880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
16 lines
No EOL
1.3 KiB
Text
16 lines
No EOL
1.3 KiB
Text
Windows 95/98,Windows NT Enterprise Server 4.0 SP1/SP2/SP3/SP4/SP5/SP6,Windows NT Server 4.0 SP1/SP2/SP3/SP4/SP5/SP6/SP6a,Windows NT Terminal Server 4.0 SP1/SP2/SP3/SP4/SP5/SP6,Windows NT Workstation 4.0 SP1/SP2/SP3/SP4/SP5/SP6/SP6a Riched Buffer Overflow Vulnerability
|
|
|
|
source: https://www.securityfocus.com/bid/807/info
|
|
|
|
Riched20.dll and Riched32.dll, which Windows uses to parse Rich Text Forrmat files, have an unchecked buffer which allows arbitrary code to be executed. The code can be put into an .rtf file and emailed to the victim. Then if the victim opens the document, the code will be run at the same privilege level as the user.
|
|
|
|
NOTE: It has been reported on the Bugtraq mailing list that the patch provided by Microsoft does not completely fix the problem. A .rtf file with 1000 characters (instead of the original 32) will still crash the application reading the .rtf file.
|
|
|
|
This will crash Wordpad:
|
|
Create an .rtf file, then open it in notepad. The first line will look something like this:
|
|
{\rtf1\ansi\deff0\deftab720{\fonttbl...etc....etc
|
|
Now insert 32 characters after the .rtf identifier:
|
|
{\rtf1\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAansi\deff0\deftab720{\fonttbl...etc...etc
|
|
When this file is opened in Wordpad, the program will crash.
|
|
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/19633.wri |