880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
17 lines
No EOL
1.7 KiB
Text
17 lines
No EOL
1.7 KiB
Text
source: https://www.securityfocus.com/bid/2124/info
|
|
|
|
The ftp daemon derived from 4.x BSD source contains a serious vulnerability that may compromise root access.
|
|
|
|
There exists a one byte overflow in the replydirname() function. The overflow condition is due to an off-by-one bug that allows an attacker to write a null byte beyond the boundaries of a local buffer and over the lowest byte of the saved base pointer.
|
|
|
|
As a result, the numerical value of the pointer decreases (and it thus points to a higher location (or lower address) on the stack than it should) and when the replydirname() function returns, the modified saved base pointer is stored in the base pointer register. When the calling function returns, the return address is read from an offset of where the base pointer points to. With the last byte of the base pointer zero, this will be a location other than where it should be.
|
|
|
|
If this region of the stack is under the control of the attacker, such as the local variable which contained the extra byte in the first place, an arbitrary address can be placed there that will be used as the saved return address by the function.
|
|
|
|
This is the case in ftpd. It is possible for an attacker to force the ftp daemon to look in user-supplied data for a return address and then execute instructions at the location as root.
|
|
|
|
This vulnerability can be exploited on systems supporting anonymous ftp if a writeable directory exists (such as an "incoming" directory). This is rarely in place by default.
|
|
|
|
It should noted that OpenBSD ships with ftp disabled, though it is an extremely commonly used service.
|
|
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/20512.tar.gz |