880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
20 lines
No EOL
1.4 KiB
Text
20 lines
No EOL
1.4 KiB
Text
source: https://www.securityfocus.com/bid/1834/info
|
|
|
|
lpr is a set of printing tools for unix systems. The lpr package that ships with RedHat Linux 6.2 (and possibly earlier versions) contains a vulnerability that will allow an attacker to execute arbitrary commands with the privileges of group 'lp'.
|
|
|
|
The vulnerability is not in one of the binary executables, rather in one of the print filters supplied with the lpr package. It is in the processing of troff files, their conversion into postscript files for printing on a postscript printer.
|
|
|
|
When the processing occurs, certain commands embedded in the troff file being processed can be executed -- with the privileges of the setgid lpr. This is the result of formatting programs being executed by the print filter in an unsafe manner.
|
|
|
|
Compromise of group lp access may lead to further compromise as the lpr configuration files are writeable to members of group lp. If lpr configuration files are modified, arbitrary commands can be run as any user other than root. This will most certainly eventually lead to root access for the attacker (a excellent example of this is in the zenith parsec's bugtraq post in the reference section).
|
|
|
|
[zen@continuity /tmp]$ cat asdf
|
|
PS
|
|
sh D/usr/bin/id>/tmp/yougetanyideasyetD
|
|
.PF
|
|
|
|
[zen@continuity /tmp]$ lpr asdf
|
|
|
|
[zen@continuity /tmp]$ cat /tmp/yougetanyideasyet
|
|
|
|
uid=500(zen) gid=500(zen) groups=7(lp) |