546 matches found
Linux/x86 - setuid(0) + chmod(/etc/shadow, 0666) Shellcode (37 bytes)
Linux/x86 - setuid0 + chmod/etc/shadow, 0666 Shellcode 37 bytes. Shellcode exploit for Linuxx86 platform / Title: linux/x86 setuid0 + chmod"/etc/shadow", 0666 Shellcode 37 Bytes Type: Shellcode Author: antrhacks Platform: Linux X86 / / ASSembly 31 db xor %ebx,%ebx b0 17 mov $0x17,%al cd 80 int...
Linux/x86 - execve(/bin/sh,0,0) Shellcode (21 bytes)
Linux/x86 - execve/bin/sh,0,0 Shellcode 21 bytes. Shellcode exploit for Linuxx86 platform / linux/x86 execve"/bin/sh",0,0 21 bytes http://www.gonullyourself.org sToRm / char shellcode = // "\x31\xc9" // xor %ecx,%ecx "\xf7\xe1" // mul %ecx "\x51" // push %ecx "\x68\x2f\x2f\x73\x68" // push...
Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - Remote File Download Shellcode 42 bytes. Shellcode exploit for Linuxx86 platform / Title: Linux x86 - Remote file Download - 42 bytes Author: Jonathan Salwan Web: http://www.shell-storm.org Twitter: http://twitter.com/jonathansalwan !Database of Shellcodes...
VMware产品Trap Flag处理本地权限提升漏洞
BUGTRAQ ID: 32168 CVECAN ID: CVE-2008-4915 VMWare是一款虚拟PC软件,允许在一台机器上同时运行两个或多个Windows、DOS、LINUX系统。 VMWare在处理指令的执行时存在问题,攻击者可能利用此漏洞提升自己的权限。如果在设置了Trap Flag的情况下出现中断,正确的CPU将执行转移到中断处理器之前会清除Trap Flag。对于受影响的VMware版本,如果内核态IRET设置了Trap Flag的话,则在执行单字节INT 3指令的时候Trap Flag在模式切换后仍继续存在,这造成的结果就是如果能够导致内核通过IRET设置Trap...
Count.cgi(wwwcount)远程缓冲区溢出漏洞
BugCVE: CVE-1999-0021 BUGTRAQ: 128 Count.cgi wwwcount是一个非常流行的Web站点跟踪统计CGI程序。一般它作为Web页面点击数统计。1997年10月,这个程序被发现了两个远程漏洞。第一个漏洞比较轻微,它能允许远程用户浏览到受限制的.GIF文件,可能泄漏.GIF文件里潜在的敏感数据。 第二个漏洞比较严重,count.cgi程序在处理QUERYSTRING环境变量的时候存在缓冲区溢出漏洞。远程攻击者可以发送一个超长的请求给程序就能进行溢出攻击,以Web用户的权限在系统执行任意命令。 2.3 Muhammad A. Muquit...
CUPS gif_read_lzw()函数GIF文件处理缓冲区溢出漏洞
BUGTRAQ ID: 28544 CVECAN ID: CVE-2008-1373 Common Unix Printing System CUPS是一款通用Unix打印系统,是Unix环境下的跨平台打印解决方案,基于Internet打印协议,提供大多数PostScript和raster打印机服务。 CUPS处理畸形格式的GIF文件时存在漏洞,远程攻击者可能利用此漏洞控制服务器。 CUPS打印系统所使用的GIF解析代码直接从GIF图形中读取了codesize值,且没有经过验证便用于初始化gifreadlzw中的表格数组,这可能导致静态溢出。...
Design/Logic Flaw
Parallels allows local users to cause a denial of service virtual machine abort via 1 certain INT instructions, as demonstrated by INT 0xAA; 2 an IRET instruction when an invalid address is at the top of the stack; 3 a malformed MOVNTI instruction, as demonstrated by using a register as a...
CVE-2007-2455
Parallels allows local users to cause a denial of service virtual machine abort via 1 certain INT instructions, as demonstrated by INT 0xAA; 2 an IRET instruction when an invalid address is at the top of the stack; 3 a malformed MOVNTI instruction, as demonstrated by using a register as a...
OS X Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 65 include Msf::Payload::Single include Msf::Payload::Osx include...
Important: XFree86 security update
4.3.0-120.EL.0.1 - Add oracle detection to Imake. 4.3.0-120.EL - add cve-2007-1351.patch 234056 4.3.0-119.EL - Add int-overflow.patch 231684 - comment out requirement on fonts-base as that is an unreleased change. 4.3.0-118.EL - Add cve-2007-1003.patch 232996 4.3.0-117.EL - Make xfs depend on...
Important: xorg-x11 security update
6.8.2-1.EL.13.37.0.1 - Add Enterprise Linux detection 6.8.2-1.EL.13.37.7 - Add cve-2007-1351.patch 234056 6.8.2-1.EL.13.37.6 - Add cve-2007-1003.patch 233000 - Add int-overflow.patch 231693 6.8.2-1.EL.13.37.5 - Add xorg-x11-6.8.2-sorted-xkbcomp-dirs.patch to fix rpmdiff multilib failure...
Fedora Core 5 : libwmf-0.2.8.4-5.1 (2006-805)
CVE-2006-3376 int overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. %NASLMINLEVEL 70300 C Tenab...
linux/x86 - execve/bin/sh 22 bytes
linux/x86 execve/bin/sh 22 bytes. Shellcode exploit for linx86 platform / revenge-execve.c, v1.0 2006/10/14 16:32 Yet another linux execve shellcode.. linux/x86 execve"/bin//sh/","/bin//sh",NULL shellcode http://www.0xcafebabe.it But this time it's 22 bytes We could start the shellcode with a mov...
linux/x86 execve(/bin/sh) + RIFF Header 28 bytes
No description provided by source. / linux/x86 - execve"/bin/sh", "/bin/sh", NULL + RIFF Header - 28 bytes root@magicbox: file linux-sh-riffhdr.bin linux-sh-riffhdr.bin: RIFF little-endian data - izik [email protected] / char shellcode = // // RIFF Header 5 bytes // "\x52" // push %edx "\x49" // dec...
CVE-2006-0635
Tiny C Compiler TCC 0.9.23 aka TinyCC evaluates the "isizeofint" expression to false when i equals -1, which might introduce integer overflow vulnerabilities into applications that could be exploited by context-dependent attackers...
linux/x86 anti-debug trick (INT 3h trap) + execve /bin/sh 39 bytes
Exploit for linux/x86 platform in category shellcode ================================================================== linux/x86 anti-debug trick INT 3h trap + execve /bin/sh 39 bytes ================================================================== / linux/x86 anti-debug trick INT 3h trap +...
linux/x86 anti-debug trick INT 3h trap + execve /bin/sh 39 bytes
linux/x86 anti-debug trick INT 3h trap + execve /bin/sh 39 bytes. Shellcode exploit for linx86 platform / linux/x86 anti-debug trick INT 3h trap + execve"/bin/sh", "/bin/sh", NULL, NULL - 39 bytes The idea behind a shellcode w/ an anti-debugging trick embedded in it, is if for any reason the IDS...
linux/x86 setreuid0, 0 + execve/bin/sh 31 bytes
linux/x86 setreuid0, 0 + execve/bin/sh 31 bytes. Shellcode exploit for linx86 platform / linux/x86 setreuid0, 0 + execve"/bin/sh", "/bin/sh", NULL, NULL - 31 bytes - izik / char shellcode = "\x6a\x46" // push $0x46 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx...
linux/x86 /bin/sh sysenter Opcode Array Payload 45 bytes
Exploit for linux/x86 platform in category shellcode ======================================================== linux/x86 /bin/sh sysenter Opcode Array Payload 45 bytes ======================================================== / lnxbinsh2.c - v1 - 45 Byte /bin/sh sysenter Opcode Array Payload...
Debian DSA-278-1 : sendmail - char-to-int conversion
Michal Zalewski discovered a buffer overflow, triggered by a char to int conversion, in the address parsing code in sendmail, a widely used powerful, efficient, and scalable mail transport agent. This problem is potentially remotely exploitable. %NASLMINLEVEL 70300 C Tenable Network Security, Inc...