List: bugtraq
Subject: Portable shell-exploit for buffer-overflow bugs
From: Roman Medina-Heigl Hernandez <roman () rs-labs ! com>
Date: 2006-09-29 12:50:08
Message-ID: 451D1680.7040809 () rs-labs ! com
Hello str0ke,
I reviewed the exploits listed. Yes, all of them use the shell, but they
exploit trivially shell-exploitable bugs (like race conditions, ld-preload,
etc.) or include other "external" programs (like cc, perl, etc.) or assume
Linux/bash as well as other more or less recent environments.
The nearest exploit to what I was looking for (buffer overflow exploit in
shell-scripting) is:
http://milw0rm.com/exploits/18
But it lacks compatibility. For instance, "echo" command is very variable,
depending on OS/Shell version. I've uploaded a proof of concept which I
wrote some time ago, showing my approach, to:
http://www.rs-labs.com/exploitsntools/rs_aix_host.sh
(~6 KB)
It may not be perfect, but my goal was to make it work in a very old minimal
Unix environment (the exploit yields local root on AIX 4.1.4.0, abusing a
known and ancient bug: ~10 years old!) and at the same time be compatible
with some recent systems like Linux/bash (logically, the vulnerability is
not present in such systems; I'm referring to the skeleton of the exploit).
Feedback would be appreciated.
PS: I'm cc'ing some lists where this post could suit. Moderators should decide.
Cheers,
-Roman
str0ke wrote:
> How goes it Roman,
>
> > Which other "curious" exploits in shell do you know of?
>
> Attached is a list of the known exploits that are in shell, some call
> other languages some don't.
>
> Be safe,
> /str0ke
>
>
> ------------------------------------------------------------------------
>
> date | exploit title | url | exploit author | platform
> ------------------------------------------------------------------------
> 2003-04-23 | Snort <=1.9.1 Remote Root Exploit (p7snort191.sh) | http://milw0rm.com/exploits/18 | truff | linux
> 2003-05-02 | OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh) | http://milw0rm.com/exploits/26 | Nicolas Couture | linux
> 2003-07-22 | Cisco IOS (using hping) Remote Denial of Service Exploit | http://milw0rm.com/exploits/62 | zerash | hardware
> 2004-01-25 | MS Windows XP/2003 Samba Share Resource Exhaustion Exploit | http://milw0rm.com/exploits/148 | Steve Ladjabi | windows
> 2000-11-16 | /sbin/restore exploit (rh6.2) | http://milw0rm.com/exploits/182 | n/a | linux
> 2000-11-17 | Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit | http://milw0rm.com/exploits/185 | sinfony | linux
> 2000-11-19 | dump 0.4b15 Local Root Exploit | http://milw0rm.com/exploits/193 | Mat | linux
> 2000-11-19 | HP-UX 11.00/10.20 crontab Overwrite Files Exploit | http://milw0rm.com/exploits/195 | dubhe | hp-ux
> 2000-11-21 | vixie-cron Local Root Exploit | http://milw0rm.com/exploits/203 | Michal Zalewski | linux
> 2000-12-15 | Pine (Local Message Grabber) Exploit | http://milw0rm.com/exploits/231 | Mat | linux
> 2001-01-02 | Redhat 6.1 / 6.2 TTY Flood Users Exploit | http://milw0rm.com/exploits/236 | teleh0r | linux
> 2001-01-03 | Solaris 2.6 / 7 / 8 Lock Users Out of mailx Exploit | http://milw0rm.com/exploits/240 | optyx | solaris
> 2001-01-25 | glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x | http://milw0rm.com/exploits/258 | krochos | linux
> 2001-05-07 | IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/bin/lpstat Local Exploit | http://milw0rm.com/exploits/265 | LSD-PLaNET | irix
> 2001-05-08 | IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit | http://milw0rm.com/exploits/270 | LSD-PLaNET | irix
> 2001-03-04 | GLIBC 2.1.3 ld_preload Local Exploit | http://milw0rm.com/exploits/290 | shadow | linux
> 1997-05-03 | Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities | http://milw0rm.com/exploits/330 | Chris Sheldon | solaris
> 1997-05-19 | Solaris 2.5.0/2.5.1 ps & chkey Data Buffer Exploit | http://milw0rm.com/exploits/332 | Joe Zbiciak | solaris
> 2004-07-22 | Xitami Web Server Denial of Service Exploit | http://milw0rm.com/exploits/362 | CoolICE | windows
> 2004-09-07 | CDRDAO Local Root Exploit | http://milw0rm.com/exploits/434 | Karol Więsek | linux
> 2004-09-22 | MS Windows JPEG Processing Buffer Overrun Exploit (MS04-028) | http://milw0rm.com/exploits/474 | perplexy | windows
> 2004-09-23 | MS Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028) | http://milw0rm.com/exploits/475 | Elia Florio | windows
> 2004-09-28 | Serendipity 0.7-beta1 SQL Injection Proof of Concept | http://milw0rm.com/exploits/561 | aCiDBiTS | php
> 2004-10-16 | BSD bmon <= 1.2.1_2 Local Exploit | http://milw0rm.com/exploits/579 | Idan Nahoum | bsd
> 2004-12-21 | AIX 5.1 to 5.3 lsmcode Local Root Command Execution | http://milw0rm.com/exploits/701 | cees-bart | aix
> 2005-01-30 | Linux ncpfs Local Exploit | http://milw0rm.com/exploits/779 | super | linux
> 2005-02-07 | Exim <= 4.42 Local Root Exploit | http://milw0rm.com/exploits/796 | Dark Eagle | linux
> 2005-03-25 | AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability | http://milw0rm.com/exploits/898 | ri0t | aix
> 2005-04-07 | PHP-Nuke 6.x - 7.6 Top module Remote Sql Injection Exploit | http://milw0rm.com/exploits/921 | Fabrizi Andrea | php
> 2005-05-17 | Linux Mandrake <= 10.2 cdrdao Local Root Exploit | http://milw0rm.com/exploits/997 | newbug | linux
> 2005-08-05 | Lantronix Secure Console Server (edituser) Local Root Exploit | http://milw0rm.com/exploits/1136 | c0ntex | linux
> 2005-09-24 | Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux) | http://milw0rm.com/exploits/1229 | kcope | linux
> 2005-09-24 | Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd) | http://milw0rm.com/exploits/1230 | kcope | bsd
> 2005-11-08 | SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit | http://milw0rm.com/exploits/1299 | Hunger | linux
> 2005-11-09 | Operator Shell (osh) 1.7-14 Local Root Exploit | http://milw0rm.com/exploits/1300 | Charles Stevenson | linux
> 2006-02-08 | QNX Neutrino 6.2.1 (phfont) Race Condition Local Root Exploit | http://milw0rm.com/exploits/1479 | kokanin | QNX
> 2006-02-08 | QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit | http://milw0rm.com/exploits/1481 | kokanin | QNX
> 2005-10-10 | SGI IRIX <= 6.5.28 (runpriv) Design Error Vulnerability | http://milw0rm.com/exploits/1577 | n/a | irix
> 2006-07-14 | Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4) | http://milw0rm.com/exploits/2011 | Sunay | linux
> 2006-07-15 | Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit | http://milw0rm.com/exploits/2016 | Xavier de Leon | linux
> 2006-07-21 | MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) | http://milw0rm.com/exploits/2052 | redsand | windows
> 2006-08-01 | Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit | http://milw0rm.com/exploits/2108 | Kevin Finisterre | osX
> 2006-08-08 | liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit | http://milw0rm.com/exploits/2144 | Karol Wiesek | linux
> 2006-08-21 | Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC | http://milw0rm.com/exploits/2237 | Jacobo Avariento | multiple
> 2006-08-22 | Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit | http://milw0rm.com/exploits/2242 | Marco Ivaldi | solaris
> 2006-09-27 | OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit | http://milw0rm.com/exploits/2444 | Tavis Ormandy | multiple
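The "echo" portability problem Roman raises is the crux of a shell-only overflow exploit: the script has to produce arbitrary bytes (NULs and high bytes included) using nothing but what the target's /bin/sh and a minimal userland provide, and "echo -e" is exactly the assumption that breaks on old systems. The following is an added example, not Roman's rs_aix_host.sh and not tied to any particular vulnerability: a pure Bourne-shell skeleton that probes at runtime which byte emitter actually works (printf, an XSI echo that interprets escapes by itself, or a BSD/bash echo that needs -e), handles the \NNN versus \0NNN octal difference between them, and then builds the classic filler-plus-overwrite-value buffer. The function names, the filler byte and the illustrative address 0x10001234 are assumptions made for the example; the only external commands used are expr, od, tr and wc.

```shell
#!/bin/sh
# Added example (not rs_aix_host.sh): a portable raw-byte emitter for a
# shell-only buffer-overflow skeleton. Pure Bourne shell on purpose:
# no $(( )), no $( ), no arrays, no "local"; only expr/od/tr/wc.

# Pick the emitter. Sets EMITTER to printf, echo_sysv or echo_e; returns 1 if
# nothing on this box can turn an octal escape into the byte 0x41 ('A').
detect_emitter() {
    if [ "`printf '\101' 2>/dev/null`" = "A" ]; then
        EMITTER=printf                           # POSIX printf: wants \NNN
    elif [ "`echo '\0101'`" = "A" ]; then
        EMITTER=echo_sysv                        # SysV/XSI echo: escapes always on, \0NNN
    elif [ "`echo -e '\0101'`" = "A" ]; then
        EMITTER=echo_e                           # BSD/bash echo: needs -e, \0NNN
    else
        return 1
    fi
    return 0
}

# oct3 DEC: three octal digits for a byte 0-255 (65 -> 101, 1 -> 001).
# expr exits 1 whenever a result is 0, so each step is guarded for "set -e" callers.
oct3() {
    a=`expr $1 / 64 || :`
    b=`expr $1 / 8 % 8 || :`
    c=`expr $1 % 8 || :`
    echo "$a$b$c"
}

# emit_bytes DEC...: write the given byte values to stdout as raw bytes,
# no trailing newline, using whichever emitter detect_emitter selected.
emit_bytes() {
    s=""
    for d in "$@"; do
        case $EMITTER in
            printf) s="$s\\`oct3 $d`" ;;         # printf escape form: \NNN
            *)      s="$s\\0`oct3 $d`" ;;        # echo escape form:   \0NNN
        esac
    done
    case $EMITTER in
        printf)    printf "$s" ;;
        echo_sysv) echo "$s\\c" ;;               # \c suppresses the newline on XSI echo
        echo_e)    echo -ne "$s" ;;
    esac
}

# pad N BYTE: emit N copies of BYTE (decimal), i.e. filler or a NOP sled.
pad() {
    n=$1
    while [ "$n" -gt 0 ]; do
        emit_bytes "$2"
        n=`expr $n - 1 || :`
    done
}

# build_payload FILL_LEN ADDR_BYTE...: filler followed by the overwrite value.
# Address bytes are given in the order they must land in memory: the caller
# reverses them for little-endian targets (x86) and keeps them as-is for
# big-endian ones (POWER/AIX, SPARC).
build_payload() {
    len=$1; shift
    pad "$len" 65                                # 0x41 filler (assumption for the example)
    emit_bytes "$@"
}

# hexdump_bytes: stable hex view of stdin, for checking what was really emitted
# before the buffer is ever handed to a target program. -v keeps od from
# collapsing the repeated filler into a "*" line.
hexdump_bytes() {
    od -An -v -tx1 | tr -d ' \n'
}

if detect_emitter; then
    echo "emitter: $EMITTER" >&2
    # 8 bytes of filler, then 0x10001234 as a big-endian 32-bit value
    build_payload 8 16 0 18 52 | hexdump_bytes
    echo
fi
```

The point of the probe order is that printf, where it exists, is the only emitter whose escape handling is standardised; the two echo variants are tried only as fallbacks, and each gets the octal form it is known to accept. Run the script on each candidate platform and compare the hexdump before trusting the buffer: a system whose echo silently prints "-e" or leaves backslashes untouched will show up there rather than in a crashed target.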