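#!/usr/bin/env bash
# CVE-2021-28480 RCE PoC
# Also works for CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483
#
# REVIEW NOTE: this file is a honeypot / decoy, not an exploit (see the last
# line of the script). What it actually does is fully visible below:
#   * it never contacts the "Exchange" host -- there is no curl/nc/openssl or
#     any other network command; the address is only echoed back;
#   * it does NOT delete anything -- the rm below is a comment and must stay one;
#   * it runs `ls -aliRtu /`, a recursive listing of the whole filesystem:
#     read-only, but slow on large hosts and it dumps inode/mtime/atime data
#     for every readable file to stdout;
#   * it prints lyrics between commented-out Ruby-hash target entries (in the
#     style of a Metasploit module's Windows XP / ACGENRAL.DLL return-address
#     table). Nothing in those tables is referenced; they are padding and have
#     no relation to Exchange.
# Run untrusted PoCs only in a throwaway VM: this one is harmless, the next
# one copied from the same place may not be.
#
# This is how dangerous not reading the source code is:
# rm -rvf /* --no-preserve-root
set -euo pipefail

USAGE="
Bash script to achieve Domain Admin

Flags:
  -c    Exchange IP Address.

usage:   exploit.sh -c IP
example: exploit.sh -c 10.0.0.1
"

#######################################
# Print the usage text to stderr and exit with a usage-error status.
# The original printed to stdout and exited 0, so a wrong invocation looked
# like success to any caller checking $?.
#######################################
usage() {
  printf '%s\n' "$USAGE" >&2
  exit 2
}

# Parse the documented form (-c IP). The original ignored its own usage text
# and echoed "$1" verbatim, so `exploit.sh -c 10.0.0.1` reported host "-c".
# A bare positional IP is still accepted for compatibility with that form.
host=""
while getopts ':c:h' opt; do
  case "$opt" in
    c) host=$OPTARG ;;
    h) usage ;;
    :) printf 'option -%s requires an argument\n' "$OPTARG" >&2; usage ;;
    \?) printf 'unknown option -%s\n' "$OPTARG" >&2; usage ;;
  esac
done
shift $((OPTIND - 1))
if [[ -z "$host" && $# -ge 1 ]]; then
  host=$1
fi
if [[ -z "$host" ]]; then
  usage
fi

# printf rather than echo: the host string is attacker-controlled argv and
# echo would interpret a leading "-n"/"-e".
printf '[!] Exploiting Host %s\n' "$host"
echo "[+] Beginning Erasure of /"
# Plain integer: the "5s" suffix used originally is a GNU extension, not POSIX.
sleep 5
# The "erasure" is a recursive, access-time-sorted inode listing of /.
# It is read-only, but it can run for minutes and flood stdout. ls exits
# non-zero for directories it cannot read (always, as non-root), so the
# status is ignored to keep the reveal at the end reachable under set -e.
ls -aliRtu / || true
echo "[!] Deleted Root File System."
sleep 5

echo "We're no strangers to love"
# ---- Decoy table: commented-out target entries, never read by this script ----
# NX bypass for XP SP2/SP3
# [ 'Windows XP SP2 Spanish (NX)', { 'Ret' => 0x6fdbf727, 'DisableNX' => 0x6fdc16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "You know the rules and so do I."
# NX bypass for XP SP2/SP3
# [ 'Windows XP SP2 Finnish (NX)', { 'Ret' => 0x597df727, 'DisableNX' => 0x597e16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 French (NX)', { 'Ret' => 0x595bf727, 'DisableNX' => 0x595c16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "A full commitment's what I'm thinking of."
# [ 'Windows XP SP2 Hebrew (NX)', { 'Ret' => 0x5940f727, 'DisableNX' => 0x594116e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Hungarian (NX)', { 'Ret' => 0x5970f727, 'DisableNX' => 0x597116e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "You wouldn't get this from any other guy."
# [ 'Windows XP SP2 Italian (NX)', { 'Ret' => 0x596bf727, 'DisableNX' => 0x596c16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Japanese (NX)', { 'Ret' => 0x567fd3be, 'DisableNX' => 0x568016e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "I just wanna tell you how I'm feeling."
# [ 'Windows XP SP2 Korean (NX)', { 'Ret' => 0x6fd6f727, 'DisableNX' => 0x6fd716e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Dutch (NX)', { 'Ret' => 0x596cf727, 'DisableNX' => 0x596d16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Gotta make you understand"
# [ 'Windows XP SP2 Norwegian (NX)', { 'Ret' => 0x597cf727, 'DisableNX' => 0x597d16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Polish (NX)', { 'Ret' => 0x5941f727, 'DisableNX' => 0x594216e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna give you up."
# [ 'Windows XP SP2 Portuguese - Brazilian (NX)', { 'Ret' => 0x596ff727, 'DisableNX' => 0x597016e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Portuguese (NX)', { 'Ret' => 0x596bf727, 'DisableNX' => 0x596c16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna let you down."
# [ 'Windows XP SP2 Russian (NX)', { 'Ret' => 0x6fe1f727, 'DisableNX' => 0x6fe216e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP2 Swedish (NX)', { 'Ret' => 0x597af727, 'DisableNX' => 0x597b16e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna run around and desert you."
# [ 'Windows XP SP2 Turkish (NX)', { 'Ret' => 0x5a78f727, 'DisableNX' => 0x5a7916e2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP3 Arabic (NX)', { 'Ret' => 0x6fd8f807, 'DisableNX' => 0x6fd917c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna make you cry."
# [ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)', { 'Ret' => 0x5860f807, 'DisableNX' => 0x586117c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP3 Chinese - Simplified (NX)', { 'Ret' => 0x58fbf807, 'DisableNX' => 0x58fc17c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna say goodbye."
# [ 'Windows XP SP3 Chinese - Traditional (NX)', { 'Ret' => 0x5860f807, 'DisableNX' => 0x586117c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP3 Czech (NX)', { 'Ret' => 0x6fe1f807, 'DisableNX' => 0x6fe217c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
echo "Never gonna tell a lie and hurt you."
# [ 'Windows XP SP3 Danish (NX)', { 'Ret' => 0x5978f807, 'DisableNX' => 0x597917c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP3 German (NX)', { 'Ret' => 0x6fd9f807, 'DisableNX' => 0x6fda17c2, 'Scratch' => 0x00020408 } ],  # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# [ 'Windows XP SP3 Greek (NX)', {   # entry is cut off here in the original file; the table was never completed
# ---- end of decoy table ----

# The reveal: the script is a HoneyPoC, not an Exchange exploit.
echo "[!] You should have read the source. HoneyPoC 3.0 - https://blog.zsec.uk/cve-2020-1350-honeypoc/"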