This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02X0R Cryptor with DEC/N0T/R0R encoder plus random byte insertion.
79b9b9a6dd757b66b2e94d3630b76899ed2e53218846c0933182d8877820babbThis Metasploit modules exploits CVE-2020-26950, a use-after-free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox versions prior to 82.0.3, Firefox ESR versions prior to 78.4.1, and Thunderbird versions prior to 78.4.2, however only Firefox versions up to 79 are supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.
c5497acbfe1516edccf2f8747d261489391c42dfa92ad82028efc92b075df94464 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.
ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d199421060 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.
d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946Linux/MIPS N32 MSB reverse shell shellcode that showcases various techniques to avoid badchars.
b1b0100dc2ab1910886ea650ac52df457851a4b14a3d07a98e33678c077b6d6eSolaris/SPARC chmod() shellcode with a max size of 36 bytes.
844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470171 bytes small Windows/x86 shellcode with a new method to find the kernel32 base address by walking down the stack and look for a possible Kernel32 address using a custom SEH handler. Each address found on the stack will be tested using the Exception handling function. If it's valid and starts with 7, then it's a possible kernel32 address.
e7941faf4a7799cf5e35fcf962b075b17a9570e4f37e959633b2962f8d3bf53d133 bytes small Windows/x86 kernel32 base address / memory sieve method shellcode.
02598a837cdf14b2aa15f8aa989595e031da15dac8d7e4835e2d041eda455355458 bytes small Windows/x86 download file and execute dynamic PEB and EDT method shellcode.
373527dc3abce798f323c157f33b7e37a9ae39642431558cc7be8a6423eec576Windows/x86 bind TCP shellcode / dynamic PEB and EDT method null-free shellcode. This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
7dd9706d9d60f259d8e6ef790111d2ef99c07abddaae6debfdc64b5c0856ce2f178 bytes small Windows/x86 shellcode that pops calc.exe. The shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. It also uses a hash function to dynamically gather the required symbols without worry about the length. Finally, the shellcode pops the calc.exe using WinExec and exits gracefully using TerminateProcess.
9b19277190c962885d3585247da068c374f5db74bbb693ce9cb6fe906a1118a8330 bytes small Windows/x86 reverse TCP shellcode that connects to 192.168.201.11:4444.
12149f06ca22bb6ea072202a3c3d714fb9e0922026292c67e2fc3c768fa2b30fLinux/x86 egghunter reverse TCP shell shellcode generator with dynamic IP and port.
f381e9e627457c622f41f2e0f02fd7275a109fbf7c64277852a12fa68a12f38386 bytes small Linux/x86 reverse TCP shell with dynamic IP and port binding shellcode.
098ad2f853874de86f3c54be8fe5f0603e48dcd1deaae5ff49d0f3c6ecd04c34102 bytes small Linux/x86 bindshell shellcode with dynamic port binding.
5c78bdabecd99971442c81d97f0c4cac565a54711d65cfb78e5c749c02cc5a5aLinux/x86 custom shellcode ASCII And-Sub encoder.
e94e7d4fd85ab353e369c5db6283be701e1beb64be40051eb7290608b3d9b33570 bytes small Linux/x86 shellcode with XOR decoder stub and fstenv MMX FPU spawning a /bin/sh shell.
11b3b90f9432231138d2380813aec5392fb07dbce222b7123fb12312d6eaa00729 bytes small Linux/x86 shellcode that performs setreuid to 0 and then executes /bin/sh.
e6a46129d157e756ab079a8bd8c0b4fb71e4329d98e97809fa092cf1d9ec5876655 bytes small 64-bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
9b8f41be48c0a71cc5b34fd0d409faea955538963763a4a5c5ca27e1ec4d2afb205 bytes small 64-bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method. It contains no null bytes (0x00), and therefore will not crash if injected into typical stack buffer overflow vulnerabilities.
6143eebe8156ea982d4ef3362eab1915ca829a3ac99ed38af8a6c4ca2e852a0d387 bytes small 64-bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups. Shellcode must be executed from a process with either a HIGH or SYSTEM integrity level.
0e9ecdb6d32c850a8cd46f1c273c31f8a22128d898a75e6f5be2706159ec67b017 bytes small Linux/x86 execve(/bin/sh) shellcode.
0d57e5917177f7b2c8c614412ee8c4d46b75b72f8a5547e97bce99f62fabc11121 bytes small Linux/x64 execve(/bin/sh) shellcode.
7640bb0b2bdd99b08b0876002140a299d855d4c3abe7f76eb8c7c4c0c63ed8bdThis Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.
a2c2e0bb6afa9428a1723f49c6bd0ba43ef8b68bb81b7b27053a5cae99795839
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed