114 bytes small Linux/x86 reverse TCP shellcode.
2683c644409206f0c3a9aae6d82afb5a6f04a316245fb265c0cdab4441651ee1This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
255a53ba4764640c38d52b8d61674d66f25d7a11c08ebc0d8b26cc5cdb1d4aceSolaris SunSSH versions 10 through 11.0 on x86 libpam remote root exploit.
93c50138db56dcc96e612d0fa56cca01459695d4f656345667a2e4fdec807e5dWhitepaper called Encrypted Linux x86-64 Loadable Kernel Modules (ELKM). The aim is to protect kernel-based rootkits and implants against observation by EndpointDetection and Response (EDR) software and to neutralize the effects of recovery by disk forensics tooling.
8c1624c7c34043b6adcf6bf8d40dacba0d70f69ac41bf3bb91c707f4c800f332A trivial to reach stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in pam_framework.c parse_user_name() which allocates a fixed size buffer of 512 bytes on the stack and parses a username supplied to PAM modules (such as authtok_get used by SunSSH). This issue can be reached remotely pre-authentication via SunSSH when "keyboard-interactive" is enabled to use PAM based authentication. The vulnerability was discovered being actively exploited by FireEye in the wild and is part of an APT toolkit called "EVILSUN". The vulnerability is present in both SPARC/x86 versions of Solaris and others (eg. illumos). This exploit uses ROP gadgets to disable nxstack through mprotect on x86 and a helper shellcode stub. Tested against latest Solaris 10 without patch applied and the configuration is vulnerable in a default vanilla install. This exploit requires libssh2, the vulnerability has been identified and confirmed reachable on Solaris 10 through 11.0.
4efe811f974352dcef13923a4c23660cd48238ef8eed2fdf0c41f3fb02116a2284 bytes small Linux/x86 reverse TCP shellcode.
a9b8dde55f9a62b0ac5a12be1dac512db3965420f4d49dbeec8a6055fc68b62d10 bytes small Linux/x86 execve "/bin/sh" shellcode.
d7b4184b5a7ea47ec13c322c758dac2ceed368f6f5dec7ace02c73c81a32bf4935 bytes small Linux/x86 /dev/sda wiping shellcode.
88db311b901ed70f5965fb3a51e043676c4963a4c809de48bb783a32f6fc423935 bytes small Linux/x86 Egghunter(0x50905090) + sigaction + execve(/bin/sh) shellcode.
4d2240f6fe2cbfc4c1aa25e4bc8ad1f4cd34923614985dca663345985bd66458100 bytes small Windows/x86 download using mshta.exe shellcode.
96d062205c263e5c48c9d942ddd99a1310491be0519f44b44a4246375ac3aedeThe installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to version 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with system privileges. Since vpndownloader is also vulnerable to DLL hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location vpndownloader will be copied to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).
b6d44c2b494378ff342fef57be9d4be4564327103eadabb01ff166ae6dae9bffKeystone is a lightweight multi-platform, multi-architecture assembler framework. Highlight features include multi-architecture, with support for Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ, and X86 (include 16/32/64bit). It has a clean and lightweight architecture-neutral API. It's implemented in C/C++ languages, with bindings for Python, NodeJS, Ruby, Go and Rust available and also has native support for Windows and various Unix flavors.
c9b3a343ed3e05ee168d29daf89820aff9effb2c74c6803c2d9e21d55b5b7c24102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.
8c6be862cdd489e1e40cc44a7b3b8708d5796e21512c87f10dde7e74ba32023875 bytes small Linux/x86 tiny read polymorphic shellcode.
a509e58b18807ea1af8ff4869ec95f922023610871e8db9cc792dc98ccd6680cThis Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.
fb3cf21123b0e2fbb662a608751638e9471714e3f0e34de79dd880b595ae013c39 bytes small Linux/x86 egghunter null-free shellcode. The egghunter dynamically searches memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs.
f15f64c0d4291382054a30e3697719a38ea41de5b89587531e1baff5818409e880 bytes small Linux/x86 reverse shell generator shellcode with customizable TCP port and IP address.
b6288f9069a67ab9a6e3d01fe3b23d7615e89b3fbb4002b6507be11140b269ff155 bytes small Linux/x86 shellcode that has a MMX stub decoder that dynamically decodes the payload in memory. The FPU GetPC technique is used to determine the offset from EIP dynamically in running memory. Once decoded. this shellcode adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
d72edd6daaf006feaf82398a3b67d4281ff9258ee56eeaedca56c7d0ab3e4980107 bytes small Linux/x86 shellcode that adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
e9483cceb2d45bc3e4c29c88655dc4a6e6bcedc432d98e81e5ab936189311836644 bytes small Microsoft Windows x86 shellcode that disables the Windows firewall, adds the user MajinBuu with password TurnU2C@ndy!! to the system, adds the user MajinBuu to the local groups Administrators and Remote Desktop Users, and then enables the RDP Service.
45196bef615997ff1457d3b58b9dd0c6f69545d940fc57d196cd73a34f48987033 bytes small Linux/x86 egghunter null-free shellcode.
146a5ad8da7bf358cba71d6ad35173b50c272b32445c081fabb654c79207f8f110Strike LANState version 9.32 on x86 Host Check hostname SEH buffer overflow exploit.
14d5fb0369d804df952aa677f189c95cee2dc58e248e3ea40989ccac3e77a17b26 bytes small Linux/x86 reboot polymorphic shellcode.
fa0f3f8ad9bda717bb3a92c58de936f8932a7a2db2e9f6502cd29ab55ef3bb75195 bytes small Windows/x86 null-free WinExec Calc.exe shellcode.
fee44adfb0bfdb2c7192391912bf356c70e5e8f50319f258fd2597def6aa0826114 bytes small Linux/x86 bind shell generator shellcode.
1e7612da16986e3cb4c25c855cdc90ea5787caa9e5e7169bf210c923678fd670
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed