A trivial to reach stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in pam_framework.c parse_user_name() which allocates a fixed size buffer of 512 bytes on the stack and parses a username supplied to PAM modules (such as authtok_get used by SunSSH). This issue can be reached remotely pre-authentication via SunSSH when "keyboard-interactive" is enabled to use PAM based authentication. The vulnerability was discovered being actively exploited by FireEye in the wild and is part of an APT toolkit called "EVILSUN". The vulnerability is present in both SPARC/x86 versions of Solaris and others (eg. illumos). This exploit uses ROP gadgets to disable nxstack through mprotect on x86 and a helper shellcode stub. Tested against latest Solaris 10 without patch applied and the configuration is vulnerable in a default vanilla install. This exploit requires libssh2, the vulnerability has been identified and confirmed reachable on Solaris 10 through 11.0.
4efe811f974352dcef13923a4c23660cd48238ef8eed2fdf0c41f3fb02116a22This Metasploit module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the embed element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.
fbbde1e0b4f53036aee6e135d84e5add073f53c612d6996cee132e6170926d1684 bytes small Linux/x86 reverse TCP shellcode.
a9b8dde55f9a62b0ac5a12be1dac512db3965420f4d49dbeec8a6055fc68b62d10 bytes small Linux/x86 execve "/bin/sh" shellcode.
d7b4184b5a7ea47ec13c322c758dac2ceed368f6f5dec7ace02c73c81a32bf4935 bytes small Linux/x86 /dev/sda wiping shellcode.
88db311b901ed70f5965fb3a51e043676c4963a4c809de48bb783a32f6fc4239This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.
8ca4b125e9aba514f4d2bd3c12b5189f4dceafcaab577262cc602a11c87480fb35 bytes small Linux/x86 Egghunter(0x50905090) + sigaction + execve(/bin/sh) shellcode.
4d2240f6fe2cbfc4c1aa25e4bc8ad1f4cd34923614985dca663345985bd66458100 bytes small Windows/x86 download using mshta.exe shellcode.
96d062205c263e5c48c9d942ddd99a1310491be0519f44b44a4246375ac3aedeEternalBlueC is the EternalBlue suite remade in C which includes an MS17-010 exploit, EternalBlue/MS17-010 vulnerability detector, DoublePulsar detector, and DoublePulsar UploadDLL and shellcode.
f58498ce3ca66c84f0bc061eb5766104eb7d8e10ed8cedcec829db3061d61beaNetPCLinker version 1.0.0.0 SEH with egghunter shellcode buffer overflow exploit.
faf335f38b0cfa1532855053ad2d12d2861d1f997d3c34bf6c71855e835b30fe100 bytes small null-free Linux/ARM shellcode that binds /bin/sh to 0.0.0.0:1337/TCP.
7ee6a6fcc5e486b90d3866afa4de0159d3ef94aa1637076ecdb4c1ab24dbf70032 bytes small Linux/ARM execve /bin/dash shellcode.
fabc3a831bff99d6730f97c3240cc21f6d5c4711bd6f1b6ab992f145a704413d102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.
8c6be862cdd489e1e40cc44a7b3b8708d5796e21512c87f10dde7e74ba320238124 bytes small ASLR deactivation polymorphic shellcode.
f35cfa4088dc8782ee00e5aec94711939df5ad8baab85cfcf1521e6a2ed5733775 bytes small Linux/x86 tiny read polymorphic shellcode.
a509e58b18807ea1af8ff4869ec95f922023610871e8db9cc792dc98ccd6680c198 bytes small macOS/x64 RickRolling shellcode.
45c7075c008f666fbb2fd9dadac0c02ddf70076745868d713f14861c733cdd1e113 bytes small Linux/x64 anti-debug trick (INT3 trap) with execve("/bin/sh") shellcode that is NULL free.
22961b45b5d956fcd59277ee56779b00f2f5f370abf5c42935f6e786b276c88539 bytes small Linux/x86 egghunter null-free shellcode. The egghunter dynamically searches memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs.
f15f64c0d4291382054a30e3697719a38ea41de5b89587531e1baff5818409e880 bytes small Linux/x86 reverse shell generator shellcode with customizable TCP port and IP address.
b6288f9069a67ab9a6e3d01fe3b23d7615e89b3fbb4002b6507be11140b269ff155 bytes small Linux/x86 shellcode that has a MMX stub decoder that dynamically decodes the payload in memory. The FPU GetPC technique is used to determine the offset from EIP dynamically in running memory. Once decoded. this shellcode adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
d72edd6daaf006feaf82398a3b67d4281ff9258ee56eeaedca56c7d0ab3e4980107 bytes small Linux/x86 shellcode that adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
e9483cceb2d45bc3e4c29c88655dc4a6e6bcedc432d98e81e5ab93618931183657 bytes small Linux/x64_86 /bin/bash shellcode. The stub decodes the ROL Encoded shellcode. When the stub has finished decoding the payload, execution control is passed to the payload.
0b2a9ee02c0b7d0258cad51519bebf538bc5adf11a6b79a09c2f9a31449092a7272 bytes small Linux/x86_64 null free password protected bindshell shellcode.
3b354d90a8edf71f759af7fb2d5a48d129b38945626e7de89ff29bd0b2c1fa8f63 bytes small Linux/x64_86 dynamic egghunter shellcode that searches memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs. The payload is an execve(/bin/bash) shellcode.
c3ff54b357a821a1566c2d7a70204024eb13af4cdf6c240a1725a87696156951644 bytes small Microsoft Windows x86 shellcode that disables the Windows firewall, adds the user MajinBuu with password TurnU2C@ndy!! to the system, adds the user MajinBuu to the local groups Administrators and Remote Desktop Users, and then enables the RDP Service.
45196bef615997ff1457d3b58b9dd0c6f69545d940fc57d196cd73a34f489870
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed