Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This Metasploit module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
7da47a7e8285d0a6b8ee0d6e5384264f78b38a3863420fbdc47ecf044ace7dde
This Metasploit module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. It uses improved shellcode for the payload.
ac78a9f2d7331bfc6089f521bb49fc475153b66e3c5eb8ac274c23830a542a52
55 bytes small Linux/x64 shellcode that creates a shell with execve(), passing the argument (/bin//sh) XOR-encoded.
dd9cd816ff8fe9dd6be1a0a2fe0b49cf0524f491dbdd68c06004dfcc6d90b9b0
476 bytes small Windows/x64 PIC null-free TCP reverse shell shellcode.
bba5751e922713bc181d1684a80fe65ee53eab2de87b3bbaf9cb5fc3fdccc945
170 bytes small Linux/x64 memfd_create ELF Loader shellcode.
2dc407857824c17594024902be962b49ce532aee8e9d3c302790295cd4d64e3c
Savant Web Server version 3.1 remote buffer overflow exploit with egghunter shellcode.
55105bce6fa65050219f56386fd46c40c00c4c48c7e09a9b26fcab79d90e4458
169 bytes small Windows/x64 PIC NULL-free calc.exec shellcode.
4d8ef778b3fa4d33d047bc1cf28b30c55e64f1c18779fd433649fe60f5ea0bef
326 bytes small Windows/x64 add administrative user dynamic PEB and EDT method shellcode.
ce836880761cfda2559a206f8a4eddd7cafbcbfe3f946cceb11b3d189d914798
This Windows/x64 shellcode is an implementation of the DeleteFileA Windows API to delete a file in the C:/Windows/Temp/ directory.
5aec26b7e7e54f4fd6d0132a04967aea1827335f4327596bf01678300a0e46bb
71 bytes small Linux/x86_64 bash shellcode with XOR encoding.
801d1c974de1f03b559e03ce6feeaff70b28545726389af5b9766890611a1dc5
92 bytes small Linux/x86 polymorphic nc -lvve/bin/sh -p13377 shellcode.
05c38fb813c23c380d6dd1aa3c46be607e0be4322b049a9a2b1ada74e5f3ebc6
146 bytes small FlipRotation version 1.0 decoder shellcode.
caaf753479490907a0b5aab043a31cea50405595c33d8f36d7b099eb3ca98baa
373 bytes small Windows/x86 create administrator user dynamic PEB and EDT method null-free shellcode.
bc0be9163bb975df26f17d6f2ca0289dfedc8e8f35a9bd95e0682e7123f4061e
286 bytes small macOS/x64 execve Caesar cipher string null-free shellcode.
aa23ac4a240ae6871b72d0723b1c8d4ebded5889ad862b0dd0455f86699c05a2
253 bytes small macOS/x64 execve null-free shellcode.
8b589116ca43d93bd39b3f0f87c1530ec372e055ebb8ddff6b021bf288966dd7
This tool packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401. Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5.
1401bc41094d6c399524f490182dedc77295916d73ec25d4c7ea3751f754d6cc
This tool is a 3DES shellcode crypter.
9e6475d7e02bb5bcc0b7670b1ca005b4e4ecb987abc3fd2dcd7a5d44af829d04
This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required, and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null-free shellcode. This vulnerability was presented by the Flashback Team at Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested on firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
X0R Cryptor with DEC/N0T/R0R encoder plus random byte insertion.
79b9b9a6dd757b66b2e94d3630b76899ed2e53218846c0933182d8877820babb
This Metasploit module exploits CVE-2020-26950, a use-after-free vulnerability in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions, resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so Firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set in order for the shellcode to run successfully. This vulnerability affects Firefox versions prior to 82.0.3, Firefox ESR versions prior to 78.4.1, and Thunderbird versions prior to 78.4.2; however, only Firefox versions up to 79 are supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.
c5497acbfe1516edccf2f8747d261489391c42dfa92ad82028efc92b075df944
64 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.
ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d1994210
60 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.
d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946
Linux/MIPS N32 MSB reverse shell shellcode that showcases various techniques to avoid badchars.
b1b0100dc2ab1910886ea650ac52df457851a4b14a3d07a98e33678c077b6d6e
Solaris/SPARC chmod() shellcode with a max size of 36 bytes.
844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470
171 bytes small Windows/x86 shellcode with a new method to find the kernel32 base address by walking down the stack and looking for a possible kernel32 address using a custom SEH handler. Each address found on the stack is tested using the exception handling function. If it is valid and starts with 7, then it is a possible kernel32 address.
e7941faf4a7799cf5e35fcf962b075b17a9570e4f37e959633b2962f8d3bf53d